[SECURITY] [DSA 5542-1] request-tracker4 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5542-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 30, 2023 https://www.debian.org/security/faq - - Package: request-tracker4 CVE ID : CVE-2023-41259 CVE-2023-41260 Debian Bug : 1054516 Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. CVE-2023-41259 Tom Wolters reported that Request Tracker is vulnerable to accepting unvalidated RT email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 Tom Wolters reported that Request Tracker is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface. For the oldstable distribution (bullseye), these problems have been fixed in version 4.4.4+dfsg-2+deb11u3. For the stable distribution (bookworm), these problems have been fixed in version 4.4.6+dfsg-1.1+deb12u1. We recommend that you upgrade your request-tracker4 packages. For the detailed security status of request-tracker4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker4 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVAFIhfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Rh2xAAiVD21hoYb0v/KZ2tvBYCzLPn5Gt8TGtIAkjfK2Ld11tP+T4T4Y5+rqvd pt19lHHpq7Sv8KintaRXBZvDbFCNd1M9oBjXPf0Cf/Rc3IP8LOKuHA+53wt6mP+q mN589zah9CCjN91qhP+S6viaybIunB8G5qnWXcrkwk/nTAlqtkq9wtMohLfipKEm TYwFFwAeFJhcSnQNN1EmMX4jOY4abE5RmrMPUAHsfLlxXrPqZ8orRYfCh7DZIAnk jeastNtbpOpZbrbPNXAdl4iiGgE2kZc6IiE7siFZYhGhNL1NN3cQh1lG5eRpynZ9 q+UvUlbDM2HE5RZi8ZIdcvysEW3YZR3Tghdcb/cQJxtXKn1auXwmlo/Jf30M9gii kneMxP7SRrhmdFHsWrOlFg8B0TDiOMNs43Q7O80DFzv/e73GZFyawkklc9X1zMj/ LvN+Z2oqcfsiy7XYi88++RK8Q/M9Cs8Y4Hsct9xwGW2qtV7/quLHpJ3NHmuqC8bg AJdVxva33Of5YkZ4e/hygtu8yttlq5ZGnsxHStAC8IziCL/rUQdRRCIoLVjnQTMQ s8A+yYtJJaprCmDvHJU4pSlSMxMjqYHFR8AIO+AMsTUgKyuNzwlTpczE0KtlmB6X F5P0NExyVQE3kWvZzVVqj44M/MiysmNDHuH8qJjdjmm/hFvllaw= =tItS -END PGP SIGNATURE-
[SECURITY] [DSA 5541-1] request-tracker5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5541-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 30, 2023 https://www.debian.org/security/faq - - Package: request-tracker5 CVE ID : CVE-2023-41259 CVE-2023-41260 CVE-2023-45024 Debian Bug : 1054517 Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system. CVE-2023-41259 Tom Wolters reported that Request Tracker is vulnerable to accepting unvalidated RT email headers in incoming email and the mail-gateway REST interface. CVE-2023-41260 Tom Wolters reported that Request Tracker is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface. CVE-2023-45024 It was reported that Request Tracker is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder. For the stable distribution (bookworm), these problems have been fixed in version 5.0.3+dfsg-3~deb12u2. We recommend that you upgrade your request-tracker5 packages. For the detailed security status of request-tracker5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVAExFfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Rb4w/+L1YcgCKoOMVBlwGlYnlEYZivThfDm1S/hwRwThqZtuDn0PPHw/Skl9Tp z2D7KjB0OEV3bixDCrYowOe4sUpxt8nAmHu0+LM9yik5ZbUh/GkX1gFQhleTA6l1 Oa6PHuukFr31qwIvFse2D1MHyeKTgmWvDN8/l+mL1QB3oQ52Yh82fIBgky1x4tJl NZZKE6GVIyptnUUMYGa3QHK2oGW6RV41htB4aNl3boPrmpIXfw5dS86ZoMi1Tx2Q ww8tvsexwpWhXkGk8DTxgd+gTd0UKQixn+bRm50nuiFx5HZxTieg9ma6wbX4psPA 43r9H4lOxC5K3s/WIvfwexm0057O87BZSa1HvQE/6iGZ/ehQlP1WPxRADxAqdSGD 5G7JonHfSpVWQMa7u6qOZj6A/rWojWq3LN9I7t/SBdxIAYuV6mkLnWK+eYQz3oxQ cR2ob/ymdNrT2Nfafs2WKFpZNDx8pLFl9NVjNEoHrklTfPhZFlDXcPtm0+pk7M73 lfYdMP+3xHVELuL0wckMuoSoddHHv0LmwgXXY+6YVISrQ970YEnxV23Y4dBvI7dY 31TnGKjZ6MwWnqO3kwOlTLj/Zb+fnIfsQwRway9Q0vNa6c2NR0ONASaMtVfS3MsJ jeNKFbuRweOsj9JO3eceDevpS68kBEi1ev071LNhh/oP7KTwRDw= =DPKi -END PGP SIGNATURE-
