Posts by Micha

    Package : thunderbird

    CVE ID : CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800


    Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.


    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.5.0-1~deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 1:68.5.0-1~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : evince

    CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

    Debian Bug : 927820


    Several vulnerabilities were discovered in evince, a simple multi-page document viewer.


    CVE-2017-1000159


    Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames.


    CVE-2019-11459


    Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files.


    CVE-2019-1010006


    A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.


    For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.


    For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.


    We recommend that you upgrade your evince packages.


    For the detailed security status of evince please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/evince


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : postgresql-11

    CVE ID : CVE-2020-1720


    Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in the PostgreSQL database did not perform authorisation checks.


    For the stable distribution (buster), this problem has been fixed in version 11.7-0+deb10u1.


    We recommend that you upgrade your postgresql-11 packages.


    For the detailed security status of postgresql-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : postgresql-9.6

    CVE ID : CVE-2020-1720


    Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in the PostgreSQL database did not perform authorisation checks.


    For the oldstable distribution (stretch), this problem has been fixed in version 9.6.17-0+deb9u1.


    We recommend that you upgrade your postgresql-9.6 packages.


    For the detailed security status of postgresql-9.6 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-9.6


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openjdk-8

    CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.


    For the oldstable distribution (stretch), these problems have been fixed in version 8u242-b08-1~deb9u1.


    We recommend that you upgrade your openjdk-8 packages.


    For the detailed security status of openjdk-8 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-8


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr

    CVE ID : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the oldstable distribution (stretch), these problems have been fixed in version 68.5.0esr-1~deb9u1.


    For the stable distribution (buster), these problems have been fixed in version 68.5.0esr-1~deb10u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libxmlrpc3-java

    CVE ID : CVE-2019-17570

    Debian Bug : 949089


    Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library.


    Note that a client that expects to get server-side exceptions needs to explicitly set the enabledForExceptions property.


    For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1.


    We recommend that you upgrade your libxmlrpc3-java packages.


    For the detailed security status of libxmlrpc3-java please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libxmlrpc3-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libexif

    CVE ID : CVE-2019-9278

    Debian Bug : 945948


    An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse EXIF files, which could result in denial of service, or potentially the execution of arbitrary code if specially crafted image files are processed.


    For the oldstable distribution (stretch), this problem has been fixed in version 0.6.21-2+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 0.6.21-5.1+deb10u1.


    We recommend that you upgrade your libexif packages.


    For the detailed security status of libexif please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libexif


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : qtbase-opensource-src

    CVE ID : CVE-2020-0569 CVE-2020-0570


    Two security issues were found in the Qt library, which could result in plugins and libraries being loaded from the current working directory, resulting in potential code execution.


    For the oldstable distribution (stretch), these problems have been fixed in version 5.7.1+dfsg-3+deb9u2.


    For the stable distribution (buster), these problems have been fixed in version 5.11.3+dfsg1-1+deb10u3.


    We recommend that you upgrade your qtbase-opensource-src packages.


    For the detailed security status of qtbase-opensource-src please refer to its security tracker page at:

    https://security-tracker.debia…ker/qtbase-opensource-src


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : qemu

    CVE ID : CVE-2019-15890 CVE-2020-7039 CVE-2020-1711


    Two security issues have been found in the SLiRP networking implementation of QEMU, a fast processor emulator, which could result in the execution of arbitrary code or denial of service.


    For the oldstable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u9.


    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u4.


    We recommend that you upgrade your qemu packages.


    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : spamassassin

    CVE ID : CVE-2020-1930 CVE-2020-1931

    Debian Bug : 950258


    Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.


    For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u3.


    For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u2.


    We recommend that you upgrade your spamassassin packages.


    For the detailed security status of spamassassin please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spamassassin


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : sudo

    CVE ID : CVE-2019-18634

    Debian Bug : 950371


    Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges.


    Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html .


    For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2.


    For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26.


    We recommend that you upgrade your sudo packages.


    For the detailed security status of sudo please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/sudo


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
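The advisory above makes the exposure depend on two things an administrator can check locally: whether "pwfeedback" is enabled in the sudoers configuration, and whether the installed sudo is already at 1.8.26 or later. The following audit helper is an added example written for this page, not code from Debian or the sudo project; it parses sudoers-style text (global and scoped Defaults, "!" negation, comma lists, backslash continuation, comments) and compares a sudo version string against the 1.8.26 threshold the advisory cites. The sudoers sample is constructed, and the assumption that pwfeedback is off unless set follows sudo's upstream default.

```python
"""Audit sudoers text for the "pwfeedback" option named in CVE-2019-18634."""
import re

# Version from which the advisory says a change in EOF handling prevents
# exploitation ("introduced in 1.8.26").
MITIGATED_SINCE = (1, 8, 26)

# Start of a Defaults entry, including the scoped forms
# "Defaults:user", "Defaults@host", "Defaults>runas" and "Defaults!cmd".
_DEFAULTS_RE = re.compile(r"^Defaults([:@>!]\S+)?\s+(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        # A '#' at line start or after whitespace begins a comment.
        # (#include directives are dropped too: included files are not followed.)
        buf = re.sub(r"\s#.*$|^#.*$", "", buf).strip()
        if buf:
            lines.append(buf)
        buf = ""
    return lines


def pwfeedback_settings(text):
    """Return (scope, enabled) for every pwfeedback flag, in file order.

    scope is "" for global Defaults, otherwise e.g. ":alice" or "@buildhost".
    """
    found = []
    for line in _logical_lines(text):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or ""
        for opt in (o.strip() for o in m.group(2).split(",")):
            name = opt.lstrip("!")
            if name.split("=")[0] != "pwfeedback":
                continue
            # An odd number of leading '!' negates the flag.
            enabled = (len(opt) - len(name)) % 2 == 0
            found.append((scope, enabled))
    return found


def pwfeedback_enabled(text):
    """True if global Defaults leave pwfeedback on (last setting wins).

    Assumes the compiled-in default is off, as in upstream sudo.
    """
    state = False
    for scope, enabled in pwfeedback_settings(text):
        if scope == "":
            state = enabled
    return state


def parse_sudo_version(version):
    """'1.8.19p1' -> (1, 8, 19); the 'pN' patch suffix is ignored."""
    return tuple(int(x) for x in version.split("p")[0].split("."))


def exploitation_prevented(version):
    """True when the running sudo is at or beyond 1.8.26."""
    return parse_sudo_version(version) >= MITIGATED_SINCE


# Constructed sample sudoers content; not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
Defaults pwfeedback   # asterisks while typing the password
Defaults:alice !pwfeedback
root ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    print("pwfeedback globally enabled:", pwfeedback_enabled(SAMPLE_SUDOERS))
    print("1.8.19p1 exploitation prevented:", exploitation_prevented("1.8.19p1"))
```

On a live system, feed it the output of `visudo -c -f /etc/sudoers` style checks or the contents of /etc/sudoers and /etc/sudoers.d/* and the version from `sudo -V`; an enabled global flag on a sudo older than 1.8.26 is the condition the advisory describes.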

    Package : libidn2

    CVE ID : CVE-2019-18224

    Debian Bug : 942895


    A heap-based buffer overflow vulnerability was discovered in the idn2_to_ascii_4i() function in libidn2, the GNU library for Internationalized Domain Names (IDNs), which could result in denial of service, or the execution of arbitrary code when processing a long domain string.


    For the stable distribution (buster), this problem has been fixed in version 2.0.5-1+deb10u1.


    We recommend that you upgrade your libidn2 packages.


    For the detailed security status of libidn2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libidn2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : prosody-modules

    CVE ID : CVE-2020-8086


    It was discovered that the LDAP authentication modules for the Prosody Jabber/XMPP server incorrectly validated the XMPP address when checking whether a user has admin access.


    For the oldstable distribution (stretch), this problem has been fixed in version 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1.


    We recommend that you upgrade your prosody-modules packages.


    For the detailed security status of prosody-modules please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/prosody-modules


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : opensmtpd

    CVE ID : CVE-2020-7247

    Debian Bug : 950121


    Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.


    For the oldstable distribution (stretch), these problems have been fixed in version 6.0.2p1-2+deb9u2.


    For the stable distribution (buster), these problems have been fixed in version 6.0.3p1-5+deb10u3. This update also includes non-security bugfixes which were already lined up for the Buster 10.3 point release.


    We recommend that you upgrade your opensmtpd packages.


    For the detailed security status of opensmtpd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/opensmtpd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : webkit2gtk

    CVE ID : CVE-2019-8835 CVE-2019-8844 CVE-2019-8846


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2019-8835


    An anonymous researcher discovered that maliciously crafted web content may lead to arbitrary code execution.


    CVE-2019-8844


    William Bowling discovered that maliciously crafted web content may lead to arbitrary code execution.


    CVE-2019-8846


    Marcin Towalski of Cisco Talos discovered that maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (buster), these problems have been fixed in version 2.26.3-1~deb10u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : python-apt

    CVE ID : CVE-2019-15795 CVE-2019-15796

    Debian Bug : 944696


    Two security issues were found in the Python interface to the apt package manager; package downloads from unsigned repositories were incorrectly rejected and the hash validation relied on MD5.


    For the oldstable distribution (stretch), these problems have been fixed in version 1.4.1.


    For the stable distribution (buster), these problems have been fixed in version 1.8.4.1.


    We recommend that you upgrade your python-apt packages.


    For the detailed security status of python-apt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-apt


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tiff

    CVE ID : CVE-2019-14973 CVE-2019-17546


    Multiple integer overflows have been discovered in the libtiff library and the included tools.


    For the stable distribution (buster), these problems have been fixed in version 4.1.0+git191117-2~deb10u1.


    We recommend that you upgrade your tiff packages.


    For the detailed security status of tiff please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tiff


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openconnect

    CVE ID : CVE-2019-16239

    Debian Bug : 940871


    Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect VPN. A malicious HTTP server (after having accepted its identity certificate), can provide bogus chunk lengths for chunked HTTP encoding and cause a heap-based buffer overflow.


    For the oldstable distribution (stretch), this problem has been fixed in version 7.08-1+deb9u1.


    For the stable distribution (buster), this problem has been fixed in version 8.02-1+deb10u1.


    We recommend that you upgrade your openconnect packages.


    For the detailed security status of openconnect please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openconnect


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728
    CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734
    CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738
    CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742
    CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746
    CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750
    CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754
    CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758
    CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763
    CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378
    CVE-2020-6379 CVE-2020-6380


    Several vulnerabilities have been discovered in the chromium web browser.


    CVE-2019-13725


    Gengming Liu and Jianyu Chen discovered a use-after-free issue in the bluetooth implementation.


    CVE-2019-13726


    Sergei Lazunov discovered a buffer overflow issue.


    CVE-2019-13727


    @piochu discovered a policy enforcement error.


    CVE-2019-13728


    Rong Jian and Guang Gong discovered an out-of-bounds write error in the v8 javascript library.


    CVE-2019-13729


    Zhe Jin discovered a use-after-free issue.


    CVE-2019-13730


    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 javascript library.


    CVE-2019-13732


    Sergei Glazunov discovered a use-after-free issue in the WebAudio implementation.


    CVE-2019-13734


    Wenxiang Qian discovered an out-of-bounds write issue in the sqlite library.


    CVE-2019-13735


    Gengming Liu and Zhen Feng discovered an out-of-bounds write issue in the v8 javascript library.


    CVE-2019-13736


    An integer overflow issue was discovered in the pdfium library.


    CVE-2019-13737


    Mark Amery discovered a policy enforcement error.


    CVE-2019-13738


    Johnathan Norman and Daniel Clark discovered a policy enforcement error.


    CVE-2019-13739


    xisigr discovered a user interface error.


    CVE-2019-13740


    Khalil Zhani discovered a user interface error.


    CVE-2019-13741


    Michał Bentkowski discovered that user input could be incompletely validated.


    CVE-2019-13742


    Khalil Zhani discovered a user interface error.


    CVE-2019-13743


    Zhiyang Zeng discovered a user interface error.


    CVE-2019-13744


    Prakash discovered a policy enforcement error.


    CVE-2019-13745


    Luan Herrera discovered a policy enforcement error.


    CVE-2019-13746


    David Erceg discovered a policy enforcement error.


    CVE-2019-13747


    Ivan Popelyshev and André Bonatti discovered an uninitialized value.


    CVE-2019-13748


    David Erceg discovered a policy enforcement error.


    CVE-2019-13749


    Khalil Zhani discovered a user interface error.


    CVE-2019-13750


    Wenxiang Qian discovered insufficient validation of data in the sqlite library.


    CVE-2019-13751


    Wenxiang Qian discovered an uninitialized value in the sqlite library.


    CVE-2019-13752


    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.


    CVE-2019-13753


    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.


    CVE-2019-13754


    Cody Crews discovered a policy enforcement error.


    CVE-2019-13755


    Masato Kinugawa discovered a policy enforcement error.


    CVE-2019-13756


    Khalil Zhani discovered a user interface error.


    CVE-2019-13757


    Khalil Zhani discovered a user interface error.


    CVE-2019-13758


    Khalil Zhani discovered a policy enforcement error.


    CVE-2019-13759


    Wenxu Wu discovered a user interface error.


    CVE-2019-13761


    Khalil Zhani discovered a user interface error.


    CVE-2019-13762


    csanuragjain discovered a policy enforcement error.


    CVE-2019-13763


    weiwangpp93 discovered a policy enforcement error.


    CVE-2019-13764


    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 javascript library.


    CVE-2019-13767


    Sergei Glazunov discovered a use-after-free issue.


    CVE-2020-6377


    Zhe Jin discovered a use-after-free issue.


    CVE-2020-6378


    Antti Levomäki and Christian Jalio discovered a use-after-free issue.


    CVE-2020-6379


    Guang Gong discovered a use-after-free issue.


    CVE-2020-6380


    Sergei Glazunov discovered an error verifying extension messages.


    For the oldstable distribution (stretch), security support for chromium has been discontinued.


    For the stable distribution (buster), these problems have been fixed in version 79.0.3945.130-1~deb10u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/