[SECURITY] [DLA 3749-1] phpseclib security update

2024-03-05 Thread Guilhem Moulin
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3749-1               debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
March 05, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: phpseclib
Version: 1.0.19-3~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.

CVE-2024-27354

An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).

This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

When processing the ASN.1 object identifier of a certificate, a sub
identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version
1.0.19-3~deb10u3.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
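As an added illustration of the `decodeOID` issue above (example code written for this page, not phpseclib's implementation or its fix): a DER OID decoder that bounds the byte length of each base-128 sub-identifier, so a certificate carrying an oversized sub-identifier is rejected early instead of driving unbounded big-integer arithmetic. The 10-byte limit and the sample inputs are this example's own assumptions.

```python
from typing import List, Optional

# Assumed bound (this example's choice, not phpseclib's): 10 bytes carry
# up to 70 bits, more than any real-world OID arc needs.
MAX_SUBID_BYTES = 10

class OIDError(ValueError):
    pass

def decode_oid(content: bytes, max_subid_bytes: int = MAX_SUBID_BYTES) -> str:
    """Decode DER OID content octets into dotted form, bounding each arc.
    Sub-identifiers are base-128 big-endian with the high bit set on all
    but the last byte. Unbounded, a run of thousands of 0x80 bytes keeps
    the decoder shifting an ever-growing integer; here it is rejected early.
    """
    if not content:
        raise OIDError("empty OID")
    subids: List[int] = []
    value = nbytes = 0
    for b in content:
        nbytes += 1
        if nbytes > max_subid_bytes:
            raise OIDError(f"sub-identifier exceeds {max_subid_bytes} bytes")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this sub-identifier
            subids.append(value)
            value = nbytes = 0
    if nbytes:                    # input ended with continuation bit set
        raise OIDError("truncated sub-identifier")
    first = subids[0]             # packs the first two arcs as X*40 + Y
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(str(a) for a in arcs)

def decode_or_reject(content: bytes) -> Optional[str]:
    """Return the dotted OID, or None when the encoding is rejected."""
    try:
        return decode_oid(content)
    except OIDError:
        return None

# Constructed inputs: id-ecPublicKey (1.2.840.10045.2.1) and a certificate-
# style OID whose second sub-identifier is padded to thousands of bytes.
EC_PUBLIC_KEY = bytes([0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01])
OVERSIZED = bytes([0x2A]) + b"\x80" * 4096 + b"\x01"

if __name__ == "__main__":
    print(decode_oid(EC_PUBLIC_KEY))          # 1.2.840.10045.2.1
    print(decode_or_reject(OVERSIZED))        # None
```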




[SECURITY] [DLA 3750-1] php-phpseclib security update

2024-03-05 Thread Guilhem Moulin
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3750-1               debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Guilhem Moulin
March 05, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: php-phpseclib
Version: 2.0.30-2~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in php-phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.

CVE-2024-27354

An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).

This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

When processing the ASN.1 object identifier of a certificate, a sub
identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version
2.0.30-2~deb10u3.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3751-1] libapache2-mod-auth-openidc security update

2024-03-05 Thread Chris Lamb

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1               debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
March 05, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libapache2-mod-auth-openidc
Version: 2.3.10.2-1+deb10u4
CVE ID : CVE-2024-24814
Debian Bug : 1064183

It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.

Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like , the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.

For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3752-1] libuv1 security update

2024-03-05 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3752-1               debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Adrian Bunk
March 05, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: libuv1
Version: 1.24.1-1+deb10u2
CVE ID : CVE-2024-24806
Debian Bug : 1063484

Improper Domain Lookup in uv_getaddrinfo() has been fixed in libuv,
an asynchronous event notification library.

For Debian 10 buster, this problem has been fixed in version
1.24.1-1+deb10u2.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS