The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2764 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2765 advisory.

  - Buffer overflow in the main function in jstest_main.c in Mujstest in Artifex Software, Inc. MuPDF before     1.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file.
    (CVE-2016-10246)

  - Buffer overflow in the my_getline function in jstest_main.c in Mujstest in Artifex Software, Inc. MuPDF     before 1.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file.
    (CVE-2016-10247)

  - Stack-based buffer overflow in jstest_main.c in mujstest in Artifex Software, Inc. MuPDF 1.10a allows     remote attackers to have unspecified impact via a crafted image. (CVE-2017-6060)

  - In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF parser allow an attacker to cause a denial     of service (memory leak) via a crafted file. (CVE-2018-1000036)

  - In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file. A     remote adversary could leverage this vulnerability to cause a denial of service via a crafted pdf file.
    (CVE-2018-10289)

  - Artifex MuPDF before 1.18.0 has a heap based buffer over-write in tiff_expand_colormap() function when     parsing TIFF files allowing attackers to cause a denial of service. (CVE-2020-19609)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4975 advisory.

  - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and     iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code     execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2021-30858)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2763 advisory.

  - In Kaminari before 1.2.1, there is a vulnerability that would allow an attacker to inject arbitrary code     into pages with pagination links. This has been fixed in 1.2.1. (CVE-2020-11082)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4976 advisory.

  - A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and     iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code     execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2021-30858)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2762 advisory.

  - In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the     SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is     similar to CVE-2016-20011. (CVE-2021-39365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4973 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4977 advisory.

  - IOMMU page mapping issues on x86 T[his CNA information record relates to multiple CVEs; the text explains     which aspects/vulnerabilities correspond to which CVE.] Both AMD and Intel allow ACPI tables to specify     regions of memory which should be left untranslated, which typically means these addresses should pass the     translation phase unaltered. While these are typically device specific ACPI properties, they can also be     specified to apply to a range of devices, or even all devices. On all systems with such regions Xen failed     to prevent guests from undoing/replacing such mappings (CVE-2021-28694). On AMD systems, where a     discontinuous range is specified by firmware, the supposedly-excluded middle range will also be identity-     mapped (CVE-2021-28695). Further, on AMD systems, upon de-assigment of a physical device from a guest, the     identity mappings would be left in place, allowing a guest continued access to ranges of memory which it     shouldn't have access to anymore (CVE-2021-28696). (CVE-2021-28694, CVE-2021-28695, CVE-2021-28696)

  - grant table v2 status pages may remain accessible after de-allocation Guest get permitted access to     certain Xen-owned pages of memory. The majority of such pages remain allocated / associated with a guest     for its entire lifetime. Grant table v2 status pages, however, get de-allocated when a guest switched     (back) from v2 to v1. The freeing of such pages requires that the hypervisor know where in the guest these     pages were mapped. The hypervisor tracks only one use within guest space, but racing requests from the     guest to insert mappings of these pages may result in any of them to become mapped in multiple locations.
    Upon switching back from v2 to v1, the guest would then retain access to a page that was freed and perhaps     re-used for other purposes. (CVE-2021-28697)

  - long running loops in grant table handling In order to properly monitor resource use, Xen maintains     information on the grant mappings a domain may create to map grants offered by other domains. In the     process of carrying out certain actions, Xen would iterate over all such entries, including ones which     aren't in use anymore and some which may have been created but never used. If the number of entries for a     given domain is large enough, this iterating of the entire table may tie up a CPU for too long, starving     other domains or causing issues in the hypervisor itself. Note that a domain may map its own grants, i.e.
    there is no need for multiple domains to be involved here. A pair of cooperating guests may, however,     cause the effects to be more severe. (CVE-2021-28698)

