[SECURITY] [DLA 3336-1] node-url-parse security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3336-1                 debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Guilhem Moulin
February 23, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-url-parse
Version        : 1.2.0-2+deb10u2
CVE ID         : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639
                 CVE-2022-0686 CVE-2022-0691
Debian Bug     : 985110 991577

Multiple vulnerabilities were found in node-types-url-parse, a Node.js
module used to parse URLs, which may result in authorization bypass or
redirection to untrusted sites.

CVE-2021-3664

    url-parse mishandles certain uses of a single (back)slash such as
    https:\ and https:/ and interprets the URI as a relative path.
    Browsers accept a single backslash after the protocol and treat it as
    a normal slash, while url-parse sees it as a relative path. Depending
    on library usage, this may result in allow/block list bypasses, SSRF
    attacks, open redirects, or other undesired behavior.

CVE-2021-27515

    Using a backslash in the protocol is valid in the browser, while
    url-parse thinks it's a relative path. An application that validates a
    URL using url-parse might pass a malicious link.

CVE-2022-0512

    Incorrect handling of username and password can lead to failure to
    properly identify the hostname, which in turn could result in
    authorization bypass.

CVE-2022-0639

    Incorrect conversion of `@` characters in the protocol in the `href`
    field can lead to failure to properly identify the hostname, which in
    turn could result in authorization bypass.

CVE-2022-0686

    Rohan Sharma reported that url-parse is unable to find the correct
    hostname when no port number is provided in the URL, such as in
    `http://example.com:`. This could in turn result in SSRF attacks, open
    redirects or any other vulnerability which depends on the `hostname`
    field of the parsed URL.

CVE-2022-0691

    url-parse is unable to find the correct hostname when the URL contains
    a backspace `\b` character. This tricks the parser into interpreting
    the URL as a relative path, bypassing all hostname checks. It can also
    lead to a false positive in `extractProtocol()`.

For Debian 10 buster, these problems have been fixed in version
1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
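As an added example, not part of the advisory or the url-parse project: a hostname allowlist check built on the WHATWG URL parser that ships in Node.js (the global `URL` class), run over constructed inputs in the shapes the advisory describes (backslash after the scheme, empty port, leading backspace, credentials before the host). The helper names, the allowlist and the sample inputs are assumptions for the demonstration.

```javascript
// Added example, not from the advisory or url-parse: a hostname allowlist
// check that parses with Node's built-in WHATWG `URL` class, which follows
// browser rules for "\" after the scheme, empty ports, leading C0 controls
// such as backspace, and userinfo, and fails closed on unparsable input.

// Return the hostname the browser-compatible parser sees, or null when the
// input is not an absolute http(s) URL or is rejected by the parser.
function resolveHostname(input) {
  let parsed;
  try {
    parsed = new URL(input);            // no base URL: relative input throws
  } catch (e) {
    return null;                        // fail closed on anything invalid
  }
  // Only web schemes carry a hostname that an allowlist can reason about.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.hostname;               // lowercased, no port, no userinfo
}

// Exact, case-insensitive match of the parsed hostname against the list.
function isAllowedHost(input, allowlist) {
  const host = resolveHostname(input);
  if (host === null) return false;
  return allowlist.some((h) => h.toLowerCase() === host);
}

// Constructed sample inputs mirroring the shapes named in the advisory.
const samples = [
  'https:\\example.com',            // single backslash after the scheme
  'http://example.com:',            // colon but no port number
  '\bhttp://example.com',           // leading backspace (U+0008) character
  'http://user:pw@example.com',     // credentials before the hostname
  'http://example.com@other.example', // "example.com" is the username here
  'http://exa mple.com',            // forbidden host character: rejected
];

// Run every sample through the check and report what the parser decided.
function auditSamples(allowlist) {
  return samples.map((s) => ({
    input: JSON.stringify(s),       // make the control character visible
    host: resolveHostname(s),
    allowed: isAllowedHost(s, allowlist),
  }));
}

console.table(auditSamples(['example.com']));
```

The point to take from the table is that the hostname comparison never sees the raw string: the backslash, empty port and leading backspace variants all resolve to `example.com`, the userinfo variant resolves to `other.example`, and the unparsable input is rejected rather than treated as a relative path.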
[SECURITY] [DLA 3335-1] asterisk security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3335-1                 debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Markus Koschany
February 22, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb10u2
CVE ID         : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325
                 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706

Multiple security vulnerabilities have been discovered in Asterisk, an
Open Source Private Branch Exchange. Buffer overflows and other
programming errors could be exploited for launching a denial of service
attack or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:16.28.0~dfsg-0+deb10u2.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3334-1] sofia-sip security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3334-1                 debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Adrian Bunk
February 22, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : sofia-sip
Version        : 1.12.11+20110422.1-2.1+deb10u3
CVE ID         : CVE-2022-47516
Debian Bug     : 1031792

A denial of service (crash) via a crafted UDP message that leads to an
internal assert was fixed in sofia-sip, a SIP (Session Initiation
Protocol) User-Agent library.

For Debian 10 buster, this problem has been fixed in version
1.12.11+20110422.1-2.1+deb10u3.

We recommend that you upgrade your sofia-sip packages.

For the detailed security status of sofia-sip please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/sofia-sip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3331-1] python-cryptography security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3331-1                 debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Chris Lamb
February 21, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : python-cryptography
Version        : 2.6.1-3+deb10u3
CVE ID         : CVE-2023-23931
Debian Bug     : 1031049

It was discovered that there was a potential memory corruption
vulnerability in python-cryptography, a Python library offering a number
of encryption and cryptography primitives.

For Debian 10 buster, this problem has been fixed in version
2.6.1-3+deb10u3.

We recommend that you upgrade your python-cryptography packages.

For the detailed security status of python-cryptography please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-cryptography

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS