Debian Linux Debian Linux OS

Do you want an email whenever new security vulnerabilities are reported in Debian Linux?

By the Year

In 2021 there have been 197 vulnerabilities in Debian Linux with an average score of 7.3 out of ten. Last year Debian Linux had 507 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Debian Linux in 2021 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2021 is greater by 0.43.

Year Vulnerabilities Average Score
2021 197 7.32
2020 507 6.89
2019 554 7.50
2018 1015 7.31

It may take a day or so for new Debian Linux vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Debian Linux Security Vulnerabilities

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile

CVE-2021-31542 7.5 - High - May 05, 2021

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names.

Unrestricted File Upload

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93

CVE-2021-21231 8.8 - High - April 30, 2021

Insufficient data validation in V8 in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Insufficient Verification of Data Authenticity

Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93

CVE-2021-21229 6.5 - Medium - April 30, 2021

Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

Origin Validation Error

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93

CVE-2021-21228 4.3 - Medium - April 30, 2021

Insufficient policy enforcement in extensions in Google Chrome prior to 90.0.4430.93 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.

AuthZ

In BIND 9.0.0 -> 9.11.29

CVE-2021-25215 7.5 - High - April 29, 2021

In BIND 9.0.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a query for a record triggering the flaw described above, the named process will terminate due to a failed assertion check. The vulnerability affects all currently maintained BIND 9 branches (9.11, 9.11-S, 9.16, 9.16-S, 9.17) as well as all other versions of BIND 9.

assertion failure

In BIND 9.5.0 -> 9.11.29

CVE-2021-25216 9.8 - Critical - April 29, 2021

In BIND 9.5.0 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.11.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch, BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built: For named binaries compiled for 64-bit platforms, this flaw can be used to trigger a buffer over-read, leading to a server crash. For named binaries compiled for 32-bit platforms, this flaw can be used to trigger a server crash due to a buffer overflow and possibly also to achieve remote code execution. We have determined that standard SPNEGO implementations are available in the MIT and Heimdal Kerberos libraries, which support a broad range of operating systems, rendering the ISC implementation unnecessary and obsolete. Therefore, to reduce the attack surface for BIND users, we will be removing the ISC SPNEGO implementation in the April releases of BIND 9.11 and 9.16 (it had already been dropped from BIND 9.17). We would not normally remove something from a stable ESV (Extended Support Version) of BIND, but since system libraries can replace the ISC SPNEGO implementation, we have made an exception in this case for reasons of stability and security.

assertion failure

In BIND 9.8.5 -> 9.8.8

CVE-2021-25214 6.5 - Medium - April 29, 2021

In BIND 9.8.5 -> 9.8.8, 9.9.3 -> 9.11.29, 9.12.0 -> 9.16.13, and versions BIND 9.9.3-S1 -> 9.11.29-S1 and 9.16.8-S1 -> 9.16.13-S1 of BIND 9 Supported Preview Edition, as well as release versions 9.17.0 -> 9.17.11 of the BIND 9.17 development branch, when a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.

assertion failure

Composer is a dependency manager for PHP

CVE-2021-29472 8.8 - High - April 27, 2021

Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.

Code Injection

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72

CVE-2021-21216 6.5 - Medium - April 26, 2021

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

Authentication Bypass by Spoofing

Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72

CVE-2021-21221 6.5 - Medium - April 26, 2021

Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

Improper Input Validation

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21219 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Information Disclosure

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21218 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Use of Uninitialized Resource

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72

CVE-2021-21217 5.5 - Medium - April 26, 2021

Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file.

Information Disclosure

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72

CVE-2021-21215 6.5 - Medium - April 26, 2021

Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page.

Authentication Bypass by Spoofing

Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21205 8.1 - High - April 26, 2021

Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

Use after free in navigation in Google Chrome prior to 90.0.4430.85

CVE-2021-21226 9.6 - Critical - April 26, 2021

Use after free in navigation in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Dangling pointer

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21225 8.8 - High - April 26, 2021

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Buffer Overflow

Type confusion in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21224 8.8 - High - April 26, 2021

Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

Object Type Confusion

Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85

CVE-2021-21223 9.6 - Critical - April 26, 2021

Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Integer Overflow or Wraparound

Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85

CVE-2021-21222 6.5 - Medium - April 26, 2021

Heap buffer overflow in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

Memory Corruption

Use after free in Network API in Google Chrome prior to 90.0.4430.72

CVE-2021-21214 8.8 - High - April 26, 2021

Use after free in Network API in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension.

Dangling pointer

Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72

CVE-2021-21213 8.8 - High - April 26, 2021

Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72

CVE-2021-21212 6.5 - Medium - April 26, 2021

Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72 allowed a remote attacker to potentially compromise WiFi connection security via a malicious WAP.

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21211 6.5 - Medium - April 26, 2021

Inappropriate implementation in Navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Origin Validation Error

Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72

CVE-2021-21210 6.5 - Medium - April 26, 2021

Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially access local UDP ports via a crafted HTML page.

Exposure of Resource to Wrong Sphere

Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72

CVE-2021-21209 6.5 - Medium - April 26, 2021

Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Origin Validation Error

Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72

CVE-2021-21208 6.5 - Medium - April 26, 2021

Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72 allowed an attacker displaying a QR code to perform domain spoofing via a crafted QR code.

Improper Input Validation

Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72

CVE-2021-21207 8.6 - High - April 26, 2021

Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

Dangling pointer

Use after free in permissions in Google Chrome prior to 90.0.4430.72

CVE-2021-21201 9.6 - Critical - April 26, 2021

Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

Dangling pointer

Use after free in Blink in Google Chrome prior to 90.0.4430.72

CVE-2021-21203 8.8 - High - April 26, 2021

Use after free in Blink in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Use after free in extensions in Google Chrome prior to 90.0.4430.72

CVE-2021-21202 8.6 - High - April 26, 2021

Use after free in extensions in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension.

Dangling pointer

Use after free in Blink in Google Chrome on OS X prior to 90.0.4430.72

CVE-2021-21204 8.8 - High - April 26, 2021

Use after free in Blink in Google Chrome on OS X prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Dangling pointer

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up

CVE-2021-22204 7.8 - High - April 23, 2021

Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image

Injection

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2021-2161 5.9 - Medium - April 22, 2021

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. It can also be exploited by supplying untrusted data to APIs in the specified Component. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries)

CVE-2021-2163 5.3 - Medium - April 22, 2021

Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N).

GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.

CVE-2021-3497 7.8 - High - April 19, 2021

GStreamer before 1.18.4 might access already-freed memory in error code paths when demuxing certain malformed Matroska files.

Dangling pointer

GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.

CVE-2021-3498 7.8 - High - April 19, 2021

GStreamer before 1.18.4 might cause heap corruption when parsing certain malformed Matroska files.

Buffer Overflow

Wordpress is an open source CMS

CVE-2021-29450 4.3 - Medium - April 15, 2021

Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. This has been patched in WordPress 5.7.1, along with the older affected versions via minor releases. It's strongly recommended that you keep auto-updates enabled to receive the fix.

Information Disclosure

An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30152 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level than they currently have permissions for.

Incorrect Permission Assignment for Critical Resource

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30155 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page.

AuthZ

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30159 4.3 - Medium - April 09, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Users can bypass intended restrictions on deleting pages in certain "fast double move" situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but it's only called if Title::getArticleID() returns non-zero with no special flags. Next, MovePage::moveToInternal() will delete the page if getArticleID(READ_LATEST) is non-zero. Therefore, if the page is missing in the replica DB, isValidMove() will return true, and then moveToInternal() will unconditionally delete the page if it can be found in the master.

A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could

CVE-2021-1405 7.5 - High - April 08, 2021

A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in an NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.

Classic Buffer Overflow

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser

CVE-2021-28658 5.3 - Medium - April 06, 2021

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were not affected by this vulnerability.

Directory traversal

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30157 6.1 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.

XSS

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30158 5.3 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. Blocked users are unable to use Special:ResetTokens. This has security relevance because a blocked user might have accidentally shared a token, or might know that a token has been compromised, and yet is not able to block any potential future use of the token by an unauthorized party.

authentification

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2

CVE-2021-30154 6.1 - Medium - April 06, 2021

An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On Special:NewFiles, all the mediastatistics-header-* messages are output in HTML unescaped, leading to XSS.

XSS

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier

CVE-2021-20307 9.8 - Critical - April 05, 2021

Format string vulnerability in panoFileOutputNamesCreate() in libpano13 2.9.20~rc2+dfsg-3 and earlier can lead to read and write arbitrary memory values.

Use of Externally-Controlled Format String

Netty is an open-source

CVE-2021-21409 5.9 - Medium - March 30, 2021

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

HTTP Request Smuggling

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection

CVE-2021-23358 7.2 - High - March 29, 2021

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Code Injection

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client

CVE-2021-3449 5.9 - Medium - March 25, 2021

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

NULL Pointer Dereference

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21344 9.8 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21343 7.5 - High - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21342 9.1 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

XSPA

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21341 7.5 - High - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Resource Exhaustion

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21351 9.1 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21350 9.8 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21348 7.5 - High - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Resource Exhaustion

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21346 9.8 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21349 8.6 - High - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

XSPA

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21347 9.8 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Marshaling, Unmarshaling

XStream is a Java library to serialize objects to XML and back again

CVE-2021-21345 9.9 - Critical - March 23, 2021

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Code Injection

Shibboleth Service Provider before 3.2.1

CVE-2021-28963 5.3 - Medium - March 22, 2021

Shibboleth Service Provider before 3.2.1 allows content injection because template generation uses attacker-controlled parameters.

Injection

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3

CVE-2021-28957 6.1 - Medium - March 21, 2021

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.

XSS

An issue was discovered in the Linux kernel before 5.11.8

CVE-2020-27171 6 - Medium - March 20, 2021

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

off-by-five

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes

CVE-2021-28834 9.8 - Critical - March 19, 2021

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4

CVE-2020-25097 8.6 - High - March 19, 2021

An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. Due to improper input validation, it allows a trusted client to perform HTTP Request Smuggling and access services otherwise forbidden by the security controls. This occurs for certain uri_whitespace configuration settings.

HTTP Request Smuggling

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37

CVE-2021-27928 7.2 - High - March 19, 2021

A remote code execution issue was discovered in MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL. An untrusted search path leads to eval injection, in which a database SUPER user can execute OS commands after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not affect an Oracle product.

Shell injection

The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty

CVE-2017-20002 7.8 - High - March 17, 2021

The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.

Improper Privilege Management

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions

CVE-2021-28374 7.5 - High - March 15, 2021

The Debian courier-authlib package before 0.71.1-2 for Courier Authentication Library creates a /run/courier/authdaemon directory with weak permissions, allowing an attacker to read user information. This may include a cleartext password in some configurations. In general, it includes the user's existence, uid and gids, home and/or Maildir directory, quota, and some type of password information (such as a hash).

Cleartext Storage of Sensitive Information

Leptonica before 1.80.0

CVE-2020-36281 7.5 - High - March 12, 2021

Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFewColorsOctcubeQuantMixed in colorquant1.c.

Out-of-bounds Read

Leptonica before 1.80.0

CVE-2020-36278 7.5 - High - March 12, 2021

Leptonica before 1.80.0 allows a heap-based buffer over-read in findNextBorderPixel in ccbord.c.

Out-of-bounds Read

Leptonica before 1.80.0

CVE-2020-36279 7.5 - High - March 12, 2021

Leptonica before 1.80.0 allows a heap-based buffer over-read in rasteropGeneralLow, related to adaptmap_reg.c and adaptmap.c.

Out-of-bounds Read

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux

CVE-2021-21381 8.2 - High - March 11, 2021

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In Flatpack since version 0.9.4 and before version 1.10.2 has a vulnerability in the "file forwarding" feature which can be used by an attacker to gain access to files that would not ordinarily be allowed by the app's permissions. By putting the special tokens `@@` and/or `@@u` in the Exec field of a Flatpak app's .desktop file, a malicious app publisher can trick flatpak into behaving as though the user had chosen to open a target file with their Flatpak app, which automatically makes that file available to the Flatpak app. This is fixed in version 1.10.2. A minimal solution is the first commit "`Disallow @@ and @@U usage in desktop files`". The follow-up commits "`dir: Reserve the whole @@ prefix`" and "`dir: Refuse to export .desktop files with suspicious uses of @@ tokens`" are recommended, but not strictly required. As a workaround, avoid installing Flatpak apps from untrusted sources, or check the contents of the exported `.desktop` files in `exports/share/applications/*.desktop` (typically `~/.local/share/flatpak/exports/share/applications/*.desktop` and `/var/lib/flatpak/exports/share/applications/*.desktop`) to make sure that literal filenames do not follow `@@` or `@@u`.

Injection

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container

CVE-2020-13936 8.8 - High - March 10, 2021

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL

CVE-2020-13959 6.1 - Medium - March 10, 2021

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to execute arbitrary JavaScript in the context of the attacked website and the attacked user. This can be abused to steal session cookies, perform requests in the name of the victim or for phishing attacks.

XSS

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file

CVE-2020-35523 7.8 - High - March 09, 2021

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Integer Overflow or Wraparound

A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool

CVE-2020-35524 7.8 - High - March 09, 2021

A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Buffer Overflow

A flaw was found in ImageMagick in MagickCore/visual-effects.c

CVE-2021-20244 5.5 - Medium - March 09, 2021

A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Divide By Zero

A flaw was found in ImageMagick in MagickCore/resample.c

CVE-2021-20246 5.5 - Medium - March 09, 2021

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Divide By Zero

A flaw was found in ImageMagick in coders/jp2.c

CVE-2021-20241 5.5 - Medium - March 09, 2021

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability.

Divide By Zero

A flaw was found in privoxy before 3.0.32

CVE-2021-20272 7.5 - High - March 09, 2021

A flaw was found in privoxy before 3.0.32. An assertion failure could be triggered with a crafted CGI request leading to server crash.

assertion failure

A flaw was found in privoxy before 3.0.32

CVE-2021-20273 7.5 - High - March 09, 2021

A flaw was found in privoxy before 3.0.32. A crash can occur via a crafted CGI request if Privoxy is toggled off.

Improper Input Validation

A flaw was found in privoxy before 3.0.32

CVE-2021-20275 7.5 - High - March 09, 2021

A flaw was found in privoxy before 3.0.32. A invalid read of size two may occur in chunked_body_is_complete() leading to denial of service.

Buffer Overflow

A flaw was found in privoxy before 3.0.32

CVE-2021-20276 7.5 - High - March 09, 2021

A flaw was found in privoxy before 3.0.32. Invalid memory access with an invalid pattern passed to pcre_compile() may lead to denial of service.

Buffer Overflow

An issue was discovered in the Linux kernel through 5.11.3

CVE-2021-27364 7.1 - High - March 07, 2021

An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages.

Out-of-bounds Read

An issue was discovered in the Linux kernel through 5.11.3

CVE-2021-27365 7.8 - High - March 07, 2021

An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message.

Memory Corruption

An issue was discovered in the Linux kernel through 5.11.3

CVE-2021-27363 4.4 - Medium - March 07, 2021

An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables.

An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV

CVE-2021-28038 6.5 - Medium - March 05, 2021

An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931.

Allocation of Resources Without Limits or Throttling

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body

CVE-2021-25122 7.5 - High - March 01, 2021

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Information Disclosure

The fix for CVE-2020-9484 was incomplete

CVE-2021-25329 7 - High - March 01, 2021

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests

CVE-2021-27803 7.5 - High - February 26, 2021

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7

CVE-2021-23978 8.8 - High - February 26, 2021

Mozilla developers reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python

CVE-2021-21330 6.1 - Medium - February 26, 2021

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the `aiohttp.web_middlewares.normalize_path_middleware` middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using `aiohttp.web_middlewares.normalize_path_middleware` in your applications.

Open Redirect

If Content Security Policy blocked frame navigation

CVE-2021-23968 4.3 - Medium - February 26, 2021

If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

Generation of Error Message Containing Sensitive Information

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure

CVE-2021-23969 4.3 - Medium - February 26, 2021

As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If thats not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of

CVE-2021-23973 6.5 - Medium - February 26, 2021

When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. This vulnerability affects Firefox < 86, Thunderbird < 78.8, and Firefox ESR < 78.8.

Generation of Error Message Containing Sensitive Information

A flaw was found in mupdf 1.18.0

CVE-2021-3407 5.5 - Medium - February 23, 2021

A flaw was found in mupdf 1.18.0. Double free of object during linearization may lead to memory corruption and other potential consequences.

Double-free

A flaw was found in libcaca v0.99.beta19

CVE-2021-3410 7.8 - High - February 23, 2021

A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.

Buffer Overflow

In ImageMagick, there is an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h

CVE-2020-27768 3.3 - Low - February 23, 2021

In ImageMagick, there is an outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h. This flaw affects ImageMagick versions prior to 7.0.9-0.

Integer Overflow or Wraparound

Smarty before 3.1.39

CVE-2021-26119 7.5 - High - February 22, 2021

Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_object can be accessed in sandbox mode.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by Debian? Click the Watch button to subscribe.

subscribe