  - inadequate grant-v2 status frames array bounds check The v2 grant table interface separates grant     attributes from grant status. That is, when operating in this mode, a guest has two tables. As a result,     guests also need to be able to retrieve the addresses that the new status tracking table can be accessed     through. For 32-bit guests on x86, translation of requests has to occur because the interface structure     layouts commonly differ between 32- and 64-bit. The translation of the request to obtain the frame numbers     of the grant status table involves translating the resulting array of frame numbers. Since the space used     to carry out the translation is limited, the translation layer tells the core function the capacity of the     array within translation space. Unfortunately the core function then only enforces array bounds to be     below 8 times the specified value, and would write past the available space if enough frame numbers needed     storing. (CVE-2021-28699)

  - xen/arm: No memory limit for dom0less domUs The dom0less feature allows an administrator to create     multiple unprivileged domains directly from Xen. Unfortunately, the memory limit from them is not set.
    This allow a domain to allocate memory beyond what an administrator originally configured.
    (CVE-2021-28700)

  - Another race in XENMAPSPACE_grant_table handling Guests are permitted access to certain Xen-owned pages of     memory. The majority of such pages remain allocated / associated with a guest for its entire lifetime.
    Grant table v2 status pages, however, are de-allocated when a guest switches (back) from v2 to v1. Freeing     such pages requires that the hypervisor enforce that no parallel request can result in the addition of a     mapping of such a page to a guest. That enforcement was missing, allowing guests to retain access to pages     that were freed and perhaps re-used for other purposes. Unfortunately, when XSA-379 was being prepared,     this similar issue was not noticed. (CVE-2021-28701)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4974 advisory.

  - Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL     certificate verification when using the Register with a Provider flow. (CVE-2021-22895)

  - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients     using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint.
    In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to     previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the     data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is     fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
    (CVE-2021-32728)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2760 advisory.

  - A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions     (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being     called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to     force an invalid signature, causing an assertion failure or possible validation. The highest threat to     this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-20305)

  - A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An     attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial     of service. (CVE-2021-3580)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2761 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2759 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2758 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2757 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2754 advisory.

  - An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the     application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
    (CVE-2021-39371)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2756 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4972 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4969 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-4970 advisory.

  - An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into     any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing     whether that address was subscribed in the first place. (CVE-2021-40347)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4971 advisory.

  - In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute is supplied to the function     ntfs_get_attribute_value, a heap buffer overflow can occur allowing for memory disclosure or denial of     service. The vulnerability is caused by an out-of-bound buffer access which can be triggered by mounting a     crafted ntfs partition. The root cause is a missing consistency check after reading an MFT record : the     bytes_in_use field should be less than the bytes_allocated field. When it is not, the parsing of the     records proceeds into the wild. (CVE-2021-33285)

  - In NTFS-3G versions < 2021.8.22, when a specially crafted unicode string is supplied in an NTFS image a     heap buffer overflow can occur and allow for code execution. (CVE-2021-33286)

  - In NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function     ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of     service of the application. (CVE-2021-33287)

  - In NTFS-3G versions < 2021.8.22, when a specially crafted MFT section is supplied in an NTFS image a heap     buffer overflow can occur and allow for code execution. (CVE-2021-33289)

  - In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image     a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code     execution. (CVE-2021-35266)

  - NTFS-3G versions < 2021.8.22, a stack buffer overflow can occur when correcting differences in the MFT and     MFTMirror allowing for code execution or escalation of privileges when setuid-root. (CVE-2021-35267)

  - In NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode is loaded in the function     ntfs_inode_real_open, a heap buffer overflow can occur allowing for code execution and escalation of     privileges. (CVE-2021-35268)

  - NTFS-3G versions < 2021.8.22, when a specially crafted NTFS attribute from the MFT is setup in the     function ntfs_attr_setup_flag, a heap buffer overflow can occur allowing for code execution and escalation     of privileges. (CVE-2021-35269)

  - A crafted NTFS image can cause a NULL pointer dereference in ntfs_extent_inode_open in NTFS-3G <     2021.8.22. (CVE-2021-39251)

  - A crafted NTFS image can cause an out-of-bounds read in ntfs_ie_lookup in NTFS-3G < 2021.8.22.
    (CVE-2021-39252)

