Debian Security

Debian Security Advisories

Matthew Wild discovered that the WebSockets code in Prosody, a
lightweight Jabber/XMPP server, was susceptible to denial of service.

It was discovered that the libreswan IPsec implementation could be
forced into a crash/restart via a malformed IKEv1 packet, resulting in
denial of service.

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary code,
information disclosure, denial of service or spoofing.

Several vulnerabilities have been discovered in Epiphany, the GNOME web
browser, allowing XSS attacks under certain circumstances.

DSA-5043 lxml – security update

12 January 2022, 12:00 am

It was discovered that lxml, a Python binding for the libxml2 and
libxslt libraries, does not properly sanitize its input, which could
lead to cross-site scripting.

Several vulnerabilities were discovered in WordPress, a web blogging
tool. They allowed remote attackers to perform SQL injection, run
unchecked SQL queries, bypass hardening, or perform Cross-Site
Scripting (XSS) attacks.

An out-of-bounds memory access was discovered in the mod_extforward plugin of
the lighttpd web server, which may result in denial of service.

DSA-5041 cfrpki – security update

11 January 2022, 12:00 am

Multiple vulnerabilities were discovered in Cloudflare’s RPKI validator,
which could result in denial of service or path traversal.

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize HTML
messages. This would allow an attacker to perform Cross-Site Scripting
(XSS) attacks.

It was discovered that sphinxsearch, a fast standalone full-text SQL
search engine, could allow arbitrary files to be read by abusing a
configuration option.

Two vulnerabilities have been discovered in the Apache HTTP server:

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code, spoofing, information disclosure,
downgrade attacks on SMTP STARTTLS connections or misleading display of
OpenPGP/MIME signatures.

Multiple vulnerabilities were discovered in the FORT RPKI validator, which
could result in denial of service or path traversal.

Several vulnerabilities were discovered in djvulibre, a library and
set of tools to handle documents in the DjVu format. An attacker could
crash document viewers and possibly execute arbitrary code through
crafted DjVu files.

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

The following vulnerabilities have been discovered in the wpewebkit
web engine:

DSA-5028 spip – security update

22 December 2021, 12:00 am

It was discovered that SPIP, a website engine for publishing, would
allow a malicious user to perform cross-site scripting and SQL
injection attacks, or execute arbitrary code.

DSA-5029 sogo – security update

22 December 2021, 12:00 am

It was discovered that missing SAML signature validation in the SOGo
groupware could result in impersonation attacks.

Jan-Niklas Sohn discovered that multiple input validation failures in X
server extensions of the X.org X server may result in privilege
escalation if the X server is running privileged.