Updates on Freexian

ELA-1656-1 gimp security update

Sat, 14 Mar 2026 18:38:32 +0100

Package : gimp

Version : 2.8.18-1+deb9u9 (stretch), 2.10.8-2+deb10u8 (buster)

Several vulnerabilities were discovered in GIMP, the GNU Image Manipulation Program, which could result in denial of service or potentially the execution of arbitrary code if malformed XWD, ICNS, PGM or ICO files are opened.

ELA-1655-1 openjdk-8 security update

Thu, 05 Mar 2026 11:00:36 +0100

Package : openjdk-8

Version : 8u482-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect certificate validation, CRLF injection or man-in-the-middle attacks.

ELA-1654-1 python-tornado security update

Sun, 01 Mar 2026 00:50:33 +0100

Package : python-tornado

Version : 4.4.3-1+deb9u2 (stretch)

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-47287

When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.

CVE-2025-67724

Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.

CVE-2025-67725

A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.

CVE-2025-67726

An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.

ELA-1652-1 glib2.0 security update

Sat, 28 Feb 2026 08:10:20 +0000

Package : glib2.0

Version : 2.50.3-2+deb9u9 (stretch), 2.58.3-2+deb10u10 (buster)

Multiple issues were found in GLib, a general-purpose, portable utility library, that could lead to denial of service, memory corruption or potentially arbitrary code execution if maliciously crafted data is processed.

CVE-2026-0988: Codean Labs found missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).
CVE-2026-1484: treeplus, with additional thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.
CVE-2026-1485: treeplus, with additonal thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in Glib’s content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.
CVE-2026-1489: treeplus, with additional thanks to Sovereign Tech Resilience program of the Sovereign Tech Agency, found a flaw in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

ELA-1653-1 gnutls28 security update

Fri, 27 Feb 2026 08:36:51 +0100

Package : gnutls28

Version : 3.5.8-5+deb9u10 (stretch), 3.6.7-4+deb10u15 (buster)

Related CVEs : CVE-2025-9820 CVE-2025-14831

Vulnerabilities were found in GnuTLS, a portable library which implements the Transport Layer Security and Datagram Transport Layer Security protocols, which may lead to Denial of Service.

CVE-2025-9820: An out-of-bound write issue was discovered when a PKCS#11 token is initialized with the gnutls_pkcs11_token_init() function and it is passed a token label longer than 32 characters.
CVE-2025-14831: Tim Scheckenbach discovered that verifying specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs) could lead to resource exhaustion.

ELA-1651-1 modsecurity-crs security update

Sun, 22 Feb 2026 11:14:08 +0100

Package : modsecurity-crs

Version : 3.2.3-0+deb10u4 (buster)

Related CVEs : CVE-2023-38199

A issue has been fixed in modsecurity-crs, a set of generic attack detection rules for use with ModSecurity.

CVE-2023-38199

Coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does not detect multiple Content-Type request headers on some platforms. This might allow attackers to bypass a WAF with a crafted payload, aka “Content-Type confusion” between the WAF and the backend application. This occurs when the web application relies on only the last Content-Type header. Other platforms may reject the additional Content-Type header or merge conflicting headers, leading to detection as a malformed header.

ELA-1650-1 gegl security update

Sat, 21 Feb 2026 18:55:06 +0100

Package : gegl

Version : 0.3.8-4+deb9u2 (stretch), 0.4.12-2+deb10u2 (buster)

Related CVEs : CVE-2026-2049 CVE-2026-2050

A heap-based buffer overflow was discovered in the RGBE/HDR parser of GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files are processed.

ELA-1649-1 gimp security update

Fri, 20 Feb 2026 18:40:37 +0100

Package : gimp

Version : 2.8.18-1+deb9u8 (stretch), 2.10.8-2+deb10u7 (buster)

Related CVEs : CVE-2026-2239 CVE-2026-2271 CVE-2026-2272

ELA-1648-1 python-django security update

Thu, 19 Feb 2026 11:48:22 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u30 (stretch), 1:1.11.29-1+deb10u19 (buster)

It was discovered that there were multiple vulnerabilities in Django, the Python-based web-development framework:

CVE-2025-13473: The check_password function in django.contrib.auth.handlers.modwsgi for authentication via mod_wsgi allowed remote attackers to enumerate users via a timing attack.
CVE-2026-1207: Raster lookups on RasterField (only implemented on PostGIS) allowed remote attackers to inject SQL via the band index parameter.
CVE-2026-1285: The django.utils.text.Truncator.chars() and Truncator.words() methods (with html=True) and the truncatechars_html and truncatewords_html template filters allowed a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags.
CVE-2026-1287: FilteredRelation was subject to SQL injection in column aliases via control characters using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet methods annotate(), aggregate(), extra(), values(), values_list() and alias().
CVE-2026-1312: QuerySet.order_by() was subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in FilteredRelation.

In addition, The fix for CVE-2025-6069 in the python3.9 source package which modified the html.parser.HTMLParser class in such a way that changed the behaviour of Django’s strip_tags() method in some edge cases that were tested by Django’s testsuite. As a result of this regression, we have updated the testsuite for the new expected results.

ELA-1647-1 libpng1.6 security update

Tue, 17 Feb 2026 19:34:36 +0100

Package : libpng1.6

Version : 1.6.28-1+deb9u3 (stretch), 1.6.36-6+deb10u2 (buster)

Multiple vulnerabilties have been found in libpng, the official PNG reference library, potentially allowing information disclosure via out-of-bounds read or denial of service via infinite loop.

CVE-2026-22695

There is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018.

CVE-2026-22801

There is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems.

CVE-2026-25646

A out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and  the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification.

ELA-1646-1 wireshark security update

Mon, 16 Feb 2026 14:58:00 +0100

Package : wireshark

Version : 2.6.20-0+deb10u9~deb9u2 (stretch), 2.6.20-0+deb10u10 (buster)

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.

CVE-2024-9781

AppleTalk and RELOAD Framing dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2024-11596

ECMP dissector crash allows denial of service via packet injection or crafted capture file.

CVE-2025-5601

Column handling crashes allows denial of service via packet injection or crafted capture file.

CVE-2025-11626

MONGO dissector infinite loop allows denial of service.

CVE-2025-13946

MEGACO dissector infinite loop in allows denial of service.

ELA-1645-1 clamav new upstream version

Fri, 13 Feb 2026 16:40:22 +0100

Package : clamav

Version : 1.4.3+dfsg-1~deb10u1 (buster)

The 1.0 version of ClamAV, an anti-virus utility for Unix, had recently been discontinued upstream, and was set to no longer accept signature updates on November 28, 2026. This update brings ClamAV 1.4 to buster, extending the upstream support.

ELA-1644-1 linux-5.10 security update

Fri, 13 Feb 2026 16:07:07 +0100

Package : linux-5.10

Version : 5.10.249-1~deb9u1 (stretch), 5.10.249-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1643-1 linux-6.1 security update

Fri, 13 Feb 2026 14:32:59 +0100

Package : linux-6.1

Version : 6.1.162-1~deb9u1 (stretch), 6.1.162-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1642-1 python3.7 security update

Tue, 10 Feb 2026 08:23:36 +0100

Package : python3.7

Version : 3.7.3-2+deb10u11 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause memory corruption, e-mail and HTTP headers injection, validation bypass of .zip archives, and denial of service (DoS).

CVE-2025-4516

There is an issue in CPython when using bytes.decode("unicode_escape", error="ignore|replace").
CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-8291

The ‘zipfile’ module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the ‘zipfile’ module compared to other ZIP implementations.
CVE-2025-11468

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2025-13837

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.
CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-1299

The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

ELA-1641-1 python3.5 security update

Tue, 10 Feb 2026 08:23:30 +0100

Package : python3.5

Version : 3.5.3-1+deb9u12 (stretch)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail and HTTP headers injection, validation bypass of .zip archives, and denial of service (DoS).

CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-8291

The ‘zipfile’ module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the ‘zipfile’ module compared to other ZIP implementations.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2025-13837

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues.
CVE-2025-15282

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-1299

The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

ELA-1640-1 python2.7 security update

Tue, 10 Feb 2026 08:23:20 +0100

Package : python2.7

Version : 2.7.13-2+deb9u12 (stretch), 2.7.16-2+deb10u7 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause HTTP headers injection and denial of service (DoS).

CVE-2025-6069

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
CVE-2025-6075

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
CVE-2025-8194

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.
CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.
CVE-2026-0672

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

ELA-1639-1 pypy security update

Tue, 10 Feb 2026 08:23:13 +0100

Package : pypy

Version : 7.0.0+dfsg-3+deb10u3 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from the embedded python2.7 standard library. Please refer to ELA-1640-1 for details.

ELA-1638-1 phpunit security update

Mon, 09 Feb 2026 17:21:24 +0530

Package : phpunit

Version : 7.5.6-1+deb10u1 (buster)

Related CVEs : CVE-2026-24765

PHPUnit is a testing framework for PHP. A vulnerability has been discovered involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the cleanupForCoverage() method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious .coverage files are present prior to the execution of the PHPT test.

ELA-1637-1 tomcat9 security update

Sat, 07 Feb 2026 12:06:45 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u3 (buster)

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. The update corrects various flaws which can lead to a bypass of security constraints or a denial of service.

The regression update announced as ELA-1615-2 was incomplete. Some class files were still missing from jar files which are part of the libtomcat9-java binary package. In order to remedy this problem the following build-dependencies of tomcat9 have been upgraded to a new upstream release:

bnd
osgi-core
osgi-compendium
osgi-annotation
eclipse-jdt-core
felix-resolver

ELA-1636-1 xrdp security update

Thu, 05 Feb 2026 20:27:46 +0530

Package : xrdp

Version : 0.9.9-1+deb10u5 (buster)

Related CVEs : CVE-2025-68670

xrdp is an open source RDP server. It was found that xrdp contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system.

ELA-1615-2 tomcat9 regression update

Tue, 03 Feb 2026 11:46:46 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u2 (buster)

The tomcat9 security update, released as ELA-1615-1, introduced a regression. Several classes were missing in tomcat9-jasper-el.jar and tomcat9-embed-el.jar due to toolchain changes between version 9.0.31 and 9.0.107 which required a newer version of bnd, a tool to create and diagnose OSGi bundles. Those classes have been restored.

ELA-1635-1 python-tornado security update

Mon, 02 Feb 2026 00:28:14 +0100

Package : python-tornado

Version : 5.1.1-4+deb10u3 (buster)

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-67724

Custom reason phrases can cause multiple vulnerabilities (like XSS,
header injection, ...) due to being used unescaped in HTTP headers.

CVE-2025-67725

A single maliciously crafted HTTP request can cause a possible DoS
due to quadratic performance of repeated header lines.

CVE-2025-67726

An inefficient algorithm when parsing parameters for HTTP header
values can potentially cause a DoS.

ELA-1634-1 pyasn1 security update

Sun, 01 Feb 2026 23:20:10 +0530

Package : pyasn1

Version : 0.1.9-2+deb9u1 (stretch), 0.4.2-3+deb10u1 (buster)

Related CVEs : CVE-2026-23490

It was discovered that pyasn1, a generic ASN.1 library for Python, is prone to a denial of service vulnerability, which may result in memory exhaustion from malformed OID/RELATIVE-OID with excessive continuation octets.

ELA-1633-1 modsecurity-apache security update

Sun, 01 Feb 2026 17:08:20 +0530

Package : modsecurity-apache

Version : 2.9.1-2+deb9u5 (stretch)

Related CVEs : CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario.

ELA-1632-1 ceph security update

Sun, 01 Feb 2026 03:55:32 +0530

Package : ceph

Version : 10.2.11-2+deb9u4 (stretch), 12.2.11+dfsg1-2.1+deb10u3 (buster)

Related CVEs : CVE-2024-47866

Ceph is a distributed object, block, and file storage platform. Using the argument x-amz-copy-source to put an object and specifying an empty string as its content leads to the RGW daemon crashing, resulting in a DoS attack.

ELA-1631-1 libsodium security update

Sun, 01 Feb 2026 03:41:31 +0530

Package : libsodium

Version : 1.0.17-1+deb10u1 (buster)

Related CVEs : CVE-2025-69277

It was discovered that the crypto_core_ed25519_is_valid_point() function of the Sodium cryptography library mishandled checks for valid elliptic curve points.

ELA-1630-1 dcmtk security update

Wed, 28 Jan 2026 13:09:38 +0100

Package : dcmtk

Version : 3.6.4-2.1+deb10u5 (buster)

Related CVEs : CVE-2025-14607 CVE-2025-14841

Two vulnerabilities have been addressed in DCMTK, a collection of libraries and applications implementing large parts of the DICOM standard for medical images.

CVE-2025-14607

Possible memory corruption caused by illegal attributes in datasets which
are processed by DcmByteString functions.

CVE-2025-14841

Invalid messages sent to dcmqrscp, the Image Central Test Node, may
trigger a segmentation fault due to a NULL pointer being de-referenced.

ELA-1629-1 apache-log4j2 security update

Wed, 28 Jan 2026 13:01:57 +0100

Package : apache-log4j2

Version : 2.17.1-1~deb10u2 (buster)

Related CVEs : CVE-2025-68161

In Apache Log4j2, a Java Logging Framework, the Socket Appender does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true. This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under specific and hard to exploit conditions.

ELA-1628-1 edk2 security update

Wed, 28 Jan 2026 12:32:47 +0100

Package : edk2

Version : 2020.11-2+deb10u1 (buster)

Multiple security vulnerabilities have been fixed in EDK II, a modern, feature-rich, cross-platform firmware development environment. Remotely exploitable buffer overflows and out-of-bounds or infinite loop vulnerabilities may lead to a denial of service or the execution of arbitrary code.

ELA-1626-1 apache2 security update

Mon, 26 Jan 2026 23:58:32 +0100

Package : apache2

Version : 2.4.25-3+deb9u22 (stretch)

Multiple vulnerabilities were fixed in apache HTTPD server, a popular webserver.

CVE-2025-58098

Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives

CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server through
environment variables set via the Apache configuration
unexpectedly superseding variables calculated
by the server for CGI programs

CVE-2025-66200

A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to use the RequestHeader directive
in htaccess can cause some CGI scripts to run under an unexpected userid.

ELA-1627-1 python-django security update

Mon, 26 Jan 2026 11:40:09 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u29 (stretch), 1:1.11.29-1+deb10u18 (buster)

Multiple vulnerabilities were discovered in Django, the Python-based web development framework:

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+.
CVE-2024-27351: Fix a potential regular expression denial-of-service (“ReDoS”) attack in django.utils.text.Truncator.words. This method (with html=True) and the truncatewords_html template filter were subject to a potential regular expression denial-of-service attack via a suitably crafted string. This is, in part, a follow up to CVE-2019-14232 and CVE-2023-43665.
CVE-2024-39614: Fix a potential denial-of-service in django.utils.translation.get_supported_language_variant. This method was subject to a potential DoS attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant is now parsed up to a maximum length of 500 characters.
CVE-2024-45231: Potential user email enumeration via response status on password reset. Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger.

ELA-1625-1 apache2 security update

Mon, 26 Jan 2026 19:17:53 +0100

Package : apache2

Version : 2.4.59-1~deb10u6 (buster)

Multiple vulnerabilities were fixed in apache HTTPD server, a popular webserver.

CVE-2025-55753

Update mod_md to v2.6.6

An integer overflow was found. In the case of failed ACME certificate
renewal leads, after a number of failures (~30 days in default
configurations), to the backoff timer becoming 0. Attempts to renew
the certificate then are repeated without delays until it succeeds

CVE-2025-58098

Apache HTTP Server with Server Side Includes (SSI) enabled
and mod_cgid (but not mod_cgi) passes the shell-escaped
query string to #exec cmd="..." directives

CVE-2025-65082

Improper Neutralization of Escape, Meta, or Control Sequences
vulnerability was found in Apache HTTP Server through
environment variables set via the Apache configuration
unexpectedly superseding variables calculated
by the server for CGI programs

CVE-2025-66200

A mod_userdir+suexec bypass vulnerability via AllowOverride FileInfo was
found in Apache HTTP Server. Users with access to use the RequestHeader directive
in htaccess can cause some CGI scripts to run under an unexpected userid.

ELA-1624-1 imagemagick security update

Mon, 26 Jan 2026 17:13:58 +0100

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u25 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u14 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2026-23874

A stack overflow was found via infinite recursion in
MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.

CVE-2026-23876

A heap buffer overflow vulnerability was found in the XBM
image decoder (ReadXBMImage) allows an attacker to write
controlled data past the allocated heap buffer when
processing a maliciously crafted image file.
Any operation that reads or identifies an image can
trigger the overflow, making it exploitable via common
image upload and processing pipelines.

CVE-2026-23952

NULL pointer dereference was found in MSL parser via <comment>
tag before image load

ELA-1623-1 openjdk-11 security update

Mon, 26 Jan 2026 16:30:22 +0100

Package : openjdk-11

Version : 11.0.30+7-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in incorrect certificate validation, CRLF injection or man-in-the-middle attacks.

ELA-1622-1 php7.3 security update

Sun, 25 Jan 2026 19:23:14 +0100

Package : php7.3

Version : 7.3.31-1~deb10u12 (buster)

Related CVEs : CVE-2025-14178

Security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in server side request forgery or denial of service.

CVE-2025-14178: Heap buffer overflow in array_merge().
GHSA-www2-q4fc-65wf: dns_get_record() and other DNS functions don’t have any null contain check, which may lead to SSRF or unexpected behavior. While this has a (low) security impact, no CVE ID was assigned for this vulnerability yet.

ELA-1621-1 taglib security update

Sun, 25 Jan 2026 13:28:39 +0100

Package : taglib

Version : 1.11.1+dfsg.1-0.3+deb9u2 (stretch), 1.11.1+dfsg.1-0.3+deb10u2 (buster)

Related CVEs : CVE-2023-47466

An issues has been found in taglib, an audio meta-data library. The issue is related to a segmentation violation and a resulting application crash due to processing a crafted WAV file in which an id3 chunk is the only valid chunk.

ELA-1620-1 zvbi security update

Sun, 25 Jan 2026 13:26:36 +0100

Package : zvbi

Version : 0.2.35-13+deb9u1 (stretch), 0.2.35-16+deb10u1 (buster)

Several issues have been found in zvbi, a Vertical Blanking Interval decoder. CVE-2025-2173 is related to an uninitialized pointer in src/conv.c:: vbi_strndup_iconv_ucs2() The other issues are related to integer overflows in several functions distributed all over the code.

ELA-1619-1 inetutils security update

Sun, 25 Jan 2026 12:27:45 +0100

Package : inetutils

Version : 1.9.4-2+deb9u4 (stretch), 2:1.9.4-7+deb10u4 (buster)

Related CVEs : CVE-2026-24061

Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils, a collection of common network programs, was vulnerable to an authentication bypass problem in telnetd, which could lead to remote root shell access (if telnetd is enabled and exposed).

As described also in the GNU InetUtils security advisory, it is not recommended to run telnetd server at all. At a minimum, restrict network access to the telnet port to trusted clients only. There is after all no encryption built into the telnet protocol, so authentication details would be sent in plain text over the network (which thus needs to be trusted).

For more details see the GNU InetUtils Security Advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

ELA-1618-1 python-urllib3 security update

Fri, 23 Jan 2026 16:58:20 +0100

Package : python-urllib3

Version : 1.24.1-1+deb10u5 (buster)

Related CVEs : CVE-2026-21441

It was discovered that python-urllib3, an HTTP library with thread-safe connection pooling for Python, was reading the entire response body to drain the connection and unnecessarily decompressed the content when following HTTP redirects via the streaming API.

This decompression occured in way that bypassed the library’s decompression-bomb safeguards. A malicious server could therefore exploit this behavior to trigger denial of service on the client due to excessive resource consumption (high CPU usage and large memory allocations).

ELA-1617-1 gpsd security update

Mon, 19 Jan 2026 22:36:05 +0100

Package : gpsd

Version : 3.17-7+deb10u1 (buster)

Related CVEs : CVE-2025-67268 CVE-2025-67269

Multiple vulnerabilities were found in gpsd, a service daemon that monitors Global Navigation Satellite System (GNSS) receivers attached to a host computer through serial or USB ports.

CVE-2025-67268

gpsd contains a heap-based out-of-bounds write
vulnerability in the drivers/driver_nmea2000.c file.
The hnd_129540 function, which handles NMEA2000 PGN 129540
(GNSS Satellites in View) packets, fails to validate the
user-supplied satellite count against the size of the skyview
array (184 elements). This allows an attacker to write beyond
the bounds of the array by providing a satellite count up
to 255, leading to memory corruption, Denial of Service (DoS),
and potentially arbitrary code execution.

CVE-2025-67269

An integer underflow vulnerability exists in the `nextstate()`
function in `gpsd/packet.c`.
When parsing a NAVCOM packet, the payload length is calculated
using `lexer->length = (size_t)c - 4` without checking if
the input byte `c` is less than 4. This results in an unsigned
integer underflow, setting `lexer->length` to a very large value
(near `SIZE_MAX`). The parser then enters a loop attempting to
consume this massive number of bytes, causing 100% CPU utilization
and a Denial of Service (DoS) condition.

ELA-1616-1 cjose security update

Mon, 19 Jan 2026 02:46:32 +0100

Package : cjose

Version : 0.4.1-3+deb9u1 (stretch)

Related CVEs : CVE-2023-37464

It was discovered that the AES GCM decryption routine of cjose, a C library implementing the JOSE standard, incorrectly uses the tag length from the actual authentication tag provided in the JWE instead of the specified fixed length of 16 bytes.

This allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

ELA-1615-1 tomcat9 security update

Sat, 17 Jan 2026 15:22:40 +0100

Package : tomcat9

Version : 9.0.107-0+deb10u1 (buster)

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. Most notably the update improves the handling of HTTP/2 connections and corrects various flaws which can lead to uncontrolled resource consumption and a Denial of Service (DoS)

A risk analysis was carried out, and it was determined that the best available solution was to backport the bullseye version of Tomcat to buster. This decision means that upon installing this update users of Tomcat in buster will be moving from a Tomcat version of 9.0.31 to 9.0.107.

Unfortunately, some minor incompatibilities may arise, as documented at the end of this advisory.

CVE-2024-34750: Tomcat was affected by an improper handling of exceptional conditions vulnerability. Tomcat mishandled excessive HTTP/2 headers, causing stream miscounts and infinite timeouts that allowed connections to remain open and trigger a denial of service.
CVE-2024-54677: Tomcat was affected by an uncontrolled resource consumption vulnerability. Crafted requests to the bundled examples app could exhaust resources and lead to denial of service.
CVE-2025-31650: Tomcat was affected by an improper input validation vulnerability. Invalid HTTP priority headers were not cleaned up correctly, causing memory leaks that could accumulate and result in an OutOfMemoryException and denial of service.
CVE-2025-31651: Tomcat was affected by an improper neutralization vulnerabiltiy. Certain rewrite rule configurations allowed specially crafted requests to bypass rewrite rules, potentially bypassing associated security constraints.
CVE-2025-46701: Tomcat was affected by an improper handling of case sensitivity vulnerability. The CGI servlet failed to correctly enforce case‑sensitive pathInfo checks, enabling attackers to bypass security constraints by altering URL casing.
CVE-2025-48976: Tomcat was affected by an allocation of resources without limits vulnerabilty. Multipart headers could be crafted in large numbers to consume excessive memory, enabling Denial of Service (DoS).
CVE-2025-48988: Tomcat was affected by an allocation of resources without limits vulnerabilty. Tomcat allowed multipart uploads with many large headers, enabling attackers to exhaust memory and cause Denial of Service (DoS)
CVE-2025-49125: Tomcat was affected by an authentication bypass vulnerability. PreResources or PostResources mounted outside the root could be accessed through unexpected paths not protected by the intended security constraints, enabling bypass of authentication rules.
CVE-2025-52434: Tomcat was affected by a race condition. Improper synchronization during client‑initiated HTTP/2 connection closes could trigger crashes in the APR/Native connector, leading to Denial of Service (DoS).
CVE-2025-52520: Tomcat was affected by an integer overflow. Certain multipart upload configurations could trigger an integer overflow, allowing attackers to bypass size limits and cause Denial of Service (DoS)
CVE-2025-53506: Tomcat was affected by an uncontrolled resource consumption vulnerability. If an HTTP/2 client failed to acknowledge the initial settings frame, Tomcat could allow excessive concurrent streams, resulting in Denial of Service (DoS)

To remediate vulnerabilities in the Tomcat 9 server stack, an upgrade was performed instead of applying minimal patching. The following notworthy changes where identified:

Hardened AJP connector: secretRequired defaults to true. A workarround is to requires explicit config: secretRequired=“false” or better from a security point of view set a secret
Deprecated RemoteAddrFilter and RemoteHostFilter. You may migrate to RemoteCIDRFilter and RemoteCIDRValve
Fix of Session ID propagation for SSO Valve. This may break SSO.

ELA-1613-1 postgresql-9.6 security update

Thu, 15 Jan 2026 20:18:43 +0100

Package : postgresql-9.6

Version : 9.6.24-0+deb9u10 (stretch)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq.
CVE-2025-8713: PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained.
CVE-2025-8714: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
CVE-2025-8715: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
CVE-2025-12818: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.

ELA-1612-1 postgresql-11 security update

Thu, 15 Jan 2026 20:12:30 +0100

Package : postgresql-11

Version : 11.22-0+deb10u6 (buster)

Multiple vulnerabilities were fixed in PostgreSQL, a popular database.

CVE-2025-4207: Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq.
CVE-2025-8713: PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained.
CVE-2025-8714: Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096.
CVE-2025-8715: Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.
CVE-2025-12817: Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail.
CVE-2025-12818: Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by hundreds of megabytes. This results in a segmentation fault for the application using libpq.

ELA-1614-1 linux-6.1 security update

Thu, 15 Jan 2026 19:25:33 +0100

Package : linux-6.1

Version : 6.1.159-1~deb9u1 (stretch), 6.1.159-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1611-1 samba security update

Thu, 15 Jan 2026 16:42:13 +0100

Package : samba

Version : 2:4.5.16+dfsg-1+deb9u6 (stretch), 2:4.9.5+dfsg-5+deb10u6 (buster)

Related CVEs : CVE-2025-9640

A vulnerability was found in Samba, a SMB/CIFS file, print, and login server for Unix, in the streams_xattr VFS server module, where uninitialized heap memory could be written into alternate data streams. An authenticated attacker can read residual memory content that may include sensitive data.

ELA-1610-1 gnupg2 security update

Wed, 14 Jan 2026 15:17:22 -0500

Package : gnupg2

Version : 2.1.18-8~deb9u6 (stretch), 2.2.12-1+deb10u3 (buster)

Related CVEs : CVE-2025-68973

Several issues have been discovered in gnupg2, a tool for secure communication and data storage.

CVE-2025-68973

There exist memory corruptions in the armor parsing code of GnuPG
that can be exploited to provide primitives like out of bounds
buffer read and write. This might be exploitable to the point of
remote code execution (RCE).

Additional issues:

+ Potential key signature digest algorithm downgrade.

  GnuPG may downgrade the message digest algorithm to insecure SHA1
  algorithm during signature checking due to reading from
  uninitialized memory. This reduces the security of User ID
  Certification Signatures to that of SHA1. SHA1 suffers from known
  cryptographic weaknesses like chosen prefix attacks.

+ Multiple plaintext attack on detached PGP signatures.

  An attacker can arbitrarily swap the plaintext shown to a GnuPG
  user, when the user verifies a detached signature versus views it
  with `--decrypt`. This attack allows deceiving users verifying
  messages, following GnuPG usage best practices about the content
  of a message signed with a detached signature. Note, that it is
  possible in many scenarios to convert between signature types,
  i.e., convert a different signature type to a detached signature.

+ GnuPG Accepts Path Separators and Path Traversals in Literal Data.

  GnuPG accepts arbitrary file paths in the unsigned Literal Data
  packet filename field and uses that value without sufficient
  sanitization. In combination with tricking a user with ANSI
  formatted output that changes GnuPG output with deceptive apparent
  GnuPG logs, this can lead to creation or overwrite of any file on
  the system the user can write to, including executable files which
  the user may later execute.

ELA-1609-1 libidn2 security update

Mon, 12 Jan 2026 14:22:25 +0100

Package : libidn2

Version : 2.0.5-1+deb10u2 (buster)

Related CVEs : CVE-2019-12290

It was found that libidn2, a library for internationalized domain names (IDNA2008/TR46), was vulnerable to a domain impersonation attack, where especially crafted domain names could impersonate other domains.

ELA-1608-1 u-boot security update

Mon, 05 Jan 2026 21:24:56 +0530

Package : u-boot

Version : 2016.11+dfsg1-4+deb9u2 (stretch)

Related CVEs : CVE-2025-24857

It was found that improper access control for volatile memory containing boot code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019, IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker to execute arbitrary code.

ELA-1607-1 gimp security update

Mon, 05 Jan 2026 12:00:07 +0100

Package : gimp

Version : 2.8.18-1+deb9u7 (stretch)

Related CVEs : CVE-2007-3126 CVE-2025-14422

Multiple file parsing problems where identified in GIMP, the GNU Image Manipulation Program, that could lead to crashes or even arbitrary code execution when opening malicious files.

CVE-2007-3126: Gimp before 2.8.22 allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero, a similar issue to CVE-2007-2237.
CVE-2025-14422: GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.

NOTE: See ELA-1604-1 for Debian 10 (buster).

ELA-1606-1 imagemagick security update

Mon, 05 Jan 2026 10:04:32 +0100

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u24 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u13 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2025-65955

A vulnerability was found in ImageMagick’s Magick++ layer that
manifests when Options::fontFamily is invoked with an empty
string. Clearing a font family calls RelinquishMagickMemory on
_drawInfo->font, freeing the font string but leaving _drawInfo->font
pointing to freed memory while _drawInfo->family is set to that
(now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font
re-frees or dereferences dangling memory. DestroyDrawInfo and other
setters (Options::font, Image::font) assume _drawInfo->font remains
valid, so destruction or subsequent updates trigger crashes or heap
corruption

CVE-2025-66628

The TIM (PSX TIM) image parser contains a critical integer overflow
vulnerability in its ReadTIMImage function (coders/tim.c). The code
reads width and height (16-bit values) from the file header and
calculates image_size = 2 * width * height without checking for
overflow. On 32-bit systems (or where size_t is 32-bit), this
calculation can overflow if width and height are large (e.g., 65535),
wrapping around to a small value

CVE-2025-68618

Magick's failure to limit the depth of SVG file reads caused
a DoS attack.

CVE-2025-68950

Magick's failure to limit MVG mutual references forming a loop

CVE-2025-69204

Converting a malicious MVG file to SVG caused an integer overflow.

ELA-1605-1 adminer security update

Sun, 04 Jan 2026 20:31:57 +0530

Package : adminer

Version : 4.7.1-1+deb10u2 (buster)

Related CVEs : CVE-2023-45195 CVE-2023-45196

Multiple vulnerabilities were found in adminer, a web-based database administration tool.

CVE-2023-45195: Adminer is vulnerable to SSRF via database connection fields. This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.
CVE-2023-45196: Adminer allows an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. The denial of service is subject to PHP configuration limits.

ELA-1604-1 gimp security update

Sat, 03 Jan 2026 13:53:04 +0100

Package : gimp

Version : 2.10.8-2+deb10u6 (buster)

Related CVEs : CVE-2025-14422 CVE-2025-14425

Multiple file parsing problems where identified in GIMP, the GNU Image Manipulation Program, that could lead to crashes or even arbitrary code execution when opening malicious files.

CVE-2025-14422: GIMP PNM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PNM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28273.
CVE-2025-14425: GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28248.

NOTE: See ELA-1607-1 for Debian 9 (stretch).

ELA-1603-1 net-snmp security update

Thu, 01 Jan 2026 13:53:27 +0100

Package : net-snmp

Version : 5.7.3+dfsg-1.7+deb9u6 (stretch), 5.7.3+dfsg-5+deb10u5 (buster)

Related CVEs : CVE-2025-68615

net-snmp is a SNMP application library, tools and daemon.

A specially crafted packet to an net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.

(SNMP ports should never be open to public networks. There is no mitigation available other than ensuring ports to snmptrapd are appropriately firewalled or by upgrading.)

ELA-1602-1 python-django security update

Mon, 29 Dec 2025 12:41:48 -0800

Package : python-django

Version : 1:1.10.7-2+deb9u28 (stretch), 1:1.11.29-1+deb10u17 (buster)

Related CVEs : CVE-2025-64460

A potential denial-of-service vulnerability was discovered in Django, a popular Python-based web development framework.

An algorithmic complexity issue in the getInnerText() method in the django.core.serializers.xml_serializer class could have allowed a remote attacker to cause a potential denial-of-service, triggering CPU and memory exhaustion via a specially crafted XML input submitted to a service that invokes the XML Deserializer. The vulnerability resulted from repeated string concatenation while recursively collecting text nodes which produced superlinear-style computation.

ELA-1601-1 python-urllib3 security update

Fri, 26 Dec 2025 13:46:01 +0100

Package : python-urllib3

Version : 1.19.1-1+deb9u4 (stretch), 1.24.1-1+deb10u4 (buster)

Related CVEs : CVE-2025-50181 CVE-2025-66418

CVE-2025-50181: Redirects were not disabled when retries are disabled on PoolManager instantiation. An application attempting to mitigate server-side request forgery (SSRF) or open redirect vulnerabilities by disabling redirects at the PoolManager level remained vulnerable.
CVE-2025-66418: The number of links in the decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps which could lead to denial of service.

ELA-1600-1 gst-plugins-base1.0 security update

Fri, 26 Dec 2025 12:14:39 +0530

Package : gst-plugins-base1.0

Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-2+deb10u5 (buster)

Multiple vulnerabilities were found in the plugins for the GStreamer media framework leading to a crash.

CVE-2025-47806

In GStreamer, the subparse plugin's parse_subrip_time function
may write data past the bounds of a stack buffer, leading to
a crash.

CVE-2025-47807

In GStreamer, the subparse plugin's subrip_unescape_formatting
function may dereference a NULL pointer while parsing a subtitle
file, leading to a crash.

CVE-2025-47808

In GStreamer, the subparse plugin's tmplayer_parse_line function may
dereference a NULL pointer while parsing a subtitle file, leading to
a crash.

ELA-1599-1 usbmuxd security update

Mon, 22 Dec 2025 03:21:41 +0530

Package : usbmuxd

Version : 1.1.0-2+deb9u1 (stretch), 1.1.1~git20181007.f838cf6-1+deb10u1 (buster)

Related CVEs : CVE-2025-66004

It was discovered that usbmuxd, USB multiplexor daemon for iPhone and iPod Touch devices, incorrectly handled certain paths received with the SavePairRecord command. A local attacker could possibly use this issue to delete and write files named *.plist in arbitrary locations.

ELA-1598-1 roundcube security update

Fri, 19 Dec 2025 21:38:39 +0100

Package : roundcube

Version : 1.3.17+dfsg.1-1~deb10u9 (buster)

Related CVEs : CVE-2025-68460 CVE-2025-68461

CVE-2025-68460: Information disclosure vulnerability in the HTML style sanitizer.
CVE-2025-68461: Cross-Site-Scripting (XSS) vulnerability via SVG’s <animate> tag, which could allow a remote attacker to load arbitrary JavaScript code and might lead to privilege escalation or information disclosure via malicious SVG document.

ELA-1597-1 glib2.0 security update

Thu, 18 Dec 2025 14:34:09 +0100

Package : glib2.0

Version : 2.50.3-2+deb9u8 (stretch), 2.58.3-2+deb10u9 (buster)

ELA-1596-1 python-apt security update

Tue, 16 Dec 2025 01:26:01 +0530

Package : python-apt

Version : 1.4.4 (stretch), 1.8.4.4 (buster)

Related CVEs : CVE-2025-6966

Julian Andres Klode discovered that python-apt, a Python interface to libapt-pkg, incorrectly handled deb822 configuration files. An attacker could use this issue to cause python-apt to crash, resulting in a denial of service.

ELA-1595-1 linux-5.10 security update

Sat, 13 Dec 2025 08:58:04 +0100

Package : linux-5.10

Version : 5.10.247-1~deb9u1 (stretch), 5.10.247-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This version additionally includes many more bug fixes from stable updates 5.10.245-5.10.247. The broken pktcdvd driver has also been disabled.

ELA-1594-1 tzdata new timezone database

Fri, 12 Dec 2025 10:46:53 +0100

Package : tzdata

Version : 2025b-0+deb9u2 (stretch), 2025b-0+deb10u2 (buster)

This update includes the latest changes to the leap second list, including an update to its expiry date, which was set for the end of December.

ELA-1593-1 libsoup2.4 security update

Thu, 11 Dec 2025 14:54:07 +0100

Package : libsoup2.4

Version : 2.56.0-2+deb9u5 (stretch), 2.64.2-2+deb10u3 (buster)

Several vulnerabilities have been found in libsoup2.4.

libsoup is an HTTP client/server library for GNOME. It uses GObjects and the glib main loop, to integrate well with GNOME applications.

CVE-2025-4945: integer overflow in cookie parsing.

A flaw was found in the cookie parsing logic of the libsoup HTTP
library, used in GNOME applications and other software. The
vulnerability arises when processing the expiration date of cookies,
where a specially crafted value can trigger an integer overflow. This
may result in undefined behavior, allowing an attacker to bypass cookie
expiration logic, causing persistent or unintended cookie behavior. The
issue stems from improper validation of large integer inputs during date
arithmetic operations within the cookie parsing routines.

CVE-2025-4476: crash in soup_auth_digest_get_protection_space.

A denial-of-service vulnerability has been identified in the libsoup
HTTP client library. This flaw can be triggered when a libsoup client
receives a 401 (Unauthorized) HTTP response containing a specifically
crafted domain parameter within the WWW-Authenticate header. Processing
this malformed header can lead to a crash of the client application
using libsoup. An attacker could exploit this by setting up a malicious
HTTP server. If a user's application using the vulnerable libsoup
library connects to this malicious server, it could result in a
denial-of-service. Successful exploitation requires tricking a user's
client application into connecting to the attacker's malicious server.

CVE-2025-4948: verify boundary limits for multipart body.

A flaw was found in the soup_multipart_new_from_message() function of
the libsoup HTTP library, which is commonly used by GNOME and other
applications to handle web communications. The issue occurs when the
library processes specially crafted multipart messages. Due to improper
validation, an internal calculation can go wrong, leading to an integer
underflow. This can cause the program to access invalid memory and
crash. As a result, any application or server using libsoup could be
forced to exit unexpectedly, creating a denial-of-service (DoS) risk.

CVE-2025-4969: verify array bounds before accessing.

A vulnerability was found in the libsoup package. This flaw stems from
its failure to correctly verify the termination of multipart HTTP
messages. This can allow a remote attacker to send a specially crafted
multipart HTTP body, causing the libsoup-consuming server to read beyond
its allocated memory boundaries (out-of-bounds read).

ELA-1592-1 libssh security update

Wed, 10 Dec 2025 15:45:53 +0100

Package : libssh

Version : 0.7.3-2+deb9u5 (stretch)

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2023-6004

Vinci found a command injection issue in the ProxyCommand and ProxyJump
features.

CVE-2025-4877

Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878

Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318

Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114

Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277

Francesco Rollo a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.

ELA-1591-1 libssh security update

Wed, 10 Dec 2025 15:42:47 +0100

Package : libssh

Version : 0.8.7-1+deb10u4 (buster)

Several vulnerabilities have been found in libssh, a tiny C SSH library.

CVE-2025-4877

Ronald Crane found that bin_to_base64() could experience an integer
overflow and subsequent under allocation, leading to an out of
bounds write on 32-bit builds.

CVE-2025-4878

Ronald Crane found that privatekey_from_file() used an uninitialized
variable under certain conditions, which could lead to signing
failure, use-after-free or memory corruption.

CVE-2025-5318

Ronald Crane found that sftp_handle() had an incorrect check, which
could lead to an out of bounds read.

CVE-2025-8114

Philippe Antoine found a null pointer dereference issue when libssh
calculates the session id for the key exchange (KEX) process and an
error happens when allocating memory using cryptographic functions,
leading to a crash.

CVE-2025-8277

Francesco Rollo a memory leak during the KEX process when a client
sets the `first_kex_packet_follows` flag in the KEXINIT message and
repeatedly makes incorrect KEX guesses.

ELA-1590-1 lasso security update

Mon, 08 Dec 2025 11:46:18 +0100

Package : lasso

Version : 2.5.0-5+deb9u2 (stretch), 2.6.0-2+deb10u2 (buster)

Keane O’Kelley discovered several vulnerabilities in lasso, a library implementing Liberty Alliance and SAML protocols, which could result in denial of service or the execution of arbitrary code.

ELA-1589-1 libpng1.6 security update

Sun, 07 Dec 2025 09:04:13 +0100

Package : libpng1.6

Version : 1.6.28-1+deb9u2 (stretch), 1.6.36-6+deb10u1 (buster)

Multiple vulnerabilties have been found in libpng, the official PNG reference library, allowing information disclosure via out-of-bounds read, denial of service via application crash, or heap corruption with potential for arbitrary code execution.

CVE-2025-64505

Heap buffer over-read in png_do_quantize via malformed palette index.

CVE-2025-64506

Heap buffer over-read in png_write_image_8bit

CVE-2025-64720

Buffer overflow in png_image_read_composite via incorrect palette
premultiplication

CVE-2025-65018

Heap buffer overflow in png_combine_row triggered via png_image_finish_read

CVE-2025-66293

An out-of-bounds read vulnerability in libpng's simplified API allows
reading up to 1012 bytes beyond the png_sRGB_base[512] array when
processing palette PNG images with partial transparency and gamma correction

ELA-1588-1 libhtp security update

Thu, 04 Dec 2025 13:28:35 -0300

Package : libhtp

Version : 1:0.5.30-1+deb10u1 (buster)

Related CVEs : CVE-2024-23837 CVE-2024-45797

Multiple cases of denial of service due to excessive CPU time and memory utilization have been fixed in LibHTP, a parser for the HTTP protocol mainly used by the network analysis and threat detection software Suricata.

ELA-1587-1 libapache2-mod-auth-openidc security update

Wed, 03 Dec 2025 12:51:01 +0100

Package : libapache2-mod-auth-openidc

Version : 2.3.10.2-1+deb10u5 (buster)

Related CVEs : CVE-2025-3891

A vulnerability has been fixed in mod_auth_openidc, an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality.

An unauthenticated attacker can crash the Apache httpd process by sending a POST request without a Content-Type header when OIDCPreservePost is enabled in mod_auth_openidc. This leads to denial of service.

A workaround is to disable the OIDCPreservePost directive.

ELA-1568-2 unbound1.9 security update

Mon, 01 Dec 2025 00:24:29 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u8 (stretch)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the initial fix for CVE-2025-11411 as applied in ELA 1568-1 did not fully fix the vulnerability. Updated packages correcting this issue are now available.

Additionally, this update includes a fix for potential amplification DDoS attacks due to improperly following cleared RD flags.

ELA-1567-2 unbound security update

Mon, 01 Dec 2025 00:23:18 +0100

Package : unbound

Version : 1.9.0-2+deb10u8 (buster)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that the initial fix for CVE-2025-11411 as applied in ELA 1567-1 did not fully fix the vulnerability. Updated packages correcting this issue are now available.

Additionally, this update includes a fix for potential amplification DDoS attacks due to improperly following cleared RD flags.

ELA-1586-1 cups-filters security update

Sun, 30 Nov 2025 18:41:49 +0100

Package : cups-filters

Version : 1.11.6-3+deb9u4 (stretch), 1.21.6-5+deb10u3 (buster)

Several issues have been found in cups-filters, which provides additional CUPS filters.

CVE-2025-64503 out of bounds write vulnerability when processing crafted PDF files containing a large ‘Mediabox’ value
CVE-2025-57812 out of bounds read/write vulnerability in the processing of TIFF image files
CVE-2025-64524 infinite loop with crafted input raster file, that resuls into a heap buffer overflow

ELA-1585-1 qtbase-opensource-src security update

Sat, 29 Nov 2025 10:41:24 +0100

Package : qtbase-opensource-src

Version : 5.7.1+dfsg-3+deb9u6 (stretch)

Related CVEs : CVE-2015-9541

An exponential XML entity expansion was discovered in Qt, a cross-platform C++ application framework. A crafted SVG document was mishandled in QXmlStreamReader and would cause a denial of service, a related issue to CVE 2003-1564 (“billion laughs attack”).

ELA-1584-1 qtbase-opensource-src security update

Sat, 29 Nov 2025 10:41:13 +0100

Package : qtbase-opensource-src

Version : 5.11.3+dfsg1-1+deb10u8 (buster)

Related CVEs : CVE-2024-39936

A race condition was discovered in Qt, a cross-platform C++ application framework. Code to make security-relevant decisions about an established HTTP2 connection may execute too early, because the encrypted() signal has not yet been emitted and processed.

ELA-1583-1 linux-6.1 security update

Tue, 25 Nov 2025 16:00:49 +0100

Package : linux-6.1

Version : 6.1.158-1~deb9u1 (stretch), 6.1.158-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1582-1 erlang security update

Mon, 24 Nov 2025 17:48:27 +0100

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u5 (stretch), 1:22.2.7+dfsg-1+deb10u4 (buster)

Multiple vulnerabilities were fixed in Erlang a concurrent, real-time, distributed functional language.

CVE-2025-4748: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Erlang OTP (stdlib modules) allows Absolute Path Traversal, File Manipulation. This vulnerability is associated with program files lib/stdlib/src/zip.erl and program routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless the memory option is passed.
CVE-2025-48038, CVE-2025-48039, CVE-2025-48041: Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure, Flooding. These vulnerabilities are associated with program files lib/ssh/src/ssh_sftpd.erl.

ELA-1581-1 libsoup2.4 security update

Wed, 19 Nov 2025 09:39:12 +0100

Package : libsoup2.4

Version : 2.56.0-2+deb9u4 (stretch), 2.64.2-2+deb10u2 (buster)

Multiple issues has been identified in libsoup2.4. This update contains fixes for a few of them that have previously been addressed in LTS and newer releases. Additional updates will come when more of the recently allocated CVE ids have been analyzed.

CVE-2025-2784: heap buffer over-read when sniffing content via the skip_insight_whitespace() function. Libsoup clients may read one byte out-of-bounds in response to a crafted HTTP response by an HTTP server.

CVE-2025-32050: libsoup append_param_quoted() function may contain an overflow bug resulting in a buffer under-read.

CVE-2025-32052: vulnerability in the sniff_unknown() function may lead to heap buffer over-read.

CVE-2025-32053: vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read.

CVE-2025-32906: soup_headers_parse_request() function may be vulnerable to an out-of-bound read. This flaw allows a malicious user to use a specially crafted HTTP request to crash the HTTP server.

CVE-2025-32909: SoupContentSniffer may be vulnerable to a NULL pointer dereference in the sniff_mp4 function. The HTTP server may cause the libsoup client to crash.

CVE-2025-32910: soup_auth_digest_authenticate() is vulnerable to a NULL pointer dereference. This issue may cause the libsoup client to crash.

CVE-2025-32911: use-after-free memory issue not on the heap in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.

CVE-2025-32913: the soup_message_headers_get_content_disposition() function is vulnerable to a NULL pointer dereference. This flaw allows a malicious HTTP peer to crash a libsoup client or server that uses this function.

CVE-2025-32914: the soup_multipart_new_from_message() function is vulnerable to an out-of-bounds read. This flaw allows a malicious HTTP client to induce the libsoup server to read out of bounds.

CVE-2025-32912: SoupAuthDigest is vulnerable to a NULL pointer dereference. The HTTP server may cause the libsoup client to crash.

Additionally for buster an updated test certificate was included that extends the expiration to year 2049.

ELA-1580-1 libssh security update

Tue, 18 Nov 2025 15:51:19 +0100

Package : libssh

Version : 0.8.7-1+deb10u3 (buster)

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2020-16135

A NULL pointer dereference was found in sftpserver, which would lead
to denial of service.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.

ELA-1579-1 mbedtls security update

Mon, 17 Nov 2025 15:08:43 +0100

Package : mbedtls

Version : 2.16.9-0~deb10u2 (buster)

Multiple vulnerabilities have been fixed in mbedtls, a lightweight crypto and SSL/TLS library.

CVE-2025-47917

MbedTLS allows use-after-free in certain situations in the correctly developed applications.
CVE-2025-48965

The handling of val.p and val.len in mbedtls_asn1_store_named_data was inconsistent and allowed NULL pointer dereference. The fix for this issue depended on fixes for two related issues in the same piece of code, which are now also fixed.
CVE-2025-52496

A race condition in AESNI detection could occur if certain compiler optimisations were applied, making it possible to extract an AES key from a multithreaded program or perform a GCM forgery.
CVE-2025-52497

In mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, one-byte heap-based buffer underflow could occur.

ELA-1578-1 squid security update

Fri, 14 Nov 2025 17:49:49 +0100

Package : squid

Version : 4.13-10+deb11u6~deb10u1 (buster)

Multiple vulnerabilities were reported in Squid, a popular proxy server.

The changes required to fix all the open vulnerabilities, especially CVE-2025-62168, were too invasive to be backported individually, and the risk of regressions was too high due to large amount of source code that needed to be modified or rewritten, including the internal C++ library.

After carrying out a risk analysis, it was determined that the best available solution was to backport the version from Debian 11 “bullseye” to Debian 10. This decision means that, upon installing this update, users of Squid in Debian 10 will be moving from Squid version 4.6 to 4.13.

Please note that to remediate CVE-2025-62168, users need to review their Squid configuration and disable the insecure email_err_data setting if it was previously enabled. The CVE-2025-62168 patch disables this configuration by default, but it does not override existing insecure administrator-defined settings.

CVE-2023-5824:

The limits applied for validation of HTTP response headers are applied before caching. However, Squid may grow a cached HTTP response header beyond the configured maximum size, causing a stall or crash of the worker process when a large header is retrieved from the disk cache, resulting in a denial of service.

CVE-2023-46728:

Due to a NULL pointer dereference bug Squid is vulnerable to a Denial of Service attack against Squid's Gopher gateway. The gopher protocol support was enabled by default in previous Squid versions. Responses triggering this bug can be received from any gopher server, even those without malicious intent.
Gopher support has been removed.

CVE-2025-54574:

Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management.

CVE-2025-59362:

Squid mishandles ASN.1 encoding of long SNMP OIDs. This occurs in `asn_build_objid` in `lib/snmplib/asn1.c`.

CVE-2025-62168:

Failure to redact HTTP authentication credentials in error handling allows information disclosure. The vulnerability allows a malicious actor to bypass browser security protections and learn the credentials a trusted client uses to authenticate. This potentially allows a remote client to identify security tokens or credentials used internally by a web application using Squid for backend load balancing. These attacks do not require Squid to be configured with HTTP authentication.

ELA-1577-1 gst-plugins-good1.0 security update

Thu, 13 Nov 2025 16:46:12 +0100

Package : gst-plugins-good1.0

Version : 1.10.4-1+deb9u5 (stretch)

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework.

CVE-2024-47543:

An OOB-read vulnerability has been discovered
in qtdemux_parse_container function within qtdemux.c.
In the parent function qtdemux_parse_node, the value of
length is not well checked. So, if length is big enough,
it causes the pointer end to point beyond the boundaries
of buffer. Subsequently, in the qtdemux_parse_container
function, the while loop can trigger an OOB-read,
accessing memory beyond the bounds of buf.
This vulnerability can result in reading up to
4GB of process memory or potentially causing a
segmentation fault (SEGV) when accessing invalid memory

CVE-2024-47545:

An integer underflow has been detected in qtdemux_parse_trak function
within qtdemux.c. During the strf parsing case, the subtraction
size -= 40 can lead to a negative integer overflow if it is less than
40. If this happens, the subsequent call to gst_buffer_fill will
invoke memcpy with a large tocopy size, resulting in an OOB-read.

CVE-2024-47546:

An integer underflow has been detected
in extract_cc_from_data function within qtdemux.c.
In the FOURCC_c708 case, the subtraction atom_length - 8
may result in an underflow if atom_length is less than 8.
When that subtraction underflows, *cclen ends up being a
large number, and then cclen is passed to g_memdup2
leading to an out-of-bounds (OOB) read

CVE-2024-47597:

An OOB-read has been detected in the function
qtdemux_parse_samples within qtdemux.c. This issue arises
when the function qtdemux_parse_samples reads data beyond
the boundaries of the stream->stco buffer. The following code
snippet shows the call to qt_atom_parser_get_offset_unchecked,
which leads to the OOB-read when parsing the provided
GHSL-2024-245_crash1.mp4 file. This issue may lead
to read up to 8 bytes out-of-bounds.

CVE-2025-47219:

The isomp4 plugin's qtdemux_parse_trak() function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

ELA-1576-1 gst-plugins-good1.0 security update

Wed, 12 Nov 2025 21:42:42 +0100

Package : gst-plugins-good1.0

Version : 1.14.4-1+deb10u5 (buster)

Related CVEs : CVE-2025-47183 CVE-2025-47219

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework.

CVE-2025-47183

The isomp4 plugin's qtdemux_parse_tree() function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure.

CVE-2025-47219

The isomp4 plugin's qtdemux_parse_trak() function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure.

ELA-1575-1 libarchive security update

Tue, 11 Nov 2025 11:13:35 +0100

Package : libarchive

Version : 3.2.2-2+deb9u6 (stretch), 3.3.3-4+deb10u5 (buster)

Multiple vulnerabilties were fixed in libarchive a multi-format archive and compression library.

CVE-2025-5914

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

CVE-2025-5916

This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive.

CVE-2025-5917

This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation.

CVE-2025-5918

This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

ELA-1574-1 dcmtk security update

Tue, 11 Nov 2025 08:35:57 +0100

Package : dcmtk

Version : 3.6.4-2.1+deb10u4 (buster)

Several vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts of the DICOM standard for medical images.

CVE-2025-9732

Processing of an invalid DICOM image with a Photometric
Interpretation of "YBR_FULL" and a Planar Configuration of "1" where
the number of pixels stored does not match the expected number of pixels.
This may lead to memory corruption.

CVE-2022-4981

Various issues in the dcmqrscp configuration file parser that could cause
application crashes when reading a malformed configuration file, due to
insufficient checks of the input data.

CVE-2020-36855

Stack-based overflow in the dcmqrscp config parser.

ELA-1573-1 gimp security update

Tue, 11 Nov 2025 08:29:55 +0100

Package : gimp

Version : 2.8.18-1+deb9u6 (stretch), 2.10.8-2+deb10u5 (buster)

Related CVEs : CVE-2025-10934

GIMP, the GNU Image Manipulation Program, is vulnerable to a heap-based buffer overflow when parsing XWD files. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP and requires the target to visit a malicious page or open a malicious file.

ELA-1572-1 geographiclib security update

Tue, 11 Nov 2025 08:25:22 +0100

Package : geographiclib

Version : 1.46-2+deb9u1 (stretch), 1.49-4+deb10u1 (buster)

Related CVEs : CVE-2025-60751

Geographiclib is a C++ library to solve geodesic problems. A stack buffer overflow occurs when the GeoConvert tool receives a crafted input. The overflow occurs because the program does not properly validate an internal index, allowing an out-of-bounds write on the stack. An attacker can exploit this vulnerability to hijack the program’s control flow by overwriting a return address to point to a libc function and execute arbitrary code.

ELA-1571-1 strongswan security update

Tue, 11 Nov 2025 02:31:10 +0100

Package : strongswan

Version : 5.7.2-1+deb10u5 (buster)

Related CVEs : CVE-2025-62291

Xu Biang discovered a buffer overflow bug in the eap-mschapv2 plugin of strongSwan, an IKE/IPsec suite. The eap-mschapv2 plugin does not correctly check the length of an EAP-MSCHAPv2 Failure Request packet on the client, which can cause an integer underflow that leads to a crash, and a heap-based buffer overflow that’s potentially exploitable for remote code execution.

ELA-1570-1 gdk-pixbuf security update

Sun, 09 Nov 2025 23:36:46 -0300

Package : gdk-pixbuf

Version : 2.36.5-2+deb9u4 (stretch), 2.38.1+dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2025-7345

A vulnerability was found in gdk-pixbuf, a library used by many GTK applications to load graphical assets. When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding.

ELA-1569-1 openjdk-8 security update

Fri, 07 Nov 2025 11:01:11 +0100

Package : openjdk-8

Version : 8u472-ga-1~deb9u1 (stretch)

Related CVEs : CVE-2025-53057 CVE-2025-53066

Two vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in XML external entity injection attacks or incorrect certificate validation.

ELA-1568-1 unbound1.9 security update

Thu, 06 Nov 2025 20:13:31 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u7 (stretch)

Related CVEs : CVE-2025-11411

Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that unbound, a validating, recursive, and caching DNS resolver, was vulnerable to cache poisoning via NS RRSet injection, which could lead to domain hijack.

Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver’s knowledge of the zone’s name servers. A malicious actor who is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) can poison Unbound’s cache for the delegation point.

The fix scrubs unsolicited NS RRSets (and their respective address records) from replies, thereby mitigating the possible poison effect. The protection can be turned off by setting the new configuration option “iter-scrub-promiscuous” to “no”, see unbound.conf(5).

ELA-1567-1 unbound security update

Thu, 06 Nov 2025 20:13:30 +0100

Package : unbound

Version : 1.9.0-2+deb10u7 (buster)

Related CVEs : CVE-2025-11411

ELA-1566-1 pure-ftpd security update

Mon, 03 Nov 2025 19:27:42 -0300

Package : pure-ftpd

Version : 1.0.47-3+deb10u1 (buster)

Multiple vulnerabilities were discovered in pure-ftpd, a secure and efficient FTP server, that could lead to data corruption, information disclosure or program crash.

CVE-2019-20176:

Stack exhaustion in the listdir function in ls.c.

CVE-2020-9274:

Uninitialized pointer in the diraliases linked list.

CVE-2020-9365:

Out-of-bounds (OOB) read in the pure_strcmp function in utils.c.

CVE-2021-40524:

Incorrect max_filesize quota mechanism in the server allows adversaries to
upload files of unbounded size.

ELA-1565-1 git security update

Fri, 31 Oct 2025 16:31:45 +0100

Package : git

Version : 1:2.11.0-3+deb9u13 (stretch), 1:2.20.1-2+deb10u11 (buster)

Multiple vulnerabilities have been discovered in git, the distributed revision control system.

CVE-2025-27613

Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when
a user clones an untrusted repository and runs gitk without additional
command arguments, files for which the user has write permission can be
created and truncated.

CVE-2025-46835

Git GUI allows you to use the Git source control management tools via a GUI.
When a user clones an untrusted repository and is tricked into editing a
file located in a maliciously named directory in the repository, then Git
GUI can create and overwrite files for which the user has write permission.

CVE-2025-48384

When reading a config value, Git strips any trailing carriage return and line
feed (CRLF). When writing a config entry, values with a trailing CR are not
quoted, causing the CR to be lost when the config is later read. When
initializing a submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out to an
incorrect location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed after checkout.

ELA-1564-1 qemu security update

Thu, 30 Oct 2025 15:52:21 -0300

Package : qemu

Version : 1:2.8+dfsg-6+deb9u20 (stretch)

Related CVEs : CVE-2023-3019 CVE-2024-3447

Multiple security issues were found in QEMU, a fast processor emulator, that could result in denial of service, information leak, or privilege escalation.

CVE-2023-3019

Use-after-free error in the e1000e NIC emulation.

CVE-2024-3447

Heap-based buffer overflow in SDHCI device emulation.

This update also removes the usage of the C (Credential) flag for the binfmt_misc registration within the qemu-user-static (and qemu-user-binfmt) packages, as it allowed for privilege escalation when running a suid/sgid binary under qemu-user. This means suid/sgid foreign-architecture binaries are not running with elevated privileges under qemu-user anymore. If you relied on this behavior of qemu-user in the past (running suid/sgid foreign-arch binaries), this will require changes to your deployment.

In Debian 9 “stretch”, the affected packages are qemu-user-static (and qemu-user-binfmt).

ELA-1562-1 ghostscript security update

Thu, 30 Oct 2025 16:20:46 +0100

Package : ghostscript

Version : 9.26a~dfsg-0+deb9u15 (stretch), 9.27~dfsg-2+deb10u12 (buster)

Related CVEs : CVE-2025-59798 CVE-2025-59799

It was discovered that Ghostscript incorrectly handled some PDF files. An attacker could use this issue to cause Ghostscript to crash, resulting in a denial of service.

ELA-1563-1 openssl1.0 security update

Thu, 30 Oct 2025 09:50:01 +0100

Package : openssl1.0

Version : 1.0.2u-1~deb9u11 (stretch)

Related CVEs : CVE-2025-9230

Stanislav Fort discovered an out of bounds read and write issue when decrypting CMS messages that were encrypted using password based encryption.

ELA-1561-1 xorg-server security update

Wed, 29 Oct 2025 18:50:19 +0100

Package : xorg-server

Version : 2:1.19.2-1+deb9u23 (stretch), 2:1.20.4-1+deb10u18 (buster)

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-1560-1 intel-microcode security update

Wed, 29 Oct 2025 17:19:16 +0100

Package : intel-microcode

Version : 3.20250812.1~deb9u1 (stretch), 3.20250812.1~deb10u1 (buster)

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in privilege escalation or denial of service.

CVE-2025-20053

Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with
SGX enabled may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2025-20109

Improper Isolation or Compartmentalization in the stream cache mechanism for
some Intel(R) Processors may allow an authenticated user to potentially enable
escalation of privilege via local access.

CVE-2025-21090

Missing reference to active allocated resource for some Intel(R) Xeon(R)
processors may allow an authenticated user to potentially enable denial of
service via local access.

CVE-2025-22839

Insufficient granularity of access control in the OOB-MSM for some Intel(R)
Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable
escalation of privilege via adjacent access.

CVE-2025-22840

Sequence of processor instructions leads to unexpected behavior for some
Intel(R) Xeon(R) 6 Scalable processors may allow an authenticated user to
potentially enable escalation of privilege via local access

CVE-2025-22889

Improper handling of overlap between protected memory ranges for some Intel(R)
Xeon(R) 6 processor with Intel(R) TDX may allow a privileged user to
potentially enable escalation of privilege via local access.

CVE-2025-24305

Insufficient control flow management in the Alias Checking Trusted Module
(ACTM) firmware for some Intel(R) Xeon(R) processors may allow a privileged
user to potentially enable escalation of privilege via local access.

CVE-2025-26403

Out-of-bounds write in the memory subsystem for some Intel(R) Xeon(R) 6
processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user
to potentially enable escalation of privilege via local access.

CVE-2025-32086

Improperly implemented security check for standard in the DDRIO configuration
for some Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX
may allow a privileged user to potentially enable escalation of privilege via
local access.

ELA-1559-1 openssl security update

Wed, 29 Oct 2025 15:24:31 +0100

Package : openssl

Version : 1.1.0l-1~deb9u11 (stretch)

Related CVEs : CVE-2025-9230

Stanislav Fort discovered an out of bounds read and write issue when decrypting CMS messages that were encrypted using password based encryption.

ELA-1558-1 openssl security update

Wed, 29 Oct 2025 11:58:53 +0100

Package : openssl

Version : 1.1.1n-0+deb10u8 (buster)

Related CVEs : CVE-2024-13176 CVE-2025-9230

Two vulnerabilities were found in OpenSSL, a Secure Sockets Layer toolkit:

CVE-2024-13176

A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

CVE-2025-9230

An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.

ELA-1557-1 python-pip security update

Wed, 29 Oct 2025 00:51:32 +0100

Package : python-pip

Version : 9.0.1-2+deb9u3 (stretch), 18.1-5+deb10u1 (buster)

Multiple vulnerabilities have been discovered in python-pip, the Python package installer.

CVE-2019-20916

Directory traversal is possible when a URL is given in an install command,
because a Content-Disposition header can have ../ in a filename.

This issue had been fixed in Stretch already via version 9.0.1-2+deb9u2 of
python-pip (DLA-2370-1).

CVE-2021-3572

A flaw exists in the way Unicode separators are handled in Git references.

CVE-2023-5752

When installing a package from a Mercurial VCS URL, arbitrary configuration
options could be injected to the "hg clone" call.

CVE-2025-8869

Pip's tar extraction doesn't check that symbolic links point to extraction
directory.

ELA-1556-1 openjdk-11 security update

Sun, 26 Oct 2025 20:48:27 +0100

Package : openjdk-11

Version : 11.0.29+6-1~deb10u1 (buster)

Related CVEs : CVE-2025-53057 CVE-2025-53066

Two vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in XML external entity injection attacks or incorrect certificate validation.

ELA-1555-1 request-tracker4 security update

Sun, 26 Oct 2025 12:57:27 +0100

Package : request-tracker4

Version : 4.4.3-2+deb10u5 (buster)

Related CVEs : CVE-2025-61873

It was discovered that Request Tracker, an extensible trouble-ticket tracking system is prone to a CSV injection via ticket values with special characters that are exported to a TSV from search results.

ELA-1554-1 node-form-data security update

Sat, 25 Oct 2025 17:26:26 +0200

Package : node-form-data

Version : 2.3.2-2+deb10u1 (buster)

Related CVEs : CVE-2025-7783

It was discovered that there was a potential HTTP Parameter Pollution (HPP) issue in node-form-data, a tool to create multipart/form-data streams module in Node.js applications.

ELA-1553-1 icedtea-web security update

Sat, 25 Oct 2025 15:04:37 +0200

Package : icedtea-web

Version : 1.6.2-3.1+deb9u2 (stretch), 1.7.2-2+deb10u1 (buster)

Several security vulnerabilities were found in icedtea-web, an implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

 It was found that in icedtea-web executable code could be injected
 in a JAR file without compromising the signature verification. An
 attacker could use this flaw to inject code in a trusted JAR. The
 code would be executed inside the sandbox.

CVE-2019-10182

 It was found that icedtea-web did not properly sanitize paths from
 <jar/> elements in JNLP files. An attacker could trick a victim
 into running a specially crafted application and use this flaw to
 upload arbitrary files to arbitrary locations in the context of the
 user.

CVE-2019-10185

It was found that icedtea-web was vulnerable to a zip-slip attack
during auto-extraction of a JAR file. An attacker could use this
flaw to write files to arbitrary locations. This could also be used
to replace the main running application and, possibly, break out of
the sandbox.

ELA-1552-1 xrdp security update

Fri, 24 Oct 2025 19:35:12 +0200

Package : xrdp

Version : 0.9.9-1+deb10u4 (buster)

Three issues found in xrdp are addressed in this update. xrdp is an open source remote desktop protocol (RDP) server.

xrdp had a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter MaxLoginRetry in /etc/xrdp/sesman.ini. However, this mechanism was not effectively working. As a result, xrdp allows an infinite number of login attempts.

Access to the font glyphs in xrdp_painter.c is not bounds-checked. Since some of this data is controllable by the user, this can result in an out-of-bounds read within the xrdp executable. The vulnerability allows an out-of-bounds read within a potentially privileged process. On non-Debian platforms, xrdp tends to run as root. Potentially an out-of-bounds write can follow the out-of-bounds read. There is no denial-of-service impact, provided that xrdp is running in forking mode.

Improper handling of session establishment errors allows bypassing OS-level session restrictions. The auth_start_session function can return non-zero (1) value on, e.g., PAM error which may result in in session restrictions such as max concurrent sessions per user by PAM (ex ./etc/security/limits.conf) being bypassed. Users (administrators) that don’t use restrictions by PAM are not affected.

ELA-1551-1 raptor2 security update

Wed, 22 Oct 2025 20:03:16 +0200

Package : raptor2

Version : 2.0.14-1+deb9u3 (stretch), 2.0.14-1.1~deb10u3 (buster)

Related CVEs : CVE-2024-57822 CVE-2024-57823

Two issues have been found in raptor2, an RDF parser and serializer utilities. One issue is related to a heap-based buffer over-read when parsing triples. The other issue is related to an integer underflow when normalizing an URI.

ELA-1550-1 gimp security update

Wed, 22 Oct 2025 15:22:36 +0200

Package : gimp

Version : 2.8.18-1+deb9u5 (stretch), 2.10.8-2+deb10u4 (buster)

CVE-2025-6035

An integer overflow vulnerability exists in the GIMP “Despeckle” plug-in. The issue occurs due to unchecked multiplication of image dimensions, such as width, height, and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This issue could lead to heap corruption, a potential denial of service (DoS), or arbitrary code execution in certain scenarios.
CVE-2025-10922

ZDI-CAN-27863: GIMP DCM File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2025-48797

Flaw when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.
CVE-2025-48798

Flaw when processing XCF image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing use-after-free issues.

ELA-1549-1 gegl security update

Wed, 22 Oct 2025 15:22:29 +0200

Package : gegl

Version : 0.3.8-4+deb9u1 (stretch)

Multiple vulnerabilities were discovered in GEGL, a graph-based image processing library, which could result in denial of service or the execution of arbitrary code if malformed files or filenames are processed.

CVE-2018-10113

The process function in operations/external/ppm-load.c has unbounded memory allocation, leading to a denial of service (application crash) upon allocation failure.
CVE-2018-10114

The gegl_buffer_iterate_read_simple function in buffer/gegl-buffer-access.c allows remote attackers to cause a denial of service (write access violation) or possibly have unspecified other impact via a malformed PPM file, related to improper restrictions on memory allocation in the ppm_load_read_header function in operations/external/ppm-load.c.
CVE-2021-45463

load_cache allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.
CVE-2025-10921

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

ELA-1548-1 gegl security update

Wed, 22 Oct 2025 15:22:16 +0200

Package : gegl

Version : 0.4.12-2+deb10u1 (buster)

Related CVEs : CVE-2021-45463 CVE-2025-10921

CVE-2021-45463

load_cache allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.
CVE-2025-10921

GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

ELA-1547-1 nginx security update

Tue, 21 Oct 2025 20:18:47 +0200

Package : nginx

Version : 1.10.3-1+deb9u9 (stretch), 1.14.2-2+deb10u6 (buster)

Multiple vulnerabilities were found in nginx a popular webserver.

CVE-2024-7347

A vulnerability was found in the ngx_http_mp4_module,
This vulnerability might allow an attacker to over-read NGINX
worker memory resulting in its termination, using a specially crafted mp4 file.

CVE-2024-33452

A vulnerability was found in the lua-nginx-module.
This vulnerability allows a remote attacker to conduct HTTP request smuggling
via a crafted HEAD request.

CVE-2025-23419

When multiple server blocks are configured to share the same IP address and port,
an attacker can use session resumption to bypass client certificate authentication
requirements on these servers.
This vulnerability arises when TLS Session Tickets are used and/or the SSL session cache
are used in the default server and the default server is performing
client certificate authentication

ELA-1546-1 libphp-adodb security update

Mon, 20 Oct 2025 22:56:57 +0200

Package : libphp-adodb

Version : 5.20.9-1+deb9u3 (stretch), 5.20.14-1+deb10u3 (buster)

Related CVEs : CVE-2025-54119

Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements (SQL injection) when the code using ADOdb connects to a sqlite3 or sqlite database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name.

ELA-1545-1 imagemagick security update

Mon, 20 Oct 2025 09:52:54 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u23 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u12 (buster)

Related CVEs : CVE-2025-62171

An integer overflow vulnerability was discovered in the ReadBMP() function of the BMP decoder within ImageMagick.

Although CVE-2025-57803 was issued to address this flaw, the proposed fix is incomplete and fails to prevent exploitation in certain scenarios. Specifically, the patch introduces a BMPOverflowCheck() function in some code path, but it is invoked only after the overflow has already occurred—rendering in some case.

This oversight allows a specially crafted 58-byte BMP file to trigger AddressSanitizer crashes, potentially leading to denial-of-service (DoS) conditions.

This new issue was designated CVE-2025-62171.

ELA-1544-1 linux-5.10 security update

Fri, 17 Oct 2025 17:53:00 +0200

Package : linux-5.10

Version : 5.10.244-1~deb9u1 (stretch), 5.10.244-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

Starting with this version, modules are signed with an ephemeral key on all architectures. This version additionally includes many more bug fixes from stable updates 5.10.238 through 5.10.244.

ELA-1543-1 linux-6.1 security update

Thu, 16 Oct 2025 13:05:58 +0200

Package : linux-6.1

Version : 6.1.153-1~deb9u1 (stretch), 6.1.153-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information disclosure.

Starting with this version, modules are signed with an ephemeral key on all architectures, and the broken pktcdvd driver is disabled. This version additionally includes many more bug fixes from stable updates 6.1.141 through 6.1.153.

ELA-1542-1 libxml2 security update

Wed, 15 Oct 2025 19:48:17 +0200

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u15 (stretch), 2.9.4+dfsg1-7+deb10u13 (buster)

Related CVEs : CVE-2025-9714

CVE-2025-9714: It was discovered that recursion evaluation in XPath evaluation is uncontrolled and therefore allows a local attacker to cause a stack overflow via crafted expressions.
CVE-2025-7425: Sergei Glazunov discovered a heap-use-after-free in xmlFreeID() caused by atype corruption. While the vulnerability was reported against libxslt, the XSLT 1.0 processing library, it is now mitigated in this libxml2 version.

ELA-1541-1 php-horde-css-parser security update

Wed, 15 Oct 2025 17:27:18 +0200

Package : php-horde-css-parser

Version : 1.0.11-3+deb10u1 (buster)

Related CVEs : CVE-2020-13756

Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker.

The php-horde-css-parser package bundles the Saberworm PHP CSS Parser code and is thus also vulnerable.

ELA-1540-1 qemu security update

Wed, 15 Oct 2025 10:38:47 -0300

Package : qemu

Version : 1:3.1+dfsg-8+deb10u13 (buster)

Related CVEs : CVE-2023-3019 CVE-2024-3447

Multiple security issues were found in QEMU, a fast processor emulator, that could result in denial of service, information leak, or privilege escalation.

CVE-2023-3019

Use-after-free error in the e1000e NIC emulation.

CVE-2024-3447

Heap-based buffer overflow in SDHCI device emulation.

In Debian 10 “buster”, the affected packages are qemu-user-static (and qemu-user-binfmt).

ELA-1539-1 distro-info-data database update

Tue, 14 Oct 2025 17:31:56 +0200

Package : distro-info-data

Version : 0.41+deb10u2~bpo9+9 (stretch), 0.41+deb10u13 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It updates the EoL date for bookworm and adds Ubuntu 26.04 LTS “Resolute Raccoon”.

ELA-1538-1 libfcgi security update

Mon, 13 Oct 2025 19:06:30 +0200

Package : libfcgi

Version : 2.4.0-8.4+deb9u1 (stretch), 2.4.0-10+deb10u1 (buster)

Related CVEs : CVE-2025-23016

An issue has been found in libfcgi, a FastCGI bridge from CGI. The issue is related to an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket.

ELA-1537-1 redis security update

Thu, 09 Oct 2025 10:26:31 -0700

Package : redis

Version : 3:3.2.6-3+deb9u17 (stretch), 5:5.0.14-1+deb10u10 (buster)

Multiple vulnerabilities were discovered in Redis, a popular key/value database:

CVE-2025-46817: Fix an issue where an authenticated user could have used a specially-crafted Lua script to cause an integer overflow and potentially lead to remote code execution.
CVE-2025-46819: Address a potential vulnerability where an authenticated user could have used a specially-crafted Lua script to read out-of-bound data and/or crash the server and thereby create a denial of service attack.
CVE-2025-49844: Fix an issue where authenticated users could have exploited a specially-crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution.

ELA-1536-1 mosquitto security update

Tue, 07 Oct 2025 21:22:17 -0300

Package : mosquitto

Version : 1.5.7-1+deb10u2 (buster)

Related CVEs : CVE-2024-10525

CVE-2024-10525

If a malicious broker sends a crafted SUBACK packet with no reason codes, a
client using libmosquitto may make out of bounds memory access when acting in
its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr
clients.

ELA-1535-1 python-django security update

Tue, 07 Oct 2025 14:06:15 -0700

Package : python-django

Version : 1:1.10.7-2+deb9u27 (stretch), 1:1.11.29-1+deb10u16 (buster)

Related CVEs : CVE-2025-59681 CVE-2025-59682

It was discovered that there were two vulnerabilities in Django, a popular web development framework:

CVE-2025-59681: Fix a potential SQL injection in QuerySet.annotate(), alias(), aggregate() and extra(). These methods were subject to SQL injection in column aliases, using a suitably crafted dictionary via dictionary expansion as the **kwargs passed to these methods on MySQL and MariaDB.
CVE-2025-59682: Fix a potential partial directory-traversal vulnerability in archive.extract(). This function, used by startapp --template and startproject --template allowed partial directory-traversal via an archive with file paths sharing a common prefix with the target directory.

ELA-1534-1 freeipa security update

Sun, 05 Oct 2025 12:20:11 +0200

Package : freeipa

Version : 4.7.2-3+deb10u2 (buster)

FreeIPA, an integrated security information management solution designed for Linux and Unix environments, was affected by multiple vulnerabilities.

CVE-2019-10195

FreeIPA's batch processing API logged operations, including user passwords in clear text on FreeIPA masters.
Batch processing of commands with passwords as arguments or options is not performed by default in FreeIPA
but is possible by third-party components. An attacker having access to system logs on FreeIPA masters
could use this flaw to produce log file content with passwords exposed.

CVE-2019-14867

A flaw was found in FreeIPA in the way the internal function ber_scanf() was used in some components,
which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal
key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed
on the server hosting the IPA server.

CVE-2024-3183

A flaw was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key.
This key is different for each new session, which protects it from brute force attacks. However,
the ticket it contains is encrypted using the target principal key directly. For user principals,
this key is a hash of a public per-principal randomly-generated salt and the user’s password.
If a principal is compromised it means the attacker would be able to retrieve tickets encrypted
to any principal, all of them being encrypted by their own key directly.
By taking these tickets and salts offline, the attacker could run brute force attacks to
find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password).

CVE-2024-11029

A flaw was found in the FreeIPA API audit, where it sends the whole FreeIPA command line to journalctl.
As a consequence, during the FreeIPA installation process, it inadvertently leaks the administrative
user credentials, including the administrator password, to the journal database. In the worst-case scenario,
where the journal log is centralized, users with access to it can have improper access to the FreeIPA administrator credentials.

CVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project.
The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin
account by default, allowing users to create services with the same canonical name as the REALM admin.
When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service,
containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over
the REALM, leading to access to sensitive data and sensitive data exfiltration.

ELA-1533-1 libcpanel-json-xs-perl security update

Wed, 01 Oct 2025 19:45:18 -0300

Package : libcpanel-json-xs-perl

Version : 4.09-1+deb10u1 (buster)

Related CVEs : CVE-2025-40928

A vulnerability has been fixed in libcpanel-json-xs-perl, a Perl module for serialising to JSON.

CVE-2025-40928

Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.

ELA-1532-1 libjson-xs-perl security update

Wed, 01 Oct 2025 19:43:27 -0300

Package : libjson-xs-perl

Version : 3.030-1+deb9u1 (stretch), 3.040-1+deb10u1 (buster)

Related CVEs : CVE-2025-40928

A vulnerability has been fixed in libjson-xs-perl, a Perl module which does C/XS-accelerated manipulation of JSON-formatted data.

CVE-2025-40928

Integer buffer overflow causing a segfault when parsing crafted JSON,
enabling denial-of-service attacks or other unspecified impact.

ELA-1531-1 tiff security update

Wed, 01 Oct 2025 10:08:29 +0200

Package : tiff

Version : 4.0.8-2+deb9u14 (stretch), 4.1.0+git191117-2~deb10u11 (buster)

Related CVEs : CVE-2024-13978 CVE-2025-9900

Multiple vulnerabilities were fixed in tiff, a library and tools providing support for the Tag Image File Format (TIFF).

CVE-2024-13978: Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult.
CVE-2025-9900: This vulnerability is a “write-what-where” condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file’s metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

ELA-1510-2 libcommons-lang-java regression update

Wed, 01 Oct 2025 04:59:40 +0200

Package : libcommons-lang-java

Version : 2.6-6+deb9u2 (stretch), 2.6-8+deb10u2 (buster)

The patch to fix CVE-2025-48924 has not been backported correctly and can lead to an unexpected ClassNotFoundException in ClassUtils.getClass(). Updated packages are now available to correct this issue.

ELA-1530-1 libcommons-lang3-java security update

Wed, 01 Oct 2025 04:46:45 +0200

Package : libcommons-lang3-java

Version : 3.5-1+deb9u1 (stretch), 3.8-2+deb10u1 (buster)

Related CVEs : CVE-2025-48924

A vulnerability was discovered in Apache Commons Lang utility classes, a Java API for classes that are in java.lang’s hierarchy.

CVE-2025-48924

An uncontrolled recursion vulnerability was discovered in Apache Commons
Lang. The method ClassUtils.getClass() can throw a StackOverflowError
on very long inputs.

ELA-1529-1 modsecurity-apache security update

Tue, 30 Sep 2025 22:58:37 -0300

Package : modsecurity-apache

Version : 2.9.3-3+deb11u5~deb10u1 (buster)

Related CVEs : CVE-2025-54571

Cross-site scripting due to insufficient return value handling has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1528-1 wireless-regdb upstream version update

Tue, 30 Sep 2025 18:13:56 -0300

Package : wireless-regdb

Version : 2025.07.10-1~deb9u1 (stretch), 2025.07.10-1~deb10u1 (buster)

This update includes the changes in wireless-regdb 2025.07.10, reflecting changes to radio regulations in several countries.

ELA-1527-1 mplayer security update

Sat, 27 Sep 2025 18:11:32 +0200

Package : mplayer

Version : 2:1.3.0-6+deb9u1 (stretch)

Several issues have been found in mplayer, a movie player for Unix-like systems. They are basically related to buffer overflows, divide by zero or out of bounds read in different parts of the code.

ELA-1526-1 ceph security update

Sat, 27 Sep 2025 17:26:36 +0200

Package : ceph

Version : 10.2.11-2+deb9u3 (stretch), 12.2.11+dfsg1-2.1+deb10u2 (buster)

Related CVEs : CVE-2025-52555

Ceph a distributed file system was affected by a vulnerability.

An unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by root to gain access.

The result of this is that a user could read, write and execute to any directory as long as they chmod 777 it. This impacts confidentiality, integrity, and availability.

ELA-1525-1 libxslt security update

Thu, 25 Sep 2025 12:21:55 +0200

Package : libxslt

Version : 1.1.29-2.1+deb9u5 (stretch), 1.1.32-2.2~deb10u4 (buster)

Related CVEs : CVE-2023-40403 CVE-2025-7424

CVE-2023-40403: It was discovered that the generate-id() function could return deterministic values and could leak the memory layout of different XML objects, which might lead to information disclosure.
CVE-2025-7424: Ivan Fratric discovered a type confusion vulnerability in xmlNode.psvi between stylesheet and source nodes, which could lead to application crash.

ELA-1524-1 corosync security update

Mon, 22 Sep 2025 23:32:30 +0200

Package : corosync

Version : 2.4.2-3+deb9u2 (stretch), 3.0.1-2+deb10u2 (buster)

Related CVEs : CVE-2025-30472

An issue has been found in corosync, a cluster engine daemon and utilities. A stack-based buffer overflow may happen when encryption is disabled or the attacker knows the encryption key and a large crafted UDP packet has to be processed.

ELA-1523-1 syslog-ng security update

Mon, 22 Sep 2025 19:17:19 +0200

Package : syslog-ng

Version : 3.8.1-10+deb9u2 (stretch), 3.19.1-5+deb10u2 (buster)

Related CVEs : CVE-2024-47619

Syslog-ng, a widely used logging service, was found to be vulnerable due to improper handling of wildcard certificates during TLS authentication.

Specifically, the function tls_wildcard_match() incorrectly accepted certificate patterns like foo.*.bar, which violate standard wildcard rules and should not be permitted. Additionally, partial wildcard patterns such as foo.a*c.bar were matched by GLib, further weakening the authentication mechanism.

This flaw could allow a monster-in-the-middle attacker to impersonate legitimate endpoints, compromising the integrity of secure logging. Such wildcard mismatches must be explicitly rejected to ensure robust TLS validation.

ELA-1522-1 pam security update

Mon, 22 Sep 2025 19:00:59 +0200

Package : pam

Version : 1.1.8-3.6+deb9u1 (stretch), 1.3.1-5+deb10u1 (buster)

Related CVEs : CVE-2024-22365 CVE-2025-6020

Multiple vulnerabilities were found in the PAM namespace module, used to configure private namespaces for user sessions.

CVE-2024-22365

Attackers may cause a denial of service
blocking the login process, via mkfifo, because the
openat call (for protect_dir) lacks the O_DIRECTORY flag.

CVE-2025-6020

pam_namespace may use access user-controlled paths
without proper protection, allowing local users to elevate
their privileges to root via multiple symlink attacks
and race conditions.

ELA-1521-1 shibboleth-sp security update

Sun, 21 Sep 2025 22:24:49 +0200

Package : shibboleth-sp

Version : 3.0.4+dfsg1-1+deb10u3 (buster)

Related CVEs : CVE-2025-9943

An SQL injection vulnerability has been identified in the “ID” attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service.

An unauthenticated attacker can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database, if the database connection is configured to use the ODBC plugin.

ELA-1520-1 jq security update

Sun, 21 Sep 2025 17:36:58 +0200

Package : jq

Version : 1.5+dfsg-1.3+deb9u1 (stretch), 1.5+dfsg-2+deb10u1 (buster)

Related CVEs : CVE-2025-48060

An issue has been found in jq, a lightweight and flexible command-line JSON processor. A heap buffer overflow may happen when formatting empty strings.

ELA-1519-1 openvpn security update

Sat, 20 Sep 2025 14:29:16 -0300

Package : openvpn

Version : 2.4.0-6+deb9u5 (stretch)

Related CVEs : CVE-2024-5594

A vulnerability was discovered in openvpn, a virtual private network application which could result in data injection.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

ELA-1518-1 openvpn security update

Sat, 20 Sep 2025 14:27:50 -0300

Package : openvpn

Version : 2.4.7-1+deb10u2 (buster)

Related CVEs : CVE-2022-0547 CVE-2024-5594

Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in authentication bypass or data injection.

CVE-2022-0547

OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

ELA-1517-1 python-eventlet security update

Thu, 18 Sep 2025 11:52:57 -0700

Package : python-eventlet

Version : 0.19.0-6+deb9u1 (stretch), 0.20.0-6+deb10u1 (buster)

Related CVEs : CVE-2025-58068 CVE-2023-40217

A potential HTTP Request Smuggling issue was discovered in python-eventlet, a concurrent networking library for Python.

This issue was caused by the improper handling of HTTP trailer sections. This vulnerability could have permitted attackers to bypass front-end security controls, launch targeted attacks against active site users and/or poison web caches. This problem has been addressed by dropping trailers, a potentially breaking change if a backend behind the eventlet.wsgi proxy requires such trailers.

ELA-1516-1 imagemagick security update

Sun, 14 Sep 2025 20:01:46 +0200

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u22 (stretch)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2017-11531

A crafted file in convert, can lead to a Memory Leak in the WriteHISTOGRAMImage()
function in coders/histogram.c.

CVE-2017-11532

A crafted file in convert, can lead to a Memory Leak in the WriteMPCImage()
function in coders/mpc.c.

CVE-2017-11534

A crafted file in convert, can lead to a Memory Leak in the lite_font_map()
function in coders/wmf.c.

CVE-2025-53014

A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019

ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak

CVE-2025-53101

ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154

The magnified size calculations in ReadOneMNGIMage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212

passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort)

CVE-2025-55298

A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803

A 32-bit integer overflow in the BMP encoderâ??s scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 Ã? width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.

CVE-2025-57807

A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset â?« extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2â?¶â?´
arithmetic wrap, external delegates, or policy settings
are required.

ELA-1515-1 imagemagick security update

Sat, 13 Sep 2025 21:05:44 +0200

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u11 (buster)

Multiple vulnerabilities were fixed in imagemagick an image manipulation software suite.

CVE-2025-53014

A heap buffer overflow was found in the `InterpretImageFilename`
function. The issue stems from an off-by-one error that causes
out-of-bounds memory access when processing format strings
containing consecutive percent signs (`%%`).

CVE-2025-53019

ImageMagick's `magick stream` command, specifying multiple
consecutive `%d` format specifiers in a filename template
caused a memory leak

CVE-2025-53101

ImageMagick's `magick mogrify` command, specifying
multiple consecutive `%d` format specifiers in a filename
template caused internal pointer arithmetic to generate
an address below the beginning of the stack buffer,
resulting in a stack overflow through `vsnprintf()`.

CVE-2025-55154

The magnified size calculations in ReadOneMNGIMage
(in coders/png.c) are unsafe and can overflow,
leading to memory corruption.

CVE-2025-55212

passing a geometry string containing only a colon (":")
to montage -geometry leads GetGeometry() to set width/height
to 0. Later, ThumbnailImage() divides by these zero dimensions,
triggering a crash (SIGFPE/abort)

CVE-2025-55298

A format string bug vulnerability exists in InterpretImageFilename
function where user input is directly passed to FormatLocaleString
without proper sanitization. An attacker can overwrite arbitrary
memory regions, enabling a wide range of attacks from heap
overflow to remote code execution.

CVE-2025-57803

A 32-bit integer overflow in the BMP encoderâ??s scanline-stride
computation collapses bytes_per_line (stride) to a tiny
value while the per-row writer still emits 3 Ã? width bytes
for 24-bpp images. The row base pointer advances using the
(overflowed) stride, so the first row immediately writes
past its slot and into adjacent heap memory with
attacker-controlled bytes.

CVE-2025-57807

A security problem was found in SeekBlob(), which permits
advancing the stream offset beyond the current end without
increasing capacity, and WriteBlob(), which then expands by
quantum + length (amortized) instead of offset + length,
and copies to data + offset. When offset â?« extent, the
copy targets memory beyond the allocation, producing a
deterministic heap write on 64-bit builds. No 2â?¶â?´
arithmetic wrap, external delegates, or policy settings
are required.

ELA-1514-1 ca-certificates-java bugfix update

Sat, 13 Sep 2025 18:56:46 +0200

Package : ca-certificates-java

Version : 20230710~deb12u1~deb11u1~deb10u1 (buster)

The ca-certificates-java package needs to be upgraded to resolve a circular dependency between Java packages and ca-certificates, which would otherwise prevent the system certificates from being updated.

