Debian Linux Security Advisory 5268-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5268-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 01, 2022                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ffmpegSeveral vulnerabilities have been discovered in the FFmpeg multimediaframework, which could result in denial of service or potentially theexecution of arbitrary code if malformed files/streams are processed.For the stable distribution (bullseye), this problem has been fixed inversion 7:4.3.5-0+deb11u1.We recommend that you upgrade your ffmpeg packages.For the detailed security status of ffmpeg please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ffmpegFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNhc1QACgkQEMKTtsN8TjadExAAhdN753YXa53vaBbQi8XQHiZEfWJY6ohVHwVrYMnQ31aa0XzJ7IsnQ7MauWpcwd/xxv/pg0BuNsUY4V4oFLHRJJd9+TGqfzg6nNYBOawrntTy0WrWwXS14A2IkYZ+TE888y/5/P0AkNdAtgEn3nsgPdgGF79/axvLQ0mU6jfb6qkg7CwDrjwdVbaxaR1Tb4V1PJhrkFE/wFnjlvhNc8Xfc8EcoorCslPuQ6KAEB1SLQikcSwzy2B4f8Kzyob4tkts5fckbtJp5O5fbgNfqiPS2np92e3B1PfzY+yTztj2yZaTNxAfRu5Wd5TrGzmj5mh+4sbYmSAIddA72TxsyLiIbMX5B0n7f6irQr4lnPbaUKOlE/PKidwyiZg4MUkU2c88FD0AlaHUieugO6/VNRa3iKcDJE8XScpAxYSJ/t7+k0O2oHd2+/e2CO1fY6XW5L4Q5bFjTWnefyf2Q4t2JTRYeD1aepz6F/+ly1odFFCMe1NL63Icteypi2hMExUmyDpU0G60vYg5DpgHvj7HM4Xds9r/zc6OYgrgAJQMnRTVTb+4dZrHPQAZ8vQwP/QVh+bgK5u9QjajS2DM30/cV/zIr1B2/09c566N7xHXrYv359toAsELKKoYB4Kxn/vNJtR0WeuZPfcO062kuWpKHTJ3A3lK7UrcBY7YuBFBK2PXCSI=SdoQ-----END PGP SIGNATURE-----

Debian Security Advisory 5268-1

xfig 3.2.7 is vulnerable to Buffer Overflow.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>:  
Bug#992395; Package xfig. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
New Bug report received and forwarded. Copy sent to subin.kim@prosys.kr, Roland Rosenfeld <roland@debian.org>. (Wed, 18 Aug 2021 06:15:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: xfig
Version: xfig
Severity: important

Dear Maintainer,

It seems that there exists a potential Buffer Overflow.
(src/w\_help.c:55)
sprintf(filename, "%s/html/%s/index.html", XFIGDOCDIR, getenv("LANG"));

the length of getenv("LANG") may become very long and cause Buffer Overflow while executing sprintf(...).


-System Information:
Debian Release: 11.0
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.4.0-19041-Microsoft
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages xfig depends on:
pn  fig2dev | transfig  <none>
ii  libc6               2.31-13
ii  libjpeg62-turbo     1:1.5.2-2+deb10u1
ii  libpng16-16         1.6.36-6
ii  libx11-6            2:1.6.7-1+deb10u2
ii  libxi6              2:1.7.9-1
pn  libxpm4             <none>
ii  libxt6              1:1.1.5-1+b3
ii  sensible-utils      0.0.14
pn  xaw3dg              <none>

Versions of packages xfig recommends:
pn  xfig-libs  <none>

Versions of packages xfig suggests:
pn  cups-client | lpr  <none>
pn  ghostscript        <none>
pn  gimp               <none>
pn  gsfonts-x11        <none>
pn  netpbm             <none>
pn  spell              <none>
pn  xfig-doc           <none>

**Reply sent** to Roland Rosenfeld <roland@debian.org>:  
You have taken responsibility. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

**Notification sent** to "Potential Buffer Overflow vulnerability in xfig-3.2.7b" <subin.kim@prosys.kr>:  
Bug acknowledged by developer. (Fri, 20 Aug 2021 12:09:03 GMT) (full text, mbox, link).

