Advisory: Debian LTS Essential and Critical Security Patch Updates
Find the information you need for your favorite open source distribution .
Find the information you need for your favorite open source distribution .
This update fixes a denial of service vulnerability in leptonlib. It can be made to crash with an arithmetic exception on specially crafted JPEG files. For Debian 10 buster, this problem has been fixed in version
Several security vulnerabilities were discovered in virglrenderer, a virtual GPU for KVM virtualization. CVE-2019-18388
dlt-daemon, a Diagnostic Log and Trace logging daemon, had the following vulnerabilities reported: CVE-2020-29394
jQuery-UI, the official jQuery user interface library, is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery were reported to have the following vulnerabilities.
In node-log4js, a port of log4js in Node.js, default file permissions for log files created by the file, fileSync, and dateFile appenders are world-readable. This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their
node-json-schema, JSON Schema validation and specifications, was vulnerable to Improperly Controlled Modification of Object Prototype Attributes.
A potential cross-site scripting (XSS) vulnerability was discovered in ruby-rails-html-sanitizer, a library to clean (or "sanitize") HTML for rendering within Ruby on Rails web applications.
When parsing files containing Nef polygon data, several memory access violations may happen. Many of these allow code execution. CVE-2020-28601
AWStats, a powerful and featureful web server log analyzer, allowed XSS in the hostinfo plugin due to printing a response from Net::XWhois without proper checks.
There was a potential HTTP request smuggling vulnerability in http-parser, a popular library for parsing HTTP messages. For Debian 10 buster, this problem has been fixed in version
This update fixes two file format vulnerabilities in giflib. CVE-2018-11490
ranjit-git discovered an information leak vulnerability in node-fetch, a Node.js module exposing a window.fetch compatible API on Node.js runtime: the module was not honoring the same-origin-policy and upon following a redirect would leak cookies to the the target URL.
Cristian-Alexandru Staicu discovered a prototype pollution vulnerability in inode-cached-path-relative, a Node.js module used to cache (memoize) the result of path.relative.
ClamAV, an anti-virus utility for Unix, v0.103.7 is a critical patch release with the following fixes: * Fix logical signature "Intermediates" feature.
Jhead, a tool for manipulating EXIF data embedded in JPEG images, allowed attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50, -autorot or -ce option. In addition a buffer overflow error in exif.c has been addressed which could lead to a denial
pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This
g810-led, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule to make supported device nodes world-readable and writable, allowing any process on the system to read traffic from keyboards, including sensitive data.
Mitsurugi Heishiro found out that in VLC, multimedia player and streamer, a potential buffer overflow in the vnc module could trigger remote code execution if a malicious vnc URL is deliberately played.
This update adds size checks to thumbnail extraction. Prior to these checks, it was possible to overflow arguments to e.g. malloc and thus cause out-of-bounds memory accesses.
It was discovered that there was a potential Denial of Service (DoS) attack against krb5, a suite of tools implementing the Kerberos authentication system. An integer overflow in PAC parsing could have been exploited if a cross-realm entity acted maliciously.