34 matches found
MGASA-2026-0144 Updated dpkg packages fix security vulnerabilities
It was discovered that dpkg-deb, a component of dpkg, the Debian package management system, does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU)...
Astra Linux - vulnerability in redis
It was discovered that Redis, a persistent key-value database, due to a packaging issue, is susceptible to a Lua sandbox escape that is specific to Debian. This could lead to remote code execution...
Astra Linux - vulnerability in avahi
The avahi-daemon-check-dns.sh script within the Debian avahi package, as of version 0.8-4, is executed as the root user via /etc/network/if-up.d/avahi-daemon. This script allows a local attacker to cause a denial of service or create arbitrary empty files through a symlink attack on files located...
PT-2026-23848
Name of the Vulnerable Software and Affected Versions: dpkg-deb (affected versions not specified). Description: The dpkg-deb component of the Debian package management system does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive. This can lead to a...
CVE-2025-13633
Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
CVE-2024-7021
Inappropriate implementation in Autofill in Google Chrome on Windows prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. Chromium security severity: Medium...
EUVD-2013-0290
Malware in sbrugna...
Debian dla-4301 : python-django-doc - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4301 advisory. Debian LTS Advisory DLA-4301-1 https://www.debian.org/lts/security/...
CVE-2025-8880
Race in V8 in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
[SECURITY] Fedora 41 Update: dpkg-1.22.20-1.fc41
This package provides the low-level infrastructure for handling the installation and removal of Debian software packages. This package contains the tools including dpkg-source required to unpack, build and upload Debian source packages. This package also contains the programs dpkg which used to...
CVE-2021-28129
While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group if they exist. User...
CVE-2021-26720
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects th...
PT-2024-24601 · Unknown · Git Credential Manager
Name of the Vulnerable Software and Affected Versions: Git Credential Manager (GCM) versions prior to 2.5.0. Description: The issue arises from the Debian package of Git Credential Manager (GCM) not setting root ownership on installed files prior to version 2.5.0. This allows a user on a multi-user...
SUSE CVE-2021-26720
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects th...
PT-2022-1643
Name of the Vulnerable Software and Affected Versions: Redis versions prior to the fixed version; Debian-specific Redis Server (affected versions not specified). Description: A Lua sandbox escape vulnerability in Redis could result in remote code execution. The issue is related to a packaging problem a...
CVE-2022-0543
It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a Debian-specific Lua sandbox escape, which could result in remote code execution. Recent assessments: NinjaOperator at March 25, 2022 8:04pm UTC reported: Muhstik Gang has been seen exploiting...
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects the packaging for Debian GNU/Linux (used indirectly by SUSE) not the upstream Avahi product.
...
AZL-6323 CVE-2021-26720 affecting package avahi for versions less than 0.8-1
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects th...
UBUNTU-CVE-2021-26720
avahi-daemon-check-dns.sh in the Debian avahi package through 0.8-4 is executed as root via /etc/network/if-up.d/avahi-daemon, and allows a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /run/avahi-daemon. NOTE: this only affects th...
Race condition
The groonga-httpd package 6.1.5-1 for Debian sets the /var/log/groonga ownership to the groonga account, which might let local users obtain root access because of unsafe interaction with logrotate. For example, an attacker can exploit a race condition to insert a symlink from /var/log/groonga/htt...