ELA-1513-1 opencv security update

Fri, 12 Sep 2025 14:25:55 -0300

Package : opencv

Version : 3.2.0+dfsg-6+deb10u1 (buster)

Multiple vulnerabilities were found in the computer vision library OpenCV.

CVE-2017-18009

Buffer overflow in the cv::HdrDecoder::checkSignature function

CVE-2019-14491

Out-of-bounds read in cv::predictOrdered<cv::HaarEvaluator>

CVE-2019-14492

Out-of-bounds read/write in the HaarEvaluator::OptFeature::calc function

CVE-2019-14493

NULL pointer dereference in the cv::XMLParser::parse funcion

CVE-2019-15939

Divide-by-zero error in cv::HOGDescriptor::getDescriptorSize

CVE-2019-19624

Out-of-bounds read in the calc() function of dis_flow.cpp, when dealing
with small images

ELA-1512-1 cups security update

Thu, 11 Sep 2025 23:53:19 +0200

Package : cups

Version : 2.2.1-8+deb9u13 (stretch), 2.2.10-6+deb10u12 (buster)

Related CVEs : CVE-2025-58060 CVE-2025-58364

Two vulnerabilities were discovered in cups, the Common UNIX Printing System, which may result in authentication bypass with AuthType Negotiate or in denial of service (daemon crash).

ELA-1511-1 clamav security update

Thu, 04 Sep 2025 15:05:45 -0300

Package : clamav

Version : 1.0.9+dfsg-1~deb9u1 (stretch), 1.0.9+dfsg-1~deb10u1 (buster)

Related CVEs : CVE-2025-20128 CVE-2025-20260

A couple of vulnerabilities have been fixed in ClamAV, an anti-virus utility for Unix, in this new upstream stable release.

CVE-2025-20128

The Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV
could allow an unauthenticated, remote attacker to cause a denial of service
(DoS) condition on an affected device.

CVE-2025-20260

The PDF scanning processes of ClamAV could allow an unauthenticated, remote
attacker to cause a buffer overflow condition, cause a denial of service (DoS)
condition, or execute arbitrary code on an affected device.

ELA-1510-1 libcommons-lang-java security update

Sun, 31 Aug 2025 18:29:17 +0200

Package : libcommons-lang-java

Version : 2.6-6+deb9u1 (stretch), 2.6-8+deb10u1 (buster)

Related CVEs : CVE-2025-48924

A vulnerability was discovered in Apache Commons Lang utility classes, a Java API for classes that are in java.lang’s hierarchy.

CVE-2025-48924

An uncontrolled recursion vulnerability was discovered in Apache Commons
Lang. The method ClassUtils.getClass() can throw a StackOverflowError
on very long inputs.

ELA-1509-1 apache2 security update

Sat, 30 Aug 2025 23:15:51 +0200

Package : apache2

Version : 2.4.25-3+deb9u21 (stretch)

Multiple vulnerabilities have been addressed in Apache, a widely used web server.

Please note that the fix for CVE-2025-23048, included in this ELA, may cause some SSL-enabled websites to encounter the error AH02032. Additional details are provided at the end of this advisory.

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server can split the HTTP response

CVE-2024-43204

A SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded allows an attacker to
send outbound proxy requests to a URL controlled by the attacker.
This attack requires an unlikely configuration where mod_headers
is configured to modify the Content-Type request or response header with a
value provided in the HTTP request

CVE-2024-43394

A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite
or apache expressions that pass unvalidated request input.

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.

CVE-2025-23048

An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.

CVE-2025-49630

In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Configurations affected are a
reverse proxy is configured for an HTTP/2 backend, with
ProxyPreserveHost set to "on".

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.

CVE-2025-53020

A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.

Note that following the resolution of CVE-2025-23048, some SSL-enabled websites may begin encountering the error (AH02032):

Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.

This behavior is particularly noticeable with AWS Application Load Balancers. Although they support intelligent SNI handling, they do not (as of this writing) relay SNI data to the target server, resulting in failed connections when hostnames don’t align.

Without an SNI provided by the client, there is nothing httpd can do to determine which vhost/configuration should be used to provide the correct certificate (and TLS authentication eventually) whenever multiple vhosts listen on the same IP:port.

That’s because reading the HTTP Host header necessarily has to happen after the TLS handshake/auth/decryption (and later renegotiation is not an option with TLSv1.3).

So those connections fall back to the first vhost declared on the IP:port for the TLS handshake part, and if the request Host header finally matches a different vhost with a different TLS configuration it’s rejected with AH02032.

Before 2.4.64 (or this backport) the check was not accurate and would allow that, with security implications.

As a workaround, you may (after a risk analysis) generate a wildcard certificate. If you’re managing multiple domains, consolidate them into a single certificate by including each wildcard domain as an alias. Then, update the Apache configuration to reference this unified certificate.

Another possible workaround is to configure each virtual host to listen on a separate port. This approach avoids SNI-related issues by ensuring that each vhost is uniquely addressed through its own connection endpoint, thereby allowing distinct TLS configurations without ambiguity.

This error may also stem from a misconfigured HAProxy setup. In such cases, enabling dynamic SNI handling on HAProxy might be necessary to ensure that the correct hostname is passed through during the TLS handshake. After risk analysis, it could be done by using “sni req.hdr(Host)” directive.

This error may also be caused by a misconfigured Nginx proxy setup. In such scenarios, enabling Server Name Indication (SNI) when connecting to the backend may be necessary to ensure that the correct hostname is transmitted during the TLS handshake. After conducting a risk analysis, this can be achieved by configuring the “proxy_ssl_server_name on;” and “proxy_ssl_name $host;” directives.

ELA-1508-1 udisks2 security update

Fri, 29 Aug 2025 15:57:52 +0200

Package : udisks2

Version : 2.1.8-1+deb9u2 (stretch), 2.8.1-4+deb10u4 (buster)

Related CVEs : CVE-2025-8067

Michael Imfeld discovered an out-of-bounds read vulnerability in udisks2, which may result in denial of service (daemon process crash), or in mapping an internal file descriptor from the daemon process onto a loop device, resulting in local privilege escalation.

ELA-1507-1 luajit security update

Tue, 26 Aug 2025 00:06:48 +0200

Package : luajit

Version : 2.1.0~beta3+dfsg-5.1+deb10u1 (buster)

CVE-2019-19391

It was discovered that debug.getinfo() has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled.

Note: The LuaJIT project owner disputes the vulnerability and states that the debug library is unsafe by design.

CVE-2020-15890

Yongheng Chen discovered an out-of-bounds read because __gc handler frame traversal is mishandled.

CVE-2020-24372

Yongheng Chen discovered out-of-bounds read in lj_err_run().

CVE-2024-25176

Kutyavin Maxim discovered a stack-buffer-overflow in lj_strfmt_wfnum().

CVE-2024-25177

Kutyavin Maxim discovered an unsinking of IR_FSTORE for NULL metatable.

CVE-2024-25178

Kutyavin Maxim discovered an out-of-bounds read in the stack-overflow handler.

ELA-1506-1 firebird3.0 security update

Mon, 25 Aug 2025 15:34:46 +0300

Package : firebird3.0

Version : 3.0.5.33100.ds4-2+deb10u1 (buster)

Related CVEs : CVE-2025-54989

An XDR message parsing NULL pointer dereference has been fixed in the Firebird database.

ELA-1505-1 iperf3 security update

Sun, 24 Aug 2025 23:53:45 +0300

Package : iperf3

Version : 3.9-1+deb11u3~deb9u1 (stretch), 3.9-1+deb11u3~deb10u1 (buster)

Related CVEs : CVE-2025-54349 CVE-2025-54350

Two vulnerabilities have been fixed in the IP bandwidth measuring tool iperf3.

CVE-2025-54349

heap buffer overflow

CVE-2025-54350

reachable assert

ELA-1504-1 unbound1.9 security update

Sun, 24 Aug 2025 22:51:14 +0200

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u6 (stretch)

CVE-2025-5994

Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable for DoS, it can be used to take part in a pulsing DoS amplification attack.

Configuration options have been added to help mitigate the impact by trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be:

discard-timeout (default value: 1900): After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of “old” replies. Legitimate clients retry on timeouts.
wait-limit (default value: 1000): Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Use `wait-limit: 0` in order to disable all wait limits.
wait-limit-netblock: These do not have a default value but they can fine grain configuration for specific netblocks.

CVE-2019-18934

Shell code injection vulnerability after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with --enable-ipsecmod support, and ipsecmod is enabled and used in the configuration.

Debian binary packages are not built with --enable-ipsecmod, and therefore unaffected. Still, the fix is included in the source package for users building their own packages.

In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.

ELA-1503-1 unbound security update

Sun, 24 Aug 2025 22:50:14 +0200

Package : unbound

Version : 1.9.0-2+deb10u6 (buster)

CVE-2025-5994

Unbound now includes a fix that disregards replies that came back without ECS when ECS was expected.

CVE-2024-33655

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and spoofed targets.

While Unbound itself is not vulnerable for DoS, it can be used to take part in a pulsing DoS amplification attack.

Configuration options have been added to help mitigate the impact by trying to shrink the DNSBomb window so that the impact of the DoS from Unbound is significantly lower than it used to be:

discard-timeout (default value: 1900): After 1900 ms a reply to the client will be dropped. Unbound would still work on the query but refrain from replying in order to not accumulate a huge number of “old” replies. Legitimate clients retry on timeouts.
wait-limit (default value: 1000): Limits the amount of client queries that require recursion (cache-hits are not counted) per IP address. More recursive queries than the allowed limit are dropped. Use `wait-limit: 0` in order to disable all wait limits.
wait-limit-netblock: These do not have a default value but they can fine grain configuration for specific netblocks.

CVE-2019-25031

Configuration injection in create_unbound_ad_servers.sh upon a successful man-in-the-middle attack against a cleartext HTTP session.

CVE-2019-25032

Integer overflow in the regional allocator via regional_alloc.

CVE-2019-25033

Integer overflow in the regional allocator via the ALIGN_UP macro.

CVE-2019-25034

Integer overflow in sldns_str2wire_dname_buf_origin() leading to an out-of-bounds write.

CVE-2019-25035

Out-of-bounds write in sldns_bget_token_par().

CVE-2019-25036

Assertion failure and denial of service in synth_cname().

CVE-2019-25037

Assertion failure and denial of service in dname_pkt_copy() via an invalid packet.

CVE-2019-25038

Integer overflow in a size calculation in dnscrypt/dnscrypt.c.

CVE-2019-25039

Integer overflow in a size calculation in respip/respip.c.

CVE-2019-25040

Infinite loop via a compressed name in dname_pkt_copy().

CVE-2019-25041

Assertion failure via a compressed name in dname_pkt_copy().

CVE-2019-25042

Out-of-bounds write via a compressed name in rdata_copy().

CVE-2019-18934

Debian binary packages are not built with --enable-ipsecmod, and therefore unaffected. Still, the fix is included in the source package for users building their own packages.

In addition, this version includes follow-up upstream fixes and improvements for CVE-2024-43167.

ELA-1502-1 apache2 security update

Fri, 22 Aug 2025 00:29:27 +0200

Package : apache2

Version : 2.4.59-1~deb10u5 (buster)

Multiple vulnerabilities have been addressed in Apache, a widely used web server.

Please note that the fix for CVE-2025-23048, included in this ELA, may cause some SSL-enabled websites to encounter the error AH02032. Additional details are provided at the end of this advisory.

CVE-2024-42516

HTTP response splitting in the core of Apache HTTP Server allows an
attacker who can manipulate the Content-Type response headers of
applications hosted or proxied by the server can split the HTTP response

CVE-2024-43204

A SSRF (Server Side Request Forgery) was found in Apache HTTP Server
with mod_proxy loaded allows an attacker to
send outbound proxy requests to a URL controlled by the attacker.
This attack requires an unlikely configuration where mod_headers
is configured to modify the Content-Type request or response header with a
value provided in the HTTP request

CVE-2024-43394

A Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows
allows to potentially leak NTLM hashes to a malicious server via  mod_rewrite
or apache expressions that pass unvalidated request input.

CVE-2024-47252

Insufficient escaping of user-supplied data in mod_ssl allows an untrusted
SSL/TLS client to insert escape characters into log files in some
configurations. In a logging configuration where CustomLog is used with
"%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as
SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and
unsanitized data provided by the client may appear in log files.

CVE-2025-23048

An access control bypass by trusted clients is possible using TLS 1.3
session resumption. Configurations are affected when mod_ssl is
configured for multiple virtual hosts, with each restricted to a
different set of trusted client certificates
(for example with a different SSLCACertificateFile/Path setting).
In such a case, a client trusted to access one virtual host may be able to
access another virtual host, if SSLStrictSNIVHostCheck is not enabled
in either virtual host.

CVE-2025-49630

In certain proxy configurations, a denial of service attack against
Apache HTTP Server can be triggered by untrusted clients causing
an assertion in mod_proxy_http2. Configurations affected are a
reverse proxy is configured for an HTTP/2 backend, with
ProxyPreserveHost set to "on".

CVE-2025-49812

In some mod_ssl configurations on Apache HTTP server, an HTTP
desynchronisation attack allows a man-in-the-middle attacker
to hijack an HTTP session via a TLS upgrade. Only configurations
using "SSLEngine optional" to enable TLS upgrades are affected.
Support for TLS upgrade was removed.

CVE-2025-53020

A late Release of Memory after Effective Lifetime vulnerability
was found in Apache HTTP Server.

Note that following the resolution of CVE-2025-23048, some SSL-enabled websites may begin encountering the error (AH02032):

Misdirected Request:
The client needs a new connection for this request as the
requested host name does not match the Server Name Indication
(SNI) in use for this connection.

That’s because reading the HTTP Host header necessarily has to happen after the TLS handshake/auth/decryption (and later renegotiation is not an option with TLSv1.3).

Before 2.4.64 (or this backport) the check was not accurate and would allow that, with security implications.

ELA-1501-1 mariadb-10.3 security update

Sat, 16 Aug 2025 11:15:06 +0200

Package : mariadb-10.3

Version : 1:10.3.39-0+deb10u4 (buster)

Multiple vulnerabilities were fixed in MariaDB 10.3, a popular database engine.

CVE-2023-52968

A Denial Of Service (DoS) was found in MariaDB. MariaDB server may call
fix_fields_if_needed under mysql_derived_prepare when derived is not yet
prepared, leading to a find_field_in_table crash.

CVE-2023-52969

MariaDB may crash with an empty backtrace log. This may be related
to make_aggr_tables_info and optimize_stage2.

CVE-2023-52968

MariaDB may crash in Item_direct_view_ref::derived_field_transformer_for_where.

ELA-1500-1 dns-root-data DNSSEC trust anchors update

Fri, 15 Aug 2025 09:53:16 +0200

Package : dns-root-data

Version : 2024071801~deb9u1 (stretch), 2024071801~deb10u1 (buster)

The dns-root-data package contains DNS root zone data as published by IANA to be used as initial source by DNS software. This release adds the DNSKEY record for the KSK-2024 trust anchor. This new key is planned for use starting October 2026, and the previous one (KSK-2017) should be revoked January 2027, leaving time to propagate the new trust anchor, or roll to it sooner in case of emergency.

ELA-1499-1 aide security update

Thu, 14 Aug 2025 17:33:31 +0200

Package : aide

Version : 0.16.1-1+deb10u2 (buster)

Related CVEs : CVE-2025-54409

Rajesh Pangare discovered a vulnerability in aide, an advanced intrusion detection system. A local attacker can take advantage of these flaws to crash aide during report printing.

ELA-1498-1 openjpeg2 security update

Sun, 10 Aug 2025 18:15:20 +0300

Package : openjpeg2

Version : 2.3.0-2+deb10u4 (buster)

Related CVEs : CVE-2019-12973 CVE-2025-50952

Multiple vulnerabilities have been fixed in the JPEG 2000 image library OpenJPEG.

CVE-2019-12973

Excessive iterations in convertbmp

CVE-2025-50952

Avoid potential undefined behaviour in opj_dwt_decode_tile()

ELA-1497-1 distro-info-data database update

Sat, 09 Aug 2025 19:30:26 +0200

Package : distro-info-data

Version : 0.41+deb10u2~bpo9+8 (stretch), 0.41+deb10u12 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds the release and estimated EoL dates for Debian 13 “Trixie”. Also included is a new “eol-legacy” column for Ubuntu Legacy Support.

ELA-1496-1 gnutls28 security update

Sat, 09 Aug 2025 18:30:42 +0300

Package : gnutls28

Version : 3.5.8-5+deb9u9 (stretch)

Related CVEs : CVE-2025-32988 CVE-2025-32990

Multiple vulnerabilities have been fixed in GnuTLS, a library implementing the SSL, TLS and DTLS protocols.

CVE-2025-32988

Double-free upon error when exporting otherName in SAN

CVE-2025-32990

1-byte write buffer overrun in certtool

ELA-1495-1 gnutls28 security update

Sat, 09 Aug 2025 18:30:29 +0300

Package : gnutls28

Version : 3.6.7-4+deb10u14 (buster)

Multiple vulnerabilities have been fixed in GnuTLS, a library implementing the SSL, TLS and DTLS protocols.

CVE-2025-6395

NULL dereference when 2nd Client Hello omits PSK

CVE-2025-32988

Double-free upon error when exporting otherName in SAN

CVE-2025-32990

1-byte write buffer overrun in certtool

ELA-1494-1 unrar-nonfree security update

Sat, 09 Aug 2025 17:59:23 +0300

Package : unrar-nonfree

Version : 1:5.6.6-1+deb10u5~deb9u1 (stretch), 1:5.6.6-1+deb10u5 (buster)

Related CVEs : CVE-2024-33899

ANSI escape injection has been fixed in UnRAR, an unarchiver for .rar archives.

ELA-1493-1 libphp-adodb security update

Tue, 05 Aug 2025 23:52:12 +0300

Package : libphp-adodb

Version : 5.20.9-1+deb9u2 (stretch)

Related CVEs : CVE-2025-46337

SQL injection in the PostgreSQL driver has been fixed in the ADOdb database access library for PHP.

ELA-1492-1 python-setuptools security update

Tue, 05 Aug 2025 12:27:10 +0200

Package : python-setuptools

Version : 33.1.1-1+deb9u1 (stretch), 40.8.0-1+deb10u1 (buster)

Multiple vulnerabilities have been fixed in the Python setuptools package. setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages.

CVE-2022-40897: Regular Expression Denial of Service (ReDoS) in package_index.py.
CVE-2024-6345: A vulnerability in the package_index module allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system.
CVE-2025-47273: A path traversal vulnerability in PackageIndex. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context.

ELA-1491-1 openjdk-8 security update

Fri, 01 Aug 2025 08:52:23 +0200

Package : openjdk-8

Version : 8u462-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1490-1 linux-6.1 security update

Thu, 31 Jul 2025 12:54:54 +0200

Package : linux-6.1

Version : 6.1.140-1~deb9u1 (stretch), 6.1.140-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For CPUs affected to ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to update the intel-microcode packages released in ELA-1425-1.

For details on the Indirect Target Selection (ITS) vulnerability please refer to the VUSec article and the Intel one.

ELA-1489-1 php7.0 security update

Mon, 28 Jul 2025 16:34:06 +0200

Package : php7.0

Version : 7.0.33-0+deb9u22 (stretch)

Related CVEs : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

CVE-2025-1220

Jihwan Kim discovered that fsockopen() lack validation that the hostname supplied does not contain null characters, which may lead to other functions like parse_url() to treat the hostname in an incorrect way, thereby potentially causing Server Side Request Forgery.

CVE-2025-1735

It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences.

This issue is related to CVE-2025-1094 which was reported to PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference.

ELA-1488-1 php7.3 security update

Mon, 28 Jul 2025 16:34:05 +0200

Package : php7.3

Version : 7.3.31-1~deb10u11 (buster)

Related CVEs : CVE-2025-1220 CVE-2025-1735 CVE-2025-6491

CVE-2025-1220

CVE-2025-1735

It was discovered that pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors, which may lead to crashes due to null pointer dereferences.

This issue is related to CVE-2025-1094 which was reported to PostgreSQL.

CVE-2025-6491

Ahmed Lekssays discovered that SoapVar instances created with a fully qualified name larger than 2G could lead to denial of service due to null pointer dereference.

ELA-1487-1 libxml2 security update

Mon, 28 Jul 2025 11:40:54 +0200

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u14 (stretch), 2.9.4+dfsg1-7+deb10u12 (buster)

CVE-2024-34459: Zhineng Zhong discovered that formatting error messages with xmllint --htmlout could result in a buffer over-read.
CVE-2025-6021: Ahmed Lekssays discovered an integer overflow issue in xmlBuildQName() which could result in memory corruption or a denial of service when processing crafted input.
CVE-2025-6170: Ahmed Lekssays discovered a stack-based buffer overflow issue in the command-parsing logic of the interactive shell in xmllint.
CVE-2025-49794: Nikita Sveshnikov discovered a heap use-after-free issue in the schematron. When processing XPath expressions in Schematron schema elements <sch:name path="…"/>, a pointer to freed memory is returned and then accessed, leading to undefined behavior or potential crashes.
CVE-2025-49796: Nikita Sveshnikov discovered a type confusion issue in the schematron. Processing sch:name elements and accessing namespace information may lead to leading to memory corruption or undefined behavior.

ELA-1486-1 openjdk-11 security update

Wed, 23 Jul 2025 12:34:55 +0200

Package : openjdk-11

Version : 11.0.28+6-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1485-1 djvulibre security update

Mon, 21 Jul 2025 16:53:58 +0300

Package : djvulibre

Version : 3.5.27.1-7+deb9u3 (stretch), 3.5.27.1-10+deb10u2 (buster)

Related CVEs : CVE-2021-46312 CVE-2025-53367

Multiple vulnerabilities have been fixed in DjVuLibre, a library and tools to handle documents in the DjVu format.

CVE-2021-46312

Divide by zero in IWBitmap::Encode::init()

CVE-2025-53367

Buffer overflow in MMRDecoder

ELA-1484-1 dcmtk security update

Mon, 21 Jul 2025 15:11:43 +0300

Package : dcmtk

Version : 3.6.1~20160216-4.1+deb9u2 (stretch), 3.6.4-2.1+deb10u3 (buster)

Multiple vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts the DICOM standard for medical images.

CVE-2022-2119

Path traversal vulnerability

CVE-2022-2120

Path traversal vulnerability

CVE-2025-2357

Segfault in JPEG-LS decoder

CVE-2025-25472

DoS with invalid mono images

CVE-2025-25474

Buffer overflow with invalid images

CVE-2025-25475

NULL pointer dereference

ELA-1483-1 freerdp2 security update

Fri, 18 Jul 2025 23:25:36 +0300

Package : freerdp2

Version : 2.3.0+dfsg1-2+deb11u3~deb10u1 (buster)

Multiple vulnerabilities have been fixed in freerdp2, an implementation of the Remote Desktop Protocol.

CVE-2022-24882

Server side NTLM does not properly check parameters

CVE-2022-39320

Heap buffer overflow in urbdrc channel

CVE-2024-22211

Integer overflow in freerdp_bitmap_planar_context_reset

CVE-2024-32039

Integer overflow and Out of bounds write in clear_decompress_residual_data

CVE-2024-32040

Integer underflow in nsc_rle_decode

CVE-2024-32041

Out of bounds read in zgfx_decompress_segment

CVE-2024-32458

Out of bounds read in planar_skip_plane_rle

CVE-2024-32459

Out of bounds read in ncrush_decompress

CVE-2024-32460

Out of bounds read in interleaved_decompress

CVE-2024-32658

Out of bounds read in ExtractRunLengthRegular*

CVE-2024-32659

Out of bounds read in freerdp_image_copy

CVE-2024-32660

Out of memory in zgfx_decompress

CVE-2024-32661

NULL dereference in rdp_write_logon_info_v1

ELA-1482-1 commons-beanutils security update

Thu, 17 Jul 2025 23:54:04 +0300

Package : commons-beanutils

Version : 1.9.3-1+deb10u2 (buster)

Related CVEs : CVE-2025-48734

Improper access control has been fixed in Apache Commons BeanUtils, Java classes for working with JavaBeans classes.

ELA-1481-1 redis security update

Mon, 14 Jul 2025 15:28:14 -0700

Package : redis

Version : 3:3.2.6-3+deb9u16 (stretch), 5:5.0.14-1+deb10u9 (buster)

Related CVEs : CVE-2025-32023 CVE-2025-48367

Two issues were discovered in Redis, the key-value database:

CVE-2025-32023: An authenticated user may have used a specially-crafted string to trigger a stack/heap out-of-bounds write during hyperloglog operations, potentially leading to a remote code execution vulnerability. Installations that used Redis’ ACL system to restrict hyperloglog HLL commands are unaffected by this issue.
CVE-2025-48367: An unauthenticated connection could have caused repeated IP protocol errors, leading to client starvation and ultimately become a Denial of Service (DoS) attack.

ELA-1480-1 varnish security update

Thu, 10 Jul 2025 07:37:20 +0200

Package : varnish

Version : 5.0.0-7+deb9u4 (stretch)

Related CVEs : CVE-2025-47905

A client-side desync vulnerability can be triggered in Varnish Cache, a state of the art, high-performance web accelerator. An attacker can abuse a flaw in Varnish’s handling of chunked transfer encoding which allows certain malformed HTTP/1 requests to exploit improper framing of the message body to smuggle additional requests. Specifically, Varnish incorrectly permits CRLF to be skipped to delimit chunk boundaries.

ELA-1479-1 commons-vfs security update

Tue, 01 Jul 2025 00:38:30 +0200

Package : commons-vfs

Version : 2.1-2+deb10u1 (buster)

Related CVEs : CVE-2025-27553

A vulnerability was discovered in Apache Commons VFS, a Java API for accessing various filesystems.

CVE-2025-27553

A relative path traversal vulnerability was discovered in Apache Commons
VFS. The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that
"an exception is thrown if the resolved file is not a descendent of the
base file". But when a path contains encoded ".." characters (for example,
"%2E%2E/bar.txt"), it might return file objects that are not a descendent
of the base file, without throwing an exception.

ELA-1478-1 rar security update

Mon, 30 Jun 2025 22:28:34 +0300

Package : rar

Version : 2:7.01-1~deb9u1 (stretch)

Related CVEs : CVE-2024-33899

ANSI escape injection has been fixed in the RAR archiver.

ELA-1477-1 jessie-elts end of life

Mon, 30 Jun 2025 15:31:34 -0300

Package : jessie-elts

The Extended Long Term Support (ELTS) Team hereby announces that Debian 8 “Jessie” support has reached its end-of-life today, June 30, 2025, ten years after its initial release on April 26th, 2015.

We strongly encourage any remaining Jessie users to upgrade to a supported Debian version. The ELTS Team will continue to provide security support for Debian 9 “Stretch” and Debian 10 “Buster”, while Debian 11 “Bullseye” and Debian 12 “Bookworm” are still supported by Debian.

Freexian and the ELTS Team would like to thank all the users that made Debian 8 ELTS possible, and we invite any interested parties to contribute to the extended support of the still supported Debian releases.

ELA-1476-1 sudo security update

Mon, 30 Jun 2025 16:30:54 +0200

Package : sudo

Version : 1.8.10p3-1+deb8u10 (jessie), 1.8.19p1-2.1+deb9u7 (stretch), 1.8.27-1+deb10u7 (buster)

Related CVEs : CVE-2025-32462

Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or –host) option. Due to a bug the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file the flaw might allow a local privilege escalation attack.

ELA-1475-1 gst-plugins-good1.0 security update

Mon, 30 Jun 2025 15:23:12 +0200

Package : gst-plugins-good1.0

Version : 1.10.4-1+deb9u4 (stretch)

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

ELA-1474-1 catdoc security update

Mon, 30 Jun 2025 13:56:12 +0300

Package : catdoc

Version : 1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u2 (stretch), 1:0.95-4.1+deb11u1~deb10u1 (buster)

Multiple vulnerabilities have been fixed in catdoc, a text extractor for MS-Office files.

CVE-2024-48877

memory corruption

CVE-2024-52035

integer overflow

CVE-2024-54028

integer underflow

ELA-1473-1 python-tornado security update

Mon, 30 Jun 2025 02:42:50 +0200

Package : python-tornado

Version : 5.1.1-4+deb10u2 (buster)

Related CVEs : CVE-2025-47287

A vulnerability was discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2025-47287

When Tornado's 'multipart/form-data' parser encounters certain errors,
it logs a warning but continues trying to parse the remainder of the
data. This allows remote attackers to generate an extremely high volume
of logs, constituting a DoS attack. This DoS is compounded by the fact
that the logging subsystem is synchronous.

ELA-1472-1 xorg-server security update

Thu, 26 Jun 2025 10:02:18 +0200

Package : xorg-server

Version : 2:1.16.4-1+deb8u19 (jessie), 2:1.19.2-1+deb9u22 (stretch), 2:1.20.4-1+deb10u17 (buster)

Nils Emmerich discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-1471-1 symfony security update

Tue, 24 Jun 2025 20:42:34 +0200

Package : symfony

Version : 3.4.22+dfsg-2+deb10u4 (buster)

Related CVEs : CVE-2024-50343 CVE-2024-50345

CVE-2024-50343: It was discovered input ending with \n could bypass Validators.
CVE-2024-50345: Sam Mush discovered that due to URI parsing mismatch between common browsers and the Request class, an attacker could supply a specially crafted URI to bypass validation and redirect users to another domain.

ELA-1470-1 python-django security update

Mon, 23 Jun 2025 17:14:46 -0700

Package : python-django

Version : 1.7.11-1+deb8u21 (jessie)

Related CVEs : CVE-2023-43665

A potential denial-of-service vulnerability was uncovered in Django, a popular Python-based web-development framework.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

ELA-1469-1 auto-apt-proxy bugfix update

Mon, 23 Jun 2025 09:21:44 +0200

Package : auto-apt-proxy

Version : 11+deb10u1 (buster)

auto-apt-proxy no longer attempts to look up a network interface name as a hostname and thereby avoids running into a timeout that caused autopkgtests of other packages to fail.

ELA-1468-1 poppler security update

Sat, 21 Jun 2025 07:47:39 +0200

Package : poppler

Version : 0.48.0-2+deb9u7 (stretch)

Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.

Additionally, boomaga (BOOklet MAnager), a virtual preview printer, was rebuilt to handle ABI-breaking changes in the poppler private API.

CVE-2017-7515

An uncontrolled recursion in pdfunite resulting into potential denial-of-service. Note: the fix is a pre-requisite for CVE-2019-9903’s.
CVE-2017-14617

Complete fix, initially fix was in 0.48.0-2+deb9u1. For reference:

A floating point exception occurs in the ImageStream class in Stream.cc, which may lead to a potential attack when handling malicious PDF files.
CVE-2018-20551

A reachable Object::getString assertion allows attackers to cause a denial of service due to construction of invalid rich media annotation assets in the AnnotRichMedia class in Annot.c.
CVE-2019-9903

PDFDoc::markObject in PDFDoc.cc mishandles dict marking, leading to stack consumption in the function Dict::find() located at Dict.cc, which can (for example) be triggered by passing a crafted pdf file to the pdfunite binary.
CVE-2020-23804

Uncontrolled Recursion in pdfinfo, and pdftops allows remote attackers to cause a denial of service via crafted input.
CVE-2022-37050

PDFDoc::savePageAs in PDFDoc.c callows attackers to cause a denial-of-service (application crashes with SIGABRT) by crafting a PDF file in which the xref data structure is mishandled in getCatalog processing. Note that this vulnerability is caused by the incomplete patch of CVE-2018-20662.
CVE-2022-37051

A reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.
CVE-2022-37052

A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.
CVE-2022-38349

There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
CVE-2024-56378

Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
CVE-2025-32364

A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.
CVE-2025-32365

Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

ELA-1467-1 poppler security update

Sat, 21 Jun 2025 07:47:20 +0200

Package : poppler

Version : 0.71.0-5+deb10u4 (buster)

Multiple vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service. An attacker could make poppler-based applications crash through various means.

CVE-2022-37052

A reachable Object::getString assertion allows attackers to cause a denial of service due to a failure in markObject.
CVE-2022-38349

There is a reachable assertion in Object.h, will lead to denial of service because PDFDoc::replacePageDict in PDFDoc.cc lacks a stream check before saving an embedded file.
CVE-2024-56378

Out-of-bounds read vulnerability within the JBIG2Bitmap::combine function in JBIG2Stream.cc.
CVE-2025-32364

A floating-point exception in the PSStack::roll function can cause an application to crash when handling malformed inputs associated with INT_MIN.
CVE-2025-32365

Poppler allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check.

ELA-1466-1 konsole security update

Fri, 20 Jun 2025 11:08:27 -0700

Package : konsole

Version : 4:18.04.0-1+deb10u1 (buster)

Related CVEs : CVE-2025-49091

It was discovered that there was a potential remote code execution vulnerability in konsole, the X terminal emulator of the KDE desktop environment.

ELA-1465-1 libblockdev security update

Tue, 17 Jun 2025 23:52:30 +0200

Package : libblockdev

Version : 2.20-7+deb10u2 (buster)

Related CVEs : CVE-2025-6019

The Qualys Threat Research Unit (TRU) discovered a local privilege escalation vulnerability in libblockdev, a library for manipulating block devices. An “allow_active” user can exploit this flaw via the udisks daemon to obtain the full privileges of the root user.

Details can be found in the Qualys advisory at https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Along with the libblockdev update, updated udisks2 packages are released, to enforce that private mounts are mounted with ’nodev,nosuid'.

ELA-1464-1 gst-plugins-bad1.0 security update

Tue, 17 Jun 2025 23:51:50 +0300

Package : gst-plugins-bad1.0

Version : 1.10.4-1+deb9u6 (stretch), 1.14.4-1+deb10u6 (buster)

Related CVEs : CVE-2025-3887

A stack buffer-overflow in the H.265 codec parser has been fixed in the “bad” set of codecs for the GStreamer multimedia framework.

ELA-1463-1 mercurial security update

Tue, 17 Jun 2025 14:22:15 +0200

Package : mercurial

Version : 4.0-1+deb9u3 (stretch), 4.8.2-1+deb10u2 (buster)

Related CVEs : CVE-2025-2361

A cross-site scripting vulnerability was discovered in hgweb, the integrated stand-alone web interface of the Mercurial version control system.

This update also stabilizes the test suites.

ELA-1462-1 roundcube security update

Tue, 17 Jun 2025 00:28:06 +0200

Package : roundcube

Version : 1.3.17+dfsg.1-1~deb10u8 (buster)

Related CVEs : CVE-2025-49113

Kirill Firsov discovered that Roundcube, a skinnable AJAX based webmail solution for IMAP servers, was performing PHP Object deserialization on unvalidated input, which could lead to remote code execution by an authenticated attacker.

ELA-1348-2 python2.7 regression update

Mon, 16 Jun 2025 22:56:09 +0200

Package : python2.7

Version : 2.7.13-2+deb9u11 (stretch)

The fix for CVE-2023-27043 made the email.utils.getaddresses function return results with an additional conversion from Python string object (str) to Unicode object (unicode). This can lead to a change in corner-case situations, as spotted in the Mercurial test suite. The fix was adapted to restore the previous behavior.

ELA-1347-2 python2.7 regression update

Mon, 16 Jun 2025 22:28:04 +0200

Package : python2.7

Version : 2.7.16-2+deb10u6 (buster)

ELA-1461-1 icu security update

Sun, 15 Jun 2025 23:58:46 +0300

Package : icu

Version : 52.1-8+deb8u10 (jessie), 57.1-6+deb9u6 (stretch), 63.1-6+deb10u4 (buster)

Related CVEs : CVE-2025-5222

A stack-based buffer overflow has been fixed in ICU, a C++ and C library for Unicode and Globalization support.

ELA-1460-1 libreoffice security update

Fri, 13 Jun 2025 23:43:07 +0200

Package : libreoffice

Version : 1:6.1.5-3+deb9u7 (stretch), 1:6.1.5-3+deb10u16 (buster)

Related CVEs : CVE-2025-1080 CVE-2025-2866

Multiple vulnerabilities were fixed in libreoffice, a popular office productivity suite.

CVE-2025-1080

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice
with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific
to LibreOffice was added. In the affected versions of LibreOffice a link in a browser
using that scheme could be constructed with an embedded inner URL that when passed
to LibreOffice could call internal macros with arbitrary arguments.

CVE-2025-2866

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows
PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice
a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid
signatures to be accepted as valid.

ELA-1459-1 u-boot security update

Fri, 13 Jun 2025 16:55:47 -0300

Package : u-boot

Version : 2016.11+dfsg1-4+deb9u1 (stretch), 2019.01+dfsg-7+deb10u1 (buster)

Multiple vulnerabilities have been discovered in u-boot, a boot loader for embedded systems.

CVE-2019-13103

A crafted self-referential DOS partition table will cause all Das U-Boot
versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow
infinitely and eventually either crash or overwrite other data.

CVE-2019-13104

In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow can cause
memcpy() to overwrite a very large amount of data (including the whole stack)
while reading a crafted ext4 filesystem.

CVE-2019-13106

Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much data
while reading a crafted ext4 filesystem, which results in a stack buffer
overflow and likely code execution.

CVE-2019-14192

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy when parsing a UDP packet due to a net_process_received_packet integer
underflow during an nc_input_packet call.

CVE-2019-14193

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with an unvalidated length at nfs_readlink_reply, in the "if" block
after calculating the new path length.

CVE-2019-14194

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_read_reply when calling store_block in
the NFSv2 case.

CVE-2019-14195

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with unvalidated length at nfs_readlink_reply in the "else" block after
calculating the new path length.

CVE-2019-14196

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_lookup_reply.

CVE-2019-14197

An issue was discovered in Das U-Boot through 2019.07. There is a read of
out-of-bounds data at nfs_read_reply.

CVE-2019-14198

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy with a failed length check at nfs_read_reply when calling store_block in
the NFSv3 case.

CVE-2019-14199

An issue was discovered in Das U-Boot through 2019.07. There is an unbounded
memcpy when parsing a UDP packet due to a net_process_received_packet integer
underflow during an *udp_packet_handler call.

CVE-2019-14200

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: rpc_lookup_reply.

CVE-2019-14201

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_lookup_reply.

CVE-2019-14202

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_readlink_reply.

CVE-2019-14203

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_mount_reply.

CVE-2019-14204

An issue was discovered in Das U-Boot through 2019.07. There is a stack-based
buffer overflow in this nfs_handler reply helper function: nfs_umountall_reply.

CVE-2020-8432

In Das U-Boot through 2020.01, a double free has been found in the cmd/gpt.c
do_rename_gpt_parts() function. Double freeing may result in a write-what-where
condition, allowing an attacker to execute arbitrary code.

CVE-2020-10648

Das U-Boot through 2020.01 allows attackers to bypass verified boot
restrictions and subsequently boot arbitrary images by providing a crafted FIT
image to a system configured to boot the default configuration.

CVE-2022-2347

There exists an unchecked length field in UBoot. The U-Boot DFU implementation
does not bound the length field in USB DFU download setup packets, and it does
not verify that the transfer direction corresponds to the specified command.
Consequently, if a physical attacker crafts a USB DFU download setup packet
with a `wLength` greater than 4096 bytes, they can write beyond the
heap-allocated request buffer.

CVE-2022-30552

Das U-Boot 2022.01 has a Buffer Overflow.

CVE-2022-30790

Das U-Boot 2022.01 has a Buffer Overflow, a different issue than
CVE-2022-30552.

CVE-2022-34835

In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant
stack-based buffer overflow in the "i2c md" command enables the corruption of
the return address pointer of the do_i2c_md function.

CVE-2024-57256

An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1
occurs for zalloc (adding one to an le32 variable) via a crafted ext4
filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and
resultant memory overwrite.

CVE-2024-57258

Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur
for a crafted squashfs filesystem via sbrk, via request2size, or because
ptrdiff_t is mishandled on x86_64.

ELA-1458-1 python-django security update

Fri, 13 Jun 2025 11:45:09 -0700

Package : python-django

Version : 1:1.10.7-2+deb9u26 (stretch), 1:1.11.29-1+deb10u15 (buster)

A number of vulnerabilities were found in Django, a Python-based web-development framework:

CVE-2023-43665: Address a denial-of-service possibility in django.utils.text.Truncator.

Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable. The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.
CVE-2024-24680: Potential denial-of-service in intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
CVE-2025-32873: Denial-of-service possibility in strip_tags().

django.utils.html.strip_tags() would be slow to evaluate certain inputs containing large sequences of incomplete HTML tags. This function is used to implement the striptags template filter, which was therefore also vulnerable. strip_tags() now raises a SuspiciousOperation exception if it encounters an unusually large number of unclosed opening tags.

ELA-1457-1 varnish security update

Fri, 13 Jun 2025 18:06:18 +0200

Package : varnish

Version : 6.1.1-1+deb10u5 (buster)

Related CVEs : CVE-2025-30346 CVE-2025-47905

Two client-side desync vulnerabilities can be triggered in Varnish, a high-performance web accelerator. An attacker can exploit these flaws when using malformed HTTP/1 requests. The primary risk of these vulnerabilities is enabling HTTP request smuggling attacks which could lead to cache poisoning or the bypass of a web application firewall.

ELA-1456-1 ublock-origin security update

Thu, 12 Jun 2025 23:20:12 +0200

Package : ublock-origin

Version : 1.62.0+dfsg-0+deb9u2 (stretch), 1.62.0+dfsg-0+deb10u2 (buster)

Related CVEs : CVE-2025-4215

A flaw was found in ublock-origin, an efficient ads, malware and tracker blocker. A remote attacker could abuse an inefficient regular expression in ublock-origin’s filters to cause a denial-of-service and freeze a web browser.

ELA-1455-1 curl security update

Mon, 09 Jun 2025 22:38:21 -0300

Package : curl

Version : 7.38.0-4+deb8u29 (jessie)

Three security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool:

CVE-2023-27534

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation
causes the tilde (~) character to be wrongly replaced when used as a prefix
in the first path element, in addition to its intended use as the first
element to indicate a path relative to the user's home directory. Attackers
can exploit this flaw to bypass filtering or execute arbitrary code by
crafting a path like /~2/foo while accessing a server with a specific user.

CVE-2023-28321

An improper certificate validation vulnerability exists in curl <v8.1.0 in
the way it supports matching of wildcard patterns when listed as "Subject
Alternative Name" in TLS server certificates. curl can be built to use its
own name matching function for TLS rather than one provided by a TLS
library. This private wildcard matching function would match IDN
(International Domain Name) hosts incorrectly and could as a result accept
patterns that otherwise should mismatch. IDN hostnames are converted to
puny code before used for certificate checks. Puny coded names always start
with `xn--` and should not be allowed to pattern match, but the wildcard
check in curl could still check for `x*`, which would match even though the
IDN name most likely contained nothing even resembling an `x`.

CVE-2023-28322

An information disclosure vulnerability exists in curl <v8.1.0 when doing
HTTP(S) transfers, libcurl might erroneously use the read callback
(`CURLOPT_READFUNCTION`) to ask for data to send, even when the
`CURLOPT_POSTFIELDS` option has been set, if the same handle previously
was used to issue a `PUT` request which used that callback. This flaw may
surprise the application and cause it to misbehave and either send off the
wrong data or use memory after free or similar in the second transfer. The
problem exists in the logic for a reused handle when it is (expected to be)
changed from a PUT to a POST.

ELA-1068-2 curl regression update

Mon, 09 Jun 2025 14:47:49 -0300

Package : curl

Version : 7.52.1-5+deb9u24 (stretch), 7.64.0-4+deb10u12 (buster)

The fix for CVE-2023-27534 in curl made the handling of tilde (~) way more strict in sftp mode and caused a regression when trying to list the home dir with sftp://host/~.

ELA-1454-1 twitter-bootstrap3 security update

Mon, 09 Jun 2025 15:03:15 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3~deb8u2 (jessie), 3.3.7+dfsg-2+deb9u4 (stretch), 3.4.1+dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2025-1647

A cross-site scripting (XSS) vulnerability has been identified within the Bootstrap 3 Popover component and Bootstrap 3 Tooltip component, which allows unsanitized HTML to be used.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1453-1 modsecurity-apache security update

Mon, 09 Jun 2025 16:02:51 +0300

Package : modsecurity-apache

Version : 2.8.0-3+deb8u4 (jessie), 2.9.1-2+deb9u4 (stretch), 2.9.3-3+deb11u4~deb10u1 (buster)

Related CVEs : CVE-2025-48866

DoS with sanitiseArg/sanitizeArg has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1452-1 glibc security update

Sun, 08 Jun 2025 09:40:31 +0100

Package : glibc

Version : 2.28-10+deb10u5 (buster)

Related CVEs : CVE-2025-0395 CVE-2025-4802

Multiple vulnerabilities were discovered in the GNU C Library, the C standard library implementation used by Debian.

CVE-2024-0395

When the function fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

CVE-2025-4802

Privilege escalation may be possible in statically compiled setuid binaries that call dlopen(), due to an untrusted LD_LIBRARY_PATH environment variable vulnerability. This includes calls to dlopen() internal to glibc itself, made after user calls to setlocale() or to NSS functions such as getaddrinfo().

ELA-1451-1 glibc security update

Sun, 08 Jun 2025 09:39:20 +0100

Package : glibc

Version : 2.19-18+deb8u15 (jessie), 2.24-11+deb9u8 (stretch)

Related CVEs : CVE-2025-0395

A flaw was found in the implementation of assert() in the GNU C Library, the C standard library implementation used by Debian. When the function fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

ELA-1448-1 python-django security update

Sat, 07 Jun 2025 10:03:49 -0700

Package : python-django

Version : 1.7.11-1+deb8u20 (jessie)

A number of vulnerabilities were discovered in Django, a popular Python-based web development framework:

CVE-2025-32873: Prevent an issue where the strip_tags() function in django.utils.html was vulnerable to a potential denial-of-service (DoS) attack when processing inputs containing large sequences of incomplete HTML tags. The template filter |striptags was similarly vulnerable, as it is built on top of strip_tags().
CVE-2024-24680: Prevent an issue where the |intcomma template filter was subject to a potential denial-of-service attack when used with very long input strings.
CVE-2023-36053: Prevent an potential denial-of-service issue in the EmailValidator and URLValidator classes that could have been exploited via a very large number of domain name labels containing emails and/or URLs.

ELA-1450-1 krb5 security update

Sat, 07 Jun 2025 10:48:15 +0200

Package : krb5

Version : 1.12.1+dfsg-19+deb8u11 (jessie), 1.15-1+deb9u8 (stretch), 1.17-3+deb10u9 (buster)

Related CVEs : CVE-2025-3576

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

In order to fix CVE-2025-3576, vulnerable cryptographic algorithms for tickets need to be disabled explicitly with the new allow_rc4 or allow_des3 variables.

According to the vulnerability report “Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisions”, disabling this cryptographic algorithm suite may break some older authentication systems, and administrators should test carefully.

Because of the risk of breaking certain configurations, the new allow_rc4 or allow_des3 are being treated as having a default value of ’true’ for updates to older Debian releases. This leaves the 3DES and RC4 algorithms enabled, but administrators are strongly encouraged to disable them after verifying compatibility in their environments.

ELA-1449-1 libfile-find-rule-perl security update

Fri, 06 Jun 2025 23:56:14 +0300

Package : libfile-find-rule-perl

Version : 0.34-1+deb11u1~deb9u1 (stretch), 0.34-1+deb11u1~deb10u1 (buster)

Related CVEs : CVE-2011-10007

Arbitrary code execution with crafted file names was fixed in libfile-find-rule-perl, a module to search for files based on rules.

ELA-1447-1 net-tools security update

Sat, 31 May 2025 23:58:20 +0300

Package : net-tools

Version : 1.60-26+deb8u1 (jessie), 1.60+git20161116.90da8a0-1+deb9u1 (stretch), 1.60+git20180626.aebd88e-1+deb10u1 (buster)

Related CVEs : CVE-2025-46836

Multiple stack-based buffer overflows have been fixed in the net-tools network utilities.

ELA-1446-1 libvpx security update

Sat, 31 May 2025 23:49:38 +0300

Package : libvpx

Version : 1.6.1-3+deb9u7 (stretch), 1.7.0-3+deb10u4 (buster)

Related CVEs : CVE-2025-5283

Double free on init failure has been fixed in libvpx, a library for decoding and encoding VP8 and VP9 videos.

ELA-1445-1 espeak-ng security update

Sat, 31 May 2025 10:55:02 +0200

Package : espeak-ng

Version : 1.49.0+dfsg-11+deb9u1 (stretch), 1.49.2+dfsg-8+deb10u2 (buster)

Several issues have been found in espeak-ng, a Multi-lingual software speech synthesizer. The issues are related to buffer overflow or underflow in several functions and a floating point exception.

ELA-1444-1 kmail-account-wizard security update

Sat, 31 May 2025 01:12:19 +0200

Package : kmail-account-wizard

Version : 4:18.08.3-1+deb10u1 (buster)

Related CVEs : CVE-2020-15954 CVE-2024-50624

Two issues have been found in kmail-account-wizard, a wizard for KDE PIM applications account setup.

One issue is about a man-in-the-middle-attack when using autoconf for retrieving configuration. The other issue is about a misleading UI, in which the state of encryption is shown wrong.

Please also note that for configuration with autoconf.example.com, the config is first fetched with https and the former http is used only as fallback. For configuration via example.com/.well-known/autoconfig the config is now fetched only with https.

ELA-1443-1 linux-6.1 security update

Fri, 30 May 2025 10:53:02 +0200

Package : linux-6.1

Version : 6.1.137-1~deb9u1 (stretch), 6.1.137-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This additionally includes many more bug fixes from stable updates 6.1.130-6.1.137 and an update of the Microsoft Azure Network Adapter (mana) driver.

ELA-1442-1 linux-5.10 security update

Fri, 30 May 2025 09:36:27 +0200

Package : linux-5.10

Version : 5.10.237-1~deb8u1 (jessie), 5.10.237-1~deb9u1 (stretch), 5.10.237-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This additionally includes many more bug fixes from stable updates 5.10.235-5.10.237.

ELA-1441-1 modsecurity-apache security update

Thu, 29 May 2025 23:56:19 +0300

Package : modsecurity-apache

Version : 2.8.0-3+deb8u3 (jessie), 2.9.1-2+deb9u3 (stretch), 2.9.3-1+deb10u3 (buster)

Related CVEs : CVE-2025-47947

DoS with sanitiseMatchedBytes has been fixed in modsecurity-apache, a module for the Apache webserver to tighten Web application security.

ELA-1440-1 webpy security update

Thu, 29 May 2025 14:28:13 +0300

Package : webpy

Version : 1:0.38-1+deb9u1 (stretch)

Related CVEs : CVE-2025-3818

PostgreSQL SQL injection has been fixed in web.py, a Web framework for Python applications.

ELA-1438-1 yelp security update

Wed, 28 May 2025 17:32:20 -0300

Package : yelp

Version : 3.22.0-1+deb9u1 (stretch), 3.31.90-1+deb10u1 (buster)

Related CVEs : CVE-2025-3155

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment.

ELA-1439-1 yelp-xsl security update

Wed, 28 May 2025 17:31:33 -0300

Package : yelp-xsl

Version : 3.20.1-2+deb9u1 (stretch), 3.31.90-1+deb10u1 (buster)

Related CVEs : CVE-2025-3155

ELA-1437-1 libbson security update

Mon, 26 May 2025 17:08:23 -0400

Package : libbson

Version : 1.4.2-1+deb9u1 (stretch)

Multiple vulnerabilities have been discovered in the MongoDB BSON library.

CVE-2017-14227

The bson_iter_codewscope function in bson-iter.c miscalculates a
bson_utf8_validate length argument, which allows remote attackers to
cause a denial of service (heap-based buffer over-read in the
bson_utf8_validate function in bson-utf8.c).

CVE-2018-16790

_bson_iter_next_internal in bson-iter.c has a heap-based buffer
over-read via a crafted bson buffer.

CVE-2023-0437

When calling bson_utf8_validate on some inputs a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small of buffer and may lead to memory corruption of
neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.

ELA-1435-1 libfcgi-perl security update

Mon, 26 May 2025 23:00:48 +0200

Package : libfcgi-perl

Version : 0.77-1+deb8u2 (jessie), 0.78-2+deb9u1 (stretch), 0.78-2+deb10u1 (buster)

Related CVEs : CVE-2025-40907

libfcgi-perl is a helper module for FastCGI, a binary protocol for interfacing interactive programs with a web server. It was found the included FastCGI library is affected by CVE-2025-23016, causing an integer overflow (and resultant heap-based buffer overflow) via crafted nameLen or valueLen values in data to the IPC socket which may lead to a denial of service or other unspecified impact.

ELA-1434-1 subversion security update

Mon, 26 May 2025 22:49:55 +0200

Package : subversion

Version : 1.8.10-6+deb8u10 (jessie), 1.9.5-1+deb9u7 (stretch), 1.10.4-1+deb10u4 (buster)

Related CVEs : CVE-2024-46901

A flaw has been discovered in subversion, an advanced version control system. The patch for CVE-2013-1968 was incomplete and unintentionally left mod_dav_svn vulnerable to control characters in filenames. If a path or a revision-property which contains control characters is committed to a repository then SVN operations served by mod_dav_svn can be disrupted.

ELA-1433-1 glib2.0 security update

Mon, 26 May 2025 22:23:44 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u9 (jessie)

Related CVEs : CVE-2025-4373

A flaw was found in GLib, a bundle of low-level system libraries, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

Additionally this update addresses a regression introduced in ELA-625-1 in order to fix CVE-2021-27218. The inline keyword in the gmem.h header file was not defined if software used an older C standard which led to a build failure when building reverse-dependencies of GLib, e.g. subversion.

ELA-1436-1 gimp security update

Mon, 26 May 2025 15:53:36 +0300

Package : gimp

Version : 2.8.18-1+deb9u4 (stretch), 2.10.8-2+deb10u3 (buster)

Related CVEs : CVE-2025-5473

ICO file parsing integer overflow has been fixed in GIMP, the GNU Image Manipulation Program.

ELA-1432-1 libphp-adodb security update

Sat, 24 May 2025 23:52:15 +0300

Package : libphp-adodb

Version : 5.20.14-1+deb10u2 (buster)

Related CVEs : CVE-2025-46337

SQL injection in the PostgreSQL driver has been fixed in the ADOdb database access library for PHP.

ELA-1431-1 mongo-c-driver security update

Wed, 21 May 2025 09:58:35 -0400

Package : mongo-c-driver

Version : 1.14.0-1+deb10u1 (buster)

Multiple vulnerabilities have been discovered in the MongoDB C Driver.

CVE-2021-32050

Some MongoDB Drivers may erroneously publish events containing
authentication-related data to a command listener configured by an
application. The published events may contain security-sensitive
data when specific authentication-related commands are executed.
Without due care, an application may inadvertently expose this
sensitive information, e.g., by writing it to a log file. This issue
only arises if an application enables the command listener feature
(this is not enabled by default).

CVE-2023-0437

When calling bson_utf8_validate on some inputs a loop with an exit
condition that cannot be reached may occur, i.e. an infinite loop.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in MongoDB C Driver may be
vulnerable to a buffer overflow where the function might attempt to
allocate too small of buffer and may lead to memory corruption of
neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.

ELA-1430-1 vim security update

Wed, 21 May 2025 10:31:07 +0200

Package : vim

Version : 2:7.4.488-7+deb8u12 (jessie), 2:8.0.0197-4+deb9u12 (stretch), 2:8.1.0875-5+deb10u7 (buster)

Multiple vulnerabilities have been fixed in the editor vim.

CVE-2023-4738

buffer-overflow in vim_regsub_both()

CVE-2023-5344

buffer-overflow in trunc_string()

CVE-2024-22667

stack-buffer-overflow in option callback functions

CVE-2024-43802

heap-buffer-overflow in ins_typebuf()

CVE-2024-47814

use-after-free when closing a buffer

ELA-1429-1 openjdk-8 security update

Tue, 20 May 2025 12:26:21 +0200

Package : openjdk-8

Version : 8u452-ga-1~deb8u1 (jessie), 8u452-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1428-1 openjdk-11 security update

Tue, 20 May 2025 10:37:25 +0200

Package : openjdk-11

Version : 11.0.27+6-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of sandbox restrictions.

ELA-1427-1 open-vm-tools security update

Mon, 19 May 2025 15:33:03 +0200

Package : open-vm-tools

Version : 2:10.1.5-5055683-4+deb9u7 (stretch), 2:10.3.10-1+deb10u7 (buster)

Related CVEs : CVE-2025-22247

It was discovered that insecure file handling in open-vm-tools, an open source implementation of VMware Tools, may allow an unprivileged local guest user to tamper local files to trigger insecure file operations within that VM.

ELA-1426-1 ghostscript security update

Mon, 19 May 2025 00:49:04 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u15 (jessie), 9.26a~dfsg-0+deb9u14 (stretch), 9.27~dfsg-2+deb10u11 (buster)

Multiple vulnerabilities affected ghostscript an interpreter for PostScript and Portable Document Format (PDF) page description languages.

CVE-2025-27830

Buffer overflow via serialization of DollarBlend

CVE-2025-27831

Unicode decoding overrun

CVE-2025-27832

Integer overflow leading to buffer overflow

CVE-2025-27835

Confusion between bytes and shorts

CVE-2025-27836

Buffer overflow in bj10v device

ELA-1425-1 intel-microcode security update

Sun, 18 May 2025 19:23:37 +0200

Package : intel-microcode

Version : 3.20250512.1~deb8u1 (jessie), 3.20250512.1~deb9u1 (stretch), 3.20250512.1~deb10u1 (buster)

Microcode updates have been released for Intel(R) processors, addressing multiple potential vulnerabilties that may allow denial of service or information disclosure.

CVE-2024-28956

Exposure of Sensitive Information in Shared Microarchitectural
Structures during Transient Execution for some Intel(R) Processors
may allow an authenticated user to potentially enable information
disclosure via local access.

CVE-2024-43420

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel Atom(R) processors may allow an
authenticated user to potentially enable information disclosure via
local access.

CVE-2024-45332

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution in the indirect branch predictors for some Intel(R)
Processors may allow an authenticated user to potentially enable
information disclosure via local access.

CVE-2025-20012

Incorrect behavior order for some Intel(R) Core™ Ultra Processors
may allow an unauthenticated user to potentially enable information
disclosure via physical access.

CVE-2025-20054

Uncaught exception in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.

CVE-2025-20103

Insufficient resource pool in the core management mechanism for some
Intel(R) Processors may allow an authenticated user to potentially
enable denial of service via local access.

CVE-2025-20623

Exposure of sensitive information caused by shared
microarchitectural predictor state that influences transient
execution for some Intel(R) Core™ processors (10th Generation) may
allow an authenticated user to potentially enable information
disclosure via local access.

CVE-2025-24495

Incorrect initialization of resource in the branch prediction unit
for some Intel(R) Core™ Ultra Processors may allow an authenticated
user to potentially enable information disclosure via local access.

ELA-1424-1 libraw security update

Sun, 18 May 2025 14:43:37 +0200

Package : libraw

Version : 0.17.2-6+deb9u6 (stretch), 0.19.2-2+deb10u5 (buster)

CVE-2025-43961: Out-of-bounds read in the Fujifilm 0xf00c tag parser. (This issue did not affect 0.17.2-6+deb9u5 and earlier versions.)
CVE-2025-43962: Out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.
CVE-2025-43963: phase_one_correct() allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.
CVE-2025-43964: Tag 0x412 processing in phase_one_correct() does not enforce minimum w0 and w1 values.

ELA-1423-1 dropbear security update

Sun, 18 May 2025 08:59:41 +0200

Package : dropbear

Version : 2018.76-5+deb10u3 (buster)

Related CVEs : CVE-2025-47203

Marcin Nowak discovered that dbclient(1) hostname arguments with a comma (for multihop) are passed to the shell which could result in running arbitrary shell commands locally. Such behavior could have security implications in situations where dbclient(1) is passed untrusted hostname arguments.

The multihop command is now executed directly (no shell is involved).

ELA-1422-1 simplesamlphp security update

Sat, 17 May 2025 10:22:36 +0200

Package : simplesamlphp

Version : 1.16.3-1+deb10u4 (buster)

Related CVEs : CVE-2020-5225 CVE-2025-27773

Multiple vulnerabilites have been discovered in SimpleSAMLphp, a framework for authentication, primarily via the SAML protocol.

CVE-2020-5225

Log injection in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script, which receives error reports and sends them via email to the system administrator, did not properly sanitize the report identifier obtained from the request. This allows an attacker, under specific circumstances, to inject new log lines by manually crafting this report ID. When configured to use the file logging handler, SimpleSAMLphp will output all its logs by appending each log line to a given file. Since the reportID parameter received in a request sent to www/errorreport.php was not properly sanitized, it was possible to inject newline characters into it, effectively allowing a malicious user to inject new log lines with arbitrary content.

CVE-2025-27773

The SimpleSAMLphp SAML2 library is a PHP library for SAML2 related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20, there is a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect binding can cause the application to accept an unsigned message. Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.

ELA-1421-1 vips security update

Fri, 16 May 2025 13:24:18 +0200

Package : vips

Version : 8.7.4-1+deb10u2 (buster)

Related CVEs : CVE-2021-27847

Division by zero issues were discovered in vips_eye_point() and vips_mask_point(), potentially leading to denial of service.

ELA-1420-1 redis security update

Mon, 12 May 2025 16:24:47 +0300

Package : redis

Version : 2:2.8.17-1+deb8u15 (jessie), 3:3.2.6-3+deb9u15 (stretch), 5:5.0.14-1+deb10u8 (buster)

Related CVEs : CVE-2025-21605

Unlimited output buffer for unauthenticated clients has been fixed in the key–value database Redis.

ELA-1419-1 wpa security update

Sun, 11 May 2025 11:25:24 +0200

Package : wpa

Version : 2:2.9.0-21+deb11u3~deb10u1 (buster)

Multiple vulnerabilities were found in wpa, a set of tools including the widely-used wpasupplicant client for authenticating with WPA and WPA2 wireless networks.

CVE-2022-23303

The implementations of SAE in hostapd
are vulnerable to side channel attacks as a result of
cache access patterns.

CVE-2022-23304

The implementations of EAP-pwd are vulnerable
to side-channel attacks as a result of cache access patterns.

CVE-2022-37660

The PKEX code remains active even after
a successful PKEX association. An attacker that successfully
bootstrapped public keys with another entity using PKEX in
the past, will be able to subvert a future bootstrapping
by passively observing public keys.

ELA-1418-1 request-tracker4 security update

Thu, 08 May 2025 12:59:14 -0300

Package : request-tracker4

Version : 4.4.3-2+deb10u4 (buster)

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system, which could result in information disclosure, cross-site scripting and use of weak encryption for S/MIME emails.

ELA-1417-1 golang-glog security update

Mon, 05 May 2025 15:32:49 +0200

Package : golang-glog

Version : 0.0~git20160126.23def4e-3+deb10u1 (buster)

Related CVEs : CVE-2024-45339

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process’s log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

The following Go packages have been rebuilt in order to fix this issue:

golang-grpc-gateway 1.6.4-2+deb10u1
mtail 3.0.0~rc19-2+deb10u1
prometheus-mongodb-exporter 1.0.0+git20180522.e755a44-1+deb10u1

ELA-1416-1 libuv1 security update

Sun, 04 May 2025 19:08:25 +0200

Package : libuv1

Version : 1.24.1-1+deb10u3 (buster)

Related CVEs : CVE-2020-8252

realpath in libuv incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.

ELA-1415-1 nodejs security update

Sun, 04 May 2025 00:41:56 +0200

Package : nodejs

Version : 10.24.0~dfsg-1~deb10u6 (buster)

Related CVEs : CVE-2025-47153

Node.js a popular server side javascript engine was affected by a vulnerability on 32bits architecture.

Build processes for libuv and Node.js for 32-bit systems, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access.

Following reverse dependencies were also rebuilt in order to fix the vulnerability:

node-expat
node-iconv
node-leveldown
node-mapnik
node-modern-syslog
node-nodedbi
node-opencv
node-sqlite3
node-srs
node-stringprep
node-websocket
node-ws
node-zipfile
r-cran-v8

ELA-1414-1 postgresql-9.6 security update

Fri, 02 May 2025 08:58:28 +0200

Package : postgresql-9.6

Version : 9.6.24-0+deb9u9 (stretch)

Related CVEs : CVE-2025-1094

PostgreSQL, a popular database, was affected by a vulnerability.

Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns.

ELA-1413-1 mysql-connector-python security update

Fri, 02 May 2025 00:00:08 +0200

Package : mysql-connector-python

Version : 2.1.6-1+deb9u1 (stretch)

Multiple vulnerabilities have been discovered in mysql-connector-python, a Python implementation of the MySQL client/server protocol.

CVE-2019-2435

A vulnerability to man-in-the-middle attacks was discovered in the pure
Python implementation. MySQL clients connecting using TLS have not been
verifying the server name against the server certificate's common
name (CN) and subject alternative names (SANs).

CVE-2024-21272

Malicious strings can be injected when utilizing dictionary-based query
parameterization via the `cursor.execute()` API command and the C-based
implementation of the connector.

CVE-2025-21548

A possible RCE has been detected involving the MySQL Connector/Python
configuration files.

ELA-1412-1 libxml2 security update

Wed, 30 Apr 2025 18:20:15 +0200

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u19 (jessie), 2.9.4+dfsg1-2.2+deb9u13 (stretch), 2.9.4+dfsg1-7+deb10u11 (buster)

Related CVEs : CVE-2025-32414 CVE-2025-32415

Two issues have been found in libxml2, the GNOME XML library. They are related to an out-of-bounds memory access in the Python API and a heap-buffer-overflow in xmlSchemaIDCFillNodeTables().

ELA-1411-1 expat security update

Wed, 30 Apr 2025 18:10:01 +0200

Package : expat

Version : 2.2.0-2+deb9u10 (stretch), 2.2.6-2+deb10u9 (buster)

Related CVEs : CVE-2024-50602

An issue has been found in expat, an XML parsing C library. The issue is related to a crash within XML_ResumeParser() because XML_StopParser() can stop/suspend an unstarted parser.

ELA-1410-1 python3.7 security update

Sun, 27 Apr 2025 14:13:57 +0300

Package : python3.7

Version : 3.7.3-2+deb10u10 (buster)

Related CVEs : CVE-2025-1795

List separators in email headers were wrongly Unicode-encoded in email headers in the Python3 interpreter.

ELA-1409-1 zabbix security update

Sun, 27 Apr 2025 09:53:46 +0200

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u10 (jessie), 1:4.0.4+dfsg-1+deb10u6 (buster)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing XSS, Code Execution, information disclosure, remote code execution, impersonation or session hijacking.

Most of the CVEs are targeting the buster update, the CVE targeting jessie is marked accordingly.

CVE-2024-22114

A user with no permission to any of the Hosts can access and view host
count & other statistics through System Information Widget in Global
View Dashboard.

CVE-2024-22116

An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. The lack of
default escaping for script parameters enabled this user ability to
execute arbitrary code via the Ping script, thereby compromising
infrastructure.

CVE-2024-22117

When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.

CVE-2024-22122

Zabbix allows to configure SMS notifications. AT command injection
occurs on "Zabbix Server" because there is no validation of "Number"
field on Web nor on Zabbix server side. Attacker can run test of SMS
providing specially crafted phone number and execute additional AT
commands on the modem.

CVE-2024-22123

Setting SMS media allows to set GSM modem file. Later this file is used
as Linux device. But due everything is a file for Linux, it is possible
to set another file, e.g. log file and zabbix_server will try to
communicate with it as modem. As a result, log file will be broken with
AT commands and small part for log file content will be leaked to UI.

CVE-2024-36464

When exporting media types, the password is exported in the YAML in
plain text. This appears to be a best practices type issue and may
have no actual impact. The user would need to have permissions to
access the media types and therefore would be expected to have
access to these passwords.

CVE-2024-36467

An authenticated user with API access (e.g.: user with default User
role), more specifically a user with access to the user.update API
endpoint is enough to be able to add themselves to any group
(e.g.: Zabbix Administrators), except to groups that are disabled
or having restricted GUI access.

CVE-2024-36469

Execution time for an unsuccessful login differs when using a
non-existing username compared to using an existing one.

CVE-2024-42325 (jessie and buster)

Zabbix API user.get returns all users that share common group with the
calling user. This includes media and other information, such as login
attempts, etc.

CVE-2024-42332

The researcher is showing that due to the way the SNMP trap log is
parsed, an attacker can craft an SNMP trap with additional lines of
information and have forged data show in the Zabbix UI. This attack
requires SNMP auth to be off and/or the attacker to know the
community/auth details. The attack requires an SNMP item to be
configured as text on the target host.

CVE-2024-42333

The researcher is showing that it is possible to leak a small amount
of Zabbix Server memory using an out of bounds read in
src/libs/zbxmedia/email.c

CVE-2024-45700

Zabbix server is vulnerable to a DoS vulnerability due to uncontrolled
resource exhaustion. An attacker can send specially crafted requests to
the server, which will cause the server to allocate an excessive amount
of memory and perform CPU-intensive decompression operations, ultimately
leading to a service crash.

ELA-1408-1 curl security update

Sat, 26 Apr 2025 23:49:19 -0300

Package : curl

Version : 7.52.1-5+deb9u23 (stretch), 7.64.0-4+deb10u11 (buster)

Related CVEs : CVE-2024-2398 CVE-2024-8096

Two security issues were found in Curl, an easy-to-use client-side URL transfer library and command line tool:

CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and
the amount of received headers for the push surpasses the maximum allowed
limit (1000), libcurl aborts the server push. When aborting, libcurl
inadvertently does not free all the previously allocated headers and
instead leaks the memory.

Further, this error condition fails silently and is therefore not easily
detected by an application.

CVE-2024-8096

When curl is told to use the Certificate Status Request TLS extension,
often referred to as OCSP stapling, to verify that the server certificate
is valid, it might fail to detect some OCSP problems and instead wrongly
consider the response as fine.

If the returned status reports another error than "revoked" (like for
example "unauthorized") it is not treated as a bad certificate.

ELA-1407-1 imagemagick security update

Sat, 26 Apr 2025 23:56:09 +0300

Package : imagemagick

Version : 8:6.8.9.9-5+deb8u28 (jessie), 8:6.9.7.4+dfsg-11+deb9u21 (stretch), 8:6.9.10.23+dfsg-2.1+deb10u10 (buster)

Related CVEs : CVE-2025-43965

Mishandling of MIFF image depth after SetQuantumFormat() has been fixed in ImageMagick, a software suite for editing and manipulating digital images.

ELA-1406-1 distro-info-data database update

Sat, 26 Apr 2025 09:42:26 -0400

Package : distro-info-data

Version : 0.36~bpo8+7 (jessie), 0.41+deb10u2~bpo9+7 (stretch), 0.41+deb10u11 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds Ubuntu 25.10 “Questing Quokka” and Debian 15 “Duke”.

ELA-1405-1 erlang security update

Wed, 23 Apr 2025 19:56:35 +0200

Package : erlang

Version : 19.2.1+dfsg-2+really23.3.4.18-0+deb9u4 (stretch), 1:22.2.7+dfsg-1+deb10u3 (buster)

Related CVEs : CVE-2025-32433

A remote code execution vulnerability was discovered in the Erlang/OTP implementation of the SSH protocol.

CVE-2025-32433

A SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.

ELA-1404-1 hiredis security update

Wed, 23 Apr 2025 20:42:19 +0300

Package : hiredis

Version : 0.13.3-2+deb9u1 (stretch), 0.14.0-3+deb10u1 (buster)

Related CVEs : CVE-2020-7105

NULL pointer dereferences due to unchecked return values of allocation functions have been fixed in hiredis, a C client library for the Redis key-value database.

ELA-1403-1 libsndfile security update

Wed, 23 Apr 2025 13:26:54 +0200

Package : libsndfile

Version : 1.0.25-9.1+deb8u8 (jessie), 1.0.27-3+deb9u4 (stretch), 1.0.28-6+deb10u3 (buster)

Related CVEs : CVE-2022-33065 CVE-2024-50612

Several security vulnerabilities have been found in libsndfile, a library for reading/writing audio files.

CVE-2022-33065

Multiple signed integers overflow in function au_read_header in src/au.c
and in functions mat4_open and mat4_read_header in src/mat4.c in
Libsndfile, allows an attacker to cause Denial of Service or other
unspecified impacts.

CVE-2024-50612

libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote
out-of-bounds read.

ELA-1402-1 libxstream-java security update

Tue, 22 Apr 2025 22:08:48 +0200

Package : libxstream-java

Version : 1.4.11.1-1+deb8u7 (jessie), 1.4.11.1-1+deb10u5 (buster)

Related CVEs : CVE-2024-47072

XStream is a Java library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.

ELA-1401-1 transfig security update

Mon, 21 Apr 2025 14:32:05 +0300

Package : transfig

Version : 1:3.2.6a-2~deb8u2 (jessie)

Multiple vulnerabilities have been fixed in the transfig utilities for converting XFig figure files.

CVE-2025-31162

floating point exception with huge pattern lengths

CVE-2025-31163

non-rejection of arcs with co-incident points

CVE-2025-31164

heap buffer overflow on arc-box with zero radius

ELA-1400-1 fig2dev security update

Mon, 21 Apr 2025 14:30:48 +0300

Package : fig2dev

Version : 1:3.2.6a-2+deb9u5 (stretch), 1:3.2.7a-5+deb10u6 (buster)

Multiple vulnerabilities have been fixed in the fig2dev utilities for converting XFig figure files.

CVE-2025-31162

floating point exception with huge pattern lengths

CVE-2025-31163

non-rejection of arcs with co-incident points

CVE-2025-31164

heap buffer overflow on arc-box with zero radius

ELA-1399-1 wget security update

Mon, 21 Apr 2025 11:22:08 +0300

Package : wget

Version : 1.16-1+deb8u8 (jessie), 1.18-5+deb9u4 (stretch), 1.20.1-1.1+deb10u1 (buster)

Related CVEs : CVE-2024-38428

Mishandling of semicolons in the userinfo subcomponent of a URI has been fixed in GNU Wget, a utility for retrieving files over HTTP, HTTPS, FTP and FTPS.

ELA-1398-1 postgresql-11 security update

Fri, 18 Apr 2025 22:24:03 +0200

Package : postgresql-11

Version : 11.22-0+deb10u5 (buster)

Related CVEs : CVE-2025-1094

PostgreSQL, a popular database, was affected by a vulnerability.

ELA-1397-1 libmodbus security update

Thu, 17 Apr 2025 14:33:54 +0200

Package : libmodbus

Version : 3.0.6-1+deb8u2 (jessie), 3.0.6-2+deb9u2 (stretch), 3.1.4-2+deb10u3 (buster)

Related CVEs : CVE-2024-10918

Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows to overflow the buffer allocated for the Modbus response the function tries to reply to a Modbus request with an unexpect length.

ELA-1396-1 jinja2 security update

Wed, 16 Apr 2025 22:27:03 -0300

Package : jinja2

Version : 2.7.3-1+deb8u2 (jessie), 2.8-1+deb9u2 (stretch), 2.10-2+deb10u2 (buster)

Related CVEs : CVE-2024-56326 CVE-2025-27516

A couple of vulnerabilities were found in jinja2, a template engine. The rendering of untrusted templates could lead to attackers executing arbitrary Python code.

CVE-2024-56326

Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects
calls to str.format allows an attacker that controls the content of a
template to execute arbitrary Python code. To exploit the vulnerability, an
attacker needs to control the content of a template. Whether that is the
case depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates. Jinja's
sandbox does catch calls to str.format and ensures they don't escape the
sandbox. However, it's possible to store a reference to a malicious string's
format method, then pass that to a filter that calls it. No such filters are
built-in to Jinja, but could be present through custom filters in an
application. After the fix, such indirect calls are also handled by the
sandbox.

CVE-2025-27516

Prior to 3.1.6, an oversight in how the Jinja sandboxed environment
interacts with the |attr filter allows an attacker that controls the
content of a template to execute arbitrary Python code. To exploit the
vulnerability, an attacker needs to control the content of a template.
Whether that is the case depends on the type of application using Jinja.
This vulnerability impacts users of applications which execute untrusted
templates. Jinja's sandbox does catch calls to str.format and ensures they
don't escape the sandbox. However, it's possible to use the |attr filter to
get a reference to a string's plain format method, bypassing the sandbox.
After the fix, the |attr filter no longer bypasses the environment's
attribute lookup.

ELA-1395-1 shadow security update

Tue, 15 Apr 2025 18:55:41 +0200

Package : shadow

Version : 1:4.2-3+deb8u6 (jessie)

Related CVEs : CVE-2023-4641 CVE-2023-29383

Several vulnerabilities were discovered in the shadow suite of login tools. An attacker may extract a password from memory in limited situations, and confuse an administrator inspecting /etc/passwd from within a terminal.

CVE-2023-4641

When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
CVE-2023-29383

It is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed.

ELA-1393-1 opensaml security update

Tue, 15 Apr 2025 16:38:35 +0200

Package : opensaml

Version : 3.0.1-1+deb10u1 (buster)

Related CVEs : CVE-2025-31335

Alexander Tan discovered that the OpenSAML C++ library was susceptible to forging of signed SAML messages. For additional details please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20250313.txt

For Debian 8 (jessie) and 9 (stretch), see separate ELA-1394-1 for opensaml2.

ELA-1394-1 opensaml2 security update

Tue, 15 Apr 2025 16:38:08 +0200

Package : opensaml2

Version : 2.5.3-2+deb8u3 (jessie), 2.6.0-4+deb9u2 (stretch)

Related CVEs : CVE-2025-31335

For Debian 10 (buster), see separate ELA-1393-1 for opensaml.

ELA-1386-1 atop security update

Mon, 14 Apr 2025 19:54:30 -0300

Package : atop

Version : 2.4.0-3+deb10u1 (buster)

Related CVEs : CVE-2025-31160

It was discovered that Atop, a monitor tool for system resources and process activity, always tried to connect to the port of atopgpud (an additional daemon gathering GPU statistics not shipped in Debian) while performing insufficient sanitising of the data read from this port.

With this update, additional validation is added and by default atop no longer tries to connect to the atopgpud daemon port unless explicitly enabled via -k.

ELA-1392-1 twitter-bootstrap4 security update

Mon, 14 Apr 2025 22:51:03 +0200

Package : twitter-bootstrap4

Version : 4.3.1+dfsg2-1+deb10u1 (buster)

Related CVEs : CVE-2024-6531

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by a XSS vulnerability in carousel component.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1391-1 gimp security update

Mon, 14 Apr 2025 13:36:02 +0300

Package : gimp

Version : 2.8.18-1+deb9u3 (stretch), 2.10.8-2+deb10u2 (buster)

Related CVEs : CVE-2025-2761

Out-of-bounds write in FLI (AutoDesk FLIC animation) file parsing has been fixed in GIMP, the GNU Image Manipulation Program.

ELA-1390-1 glib2.0 security update

Mon, 14 Apr 2025 12:03:37 +0300

Package : glib2.0

Version : 2.58.3-2+deb10u8 (buster)

Related CVEs : CVE-2025-3360

Integer overflow in g_date_time_new_from_iso8601() has been fixed in the GNOME library glib2.0.

ELA-1389-1 twitter-bootstrap3 security update

Sun, 13 Apr 2025 21:59:58 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3 (stretch), 3.4.1+dfsg-1+deb10u1 (buster)

Related CVEs : CVE-2024-6484 CVE-2024-6485

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by multiple XSS vulnerabilities.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1388-1 twitter-bootstrap3 security update

Sun, 13 Apr 2025 19:19:34 +0200

Package : twitter-bootstrap3

Version : 3.3.7+dfsg-2+deb9u3~deb8u1 (jessie)

Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework, was affected by multiple XSS vulnerabilities.

If you use bootstrap through a module bundler, you may need to rebuild your application.

ELA-1387-1 erlang security update

Sun, 13 Apr 2025 10:07:58 +0200

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u3 (stretch), 1:22.2.7+dfsg-1+deb10u2 (buster)

Multiple vulnerabilities were found in Erlang/OTP, a set of libraries for the Erlang programming language.

CVE-2023-48795

The SSH transport protocol, as implemented in Erlang, allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation message), and
a client and server may consequently end up with a connection for which some security features
have been downgraded or disabled, aka a Terrapin attack

CVE-2025-26618

Packet size is not verified properly for SFTP packets. As a result when multiple SSH packets
(conforming to max SSH packet size) are received by ssh, they might be combined into an
SFTP packet which will exceed the max allowed packet size and potentially cause
large amount of memory to be allocated (causing a Deny of Service).

CVE-2025-30211

A maliciously formed KEX (Key EXchange message for SSH protocol) init message can result
with high memory usage. Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may lead to inefficient
processing of the error data. As a result, large amount of memory will be allocated
for processing malicious data.

ELA-1385-1 php5 security update

Thu, 10 Apr 2025 23:38:58 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u23 (jessie)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

Tim Düsterhus discovered that when requesting a HTTP resource using the DOM or SimpleXML extensions, the wrong content-type header is used to determine the charset when the requested resource performs a redirect. This allows an attacker to cause a document to be parsed incorrectly, changing its meaning and possibly bypassing validation.

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

The URI truncation might result in omitting some critical information (e.g. from the query) or even redirection to other resources. It could even result in DOS of the remote site if the trucated URL results in error.

ELA-1384-1 php7.0 security update

Thu, 10 Apr 2025 23:38:57 +0200

Package : php7.0

Version : 7.0.33-0+deb9u21 (stretch)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9

An out of bound read was discovered in the XML parsing logic when XML_OPTION_SKIP_TAGSTART is set to a high value and the XML document has shorter tag names than expected. (No CVE was assigned for this vulnerability at the time of writing.)

ELA-1383-1 php7.3 security update

Thu, 10 Apr 2025 23:38:56 +0200

Package : php7.3

Version : 7.3.31-1~deb10u10 (buster)

CVE-2025-1217

Tim Düsterhus discovered that the header parser of the http stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

CVE-2025-1219

CVE-2025-1734

It was discovered that the streams HTTP wrapper does not fail for headers with invalid name and no colon, thereby violating RFC-mandated behavior and potentially leading to request smuggling.

CVE-2025-1736

It was discovered that the stream HTTP wrapper header check might omit basic auth header in some cases, thereby stripping it.

CVE-2025-1861

It was discovered that the stream HTTP wrapper truncate redirect location to 1024 bytes, while the RFC-recommended length is 8000 and browsers usually limit to around 2048.

GHSA-wg4p-4hqh-c3g9

ELA-1343-2 proftpd-dfsg regression update

Wed, 09 Apr 2025 08:58:34 +0200

Package : proftpd-dfsg

Version : 1.3.5e+r1.3.5b-4+deb9u5 (stretch)

The update for proftpd-dfsg announced in ELA 1343-1 introduced a regression for Debian 9 “stretch”, making sftp public key authentification rejected by default. Updated packages are now available to fix this issue.

ELA-1382-1 linux-6.1 security update

Tue, 08 Apr 2025 11:23:55 +0200

Package : linux-6.1

Version : 6.1.129-1~deb9u1 (stretch), 6.1.129-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1381-1 ruby2.1 security update

Sun, 06 Apr 2025 22:49:44 +0200

Package : ruby2.1

Version : 2.1.5-2+deb8u16 (jessie)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1380-1 openjpeg2 security update

Fri, 04 Apr 2025 22:59:49 +0200

Package : openjpeg2

Version : 2.1.2-1.1+deb8u1 (jessie), 2.1.2-1.1+deb9u8 (stretch)

Several security vulnerabilities have been discovered in openjpeg2, a JPEG 2000 image library. Processing of maliciously crafted image files may trigger heap-based buffer overflows which may lead to an application crash or other undefined behavior.

In order to improve the error handling of openjpeg2 in jessie, the version was upgraded to 2.1.2, the same one as in stretch. This means long-standing minor issues CVE-2014-7947, CVE-2016-1923 and CVE-2016-3183 are also fixed in Debian 8 “jessie” now.

ELA-1379-1 openjpeg2 security update

Fri, 04 Apr 2025 22:44:38 +0200

Package : openjpeg2

Version : 2.3.0-2+deb10u3 (buster)

ELA-1376-1 tomcat9 security update

Fri, 04 Apr 2025 22:10:00 +0200

Package : tomcat9

Version : 9.0.31-1~deb10u14 (buster)

Related CVEs : CVE-2025-24813

It was found that a malicious user was able to view security sensitive files and/or inject content into those files when writes were enabled for the default servlet (disabled by default) and support for partial PUT was enabled (default). Under certain circumstances, depending on the application in use, remote code execution may have been possible.

ELA-1377-1 tomcat8 security update

Fri, 04 Apr 2025 22:09:40 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u29 (jessie), 8.5.54-0+deb9u18 (stretch)

Related CVEs : CVE-2025-24813

ELA-1378-1 tomcat7 security update

Fri, 04 Apr 2025 22:09:19 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u8 (jessie)

Related CVEs : CVE-2025-24813

ELA-1375-1 shellinabox security update

Fri, 04 Apr 2025 17:53:50 +0300

Package : shellinabox

Version : 2.21~deb9u1 (stretch)

Related CVEs : CVE-2018-16789

Denial of service with broken multipart/form-data has been fixed in shellinabox, a web server that can export arbitrary command line tools to a web based terminal emulator.

ELA-1374-1 ruby2.3 security update

Thu, 03 Apr 2025 21:54:40 +0200

Package : ruby2.3

Version : 2.3.3-1+deb9u14 (stretch)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1373-1 php-horde-turba regression update

Thu, 03 Apr 2025 16:45:23 +0200

Package : php-horde-turba

Version : 4.2.23-1+deb10u2 (buster)

An error was introduced while fixing CVE-2022-30287 in Horde Turba, an address book component for the Horde groupware suite, see DLA 3090-1:

Note: while php-horde-turba is currently not supported, this update both fixes a regression and an issue on installation that hinders testing other supported php-horde-* packages.

ELA-1372-1 php-horde-imp security update

Thu, 03 Apr 2025 16:40:39 +0200

Package : php-horde-imp

Version : 6.2.22-1+deb10u1 (buster)

Horde Editor, the HTML editor for the Horde groupware platform, relies on CKEditor v3. CKEditor v3 reached EOL and is not supported in Debian buster ELTS. This updates upgrades to CKEditor v4, as a first step to move to CKEditor v5.

Note: while php-horde-imp is currently not supported, this update is necessary to complete the CKEditor upgrade in php-horde-editor, which is supported, see ELA-1371-1.

ELA-1371-1 php-horde-editor security update

Thu, 03 Apr 2025 16:39:27 +0200

Package : php-horde-editor

Version : 2.0.5+debian0-2+deb10u1 (buster)

ELA-1370-1 linux-5.10 security update

Wed, 02 Apr 2025 13:25:40 +0200

Package : linux-5.10

Version : 5.10.234-1~deb8u2 (jessie), 5.10.234-1~deb9u1 (stretch), 5.10.234-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1369-1 tzdata new timezone database

Tue, 01 Apr 2025 13:52:23 +0200

Package : tzdata

Version : 2025b-0+deb8u1 (jessie), 2025b-0+deb9u1 (stretch), 2025b-0+deb10u1 (buster)

This update includes the changes in tzdata 2025b. Notable changes are:

New America/Coyhaique zone for Aysén Region in Chile, which moves from -04/-03 to -03. It will not change its clocks on 2025-04-05.

ELA-1368-1 freetype security update

Tue, 01 Apr 2025 01:42:38 +0300

Package : freetype

Version : 2.6.3-3.2+deb9u4 (stretch), 2.9.1-3+deb10u4 (buster)

Related CVEs : CVE-2025-27363

An out of bounds write with subglyph structures has been fixed in the font rendering library FreeType.

ELA-1367-1 suricata security update

Mon, 31 Mar 2025 23:37:13 +0200

Package : suricata

Version : 1:4.1.2-2+deb10u3 (buster)

Several issues have been found in suricata, the next Generation Intrusion Detection and Prevention Tool. They are related to bypass of HTTP-based signature, mishandling of multiple fragmented packets, logic errors, infinite loops and buffer overflows.

ELA-1366-1 libdata-entropy-perl security update

Mon, 31 Mar 2025 15:11:12 +0300

Package : libdata-entropy-perl

Version : 0.007-3.1+deb11u1~deb10u1 (buster)

Related CVEs : CVE-2025-1860

The perl module Data::Entropy was using the cryptographically insecure rand() function as the default entropy source.

ELA-1365-1 amd64-microcode security update

Mon, 31 Mar 2025 08:33:49 +0200

Package : amd64-microcode

Version : 3.20250311.1~deb8u1 (jessie), 3.20250311.1~deb9u1 (stretch), 3.20250311.1~deb10u1 (buster)

Related CVEs : CVE-2024-56161

A potential vulnerability has been found for certain AMD platforms which creates a possible confidential computing vulnerability.

AMD has released updated microcode to prevent an attacker from loading tampered microcode.

Additionally, an SEV firmware update might be required for some platforms to support SEV-SNP attestation, which may also necessitate a BIOS update.

For details please see the AMD security bulletin AMD-SB-3019.

CVE-2024-56161 (AMD-SB-3019):

Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privileges to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.

ELA-1364-1 intel-microcode security update

Sun, 30 Mar 2025 12:46:44 +0200

Package : intel-microcode

Version : 3.20250211.1~deb8u1 (jessie), 3.20250211.1~deb9u1 (stretch), 3.20250211.1~deb10u1 (buster)

Microcode updates have been released for Intel(R) processors, addressing multiple potential vulnerabilties that may allow local privilege escalation, denial of service or information disclosure.

CVE-2023-34440 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2023-43758 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-24582 (INTEL-SA-01139)

Improper input validation in XmlCli feature for UEFI firmware for some
Intel(R) processors may allow privileged user to potentially enable
escalation of privilege via local access.

CVE-2024-28047 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable information disclosure
via local access.

CVE-2024-28127 (INTEL-SA-01139)

Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-29214 (INTEL-SA-01139)

Improper input validation in UEFI firmware CseVariableStorageSmm for
some Intel(R) Processors may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2024-31068 (INTEL-SA-01166)

Improper Finite State Machines (FSMs) in Hardware Logic for some
Intel(R) Processors may allow privileged user to potentially enable
denial of service via local access.

