[SECURITY] [DLA 3340-1] libgit2 security update

2023-02-23 Thread Tobias Frost
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3340-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Tobias Frost
February 23, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libgit2
Version: 0.27.7+dfsg.1-0.2+deb10u1
CVE ID : CVE-2020-12278 CVE-2020-12279 CVE-2023-22742
Debian Bug : 1029368

Several vulnerabilities have been found in libgit2, a cross-platform,
linkable library implementation of Git, which may result in remote code
execution when cloning a repository on an NTFS-like filesystem, or in
man-in-the-middle attacks due to improper verification of a cryptographic
signature.

CVE-2020-12278

An issue was discovered in libgit2 before 0.28.4 and 0.9x before
0.99.0.  path.c mishandles equivalent filenames that exist because of
NTFS Alternate Data Streams. This may allow remote code execution when
cloning a repository.

CVE-2020-12279

An issue was discovered in libgit2 before 0.28.4 and 0.9x before
0.99.0.  checkout.c mishandles equivalent filenames that exist because
of NTFS short names. This may allow remote code execution when cloning a
repository.
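Both CVE-2020-12278 and CVE-2020-12279 come down to tree-entry names that NTFS resolves to `.git` even though they are not spelled `.git`. The following is an added example written for this advisory, not libgit2's own path.c or checkout.c code: it normalises a path component the way NTFS does (case-insensitive, trailing spaces and periods dropped, `:` starting an alternate data stream, `GIT~1` as the usual 8.3 short name) before comparing it against `.git`, so a checkout can refuse such entries. The sample paths in the test are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes (NTFS lookups ignore case). */
static bool ieq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Return true if one path component is an NTFS alias of ".git":
 *  - a ':' starts an alternate data stream name, which NTFS resolves
 *    against the ".git" entry itself
 *  - trailing spaces and periods are silently dropped (".git.", ".git ")
 *  - "GIT~1" is the 8.3 short name NTFS normally assigns to ".git"
 *    (assumed here; a colliding short name would get a different suffix)
 *  - name lookup is case-insensitive
 */
bool is_ntfs_dotgit(const char *name)
{
    size_t len = strcspn(name, ":/\\");   /* stop at stream or path separator */
    while (len > 0 && (name[len - 1] == ' ' || name[len - 1] == '.'))
        len--;                            /* keep only what NTFS keeps */
    if (len == 4 && ieq_n(name, ".git", 4))
        return true;
    if (len == 5 && ieq_n(name, "git~1", 5))
        return true;
    return false;
}

/* Reject a tree path if any component would land in .git on an NTFS checkout. */
bool path_is_safe_on_ntfs(const char *path)
{
    for (const char *p = path; *p; ) {
        if (is_ntfs_dotgit(p))
            return false;
        p += strcspn(p, "/\\");          /* skip to the end of this component */
        while (*p == '/' || *p == '\\')
            p++;
    }
    return true;
}
```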

CVE-2023-22742

libgit2 is a cross-platform, linkable library implementation of Git.
When using an SSH remote with the optional libssh2 backend, libgit2 does
not perform certificate checking by default. Prior versions of libgit2
require the caller to set the `certificate_check` field of libgit2's
`git_remote_callbacks` structure - if a certificate check callback is
not set, libgit2 does not perform any certificate checking. This means
that by default - without configuring a certificate check callback,
clients will not perform validation on the server SSH keys and may be
subject to a man-in-the-middle attack.

For Debian 10 buster, these problems have been fixed in version
0.27.7+dfsg.1-0.2+deb10u1.

We recommend that you upgrade your libgit2 packages.

For the detailed security status of libgit2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgit2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3339-1] binwalk security update

2023-02-23 Thread Adrian Bunk
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3339-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Adrian Bunk
February 23, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: binwalk
Version: 2.1.2~git20180830+dfsg1-1+deb10u1
CVE ID : CVE-2022-4510

Code execution through crafted PFS filesystems was fixed in binwalk,
a tool and Python module for analyzing binary blobs and executable code.

For Debian 10 buster, this problem has been fixed in version
2.1.2~git20180830+dfsg1-1+deb10u1.

We recommend that you upgrade your binwalk packages.

For the detailed security status of binwalk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/binwalk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3338-1] git security update

2023-02-23 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3338-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
February 23, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: git
Version: 1:2.20.1-2+deb10u8
CVE ID : CVE-2023-22490 CVE-2023-23946

Several vulnerabilities have been discovered in git, a fast, scalable
and distributed revision control system.

CVE-2023-22490

yvvdwf found a data exfiltration vulnerability that is triggered when
performing a local clone from a malicious repository, even when a
non-local transport is used.

CVE-2023-23946

Joern Schneeweisz found a path traversal vulnerability in git-apply
through which a path outside the working tree can be overwritten as the
acting user.

For Debian 10 buster, these problems have been fixed in version
1:2.20.1-2+deb10u8.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3337-1] mariadb-10.3 security update

2023-02-23 Thread Emilio Pozuelo Monfort
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3337-1                    debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Otto Kekäläinen
February 23, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: mariadb-10.3
Version: 1:10.3.38-0+deb10u1
Debian Bug : 1008629

A new MariaDB minor maintenance release, 10.3.38, has been released. It
includes a fix for a major performance/memory consumption issue (MDEV-29988).

For further details, see the MariaDB 10.3 release notes:

  https://mariadb.com/kb/en/mariadb-10-3-37-release-notes/
  https://mariadb.com/kb/en/mariadb-10-3-38-release-notes/

For Debian 10 buster, this problem has been fixed in version
1:10.3.38-0+deb10u1.

We recommend that you upgrade your mariadb-10.3 packages.

For the detailed security status of mariadb-10.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mariadb-10.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS