[SECURITY] [DSA 4680-1] tomcat9 security update

2020-05-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4680-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
May 06, 2020  https://www.debian.org/security/faq
- -

Package: tomcat9
CVE ID : CVE-2019-10072 CVE-2019-12418 CVE-2019-17563
 CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in HTTP request smuggling, code execution
in the AJP connector (disabled by default in Debian) or a man-in-the-middle
attack against the JMX interface.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require
configuration changes when Tomcat is used with the AJP connector, e.g.
in combination with libapache-mod-jk. For instance, the attribute
"secretRequired" is now set to true by default. For affected setups it is
recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
before deploying the update.
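A pre-deployment review of the kind the advisory recommends, as an added example that is not part of the advisory or of the Tomcat project: a Python check that parses server.xml and reports, for each AJP connector, how the 9.0.31 defaults (secretRequired=true, loopback bind address) will affect it. The two sample configurations and the audit_ajp_connectors function are constructed for this example.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs (not from the advisory or any real deployment):
# a typical pre-9.0.31 AJP connector with no secret and no explicit address ...
LEGACY_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# ... and one reviewed against the 9.0.31 defaults: loopback bind plus a shared
# secret that the mod_jk worker (workers.properties) must carry as well.
HARDENED_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return findings for each AJP <Connector>, judged against the 9.0.31
    defaults: secretRequired=true and a loopback bind address."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP/"):
            continue
        tag = "AJP connector on port %s" % conn.get("port", "?")
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        # requiredSecret is the pre-9.0.31 spelling of the same attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if secret_required and not secret:
            findings.append(tag + ": no secret configured; the connector will not "
                            "start after the update (set secret=... here and on "
                            "the mod_jk worker)")
        elif not secret_required:
            findings.append(tag + ': secretRequired="false" turns off the shared-'
                            "secret check")
        address = conn.get("address")
        if address is None:
            findings.append(tag + ": no address set; binds to all interfaces before "
                            "the update and to loopback after it; set it explicitly")
        elif address not in LOOPBACK:
            findings.append(tag + ": bound to %s; restrict to loopback unless the "
                            "mod_jk proxy is on another host" % address)
    return findings
```

Run it against a copy of the live server.xml before upgrading; an empty result means the connector already matches the new defaults.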

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4679-1] keystone security update

2020-05-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4679-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
May 06, 2020  https://www.debian.org/security/faq
- -

Package: keystone
CVE ID : not yet available
Debian Bug : 959900

A vulnerability was found in the EC2 credentials API of Keystone, the
OpenStack identity service: any user authenticated within a limited
scope (trust, OAuth or application credential) could create an EC2 credential
with escalated permissions, for instance obtaining "admin" while
the user only holds a limited "viewer" role.

For the stable distribution (buster), this problem has been fixed in
version 2:14.2.0-0+deb10u1.

We recommend that you upgrade your keystone packages.

For the detailed security status of keystone please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/keystone

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 4678-1] firefox-esr security update

2020-05-06 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4678-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
May 06, 2020  https://www.debian.org/security/faq
- -

Package: firefox-esr
CVE ID : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or information disclosure.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.8.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.8.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-