[SECURITY] [DLA 3808-1] intel-microcode security update

2024-05-04 Thread Tobias Frost
-
Debian LTS Advisory DLA-3808-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
May 04, 2024  https://wiki.debian.org/LTS
-

Package: intel-microcode
Version: 3.20240312.1~deb10u1
CVE ID : CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 
 CVE-2023-43490
Debian Bug : 1066108

Intel has released microcode updates, addressing several vulnerabilities.

CVE-2023-22655

Protection mechanism failure in some 3rd and 4th Generation Intel(R)
Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow
a privileged user to potentially enable escalation of privilege via
local access.

CVE-2023-28746

Information exposure through microarchitectural state after
transient execution from some register files for some Intel(R)
Atom(R) Processors may allow an authenticated user to potentially
enable information disclosure via local access.

CVE-2023-38575

Non-transparent sharing of return predictor targets between contexts
in some Intel(R) Processors may allow an authorized user to
potentially enable information disclosure via local access.

CVE-2023-39368

Protection mechanism failure of bus lock regulator for some Intel(R)
Processors may allow an unauthenticated user to potentially enable
denial of service via network access.

CVE-2023-43490

Incorrect calculation in microcode keying mechanism for some
Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a
privileged user to potentially enable information disclosure via
local access.

For Debian 10 buster, these problems have been fixed in version
3.20240312.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3797-1] frr security update

2024-04-28 Thread Tobias Frost
-
Debian LTS Advisory DLA-3797-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
April 28, 2024                                https://wiki.debian.org/LTS
-

Package: frr
Version: 7.5.1-1.1+deb10u2
CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 
 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 
 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 
 CVE-2024-31948 CVE-2024-31949
Debian Bug : 1008010 1016978 1055852

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packets to trigger buffer
overflows with the possibility to gain remote code execution, buffer
overreads, crashes or trick the software into entering an infinite loop.

CVE-2022-26125

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
the use of strdup with a non-zero-terminated binary string in
isis_nb_notifications.c.

CVE-2022-26127

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
missing a check on the input packet length in the babel_packet_examin
function in babeld/message.c.

CVE-2022-26128

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
a wrong check on the input packet length in the babel_packet_examin
function in babeld/message.c.

CVE-2022-26129

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the subtlv length in the functions, parse_hello_subtlv,
parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
length of zero, aka a "flowspec overflow."

CVE-2023-38407

bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
the end of the stream during labeled unicast parsing.

CVE-2023-46752

An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur for a crafted BGP UPDATE message without mandatory attributes,
e.g., one with only an unknown transit attribute.

CVE-2023-47234

An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when a malformed BGP UPDATE message with an EOR is processed,
because the presence of EOR does not lead to a treat-as-withdraw
outcome.

CVE-2024-31948

In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

CVE-2024-31949

In FRRouting (FRR) through 9.1, an infinite loop can occur when
receiving a MP/GR capability as a dynamic capability because malformed
data results in a pointer not advancing.

For Debian 10 buster, these problems have been fixed in version
7.5.1-1.1+deb10u2.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3783-1] expat security update

2024-04-08 Thread Tobias Frost
-
Debian LTS Advisory DLA-3783-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
April 07, 2024                                https://wiki.debian.org/LTS
-

Package: expat
Version: 2.2.6-2+deb10u7
CVE ID : CVE-2023-52425
Debian Bug : 1063238

Expat, an XML parsing C library, has been found to have a vulnerability
that allows an attacker to perform a denial of service (resource
consumption) when many full reparsings are required in the case of
large tokens.

When parsing a really big token that requires multiple buffer fills to
complete, expat has to re-parse the token from start multiple times,
which takes time. These patches introduce a heuristic that, when having
failed on the same token multiple times, defers further parsing until
there's significantly more data available.

The patch also introduces an optional API,
XML_SetReparseDeferralEnabled(), to disable the new heuristic.

For Debian 10 buster, this problem has been fixed in version
2.2.6-2+deb10u7.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3757-1] nss security update

2024-03-10 Thread Tobias Frost
-
Debian LTS Advisory DLA-3757-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
March 10, 2024                                https://wiki.debian.org/LTS
-

Package: nss
Version: 2:3.42.1-1+deb10u8
CVE ID : CVE-2023-5388 CVE-2024-0743
Debian Bug : 1056284

Multiple vulnerabilities were found in nss, a set of libraries designed
to support cross-platform development of security-enabled client and
server applications.

CVE-2023-5388

   Timing attack against RSA decryption in TLS. This vulnerability has been
   named The Marvin Attack.

CVE-2024-0743

   An unchecked return value in TLS handshake code could have caused a
   potentially exploitable crash.

For Debian 10 buster, these problems have been fixed in version
2:3.42.1-1+deb10u8.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3734-1] openvswitch security update

2024-02-18 Thread Tobias Frost
-
Debian LTS Advisory DLA-3734-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
February 17, 2024 https://wiki.debian.org/LTS
-

Package: openvswitch
Version: 2.10.7+ds1-0+deb10u5
CVE ID : CVE-2023-5366
Debian Bug : 

A flaw was found in Open vSwitch that allows ICMPv6 Neighbor
Advertisement packets between virtual machines to bypass OpenFlow rules.
This issue may allow a local attacker to create specially crafted
packets with a modified or spoofed target IP address field that can
redirect ICMPv6 traffic to arbitrary IP addresses.

For Debian 10 buster, this problem has been fixed in version
2.10.7+ds1-0+deb10u5.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3717-1] zabbix security update

2024-01-24 Thread Tobias Frost
-
Debian LTS Advisory DLA-3717-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
January 24, 2024  https://wiki.debian.org/LTS
-

Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u4
CVE ID : CVE-2023-32721 CVE-2023-32723 CVE-2023-32726
Debian Bug : 1053877

Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially allowing an attacker to perform
a stored XSS, Server-Side Request Forgery (SSRF), exposure of sensitive
information, a system crash, or arbitrary code execution.

CVE-2023-32721

  A stored XSS has been found in the Zabbix web application in the
  Maps element if a URL field is set with spaces before URL.

CVE-2023-32723

  Inefficient user permission check, as request to LDAP is sent before
  user permissions are checked.

CVE-2023-32726

  Possible buffer overread from reading DNS responses.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u4.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3693-1] osslsigncode security update

2023-12-22 Thread Tobias Frost
-
Debian LTS Advisory DLA-3693-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 23, 2023 https://wiki.debian.org/LTS
-

Package: osslsigncode
Version: 2.0+really2.5-4+deb10u1
CVE ID : CVE-2023-36377
Debian Bug : 1035875

A Buffer Overflow vulnerability has been found in osslsigncode, an
OpenSSL-based Authenticode signing tool for PE/MSI/Java CAB files, which
possibly allows a malicious attacker to execute arbitrary code when
signing a crafted file.

For Debian 10 buster, this problem has been fixed in version
2.0+really2.5-4+deb10u1.

We recommend that you upgrade your osslsigncode packages.

For the detailed security status of osslsigncode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/osslsigncode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3690-1] intel-microcode security update

2023-12-16 Thread Tobias Frost
-
Debian LTS Advisory DLA-3690-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 16, 2023 https://wiki.debian.org/LTS
-

Package: intel-microcode
Version: 3.20231114.1~deb10u1
CVE ID : CVE-2023-23583
Debian Bug : 1055962

Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa
Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi,
Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela,
Doug Kwan, and Kostik Shtoyk discovered that some Intel processors
mishandle repeated sequences of instructions leading to unexpected
behavior, which may result in privilege escalation, information
disclosure or denial of service.

For Debian 10 buster, this problem has been fixed in version
3.20231114.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3681-1] amanda security update

2023-12-03 Thread Tobias Frost
-
Debian LTS Advisory DLA-3681-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 03, 2023 https://wiki.debian.org/LTS
-

Package: amanda
Version: 1:3.5.1-2+deb10u2
CVE ID : CVE-2022-37703 CVE-2022-37705 CVE-2023-30577
Debian Bug : 1021017 1029829 1055253

Multiple vulnerabilities have been found in Amanda, a backup system
designed to archive many computers on a network to a single
large-capacity tape drive. The vulnerabilities potentially allow local
privilege escalation from the backup user to root or leak information
on whether a directory exists in the filesystem.

CVE-2022-37703

In Amanda 3.5.1, an information leak vulnerability was found in the
calcsize SUID binary. An attacker can abuse this vulnerability to
know if a directory exists or not anywhere in the fs. The binary
will use `opendir()` as root directly without checking the path,
letting the attacker provide an arbitrary path.


CVE-2022-37705

A privilege escalation flaw was found in Amanda 3.5.1 in which the
backup user can acquire root privileges. The vulnerable component is
the runtar SUID program, which is a wrapper to run /usr/bin/tar with
specific arguments that are controllable by the attacker. This
program mishandles the arguments passed to tar binary.

CVE-2023-30577

The SUID binary "runtar" can accept the possibly malicious GNU tar
options if fed with some non-argument option starting with
"--exclude" (say --exclude-vcs). The following option will be
accepted as "good" and it could be an option passing some
script/binary that would be executed with root permissions.

For Debian 10 buster, these problems have been fixed in version
1:3.5.1-2+deb10u2.

We recommend that you upgrade your amanda packages.

For the detailed security status of amanda please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amanda

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature
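The CVE-2023-30577 entry above describes an option check that matches by prefix, so a harmless-looking "--exclude-vcs" is taken for "--exclude" and whatever follows it is consumed unchecked. The following added example (my own constructed model, not Amanda's runtar code) puts that prefix-matching validator beside an exact-match one for a hypothetical SUID tar wrapper; the option names on the allowlist and the "--option-not-on-the-allowlist" token are assumptions for illustration.

```python
"""Allowlisting of tar arguments in a SUID wrapper: prefix match vs exact match.

Constructed example, not Amanda's runtar code. The wrapper is expected to let
through only a fixed set of tar options; "--exclude" is the one option whose
pattern arrives as the *next* argument.
"""
from typing import List

# Hypothetical allowlist for the wrapper (assumption, not Amanda's list).
ALLOWED_FLAGS = {"--create", "--numeric-owner", "--one-file-system", "--sparse"}
ALLOWED_WITH_VALUE = {"--file", "--directory", "--listed-incremental"}  # "--opt=value" form
EXCLUDE = "--exclude"  # takes its pattern from the following argument


def _known_option(arg: str) -> bool:
    """True for an exactly allowlisted flag or an allowlisted --opt=value."""
    return arg in ALLOWED_FLAGS or arg.split("=", 1)[0] in ALLOWED_WITH_VALUE


def validate_prefix(args: List[str]) -> bool:
    """Vulnerable check (the CVE-2023-30577 pattern): anything that merely
    *starts with* "--exclude" is treated as "--exclude PATTERN", so the next
    argument is swallowed without ever being looked at."""
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith(EXCLUDE):
            i += 2  # "--exclude-vcs" matches too; args[i+1] is never checked
            continue
        if _known_option(arg) or not arg.startswith("-"):
            i += 1  # allowlisted option, or a path to back up
            continue
        return False
    return True


def validate_exact(args: List[str]) -> bool:
    """Hardened check: only the exact spelling "--exclude" (or "--exclude=PATTERN")
    is recognised, its pattern is validated, and every other "--exclude*"
    variant must be allowlisted on its own or is rejected."""
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == EXCLUDE:
            # The pattern must exist and must not itself look like an option.
            if i + 1 >= len(args) or args[i + 1].startswith("-"):
                return False
            i += 2
            continue
        if arg.startswith(EXCLUDE + "="):
            if arg[len(EXCLUDE) + 1:].startswith("-"):
                return False
            i += 1
            continue
        if _known_option(arg) or not arg.startswith("-"):
            i += 1
            continue
        return False  # includes "--exclude-vcs" and any other unknown option
    return True


# Constructed argument vectors. The second smuggles an unreviewed option
# behind "--exclude-vcs"; the option name is a placeholder, not a real flag.
GOOD_ARGS = ["--create", "--file=/dev/nst0", "--exclude", "*.tmp",
             "--exclude=cache/*", "/home"]
SMUGGLED_ARGS = ["--create", "--file=/dev/nst0", "--exclude-vcs",
                 "--option-not-on-the-allowlist=/tmp/whatever", "/home"]

if __name__ == "__main__":
    print("prefix check accepts smuggled option:", validate_prefix(SMUGGLED_ARGS))
    print("exact check accepts smuggled option: ", validate_exact(SMUGGLED_ARGS))
```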


[SECURITY] [DLA 3680-1] opendkim security update

2023-12-03 Thread Tobias Frost
-
Debian LTS Advisory DLA-3680-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 03, 2023 https://wiki.debian.org/LTS
-

Package: opendkim
Version: 2.11.0~alpha-12+deb10u1
CVE ID : CVE-2022-48521
Debian Bug : 1041107

An issue (CVE-2022-48521) was discovered in OpenDKIM through 2.10.3, and
2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers
when removing fake Authentication-Results header fields, which allows a
remote attacker to craft an e-mail message with a fake sender address
such that programs that rely on Authentication-Results from OpenDKIM
will treat the message as having a valid DKIM signature when in fact it
has none.

For Debian 10 buster, this problem has been fixed in version
2.11.0~alpha-12+deb10u1.

We recommend that you upgrade your opendkim packages.

For the detailed security status of opendkim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opendkim

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature
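The advisory above attributes CVE-2022-48521 to lost ordinal bookkeeping while removing pre-existing Authentication-Results fields. The following added example (a constructed model of my own, not OpenDKIM's code) shows a verifier that records header ordinals first and deletes by those stale ordinals, beside one that rebuilds the header list, and a downstream consumer that trusts any field bearing the verifier's authserv-id; the authserv-id "mx.example.org" and the message are assumptions.

```python
"""Authentication-Results (A-R) clean-up before a DKIM verifier adds its verdict.

Constructed, simplified model (not OpenDKIM's code). A verifier must drop every
inbound A-R field that already claims its own authserv-id; if one survives,
a forged "dkim=pass" is indistinguishable from the verifier's real result.
"""
from typing import Callable, List, Tuple

Header = Tuple[str, str]  # (field name, field value)

AUTHSERV_ID = "mx.example.org"  # hypothetical authserv-id of our verifier


def authserv_id_of(value: str) -> str:
    """authserv-id is the text before the first ';' of an A-R field value."""
    return value.split(";", 1)[0].strip().lower()


def claims_our_id(header: Header, authserv_id: str) -> bool:
    name, value = header
    return (name.lower() == "authentication-results"
            and authserv_id_of(value) == authserv_id.lower())


def strip_forged_ar_buggy(headers: List[Header], authserv_id: str) -> List[Header]:
    """Faulty clean-up: collect the ordinals of matching fields once, then delete
    by those ordinals. After the first deletion every later field has moved up
    by one, so a wrong field is removed and a forged A-R field can survive."""
    out = list(headers)
    ordinals = [i for i, h in enumerate(out) if claims_our_id(h, authserv_id)]
    for i in ordinals:
        if i < len(out):
            del out[i]  # stale ordinal once an earlier field was removed
    return out


def strip_forged_ar(headers: List[Header], authserv_id: str) -> List[Header]:
    """Correct clean-up: decide per field and rebuild; ordinals never go stale."""
    return [h for h in headers if not claims_our_id(h, authserv_id)]


def add_verdict(headers: List[Header], authserv_id: str, verdict: str,
                strip: Callable[[List[Header], str], List[Header]] = strip_forged_ar
                ) -> List[Header]:
    """Remove inbound A-R fields bearing our authserv-id, then prepend our own."""
    cleaned = strip(headers, authserv_id)
    return [("Authentication-Results", f"{authserv_id}; dkim={verdict}")] + cleaned


def dkim_passed(headers: List[Header], authserv_id: str) -> bool:
    """Downstream consumer: trusts any A-R field from our authserv-id that
    reports dkim=pass (the behaviour the advisory warns about)."""
    return any(claims_our_id(h, authserv_id) and "dkim=pass" in h[1].lower()
               for h in headers)


# Constructed inbound message carrying two forged A-R fields with our authserv-id.
FORGED_MESSAGE: List[Header] = [
    ("From", "ceo@example.com"),
    ("Authentication-Results", "mx.example.org; dkim=pass header.d=example.com"),
    ("Subject", "Urgent wire transfer"),
    ("Authentication-Results", "MX.example.org; dkim=pass header.d=example.com"),
    ("To", "finance@example.org"),
]


def run_buggy() -> bool:
    """Verifier finds no valid signature (dkim=none) but cleans up with stale ordinals."""
    return dkim_passed(add_verdict(FORGED_MESSAGE, AUTHSERV_ID, "none",
                                   strip_forged_ar_buggy), AUTHSERV_ID)


def run_fixed() -> bool:
    return dkim_passed(add_verdict(FORGED_MESSAGE, AUTHSERV_ID, "none",
                                   strip_forged_ar), AUTHSERV_ID)


if __name__ == "__main__":
    print("stale-ordinal clean-up lets a forged dkim=pass through:", run_buggy())
    print("rebuild-based clean-up:", run_fixed())
```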


[SECURITY] [DLA 3655-1] lwip security update

2023-11-18 Thread Tobias Frost
-
Debian LTS Advisory DLA-3655-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
November 18, 2023 https://wiki.debian.org/LTS
-

Package: lwip
Version: 2.0.3-3+deb10u2
CVE ID : CVE-2020-22283
Debian Bug : 991646

A buffer overflow vulnerability has been found in lwip, a small independent
implementation of the TCP/IPv4/IPv6 protocol suite, which allows an attacker
to access information via a crafted ICMPv6 packet. This vulnerability
has been assigned CVE-2020-22283.

For Debian 10 buster, this problem has been fixed in version
2.0.3-3+deb10u2.

We recommend that you upgrade your lwip packages.

For the detailed security status of lwip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lwip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3654-1] freerdp2 security update

2023-11-17 Thread Tobias Frost
-
Debian LTS Advisory DLA-3654-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
November 17, 2023 https://wiki.debian.org/LTS
-

Package: freerdp2
Version: 2.3.0+dfsg1-2+deb10u4
CVE ID : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
 CVE-2022-41877 

Debian Bug : 1001062 1021659

Multiple vulnerabilities have been found in freerdp2, a free implementation of
the Remote Desktop Protocol (RDP). The vulnerabilities potentially allow
authentication bypasses on configuration errors, buffer overreads, DoS vectors,
buffer overflows or accessing files outside of a shared directory.

CVE-2021-41160

In affected versions a malicious server might trigger out of bound writes in a
connected client. Connections using GDI or SurfaceCommands to send graphics
updates to the client might send `0` width/height or out of bound rectangles to
trigger out of bound writes. With `0` width or height the memory allocation
will be `0` but the missing bounds checks allow writing to the pointer at this
(not allocated) region.

CVE-2022-24883

Prior to version 2.7.0, server side authentication against a `SAM` file might
be successful for invalid credentials if the server has configured an invalid
`SAM` file path. FreeRDP based clients are not affected. RDP server
implementations using FreeRDP to authenticate against a `SAM` file are
affected. Version 2.7.0 contains a fix for this issue. As a workaround, use
custom authentication via `HashCallback` and/or ensure the `SAM` database path
configured is valid and the application has file handles left.

CVE-2022-39282

FreeRDP based clients on unix systems using `/parallel` command line switch
might read uninitialized data and send it to the server the client is currently
connected to. FreeRDP based server implementations are not affected.

CVE-2022-39283

All FreeRDP based clients when using the `/video` command line switch might
read uninitialized data, decode it as audio/video and display the result.
FreeRDP based server implementations are not affected.

CVE-2022-39316

In affected versions there is an out of bound read in ZGFX decoder component of
FreeRDP. A malicious server can trick a FreeRDP based client to read out of
bound data and try to decode it likely resulting in a crash.

CVE-2022-39318

Affected versions of FreeRDP are missing input validation in `urbdrc` channel.
A malicious server can trick a FreeRDP based client to crash with division by
zero.

CVE-2022-39319

Affected versions of FreeRDP are missing input length validation in the
`urbdrc` channel. A malicious server can trick a FreeRDP based client to read
out of bound data and send it back to the server.

CVE-2022-39347

Affected versions of FreeRDP are missing path canonicalization and base path
check for `drive` channel. A malicious server can trick a FreeRDP based client
to read files outside the shared directory.

CVE-2022-41877

Affected versions of FreeRDP are missing input length validation in `drive`
channel. A malicious server can trick a FreeRDP based client to read out of
bound data and send it back to the server.


For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3538-2] zabbix regression update

2023-10-21 Thread Tobias Frost
-
Debian LTS Advisory DLA-3538-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 21, 2023  https://wiki.debian.org/LTS
-

Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u3
CVE ID : 
Debian Bug : 1051300

The last update required an update to the database schema, but as
zabbix does not support upgrading the database schema if SQLite3 is used,
using zabbix-proxy-sqlite3 requires the user to drop the database and recreate
it with a supplied sql template file.

However, this template file had not been updated in the previous upload,
making this recreation difficult for users who do not know the details.

Please read /usr/share/doc/zabbix-proxy-sqlite3/README.Debian for instructions
on how to create the database file.

Note: All other database backends will automatically update the schema.

For Debian 10 buster, this problem has been fixed in version
1:4.0.4+dfsg-1+deb10u3.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3608-1] vinagre update for DLA-3606-1

2023-10-07 Thread Tobias Frost
-
Debian LTS Advisory DLA-3608-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 07, 2023  https://wiki.debian.org/LTS
-

Package: vinagre
Version: 3.22.0-6+deb10u1
CVE ID : 
Debian Bug : 983533

It has been found that the update of freerdp2 (see DLA-3606-1) exposed a
bug in vinagre, which causes crashes and breaks RDP connections with the
symptoms of hangs and black screens.

Note: sha256 is now used instead of sha1 to fingerprint certificates. This will
invalidate all hosts in the FreeRDP known_hosts2 file,
$HOME/.config/freerdp/known_hosts2.
In case of problems with the connection, try removing that file.

For Debian 10 buster, this problem has been fixed in version
3.22.0-6+deb10u1.

We recommend that you upgrade your vinagre packages.

For the detailed security status of vinagre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vinagre

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3607-1] gnome-boxes update for DLA-3606-1

2023-10-07 Thread Tobias Frost
-
Debian LTS Advisory DLA-3607-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 07, 2023  https://wiki.debian.org/LTS
-

Package: gnome-boxes
Version: 3.30.3-2+deb10u1
CVE ID : 
Debian Bug : 

It has been found that the update of freerdp2 (see DLA-3606-1) exposed a
bug in gnome-boxes, which breaks RDP connections with the symptoms of
hangs and black screens.

Note: sha256 is now used instead of sha1 to fingerprint certificates. This will
invalidate all hosts in the FreeRDP known_hosts2 file,
$HOME/.config/freerdp/known_hosts2.
In case of problems with the connection, try removing that file.

For Debian 10 buster, this problem has been fixed in version
3.30.3-2+deb10u1.

We recommend that you upgrade your gnome-boxes packages.

For the detailed security status of gnome-boxes please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnome-boxes

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3606-1] freerdp2 security update

2023-10-07 Thread Tobias Frost
-
Debian LTS Advisory DLA-3606-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 07, 2023  https://wiki.debian.org/LTS
-

Package: freerdp2
Version: 2.3.0+dfsg1-2+deb10u3
CVE ID : CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 
 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 
 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042 
 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046 
 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 
 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 
 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397 
 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351 
 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 
 CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 
 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589
Debian Bug : 965979 1051638

Multiple vulnerabilities have been found in freerdp2, a free
implementation of the Remote Desktop Protocol (RDP).
The vulnerabilities potentially allow buffer overreads, buffer overflows,
integer overflows, use-after-free, DoS vectors.

CVE-2020-4030

In FreeRDP before version 2.1.2, there is an out of bounds read in
TrioParse. Logging might bypass string length checks due to an
integer overflow. This is fixed in version 2.1.2.   

CVE-2020-4031

In FreeRDP before version 2.1.2, there is a use-after-free in
gdi_SelectObject. All FreeRDP clients using compatibility mode with
/relax-order-checks are affected. This is fixed in version 2.1.2.

CVE-2020-4032

In FreeRDP before version 2.1.2, there is an integer casting
vulnerability in update_recv_secondary_order. All clients with
+glyph-cache /relax-order-checks are affected. This is fixed in
version 2.1.2.

CVE-2020-4033

In FreeRDP before version 2.1.2, there is an out of bounds read in
RLEDECOMPRESS. All FreeRDP based clients with sessions with color
depth < 32 are affected. This is fixed in version 2.1.2.

CVE-2020-11017

In FreeRDP less than or equal to 2.0.0, by providing manipulated
input a malicious client can create a double free condition and
crash the server. This is fixed in version 2.1.0.

CVE-2020-11018

In FreeRDP less than or equal to 2.0.0, a possible resource
exhaustion vulnerability can be performed. Malicious clients could
trigger out of bound reads causing memory allocation with random
size. This has been fixed in 2.1.0.

CVE-2020-11019

In FreeRDP less than or equal to 2.0.0, when running with logger set
to "WLOG_TRACE", a possible crash of application could occur due to
a read of an invalid array index. Data could be printed as string to
local terminal. This has been fixed in 2.1.0.

CVE-2020-11038

In FreeRDP less than or equal to 2.0.0, an Integer Overflow to
Buffer Overflow exists. When using /video redirection, a manipulated
server can instruct the client to allocate a buffer with a smaller
size than requested due to an integer overflow in size calculation.
With later messages, the server can manipulate the client to write
data out of bound to the previously allocated buffer. This has been
patched in 2.1.0.

CVE-2020-11039

In FreeRDP less than or equal to 2.0.0, when using a manipulated
server with USB redirection enabled (nearly) arbitrary memory can be
read and written due to integer overflows in length checks. This has
been patched in 2.1.0.

CVE-2020-11040

In FreeRDP less than or equal to 2.0.0, there is an out-of-bound
data read from memory in clear_decompress_subcode_rlex, visualized
on screen as color. This has been patched in 2.1.0.

CVE-2020-11041

In FreeRDP less than or equal to 2.0.0, an outside controlled array
index is used unchecked for data used as configuration for sound
backend (alsa, oss, pulse, ...). The most likely outcome is a crash
of the client instance followed by no or distorted sound or a
session disconnect. If a user cannot upgrade to the patched version,
a workaround is to disable sound for the session. This has been
patched in 2.1.0.

CVE-2020-11042

In FreeRDP greater than 1.1 and before 2.0.0, there is an
out-of-bounds read in update_read_icon_info. It allows reading a
attacker-defined amount of client memory (32bit unsigned -> 4GB) to
an intermediate buffer. This can be used to crash the client or
store information for

[SECURITY] [DLA 3596-1] firmware-nonfree security update

2023-09-30 Thread Tobias Frost
-
Debian LTS Advisory DLA-3596-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
September 30, 2023                            https://wiki.debian.org/LTS
-

Package: firmware-nonfree
Version: 20190114+really20220913-0+deb10u2
CVE ID : CVE-2022-27635 CVE-2022-36351 CVE-2022-38076 CVE-2022-40964 
 CVE-2022-46329
Debian Bug : 1051892

Intel® released the INTEL-SA-00766 advisory about potential security
vulnerabilities in some Intel® PROSet/Wireless WiFi and Killer™ WiFi products
that may allow escalation of privilege or denial of service. The full advisory
is available at [1].

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html

This updated firmware-nonfree package includes the following firmware files:
  - Intel Bluetooth AX2xx series:
      ibt-0041-0041.sfi
      ibt-19-0-0.sfi
      ibt-19-0-1.sfi
      ibt-19-0-4.sfi
      ibt-19-16-4.sfi
      ibt-19-240-1.sfi
      ibt-19-240-4.sfi
      ibt-19-32-0.sfi
      ibt-19-32-1.sfi
      ibt-19-32-4.sfi
      ibt-20-0-3.sfi
      ibt-20-1-3.sfi
      ibt-20-1-4.sfi
  - Intel Wireless 22000 series:
      iwlwifi-Qu-b0-hr-b0-77.ucode
      iwlwifi-Qu-b0-jf-b0-77.ucode
      iwlwifi-Qu-c0-hr-b0-77.ucode
      iwlwifi-Qu-c0-jf-b0-77.ucode
      iwlwifi-QuZ-a0-hr-b0-77.ucode
      iwlwifi-cc-a0-77.ucode

The updated firmware files might need an updated kernel to work. It is
encouraged to verify whether the kernel loaded the updated firmware file and
take additional measures if needed.


CVE-2022-27635

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2022-36351

Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow an unauthenticated user to potentially enable denial of
service via adjacent access.

CVE-2022-38076

Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow an authenticated user to potentially enable escalation
of privilege via local access.

CVE-2022-40964

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2022-46329

Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software
may allow a privileged user to potentially enable escalation of privilege via
local access.

For Debian 10 buster, these problems have been fixed in version
20190114+really20220913-0+deb10u2.

We recommend that you upgrade your firmware-nonfree packages.

For the detailed security status of firmware-nonfree please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firmware-nonfree

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



signature.asc
Description: PGP signature


[SECURITY] [DLA 3538-1] zabbix security update

2023-08-22 Thread Tobias Frost
-
Debian LTS Advisory DLA-3538-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
August 22, 2023                               https://wiki.debian.org/LTS
-

Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u2
CVE ID : CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 
 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 
 CVE-2023-29456 CVE-2023-29457
Debian Bug : 1026847

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially allowing an attacker to crash the server,
disclose information, or perform Cross-Site-Scripting attacks.

Important Notices:
To mitigate CVE-2019-17382, on existing installations, the guest account
needs to be manually disabled, for example by disabling the "Guest
group" in the UI:
   Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the
possibility to edit and add discovery rules in the UI.



CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the "users"
table with the password hash stored as a MD5 hash, which is a known
insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed; upstream does not see this as a security issue)

An issue was discovered in
zabbix.php?action=dashboard.view=1 in Zabbix through
4.4. An attacker can bypass the login page and access the dashboard
page, and then create a Dashboard, Report, Screen, or Map without
any Username/Password (i.e., anonymously). All created elements
(Dashboard/Report/Screen/Map) are accessible by other users and by
an admin.

CVE-2022-35229

An authenticated user can create a link with reflected
Javascript code inside it for the discovery page and send it to
other users. The payload can be executed only with a known CSRF
token value of the victim, which is changed periodically and is
difficult to predict.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to
maintain the installation and ensure that only certain IP addresses
can access it. In this way, any user will not be able to access the
Zabbix Frontend while it is being maintained and possible sensitive
data will be prevented from being disclosed. An attacker can bypass
this protection and access the instance using IP address not listed
in the defined range.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain
access to the file system (read-only access on behalf of user
"zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading
to unauthorized access to sensitive data.

CVE-2023-29451

A specially crafted string can cause a buffer overrun in the JSON
parser library, leading to a crash of the Zabbix Server or a Zabbix
Proxy.

CVE-2023-29454

A stored or persistent cross-site scripting (XSS) vulnerability
was found in the “Users” section, in the “Media” tab, in the “Send to”
form field. When new media is created with malicious code included in
the “Send to” field, it will execute when editing the same media.

CVE-2023-29455

A reflected XSS attack, also known as a non-persistent attack, was
found where an attacker can pass malicious code in a GET request to
graph.php; the system will save it and execute it when the current
graph page is opened.

CVE-2023-29456

URL validation scheme receives input from a user and then parses
it to identify its various components. The validation scheme can
ensure that all URL components comply with internet standards.

CVE-2023-29457

A reflected XSS attack, also known as a non-persistent attack, was
found where XSS session cookies could be revealed, enabling a
perpetrator to impersonate valid users and abuse their private
accounts.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u2.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3501-1] renderdoc security update

2023-07-24 Thread Tobias Frost
-
Debian LTS Advisory DLA-3501-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
July 25, 2023                                 https://wiki.debian.org/LTS
-

Package: renderdoc
Version: 1.2+dfsg-2+deb10u1
CVE ID : CVE-2023-33863 CVE-2023-33864 CVE-2023-33865
Debian Bug : 1037208

Multiple security issues were discovered in renderdoc, a stand-alone
graphics debugging tool, which potentially allow a remote attacker
to execute arbitrary code.

CVE-2023-33863

An integer overflow that results in a heap-based buffer overflow,
which might be exploitable by a remote attacker to execute arbitrary
code on the machine that runs RenderDoc.

CVE-2023-33864

An integer underflow that results in a heap-based buffer overflow,
which might be exploitable by a remote attacker to execute arbitrary
code on the machine that runs RenderDoc.

CVE-2023-33865

A symlink vulnerability that might be exploitable by an unprivileged
local attacker to obtain the privileges of the user who runs
RenderDoc.

For Debian 10 buster, these problems have been fixed in version
1.2+dfsg-2+deb10u1.

We recommend that you upgrade your renderdoc packages.

For the detailed security status of renderdoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/renderdoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3492-1] yajl security update

2023-07-11 Thread Tobias Frost
-
Debian LTS Advisory DLA-3492-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
July 11, 2023                                 https://wiki.debian.org/LTS
-

Package: yajl
Version: 2.1.0-3+deb10u2
CVE ID : CVE-2017-16516 CVE-2022-24795 CVE-2023-33460
Debian Bug : 1040036

Multiple vulnerabilities have been found in yajl, a JSON parser / small
validating JSON generator written in ANSI C, which potentially can
cause memory corruption or DoS.

The CVE-20117-16516 had been addressed already in DLA-3478, however the
fix has been found to be incomplete as it missed an additional memory
leak.  This update fixes that problem.

CVE-2017-16516

  When a crafted JSON file is supplied to yajl, the process might
  crash with a SIGABRT in the yajl_string_decode function in
  yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

  The 1.x branch and the 2.x branch of `yajl` contain an integer
  overflow which leads to subsequent heap memory corruption when dealing
  with large (~2GB) inputs.

CVE-2023-33460

  There is a memory leak in yajl 2.1.0 with use of the yajl_tree_parse
  function, which can potentially cause an out-of-memory condition in a
  server and a crash.

For Debian 10 buster, these problems have been fixed in version
2.1.0-3+deb10u2.

We recommend that you upgrade your yajl packages.

For the detailed security status of yajl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yajl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3487-1] fusiondirectory security update and rebuild for php-cas

2023-07-08 Thread Tobias Frost
-
Debian LTS Advisory DLA-3487-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
                                              Tobias Frost
July 08, 2023                                 https://wiki.debian.org/LTS
-

Package: fusiondirectory
Version: 1.2.3-4+deb10u2
CVE ID : CVE-2022-36179 CVE-2022-36180
Debian Bug : 

A potential Cross Site Scripting (XSS) vulnerability (CVE-2022-36180) and a
session handling vulnerability (CVE-2022-36179) have been found in
fusiondirectory, a web-based LDAP administration program.

Additionally, fusiondirectory has been updated to address the API change
in php-cas due to CVE-2022-39369, see DLA 3485-1 for details.

Due to this, if CAS authentication is used, fusiondirectory
will stop working until the following steps are done:

- make sure to install the updated fusiondirectory-schema package for
  buster.

- update the fusiondirectory core schema in LDAP by running
    fusiondirectory-insert-schema -m

- switch to using the new php-cas API by running
    fusiondirectory-setup --set-config-CasLibraryBool=TRUE

- set the CAS ClientServiceName to the base URL of the fusiondirectory
  installation, for example:
    fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/"


For Debian 10 buster, these problems have been fixed in version
1.2.3-4+deb10u2.

We recommend that you upgrade your fusiondirectory packages.

For the detailed security status of fusiondirectory please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fusiondirectory

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3486-1] ocsinventory-server update for php-cas

2023-07-08 Thread Tobias Frost
-
Debian LTS Advisory DLA-3486-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
July 08, 2023                                 https://wiki.debian.org/LTS
-

Package: ocsinventory-server
Version: 2.5+dfsg1-1+deb10u1
CVE ID : n/a
Debian Bug : 

The source package ocsinventory-server, a hardware and software
inventory tool, has been updated to address the API change in php-cas due
to CVE-2022-39369; see DLA 3485-1 for details.

CAS is an optional authentication mechanism in the binary package
ocsinventory-reports, and if used, ocsinventory-reports will stop
working until it has been reconfigured:

It now requires the base URL of the to-be-authenticated service to be
configured.

For ocsinventory-reports, this is configured with the variable
$cas_service_base_url in the file
/usr/share/ocsinventory-reports/backend/require/cas.config.php

Warning: regardless of this update, ocsreports-server should only be
used in secure and trusted environments.


For Debian 10 buster, this update is available through version
2.5+dfsg1-1+deb10u1.

We recommend that you upgrade your ocsinventory-server packages.

For the detailed security status of ocsinventory-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ocsinventory-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3485-1] php-cas security update

2023-07-08 Thread Tobias Frost
-
Debian LTS Advisory DLA-3485-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
July 08, 2023                                 https://wiki.debian.org/LTS
-

Package: php-cas
Version: 1.3.6-1+deb10u1
CVE ID : CVE-2022-39369
Debian Bug : 1023571

A vulnerability has been found in phpCAS, a Central Authentication
Service client library in PHP, which may allow an attacker to gain
access to a victim's account on a vulnerable CASified service without
the victim's knowledge, when the victim visits the attacker's website
while being logged in to the same CAS server.

The fix for this vulnerability requires an API-breaking change in php-cas
and will require that software using the library be updated.

For buster, all packages in the Debian repositories which are using
php-cas have been updated, though additional manual configuration is to
be expected, as php-cas needs additional site information -- the service
base URL -- for it to function. The DLAs for the respective packages
will have additional information, as well as the package's NEWS files.

For 3rd party software using php-cas, please note that upstream
provided the following instructions on how to update this software [1]:

phpCAS now requires an additional service base URL argument when constructing
the client class. It accepts any argument of:

1. A service base URL string. The service URL discovery will always use this
   server name (protocol, hostname and port number) without using any external
   host names.
2. An array of service base URL strings. The service URL discovery will check
   against this list before using the auto discovered base URL. If there is no
   match, the first base URL in the array will be used as the default. This
   option is helpful if your PHP website is accessible through multiple domains
   without a canonical name, or through both HTTP and HTTPS.
3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
   customize the base URL discovery behavior, you can pass in a class that
   implements the interface.

Constructing the client class is usually done with phpCAS::client().

For example, using the first possibility:
  phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
could become:
  phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context,
                 "https://casified-service.example.org:8080");


Details of the vulnerability:

CVE-2022-39369

The phpCAS library uses HTTP headers to determine the service URL used
to validate tickets. This allows an attacker to control the host header
and use a valid ticket granted for any authorized service in the same
SSO realm (CAS server) to authenticate to the service protected by
phpCAS.  Depending on the settings of the CAS server service registry in
worst case this may be any other service URL (if the allowed URLs are
configured to "^(https)://.*") or may be strictly limited to known and
authorized services in the same SSO federation if proper URL service
validation is applied.

[1] 
https://github.com/apereo/phpCAS/blob/f3db27efd1f5020e71f2116f637a25cc9dbda1e3/docs/Upgrading#L1C1-L1C1

For Debian 10 buster, this problem has been fixed in version
1.3.6-1+deb10u1.

We recommend that you upgrade your php-cas packages.

For the detailed security status of php-cas please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-cas

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


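As an added illustration (not phpCAS code and not part of the advisory), the following Python models the service URL discovery that CVE-2022-39369 is about: the pre-fix variant builds the URL from request headers, the post-fix variant uses only the configured service base URL, mirroring upstream's option 1 (a single string) and option 2 (a list, with the first entry as the default). The request structure, host names and ticket value are constructed for the example.

```python
# Model of phpCAS-style service URL discovery before and after the
# CVE-2022-39369 fix. This is an added illustration, not phpCAS's own code;
# every request, host name and ticket below is constructed for the example.
from urllib.parse import urlsplit


def _normalize_base(base):
    """Reduce a base URL to lowercase scheme://host[:port], dropping the
    default port, so two spellings of the same origin compare equal."""
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"invalid service base URL: {base!r}")
    port = parts.port  # raises ValueError for a non-numeric port
    default = 80 if parts.scheme == "http" else 443
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def _path_and_query(request):
    """Path plus query string of the constructed request dict."""
    query = request.get("query", "")
    return request.get("path", "/") + (f"?{query}" if query else "")


def service_url_vulnerable(request):
    """Pre-fix behaviour: the host part is taken from the request's Host
    header (or a forwarding header), so whoever sends the request decides
    which service URL the CAS ticket is validated against."""
    scheme = "https" if request.get("https") else "http"
    headers = request["headers"]
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}{_path_and_query(request)}"


def service_url_fixed(request, base_urls):
    """Post-fix behaviour: only a configured base URL is ever used. With a
    list, the request's origin is accepted when it matches one configured
    entry; otherwise the first entry is the default (upstream's option 2).
    Request headers can no longer steer the URL outside the configured set."""
    if isinstance(base_urls, str):
        base_urls = [base_urls]
    if not base_urls:
        raise ValueError("a service base URL must be configured")
    allowed = [_normalize_base(b) for b in base_urls]
    scheme = "https" if request.get("https") else "http"
    try:
        requested = _normalize_base(f"{scheme}://{request['headers'].get('Host', '')}")
    except ValueError:
        requested = None  # missing or malformed Host header: use the default
    chosen = requested if requested in allowed else allowed[0]
    return chosen + _path_and_query(request)


def demo():
    """Constructed ticket-validation request whose Host header names a host
    other than the CASified service; returns both computed service URLs."""
    request = {
        "https": True,
        "headers": {"Host": "other-host.example.net"},  # constructed value
        "path": "/login.php",
        "query": "ticket=ST-constructed",
    }
    base = "https://casified-service.example.org:8080"  # base URL from the advisory example
    return service_url_vulnerable(request), service_url_fixed(request, base)


if __name__ == "__main__":
    before, after = demo()
    print("pre-fix service URL :", before)
    print("post-fix service URL:", after)
```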


[SECURITY] [DLA 3478-1] yajl security update

2023-07-02 Thread Tobias Frost
-
Debian LTS Advisory DLA-3478-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
July 02, 2023                                 https://wiki.debian.org/LTS
-

Package: yajl
Version: 2.1.0-2+deb10u1
CVE ID : CVE-2023-33460
Debian Bug : 1039984

A memory leak has been found in yajl, a JSON parser / small validating
JSON generator written in ANSI C, which might allow an attacker to cause
an out-of-memory situation and potentially a crash.

For Debian 10 buster, this problem has been fixed in version
2.1.0-2+deb10u1.

We recommend that you upgrade your yajl packages.

For the detailed security status of yajl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/yajl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3437-1] libssh security update

2023-05-29 Thread Tobias Frost
-
Debian LTS Advisory DLA-3437-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
May 29, 2023                                  https://wiki.debian.org/LTS
-

Package: libssh
Version: 0.8.7-1+deb10u2
CVE ID : CVE-2019-14889 CVE-2023-1667
Debian Bug : 946548 1035832

Two security issues have been discovered in libssh, a tiny C SSH
library, which may allow a remote authenticated user to cause a denial
of service or inject arbitrary commands.

CVE-2019-14889

A flaw was found with the libssh API function ssh_scp_new() in
versions before 0.9.3 and before 0.8.8. When the libssh SCP client
connects to a server, the scp command, which includes a
user-provided path, is executed on the server-side. In case the
library is used in a way where users can influence the third
parameter of the function, it would become possible for an attacker
to inject arbitrary commands, leading to a compromise of the remote
target.

CVE-2023-1667

A NULL pointer dereference was found in libssh during re-keying with
algorithm guessing. This issue may allow an authenticated client to
cause a denial of service.

For Debian 10 buster, these problems have been fixed in version
0.8.7-1+deb10u2.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3431-1] sqlite security update

2023-05-22 Thread Tobias Frost
-
Debian LTS Advisory DLA-3431-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
May 22, 2023                                  https://wiki.debian.org/LTS
-

Package: sqlite
Version: 2.8.17-15+deb10u1
CVE ID : CVE-2016-6153 CVE-2018-8740
Debian Bug : 

Two vulnerabilities have been fixed in sqlite (V2) which might
allow local users to obtain sensitive information, cause a denial of
service (application crash), or have unspecified other impact.

CVE-2016-6153

sqlite improperly implemented the temporary directory search algorithm,
which might allow local users to obtain sensitive information, cause a
denial of service (application crash), or have unspecified other impact
by leveraging use of the current working directory for temporary files.

CVE-2018-8740

Databases whose schema is corrupted using a CREATE TABLE AS statement
could cause a NULL pointer dereference.


For Debian 10 buster, these problems have been fixed in version
2.8.17-15+deb10u1.

We recommend that you upgrade your sqlite packages.

For the detailed security status of sqlite please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sqlite

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3418-1] nvidia-graphics-drivers-legacy-390xx security update

2023-05-11 Thread Tobias Frost
-
Debian LTS Advisory DLA-3418-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
May 11, 2023                                  https://wiki.debian.org/LTS
-

Package: nvidia-graphics-drivers-legacy-390xx
Version: 390.157-1~deb10u1
CVE ID : CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677
 CVE-2022-34680 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259
Debian Bug : 1025281

NVIDIA has released a software security update for the NVIDIA GPU Display
Driver R390 linux driver branch. This update addresses issues that may lead to
denial of service, escalation of privileges, information disclosure, data
tampering or undefined behavior.


CVE-2022-34670

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer handler, where an unprivileged regular user can
cause truncation errors when casting a primitive to a primitive of
smaller size, which causes data to be lost in the conversion and may
lead to denial of service or information disclosure.

CVE-2022-34674

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer handler, where a helper function maps more
physical pages than were requested, which may lead to undefined
behavior or an information leak.

CVE-2022-34675

NVIDIA Display Driver for Linux contains a vulnerability in the
Virtual GPU Manager, where it does not check the return value from a
null-pointer dereference, which may lead to denial of service.

CVE-2022-34677

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer handler, where an unprivileged regular user can
cause an integer to be truncated, which may lead to denial of
service or data tampering.

CVE-2022-34680

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer handler, where an integer truncation can lead to
an out-of-bounds read, which may lead to denial of service.

CVE-2022-42257

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer (nvidia.ko), where an integer overflow may lead to
information disclosure, data tampering or denial of service.

CVE-2022-42258

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer (nvidia.ko), where an integer overflow may lead to
denial of service, data tampering, or information disclosure.

CVE-2022-42259

NVIDIA GPU Display Driver for Linux contains a vulnerability in the
kernel mode layer (nvidia.ko), where an integer overflow may lead to
denial of service.

For Debian 10 buster, these problems have been fixed in version
390.157-1~deb10u1.

We recommend that you upgrade your nvidia-graphics-drivers-legacy-390xx 
packages.

For the detailed security status of
nvidia-graphics-drivers-legacy-390xx please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/nvidia-graphics-drivers-legacy-390xx

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3390-1] zabbix security update

2023-04-12 Thread Tobias Frost
-
Debian LTS Advisory DLA-3390-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Tobias Frost
April 12, 2023                                https://wiki.debian.org/LTS
-

Package: zabbix
Version: 1:4.0.4+dfsg-1+deb10u1
CVE ID : CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349
 CVE-2022-24917 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
Debian Bug : 935027 966146 1014992 1014994

Several security vulnerabilities have been discovered in zabbix,
a network monitoring solution, potentially allowing User Enumeration, 
Cross-Site-Scripting or Cross-Site Request Forgery.

CVE-2019-15132

Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is
possible to enumerate application usernames based on the variability of server
responses (e.g., the "Login name or password is incorrect" and "No permissions
for system access" messages, or just blocking for a number of seconds). This
affects both api_jsonrpc.php and index.php.

CVE-2020-15803

Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x
before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL
Widget.

CVE-2021-27927

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1,
5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the
CControllerAuthenticationUpdate controller lacks a CSRF protection
mechanism. The code inside this controller calls disableSIDValidation
inside the init() method. An attacker doesn't have to know Zabbix user
login credentials, but has to know the correct Zabbix URL and contact
information of an existing user with sufficient privileges.

CVE-2022-24349

An authenticated user can create a link with reflected XSS payload for
actions’ pages, and send it to other users. Malicious code has access to
all the same objects as the rest of the web page and can make arbitrary
modifications to the contents of the page being displayed to a victim.
This attack can be implemented with the help of social engineering and
expiration of a number of factors - an attacker should have authorized
access to the Zabbix Frontend and allowed network connection between a
malicious server and victim’s computer, understand attacked
infrastructure, be recognized by the victim as a trustee and use trusted
communication channel.

CVE-2022-24917

An authenticated user can create a link with reflected Javascript code
inside it for services’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-24919

An authenticated user can create a link with reflected Javascript code
inside it for graphs’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code
inside it for the discovery page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

CVE-2022-35230

An authenticated user can create a link with reflected Javascript code
inside it for the graphs page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3387-2] udisks2 regression update

2023-04-10 Thread Tobias Frost
-
Debian LTS Advisory DLA-3387-2                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
April 10, 2023                                  https://wiki.debian.org/LTS
-

Package: udisks2
Version: 2.8.1-4+deb10u2
Debian Bug : 1034124

A regression was reported: the fix for CVE-2021-3802 broke mounting with
allow-listed mount option/value pairs, for example errors=remount-ro.
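The regression above is the classic failure mode of an allow list that was written for bare option names and then meets option=value pairs. The following added example (illustrative code, not udisks2's own, with an allow list that is an assumption made for the demonstration rather than udisks2's real one) shows a validator that rejects errors=remount-ro because it compares the whole string against the key set, beside one that splits key and value and checks each:

```python
# Added example: a mount-option allow list that distinguishes bare options from
# option=value pairs. It models the kind of check the CVE-2021-3802 fix added and
# the regression described above; it is not udisks2's own code, and ALLOWED_OPTIONS
# is an assumption for illustration, not udisks2's real allow list.

# Bare options map to None; key=value options map to the set of permitted values.
ALLOWED_OPTIONS = {
    "ro": None,
    "nodev": None,
    "nosuid": None,
    "noexec": None,
    "errors": {"continue", "remount-ro"},
}


def _split_options(options: str):
    return [o.strip() for o in options.split(",") if o.strip()]


def validate_mount_options_regressed(options: str):
    """Broken variant: compares the whole option string against the allowed keys,
    so a legitimate pair such as errors=remount-ro is rejected."""
    accepted, rejected = [], []
    for opt in _split_options(options):
        if opt in ALLOWED_OPTIONS and ALLOWED_OPTIONS[opt] is None:
            accepted.append(opt)
        else:
            rejected.append(opt)
    return accepted, rejected


def validate_mount_options(options: str):
    """Fixed variant: split each option on '=', then check key and value separately."""
    accepted, rejected = [], []
    for opt in _split_options(options):
        key, has_value, value = opt.partition("=")
        if key not in ALLOWED_OPTIONS:
            rejected.append(opt)                 # unknown option name
            continue
        allowed_values = ALLOWED_OPTIONS[key]
        if allowed_values is None:
            # A bare option must not carry a value (nosuid=1 is not nosuid).
            (rejected if has_value else accepted).append(opt)
        elif has_value and value in allowed_values:
            accepted.append(opt)                 # known key with a permitted value
        else:
            rejected.append(opt)                 # missing or unlisted value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample option string mixing valid and invalid entries.
    sample = "ro,nodev,errors=remount-ro,errors=panic,nosuid=1,exec"
    print("regressed:", validate_mount_options_regressed(sample))
    print("fixed:    ", validate_mount_options(sample))
```

Note that the fixed variant still refuses an unknown value for a known key (errors=panic) and a value glued onto a bare option (nosuid=1); both are rejected on purpose, since the point of the allow list is that only option/value combinations reviewed in advance reach mount(2).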

For Debian 10 buster, this problem has been fixed in version
2.8.1-4+deb10u2.

We recommend that you upgrade your udisks2 packages.

For the detailed security status of udisks2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/udisks2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3387-1] udisks2 security update

2023-04-07 Thread Tobias Frost
-
Debian LTS Advisory DLA-3387-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
April 07, 2023                                  https://wiki.debian.org/LTS
-

Package: udisks2
Version: 2.8.1-4+deb10u1
CVE ID : CVE-2021-3802
Debian Bug : 

Stefan Walter found that udisks2, a service to access and manipulate storage
devices, could cause a denial of service via system crash if a corrupted or
specially crafted ext2/3/4 device or image was mounted, which can happen
automatically in certain environments.

For Debian 10 buster, this problem has been fixed in version
2.8.1-4+deb10u1.

We recommend that you upgrade your udisks2 packages.

For the detailed security status of udisks2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/udisks2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3380-1] firmware-nonfree LTS new upstream version (security updates and newer firmware for Linux 5.10)

2023-04-01 Thread Tobias Frost
-
Debian LTS Advisory DLA-3380-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
April 01, 2023                                  https://wiki.debian.org/LTS
-

Package: firmware-nonfree
Version: 20190114+really20220913-0+deb10u1
CVE ID : CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-24586
 CVE-2020-24587 CVE-2020-24588 CVE-2021-23168 CVE-2021-23223
 CVE-2021-37409 CVE-2021-44545 CVE-2022-21181
Debian Bug : 844056 877667 903437 919452 919632 927286 927917 928510 928631 
928672 931930 935969 947356 956224 962972 963025 963558 964028 966025 968272 
969000 971791 975726 977042 980101 982579 982757 983255 983561 984489 984852 
984874 985740 985743 991500 992551 999825 1006500 1006638 1009316 1009618 
1014651 1015728 1016058 1019847 1020962

The firmware-nonfree package has been updated to include additional firmware
that may be requested by some drivers in Linux 5.10, available for Debian LTS as
a backported kernel.

Some of the updated firmware files address security vulnerabilities which may
allow escalation of privilege, denial of service and information disclosure.

CVE-2020-24586 (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that received fragments be cleared from memory after (re)connecting
to a network. Under the right circumstances, when another device
sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can
be abused to inject arbitrary network packets and/or exfiltrate user
data.

CVE-2020-24587  (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that all fragments of a frame are encrypted under the same key. An
adversary can abuse this to decrypt selected fragments when another
device sends fragmented frames and the WEP, CCMP, or GCMP encryption
key is periodically renewed.

CVE-2020-24588  (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that the A-MSDU flag in the plaintext QoS header field is
authenticated. Against devices that support receiving non-SSP A-MSDU
frames (which is mandatory as part of 802.11n), an adversary can
abuse this to inject arbitrary network packets.

CVE-2021-23168  (INTEL-SA-00621)

Out of bounds read for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow an unauthenticated user to
potentially enable denial of service via adjacent access.

CVE-2021-23223 (INTEL-SA-00621)

Improper initialization for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2021-37409 (INTEL-SA-00621)

Improper access control for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2021-44545 (INTEL-SA-00621)

Improper input validation for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow an unauthenticated user to
potentially enable denial of service via adjacent access.

CVE-2022-21181 (INTEL-SA-00621)

Improper input validation for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

The following advisories are also fixed by this upload, but need an
updated Linux kernel to load the updated firmware:

CVE-2020-12362 (INTEL-SA-00438)

Integer overflow in the firmware for some Intel(R) Graphics Drivers
for Windows* before version 26.20.100.7212 and before Linux kernel
version 5.5 may allow a privileged user to potentially enable an
escalation of privilege via local access.

CVE-2020-12363 (INTEL-SA-00438)

Improper input validation in some Intel(R) Graphics Drivers for
Windows* before version 26.20.100.7212 and before Linux kernel
version 5.5 may allow a privileged user to potentially enable a
denial of service via local access.

CVE-2020-12364 (INTEL-SA-00438)

Null pointer reference in some Intel(R) Graphics Drivers for
Windows* before version 26.20.100.7212 and before Linux kernel
version 5.5 may allow a privileged user to potentially enable
a denial of service via local access.

For Debian 10 buster, these problems have been fixed in version
20190114+really20220913-0+deb10u1.

We recommend that you upgrade your firmware-nonfree packages.

For the detailed

[SECURITY] [DLA 3379-1] intel-microcode security update

2023-04-01 Thread Tobias Frost
-
Debian LTS Advisory DLA-3379-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
April 01, 2023                                  https://wiki.debian.org/LTS
-

Package: intel-microcode
Version: 3.20230214.1~deb10u1
CVE ID : CVE-2022-21216 CVE-2022-21233 CVE-2022-33196 CVE-2022-33972
 CVE-2022-38090
Debian Bug : 1031334

Multiple potential security vulnerabilities in some Intel(R) Processors
have been found which may allow information disclosure or escalation of
privilege. Intel is releasing firmware updates to mitigate these
potential vulnerabilities.

Please pay attention that the fix for CVE-2022-33196 might require a
firmware update.

CVE-2022-21216 (INTEL-SA-00700)
Insufficient granularity of access control in out-of-band
management in some Intel(R) Atom and Intel Xeon Scalable Processors
may allow a privileged user to potentially enable escalation of
privilege via adjacent network access.

CVE-2022-33196 (INTEL-SA-00738)
Incorrect default permissions in some memory controller
configurations for some Intel(R) Xeon(R) Processors when using
Intel(R) Software Guard Extensions which may allow a privileged user
to potentially enable escalation of privilege via local access.

This fix may require a firmware update to be effective on some
processors.

CVE-2022-33972 (INTEL-SA-00730)
Incorrect calculation in microcode keying mechanism for some 3rd
Generation Intel(R) Xeon(R) Scalable Processors may allow a
privileged user to potentially enable information disclosure via
local access.

CVE-2022-38090 (INTEL-SA-00767)
Improper isolation of shared resources in some Intel(R) Processors
when using Intel(R) Software Guard Extensions may allow a privileged
user to potentially enable information disclosure via local access.

CVE-2022-21233 (INTEL-SA-00657)
Improper isolation of shared resources in some Intel(R) Processors
may allow a privileged user to potentially enable information
disclosure via local access.

For Debian 10 buster, these problems have been fixed in version
3.20230214.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3356-1] wireless-regdb security update

2023-03-09 Thread Tobias Frost
-
Debian LTS Advisory DLA-3356-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
March 09, 2023                                  https://wiki.debian.org/LTS
-

Package: wireless-regdb
Version: 2022.04.08-2~deb10u1
CVE ID : n/a
Debian Bug :

This update brings the wireless regulatory database to version 2022.04.08.
In addition, it allows the Linux 5.10 kernel to verify and autoload it.

We recommend that you upgrade your wireless-regdb package.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3352-1] libde265 security update

2023-03-04 Thread Tobias Frost
-
Debian LTS Advisory DLA-3352-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
March 04, 2023                                  https://wiki.debian.org/LTS
-

Package: libde265
Version: 1.0.11-0+deb10u4
CVE ID : CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755
 CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221
Debian Bug :

Multiple issues were found in libde265, an open source implementation of the
H.265 video codec, which may result in denial of service, possibly code
execution due to a heap-based buffer overflow, or have unspecified other
impact.

CVE-2023-24751

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the mc_chroma function at motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted input file.

CVE-2023-24752

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24754

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24755

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_weighted_pred_8_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.

CVE-2023-24756

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_unweighted_pred_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24757

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_unweighted_pred_16_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.

CVE-2023-24758

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-25221

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow
vulnerability in the derive_spatial_luma_vector_prediction function
in motion.cc.

For Debian 10 buster, these problems have been fixed in version
1.0.11-0+deb10u4.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3340-1] libgit2 security update

2023-02-23 Thread Tobias Frost
-
Debian LTS Advisory DLA-3340-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
February 23, 2023                               https://wiki.debian.org/LTS
-

Package: libgit2
Version: 0.27.7+dfsg.1-0.2+deb10u1
CVE ID : CVE-2020-12278 CVE-2020-12279 CVE-2023-22742
Debian Bug : 1029368

Several vulnerabilities have been found in libgit2, a cross-platform, linkable
library implementation of Git, which may result in remote code execution
when cloning a repository onto an NTFS-like filesystem, or in man-in-the-middle
attacks due to missing verification of the server's SSH host key.

CVE-2020-12278

An issue was discovered in libgit2 before 0.28.4 and 0.9x before
0.99.0.  path.c mishandles equivalent filenames that exist because of
NTFS Alternate Data Streams. This may allow remote code execution when
cloning a repository.

CVE-2020-12279

An issue was discovered in libgit2 before 0.28.4 and 0.9x before
0.99.0.  checkout.c mishandles equivalent filenames that exist because
of NTFS short names. This may allow remote code execution when cloning a
repository.

CVE-2023-22742

libgit2 is a cross-platform, linkable library implementation of Git.
When using an SSH remote with the optional libssh2 backend, libgit2 does
not perform certificate checking by default. Prior versions of libgit2
require the caller to set the `certificate_check` field of libgit2's
`git_remote_callbacks` structure - if a certificate check callback is
not set, libgit2 does not perform any certificate checking. This means
that by default - without configuring a certificate check callback,
clients will not perform validation on the server SSH keys and may be
subject to a man-in-the-middle attack.

For Debian 10 buster, these problems have been fixed in version
0.27.7+dfsg.1-0.2+deb10u1.

We recommend that you upgrade your libgit2 packages.

For the detailed security status of libgit2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgit2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3313-1] wireshark security update

2023-02-08 Thread Tobias Frost
-
Debian LTS Advisory DLA-3313-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
February 08, 2023                               https://wiki.debian.org/LTS
-

Package: wireshark
Version: 2.6.20-0+deb10u5
CVE ID : CVE-2022-4345 CVE-2023-0411 CVE-2023-0412 CVE-2023-0413
 CVE-2023-0415 CVE-2023-0417

Multiple security vulnerabilities have been discovered in Wireshark, a
network traffic analyzer. An attacker could cause a denial of service
(infinite loop or application crash) via packet injection or a crafted
capture file.

CVE-2022-4345

Infinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in
Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allow denial of service via
packet injection or a crafted capture file.

CVE-2023-0411

Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and
3.6.0 to 3.6.10 allow denial of service via packet injection or a
crafted capture file.

CVE-2023-0412

A TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10
allows denial of service via packet injection or a crafted capture file.

CVE-2023-0413

A dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10
allows denial of service via packet injection or a crafted capture
file.

CVE-2023-0415

An iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10
allows denial of service via packet injection or a crafted capture
file.

CVE-2023-0417

A memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0
to 3.6.10 allows denial of service via packet injection or a crafted
capture file.

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u5.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3293-1] modsecurity-crs security update

2023-01-30 Thread Tobias Frost
-
Debian LTS Advisory DLA-3293-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
January 30, 2023                                https://wiki.debian.org/LTS
-

Package: modsecurity-crs
Version: 3.2.3-0+deb10u3
CVE ID : CVE-2018-16384 CVE-2020-22669 CVE-2021-35368 CVE-2022-39955
 CVE-2022-39956 CVE-2022-39957 CVE-2022-39958
Debian Bug : 924352 992000 1021137

Multiple issues were found in modsecurity-crs, a set of generic attack
detection rules for use with ModSecurity or compatible web application
firewalls, which allow remote attackers to bypass the web application
firewall.

If you are using modsecurity-crs with apache2 / libapache2-modsecurity, please
make sure to review your modsecurity configuration, usually
/etc/modsecurity/modsecurity.conf, against the updated recommended
configuration, available in /etc/modsecurity/modsecurity.conf-recommended:
some of the changes to the recommended configuration are required to avoid
WAF bypasses in certain circumstances.

Please note that CVE-2022-39956 requires an updated modsecurity-apache package,
which has been previously uploaded to buster-security; see Debian LTS Advisory
DLA-3283-1 for details.

If you are using some other solution in connection with the
modsecurity rule set, for example one that is using libmodsecurity3, your
solution might error out with an error message like "Error creating rule:
Unknown variable: MULTIPART_PART_HEADERS". In this case you can disable the
mitigation for CVE-2022-39956 by removing the rule file
REQUEST-922-MULTIPART-ATTACK.conf.  However, be aware that this will disable
the protection and could allow attackers to bypass your Web Application
Firewall.

There is no package in Debian which depends on libmodsecurity3, so if you are
only using software which is available from Debian, you are not affected by
this limitation.

Kudos to @airween for the support and help while preparing the update.

CVE-2018-16384

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule
Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special
function name (such as "if") and b is the SQL statement to be executed.

CVE-2020-22669

ModSecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL
injection bypass vulnerability. Attackers can use the comment characters and
variable assignments in the SQL syntax to bypass ModSecurity WAF protection and
implement SQL injection attacks on Web applications.

CVE-2022-39955

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass by submitting a specially crafted HTTP Content-Type header field that
indicates multiple character encoding schemes. A vulnerable back-end can
potentially be exploited by declaring multiple Content-Type "charset" names and
therefore bypassing the configurable CRS Content-Type header "charset" allow
list. An encoded payload can bypass CRS detection this way and may then be
decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected,
as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and
users are advised to upgrade to 3.2.2 and 3.3.3 respectively.
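The bypass in CVE-2022-39955 comes from two parsers disagreeing about the same header: the WAF compares one charset parameter against its allow list while the backend decodes with another. The added example below (illustrative code, not the CRS rules or ModSecurity's parser; the "first charset only" behaviour of the naive check, the "last charset wins" behaviour of the backend, and the allow list are all assumptions made for the demonstration) shows the disagreement on a crafted header and a stricter check that rejects duplicate charset parameters outright:

```python
# Added example: how a duplicated charset parameter in Content-Type defeats an
# allow-list check that looks at only the first charset. This is illustrative
# code, not the CRS rules themselves; the "first charset only" naive check, the
# "last charset wins" backend, and ALLOWED_CHARSETS are assumptions for the demo.
from typing import List, Tuple

ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}


def content_type_params(header: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a Content-Type value into media type and all (name, value) parameters.
    Duplicates are kept deliberately. Quoted values containing ';' are not handled;
    a production parser should follow RFC 7231 tokenisation."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = []
    for part in parts[1:]:
        if not part:
            continue
        name, _, value = part.partition("=")
        params.append((name.strip().lower(), value.strip().strip('"').lower()))
    return media_type, params


def charsets_in(header: str) -> List[str]:
    return [v for k, v in content_type_params(header)[1] if k == "charset"]


def naive_charset_check(header: str) -> bool:
    """Vulnerable pattern: only the first charset parameter is compared to the allow list."""
    charsets = charsets_in(header)
    return not charsets or charsets[0] in ALLOWED_CHARSETS


def strict_charset_check(header: str) -> bool:
    """Hardened pattern: at most one charset parameter, and it must be on the allow list."""
    charsets = charsets_in(header)
    if len(charsets) > 1:
        return False
    return all(c in ALLOWED_CHARSETS for c in charsets)


def backend_effective_charset(header: str, default: str = "utf-8") -> str:
    """Assumed backend behaviour: a last-value-wins parser decodes with the final charset."""
    charsets = charsets_in(header)
    return charsets[-1] if charsets else default


if __name__ == "__main__":
    # Constructed request header of the kind an attacker would send.
    crafted = 'text/plain; charset=utf-8; charset="utf-7"'
    print("naive check passes: ", naive_charset_check(crafted))       # True  -> bypass
    print("backend decodes as: ", backend_effective_charset(crafted)) # utf-7
    print("strict check passes:", strict_charset_check(crafted))      # False
```

The same shape of check applies to the Accept header "charset" parameter behind CVE-2022-39957: what matters is that every occurrence of the parameter is examined, and that a header the WAF cannot decode unambiguously is rejected rather than passed through.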

CVE-2022-39956

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass for HTTP multipart requests by submitting a payload that uses a
character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be 
decoded
and inspected by the web application firewall engine and the rule set. The
multipart payload will therefore bypass detection. A vulnerable backend that
supports these encoding schemes can potentially be exploited. The legacy CRS
versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2
and 3.3.3 respectively. The mitigation against these vulnerabilities 
depends on
the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVE-2022-39957

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass. A client can issue an HTTP Accept header field containing an optional
"charset" parameter in order to receive the response in an encoded form.
Depending on the "charset", this response can not be decoded by the web
application firewall. A restricted resource, access to which would ordinarily
be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and
3.1.x are affected, as well as the currently supported versions 3.2.1 and
3.3.2. Int

[SECURITY] [DLA 3283-1] modsecurity-apache security update

2023-01-26 Thread Tobias Frost
-
Debian LTS Advisory DLA-3283-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
January 26, 2023                                https://wiki.debian.org/LTS
-

Package: modsecurity-apache
Version: 2.9.3-1+deb10u2
CVE ID : CVE-2022-48279 CVE-2023-24021
Debian Bug : 1029329

Multiple issues were found in modsecurity-apache, an open source,
cross-platform web application firewall (WAF) engine for Apache, which
may allow remote attackers to bypass the web application firewall or
have other unspecified impact.

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart
requests were incorrectly parsed and could bypass the Web Application
Firewall.
NOTE: this is related to CVE-2022-39956 but can be considered
independent changes to the ModSecurity(C language) codebase.

CVE-2023-24021

Incorrect handling of null bytes in file uploads in ModSecurity
before 2.9.7 may allow for Web Application Firewall bypasses and
buffer overflows on the Web Application Firewall when executing
rules reading the FILES_TMP_CONTENT collection.

For Debian 10 buster, these problems have been fixed in version
2.9.3-1+deb10u2.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-apache

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3280-1] libde265 security update

2023-01-24 Thread Tobias Frost
-
Debian LTS Advisory DLA-3280-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
January 24, 2023                                https://wiki.debian.org/LTS
-

Package: libde265
Version: 1.0.3-1+deb10u2
CVE ID : CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2022-43235 
 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 
 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 
 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 
 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655
Debian Bug : 1025816 1027179 1029357 1029397

Multiple issues were found in libde265, an open source implementation
of the H.265 video codec, which may result in denial of service or have
unspecified other impact.


CVE-2020-21596

libde265 v1.0.4 contains a global buffer overflow in the
decode_CABAC_bit function, which can be exploited via a crafted
file.

CVE-2020-21597

libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma
function, which can be exploited via a crafted file.

CVE-2020-21598

libde265 v1.0.4 contains a heap buffer overflow in the
ff_hevc_put_unweighted_pred_8_sse function, which can be exploited
via a crafted file.

CVE-2022-43235

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted video file.

CVE-2022-43236

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
vulnerability via put_qpel_fallback in
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted video file.

CVE-2022-43237

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
vulnerability via put_epel_hv_fallback in
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted video file.

CVE-2022-43238

Libde265 v1.0.8 was discovered to contain an unknown crash via
ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted video file.

CVE-2022-43239

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via mc_chroma in motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted video file.

CVE-2022-43240

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted video file.

CVE-2022-43241

Libde265 v1.0.8 was discovered to contain an unknown crash via
ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43242

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via mc_luma in motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted video file.

CVE-2022-43243

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted video file.

CVE-2022-43244

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_qpel_fallback in
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted video file.

CVE-2022-43245

Libde265 v1.0.8 was discovered to contain a segmentation violation
via apply_sao_internal in sao.cc. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43248

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_weighted_pred_avg_16_fallback in
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted video file.

CVE-2022-43249

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_epel_hv_fallback in
fallback-motion.cc.  This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted video file.

CVE-2022-43250

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc.
This vulnerability allows attackers

[SECURITY] [DLA 3269-1] libapreq2 security update

2023-01-14 Thread Tobias Frost
-
Debian LTS Advisory DLA-3269-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
January 14, 2023                                https://wiki.debian.org/LTS
-

Package: libapreq2
Version: 2.13-7~deb10u2
CVE ID : CVE-2022-22728
Debian Bug : 1018191

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
buffer overflow while processing multipart form uploads. A remote
attacker could send a request causing a process crash which could lead
to a denial of service attack.

For Debian 10 buster, this problem has been fixed in version
2.13-7~deb10u2.

We recommend that you upgrade your libapreq2 packages.

For the detailed security status of libapreq2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapreq2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3250-1] multipath-tools security update

2022-12-29 Thread Tobias Frost
-
Debian LTS Advisory DLA-3250-1                  debian-...@lists.debian.org
https://www.debian.org/lts/security/            Tobias Frost
December 29, 2022                               https://wiki.debian.org/LTS
-

Package: multipath-tools
Version: 0.7.9-3+deb10u2
CVE ID : CVE-2022-41973 CVE-2022-41974
Debian Bug : 1022742

Multiple issues were found in multipath-tools, a tool-chain to manage disk
multipath device maps, which may be used by local attackers to obtain root
privileges or to create directories or overwrite files via symlink attacks.

Please note that the fix for CVE-2022-41973 involves switching from
/dev/shm to systemd-tmpfiles (/run/multipath-tools).
If you have previously accessed /dev/shm directly, please update your
setup to the new path to accommodate this change.


CVE-2022-41973

multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to
obtain root access, as exploited in conjunction with CVE-2022-41974.
Local users able to access /dev/shm can change symlinks in multipathd
due to incorrect symlink handling, which could lead to controlled file
writes outside of the /dev/shm directory. This could be used indirectly
for local privilege escalation to root.

CVE-2022-41974

multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to
obtain root access, as exploited alone or in conjunction with
CVE-2022-41973. Local users able to write to UNIX domain sockets can
bypass access controls and manipulate the multipath setup. This can lead
to local privilege escalation to root. This occurs because an attacker
can repeat a keyword, which is mishandled because arithmetic ADD is used
instead of bitwise OR.
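The last sentence of the CVE-2022-41974 description is the whole bug: when each keyword owns one bit and a command's identity is the combination of its keywords, ADD lets a keyword repeated n times carry over into a bit that belongs to an unrelated command, whereas OR is idempotent. The added example below is a toy model written for this illustration (its keyword table, handler table and the rule that non-root callers may only issue commands starting with "list" are assumptions, not multipathd's real tables or authorisation code), showing the same command line dispatched both ways:

```python
# Added example: why combining keyword codes with arithmetic ADD instead of bitwise
# OR lets a repeated keyword masquerade as a different command. KEYWORDS, HANDLERS
# and UNPRIVILEGED_FIRST_WORDS are a toy model for this illustration, not
# multipathd's real tables or its authorisation logic.
from typing import Callable, List

# Each keyword owns one bit, so a command's fingerprint is the OR of its keywords.
KEYWORDS = {"list": 1 << 0, "paths": 1 << 1, "reconfigure": 1 << 2}

HANDLERS = {
    KEYWORDS["list"] | KEYWORDS["paths"]: "list_paths",   # harmless read-only command
    KEYWORDS["reconfigure"]: "reconfigure",               # privileged command
}

# Authorisation rule of the toy model: unprivileged callers may only issue "list ..." commands.
UNPRIVILEGED_FIRST_WORDS = {"list"}


def fingerprint(words: List[str], combine: Callable[[int, int], int]) -> int:
    fp = 0
    for w in words:
        fp = combine(fp, KEYWORDS[w])
    return fp


def dispatch(cmdline: str, is_root: bool, combine: Callable[[int, int], int]) -> str:
    words = cmdline.split()
    if not words or any(w not in KEYWORDS for w in words):
        return "error: unknown keyword"
    # Authorisation looks only at the leading keyword ...
    if not is_root and words[0] not in UNPRIVILEGED_FIRST_WORDS:
        return "error: permission denied"
    # ... but the handler is chosen by the combined fingerprint.
    handler = HANDLERS.get(fingerprint(words, combine))
    if handler is None:
        return "error: unknown command"
    return f"ran {handler}"


def vulnerable_dispatch(cmdline: str, is_root: bool) -> str:
    """ADD: 'list' repeated four times sums to 4, the fingerprint of 'reconfigure'."""
    return dispatch(cmdline, is_root, lambda acc, code: acc + code)


def fixed_dispatch(cmdline: str, is_root: bool) -> str:
    """OR: repeating a keyword is idempotent, so no other command's bit can be forged."""
    return dispatch(cmdline, is_root, lambda acc, code: acc | code)


if __name__ == "__main__":
    for fn in (vulnerable_dispatch, fixed_dispatch):
        print(f"{fn.__name__}: {fn('list list list list', is_root=False)}")
```

Switching to OR closes the forgery, but a parser that resolves commands by fingerprint should also refuse a command line in which a keyword appears more than once; there is no legitimate reason for one, and rejecting it removes the ambiguity instead of merely making it harmless.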

For Debian 10 buster, these problems have been fixed in version
0.7.9-3+deb10u2.

We recommend that you upgrade your multipath-tools packages.

For the detailed security status of multipath-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/multipath-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


[SECURITY] [DLA 3240-1] libde265 security update

2022-12-15 Thread Tobias Frost
------------------------------------------------------------------------
Debian LTS Advisory DLA-3240-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Tobias Frost
December 15, 2022                             https://wiki.debian.org/LTS
------------------------------------------------------------------------

Package: libde265
Version: 1.0.3-1+deb10u1
CVE ID : CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409
 CVE-2021-36410 CVE-2021-36411
Debian Bug : 1014977

Multiple issues were found in libde265, an open source implementation of the
H.265 video codec, which may result in denial of service or have unspecified
other impact.


CVE-2020-21599

libde265 v1.0.4 contains a heap buffer overflow in the
de265_image::available_zscan function, which can be exploited via a crafted
file.

CVE-2021-35452

An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to
a SEGV in slice.cc.

CVE-2021-36408

libde265 v1.0.8 contains a heap use-after-free in intrapred.h when decoding
a file using dec265.

CVE-2021-36409

There is an assertion failure `scaling_list_pred_matrix_id_delta==1' at
sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows attackers
to cause a denial of service (DoS) by running the application with a crafted
file or possibly have unspecified other impact.

CVE-2021-36410

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in
function put_epel_hv_fallback when running program dec265.

CVE-2021-36411

An issue has been found in libde265 v1.0.8 due to incorrect access control.
A SEGV caused by a READ memory access in function derive_boundaryStrength of
deblock.cc has occurred. The vulnerability causes a segmentation fault and
application crash, which leads to remote denial of service.

For Debian 10 buster, these problems have been fixed in version
1.0.3-1+deb10u1.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3238-1] pngcheck security update

2022-12-13 Thread Tobias Frost
------------------------------------------------------------------------
Debian LTS Advisory DLA-3238-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Tobias Frost
December 13, 2022                             https://wiki.debian.org/LTS
------------------------------------------------------------------------

Package: pngcheck
Version: 3.0.3-1~deb10u2
CVE ID : CVE-2020-35511
Debian Bugs: 1021278

Multiple security issues were discovered in pngcheck, a tool to verify the
integrity of PNG, JNG and MNG files, which could potentially result
in the execution of arbitrary code.

CVE-2020-35511

A global buffer overflow was discovered in the pngcheck function in
pngcheck-2.4.0 (5 patches applied) via a crafted PNG file.


For Debian 10 buster, these problems have been fixed in version
3.0.3-1~deb10u2.

We recommend that you upgrade your pngcheck packages.

For the detailed security status of pngcheck please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/pngcheck

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3232-1] virglrenderer security update

2022-12-07 Thread Tobias Frost
------------------------------------------------------------------------
Debian LTS Advisory DLA-3232-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Tobias Frost
December 07, 2022                             https://wiki.debian.org/LTS
------------------------------------------------------------------------

Package: virglrenderer
Version: 0.7.0-2+deb10u1
CVE ID : CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391
 CVE-2020-8002 CVE-2020-8003 CVE-2022-0135
Debian Bug : 946942 949954 1009073

Several security vulnerabilities were discovered in virglrenderer, a virtual
GPU for KVM virtualization.

CVE-2019-18388

A NULL pointer dereference in vrend_renderer.c in virglrenderer through
0.8.0 allows guest OS users to cause a denial of service via malformed
commands.

CVE-2019-18389

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov
function in vrend_renderer.c in virglrenderer through 0.8.0 allows
guest OS users to cause a denial of service, or QEMU guest-to-host
escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE
commands.

CVE-2019-18390

An out-of-bounds read in the vrend_blit_need_swizzle function in
vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS
users to cause a denial of service via VIRGL_CCMD_BLIT commands.

CVE-2019-18391

A heap-based buffer overflow in the vrend_renderer_transfer_write_iov
function in vrend_renderer.c in virglrenderer through 0.8.0 allows
guest OS users to cause a denial of service via
VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

CVE-2020-8002

A NULL pointer dereference in vrend_renderer.c in virglrenderer through
0.8.1 allows attackers to cause a denial of service via commands that
attempt to launch a grid without previously providing a Compute Shader (CS).

CVE-2020-8003

A double-free vulnerability in vrend_renderer.c in virglrenderer through
0.8.1 allows attackers to cause a denial of service by triggering texture
allocation failure, because vrend_renderer_resource_allocated_texture is
not an appropriate place for a free.

CVE-2022-0135

An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer
(virglrenderer). This flaw allows a malicious guest to create a specially
crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading
to a denial of service or possible code execution.

For Debian 10 buster, these problems have been fixed in version
0.7.0-2+deb10u1.

We recommend that you upgrade your virglrenderer packages.

For the detailed security status of virglrenderer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/virglrenderer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3176-1] clickhouse security update

2022-11-04 Thread Tobias Frost
------------------------------------------------------------------------
Debian LTS Advisory DLA-3176-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Tobias Frost
November 03, 2022                             https://wiki.debian.org/LTS
------------------------------------------------------------------------

Package: clickhouse
Version: 18.16.1+ds-4+deb10u1
CVE ID : CVE-2021-42387 CVE-2021-42388 CVE-2021-43304 CVE-2021-43305
Debian Bug : 1008216

Several security vulnerabilities were discovered in clickhouse, a
column-oriented database system.

The vulnerabilities require authentication, but can be triggered by any user
with read permissions. This means the attacker must perform reconnaissance on
the specific ClickHouse server target to obtain valid credentials. Any set of
credentials would do, since even a user with the lowest privileges can trigger
all of the vulnerabilities. By triggering the vulnerabilities, an attacker can
crash the ClickHouse server, leak memory contents or even cause remote code
execution.

CVE-2021-42387:
  Heap out-of-bounds read in Clickhouse's LZ4 compression codec when
  parsing a malicious query. As part of the LZ4::decompressImpl() loop,
  a 16-bit unsigned user-supplied value ('offset') is read from the
  compressed data. The offset is later used in the length of a copy
  operation, without checking the upper bounds of the source of the copy
  operation.


CVE-2021-42388:
  Heap out-of-bounds read in Clickhouse's LZ4 compression codec when
  parsing a malicious query. As part of the LZ4::decompressImpl() loop,
  a 16-bit unsigned user-supplied value ('offset') is read from the
  compressed data. The offset is later used in the length of a copy
  operation, without checking the lower bounds of the source of the copy
  operation.


CVE-2021-43304:
  Heap buffer overflow in Clickhouse's LZ4 compression codec when
  parsing a malicious query. There is no verification that the copy
  operations in the LZ4::decompressImpl loop and especially the
  arbitrary copy operation wildCopy<copy_amount>(op, ip,
  copy_end), don't exceed the destination buffer's
  limits.

CVE-2021-43305:
  Heap buffer overflow in Clickhouse's LZ4 compression codec when
  parsing a malicious query. There is no verification that the copy
  operations in the LZ4::decompressImpl loop and especially the
  arbitrary copy operation wildCopy<copy_amount>(op, ip,
  copy_end), don't exceed the destination buffer's
  limits. This issue is very similar to CVE-2021-43304, but the
  vulnerable copy operation is in a different wildCopy call.
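The missing bounds checks named in the four ClickHouse CVEs above, shown on a constructed LZ4-style match copy (an added example, not ClickHouse's or LZ4's own code; the function names, buffer layout and sample data are constructed, and which check is tied to which CVE is this example's reading of the advisory text):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returned when a match is rejected. */
#define LZ4_COPY_ERR ((size_t)-1)

/* Checked LZ4-style match copy (constructed example). `out` has capacity
 * `out_cap` and already holds `op_pos` decoded bytes. A match copies `len`
 * bytes that start `offset` bytes behind the write position; source and
 * destination may overlap, which is why the copy is byte by byte.
 * Returns the new write position, or LZ4_COPY_ERR if the match is invalid. */
size_t lz4_match_copy(uint8_t *out, size_t out_cap, size_t op_pos,
                      uint16_t offset, size_t len)
{
    /* Source lower bound: the match may not start before the first decoded
     * byte (the check the advisory says is missing in CVE-2021-42388). */
    if (offset == 0 || offset > op_pos)
        return LZ4_COPY_ERR;
    /* Destination upper bound: the copy may not run past the output buffer
     * (the check missing in CVE-2021-43304/43305). Because the source trails
     * the destination by `offset`, this also keeps the source read in bounds
     * (the source upper bound the advisory names for CVE-2021-42387). */
    if (len > out_cap - op_pos)
        return LZ4_COPY_ERR;

    uint8_t *op = out + op_pos;
    const uint8_t *ip = op - offset;
    for (size_t i = 0; i < len; i++)
        op[i] = ip[i];
    return op_pos + len;
}

/* Worked case: decoded prefix "abcd", then a 6-byte match at offset 2, an
 * overlapping run that expands to "cdcdcd". Returns the new position. */
size_t lz4_demo(uint8_t *out, size_t out_cap)
{
    if (out_cap < 4)
        return LZ4_COPY_ERR;
    memcpy(out, "abcd", 4);
    return lz4_match_copy(out, out_cap, 4, 2, 6);
}

int main(void)
{
    uint8_t buf[16];
    size_t n = lz4_demo(buf, sizeof buf);
    if (n != LZ4_COPY_ERR)
        printf("decoded %zu bytes: %.*s\n", n, (int)n, (const char *)buf);
    return 0;
}
```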

For Debian 10 buster, these problems have been fixed in version
18.16.1+ds-4+deb10u1.

We recommend that you upgrade your clickhouse packages.

For the detailed security status of clickhouse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clickhouse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

