[SECURITY] [DLA 3344-1] nodejs security update

2023-02-25 Thread Guilhem Moulin
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3344-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
February 26, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package: nodejs
Version: 10.24.0~dfsg-1~deb10u3
CVE ID : CVE-2022-43548 CVE-2023-23920
Debian Bug : 1023518 1031834

Vulnerabilities have been found in Node.js, which could result in DNS
rebinding or arbitrary code execution.

CVE-2022-43548

The Node.js rebinding protector for `--inspect` still allows invalid
IP addresses, specifically in octal format, which browsers such as
Firefox attempt to resolve via DNS.  When combined with an active
`--inspect` session, such as when using VSCode, an attacker can
perform DNS rebinding and execute arbitrary code.

CVE-2023-23920

Ben Noordhuis reported that Node.js would search and potentially
load ICU data when running with elevated privileges.  Node.js now
builds with `ICU_NO_USER_DATA_OVERRIDE` to avoid this.

For Debian 10 buster, these problems have been fixed in version
10.24.0~dfsg-1~deb10u3.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3343-1] mono security update

2023-02-25 Thread Adrian Bunk

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3343-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
February 24, 2023                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package: mono
Version: 5.18.0.240+dfsg-3+deb10u1
CVE ID : CVE-2023-26314
Debian Bug : 972146

Arbitrary code execution could be triggered because .desktop files in Mono,
the open source .NET framework, were registered as MIME handlers for
application/x-ms-dos-executable.

For Debian 10 buster, this problem has been fixed in version
5.18.0.240+dfsg-3+deb10u1.

We recommend that you upgrade your mono packages.

For the detailed security status of mono please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mono

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS