Debian Beveiliging

Debian Security Advisories

DSA-4764 inspircd – security update

18 September 2020, 12:00 am

Two security issues were discovered in the pgsql and mysql modules of
the InspIRCd IRC daemon, which could result in denial of service.

Ervin Hegedues discovered that ModSecurity v3 enabled global regular
expression matching which could result in denial of service. For
additional information please refer to
https://coreruleset.org/20200914/cve-2020-15598/

DSA-4763 teeworlds – security update

14 September 2020, 12:00 am

It was discovered that insufficient sanitising of received network
packets in the game server of Teeworlds, an online multi-player platform
2D shooter, could result in denial of service.

DSA-4761 zeromq3 – security update

7 September 2020, 12:00 am

It was discovered that ZeroMQ, a lightweight messaging kernel library
does not properly handle connecting peers before a handshake is
completed. A remote, unauthenticated client connecting to an application
using the libzmq library, running with a socket listening with CURVE
encryption/authentication enabled can take advantage of this flaw to
cause a denial of service affecting authenticated and encrypted clients.

It was discovered that the default configuration files for running the
Lemonldap::NG Web SSO system on the Nginx web server were susceptible
to authorisation bypass of URL access rules. The Debian packages do not
use Nginx by default.

DSA-4760 qemu – security update

6 September 2020, 12:00 am

Multiple security issues were discovered in QEMU, a fast processor
emulator:

Several vulnerabilities have been discovered in the X.Org X server.
Missing input sanitising in X server extensions may result in local
privilege escalation if the X server is configured to run with root
privileges. In addition an ASLR bypass was fixed.

DSA-4759 ark – security update

4 September 2020, 12:00 am

Fabian Vogt reported that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives
with symlinks writing outside the extraction directory.

Several vulnerabilities have been found in the Apache HTTPD server.

Multiple security issues have been found in Thunderbird which could
result in the execution of arbitrary code or the unintended installation
of extensions.

Multiple security issues were found in the OpenEXR image library, which
could result in denial of service and potentially the execution of
arbitrary code when processing malformed EXR image files.

DSA-4753 mupdf – security update

29 August 2020, 12:00 am

A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight
PDF viewer, which may result in denial of service or the execution of
arbitrary code if a malformed PDF file is opened.

Faidon Liambotis discovered that Lilypond, a program for typesetting
sheet music, did not restrict the inclusion of Postscript and SVG
commands when operating in safe mode, which could result in the
execution of arbitrary code when rendering a typesheet file with
embedded Postscript code.

DSA-4751 squid – security update

27 August 2020, 12:00 am

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache, which could result in request splitting, request smuggling
(leading to cache poisoning) and denial of service when processing
crafted cache digest responses messages.

DSA-4752 bind9 – security update

27 August 2020, 12:00 am

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or unintended or malicious extensions being installed.

DSA-4750 nginx – security update

26 August 2020, 12:00 am

It was reported that the Lua module for Nginx, a high-performance web
and reverse proxy server, is prone to a HTTP request smuggling
vulnerability.

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.

A directory traversal vulnerability was discovered in Icinga Web 2, a
web interface for Icinga, which could result in the disclosure of files
readable by the process.