Bug#1084057: restrictedpython: CVE-2024-6484

2024-10-04 Thread Moritz Mühlenhoff
retitle 1084057 restrictedpython: CVE-2024-47532
thx

Am Fri, Oct 04, 2024 at 05:16:28PM +0200 schrieb Moritz Mühlenhoff:
> Source: restrictedpython
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 

Sorry, copy&paste error. This should instead be:
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h
Fixed by: 
https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6
 (7.3)

Cheers,
Moritz




Bug#1084060: twitter-bootstrap3: CVE-2024-6484 CVE-2024-6485

2024-10-04 Thread Moritz Mühlenhoff
Source: twitter-bootstrap3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for twitter-bootstrap3.

CVE-2024-6484[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.

https://www.herodevs.com/vulnerability-directory/cve-2024-6484

CVE-2024-6485[1]:
| A security vulnerability has been discovered in bootstrap that could
| enable Cross-Site Scripting (XSS) attacks. The vulnerability is
| associated with the data-loading-text attribute within the button
| plugin. This vulnerability can be exploited by injecting malicious
| JavaScript code into the attribute, which would then be executed
| when the button's loading state is triggered.

https://www.herodevs.com/vulnerability-directory/cve-2024-6485


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6484
https://www.cve.org/CVERecord?id=CVE-2024-6484
[1] https://security-tracker.debian.org/tracker/CVE-2024-6485
https://www.cve.org/CVERecord?id=CVE-2024-6485

Please adjust the affected versions in the BTS as needed.



Bug#1084061: golang-github-containers-common: CVE-2024-9341

2024-10-04 Thread Moritz Mühlenhoff
Source: golang-github-containers-common
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-containers-common.

CVE-2024-9341[0]:
| A flaw was found in Go. When FIPS mode is enabled on a system,
| container runtimes may incorrectly handle certain file paths due to
| improper validation in the containers/common Go library. This flaw
| allows an attacker to exploit symbolic links and trick the system
| into mounting sensitive host directories inside a container. This
| issue also allows attackers to access critical host files, bypassing
| the intended isolation between containers and the host system.

https://bugzilla.redhat.com/show_bug.cgi?id=2315691


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9341
https://www.cve.org/CVERecord?id=CVE-2024-9341

Please adjust the affected versions in the BTS as needed.



Bug#1084059: twitter-bootstrap4: CVE-2024-6531

2024-10-04 Thread Moritz Mühlenhoff
Source: twitter-bootstrap4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for twitter-bootstrap4.

CVE-2024-6531[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.

https://www.herodevs.com/vulnerability-directory/cve-2024-6531

But I think the bigger issue is that Bootstrap 3 and 4 are EOLed,
so possibly Debian should move to use 5 instead?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6531
https://www.cve.org/CVERecord?id=CVE-2024-6531

Please adjust the affected versions in the BTS as needed.



Bug#1084058: giflib: CVE-2024-45993

2024-10-04 Thread Moritz Mühlenhoff
Source: giflib
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for giflib.

CVE-2024-45993[0]:
| Giflib Project v5.2.2 is vulnerable to a heap buffer overflow via
| gif2rgb.

Doesn't appear to have been reported upstream yet:
https://gitlab.com/mthandazo/project-pov


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45993
https://www.cve.org/CVERecord?id=CVE-2024-45993

Please adjust the affected versions in the BTS as needed.



Bug#1084056: libgsf: CVE-2024-36474 CVE-2024-42415

2024-10-04 Thread Moritz Mühlenhoff
Source: libgsf
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libgsf.

CVE-2024-36474[0]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of the GNOME Project G Structured File
| Library (libgsf) version v1.14.52. A specially crafted file can
| result in an integer overflow when processing the directory from the
| file that allows for an out-of-bounds index to be used when reading
| and writing to an array. This can lead to arbitrary code execution.
| An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068

CVE-2024-42415[1]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of v1.14.52 of the GNOME Project G
| Structured File Library (libgsf). A specially crafted file can
| result in an integer overflow that allows for a heap-based buffer
| overflow when processing the sector allocation table. This can lead
| to arbitrary code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069

Both are tracked/fixed upstream via:
https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
https://gitlab.gnome.org/GNOME/libgsf/-/commit/06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36474
https://www.cve.org/CVERecord?id=CVE-2024-36474
[1] https://security-tracker.debian.org/tracker/CVE-2024-42415
https://www.cve.org/CVERecord?id=CVE-2024-42415

Please adjust the affected versions in the BTS as needed.
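Both libgsf descriptions above start from the same mistake: arithmetic on counts read out of the file (a sector size times a sector count) that wraps, and a directory index taken from the file that is used without a bounds check. The following is an added example, not libgsf's code: the header fields, the 256 MiB cap and all helper names are hypothetical, and the layout is a simplification of the real Compound Document Binary format. It shows the wrapping computation beside a checked one, using the GCC/Clang `__builtin_mul_overflow` builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical, simplified header of a Compound Document Binary (CDB) file.
 * The field names, the 256 MiB cap and the helper names are illustrative;
 * none of this is libgsf's code or its structures.
 */
typedef struct {
    uint16_t sector_shift;     /* sector size is 1 << sector_shift (512 or 4096 in real files) */
    uint32_t num_fat_sectors;  /* sectors holding the sector allocation table */
    uint32_t num_dir_sectors;  /* sectors holding the 128-byte directory entries */
} cdb_header_t;

#define CDB_DIR_ENTRY_SIZE  128u           /* fixed by the format */
#define CDB_MAX_TABLE_BYTES (256u << 20)   /* illustrative sanity cap */

/* Unsafe pattern: 32-bit arithmetic on counts read from the file wraps silently,
 * so a huge count yields a small allocation that later reads and writes overrun. */
uint32_t sat_bytes_unchecked(const cdb_header_t *h)
{
    uint32_t sector_size = 1u << h->sector_shift;
    return sector_size * h->num_fat_sectors;
}

/* Hardened: constrain the shift, detect the wrap, and cap the result. */
bool sat_bytes_checked(const cdb_header_t *h, uint32_t *out)
{
    if (h->sector_shift < 7 || h->sector_shift > 12)   /* 128 .. 4096-byte sectors */
        return false;
    uint32_t sector_size = 1u << h->sector_shift;
    uint32_t bytes;
    if (__builtin_mul_overflow(sector_size, h->num_fat_sectors, &bytes))
        return false;                                  /* product does not fit 32 bits */
    if (bytes > CDB_MAX_TABLE_BYTES)
        return false;
    *out = bytes;
    return true;
}

/* An entry index taken from the file (child/sibling links) must be compared with the
 * number of entries that exist before it is used to address the entry array. */
bool dir_entry_offset(const cdb_header_t *h, uint32_t index, uint32_t *out)
{
    if (h->sector_shift < 7 || h->sector_shift > 12)
        return false;
    uint32_t sector_size = 1u << h->sector_shift;
    uint32_t entries_per_sector = sector_size / CDB_DIR_ENTRY_SIZE;
    uint32_t num_entries;
    if (__builtin_mul_overflow(entries_per_sector, h->num_dir_sectors, &num_entries))
        return false;
    if (index >= num_entries)
        return false;                                  /* out-of-bounds index */
    uint32_t off;
    if (__builtin_mul_overflow(index, CDB_DIR_ENTRY_SIZE, &off))
        return false;
    *out = off;
    return true;
}

int main(void)
{
    /* Constructed header: 4096-byte sectors and a FAT sector count chosen so that
     * 4096 * count == 2^32 + 4096, which wraps to 4096 in 32-bit arithmetic. */
    cdb_header_t evil = { 12, 0x00100001u, 2 };
    uint32_t n = 0, off = 0;
    printf("unchecked: %u bytes (wrapped)\n", (unsigned)sat_bytes_unchecked(&evil));
    printf("checked:   %s\n", sat_bytes_checked(&evil, &n) ? "ok" : "rejected");
    printf("dir index 64 of 64 entries: %s\n",
           dir_entry_offset(&evil, 64, &off) ? "ok" : "rejected");
    return 0;
}
```

The checks are deliberately done in the same 32-bit type the format fields have, because that is where the wrap happens; widening to size_t on a 64-bit build hides the bug without fixing it on 32-bit targets.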



Bug#1084057: restrictedpython: CVE-2024-6484

2024-10-04 Thread Moritz Mühlenhoff
Source: restrictedpython
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for restrictedpython.

CVE-2024-6484[0]:
| A vulnerability has been identified in Bootstrap that exposes users
| to Cross-Site Scripting (XSS) attacks. The issue is present in the
| carousel component, where the data-slide and data-slide-to
| attributes can be exploited through the href attribute of an <a> tag
| due to inadequate sanitization. This vulnerability could potentially
| enable attackers to execute arbitrary JavaScript within the victim's
| browser.

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-5rfv-66g4-jr8h
Fixed by: 
https://github.com/zopefoundation/RestrictedPython/commit/d701cc36cccac36b21fa200f1f2d1945a9a215e6
 (7.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6484
https://www.cve.org/CVERecord?id=CVE-2024-6484

Please adjust the affected versions in the BTS as needed.



Bug#1084055: edk2: CVE-2024-38796

2024-10-04 Thread Moritz Mühlenhoff
Source: edk2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for edk2.

CVE-2024-38796[0]:
| EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An
| Attacker may cause memory corruption due to an overflow via an
| adjacent network. A successful exploit of this vulnerability may
| lead to a loss of Confidentiality, Integrity, and/or Availability.

https://github.com/tianocore/edk2/security/advisories/GHSA-xpcr-7hjq-m6qm
https://bugzilla.tianocore.org/show_bug.cgi?id=1993
https://github.com/tianocore/edk2/pull/6249


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38796
https://www.cve.org/CVERecord?id=CVE-2024-38796

Please adjust the affected versions in the BTS as needed.



Bug#1084054: nvidia-cuda-toolkit: CVE-2024-0123 CVE-2024-0124 CVE-2024-0125

2024-10-04 Thread Moritz Mühlenhoff
Source: nvidia-cuda-toolkit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for nvidia-cuda-toolkit.

CVE-2024-0123[0]:
| NVIDIA CUDA toolkit for Windows and Linux contains a vulnerability
| in the nvdisasm command line tool where an attacker may cause an
| improper input validation issue by tricking the user into running
| nvdisasm on a malicious ELF file. A successful exploit of this
| vulnerability may lead to denial of service.

CVE-2024-0124[1]:
| NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability
| in the nvdisasm command line tool, where a user can cause nvdisasm to
| read freed memory by running it on a malformed ELF file. A
| successful exploit of this vulnerability might lead to a limited
| denial of service.

CVE-2024-0125[2]:
| NVIDIA CUDA Toolkit for Windows and Linux contains a vulnerability
| in the nvdisasm command line tool, where a user can cause a NULL
| pointer dereference by running nvdisasm on a malformed ELF file. A
| successful exploit of this vulnerability might lead to a limited
| denial of service.

https://nvidia.custhelp.com/app/answers/detail/a_id/5577


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0123
https://www.cve.org/CVERecord?id=CVE-2024-0123
[1] https://security-tracker.debian.org/tracker/CVE-2024-0124
https://www.cve.org/CVERecord?id=CVE-2024-0124
[2] https://security-tracker.debian.org/tracker/CVE-2024-0125
https://www.cve.org/CVERecord?id=CVE-2024-0125

Please adjust the affected versions in the BTS as needed.



Bug#1083192: ckeditor: CVE-2024-43407

2024-10-02 Thread Moritz Mühlenhoff
Package: ckeditor
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ckeditor.

CVE-2024-43407[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A potential vulnerability has been discovered in CKEditor 4
| Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS
| attack by exploiting a flaw in the GeSHi syntax highlighter library
| hosted by the victim. The GeSHi library was included as a vendor
| dependency in CKEditor 4 source files. In a specific scenario, an
| attacker could craft a malicious script that could be executed by
| sending a request to the GeSHi library hosted on a PHP web server.
| The GeSHi library is no longer actively maintained. Due to the lack
| of ongoing support and updates, potential security vulnerabilities
| have been identified with its continued use. To mitigate these risks
| and enhance the overall security of the CKEditor 4, we have decided
| to completely remove the GeSHi library as a dependency. This change
| aims to maintain a secure environment and reduce the risk of any
| security incidents related to outdated or unsupported software. The
| fix is available in version 4.25.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv

Fixed by removing the plugins/codesnippetgeshi/dev directory completely:
https://github.com/ckeditor/ckeditor4/commit/71072c9f7f263329841bd38e7e5309074c82ef94
 (4.25.0-lts)
https://github.com/ckeditor/ckeditor4/commit/951e7d75fcbcaa2590b0719fb0bb0dd0539ca6fa
 (4.25.0-lts)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43407
https://www.cve.org/CVERecord?id=CVE-2024-43407

Please adjust the affected versions in the BTS as needed.



Bug#1083191: ruby3.2: CVE-2024-41123 CVE-2024-41946 CVE-2024-43398

2024-10-02 Thread Moritz Mühlenhoff
Package: ruby3.2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rexml, which is
bundled in Ruby:

CVE-2024-41123[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
| some DoS vulnerabilities when it parses an XML that has many
| specific characters such as whitespace character, `>]` and `]>`. The
| REXML gem 3.3.3 or later includes the patches to fix these
| vulnerabilities.

https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/


CVE-2024-41946[1]:
| REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
| vulnerability when it parses an XML that has many entity expansions
| with SAX2 or pull parser API. The REXML gem 3.3.3 or later includes
| the patch to fix the vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/


CVE-2024-43398[2]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a
| DoS vulnerability when it parses an XML that has many deep elements
| that have the same local name attributes. If you need to parse
| untrusted XMLs with tree parser API like REXML::Document.new, you may
| be impacted by this vulnerability. If you use other parser APIs such
| as the stream parser API and SAX2 parser API, you are not affected.
| The REXML gem 3.3.6 or later includes the patch to fix the
| vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41123
https://www.cve.org/CVERecord?id=CVE-2024-41123
[1] https://security-tracker.debian.org/tracker/CVE-2024-41946
https://www.cve.org/CVERecord?id=CVE-2024-41946
[2] https://security-tracker.debian.org/tracker/CVE-2024-43398
https://www.cve.org/CVERecord?id=CVE-2024-43398

Please adjust the affected versions in the BTS as needed.



Bug#1083190: ruby3.1: CVE-2024-41123 CVE-2024-41946 CVE-2024-43398

2024-10-02 Thread Moritz Mühlenhoff
Package: ruby3.1
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rexml, which is
bundled in Ruby:

CVE-2024-41123[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
| some DoS vulnerabilities when it parses an XML that has many
| specific characters such as whitespace character, `>]` and `]>`. The
| REXML gem 3.3.3 or later includes the patches to fix these
| vulnerabilities.

https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/


CVE-2024-41946[1]:
| REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
| vulnerability when it parses an XML that has many entity expansions
| with SAX2 or pull parser API. The REXML gem 3.3.3 or later includes
| the patch to fix the vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

CVE-2024-43398[2]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a
| DoS vulnerability when it parses an XML that has many deep elements
| that have the same local name attributes. If you need to parse
| untrusted XMLs with tree parser API like REXML::Document.new, you may
| be impacted by this vulnerability. If you use other parser APIs such
| as the stream parser API and SAX2 parser API, you are not affected.
| The REXML gem 3.3.6 or later includes the patch to fix the
| vulnerability.

https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41123
https://www.cve.org/CVERecord?id=CVE-2024-41123
[1] https://security-tracker.debian.org/tracker/CVE-2024-41946
https://www.cve.org/CVERecord?id=CVE-2024-41946
[2] https://security-tracker.debian.org/tracker/CVE-2024-43398
https://www.cve.org/CVERecord?id=CVE-2024-43398

Please adjust the affected versions in the BTS as needed.



Bug#1083189: sentry-python: CVE-2024-40647

2024-10-02 Thread Moritz Mühlenhoff
Package: sentry-python
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for sentry-python.

CVE-2024-40647[0]:
| sentry-sdk is the official Python SDK for Sentry.io. A bug in
| Sentry's Python SDK < 2.8.0 allows the environment variables to be
| passed to subprocesses despite the `env={}` setting. In Python's
| `subprocess` calls, all environment variables are passed to
| subprocesses by default. However, if you specifically do not want
| them to be passed to subprocesses, you may use `env` argument in
| `subprocess` calls. Due to the bug in Sentry SDK, with the Stdlib
| integration enabled (which is enabled by default), this expectation
| is not fulfilled, and all environment variables are being passed to
| subprocesses instead. The issue has been patched in pull request
| #3251 and is included in sentry-sdk==2.8.0. We strongly recommend
| upgrading to the latest SDK version. However, if it's not possible,
| and if passing environment variables to child processes poses a
| security risk for you, you can disable all default integrations.

https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2
https://github.com/getsentry/sentry-python/pull/3251
https://github.com/getsentry/sentry-python/commit/763e40aa4cb57ecced467f48f78f335c87e9bdff
 (2.8.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-40647
https://www.cve.org/CVERecord?id=CVE-2024-40647

Please adjust the affected versions in the BTS as needed.



Bug#1083188: podman: CVE-2024-3056

2024-10-02 Thread Moritz Mühlenhoff
Package: podman
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for podman.

CVE-2024-3056[0]:
| A flaw was found in Podman. This issue may allow an attacker to
| create a specially crafted container that, when configured to share
| the same IPC with at least one other container, can create a large
| number of IPC resources in /dev/shm. The malicious container will
| continue to exhaust resources until it is out-of-memory (OOM)
| killed. While the malicious container's cgroup will be removed, the
| IPC resources it created are not. Those resources are tied to the
| IPC namespace that will not be removed until all containers using it
| are stopped, and one non-malicious container is holding the
| namespace open. The malicious container is restarted, either
| automatically or by attacker control, repeating the process and
| increasing the amount of memory consumed. With a container
| configured to restart always, such as `podman run --restart=always`,
| this can result in a memory-based denial of service of the system.

https://bugzilla.redhat.com/show_bug.cgi?id=2270717


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3056
https://www.cve.org/CVERecord?id=CVE-2024-3056

Please adjust the affected versions in the BTS as needed.



Bug#1083185: rapidjson: CVE-2024-38517

2024-10-02 Thread Moritz Mühlenhoff
Package: rapidjson
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rapidjson.

CVE-2024-38517[0]:
| Tencent RapidJSON is vulnerable to privilege escalation due to an
| integer underflow in the `GenericReader::ParseNumber()` function of
| `include/rapidjson/reader.h` when parsing JSON text from a stream.
| An attacker needs to send the victim a crafted file which needs to
| be opened; this triggers the integer underflow vulnerability (when
| the file is parsed), leading to elevation of privilege.

https://github.com/Tencent/rapidjson/pull/1261


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38517
https://www.cve.org/CVERecord?id=CVE-2024-38517

Please adjust the affected versions in the BTS as needed.



Bug#1083184: golang-github-hashicorp-go-getter: CVE-2024-3817

2024-10-02 Thread Moritz Mühlenhoff
Package: golang-github-hashicorp-go-getter
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for golang-github-hashicorp-go-getter.

CVE-2024-3817[0]:
| HashiCorp’s go-getter library is vulnerable to argument injection
| when executing Git to discover remote branches. This vulnerability
| does not affect the go-getter/v2 branch and package.

https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3817
https://www.cve.org/CVERecord?id=CVE-2024-3817

Please adjust the affected versions in the BTS as needed.



Bug#1083187: rapidjson: CVE-2024-39684

2024-10-02 Thread Moritz Mühlenhoff
Package: rapidjson
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rapidjson.

CVE-2024-39684[0]:
| Tencent RapidJSON is vulnerable to privilege escalation due to an
| integer overflow in the `GenericReader::ParseNumber()` function of
| `include/rapidjson/reader.h` when parsing JSON text from a stream.
| An attacker needs to send the victim a crafted file which needs to
| be opened; this triggers the integer overflow vulnerability (when
| the file is parsed), leading to elevation of privilege.

https://github.com/Tencent/rapidjson/issues/2289


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39684
https://www.cve.org/CVERecord?id=CVE-2024-39684

Please adjust the affected versions in the BTS as needed.



Bug#1083029: mplayer: security issue: Unchecked Return Value to NULL Pointer Dereference

2024-09-30 Thread Moritz Mühlenhoff
On Mon, Sep 30, 2024 at 12:26:00PM +0200, Lorenzo Puliti wrote:
> a patch is available (see the link above), I don't think a CVE is
> assigned yet.

No need, standard crashes of end user applications are not treated
as security issues, but standard bugs and don't need a CVE.

Cheers,
Moritz



Bug#1082902: bookworm-pu: package nghttp2/1.52.0-1+deb12u2

2024-09-28 Thread Moritz Mühlenhoff
On Sat, Sep 28, 2024 at 02:38:29AM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Tomasz Buchert 
> 
>   * CVE-2024-28182: unbounded number of HTTP/2 CONTINUATION frames DoS
> (Closes: #1068415)
>   * nghttp2_option_set_stream_reset_rate_limit was added in
> 1.52.0-1+deb12u1, add to debian/libnghttp2-14.symbols
> 
> Tagged moreinfo, as question to the security team whether they want
> this in -pu or as DSA.

pu is fine, thanks!

Cheers,
Moritz



Bug#1082855: heat: CVE-2024-7319

2024-09-27 Thread Moritz Mühlenhoff
Source: heat
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for heat.

CVE-2024-7319[0]:
| An incomplete fix for CVE-2023-1625 was found in openstack-heat.
| Sensitive information may possibly be disclosed through the
| OpenStack stack abandon command with the hidden feature set to True
| and the CVE-2023-1625 fix applied.

https://storyboard.openstack.org/#!/story/2011007


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7319
https://www.cve.org/CVERecord?id=CVE-2024-7319

Please adjust the affected versions in the BTS as needed.



Bug#1082854: undertow: CVE-2024-7885

2024-09-27 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-7885[0]:
| A vulnerability was found in Undertow where the
| ProxyProtocolReadListener reuses the same StringBuilder instance
| across multiple requests. This issue occurs when the
| parseProxyProtocolV1 method processes multiple requests on the same
| HTTP connection. As a result, different requests may share the same
| StringBuilder instance, potentially leading to information leakage
| between requests or responses. In some cases, a value from a
| previous request or response may be erroneously reused, which could
| lead to unintended data exposure. This issue primarily results in
| errors and connection termination but creates a risk of data leakage
| in multi-request environments.

https://bugzilla.redhat.com/show_bug.cgi?id=2305290


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7885
https://www.cve.org/CVERecord?id=CVE-2024-7885

Please adjust the affected versions in the BTS as needed.



Bug#1082861: opensc: CVE-2024-45617

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45617[0]:
| A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module,
| minidriver, and CTK. An attacker could use a crafted USB Device or
| Smart Card, which would present the system with a specially crafted
| response to APDUs. Insufficient or missing checking of return
| values of functions leads to unexpected work with variables that
| have not been initialized.

https://bugzilla.redhat.com/show_bug.cgi?id=2309286


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45617
https://www.cve.org/CVERecord?id=CVE-2024-45617

Please adjust the affected versions in the BTS as needed.
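The OpenSC description above is a chain of two weaknesses: a return value that is not checked, followed by use of a variable the failed call never initialised. The example below is added here and is not OpenSC code: the card, the transmit routine and the "read serial" command are stand-ins (a fake card that replays attacker-chosen bytes), and the function names are invented. The status-word convention is the real ISO 7816 one (0x9000 means success). It shows the unchecked read beside a version that treats a transport error, a non-success status word and a short response as three separate failures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a reader/card: replays whatever the (attacker-controlled) card
 * chooses to send, or fails outright like a transport error would. Not OpenSC code. */
typedef struct {
    const uint8_t *reply;
    size_t reply_len;
    bool transport_error;
} fake_card_t;

/* Mimics a transmit routine: < 0 on error, in which case resp/resp_len are NOT written. */
int fake_transmit(const fake_card_t *card, uint8_t *resp, size_t cap, size_t *resp_len)
{
    if (card->transport_error)
        return -1;
    size_t n = card->reply_len < cap ? card->reply_len : cap;
    memcpy(resp, card->reply, n);
    *resp_len = n;
    return 0;
}

/* ISO 7816 status word: the last two bytes of a response (caller ensures resp_len >= 2). */
static uint16_t status_word(const uint8_t *resp, size_t resp_len)
{
    return (uint16_t)((resp[resp_len - 2] << 8) | resp[resp_len - 1]);
}

/* Vulnerable pattern (unchecked return value -> use of uninitialised variable):
 * the return code is discarded, so on failure resp[] holds stack garbage, and on a
 * short response resp[0..1] may be the status word rather than data. Shown for
 * contrast only; do not call it with a failing or short card. */
uint16_t read_serial_unchecked(const fake_card_t *card)
{
    uint8_t resp[258];
    size_t resp_len;
    fake_transmit(card, resp, sizeof resp, &resp_len);
    return (uint16_t)((resp[0] << 8) | resp[1]);
}

/* Hardened: initialise what the callee may not write, check the return code, check the
 * status word, and check that enough data bytes precede it before indexing them. */
bool read_serial_checked(const fake_card_t *card, uint16_t *serial)
{
    uint8_t resp[258] = {0};
    size_t resp_len = 0;
    if (fake_transmit(card, resp, sizeof resp, &resp_len) < 0)
        return false;                       /* transport error: nothing valid in resp */
    if (resp_len < 2 || status_word(resp, resp_len) != 0x9000)
        return false;                       /* no status word, or the card reported an error */
    if (resp_len - 2 < 2)
        return false;                       /* fewer data bytes than the serial needs */
    *serial = (uint16_t)((resp[0] << 8) | resp[1]);
    return true;
}

/* Constructed card replies (not captured traffic). */
const uint8_t reply_ok[]        = { 0xab, 0xcd, 0x90, 0x00 };  /* 2 data bytes + SW 9000 */
const uint8_t reply_not_found[] = { 0xab, 0xcd, 0x6a, 0x82 };  /* SW 6A82: file not found */
const uint8_t reply_no_data[]   = { 0x90, 0x00 };              /* success, but zero data bytes */

int main(void)
{
    fake_card_t cards[] = {
        { reply_ok, sizeof reply_ok, false },
        { reply_not_found, sizeof reply_not_found, false },
        { reply_no_data, sizeof reply_no_data, false },
        { NULL, 0, true },
    };
    for (size_t i = 0; i < sizeof cards / sizeof cards[0]; i++) {
        uint16_t serial = 0;
        if (read_serial_checked(&cards[i], &serial))
            printf("card %zu: serial 0x%04x\n", i, serial);
        else
            printf("card %zu: rejected\n", i);
    }
    return 0;
}
```

The zero-initialisation of `resp` and `resp_len` is defence in depth, not the fix: with the return code checked the initial values are never read, but if a later refactor drops the check, a zeroed buffer fails closed instead of leaking stack contents.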



Bug#1082869: bluez: CVE-2023-51592

2024-09-27 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-51592[0]:
| BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read
| Information Disclosure Vulnerability. This vulnerability allows
| network-adjacent attackers to disclose sensitive information via
| Bluetooth on affected installations of BlueZ. User interaction is
| required to exploit this vulnerability in that the target must
| connect to a malicious device.  The specific flaw exists within the
| handling of the AVRCP protocol. The issue results from the lack of
| proper validation of user-supplied data, which can result in a read
| past the end of an allocated buffer. An attacker can leverage this
| in conjunction with other vulnerabilities to execute arbitrary code
| in the context of root. Was ZDI-CAN-20854.

It's not clear whether this has been properly reported upstream:
https://www.zerodayinitiative.com/advisories/ZDI-23-1905/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51592
https://www.cve.org/CVERecord?id=CVE-2023-51592

Please adjust the affected versions in the BTS as needed.
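The ZDI text above gives the general shape of the BlueZ bug: a length supplied by the peer is trusted when the folder name is copied out of an AVRCP browsing response, so the read runs past the end of the received buffer. The example below is added here and is not BlueZ code; it uses a simplified, hypothetical folder-item layout and invented function names, and shows the over-reading parser beside one that accounts for the bytes actually remaining in the packet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified, hypothetical layout of one AVRCP browsing folder-item body
 * (not BlueZ's real structures; the real format carries a type/length prefix
 * and more fields):
 *   uid[8] | folder_type | playable | charset(BE16) | name_len(BE16) | name[name_len]
 */
#define FOLDER_BODY_FIXED 14u

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable pattern: name_len comes from the remote device and is bounded only by
 * the caller's destination buffer, never by how many bytes the packet carries, so the
 * memcpy reads past the end of buf. Shown for contrast; only call it on well-formed input. */
size_t parse_media_folder_unchecked(const uint8_t *buf, size_t len,
                                    char *name, size_t name_cap)
{
    (void)len;                                   /* the packet length is never consulted */
    uint16_t name_len = be16(buf + 12);
    size_t n = name_len < name_cap ? name_len : name_cap - 1;
    memcpy(name, buf + FOLDER_BODY_FIXED, n);   /* out-of-bounds read when n > len - 14 */
    name[n] = '\0';
    return FOLDER_BODY_FIXED + name_len;
}

/* Hardened: every read is checked against the bytes remaining in the packet first. */
size_t parse_media_folder_checked(const uint8_t *buf, size_t len,
                                  char *name, size_t name_cap)
{
    if (len < FOLDER_BODY_FIXED)
        return 0;                                /* truncated fixed part */
    uint16_t name_len = be16(buf + 12);
    if (name_len > len - FOLDER_BODY_FIXED)
        return 0;                                /* name claims more bytes than are present */
    if (name_len >= name_cap)
        return 0;                                /* would not fit, terminator included */
    memcpy(name, buf + FOLDER_BODY_FIXED, name_len);
    name[name_len] = '\0';
    return FOLDER_BODY_FIXED + name_len;         /* bytes consumed, so the caller can advance */
}

/* Walks a list of items with the same remaining-length discipline; returns the number
 * of items parsed before the first malformed one. */
size_t count_media_folders(const uint8_t *buf, size_t len, size_t num_items)
{
    char name[64];
    size_t parsed = 0;
    while (parsed < num_items) {
        size_t used = parse_media_folder_checked(buf, len, name, sizeof name);
        if (used == 0)
            break;
        buf += used;
        len -= used;
        parsed++;
    }
    return parsed;
}

/* Constructed sample responses (not captured traffic). */
const uint8_t sample_folder_ok[] = {
    1, 2, 3, 4, 5, 6, 7, 8,      /* uid */
    0x01, 0x01,                  /* folder_type, playable */
    0x00, 0x6a,                  /* charset: UTF-8 */
    0x00, 0x05, 'M', 'u', 's', 'i', 'c'
};
const size_t sample_folder_ok_len = sizeof sample_folder_ok;

/* Same item, but name_len says 256 while only five name bytes follow. */
const uint8_t sample_folder_bad[] = {
    1, 2, 3, 4, 5, 6, 7, 8, 0x01, 0x01, 0x00, 0x6a,
    0x01, 0x00, 'M', 'u', 's', 'i', 'c'
};
const size_t sample_folder_bad_len = sizeof sample_folder_bad;

int main(void)
{
    char name[64];
    size_t used = parse_media_folder_checked(sample_folder_ok, sample_folder_ok_len,
                                             name, sizeof name);
    printf("ok packet: consumed %zu bytes, name=\"%s\"\n", used, name);
    used = parse_media_folder_checked(sample_folder_bad, sample_folder_bad_len,
                                      name, sizeof name);
    printf("bad packet: consumed %zu bytes (0 = rejected)\n", used);
    return 0;
}
```

The two comparisons in the checked parser are ordered so that `len - FOLDER_BODY_FIXED` can never underflow: the fixed-part check comes first, and the name length is compared against the remainder rather than adding it to an offset that could wrap.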



Bug#1082871: jupyterlab: CVE-2024-43805

2024-09-27 Thread Moritz Mühlenhoff
Package: jupyterlab
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterlab.

CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-
| extension:plugin` - users will lose the ability to preview mathematical
| equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users
| will lose the ability to open Markdown previews. 3.
| `@jupyterlab/mathjax2-extension:plugin` (if installed with optional
| `jupyterlab-mathjax2` package) - an older version of the mathjax
| plugin for JupyterLab 4.x. To disable these extensions run:
| ```jupyter labextension disable @jupyterlab/markdownviewer-
| extension:plugin && jupyter labextension disable
| @jupyterlab/mathjax-extension:plugin && jupyter labextension disable
| @jupyterlab/mathjax2-extension:plugin ``` in bash.

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
https://www.cve.org/CVERecord?id=CVE-2024-43805

Please adjust the affected versions in the BTS as needed.



Bug#1081907: vte: CVE-2024-37535

2024-09-27 Thread Moritz Mühlenhoff
Am Sun, Sep 15, 2024 at 11:03:42PM +0100 schrieb Simon McVittie:
> On Sun, 15 Sep 2024 at 23:18:53 +0200, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for vte. This is already addressed
> > in vte2.91, but also filing this for completeness for the deprecated source
> > package:
> > 
> > CVE-2024-37535[0]:
> > | GNOME VTE before 0.76.3 allows an attacker to cause a denial of
> > | service (memory consumption) via a window resize escape sequence, a
> > | related issue to CVE-2000-0476.
> 
> I think this is wontfix. The only reason why the GTK2-based vte is still
> in Debian at all is for the benefit of debian-installer, which hasn't
> caught up with GTK3 yet.
> 
> In principle we could remove the .deb and leave only the .udeb, but I think
> that would make it harder to test vte, so is probably not a great idea.
> 
> It would probably make sense to add vte to the list of packages that don't
> have security support.

Thanks for the notice, I missed that the only reverse dependency is
d-i, which has no real attack surface for this bug. As such, I'll mark
it as unimportant in the security tracker.

Feel free to mark the bug as wontfix or even close it, both seem fine
(there's a public reference in the Security Tracker anyway).

Cheers,
Moritz



Bug#1082853: opensc: CVE-2024-8443

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-8443[0]:
| A heap-based buffer overflow vulnerability was found in the
| libopensc OpenPGP driver. A crafted USB device or smart card with
| malicious responses to the APDUs during the card enrollment process
| using the `pkcs15-init` tool may lead to out-of-bound rights,
| possibly resulting in arbitrary code execution.

https://bugzilla.redhat.com/show_bug.cgi?id=2310494


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8443
https://www.cve.org/CVERecord?id=CVE-2024-8443

Please adjust the affected versions in the BTS as needed.



Bug#1082852: 389-ds-base: CVE-2024-8445

2024-09-27 Thread Moritz Mühlenhoff
Source: 389-ds-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2024-8445[0]:
| The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover
| all scenarios. In certain product versions, an authenticated user
| may cause a server crash while modifying `userPassword` using
| malformed input.

https://bugzilla.redhat.com/show_bug.cgi?id=2310110

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8445
https://www.cve.org/CVERecord?id=CVE-2024-8445

Please adjust the affected versions in the BTS as needed.



Bug#1082872: jupyter-notebook: CVE-2024-43805

2024-09-27 Thread Moritz Mühlenhoff
Package: jupyter-notebook
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-
| extension:plugin` - users will lose ability to preview mathematical
| equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users
| will lose ability to open Markdown previews. 3.
| `@jupyterlab/mathjax2-extension:plugin` (if installed with optional
| `jupyterlab-mathjax2` package) - an older version of the mathjax
| plugin for JupyterLab 4.x. To disable these extensions run:
| ```jupyter labextension disable @jupyterlab/markdownviewer-
| extension:plugin && jupyter labextension disable
| @jupyterlab/mathjax-extension:plugin && jupyter labextension disable
| @jupyterlab/mathjax2-extension:plugin ``` in bash.

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
https://www.cve.org/CVERecord?id=CVE-2024-43805

Please adjust the affected versions in the BTS as needed.



Bug#1082874: ruby-fugit: CVE-2024-43380

2024-09-27 Thread Moritz Mühlenhoff
Source: ruby-fugit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-fugit.

CVE-2024-43380[0]:
| fugit contains time tools for flor and the floraison group. The
| fugit "natural" parser, that turns "every wednesday at 5pm" into "0
| 17 * * 3", accepted any length of input and went on attempting to
| parse it, not returning promptly, as expected. The parse call could
| hold the thread with no end in sight. Fugit dependents that do not
| check (user) input length for plausibility are impacted. A fix was
| released in fugit 1.11.1.

https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
https://github.com/floraison/fugit/issues/104
https://github.com/floraison/fugit/commit/6a7527497c0bb9196efe503e3d9b5271128a8ee1
 (v1.11.1)
https://github.com/floraison/fugit/commit/2a11805444d9ed036ee8570b88cd2b6df450ee84
 (v1.11.1)
https://github.com/floraison/fugit/commit/a9a262873450eaf5671747f846a6ec1e5f7d87c1
 (v1.11.1)
https://github.com/floraison/fugit/commit/025ad7bb76590d3360750d5617b235a23908e5bb
 (v1.11.1)
https://github.com/floraison/fugit/commit/767ef550281bcdc8782233840f98cf8487340476
 (v1.11.1)
https://github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5
 (v1.11.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43380
https://www.cve.org/CVERecord?id=CVE-2024-43380

Please adjust the affected versions in the BTS as needed.
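The check described above, as an added example that is not fugit's code: a deliberately bounded "natural" schedule parser of the kind the CVE text describes, turning a phrase such as "every wednesday at 5pm" into the cron form "0 17 * * 3". It shows the plausibility check fugit dependents were expected to make: cap the input length before any parsing work, and match with an anchored regular expression whose quantifiers are all bounded, so the work done is proportional to the cap rather than to whatever the caller sends. The 64-character cap and all names are assumptions.

```python
"""Bounded natural-language schedule parser (added example, not fugit's code).
The length cap and all names are assumptions for illustration."""
import re

MAX_SCHEDULE_LEN = 64  # assumption: comfortably longer than any real phrase

_DAYS = {
    "sunday": 0, "monday": 1, "tuesday": 2, "wednesday": 3,
    "thursday": 4, "friday": 5, "saturday": 6,
}

# Anchored via fullmatch() and every quantifier bounded: no ".*", no "\s+".
_PATTERN = re.compile(
    r"every (?P<day>[a-z]{6,9}) at (?P<hour>[0-9]{1,2})(?P<ampm>am|pm)?",
    re.ASCII,
)


class ScheduleError(ValueError):
    """Raised for input that is too long or is not a recognised schedule."""


def parse_natural(text: str) -> str:
    """Return a five-field cron line for "every <weekday> at <hour>[am|pm]"."""
    # The length check comes first, before any regex or string work.
    if len(text) > MAX_SCHEDULE_LEN:
        raise ScheduleError(f"schedule text longer than {MAX_SCHEDULE_LEN} characters")
    m = _PATTERN.fullmatch(text.strip().lower())
    if m is None:
        raise ScheduleError("unrecognised schedule phrase")
    day = _DAYS.get(m.group("day"))
    if day is None:
        raise ScheduleError(f"unknown weekday {m.group('day')!r}")
    hour = int(m.group("hour"))
    ampm = m.group("ampm")
    if ampm:
        if not 1 <= hour <= 12:
            raise ScheduleError("12-hour clock needs an hour from 1 to 12")
        hour = hour % 12 + (12 if ampm == "pm" else 0)
    elif hour > 23:
        raise ScheduleError("24-hour clock needs an hour from 0 to 23")
    return f"0 {hour} * * {day}"


def accepts(text: str) -> bool:
    """True if the phrase parses; shows that over-long input is rejected cheaply."""
    try:
        parse_natural(text)
        return True
    except ScheduleError:
        return False


if __name__ == "__main__":
    print(parse_natural("every wednesday at 5pm"))            # 0 17 * * 3
    print(accepts("every wednesday at 5pm" + " x" * 10000))    # False, no parsing done
```

The cap is the cheap part; the bounded, anchored pattern is what keeps the cost predictable even for input that stays under the cap.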



Bug#1082875: invesalius: CVE-2024-42845

2024-09-27 Thread Moritz Mühlenhoff
Source: invesalius
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for invesalius.

CVE-2024-42845[0]:
| An eval Injection vulnerability in the component
| invesalius/reader/dicom.py of InVesalius 3.1.1 through 3.1.8
| allows attackers to execute arbitrary code via loading a crafted
| DICOM file.

Not sure if that has actually been reported upstream; currently the only
reference is
https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42845
https://www.cve.org/CVERecord?id=CVE-2024-42845

Please adjust the affected versions in the BTS as needed.
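The pattern named in the CVE text, as an added example that is not InVesalius's code: two ways of turning a DICOM tag value held as a string into a Python object. The unsafe one uses eval(), so an expression placed in the tag by a crafted file is executed on load; the hardened one uses ast.literal_eval(), which accepts only Python literals and raises on anything else, and then checks the shape of the result before it is used. The tag values are constructed samples and the function names are assumptions.

```python
"""eval() versus ast.literal_eval() for string-encoded tag values
(added example, not InVesalius's code; names and samples are constructed)."""
import ast

# Constructed sample tag values as strings, e.g. a position stored as a tuple.
SAMPLE_TAGS = {
    "ImagePositionPatient": "(-125.0, -125.0, 87.5)",
    "PixelSpacing": "[0.488, 0.488]",
}
# Constructed non-literal value: harmless here, but eval() would run any expression.
EXPRESSION_VALUE = "len('not a literal')"


def unsafe_tag_value(raw: str):
    # Vulnerable pattern, kept only for comparison: eval() executes arbitrary code.
    return eval(raw)


def safe_tag_value(raw: str):
    """Parse a literal; return None for anything that is not a plain literal."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return None


def parse_image_position(raw: str):
    """Literal parsing plus a shape check: exactly three real numbers, as floats."""
    value = safe_tag_value(raw)
    if (isinstance(value, (tuple, list)) and len(value) == 3
            and all(isinstance(v, (int, float)) and not isinstance(v, bool)
                    for v in value)):
        return tuple(float(v) for v in value)
    return None


if __name__ == "__main__":
    print(unsafe_tag_value(EXPRESSION_VALUE))   # 13: the expression ran
    print(safe_tag_value(EXPRESSION_VALUE))     # None: refused, nothing ran
    print(parse_image_position(SAMPLE_TAGS["ImagePositionPatient"]))
```

literal_eval alone still returns arbitrary nested literals, so the shape check after it is what turns "parsed" into "validated".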



Bug#1082862: opensc: CVE-2024-45618

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45618[0]:
| A vulnerability was found in pkcs15-init in OpenSC. An attacker
| could use a crafted USB Device or Smart Card, which would present
| the system with a specially crafted response to APDUs.
| Insufficient or missing checking of return values of functions leads
| to unexpected work with variables that have not been initialized.

https://bugzilla.redhat.com/show_bug.cgi?id=2309287


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45618
https://www.cve.org/CVERecord?id=CVE-2024-45618

Please adjust the affected versions in the BTS as needed.



Bug#1082868: dogtag-pki: CVE-2023-4727

2024-09-27 Thread Moritz Mühlenhoff
Source: dogtag-pki
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for dogtag-pki.

CVE-2023-4727[0]:
| A flaw was found in dogtag-pki and pki-core. The token
| authentication scheme can be bypassed with a LDAP injection. By
| passing the query string parameter sessionID=*, an attacker can
| authenticate with an existing session saved in the LDAP directory
| server, which may lead to escalation of privilege.

https://bugzilla.redhat.com/show_bug.cgi?id=2232218


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4727
https://www.cve.org/CVERecord?id=CVE-2023-4727

Please adjust the affected versions in the BTS as needed.
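The filter construction the CVE text describes, as an added example that is not dogtag-pki's code: an LDAP equality filter built from an untrusted session id, beside a hardened version that escapes the RFC 4515 filter metacharacters so that a value of "*" matches only a literal asterisk. A small in-memory evaluator shows the difference in effect, and a check for unescaped wildcards can be run over filters seen in logs. The function names, the attribute name "sessionID" and the session table are assumptions and constructed samples; only the escaping rules come from RFC 4515.

```python
"""LDAP filter injection: verbatim interpolation versus RFC 4515 escaping
(added example, not dogtag-pki's code; names and data are constructed)."""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed sample directory: session id -> authenticated user.
SESSIONS = {"a1b2c3": "alice", "d4e5f6": "bob"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_session_filter(session_id: str) -> str:
    # Vulnerable pattern: the caller-controlled value is interpolated verbatim,
    # so a value of "*" turns the equality match into a match-anything.
    return f"(sessionID={session_id})"


def safe_session_filter(session_id: str) -> str:
    return f"(sessionID={escape_filter_value(session_id)})"


def has_unescaped_wildcard(ldap_filter: str) -> bool:
    """Detection check for logged filters: an unescaped '*' in the filter."""
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3            # skip a \XX escape sequence
            continue
        if ldap_filter[i] == "*":
            return True
        i += 1
    return False


def _value_to_regex(value: str) -> str:
    """Translate a filter value into a regex with LDAP wildcard semantics."""
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 3 <= len(value):
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def matching_users(ldap_filter: str, sessions=SESSIONS) -> list:
    """Evaluate a single "(sessionID=value)" filter against the session table."""
    m = re.fullmatch(r"\(sessionID=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("only a single sessionID equality filter is supported")
    pattern = re.compile(_value_to_regex(m.group(1)))
    return [user for sid, user in sessions.items() if pattern.fullmatch(sid)]


if __name__ == "__main__":
    print(matching_users(unsafe_session_filter("*")))   # ['alice', 'bob']: any session
    print(matching_users(safe_session_filter("*")))     # []: a literal '*' only
```

Real directory clients should use their library's escaping helper rather than a hand-written table, but the table above is the complete RFC 4515 set and makes the mechanism visible.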



Bug#1082870: bluez: CVE-2023-51594

2024-09-27 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-51594[0]:
| BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure
| Vulnerability. This vulnerability allows network-adjacent attackers
| to disclose sensitive information on affected installations of
| BlueZ. User interaction is required to exploit this vulnerability in
| that the target must connect to a malicious Bluetooth device.  The
| specific flaw exists within the handling of OBEX protocol
| parameters. The issue results from the lack of proper validation of
| user-supplied data, which can result in a read past the end of an
| allocated buffer. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-20937.

It's not clear whether this has been properly reported upstream:
https://www.zerodayinitiative.com/advisories/ZDI-23-1901/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51594
https://www.cve.org/CVERecord?id=CVE-2023-51594

Please adjust the affected versions in the BTS as needed.



Bug#1082866: intel-mediasdk: CVE-2023-22656 CVE-2023-45221 CVE-2023-47169 CVE-2023-47282 CVE-2023-48368 CVE-2023-48727

2024-09-27 Thread Moritz Mühlenhoff
Source: intel-mediasdk
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for intel-mediasdk.

CVE-2023-22656[0]:
| Out-of-bounds read in Intel(R) Media SDK and some Intel(R) oneVPL
| software before version 23.3.5 may allow an authenticated user to
| potentially enable escalation of privilege via local access.

CVE-2023-45221[1]:
| Improper buffer restrictions in Intel(R) Media SDK all versions may
| allow an authenticated user to potentially enable escalation of
| privilege via local access.

CVE-2023-47169[2]:
| Improper buffer restrictions in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-47282[3]:
| Out-of-bounds write in Intel(R) Media SDK all versions and some
| Intel(R) oneVPL software before version 23.3.5 may allow an
| authenticated user to potentially enable escalation of privilege via
| local access.

CVE-2023-48368[4]:
| Improper input validation in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-48727[5]:
| NULL pointer dereference in some Intel(R) oneVPL software before
| version 23.3.5 may allow an authenticated user to potentially enable
| information disclosure via local access.

Sadly there's no specific information, just the very high level advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22656
https://www.cve.org/CVERecord?id=CVE-2023-22656
[1] https://security-tracker.debian.org/tracker/CVE-2023-45221
https://www.cve.org/CVERecord?id=CVE-2023-45221
[2] https://security-tracker.debian.org/tracker/CVE-2023-47169
https://www.cve.org/CVERecord?id=CVE-2023-47169
[3] https://security-tracker.debian.org/tracker/CVE-2023-47282
https://www.cve.org/CVERecord?id=CVE-2023-47282
[4] https://security-tracker.debian.org/tracker/CVE-2023-48368
https://www.cve.org/CVERecord?id=CVE-2023-48368
[5] https://security-tracker.debian.org/tracker/CVE-2023-48727
https://www.cve.org/CVERecord?id=CVE-2023-48727

Please adjust the affected versions in the BTS as needed.



Bug#1082867: onevpl: CVE-2023-22656 CVE-2023-45221 CVE-2023-47169 CVE-2023-47282 CVE-2023-48368 CVE-2023-48727

2024-09-27 Thread Moritz Mühlenhoff
Source: onevpl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for onevpl.

CVE-2023-22656[0]:
| Out-of-bounds read in Intel(R) Media SDK and some Intel(R) oneVPL
| software before version 23.3.5 may allow an authenticated user to
| potentially enable escalation of privilege via local access.

CVE-2023-45221[1]:
| Improper buffer restrictions in Intel(R) Media SDK all versions may
| allow an authenticated user to potentially enable escalation of
| privilege via local access.

CVE-2023-47169[2]:
| Improper buffer restrictions in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-47282[3]:
| Out-of-bounds write in Intel(R) Media SDK all versions and some
| Intel(R) oneVPL software before version 23.3.5 may allow an
| authenticated user to potentially enable escalation of privilege via
| local access.

CVE-2023-48368[4]:
| Improper input validation in Intel(R) Media SDK software all
| versions may allow an authenticated user to potentially enable
| denial of service via local access.

CVE-2023-48727[5]:
| NULL pointer dereference in some Intel(R) oneVPL software before
| version 23.3.5 may allow an authenticated user to potentially enable
| information disclosure via local access.

Sadly there's no specific information, just the very high level advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22656
https://www.cve.org/CVERecord?id=CVE-2023-22656
[1] https://security-tracker.debian.org/tracker/CVE-2023-45221
https://www.cve.org/CVERecord?id=CVE-2023-45221
[2] https://security-tracker.debian.org/tracker/CVE-2023-47169
https://www.cve.org/CVERecord?id=CVE-2023-47169
[3] https://security-tracker.debian.org/tracker/CVE-2023-47282
https://www.cve.org/CVERecord?id=CVE-2023-47282
[4] https://security-tracker.debian.org/tracker/CVE-2023-48368
https://www.cve.org/CVERecord?id=CVE-2023-48368
[5] https://security-tracker.debian.org/tracker/CVE-2023-48727
https://www.cve.org/CVERecord?id=CVE-2023-48727

Please adjust the affected versions in the BTS as needed.



Bug#1082864: opensc: CVE-2024-45620

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45620[0]:
| A vulnerability was found in the pkcs15-init tool in OpenSC. An
| attacker could use a crafted USB Device or Smart Card, which would
| present the system with a specially crafted response to APDUs. When
| buffers are partially filled with data, initialized parts of the
| buffer can be incorrectly accessed.

https://bugzilla.redhat.com/show_bug.cgi?id=2309289


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45620
https://www.cve.org/CVERecord?id=CVE-2024-45620

Please adjust the affected versions in the BTS as needed.



Bug#1082865: runc: CVE-2024-45310

2024-09-27 Thread Moritz Mühlenhoff
Source: runc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for runc.

CVE-2024-45310[0]:
| runc is a CLI tool for spawning and running containers according to
| the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2
| and earlier, can be tricked into creating empty files or directories
| in arbitrary locations in the host filesystem by sharing a volume
| between two containers and exploiting a race with `os.MkdirAll`.
| While this could be used to create empty files, existing files would
| not be truncated. An attacker must have the ability to start
| containers using some kind of custom volume configuration.
| Containers using user namespaces are still affected, but the scope
| of places an attacker can create inodes can be significantly
| reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can
| also in principle block this attack -- we suspect the industry
| standard SELinux policy may restrict this attack's scope but the
| exact scope of protection hasn't been analysed. This is exploitable
| using runc directly as well as through Docker and Kubernetes. The
| issue is fixed in runc v1.1.14 and v1.2.0-rc3.  Some workarounds are
| available. Using user namespaces restricts this attack fairly
| significantly such that the attacker can only create inodes in
| directories that the remapped root user/group has write access to.
| Unless the root user is remapped to an actual user on the host (such
| as with rootless containers that don't use `/etc/sub[ug]id`), this
| in practice means that an attacker would only be able to create
| inodes in world-writable directories. A strict enough SELinux or
| AppArmor policy could in principle also restrict the scope if a
| specific label is applied to the runc runtime, though neither the
| extent to which the standard existing policies block this attack nor
| what exact policies are needed to sufficiently restrict this attack
| have been thoroughly tested.

https://www.openwall.com/lists/oss-security/2024/09/03/1
https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45310
https://www.cve.org/CVERecord?id=CVE-2024-45310

Please adjust the affected versions in the BTS as needed.



Bug#1082863: opensc: CVE-2024-45619

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45619[0]:
| A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module,
| minidriver, and CTK. An attacker could use a crafted USB Device or
| Smart Card, which would present the system with a specially crafted
| response to APDUs. When buffers are partially filled with data,
| initialized parts of the buffer can be incorrectly accessed.

https://bugzilla.redhat.com/show_bug.cgi?id=2309288


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45619
https://www.cve.org/CVERecord?id=CVE-2024-45619

Please adjust the affected versions in the BTS as needed.



Bug#1082860: opensc: CVE-2024-45616

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45616[0]:
| A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module,
| minidriver, and CTK. An attacker could use a crafted USB Device or
| Smart Card, which would present the system with a specially crafted
| response to APDUs. The following problems were caused by
| insufficient control of the response APDU buffer and its length when
| communicating with the card.

https://bugzilla.redhat.com/show_bug.cgi?id=2309290


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45616
https://www.cve.org/CVERecord?id=CVE-2024-45616

Please adjust the affected versions in the BTS as needed.



Bug#1082859: opensc: CVE-2024-45615

2024-09-27 Thread Moritz Mühlenhoff
Source: opensc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opensc.

CVE-2024-45615[0]:
| A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module,
| minidriver, and CTK. The problem is missing initialization of
| variables expected to be initialized (as arguments to other
| functions, etc.).

https://bugzilla.redhat.com/show_bug.cgi?id=2309285


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45615
https://www.cve.org/CVERecord?id=CVE-2024-45615

Please adjust the affected versions in the BTS as needed.



Bug#1082857: assimp: CVE-2024-46632

2024-09-27 Thread Moritz Mühlenhoff
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for assimp.

CVE-2024-46632[0]:
| Assimp v5.4.3 is vulnerable to Buffer Overflow via the
| MD5Importer::LoadMD5MeshFile function.

https://github.com/assimp/assimp/issues/5771


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-46632
https://www.cve.org/CVERecord?id=CVE-2024-46632

Please adjust the affected versions in the BTS as needed.



Bug#1082856: grpc: CVE-2024-7246

2024-09-27 Thread Moritz Mühlenhoff
Source: grpc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for grpc.

CVE-2024-7246[0]:
| It's possible for a gRPC client communicating with a HTTP/2 proxy to
| poison the HPACK table between the proxy and the backend such that
| other clients see failed requests. It's also possible to use this
| vulnerability to leak other clients HTTP header keys, but not
| values.  This occurs because the error status for a misencoded
| header is not cleared between header reads, resulting in subsequent
| (incrementally indexed) added headers in the first request being
| poisoned until cleared from the HPACK table.  Please update to a
| fixed version of gRPC as soon as possible. This bug has been fixed
| in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4.

https://github.com/grpc/grpc/issues/36245


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7246
https://www.cve.org/CVERecord?id=CVE-2024-7246

Please adjust the affected versions in the BTS as needed.



Bug#1082848: freeimage: CVE-2024-9029

2024-09-27 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2024-9029[0]:
| A flaw was found in freeimage library. Processing a crafted image
| can cause a buffer over-read of 1 byte in the read_iptc_profile
| function in the Source/Metadata/IPTC.cpp file because the size of
| the profile is not being sanitized, causing a crash in the
| application linked to the library, resulting in a denial of service.

https://sourceforge.net/p/freeimage/bugs/351/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9029
https://www.cve.org/CVERecord?id=CVE-2024-9029

Please adjust the affected versions in the BTS as needed.



Bug#1082851: ansible-core: CVE-2024-8775

2024-09-27 Thread Moritz Mühlenhoff
Source: ansible-core
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ansible-core.

CVE-2024-8775[0]:
| A flaw was found in Ansible, where sensitive information stored in
| Ansible Vault files can be exposed in plaintext during the execution
| of a playbook. This occurs when using tasks such as include_vars to
| load vaulted variables without setting the no_log: true parameter,
| resulting in sensitive data being printed in the playbook output or
| logs. This can lead to the unintentional disclosure of secrets like
| passwords or API keys, compromising security and potentially
| allowing unauthorized access or actions.

There aren't a lot of details; currently only
https://bugzilla.redhat.com/show_bug.cgi?id=2312119

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8775
https://www.cve.org/CVERecord?id=CVE-2024-8775

Please adjust the affected versions in the BTS as needed.



Bug#1082849: bluez: CVE-2024-8805

2024-09-27 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2024-8805[0]:
| BlueZ HID over GATT Profile Improper Access Control Remote Code Execution
| Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-24-1229/
https://patchwork.kernel.org/project/bluetooth/patch/20240912204458.3037144-1-luiz.de...@gmail.com/
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=41f943630d9a03c40e95057b2ac3d96470b9c71e


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8805
https://www.cve.org/CVERecord?id=CVE-2024-8805

Please adjust the affected versions in the BTS as needed.



Bug#1082847: nix: CVE-2024-47174

2024-09-27 Thread Moritz Mühlenhoff
Source: nix
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nix.

CVE-2024-47174[0]:
| Nix is a package manager for Linux and other Unix systems. Starting
| in version 1.11 and prior to versions 2.18.8 and 2.24.8,
| `` did not verify TLS certificates on HTTPS
| connections. This could lead to connection details such as full URLs
| or credentials leaking in case of a man-in-the-middle (MITM) attack.
| `` is also known as the builtin derivation builder
| `builtin:fetchurl`. It's not to be confused with the evaluation-time
| function `builtins.fetchurl`, which was not affected by this issue.
| A user may be affected by the risk of leaking credentials if they
| have a `netrc` file for authentication, or rely on derivations with
| `impureEnvVars` set to use credentials from the environment. In
| addition, the commonplace trust-on-first-use (TOFU) technique of
| updating dependencies by specifying an invalid hash and obtaining it
| from a remote  store was also vulnerable to a MITM injecting
| arbitrary store objects. This also applied to the impure derivations
| experimental feature. Note that this may also happen when using
| Nixpkgs fetchers to obtain new hashes when not using the fake hash
| method, although that mechanism is not implemented in Nix itself but
| rather in Nixpkgs using a fixed-output derivation. The behavior was
| introduced in version 1.11 to make it consistent with the Nixpkgs
| `pkgs.fetchurl` and to make `` work in the
| derivation builder sandbox, which back then did not have access to
| the CA bundles by default. Nowadays, CA bundles are bind-mounted on
| Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a
| workaround, implement (authenticated) fetching with `pkgs.fetchurl`
| from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.

https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90
https://github.com/NixOS/nix/pull/11585
https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47174
https://www.cve.org/CVERecord?id=CVE-2024-47174

Please adjust the affected versions in the BTS as needed.



Bug#1082674: bookworm-pu: package booth/1.0-283-g9d4029a-2+deb12u1

2024-09-25 Thread Moritz Mühlenhoff
On Tue, Sep 24, 2024 at 07:02:07PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm moreinfo
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Debian HA Maintainers 
> , secur...@debian.org
> 
>   * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)
> 
> Tagged moreinfo, as a question to the security team if they want this
> fix in -pu or as DSA.

That's fine for a DSA and the debdiff looks fine, so please upload to 
security-master. Thanks!

Cheers,
Moritz



Bug#1082382: ruby-devise-two-factor: CVE-2024-8796

2024-09-20 Thread Moritz Mühlenhoff
Source: ruby-devise-two-factor
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-devise-two-factor.

CVE-2024-8796[0]:
| Under the default configuration, Devise-Two-Factor versions >= 2.2.0
| & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of
| the 128-bit minimum defined by RFC 4226. Using a shared secret
| shorter than the minimum to generate a multi-factor authentication
| code could make it easier for an attacker to guess the shared secret
| and generate valid TOTP codes.

https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8796
https://www.cve.org/CVERecord?id=CVE-2024-8796

Please adjust the affected versions in the BTS as needed.



Bug#1082380: freeimage: CVE-2024-31570

2024-09-20 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2024-31570[0]:
| libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based
| buffer overflow in the PluginXPM.cpp Load function via an XPM file.

https://sourceforge.net/p/freeimage/bugs/355/
https://www.openwall.com/lists/oss-security/2024/04/11/10
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31570
https://www.cve.org/CVERecord?id=CVE-2024-31570

Please adjust the affected versions in the BTS as needed.



Bug#1082381: protobuf: CVE-2024-7254

2024-09-20 Thread Moritz Mühlenhoff
Source: protobuf
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for protobuf.

CVE-2024-7254[0]:
| Any project that parses untrusted Protocol Buffers data containing
| an arbitrary number of nested groups / series of SGROUP tags can be
| corrupted by exceeding the stack limit i.e. StackOverflow. Parsing
| nested groups as unknown fields with DiscardUnknownFieldsParser or
| Java Protobuf Lite parser, or against Protobuf map fields, creates
| unbounded recursions that can be abused by an attacker.

https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7254
https://www.cve.org/CVERecord?id=CVE-2024-7254

Please adjust the affected versions in the BTS as needed.



Bug#1082378: logiops: CVE-2024-45752

2024-09-20 Thread Moritz Mühlenhoff
Source: logiops
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for logiops.

CVE-2024-45752[0]:
| logiops through 0.3.4, in its default configuration, allows any
| unprivileged user to configure its logid daemon via an unrestricted
| D-Bus service, including setting malicious keyboard macros. This
| allows for privilege escalation with minimal user interaction.

https://bugzilla.suse.com/show_bug.cgi?id=1226598
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45752
https://www.cve.org/CVERecord?id=CVE-2024-45752

Please adjust the affected versions in the BTS as needed.



Bug#1082379: puma: CVE-2024-45614

2024-09-20 Thread Moritz Mühlenhoff
Source: puma
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for puma.

CVE-2024-45614[0]:
| Puma is a Ruby/Rack web server built for parallelism. In affected
| versions clients could clobber values set by intermediate proxies
| (such as X-Forwarded-For) by providing an underscore version of the
| same header (X-Forwarded_For). Any users relying on proxy set
| variables are affected. v6.4.3/v5.6.9 now discards any headers using
| underscores if the non-underscore version also exists. Effectively,
| this allows the proxy defined headers to always win. Users are advised
| to upgrade. Nginx has an underscores_in_headers configuration
| variable to discard these headers at the proxy level as a
| mitigation. Any users that are implicitly trusting the proxy defined
| headers for security should immediately cease doing so until
| upgraded to the fixed versions.

https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45614
https://www.cve.org/CVERecord?id=CVE-2024-45614

Please adjust the affected versions in the BTS as needed.
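The clobbering described above happens because CGI/Rack-style environment keys are derived by upper-casing the header name and turning dashes into underscores, so `X-Forwarded-For` and `X-Forwarded_For` both become `HTTP_X_FORWARDED_FOR`. The following is an added example, not Puma's code, that builds that environment from a constructed list of wire-order headers both naively and with the policy the advisory describes (discard the underscore header when a dashed one maps to the same key). The sample headers and addresses are constructed.

```javascript
// Added example, not Puma's code: how an underscore header lands on the same
// Rack/CGI environment key as its dashed sibling, and the advisory's policy of
// discarding it when the dashed form is present. Input is a constructed list
// of [name, value] pairs in wire order; which colliding header a naive builder
// keeps depends only on that order, which a client must never control.

// Rack/CGI key for a request header: upper-case, dashes become underscores.
function envKey(headerName) {
  return 'HTTP_' + headerName.toUpperCase().replace(/-/g, '_');
}

// Naive builder: every header is written; the last one seen for a key wins.
function buildEnvNaive(headers) {
  const env = {};
  for (const [name, value] of headers) {
    env[envKey(name)] = value;
  }
  return env;
}

// Hardened builder: a header whose name contains an underscore is dropped when
// some dash-only header maps to the same key. Repeated headers with the same
// name are joined with ", ", as HTTP allows for list-valued fields.
function buildEnvHardened(headers) {
  const keysFromDashedNames = new Set(
    headers.filter(([name]) => !name.includes('_')).map(([name]) => envKey(name))
  );
  const env = {};
  const dropped = [];
  for (const [name, value] of headers) {
    const key = envKey(name);
    if (name.includes('_') && keysFromDashedNames.has(key)) {
      dropped.push(name); // collides with a dashed header: treat as spoofing
      continue;
    }
    env[key] = key in env ? `${env[key]}, ${value}` : value;
  }
  return { env, dropped };
}

// Application-side consumer: first address in X-Forwarded-For is the client.
function clientIp(env) {
  const xff = env.HTTP_X_FORWARDED_FOR;
  return xff ? xff.split(',')[0].trim() : null;
}

// Constructed request: the proxy set X-Forwarded-For; the client also sent an
// underscore variant in the hope of overriding it.
const SAMPLE_HEADERS = [
  ['Host', 'app.example'],
  ['X-Forwarded-For', '203.0.113.9'],
  ['X-Forwarded_For', '10.0.0.1'],
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive   :', clientIp(buildEnvNaive(SAMPLE_HEADERS)));
  const { env, dropped } = buildEnvHardened(SAMPLE_HEADERS);
  console.log('hardened:', clientIp(env), 'dropped:', dropped);
}
```

Logging the `dropped` list is worth keeping in production: a header name with an underscore that collides with a dashed one is a spoofing attempt by definition and makes a good detection signal. The nginx mitigation the advisory mentions works one layer earlier, since `underscores_in_headers` defaults to `off` and nginx then silently drops such headers before they reach the application.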



Bug#1082377: qemu: CVE-2024-8354

2024-09-20 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-8354[0]:
| A flaw was found in QEMU. An assertion failure was present in the
| usb_ep_get() function in hw/net/core.c when trying to get the USB
| endpoint from a USB device. This flaw may allow a malicious
| unprivileged guest user to crash the QEMU process on the host and
| cause a denial of service condition.

https://bugzilla.redhat.com/show_bug.cgi?id=2313497
https://gitlab.com/qemu-project/qemu/-/issues/2548


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-8354
https://www.cve.org/CVERecord?id=CVE-2024-8354

Please adjust the affected versions in the BTS as needed.



Bug#1082055: rust-gix-path: CVE-2024-45405

2024-09-17 Thread Moritz Mühlenhoff
Source: rust-gix-path
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-path.

CVE-2024-45405[0]:
| `gix-path` is a crate of the `gitoxide` project (an implementation
| of `git` written in Rust) dealing with paths and their conversions. Prior
| to version 0.10.11, `gix-path` runs `git` to find the path of a
| configuration file associated with the `git` installation, but
| improperly resolves paths containing unusual or non-ASCII
| characters, in rare cases enabling a local attacker to inject
| configuration leading to code execution. Version 0.10.11 contains a
| patch for the issue.  In `gix_path::env`, the underlying
| implementation of the `installation_config` and
| `installation_config_prefix` functions calls `git config -l --show-
| origin` to find the path of a file to treat as belonging to the
| `git` installation. Affected versions of `gix-path` do not pass
| `-z`/`--null` to cause `git` to report literal paths. Instead, to
| cover the occasional case that `git` outputs a quoted path, they
| attempt to parse the path by stripping the quotation marks. The
| problem is that, when a path is quoted, it may change in substantial
| ways beyond the concatenation of quotation marks. If not reversed,
| these changes can result in another valid path that is not
| equivalent to the original.  On a single-user system, it is not
| possible to exploit this, unless `GIT_CONFIG_SYSTEM` and
| `GIT_CONFIG_GLOBAL` have been set to unusual values or Git has been
| installed in an unusual way. Such a scenario is not expected.
| Exploitation is unlikely even on a multi-user system, though it is
| plausible in some uncommon configurations or use cases. In general,
| exploitation is more likely to succeed if users are expected to
| install `git` themselves, and are likely to do so in predictable
| locations; locations where `git` is installed, whether due to
| usernames in their paths or otherwise, contain characters that `git`
| quotes by default in paths, such as non-English letters and accented
| letters; a custom `system`-scope configuration file is specified
| with the `GIT_CONFIG_SYSTEM` environment variable, and its path is
| in an unusual location or has strangely named components; or a
| `system`-scope configuration file is absent, empty, or suppressed by
| means other than `GIT_CONFIG_NOSYSTEM`. Currently, `gix-path` can
| treat a `global`-scope configuration file as belonging to the
| installation if no higher scope configuration file is available.
| This increases the likelihood of exploitation even on a system where
| `git` is installed system-wide in an ordinary way. However,
| exploitation is expected to be very difficult even under any
| combination of those factors.

https://github.com/advisories/GHSA-m8rp-vv92-46c7
https://rustsec.org/advisories/RUSTSEC-2024-0371.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45405
https://www.cve.org/CVERecord?id=CVE-2024-45405

Please adjust the affected versions in the BTS as needed.
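The core of the advisory is that git's C-style quoting of a path does more than wrap it in quotation marks: it escapes quotes and backslashes and writes bytes such as non-ASCII letters as three-digit octal escapes, so stripping the quotes yields a different string that is itself a valid path. The following is an added example, not gix-path's code, that parses constructed `git config -l --show-origin` lines with both a naive quote stripper and a proper C-style unquoter. It assumes the line shape `<origin><tab><key>=<value>` with the origin written as `file:` followed by the path, quoted only when git needs to.

```javascript
// Added example, not gix-path's code: two ways of turning a quoted origin path
// from `git config -l --show-origin` back into a path. Git writes such a path
// in C style, escaping '"' and '\' and emitting bytes like non-ASCII letters
// as \ooo octal escapes (\303\266 is "ö" in UTF-8). The sample lines are
// constructed; the assumed shape is `<origin>\t<key>=<value>`.

const SIMPLE_ESCAPES = new Map([
  ['a', 0x07], ['b', 0x08], ['t', 0x09], ['n', 0x0a],
  ['v', 0x0b], ['f', 0x0c], ['r', 0x0d], ['\\', 0x5c], ['"', 0x22],
]);

// What the vulnerable approach amounts to: drop the surrounding quotation marks
// and keep everything in between verbatim.
function naiveUnquote(text) {
  return text.startsWith('"') && text.endsWith('"') ? text.slice(1, -1) : text;
}

// Reverse git's C-style quoting: short escapes and \ooo octal bytes, then
// decode the reconstructed byte string as UTF-8.
function unquoteCStyle(text) {
  if (!(text.startsWith('"') && text.endsWith('"'))) return text; // unquoted: literal
  const body = text.slice(1, -1);
  const bytes = [];
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (ch !== '\\') {
      bytes.push(...Buffer.from(ch, 'utf8'));
      continue;
    }
    const next = body[i + 1];
    const octal = body.slice(i + 1, i + 4);
    if (SIMPLE_ESCAPES.has(next)) {
      bytes.push(SIMPLE_ESCAPES.get(next));
      i += 1;
    } else if (/^[0-7]{3}$/.test(octal)) {
      bytes.push(parseInt(octal, 8));
      i += 3;
    } else {
      throw new Error(`unrecognised escape at offset ${i} in ${text}`);
    }
  }
  return Buffer.from(bytes).toString('utf8');
}

// Parse one line of `git config -l --show-origin` output (without -z).
function parseShowOriginLine(line, unquote = unquoteCStyle) {
  const tab = line.indexOf('\t');
  if (tab < 0) throw new Error(`no tab separator in: ${line}`);
  const origin = line.slice(0, tab);
  const entry = line.slice(tab + 1);
  const eq = entry.indexOf('=');
  const key = eq < 0 ? entry : entry.slice(0, eq);
  const value = eq < 0 ? null : entry.slice(eq + 1);
  const colon = origin.indexOf(':');
  const originType = origin.slice(0, colon);
  const rawPath = origin.slice(colon + 1);
  const path = originType === 'file' ? unquote(rawPath) : rawPath;
  return { originType, path, key, value };
}

function configFilePaths(lines, unquote = unquoteCStyle) {
  return lines.map((line) => parseShowOriginLine(line, unquote).path);
}

// Constructed sample output; the second origin carries an octal-escaped "ö",
// exactly as git prints it: file:"/home/j\303\266rg/.gitconfig"
const SAMPLE_OUTPUT = [
  'file:/etc/gitconfig\tcore.autocrlf=false',
  'file:"/home/j\\303\\266rg/.gitconfig"\tuser.name=J\u00f6rg',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive  :', configFilePaths(SAMPLE_OUTPUT, naiveUnquote));
  console.log('correct:', configFilePaths(SAMPLE_OUTPUT));
}
```

The naive result for the second line, `/home/j\303\266rg/.gitconfig` with literal backslashes, is the "another valid path that is not equivalent to the original" the advisory talks about. The fixed gix-path sidesteps the whole problem by passing `-z`/`--null`, which makes git report paths literally, so there is nothing to unquote; the unquoter above is what you need only when consuming the human-readable output.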



Bug#1082054: clickhouse: CVE-2024-41436

2024-09-17 Thread Moritz Mühlenhoff
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clickhouse.

CVE-2024-41436[0]:
| ClickHouse v24.3.3.102 was discovered to contain a buffer overflow
| via the component DB::evaluateConstantExpressionImpl.

https://github.com/ClickHouse/ClickHouse/issues/65520
https://github.com/ClickHouse/ClickHouse/pull/66912


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-41436
https://www.cve.org/CVERecord?id=CVE-2024-41436

Please adjust the affected versions in the BTS as needed.



Bug#1081911: bluez: CVE-2023-51580

2024-09-15 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-51580[0]:
| BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds
| Read Information Disclosure Vulnerability. This vulnerability allows
| network-adjacent attackers to disclose sensitive information via
| Bluetooth on affected installations of BlueZ. User interaction is
| required to exploit this vulnerability in that the target must
| connect to a malicious device.  The specific flaw exists within the
| handling of the AVRCP protocol. The issue results from the lack of
| proper validation of user-supplied data, which can result in a read
| past the end of an allocated buffer. An attacker can leverage this
| in conjunction with other vulnerabilities to execute arbitrary code
| in the context of root. Was ZDI-CAN-20852.

It's unclear whether this was ever properly reported upstream:
https://www.zerodayinitiative.com/advisories/ZDI-23-1903/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51580
https://www.cve.org/CVERecord?id=CVE-2023-51580

Please adjust the affected versions in the BTS as needed.



Bug#1081912: bluez: CVE-2023-51589

2024-09-15 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-51589[0]:
| BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read
| Information Disclosure Vulnerability. This vulnerability allows
| network-adjacent attackers to disclose sensitive information via
| Bluetooth on affected installations of BlueZ. User interaction is
| required to exploit this vulnerability in that the target must
| connect to a malicious device.  The specific flaw exists within the
| handling of the AVRCP protocol. The issue results from the lack of
| proper validation of user-supplied data, which can result in a read
| past the end of an allocated buffer. An attacker can leverage this
| in conjunction with other vulnerabilities to execute arbitrary code
| in the context of root. Was ZDI-CAN-20853.

It's unclear whether this was ever properly reported upstream:
https://www.zerodayinitiative.com/advisories/ZDI-23-1904/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51589
https://www.cve.org/CVERecord?id=CVE-2023-51589

Please adjust the affected versions in the BTS as needed.



Bug#1081910: openjpeg2: CVE-2023-39329

2024-09-15 Thread Moritz Mühlenhoff
Source: openjpeg2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for openjpeg2.

CVE-2023-39329[0]:
| A flaw was found in OpenJPEG. A resource exhaustion can occur in the
| opj_t1_decode_cblks function in tcd.c through a crafted image file,
| causing a denial of service.

https://github.com/uclouvain/openjpeg/issues/1474


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39329
https://www.cve.org/CVERecord?id=CVE-2023-39329

Please adjust the affected versions in the BTS as needed.



Bug#1081908: openjpeg2: CVE-2023-39327

2024-09-15 Thread Moritz Mühlenhoff
Source: openjpeg2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for openjpeg2.

CVE-2023-39327[0]:
| A flaw was found in OpenJPEG. Maliciously constructed pictures can
| cause the program to enter a large loop and continuously print
| warning messages on the terminal.

https://github.com/uclouvain/openjpeg/issues/1472


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39327
https://www.cve.org/CVERecord?id=CVE-2023-39327

Please adjust the affected versions in the BTS as needed.



Bug#1081906: node-webpack: CVE-2024-43788

2024-09-15 Thread Moritz Mühlenhoff
Source: node-webpack
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-webpack.

CVE-2024-43788[0]:
| Webpack is a module bundler. Its main purpose is to bundle
| JavaScript files for usage in a browser, yet it is also capable of
| transforming, bundling, or packaging just about any resource or
| asset. The webpack developers have discovered a DOM Clobbering
| vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM
| Clobbering gadget in the module can lead to cross-site scripting
| (XSS) in web pages where scriptless attacker-controlled HTML
| elements (e.g., an `img` tag with an unsanitized `name` attribute)
| are present. Real-world exploitation of this gadget has been
| observed in the Canvas LMS which allows an XSS attack to happen
| through JavaScript code compiled by Webpack (the vulnerable part
| is from Webpack). DOM Clobbering is a type of code-reuse attack
| where the attacker first embeds a piece of non-script, seemingly
| benign HTML markups in the webpage (e.g. through a post or comment)
| and leverages the gadgets (pieces of js code) living in the existing
| javascript code to transform it into executable code. This
| vulnerability can lead to cross-site scripting (XSS) on websites
| that include Webpack-generated files and allow users to inject
| certain scriptless HTML tags with improperly sanitized name or id
| attributes. This issue has been addressed in release version 5.94.0.
| All users are advised to upgrade. There are no known workarounds for
| this issue.

https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61 (v5.94.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43788
https://www.cve.org/CVERecord?id=CVE-2024-43788

Please adjust the affected versions in the BTS as needed.



Bug#1081909: openjpeg2: CVE-2023-39328

2024-09-15 Thread Moritz Mühlenhoff
Source: openjpeg2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for openjpeg2.

CVE-2023-39328[0]:
| A vulnerability was found in OpenJPEG similar to CVE-2019-6988. This
| flaw allows an attacker to bypass existing protections and cause an
| application crash through a maliciously crafted file.

https://github.com/uclouvain/openjpeg/issues/1471
https://github.com/uclouvain/openjpeg/pull/1470


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39328
https://www.cve.org/CVERecord?id=CVE-2023-39328

Please adjust the affected versions in the BTS as needed.



Bug#1081907: vte: CVE-2024-37535

2024-09-15 Thread Moritz Mühlenhoff
Source: vte
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for vte. This is already addressed
in vte2.91, but also filing this for completeness for the deprecated source
package:

CVE-2024-37535[0]:
| GNOME VTE before 0.76.3 allows an attacker to cause a denial of
| service (memory consumption) via a window resize escape sequence, a
| related issue to CVE-2000-0476.

https://gitlab.gnome.org/GNOME/vte/-/issues/2786
https://www.openwall.com/lists/oss-security/2024/06/09/1
https://gitlab.gnome.org/GNOME/vte/-/commit/fd5511f24b7269195a7083f409244e9787c705dc (master)
https://gitlab.gnome.org/GNOME/vte/-/commit/1803ba866053a3d7840892b9d31fe2944a183eda (master)
https://gitlab.gnome.org/GNOME/vte/-/commit/036bc3ddcbb56f05c6ca76712a53b89dee1369e2 (0.76.3)
https://gitlab.gnome.org/GNOME/vte/-/commit/c313849c2e5133802e21b13fa0b141b360171d39 (0.76.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37535
https://www.cve.org/CVERecord?id=CVE-2024-37535

Please adjust the affected versions in the BTS as needed.



Bug#1081905: nvidia-cuda-toolkit: CVE-2024-0109 CVE-2024-0110 CVE-2024-0111

2024-09-15 Thread Moritz Mühlenhoff
Source: nvidia-cuda-toolkit
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for nvidia-cuda-toolkit.

CVE-2024-0109[0]:
| NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump`
| where a user may cause a crash by passing in a malformed ELF file. A
| successful exploit of this vulnerability may cause an out of bounds
| read in the unprivileged process memory which could lead to a
| limited denial of service.

https://nvidia.custhelp.com/app/answers/detail/a_id/5564

CVE-2024-0110[1]:
| NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump`
| where a user may cause an out-of-bound write by passing in a
| malformed ELF file. A successful exploit of this vulnerability may
| lead to code execution or denial of service.

https://nvidia.custhelp.com/app/answers/detail/a_id/5564

CVE-2024-0111[2]:
| NVIDIA CUDA Toolkit contains a vulnerability in command 'cuobjdump'
| where a user may cause a crash or produce incorrect output by
| passing a malformed ELF file. A successful exploit of this
| vulnerability may lead to a limited denial of service or data
| tampering.

https://nvidia.custhelp.com/app/answers/detail/a_id/5564

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0109
https://www.cve.org/CVERecord?id=CVE-2024-0109
[1] https://security-tracker.debian.org/tracker/CVE-2024-0110
https://www.cve.org/CVERecord?id=CVE-2024-0110
[2] https://security-tracker.debian.org/tracker/CVE-2024-0111
https://www.cve.org/CVERecord?id=CVE-2024-0111

Please adjust the affected versions in the BTS as needed.



Bug#1080245: python3.11: zipfile.Path regression introduced by CVE-2024-8088 fix

2024-09-14 Thread Moritz Mühlenhoff
On Fri, Sep 13, 2024 at 11:36:18PM -0300, Santiago Ruano Rincón wrote:
> On 13/09/24 at 21:39, Moritz Mühlenhoff wrote:
> > And in the meantime another low severity archive-related CVE appeared
> > (CVE-2024-6232), so it would be great if you could submit your diff
> > plus the cherrypicked fix for CVE-2024-6232 from the 3.11.x branch
> > for the next Bookworm point release?
> 
> Sure. I'll handle that CVE too.

Thanks!

Cheers,
Moritz



Bug#1080245: python3.11: zipfile.Path regression introduced by CVE-2024-8088 fix

2024-09-13 Thread Moritz Mühlenhoff
Hi Santiago,

> I am testing the attached debdiff on my bookworm machine. I can confirm
> the behaviour is the same as 3.11.2-6+deb12u2's with the proposed
> update. For convenience, I am also attaching a simple test script.
> 
> The package successfully builds, but I see in the logs that a couple of
> test failed: test_distutils and test_tools. I am currently building
> 3.11.2-6+deb12u3 for being able to compare.
> 
> Could you please take a look at it?
> 
> Also should this be handled via a security update, or via a point
> release?

The diff looks good to me, but this is a marginal regression and I don't
believe it's warranted to release this via -security.

And in the meantime another low severity archive-related CVE appeared
(CVE-2024-6232), so it would be great if you could submit your diff
plus the cherrypicked fix for CVE-2024-6232 from the 3.11.x branch
for the next Bookworm point release?

Cheers,
Moritz



Bug#1081656: node-path-to-regexp: CVE-2024-45296

2024-09-13 Thread Moritz Mühlenhoff
Source: node-path-to-regexp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-path-to-regexp.

CVE-2024-45296[0]:
| path-to-regexp turns path strings into regular expressions. In
| certain cases, path-to-regexp will output a regular expression that
| can be exploited to cause poor performance. Because JavaScript is
| single threaded and regex matching runs on the main thread, poor
| performance will block the event loop and lead to a DoS. The bad
| regular expression is generated any time you have two parameters
| within a single segment, separated by something that is not a period
| (.). For users of 0.1, upgrade to 0.1.10. All other users should
| upgrade to 8.0.0.

https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45296
https://www.cve.org/CVERecord?id=CVE-2024-45296

Please adjust the affected versions in the BTS as needed.
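The advisory gives a concrete rule for which route patterns produce the slow regular expression: two parameters inside one `/`-separated segment whose separator is anything other than a period. The following is an added example, not path-to-regexp's code, that applies that rule to a route table so an operator can tell before upgrading which routes are exposed. Parameters are assumed to be written as `:name`; an empty separator (`/:a:b`) is flagged as well, which is a conservative reading of the advisory. The route table is constructed.

```javascript
// Added example, not path-to-regexp's code: lint route patterns for the shape
// the advisory names, two `:name` parameters in a single `/`-segment that are
// not separated by exactly a period. Empty separators are flagged too
// (conservative choice). The sample route table is constructed.

const PARAM = /:([A-Za-z0-9_]+)/g;

// One finding per adjacent parameter pair inside a segment whose separator
// is not ".".
function findUnsafeSegments(pattern) {
  const findings = [];
  pattern.split('/').forEach((segment, segmentIndex) => {
    const params = [...segment.matchAll(PARAM)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const cur = params[i];
      const separator = segment.slice(prev.index + prev[0].length, cur.index);
      if (separator !== '.') {
        findings.push({ pattern, segment, segmentIndex, params: [prev[1], cur[1]], separator });
      }
    }
  });
  return findings;
}

function isSafePattern(pattern) {
  return findUnsafeSegments(pattern).length === 0;
}

// Scan a route table of [method, pattern] pairs and return the offending routes.
function auditRoutes(routes) {
  return routes.flatMap(([method, pattern]) =>
    findUnsafeSegments(pattern).map((finding) => ({ method, ...finding }))
  );
}

// Constructed route table.
const SAMPLE_ROUTES = [
  ['GET', '/users/:id'],
  ['GET', '/files/:name.:ext'],               // period separator: fine
  ['GET', '/reports/:year-:month'],           // dash separator: flagged
  ['GET', '/a/:x:y'],                         // no separator: flagged (conservative)
  ['POST', '/orders/:orderId/items/:itemId'], // one parameter per segment: fine
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditRoutes(SAMPLE_ROUTES)) {
    console.log(
      `${f.method} ${f.pattern}: params ${f.params.join(' and ')} separated by ` +
      `${JSON.stringify(f.separator)} in segment "${f.segment}"`
    );
  }
}
```

Routes this reports are the ones to rewrite (or to put behind a request timeout) if the upgrade to 0.1.10 or 8.0.0 cannot happen immediately; a clean report means the slow-regexp shape is not generated for that table.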



Bug#1081659: pgpool2: CVE-2024-45624

2024-09-13 Thread Moritz Mühlenhoff
Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2024-45624[0]:
| Exposure of sensitive information due to incompatible policies issue
| exists in Pgpool-II. If a database user accesses a query cache,
| table data unauthorized for the user may be retrieved.

https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.5.4.2C_4.4.9.2C_4.3.12.2C_4.2.19_and_4.1.22_officially_released_.282024.2F09.2F09.29


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45624
https://www.cve.org/CVERecord?id=CVE-2024-45624

Please adjust the affected versions in the BTS as needed.



Bug#1081657: node-body-parser: CVE-2024-45590

2024-09-13 Thread Moritz Mühlenhoff
Source: node-body-parser
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-body-parser.

CVE-2024-45590[0]:
| body-parser is Node.js body parsing middleware. body-parser <1.20.3
| is vulnerable to denial of service when url encoding is enabled. A
| malicious actor using a specially crafted payload could flood the
| server with a large number of requests, resulting in denial of
| service. This issue is patched in 1.20.3.

https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce (1.20.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45590
https://www.cve.org/CVERecord?id=CVE-2024-45590

Please adjust the affected versions in the BTS as needed.



Bug#1081481: node-express: CVE-2024-43796

2024-09-11 Thread Moritz Mühlenhoff
Source: node-express
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-express.

CVE-2024-43796[0]:
| Express.js minimalist web framework for node. In express < 4.20.0,
| passing untrusted user input - even after sanitizing it - to
| response.redirect() may execute untrusted code. This issue is
| patched in express 4.20.0.

https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 (4.20.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43796
https://www.cve.org/CVERecord?id=CVE-2024-43796

Please adjust the affected versions in the BTS as needed.



Bug#1081483: node-send: CVE-2024-43799

2024-09-11 Thread Moritz Mühlenhoff
Source: node-send
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-send.

CVE-2024-43799[0]:
| Send is a library for streaming files from the file system as a http
| response. Send passes untrusted user input to SendStream.redirect()
| which executes untrusted code. This issue is patched in send 0.19.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43799
https://www.cve.org/CVERecord?id=CVE-2024-43799

Please adjust the affected versions in the BTS as needed.



Bug#1081482: node-serve-static: CVE-2024-43800

2024-09-11 Thread Moritz Mühlenhoff
Source: node-serve-static
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-serve-static.

CVE-2024-43800[0]:
| serve-static serves static files. serve-static passes untrusted user
| input - even after sanitizing it - to redirect(), which may execute
| untrusted code. This issue is patched in serve-static 1.16.0.

https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p
https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.16.0)
https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43800
https://www.cve.org/CVERecord?id=CVE-2024-43800

Please adjust the affected versions in the BTS as needed.



Bug#1079487: olm: CVE-2024-45191 CVE-2024-45192 CVE-2024-45193

2024-09-01 Thread Moritz Mühlenhoff
On Fri, Aug 30, 2024 at 07:53:58PM -0400, Hubert Chathi wrote:
> severity 1079487 important
> 
> Thanks for filing this bug report.
> 
> (Full disclosure: I am employed by Element to work on Matrix software,
> and am part of the cryptography team at Element.)
> 
> The Matrix.org foundation published a blog post about the
> vulnerabilities and the libolm deprecation:
> https://matrix.org/blog/2024/08/libolm-deprecation/ Of note: the blog
> indicates that the vulnerabilities are not believed to be practically
> exploitable, so:

Thanks, I've updated the Debian Security Tracker to mark these as ignored,
along with a reference to the https://matrix.org/blog/2024/08/libolm-deprecation
blog post.

> Yes.  Nheko and NeoChat are Matrix clients that are still being actively
> developed.  They may switch to vodozemac (the Rust implementation of the
> Olm/Megolm protocols, that does not have these vulnerabilities) in the
> future, but for now, libolm is still useful.
> 
> I've dropped the severity of this bug to "important" for now.  If the
> security team disagrees, they can change the severity.

Ack, let's simply keep these open to the point where no reverse deps
of libolm are left (at which point it can be removed from the archive).

Cheers,
Moritz



Bug#1076310: boinc-app-eah-brp: should it be removed from the archive?

2024-08-30 Thread Moritz Mühlenhoff
reassign 1076310 ftp.debian.org
retitle 1076310 RM: boinc-app-eah-brp -- RoQA; unmaintained and broken
affects 1076310 src:boinc-app-eah-brp
thanks

On Sun, Jul 28, 2024 at 10:40:02AM +0200, Paul Gevers wrote:
> reassign 1076310 ftp.debian.org
> retitle 1076310 RM: boinc-app-eah-brp -- RoQA; unmaintained and broken
> affects 1076310 src:boinc-app-eah-brp
> 
> On Sun, 14 Jul 2024 09:32:58 +0200 Paul Gevers  wrote:
> > If there are no objections in the coming two weeks, I'll reassign this
> > bug to the ftp.debian.org pseudo package to ask ftp-master to remove the
> > package.

This mail failed to CC cont...@bugs.debian.org, fixing that now.

Cheers,
Moritz



Bug#1079959: Should imdbpy be removed from unstable?

2024-08-29 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2024 at 10:20:42PM +0200, Ana Guerrero Lopez wrote:
> On Thu, Aug 29, 2024 at 09:34:14PM +0200, Helmut Grohne wrote:
> > Hi Ana,
> > 
> > On Thu, Aug 29, 2024 at 09:04:09PM +0200, Ana Guerrero Lopez wrote:
> > > In short, imdbpy should have been removed from the archive already and
> > > replaced by cinemagoer https://cinemagoer.github.io/
> > > I discussed some months ago with Moritz about imdbpy/cinemagoer and 
> > > he was interested in doing this.
> > > 
> > > If Moritz doesn't have time, then while cinemagoer reaches Debian the
> > > best is to remove the package.
> > 
> > It is not clear how to interpret your reply. Do you mean to say that
> > imdbpy should not be removed before cinemagoer has been uploaded to
> > unstable? Or do you mean to say that imdbpy should be removed
> > immediately as that is what will happen eventually?
> 
> In short, I was saying it's Moritz's decision and reading your message
> he has a month to reply.

I currently don't have the time for it, let's remove imdbpy right away and
I'll make sure to package cinemagoer as its replacement (with appropriate
Conflicts/Replaces) before the freeze for trixie.

Cheers,
Moritz



Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370

2024-08-20 Thread Moritz Mühlenhoff
Hi Yadd,

> here is a simple patch for this issue

The debdiff looks fine, but I don't believe this needs a
DSA, can you please submit this for the next point update
instead?

Cheers,
Moritz



Bug#1059007: python-asyncssh: CVE-2023-48795

2024-08-16 Thread Moritz Mühlenhoff
Am Tue, Apr 30, 2024 at 06:04:34PM +0100 schrieb Steve McIntyre:
> Hi!
> 
> On Tue, Dec 19, 2023 at 09:31:00AM +0100, Salvatore Bonaccorso wrote:
> >Source: python-asyncssh
> >Version: 2.10.1-2
> >Severity: important
> >Tags: security upstream
> >X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> >
> >
> >Hi,
> >
> >The following vulnerability was published for python-asyncssh.
> >
> >CVE-2023-48795[0]:
> >| The SSH transport protocol with certain OpenSSH extensions, found in
> >| OpenSSH before 9.6 and other products, allows remote attackers to
> >| bypass integrity checks such that some packets are omitted (from the
> >| extension negotiation message), and a client and server may
> >| consequently end up with a connection for which some security
> >| features have been downgraded or disabled, aka a Terrapin attack.
> >| This occurs because the SSH Binary Packet Protocol (BPP),
> >| implemented by these extensions, mishandles the handshake phase and
> >| mishandles use of sequence numbers. For example, there is an
> >| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
> >| with Encrypt-then-MAC). The bypass occurs in
> >| chacha20-poly1...@openssh.com and (if CBC is used) the
> >| -e...@openssh.com MAC algorithms. This also affects Maverick Synergy
> >| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
> >| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
> >| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
> >| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
> >| through 9.31.
> 
> We wanted this fixed in Pexip, so I've taken a look at this bug.
> 
> The upstream bugfix just needs a small rework so it applies cleanly to
> the version in bookworm. Here's a debdiff for that in case it's
> useful.

Thanks Steve, I'm currently going through the longer tail
of open security issues in Bookworm, will release this
via a DSA in the next week.

Cheers,
Moritz



Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547

2024-08-12 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ofono.

CVE-2024-7537[0]:
| oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono.
| Authentication is not required to exploit this vulnerability.  The
| specific flaw exists within the processing of SMS message lists. The
| issue results from the lack of proper validation of user-supplied
| data, which can result in a read past the end of an allocated
| buffer. An attacker can leverage this in conjunction with other
| vulnerabilities to execute arbitrary code in the context of root.
| Was ZDI-CAN-23157.

https://www.zerodayinitiative.com/advisories/ZDI-24-1077/

CVE-2024-7538[1]:
| oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of responses from AT Commands. The issue results
| from the lack of proper validation of the length of user-supplied
| data prior to copying it to a stack-based buffer. An attacker can
| leverage this vulnerability to execute code in the context of root.
| Was ZDI-CAN-23190.

https://www.zerodayinitiative.com/advisories/ZDI-24-1078/

CVE-2024-7539[2]:
| oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
| This vulnerability allows local attackers to execute arbitrary code
| on affected installations of oFono. An attacker must first obtain
| the ability to execute code on the target modem in order to exploit
| this vulnerability.  The specific flaw exists within the parsing of
| responses from AT+CUSD commands. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of root. Was ZDI-CAN-23195.

https://www.zerodayinitiative.com/advisories/ZDI-24-1079/

CVE-2024-7540[3]:
| oFono AT CMGL Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMGL commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23307.

https://www.zerodayinitiative.com/advisories/ZDI-24-1080/

CVE-2024-7541[4]:
| oFono AT CMT Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMT commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23308.

https://www.zerodayinitiative.com/advisories/ZDI-24-1081/

CVE-2024-7542[5]:
| oFono AT CMGR Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability.  The specific flaw
| exists within the parsing of responses from AT+CMGR commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23309.

https://www.zerodayinitiative.com/advisories/ZDI-24-1082/

CVE-2024-7543[6]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability.  The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage t

Bug#1078553: zabbix: CVE-2024-22114 CVE-2024-22116 CVE-2024-22121 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461 CVE-2024-36462

2024-08-12 Thread Moritz Mühlenhoff
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2024-22114[0]:
| A user with no permission to any of the Hosts can access and view host
| count & other statistics through System Information Widget in Global
| View Dashboard.

https://support.zabbix.com/browse/ZBX-25015

CVE-2024-22116[1]:
| An administrator with restricted permissions can exploit the script
| execution functionality within the Monitoring Hosts section. The
| lack of default escaping for script parameters enabled this user
| to execute arbitrary code via the Ping script, thereby
| compromising infrastructure.

https://support.zabbix.com/browse/ZBX-25016

CVE-2024-22121[2]:
| A non-admin user can change or remove important features within the
| Zabbix Agent application, thus impacting the integrity and
| availability of the application.

https://support.zabbix.com/browse/ZBX-25011

CVE-2024-22122[3]:
| Zabbix allows configuring SMS notifications. AT command injection
| occurs on "Zabbix Server" because there is no validation of the
| "Number" field on the Web side nor on the Zabbix server side. An
| attacker can run an SMS test providing a specially crafted phone
| number and execute additional AT commands on the modem.

https://support.zabbix.com/browse/ZBX-25012

CVE-2024-22123[4]:
| Setting SMS media allows setting the GSM modem file. Later this file
| is used as a Linux device. But because everything is a file on Linux,
| it is possible to set another file, e.g. a log file, and zabbix_server
| will try to communicate with it as a modem. As a result, the log file
| will be broken with AT commands and a small part of the log file
| content will be leaked to the UI.

https://support.zabbix.com/browse/ZBX-25013

CVE-2024-36460[5]:
| The front-end audit log allows viewing of unprotected plaintext
| passwords, where the passwords are displayed in plain text.

https://support.zabbix.com/browse/ZBX-25017

CVE-2024-36461[6]:
| Within Zabbix, users have the ability to directly modify memory
| pointers in the JavaScript engine.

https://support.zabbix.com/browse/ZBX-25018

CVE-2024-36462[7]:
| Uncontrolled resource consumption refers to a software vulnerability
| where an attacker or system uses excessive resources, such as CPU,
| memory, or network bandwidth, without proper limitations or
| controls. This can cause a denial-of-service (DoS) attack or degrade
| the performance of the affected system.

https://support.zabbix.com/browse/ZBX-25019



If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22114
https://www.cve.org/CVERecord?id=CVE-2024-22114
[1] https://security-tracker.debian.org/tracker/CVE-2024-22116
https://www.cve.org/CVERecord?id=CVE-2024-22116
[2] https://security-tracker.debian.org/tracker/CVE-2024-22121
https://www.cve.org/CVERecord?id=CVE-2024-22121
[3] https://security-tracker.debian.org/tracker/CVE-2024-22122
https://www.cve.org/CVERecord?id=CVE-2024-22122
[4] https://security-tracker.debian.org/tracker/CVE-2024-22123
https://www.cve.org/CVERecord?id=CVE-2024-22123
[5] https://security-tracker.debian.org/tracker/CVE-2024-36460
https://www.cve.org/CVERecord?id=CVE-2024-36460
[6] https://security-tracker.debian.org/tracker/CVE-2024-36461
https://www.cve.org/CVERecord?id=CVE-2024-36461
[7] https://security-tracker.debian.org/tracker/CVE-2024-36462
https://www.cve.org/CVERecord?id=CVE-2024-36462

Please adjust the affected versions in the BTS as needed.



Bug#1074431: arm-trusted-firmware: CVE-2024-6287 CVE-2024-6285

2024-08-07 Thread Moritz Mühlenhoff
Am Mon, Jul 08, 2024 at 07:16:54PM -0700 schrieb Vagrant Cascadian:
> Control: notfound 1074431 2.4+dfsg-2
> Control: notfound 1074431 2.8.0+dfsg-1
> Control: found 1074431 2.9.0+dfsg-1
> 
> On 2024-06-28, Moritz Mühlenhoff wrote:
> > The following vulnerabilities were published for arm-trusted-firmware.
> >
> > CVE-2024-6287[0]:
> > | Incorrect Calculation vulnerability in Renesas arm-trusted-firmware
> > | allows Local Execution of Code.   When checking whether a new image
> ...
> > CVE-2024-6285[1]:
> > | Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-trusted-firmware.
> > | An integer underflow in image range check
> 
> As packaged in Debian bookworm and bullseye, none of the affected
> targets are actually built, although the source code contains the issue.
> 
> The targets are built in later versions, starting with 2.9.0+dfsg-1 and
> 2.10.0+dfsg-1+b1 currently in trixie and sid.

Thanks, I've updated the Debian Security Tracker accordingly.

Cheers,
Moritz



Bug#1077822: neatvnc: CVE-2024-42458

2024-08-02 Thread Moritz Mühlenhoff
Source: neatvnc
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for neatvnc.

CVE-2024-42458[0]:
| server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly
| validate the security type.

https://www.openwall.com/lists/oss-security/2024/08/02/1


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42458
https://www.cve.org/CVERecord?id=CVE-2024-42458

Please adjust the affected versions in the BTS as needed.



Bug#1077821: node-elliptic: CVE-2024-42459 CVE-2024-42460 CVE-2024-42461

2024-08-02 Thread Moritz Mühlenhoff
Source: node-elliptic
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for node-elliptic.

CVE-2024-42459[0]:
| In the Elliptic package 6.5.6 for Node.js, EDDSA signature
| malleability occurs because there is a missing signature length
| check, and thus zero-valued bytes can be removed or appended.

CVE-2024-42460[1]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because there is a missing check for whether the
| leading bit of r and s is zero.

CVE-2024-42461[2]:
| In the Elliptic package 6.5.6 for Node.js, ECDSA signature
| malleability occurs because BER-encoded signatures are allowed.

All addressed by https://github.com/indutny/elliptic/pull/317

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42459
https://www.cve.org/CVERecord?id=CVE-2024-42459
[1] https://security-tracker.debian.org/tracker/CVE-2024-42460
https://www.cve.org/CVERecord?id=CVE-2024-42460
[2] https://security-tracker.debian.org/tracker/CVE-2024-42461
https://www.cve.org/CVERecord?id=CVE-2024-42461

Please adjust the affected versions in the BTS as needed.
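The three node-elliptic CVEs above all come down to a signature decoder that accepts more than one encoding of the same (r, s) pair. The following is an added example, written for this page and not taken from the bug report or from the elliptic project, of the checks a strict decoder has to make: exact length for EdDSA signatures (CVE-2024-42459), a zero leading bit and no redundant 0x00 pad on r and s (CVE-2024-42460), and DER-only length encodings with no BER long-form or indefinite lengths (CVE-2024-42461). All function names are this example's own; the test vectors are constructed for illustration.

```javascript
// Added example (not from the Debian report or the elliptic project): a strict
// DER parser for ECDSA signatures that rejects the encodings elliptic 6.5.6
// accepted, plus the fixed-length check missing for EdDSA signatures.
// All function names are this example's own.

const ED25519_SIG_LEN = 64;

// CVE-2024-42459: an Ed25519 signature is exactly 64 bytes; any other length
// (zero bytes stripped or appended) must be rejected before verification.
function hasValidEd25519Length(sig) {
  return Buffer.from(sig).length === ED25519_SIG_LEN;
}

// Read a DER length at `pos`. BER allows long-form and indefinite lengths for
// any value; DER requires the shortest encoding (CVE-2024-42461).
function readDerLength(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated length");
  const first = buf[pos];
  if (first < 0x80) return { length: first, next: pos + 1 }; // short form
  if (first === 0x80) throw new Error("indefinite length (BER, not DER)");
  const n = first & 0x7f;
  if (n > 2 || pos + 1 + n > buf.length) throw new Error("bad long-form length");
  let length = 0;
  for (let i = 0; i < n; i++) length = (length << 8) | buf[pos + 1 + i];
  // long form is only allowed when the value does not fit in 7 bits, and the
  // length bytes themselves must not start with 0x00
  if (length < 0x80 || buf[pos + 1] === 0x00) throw new Error("non-minimal length (BER, not DER)");
  return { length, next: pos + 1 + n };
}

// Read a DER INTEGER at `pos` and return its magnitude bytes. The leading bit
// must be zero (CVE-2024-42460): a set high bit means a negative number, and a
// 0x00 pad byte is only allowed when the following byte has its high bit set.
function readDerInteger(buf, pos) {
  if (buf[pos] !== 0x02) throw new Error("expected INTEGER tag");
  const { length, next } = readDerLength(buf, pos + 1);
  const end = next + length;
  if (length === 0 || end > buf.length) throw new Error("bad INTEGER length");
  let value = buf.subarray(next, end);
  if (value[0] & 0x80) throw new Error("negative INTEGER");
  if (value.length > 1 && value[0] === 0x00) {
    if (!(value[1] & 0x80)) throw new Error("non-minimal INTEGER (redundant leading zero)");
    value = value.subarray(1); // drop the sign pad, keep the magnitude
  }
  return { value, next: end };
}

// SEQUENCE { r INTEGER, s INTEGER } with nothing before, between or after.
function parseStrictDerEcdsaSignature(sig) {
  const buf = Buffer.from(sig);
  if (buf[0] !== 0x30) throw new Error("expected SEQUENCE tag");
  const seq = readDerLength(buf, 1);
  if (seq.next + seq.length !== buf.length) throw new Error("SEQUENCE length does not match input");
  const r = readDerInteger(buf, seq.next);
  const s = readDerInteger(buf, r.next);
  if (s.next !== buf.length) throw new Error("trailing bytes after s");
  return { r: r.value.toString("hex"), s: s.value.toString("hex") };
}

// Convenience wrapper: true only for canonical DER.
function isStrictDerSignature(hex) {
  try {
    parseStrictDerEcdsaSignature(Buffer.from(hex, "hex"));
    return true;
  } catch (e) {
    return false;
  }
}
```

The decoder returns the magnitude of r and s only after every structural check has passed, so a verifier built on it sees exactly one byte string per signature value; malleated encodings of a valid signature fail at decode time instead of verifying. Rejecting r or s equal to zero and enforcing low-s are separate checks that belong in the ECDSA verify step, not in the DER layer.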



Bug#1077820: clickhouse: CVE-2024-6873

2024-08-02 Thread Moritz Mühlenhoff
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for clickhouse.

CVE-2024-6873[0]:
| It is possible to crash or redirect the execution flow of the
| ClickHouse server process from an unauthenticated vector by sending
| a specially crafted request to the ClickHouse server native
| interface. This redirection is limited to what is available within a
| 256-byte range of memory at the time of execution, and no known
| remote code execution (RCE) code has been produced or exploited.
| Fixes have been merged to all currently supported versions of
| ClickHouse. If you are maintaining your own forked version of
| ClickHouse or using an older version and cannot upgrade, the fix for
| this vulnerability can be found in this commit 
| https://github.com/ClickHouse/ClickHouse/pull/64024 .

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f
https://github.com/ClickHouse/ClickHouse/pull/64024


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6873
https://www.cve.org/CVERecord?id=CVE-2024-6873

Please adjust the affected versions in the BTS as needed.



Bug#1077687: bluez: CVE-2023-44431

2024-07-31 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-44431[0]:
| BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows network-adjacent
| attackers to execute arbitrary code via Bluetooth on affected
| installations of BlueZ. User interaction is required to exploit this
| vulnerability in that the target must connect to a malicious device.
| The specific flaw exists within the handling of the AVRCP protocol.
| The issue results from the lack of proper validation of the length
| of user-supplied data prior to copying it to a fixed-length stack-based
| buffer. An attacker can leverage this vulnerability to execute
| code in the context of root. Was ZDI-CAN-19909.

https://www.zerodayinitiative.com/advisories/ZDI-23-1900/

It's unclear whether that has ever been properly reported upstream.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44431
https://www.cve.org/CVERecord?id=CVE-2023-44431

Please adjust the affected versions in the BTS as needed.



Bug#1077686: mbedtls: CVE-2024-28755

2024-07-31 Thread Moritz Mühlenhoff
Source: mbedtls
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for mbedtls.

CVE-2024-28755[0]:
| An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL
| context was reset with the mbedtls_ssl_session_reset() API, the
| maximum TLS version to be negotiated was not restored to the
| configured one. An attacker was able to prevent an Mbed TLS server
| from establishing any TLS 1.3 connection, potentially resulting in a
| Denial of Service or forced version downgrade from TLS 1.3 to TLS
| 1.2.

https://github.com/Mbed-TLS/mbedtls/issues/8654

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28755
https://www.cve.org/CVERecord?id=CVE-2024-28755

Please adjust the affected versions in the BTS as needed.



Bug#1077684: libcrypto++: CVE-2024-28285

2024-07-31 Thread Moritz Mühlenhoff
Source: libcrypto++
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libcrypto++.

CVE-2024-28285[0]:
| A Fault Injection vulnerability in the SymmetricDecrypt function in
| cryptopp/elgamal.h of Cryptopp Crypto++ 8.9, allows an attacker to
| co-reside in the same system with a victim process to disclose
| information and escalate privileges.

https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
https://github.com/weidai11/cryptopp/issues/1262


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28285
https://www.cve.org/CVERecord?id=CVE-2024-28285

Please adjust the affected versions in the BTS as needed.



Bug#1077682: freeipa: CVE-2024-2698

2024-07-31 Thread Moritz Mühlenhoff
Source: freeipa
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeipa.

CVE-2024-2698[0]:
| A vulnerability was found in FreeIPA in how the initial
| implementation of MS-SFU by MIT Kerberos was missing a condition for
| granting the "forwardable" flag on S4U2Self tickets. Fixing this
| mistake required adding a special case for the
| check_allowed_to_delegate() function: If the target service argument
| is NULL, then it means the KDC is probing for general constrained
| delegation rules and not checking a specific S4U2Proxy request.
| In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to
| match the changes from upstream MIT Kerberos 1.20. However, a
| mistake resulted in this mechanism applying in cases where the
| target service argument is set AND where it is unset. This results
| in S4U2Proxy requests being accepted regardless of whether or not
| there is a matching service delegation rule.

https://bugzilla.redhat.com/show_bug.cgi?id=2270353


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2698
https://www.cve.org/CVERecord?id=CVE-2024-2698

Please adjust the affected versions in the BTS as needed.



Bug#1077683: freeipa: CVE-2024-3183

2024-07-31 Thread Moritz Mühlenhoff
Source: freeipa
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeipa.

CVE-2024-3183[0]:
| A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ
| is encrypted using the client’s session key. This key is
| different for each new session, which protects it from brute force
| attacks. However, the ticket it contains is encrypted using the
| target principal key directly. For user principals, this key is a
| hash of a public per-principal randomly-generated salt and the
| user’s password. If a principal is compromised it means the
| attacker would be able to retrieve tickets encrypted to any
| principal, all of them being encrypted by their own key directly. By
| taking these tickets and salts offline, the attacker could run brute
| force attacks to find character strings able to decrypt tickets when
| combined to a principal salt (i.e. find the principal’s password).

https://bugzilla.redhat.com/show_bug.cgi?id=2270685


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3183
https://www.cve.org/CVERecord?id=CVE-2024-3183

Please adjust the affected versions in the BTS as needed.



Bug#1077548: anki: CVE-2024-26020 CVE-2024-32152 CVE-2024-32484 CVE-2024-29073

2024-07-29 Thread Moritz Mühlenhoff
Source: anki
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for anki.

CVE-2024-26020[0]:
| An arbitrary script execution vulnerability exists in the MPV
| functionality of Ankitects Anki 24.04. A specially crafted flashcard
| can lead to arbitrary code execution. An attacker can send a
| malicious flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1993


CVE-2024-32152[1]:
| A blocklist bypass vulnerability exists in the LaTeX functionality
| of Ankitects Anki 24.04. A specially crafted malicious flashcard can
| lead to an arbitrary file creation at a fixed path. An attacker can
| share a malicious flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994


CVE-2024-32484[2]:
| A reflected XSS vulnerability exists in the handling of invalid
| paths in the Flask server in Ankitects Anki 24.04. A specially
| crafted flashcard can lead to JavaScript code execution and result
| in an arbitrary file read. An attacker can share a malicious
| flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995


CVE-2024-29073[3]:
| A vulnerability in the handling of Latex exists in Ankitects Anki
| 24.04. When Latex is sanitized to prevent unsafe commands, the
| verbatim package, which comes installed by default in many Latex
| distributions, has been overlooked. A specially crafted flashcard
| can lead to an arbitrary file read. An attacker can share a
| flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1992


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26020
https://www.cve.org/CVERecord?id=CVE-2024-26020
[1] https://security-tracker.debian.org/tracker/CVE-2024-32152
https://www.cve.org/CVERecord?id=CVE-2024-32152
[2] https://security-tracker.debian.org/tracker/CVE-2024-32484
https://www.cve.org/CVERecord?id=CVE-2024-32484
[3] https://security-tracker.debian.org/tracker/CVE-2024-29073
https://www.cve.org/CVERecord?id=CVE-2024-29073

Please adjust the affected versions in the BTS as needed.



Bug#1077547: undertow: CVE-2024-3653

2024-07-29 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-3653[0]:
| A vulnerability was found in Undertow. This issue requires enabling
| the learning-push handler in the server's config, which is disabled
| by default, leaving the maxAge config in the handler unconfigured.
| The default is -1, which makes the handler vulnerable. If someone
| overwrites that config, the server is not subject to the attack. The
| attacker needs to be able to reach the server with a normal HTTP
| request.

https://bugzilla.redhat.com/show_bug.cgi?id=2274437

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3653
https://www.cve.org/CVERecord?id=CVE-2024-3653

Please adjust the affected versions in the BTS as needed.



Bug#1077546: undertow: CVE-2024-6162

2024-07-29 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-6162[0]:
| A vulnerability was found in Undertow. URL-encoded request path
| information can be broken for concurrent requests on ajp-listener,
| causing the wrong path to be processed and resulting in a possible
| denial of service.

https://bugzilla.redhat.com/show_bug.cgi?id=2293069


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6162
https://www.cve.org/CVERecord?id=CVE-2024-6162

Please adjust the affected versions in the BTS as needed.



Bug#1077545: undertow: CVE-2024-5971

2024-07-29 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-5971[0]:
| A vulnerability was found in Undertow, where the chunked response
| hangs after the body was flushed. The response headers and body were
| sent but the client would continue waiting as Undertow does not send
| the expected 0\r\n termination of the chunked response. This results
| in uncontrolled resource consumption, leaving the server side open to a
| denial of service attack. This happens only with Java 17 TLSv1.3
| scenarios.

https://bugzilla.redhat.com/show_bug.cgi?id=2292211

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-5971
https://www.cve.org/CVERecord?id=CVE-2024-5971

Please adjust the affected versions in the BTS as needed.



Bug#1077544: qtbase-opensource-src-gles: CVE-2024-39936

2024-07-29 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2024-39936[0]:
| An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before
| 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x
| before 6.7.3. Code to make security-relevant decisions about an
| established connection may execute too early, because the
| encrypted() signal has not yet been emitted and processed.

https://codereview.qt-project.org/c/qt/qtbase/+/571601
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=b1e75376cc3adfc7da5502a277dfe9711f3e0536

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39936
https://www.cve.org/CVERecord?id=CVE-2024-39936

Please adjust the affected versions in the BTS as needed.



Bug#1077543: requirejs: CVE-2024-38998 CVE-2024-38999

2024-07-29 Thread Moritz Mühlenhoff
Source: requirejs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for requirejs.

CVE-2024-38998[0]:
| jrburke requirejs v2.3.6 was discovered to contain a prototype
| pollution via the function config. This vulnerability allows
| attackers to execute arbitrary code or cause a Denial of Service
| (DoS) via injecting arbitrary properties.

https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a


CVE-2024-38999[1]:
| jrburke requirejs v2.3.6 was discovered to contain a prototype
| pollution via the function s.contexts._.configure. This
| vulnerability allows attackers to execute arbitrary code or cause a
| Denial of Service (DoS) via injecting arbitrary properties.

https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38998
https://www.cve.org/CVERecord?id=CVE-2024-38998
[1] https://security-tracker.debian.org/tracker/CVE-2024-38999
https://www.cve.org/CVERecord?id=CVE-2024-38999

Please adjust the affected versions in the BTS as needed.
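Both requirejs CVEs above describe prototype pollution through a configuration merge. As an added example that is not requirejs code and not part of the bug report, the block below shows the recursive merge pattern in a naive form, where an own property literally named "__proto__" in attacker-supplied JSON makes the recursion write into Object.prototype, next to a hardened merge that drops prototype-related keys and only recurses into own, plain-object properties. The payload and function names are constructed for this example.

```javascript
// Added example (not requirejs code): a recursive config merge of the kind
// described in CVE-2024-38998 / CVE-2024-38999, first in the naive form that
// lets a key named "__proto__" reach Object.prototype, then in a hardened form.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object" || Array.isArray(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Naive deep merge: for key "__proto__", target[key] resolves to
// Object.prototype, so the recursive call writes there.
function naiveMerge(target, source) {
  for (const key in source) {
    if (typeof source[key] === "object" && source[key] !== null) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: refuse prototype-related keys, iterate own keys only,
// and never recurse into an inherited or non-plain target value.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop, or throw to surface the attempt
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload. JSON.parse creates an *own* property named "__proto__";
// an object literal with that key would instead set the prototype.
const PAYLOAD = '{"baseUrl": "/js", "__proto__": {"polluted": "yes"}}';

// Returns what a fresh object inherits after the naive merge, then cleans up.
function demoNaive() {
  naiveMerge({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted; // "yes": every object now carries the property
  delete Object.prototype.polluted;
  return leaked;
}

// Returns the merged config's baseUrl and confirms nothing leaked anywhere.
function demoSafe() {
  const cfg = safeMerge({}, JSON.parse(PAYLOAD));
  return {
    baseUrl: cfg.baseUrl,
    polluted: ({}).polluted,            // undefined
    ownProto: Object.hasOwn(cfg, "__proto__"), // false: key was dropped
  };
}
```

The important detail for reviewers is the recursion step: the naive version only checks the type of the source value, never whether `target[key]` is an own property of `target`, so a lookup of an inherited accessor like `__proto__` silently hands it an object it should never touch. Checking `Object.hasOwn` on the target side and filtering the key names closes both routes.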



Bug#1077542: rust-gix-worktree: CVE-2024-35186

2024-07-29 Thread Moritz Mühlenhoff
Source: rust-gix-worktree
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-worktree.

CVE-2024-35186[0]:
| gitoxide is a pure Rust implementation of Git. During checkout,
| `gix-worktree-state` does not verify that paths point to locations
| in the working tree. A specially crafted repository can, when
| cloned, place new files anywhere writable by the application. This
| vulnerability leads to a major loss of confidentiality, integrity,
| and availability, but creating files outside a working tree without
| attempting to execute code can directly impact integrity as well.
| This vulnerability has been patched in version(s) 0.36.0.

https://rustsec.org/advisories/RUSTSEC-2024-0349.html
https://github.com/advisories/GHSA-7w47-3wg8-547c


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35186
https://www.cve.org/CVERecord?id=CVE-2024-35186

Please adjust the affected versions in the BTS as needed.



Bug#1077541: rust-gix-index: CVE-2024-35186

2024-07-29 Thread Moritz Mühlenhoff
Source: rust-gix-index
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-index.

CVE-2024-35186[0]:
| gitoxide is a pure Rust implementation of Git. During checkout,
| `gix-worktree-state` does not verify that paths point to locations
| in the working tree. A specially crafted repository can, when
| cloned, place new files anywhere writable by the application. This
| vulnerability leads to a major loss of confidentiality, integrity,
| and availability, but creating files outside a working tree without
| attempting to execute code can directly impact integrity as well.
| This vulnerability has been patched in version(s) 0.36.0.

https://rustsec.org/advisories/RUSTSEC-2024-0348.html
https://github.com/advisories/GHSA-7w47-3wg8-547c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35186
https://www.cve.org/CVERecord?id=CVE-2024-35186

Please adjust the affected versions in the BTS as needed.



Bug#1077540: rust-gix-fs: CVE-2024-35186

2024-07-29 Thread Moritz Mühlenhoff
Source: rust-gix-fs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-gix-fs.

CVE-2024-35186[0]:
| gitoxide is a pure Rust implementation of Git. During checkout,
| `gix-worktree-state` does not verify that paths point to locations
| in the working tree. A specially crafted repository can, when
| cloned, place new files anywhere writable by the application. This
| vulnerability leads to a major loss of confidentiality, integrity,
| and availability, but creating files outside a working tree without
| attempting to execute code can directly impact integrity as well.
| This vulnerability has been patched in version(s) 0.36.0.

https://rustsec.org/advisories/RUSTSEC-2024-0350.html
https://github.com/advisories/GHSA-7w47-3wg8-547c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35186
https://www.cve.org/CVERecord?id=CVE-2024-35186

Please adjust the affected versions in the BTS as needed.
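The three gix reports above describe one defect: a checkout that takes entry paths from an untrusted repository and writes them without proving that each one stays inside the working tree. The following is an added example, written for this page and not gitoxide's code or its fix, of the checks a checkout should run on every tree entry before creating it: reject absolute paths, `.` and `..` components, separators and drive letters that mean something else on Windows, anything under `.git`, and any ancestor directory that is a symlink (which a malicious repository can have planted earlier in the same checkout). The function names and the `/tmp/wt` working tree in `main()` are my own.

```rust
use std::path::{Path, PathBuf};

/// Reject tree entry paths that could escape the working tree or touch the
/// repository's own metadata. Git stores paths with '/' separators; '\\' and
/// ':' are refused too so the same bytes cannot be reinterpreted on Windows,
/// and NUL because it would truncate the name at the OS boundary.
pub fn validate_tree_path(rel: &str) -> Result<(), String> {
    if rel.is_empty() {
        return Err("empty path".to_string());
    }
    if rel.starts_with('/') {
        return Err(format!("absolute path: {rel}"));
    }
    if rel.contains(|c: char| c == '\\' || c == ':' || c == '\0') {
        return Err(format!("forbidden character in path: {rel:?}"));
    }
    for comp in rel.split('/') {
        if comp.is_empty() {
            return Err(format!("empty component (// or trailing /): {rel}"));
        }
        if comp == "." || comp == ".." {
            return Err(format!("relative component {comp:?} in {rel}"));
        }
        // Only the plain spelling is checked here; git additionally refuses
        // NTFS 8.3 and HFS+ variants that normalise to ".git".
        if comp.eq_ignore_ascii_case(".git") {
            return Err(format!("refusing to write into .git: {rel}"));
        }
    }
    Ok(())
}

/// Resolve `rel` under `worktree` for writing, refusing to pass through a
/// symlink in any ancestor directory. symlink_metadata() is lstat(): it does
/// not follow links, so a repository that checked out "link -> /" earlier
/// cannot later deliver "link/etc/cron.d/job" outside the tree. Directories
/// that do not exist yet are fine; the caller creates them.
pub fn checkout_target(worktree: &Path, rel: &str) -> Result<PathBuf, String> {
    validate_tree_path(rel)?;
    let comps: Vec<&str> = rel.split('/').collect();
    let mut cur = worktree.to_path_buf();
    for dir in &comps[..comps.len() - 1] {
        cur.push(dir);
        match std::fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_symlink() => {
                return Err(format!("{} is a symlink; refusing to write through it", cur.display()));
            }
            Ok(md) if !md.is_dir() => {
                return Err(format!("{} exists and is not a directory", cur.display()));
            }
            Ok(_) => {}
            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
            Err(e) => return Err(format!("{}: {e}", cur.display())),
        }
    }
    cur.push(comps[comps.len() - 1]);
    Ok(cur)
}

fn main() {
    let wt = Path::new("/tmp/wt"); // hypothetical working tree
    for p in ["src/main.rs", "../../.bashrc", "/etc/passwd", ".git/hooks/post-checkout", "a//b", "dir/..\\x"] {
        match checkout_target(wt, p) {
            Ok(path) => println!("ok   {p:?} -> {}", path.display()),
            Err(e) => println!("deny {p:?}: {e}"),
        }
    }
}
```

The order matters: the symlink test has to run against the directories as they exist at the moment each entry is written, not against the index up front, because the repository controls the order in which its own entries (including the symlink) are created.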



Bug#1074431: arm-trusted-firmware: CVE-2024-6287 CVE-2024-6285

2024-06-28 Thread Moritz Mühlenhoff
Source: arm-trusted-firmware
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for arm-trusted-firmware.

CVE-2024-6287[0]:
| Incorrect Calculation vulnerability in Renesas arm-trusted-firmware
| allows Local Execution of Code. When checking whether a new image
| invades/overlaps with a previously loaded image the code neglects to
| consider a few cases that could allow an attacker to bypass memory range
| restriction and overwrite an already loaded image partly or
| completely, which could result in code execution and bypass of
| secure boot.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
https://asrg.io/security-advisories/cve-2024-6287-incorrect-address-range-calculations-in-renesas-rcar/


CVE-2024-6285[1]:
| Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-
| trusted-firmware. An integer underflow in image range check
| calculations could lead to bypassing address restrictions and
| loading of images to unallowed addresses.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
https://asrg.io/security-advisories/cve-2024-6285-integer-underflow-in-memory-range-check-in-renesas-rcar/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6287
https://www.cve.org/CVERecord?id=CVE-2024-6287
[1] https://security-tracker.debian.org/tracker/CVE-2024-6285
https://www.cve.org/CVERecord?id=CVE-2024-6285

Please adjust the affected versions in the BTS as needed.
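As an added example, not arm-trusted-firmware code and not the Renesas fix, here are the two checks the advisories above describe, each written once the way the bugs do and once corrected: a window check whose `limit - dst` subtraction underflows when the destination lies above the window (CVE-2024-6285), and an overlap check that only tests whether the new image's start or end falls inside an existing image, so an image that covers the existing one entirely is missed (CVE-2024-6287). Rust's `wrapping_*` operations stand in for the silent unsigned arithmetic of C firmware; the memory layout in `main()` and the function names are constructed for the example.

```rust
/// A contiguous physical address range: [base, base + size).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Region {
    pub base: u64,
    pub size: u64,
}

/// Buggy window check: `limit - dst` underflows when dst lies above the
/// window, so the "remaining space" becomes enormous and any size passes.
/// wrapping_sub mirrors what unsigned C arithmetic does silently.
pub fn fits_in_window_buggy(img: Region, win: Region) -> bool {
    let limit = win.base.wrapping_add(win.size);
    img.base >= win.base && img.size <= limit.wrapping_sub(img.base)
}

/// Fixed window check: never subtract before proving the order of the
/// operands, and compare sizes instead of end addresses so nothing can wrap.
pub fn fits_in_window(img: Region, win: Region) -> bool {
    let limit = match win.base.checked_add(win.size) {
        Some(l) => l,
        None => return false,
    };
    img.base >= win.base && img.base <= limit && img.size <= limit - img.base
}

/// Buggy overlap check: looks only at whether the new image's start or end
/// falls inside an already loaded image. A new image that starts before and
/// ends after the old one (completely covering it) is not detected.
pub fn overlaps_buggy(new: Region, old: Region) -> bool {
    let new_end = new.base.wrapping_add(new.size);
    let old_end = old.base.wrapping_add(old.size);
    (new.base >= old.base && new.base < old_end)
        || (new_end > old.base && new_end <= old_end)
}

/// Fixed overlap check: two half-open intervals [a, a+n) and [b, b+m)
/// intersect iff a < b+m && b < a+n. checked_add turns a wrapped end
/// address into None, which the caller treats as a rejection.
pub fn overlaps(new: Region, old: Region) -> Option<bool> {
    let new_end = new.base.checked_add(new.size)?;
    let old_end = old.base.checked_add(old.size)?;
    Some(new.base < old_end && old.base < new_end)
}

/// What a loader should establish before copying an image: it fits in the
/// allowed window and touches nothing loaded before it.
pub fn check_load(new: Region, win: Region, loaded: &[Region]) -> Result<(), &'static str> {
    if new.size == 0 {
        return Err("empty image");
    }
    if !fits_in_window(new, win) {
        return Err("image outside allowed window");
    }
    for old in loaded {
        match overlaps(new, *old) {
            Some(false) => {}
            Some(true) => return Err("image overlaps an already loaded image"),
            None => return Err("address arithmetic would wrap"),
        }
    }
    Ok(())
}

fn main() {
    // Constructed layout, not a real SoC memory map: window 0x4000_0000..0x8000_0000,
    // with a BL31 image already sitting at 0x4400_0000, size 0x2_0000.
    let win = Region { base: 0x4000_0000, size: 0x4000_0000 };
    let bl31 = Region { base: 0x4400_0000, size: 0x2_0000 };
    let cases = [
        ("far above window", Region { base: 0xFFFF_FFFF_0000_0000, size: 0x1000 }),
        ("covers bl31", Region { base: 0x43FF_0000, size: 0x10_0000 }),
        ("fine", Region { base: 0x5000_0000, size: 0x1000 }),
    ];
    for (name, img) in cases {
        println!(
            "{name:18} buggy: in_window={} overlap={}  fixed: {:?}",
            fits_in_window_buggy(img, win),
            overlaps_buggy(img, bl31),
            check_load(img, win, &[bl31]),
        );
    }
}
```

The first case passes the buggy window check because `0x8000_0000 - 0xFFFF_FFFF_0000_0000` wraps to `0x1_8000_0000`, leaving plenty of "room" for a 4 KiB image; the second passes the buggy overlap check because neither endpoint of the new image lands inside BL31 even though the whole of BL31 lands inside the new image.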



Bug#1074430: adminer: CVE-2023-45196 CVE-2023-45195

2024-06-28 Thread Moritz Mühlenhoff
Source: adminer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for adminer.

CVE-2023-45196[0]:
| Adminer and AdminerEvo allow an unauthenticated remote attacker to
| cause a denial of service by connecting to an attacker-controlled
| service that responds with HTTP redirects. The denial of service is
| subject to PHP configuration limits. Adminer is no longer supported,
| but this issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6

CVE-2023-45195[1]:
| Adminer and AdminerEvo are vulnerable to SSRF via database
| connection fields. This could allow an unauthenticated remote
| attacker to enumerate or access systems the attacker would not
| otherwise have access to. Adminer is no longer supported, but this
| issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc

It seems adminer is dead upstream and adminerevo picked up development,
so most likely Debian should follow the new upstream?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45196
https://www.cve.org/CVERecord?id=CVE-2023-45196
[1] https://security-tracker.debian.org/tracker/CVE-2023-45195
https://www.cve.org/CVERecord?id=CVE-2023-45195

Please adjust the affected versions in the BTS as needed.



Bug#1074429: xml-security-c: CVE-2024-34580

2024-06-28 Thread Moritz Mühlenhoff
Source: xml-security-c
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for xml-security-c.

CVE-2024-34580[0]:
| Apache XML Security for C++ through 2.0.4 implements the XML
| Signature Syntax and Processing (XMLDsig) specification without
| protection against an SSRF payload in a KeyInfo element. NOTE: the
| supplier disputes this CVE Record on the grounds that they are
| implementing the specification "correctly" and are not "at fault."

https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery
https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library
https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md

Not sure what to make of this. It seems the use of xml-security-c
within Shibboleth continues to be supported, but otherwise the library
is deemed deprecated, so maybe this should at least be made explicit
in the package description?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34580
https://www.cve.org/CVERecord?id=CVE-2024-34580

Please adjust the affected versions in the BTS as needed.
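Both the adminer report (SSRF through the database connection fields) and the xml-security-c report above (a KeyInfo element that makes the library fetch an attacker-chosen URI) come down to the same missing control: a server-side component connecting to a destination the request supplied. The following is an added example in Rust of vetting such a destination before connecting; it is not adminerevo's fix and not part of Apache XML Security, and the function names are my own. It accepts only IP literals on purpose: a hostname has to be resolved once, the resolved address checked, and the connection made to that same address, or DNS rebinding defeats the check.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Addresses a server-side fetch or DB connection must never be pointed at
/// on a caller's say-so: loopback, RFC 1918, link-local (which includes the
/// 169.254.169.254 cloud metadata endpoint), CGNAT, "this network",
/// unspecified, broadcast and multicast.
pub fn is_internal_ipv4(ip: Ipv4Addr) -> bool {
    let [a, b, _, _] = ip.octets();
    ip.is_loopback()
        || ip.is_private()
        || ip.is_link_local()
        || ip.is_unspecified()
        || ip.is_broadcast()
        || ip.is_multicast()
        || (a == 100 && (64..=127).contains(&b)) // 100.64.0.0/10
        || a == 0 // 0.0.0.0/8; on Linux 0.0.0.0 connects to localhost
}

/// IPv6 equivalent. IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible
/// (::a.b.c.d) forms are unwrapped and judged as IPv4, otherwise
/// ::ffff:127.0.0.1 slips past an IPv4-only blocklist.
pub fn is_internal_ipv6(ip: Ipv6Addr) -> bool {
    if let Some(v4) = ip.to_ipv4() {
        return is_internal_ipv4(v4);
    }
    let seg0 = ip.segments()[0];
    ip.is_loopback()
        || ip.is_unspecified()
        || ip.is_multicast()
        || (seg0 & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (seg0 & 0xffc0) == 0xfe80 // fe80::/10 link local
}

pub fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_ipv4(v4),
        IpAddr::V6(v6) => is_internal_ipv6(v6),
    }
}

/// Vet a user-supplied host field (a DB server in a login form, a URI host
/// in a RetrievalMethod) before connecting. Bracketed IPv6 literals are
/// accepted. Hostnames are rejected here: resolve them, run the result
/// through is_internal(), and connect to that exact address. Rust's IP
/// parser is strict, so the classic bypass spellings 0x7f000001,
/// 2130706433 and 127.1 are rejected as "not an IP" rather than accepted.
pub fn check_target_host(host: &str) -> Result<IpAddr, String> {
    let h = host.trim();
    let h = h.strip_prefix('[').and_then(|s| s.strip_suffix(']')).unwrap_or(h);
    if h.eq_ignore_ascii_case("localhost") || h.ends_with(".localhost") {
        return Err(format!("{host:?}: refusing localhost"));
    }
    let ip: IpAddr = h
        .parse()
        .map_err(|_| format!("{host:?}: not an IP literal; resolve it and re-check the address"))?;
    if is_internal(ip) {
        return Err(format!("{host:?}: {ip} is an internal address"));
    }
    Ok(ip)
}

fn main() {
    // Constructed inputs; 203.0.113.10 and 2001:db8::1 are documentation addresses.
    for h in ["203.0.113.10", "[2001:db8::1]", "10.0.0.5", "169.254.169.254",
              "[::ffff:127.0.0.1]", "[fd00::1]", "localhost", "db.example.com"] {
        match check_target_host(h) {
            Ok(ip) => println!("allow {h:20} -> {ip}"),
            Err(e) => println!("deny  {e}"),
        }
    }
}
```

For the redirect-based denial of service in CVE-2023-45196 the same guard has to run again on every redirect target, and the client needs a hard cap on the number of redirects it will follow; a check on the first URL only is bypassed by a public host that 302s to an internal one.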



Bug#1074426: golang-golang-x-image: CVE-2024-24792

2024-06-28 Thread Moritz Mühlenhoff
Source: golang-golang-x-image
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-golang-x-image.

CVE-2024-24792[0]:
| Parsing a corrupt or malicious image with invalid color indices can
| cause a panic.

https://github.com/advisories/GHSA-9phm-fm57-rhg8
https://github.com/golang/go/issues/67624
https://go-review.googlesource.com/c/image/+/588115


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24792
https://www.cve.org/CVERecord?id=CVE-2024-24792

Please adjust the affected versions in the BTS as needed.