Message #12 received at 992395-close@bugs.debian.org (full text, mbox, reply):

Source: xfig
Source-Version: 1:3.2.8a-1
Done: Roland Rosenfeld <roland@debian.org>

We believe that the bug you reported is fixed in the latest version of
xfig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992395@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <roland@debian.org> (supplier of updated xfig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Aug 2021 13:26:32 +0200
Source: xfig
Architecture: source
Version: 1:3.2.8a-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <roland@debian.org>
Changed-By: Roland Rosenfeld <roland@debian.org>
Closes: 992395
Changes:
 xfig (1:3.2.8a-1) unstable; urgency=medium
 .
   \* New upstream release 3.2.8a.
   \* 07\_missing-config.h, 08\_fig-format-doc, 09\_repair-table-doc are now
     incorporated upstream.
   \* Adapt file preservation to new upstream version.
   \* Update debian/copyright.
   \* Move xfig binary to /usr/libexec/xfig/xfig.
   \* Package test binaries and use them in autopkgtest.
   \* Update to Standards-Version 4.6.0 (no changes).
   \* 07\_LANG\_overflow: Avoid buffer overflow in LANG (Closes: #992395).
Checksums-Sha1:
 3c61e420b37da903f6a7e246fb0bacdab13c5ab8 2268 xfig\_3.2.8a-1.dsc
 0ac17ad33fdc8d570c187641e3d62ca9cd8faa2e 5380896 xfig\_3.2.8a.orig.tar.xz
 cd9de585ba1cf9f60cb888db8e6c23aedac8db8a 31736 xfig\_3.2.8a-1.debian.tar.xz
 7ec24ede8ad6c45982f1d6daecdf8eb2bbeb78db 8802 xfig\_3.2.8a-1\_source.buildinfo
Checksums-Sha256:
 5ccff8d437f6cca74c999902606c5288bc2faa3d4e369fbf5e9e41f06f528b83 2268 xfig\_3.2.8a-1.dsc
 ba43c0ea85b230d3efa5a951a3239e206d0b033d044c590a56208f875f888578 5380896 xfig\_3.2.8a.orig.tar.xz
 5bce4925951b4da43606ea0fdbc58e6d5bd586db5d3288f1b6abd2f69bc7dbe8 31736 xfig\_3.2.8a-1.debian.tar.xz
 8b72190e5c937543ef4692e84125a5bc816e234e68982b38f2c2d9f63e48f407 8802 xfig\_3.2.8a-1\_source.buildinfo
Files:
 47505378c399e92bd8320c9e7c3cfa26 2268 graphics optional xfig\_3.2.8a-1.dsc
 58dd2b6f9f17d7006c78156ce2da0073 5380896 graphics optional xfig\_3.2.8a.orig.tar.xz
 21becafff522811fd703ad707848b2c8 31736 graphics optional xfig\_3.2.8a-1.debian.tar.xz
 1ad72572a407e7d1ee3be3d287bbf4f4 8802 graphics optional xfig\_3.2.8a-1\_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErC+9sQSUPYpEoCEdAnE7z8pUELIFAmEfkesACgkQAnE7z8pU
ELK3ihAAjb2QzTyLRtUVTT50trBehzl8WJvfo7txeYBvJZup+j0hd0T46EFlpZ7M
gTFTN2zxWf7w8WUYQyfSqM7anzl3otEEaLSQ3kE3vzo+ZH9T0J98m2F/OQbEqF1u
QLbZxQF4f8M98s3TY3qBrE8Q+jN9CxcAaHMD4raoUw5LVz6FJ8c/l/xg8AQN2ekK
YWwwhZnxRWJjM3mu6hK7Cj9ihOsrs6f9q10t08q6sKVnuWLTUuvl5mGB3cDd/zHk
YNJ724pBwqUNPU1sDfGl6/DWiuWjmJwaQ1H/MnPEnV/7Utu3adfvF7AAodmxuV91
Jvx5Tb9VqnY84eRdCi2zFFyMKk4Kv6VXNLcOtFbpg7chFcWApIm+NY4Ql5s21yZg
JJZgrVHEo1rjqGbNQ9dnQHN8qZCANeKbJ44eGDgFnYPrUr963TWHhbDOOcwgU4sS
/HQf6aeq6OtXU5gSpLW2yfex2PAPustTmedREnSLuI3V5yiQxNa3Z8fQe3I36AKR
f0M4PU0c8JFEucA4ocwnzKflGsEqwGd/0OOSiPLShCdE+iaBrbz7FaOnQBO81Oyx
KUEXbL19EgBvSiz1oXIuVxgoObcEx2PK+W8uw1RkWq7Y2yjfx2N+kuDvTsJAEDzA
xYOtje3y6/VKKGWBVlDz8rFJSBA0hSY68XS+xQTzFPnNIU5wFPw=
=/r76
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Sep 2021 07:29:13 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Oct 31 16:35:27 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2021-40241: #992395 - xfig: Potential Buffer Overflow vulnerability in src/w_help.c