  - A crafted NTFS image can cause an out-of-bounds read in ntfs_runlists_merge_i in NTFS-3G < 2021.8.22.
    (CVE-2021-39253)

  - A crafted NTFS image can cause an integer overflow in memmove, leading to a heap-based buffer overflow in     the function ntfs_attr_record_resize, in NTFS-3G < 2021.8.22. (CVE-2021-39254)

  - A crafted NTFS image can trigger an out-of-bounds read, caused by an invalid attribute in     ntfs_attr_find_in_attrdef, in NTFS-3G < 2021.8.22. (CVE-2021-39255)

  - A crafted NTFS image can cause a heap-based buffer overflow in ntfs_inode_lookup_by_name in NTFS-3G <     2021.8.22. (CVE-2021-39256)

  - A crafted NTFS image with an unallocated bitmap can lead to a endless recursive function call chain     (starting from ntfs_attr_pwrite), causing stack consumption in NTFS-3G < 2021.8.22. (CVE-2021-39257)

  - A crafted NTFS image can cause out-of-bounds reads in ntfs_attr_find and ntfs_external_attr_find in     NTFS-3G < 2021.8.22. (CVE-2021-39258)

  - A crafted NTFS image can trigger an out-of-bounds access, caused by an unsanitized attribute length in     ntfs_inode_lookup_by_name, in NTFS-3G < 2021.8.22. (CVE-2021-39259)

  - A crafted NTFS image can cause an out-of-bounds access in ntfs_inode_sync_standard_information in NTFS-3G     < 2021.8.22. (CVE-2021-39260)

  - A crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G <     2021.8.22. (CVE-2021-39261)

  - A crafted NTFS image can cause an out-of-bounds access in ntfs_decompress in NTFS-3G < 2021.8.22.
    (CVE-2021-39262)

  - A crafted NTFS image can trigger a heap-based buffer overflow, caused by an unsanitized attribute in     ntfs_get_attribute_value, in NTFS-3G < 2021.8.22. (CVE-2021-39263)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2714 advisory.

  - fs/seq_file.c in the Linux kernel 3.16 through 5.13.x before 5.13.4 does not properly restrict seq buffer     allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an     unprivileged user, aka CID-8cae8cd89f05. (CVE-2021-33909)

  - net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from     kernel stack memory because parts of a data structure are uninitialized. (CVE-2021-34693)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2745 advisory.

  - Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption     and a potentially exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91,     Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29980)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly     considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable     crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*     This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds     read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <     78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29989)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4968 advisory.

  - An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform     an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs     and possibly other ACLs. (CVE-2021-40346)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2755 advisory.

  - Btrbk before 0.31.2 allows command execution because of the mishandling of remote hosts filtering SSH     commands using ssh_filter_btrbk.sh in authorized_keys. (CVE-2021-38173)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dsa-4967 advisory.

  - squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is     then used by unsquashfs to create the new file during the unsquash. The filename is not validated for     traversal outside of the destination directory, and thus allows writing to locations outside of the     destination. (CVE-2021-40153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2752 advisory.

  - squashfs_opendir in unsquash-1.c in Squashfs-Tools 4.5 stores the filename in the directory entry; this is     then used by unsquashfs to create the new file during the unsquash. The filename is not validated for     traversal outside of the destination directory, and thus allows writing to locations outside of the     destination. (CVE-2021-40153)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2753 advisory.

  - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a     single, large transfer request, to reduce the overhead and improve performance. The combined size of the     bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper     validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the     array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a     denial of service. (CVE-2021-3527)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the bootp_input() function and could occur while processing a udp packet that is smaller than     the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of     uninitialized heap memory from the host. The highest threat from this vulnerability is to data     confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the udp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3594)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3595)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs     when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A     malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,     resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the     host. (CVE-2021-3682)

  - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions     prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-     bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this     flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the     host. (CVE-2021-3713)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4965 advisory.

