[SECURITY] [DLA 3808-1] intel-microcode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3808-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
May 04, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : intel-microcode
Version        : 3.20240312.1~deb10u1
CVE ID         : CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368
                 CVE-2023-43490
Debian Bug     : 1066108

Intel has released microcode updates, addressing several vulnerabilities.

CVE-2023-22655

    Protection mechanism failure in some 3rd and 4th Generation Intel(R)
    Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a
    privileged user to potentially enable escalation of privilege via local
    access.

CVE-2023-28746

    Information exposure through microarchitectural state after transient
    execution from some register files for some Intel(R) Atom(R) Processors
    may allow an authenticated user to potentially enable information
    disclosure via local access.

CVE-2023-38575

    Non-transparent sharing of return predictor targets between contexts in
    some Intel(R) Processors may allow an authorized user to potentially
    enable information disclosure via local access.

CVE-2023-39368

    Protection mechanism failure of bus lock regulator for some Intel(R)
    Processors may allow an unauthenticated user to potentially enable
    denial of service via network access.

CVE-2023-43490

    Incorrect calculation in microcode keying mechanism for some Intel(R)
    Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to
    potentially enable information disclosure via local access.

For Debian 10 buster, these problems have been fixed in version
3.20240312.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3797-1] frr security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3797-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 28, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : frr
Version        : 7.5.1-1.1+deb10u2
CVE ID         : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128
                 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407
                 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
                 CVE-2024-31948 CVE-2024-31949
Debian Bug     : 1008010 1016978 1055852

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packets to trigger buffer
overflows with the possibility to gain remote code execution, buffer
overreads, crashes, or trick the software into entering an infinite loop.

CVE-2022-26125

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    the use of strdup with a non-zero-terminated binary string in
    isis_nb_notifications.c.

CVE-2022-26127

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a missing check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26128

    A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
    a wrong check on the input packet length in the babel_packet_examin
    function in babeld/message.c.

CVE-2022-26129

    Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
    wrong checks on the subtlv length in the functions parse_hello_subtlv,
    parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

    bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
    length of zero, aka a "flowspec overflow."

CVE-2023-38407

    bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
    the end of the stream during labeled unicast parsing.

CVE-2023-46752

    An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
    malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur for a crafted BGP UPDATE message without mandatory attributes,
    e.g., one with only an unknown transit attribute.

CVE-2023-47234

    An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
    bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
    there is a possible use-after-free due to a race condition. This could
    lead to Remote Code Execution or Information Disclosure by sending
    crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

    An issue was discovered in FRRouting FRR through 9.0.1. A crash can
    occur when a malformed BGP UPDATE message with an EOR is processed,
    because the presence of EOR does not lead to a treat-as-withdraw
    outcome.

CVE-2024-31948

    In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix
    SID attribute in a BGP UPDATE packet can cause the bgpd daemon to
    crash.

CVE-2024-31949

    In FRRouting (FRR) through 9.1, an infinite loop can occur when
    receiving a MP/GR capability as a dynamic capability because malformed
    data results in a pointer not advancing.

For Debian 10 buster, these problems have been fixed in version
7.5.1-1.1+deb10u2.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3783-1] expat security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3783-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
April 07, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : expat
Version        : 2.2.6-2+deb10u7
CVE ID         : CVE-2023-52425
Debian Bug     : 1063238

Expat, an XML parsing C library, has been found to have a vulnerability
that allows an attacker to perform a denial of service (resource
consumption) when many full reparsings are required in the case of a
large token. When parsing a really big token that requires multiple
buffer fills to complete, expat has to re-parse the token from the start
multiple times, which takes time.

These patches introduce a heuristic that, having failed on the same
token multiple times, defers further parsing until significantly more
data is available. The patch also introduces an optional API,
XML_SetReparseDeferralEnabled(), to disable the new heuristic.

For Debian 10 buster, this problem has been fixed in version
2.2.6-2+deb10u7.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3757-1] nss security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3757-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
March 10, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nss
Version        : 2:3.42.1-1+deb10u8
CVE ID         : CVE-2023-5388 CVE-2024-0743
Debian Bug     : 1056284

Multiple vulnerabilities were found in nss, a set of libraries designed
to support cross-platform development of security-enabled client and
server applications.

CVE-2023-5388

    Timing attack against RSA decryption in TLS. This vulnerability has
    been named The Marvin Attack.

CVE-2024-0743

    An unchecked return value in TLS handshake code could have caused a
    potentially exploitable crash.

For Debian 10 buster, these problems have been fixed in version
2:3.42.1-1+deb10u8.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3734-1] openvswitch security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3734-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
February 17, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openvswitch
Version        : 2.10.7+ds1-0+deb10u5
CVE ID         : CVE-2023-5366
Debian Bug     :

A flaw was found in Open vSwitch that allows ICMPv6 Neighbor
Advertisement packets between virtual machines to bypass OpenFlow rules.
This issue may allow a local attacker to create specially crafted packets
with a modified or spoofed target IP address field that can redirect
ICMPv6 traffic to arbitrary IP addresses.

For Debian 10 buster, this problem has been fixed in version
2.10.7+ds1-0+deb10u5.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3717-1] zabbix security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3717-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
January 24, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u4
CVE ID         : CVE-2023-32721 CVE-2023-32723 CVE-2023-32726
Debian Bug     : 1053877

Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially allowing an attacker to perform
a stored XSS, Server-Side Request Forgery (SSRF), exposure of sensitive
information, a system crash, or arbitrary code execution.

CVE-2023-32721

    A stored XSS has been found in the Zabbix web application in the Maps
    element if a URL field is set with spaces before the URL.

CVE-2023-32723

    Inefficient user permission check, as the request to LDAP is sent
    before user permissions are checked.

CVE-2023-32726

    Possible buffer overread from reading DNS responses.

For Debian 10 buster, these problems have been fixed in version
1:4.0.4+dfsg-1+deb10u4.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3693-1] osslsigncode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3693-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 23, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : osslsigncode
Version        : 2.0+really2.5-4+deb10u1
CVE ID         : CVE-2023-36377
Debian Bug     : 1035875

A buffer overflow vulnerability has been found in osslsigncode, an
OpenSSL-based Authenticode signing tool for PE/MSI/Java CAB files, which
possibly allows a malicious attacker to execute arbitrary code when
signing a crafted file.

For Debian 10 buster, this problem has been fixed in version
2.0+really2.5-4+deb10u1.

We recommend that you upgrade your osslsigncode packages.

For the detailed security status of osslsigncode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/osslsigncode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3690-1] intel-microcode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3690-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 16, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : intel-microcode
Version        : 3.20231114.1~deb10u1
CVE ID         : CVE-2023-23583
Debian Bug     : 1055962

Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa
Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi,
Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela,
Doug Kwan, and Kostik Shtoyk discovered that some Intel processors
mishandle repeated sequences of instructions leading to unexpected
behavior, which may result in privilege escalation, information
disclosure or denial of service.

For Debian 10 buster, this problem has been fixed in version
3.20231114.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3681-1] amanda security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3681-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 03, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : amanda
Version        : 1:3.5.1-2+deb10u2
CVE ID         : CVE-2022-37703 CVE-2022-37705 CVE-2023-30577
Debian Bug     : 1021017 1029829 1055253

Multiple vulnerabilities have been found in Amanda, a backup system
designed to archive many computers on a network to a single
large-capacity tape drive. The vulnerabilities potentially allow local
privilege escalation from the backup user to root, or leak whether a
directory exists in the filesystem.

CVE-2022-37703

    In Amanda 3.5.1, an information leak vulnerability was found in the
    calcsize SUID binary. An attacker can abuse this vulnerability to
    know if a directory exists or not anywhere in the fs. The binary will
    use `opendir()` as root directly without checking the path, letting
    the attacker provide an arbitrary path.

CVE-2022-37705

    A privilege escalation flaw was found in Amanda 3.5.1 in which the
    backup user can acquire root privileges. The vulnerable component is
    the runtar SUID program, which is a wrapper to run /usr/bin/tar with
    specific arguments that are controllable by the attacker. This
    program mishandles the arguments passed to the tar binary.

CVE-2023-30577

    The SUID binary "runtar" can accept possibly malicious GNU tar
    options if fed with some non-argument option starting with
    "--exclude" (say --exclude-vcs). The following option will be
    accepted as "good" and it could be an option passing some
    script/binary that would be executed with root permissions.

For Debian 10 buster, these problems have been fixed in version
1:3.5.1-2+deb10u2.

We recommend that you upgrade your amanda packages.

For the detailed security status of amanda please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amanda

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3680-1] opendkim security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3680-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
December 03, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : opendkim
Version        : 2.11.0~alpha-12+deb10u1
CVE ID         : CVE-2022-48521
Debian Bug     : 1041107

An issue (CVE-2022-48521) was discovered in OpenDKIM through 2.10.3, and
2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers
when removing fake Authentication-Results header fields, which allows a
remote attacker to craft an e-mail message with a fake sender address
such that programs that rely on Authentication-Results from OpenDKIM
will treat the message as having a valid DKIM signature when in fact it
has none.

For Debian 10 buster, this problem has been fixed in version
2.11.0~alpha-12+deb10u1.

We recommend that you upgrade your opendkim packages.

For the detailed security status of opendkim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opendkim

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3655-1] lwip security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3655-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
November 18, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : lwip
Version        : 2.0.3-3+deb10u2
CVE ID         : CVE-2020-22283
Debian Bug     : 991646

A buffer overflow vulnerability has been found in lwip, a small
independent implementation of the TCP/IPv4/IPv6 protocol suite, which
allows an attacker to access information via a crafted ICMPv6 packet.
This vulnerability has been assigned CVE-2020-22283.

For Debian 10 buster, this problem has been fixed in version
2.0.3-3+deb10u2.

We recommend that you upgrade your lwip packages.

For the detailed security status of lwip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lwip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3654-1] freerdp2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3654-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
November 17, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : freerdp2
Version        : 2.3.0+dfsg1-2+deb10u4
CVE ID         : CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283
                 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347
                 CVE-2022-41877
Debian Bug     : 1001062 1021659

Multiple vulnerabilities have been found in freerdp2, a free
implementation of the Remote Desktop Protocol (RDP). The vulnerabilities
potentially allow authentication bypasses on configuration errors,
buffer overreads, DoS vectors, buffer overflows or accessing files
outside of a shared directory.

CVE-2021-41160

    In affected versions a malicious server might trigger out of bound
    writes in a connected client. Connections using GDI or
    SurfaceCommands to send graphics updates to the client might send `0`
    width/height or out of bound rectangles to trigger out of bound
    writes. With `0` width or height the memory allocation will be `0`
    but the missing bounds checks allow writing to the pointer at this
    (not allocated) region.

CVE-2022-24883

    Prior to version 2.7.0, server side authentication against a `SAM`
    file might be successful for invalid credentials if the server has
    configured an invalid `SAM` file path. FreeRDP based clients are not
    affected. RDP server implementations using FreeRDP to authenticate
    against a `SAM` file are affected. Version 2.7.0 contains a fix for
    this issue. As a workaround, use custom authentication via
    `HashCallback` and/or ensure the `SAM` database path configured is
    valid and the application has file handles left.

CVE-2022-39282

    FreeRDP based clients on unix systems using the `/parallel` command
    line switch might read uninitialized data and send it to the server
    the client is currently connected to. FreeRDP based server
    implementations are not affected.

CVE-2022-39283

    All FreeRDP based clients when using the `/video` command line switch
    might read uninitialized data, decode it as audio/video and display
    the result. FreeRDP based server implementations are not affected.

CVE-2022-39316

    In affected versions there is an out of bound read in the ZGFX
    decoder component of FreeRDP. A malicious server can trick a FreeRDP
    based client to read out of bound data and try to decode it, likely
    resulting in a crash.

CVE-2022-39318

    Affected versions of FreeRDP are missing input validation in the
    `urbdrc` channel. A malicious server can trick a FreeRDP based client
    to crash with division by zero.

CVE-2022-39319

    Affected versions of FreeRDP are missing input length validation in
    the `urbdrc` channel. A malicious server can trick a FreeRDP based
    client to read out of bound data and send it back to the server.

CVE-2022-39347

    Affected versions of FreeRDP are missing path canonicalization and a
    base path check for the `drive` channel. A malicious server can trick
    a FreeRDP based client to read files outside the shared directory.

CVE-2022-41877

    Affected versions of FreeRDP are missing input length validation in
    the `drive` channel. A malicious server can trick a FreeRDP based
    client to read out of bound data and send it back to the server.

For Debian 10 buster, these problems have been fixed in version
2.3.0+dfsg1-2+deb10u4.

We recommend that you upgrade your freerdp2 packages.

For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3538-2] zabbix regression update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3538-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 21, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u3
CVE ID         :
Debian Bug     : 1051300

The last update required an update to the database schema, but as zabbix
does not support upgrading the database schema if SQLite3 is used, using
zabbix-proxy-sqlite3 requires the user to drop the database and recreate
it with a supplied SQL template file. However, this template file had
not been updated in the previous upload, making this recreation
difficult without knowing the details.

Please read /usr/share/doc/zabbix-proxy-sqlite3/README.Debian for
instructions on how to create the database file.

Note: All other database backends will automatically update the schema.

For Debian 10 buster, this problem has been fixed in version
1:4.0.4+dfsg-1+deb10u3.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3608-1] vinagre update for DLA-3606-1
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3608-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 07, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : vinagre
Version        : 3.22.0-6+deb10u1
CVE ID         :
Debian Bug     : 983533

It has been found that the update of freerdp2 (see DLA-3606-1) exposed a
bug in vinagre, which causes crashes and breaks RDP connections with the
symptoms of hangs and black screens.

Note: sha256 is now used instead of sha1 to fingerprint certificates.
This will invalidate all hosts in the FreeRDP known_hosts2 file,
$HOME/.config/freerdp/known_hosts2. In case of problems with the
connection, try removing that file.

For Debian 10 buster, this problem has been fixed in version
3.22.0-6+deb10u1.

We recommend that you upgrade your vinagre packages.

For the detailed security status of vinagre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vinagre

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3607-1] gnome-boxes update for DLA-3606-1
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3607-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 07, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gnome-boxes
Version        : 3.30.3-2+deb10u1
CVE ID         :
Debian Bug     :

It has been found that the update of freerdp2 (see DLA-3606-1) exposed a
bug in gnome-boxes, which breaks RDP connections with the symptoms of
hangs and black screens.

Note: sha256 is now used instead of sha1 to fingerprint certificates.
This will invalidate all hosts in the FreeRDP known_hosts2 file,
$HOME/.config/freerdp/known_hosts2. In case of problems with the
connection, try removing that file.

For Debian 10 buster, this problem has been fixed in version
3.30.3-2+deb10u1.

We recommend that you upgrade your gnome-boxes packages.

For the detailed security status of gnome-boxes please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnome-boxes

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3606-1] freerdp2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3606-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
October 07, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : freerdp2
Version        : 2.3.0+dfsg1-2+deb10u3
CVE ID         : CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033
                 CVE-2020-11017 CVE-2020-11018 CVE-2020-11019 CVE-2020-11038
                 CVE-2020-11039 CVE-2020-11040 CVE-2020-11041 CVE-2020-11042
                 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 CVE-2020-11046
                 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058
                 CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088
                 CVE-2020-11089 CVE-2020-11095 CVE-2020-11096 CVE-2020-11097
                 CVE-2020-11098 CVE-2020-11099 CVE-2020-13396 CVE-2020-13397
                 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 CVE-2023-39351
                 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355
                 CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186
                 CVE-2023-40188 CVE-2023-40569 CVE-2023-40589
Debian Bug     : 965979 1051638

Multiple vulnerabilities have been found in freerdp2, a free
implementation of the Remote Desktop Protocol (RDP). The vulnerabilities
potentially allow buffer overreads, buffer overflows, integer overflows,
use-after-free, and DoS vectors.

CVE-2020-4030

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    TrioParse. Logging might bypass string length checks due to an
    integer overflow. This is fixed in version 2.1.2.

CVE-2020-4031

    In FreeRDP before version 2.1.2, there is a use-after-free in
    gdi_SelectObject. All FreeRDP clients using compatibility mode with
    /relax-order-checks are affected. This is fixed in version 2.1.2.

CVE-2020-4032

    In FreeRDP before version 2.1.2, there is an integer casting
    vulnerability in update_recv_secondary_order. All clients with
    +glyph-cache /relax-order-checks are affected. This is fixed in
    version 2.1.2.

CVE-2020-4033

    In FreeRDP before version 2.1.2, there is an out of bounds read in
    RLEDECOMPRESS. All FreeRDP based clients with sessions with color
    depth < 32 are affected. This is fixed in version 2.1.2.

CVE-2020-11017

    In FreeRDP less than or equal to 2.0.0, by providing manipulated
    input a malicious client can create a double free condition and crash
    the server. This is fixed in version 2.1.0.

CVE-2020-11018

    In FreeRDP less than or equal to 2.0.0, a possible resource
    exhaustion vulnerability can be performed. Malicious clients could
    trigger out of bound reads causing memory allocation with random
    size. This has been fixed in 2.1.0.

CVE-2020-11019

    In FreeRDP less than or equal to 2.0.0, when running with logger set
    to "WLOG_TRACE", a possible crash of the application could occur due
    to a read of an invalid array index. Data could be printed as a
    string to the local terminal. This has been fixed in 2.1.0.

CVE-2020-11038

    In FreeRDP less than or equal to 2.0.0, an Integer Overflow to Buffer
    Overflow exists. When using /video redirection, a manipulated server
    can instruct the client to allocate a buffer with a smaller size than
    requested due to an integer overflow in size calculation. With later
    messages, the server can manipulate the client to write data out of
    bound to the previously allocated buffer. This has been patched in
    2.1.0.

CVE-2020-11039

    In FreeRDP less than or equal to 2.0.0, when using a manipulated
    server with USB redirection enabled (nearly) arbitrary memory can be
    read and written due to integer overflows in length checks. This has
    been patched in 2.1.0.

CVE-2020-11040

    In FreeRDP less than or equal to 2.0.0, there is an out-of-bound data
    read from memory in clear_decompress_subcode_rlex, visualized on
    screen as color. This has been patched in 2.1.0.

CVE-2020-11041

    In FreeRDP less than or equal to 2.0.0, an outside controlled array
    index is used unchecked for data used as configuration for the sound
    backend (alsa, oss, pulse, ...). The most likely outcome is a crash
    of the client instance followed by no or distorted sound or a session
    disconnect. If a user cannot upgrade to the patched version, a
    workaround is to disable sound for the session. This has been patched
    in 2.1.0.

CVE-2020-11042

    In FreeRDP greater than 1.1 and before 2.0.0, there is an
    out-of-bounds read in update_read_icon_info. It allows reading an
    attacker-defined amount of client memory (32bit unsigned -> 4GB) to
    an intermediate buffer. This can be used to crash the client or store
    information for
[SECURITY] [DLA 3596-1] firmware-nonfree security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3596-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
September 30, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : firmware-nonfree
Version        : 20190114+really20220913-0+deb10u2
CVE ID         : CVE-2022-27635 CVE-2022-36351 CVE-2022-38076 CVE-2022-40964
                 CVE-2022-46329
Debian Bug     : 1051892

Intel® released the INTEL-SA-00766 advisory about potential security
vulnerabilities in some Intel® PROSet/Wireless WiFi and Killer™ WiFi
products that may allow escalation of privilege or denial of service.
The full advisory is available at [1].

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html

This updated firmware-nonfree package includes the following firmware
files:

- Intel Bluetooth AX2xx series:
  ibt-0041-0041.sfi
  ibt-19-0-0.sfi
  ibt-19-0-1.sfi
  ibt-19-0-4.sfi
  ibt-19-16-4.sfi
  ibt-19-240-1.sfi
  ibt-19-240-4.sfi
  ibt-19-32-0.sfi
  ibt-19-32-1.sfi
  ibt-19-32-4.sfi
  ibt-20-0-3.sfi
  ibt-20-1-3.sfi
  ibt-20-1-4.sfi

- Intel Wireless 22000 series:
  iwlwifi-Qu-b0-hr-b0-77.ucode
  iwlwifi-Qu-b0-jf-b0-77.ucode
  iwlwifi-Qu-c0-hr-b0-77.ucode
  iwlwifi-Qu-c0-jf-b0-77.ucode
  iwlwifi-QuZ-a0-hr-b0-77.ucode
  iwlwifi-cc-a0-77.ucode

The updated firmware files might need an updated kernel to work. Users
are encouraged to verify whether the kernel loaded the updated firmware
file and to take additional measures if needed.

CVE-2022-27635

    Improper access control for some Intel(R) PROSet/Wireless WiFi and
    Killer(TM) WiFi software may allow a privileged user to potentially
    enable escalation of privilege via local access.

CVE-2022-36351

    Improper input validation in some Intel(R) PROSet/Wireless WiFi and
    Killer(TM) WiFi software may allow an unauthenticated user to
    potentially enable denial of service via adjacent access.

CVE-2022-38076

    Improper input validation in some Intel(R) PROSet/Wireless WiFi and
    Killer(TM) WiFi software may allow an authenticated user to
    potentially enable escalation of privilege via local access.

CVE-2022-40964

    Improper access control for some Intel(R) PROSet/Wireless WiFi and
    Killer(TM) WiFi software may allow a privileged user to potentially
    enable escalation of privilege via local access.

CVE-2022-46329

    Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi
    software may allow a privileged user to potentially enable escalation
    of privilege via local access.

For Debian 10 buster, these problems have been fixed in version
20190114+really20220913-0+deb10u2.

We recommend that you upgrade your firmware-nonfree packages.

For the detailed security status of firmware-nonfree please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firmware-nonfree

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3538-1] zabbix security update
Debian LTS Advisory DLA-3538-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
August 22, 2023    https://wiki.debian.org/LTS

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u2
CVE ID         : CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457
Debian Bug     : 1026847

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing a crash of the server, information disclosure or Cross-Site-Scripting attacks.

Important Notices:

To mitigate CVE-2019-17382, on existing installations, the guest account needs to be manually disabled, for example by disabling the "Guest group" in the UI:

    Administration -> User groups -> Guests -> Untick Enabled

This update also fixes a regression with CVE-2022-35229, which broke the possibility to edit and add discovery rules in the UI.

CVE-2013-7484

    Zabbix before version 4.4.0alpha2 stores credentials in the "users" table with the password hash stored as a MD5 hash, which is a known insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed, not seen by upstream as a security issue)

    An issue was discovered in zabbix.php?action=dashboard.view=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin.

CVE-2022-35229

    An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVE-2022-43515

    Zabbix Frontend provides a feature that allows admins to maintain the installation and ensure that only certain IP addresses can access it. In this way, any user will not be able to access the Zabbix Frontend while it is being maintained and possible sensitive data will be prevented from being disclosed. An attacker can bypass this protection and access the instance using an IP address not listed in the defined range.

CVE-2023-29450

    JavaScript pre-processing can be used by the attacker to gain access to the file system (read-only access on behalf of user "zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading to unauthorized access to sensitive data.

CVE-2023-29451

    A specially crafted string can cause a buffer overrun in the JSON parser library leading to a crash of the Zabbix Server or a Zabbix Proxy.

CVE-2023-29454

    A stored or persistent cross-site scripting (XSS) vulnerability was found in the "Users" section in the "Media" tab in the "Send to" form field. When new media is created with malicious code included in the field "Send to", then it will execute when editing the same media.

CVE-2023-29455

    A reflected XSS attack, also known as a non-persistent attack, was found where an attacker can pass malicious code as a GET request to graph.php and the system will save it and will execute it when the current graph page is opened.

CVE-2023-29456

    URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards.

CVE-2023-29457

    A reflected XSS attack, also known as a non-persistent attack, was found where XSS session cookies could be revealed, enabling a perpetrator to impersonate valid users and abuse their private accounts.

For Debian 10 buster, these problems have been fixed in version 1:4.0.4+dfsg-1+deb10u2.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3501-1] renderdoc security update
Debian LTS Advisory DLA-3501-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
July 25, 2023    https://wiki.debian.org/LTS

Package        : renderdoc
Version        : 1.2+dfsg-2+deb10u1
CVE ID         : CVE-2023-33863 CVE-2023-33864 CVE-2023-33865
Debian Bug     : 1037208

Multiple security issues were discovered in renderdoc, a stand-alone graphics debugging tool, which potentially allow a remote attacker to execute arbitrary code.

CVE-2023-33863

    An integer overflow that results in a heap-based buffer overflow that might be exploitable by a remote attacker to execute arbitrary code on the machine that runs RenderDoc.

CVE-2023-33864

    An integer underflow that results in a heap-based buffer overflow that might be exploitable by a remote attacker to execute arbitrary code on the machine that runs RenderDoc.

CVE-2023-33865

    A symlink vulnerability that might be exploitable by an unprivileged local attacker to obtain the privileges of the user who runs RenderDoc.

For Debian 10 buster, these problems have been fixed in version 1.2+dfsg-2+deb10u1.

We recommend that you upgrade your renderdoc packages.

For the detailed security status of renderdoc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/renderdoc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3492-1] yajl security update
Debian LTS Advisory DLA-3492-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
July 11, 2023    https://wiki.debian.org/LTS

Package        : yajl
Version        : 2.1.0-3+deb10u2
CVE ID         : CVE-2017-16516 CVE-2022-24795 CVE-2023-33460
Debian Bug     : 1040036

Multiple vulnerabilities have been found in yajl, a JSON parser / small validating JSON generator written in ANSI C, which potentially can cause memory corruption or DoS.

CVE-2017-16516 had already been addressed in DLA-3478; however, the fix has been found to be incomplete, as it missed an additional memory leak. This update fixes that problem.

CVE-2017-16516

    When a crafted JSON file is supplied to yajl, the process might crash with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This potentially results in a denial of service.

CVE-2022-24795

    The 1.x branch and the 2.x branch of `yajl` contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.

CVE-2023-33460

    There's a memory leak in yajl 2.1.0 with use of the yajl_tree_parse function, which could potentially cause an out-of-memory condition on the server and a crash.

For Debian 10 buster, these problems have been fixed in version 2.1.0-3+deb10u2.

We recommend that you upgrade your yajl packages.

For the detailed security status of yajl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/yajl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3487-1] fusiondirectory security update and rebuild for php-cas
Debian LTS Advisory DLA-3487-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA, Tobias Frost
July 08, 2023    https://wiki.debian.org/LTS

Package        : fusiondirectory
Version        : 1.2.3-4+deb10u2
CVE ID         : CVE-2022-36179 CVE-2022-36180
Debian Bug     :

A potential Cross Site Scripting (XSS) vulnerability (CVE-2022-36180) and a session handling vulnerability (CVE-2022-36179) have been found in fusiondirectory, a Web Based LDAP Administration Program.

Additionally, fusiondirectory has been updated to address the API change in php-cas due to CVE-2022-39369, see DLA 3485-1 for details. Due to this, if CAS authentication is used, fusiondirectory will stop working until these steps are done:

- make sure to install the updated fusiondirectory-schema package for buster.

- update the fusiondirectory core schema in LDAP by running

    fusiondirectory-insert-schema -m

- switch to using the new php-cas API by running

    fusiondirectory-setup --set-config-CasLibraryBool=TRUE

- set the CAS ClientServiceName to the base URL of the fusiondirectory installation, for example:

    fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/"

For Debian 10 buster, these problems have been fixed in version 1.2.3-4+deb10u2.

We recommend that you upgrade your fusiondirectory packages.

For the detailed security status of fusiondirectory please refer to its security tracker page at: https://security-tracker.debian.org/tracker/fusiondirectory

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3486-1] ocsinventory-server update for php-cas
Debian LTS Advisory DLA-3486-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
July 08, 2023    https://wiki.debian.org/LTS

Package        : ocsinventory-server
Version        : 2.5+dfsg1-1+deb10u1
CVE ID         : n/a
Debian Bug     :

The source package ocsinventory-server, a hardware and software inventory tool, has been updated to address the API change in php-cas due to CVE-2022-39369, see DLA 3485-1 for details.

CAS is an optional authentication mechanism in the binary package ocsinventory-reports, and if used, ocsinventory-reports will stop working until it has been reconfigured: it now requires the base URL of the to-be-authenticated service to be configured. For ocsinventory-reports, this is configured with the variable $cas_service_base_url in the file /usr/share/ocsinventory-reports/backend/require/cas.config.php

Warning: regardless of this update, ocsreports-server should only be used in secure and trusted environments.

For Debian 10 buster, this update is available through version 2.5+dfsg1-1+deb10u1.

We recommend that you upgrade your ocsinventory-server packages.

For the detailed security status of ocsinventory-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ocsinventory-server

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3485-1] php-cas security update
Debian LTS Advisory DLA-3485-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
July 08, 2023    https://wiki.debian.org/LTS

Package        : php-cas
Version        : 1.3.6-1+deb10u1
CVE ID         : CVE-2022-39369
Debian Bug     : 1023571

A vulnerability has been found in phpCAS, a Central Authentication Service client library in php, which may allow an attacker to gain access to a victim's account on a vulnerable CASified service without the victim's knowledge, when the victim visits the attacker's website while being logged in to the same CAS server.

The fix for this vulnerability requires an API breaking change in php-cas and will require that software using the library be updated.

For buster, all packages in the Debian repositories which are using php-cas have been updated, though additional manual configuration is to be expected, as php-cas needs additional site information -- the service base URL -- for it to function. The DLAs for the respective packages will have additional information, as well as the package's NEWS files.

For 3rd party software using php-cas, please note that upstream provided the following instructions on how to update this software [1]:

phpCAS now requires an additional service base URL argument when constructing the client class. It accepts any argument of:

1. A service base URL string. The service URL discovery will always use this server name (protocol, hostname and port number) without using any external host names.

2. An array of service base URL strings. The service URL discovery will check against this list before using the auto discovered base URL. If there is no match, the first base URL in the array will be used as the default. This option is helpful if your PHP website is accessible through multiple domains without a canonical name, or through both HTTP and HTTPS.

3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to customize the base URL discovery behavior, you can pass in a class that implements the interface.

Constructing the client class is usually done with phpCAS::client(). For example, using the first possibility:

    phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);

could become:

    phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, "https://casified-service.example.org:8080");

Details of the vulnerability:

CVE-2022-39369

    The phpCAS library uses HTTP headers to determine the service URL used to validate tickets. This allows an attacker to control the host header and use a valid ticket granted for any authorized service in the same SSO realm (CAS server) to authenticate to the service protected by phpCAS. Depending on the settings of the CAS server service registry, in the worst case this may be any other service URL (if the allowed URLs are configured to "^(https)://.*") or may be strictly limited to known and authorized services in the same SSO federation if proper URL service validation is applied.

[1] https://github.com/apereo/phpCAS/blob/f3db27efd1f5020e71f2116f637a25cc9dbda1e3/docs/Upgrading#L1C1-L1C1

For Debian 10 buster, this problem has been fixed in version 1.3.6-1+deb10u1.

We recommend that you upgrade your php-cas packages.

For the detailed security status of php-cas please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php-cas

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
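The following added example (Python, not phpCAS code) models why the service base URL must now be configured: it contrasts the pre-fix discovery, where the request's Host header names the service the ticket is validated for, with upstream's option 2, where the request is matched against a configured list of base URLs and falls back to the first entry. A small in-memory stand-in plays the CAS server's ticket validation; all host names, tickets and user names are constructed.

```python
"""Service URL discovery before and after the CVE-2022-39369 fix, modelled in Python."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    """The parts of an incoming HTTP request that matter for service discovery."""
    scheme: str        # from the listener or a trusted proxy header
    host_header: str   # client-supplied Host header, possibly with :port
    path: str          # request path, e.g. "/login"


def header_derived_service_url(req: Request) -> str:
    """Pre-fix behaviour: the Host header names the service, so whoever controls
    that header controls which service URL the ticket is validated for."""
    return f"{req.scheme}://{req.host_header}{req.path}"


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def allowlisted_service_url(req: Request, base_urls: Sequence[str]) -> str:
    """Post-fix behaviour (upstream's option 2, as modelled here): match the request
    against the configured base URLs; without a match the FIRST entry is used, so a
    foreign Host header can never steer validation towards another service."""
    if not base_urls:
        raise ValueError("at least one service base URL must be configured")
    requested = f"{req.scheme}://{req.host_header}".lower()
    chosen = next((b for b in base_urls if _origin(b) == requested), base_urls[0])
    return chosen.rstrip("/") + req.path


class FakeCasServer:
    """Stand-in for the CAS server: a ticket validates only for the exact service
    URL it was issued for (what a strictly configured service registry enforces)."""

    def __init__(self, issued: Dict[str, Dict[str, str]]):
        self._issued = issued  # ticket -> {"service": url, "user": name}

    def service_validate(self, ticket: str, service: str) -> Optional[str]:
        entry = self._issued.get(ticket)
        if entry and entry["service"] == service:
            return entry["user"]
        return None


def login(req: Request, ticket: str, cas: FakeCasServer,
          base_urls: Optional[Sequence[str]] = None) -> Optional[str]:
    """Simulated phpCAS-protected application handling ?ticket=...: returns the user
    it would log in, or None. base_urls=None selects the pre-fix discovery."""
    if base_urls is None:
        service = header_derived_service_url(req)
    else:
        service = allowlisted_service_url(req, base_urls)
    return cas.service_validate(ticket, service)


# Constructed configuration: the application is reachable under two origins.
APP_BASE_URLS = ["https://casified-service.example.org:8080",
                 "http://casified-service.example.org"]

# Constructed tickets: ST-1 was issued for this application, ST-2 for a
# different service in the same SSO realm.
CAS = FakeCasServer({
    "ST-1": {"service": "https://casified-service.example.org:8080/login", "user": "alice"},
    "ST-2": {"service": "https://other-service.example.net/login", "user": "bob"},
})


def demo() -> Dict[str, Optional[str]]:
    """Run a request with the application's own Host header and one carrying a
    foreign Host header through both discovery strategies."""
    own = Request("https", "casified-service.example.org:8080", "/login")
    foreign = Request("https", "other-service.example.net", "/login")
    return {
        "own_host/old": login(own, "ST-1", CAS),
        "own_host/new": login(own, "ST-1", CAS, APP_BASE_URLS),
        # old logic: a ticket never issued for this application is accepted
        "foreign_host/old": login(foreign, "ST-2", CAS),
        # new logic: validated against the configured URL, so it is rejected
        "foreign_host/new": login(foreign, "ST-2", CAS, APP_BASE_URLS),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:17} -> {user or 'rejected'}")
```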
[SECURITY] [DLA 3478-1] yajl security update
Debian LTS Advisory DLA-3478-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
July 02, 2023    https://wiki.debian.org/LTS

Package        : yajl
Version        : 2.1.0-2+deb10u1
CVE ID         : CVE-2023-33460
Debian Bug     : 1039984

A memory leak has been found in yajl, a JSON parser / small validating JSON generator written in ANSI C, which might allow an attacker to cause an out of memory situation and potentially cause a crash.

For Debian 10 buster, this problem has been fixed in version 2.1.0-2+deb10u1.

We recommend that you upgrade your yajl packages.

For the detailed security status of yajl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/yajl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3437-1] libssh security update
Debian LTS Advisory DLA-3437-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
May 29, 2023    https://wiki.debian.org/LTS

Package        : libssh
Version        : 0.8.7-1+deb10u2
CVE ID         : CVE-2019-14889 CVE-2023-1667
Debian Bug     : 946548 1035832

Two security issues have been discovered in libssh, a tiny C SSH library, which may allow a remote authenticated user to cause a denial of service or inject arbitrary commands.

CVE-2019-14889

    A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence the third parameter of the function, it would become possible for an attacker to inject arbitrary commands, leading to a compromise of the remote target.

CVE-2023-1667

    A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.

For Debian 10 buster, these problems have been fixed in version 0.8.7-1+deb10u2.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libssh

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3431-1] sqlite security update
Debian LTS Advisory DLA-3431-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
May 22, 2023    https://wiki.debian.org/LTS

Package        : sqlite
Version        : 2.8.17-15+deb10u1
CVE ID         : CVE-2016-6153 CVE-2018-8740
Debian Bug     :

Two vulnerabilities have been fixed in sqlite (V2) which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact.

CVE-2016-6153

    sqlite improperly implemented the temporary directory search algorithm, which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact by leveraging use of the current working directory for temporary files.

CVE-2018-8740

    Databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference.

For Debian 10 buster, these problems have been fixed in version 2.8.17-15+deb10u1.

We recommend that you upgrade your sqlite packages.

For the detailed security status of sqlite please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sqlite

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3418-1] nvidia-graphics-drivers-legacy-390xx security update
Debian LTS Advisory DLA-3418-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
May 11, 2023    https://wiki.debian.org/LTS

Package        : nvidia-graphics-drivers-legacy-390xx
Version        : 390.157-1~deb10u1
CVE ID         : CVE-2022-34670 CVE-2022-34674 CVE-2022-34675 CVE-2022-34677 CVE-2022-34680 CVE-2022-42257 CVE-2022-42258 CVE-2022-42259
Debian Bug     : 1025281

NVIDIA has released a software security update for the NVIDIA GPU Display Driver R390 linux driver branch. This update addresses issues that may lead to denial of service, escalation of privileges, information disclosure, data tampering or undefined behavior.

CVE-2022-34670

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure.

CVE-2022-34674

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where a helper function maps more physical pages than were requested, which may lead to undefined behavior or an information leak.

CVE-2022-34675

    NVIDIA Display Driver for Linux contains a vulnerability in the Virtual GPU Manager, where it does not check the return value from a null-pointer dereference, which may lead to denial of service.

CVE-2022-34677

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause an integer to be truncated, which may lead to denial of service or data tampering.

CVE-2022-34680

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service.

CVE-2022-42257

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to information disclosure, data tampering or denial of service.

CVE-2022-42258

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service, data tampering, or information disclosure.

CVE-2022-42259

    NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer (nvidia.ko), where an integer overflow may lead to denial of service.

For Debian 10 buster, these problems have been fixed in version 390.157-1~deb10u1.

We recommend that you upgrade your nvidia-graphics-drivers-legacy-390xx packages.

For the detailed security status of nvidia-graphics-drivers-legacy-390xx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nvidia-graphics-drivers-legacy-390xx

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3390-1] zabbix security update
Debian LTS Advisory DLA-3390-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
April 12, 2023    https://wiki.debian.org/LTS

Package        : zabbix
Version        : 1:4.0.4+dfsg-1+deb10u1
CVE ID         : CVE-2019-15132 CVE-2020-15803 CVE-2021-27927 CVE-2022-24349 CVE-2022-24917 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
Debian Bug     : 935027 966146 1014992 1014994

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing User Enumeration, Cross-Site-Scripting or Cross-Site Request Forgery.

CVE-2019-15132

    Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocking for a number of seconds). This affects both api_jsonrpc.php and index.php.

CVE-2020-15803

    Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1 allows stored XSS in the URL Widget.

CVE-2021-27927

    In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

CVE-2022-24349

    An authenticated user can create a link with reflected XSS payload for actions' pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim's computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel.

CVE-2022-24917

    An authenticated user can create a link with reflected Javascript code inside it for services' page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

CVE-2022-24919

    An authenticated user can create a link with reflected Javascript code inside it for graphs' page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks.

CVE-2022-35229

    An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVE-2022-35230

    An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

For Debian 10 buster, these problems have been fixed in version 1:4.0.4+dfsg-1+deb10u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3387-2] udisks2 regression update
Debian LTS Advisory DLA-3387-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
April 10, 2023    https://wiki.debian.org/LTS

Package        : udisks2
Version        : 2.8.1-4+deb10u2
Debian Bug     : 1034124

A regression was reported that the fix for CVE-2021-3802 broke mounting with allow-listed mount option/value pairs, for example errors=remount-ro.

For Debian 10 buster, this problem has been fixed in version 2.8.1-4+deb10u2.

We recommend that you upgrade your udisks2 packages.

For the detailed security status of udisks2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/udisks2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3387-1] udisks2 security update
Debian LTS Advisory DLA-3387-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Tobias Frost
April 07, 2023    https://wiki.debian.org/LTS

Package        : udisks2
Version        : 2.8.1-4+deb10u1
CVE ID         : CVE-2021-3802
Debian Bug     :

Stefan Walter found that udisks2, a service to access and manipulate storage devices, could cause denial of service via system crash if a corrupted or specially crafted ext2/3/4 device or image was mounted, which could happen automatically on certain environments.

For Debian 10 buster, this problem has been fixed in version 2.8.1-4+deb10u1.

We recommend that you upgrade your udisks2 packages.

For the detailed security status of udisks2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/udisks2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3380-1] firmware-nonfree LTS new upstream version (security updates and newer firmware for Linux 5.10)
- Debian LTS Advisory DLA-3380-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 01, 2023 https://wiki.debian.org/LTS -

Package : firmware-nonfree
Version : 20190114+really20220913-0+deb10u1
CVE ID : CVE-2020-12362 CVE-2020-12363 CVE-2020-12364 CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2021-23168 CVE-2021-23223 CVE-2021-37409 CVE-2021-44545 CVE-2022-21181
Debian Bug : 844056 877667 903437 919452 919632 927286 927917 928510 928631 928672 931930 935969 947356 956224 962972 963025 963558 964028 966025 968272 969000 971791 975726 977042 980101 982579 982757 983255 983561 984489 984852 984874 985740 985743 991500 992551 999825 1006500 1006638 1009316 1009618 1014651 1015728 1016058 1019847 1020962

The firmware-nonfree package has been updated to include additional firmware that may be requested by some drivers in Linux 5.10, which is available for Debian LTS as a backported kernel. Some of the updated firmware files address security vulnerabilities which may allow escalation of privilege, denial of service or information disclosure.

CVE-2020-24586 (INTEL-SA-00473) The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.

CVE-2020-24587 (INTEL-SA-00473) The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

CVE-2020-24588 (INTEL-SA-00473) The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.

CVE-2021-23168 (INTEL-SA-00621) Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVE-2021-23223 (INTEL-SA-00621) Improper initialization for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2021-37409 (INTEL-SA-00621) Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2021-44545 (INTEL-SA-00621) Improper input validation for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVE-2022-21181 (INTEL-SA-00621) Improper input validation for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable escalation of privilege via local access.

The following issues are also fixed by this upload, but need an updated Linux kernel to load the updated firmware:

CVE-2020-12362 (INTEL-SA-00438) Integer overflow in the firmware for some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2020-12363 (INTEL-SA-00438) Improper input validation in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.

CVE-2020-12364 (INTEL-SA-00438) Null pointer reference in some Intel(R) Graphics Drivers for Windows* before version 26.20.100.7212 and before Linux kernel version 5.5 may allow a privileged user to potentially enable a denial of service via local access.

For Debian 10 buster, these problems have been fixed in version 20190114+really20220913-0+deb10u1.

We recommend that you upgrade your firmware-nonfree packages.

For the detailed
[SECURITY] [DLA 3379-1] intel-microcode security update
- Debian LTS Advisory DLA-3379-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost April 01, 2023 https://wiki.debian.org/LTS -

Package : intel-microcode
Version : 3.20230214.1~deb10u1
CVE ID : CVE-2022-21216 CVE-2022-21233 CVE-2022-33196 CVE-2022-33972 CVE-2022-38090
Debian Bug : 1031334

Multiple potential security vulnerabilities in some Intel(R) Processors have been found which may allow information disclosure or escalation of privilege. Intel is releasing microcode updates to mitigate these potential vulnerabilities. Please note that the fix for CVE-2022-33196 might additionally require a firmware update.

CVE-2022-21216 (INTEL-SA-00700) Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access.

CVE-2022-33196 (INTEL-SA-00738) Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable escalation of privilege via local access. This fix may require a firmware update to be effective on some processors.

CVE-2022-33972 (INTEL-SA-00730) Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable information disclosure via local access.

CVE-2022-38090 (INTEL-SA-00767) Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.

CVE-2022-21233 (INTEL-SA-00657) Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.

For Debian 10 buster, these problems have been fixed in version 3.20230214.1~deb10u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
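Verifying that the new microcode is actually in use after the upgrade, as an added example (this is not code from the advisory or from the intel-microcode package): the functions below parse /proc/cpuinfo text, derive the family-model-stepping name under which intel-microcode ships the blob (/lib/firmware/intel-ucode/06-55-07 for family 6, model 85, stepping 7) and report whether every logical CPU shows the same microcode revision. The cpuinfo text is a constructed sample; the model name and the revision numbers in it are placeholders.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample in /proc/cpuinfo format (not captured from a real host). The
# signature (family 6, model 85, stepping 7) is a real Intel one; the model name and
# the microcode revisions are placeholders. CPU 1 reports an older revision than CPU 0.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) (constructed sample)
stepping\t: 7
microcode\t: 0x5000021

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) (constructed sample)
stepping\t: 7
microcode\t: 0x500001c
"""


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo text into one {field: value} dict per logical processor."""
    cpus: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # a blank line separates processors
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def cpuid_signature(cpu: Dict[str, str]) -> str:
    """Name under which intel-microcode ships the blob for this CPU. The kernel already
    folds the CPUID extended family/model into the 'cpu family' and 'model' fields, so
    the file name is just the three numbers in two-digit hex, e.g. 06-55-07."""
    family, model, stepping = (int(cpu[k]) for k in ("cpu family", "model", "stepping"))
    return f"{family:02x}-{model:02x}-{stepping:02x}"


def microcode_report(cpuinfo_text: str) -> Dict[str, object]:
    """Summarise the loaded microcode revisions across all Intel logical CPUs."""
    intel = [c for c in parse_cpuinfo(cpuinfo_text) if c.get("vendor_id") == "GenuineIntel"]
    revisions = Counter(int(c["microcode"], 16) for c in intel)
    signatures = sorted({cpuid_signature(c) for c in intel})
    return {
        "signatures": signatures,
        "revisions": {hex(rev): count for rev, count in sorted(revisions.items())},
        # every core must report the same revision; a mix means the update did not reach all of them
        "consistent": len(revisions) <= 1,
        "expected_files": [f"/lib/firmware/intel-ucode/{sig}" for sig in signatures],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(microcode_report(SAMPLE_CPUINFO), indent=2))
```

On a real host run `microcode_report(open("/proc/cpuinfo").read())` after the reboot that follows the upgrade; the revision shown there is the one the early loader applied from the initramfs. As the advisory notes for CVE-2022-33196, a newer revision alone does not prove the mitigation is effective on processors that also need a firmware update.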
[SECURITY] [DLA 3356-1] wireless-regdb security update
- Debian LTS Advisory DLA-3356-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost March 09, 2023 https://wiki.debian.org/LTS -

Package : wireless-regdb
Version : 2022.04.08-2~deb10u1
CVE ID : n/a

This update brings the wireless regulatory database to version 2022.04.08. In addition, it allows the Linux 5.10 kernel to verify and autoload it.

We recommend that you upgrade your wireless-regdb package.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3352-1] libde265 security update
- Debian LTS Advisory DLA-3352-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost March 04, 2023 https://wiki.debian.org/LTS -

Package : libde265
Version : 1.0.11-0+deb10u4
CVE ID : CVE-2023-24751 CVE-2023-24752 CVE-2023-24754 CVE-2023-24755 CVE-2023-24756 CVE-2023-24757 CVE-2023-24758 CVE-2023-25221

Multiple issues were found in libde265, an open source implementation of the H.265 video codec, which may result in denial of service, possibly code execution due to a heap-based buffer overflow, or have unspecified other impact.

CVE-2023-24751 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24752 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24754 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24755 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24756 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_unweighted_pred_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24757 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_unweighted_pred_16_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-24758 libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

CVE-2023-25221 libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc.

For Debian 10 buster, these problems have been fixed in version 1.0.11-0+deb10u4.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3340-1] libgit2 security update
- Debian LTS Advisory DLA-3340-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost February 23, 2023 https://wiki.debian.org/LTS -

Package : libgit2
Version : 0.27.7+dfsg.1-0.2+deb10u1
CVE ID : CVE-2020-12278 CVE-2020-12279 CVE-2023-22742
Debian Bug : 1029368

Multiple vulnerabilities have been found in libgit2, a cross-platform, linkable library implementation of Git, which may result in remote code execution when cloning a repository onto an NTFS-like filesystem, or in man-in-the-middle attacks because the server's SSH host key is not verified (improper verification of cryptographic signature).

CVE-2020-12278 An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.

CVE-2020-12279 An issue was discovered in libgit2 before 0.28.4 and 0.9x before 0.99.0. checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository.

CVE-2023-22742 libgit2 is a cross-platform, linkable library implementation of Git. When using an SSH remote with the optional libssh2 backend, libgit2 does not perform certificate checking by default. Prior versions of libgit2 require the caller to set the `certificate_check` field of libgit2's `git_remote_callbacks` structure; if a certificate check callback is not set, libgit2 does not perform any certificate checking. This means that by default, without configuring a certificate check callback, clients will not perform validation of the server's SSH host key and may be subject to a man-in-the-middle attack.

For Debian 10 buster, these problems have been fixed in version 0.27.7+dfsg.1-0.2+deb10u1.

We recommend that you upgrade your libgit2 packages.

For the detailed security status of libgit2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libgit2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
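What a `certificate_check` callback has to do for an SSH remote, as an added example (this is not libgit2 or Debian code, and it does not use libgit2's API): the check compares the host key the server presented with the one pinned in a known_hosts file, including OpenSSH's hashed `|1|salt|hmac` entries, and refuses both unknown hosts and changed keys. The known_hosts lines and key blobs below are constructed (they are not real keys; the check only compares the base64 blobs), and the matcher does not implement wildcard patterns or the @revoked/@cert-authority markers.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional


def _hashed_host(host: str, salt: bytes) -> bytes:
    # OpenSSH hashed known_hosts entries store HMAC-SHA1(key=salt, msg=hostname).
    # Hosts on a non-default port appear as "[host]:port" in both plain and hashed form.
    return hmac.new(salt, host.encode(), hashlib.sha1).digest()


def hashed_known_hosts_line(host: str, key_type: str, key_b64: str,
                            salt: Optional[bytes] = None) -> str:
    """Produce a '|1|salt|hash type key' line of the kind `ssh-keyscan -H` emits."""
    salt = salt if salt is not None else os.urandom(20)
    return "|1|{}|{} {} {}".format(
        base64.b64encode(salt).decode(),
        base64.b64encode(_hashed_host(host, salt)).decode(),
        key_type, key_b64)


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        return hmac.compare_digest(_hashed_host(host, base64.b64decode(salt_b64)),
                                   base64.b64decode(mac_b64))
    # Plain entries may list several names separated by commas. Wildcards and
    # negations are not supported by this simplified matcher.
    return host in pattern.split(",")


def lookup_host_key(known_hosts: Iterable[str], host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (host is known but the key differs: possible MITM)
    or 'unknown' (no entry for the host at all)."""
    host_seen = False
    for line in known_hosts:
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):      # @revoked / @cert-authority markers: not handled here
            continue
        pattern, ktype, kdata = parts[0], parts[1], parts[2]
        if not _host_matches(pattern, host):
            continue
        host_seen = True
        if ktype == key_type and hmac.compare_digest(kdata.encode(), key_b64.encode()):
            return "match"
    return "mismatch" if host_seen else "unknown"


def certificate_check(known_hosts: Iterable[str], host: str, key_type: str, key_b64: str) -> bool:
    """Strict policy for a host-key callback: only a key already pinned in known_hosts
    is accepted. Unknown hosts are rejected rather than trusted on first use, which is
    the right default for unattended clone/fetch jobs."""
    return lookup_host_key(list(known_hosts), host, key_type, key_b64) == "match"


# Constructed sample data: the base64 strings are not real keys.
PINNED_KEY = base64.b64encode(b"constructed-fake-ed25519-blob-for-git.example.org").decode()
OTHER_KEY = base64.b64encode(b"constructed-fake-ed25519-blob-presented-by-attacker").decode()
SAMPLE_KNOWN_HOSTS = [
    "# known_hosts (constructed)",
    hashed_known_hosts_line("git.example.org", "ssh-ed25519", PINNED_KEY, salt=b"\x01" * 20),
    "mirror.example.org,10.0.0.5 ssh-ed25519 " + OTHER_KEY,
]
```

The same distinction between "unknown" and "mismatch" is worth surfacing in logs: the first is a provisioning gap, the second is the signal the CVE is about.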
[SECURITY] [DLA 3313-1] wireshark security update
- Debian LTS Advisory DLA-3313-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost February 08, 2023 https://wiki.debian.org/LTS -

Package : wireshark
Version : 2.6.20-0+deb10u5
CVE ID : CVE-2022-4345 CVE-2023-0411 CVE-2023-0412 CVE-2023-0413 CVE-2023-0415 CVE-2023-0417

Multiple security vulnerabilities have been discovered in Wireshark, a network traffic analyzer. An attacker could cause a denial of service (infinite loop or application crash) via packet injection or a crafted capture file.

CVE-2022-4345 Infinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allow denial of service via packet injection or crafted capture file.

CVE-2023-0411 Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allow denial of service via packet injection or crafted capture file.

CVE-2023-0412 TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file.

CVE-2023-0413 Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file.

CVE-2023-0415 iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file.

CVE-2023-0417 Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 allows denial of service via packet injection or crafted capture file.

For Debian 10 buster, these problems have been fixed in version 2.6.20-0+deb10u5.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3293-1] modsecurity-crs security update
- Debian LTS Advisory DLA-3293-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 30, 2023 https://wiki.debian.org/LTS -

Package : modsecurity-crs
Version : 3.2.3-0+deb10u3
CVE ID : CVE-2018-16384 CVE-2020-22669 CVE-2021-35368 CVE-2022-39955 CVE-2022-39956 CVE-2022-39957 CVE-2022-39958
Debian Bug : 924352 992000 1021137

Multiple issues were found in modsecurity-crs, a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls, which allow remote attackers to bypass the web application firewall.

If you are using modsecurity-crs with apache2 / libapache2-modsecurity, please make sure to review your ModSecurity configuration, usually /etc/modsecurity/modsecurity.conf, against the updated recommended configuration available in /etc/modsecurity/modsecurity.conf-recommended: some of the changes to the recommended rules are required to avoid WAF bypasses in certain circumstances.

Please note that CVE-2022-39956 requires an updated modsecurity-apache package, which has previously been uploaded to buster-security; see Debian LTS Advisory DLA-3283-1 for details.

If you are using some other solution in connection with the ModSecurity rule set, for example one that uses libmodsecurity3, your solution might fail with an error message like "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". In this case you can disable the mitigation for CVE-2022-39956 by removing the rule file REQUEST-922-MULTIPART-ATTACK.conf. Be aware, however, that this disables the protection and could allow attackers to bypass your web application firewall. There is no package in Debian which depends on libmodsecurity3, so if you are only using software available from Debian, you are not affected by this limitation.

Kudos to @airween for the support and help while preparing the update.

CVE-2018-16384 A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed.

CVE-2020-22669 Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications.

CVE-2022-39955 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39956 The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVE-2022-39957 The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Int
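The two header-level checks behind CVE-2022-39955 and CVE-2022-39956, as an added example that is not the CRS rule set or ModSecurity code: a Content-Type parser that keeps duplicate parameters (so a second charset cannot hide behind the first) and enforces a charset allow-list, and a multipart walker that flags parts whose own Content-Type charset or Content-Transfer-Encoding would deliver a payload the engine does not decode before inspection. ALLOWED_CHARSETS and both request samples are constructed for this example.

```python
import base64
import re
from typing import List, Tuple

# Constructed allow-list in the spirit of the CRS charset allow-list; tune it to what
# the backend actually accepts.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# One ';name=value' parameter; values may be quoted. Duplicates are deliberately kept.
_PARAM_RE = re.compile(r';\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_content_type(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (media type, ordered list of (name, value) parameters), keeping duplicates."""
    media, sep, rest = value.partition(";")
    params: List[Tuple[str, str]] = []
    if sep:
        for m in _PARAM_RE.finditer(";" + rest):
            name, val = m.group(1).lower(), m.group(2).strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            params.append((name, val))
    return media.strip().lower(), params


def check_content_type(value: str) -> Tuple[bool, str]:
    """Reject more than one charset parameter and any charset outside the allow-list.
    A value such as 'utf-8, utf-7' is not a single allow-listed name and is rejected too."""
    _, params = parse_content_type(value)
    charsets = [v.lower() for n, v in params if n == "charset"]
    if len(charsets) > 1:
        return False, f"multiple charset parameters: {charsets}"
    if charsets and charsets[0] not in ALLOWED_CHARSETS:
        return False, f"charset not allow-listed: {charsets[0]!r}"
    return True, "ok"


def check_multipart(content_type: str, body: bytes) -> List[str]:
    """Walk a multipart/form-data body and flag part headers that would make the
    payload arrive in an encoding the engine does not decode before inspection."""
    media, params = parse_content_type(content_type)
    boundary = next((v for n, v in params if n == "boundary"), "")
    if media != "multipart/form-data" or not boundary:
        return ["not a multipart/form-data Content-Type with a boundary"]
    findings: List[str] = []
    for idx, part in enumerate(body.split(b"--" + boundary.encode("latin-1"))[1:]):
        if part.startswith(b"--"):          # closing delimiter
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, _, _ = part.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, sep, val = line.partition(":")
            if sep:
                headers[name.strip().lower()] = val.strip()
        cte = headers.get("content-transfer-encoding")
        if cte:
            findings.append(f"part {idx}: Content-Transfer-Encoding {cte!r} (CVE-2022-39956 pattern)")
        part_ct = headers.get("content-type")
        if part_ct:
            ok, why = check_content_type(part_ct)
            if not ok:
                findings.append(f"part {idx}: {why}")
    return findings


# Constructed request samples (not captured traffic).
SAMPLE_MULTIPART_CT = "multipart/form-data; boundary=XyZ123"
SAMPLE_MULTIPART_BODY = b"".join([
    b"--XyZ123\r\n",
    b'Content-Disposition: form-data; name="comment"\r\n',
    b"Content-Transfer-Encoding: base64\r\n\r\n",
    base64.b64encode(b"<script>alert(1)</script>") + b"\r\n",
    b"--XyZ123\r\n",
    b'Content-Disposition: form-data; name="note"\r\n',
    b"Content-Type: text/plain; charset=utf-7\r\n\r\n",
    b"+ADw-script+AD4-alert(1)+ADw-/script+AD4-\r\n",   # UTF-7 form of <script>alert(1)</script>
    b"--XyZ123\r\n",
    b'Content-Disposition: form-data; name="ok"\r\n\r\n',
    b"hello\r\n",
    b"--XyZ123--\r\n",
])
```

Both checks are deny-by-construction: a header the parser cannot reduce to one allow-listed charset, or a part that announces a transfer encoding, is enough to reject the request, which is cheaper and safer than trying to decode every scheme the backend might understand.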
[SECURITY] [DLA 3283-1] modsecurity-apache security update
- Debian LTS Advisory DLA-3283-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 26, 2023 https://wiki.debian.org/LTS -

Package : modsecurity-apache
Version : 2.9.3-1+deb10u2
CVE ID : CVE-2022-48279 CVE-2023-24021
Debian Bug : 1029329

Multiple issues were found in modsecurity-apache, an open source, cross-platform web application firewall (WAF) engine for Apache, which allow remote attackers to bypass the web application firewall or have other unspecified impact.

CVE-2022-48279 In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

CVE-2023-24021 Incorrect handling of null-bytes in file uploads in ModSecurity before 2.9.7 may allow for Web Application Firewall bypasses and buffer overflows on the Web Application Firewall when executing rules reading the FILES_TMP_CONTENT collection.

For Debian 10 buster, these problems have been fixed in version 2.9.3-1+deb10u2.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to its security tracker page at: https://security-tracker.debian.org/tracker/modsecurity-apache

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3280-1] libde265 security update
- Debian LTS Advisory DLA-3280-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 24, 2023 https://wiki.debian.org/LTS -

Package : libde265
Version : 1.0.3-1+deb10u2
CVE ID : CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655
Debian Bug : 1025816 1027179 1029357 1029397

Multiple issues were found in libde265, an open source implementation of the H.265 video codec, which may result in denial of service or have unspecified other impact.

CVE-2020-21596 libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted file.

CVE-2020-21597 libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted file.

CVE-2020-21598 libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted file.

CVE-2022-43235 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43236 Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via put_qpel_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43237 Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via void put_epel_hv_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43238 Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43239 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_chroma in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43240 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43241 Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43242 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via mc_luma in motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43243 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43244 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43245 Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43248 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43249 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43250 Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc. This vulnerability allows attackers
[SECURITY] [DLA 3269-1] libapreq2 security update
- Debian LTS Advisory DLA-3269-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost January 14, 2023 https://wiki.debian.org/LTS -

Package : libapreq2
Version : 2.13-7~deb10u2
CVE ID : CVE-2022-22728
Debian Bug : 1018191

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash, which could lead to a denial of service attack.

For Debian 10 buster, this problem has been fixed in version 2.13-7~deb10u2.

We recommend that you upgrade your libapreq2 packages.

For the detailed security status of libapreq2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapreq2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3250-1] multipath-tools security update
- Debian LTS Advisory DLA-3250-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 29, 2022 https://wiki.debian.org/LTS -

Package : multipath-tools
Version : 0.7.9-3+deb10u2
CVE ID : CVE-2022-41973 CVE-2022-41974
Debian Bug : 1022742

Multiple issues were found in multipath-tools, a tool-chain to manage disk multipath device maps, which may be used by local attackers to obtain root privileges, or to create directories or overwrite files via symlink attacks.

Please note that the fix for CVE-2022-41973 involves switching from /dev/shm to systemd-tmpfiles (/run/multipath-tools). If you have previously accessed /dev/shm directly, please update your setup to the new path.

CVE-2022-41973 multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root.

CVE-2022-41974 multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root. This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR.

For Debian 10 buster, these problems have been fixed in version 0.7.9-3+deb10u2.

We recommend that you upgrade your multipath-tools packages.

For the detailed security status of multipath-tools please refer to its security tracker page at: https://security-tracker.debian.org/tracker/multipath-tools

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
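How a repeated keyword turns into a different command when the fingerprint is summed, as an added, illustrative model (the keyword table, handler table and permission rule are invented for this example; none of it is multipath-tools' code): each keyword is one bit, so OR-ing is idempotent, while adding lets eight copies of a read-only keyword carry into the bit of a privileged command. The hypothetical daemon authorises on the words the client sent but dispatches on the fingerprint, which is exactly the kind of disagreement the CVE text describes.

```python
from typing import Dict, Iterable, Optional

# Illustrative keyword table and command table, invented for this example.
# One bit per keyword, so the OR of a command's keywords identifies it uniquely.
KEYWORDS: Dict[str, int] = {
    "list": 1 << 0,
    "paths": 1 << 1,
    "maps": 1 << 2,
    "reconfigure": 1 << 3,
}
HANDLERS: Dict[int, str] = {
    KEYWORDS["list"] | KEYWORDS["paths"]: "list paths",
    KEYWORDS["list"] | KEYWORDS["maps"]: "list maps",
    KEYWORDS["reconfigure"]: "reconfigure",
}
READ_ONLY_KEYWORDS = {"list", "paths", "maps"}


def fingerprint_add(words: Iterable[str]) -> int:
    """The flawed variant: arithmetic ADD. A repeated keyword carries into the next bit,
    so 'list' x 8 == 1 << 3, the fingerprint of 'reconfigure'."""
    return sum(KEYWORDS[w] for w in words)


def fingerprint_or(words: Iterable[str]) -> int:
    """The fixed variant: bitwise OR. Repeating a keyword changes nothing."""
    fp = 0
    for w in words:
        fp |= KEYWORDS[w]
    return fp


def dispatch(words: Iterable[str], fingerprint) -> str:
    """Hypothetical daemon: the permission check looks at the keywords the client sent,
    the handler lookup uses the fingerprint. With ADD the two can disagree."""
    words = list(words)
    if any(w not in KEYWORDS for w in words):
        return "unknown keyword"
    if not set(words) <= READ_ONLY_KEYWORDS:
        return "denied: privileged keyword"
    handler: Optional[str] = HANDLERS.get(fingerprint(words))
    return handler if handler is not None else "unknown command"


if __name__ == "__main__":
    for fp in (fingerprint_add, fingerprint_or):
        print(fp.__name__, "->", dispatch(["list"] * 8, fp))
```

When auditing similar code, the thing to look for is any value that is both accumulated with `+=` from per-token flags and later used as an identity (a lookup key, a permission mask, a capability set); that is where `|=` is required, and where duplicate tokens should additionally be rejected outright.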
[SECURITY] [DLA 3240-1] libde265 security update
- Debian LTS Advisory DLA-3240-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 15, 2022 https://wiki.debian.org/LTS -

Package : libde265
Version : 1.0.3-1+deb10u1
CVE ID : CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411
Debian Bug : 1014977

Multiple issues were found in libde265, an open source implementation of the H.265 video codec, which may result in denial of service or have unspecified other impact.

CVE-2020-21599 libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted file.

CVE-2021-35452 An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.

CVE-2021-36408 libde265 v1.0.8 contains a Heap-use-after-free in intrapred.h when decoding a file using dec265.

CVE-2021-36409 There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

CVE-2021-36410 A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

CVE-2021-36411 An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

For Debian 10 buster, these problems have been fixed in version 1.0.3-1+deb10u1.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
[SECURITY] [DLA 3238-1] pngcheck security update
- Debian LTS Advisory DLA-3238-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 13, 2022 https://wiki.debian.org/LTS -

Package : pngcheck
Version : 3.0.3-1~deb10u2
CVE ID : CVE-2020-35511
Debian Bug : 1021278

Multiple security issues were discovered in pngcheck, a tool to verify the integrity of PNG, JNG and MNG files, which could potentially result in the execution of arbitrary code.

CVE-2020-35511 A global buffer overflow was discovered in the pngcheck function in pngcheck-2.4.0 (5 patches applied) via a crafted png file.

For Debian 10 buster, these problems have been fixed in version 3.0.3-1~deb10u2.

We recommend that you upgrade your pngcheck packages.

For the detailed security status of pngcheck please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pngcheck

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc Description: PGP signature
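Checking whether an installed version already carries one of the fixes named in the advisories above, as an added example that is not part of Debian's tooling: a Python port of dpkg's version comparison (epoch, then upstream version, then Debian revision; `~` sorts before everything including the end of the string, so 3.20230214.1~deb10u1 is older than 3.20230214.1, and `+really` upstream strings sort higher than the plain number they are appended to) applied to the output of `dpkg-query -W -f='${source:Package}\t${Version}\n'`. The dpkg-query output below is constructed; FIXED holds the buster versions stated in the advisories on this page.

```python
from typing import Dict, List, Tuple

_DIGITS = "0123456789"
_ALPHA = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c: str) -> int:
    """Sort weight of a non-digit character, as in dpkg's verrevcmp(): '~' sorts
    before everything (even the end of the string), letters before other punctuation."""
    if c in _ALPHA:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version components the way dpkg does: alternate runs of
    non-digits (compared by _order) and runs of digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) and a[i] not in _DIGITS else 0
            bc = _order(b[j]) if j < len(b) and b[j] not in _DIGITS else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision is everything after the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (dpkg --compare-versions semantics)."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def find_vulnerable(dpkg_output: str, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for every listed package older than its fixed version."""
    vulnerable = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        pkg, _, ver = line.partition("\t")
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            vulnerable.append((pkg, ver, fixed[pkg]))
    return vulnerable


# Fixed versions for Debian 10 buster as stated in the advisories on this page.
FIXED = {
    "udisks2": "2.8.1-4+deb10u2",
    "intel-microcode": "3.20230214.1~deb10u1",
    "libgit2": "0.27.7+dfsg.1-0.2+deb10u1",
    "modsecurity-crs": "3.2.3-0+deb10u3",
    "multipath-tools": "0.7.9-3+deb10u2",
    "libde265": "1.0.11-0+deb10u4",
}
# Constructed output of: dpkg-query -W -f='${source:Package}\t${Version}\n'  (not from a real host)
SAMPLE_DPKG = (
    "udisks2\t2.8.1-4+deb10u1\n"
    "intel-microcode\t3.20230214.1~deb10u1\n"
    "libgit2\t0.27.7+dfsg.1-0.2\n"
    "modsecurity-crs\t3.2.3-0+deb10u3\n"
    "libde265\t1.0.3-1+deb10u2\n"
)
```

On a single host `dpkg --compare-versions "$installed" lt "$fixed"` answers the same question without any code; the port is for checking exported inventories from many hosts offline. Note that `${source:Package}` is needed because the advisories name source packages (libgit2, libde265) while dpkg installs binary packages (libgit2-27, libde265-0).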
[SECURITY] [DLA 3232-1] virglrenderer security update
- Debian LTS Advisory DLA-3232-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost December 07, 2022 https://wiki.debian.org/LTS -

Package : virglrenderer
Version : 0.7.0-2+deb10u1
CVE ID : CVE-2019-18388 CVE-2019-18389 CVE-2019-18390 CVE-2019-18391 CVE-2020-8002 CVE-2020-8003 CVE-2022-0135
Debian Bug : 946942 949954 1009073

Several security vulnerabilities were discovered in virglrenderer, a virtual GPU for KVM virtualization.

CVE-2019-18388
A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via malformed commands.

CVE-2019-18389
A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service, or QEMU guest-to-host escape and code execution, via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

CVE-2019-18390
An out-of-bounds read in the vrend_blit_need_swizzle function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_BLIT commands.

CVE-2019-18391
A heap-based buffer overflow in the vrend_renderer_transfer_write_iov function in vrend_renderer.c in virglrenderer through 0.8.0 allows guest OS users to cause a denial of service via VIRGL_CCMD_RESOURCE_INLINE_WRITE commands.

CVE-2020-8002
A NULL pointer dereference in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service via commands that attempt to launch a grid without previously providing a Compute Shader (CS).

CVE-2020-8003
A double-free vulnerability in vrend_renderer.c in virglrenderer through 0.8.1 allows attackers to cause a denial of service by triggering texture allocation failure, because vrend_renderer_resource_allocated_texture is not an appropriate place for a free.

CVE-2022-0135
An out-of-bounds write issue was found in the VirGL virtual OpenGL renderer (virglrenderer). This flaw allows a malicious guest to create a specially crafted virgil resource and then issue a VIRTGPU_EXECBUFFER ioctl, leading to a denial of service or possible code execution.

For Debian 10 buster, these problems have been fixed in version 0.7.0-2+deb10u1.

We recommend that you upgrade your virglrenderer packages.

For the detailed security status of virglrenderer please refer to its security tracker page at: https://security-tracker.debian.org/tracker/virglrenderer

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3176-1] clickhouse security update
- Debian LTS Advisory DLA-3176-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Tobias Frost November 03, 2022 https://wiki.debian.org/LTS -

Package : clickhouse
Version : 18.16.1+ds-4+deb10u1
CVE ID : CVE-2021-42387 CVE-2021-42388 CVE-2021-43304 CVE-2021-43305
Debian Bug : 1008216

Several security vulnerabilities were discovered in clickhouse, a column-oriented database system.

The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities. By triggering the vulnerabilities, an attacker can crash the ClickHouse server, leak memory contents or even cause remote code execution.

CVE-2021-42387
Heap out-of-bounds read in ClickHouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.

CVE-2021-42388
Heap out-of-bounds read in ClickHouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.

CVE-2021-43304
Heap buffer overflow in ClickHouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop, and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don't exceed the destination buffer's limits.

CVE-2021-43305
Heap buffer overflow in ClickHouse's LZ4 compression codec when parsing a malicious query. There is no verification that the copy operations in the LZ4::decompressImpl loop, and especially the arbitrary copy operation wildCopy<copy_amount>(op, ip, copy_end), don't exceed the destination buffer's limits. This issue is very similar to CVE-2021-43304, but the vulnerable copy operation is in a different wildCopy call.

For Debian 10 buster, these problems have been fixed in version 18.16.1+ds-4+deb10u1.

We recommend that you upgrade your clickhouse packages.

For the detailed security status of clickhouse please refer to its security tracker page at: https://security-tracker.debian.org/tracker/clickhouse

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
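The three classes of check the ClickHouse CVEs above describe as missing (the lower bound of the copy source, the upper bound of the source, and the destination buffer's limit), shown in a hardened form. This is an added illustration in C, not ClickHouse's LZ4::decompressImpl: a hypothetical minimal LZ4-style block decoder; lz_decode, decode_sample and the SAMPLE_* inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical minimal LZ4-style block decoder (added illustration, not
 * ClickHouse's LZ4::decompressImpl). Sequence = token (literal length in the high
 * nibble, match length - 4 in the low nibble), literals, 16-bit LE match offset. */
typedef enum { LZ_OK, LZ_ERR_TRUNCATED, LZ_ERR_BAD_OFFSET, LZ_ERR_DST_OVERFLOW } lz_status;

lz_status lz_decode(const uint8_t *src, size_t src_len,
                    uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    const uint8_t *ip = src, *ip_end = src + src_len;
    uint8_t *op = dst, *op_end = dst + dst_cap;
    while (ip < ip_end) {
        uint8_t token = *ip++;
        size_t lit_len = token >> 4, match_len = (token & 0x0F) + 4;
        /* literals: source must not run past the input, destination needs room */
        if ((size_t)(ip_end - ip) < lit_len) return LZ_ERR_TRUNCATED;
        if ((size_t)(op_end - op) < lit_len) return LZ_ERR_DST_OVERFLOW;
        memcpy(op, ip, lit_len); ip += lit_len; op += lit_len;
        if (ip == ip_end) break;                    /* last sequence has no match */
        if (ip_end - ip < 2) return LZ_ERR_TRUNCATED;
        uint16_t offset = (uint16_t)(ip[0] | (ip[1] << 8)); ip += 2;
        /* lower bound of the copy source: offset 0, or larger than the bytes
         * already produced, would read before the start of the buffer */
        if (offset == 0 || offset > (size_t)(op - dst)) return LZ_ERR_BAD_OFFSET;
        /* destination bound: the match copy must stay within dst_cap */
        if ((size_t)(op_end - op) < match_len) return LZ_ERR_DST_OVERFLOW;
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < match_len; i++) op[i] = match[i]; /* byte-wise: overlap is legal */
        op += match_len;
    }
    *out_len = (size_t)(op - dst);
    return LZ_OK;
}
/* Constructed samples: literals "abcd" then a 4-byte match at offset 4 (valid,
 * yields "abcdabcd"); the second uses offset 5, which points before the output. */
const uint8_t SAMPLE_OK[]         = {0x40, 'a', 'b', 'c', 'd', 0x04, 0x00};
const uint8_t SAMPLE_BAD_OFFSET[] = {0x40, 'a', 'b', 'c', 'd', 0x05, 0x00};
static uint8_t scratch[32]; size_t sample_len;
/* Decode a sample into `scratch` with a caller-chosen capacity to exercise each check. */
lz_status decode_sample(const uint8_t *s, size_t n, size_t cap)
{ return lz_decode(s, n, scratch, cap < sizeof scratch ? cap : sizeof scratch, &sample_len); }
int sample_ok_round_trips(void)
{   return decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, sizeof scratch) == LZ_OK
        && sample_len == 8 && memcmp(scratch, "abcdabcd", 8) == 0; }
```

Passing a capacity smaller than the decoded size, or a truncated input, exercises the destination and source checks respectively; the malformed offset sample is rejected before any memory is read.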