At this year’s KubeCon/CloudNativeCon, both development and operations practitioners were tackling different security needs.

As a self-identified movie buff, some movie lines somehow stick with me over the years. One of them is from Ridley Scott's _Gladiator_ (2000), when a Roman senator says, "The beating heart of Rome is not the marble of the Senate, it is the sand of the Colosseum."

That line popped up in my head as I walked around the halls at KubeCon/CloudNativeCon ("KubeCon"), the marquee event for the Cloud Native Computing Foundation (CNCF). To me, the beating heart of cloud-native security is most definitely KubeCon.

This year's North American edition of the event took place last week in Detroit, bringing together thousands of participants on-site plus many others remotely. In addition to the main three-day event, the growing interest in specific projects has led the Cloud Native Computing Foundation to set up various "co-located events" ahead of the main conference.

For the 2022 event, there was not only a specific CloudNativeSecurityCon two-day event but also plenty of security content across other events, including Application Networking Day, EnvoyCon, Policy Day with OPA, ServiceMeshCon, and more, reflecting the wide interest in cloud-native security topics. Interestingly, the CloudNativeSecurityCon event has itself now "graduated" to an independent event to be hosted separately in February.

**Cloud-Native security: Development vs. Operations**

So, where is the current state of cloud-native security conversations? To Omdia, there is a strong bifurcation: development-centric concerns and operations-centric concerns. It is not as helpful to call these "Dev" and "Ops" because team structure is in flux in many organizations: some may have site reliability engineering (SRE) teams, some may call them operations, platform teams, and more.

On the development side of the ledger, three topics of interest are provenance, noise, and exposure.

Provenance asks the fundamental question: Can we trust the integrity of the external component we're incorporating into our software pipeline? While many examples exist, the 2020 SolarWinds attack was a turning point for interest in the integrity of the software supply chain. At KubeCon, there was palpable momentum behind the idea of signing software images: The sigstore project was announced as general availability and is being used by Kubernetes and other key projects.

Noise refers to reducing the number of vulnerabilities that exist in the environment, starting with slimming down the container base images that are being used. This may include using image bases such as Alpine or Debian Slim or considering "distroless" alternatives that are even smaller. The benefit is that these smaller images have minimal footprint and therefore reduced chance of vulnerabilities popping up.

Exposure: For any given vulnerability, how exposed are we as an organization? There is no better example of this in recent industry history than Log4j, of course. This is the realm of discussions on software bills of materials (SBOMs) as it relates to knowing where components may be used either as images sitting in a registry somewhere or running in production. Interestingly, as this essay is being written, there's advance notice that information about critical vulnerabilities in OpenSSL 3.x will be disclosed imminently, which will likely be another good use case for SBOMs — just where is OpenSSL 3.x used in our organization? Given that SBOM coverage is still not widespread, Omdia expects minimal SBOM usage this time around, unfortunately.

Operations teams are naturally focused on providing and operating an increasingly complex underlying platform and doing so securely. The word “platform” is particularly relevant here: There was notable interest in organizing Kubernetes and many of the growing list of CNCF projects (140 as of this writing, between the various stages of project incubation: sandbox, incubation, graduated) into easier-to-consume platforms. Of specific interest to security audiences, projects such as Cilium (using the underlying eBPF functionality) for networking and observability, SPIFFE/SPIRE (for establishing identities), Falco (for runtime security), Open Policy Agent (for policy-as-code), Cloud Custodian (for governance), and others are worth looking into. The expectation is that these projects will increasingly collaborate with "observability" aspects of cloud-native and will also be deployed using practices such as GitOps.

**Reasons for Optimism on Cloud-Native Security**

Where do we go from here? It was abundantly clear that the cloud-native community cares deeply about security and is moving forward full-speed with tackling the many topics around it. The guidance to security teams is to quickly come up to speed on how these different projects and initiatives are being implemented. It's important to note that for many organizations, this will come not in the form of explicitly using the community project (though some will), but rather as part of a packaged platform from vendors such as Red Hat, SUSE, Canonical, and others, or directly from the cloud providers such as AWS, Google Cloud, Azure, Oracle, and others.

Be aware that, in the context of open source usage, there's no such thing as really "free" — even if one chooses to use the vanilla upstream version of projects, there are inherent costs in maintaining those packages and participating in the community development.

Cloud-Native Security Was in the Air at KubeCon/CloudNativeCon 2022

Debian Linux Security Advisory 5267-1 - Nicky Mouha discovered a buffer overflow in 'sha3', a Python library for the SHA-3 hashing functions.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5267-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pysha3CVE ID         : CVE-2022-37454Debian Bug     : 1023030Nicky Mouha discovered a buffer overflow in 'sha3', a Python library forthe SHA-3 hashing functions.For the stable distribution (bullseye), this problem has been fixed inversion 1.0.2-4.1+deb11u1.We recommend that you upgrade your pysha3 packages.For the detailed security status of pysha3 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pysha3Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNeydYACgkQEMKTtsN8TjZM0RAAk28/0iK+MlZR4EtgLm8chSw8YsaDjyCC6yVv82fz5yjYRhNkCteunkH0ffN2B8EXRJN8pqRV89ptnwOkwW3KjaJ6un3new3Zg4sPFB2DULd3yoxD3YGlzbh/EmHsnDSN88M8TSSi6IGErBIrMNqKt0FORg9/whpujDOJToo5np8uV7/SZNEMo2BOLtLIoXjMB4erlaI5pEE9/mEr6hzXJNsiVy82GtGZESuFo0XWu3hsD6BCzBvWKvZIOuALuTE9BEPGWJBPAIAqDS48yEd8KXiSEex9zsxdAa2vhsFHJ3U1LvwxZY0DvjG5JSjImc9U/p7DrwHhSyuS/pUFkR47Hl+d5i6+9IcU3lvFjszrq9bX019HuF2/U9ZfgvNQL/LmUpxFEyEziE3xkMG/SBP809fJ+UAU1XRV4qj6Yd/dN9TBZXE4eTcjzVCnjxjEzJKjaMcNl1qMM5JanG69iuGdy61ubTA/vEjxNH3qQOnJmITc1RuLlpkiU7TVA6ggNJ59xPQLLvgJ0lTY0oOQ0+pGh8aTHixHQFa35ynES6i+gKULv6M+fa/oayRLpw+06fGoSxdPmM8LHp9c54pLN3KgPIIcb/Aimkl+ReUYnrSXsaerfmyXS3f0LEjfhSxozXAooTxRr3eh5pUpTd3fuooodn9Zh3o5E5QcTbK82UGkTLI==p4UM-----END PGP SIGNATURE-----

Debian Security Advisory 5267-1

Debian Linux Security Advisory 5266-1 - A heap use-after-free vulnerability after overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in Expat, an XML parsing C library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5266-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 30, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : expatCVE ID         : CVE-2022-43680Debian Bug     : 1022743A heap use-after-free vulnerability after overeager destruction of ashared DTD in the XML_ExternalEntityParserCreate function in Expat, anXML parsing C library, may result in denial of service or potentiallythe execution of arbitrary code.For the stable distribution (bullseye), this problem has been fixed inversion 2.2.10-2+deb11u5.We recommend that you upgrade your expat packages.For the detailed security status of expat please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/expatFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmNehABfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TT5RAAiDBqtdgoagQspAsmWvoT1IJw0fsx2IFA4ynzyAI33nXegNKfDUGmc9wWKVm4APPaFWvy9s4hlA7HeMUdRQRxuW2iL5q3Jnkbjcnm1kISTgxPymt0HFeJWr9TVRSQt0OqUtzzOvNAz2lSd86551EMPa/oS0fvLq/vDTC3mTL1WsoMsouJR+l7potTMtJf43G10AmfLx+XgSsfmHU2Hvf5S2PO7aEmNHic9HW7bwUqm6KF2lZs5Qo4IVykqQ3eKufLg0HZcOi+QMWxpKYzxOR/tnzYHjLAzTI7yjugBBufcaux1kYnB0ULnDLfOc+uHXuhttfji4sbEzGB9uWDX+rhtBszcaM/Ww53J8tDy3chnv93pi5em1ABQljrPjFz/+N4g4tsNgdCTvMjT332kPi6W9zFUA/iB21LP4H7xc3stGCVubZW0UVcvOu2ubCabr/XQBOtlnc4tj/L9UyQW+Rfqe9x1WHkhwTuHMg8/YcqWljv3LwTz1DXfyFF0vmSlliOr0POP7I0iJvrw647rVBaNEsVPNqFhPu5Ro5jd5y3gt+f763J692JXfTPQJc3PaJz37NCdupga7lPu1W5cSLAYtze5JxqH4XJaKFprpaGfo3OFIDas0Z5yIs8DxMbjmY9VlpMQ8vKfHYPgoKV+NRv9bKKpBLxYI/o4bq8uA4JgpE==bLU+-----END PGP SIGNATURE-----

Debian Security Advisory 5266-1

Debian Linux Security Advisory 5265-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5265-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 29, 2022                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2021-43980 CVE-2022-23181 CVE-2022-29885

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2021-43980

    The simplified implementation of blocking reads and writes introduced in  
    Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing  
    (but extremely hard to trigger) concurrency bug that could cause client  
    connections to share an Http11Processor instance resulting in responses, or  
    part responses, to be received by the wrong client.

CVE-2022-23181

    The fix for bug CVE-2020-9484 introduced a time of check, time of use  
    vulnerability into Apache Tomcat that allowed a local attacker to perform  
    actions with the privileges of the user that the Tomcat process is using.  
    This issue is only exploitable when Tomcat is configured to persist  
    sessions using the FileStore.

CVE-2022-29885

    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly  
    stated it enabled Tomcat clustering to run over an untrusted network. This  
    was not correct. While the EncryptInterceptor does provide confidentiality  
    and integrity protection, it does not protect against all risks associated  
    with running over any untrusted network, particularly DoS risks.

