Debian LTS Linux Distribution
Find the information you need for your favorite open source distribution.
Jakub Wilk discovered a local privilege escalation in needrestart, a utility to check which daemons need to be restarted after library upgrades. Regular expressions to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate
Felix Wilhelm discovered that libxml2, the GNOME XML library, did not correctly check for integer overflows or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers.
Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows, out-of-bounds reads and use-after-free may lead to a denial-of-service (application crash) or other unspecified impact.
A couple of vulnerabilities were found in src:cifs-utils, the Common Internet File System utilities, and are as follows: CVE-2022-27239
The ffmpeg project released the new version 3.2.18 with fixes for various issues found by the OSS-Fuzz project. For Debian 9 stretch, this release is packaged in version 7:3.2.18-0+deb9u1.
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is executed by update-ca-certificates, from ca-certificates, to re-hash certificates in /etc/ssl/certs/. An attacker able to place files in this directory could execute arbitrary commands with the
CVE-2021-3596: A NULL pointer dereference flaw was found in ImageMagick in versions prior to 7.0.10-31 in ReadSVGImage() in
Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure or denial of service. For Debian 9 stretch, these problems have been fixed in version
lrzip, a compression program, was found to have a heap memory corruption bug. For Debian 9 stretch, this problem has been fixed in version 0.631-1+deb9u3.
It was discovered that the package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Waitress is a Python WSGI server, an application server for Python web apps. Security updates fix request smuggling bugs that arise when Waitress is combined with another HTTP proxy that interprets requests differently. This can lead to a potential for
It was discovered that Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, incorrectly handled certain input. An attacker could possibly use this issue to cause a crash, or expose sensitive information.
KiCad is a suite of programs for the creation of printed circuit boards. It includes a schematic editor, a PCB layout tool, support tools and a 3D viewer to display a finished & fully populated PCB.
One security issue has been found in a compression library libz-mingw-w64. Danilo Ramos discovered that incorrect memory handling in
In ecdsautils, a collection of ECDSA elliptic curve cryptography command line tools, an improper verification of cryptographic signatures was detected. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures.
Multiple security issues were discovered in mruby, a lightweight implementation of the Ruby language. CVE-2017-9527
Smarty3, a template engine for PHP, allowed template authors to run restricted static PHP methods. The same authors could also run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user-provided data to the math function, remote users were able to run arbitrary PHP
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.
Several issues were discovered in OpenVPN, a Virtual Private Network server and client, that could lead to authentication bypass when using deferred auth plugins.
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module, parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.