[SECURITY] [DSA 5526-1] chromium security update

2023-10-12 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-5526-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
October 12, 2023  https://www.debian.org/security/faq
- -

Package: chromium
CVE ID : CVE-2023-5218 CVE-2023-5473 CVE-2023-5474 CVE-2023-5475 
 CVE-2023-5476 CVE-2023-5477 CVE-2023-5478 CVE-2023-5479 
 CVE-2023-5481 CVE-2023-5483 CVE-2023-5484 CVE-2023-5485 
 CVE-2023-5486 CVE-2023-5487

Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.

For the oldstable distribution (bullseye), the updates need an additional
toolchain update. When completed, fixes will be made available as
118.0.5993.70-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 118.0.5993.70-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 5527-1] webkit2gtk security update

2023-10-12 Thread Alberto Garcia
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

- -
Debian Security Advisory DSA-5527-1   secur...@debian.org
https://www.debian.org/security/   Alberto Garcia
October 12, 2023  https://www.debian.org/security/faq
- -

Package: webkit2gtk
CVE ID : CVE-2023-39928 CVE-2023-41074 CVE-2023-41993

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2023-39928

Marcin Noga discovered that a specially crafted web page can abuse
a vulnerability in the MediaRecorder API to cause memory
corruption and potentially arbitrary code execution.

CVE-2023-41074

Junsung Lee and Me Li discovered that processing web content may
lead to arbitrary code execution.

CVE-2023-41993

Bill Marczak and Maddie Stone discovered that processing web
content may lead to arbitrary code execution. Apple is aware of a
report that this issue may have been actively exploited.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.42.1-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 2.42.1-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DSA 5522-2] tomcat9 regression update

2023-10-12 Thread Markus Koschany
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-5522-2   secur...@debian.org
https://www.debian.org/security/  Markus Koschany
October 12, 2023  https://www.debian.org/security/faq
- -

Package: tomcat9
CVE ID : CVE-2023-44487
Debian Bug : 1053820

The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and
caused a regression when using asynchronous I/O (the default for NIO and NIO2).
DATA frames must be included when calculating the HTTP/2 overhead count to
ensure that connections are not prematurely terminated.
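The following toy model is an added illustration and is not Tomcat's code. It assumes a per-connection overhead counter of the kind the advisory refers to: every received frame is charged a fixed cost, RST_STREAM frames are charged a surcharge, and frames that carry real work (HEADERS, DATA with a payload) earn a credit; once the counter exceeds a limit the connection is closed. All constants, the frame mix and the scoring rules are assumptions chosen to show the regression's effect: a counter that charges DATA frames but never credits them closes a healthy upload, while one that credits them keeps it open and still closes a reset flood.

```python
"""Toy model of a per-connection HTTP/2 overhead counter.

Added illustration, not Tomcat's code. Constants and scoring rules are
assumptions; the point demonstrated is the advisory's: DATA frames must be
included in the overhead calculation or legitimate connections are
terminated prematurely.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed parameters (not Tomcat's actual defaults).
OVERHEAD_PER_FRAME = 10   # every frame received costs this much
RESET_SURCHARGE = 50      # RST_STREAM is charged extra on top
USEFUL_CREDIT = 20        # a frame carrying real work earns this back
OVERHEAD_LIMIT = 100      # once exceeded, the connection is closed

Frame = Tuple[str, int]   # (frame type, payload length in bytes)


@dataclass
class OverheadCounter:
    """Tracks how much protocol overhead one connection has accumulated."""
    count_data_frames: bool = True   # False reproduces the regression
    overhead: int = 0
    frames_seen: int = 0
    closed: bool = False

    def on_frame(self, frame_type: str, payload_len: int = 0) -> None:
        if self.closed:
            return
        self.frames_seen += 1
        self.overhead += OVERHEAD_PER_FRAME
        if frame_type == "RST_STREAM":
            self.overhead += RESET_SURCHARGE
        elif frame_type == "HEADERS":
            self.overhead -= USEFUL_CREDIT
        elif frame_type == "DATA" and payload_len > 0 and self.count_data_frames:
            # With count_data_frames=False a DATA frame is charged like any
            # other frame but never credited, so a long upload looks like
            # pure overhead and the connection is closed.
            self.overhead -= USEFUL_CREDIT
        if self.overhead > OVERHEAD_LIMIT:
            self.closed = True


def run(frames: List[Frame], count_data_frames: bool = True) -> OverheadCounter:
    """Feed a constructed frame sequence through a fresh counter."""
    counter = OverheadCounter(count_data_frames=count_data_frames)
    for frame_type, payload_len in frames:
        counter.on_frame(frame_type, payload_len)
    return counter


# Constructed traffic. A normal upload: one HEADERS frame, twenty full DATA
# frames, then an empty DATA frame carrying END_STREAM.
LEGIT_UPLOAD: List[Frame] = [("HEADERS", 0)] + [("DATA", 16384)] * 20 + [("DATA", 0)]

# Constructed reset flood: streams opened and immediately cancelled, no data sent.
RESET_FLOOD: List[Frame] = [("HEADERS", 0), ("RST_STREAM", 0)] * 10


if __name__ == "__main__":
    for label, frames in (("legit upload", LEGIT_UPLOAD), ("reset flood", RESET_FLOOD)):
        for credit_data in (False, True):
            c = run(frames, count_data_frames=credit_data)
            print(f"{label:13s} credit DATA={str(credit_data):5s} "
                  f"closed={str(c.closed):5s} after {c.frames_seen} frames "
                  f"(overhead {c.overhead})")
```

Running the block shows the two outcomes side by side: with DATA frames credited the upload finishes with a comfortably negative overhead and only the reset flood is cut off; with DATA frames ignored the upload is closed after its twelfth data frame, which is the premature termination the advisory describes.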

For the oldstable distribution (bullseye), this problem has been fixed
in version 9.0.43-2~deb11u8.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-