Posts by Micha

    Package : xen


    CVE ID : CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697 CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701



    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.



    With the end of upstream support for the 4.11 branch, the version of xen in the oldstable distribution (buster) is no longer supported. If you rely on security support for your Xen installation an update to the stable distribution (bullseye) is recommended.



    For the stable distribution (bullseye), these problems have been fixed in version 4.14.3-1~deb11u1.



    We recommend that you upgrade your xen packages.



    For the detailed security status of xen please refer to its security tracker page at:


    Information on source package xen



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wpewebkit


    CVE ID : CVE-2021-30858



    The following vulnerabilities have been discovered in the webkit2gtk web engine:



    CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.



    We recommend that you upgrade your wpewebkit packages.



    For the detailed security status of wpewebkit please refer to its security tracker page at:


    Information on source package wpewebkit



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : webkit2gtk


    CVE ID : CVE-2021-30858



    The following vulnerabilities have been discovered in the webkit2gtk web engine:



    CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the oldstable distribution (buster), this problem has been fixed in version 2.32.4-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : nextcloud-desktop


    CVE ID : CVE-2021-22895 CVE-2021-32728


    Debian Bug : 989846



    Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosure.



    For the oldstable distribution (buster), these problems have been fixed in version 2.5.1-3+deb10u2.



    For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1.



    We recommend that you upgrade your nextcloud-desktop packages.



    For the detailed security status of nextcloud-desktop please refer to its security tracker page at:


    Information on source package nextcloud-desktop



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird


    CVE ID : CVE-2021-38493



    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.



    For the oldstable distribution (buster), this problem has been fixed in version 1:78.14.0-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1:78.14.0-1~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ghostscript


    CVE ID : CVE-2021-3781


    Debian Bug : 994011



    It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly validate access for the "%pipe%", "%handle%" and "%printer%" I/O devices, which could result in the execution of arbitrary code if a malformed PostScript file is processed (despite the -dSAFER sandbox being enabled).



    For the stable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u1.



    We recommend that you upgrade your ghostscript packages.



    For the detailed security status of ghostscript please refer to its security tracker page at:


    Information on source package ghostscript



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ntfs-3g


    CVE ID : CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263


    Debian Bug : 988386



    Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.



    For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u1.



    We recommend that you upgrade your ntfs-3g packages.



    For the detailed security status of ntfs-3g please refer to its security tracker page at:


    Information on source package ntfs-3g



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : postorius


    CVE ID : CVE-2021-40347



    Kevin Israel discovered that Postorius, the administrative web frontend for Mailman 3, didn't validate whether a logged-in user owns the email address when unsubscribing.



    For the oldstable distribution (buster), this problem has been fixed in version 1.2.4-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1.3.4-2+deb11u1.



    We recommend that you upgrade your postorius packages.



    For the detailed security status of postorius please refer to its security tracker page at:


    Information on source package postorius



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr


    CVE ID : CVE-2021-38493



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.



    For the oldstable distribution (buster), this problem has been fixed in version 78.14.0esr-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 78.14.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : haproxy


    CVE ID : CVE-2021-40346



    Ori Hollander reported that missing header name length checks in the htx_add_header() and htx_add_trailer() functions in HAProxy, a fast and reliable load balancing reverse proxy, could result in request smuggling attacks or response splitting attacks.



    Additionally, this update addresses #993303, introduced in DSA 4960-1, causing HAProxy to fail to serve URLs with HTTP/2 containing '//'.



    For the stable distribution (bullseye), this problem has been fixed in version 2.2.9-2+deb11u2.



    We recommend that you upgrade your haproxy packages.



    For the detailed security status of haproxy please refer to its security tracker page at:


    Information on source package haproxy



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : squashfs-tools


    CVE ID : CVE-2021-40153



    Etienne Stalmans discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not validate filenames for traversal outside of the destination directory. An attacker can take advantage of this flaw for writing to arbitrary files to the filesystem if a malformed Squashfs image is processed.
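The flaw described above is the classic archive path-traversal problem: a member name such as "../../etc/..." written relative to the destination directory escapes it. The following is an added example, not code from squashfs-tools or from the advisory, showing the validation an extractor needs before writing any member: a lexical check on the name (absolute paths and any leading ".." after normalisation are refused) plus a resolved-path containment check that also catches escapes through symlinks already present under the destination. The manifest and the `/nonexistent-demo/out` destination are constructed sample values.

```python
import os
import posixpath
from typing import Dict, List, Optional


def is_safe_member_name(name: str) -> bool:
    """Lexical check on an archive member name.

    Rejects empty names, absolute paths, and any name that still begins
    with '..' after normalisation, so 'a/../../x' is refused while
    'a/b/../c' (which normalises to 'a/c') is accepted.
    """
    if not name or name.startswith("/"):
        return False
    normalized = posixpath.normpath(name)
    return not (normalized == ".." or normalized.startswith("../"))


def resolve_target(dest: str, name: str) -> Optional[str]:
    """Return the absolute path a member would be written to, or None.

    None is returned when the name fails the lexical check or when the
    resolved path (following symlinks that already exist under dest)
    lands outside dest. Call this for every member, after any earlier
    members have been written, since a previously extracted symlink can
    redirect a later lexically safe name.
    """
    if not is_safe_member_name(name):
        return None
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    try:
        inside = os.path.commonpath([dest_real, target]) == dest_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside else None


def check_manifest(names: List[str]) -> Dict[str, List[str]]:
    """Partition a list of member names into 'safe' and 'rejected'.

    Useful as a pre-extraction scan of an untrusted image's file list.
    """
    result: Dict[str, List[str]] = {"safe": [], "rejected": []}
    for name in names:
        result["safe" if is_safe_member_name(name) else "rejected"].append(name)
    return result


# Constructed sample manifest (not from any real image): three ordinary
# entries and three that try to leave the destination directory.
SAMPLE_MANIFEST = [
    "bin/busybox",
    "etc/init.d/rcS",
    "lib/../lib64/libc.so",       # normalises to lib64/libc.so, stays inside
    "../../../tmp/outside.txt",   # plain traversal
    "/tmp/absolute.txt",          # absolute path
    "www/../../outside2.txt",     # traversal after a partial descent
]

if __name__ == "__main__":
    report = check_manifest(SAMPLE_MANIFEST)
    for name in report["rejected"]:
        print("REJECT", name)
    for name in report["safe"]:
        print("OK    ", resolve_target("/nonexistent-demo/out", name))
```

The lexical check alone is what the advisory says was missing; the `resolve_target` step is the extra guard an extractor wants when the image can also carry symlinks, which is why it is meant to be called per member at write time rather than once up front.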



    For the oldstable distribution (buster), this problem has been fixed in version 1:4.3-12+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1:4.4-2+deb11u1.



    We recommend that you upgrade your squashfs-tools packages.



    For the detailed security status of squashfs-tools please refer to its security tracker page at:


    Information on source package squashfs-tools



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gpac


    CVE ID : CVE-2021-21834 CVE-2021-21836 CVE-2021-21837 CVE-2021-21838 CVE-2021-21839 CVE-2021-21840 CVE-2021-21841 CVE-2021-21842 CVE-2021-21843 CVE-2021-21844 CVE-2021-21845 CVE-2021-21846 CVE-2021-21847 CVE-2021-21848 CVE-2021-21849 CVE-2021-21850 CVE-2021-21853 CVE-2021-21854 CVE-2021-21855 CVE-2021-21857 CVE-2021-21858 CVE-2021-21859 CVE-2021-21860 CVE-2021-21861



    Multiple security issues were discovered in the GPAC multimedia framework which could result in denial of service or the execution of arbitrary code.



    The oldstable distribution (buster) is not affected.



    For the stable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-4+deb11u1.



    We recommend that you upgrade your gpac packages.



    For the detailed security status of gpac please refer to its security tracker page at:


    Information on source package gpac



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libssh


    CVE ID : CVE-2021-3634


    Debian Bug : 993046



    It was discovered that a buffer overflow in rekeying in libssh could result in denial of service or potentially the execution of arbitrary code.



    The oldstable distribution (buster) is not affected.



    For the stable distribution (bullseye), this problem has been fixed in version 0.9.5-1+deb11u1.



    We recommend that you upgrade your libssh packages.



    For the detailed security status of libssh please refer to its security tracker page at:


    Information on source package libssh



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ledgersmb



    The update for ledgersmb released as DSA 4862-1 introduced a regression in the display of some search results. Updated ledgersmb packages are now available to correct this issue.



    For the oldstable distribution (buster), this problem has been fixed in version 1.6.9+ds-1+deb10u3.



    For the stable distribution (bullseye), this problem has been fixed in version 1.6.9+ds-2+deb11u3.



    We recommend that you upgrade your ledgersmb packages.



    For the detailed security status of ledgersmb please refer to its security tracker page at:


    Information on source package ledgersmb



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ledgersmb


    CVE ID : CVE-2021-3731 CVE-2021-3693 CVE-2021-3694



    Several vulnerabilities were discovered in LedgerSMB, a financial accounting and ERP program, which could result in cross-site scripting or clickjacking.



    For the oldstable distribution (buster), this problem has been fixed in version 1.6.9+ds-1+deb10u2.



    For the stable distribution (bullseye), this problem has been fixed in version 1.6.9+ds-2+deb11u2.



    We recommend that you upgrade your ledgersmb packages.



    For the detailed security status of ledgersmb please refer to its security tracker page at:


    Information on source package ledgersmb



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : grilo


    CVE ID : CVE-2021-39365


    Debian Bug : 992971



    Michael Catanzaro reported a problem in Grilo, a framework for discovering and browsing media. TLS certificate verification is not enabled on the SoupSessionAsync objects created by Grilo, leaving users vulnerable to network MITM attacks.



    For the oldstable distribution (buster), this problem has been fixed in version 0.3.7-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 0.3.13-1+deb11u1.



    We recommend that you upgrade your grilo packages.



    For the detailed security status of grilo please refer to its security tracker page at:


    Information on source package grilo



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openssl


    CVE ID : CVE-2021-3711 CVE-2021-3712



    Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.



    CVE-2021-3711

    John Ouyang reported a buffer overflow vulnerability in the SM2 decryption. An attacker able to present SM2 content for decryption to an application can take advantage of this flaw to change application behaviour or cause the application to crash (denial of service).



    CVE-2021-3712

    Ingo Schwarze reported a buffer overrun flaw when processing ASN.1 strings in the X509_aux_print() function, which can result in denial of service.



    Additional details can be found in the upstream advisory:


    https://www.openssl.org/news/secadv/20210824.txt



    For the oldstable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u7.



    For the stable distribution (bullseye), these problems have been fixed in version 1.1.1k-1+deb11u1.



    We recommend that you upgrade your openssl packages.



    For the detailed security status of openssl please refer to its security tracker page at:


    Information on source package openssl



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tor


    CVE ID : CVE-2021-38385



    Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.



    For the oldstable distribution (buster), this problem has been fixed in version 0.3.5.16-1.



    For the stable distribution (bullseye), this problem has been fixed in version 0.4.5.10-1~deb11u1.



    We recommend that you upgrade your tor packages.



    For the detailed security status of tor please refer to its security tracker page at:


    Information on source package tor



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : haproxy


    CVE ID : not yet assigned



    Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling. By carefully crafting HTTP/2 requests, it is possible to smuggle another HTTP request to the backend selected by the HTTP/2 request. With certain configurations, it allows an attacker to send an HTTP request to a backend, circumventing the backend selection logic.



    Known workarounds are to disable HTTP/2 and set "tune.h2.max-concurrent-streams" to 0 in the "global" section.

        global
            tune.h2.max-concurrent-streams 0



    For the stable distribution (bullseye), these problems have been fixed in version 2.2.9-2+deb11u1.



    We recommend that you upgrade your haproxy packages.



    For the detailed security status of haproxy please refer to its security tracker page at:


    Information on source package haproxy



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird


    CVE ID : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989



    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.



    For the stable distribution (bullseye), these problems have been fixed in version 1:78.13.0-1~deb11u1.



    For the oldstable distribution (buster), these problems have been fixed in version 1:78.13.0-1~deb10u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
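Every advisory above ends with a "fixed in version ..." statement, and the practical question for an administrator is whether the installed version is at least that one. That cannot be answered by string comparison: Debian versions carry an optional epoch ("1:"), a "~" that sorts before the empty string (so 4.14.3-1 is newer than 4.14.3-1~deb11u1), and digit runs compared numerically. The block below is an added example, not code from Debian or dpkg, that reimplements the dpkg version-ordering algorithm in Python and uses it to flag installed packages that are older than the bullseye fixed versions quoted in the advisories on this page. `SAMPLE_DPKG_OUTPUT` is a constructed stand-in for the output of `dpkg-query -W -f '${Package} ${Version}\n'`; on a real host, pipe that command's output into `parse_dpkg_output` instead.

```python
from typing import Dict, Tuple


def _order(c: str) -> int:
    """Weight of one character in a non-digit run: '~' sorts before
    everything including end of string, letters by ASCII, then the rest."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment the way dpkg does:
    alternate non-digit runs (via _order) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # ignore leading zeros
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a is older than b, zero if equal, positive if newer."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Bullseye fixed versions quoted in the advisories above.
FIXED_BULLSEYE = {
    "xen": "4.14.3-1~deb11u1",
    "openssl": "1.1.1k-1+deb11u1",
    "haproxy": "2.2.9-2+deb11u2",
    "thunderbird": "1:78.14.0-1~deb11u1",
    "ntfs-3g": "1:2017.3.23AR.3-4+deb11u1",
}

# Constructed sample of dpkg-query output; not taken from a real host.
SAMPLE_DPKG_OUTPUT = """\
xen 4.14.3-1
openssl 1.1.1k-1
haproxy 2.2.9-2+deb11u1
thunderbird 1:78.14.0-1~deb11u1
ntfs-3g 1:2017.3.23AR.3-4+deb11u1
"""


def parse_dpkg_output(text: str) -> Dict[str, str]:
    """Turn 'package version' lines into a {package: version} mapping."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            pkg, ver = line.split(None, 1)
            installed[pkg] = ver.strip()
    return installed


def outdated_packages(installed: Dict[str, str], fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Installed packages older than the advisory's fixed version -> (installed, fixed)."""
    return {
        pkg: (installed[pkg], fixed_ver)
        for pkg, fixed_ver in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], fixed_ver) < 0
    }


if __name__ == "__main__":
    for pkg, (have, need) in outdated_packages(parse_dpkg_output(SAMPLE_DPKG_OUTPUT), FIXED_BULLSEYE).items():
        print(f"{pkg}: installed {have} is older than fixed {need}")
```

With the sample input only openssl and haproxy are reported: the haproxy host has the first haproxy DSA on this page (2.2.9-2+deb11u1) but not the second, and xen 4.14.3-1 is correctly treated as newer than 4.14.3-1~deb11u1 because of the "~" rule.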