CVE-2024-31157 (INTEL-SA-01139)

Improper initialization in UEFI firmware OutOfBandXML module in some
Intel(R) Processors may allow a privileged user to potentially enable
information disclosure via local access.

CVE-2024-36293 (INTEL-SA-01213)

Improper access control in the EDECCSSA user leaf function for some
Intel(R) Processors with Intel(R) SGX may allow an authenticated user to
potentially enable denial of service via local access.

CVE-2024-37020 (INTEL-SA-01194)

Sequence of processor instructions leads to unexpected behavior in the
Intel(R) DSA V1.0 for some Intel(R) Xeon(R) Processors may allow an
authenticated user to potentially enable denial of service via local
access.

CVE-2024-39279 (INTEL-SA-01139)

Insufficient granularity of access control in UEFI firmware in some
Intel(R) processors may allow a authenticated user to potentially enable
denial of service via local access.

CVE-2024-39355 (INTEL-SA-01228)

Improper handling of physical or environmental conditions in some
Intel(R) Processors may allow an authenticated user to enable denial of
service via local access.

ELA-1363-1 librabbitmq security update

Sun, 30 Mar 2025 11:37:56 +0200

Package : librabbitmq

Version : 0.5.2-2+deb8u2 (jessie)

Related CVEs : CVE-2023-35789

An issue has been found in librabbitmq, a AMQP client library and tools written in C. The issue is related to credential visibility when using the tools on the command line.

ELA-1362-1 librabbitmq security update

Sun, 30 Mar 2025 11:32:08 +0200

Package : librabbitmq

Version : 0.8.0-1+deb9u1 (stretch), 0.9.0-0.2+deb10u1 (buster)

Related CVEs : CVE-2019-18609 CVE-2023-35789

Several issues have been found in librabbitmq, a AMQP client library and tools written in C. The issue are related to heap memory corruption due to integer overflow and credential visibility when using the tools on the command line.

ELA-1361-1 ffmpeg security update

Sun, 30 Mar 2025 10:33:54 +0200

Package : ffmpeg

Version : 7:4.1.11-0+deb10u4 (buster)

Several issues have been found in ffmpeg, a library and tools for transcoding, streaming and playing of multimedia files. The issues are related to out-of-bounds read, assert errors and NULL pointer dereferences.

ELA-1360-1 ffmpeg security update

Sun, 30 Mar 2025 09:55:33 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u7 (stretch)

ELA-1359-1 ruby2.5 security update

Fri, 28 Mar 2025 21:51:17 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u10 (buster)

Ruby, a popular scripting language, was affected by multiple vulnerabilities.

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

ELA-1358-1 libxslt security update

Fri, 28 Mar 2025 20:54:28 +0200

Package : libxslt

Version : 1.1.28-2+deb8u8 (jessie), 1.1.29-2.1+deb9u4 (stretch), 1.1.32-2.2~deb10u3 (buster)

Related CVEs : CVE-2024-55549 CVE-2025-24855

Two use-after-free vulnerabilities have been fixed in the XSLT processing library libxslt.

CVE-2024-55549

Use-after-free related to excluded namespaces

CVE-2025-24855

Use-after-free of XPath context node

ELA-1357-1 clamav security update

Wed, 26 Mar 2025 15:34:40 -0300

Package : clamav

Version : 1.0.7+dfsg-1~deb9u1 (stretch)

This update brings ClamAV 1.0.7, which comes with the ability to keep downloading the bytecode database (the previous version will be declared EOL by upstream soon and lose that ability).

The following packages were updated/introduced to the archive to allow the new ClamAV build. An important side note is that those packages will not become officially supported:

libarchive-latest/t3.3.3-4~deb9u1
libuv1-latest/1.24.1-1~deb9u1
cmake-latest/3.18.4-2~deb9u1
protobuf-latest/3.6.1.3-2~deb9u1
grpc/1.16.1-1~deb9u1
llvm-toolchain-13/1:13.0.1-6~deb9u1
rustc-mozilla/1.63.0+dfsg1-2~deb9u1
cargo-mozilla/0.66.0+ds1-1~deb9u1

The following packages were also updated due to the new ClamAV library package:

dansguardian/2.10.1.1-5.1+deb9u3
havp/0.92a-4+deb9u2
c-icap-modules/1:0.4.4-1+deb9u3
libclamunrar/1.0.3-1~deb9u1
python-clamav/0.4.1-8+deb9u2

ELA-1356-1 python-django security update

Wed, 26 Mar 2025 12:10:39 +0000

Package : python-django

Version : 1.7.11-1+deb8u19 (jessie), 1:1.10.7-2+deb9u25 (stretch), 1:1.11.29-1+deb10u14 (buster)

Related CVEs : CVE-2025-26699

It was discovered that there was a potential denial-of-service (DoS) vulnerability in Django, a Python-based web development framework.

The issue was situated in the wrap() method of the django.utils.text module. This method and the |wordwrap template filter were subject to a potential DoS attack when used with very long strings.

ELA-1355-1 lighttpd security update

Mon, 24 Mar 2025 20:55:39 -0300

Package : lighttpd

Version : 1.4.45-1+deb9u2 (stretch)

Related CVEs : CVE-2018-25103

Fix use-after-free vulnerabilities in request parsing which might read from invalid pointers to memory used in the same request, not from other requests.

ELA-1354-1 ruby-rack security update

Mon, 24 Mar 2025 23:57:51 +0200

Package : ruby-rack

Version : 1.6.4-4+deb9u7 (stretch), 2.0.6-3+deb10u5 (buster)

Multiple vulnerabilities have been fixed in ruby-rack, an interface for developing web applications in Ruby.

CVE-2025-25184

Log Injection in Rack::CommonLogger

CVE-2025-27111

Log Injection in Rack::Sendfile

CVE-2025-27610

Local file inclusion in Rack::Static

ELA-1353-1 tzdata new timezone database

Tue, 18 Mar 2025 19:45:47 +0100

Package : tzdata

Version : 2025a-0+deb8u1 (jessie), 2025a-0+deb9u1 (stretch), 2025a-0+deb10u1 (buster)

This update includes the changes in tzdata 2025a. Notable changes are:

Paraguay adopts permanent -03 starting in spring 2024.
Updated leap second list, which was set to expire by the end of June.

ELA-1352-1 gnutls28 security update

Sun, 16 Mar 2025 20:45:45 +0100

Package : gnutls28

Version : 3.3.30-0+deb8u3 (jessie), 3.5.8-5+deb9u8 (stretch), 3.6.7-4+deb10u13 (buster)

Related CVEs : CVE-2024-12243

Bing Shi discovered that certificate data with a large number of names or name constraints were handled inefficiently, which may lead to Denial of Service upon specially crafted certificates.

ELA-1351-1 squid3 security update

Sun, 16 Mar 2025 18:15:33 +0100

Package : squid3

Version : 3.5.23-5+deb8u8 (jessie), 3.5.23-5+deb9u11 (stretch)

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache.

CVE-2024-25617

A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.

CVE-2024-45802

Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.

ELA-1349-1 python2.7 security update

Fri, 14 Mar 2025 15:22:58 +0100

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u13 (jessie)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory leak, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-5642

CPython doesn’t disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1348-1 python2.7 security update

Fri, 14 Mar 2025 15:22:47 +0100

Package : python2.7

Version : 2.7.13-2+deb9u10 (stretch)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, memory leak, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-0397

memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.
CVE-2024-5642

CPython doesn’t disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1350-1 pypy security update

Fri, 14 Mar 2025 15:11:13 +0100

Package : pypy

Version : 5.6.0+dfsg-4+deb9u2 (stretch), 7.0.0+dfsg-3+deb10u2 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to ELA-1349-1.

ELA-1347-1 python2.7 security update

Fri, 14 Mar 2025 15:08:51 +0100

Package : python2.7

Version : 2.7.16-2+deb10u5 (buster)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. This may cause e-mail header injection, memory corruption, improper validation and denial of service (DoS).

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup).
CVE-2024-0397

memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()” in the “ssl” module. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured.
CVE-2024-6232

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVE-2024-6923

The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.
CVE-2024-7592

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
CVE-2024-11168

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren’t IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
CVE-2025-0938

urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

ELA-1346-1 gst-plugins-good1.0 security update

Thu, 13 Mar 2025 18:01:50 +0000

Package : gst-plugins-good1.0

Version : 1.14.4-1+deb10u4 (buster)

ELA-1345-1 squid security update

Tue, 11 Mar 2025 14:24:36 +0100

Package : squid

Version : 4.6-1+deb10u11 (buster)

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache.

CVE-2024-23638

A Denial of Service attack against Cache Manager error responses. This
problem allows a trusted client to perform Denial of Service when
generating error pages for Client Manager reports.

CVE-2024-25111

A possible Denial of Service attack against HTTP Chunked decoder due to an
uncontrolled recursion bug. This problem allows a remote attacker to cause
Denial of Service when sending a crafted, chunked, encoded HTTP Message.

CVE-2024-25617

A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.

CVE-2024-45802

Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.

ELA-1344-1 commons-beanutils security update

Sun, 09 Mar 2025 23:29:38 +0200

Package : commons-beanutils

Version : 1.9.3-1+deb10u1 (buster)

Related CVEs : CVE-2019-10086

Arbitrary code execution was possible by default in Apache Commons BeanUtils, Java classes for working with JavaBeans classes.

If needed, users can restore the previous default with

final BeanUtilsBean bub = new BeanUtilsBean(); 
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);

ELA-1343-1 proftpd-dfsg security update

Sun, 09 Mar 2025 15:30:32 +0000

Package : proftpd-dfsg

Version : 1.3.5e+r1.3.5b-4+deb9u4 (stretch), 1.3.6-4+deb10u7 (buster)

Multiple vulnerabilities were fixed in ProFTPD, a popular FTP server.

CVE-2023-48795:

The SSH transport protocol with certain OpenSSH extensions like the SFTP implementation found in ProFTPD, allows remote attackers
to bypass integrity checks such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection for which some security features have been downgraded
or disabled.

This attack is also known as the Terrapin attack.

CVE-2023-51713:

The make_ftp_cmd function in ProFTPD has a one-byte out-of-bounds read.

CVE-2024-48651:

A user with no supplemental groups will incorrectly inherit supplemental groups
from the parent process. The parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no supplemental groups.

CVE-2024-57392:

A Buffer Overflow vulnerability allowed a remote attacker to execute arbitrary code (RCE) and can cause a
Denial of Service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.

Moreover two important bugs were fixed on this release

Blastradius fix:

Fix the computation of the RADIUS Message-Authenticator signature to conform
more properly to RFC 2869, and allow RADIUS authentification to work against
mitigations of CVE-2024-3596.

Debian bug #1090813:

The PassivePorts directive can cause proftpd to swap data streams across
clients when the server is in passive mode.

ELA-1342-1 log4net security update

Sun, 09 Mar 2025 13:32:49 +0200

Package : log4net

Version : 1.2.10+dfsg-8~deb10u1 (buster)

Related CVEs : CVE-2018-1285

XML external entities were not disabled when parsing configuration files in log4net, a logging library for the Common Language Infrastructure (Mono, .NET).

ELA-1341-1 sqlparse security update

Sat, 08 Mar 2025 07:54:48 +0100

Package : sqlparse

Version : 0.1.13-2+deb8u1 (jessie), 0.2.2-1+deb9u2 (stretch), 0.2.4-1+deb10u2 (buster)

Related CVEs : CVE-2024-4340

Uriya Yavniely discovered that passing a heavily nested list to sqlparse.parse() may raise a RecursionError exception, which may lead to denial of service.

A generic SQLParseError is now raised instead.

ELA-1340-1 emacs24 security update

Wed, 05 Mar 2025 18:16:25 +0800

Package : emacs24

Version : 24.4+1-5+deb8u6 (jessie), 24.5+1-11+deb9u6 (stretch)

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2022-45939

Improper use of the system C library function in Emacs’s implementation of the ctags program could permit shell metacharcater injection when used on untrusted input source code.

CVE-2024-53920

Several ways to trigger arbitrary code execution were discovered in Emacs’s support for editing files in its own dialect of Lisp. These include arbitrary code execution upon opening an otherwise innocent-looking file, with any (or no) file extension, for editing.

CVE-2025-1244

Improper handling of custom ‘man’ URI schemes could allow an attacker to execute arbitrary shell commands by tricking users into visiting a specially crafted website, or an HTTP URL with a redirect.

ELA-1339-1 linux-6.1 security update

Sun, 02 Mar 2025 17:18:00 +0100

Package : linux-6.1

Version : 6.1.128-1~deb9u1 (stretch), 6.1.128-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1338-1 nodejs security update

Sun, 02 Mar 2025 11:06:01 +0000

Package : nodejs

Version : 10.24.0~dfsg-1~deb10u5 (buster)

Related CVEs : CVE-2025-23085

A vulnerability was fixed in Node.js, a popular JavaScript runtime implementation.

A memory leak could occur when a remote peer (client) abruptly closes an HTTP/2 socket without sending a GOAWAY notification. Additionally, the same leak could be triggered if an invalid header is detected by nghttp2, causing the connection to be terminated by the peer.

This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects Node.js HTTP/2 Server users.

ELA-1337-1 xorg-server security update

Sat, 01 Mar 2025 00:23:25 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u18 (jessie), 2:1.19.2-1+deb9u21 (stretch), 2:1.20.4-1+deb10u16 (buster)

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-822-2 amanda regression update

Sat, 01 Mar 2025 00:02:49 +0100

Package : amanda

Version : 1:3.3.9-5+deb9u3 (stretch)

A fix of CVE-2022-37704 for amanda, the Advanced Maryland Automatic Network Disk Archiver, has been found incomplete. This update fixes handling of RSH environment variables and uses a correct check for dump/xfsdump.

ELA-1336-1 libtasn1-6 security update

Fri, 28 Feb 2025 18:25:03 +0100

Package : libtasn1-6

Version : 4.2-3+deb8u6 (jessie), 4.10-1.1+deb9u3 (stretch), 4.13-3+deb10u2 (buster)

Related CVEs : CVE-2024-12133

Bing Shi discovered that certificate data with a large number of names or name constraints were handled inefficiently, which may lead to Denial of Service upon specially crafted certificates.

ELA-1331-1 dnsmasq security update

Fri, 28 Feb 2025 14:24:49 +0100

Package : dnsmasq

Version : 2.72-3+deb8u8 (jessie), 2.76-5+deb9u5 (stretch)

Related CVEs : CVE-2023-50387 CVE-2023-50868

Two vulnerabilities were found in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, which could lead to denial of service by querying specially crafted DNS resource records in control of an attacker.

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

For jessie and stretch, DNSSEC support has been disabled, as a backport of the fix was deemed too disruptive. Administrators can still validate DNS lookups on downstream clients by installing a validating resolver there. For administrators that require DNSSEC support in dnsmasq, we recommend upgrading to at least buster.

ELA-1335-1 emacs25 security update

Fri, 28 Feb 2025 17:03:41 +0800

Package : emacs25

Version : 25.1+1-4+deb9u6 (stretch)

Related CVEs : CVE-2024-53920 CVE-2025-1244

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2024-53920

CVE-2025-1244

ELA-1334-1 emacs security update

Fri, 28 Feb 2025 17:02:42 +0800

Package : emacs

Version : 1:26.1+1-3.2+deb10u7 (buster)

Related CVEs : CVE-2024-53920 CVE-2025-1244

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting real-time display editor.

CVE-2024-53920

CVE-2025-1244

ELA-1333-1 ruby2.1 security update

Thu, 27 Feb 2025 19:27:49 +0000

Package : ruby2.1

Version : 2.1.5-2+deb8u15 (jessie)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some DoS vulnerabilities when it parses an XML
that has many specific characters such as whitespace character,
>] and ]>.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1332-1 apache2 security update

Thu, 27 Feb 2025 19:13:28 +0000

Package : apache2

Version : 2.4.10-10+deb8u30 (jessie)

Related CVEs : CVE-2024-38473

apache2 a popular webserver was affected by a vulnerability.

Encoding problem allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

ELA-1330-1 ruby2.3 security update

Tue, 25 Feb 2025 16:42:18 +0000

Package : ruby2.3

Version : 2.3.3-1+deb9u13 (stretch)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41123

The REXML gem has some DoS vulnerabilities when it parses an XML
that has many specific characters such as whitespace character,
>] and ]>.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1329-1 apache2 security update

Tue, 25 Feb 2025 16:37:18 +0000

Package : apache2

Version : 2.4.25-3+deb9u20 (stretch)

Related CVEs : CVE-2024-38473

apache2 a popular webserver was affected by a vulnerability.

Encoding problem allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

ELA-1328-1 krb5 security update

Mon, 24 Feb 2025 21:31:08 +0000

Package : krb5

Version : 1.12.1+dfsg-19+deb8u10 (jessie), 1.15-1+deb9u7 (stretch), 1.17-3+deb10u8 (buster)

Related CVEs : CVE-2025-24528

MIT krb5 a popular implementation of kerberos 5 authentication protocol was affected by a vulnerability.

An authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.

ELA-1327-1 libxml2 security update

Mon, 24 Feb 2025 18:58:28 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u18 (jessie), 2.9.4+dfsg1-2.2+deb9u12 (stretch), 2.9.4+dfsg1-7+deb10u10 (buster)

Multiple vulnerabilities have been found in libxml2, a library providing support to read, modify and write XML and HTML files. These vulnerabilities could potentially lead to denial of servie or other unintended behaviors.

CVE-2022-49043

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

CVE-2023-39615 (Stretch only)

libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at 
/libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

CVE-2023-45322 (Stretch only)

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

CVE-2024-25062 (Stretch only)

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

CVE-2024-56171

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

CVE-2025-24928

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVE-2025-27113

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

ELA-1325-1 bind9 security update

Fri, 21 Feb 2025 09:55:59 +0100

Package : bind9

Version : 1:9.10.3.dfsg.P4-12.3+deb9u18 (stretch), 1:9.11.5.P4+dfsg-5.1+deb10u14 (buster)

Related CVEs : CVE-2024-11187

One vulnerability was discovered in BIND, a DNS server implementation, which may result in denial of service.

It is possible to construct a zone such that some queries to it will generate responses containing numerous records in the Additional section. An attacker sending many such queries can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Zones will usually need to have been deliberately crafted to exploit this flaw.

ELA-1326-1 python-urllib3 security update

Fri, 21 Feb 2025 00:59:00 +0100

Package : python-urllib3

Version : 1.9.1-3+deb8u3 (jessie), 1.19.1-1+deb9u3 (stretch), 1.24.1-1+deb10u3 (buster)

Related CVEs : CVE-2024-37891

It was discovered that when sending HTTP requests without using urllib3’s proxy support, it’s possible to accidentally set the Proxy-Authorization header even though it won’t have any effect as the request is not using a forwarding proxy or a tunneling proxy.

In those cases, urllib3 doesn’t treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn’t strip the header on cross-origin redirects, which might lead to authorization bypass.

ELA-1324-1 openssh security update

Thu, 20 Feb 2025 19:42:59 +0100

Package : openssh

Version : 1:7.4p1-10+deb9u10 (stretch), 1:7.9p1-10+deb10u5 (buster)

Related CVEs : CVE-2025-26465

The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS option is enabled (disabled by default).

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). This issue was assigned CVE-2020-14145. Completely removing this information leak would cause other problems, but this update includes a partial mitigation by preferring the default ordering if the user has a key that matches the best-preference default algorithm.

In addition, the stretch update fixes a regression introduced with the fix for CVE-2023-48795, which could cause segmentation faults under some circumstances.

ELA-1323-1 pypy security update

Fri, 14 Feb 2025 10:27:25 +0100

Package : pypy

Version : 7.0.0+dfsg-3+deb10u1 (buster)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to:

One vulnerability comes from internal python2.7 C code copy, Pypy is only affected when making use of the compatibility layer for Python C extension (cpyext):

CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a “buffer” function.

The remaining minor vulnerability comes from a python-pi embedded copy. We believe it is not exploitable, as the bundled py module is only used during package build, but it is included for consistency with pypy3 DLA-3966-1:

CVE-2020-29651

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

ELA-1322-1 pypy security update

Fri, 14 Feb 2025 10:27:12 +0100

Package : pypy

Version : 5.6.0+dfsg-4+deb9u1 (stretch)

Multiple vulnerabilities were discovered in PyPy, a fast, compliant alternative implementation of the Python language.

All fixed vulnerabilities come from embedded code copies.

For vulnerabilities from the python2.7 standard library, please refer to:

One vulnerability comes from internal python2.7 C code copy, Pypy is only affected when making use of the compatibility layer for Python C extension (cpyext):

CVE-2014-7185

Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a “buffer” function.

CVE-2020-29651

A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.

ELA-1305-2 ruby2.5 regression update

Wed, 12 Feb 2025 23:49:11 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u9 (buster)

A regression was found in the REXML gem shipped with ruby2.5.

Some valid XML file were wrongly considered invalid for some namespace corner case (particularly XML file using the xml: namespace).

ELA-1321-1 dcmtk security update

Wed, 12 Feb 2025 23:50:44 +0200

Package : dcmtk

Version : 3.6.1~20160216-4.1+deb9u1 (stretch), 3.6.4-2.1+deb10u2 (buster)

Related CVEs : CVE-2024-47796 CVE-2024-52333

Two cases of improper array index validation have been fixed in DCMTK, a collection of libraries and applications implementing large parts the DICOM standard for medical images.

Additionally, a regression introduced in the previous update has been fixed.

ELA-1320-1 openjdk-8 new java update

Wed, 12 Feb 2025 10:51:49 +0100

Package : openjdk-8

Version : 8u442-ga-1~deb8u1 (jessie), 8u442-ga-1~deb9u1 (stretch)

This update brings OpenJDK 8u442, which comes with stability and bug fixes.

ELA-1319-1 asterisk security update

Wed, 12 Feb 2025 02:13:01 +0100

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u11 (stretch), 1:16.28.0~dfsg-0+deb10u6 (buster)

Related CVEs : CVE-2024-53566

A vulnerability was discovered in asterisk, an Open Source Private Branch Exchange.

CVE-2024-53566

It is possible to access files outside the configuration directory via AMI
and path traversal even when live_dangerously is not enabled.

ELA-1318-1 iperf3 security update

Tue, 11 Feb 2025 00:36:47 +0100

Package : iperf3

Version : 3.9-1+deb8u1 (jessie), 3.9-1+deb9u1 (stretch), 3.9-1+deb10u1 (buster)

Several security vulnerabilities have been discovered in iperf3, an internet protocol bandwidth measuring tool, which may lead to a denial-of-service. When iperf3 was used as a server with RSA authentication CVE-2024-26306 allowed a timing side channel attack in RSA decryption operations sufficient for an attacker to recover credential plaintext.

ELA-1317-1 ark security update

Sat, 08 Feb 2025 19:53:19 +0100

Package : ark

Version : 4:18.08.3-1+deb10u3 (buster)

Related CVEs : CVE-2024-57966

A flaw was discovered in ark, an archive utility for the KDE platform. Ark extracted archives with absolute paths to the corresponding location on the user’s file system. Absolute paths are now treated as relative paths to prevent overwriting of sensitive information.

ELA-1316-1 git-lfs security update

Tue, 04 Feb 2025 13:14:07 +0100

Package : git-lfs

Version : 2.7.1-1+deb10u2 (buster)

Related CVEs : CVE-2024-53263

CVE-2024-53263

When Git LFS requests credentials from Git for a remote host, it passes portions of the host’s URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user’s Git credentials.

ELA-1315-1 sssd security update

Sat, 01 Feb 2025 02:39:03 +0100

Package : sssd

Version : 1.15.0-3+deb9u3 (stretch), 1.16.3-3.2+deb10u3 (buster)

CVE-2018-10852

It was discovered that when SSSD created the UNIX pipe for communication between sudo and the sssd-sudo responder, the umask() call was set to be too permissive, which resulted in the pipe being readable and writable. Then, if an attacker used the same communication protocol that sudo uses to talk to SSSD, they could obtain the list of sudo rules for any user who stores their sudo rules in a remote directory.

While the sudo responder is not started by default by SSSD itself, utilities like ipa-client-install configure the sudo responder to be started.

CVE-2018-16838

It was discovered that when the Group Policy Objects (GPO) are not readable by SSSD due to a too strict permission settings on the server side, SSSD allows all authenticated users to login instead of denying access.

A new boolean setting ad_gpo_ignore_unreadable (defaulting to False) is introduced for environments where attributes in the groupPolicyContainer are not readable and changing the permissions on the GPO objects is not possible or desirable. See sssd-ad(5).

CVE-2019-3811

It was discovered that if a user was configured with no home directory set, then sssd(8) returns / (i.e., the root directory) instead of the empty string (meaning no home directory). This could impact services that restrict the user’s filesystem access to within their home directory through chroot() or similar.

CVE-2023-3758

A race condition flaw was found in SSSD where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting access to resources inappropriately.

(sssd 1.16.3-3.2+deb10u3 only fixes CVE-2023-3758 as the previous version was already immune to the other vulnerabilities.)

ELA-1314-1 ffmpeg security update

Sat, 01 Feb 2025 00:33:13 +0100

Package : ffmpeg

Version : 7:3.2.19-0+deb9u6 (stretch)

Several issues have been found in ffmpeg, a package that contains tools for transcoding, streaming and playing of multimedia files Those issues are related to possible integer overflows, double-free on errors, out-of-bounds access and an incomplete check of negative durations.

ELA-1313-1 ffmpeg security update

Sat, 01 Feb 2025 00:28:05 +0100

Package : ffmpeg

Version : 7:4.1.11-0+deb10u3 (buster)

ELA-1312-1 openjdk-11 security update

Fri, 31 Jan 2025 14:41:21 +0100

Package : openjdk-11

Version : 11.0.26+4-1~deb10u1 (buster)

Related CVEs : CVE-2025-21502

An issue was found in the OpenJDK Java runtime, which may result in unauthorized access.

ELA-1311-1 busybox security update

Fri, 31 Jan 2025 09:25:03 +0100

Package : busybox

Version : 1:1.22.0-9+deb8u6 (jessie), 1:1.22.0-19+deb9u3 (stretch), 1:1.30.1-4+deb10u1 (buster)

Multiple vulnerabilities have been found in BusyBox, a lightweight single-executable containing various Unix utilities, which potentially allow attackers to cause denial of service, information leakage, or arbitrary code execution through malformed gzip data, crafted LZMA input or crafted awk patterns.

CVE-2018-20679 (Jessie and Stretch only)

An issue was discovered in BusyBox before 1.30.0. An out of bounds read
in udhcp components (consumed by the DHCP server, client, and relay)
allows a remote attacker to leak sensitive information from the stack by
sending a crafted DHCP message. This is related to verification in
udhcp_get_option() in networking/udhcp/common.c that 4-byte options are
indeed 4 bytes.

CVE-2021-28831 (Buster only)

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit
on the huft_build result pointer, with a resultant invalid free or
segmentation fault, via malformed gzip data.

CVE-2021-42374

An out-of-bounds heap read in Busybox's unlzma applet leads to
information leak and denial of service when crafted LZMA-compressed
input is decompressed. This can be triggered by any applet/format that

CVE-2021-42378

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_i function

CVE-2021-42379

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
next_input_file function

CVE-2021-42380

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
clrvar function

CVE-2021-42381

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
hash_init function

CVE-2021-42382

use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
getvar_s function

CVE-2021-42384

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
handle_special function

CVE-2021-42385

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
evaluate function

CVE-2021-42386

A use-after-free in Busybox's awk applet leads to denial of service and
possibly code execution when processing a crafted awk pattern in the
nvalloc function

CVE-2022-48174

There is a stack overflow vulnerability in ash.c:6030 in busybox before
1.35. In the environment of Internet of Vehicles, this vulnerability can
be executed from command to arbitrary code execution.

CVE-2023-42364

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to
cause a denial of service via a crafted awk pattern in the awk.c
evaluate function.

CVE-2023-42365

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a
crafted awk pattern in the awk.c copyvar function.

ELA-1310-1 libreoffice security update

Thu, 30 Jan 2025 22:18:24 +0000

Package : libreoffice

Version : 1:4.3.3-2+deb8u16 (jessie)

Related CVEs : CVE-2024-12425 CVE-2024-12426

Libreoffice, an office productivity software suite, was affected by two vulnerabilities

CVE-2024-12425

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was found
in The Document Foundation LibreOffice and allows Absolute Path Traversal. An attacker can write to arbitrary
locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files.

CVE-2024-12426

An Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability
was found in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental
variables or INI file values, so potentially sensitive information could be exfiltrated
to a remote server on opening a document containing such links.

ELA-1309-1 libgit2 security update

Thu, 30 Jan 2025 19:44:11 +0100

Package : libgit2

Version : 0.21.1-3+deb8u2 (jessie)

Multiple vulnerabilities were discovered in libgit2.

CVE-2016-8568

The git_commit_message function in oid.c allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file.
CVE-2016-8569

The git_oid_nfmt function in commit.c allows remote attackers to cause a denial of service (NULL pointer dereference) via a cat-file command with a crafted object file.
CVE-2016-10128

Buffer overflow in the git_pkt_parse_line function in transports/smart_pkt.c in the Git Smart Protocol support in libgit2 allows remote attackers to have unspecified impact via a crafted non-flush packet.
CVE-2016-10129

The Git Smart Protocol support in libgit2 allows remote attackers to cause a denial of service (NULL pointer dereference) via an empty packet line.
CVE-2018-8099

Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2, which allows an attacker to cause a denial of service via a crafted repository index file.
CVE-2018-10887

An unexpected sign extension in git_delta_apply function in delta.c file may lead to an integer overflow which in turn leads to an out of bound read, allowing to read before the base object. An attacker may use this flaw to leak memory addresses or cause a Denial of Service.
CVE-2018-10888

A missing check in git_delta_apply function in delta.c file, may lead to an out-of-bound read while reading a binary delta file. An attacker may use this flaw to cause a Denial of Service.
CVE-2020-12278

path.c mishandles equivalent filenames that exist because of NTFS Alternate Data Streams. This may allow remote code execution when cloning a repository.
CVE-2020-12279

checkout.c mishandles equivalent filenames that exist because of NTFS short names. This may allow remote code execution when cloning a repository
CVE-2024-24577

Using crafted inputs to the git_index_add function could cause heap corruption, and this had the potential to permit arbitrary code execution.

ELA-1308-1 activemq security update

Thu, 30 Jan 2025 10:00:45 +0100

Package : activemq

Version : 5.6.0+dfsg1-4+deb8u4 (jessie)

Multiple security issues were discovered in Apache ActiveMQ, a multi-protocol message broker.

CVE-2018-11775

TLS hostname verification was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.
CVE-2020-13920

Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the “jmxrmi” entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects.
CVE-2021-26117

The optional LDAP login module can be configured to use anonymous access to the LDAP server. In this case, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.
CVE-2023-46604

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

ELA-1307-1 git security update

Tue, 28 Jan 2025 16:46:04 +0000

Package : git

Version : 1:2.1.4-2.1+deb8u15 (jessie), 1:2.11.0-3+deb9u12 (stretch), 1:2.20.1-2+deb10u10 (buster)

Related CVEs : CVE-2024-50349 CVE-2024-52006

Multiple vulnerabilities were discovered in git, a fast, scalable and distributed revision control system.

CVE-2024-50349

When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This could allow attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker’s control.

CVE-2024-52006

Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way.

ELA-1306-1 python-django security update

Tue, 28 Jan 2025 11:17:55 +0000

Package : python-django

Version : 1.7.11-1+deb8u18 (jessie), 1:1.10.7-2+deb9u24 (stretch), 1:1.11.29-1+deb10u13 (buster)

Related CVEs : CVE-2024-53907 CVE-2024-56374

Two vulnerabilities were discovered in Django, a Python-based web development framework:

CVE-2024-53907: Prevent a potential Denial of Service (DoS) attack. The strip_tags method and striptags template filter were subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.
CVE-2024-56374: Prevent another potential Denial of Service (DoS) attack. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could have led to a potential denial-of-service attack. The clean_ipv6_address and is_valid_ipv6_address functions were vulnerable as was the GenericIPAddressField form field. The GenericIPAddressField model field was not affected.

ELA-1305-1 ruby2.5 security update

Sun, 26 Jan 2025 22:38:31 +0000

Package : ruby2.5

Version : 2.5.5-3+deb10u8 (buster)

Multiple vulnerabilities were found in ruby a popular programming language.

CVE-2024-35176

The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many <s in
an attribute value. Those who need to parse
untrusted XMLs may be impacted to this vulnerability.

CVE-2024-39908

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters such
as <, 0 and %>. If you need to parse untrusted XMLs,
you many be impacted to these vulnerabilities.

CVE-2024-41123

The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
to these vulnerabilities.

CVE-2024-41946

The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser
API like REXML::Document.new, you may be impacted
to this vulnerability. If you use other parser APIs
such as stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761

REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;)

ELA-1304-1 postgresql-9.4 security update

Sat, 25 Jan 2025 12:25:39 -0500

Package : postgresql-9.4

Version : 9.4.26-0+deb8u11 (jessie)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, log manipulation, or denial of service.

CVE-2023-5870

A flaw was found in PostgreSQL involving the pg_cancel_backend role that
signals background workers, including the logical replication launcher,
autovacuum workers, and the autovacuum launcher. Successful exploitation
requires a non-core extension with a less-resilient background worker
and would affect that specific background worker only.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1303-1 postgresql-9.6 security update

Sat, 25 Jan 2025 12:25:29 -0500

Package : postgresql-9.6

Version : 9.6.24-0+deb9u8 (stretch)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976

Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1302-1 postgresql-11 security update

Sat, 25 Jan 2025 12:25:21 -0500

Package : postgresql-11

Version : 11.22-0+deb10u4 (buster)

Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation, or log manipulation.

CVE-2024-10976

Incomplete tracking in PostgreSQL of tables with row security allows a
reused query to view or change different rows from those intended. It
leads to potentially incorrect policies being applied in cases where
role-specific policies are used and a given query is planned under one
role and then executed under other roles.

CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not
trusted under current SSL or GSS settings to furnish arbitrary non-NUL
bytes to the libpq application. For example, a man-in-the-middle attacker
could send a long error message that a human or screen-scraper user of
psql mistakes for valid query results.

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged
application user to view or change different rows from those intended. An
attack requires the application to use SET ROLE, SET SESSION
AUTHORIZATION, or an equivalent feature.

CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows
an unprivileged database user to change sensitive process environment
variables (e.g. PATH).

ELA-1301-1 rails security update

Fri, 24 Jan 2025 13:32:31 -0300

Package : rails

Version : 2:4.2.7.1-1+deb9u6 (stretch)

Multiple vunerabilities were discovered in rails, the Ruby based server-side MVC web application framework, which could result in XSS, data disclosure and open redirect.

CVE-2022-27777

A XSS Vulnerability in Action View tag helpers which would allow an attacker to inject content if able to control input into specific attributes.

CVE-2023-22792

A regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-22795

A regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-22796

A regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

CVE-2023-28120

A vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

ELA-1300-1 frr security update

Thu, 23 Jan 2025 12:29:54 +0100

Package : frr

Version : 7.5.1-1.1+deb10u4 (buster)

Related CVEs : CVE-2024-55553

In FRR, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket’s buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors.

ELA-1299-1 libreoffice security update

Tue, 21 Jan 2025 15:47:20 +0000

Package : libreoffice

Version : 1:6.1.5-3+deb9u6 (stretch), 1:6.1.5-3+deb10u15 (buster)

Related CVEs : CVE-2024-12425 CVE-2024-12426

Libreoffice, an office productivity software suite, was affected by two vulnerabilities

CVE-2024-12425

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was found
in The Document Foundation LibreOffice and allows Absolute Path Traversal. An attacker can write to arbitrary
locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files.

CVE-2024-12426

An Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability
was found in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental
variables or INI file values, so potentially sensitive information could be exfiltrated
to a remote server on opening a document containing such links.

ELA-1298-1 tiff security update

Mon, 20 Jan 2025 17:24:16 +0200

Package : tiff

Version : 4.0.3-12.3+deb8u18 (jessie), 4.0.8-2+deb9u13 (stretch), 4.1.0+git191117-2~deb10u10 (buster)

Related CVEs : CVE-2024-7006

NULL pointer dereference in TIFFReadDirectory()/TIFFReadCustomDirectory() has been fixed in tiff, a library and tools providing support for the Tag Image File Format (TIFF).

Additionally, issues with the earlier fixes for CVE-2023-52356 and CVE-2023-25433 have been resolved.

ELA-1297-1 redis security update

Mon, 20 Jan 2025 17:02:28 +0200

Package : redis

Version : 2:2.8.17-1+deb8u14 (jessie), 3:3.2.6-3+deb9u14 (stretch), 5:5.0.14-1+deb10u7 (buster)

Related CVEs : CVE-2024-46981

Possible code execution with Lua scripting due to a missing call to the garbage collector has been fixed in the key–value database Redis.

ELA-1296-1 libtar security update

Mon, 20 Jan 2025 16:21:53 +0200

Package : libtar

Version : 1.2.20-7+deb10u1 (buster)

Multiple vulnerabilities have been fixed in libtar, a library for manipulating tar archives.

CVE-2021-33643

out-of-bounds read in gnu_longlink()

CVE-2021-33644

out-of-bounds read in gnu_longname()

CVE-2021-33645

memory leak in th_read()

CVE-2021-33646 memory leak in th_read()

ELA-1295-1 hplip security update

Mon, 20 Jan 2025 15:56:11 +0200

Package : hplip

Version : 3.16.11+repack0-3+deb9u1 (stretch), 3.18.12+dfsg0-2+deb10u1 (buster)

Related CVEs : CVE-2020-6923

MDNS buffer issues have been fixed in HPLIP, the HP Linux Imaging and Printing system.

ELA-1290-2 rsync regression update

Sun, 19 Jan 2025 19:32:48 +0100

Package : rsync

Version : 3.1.1-3+deb8u4 (jessie), 3.1.2-1+deb9u5 (stretch), 3.1.3-6+deb10u2 (buster)

The update for rsync announced in ELA 1290-1 introduced a regression when using the -H option to preserve hard links. Updated packages are now available to correct this issue.

ELA-1294-1 ucf security update

Thu, 16 Jan 2025 17:03:34 +0000

Package : ucf

Version : 3.0030+deb8u1 (jessie), 3.0036+deb9u1 (stretch), 3.0038+nmu1+deb10u1 (buster)

A potential command-injection vulnerability was discovered in ucf, a tool to preserve user changes to config files.

ELA-1293-1 tomcat9 security update

Wed, 15 Jan 2025 22:28:53 +0100

Package : tomcat9

Version : 9.0.31-1~deb10u13 (buster)

Several problems have been addressed in Tomcat 9, a Java based web server, servlet and JSP engine.

CVE-2024-21733

Generation of Error Message Containing Sensitive Information vulnerability
in Apache Tomcat.

CVE-2024-38286

Apache Tomcat, under certain configurations, allows an attacker to cause an
OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly JASPIC)
ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not fail, allowing the user to
bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.

CVE-2024-50379 / CVE-2024-56337

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP
compilation in Apache Tomcat permits an RCE on case insensitive file
systems when the default servlet is enabled for write (non-default
configuration).
Some users may need additional configuration to fully mitigate
CVE-2024-50379 depending on which version of Java they are using with
Tomcat. For Debian 10 "buster" the system property
sun.io.useCanonCaches must be explicitly set to false (it defaults to
true). Most Debian users will not be affected because Debian uses case
sensitive file systems by default.

ELA-1292-1 tomcat8 security update

Wed, 15 Jan 2025 16:20:19 +0100

Package : tomcat8

Version : 8.5.54-0+deb9u17 (stretch)

Several problems have been addressed in Tomcat 8, a Java based web server, servlet and JSP engine, which may have led to an OutOfMemoryError or the revelation of sensitive information.

CVE-2024-21733

Generation of Error Message Containing Sensitive Information vulnerability
in Apache Tomcat.

CVE-2024-38286

Apache Tomcat, under certain configurations, allows an attacker to cause an
OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-52316

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is
configured to use a custom Jakarta Authentication (formerly JASPIC)
ServerAuthContext component which may throw an exception during the
authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not fail, allowing the user to
bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.

ELA-1291-1 tomcat7 security update

Wed, 15 Jan 2025 00:31:00 +0100

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u7 (jessie)

Related CVEs : CVE-2024-23672

A denial-of-service vulnerability was found in Tomcat 7, a Java based web server, servlet and JSP engine. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.

ELA-1290-1 rsync security update

Tue, 14 Jan 2025 19:51:14 +0100

Package : rsync

Version : 3.1.1-3+deb8u3 (jessie), 3.1.2-1+deb9u4 (stretch), 3.1.3-6+deb10u1 (buster)

Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool.

CVE-2024-12085

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.

CVE-2024-12086

Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client's machine.

CVE-2024-12087

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
--inc-recursive option, which could allow a server to write files
outside of the client's intended destination directory.

CVE-2024-12088

Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the --safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link with it,
resulting in path traversal and arbitrary file write outside of the
desired directory.

CVE-2024-12747

Aleksei Gorban "loqpa" discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.

ELA-1289-1 python-reportlab security update

Tue, 14 Jan 2025 17:33:40 +0100

Package : python-reportlab

Version : 3.1.8-3+deb8u3 (jessie)

Related CVEs : CVE-2019-19450 CVE-2020-28463

CVE-2019-19450

Ravi Prakash Giri discovered a remote code execution vulnerability via crafted XML document where <unichar code=" is followed by arbitrary Python code.

This issue is similar to CVE-2019-17626.

CVE-2020-28463

Karan Bamal discovered a Server-side Request Forgery (SSRF) vulnerability via <img> tags. New settings trustedSchemes and trustedHosts have been added as part of the fix/mitigation: they can be used to specify an explicit allowlist for remote sources.

ELA-1288-1 linux-6.1 security update

Tue, 14 Jan 2025 14:02:17 +0100

Package : linux-6.1

Version : 6.1.119-1~deb9u1 (stretch), 6.1.119-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

ELA-1287-1 python-tornado security update

Sat, 11 Jan 2025 17:20:45 +0100

Package : python-tornado

Version : 4.4.3-1+deb9u1 (stretch), 5.1.1-4+deb10u1 (buster)

Related CVEs : CVE-2023-28370 CVE-2024-52804

Multiple vulnerabilities were discovered in python-tornado, a scalable, non-blocking Python web framework and asynchronous networking library.

CVE-2023-28370

An open redirect vulnerability in Tornado versions 6.3.1 and earlier allows
a remote unauthenticated attacker to redirect a user to an arbitrary web
site and conduct a phishing attack by having the user access a specially
crafted URL.

CVE-2024-52804

The algorithm used for parsing HTTP cookies in Tornado versions prior to
6.4.2 sometimes has quadratic complexity, leading to excessive CPU
consumption when parsing maliciously-crafted cookie headers. This
parsing occurs in the event loop thread and may block the processing of
other requests.

ELA-1286-1 sympa security update

Mon, 06 Jan 2025 11:15:21 +0100

Package : sympa

Version : 6.2.40~dfsg-1+deb10u2 (buster)

Related CVEs : CVE-2024-55919

A flaw was found in Sympa’s web interface, a modern mailing list manager. An attacker may bypass authentication by using an arbitrary e-mail address when the generic SSO loging feature was enabled.

ELA-1285-1 ca-certificates-java bugfix update

Fri, 03 Jan 2025 12:27:48 +0000

Package : ca-certificates-java

Version : 20190405+deb10u1 (buster)

ca-certificate-java, a package that update the cacerts keystore (a collection of trusted certificate authority certificates) used for many java runtimes, failed to install.

ELA-1284-1 fastnetmon security update

Mon, 30 Dec 2024 13:25:47 +0100

Package : fastnetmon

Version : 1.1.3+dfsg-8.1+deb10u1 (buster)

Related CVEs : CVE-2024-56073

A potential security issue has been discovered in FastNetMon, a fast DDoS analyzer: Malformed Netflow traffic could result in denial of service.

ELA-1283-1 gst-plugins-base0.10 security update

Sun, 29 Dec 2024 11:08:47 +0000

Package : gst-plugins-base0.10

Version : 0.10.36-2+deb8u5 (jessie)

gstreamer a multimedia framework was affected by multiple vulnerabilities.

CVE-2024-47541

An Out of Bound write vulnerability has been
identified in the gst_ssa_parse_remove_override_codes
function of the gstssaparse.c file.

CVE-2024-47542

A null pointer dereference has been
discovered in the id3v2_read_synch_uint function, located
in id3v2.c

CVE-2024-47615

An Out Of Bound Write has been detected
in the function gst_parse_vorbis_setup_packet within
vorbis_parse.c.

ELA-1282-1 gst-plugins-base1.0 security update

Sat, 28 Dec 2024 21:19:33 +0000

Package : gst-plugins-base1.0

Version : 1.4.4-2+deb8u6 (jessie), 1.10.4-1+deb9u5 (stretch), 1.14.4-2+deb10u4 (buster)

gstreamer a multimedia framework was affected by multiple vulnerabilities.

CVE-2024-47538

A stack-buffer overflow has been detected
in the `vorbis_handle_identification_packet`
function within `gstvorbisdec.c`

CVE-2024-47541

An Out of Bound write vulnerability has been
identified in the gst_ssa_parse_remove_override_codes
function of the gstssaparse.c file.

CVE-2024-47542

A null pointer dereference has been
discovered in the id3v2_read_synch_uint function, located
in id3v2.c

CVE-2024-47600

An Out of Bound read vulnerability has been
detected in the format_channel_mask function in
gst-discoverer.c

CVE-2024-47607

A stack-buffer overflow has been
detected in the gst_opus_dec_parse_header function
within `gstopusdec.c'.

CVE-2024-47615

An Out Of Bound Write has been detected
in the function gst_parse_vorbis_setup_packet within
vorbis_parse.c.

CVE-2024-47835

A null pointer dereference vulnerability
has been detected in the parse_lrc function within
gstsubparse.c

ELA-1281-1 gstreamer1.0 security update

Fri, 27 Dec 2024 10:29:36 +0000

Package : gstreamer1.0

Version : 1.4.4-2+deb8u2 (jessie), 1.10.4-1+deb9u1 (stretch), 1.14.4-1+deb10u1 (buster)

Related CVEs : CVE-2024-47606

gstreamer a multimedia framework was affected by a vulnerability.

The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the ‘slice_size’ variable.

ELA-1280-1 amavisd-new security update

Thu, 26 Dec 2024 20:52:43 +0100

Package : amavisd-new

Version : 1:2.10.1-4+deb9u1 (stretch), 1:2.11.0-6.1+deb10u1 (buster)

Related CVEs : CVE-2024-28054

Amavis has an interpretation conflict when there are ambiguous boundary delimiters in a MIME email message. An attacker can send crafted emails that avoid checks for banned files or malware.

Amavis now treats such emails as UNCHECKED, and this new behavior can be configured, see:

ELA-1279-1 php5 security update

Thu, 26 Dec 2024 15:12:38 +0100

Package : php5

Version : 5.6.40+dfsg-0+deb8u22 (jessie)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

By connecting to a fake MySQL server or tampering with network packets and initiating a SQL Query, it is possible to abuse php_mysqlnd_rset_field_read() when parsing MySQL fields packets in order to include the rest of the heap content starting from the address of the cursor of the currently read buffer.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

A memory-related vulnerability was discovered in the filter handling system, particularly when processing input with convert.quoted-printable-decode filters, which could lead to a segmentation fault.

This vulnerability is triggered through specific sequences of input data, causing PHP to crash. When exploited, it allows an attacker to extract a single byte of data from the heap or result in denial of service.

CVE-2024-11234

Lorenzo Leonardini discovered that Configuring a proxy in a stream context might allow for CRLF injection in URIs, which could lead to authorization bypass by Server Side Request Forgery attack (SSRF).

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

In addition, this releases fixes a segfault on close() after free_result() with mysqlnd, which wasn’t assigned an advisory number.

ELA-1278-1 php7.0 security update

Thu, 26 Dec 2024 15:12:37 +0100

Package : php7.0

Version : 7.0.33-0+deb9u20 (stretch)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

CVE-2024-11234

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

ELA-1277-1 php7.3 security update

Thu, 26 Dec 2024 15:12:36 +0100

Package : php7.3

Version : 7.3.31-1~deb10u9 (buster)

CVE-2024-8929

Sébastien Rolland discovered a partial content leak of the heap through heap buffer over-read in mysqlnd.

CVE-2024-8932

Yiheng Cao discovered that uncontrolled long string inputs to ldap_escape() on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVE-2024-11233

CVE-2024-11234

CVE-2024-11236

An integer overflow vulnerability was found in the firebird and dblib quoters, which can result in out-of-bounds writes.

GHSA-4w77-75f9-2c8w

A heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which could allow an attacker to exploit memory safety issues during POST request processing.

ELA-1276-1 intel-microcode security update

Mon, 23 Dec 2024 20:33:41 +0100

Package : intel-microcode

Version : 3.20241112.1~deb8u1 (jessie), 3.20241112.1~deb9u1 (stretch), 3.20241112.1~deb10u1 (buster)

A microcode update has been released for Intel processors, addressing multiple vulnerabilties which potentially could cause local privileged escalation or local DoS.

CVE-2024-21820

Incorrect default permissions in some Intel(R) Xeon(R) processor memory
controller configurations when using Intel(R) SGX may allow a privileged user
to potentially enable escalation of privilege via local access.
(INTEL-SA-01079)

CVE-2024-21853

Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th
Generation Intel(R) Xeon(R) Processors may allow an authorized user to
potentially enable denial of service via local access. (INTEL-SA-01101)

CVE-2024-23918

Improper conditions check in some Intel(R) Xeon(R) processor memory controller
configurations when using Intel(R) SGX may allow a privileged user to
potentially enable escalation of privilege via local access. (INTEL-SA-01079)

CVE-2024-23984 (already adressed in a previous upload, this upload adds more processor models.)

Observable discrepancy in RAPL interface for some Intel(R) Processors may allow
a privileged user to potentially enable information disclosure via local
access.

ELA-1275-1 libpgjava regression update

Fri, 20 Dec 2024 08:17:29 +0200

Package : libpgjava

Version : 42.2.5-2+deb10u5 (buster)

A regression in PgResultSet.refreshRow() introduced by the CVE-2022-31197 fix in 42.2.5-2+deb10u2 has been fixed in the PostgreSQL JDBC Driver.

ELA-1274-1 astropy bugfix update

Fri, 20 Dec 2024 08:12:54 +0200

Package : astropy

Version : 3.1.2-2+deb10u2 (buster)

Due to an issue unrelated to the DLA changes, the DLA-3803-1 update of astropy (an Astronomy package for Python) containing the CVE-2023-41334 fix had bever been successfully built.

ELA-1273-1 zabbix security update

Sun, 15 Dec 2024 16:25:14 +0100

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u9 (jessie), 1:3.0.32+dfsg-0+deb9u8 (stretch)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially among other effects allowing denial of service, information disclosure, log tampering or buffer over-read.

CVE-2024-22117

When a URL is added to the map element, it is recorded in the database
with sequential IDs. Upon adding a new URL, the system retrieves the
last sysmapelementurlid value and increments it by one. However, an
issue arises when a user manually changes the sysmapelementurlid value
by adding sysmapelementurlid + 1. This action prevents others from
adding URLs to the map element.

CVE-2024-36464

When exporting media types, the password is exported in the YAML in
plain text. This appears to be a best practices type issue and may
have no actual impact. The user would need to have permissions to
access the media types and therefore would be expected to have
access to these passwords.

CVE-2024-42332

The researcher is showing that due to the way the SNMP trap log is
parsed, an attacker can craft an SNMP trap with additional lines of
information and have forged data show in the Zabbix UI. This attack
requires SNMP auth to be off and/or the attacker to know the
community/auth details. The attack requires an SNMP item to be
configured as text on the target host.

CVE-2024-42333

The researcher is showing that it is possible to leak a small amount
of Zabbix Server memory using an out of bounds read in
src/libs/zbxmedia/email.c

ELA-1272-1 libsoup2.4 security update

Thu, 12 Dec 2024 20:25:42 +0800

Package : libsoup2.4

Version : 2.48.0-1+deb8u3 (jessie), 2.56.0-2+deb9u3 (stretch), 2.64.2-2+deb10u1 (buster)

Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library for Gtk+ programs.

CVE-2024-52530

In some configurations, HTTP request smuggling is possible because null characters at the end of the names of HTTP headers were ignored.

CVE-2024-52531

There was a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. This could lead to memory corruption, crashes or information disclosure. (Contrary to the CVE description, it is now believed that input received over the network could trigger this.)

CVE-2024-52532

An infinite loop in the processing of WebSocket data from clients could lead to a denial-of-service problem through memory exhaustion.

ELA-1271-1 linux-6.1 new linux version

Thu, 12 Dec 2024 12:29:20 +0100

Package : linux-6.1

Version : 6.1.112-1~deb9u1 (stretch), 6.1.112-1~deb10u1 (buster)

This update introduces Linux kernel 6.1 to Debian 9 stretch and Debian 10 buster. This kernel will be supported along with 5.10, but for a longer period. Linux 4.19 was discontinued as announced in ELA-1116-1. Instructions on how to update to 6.1 and support periods can be found in the kernel backports page.

ELA-1270-1 ntp security update

Wed, 11 Dec 2024 12:28:41 +0800

Package : ntp

Version : 1:4.2.8p12+dfsg-4+deb10u1 (buster)

Multiple vulnerabilities were discovered in ntp, a Network Time Protocol daemon and set of utility programs.

CVE-2020-11868

It was possible for an off-path attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address.

CVE-2020-15025

A remote attacker could cause a denial-of-service because of a memory leak in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVE-2023-26555

The clock driver for the Trimble Palisade GPS timing receiver contained an out-of-bounds write, which could cause memory corruption or a crash.

ELA-1269-1 avahi security update

Mon, 09 Dec 2024 14:37:19 +0200

Package : avahi

Version : 0.6.31-5+deb8u3 (jessie), 0.6.32-2+deb9u3 (stretch), 0.7-4+deb10u4 (buster)

Multiple vulnerabilities have been fixed in the service discovery system Avahi.

Additionally, a GetAlternativeServiceName regression introduced by the CVE-2023-1981 fix in DLA-3414-1 (buster) and ELA-844-1 (jessie, stretch) has been fixed.

CVE-2023-38469

Reachable assertion in avahi_dns_packet_append_record

CVE-2023-38470

Reachable assertion in avahi_escape_label

CVE-2023-38471

Reachable assertion in dbus_set_host_name

CVE-2023-38472

Reachable assertion in avahi_rdata_parse

CVE-2023-38473

Reachable assertion in avahi_alternative_host_name

ELA-1268-1 clamav security update

Wed, 04 Dec 2024 19:36:21 -0300

Package : clamav

Version : 0.103.12+dfsg-0+deb8u1 (jessie), 0.103.12+dfsg-0+deb9u1 (stretch), 1.0.7+dfsg-1~deb10u1 (buster)

Related CVEs : CVE-2024-20505 CVE-2024-20506

Two vulnerabilities were found in ClamAV, an antivirus toolkit for Unix.

CVE-2024-20505

Affected versions could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an out of bounds read. An attacker could exploit this vulnerability by submitting a crafted PDF file to be scanned by ClamAV on an affected device. An exploit could allow the attacker to terminate the scanning process.

CVE-2024-20506

Affected versions could allow an authenticated, local attacker to corrupt critical system files. The vulnerability is due to allowing the ClamD process to write to its log file while privileged without checking if the logfile has been replaced with a symbolic link. An attacker could exploit this vulnerability if they replace the ClamD log file with a symlink to a critical system file and then find a way to restart the ClamD process. An exploit could allow the attacker to corrupt a critical system file by appending ClamD log messages after restart.

On Debian 10 (Buster), clamav was updated to version 1.0.7+dfsg-1~deb10u1. In order to properly built it, new source packages and their binaries were introduced to Debian 10 (Buster):

cmake-latest/3.18.4-2~deb10u1
llvm-toolchain-16/1:16.0.6-15~deb10u1
rustc-web/1.78.0+dfsg1-2~deb10u1

Due to the library soname bump, the reverse dependencies of libclamav9 were also rebuilt against libclamav11. The following source packages were updated:

c-icap-modules/1:0.5.3-1+deb10u2
cyrus-imapd/3.0.8-6+deb10u7
havp/0.93-2+deb10u1
pg-snakeoil/1.1-1+deb10u1
python-clamav/0.4.1-11+deb10u1

ELA-1267-1 python3.4 security update

Tue, 03 Dec 2024 18:35:28 +0000

Package : python3.4

Version : 3.4.2-1+deb8u19 (jessie)

Multiple vulnerabilities were found in python3.4, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1266-1 simplesamlphp security update

Tue, 03 Dec 2024 12:01:32 -0300

Package : simplesamlphp

Version : 1.16.3-1+deb10u3 (buster)

Related CVEs : CVE-2024-52596 CVE-2024-52806

It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0 protocol, is prone to XML external entity (XXE) vulnerabilities when loading (untrusted) XML documents or parsing SAML messages.

ELA-1238-2 needrestart regression update

Mon, 02 Dec 2024 21:55:26 -0300

Package : needrestart

Version : 1.2-8+deb8u4 (jessie), 2.11-3+deb9u4 (stretch), 3.4-5+deb10u3 (buster)

Related CVEs : CVE-2024-48991

The update for needrestart announced as ELA 1228-1 introduced a regression, reporting false positives for processes running in chroot or mountns. Updated packages are now available to correct this issue.

ELA-1265-1 mariadb-10.1 security update

Sun, 01 Dec 2024 10:29:50 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u6 (stretch)

Related CVEs : CVE-2022-38791

A Denial-of-service vulnerability was found in MariaDB, a popular database server. It was found that the mariabackup tool did not correctly handle a mutex primitive, making it possible for local users to trigger a deadlock.

ELA-1264-1 openssl1.0 security update

Sun, 01 Dec 2024 10:32:47 +0800

Package : openssl1.0

Version : 1.0.2u-1~deb9u10 (stretch)

Related CVEs : CVE-2023-5678 CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

ELA-1263-1 lemonldap-ng security update

Sat, 30 Nov 2024 22:25:46 +0100

Package : lemonldap-ng

Version : 2.0.2+ds-7+deb10u11 (buster)

Related CVEs : CVE-2024-48933 CVE-2024-52947

Two Cross-site scripting (XSS) vulnerabilities were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to injection of arbitrary scripts or HTML content.

CVE-2024-48933: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML into the login page via a username if userControl has been set to a non-default value that allows special HTML characters.
CVE-2024-52947: XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the url parameter of the upgrade session confirmation page (upgradeSession) if the “Upgrade session” plugin has been enabled by an admin.

ELA-1262-1 python3.5 security update

Sat, 30 Nov 2024 21:04:07 +0000

Package : python3.5

Version : 3.5.3-1+deb9u11 (stretch)

Multiple vulnerabilities were found in python3.5, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1261-1 dnsmasq security update

Sat, 30 Nov 2024 16:28:29 +0100

Package : dnsmasq

Version : 2.80-1+deb10u3 (buster)

Related CVEs : CVE-2023-50387 CVE-2023-50868

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

ELA-1260-1 activemq security update

Sat, 30 Nov 2024 14:49:59 +0100

Package : activemq

Version : 5.14.3-3+deb9u3 (stretch) 5.15.16-0+deb10u2 (buster)

Related CVEs : CVE-2023-46604 CVE-2022-41678

Two vulnerabilities were discovered in the activemq suite of packages. Activemq is the java-based flexible & powerful open source multi-protocol message broker.

CVE-2022-41678

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.

The fix for this problem has been added to both the Debian Stretch and the Debian Buster packages.

CVE-2023-46604

Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath.

The fix for this problem has been added to the Debian Stretch package. The Debian Buster package was fixed already
in a previous update, in version 5.15.16-0+deb10u1.

ELA-1259-1 editorconfig-core security update

Sat, 30 Nov 2024 13:07:19 +0100

Package : editorconfig-core

Version : 0.12.1-1.1+deb10u1 (buster)

Related CVEs : CVE-2023-0341 CVE-2024-53849

Two issues have been found in editorconfig-core, a coding style indenter for all editors. Both issues are related to buffer overflows in different locations.

ELA-1258-1 openssl security update

Sat, 30 Nov 2024 19:15:19 +0800

Package : openssl

Version : 1.0.1t-1+deb8u22 (jessie)

Related CVEs : CVE-2023-5678 CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

ELA-1257-1 openssl security update

Sat, 30 Nov 2024 19:14:29 +0800

Package : openssl

Version : 1.1.0l-1~deb9u10 (stretch)

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with TLSv1.3.

CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. This could lead to information disclosure or possibly remote code execution.

ELA-1256-1 openssl security update

Sat, 30 Nov 2024 19:13:05 +0800

Package : openssl

Version : 1.1.1n-0+deb10u7 (buster)

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with TLSv1.3.

CVE-2024-4741

A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

CVE-2024-9143

ELA-1255-1 unbound1.9 security update

Thu, 28 Nov 2024 23:00:27 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u5 (stretch)

Multiple vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2024-8508

When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167

A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168

A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1254-1 icinga2 security update

Thu, 28 Nov 2024 22:50:44 +0100

Package : icinga2

Version : 2.10.3-2+deb10u2 (buster)

Multiple vulnerabilities were discovered in icinga2, a general-purpose monitoring application.

CVE-2020-29663

An issue was discovered where revoked certificates due for renewal were
automatically being renewed, ignoring the CRL.

CVE-2021-32739

A vulnerability was discovered that may allow privilege escalation for
authenticated API users. With a read-only user's credentials, an attacker can
view most attributes of all config objects including `ticket_salt` of
`ApiListener`. This salt is enough to compute a ticket for every possible
common name (CN). A ticket, the master node's certificate, and a self-signed
certificate are enough to successfully request the desired certificate from
Icinga. That certificate may in turn be used to steal an endpoint or API user's
identity.

CVE-2021-32743

Some of the Icinga 2 features that require credentials for external
services expose those credentials through the API to authenticated API users
with read permissions for the corresponding object types.  IdoMysqlConnection
and IdoPgsqlConnection (every released version) exposes the password of the
user used to connect to the database.  ElasticsearchWriter (added in 2.8.0)
exposes the password used to connect to the Elasticsearch server. An attacker
who obtains these credentials can impersonate Icinga to these services and add,
modify and delete information there.

CVE-2021-37698

ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do
not verify the server's certificate despite a certificate authority being
specified. Instances which connect to any of the mentioned time series
databases (TSDBs) using TLS over a spoofable infrastructure should change the
credentials (if any) used by the TSDB writer feature to authenticate against
the TSDB.

CVE-2024-49369

The TLS certificate validation in all Icinga 2 versions starting from
2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster
nodes as well as any API users that use TLS client certificates for
authentication (ApiUser objects with the `client_cn` attribute set).

ELA-1253-1 redis security update

Thu, 28 Nov 2024 23:45:11 +0200

Package : redis

Version : 2:2.8.17-1+deb8u13 (jessie), 3:3.2.6-3+deb9u13 (stretch), 5:5.0.14-1+deb10u6 (buster)

Multiple vulnerabilities have been fixed in the key–value database Redis.

CVE-2022-35977

integer overflows in SETRANGE and SORT

CVE-2022-36021 (jessie, stretch)

string pattern matching DoS

CVE-2023-25155

SRANDMEMBER integer overflow

CVE-2024-31228

unbounded pattern matching DoS

CVE-2024-31449 (stretch)

Lua bit library stack overflow

ELA-1252-1 libmodule-scandeps-perl security update

Thu, 28 Nov 2024 17:29:38 -0300

Package : libmodule-scandeps-perl

Version : 1.16-1+deb8u1 (jessie), 1.23-1+deb9u1 (stretch), 1.27-1+deb10u1 (buster)

Related CVEs : CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl, a Perl module to recursively scan Perl code for dependencies, allows an attacker to execute arbitrary shell commands via specially crafted file names.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

ELA-1251-1 mpg123 security update

Thu, 28 Nov 2024 19:56:36 +0000

Package : mpg123

Version : 1.23.8-1+deb9u1 (stretch)

mpg123 a popular MPEG layer 1/2/3 audio player was affected by multiple vulnerabilities.

CVE-2017-9545

The next_text function allowed remote attackers to cause a
Denial Of Service (buffer over-read) via a crafted mp3 file.

CVE-2017-10683

A heap-based buffer over-read was found in the convert_latin1 function.
A crafted input will lead to a remote denial of service attack.

CVE-2017-12797

An Integer Overflow was found in the INT123_parse_new_id3 function
in the ID3 parser in mpg123 on 32-bit platforms. This vulnerability
allowed remote attackers to cause a denial of service via a crafted
file, which triggers a heap-based buffer overflow.

CVE-2017-12839

A heap-based buffer over-read was found in the getbits function.
This vulnerability allowed a remote attackers to cause
a possible denial-of-service (out-of-bounds read) via a
crafted mp3 file.

CVE-2024-10573

An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1250-1 mpg123 security update

Thu, 28 Nov 2024 19:52:11 +0000

Package : mpg123

Version : 1.25.10-2+deb10u1 (buster)

Related CVEs : CVE-2024-10573

mpg123 a popular MPEG layer 1/2/3 audio player was affected by a vulnerability.

An out-of-bounds write flaw was found in mpg123 when handling crafted streams. When decoding PCM, the libmpg123 may write past the end of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1249-1 tzdata new timezone database

Thu, 28 Nov 2024 20:44:04 +0100

Package : tzdata

Version : 2024b-0+deb8u1 (jessie), 2024b-0+deb9u1 (stretch), 2024b-0+deb10u1 (buster)

This update includes the changes in tzdata 2024b. Notable changes are:

Updated leap second list, which was set to expire by the end of December.
Correction of historical data for Mexico, Mongolia and Portugal.

ELA-1248-1 twisted security update

Thu, 28 Nov 2024 16:18:16 +0100

Package : twisted

Version : 16.6.0-2+deb9u5 (stretch)

Related CVEs : CVE-2024-41671 CVE-2024-41810

Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
CVE-2024-41810

The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

ELA-1247-1 twisted security update

Thu, 28 Nov 2024 16:17:48 +0100

Package : twisted

Version : 18.9.0-3+deb10u3 (buster)

Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.

CVE-2023-46137

When sending multiple HTTP requests in one TCP packet, twisted.web will process the requests asynchronously without guaranteeing the response order. If one of the endpoints is controlled by an attacker, the attacker can delay the response on purpose to manipulate the response of the second request when a victim launched two requests using HTTP pipeline.
CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure.
CVE-2024-41810

The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.

ELA-1246-1 exim4 security update

Wed, 27 Nov 2024 16:22:28 +0100

Package : exim4

Version : 4.84.2-2+deb8u13 (jessie), 4.89-2+deb9u14 (stretch), 4.92-8+deb10u11 (buster)

Related CVEs : CVE-2023-42117 CVE-2023-42119

Multiple potential security vulnerabilities have been addressed in exim4, a mail transport agent. These issues may allow remote attackers to disclose sensitive information or execute arbitrary code but only if Exim4 is run behind or with untrusted proxy servers or DNS resolvers. If your proxy-protocol proxy or DNS resolver are trustworthy, you are not affected.

In addition CVE-2021-38371 and CVE-2022-3559 have been addressed for Debian 10 “Buster” and CVE-2022-3559 for Debian 9 “Stretch”.

ELA-1245-1 bind9 security update

Wed, 27 Nov 2024 11:56:02 +0100

Package : bind9

Version : 1:9.10.3.dfsg.P4-12.3+deb9u17 (stretch)

Related CVEs : CVE-2024-1737 CVE-2024-1975

Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

ELA-1244-1 python3.7 security update

Tue, 26 Nov 2024 11:13:28 +0000

Package : python3.7

Version : 3.7.3-2+deb10u9 (buster)

Multiple vulnerabilities were found in python3.7, an interactive high-level object-oriented language.

CVE-2023-27043:

The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:

Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923

The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592

When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value

CVE-2024-9287

A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168

The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.

ELA-1243-1 ghostscript security update

Sun, 24 Nov 2024 23:59:04 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u13 (jessie), 9.26a~dfsg-0+deb9u13 (stretch), 9.27~dfsg-2+deb10u10 (buster)

Multiple vulnerabilities have been fixed in the PostScript/PDF interpreter Ghostscript.

CVE-2024-46951

PS interpreter unchecked pointer

CVE-2024-46953

output filename format string integer overflow

CVE-2024-46955

PS interpreter out-of-bounds

CVE-2024-46956

PS interpreter out-of-bounds

ELA-1242-1 intel-microcode security update

Sun, 24 Nov 2024 15:45:15 +0100

Package : intel-microcode

Version : 3.20240910.1~deb8u1 (jessie), 3.20240910.1~deb9u1 (stretch), 3.20240910.1~deb10u1 (buster)

Related CVEs : CVE-2024-23984 CVE-2024-24968

A microcode update has been released for Intel processors, addressing multiple vulnerabilties which potentially could cause information disclosue or local DoS.

CVE-2024-23984

Observable discrepancy in RAPL interface for some Intel(R)
Processors may allow a privileged user to potentially enable
information disclosure via local access.

CVE-2024-24968

Improper finite state machines (FSMs) in hardware logic in some
Intel(R) Processors may allow an privileged user to potentially
enable a denial of service via local access.

ELA-1241-1 amd64-microcode security update

Sun, 24 Nov 2024 10:28:32 +0100

Package : amd64-microcode

Version : 3.20240820.1~deb8u1 (jessie), 3.20240820.1~deb9u1 (stretch), 3.20240820.1~deb10u1 (buster)

AMD has released microcode updates to address multiple vulnerabilties.

This release requires either new-enough system firmware, or a recent-enough Linux kernel to properly work on AMD Genoa and Bergamo processors.

The firmware requirement is AGESA 1.0.0.8 or newer.

The Linux kernel requirement is a group of patches that are already present in the Linux stable/LTS/ELTS trees since versions: v4.19.289, v5.4.250, v5.10.187, v5.15.120, v6.1.37, v6.3.11 and v6.4.1. These patches are also present in Linux v6.5-rc1.

CVE-2023-20569

A side channel vulnerability on some of the AMD CPUs may allow an
attacker to influence the return address prediction. This may result
in speculative execution at an attacker-controlled?address,
potentially leading to information disclosure. 

CVE-2023-20569 had been previously reported as fixed in an earlier
update, this update expands the fixes to 4th Gen AMD EPYC
processors, Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19
Model=0xa0). See Debian bug #1043381 for details.

CVE-2023-20584

IOMMU improperly handles certain special address ranges with invalid
device table entries (DTEs), which may allow an attacker with
privileges and a compromised Hypervisor to induce DTE faults to
bypass RMP checks in SEV-SNP, potentially leading to a loss of guest
integrity.

CVE-2023-31315

Improper validation in a model specific register (MSR) could allow a
malicious program with ring0 access to modify SMM configuration
while SMI lock is enabled, potentially leading to arbitrary code
execution.

CVE-2023-31356

Incomplete system memory cleanup in SEV firmware could allow a
privileged attacker to corrupt guest private memory, potentially
resulting in a loss of data integrity.

ELA-1240-1 glib2.0 security update

Sat, 23 Nov 2024 21:00:13 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u8 (jessie), 2.50.3-2+deb9u7 (stretch), 2.58.3-2+deb10u7 (buster)

Related CVEs : CVE-2024-52533

A buffer overflow with long SOCKS4a proxy hostname and username has been fixed in the GNOME Input/Output library (GIO).

ELA-1239-1 qtbase-opensource-src security update

Fri, 22 Nov 2024 23:43:54 +0200

Package : qtbase-opensource-src

Version : 5.3.2+dfsg-4+deb8u7 (jessie), 5.7.1+dfsg-3+deb9u5 (stretch), 5.11.3+dfsg1-1+deb10u7 (buster)

Multiple vulnerabilities have been fixed in qtbase-opensource-src, the core part of the Qt 5 application framework.

CVE-2023-24607 (jessie)

Qt SQL ODBC driver DoS

CVE-2023-32763 (jessie)

Qt SVG buffer overflow

CVE-2023-33285 (jessie)

QDnsLookup buffer over-read

CVE-2023-34410

certificate validation for TLS did not always consider whether the root of a chain is a configured CA certificate

CVE-2023-37369 (jessie)

QXmlStreamReader buffer overflow

CVE-2023-38197 (jessie)

QXmlStreamReader buffer overflow

ELA-1238-1 needrestart security update

Wed, 20 Nov 2024 15:23:01 -0300

Package : needrestart

Version : 1.2-8+deb8u3 (jessie), 2.11-3+deb9u3 (stretch), 3.4-5+deb10u2 (buster)

The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades.

CVE-2024-11003

  Local attackers can trick needrestart to call the Perl module
  Module::ScanDeps with attacker-controlled files.

CVE-2024-48990

  Local attackers can execute arbitrary code as root by tricking needrestart
  into running the Python interpreter with an attacker-controlled PYTHONPATH
  environment variable.

CVE-2024-28991

  Local attackers can execute arbitrary code as root by winning a race
  condition and tricking needrestart into running their own, fake Python
  interpreter (instead of the system's real Python interpreter).

CVE-2024-28992

  Local attackers can also execute arbitrary code as root by tricking
  needrestart into running the Ruby interpreter with an attacker-controlled
  RUBYLIB environment variable.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

ELA-1237-1 smarty3 security update

Sun, 17 Nov 2024 12:54:19 +0100

Package : smarty3

Version : 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u3 (buster)

Multiple vulnerabilties were discovered for smarty3, a widely-used PHP templating engine, which potentially allows an attacker to perform an XSS (e.g JavaScript or PHP code injection).

CVE-2018-25047

In Smarty before 3.1.47 and 4.x before 4.2.1,
libs/plugins/function.mailto.php allows XSS. A web page that uses
smarty_function_mailto, and that could be parameterized using GET or
POST input parameters, could allow injection of JavaScript code by a
user.

CVE-2018-25047 had already been reported as fixed previously via DLA-3262-1, however it was found the fix was incomplete.

CVE-2023-28447

In affected versions smarty did not properly escape javascript code.
An attacker could exploit this vulnerability to execute arbitrary
JavaScript code in the context of the user's browser session. This
may lead to unauthorized access to sensitive user data, manipulation
of the web application's behavior, or unauthorized actions performed
on behalf of the user. Users are advised to upgrade to either
version 3.1.48 or to 4.3.1 to resolve this issue. There are no known
workarounds for this vulnerability.

CVE-2024-35226

In affected versions template authors could inject php code by
choosing a malicious file name for an extends-tag. Sites that cannot
fully trust template authors should update asap. All users are
advised to update.  There is no patch for users on the v3 branch.
There are no known workarounds for this vulnerability.

ELA-1236-1 waitress security update

Sat, 16 Nov 2024 23:56:23 +0200

Package : waitress

Version : 1.2.0~b2-2+deb10u2 (buster)

Related CVEs : CVE-2024-49769

DoS due to resource exhaustion has been fixed in waitress, a Python Web Server Gateway Interface server.

ELA-1235-1 unbound security update

Fri, 15 Nov 2024 14:02:20 +0100

Package : unbound

Version : 1.9.0-2+deb10u5 (buster)

Multiple vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2024-8508

When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167

A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168

A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1234-1 apache2 security update

Fri, 15 Nov 2024 08:36:15 +0000

Package : apache2

Version : 2.4.59-1~deb10u4 (buster)

Related CVEs : CVE-2024-38473

A vulnerability was found in apache2, a popular web server.

An encoding problem in mod_proxy allowed request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.

This affects configurations where mechanisms other than ProxyPass/ProxyPassMatch or RewriteRule with the ‘P’ flag are used to configure a request to be proxied, such as SetHandler or inadvertent proxying via CVE-2024-39573.

Note that these alternate mechanisms may be used within .htaccess.

ELA-1233-1 libarchive security update

Mon, 11 Nov 2024 23:51:03 +0200

Package : libarchive

Version : 3.1.2-11+deb8u12 (jessie), 3.2.2-2+deb9u5 (stretch), 3.3.3-4+deb10u4 (buster)

Related CVEs : CVE-2024-20696

RAR reader out-of-bounds write has been fixed in libarchive, a multi-format archive and compression library.

ELA-1232-1 libseccomp security update

Mon, 11 Nov 2024 13:02:02 +0200

Package : libseccomp

Version : 2.4.1-1~deb8u1 (jessie), 2.4.1-1~deb9u1 (stretch), 2.4.1-1~deb10u1 (buster)

Related CVEs : CVE-2019-9893

The kernel syscall filtering library libseccomp has been upgraded to version 2.4.1 to fix 64-bit argument comparisons.

ELA-1231-1 nss security update

Sat, 09 Nov 2024 22:46:29 +0100

Package : nss

Version : 2:3.26-1+debu8u19 (jessie) 2:3.26.2-1.1+deb9u8 (stretch) 2:3.42.1-1+deb10u9 (buster)

Related CVEs : CVE-2024-6602 CVE-2024-6609

Two vulnerabilities were discovered in the nss suite of packages, which include libnss3 and other tools for dealing with certificates and security standards.

CVE-2024-6602

A mismatch between allocator and deallocator could have lead to memory corruption.

CVE-2024-6609

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.

ELA-1230-1 context bugfix update

Tue, 05 Nov 2024 21:43:40 +0000

Package : context

Version : 2018.04.04.20181118-1+deb10u1 (buster)

The CVE-2023-32700 fix for the texlive-bin package, released for Debian 10 “buster” as DLA-3427-1, introduced a regression in context, a general-purpose document processor. The DLA-3427-1 update broke the context binary package installation process.

This regression update corrects the issue, fixing the context package’s mtxrun script

ELA-1229-1 libheif security update

Tue, 05 Nov 2024 13:21:10 -0800

Package : libheif

Version : 1.3.2-2+deb10u3 (buster)

Related CVEs : CVE-2023-0996

There was a vulnerability in the strided image parsing code in libheif, a decoder/encoder for the HEIF and AVIF image formats.

An attacker could have exploited this through a crafted image file to cause a buffer overflow in linear memory during a memcpy call.

ELA-1228-1 openjdk-8 security update

Mon, 04 Nov 2024 18:20:50 +0100

Package : openjdk-8

Version : 8u432-b06-2~deb8u1 (jessie), 8u432-b06-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.

ELA-1227-1 libxml2 security update

Sun, 03 Nov 2024 09:13:19 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u17 (jessie), 2.9.4+dfsg1-7+deb10u9 (buster)

Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files, potentially allowing an attacker to perform denial of service or trigger an use-after-free situation.

CVE-2016-9318 (Debian 8 update only)

XML External Entity (XXE) attacks via a crafted document.

Note: CVE-2016-9318 has been previously addressed for Debian 10 (buster) in ELA-1195.

CVE-2017-16932

When expanding a parameter entity in a DTD, infinite recursion could lead to
an infinite loop or memory exhaustion.

CVE-2023-39615

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via supplying a crafted
XML file.

CVE-2023-45322

libxml2 through 2.11.5 has a use-after-free that can only occur after a
certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c.

CVE-2024-25062

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5.
When using the XML Reader interface with DTD validation and XInclude 
expansion enabled, processing crafted XML documents can lead to an 
xmlValidatePopElement use-after-free.

ELA-1226-1 perl security update

Sat, 02 Nov 2024 18:08:01 +0000

Package : perl

Version : 5.20.2-3+deb8u14 (jessie), 5.24.1-3+deb9u8 (stretch), 5.28.1-6+deb10u2 (buster)

Related CVEs : CVE-2020-16156 CVE-2023-31484

Perl a popular script language was affected by multiple vulnerabilities.

CVE-2020-16156:

 An attacker can prepend checksums for modified
 packages to the beginning of CHECKSUMS files,
 before the cleartext PGP headers. This makes
 the Module::Signature::_verify() checks
 in both cpan and cpanm pass.
 Without the sigtext and plaintext arguments
 to _verify(), the _compare() check is bypassed.
 This results in _verify() only checking that
 valid signed cleartext is present somewhere
 in the file.

CVE-2023-31484:

CPAN.pm does not verify TLS certificates
when downloading distributions over HTTPS.

ELA-1225-1 texlive-bin security update

Fri, 01 Nov 2024 22:31:54 +0000

Package : texlive-bin

Version : 2016.20160513.41080.dfsg-2+deb9u2 (stretch), 2018.20181218.49446-1+deb10u3 (buster)

Related CVEs : CVE-2023-32668 CVE-2024-25262

TeXLive, a popular software distribution for the TeX typesetting system that includes major TeX-related programs, macro packages, and fonts, was affected by two vulnerabilties.

CVE-2023-32668

A document (compiled with the default settings)
was allowed to make arbitrary network requests.
This occurs because full access to the socket library was
permitted by default, as stated in the documentation.

CVE-2024-25262

A heap buffer overflow was found via
the function ttfLoadHDMX:ttfdump. This vulnerability
allows attackers to cause a Denial of Service (DoS)
via supplying a crafted TTF file.

ELA-1224-1 libcpan-reporter-smoker-perl bug fix update

Fri, 01 Nov 2024 22:22:16 +0000

Package : libcpan-reporter-smoker-perl

Version : 0.28-1+deb9u1 (stretch), 0.29-1+deb10u1 (buster)

This update fixes the build of this package, which was preventing security updates of perl to be tested.

ELA-1223-1 xorg-server security update

Thu, 31 Oct 2024 19:53:25 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u17 (jessie), 2:1.19.2-1+deb9u20 (stretch), 2:1.20.4-1+deb10u15 (buster)

Related CVEs : CVE-2024-9632

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative found an issue in the X server and Xwayland implementations published by X.Org. CVE-2024-9632 can be triggered by providing a modified bitmap to the X.Org server. This may lead to local privilege escalation if the server is run as root or remote code execution (e.g. x11 over ssh).

ELA-1222-1 ffmpeg security update

Thu, 31 Oct 2024 19:52:19 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u5 (stretch), 7:4.1.11-0+deb10u2 (buster)

Multiple vulnerabilities have been fixed in the FFmpeg multimedia framework.

CVE-2020-20898 (buster)

avfilter/vf_convolution integer overflow

CVE-2020-22040

avfilter/f_reverse memory leaks

CVE-2020-22051 (buster)

avfilter/vf_tile memory leak

CVE-2020-22056 (buster)

avfilter/af_acrossover memory leak

CVE-2021-38090 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38091 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38092 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38093 (buster)

avfilter/vf_convolution integer overflow

CVE-2021-38094 (buster)

avfilter/vf_convolution integer overflow

CVE-2022-48434 (buster)

lavc/pthread_frame hwaccel use-after-free

CVE-2023-49502

avfilter/bwdif buffer overflow

CVE-2023-50010 (buster)

avfilter/vf_gradfun buffer overflow

CVE-2023-51793 (buster)

avfilter/vf_weave buffer overflow

CVE-2023-51794 (buster)

avfilter/af_stereowiden buffer overflow

CVE-2023-51798 (buster)

avfilter/vf_minterpolate floating point exception

CVE-2024-31578 (buster)

avutil/hwcontext use-after-free

CVE-2024-32230

avcodec/mpegvideo_enc buffer overflow

ELA-1221-1 mariadb-10.1 security update

Wed, 30 Oct 2024 17:38:19 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u5 (stretch)

Several vulnerabilities have been fixed in MariaDB, a popular database server.

CVE-2022-31621

In extra/mariabackup/ds_xbstream.cc, when an error occurs
(stream_ctxt->dest_file == NULL) while executing the method xbstream_open,
the held lock is not released correctly, which allows local users
to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-31623

In extra/mariabackup/ds_compress.cc, when an error occurs
(i.e., going to the err label) while executing the method
create_worker_threads, the held lock thd->ctrl_mutex is not released
correctly, which allows local users to trigger a Denial of Service (DoS)
due to the deadlock.

CVE-2022-31624

While executing the plugin/server_audit/server_audit.c method log_statement_ex,
the held lock lock_bigbuffer is not released correctly, which allows local
users to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-47015

It is possible for function spider_db_mbase::print_warnings to dereference
a null pointer, thus triggering a Denial of Service (DoS).

CVE-2024-21096

A difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where MariaDB Server
executes to compromise MariaDB Server.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
MariaDB Server accessible data as well as unauthorized
read access to a subset of MariaDB Server accessible
data and unauthorized ability to cause a partial
denial of service (partial DoS)

Note that fixes related to CVE-2024-21096 may break forwards and backwards compatibility in certain situations when doing logical backup and restore with plain SQL files (e.g. when using mariadb-dump or mysqldump).

The MariaDB client now has the command-line option --sandbox and the MariaDB client database prompt command \-. This enables sandbox mode for the rest of the session, until disconnected. Once in sandbox mode, any command that could do something on the shell is disabled.

Additionally mysqldump now adds the following command inside a comment at the very top of the logical SQL file to trigger sandbox mode:

/*M!999999\- enable the sandbox mode */

Newer version of MariaDB clients strip away the backslash and dash (-), and then tries to execute the internal command with a dash.

Older versions of MariaDB client and all versions of MySQL client considers this a comment, and will ignore it. There may however be situations where importing logical SQL dump files may fail due to this, so users should be advised.

Users are best protected from both security issues and interoperability issues by using the latest mariadb-dump shipped in MariaDB 11.4.3, 10.11.9, 10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in 11.4.2, but the latest batch of MariaDB minor maintenance releases include further improvements on the sandbox mode. For buster ELTS this CVE was fixed in verson 1:10.3.39-0+deb10u3.

Note that the mariadb-dump can be used to make the logical backups from both MariaDB and MySQL servers. Also the mariadb client program can connect to both MariaDB and MySQL servers and import those SQL dump files.

ELA-1220-1 shadow security update

Mon, 28 Oct 2024 23:29:35 +0200

Package : shadow

Version : 1:4.4-4.1+deb9u2 (stretch), 1:4.5-1.1+deb10u1 (buster)

Multiple vulnerabilities have been fixed in shadow, commonly used utilities to change and administer password and group data.

CVE-2018-7169

unprivileged user can drop supplementary groups

CVE-2023-4641

gpasswd password leak

CVE-2023-29383

chfn missing control character check

ELA-1219-1 linux-5.10 security update

Mon, 28 Oct 2024 12:04:14 +0100

Package : linux-5.10

Version : 5.10.226-1~deb8u1 (jessie), 5.10.226-1~deb9u1 (stretch), 5.10.226-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For Debian 10 buster, the corresponding linux-signed packages have also been updated using the Freexian CA certificate. Note that in order to boot the updated kernels using Secure Boot, the updated shim-signed packages (which ship the Freexian CA) need to be installed. For more information see the shim announcement.

ELA-1218-1 asterisk security update

Sun, 27 Oct 2024 19:03:39 +0100

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u10 (stretch)

Related CVEs : CVE-2024-42365

One issue has been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365

Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about ths can be found at: https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html

Please be aware that this fix explicitly sets the gid of the asterisk process to “asterisk”. In case you added the user asterisk to other groups, please update your systemd service file accordingly. ~

ELA-1217-1 asterisk security update

Sun, 27 Oct 2024 18:41:30 +0100

Package : asterisk

Version : 1:16.28.0~dfsg-0+deb10u5 (buster)

Related CVEs : CVE-2024-42365 CVE-2024-42491

Two issues have been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365

Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

CVE-2024-42491

Due to bad handling of malformed Contact or Record-Route URI in an
incoming  SIP request, Asterisk might crash when res_resolver_unbound
is used.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about ths can be found at: https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html

ELA-1216-1 graphicsmagick security update

Sun, 27 Oct 2024 14:49:53 +0100

Package : graphicsmagick

Version : 1.3.20-3+deb8u14 (jessie)

Related CVEs : CVE-2020-21679

It was discovered that a buffer overflow in GraphicsMagick, a collection of image processing tools, could result in denial of service or potentially in the execution of arbitrary code when converting crafted images to the PCX format.

ELA-1215-1 python-cryptography security update

Sat, 26 Oct 2024 23:02:59 +0300

Package : python-cryptography

Version : 2.6.1-3+deb10u5 (buster)

Related CVEs : CVE-2020-25659

Mitigation for Bleichenbacher attacks on RSA decryption has been added in python-cryptography, a Python library for cryptographic algorithms.

ELA-1214-1 distro-info-data database update

Fri, 25 Oct 2024 09:49:27 -0700

Package : distro-info-data

Version : 0.36~bpo8+6 (jessie), 0.41+deb10u2~bpo9+6 (stretch), 0.41+deb10u10 (buster)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds Ubuntu 25.04.

ELA-1213-1 shim new certificates

Thu, 24 Oct 2024 14:10:36 +0200

Package : shim

Version : 15.8-1~deb10u2 (buster)

In order to support Secure Boot in buster ELTS, the shim needs to have the Freexian public certificate used to sign Linux kernels and other packages. This update adds that certificate to the shim alongside the Debian public CA, which allows to boot both old (signed by Debian) and new (signed by Freexian) packages.

The respective shim-signed package has also been updated to reflect this change.

In order to be able to boot future kernel security updates on setups where Secure Boot is enabled, these shim packages need to be upgraded, otherwise the old versions will not be able to verify the new signatures and the bootloader will refuse to load those kernel versions.

ELA-1212-1 samba security update

Wed, 23 Oct 2024 12:29:57 -0300

Package : samba

Version : 2:4.2.14+dfsg-0+deb8u16 (jessie)

Several vulnerabilities were discovered in Samba, SMB/CIFS file, print, and login server for Unix.

CVE-2016-2124

A flaw was found in the way samba implemented SMB1 authentication. An
attacker could use this flaw to retrieve the plaintext password sent over
the wire even if Kerberos authentication was required.

CVE-2021-44142

Orange Tsai reported an out-of-bounds heap write vulnerability in
the VFS module vfs_fruit, which could result in remote execution of
arbitrary code as root.

CVE-2022-2127

Out-of-bounds read in winbind AUTH_CRAP.

CVE-2022-3437

Heimdal des/des3 heap-based buffer overflow.

CVE-2022-32742

Server memory information leak via SMB1.

CVE-2023-4091

Client can truncate files even with read-only permissions.

ELA-1211-1 libheif security update

Tue, 22 Oct 2024 16:05:48 -0700

Package : libheif

Version : 1.3.2-2+deb10u2 (buster)

Related CVEs : CVE-2024-41311

It was discovered that there was a potential out-of-bounds read vulnerability in libheif, a decoder and encoder for the HEIF and AVIF image formats.