  - A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared     secrets during the lifetime of the session. One of them is called secret_hash and the other session_id.
    Initially, both of them are the same, but after key re-exchange, previous session_id is kept and used as     an input to new secret_hash. Historically, both of these buffers had shared length variable, which worked     as long as these buffers were same. But the key re-exchange operation can also change the key exchange     method, which can be based on hash of different size, eventually creating secret_hash of different size     than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used     again during second key re-exchange. (CVE-2021-3634)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2751 advisory.

  - An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a     client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was     present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL     pointer dereference will result, leading to a crash and a denial of service attack. A server is only     vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS     clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of     these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in     OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). (CVE-2021-3449)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4966 advisory.

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when decoding the atom for     the co64 FOURCC can cause an integer overflow due to unchecked arithmetic resulting in a heap-based     buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger     this vulnerability. (CVE-2021-21834)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input using the ctts FOURCC code     can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that     causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21836)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer     overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory     corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21837, CVE-2021-21838, CVE-2021-21839)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input used to process an atom using     the saio FOURCC code cause an integer overflow due to unchecked arithmetic resulting in a heap-based     buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger     this vulnerability. (CVE-2021-21840)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when reading an atom using     the 'sbgp' FOURCC code can cause an integer overflow due to unchecked arithmetic resulting in a heap-based     buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger     this vulnerability. (CVE-2021-21841)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow     when processing an atom using the 'ssix' FOURCC code, due to unchecked arithmetic resulting in a heap-     based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to     trigger this vulnerability. (CVE-2021-21842)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer     overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory     corruption. After validating the number of ranges, at [41] the library will multiply the count by the size     of the GF_SubsegmentRangeInfo structure. On a 32-bit platform, this multiplication can result in an     integer overflow causing the space of the array being allocated to be less than expected. An attacker can     convince a user to open a video to trigger this vulnerability. (CVE-2021-21843)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input when encountering an     atom using the stco FOURCC code, can cause an integer overflow due to unchecked arithmetic resulting in     a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a     video to trigger this vulnerability. (CVE-2021-21844)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsc decoder     can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that     causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21845)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stsz decoder     can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that     causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21846)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in stts decoder     can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that     causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21847)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. The library will actually reuse the parser for atoms with the     stsz FOURCC code when parsing atoms that use the stz2 FOURCC code and can cause an integer overflow     due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An     attacker can convince a user to open a video to trigger this vulnerability. (CVE-2021-21848)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow     when the library encounters an atom using the tfra FOURCC code due to unchecked arithmetic resulting in     a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a     video to trigger this vulnerability. (CVE-2021-21849)

  - An exploitable integer overflow vulnerability exists within the MPEG-4 decoding functionality of the GPAC     Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer overflow     when the library encounters an atom using the trun FOURCC code due to unchecked arithmetic resulting in     a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a     video to trigger this vulnerability. (CVE-2021-21850)

  - Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of     the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an integer     overflow due to unchecked addition arithmetic resulting in a heap-based buffer overflow that causes memory     corruption. An attacker can convince a user to open a video to trigger this vulnerability.
    (CVE-2021-21853, CVE-2021-21854, CVE-2021-21855, CVE-2021-21857, CVE-2021-21858)

  - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the     GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms     using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this     vulnerability. (CVE-2021-21859)

  - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the     GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper     memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC     code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a     video to trigger this vulnerability. (CVE-2021-21860)

  - An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the     GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a specially     crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow     that causes memory corruption. An attacker can convince a user to open a video to trigger this     vulnerability. (CVE-2021-21861)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2750 advisory.

