Beiträge von Micha

Package : modsecurity

CVE ID : CVE-2020-15598

Ervin Hegedues discovered that ModSecurity v3 enabled global regular expression matching which could result in denial of service. For additional information please refer to https://coreruleset.org/20200914/cve-2020-15598/

For the stable distribution (buster), this problem has been fixed in version 3.0.3-1+deb10u2.

We recommend that you upgrade your modsecurity packages.

For the detailed security status of modsecurity please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/modsecurity

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : inspircd

CVE ID : CVE-2019-20917 CVE-2020-25269

Debian Bug : 960650

Two security issues were discovered in the pgsql and mysql modules of the InspIRCd IRC daemon, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in version 2.0.27-1+deb10u1.

We recommend that you upgrade your inspircd packages.

For the detailed security status of inspircd please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/inspircd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : teeworlds

CVE ID : CVE-2020-12066

It was discovered that insufficient sanitising of received network packets in the game server of Teeworlds, an online multi-player platform 2D shooter, could result in denial of service.

For the stable distribution (buster), this problem has been fixed in version 0.7.2-5+deb10u1.

We recommend that you upgrade your teeworlds packages.

For the detailed security status of teeworlds please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/teeworlds

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lemonldap-ng

CVE ID : CVE-2020-24660

It was discovered that the default configuration files for running the Lemonldap::NG Web SSO system on the Nginx web server were susceptible to authorisation bypass of URL access rules. The Debian packages do not use Nginx by default.

For the stable distribution (buster), this problem has been fixed in version 2.0.2+ds-7+deb10u5, this update provides fixed example configuration which needs to be integrated into Lemonldap::NG deployments based on Nginx.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : zeromq3

CVE ID : CVE-2020-15166

It was discovered that ZeroMQ, a lightweight messaging kernel library does not properly handle connecting peers before a handshake is completed. A remote, unauthenticated client connecting to an application using the libzmq library, running with a socket listening with CURVE encryption/authentication enabled can take advantage of this flaw to cause a denial of service affecting authenticated and encrypted clients.

For the stable distribution (buster), this problem has been fixed in version 4.3.1-4+deb10u2.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : qemu

CVE ID : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092

Debian Bug : 961451 968947

Multiple security issues were discovered in QEMU, a fast processor

emulator:

CVE-2020-12829

An integer overflow in the sm501 display device may result in denial of

service.

CVE-2020-14364

An out-of-bands write in the USB emulation code may result in

guest-to-host code execution.

CVE-2020-15863

A buffer overflow in the XGMAC network device may result in denial of

service or the execution of arbitrary code.

CVE-2020-16092

A triggerable assert in the e1000e and vmxnet3 devices may result in

denial of service.

For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u8.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ark

CVE ID : CVE-2020-24654

Debian Bug : 969437

Fabian Vogt reported that the Ark archive manager did not sanitise extraction paths, which could result in maliciously crafted archives with symlinks writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in version 4:18.08.3-1+deb10u2.

We recommend that you upgrade your ark packages.

For the detailed security status of ark please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ark

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : xorg-server

CVE ID : CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361

CVE-2020-14362

Debian Bug : 968986

Several vulnerabilities have been discovered in the X.Org X server.

Missing input sanitising in X server extensions may result in local privilege escalation if the X server is configured to run with root privileges. In addition an ASLR bypass was fixed.

For the stable distribution (buster), these problems have been fixed in version 2:1.20.4-1+deb10u1.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : apache2

CVE ID : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984

CVE-2020-11993

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2020-1927

Fabrice Perez reported that certain mod_rewrite configurations are

prone to an open redirect.

CVE-2020-1934

Chamal De Silva discovered that the mod_proxy_ftp module uses

uninitialized memory when proxying to a malicious FTP backend.

CVE-2020-9490

Felix Wilhelm discovered that a specially crafted value for the

'Cache-Digest' header in a HTTP/2 request could cause a crash when

the server actually tries to HTTP/2 PUSH a resource afterwards.

CVE-2020-11984

Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi

module which could result in information disclosure or potentially

remote code execution.

CVE-2020-11993

Felix Wilhelm reported that when trace/debug was enabled for the

HTTP/2 module certain traffic edge patterns can cause logging

statements on the wrong connection, causing concurrent use of

memory pools.

For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u4.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lilypond

CVE ID : CVE-2020-17353

Faidon Liambotis discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code.

For the stable distribution (buster), this problem has been fixed in version 2.19.81+really-2.18.2-13+deb10u1.

We recommend that you upgrade your lilypond packages.

For the detailed security status of lilypond please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/lilypond

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : openexr

CVE ID : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115

CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761

CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765

CVE-2020-15305 CVE-2020-15306

Multiple security issues were found in the OpenEXR image library, which could result in denial of service and potentially the execution of arbitrary code when processing malformed EXR image files.

For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.

We recommend that you upgrade your openexr packages.

For the detailed security status of openexr please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openexr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in Thunderbird which could result in the execution of arbitrary code or the unintended installation of extensions.

For the stable distribution (buster), these problems have been fixed in version 1:68.12.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : mupdf

CVE ID : CVE-2019-13290

Debian Bug : 931475

A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight PDF viewer, which may result in denial of service or the execution of arbitrary code if a malformed PDF file is opened.

For the stable distribution (buster), this problem has been fixed in version 1.14.0+ds1-4+deb10u1.

We recommend that you upgrade your mupdf packages.

For the detailed security status of mupdf please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/mupdf

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : bind9

CVE ID : CVE-2020-8619 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624

Debian Bug : 966497

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2020-8619

It was discovered that an asterisk character in an empty non-

terminal can cause an assertion failure, resulting in denial

of service.

CVE-2020-8622

Dave Feldman, Jeff Warren, and Joel Cunningham reported that a

truncated TSIG response can lead to an assertion failure, resulting

in denial of service.

CVE-2020-8623

Lyu Chiy reported that a flaw in the native PKCS#11 code can lead

to a remotely triggerable assertion failure, resulting in denial

of service.

CVE-2020-8624

Joop Boonen reported that update-policy rules of type "subdomain"

are enforced incorrectly, allowing updates to all parts of the zone

along with the intended subdomain.

For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u2.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : squid

CVE ID : CVE-2020-15810 CVE-2020-15811 CVE-2020-24606

Debian Bug : 968932 968933 968934

Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in request splitting, request smuggling (leading to cache poisoning) and denial of service when processing crafted cache digest responses messages.

For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u4.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : nginx

CVE ID : CVE-2020-11724

Debian Bug : 964950

It was reported that the Lua module for Nginx, a high-performance web and reverse proxy server, is prone to a HTTP request smuggling vulnerability.

For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u3.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or unintended or malicious extensions being installed.

For the stable distribution (buster), these problems have been fixed in version 68.12.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ghostscript

CVE ID : CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290

CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294

CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298

CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302

CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306

CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310

CVE-2020-17538

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

For the stable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : icingaweb2

CVE ID : CVE-2020-24368

Debian Bug : 968833

A directory traversal vulnerability was discovered in Icinga Web 2, a web interface for Icinga, which could result in the disclosure of files readable by the process.

For the stable distribution (buster), this problem has been fixed in version 2.6.2-3+deb10u1.

We recommend that you upgrade your icingaweb2 packages.

For the detailed security status of icingaweb2 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/icingaweb2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : net-snmp

CVE ID : CVE-2020-15861 CVE-2020-15862

Debian Bug : 965166 966599

Several vulnerabilities were discovered in net-snmp, a suite of Simple Network Management Protocol applications, which could lead to privilege escalation.

For the stable distribution (buster), these problems have been fixed in version 5.7.3+dfsg-5+deb10u1.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/