Insufficient checks in ImageOverlay::parse() could have been exploited by an overlay image with forged offsets which could in turn have led to undefined behaviour.

ELA-1210-1 openjdk-11 security update

Tue, 22 Oct 2024 17:19:50 +0200

Package : openjdk-11

Version : 11.0.25+9-1~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.

ELA-1209-1 libsepol security update

Tue, 22 Oct 2024 14:01:17 +0800

Package : libsepol

Version : 2.6-2+deb9u1 (stretch), 2.8-1+deb10u1 (buster)

Multiple vulnerabilities were discovered in libsepol, a set of userspace utilities and libraries for manipulating SELinux policies.

CVE-2021-36084, CVE-2021-36085, CVE-2021-36086

Three use-after-free problems were discovered in the CIL compiler. These could lead to data corruption, denial of service or possibly arbitrary code execution.

CVE-2021-36087

A heap-based buffer over-read was discovered in the CIL compiler. This could lead to confidentiality or integrity violations, or crashes.

ELA-1208-1 php5 security update

Sun, 20 Oct 2024 20:30:02 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u21 (jessie)

Related CVEs : CVE-2024-8925 CVE-2024-8927

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in erroneous parsing of multipart/form-data or bypass of the cgi.force_direct directive.

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of multipart form data contained in an HTTP POST request, which could lead to legitimate data not being processed thereby violating data integrity.
CVE-2024-8927: It was discovered that the cgi.force_redirect configuration setting is bypassable due to environment variable collision.

ELA-1207-1 php7.0 security update

Sun, 20 Oct 2024 20:30:01 +0200

Package : php7.0

Version : 7.0.33-0+deb9u19 (stretch)

Related CVEs : CVE-2024-8925 CVE-2024-8927

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of multipart form data contained in an HTTP POST request, which could lead to legitimate data not being processed thereby violating data integrity.
CVE-2024-8927: It was discovered that the cgi.force_redirect configuration setting is bypassable due to environment variable collision.

ELA-1206-1 php7.3 security update

Sun, 20 Oct 2024 20:30:00 +0200

Package : php7.3

Version : 7.3.31-1~deb10u8 (buster)

Related CVEs : CVE-2024-8925 CVE-2024-8927

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of multipart form data contained in an HTTP POST request, which could lead to legitimate data not being processed thereby violating data integrity.
CVE-2024-8927: It was discovered that the cgi.force_redirect configuration setting is bypassable due to environment variable collision.

ELA-1205-1 libreoffice security update

Sat, 19 Oct 2024 14:25:54 +0000

Package : libreoffice

Version : 1:6.1.5-3+deb9u5 (stretch), 1:6.1.5-3+deb10u14 (buster)

Related CVEs : CVE-2024-7788

A vulnerability was found in libreoffice a popular office productivity suite.

CVE-2024-7788:

Various file formats are based on the zip file format. In cases of corruption of the underlying zip's central directory, LibreOffice offers a "repair mode" which will attempt to recover the zip file structure by scanning for secondary local file headers in the zip to reconstruct the document.

Prior to this fix, in the case of digitally signed zip files, an attacker could construct a document which, when repaired, reported a signature status not valid for the recovered file.

Previously if verification failed the user could choose to ignore the failure and enable the macros anyway.

Repair document mode has to be inherently tolerant, so now in fixed versions all signatures are implied to be invalid in recovery mode.

ELA-1204-1 libapache-mod-jk security update

Mon, 14 Oct 2024 12:09:28 -0700

Package : libapache-mod-jk

Version : 1:1.2.46-0+deb8u3 (jessie), 1:1.2.46-1+deb10u3 (buster)

Related CVEs : CVE-2024-46544

It was discovered that there was an insecure configuration issue in libapache-mod-jk, an Apache web server module used to forward requests from Apache to Tomcat using the AJP protocol.

An issue with incorrect default permissions could have allowed local users to view and modify shared memory containing mod_jk’s configuration, which may have potentially led to information disclosure and/or a denial of service attack.

ELA-1203-1 samba security update

Sat, 12 Oct 2024 09:43:32 -0300

Package : samba

Version : 2:4.5.16+dfsg-1+deb9u5 (stretch)

Several vulnerabilities were discovered in Samba, SMB/CIFS file, print, and login server for Unix.

CVE-2016-2124

A flaw was found in the way samba implemented SMB1 authentication. An
attacker could use this flaw to retrieve the plaintext password sent over
the wire even if Kerberos authentication was required.

CVE-2020-25717

Andrew Bartlett reported that Samba may map domain users to local
users in an undesired way, allowing for privilege escalation. The
update introduces a new parameter "min domain uid" (default to 1000)
to not accept a UNIX uid below this value.

CVE-2021-44142

Orange Tsai reported an out-of-bounds heap write vulnerability in
the VFS module vfs_fruit, which could result in remote execution of
arbitrary code as root.

CVE-2022-2127

Out-of-bounds read in winbind AUTH_CRAP.

CVE-2022-3437

Heimdal des/des3 heap-based buffer overflow.

CVE-2022-32742

Server memory information leak via SMB1.

CVE-2023-4091

Client can truncate files even with read-only permissions.

ELA-1202-1 gtk+2.0 security update

Mon, 07 Oct 2024 14:00:53 +0300

Package : gtk+2.0

Version : 2.24.25-3+deb8u3 (jessie), 2.24.31-2+deb9u1 (stretch), 2.24.32-3+deb10u1 (buster)

Related CVEs : CVE-2024-6655

Modules were also searched in the current working directory in the GNOME toolkit gtk+2.0, allowing library injection.

ELA-1201-1 gtk+3.0 security update

Mon, 07 Oct 2024 13:58:29 +0300

Package : gtk+3.0

Version : 3.14.5-1+deb8u2 (jessie), 3.22.11-1+deb9u1 (stretch), 3.24.5-1+deb10u1 (buster)

Related CVEs : CVE-2024-6655

Modules were also searched in the current working directory in the GNOME toolkit gtk+3.0, allowing library injection.

ELA-1200-1 libgsf security update

Mon, 07 Oct 2024 01:04:31 +0300

Package : libgsf

Version : 1.14.41-1+deb9u1 (stretch), 1.14.45-1+deb10u1 (buster)

Related CVEs : CVE-2024-36474 CVE-2024-42415

Integer overflows have been fixed in libgsf, the GNOME Project G Structured File Library.

CVE-2024-36474

directory integer overflow

CVE-2024-42415

sector allocation table integer overflow

ELA-1199-1 cups security update

Sun, 06 Oct 2024 19:37:30 +0200

Package : cups

Version : 2.2.1-8+deb9u12 (stretch)

Related CVEs : CVE-2024-35235 CVE-2024-47175

Two issues have been found in cups, the Common UNIX Printing System(tm). This update introduces stronger validations of input data from external printers.

Please be aware that now bugs in the firmware of the printer might be detected. In case of problems, that should appear in the error.log, please update this firmware first.

The other issue is related to domain socket handling, where files might be overwritten.

ELA-1198-1 cups security update

Sun, 06 Oct 2024 18:30:58 +0200

Package : cups

Version : 2.2.10-6+deb10u11 (buster)

Related CVEs : CVE-2024-47175

An issue has been found in cups, the Common UNIX Printing System(tm). This update introduces stronger validations of input data from external printers.

Please be aware that now bugs in the firmware of the printer might be detected. In case of problems, that should appear in the error.log, please update this firmware first.

This ELA also contains an update of CVE-2024-35235, where problems could arise when only domain sockets are used to send data to the printer.

ELA-1197-1 ntfs-3g security update

Fri, 04 Oct 2024 23:29:03 +0300

Package : ntfs-3g

Version : 1:2016.2.22AR.1+dfsg-1+deb9u5 (stretch), 1:2017.3.23AR.3-4+deb11u4~deb10u1 (buster)

Related CVEs : CVE-2023-52890

Use-after-free in ntfs_uppercase_mbs() has been fixed in ntfs-3g, a read/write driver for the NTFS filesystem.

ELA-1196-1 e2fsprogs security update

Fri, 04 Oct 2024 17:25:40 +0300

Package : e2fsprogs

Version : 1.42.12-2+deb8u3 (jessie), 1.43.4-2+deb9u3 (stretch), 1.44.5-1+deb10u4 (buster)

Related CVEs : CVE-2022-1304

An out-of-bounds read/write vulnerability has been fixed in the e2fsck tool of the ext2/ext3/ext4 file system utilities e2fsprogs.

ELA-1195-1 libxml2 security update

Thu, 03 Oct 2024 23:48:50 +0300

Package : libxml2

Version : 2.9.4+dfsg1-7+deb10u8 (buster)

Related CVEs : CVE-2016-9318

An XML External Entity (XXE) attack via crafted documents has been fixed in the XML library libxml2.

ELA-1194-1 vlc security update

Thu, 03 Oct 2024 23:27:44 +0300

Package : vlc

Version : 3.0.21-0+deb9u1 (stretch), 3.0.21-0+deb10u1 (buster)

Related CVEs : CVE-2024-46461

A buffer overflow with MMS streams has been fixed by upgrading the VLC media player to the latest upstream version.

ELA-1192-1 mariadb-10.3 security update

Thu, 03 Oct 2024 19:51:28 +0000

Package : mariadb-10.3

Version : 1:10.3.39-0+deb10u3 (buster)

Related CVEs : CVE-2024-21096

Several vulnerabilities have been fixed in MariaDB, a popular database server.

CVE-2024-21096

A difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where MariaDB Server
executes to compromise MariaDB Server.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
MariaDB Server accessible data as well as unauthorized
read access to a subset of MariaDB Server accessible
data and unauthorized ability to cause a partial
denial of service (partial DoS)

Additionally mysqldump now adds the following command inside a comment at the very top of the logical SQL file to trigger sandbox mode:

/*M!999999\- enable the sandbox mode */

Newer version of MariaDB clients strip away the backslash and dash (-), and then tries to execute the internal command with a dash.

ELA-1193-1 zabbix security update

Thu, 03 Oct 2024 19:42:05 +0200

Package : zabbix

Version : 2.2.23+dfsg-0+deb8u8 (jessie), 1:3.0.32+dfsg-0+deb9u7 (stretch)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution.

CVE-2024-22114

A user with no permission to any of the Hosts can access and view host
count & other statistics through System Information Widget in Global
View Dashboard.

CVE-2024-22116

An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. The lack of
default escaping for script parameters enabled this user ability to
execute arbitrary code via the Ping script, thereby compromising
infrastructure.

CVE-2024-22119

Stored XSS in graph items select form

CVE-2024-22122

Zabbix allows to configure SMS notifications. AT command injection
occurs on "Zabbix Server" because there is no validation of "Number"
field on Web nor on Zabbix server side. Attacker can run test of SMS
providing specially crafted phone number and execute additional AT
commands on the modem.

CVE-2024-22123

Setting SMS media allows to set GSM modem file. Later this file is used
as Linux device. But due everything is a file for Linux, it is possible
to set another file, e.g. log file and zabbix_server will try to
communicate with it as modem. As a result, log file will be broken with
AT commands and small part for log file content will be leaked to UI.

ELA-1191-1 sqlite3 security update

Mon, 30 Sep 2024 23:57:48 +0300

Package : sqlite3

Version : 3.27.2-3+deb10u3 (buster)

Multiple vulnerabilities have been fixed in the SQLite database.

CVE-2019-19244

Mishandling of sub-select that uses both DISTINCT and window functions, and also has certain ORDER BY usage

CVE-2021-36690

Expert extension segfault

CVE-2023-7104

Session extension buffer overread

ELA-1190-1 expat security update

Mon, 30 Sep 2024 13:51:14 +0200

Package : expat

Version : 2.1.0-6+deb8u12 (jessie), 2.2.0-2+deb9u9 (stretch), 2.2.6-2+deb10u8 (buster)

Multiple vulnerabilities were found in expat, an XML parsing C library, which could lead to Denial of Service, memory corruption or arbitrary code execution.

CVE-2024-45490: TaiYou discovered that xmlparse.c does not reject a negative length for XML_ParseBuffer(), which may cause memory corruption or code execution.
CVE-2024-45491: TaiYou discovered that xmlparse.c has an integer overflow for nDefaultAtts on 32-bit platforms, which may cause denial of service or code execution.
CVE-2024-45492: TaiYou discovered that xmlparse.c has an integer overflow for m_groupSize on 32-bit platforms, which may cause denial of service or code execution.

ELA-1189-1 mariadb-10.1 security update

Mon, 30 Sep 2024 10:30:30 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u4 (stretch)

Several vulnerabilities have been fixed in MariaDB, a popular database server.

CVE-2022-21427

An easily exploitable vulnerability allowed high
privileged attacker with network access via multiple protocols
to compromise MariaDB Server. Successful attacks of this vulnerability
can result in unauthorized ability to cause a hang
or frequently repeatable crash (complete DOS). Certain UTF8 combining
marks cause MariaDB to crash when doing Full-Text searches.

CVE-2022-24048, CVE-2022-24051, CVE-2022-24052

MariaDB CONNECT Storage Engine Stack-based Buffer
Overflow Privilege Escalation Vulnerability. This vulnerability allows
local attackers to escalate privileges on affected installations
of MariaDB. Authentication is required to exploit this vulnerability.
The specific flaw exists within the processing of SQL queries.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a fixed-length stack-based
buffer. An attacker can leverage this vulnerability to escalate
privileges and execute arbitrary code in the context of the
service account. Concerned Storage Engines are JSON, XML and MYSQL.

CVE-2022-24050

MariaDB CONNECT Storage Engine use-after-free
privilege escalation vulnerability. This vulnerability allows local
attackers to escalate privileges on affected installations of MariaDB.
Authentication is required to exploit this vulnerability.
The specific flaw exists within the processing of SQL queries.
The issue results from the lack of validating the existence of an object
prior to performing operations on the object.
An attacker can leverage this vulnerability to escalate privileges and
execute arbitrary code in the context of the service account.

CVE-2022-27380

An issue in the component my_decimal::operator=
of MariaDB Server was discovered that makes it possible for attackers to cause
a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27383

An use-after-free was found in the component
my_strcasecmp_8bit, which may be exploited via specially crafted
SQL statements.

CVE-2022-27384, CVE-2022-32083

An issue in the component
Item_subselect::init_expr_cache_tracker allows attackers to cause
a Denial of Service (DoS) via specially crafted SQL statements.

CVE-2022-27387

A global buffer overflow in the component
decimal_bin_size was found, which is exploited via specially
crafted SQL statements.

CVE-2022-27448

An issue was found in multi-update and implicit
grouping handling, which is exploited via specially
crafted SQL statements.  An attacker can leverage
this vulnerability to cause a Denial of Service (DoS)

CVE-2022-31622

Incorrect handling of errors while executing the
method create_worker_threads could lead to a Denial of Service (DoS).

ELA-1188-1 wireshark security update

Mon, 30 Sep 2024 10:42:32 +0300

Package : wireshark

Version : 2.6.20-0+deb10u9~deb9u1 (stretch), 2.6.20-0+deb10u9 (buster)

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.

CVE-2023-0667

MSMMS dissector buffer overflow

CVE-2023-3649

iSCSI dissector crash

CVE-2023-4512

CBOR dissector crash

CVE-2024-0211

DOCSIS dissector crash

CVE-2024-2955

T.38 dissector crash

CVE-2024-4853

Editcap byte chopping crash

CVE-2024-4854

MONGO dissector infinite loop

CVE-2024-8250

NTLMSSP dissector crash

CVE-2024-8645

SPRT dissector crash

ELA-1187-1 cups-filters security update

Sun, 29 Sep 2024 23:47:39 +0200

Package : cups-filters

Version : 1.0.61-5+deb8u5 (jessie)

Related CVEs : CVE-2024-47176

Simone Margaritelli an issue in cups-filters. Multiple bugs in the cups-browsed component can result in the execution of arbitrary commands without authentication when a print job is started.

(Jessie is only affected by CVE-2024-47176; the code for CVE-2024-47076 is not available)

ELA-1186-1 cups-filters security update

Sun, 29 Sep 2024 23:44:59 +0200

Package : cups-filters

Version : 1.11.6-3+deb9u3 (stretch), 1.21.6-5+deb10u2 (buster)

Related CVEs : CVE-2024-47076 CVE-2024-47176

Simone Margaritelli reported several vulnerabilities in cups-filters. Missing validation of IPP attributes returned from an IPP server and multiple bugs in the cups-browsed component can result in the execution of arbitrary commands without authentication when a print job is started.

ELA-1185-1 iproute2 security update

Sat, 28 Sep 2024 04:30:43 +0300

Package : iproute2

Version : 4.20.0-2+deb10u2 (buster)

Related CVEs : CVE-2019-20795

Use-after-free in get_netnsid_from_name() has been fixed in iproute2, a collection of utilities for controlling TCP/IP networking and traffic control.

ELA-1184-1 zeromq3 security update

Sat, 28 Sep 2024 02:49:36 +0300

Package : zeromq3

Version : 4.3.1-4+deb10u3 (buster)

Multiple vulnerabilities have been fixed in the messaging library ZeroMQ.

CVE-2021-20234

Memory leak in client induced by malicious server(s)

CVE-2021-20235

Heap overflow when receiving malformed ZMTP v1 packets

CVE-2021-20237

Memory leak in PUB server induced by malicious client(s)

ELA-1183-1 apache2 security update

Fri, 27 Sep 2024 19:58:15 +0000

Package : apache2

Version : 2.4.10-10+deb8u29 (jessie), 2.4.25-3+deb9u19 (stretch)

Related CVEs : CVE-2024-38474 CVE-2024-38475

Apache2, a popular webserver, was vulnerable.

CVE-2024-38474

Substitution encoding issue in mod_rewrite in Apache HTTP Server
allowed and attacker to execute scripts in directories permitted
by the configuration but not directly reachable by any URL or
source disclosure of scripts meant to only to be executed as CGI.
Some RewriteRules that capture and substitute unsafely will
now fail unless rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38475

Improper escaping of output in mod_rewrite allowed an attacker
to map URLs to filesystem locations that are permitted
to be served by the server but are not intentionally/directly
reachable by any URL, resulting in code execution
or source code disclosure.
Substitutions in server context that use a backreferences
or variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change
and the rewrite flag "UnsafePrefixStat" can be used
to opt back in once ensuring the substitution is
appropriately constrained.

ELA-1182-1 apache2 security update

Tue, 24 Sep 2024 21:48:30 +0000

Package : apache2

Version : 2.4.59-1~deb10u3 (buster)

Related CVEs : CVE-2024-38474 CVE-2024-38475

Apache2, a popular webserver, was vulnerable.

CVE-2024-38474

Substitution encoding issue in mod_rewrite in Apache HTTP Server
allowed and attacker to execute scripts in directories permitted
by the configuration but not directly reachable by any URL or
source disclosure of scripts meant to only to be executed as CGI.
Some RewriteRules that capture and substitute unsafely will
now fail unless rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38475

Improper escaping of output in mod_rewrite allowed an attacker
to map URLs to filesystem locations that are permitted
to be served by the server but are not intentionally/directly
reachable by any URL, resulting in code execution
or source code disclosure.
Substitutions in server context that use a backreferences
or variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change
and the rewrite flag "UnsafePrefixStat" can be used
to opt back in once ensuring the substitution is
appropriately constrained.

ELA-1181-1 libreoffice security update

Tue, 17 Sep 2024 10:21:15 +0000

Package : libreoffice

Version : 1:6.1.5-3+deb9u4 (stretch), 1:6.1.5-3+deb10u13 (buster)

Related CVEs : CVE-2024-6472

libreoffice a popular office productivity software suite, was vulnerable.

Certificate Validation user interface in LibreOffice allowed a potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened a warning is displayed by LibreOffice before the macro is executed.

Previously, if verification failed the user could fail to understand the failure and may choose to enable the macros anyway.

ELA-1180-1 libpam-tacplus security update

Sun, 15 Sep 2024 23:39:19 +0300

Package : libpam-tacplus

Version : 1.3.8-2+deb10u2 (buster)

Related CVEs : CVE-2016-20014

Missing zeroing of a structure has been fixed in libpam-tacplus, a PAM module for using TACACS+ as an authentication service.

ELA-1179-1 firmware-nonfree security update

Sat, 14 Sep 2024 09:34:31 +0200

Package : firmware-nonfree

Version : 20190114+really20220913-0+deb8u3 (jessie), 20190114+really20220913-0+deb9u3 (stretch), 20190114+really20220913-0+deb10u3 (buster)

Intel® has released two advisories about potential security vulnerabilities in some Intel® PROSet/Wireless WiFi, Bluetooth® and Killer™ WiFi products may allow information disclosurre or denial of service. The full advisories are available at [1] and [2].

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html [2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html

This updated firmware-nonfree package includes the following firmware files:

  intel/ibt-0041-0041.sfi
  intel/ibt-17-16-1.sfi
  intel/ibt-17-2.sfi
  intel/ibt-18-16-1.sfi
  intel/ibt-18-2.sfi
  intel/ibt-19-0-0.sfi
  intel/ibt-19-0-1.sfi
  intel/ibt-19-0-4.sfi
  intel/ibt-19-16-4.sfi
  intel/ibt-19-240-1.sfi
  intel/ibt-19-240-4.sfi
  intel/ibt-19-32-0.sfi
  intel/ibt-19-32-1.sfi
  intel/ibt-19-32-4.sfi
  intel/ibt-20-0-3.sfi
  intel/ibt-20-1-3.sfi
  intel/ibt-20-1-4.sfi
  iwlwifi-Qu-b0-hr-b0-77.ucode
  iwlwifi-Qu-b0-jf-b0-77.ucode
  iwlwifi-Qu-c0-hr-b0-77.ucode
  iwlwifi-Qu-c0-jf-b0-77.ucode
  iwlwifi-QuZ-a0-hr-b0-77.ucode
  iwlwifi-QuZ-a0-jf-b0-77.ucode
  iwlwifi-cc-a0-77.ucode
  iwlwifi-so-a0-gf-a0-84.ucode
  iwlwifi-so-a0-gf-a0-86.ucode
  iwlwifi-so-a0-gf-a0.pnvm
  iwlwifi-so-a0-gf4-a0-84.ucode
  iwlwifi-so-a0-gf4-a0-86.ucode
  iwlwifi-so-a0-gf4-a0.pnvm
  iwlwifi-so-a0-hr-b0-83.ucode
  iwlwifi-so-a0-hr-b0-84.ucode
  iwlwifi-so-a0-hr-b0-86.ucode
  iwlwifi-ty-a0-gf-a0-84.ucode
  iwlwifi-ty-a0-gf-a0-86.ucode
  iwlwifi-ty-a0-gf-a0.pnvm

The updated firmware files might need updated kernel to work and as old firmware versions might loaded on older kernels, it is encouraged to verify whether the kernel loaded the updated firmware file and take additional measures if needed.

CVE-2023-35061

Improper initialization for some Intel® PROSet/Wireless and Intel® Killer™ Wi-Fi software before version 22.240 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

CVE-2023-38417

Improper input validation for some Intel® PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVE-2023-47210

Improper input validation for some Intel® PROSet/Wireless WiFi software for linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

ELA-1178-1 hsqldb1.8.0 security update

Sat, 07 Sep 2024 18:45:14 +0300

Package : hsqldb1.8.0

Version : 1.8.0.10+dfsg-3+deb8u1 (jessie)

Related CVEs : CVE-2023-1183

Arbitrary file write with a SCRIPT command was fixed in the Java database engine hsqldb1.8.0.

ELA-1177-1 bluez security update

Sat, 07 Sep 2024 17:07:49 +0300

Package : bluez

Version : 5.43-2+deb9u8 (stretch), 5.50-1.2~deb10u6 (buster)

Multiple vulnerabilities have been fixed in bluez, a library, tools and daemons for using Bluetooth devices.

CVE-2023-27349 (stretch)

AVRCP crash while handling unsupported events

CVE-2023-50229

Phone Book Access profile Heap-based Buffer Overflow

CVE-2023-50230

Phone Book Access profile Heap-based Buffer Overflow

ELA-1176-1 libxml2 security update

Sat, 07 Sep 2024 15:51:27 +0300

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u16 (jessie), 2.9.4+dfsg1-2.2+deb9u11 (stretch), 2.9.4+dfsg1-7+deb10u7 (buster)

Related CVEs : CVE-2016-3709 CVE-2022-2309

Two vulnerabilities have been fixed in the XML library libxml2.

CVE-2016-3709 (buster)

HTML 4 parser cross-site scripting

CVE-2022-2309

Parser NULL pointer dereference

ELA-1175-1 dovecot security update

Sat, 07 Sep 2024 02:57:04 +0200

Package : dovecot

Version : 1:2.2.27-3+deb9u8 (stretch), 1:2.3.4.1-5+deb10u8 (buster)

Related CVEs : CVE-2024-23185

A Denial of Service (DoS) vulnerability was discovered in the IMAP implementation of the Dovecot mail server: Very large headers could cause resource exhaustion when parsing message.

ELA-1174-1 postgresql-9.4 security update

Wed, 04 Sep 2024 15:42:21 -0400

Package : postgresql-9.4

Version : 9.4.26-0+deb8u10 (jessie)

Related CVEs : CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in PostgreSQL, which may result in privilege escalation.

ELA-1173-1 postgresql-9.6 security update

Wed, 04 Sep 2024 15:42:10 -0400

Package : postgresql-9.6

Version : 9.6.24-0+deb9u7 (stretch)

Related CVEs : CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in PostgreSQL, which may result in privilege escalation.

ELA-1172-1 postgresql-11 security update

Wed, 04 Sep 2024 15:42:00 -0400

Package : postgresql-11

Version : 11.22-0+deb10u3 (buster)

Related CVEs : CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in PostgreSQL, which may result in privilege escalation.

ELA-1171-1 mariadb-10.1 security update

Sun, 01 Sep 2024 14:33:28 +0000

Package : mariadb-10.1

Version : 10.1.48-0+deb9u3 (stretch)

Multiple vulnerabilities were fixed in MariaDB, a popular database server.

CVE-2021-2154

An easily exploitable vulnerability related to the UDF_INIT()
function, used by MariaDB allows
high privileged attacker with network access via multiple
protocols to compromise MariaDB Server.
Successful attacks of this vulnerability can result
in unauthorized ability to cause the server to hang or frequently
repeatable crashes.

CVE-2021-2166

MySQL's SET plug-in variables wrongly locked making it possible for
high privileged attackers with network access to compromise the MariaDB
server, potentially causing Denial-of-Service (DoS).

CVE-2021-2194

Incorrect handling of filters related to full-text search could be used by
remote attackers to cause MariaDB Server to crash.

CVE-2021-2389

Incorrect handling of SELECT and UPDATE queries on tables with full-text
indices may cause out-of-memory errors.

CVE-2021-46657

get_sort_by_table in MariaDB could be used to cause an
application crash via certain subquery uses of ORDER BY.

CVE-2021-46661

Incorrect handling of find functions in tables and lists makes it possible
to cause a DoS.

CVE-2021-46663

Incorrect handling of certain SELECT statements made it possible to crash
the MariaDB server by the use of ha_maria::extra application.

CVE-2021-46664

MariaDB crash in sub_select_postjoin_aggr for a NULL value of aggr.

CVE-2021-46665

Incorrect handling of used_tables makes it possible to cause MariaDB to crash.

CVE-2021-46666

Mishandling of HAVING and WHERE clauses allows attacker to produce a DoS.

CVE-2021-46667

Integer overflow in sql_lex.cc may yield to an application crash.

CVE-2021-46668

MariaDB crash via certain long
SELECT DISTINCT statements that improperly interact with
storage-engine resource limitations for temporary data structures.

CVE-2021-46669

convert_const_to_int use-after-free when the BIGINT data type is used.

ELA-1170-1 roundcube security update

Fri, 30 Aug 2024 18:38:05 +0200

Package : roundcube

Version : 1.3.17+dfsg.1-1~deb10u7 (buster)

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which could lead to privilege escalation, information disclosure or denial of service.

CVE-2024-42008: Oskar Zeino-Mahmalat discovered that Roundcube allows XSS in serving of attachments other than HTML or SVG.
CVE-2024-42009: Oskar Zeino-Mahmalat discovered that Roundcube allows XSS in post-processing of sanitized HTML content.
CVE-2024-42010: Oskar Zeino-Mahmalat discovered an information leak (access to remote content) due to insufficient CSS filtering.

ELA-1169-1 intel-microcode security update

Thu, 29 Aug 2024 03:11:50 +0200

Package : intel-microcode

Version : 3.20240813.1~deb8u1 (jessie), 3.20240813.1~deb9u1 (stretch), 3.20240813.1~deb10u1 (buster)

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for vulnerabilities that may allow a privileged user to potentially enable escalation of privilege, partial information disclosure, or denial of service via local access.

ELA-1168-1 bind9 security update

Wed, 28 Aug 2024 17:28:37 +0200

Package : bind9

Version : 1:9.11.5.P4+dfsg-5.1+deb10u13 (buster)

Related CVEs : CVE-2023-4408 CVE-2024-1737 CVE-2024-1975

Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

ELA-1167-1 libtommath security update

Wed, 28 Aug 2024 10:43:51 +0100

Package : libtommath

Version : 0.42.0-1.1+deb8u1 (jessie), 1.0-4+deb9u1 (stretch), buster (1.1.0-3+deb10u1)

Related CVEs : CVE-2023-36328

It was discovered that there was a series of integer overflow vulnerabilities in LibTomMath, a multiple-precision mathematics library.

This could have led attackers to execute arbitrary code and/or cause a denial of service (DoS).

ELA-1166-1 frr security update

Tue, 27 Aug 2024 23:45:36 +0200

Package : frr

Version : 7.5.1-1.1+deb10u3 (buster)

Related CVEs : CVE-2024-44070

An issue has been found in frr, a routing suite of internet protocols (BGP, OSPF, IS-IS, …) Before using the TLV value, due to a missing length check of the remaining stream, one could read behind the buffer.

ELA-1165-1 systemd security update

Tue, 27 Aug 2024 19:11:32 +0300

Package : systemd

Version : 232-25+deb9u17 (stretch), 241-7~deb10u11 (buster)

Multiple vulnerabilities have been fixed in systemd, the default init system in Debian, when using systemd-resolved with DNSSEC.

ELA-1164-1 python-django security update

Tue, 27 Aug 2024 15:41:47 +0100

Package : python-django

Version : 1:1.11.29-1+deb10u12 (buster)

(Release for buster only)

A number of vulnerabilities were discovered in Django, a popular Python-based web development framework:

CVE-2024-41989: The floatformat template filter was subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.
CVE-2024-41991: Fix an issue where the urlize and urlizetrunc template filters (as well as the AdminURLFieldWidget widget) were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
CVE-2024-42005: Fix an issue where the QuerySet.values() and values_list() methods on models with a JSONFields were subject to a SQL injection attack through column aliases via a crafted JSON object key.

ELA-1163-1 python-django security update

Tue, 27 Aug 2024 13:48:46 +0100

Package : python-django

Version : 1.7.11-1+deb8u17 (jessie), 1:1.10.7-2+deb9u23 (stretch)

Related CVEs : CVE-2024-41989

(Release for jessie and stretch only)

A Denial of Service (DoS) vulnerability was discovered in Django, a popular Python-based web development framework.

The floatformat template filter was subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent.

ELA-1162-1 suricata security update

Tue, 27 Aug 2024 12:17:40 +0300

Package : suricata

Version : 1:4.1.2-2+deb10u2 (buster)

Multiple vulnerabilities have been fixed in intrusion detection system (IDS) and intrusion prevention system (IPS) Suricata.

CVE-2019-10050

Buffer over-read in DecodeMPLS()

CVE-2019-10051

Incorrect SMB1 filename parsing

CVE-2019-10052

Incorrect DHCP parsing

CVE-2019-10053

Heap overflow in SSHParseBanner()

CVE-2019-10054

Integer overflow in NFS process_reply_record_v3()

CVE-2019-10055

Crash in ftp_pasv_response()

CVE-2019-10056

Crash in DecodeEthernet()

CVE-2019-15699

Memory overread in TLSDecodeHSHelloExtensions()

CVE-2019-16410

Memory overread in Defrag4Reassemble()

CVE-2019-16411

Overread in IPV4OptValidateTimestamp()

CVE-2019-18625

SYN_SENT RST/FIN injection

CVE-2019-18792

Reject broken TCP ACK packets

CVE-2019-1010279

TCP/HTTP detection bypass

CVE-2021-35063

TCP evasion

CVE-2021-37592

TCP evasion

CVE-2024-37151

id reuse can lead to invalid reassembly

ELA-1161-1 libvirt security update

Sun, 25 Aug 2024 14:20:42 +0200

Package : libvirt

Version : 1.2.9-9+deb8u8 (jessie), 3.0.0-4+deb9u6 (stretch)

Several issue have been found in libvirt, a library for interfacing with different virtualization systems. The issues are related to use-after-free, an off-by-one, a null pointer dereference and badly handled mutex, which could be used for a denial of service. The other issues are related to privilege escalation and breaking out of the sVirt confinement.

(strictly speaking CVE-2021-3975 only affects Stretch)

ELA-1160-1 tiff security update

Sat, 24 Aug 2024 00:59:15 +0200

Package : tiff

Version : 4.0.3-12.3+deb8u17 (jessie), 4.0.8-2+deb9u12 (stretch)

Related CVEs : CVE-2023-3576 CVE-2023-52356

Two issues have been found in tiff, a Tag Image File Format (TIFF) library with tools. Using crafted TIFF files an attacker would be able to cause a segmentation fault or a memory leak, which may result in an application crash and denial of service.

ELA-1159-1 apache2 security update

Fri, 23 Aug 2024 11:08:28 +0000

Package : apache2

Version : 2.4.25-3+deb9u18 (stretch), 2.4.59-1~deb10u2 (buster)

Multiple vulnerabilities were found on apache, a popular webserver.

CVE-2024-36387

Serving WebSocket protocol upgrades over a HTTP/2 connection could
result in a NULL Pointer dereference, leading to a crash of the
server process

CVE-2024-38476

Backend application whose reponse headers are malicious
rendered apache2 vulnerable to SSRF
(Server-side Request Forgery) and local script execution.

CVE-2024-38477

A NULL pointer dereference was found in
mod_proxy allowing an attacker to crash the server via
a malicious request.

CVE-2024-39573

A potential SSRF in mod_rewrite allowed an
attacker to cause unsafe RewriteRules to unexpectedly
setup URL's to be handled by mod_proxy.

CVE-2024-39884

A regression of CVE-2024-38476 in the core of Apache
HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

CVE-2024-40725

A partial fix for CVE-2024-38476 in the core of
Apache HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

Moreover a functionality bug was fixed in webdav list of well known browser by adding dolphin and Konqueror/5 browsers.

ELA-1158-1 apache2 security update

Thu, 22 Aug 2024 20:09:55 +0000

Package : apache2

Version : 2.4.10-10+deb8u28 (jessie)

Multiple vulnerabilities were found on apache, a popular webserver.

CVE-2024-38476

Backend application whose reponse headers are malicious
rendered apache2 vulnerable to SSRF
(Server-side Request Forgery) and local script execution.

CVE-2024-38477

A NULL pointer dereference was found in
mod_proxy allowing an attacker to crash the server via
a malicious request.

CVE-2024-39573

A potential SSRF in mod_rewrite allowed an
attacker to cause unsafe RewriteRules to unexpectedly
setup URL's to be handled by mod_proxy.

CVE-2024-39884

A regression of CVE-2024-38476 in the core of Apache
HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

CVE-2024-40725

A partial fix for CVE-2024-38476 in the core of
Apache HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

Moreover a functionality bug was fixed in webdav list of well known browser by adding dolphin and Konqueror/5 browsers.

ELA-1157-1 glib2.0 security update

Mon, 19 Aug 2024 08:54:25 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u7 (jessie)

Related CVEs : CVE-2024-34397

Alicia Boya Garcia reported that the GDBus signal subscriptions in the GLib library are prone to a spoofing vulnerability. A local attacker can take advantage of this flaw to cause a GDBus-based client to behave incorrectly, with an application-dependent impact.

ELA-1156-1 indent security update

Sat, 17 Aug 2024 23:57:21 +0300

Package : indent

Version : 2.2.12-1+deb11u1~deb10u1 (buster)

Related CVEs : CVE-2023-40305 CVE-2024-0911

Multiple issues have been fixed in GNU indent, a C source code formatter.

ELA-1152-1 dnsmasq security update

Sat, 17 Aug 2024 18:10:21 +0200

Package : dnsmasq

Version : 2.80-1+deb10u2 (buster)

Multiple vulnerabilities have been fixed in the dnsmasq package, the small caching DNS proxy and DHCP/TFTP server.

CVE-2019-14834

A vulnerability was found in dnsmasq before version 2.81, where the memory leak allows remote attackers to cause a denial of service (memory consumption) via vectors involving DHCP response creation.

CVE-2021-3448

A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.

CVE-2022-0934

A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service.

CVE-2023-28450

An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020.

ELA-1155-1 git security update

Sat, 17 Aug 2024 08:15:19 +0800

Package : git

Version : 1:2.1.4-2.1+deb8u14 (jessie), 1:2.11.0-3+deb9u11 (stretch)

Multiple vulnerabilities were discovered in git, a fast, scalable and distributed revision control system.

CVE-2019-1387

It was possible to bypass the previous check for this vulnerability using parallel cloning, or the –recurse-submodules option to git-checkout(1). (applicable to Debian “stretch” only)

CVE-2023-25652

Feeding specially-crafted input to ‘git apply –reject’ could overwrite a path outside the working tree with partially controlled contents, corresponding to the rejected hunk or hunks from the given patch.

CVE-2023-25815

Low-privileged users could inject malicious messages into Git’s output under MINGW.

CVE-2023-29007

A specially-crafted .gitmodules file with submodule URLs longer than 1024 characters could be used to inject arbitrary configuration into $GIT_DIR/config.

CVE-2024-32002

Repositories with submodules could be specially-crafted to write hooks into .git/ which would then be executed during an ongoing clone operation.

CVE-2024-32004

A specially-crafted local repository could cause the execution of arbitrary code when cloned by another user.

CVE-2024-32021

When cloning a local repository that contains symlinks via the filesystem, Git could have created hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory.

CVE-2024-32465

When cloning a local repository obtained from a downloaded archive, hooks in that repository could be used for arbitrary code execution.

(Updates for Debian “buster” were announced in DLA-3844-1, during the Debian LTS support period.)

ELA-1154-1 util-linux security update

Thu, 15 Aug 2024 21:02:29 -0400

Package : util-linux

Version : 2.26.2+really2.25.2-6+deb8u2 (jessie), 2.29.2-1+deb9u3 (stretch)

Related CVEs : CVE-2024-28085

Skyler Ferrante discovered that the wall(1) utility found in util-linux, a collection of system utilities for Linux, does not filter escape sequences from command line arguments. This allows unprivileged local users to put arbitrary text on other users terminals if mesg is set to ‘y’ and the wall executable is setgid, which could lead to information disclosure.

With this update the wall executable is no longer installed setgid tty.

ELA-1153-1 wpa security update

Wed, 14 Aug 2024 21:42:19 +0300

Package : wpa

Version : 2.3-1+deb8u15 (jessie), 2:2.4-1+deb9u11 (stretch), 2:2.7+git20190128+0c1e29f-6+deb10u5 (buster)

Related CVEs : CVE-2024-5290

Local privilege escalation by loading libraries from untrusted paths has been fixed in wpasupplicant, a commonly used tool for connection and authentication in wireless and wired networks.

ELA-1151-1 gdk-pixbuf security update

Tue, 13 Aug 2024 16:53:04 +0300

Package : gdk-pixbuf

Version : 2.31.1-2+deb8u10 (jessie), 2.36.5-2+deb9u3 (stretch), 2.38.1+dfsg-1+deb10u1 (buster)

Related CVEs : CVE-2022-48622

Memory corruption has been fixed in the loader for ANI (animated cursors) files in GDK Pixbuf, a library used by the GTK widget toolkit.

ELA-1150-1 ruby2.5 security update

Tue, 13 Aug 2024 13:06:52 +0200

Package : ruby2.5

Version : 2.5.5-3+deb10u7 (buster)

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in denial-of-service (DoS), information leak, and remote code execution.

CVE-2023-36617

Follow-up fix for CVE-2023-28755.

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
CVE-2024-27280

A buffer-overread issue was discovered in StringIO. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value.
CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.)
CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

ELA-1149-1 ruby2.3 security update

Tue, 13 Aug 2024 13:06:50 +0200

Package : ruby2.3

Version : 2.3.3-1+deb9u12 (stretch)

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in denial-of-service (DoS), information leak, HTTP response splitting, XML round-trip issues, and remote code execution.

CVE-2021-28965

The REXML gem does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
CVE-2021-33621

The cgi gem allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
CVE-2022-28739

Buffer over-read occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
CVE-2023-28755, CVE-2023-36617

A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
CVE-2023-28756

A ReDoS issue was discovered in the Time component. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects.
CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.)
CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

ELA-1148-1 ruby2.1 security update

Tue, 13 Aug 2024 13:06:44 +0200

Package : ruby2.1

Version : 2.1.5-2+deb8u14 (jessie)

CVE-2021-28965

The REXML gem does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
CVE-2021-33621

The cgi gem allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
CVE-2022-28739

Buffer over-read occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
CVE-2023-28756

A ReDoS issue was discovered in the Time component. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects.
CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.)
CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.

This release also provide follow-up fixes for CVE-2016-2338 (ELA-1148-1) and CVE-2021-41817 (ELA-531-1).

ELA-1147-1 python-aiosmtpd security update

Mon, 12 Aug 2024 16:39:23 +0300

Package : python-aiosmtpd

Version : 1.2-3+deb10u1 (buster)

Related CVEs : CVE-2024-27305 CVE-2024-34083

Two vulnerabilities have been fixed in python-aiosmtpd, an asyncio based SMTP server.

CVE-2024-27305

SMTP smuggling with non-standard line endings

CVE-2024-34083

STARTTLS unencrypted command injection

ELA-1146-1 openjdk-11 security update

Wed, 07 Aug 2024 09:41:32 +0200

Package : openjdk-11

Version : 11.0.24+8-2~deb10u1 (buster)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, information disclosure or bypass of Java sandbox restrictions.

ELA-1145-1 curl security update

Mon, 05 Aug 2024 21:13:04 +0200

Package : curl

Version : 7.38.0-4+deb8u28 (jessie), 7.52.1-5+deb9u22 (stretch), 7.64.0-4+deb10u10 (buster)

Related CVEs : CVE-2024-7264

A denial-of-service vulnerability was found in cURL, an easy-to-use client-side URL transfer library. libcurl’s ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up crashing but this flaw can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

ELA-1144-1 exim4 security update

Wed, 31 Jul 2024 23:08:08 +0200

Package : exim4

Version : 4.89-2+deb9u13 (stretch), 4.92-8+deb10u10 (buster)

Related CVEs : CVE-2024-39929

An issue has been found in exim4, the Mail Transport Agent. Due to bad parsing of multiline RFC 2231 header filenames in mime ACL, a remote attacker could bypass this protection mechanism and potentially deliver executable attachements to mailboxes.

ELA-1143-1 aom security update

Wed, 31 Jul 2024 23:55:34 +0300

Package : aom

Version : 1.0.0-3+deb10u2 (buster)

Related CVEs : CVE-2024-5171

Integer overflows have been fixed in aom, an AV1 Codec Library.

ELA-1142-1 openjdk-8 security update

Tue, 30 Jul 2024 10:55:20 +0200

Package : openjdk-8

Version : 8u422-b05-1~deb8u1 (jessie), 8u422-b05-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure or denial of service.

ELA-1141-1 krb5 security update

Mon, 29 Jul 2024 22:35:11 +0300

Package : krb5

Version : 1.12.1+dfsg-19+deb8u9 (jessie), 1.15-1+deb9u6 (stretch), 1.17-3+deb10u7 (buster)

Multiple vulnerabilities have been fixed in krb5, the MIT implementation of the Kerberos network authentication protocol.

CVE-2024-26458

Memory leak in xmt_rmtcallres()

CVE-2024-26461

Memory leak in gss_krb5int_make_seal_token_v3()

CVE-2024-37370

GSS wrap token Extra Count field manipulation

CVE-2024-37371

Invalid GSS memory reads with manipulated tokens

ELA-1140-1 imagemagick security update

Fri, 26 Jul 2024 10:53:26 +0000

Package : imagemagick

Version : 8:6.8.9.9-5+deb8u27 (jessie)

Imagemagick, an image processing toolking was vulnerable.

CVE-2017-11752

The ReadMAGICKImage function allows remote attackers to cause
a denial of service (memory leak) via a crafted file.

CVE-2017-12566

A memory leak vulnerability was found in the function ReadMVGImage
in mvg coder, which allows attackers to cause a denial of service.

CVE-2017-18022

A memory leak vulnerability was found in MontageImageCommand.

CVE-2018-11655

A memory leak vulnerability was found in the function GetImagePixelCache
which allows attackers to cause a denial of service via a crafted
CALS image file.

CVE-2021-3596

A NULL pointer dereference flaw was found in ReadSVGImage(). This issue
is due to not checking the return value from libxml2's xmlCreatePushParserCtxt()
and uses the value directly, which leads to a crash and segmentation fault.

CVE-2022-28463

A buffer overflow was found in Imagemagick in cin file coder.

CVE-2022-48541

A memory leak was found that allows a remote attackers to perform
a denial of service via the "identify -help" command.

CVE-2023-1289

Loading a specially created SVG file may cause a segmentation fault.
When ImageMagick crashes, it generates a lot of trash files. These trash
files can be large if the SVG file contains many render actions, and could
result in a denial of service.

CVE-2023-5341

A heap use-after-free flaw was found in coders/bmp.c

CVE-2023-34151

Undefined behaviors of casting double to size_t in svg, mvg and other
coders.

ELA-1139-1 phppgadmin security update

Thu, 25 Jul 2024 12:11:05 +0100

Package : phppgadmin

Version : 5.1-1.1+deb8u1 (jessie)

Related CVEs : CVE-2023-40619

A potential Remote Code Execution (RCE) vulnerability was discovered in phppgadmin, a web-based administration tool for the PostgreSQL database.

This was an issue related to the deserialisation of untrusted data, which may have led to remote code execution because user-controlled data was passed directly to the PHP unserialize() function.

ELA-1133-2 imagemagick regression update

Tue, 23 Jul 2024 23:02:21 +0000

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u9 (buster)

Related CVEs : CVE-2023-34151

The Imagemagick security update issued as ELA 1133-1 addressed the vulnerability identified by CVE-2023-34151. The fix for that CVE introduced a regression.

A Magick Vector Graphics file including a pattern operator could return an incorrect bounding box, and thus generate a corrupted pattern.

ELA-1138-1 python3.4 security update

Tue, 23 Jul 2024 16:21:43 +0300

Package : python3.4

Version : 3.4.2-1+deb8u18 (jessie)

Related CVEs : CVE-2024-4032 CVE-2024-5642

Multiple vulnerabilities have been fixed in the Python3 interpreter.

CVE-2024-4032

Incorrect information about private addresses in the ipaddress module

CVE-2024-5642

NPN buffer overread when using empty list in SSLContext.set_npn_protocols()

Note that the CVE-2024-5642 fix disables NPN (Next Protocol Negotiation) in the ssl module, NPN is a TLS extension for the obsolete SPDY protocol (HTTP/2 is the successor to SPDY).

ELA-1137-1 python3.5 security update

Tue, 23 Jul 2024 16:05:19 +0300

Package : python3.5

Version : 3.5.3-1+deb9u10 (stretch)

Related CVEs : CVE-2024-0397 CVE-2024-4032 CVE-2024-5642

Multiple vulnerabilities have been fixed in the Python3 interpreter.

CVE-2024-0397

Race condition in ssl.SSLContext

CVE-2024-4032

Incorrect information about private addresses in the ipaddress module

CVE-2024-5642

NPN buffer overread when using empty list in SSLContext.set_npn_protocols()

Note that the CVE-2024-5642 fix disables NPN (Next Protocol Negotiation) in the ssl module, NPN is a TLS extension for the obsolete SPDY protocol (HTTP/2 is the successor to SPDY). Support for the NPN-successor ALPN for HTTP/2 continues to be available.

ELA-1136-1 imagemagick security update

Tue, 23 Jul 2024 12:30:47 +0000

Package : imagemagick

Version : 8:6.9.7.4+dfsg-11+deb9u20 (stretch)

Imagemagick, an image processing toolking was vulnerable.

CVE-2017-11752

The ReadMAGICKImage function allows remote attackers to cause
a denial of service (memory leak) via a crafted file.

CVE-2017-12566

A memory leak vulnerability was found in the function ReadMVGImage
in mvg coder, which allows attackers to cause a denial of service.

CVE-2017-18022

A memory leak vulnerability was found in MontageImageCommand.

CVE-2018-11655

A memory leak vulnerability was found in the function GetImagePixelCache
which allows attackers to cause a denial of service via a crafted
CALS image file.

CVE-2022-48541

A memory leak in was found that allows a remote attackers to perform
a denial of service via the "identify -help" command.

CVE-2023-1289

Loading a specially created SVG file may cause a segmentation fault.
When ImageMagick crashes, it generates a lot of trash files. These trash
files can be large if the SVG file contains many render actions, and could
result in a denial of service.

CVE-2023-5341

A heap use-after-free flaw was found in coders/bmp.c

CVE-2023-34151

Undefined behaviors of casting double to size_t in svg, mvg and other
coders.

ELA-1135-1 python3.7 security update

Mon, 22 Jul 2024 17:53:36 +0300

Package : python3.7

Version : 3.7.3-2+deb10u8 (buster)

Related CVEs : CVE-2024-0397 CVE-2024-4032

Multiple vulnerabilities have been fixed in the Python3 interpreter.

CVE-2024-0397

Race condition in ssl.SSLContext

CVE-2024-4032

Incorrect information about private addresses in the ipaddress module

ELA-1134-1 uw-imap regression update

Sat, 20 Jul 2024 20:15:04 +0200

Package : uw-imap

Version : 8:2007f~dfsg-6+deb10u1 (buster)

The uw-imap toolkit package had a problem when used with openssl 1.1.1.

It could not work with Google IMAP servers because Google wants SNI requests if the client supports TLS 1.3.

ELA-1133-1 imagemagick security update

Fri, 19 Jul 2024 21:01:26 +0000

Package : imagemagick

Version : 8:6.9.10.23+dfsg-2.1+deb10u8 (buster)

Related CVEs : CVE-2023-1289 CVE-2023-34151

The security fixes for two security vulnerabilities in Imagemagick, an image processing toolking, were found to be incomplete.

CVE-2023-1289

Loading a specially created SVG file may cause a segmentation fault.
When ImageMagick crashes, it generates a lot of trash files. These trash
files can be large if the SVG file contains many render actions, and could
result in a denial of service.

CVE-2023-34151

Undefined behaviors of casting double to size_t in svg, mvg and other
coders.

These vulnerabilities were previously addressed in Debian 10 buster during its Debian Long Term Support period, as announced via the [DLA 3737-1]:

[DLA 3737-1] https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html

ELA-1132-1 php-horde-mime-viewer security update

Wed, 17 Jul 2024 12:02:03 +0100

Package : php-horde-mime-viewer

Version : 2.0.7-2+deb8u1 (jessie)

Related CVEs : CVE-2022-26874

A Cross-Site Scripting (XSS) vulnerability was discovered in php-horde-mime-viewer, a PHP library for parsing and displaying email messages encoded in the MIME (or “Multipurpose Internet Mail Extensions”) format.

ELA-1131-1 phpldapadmin security update

Tue, 16 Jul 2024 09:16:57 +0100

Package : phpldapadmin

Version : 1.2.2-5.2+deb8u3 (jessie)

Related CVEs : CVE-2016-15039

A HTTP request smuggling vulnerability was discovered in phpldapadmin, a web-based interface for administering Lightweight Directory Access Protocol (LDAP) servers.

ELA-1130-1 binutils security update

Mon, 15 Jul 2024 10:02:51 +0300

Package : binutils

Version : 2.25-5+deb8u2 (jessie), 2.28-5+deb9u1 (stretch), 2.31.1-16+deb10u1 (buster)

Related CVEs : CVE-2018-12934 CVE-2018-1000876

Two vulnerabilities have been fixed in binutils, the GNU assembler, linker and binary utilities.

Note that the fix for CVE-2018-12934 removes demangling support for some ancient (e.g. GCC 2.x) mangling schemes

CVE-2018-12934

OOM in c++filt

CVE-2018-1000876

Integer Overflow in objdump

ELA-1129-1 apache2 security update

Thu, 11 Jul 2024 20:47:15 +0000

Package : apache2

Version : 2.4.25-3+deb9u17 (stretch)

Multiple vulnerabilities were fixed in the HTTP2 module of apache2.

CVE-2020-9490

A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would resulted in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.

CVE-2020-11993

When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.

CVE-2021-33193

A crafted method sent through HTTP/2 bypassed validation and were forwarded by mod_proxy, which could lead to request splitting or cache poisoning.

CVE-2023-45802

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

CVE-2024-27316

HTTP/2 incoming headers exceeding the limit were temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client did not stop sending headers, this led to memory exhaustion.

ELA-1128-1 axis security update

Thu, 11 Jul 2024 17:08:17 +0100

Package : axis

Version : 1.4-21+deb8u1 (jessie)

Related CVEs : CVE-2018-8032 CVE-2023-40743

Two vulnerabilities were discovered in Apache Axis, an XML-based web service framework for Java.

CVE-2018-8032: Fix a cross-site scripting (XSS) attack in the default servlet/services. (#905328)

CVE-2023-40743: Fix an issue in ServiceFactory.getService that allowed potentially dangerous lookup mechanisms. When passing untrusted input to this API method, this could have exposed the application to DoS, SSRF and even attacks leading to remote code execution. (#1051288)

ELA-1127-1 dns-root-data security update

Mon, 08 Jul 2024 13:00:27 -0300

Package : dns-root-data

Version : 2024041801~deb8u1 (jessie), 2024041801~deb9u1 (stretch), 2024041801~deb10u1 (buster)

The dns-root-data package contains various DNS root zone related data as published by IANA to be used by various DNS software as a common source of DNS root zone data. This release includes updates such as the new A and AAAA records of the B root server. Without this update, users could face slowdowns when doing DNS queries after the old B root server’s IP addresses cease functioning, on November 27th 2024.

ELA-1126-1 exim4 security update

Sun, 07 Jul 2024 18:36:35 +0200

Package : exim4

Version : 4.84.2-2+deb8u12 (jessie), 4.89-2+deb9u12 (stretch)

Related CVEs : CVE-2023-51766

It was discovered that Exim, a mail transport agent, can be induced to accept a second message embedded as part of the body of a first message in certain configurations where PIPELINING or CHUNKING on incoming connections is offered.

ELA-1125-1 ffmpeg security update

Sat, 06 Jul 2024 23:34:50 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u4 (stretch)

Several buffer overflow vulnerabilities were discovered in ffmpeg, tools for transcoding, streaming and playing of multimedia files. An attacker may use these flaws to create specially crafted multimedia files and cause a denial of service or arbitrary code execution when they are processed by ffmpeg.

ELA-1124-1 sendmail security update

Fri, 05 Jul 2024 20:34:20 +0000

Package : sendmail

Version : 8.15.2-8+deb9u2 (stretch)

Related CVEs : CVE-2023-51765

sendmail allowed SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports . but some other popular e-mail servers do not.

This particular injection vulnerability has been closed, unfortunatly full closure need to reject mail that contain NUL (0x00 byte).

This is slighly non conformant with RFC and could be opt-out by setting confREJECT_NUL to ‘false’ in sendmail.mc file.

ELA-1122-1 emacs24 security update

Fri, 05 Jul 2024 10:00:21 +0800

Package : emacs24

Version : 24.4+1-5+deb8u5 (jessie), 24.5+1-11+deb9u5 (stretch)

Related CVEs : CVE-2024-39331

A vulnerability was discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.

The org-link-expand-abbrev function expanded a %(…) link abbrev even when the abbrev specified an unsafe function, such as shell-command-to-string. This could lead to arbitrary code execution as soon as an Org-mode format file was opened.

ELA-1123-1 emacs25 security update

Fri, 05 Jul 2024 10:00:21 +0800

Package : emacs25

Version : 25.1+1-4+deb9u5 (stretch)

Related CVEs : CVE-2024-39331

A vulnerability was discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.

ELA-1121-1 python-idna security update

Wed, 03 Jul 2024 12:09:46 -0400

Package : python-idna

Version : 2.2-1+deb9u1 (stretch)

Related CVEs : CVE-2024-3651

Guido Vranken discovered an issue in python3-idna, a library to support the Internationalized Domain Names in Applications (IDNA) protocol. A specially crafted argument to the idna.encode() function could consume significant resources, which may lead to Denial of Service.

ELA-1120-1 linux-5.10 security update

Tue, 02 Jul 2024 10:37:25 +0200

Package : linux-5.10

Version : 5.10.218-1~deb8u1 (jessie), 5.10.218-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1119-1 glibc security update

Sun, 30 Jun 2024 23:53:41 +0300

Package : glibc

Version : 2.19-18+deb8u14 (jessie), 2.24-11+deb9u7 (stretch)

Multiple vulnerabilities have been fixed in the Name Service Cache Daemon that is built by the GNU C library and shipped in the nscd binary package.

CVE-2024-33599

nscd: Stack-based buffer overflow in netgroup cache

CVE-2024-33600

nscd: Null pointer crashes after notfound response

CVE-2024-33601

nscd: Daemon may terminate on memory allocation failure

CVE-2024-33602

nscd: Possible memory corruption

ELA-1118-1 dcmtk security update

Sun, 30 Jun 2024 23:51:53 +0300

Package : dcmtk

Version : 3.6.1~20160216-4+deb10u1 (stretch)

Multiple vulnerabilities have been fixed in DCMTK, a collection of libraries and applications implementing large parts the DICOM standard for medical images.

CVE-2019-1010228

Buffer overflow in DcmRLEDecoder::decompress()

CVE-2021-41687

Incorrect freeing of memory

CVE-2021-41688

Incorrect freeing of memory

CVE-2021-41689

NULL pointer dereference

CVE-2021-41690

Incorrect freeing of memory

CVE-2022-2121

NULL pointer dereference

CVE-2022-43272

Memory leak in single process mode

CVE-2024-28130

Segmentation faults due to incorrect typecast

CVE-2024-34508

Segmentation fault via invalid DIMSE message

CVE-2024-34509

Segmentation fault via invalid DIMSE message

ELA-1117-1 gunicorn security update

Sat, 29 Jun 2024 11:42:09 +0200

Package : gunicorn

Version : 19.6.0-10+deb9u3 (stretch)

Related CVEs : CVE-2024-1135

Gunicorn, an event-based HTTP/WSGI server, fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn’s handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

ELA-1116-1 linux-4.19 security update

Fri, 28 Jun 2024 14:27:19 +0200

Package : linux-4.19

Version : 4.19.316-1~deb8u1 (jessie), 4.19.316-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

This is the final Linux 4.19 kernel update, which becomes end-of-life. It is advised to upgrade to a supported kernel, see the kernel page for details.

ELA-1115-1 glib2.0 security update

Thu, 27 Jun 2024 11:16:30 +0200

Package : glib2.0

Version : 2.50.3-2+deb9u6 (stretch)

Related CVEs : CVE-2024-34397

ELA-1114-1 composer security update

Wed, 19 Jun 2024 12:25:28 -0700

Package : composer

Version : 1.2.2-1+deb9u3 (stretch)

Related CVEs : CVE-2024-35241 CVE-2024-35242

It was discovered that there were a number of command-line injection vulnerabilities in Composer, a popular dependency manager for PHP.

The install, status, reinstall and remove functionality had issues when used with Git or Hg repositories which used maliciously- crafted branch names, which could have been abused to execute arbitrary shell commands.

ELA-1113-1 libndp security update

Wed, 19 Jun 2024 11:44:30 -0700

Package : libndp

Version : 1.4-2+deb8u2 (jessie), 1.6-1+deb9u1 (stretch)

Related CVEs : CVE-2024-5564

It was discovered that there was a buffer overflow vulnerability in libndp, a library for implementing IPv6’s “Neighbor Discovery Protocol” (NDP) and is used by Network Manager and other networking tools.

A local, malicious user could have caused a buffer overflow in Network Manager by sending a malformed IPv6 router advertisement packet. This issue existed because libndp was not correctly validating route length information.

ELA-1107-1 php7.0 security update

Tue, 18 Jun 2024 22:43:54 +0200

Package : php7.0

Version : 7.0.33-0+deb9u18 (stretch)

Related CVEs : CVE-2024-5458

PHP, a widely-used open source general purpose scripting language, is affected by a security problem when parsing certain types of URLs.

Due to a code logic error filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly. The problem is related to CVE-2020-7071 but affects IPv6 host parts.

ELA-1108-1 php5 security update

Tue, 18 Jun 2024 22:43:47 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u20 (jessie)

Related CVEs : CVE-2024-5458

PHP, a widely-used open source general purpose scripting language, is affected by a security problem when parsing certain types of URLs.

ELA-1110-1 netty security update

Tue, 18 Jun 2024 22:43:21 +0200

Package : netty

Version : 1:4.1.7-2+deb9u5 (stretch)

Related CVEs : CVE-2024-29025

Julien Viet discovered that Netty, a Java NIO client/server socket framework, was vulnerable to allocation of resources without limits or throttling due to the accumulation of data in the HttpPostRequestDecoder. This would allow an attacker to cause a denial of service.

ELA-1112-1 libvpx security update

Tue, 18 Jun 2024 23:39:23 +0300

Package : libvpx

Version : 1.3.0-3+deb8u5 (jessie), 1.6.1-3+deb9u6 (stretch)

Related CVEs : CVE-2016-6711 CVE-2017-0393 CVE-2024-5197

Multiple vulnerabilities have been fixed in libvpx, a library for decoding and encoding VP8 and VP9 videos.

CVE-2016-6711 (vulnerability was not present in stretch)

VP8 decoder crash with invalid leading keyframes

CVE-2017-0393 (vulnerability was not present in stretch)

VP8 threading issues

CVE-2024-5197

Integer overflows

ELA-1111-1 pymongo security update

Mon, 17 Jun 2024 19:36:53 +0000

Package : pymongo

Version : 2.7.2-1+deb8u1 (jessie), 3.4.0-1+deb9u1 (stretch)

Related CVEs : CVE-2024-5629

An out-of-bounds read in the ‘bson’ module of PyMongo allowed deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.

ELA-1109-1 nano security update

Mon, 17 Jun 2024 14:58:58 +0300

Package : nano

Version : 2.2.6-3+deb8u1 (jessie), 2.7.4-1+deb9u1 (stretch)

Related CVEs : CVE-2024-5742

A symlink attack with emergency file saving has been fixed in the text editor nano.

ELA-1106-1 apache2 security update

Fri, 14 Jun 2024 19:38:36 +0000

Package : apache2

Version : 2.4.10-10+deb8u27 (jessie)

Related CVEs : CVE-2023-38709

Faulty input validation in the core of Apache allowed malicious or exploitable backend/content generators to split HTTP responses

ELA-1105-1 gst-plugins-base0.10 security update

Thu, 06 Jun 2024 09:51:25 +0200

Package : gst-plugins-base0.10

Version : 0.10.36-2+deb8u4 (jessie)

Related CVEs : CVE-2024-4453

An integer overflow in the EXIF metadata parsing was discovered in the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.

ELA-1104-1 nghttp2 security update

Sat, 01 Jun 2024 01:02:24 +0200

Package : nghttp2

Version : 1.18.1-1+deb9u4 (stretch)

Related CVEs : CVE-2024-28182

An issue has been found in nghttp2, a library, server, proxy and client implementing HTTP/2. An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in Denial of Service.

ELA-1103-1 inetutils security update

Fri, 31 May 2024 17:45:03 +0300

Package : inetutils

Version : 2:1.9.4-2+deb9u3 (stretch)

Related CVEs : CVE-2019-0053 CVE-2023-40303

Two vulnerabilities were fixed in inetutils, the GNU network utilities.

CVE-2019-0053

Insufficient validation of environment variables in telnet

CVE-2023-40303

Possible privilege escalation in ftpd, rcp, rlogin, rsh, rshd, and uucpd when a set*id() family function like setuid() fails

ELA-1102-1 gst-plugins-base1.0 security update

Thu, 30 May 2024 23:57:46 +0300

Package : gst-plugins-base1.0

Version : 1.4.4-2+deb8u5 (jessie), 1.10.4-1+deb9u4 (stretch)

Related CVEs : CVE-2024-4453

An integer overflow in the EXIF metadata parser has been fixed in the GStreamer media framework.

ELA-1101-1 python-django security update

Wed, 29 May 2024 09:58:00 +0100

Package : python-django

Version : 1:1.10.7-2+deb9u22 (stretch)

Three vulnerabilities were fixed in python-django, a popular Python-based web development framework:

CVE-2023-36053: Prevent a potential regular expression denial of service (DoS) vulnerability in EmailValidator and URLValidator. EmailValidator and URLValidator were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs.
CVE-2023-43665: Fix a DoS vulnerability in django.utils.text.Truncator. Following the fix for CVE-2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.
CVE-2024-24680: Prevent a potential DoS in the intcomma template filter. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

ELA-1100-1 python-pymysql security update

Mon, 27 May 2024 23:39:27 +0100

Package : python-pymysql

Version : 0.7.10-1+deb9u1 (stretch)

Related CVEs : CVE-2024-36039

It was discovered that there was a potential SQL injection attack in python-pymysql, a MySQL client library for Python. This was exploitable when python-pymysql was used with untrusted JSON input as keys were not escaped by the escape_dict routine.

ELA-1099-1 apache2 security update

Sun, 26 May 2024 19:52:51 +0000

Package : apache2

Version : 2.4.10-10+deb8u26 (jessie)

Related CVEs : CVE-2023-31122 CVE-2024-24795

CVE-2023-31122

An Out-of-bounds Read vulnerability was found in mod_macro of Apache HTTP Server.

CVE-2024-24795

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Please note that the fix of CVE-2024-24795, may break unrelated CGI-BIN scripts. As part of the security fix, the Apache webserver mod_cgi module has stopped relaying the Content-Length field of the HTTP reply header from the CGI programs back to the client in cases where the connection is to be closed and the client is able to read until end-of-file. You may restore legacy behavior for trusted scripts by adding the following configuration environment variable to the Apache configuration, scoped to the <Directory> entry or entries in which script is being served via CGI, SetEnv ap_trust_cgilike_cl "yes". The definitive fix is to read the whole input, re-allocating the input buffer to fit as more input is received, and to not trust that CONTENT_LENGTH variable is always present.

ELA-1098-1 apache2 security update

Sun, 26 May 2024 19:13:52 +0000

Package : apache2

Version : 2.4.25-3+deb9u16 (stretch)

CVE-2023-31122

An Out-of-bounds Read vulnerability was found in mod_macro of Apache HTTP Server.

CVE-2023-38709

A faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

CVE-2024-24795

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

ELA-1097-1 libreoffice security update

Sun, 26 May 2024 13:56:58 +0000

Package : libreoffice

Version : 1:6.1.5-3~deb9u3 (stretch)

Related CVEs : CVE-2024-3044

Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.

ELA-1086-2 emacs25 regression update

Sat, 25 May 2024 09:31:18 +0100

Package : emacs25

Version : 25.1+1-4+deb9u4 (stretch)

The previous update to Emacs did not include builds for all supported architectures. The same update has been reissued to include all builds.

ELA-1085-2 emacs24 regression update

Sat, 25 May 2024 09:31:12 +0100

Package : emacs24

Version : 24.4+1-5+deb8u4 (jessie), 24.5+1-11+deb9u4 (stretch)

The previous update to Emacs did not include builds for all supported architectures. The same update has been reissued to include all builds.

ELA-1096-1 composer security update

Fri, 24 May 2024 20:24:17 +0000

Package : composer

Version : 1.2.2-1+deb9u2 (stretch)

Related CVEs : CVE-2022-24828 CVE-2023-43655

Composer, an application-level dependency manager for the PHP programming language, was vulnerable.

CVE-2022-24828

 Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there.

CVE-2023-43655

Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini.

ELA-1089-2 less regression update

Wed, 22 May 2024 19:34:55 +0200

Package : less

Version : 458-3+deb8u2 (jessie), 481-2.1+deb9u1 (stretch)

The i386 binaries for the less security update, announced as ELA-1089-1, were not correctly published in the jessie-security archive. This issue has been resolved by simply rebuilding the packages. No additional changes have been made. No further action is required if you use either the amd64 binaries or Debian 9 “stretch”.

ELA-1095-1 uwsgi security update

Sun, 19 May 2024 09:01:10 +0000

Package : uwsgi

Version : 2.0.14+20161117-3+deb9u7 (stretch)

Related CVEs : CVE-2024-24795

uWSGI, a Web Server Gateway Interface that mainly interfaces between a web server and a python application, allowed an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

ELA-1094-1 bind9 security update

Fri, 17 May 2024 19:33:12 -0300

Package : bind9

Version : 9.9.5.dfsg-9+deb8u31 (jessie), 1:9.10.3.dfsg.P4-12.3+deb9u16 (stretch)

Related CVEs : CVE-2023-50387 CVE-2023-50868

Two vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol allow remote attackers to cause
a denial of service via DNSSEC queries. This is known as the "KeyTrap"
issue.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol allows remote
attackers to cause a denial of service via DNSSEC queries in a random
subdomain attack. This is known as the "NSEC3" issue.

ELA-1093-1 linux-5.10 security update

Mon, 13 May 2024 10:16:59 +0200

Package : linux-5.10

Version : 5.10.216-1~deb8u1 (jessie), 5.10.216-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

ELA-1092-1 php7.0 security update

Sat, 11 May 2024 23:21:19 +0200

Package : php7.0

Version : 7.0.33-0+deb9u17 (stretch)

Related CVEs : CVE-2024-2756 CVE-2024-3096

Two security problems were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes.

CVE-2024-2756

Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications.  This issue stems from
an incomplete fix to CVE-2022-31629.

CVE-2024-3096

Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.

ELA-1091-1 php5 security update

Sat, 11 May 2024 23:14:25 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u19 (jessie)

Related CVEs : CVE-2024-2756 CVE-2024-3096

Two security problems were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes.

CVE-2024-2756

Marco Squarcina discovered that network and same-site attackers can set a
standard insecure cookie in the victim's browser which is treated as a
`__Host-` or `__Secure-` cookie by PHP applications.  This issue stems from
an incomplete fix to CVE-2022-31629.

CVE-2024-3096

Eric Stern discovered that if a password stored with password_hash() starts
with a null byte (\x00), testing a blank string as the password via
password_verify() incorrectly returns true. If a user were able to create
a password with a leading null byte (unlikely, but syntactically valid),
the issue would allow an attacker to trivially compromise the victim's
account by attempting to sign in with a blank string.

ELA-1090-1 gnutls28 security update

Fri, 10 May 2024 14:44:26 +0200

Package : gnutls28

Version : 3.5.8-5+deb9u7 (stretch)

Related CVEs : CVE-2021-4209

A NULL pointer dereference flaw was found in GnuTLS, a library implementing the TLS and SSL protocols. As Nettle’s hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw possibly leads to a denial of service after authentication.

ELA-1089-1 less security update

Wed, 08 May 2024 23:27:52 +0200

Package : less

Version : 458-3+deb8u1 (jessie), 481-2.1+deb9u1 (stretch)

Related CVEs : CVE-2022-48624 CVE-2024-32487

Several vulnerabilities were discovered in less, a file pager, which may result in the execution of arbitrary commands if a file with a specially crafted file name is processed.

ELA-1088-1 intel-microcode security update

Sun, 05 May 2024 13:19:36 +0200

Package : intel-microcode

Version : 3.20240312.1~deb8u1 (jessie), 3.20240312.1~deb9u1 (stretch)

Intel has released microcode updates, addressing serveral vulnerabilties:

CVE-2023-22655

Protection mechanism failure in some 3rd and 4th Generation Intel(R)
Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow
a privileged user to potentially enable escalation of privilege via
local access.

CVE-2023-28746

Information exposure through microarchitectural state after
transient execution from some register files for some Intel(R)
Atom(R) Processors may allow an authenticated user to potentially
enable information disclosure via local access.

CVE-2023-38575

Non-transparent sharing of return predictor targets between contexts
in some Intel(R) Processors may allow an authorized user to
potentially enable information disclosure via local access.

CVE-2023-39368

Protection mechanism failure of bus lock regulator for some Intel(R)
Processors may allow an unauthenticated user to potentially enable
denial of service via network access.

CVE-2023-43490

Incorrect calculation in microcode keying mechanism for some
Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a
privileged user to potentially enable information disclosure via
local access.

ELA-1087-1 glibc security update

Sat, 04 May 2024 01:48:46 +0300

Package : glibc

Version : 2.19-18+deb8u13 (jessie), 2.24-11+deb9u6 (stretch)

Related CVEs : CVE-2024-2961

Out-of-bounds write in the iconv ISO-2022-CN-EXT module has been fixed
in the GNU C library.

ELA-1086-1 emacs25 security update

Fri, 03 May 2024 13:35:14 +0100

Package : emacs25

Version : 25.1+1-4+deb9u3 (stretch)

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.

CVE-2024-30203 & CVE-2024-30204

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments in some Emacs MUAs. This can lead to denial of service.

(A request has been submitted to MITRE to merge these CVE numbers.)

CVE-2024-30205

In Emacs before 29.3, Org mode considers the contents of remote files to be trusted. This affects Org Mode before 9.6.23.

ELA-1085-1 emacs24 security update

Fri, 03 May 2024 13:35:07 +0100

Package : emacs24

Version : 24.4+1-5+deb8u3 (jessie), 24.5+1-11+deb9u3 (stretch)

Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting display editor.

CVE-2024-30203 & CVE-2024-30204

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments in some Emacs MUAs. This can lead to denial of service.

(A request has been submitted to MITRE to merge these CVE numbers.)

CVE-2024-30205

In Emacs before 29.3, Org mode considers the contents of remote files to be trusted. This affects Org Mode before 9.6.23.

ELA-1084-1 distro-info-data database update

Wed, 01 May 2024 10:27:40 -0400

Package : distro-info-data

Version : 0.36~bpo8+5 (jessie), 0.41+deb10u2~bpo9+5 (stretch)

This is a routine update of the distro-info-data database for Debian ELTS users.

It adds Ubuntu 24.10.

Also included are LTS and ELTS columns for Debian, and ESM columns for Ubuntu. The versions of distro-info in jessie and stretch are not able to display the data from these columns, but they are present in the CSV.

ELA-1083-1 qtbase-opensource-src security update

Wed, 01 May 2024 00:53:01 +0200

Package : qtbase-opensource-src

Version : 5.7.1+dfsg-3+deb9u4 (stretch)

Several issues have been found in qtbase-opensource-src, a collection of several Qt modules/libraries. The issues are related to buffer overflows, infinite loops or application crashes due to processing of crafted input files.

ELA-1082-1 phpmyadmin security update

Tue, 30 Apr 2024 13:26:28 +0100

Package : phpmyadmin

Version : 4:4.2.12-2+deb8u12 (jessie)

Related CVEs : CVE-2020-22452

A potential SQL injection vulnerability was discovered in phpmyadmin, the popular MySQL web administration tool.

This could have been exploited by a malicious storage engine value.

ELA-1081-1 ruby-rack security update

Mon, 29 Apr 2024 12:27:30 +0300

Package : ruby-rack

Version : 1.6.4-4+deb9u6 (stretch)

Related CVEs : CVE-2024-26141 CVE-2024-26146

Multiple vulnerabilities were fixed in ruby-rack, an interface for developing web applications in Ruby.

CVE-2024-26141

Reject Range headers which are too large

CVE-2024-26146

ReDoS in Accept header parsing

ELA-1080-1 openjdk-8 security update

Mon, 29 Apr 2024 11:26:18 +0200

Package : openjdk-8

Version : 8u412-ga-1~deb8u1 (jessie), 8u412-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

ELA-1079-1 pillow security update

Sun, 28 Apr 2024 15:48:30 +0300

Package : pillow

Version : 2.6.1-2+deb8u10 (jessie), 4.0.0-4+deb9u6 (stretch)

Related CVEs : CVE-2024-28219

A buffer overflow in _imagingcms.c was fixed in Pillow, an image processing library for Python.

ELA-1078-1 util-linux security update

Fri, 26 Apr 2024 12:44:26 +0100

Package : util-linux

Version : 2.26.2-6+deb8u1 (jessie), 2.29.2-1+deb9u2 (stretch)

Related CVEs : CVE-2021-37600

An integer overflow attack was discovered in util-linux which could have caused a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

ELA-1077-1 tomcat8 security update

Fri, 26 Apr 2024 06:31:17 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u28 (jessie)

Related CVEs : CVE-2023-46589

Norihito Aimoto of OSSTech Corporation discovered a security vulnerability in the Tomcat servlet and JSP engine.

A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

ELA-1076-1 tomcat7 security update

Fri, 26 Apr 2024 06:30:17 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u6 (jessie)

Related CVEs : CVE-2023-46589

Norihito Aimoto of OSSTech Corporation discovered a security vulnerability in the Tomcat servlet and JSP engine.

A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

ELA-1075-1 libdatetime-timezone-perl new timezone database

Wed, 24 Apr 2024 16:05:23 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2024a (jessie), 1:2.09-1+2024a (stretch)

This update includes the changes in tzdata 2024a for the Perl bindings.

ELA-1074-1 tzdata new timezone database

Wed, 24 Apr 2024 15:57:56 +0200

Package : tzdata

Version : 2024a-0+deb8u1 (jessie), 2024a-0+deb9u1 (stretch)

This update includes the changes in tzdata 2024a. Notable changes are:

- Kazakhstan unifies on UTC+5 beginning 2024-03-01.
- Palestine springs forward a week later after Ramadan.

ELA-1073-1 expat security update

Sat, 20 Apr 2024 11:05:45 +0200

Package : expat

Version : 2.1.0-6+deb8u11 (jessie), 2.2.0-2+deb9u8 (stretch)

Related CVEs : CVE-2023-52425

Expat, an XML parsing C library has been found to have an vulnerability that allows an attacker to perform a denial of service (resource consumption), when many full reparsings are required in the case of a large tokens.

When parsing a really big token that requires multiple buffer fills to complete, expat has to re-parse the token from start multiple times, which takes time. These patches introduce a heuristic that, when having failed on the same token multiple times, defers further parsing until there’s significantly more data available.

The patch also introduces an optional API, XML_SetReparseDeferralEnabled() to disable the new heuristic.

ELA-1072-1 xorg-server security update

Tue, 16 Apr 2024 21:40:00 +0300

Package : xorg-server

Version : 2:1.16.4-1+deb8u16 (jessie), 2:1.19.2-1+deb9u19 (stretch)

Multiple vulnerabilities have been fixed in the Xorg X server.

CVE-2024-31080

Heap buffer overread in ProcXIGetSelectedEvents()

CVE-2024-31081

Heap buffer overread in ProcXIPassiveGrabDevice()

CVE-2024-31083

Use-after-free in ProcRenderAddGlyphs()

ELA-1071-1 tomcat8 security update

Thu, 11 Apr 2024 11:41:06 +0200

Package : tomcat8

Version : 8.5.54-0+deb9u15 (stretch)

Related CVEs : CVE-2024-23672 CVE-2024-24549

Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2024-24549

 Denial of Service due to improper input validation vulnerability for
 HTTP/2. When processing an HTTP/2 request, if the request exceeded any of
 the configured limits for headers, the associated HTTP/2 stream was not
 reset until after all of the headers had been processed.

CVE-2024-23672

 Denial of Service via incomplete cleanup vulnerability. It was possible
 for WebSocket clients to keep WebSocket connections open leading to
 increased resource consumption.

ELA-1070-1 libcaca security update

Sun, 07 Apr 2024 10:48:47 +0200

Package : libcaca

Version : 0.99.beta19-2+deb8u3 (jessie), 0.99.beta19-2.2+deb9u3 (stretch)

Related CVEs : CVE-2021-30498 CVE-2021-30499

Two issues have been found in libcaca, a colour ASCII art library. Both are related to heap buffer overflow, which might lead to memory corruption.

ELA-1069-1 libgd2 security update

Sun, 07 Apr 2024 01:44:26 +0200

Package : libgd2

Version : 2.1.0-5+deb8u15 (jessie), 2.2.4-2+deb9u6 (stretch)

Several issues have been found in libgd2, a GD Graphics Library. They are related to out-of-bounds reads or NULL pointer derefence allowing denial of service attacks.

ELA-1068-1 curl security update

Tue, 26 Mar 2024 21:17:26 +0000

Package : curl

Version : 7.52.1-5+deb9u21 (stretch)

curl, a tool for transferring data using various network protocols, was vulnerable.

CVE-2023-27534

A path traversal vulnerability existed in curl implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.

CVE-2023-28321

An improper certificate validation vulnerability existed in curl in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" (SNA) in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.

CVE-2023-28322

An information disclosure vulnerability existed in curl when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

CVE-2023-46218

This flaw allowed a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

ELA-1067-1 python3.4 security update

Sun, 24 Mar 2024 23:57:01 +0200

Package : python3.4

Version : 3.4.2-1+deb8u17 (jessie)

Related CVEs : CVE-2024-0450

The zipfile module was vulnerable to “quoted-overlap” zip-bombs in the Python 3 interpreter.

ELA-1066-1 python3.5 security update

Sun, 24 Mar 2024 23:55:11 +0200

Package : python3.5

Version : 3.5.3-1+deb9u9 (stretch)

Related CVEs : CVE-2024-0450

The zipfile module was vulnerable to “quoted-overlap” zip-bombs in the Python 3 interpreter.

ELA-1065-1 python2.7 security update

Sun, 24 Mar 2024 23:42:05 +0200

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u12 (jessie), 2.7.13-2+deb9u9 (stretch)

Related CVEs : CVE-2024-0450

The zipfile module was vulnerable to “quoted-overlap” zip-bombs in the Python 2 interpreter.

ELA-1064-1 wpa security update

Sun, 24 Mar 2024 19:01:24 +0000

Package : wpa

Version : 2.3-1+deb8u14 (jessie), 2:2.4-1+deb9u10 (stretch)

Related CVEs : CVE-2023-52160

The implementation of PEAP in wpa_supplicant allowed authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network’s TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

ELA-1063-1 qemu security update

Sun, 24 Mar 2024 19:52:48 +0200

Package : qemu

Version : 1:2.8+dfsg-6+deb9u19 (stretch)

Multiple vulnerabilities have been fixed in the machine emulator and virtualizer QEMU.

CVE-2020-14394

infinite loop in the USB xHCI controller emulation

CVE-2023-0330

reentrancy issues in the LSI controller

CVE-2023-2861

9pfs did not prohibit opening special files on the host side

CVE-2023-3180

heap buffer overflow in the virtual crypto device

CVE-2023-3354

remote unauthenticated clients could cause denial of service in VNC server

CVE-2023-5088

IDE guest I/O operation addressed to an arbitrary disk offset might get targeted to offset 0 instead

ELA-1062-1 libnet-cidr-lite-perl security update

Sat, 23 Mar 2024 17:28:24 +0100

Package : libnet-cidr-lite-perl

Version : 0.21-1+deb9u1 (stretch)

Related CVEs : CVE-2021-47154

An issue has been found in libnet-cidr-lite-perl, a module for merging IPv4 or IPv6 CIDR address ranges.

Extraneous zero characters at the beginning of an IP address string might allow attackers to bypass access control that is based on IP addresses.

Please check your application whether it accidentally allows such leading zero characters (that are normally meant to indicate octal numbers).

ELA-1061-1 postgresql-9.4 security update

Wed, 20 Mar 2024 23:00:29 +0200

Package : postgresql-9.4

Version : 9.4.26-0+deb8u9 (jessie)

Related CVEs : CVE-2024-0985

In the PostgreSQL database server, a late privilege drop in the REFRESH MATERIALIZED VIEW CONCURRENTLY command could allow an attacker to trick a user with higher privileges to run SQL commands.

ELA-1060-1 postgresql-9.6 security update

Wed, 20 Mar 2024 22:57:09 +0200

Package : postgresql-9.6

Version : 9.6.24-0+deb9u6 (stretch)

Related CVEs : CVE-2024-0985

In the PostgreSQL database server, a late privilege drop in the REFRESH MATERIALIZED VIEW CONCURRENTLY command could allow an attacker to trick a user with higher privileges to run SQL commands.

ELA-1059-1 pillow security update

Tue, 19 Mar 2024 13:42:17 +0800

Package : pillow

Version : 2.6.1-2+deb8u9 (jessie), 4.0.0-4+deb9u5 (stretch)

Multiple vulnerabilities were discovered in the Python Imaging Library (PIL), an image processing library for Python.

CVE-2021-23437

It was discovered that the getrgb function was vulnerable to a regular expression denial-of-service attack.

CVE-2022-22817

A fix for this CVE was announced in advisories DLA-2893-1 and ELA-546-1. It was discovered that this fix was incomplete. This update completes the fix.

CVE-2023-44271

It was discovered that an overlong text length argument passed to an ImageDraw instance could cause uncontrollable memory allocation and denial-of-service.

CVE-2023-50447

It was discovered that PIL.ImageMath.eval could permit arbitrary code execution via the environment parameter (see also CVE-2022-22817, which concerned the expression parameter).

ELA-1058-1 kde4libs security update

Tue, 19 Mar 2024 02:19:15 +0530

Package : kde4libs

Version : 4:4.14.26-2+deb9u1 (stretch)

Related CVEs : CVE-2019-14744

Dominik Penner discovered a flaw in how KConfig interpreted shell commands in desktop files and other configuration files. An attacker may trick users into installing specially crafted files which could then be used to execute arbitrary code, e.g. a file manager trying to find out the icon for a file or any application using KConfig. Thus the entire feature of supporting shell commands in KConfig entries has been removed.

ELA-1057-1 inetutils security update

Tue, 19 Mar 2024 02:08:12 +0530

Package : inetutils

Version : 2:1.9.2.39.3a460-3+deb8u2 (jessie)

Multiple vulnerabilities were found in the inetutils package, a collection of common network programs.

CVE-2019-0053

A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue.
CVE-2021-40491

The ftp client in inetutils does not validate addresses returned by PASV/LSPV responses to make sure they match the server address.
CVE-2022-39028

telnetd in inetutils has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a “telnet/tcp server failing (looping), service terminated” error.
CVE-2023-40303

inetutils may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.

ELA-1056-1 python3.4 security update

Mon, 18 Mar 2024 17:10:38 +0100

Package : python3.4

Version : 3.4.2-1+deb8u16 (jessie)

Multiple vulnerabilities were found in python3.4, an interactive high-level object-oriented language. An attacker could cause DoS (denial-of-service) situations, exfiltrate private information, and possibly execute arbitrary code.

CVE-2022-48560

A use-after-free exists via heappushpop in heapq.
CVE-2022-48564

read_ints in plistlib.py is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
CVE-2022-48565

An XML External Entity (XXE) issue was discovered. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.
CVE-2022-48566

In compare_digest in Lib/hmac.py, constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
CVE-2023-40217

If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as “not connected” and won’t initiate a handshake, but buffered data will still be readable from the socket buffer.

ELA-1055-1 openssh security update

Mon, 11 Mar 2024 12:41:11 -0300

Package : openssh

Version : 1:6.7p1-5+deb8u10 (jessie)

Related CVEs : CVE-2021-41617 CVE-2023-51385

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2021-41617

It was discovered that sshd failed to correctly initialise supplemental
groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the command
as a different user. Instead these commands would inherit the groups that
sshd was started with.

CVE-2023-51385

It was discovered that if an invalid user or hostname that contained shell
metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
directive or "match exec" predicate referenced the user or hostname via
expansion tokens, then an attacker who could supply arbitrary
user/hostnames to ssh could potentially perform command injection. The
situation could arise in case of git repositories with submodules, where the
repository could contain a submodule with shell characters in its user or
hostname.

Unfortunately, the changes required to fix the Terrapin Attack (CVE-2023-48795) in jessie are too intrusive to be backported and represent a high risk of introducing regressions. We also concluded that the Terrapin Attack is hardly exploitable on the server side of the OpenSSH packaged in jessie, since it does not support EXT_INFO messages, which are required to take advantage of the attack. To mitigate this attack, we recommend to OpenSSH users to disable the ChaCha20-Poly1305 algorithm from the allowed cipher suites used by both OpenSSH client and server. For convenience, we include here examples of the Ciphers configuration option that can be used removing ChaCha20-Poly1305 from the default list. This is the example for OpenSSH server’s /etc/ssh/sshd_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

And this is for system-wise OpenSSH client’s /etc/ssh/ssh_config:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

Users should adapt those examples to their local configuration.

ELA-1054-1 nss security update

Mon, 11 Mar 2024 06:54:24 +0100

Package : nss

Version : 2:3.26-1+debu8u18 (jessie), 2:3.26.2-1.1+deb9u7 (stretch)

Related CVEs : CVE-2023-4421 CVE-2023-5388 CVE-2024-0743

Multiple vulnerabilities were found in nss, a set of libraries designed to support cross-platform development of security-enabled client and server applications.

CVE-2023-4421

A fuzzing project discovered vulnerabilities to Bleichenbacher
timing attacks in NSS's facilities for RSA cryptography.

CVE-2023-5388

A timing attack against RSA decryption in TLS. This vulnerablity has been
named The MArvin Attack a Bleichenbacher-like vulernability.

CVE-2024-0743

An unchecked return value in TLS handshake code could have caused a
potentially exploitable crash.

ELA-1053-1 libgit2 security update

Sun, 03 Mar 2024 16:39:42 +0200

Package : libgit2

Version : 0.25.1+really0.24.6-1+deb9u3 (stretch)

Related CVEs : CVE-2024-24577

Arbitrary code execution in git_index_add has been fixed in libgit2, a library implementing the Git core methods.

ELA-1052-1 wireshark security update

Thu, 29 Feb 2024 23:56:36 +0000

Package : wireshark

Version : 2.6.20-0+deb9u7 (stretch)

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.

