[SECURITY] [DLA 3638-1] h2o security update

2023-10-31 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3638-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
October 29, 2023                        https://wiki.debian.org/LTS
- -

Package: h2o
Version: 2.2.5+dfsg2-2+deb10u2
CVE ID : CVE-2023-44487
Debian Bug : 1054232

A vulnerability (CVE-2023-44487, known as "HTTP/2 Rapid Reset") has been
identified in h2o, a high-performance web server with support for HTTP/2.
It can be exploited remotely to disrupt server operation.

HTTP/2 lets a client cancel a stream at any time by sending an RST_STREAM
frame. A client that opens streams and cancels them immediately keeps the
number of concurrently open streams below the advertised
SETTINGS_MAX_CONCURRENT_STREAMS limit, yet the server still has to allocate
stream state, start processing the request and tear everything down for
every HEADERS frame it receives. By sending such open/cancel pairs at a high
rate, an unauthenticated attacker can exhaust CPU and memory on the server
and cause a denial of service.

The applied upstream patch changes the ABI of h2o's shared libraries.
If you have built your own applications against those libraries, rebuild
them after upgrading. No package in Debian is affected by the ABI change.
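The stream lifecycle described above can be modelled in a few lines. The following Python is an added example, not h2o code: it replays a constructed sequence of HEADERS/RST_STREAM frames against a toy connection state machine. It shows why SETTINGS_MAX_CONCURRENT_STREAMS alone is no defence (peak concurrency never rises above one while the server still starts a handler per request) and how a per-connection reset-rate limit turns the flood into a GOAWAY. RESET_LIMIT and RESET_WINDOW are assumed values for the demonstration, not h2o's settings.

```python
"""Toy model of HTTP/2 Rapid Reset (CVE-2023-44487) and a reset-rate limit.

Added example, not part of h2o. Frame sequences are constructed, not
captured traffic; RESET_LIMIT and RESET_WINDOW are assumed values.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100   # advertised per-connection stream limit
RESET_LIMIT = 50               # assumed: resets tolerated per window
RESET_WINDOW = 1.0             # assumed: window length in seconds


@dataclass
class Conn:
    open_streams: set = field(default_factory=set)
    peak_concurrent: int = 0
    work_started: int = 0          # request handlers the server had to start
    resets: deque = field(default_factory=deque)
    goaway: bool = False


def handle_frame(conn: Conn, ts: float, ftype: str, stream_id: int,
                 reset_limit=None) -> str:
    """Process one frame; reset_limit=None means no mitigation at all."""
    if conn.goaway:
        return "dropped"           # connection already closed
    if ftype == "HEADERS":
        if len(conn.open_streams) >= MAX_CONCURRENT_STREAMS:
            return "REFUSED_STREAM"
        conn.open_streams.add(stream_id)
        conn.peak_concurrent = max(conn.peak_concurrent, len(conn.open_streams))
        conn.work_started += 1     # server allocates state and starts the request
        return "accepted"
    if ftype == "RST_STREAM":
        conn.open_streams.discard(stream_id)   # cancel frees the slot at once
        if reset_limit is not None:
            conn.resets.append(ts)
            while conn.resets and ts - conn.resets[0] > RESET_WINDOW:
                conn.resets.popleft()          # drop resets outside the window
            if len(conn.resets) > reset_limit:
                conn.goaway = True             # too many cancels: close connection
                return "GOAWAY"
        return "cancelled"
    raise ValueError(f"unexpected frame type {ftype}")


def rapid_reset_frames(n: int, gap: float = 0.001):
    """Constructed attacker traffic: each stream is opened and cancelled at once."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1            # client-initiated streams use odd ids
        frames.append((i * gap, "HEADERS", sid))
        frames.append((i * gap, "RST_STREAM", sid))
    return frames


def replay(frames, reset_limit=None) -> Conn:
    conn = Conn()
    for ts, ftype, sid in frames:
        handle_frame(conn, ts, ftype, sid, reset_limit)
    return conn


if __name__ == "__main__":
    flood = rapid_reset_frames(10_000)
    unpatched = replay(flood)
    patched = replay(flood, reset_limit=RESET_LIMIT)
    print(f"no limit  : work_started={unpatched.work_started} "
          f"peak_concurrent={unpatched.peak_concurrent}")
    print(f"with limit: work_started={patched.work_started} "
          f"goaway={patched.goaway}")
```

Without the limit, 10,000 open/cancel pairs start 10,000 request handlers while the concurrency counter never exceeds one, so the stream limit is never hit; with the limit, the connection is closed after the 51st cancel.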

For Debian 10 buster, this problem has been fixed in version
2.2.5+dfsg2-2+deb10u2.

We recommend that you upgrade your h2o packages.

For the detailed security status of h2o please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/h2o

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3567-1] c-ares security update

2023-09-14 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3567-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
September 15, 2023                      https://wiki.debian.org/LTS
- -

Package: c-ares
Version: 1.14.0-1+deb10u4
CVE ID : CVE-2020-22217

A vulnerability has been identified in c-ares, an asynchronous name
resolver library:

CVE-2020-22217:

A buffer overflow has been found in affected versions of c-ares in the
function ares_parse_soa_reply() in ares_parse_soa_reply.c, which parses
SOA records in DNS replies. The issue was discovered through fuzzing.
Exploitation may allow an attacker to execute arbitrary code or cause a
denial of service condition.

For Debian 10 buster, this problem has been fixed in version
1.14.0-1+deb10u4.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3562-1] orthanc security update

2023-09-12 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3562-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
September 12, 2023                      https://wiki.debian.org/LTS
- -

Package: orthanc
Version: 1.5.6+dfsg-1+deb10u1
CVE ID : CVE-2023-33466
Debian Bug : 1040597

A security vulnerability was identified in Orthanc, a DICOM server used for
medical imaging: authenticated REST API users could overwrite arbitrary files
on the server and, in certain configurations, execute unauthorized code.

This update addresses the issue by backporting a safeguard: the new
RestApiWriteToFileSystemEnabled option is set to "false" by default in the
/etc/orthanc/orthanc.json configuration file, which disables the REST API's
ability to write to the file system. Users who need the previous behaviour
can set this option to "true" themselves.
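Because /etc/orthanc/orthanc.json is a conffile, dpkg keeps a locally modified copy (or prompts) on upgrade, so the new default may never reach a customised installation. The script below is an added example, not Orthanc code: it loads an Orthanc configuration (Orthanc's JSON files may contain // and /* */ comments, which the standard json module rejects, so they are stripped first) and reports whether RestApiWriteToFileSystemEnabled is disabled, explicitly enabled, or missing altogether. A "missing" result should be treated as needing attention and the option added explicitly. The sample configurations are constructed for the demonstration.

```python
"""Audit an Orthanc configuration for RestApiWriteToFileSystemEnabled.

Added example, not Orthanc code. The sample configurations below are
constructed; the default path is the one named in the advisory.
"""
import json
import sys

OPTION = "RestApiWriteToFileSystemEnabled"


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals."""
    out, i, n = [], 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:        # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):           # line comment: skip to newline
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):           # block comment: skip past */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def audit(text: str) -> str:
    """Return 'disabled' (safeguard active), 'enabled' or 'missing'."""
    cfg = json.loads(strip_json_comments(text))
    value = cfg.get(OPTION)
    if value is None:
        return "missing"
    return "disabled" if value is False else "enabled"


# Constructed samples (not real deployments).
SAFE = """{
  // shape of the default shipped with the fixed package
  "Name" : "MyOrthanc",
  "RestApiWriteToFileSystemEnabled" : false,
  "RemoteAccessAllowed" : false
}"""
LOCAL_OVERRIDE = """{
  "Name" : "Archive",
  /* legacy behaviour re-enabled by an administrator */
  "RestApiWriteToFileSystemEnabled" : true
}"""
LEGACY = '{ "Name" : "Old", "HttpPort" : 8042 }'


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/orthanc/orthanc.json"
    with open(path, encoding="utf-8") as fh:
        print(f"{path}: {OPTION} is {audit(fh.read())}")
```

Run it with no arguments on a buster host after the upgrade; anything other than "disabled" means the safeguard is not active for that instance.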

For Debian 10 buster, this problem has been fixed in version
1.5.6+dfsg-1+deb10u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/orthanc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3530-1] openssl security update

2023-08-15 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3530-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
August 15, 2023                         https://wiki.debian.org/LTS
- -

Package: openssl
Version: 1.1.1n-0+deb10u6
CVE ID : CVE-2023-3446 CVE-2023-3817

Two vulnerabilities were discovered in openssl, a Secure Sockets Layer toolkit:

CVE-2023-3446, CVE-2023-3817

Checking excessively long DH keys or parameters can take a very long time
in applications that call DH_check(), DH_check_ex() or
EVP_PKEY_param_check(), which makes these functions a denial of service
vector when keys or parameters are obtained from untrusted sources. The
openssl dhparam and pkeyparam command-line tools are affected when run with
the -check option.
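Applications that accept DH parameters from untrusted peers or files can stay off the slow path by rejecting oversized or obviously invalid parameters before handing them to DH_check(). The following is an added example, not OpenSSL code: it parses a DER-encoded PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g, optional privateValueLength) and refuses moduli longer than 10000 bits, the bound OpenSSL itself defines as OPENSSL_DH_MAX_MODULUS_BITS, plus two cheap structural checks, before any expensive primality or generator check would run. The parameters encoded in the demo are constructed test values of the right size, not real groups.

```python
"""Pre-filter untrusted DH parameters before calling DH_check()-style code.

Added example, not OpenSSL code. Parses a DER PKCS#3 DHParameter
(SEQUENCE { p INTEGER, g INTEGER [, privateValueLength INTEGER] }).
MAX_MODULUS_BITS mirrors OPENSSL_DH_MAX_MODULUS_BITS (10000); the values
built in the demo at the bottom are constructed, not real DH groups.
"""
MAX_MODULUS_BITS = 10000


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(x: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER."""
    if x < 0:
        raise ValueError("negative integers not supported here")
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                 # keep the sign bit clear
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params(p: int, g: int) -> bytes:
    body = der_integer(p) + der_integer(g)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def parse_dh_params(der: bytes):
    """Return (p, g) from a DER DHParameter; raise ValueError if malformed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02 or not v:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(v, "big"))
    if len(ints) not in (2, 3):
        raise ValueError("expected p, g[, privateValueLength]")
    return ints[0], ints[1]


def prefilter_dh_params(der: bytes, max_bits: int = MAX_MODULUS_BITS):
    """Cheap sanity checks to run before any expensive DH_check()-style work.

    Returns (ok, reason). Only a True result should be passed on to the
    full (slow) checks; everything else is rejected immediately.
    """
    try:
        p, g = parse_dh_params(der)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if p.bit_length() > max_bits:          # the CVE-2023-3446/3817 trigger
        return False, f"modulus too large ({p.bit_length()} bits)"
    if p < 3 or p % 2 == 0:
        return False, "modulus is not an odd number > 2"
    if not 1 < g < p - 1:
        return False, "generator out of range"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: right size, but NOT safe primes; size check only.
    for label, p in (("2048-bit", (1 << 2047) | 1), ("16384-bit", (1 << 16383) | 1)):
        print(label, prefilter_dh_params(encode_dh_params(p, 2)))
```

The size bound is the important part: it is what stops a single crafted parameter blob from costing seconds of CPU, and it is independent of whether the remaining checks are later done by OpenSSL or by something else.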


For Debian 10 buster, these problems have been fixed in version
1.1.1n-0+deb10u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3471-1] c-ares security update

2023-06-26 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3471-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
June 26, 2023                           https://wiki.debian.org/LTS
- -

Package: c-ares
Version: 1.14.0-1+deb10u3
CVE ID : CVE-2023-31130 CVE-2023-32067

Two vulnerabilities were discovered in c-ares, an asynchronous name
resolver library:

CVE-2023-31130

ares_inet_net_pton() is vulnerable to a buffer underflow for certain IPv6
addresses; in particular "0::00:00:00/2" was found to trigger it. c-ares
only uses this function internally for configuration purposes, but
applications that call it on untrusted input may be affected more severely.

CVE-2023-32067

The target resolver may erroneously interpret a malformed UDP packet with a
length of 0 as a graceful shutdown of the connection, which could cause a
denial of service.

For Debian 10 buster, these problems have been fixed in version
1.14.0-1+deb10u3.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmSZ61QACgkQ0+Fzg8+n
/wb82hAAmK/VnXYGgePdz6nDLPP+Zz/+VfykeDdOt6Ru2KL0fkuGWTtxDwRJ6R/O
yopEG3Ws68vapseQd8aQdwkDbmhEOmxcEqfvbVj0DTx5uu70Dg/jxEACDcnFwN2V
wUPt2PoJj5Qy20gF1G4kEFzKg8u6W0m+fCXf9mWAyF0+0cir9aXobCS7AbDmiweO
9QEAY5ybJdytKiFA7fYNm63j8LCTgny5emDmXeEyFUd8500poel9UbMVmglUSton
Qdl2EbnvHx1BZ9WK++4KKQZbn5at/N+2ldl8oefDOnHuyIc3QZh1KXjahkrU6q9X
LKTJTN3PiQj1NXOt5NHkjfeefk5Ofe/1mLlbaZ7QAYKAyOn8NQMpMEY+oIb9T2UO
yKkUt958KvAmPZzwLFfDFzU04VgX1xygiLhpQvYJoPNCgqrBlqsaff35EbAdEzJb
W46qGmpIn2Uy9qbEWGgyWBg6moYEA0LF8CK4JMEPA6Cyh4Ka7nfGpfqCGkN5C8Xb
IgyiQf9+oCh+IK9p3YLv+4lIt5Y84LYxYooqdPJPceJxlbEgYNIxQpydqtNAnWie
o/LIyDLSI0hhDs9N9D0vmeyETl+vUOmKUjUmnp3R3G844svK18MahXbudMxFk44f
EyMTVFRz4WexiyHa32MuApIBUHAdSu70vTvLIivinIgIrMyoMCo=
=LIQi
-END PGP SIGNATURE-



[SECURITY] [DLA 3399-1] 389-ds-base security update

2023-04-23 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3399-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
April 24, 2023                          https://wiki.debian.org/LTS
- -

Package: 389-ds-base
Version: 1.4.0.21-1+deb10u1
CVE ID : CVE-2019-3883 CVE-2019-10224 CVE-2019-14824 CVE-2021-3514
 CVE-2021-3652 CVE-2021-4091 CVE-2022-0918 CVE-2022-0996
 CVE-2022-2850

Multiple security issues were discovered in 389-ds-base: an open source LDAP
server for Linux.

CVE-2019-3883

SSL/TLS requests do not enforce ioblocktimeout limit, leading to DoS
vulnerability by hanging all workers with hanging LDAP requests.

CVE-2019-10224

The dscreate and dsconf commands may disclose sensitive information, such as
the Directory Manager password, when executed in verbose mode. An attacker
who can view the screen or capture the terminal's standard error output can
exploit this to obtain confidential information.

CVE-2019-14824

The 'deref' plugin of 389-ds-base has a vulnerability that enables it to
disclose attribute values using the 'search' permission. In certain setups,
an authenticated attacker can exploit this flaw to access confidential
attributes, including password hashes.

CVE-2021-3514

If a sync_repl client is used, an authenticated attacker can trigger a crash
by exploiting a specially crafted query that leads to a NULL pointer
dereference.

CVE-2021-3652

Importing an asterisk as password hashes enables successful authentication
with any password, allowing attackers to access accounts with disabled
passwords.

CVE-2021-4091

A double free was found in the way 389-ds-base handles virtual attributes
context in persistent searches. An attacker could send a series of search
requests, forcing the server to behave unexpectedly, and crash.

CVE-2022-0918

An unauthenticated attacker with network access to the LDAP port can cause a
denial of service. The denial of service is triggered by a single message
sent over a TCP connection, no bind or other authentication is required. The
message triggers a segmentation fault that results in slapd crashing.

CVE-2022-0996

A user whose password had expired was still allowed to access the directory
as if the password were valid. Once a password has expired and any "grace
logins" have been used up, the account is supposed to be locked out and must
not be allowed to perform any privileged action.

CVE-2022-2850

A NULL pointer dereference in the content synchronization plugin enables an
authenticated attacker to trigger a denial of service via a crafted query.

For Debian 10 buster, these problems have been fixed in version
1.4.0.21-1+deb10u1.

We recommend that you upgrade your 389-ds-base packages.

For the detailed security status of 389-ds-base please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/389-ds-base

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3376-1] svgpp security update

2023-04-01 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3376-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
March 31, 2023                          https://wiki.debian.org/LTS
- -

Package: svgpp
Version: 1.2.3+dfsg1-6+deb10u1
CVE ID : CVE-2019-6245 CVE-2019-6247 CVE-2021-44960

Multiple security issues were discovered in svgpp: a C++ library for parsing and
rendering Scalable Vector Graphics (SVG) files.

CVE-2021-44960
   The XMLDocument::getRoot function, as used by renderDocument, handled the
   XMLDocument object improperly: it returned a null pointer prematurely at
   the second if statement, resulting in a null pointer dereference inside
   renderDocument.

CVE-2019-6245 and CVE-2019-6247:
   Issues were discovered in Anti-Grain Geometry (AGG) in the function
   agg::cell_aa::not_equal. Since svgpp is a header-only library, these AGG
   issues affect it only transitively; the update therefore only tightens
   the dependency on a fixed version of AGG in the control file.

For Debian 10 buster, these problems have been fixed in version
1.2.3+dfsg1-6+deb10u1.

We recommend that you upgrade your svgpp packages.

For the detailed security status of svgpp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/svgpp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3353-1] xfig security update

2023-03-05 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3353-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
March 05, 2023                          https://wiki.debian.org/LTS
- -

Package: xfig
Version: 1:3.2.7a-3+deb10u1
CVE ID : CVE-2021-40241
Debian Bug : 992395

A security issue has been discovered in xfig, a diagramming tool for the
interactive generation of figures under X11.

CVE-2021-40241:
A potential buffer overflow exists in the file src/w_help.c at line 55. The
string returned by getenv("LANG") can be arbitrarily long, and it is copied
into a fixed-size buffer with sprintf(), overflowing that buffer. This could
allow an attacker to execute arbitrary code or cause a denial-of-service
condition. Note that LANG is read from the environment of the process, so
the overflow is triggered by whoever starts xfig, not by a crafted figure
file.

For Debian 10 buster, this problem has been fixed in version
1:3.2.7a-3+deb10u1.

We recommend that you upgrade your xfig packages.

For the detailed security status of xfig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xfig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmQEvKEACgkQ0+Fzg8+n
/waH1g/+IW/TB5mq/oTzEmohkmCwfz/j6WiRQr90yWo3TU/o2HkO7owpbqJuMNvi
gLADPK4qd1sL52oAZ9hThjnxaDtnqGRxkuRVxu0IVIMeH/wlXzj2+r58k+iBOhzY
oE07ccCa436IhS72djbBRNvEDBZv72NQicU3fXQXPJcizyOvITw/x+ykc9gBHICO
UnDj9HE9x5QTDH+BgTVZg/43jAzC2SF2Ydq/Z7yrKI1MFvZgZFXNrYc+BtBHlQWU
Z1ZSb+WxltKDb8tb9buPZzdhZmfPnz/6y0fDylEfSislTVjbK0CbgL0AxCNTqniD
JX7/KWCrVvg7goTk9br3DMlqvX1EMRe+cEY8VZealIFwQ8GTyBMhx1Kq8iCwrH/v
8oSoIGNw1y48ijvvwl5r73Twxb7PJoB8NWidt99gnwMlH6jf40CB7m/K2pxoft+p
so5yGBIMIYxty5A+82NK9wesS4ckYJy9aMsYpge4tzkL98T1zYfraHVUZeEVc01I
e4rsDlrO73MRyjgPkLUU+EoFjv+Z23BypjRpCiE2NUGk964pa2vThANWkOsTC1qj
7GPq7Sa664bPojjaPdD4BWHn062ibVoeAd88IHyJxwzijM3vLtjrJoma7hmcYYpV
0Km5ITJ0+nZ2wxgRcD+P4S4OGZvVRNJdkDcoWfddi2SJyXM4OeE=
=rD2W
-END PGP SIGNATURE-



[SECURITY] [DLA 3122-1] dovecot security update

2022-09-26 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3122-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
September 27, 2022                      https://wiki.debian.org/LTS
- -

Package: dovecot
Version: 1:2.3.4.1-5+deb10u7
CVE ID : CVE-2021-33515 CVE-2022-30550

Two security issues were discovered in dovecot, an IMAP and POP3 email server:

CVE-2021-33515

The submission service in Dovecot before 2.3.15 allows STARTTLS command
injection in lib-smtp. Sensitive information can be redirected to an
attacker-controlled address.

CVE-2022-30550

When two passdb configuration entries exist with the same driver and args
settings, incorrectly applied settings can lead to an unintended security
configuration and can permit privilege escalation in certain configurations.
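A quick way to look for the CVE-2022-30550 pattern in an existing deployment is to list passdb blocks that share both driver and args. The following is an added example, not Dovecot code: a small parser for the `key = value` and `section { ... }` syntax of dovecot.conf, applied to a constructed configuration fragment. It does not follow !include directives, so run it over the output of `doveconf -n`, which prints the merged non-default configuration in the same syntax; the file path and the sample configuration are assumptions for the demonstration.

```python
"""Find passdb blocks that share driver and args (the CVE-2022-30550 pattern).

Added example, not Dovecot code. SAMPLE is a constructed configuration;
the input is expected to be dovecot.conf or the output of `doveconf -n`.
"""
import re
import sys
from collections import Counter

_SECTION_OPEN = re.compile(r"^\s*(\w+)(?:\s+(\S+))?\s*\{\s*$")   # "passdb {" / "namespace inbox {"
_SETTING = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")           # "driver = pam"


def parse_blocks(text: str, wanted: str = "passdb"):
    """Return one dict of settings per `wanted` section, in file order."""
    stack, found = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1), {}))      # open a nested section
            continue
        if line.strip() == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            name, body = stack.pop()
            if name == wanted:
                found.append(body)
            continue
        m = _SETTING.match(line)
        if m and stack:                         # top-level settings are not needed here
            stack[-1][1][m.group(1)] = m.group(2)
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return found


def duplicate_passdbs(text: str):
    """Return (driver, args) pairs that occur in more than one passdb block."""
    keys = Counter((b.get("driver", ""), b.get("args", ""))
                   for b in parse_blocks(text, "passdb"))
    return sorted(k for k, n in keys.items() if n > 1)


# Constructed sample: the second and third passdb share driver and args.
SAMPLE = """
auth_mechanisms = plain login
# system users first
passdb {
  driver = pam
  args = dovecot
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  deny = yes
}
passdb {
  driver = passwd-file
  args = /etc/dovecot/users
  master = yes
}
"""


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    dups = duplicate_passdbs(text)
    for driver, args in dups:
        print(f"passdb driver={driver!r} args={args!r} appears more than once")
    if not dups:
        print("no duplicate passdb driver/args pairs")
```

Any pair reported is worth reviewing against the intended behaviour of each block (deny, master, and similar flags) on the unpatched version, and is a reason to prioritise the upgrade.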

For Debian 10 buster, these problems have been fixed in version
1:2.3.4.1-5+deb10u7.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3097-1] thunderbird security update

2022-09-04 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3097-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
September 04, 2022                      https://wiki.debian.org/LTS
- -

Package: thunderbird
Version: 1:91.13.0-1~deb10u1
CVE ID : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:91.13.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3087-1] webkit2gtk security update

2022-08-30 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3087-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
August 30, 2022                         https://wiki.debian.org/LTS
- -

Package: webkit2gtk
Version: 2.36.7-1~deb10u1
CVE ID : CVE-2022-32893

The following vulnerability has been discovered in the WebKitGTK
web engine:

CVE-2022-32893

An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution. Apple is
aware of a report that this issue may have been actively
exploited.

For Debian 10 buster, this problem has been fixed in version
2.36.7-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmMOOScACgkQ0+Fzg8+n
/wYLWA/5AfkmYxgRJrmY1YIaknbP9BWsNn8/nxIwaVgN8jZlA0GkzhB0+J5GAPBx
5/fblyoWXWRdEsBekqlTTqOQsr5SdPWstbVSrb2eLkj6F/Yp6DhDRMWbOGU/gc5P
CBUdYOZ4/tB4XXeTrxDb//Q4Al7t2iRgADold1zlXw/TCEJAOa6qO6kZgZjf1xMq
YZmfU/h2FOCjDn9QccUM/tjoa+ePFzkz8P/3uQupP297c0G3wlWaCtkmca8h0UgD
LNjA+x3erQHYU354GSS1WCjbZChKdncEveWMMbV88YK8JLXbq3sD+Ztiqz3waDh+
I5h/Yh3ntSPnpp69ozHN/XbfUUJ3oTj4jP4VGWAuKhagKFg6dfIauilSkZ/FMCP9
bJxJWPOnyddiPKRHKA8gnmza5ponP2iwghAHsmORFntvDVp8R7N6xLWFE6cryoem
B/BVIF5xEsnZlD0MboGN/ZAcaXyeIqF2I6MxLLSaBTgnOShE1Ku26j8QOvqaL/er
p5inaZTu4WP1y0YqFgD6rvWjVGy5ZsCUbBhGDjJhK0FYTqWdOIu/QSomxfd0yxfC
2+fy13MYetPQXvMWYfDDGixxBK0lLJ0ArroGvad0WnB+uyEwX29jiq0rG+tyM9I3
hV8lWFGg4dIWRfln8oWmIiNcj7jANBa5B/Hdc3jlRwc4FY3Sv8I=
=tjtU
-END PGP SIGNATURE-



[SECURITY] [DLA 3084-1] ndpi security update

2022-08-28 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3084-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
August 27, 2022                         https://wiki.debian.org/LTS
- -

Package: ndpi
Version: 2.6-3+deb10u1
CVE ID : CVE-2020-15472 CVE-2020-15476

Two security issues have been discovered in ndpi, a deep packet inspection
library.

CVE-2020-15472

The H.323 dissector is vulnerable to a heap-based buffer over-read in
ndpi_search_h323 in lib/protocols/h323.c.

CVE-2020-15476

The Oracle protocol dissector has a heap-based buffer over-read in
ndpi_search_oracle.

For Debian 10 buster, these problems have been fixed in version
2.6-3+deb10u1.

We recommend that you upgrade your ndpi packages.

For the detailed security status of ndpi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ndpi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmMLOuQACgkQ0+Fzg8+n
/wa5EhAAk2gRn9sJAlealaLCTNtatgM1VNAS6+qans3GFqUd++lzcD5DX1i2e6Tx
lOR55eWNLeMqx3wP6w67Ik+uPvEfmPg6AKk/EiGkcgRfw8A5ZFdAXfg8yT7cC723
X/9qK7FepHR0cB297vzXezrWggV/Mjbsbfx3ZfMyUiS5S4iwSR5sqsNNXdLkudKC
E3AymRsUKhOty6TSCRilNOd5kvORx9eJvUUTJca8Tfo6LwTQBCRWyTX6hU/5gQqP
el5n2K+MZJ5eV0+ckrj8w8dCLT5y3M+/qgZGSosOMdqKSDZrNzDdvuUF8EKSjN6z
4H+ba5u4Fxr6oDCC4V4uCijsSTvbslH+XwGMCKGABxPL3Yq+ldC7H9mZIi5bJEGr
gwu4iEeIAzIlTPdLvyycBqgLPV8S2Dzv7HV5Z1SXp6f38fUBczBTyq0kBSXkivOq
tAH6eKGtqkiW1VXY1JSCl197GaxDrHQkBdFG3bDI+3hX0Kx9MN8qXBc0mShOkGep
788dVF38OL5BtOLVRwTLCsqGX2+mZX1hA1SgvZ8v3wg4Y3gZoIP/p0UYNsa3XFEV
DZ3QamPS/YZlWhLfa05sTC+CaM5+W7SYkTaPT84wpyPd3//XaXYUuK+LUxBnkt7N
t9PCZPXxSc+xlsECEWadAiXvTVDN7Q7iBkjuqps19PcQy4mMQjs=
=ufUV
-END PGP SIGNATURE-



[SECURITY] [DLA 3080-1] firefox-esr security update

2022-08-24 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3080-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
August 24, 2022                         https://wiki.debian.org/LTS
- -

Package: firefox-esr
Version: 91.13.0esr-1~deb10u1
CVE ID : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478
Debian Bug : 

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code or spoofing.

For Debian 10 buster, these problems have been fixed in version
91.13.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmMGhb8ACgkQ0+Fzg8+n
/wZ6OxAAj2NFWat//igxYPjh+JDm995lhVyFApVpf9pLwlA567AhpbD94ujY+Cmu
ne+oQWumvjAHL6/tW7htrZdL42YCqr97Fh0X4qyH+gkmkLQkb1cHQL94aAlhW71I
7k6e4mqp1mRHZ1hxJSRIf1OC5vtCnuCILZu8EVv/ylT4uCMTvwo5oEUutBCCIISG
EbhRpPZ6u6F5LnT4si10Bay48fAs3CwF39P9Tvq0fGXAKbzezQf/TRApNW1DtRjt
Zz9tNsskKAqUb5oCN4kfkureDKks17buANxm9S9IWTLKvQ9maIdzc+gtRA/bnCZ8
0Tj1PZy4CWbK/3hYVfT3G/khSG9H+VKhaCR8s5XEzynJ/87gZ8TDR35b80sRANKy
Jvgt6yK/lPGv9cecJnWTL1MukbGnkD5dK4u8py9JPF/2+JLn7O9fHVhfDLEsTu0b
Wa8Tz6urQlpc1B+7HDxDAEvWv5p3xg50BBaK17CvYRFFqet2ZM8ylh4G0/UzqvGv
bzu5WYiLO3QH3YEUy4HgsGkhvCLe9+jQxQRpZJIFg95egVqnXlYk6XW3bEvW1UIq
7rg39WuvJq4WFq1tnUeK6KmiV1l7UoCTbu1mzeLzIskhAc3MgSzWv5k4fGlfkqQ3
HIBD7UWBU5xgZ3EG4pv0fHL6msmMe3q5VblILDDqnGWei8SIw8I=
=8s/D
-END PGP SIGNATURE-



[SECURITY] [DLA 3019-1] admesh security update

2022-05-22 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3019-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
May 22, 2022                            https://wiki.debian.org/LTS
- -

Package: admesh
Version: 0.98.2-3+deb9u1
CVE ID : CVE-2018-25033
Debian Bug : 1010770

One security issue has been found in admesh, a tool for processing
triangulated solid meshes.

A heap-based buffer over-read in stl_update_connects_remove_1 (called from
stl_remove_degenerate) in connect.c was detected, which might lead to memory
corruption and other potential consequences when a crafted mesh is processed.

For Debian 9 stretch, this problem has been fixed in version
0.98.2-3+deb9u1.

We recommend that you upgrade your admesh packages.

For the detailed security status of admesh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/admesh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2983-1] abcm2ps security update

2022-04-16 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2983-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
April 16, 2022                          https://wiki.debian.org/LTS
- -

Package: abcm2ps
Version: 7.8.9-1+deb9u1
CVE ID : CVE-2018-10753 CVE-2018-10771 CVE-2019-1010069 CVE-2021-32434
 CVE-2021-32435 CVE-2021-32436

Multiple vulnerabilities have been discovered in abcm2ps, a program which
translates ABC music description files to PostScript.

CVE-2018-10753

Stack-based buffer overflow in the delayed_output function in music.c
allows remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact.

CVE-2018-10771

Stack-based buffer overflow in the get_key function in parse.c allows remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact.

CVE-2019-1010069

Incorrect access control allows attackers to cause a denial of service via a
crafted file.

CVE-2021-32434

Array overflow when a wrong duration is given in a voice overlay.

CVE-2021-32435

Stack-based buffer overflow in the function get_key in parse.c allows remote
attackers to cause a denial of service (DoS) via unspecified vectors.

CVE-2021-32436

Out-of-bounds read in the function write_title() in subs.c allows remote
attackers to cause a denial of service via unspecified vectors.

For Debian 9 stretch, these problems have been fixed in version
7.8.9-1+deb9u1.

We recommend that you upgrade your abcm2ps packages.

For the detailed security status of abcm2ps please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abcm2ps

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2975-1] openjpeg2 security update

2022-04-10 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2975-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
April 10, 2022                          https://wiki.debian.org/LTS
- -

Package: openjpeg2
Version: 2.1.2-1.1+deb9u7
CVE ID : CVE-2020-27842 CVE-2020-27843 CVE-2021-29338 CVE-2022-1122

Multiple vulnerabilities have been discovered in openjpeg2, the open-source
JPEG 2000 codec.

CVE-2020-27842

Null pointer dereference through specially crafted input. The highest impact
of this flaw is to application availability.


CVE-2020-27843

The flaw allows an attacker to provide specially crafted input to the
conversion or encoding functionality, causing an out-of-bounds read. The
highest threat from this vulnerability is system availability.


CVE-2021-29338

Integer overflow allows remote attackers to crash the application, causing a
denial of service. This occurs when the attacker uses the command line
option "-ImgDir" on a directory that contains 1048576 files.


CVE-2022-1122

Input directory with a large number of files can lead to a segmentation
fault and a denial of service due to a call of free() on an uninitialized
pointer.

For Debian 9 stretch, these problems have been fixed in version
2.1.2-1.1+deb9u7.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2972-1] libxml2 security update

2022-04-08 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2972-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
April 08, 2022                          https://wiki.debian.org/LTS
- -

Package: libxml2
Version: 2.9.4+dfsg1-2.2+deb9u6
CVE ID : CVE-2016-9318 CVE-2017-5130 CVE-2017-5969 CVE-2017-16932
 CVE-2022-23308

Five security issues have been discovered in libxml2, an XML C parser and toolkit.

CVE-2016-9318

Vulnerable versions do not offer a flag directly indicating that the current
document may be read but other files may not be opened, which makes it
easier for remote attackers to conduct XML External Entity (XXE) attacks via
a crafted document.


CVE-2017-5130

An integer overflow in the memory debugging code allowed a remote attacker
to potentially exploit heap corruption via a crafted XML file.


CVE-2017-5969

The parser in recover mode allows remote attackers to cause a denial of
service (NULL pointer dereference) via a crafted XML document.


CVE-2017-16932

When expanding a parameter entity in a DTD, infinite recursion could lead to
an infinite loop or memory exhaustion.


CVE-2022-23308

An application that validates XML using xmlTextReaderRead() with
XML_PARSE_DTDATTR and XML_PARSE_DTDVALID enabled is vulnerable to a
use-after-free. This issue can result in denial of service.

For Debian 9 stretch, these problems have been fixed in version
2.9.4+dfsg1-2.2+deb9u6.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2968-1] zlib security update

2022-04-02 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2968-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
April 02, 2022                          https://wiki.debian.org/LTS
- -

Package: zlib
Version: 1:1.2.8.dfsg-5+deb9u1
CVE ID : CVE-2018-25032
Debian Bug : 1008265

One security issue has been found in zlib, a compression library.

Danilo Ramos discovered that incorrect memory handling in zlib's deflate
handling could result in denial of service or potentially the execution
of arbitrary code if specially crafted input is processed.

For Debian 9 stretch, this problem has been fixed in version
1:1.2.8.dfsg-5+deb9u1.

We recommend that you upgrade your zlib packages.

For the detailed security status of zlib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zlib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [UPDATE] [DLA 2948-1] debian-archive-keyring update

2022-03-13 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2948-1          debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
March 13, 2022                          https://wiki.debian.org/LTS
- -

Package: debian-archive-keyring
Version: 2017.5+deb9u2

debian-archive-keyring is the package containing the OpenPGP keys used to
sign the Debian archive. New keys are added with every Debian release.

For Debian 9 stretch, the keys for the Debian 11 (bullseye) release are added
in version 2017.5+deb9u2.

We recommend that you upgrade your debian-archive-keyring packages only if
you need to work with packages from the bullseye release.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2937-1] gif2apng security update

2022-03-07 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2937-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
March 07, 2022https://wiki.debian.org/LTS
- -

Package: gif2apng
Version: 1.9+srconly-2+deb9u2
CVE ID : CVE-2021-45909 CVE-2021-45910 CVE-2021-45911

Three issues have been discovered in gif2apng, a tool for converting animated
GIF images to APNG format.

CVE-2021-45909:

A heap-based buffer overflow vulnerability in the DecodeLZW function.
It allows an attacker to write a large amount of arbitrary data outside the
boundaries of a buffer.

CVE-2021-45910:

A heap-based buffer overflow within the main function. It allows an attacker
to write data outside of the allocated buffer.

CVE-2021-45911:

A heap-based buffer overflow in the processing of delays in the main function.

For Debian 9 stretch, these problems have been fixed in version
1.9+srconly-2+deb9u2.

We recommend that you upgrade your gif2apng packages.

For the detailed security status of gif2apng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gif2apng

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2929-1] ujson security update

2022-02-26 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2929-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
February 26, 2022 https://wiki.debian.org/LTS
- -

Package: ujson
Version: 1.35-1+deb9u1
CVE ID : CVE-2021-45958

One issue has been discovered in ujson, an ultra-fast JSON encoder and decoder
for Python.

CVE-2021-45958

A stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from
encode) has been detected. Exploitation can, for example, use a large amount of
indentation.


For Debian 9 stretch, this problem has been fixed in version
1.35-1+deb9u1.

We recommend that you upgrade your ujson packages.

For the detailed security status of ujson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ujson

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2919-1] python2.7 security update

2022-02-12 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2919-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
February 12, 2022 https://wiki.debian.org/LTS
- -

Package: python2.7
Version: 2.7.13-2+deb9u6
CVE ID : CVE-2021-3177 CVE-2021-4189

Two issues have been discovered in python2.7:

CVE-2021-3177

Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may
lead to remote code execution in certain Python applications that accept
floating-point numbers as untrusted input.

CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol)
client library when using it in PASV (passive) mode. The flaw lies in how
the FTP client trusts the host from the PASV response by default. An attacker
could use this flaw to set up a malicious FTP server that can trick FTP
clients into connecting back to a given IP address and port. This could lead
to the FTP client scanning ports which otherwise would not have been possible.

Instead of using the returned address, ftplib now uses the IP address we're
already connected to. For the rare user who wants the old behavior, set a
`trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to
True.

For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u6.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmIIAncACgkQ0+Fzg8+n
/wZuIw/+OiuwUuPTvw9K+5rw1h1Rme/llzRWopNoPh8wJ+mhz8VOJ9O0gkdRqphu
zpA8JjP+6Nip0cBLQsDlfs/3Oz8H3mZdh7f3SwIlaFqR/U0Y7/SvyL31NwVc84i6
zsQPeXU3Z6Ox8EEUg5B3UCiaaeaOoTQayXCoGPx72i+wOiLSIwK7Aq7H04PBmfSJ
hWL6p7O+B+KiwlGcgK9oX+cGa84SoZFrSsSY8ftY/ZDdtTlbGLZn6y1yPtsszsxf
sMS0PMN9iOCqeSBqelSldLVV8eSFmdE1nvR3NMfX8jNHp8Q8DKkRhlzR6w6O6FFL
8gGWrg7IZL1D6nblYwGoGWcZDftcDl26cayLVTg9NsHmTGTH5PYPz6/43VRK5qz6
66naV0S38f0CgcfHhuiBG3D+u1VOAe8DSlmgCmf52Iqu+1xbE+PM3WyOhDwSI11Z
EllRe4+s1tnojc7U3EOkpd/JbxFp7wWYtSCkpYmDfGXhFy1Er4oKGPAZURymFtBK
IEiTE42RqqfC77kwxoqz++W0VEx/JDKOMHT0zcxtip1G9aYtCMM6nt5fsrxwxZNY
CyL7QVEeVtn4qum2Z1BwDaUJZpdf0nDAgmoQWgXAt0LZ9zevVNG9wv0XgQacUnLG
AGCjRWwl77dgeYrJMlItYLFRoFReEnh+YuRbbvgIcZwBr1tSrOk=
=3cDu
-END PGP SIGNATURE-
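The PASV decision that CVE-2021-4189 changed, as an added example that is not part of the advisory above and not CPython's code. It is written for Python 3 rather than the python2.7 package the advisory patches, and re-implements only the choice the upstream fix made: whether the data connection goes to the host named in the server's 227 reply or to the host the control connection already talks to. The 227 reply, the peer address and the demo() helper are constructed for the example.

```python
"""
Passive-mode host selection in an FTP client, illustrating the CVE-2021-4189
fix: added example, not the advisory's or CPython's code.
"""
from __future__ import annotations

import ftplib
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.ASCII)


def parse_227(resp: str) -> tuple[str, int]:
    """Extract the host and port a server announces in a 227 PASV reply."""
    if not resp.startswith("227"):
        raise ftplib.error_reply(resp)
    m = _PASV_RE.search(resp)
    if m is None:
        raise ftplib.error_proto(resp)
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), (n[4] << 8) + n[5]


def data_endpoint(peer_host: str, resp: str,
                  trust_server_pasv_ipv4_address: bool = False) -> tuple[str, int]:
    """Decide where the data connection goes.

    peer_host is the server address on the existing control connection (what
    ftplib reads from sock.getpeername()). Before the fix the client connected
    to whatever host the 227 reply named, which lets a malicious server steer
    the client at an arbitrary IP:port. After the fix the announced host is
    ignored and only the announced port is used, unless the caller opts back in.
    """
    announced_host, port = parse_227(resp)
    if trust_server_pasv_ipv4_address:
        return announced_host, port   # pre-fix behaviour, opt-in only
    return peer_host, port            # fixed behaviour


# Constructed sample: control connection to 192.0.2.10, but the server answers
# PASV with an unrelated internal address and port 50000 (195*256 + 80).
PEER = "192.0.2.10"
MALICIOUS_227 = "227 Entering Passive Mode (10,0,0,5,195,80)"


def demo() -> dict:
    """Show the three outcomes side by side."""
    return {
        "announced": parse_227(MALICIOUS_227),
        "fixed": data_endpoint(PEER, MALICIOUS_227),
        "legacy": data_endpoint(PEER, MALICIOUS_227,
                                trust_server_pasv_ipv4_address=True),
        # The attribute the advisory mentions, as shipped on this interpreter's
        # ftplib.FTP (None if the interpreter predates the fix).
        "ftplib_default": getattr(ftplib.FTP,
                                  "trust_server_pasv_ipv4_address", None),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The opt-in attribute only matters for IPv4 PASV; the IPv6 path (EPSV, 229 reply) already connected to the control connection's peer, which is why the fix brought PASV in line with it.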



[SECURITY] [DLA 2907-1] apache2 security update

2022-02-01 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2907-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
February 01, 2022 https://wiki.debian.org/LTS
- -

Package: apache2
Version: 2.4.25-3+deb9u12
CVE ID : CVE-2021-44224 CVE-2021-44790

Two vulnerabilities have been discovered in the Apache HTTP server:

CVE-2021-44224

When operating as a forward proxy, Apache was, depending on the setup,
susceptible to denial of service or Server Side Request Forgery.

CVE-2021-44790

A buffer overflow in mod_lua may result in denial of service or potentially
the execution of arbitrary code.

For Debian 9 stretch, these problems have been fixed in version
2.4.25-3+deb9u12.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apache2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2879-1] lighttpd security update

2022-01-18 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2879-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
January 14, 2022  https://wiki.debian.org/LTS
- -

Package: lighttpd
Version: 1.4.45-1+deb9u1
CVE ID : CVE-2018-19052

One issue has been discovered in lighttpd, a fast web server with a minimal
memory footprint.

CVE-2018-19052: An issue was discovered in mod_alias_physical_handler in
mod_alias.c in lighttpd before 1.4.50. There is potential ../ path traversal of
a single directory above an alias target, with a specific mod_alias
configuration where the matched alias lacks a trailing '/' character, but the
alias target filesystem path does have a trailing '/' character.

For Debian 9 stretch, this problem has been fixed in version
1.4.45-1+deb9u1.

We recommend that you upgrade your lighttpd packages.

For the detailed security status of lighttpd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lighttpd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmHm/wMACgkQ0+Fzg8+n
/wbkGRAAkBPd/YM8g/PqpkgpXhomSOlP+2ydhJFg8bgpCuC6XGvZeHZtGKV5QcgJ
cTPRC7fGqHZ2C617h6gsuSRcpZxz7xkzyM2uQtlXCxKP8NIg56K4lzJ+Z23JjGE7
/2Dg8/7QVQ+HeLT0fWyaOYhRVjVgdlUCLfby+Lf+icMzGZ8yysT2bnLNwFn0QFiv
WG580M0JFo3y/gFaI7G5PCAh5Qr/7gr0kOotl9tv4GOz18KMiBhrGMjnzOCD3bYm
Hi0bP9jBv4mdN45yEeysJLlItr34XOjU9Q++bs83OJ48JqBlNpvnGyQFPTZaFs2I
3VasogDKZt3uOXOdk3aO9mAea9QsI8CTVkSqvUhDKQqEXYBmnAHbjyN7NB540WRB
2d+YSCCTKMoybL7mSNTo9fZAsJEKqXtllnJ4W9I3zK0KQC7Ks8SEoGj30eZkQK56
BYvVCfHB3IMLqgEx7M0QU4DN3n7lm7drwhISba1Z+1Y9OtfQZ8aP3oKqGdDb00jE
9uD4D3mKVnrAuZ6DI6/n+VhXGNtNjWkOp8tXP9uuFyizYXGChbex4JoUPgglvNm+
JGh/kYfyql1v19Pl1bcYa8zH+Y9z5rnLEA/4SmVA/MnsehkD0ftQFaL5qQZiHspH
v2uz8uJ5MTcrI4zl43bznQ5Zw9dqKyS+cVTrnVwtvUJ+3gN5sq0=
=Ejs6
-END PGP SIGNATURE-
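A simulation of the mod_alias prefix mapping behind CVE-2018-19052, as an added example that is not part of the advisory and not lighttpd's code. It models the two steps that matter, the alias prefix match and the concatenation with the target directory, first the way the advisory describes the vulnerable behaviour and then with the check that refuses the traversal. The alias table, filesystem paths and request URIs are constructed for the example.

```python
"""
Simulation of mod_alias prefix mapping with and without the CVE-2018-19052
check: added example, not lighttpd's code.
"""
from __future__ import annotations

import posixpath

# Constructed lighttpd-style alias table in exactly the shape the advisory
# names: the URL prefix lacks a trailing '/', the filesystem target has one.
#     alias.url = ( "/img" => "/srv/www/images/" )
ALIASES = {"/img": "/srv/www/images/"}


def map_alias_vulnerable(uri: str, aliases: dict[str, str]) -> str | None:
    """Naive prefix match: any URI starting with the key is rewritten.

    The request path has already had its "." and ".." segments collapsed by the
    time aliases apply, so "/img../x" arrives intact: "img.." is a plain
    segment. Only after "/srv/www/images/" is glued in front does a real ".."
    segment appear, one directory above the alias target.
    """
    for key, target in aliases.items():
        if uri.startswith(key):
            return target + uri[len(key):]
    return None


def map_alias_fixed(uri: str, aliases: dict[str, str]) -> str | None:
    """Same match, but a key without a trailing '/' pointing at a target with
    one only applies when the URI ends at the key or continues with '/'."""
    for key, target in aliases.items():
        if not uri.startswith(key):
            continue
        rest = uri[len(key):]
        if not key.endswith("/") and target.endswith("/"):
            if rest and not rest.startswith("/"):
                continue  # matched mid-segment ("/img..", "/images"): not ours
        return target + rest
    return None


def escapes_target(mapped: str, target: str) -> bool:
    """True when the normalised filesystem path has left the alias target."""
    root = posixpath.normpath(target)
    path = posixpath.normpath(mapped)
    return path != root and not path.startswith(root + "/")


def demo() -> dict[str, tuple[str | None, bool]]:
    """Mapped path and whether it escaped, per request and mapping."""
    out = {}
    for uri in ("/img/logo.png", "/img../secret.txt", "/images/x"):
        for name, fn in (("vulnerable", map_alias_vulnerable),
                         ("fixed", map_alias_fixed)):
            mapped = fn(uri, ALIASES)
            escaped = mapped is not None and escapes_target(mapped, ALIASES["/img"])
            out[f"{name} {uri}"] = (mapped, escaped)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:32} -> {v}")
```

The configuration-level workaround that follows from the same observation is to give the alias key its own trailing slash (`"/img/" => "/srv/www/images/"`), so the prefix can only match on a segment boundary; the code fix makes the slash-less key behave as if it had one.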



[SECURITY] [DLA 2876-1] vim security update

2022-01-10 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2876-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
January 10, 2022  https://wiki.debian.org/LTS
- -

Package: vim
Version: 2:8.0.0197-4+deb9u4
CVE ID : CVE-2017-17087 CVE-2019-20807 CVE-2021-3778 CVE-2021-3796

Multiple issues have been discovered in vim, an enhanced vi text editor:

CVE-2017-17087
fileio.c in Vim sets the group ownership of a .swp file to the editor's primary
group (which may be different from the group ownership of the original file),
which allows local users to obtain sensitive information by leveraging an
applicable group membership.

CVE-2019-20807
Users can circumvent the rvim restricted mode and execute arbitrary OS
commands via scripting interfaces (e.g., Python, Ruby, or Lua).

CVE-2021-3778
Heap-based Buffer Overflow with invalid utf-8 character was detected in
regexp_nfa.c.

CVE-2021-3796
Heap Use-After-Free memory error was detected in normal.c. A successful
exploitation may lead to code execution.

For Debian 9 stretch, these problems have been fixed in version
2:8.0.0197-4+deb9u4.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vim

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2848-1] libssh2 security update

2021-12-17 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2848-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
December 17, 2021 https://wiki.debian.org/LTS
- -

Package: libssh2
Version: 1.7.0-1+deb9u2
CVE ID : CVE-2019-13115 CVE-2019-17498

Two issues have been discovered in libssh2, a client-side C library implementing
the SSH2 protocol:

CVE-2019-13115:
kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has
an integer overflow that could lead to an out-of-bounds read in the way
packets are read from the server. A remote attacker who compromises an
SSH server may be able to disclose sensitive information or cause a denial
of service condition on the client system when a user connects to the server.

CVE-2019-17498:
SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check,
enabling an attacker to specify an arbitrary (out-of-bounds) offset for a
subsequent memory read. A crafted SSH server may be able to disclose sensitive
information or cause a denial of service condition on the client system when
a user connects to the server.

For Debian 9 stretch, these problems have been fixed in version
1.7.0-1+deb9u2.

We recommend that you upgrade your libssh2 packages.

For the detailed security status of libssh2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libssh2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2839-1] gerbv security update

2021-12-03 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2839-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
December 03, 2021 https://wiki.debian.org/LTS
- -

Package: gerbv
Version: 2.6.1-2+deb9u1
CVE ID : CVE-2021-40391

One security issue has been discovered in gerbv, a viewer for Gerber RS-274X
files.

It was discovered that an out-of-bounds write vulnerability exists in the drill
format T-code tool. A specially-crafted drill file can lead to code execution.
An attacker can provide a malicious file to trigger this vulnerability.

For Debian 9 stretch, this problem has been fixed in version
2.6.1-2+deb9u1.

We recommend that you upgrade your gerbv packages.

For the detailed security status of gerbv please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gerbv

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2837-1] gmp security update

2021-12-02 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2837-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
December 02, 2021 https://wiki.debian.org/LTS
- -

Package: gmp
Version: 2:6.1.2+dfsg-1+deb9u1
CVE ID : CVE-2021-43618
Debian Bug : 994405

One security issue has been discovered in gmp, the GNU Multiple Precision
Arithmetic Library. It was discovered that an integer overflow is possible in
mpz/inp_raw.c, with a resultant buffer overflow via crafted input, leading to a
segmentation fault on 32-bit platforms.

For Debian 9 stretch, this problem has been fixed in version
2:6.1.2+dfsg-1+deb9u1.

We recommend that you upgrade your gmp packages.

For the detailed security status of gmp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gmp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2818-1] ffmpeg security update

2021-11-14 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2818-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
November 13, 2021 https://wiki.debian.org/LTS
- -

Package: ffmpeg
Version: 7:3.2.16-1+deb9u1
CVE ID : CVE-2020-20445 CVE-2020-20446 CVE-2020-20451 CVE-2020-20453 
 CVE-2020-22037 CVE-2020-22041 CVE-2020-22044 CVE-2020-22046 
 CVE-2020-22048 CVE-2020-22049 CVE-2020-22054 CVE-2021-38171
 CVE-2021-38291

Multiple issues have been discovered in ffmpeg, tools for transcoding,
streaming and playing multimedia files.

CVE-2020-20445

Divide By Zero issue via libavcodec/lpc.h, which allows a remote malicious
user to cause a Denial of Service.

CVE-2020-20446

Divide By Zero issue via libavcodec/aacpsy.c, which allows a remote malicious
user to cause a Denial of Service.

CVE-2020-20451

Denial of Service issue due to resource management errors via
fftools/cmdutils.c.

CVE-2020-20453

Divide By Zero issue via libavcodec/aaccoder, which allows a remote
malicious user to cause a Denial of Service.

CVE-2020-22037

A Denial of Service vulnerability due to a memory leak in
avcodec_alloc_context3 at options.c.

CVE-2020-22041

A Denial of Service vulnerability due to a memory leak in
the av_buffersrc_add_frame_flags function in buffersrc.

CVE-2020-22044

A Denial of Service vulnerability due to a memory leak in the
url_open_dyn_buf_internal function in libavformat/aviobuf.c.

CVE-2020-22046

A Denial of Service vulnerability due to a memory leak in the
avpriv_float_dsp_allocl function in libavutil/float_dsp.c.

CVE-2020-22048

A Denial of Service vulnerability due to a memory leak in the
ff_frame_pool_get function in framepool.c.

CVE-2020-22049

A Denial of Service vulnerability due to a memory leak in the
wtvfile_open_sector function in wtvdec.c.

CVE-2020-22054

A Denial of Service vulnerability due to a memory leak in the av_dict_set
function in dict.c.

CVE-2021-38171

adts_decode_extradata in libavformat/adtsenc.c does not check the
init_get_bits return value, which is a necessary step because the second
argument to init_get_bits can be crafted.

CVE-2021-38291

An assertion failure at src/libavutil/mathematics.c, causing ffmpeg to abort,
has been detected. In some extreme cases, like with adpcm_ms samples with an
extremely high channel count, get_audio_frame_duration() may return a
negative frame duration value.


For Debian 9 stretch, these problems have been fixed in version
7:3.2.16-1+deb9u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2812-1] botan1.10 security update

2021-11-08 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2812-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
November 08, 2021 https://wiki.debian.org/LTS
- -

Package: botan1.10
Version: 1.10.17-1+deb9u1
CVE ID : CVE-2017-14737

One security issue has been discovered in botan1.10, a C++ cryptography
library.

A local or cross-VM attacker may be able to recover bits of secret exponents,
as used in RSA, DH, etc., with the help of cache analysis.
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai

For Debian 9 stretch, this problem has been fixed in version
1.10.17-1+deb9u1.

We recommend that you upgrade your botan1.10 packages.

For the detailed security status of botan1.10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/botan1.10

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2793-1] mosquitto security update

2021-10-27 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2793-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
October 26, 2021  https://wiki.debian.org/LTS
- -

Package: mosquitto
Version: 1.4.10-3+deb9u5
CVE ID : CVE-2017-7655

One security issue has been discovered in mosquitto, an MQTT message broker.
A null dereference vulnerability was found which could lead to crashes for
applications using the library.

For Debian 9 stretch, this problem has been fixed in version
1.4.10-3+deb9u5.

We recommend that you upgrade your mosquitto packages.

For the detailed security status of mosquitto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2786-1] nghttp2 security update

2021-10-16 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2786-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
October 16, 2021  https://wiki.debian.org/LTS
- -

Package: nghttp2
Version: 1.18.1-1+deb9u2
CVE ID : CVE-2018-1000168 CVE-2020-11080

Two security issues have been discovered in nghttp2, a server, proxy and client
implementing HTTP/2.

CVE-2018-1000168

An Improper Input Validation (CWE-20) vulnerability was found in ALTSVC frame
handling that can result in a segmentation fault leading to denial of service.
This attack appears to be exploitable via a network client.

CVE-2020-11080

An overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof-of-concept attack involves a malicious client constructing a SETTINGS
frame with a length of 14,400 bytes (2400 individual settings entries) over
and over again. The attack causes the CPU to spike at 100%.

For Debian 9 stretch, these problems have been fixed in version
1.18.1-1+deb9u2.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
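The SETTINGS frame shape from the CVE-2020-11080 proof of concept, built and then parsed with a bounded parser, as an added example that is not part of the advisory and not nghttp2's code. The wire layout follows RFC 7540 sections 4.1 and 6.5; the per-frame entry cap is a value chosen for this example (nghttp2's fix added a configurable limit of the same kind, whose default is not taken from the advisory). The frames are constructed, not captured.

```python
"""
HTTP/2 SETTINGS frame construction and a bounded parser, illustrating the
14,400-byte / 2400-entry frame from CVE-2020-11080: added example, not
nghttp2's code.
"""
from __future__ import annotations

import struct

FRAME_HEADER_LEN = 9
SETTINGS_TYPE = 0x4
FLAG_ACK = 0x1
SETTINGS_ENTRY_LEN = 6               # 16-bit identifier + 32-bit value
DEFAULT_MAX_FRAME_SIZE = 1 << 14     # 16,384: SETTINGS_MAX_FRAME_SIZE default
MAX_SETTINGS_PER_FRAME = 32          # assumption: cap enforced by this parser

SETTINGS_HEADER_TABLE_SIZE = 0x1     # RFC 7540 section 6.5.2
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3


def build_settings_frame(entries: list[tuple[int, int]]) -> bytes:
    """Serialise a SETTINGS frame on stream 0 from (identifier, value) pairs."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    length3 = struct.pack(">I", len(payload))[1:]           # 24-bit length
    return length3 + bytes([SETTINGS_TYPE, 0]) + struct.pack(">I", 0) + payload


def payload_length(frame: bytes) -> int:
    return int.from_bytes(frame[:3], "big")


def parse_settings_frame(frame: bytes,
                         max_settings: int = MAX_SETTINGS_PER_FRAME) -> list[tuple[int, int]]:
    """Parse one SETTINGS frame, enforcing RFC 7540 rules plus an entry cap.

    Every check below is made from the 9-byte header alone, before a single
    entry is decoded, so an oversized frame costs the receiver almost nothing.
    """
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = payload_length(frame)
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack(">I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != SETTINGS_TYPE:
        raise ValueError(f"not a SETTINGS frame (type {ftype:#x})")
    if stream_id != 0:
        raise ValueError("SETTINGS must be on stream 0")          # PROTOCOL_ERROR
    if length > DEFAULT_MAX_FRAME_SIZE:
        raise ValueError("frame exceeds SETTINGS_MAX_FRAME_SIZE")  # FRAME_SIZE_ERROR
    if flags & FLAG_ACK and length:
        raise ValueError("SETTINGS ACK must carry no payload")     # FRAME_SIZE_ERROR
    if length % SETTINGS_ENTRY_LEN:
        raise ValueError("payload not a multiple of 6 bytes")      # FRAME_SIZE_ERROR
    count = length // SETTINGS_ENTRY_LEN
    if count > max_settings:
        raise ValueError(f"{count} settings exceed cap of {max_settings}")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return [struct.unpack(">HI", payload[i:i + 6]) for i in range(0, length, 6)]


def rejects(frame: bytes, **kw) -> bool:
    """True if parse_settings_frame refuses the frame."""
    try:
        parse_settings_frame(frame, **kw)
    except ValueError:
        return True
    return False


def poc_frame() -> bytes:
    """The advisory's shape: 2400 entries, 14,400-byte payload. It fits under
    the 16,384-byte default frame-size limit, so a frame-size check alone never
    rejects it; the work done per frame is what has to be bounded."""
    return build_settings_frame([(SETTINGS_MAX_CONCURRENT_STREAMS, 100)] * 2400)


def benign_frame() -> bytes:
    return build_settings_frame([(SETTINGS_HEADER_TABLE_SIZE, 4096),
                                 (SETTINGS_MAX_CONCURRENT_STREAMS, 100)])


if __name__ == "__main__":
    f = poc_frame()
    print(f"PoC frame: {len(f)} bytes, payload {payload_length(f)}, "
          f"rejected={rejects(f)}")
    print("benign:", parse_settings_frame(benign_frame()))
```

The point of the cap is that a SETTINGS frame is legal at any multiple of 6 bytes up to the negotiated frame size, so the only defence against a client that sends the maximum repeatedly is to bound how many entries a peer may make the server process per frame, and to do it before any per-entry work.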



[SECURITY] [DLA 2775-1] plib security update

2021-10-02 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2775-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
October 02, 2021  https://wiki.debian.org/LTS
- -

Package: plib
Version: 1.8.5-7+deb9u1
CVE ID : CVE-2021-38714

One security issue has been discovered in plib.

An integer overflow vulnerability that could result in arbitrary code execution
was found in the ssgLoadTGA() function in the src/ssg/ssgLoadTGA.cxx file.

For Debian 9 stretch, this problem has been fixed in version
1.8.5-7+deb9u1.

We recommend that you upgrade your plib packages.

For the detailed security status of plib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/plib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2765-1] mupdf security update

2021-09-23 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2765-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
September 23, 2021https://wiki.debian.org/LTS
- -

Package: mupdf
Version: 1.14.0+ds1-4+deb9u1
CVE ID : CVE-2016-10246 CVE-2016-10247 CVE-2017-6060 CVE-2018-10289
 CVE-2018-136 CVE-2020-19609

Multiple issues have been discovered in mupdf.

CVE-2016-10246

Buffer overflow in the main function in jstest_main.c allows remote attackers
to cause a denial of service (out-of-bounds write) via a crafted file.


CVE-2016-10247

Buffer overflow in the my_getline function in jstest_main.c allows remote
attackers to cause a denial of service (out-of-bounds write) via a crafted file.


CVE-2017-6060

Stack-based buffer overflow in jstest_main.c allows remote attackers
to have unspecified impact via a crafted image.


CVE-2018-10289

An infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file.
A remote adversary could leverage this vulnerability to cause a denial of
service via a crafted pdf file.


CVE-2018-136

Multiple memory leaks in the PDF parser allow an attacker to cause a denial
of service (memory leak) via a crafted file.


CVE-2020-19609

A heap-based buffer overwrite in the tiff_expand_colormap() function when
parsing TIFF files allows attackers to cause a denial of service.


For Debian 9 stretch, these problems have been fixed in version
1.14.0+ds1-4+deb9u1.

We recommend that you upgrade your mupdf packages.

For the detailed security status of mupdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mupdf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2758-1] sssd security update

2021-09-15 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2758-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
September 15, 2021https://wiki.debian.org/LTS
- -

Package: sssd
Version: 1.15.0-3+deb9u2
CVE ID : CVE-2021-3621

One security issue has been discovered in sssd.

The sssctl command was vulnerable to shell command injection via the logs-fetch
and cache-expire subcommands. This flaw allows an attacker to trick the root
user into running a specially crafted sssctl command, such as via sudo, to gain
root access. The highest threat from this vulnerability is to confidentiality,
integrity, as well as system availability.

For Debian 9 stretch, this problem has been fixed in version
1.15.0-3+deb9u2.

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmFCWGQACgkQ0+Fzg8+n
/wboeQ/+J/Y0UfLvGRUnUYaLZjU/8ab+TeN0Bfq3cjxluu3zmmxY9dfZNuHU1dWO
UHgmefRAULUaZ6i6tmiTj08gKxSrQu8anNYrZAfEQcBSU/LHlHup1rh2IaD+AoRs
iAUaD+VitXrI0tHvHKoomFRjBCAcgdSq30nzVvv4HxuX/I5/ILQ5UMWrvSk/JJb6
t7lgORo9fn82NqTUBtfB7+sBXqeN4mtY5O7ViW/sBbaeZ6V1eRpeM9Ocb07tsPOK
ZTtjvrwI0+LtAbozhUK3kCUsVmoMWX4S3g9gOmA9czfy55/r6F7Z1QbEzc9RqnPH
4vJXDwe9rTc/nLoUXIgSgc8Q04/YvdqnpxVPqO0fZ/D+yCrTqSRcuSgPioz85Zjx
ei43NgpZMLRheeA6sJKaVNyU5vj7nXgqUosTDS6kGZXHIsm4/DkfLBgp5xM9+I8z
As1IkXlK82BWZdXxxfpG+zBzIGrPf2/3OSRBpEOsFMDM4fi6uDxwcldCDcjUCf1h
tyUnx4Cvh0npPGiSUtOVjZ6e8KYBLt/R6xPWKxrYJMeBO7nSL0WeblgNC2H0ZofB
1azxhTRpZOMcB/y3cHMl4/hgUDlX9t8rHcvyzDDj22cqHGr0wnGMOHi2hFzF2nSb
hvWKset5gDmpuOe9yxzQ3g1LZRenEdVZsoDmYz1l3iixiVW0bWc=
=ssLt
-END PGP SIGNATURE-



[SECURITY] [DLA 2742-2] ffmpeg regression update

2021-08-22 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2742-2debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
August 22, 2021   https://wiki.debian.org/LTS
- -

Package: ffmpeg
Version: 7:3.2.15-0+deb9u4

During the backporting of one of the patches for CVE-2020-22021, one line was
wrongly interpreted, which caused a regression in the deinterlacing process.
Thanks to Jari Ruusu for reporting the issue and for testing the prepared
update.

For Debian 9 stretch, this problem has been fixed in version
7:3.2.15-0+deb9u4.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2742-1] ffmpeg security update

2021-08-14 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2742-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
August 14, 2021   https://wiki.debian.org/LTS
- -

Package: ffmpeg
Version: 7:3.2.15-0+deb9u3
CVE ID : CVE-2020-21041 CVE-2020-22015 CVE-2020-22016 CVE-2020-22020 
 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 CVE-2020-22025 
 CVE-2020-22026 CVE-2020-22028 CVE-2020-22031 CVE-2020-22032 
 CVE-2020-22036 CVE-2021-3566 CVE-2021-38114

Multiple issues have been discovered in ffmpeg.

CVE-2020-21041

Buffer Overflow vulnerability exists via apng_do_inverse_blend in
libavcodec/pngenc.c, which could let a remote malicious user cause a
Denial of Service.

CVE-2020-22015

Buffer Overflow vulnerability in mov_write_video_tag due to the out of
bounds in libavformat/movenc.c, which could let a remote malicious user
obtain sensitive information, cause a Denial of Service, or execute
arbitrary code.

CVE-2020-22016

A heap-based Buffer Overflow vulnerability at libavcodec/get_bits.h when
writing .mov files, which might lead to memory corruption and other
potential consequences.

CVE-2020-22020

Buffer Overflow vulnerability in the build_diff_map function in
libavfilter/vf_fieldmatch.c, which could let a remote malicious user cause
a Denial of Service.

CVE-2020-22021

Buffer Overflow vulnerability at filter_edges function in
libavfilter/vf_yadif.c, which could let a remote malicious user cause a
Denial of Service.

CVE-2020-22022

A heap-based Buffer Overflow vulnerability exists in filter_frame at
libavfilter/vf_fieldorder.c, which might lead to memory corruption and other
potential consequences.

CVE-2020-22023

A heap-based Buffer Overflow vulnerability exists in filter_frame at
libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and
other potential consequences.

CVE-2020-22025

A heap-based Buffer Overflow vulnerability exists in gaussian_blur at
libavfilter/vf_edgedetect.c, which might lead to memory corruption and other
potential consequences.

CVE-2020-22026

Buffer Overflow vulnerability exists in the config_input function at
libavfilter/af_tremolo.c, which could let a remote malicious user cause a
Denial of Service.

CVE-2020-22028

Buffer Overflow vulnerability in filter_vertically_8 at
libavfilter/vf_avgblur.c, which could cause a remote Denial of Service.

CVE-2020-22031

A Heap-based Buffer Overflow vulnerability in filter16_complex_low, which
might lead to memory corruption and other potential consequences.

CVE-2020-22032

A heap-based Buffer Overflow vulnerability in gaussian_blur, which might
lead to memory corruption and other potential consequences.

CVE-2020-22036

A heap-based Buffer Overflow vulnerability in filter_intra at
libavfilter/vf_bwdif.c, which might lead to memory corruption and other
potential consequences.

CVE-2021-3566

The tty demuxer did not have a 'read_probe' function assigned to it. By
crafting a legitimate "ffconcat" file that references an image, followed by
a file that triggers the tty demuxer, the contents of the second file will be
copied into the output file verbatim (as long as the `-vcodec copy` option
is passed to ffmpeg).

CVE-2021-38114

libavcodec/dnxhddec.c does not check the return value of the init_vlc
function. Crafted DNxHD data can cause unspecified impact.

For Debian 9 stretch, these problems have been fixed in version
7:3.2.15-0+deb9u3.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2707-1] sogo security update

2021-07-12 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2707-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
July 12, 2021 https://wiki.debian.org/LTS
- -

Package: sogo
Version: 3.2.6-2+deb9u1
CVE ID : CVE-2021-33054

One security issue has been discovered in sogo.

SOGo does not validate the signatures of any SAML assertions it receives.
Any actor with network access to the deployment could impersonate users when
SAML is the authentication method.

For Debian 9 stretch, this problem has been fixed in version
3.2.6-2+deb9u1.

We recommend that you upgrade your sogo packages.

ATTENTION! If you are using SAML authentication, use sogo-tool to immediately
delete users sessions and force all users to visit the login page:

sogo-tool -v expire-sessions 1
systemctl restart memcached

For the detailed security status of sogo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sogo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2705-1] scilab security update

2021-07-08 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2705-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
July 07, 2021 https://wiki.debian.org/LTS
- -

Package: scilab
Version: 5.5.2-4+deb9u1
CVE ID : CVE-2021-30485 CVE-2021-31229 CVE-2021-31347 CVE-2021-31348 
 CVE-2021-31598

Multiple issues have been discovered in scilab, particularly in ezXML embedded 
library:

CVE-2021-30485

Incorrect memory handling, leading to a NULL pointer dereference
in ezxml_internal_dtd()

CVE-2021-31229

Out-of-bounds write in ezxml_internal_dtd() leading to out-of-bounds write
of a one byte constant

CVE-2021-31347, CVE-2021-31348

incorrect memory handling in ezxml_parse_str() leading to out-of-bounds read

CVE-2021-31598

Out-of-bounds write in ezxml_decode() leading to heap corruption

For Debian 9 stretch, these problems have been fixed in version
5.5.2-4+deb9u1.

We recommend that you upgrade your scilab packages.

For the detailed security status of scilab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/scilab

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2687-2] prosody regression update

2021-06-18 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2687-2debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
June 19, 2021 https://wiki.debian.org/LTS
- -

Package: prosody
Version: 0.9.12-2+deb9u4
CVE ID : CVE-2021-32921

It was discovered that the previous upload of the package prosody
versioned 0.9.12-2+deb9u3 introduced a regression in the
mod_auth_internal_hashed module. Big thanks to Andre Bianchi for reporting
the issue and for testing the update.

For Debian 9 stretch, this problem has been fixed in version
0.9.12-2+deb9u4.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2687-1] prosody security update

2021-06-15 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2687-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
June 15, 2021 https://wiki.debian.org/LTS
- -

Package: prosody
Version: 0.9.12-2+deb9u3
CVE ID : CVE-2021-32917 CVE-2021-32921

Two security issues have been discovered in prosody:

CVE-2021-32917

The proxy65 component allows open access by default, even if neither of the
users has an XMPP account on the local server, allowing unrestricted use of
the server's bandwidth.

CVE-2021-32921

Authentication module does not use a constant-time algorithm for comparing
certain secret strings when running under Lua 5.2 or later. This can
potentially be used in a timing attack to reveal the contents of secret
strings to an attacker.

For Debian 9 stretch, these problems have been fixed in version
0.9.12-2+deb9u3.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/prosody

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2677-1] libwebp security update

2021-06-06 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2677-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
June 05, 2021 https://wiki.debian.org/LTS
- -

Package: libwebp
Version: 0.5.2-1+deb9u1
CVE ID : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012
 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329
 CVE-2020-36330 CVE-2020-36331

Multiple security issues have been discovered in libwebp

CVE-2018-25009

An out-of-bounds read was found in function WebPMuxCreateInternal.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

CVE-2018-25010

An out-of-bounds read was found in function ApplyFilter.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

CVE-2018-25011

A heap-based buffer overflow was found in PutLE16().
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.

CVE-2018-25012

An out-of-bounds read was found in function WebPMuxCreateInternal.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

CVE-2018-25013

An out-of-bounds read was found in function ShiftBytes.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

CVE-2018-25014

An uninitialized variable is used in function ReadSymbol.
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.

CVE-2020-36328

A heap-based buffer overflow in function WebPDecodeRGBInto is possible
due to an invalid check for buffer size. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability.

CVE-2020-36329

A use-after-free was found due to a thread being killed too early.
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.

CVE-2020-36330

An out-of-bounds read was found in function ChunkVerifyAndAssign.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

CVE-2020-36331

An out-of-bounds read was found in function ChunkAssignData.
The highest threat from this vulnerability is to data confidentiality
and to the service availability.

For Debian 9 stretch, these problems have been fixed in version
0.5.2-1+deb9u1.

We recommend that you upgrade your libwebp packages.

For the detailed security status of libwebp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libwebp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2672-1] imagemagick security update

2021-06-02 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2672-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
June 02, 2021 https://wiki.debian.org/LTS
- -

Package: imagemagick
Version: 8:6.9.7.4+dfsg-11+deb9u13
CVE ID : CVE-2020-27751 CVE-2021-20243 CVE-2021-20245 CVE-2021-20309 
 CVE-2021-20312 CVE-2021-20313

Multiple security issues have been discovered in imagemagick.

CVE-2020-27751

A flaw was found in MagickCore/quantum-export.c. An attacker who submits a
crafted file that is processed by ImageMagick could trigger undefined behavior
in the form of values outside the range of type `unsigned long long` as well
as a shift exponent that is too large for 64-bit type. This would most likely
lead to an impact to application availability, but could potentially cause
other problems related to undefined behavior.

CVE-2021-20243

A flaw was found in MagickCore/resize.c. An attacker who submits a crafted
file that is processed by ImageMagick could trigger undefined behavior
in the form of math division by zero.

CVE-2021-20245

A flaw was found in coders/webp.c. An attacker who submits a crafted file
that is processed by ImageMagick could trigger undefined behavior in the form
of math division by zero.

CVE-2021-20309

A division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using
ImageMagick.

CVE-2021-20312

An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker
and processed by an application using ImageMagick.

CVE-2021-20313

A potential cipher leak when calculating signatures in TransformSignature
is possible.

For Debian 9 stretch, these problems have been fixed in version
8:6.9.7.4+dfsg-11+deb9u13.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2660-1] libgetdata security update

2021-05-13 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2660-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
May 13, 2021  https://wiki.debian.org/LTS
- -

Package: libgetdata
Version: 0.9.4-1+deb9u1
CVE ID : CVE-2021-20204

One security issue has been discovered in libgetdata

CVE-2021-20204

A heap memory corruption problem (use after free) can be triggered when
processing maliciously crafted dirfile databases. This degrades the
confidentiality, integrity and availability of third-party software that
uses libgetdata as a library.

For Debian 9 stretch, this problem has been fixed in version
0.9.4-1+deb9u1.

We recommend that you upgrade your libgetdata packages.

For the detailed security status of libgetdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgetdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2649-1] cgal security update

2021-05-04 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2649-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
May 04, 2021  https://wiki.debian.org/LTS
- -

Package: cgal
Version: 4.9-1+deb9u1
CVE ID : CVE-2020-28601 CVE-2020-28636 CVE-2020-35628 CVE-2020-35636

Four security issues have been discovered in cgal. A code execution
vulnerability exists in the Nef polygon-parsing functionality of CGAL.

CVE-2020-28601

An oob read vulnerability exists in Nef_2/PM_io_parser.h
PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide
malicious input to trigger this vulnerability.

CVE-2020-28636

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
SNC_io_parser::read_sloop() slh->twin(). An attacker can provide malicious
input to trigger this vulnerability.

CVE-2020-35628

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide
malicious input to trigger this vulnerability.

CVE-2020-35636

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h
SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious
input to trigger this vulnerability.

For Debian 9 stretch, these problems have been fixed in version
4.9-1+deb9u1.

We recommend that you upgrade your cgal packages.

For the detailed security status of cgal please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cgal

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2646-1] subversion security update

2021-05-03 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2646-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
May 03, 2021  https://wiki.debian.org/LTS
- -

Package: subversion
Version: 1.9.5-1+deb9u6
CVE ID : CVE-2020-17525

One security issue has been discovered in subversion:

CVE-2020-17525:

Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option and a client sends a request for a non-existing repository URL.
This can lead to disruption for users of the service.

For Debian 9 stretch, this problem has been fixed in version
1.9.5-1+deb9u6.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/subversion

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2628-1] python2.7 security update

2021-04-17 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2628-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
April 17, 2021https://wiki.debian.org/LTS
- -

Package: python2.7
Version: 2.7.13-2+deb9u5
CVE ID : CVE-2019-16935 CVE-2021-23336

Two security issues have been discovered in python2.7:

CVE-2019-16935

The documentation XML-RPC server in Python 2.7 has XSS via the server_title
field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in
Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with
untrusted input, arbitrary JavaScript can be delivered to clients that
visit the http URL for this server.

CVE-2021-23336

Python 2.7 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
and urllib.parse.parse_qs by using a vector called parameter cloaking. When
the attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not include
it in a cache key of an unkeyed parameter.

**Attention, API-change!**
Please be sure your software is working properly if it uses
`urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse` or
`cgi.parse_multipart`.

Earlier Python versions allowed using both ``;`` and ``&`` as query
parameter separators in `urllib.parse.parse_qs` and `urllib.parse.parse_qsl`.
Due to security concerns, and to conform with
newer W3C recommendations, this has been changed to allow only a single
separator key, with ``&`` as the default.  This change also affects
`cgi.parse` and `cgi.parse_multipart` as they use the affected
functions internally. For more details, please see their respective
documentation.


For Debian 9 stretch, these problems have been fixed in version
2.7.13-2+deb9u5.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2619-1] python3.5 security update

2021-04-05 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2619-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
April 05, 2021https://wiki.debian.org/LTS
- -

Package: python3.5
Version: 3.5.3-1+deb9u4
CVE ID : CVE-2021-3177 CVE-2021-3426 CVE-2021-23336

Three security issues have been discovered in python3.5:

CVE-2021-3177

Python 3.x has a buffer overflow in PyCArg_repr in _ctypes/callproc.c,
which may lead to remote code execution in certain Python applications that
accept floating-point numbers as untrusted input. This occurs because sprintf
is used unsafely.

CVE-2021-3426

Running `pydoc -p` allows other local users to extract arbitrary files.
The `/getfile?key=path` URL allows reading arbitrary files on the filesystem.

The fix removes the "getfile" feature of the pydoc module which
could be abused to read arbitrary files on the disk (directory
traversal vulnerability).

CVE-2021-23336

Python 3.5 is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl
and urllib.parse.parse_qs by using a vector called parameter cloaking. When
the attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not include
it in a cache key of an unkeyed parameter.

**Attention, API-change!**
Please be sure your software is working properly if it uses
`urllib.parse.parse_qs` or `urllib.parse.parse_qsl`, `cgi.parse` or
`cgi.parse_multipart`.

Earlier Python versions allowed using both ``;`` and ``&`` as query
parameter separators in `urllib.parse.parse_qs` and `urllib.parse.parse_qsl`.
Due to security concerns, and to conform with
newer W3C recommendations, this has been changed to allow only a single
separator key, with ``&`` as the default.  This change also affects
`cgi.parse` and `cgi.parse_multipart` as they use the affected
functions internally. For more details, please see their respective
documentation.


For Debian 9 stretch, these problems have been fixed in version
3.5.3-1+deb9u4.

We recommend that you upgrade your python3.5 packages.

For the detailed security status of python3.5 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.5

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
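The parameter-cloaking behaviour and the `separator` change described in the two Python advisories above (DLA 2628-1 and DLA 2619-1), as an added example that is not part of the advisories or of CPython: it contrasts the fixed parser with an emulation of the pre-fix one, models a proxy that leaves unkeyed parameters out of its cache key, and flags query strings the two sides would interpret differently. It assumes a Python whose `urllib.parse.parse_qs` accepts the `separator` keyword (the patched releases); the unkeyed parameter set and the sample query strings are constructed.

```python
from urllib.parse import parse_qs, urlencode

# Constructed example: parameters a caching proxy leaves out of its cache key
# (tracking parameters are the usual case).
UNKEYED = {"utm_content"}


def parse_patched(qs: str) -> dict:
    """Parse as the fixed Python does: only '&' separates parameters."""
    return parse_qs(qs, separator="&", keep_blank_values=True)


def parse_legacy(qs: str) -> dict:
    """Emulate the pre-fix parser, which treated both ';' and '&' as separators.

    The patched parse_qs accepts a single separator only, so the old behaviour
    is reproduced by rewriting ';' to '&' before parsing.
    """
    return parse_qs(qs.replace(";", "&"), separator="&", keep_blank_values=True)


def proxy_cache_key(qs: str) -> str:
    """Model of a proxy that splits on '&' only and ignores UNKEYED parameters."""
    keyed = {k: v for k, v in parse_patched(qs).items() if k not in UNKEYED}
    return urlencode(sorted(keyed.items()), doseq=True)


def cloaking_detected(qs: str) -> bool:
    """True when a ';'-splitting backend would see parameters the proxy did not.

    Usable as a request-validation or log-audit check: such a query string
    should not be served from, or stored in, a shared cache.
    """
    return parse_patched(qs) != parse_legacy(qs)


if __name__ == "__main__":
    benign = "q=news&utm_content=spring"
    cloaked = "q=news&utm_content=spring;q=other"
    # Both requests share one cache key, yet an unpatched backend reads a
    # different 'q' from the second one; the patched parser does not.
    print(proxy_cache_key(benign), proxy_cache_key(cloaked))
    print(parse_legacy(cloaked)["q"], parse_patched(cloaked)["q"])
    print(cloaking_detected(benign), cloaking_detected(cloaked))
```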



[SECURITY] [DLA 2605-1] mariadb-10.1 security update

2021-03-22 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2605-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
March 22, 2021https://wiki.debian.org/LTS
- -

Package: mariadb-10.1
Version: 10.1.48-0+deb9u2
CVE ID : CVE-2021-27928

A remote code execution issue was discovered in MariaDB. An untrusted search
path leads to eval injection, in which a database SUPER user can execute OS
commands after modifying wsrep_provider and wsrep_notify_cmd.

For Debian 9 stretch, this problem has been fixed in version
10.1.48-0+deb9u2.

We recommend that you upgrade your mariadb-10.1 packages.

For the detailed security status of mariadb-10.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2596-1] tomcat8 security update

2021-03-15 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2594-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
March 15, 2021https://wiki.debian.org/LTS
- -

Package: tomcat8
Version: 8.5.54-0+deb9u6
CVE ID : CVE-2021-24122 CVE-2021-25122 CVE-2021-25329

Three security issues have been detected in tomcat8.

CVE-2021-24122

When serving resources from a network location using the NTFS file system,
Apache Tomcat versions 8.5.0 to 8.5.59 are susceptible to JSP source code
disclosure in some configurations. The root cause was the unexpected
behaviour of the JRE API File.getCanonicalPath() which in turn was caused
by the inconsistent behaviour of the Windows API (FindFirstFileW) in some
circumstances.

CVE-2021-25122

When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results
of user A's request.

CVE-2021-25329

The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to
8.5.61 with a configuration edge case that was highly unlikely to be used,
the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both
the previously published prerequisites for CVE-2020-9484 and the
previously published mitigations for CVE-2020-9484 also apply to this
issue.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u6.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2588-1] zeromq3 security update

2021-03-10 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2588-1debian-...@lists.debian.org
https://www.debian.org/lts/security/ Anton Gladky
March 09, 2021https://wiki.debian.org/LTS
- -

Package: zeromq3
Version: 4.2.1-4+deb9u4
CVE ID : CVE-2021-20234 CVE-2021-20235

Two security issues have been detected in zeromq3.

CVE-2021-20234

Memory leak in client induced by malicious server(s) without CURVE/ZAP.

From issue description [1].
When a pipe processes a delimiter and is already not in active state but
still has an unfinished message, the message is leaked.

CVE-2021-20235

Heap overflow when receiving malformed ZMTP v1 packets.

From issue description [2].
The static allocator was implemented to shrink its recorded size similarly
to the shared allocator. But it does not need to, and it should not,
because unlike the shared one the static allocator always uses a static
buffer, with a size defined by the ZMQ_IN_BATCH_SIZE socket option
(default 8192), so changing the size opens the library to heap overflows.
The static allocator is used only with ZMTP v1 peers.

[1] https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
[2] https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

For Debian 9 stretch, these problems have been fixed in version
4.2.1-4+deb9u4.

We recommend that you upgrade your zeromq3 packages.

For the detailed security status of zeromq3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zeromq3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2207-1] libntlm security update

2020-05-10 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: libntlm
Version: 1.4-3+deb8u1
CVE ID : CVE-2019-17455


It was discovered that libntlm through 1.5 relies on a fixed buffer size for
tSmbNtlmAuthRequest, tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and
write operations, as demonstrated by a stack-based buffer over-read in
buildSmbNtlmAuthRequest in smbutil.c for a crafted NTLM request.

For Debian 8 "Jessie", this problem has been fixed in version
1.4-3+deb8u1.

We recommend that you upgrade your libntlm packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 2200-1] mailman security update

2020-05-03 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: mailman
Version: 1:2.1.18-2+deb8u5
CVE ID : CVE-2020-12137


A vulnerability was discovered in mailman. GNU Mailman 2.x before 2.1.30
uses the .obj extension for scrubbed application/octet-stream MIME
parts. This behavior may contribute to XSS attacks against
list-archive visitors, because an HTTP reply from an archive web
server may lack a MIME type, and a web browser may perform MIME
sniffing, conclude that the MIME type should have been text/html, and
execute JavaScript code.


For Debian 8 "Jessie", this problem has been fixed in version
1:2.1.18-2+deb8u5.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2161-1] tika security update

2020-03-28 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: tika
Version: 1.5-1+deb8u1
CVE ID : CVE-2020-1950 CVE-2020-1951
Debian Bug : 954302 954303


Two security issues have been detected in tika and fixed.

CVE-2020-1950:
A carefully crafted or corrupt PSD file can cause excessive memory
usage in Apache.

CVE-2020-1951:
Infinite Loop (DoS) vulnerability in Apache Tika's PSDParser.

For Debian 8 "Jessie", these problems have been fixed in version
1.5-1+deb8u1.

We recommend that you upgrade your tika packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2148-1] amd64-microcode security update

2020-03-20 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: amd64-microcode
Version: 3.20181128.1~deb8u1
CVE ID : CVE-2017-5715
Debian Bug : 886382


It was discovered that systems with microprocessors utilizing
speculative execution and indirect branch prediction may allow
unauthorized disclosure of information to an attacker with local
user access via a side-channel analysis (Spectre v2).
Multiple fixes were done already in Linux kernel, intel-microcode etc.
This fix adds amd-microcode-based IBPB support.

For Debian 8 "Jessie", this problem has been fixed in version
3.20181128.1~deb8u1.

We recommend that you upgrade your amd64-microcode package.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequent

Regards,

Anton