For the stable distribution (bullseye), these problems have been fixed in  
version 9.0.43-2~deb11u4.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdoYJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRLxxAAzz/exjL7ERlJfqqvv1ofnRRmmJYtqaofzV8Ewb/xrFIQM8ZXohWLF9a0  
s0monZtUm+eQEKM3nYl1nXPI4l/shKnvo9yU17gcxqBgzBeYqsX9hqDm2Ie0raS7  
n22rwO4fHcQJ7vhSx2oYNL++YbEYQFEZgz+ZfiOLStHc2pIq2fxi4+jXuXHMUwuS  
KuCOYF8VLBjY87T7BT168GtKi02sIQzbXgAQSAGU6WsOvV4DLjagn/g+b1lK8F5u  
xO6rU2iM6pR73Ei2H2pb1B39BGhjorub7L2GQfiIMKf3bD7M+jflCnGq3n/xsUrO  
6PkaSCaN4DEip9V+3DBJ4TcOj0x/LzHMHimDoZ/CLI5qoPq5KWS4L7AKXM876+v5  
HIIzDH5B5INTeSEoVDkgKVx2fy8ZbaeDV+cmFTjXb+pmFpxxEuPGRYJg3Mv8PsqZ  
qPUqyrTKx8treIfXNJhJL00omDAX1T75H38BMNv56BbAHcBfszyFHHzr9uPo0+Fc  
tLYanZlx48IfCLXhOl2VcyE5up1snJmtMG1S2wFfl4btVfApGSAzAxSeYau+EGTu  
poFmm/5atf68cKEyGIuPFeNk97mqIp55gDi5lks/Cs7wW/EJndzFd/g5LwXb1HO1  
E30OhC79DT0Jlwpw3+VhS475K3XzGOhnk4x6DA1a/NtAzzaz7dg=  
=U52K  
-----END PGP SIGNATURE-----

Debian Security Advisory 5265-1

Debian Linux Security Advisory 5264-1 - It was discovered that Apache Batik, a SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5264-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyOctober 29, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : batikCVE ID         : CVE-2022-41704 CVE-2022-42890It was discovered that Apache Batik, a SVG library for Java, allowedattackers to run arbitrary Java code by processing a malicious SVG file.For the stable distribution (bullseye), these problems have been fixed inversion 1.12-4+deb11u1.We recommend that you upgrade your batik packages.For the detailed security status of batik please refer toits security tracker page at:https://security-tracker.debian.org/tracker/batikFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmNdoPxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeSwixAAz3126lRuHpJFXreXL0dbIwiahb36LhtNx29gI7C5QkzFt49svIswJ7JM+n9GokhtggWNuyN7wF6fyQzH7VEZSYW9yzzoUbbduJoTnBArtwYyuKdfg1KnWl7h/Wzvd8JuyLtMDCXivlqNbatfenoipUclYtB7bupb+8YX71GKxh/vXU9kR6jS5eQLUnLk2SdbVMfwEna+KqEjt4yyS7SXWNJcMOVPbQLPhvjq8xMVAaShxNjn0hk7gGEtH2TBFSp7UcX8kmuPCES/70t8cS7jiA8FjRRz1M8Lf12SZGLbCCtZMQdlY4Lc0OP22Di2PTwSU0cg6dQJPR9zbXeBMA6Bff6hsCs4eFUugmPE28N7zSs4cjiNvn//+Kf4C/unsaOMR6bony/z9AqjxjvYv34h3AVd0/8Bg9GLe6kYX38EaY7D/biiZKPgbkQzXo6DU7rm8fFEGcTj/1yY+ScgznkfPob6QYLpT+b0jF+KpLPfA/Lz2bOh2DNHUVV9hKLC3t8i02KPhxrwbbpeJ7L7F8o/Giw0Ho6m0RLCTm2+sR57t7cHF9B0PH7qZRsgMp4GSrydeUUK8SZGMus1NnSmqbfd4GiY2Wohd3GiN+YqIK4lWbhNi3RZg2VFaGsVRRVtnBAgaCCZcd0BjvNEIpOoPXro97I0lqwKiAqBnKZobh86/dU==yzAL-----END PGP SIGNATURE-----

Debian Security Advisory 5264-1

Debian Linux Security Advisory 5262-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5262-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 27, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : thunderbirdCVE ID         : CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932Multiple security issues were discovered in Thunderbird, which couldresult in denial of service or the execution of arbitrary code.For the stable distribution (bullseye), these problems have been fixed inversion 1:102.4.0-1~deb11u1.We recommend that you upgrade your thunderbird packages.For the detailed security status of thunderbird please refer toits security tracker page at:https://security-tracker.debian.org/tracker/thunderbirdFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNa7koACgkQEMKTtsN8TjYPZRAApCIeC67U5v1tdzqmO49gDFrXVF4lcTiHaQxfMd+8Z0G/hdBdwJorRekj8o2vKfp7AbmpR3flDP9/v9ugCQxdu3G8tbUEG+Plezz6+XskPdTS9wil7WLeoA3LftFTqrzeECcSeoarXdMt3OsQ43Lcxvyzbw1X8Fht3tUB3VLSF0+y4NmKtv0RS1Qd+kL3uCm+wBd4gUWD6HBwPhR6uxso+BqTz16fgqyKCSsQvZ7erw8Hszra9ZbEXfEnBOA0yl25eCPgAN0KZRqjq4o6fBEgOo3VeTDf2IAG50Mcecd/wismxZqWQycNSRCrnhSrqPaL2hN1KkxxjN4SV4I9xaERyTKt4wfy71Tx9NFMpS8GuRZ4qi1NxUX6Y4BQshDAv2iLJ2vHB5om76qLzlx1CdynZkDPIv+q5rfs40gIZH7gcKrI4D6WlwYTvNVUBOTjUhpxDvuperRUkGe4pR2upAmbGwiVdORvJGY1BzDOi2AMc90g7/l4bktV6wEFApnjGIOBWBfYtbf5lzYzGCynfP71Z9ZBLmTtjMScjln04n+IzX+Dkl5DREgVZilbClhB9kSb15msinn3lok0NyJaF3V76HDiaJUtmAXzrfLrblkk1Aw/HMD3ryF2VUizYB0zMI4iz3UR+tS2ww6tWEesgt9DL5f8cEstL8fNtk0hUZ6U/qE=avOl-----END PGP SIGNATURE-----

Debian Security Advisory 5262-1

Debian Linux Security Advisory 5261-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5261-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 26, 2022                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2022-3652 CVE-2022-3653 CVE-2022-3654 CVE-2022-3655                 CVE-2022-3656 CVE-2022-3657 CVE-2022-3658 CVE-2022-3659                 CVE-2022-3660 CVE-2022-3661Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 107.0.5304.68-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNZexEACgkQEMKTtsN8TjYRnxAAqAA0Egh1wZoBi7sCYhoCqR546MdWDKO/bJfqYq2aKO3KZDz9Td7BnZ1t/v+Cj49QBk+OfQaLbSP0KTcPqYIQAtd9z2bdskSs+4rFcj+jFmmM59WsSEghsGGApANaYUUsDitGqVJpFUkZCXHYxYUt0sWJYZ8QeYHipQr6Mw22+n77igvQjpqzdIpDXIUlSasDGx7vFoX0Psu8C5TvXhCjxzFr0mLHRuEf+HjlrEwS7eTrycZN2rcc0JFH6oCwVtitKsiEwhystoaDaX1YKZczQ/O9S+pBj4wh4PTQPNTUeODyN3pZKwRVJmUM8rR/lBTEfFRtUw615ieDX/lideqfo9OK0GmY3iSwf5oL728iuu5seWcPKAO09t6sNvG2Fjw6JTn0NQ7z9LZFHeWDbDlLV6ABQ2VusoMMRRkAdNV9ycuiXThGsQBw6ukTUzUfKnui9NV37ouDClnahB96/Y4i8BGXyYF0T4TMCJUtiZCG4xASGEbMHwUO4h6A2WjIq/m6F2pg98cEG/losAuxBwtwzRzoUY8gvoQZE+7WoMTRyQIpmO8AfJraNvexKx/im/7eLvtF/0XIy57hQzRsnbOQ1RzcdxDgV4zJ+L+QeyXDgkAwYs1s1Xtt7Dl21New/cV0OUInJ9Z9qvOo2Hz7D/UOYopDjlhx1XMZJPtgXIOilQQ=rkOd-----END PGP SIGNATURE-----

Debian Security Advisory 5261-1

When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

Open source software is deeply embedded in enterprises today: from the Linux kernel to data center infrastructure, and from databases to application servers and front ends. The importance of securing the supply chain has become front and center in the industry, with the US government's involvement and the formation of industry bodies such as OpenSSF to work on solutions.