CVE-2023-4511

BT SDP dissector infinite loop

CVE-2023-4513

BT SDP dissector memory leak

CVE-2023-6175

NetScreen file parser crash

CVE-2024-0208

GVCP dissector crash

ELA-1051-1 gsoap security update

Thu, 29 Feb 2024 23:51:06 +0000

Package : gsoap

Version : 2.8.35-4+deb9u3 (stretch)

Multiple vulnerabilities have been fixed in the gSOAP toolkit for developing Web services.

CVE-2020-13574

WS-Security plugin denial-of-service

CVE-2020-13575

WS-Addressing plugin denial-of-service

CVE-2020-13576

WS-Addressing plugin code execution

CVE-2020-13577

WS-Security plugin denial-of-service

CVE-2020-13578

WS-Security plugin denial-of-service

ELA-1050-1 php-phpseclib security update

Thu, 29 Feb 2024 21:27:27 +0000

Package : php-phpseclib

Version : 2.0.30-2~deb9u1 (stretch)

Related CVEs : CVE-2023-48795

The Terrapin attack is a cryptographic attack on the SSH prootocol reducing the security of SSH, by using a downgrade attack via man-in-the-middle interception. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

ELA-1049-1 evince security update

Thu, 29 Feb 2024 20:38:21 +0100

Package : evince

Version : 3.22.1-3+deb9u3 (stretch)

Related CVEs : CVE-2023-51698

A security vulnerability was found in Evince, a document viewer, which may grant an attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT (comic book archive) document which is a TAR archive. The comic book backend of Evince uses libarchive now, which handles CBT and other comic book archives correctly.

ELA-1048-1 jinja2 security update

Sun, 25 Feb 2024 22:59:30 +0100

Package : jinja2

Version : 2.7.3-1+deb8u1 (jessie), 2.8-1+deb9u1 (stretch)

Related CVEs : CVE-2024-22195

It was discovered that there was an injection attack in jinja2, a popular templating engine used in various Python applications.

It was possible to inject arbitrary HTML attributes into rendered HTML via the “xmlattr” filter, potentially leading to a Cross-Site Scripting (XSS) attack. It may also have been possible to bypass attribute validation checks if they were blacklist-based.

ELA-1047-1 bind9 security update

Sun, 25 Feb 2024 09:34:45 +0100

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u30 (jessie), 1:9.10.3.dfsg.P4-12.3+deb9u15 (stretch)

Related CVEs : CVE-2023-3341

An issue has been discovered in BIND, a DNS server implementation.

A stack exhaustion flaw was discovered in the control channel code which may result in denial of service (named daemon crash).

ELA-1046-1 unbound1.9 security update

Sat, 24 Feb 2024 11:49:09 +0100

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u4 (stretch)

Related CVEs : CVE-2023-50387 CVE-2023-50868

Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.

ELA-1045-1 phpseclib security update

Fri, 23 Feb 2024 20:24:41 +0000

Package : phpseclib

Version : 1.0.19-1~deb9u2 (stretch)

Related CVEs : CVE-2023-48795

phpseclib, a library used for secure communication written in PHP language, was vulnerable to so called Terrapin-Attack. The SSH transport protocol, with certain OpenSSH extensions, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled.

ELA-1044-1 optipng security update

Fri, 23 Feb 2024 13:09:56 +0000

Package : optipng

Version : 0.7.5-1+deb8u3 (jessie), 0.7.6-1+deb9u2 (stretch)

Related CVEs : CVE-2015-7802 CVE-2023-43907

Optipng, a tool for optimizing image files, by recompressesing image files to a smaller size, without losing any information, was vulnerable.

CVE-2015-7802

Under Debian 8 (jessie), optipng allowed remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file. Debian 9, stretch, was already fixed.

CVE-2023-43907

A global buffer overflow via the 'buffer' variable at gifread.c, was found.

ELA-1043-1 xorg-server security update

Sat, 10 Feb 2024 23:46:09 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u15 (jessie)

Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

ELA-1042-1 sudo security update

Sat, 03 Feb 2024 18:15:38 +0000

Package : sudo

Version : 1.8.19p1-2.1+deb9u6 (stretch)

Related CVEs : CVE-2023-28486 CVE-2023-28487

Sudo, a program designed to allow a sysadmin to give limited root privileges to users and log root activity, was vulnerable.

CVE-2023-28486

Sudo did not escape control characters in log messages.

CVE-2023-28487

Sudo did not escape control characters in sudoreplay output.

ELA-1041-1 zabbix security update

Sat, 03 Feb 2024 15:49:27 +0100

Package : zabbix

Version : 2.2.23+dfsg-0+deb8u7 (jessie), 1:3.0.32+dfsg-0+deb9u6 (stretch)

Related CVEs : CVE-2023-32721 CVE-2023-32726

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing an attacker to perform a stored XSS, Server-Side Request Forgery (SSRF), exposure of sensitive information, a system crash, or arbitrary code execution.

CVE-2023-32721

A stored XSS has been found in the Zabbix web application in the
Maps element if a URL field is set with spaces before URL.

CVE-2023-32726

Possible buffer overread from reading DNS responses.

ELA-1040-1 xorg-server security update

Wed, 31 Jan 2024 22:09:37 +0100

Package : xorg-server

Version : 2:1.19.2-1+deb9u18 (stretch)

Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

ELA-1039-1 postfix security update

Wed, 31 Jan 2024 09:28:33 +0000

Package : postfix

Version : 2.11.3-1+deb8u3 (jessie), 3.1.15-0+deb9u2 (stretch)

Related CVEs : CVE-2023-51764

Postfix, a popular mail server, was vulnerable.

Postfix allowed SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking.

Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism.

This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as using the backported smtpd_forbid_bare_newline=yes option.

ELA-1038-1 openssh security update

Tue, 30 Jan 2024 18:36:48 -0300

Package : openssh

Version : 1:7.4p1-10+deb9u9 (stretch)

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2021-41617

It was discovered that sshd failed to correctly initialise supplemental
groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the command
as a different user. Instead these commands would inherit the groups that
sshd was started with.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH
protocol is prone to a prefix truncation attack, known as the "Terrapin
attack". This attack allows a MITM attacker to effect a limited break of the
integrity of the early encrypted SSH transport protocol by sending extra
messages prior to the commencement of encryption, and deleting an equal
number of consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

CVE-2023-51385

It was discovered that if an invalid user or hostname that contained shell
metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
directive or "match exec" predicate referenced the user or hostname via
expansion tokens, then an attacker who could supply arbitrary
user/hostnames to ssh could potentially perform command injection. The
situation could arise in case of git repositories with submodules, where the
repository could contain a submodule with shell characters in its user or
hostname.

ELA-1037-1 squid3 security update

Tue, 30 Jan 2024 22:36:41 +0100

Package : squid3

Version : 3.5.23-5+deb8u7 (jessie), 3.5.23-5+deb9u10 (stretch)

Several security vulnerabilities have been discovered in Squid, a full featured web proxy cache. Due to programming errors in Squid’s HTTP request parsing, remote attackers may be able to execute a denial of service attack by sending large X-Forwarded-For header or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate a denial of service attack against Squid’s Helper process management. In regard to CVE-2023-46728: Please note that support for the Gopher protocol has simply been removed in future Squid versions. There is no fix available. We recommend to reject all gopher URL requests instead.

ELA-1036-1 jasper security update

Tue, 30 Jan 2024 19:30:03 +0100

Package : jasper

Version : 1.900.1-debian1-2.4+deb8u12 (jessie)

Related CVEs : CVE-2023-51257

An issue has been found in jasper, a library and programs for manipulating JPEG-2000 files. The issue is about an invalid memory write which might allow a local attacker to execute arbitrary code.

ELA-1035-1 openjdk-8 security update

Fri, 26 Jan 2024 10:10:37 +0100

Package : openjdk-8

Version : 8u402-ga-1~deb8u1 (jessie), 8u402-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in side channel attacks, leaking sensitive data to log files, denial of service or bypass of sandbox restrictions.

ELA-1034-1 linux-4.19 security update

Thu, 25 Jan 2024 11:45:33 +0100

Package : linux-4.19

Version : 4.19.304-1~deb8u1 (jessie), 4.19.304-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-44879

Wenqing Liu reported a NULL pointer dereference in the f2fs
implementation. An attacker able to mount a specially crafted image
can take advantage of this flaw for denial of service.

CVE-2023-0590

Dmitry Vyukov discovered a race condition in the network scheduler
core that that can lead to a use-after-free.  A local user with
the CAP_NET_ADMIN capability in any user or network namespace
could exploit this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2023-1077

Pietro Borrello reported a type confusion flaw in the task
scheduler.  A local user might be able to exploit this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2023-1206

It was discovered that the networking stack permits attackers to
force hash collisions in the IPv6 connection lookup table, which
may result in denial of service (significant increase in the cost
of lookups, increased CPU utilization).

CVE-2023-1989

Zheng Wang reported a race condition in the btsdio Bluetooth
adapter driver that can lead to a use-after-free.  An attacker
able to insert and remove SDIO devices can use this to cause a
denial of service (crash or memory corruption) or possibly to run
arbitrary code in the kernel.

CVE-2023-3212

Yang Lan discovered that missing validation in the GFS2 filesystem
could result in denial of service via a NULL pointer dereference
when mounting a malformed GFS2 filesystem.

CVE-2023-3390

A use-after-free flaw in the netfilter subsystem caused by
incorrect error path handling may result in denial of service or
privilege escalation.

CVE-2023-3609, CVE-2023-3776, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208

It was discovered that a use-after-free in the cls_fw, cls_u32,
cls_route and network classifiers may result in denial of service
or potential local privilege escalation.

CVE-2023-3611

It was discovered that an out-of-bounds write in the traffic
control subsystem for the Quick Fair Queueing scheduler (QFQ) may
result in denial of service or privilege escalation.

CVE-2023-3772

Lin Ma discovered a NULL pointer dereference flaw in the XFRM
subsystem which may result in denial of service.

CVE-2023-4244

A race condition was found in the nftables subsystem that could
lead to a use-after-free.  A local user could exploit this to
cause a denial of service (crash), information leak, or possibly
for privilege escalation.

CVE-2023-4622

Bing-Jhong Billy Jheng discovered a use-after-free within the Unix
domain sockets component, which may result in local privilege
escalation.

CVE-2023-4623

Budimir Markovic reported a missing configuration check in the
sch_hfsc network scheduler that could lead to a use-after-free or
other problems.  A local user with the CAP_NET_ADMIN capability in
any user or network namespace could exploit this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-4921

"valis" reported flaws in the sch_qfq network scheduler that could
lead to a use-after-free.  A local user with the CAP_NET_ADMIN
capability in any user or network namespace could exploit this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2023-5717

Budimir Markovic reported a heap out-of-bounds write vulnerability
in the Linux kernel's Performance Events system caused by improper
handling of event groups, which may result in denial of service or
privilege escalation. The default settings in Debian prevent
exploitation unless more permissive settings have been applied in
the kernel.perf_event_paranoid sysctl.

CVE-2023-6606

"j51569436" reported a potential out-of-bounds read in the CIFS
filesystem implementation.  If a CIFS filesystem is mounted from a
malicious server, the server could possibly exploit this to cause
a denial of service (crash).

CVE-2023-6931

Budimir Markovic reported a heap out-of-bounds write vulnerability
in the Linux kernel's Performance Events system which may result in
denial of service or privilege escalation. The default settings in
Debian prevent exploitation unless more permissive settings have
been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6932

A use-after-free vulnerability in the IPv4 IGMP implementation may
result in denial of service or privilege escalation.

CVE-2023-25775

Ivan D Barrera, Christopher Bednarz, Mustafa Ismail and Shiraz
Saleem discovered that improper access control in the Intel Ethernet
Controller RDMA driver may result in privilege escalation.

CVE-2023-34319

Ross Lagerwall discovered a buffer overrun in Xen's netback driver
which may allow a Xen guest to cause denial of service to the
virtualisation host by sending malformed packets.

CVE-2023-34324

Marek Marczykowski-Gorecki reported a possible deadlock in the Xen
guests event channel code which may allow a malicious guest
administrator to cause a denial of service.

CVE-2023-35001

Tanguy DUBROCA discovered an out-of-bounds reads and write flaw in
the Netfilter nf_tables implementation when processing an
nft_byteorder expression, which may result in local privilege
escalation for a user with the CAP_NET_ADMIN capability in any
user or network namespace.

CVE-2023-39189, CVE-2023-39192, CVE-2023-39193

Lucas Leong of Trend Micro Zero Day Initiative reported missing
bounds checks in the nfnetlink_osf, xt_u32, and xt_sctp netfilter
modules.  A local user with the CAP_NET_ADMIN capability in any
user or network namespace could exploit these to leak sensitive
information from the kernel or for denial of service (crash).

CVE-2023-39194

Lucas Leong of Trend Micro Zero Day Initiative reported a missing
bounds check in the xfrm (IPsec) subsystem.  A local user with the
CAP_NET_ADMIN capability in any user or network namespace could
exploit this to leak sensitive information from the kernel or for
denial of service (crash).

CVE-2023-40283

A use-after-free was discovered in Bluetooth L2CAP socket
handling.

CVE-2023-42753

Kyle Zeng discovered an off-by-one error in the netfilter ipset
subsystem which could lead to out-of-bounds memory access.  A
local user with the CAP_NET_ADMIN capability in any user or
network namespace could exploit this to cause a denial of service
(memory corruption or crash) and possibly for privilege
escalation.

CVE-2023-42754

Kyle Zeng discovered a flaw in the IPv4 implementation which could
lead to a null pointer deference.  A local user could exploit this
for denial of service (crash).

CVE-2023-42755

Kyle Zeng discovered missing configuration validation in the
cls_rsvp network classifier which could lead to out-of-bounds
reads.  A local user with the CAP_NET_ADMIN capability in any user
or network namespace could exploit this to cause a denial of
service (crash) or to leak sensitive information.

This flaw has been mitigated by removing the cls_rsvp classifier.

CVE-2023-45863

A race condition in library routines for handling generic kernel
objects may result in an out-of-bounds write in the
fill_kobj_path() function.

CVE-2023-45871

Manfred Rudigier reported a flaw in the igb network driver for
Intel Gigabit Ethernet interfaces.  When the "rx-all" feature was
enabled on such a network interface, an attacker on the same
network segment could send packets that would overflow a receive
buffer, leading to a denial of service (crash or memory
corruption) or possibly remote code execution.

CVE-2023-51780

It was discovered that a race condition in the ATM (Asynchronous
Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

It was discovered that a race condition in the Appletalk subsystem
may lead to a use-after-free.

CVE-2023-51782

It was discovered that a race condition in the Amateur Radio X.25
PLP (Rose) support may lead to a use-after-free. This module is not
auto-loaded on Debian systems, so this issue only affects systems
where it is explicitly loaded.

This update additionally includes many more bug fixes from stable updates 4.19.290-4.19.304 inclusive.

ELA-1033-1 linux-5.10 security update

Thu, 25 Jan 2024 11:26:43 +0100

Package : linux-5.10

Version : 5.10.205-2~deb8u1 (jessie), 5.10.205-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-44879

Wenqing Liu reported a NULL pointer dereference in the f2fs
implementation. An attacker able to mount a specially crafted image
can take advantage of this flaw for denial of service.

CVE-2023-5178

Alon Zahavi reported a use-after-free flaw in the NVMe-oF/TCP
subsystem in the queue initialization setup, which may result in
denial of service or privilege escalation.

CVE-2023-5197

Kevin Rich discovered a use-after-free flaw in the netfilter
subsystem which may result in denial of service or privilege
escalation for a user with the CAP_NET_ADMIN capability in any user
or network namespace.

CVE-2023-5717

Budimir Markovic reported a heap out-of-bounds write vulnerability
in the Linux kernel's Performance Events system caused by improper
handling of event groups, which may result in denial of service or
privilege escalation. The default settings in Debian prevent
exploitation unless more permissive settings have been applied in
the kernel.perf_event_paranoid sysctl.

CVE-2023-6121

Alon Zahavi reported an out-of-bounds read vulnerability in the
NVMe-oF/TCP which may result in an information leak.

CVE-2023-6531

Jann Horn discovered a use-after-free flaw due to a race condition
when the unix garbage collector's deletion of a SKB races
with unix_stream_read_generic() on the socket that the SKB is
queued on.

CVE-2023-6817

Xingyuan Mo discovered that a use-after-free in Netfilter's
implementation of PIPAPO (PIle PAcket POlicies) may result in denial
of service or potential local privilege escalation for a user with
the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931

Budimir Markovic reported a heap out-of-bounds write vulnerability
in the Linux kernel's Performance Events system which may result in
denial of service or privilege escalation. The default settings in
Debian prevent exploitation unless more permissive settings have
been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6932

A use-after-free vulnerability in the IPv4 IGMP implementation may
result in denial of service or privilege escalation.

CVE-2023-25775

Ivan D Barrera, Christopher Bednarz, Mustafa Ismail and Shiraz
Saleem discovered that improper access control in the Intel Ethernet
Controller RDMA driver may result in privilege escalation.

CVE-2023-34324

Marek Marczykowski-Gorecki reported a possible deadlock in the Xen
guests event channel code which may allow a malicious guest
administrator to cause a denial of service.

CVE-2023-35827

Zheng Wang reported a use-after-free flaw in the Renesas Ethernet
AVB support driver.

CVE-2023-45863

A race condition in library routines for handling generic kernel
objects may result in an out-of-bounds write in the
fill_kobj_path() function.

CVE-2023-46813

Tom Dohrmann reported that a race condition in the Secure Encrypted
Virtualization (SEV) implementation when accessing MMIO registers
may allow a local attacker in a SEV guest VM to cause a denial of
service or potentially execute arbitrary code.

CVE-2023-46862

It was discovered that a race condition in the io_uring
subsystem may result in a NULL pointer dereference, causing a
denial of service.

CVE-2023-51780

It was discovered that a race condition in the ATM (Asynchronous
Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781

It was discovered that a race condition in the Appletalk subsystem
may lead to a use-after-free.

CVE-2023-51782

It was discovered that a race condition in the Amateur Radio X.25
PLP (Rose) support may lead to a use-after-free. This module is not
auto-loaded on Debian systems, so this issue only affects systems
where it is explicitly loaded.

This update additionally fixes Debian bugs #1032104, #1035587, and #1052304; and includes many more bug fixes from stable updates 5.10.198-5.10.205 inclusive.

ELA-1032-1 asterisk security update

Wed, 24 Jan 2024 20:02:22 +0100

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u9 (stretch)

Related CVEs : CVE-2023-37457 CVE-2023-49294

Two security vulnerabilities were discovered in Asterisk, a private branch exchange.

CVE-2023-37457

The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. By doing
so this can overwrite memory or cause a crash. This is not externally
exploitable, unless dialplan is explicitly written to update a header based
on data from an outside source. If the 'update' functionality is not used
the vulnerability does not occur.

CVE-2023-49294

It is possible to read any arbitrary file even when the `live_dangerously`
option is not enabled.

ELA-1031-1 xerces-c security update

Sun, 21 Jan 2024 18:53:45 +0100

Package : xerces-c

Version : 3.1.1-5.1+deb8u6 (jessie), 3.1.4+debian-2+deb9u3 (stretch)

Related CVEs : CVE-2023-37536

Even Rouault discovered that xerces-c, a validating XML parser library for C++, was vulnerable to integer overflow via crafted .xsd files, which can lead to out-of-bounds access.

ELA-1030-1 freerdp security update

Wed, 17 Jan 2024 11:04:38 +0100

Package : freerdp

Version : 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u6 (stretch)

Multiple vulnerabilities have been found in freerdp2, a free implementation of the Remote Desktop Protocol (RDP). An attacker (e.g. through a malicious RDP server) could launch DoS (denial-of-service) attacks through multiple vectors typically crashing the client, exploit buffer overflows that could lead to command execution, or access files outside of a shared directory.

This update also fixes two regressions related to the CVE-2020-11096 and CVE-2020-11089 fixes in ELA-717-1.

CVE-2020-11524

libfreerdp/codec/interleaved.c has an Out-of-bounds Write.
CVE-2022-39282

FreeRDP based clients on unix systems using /parallel command line switch might read uninitialized data and send it to the server the client is currently connected to.
CVE-2022-39318

Missing input validation in urbdrc channel. A malicious server can trick a FreeRDP based client to crash with division by zero.
CVE-2022-39319

Missing input length validation in the urbdrc channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server.
CVE-2022-39347

missing path canonicalization and base path check for drive channel. A malicious server can trick a FreeRDP based client to read files outside the shared directory.
CVE-2022-41877

Missing input length validation in drive channel. A malicious server can trick a FreeRDP based client to read out of bound data and send it back to the server.
CVE-2023-39353

Missing offset validation leading to Out Of Bound Read. In the libfreerdp/codec/rfx.c file there is no offset validation in tile->quantIdxY, tile->quantIdxCb, and tile->quantIdxCr. As a result crafted input can lead to an out of bounds read access which in turn will cause a crash.
CVE-2023-39354

Out-Of-Bounds Read in the nsc_rle_decompress_data function. The Out-Of-Bounds Read occurs because it processes context->Planes without checking if it contains data of sufficient length. Should an attacker be able to leverage this vulnerability they may be able to cause a crash.
CVE-2023-39356

Missing offset validation may lead to an Out Of Bound Read in the function gdi_multi_opaque_rect. In particular there is no code to validate if the value multi_opaque_rect->numRectangles is less than 45. Looping through multi_opaque_rect->numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash.
CVE-2023-40188

Out-Of-Bounds Read in the nsc_rle_decode function. This Out-Of-Bounds Read occurs because processing is done on the in variable without checking if it contains data of sufficient length. Insufficient data for the in variable may cause errors or crashes.

ELA-1029-1 tinyxml security update

Tue, 16 Jan 2024 20:14:18 +0000

Package : tinyxml

Version : 2.6.2-2+deb8u2 (jessie), 2.6.2-4+deb9u2 (stretch)

Related CVEs : CVE-2023-34194

TinyXML, a small and simple XML parser library, was vulnerable. A specially crafted XML document with a NUL character (\0) located after a whitespace character, could trigger a crash.

ELA-1028-1 tomcat8 security update

Thu, 04 Jan 2024 11:54:59 +0000

Package : tomcat8

Version : 8.5.54-0+deb9u14 (stretch)

Related CVEs : CVE-2023-46589

An improper input validation vulnerability was discovered in Apache Tomcat. Tomcat did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

The update for Debian 8 “jessie” is pending.

ELA-1026-1 libreoffice security update

Sun, 31 Dec 2023 10:21:47 +0000

Package : libreoffice

Version : 1:4.3.3-2+deb8u15 (jessie)

Related CVEs : CVE-2023-6185

An Improper Input Validation vulnerability was found in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

ELA-1027-1 libde265 security update

Sun, 31 Dec 2023 11:09:18 +0100

Package : libde265

Version : 1.0.11-0+deb9u6 (stretch)

Three issues have been found in libde265, an open H.265 video codec implementation. All issues are related to heap-buffer-overflow or global buffer overflow in different functions.

ELA-1025-1 libreoffice security update

Sat, 30 Dec 2023 13:51:11 +0000

Package : libreoffice

Version : 1:6.1.5-3~deb9u2 (stretch)

Multiple vulnerabilities have been discovered in LibreOffice an office productivity software suite:

CVE-2020-12801:

If LibreOffice has an encrypted document
open and crashes, that document is auto-saved encrypted.
On restart, LibreOffice offers to restore the document
and prompts for the password to decrypt it. If the recovery
is successful, and if the file format of the recovered document
was not LibreOffice's default ODF file format, then affected versions
of LibreOffice default that subsequent saves of the document
are unencrypted. This may lead to a user accidentally saving
a MSOffice file format document unencrypted while believing
it to be encrypted.

CVE-2020-12802:

LibreOffice has a 'stealth mode' in which only
documents from locations deemed 'trusted' are allowed to
retrieve remote resources. This mode is not the default mode,
but can be enabled by users who want to disable LibreOffice's ability
to include remote resources within a document. A flaw existed
where remote graphic links loaded from docx documents were omitted
from this protection.

CVE-2020-12803:

ODF documents can contain forms to be
filled out by the user. Similar to HTML forms, the contained
form data can be submitted to a URI, for example, to an external
web server. To create submittable forms, ODF implements the
XForms W3C standard, which allows data to be submitted without
the need for macros or other active scripting. LibreOffice allowed
forms to be submitted to any URI, including file: URIs, enabling
form submissions to overwrite local files. User-interaction
is required to submit the form, but to avoid the possibility
of malicious documents engineered to maximize the possibility of
inadvertent user submission this feature has now been limited to
http[s] URIs, removing the possibility to overwrite local files.

CVE-2023-6185

An Improper Input Validation vulnerability
was found in GStreamer integration of The Document
Foundation LibreOffice allows an attacker to execute arbitrary
GStreamer plugins. In affected versions the filename of the
embedded video is not sufficiently escaped when passed to
GStreamer enabling an attacker to run arbitrary
gstreamer plugins depending on what plugins are installed
on the target system.

Fix CVE-2023-6186

LibreOffice supports hyperlinks.
In addition to the typical common protocols such as
http/https hyperlinks can also have target URLs that
can launch built-in macros or dispatch built-in
internal commands. In affected version of LibreOffice
there are scenarios where these can be executed without warning
if the user activates such hyperlinks. In later versions
the users's explicit macro execution permissions
for the document are now consulted if these non-typical
hyperlinks can be executed. The possibility to use these
variants of hyperlink targets for floating frames has been removed.

ELA-1024-1 haproxy security update

Sun, 24 Dec 2023 11:47:09 +0100

Package : haproxy

Version : 1.5.8-3+deb8u4 (jessie), 1.7.5-2+deb9u2 (stretch)

Related CVEs : CVE-2023-45539

It was discovered that there was a potential information disclosure vulnerability in HAProxy, a reverse proxy server used to load balance HTTP requests across multiple servers.

HAProxy formerly accepted the # (ie. the “pound” or “hash”) symbol as part of a URI component. This might have allowed remote attackers to obtain sensitive information upon HAProxy’s misinterpretation of a path_end rule, such as by routing index.html#.png to a static server.

CVE-2023-45539

HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server.

ELA-1023-1 bluez security update

Wed, 20 Dec 2023 12:01:28 +0000

Package : bluez

Version : 5.43-2+deb9u2~deb8u6 (jessie), 5.43-2+deb9u7 (stretch)

Related CVEs : CVE-2023-45866

It was discovered that there was a keyboard injection attack in Bluez, a set of services and tools for interacting with wireless Bluetooth devices.

Prior to this change, BlueZ may have permitted unauthenticated peripherals to establish encrypted connections and thereby accept keyboard reports, potentially permitting injection of HID (~keyboard) commands, despite no user authorising such access.

ELA-1022-1 ncurses security update

Mon, 18 Dec 2023 15:29:43 +0200

Package : ncurses

Version : 5.9+20140913-1+deb8u6 (jessie), 6.0+20161126-1+deb9u5 (stretch)

Related CVEs : CVE-2023-29491

Loading of custom terminfo entries in setuid/setgid programs has been disabled to mitigate memory corruption via malformed data in terminfo database files.

ELA-1019-2 xorg-server security update

Sun, 17 Dec 2023 19:53:30 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u14 (jessie), 2:1.19.2-1+deb9u17 (stretch)

Related CVEs : CVE-2023-6377

The initial fix for CVE-2023-6377 as applied in ELA 1019-1 did not fully fix the vulnerability. Updated packages correcting this issue including the upstream merged commit are now available.

ELA-1021-1 intel-microcode security update

Sun, 17 Dec 2023 18:38:36 +0100

Package : intel-microcode

Version : 3.20231114.1~deb8u1 (jessie), 3.20231114.1~deb9u1 (stretch)

Related CVEs : CVE-2023-23583

Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik Shtoyk discovered that some Intel processors mishandle repeated sequences of instructions leading to unexpected behavior, which may result in privilege escalation, information disclosure or denial of service. This vulnerability is also known as reptar and has been assigend CVE-2023-23583.

ELA-1020-1 tzdata security update

Fri, 15 Dec 2023 16:48:45 +0100

Package : tzdata

Version : 2021a-0+deb8u11 (jessie), 2021a-0+deb9u11 (stretch)

This update includes the latest changes to the leap second list, including an update to its expiry date, which was set for the end of December.

ELA-1019-1 xorg-server security update

Wed, 13 Dec 2023 12:05:42 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u13 (jessie), 2:1.19.2-1+deb9u16 (stretch)

Related CVEs : CVE-2023-6377 CVE-2023-6478

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-1018-1 rabbitmq-server security update

Mon, 11 Dec 2023 12:44:16 +0100

Package : rabbitmq-server

Version : 3.6.6+really3.8.9-0+deb9u2 (stretch)

Related CVEs : CVE-2023-46118

RabbitMQ is a multi-protocol messaging and streaming broker. The HTTP API did not enforce an HTTP request body limit, making it vulnerable for denial of service (DoS) attacks with very large messages by an authenticated user with sufficient credentials.

ELA-1017-1 opendkim security update

Fri, 01 Dec 2023 19:48:43 +0100

Package : opendkim

Version : 2.11.0~alpha-10+deb9u2 (stretch)

Related CVEs : CVE-2022-48521

CVE-2022-48521: An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.

ELA-1016-1 vlc security update

Thu, 30 Nov 2023 23:52:01 +0000

Package : vlc

Version : 3.0.20-0+deb9u1 (stretch)

Related CVEs : CVE-2023-47359 CVE-2023-47360

Two vulnerabilities in the MMS over HTTP protocol have been fixed in the VLC media player, which has also been upgraded to the latest upstream version.

CVE-2023-47359

Heap buffer overflow in the MMSH module.

CVE-2023-47360

Integer underflow in the MMSH module.

ELA-1015-1 gst-plugins-bad1.0 security update

Thu, 30 Nov 2023 23:35:57 +0100

Package : gst-plugins-bad1.0

Version : 1.4.4-2.1+deb8u7 (jessie), 1.10.4-1+deb9u5 (stretch)

Related CVEs : CVE-2023-44446

An issue has been found in gst-plugins-bad1.0, which contains several GStreamer plugins from the “bad” set. The issue is related to use-after-free of some pointers within the MXF demuxer.

ELA-1013-1 zbar security update

Thu, 30 Nov 2023 16:35:19 +0000

Package : zbar

Version : 0.10+doc-10.1+deb9u1 (stretch)

Related CVEs : CVE-2023-40889

Zbar, a barcode scanner application, was vulnerable. A heap-based buffer overflow existed in the qr_reader_match_centers function. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.

ELA-1014-1 python-urllib3 security update

Thu, 30 Nov 2023 16:24:26 +0000

Package : python-urllib3

Version : 1.9.1-3+deb8u2 (jessie), 1.19.1-1+deb9u2 (stretch)

Multiple vulnerabilities were found in python-urllib3, a user-friendly HTTP library for Python.

CVE-2018-20060

It was discovered that the Authorization HTTP header was not removed when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This could allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.

CVE-2018-25091

Yoshida Katsuhiko discovered that the fix for CVE-2018-20060 did not cover non-titlecase request headers; for instance “authorization” request headers were not removed during cross-origin redirects. (Per RFC7230 sec. 3.2 header fields are to be treated case-insensitively.)

CVE-2023-43804

It was discovered that the Cookie request header was not stripped during cross-origin redirects. It is therefore possible for a user specifying a Cookie header to unknowingly leak information via HTTP redirects to a different origin, unless the user disables redirects explicitly. The issue is similar to CVE-2018-20060, but for the Cookie request header rather than Authorization.

CVE-2023-45803

It was discovered that the HTTP request body was not removed when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body, like POST, to GET, as required by the HTTP RFCs. This could lead to information disclosure.

ELA-1012-1 strongswan security update

Wed, 29 Nov 2023 12:57:37 +0000

Package : strongswan

Version : 5.2.1-6+deb8u11 (jessie)

Related CVEs : CVE-2023-41913

It was discovered that there was a potential buffer overflow in strongswan, a popular IPsec-based VPN (Virtual Private Network) server.

A vulnerability related to processing public Diffie-Hellman key exchange values could have resulted in a buffer overflow and potentially remote code execution as a consequence.

ELA-1011-1 freeimage security update

Tue, 28 Nov 2023 07:14:06 +0100

Package : freeimage

Version : 3.17.0+ds1-5+deb9u2

Related CVEs : CVE-2020-21427 CVE-2020-22524

Multiple vulnerabilities were discovered in freeimage, library for graphics image formats.

CVE-2020-21427

Buffer overflow vulnerability in function LoadPixelDataRLE8
in PluginBMP.cpp allows remote attackers to run arbitrary code and cause
other impacts via crafted image file.

CVE-2020-22524

Buffer overflow vulnerability in FreeImage_Load function
allows remote attackers to run arbitrary code and cause other
impacts via crafted PFM file.

ELA-1010-1 minizip security update

Mon, 27 Nov 2023 23:35:50 +0100

Package : minizip

Version : 1.1-8+deb9u1 (stretch)

Related CVEs : CVE-2023-45853

An issue has been found in minizip, a compression library. When using long filenames, an integer overflow might happen, which results in a heap-based buffer overflow in zipOpenNewFileInZip4_64().

ELA-1009-1 symfony security update

Mon, 27 Nov 2023 20:05:19 +0100

Package : symfony

Version : 2.8.7+dfsg-1.3+deb9u5 (stretch)

Related CVEs : CVE-2023-46734

Pierre Rudloff discovered a potential XSS vulnerability in Symfony, a PHP framework. Some Twig filters in CodeExtension use is_safe=html but do not actually ensure their input is safe. Symfony now escapes the output of the affected filters.

ELA-1008-1 audiofile security update

Mon, 27 Nov 2023 19:52:54 +0100

Package : audiofile

Version : 0.3.6-4+deb9u2 (stretch)

Related CVEs : CVE-2019-13147 CVE-2022-24599

The audiofile library allows the processing of audio data to and from audio files of many common formats (currently AIFF, AIFF-C, WAVE, NeXT/Sun, BICS, and raw data).

CVE-2019-13147

Audiofile was vulnerable due to an integer overflow. The program quits
early if NeXT audio files include too many channels now.

CVE-2022-24599

A memory leak was found due to reading a not null terminated copyright field.
Preallocate zeroed memory and always NUL terminate C strings from now on.

ELA-1007-1 amanda security update

Mon, 27 Nov 2023 19:06:34 +0100

Package : amanda

Version : 1:3.3.9-5+deb9u2 (stretch)

Multiple vulnerabilties have been found in Amanda, a backup system designed to archive many computers on a network to a single large-capacity tape drive. The vulnerabilties potentially allow local privilege escalation from the backup user to root or allow leaking information whether a directory exists in the filesystem.

CVE-2022-37703

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

CVE-2022-37705

A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. This program mishandles the arguments passed to tar binary.

CVE-2023-30577

The SUID binary "runtar" can accept the possibly malicious GNU tar options if fed with some non-argument option starting with "--exclude" (say --exclude-vcs). The following option will be accepted as "good" and it could be an option passing some script/binary that would be executed with root permissions.

ELA-1006-1 libde265 security update

Sun, 26 Nov 2023 13:49:50 +0100

Package : libde265

Version : 1.0.11-0+deb9u5 (stretch)

Related CVEs : CVE-2023-43887

An issue has been found in libde265, an open H.265 video codec implementation. It is related to a buffer over read in pic_parameter_set::dump, which might result in an information leak or denial of service with crafted H.265 files.

ELA-1005-1 gimp security update

Tue, 21 Nov 2023 17:17:56 +0200

Package : gimp

Version : 2.8.18-1+deb9u2 (stretch)

Multiple vulnerabilities were fixed in GIMP, the GNU Image Manipulation Program.

CVE-2022-30067

Out-of-memory with crafted XCF file.

CVE-2023-44442

PSD file parsing buffer overflow.

CVE-2023-44444

PSP file parsing buffer overflow.

ELA-1004-1 libde265 security update

Mon, 20 Nov 2023 13:36:07 +0100

Package : libde265

Version : 1.0.11-0+deb9u4 (stretch)

Several issues have been found in libde265, an open H.265 video codec implementation. They are related to segmentation faults and buffer overflows in different functions, which might result in denial of service.

ELA-1003-1 postgresql-9.4 security update

Sun, 19 Nov 2023 11:41:42 +0100

Package : postgresql-9.4

Version : 9.4.26-0+deb8u8 (jessie)

Related CVEs : CVE-2023-5869 CVE-2023-39417

Several security vulnerabilities have been found in PostgreSQL, an advanced open source database.

CVE-2023-5869

While modifying certain SQL array values, missing overflow checks let
authenticated database users write arbitrary bytes to a memory area that
facilitates arbitrary code execution. Missing overflow checks also let
authenticated database users read a wide area of server memory. The
CVE-2021-32027 fix covered some attacks of this description, but it missed
others.

CVE-2023-39417

In the EXTENSION SCRIPT, a SQL Injection vulnerability was found in
PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a
quoting construct (dollar quoting, '', or ""). If an administrator has
installed files of a vulnerable, trusted, non-bundled extension, an
attacker with database-level CREATE privilege can execute arbitrary code as
the bootstrap superuser.

ELA-1002-1 vim security update

Sat, 18 Nov 2023 23:52:37 +0200

Package : vim

Version : 2:7.4.488-7+deb8u11 (jessie), 2:8.0.0197-4+deb9u11 (stretch)

Related CVEs : CVE-2023-4752 CVE-2023-4781 CVE-2023-5344

Multiple vulnerabilities have been fixed in the editor vim.

CVE-2023-4752 Heap use after free in ins_compl_get_exp()

CVE-2023-4781 Heap buffer-overflow in vim_regsub_both()

CVE-2023-5344 Heap buffer-overflow in trunc_string()

ELA-1000-1 ceph security update

Thu, 16 Nov 2023 12:00:58 +0000

Package : ceph

Version : 0.80.7-2+deb8u6 (jessie), 10.2.11-2+deb9u2 (stretch)

Related CVEs : CVE-2023-43040

A flaw was found in Ceph RGW component. An unprivileged user can write to any bucket(s) accessible by a given key if a POST’s form-data contains a key called “bucket” with a value matching the name of the bucket used to sign the request. The result of this is that a user could actually upload to any bucket accessible by the specified access key as long as the bucket in the POST policy matches the bucket in said POST form part.

ELA-1001-1 postgresql-9.6 security update

Thu, 16 Nov 2023 00:38:29 +0100

Package : postgresql-9.6

Version : 9.6.24-0+deb9u5 (stretch)

Several security vulnerabilities have been found in PostgreSQL, an advanced open source database.

CVE-2023-5868

Certain aggregate function calls receiving "unknown"-type arguments could
disclose bytes of server memory from the end of the "unknown"-type value to
the next zero byte. One typically gets an "unknown"-type value via a string
literal having no type designation.

CVE-2023-5869

While modifying certain SQL array values, missing overflow checks let
authenticated database users write arbitrary bytes to a memory area that
facilitates arbitrary code execution. Missing overflow checks also let
authenticated database users read a wide area of server memory. The
CVE-2021-32027 fix covered some attacks of this description, but it missed
others.

CVE-2023-5870

Documentation says the pg_signal_backend role cannot signal "a backend
owned by a superuser". On the contrary, it can signal background workers,
including the logical replication launcher. It can signal autovacuum
workers and the autovacuum launcher. Signaling autovacuum workers and those
two launchers provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a less-resilient
background worker. For example, a non-core background worker that does not
auto-restart would experience a denial of service with respect to that
particular background worker.

CVE-2023-39417

In the EXTENSION SCRIPT, a SQL Injection vulnerability was found in
PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a
quoting construct (dollar quoting, '', or ""). If an administrator has
installed files of a vulnerable, trusted, non-bundled extension, an
attacker with database-level CREATE privilege can execute arbitrary code as
the bootstrap superuser.

ELA-999-1 open-vm-tools security update

Tue, 14 Nov 2023 19:49:26 +0000

Package : open-vm-tools

Version : 10.1.5-5055683-4+deb9u6 (jessie), 2:10.1.5-5055683-4+deb9u6 (stretch)

Related CVEs : CVE-2023-34058 CVE-2023-34059

The Open Virtual Machine Tools (open-vm-tools) project is an open source implementation of VMware Tools. It is a suite of virtualization utilities and drivers to improve the functionality, user experience and administration of VMware virtual machines.

CVE-2023-34058:

A file descriptor hijack vulnerability was found in the `vmware-user-suid-wrapper`
command. A malicious actor with non-root privileges might have been able
to hijack the `block` file descriptor. Compared to the most recent upstream version,
the `uinput` file descriptor hijack vulnerability was not present (this file descriptor
was added latter for supporting Wayland).

CVE-2023-34059:

A SAML Token Signature Bypass vulnerability was found in VGAUTH component.
A malicious actor that has been granted Guest Operation Privileges
in a target virtual machine might have been able to
elevate their privileges if that target
virtual machine has been assigned a more privileged Guest Alias.

This update fixes CVE-2023-34058 and CVE-2023-34059 for Stretch, but fixes only CVE-2023-34058 for Jessie. Indeed, the vulnerable code (VGAUTH component) was introduced later in upstream version 9.10.0, and thus Jessie was not vulnerable to the attack exposed in CVE-2023-34059.

ELA-998-1 batik security update

Sun, 05 Nov 2023 17:14:28 +0000

Package : batik

Version : 1.7+dfsg-5+deb8u4 (jessie), 1.8-4+deb9u4 (stretch)

Batik is a toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as viewing, generation or manipulation. Various Server-Side Request Forgery (SSRF) vulnerabilities were fixed.

CVE-2020-11987

A server-side request forgery was found, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

CVE-2022-38398

A Server-Side Request Forgery (SSRF) vulnerability was found that allows an attacker to load a URL thru the JAR protocol.

CVE-2022-38648

A Server-Side Request Forgery (SSRF) vulnerability was found that allows an attacker to fetch external resources.

CVE-2022-40146

A Server-Side Request Forgery (SSRF) vulnerability was found that allows an attacker to access files using a JAR type URL.

CVE-2022-44729

A Server-Side Request Forgery (SSRF) vulnerability was found. A malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure.

CVE-2022-44730

A Server-Side Request Forgery (SSRF) vulnerability was found. A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

ELA-997-1 python3.5 security update

Fri, 03 Nov 2023 08:48:21 +0000

Package : python3.5

Version : 3.5.3-1+deb9u8 (stretch)

Multiple vulnerabilities were found in python3.5, an interactive high-level object-oriented language.

CVE-2021-3177:

A regression was fixed in CVE-2021-3177: ISO C90 forbids mixed
declarations and code, that could lead to compilation errors in
some contexts.

CVE-2022-48560:

A use-after-free existed in Python via heappushpop function
in heapq.

CVE-2022-48564:

A DoS attack via CPU and RAM exhaustion
when processing malformed Apple Property List files
in binary format was fixed. This needed a backport of GH-4455.

CVE-2022-48565:

An XML External Entity (XXE) issue
was discovered in Python. The plistlib module no longer
accepts entity declarations in XML plist files to
avoid XML vulnerabilities.

CVE-2022-48566:

An issue was discovered in compare_digest
in Lib/hmac.py in Python. Constant-time-defeating
optimisations were possible in the accumulator variable
in hmac.compare_digest, that would facilitate a side
channel type attack.

CVE-2023-40217:

A race condition was fixed in TLS handling.
If a TLS server-side socket is created, receives data
into the socket buffer, and then is closed quickly,
there is a brief window where the SSLSocket instance
will detect the socket as "not connected" and
won't initiate a handshake, but buffered data will
still be readable from the socket buffer.
This data will not be authenticated if the server-side
TLS peer is expecting client certificate authentication,
and is indistinguishable from valid TLS stream data.
Data is limited in size to the amount that will fit in the buffer.
The TLS connection cannot directly be used for data
exfiltration because the vulnerable code path requires
that the connection be closed on initialization of the SSLSocket.

ELA-996-1 request-tracker4 security update

Thu, 02 Nov 2023 11:11:55 -0300

Package : request-tracker4

Version : 4.4.1-3+deb9u6 (stretch)

Related CVEs : CVE-2023-41259 CVE-2023-41260

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2023-41259

Tom Wolters reported that Request Tracker is vulnerable to accepting
unvalidated RT email headers in incoming email and the mail-gateway REST
interface.

CVE-2023-41260

Tom Wolters reported that Request Tracker is vulnerable to information
leakage via response messages returned from requests sent via the
mail-gateway REST interface

Even if these issues have been fixed, it is strongly recommended to ensure that .../REST/1.0/NoAuth is only accessible for host(s) that run rt-mailgate for submitting email to RT. This is often the system which has request-tracker4 installed. The sample configurations supplied by these packages for Apache2 and Nginx restrict access to localhost only.

ELA-995-1 distro-info test-suite update

Mon, 30 Oct 2023 15:26:11 +0200

Package : distro-info

Version : 0.14+deb8u1 (jessie), 0.14+deb9u1 (stretch)

This is a non-security update, enabling distro-info to continue to build with the distro-info-data update in ELA-994-1, which broke some test-suite assumptions.

This update also allows distro-info to support additional columns in distro-info-data, easing future updates.

ELA-994-1 distro-info-data database update

Mon, 30 Oct 2023 15:25:28 +0200

Package : distro-info-data

Version : 0.36~bpo8+4 (jessie), 0.41+deb10u2~bpo9+4 (stretch)

This is a routine update of the distro-info-data database for Debian LTS users.

It includes Ubuntu 24.10, and makes some minor updates to older EoL dates.

ELA-993-1 gst-plugins-bad1.0 security update

Sat, 28 Oct 2023 18:52:50 +0200

Package : gst-plugins-bad1.0

Version : 1.4.4-2.1+deb8u6 (jessie), 1.10.4-1+deb9u4 (stretch)

ELA-992-1 openjdk-8 security update

Fri, 27 Oct 2023 08:41:34 +0200

Package : openjdk-8

Version : 8u392-ga-1~deb8u1 (jessie), 8u392-ga-1~deb9u1 (stretch)

Related CVEs : CVE-2023-22067 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in authentication bypass, information disclosure or denial of service.

ELA-991-1 linux-5.10 security update

Thu, 26 Oct 2023 10:08:51 +0200

Package : linux-5.10

Version : 5.10.197-1~deb8u1 (jessie), 5.10.197-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-4269

William Zhao discovered that a flaw in the Traffic Control (TC)
subsystem when using a specific networking configuration
(redirecting egress packets to ingress using TC action "mirred"),
may allow a local unprivileged user to cause a denial of service
(triggering a CPU soft lockup).

CVE-2022-39189

Jann Horn discovered that TLB flush operations are mishandled in
the KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which
may allow an unprivileged guest user to compromise the guest
kernel.

CVE-2023-1206

It was discovered that the networking stack permits attackers to
force hash collisions in the IPv6 connection lookup table, which
may result in denial of service (significant increase in the cost
of lookups, increased CPU utilization).

CVE-2023-1380

Jisoo Jang reported a heap out-of-bounds read in the brcmfmac
Wi-Fi driver. On systems using this driver, a local user could
exploit this to read sensitive information or to cause a denial of
service.

CVE-2023-2002

Ruiahn Li reported an incorrect permissions check in the Bluetooth
subsystem. A local user could exploit this to reconfigure local
Bluetooth interfaces, resulting in information leaks, spoofing, or
denial of service (loss of connection).

CVE-2023-2007

Lucas Leong and Reno Robert discovered a
time-of-check-to-time-of-use flaw in the dpt_i2o SCSI controller
driver. A local user with access to a SCSI device using this
driver could exploit this for privilege escalation.

This flaw has been mitigated by removing support for the I2OUSRCMD
operation.

CVE-2023-2124

Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing
metadata validation may result in denial of service or potential
privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2269

Zheng Zhang reported that improper handling of locking in the
device mapper implementation may result in denial of service.

CVE-2023-2898

It was discovered that missing sanitising in the f2fs file system
may result in denial of service if a malformed file system is
accessed.

CVE-2023-3090

It was discovered that missing initialization in ipvlan networking
may lead to an out-of-bounds write vulnerability, resulting in
denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

The TOTE Robot tool found a flaw in the Btrfs filesystem driver
that can lead to a use-after-free. It's unclear whether an
unprivileged user can exploit this.

CVE-2023-3141

A flaw was discovered in the r592 memstick driver that could lead
to a use-after-free after the driver is removed or unbound from a
device. The security impact of this is unclear.

CVE-2023-3212

Yang Lan discovered that missing validation in the GFS2 filesystem
could result in denial of service via a NULL pointer dereference
when mounting a malformed GFS2 filesystem.

CVE-2023-3268

It was discovered that an out-of-bounds memory access in relayfs
could result in denial of service or an information leak.

CVE-2023-3338

Davide Ornaghi discovered a flaw in the DECnet protocol
implementation which could lead to a null pointer dereference or
use-after-free. A local user can exploit this to cause a denial of
service (crash or memory corruption) and probably for privilege
escalation.

This flaw has been mitigated by removing the DECnet protocol
implementation.

CVE-2023-3389

Querijn Voet discovered a use-after-free in the io_uring
subsystem, which may result in denial of service or privilege
escalation.

CVE-2023-3609, CVE-2023-3776. CVE-2023-4128

It was discovered that a use-after-free in the cls_fw, cls_u32,
cls_route and network classifiers may result in denial of service
or potential local privilege escalation.

CVE-2023-3611

It was discovered that an out-of-bounds write in the traffic
control subsystem for the Quick Fair Queueing scheduler (QFQ) may
result in denial of service or privilege escalation.

CVE-2023-3772

Lin Ma discovered a NULL pointer dereference flaw in the XFRM
subsystem which may result in denial of service.

CVE-2023-3773

Lin Ma discovered a flaw in the XFRM subsystem, which may result
in denial of service for a user with the CAP_NET_ADMIN capability
in any user or network namespace.

CVE-2023-3863

It was discovered that a use-after-free in the NFC implementation
may result in denial of service, an information leak or potential
local privilege escalation.

CVE-2023-4004

It was discovered that a use-after-free in Netfilter's
implementation of PIPAPO (PIle PAcket POlicies) may result in
denial of service or potential local privilege escalation for a
user with the CAP_NET_ADMIN capability in any user or network
namespace.

CVE-2023-4132

A use-after-free in the driver for Siano SMS1xxx based MDTV
receivers may result in local denial of service.

CVE-2023-4147

Kevin Rich discovered a use-after-free in Netfilter when adding a
rule with NFTA_RULE_CHAIN_ID, which may result in local privilege
escalation for a user with the CAP_NET_ADMIN capability in any
user or network namespace.

CVE-2023-4194

A type confusion in the implementation of TUN/TAP network devices
may allow a local user to bypass network filters.

CVE-2023-4244

A race condition was found in the nftables subsystem that could
lead to a use-after-free.  A local user could exploit this to
cause a denial of service (crash), information leak, or possibly
for privilege escalation.

CVE-2023-4273

Maxim Suhanov discovered a stack overflow in the exFAT driver,
which may result in local denial of service via a malformed file
system.

CVE-2023-4622

Bing-Jhong Billy Jheng discovered a use-after-free within the Unix
domain sockets component, which may result in local privilege
escalation.

CVE-2023-4623

Budimir Markovic reported a missing configuration check in the
sch_hfsc network scheduler that could lead to a use-after-free or
other problems.  A local user with the CAP_NET_ADMIN capability in
any user or network namespace could exploit this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-4921

"valis" reported flaws in the sch_qfq network scheduler that could
lead to a use-after-free.  A local user with the CAP_NET_ADMIN
capability in any user or network namespace could exploit this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2023-20588

Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and
Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1
micro architecture an integer division by zero may leave stale
quotient data from a previous division, resulting in a potential
leak of sensitive data.

CVE-2023-21255

A use-after-free was discovered in the Android binder driver,
which may result in local privilege escalation on systems where
the binder driver is loaded.

CVE-2023-21400

Ye Zhang and Nicolas Wu discovered a double-free in the io_uring
subsystem, which may result in denial of service or privilege
escalation.

CVE-2023-31084

It was discovered that the DVB Core driver does not properly
handle locking of certain events, allowing a local user to cause a
denial of service.

CVE-2023-34256

The syzbot tool found a time-of-check-to-time-of-use flaw in the
ext4 filesystem driver. An attacker able to mount a disk image or
device that they can also write to directly could exploit this to
cause an out-of-bounds read, possibly resulting in a leak of
sensitive information or denial of service (crash).

CVE-2023-34319

Ross Lagerwall discovered a buffer overrun in Xen's netback driver
which may allow a Xen guest to cause denial of service to the
virtualisation host by sending malformed packets.

CVE-2023-35788

Hangyu Hua discovered that an off-by-one in the Flower traffic
classifier may result in local denial of service or the execution
of privilege escalation.

CVE-2023-35823

A flaw was discovered in the saa7134 media driver that could lead
to a use-after-free after the driver is removed or unbound from a
device. The security impact of this is unclear.

CVE-2023-35824

A flaw was discovered in the dm1105 media driver that could lead
to a use-after-free after the driver is removed or unbound from a
device. The security impact of this is unclear.

CVE-2023-40283

A use-after-free was discovered in Bluetooth L2CAP socket
handling.

CVE-2023-42753

Kyle Zeng discovered an off-by-one error in the netfilter ipset
subsystem which could lead to out-of-bounds memory access.  A
local user with the CAP_NET_ADMIN capability in any user or
network namespace could exploit this to cause a denial of service
(memory corruption or crash) and possibly for privilege
escalation.

CVE-2023-42755

Kyle Zeng discovered missing configuration validation in the
cls_rsvp network classifier which could lead to out-of-bounds
reads.  A local user with the CAP_NET_ADMIN capability in any user
or network namespace could exploit this to cause a denial of
service (crash) or to leak sensitive information.

This flaw has been mitigated by removing the cls_rsvp classifier.

CVE-2023-42756

Kyle Zeng discovered a race condition in the netfiler ipset
subsystem which could lead to an assertion failure.  A local user
with the CAP_NET_ADMIN capability in any user or network namespace
could exploit this to cause a denial of service (crash).

This update additionally fixes Debian bugs #871216, #1035359, #1036543, #1044518, and #1050622; and includes many more bug fixes from stable updates 5.10.180-5.10.197 inclusive.

ELA-990-1 xorg-server security update

Wed, 25 Oct 2023 17:42:22 +0200

Package : xorg-server

Version : 2:1.16.4-1+deb8u12 (jessie), 2:1.19.2-1+deb9u15 (stretch)

Related CVEs : CVE-2023-5367 CVE-2023-5380

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

ELA-989-1 dbus security update

Mon, 23 Oct 2023 15:56:20 +0200

Package : dbus

Version : 1.10.32-0+deb9u3 (stretch)

Related CVEs : CVE-2023-34969

It was found that D-Bus, a simple interprocess messaging system, was susceptible to a denial of service vulnerability if a monitor was being run.

ELA-988-1 redis security update

Mon, 23 Oct 2023 13:49:03 +0100

Package : redis

Version : 2:2.8.17-1+deb8u12 (jessie), 3:3.2.6-3+deb9u12 (stretch)

Related CVEs : CVE-2023-45145

It was discovered that there was an authentication bypass vulnerability in Redis, a popular key-value database similar to memcached.

On startup, Redis began listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) was used, this created a race condition that enabled, during a short period of time, another process to establish an otherwise unauthorized connection.

ELA-987-1 krb5 security update

Mon, 23 Oct 2023 14:27:02 +0300

Package : krb5

Version : 1.12.1+dfsg-19+deb8u8 (jessie), 1.15-1+deb9u5 (stretch)

Related CVEs : CVE-2023-36054

Potential freeing of an uninitialized pointer in kadm_rpc_xdr.c was fixed in krb5, the MIT implementation of the Kerberos network authentication protocol.

ELA-957-2 zabbix regression update

Sat, 21 Oct 2023 12:29:26 +0200

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u6 (jessie), 1:3.0.32+dfsg-0+deb9u5 (stretch)

The last update required an update to the database scheme, but as zabbix does not support upgrading the database scheme if SQlite3 is used, using zabbix-proxy-sqlite3 requires the user to drop the database and recreate it with a supplied sql template file.

However, this template file has not been updated in the previous upload, making this recreation difficult when not knowing the details.

Please read /usr/share/doc/zabbix-proxy-sqlite3/README.Debian for instructions how to create the database file.

Note: All other database backends will automatically update the schema.

ELA-985-2 tomcat8 regression update

Tue, 17 Oct 2023 00:25:04 +0200

Package : tomcat8

Version : 8.5.54-0+deb9u13 (stretch)

A regression was discovered in the Http2UpgradeHandler class of Tomcat 8 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

ELA-986-1 tomcat7 security update

Mon, 16 Oct 2023 13:44:31 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u5 (jessie)

Related CVEs : CVE-2023-42795 CVE-2023-45648

Two security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2023-42795

Information Disclosure. When recycling various internal objects, including
the request and the response, prior to re-use by the next request/response,
an error could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to the
next.

CVE-2023-45648

Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A
specially crafted, invalid trailer header could cause Tomcat to treat a
single request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

ELA-985-1 tomcat8 security update

Mon, 16 Oct 2023 00:14:14 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u27 (jessie), 8.5.54-0+deb9u12 (stretch)

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2023-42795

Information Disclosure. When recycling various internal objects, including
the request and the response, prior to re-use by the next request/response,
an error could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to the
next.

CVE-2023-44487

DoS caused by HTTP/2 frame overhead (Rapid Reset Attack).
Only Tomcat 8 in Debian 9 "Stretch" was affected.

CVE-2023-45648

Request smuggling. Tomcat did not correctly parse HTTP trailer headers. A
specially crafted, invalid trailer header could cause Tomcat to treat a
single request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

ELA-984-1 nghttp2 security update

Sun, 15 Oct 2023 15:20:32 +0200

Package : nghttp2

Version : 1.18.1-1+deb9u3 (stretch)

Related CVEs : CVE-2023-44487

CVE-2023-44487 describes a flaw in the HTTP2 protocol that allows an attacker to rapidly create and cancel streams by sending a HEADERS frame immediately followed by a RST_STREAM. This can cause a denial of service due to resource exhaustion.

The applied patches mitigate this flaw by rate limiting the cancellation of streams and disconnecting the client when this limit is exceeded.

ELA-983-1 python-reportlab security update

Sun, 15 Oct 2023 11:46:51 +0100

Package : python-reportlab

Version : 3.3.0-2+deb9u2 (stretch)

Related CVEs : CVE-2019-19450 CVE-2020-28463

Vulnerabilities were found in python-reportlab, a Python library for creating PDF documents.

CVE-2019-19450

The start_unichar function in paraparser.py was found to evaluate untrusted user input, which could permit remote code execution.

CVE-2020-28463

It was discovered that img tags could be used for Server-side Request Forgery (SSRF). The issue can be mitigated by using the new trustedSchemes and trustedHosts rl_config variables. See “Inline Images” in ch. 6 of the reportlab user manual.

ELA-982-1 curl security update

Wed, 11 Oct 2023 13:51:14 +0200

Package : curl

Version : 7.38.0-4+deb8u27 (jessie), 7.52.1-5+deb9u20 (stretch)

Related CVEs : CVE-2023-38546

An issue was found in Curl, an easy-to-use client-side URL transfer library and command line tool, which could lead to cookie injection from a file named none under certain circumstances.

ELA-981-1 firmware-nonfree security update

Sun, 08 Oct 2023 13:04:23 +0200

Package : firmware-nonfree

Version : 20190114+really20220913-0+deb8u2 (jessie), 20190114+really20220913-0+deb9u2 (stretch)

Intel® released the INTEL-SA-00766 advisory about potential security vulnerabilities in some Intel® PROSet/Wireless WiFi and Killer™ WiFi products may allow escalation of privilege or denial of service. The full advisory is available at [1]

[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html

This updated firmware-nonfree package includes the following firmware files:

Intel Bluetooth AX2xx series:
- ibt-0041-0041.sfi
- ibt-19-0-0.sfi
- ibt-19-0-1.sfi
- ibt-19-0-4.sfi
- ibt-19-16-4.sfi
- ibt-19-240-1.sfi
- ibt-19-240-4.sfi
- ibt-19-32-0.sfi
- ibt-19-32-1.sfi
- ibt-19-32-4.sfi
- ibt-20-0-3.sfi
- ibt-20-1-3.sfi
- ibt-20-1-4.sfi
Intel Wireless 22000 series
- iwlwifi-Qu-b0-hr-b0-77.ucode
- iwlwifi-Qu-b0-jf-b0-77.ucode
- iwlwifi-Qu-c0-hr-b0-77.ucode
- iwlwifi-Qu-c0-jf-b0-77.ucode
- iwlwifi-QuZ-a0-hr-b0-77.ucode
- iwlwifi-cc-a0-77.ucode

The updated firmware files might need updated kernel to work. It is encouraged to verify whether the kernel loaded the updated firmware file and take additional measures if needed.

CVE-2022-27635

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2022-36351

Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow an unauthenticated user to potentially enable denial of
service via adjacent access.

CVE-2022-38076

Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow an authenticated user to potentially enable escalation
of privilege via local access.

CVE-2022-40964

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM)
WiFi software may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2022-46329

Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software
may allow a privileged user to potentially enable escalation of privilege via
local access.

ELA-980-1 libxpm security update

Thu, 05 Oct 2023 13:11:12 +0200

Package : libxpm

Version : 1:3.5.12-0+deb8u3 (jessie), 1:3.5.12-1+deb9u2 (stretch)

Several vulnerabilities were found in libXpm, the X Pixmap (XPM) image library.

CVE-2023-43786

Yair Mizrahi discovered an infinite recursion issue when parsing
crafted XPM files, which would result in denial of service.

CVE-2023-43787

Yair Mizrahi discovered a buffer overflow vulnerability in libX11
when parsing crafted XPM files, which could result in denial of
service or potentially the execution of arbitrary code.

CVE-2023-43788

Alan Coopersmith found an out of bounds read in
XpmCreateXpmImageFromBuffer, which could result in denial of
service when parsing crafted XPM files.

CVE-2023-43789

Alan Coopersmith discovered an out of bounds read issue when
parsing corrupted colormaps, which could lead to denial of
service when parsing crafted XPM files.

ELA-979-1 libx11 security update

Thu, 05 Oct 2023 12:50:34 +0200

Package : libx11

Version : 2:1.6.2-3+deb8u7 (jessie), 2:1.6.4-3+deb9u6 (stretch)

Several vulnerabilities were found in libx11, the X11 client-side library.

CVE-2023-43785

Gregory James Duck discovered an out of bounds memory access in
_XkbReadKeySyms, which could result in denial of service.

CVE-2023-43786

Yair Mizrahi found an infinite recursion in PutSubImage when
parsing a crafted file, which would result in stack exhaustion
and denial of service.

CVE-2023-43787

Yair Mizrahi discovered an integer overflow in XCreateImage
when parsing crafted input, which would result in a small buffer
allocation leading into a buffer overflow. This could result
in denial of service or potentially in arbitrary code execution.

ELA-978-1 cups security update

Tue, 03 Oct 2023 10:32:08 +0200

Package : cups

Version : 1.7.5-11+deb8u12 (jessie), 2.2.1-8+deb9u11 (stretch)

Related CVEs : CVE-2023-4504 CVE-2023-32360

Two issues have been found in cups, the Common UNIX Printing System(tm).

CVE-2023-4504

Due to missing boundary checks a heap-based buffer overflow and code execution might be possible by using crafted postscript documents.

CVE-2023-32360

Unauthorized users might be allowed to fetch recently printed documents.

Since this is a configuration fix, it might be that it does not reach you if you are updating the package. Please double check your /etc/cups/cupsd.conf file, whether it limits the access to CUPS-Get-Document with something like the following

AuthType Default Require user @OWNER @SYSTEM Order deny,allow

(The important line is the ‘AuthType Default’ in this section)

ELA-977-1 libraw security update

Tue, 03 Oct 2023 08:57:46 +0200

Package : libraw

Version : 0.17.2-6+deb9u5 (stretch)

Related CVEs : CVE-2020-22628 CVE-2021-32142

Two buffer overflow vulnerabilities were found in libraw, a raw image decoder library, which could lead to denial of service via application crash or potentially other unspecified impact.

ELA-976-1 exim4 security update

Tue, 03 Oct 2023 01:08:01 +0200

Package : exim4

Version : 4.84.2-2+deb8u11 (jessie), 4.89-2+deb9u11 (stretch)

Related CVEs : CVE-2023-42114 CVE-2023-42116

Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the SPA/NTLM authenticators are used.

ELA-975-1 libvpx security update

Mon, 02 Oct 2023 13:17:41 +0200

Package : libvpx

Version : 1.6.1-3+deb9u5 (stretch)

Related CVEs : CVE-2023-44488

A buffer overflow vulnerability was found in libvpx, a multimedia library for the VP8 and VP9 video codecs, which could result in the execution of arbitrary code if a specially crafted VP9 media stream is processed.

ELA-974-1 ghostscript security update

Sat, 30 Sep 2023 22:58:01 +0300

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u12 (jessie), 9.26a~dfsg-0+deb9u12 (stretch)

CVE-2020-21710

Divide by zero in eps_print_page()

CVE-2020-21890

Buffer overflow in clj_media_size()

CVE-2023-38559

Buffer overflow in devn_pcx_write_rle()

ELA-973-1 libvpx security update

Sat, 30 Sep 2023 20:56:51 +0200

Package : libvpx

Version : 1.3.0-3+deb8u4 (jessie), 1.6.1-3+deb9u4 (stretch)

Related CVEs : CVE-2023-5217

Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

ELA-972-1 exempi security update

Sat, 30 Sep 2023 21:35:20 +0300

Package : exempi

Version : 2.4.1-1+deb9u2 (stretch)

Related CVEs : CVE-2020-18651 CVE-2020-18652

Buffer overflows were fixed in the functions ID3_Support::ID3v2Frame::getFrameValue() and WEBP_Support::VP8XChunk::VP8XChunk() of Exempi, an implementation of XMP (Extensible Metadata Platform).

ELA-942-2 qpdf regression update

Sat, 30 Sep 2023 15:08:14 +0300

Package : qpdf

Version : 6.0.0-2+deb9u2 (stretch)

Two patches were dropped that caused compatibility issues after backport, reopening the following CVEs: CVE-2015-9252, CVE-2017-9209, CVE-2017-11625, CVE-2017-11627

ELA-971-1 libwebp security update

Fri, 29 Sep 2023 21:41:17 -0300

Package : libwebp

Version : 0.5.2-1+deb9u3 (stretch)

Related CVEs : CVE-2023-4863

A buffer overflow in parsing WebP images may result in the execution of arbitrary code.

ELA-970-1 libreoffice security update

Fri, 29 Sep 2023 19:10:07 +0000

Package : libreoffice

Version : 1:4.3.3-2+deb8u14 (jessie)

Related CVEs : CVE-2023-0950

An abitrary code execution vulnerability was found in LibreOffice, an office productivity software suite.

CVE-2023-0950

 An improper Validation of Array Index
 vulnerability was present in the spreadsheet component of
 LibreOffice. This allows an attacker to craft a spreadsheet
 document that will cause an array index underflow when loaded.
 In the affected versions of LibreOffice certain malformed
 spreadsheet formulas, such as AGGREGATE, could be created
 with less parameters passed to the formula interpreter than
 it expected, leading to an array index underflow,
 in which case there is a risk that arbitrary code could be executed

Unfortunately the changes required to fix the remaining issues affecting LibreOffice in Debian jessie are too invasive to be backported. Those issues affect only the use of LibreOffice via its Graphical User Interface (GUI). Users of LibreOffice needing the GUI are encouraged to migrate to Debian stretch or newer. From this point onwards the GUI components of LibreOffice are no longer supported in Debian jessie. Headless LibreOffice will continue to be supported.

ELA-969-1 graphicsmagick security update

Fri, 29 Sep 2023 12:57:44 +0200

Package : graphicsmagick

Version : 1.3.30+hg15796-1~deb9u7 (stretch)

Related CVEs : CVE-2020-21679

ELA-968-1 libreoffice security update

Thu, 28 Sep 2023 16:25:40 +0000

Package : libreoffice

Version : 1:6.1.5-3~deb9u1 (stretch)

Multiple vulnerabilities were found in LibreOffice, an office productivity software suite, leading to arbitrary script execution, improper certificate validation, and weak encryption of password storage in the user’s configuration database.

The changes required to fix all the open vulnerabilities, especially those affecting the Graphical User Interface (GUI), were too invasive to be backported individually, and the risk of regressions was too high, due to large amounts of source code that needed to be modified or rewritten, including an internal library.

A risk analysis was carried out, and it was determined that the best available solution was to backport the buster version of LibreOffice to stretch. This decision means that upon installing this update users of LibreOffice in stretch will be moving from a LibreOffice version of 5.x to 6.1.5. Additionally, this backport required the introduction of libxmlsec1 as new dependency.

CVE-2021-25636

Only use X509Data LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value.

CVE-2022-3140

Insufficient validation of "vnd.libreoffice.command" URI schemes. LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme "vnd.libreoffice.command" specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning.

CVE-2022-26305

Compare authors using Thumbprint An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted.

CVE-2022-26306

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data.

CVE-2022-26307

Add Initialization Vectors to password storage. LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config.

CVE-2022-38745

Libreoffice may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory.

CVE-2023-0950

Improper Validation of Array Index vulnerability in the spreadsheet component allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.

CVE-2023-2255

Improper access control in editor components of LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice.

ELA-967-1 ncurses security update

Thu, 28 Sep 2023 14:48:47 +0100

Package : ncurses

Version : 5.9+20140913-1+deb8u5 (jessie), 6.0+20161126-1+deb9u4 (stretch)

Related CVEs : CVE-2020-19189

An out-of-bounds read problem was found in the postprocess_terminfo function of ncurses, a text-based user interface toolkit, which could potentially lead to an exposure of sensitive information or denial of service.

ELA-966-1 openssl1.0 security update

Tue, 26 Sep 2023 23:36:02 +0200

Package : openssl1.0

Version : 1.0.2u-1~deb9u9 (stretch)

Related CVEs : CVE-2023-3446 CVE-2023-3817

Two issues have been discovered in openssl, a Secure Sockets Layer toolkit. Excessively long DH key or parameter checks can cause significant delays in applications using DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions, potentially leading to Denial of Service attacks when keys or parameters are obtained from untrusted sources.

ELA-964-1 glib2.0 security update

Mon, 25 Sep 2023 17:05:47 -0300

Package : glib2.0

Version : 2.42.1-1+deb8u6 (jessie), 2.50.3-2+deb9u5 (stretch)

Several security vulnerabilities were found in GLib, a general-purpose utility library, used by projects such as GTK+, GIMP, and GNOME.

CVE-2023-29499

GVariant deserialization fails to validate that the input conforms to the
expected format, leading to denial of service.

CVE-2023-32611

GVariant deserialization is vulnerable to a slowdown issue where a crafted
GVariant can cause excessive processing, leading to denial of service.

CVE-2023-32665

GVariant deserialization is vulnerable to an exponential blowup issue where
a crafted GVariant can cause excessive processing, leading to denial of
service.

ELA-965-1 tomcat7 security update

Mon, 25 Sep 2023 21:54:53 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u4 (jessie)

Related CVEs : CVE-2023-24998 CVE-2023-41080

Two security vulnerabilities were discovered in Apache Tomcat, a servlet and JSP engine.

CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
the number of request parts processed. This resulted in the possibility of
an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

If the ROOT (default) web application is configured to use FORM
authentication then it is possible that a specially crafted URL could be
used to trigger a redirect to an URL of the attacker's choice.

ELA-963-1 plexus-utils2 security update

Mon, 25 Sep 2023 17:48:24 +0200

Package : plexus-utils2

Version : 3.0.15-1+deb8u2 (jessie), 3.0.22-1+deb9u1 (stretch)

Related CVEs : CVE-2022-4244 CVE-2022-4245

Two security vulnerabilities have been found in plexus-utils2, a collection of components used by Apache Maven.

CVE-2022-4244

A Directory Traversal issue was discovered in plexus-utils2. This is an
attack which aims to access files and directories that are stored outside
the intended folder. By manipulating files with "dot-dot-slash (../)"
sequences and its variations, or by using absolute file paths, it may be
possible to access arbitrary files and directories stored on the file system,
including application source code, configuration, and other critical system
files.

CVE-2022-4245

The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to
sanitize comments for a --> sequence. This issue means that text contained
in the command string could be interpreted as XML and allow for XML
injection.

ELA-962-1 elfutils security update

Mon, 25 Sep 2023 16:37:38 +0200

Package : elfutils

Version : 0.159-4.2+deb8u2 (jessie), 0.168-1+deb9u2 (stretch)

Related CVEs : CVE-2020-21047

An issue has been found in elfutils, a collection of utilities to handle ELF objects. Due to missing bound checks and reachable asserts, an attacker can use crafted elf files to trigger application crashes that result in denial-of-services.

As part of this update, CVE-2019-7149 has been fixed as well in Stretch. Due to a heap-buffer-overflow problem in function read_srclines() a crafted ELF input can cause segmentation faults.

ELA-961-1 linux-5.10 new linux version

Mon, 25 Sep 2023 09:39:11 +0200

Package : linux-5.10

Version : 5.10.179-5~deb8u1 (jessie)

This update introduces Linux kernel 4.19 to Debian 8 jessie. Linux kernel 4.19 is still supported. Instructions on how to update to 5.10 can be found in the kernel backports page.

ELA-960-1 libapache-mod-jk security update

Sun, 24 Sep 2023 21:18:28 +0200

Package : libapache-mod-jk

Version : 1:1.2.46-0+deb8u2 (jessie), 1:1.2.46-0+deb9u2 (stretch)

Related CVEs : CVE-2023-41081

The mod_jk component of Apache Tomcat Connectors, an Apache 2 module to forward requests from Apache to Tomcat, in some circumstances, such as when a configuration included “JkOptions +ForwardDirectories” but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of this security update, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. This issue affects Apache Tomcat Connectors (mod_jk only).

ELA-959-1 tomcat8 security update

Sun, 24 Sep 2023 17:45:34 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u26 (jessie), 8.5.54-0+deb9u11 (stretch)

Related CVEs : CVE-2023-24998 CVE-2023-41080

Two security vulnerabilities were discovered in Apache Tomcat, a servlet and JSP engine.

CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
the number of request parts processed. This resulted in the possibility of
an attacker triggering a DoS with a malicious upload or series of uploads.

CVE-2023-41080

If the ROOT (default) web application is configured to use FORM
authentication then it is possible that a specially crafted URL could be
used to trigger a redirect to an URL of the attacker's choice.

ELA-958-1 lldpd security update

Sat, 23 Sep 2023 23:57:35 +0200

Package : lldpd

Version : 0.9.6-1+deb9u2 (stretch)

Related CVEs : CVE-2023-41910

Matteo Memelli discovered a flaw in lldpd, an implementation of the IEEE 802.1ab protocol. By crafting a CDP PDU packet with specific CDP_TLV_ADDRESSES TLVs, a malicious actor can remotely force the lldpd daemon to perform an out-of-bounds read on heap memory.

ELA-957-1 zabbix security update

Sat, 23 Sep 2023 19:13:57 +0200

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u5 (jessie)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing to crash the server, information disclosure or Cross-Site-Scripting attacks.

Important Notices: To mitigate CVE-2019-17382, on existing installations, the guest account needs to be manually disabled, for example by disabling the the “Guest group” in the UI: Administration -> User groups -> Guests -> Untick Enabled

CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the "users"
table with the password hash stored as a MD5 hash, which is a known
insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed, not considered by upstream to be a security issue)

An issue was discovered in
zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through
4.4. An attacker can bypass the login page and access the dashboard
page, and then create a Dashboard, Report, Screen, or Map without
any Username/Password (i.e., anonymously). All created elements
(Dashboard/Report/Screen/Map) are accessible by other users and by
an admin.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to
maintain the installation and ensure that only certain IP addresses
can access it. In this way, any user will not be able to access the
Zabbix Frontend while it is being maintained and possible sensitive
data will be prevented from being disclosed. An attacker can bypass
this protection and access the instance using IP address not listed
in the defined range.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain
access to the file system (read-only access on behalf of user
"zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading
to unauthorized access to sensitive data.

CVE-2023-29451

Specially crafted string can cause a buffer overrun in the JSON
parser library leading to a crash of the Zabbix Server or a Zabbix
Proxy.

CVE-2023-29454

A Stored or persistent cross-site scripting (XSS) vulnerability
was found on “Users” section in “Media” tab in “Send to” form field.
When new media is created with malicious code included into field
“Send to” then it will execute when editing the same media.

Note: This issue was accidentially not mentioned in the debian changelog.

CVE-2023-29455

A Reflected XSS attacks, also known as non-persistent attacks, was
found where an attacker can pass malicious code as GET request to
graph.php and system will save it and will execute when current
graph page is opened.

CVE-2023-29456

URL validation scheme receives input from a user and then parses
it to identify its various components. The validation scheme can
ensure that all URL components comply with internet standards.

CVE-2023-29457

A Reflected XSS attacks, also known as non-persistent attacks, was
found where XSS session cookies could be revealed, enabling a
perpetrator to impersonate valid users and abuse their private
accounts.

ELA-956-1 libssh2 security update

Sat, 23 Sep 2023 16:10:28 +0200

Package : libssh2

Version : 1.4.3-4.1+deb8u7 (jessie), 1.7.0-1+deb9u3 (stretch)

Related CVEs : CVE-2020-22218

An issue has been found in libssh2, an SSH2 client-side library, in function _libssh2_packet_add(), which could allow attackers to access out of bounds memory.

ELA-955-1 open-vm-tools security update

Fri, 22 Sep 2023 19:49:26 +0200

Package : open-vm-tools

Version : 2:10.1.5-5055683-4+deb9u5 (stretch)

Related CVEs : CVE-2023-20900

A security vulnerability was found in the Open VMware Tools. A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

ELA-642-2 java-common regression update

Fri, 22 Sep 2023 13:35:47 -0300

Package : java-common

Version : 0.52+deb8u2 (jessie)

The java-common update of ELA-642-1 introduced a bug in /usr/share/java/java_defaults.mk, that made several actually supported architectures were not included in the java_architectures variable.

ELA-954-1 flac security update

Fri, 22 Sep 2023 12:52:45 +0200

Package : flac

Version : 1.3.0-3+deb8u3 (jessie), 1.3.2-2+deb9u3 (stretch)

Related CVEs : CVE-2020-22219

A buffer overflow was discovered in flac, a library handling Free Lossless Audio Codec media, which could potentially result in the execution of arbitrary code.

ELA-953-1 openssl security update

Fri, 22 Sep 2023 10:01:40 +0200

Package : openssl

Version : 1.0.1t-1+deb8u21 (jessie), 1.1.0l-1~deb9u9 (stretch)

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.

CVE-2023-0464

David Benjamin reported a flaw related to the verification of X.509
certificate chains that include policy constraints, which may result
in denial of service.

CVE-2023-0465

David Benjamin reported that invalid certificate policies in leaf
certificates are silently ignored. A malicious CA could take
advantage of this flaw to deliberately assert invalid certificate
policies in order to circumvent policy checking on the certificate
altogether.

CVE-2023-0466

David Benjamin discovered that the implementation of the
X509_VERIFY_PARAM_add0_policy() function does not enable the check
which allows certificates with invalid or incorrect policies to pass
the certificate verification (contrary to its documentation).

CVE-2023-2650

It was discovered that processing malformed ASN.1 object identifiers
or data may result in denial of service.

CVE-2023-3446

It was found that checking excessively long DH keys or parameters
could lead to denial of service.

In addition, the stretch update addresses the following issues:

CVE-2022-4304

A timing based side channel attack was found on the RSA decryption
implementation.

CVE-2023-3817

It was found that checking excessively long DH keys or parameters
could lead to denial of service.

ELA-952-1 gsl security update

Fri, 22 Sep 2023 00:30:37 +0200

Package : gsl

Version : 1.16+dfsg-2+deb8u1 (jessie), 2.3+dfsg-1+deb9u1 (stretch)

Related CVEs : CVE-2020-35357

A buffer overflow can occur when calculating the quantile value using the Statistics Library of GSL (GNU Scientific Library). Processing a maliciously crafted input data for gsl_stats_quantile_from_sorted_data of the library may lead to unexpected application termination or arbitrary code execution.

ELA-951-1 beep security update

Wed, 20 Sep 2023 23:58:53 +0200

Package : beep

Version : 1.3-4+deb9u2 (stretch)

Related CVEs : CVE-2018-1000532

It was found that beep, an advanced PC-speaker beeper, contains an External Control of File Name or Path vulnerability in the --device option that can allow a local unprivileged user to inhibit execution of arbitrary programs by other users, allowing DoS.

ELA-950-1 python2.7 security update

Wed, 20 Sep 2023 21:44:40 +0200

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u11 (jessie), 2.7.13-2+deb9u8 (stretch)

This update fixes multiple vulnerabilities concerning the urlparse module as well as vulnerabilities concerning the heapq, hmac, plistlib and ssl modules.

CVE-2022-0391

The `urlparse` module helps break Uniform Resource Locator (URL) strings
into components. The issue involves how the `urlparse` method does not
sanitize input and allows characters like `'\r'` and `'\n'` in the URL
path.  This flaw allows an attacker to input a crafted URL, leading to
injection attacks.

CVE-2022-48560

A use-after-free exists in Python via `heappushpop` in `heapq`.

CVE-2022-48565

An XML External Entity (XXE) issue was discovered in Python.  The
`plistlib` module no longer accepts entity declarations in XML plist files
to avoid XML vulnerabilities.

CVE-2022-48566

An issue was discovered in `compare_digest` in `Lib/hmac.py` in Python.
Constant-time-defeating optimisations were possible in the accumulator
variable in `hmac.compare_digest`.

CVE-2023-24329

An issue in the `urlparse` component of Python allows attackers to bypass
blocklisting methods by supplying a URL that starts with blank characters.

CVE-2023-40217

The issue primarily affects servers written in Python (such as HTTP
servers) that use TLS client authentication. If a TLS server-side socket is
created, receives data into the socket buffer, and then is closed quickly,
there is a brief window where the `SSLSocket` instance will detect the
socket as "not connected" and won't initiate a handshake, but buffered data
will still be readable from the socket buffer.  This data will not be
authenticated if the server-side TLS peer is expecting client certificate
authentication, and is indistinguishable from valid TLS stream data. Data
is limited in size to the amount that will fit in the buffer. (The TLS
connection cannot directly be used for data exfiltration because the
vulnerable code path requires that the connection be closed on
initialization of the `SSLSocket`.)

ELA-949-1 mutt security update

Wed, 20 Sep 2023 14:49:22 -0300

Package : mutt

Version : 1.5.23-3+deb8u7 (jessie), 1.7.2-1+deb9u7 (stretch)

Related CVEs : CVE-2023-4874 CVE-2023-4875

Two NULL pointer dereference flaws were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which may result in denial of service (application crash) when viewing a specially crafted email or when composing from a specially crafted draft message.

ELA-948-1 linux-4.19 security update

Wed, 20 Sep 2023 13:25:15 +0200

Package : linux-4.19

Version : 4.19.289-2~deb8u1 (jessie), 4.19.289-2~deb9u1 (stretch)

Related CVEs : CVE-2022-40982

Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers.

This mitigation requires updated CPU microcode provided in the intel-microcode package and released as ELA-935-1.

For details please refer to https://downfall.page/ and https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html.

ELA-947-1 linux-5.10 security update

Wed, 20 Sep 2023 10:12:32 +0200

Package : linux-5.10

Version : 5.10.179-5~deb9u1 (stretch)

Related CVEs : CVE-2022-40982 CVE-2023-20569

CVE-2022-40982

Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware
vulnerability for Intel CPUs which allows unprivileged speculative
access to data which was previously stored in vector registers.

This mitigation requires updated CPU microcode provided in the
intel-microcode package.

For details please refer to <https://downfall.page/> and
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html>.

CVE-2023-20569

Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered
INCEPTION, also known as Speculative Return Stack Overflow (SRSO),
a transient execution attack that leaks arbitrary data on all AMD
Zen CPUs. An attacker can mis-train the CPU BTB to predict non-
architectural CALL instructions in kernel space and use this to
control the speculative target of a subsequent kernel RET,
potentially leading to information disclosure via a speculative
side-channel.

For details please refer to
<https://comsec.ethz.ch/research/microarch/inception/> and
<https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-7005>.

ELA-946-1 c-ares security update

Fri, 15 Sep 2023 10:49:43 +0200

Package : c-ares

Version : 1.10.0-2+deb8u7 (jessie), 1.12.0-1+deb9u6 (stretch)

Related CVEs : CVE-2020-22217

A vulnerability has been identified in c-ares, an asynchronous name resolver library:

CVE-2020-22217

A buffer overflow vulnerability has been found in c-ares before
via the function ares_parse_soa_reply in ares_parse_soa_reply.c.
This vulnerability was discovered through fuzzing. Exploitation
of this vulnerability may allow an attacker to execute arbitrary
code or cause a denial of service condition.

ELA-945-1 zabbix security update

Sat, 09 Sep 2023 12:17:33 +0200

Package : zabbix

Version : 1:3.0.32+dfsg-0+deb9u4 (stretch)

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution, potentially allowing to crash the server, information disclosure or Cross-Site-Scripting attacks.

CVE-2013-7484

Zabbix before version 4.4.0alpha2 stores credentials in the "users"
table with the password hash stored as a MD5 hash, which is a known
insecure hashing method. Furthermore, no salt is used with the hash.

CVE-2019-17382 (Disputed, not considered by upstream to be a security issue)

An issue was discovered in
zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through
4.4. An attacker can bypass the login page and access the dashboard
page, and then create a Dashboard, Report, Screen, or Map without
any Username/Password (i.e., anonymously). All created elements
(Dashboard/Report/Screen/Map) are accessible by other users and by
an admin.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to
maintain the installation and ensure that only certain IP addresses
can access it. In this way, any user will not be able to access the
Zabbix Frontend while it is being maintained and possible sensitive
data will be prevented from being disclosed. An attacker can bypass
this protection and access the instance using IP address not listed
in the defined range.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain
access to the file system (read-only access on behalf of user
"zabbix") on the Zabbix Server or Zabbix Proxy, potentially leading
to unauthorized access to sensitive data.

CVE-2023-29451

Specially crafted string can cause a buffer overrun in the JSON
parser library leading to a crash of the Zabbix Server or a Zabbix
Proxy.

CVE-2023-29454

A Stored or persistent cross-site scripting (XSS) vulnerability
was found on “Users” section in “Media” tab in “Send to” form field.
When new media is created with malicious code included into field
“Send to” then it will execute when editing the same media.

Note: This issue was accidentially not mentioned in the debian changelog.

CVE-2023-29455

A Reflected XSS attacks, also known as non-persistent attacks, was
found where an attacker can pass malicious code as GET request to
graph.php and system will save it and will execute when current
graph page is opened.

CVE-2023-29456

URL validation scheme receives input from a user and then parses
it to identify its various components. The validation scheme can
ensure that all URL components comply with internet standards.

CVE-2023-29457

A Reflected XSS attacks, also known as non-persistent attacks, was
found where XSS session cookies could be revealed, enabling a
perpetrator to impersonate valid users and abuse their private
accounts.

ELA-944-1 python-django security update

Thu, 07 Sep 2023 13:33:25 -0700

Package : python-django

Version : 1:1.10.7-2+deb9u21 (stretch)

Related CVEs : CVE-2023-41164

It was discovered that there was a potential denial of service vulnerability in Django, a popular Python-based web development framework.

Upstream reported that there was a potential vulnerability in django.utils.encoding.uri_to_iri(). This method was subject to potential DoS attack via certain inputs with a very large number of Unicode characters.

ELA-943-1 memcached security update

Thu, 07 Sep 2023 11:46:12 -0700

Package : memcached

Version : 1.4.21-1.1+deb8u4 (jessie), 1.4.33-1+deb9u2 (stretch)

Related CVEs : CVE-2022-48571

It was discovered that there was a potential Denial of Service (DoS) vulnerability in memcached, a high-performance in-memory object caching system.

A crash could have occurred when handling “multi-packet” uploads in UDP mode. Deployments of memcached that only use TCP are likely unaffected by this issue.

ELA-942-1 qpdf security update

Thu, 31 Aug 2023 23:57:22 +0200

Package : qpdf

Version : 6.0.0-2+deb9u1 (stretch)

Multiple vulnerabilities were fixed in QPDF, a command-line tool and C++ library that performs content-preserving transformations on PDF files.

ELA-941-1 gst-plugins-ugly1.0 security update

Thu, 31 Aug 2023 23:56:13 +0200

Package : gst-plugins-ugly1.0

Version : 1.10.4-1+deb9u2 (stretch)

Demuxer vulnerabilities have been fixed in the RealMedia demuxers for the GStreamer media framework

ELA-940-1 flask security update

Tue, 29 Aug 2023 21:07:55 +0200

Package : flask

Version : 0.12.1-1+deb9u1 (stretch)

Related CVEs : CVE-2018-1000656 CVE-2019-1010083

Flask, a micro web framework for the Python programming language, contains a improper input validation vulnerability (CWE-20) that can result in large amount of memory usage, possibly leading to denial of service. This attack appears to be exploitable through a crafted JSON data in an incorrect encoding. NOTE: this may overlap CVE-2019-1010083.

ELA-939-1 unrar-nonfree security update

Tue, 29 Aug 2023 00:28:12 +0200

Package : unrar-nonfree

Version : 1:5.6.6-1+deb9u2 (stretch)

Related CVEs : CVE-2023-40477

A specific flaw within the processing of recovery volumes exists in UnRAR, an unarchiver for rar files. It allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. The target must visit a malicious page or open a malicious rar file.

ELA-938-1 rar security update

Tue, 29 Aug 2023 00:18:44 +0200

Package : rar

Version : 2:6.23-1~deb9u1 (stretch)

Related CVEs : CVE-2023-40477

A specific flaw within the processing of recovery volumes exists in RAR, an archive program for rar files. It allows remote attackers to execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability. The target must visit a malicious page or open a malicious rar file.

