[SECURITY] [DLA 3411-1] distro-info-data database update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3411-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Stefano Rivera
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : distro-info-data
Version        : 0.41+deb10u7

This is a routine update of the distro-info-data database for Debian LTS users. It includes the expected release date for Debian 12, adds Debian 14, adds Ubuntu 23.10, and some minor updates to EoL dates for Ubuntu releases.

For Debian 10 buster, these issues have been fixed in version 0.41+deb10u6.

We recommend that you upgrade your distro-info-data packages.

For the detailed security status of distro-info-data please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/distro-info-data

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3410-1] openvswitch security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3410-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Guilhem Moulin
May 01, 2023                                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openvswitch
Version        : 2.10.7+ds1-0+deb10u4
CVE ID         : CVE-2023-1668
Debian Bug     : 1034042

David Marchand discovered that Open vSwitch, a multilayer, software-based, Ethernet virtual switch, was vulnerable to crafted IP packets with ip proto set to 0, potentially causing a denial of service. Triggering the vulnerability requires an attacker to send a crafted IP packet with the protocol field set to 0 and the flow rules to contain 'set' actions on other fields in the IP protocol header. The resulting flows will omit required actions and fail to mask the IP protocol field, resulting in a large bucket which captures all IP packets.

For Debian 10 buster, this problem has been fixed in version 2.10.7+ds1-0+deb10u4.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3409-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Adrian Bunk
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc
Version        : 2.3.10.2-1+deb10u2
CVE ID         : CVE-2019-20479 CVE-2021-32785 CVE-2021-32786 CVE-2021-32791
                 CVE-2021-32792 CVE-2023-28625
Debian Bug     : 991580 991581 991582 991583 1033916

Several vulnerabilities were fixed in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache.

CVE-2019-20479

    Insufficient validation of URLs beginning with a slash and backslash.

CVE-2021-32785

    Crash when using an unencrypted Redis cache.

CVE-2021-32786

    Open Redirect vulnerability in the logout functionality.

CVE-2021-32791

    AES GCM encryption used a static IV and AAD.

CVE-2021-32792

    XSS vulnerability when using OIDCPreservePost.

CVE-2023-28625

    NULL pointer dereference with OIDCStripCookies.

For Debian 10 buster, these problems have been fixed in version 2.3.10.2-1+deb10u2.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
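The first and third entries above (CVE-2019-20479, URLs beginning with a slash and backslash, and CVE-2021-32786, an open redirect on logout) are two faces of the same bug class: a return-to URL is accepted as "local" because it starts with "/", while browsers resolve "//host" as scheme-relative and normalise backslashes to slashes. The following is an added illustration of that class and of a hardened validator; it is not code from mod_auth_openidc, and the host names, the `allowed_hosts` parameter and the `choose_redirect` helper are assumptions made for the example.

```python
from urllib.parse import urlsplit


def naive_is_local_redirect(target):
    """The weak check: anything starting with '/' is assumed to stay on this site.
    Browsers treat '//host' as scheme-relative and normalise '\\' to '/', so
    '/\\evil.example' and '//evil.example' pass here yet leave the origin."""
    return target.startswith("/")


def is_safe_redirect(target, allowed_hosts=()):
    """Accept a same-origin absolute path, or an https URL whose host is allow-listed.

    Rejects: empty values, control characters and whitespace (header injection),
    any backslash, scheme-relative '//...' forms, non-https schemes, userinfo
    tricks such as 'https://good@evil/', and hosts outside allowed_hosts.
    """
    if not target:
        return False
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    if "\\" in target:
        return False
    if target.startswith("/"):
        # Exactly one leading slash: '//...' would be resolved against another host.
        return not target.startswith("//")
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    allowed = {h.lower() for h in allowed_hosts}  # hypothetical allow-list
    return parts.hostname.lower() in allowed


def choose_redirect(target, allowed_hosts=(), fallback="/"):
    """Helper for a logout / return-to handler: use the target only if it passes,
    otherwise fall back to a fixed same-origin location."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed inputs, not captured traffic.
    for t in ["/account/settings", "/\\evil.example", "//evil.example/",
              "https://app.example/done", "https://app.example@evil.example/"]:
        print(f"{t!r:40} naive={naive_is_local_redirect(t)!s:5} "
              f"hardened={is_safe_redirect(t, ['app.example'])}")
```

The hardened check deliberately has no "parse, then compare the host" branch for relative targets: once a target starts with "/", the only question is whether a second slash or a backslash follows, because those are the forms a browser will reinterpret as pointing at another host.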
[SECURITY] [DLA 3408-1] jruby security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3408-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Adrian Bunk
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : jruby
Version        : 9.1.17.0-3+deb10u1
CVE ID         : CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255
                 CVE-2020-25613 CVE-2021-31810 CVE-2021-32066 CVE-2023-28755
                 CVE-2023-28756
Debian Bug     : 972230 1014818

Several vulnerabilities were fixed in JRuby, a Java implementation of the Ruby programming language.

CVE-2017-17742
CVE-2019-16254

    HTTP Response Splitting attacks in the HTTP server of WEBrick.

CVE-2019-16201

    Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication.

CVE-2019-16255

    Code injection vulnerability of Shell#[] and Shell#test.

CVE-2020-25613

    HTTP Request Smuggling attack in WEBrick.

CVE-2021-31810

    Trusting FTP PASV responses vulnerability in Net::FTP.

CVE-2021-32066

    Net::IMAP did not raise an exception when StartTLS fails with an unknown response.

CVE-2023-28755

    Quadratic backtracking on invalid URI.

CVE-2023-28756

    The Time parser mishandled invalid strings that have specific characters.

For Debian 10 buster, these problems have been fixed in version 9.1.17.0-3+deb10u1.

We recommend that you upgrade your jruby packages.

For the detailed security status of jruby please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jruby

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3407-1] jackson-databind security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3407-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                            Adrian Bunk
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : jackson-databind
Version        : 2.9.8-3+deb10u5
CVE ID         : CVE-2020-10650

One more gadget type (ignite-jta) is being blocked in the Jackson Data Processor library for processing JSON and other data formats in Java.

For Debian 10 buster, this problem has been fixed in version 2.9.8-3+deb10u5.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3405-1] libxml2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3405-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libxml2
Version        : 2.9.4+dfsg1-7+deb10u6
CVE ID         : CVE-2023-28484 CVE-2023-29469

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.

CVE-2023-28484

    A NULL pointer dereference flaw when parsing invalid XML schemas may result in denial of service.

CVE-2023-29469

    It was reported that when hashing empty strings which aren't null-terminated, xmlDictComputeFastKey could produce inconsistent results, which may lead to various logic or memory errors.

For Debian 10 buster, these problems have been fixed in version 2.9.4+dfsg1-7+deb10u6.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3406-1] sniproxy security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3406-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
April 30, 2023                                   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : sniproxy
Version        : 0.6.0-1+deb10u1
CVE ID         : CVE-2023-25076

An issue has been found in sniproxy, a transparent TLS and HTTP layer 4 proxy with SNI support. Due to bad handling of wildcard backend hosts, a crafted HTTP or TLS packet might lead to remote arbitrary code execution.

For Debian 10 buster, this problem has been fixed in version 0.6.0-1+deb10u1.

We recommend that you upgrade your sniproxy packages.

For the detailed security status of sniproxy please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/sniproxy

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
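Every advisory on this page ends with the same instruction: check that the named package is at or above the fixed version and upgrade if not. What "at or above" means is defined by Debian's version ordering (epoch, upstream part, Debian revision, with "~" sorting before everything), which plain string comparison gets wrong for values such as "0.6.0-1" versus "0.6.0-1+deb10u1". The following added example, which is not Debian or dpkg code, reimplements that ordering in Python and checks a dpkg-style package list against the "Version" fields of the seven advisories above. The package list it consumes is a constructed sample, not output from a real host; on a real buster system the same function can be fed the output of `dpkg-query -W -f='${Package} ${Version}\n'`, and `dpkg --compare-versions` remains the reference implementation.

```python
import re

# Fixed versions taken from the "Version" field of each advisory on this page
# (Debian 10 buster, DLA-3405-1 to DLA-3411-1).
FIXED_VERSIONS = {
    "distro-info-data": "0.41+deb10u7",
    "openvswitch": "2.10.7+ds1-0+deb10u4",
    "libapache2-mod-auth-openidc": "2.3.10.2-1+deb10u2",
    "jruby": "9.1.17.0-3+deb10u1",
    "jackson-databind": "2.9.8-3+deb10u5",
    "libxml2": "2.9.4+dfsg1-7+deb10u6",
    "sniproxy": "0.6.0-1+deb10u1",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output;
# not taken from any real host.
SAMPLE_DPKG_OUTPUT = """\
distro-info-data 0.41+deb10u5
openvswitch 2.10.7+ds1-0+deb10u4
libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
libxml2 2.9.4+dfsg1-7+deb10u6
sniproxy 0.6.0-1
"""


def _char_order(c):
    """Ordering of one non-digit character as in dpkg's verrevcmp():
    '~' sorts before anything (even end of string), letters before punctuation."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # End of string counts as 0, so "" < "a" but "~" < "".
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or Debian-revision fragment by alternating
    non-digit runs (lexical, dpkg ordering) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; the revision follows the last '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_output(text):
    """Turn 'package version' lines into a dict; malformed lines are skipped."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def find_unpatched(installed, fixed=FIXED_VERSIONS):
    """Map package -> (installed, fixed) for installed packages still below the fix."""
    return {
        pkg: (installed[pkg], fixed_v)
        for pkg, fixed_v in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], fixed_v) < 0
    }


if __name__ == "__main__":
    report = find_unpatched(parse_dpkg_output(SAMPLE_DPKG_OUTPUT))
    for pkg, (have, need) in sorted(report.items()):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Packages that are not installed are simply not reported, which is the right behaviour for an advisory check but means the script says nothing about packages that should be present and are not.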