Several issues were found in Redmine, a project management web application, which could lead to cross-site scripting, information disclosure, and reading arbitrary files from the server.

For Debian 9 stretch, these problems have been fixed in version 3.3.1-4+deb9u4.

We recommend that you upgrade your redmine packages.

For the detailed security status of redmine please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/redmine

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.

One security issue has been discovered in libgetdata

CVE-2021-20204

A heap memory corruption problem (use after free) can be triggered when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library.

For Debian 9 stretch, this problem has been fixed in version 0.9.4-1+deb9u1.

We recommend that you upgrade your libgetdata packages.

For the detailed security status of libgetdata please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libgetdata

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2018-10196

NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library allows remote attackers to cause a denial of service (application crash) via a crafted file.

CVE-2020-18032

A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.

For Debian 9 stretch, these problems have been fixed in version 2.38.0-17+deb9u1.

We recommend that you upgrade your graphviz packages.

For the detailed security status of graphviz please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/graphviz

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.

It was discovered that there was a potential memory corruption vulnerability in the lz4 compression algorithm library.

For Debian 9 'Stretch', this problem has been fixed in version 0.0~r131-2+deb9u1.

We recommend that you upgrade your lz4 packages.

For the detailed security status of lz4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lz4

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2021-22885

There is a possible information disclosure/unintended method execution vulnerability in Action Pack when using the `redirect_to` or `polymorphic_url` helper with untrusted user input.

CVE-2021-22904

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.

For Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rails

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that composer, a dependency manager for PHP, did not properly sanitize Mercurial URLs, which could lead to arbitrary code execution.

For Debian 9 stretch, this problem has been fixed in version 1.2.2-1+deb9u1.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/composer

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jemery Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.

For Debian 9 stretch, this problem has been fixed in version 1.3.13-2+deb9u1.

We recommend that you upgrade your hivex packages.

For the detailed security status of hivex please refer to its security tracker page at: https://security-tracker.debian.org/tracker/hivex

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Jeremy Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, which could cause denial of service via application crash when parsing specially crafted files.

For Debian 9 stretch, these problems have been fixed in version 2.9.4+dfsg1-2.2+deb9u4.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.

Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt

For Debian 9 stretch, these problems have been fixed in version 4.89-2+deb9u8.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The patch from latest upstream release to address CVE-2021-30152 was not portable to stretch-security version causing MediaWiki APIs to fail. This update includes a patch from upstream REL_31 release which fix the issue. 

For Debian 9 stretch, this problem has been fixed in version 1:1.27.7-1~deb9u9.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several security vulnerabilities have been discovered in Unbound, a validating, recursive, caching DNS resolver, by security researchers of X41 D-SEC located in Aachen, Germany. Integer overflows, assertion failures, an out-of-bound write and an infinite loop vulnerability may lead to a denial of service or have a negative impact on data confidentiality.

For Debian 9 stretch, these problems have been fixed in version 1.9.0-2+deb10u2~deb9u2.

We recommend that you upgrade your unbound1.9 packages.

For the detailed security status of unbound1.9 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/unbound1.9

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that there was potential directory-traversal vulnerability in Django, a popular Python-based web development framework.

The MultiPartParser, UploadedFile and FieldFile classes allowed directory-traversal via uploaded files with suitably crafted file names. In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments are rejected.

For Debian 9 'Stretch', this problem has been fixed in version 1:1.10.7-2+deb9u13.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.

Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2021-25214

Greg Kuechle discovered that a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service.

CVE-2021-25215

Siva Kakarla discovered that named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.

CVE-2021-25216

It was discovered that the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.

For Debian 9 stretch, these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u9.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Four security issues have been discovered in cgal. A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL.

CVE-2020-28601

An oob read vulnerability exists in Nef_2/PM_io_parser.h PM_io_parser::read_vertex() Face_of[] OOB read. An attacker can provide malicious input to trigger this vulnerability.

CVE-2020-28636

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->twin() An attacker can provide malicious input to trigger this vulnerability.

CVE-2020-35628

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sloop() slh->incident_sface. An attacker can provide malicious input to trigger this vulnerability.

CVE-2020-35636

An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() sfh->volume(). An attacker can provide malicious input to trigger this vulnerability.

For Debian 9 stretch, these problems have been fixed in version 4.9-1+deb9u1.

We recommend that you upgrade your cgal packages.

For the detailed security status of cgal please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cgal

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2021-21227     Gengming Liu discovered a data validation issue in the     v8 JavaScript library.

  - CVE-2021-21228     Rob Wu discovered a policy enforcement error.

  - CVE-2021-21229     Mohit Raj discovered a user interface error in the file     downloader.

  - CVE-2021-21230     Manfred Paul discovered use of an incorrect type.

  - CVE-2021-21231     Sergei Glazunov discovered a data validation issue in     the v8 JavaScript library.

  - CVE-2021-21232     Abdulrahman Alqabandi discovered a use-after-free issue     in the developer tools.

  - CVE-2021-21233     Omair discovered a buffer overflow issue in the ANGLE     library.

One security issue has been discovered in subversion :

CVE-2020-17525 :

Subversion's mod_authz_svn module will crash if the server is using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option and a client sends a request for a non-existing repository URL.
This can lead to disruption for users of the service.

For Debian 9 stretch, this problem has been fixed in version 1.9.5-1+deb9u6.

We recommend that you upgrade your subversion packages.

For the detailed security status of subversion please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/subversion

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that libhibernate3-java, a powerful, high performance object/relational persistence and query service, is prone to a SQL injection vulnerability allowing an attacker to access unauthorized information or possibly conduct further attacks.

Several vulnerabilities were discovered in BIND, a DNS server implementation.

  - CVE-2021-25214     Greg Kuechle discovered that a malformed incoming IXFR     transfer could trigger an assertion failure in named,     resulting in denial of service.

  - CVE-2021-25215     Siva Kakarla discovered that named could crash when a     DNAME record placed in the ANSWER section during DNAME     chasing turned out to be the final answer to a client     query.

  - CVE-2021-25216     It was discovered that the SPNEGO implementation used by     BIND is prone to a buffer overflow vulnerability. This     update switches to use the SPNEGO implementation from     the Kerberos libraries.

It was discovered that composer, a dependency manager for PHP, did not properly sanitize Mercurial URLs, which could lead to arbitrary code execution.

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

For Debian 9 stretch, these problems have been fixed in version 0~20161202.7bbe0b3e-1+deb9u2.

We recommend that you upgrade your edk2 packages.

For the detailed security status of edk2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/edk2

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2021-21201     Gengming Liu and Jianyu Chen discovered a use-after-free     issue.

  - CVE-2021-21202     David Erceg discovered a use-after-free issue in     extensions.

  - CVE-2021-21203     asnine discovered a use-after-free issue in     Blink/Webkit.

  - CVE-2021-21204     Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander     discovered a use-after-free issue in Blink/Webkit.

  - CVE-2021-21205     Alison Huffman discovered a policy enforcement error.

  - CVE-2021-21207     koocola and Nan Wang discovered a use-after-free in the     indexed database.

  - CVE-2021-21208     Ahmed Elsobky discovered a data validation error in the     QR code scanner.

  - CVE-2021-21209     Tom Van Goethem discovered an implementation error in     the Storage API.

  - CVE-2021-21210     @bananabr discovered an error in the networking     implementation.

  - CVE-2021-21211     Akash Labade discovered an error in the navigation     implementation.

  - CVE-2021-21212     Hugo Hue and Sze Yui Chau discovered an error in the     network configuration user interface.

  - CVE-2021-21213     raven discovered a use-after-free issue in the WebMIDI     implementation.

  - CVE-2021-21214     A use-after-free issue was discovered in the networking     implementation.

  - CVE-2021-21215     Abdulrahman Alqabandi discovered an error in the     Autofill feature.

  - CVE-2021-21216     Abdulrahman Alqabandi discovered an error in the     Autofill feature.

  - CVE-2021-21217     Zhou Aiting discovered use of uninitialized memory in     the pdfium library.

  - CVE-2021-21218     Zhou Aiting discovered use of uninitialized memory in     the pdfium library.

  - CVE-2021-21219     Zhou Aiting discovered use of uninitialized memory in     the pdfium library.

  - CVE-2021-21221     Guang Gong discovered insufficient validation of     untrusted input.

  - CVE-2021-21222     Guang Gong discovered a buffer overflow issue in the v8     JavaScript library.

  - CVE-2021-21223     Guang Gong discovered an integer overflow issue.

  - CVE-2021-21224     Jose Martinez discovered a type error in the v8     JavaScript library.

  - CVE-2021-21225     Brendon Tiszka discovered an out-of-bounds memory access     issue in the v8 JavaScript library.

