[SECURITY] [DLA 3854-1] tryton-client security update
Debian LTS Advisory DLA-3854-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS

Package        : tryton-client
Version        : 5.0.5-1+deb10u1
CVE ID         : not yet available

Cédric Krier has found that trytond, the Tryton application server, accepts compressed content from unauthenticated requests, which makes it vulnerable to zip bomb attacks. This update fixes a potential regression in tryton-client: the client now sends gzip-compressed content only within an established session.

For Debian 10 buster, this problem has been fixed in version 5.0.5-1+deb10u1.

We recommend that you upgrade your tryton-client packages.

For the detailed security status of tryton-client please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-client

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3853-1] tryton-server security update
Debian LTS Advisory DLA-3853-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS

Package        : tryton-server
Version        : 5.0.4-2+deb10u3
CVE ID         : not yet available

Cédric Krier has found that trytond, the Tryton application server, accepts compressed content from unauthenticated requests, which makes it vulnerable to zip bomb attacks.

For Debian 10 buster, this problem has been fixed in version 5.0.4-2+deb10u3.

We recommend that you upgrade your tryton-server packages.

For the detailed security status of tryton-server please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
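The two trytond/tryton-client advisories above (DLA-3853-1 and DLA-3854-1) describe the same defensive pattern: do not inflate compressed request bodies before the sender has a session, and never inflate without a ceiling on the output size. The following is an added illustration written for this page; it is not code from Tryton or from the Debian packages. The 1 MiB cap, the status codes and the `read_request_body` / `inspect_body` names are assumptions chosen for the example, and the gzip payloads it builds are constructed inline.

```python
import gzip
import io

# Assumed cap on the inflated size of a request body (not a Tryton value).
MAX_INFLATED_BYTES = 1 << 20  # 1 MiB


class RequestRejected(Exception):
    """Raised when a request body must not be processed; carries an HTTP status."""

    def __init__(self, status: int, reason: str) -> None:
        super().__init__(f"{status} {reason}")
        self.status = status
        self.reason = reason


def bounded_gunzip(data: bytes, max_output: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a gzip body, but stop as soon as the output exceeds max_output.

    GzipFile.read(n) decompresses incrementally and returns at most n bytes, so
    asking for max_output + 1 bytes costs at most that much memory even when the
    input would expand to gigabytes (the zip bomb case).
    """
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data), mode="rb") as gz:
            inflated = gz.read(max_output + 1)
    except (OSError, EOFError) as exc:  # not gzip, corrupt, or truncated stream
        raise RequestRejected(400, f"malformed gzip body: {exc}") from exc
    if len(inflated) > max_output:
        raise RequestRejected(413, "inflated body exceeds the configured limit")
    return inflated


def read_request_body(headers: dict, body: bytes, authenticated: bool,
                      max_output: int = MAX_INFLATED_BYTES) -> bytes:
    """Return the decoded body or raise RequestRejected.

    Two independent defences: compressed bodies are only accepted once the
    caller has an authenticated session, and even then inflation is capped.
    """
    encoding = headers.get("content-encoding", "identity").strip().lower()
    if encoding == "identity":
        if len(body) > max_output:
            raise RequestRejected(413, "body exceeds the configured limit")
        return body
    if encoding != "gzip":
        raise RequestRejected(415, f"unsupported Content-Encoding: {encoding}")
    if not authenticated:
        raise RequestRejected(400, "compressed bodies require an authenticated session")
    return bounded_gunzip(body, max_output)


def inspect_body(headers: dict, body: bytes, authenticated: bool,
                 max_output: int = MAX_INFLATED_BYTES) -> tuple:
    """Convenience wrapper returning (HTTP status, decoded length); 200 on success."""
    try:
        return 200, len(read_request_body(headers, body, authenticated, max_output))
    except RequestRejected as exc:
        return exc.status, 0


def zero_filled_gzip(n: int) -> bytes:
    """Constructed sample: n zero bytes compressed with gzip (very high ratio)."""
    return gzip.compress(b"\0" * n)


if __name__ == "__main__":
    gz_headers = {"content-encoding": "gzip"}
    small = zero_filled_gzip(1024)
    bomb = zero_filled_gzip(16 << 20)  # 16 MiB of zeros, a few KiB compressed
    print("compressed bomb size:", len(bomb))
    print("unauthenticated gzip:", inspect_body(gz_headers, small, authenticated=False))
    print("authenticated small :", inspect_body(gz_headers, small, authenticated=True))
    print("authenticated bomb  :", inspect_body(gz_headers, bomb, authenticated=True))
```

The session check alone is not sufficient, which is why the cap stays in place for authenticated callers too: an account with valid credentials can still exhaust memory on the server, so the limit is what bounds the blast radius, and the session requirement only removes the unauthenticated path.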
[SECURITY] [DLA 3852-1] edk2 security update
Debian LTS Advisory DLA-3852-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS

Package        : edk2
Version        : 0~20181115.85588389-3+deb10u4
CVE ID         : CVE-2023-48733

Mate Kukri discovered that the Debian build of EDK2, a UEFI firmware implementation, used an insecure default configuration which could result in a Secure Boot bypass via the UEFI shell.

For Debian 10 buster, this problem has been fixed in version 0~20181115.85588389-3+deb10u4.

We recommend that you upgrade your edk2 packages.

For the detailed security status of edk2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/edk2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3851-1] gunicorn security update
Debian LTS Advisory DLA-3851-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 30, 2024                                 https://wiki.debian.org/LTS

Package        : gunicorn
Version        : 19.9.0-1+deb10u1
CVE ID         : CVE-2024-1135
Debian Bug     : 1069126

Gunicorn, an event-based HTTP/WSGI server, fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

For Debian 10 buster, this problem has been fixed in version 19.9.0-1+deb10u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gunicorn

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
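The gunicorn advisory describes the defect abstractly: a request carrying several Transfer-Encoding headers was treated as chunked whenever one of them said so, regardless of the final coding. The added example below is written for this page and is not gunicorn's parser or its fix; it puts the permissive rule the advisory describes (`lenient_is_chunked`) next to a strict framing decision (`strict_framing`) that follows RFC 9112 section 6 (chunked must be the single, final transfer coding; a message with both Transfer-Encoding and Content-Length is rejected rather than guessed at). The header samples are constructed for the example; the function names and the choice to reject rather than reconcile repeated Transfer-Encoding headers are this example's assumptions.

```python
import re

# RFC 9110 token characters; used to reject malformed header names outright.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class FramingError(ValueError):
    """Ambiguous or malformed message framing; the request should get a 400."""


def parse_headers(raw_head: str) -> list:
    """Split CRLF-separated header lines into (lower-cased name, value) pairs."""
    pairs = []
    for line in raw_head.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            raise FramingError(f"malformed header line: {line!r}")
        pairs.append((name.lower(), value.strip()))
    return pairs


def lenient_is_chunked(headers: list) -> bool:
    """The permissive rule the advisory describes: any Transfer-Encoding header
    that mentions 'chunked' makes the body chunked, whatever the final coding is."""
    return any(n == "transfer-encoding" and "chunked" in v.lower() for n, v in headers)


def strict_framing(headers: list) -> tuple:
    """Decide how the body is delimited, or raise FramingError.

    Returns ("chunked", 0), ("content-length", n) or ("none", 0).
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if len(te) > 1:
        # Strict choice for this example: repeated Transfer-Encoding headers are
        # treated as ambiguous instead of being merged into one list.
        raise FramingError("multiple Transfer-Encoding headers")
    if te:
        if cl:
            # RFC 9112 allows rejecting this; a proxy in front may frame it differently.
            raise FramingError("Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for c in te[0].split(",") if c.strip()]
        if not codings or codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise FramingError(f"chunked must be the single, final coding: {te[0]!r}")
        return "chunked", 0
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError(f"invalid Content-Length: {cl!r}")
        return "content-length", int(cl[0])
    return "none", 0


# Constructed request heads (request line omitted) used to compare both rules.
SAMPLES = {
    "normal": "Host: example.test\r\nTransfer-Encoding: chunked\r\n",
    "conflicting_te": "Host: example.test\r\nTransfer-Encoding: chunked\r\n"
                      "Transfer-Encoding: identity\r\n",
    "chunked_not_final": "Host: example.test\r\nTransfer-Encoding: chunked, gzip\r\n",
    "te_and_cl": "Host: example.test\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n",
    "cl_only": "Host: example.test\r\nContent-Length: 12\r\n",
}


def classify(raw_head: str) -> tuple:
    """(lenient says chunked?, strict decision) for one request head."""
    headers = parse_headers(raw_head)
    try:
        strict = strict_framing(headers)[0]
    except FramingError:
        strict = "reject"
    return lenient_is_chunked(headers), strict


if __name__ == "__main__":
    for name, head in SAMPLES.items():
        lenient, strict = classify(head)
        print(f"{name:18} lenient_chunked={lenient!s:5} strict={strict}")
```

The rows where the lenient column says `True` while the strict column says `reject` are exactly the requests on which a front-end proxy and the application server can disagree about where one request ends and the next begins; rejecting them with a 400 removes the disagreement, and logging those rejections gives a cheap detection signal for probing.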
[SECURITY] [DLA 3845-1] dlt-daemon security update
Debian LTS Advisory DLA-3845-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 27, 2024                                 https://wiki.debian.org/LTS

Package        : dlt-daemon
Version        : 2.18.0-1+deb10u2
CVE ID         : CVE-2022-39836 CVE-2022-39837 CVE-2023-26257 CVE-2023-36321

Several flaws were discovered in dlt-daemon, a Diagnostic Log and Trace logging daemon. Buffer overflows and memory leaks may lead to a denial of service or other unspecified impact.

For Debian 10 buster, these problems have been fixed in version 2.18.0-1+deb10u2.

We recommend that you upgrade your dlt-daemon packages.

For the detailed security status of dlt-daemon please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/dlt-daemon

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3834-1] netty security update
Debian LTS Advisory DLA-3834-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 21, 2024                                 https://wiki.debian.org/LTS

Package        : netty
Version        : 1:4.1.33-1+deb10u5
CVE ID         : CVE-2024-29025
Debian Bug     : 1068110

Julien Viet discovered that Netty, a Java NIO client/server socket framework, was vulnerable to allocation of resources without limits or throttling due to the accumulation of data in the HttpPostRequestDecoder. This would allow an attacker to cause a denial of service.

For Debian 10 buster, this problem has been fixed in version 1:4.1.33-1+deb10u5.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3833-1] php7.3 security update
Debian LTS Advisory DLA-3833-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 17, 2024                                 https://wiki.debian.org/LTS

Package        : php7.3
Version        : 7.3.31-1~deb10u7
CVE ID         : CVE-2024-5458
Debian Bug     : 1072885

PHP, a widely-used open source general purpose scripting language, is affected by a security problem when parsing certain types of URLs. Due to a code logic error, filtering functions such as filter_var, when validating URLs (FILTER_VALIDATE_URL), will treat invalid user information (the username + password part of URLs) as valid user information. This may lead to downstream code accepting invalid URLs as valid and parsing them incorrectly. The problem is related to CVE-2020-7071 but affects IPv6 host parts.

For Debian 10 buster, this problem has been fixed in version 7.3.31-1~deb10u7.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3814-1] glib2.0 security update
Debian LTS Advisory DLA-3814-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
May 13, 2024                                  https://wiki.debian.org/LTS

Package        : glib2.0
Version        : 2.58.3-2+deb10u6
CVE ID         : CVE-2024-34397

Alicia Boya Garcia reported that the GDBus signal subscriptions in the GLib library are prone to a spoofing vulnerability. A local attacker can take advantage of this flaw to cause a GDBus-based client to behave incorrectly, with an application-dependent impact.

For Debian 10 buster, this problem has been fixed in version 2.58.3-2+deb10u6.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3812-1] libpgjava security update
Debian LTS Advisory DLA-3812-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
May 09, 2024                                  https://wiki.debian.org/LTS

Package        : libpgjava
Version        : 42.2.5-2+deb10u4
CVE ID         : CVE-2024-1597

A possible SQL injection vulnerability was found in libpgjava, the PostgreSQL JDBC Driver. It allows an attacker to inject SQL if PreferQueryMode=SIMPLE is used, which is not the default mode. In the default mode there is no vulnerability.

For Debian 10 buster, this problem has been fixed in version 42.2.5-2+deb10u4.

We recommend that you upgrade your libpgjava packages.

For the detailed security status of libpgjava please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libpgjava

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3795-1] knot-resolver security update
Debian LTS Advisory DLA-3795-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
April 26, 2024                                https://wiki.debian.org/LTS

Package        : knot-resolver
Version        : 3.2.1-3+deb10u2
CVE ID         : CVE-2019-10190 CVE-2019-10191 CVE-2019-19331 CVE-2020-12667
Debian Bug     : 932048 946181 961076

Several security vulnerabilities have been discovered in knot-resolver, a caching, DNSSEC-validating DNS resolver, which may allow remote attackers to bypass DNSSEC validation or cause a denial of service.

For Debian 10 buster, these problems have been fixed in version 3.2.1-3+deb10u2.

We recommend that you upgrade your knot-resolver packages.

For the detailed security status of knot-resolver please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/knot-resolver

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3780-1] jetty9 security update
Debian LTS Advisory DLA-3780-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
April 06, 2024                                https://wiki.debian.org/LTS

Package        : jetty9
Version        : 9.4.50-4+deb10u2
CVE ID         : CVE-2024-22201
Debian Bug     : 1064923

Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients, which can cause a denial of service.

For Debian 10 buster, this problem has been fixed in version 9.4.50-4+deb10u2.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3779-1] tomcat9 security update
Debian LTS Advisory DLA-3779-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
April 06, 2024                                https://wiki.debian.org/LTS

Package        : tomcat9
Version        : 9.0.31-1~deb10u12
CVE ID         : CVE-2024-23672 CVE-2024-24549
Debian Bug     : 1066877 1066878

Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2024-24549

    Denial of Service due to an improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

CVE-2024-23672

    Denial of Service via an incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption.

For Debian 10 buster, these problems have been fixed in version 9.0.31-1~deb10u12.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3756-1] wordpress security update
Debian LTS Advisory DLA-3756-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
March 10, 2024                                https://wiki.debian.org/LTS

Package        : wordpress
Version        : 5.0.21+dfsg1-0+deb10u1
CVE ID         : not yet available

Two security vulnerabilities have been discovered in WordPress, a popular content management framework: a PHP file upload bypass via the plugin installer, and a possible remote code execution vulnerability which requires an attacker to control all the properties of a deserialized object. No CVEs have been assigned for these problems yet.

https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/

For Debian 10 buster, this problem has been fixed in version 5.0.21+dfsg1-0+deb10u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3736-1] unbound security update
Debian LTS Advisory DLA-3736-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
February 21, 2024                             https://wiki.debian.org/LTS

Package        : unbound
Version        : 1.9.0-2+deb10u4
CVE ID         : CVE-2023-50387 CVE-2023-50868
Debian Bug     : 1063845

Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU-intensive and time-costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.

For Debian 10 buster, these problems have been fixed in version 1.9.0-2+deb10u4.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3721-1] xorg-server security update
Debian LTS Advisory DLA-3721-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 25, 2024                              https://wiki.debian.org/LTS

Package        : xorg-server
Version        : 2:1.20.4-1+deb10u13
CVE ID         : CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886

Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged, or in denial of service.

For Debian 10 buster, these problems have been fixed in version 2:1.20.4-1+deb10u13.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3709-2] squid regression update
Debian LTS Advisory DLA-3709-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 22, 2024                              https://wiki.debian.org/LTS

Package        : squid
Version        : 4.6-1+deb10u10
CVE ID         : CVE-2023-46846
Debian Bug     : 1060857

It was discovered that the fix for CVE-2023-46846 was incomplete. In some cases Squid, a full featured web proxy cache, returned empty responses for URLs when Transfer-Encoding: chunked was in use.

For Debian 10 buster, this problem has been fixed in version 4.6-1+deb10u10.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3709-1] squid security update
Debian LTS Advisory DLA-3709-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 09, 2024                              https://wiki.debian.org/LTS

Package        : squid
Version        : 4.6-1+deb10u9
CVE ID         : CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269
Debian Bug     : 1054537 1055250 1058721

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to cause a denial of service by sending large X-Forwarded-For headers, or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's helper process management.

In regard to CVE-2023-46728: please note that support for the Gopher protocol has simply been removed in future Squid versions. There are no plans by the upstream developers of Squid to fix this issue. We recommend rejecting all Gopher URL requests instead.

For Debian 10 buster, these problems have been fixed in version 4.6-1+deb10u9.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3708-1] exim4 security update
Debian LTS Advisory DLA-3708-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 05, 2024                              https://wiki.debian.org/LTS

Package        : exim4
Version        : 4.92-8+deb10u9
CVE ID         : CVE-2023-51766
Debian Bug     : 1059387

It was discovered that Exim, a mail transport agent, can be induced to accept a second message embedded as part of the body of a first message in certain configurations where PIPELINING or CHUNKING is offered on incoming connections.

For Debian 10 buster, this problem has been fixed in version 4.92-8+deb10u9.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3706-1] netatalk security update
Debian LTS Advisory DLA-3706-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 04, 2024                              https://wiki.debian.org/LTS

Package        : netatalk
Version        : 3.1.12~ds-3+deb10u5
CVE ID         : CVE-2022-22995
Debian Bug     : 1053545

Corentin BAYET, Etienne HELLUY-LAFONT and Luca MORO of Synacktiv discovered a symlink redirection vulnerability in Netatalk, the Apple Filing Protocol service. The create_appledesktop_folder function of netatalk can be used to unsafely move files outside the shared volume using the "mv" system utility. The create_appledesktop_folder function is called when netatalk is configured to use the legacy AppleDouble v2 format of file system metadata. By using the features of another file sharing protocol, like SMB, an attacker could abuse this primitive to create an arbitrary symbolic link and move it outside the share. The attacker could then reuse the created symlink to write arbitrary files on the targeted system. On the targeted device where it was demonstrated, writing arbitrary files on the system resulted in remote code execution.

For Debian 10 buster, this problem has been fixed in version 3.1.12~ds-3+deb10u5.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/netatalk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3696-1] asterisk security update
Debian LTS Advisory DLA-3696-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
December 28, 2023                             https://wiki.debian.org/LTS

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb10u4
CVE ID         : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786
Debian Bug     : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.

CVE-2023-37457

    The 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless the dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur.

CVE-2023-38703

    PJSIP is a free and open source multimedia communication library written in C with high level APIs in C, C++, Java, C#, and Python. SRTP is a higher level media transport which is stacked upon a lower level media transport such as UDP and ICE. Currently a higher level transport is not synchronized with its lower level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. This vulnerability's impact may range from unexpected application termination to control flow hijack/memory corruption.

CVE-2023-49294

    It is possible to read any arbitrary file even when the `live_dangerously` option is not enabled.

CVE-2023-49786

    Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP.

For Debian 10 buster, these problems have been fixed in version 1:16.28.0~dfsg-0+deb10u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3687-1] rabbitmq-server security update
Debian LTS Advisory DLA-3687-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
December 13, 2023                             https://wiki.debian.org/LTS

Package        : rabbitmq-server
Version        : 3.8.2-1+deb10u2
CVE ID         : CVE-2023-46118
Debian Bug     : 1056723

RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable to denial of service (DoS) attacks with very large messages by an authenticated user with sufficient credentials.

For Debian 10 buster, this problem has been fixed in version 3.8.2-1+deb10u2.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3664-1] symfony security update
Debian LTS Advisory DLA-3664-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 24, 2023                             https://wiki.debian.org/LTS

Package        : symfony
Version        : 3.4.22+dfsg-2+deb10u3
CVE ID         : CVE-2023-46734
Debian Bug     : 1055774

Pierre Rudloff discovered a potential XSS vulnerability in Symfony, a PHP framework. Some Twig filters in CodeExtension use `is_safe=html` but do not actually ensure their input is safe. Symfony now escapes the output of the affected filters.

For Debian 10 buster, this problem has been fixed in version 3.4.22+dfsg-2+deb10u3.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/symfony

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3660-1] gnutls28 security update
Debian LTS Advisory DLA-3660-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 22, 2023                             https://wiki.debian.org/LTS

Package        : gnutls28
Version        : 3.6.7-4+deb10u11
CVE ID         : CVE-2023-5981
Debian Bug     : 1056188

A vulnerability was found in GnuTLS, a secure communications library, which may facilitate a timing attack to compromise a cryptographic system. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times for ciphertexts with correct PKCS#1 v1.5 padding. Only TLS ciphertext processing is affected.

For Debian 10 buster, this problem has been fixed in version 3.6.7-4+deb10u11.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3658-1] wordpress security update
Debian LTS Advisory DLA-3658-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 20, 2023                             https://wiki.debian.org/LTS

Package        : wordpress
Version        : 5.0.20+dfsg1-0+deb10u1
CVE ID         : CVE-2023-5561 CVE-2023-3

Several security vulnerabilities have been discovered in WordPress, a popular content management framework, which may lead to exposure of sensitive information to an unauthorized actor, or allow unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

For Debian 10 buster, these problems have been fixed in version 5.0.20+dfsg1-0+deb10u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3657-1] activemq security update
Debian LTS Advisory DLA-3657-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 20, 2023                             https://wiki.debian.org/LTS

Package        : activemq
Version        : 5.15.16-0+deb10u1
CVE ID         : CVE-2020-13920 CVE-2021-26117 CVE-2023-46604
Debian Bug     : 1054909 982590

Several security vulnerabilities have been discovered in ActiveMQ, a Java message broker.

CVE-2020-13920

    Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original and binds that, he effectively becomes a man in the middle and is able to intercept the credentials when a user connects.

CVE-2021-26117

    The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server.

CVE-2023-46604

    The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

For Debian 10 buster, these problems have been fixed in version 5.15.16-0+deb10u1.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3656-1] netty security update
Debian LTS Advisory DLA-3656-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
November 19, 2023                             https://wiki.debian.org/LTS

Package        : netty
Version        : 1:4.1.33-1+deb10u4
CVE ID         : CVE-2023-44487
Debian Bug     : 1054234

A flaw was discovered in Netty, a Java NIO client/server socket framework. The HTTP/2 protocol implementation allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as the Rapid Reset Attack.

For Debian 10 buster, this problem has been fixed in version 1:4.1.33-1+deb10u4.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3647-1] trapperkeeper-webserver-jetty9-clojure
- Debian LTS Advisory DLA-3647-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
November 07, 2023   https://wiki.debian.org/LTS

Package: trapperkeeper-webserver-jetty9-clojure
Version: 1.7.0-2+deb10u2
Debian Bug: 1055348

The recent update of jetty9, released as DLA 3641-1, caused a regression in PuppetDB, a major component of Puppet that helps you manage and automate the configuration of servers. More specifically, another package, trapperkeeper-webserver-jetty9-clojure, still used the deprecated SslContextFactory class, which made PuppetDB fail to start. This update makes use of the preferred new SslContextFactory#Server class.

For Debian 10 buster, this problem has been fixed in version 1.7.0-2+deb10u2.

We recommend that you upgrade your trapperkeeper-webserver-jetty9-clojure packages.

For the detailed security status of trapperkeeper-webserver-jetty9-clojure please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trapperkeeper-webserver-jetty9-clojure

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3641-1] jetty9 security update
- Debian LTS Advisory DLA-3641-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
October 30, 2023   https://wiki.debian.org/LTS

Package: jetty9
Version: 9.4.50-4+deb10u1
CVE ID: CVE-2020-27218 CVE-2023-36478 CVE-2023-44487
Debian Bug: 976211

Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify whether HPACK header values exceed their size limit. Furthermore, the HTTP/2 protocol implementation allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as the Rapid Reset Attack.

In addition this version also addresses CVE-2020-27218. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

For Debian 10 buster, these problems have been fixed in version 9.4.50-4+deb10u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3622-1] axis security update
- Debian LTS Advisory DLA-3622-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
October 17, 2023   https://wiki.debian.org/LTS

Package: axis
Version: 1.4-28+deb10u1
CVE ID: CVE-2023-40743
Debian Bug: 1051288

Letian Yuan discovered a flaw in Apache Axis 1.x, a SOAP implementation written in Java. It may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to remote code execution.

For Debian 10 buster, this problem has been fixed in version 1.4-28+deb10u1.

We recommend that you upgrade your axis packages.

For the detailed security status of axis please refer to its security tracker page at: https://security-tracker.debian.org/tracker/axis

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3617-2] tomcat9 regression update
- Debian LTS Advisory DLA-3617-2   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
October 17, 2023   https://wiki.debian.org/LTS

Package: tomcat9
Version: 9.0.31-1~deb10u10
CVE ID: CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9, introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP/2 connections to close early.

For Debian 10 buster, this problem has been fixed in version 9.0.31-1~deb10u10.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3617-1] tomcat9 security update
- Debian LTS Advisory DLA-3617-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
October 13, 2023   https://wiki.debian.org/LTS

Package: tomcat9
Version: 9.0.31-1~deb10u9
CVE ID: CVE-2023-24998 CVE-2023-41080 CVE-2023-42795 CVE-2023-44487 CVE-2023-45648

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2023-24998

    Denial of service. Tomcat uses a package-renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

    Open redirect. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

CVE-2023-42795

    Information disclosure. When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

CVE-2023-44487

    DoS caused by HTTP/2 frame overhead (Rapid Reset Attack).

CVE-2023-45648

    Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

For Debian 10 buster, these problems have been fixed in version 9.0.31-1~deb10u9.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3597-1] open-vm-tools security update
- Debian LTS Advisory DLA-3597-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
October 01, 2023   https://wiki.debian.org/LTS

Package: open-vm-tools
Version: 2:10.3.10-1+deb10u5
CVE ID: CVE-2023-20900
Debian Bug: 1050970

A security vulnerability was found in the Open VMware Tools. A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

For Debian 10 buster, this problem has been fixed in version 2:10.3.10-1+deb10u5.

We recommend that you upgrade your open-vm-tools packages.

For the detailed security status of open-vm-tools please refer to its security tracker page at: https://security-tracker.debian.org/tracker/open-vm-tools

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3592-1] jetty9 security update
- Debian LTS Advisory DLA-3592-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 30, 2023   https://wiki.debian.org/LTS

Package: jetty9
Version: 9.4.16-0+deb10u3
CVE ID: CVE-2023-26048 CVE-2023-26049 CVE-2023-36479 CVE-2023-40167

Multiple security vulnerabilities were found in Jetty, a Java based web server and servlet engine.

The org.eclipse.jetty.servlets.CGI class has been deprecated. It is potentially unsafe to use it. The upstream developers of Jetty recommend using Fast CGI instead. See also CVE-2023-36479.

CVE-2023-26048

    In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0`, which should stream the whole part content to disk.

CVE-2023-26049

    Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.

CVE-2023-40167

    Prior to this version Jetty accepted the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response.

CVE-2023-36479

    Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one.

For Debian 10 buster, these problems have been fixed in version 9.4.16-0+deb10u3.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3584-1] netatalk security update
- Debian LTS Advisory DLA-3584-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 25, 2023   https://wiki.debian.org/LTS

Package: netatalk
Version: 3.1.12~ds-3+deb10u4
CVE ID: CVE-2023-42464
Debian Bug: 1052087

Florent Saudel and Arnaud Gatignol discovered a Type Confusion vulnerability in the Spotlight RPC functions in afpd in Netatalk. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host.

For Debian 10 buster, this problem has been fixed in version 3.1.12~ds-3+deb10u4.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netatalk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3580-1] libapache-mod-jk security update
- Debian LTS Advisory DLA-3580-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 24, 2023   https://wiki.debian.org/LTS

Package: libapache-mod-jk
Version: 1:1.2.46-1+deb10u2
CVE ID: CVE-2023-41081
Debian Bug: 1051956

In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors, an Apache 2 module to forward requests from Apache to Tomcat, would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of this security update, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. This issue affects Apache Tomcat Connectors (mod_jk only).

For Debian 10 buster, this problem has been fixed in version 1:1.2.46-1+deb10u2.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3578-1] lldpd security update
- Debian LTS Advisory DLA-3578-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 22, 2023   https://wiki.debian.org/LTS

Package: lldpd
Version: 1.0.3-1+deb10u2
CVE ID: CVE-2023-41910

Matteo Memelli discovered a flaw in lldpd, an implementation of the IEEE 802.1ab protocol. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory.

For Debian 10 buster, this problem has been fixed in version 1.0.3-1+deb10u2.

We recommend that you upgrade your lldpd packages.

For the detailed security status of lldpd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lldpd

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3576-1] gsl security update
- Debian LTS Advisory DLA-3576-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 21, 2023   https://wiki.debian.org/LTS

Package: gsl
Version: 2.5+dfsg-6+deb10u1
CVE ID: CVE-2020-35357

A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library). Processing maliciously crafted input data with gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution.

For Debian 10 buster, this problem has been fixed in version 2.5+dfsg-6+deb10u1.

We recommend that you upgrade your gsl packages.

For the detailed security status of gsl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gsl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3573-1] frr security update
- Debian LTS Advisory DLA-3573-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 19, 2023   https://wiki.debian.org/LTS

Package: frr
Version: 7.5.1-1.1+deb10u1
CVE ID: CVE-2022-36440 CVE-2022-40302 CVE-2022-40318 CVE-2022-43681 CVE-2023-31490 CVE-2023-38802 CVE-2023-41358 CVE-2023-41360 CVE-2023-41361 CVE-2023-41909
Debian Bug: 1035829 1036062

Multiple security vulnerabilities were found in frr, the FRRouting suite of internet protocols. Maliciously constructed Border Gateway Protocol (BGP) packets or corrupted tunnel attributes may cause a denial of service (application crash) which could be exploited by a remote attacker.

For Debian 10 buster, these problems have been fixed in version 7.5.1-1.1+deb10u1.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3572-1] libyang security update
- Debian LTS Advisory DLA-3572-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 19, 2023   https://wiki.debian.org/LTS

Package: libyang
Version: 0.16.105+really1.0-0+deb10u1
CVE ID: CVE-2019-20391 CVE-2019-20392 CVE-2019-20393 CVE-2019-20394 CVE-2019-20395 CVE-2019-20396 CVE-2019-20397 CVE-2019-20398

Multiple flaws were found in libyang, a parser toolkit for IETF YANG data modeling. Double frees, invalid memory accesses and NULL pointer dereferences may cause a denial of service or potentially code execution.

For Debian 10 buster, these problems have been fixed in version 0.16.105+really1.0-0+deb10u1.

We recommend that you upgrade your libyang packages.

For the detailed security status of libyang please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libyang

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3556-1] aom security update
- Debian LTS Advisory DLA-3556-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
September 06, 2023   https://wiki.debian.org/LTS

Package: aom
Version: 1.0.0-3+deb10u1
CVE ID: CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475

Multiple security vulnerabilities have been discovered in aom, the AV1 Video Codec Library. Buffer overflows, use-after-free and NULL pointer dereferences may cause a denial of service or other unspecified impact if a malformed multimedia file is processed.

For Debian 10 buster, these problems have been fixed in version 1.0.0-3+deb10u1.

We recommend that you upgrade your aom packages.

For the detailed security status of aom please refer to its security tracker page at: https://security-tracker.debian.org/tracker/aom

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3543-1] rar security update
- Debian LTS Advisory DLA-3543-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 27, 2023   https://wiki.debian.org/LTS

Package: rar
Version: 2:6.23-1~deb10u1
CVE ID: CVE-2023-40477

A specific flaw within the processing of recovery volumes exists in RAR, an archive program for rar files. It allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. The target must visit a malicious page or open a malicious rar file.

For Debian 10 buster, this problem has been fixed in version 2:6.23-1~deb10u1.

We recommend that you upgrade your rar packages.

For the detailed security status of rar please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rar

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3542-1] unrar-nonfree security update
- Debian LTS Advisory DLA-3542-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 26, 2023   https://wiki.debian.org/LTS

Package: unrar-nonfree
Version: 1:5.6.6-1+deb10u4
CVE ID: CVE-2023-40477

A specific flaw within the processing of recovery volumes exists in UnRAR, an unarchiver for rar files. It allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. The target must visit a malicious page or open a malicious rar file.

For Debian 10 buster, this problem has been fixed in version 1:5.6.6-1+deb10u4.

We recommend that you upgrade your unrar-nonfree packages.

For the detailed security status of unrar-nonfree please refer to its security tracker page at: https://security-tracker.debian.org/tracker/unrar-nonfree

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3540-1] mediawiki security update
- Debian LTS Advisory DLA-3540-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 23, 2023   https://wiki.debian.org/LTS

Package: mediawiki
Version: 1:1.31.16-1+deb10u6
CVE ID: CVE-2023-29141

An auto-block can occur for an untrusted X-Forwarded-For header in MediaWiki, a website engine for collaborative work. X-Forwarded-For is not necessarily trustworthy and can specify multiple IP addresses in a single header, all of which are checked for blocks. When a user is autoblocked, the wiki will create an IP block behind the scenes for that user without exposing the user's IP on-wiki. However, spoofing XFF would let an attacker guess at the IPs of users who have active autoblocks, since the block message includes the username of the original block target.

For Debian 10 buster, this problem has been fixed in version 1:1.31.16-1+deb10u6.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3535-1] unrar-nonfree security update
- Debian LTS Advisory DLA-3535-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 17, 2023   https://wiki.debian.org/LTS

Package: unrar-nonfree
Version: 1:5.6.6-1+deb10u3
CVE ID: CVE-2022-48579

It was discovered that UnRAR, an unarchiver for rar files, allows extraction of files outside of the destination folder via symlink chains.

For Debian 10 buster, this problem has been fixed in version 1:5.6.6-1+deb10u3.

We recommend that you upgrade your unrar-nonfree packages.

For the detailed security status of unrar-nonfree please refer to its security tracker page at: https://security-tracker.debian.org/tracker/unrar-nonfree

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3534-1] rar security update
- Debian LTS Advisory DLA-3534-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 17, 2023   https://wiki.debian.org/LTS

Package: rar
Version: 2:6.20-0.1~deb10u1
CVE ID: CVE-2022-30333
Debian Bug: 1012228

The RAR archiver allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file.

For Debian 10 buster, this problem has been fixed in version 2:6.20-0.1~deb10u1.

We recommend that you upgrade your rar packages.

For the detailed security status of rar please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rar

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3426-3] netatalk regression update
- Debian LTS Advisory DLA-3426-3   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 13, 2023   https://wiki.debian.org/LTS

Package: netatalk
Version: 3.1.12~ds-3+deb10u3
CVE ID: CVE-2022-23123
Debian Bug: 1043504

Another regression was identified in Netatalk, the Apple Filing Protocol service, introduced with the patch for CVE-2022-23123. It impacts a subset of users that have certain metadata in their shared files. The issue leads to an unavoidable crash and renders netatalk useless with their shared volumes. Separately, this update also contains a fix for saving MS Office files onto an otherwise functioning shared volume.

For Debian 10 buster, this problem has been fixed in version 3.1.12~ds-3+deb10u3.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netatalk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3522-1] hdf5 security update
- Debian LTS Advisory DLA-3522-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 09, 2023   https://wiki.debian.org/LTS

Package: hdf5
Version: 1.10.4+repack-10+deb10u1
CVE ID: CVE-2018-11206 CVE-2018-17233 CVE-2018-17234 CVE-2018-17237 CVE-2018-17434 CVE-2018-17437

Multiple security vulnerabilities were discovered in HDF5, a Hierarchical Data Format and a library for scientific data. Memory leaks, out-of-bounds reads and division by zero errors may lead to a denial of service when processing a malformed HDF file.

For Debian 10 buster, these problems have been fixed in version 1.10.4+repack-10+deb10u1.

We recommend that you upgrade your hdf5 packages.

For the detailed security status of hdf5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/hdf5

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3520-1] libhtmlcleaner-java security update
- Debian LTS Advisory DLA-3520-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 07, 2023   https://wiki.debian.org/LTS

Package: libhtmlcleaner-java
Version: 2.21-5+deb10u1
CVE ID: CVE-2023-34624

A security vulnerability has been discovered in libhtmlcleaner-java, a Java HTML parser library. An attacker was able to cause a denial of service (StackOverflowError) if the parser runs on user supplied input with deeply nested HTML elements. This update introduces a new nesting depth limit which can be overridden in cleaner properties.

For Debian 10 buster, this problem has been fixed in version 2.21-5+deb10u1.

We recommend that you upgrade your libhtmlcleaner-java packages.

For the detailed security status of libhtmlcleaner-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libhtmlcleaner-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3518-1] openimageio security update
- Debian LTS Advisory DLA-3518-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
August 07, 2023   https://wiki.debian.org/LTS

Package: openimageio
Version: 2.0.5~dfsg0-1+deb10u2
CVE ID: CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 CVE-2023-24472 CVE-2023-36183
Debian Bug: 1027143 1034151

Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

For Debian 10 buster, these problems have been fixed in version 2.0.5~dfsg0-1+deb10u2.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openimageio

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3509-1] libmail-dkim-perl update
- Debian LTS Advisory DLA-3509-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
July 27, 2023   https://wiki.debian.org/LTS

Package: libmail-dkim-perl
Version: 0.54-1+deb10u1
Debian Bug: 1039489

It was discovered that the domain check in libmail-dkim-perl, a Perl module to cryptographically identify the sender of email, compares the i and d tags case-sensitively when t=s is set on the DKIM key, which causes spurious verification failures for legitimate messages.

For Debian 10 buster, this problem has been fixed in version 0.54-1+deb10u1.

We recommend that you upgrade your libmail-dkim-perl packages.

For the detailed security status of libmail-dkim-perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libmail-dkim-perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3506-1] iperf3 security update
- Debian LTS Advisory DLA-3506-1   debian-...@lists.debian.org
https://www.debian.org/lts/security/   Markus Koschany
July 25, 2023   https://wiki.debian.org/LTS

Package: iperf3
Version: 3.6-2+deb10u1
CVE ID: CVE-2023-38403
Debian Bug: 1040830

A memory allocation issue was found in iperf3, the Internet Protocol bandwidth measuring tool, that may cause a denial of service when encountering a certain invalid length value in TCP packets.

For Debian 10 buster, this problem has been fixed in version 3.6-2+deb10u1.

We recommend that you upgrade your iperf3 packages.

For the detailed security status of iperf3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/iperf3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3491-1] erlang security update
Debian LTS Advisory DLA-3491-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
July 11, 2023    https://wiki.debian.org/LTS

Package : erlang
Version : 1:22.2.7+dfsg-1+deb10u1
CVE ID : CVE-2022-37026
Debian Bug : 1024632

A Client Authentication Bypass vulnerability has been discovered in the concurrent, real-time, distributed functional language Erlang. Impacted are those who are running an ssl/tls/dtls server using the ssl application either directly or indirectly via other applications. Note that the vulnerability only affects servers that request client certification, that is, those that set the option {verify, verify_peer}.

Additionally the source package elixir-lang has been rebuilt against the new erlang version. The rabbitmq-server package was upgraded to version 3.8.2 to fix an incompatibility with Erlang 22.

For Debian 10 buster, this problem has been fixed in version 1:22.2.7+dfsg-1+deb10u1.

We recommend that you upgrade your erlang packages.

For the detailed security status of erlang please refer to its security tracker page at: https://security-tracker.debian.org/tracker/erlang

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3489-1] mediawiki security update
Debian LTS Advisory DLA-3489-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
July 10, 2023    https://wiki.debian.org/LTS

Package : mediawiki
Version : 1:1.31.16-1+deb10u5
CVE ID : CVE-2022-47927

A security issue was discovered in MediaWiki, a website engine for collaborative work, which could result in information disclosure when SQLite files are created within a data directory that has weak permissions.

For Debian 10 buster, this problem has been fixed in version 1:1.31.16-1+deb10u5.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3468-1] hsqldb1.8.0 security update
Debian LTS Advisory DLA-3468-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 22, 2023    https://wiki.debian.org/LTS

Package : hsqldb1.8.0
Version : 1.8.0.10+dfsg-10+deb10u1
CVE ID : CVE-2023-1183

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

For Debian 10 buster, this problem has been fixed in version 1.8.0.10+dfsg-10+deb10u1.

We recommend that you upgrade your hsqldb1.8.0 packages.

For the detailed security status of hsqldb1.8.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/hsqldb1.8.0

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3467-1] hsqldb security update
Debian LTS Advisory DLA-3467-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 22, 2023    https://wiki.debian.org/LTS

Package : hsqldb
Version : 2.4.1-2+deb10u2
CVE ID : CVE-2023-1183

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a "SCRIPT" keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a "database/script" file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

For Debian 10 buster, this problem has been fixed in version 2.4.1-2+deb10u2.

We recommend that you upgrade your hsqldb packages.

For the detailed security status of hsqldb please refer to its security tracker page at: https://security-tracker.debian.org/tracker/hsqldb

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3462-1] wordpress security update
Debian LTS Advisory DLA-3462-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 21, 2023    https://wiki.debian.org/LTS

Package : wordpress
Version : 5.0.19+dfsg1-0+deb10u1
CVE ID : CVE-2023-2745
Debian Bug : 1036296

Several security vulnerabilities have been addressed in Wordpress, a popular content management framework. WordPress Core is vulnerable to Directory Traversal via the 'wp_lang' parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.

For Debian 10 buster, this problem has been fixed in version 5.0.19+dfsg1-0+deb10u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3456-1] requests security update
Debian LTS Advisory DLA-3456-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 18, 2023    https://wiki.debian.org/LTS

Package : requests
Version : 2.21.0-1+deb10u1
CVE ID : CVE-2023-32681
Debian Bug : 1036693

Requests, a Python HTTP library, has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information.

For Debian 10 buster, this problem has been fixed in version 2.21.0-1+deb10u1.

We recommend that you upgrade your requests packages.

For the detailed security status of requests please refer to its security tracker page at: https://security-tracker.debian.org/tracker/requests

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
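The redirect header policy the advisory above describes, as an added example that is not code from the requests library or from the advisory: a plain-Python model of how a client should treat Proxy-Authorization when it follows a redirect. The header is only useful as a request header when the request goes to the proxy in the clear (plain http via an http proxy); over https the proxy sees only CONNECT, so a Proxy-Authorization header inside the tunnelled request would be delivered to the origin server. The function names, the proxy URLs and the credential value are constructed for the illustration, and `leaky_redirect_headers` is a constructed model of the pre-fix behaviour, not the library's actual code.

```python
# Added illustration of the redirect handling described in DLA-3456-1
# (CVE-2023-32681).  Not the requests library's own code; it models the
# header policy in plain Python.
from typing import Dict, Optional
from urllib.parse import urlsplit

PROXY_AUTH = "proxy-authorization"


def _find_proxy_auth(headers: Dict[str, str]) -> Optional[str]:
    """Return the Proxy-Authorization value regardless of header-name case."""
    for name, value in headers.items():
        if name.lower() == PROXY_AUTH:
            return value
    return None


def has_proxy_auth(headers: Dict[str, str]) -> bool:
    return _find_proxy_auth(headers) is not None


def leaky_redirect_headers(headers: Dict[str, str], redirect_url: str,
                           proxies: Dict[str, str]) -> Dict[str, str]:
    """Constructed model of the pre-fix behaviour: every header, proxy
    credentials included, is carried over to the redirected request."""
    return dict(headers)


def safe_redirect_headers(headers: Dict[str, str], redirect_url: str,
                          proxies: Dict[str, str]) -> Dict[str, str]:
    """Build the header set for a redirected request.

    Proxy-Authorization is dropped unless the redirect target is plain
    http and an http proxy is configured, because only then does the proxy
    itself read (and strip) the header.  For https targets the credentials
    belong in the CONNECT request, which is the transport layer's job, so
    the header must not ride along inside the tunnelled request where the
    origin server would receive it.
    """
    kept = {n: v for n, v in headers.items() if n.lower() != PROXY_AUTH}
    scheme = urlsplit(redirect_url).scheme.lower()
    auth = _find_proxy_auth(headers)
    if auth is not None and scheme == "http" and proxies.get("http"):
        kept["Proxy-Authorization"] = auth
    return kept


if __name__ == "__main__":
    # Constructed sample: credentials for an internal proxy, and a redirect
    # from the original request to an HTTPS origin.
    sample = {"User-Agent": "example/1.0",
              "Proxy-Authorization": "Basic dXNlcjpwYXNz"}  # constructed value
    proxies = {"http": "http://proxy.internal.example:3128",
               "https": "http://proxy.internal.example:3128"}
    target = "https://origin.example/"
    print(has_proxy_auth(leaky_redirect_headers(sample, target, proxies)))  # True: credentials leak
    print(has_proxy_auth(safe_redirect_headers(sample, target, proxies)))   # False
```

With the constructed sample, the leaky variant hands the proxy credentials to the HTTPS origin, while the safe variant keeps them only for a plain-http hop through the configured proxy and drops them otherwise.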
[SECURITY] [DLA 3455-1] golang-go.crypto security update
Debian LTS Advisory DLA-3455-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 16, 2023    https://wiki.debian.org/LTS

Package : golang-go.crypto
Version : 1:0.0~git20181203.505ab14-1+deb10u1
CVE ID : CVE-2019-11840 CVE-2019-11841 CVE-2020-9283
Debian Bug : 952462

Several security vulnerabilities have been discovered in golang-go.crypto, the supplementary Go cryptography libraries.

CVE-2019-11840

An issue was discovered in supplementary Go cryptography libraries, aka golang-googlecode-go-crypto. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

CVE-2019-11841

A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries. The "Hash" Armor Header specifies the message digest algorithm(s) used for the signature. Since the library skips Armor Header parsing in general, an attacker can not only embed arbitrary Armor Headers, but also prepend arbitrary text to cleartext messages without invalidating the signatures.

CVE-2020-9283

golang.org/x/crypto allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

The following Go packages have been rebuilt in order to fix the aforementioned issues.

rclone: 1.45-3+deb10u1
obfs4proxy: 0.0.7-4+deb10u1
gobuster: 2.0.1-1+deb10u1
restic: 0.9.4+ds-2+deb10u1
gopass: 1.2.0-2+deb10u1
aptly: 1.3.0+ds1-2.2~deb10u2
dnscrypt-proxy: 2.0.19+ds1-2+deb10u1
g10k: 0.5.7-1+deb10u1
hub: 2.7.0~ds1-1+deb10u1
acmetool: 0.0.62-3+deb10u1
syncthing: 1.0.0~ds1-1+deb10u1
packer: 1.3.4+dfsg-4+deb10u1
etcd: 3.2.26+dfsg-3+deb10u1
notary: 0.6.1~ds1-3+deb10u1

For Debian 10 buster, these problems have been fixed in version 1:0.0~git20181203.505ab14-1+deb10u1.

We recommend that you upgrade your golang-go.crypto packages.

For the detailed security status of golang-go.crypto please refer to its security tracker page at: https://security-tracker.debian.org/tracker/golang-go.crypto

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3453-1] vim security update
Debian LTS Advisory DLA-3453-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 12, 2023    https://wiki.debian.org/LTS

Package : vim
Version : 2:8.1.0875-5+deb10u5
CVE ID : CVE-2022-4141 CVE-2023-0054 CVE-2023-1175 CVE-2023-2610
Debian Bug : 1027146 1031875 1035955

Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows and out-of-bounds reads may lead to a denial-of-service (application crash) or other unspecified impact.

For Debian 10 buster, these problems have been fixed in version 2:8.1.0875-5+deb10u5.

We recommend that you upgrade your vim packages.

For the detailed security status of vim please refer to its security tracker page at: https://security-tracker.debian.org/tracker/vim

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3451-1] pypdf2 security update
Debian LTS Advisory DLA-3451-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 09, 2023    https://wiki.debian.org/LTS

Package : pypdf2
Version : 1.26.0-2+deb10u1
CVE ID : CVE-2022-24859
Debian Bug : 1009879

Sebastian Krause discovered that manipulated inline images can force PyPDF2, a pure Python PDF library, into an infinite loop, if a maliciously crafted PDF file is processed.

For Debian 10 buster, this problem has been fixed in version 1.26.0-2+deb10u1.

We recommend that you upgrade your pypdf2 packages.

For the detailed security status of pypdf2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pypdf2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3426-2] netatalk regression update
Debian LTS Advisory DLA-3426-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
June 01, 2023    https://wiki.debian.org/LTS

Package : netatalk
Version : 3.1.12~ds-3+deb10u2
CVE ID : CVE-2022-23121
Debian Bug : 1036740

The security update of netatalk, the Apple Filing Protocol service, announced as DLA-3426-1 caused a regression when the netatalk server was configured to use the AppleDouble v2 file system format.

For Debian 10 buster, this problem has been fixed in version 3.1.12~ds-3+deb10u2.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netatalk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3427-2] texlive-bin regression update
Debian LTS Advisory DLA-3427-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
May 31, 2023    https://wiki.debian.org/LTS

Package : texlive-bin
Version : 2018.20181218.49446-1+deb10u2
CVE ID : CVE-2019-18604
Debian Bug : 1036891

It was discovered that the patch to fix CVE-2023-32700 in texlive-bin, released as DLA-3427-1, was incomplete and caused an error when running the lualatex command. The following security vulnerability has been addressed as well.

CVE-2019-18604

A flaw was found in axohelp in axodraw2. The sprintf function is mishandled which may cause a stack overflow error.

For Debian 10 buster, this problem has been fixed in version 2018.20181218.49446-1+deb10u2.

We recommend that you upgrade your texlive-bin packages.

For the detailed security status of texlive-bin please refer to its security tracker page at: https://security-tracker.debian.org/tracker/texlive-bin

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3427-1] texlive-bin security update
Debian LTS Advisory DLA-3427-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
May 20, 2023    https://wiki.debian.org/LTS

Package : texlive-bin
Version : 2018.20181218.49446-1+deb10u1
CVE ID : CVE-2023-32700

Max Chernoff discovered that improperly secured shell-escape in LuaTeX may result in arbitrary shell command execution, even with shell escape disabled, if specially crafted tex files are processed.

For Debian 10 buster, this problem has been fixed in version 2018.20181218.49446-1+deb10u1.

We recommend that you upgrade your texlive-bin packages.

For the detailed security status of texlive-bin please refer to its security tracker page at: https://security-tracker.debian.org/tracker/texlive-bin

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3426-1] netatalk security update
Debian LTS Advisory DLA-3426-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
May 17, 2023    https://wiki.debian.org/LTS

Package : netatalk
Version : 3.1.12~ds-3+deb10u1
CVE ID : CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188
Debian Bug : 1034170 1024021

Multiple security vulnerabilities have been discovered in netatalk, the Apple Filing Protocol service, which allow remote attackers to disclose sensitive information, cause a denial of service or execute arbitrary code.

For Debian 10 buster, these problems have been fixed in version 3.1.12~ds-3+deb10u1.

We recommend that you upgrade your netatalk packages.

For the detailed security status of netatalk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netatalk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3420-1] golang-websocket security update
Debian LTS Advisory DLA-3420-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
May 14, 2023    https://wiki.debian.org/LTS

Package : golang-websocket
Version : 1.4.0-1+deb10u1
CVE ID : CVE-2020-27813

An integer overflow vulnerability exists in golang-websocket, a Go package implementing the WebSocket protocol connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server allowing websocket connections.

The following reverse-dependencies have been rebuilt against the new golang-websocket version: hugo and gitlab-workhorse

For Debian 10 buster, this problem has been fixed in version 1.4.0-1+deb10u1.

We recommend that you upgrade your golang-websocket packages.

For the detailed security status of golang-websocket please refer to its security tracker page at: https://security-tracker.debian.org/tracker/golang-websocket

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3416-1] emacs security update
Debian LTS Advisory DLA-3416-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
May 10, 2023    https://wiki.debian.org/LTS

Package : emacs
Version : 1:26.1+1-3.2+deb10u4
CVE ID : CVE-2022-48337 CVE-2022-48339 CVE-2023-28617
Debian Bug : 1031730 1033342

Xi Lu discovered that missing input sanitizing in Emacs could result in the execution of arbitrary shell commands.

For Debian 10 buster, these problems have been fixed in version 1:26.1+1-3.2+deb10u4.

We recommend that you upgrade your emacs packages.

For the detailed security status of emacs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/emacs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3398-1] curl security update
Debian LTS Advisory DLA-3398-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 21, 2023    https://wiki.debian.org/LTS

Package : curl
Version : 7.64.0-4+deb10u6
CVE ID : CVE-2023-27533 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538

Several security vulnerabilities have been found in cURL, an easy-to-use client-side URL transfer library.

CVE-2023-27533

A vulnerability in input validation exists in curl during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

CVE-2023-27536

An authentication bypass vulnerability exists in libcurl in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

CVE-2023-27538

An authentication bypass vulnerability exists in libcurl where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.

For Debian 10 buster, these problems have been fixed in version 7.64.0-4+deb10u6.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3394-1] asterisk security update
Debian LTS Advisory DLA-3394-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 19, 2023    https://wiki.debian.org/LTS

Package : asterisk
Version : 1:16.28.0~dfsg-0+deb10u3
CVE ID : CVE-2023-27585

A flaw was found in Asterisk, an Open Source Private Branch Exchange. A buffer overflow vulnerability affects users that use PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.

For Debian 10 buster, this problem has been fixed in version 1:16.28.0~dfsg-0+deb10u3.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3388-1] keepalived security update
Debian LTS Advisory DLA-3388-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 10, 2023    https://wiki.debian.org/LTS

Package : keepalived
Version : 1:2.0.10-1+deb10u1
CVE ID : CVE-2021-44225

A flaw was found in keepalived, a failover and monitoring daemon for LVS clusters, where an improper authentication vulnerability allows an unprivileged user to change properties that could lead to an access-control bypass.

For Debian 10 buster, this problem has been fixed in version 1:2.0.10-1+deb10u1.

We recommend that you upgrade your keepalived packages.

For the detailed security status of keepalived please refer to its security tracker page at: https://security-tracker.debian.org/tracker/keepalived

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3385-1] trafficserver security update
Debian LTS Advisory DLA-3385-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 05, 2023    https://wiki.debian.org/LTS

Package : trafficserver
Version : 8.1.6+ds-1~deb10u1
CVE ID : CVE-2022-31778 CVE-2022-31779 CVE-2022-32749 CVE-2022-37392

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling, cache poisoning or information disclosure.

For Debian 10 buster, these problems have been fixed in version 8.1.6+ds-1~deb10u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at: https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3384-1] tomcat9 security update
Debian LTS Advisory DLA-3384-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 05, 2023    https://wiki.debian.org/LTS

Package : tomcat9
Version : 9.0.31-1~deb10u8
CVE ID : CVE-2022-42252 CVE-2023-28708
Debian Bug : 1033475

Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2022-42252

Apache Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false. Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

For Debian 10 buster, these problems have been fixed in version 9.0.31-1~deb10u8.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3382-1] openimageio security update
Debian LTS Advisory DLA-3382-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
April 05, 2023    https://wiki.debian.org/LTS

Package : openimageio
Version : 2.0.5~dfsg0-1+deb10u1
CVE ID : CVE-2022-36354 CVE-2022-41639 CVE-2022-41838 CVE-2022-41977 CVE-2022-41981 CVE-2022-41988 CVE-2022-41999 CVE-2022-43592 CVE-2022-43593 CVE-2022-43594 CVE-2022-43595 CVE-2022-43596 CVE-2022-43597 CVE-2022-43598 CVE-2022-43599 CVE-2022-43600 CVE-2022-43601 CVE-2022-43602 CVE-2022-43603
Debian Bug : 1027143 1027808

Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

For Debian 10 buster, these problems have been fixed in version 2.0.5~dfsg0-1+deb10u1.

We recommend that you upgrade your openimageio packages.

For the detailed security status of openimageio please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openimageio

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3371-1] unbound security update
Debian LTS Advisory DLA-3371-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
March 29, 2023    https://wiki.debian.org/LTS

Package : unbound
Version : 1.9.0-2+deb10u3
CVE ID : CVE-2020-28935 CVE-2022-3204 CVE-2022-30698 CVE-2022-30699
Debian Bug : 1016493 977165

Several security vulnerabilities have been discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2022-3204

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolving software. The NRDelegation Attack works by having a malicious delegation with a considerable number of non-responsive nameservers. The attack starts by querying a resolver for a record that relies on those unresponsive nameservers. The attack can cause a resolver to spend a lot of time/resources resolving records under a malicious delegation point where a considerable number of unresponsive NS records reside. It can trigger high CPU usage in some resolver implementations that continually look in the cache for resolved NS records in that delegation. This can lead to degraded performance and eventually denial of service in orchestrated attacks. Unbound does not suffer from high CPU usage, but resources are still needed for resolving the malicious delegation. Unbound will keep trying to resolve the record until hard limits are reached. Based on the nature of the attack and the replies, different limits could be reached. From now on Unbound introduces fixes for better performance when under load, by cutting opportunistic queries for nameserver discovery and DNSKEY prefetching and limiting the number of times a delegation point can issue a cache lookup for missing records.

CVE-2022-30698 and CVE-2022-30699

Unbound is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a rogue domain name when the cached delegation information is about to expire. The rogue nameserver delays the response so that the cached delegation information is expired. Upon receiving the delayed answer containing the delegation information, Unbound overwrites the now expired entries. This action can be repeated when the delegation information is about to expire making the rogue delegation information ever-updating. From now on Unbound stores the start time for a query and uses that to decide if the cached delegation information can be overwritten.

CVE-2020-28935

Unbound contains a local vulnerability that would allow for a local symlink attack.

For Debian 10 buster, these problems have been fixed in version 1.9.0-2+deb10u3.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security tracker page at: https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3342-1] freeradius security update
Debian LTS Advisory DLA-3342-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Markus Koschany
February 24, 2023    https://wiki.debian.org/LTS

Package : freeradius
Version : 3.0.17+dfsg-1.1+deb10u2
CVE ID : CVE-2022-41859 CVE-2022-41860 CVE-2022-41861

Several flaws were found in freeradius, a high-performance and highly configurable RADIUS server.

CVE-2022-41859

In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.

CVE-2022-41860

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash.

CVE-2022-41861

A malicious RADIUS client or home server can send a malformed attribute which can cause the server to crash.

For Debian 10 buster, these problems have been fixed in version 3.0.17+dfsg-1.1+deb10u2.

We recommend that you upgrade your freeradius packages.

For the detailed security status of freeradius please refer to its security tracker page at: https://security-tracker.debian.org/tracker/freeradius

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3335-1] asterisk security update
Debian LTS Advisory DLA-3335-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 22, 2023                     https://wiki.debian.org/LTS

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb10u2
CVE ID         : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version 1:16.28.0~dfsg-0+deb10u2.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3333-1] tiff security update
Debian LTS Advisory DLA-3333-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 21, 2023                     https://wiki.debian.org/LTS

Package        : tiff
Version        : 4.1.0+git191117-2~deb10u7
CVE ID         : CVE-2023-0795 CVE-2023-0796 CVE-2023-0797 CVE-2023-0798 CVE-2023-0799 CVE-2023-0800 CVE-2023-0801 CVE-2023-0802 CVE-2023-0803 CVE-2023-0804
Debian Bug     : 1031632

Several flaws were found in tiffcrop, a program distributed by tiff, a library and tools providing support for the Tag Image File Format (TIFF). A specially crafted tiff file can lead to an out-of-bounds write or read resulting in a denial of service.

For Debian 10 buster, these problems have been fixed in version 4.1.0+git191117-2~deb10u7.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3327-1] nss security update
Debian LTS Advisory DLA-3327-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 20, 2023                     https://wiki.debian.org/LTS

Package        : nss
Version        : 2:3.42.1-1+deb10u6
CVE ID         : CVE-2020-6829 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2023-0767

Multiple security vulnerabilities have been discovered in nss, the Network Security Service libraries.

CVE-2020-6829

    When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used, which leaked partial information about the nonce used during signature generation. Given an electromagnetic trace of a few signature generations, the private key could have been computed.

CVE-2020-12400

    When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack.

CVE-2020-12401

    During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data.

CVE-2020-12403

    A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length.

CVE-2023-0767

    Christian Holler discovered that incorrect handling of PKCS 12 Safe Bag attributes may result in execution of arbitrary code if a specially crafted PKCS 12 certificate bundle is processed.

For Debian 10 buster, these problems have been fixed in version 2:3.42.1-1+deb10u6.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3323-1] c-ares security update
Debian LTS Advisory DLA-3323-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 18, 2023                     https://wiki.debian.org/LTS

Package        : c-ares
Version        : 1.14.0-1+deb10u2
CVE ID         : CVE-2022-4904
Debian Bug     : 1031525

It was discovered that in c-ares, an asynchronous name resolver library, the config_sortlist function is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow and thus may cause a denial of service.

For Debian 10 buster, this problem has been fixed in version 1.14.0-1+deb10u2.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to its security tracker page at: https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3321-1] gnutls28 security update
Debian LTS Advisory DLA-3321-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 18, 2023                     https://wiki.debian.org/LTS

Package        : gnutls28
Version        : 3.6.7-4+deb10u10
CVE ID         : CVE-2023-0361

Hubert Kario discovered a timing side channel in the RSA decryption implementation of the GNU TLS library.

For Debian 10 buster, this problem has been fixed in version 3.6.7-4+deb10u10.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3318-1] haproxy security update
Debian LTS Advisory DLA-3318-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 14, 2023                     https://wiki.debian.org/LTS

Package        : haproxy
Version        : 1.8.19-1+deb10u4
CVE ID         : CVE-2023-25725

A security vulnerability was discovered in HAProxy, a fast and reliable load balancing reverse proxy, which may result in denial of service, or bypass of access controls and routing rules via specially crafted requests.

For Debian 10 buster, this problem has been fixed in version 1.8.19-1+deb10u4.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security tracker page at: https://security-tracker.debian.org/tracker/haproxy

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3317-1] snort security update
Debian LTS Advisory DLA-3317-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 11, 2023                     https://wiki.debian.org/LTS

Package        : snort
Version        : 2.9.20-0+deb10u1
CVE ID         : CVE-2020-3299 CVE-2020-3315 CVE-2021-1223 CVE-2021-1224 CVE-2021-1236 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749 CVE-2021-40114
Debian Bug     : 1021276

Multiple security vulnerabilities were discovered in snort, a flexible Network Intrusion Detection System, which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or bypass filtering technology on an affected device and exfiltrate data from a compromised host.

For Debian 10 buster, these problems have been fixed in version 2.9.20-0+deb10u1.

We recommend that you upgrade your snort packages.

For the detailed security status of snort please refer to its security tracker page at: https://security-tracker.debian.org/tracker/snort

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3314-1] libsdl2 security update
Debian LTS Advisory DLA-3314-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 09, 2023                     https://wiki.debian.org/LTS

Package        : libsdl2
Version        : 2.0.9+dfsg1-1+deb10u1
CVE ID         : CVE-2019-7572 CVE-2019-7573 CVE-2019-7574 CVE-2019-7575 CVE-2019-7576 CVE-2019-7577 CVE-2019-7578 CVE-2019-7635 CVE-2019-7636 CVE-2019-7638 CVE-2019-13616 CVE-2019-13626 CVE-2020-14409 CVE-2020-14410 CVE-2021-33657 CVE-2022-4743
Debian Bug     : 924610 1014577

Several security vulnerabilities have been discovered in SDL2, the Simple DirectMedia Layer library. These vulnerabilities may allow an attacker to cause a denial of service or result in the execution of arbitrary code if malformed images or sound files are processed.

For Debian 10 buster, these problems have been fixed in version 2.0.9+dfsg1-1+deb10u1.

We recommend that you upgrade your libsdl2 packages.

For the detailed security status of libsdl2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libsdl2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3277-1] powerline-gitstatus security update
Debian LTS Advisory DLA-3277-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
January 20, 2023                      https://wiki.debian.org/LTS

Package        : powerline-gitstatus
Version        : 1.3.2-0+deb10u1
CVE ID         : CVE-2022-42906

Powerline Gitstatus, a status line plugin for the VIM editor, allows arbitrary code execution. Git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs git commands in order to display information about the current repository in the prompt. If an attacker can convince a user to change their current directory to one controlled by the attacker, such as in a shared filesystem or extracted archive, powerline-gitstatus will run arbitrary commands under the attacker's control.

For Debian 10 buster, this problem has been fixed in version 1.3.2-0+deb10u1.

We recommend that you upgrade your powerline-gitstatus packages.

For the detailed security status of powerline-gitstatus please refer to its security tracker page at: https://security-tracker.debian.org/tracker/powerline-gitstatus

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3276-1] lava security update
Debian LTS Advisory DLA-3276-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
January 19, 2023                      https://wiki.debian.org/LTS

Package        : lava
Version        : 2019.01-5+deb10u2
CVE ID         : CVE-2022-44641
Debian Bug     : 1024429

Igor Ponomarev discovered that LAVA, a continuous integration system for deploying operating systems onto physical and virtual hardware for running tests, was susceptible to denial of service via recursive XML entity expansion.

For Debian 10 buster, this problem has been fixed in version 2019.01-5+deb10u2.

We recommend that you upgrade your lava packages.

For the detailed security status of lava please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lava

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3273-1] libitext5-java security update
Debian LTS Advisory DLA-3273-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
January 18, 2023                      https://wiki.debian.org/LTS

Package        : libitext5-java
Version        : 5.5.13-1+deb10u1
CVE ID         : CVE-2021-43113
Debian Bug     : 1014597

It was discovered that the CompareTool of iText, a Java PDF library which uses the external ghostscript software to compare PDFs at a pixel level, allowed command injection when parsing a specially crafted filename.

For Debian 10 buster, this problem has been fixed in version 5.5.13-1+deb10u1.

We recommend that you upgrade your libitext5-java packages.

For the detailed security status of libitext5-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libitext5-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3268-1] netty security update
Debian LTS Advisory DLA-3268-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
January 11, 2023                      https://wiki.debian.org/LTS

Package        : netty
Version        : 1:4.1.33-1+deb10u3
CVE ID         : CVE-2021-37136 CVE-2021-37137 CVE-2021-43797 CVE-2022-41881 CVE-2022-41915
Debian Bug     : 1027180 1014769 1001437

Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework, which may allow attackers to cause a denial of service or bypass restrictions when used as a proxy.

For Debian 10 buster, these problems have been fixed in version 1:4.1.33-1+deb10u3.

We recommend that you upgrade your netty packages.

For the detailed security status of netty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/netty

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3267-1] libxstream-java security update
Debian LTS Advisory DLA-3267-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
January 11, 2023                      https://wiki.debian.org/LTS

Package        : libxstream-java
Version        : 1.4.11.1-1+deb10u4
CVE ID         : CVE-2022-41966
Debian Bug     : 1027754

XStream serializes Java objects to XML and back again. Versions prior to 1.4.11.1-1+deb10u4 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.

For Debian 10 buster, this problem has been fixed in version 1.4.11.1-1+deb10u4.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libxstream-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3259-1] libjettison-java security update
Debian LTS Advisory DLA-3259-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 31, 2022                     https://wiki.debian.org/LTS

Package        : libjettison-java
Version        : 1.5.3-1~deb10u1
CVE ID         : CVE-2022-40150 CVE-2022-45685 CVE-2022-45693
Debian Bug     : 1022553

Several flaws have been discovered in libjettison-java, a collection of StAX parsers and writers for JSON. Specially crafted user input may cause a denial of service via out-of-memory or stack overflow errors. In addition, a build failure related to the update was fixed in jersey1.

For Debian 10 buster, these problems have been fixed in version 1.5.3-1~deb10u1.

We recommend that you upgrade your libjettison-java packages.

For the detailed security status of libjettison-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libjettison-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3251-1] libcommons-net-java security update
Debian LTS Advisory DLA-3251-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 29, 2022                     https://wiki.debian.org/LTS

Package        : libcommons-net-java
Version        : 3.6-1+deb10u1
CVE ID         : CVE-2021-37533
Debian Bug     : 1025910

ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Java client API for basic Internet protocols, trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.

For Debian 10 buster, this problem has been fixed in version 3.6-1+deb10u1.

We recommend that you upgrade your libcommons-net-java packages.

For the detailed security status of libcommons-net-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libcommons-net-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3249-1] mbedtls security update
Debian LTS Advisory DLA-3249-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 26, 2022                     https://wiki.debian.org/LTS

Package        : mbedtls
Version        : 2.16.9-0~deb10u1
CVE ID         : CVE-2019-16910 CVE-2019-18222 CVE-2020-10932 CVE-2020-10941 CVE-2020-16150 CVE-2020-36421 CVE-2020-36422 CVE-2020-36423 CVE-2020-36424 CVE-2020-36425 CVE-2020-36426 CVE-2020-36475 CVE-2020-36476 CVE-2020-36478 CVE-2021-24119 CVE-2021-43666 CVE-2021-44732 CVE-2022-35409
Debian Bug     : 941265 963159 972806 1002631

Multiple security vulnerabilities have been discovered in mbedtls, a lightweight crypto and SSL/TLS library, which may allow attackers to obtain sensitive information like the RSA private key or cause a denial of service (application or server crash).

For Debian 10 buster, these problems have been fixed in version 2.16.9-0~deb10u1.

We recommend that you upgrade your mbedtls packages.

For the detailed security status of mbedtls please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mbedtls

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3248-1] libksba security update
Debian LTS Advisory DLA-3248-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 24, 2022                     https://wiki.debian.org/LTS

Package        : libksba
Version        : 1.3.5-2+deb10u2
CVE ID         : CVE-2022-47629

An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

For Debian 10 buster, this problem has been fixed in version 1.3.5-2+deb10u2.

We recommend that you upgrade your libksba packages.

For the detailed security status of libksba please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libksba

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3236-1] openexr security update
Debian LTS Advisory DLA-3236-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 12, 2022                     https://wiki.debian.org/LTS

Package        : openexr
Version        : 2.2.1-4.1+deb10u2
CVE ID         : CVE-2020-16587 CVE-2020-16588 CVE-2020-16589 CVE-2021-3474 CVE-2021-3475 CVE-2021-3476 CVE-2021-3477 CVE-2021-3478 CVE-2021-3479 CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-20296 CVE-2021-20298 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 CVE-2021-20303 CVE-2021-23215 CVE-2021-26260 CVE-2021-45942
Debian Bug     : 986796 992703 990450 990899 1014828

Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bounds reads could lead to a denial of service (application crash) if a malformed image file is processed.

For Debian 10 buster, these problems have been fixed in version 2.2.1-4.1+deb10u2.

We recommend that you upgrade your openexr packages.

For the detailed security status of openexr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openexr

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3234-1] hsqldb security update
Debian LTS Advisory DLA-3234-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 10, 2022                     https://wiki.debian.org/LTS

Package        : hsqldb
Version        : 2.4.1-2+deb10u1
CVE ID         : CVE-2022-41853
Debian Bug     : 1023573

It was found that those using java.sql.Statement or java.sql.PreparedStatement in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.4.1-2+deb10u1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names","abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.4.1-2+deb10u1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.

For Debian 10 buster, this problem has been fixed in version 2.4.1-2+deb10u1.

We recommend that you upgrade your hsqldb packages.

For the detailed security status of hsqldb please refer to its security tracker page at: https://security-tracker.debian.org/tracker/hsqldb

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3219-1] jhead security update
Debian LTS Advisory DLA-3219-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 04, 2022                     https://wiki.debian.org/LTS

Package        : jhead
Version        : 1:3.00-8+deb10u1
CVE ID         : CVE-2021-34055 CVE-2022-41751
Debian Bug     : 1024272 1022028

Jhead, a tool for manipulating EXIF data embedded in JPEG images, allowed attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50, -autorot or -ce option. In addition, a buffer overflow error in exif.c has been addressed which could lead to a denial of service (application crash).

For Debian 10 buster, these problems have been fixed in version 1:3.00-8+deb10u1.

We recommend that you upgrade your jhead packages.

For the detailed security status of jhead please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jhead

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3209-1] ini4j security update
Debian LTS Advisory DLA-3209-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 28, 2022                     https://wiki.debian.org/LTS

Package        : ini4j
Version        : 0.5.4-1~deb10u1
CVE ID         : CVE-2022-41404

It was discovered that ini4j, a Java library for handling the Windows ini file format, was vulnerable to a denial of service attack via the fetch() method in the BasicProfile class, if an attacker provided a manipulated ini file.

For Debian 10 buster, this problem has been fixed in version 0.5.4-1~deb10u1.

We recommend that you upgrade your ini4j packages.

For the detailed security status of ini4j please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ini4j

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3208-1] varnish security update
Debian LTS Advisory DLA-3208-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 27, 2022                     https://wiki.debian.org/LTS

Package        : varnish
Version        : 6.1.1-1+deb10u4
CVE ID         : CVE-2020-11653 CVE-2022-45060
Debian Bug     : 956307 1023751

Martin van Kervel Smedshammer discovered that a request forgery attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker may introduce characters through the HTTP/2 pseudo-headers that are invalid in the context of an HTTP/1 request line, causing the Varnish server to produce invalid HTTP/1 requests to the backend. This may in turn be used to successfully exploit vulnerabilities in a server behind the Varnish server.

For Debian 10 buster, these problems have been fixed in version 6.1.1-1+deb10u4.

We recommend that you upgrade your varnish packages.

For the detailed security status of varnish please refer to its security tracker page at: https://security-tracker.debian.org/tracker/varnish

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3207-1] jackson-databind security update
Debian LTS Advisory DLA-3207-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 27, 2022                     https://wiki.debian.org/LTS

Package        : jackson-databind
Version        : 2.9.8-3+deb10u4
CVE ID         : CVE-2020-36518 CVE-2022-42003 CVE-2022-42004
Debian Bug     : 1007109

Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java.

CVE-2020-36518

    Java StackOverflow exception and denial of service via a large depth of nested objects.

CVE-2022-42003

    In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

CVE-2022-42004

    In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

For Debian 10 buster, these problems have been fixed in version 2.9.8-3+deb10u4.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3203-1] nginx security update
Debian LTS Advisory DLA-3203-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 23, 2022                     https://wiki.debian.org/LTS

Package        : nginx
Version        : 1.14.2-2+deb10u5
CVE ID         : CVE-2021-3618 CVE-2022-41741 CVE-2022-41742
Debian Bug     : 991328

It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file. This module is only enabled in the nginx-extras binary package. In addition, the following vulnerability has been fixed.

CVE-2021-3618

    ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise

For Debian 10 buster, these problems have been fixed in version 1.14.2-2+deb10u5.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nginx

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3194-1] asterisk security update
Debian LTS Advisory DLA-3194-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 17, 2022                     https://wiki.debian.org/LTS

Package        : asterisk
Version        : 1:16.28.0~dfsg-0+deb10u1
CVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651
Debian Bug     : 1014998 1018073 1014976

Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

Special care should be taken when upgrading to this new upstream release. Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.

For Debian 10 buster, these problems have been fixed in version 1:16.28.0~dfsg-0+deb10u1.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3184-1] libjettison-java security update
Debian LTS Advisory DLA-3184-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
November 10, 2022                     https://wiki.debian.org/LTS

Package        : libjettison-java
Version        : 1.4.0-1+deb10u1
CVE ID         : CVE-2022-40149
Debian Bug     : 1022554

It was discovered that libjettison-java, a collection of StAX parsers and writers for JSON, was vulnerable to a denial-of-service attack if the attacker provided untrusted XML or JSON data.

For Debian 10 buster, this problem has been fixed in version 1.4.0-1+deb10u1.

We recommend that you upgrade your libjettison-java packages.

For the detailed security status of libjettison-java please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libjettison-java

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS