It was discovered that there was a potential reflected file download (RFD) vulnerability in ruby-sinatra, a Ruby library for writing HTTP applications. A Content-Disposition HTTP header was being incorrectly derived from a potentially user-supplied filename.
This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2.
It was discovered that there was an off-by-one array size issue in libtasn1-6, a library to manage the generic ASN.1 data structure. For Debian 10 buster, this problem has been fixed in version
It was discovered that there was a potential cross-site scripting vulnerability in smarty3, a widely-used PHP templating engine. For Debian 10 buster, this problem has been fixed in version
It was discovered that there was a potential null pointer dereference vulnerability in libetpan, a low-level library for handling email. For Debian 10 buster, this problem has been fixed in version
It was discovered that node-xmldom, a standard XML DOM (Level2 CORE) implementation in pure JavaScript, processed ill-formed XML, which may result in bugs and security holes in downstream applications.
It was discovered that there was an issue in Emacs where attackers could have executed arbitrary commands via shell metacharacters in the name of a source-code file.
Several flaws have been discovered in libjettison-java, a collection of StAX parsers and writers for JSON. Specially crafted user input may cause a denial of service via out-of-memory or stack overflow errors.
Supraja Baskar discovered a prototype pollution vulnerability in node-loader-utils, a Node.js module for webpack loaders. For Debian 10 buster, this problem has been fixed in version