We know that we must secure the open source software we use — it's also important that open source be an integral part of the solutions that we create. Proprietary solutions alone are not enough to counter the threat to the ever-expanding areas of vulnerability. To properly secure our software dependencies in depth, solutions must interoperate tightly with key open source infrastructure such as the Linux kernel and Kubernetes.

Through our experience with creating the Falco runtime threat detection tool, and contributing it as open source to the Cloud Native Computing Foundation (CNCF), we've learned valuable lessons about how important it is to provide open source solutions for security.

**1\. Collaborative development goes broad and deep.**

Security is a never-ending battle against expanding attacks and attack surfaces. Through collaboration, we are able to bring together more expertise, apply more scrutiny, and cover a broader range of use cases than through proprietary development. Nobody can be an expert on everything, but many people can come together to contribute their singular deep expertise into an open source project.

While Falco's core competency specializes in monitoring Linux syscalls, the team strategically added a plug-in interface. Through this, other infrastructure can be secured, from Kubernetes admission controllers to cloud services such as AWS CloudTrail or Okta. The open nature of the project means that experts in particular platforms — whether open or proprietary — can contribute their know-how and help the entire user base. Proprietary approaches can't reach this same level of scale.

Moreover, you don't need to ask anyone's permission to extend open source to cover a new service or platform: If what you need isn't there, and you're able to contribute, you can ensure that your needs will be covered in the future.

**2\. Standards-based development promotes choice.**

When open source software is part of a multivendor body such as the CNCF and in widespread use, adopters can reasonably view it as being a _de facto_ standard. Using open source standards provides an interoperable framework in which an ecosystem of tools, support, and training exist. As a user, you always have the freedom to control your own solution by directly using the open source, or choosing commercial tools that interoperate.

Drawing from Falco as an example, multiple vendors such as Sysdig, Red Hat, and Sumo Logic have built their own solutions based on the codebase. At their core, they are aligned on the protocols that Falco uses for event capture, meaning users get choice, a richer ecosystem of tools that use the standards, and future optionality.

**3\. Open source is transparent.**

Open source gives you the full visibility to examine exactly how a piece of software works. This transparency brings a double benefit.

First, if you're trusting every node in your systems with a tool, you want assurance about its security. Even if you're not auditing the code yourself, you benefit from many contributors with the resources to find and fix vulnerabilities. For software that has achieved widespread adoption, these contributors likely include cloud-scale operators with deep expertise.

Second, open source brings you insight and possibly influence on the direction of the software. You can become a contributor and influence technical direction, or allocate funding towards supporting its sustained development. When that software lives inside an industry foundation, you may benefit from established standards in governance, auditing, and sustainability.

**4\. Modern platforms are built on open source.**

To provide the assurance users need, security should be considered as an integral factor of any platform, not an optional extra. Open source is the engine room of the modern software stack, and therefore security solutions must also reach into the open source foundations. The cloud-native era has driven new approaches to operations and architecture, and security is no exception. Following the desire to "shift left" and incorporate security earlier in the software development life cycle, the same benefits apply to doing that with the open source foundations that run our enterprise platforms.

**Conclusion**

Open source is the only approach with the agility and broad reach to set up the conditions to meet modern security concerns. Users depending on massive open source infrastructure — the basis of today's clouds — should be careful of any security solution that does not acknowledge and leverage open source itself.

When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

**About the Author**

    

Edd Wilder-James' career spans open standards, open source, and data analytics, in roles covering technology, content, business, and strategy. At Sysdig, his team is committed to growing Falco as the standard for runtime threat detection. Previously, Edd led teams working on open source programs at Google, working with TensorFlow, Kubeflow, Go, and Kubernetes. He has over two decades in the open source world, chairing OSCON for six years, and is a former Debian and GNOME contributor.

Tag

#debian