Debian LTS Linux Distribution - Page 46.75
Find the information you need for your favorite open source distribution.
Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code, spoofing, information disclosure, downgrade attacks on SMTP STARTTLS connections or misleading display of OpenPGP/MIME signatures.
Past security updates of Salt, a remote execution manager, introduced regressions for which follow-up fixes were published: CVE-2020-16846 regression
In the download utility aria2, the --log option leaked HTTP user credentials into the local log file. For Debian 9 stretch, this problem has been fixed in version
A stack overflow due to infinite recursion was fixed in agg, the Anti-Grain Geometry graphical toolkit. For Debian 9 stretch, this problem has been fixed in version
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.
Apache Log4j2, a Java Logging Framework, is vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote
Several vulnerabilities have been fixed in the AdvanceCOMP recompression utilities. CVE-2018-1056
The regression of postgresql-9.6-postgis-2.3-scripts being empty in 2.3.1+dfsg-2+deb9u1 has been fixed. For Debian 9 stretch, this problem has been fixed in version
Jan-Niklas Sohn discovered that multiple input validation failures in X server extensions of the X.org X server may result in privilege escalation if the X server is running privileged.
Access to IMAP mailboxes through running imapd over rsh and ssh is now disabled by default in uw-imap, the University of Washington IMAP Toolkit. Code using the library can enable it with tcp_parameters() after making sure that the IMAP server name is sanitized.
It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting and SQL injection attacks, or execute arbitrary code.
In ruby-haml, which is an elegant, structured XHTML/XML templating engine, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to
Two vulnerabilities were fixed in the reSIProcate SIP stack. CVE-2017-11521
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.
A couple of vulnerabilities were found in python-gnupg, a Python wrapper for the GNU Privacy Guard. CVE-2018-12020
A couple of vulnerabilities were found in paramiko, an implementation of the SSHv2 protocol in Python. CVE-2018-1000805
An XSS vulnerability was discovered in noVNC, an HTML5 VNC client, in which the remote VNC server could inject arbitrary HTML into the noVNC web page via the messages propagated to the status field, such as the VNC server name.
A cookie prefix spoofing vulnerability in CGI::Cookie.parse and a regular expression denial of service vulnerability (ReDoS) on date parsing methods were discovered in src:ruby2.1, the Ruby interpreter.
The python-rdflib-tools package (tools for converting to and from RDF) had wrappers that could load Python modules from the current working directory, allowing code injection.
In PostGIS, which adds support for geographic objects to the PostgreSQL database, denial of service via crafted ST_AsX3D function input was fixed.