[SECURITY] [DSA 5540-1] jetty9 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5540-1 secur...@debian.org https://www.debian.org/security/ Markus Koschany October 30, 2023 https://www.debian.org/security/faq - - Package: jetty9 CVE ID : CVE-2023-36478 CVE-2023-44487 Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as Rapid Reset Attack. For the oldstable distribution (bullseye), these problems have been fixed in version 9.4.50-4+deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 9.4.50-4+deb12u2. We recommend that you upgrade your jetty9 packages. For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVABttfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeTJ2g/9E8TKXU1Mko9WhumkvRQNsYxAM43L/gmYMRm4JEqhqpjHHZECJIOAVyxs uN0uE13T+JckplIAhfdsZgbmDDNjASyFWv9OfOdf2h4Y9ZhoXP22MXI2MjKb9MSH KfmPtX4S95UyF/Ty0kK17W63p4EvtNlcgRokx5yFpUF/rN72GXVx25W6WQ1pSHrJ ESJMqOr8d3Wn5/4yaPEunQrvPa4WkQSTv8nHAIxIenP3wiNuK2tZWN6GCAdbirQp MWt282W/ueGcRDq8UJB2tWkxqx8CNnqeIeh0LpaSZRbaf62DChtyj+5OnYyhwBTk 1mhwuveCFtNzRQyHRBrOrVWRAG43ktSyEYG90Il9iDchQROi0sJkQFVB0TXG6FnC hIFBcPw9VW5+7I+4gxexhpguq/SXZV9V9QH+jSeEBOgdKY/qX0farjElmhgFLRuS /weJAqnc9C6w4BB7gnE9ow4nbGqKqMEj1yoO8itMhCWBCaEIia0INpao7pfpf/9r KekLFoi6Gux0gqVMhhBw3latxW9zth93tNEeuuGb+kP/TDreBVkZnqrYVbtj49Wv IMX77Q8OB/TDQ8K5cEq05wcq59TIkAaVKGrP3sXsjbt4umbkjhbp8Oxv+chMOgPQ E8ThC0Q+lbZ4nth0vw2R93ObMfzlxZN2YJUqKf3aw/yAKd8YIys= =CO/+ -END PGP SIGNATURE-
[SECURITY] [DSA 5539-1] node-browserify-sign security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-5539-1 secur...@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 30, 2023 https://www.debian.org/security/faq - - Package: node-browserify-sign CVE ID : CVE-2023-46234 Debian Bug : 1054667 It was reported that incorrect bound checks in the dsaVerify function in node-browserify-sign, a Node.js library which adds crypto signing for browsers, allows an attacker to perform signature forgery attacks by constructing signatures that can be successfully verified by any public key. For the oldstable distribution (bullseye), this problem has been fixed in version 4.2.1-1+deb11u1. For the stable distribution (bookworm), this problem has been fixed in version 4.2.1-3+deb12u1. We recommend that you upgrade your node-browserify-sign packages. For the detailed security status of node-browserify-sign please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-browserify-sign Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU/2K5fFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0SYeRAAmffcSYdBfiH/6U30rpfiLylS8zL/ca2sILLKmfYuwG/DH6n5BJ5n+oos RrXpXhOXjhLmTe1f9Sst3hXCv0IIsJoITnrlmfSjp0CmTk3jx/VhQljSeFUCAFUk pyAL27QB76SSwqiJNNqvbKEwwatdtNyNFs/zE7Ir7lFT7hKLwryv70Mwf1xWdh59 ZFMaCGPntGWpgwSHy88kD/z6Oo3SV/Q+U73Y53Rv62ZZMNrX1ploVsI1zPLFrOQS NkUwT+nGCfe13S5GUZ/w5U/joEjXWlDbPH8VSnL7pFBudVP6h6NcgyHds7jYsHbZ AuViuE0ctEu2li/j51fD6MOZu2HRtaxi6EuZpaOTUDbq1qC5GvGa0+4FuNBVO3k3 3N+4fVARStFoWFnoqX8+0kWJvkhvO8O8AVoIMRzWEbLjeBv5nMHxggRfw2cisJeN TGIDvJfDiC7w18TDEIwDwEo1nScCWndPK5LPkI6+j9VQIVKdf9UGJS+pnWgywT9G 6EiSKS+pOQSujNV5XuWDeicV2e3CvgrVQ+kaOKvFBgpGfZwOFV2+324kCnAk1hMu pAnn7/7e/NYdDhpzmAv6fD5GfiW8WhLgRkNpKAQwoPV1Ywwr9S9KBxsWK2Lf1W4t 6RyyKKX8M+gz7rLmeGfjJ4fbGdn/xSH7IWXjBCOiN1W+gwNmsCg= =htaY -END PGP SIGNATURE-
