Bug#1072531: 389-ds-base: CVE-2024-2199

2024-06-03 Thread Moritz Mühlenhoff
Source: 389-ds-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2024-2199[0]:
| A denial of service vulnerability was found in 389-ds-base ldap
| server. This issue may allow an authenticated user to cause a server
| crash while modifying `userPassword` using malformed input.

https://bugzilla.redhat.com/show_bug.cgi?id=2267976


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2199
https://www.cve.org/CVERecord?id=CVE-2024-2199

Please adjust the affected versions in the BTS as needed.



Bug#1072530: smarty3: CVE-2024-35226

2024-06-03 Thread Moritz Mühlenhoff
Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty3.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.



Bug#1072529: smarty4: CVE-2024-35226

2024-06-03 Thread Moritz Mühlenhoff
Source: smarty4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty4.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.



Bug#1072528: tcpdf: CVE-2024-22641

2024-06-03 Thread Moritz Mühlenhoff
Source: tcpdf
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tcpdf. I realise
you're aware given you replied to the upstream issue, but also
filing in the BTS for completeness:

CVE-2024-22641[0]:
| TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular
| Expression Denial of Service) if parsing an untrusted SVG file.

https://github.com/tecnickcom/TCPDF/issues/724


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22641
https://www.cve.org/CVERecord?id=CVE-2024-22641

Please adjust the affected versions in the BTS as needed.



Bug#1072300: RM: phppgadmin/7.13.0+dfsg-2

2024-06-03 Thread Moritz Mühlenhoff
On Fri, May 31, 2024 at 03:53:13PM -0300, Leandro Cunha wrote:
> Package: release.debian.org
> Control: affects -1 + src:phppgadmin
> X-Debbugs-Cc: phppgad...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: rm
> X-Debbugs-Cc: leandrocunha...@gmail.com
> Severity: normal
> 
> Reason and request
> I open this bug to request the removal of the phppgadmin package
> version 7.13.0+dfsg-2 from the current stable version of Debian

I suppose it should also be removed from bullseye/oldstable, right?
If so, can you please file a separate bug for it?

Cheers,
Moritz



Bug#1072180: golang-github-lucas-clemente-quic-go: CVE-2024-22189

2024-05-29 Thread Moritz Mühlenhoff
Source: golang-github-lucas-clemente-quic-go
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-lucas-clemente-quic-go.

CVE-2024-22189[0]:
| quic-go is an implementation of the QUIC protocol in Go. Prior to
| version 0.42.0, an attacker can cause its peer to run out of memory
| sending a large number of `NEW_CONNECTION_ID` frames that retire old
| connection IDs. The receiver is supposed to respond to each
| retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker
| can prevent the receiver from sending out (the vast majority of)
| these `RETIRE_CONNECTION_ID` frames by collapsing the peers
| congestion window (by selectively acknowledging received packets)
| and by manipulating the peer's RTT estimate. Version 0.42.0 contains
| a patch for the issue. No known workarounds are available.

https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a (v0.42.0)
https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22189
https://www.cve.org/CVERecord?id=CVE-2024-22189

Please adjust the affected versions in the BTS as needed.



Bug#1072179: pypy3: CVE-2023-27043

2024-05-29 Thread Moritz Mühlenhoff
Source: pypy3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for pypy3.

CVE-2023-27043[0]:
| The email module of Python through 3.11.3 incorrectly parses e-mail
| addresses that contain a special character. The wrong portion of an
| RFC2822 header is identified as the value of the addr-spec. In some
| applications, an attacker can bypass a protection mechanism in which
| application access is granted only after verifying receipt of e-mail
| to a specific domain (e.g., only @company.example.com addresses may
| be used for signup). This occurs in email/_parseaddr.py in recent
| versions of Python.

https://github.com/python/cpython/issues/102988


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27043
https://www.cve.org/CVERecord?id=CVE-2023-27043

Please adjust the affected versions in the BTS as needed.
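The bypass in CVE-2023-27043 only bites where an application hands the raw signup string to `email.utils.parseaddr()` and then checks the domain of whatever addr-spec the parser picked out. As an added example (not code from CPython, PyPy or the pypy3 package), the check below does not let a lenient parser make the authorisation decision at all: the input must be one bare addr-spec matching a narrow grammar end to end, and the domain comparison is done on that string. The allowed domain and the sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption for the example: signups are only allowed from this domain.
ALLOWED_DOMAIN = "company.example.com"

# A deliberately narrow addr-spec: dot-atom local part, exactly one '@', then a
# dotted host name ending in an alphabetic TLD. Anything outside this shape is
# rejected rather than "repaired" by a forgiving parser.
_ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def lenient_domain_ok(candidate: str) -> bool:
    """The fragile pattern: trust whatever parseaddr() reports as the addr-spec.
    With a vulnerable email module the reported address can differ from the
    one mail would actually be delivered to, so a domain check on it is
    meaningless. Shown for contrast only; its result depends on the Python
    version in use."""
    _, addr = parseaddr(candidate)
    return addr.lower().endswith("@" + ALLOWED_DOMAIN)


def strict_domain_ok(candidate: str) -> bool:
    """Authorise only a bare addr-spec: the whole string must match the grammar
    (no display name, no angle brackets, no second '@', no trailing junk) and
    the part after the last '@' must be exactly ALLOWED_DOMAIN."""
    if not _ADDR_SPEC.fullmatch(candidate):
        return False
    _local, _, domain = candidate.rpartition("@")
    return domain.lower() == ALLOWED_DOMAIN
```

The point of `strict_domain_ok` is that the string the check approves is the string that is later used verbatim as the recipient, so there is no second interpretation for a parser to disagree about.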



Bug#1072178: libnetwork-ipv4addr-perl: CVE-2021-47155

2024-05-29 Thread Moritz Mühlenhoff
Source: libnetwork-ipv4addr-perl
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for libnetwork-ipv4addr-perl.

CVE-2021-47155[0]:
| The Net::IPV4Addr module 0.10 for Perl does not properly consider
| extraneous zero characters in an IP address string, which (in some
| situations) allows attackers to bypass access control that is based
| on IP addresses.

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/#net-ipv4addrhttpsmetacpanorgreleasenet-ipv4addr


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-47155
https://www.cve.org/CVERecord?id=CVE-2021-47155

Please adjust the affected versions in the BTS as needed.



Bug#1069127: python-idna: CVE-2024-3651

2024-05-29 Thread Moritz Mühlenhoff
Hi Guilhem,

> > CVE-2024-3651[0]:
> > | potential DoS via resource consumption via specially crafted inputs to
> > | idna.encode()
> 
> I'm preparing an update for this issue for Buster LTS, would you like me
> to propose debdiffs for (o)s-pu and sid too?

Please do so!

Cheers,
Moritz



Bug#1072126: frr: CVE-2024-31948

2024-05-28 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-31948[0]:
| In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix
| SID attribute in a BGP UPDATE packet can cause the bgpd daemon to
| crash.

https://github.com/FRRouting/frr/pull/15628
Fixed by: https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138
Fixed by: https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31948
https://www.cve.org/CVERecord?id=CVE-2024-31948

Please adjust the affected versions in the BTS as needed.



Bug#1072125: frr: CVE-2024-31949

2024-05-28 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-31949[0]:
| In FRRouting (FRR) through 9.1, an infinite loop can occur when
| receiving a MP/GR capability as a dynamic capability because
| malformed data results in a pointer not advancing.

https://github.com/FRRouting/frr/pull/15640
Fixed by: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31949
https://www.cve.org/CVERecord?id=CVE-2024-31949

Please adjust the affected versions in the BTS as needed.



Bug#1070377: frr: CVE-2024-34088

2024-05-28 Thread Moritz Mühlenhoff
On Sat, May 04, 2024 at 06:00:24PM +0200, Moritz Mühlenhoff wrote:
> Source: frr
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for frr.
> 
> CVE-2024-34088[0]:
> | In FRRouting (FRR) through 9.1, it is possible for the get_edge()
> | function in ospf_te.c in the OSPF daemon to return a NULL pointer.
> | In cases where calling functions do not handle the returned NULL
> | value, the OSPF daemon crashes, leading to denial of service.

There are two additional related CVE IDs covered by the same pull
request (https://github.com/FRRouting/frr/pull/15674/):

CVE-2024-31951:
| In the Opaque LSA Extended Link parser in FRRouting (FRR) through
| 9.1, there can be a buffer overflow and daemon crash in
| ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read
| Segment Routing Adjacency SID subTLVs (lengths are not validated).

CVE-2024-31950:
| In FRRouting (FRR) through 9.1, there can be a buffer overflow and
| daemon crash in ospf_te_parse_ri for OSPF LSA packets during an
| attempt to read Segment Routing subTLVs (their size is not validated).

These got merged with the following commits:
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
https://github.com/FRRouting/frr/commit/5557a289acdaec8cc63ffc97b5c2abf6dee7b3a
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0

Cheers,
Moritz




Bug#1072124: gnome-shell: CVE-2024-36472

2024-05-28 Thread Moritz Mühlenhoff
Source: gnome-shell
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for gnome-shell.

CVE-2024-36472[0]:
| In GNOME Shell through 45.7, a portal helper can be launched
| automatically (without user confirmation) based on network responses
| provided by an adversary (e.g., an adversary who controls the local
| Wi-Fi network), and subsequently loads untrusted JavaScript code,
| which may lead to resource consumption or other impacts depending on
| the JavaScript code's behavior.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36472
https://www.cve.org/CVERecord?id=CVE-2024-36472

Please adjust the affected versions in the BTS as needed.



Bug#1072123: jayway-jsonpath: CVE-2023-51074

2024-05-28 Thread Moritz Mühlenhoff
Source: jayway-jsonpath
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jayway-jsonpath.

CVE-2023-51074[0]:
| json-path v2.8.0 was discovered to contain a stack overflow via the
| Criteria.parse() method.

https://github.com/json-path/JsonPath/issues/973
https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b (json-path-2.9.0)
https://github.com/json-path/JsonPath/pull/985


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51074
https://www.cve.org/CVERecord?id=CVE-2023-51074

Please adjust the affected versions in the BTS as needed.



Bug#1072121: node-ip: CVE-2024-29415

2024-05-28 Thread Moritz Mühlenhoff
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.



Bug#1072120: zabbix: CVE-2024-22120

2024-05-28 Thread Moritz Mühlenhoff
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for zabbix.

CVE-2024-22120[0]:
| Zabbix server can perform command execution for configured scripts.
| After a command is executed, an audit entry is added to "Audit Log".
| Because the "clientip" field is not sanitized, it is possible to inject
| SQL into "clientip" and exploit a time-based blind SQL injection.

https://support.zabbix.com/browse/ZBX-24505


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22120
https://www.cve.org/CVERecord?id=CVE-2024-22120

Please adjust the affected versions in the BTS as needed.



Bug#1072119: python-aiosmtpd: CVE-2024-34083

2024-05-28 Thread Moritz Mühlenhoff
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.

https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
https://www.cve.org/CVERecord?id=CVE-2024-34083

Please adjust the affected versions in the BTS as needed.
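The class of bug behind CVE-2024-34083 is plaintext command injection across STARTTLS: the client sends `STARTTLS` and, in the same TCP segment, further commands; if the server keeps that already-received plaintext in its line buffer across the TLS handshake, it later executes it as though it had arrived inside the encrypted channel, which is exactly what a man-in-the-middle who can append bytes to the client's segment wants. The Python below is an added illustration, not aiosmtpd's code, and models only the command-buffer handling (no sockets, no TLS): the same constructed byte stream is fed to a read loop that discards the buffer at STARTTLS and to one that does not.

```python
# Constructed client traffic. The first chunk arrives in one read before the
# handshake; the second models what the client sends after TLS is up.
PRE_HANDSHAKE = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    b"MAIL FROM:<injected@attacker.example>\r\n"   # appended in the clear
)
POST_HANDSHAKE = b"MAIL FROM:<alice@client.example>\r\n"


def run_session(chunks, discard_on_starttls):
    """Model of a server read loop. Returns a list of (channel, command) pairs
    where channel is 'plain' before STARTTLS completes and 'tls' after. The
    'tls' phase keeps reading from the same buffer, as a real server does after
    wrapping its socket; nothing is actually encrypted here."""
    buf = bytearray()
    channel = "plain"
    handled = []
    for chunk in chunks:
        buf += chunk
        while True:
            end = buf.find(b"\r\n")
            if end < 0:
                break
            cmd = bytes(buf[:end]).decode("ascii", "replace")
            del buf[: end + 2]
            handled.append((channel, cmd))
            if channel == "plain" and cmd.upper() == "STARTTLS":
                if discard_on_starttls:
                    # Fixed behaviour: bytes already buffered were sent in the
                    # clear before the handshake and must not survive into the
                    # TLS phase, whatever they contain.
                    buf.clear()
                channel = "tls"  # the handshake would happen here
    return handled


def tls_phase_commands(discard_on_starttls):
    """Commands the server attributes to the encrypted channel."""
    session = run_session([PRE_HANDSHAKE, POST_HANDSHAKE], discard_on_starttls)
    return [cmd for chan, cmd in session if chan == "tls"]
```

With `discard_on_starttls=False` the injected `MAIL FROM` is processed as if it had been authenticated by the TLS session; with the flag set, only the command that arrived after the handshake is.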



Bug#1072118: liboqs: CVE-2024-31510

2024-05-28 Thread Moritz Mühlenhoff
Source: liboqs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for liboqs.

CVE-2024-31510[0]:
| An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker
| to escalate privileges via the crypto_sign_signature parameter in
| the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c
| component.

https://github.com/liang-junkai/Fault-injection-of-ML-DSA seems to
be the only reference, might need to get reported upstream as well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31510
https://www.cve.org/CVERecord?id=CVE-2024-31510

Please adjust the affected versions in the BTS as needed.



Bug#1071751: iperf3: CVE-2024-26306

2024-05-24 Thread Moritz Mühlenhoff
Source: iperf3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for iperf3.

CVE-2024-26306[0]:
| iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server
| with RSA authentication, allows a timing side channel in RSA
| decryption operations. This side channel could be sufficient for an
| attacker to recover credential plaintext. It requires the attacker
| to send a large number of messages for decryption, as described in
| "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc
https://github.com/esnet/iperf/releases/tag/3.17


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26306
https://www.cve.org/CVERecord?id=CVE-2024-26306

Please adjust the affected versions in the BTS as needed.



Bug#1071750: dnsdist: CVE-2024-25581

2024-05-24 Thread Moritz Mühlenhoff
Source: dnsdist
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for dnsdist.

CVE-2024-25581[0]:
| When incoming DNS over HTTPS support is enabled using the nghttp2
| provider, and queries are routed to a tcp-only or DNS over TLS
| backend, an attacker can trigger an assertion failure in DNSdist by
| sending a request for a zone transfer (AXFR or IXFR) over DNS over
| HTTPS, causing the process to stop and thus leading to a Denial of
| Service. DNS over HTTPS is not enabled by default, and backends are
| using plain DNS (Do53) by default.

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html
Patches: https://downloads.powerdns.com/patches/2024-03/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25581
https://www.cve.org/CVERecord?id=CVE-2024-25581

Please adjust the affected versions in the BTS as needed.



Bug#1071748: bpftrace: CVE-2024-2313

2024-05-24 Thread Moritz Mühlenhoff
Source: bpftrace
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bpftrace.

CVE-2024-2313[0]:
| If kernel headers need to be extracted, bpftrace will attempt to
| load them from a temporary directory. An unprivileged attacker could
| use this to force bcc to load compromised linux headers. Linux
| distributions which provide kernel headers by default are not
| affected by default.

https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2313
https://www.cve.org/CVERecord?id=CVE-2024-2313

Please adjust the affected versions in the BTS as needed.



Bug#1071747: bpfcc: CVE-2024-2314

2024-05-24 Thread Moritz Mühlenhoff
Source: bpfcc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bpfcc.

CVE-2024-2314[0]:
| If kernel headers need to be extracted, bcc will attempt to load
| them from a temporary directory. An unprivileged attacker could use
| this to force bcc to load compromised linux headers. Linux
| distributions which provide kernel headers by default are not
| affected by default.

Fixed by: https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342 (v0.30.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2314
https://www.cve.org/CVERecord?id=CVE-2024-2314

Please adjust the affected versions in the BTS as needed.



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Mühlenhoff
Source: clojure
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clojure.

CVE-2024-22871[0]:
| An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
| attacker to cause a denial of service (DoS) via the
| clojure.core$partial$fn__5920 function.

https://github.com/advisories/GHSA-vr64-r9qj-h27f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22871
https://www.cve.org/CVERecord?id=CVE-2024-22871

Please adjust the affected versions in the BTS as needed.



Bug#1071745: docker.io: CVE-2024-24557

2024-05-24 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-24557[0]:
| Moby is an open-source project created by Docker to enable software
| containerization. The classic builder cache system is prone to cache
| poisoning if the image is built FROM scratch. Also, changes to some
| instructions (most important being HEALTHCHECK and ONBUILD) would
| not cause a cache miss. An attacker with the knowledge of the
| Dockerfile someone is using could poison their cache by making them
| pull a specially crafted image that would be considered as a valid
| cache candidate for some build steps. 23.0+ users are only affected
| if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
| environment variable) or are using the /build API endpoint. All
| users on versions older than 23.0 could be impacted. Image build API
| endpoint (/build) and ImageBuild function from
| github.com/docker/docker/client is also affected as it uses the
| classic builder by default. Patches are included in 24.0.9 and
| 25.0.2 releases.

https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24557
https://www.cve.org/CVERecord?id=CVE-2024-24557

Please adjust the affected versions in the BTS as needed.



Bug#1071743: lief: CVE-2024-31636

2024-05-24 Thread Moritz Mühlenhoff
Source: lief
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for lief.

CVE-2024-31636[0]:
| An issue in LIEF v.0.14.1 allows a local attacker to obtain
| sensitive information via the name parameter of the machd_reader.c
| component.

https://github.com/lief-project/LIEF/issues/1038
https://github.com/lief-project/LIEF/commit/307e113f8e00b034f0a5f1baa33e54d636c52ea3


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31636
https://www.cve.org/CVERecord?id=CVE-2024-31636

Please adjust the affected versions in the BTS as needed.



Bug#1071742: cjson: CVE-2024-31755

2024-05-24 Thread Moritz Mühlenhoff
Source: cjson
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for cjson.

CVE-2024-31755[0]:
| cJSON v1.7.17 was discovered to contain a segmentation violation,
| which can trigger through the second parameter of function
| cJSON_SetValuestring at cJSON.c.

https://github.com/DaveGamble/cJSON/issues/839
https://github.com/DaveGamble/cJSON/pull/840
https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31755
https://www.cve.org/CVERecord?id=CVE-2024-31755

Please adjust the affected versions in the BTS as needed.



Bug#1053004: CVE-2019-10784 and CVE-2023-40619

2024-05-22 Thread Moritz Mühlenhoff
On Wed, Mar 06, 2024 at 06:39:01AM -0300, Leandro Cunha wrote:
> Hi Christoph Berg,
> 
> On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg  wrote:
> >
> > Re: Leandro Cunha
> > > The
> > > next job would be to make it available through backports and I would
> > > choose to remove this package from stable. But I would only leave
> > > bookworm backports due to other bugs found (this CVEs too) and fixed
> > > in 7.14.7.
> > > I have to search about the status of backports to oldstable. But I'm
> > > also studying the possibility of working with patches for these two
> > > versions.
> >
> > Why would you want to remove it from stable? In closed environments,
> > CVEs are often not a problem.
> >
> > Christoph
> 
> In addition to the CVEs, phppgadmin which is present in stable does
> not connect to PostgreSQL 15 and 16 without a patch I inserted in
> 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> or opening another important bug (I am aware that the bug must have a
> severity greater than important)[3] for the stable and submission of
> new bug to the release team for approval. That way it would be
> released in a future release a version with this issue fixed (if
> approved). But CVE-2023-40619 is treated with critical severity and
> CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> (oldoldstable) and the openSUSE team also handled both CVEs in
> Leap[5][6].
> Removing this package in stable will not leave users without them and
> we can release it in backports.
> I can treat this as a job of ensuring the quality of what is
> distributed by Debian.

Agreed, if the package is actually broken with the version of PostgreSQL
in stable and if there's no sensible backport for the open security issues,
then let's rather remove it by the next point release.

Cheers,
Moritz



Bug#1071633: libmodbus: CVE-2024-34244

2024-05-22 Thread Moritz Mühlenhoff
Source: libmodbus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libmodbus.

CVE-2024-34244[0]:
| libmodbus v3.1.10 is vulnerable to Buffer Overflow via the
| modbus_write_bits function. This issue can be triggered when the
| function is fed with specially crafted input, which leads to
| out-of-bounds read and can potentially cause a crash or other
| unintended behaviors.

https://github.com/stephane/libmodbus/issues/743


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34244
https://www.cve.org/CVERecord?id=CVE-2024-34244

Please adjust the affected versions in the BTS as needed.



Bug#1071632: node-braces: CVE-2024-4068

2024-05-22 Thread Moritz Mühlenhoff
Source: node-braces
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-braces.

CVE-2024-4068[0]:
| The NPM package `braces`, versions prior to 3.0.3, fails to limit
| the number of characters it can handle, which could lead to Memory
| Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced
| braces" as input, the parsing will enter a loop, which will cause
| the program to start allocating heap memory without freeing it at
| any moment of the loop. Eventually, the JavaScript heap limit is
| reached, and the program will crash.

https://github.com/micromatch/braces/issues/35


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4068
https://www.cve.org/CVERecord?id=CVE-2024-4068

Please adjust the affected versions in the BTS as needed.



Bug#1071631: node-micromatch: CVE-2024-4067

2024-05-22 Thread Moritz Mühlenhoff
Source: node-micromatch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-micromatch.

CVE-2024-4067[0]:
| The NPM package `micromatch` is vulnerable to Regular Expression
| Denial of Service (ReDoS). The vulnerability occurs in
| `micromatch.braces()` in `index.js` because the pattern `.*` will
| greedily match anything. By passing a malicious payload, the pattern
| matching will keep backtracking to the input while it doesn't find
| the closing bracket. As the input size increases, the consumption
| time will also increase until it causes the application to hang or
| slow down. There was a merged fix but further testing shows the
| issue persists. This issue should be mitigated by using a safe
| pattern that won't start backtracking the regular expression due to
| greedy matching.

https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4067
https://www.cve.org/CVERecord?id=CVE-2024-4067

Please adjust the affected versions in the BTS as needed.



Bug#1071630: maxima: CVE-2024-34490

2024-05-22 Thread Moritz Mühlenhoff
Source: maxima
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for maxima.

CVE-2024-34490[0]:
| In Maxima through 5.47.0 before 51704c, the plotting facilities make
| use of predictable names under /tmp. Thus, the contents may be
| controlled by a local attacker who can create files in advance with
| these names. This affects, for example, plot2d.

https://sourceforge.net/p/maxima/bugs/3755/
https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34490
https://www.cve.org/CVERecord?id=CVE-2024-34490

Please adjust the affected versions in the BTS as needed.



Bug#1071628: python-pymysql: CVE-2024-36039

2024-05-22 Thread Moritz Mühlenhoff
Source: python-pymysql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-pymysql.

We should also fix this in a DSA; could you prepare debdiffs for
bookworm-security and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.
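A constructed illustration of the defect class this CVE text describes, added here and not PyMySQL's code or its upstream fix: a value-only `escape_dict` beside a hardened variant that refuses any key which is not a plain identifier before the pairs are assembled into SQL. The helper names, the `users` table and the sample input are assumptions.

```python
import re

# Added, constructed illustration of the defect class the CVE text describes.
# This is NOT PyMySQL's code and NOT the upstream fix; it only mirrors the
# shape "values are escaped, keys are not" and shows one hardening.

_SPECIAL = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def escape_value(value) -> str:
    """Render one parameter as a SQL literal (constructed, minimal)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        return "'" + "".join(_SPECIAL.get(ch, ch) for ch in value) + "'"
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def escape_dict_values_only(params: dict) -> dict:
    """Vulnerable shape: values are escaped, keys pass through untouched."""
    return {key: escape_value(val) for key, val in params.items()}


# Allow-list for keys that will be used as column names: MySQL unquoted
# identifiers, capped at the 64-character limit.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def escape_dict_checked(params: dict) -> dict:
    """Hardened variant: reject any key that is not a plain identifier."""
    out = {}
    for key, val in params.items():
        if not isinstance(key, str) or not _IDENTIFIER.match(key):
            raise ValueError(f"refusing non-identifier key: {key!r}")
        out[key] = escape_value(val)
    return out


def build_insert(table: str, escaped: dict) -> str:
    """Assemble an INSERT from name/value pairs that were already escaped.
    Keys become column names and are interpolated verbatim, which is why
    escaping the values alone is not enough."""
    cols = ", ".join(escaped)
    vals = ", ".join(escaped.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals})"


def key_reaches_sql_unchanged(key: str) -> bool:
    """True when the value-only path copies the key into the SQL text as-is."""
    sql = build_insert("users", escape_dict_values_only({key: 1}))
    return key in sql


if __name__ == "__main__":
    # Constructed untrusted JSON-style input: the *key* is not a clean identifier.
    untrusted = {"name": "O'Brien", 'bad key"': 1}
    print(build_insert("users", escape_dict_values_only(untrusted)))
    try:
        escape_dict_checked(untrusted)
    except ValueError as exc:
        print("hardened path:", exc)
```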



Bug#1071626: ruby3.1: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.1
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby3.1.

CVE-2024-35176[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
| denial of service vulnerability when it parses an XML that has many
| `<`s in an attribute value. Those who need to parse untrusted XMLs
| may be impacted by this vulnerability. The REXML gem 3.2.7 or later
| includes the patch to fix this vulnerability. As a workaround, don't
| parse untrusted XMLs.

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35176
https://www.cve.org/CVERecord?id=CVE-2024-35176

Please adjust the affected versions in the BTS as needed.



Bug#1071627: ruby3.2: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby3.2.

CVE-2024-35176[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
| denial of service vulnerability when it parses an XML that has many
| `<`s in an attribute value. Those who need to parse untrusted XMLs
| may be impacted by this vulnerability. The REXML gem 3.2.7 or later
| includes the patch to fix this vulnerability. As a workaround, don't
| parse untrusted XMLs.

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35176
https://www.cve.org/CVERecord?id=CVE-2024-35176

Please adjust the affected versions in the BTS as needed.



Bug#1070860: musescore3: CVE-2023-44428

2024-05-12 Thread Moritz Mühlenhoff
On Fri, May 10, 2024 at 06:39:20PM + Thorsten Glaser wrote:
> This is a bit like the limited security support for binutils,
> I suppose. Could/should we document that in the same places?

Sure thing, this sounds similar to what was done for Lilypond;
best to simply ship a similar README.Debian.security within
the lilypond2 and lilypond3 packages.

Cheers,
Moritz



Bug#1070861: hdf5: CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874 CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622 CVE-2024-32621 CVE-2024-32620 CVE-2024-32619 CVE-2024-32618 C

2024-05-10 Thread Moritz Mühlenhoff
Source: hdf5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for hdf5:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

CVE-2024-33877[0]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5T__conv_struct_opt in H5Tconv.c.


CVE-2024-33876[1]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5S__point_deserialize in H5Spoint.c.


CVE-2024-33875[2]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5O__layout_encode in H5Olayout.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-33874[3]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5O__mtime_new_encode in H5Omtime.c.


CVE-2024-33873[4]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5D__scatter_mem in H5Dscatgath.c.


CVE-2024-32624[5]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in
| H5Tconv.c), resulting in the corruption of the instruction pointer.


CVE-2024-32623[6]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5VM_array_fill in H5VM.c (called from H5S_select_elements in
| H5Spoint.c).


CVE-2024-32622[7]:
| HDF5 Library through 1.14.3 contains an out-of-bounds read operation
| in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in
| H5S.c).


CVE-2024-32621[8]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5HG_read in H5HG.c (called from H5VL__native_blob_get in
| H5VLnative_blob.c), resulting in the corruption of the instruction
| pointer.


CVE-2024-32620[9]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32619[10]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T_copy_reopen in H5T.c, resulting in the corruption of the
| instruction pointer.


CVE-2024-32618[11]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__get_native_type in H5Tnative.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32617[12]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called
| from H5G__ent_to_link in H5Glink.c).


CVE-2024-32616[13]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5O__dtype_encode_helper in H5Odtype.c.


CVE-2024-32615[14]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier
| use of an initialized pointer.


CVE-2024-32614[15]:
| HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.


CVE-2024-32613[16]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in the function H5HL__fl_deserialize in H5HLcache.c, a different
| vulnerability than CVE-2024-32612.


CVE-2024-32612[17]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption
| of the instruction pointer, a different vulnerability than
| CVE-2024-32613.


CVE-2024-32611[18]:
| HDF5 Library through 1.14.3 may use an uninitialized value in
| H5A__attr_release_table in H5Aint.c.


CVE-2024-32610[19]:
| HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c,
| resulting in a corrupted instruction pointer.


CVE-2024-32609[20]:
| HDF5 Library through 1.14.3 allows stack consumption in the function
| H5E_printf_stack in H5Eint.c.


CVE-2024-32607[21]:
| HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c,
| resulting in the corruption of the instruction pointer.


CVE-2024-32606[22]:
| HDF5 Library through 1.14.3 may attempt to dereference uninitialized
| values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from
| h5tools_dump_simple_data in tools/lib/h5tools_dump.c).


CVE-2024-32605[23]:
| HDF5 Library through 1.14.3 has a heap-based buffer over-read in
| H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in
| H5Dcompact.c).


CVE-2024-29166[24]:
| HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.


CVE-2024-29165[25]:
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_fletcher32, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29164[26]:
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5R__decode_heap, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29163[27]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5T__bit_find, resulting in the corruption of 

Bug#1070860: musescore3: CVE-2023-44428

2024-05-10 Thread Moritz Mühlenhoff
Source: musescore3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for musescore3.

CVE-2023-44428[0]:
| MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of MuseScore.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of CAP files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-20769.

Unfortunately details are sparse; the only reference is
https://www.zerodayinitiative.com/advisories/ZDI-23-1526/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44428
https://www.cve.org/CVERecord?id=CVE-2023-44428

Please adjust the affected versions in the BTS as needed.



Bug#1070859: npgsql: CVE-2024-32655

2024-05-10 Thread Moritz Mühlenhoff
Source: npgsql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for npgsql.

CVE-2024-32655[0]:
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()`
| method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs`
| uses `int` variables to store the message length and the sum of
| parameter lengths. Both variables overflow when the sum of parameter
| lengths becomes too large. This causes Npgsql to write a message
| size that is too small when constructing a Postgres protocol message
| to send it over the network to the database. When parsing the
| message, the database will only read a small number of bytes and
| treat any following bytes as new messages while they belong to the
| old message. Attackers can abuse this to inject arbitrary Postgres
| protocol messages into the connection, leading to the execution of
| arbitrary SQL statements on the application's behalf. This
| vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and
| 8.0.3.

https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32655
https://www.cve.org/CVERecord?id=CVE-2024-32655

Please adjust the affected versions in the BTS as needed.



Bug#1070858: golang-github-opencontainers-go-digest: CVE-2024-3727

2024-05-10 Thread Moritz Mühlenhoff
Source: golang-github-opencontainers-go-digest
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-opencontainers-go-digest.

CVE-2024-3727[0]:
| A flaw was found in the github.com/containers/image library. This
| flaw allows attackers to trigger unexpected authenticated registry
| accesses on behalf of a victim user, causing resource exhaustion,
| local path traversal, and other attacks.

Details are a little sparse; the only reference is
https://bugzilla.redhat.com/show_bug.cgi?id=2274767 at this point.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3727
https://www.cve.org/CVERecord?id=CVE-2024-3727

Please adjust the affected versions in the BTS as needed.



Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606

2024-05-04 Thread Moritz Mühlenhoff
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2023-40533[0]:
| An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1
| while parsing HTTP requests. In certain configurations, a specially
| crafted HTTP request can result in disclosure of data allocated on
| the heap, which could contain sensitive information. An attacker can
| make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

CVE-2023-49606[1]:
| A use-after-free vulnerability exists in the HTTP Connection Headers
| parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially
| crafted HTTP header can trigger reuse of previously freed memory,
| which leads to memory corruption and could lead to remote code
| execution. An attacker needs to make an unauthenticated HTTP request
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40533
https://www.cve.org/CVERecord?id=CVE-2023-40533
[1] https://security-tracker.debian.org/tracker/CVE-2023-49606
https://www.cve.org/CVERecord?id=CVE-2023-49606

Please adjust the affected versions in the BTS as needed.



Bug#1070394: libstb: CVE-2023-47212

2024-05-04 Thread Moritz Mühlenhoff
Source: libstb
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libstb.

CVE-2023-47212[0]:
| A heap-based buffer overflow vulnerability exists in the comment
| functionality of stb_vorbis.c v1.22. A specially crafted .ogg file
| can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47212
https://www.cve.org/CVERecord?id=CVE-2023-47212

Please adjust the affected versions in the BTS as needed.



Bug#1070392: exiv2: CVE-2024-24826 CVE-2024-25112

2024-05-04 Thread Moritz Mühlenhoff
Source: exiv2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for exiv2.

The advisories are a little misleading: they mention it as
new in v0.28.0, but that only applies to the "main" branch,
where it was removed and later reintroduced.

The 0.27-maintenance branch _does_ include the Quicktime decoder.

CVE-2024-24826[0]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. An
| out-of-bounds read was found in Exiv2 version v0.28.1. The
| vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in
| v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-
| of-bounds read is triggered when Exiv2 is used to read the metadata
| of a crafted video file. In most cases this out of bounds read will
| result in a crash. This bug is fixed in version v0.28.2. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
https://github.com/Exiv2/exiv2/pull/2337

CVE-2024-25112[1]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. A
| denial-of-service was found in Exiv2 version v0.28.1: an unbounded
| recursion can cause Exiv2 to crash by exhausting the stack. The
| vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was
| new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected.
| The denial-of-service is triggered when Exiv2 is used to read the
| metadata of a crafted video file. This bug is fixed in version
| v0.28.2. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36
Fixed by: https://github.com/Exiv2/exiv2/commit/355afea485550e8214ac6b449fb210a7efb71365 (v0.28.2)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24826
https://www.cve.org/CVERecord?id=CVE-2024-24826
[1] https://security-tracker.debian.org/tracker/CVE-2024-25112
https://www.cve.org/CVERecord?id=CVE-2024-25112

Please adjust the affected versions in the BTS as needed.



Bug#1070393: gobgp: CVE-2023-46565

2024-05-04 Thread Moritz Mühlenhoff
Source: gobgp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gobgp.

CVE-2023-46565[0]:
| Buffer Overflow vulnerability in osrg gobgp commit
| 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to
| cause a denial of service via the handlingError function in
| pkg/server/fsm.go.

https://github.com/osrg/gobgp/issues/2725


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46565
https://www.cve.org/CVERecord?id=CVE-2023-46565

Please adjust the affected versions in the BTS as needed.



Bug#1070390: opendmarc: CVE-2024-25768

2024-05-04 Thread Moritz Mühlenhoff
Source: opendmarc
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for opendmarc. It's unclear
whether this is actually a security issue; it doesn't appear to have
been reported upstream...

CVE-2024-25768[0]:
| OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in
| /OpenDMARC/libopendmarc/opendmarc_policy.c.

https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25768
https://www.cve.org/CVERecord?id=CVE-2024-25768

Please adjust the affected versions in the BTS as needed.



Bug#1070388: jupyterhub: CVE-2024-28233

2024-05-04 Thread Moritz Mühlenhoff
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.



Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391

2024-05-04 Thread Moritz Mühlenhoff
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm.

These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.



Bug#1070384: llvm-toolchain-14: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-14
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-14.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070383: llvm-toolchain-15: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-15
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-15.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070382: llvm-toolchain-16: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-16
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-16.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070381: llvm-toolchain-17: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-17
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-17.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070380: llvm-toolchain-18: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-18
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-18.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584

2024-05-04 Thread Moritz Mühlenhoff
Source: pytorch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for pytorch.

CVE-2024-31580[0]:
| PyTorch before v2.2.0 was discovered to contain a heap buffer
| overflow vulnerability in the component
| /runtime/vararg_functions.cpp. This vulnerability allows attackers
| to cause a Denial of Service (DoS) via a crafted input.

https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81

CVE-2024-31583[1]:
| Pytorch before version v2.2.0 was discovered to contain a use-after-
| free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2

CVE-2024-31584[2]:
| Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via
| the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31580
https://www.cve.org/CVERecord?id=CVE-2024-31580
[1] https://security-tracker.debian.org/tracker/CVE-2024-31583
https://www.cve.org/CVERecord?id=CVE-2024-31583
[2] https://security-tracker.debian.org/tracker/CVE-2024-31584
https://www.cve.org/CVERecord?id=CVE-2024-31584

Please adjust the affected versions in the BTS as needed.



Bug#1070378: docker.io: CVE-2024-32473

2024-05-04 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-32473[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. In 26.0.0, IPv6 is not disabled on
| network interfaces, including those belonging to networks where
| `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface
| will normally be configured to share an external network link with
| the host machine. Because of this direct access, (1) Containers may
| be able to communicate with other hosts on the local network over
| link-local IPv6 addresses, (2) if router advertisements are being
| broadcast over the local network, containers may get SLAAC-assigned
| addresses, and (3) the interface will be a member of IPv6 multicast
| groups. This means interfaces in IPv4-only networks present an
| unexpectedly and unnecessarily increased attack surface. The issue
| is patched in 26.0.2. To completely disable IPv6 in a container, use
| `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create`
| or `docker run` command. Or, in the service configuration of a
| `compose` file.

https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa

It's not super clear whether this is only fixed in 26.x and old releases
(such as the one in unstable) are not affected; let's validate
and update the Security Tracker accordingly if not (ideally by identifying
the introducing commit).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32473
https://www.cve.org/CVERecord?id=CVE-2024-32473

Please adjust the affected versions in the BTS as needed.



Bug#1070377: frr: CVE-2024-34088

2024-05-04 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-34088[0]:
| In FRRouting (FRR) through 9.1, it is possible for the get_edge()
| function in ospf_te.c in the OSPF daemon to return a NULL pointer.
| In cases where calling functions do not handle the returned NULL
| value, the OSPF daemon crashes, leading to denial of service.

https://github.com/FRRouting/frr/pull/15674
Introduced by: https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (base_8.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34088
https://www.cve.org/CVERecord?id=CVE-2024-34088

Please adjust the affected versions in the BTS as needed.



Bug#1070376: uriparser: CVE-2024-34402 CVE-2024-34403

2024-05-04 Thread Moritz Mühlenhoff
Source: uriparser
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for uriparser.

CVE-2024-34402[0]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryEngine in UriQuery.c has an integer overflow via long
| keys or values, with a resultant buffer overflow.

https://github.com/uriparser/uriparser/pull/185
https://github.com/uriparser/uriparser/issues/183

CVE-2024-34403[1]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a
| long string.

https://github.com/uriparser/uriparser/issues/183
https://github.com/uriparser/uriparser/pull/186


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34402
https://www.cve.org/CVERecord?id=CVE-2024-34402
[1] https://security-tracker.debian.org/tracker/CVE-2024-34403
https://www.cve.org/CVERecord?id=CVE-2024-34403

Please adjust the affected versions in the BTS as needed.



Bug#1070375: python-jose: CVE-2024-33663 CVE-2024-33664

2024-05-04 Thread Moritz Mühlenhoff
Source: python-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-jose.

CVE-2024-33663[0]:
| python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA
| keys and other key formats. This is similar to CVE-2022-29217.

https://github.com/mpdavis/python-jose/issues/346

CVE-2024-33664[1]:
| python-jose through 3.3.0 allows attackers to cause a denial of
| service (resource consumption) during a decode via a crafted JSON
| Web Encryption (JWE) token with a high compression ratio, aka a "JWT
| bomb." This is similar to CVE-2024-21319.

https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33663
https://www.cve.org/CVERecord?id=CVE-2024-33663
[1] https://security-tracker.debian.org/tracker/CVE-2024-33664
https://www.cve.org/CVERecord?id=CVE-2024-33664

Please adjust the affected versions in the BTS as needed.
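As an added example (not python-jose's code or its fix), the following shows the defensive pattern for the "JWT bomb" described above: a JWE whose protected header requests `"zip":"DEF"` is inflated with a hard cap on the decompressed size, so a few kilobytes of token cannot expand without bound. The 64 KiB cap, the payloads and the compact JWE are constructed for the demonstration.

```python
"""Added example, not python-jose code: guarding JWE "zip":"DEF" inflation
against a "JWT bomb" (CVE-2024-33664) by capping the decompressed size."""
import base64
import json
import zlib

# Cap on decompressed JWE plaintext chosen for this example; a real limit
# depends on how large a token payload the application legitimately expects.
MAX_PLAINTEXT_BYTES = 64 * 1024


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding JWE's "zip":"DEF" specifies."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_unbounded(blob: bytes) -> bytes:
    """What a naive decoder does: inflate whatever the token carries."""
    return zlib.decompress(blob, -15)


def inflate_bounded(blob: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bytes:
    """Inflate at most `limit` bytes and refuse the token if the stream has
    not ended by then, so a tiny blob cannot expand into gigabytes."""
    d = zlib.decompressobj(-15)
    out = d.decompress(blob, limit)   # max_length stops output at `limit`
    if not d.eof:                     # stream not finished: more than `limit` pending
        raise ValueError("compressed payload exceeds %d bytes" % limit)
    return out


def rejects_bomb(blob: bytes, limit: int = MAX_PLAINTEXT_BYTES) -> bool:
    """True if the bounded inflater refuses `blob`."""
    try:
        inflate_bounded(blob, limit)
    except ValueError:
        return True
    return False


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwe_header(token: str) -> dict:
    """Parse the protected header of a compact-serialised JWE
    (header.encrypted_key.iv.ciphertext.tag)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE")
    return json.loads(b64url_decode(parts[0]))


def uses_compression(token: str) -> bool:
    """Only tokens asking for DEFLATE need the bounded inflater at all."""
    return jwe_header(token).get("zip") == "DEF"


# Constructed inputs: a plausible small payload and a highly compressible one.
LEGIT_PAYLOAD = b'{"sub":"alice","exp":1714000000}'
BOMB_PAYLOAD = b"\0" * (8 * 1024 * 1024)   # 8 MiB that deflates to a few KiB

# A constructed compact JWE whose protected header requests DEFLATE; "dir"
# leaves the encrypted-key segment empty, and the remaining segments are
# placeholders because only the header matters for this check.
SAMPLE_JWE = ".".join([
    _b64url(json.dumps({"alg": "dir", "enc": "A256GCM", "zip": "DEF"}).encode()),
    "",
    _b64url(b"iv-placeholder"),
    _b64url(b"ciphertext-placeholder"),
    _b64url(b"tag-placeholder"),
])

if __name__ == "__main__":
    bomb = deflate_raw(BOMB_PAYLOAD)
    print("bomb: %d compressed bytes -> %d inflated"
          % (len(bomb), len(inflate_unbounded(bomb))))
    print("bounded inflater refuses bomb:", rejects_bomb(bomb))
    print("legit payload round-trips:",
          inflate_bounded(deflate_raw(LEGIT_PAYLOAD)) == LEGIT_PAYLOAD)
    print("sample JWE requests compression:", uses_compression(SAMPLE_JWE))
```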



Bug#1070373: quickjs: CVE-2024-33263

2024-05-04 Thread Moritz Mühlenhoff
Source: quickjs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for quickjs.

CVE-2024-33263[0]:
| QuickJS commit 3b45d15 was discovered to contain an Assertion
| Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.

https://github.com/bellard/quickjs/issues/277


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33263
https://www.cve.org/CVERecord?id=CVE-2024-33263

Please adjust the affected versions in the BTS as needed.



Bug#1070374: social-auth-app-django: CVE-2024-32879

2024-05-04 Thread Moritz Mühlenhoff
Source: social-auth-app-django
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for social-auth-app-django.

CVE-2024-32879[0]:
| Python Social Auth is a social authentication/registration
| mechanism. Prior to version 5.4.1, due to default case-insensitive
| collation in MySQL or MariaDB databases, third-party authentication
| user IDs are not case-sensitive and could cause different IDs to
| match. This issue has been addressed by a fix released in version
| 5.4.1. An immediate workaround would be to change collation of the
| affected field.

https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32879
https://www.cve.org/CVERecord?id=CVE-2024-32879

Please adjust the affected versions in the BTS as needed.



Bug#1070372: tqdm: CVE-2024-34062

2024-05-04 Thread Moritz Mühlenhoff
Source: tqdm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tqdm.

CVE-2024-34062[0]:
| tqdm is an open source progress bar for Python and CLI. Any optional
| non-boolean CLI arguments (e.g. `--delim`, `--buf-size`,
| `--manpath`) are passed through python's `eval`, allowing arbitrary
| code execution. This issue is only locally exploitable and had been
| addressed in release version 4.66.3. All users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34062
https://www.cve.org/CVERecord?id=CVE-2024-34062

Please adjust the affected versions in the BTS as needed.



Bug#1070371: ofono: CVE-2023-4232 CVE-2023-4233 CVE-2023-4234 CVE-2023-4235

2024-05-04 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ofono.

It's not clear whether they were actually reported upstream or only
submitted to Red Hat Bugzilla:

CVE-2023-4232[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_status_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_status_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255394

CVE-2023-4233[1]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the
| sms_decode_address_field() function during the SMS PDU decoding. It
| is assumed that the attack scenario is accessible from a compromised
| modem, a malicious base station, or just SMS.

https://bugzilla.redhat.com/show_bug.cgi?id=2255396

CVE-2023-4234[2]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_submit_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_submit_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255399

CVE-2023-4235[3]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_deliver_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255402


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4232
https://www.cve.org/CVERecord?id=CVE-2023-4232
[1] https://security-tracker.debian.org/tracker/CVE-2023-4233
https://www.cve.org/CVERecord?id=CVE-2023-4233
[2] https://security-tracker.debian.org/tracker/CVE-2023-4234
https://www.cve.org/CVERecord?id=CVE-2023-4234
[3] https://security-tracker.debian.org/tracker/CVE-2023-4235
https://www.cve.org/CVERecord?id=CVE-2023-4235

Please adjust the affected versions in the BTS as needed.



Bug#1070370: dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837

2024-05-04 Thread Moritz Mühlenhoff
Source: dmitry
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for dmitry.

CVE-2017-7938[0]:
| Stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) version 1.3a (Unix) allows attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via a long argument. An example threat model is
| automated execution of DMitry with hostname strings found in local
| log files.

https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html
https://github.com/jaygreig86/dmitry/pull/12

CVE-2020-14931[1]:
| A stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) 1.3a might allow remote WHOIS servers to execute
| arbitrary code via a long line in a response that is mishandled by
| nic_format_buff.

https://github.com/jaygreig86/dmitry/issues/4
https://github.com/jaygreig86/dmitry/pull/6
Fixed by: https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192

CVE-2024-31837[2]:
| DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-
| string vulnerability, with a threat model similar to CVE-2017-7938.

https://github.com/jaygreig86/dmitry/pull/12

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7938
https://www.cve.org/CVERecord?id=CVE-2017-7938
[1] https://security-tracker.debian.org/tracker/CVE-2020-14931
https://www.cve.org/CVERecord?id=CVE-2020-14931
[2] https://security-tracker.debian.org/tracker/CVE-2024-31837
https://www.cve.org/CVERecord?id=CVE-2024-31837

Please adjust the affected versions in the BTS as needed.



Bug#1069764: python-flask-cors: CVE-2024-1681

2024-04-24 Thread Moritz Mühlenhoff
Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-flask-cors.

CVE-2024-1681[0]:
| corydolphin/flask-cors is vulnerable to log injection when the log
| level is set to debug. An attacker can inject fake log entries into
| the log file by sending a specially crafted GET request containing a
| CRLF sequence in the request path. This vulnerability allows
| attackers to corrupt log files, potentially covering tracks of other
| attacks, confusing log post-processing tools, and forging log
| entries. The issue is due to improper output neutralization for
| logs.

https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
https://github.com/corydolphin/flask-cors/issues/349


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1681
https://www.cve.org/CVERecord?id=CVE-2024-1681

Please adjust the affected versions in the BTS as needed.
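As an added example (not flask-cors code or its fix), the following shows the fix class for the log injection described above: escaping CR/LF before an attacker-controlled request path reaches a debug log, and using that escaping to make injection attempts visible in the written log. The request paths, log format and logger names are constructed for the demonstration.

```python
"""Added example, not flask-cors code: neutralising CRLF in a request path
before it reaches a debug log (the CVE-2024-1681 fix class), and spotting
injection attempts once the log is written that way."""
import logging
import re
from io import StringIO

# Constructed request paths: the second carries a CRLF followed by text shaped
# like a complete log record, so a verbatim debug log would show a forged entry.
SAMPLE_PATHS = [
    "/api/items?id=42",
    "/api/items?id=42\r\n2024-04-24 10:00:00,000 INFO admin login ok from 10.0.0.1",
]

# CR, LF, the other C0 controls and DEL: none of them belong in one log line.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Replace each control character by a visible \\xNN escape so the logged
    value can neither terminate the record nor forge a new one."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_request_unsafe(logger: logging.Logger, path: str) -> None:
    """Vulnerable pattern: the raw path goes straight into the record."""
    logger.debug("Request to %s", path)


def log_request_safe(logger: logging.Logger, path: str) -> None:
    """Hardened pattern: attacker-controlled text is escaped first."""
    logger.debug("Request to %s", neutralize(path))


def render_log(paths, safe: bool) -> list:
    """Log every path through an in-memory handler at DEBUG level (the level
    at which the issue appears) and return the resulting lines."""
    buf = StringIO()
    logger = logging.Logger("example.safe" if safe else "example.unsafe")
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    writer = log_request_safe if safe else log_request_unsafe
    for path in paths:
        writer(logger, path)
    handler.flush()
    return buf.getvalue().splitlines()


def find_injection_attempts(lines) -> list:
    """Indices of lines containing an escaped CR or LF. Only a log written
    through neutralize() exposes them; in the unsafe log the attempt is
    invisible because the forged text already looks like a genuine record."""
    return [i for i, line in enumerate(lines) if "\\x0d" in line or "\\x0a" in line]


if __name__ == "__main__":
    for safe in (False, True):
        lines = render_log(SAMPLE_PATHS, safe)
        print("%s: %d lines, suspicious line indices: %s"
              % ("safe" if safe else "unsafe", len(lines), find_injection_attempts(lines)))
        for line in lines:
            print("   ", line)
```

With the unsafe writer the two requests produce three lines, the third being the forged record; with the safe writer they produce two, and the attempt shows up as `\x0d\x0a` in the second.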



Bug#1069763: matrix-synapse: CVE-2024-31208

2024-04-24 Thread Moritz Mühlenhoff
Source: matrix-synapse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for matrix-synapse.

CVE-2024-31208[0]:
| Synapse is an open-source Matrix homeserver. A remote Matrix user
| with malicious intent, sharing a room with Synapse instances before
| 1.105.1, can dispatch specially crafted events to exploit a weakness
| in the V2 state resolution algorithm. This can induce high CPU
| consumption and accumulate excessive data in the database of such
| instances, resulting in a denial of service. Servers in private
| federations, or those that do not federate, are not affected. Server
| administrators should upgrade to 1.105.1 or later. Some workarounds
| are available. One can ban the malicious users or ACL block servers
| from the rooms and/or leave the room and purge the room using the
| admin API.

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31208
https://www.cve.org/CVERecord?id=CVE-2024-31208

Please adjust the affected versions in the BTS as needed.



Bug#1069762: pdns-recursor: CVE-2024-25583

2024-04-24 Thread Moritz Mühlenhoff
Source: pdns-recursor
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pdns-recursor.

CVE-2024-25583[0]:
PowerDNS Security Advisory 2024-02: if recursive forwarding is
configured, crafted responses can lead to a denial of service in Recursor
https://www.openwall.com/lists/oss-security/2024/04/24/1 


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25583
https://www.cve.org/CVERecord?id=CVE-2024-25583

Please adjust the affected versions in the BTS as needed.



Bug#1069679: ofono: CVE-2023-2794

2024-04-22 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ofono.

CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().

https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e260b065a39c9

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
https://www.cve.org/CVERecord?id=CVE-2023-2794

Please adjust the affected versions in the BTS as needed.



Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094

2024-04-22 Thread Moritz Mühlenhoff
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition:
| 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in  unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java 

Bug#1069677: rust-rustls: CVE-2024-32650

2024-04-22 Thread Moritz Mühlenhoff
Source: rust-rustls
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for rust-rustls.

CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client send a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
https://www.cve.org/CVERecord?id=CVE-2024-32650

Please adjust the affected versions in the BTS as needed.



Bug#1069189: mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21

2024-04-17 Thread Moritz Mühlenhoff
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client: mysqldump).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to
| exploit vulnerability allows unauthenticated attacker with logon to
| the infrastructure where MySQL Server executes to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data as well as  unauthorized read access to a subset of
| MySQL Server accessible data and unauthorized ability to cause a
| partial denial of service (partial DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication Plugin).  Supported versions
| that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Data Dictionary).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL 

Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Moritz Mühlenhoff
On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Bastien Roucariès 
> Control: affects -1 + src:json-smart
> Control: block 1039985 with -1
> Control: block 1033474 with -1
> 
> [ Reason ]
> Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> causing version skew on upgrades:

CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
is a precondition for a point update.

Bastien, since you fixed it in buster-lts, can you please also take care
of addressing unstable?

Cheers,
Moritz



Bug#1068822: qemu: CVE-2024-3567

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3567[0]:
| A flaw was found in QEMU. An assertion failure was present in the
| update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying
| to calculate the checksum of a short-sized fragmented packet. This
| flaw allows a malicious guest to crash QEMU and cause a denial of
| service condition.

https://bugzilla.redhat.com/show_bug.cgi?id=2274339
https://gitlab.com/qemu-project/qemu/-/issues/2273


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3567
https://www.cve.org/CVERecord?id=CVE-2024-3567

Please adjust the affected versions in the BTS as needed.



Bug#1068821: qemu: CVE-2024-3447

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3447[0]:

https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/
https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3447
https://www.cve.org/CVERecord?id=CVE-2024-3447

Please adjust the affected versions in the BTS as needed.



Bug#1068820: qemu: CVE-2024-3446

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3446[0]:
| A double free vulnerability was found in QEMU virtio devices
| (virtio-gpu, virtio-serial-bus, virtio-crypto), where the
| mem_reentrancy_guard flag insufficiently protects against DMA
| reentrancy issues. This issue could allow a malicious privileged
| guest to crash the QEMU process on the host, resulting in a denial
| of service or allow arbitrary code execution within the context of
| the QEMU process on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=2274211
https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3446
https://www.cve.org/CVERecord?id=CVE-2024-3446

Please adjust the affected versions in the BTS as needed.



Bug#1068819: qemu: CVE-2024-26327 CVE-2024-26328

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for qemu.

CVE-2024-26327[0]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c mishandles the situation where a guest writes
| NumVFs greater than TotalVFs, leading to a buffer overflow in VF
| implementations.

CVE-2024-26328[1]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and
| thus interaction with hw/nvme/ctrl.c is mishandled.

https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org

Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26327
https://www.cve.org/CVERecord?id=CVE-2024-26327
[1] https://security-tracker.debian.org/tracker/CVE-2024-26328
https://www.cve.org/CVERecord?id=CVE-2024-26328

Please adjust the affected versions in the BTS as needed.



Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-11 Thread Moritz Mühlenhoff
Source: sngrep
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sngrep.

CVE-2024-3119[0]:
| A buffer overflow vulnerability exists in all versions of sngrep
| since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID'
| SIP headers. The functions sip_get_callid and sip_get_xcallid in
| sip.c use the strncpy function to copy header contents into fixed-
| size buffers without checking the data length. This flaw allows
| remote attackers to execute arbitrary code or cause a denial of
| service (DoS) through specially crafted SIP messages.

https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc
 (v1.8.1)

CVE-2024-3120[1]:
| A stack-buffer overflow vulnerability exists in all versions of
| sngrep since v1.4.1. The flaw is due to inadequate bounds checking
| when copying 'Content-Length' and 'Warning' headers into fixed-size
| buffers in the sip_validate_packet and sip_parse_extra_headers
| functions within src/sip.c. This vulnerability allows remote
| attackers to execute arbitrary code or cause a denial of service
| (DoS) via crafted SIP messages.

https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809
 (v1.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3119
https://www.cve.org/CVERecord?id=CVE-2024-3119
[1] https://security-tracker.debian.org/tracker/CVE-2024-3120
https://www.cve.org/CVERecord?id=CVE-2024-3120

Please adjust the affected versions in the BTS as needed.
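As an added illustration of the bug class described above (this is example code, not sngrep's sip.c): a header value is copied out of a SIP message into a fixed-size buffer. The unchecked helper shows the strncpy-with-the-claimed-length shape the CVE text describes; sip_get_header() does the bounded version and rejects values that would not fit. The SIP messages, the CALLID_MAX size and all function names are constructed for this example.

```c
/* Added example, not sngrep's code: extracting a SIP header value into a
 * fixed-size buffer with an explicit length check. Messages are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CALLID_MAX 64   /* assumed buffer size for a Call-ID value */

/* case-insensitive compare of n bytes (SIP header names are case-insensitive) */
static int hdr_match(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* The shape behind the CVE: copy however many bytes the message claims into
 * a fixed buffer. Safe only while vlen < sizeof(out), which nothing enforces. */
void copy_unchecked(char *out, const char *v, size_t vlen)
{
    strncpy(out, v, vlen);   /* overflows out[] once vlen >= its size */
    out[vlen] = '\0';
}

/* Locate header `name` at the start of a line in `msg` and copy its trimmed
 * value into out[outsz]. Returns the value length, -1 if the header is
 * absent, -2 if the value would not fit together with the NUL. */
int sip_get_header(const char *msg, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = msg;

    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen > nlen && line[nlen] == ':' && hdr_match(line, name, nlen)) {
            const char *v = line + nlen + 1, *vend = line + linelen;
            while (v < vend && isspace((unsigned char)*v)) v++;
            while (vend > v && isspace((unsigned char)vend[-1])) vend--;
            size_t vlen = (size_t)(vend - v);
            if (vlen >= outsz)
                return -2;            /* reject instead of overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        line = eol ? eol + 2 : NULL;
    }
    return -1;
}

/* Constructed INVITE used by the helpers below. */
static const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Length: 0\r\n\r\n";

int sample_header_length(const char *name)
{
    char buf[CALLID_MAX];
    return sip_get_header(SAMPLE_INVITE, name, buf, sizeof buf);
}

int sample_header_equals(const char *name, const char *expected)
{
    char buf[CALLID_MAX];
    int n = sip_get_header(SAMPLE_INVITE, name, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Build a message whose Call-ID value is n bytes of 'A' (n <= 400) and report
 * whether sip_get_header accepts it into a CALLID_MAX-byte buffer. */
int callid_of_length_accepted(size_t n)
{
    char msg[512], callid[CALLID_MAX];
    if (n > 400) return -1;
    size_t off = (size_t)snprintf(msg, sizeof msg, "OPTIONS sip:x SIP/2.0\r\nCall-ID: ");
    memset(msg + off, 'A', n);
    snprintf(msg + off + n, sizeof msg - off - n, "\r\nContent-Length: 0\r\n\r\n");
    return sip_get_header(msg, "Call-ID", callid, sizeof callid) >= 0;
}

int main(void)
{
    char callid[CALLID_MAX], small[32];
    int n = sip_get_header(SAMPLE_INVITE, "call-id", callid, sizeof callid);
    printf("Call-ID (%d bytes): %s\n", n, callid);
    copy_unchecked(small, "1234-5678", 9);   /* harmless only because 9 < 32 */
    printf("200-byte Call-ID accepted: %d\n", callid_of_length_accepted(200));
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The point to carry over to real parsers is that the length comes from the attacker-controlled message, so the check has to be against the destination size, never against the source length.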



Bug#1068817: undertow: CVE-2024-1635

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1635[0]:
| A vulnerability was found in Undertow. This vulnerability impacts a
| server that supports the wildfly-http-client protocol. Whenever a
| malicious user opens and closes a connection with the HTTP port of
| the server and then closes the connection immediately, the server
| will end with both memory and open file limits exhausted at some
| point, depending on the amount of memory available. At HTTP
| upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks
| connections if RemotingConnection is closed by Remoting
| ServerConnectionOpenListener. Because the remoting connection
| originates in Undertow as part of the HTTP upgrade, there is an
| external layer to the remoting connection. This connection is
| unaware of the outermost layer when closing the connection during
| the connection opening procedure. Hence, the Undertow
| WriteTimeoutStreamSinkConduit is not notified of the closed
| connection in this scenario. Because WriteTimeoutStreamSinkConduit
| creates a timeout task, the whole dependency tree leaks via that
| task, which is added to XNIO WorkerThread. So, the workerThread
| points to the Undertow conduit, which contains the connections and
| causes the leak.

https://bugzilla.redhat.com/show_bug.cgi?id=2264928


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1635
https://www.cve.org/CVERecord?id=CVE-2024-1635

Please adjust the affected versions in the BTS as needed.



Bug#1068815: undertow: CVE-2023-1973

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-1973[0]:
The only reference is at Red Hat:

https://bugzilla.redhat.com/show_bug.cgi?id=2185662


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1973
https://www.cve.org/CVERecord?id=CVE-2023-1973

Please adjust the affected versions in the BTS as needed.



Bug#1068816: undertow: CVE-2024-1459

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1459[0]:
| A path traversal vulnerability was found in Undertow. This issue may
| allow a remote attacker to append a specially-crafted sequence to an
| HTTP request for an application deployed to JBoss EAP, which may
| permit access to privileged or restricted files and directories.

The only reference here is at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2259475

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1459
https://www.cve.org/CVERecord?id=CVE-2024-1459

Please adjust the affected versions in the BTS as needed.



Bug#1068629: testng7 backport for bullseye needed for latest Java LTS releases

2024-04-11 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 02:02:13PM +1200 schrieb Vladimir Petko:
> Hi,
> 
> I have realized that I have not submitted the bug report for this
> issue, so the decision to try vendoring dependencies for JTREG is not
> visible anywhere.
> 
> Starting from the April OpenJDK release, JTREG 7.3 will be used for
> openjdk-11 and up, which will require having it in Buster and up.
> 
> In Ubuntu, the January OpenJDK update used the vendored version, and
> we have not found any test regression issues caused by it.
> 
> I have an MR open[1] that does not update the source tree and a
> branch[2] with imported sources.

Thanks, using a vendored version seems perfectly fine here and makes
our life significantly easier for stable/oldstable updates (and jtreg
isn't used outside of OpenJDK anyway).

Cheers,
Moritz



Bug#1068462: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

2024-04-05 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period at
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via the gf_fwrite
| component in utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer dereference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.



Bug#1068461: freeimage: CVE-2024-28562 CVE-2024-28563 CVE-2024-28564 CVE-2024-28565 CVE-2024-28566 CVE-2024-28567 CVE-2024-28568 CVE-2024-28569 CVE-2024-28570 CVE-2024-28571 CVE-2024-28572 CVE-2024-28

2024-04-05 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for freeimage. They are all
only published at 
https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
and don't appear to be forwarded upstream yet.

CVE-2024-28562[0]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::copyIntoFrameBuffer() component when reading images in EXR
| format.


CVE-2024-28563[1]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::DwaCompressor::Classifier::Classifier() function
| when reading images in EXR format.


CVE-2024-28564[2]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::CharPtrIO::readChars() function when reading images
| in EXR format.


CVE-2024-28565[3]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the psdParser::ReadImageData() function when reading images in
| PSD format.


CVE-2024-28566[4]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| AssignPixel() function when reading images in TIFF format.


CVE-2024-28567[5]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_CreateICCProfile() function when reading images in
| TIFF format.


CVE-2024-28568[6]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the read_iptc_profile() function when reading images in TIFF
| format.


CVE-2024-28569[7]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::Xdr::read() function when reading images in EXR format.


CVE-2024-28570[8]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the processMakerNote() function when reading images in JPEG
| format.


CVE-2024-28571[9]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the fill_input_buffer() function when reading images in JPEG
| format.


CVE-2024-28572[10]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_SetTagValue() function when reading images in JPEG
| format.


CVE-2024-28573[11]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the jpeg_read_exif_profile() function when reading images in
| JPEG format.


CVE-2024-28574[12]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28574[13]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28575[14]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_read_mct() function when reading images in J2K
| format.


CVE-2024-28576[15]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_tcp_destroy() function when reading images in J2K
| format.


CVE-2024-28577[16]:
| Null Pointer Dereference vulnerability in open source FreeImage
| v.3.19.0 [r1909] allows a local attacker to cause a denial of
| service (DoS) via the jpeg_read_exif_profile_raw() function when
| reading images in JPEG format.


CVE-2024-28578[17]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Load() function when reading images in RAS format.


CVE-2024-28579[18]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_Unload() function when reading images in HDR
| format.


CVE-2024-28580[19]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| ReadData() function when 

Bug#1068460: docker.io: CVE-2024-29018

2024-04-05 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-29018[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. Moby's networking implementation
| allows for many networks, each with their own IP address range and
| gateway, to be defined. This feature is frequently referred to as
| custom networks, as each network can have a different driver, set of
| parameters and thus behaviors. When creating a network, the
| `--internal` flag is used to designate a network as _internal_. The
| `internal` attribute in a docker-compose.yml file may also be used
| to mark a network _internal_, and other API clients may specify the
| `internal` parameter as well.  When containers with networking are
| created, they are assigned unique network interfaces and IP
| addresses. The host serves as a router for non-internal networks,
| with a gateway IP that provides SNAT/DNAT to/from container IPs.
| Containers on an internal network may communicate between each
| other, but are precluded from communicating with any networks the
| host has access to (LAN or WAN) as no default route is configured,
| and firewall rules are set up to drop all outgoing traffic.
| Communication with the gateway IP address (and thus appropriately
| configured host services) is possible, and the host may communicate
| with any container IP directly.  In addition to configuring the
| Linux kernel's various networking features to enable container
| networking, `dockerd` directly provides some services to container
| networks. Principal among these is serving as a resolver, enabling
| service discovery, and resolution of names from an upstream
| resolver.  When a DNS request for a name that does not correspond to
| a container is received, the request is forwarded to the configured
| upstream resolver. This request is made from the container's network
| namespace: the level of access and routing of traffic is the same as
| if the request was made by the container itself.  As a consequence
| of this design, containers solely attached to an internal network
| will be unable to resolve names using the upstream resolver, as the
| container itself is unable to communicate with that nameserver. Only
| the names of containers also attached to the internal network are
| able to be resolved.  Many systems run a local forwarding DNS
| resolver. As the host and any containers have separate loopback
| devices, a consequence of the design described above is that
| containers are unable to resolve names from the host's configured
| resolver, as they cannot reach these addresses on the host loopback
| device. To bridge this gap, and to allow containers to properly
| resolve names even when a local forwarding resolver is used on a
| loopback address, `dockerd` detects this scenario and instead
| forwards DNS requests from the host network namespace. The loopback
| resolver then forwards the requests to its configured upstream
| resolvers, as expected.  Because `dockerd` forwards DNS requests to
| the host loopback device, bypassing the container network
| namespace's normal routing semantics entirely, internal networks can
| unexpectedly forward DNS requests to an external nameserver. By
| registering a domain for which they control the authoritative
| nameservers, an attacker could arrange for a compromised container
| to exfiltrate data by encoding it in DNS queries that will
| eventually be answered by their nameservers.  Docker Desktop is not
| affected, as Docker Desktop always runs an internal resolver on a
| RFC 1918 address.  Moby releases 26.0.0, 25.0.4, and 23.0.11 are
| patched to prevent forwarding any DNS requests from internal
| networks. As a workaround, run containers intended to be solely
| attached to internal networks with a custom upstream address, which
| will force all upstream DNS queries to be resolved from the
| container's network namespace.

https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
https://github.com/moby/moby/pull/46609


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29018
https://www.cve.org/CVERecord?id=CVE-2024-29018

Please adjust the affected versions in the BTS as needed.
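As an added illustration (not Moby's code) of the check a defender would want after reading the above: a C program over a constructed log of DNS queries that reached the upstream resolver. It counts the ones that originated from the --internal network's subnet (assumed here to be 172.30.0.0/16), which per the advisory should be zero, and separately flags names that look like they carry encoded data. The log records, the subnet and the heuristic thresholds are all assumptions made for this example.

```c
/* Added example, not Moby's code: checks a defender could run over a log of
 * DNS queries that dockerd forwarded upstream. All records are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed: the subnet Docker assigned to the --internal network. */
#define INTERNAL_PREFIX "172.30."

#define MAX_LABELS        64
#define MAX_LABEL_PLAIN   24   /* a longer single label is rarely a real hostname */
#define MAX_PREFIX_BYTES  40   /* bytes left of the registrable domain */

struct fwd_query { const char *src_ip; const char *qname; };

bool from_internal_network(const char *ip)
{
    return strncmp(ip, INTERNAL_PREFIX, strlen(INTERNAL_PREFIX)) == 0;
}

/* Heuristic for names that carry encoded data: look at every label left of
 * the last two (the registrable domain the attacker controls) and flag an
 * overlong label, too many prefix bytes, or a mostly-numeric prefix such as
 * a hex payload. Thresholds are assumptions; tune them for your estate. */
bool dns_name_suspect(const char *qname)
{
    const char *label[MAX_LABELS];
    size_t len[MAX_LABELS];
    int n = 0;

    for (const char *p = qname; n < MAX_LABELS; ) {
        const char *dot = strchr(p, '.');
        label[n] = p;
        len[n] = dot ? (size_t)(dot - p) : strlen(p);
        n++;
        if (!dot) break;
        p = dot + 1;
    }
    if (n <= 2) return false;               /* nothing left of the apex */

    size_t prefix = 0, digits = 0;
    for (int i = 0; i < n - 2; i++) {
        if (len[i] > MAX_LABEL_PLAIN) return true;
        prefix += len[i];
        for (size_t j = 0; j < len[i]; j++)
            if (isdigit((unsigned char)label[i][j])) digits++;
    }
    if (prefix > MAX_PREFIX_BYTES) return true;
    return prefix >= 16 && digits * 10 > prefix * 3;   /* more than 30% digits */
}

/* Count forwarded queries that originated on the internal network. Each one
 * is a policy violation even when the name looks benign; *suspect receives
 * how many of them also look like exfiltration. */
int count_internal_upstream(const struct fwd_query *q, int n, int *suspect)
{
    int internal = 0;
    *suspect = 0;
    for (int i = 0; i < n; i++) {
        if (!from_internal_network(q[i].src_ip)) continue;
        internal++;
        if (dns_name_suspect(q[i].qname)) (*suspect)++;
    }
    return internal;
}

/* Constructed log: what a resolver in front of the upstream might have seen. */
static const struct fwd_query SAMPLE_LOG[] = {
    { "172.30.0.5", "db.internal.example" },
    { "172.30.0.5", "ip-10-0-0-1.ec2.internal" },
    { "172.30.0.7", "48656c6c6f20776f726c64212121.0.exfil.attacker.example" },
    { "10.89.0.3",  "registry.example" },
};
#define SAMPLE_LOG_N (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int sample_log_internal_count(void)
{
    int s;
    return count_internal_upstream(SAMPLE_LOG, SAMPLE_LOG_N, &s);
}

int sample_log_suspect_count(void)
{
    int s;
    count_internal_upstream(SAMPLE_LOG, SAMPLE_LOG_N, &s);
    return s;
}

int main(void)
{
    printf("upstream queries from internal network: %d (suspect: %d)\n",
           sample_log_internal_count(), sample_log_suspect_count());
    return 0;
}
```

The first count is the one that matters for this CVE: on a patched daemon, or on one where internal-only containers run with the workaround from the advisory (a custom upstream address, so queries are resolved from the container's own namespace and dropped by its firewall rules), nothing from that subnet should ever reach the upstream resolver. The name heuristic is a second line of defence, not a substitute for fixing the routing.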



Bug#1068459: murano: CVE-2024-29156

2024-04-05 Thread Moritz Mühlenhoff
Source: murano
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for murano.

CVE-2024-29156[0]:
| In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used,
| the Murano service's MuranoPL extension to the YAQL language fails
| to sanitize the supplied environment, leading to potential leakage
| of sensitive service account information.

https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093

No fix in Murano, but a change in src:python-yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3
 (3.0.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29156
https://www.cve.org/CVERecord?id=CVE-2024-29156

Please adjust the affected versions in the BTS as needed.



Bug#1068455: varnish: CVE-2024-30156

2024-04-05 Thread Moritz Mühlenhoff
Source: varnish
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for varnish.

CVE-2024-30156[0]:
| Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13
| LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits
| exhaustion for an HTTP/2 connection control flow window, aka a Broke
| Window Attack.

https://varnish-cache.org/security/VSV00014.html
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156
https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/727a5f80347545b6fc7a6aa48f9fb74e90528f0c
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/42a10e90015bd8a9cb1c7c2e0e313f8b5ae9ebe9
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/eccb50837d61fcb5a6927eef94c570bd1d03c26d
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/0b82e00708b88f696af5881b7a19caf2144d13f7
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/4938f05b318eb2daa2ccc89dafeed3126552c481
 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/41ef373af53571a94ea8f73f0538322270799a84
 (varnish-7.5.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30156
https://www.cve.org/CVERecord?id=CVE-2024-30156

Please adjust the affected versions in the BTS as needed.



Bug#1068457: azure-uamqp-python: CVE-2024-29195

2024-04-05 Thread Moritz Mühlenhoff
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-29195[0]:
| The azure-c-shared-utility is a C library for AMQP/MQTT
| communication to Azure Cloud Services. This library may be used by
| the Azure IoT C SDK for communication between IoT Hub and IoT Hub
| devices. An attacker can cause an integer wraparound or under-
| allocation or heap buffer overflow due to vulnerabilities in
| parameter checking mechanism, by exploiting the buffer length
| parameter in Azure C SDK, which may lead to remote code execution.
| Requirements for RCE are 1. Compromised Azure account allowing
| malformed payloads to be sent to the device via IoT Hub service, 2.
| By passing IoT hub service max message payload limit of 128KB, and
| 3. Ability to overwrite code space with remote code. Fixed in commit
| https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29195
https://www.cve.org/CVERecord?id=CVE-2024-29195

Please adjust the affected versions in the BTS as needed.
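As an added illustration of the bug class named in the advisory text (integer wraparound in a buffer-length check leading to under-allocation), not azure-c-shared-utility's own code: a small parser for a constructed length-prefixed frame. frame_len_ok_wrapping() is the check as it is commonly written and accepts an absurd length because the addition wraps at 2^32; frame_len_ok() compares without forming the sum. The frame layout, the FRAME_HDR size and the sample frames are assumptions for this example.

```c
/* Added example, not azure-c-shared-utility code: a length-prefixed frame
 * parser showing how a buffer-length check can wrap and under-allocate. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_HDR 8u   /* assumed: 4-byte magic + 4-byte big-endian payload length */

/* Vulnerable form: the sum wraps modulo 2^32, so a huge `len` passes. */
bool frame_len_ok_wrapping(uint32_t avail, uint32_t len)
{
    uint32_t need = FRAME_HDR + len;   /* len = 0xFFFFFFF8 -> need = 0 */
    return need <= avail;
}

/* Hardened form: subtract on the side that cannot underflow. */
bool frame_len_ok(uint32_t avail, uint32_t len)
{
    if (avail < FRAME_HDR) return false;
    return len <= avail - FRAME_HDR;
}

/* Allocation with +1 for a terminator also wraps unless guarded; without the
 * guard len = UINT32_MAX asks malloc for 0 bytes and the memcpy overflows. */
uint8_t *alloc_payload(uint32_t len)
{
    if (len == UINT32_MAX) return NULL;
    return malloc((size_t)len + 1);
}

/* Parse one frame from buf[avail]. Stores a NUL-terminated copy of the
 * payload in *out (caller frees) and returns its length, or -1 on a bad
 * length or allocation failure. */
int64_t frame_parse(const uint8_t *buf, uint32_t avail, uint8_t **out)
{
    if (avail < FRAME_HDR) return -1;
    uint32_t len = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                   ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (!frame_len_ok(avail, len)) return -1;
    uint8_t *p = alloc_payload(len);
    if (!p) return -1;
    memcpy(p, buf + FRAME_HDR, len);
    p[len] = '\0';
    *out = p;
    return (int64_t)len;
}

/* Constructed frames: one honest, one claiming a payload length that wraps. */
static const uint8_t GOOD_FRAME[] = { 'A','M','Q','P', 0x00,0x00,0x00,0x05, 'h','e','l','l','o' };
static const uint8_t WRAP_FRAME[] = { 'A','M','Q','P', 0xFF,0xFF,0xFF,0xF8, 'h','e','l','l','o' };

/* Parse and compare the payload text; returns 1 on match. */
int parse_gives(const uint8_t *buf, uint32_t avail, const char *expected)
{
    uint8_t *out = NULL;
    int64_t n = frame_parse(buf, avail, &out);
    if (n < 0) return 0;
    int ok = strcmp((const char *)out, expected) == 0;
    free(out);
    return ok;
}

/* Returns 1 if the hardened path rejects the frame. */
int parse_rejects(const uint8_t *buf, uint32_t avail)
{
    uint8_t *out = NULL;
    return frame_parse(buf, avail, &out) < 0;
}

int main(void)
{
    printf("wrapping check accepts len=0xFFFFFFF8 with 13 bytes available: %d\n",
           frame_len_ok_wrapping(13, 0xFFFFFFF8u));
    printf("hardened check accepts it: %d\n", frame_len_ok(13, 0xFFFFFFF8u));
    printf("good frame parses: %d, wrap frame rejected: %d\n",
           parse_gives(GOOD_FRAME, sizeof GOOD_FRAME, "hello"),
           parse_rejects(WRAP_FRAME, sizeof WRAP_FRAME));
    return 0;
}
```

The rule the hardened check follows is the general one for untrusted lengths: never add the attacker's value to anything before comparing it, and guard every `+ 1` or `+ header` that feeds an allocation size.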



Bug#1068454: qt6-base: CVE-2024-30161

2024-04-05 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-30161[0]:
| In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may
| access QNetworkReply header data via a dangling pointer.

https://codereview.qt-project.org/c/qt/qtbase/+/544314
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30161
https://www.cve.org/CVERecord?id=CVE-2024-30161

Please adjust the affected versions in the BTS as needed.



Bug#1068453: request-tracker5: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker5.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.



Bug#1068452: request-tracker4: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker4.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.



Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-04 Thread Moritz Mühlenhoff
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.



Bug#1068346: node-express: CVE-2024-29041

2024-04-03 Thread Moritz Mühlenhoff
Source: node-express
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-express.

CVE-2024-29041[0]:
| Express.js minimalist web framework for node. Versions of Express.js
| prior to 4.19.0 and all pre-release alpha and beta versions of 5.0
| are affected by an open redirect vulnerability using malformed URLs.
| When a user of Express performs a redirect using a user-provided URL
| Express performs an encode [using
| `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
| before passing it to the `location` header. This can cause malformed
| URLs to be evaluated in unexpected ways by common redirect allow
| list implementations in Express applications, leading to an Open
| Redirect via bypass of a properly implemented allow list. The main
| method impacted is `res.location()` but this is also called from
| within `res.redirect()`. The vulnerability is fixed in 4.19.2 and
| 5.0.0-beta.3.

https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
https://github.com/koajs/koa/issues/1800
https://github.com/expressjs/express/pull/5539
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
 (4.19.0)
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29041
https://www.cve.org/CVERecord?id=CVE-2024-29041

Please adjust the affected versions in the BTS as needed.



Bug#1068347: nodejs: CVE-2024-27983 CVE-2024-27982

2024-04-03 Thread Moritz Mühlenhoff
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2024-27983[0]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

CVE-2024-27982[1]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27983
https://www.cve.org/CVERecord?id=CVE-2024-27983
[1] https://security-tracker.debian.org/tracker/CVE-2024-27982
https://www.cve.org/CVERecord?id=CVE-2024-27982

Please adjust the affected versions in the BTS as needed.



Bug#1068144: slang2: CVE-2023-45927 CVE-2023-45929

2024-03-31 Thread Moritz Mühlenhoff
Source: slang2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for slang2. From my perspective
they have no real security impact, but we can still treat/fix them as regular
bugs:

CVE-2023-45927[0]:
| S-Lang 2.3.2 was discovered to contain an arithmetic exception via
| the function tt_sprintf().
http://lists.jedsoft.org/lists/slang-users/2023/003.html

CVE-2023-45929[1]:
| S-Lang 2.3.2 was discovered to contain a segmentation fault via the
| function fixup_tgetstr().
http://lists.jedsoft.org/lists/slang-users/2023/002.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45927
https://www.cve.org/CVERecord?id=CVE-2023-45927
[1] https://security-tracker.debian.org/tracker/CVE-2023-45929
https://www.cve.org/CVERecord?id=CVE-2023-45929

Please adjust the affected versions in the BTS as needed.



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff
Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
> 
> I checked a handful CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that 
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before 
> for bullseye and buster since there was anyway a different upstream 
> tarball required for the +really version that is required to avoid 
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs look good, please upload to security-master,
thanks!

Note that both need -sa, but dak needs some special attention when
uploading to security-master. You'll need to wait for the ACCEPTED mail
before you can upload the next one.

Cheers,
Moritz



Bug#1067456: erlang-jose: CVE-2023-50966

2024-03-21 Thread Moritz Mühlenhoff
Source: erlang-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for erlang-jose.

CVE-2023-50966[0]:
| erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allows
| attackers to cause a denial of service (CPU consumption) via a large
| p2c (aka PBES2 Count) value in a JOSE header.

https://github.com/potatosalad/erlang-jose/issues/156
https://github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50966
https://www.cve.org/CVERecord?id=CVE-2023-50966

Please adjust the affected versions in the BTS as needed.



Bug#1067457: jose: CVE-2023-50967

2024-03-21 Thread Moritz Mühlenhoff
Source: jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jose.

CVE-2023-50967[0]:
| latchset jose through version 11 allows attackers to cause a denial
| of service (CPU consumption) via a large p2c (aka PBES2 Count)
| value.

This doesn't appear to have been forwarded upstream yet:
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50967
https://www.cve.org/CVERecord?id=CVE-2023-50967

Please adjust the affected versions in the BTS as needed.
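For the p2c issue in the erlang-jose report above and in this jose one, here is an added example (not code from either project) of the check a JWE consumer should run on the protected header before doing any PBKDF2 work; the MAX_P2C cap, the helper names and the sample headers are assumptions constructed for the example.

```python
import base64
import json

# Cap on the PBES2 iteration count ("p2c") this consumer will honour; the
# number is an assumption for this example, sized to affordable PBKDF2 cost.
MAX_P2C = 10_000
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

def _b64url_decode(data: str) -> bytes:
    # JOSE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_jwe_protected_header(protected: str) -> dict:
    """Parse the base64url protected header of a compact JWE and reject a
    PBES2 header whose p2c is missing, not a positive integer, or above
    MAX_P2C. Call this before any PBKDF2 work; raises ValueError on rejection."""
    try:
        header = json.loads(_b64url_decode(protected))
    except ValueError as exc:  # bad base64, bad UTF-8 and bad JSON all land here
        raise ValueError(f"malformed protected header: {exc}") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") in PBES2_ALGS:
        p2c = header.get("p2c")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
            raise ValueError("PBES2 header needs a positive integer p2c")
        if p2c > MAX_P2C:
            raise ValueError(f"p2c={p2c} exceeds cap {MAX_P2C}; refusing")
        if not isinstance(header.get("p2s"), str):
            raise ValueError("PBES2 header needs a p2s salt")
    return header

def is_header_accepted(protected: str) -> bool:
    try:
        check_jwe_protected_header(protected)
        return True
    except ValueError:
        return False

def _encode_header(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample headers for the demonstration (not from any real token).
SANE_HEADER = _encode_header({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                              "p2s": "c2FsdA", "p2c": 4096})
OVERSIZED_HEADER = _encode_header({"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                                   "p2s": "c2FsdA", "p2c": 2**31})
NON_PBES2_HEADER = _encode_header({"alg": "dir", "enc": "A128GCM"})
```

The cap is enforced on the header alone, so an oversized count is refused before a single PBKDF2 iteration runs.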



Bug#1067180: fastdds: CVE-2024-26369

2024-03-19 Thread Moritz Mühlenhoff
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2024-26369[0]:
| An issue in the HistoryQosPolicy component of FastDDS v2.12.x,
| v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon
| receiving DataWriter's data.

https://github.com/eProsima/Fast-DDS/issues/4365
https://github.com/eProsima/Fast-DDS/pull/4375

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26369
https://www.cve.org/CVERecord?id=CVE-2024-26369

Please adjust the affected versions in the BTS as needed.



Bug#1067179: ldap-account-manager: CVE-2024-23333

2024-03-19 Thread Moritz Mühlenhoff
Source: ldap-account-manager
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-23333[0]:
| LDAP Account Manager (LAM) is a webfrontend for managing entries
| stored in an LDAP directory. LAM's log configuration allows to
| specify arbitrary paths for log files. Prior to version 8.7, an
| attacker could exploit this by creating a PHP file and cause LAM to
| log some PHP code to this file. When the file is then accessed via
| web the code would be executed. The issue is mitigated by the
| following: An attacker needs to know LAM's master configuration
| password to be able to change the main settings; and the webserver
| needs write access to a directory that is accessible via web. LAM
| itself does not provide any such directories. The issue has been
| fixed in 8.7. As a workaround, limit access to LAM configuration
| pages to authorized users.

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23333
https://www.cve.org/CVERecord?id=CVE-2024-23333

Please adjust the affected versions in the BTS as needed.



Bug#1067178: clickhouse: CVE-2024-22412

2024-03-19 Thread Moritz Mühlenhoff
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clickhouse.

CVE-2024-22412[0]:
| ClickHouse is an open-source column-oriented database management
| system. A bug exists in the cloud ClickHouse offering prior to
| version 24.0.2.54535 and in github.com/clickhouse/clickhouse version
| 23.1. Query caching bypasses the role based access controls and the
| policies being enforced on roles. In affected versions, the query
| cache only respects separate users, however this is not documented
| and not expected behavior. People relying on ClickHouse roles can
| have their access control lists bypassed if they are using query
| caching. Attackers who have control of a role could guess queries
| and see data they shouldn't have access to. Version 24.1 of
| ClickHouse and version 24.0.2.54535 of ClickHouse Cloud contain a
| patch for this issue. Based on the documentation, role based access
| control should be enforced regardless if query caching is enabled or
| not.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r
https://github.com/ClickHouse/ClickHouse/pull/58611


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22412
https://www.cve.org/CVERecord?id=CVE-2024-22412

Please adjust the affected versions in the BTS as needed.



Bug#1067177: black: CVE-2024-21503

2024-03-19 Thread Moritz Mühlenhoff
Source: black
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for black.

CVE-2024-21503[0]:
| Versions of the package black before 24.3.0 are vulnerable to
| Regular Expression Denial of Service (ReDoS) via the
| lines_with_leading_tabs_expanded function in the strings.py file. An
| attacker could exploit this vulnerability by crafting a malicious
| input that causes a denial of service.  Exploiting this
| vulnerability is possible when running Black on untrusted input, or
| if you habitually put thousands of leading tab characters in your
| docstrings.

https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
https://github.com/psf/black/releases/tag/24.3.0
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21503
https://www.cve.org/CVERecord?id=CVE-2024-21503

Please adjust the affected versions in the BTS as needed.



Bug#1064968: net-snmp: CVE-2024-26464

2024-02-28 Thread Moritz Mühlenhoff
Source: net-snmp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for net-snmp. This appeared
in the CVE feed, but I doubt that it was actually forwarded upstream.

CVE-2024-26464[0]:
| net-snmp 5.9.4 contains a memory leak vulnerability in
| /net-snmp/apps/snmpvacm.c.

https://github.com/LuMingYinDetect/net-snmp_defects/blob/main/net-snmp_detect_1.md


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26464
https://www.cve.org/CVERecord?id=CVE-2024-26464

Please adjust the affected versions in the BTS as needed.



Bug#1064967: fontforge: CVE-2024-25081 CVE-2024-25082

2024-02-28 Thread Moritz Mühlenhoff
Source: fontforge
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.


