#debian

Debian Linux Security Advisory 5278-1 - It was discovered that a buffer overflow in the _getCountedString() function of the Xorg X server may result in denial of service or potentially the execution of arbitrary code.

Debian Linux Security Advisory 5277-1 - Multiple security issues were discovered in PHP, a widely-used open source general purpose scripting language which could result an denial of service, information disclosure, insecure cooking handling or potentially the execution of arbitrary code.

Debian Linux Security Advisory 5276-1 - Maddie Stone reported a heap-based buffer overflow flaw in pixman, a pixel-manipulation library for X and cairo, which could result in denial of service or potentially the execution of arbitrary code.

Debian Linux Security Advisory 5275-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Debian Linux Security Advisory 5274-1 - Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing. Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution. Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.

Debian Linux Security Advisory 5273-1 - Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing. Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution. Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.

Roxy Fileman 1.4.6 allows Remote Code Execution via a .phar upload, because the default FORBIDDEN_UPLOADS value in conf.json only blocks .php, .php4, and .php5 files. (Visiting any .phar file invokes the PHP interpreter in some realistic web-server configurations.)

An HTTP Request Forgery issue was discovered in Varnish Cache 5.x and 6.x before 6.0.11, 7.x before 7.1.2, and 7.2.x before 7.2.1. An attacker may introduce characters through HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This could, in turn, be used to exploit vulnerabilities in a server behind the Varnish server. Note: the 6.0.x LTS series (before 6.0.11) is affected.

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately

An information leakage vulnerability in the Bluetooth Low Energy advertisement scan response in Bluetooth Core Specifications 4.0 through 5.2, and extended scan response in Bluetooth Core Specifications 5.0 through 5.2, may be used to identify devices using Resolvable Private Addressing (RPA) by their response or non-response to specific scan requests from remote addresses. RPAs that have been associated with a specific remote device may also be used to identify a peer in the same manner by using its reaction to an active scan request. This has also been called an allowlist-based side channel.