ELA-937-1 clamav security update

Mon, 28 Aug 2023 16:02:20 +0530

Package : clamav

Version : 0.103.9+dfsg-0+deb8u1 (jessie), 0.103.9+dfsg-0+deb9u1 (stretch)

Related CVEs : CVE-2023-20197

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV, an anti-virus utility for Unix, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

ELA-936-1 ruby-rack security update

Mon, 28 Aug 2023 09:06:31 +0530

Package : ruby-rack

Version : 1.6.4-4+deb9u5 (stretch)

Related CVEs : CVE-2023-27539

It was found out that a carefully crafted input can cause header parsing in Rack, a modular Ruby webserver interface, to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

ELA-935-1 intel-microcode security update

Sun, 27 Aug 2023 01:21:37 +0530

Package : intel-microcode

Version : 3.20230808.1~deb8u1 (jessie), 3.20230808.1~deb9u1 (stretch)

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.

CVE-2022-40982

Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware
vulnerability which allows unprivileged speculative access to data
which was previously stored in vector registers.

For details please refer to https://downfall.page/ and
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/gather-data-sampling.html.

CVE-2022-41804

Unauthorized error injection in Intel SGX or Intel TDX for some
Intel Xeon Processors which may allow a local user to potentially
escalate privileges.

CVE-2023-23908

Improper access control in some 3rd Generation Intel Xeon Scalable
processors may result in an information leak.

ELA-934-1 php7.0 security update

Sat, 26 Aug 2023 21:47:02 +0200

Package : php7.0

Version : 7.0.33-0+deb9u16 (stretch)

Related CVEs : CVE-2023-3823 CVE-2023-3824

Two security vulnerabilities have been found in PHP, a server-side, HTML-embedded scripting language.

CVE-2023-3823

In PHP various XML functions rely on libxml global state to track
configuration variables, like whether external entities are loaded. This
state is assumed to be unchanged unless the user explicitly changes it by
calling appropriate function. However, since the state is process-global,
other modules - such as ImageMagick - may also use this library within the
same process, and change that global state for their internal purposes, and
leave it in a state where external entities loading is enabled. This can
lead to the situation where external XML is parsed with external entities
loaded, which can lead to disclosure of any local files accessible to PHP.
This vulnerable state may persist in the same process across many requests,
until the process is shut down.

CVE-2023-3824

In PHP when loading phar file, while reading PHAR directory entries,
insufficient length checking may lead to a stack buffer overflow, leading
potentially to memory corruption or RCE.

ELA-933-1 php5 security update

Sat, 26 Aug 2023 21:38:25 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u18 (jessie)

Related CVEs : CVE-2023-3823 CVE-2023-3824

Two security vulnerabilities have been found in PHP, a server-side, HTML-embedded scripting language.

CVE-2023-3823

In PHP various XML functions rely on libxml global state to track
configuration variables, like whether external entities are loaded. This
state is assumed to be unchanged unless the user explicitly changes it by
calling appropriate function. However, since the state is process-global,
other modules - such as ImageMagick - may also use this library within the
same process, and change that global state for their internal purposes, and
leave it in a state where external entities loading is enabled. This can
lead to the situation where external XML is parsed with external entities
loaded, which can lead to disclosure of any local files accessible to PHP.
This vulnerable state may persist in the same process across many requests,
until the process is shut down.

CVE-2023-3824

In PHP when loading phar file, while reading PHAR directory entries,
insufficient length checking may lead to a stack buffer overflow, leading
potentially to memory corruption or RCE.

ELA-932-1 openssl1.0 security update

Fri, 25 Aug 2023 23:29:15 +0200

Package : openssl1.0

Version : 1.0.2u-1~deb9u8 (stretch)

Several issues have been found in openssl1.0, a Secure Sockets Layer toolkit.

CVE-2022-1292, CVE-2022-2068

The c_rehash script does not properly sanitise shell metacharacters to prevent
command injection. This script is executed by update-ca-certificates,
from ca-certificates, to re-hash certificates in /etc/ssl/certs/. An attacker
able to place files in this directory could execute arbitrary commands with
the privileges of the script.

CVE-2023-0215, CVE-2023-0286

Multiple vulnerabilities may result in incomplete encryption, side channel attacks,
denial of service or information disclosure.

CVE-2023-0464

David Benjamin reported a flaw related to the verification of X.509 certificate
chains that include policy constraints, which may result in denial of service.

CVE-2023-0465

David Benjamin reported that invalid certificate policies in leaf certificates
are silently ignored. A malicious CA could take advantage of this flaw to
deliberately assert invalid certificate policies in order to circumvent policy
checking on the certificate altogether.

CVE-2023-0466

David Benjamin discovered that the implementation of the
X509_VERIFY_PARAM_add0_policy() function does not enable the check which
allows certificates with invalid or incorrect policies to pass the certificate
verification (contrary to its documentation).

CVE-2023-2650

It was discovered that processing malformed ASN.1 object identifiers or data
may result in denial of service.

ELA-931-1 w3m security update

Thu, 24 Aug 2023 14:11:55 +0200

Package : w3m

Version : 0.5.3-19+deb8u4 (jessie), 0.5.3-34+deb9u2 (stretch)

Related CVEs : CVE-2022-38223

Han Zheng discovered an out-of-bounds write in w3m, a text based web browser and pager. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause Denial of Service (DoS) or possibly have unspecified other impact.

ELA-930-1 snapd security update

Wed, 23 Aug 2023 01:11:22 +0200

Package : snapd

Version : 2.21-2+deb9u3 (stretch)

Related CVEs : CVE-2022-3328

The Qualys Research Team discovered that a race condition existed in the snapd snap-confine binary when preparing the private /tmp mount for a snap. A local attacker could possibly use this issue to escalate privileges and execute arbitrary code.

ELA-929-1 qt4-x11 security update

Tue, 22 Aug 2023 18:50:04 -0400

Package : qt4-x11

Version : 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u5 (jessie), 4:4.8.7+dfsg-11+deb9u4 (stretch)

Several vulnerabilities have been found in qt4-x11, a graphical windowing toolkit.

CVE-2021-3481

While rendering and displaying a crafted Scalable Vector Graphics
(SVG) file this flaw may lead to an unauthorized memory access. The
highest threat from this vulnerability is to data confidentiality
and the application availability.

CVE-2021-45930

An out-of-bounds write in
QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend
(called from QPainterPath::addPath and QPathClipper::intersect).

CVE-2023-32573

Uninitialized variable usage in m_unitsPerEm.

CVE-2023-32763

An application crash in QXmlStreamReader via a crafted XML string
that triggers a situation in which a prefix is greater than a
length.

CVE-2023-34410

Certificate validation for TLS does not always consider whether the
root of a chain is a configured CA certificate.

CVE-2023-37369

There can be an application crash in QXmlStreamReader via a crafted
XML string that triggers a situation in which a prefix is greater
than a length.

CVE-2023-38197

There are infinite loops in recursive entity expansion.

ELA-928-1 poppler security update

Mon, 21 Aug 2023 17:04:48 +0300

Package : poppler

Version : 0.26.5-2+deb8u16 (jessie), 0.48.0-2+deb9u6 (stretch)

Related CVEs : CVE-2020-36023 CVE-2020-36024

Two vulnerabilities have been fixed in poppler, a PDF rendering library.

CVE-2020-36023

Infinite loop in FoFiType1C::cvtGlyph()

CVE-2020-36024

NULL dereference in FoFiType1C::convertToType1()

ELA-927-1 ffmpeg security update

Mon, 21 Aug 2023 10:28:42 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u3 (stretch)

Related CVEs : CVE-2021-28429

An issue has been found in ffmpeg, a tool/library for transcoding, streaming and playing of multimedia files. Due to an integer overflow in av_timecode_make_string() in libavutil/timecode.c, local attackers might cause a Dos with crafted .mov files.

ELA-926-1 opendmarc security update

Fri, 18 Aug 2023 02:00:34 +0200

Package : opendmarc

Version : 1.3.2+ds-0+deb9u1 (stretch)

Related CVEs : CVE-2019-20790 CVE-2020-12272

CVE-2019-20790

OpenDMARC when used with pypolicyd-spf 2.0.2, allows attacks that bypass
SPF and DMARC authentication in situations where the HELO field is
inconsistent with the MAIL FROM field.

CVE-2020-12272

OpenDMARC allows attacks that inject authentication results to provide
false information about the domain that originated an e-mail message. This
is caused by incorrect parsing and interpretation of SPF/DKIM
authentication results, as demonstrated by the example.net(.example.com
substring.

ELA-925-1 openssh security update

Fri, 18 Aug 2023 05:00:01 +0530

Package : openssh

Version : 1:6.7p1-5+deb8u9 (jessie), 1:7.4p1-10+deb9u8 (stretch)

Related CVEs : CVE-2023-38408

A vulnerability was found in OpenSSH. The PKCS#11 feature in the ssh-agent in OpenSSH has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into ssh-agent).

This flaw allows an attacker with control of the forwarded agent-socket on the server and the ability to write to the filesystem of the client host to execute arbitrary code with the privileges of the user running the ssh-agent.

ELA-924-1 open-vm-tools security update

Thu, 17 Aug 2023 09:49:42 +0530

Package : open-vm-tools

Version : 2:9.4.6-1770165-8+deb8u1 (jessie), 2:10.1.5-5055683-4+deb9u4 (stretch)

Related CVEs : CVE-2023-20867

open-vm-tools is a package that provides Open VMware Tools for virtual machines hosted on VMware.

It was discovered that Open VM Tools incorrectly handled certain authentication requests. A fully compromised ESXi host can force Open VM Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.

ELA-923-1 libssh security update

Wed, 16 Aug 2023 19:19:49 -0400

Package : libssh

Version : 0.6.3-4+deb8u6 (jessie), 0.7.3-2+deb9u4 (stretch)

Related CVEs : CVE-2019-14889 CVE-2023-1667

Two security issues have been discovered in libssh, a tiny C SSH library, which may allow a remote authenticated user to cause a denial of service or inject arbitrary commands.

CVE-2019-14889

A flaw was found with the libssh API function ssh_scp_new() in
versions before 0.9.3 and before 0.8.8. When the libssh SCP client
connects to a server, the scp command, which includes a
user-provided path, is executed on the server-side. In case the
library is used in a way where users can influence the third
parameter of the function, it would become possible for an attacker
to inject arbitrary commands, leading to a compromise of the remote
target.

Note that this CVE was previously fixed in jessie and that it has
now been fixed in stretch.

CVE-2023-1667

A NULL pointer dereference was found In libssh during re-keying with
algorithm guessing. This issue may allow an authenticated client to
cause a denial of service.

ELA-922-1 rar security update

Wed, 16 Aug 2023 19:48:04 +0200

Package : rar

Version : 2:6.20-0.1~deb9u1 (stretch)

Related CVEs : CVE-2022-30333

The RAR archiver allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file.

ELA-921-1 unrar-nonfree security update

Wed, 16 Aug 2023 12:01:46 +0200

Package : unrar-nonfree

Version : 1:5.6.6-1+deb9u1 (stretch)

It was discovered that UnRAR, an unarchiver for rar files, allows extraction of files outside of the destination folder via symlink chains. Programming flaws like heap-based buffer overflows or out-of-bounds reads may also cause a denial of service (application crash) if a malformed rar archive is extracted.

ELA-920-1 datatables.js security update

Tue, 15 Aug 2023 19:46:27 +0530

Package : datatables.js

Version : 1.10.13+dfsg-2+deb9u1 (stretch)

Related CVEs : CVE-2021-23445

datatables.js is a jQuery plug-in that makes nice tables from different data sources.

It was discovered that if an array is passed to the HTML escape entities function, it would not have its contents escaped.

ELA-919-1 hdf5 security update

Mon, 14 Aug 2023 00:35:20 +0200

Package : hdf5

Version : 1.10.0-patch1+docs-3+deb9u2 (stretch)

Multiple security vulnerabilities were discovered in HDF5, a Hierarchical Data Format and a library for scientific data. Memory leaks, out-of-bound reads and division by zero errors may lead to a denial of service when processing a malformed HDF file.

ELA-918-1 sox security update

Sun, 13 Aug 2023 15:47:40 +0000

Package : sox

Version : 14.4.1-5+deb8u7 (jessie), 14.4.1-5+deb9u5 (stretch)

Related CVEs : CVE-2023-32627

SoX is a command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files during the conversion.

Sox was vulnerable to divide by zero vulnerability by reading an specialy crafted Creative Voice File (.voc) file, in the read_samples function. This flaw can lead to a denial of service.

ELA-917-1 systemd security update

Thu, 10 Aug 2023 00:24:34 +0200

Package : systemd

Version : 215-17+deb8u15 (jessie)

Related CVEs : CVE-2022-3821 CVE-2023-26604

Systemd is a system and service manager. The following security vulnerabilities have been fixed.

CVE-2023-26604

systemd does not adequately block local privilege escalation for
some Sudo configurations, e.g., plausible sudoers files in which the
"systemctl status" command may be executed. Specifically, systemd does not
set LESSSECURE to 1, and thus other programs may be launched from the less
program. This presents a substantial security risk when running systemctl
from Sudo, because less executes as root when the terminal size is too
small to show the complete systemctl output.

This update introduces a new systemd environment variable called
$SYSTEMD_PAGERSECURE. By default it is set to true which means LESSSECURE
is set to 1. However only the less pager implements such a security
feature and thus will be used whenever $SYSTEMD_PAGERSECURE is true. You
can disable this feature by setting $SYSTEMD_PAGERSECURE to false.

As a general precaution we recommend to carefully review an existing
sudoers file and reassess if certain privileges are still required for
normal users.

CVE-2022-3821

An off-by-one error issue was discovered in Systemd in format_timespan()
function of time-util.c. An attacker could supply specific values for time
and accuracy that leads to buffer overrun in format_timespan(), leading to
a Denial of Service.

ELA-829-1 lldpd security update

Mon, 07 Aug 2023 14:13:04 +0100

Package : lldpd

Version : 0.9.6-1+deb9u1 (stretch)

Related CVEs : CVE-2020-27827 CVE-2021-43612

It was discovered that there were two potential denial of service (DoS) attacks in lldpd, a implementation of the IEEE 802.1ab (LLDP) protocol used to administer and monitor networking devices.

ELA-916-1 systemd security update

Fri, 04 Aug 2023 22:24:01 +0200

Package : systemd

Version : 232-25+deb9u16 (stretch)

Related CVEs : CVE-2022-3821 CVE-2023-26604

Systemd is a system and service manager. The following security vulnerabilities have been fixed.

CVE-2023-26604

systemd does not adequately block local privilege escalation for
some Sudo configurations, e.g., plausible sudoers files in which the
"systemctl status" command may be executed. Specifically, systemd does not
set LESSSECURE to 1, and thus other programs may be launched from the less
program. This presents a substantial security risk when running systemctl
from Sudo, because less executes as root when the terminal size is too
small to show the complete systemctl output.

This update introduces a new systemd environment variable called
$SYSTEMD_PAGERSECURE. By default it is set to true which means LESSSECURE
is set to 1. However only the less pager implements such a security
feature and thus will be used whenever $SYSTEMD_PAGERSECURE is true. You
can disable this feature by setting $SYSTEMD_PAGERSECURE to false.

As a general precaution we recommend to carefully review an existing
sudoers file and reassess if certain privileges are still required for
normal users.

CVE-2022-3821

An off-by-one error issue was discovered in Systemd in format_timespan()
function of time-util.c. An attacker could supply specific values for time
and accuracy that leads to buffer overrun in format_timespan(), leading to
a Denial of Service.

ELA-915-1 linux-5.10 security update

Fri, 04 Aug 2023 14:56:22 +0200

Package : linux-5.10

Version : 5.10.179-3~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-2156

It was discovered that a flaw in the handling of the RPL protocol
may allow an unauthenticated remote attacker to cause a denial of
service if RPL is enabled (not by default in Debian).

CVE-2023-3390

A use-after-free flaw in the netfilter subsystem caused by
incorrect error path handling may result in denial of service or
privilege escalation.

CVE-2023-3610

A use-after-free flaw in the netfilter subsystem caused by
incorrect refcount handling on the table and chain destroy path
may result in denial of service or privilege escalation.

CVE-2023-20593

Tavis Ormandy discovered that under specific microarchitectural
circumstances, a vector register in AMD "Zen 2" CPUs may not be
written to 0 correctly.  This flaw allows an attacker to leak
sensitive information across concurrent processes, hyper threads
and virtualized guests.

For details please refer to
<https://lock.cmpxchg8b.com/zenbleed.html> and
<https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

This issue can also be mitigated by a microcode update through the
amd64-microcode package or a system firmware (BIOS/UEFI) update.
However, the initial microcode release by AMD only provides
updates for second generation EPYC CPUs.  Various Ryzen CPUs are
also affected, but no updates are available yet.

CVE-2023-31248

Mingi Cho discovered a use-after-free flaw in the Netfilter
nf_tables implementation when using nft_chain_lookup_byid, which
may result in local privilege escalation for a user with the
CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-35001

Tanguy DUBROCA discovered an out-of-bounds reads and write flaw in
the Netfilter nf_tables implementation when processing an
nft_byteorder expression, which may result in local privilege
escalation for a user with the CAP_NET_ADMIN capability in any
user or network namespace.

ELA-914-1 python-django security update

Fri, 04 Aug 2023 13:07:39 +0100

Package : python-django

Version : 1:1.10.7-2+deb9u20 (stretch)

A number of vulnerabilities were discovered in Django, a popular Python-based web development framework.

CVE-2021-45115: Denial-of-service possibility in the UserAttributeSimilarityValidator class. UserAttributeSimilarityValidator incurred significant overhead evaluating submitted password that were artificially large in relative to the comparison values. On the assumption that access to user registration was unrestricted this provided a potential vector for a denial-of-service attack. In order to mitigate this issue, relatively long values are now ignored by this class.
CVE-2021-45116: Potential information disclosure in dictsort template filter. Due to leveraging the Django Template Language’s variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key. In order to avoid this possibility, dictsort now works with a restricted resolution logic, that will not call methods, nor allow indexing on dictionaries.
CVE-2021-45452: Potential directory-traversal via Storage.save(). Storage.save() allowed directory-traversal if directly passed suitably crafted file names.
CVE-2023-24580: Potential denial-of-service vulnerability in file uploads. Passing certain inputs to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack. The number of files parts parsed is now limited via the new DATA_UPLOAD_MAX_NUMBER_FILES setting.
CVE-2023-31047: Prevent a potential bypass of validation when uploading multiple files using one form field. Uploading multiple files using one form field has never been supported by forms.FileField or forms.ImageField as only the last uploaded file was validated. Unfortunately, Uploading multiple files topic suggested otherwise. In order to avoid the vulnerability, the ClearableFileInput and FileInput form widgets now raise ValueError when the multiple HTML attribute is set on them. To prevent the exception and keep the old behavior, set the allow_multiple_selected attribute to True.

ELA-913-1 bouncycastle security update

Wed, 02 Aug 2023 18:40:10 +0000

Package : bouncycastle

Version : 1.56-1+deb9u4 (stretch)

Related CVEs : CVE-2023-33201

Bouncy Castle is a collection of APIs used in cryptography. It includes APIs for both the Java and the C# programming languages.

Bouncy Castle was vulnerable due to a LDAP injection in X509 certificates handling. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate’s Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

ELA-912-1 symfony security update

Wed, 02 Aug 2023 18:25:20 +0200

Package : symfony

Version : 2.8.7+dfsg-1.3+deb9u4 (stretch)

Multiple security vulnerabilities were found in symfony, a PHP framework for web and console applications and a set of reusable PHP components, which could lead to information disclosure or impersonation.

CVE-2018-14774

When using HttpCache, the values of the X-Forwarded-Host headers are implicitly
and wrongly set as trusted, leading to potential host header injection.

CVE-2021-21424

James Isaac, Mathias Brodala and Laurent Minguet discovered that it was
possible to enumerate users without relevant permissions due to different
exception messages depending on whether the user existed or not. It was also
possible to enumerate users by using a timing attack, by comparing time
elapsed when authenticating an existing user and authenticating a
non-existing user.

403s are now returned whether the user exists or not if a user cannot
switch to a user or if the user does not exist.

CVE-2022-24894

Soner Sayakci discovered that when the Symfony HTTP cache system is
enabled, the response header might be stored with a Set-Cookie header and
returned to some other clients, thereby allowing an attacker to retrieve the
victim's session.

The HttpStore constructor now takes a parameter containing a list of
private headers that are removed from the HTTP response headers. The default
value for this parameter is Set-Cookie, but it can be overridden or extended
by the application.

CVE-2022-24895

Marco Squarcina discovered that CSRF tokens weren't cleared upon login,
which could enable same-site attackers to bypass the CSRF protection
mechanism by performing an attack similar to a session-fixation.

ELA-911-1 phpmyadmin security update

Wed, 02 Aug 2023 00:11:05 +0200

Package : phpmyadmin

Version : 4:4.6.6-4+deb9u3 (stretch)

Related CVEs : CVE-2020-22452 CVE-2023-25727

phpMyAdmin is a popular MySQL web administration tool. The following security vulnerabilities have been addressed:

CVE-2020-22452

SQL Injection vulnerability in function getTableCreationQuery in
CreateAddField.php in phpMyAdmin via the tbl_storage_engine or
tbl_collation parameters to tbl_create.php.

CVE-2023-25727

In phpMyAdmin an authenticated user can trigger XSS by uploading a crafted
.sql file through the drag-and-drop interface.

ELA-910-1 amd64-microcode security update

Tue, 01 Aug 2023 10:41:18 +0200

Package : amd64-microcode

Version : 3.20230719.1~deb8u1 (jessie), 3.20230719.1~deb9u1 (stretch)

Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in “Zen 2” CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.

For details please refer to https://lock.cmpxchg8b.com/zenbleed.html https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

The initial microcode release by AMD only provides updates for second generation EPYC CPUs: Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released.

Ruiyi Zhang, Lukas Gerlach, Daniel Weber, Lorenz Hetterich, Youheng Lü, Andreas Kogler and Michael Schwarz discovered a software-based fault injection attack on SEV VMs, leading to a potential loss of guest virtual machine memory integrity.

For details please refer to https://cachewarpattack.com/ https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3005.html

For more specific details and target dates please refer to the AMD advisory at https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

ELA-909-1 tiff security update

Mon, 31 Jul 2023 23:50:52 +0000

Package : tiff

Version : 4.0.3-12.3+deb8u16 (jessie), 4.0.8-2+deb9u11 (stretch)

CVE-2023-2908

NULL pointer dereference in tif_dir.c

CVE-2023-3316

NULL pointer dereference in TIFFClose()

CVE-2023-3618

Buffer overflow in tiffcrop

CVE-2023-25433

Buffer overflow in tiffcrop

CVE-2023-26965

Use after free in tiffcrop

CVE-2023-26966

Buffer overflow in uv_encode()

CVE-2023-40745

Integer overflow in tiffcp

CVE-2023-41175

Integer overflow in raw2tiff

ELA-908-1 netty-3.9 security update

Mon, 31 Jul 2023 18:34:23 +0200

Package : netty-3.9

Version : 3.9.0.Final-1+deb8u2 (jessie)

Related CVEs : CVE-2021-21290

It was discovered that there was an insecure temporary file issue that could have lead to disclosure of arbitrary local files.

ELA-907-1 linux-4.19 security update

Mon, 31 Jul 2023 12:02:43 +0200

Package : linux-4.19

Version : 4.19.289-1~deb8u1 (jessie), 4.19.289-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-1380

Jisoo Jang reported a heap out-of-bounds read in the brcmfmac
Wi-Fi driver.  On systems using this driver, a local user could
exploit this to read sensitive information or to cause a denial of
service (crash).

CVE-2023-2002

Ruiahn Li reported an incorrect permissions check in the Bluetooth
subsystem.  A local user could exploit this to reconfigure local
Bluetooth interfaces, resulting in information leaks, spoofing, or
denial of service (loss of connection).

CVE-2023-2007

Lucas Leong (@_wmliang_) and Reno Robert of Trend Micro Zero Day
Initiative discovered a time-of-check-to-time-of-use flaw in the
dpt_i2o SCSI controller driver.  A local user with access to a
SCSI device using this driver could exploit this for privilege
escalation.

This flaw has been mitigated by removing support for the I2OUSRCMD
operation.

CVE-2023-2269

Zheng Zhang reported that improper handling of locking in the
device mapper implementation may result in denial of service.

CVE-2023-3090

It was discovered that missing initialization in ipvlan networking
may lead to an out-of-bounds write vulnerability, resulting in
denial of service or potentially the execution of arbitrary code.

CVE-2023-3111

The TOTE Robot tool found a flaw in the Btrfs filesystem driver
that can lead to a use-after-free.  It's unclear whether an
unprivileged user can exploit this.

CVE-2023-3141

A flaw was discovered in the r592 memstick driver that could lead
to a use-after-free after the driver is removed or unbound from a
device.  The security impact of this is unclear.

CVE-2023-3268

It was discovered that an out-of-bounds memory access in relayfs
could result in denial of service or an information leak.

CVE-2023-3338

Ornaghi Davide discovered a flaw in the DECnet protocol
implementation which could lead to a null pointer dereference or
use-after-free.  A local user can exploit this to cause a denial
of service (crash or memory corruption) and probably for privilege
escalation.

This flaw has been mitigated by removing the DECnet protocol
implementation.

CVE-2023-20593

Tavis Ormandy discovered that under specific microarchitectural
circumstances, a vector register in AMD "Zen 2" CPUs may not be
written to 0 correctly.  This flaw allows an attacker to leak
sensitive information across concurrent processes, hyper threads
and virtualized guests.

For details please refer to
<https://lock.cmpxchg8b.com/zenbleed.html> and
<https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8>.

This issue can also be mitigated by a microcode update through the
amd64-microcode package or a system firmware (BIOS/UEFI) update.
However, the initial microcode release by AMD only provides
updates for second generation EPYC CPUs.  Various Ryzen CPUs are
also affected, but no updates are available yet.

CVE-2023-31084

It was discovered that the DVB Core driver does not properly
handle locking of certain events, allowing a local user to cause a
denial of service.

CVE-2023-32233

Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw
in the Netfilter nf_tables implementation when processing batch
requests, which may result in local privilege escalation for a
user with the CAP_NET_ADMIN capability in any user or network
namespace.

CVE-2023-34256

The syzbot tool found a time-of-check-to-time-of-use flaw in the
ext4 filesystem driver.  An attacker able to mount a disk image or
device that they can also write to directly could exploit this to
cause an out-of-bounds read, possibly resulting in a leak of
sensitive information or denial of service (crash).

CVE-2023-35788

Hangyu Hua discovered an out-of-bounds write vulnerability in the
Flower classifier which may result in denial of service or the
execution of arbitrary code.

CVE-2023-35823

A flaw was discovered in the saa7134 media driver that could lead
to a use-after-free after the driver is removed or unbound from a
device.  The security impact of this is unclear.

CVE-2023-35824

A flaw was discovered in the dm1105 media driver that could lead
to a use-after-free after the driver is removed or unbound from a
device.  The security impact of this is unclear.

CVE-2023-35828

A flaw was discovered in the renesas_udc USB device-mode driver
that could lead to a use-after-free after the driver is removed or
unbound from a device.  The security impact of this is unclear.

This driver is not enabled in Debian's official kernel
configurations.

ELA-906-1 monit security update

Sun, 30 Jul 2023 22:33:32 +0200

Package : monit

Version : 1:5.9-1+deb8u3 (jessie), 1:5.20.0-6+deb9u3 (stretch)

Related CVEs : CVE-2022-26563

Youssef Rebahi-Gilbert discovered that users with disabled accounts but with a valid password can login to Monit, a utility for monitoring and managing daemons or similar programs, due to a flaw in the PAM authentication check.

ELA-905-1 ckeditor security update

Sat, 29 Jul 2023 09:32:16 +0000

Package : ckeditor

Version : 4.4.4+dfsg1-2+deb8u2 (jessie), 4.5.7+dfsg-2+deb9u2 (stretch)

Related CVEs : CVE-2021-37695

A regression was introduced after fixing CVE-2021-37695 in ckeditor a rich text editor for the web written in javascript. This regression was due to lack of polyfill (a snippet of code that patches a piece of functionality that is missing in some browsers) in stretch and jessie for javascript array class. This was fixed by manually emulating the polyfill. This regression was introduced in DLA-2813-1 for stretch and ELA-513-1 for jessie.

ELA-903-1 phpseclib security update

Thu, 27 Jul 2023 21:09:45 +0000

Package : phpseclib

Version : 1.0.19-1~deb9u1 (stretch)

Related CVEs : CVE-2021-30130

The PHP Secure Communications Library is a fully PKCS#1 (v2.1) compliant RSA, DES, 3DES, RC4, Rijndael, AES, Blowfish, Twofish, SSH-1, SSH-2, SFTP, and X.509 implementation. This library mishandled RSA PKCS#1 v1.5 signature verification.

ELA-902-1 iperf3 security update

Thu, 27 Jul 2023 18:05:26 +0200

Package : iperf3

Version : 3.0.7-1+deb8u2 (jessie), 3.1.3-1+deb9u1 (stretch)

Related CVEs : CVE-2023-38403

A memory allocation issue was found in iperf3, the Internet Protocol bandwidth measuring tool, that may cause a denial of service when encountering a certain invalid length value in TCP packets.

ELA-901-1 openjdk-8 security update

Thu, 27 Jul 2023 16:24:24 +0200

Package : openjdk-8

Version : 8u382-ga-1~deb8u1 (jessie), 8u382-ga-1~deb9u1 (stretch)

Related CVEs : CVE-2023-22045 CVE-2023-22049

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure or denial of service.

ELA-900-1 gst-plugins-good1.0 security update

Tue, 25 Jul 2023 23:52:43 +0200

Package : gst-plugins-good1.0

Version : 1.4.4-2+deb8u6 (jessie), 1.10.4-1+deb9u3 (stretch)

Related CVEs : CVE-2023-37327

Multiple multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

ELA-899-1 gst-plugins-base1.0 security update

Tue, 25 Jul 2023 23:48:57 +0200

Package : gst-plugins-base1.0

Version : 1.4.4-2+deb8u4 (jessie), 1.10.4-1+deb9u3 (stretch)

Related CVEs : CVE-2023-37328

ELA-898-1 gst-plugins-bad1.0 security update

Tue, 25 Jul 2023 23:45:52 +0200

Package : gst-plugins-bad1.0

Version : 1.4.4-2.1+deb8u5 (jessie), 1.10.4-1+deb9u3 (stretch)

Related CVEs : CVE-2023-37329

ELA-904-1 bind9 security update

Tue, 25 Jul 2023 12:15:22 +0100

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u29 (jessie), 1:9.10.3.dfsg.P4-12.3+deb9u14 (stretch)

Related CVEs : CVE-2023-2828

A potential denial of service (DoS) vulnerability was discovered in bind9, the popular DNS server.

Every named instance configured to run as a recursive resolver maintains a cache database holding the responses to the queries it has recently sent to authoritative servers. The size limit for that cache database can be configured using the max-cache-size statement in the configuration file which defaults to 90% of the total amount of memory available on the host. When the size of the cache reaches 7/8 of the configured limit, a cache-cleaning algorithm starts to remove expired and/or least-recently used RRsets from the cache in order to keep memory use below the configured limit.

However, it was discovered that the effectiveness of the cache-cleaning algorithm used in named can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured max-cache-size limit to be significantly exceeded.

By exploiting this flaw, an attacker could have caused the amount of memory used by a named resolver to go well beyond the configured max-cache-size limit. The effectiveness of the attack depends on a number of factors (e.g. query load, query patterns), but since the default value of the max-cache-size statement is 90%, in the worst case, the attacker can exhaust all available memory on the host running named, leading to a denial-of-service condition.

ELA-897-1 python-werkzeug security update

Tue, 25 Jul 2023 08:36:06 +0000

Package : python-werkzeug

Version : 0.9.6+dfsg-1+deb8u3 (jessie), 0.11.15+dfsg1-1+deb9u2 (stretch)

Related CVEs : CVE-2023-23934 CVE-2023-25577

Multiple vulnerabilities were found in Werkzeug, a comprehensive WSGI web application library written in python.

CVE-2023-23934:

Werkzeug will parse the cookie `=__Host-test=bad` as
`__Host-test=bad`. If a Werkzeug application is running next to a
vulnerable or malicious subdomain which sets such a cookie using a
vulnerable browser, the Werkzeug application will see the bad cookie
value but the valid cookie key. Browsers may allow "nameless" cookies
that look like `=value` instead of `key=value`. A vulnerable browser
may allow a compromised application on an adjacent subdomain to
exploit this to set a cookie like `=__Host-test=bad` for another
subdomain.

CVE-2023-25577:

Werkzeug's multipart form data parser will parse an
unlimited number of parts, including file parts. Parts can be a small
amount of bytes, but each requires CPU time to parse and may use more
memory as Python data. If a request can be made to an endpoint that
accesses `request.data`, `request.form`, `request.files`, or
`request.get_data(parse_form_data=False)`, it can cause unexpectedly
high resource usage. This allows an attacker to cause a denial of
service by sending crafted multipart data to an endpoint that will
parse it.

ELA-896-1 twisted security update

Sat, 22 Jul 2023 18:08:15 +0200

Package : twisted

Version : 14.0.2-3+deb8u6 (jessie), 16.6.0-2+deb9u4 (stretch)

Multiple vulnerabilities were discovered in Twisted, an event-based framework for internet applications written in Python. An attacker may initiate request smuggling, Man-In-The-Middle (MITM) communication interception and cross-site-scripting (XSS).

CVE-2019-12387

twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF.
CVE-2019-12855

In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2022-39348

When the host header does not match a configured host twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection. In practice this should be very difficult to exploit as being able to modify the Host header of a normal HTTP request implies that one is already in a privileged position.

ELA-895-1 netty-3.9 security update

Sun, 16 Jul 2023 18:45:29 +0200

Package : netty-3.9

Version : 3.9.9.Final-1+deb9u2 (stretch)

Related CVEs : CVE-2021-21290

It was discovered that there was an insecure temporary file issue that could have lead to disclosure of arbitrary local files.

ELA-894-1 python-git security update

Sat, 15 Jul 2023 19:51:20 +0200

Package : python-git

Version : 2.1.1-2+deb9u1 (stretch)

Related CVEs : CVE-2022-24439

python-git, a Python library to interact with Git repositories, is vulnerable to shell injection due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command.

ELA-893-1 pypdf2 security update

Fri, 14 Jul 2023 23:43:15 +0300

Package : pypdf2

Version : 1.26.0-2+deb9u2 (stretch)

Related CVEs : CVE-2023-36810

Quadratic runtime with malformed PDFs missing xref marker has been fixed in PyPDF2, a pure Python PDF library.

ELA-892-1 yajl security update

Tue, 11 Jul 2023 18:56:29 +0200

Package : yajl

Version : 2.1.0-2+deb8u2 (jessie), 2.1.0-2+deb9u2 (stretch)

Multiple vulnerabilties have been found in yajl, a JSON parser / small validating JSON generator# written in ANSI C, which potentially can cause memory corruption or DoS.

The CVE-20117-16516 had been addressed already in ELA-888-1, however the fix has been found to be incomplete as it missed an additional memory leak. This update fixes that problem.

CVE-2017-16516

When a crafted JSON file is supplied to yajl, the process might
crash with a SIGABRT in the yajl_string_decode function in 
yajl_encode.c. This results potentially in a denial of service.

CVE-2022-24795

The 1.x branch and the 2.x branch of `yajl` contain an integer overflow
which leads to subsequent heap memory corruption when dealing with large
(~2GB) inputs.

CVE-2023-33460

There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse function,
which potentially cause out-of-memory in server and cause crash.

ELA-891-1 nsis security update

Tue, 11 Jul 2023 09:00:27 +0100

Package : nsis

Version : 2.51-1+deb9u1

Related CVEs : CVE-2023-37378

It was discovered that the Nullsoft Scriptable Install System (NSIS) before version 3.09 mishandles access control for the uninstaller directory.

ELA-890-1 php-cas security update

Sun, 09 Jul 2023 17:55:46 +0200

Package : php-cas

Version : 1.3.3-4+deb9u1 (stretch)

Related CVEs : CVE-2017-1000071 CVE-2022-39369

Two vulnerabilities has been found in phpCAS, a Central Authentication Service client library in php, which may allow an attacker to gain access to a victim’s account on a vulnerable CASified service without victim’s knowledge, when the victim visits attacker’s website while being logged in to the same CAS server and an possible authentication bypass vulnerability, if used with an vulnerable CAS server suspectible to XML injection.

The fix for this vulnerabilty requires an API breaking change in php-cas and will require that software using the library be updated.

The only package depending on php-cas in stretch, package fusiondirectory, is not supported by ELTS und therefore has not been updated. It will stop working if configured to use CAS.

For software using php-cas, please see the upstream instructions how to update this software [1]:

phpCAS now requires an additional service base URL argument when constructing the client class. It accepts any argument of:

A service base URL string. The service URL discovery will always use this server name (protocol, hostname and port number) without using any external host names.
An array of service base URL strings. The service URL discovery will check against this list before using the auto discovered base URL. If there is no match, the first base URL in the array will be used as the default. This option is helpful if your PHP website is accessible through multiple domains without a canonical name, or through both HTTP and HTTPS.
A class that implements CAS_ServiceBaseUrl_Interface. If you need to customize the base URL discovery behavior, you can pass in a class that implements the interface.

Constructing the client class is usually done with phpCAS::client().

For example, using the first possiblity:
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
could become:
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, "https://casified-service.example.org:8080");

Details of the vulnerabilities:

CVE-2022-39369

The phpCAS library uses HTTP headers to determine the service URL used
to validate tickets. This allows an attacker to control the host header
and use a valid ticket granted for any authorized service in the same
SSO realm (CAS server) to authenticate to the service protected by
phpCAS.  Depending on the settings of the CAS server service registry in
worst case this may be any other service URL (if the allowed URLs are
configured to "^(https)://.*") or may be strictly limited to known and
authorized services in the same SSO federation if proper URL service
validation is applied.

CVE-2017-1000071

Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass 
in the validateCAS20 function when configured to authenticate
against an old CAS server (which needs to be suspectible to XML tag)

[1] https://github.com/apereo/phpCAS/blob/f3db27efd1f5020e71f2116f637a25cc9dbda1e3/docs/Upgrading#L1C1-L1C1

ELA-889-1 dpdk security update

Sat, 08 Jul 2023 18:31:04 -0300

Package : dpdk

Version : 16.11.11-1+deb9u3 (stretch)

Related CVEs : CVE-2022-2132

A buffer overflow was discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers.

ELA-883-2 c-ares regression update

Tue, 04 Jul 2023 21:06:10 +0200

Package : c-ares

Version : 1.10.0-2+deb8u6 (jessie), 1.12.0-1+deb9u5 (stretch)

The previous security update of c-ares, issued as ELA-883-1, causes a regression on both Jessie and Stretch suites.

This update fixes this regression.

ELA-888-1 yajl security update

Sat, 01 Jul 2023 11:58:07 +0200

Package : yajl

Version : 2.1.0-2+deb8u1 (jessie), 2.1.0-2+deb9u1 (stretch)

Related CVEs : CVE-2023-33460

A memory leak has been found in yajl, a JSON parser / small validating JSON generator written in ANSI C, which might allow an attacker to cause an out of memory situation and potentially causing a crash.

ELA-887-1 cups security update

Sat, 01 Jul 2023 00:33:54 +0200

Package : cups

Version : 1.7.5-11+deb8u11 (jessie), 2.2.1-8+deb9u10 (stretch)

Related CVEs : CVE-2023-34241

An issue has been found in cups, the Common UNIX Printing System(tm). Due to a use-after-free bug an attacker could cause a denial-of-service. In case of having access to the log files, an attacker could also exfiltrate private keys or other sensitive information from the cups daemon.

ELA-886-1 ffmpeg security update

Fri, 30 Jun 2023 23:52:05 +0200

Package : ffmpeg

Version : 7:3.2.19-0+deb9u2 (stretch)

Related CVEs : CVE-2022-3109 CVE-2022-3341

Two null pointer dereferences have been fixed in the FFmpeg multimedia framework.

CVE-2022-3109

Null pointer dereference in vp3_decode_frame()

CVE-2022-3341

Null pointer dereference in nutdec.c

ELA-885-1 python3.4 security update

Fri, 30 Jun 2023 23:51:57 +0200

Package : python3.4

Version : 3.4.2-1+deb8u15 (jessie)

Related CVEs : CVE-2015-20107 CVE-2022-45061

Several vulnerabilities were fixed in the Python3 interpreter.

CVE-2015-20107

The mailcap module did not add escape characters into commands discovered in the system mailcap file.

CVE-2022-45061

Quadratic time in the IDNA decoder.

ELA-884-1 python3.5 security update

Fri, 30 Jun 2023 23:51:40 +0200

Package : python3.5

Version : 3.5.3-1+deb9u7 (stretch)

Several vulnerabilities were fixed in the Python3 interpreter.

CVE-2015-20107

The mailcap module did not add escape characters into commands discovered in the system mailcap file.

CVE-2021-4189

Make ftplib not trust the PASV response.

CVE-2022-45061

Quadratic time in the IDNA decoder.

ELA-883-1 c-ares security update

Fri, 30 Jun 2023 23:05:33 +0200

Package : c-ares

Version : 1.10.0-2+deb8u5 (jessie), 1.12.0-1+deb9u4 (stretch)

Related CVEs : CVE-2023-31130 CVE-2023-32067

Two vulnerabilities were discovered in c-ares, an asynchronous name resolver library:

CVE-2023-31130

ares_inet_net_pton() is found to be vulnerable to a buffer underflow
for certain ipv6 addresses, in particular "0::00:00:00/2" was found
to cause an issue. c-ares only uses this function internally for
configuration purposes, however external usage for other purposes may
cause more severe issues.

CVE-2023-32067

Target resolver may erroneously interprets a malformed UDP packet
with a length of 0 as a graceful shutdown of the connection, which
could cause a denial of service.

ELA-882-1 postgresql-9.4 security update

Thu, 29 Jun 2023 20:43:30 +0000

Package : postgresql-9.4

Version : 9.4.26-0+deb8u7 (jessie)

Related CVEs : CVE-2023-2454

schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an attacker with elevated database-level privileges to execute arbitrary code.

ELA-881-1 libx11 security update

Thu, 29 Jun 2023 14:57:16 +0300

Package : libx11

Version : 2:1.6.2-3+deb8u6 (jessie), 2:1.6.4-3+deb9u5 (stretch)

Related CVEs : CVE-2023-3138

Missing input validation in various functions may have resulted in denial of service in various functions provided by libx11, the X11 client-side library.

ELA-880-1 postgresql-9.6 security update

Wed, 28 Jun 2023 21:14:33 +0000

Package : postgresql-9.6

Version : 9.6.24-0+deb9u4 (stretch)

Related CVEs : CVE-2023-2454 CVE-2023-2455

CVE-2023-2454:

schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an attacker with elevated database-level privileges to execute arbitrary code.

CVE-2023-2455:

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.

ELA-879-1 lua5.3 security update

Mon, 26 Jun 2023 10:10:31 +0000

Package : lua5.3

Version : 5.3.3-1+deb9u2 (stretch)

Related CVEs : CVE-2019-6706

A use after free was found in lua 5.3. A crash might be triggered by a debug.upvaluejoin call with specially crafted parameters.

ELA-878-1 libwebp security update

Mon, 26 Jun 2023 11:28:39 +0300

Package : libwebp

Version : 0.5.2-1+deb9u2 (stretch)

Related CVEs : CVE-2023-1999

Double free which may result in denial of service was fixed in the libwebp image compression library.

ELA-877-1 xmltooling security update

Fri, 23 Jun 2023 15:01:59 -0300

Package : xmltooling

Version : 1.5.3-2+deb8u5 (jessie)

Related CVEs : CVE-2023-36661

Jurien de Jong discovered that the parsing of KeyInfo elements within the XMLTooling library may result in server-side request forgery.

ELA-876-1 hsqldb1.8.0 security update

Wed, 21 Jun 2023 19:00:32 +0200

Package : hsqldb1.8.0

Version : 1.8.0.10+dfsg-7+deb9u1 (stretch)

Related CVEs : CVE-2023-1183

Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL database engine, allowed the execution of spurious scripting commands in .script and .log files. Hsqldb supports a “SCRIPT” keyword which is normally used to record the commands input by the database admin to output such a script. In combination with LibreOffice, an attacker could craft an odb containing a “database/script” file which itself contained a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

ELA-875-1 libxpm security update

Tue, 20 Jun 2023 20:11:42 +0000

Package : libxpm

Version : 1:3.5.12-0+deb8u2 (jessie), 1:3.5.12-1+deb9u1 (stretch)

Multiple vulnerabilities were found in libxpm, a library handling X PixMap image format (so called xpm files). xpm files are an extension of the monochrome X BitMap format specified in the X protocol, and are commonly used in traditional X applications.

CVE-2022-4883

When processing files with .Z or .gz extensions, the library calls external programs to compress and uncompress files, relying on the PATH environment variable to find these programs, which could allow a malicious user to execute other programs by manipulating the PATH environment variable.

CVE-2022-44617

When processing a file with width of 0 and a very large height, some parser functions will be called repeatedly and can lead to an infinite loop, resulting in a Denial of Service in the application linked to the library.

CVE-2022-46285

When parsing a file with a comment not closed an end-of-file condition will not be detected, leading to an infinite loop and resulting in a Denial of Service in the application linked to the library.

ELA-873-1 php7.0 security update

Tue, 20 Jun 2023 19:50:37 +0200

Package : php7.0

Version : 7.0.33-0+deb9u15 (stretch)

Related CVEs : CVE-2023-3247

Niels Dossche and Tim Düsterhus discovered that PHP’s implementation of the SOAP HTTP Digest authentication used an insufficient number of random bytes. This would affect PHP applications that use SOAP with HTTP Digest authentication against a possibly malicious server over HTTP.

ELA-872-1 libfastjson security update

Tue, 20 Jun 2023 19:42:17 +0200

Package : libfastjson

Version : 0.99.4-1+deb9u1 (stretch)

Related CVEs : CVE-2020-12762

An issue has been found in libfastjson, a fast json library for C. Due to missing checks, out-of-bounds write might happen when parsing large JSON files.

ELA-874-1 glibc security update

Tue, 20 Jun 2023 14:21:57 +0200

Package : glibc

Version : 2.19-18+deb8u12 (jessie)

Related CVEs : CVE-2015-20109

This update fixes a denial of service condition in fnmatch. This is a variant of CVE-2015-8984, which has been associated with BZ#18032. This variant is reported as BZ#18036, but has not been fixed together with the original problem.

ELA-871-1 sqlparse security update

Mon, 19 Jun 2023 17:50:45 +0200

Package : sqlparse

Version : 0.2.2-1+deb9u1 (stretch)

Related CVEs : CVE-2023-30608

Erik Krogh Kristensen discovered that sqlparse, a non-validating SQL parser, contained a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

ELA-870-1 requests security update

Sun, 18 Jun 2023 19:56:05 +0200

Package : requests

Version : 2.4.3-6+deb8u1 (jessie), 2.12.4-1+deb9u1 (stretch)

Related CVEs : CVE-2023-32681

Requests, a Python HTTP library, has been leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For HTTP connections sent through the tunnel, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information.

ELA-869-1 php-phpseclib security update

Sat, 17 Jun 2023 19:19:13 +0000

Package : php-phpseclib

Version : 2.0.4-1 (stretch)

Related CVEs : CVE-2021-30130

It was discovered that php-phpseclib, a pure-PHP implementation of various cryptographic and arithmetic algorithms, mishandles RSA PKCS#1 v1.5 signature verification. An attacker may get invalid signatures accepted, bypassing authorization control in specific situations.

ELA-868-1 exim4 security update

Mon, 12 Jun 2023 06:00:54 +0200

Package : exim4

Version : 4.84.2-2+deb8u10 (jessie), 4.89-2+deb9u10 (stretch)

Related CVEs : CVE-2021-38371

A flaw was found in Exim, a Mail Transport Agent (MTA). The STARTTLS feature in Exim allows response injection (buffering) during MTA SMTP sending. The program will fail with an appropriate error message if such a behavior is detected now.

ELA-867-1 vim security update

Mon, 12 Jun 2023 05:58:04 +0200

Package : vim

Version : 2:7.4.488-7+deb8u10 (jessie), 2:8.0.0197-4+deb9u10 (stretch)

Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows and out-of-bounds reads may lead to a denial-of-service (application crash) or other unspecified impact.

ELA-866-1 sysstat security update

Thu, 08 Jun 2023 13:37:07 +0200

Package : sysstat

Version : 11.0.1-1+deb8u2 (jessie), 11.4.3-2+deb9u2 (stretch)

Related CVEs : CVE-2023-33204

It was discovered that sysstat, a system performance tools for Linux, incompletely fixed CVE-2022-39377 (as published in ELA-731-1), which could lead to crashes and possibly remote code execution.

CVE-2023-33204

sysstat allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377.

For reference, the initial vulnerability was:

CVE-2022-39377

On 32 bit systems, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).

ELA-865-1 imagemagick security update

Wed, 07 Jun 2023 10:31:18 +0000

Package : imagemagick

Version : 8:6.8.9.9-5+deb8u26 (jessie), 8:6.9.7.4+dfsg-11+deb9u19 (stretch)

Several security vulnerabilities have been addressed in imagemagick, an image processing toolkit.

CVE-2017-12670

A missing validation was found in coders/mat.c, leading to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service. This fix was only applied for  Debian 9 stretch. Debian 8 jessie was previously fixed.

CVE-2018-10804

A memory leak in WriteTIFFImage (coders/tiff.c) was fixed.

CVE-2021-20309

A division by zero in WaveImage() was fixed.

CVE-2022-32545

An undefined behavior due to conversion to outside the range of long was fixed.

CVE-2022-32546

An unaligned access in magick/property.c was fixed.

CVE-2022-32547

An undefined behavior due to conversion to outside the range of representable values of type 'unsigned char'.

ELA-864-1 linux-5.10 security update

Wed, 07 Jun 2023 09:10:18 +0200

Package : linux-5.10

Version : 5.10.179-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-0386

It was discovered that under certain conditions the overlayfs
filesystem implementation did not properly handle copy up
operations. A local user permitted to mount overlay mounts in user
namespaces can take advantage of this flaw for local privilege
escalation.

CVE-2023-31436

Gwangun Jung reported a a flaw causing heap out-of-bounds
read/write errors in the traffic control subsystem for the Quick
Fair Queueing scheduler (QFQ) which may result in information
leak, denial of service or privilege escalation.

CVE-2023-32233

Patryk Sondej and Piotr Krysiuk discovered a use-after-free flaw
in the Netfilter nf_tables implementation when processing batch
requests, which may result in local privilege escalation for a
user with the CAP_NET_ADMIN capability in any user or network
namespace.

ELA-863-1 cpio security update

Mon, 05 Jun 2023 01:38:06 +0300

Package : cpio

Version : 2.11+dfsg-4.1+deb8u4 (jessie), 2.11+dfsg-6+deb9u1 (stretch)

Related CVEs : CVE-2019-14866 CVE-2021-38185

Improper validation of input was fixed in GNU cpio, a program to manage archives of files.

ELA-862-1 wireshark security update

Sat, 03 Jun 2023 23:54:12 +0300

Package : wireshark

Version : 2.6.20-0+deb9u6 (stretch)

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2023-2856

VMS TCPIPtrace file parser crash

CVE-2023-2858

NetScaler file parser crash

CVE-2023-2879

GDSDB infinite loop

CVE-2023-2952

XRA dissector infinite loop

ELA-861-1 emacs24 security update

Sat, 03 Jun 2023 02:33:03 +0200

Package : emacs24

Version : 24.4+1-5+deb8u2 (jessie), 24.5+1-11+deb9u2 (stretch)

Related CVEs : CVE-2022-48339 CVE-2023-28617

Xi Lu discovered that missing input sanitizing in Emacs could result in the execution of arbitrary shell commands.

ELA-860-1 cups security update

Thu, 01 Jun 2023 12:14:29 +0200

Package : cups

Version : 1.7.5-11+deb8u10 (jessie), 2.2.1-8+deb9u9 (stretch)

Related CVEs : CVE-2023-32324

An issue has been found in cups, the Common UNIX Printing System. Due to a buffer overflow vulnerability in the function format_log_line() a remote attackers could cause a denial-of-service(DoS). The vulnerability can be triggered when the configuration file cupsd.conf sets the value of “loglevel” to “DEBUG”.

ELA-859-1 python-ipaddress security update

Tue, 30 May 2023 11:40:21 -0400

Package : python-ipaddress

Version : 1.0.17-1+deb9u1 (stretch)

Related CVEs : CVE-2020-14422

A potential denial of service (DoS) vulnerability was discovered in python-ipaddress, a backport of Python 3’s ipaddress module for creating and manipulating IPv4 and IPv6 internet addresses (eg. 127.0.0.1).

This was caused by improperly computing hash values in the IPv4Interface and IPv6Interface classes: if an application was affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, an attacker could have caused many dictionary entries to be created.

ELA-858-1 emacs25 security update

Tue, 30 May 2023 00:56:46 +0200

Package : emacs25

Version : 25.1+1-4+deb9u2 (stretch)

Xi Lu discovered that missing input sanitizing in Emacs could result in the execution of arbitrary shell commands.

ELA-857-1 libtasn1-6 security update

Sat, 27 May 2023 19:26:04 +0200

Package : libtasn1-6

Version : 4.2-3+deb8u5 (jessie), 4.10-1.1+deb9u2 (stretch)

Related CVEs : CVE-2021-46848

It was discovered that there was an off-by-one array size issue in libtasn1-6, a library to manage the generic ASN.1 data structure.

ELA-856-1 freetype security update

Sat, 27 May 2023 18:18:05 +0200

Package : freetype

Version : 2.5.2-3+deb8u6 (jessie), 2.6.3-3.2+deb9u3 (stretch)

Related CVEs : CVE-2022-27405 CVE-2022-27406

Two issues have been found in freetype, a FreeType 2 font engine. Both issues are related to segmentation violations in different functions: ft_open_face_internal() and FT_Request_Size().

ELA-855-1 bzip2 security update

Fri, 26 May 2023 16:34:10 -0300

Package : bzip2

Version : 1.0.6-8.1+deb9u1 (stretch)

Related CVEs : CVE-2019-12900

A vulnerability has been fixed in bzip2, a high-quality block-sorting file compressor. CVE-2019-12900 is a out-of-bounds write when using a crafted compressed file.

This vulnerability was fixed in Debian Jessie, with bzip2 version 1.0.6-4+deb7u1

ELA-854-1 openjdk-8 security update

Fri, 26 May 2023 10:34:51 +0200

Package : openjdk-8

Version : 8u372-ga-1~deb8u1 (jessie), 8u372-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure or denial of service.

ELA-853-1 python2.7 security update

Thu, 25 May 2023 11:42:02 +0200

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u10 (jessie), 2.7.13-2+deb9u7 (stretch)

Multiple security issues were discovered in Python, an interactive high-level object-oriented language. An attacker may cause command injection, denial of service (DoS) and request smuggling.

CVE-2015-20107

The mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). Note: this CVE was really issued in 2022.
CVE-2020-8492

Python allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
CVE-2020-26116

http.client allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
CVE-2021-3733

There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client.
CVE-2021-3737

An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time.
CVE-2022-45061

An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service.

This update also brings improved fixes for CVE-2019-10160 (ELA-134-1,DLA-2280-1) and CVE-2021-3177 (ELA-598-1,DLA-2919-1), and drop the patch for CVE-2019-9740/CVE-2019-9947 (DLA-1834-1,DLA-2337-1) whose issue was introduced later in the 2.7.x series.

ELA-852-1 cups-filters security update

Mon, 22 May 2023 11:18:06 +0200

Package : cups-filters

Version : 1.11.6-3+deb9u2 (stretch)

Related CVEs : CVE-2023-24805

It was discovered that missing input sanitising in cups-filters, when using the Backend Error Handler (beh) backend to create an accessible network printer, may result in the execution of arbitrary commands.

ELA-851-1 uwsgi security update

Sat, 20 May 2023 08:08:27 +0000

Package : uwsgi

Version : 2.0.14+20161117-3+deb9u6 (stretch)

Related CVEs : CVE-2023-27522

A HTTP Response Smuggling vulnerability was fixed mod_proxy_uwsgi apache module included in uwsgi package. Special characters in the origin response header can truncate/split the response forwarded to the client.

ELA-850-1 sqlite security update

Sat, 13 May 2023 13:08:51 +0200

Package : sqlite

Version : 2.8.17-12+deb8u1 (jessie), 2.8.17-14+deb9u1 (stretch)

Related CVEs : CVE-2016-6153 CVE-2018-8740

Two vulnerabilities have been fixed in sqlite (V2) which which might allow local users to obtain sensitive information, cause a denial of service (application crash), or have unspecified other impact.

CVE-2016-6153

sqlite improperly implemented the temporary directory search algorithm, which
might allow local users to obtain sensitive information, cause a denial of
service (application crash), or have unspecified other impact by leveraging use
of the current working directory for temporary files.

CVE-2018-8740

Databases whose schema is corrupted using a CREATE TABLE AS statement could
cause a NULL pointer dereference,

ELA-849-1 php5 security update

Sat, 13 May 2023 07:20:31 +0200

Package : php5

Version : 5.6.40+dfsg-0+deb8u17 (jessie)

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.

CVE-2022-31631

Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string.  The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.

CVE-2023-0567

Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid.  (`Password_verify()`
always return `true` with such inputs.)

CVE-2023-0568

1-byte array overrun when appending slash to paths during path
resolution.

CVE-2023-0662

Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.

ELA-848-1 php7.0 security update

Sat, 13 May 2023 01:25:09 +0200

Package : php7.0

Version : 7.0.33-0+deb9u14 (stretch)

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.

CVE-2022-31631

Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite
may return an improperly quoted string.  The exact details likely
depend on the implementation of `sqlite3_snprintf()`, but with some
versions it is possible to force the function to return a single
apostrophe, if the function is called on user supplied input without
any length restrictions in place.

CVE-2023-0567

Tim Düsterhus discovered that malformed BCrypt hashes that include a
`$` within their salt part trigger a buffer overread and may
erroneously validate any password as valid.  (`Password_verify()`
always return `true` with such inputs.)

CVE-2023-0568

1-byte array overrun when appending slash to paths during path
resolution.

CVE-2023-0662

Jakob Ackermann discovered a Denial of Service vulnerability when
parsing multipart request body: the request body parsing in PHP
allows any unauthenticated attacker to consume a large amount of CPU
time and trigger excessive logging.

ELA-847-1 linux-4.19 security update

Fri, 05 May 2023 19:04:57 +0200

Package : linux-4.19

Version : 4.19.282-1~deb8u1 (jessie), 4.19.282-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2022-2873

Zheyu Ma discovered that an out-of-bounds memory access flaw in
the Intel iSMT SMBus 2.0 host controller driver may result in
denial of service (system crash).

CVE-2022-3424

Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
which could lead to a use-after-free.  On systems where this driver
is used, a local user can explit this for denial of service (crash
or memory corruption) or possibly for privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-3545

It was discovered that the Netronome Flow Processor (NFP) driver
contained a use-after-free flaw in area_cache_get(), which may
result in denial of service or the execution of arbitrary code.

CVE-2022-3707

Zheng Wang reported a flaw in the i915 graphics driver's
virtualisation (GVT-g) support that could lead to a double-free.
On systems where this feature is used, a guest can exploit this
for denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-4744

The syzkaller tool found a flaw in the TUN/TAP network driver,
which can lead to a double-free.  A local user can exploit this
for denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-36280

An out-of-bounds memory write vulnerability was discovered in the
vmwgfx driver, which may allow a local unprivileged user to cause
a denial of service (system crash).

CVE-2022-41218

Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
subsystem caused by refcount races, which may allow a local user
to cause a denial of service or escalate privileges.

CVE-2022-45934

An integer overflow in l2cap_config_req() in the Bluetooth
subsystem was discovered, which may allow a physically proximate
attacker to cause a denial of service (system crash).

CVE-2022-47929

Frederick Lawler reported a NULL pointer dereference in the
traffic control subsystem allowing an unprivileged user to cause a
denial of service by setting up a specially crafted traffic
control configuration.

CVE-2023-0045

Rodrigo Branco and Rafael Correa De Ysasi reported that when a
user-space task told the kernel to enable Spectre v2 mitigation
for it, the mitigation was not enabled until the task was next
rescheduled.  This might be exploitable by a local or remote
attacker to leak sensitive information from such an application.

CVE-2023-0266

A use-after-free flaw in the sound subsystem due to missing
locking may result in denial of service or privilege escalation.

CVE-2023-0394

Kyle Zeng discovered a NULL pointer dereference flaw in
rawv6_push_pending_frames() in the network subsystem allowing a
local user to cause a denial of service (system crash).

CVE-2023-0458

Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
related system calls were vulnerable to speculative execution
attacks such as Spectre v1.  A local user could explot this to
leak sensitive information from the kernel.

CVE-2023-0459

Jordy Zimmer and Alexandra Sandulescu found a regression in
Spectre v1 mitigation in the user-copy functions for the amd64
(64-bit PC) architecture.  Where the CPUs do not implement SMAP or
it is disabled, a local user could exploit this to leak sensitive
information from the kernel.  Other architectures may also be
affected.

CVE-2023-0461

"slipper" reported a flaw in the kernel's support for ULPs (Upper
Layer Protocols) on top of TCP that can lead to a double-free when
using kernel TLS sockets.  A local user can exploit this for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

Kernel TLS is not enabled in Debian's official kernel
configurations.

CVE-2023-1073

Pietro Borrello reported a type confusion flaw in the HID (Human
Interface Device) subsystem.  An attacker able to insert and
remove USB devices might be able to use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1074

Pietro Borrello reported a type confusion flaw in the SCTP
protocol implementation which can lead to a memory leak.  A local
user could exploit this to cause a denial of service (resource
exhaustion).

CVE-2023-1078

Pietro Borrello reported a type confusion flaw in the RDS protocol
implementation.  A local user could exploit this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-1079

Pietro Borrello reported a race condition in the hid-asus HID
driver which could lead to a use-after-free.  An attacker able to
insert and remove USB devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1118

Duoming Zhou reported a race condition in the ene_ir remote
control driver that can lead to a use-after-free if the driver
is unbound.  It is not clear what the security impact of this is.

CVE-2023-1281, CVE-2023-1829

"valis" reported two flaws in the cls_tcindex network traffic
classifier which could lead to a use-after-free.  A local user can
exploit these for privilege escalation.  This update removes
cls_tcindex entirely.

CVE-2023-1513

Xingyuan Mo reported an information leak in the KVM implementation
for the i386 (32-bit PC) architecture.  A local user could exploit
this to leak sensitive information from the kernel.

CVE-2023-1670

Zheng Wang reported a race condition in the xirc2ps_cs network
driver which can lead to a use-after-free.  An attacker able to
insert and remove PCMCIA devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1855

Zheng Wang reported a race condition in the xgene-hwmon hardware
monitoring driver that may lead to a use-after-free.  It is not
clear what the security impact of this is.

CVE-2023-1859

Zheng Wang reported a race condition in the 9pnet_xen transport
for the 9P filesystem on Xen, which can lead to a use-after-free.
On systems where this feature is used, a backend driver in another
domain can use this to cause a denial of service (crash or memory
corruption) or possibly to run arbitrary code in the vulnerable
domain.

CVE-2023-1989

Zheng Wang reported a race condition in the btsdio Bluetooth
adapter driver that can lead to a use-after-free.  An attacker
able to insert and remove SDIO devices can use this to cause a
denial of service (crash or memory corruption) or possibly to run
arbitrary code in the kernel.

CVE-2023-1990

Zheng Wang reported a race condition in the st-nci NFC adapter
driver that can lead to a use-after-free.  It is not clear what
the security impact of this is.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2023-1998

José Oliveira and Rodrigo Branco reported a regression in Spectre
v2 mitigation for user-space on x86 CPUs supporting IBRS but not
eIBRS.  This might be exploitable by a local or remote attacker to
leak sensitive information from a user-space application.

CVE-2023-2162

Mike Christie reported a race condition in the iSCSI TCP transport
that can lead to a use-after-free.  On systems where this feature
is used, a local user might be able to use this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-2194

Wei Chen reported a potential heap buffer overflow in the
i2c-xgene-slimpro I²C adapter driver.  A local user with
permission to access such a device can use this to cause a denial
of service (crash or memory corruption) and probably for privilege
escalation.

CVE-2023-23454

Kyle Zeng reported that the Class Based Queueing (CBQ) network
scheduler was prone to denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23455

Kyle Zeng reported that the ATM Virtual Circuits (ATM) network
scheduler was prone to a denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23559

Szymon Heidrich reported incorrect bounds checks in the rndis_wlan
Wi-Fi driver which may lead to a heap buffer overflow or overread.
An attacker able to insert and remove USB devices can use this to
cause a denial of service (crash or memory corruption) or
information leak, or possibly to run arbitrary code in the kernel.

CVE-2023-26545

Lianhui Tang reported a flaw in the MPLS protocol implementation
that could lead to a double-free.  A local user might be able to
exploit this to cause a denial of service (crash or memory
corruption) or possibl for privilege escalation.

CVE-2023-28328

Wei Chen reported a flaw in the az6927 DVB driver that can lead to
a null pointer dereference.  A local user permitted to access an
I²C adapter device that this driver creates can use this to cause
a denial of service (crash).

CVE-2023-30456

Reima ISHII reported a flaw in the KVM implementation for Intel
CPUs affecting nested virtualisation.  When KVM was used as the L0
hypervisor, and EPT and/or unrestricted guest mode was disabled,
it did not prevent an L2 guest from being configured with an
architecturally invalid protection/paging mode.  A malicious guest
could exploit this to cause a denial of service (crash).

CVE-2023-30772

Zheng Wang reported a race condition in the da9150 charger driver
which could lead to a use-after-free.  It is not clear what the
security impact of this is.

This driver is not enabled in Debian's official kernel
configurations.

This update additionally fixes Debian bug #825141, and includes many more bug fixes from stable updates 4.19.270-4.19.282 inclusive.

ELA-832-2 syslog-ng regression update

Thu, 04 May 2023 21:11:54 +0200

Package : syslog-ng

Version : 3.5.6-2+deb8u2 (jessie)

It has been reported that the previous security update, issued as ELA-832-1, caused a regression leading to the syslog-ng daemon restarting.

This update fixes this regression.

ELA-846-2 openimageio regression update

Thu, 04 May 2023 02:35:22 +0200

Package : openimageio

Version : 1.4.14~dfsg0-1+deb8u2 (jessie)

The previous security update of openimageio, issued as ELA-846-1, could not be built on the armel computer platform for Debian 8 “Jessie”. This update disables the creation of openimageio’s pdf documentation at build time on armel. All other platforms are not affected and an upgrade is not required.

ELA-846-1 openimageio security update

Wed, 03 May 2023 11:53:26 +0200

Package : openimageio

Version : 1.4.14~dfsg0-1+deb8u1 (jessie), 1.6.17~dfsg0-1+deb9u1 (stretch)

Multiple security vulnerabilities have been discovered in OpenImageIO, a library for reading and writing images. Buffer overflows and out-of-bounds read and write programming errors may lead to a denial of service (application crash) or the execution of arbitrary code if a malformed image file is processed.

ELA-845-1 linux-5.10 security update

Wed, 03 May 2023 09:48:03 +0200

Package : linux-5.10

Version : 5.10.178-3~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

CVE-2022-2196

A regression was discovered in the KVM implementation for Intel CPUs,
affecting Spectre v2 mitigation for nested virtualisation.  When
KVM was used as the L0 hypervisor, an L2 guest could exploit this
to leak sensitive information from its L1 hypervisor.

CVE-2022-3424

Zheng Wang and Zhuorao Yang reported a flaw in the SGI GRU driver
which could lead to a use-after-free.  On systems where this driver
is used, a local user can explit this for denial of service (crash
or memory corruption) or possibly for privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-3707

Zheng Wang reported a flaw in the i915 graphics driver's
virtualisation (GVT-g) support that could lead to a double-free.
On systems where this feature is used, a guest can exploit this
for denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-4129

Haowei Yan reported a race condition in the L2TP protocol
implementation which could lead to a null pointer dereference.  A
local user could exploit this for denial of service (crash).

CVE-2022-4379

Xingyuan Mo reported a flaw in the NFSv4.2 inter server to
server copy implementation which could lead to a use-after-free.

This feature is not enabled in Debian's official kernel
configurations.

CVE-2023-0045

Rodrigo Branco and Rafael Correa De Ysasi reported that when a
user-space task told the kernel to enable Spectre v2 mitigation
for it, the mitigation was not enabled until the task was next
rescheduled.  This might be exploitable by a local or remote
attacker to leak sensitive information from such an application.

CVE-2023-0458

Jordy Zimmer and Alexandra Sandulescu found that getrlimit() and
related system calls were vulnerable to speculative execution
attacks such as Spectre v1.  A local user could explot this to
leak sensitive information from the kernel.

CVE-2023-0459

Jordy Zimmer and Alexandra Sandulescu found a regression in
Spectre v1 mitigation in the user-copy functions for the amd64
(64-bit PC) architecture.  Where the CPUs do not implement SMAP or
it is disabled, a local user could exploit this to leak sensitive
information from the kernel.  Other architectures may also be
affected.

CVE-2023-0461

"slipper" reported a flaw in the kernel's support for ULPs (Upper
Layer Protocols) on top of TCP that can lead to a double-free when
using kernel TLS sockets.  A local user can exploit this for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

Kernel TLS is not enabled in Debian's official kernel
configurations.

CVE-2023-1073

Pietro Borrello reported a type confusion flaw in the HID (Human
Interface Device) subsystem.  An attacker able to insert and
remove USB devices might be able to use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1074

Pietro Borrello reported a type confusion flaw in the SCTP
protocol implementation which can lead to a memory leak.  A local
user could exploit this to cause a denial of service (resource
exhaustion).

CVE-2023-1076

Pietro Borrello reported a type confusion flaw in the TUN/TAP
network driver, which results in all TUN/TAP sockets being marked
as belonging to user ID 0 (root).  This may allow local users to
evade local firewall rules based on user ID.

CVE-2023-1077

Pietro Borrello reported a type confusion flaw in the task
scheduler.  A local user might be able to exploit this to cause a
denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2023-1078

Pietro Borrello reported a type confusion flaw in the RDS protocol
implementation.  A local user could exploit this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-1079

Pietro Borrello reported a race condition in the hid-asus HID
driver which could lead to a use-after-free.  An attacker able to
insert and remove USB devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1118

Duoming Zhou reported a race condition in the ene_ir remote
control driver that can lead to a use-after-free if the driver
is unbound.  It is not clear what the security impact of this is.

CVE-2023-1281, CVE-2023-1829

"valis" reported two flaws in the cls_tcindex network traffic
classifier which could lead to a use-after-free.  A local user can
exploit these for privilege escalation.  This update removes
cls_tcindex entirely.

CVE-2023-1513

Xingyuan Mo reported an information leak in the KVM implementation
for the i386 (32-bit PC) architecture.  A local user could exploit
this to leak sensitive information from the kernel.

CVE-2023-1611

"butt3rflyh4ck" reported a race condition in the btrfs filesystem
driver which can lead to a use-after-free.  A local user could
exploit this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2023-1670

Zheng Wang reported a race condition in the xirc2ps_cs network
driver which can lead to a use-after-free.  An attacker able to
insert and remove PCMCIA devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-1855

Zheng Wang reported a race condition in the xgene-hwmon hardware
monitoring driver that may lead to a use-after-free.  It is not
clear what the security impact of this is.

CVE-2023-1859

Zheng Wang reported a race condition in the 9pnet_xen transport
for the 9P filesystem on Xen, which can lead to a use-after-free.
On systems where this feature is used, a backend driver in another
domain can use this to cause a denial of service (crash or memory
corruption) or possibly to run arbitrary code in the vulnerable
domain.

CVE-2023-1872

Bing-Jhong Billy Jheng reported a race condition in the io_uring
subsystem that can lead to a use-after-free.  A local user could
exploit this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2023-1989

Zheng Wang reported a race condition in the btsdio Bluetooth
adapter driver that can lead to a use-after-free.  An attacker
able to insert and remove SDIO devices can use this to cause a
denial of service (crash or memory corruption) or possibly to run
arbitrary code in the kernel.

CVE-2023-1990

Zheng Wang reported a race condition in the st-nci NFC adapter
driver that can lead to a use-after-free.  It is not clear what
the security impact of this is.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2023-1998

José Oliveira and Rodrigo Branco reported a regression in Spectre
v2 mitigation for user-space on x86 CPUs supporting IBRS but not
eIBRS.  This might be exploitable by a local or remote attacker to
leak sensitive information from a user-space application.

CVE-2023-2162

Mike Christie reported a race condition in the iSCSI TCP transport
that can lead to a use-after-free.  On systems where this feature
is used, a local user might be able to use this to cause a denial
of service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2023-2194

Wei Chen reported a potential heap buffer overflow in the
i2c-xgene-slimpro I²C adapter driver.  A local user with
permission to access such a device can use this to cause a denial
of service (crash or memory corruption) and probably for privilege
escalation.

CVE-2023-22998

Miaoqian Lin reported an incorrect error check in the virtio-gpu
GPU driver.  A local user with access to such a device might be
able to use this to cause a denial of service (crash).

CVE-2023-23004

Miaoqian Lin reported an incorrect error check in the mali-dp GPU
driver.  A local user with access to such a device might be able
to use this to cause a denial of service (crash).

CVE-2023-23559

Szymon Heidrich reported incorrect bounds checks in the rndis_wlan
Wi-Fi driver which may lead to a heap buffer overflow or overread.
An attacker able to insert and remove USB devices can use this to
cause a denial of service (crash or memory corruption) or
information leak, or possibly to run arbitrary code in the kernel.

CVE-2023-25012

Pietro Borrello reported a race condition in the hid-bigbenff HID
driver which could lead to a use-after-free.  An attacker able to
insert and remove USB devices can use this to cause a denial of
service (crash or memory corruption) or possibly to run arbitrary
code in the kernel.

CVE-2023-26545

Lianhui Tang reported a flaw in the MPLS protocol implementation
that could lead to a double-free.  A local user might be able to
exploit this to cause a denial of service (crash or memory
corruption) or possibl for privilege escalation.

CVE-2023-28328

Wei Chen reported a flaw in the az6927 DVB driver that can lead to
a null pointer dereference.  A local user permitted to access an
I²C adapter device that this driver creates can use this to cause
a denial of service (crash).

CVE-2023-28466

Hangyu Hua reported a race condition in the kernel TLS socket
implementation which can lead to a use-after-free or null
pointer dereference.  A local user can exploit this for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

This feature is not enabled in Debian's official kernel
configurations.

CVE-2023-30456

Reima ISHII reported a flaw in the KVM implementation for Intel
CPUs affecting nested virtualisation.  When KVM was used as the L0
hypervisor, and EPT and/or unrestricted guest mode was disabled,
it did not prevent an L2 guest from being configured with an
architecturally invalid protection/paging mode.  A malicious guest
could exploit this to cause a denial of service (crash).

This update additionally fixes Debian bugs #989705, #993612, #1022126, and #1031753; and includes many more bug fixes from stable updates 5.10.163-5.10.178 inclusive.

ELA-844-1 avahi security update

Tue, 02 May 2023 11:29:35 -0700

Package : avahi

Version : 0.6.31-5+deb8u2 (jessie), 0.6.32-2+deb9u2 (stretch)

Related CVEs : CVE-2023-1981

It was discovered that there was a local Denial of Service (DoS) vulnerability in Avahi, a system that facilitates service discovery on a local network.

The avahi-daemon process could have been crashed over the DBus message bus.

ELA-843-1 libdatetime-timezone-perl new timezone database

Tue, 02 May 2023 15:23:12 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2023c (jessie), 1:2.09-1+2023c (stretch)

This update includes the changes in tzdata 2023c for the Perl bindings.

ELA-842-1 tzdata new timezone database

Tue, 02 May 2023 15:19:09 +0200

Package : tzdata

Version : 2021a-0+deb8u10 (jessie), 2021a-0+deb9u10 (stretch)

This update includes the changes in tzdata 2023c. Notable changes are:

Revert Lebanon DST changes.
Updated leap second list.

ELA-841-1 distro-info-data database update

Sun, 30 Apr 2023 21:57:18 -0400

Package : distro-info-data

Version : 0.36~bpo8+3 (jessie), 0.41+deb10u2~bpo9+3 (stretch)

This is a routine update of the distro-info-data database for Debian ELTS users.

It includes the expected release date for Debian 12, adds Debian 14, adds Ubuntu 23.10, and some minor updates to EoL dates for Ubuntu releases.

ELA-840-1 apache2 security update

Sun, 30 Apr 2023 23:47:57 +0000

Package : apache2

Version : 2.4.10-10+deb8u25 (jessie), 2.4.25-3+deb9u15 (stretch)

Several vulnerabilities have been discovered in apache2, a webserver that may be used as front-end proxy for other applications. These vulnerabilities may lead to HTTP request smuggling, and thus to front-end security controls being bypassed.

Unfortunately, fixing these security vulnerabilities may require changes to configuration files. Some out-of-specification RewriteRule directives that were previously silently accepted, are now rejected with error AH10409. For instance, some RewriteRules that included a back-reference and the flags “[L,NC]” will need to be written with extra escaping flags such as “[B= ?,BNP,QSA]”.

CVE-2006-20001

A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash.

CVE-2022-36760

An Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allowed an attacker to smuggle requests to the AJP server it forwards requests to.

CVE-2022-37436

A malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVE-2023-25690

Some mod_proxy configurations allow an HTTP request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

ELA-839-1 wireshark security update

Sat, 29 Apr 2023 23:41:05 +0300

Package : wireshark

Version : 2.6.20-0+deb9u5 (stretch)

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2023-1161

ISO 15765 dissector crash

CVE-2023-1992

RPCoRDMA dissector crash

CVE-2023-1993

LISP dissector large loop vulnerability

CVE-2023-1994

GQUIC dissector crash

ELA-838-1 redis security update

Fri, 21 Apr 2023 13:18:10 +0100

Package : redis

Version : 2:2.8.17-1+deb8u11 (jessie), 2:2.8.17-1+deb8u11 (stretch)

Related CVEs : CVE-2023-28856

It was discovered that there was a potential remote denial of service vulnerability in Redis, a popular NoSQL key-value database.

Authenticated users could have used the HINCRBYFLOAT command to create an invalid hash field that would have crashed the Redis server on access.

ELA-837-1 libxml2 security update

Thu, 20 Apr 2023 19:40:36 +0200

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u15 (jessie), 2.9.4+dfsg1-2.2+deb9u10 (stretch)

Multiple issues were found in libxml2, the GNOME XML library, which possibly allows an remote attacker to trigger a potential heap memory corruption or trigger a denial of service or other unspecified impact.

The Jessie update 2.9.1+dfsg1-5+deb8u15 fixes all mentioned CVEs. The Stretch update 2.9.4+dfsg1-2.2+deb9u10 fixes CVE-2023-28484 and CVE-2023-29469, as the other have been fixed by an previous upload – see DLA-2972-1 for details.

CVE-2017-5130

An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in
Google Chrome prior to 62.0.3202.62 and other products, allowed a remote
attacker to potentially exploit heap corruption via a crafted XML file.

CVE-2017-5969

libxml2 2.9.4, when used in recover mode, allows one to cause a denial
of service (NULL pointer dereference) via a crafted XML document.

CVE-2023-28484

NULL dereference in xmlSchemaFixupComplexType.

CVE-2023-29469

Hashing of empty dict strings isn't deterministic.

ELA-836-1 protobuf security update

Wed, 19 Apr 2023 08:58:01 +0200

Package : protobuf

Version : 2.6.1-1+deb8u1 (jessie), 3.0.0-9+deb9u1 (stretch)

This update fixes a NULL pointer dereference and two denial of service conditions in protobuf.

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of
com.google.protobuf.UnknownFieldSet fields in such a way that would be
processed out of order. A small malicious payload can occupy the parser for
several minutes by creating large numbers of short-lived objects that cause
frequent, repeated pauses.

CVE-2021-22570

Nullptr dereference when a null char is present in a proto symbol. The
symbol is parsed incorrectly, leading to an unchecked call into the proto
file's name during generation of the resulting error message. Since the
symbol is incorrectly parsed, the file is nullptr.

CVE-2022-1941

A parsing vulnerability for the MessageSet type in the ProtocolBuffers can
lead to out of memory failures. A specially crafted message with multiple
key-value per elements creates parsing issues, and can lead to a Denial of
Service against services receiving unsanitized input.

ELA-835-1 pjproject security update

Tue, 18 Apr 2023 22:50:07 +0200

Package : pjproject

Version : 2.5.5~dfsg-6+deb9u9 (stretch)

Related CVEs : CVE-2023-27585

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability affects applications that use PJSIP DNS resolver. It doesn’t affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record parse_query(), while the issue in CVE-2022-24793 is in parse_rr(). A workaround is to disable DNS resolution in PJSIP config (by setting nameserver_count to zero) or use an external resolver implementation instead.

ELA-833-1 ghostscript security update

Tue, 18 Apr 2023 01:14:56 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u11 (jessie), 9.26a~dfsg-0+deb9u11 (stretch)

Related CVEs : CVE-2023-28879

It was discovered that there was a potential buffer-overflow vulnerability in ghostscript, a popular interpreter for the PostScript language used, for example, to generate PDF files.

ELA-834-1 keepalived security update

Tue, 18 Apr 2023 01:12:21 +0200

Package : keepalived

Version : 1:1.3.2-1+deb9u1 (stretch)

Related CVEs : CVE-2018-19115 CVE-2021-44225

Two security vulnerabilities were found in keepalived, a failover and monitoring daemon for LVS clusters.

CVE-2018-19115

keepalived has a heap-based buffer overflow when parsing HTTP
status codes resulting in DoS or possibly unspecified other impact, because
extract_status_code in lib/html.c has no validation of the status code and
instead writes an unlimited amount of data to the heap.

CVE-2021-44225

A flaw was found in keepalived where an improper authentication
vulnerability allows an unprivileged user to change properties that could
lead to an access-control bypass.

ELA-832-1 syslog-ng security update

Sun, 16 Apr 2023 14:41:10 +0200

Package : syslog-ng

Version : 3.5.6-2+deb8u1 (jessie), 3.8.1-10+deb9u1 (stretch)

Related CVEs : CVE-2022-38725

It was discovered that an integer overflow in the RFC3164 parser of syslog-ng, a system logging daemon, may result in denial of service via malformed syslog messages.

ELA-831-1 curl security update

Mon, 10 Apr 2023 17:45:15 +0200

Package : curl

Version : 7.38.0-4+deb8u26 (jessie), 7.52.1-5+deb9u19 (stretch)

Several security vulnerabilities have been found in cURL, an easy-to-use client-side URL transfer library.

CVE-2023-27533

A vulnerability in input validation exists in curl during
communication using the TELNET protocol. It may allow an attacker to pass on
maliciously crafted user name and "telnet options" during server
negotiation. The lack of proper input scrubbing allows an attacker to send
content or perform option negotiation without the application's intent.
This vulnerability could be exploited if an application allows user input,
thereby enabling attackers to execute arbitrary code on the system.

CVE-2023-27535

An authentication bypass vulnerability exists in libcurl in the FTP
connection reuse feature that can result in wrong credentials being used
during subsequent transfers. Previously created connections are kept in a
connection pool for reuse if they match the current setup. However, certain
FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER,
CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the
configuration match checks, causing them to match too easily. This could
lead to libcurl using the wrong credentials when performing a transfer,
potentially allowing unauthorized access to sensitive information.

CVE-2023-27536

An authentication bypass vulnerability exists in libcurl in the
connection reuse feature which can reuse previously established connections
with incorrect user permissions due to a failure to check for changes in
the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects
krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in
unauthorized access to sensitive information. The safest option is to not
reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

CVE-2023-27538

An authentication bypass vulnerability exists in libcurl where it
reuses a previously established SSH connection despite the fact that an SSH
option was modified, which should have prevented reuse. libcurl maintains a
pool of previously used connections to reuse them for subsequent transfers
if the configurations match. However, two SSH settings were omitted from
the configuration check, allowing them to match easily, potentially leading
to the reuse of an inappropriate connection.

ELA-830-1 tomcat8 security update

Mon, 10 Apr 2023 17:35:18 +0200

Package : tomcat8

Version : 8.0.14-1+deb8u25 (jessie), 8.5.54-0+deb9u10 (stretch)

Related CVEs : CVE-2023-28708

A flaw has been found in the Tomcat servlet and JSP engine. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

ELA-828-1 dnsmasq security update

Mon, 10 Apr 2023 13:01:40 +0000

Package : dnsmasq

Version : 2.72-3+deb8u7 (jessie), 2.76-5+deb9u4 (stretch)

Multiple security vulnerabilities were found on dnsmasq, a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

CVE-2017-15107

A vulnerability was found in the implementation of
DNSSEC in Dnsmasq. Wildcard synthesized NSEC records could be
improperly interpreted to prove the non-existence of hostnames that
actually exist.
This particular CVE was only fixed for 2.76-5+deb9u4. DNSSEC validation
for jessie (until 2.73) does a bottom/top validation instead of a top/bottom
validation.

CVE-2019-14834

A vulnerability was found in dnsmasq before version
2.81, where the memory leak allows remote attackers to cause a denial
of service (memory consumption) via vectors involving DHCP response
creation

CVE-2022-0934

A single-byte, non-arbitrary write/use-after-free flaw
was found in dnsmasq. This flaw allows an attacker who sends a crafted
packet processed by dnsmasq, potentially causing a denial of
service.

CVE-2023-28450

The default maximum EDNS.0 UDP packet size was set
to 4096 but should be 1232 because of DNS Flag Day 2020.

ELA-827-1 tomcat7 security update

Mon, 10 Apr 2023 14:50:52 +0200

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u3 (jessie)

Related CVEs : CVE-2023-28708

ELA-826-1 firmware-nonfree security update

Sun, 02 Apr 2023 11:03:46 +0200

Package : firmware-nonfree

Version : 20190114+really20220913-0+deb8u1 (jessie), 20190114+really20220913-0+deb9u1 (stretch)

The firmware-nonfree package has been updated to include addtional firmware that may be requested by some drivers in newer Linux kernels.

Some of the updated firmware files adresses security vulnerabilities, which may allow Escalation of Privileges, Denial of Services and Information Disclosures.

For best support, we recommend to utilize the backported (Extended) LTS kernels.

CVE-2020-24586 (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that received fragments be cleared from memory after (re)connecting
to a network. Under the right circumstances, when another device
sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can
be abused to inject arbitrary network packets and/or exfiltrate user
data.

CVE-2020-24587 (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that all fragments of a frame are encrypted under the same key. An
adversary can abuse this to decrypt selected fragments when another
device sends fragmented frames and the WEP, CCMP, or GCMP encryption
key is periodically renewed.

CVE-2020-24588 (INTEL-SA-00473)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require
that the A-MSDU flag in the plaintext QoS header field is
authenticated. Against devices that support receiving non-SSP A-MSDU
frames (which is mandatory as part of 802.11n), an adversary can
abuse this to inject arbitrary network packets.

CVE-2021-23168 (INTEL-SA-00621)

Out of bounds read for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow an unauthenticated user to
potentially enable denial of service via adjacent access.

CVE-2021-23223 (INTEL-SA-00621)

Improper initialization for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2021-37409 (INTEL-SA-00621)

Improper access control for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2021-44545 (INTEL-SA-00621)

Improper input validation for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow an unauthenticated user to
potentially enable denial of service via adjacent access.

CVE-2022-21181 (INTEL-SA-00621)

Improper input validation for some Intel(R) PROSet/Wireless WiFi and
Killer(TM) WiFi products may allow a privileged user to potentially
enable escalation of privilege via local access.

The following advisories are also fixed by this upload, but needs an updated Linux kernel to load the updated firmware:

CVE-2020-12362 (INTEL-SA-00438)

Integer overflow in the firmware for some Intel(R) Graphics Drivers
for Windows * before version 26.20.100.7212 and before Linux kernel
version 5.5 may allow a privileged user to potentially enable an
escalation of privilege via local access.

CVE-2020-12363 (INTEL-SA-00438)

Improper input validation in some Intel(R) Graphics Drivers for
Windows* before version 26.20.100.7212 and before Linux kernel
version 5.5 may allow a privileged user to potentially enable a
denial of service via local access.

CVE-2020-12364 (INTEL-SA-00438)

Null pointer reference in some Intel(R) Graphics Drivers for
Windows* before version 26.20.100.7212 and before version Linux
kernel version 5.5 may allow a privileged user to potentially enable
a denial of service via local access.

ELA-825-1 intel-microcode security update

Sat, 01 Apr 2023 12:13:28 +0200

Package : intel-microcode

Version : 3.20230214.1~deb8u1 (jessie), 3.20230214.1~deb9u1 (stretch)

Multiple potential security vulnerabilities in some Intel® Processors have been found which may allow information disclosure or may allow escalation of privilege. Intel is releasing microcode updates to mitigate this potential vulnerabilities.

Please pay attention that the fix for CVE-2022-33196 might require a firmware update.

CVE-2022-21216 (INTEL-SA-00700)

Insufficient granularity of access control in out-of-band
management in some Intel(R) Atom and Intel Xeon Scalable Processors
may allow a privileged user to potentially enable escalation of
privilege via adjacent network access.

CVE-2022-21233 (INTEL-SA-00657)

Improper isolation of shared resources in some Intel(R) Processors
may allow a privileged user to potentially enable information
disclosure via local access.

CVE-2022-33196 (INTEL-SA-00738)

Incorrect default permissions in some memory controller
configurations for some Intel(R) Xeon(R) Processors when using
Intel(R) Software Guard Extensions which may allow a privileged user
to potentially enable escalation of privilege via local access.

This fix may require a firmware update to be effective on some
processors.

CVE-2022-33972 (INTEL-SA-00730)

Incorrect calculation in microcode keying mechanism for some 3rd
Generation Intel(R) Xeon(R) Scalable Processors may allow a
privileged user to potentially enable information disclosure via
local acces

CVE-2022-38090 (INTEL-SA-00767)

Improper isolation of shared resources in some Intel(R) Processors
when using Intel(R) Software Guard Extensions may allow a privileged
user to potentially enable information disclosure via local access.

ELA-824-1 libmicrohttpd security update

Thu, 30 Mar 2023 23:21:47 +0200

Package : libmicrohttpd

Version : 0.9.37+dfsg-1+deb8u1 (jessie), 0.9.51-1+deb9u1 (stretch)

Related CVEs : CVE-2023-27371

An issue has been found in linmicrohttpd, a library embedding HTTP server functionality. Parsing crafted POST requests result in an out of bounds read, which might cause a DoS (Denial of Service).

ELA-823-1 joblib security update

Thu, 30 Mar 2023 19:59:31 +0200

Package : joblib

Version : 0.8.3-1+deb8u1 (jessie), 0.10.3+git55-g660fe5d-1+deb9u1 (stretch)

Related CVEs : CVE-2022-21797

It was discovered that joblib did not properly sanitize arguments to pre_dispatch, allowing arbitrary code execution.

ELA-822-1 amanda security update

Thu, 30 Mar 2023 15:38:32 +0200

Package : amanda

Version : 1:3.3.9-5+deb9u1 (stretch)

Related CVEs : CVE-2022-37704

It was discovered that there was a potential privilege escalation vulnerability in the “amanda” backup utility. The SUID binary located at /lib/amanda/rundump executed /usr/sbin/dump as root with arguments controlled by the attacker, which may have led to an escalation of privileges, denial of service (DoS) or information disclosure.

ELA-821-1 xorg-server security update

Wed, 29 Mar 2023 15:32:14 +0200

Package : xorg-server

Version : 2:1.16.4-1+deb8u11 (jessie), 2:1.19.2-1+deb9u14 (stretch)

Related CVEs : CVE-2023-1393

Jan-Niklas Sohn discovered that a use-after-free flaw in the Composite extension of the X.org X server may result in privilege escalation if the X server is running under the root user.

ELA-820-1 unbound1.9 security update

Wed, 29 Mar 2023 00:29:24 +0200

Package : unbound1.9

Version : 1.9.0-2+deb10u2~deb9u3 (stretch)

Several security vulnerabilities have been discovered in unbound, a validating, recursive, caching DNS resolver.

CVE-2022-3204

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation
Attack) has been discovered in various DNS resolving software. The
NRDelegation Attack works by having a malicious delegation with a
considerable number of non responsive nameservers. The attack starts by
querying a resolver for a record that relies on those unresponsive
nameservers. The attack can cause a resolver to spend a lot of
time/resources resolving records under a malicious delegation point where a
considerable number of unresponsive NS records reside. It can trigger high
CPU usage in some resolver implementations that continually look in the
cache for resolved NS records in that delegation. This can lead to degraded
performance and eventually denial of service in orchestrated attacks.
Unbound does not suffer from high CPU usage, but resources are still needed
for resolving the malicious delegation. Unbound will keep trying to resolve
the record until hard limits are reached. Based on the nature of the attack
and the replies, different limits could be reached. From now on Unbound
introduces fixes for better performance when under load, by cutting
opportunistic queries for nameserver discovery and DNSKEY prefetching and
limiting the number of times a delegation point can issue a cache lookup
for missing records.

CVE-2022-30698 and CVE-2022-30699

NLnet Labs Unbound is vulnerable to a novel type of the "ghost domain
names" attack. The vulnerability works by targeting an Unbound instance.
Unbound is queried for a rogue domain name when the cached delegation
information is about to expire. The rogue nameserver delays the response so
that the cached delegation information is expired. Upon receiving the
delayed answer containing the delegation information, Unbound overwrites
the now expired entries. This action can be repeated when the delegation
information is about to expire making the rogue delegation information
ever-updating. From now on Unbound stores the start time for a query and
uses that to decide if the cached delegation information can be
overwritten.

ELA-819-1 imagemagick security update

Fri, 24 Mar 2023 13:39:40 +0000

Package : imagemagick

Version : 8:6.8.9.9-5+deb8u25 (jessie), 8:6.9.7.4+dfsg-11+deb9u18 (stretch)

Multiple vulnerability were found in ImageMagick, an image processing software, that could result in deny of service, or memory leaks.

CVE-2017-18028

A memory exhaustion vulnerability was found in the function
ReadTIFFImage in coders/tiff.c, which allow remote attackers to
cause a denial of service via a crafted file.

CVE-2020-27767

A flaw was found in ImageMagick in MagickCore/quantum.h.
An attacker who submits a crafted file that is processed by ImageMagick
could trigger undefined behavior in the form of values outside the range
of types `float` and `unsigned char`. This would most likely lead to
an impact to application availability, but could potentially cause
other problems related to undefined behavior.

CVE-2021-3574

A flaw was found in ImageMagick, executing a crafted file with
the convert command, will leak memory.

CVE-2021-20224

An integer overflow issue was discovered in ImageMagick's
ExportIndexQuantum() function in MagickCore/quantum-export.c.
Function calls to GetPixelIndex() could result in values
outside the range of representable for the 'unsigned char'.
When ImageMagick processes a crafted pdf file,
this could lead to an undefined behaviour or a crash.

CVE-2022-44267

ImageMagick was vulnerable to Denial of Service.
When it parses a PNG image (e.g., for resize), the convert process
could be left waiting for stdin input.

ELA-818-1 libdatetime-timezone-perl new timezone database

Fri, 24 Mar 2023 13:30:26 +0100

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2023b (jessie), 1:2.09-1+2023b (stretch)

This update includes the changes in tzdata 2023b for the Perl bindings.

ELA-817-1 tzdata new timezone database

Fri, 24 Mar 2023 13:26:39 +0100

Package : tzdata

Version : 2021a-0+deb8u9 (jessie), 2021a-0+deb9u9 (stretch)

This update includes the changes in tzdata 2023b. Notable changes are:

Egypt uses DST again, starting on April.
Palestine and Lebanon delay the start of DST this year.
Morocco DST will happen a week earlier on April 23.
Adjustments to Greenland’s timezones and DST rules.

ELA-798-2 sox regression update

Mon, 20 Mar 2023 11:19:41 +0100

Package : sox

Version : 14.4.1-5+deb8u6 (jessie), 14.4.1-5+deb9u4 (stretch)

One of the security fixes released as ELA 798 introduced a regression in the processing WAV files with variable bitrate encoding. Updated sox packages are available to correct this issue.

ELA-816-1 pcre2 security update

Sat, 18 Mar 2023 17:04:51 +0100

Package : pcre2

Version : 10.22-3+deb9u1 (stretch)

Related CVEs : CVE-2022-1586

Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl Compatible Regular Expression library, which could result in information disclosure or denial or service.

CVE-2022-1586

An out-of-bounds read vulnerability was discovered in the PCRE2 library
in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c
file. This involves a unicode property matching issue in JIT-compiled
regular expressions.  The issue occurs because the character was not
fully read in case-less matching within JIT.

Additionally, this upload also fixes a subject buffer overread in JIT when UTF is disabled and \X or \R has a greater than 1 fixed quantifier. This issue was found by Yunho Kim.

ELA-815-1 net-snmp security update

Mon, 13 Mar 2023 03:54:45 +0530

Package : net-snmp

Version : 5.7.2.1+dfsg-1+deb8u6 (jessie), 5.7.3+dfsg-1.7+deb9u5 (stretch)

Related CVEs : CVE-2022-44792 CVE-2022-44793

net-snmp, Simple Network Management Protocol agents, were reported to have a couple of vulnerabilities, resulting in a denial of service.

CVE-2022-44792

handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP
has a NULL Pointer Exception bug that can be used by a remote attacker
(who has write access) to cause the instance to crash via a crafted UDP
packet, resulting in Denial of Service.

CVE-2022-44793

handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP
has a NULL Pointer Exception bug that can be used by a remote attacker to
cause the instance to crash via a crafted UDP packet, resulting in
Denial of Service.

ELA-814-1 jupyter-core security update

Mon, 13 Mar 2023 03:32:20 +0530

Package : jupyter-core

Version : 4.2.1-1+deb9u1 (stretch)

Related CVEs : CVE-2022-39286

It was discovered that jupyter-core, the base framework for Jupyter projects like Jupyter Notebooks, could execute arbitrary code when loading configuration files.

ELA-813-1 apr-util security update

Mon, 13 Mar 2023 02:24:43 +0530

Package : apr-util

Version : 1.5.4-1+deb8u1 (jessie), 1.5.4-3+deb9u1 (stretch)

Related CVEs : CVE-2017-12618 CVE-2022-25147

apr-util, Apache Portable Runtime Utility Library, had multiple vulnerabilities.

CVE-2017-12618

apr-util fails to validate the integrity of SDBM database files
used by apr_sdbm*() functions, resulting in a possible out of
bound read access. A local user with write access to the database
can make a program or process using these functions crash, and
cause a denial of service.

CVE-2022-25147

Integer Overflow or Wraparound vulnerability in apr_base64
functions of apr-util allows an attacker to write beyond bounds
of a buffer.

ELA-812-1 mono security update

Sun, 05 Mar 2023 23:11:42 +0200

Package : mono

Version : 4.6.2.7+dfsg-1+deb9u1 (stretch)

Related CVEs : CVE-2023-26314

Triggering arbitrary code execution was possible due to .desktop files registered as application/x-ms-dos-executable MIME handlers in the open source .NET framework Mono.

ELA-811-1 libde265 security update

Sun, 05 Mar 2023 09:24:34 +0100

Package : libde265

Version : 1.0.11-0+deb9u3 (stretch)

Multiple issues were found in libde265, an open source implementation of the h.265 video codec, which may result in denial of service, have unspecified other impact, possibly code execution due to a heap-based buffer overflow.

CVE-2022-47664

Libde265 1.0.9 is vulnerable to Buffer Overflow in
ff_hevc_put_hevc_qpel_pixels_8_sse

CVE-2022-47665

Libde265 1.0.9 has a heap buffer overflow vulnerability in
de265_image::set_SliceAddrRS(int, int, int)

CVE-2023-24751

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the mc_chroma function at motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS)
via a crafted input file.

CVE-2023-24752

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24754

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24755

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_weighted_pred_8_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.

CVE-2023-24756

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_unweighted_pred_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-24757

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the put_unweighted_pred_16_fallback function at
fallback-motion.cc. This vulnerability allows attackers to cause a
Denial of Service (DoS) via a crafted input file.

CVE-2023-24758

libde265 v1.0.10 was discovered to contain a NULL pointer
dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at
sse-motion.cc. This vulnerability allows attackers to cause a Denial
of Service (DoS) via a crafted input file.

CVE-2023-25221

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow
vulnerability in the derive_spatial_luma_vector_prediction function
in motion.cc.

ELA-810-1 linux-5.10 security update

Fri, 03 Mar 2023 09:05:41 +0100

Package : linux-5.10

Version : 5.10.162-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-2873

Zheyu Ma discovered that an out-of-bounds memory access flaw in
the Intel iSMT SMBus 2.0 host controller driver may result in
denial of service (system crash).

CVE-2022-3545

It was discovered that the Netronome Flow Processor (NFP) driver
contained a use-after-free flaw in area_cache_get(), which may
result in denial of service or the execution of arbitrary code.

CVE-2022-3623

A race condition when looking up a CONT-PTE/PMD size hugetlb page
may result in denial of service or an information leak.

CVE-2022-4696

A use-after-free vulnerability was discovered in the io_uring
subsystem.

CVE-2022-36280

An out-of-bounds memory write vulnerability was discovered in the
vmwgfx driver, which may allow a local unprivileged user to cause
a denial of service (system crash).

CVE-2022-41218

Hyunwoo Kim reported a use-after-free flaw in the Media DVB core
subsystem caused by refcount races, which may allow a local user
to cause a denial of service or escalate privileges.

CVE-2022-45934

An integer overflow in l2cap_config_req() in the Bluetooth
subsystem was discovered, which may allow a physically proximate
attacker to cause a denial of service (system crash).

CVE-2022-47929

Frederick Lawler reported a NULL pointer dereference in the
traffic control subsystem allowing an unprivileged user to cause a
denial of service by setting up a specially crafted traffic
control configuration.

CVE-2023-0179

Davide Ornaghi discovered incorrect arithmetics when fetching VLAN
header bits in the netfilter subsystem, allowing a local user to
leak stack and heap addresses or potentially local privilege
escalation to root.

CVE-2023-0240

A flaw was discovered in the io_uring subsystem that could lead
to a use-after-free.  A local user could exploit this to cause
a denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2023-0266

A use-after-free flaw in the sound subsystem due to missing
locking may result in denial of service or privilege escalation.

CVE-2023-0394

Kyle Zeng discovered a NULL pointer dereference flaw in
rawv6_push_pending_frames() in the network subsystem allowing a
local user to cause a denial of service (system crash).

CVE-2023-23454

Kyle Zeng reported that the Class Based Queueing (CBQ) network
scheduler was prone to denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23455

Kyle Zeng reported that the ATM Virtual Circuits (ATM) network
scheduler was prone to a denial of service due to interpreting
classification results before checking the classification return
code.

CVE-2023-23586

A flaw was discovered in the io_uring subsystem that could lead to
an information leak.  A local user could exploit this to obtain
sensitive information from the kernel or other users.

This update also fixes Debian bugs #825141, #1008501, #1027430, and #1027483, and includes many more bug fixes from stable updates 5.10.159-5.10.162 inclusive.

ELA-809-1 freeradius security update

Fri, 24 Feb 2023 22:00:14 +0100

Package : freeradius

Version : 3.0.17+dfsg-1.1+deb9u1 (stretch)

Several flaws were found in freeradius, a high-performance and highly configurable RADIUS server.

CVE-2022-41859

In freeradius, the EAP-PWD function compute_password_element() leaks
information about the password which allows an attacker to substantially
reduce the size of an offline dictionary attack.

CVE-2022-41860

In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the
server will try to look that option up in the internal dictionaries. This
lookup will fail, but the SIM code will not check for that failure.
Instead, it will dereference a NULL pointer, and cause the server to crash.

CVE-2022-41861

A flaw was found in freeradius. A malicious RADIUS client or home server
can send a malformed attribute which can cause the server to crash.

CVE-2019-11234

FreeRADIUS does not prevent use of reflection for authentication spoofing,
aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

CVE-2019-11235

FreeRADIUS mishandles the "each participant verifies that the received
scalar is within a range, and that the received group element is a valid
point on the curve being used" protection mechanism, aka a "Dragonblood"
issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

CVE-2019-13456

In FreeRADIUS 3.0 on average 1 in every 2048 EAP-pwd handshakes fails
because the password element cannot be found within 10 iterations of the
hunting and pecking loop. This leaks information that an attacker can use
to recover the password of any user. This information leakage is similar to
the "Dragonblood" attack and CVE-2019-9494.

CVE-2019-17185

In FreeRADIUS 3.0.x the EAP-pwd module used a global OpenSSL
BN_CTX instance to handle all handshakes. This mean multiple threads use the
same BN_CTX instance concurrently, resulting in crashes when concurrent
EAP-pwd handshakes are initiated. This can be abused by an adversary as a
Denial-of-Service (DoS) attack.

ELA-808-1 git security update

Fri, 24 Feb 2023 14:39:21 +0100

Package : git

Version : 1:2.1.4-2.1+deb8u13 (jessie), 1:2.11.0-3+deb9u10 (stretch)

Related CVEs : CVE-2023-22490 CVE-2023-23946

Several vulnerabilities have been discovered in git, a fast, scalable and distributed revision control system.

CVE-2023-22490

yvvdwf found a data exfiltration vulnerability while performing a local
clone from a malicious repository even using a non-local transport.

CVE-2023-23946

Joern Schneeweisz found a path traversal vulnerbility in git-apply
that a path outside the working tree can be overwritten as the acting
user.

ELA-807-1 openssl security update

Wed, 22 Feb 2023 10:25:53 +0100

Package : openssl

Version : 1.0.1t-1+deb8u20 (jessie), 1.1.0l-1~deb9u8 (stretch)

Related CVEs : CVE-2023-0215 CVE-2023-0286

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit, which may result in denial of service or information disclosure.

Additional details can be found in the upstream advisory.

ELA-806-1 tiff security update

Wed, 22 Feb 2023 00:04:20 +0100

Package : tiff

Version : 4.0.3-12.3+deb8u15 (jessie), 4.0.8-2+deb9u10 (stretch)

Several flaws were found in tiffcrop, a program distributed by tiff, a library and tools providing support for the Tag Image File Format (TIFF). A specially crafted tiff file can lead to an out-of-bounds write or read resulting in a denial of service.

ELA-805-1 libgit2 security update

Tue, 21 Feb 2023 21:40:14 +0100

Package : libgit2

Version : 0.25.1+really0.24.6-1+deb9u2 (stretch)

Related CVEs : CVE-2023-22742

A vulnerability have been found in libgit2, a cross-platform, linkable library implementation of Git.

Previous versions of libgit’s SSH backend did by default not perform certificate checking if the caller did not explicitly provide a certificate check callback and so may be subjected to a man-in-the-middle attack.

ELA-804-1 libarchive security update

Tue, 21 Feb 2023 16:14:31 +0100

Package : libarchive

Version : 3.1.2-11+deb8u11 (jessie)

This update fixes the build on armhf, which was preventing security updates from reaching that architecture.

ELA-803-1 git security update

Tue, 21 Feb 2023 14:41:10 +0100

Package : git

Version : 1:2.1.4-2.1+deb8u12 (jessie)

Multiple issues were found in Git, a distributed revision control system. An attacker may trigger remote code execution, cause local users into executing arbitrary commands, leak information from the local filesystem, and bypass restricted shell.

This update includes two changes of behavior that may affect certain setup:

It stops when directory traversal changes ownership from the current user while looking for a top-level git directory, a user could make an exception by using the new safe.directory configuration.
The default of protocol.file.allow has been changed from “always” to “user”.

ELA-802-1 nss security update

Tue, 21 Feb 2023 01:15:06 +0100

Package : nss

Version : 2:3.26-1+debu8u17 (jessie), 2:3.26.2-1.1+deb9u6 (stretch)

Related CVEs : CVE-2023-0767

Christian Holler discovered that incorrect handling of PKCS 12 Safe Bag attributes in nss, the Mozilla Network Security Service library, may result in execution of arbitrary code if a specially crafted PKCS 12 certificate bundle is processed.

ELA-801-1 clamav security update

Mon, 20 Feb 2023 18:54:40 +0100

Package : clamav

Version : 0.103.8+dfsg-0+deb8u1 (jessie), 0.103.8+dfsg-0+deb9u1 (stretch)

Related CVEs : CVE-2023-20032 CVE-2023-20052

Two vulnerabilities have been found in the ClamAV antivirus toolkit, which could result in arbitrary code execution or information disclosure when parsing maliciously crafted HFS+ or DMG files.

ELA-800-1 c-ares security update

Sun, 19 Feb 2023 00:36:28 +0100

Package : c-ares

Version : 1.10.0-2+deb8u4 (jessie), 1.12.0-1+deb9u3 (stretch)

Related CVEs : CVE-2022-4904

It was discovered that in c-ares, an asynchronous name resolver library, the config_sortlist function is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow and thus may cause a denial of service.

ELA-799-1 asterisk security update

Fri, 17 Feb 2023 00:51:34 +0100

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u8 (stretch)

Related CVEs : CVE-2022-37325 CVE-2022-42706

Two security vulnerabilities were discovered in Asterisk, an Open Source Private Branch Exchange.

CVE-2022-37325

An incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed
Calling or Called Party IE can cause a denial of service.

CVE-2022-42706

GetConfig, via Asterisk Manager Interface, allows a connected application
to access files outside of the asterisk configuration directory, aka
Directory Traversal.

ELA-546-2 pillow regression update

Tue, 14 Feb 2023 09:27:39 +0100

Package : pillow

Version : 2.6.1-2+deb8u8 (jessie)

Related CVEs : CVE-2021-28675

The patch to address CVE-2021-28675 in Pillow 2.6.1-2+deb8u7 raised OSError exceptions when processing truncated files. This version has been updated to raise IOError exceptions instead, which makes Pillow itself handle the error, making it more transparent to users.

ELA-780-2 curl regression update

Fri, 10 Feb 2023 09:53:20 -0500

Package : curl

Version : 7.38.0-4+deb8u25 (jessie)

Related CVEs : CVE-2022-27774

The patches for CVE-2022-27774 caused a regression in libcurl which could result in a segmentation fault. The root cause has been identified and the patches have been revised.

ELA-798-1 sox security update

Fri, 10 Feb 2023 13:36:51 +0100

Package : sox

Version : 14.4.1-5+deb8u5 (jessie), 14.4.1-5+deb9u3 (stretch)

This update fixes multiple file format validation vulnerabilities that could result in memory access violations such as buffer overflows and floating point exceptions. It also fixes a regression in hcom parsing introduced when fixing CVE-2017-11358.

CVE-2019-13590

In sox-fmt.h (startread function), there is an integer overflow on the
result of integer addition (wraparound to 0) fed into the lsx_calloc macro
that wraps malloc. When a NULL pointer is returned, it is used without a
prior check that it is a valid pointer, leading to a NULL pointer
dereference on lsx_readbuf in formats_i.c.

CVE-2021-3643

The lsx_adpcm_init function within libsox leads to a
global-buffer-overflow. This flaw allows an attacker to input a malicious
file, leading to the disclosure of sensitive information.

CVE-2021-23159

A vulnerability was found in SoX, where a heap-buffer-overflow occurs
in function lsx_read_w_buf() in formats_i.c file. The vulnerability is
exploitable with a crafted file, that could cause an application to
crash.

CVE-2021-23172

A vulnerability was found in SoX, where a heap-buffer-overflow occurs
in function startread() in hcom.c file. The vulnerability is
exploitable with a crafted hcomn file, that could cause an application
to crash.

CVE-2021-23210

A floating point exception (divide-by-zero) issue was discovered in
SoX in functon read_samples() of voc.c file. An attacker with a
crafted file, could cause an application to crash.

CVE-2021-33844

A floating point exception (divide-by-zero) issue was discovered in
SoX in functon startread() of wav.c file. An attacker with a crafted
wav file, could cause an application to crash.

CVE-2021-40426

A heap-based buffer overflow vulnerability exists in the sphere.c
start_read() functionality of Sound Exchange libsox. A specially-crafted
file can lead to a heap buffer overflow. An attacker can provide a
malicious file to trigger this vulnerability.

CVE-2022-31650

There is a floating-point exception in lsx_aiffstartwrite in aiff.c.

CVE-2022-31651

There is an assertion failure in rate_init in rate.c.

ELA-797-1 heimdal security update

Thu, 09 Feb 2023 13:19:38 +0100

Package : heimdal

Version : 1.6~rc2+dfsg-9+deb8u3 (jessie)

This update fixes several vulnerabilities in heimdal, an implementation of kerberos.

CVE-2018-16860

A flaw was found in the Heimdal KDC implementation. A man in the middle
attacker could use this flaw to intercept the request to the KDC and
replace the user name (principal) in the request with any desired user name
(principal) that exists in the KDC effectively obtaining a ticket for that
principal.

CVE-2019-14870

Improper validation of forwarded kerberos tickets.

CVE-2021-3671

A null pointer de-reference was found in the way heimdal kdc handled
missing sname in TGS-REQ (Ticket Granting Server - Request). An
authenticated user could use this flaw to crash the kdc.

CVE-2021-44758

Heimdal allows attackers to cause a NULL pointer dereference in a SPNEGO
acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero
initial_response value to send_accept.

CVE-2022-3437

A heap-based buffer overflow vulnerability was found within the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES
decryption routines in the Heimdal GSSAPI library allow a length-limited
write buffer overflow on malloc() allocated memory when presented with a
maliciously small packet. This flaw allows a remote user to send specially
crafted malicious data to the application, possibly resulting in a denial
of service (DoS) attack.

CVE-2022-41916

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. It was
vulnerable to a denial of service vulnerability in the PKI certificate
validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT),
as well as any third-party applications using Heimdal's libhx509.

CVE-2022-42898

PAC parsing in heimdal has integer overflows that may lead to remote code
execution (in KDC, kadmind, or a GSS or Kerberos application server) on
32-bit platforms (which have a resultant heap-based buffer overflow), and
cause a denial of service on other platforms. This occurs in krb5_pac_parse
in lib/krb5/krb/pac.c in MIT Kerberos. The bug for heimdal is similar.

CVE-2022-44640

Heimdal allows remote attackers to execute arbitrary code because of an
invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

Note that there also is a version 1.6~rc2+dfsg-9+deb8u2, which had a build failure on 32bit architectures.

ELA-796-1 wireshark security update

Wed, 08 Feb 2023 22:02:38 +0100

Package : wireshark

Version : 2.6.20-0+deb9u4 (stretch)

Multiple security vulnerabilities have been discovered in Wireshark, a network traffic analyzer. An attacker could cause a denial of service (infinite loop or application crash) via packet injection or a crafted capture file.

CVE-2022-4345

Infinite loops in the BPv6, OpenFlow, and Kafka protocol dissectors in
Wireshark 4.0.0 to 4.0.1 and 3.6.0 to 3.6.9 allows denial of service via
packet injection or crafted capture file

CVE-2023-0411

Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and
3.6.0 to 3.6.10 and allows denial of service via packet injection or
crafted capture file

CVE-2023-0412

TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 and
allows denial of service via packet injection or crafted capture file

CVE-2023-0413

Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10
and allows denial of service via packet injection or crafted capture
file

CVE-2023-0415

iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10
and allows denial of service via packet injection or crafted capture
file

CVE-2023-0417

Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0
to 3.6.10 and allows denial of service via packet injection or crafted
capture file

ELA-795-1 heimdal security update

Wed, 08 Feb 2023 13:15:06 +0100

Package : heimdal

Version : 7.1.0+dfsg-13+deb9u4 (stretch)

This update fixes several vulnerabilities in heimdal, an implementation of kerberos.

CVE-2019-14870

Improper validation of forwarded kerberos tickets.

CVE-2021-3671

A null pointer de-reference was found in the way heimdal kdc handled
missing sname in TGS-REQ (Ticket Granting Server - Request). An
authenticated user could use this flaw to crash the kdc.

CVE-2021-44758

Heimdal allows attackers to cause a NULL pointer dereference in a SPNEGO
acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero
initial_response value to send_accept.

CVE-2022-3437

A heap-based buffer overflow vulnerability was found within the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES
decryption routines in the Heimdal GSSAPI library allow a length-limited
write buffer overflow on malloc() allocated memory when presented with a
maliciously small packet. This flaw allows a remote user to send specially
crafted malicious data to the application, possibly resulting in a denial
of service (DoS) attack.

CVE-2022-41916

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. It was
vulnerable to a denial of service vulnerability in the PKI certificate
validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT),
as well as any third-party applications using Heimdal's libhx509.

CVE-2022-42898

PAC parsing in heimdal has integer overflows that may lead to remote code
execution (in KDC, kadmind, or a GSS or Kerberos application server) on
32-bit platforms (which have a resultant heap-based buffer overflow), and
cause a denial of service on other platforms. This occurs in krb5_pac_parse
in lib/krb5/krb/pac.c in MIT Kerberos. The bug for heimdal is similar.

CVE-2022-44640

Heimdal allows remote attackers to execute arbitrary code because of an
invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).

ELA-794-1 xorg-server security update

Tue, 07 Feb 2023 11:23:05 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u10 (jessie), 2:1.19.2-1+deb9u13 (stretch)

Related CVEs : CVE-2023-0494

Jan-Niklas Sohn, working with Trend Micro Zero Day Initiative, discovered a vulnerability in the X.Org X server. A potential use after free mighty result in local privilege escalation if the X server is running privileged or remote code execution during ssh X forwarding sessions.

ELA-793-1 python3.4 bugfix update

Mon, 06 Feb 2023 09:43:37 +0100

Package : python3.4

Version : 3.4.2-1+deb8u13 (jessie)

This update fixes the build on armhf, which was preventing security updates from reaching that architecture.

ELA-792-1 modsecurity-apache security update

Fri, 03 Feb 2023 20:42:59 +0100

Package : modsecurity-apache

Version : 2.8.0-3+deb8u2 (jessie)

Related CVEs : CVE-2022-48279

A issues was found in modsecurity-apache, open source, cross platform web application firewall (WAF) engine for Apache which allows remote attackers to bypass the applications firewall.

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart
requests were incorrectly parsed and could bypass the Web Application
Firewall.
NOTE: this is related to CVE-2022-39956 but can be considered
independent changes to the ModSecurity (C language) codebase.

ELA-791-1 python-django security update

Wed, 01 Feb 2023 13:26:35 -0800

Package : python-django

Version : 1.7.11-1+deb8u16 (jessie), 1:1.10.7-2+deb9u19 (stretch)

Related CVEs : CVE-2023-23969

It was discovered that there was a potential Denial of Service (DoS) vulnerability in Django, a popular Python-based web development framework.

Parsed values of the Accept-Language HTTP headers are cached by Django order to avoid repetitive parsing. This could have led to a potential denial-of-service attack via excessive memory usage if the raw value of Accept-Language headers was very large.

Accept-Language headers are now limited to a maximum length specifically in order to avoid this issue.

ELA-790-1 libarchive security update

Tue, 31 Jan 2023 23:17:56 +0100

Package : libarchive

Version : 3.1.2-11+deb8u10 (jessie), 3.2.2-2+deb9u4 (stretch)

Related CVEs : CVE-2022-36227

An issue has been found in libarchive, a multi-format archive and compression library. Due to missing checks after calloc, null pointer dereferences might happen.

ELA-789-1 openjdk-8 security update

Tue, 31 Jan 2023 16:15:46 +0100

Package : openjdk-8

Version : 8u362-ga-1~deb8u1 (jessie), 8u362-ga-1~deb9u1 (stretch)

Related CVEs : CVE-2023-21830 CVE-2023-21843

Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions.

ELA-788-1 git security update

Tue, 31 Jan 2023 08:54:08 +0100

Package : git

Version : 1:2.11.0-3+deb9u9 (stretch)

This update includes two changes of behavior that may affect certain setup:

It stops when directory traversal changes ownership from the current user while looking for a top-level git directory, a user could make an exception by using the new safe.directory configuration.
The default of protocol.file.allow has been changed from “always” to “user”.

ELA-787-1 ruby-sinatra security update

Tue, 31 Jan 2023 04:15:45 +0530

Package : ruby-sinatra

Version : 1.4.7-5+deb9u2 (stretch)

Related CVEs : CVE-2022-45442

Sinatra is a domain-specific language for creating web applications in Ruby. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

ELA-786-1 tiff security update

Mon, 30 Jan 2023 23:42:38 +0100

Package : tiff

Version : 4.0.3-12.3+deb8u14 (jessie), 4.0.8-2+deb9u9 (stretch)

Multiple vulnerabilities were found in tiff, a library and tools providing support for the Tag Image File Format (TIFF), leading to denial of service (DoS) and possibly local code execution.

ELA-785-1 ruby-rack security update

Tue, 31 Jan 2023 04:10:10 +0530

Package : ruby-rack

Version : 1.6.4-4+deb9u4 (stretch)

Related CVEs : CVE-2022-44570 CVE-2022-44571

A couple of ReDoS vulnerabilities were found in multipart parser and Rack::Utils.byte_ranges in ruby-rack, a modular Ruby webserver interface.

ELA-784-1 ruby-git security update

Tue, 31 Jan 2023 04:07:49 +0530

Package : ruby-git

Version : 1.2.8-1+deb9u1 (stretch)

A couple of vulnerabilities were reported against ruby-git, a Ruby interface to the Git revision control system, that could lead to a command injection and execution of an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product.

ELA-783-1 modsecurity-crs security update

Mon, 30 Jan 2023 19:44:32 +0100

Package : modsecurity-crs

Version : 3.2.3-0+deb9u1 (stretch)

Multiple issues were found in modsecurity-crs, a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls, which allows remote attackers to bypass the web applications firewall.

If you are using modsecurity-crs with apache2 / libapache2-modsecurity, please make sure to review your modsecurity configuration, usually /etc/modsecurity/modsecurity.conf, against the updated recommended configration, available in /etc/modsecurity/modsecurity.conf-recommended: Some of the changes to the recommended rules are required to avoid WAF bypasses in certain circumstances.

Please note that CVE-2022-39956 requires an updated modsecurity-apache packge, which has been previously uploaded to buster-security, see Debian ELTS Advisory ELA-779-1 for details.

Kudos to @airween for the support and help while perparing the update.

CVE-2018-16384

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule
Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special
function name (such as "if") and b is the SQL statement to be executed.

CVE-2019-13464

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2.
Use of X.Filename instead of X_Filename can bypass some PHP Script Uploads
rules, because PHP automatically transforms dots into underscores in
certain contexts where dots are invalid.

CVE-2020-22669

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL
injection bypass vulnerability. Attackers can use the comment characters
and variable assignments in the SQL syntax to bypass Modsecurity WAF 
protection and implement SQL injection attacks on Web applications.

CVE-2021-35368

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1,
and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a 
trailing pathname.

CVE-2022-39955

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass by submitting a specially crafted HTTP Content-Type header field that
indicates multiple character encoding schemes. A vulnerable back-end can
potentially be exploited by declaring multiple Content-Type "charset" names and
therefore bypassing the configurable CRS Content-Type header "charset" allow
list. An encoded payload can bypass CRS detection this way and may then be
decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected,
as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and
users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39956

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass for HTTP multipart requests by submitting a payload that uses a
character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be decoded
and inspected by the web application firewall engine and the rule set. The
multipart payload will therefore bypass detection. A vulnerable backend that
supports these encoding schemes can potentially be exploited. The legacy CRS
versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2
and 3.3.3 respectively. The mitigation against these vulnerabilities depends on
the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVE-2022-39957

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass. A client can issue an HTTP Accept header field containing an optional
"charset" parameter in order to receive the response in an encoded form.
Depending on the "charset", this response can not be decoded by the web
application firewall. A restricted resource, access to which would ordinarily
be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and
3.1.x are affected, as well as the currently supported versions 3.2.1 and
3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3
respectively.

CVE-2022-39958

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass
to sequentially exfiltrate small and undetectable sections of data by
repeatedly submitting an HTTP Range header field with a small byte range. A
restricted resource, access to which would ordinarily be detected, may be
exfiltrated from the backend, despite being protected by a web application
firewall that uses CRS. Short subsections of a restricted resource may bypass
pattern matching techniques and allow undetected access. The legacy CRS
versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2
and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

ELA-782-1 xorg-server security update

Sun, 29 Jan 2023 13:33:08 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u9 (jessie), 2:1.19.2-1+deb9u12 (stretch)

Jan-Niklas Sohn discovered several vulnerabilities in X server extensions in the X.Org X server, which may result in privilege escalation if the X server is running privileged.

ELA-781-1 libzen security update

Sun, 29 Jan 2023 01:16:40 +0100

Package : libzen

Version : 0.4.34-1+deb9u1 (stretch)

Related CVEs : CVE-2020-36646

Crafted arguments to a function could lead to an unchecked return value and a null pointer dereference.

ELA-780-1 curl security update

Sat, 28 Jan 2023 16:29:20 -0500

Package : curl

Version : 7.38.0-4+deb8u24 (jessie), 7.52.1-5+deb9u18 (stretch)

Several vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

This update also revises the fix for CVE-2022-27782 released for stretch in ELA-664-1.

ELA-779-1 modsecurity-apache security update

Thu, 26 Jan 2023 19:48:35 +0100

Package : modsecurity-apache

Version : 2.9.1-2+deb9u2 (stretch)

Related CVEs : CVE-2022-48279 CVE-2023-24021

Multiple issues were found in modsecurity-apache, open source, cross platform web application firewall (WAF) engine for Apache which allows remote attackers to bypass the applications firewall and other unspecified impact.

CVE-2022-48279

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart
requests were incorrectly parsed and could bypass the Web Application
Firewall.
NOTE: this is related to CVE-2022-39956 but can be considered
independent changes to the ModSecurity (C language) codebase.

CVE-2023-24021

Incorrect handling of null-bytes in file uploads in ModSecurity
before 2.9.7 may allow for Web Application Firewall bypasses and
buffer overflows on the Web Application Firewall when executing
rules reading the FILES_TMP_CONTENT collection.

ELA-778-1 libde265 security update

Thu, 26 Jan 2023 16:32:39 +0100

Package : libde265

Version : 1.0.2-2+deb9u2 (stretch)

Multiple issues were found in libde265, an open source implementation of the H.265 video codec, which may result in denial of or have unspecified other impact.

CVE-2020-21594

libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fallback
function, which can be exploited via a crafted a file.

CVE-2020-21595

libde265 v1.0.4 contains a heap buffer overflow in the mc_luma function,
which can be exploited via a crafted a file.

CVE-2020-21596

libde265 v1.0.4 contains a global buffer overflow in the
decode_CABAC_bit function, which can be exploited via a crafted a
file.

CVE-2020-21597

libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma
function, which can be exploited via a crafted a file.

CVE-2020-21598

libde265 v1.0.4 contains a heap buffer overflow in the
ff_hevc_put_unweighted_pred_8_sse function, which can be exploited
via a crafted a file.

CVE-2020-21600

libde265 v1.0.4 contains a heap buffer overflow in the
put_weighted_pred_avg_16_fallback function, which can be exploited via a
crafted a file.

CVE-2020-21601

libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback
function, which can be exploited via a crafted a file.

CVE-2020-21602

libde265 v1.0.4 contains a heap buffer overflow in the
put_weighted_bipred_16_fallback function, which can be exploited via a crafted
a file.

CVE-2020-21603

libde265 v1.0.4 contains a heap buffer overflow in the
put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file.

CVE-2020-21604

libde265 v1.0.4 contains a heap buffer overflow fault in the
_mm_loadl_epi64 function, which can be exploited via a crafted a file.

CVE-2020-21605

libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal
function, which can be exploited via a crafted a file.

CVE-2020-21606

libde265 v1.0.4 contains a heap buffer overflow fault in the
put_epel_16_fallback function, which can be exploited via a crafted a file.

CVE-2022-43235

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_hevc_epel_pixels_8_sse in sse-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43236

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43237

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow
vulnerability via void put_epel_hv_fallback<unsigned short> in
fallback-motion.cc. This vulnerability allows attackers to cause a Denial of
Service (DoS) via a crafted video file.

CVE-2022-43238

Libde265 v1.0.8 was discovered to contain an unknown crash via
ff_hevc_put_hevc_qpel_h_3_v_3_sse in sse-motion.cc. This vulnerability allows
attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43239

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via mc_chroma<unsigned short> in motion.cc. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43240

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43241

Libde265 v1.0.8 was discovered to contain an unknown crash via
ff_hevc_put_hevc_qpel_v_3_8_sse in sse-motion.cc. This vulnerability allows
attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43242

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via mc_luma<unsigned char> in motion.cc. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43243

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via ff_hevc_put_weighted_pred_avg_8_sse in sse-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43244

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43245

Libde265 v1.0.8 was discovered to contain a segmentation violation via
apply_sao_internal<unsigned short> in sao.cc. This vulnerability allows
attackers to cause a Denial of Service (DoS) via a crafted video file.

CVE-2022-43248

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43249

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_epel_hv_fallback<unsigned short> in fallback-motion.cc.
This vulnerability allows attackers to cause a Denial of Service (DoS) via a
crafted video file.

CVE-2022-43250

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_qpel_0_0_fallback_16 in fallback-motion.cc.  This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43252

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_epel_16_fallback in fallback-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-43253

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow
vulnerability via put_unweighted_pred_16_fallback in fallback-motion.cc. This
vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted
video file.

CVE-2022-47655

Libde265 1.0.9 is vulnerable to Buffer Overflow in function void
put_qpel_fallback<unsigned short>

ELA-777-1 php5 security update

Tue, 24 Jan 2023 15:22:00 +0100

Package : php5

Version : 5.6.40+dfsg-0+deb8u16 (jessie)

Multiple security issues were discovered in PHP, a widely-used open source general purpose scripting language which could result in denial of service, information disclosure, insecure cookie handling or potentially the execution of arbitrary code.

ELA-776-1 linux-4.19 security update

Tue, 24 Jan 2023 10:04:27 +0100

Package : linux-4.19

Version : 4.19.269-1~deb8u1 (jessie), 4.19.269-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-2978

"butt3rflyh4ck", Hao Sun, and Jiacheng Xu reported a flaw in the
nilfs2 filesystem driver which can lead to a use-after-free.  A
local use might be able to exploit this to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2022-3521

The syzbot tool found a race condition in the KCM subsystem
which could lead to a crash.

This subsystem is not enabled in Debian's official kernel
configurations.

CVE-2022-3524

The syzbot tool found a race condition in the IPv6 stack which
could lead to a memory leak.  A local user could exploit this to
cause a denial of service (memory exhaustion).

CVE-2022-3564

A flaw was discovered in the Bluetooh L2CAP subsystem which
would lead to a use-after-free.  This might be exploitable
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-3565

A flaw was discovered in the mISDN driver which would lead to a
use-after-free.  This might be exploitable to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2022-3594

Andrew Gaul reported that the r8152 Ethernet driver would log
excessive numbers of messages in response to network errors.  A
remote attacker could possibly exploit this to cause a denial of
service (resource exhaustion).

CVE-2022-3621, CVE-2022-3646

The syzbot tool found flaws in the nilfs2 filesystem driver which
can lead to a null pointer dereference or memory leak.  A user
permitted to mount arbitrary filesystem images could use these to
cause a denial of service (crash or resource exhaustion).

CVE-2022-3628

Dokyung Song, Jisoo Jang, and Minsuk Kang reported a potential
heap-based buffer overflow in the brcmfmac Wi-Fi driver.  A user
able to connect a malicious USB device could exploit this to cause
a denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-3640

A flaw was discovered in the Bluetooh L2CAP subsystem which
would lead to a use-after-free.  This might be exploitable
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-3643 (XSA-423)

A flaw was discovered in the Xen network backend driver that would
result in it generating malformed packet buffers.  If these
packets were forwarded to certain other network devices, a Xen
guest could exploit this to cause a denial of service (crash or
device reset).

CVE-2022-3649

The syzbot tool found flaws in the nilfs2 filesystem driver which
can lead to a use-after-free.  A user permitted to mount arbitrary
filesystem images could use these to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2022-4378

Kyle Zeng found a flaw in procfs that would cause a stack-based
buffer overflow.  A local user permitted to write to a sysctl
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2022-20369

A flaw was found in the v4l2-mem2mem media driver that would lead
to an out-of-bounds write.  A local user with access to such a
device could exploit this for privilege escalation.

CVE-2022-29901

Johannes Wikner and Kaveh Razavi reported that for Intel
processors (Intel Core generation 6, 7 and 8), protections against
speculative branch target injection attacks were insufficient in
some circumstances, which may allow arbitrary speculative code
execution under certain microarchitecture-dependent conditions.

More information can be found at
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/return-stack-buffer-underflow.html

CVE-2022-40768

"hdthky" reported that the stex SCSI adapter driver did not fully
initialise a structure that is copied to user-space.  A local user
with access to such a device could exploit this to leak sensitive
information.

CVE-2022-41849

A race condition was discovered in the smscufx graphics driver,
which could lead to a use-after-free.  A user able to remove the
physical device while also accessing its device node could exploit
this to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-41850

A race condition was discovered in the hid-roccat input driver,
which could lead to a use-after-free.  A local user able to access
such a device could exploit this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2022-42328, CVE-2022-42329 (XSA-424)

Yang Yingliang reported that the Xen network backend driver did
not use the proper function to free packet buffers in one case,
which could lead to a deadlock.  A Xen guest could exploit this to
cause a denial of service (hang).

CVE-2022-42895

Tamás Koczka reported a flaw in the Bluetooh L2CAP subsystem
that would result in reading uninitialised memory.  A nearby
attacker able to make a Bluetooth connection could exploit
this to leak sensitive information.

CVE-2022-42896

Tamás Koczka reported flaws in the Bluetooh L2CAP subsystem that
can lead to a use-after-free.  A nearby attacker able to make a
Bluetooth SMP connection could exploit this to cause a denial of
service (crash or memory corruption) or possibly for remote code
execution.

CVE-2022-43750

The syzbot tool found that the USB monitor (usbmon) driver allowed
user-space programs to overwrite the driver's data structures.  A
local user permitted to access a USB monitor device could exploit
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.  However, by default only the
root user can access such devices.

ELA-775-1 php7.0 security update

Tue, 24 Jan 2023 09:44:22 +0100

Package : php7.0

Version : 7.0.33-0+deb9u13 (stretch)

ELA-774-1 linux-5.10 security update

Mon, 23 Jan 2023 09:52:16 +0100

Package : linux-5.10

Version : 5.10.158-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-3759

It was discovered that the memory cgroup controller did not
account for kernel memory allocated for IPC objects.  A local user
could use this for denial of service (memory exhaustion).

CVE-2022-3169

It was discovered that the NVMe host driver did not prevent a
concurrent reset and subsystem reset.  A local user with access to
an NVMe device could use this to cause a denial of service (device
disconnect or crash).

CVE-2022-3435

Gwangun Jung reported a flaw in the IPv4 forwarding subsystem
which would lead to an out-of-bounds read.  A local user with
CAP_NET_ADMIN capability in any user namespace could possibly
exploit this to cause a denial of service (crash).

CVE-2022-3521

The syzbot tool found a race condition in the KCM subsystem
which could lead to a crash.

This subsystem is not enabled in Debian's official kernel
configurations.

CVE-2022-3524

The syzbot tool found a race condition in the IPv6 stack which
could lead to a memory leak.  A local user could exploit this to
cause a denial of service (memory exhaustion).

CVE-2022-3564

A flaw was discovered in the Bluetooh L2CAP subsystem which
would lead to a use-after-free.  This might be exploitable
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-3565

A flaw was discovered in the mISDN driver which would lead to a
use-after-free.  This might be exploitable to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2022-3594

Andrew Gaul reported that the r8152 Ethernet driver would log
excessive numbers of messages in response to network errors.  A
remote attacker could possibly exploit this to cause a denial of
service (resource exhaustion).

CVE-2022-3628

Dokyung Song, Jisoo Jang, and Minsuk Kang reported a potential
heap-based buffer overflow in the brcmfmac Wi-Fi driver.  A user
able to connect a malicious USB device could exploit this to cause
a denial of service (crash or memory corruption) or possibly for
privilege escalation.

CVE-2022-3640

A flaw was discovered in the Bluetooh L2CAP subsystem which
would lead to a use-after-free.  This might be exploitable
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-3643 (XSA-423)

A flaw was discovered in the Xen network backend driver that would
result in it generating malformed packet buffers.  If these
packets were forwarded to certain other network devices, a Xen
guest could exploit this to cause a denial of service (crash or
device reset).

CVE-2022-4139

A flaw was discovered in the i915 graphics driver.  On gen12 "Xe"
GPUs it failed to flush TLBs when necessary, resulting in GPU
programs retaining access to freed memory.  A local user with
access to the GPU could exploit this to leak sensitive
information, cause a denial of service (crash or memory
corruption) or likely for privilege escalation.

CVE-2022-4378

Kyle Zeng found a flaw in procfs that would cause a stack-based
buffer overflow.  A local user permitted to write to a sysctl
could use this to cause a denial of service (crash or memory
corruption) or possibly for privilege escalation.

CVE-2022-41849

A race condition was discovered in the smscufx graphics driver,
which could lead to a use-after-free.  A user able to remove the
physical device while also accessing its device node could exploit
this to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-41850

A race condition was discovered in the hid-roccat input driver,
which could lead to a use-after-free.  A local user able to access
such a device could exploit this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2022-42328, CVE-2022-42329 (XSA-424)

Yang Yingliang reported that the Xen network backend driver did
not use the proper function to free packet buffers in one case,
which could lead to a deadlock.  A Xen guest could exploit this to
cause a denial of service (hang).

CVE-2022-42895

Tamás Koczka reported a flaw in the Bluetooh L2CAP subsystem
that would result in reading uninitialised memory.  A nearby
attacker able to make a Bluetooth connection could exploit
this to leak sensitive information.

CVE-2022-42896

Tamás Koczka reported flaws in the Bluetooh L2CAP subsystem that
can lead to a use-after-free.  A nearby attacker able to make a
Bluetooth SMP connection could exploit this to cause a denial of
service (crash or memory corruption) or possibly for remote code
execution.

CVE-2022-47518, CVE-2022-47519, CVE-2022-47521

Several flaws were discovered in the wilc1000 Wi-Fi driver which
could lead to a heap-based buffer overflow.  A nearby attacker
could exploit these for denial of service (crash or memory
corruption) or possibly for remote code execution.

CVE-2022-47520

A flaw was discovered in the wilc1000 Wi-Fi driver which could
lead to a heap-based buffer overflow.  A local user with
CAP_NET_ADMIN capability over such a Wi-Fi device could exploit
this for denial of service (crash or memory corruption) or
possibly for privilege escalation.

ELA-773-1 pjproject security update

Wed, 18 Jan 2023 17:11:47 +0100

Package : pjproject

Version : 2.5.5~dfsg-6+deb9u8 (stretch)

Related CVEs : CVE-2022-23537 CVE-2022-23547

Multiple security issues were discovered in pjproject, a free and open source multimedia communication library written in C implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE

CVE-2022-23537

Buffer overread when parsing a specially crafted STUN message with
unknown attribute. The vulnerability affects applications that
uses STUN including PJNATH and PJSUA-LIB.

CVE-2022-23547

Possible buffer overread when parsing a certain STUN message.
The vulnerability affects applications that uses STUN including
PJNATH and PJSUA-LIB.

ELA-772-1 sudo security update

Wed, 18 Jan 2023 16:33:58 +0100

Package : sudo

Version : 1.8.10p3-1+deb8u9 (jessie), 1.8.19p1-2.1+deb9u5 (stretch)

Related CVEs : CVE-2023-22809

Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, a program designed to provide limited super user privileges to specific users, does not properly handle ‘–’ to separate the editor and arguments from files to edit. A local user permitted to edit certain files can take advantage of this flaw to edit a file not permitted by the security policy, resulting in privilege escalation.

ELA-771-1 libxstream-java security update

Mon, 16 Jan 2023 22:20:47 +0100

Package : libxstream-java

Version : 1.4.11.1-1+deb8u6 (jessie), 1.4.11.1-1+deb9u6 (stretch)

Related CVEs : CVE-2022-41966

XStream serializes Java objects to XML and back again. Versions prior to this update may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.

ELA-770-1 netty security update

Mon, 16 Jan 2023 00:10:34 +0100

Package : netty

Version : 1:4.1.7-2+deb9u4 (stretch)

Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework, which may allow attackers to cause a denial of service or bypass restrictions when used as a proxy.

ELA-769-1 libapreq2 security update

Sat, 14 Jan 2023 19:46:27 +0100

Package : libapreq2

Version : 2.13-7~deb9u2 (stretch)

Related CVEs : CVE-2022-22728

A flaw in Apache libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.

ELA-768-1 viewvc security update

Wed, 11 Jan 2023 10:19:31 +0000

Package : viewvc

Version : 1.1.26-1+deb9u1 (stretch)

Related CVEs : CVE-2023-22456 CVE-2023-22464

It was discovered that there were two issues in viewvc, a web-based interface for browsing Subversion and CVS repositories. The attack vectors involved files with unsafe names; names that, when embedded into an HTML stream, could cause the browser to run unwanted code.

ELA-767-1 exiv2 security update

Wed, 11 Jan 2023 10:35:15 +0100

Package : exiv2

Version : 0.24-4.1+deb8u7 (jessie)

This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2.

CVE-2017-11591

There is a Floating point exception in the Exiv2::ValueType function
in Exiv2 0.26 that will lead to a remote denial of service attack via
crafted input.

CVE-2017-14859

An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The
vulnerability causes a segmentation fault and application crash, which
leads to denial of service.

CVE-2017-14862

An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability
causes a segmentation fault and application crash, which leads to
denial of service.

CVE-2017-14864

An Invalid memory address dereference was discovered in
Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a
segmentation fault and application crash, which leads to denial of
service.

CVE-2017-17669

There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in
Exiv2 0.26. A crafted PNG file will lead to a remote denial of service
attack.

CVE-2017-18005

Exiv2 0.26 has a Null Pointer Dereference in the
Exiv2::DataValue::toLong function in value.cpp, related to crafted
metadata in a TIFF file.

CVE-2017-9239

An issue was discovered in Exiv2 0.26. When the data structure of the
structure ifd is incorrect, the program assigns pValue_ to 0x0, and
the value of pValue() is 0x0. TiffImageEntry::doWriteImage will use
the value of pValue() to cause a segmentation fault. To exploit this
vulnerability, someone must open a crafted tiff file.

CVE-2019-13110

A CiffDirectory::readDirectory integer overflow and out-of-bounds read
in Exiv2 through 0.27.1 allows an attacker to cause a denial of
service (SIGSEGV) via a crafted CRW image file.

CVE-2019-13112

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2
through 0.27.1 allows an attacker to cause a denial of service (crash
due to an std::bad_alloc exception) via a crafted PNG image file.

CVE-2020-18771

Exiv2 0.27.99.0 has a global buffer over-read in
Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which
can result in an information leak.

CVE-2021-29458

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An out-of-bounds
read was found in Exiv2 versions v0.27.3 and earlier. The out-of-
bounds read is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file. Note
that this bug is only triggered when writing the metadata, which is a
less frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as insert. The bug is
fixed in version v0.27.4.

CVE-2021-32815

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. The assertion
failure is triggered when Exiv2 is used to modify the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. Note that this bug
is only triggered when modifying the metadata, which is a less
frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as `fi`. ### Patches
The bug is fixed in version v0.27.5. ### References Regression test
and bug fix: #1739 ### For more information Please see our [security
policy](https://github.com/Exiv2/exiv2/security/policy) for
information about Exiv2 security.

CVE-2021-34334

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An infinite loop
is triggered when Exiv2 is used to read the metadata of a crafted
image file. An attacker could potentially exploit the vulnerability to
cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.

CVE-2021-37620

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An out-of-bounds
read was found in Exiv2 versions v0.27.4 and earlier. The out-of-
bounds read is triggered when Exiv2 is used to read the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. The bug is fixed in
version v0.27.5.

CVE-2021-37622

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An infinite loop
was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is
triggered when Exiv2 is used to modify the metadata of a crafted image
file. An attacker could potentially exploit the vulnerability to cause
a denial of service, if they can trick the victim into running Exiv2
on a crafted image file. Note that this bug is only triggered when
deleting the IPTC data, which is a less frequently used Exiv2
operation that requires an extra command line option (`-d I rm`). The
bug is fixed in version v0.27.5.

ELA-766-1 exiv2 security update

Wed, 11 Jan 2023 10:35:10 +0100

Package : exiv2

Version : 0.25-3.1+deb9u4 (stretch)

This update fixes a number of memory access violations and other input validation failures that can be triggered by passing specially crafted files to exiv2.

CVE-2017-11591

There is a Floating point exception in the Exiv2::ValueType function
in Exiv2 0.26 that will lead to a remote denial of service attack via
crafted input.

CVE-2017-14859

An Invalid memory address dereference was discovered in
Exiv2::StringValueBase::read in value.cpp in Exiv2 0.26. The
vulnerability causes a segmentation fault and application crash, which
leads to denial of service.

CVE-2017-14862

An Invalid memory address dereference was discovered in
Exiv2::DataValue::read in value.cpp in Exiv2 0.26. The vulnerability
causes a segmentation fault and application crash, which leads to
denial of service.

CVE-2017-14864

An Invalid memory address dereference was discovered in
Exiv2::getULong in types.cpp in Exiv2 0.26. The vulnerability causes a
segmentation fault and application crash, which leads to denial of
service.

CVE-2017-17669

There is a heap-based buffer over-read in the
Exiv2::Internal::PngChunk::keyTXTChunk function of pngchunk_int.cpp in
Exiv2 0.26. A crafted PNG file will lead to a remote denial of service
attack.

CVE-2017-18005

Exiv2 0.26 has a Null Pointer Dereference in the
Exiv2::DataValue::toLong function in value.cpp, related to crafted
metadata in a TIFF file.

CVE-2018-17581

CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has
excessive stack consumption due to a recursive function, leading to
Denial of service.

CVE-2018-19107

In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from
psdimage.cpp in the PSD image reader) may suffer from a denial of
service (heap-based buffer over-read) caused by an integer overflow
via a crafted PSD image file.

CVE-2018-19108

In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the
PSD image reader may suffer from a denial of service (infinite loop)
caused by an integer overflow via a crafted PSD image file.

CVE-2018-19535

In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in
pngchunk_int.cpp may cause a denial of service (application crash due
to a heap-based buffer over-read) via a crafted PNG file.

CVE-2018-20097

There is a SEGV in
Exiv2::Internal::TiffParserWorker::findPrimaryGroups of
tiffimage_int.cpp in Exiv2 0.27-RC3. A crafted input will lead to a
remote denial of service attack.

CVE-2018-8976

In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial
of service (image.cpp Exiv2::Internal::stringFormat out-of-bounds
read) via a crafted file.

CVE-2019-13110

A CiffDirectory::readDirectory integer overflow and out-of-bounds read
in Exiv2 through 0.27.1 allows an attacker to cause a denial of
service (SIGSEGV) via a crafted CRW image file.

CVE-2019-13112

A PngChunk::parseChunkContent uncontrolled memory allocation in Exiv2
through 0.27.1 allows an attacker to cause a denial of service (crash
due to an std::bad_alloc exception) via a crafted PNG image file.

CVE-2019-13114

http.c in Exiv2 through 0.27.1 allows a malicious http server to cause
a denial of service (crash due to a NULL pointer dereference) by
returning a crafted response that lacks a space character.

CVE-2019-13504

There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in
mrwimage.cpp in Exiv2 through 0.27.2.

CVE-2019-14369

Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0
allows attackers to cause a denial of service (heap-based buffer over-
read) via a crafted image file.

CVE-2019-14370

In Exiv2 0.27.99.0, there is an out-of-bounds read in
Exiv2::MrwImage::readMetadata() in mrwimage.cpp. It could result in
denial of service.

CVE-2019-17402

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from
Exiv2::Internal::CiffDirectory::readDirectory in crwimage_int.cpp,
because there is no validation of the relationship of the total size
to the offset and size.

CVE-2020-18771

Exiv2 0.27.99.0 has a global buffer over-read in
Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which
can result in an information leak.

CVE-2021-29458

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An out-of-bounds
read was found in Exiv2 versions v0.27.3 and earlier. The out-of-
bounds read is triggered when Exiv2 is used to write metadata into a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service by crashing Exiv2, if they
can trick the victim into running Exiv2 on a crafted image file. Note
that this bug is only triggered when writing the metadata, which is a
less frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as insert. The bug is
fixed in version v0.27.4.

CVE-2021-32815

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. The assertion
failure is triggered when Exiv2 is used to modify the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. Note that this bug
is only triggered when modifying the metadata, which is a less
frequently used Exiv2 operation than reading the metadata. For
example, to trigger the bug in the Exiv2 command-line application, you
need to add an extra command-line argument such as `fi`. ### Patches
The bug is fixed in version v0.27.5. ### References Regression test
and bug fix: #1739 ### For more information Please see our [security
policy](https://github.com/Exiv2/exiv2/security/policy) for
information about Exiv2 security.

CVE-2021-34334

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An infinite loop
is triggered when Exiv2 is used to read the metadata of a crafted
image file. An attacker could potentially exploit the vulnerability to
cause a denial of service, if they can trick the victim into running
Exiv2 on a crafted image file. The bug is fixed in version v0.27.5.

CVE-2021-37620

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An out-of-bounds
read was found in Exiv2 versions v0.27.4 and earlier. The out-of-
bounds read is triggered when Exiv2 is used to read the metadata of a
crafted image file. An attacker could potentially exploit the
vulnerability to cause a denial of service, if they can trick the
victim into running Exiv2 on a crafted image file. The bug is fixed in
version v0.27.5.

CVE-2021-37621

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An infinite loop
was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is
triggered when Exiv2 is used to print the metadata of a crafted image
file. An attacker could potentially exploit the vulnerability to cause
a denial of service, if they can trick the victim into running Exiv2
on a crafted image file. Note that this bug is only triggered when
printing the image ICC profile, which is a less frequently used Exiv2
operation that requires an extra command line option (`-p C`). The bug
is fixed in version v0.27.5.

CVE-2021-37622

Exiv2 is a command-line utility and C++ library for reading, writing,
deleting, and modifying the metadata of image files. An infinite loop
was found in Exiv2 versions v0.27.4 and earlier. The infinite loop is
triggered when Exiv2 is used to modify the metadata of a crafted image
file. An attacker could potentially exploit the vulnerability to cause
a denial of service, if they can trick the victim into running Exiv2
on a crafted image file. Note that this bug is only triggered when
deleting the IPTC data, which is a less frequently used Exiv2
operation that requires an extra command line option (`-d I rm`). The
bug is fixed in version v0.27.5.

ELA-765-1 leptonlib security update

Tue, 10 Jan 2023 15:05:24 +0100

Package : leptonlib

Version : 1.71-2.1+deb8u2 (jessie)

This update fixes several issues related to unsafe processing of untrusted input and dealing with predictable paths below /tmp. Part of the affected functionality is primarily intended for debugging leptonlib. This functionality has been disabled rather than fixed. It can reenabled by issuing a call to setLeptDebugOK(1). This change in behaviour was performed upstream and in Debian 10 and later.

CVE-2018-3836

An exploitable command injection vulnerability exists in the
gplotMakeOutput function. A specially crafted gplot rootname argument can
cause a command injection resulting in arbitrary code execution. An
attacker can provide a malicious path as input to an application that
passes attacker data to this function to trigger this vulnerability.

CVE-2018-7186

Leptonica does not limit the number of characters in a %s format argument
to fscanf or sscanf, which allows remote attackers to cause a denial of
service (stack-based buffer overflow) or possibly have unspecified other
impact via a long string, as demonstrated by the gplotRead and
ptaReadStream functions.

CVE-2018-7441

Leptonica uses hardcoded /tmp pathnames, which might allow local users to
overwrite arbitrary files or have unspecified other impact by creating
files in advance or winning a race condition, as demonstrated by
/tmp/junk_split_image.ps in prog/splitimage2pdf.c.

CVE-2018-7442

The gplotMakeOutput function does not block '/' characters in the gplot
rootname argument, potentially leading to path traversal and arbitrary file
overwrite.

CVE-2022-38266

An issue in the Leptonica linked library allows attackers to cause an
arithmetic exception leading to a Denial of Service (DoS) via a crafted
JPEG file.

ELA-764-1 leptonlib security update

Tue, 10 Jan 2023 15:03:08 +0100

Package : leptonlib

Version : 1.74.1-1+deb9u2 (stretch)

CVE-2017-18196

Leptonica constructs unintended pathnames (containing duplicated path
components) when operating on files in /tmp subdirectories, which might
allow local users to bypass intended file restrictions by leveraging access
to a directory located deeper within the /tmp directory tree, as
demonstrated by /tmp/ANY/PATH/ANY/PATH/input.tif.

CVE-2018-3836

An exploitable command injection vulnerability exists in the
gplotMakeOutput function. A specially crafted gplot rootname argument can
cause a command injection resulting in arbitrary code execution. An
attacker can provide a malicious path as input to an application that
passes attacker data to this function to trigger this vulnerability.

CVE-2018-7186

Leptonica does not limit the number of characters in a %s format argument
to fscanf or sscanf, which allows remote attackers to cause a denial of
service (stack-based buffer overflow) or possibly have unspecified other
impact via a long string, as demonstrated by the gplotRead and
ptaReadStream functions.

CVE-2018-7441

Leptonica uses hardcoded /tmp pathnames, which might allow local users to
overwrite arbitrary files or have unspecified other impact by creating
files in advance or winning a race condition, as demonstrated by
/tmp/junk_split_image.ps in prog/splitimage2pdf.c.

CVE-2018-7442

The gplotMakeOutput function does not block '/' characters in the gplot
rootname argument, potentially leading to path traversal and arbitrary file
overwrite.

CVE-2022-38266

An issue in the Leptonica linked library allows attackers to cause an
arithmetic exception leading to a Denial of Service (DoS) via a crafted
JPEG file.

ELA-763-1 grub2 security update

Mon, 09 Jan 2023 01:11:08 +0100

Package : grub2

Version : 2.02~beta2-22+deb8u2 (jessie)

Several issues were found in GRUB2’s font handling code, which could result in crashes and potentially execution of arbitrary code. Further issues were found in image loading that could potentially lead to memory overflows. Please note that some integer overflow mitigations could not be applied because of builtin GCC functions which are only available in newer Debian versions. Only system administrators should be able to change grub2 fonts. If you use the default fonts, your system is not affected.

ELA-762-1 libjettison-java security update

Sat, 31 Dec 2022 18:29:14 +0100

Package : libjettison-java

Version : 1.5.3-1~deb9u1 (stretch)

Several flaws have been discovered in libjettison-java, a collection of StAX parsers and writers for JSON. Specially crafted user input may cause a denial of service via out-of-memory or stack overflow errors.

In addition a build failure related to the update was fixed in jersey1.

ELA-761-1 exuberant-ctags security update

Sat, 31 Dec 2022 13:03:14 +0000

Package : exuberant-ctags

Version : 1:5.9~svn20110310-11+deb9u1 (stretch)

Related CVEs : CVE-2022-4515

A flaw was found in the way the exubertant-ctags source code parser handled the “-o” command-line option which specifies the tag filename. A crafted tag filename specified in the command line or in the configuration file could have resulted in arbitrary command execution because the externalSortTags() in sort.c calls the system(3) function in an unsafe way.

ELA-760-1 grub2 security update

Fri, 30 Dec 2022 14:41:28 +0100

Package : grub2

Version : 2.02~beta3-5+deb9u3 (stretch)

Related CVEs : CVE-2022-2601 CVE-2022-3775

Several issues were found in GRUB2’s font handling code, which could result in crashes and potentially execution of arbitrary code.

ELA-759-1 libcommons-net-java security update

Thu, 29 Dec 2022 21:50:49 +0100

Package : libcommons-net-java

Version : 3.6-1+deb9u1 (stretch)

Related CVEs : CVE-2021-37533

ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Java client API for basic Internet protocols, trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.

ELA-758-1 exempi security update

Thu, 29 Dec 2022 08:25:09 +0100

Package : exempi

Version : 2.4.1-1+deb9u1 (stretch)

Multiple issues were found in exempi, a library to parse XMP (Extensible Metadata Platform) metadata, which may result in denial of service (infinite loops and crashes), memory disclosures, potentially arbitrary code executions in the context of the current user or other unspecified impacts.

CVE-2017-18233

An issue was discovered in Exempi before 2.4.4. Integer overflow in the Chunk
class in XMPFiles/source/FormatSupport/RIFF.cpp allows remote attackers to
cause a denial of service (infinite loop) via crafted XMP data in a .avi file.

CVE-2017-18234

An issue was discovered in Exempi before 2.4.3. It allows remote attackers to
cause a denial of service (invalid memcpy with resultant use-after-free) or
possibly have unspecified other impact via a .pdf file containing JPEG data,
related to XMPFiles/source/FormatSupport/ReconcileTIFF.cpp,
XMPFiles/source/FormatSupport/TIFF_MemoryReader.cpp, and
XMPFiles/source/FormatSupport/TIFF_Support.hpp

CVE-2017-18235

An issue was discovered in Exempi before 2.4.3. The VPXChunk class in
XMPFiles/source/FormatSupport/WEBP_Support.cpp does not ensure nonzero widths
and heights, which allows remote attackers to cause a denial of service
(assertion failure and application exit) via a crafted .webp file.

CVE-2017-18236

An issue was discovered in Exempi before 2.4.4. The
ASF_Support::ReadHeaderObject function in
XMPFiles/source/FormatSupport/ASF_Support.cpp allows remote attackers to cause
a denial of service (infinite loop) via a crafted .asf file.

CVE-2017-18237

An issue was discovered in Exempi before 2.4.3. The
PostScript_Support::ConvertToDate function in
XMPFiles/source/FormatSupport/PostScript_Support.cpp allows remote attackers to
cause a denial of service (invalid pointer dereference and application crash)
via a crafted .ps file.

CVE-2017-18238

An issue was discovered in Exempi before 2.4.4. The
TradQT_Manager::ParseCachedBoxes function in
XMPFiles/source/FormatSupport/QuickTime_Support.cpp allows remote attackers to
cause a denial of service (infinite loop) via crafted XMP data in a .qt file.

CVE-2018-7728

An issue was discovered in Exempi through 2.4.4.
XMPFiles/source/FileHandlers/TIFF_Handler.cpp mishandles a case of a zero
length, leading to a heap-based buffer over-read in the MD5Update() function in
third-party/zuid/interfaces/MD5.cpp.

CVE-2018-7729

An issue was discovered in Exempi through 2.4.4. There is a stack-based buffer
over-read in the PostScript_MetaHandler::ParsePSFile() function in
XMPFiles/source/FileHandlers/PostScript_Handler.cpp.

CVE-2018-7730

An issue was discovered in Exempi through 2.4.4. A certain case of a 0xffffffff
length is mishandled in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp,
leading to a heap-based buffer over-read in the
PSD_MetaHandler::CacheFileData() function.

CVE-2018-7731

An issue was discovered in Exempi through 2.4.4.
XMPFiles/source/FormatSupport/WEBP_Support.cpp does not check whether a
bitstream has a NULL value, leading to a NULL pointer dereference in the
WEBP::VP8XChunk class.

CVE-2018-12648

The WEBP::GetLE32 function in XMPFiles/source/FormatSupport/WEBP_Support.hpp in
Exempi 2.4.5 has a NULL pointer dereference.

CVE-2021-36045

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds
read vulnerability that could lead to disclosure of arbitrary memory. An
attacker could leverage this vulnerability to bypass mitigations such as ASLR.
Exploitation of this issue requires user interaction in that a victim must open
a malicious file.

CVE-2021-36046 / CVE-2021-36052

XMP Toolkit version 2020.1 (and earlier) is affected by a memory corruption
vulnerability, potentially resulting in arbitrary code execution in the context
of the current user. User interaction is required to exploit this
vulnerability.

CVE-2021-36047 / CVE-2021-36048

XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Improper Input
Validation vulnerability potentially resulting in arbitrary code execution in
the context of the current user. Exploitation requires user interaction in that
a victim must open a crafted file.

CVE-2021-36050 / CVE-2021-36051

XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow
vulnerability potentially resulting in arbitrary code execution in the context
of the current user. Exploitation requires user interaction in that a victim
must open a crafted file.

CVE-2021-36053

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by an out-of-bounds
read vulnerability that could lead to disclosure of arbitrary memory. An
attacker could leverage this vulnerability to bypass mitigations such as ASLR.
Exploitation of this issue requires user interaction in that a victim must open
a malicious file.

CVE-2021-36054

XMP Toolkit SDK version 2020.1 (and earlier) is affected by a buffer overflow
vulnerability potentially resulting in local application denial of service in
the context of the current user. Exploitation requires user interaction in that
a victim must open a crafted file.

CVE-2021-36055 / CVE-2021-36056

XMP Toolkit SDK versions 2020.1 (and earlier) are affected by a use-after-free
vulnerability that could result in arbitrary code execution in the context of
the current user. Exploitation of this issue requires user interaction in that
a victim must open a malicious file.

CVE-2021-36057

XMP Toolkit SDK version 2020.1 (and earlier) is affected by a write-what-where
condition vulnerability caused during the application's memory allocation
process. This may cause the memory management functions to become mismatched
resulting in local application denial of service in the context of the current
user.

CVE-2021-36058

XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Integer Overflow
vulnerability potentially resulting in application-level denial of service in
the context of the current user. Exploitation requires user interaction in that
a victim must open a crafted file.

CVE-2021-36064

XMP Toolkit version 2020.1 (and earlier) is affected by a Buffer Underflow
vulnerability which could result in arbitrary code execution in the context of
the current user. Exploitation of this issue requires user interaction in that
a victim must open a malicious file.

CVE-2021-39847

XMP Toolkit SDK version 2020.1 (and earlier) is affected by a stack-based
buffer overflow vulnerability potentially resulting in arbitrary code execution
in the context of the current user. Exploitation requires user interaction in
that a victim must open a crafted file.

CVE-2021-40716

XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out-of-bounds
read vulnerability that could lead to disclosure of sensitive memory. An
attacker could leverage this vulnerability to bypass mitigations such as ASLR.
Exploitation of this issue requires user interaction in that a victim must open
a malicious file.

CVE-2021-40732

XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer
dereference vulnerability that could result in leaking data from certain memory
locations and causing a local denial of service in the context of the current
user. User interaction is required to exploit this vulnerability in that the
victim will need to open a specially crafted MXF file.

CVE-2021-42528

XMP Toolkit 2021.07 (and earlier) is affected by a Null pointer dereference
vulnerability when parsing a specially crafted file. An unauthenticated
attacker could leverage this vulnerability to achieve an application
denial-of-service in the context of the current user. Exploitation of this
issue requires user interaction in that a victim must open a malicious file.

CVE-2021-42529

XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based
buffer overflow vulnerability potentially resulting in arbitrary code execution
in the context of the current user. Exploitation requires user interaction in
that a victim must open a crafted file.

CVE-2021-42530

XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based
buffer overflow vulnerability potentially resulting in arbitrary code execution
in the context of the current user. Exploitation requires user interaction in
that a victim must open a crafted file.

CVE-2021-42531

XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based
buffer overflow vulnerability potentially resulting in arbitrary code execution
in the context of the current user. Exploitation requires user interaction in
that a victim must open a crafted file.

CVE-2021-42532

XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-based
buffer overflow vulnerability potentially resulting in arbitrary code execution
in the context of the current user. Exploitation requires user interaction in
that a victim must open a crafted file.

ELA-757-1 proftpd-dfsg security update

Sun, 25 Dec 2022 23:50:38 +0100

Package : proftpd-dfsg

Version : 1.3.5e+r1.3.5-2+deb8u8 (jessie), 1.3.5e+r1.3.5b-4+deb9u3 (stretch)

Related CVEs : CVE-2021-46854

It was discovered that mod_radius in ProFTPD, a versatile, virtual-hosting FTP daemon, allows memory disclosure to RADIUS servers.

ELA-756-1 libksba security update

Sat, 24 Dec 2022 16:37:48 +0100

Package : libksba

Version : 1.3.2-1+deb8u3 (jessie), 1.3.5-2+deb9u2 (stretch)

Related CVEs : CVE-2022-47629

An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

ELA-755-1 libde265 security update

Fri, 16 Dec 2022 15:46:57 +0100

Package : libde265

Version : 1.0.2-2+deb9u1 (stretch)

Multiple issues were found in libde265, an open source implementation of the h.265 video codec, which may result in denial of service, or have unspecified other impact.

CVE-2020-21599

libde265 v1.0.4 contains a heap buffer overflow in the
de265_image::available_zscan function, which can be exploited via a crafted
a file.

CVE-2021-35452

An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to
a SEGV in slice.cc.

CVE-2021-36409

There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at
sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to
cause a Denial of Service (DoS) by running the application with a crafted
file or possibly have unspecified other impact.

CVE-2021-36410

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in
function put_epel_hv_fallback when running program dec265.

CVE-2021-36411

An issue has been found in libde265 v1.0.8 due to incorrect access control.
A SEGV caused by a READ memory access in function derive_boundaryStrength of
deblock.cc has occurred. The vulnerability causes a segmentation fault and
application crash, which leads to remote denial of service.

ELA-754-1 erlang security update

Mon, 12 Dec 2022 15:17:19 +0100

Package : erlang

Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u2 (stretch)

Related CVEs : CVE-2022-37026

A Client Authentication Bypass vulnerability has been discovered in the concurrent, real-time, distributed functional language Erlang. Impacted are those who are running an ssl/tls/dtls server using the ssl application either directly or indirectly via other applications. Note that the vulnerability only affects servers that request client certification, that is sets the option {verify, verify_peer}.

The rabbitmq-server binary package is most affected by this vulnerability. In order to remedy the problem rabbitmq-server was upgraded to version 3.6.6+really3.8.9-0+deb9u1.

Please note that the versioning scheme +really{$upstream_version} indicates the real upstream version. This was done to allow seamless upgrades from Stretch to Buster.

ELA-753-1 krb5 security update

Thu, 08 Dec 2022 14:49:07 +0100

Package : krb5

Version : 1.12.1+dfsg-19+deb8u7 (jessie), 1.15-1+deb9u4 (stretch)

Related CVEs : CVE-2022-42898

It was discovered that there was a potential Denial of Service (DoS) attack against krb5, a suite of tools implementing the Kerberos authentication system. An integer overflow in PAC parsing could have been exploited if a cross-realm entity acted maliciously.

ELA-752-1 jqueryui security update

Wed, 07 Dec 2022 16:02:47 +0530

Package : jqueryui

Version : 1.12.1+dfsg-4+deb9u1 (stretch)

jQuery-UI, the official jQuery user interface library, is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery were reported to have the following vulnerabilities.

CVE-2021-41182

jQuery-UI was accepting the value of the `altField` option of the
Datepicker widget from untrusted sources may execute untrusted code.
This has been fixed and now any string value passed to the `altField`
option is now treated as a CSS selector.

CVE-2021-41183

jQuery-UI was accepting the value of various `*Text` options of the
Datepicker widget from untrusted sources may execute untrusted code.
This has been fixed and now the values passed to various `*Text`
options are now always treated as pure text, not HTML.

CVE-2021-41184

jQuery-UI was accepting the value of the `of` option of the
`.position()` util from untrusted sources may execute untrusted code.
This has been fixed and now any string value passed to the `of`
option is now treated as a CSS selector.

CVE-2022-31160

jQuery-UI was potentially vulnerable to cross-site scripting.
Initializing a checkboxradio widget on an input enclosed within a
label makes that parent label contents considered as the input label.
Calling `.checkboxradio( "refresh" )` on such a widget and the initial
HTML contained encoded HTML entities will make them erroneously get

ELA-751-1 giflib security update

Mon, 05 Dec 2022 13:36:18 +0100

Package : giflib

Version : 4.1.6-11+deb8u2 (jessie), 5.1.4-0.4+deb9u1 (stretch)

This update fixes two file format vulnerabilities in giflib and one in the gif2rgb utility.

CVE-2016-3977

Heap-based buffer overflow in util/gif2rgb.c in gif2rgb allows
remote attackers to cause a denial of service (application crash)
via the background color index in a GIF file

CVE-2018-11490

The DGifDecompressLine function in dgif_lib.c, as later shipped in
cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a
certain "Private->RunningCode - 2" array index is not checked.  This
will lead to a denial of service or possibly unspecified other
impact.

CVE-2019-15133

A malformed GIF file triggers a divide-by-zero exception in the
decoder function DGifSlurp in dgif_lib.c if the height field of the
ImageSize data structure is equal to zero.

ELA-750-1 clamav security update

Mon, 05 Dec 2022 17:08:16 +0530

Package : clamav

Version : 0.103.7+dfsg-0+deb8u1 (jessie), 0.103.7+dfsg-0+deb9u1 (stretch)

ClamAV, an anti-virus utility for Unix, v0.103.7 is a critical patch release with the following fixes:

Fix logical signature “Intermediates” feature.
Relax constraints on slightly malformed zip archives that contain overlapping file entries.

ELA-749-1 vlc security update

Sat, 03 Dec 2022 04:52:16 +0530

Package : vlc

Version : 3.0.17.4-0+deb9u2 (stretch)

Related CVEs : CVE-2022-41325

Mitsurugi Heishiro found out that in VLC, multimedia player and streamer, a potential buffer overflow in the vnc module could trigger remote code execution if a malicious vnc URL is deliberately played.

ELA-748-1 libraw security update

Thu, 01 Dec 2022 18:03:52 +0100

Package : libraw

Version : 0.16.0-9+deb8u6 (jessie)

Related CVEs : CVE-2020-15503

This update adds thumbnail size checks to avoid out of bounds memory accesses.

CVE-2020-15503

LibRaw lacks a thumbnail size range check. This affects
decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and
utils/thumb_utils.cpp. For example,
malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without
validating T.tlength.

ELA-747-1 libraw security update

Thu, 01 Dec 2022 18:02:07 +0100

Package : libraw

Version : 0.17.2-6+deb9u4 (stretch)

Related CVEs : CVE-2017-16909 CVE-2020-15503

This update fixes two more memory access violations. CVE-2017-16909 was reported as fixed via DLA-2903-1 earlier, but that update really fixed CVE-2017-16910.

CVE-2017-16909

An error related to the "LibRaw::panasonic_load_raw()" function
(dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted
TIFF image.

CVE-2020-15503

LibRaw lacks a thumbnail size range check. This affects
decoders/unpack_thumb.cpp, postprocessing/mem_image.cpp, and
utils/thumb_utils.cpp. For example,
malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without
validating T.tlength.

ELA-746-1 inetutils security update

Wed, 30 Nov 2022 23:33:34 +0100

Package : inetutils

Version : 2:1.9.4-2+deb9u2 (stretch)

Related CVEs : CVE-2021-40491 CVE-2022-39028

Several security vulnerabilities were discovered in inetutils, a collection of common network programs.

CVE-2021-40491

inetutils' ftp client before 2.2 does not validate addresses
returned by PSV/LSPV responses to make sure they match the server
address.  A malicious server can exploit this flaw to reach services
in the client's private network.  (This is similar to curl's
CVE-2020-8284.)

CVE-2022-39028

inetutils's telnet server through 2.3 has a NULL pointer dereference
which a client can trigger by sending 0xff 0xf7 or 0xff 0xf8.  In a
typical installation, the telnetd application would crash but the
telnet service would remain available through inetd.  However, if the
telnetd application has many crashes within a short time interval,
the telnet service would become unavailable after inetd logs a
"telnet/tcp server failing (looping), service terminated" error.

ELA-745-1 snapd security update

Wed, 30 Nov 2022 23:29:26 +0100

Package : snapd

Version : 2.21-2+deb9u2 (stretch)

Related CVEs : CVE-2021-44730 CVE-2021-44731

Multiple vulnerabilties were discovered in snapd, a daemon and tooling that enable Snap packages, which could result in bypass of access restrictions or privilege escalation.

ELA-743-1 squid3 security update

Tue, 29 Nov 2022 15:06:12 +0530

Package : squid3

Version : 3.5.23-5+deb8u6 (jessie), 3.5.23-5+deb9u9 (stretch)

Related CVEs : CVE-2022-41317 CVE-2022-41318

This update fixes two vulnerabilities in squid3

CVE-2022-41317

Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about clients
using the proxy.

CVE-2022-41318

Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.

ELA-744-1 libraw security update

Tue, 29 Nov 2022 10:18:39 +0100

Package : libraw

Version : 0.16.0-9+deb8u5 (jessie)

This update fixes multiple memory access violations.

CVE-2017-13735

There is a floating point exception in the kodak_radc_load_raw
function in dcraw_common.cpp. It will lead to a remote denial of
service attack.

CVE-2017-14265

A Stack-based Buffer Overflow was discovered in xtrans_interpolate in
internal/dcraw_common.cpp. It could allow a remote denial of service
or code execution attack.

CVE-2017-14608

An out of bounds read flaw related to kodak_65000_load_raw has been
reported in dcraw/dcraw.c and internal/dcraw_common.cpp. An attacker
could possibly exploit this flaw to disclose potentially sensitive
memory or cause an application crash.

CVE-2017-16909

An error related to the "LibRaw::panasonic_load_raw()" function
(dcraw_common.cpp) can be exploited to cause a heap-based buffer
overflow and subsequently cause a crash via a specially crafted TIFF
image.

CVE-2017-16910

An error within the "LibRaw::xtrans_interpolate()" function
(internal/dcraw_common.cpp) can be exploited to cause an invalid read
memory access and subsequently a Denial of Service condition.

CVE-2018-10528

There is a stack-based buffer overflow in the utf2char function in
libraw_cxx.cpp.

CVE-2018-10529

There is an out-of-bounds read affecting the X3F property table list
implementation in libraw_x3f.cpp and libraw_cxx.cpp.

CVE-2018-5804

A type confusion error within the "identify()" function
(internal/dcraw_common.cpp) can be exploited to trigger a division by
zero.

CVE-2018-5805

A boundary error within the "quicktake_100_load_raw()" function
(internal/dcraw_common.cpp) can be exploited to cause a stack-based
buffer overflow and subsequently cause a crash.

CVE-2018-5806

An error within the "leaf_hdr_load_raw()" function
(internal/dcraw_common.cpp) can be exploited to trigger a NULL pointer
dereference.

CVE-2018-5813

An error within the "parse_minolta()" function (dcraw/dcraw.c) can be
exploited to trigger an infinite loop via a specially crafted file.

CVE-2020-35530

There is an out-of-bounds write vulnerability within the "new_node()"
function (libraw\src\x3f\x3f_utils_patched.cpp) that can be triggered
via a crafted X3F file.

CVE-2020-35531

An out-of-bounds read vulnerability exists within the get_huffman_diff()
function (libraw\src\x3f\x3f_utils_patched.cpp) when reading data from
an image file.

CVE-2020-35532

An out-of-bounds read vulnerability exists within the
"simple_decode_row()" function (libraw\src\x3f\x3f_utils_patched.cpp)
which can be triggered via an image with a large row_stride field.

CVE-2020-35533

An out-of-bounds read vulnerability exists within the
"LibRaw::adobe_copy_pixel()" function (libraw\src\decoders\dng.cpp)
when reading data from the image file.

ELA-737-2 postgresql-9.6 security update

Sun, 27 Nov 2022 08:27:49 -0500

Package : postgresql-9.6

Version : 9.6.24-0+deb9u3 (stretch)

The postgresql-9.6 packages announced in ELA-737-1 failed to build as a result of a configuration setting in the build environment. The packages announced in this follow-up update have been modified so that they will build properly. The CVEs referenced in ELA-737-1 remain properly patched in this release and this release contains no changes outside of those necessary to address the build failure.

ELA-742-1 dhcpcd5 security update

Fri, 25 Nov 2022 23:16:54 +0100

Package : dhcpcd5

Version : 6.10.1-1+deb9u1 (stretch)

Related CVEs : CVE-2019-11578 CVE-2019-11579

Several security vulnerabilities have been discovered in dhcpcd5, a DHCPv4 and DHCPv6 dual-stack client.

CVE-2019-11579:

dhcp.c in dhcpcd contains a 1-byte read overflow with DHO_OPTSOVERLOADED.

CVE-2019-11578:

auth.c in dhcpcd allowed attackers to infer secrets by performing latency attacks.

ELA-740-1 vim security update

Fri, 25 Nov 2022 08:00:52 +0100

Package : vim

Version : 2:8.0.0197-4+deb9u9 (stretch)

This update fixes multiple memory access violations in vim.

CVE-2022-1897

Out-of-bounds Write

CVE-2022-1942

Heap-based Buffer Overflow

CVE-2022-2000

Out-of-bounds Write

CVE-2022-2129

Out-of-bounds Write

CVE-2022-3235

Use After Free

CVE-2022-3256

Use After Free

CVE-2022-3352

Use After Free

ELA-741-1 vim security update

Fri, 25 Nov 2022 08:00:34 +0100

Package : vim

Version : 2:7.4.488-7+deb8u9 (jessie)

This update fixes multiple memory access violations in vim.

CVE-2022-1785

Out-of-bounds Write

CVE-2022-1897

Out-of-bounds Write

CVE-2022-1942

Heap-based Buffer Overflow

CVE-2022-2000

Out-of-bounds Write

CVE-2022-2129

Out-of-bounds Write

CVE-2022-3235

Use After Free

CVE-2022-3256

Use After Free

ELA-739-1 nginx security update

Wed, 23 Nov 2022 22:54:35 +0100

Package : nginx

Version : 1.6.2-5+deb8u10 (jessie), 1.10.3-1+deb9u8 (stretch)

It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file.

This module is only enabled in the nginx-extras binary package.

In addition the following vulnerability has been fixed.

CVE-2021-3618

ALPACA is an application layer protocol content confusion attack,
exploiting TLS servers implementing different protocols but using
compatible certificates, such as multi-domain or wildcard certificates.
A MiTM attacker having access to victim's traffic at the TCP/IP layer can
redirect traffic from one subdomain to another, resulting in a valid TLS
session. This breaks the authentication of TLS and cross-protocol attacks
may be possible where the behavior of one protocol service may compromise

ELA-738-1 postgresql-9.4 security update

Wed, 23 Nov 2022 15:38:53 -0500

Package : postgresql-9.4

Version : 9.4.26-0+deb8u6

Related CVEs : CVE-2022-2625 CVE-2022-1552

CVE-2022-2625

Sven Klemm found that some extensions in the PostgreSQL database system could replace objects not belonging to the extension. An attacker could leverage this to run arbitrary commands as another user.
CVE-2022-1552

Alexander Lakhin discovered that the autovacuum feature and multiple commands could escape the “security-restricted operation” sandbox.

ELA-737-1 postgresql-9.6 security update

Wed, 23 Nov 2022 15:38:41 -0500

Package : postgresql-9.6

Version : 9.6.24-0+deb9u2 (stretch)

Related CVEs : CVE-2022-2625 CVE-2022-1552

CVE-2022-2625

Sven Klemm found that some extensions in the PostgreSQL database system could replace objects not belonging to the extension. An attacker could leverage this to run arbitrary commands as another user.
CVE-2022-1552

Alexander Lakhin discovered that the autovacuum feature and multiple commands could escape the “security-restricted operation” sandbox.

ELA-736-1 ntfs-3g security update

Tue, 22 Nov 2022 00:16:02 +0100

Package : ntfs-3g

Version : 1:2014.2.15AR.2-1+deb8u7 (jessie), 1:2016.2.22AR.1+dfsg-1+deb9u4 (stretch)

Related CVEs : CVE-2022-40284

Yuchen Zeng and Eduardo Vela discovered a buffer overflow in NTFS-3G, a read-write NTFS driver for FUSE, due to incorrect validation of some of the NTFS metadata. A local user can take advantage of this flaw for local root privilege escalation.

ELA-735-1 tomcat7 security update

Sun, 20 Nov 2022 23:59:57 +0100

Package : tomcat7

Version : 7.0.56-3+really7.0.109-1+deb8u1 (jessie)

Related CVEs : CVE-2021-30640 CVE-2022-42252

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2022-42252

If Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

CVE-2021-30640

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm. This update fixes a
regression due to the fix for CVE-2021-30640.

ELA-734-1 tomcat8 security update

Sun, 20 Nov 2022 23:35:26 +0100

Package : tomcat8

Version : 8.0.14-1+deb8u23 (jessie), 8.5.54-0+deb9u9 (stretch)

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The version of Tomcat 8 in Jessie was only affected by CVE-2022-23181.