  - In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop     and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial     of service via a crafted file. (CVE-2019-20421)

  - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata     of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow     is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially     exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a     crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less     frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2     command-line application, you need to add an extra command-line argument such as `insert`. The bug is     fixed in version v0.27.4. (CVE-2021-29457)

  - Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and     ICC image metadata. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a     command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image     files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
    An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if     they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered     when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For     example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line     argument such as `insert`. The bug is fixed in version v0.27.4. Please see our security policy for     information about Exiv2 security. (CVE-2021-29473)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-29457. Reason: This candidate is a     duplicate of CVE-2021-29457. Notes: All CVE users should reference CVE-2021-29457 instead of this     candidate. All references and descriptions in this candidate have been removed to prevent accidental     usage. (CVE-2021-31291)

  - An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based     buffer overflow and cause a denial of service (DOS) via crafted metadata. (CVE-2021-31292)

  - A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the     rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow     via a crafted JPG image containing malicious EXIF data. (CVE-2021-3482)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2749 advisory.

  - A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-     image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to     cause a crash and potentially execute arbitrary code via a crafted JPEG file. (CVE-2019-20326)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4964 advisory.

  - In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the     SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is     similar to CVE-2016-20011. (CVE-2021-39365)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4963 advisory.

  - In order to decrypt SM2 encrypted data an application is expected to call the API function     EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the     out parameter can be NULL and, on exit, the outlen parameter is populated with the buffer size     required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer     and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the out parameter. A bug     in the implementation of the SM2 decryption code means that the calculation of the buffer size required to     hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size     required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the     application a second time with a buffer that is too small. A malicious attacker who is able present SM2     content for decryption to an application could cause attacker chosen data to overflow the buffer by up to     a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing     application behaviour or causing the application to crash. The location of the buffer is application     dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).
    (CVE-2021-3711)

  - ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a     buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings     which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not     a strict requirement, ASN.1 strings that are parsed using OpenSSL's own d2i functions (and other similar     parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will     additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for     applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array     by directly setting the data and length fields in the ASN1_STRING array. This can also happen by using     the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to     assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for     strings that have been directly constructed. Where an application requests an ASN.1 structure to be     printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the     application without NUL terminating the data field, then a read buffer overrun can occur. The same thing     can also occur during name constraints processing of certificates (for example if a certificate has been     directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the     certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the     X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an     application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL     functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).
    It could also result in the disclosure of private memory contents (such as private keys, or sensitive     plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected     1.0.2-1.0.2y). (CVE-2021-3712)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-4962 advisory.

  - LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a     specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and     information disclosure. (CVE-2021-3693)

  - LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially     crafted URL to an authenticated user, this flaw can be abused for remote code execution and information     disclosure. (CVE-2021-3694)

  - LedgerSMB does not sufficiently guard against being wrapped by other sites, making it vulnerable to     'clickjacking'. This allows an attacker to trick a targetted user to execute unintended actions.
    (CVE-2021-3731)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2748 advisory.

  - In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an     e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer     over-read involving strdup. (CVE-2019-18849)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4961 advisory.

  - Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature     verification and single-signature verification, leading to a remote assertion failure, aka TROVE-2021-007.
    (CVE-2021-38385)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2747 advisory.

  - ircII before 20210314 allows remote attackers to cause a denial of service (segmentation fault and client     crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message. (CVE-2021-29376)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2742 advisory.

  - Buffer Overflow vulnerability exists in FFmpeg 4.1 via apng_do_inverse_blend in libavcodec/pngenc.c, which     could let a remote malicious user cause a Denial of Service (CVE-2020-21041)

  - Buffer Overflow vulnerability in FFmpeg 4.2 in mov_write_video_tag due to the out of bounds in     libavformat/movenc.c, which could let a remote malicious user obtain sensitive information, cause a Denial     of Service, or execute arbitrary code. (CVE-2020-22015)

  - A heap-based Buffer Overflow vulnerability in FFmpeg 4.2 at libavcodec/get_bits.h when writing .mov files,     which might lead to memory corruption and other potential consequences. (CVE-2020-22016)

  - Buffer Overflow vulnerability in FFmpeg 4.2 in the build_diff_map function in libavfilter/vf_fieldmatch.c,     which could let a remote malicious user cause a Denial of Service. (CVE-2020-22020)

  - Buffer Overflow vulnerability in FFmpeg 4.2 at filter_edges function in libavfilter/vf_yadif.c, which     could let a remote malicious user cause a Denial of Service. (CVE-2020-22021)

  - A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_frame at     libavfilter/vf_fieldorder.c, which might lead to memory corruption and other potential consequences.
    (CVE-2020-22022)

  - A heap-based Buffer Overflow vulnerabililty exists in FFmpeg 4.2 in filter_frame at     libavfilter/vf_bitplanenoise.c, which might lead to memory corruption and other potential consequences.
    (CVE-2020-22023)

  - A heap-based Buffer Overflow vulnerability exists in gaussian_blur at libavfilter/vf_edgedetect.c, which     might lead to memory corruption and other potential consequences. (CVE-2020-22025)

  - Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at     libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service.
    (CVE-2020-22026)

  - Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c,     which could cause a remote Denial of Service. (CVE-2020-22028)

  - A Heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 at libavfilter/vf_w3fdif.c in     filter16_complex_low, which might lead to memory corruption and other potential consequences.
    (CVE-2020-22031)

  - A heap-based Buffer Overflow vulnerability exists FFmpeg 4.2 at libavfilter/vf_edgedetect.c in     gaussian_blur, which might lead to memory corruption and other potential consequences. (CVE-2020-22032)

  - A heap-based Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_intra at libavfilter/vf_bwdif.c,     which might lead to memory corruption and other potential consequences. (CVE-2020-22036)

  - Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_probe' function assigned to it. By     crafting a legitimate ffconcat file that references an image, followed by a file the triggers the tty     demuxer, the contents of the second file will be copied into the output file verbatim (as long as the     `-vcodec copy` option is passed to ffmpeg). (CVE-2021-3566)

  - libavcodec/dnxhddec.c in FFmpeg 4.4 does not check the return value of the init_vlc function, a similar     issue to CVE-2013-0868. (CVE-2021-38114)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2746 advisory.

  - ircII before 20210314 allows remote attackers to cause a denial of service (segmentation fault and client     crash, disconnecting the victim from an IRC server) via a crafted CTCP UTC message. (CVE-2021-29376)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2741 advisory.

  - In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input     string, like //../foo, or \\..\foo, the result would be the same value, thus possibly providing access     to files in the parent directory, but not further above (thus limited path traversal), if the calling     code would use the result to construct a path value. (CVE-2021-29425)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4960 advisory.

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It does not     ensure that the scheme and path portions of a URI have the expected characters. For example, the authority     field (as observed on a target HTTP/2 server) might differ from what the routing rules were intended to     achieve. (CVE-2021-39240)

  - An issue was discovered in HAProxy 2.0 before 2.0.24, 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before     2.4.3. An HTTP method name may contain a space followed by the name of a protected resource. It is     possible that a server would interpret this as a request for that protected resource, such as in the GET     /admin? HTTP/1.1 /static/images HTTP/1.1 example. (CVE-2021-39241)

  - An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead     to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority     is mishandled. (CVE-2021-39242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has a package installed that is affected by a vulnerability as referenced in the dla-2744 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4959 advisory.

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29989)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly     considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable     crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*     This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds     read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <     78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

Note that Nessus has not tested for this issue but has instead relied only on the application's self- reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4958 advisory.

  - In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop     and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial     of service via a crafted file. (CVE-2019-20421)

  - Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata     of image files. A heap buffer overflow was found in Exiv2 versions v0.27.3 and earlier. The heap overflow     is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially     exploit the vulnerability to gain code execution, if they can trick the victim into running Exiv2 on a     crafted image file. Note that this bug is only triggered when _writing_ the metadata, which is a less     frequently used Exiv2 operation than _reading_ the metadata. For example, to trigger the bug in the Exiv2     command-line application, you need to add an extra command-line argument such as `insert`. The bug is     fixed in version v0.27.4. (CVE-2021-29457)

  - Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and     ICC image metadata. An out-of-bounds read was found in Exiv2 versions v0.27.3 and earlier. Exiv2 is a     command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image     files. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file.
    An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if     they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered     when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. For     example, to trigger the bug in the Exiv2 command-line application, you need to add an extra command-line     argument such as `insert`. The bug is fixed in version v0.27.4. Please see our security policy for     information about Exiv2 security. (CVE-2021-29473)

  - An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based     buffer overflow and cause a denial of service (DOS) via crafted metadata. (CVE-2021-31292)

  - A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. Improper input validation of the     rawData.size property in Jp2Image::readMetadata() in jp2image.cpp can lead to a heap-based buffer overflow     via a crafted JPG image containing malicious EXIF data. (CVE-2021-3482)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4957 advisory.

  - Incorrect handling of url fragment vulnerability of Apache Traffic Server allows an attacker to poison the     cache. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
    (CVE-2021-27577)

  - Invalid values in the Content-Length header sent to Apache Traffic Server allows an attacker to smuggle     requests. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
    (CVE-2021-32565)

  - Improper Input Validation vulnerability in HTTP/2 of Apache Traffic Server allows an attacker to DOS the     server. This issue affects Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1.
    (CVE-2021-32566, CVE-2021-32567)

  - Stack-based Buffer Overflow vulnerability in cachekey plugin of Apache Traffic Server. This issue affects     Apache Traffic Server 7.0.0 to 7.1.12, 8.0.0 to 8.1.1, 9.0.0 to 9.0.1. (CVE-2021-35474)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2734 advisory.

  - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as     `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a     flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized     data from a stack based buffer to the server, resulting in potentially revealing sensitive internal     information to the server using a clear-text network protocol. (CVE-2021-22898)

  - libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of     them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert'     into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing     wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary     depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can     setto qualify how to verify the server certificate. (CVE-2021-22924)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2740 advisory.

  - Mozilla developers reported memory safety bugs present in Firefox 90 and Firefox ESR 78.12. Some of these     bugs showed evidence of memory corruption and we presume that with enough effort some of these could have     been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.13, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29989)

  - Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly     considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
    This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29984)

  - A use-after-free vulnerability in media channels could have led to memory corruption and a potentially     exploitable crash. This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13,     and Firefox < 91. (CVE-2021-29985)

  - A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable     crash. *Note: This issue only affected Linux operating systems. Other operating systems are unaffected.*     This vulnerability affects Thunderbird < 78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91.
    (CVE-2021-29986)

  - Firefox incorrectly treated an inline list-item element as a block element, resulting in an out of bounds     read or memory corruption, and a potentially exploitable crash. This vulnerability affects Thunderbird <     78.13, Thunderbird < 91, Firefox ESR < 78.13, and Firefox < 91. (CVE-2021-29988)

Note that Nessus has not tested for this issue but has instead relied only on the application's self- reported version number.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2735 advisory.

  - It was found Ceph versions before 13.2.4 that authenticated ceph users with read only permissions could     steal dm-crypt encryption keys used in ceph disk encryption. (CVE-2018-14662)

  - It was found in Ceph versions before 13.2.4 that authenticated ceph RGW users can cause a denial of     service against OMAPs holding bucket indices. (CVE-2018-16846)

  - A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related     to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader     tag in the CORS configuration file generates a header injection in the response when the CORS request is     made. Ceph versions 3.x and 4.x are vulnerable to this issue. (CVE-2020-10753)

  - A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon     S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted     input. (CVE-2020-1760)

  - A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway) in versions before 14.2.21. The     vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline     character in the ExposeHeader tag in the CORS configuration file generates a header injection in the     response when the CORS request is made. In addition, the prior bug fix for CVE-2020-10753 did not account     for the use of \r as a header separator, thus a new flaw has been created. (CVE-2021-3524)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dsa-4955 advisory.

  - Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to     Denial of service and potentially code execution via malicious crafted SPF explanation messages.
    (CVE-2021-20314)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Severity
153601	Debian DLA-2764-1 : tomcat8 - LTS security update	high
153600	Debian DLA-2765-1 : mupdf - LTS security update	high
153572	Debian DSA-4975-1 : webkit2gtk - security update	high
153571	Debian DLA-2763-1 : ruby-kaminari - LTS security update	medium
153570	Debian DSA-4976-1 : wpewebkit - security update	high
153548	Debian DLA-2762-1 : grilo - LTS security update	medium
153512	Debian DSA-4973-1 : thunderbird - security update	critical
153509	Debian DSA-4977-1 : xen - security update	high
153485	Debian DSA-4974-1 : nextcloud-desktop - security update	medium
153482	Debian DLA-2760-1 : nettle - LTS security update	high
153481	Debian DLA-2761-1 : openssl1.0 - LTS security update	high
153480	Debian DLA-2759-1 : gnutls28 - LTS security update	high
153431	Debian DLA-2758-1 : sssd - LTS security update	high
153226	Debian DLA-2757-1 : thunderbird - LTS security update	critical
153217	Debian DLA-2754-1 : pywps - LTS security update	high
153216	Debian DLA-2756-1 : firefox-esr - LTS security update	critical
153215	Debian DSA-4972-1 : ghostscript - security update	high
153202	Debian DSA-4969-1 : firefox-esr - security update	critical
153201	Debian DSA-4970-1 : postorius - security update	high
153182	Debian DSA-4971-1 : ntfs-3g - security update	critical
153148	Debian DLA-2714-1 : linux-4.19 - LTS security update	high
153132	Debian DLA-2745-1 : thunderbird - LTS security update	high
153123	Debian DSA-4968-1 : haproxy - security update	medium
153026	Debian DLA-2755-1 : btrbk - LTS security update	critical
153024	Debian DSA-4967-1 : squashfs-tools - security update	critical
152983	Debian DLA-2752-1 : squashfs-tools - LTS security update	critical
152982	Debian DLA-2753-1 : qemu - LTS security update	high
152967	Debian DSA-4965-1 : libssh - security update	critical
152966	Debian DLA-2751-1 : postgresql-9.6 - LTS security update	medium
152943	Debian DSA-4966-1 : gpac - security update	high
152899	Debian DLA-2750-1 : exiv2 - LTS security update	high
152898	Debian DLA-2749-1 : gthumb - LTS security update	high
152892	Debian DSA-4964-1 : grilo - security update	high
152783	Debian DSA-4963-1 : openssl - security update	high
152775	Debian DSA-4962-1 : ledgersmb - security update	high
152773	Debian DLA-2748-1 : tnef - LTS security update	medium
152753	Debian DSA-4961-1 : tor - security update	high
152739	Debian DLA-2747-1 : ircii - LTS security update	high
152737	Debian DLA-2742-1 : ffmpeg - LTS security update	high
152723	Debian DLA-2746-1 : scrollz - LTS security update	high
152662	Debian DLA-2741-1 : commons-io - LTS security update	medium
152638	Debian DSA-4960-1 : haproxy - security update	critical
152607	Debian DLA-2744-1 : usermode - LTS security update	high
152568	Debian DSA-4959-1 : thunderbird - security update	critical
152565	Debian DSA-4958-1 : exiv2 - security update	high
152564	Debian DSA-4957-1 : trafficserver - security update	critical
152547	Debian DLA-2734-1 : curl - LTS security update	low
152535	Debian DLA-2740-1 : firefox-esr - LTS security update	critical
152519	Debian DLA-2735-1 : ceph - LTS security update	medium
152518	Debian DSA-4955-1 : libspf2 - security update	critical

Debian Local Security Checks Family for Nessus

high

high

high

medium

high

medium

critical

high

medium

high

high

high

high

critical

high

critical

high

critical

high

critical

high

high

medium

critical

critical

critical

high

critical

medium

high

high

high

high

high

high

medium

high

high

high

high

medium

critical

high

critical

high

critical

low

critical

medium

critical