  - CVE-2021-21226     Brendon Tiszka discovered a use-after-free issue in the     networking implementation.

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For Debian 9 stretch, this problem has been fixed in version 1.10.4-1+deb9u1.

We recommend that you upgrade your gst-plugins-ugly1.0 packages.

For the detailed security status of gst-plugins-ugly1.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-ugly1.0

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the Shibboleth Service Provider is prone to a NULL pointer dereference flaw in the cookie-based session recovery feature. A remote, unauthenticated attacker can take advantage of this flaw to cause a denial of service (crash in the shibd daemon/service).

For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20210426.txt

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For Debian 9 stretch, this problem has been fixed in version 1.10.4-1+deb9u1.

We recommend that you upgrade your gst-libav1.0 packages.

For the detailed security status of gst-libav1.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gst-libav1.0

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For Debian 9 stretch, this problem has been fixed in version 1.10.4-1+deb9u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For Debian 9 stretch, this problem has been fixed in version 1.10.4-1+deb9u2.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

Multiple security vulnerabilities were found in Jackson Databind.

CVE-2020-24616

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2020-24750

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2020-25649

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVE-2020-35490

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35728

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVE-2020-36179

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36184

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36185

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36186

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36188

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.

CVE-2020-36189

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.

CVE-2021-20190

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing.
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

For Debian 9 stretch, these problems have been fixed in version 2.8.6-1+deb9u9.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions.

For Debian 9 stretch, these problems have been fixed in version 8u292-b10-0+deb8u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-8

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Drupal project identified a vulnerability in the sanitization performed in the _filter_xss_arttributes function, potentially allowing a cross-site scripting, and granted it the Drupal Security Advisory ID SA-CORE-2021-002 :

https://www.drupal.org/sa-core-2021-002

No CVE number has been announced.

For Debian 9 'Stretch', the fix to this issue was backported in version 7.52-2+deb9u15.

We recommend you upgrade your drupal7 package.

For detailed security status of drupal7, please refer to its security tracker page :

https://security-tracker.debian.org/tracker/source-package/drupal7

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that OpenDMARC, a milter implementation of DMARC, has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.

For Debian 9 stretch, this problem has been fixed in version 1.3.2-2+deb9u3.

We recommend that you upgrade your opendmarc packages.

For the detailed security status of opendmarc please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/opendmarc

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the OpenJDK Java platform incompletely enforced configuration settings used in Jar signing verifications.

A use-after-free vulnerability was found in the Matroska plugin of the the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For Debian 9 stretch, this problem has been fixed in version 1.10.4-1+deb9u1.

We recommend that you upgrade your gst-plugins-good1.0 packages.

For the detailed security status of gst-plugins-good1.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, privilege escalation or spoofing.

For Debian 9 stretch, these problems have been fixed in version 78.10.0esr-1~deb9u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities were discovered in libspring-java, a modular Java/J2EE application framework. An attacker may execute code, perform XST attack, issue unauthorized cross-domain requests or cause a DoS (denial of service) in specific configurations.

CVE-2018-1270

Spring Framework allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

CVE-2018-11039

Spring Framework allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

CVE-2018-11040

Spring Framework allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the 'jsonp' and 'callback' JSONP parameters, enabling cross-domain requests.

CVE-2018-15756

Spring Framework provides support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack.

For Debian 9 stretch, these problems have been fixed in version 4.3.5-1+deb9u1.

We recommend that you upgrade your libspring-java packages.

For the detailed security status of libspring-java please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libspring-java

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue has been found in pjproject, a set of libraries for the PJ Project. Due to bad handling of two consecutive crafted answers to an INVITE, the attacker is able to crash the server resulting in a denial of service.

For Debian 9 stretch, this problem has been fixed in version 2.5.5~dfsg-6+deb9u2.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in wpa_supplicant and hostapd.

  - CVE-2020-12695     It was discovered that hostapd does not properly handle     UPnP subscribe messages under certain conditions,     allowing an attacker to cause a denial of service.

  - CVE-2021-0326     It was discovered that wpa_supplicant does not properly     process P2P (Wi-Fi Direct) group information from active     group owners. An attacker within radio range of the     device running P2P could take advantage of this flaw to     cause a denial of service or potentially execute     arbitrary code.

  - CVE-2021-27803     It was discovered that wpa_supplicant does not properly     process P2P (Wi-Fi Direct) provision discovery requests.
    An attacker within radio range of the device running P2P     could take advantage of this flaw to cause a denial of     service or potentially execute arbitrary code.

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.
In adddition a number of security issues were addressed in the OpenPGP support.

For Debian 9 stretch, these problems have been fixed in version 1:78.10.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.
In addition a number of security issues were addressed in the OpenPGP support.

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform XML External Entity (XXE) attacks, and access private content.

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, privilege escalation or spoofing.

ID	Name	Severity
149492	Debian DLA-2658-1 : redmine security update	high
149490	Debian DSA-4915-1 : postgresql-11 - security update	high
149488	Debian DLA-2660-1 : libgetdata security update	high
149485	Debian DLA-2659-1 : graphviz security update	high
149482	Debian DSA-4914-1 : graphviz - security update	high
149460	Debian DLA-2657-1 : lz4 security update	high
149427	Debian DLA-2655-1 : rails security update	high
149426	Debian DLA-2654-1 : composer security update	medium
149423	Debian DLA-2656-1 : hivex security update	high
149373	Debian DSA-4913-1 : hivex - security update	high
149372	Debian DLA-2653-1 : libxml2 security update	high
149345	Debian DLA-2650-1 : exim4 security update	high
149344	Debian DLA-2648-2 : mediawiki regression update	medium
149342	Debian DLA-2652-1 : unbound1.9 security update	high
149339	Debian DLA-2651-1 : python-django security update	medium
149275	Debian DSA-4912-1 : exim4 - security update	high
149262	Debian DLA-2647-1 : bind9 security update	medium
149261	Debian DLA-2649-1 : cgal security update	high
149250	Debian DSA-4911-1 : chromium - security update	medium
149246	Debian DLA-2646-1 : subversion security update	medium
149232	Debian DSA-4908-1 : libhibernate3-java - security update	medium
149229	Debian DSA-4909-1 : bind9 - security update	medium
149219	Debian DSA-4907-1 : composer - security update	medium
149218	Debian DSA-4910-1 : libimage-exiftool-perl - security update	medium
149103	Debian DLA-2645-1 : edk2 security update	medium
149082	Debian DSA-4906-1 : chromium - security update	medium
149040	Debian DLA-2643-1 : gst-plugins-ugly1.0 security update	high
149038	Debian DSA-4905-1 : shibboleth-sp - security update	medium
149037	Debian DLA-2644-1 : gst-libav1.0 security update	high
149036	Debian DLA-2641-1 : gst-plugins-base1.0 security update	high
149034	Debian DLA-2642-1 : gst-plugins-bad1.0 security update	high
149020	Debian DSA-4903-1 : gst-plugins-base1.0 - security update	high
149019	Debian DLA-2638-1 : jackson-databind security update	high
149017	Debian DSA-4902-1 : gst-plugins-bad1.0 - security update	high
149016	Debian DLA-2634-1 : openjdk-8 security update	medium
149015	Debian DLA-2637-1 : drupal7 security update	high
149014	Debian DLA-2639-1 : opendmarc security update	high
149011	Debian DSA-4900-1 : gst-plugins-good1.0 - security update	medium
149010	Debian DSA-4899-1 : openjdk-11 - security update	low
149009	Debian DLA-2640-1 : gst-plugins-good1.0 security update	medium
149008	Debian DLA-2633-1 : firefox-esr security update	medium
149007	Debian DSA-4901-1 : gst-libav1.0 - security update	high
149005	Debian DSA-4904-1 : gst-plugins-ugly1.0 - security update	high
149004	Debian DLA-2635-1 : libspring-java security update	high
149003	Debian DLA-2636-1 : pjproject security update	medium
148967	Debian DSA-4898-1 : wpa - security update	high
148965	Debian DLA-2632-1 : thunderbird security update	medium
148964	Debian DSA-4897-1 : thunderbird - security update	medium
148963	Debian DSA-4896-1 : wordpress - security update	medium
148932	Debian DSA-4895-1 : firefox-esr - security update	medium

Debian Local Security Checks Family for Nessus

high

high

high

high

high

high

high

medium

high

high

high

high

medium

high

medium

high

medium

high

medium

medium

medium

medium

medium

medium

medium

medium

high

medium

high

high

high

high

high

high

medium

high

high

medium

low

medium

medium

high

high

high

medium

high

medium

medium

medium

medium