CVE-2022-42252

If Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

CVE-2022-23181

The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability into Apache Tomcat that allowed a local attacker to perform
actions with the privileges of the user that the Tomcat process is using.
This issue is only exploitable when Tomcat is configured to persist
sessions using the FileStore.

CVE-2022-29885

The documentation of Apache Tomcat for the EncryptInterceptor incorrectly
stated it enabled Tomcat clustering to run over an untrusted network. This
was not correct. While the EncryptInterceptor does provide confidentiality
and integrity protection, it does not protect against all risks associated
with running over any untrusted network, particularly DoS risks.

ELA-733-1 vim security update

Mon, 14 Nov 2022 13:44:05 +0100

Package : vim

Version : 2:7.4.488-7+deb8u8 (jessie), 2:8.0.0197-4+deb9u8 (stretch)

Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows, out-of-bounds reads and use-after-free may lead to a denial-of-service (application crash) or other unspecified impact.

ELA-732-1 jackson-databind security update

Sun, 13 Nov 2022 23:27:14 +0100

Package : jackson-databind

Version : 2.8.6-1+deb9u11 (stretch)

Related CVEs : CVE-2022-42003 CVE-2022-42004

Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java. A denial of service (resource exhaustion) could occur because of a missing check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

ELA-731-1 sysstat security update

Mon, 14 Nov 2022 03:30:06 +0530

Package : sysstat

Version : 11.0.1-1+deb8u1 (jessie), 11.4.3-2+deb9u1 (stretch)

Related CVEs : CVE-2022-39377

On 32 bit systems, allocate_structures contains a size_t overflow in sa_common.c. The allocate_structures function insufficiently checks bounds before arithmetic multiplication, allowing for an overflow in the size allocated for the buffer representing system activities. This issue may lead to Remote Code Execution (RCE).

ELA-730-1 xorg-server security update

Fri, 11 Nov 2022 13:44:15 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u8 (jessie), 2:1.19.2-1+deb9u11 (stretch)

Related CVEs : CVE-2022-3550 CVE-2022-3551

Two vulnerabilities were found in the Xkb extension of the X.org X server, which could result in denial of service or possibly privilege escalation if the X server is running privileged.

ELA-729-1 libjettison-java security update

Fri, 11 Nov 2022 13:42:09 +0100

Package : libjettison-java

Version : 1.4.0-1+deb9u1 (stretch)

Related CVEs : CVE-2022-40149

It was discovered that libjettison-java, a collection of StAX parsers and writers for JSON, was vulnerable to a denial-of-service attack, if the attacker provided untrusted XML or JSON data.

ELA-728-1 sudo security update

Wed, 09 Nov 2022 08:26:57 +0000

Package : sudo

Version : 1.8.19p1-2.1+deb9u4 (stretch)

Related CVEs : CVE-2021-23239

It was discovered that there was a information disclosure vulnerability in sudo, a tool used to provide limited superuser privileges to specific users.

A local unprivileged user may have been able to perform arbitrary directory-existence tests by exploiting a race condition in sudoedit.

ELA-727-1 ffmpeg security update

Wed, 09 Nov 2022 09:23:27 +0100

Package : ffmpeg

Version : 7:3.2.19-0+deb9u1 (stretch)

Related CVEs : CVE-2020-21697

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

ELA-726-1 pixman security update

Tue, 08 Nov 2022 10:44:51 +0100

Package : pixman

Version : 0.32.6-3+deb8u2 (jessie), 0.34.0-1+deb9u1 (stretch)

Related CVEs : CVE-2022-44638

Maddie Stone found that pixman, a pixel manipulation and processing library, was vulnerable to a heap buffer overwrite, which could lead to a denial of service or potentially other unspecified impact.

ELA-724-1 glibc security update

Mon, 07 Nov 2022 12:32:37 +0100

Package : glibc

Version : 2.24-11+deb9u5 (stretch)

This update fixes a significant number of minor to important vulnerabilities in glibc.

CVE-2016-10228

The iconv program in the GNU C Library, when invoked with multiple suffixes
in the destination encoding (TRANSLATE or IGNORE) along with the -c option,
enters an infinite loop when processing invalid multi-byte input sequences,
leading to a denial of service.

CVE-2017-12132

The DNS stub resolver in the GNU C Library, when EDNS support is enabled,
will solicit large UDP responses from name servers, potentially simplifying
off-path DNS spoofing attacks due to IP fragmentation.

CVE-2018-6485

An integer overflow in the implementation of the posix_memalign in memalign
functions in the GNU C Library could cause these functions to return a
pointer to a heap area that is too small, potentially leading to heap
corruption.

CVE-2018-6551

The malloc implementation in the GNU C Library on powerpc and i386
did not properly handle malloc calls with arguments close to SIZE_MAX
and could return a pointer to a heap region that is smaller than
requested, eventually leading to heap corruption.

CVE-2018-1000001

In glibc is confusion in the usage of getcwd() by realpath() which can be
used to write before the destination buffer leading to a buffer underflow
and potential code execution.

CVE-2019-19126

On the x86-64 architecture, the GNU C Library fails to ignore the
LD_PREFER_MAP_32BIT_EXEC environment variable during program execution
after a security transition, allowing local attackers to restrict the
possible mapping addresses for loaded libraries and thus bypass ASLR for
a setuid program.

CVE-2019-25013

The iconv feature in the GNU C Library, when processing invalid multi-byte
input sequences in the EUC-KR encoding, may have a buffer over-read.

CVE-2019-9169

In the GNU C Library, proceed_next_node in posix/regexec.c has a heap-based
buffer over-read via an attempted case-insensitive regular-expression match.

CVE-2020-1752

A use-after-free vulnerability in glibc was found in the way the tilde
expansion was carried out.  Directory paths containing an initial tilde
followed by a valid username were affected by this issue. A local attacker
could exploit this flaw by creating a specially crafted path that, when
processed by the glob function, would potentially lead to arbitrary code
execution.

CVE-2020-10029

The GNU C Library could overflow an on-stack buffer during range
reduction if an input to an 80-bit long double function contains a
non-canonical bit pattern, a seen when passing a
0x5d414141414141410000 value to sinl on x86 targets. This is related
to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-27618

The iconv function in the GNU C Library, when processing invalid
multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
and IBM1399 encodings, fails to advance the input state, which could
lead to an infinite loop in applications, resulting in a denial of
service, a different vulnerability from CVE-2016-10228.

CVE-2021-3326

The iconv function in the GNU C Library, when processing invalid
input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
the code path and aborts the program, potentially resulting in a
denial of service.

CVE-2021-3999

A flaw was found in glibc. An off-by-one buffer overflow and underflow
in getcwd() may lead to memory corruption when the size of the buffer
is exactly 1. A local attacker who can control the input buffer and
size passed to getcwd() in a setuid program could use this flaw to
potentially execute arbitrary code and escalate their privileges on
the system.

CVE-2021-33574

The mq_notify function in the GNU C Library has a use-after-free. It
may use the notification thread attributes object (passed through
its struct sigevent parameter) after it has been freed by the
caller, leading to a denial of service (application crash) or
possibly unspecified other impact.

CVE-2021-35942

The wordexp function in the GNU C Library may crash or read
arbitrary memory in parse_param (in posix/wordexp.c) when called
with an untrusted, crafted pattern, potentially resulting in a
denial of service or disclosure of information. This occurs because
atoi was used but strtoul should have been used to ensure correct
calculations.

CVE-2022-23218

The deprecated compatibility function svcunix_create in the sunrpc
module of the GNU C Library copies its path argument on the stack
without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an
application is not built with a stack protector enabled) arbitrary
code execution.

CVE-2022-23219

The deprecated compatibility function clnt_create in the sunrpc
module of the GNU C Library copies its hostname argument on the
stack without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an
application is not built with a stack protector enabled) arbitrary
code execution.

ELA-725-1 glibc security update

Mon, 07 Nov 2022 12:32:37 +0100

Package : glibc

Version : 2.19-18+deb8u11 (jessie)

This update fixes a significant number of minor to important vulnerabilities in glibc.

CVE-2017-12132

The DNS stub resolver in the GNU C Library, when EDNS support is
enabled, will solicit large UDP responses from name servers,
potentially simplifying off-path DNS spoofing attacks due to IP
fragmentation.

CVE-2017-12133

Use-after-free vulnerability in the clntudp_call function in
sunrpc/clnt_udp.c in the GNU C Library allows remote attackers to
have unspecified impact via vectors related to error path.

CVE-2017-15670

The GNU C Library contains an off-by- one error leading to a
heap-based buffer overflow in the glob function in glob.c, related
to the processing of home directories using the ~ operator followed
by a long string.

CVE-2017-15671

The glob function in glob.c in the GNU C Library, when invoked with
GLOB_TILDE, could skip freeing allocated memory when processing the
~ operator with a long user name, potentially leading to a denial of
service (memory leak).

CVE-2017-15804

The glob function in glob.c in the GNU C Library contains a buffer
overflow during unescaping of user names with the ~ operator.

CVE-2017-16997

elf/dl-load.c in the GNU C Library mishandles RPATH and RUNPATH
containing $ORIGIN for a privileged (setuid or AT_SECURE) program,
which allows local users to gain privileges via a Trojan horse
library in the current working directory, related to the
fillin_rpath and decompose_rpath functions.  This is associated with
misinterpretion of an empty RPATH/RUNPATH token as the "./"
directory. NOTE: this configuration of RPATH/RUNPATH for a
privileged program is apparently very uncommon; most likely, no such
program is shipped with any common Linux distribution.

CVE-2017-1000408

A memory leak in glibc can be reached and amplified through the
LD_HWCAP_MASK environment variable. Please note that many versions
of glibc are not vulnerable to this issue if patched for
CVE-2017-1000366.

CVE-2017-1000409

A buffer overflow in glibc can be triggered through the
LD_LIBRARY_PATH environment variable.

CVE-2018-6485

An integer overflow in the implementation of the posix_memalign in
memalign functions in the GNU C Library could cause these functions
to return a pointer to a heap area that is too small, potentially
leading to heap corruption.

CVE-2018-6551

The malloc implementation in the GNU C Library on powerpc and i386
did not properly handle malloc calls with arguments close to
SIZE_MAX and could return a pointer to a heap region that is smaller
than requested, eventually leading to heap corruption.

CVE-2018-11236

stdlib/canonicalize.c in the GNU C Library when processing very long
pathname arguments to the realpath function, could encounter an
integer overflow on 32-bit architectures, leading to a stack-based
buffer overflow and, potentially, arbitrary code execution.

CVE-2018-1000001

In glibc there is confusion in the usage of getcwd() by realpath()
which can be used to write before the destination buffer leading to
a buffer underflow and potential code execution.

CVE-2019-9169

In the GNU C Library, proceed_next_node in posix/regexec.c has a
heap-based buffer over-read via an attempted case-insensitive
regular-expression match.

CVE-2019-25013

The iconv feature in the GNU C Library, when processing invalid
multi-byte input sequences in the EUC-KR encoding, may have a buffer
over-read.

CVE-2020-1752

A use-after-free vulnerability introduced in glibc was found in the
way the tilde expansion was carried out.  Directory paths containing
an initial tilde followed by a valid username were affected by this
issue. A local attacker could exploit this flaw by creating a
specially crafted path that, when processed by the glob function,
would potentially lead to arbitrary code execution.

CVE-2020-10029

The GNU C Library could overflow an on-stack buffer during range
reduction if an input to an 80-bit long double function contains a
non-canonical bit pattern, a seen when passing a
0x5d414141414141410000 value to sinl on x86 targets. This is related
to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

CVE-2020-27618

The iconv function in the GNU C Library, when processing invalid
multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390,
and IBM1399 encodings, fails to advance the input state, which could
lead to an infinite loop in applications, resulting in a denial of
service, a different vulnerability from CVE-2016-10228.

CVE-2020-29573

sysdeps/i386/ldbl2mpn.c in the GNU C Library on x86 targets has a
stack-based buffer overflow if the input to any of the printf family
of functions is an 80-bit long double with a non-canonical bit
pattern, as seen when passing a
\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf.

CVE-2021-3326

The iconv function in the GNU C Library, when processing invalid
input sequences in the ISO-2022-JP-3 encoding, fails an assertion in
the code path and aborts the program, potentially resulting in a
denial of service.

CVE-2021-3999

A flaw was found in glibc. An off-by-one buffer overflow and underflow
in getcwd() may lead to memory corruption when the size of the buffer
is exactly 1. A local attacker who can control the input buffer and
size passed to getcwd() in a setuid program could use this flaw to
potentially execute arbitrary code and escalate their privileges on
the system.

CVE-2021-33574

The mq_notify function in the GNU C Library has a use-after-free. It
may use the notification thread attributes object (passed through
its struct sigevent parameter) after it has been freed by the
caller, leading to a denial of service (application crash) or
possibly unspecified other impact.

CVE-2021-35942

The wordexp function in the GNU C Library may crash or read
arbitrary memory in parse_param (in posix/wordexp.c) when called
with an untrusted, crafted pattern, potentially resulting in a
denial of service or disclosure of information. This occurs because
atoi was used but strtoul should have been used to ensure correct
calculations.

CVE-2022-23218

The deprecated compatibility function svcunix_create in the sunrpc
module of the GNU C Library copies its path argument on the stack
without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an
application is not built with a stack protector enabled) arbitrary
code execution.

CVE-2022-23219

The deprecated compatibility function clnt_create in the sunrpc
module of the GNU C Library copies its hostname argument on the
stack without validating its length, which may result in a buffer
overflow, potentially resulting in a denial of service or (if an
application is not built with a stack protector enabled) arbitrary
code execution.

ELA-723-1 linux-5.10 security update

Fri, 04 Nov 2022 12:27:36 +0100

Package : linux-5.10

Version : 5.10.149-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-4037

Christian Brauner reported that the inode_init_owner function for
the XFS filesystem in the Linux kernel allows local users to
create files with an unintended group ownership allowing attackers
to escalate privileges by making a plain file executable and SGID.

CVE-2022-0171

Mingwei Zhang reported that a cache incoherence issue in the SEV
API in the KVM subsystem may result in denial of service.

CVE-2022-1184

A flaw was discovered in the ext4 filesystem driver which can lead
to a use-after-free. A local user permitted to mount arbitrary
filesystems could exploit this to cause a denial of service (crash
or memory corruption) or possibly for privilege escalation.

CVE-2022-1679

The syzbot tool found a race condition in the ath9k_htc driver
which can lead to a use-after-free.  This might be exploitable to
cause a denial service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2022-2153

"kangel" reported a flaw in the KVM implementation for x86
processors which could lead to a null pointer dereference. A local
user permitted to access /dev/kvm could exploit this to cause a
denial of service (crash).

CVE-2022-2602

A race between handling an io_uring request and the Unix socket
garbage collector was discovered. An attacker can take advantage
of this flaw for local privilege escalation.

CVE-2022-2663

David Leadbeater reported flaws in the nf_conntrack_irc
connection-tracking protocol module. When this module is enabled
on a firewall, an external user on the same IRC network as an
internal user could exploit its lax parsing to open arbitrary TCP
ports in the firewall, to reveal their public IP address, or to
block their IRC connection at the firewall.

CVE-2022-2905

Hsin-Wei Hung reported a flaw in the eBPF verifier which can lead
to an out-of-bounds read.  If unprivileged use of eBPF is enabled,
this could leak sensitive information.  This was already disabled
by default, which would fully mitigate the vulnerability.

CVE-2022-3028

Abhishek Shah reported a race condition in the AF_KEY subsystem,
which could lead to an out-of-bounds write or read.  A local user
could exploit this to cause a denial of service (crash or memory
corruption), to obtain sensitive information, or possibly for
privilege escalation.

CVE-2022-3061

A flaw was discovered in the i740 driver which may result in
denial of service.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-3176

A use-after-free flaw was discovered in the io_uring subsystem
which may result in local privilege escalation to root.

CVE-2022-3303

A race condition in the snd_pcm_oss_sync function in the sound
subsystem in the Linux kernel due to improper locking may result
in denial of service.

CVE-2022-3586 (ZDI-22-1452)

The Zero Day Initiative reported a flaw in the sch_sfb network
scheduler, which may lead to a use-after-free and leak of
sensitive information from the kernel.

CVE-2022-3621, CVE-2022-3646

The syzbot tool found flaws in the nilfs2 filesystem driver which
can lead to a null pointer dereference or memory leak.  A user
permitted to mount arbitrary filesystem images could use these to
cause a denial of service (crash or resource exhaustion).

CVE-2022-3625

A flaw was discovered in the devlink subsystem which can lead to
a use-after-free.  The security impact of this is unclear.

CVE-2022-3629

The syzbot tool found a memory leak in the Virtual Socket Protocol
implementation.  A local user could exploit this to cause a denial
of service (resource exhaustion).

CVE-2022-3633

The Linux Verification Center found a memory leak in the SAE J1939
protocol implementation.  A local user could exploit this to cause
a denial of service (resource exhaustion).

CVE-2022-3635

Several race conditions were discovered in the idt77252 ATM
driver, which can lead to a use-after-free if the module is
removed.  The security impact of this is unclear.

CVE-2022-3649

The syzbot tool found flaws in the nilfs2 filesystem driver which
can lead to a use-after-free.  A user permitted to mount arbitrary
filesystem images could use these to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2022-20421

A use-after-free vulnerability was discovered in the
binder_inc_ref_for_node function in the Android binder driver. On
systems where the binder driver is loaded, a local user could
exploit this for privilege escalation.

CVE-2022-20422

A race condition was discovered in the instruction emulator for
64-bit Arm systems.  Concurrent changes to the sysctls that
control the emulator could result in a null pointer dereference.
The security impact of this is unclear.

CVE-2022-39188

Jann Horn reported a race condition in the kernel's handling of
unmapping of certain memory ranges. When a driver created a memory
mapping with the VM_PFNMAP flag, which many GPU drivers do, the
memory mapping could be removed and freed before it was flushed
from the CPU TLBs. This could result in a page use-after-free. A
local user with access to such a device could exploit this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2022-39190

Gwangun Jung reported a flaw in the nf_tables subsystem.  A local
user could exploit this to cause a denial of service (crash).

CVE-2022-39842

An integer overflow was discovered in the pxa3xx-gcu video driver
which could lead to a heap out-of-bounds write.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-40307

A race condition was discovered in the EFI capsule-loader driver,
which could lead to use-after-free. A local user permitted to
access this device (/dev/efi_capsule_loader) could exploit this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation. However, this device is normally only
accessible by the root user.

CVE-2022-41222

A race condition was discovered in the memory management subsystem
that can lead to stale TLB entries.  A local user could exploit
this to cause a denial of service (memory corruption or crash),
information leak, or privilege escalation.

CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722

Soenke Huster discovered several vulnerabilities in the mac80211
subsystem triggered by WLAN frames which may result in denial of
service or the execution of arbitrary code.

CVE-2022-43750

The syzbot tool found that the USB monitor (usbmon) driver allowed
user-space programs to overwrite the driver's data structures.  A
local user permitted to access a USB monitor device could exploit
this to cause a denial of service (memory corruption or crash) or
possibly for privilege escalation.  However, by default only the
root user can access such devices.

This update also fixes a regression for some older 32-bit PCs (bug #1017425), and enables the i10nm_edac driver (bug #1019248). It additionally includes many more bug fixes from stable updates 5.10.137-5.10.149 inclusive.

ELA-722-1 distro-info-data database update

Mon, 31 Oct 2022 11:52:04 +0200

Package : distro-info-data

Version : 0.36~bpo8+2 (jessie), 0.41+deb10u2~bpo9+2 (stretch)

This is a routine update of the distro-info-data database for Debian ELTS users.

It includes a correction to some historical data, and adds newer Debian and Ubuntu releases up to the current date.

ELA-721-1 libxml2 security update

Sun, 30 Oct 2022 16:59:12 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u14 (jessie), 2.9.4+dfsg1-2.2+deb9u9 (stretch)

Related CVEs : CVE-2022-40303 CVE-2022-40304

It was discovered that libxml2, the GNOME XML library, was vulnerable to integer overflows and memory corruption.

CVE-2022-40303

 Parsing a XML document with the XML_PARSE_HUGE option enabled can result
 in an integer overflow because safety checks were missing in some
 functions. Also, the xmlParseEntityValue function did not have any length
 limitation.

CVE-2022-40304

 When a reference cycle is detected in the XML entity cleanup function the
 XML entity data can be stored in a dictionary. In this case, the
 dictionary becomes corrupted resulting in logic errors, including memory
 errors like double free.

ELA-720-1 bluez security update

Sun, 30 Oct 2022 13:00:58 +0100

Package : bluez

Version : 5.43-2+deb9u2~deb8u5 (jessie), 5.43-2+deb9u6 (stretch)

Several vulnerabilities have been found in BlueZ, the Linux Bluetooth protocol stack.

CVE-2022-0204

A heap overflow vulnerability was found in bluez. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service.

CVE-2022-39176

BlueZ allows physically proximate attackers to obtain sensitive information because profiles/audio/avrcp.c does not validate params_len.

CVE-2022-39177

BlueZ allows physically proximate attackers to cause a denial of service because malformed and invalid capabilities can be processed in profiles/audio/avdtp.c.

ELA-719-1 graphicsmagick security update

Sun, 30 Oct 2022 02:07:46 +0200

Package : graphicsmagick

Version : 1.3.20-3+deb8u13 (jessie), 1.3.30+hg15796-1~deb9u6 (stretch)

Related CVEs : CVE-2022-1270

An issue has been found in graphicsmagick, a collection of image processing tools. Due to missing checks, a crafted MIFF file could result in a heap buffer overflow when parsing it.

ELA-717-1 freerdp security update

Sat, 29 Oct 2022 15:34:37 +0200

Package : freerdp

Version : 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u5 (stretch)

Several memory access vulnerabilities have been discovered in FreeRDP, a free implementation of Microsoft’s Remote Desktop Protocol. These vulnerabilities could lead to both Denial of Service and access to privileged memory, like password hashes.

ELA-718-1 batik security update

Sat, 29 Oct 2022 01:56:35 +0200

Package : batik

Version : 1.7+dfsg-5+deb8u3 (jessie), 1.8-4+deb9u3 (stretch)

Related CVEs : CVE-2022-41704 CVE-2022-42890

It was discovered that Apache Batik, an SVG library for Java, allowed attackers to run arbitrary Java code when processing a malicious SVG file.

ELA-716-1 djangorestframework security update

Fri, 28 Oct 2022 09:17:21 +0530

Package : djangorestframework

Version : 3.4.0-2+deb9u1 (stretch)

Related CVEs : CVE-2018-25045 CVE-2020-25626

Two cross-site scripting vulnerabilities were discovered in the Django Rest Framework, a toolkit to build web APIs.

ELA-715-1 expat security update

Fri, 28 Oct 2022 07:17:05 +0530

Package : expat

Version : 2.1.0-6+deb8u10 (jessie), 2.2.0-2+deb9u7 (stretch)

Related CVEs : CVE-2022-43680

In src:expat, an XML parsing C library, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

ELA-714-1 menu-cache security update

Fri, 28 Oct 2022 00:24:51 +0200

Package : menu-cache

Version : 1.0.0-1+deb8u1 (jessie)

Related CVEs : CVE-2017-8933

It was discovered that menu-cache, the LXDE implementation of freedesktop’s menu cache, insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (menu unavailability).

ELA-713-1 libdatetime-timezone-perl new timezone database

Wed, 26 Oct 2022 19:50:05 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2022e (jessie), 1:2.09-1+2022e (stretch)

This update includes the changes in tzdata 2022e for the Perl bindings.

ELA-712-1 tzdata new timezone database

Wed, 26 Oct 2022 19:46:10 +0200

Package : tzdata

Version : 2021a-0+deb8u7 (jessie), 2021a-0+deb9u7 (stretch)

This update includes the changes in tzdata 2022e. Notable changes are:

Syria and Jordan are abandoning the DST regime and are changing to permanent +03, so they will not fall back from +03 to +02 on 2022-10-28.

In addition, the jessie version is building tzdata-java again, to make OpenJDK 7 installable again. Note that that version is unsupported security-wise though.

ELA-711-1 openjdk-8 security update

Wed, 26 Oct 2022 19:38:12 +0200

Package : openjdk-8

Version : 8u352-ga-1~deb8u1 (jessie), 8u352-ga-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure or denial of service.

ELA-710-1 pjproject security update

Wed, 26 Oct 2022 15:11:59 +0200

Package : pjproject

Version : 2.5.5~dfsg-6+deb9u7 (stretch)

Related CVEs : CVE-2022-39244

PJSIP is a free and open source multimedia communication library written in C. The PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected by a buffer overflow vulnerability. Users connecting to untrusted clients are at risk.

ELA-709-1 libbluray bugfix update

Tue, 25 Oct 2022 09:41:37 +0200

Package : libbluray

Version : 1:0.6.2-1+deb8u1 (jessie), 1:0.9.3-3+deb9u1 (stretch)

The latest Java security updates introduced a change that broke libbluray’s interactive BD-J support. This update addresses that, adding compatibility with recent Java versions.

ELA-708-1 libxdmcp security update

Wed, 19 Oct 2022 09:26:54 +0200

Package : libxdmcp

Version : 1:1.1.1-1+deb8u3 (jessie)

Related CVEs : CVE-2017-2625

It was found that libxdmcp 1:1.1.1-1+deb8u1 released as DLA-2006-1 did not properly apply the fix for CVE-2017-2625. That has been corrected now, the description for that issue follows:

libxdmcp, the X11 Display Manager Control Protocol library, used weak entropy to generate the session keys. A local attacker could brute force the keys to connect to another user’s session.

ELA-707-1 bcel security update

Tue, 18 Oct 2022 13:36:57 +0200

Package : bcel

Version : 6.0~rc3-1+deb8u1 (jessie), 6.0-1+deb9u1 (stretch)

Related CVEs : CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. In Debian the vulnerable code is in the bcel source package.

ELA-706-1 libksba security update

Tue, 18 Oct 2022 12:39:05 +0200

Package : libksba

Version : 1.3.2-1+deb8u2 (jessie), 1.3.5-2+deb9u1 (stretch)

Related CVEs : CVE-2022-3515

An integer overflow flaw was discovered in the CRL parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.

ELA-705-1 qemu security update

Mon, 17 Oct 2022 16:11:01 +0200

Package : qemu

Version : 1:2.1+dfsg-12+deb8u23 (jessie), 1:2.8+dfsg-6+deb9u18 (stretch)

Multiple vulnerabilities were found in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.

In addition, the jessie package addresses CVE-2021-3930, a denial of service vulnerability in the SCSI device emulation.

ELA-704-1 isc-dhcp security update

Thu, 13 Oct 2022 20:19:23 +0200

Package : isc-dhcp

Version : 4.3.1-6+deb8u6 (jessie), 4.3.5-3+deb9u3 (stretch)

Related CVEs : CVE-2022-2928 CVE-2022-2929

Several vulnerabilities have been discovered in the ISC DHCP client, relay and server.

CVE-2022-2928

It was discovered that the DHCP server does not correctly perform
option reference counting when configured with "allow leasequery;".
A remote attacker can take advantage of this flaw to cause a denial
of service (daemon crash).

CVE-2022-2929

It was discovered that the DHCP server is prone to a memory leak
flaw when handling contents of option 81 (fqdn) data received in
a DHCP packet. A remote attacker can take advantage of this flaw
to cause DHCP servers to consume resources, resulting in denial
of service.

ELA-703-1 mediawiki security update

Thu, 13 Oct 2022 00:08:15 +0200

Package : mediawiki

Version : 1:1.27.7-1+deb9u13 (stretch)

Related CVEs : CVE-2022-41765

A privacy flaw was discovered in mediawiki, a website engine for collaborative work. The HTMLUserTextField exposed the existence of hidden users which gave more insight than actually intended.

ELA-702-1 strongswan security update

Mon, 10 Oct 2022 11:40:12 -0700

Package : strongswan

Version : 5.5.1-4+deb9u7 (stretch), 5.2.1-6+deb8u10 (jessie)

Related CVEs : CVE-2022-40617

It was discovered that there was a potential denial of service vulnerability in strongswan, an IPsec VPN solution.

Strongswan could have queried URLs with untrusted certificates, and this could potentially lead to a DoS attack by blocking the fetcher thread.

ELA-701-1 dbus security update

Mon, 10 Oct 2022 14:08:14 +0200

Package : dbus

Version : 1.8.22-0+deb8u5 (jessie), 1.10.32-0+deb9u2 (stretch)

Evgeny Vereshchagin discovered multiple vulnerabilities in D-Bus, a simple interprocess messaging system, which may result in denial of service by an authenticated user.

ELA-700-1 git security update

Mon, 10 Oct 2022 01:02:06 +0200

Package : git

Version : 1:2.1.4-2.1+deb8u11 (jessie), 1:2.11.0-3+deb9u8 (stretch)

Related CVEs : CVE-2021-21300 CVE-2021-40330

Several security vulnerabilities have been discovered in Git, a fast, scalable, distributed revision control system, which may affect multi-user systems.

CVE-2021-21300

A specially crafted repository that contains symbolic links as well as
files using a clean/smudge filter such as Git LFS, may cause just-checked
out script to be executed while cloning onto a case-insensitive file system
such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and
macOS).

CVE-2021-40330

git_connect_git in connect.c allows a repository path to contain a newline
character, which may result in unexpected cross-protocol requests, as
demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1
substring.

ELA-699-1 asterisk security update

Fri, 07 Oct 2022 23:55:49 +0200

Package : asterisk

Version : 1:13.14.1~dfsg-2+deb9u7 (stretch)

Related CVEs : CVE-2020-35776 CVE-2022-26651

Several security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange.

CVE-2022-26651

The func_odbc module provides possibly inadequate escaping functionality
for backslash characters in SQL queries, resulting in user-provided data
creating a broken SQL query or possibly a SQL injection.

CVE-2020-35776

A buffer overflow in res_pjsip_diversion.c allows remote attackers to crash
Asterisk by deliberately misusing SIP 181 responses.

ELA-698-1 bind9 security update

Fri, 07 Oct 2022 12:21:24 +0200

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u28 (jessie), 1:9.10.3.dfsg.P4-12.3+deb9u13 (stretch)

Related CVEs : CVE-2022-2795 CVE-2022-38177

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2022-2795

Yehuda Afek, Anat Bremler-Barr and Shani Stajnrod discovered that a
flaw in the resolver code can cause named to spend excessive amounts
of time on processing large delegations, significantly degrade
resolver performance and result in denial of service.

CVE-2022-38177

It was discovered that the DNSSEC verification code for the ECDSA
algorithm is susceptible to a memory leak flaw. A remote attacker
can take advantage of this flaw to cause BIND to consume resources,
resulting in a denial of service.

ELA-697-1 libraw security update

Tue, 04 Oct 2022 14:30:37 +0200

Package : libraw

Version : 0.17.2-6+deb9u3 (stretch)

Multiple file format vulnerabilities have been fixed in libraw.

CVE-2018-5816

An integer overflow error within the "identify()"
function (internal/dcraw_common.cpp) in LibRaw versions
prior to 0.18.12 can be exploited to trigger a division by
zero via specially crafted NOKIARAW file (Note: This
vulnerability is caused due to an incomplete fix of
CVE-2018-5804).

CVE-2018-10528

There is a stack-based buffer overflow in the utf2char
function in libraw_cxx.cpp.

CVE-2018-10529

There is an out-of-bounds read affecting the X3F
property table list implementation in libraw_x3f.cpp and
libraw_cxx.cpp.

CVE-2020-35530

In LibRaw, there is an out-of-bounds write vulnerability
within the "new_node()" function
(libraw\src\x3f\x3f_utils_patched.cpp) that can be triggered
via a crafted X3F file.

CVE-2020-35531

In LibRaw, an out-of-bounds read vulnerability exists
within the get_huffman_diff() function
(libraw\src\x3f\x3f_utils_patched.cpp) when reading data
from an image file.

CVE-2020-35532

In LibRaw, an out-of-bounds read vulnerability exists
within the "simple_decode_row()" function
(libraw\src\x3f\x3f_utils_patched.cpp) which can be
triggered via an image with a large row_stride field.

CVE-2020-35533

In LibRaw, an out-of-bounds read vulnerability exists
within the "LibRaw::adobe_copy_pixel()" function
(libraw\src\decoders\dng.cpp) when reading data from the
image file.

ELA-696-1 linux-4.19 security update

Tue, 04 Oct 2022 09:31:12 +0200

Package : linux-4.19

Version : 4.19.260-1~deb8u1 (jessie), 4.19.260-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

CVE-2021-4159

A flaw was found in the eBPF verifier which could lead to an
out-of-bounds read.  If unprivileged use of eBPF is enabled, this
could leak sensitive information.  This was already disabled by
default, which would fully mitigate the vulnerability.

CVE-2021-33655

A user with access to a framebuffer console device could cause a
memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl.

CVE-2021-33656

A user with access to a framebuffer console device could cause a
memory out-of-bounds write via some font setting ioctls.  These
obsolete ioctls have been removed.

CVE-2022-1462

一只狗 reported a race condition in the pty (pseudo-terminal)
subsystem that can lead to a slab out-of-bounds write.  A local
user could exploit this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.

CVE-2022-1679

The syzbot tool found a race condition in the ath9k_htc driver
which can lead to a use-after-free.  This might be exploitable to
cause a denial service (crash or memory corruption) or possibly
for privilege escalation.

CVE-2022-2153

"kangel" reported a flaw in the KVM implementation for x86
processors which could lead to a null pointer dereference. A local
user permitted to access /dev/kvm could exploit this to cause a
denial of service (crash).

CVE-2022-2318

A use-after-free in the Amateur Radio X.25 PLP (Rose) support may
result in denial of service.

CVE-2022-2586

A use-after-free in the Netfilter subsystem may result in local
privilege escalation for a user with the CAP_NET_ADMIN capability
in any user or network namespace.

CVE-2022-2588

Zhenpeng Lin discovered a use-after-free flaw in the cls_route
filter implementation which may result in local privilege
escalation for a user with the CAP_NET_ADMIN capability in any
user or network namespace.

CVE-2022-2663

David Leadbeater reported flaws in the nf_conntrack_irc
connection-tracking protocol module.  When this module is enabled
on a firewall, an external user on the same IRC network as an
internal user could exploit its lax parsing to open arbitrary TCP
ports in the firewall, to reveal their public IP address, or to
block their IRC connection at the firewall.

CVE-2022-3028

Abhishek Shah reported a race condition in the AF_KEY subsystem,
which could lead to an out-of-bounds write or read.  A local user
could exploit this to cause a denial of service (crash or memory
corruption), to obtain sensitive information, or possibly for
privilege escalation.

CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742

Roger Pau Monne discovered that Xen block and network PV device
frontends don't zero out memory regions before sharing them with
the backend, which may result in information disclosure.
Additionally it was discovered that the granularity of the grant
table doesn't permit sharing less than a 4k page, which may also
result in information disclosure.

CVE-2022-26373

It was discovered that on certain processors with Intel's Enhanced
Indirect Branch Restricted Speculation (eIBRS) capabilities there
are exceptions to the documented properties in some situations,
which may result in information disclosure.

Intel's explanation of the issue can be found at
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/post-barrier-return-stack-buffer-predictions.html

CVE-2022-33744

Oleksandr Tyshchenko discovered that ARM Xen guests can cause a
denial of service to the Dom0 via paravirtual devices.

CVE-2022-36879

A flaw was discovered in xfrm_expand_policies in the xfrm
subsystem which can cause a reference count to be dropped twice.

CVE-2022-36946

Domingo Dirutigliano and Nicola Guerrera reported a memory
corruption flaw in the Netfilter subsystem which may result in
denial of service.

CVE-2022-39188

Jann Horn reported a race condition in the kernel's handling of
unmapping of certain memory ranges.  When a driver created a
memory mapping with the VM_PFNMAP flag, which many GPU drivers do,
the memory mapping could be removed and freed before it was
flushed from the CPU TLBs.  This could result in a page use-after-
free.  A local user with access to such a device could exploit
this to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2022-39842

An integer overflow was discovered in the pxa3xx-gcu video driver
which could lead to a heap out-of-bounds write.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-40307

A race condition was discovered in the EFI capsule-loader driver,
which could lead to use-after-free.  A local user permitted to
access this device (/dev/efi_capsule_loader) could exploit this to
cause a denial of service (crash or memory corruption) or possibly
for privilege escalation.  However, this device is normally only
accessible by the root user.

ELA-695-1 libdatetime-timezone-perl new timezone database

Mon, 03 Oct 2022 14:24:52 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2022d (jessie), 1:2.09-1+2022d (stretch)

This update includes the changes in tzdata 2022d for the Perl bindings.

ELA-694-1 tzdata new timezone database

Mon, 03 Oct 2022 14:15:09 +0200

Package : tzdata

Version : 2021a-0+deb8u6 (jessie), 2021a-0+deb9u6 (stretch)

This update includes the changes in tzdata 2022d. Notable changes are:

Palestine now switches back to standard time on October 29.
Updated leap second list, which was set to expire by the end of December.

ELA-693-1 snakeyaml security update

Mon, 03 Oct 2022 00:55:31 +0200

Package : snakeyaml

Version : 1.12-2+deb8u1 (jessie), 1.17-1+deb9u1 (stretch)

Several security vulnerabilities have been discovered in SnakeYaml, a YAML parser for Java, which could facilitate a denial of service attack whenever maliciously crafted input files are processed by SnakeYaml.

ELA-692-1 exim4 security update

Sat, 01 Oct 2022 18:45:05 +0530

Package : exim4

Version : 4.84.2-2+deb8u9 (jessie), 4.89-2+deb9u9 (stretch)

Related CVEs : CVE-2022-37452

It was discovered that in Exim, a mail transport agent, handling an e-mail can cause a heap-based buffer overflow in some situations. An attacker can cause a denial-of-service (DoS) and possibly execute arbitrary code.

ELA-691-1 wkhtmltopdf security update

Sat, 01 Oct 2022 05:35:36 +0530

Package : wkhtmltopdf

Version : 0.12.1-2+deb8u1 (jessie), 0.12.3.2-3+deb9u1 (stretch)

Related CVEs : CVE-2020-21365

Directory traversal vulnerability in wkhtmltopdf, a set of CLI utilities to convert html to pdf or image using WebKit, allows remote attackers to read local files and disclose sensitive information via a crafted html file running with the default configurations.

Do note that it’s a breaking change, in the way that the local filesystem access will be blocked by default. In case you need to enable or allow it, use --enable-local-file-access. Another option would be to use --allow <path> to specify the folder(s) from which local files are allowed to be loaded.

ELA-690-1 libvncserver security update

Fri, 30 Sep 2022 00:01:51 +0200

Package : libvncserver

Version : 0.9.11+dfsg-1.3~deb9u7 (stretch)

Related CVEs : CVE-2020-29260

An issue has been found in libvncserver, a library to write one’s own VNC server. Due to a memory leak in function rfbClientCleanup() a remote attacker might be able to cause a denial of service.

ELA-689-1 poppler security update

Thu, 29 Sep 2022 18:34:50 +0200

Package : poppler

Version : 0.26.5-2+deb8u15 (jessie), 0.48.0-2+deb9u5 (stretch)

Several security vulnerabilities have been discovered in Poppler, a PDF rendering library, that could lead to denial of service or possibly other unspecified impact when processing maliciously crafted documents.

ELA-688-1 openssl security update

Thu, 29 Sep 2022 18:08:27 +0200

Package : openssl

Version : 1.0.1t-1+deb8u19 (jessie), 1.1.0l-1~deb9u7 (stretch)

Related CVEs : CVE-2022-2068 CVE-2022-2097

It was discovered that the c_rehash script included in OpenSSL did not sanitise shell meta characters which could result in the execution of arbitrary commands.

In addition, the stretch package addresses CVE-2022-2097, an information disclosure issue in the AES OCB assembly implementation for the x86 architecture.

ELA-687-1 liblouis security update

Tue, 27 Sep 2022 13:41:42 +0200

Package : liblouis

Version : 3.0.0-3+deb9u5 (stretch)

Related CVEs : CVE-2022-26981 CVE-2022-31783

Two buffer overwrite vulnerabilities were found in liblouis, a braille translator library, that could cause denial of service or have other unspecified impact.

ELA-686-1 expat security update

Sun, 25 Sep 2022 10:29:59 +0200

Package : expat

Version : 2.1.0-6+deb8u9 (jessie), 2.2.0-2+deb9u6 (stretch)

Related CVEs : CVE-2022-40674

Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

ELA-685-1 ntfs-3g security update

Sat, 24 Sep 2022 00:36:07 +0200

Package : ntfs-3g

Version : 1:2014.2.15AR.2-1+deb8u6 (jessie)

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.

CVE-2022-30783

An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel when using libfuse-lite.

CVE-2022-30784

A crafted NTFS image can cause heap exhaustion in ntfs_get_attribute_value.

CVE-2022-30785

A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations when using libfuse-lite.

CVE-2022-30786

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_names_full_collate.

CVE-2022-30787

An integer underflow in fuse_lib_readdir enables arbitrary memory read operations when using libfuse-lite.

CVE-2022-30788

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_mft_rec_alloc.

CVE-2022-30789

A crafted NTFS image can cause a heap-based buffer overflow in ntfs_check_log_client_array.

CVE-2021-46790

A crafted NTFS image can cause a heap-based buffer overflow in ntfsck.

ELA-684-1 pdftk security update

Fri, 23 Sep 2022 11:42:25 +0200

Package : pdftk

Version : 2.02-2+deb8u1 (jessie), 2.02-4+deb9u1 (stretch)

Related CVEs : CVE-2021-37819

It was found that PDFtk, a tool for manipulating PDF documents, was vulnerable to an infinite loop if a crafted file was processed, which could result in denial of service.

ELA-683-1 unzip security update

Thu, 22 Sep 2022 18:55:50 +0200

Package : unzip

Version : 6.0-16+deb8u7 (jessie), 6.0-21+deb9u3 (stretch)

Related CVEs : CVE-2022-0529 CVE-2022-0530

Sandipan Roy discovered two vulnerabilities in InfoZIP’s unzip program, a de-archiver for .zip files, which could result in denial of service or potentially the execution of arbitrary code.

ELA-682-1 open-vm-tools security update

Wed, 21 Sep 2022 23:47:28 +0530

Package : open-vm-tools

Version : 2:10.1.5-5055683-4+deb9u3 (stretch)

Related CVEs : CVE-2022-31676

A vulnerability was discovered in open-vm-tools, an open source implementation of VMware Tools, allowing an unprivileged local guest user to escalate their privileges as root user in the virtual machine.

ELA-681-1 mako security update

Wed, 21 Sep 2022 18:07:13 +0200

Package : mako

Version : 1.0.0+dfsg-0.1+deb8u1 (jessie), 1.0.6+ds1-2+deb9u1 (stretch)

Related CVEs : CVE-2022-40023

It was found that Mako, a Python template library, was vulnerable to a denial of service attack via crafted regular expressions.

ELA-680-1 intel-microcode security update

Mon, 19 Sep 2022 12:13:26 +0200

Package : intel-microcode

Version : 3.20220510.1~deb8u1 (jessie), 3.20220510.1~deb9u1 (stretch)

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in information disclosure or denial or service.

ELA-679-1 glib2.0 security update

Thu, 15 Sep 2022 17:23:24 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u5 (jessie), 2.50.3-2+deb9u4 (stretch)

Related CVEs : CVE-2021-3800

It was found that GLib, a general-purpose portable utility library, could be used to print partial contents from arbitrary files. This could be exploited from setuid binaries linking to GLib for information disclosure of files with a specific format.

ELA-678-1 sqlite3 security update

Thu, 15 Sep 2022 08:48:59 +0100

Package : sqlite3

Version : 3.8.7.1-1+deb8u8 (jessie), 3.16.2-5+deb9u4 (stretch)

Related CVEs : CVE-2020-35525

A potential null pointer dereference vulnerability was discovered in the popular embedded database engine SQLite related to INTERSEC query processing.

ELA-677-1 zlib security update

Mon, 12 Sep 2022 11:06:34 +0200

Package : zlib

Version : 1:1.2.8.dfsg-2+deb8u3 (jessie), 1:1.2.8.dfsg-5+deb9u2 (stretch)

Related CVEs : CVE-2022-37434

Evgeny Legerov reported a heap-based buffer overflow vulnerability in the inflate operation in zlib, which could result in denial of service or potentially the execution of arbitrary code if specially crafted input is processed.

ELA-676-1 linux-5.10 security update

Fri, 09 Sep 2022 10:38:16 +0200

Package : linux-5.10

Version : 5.10.136-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-2585

A use-after-free flaw in the implementation of POSIX CPU timers may
result in denial of service or in local privilege escalation.

CVE-2022-2586

A use-after-free in the Netfilter subsystem may result in local
privilege escalation for a user with the CAP_NET_ADMIN capability in
any user or network namespace.

CVE-2022-2588

Zhenpeng Lin discovered a use-after-free flaw in the cls_route
filter implementation which may result in local privilege escalation
for a user with the CAP_NET_ADMIN capability in any user or network
namespace.

CVE-2022-26373

It was discovered that on certain processors with Intel's Enhanced
Indirect Branch Restricted Speculation (eIBRS) capabilities there
are exceptions to the documented properties in some situations,
which may result in information disclosure.

Intel’s explanation of the issue can be found at the Intel advisory

CVE-2022-29900

Johannes Wikner and Kaveh Razavi reported that for AMD/Hygon
processors, mis-trained branch predictions for return instructions
may allow arbitrary speculative code execution under certain
microarchitecture-dependent conditions.

A list of affected AMD CPU types can be found at the AMD bulletin

CVE-2022-29901

Johannes Wikner and Kaveh Razavi reported that for Intel processors
(Intel Core generation 6, 7 and 8), protections against speculative
branch target injection attacks were insufficient in some
circumstances, which may allow arbitrary speculative code execution
under certain microarchitecture-dependent conditions.

More information can be found at the Intel advisory

CVE-2022-36879

A flaw was discovered in xfrm_expand_policies in the xfrm subsystem
which can cause a reference count to be dropped twice.

CVE-2022-36946

Domingo Dirutigliano and Nicola Guerrera reported a memory
corruption flaw in the Netfilter subsystem which may result in
denial of service.

ELA-675-1 systemd security update

Tue, 06 Sep 2022 17:25:56 +0200

Package : systemd

Version : 232-25+deb9u15 (stretch)

Related CVEs : CVE-2022-2526

A use-after-free vulnerability was found in systemd, a system and service manager. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream.c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

ELA-674-1 mediawiki security update

Mon, 05 Sep 2022 22:00:02 +0200

Package : mediawiki

Version : 1:1.27.7-1+deb9u12 (stretch)

Several security vulnerabilities were discovered in mediawiki, a website engine for collaborative work. Insufficiently escaped input text may allow a malicious user to perform cross-site-scripting (XSS) attacks.

ELA-673-1 ghostscript security update

Sat, 03 Sep 2022 23:24:50 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u10 (jessie), 9.26a~dfsg-0+deb9u10 (stretch)

Related CVEs : CVE-2020-27792

A heap-based buffer over write vulnerability was found in GhostScript, the GPL PostScript/PDF interpreter. An attacker could trick a user to open a crafted PDF file, triggering the heap buffer overflow that could lead to memory corruption or a denial of service.

ELA-672-1 grunt security update

Sun, 04 Sep 2022 02:41:12 +0530

Package : grunt

Version : 1.0.1-5+deb9u2 (stretch)

Related CVEs : CVE-2022-0436

Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. In GruntJS, file.copy operations in GruntJS are not protected against symlink traversal for both source and destination directories.

ELA-671-1 ruby-tzinfo security update

Sun, 04 Sep 2022 02:31:35 +0530

Package : ruby-tzinfo

Version : 1.2.2-2+deb9u1 (stretch)

Related CVEs : CVE-2022-31163

It was discovered that there was a potential directory traversal vulnerablilty in ruby-tzinfo, a timezone library for the Ruby programming language.

ELA-670-1 http-parser security update

Wed, 31 Aug 2022 10:44:58 +0100

Package : http-parser

Version : 2.1-2+deb8u1 (jessie), 2.1-2+deb9u1 (stretch)

Related CVEs : CVE-2020-8287

There was a potential HTTP request smuggling vulnerability in http-parser, a popular library for parsing HTTP messages.

ELA-668-1 net-snmp security update

Tue, 30 Aug 2022 16:18:45 +0200

Package : net-snmp

Version : 5.7.2.1+dfsg-1+deb8u5 (jessie), 5.7.3+dfsg-1.7+deb9u4 (stretch)

Yu Zhang and Nanyu Zhong discovered several vulnerabilities in net-snmp, a suite of Simple Network Management Protocol applications, which could result in denial of service or the execution of arbitrary code

ELA-667-1 gst-plugins-good1.0 security update

Sat, 27 Aug 2022 00:52:59 +0200

Package : gst-plugins-good1.0

Version : 1.4.4-2+deb8u5 (jessie), 1.10.4-1+deb9u2 (stretch)

Adam Doupe discovered multiple vulnerabilities in package gst-plugins-good1.0, which contains Gstreamer plugins from the “good” set. The issues are within the plugins to demux Mastroska and AVI files, which could result in denial of service or the execution of arbitrary code.

ELA-666-1 sqlite3 security update

Thu, 25 Aug 2022 11:49:35 +0200

Package : sqlite3

Version : 3.8.7.1-1+deb8u7 (jessie)

Related CVEs : CVE-2019-16168 CVE-2019-20218

Multiple fixes for vulnerabilities were backported from Debian stretch to Debian jessie. The two fixed vulnerabilities could result in crashes when working with BTree indexes, and in unexpected behaviour after parsing errors in WITH clauses.

Debian 9 stretch is not affected, the changes have been delivered there before.

ELA-665-1 vlc security update

Sun, 21 Aug 2022 12:12:27 +0200

Package : vlc

Version : 3.0.17.4-0+deb9u1 (stretch)

Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file is opened.

ELA-664-1 curl security update

Sun, 21 Aug 2022 01:17:00 +0200

Package : curl

Version : 7.38.0-4+deb8u23 (jessie), 7.52.1-5+deb9u17 (stretch)

Multiple security vulnerabilities have been discovered in cURL, an URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data or facilitate a denial of service attack.

The following CVE has been additionally addressed in Debian 9 “Stretch”.

CVE-2022-27782

libcurl would reuse a previously created connection even when a TLS or SSH
related option had been changed that should have prohibited reuse. libcurl
keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, several TLS and
SSH settings were left out from the configuration match checks, making them
match too easily.

ELA-663-1 libdatetime-timezone-perl new timezone database

Fri, 19 Aug 2022 11:41:21 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2022c (jessie), 1:2.09-1+2022c (stretch)

This update includes the changes in tzdata 2022c for the Perl bindings.

ELA-662-1 tzdata new timezone database

Fri, 19 Aug 2022 11:30:36 +0200

Package : tzdata

Version : 2021a-0+deb8u5 (jessie), 2021a-0+deb9u5 (stretch)

This update includes the changes in tzdata 2022b. Notable changes are:

Iran plans to stop observing DST permanently, after it falls back on 2022-09-21.
Chile’s 2022 DST start is delayed from September 4 to September 11.

Note that for jessie, the tzdata-java package which was built for Java 7 is no longer provided, as Java 7 is no longer supported.

ELA-661-1 linux-5.10 security update

Wed, 10 Aug 2022 11:44:30 +0200

Package : linux-5.10

Version : 5.10.127-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks:

CVE-2021-33655

A user with access to a framebuffer console driver could cause a
memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl.

CVE-2022-2318

A use-after-free in the Amateur Radio X.25 PLP (Rose) support may
result in denial of service.

CVE-2022-26365 / CVE-2022-33740 / CVE-2022-33741 / CVE-2022-33742

Roger Pau Monne discovered that Xen block and network PV device
frontends don't zero out memory regions before sharing them with the
backend, which may result in information disclosure. Additionally it
was discovered that the granularity of the grant table doesn't permit
sharing less than a 4k page, which may also result in information
disclosure.

CVE-2022-33743

Jan Beulich discovered that incorrect memory handling in the Xen
network backend may lead to denial of service.

CVE-2022-33744

Oleksandr Tyshchenko discovered that ARM Xen guests can cause a denial
of service to the Dom0 via paravirtual devices.

CVE-2022-34918

Arthur Mongodin discovered a heap buffer overflow in the Netfilter
subsystem which may result in local privilege escalation.

ELA-660-1 squid3 security update

Mon, 08 Aug 2022 07:46:36 -0700

Package : squid3

Version : 3.5.23-5+deb8u5 (jessie), 3.5.23-5+deb9u8 (stretch)

Related CVEs : CVE-2021-28116 CVE-2021-46784

Two vulnerabilities were discovered in squid3, a popular HTTP caching proxy:

CVE-2021-28116: Squid through 4.14 and 5.x through 5.0.5, in some configurations, allows information disclosure because of an out-of-bounds read in WCCP protocol data. This can be leveraged as part of a chain for remote code execution as nobody.
CVE-2021-46784: In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due to improper buffer management, a Denial of Service can occur when processing long Gopher server responses.

ELA-659-1 mod-wsgi security update

Sun, 07 Aug 2022 01:21:21 +0200

Package : mod-wsgi

Version : 4.5.11-1+deb9u1 (stretch)

Related CVEs : CVE-2022-2255

An issue has been found in mod-wsgi, a Python WSGI adapter module for Apache. A request from an untrusted proxy does not remove the X-Client-IP header and thus allowing this header to be passed to the target WSGI application.

ELA-658-1 libxslt security update

Fri, 05 Aug 2022 08:21:49 -0700

Package : libxslt

Version : 1.1.28-2+deb8u7 (jessie), 1.1.29-2.1+deb9u3 (stretch)

Related CVEs : CVE-2019-5815 CVE-2021-30560

Two vulnerabilities were discovered in libxslt, an XML processing library:

CVE-2019-5815: Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
CVE-2021-30560: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

ELA-657-1 ruby-rack security update

Wed, 03 Aug 2022 10:57:34 -0700

Package : ruby-rack

Version : 1.6.4-4+deb9u3 (stretch)

Related CVEs : CVE-2022-30122 CVE-2022-30123

Two vulnerabilities were discovered in ruby-rack, a popular Ruby webserver:

CVE-2022-30122: Prevent a Denial of Service (DoS) vulnerability in the HTTP multipart parsing.
CVE-2022-30123: Prevent a potential shell escape sequence injection vulnerability that could be triggered through the logging system.

ELA-656-1 libxml2 security update

Wed, 03 Aug 2022 08:25:21 -0700

Package : libxml2

Version : 2.9.4+dfsg1-2.2+deb9u8 (stretch)

Related CVEs : CVE-2016-3709

A cross-site scripting vulnerability was discovered in libxml2, a widely used XML parsing library.

ELA-655-1 libhttp-daemon-perl security update

Mon, 01 Aug 2022 11:25:42 +0200

Package : libhttp-daemon-perl

Version : 6.01-1+deb8u1 (jessie), 6.01-1+deb9u1 (stretch)

Related CVEs : CVE-2022-31081

An issue has been found in libhttp-daemon-perl, a simple http server class. Due to insufficient Content-Length: handling in HTTP-header an attacker could gain privileged access to APIs or poison intermediate caches.

ELA-654-1 xorg-server security update

Tue, 26 Jul 2022 17:23:00 +0200

Package : xorg-server

Version : 2:1.16.4-1+deb8u7 (jessie), 2:1.19.2-1+deb9u10 (stretch)

Related CVEs : CVE-2022-2319 CVE-2022-2320

Jan-Niklas Sohn discovered two out of bound memory writes in X.Org Server’s ProcXkbSetGeometry and ProcXkbSetDeviceInfo Xkb extensions. These issues could be exploited by an attacker to cause denial of service, privilege escalation or arbitrary code execution.

ELA-653-1 openjdk-8 security update

Tue, 26 Jul 2022 14:52:36 +0200

Package : openjdk-8

Version : 8u342-b07-1~deb8u1 (jessie), 8u342-b07-1~deb9u1 (stretch)

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure, unauthorized access or code execution.

ELA-652-1 linux-4.19 security update

Tue, 26 Jul 2022 10:32:37 +0200

Package : linux-4.19

Version : 4.19.249-2~deb8u1 (jessie), 4.19.249-2~deb9u1 (stretch)

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-4197

Eric Biederman reported that incorrect permission checks in the
cgroup process migration implementation can allow a local attacker
to escalate privileges.

CVE-2022-0494

The scsi_ioctl() was susceptible to an information leak only
exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO
capabilities.

CVE-2022-0812

It was discovered that the RDMA transport for NFS (xprtrdma)
miscalculated the size of message headers, which could lead to a
leak of sensitive information between NFS servers and clients.

CVE-2022-0854

Ali Haider discovered a potential information leak in the DMA
subsystem. On systems where the swiotlb feature is needed, this
might allow a local user to read sensitive information.

CVE-2022-1011

Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space)
implementation. A local user permitted to mount FUSE filesystems
could exploit this to cause a use-after-free and read sensitive
information.

CVE-2022-1012, CVE-2022-32296

Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness
in randomisation of TCP source port selection.

CVE-2022-1016

David Bouman discovered a flaw in the netfilter subsystem where
the nft_do_chain function did not initialize register data that
nf_tables expressions can read from and write to. A local attacker
can take advantage of this to read sensitive information.

CVE-2022-1048

Hu Jiahui discovered a race condition in the sound subsystem that
can result in a use-after-free. A local user permitted to access a
PCM sound device can take advantage of this flaw to crash the
system or potentially for privilege escalation.

CVE-2022-1184

A flaw was discovered in the ext4 filesystem driver which can lead
to a use-after-free. A local user permitted to mount arbitrary
filesystems could exploit this to cause a denial of service (crash
or memory corruption) or possibly for privilege escalation.

CVE-2022-1195

Lin Ma discovered race conditions in the 6pack and mkiss hamradio
drivers, which could lead to a use-after-free. A local user could
exploit these to cause a denial of service (memory corruption or
crash) or possibly for privilege escalation.

CVE-2022-1198

Duoming Zhou discovered a race condition in the 6pack hamradio
driver, which could lead to a use-after-free. A local user could
exploit this to cause a denial of service (memory corruption or
crash) or possibly for privilege escalation.

CVE-2022-1199, CVE-2022-1204, CVE-2022-1205

Duoming Zhou discovered race conditions in the AX.25 hamradio
protocol, which could lead to a use-after-free or null pointer
dereference. A local user could exploit this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2022-1353

The TCS Robot tool found an information leak in the PF_KEY
subsystem. A local user can receive a netlink message when an
IPsec daemon registers with the kernel, and this could include
sensitive information.

CVE-2022-1419

Minh Yuan discovered a race condition in the vgem virtual GPU
driver that can lead to a use-after-free. A local user permitted
to access the GPU device can exploit this to cause a denial of
service (crash or memory corruption) or possibly for privilege
escalation.

CVE-2022-1516

A NULL pointer dereference flaw in the implementation of the X.25
set of standardized network protocols, which can result in denial
of service.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-1652

Minh Yuan discovered a race condition in the floppy driver that
can lead to a use-after-free. A local user permitted to access a
floppy drive device can exploit this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.

CVE-2022-1729

Norbert Slusarek discovered a race condition in the perf subsystem
which could result in local privilege escalation to root. The
default settings in Debian prevent exploitation unless more
permissive settings have been applied in the
kernel.perf_event_paranoid sysctl.

CVE-2022-1734

Duoming Zhou discovered race conditions in the nfcmrvl NFC driver
that could lead to a use-after-free, double-free or null pointer
dereference. A local user might be able to exploit these for
denial of service (crash or memory corruption) or possibly for
privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-1974, CVE-2022-1975

Duoming Zhou discovered that the NFC netlink interface was
suspectible to denial of service.

CVE-2022-2153

"kangel" reported a flaw in the KVM implementation for x86
processors which could lead to a null pointer dereference. A local
user permitted to access /dev/kvm could exploit this to cause a
denial of service (crash).

CVE-2022-21123, CVE-2022-21125, CVE-2022-21166

Various researchers discovered flaws in Intel x86 processors,
collectively referred to as MMIO Stale Data vulnerabilities.
These are similar to the previously published Microarchitectural
Data Sampling (MDS) issues and could be exploited by local users
to leak sensitive information.

For some CPUs, the mitigations for these issues require updated
microcode.  An updated intel-microcode package may be provided at
a later date.  The updated CPU microcode may also be available as
part of a system firmware ("BIOS") update.

Further information on the mitigation can be found at
<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html>
or in the linux-doc-4.19 package.

CVE-2022-23960

Researchers at VUSec discovered that the Branch History Buffer in
Arm processors can be exploited to create information side-
channels with speculative execution.  This issue is similar to
Spectre variant 2, but requires additional mitigations on some
processors.

This was previously mitigated for 32-bit Arm (armel and armhf)
architectures and is now also mitigated for 64-bit Arm (arm64).

This can be exploited to obtain sensitive information from a
different security context, such as from user-space to the kernel,
or from a KVM guest to the kernel.

CVE-2022-26490

Buffer overflows in the STMicroelectronics ST21NFCA core driver
can result in denial of service or privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2022-27666

"valis" reported a possible buffer overflow in the IPsec ESP
transformation code. A local user can take advantage of this flaw
to cause a denial of service or for privilege escalation.

CVE-2022-28356

"Beraphin" discovered that the ANSI/IEEE 802.2 LLC type 2 driver did
not properly perform reference counting on some error paths. A
local attacker can take advantage of this flaw to cause a denial
of service.

CVE-2022-28388

A double free vulnerability was discovered in the 8 devices
USB2CAN interface driver.

CVE-2022-28389

A double free vulnerability was discovered in the Microchip CAN
BUS Analyzer interface driver.

CVE-2022-28390

A double free vulnerability was discovered in the EMS CPC-USB/ARM7
CAN/USB interface driver.

CVE-2022-29581

Kyle Zeng discovered a reference-counting bug in the cls_u32
network classifier which can lead to a use-after-free. A local
user can exploit this to cause a denial of service (crash or
memory corruption) or possibly for privilege escalation.

CVE-2022-30594

Jann Horn discovered a flaw in the interaction between ptrace and
seccomp subsystems. A process sandboxed using seccomp() but still
permitted to use ptrace() could exploit this to remove the seccomp
restrictions.

CVE-2022-32250

Aaron Adams discovered a use-after-free in Netfilter which may
result in local privilege escalation to root.

CVE-2022-33981

Yuan Ming from Tsinghua University reported a race condition in
the floppy driver involving use of the FDRAWCMD ioctl, which could
lead to a use-after-free. A local user with access to a floppy
drive device could exploit this to cause a denial of service
(crash or memory corruption) or possibly for privilege escalation.
This ioctl is now disabled by default.

This update also corrects a regression in the network scheduler subsystem (bug #1013299).

For the 32-bit Arm (armel and armhf) architectures, this update enables optimised implementations of several cryptographic and CRC algorithms. For at least AES, this should remove a timing side- channel that could lead to a leak of sensitive information.

This update includes many more bug fixes from stable updates 4.19.236-4.19.249 inclusive, including for bug #1006346. The random driver has been backported from Linux 5.19, fixing numerous performance and correctness issues. Some changes will be visible:

- The entropy pool size is now 256 bits instead of 4096. You may need to adjust the configuration of system monitoring or user-space entropy gathering services to allow for this.
- On systems without a hardware RNG, the kernel may log more uses of /dev/urandom before it is fully initialised. These uses were previously under-counted and this is not a regression.

ELA-632-2 apache2 regression update

Sat, 23 Jul 2022 13:38:05 -0400

Package : apache2

Version : 2.4.10-10+deb8u24 (jessie)

The patch for CVE-2022-31813 caused a regression in the apache2 package for Debian 8 jessie, which resulted in some request parameters being lost in modproxy and modproxy_http configurations. This version corrects the regression and implements the intended fix without request parameters being lost.

Note that this regression only affects the apache2 package for Debian 8 jessie. The apache2 package for Debian 9 stretch which was published under the original advisory ELA-632-1 is not affected by this regression.

ELA-651-1 gsasl security update

Sat, 23 Jul 2022 15:00:53 +0100

Package : gsasl

Version : 1.8.0-6+deb8u1 (jessie), 1.8.0-8+deb9u1 (stretch)

Related CVEs : CVE-2022-2469

Prevent a potential read-out-of-bounds vulnerability was discovered in gsasl, a library for performing SASL authentication. The attack could have been performed by a malicious (authenticated) GSS-API client.

ELA-650-1 jetty8 security update

Fri, 22 Jul 2022 21:21:46 +0200

Package : jetty8

Version : 8.1.16-4+deb8u1 (jessie)

Several security vulnerabilities have been discovered in Jetty 8, a Java webserver and servlet engine.

CVE-2019-10247

The server running on any OS and Jetty version combination will reveal the
configured fully qualified directory base resource location on the output
of the 404 error for not finding a Context that matches the requested path.
The default server behavior on jetty-distribution and jetty-home will
include at the end of the Handler tree a DefaultHandler, which is
responsible for reporting this 404 error, it presents the various
configured contexts as HTML for users to click through to. This produced
HTML includes output that contains the configured fully qualified directory
base resource location for each context.

CVE-2020-27216

On Unix like systems, the system's temporary directory is shared between
all users on that system. A collocated user can observe the process of
creating a temporary sub directory in the shared temporary directory and
race to complete the creation of the temporary subdirectory. If the
attacker wins the race then they will have read and write permission to the
subdirectory used to unpack web applications, including their WEB-INF/lib
jar files and JSP files. If any code is ever executed out of this temporary
directory, this can lead to a local privilege escalation vulnerability.

CVE-2021-28169

It is possible for requests to the ConcatServlet with a doubly encoded path
to access protected resources within the WEB-INF directory. For example a
request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
This can reveal sensitive information regarding the implementation of a web
application.

ELA-649-1 python-oslo.utils security update

Wed, 20 Jul 2022 09:17:15 +0100

Package : python-oslo.utils

Version : 3.16.0-2+deb9u1 (stretch)

Related CVEs : CVE-2022-0718

Prevent exposure of sensitive admin passwords due to poor handling of credential masking.

ELA-648-1 ruby-rails-html-sanitizer security update

Wed, 20 Jul 2022 08:54:52 +0100

Package : ruby-rails-html-sanitizer

Version : 1.0.3-2+deb9u1 (stretch)

Related CVEs : CVE-2022-32209

A potential cross-site scripting (XSS) vulnerability was discovered in ruby-rails-html-sanitizer, a library to clean (or “sanitize”) HTML for rendering within Ruby on Rails web applications.

ELA-647-1 request-tracker4 security update

Mon, 18 Jul 2022 08:15:13 +0200

Package : request-tracker4

Version : 4.2.8-3+deb8u4 (jessie), 4.4.1-3+deb9u5 (stretch)

Related CVEs : CVE-2021-38562 CVE-2022-25802

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2022-25802

It was discovered that Request Tracker is vulnerable to a cross-site
scripting (XSS) attack when displaying attachment content with fraudulent
content types.

Additionally it was discovered that Request Tracker did not perform full rights checks on accesses to file or image type custom fields, possibly allowing access to these custom fields by users without rights to access to the associated objects, resulting in information disclosure.

Furthermore the following vulnerability was addressed in Debian 8.

CVE-2021-38562

 Sensitive information could have been revealed by way of a timing attack
 on the authentication system.

ELA-646-1 python-babel security update

Sun, 17 Jul 2022 11:45:22 +0100

Package : python-babel

Version : 1.3+dfsg.1-5+deb8u1 (jessie)

Related CVEs : CVE-2021-42771

An arbitrary code execution vulnerability was discovered in python-babel, a library for internationalizing Python applications.

Attackers could load arbitrary locale .data files (containing serialized Python objects) via a directory traversal attack, leading to code execution.

ELA-645-1 pjproject security update

Fri, 15 Jul 2022 13:08:20 +0100

Package : pjproject

Version : 2.5.5~dfsg-6+deb9u6 (stretch)

Related CVEs : CVE-2022-31031

There was a stack buffer overflow vulnerability in pjproject, a multimedia communication library used in various VOIP frameworks. pjproject now maintains a maximum attribute count to prevent this from happening.

ELA-644-1 python-pysaml2 security update

Fri, 15 Jul 2022 10:14:49 +0100

Package : python-pysaml2

Version : 2.0.0-1+deb8u4 (jessie)

Related CVEs : CVE-2021-21239

A certificate verification bypass vulnerability was discovered in python-pysaml2, a library for exchanging SAML authentication tokens.

The default CryptoBackendXmlSec1 backend used the xmlsec1 binary to verify the signature of signed SAML documents but, by default, xmlsec1 accepted any type of key found within the given document; xmlsec1 actually needs to be configured explicitly to only use only x509 certificates for the verification process of the SAML document signature.

ELA-643-1 ncurses security update

Thu, 14 Jul 2022 23:34:57 +0200

Package : ncurses

Version : 5.9+20140913-1+deb8u4 (jessie), 6.0+20161126-1+deb9u3 (stretch)

Several issues have been found in ncurses, a shared libraries for terminal handling. These issues are about out-of-bounds reads, missing checks for strange input and NULL pointer dereferencing in different parts of the library.

ELA-642-1 java-common new default java version

Thu, 14 Jul 2022 13:22:10 +0200

Package : java-common

Version : 0.52+deb8u1 (jessie)

This update changes the default Java packages to Java 8, with Java 7 no longer being supported. When both versions are installed, the java binary still defaults to Java 7. That will be changed in the next openjdk-8 update, and in the meanwhile can be changed using the update-alternatives --config java command, or by uninstalling the Java 7 packages.

ELA-641-1 strongswan security update

Thu, 14 Jul 2022 00:22:25 +0200

Package : strongswan

Version : 5.2.1-6+deb8u9 (jessie)

Related CVEs : CVE-2021-41991 CVE-2021-45079

CVE-2021-45079

Zhuowei Zhang discovered a bug in the EAP authentication client code of
strongSwan, an IKE/IPsec suite, that may allow to bypass the client and in
some scenarios even the server authentication, or could lead to a
denial-of-service attack.

CVE-2021-41991

Researchers at the United States of America National Security Agency (NSA)
identified a denial of service vulnerability in strongSwan.
Once the in-memory certificate cache is full it tries to randomly replace
lesser used entries. Depending on the generated random value, this could
lead to an integer overflow that results in a double-dereference and a call
using out-of-bounds memory that most likely leads to a segmentation fault.
Remote code execution can't be ruled out completely, but attackers have no
control over the dereferenced memory, so it seems unlikely at this point.

ELA-640-1 python-django security update

Wed, 13 Jul 2022 15:23:33 +0100

Package : python-django

Version : 1:1.10.7-2+deb9u18 (stretch)

Related CVEs : CVE-2022-34265

A SQL injection vulnerability was discovered in Django, the popular web development framework.

The Trunc() and Extract() database functions were subject to SQL injection if untrusted data is used as a kind or lookup_name value. Applications that constrained the lookup name and kind choice to a “known”, fixed or otherwise safe list were unaffected.

ELA-639-1 libjpeg-turbo security update

Tue, 12 Jul 2022 19:05:59 +0200

Package : libjpeg-turbo

Version : 1:1.5.1-2+deb9u3 (stretch)

Related CVEs : CVE-2021-46822

A heap-based buffer overflow vulnerability was found in the libjpeg-turbo image library in the get_word_rgb_row() function in rdppm.c. This flaw allows a remote attacker to persuade a victim to open a specially-crafted file, causing the application to crash.

ELA-638-1 ruby-sinatra security update

Tue, 12 Jul 2022 10:43:33 +0100

Package : ruby-sinatra

Version : 1.4.7-5+deb9u1 (stretch)

Related CVEs : CVE-2022-29970

A file traversal vulnerability was discovered in ruby-sinatra, a popular web server often used with Ruby on Rails. We now validate that any expanded paths match the allowed public_dir when serving static files.

ELA-637-1 needrestart security update

Tue, 12 Jul 2022 10:02:52 +0200

Package : needrestart

Version : 1.2-8+deb8u2 (jessie)

Related CVEs : CVE-2022-30688

Jakub Wilk discovered a local privilege escalation in needrestart, a utility to check which daemons need to be restarted after library upgrades. Regular expressions to detect the Perl, Python, and Ruby interpreters are not anchored, allowing a local user to escalate privileges when needrestart tries to detect if interpreters are using old source files.

ELA-636-1 gnupg2 security update

Mon, 11 Jul 2022 16:09:11 +0200

Package : gnupg2

Version : 2.0.26-6+deb8u3 (jessie), 2.1.18-8~deb9u5 (stretch)

Related CVEs : CVE-2018-9234 CVE-2022-34903

CVE-2022-34903

Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature
spoofing via arbitrary injection into the status line. An attacker who
controls the secret part of any signing-capable key or subkey in the
victim's keyring, can take advantage of this flaw to provide a
correctly-formed signature that some software, including gpgme, will
accept to have validity and signer fingerprint chosen from the attacker.

CVE-2018-9234

GnuPG does not enforce a configuration in which key certification requires an
offline master Certify key, which results in apparently valid certifications
that occurred only with access to a signing subkey.

ELA-635-1 wireless-regdb new wireless regulatory database

Mon, 11 Jul 2022 14:12:33 +0200

Package : wireless-regdb

Version : 2022.04.08-1~deb9u1 (stretch)

This update includes the latest changes to the wireless regulatory database. In addition, it allows the Linux 5.10 kernel to verify and autoload it.

ELA-634-1 linux-5.10 new kernel version

Mon, 11 Jul 2022 13:44:41 +0200

Package : linux-5.10

Version : 5.10.120-1~deb9u1 (stretch)

This update introduces Linux kernel 5.10 to Debian 9 stretch. This kernel will be supported along with 4.19, but for a longer period. Linux 4.9 is no longer supported. Instructions on how to update to 5.10 and support periods can be found in the kernel backports page.

ELA-633-1 linux-4.19 new kernel version

Mon, 11 Jul 2022 12:51:10 +0200

Package : linux-4.19

Version : 4.19.232-1~deb8u1 (jessie)

This update introduces Linux kernel 4.19 to Debian 8 jessie. Previous kernels 3.16 and 4.9 are no longer supported. Instructions on how to update to 4.19 can be found in the kernel backports page.

ELA-632-1 apache2 security update

Mon, 04 Jul 2022 15:10:29 -0400

Package : apache2

Version : 2.4.10-10+deb8u23 (jessie), 2.4.25-3+deb9u14 (stretch)

Several security vulnerabilities were found in the Apache HTTP server:

CVE-2022-26377

Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards
requests to.

CVE-2022-28614

The ap_rwrite() function read unintended memory if an attacker can
cause the server to reflect very large input using ap_rwrite() or
ap_rputs(), such as with mod_luas r:puts() function. Modules
compiled and distributed separately from Apache HTTP Server that use
the 'ap_rputs' function and may pass it a very large (INT_MAX or
larger) string must be compiled against current headers to resolve
the issue.

CVE-2022-28615

Apache HTTP Server may crash or disclose information due to a read
beyond bounds in ap_strcmp_match() when provided with an extremely
large input buffer.

CVE-2022-29404

In Apache HTTP Server, a malicious request to a lua script that
calls r:parsebody(0) may cause a denial of service due to no default
limit on possible input size.

CVE-2022-30522

If Apache HTTP Server is configured to do transformations with
mod_sed in contexts where the input to mod_sed may be very large,
mod_sed may make excessively large memory allocations and trigger an
abort.

CVE-2022-30556

Apache HTTP Server may return lengths to applications calling
r:wsread() that point past the end of the storage allocated for the
buffer.

CVE-2022-31813

Apache HTTP Server may not send the X-Forwarded-* headers to the
origin server based on client side Connection header hop-by-hop
mechanism. This may be used to bypass IP based authentication on the
origin server/application.

ELA-631-1 dpkg security update

Sun, 03 Jul 2022 17:20:53 -0400

Package : dpkg

Version : 1.17.28 (jessie)

Related CVEs : CVE-2022-1664

Max Justicz reported a directory traversal vulnerability in Dpkg::Source::Archive in dpkg, the Debian package management system. This affects extracting untrusted source packages in the v2 and v3 source package formats that include a debian.tar.

ELA-630-1 maven-shared-utils security update

Mon, 27 Jun 2022 13:08:44 +0200

Package : maven-shared-utils

Version : 0.4-1+deb8u1 (jessie)

Related CVEs : CVE-2022-29599

It was discovered that the Commandline class in maven-shared-utils, a collection of various utility classes for the Maven build system, can emit double-quoted strings without proper escaping, allowing shell injection attacks.

ELA-629-1 libsndfile security update

Sun, 26 Jun 2022 13:29:56 +0200

Package : libsndfile

Version : 1.0.25-9.1+deb8u7 (jessie)

Related CVEs : CVE-2021-4156

An issue has been found in libsndfile, a library for reading/writing audio files. Using a crafted FLAC file, an attacker could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information.

ELA-628-1 vim security update

Wed, 22 Jun 2022 10:45:41 +0200

Package : vim

Version : 2:7.4.488-7+deb8u7 (jessie)

ELA-627-1 tzdata new timezone database

Thu, 16 Jun 2022 11:32:19 +0200

Package : tzdata

Version : 2021a-0+deb8u4

This update includes the latest changes to the leap second list, including an update to its expiry date, which was set for the end of June.

ELA-626-1 haproxy security update

Wed, 15 Jun 2022 01:04:24 +0200

Package : haproxy

Version : 1.5.8-3+deb8u3

Related CVEs : CVE-2019-18277

Nathan Davison discovered that HAProxy, a load balancing reverse proxy, did not correctly reject requests or responses featuring a transfer-encoding header missing the “chunked” value which could facilitate a HTTP request smuggling attack.

Furthermore two issues have been addressed which never received a final CVE. There was a risk of reading past the end of a buffer in src/proto_http.c. This could lead to a denial of service (segmentation fault and application crash)

ELA-625-1 glib2.0 security update

Tue, 14 Jun 2022 13:39:09 +0200

Package : glib2.0

Version : 2.42.1-1+deb8u4

Several security vulnerabilities were found in glib2.0, a general-purpose utility library for the GNOME environment.

CVE-2021-27218

If g_byte_array_new_take() was called with a buffer of 4GB or more on a
64-bit platform, the length would be truncated modulo 2**32, causing
unintended length truncation.

CVE-2021-27219

The function g_bytes_new has an integer overflow on 64-bit platforms due to
an implicit cast from 64 bits to 32 bits. The overflow could potentially
lead to memory corruption.

CVE-2021-28153

When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to
replace a path that is a dangling symlink, it incorrectly also creates the
target of the symlink as an empty file, which could conceivably have
security relevance if the symlink is attacker-controlled. (If the path is
a symlink to a file that already exists, then the contents of that file
correctly remain unchanged.)

ELA-624-1 avahi security update

Tue, 14 Jun 2022 13:35:18 +0200

Package : avahi

Version : 0.6.31-5+deb8u1

Related CVEs : CVE-2021-3468 CVE-2021-26720

It was discovered that the Debian package of Avahi, a framework for Multicast DNS Service Discovery, executed the script avahi-daemon-check-dns.sh with root privileges which would allow a local attacker to cause a denial of service or create arbitrary empty files via a symlink attack on files under /var/run/avahi-daemon. This script is now executed with the privileges of user and group avahi and requires sudo in order to achieve that.

Furthermore it was found (CVE-2021-3468) that the event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop.

ELA-623-1 python-bottle security update

Thu, 09 Jun 2022 01:18:08 +0530

Package : python-bottle

Version : 0.12.7-1+deb8u4

Related CVEs : CVE-2022-31799

Bottle, which is a fast, simple and lightweight WSGI micro web-framework for Pytho, mishandles errors during early request binding.

ELA-622-1 clamav security update

Mon, 06 Jun 2022 17:11:13 +0200

Package : clamav

Version : 0.103.6+dfsg-0+deb8u1

Several vulnerabilities have been found in the ClamAV antivirus toolkit, that could result in denial of service or other unspecified impact.

ELA-621-1 beep security update

Sat, 04 Jun 2022 02:08:01 +0530

Package : beep

Version : 1.3-3+deb8u2

Related CVEs : CVE-2018-1000532

beep, an advanced PC-speaker beeper, contains a External Control of File Name or Path vulnerability in –device option that can result in Local unprivileged user can inhibit execution of arbitrary programs by other users, allowing DoS. This attack appear to be exploitable via The system must allow local users to run beep.

ELA-620-1 libdbi-perl security update

Mon, 30 May 2022 21:50:39 +0200

Package : libdbi-perl

Version : 1.631-3+deb8u2

Related CVEs : CVE-2014-10402

It was discovered that CVE-2014-10401 was fixed incompletely in the Perl5 Database Interface (DBI). An attacker could trigger information disclosure through a different vector.

CVE-2014-10401

DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute.
CVE-2014-10402

DBD::File drivers can open files from folders other than those specifically passed via the f_dir attribute in the data source name (DSN). NOTE: this issue exists because of an incomplete fix for CVE-2014-10401.

ELA-619-1 modsecurity-apache security update

Sat, 28 May 2022 09:00:45 +0100

Package : modsecurity-apache

Version : 2.8.0-3+deb8u1

Related CVEs : CVE-2021-42717

It was discovered that there was a potential resource exhaustion attack in modsecurity-apache, an Apache module which inspects HTTP requests with the aim of preventing typical web application attacks such as XSS and SQL.

ELA-618-1 openldap security update

Fri, 27 May 2022 01:15:19 +0200

Package : openldap

Version : 2.4.40+dfsg-1+deb8u11

Related CVEs : CVE-2022-29155

Jacek Konieczny discovered a SQL injection vulnerability in the back-sql backend to slapd in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol, allowing an attacker to alter the database during an LDAP search operations when a specially crafted search filter is processed.

ELA-617-1 libxml2 security update

Wed, 18 May 2022 22:18:40 +0200

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u13

Related CVEs : CVE-2022-29824

Felix Wilhelm discovered that libxml2, the GNOME XML library, did not correctly check for integer overflows or used wrong types for buffer sizes. This could result in out-of-bounds writes or other memory errors when working on large, multi-gigabyte buffers.

ELA-616-1 vim security update

Wed, 18 May 2022 16:32:55 +0200

Package : vim

Version : 2:7.4.488-7+deb8u6

ELA-615-1 openjpeg2 security update

Tue, 17 May 2022 21:39:18 -0400

Package : openjpeg2

Version : 2.1.0-2+deb8u14

Related CVEs : CVE-2022-1122

A flaw was found in the opj2_decompress program in openjpeg2 in the way it handles an input directory with a large number of files. When it fails to allocate a buffer to store the filenames of the input directory, it calls free() on an uninitialized pointer, leading to a segmentation fault and a denial of service.

ELA-614-1 cifs-utils security update

Mon, 16 May 2022 19:16:35 +0530

Package : cifs-utils

Version : 2:6.4-1+deb8u1

Related CVEs : CVE-2022-27239 CVE-2022-29869

A couple of vulnerabilities were found in src:cifs-utils, a Common Internet File System utilities, and are as follows:

CVE-2022-27239

In cifs-utils, a stack-based buffer overflow when parsing the
mount.cifs ip= command-line argument could lead to local attackers
gaining root privileges.

CVE-2022-29869

cifs-utils, with verbose logging, can cause an information leak
when a file contains = (equal sign) characters but is not a valid
credentials file.

ELA-613-1 openssl security update

Mon, 16 May 2022 08:08:29 -0400

Package : openssl

Version : 1.0.1t-1+deb8u18

Related CVEs : CVE-2022-1292

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is executed by update-ca-certificates, from ca-certificates, to re-hash certificates in /etc/ssl/certs/. An attacker able to place files in this directory could execute arbitrary commands with the privileges of the script.

ELA-612-1 openjdk-8 security update

Sat, 14 May 2022 11:25:52 +0200

Package : openjdk-8

Version : 8u332-ga-1~deb8u1

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in information disclosure or denial of service.

ELA-611-1 libgoogle-gson-java security update

Sat, 14 May 2022 03:12:59 +0530

Package : libgoogle-gson-java

Version : 2.2.4-1+deb8u1

Related CVEs : CVE-2022-25647

src:libgoogle-gson-java, which helps convert Java objects into their JSON representation, is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

ELA-610-1 htmldoc security update

Fri, 13 May 2022 12:59:19 -0700

Package : htmldoc

Version : 1.8.27-8+deb8u4

Related CVEs : CVE-2022-27114

It was discovered that there was an integer overflow vulnerability in htmldoc, a HTML processor that generates indexed HTML, PS and PDF files. This was caused by a programming error in the image_load_jpeg function due to a conflation or confusion of declared/expected/observed image dimensions.

ELA-609-1 ruby-nokogiri security update

Fri, 13 May 2022 10:39:16 -0700

Package : ruby-nokogiri

Version : 1.6.3.1+ds-1+deb8u3

Related CVEs : CVE-2022-24836

It was discovered that there was a potential denial of service attack in ruby-nokogiri, a HTML, XML, SAX etc. parser written in/for the Ruby programming language. This was caused by the use of inefficient regular expressions that were susceptible to excessive backtracking.

ELA-608-1 lrzip security update

Fri, 13 May 2022 20:49:28 +0530

Package : lrzip

Version : 0.616-1+deb8u2

Related CVEs : CVE-2022-28044

src:lrzip, a compression program with a very high compression ratio, was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.

ELA-607-1 mutt security update

Fri, 13 May 2022 04:56:35 +0530

Package : mutt

Version : 1.5.23-3+deb8u6

Related CVEs : CVE-2022-1328

It was discovered that Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, incorrectly handled certain input. An attacker could possibly use this issue to cause a crash, or expose sensitive information.

ELA-606-1 ghostscript security update

Mon, 09 May 2022 09:56:30 +0200

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u9

Related CVEs : CVE-2019-25059

A security vulnerability was found in Ghostscript, the GPL PostScript/PDF interpreter. It was discovered that some privileged Postscript operators remained accessible from various places. For instance a specially crafted PostScript file could use this flaw in order to have access to the file system outside of the constrains imposed by -dSAFER.

ELA-605-1 jackson-databind security update

Tue, 03 May 2022 15:32:10 +0200

Package : jackson-databind

Version : 2.4.2-2+deb8u17

Related CVEs : CVE-2020-36518

It was discovered that the implementation of UntypedObjectDeserializer in jackson-databind, a fast and powerful JSON library for Java, was prone to a denial of service attack when deeply nested object and array values were processed.

ELA-604-1 twisted security update

Sun, 01 May 2022 15:35:14 +0200

Package : twisted

Version : 14.0.2-3+deb8u5

Related CVEs : CVE-2022-24801

Twisted is an event-based Python framework for internet applications. The Twisted Web HTTP 1.1 server parsed several HTTP request constructs more leniently than permitted by RFC 7230. This non-conformant parsing can lead to desync if requests pass through multiple HTTP parsers, potentially resulting in HTTP request smuggling.

ELA-603-1 libarchive security update

Sat, 30 Apr 2022 16:50:21 +0200

Package : libarchive

Version : 3.1.2-11+deb8u9

Three issues have been found in libarchive, a multi-format archive and compression library.

CVE-2021-31566 symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive

CVE-2021-23177 extracting a symlink with ACLs modifies ACLs of target

CVE-2019-19221 out-of-bounds read because of an incorrect mbrtowc or mbtowc call

ELA-602-1 tinyxml security update

Sat, 30 Apr 2022 16:46:17 +0200

Package : tinyxml

Version : 2.6.2-2+deb8u1

Related CVEs : CVE-2021-42260

An issue has been found in tinyxml, a C++ XML parsing library. Crafted XML messages could lead to an infinite loop in TiXmlParsingData::Stamp(), which results in a denial of service.

ELA-601-1 openvpn security update

Thu, 28 Apr 2022 14:10:59 +0200

Package : openvpn

Version : 2.3.4-5+deb8u3

Several issues were discovered in OpenVPN, a Virtual Private Network server and client, that could lead to authentication bypass when using deferred auth plugins.

Note that this upload disables support for multiple deferred auth plugins, following the upstream fix for CVE-2022-0547.

ELA-600-1 golang security update

Thu, 28 Apr 2022 11:36:26 +0200

Package : golang

Version : 2:1.3.3-1+deb8u5

Related CVEs : CVE-2022-23806

In the Go programming language, Curve.IsOnCurve in crypto/elliptic can incorrectly return true in situations with a big.Int value that is not a valid field element. Operating on those values may cause a panic or an invalid curve operation.

ELA-599-1 bind9 security update

Wed, 20 Apr 2022 16:06:30 +0200

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u27

Related CVEs : CVE-2021-25220

It was found that bind9, an internet domain name server, was vulnerable to cache poisoning. When using forwarders, bogus NS records supplied by, or via, those forwarders may be cached and used by named if it needs to recurse for any reason, causing it to obtain and pass on potentially incorrect answers.

This update corrects the regression in the isc-dhcp package. [ELA-584-2]

ELA-598-1 python2.7 security update

Thu, 14 Apr 2022 20:28:05 +0530

Package : python2.7

Version : 2.7.9-2-ds1-1+deb8u9

Multiple vulnerabilities were found in src:python2.7, the Python interpreter.

CVE-2019-16935

The documentation XML-RPC server in Python has XSS via the server_title
field. This occurs in Lib/DocXMLRPCServer.py. If set_server_title is called
with untrusted input, arbitrary JavaScript can be delivered to clients that
visit the http URL for this server.

CVE-2021-3177

Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which
may lead to remote code execution in certain Python applications that
accept floating-point numbers as untrusted input.

CVE-2021-4189

A flaw was found in Python, specifically in the FTP (File Transfer Protocol)
client library when using it in PASV (passive) mode. The flaw lies in how
the FTP client trusts the host from PASV response by default. An attacker
could use this flaw to setup a malicious FTP server that can trick FTP
clients into connecting back to a given IP address and port. This could lead
to FTP client scanning ports which otherwise would not have been possible.
.
Instead of using the returned address, ftplib now uses the IP address we're
already connected to. For the rare user who wants an old behavior, set a
`trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to
True.

ELA-597-1 lrzip security update

Wed, 13 Apr 2022 15:00:12 +0200

Package : lrzip

Version : 0.616-1+deb8u1

Several security vulnerabilities have been discovered in lrzip, a compression program. Heap-based and stack buffer overflows, use-after-free and infinite loops would allow attackers to cause a denial of service or possibly other unspecified impact via a crafted compressed file.

CVE-2017-8842

The bufRead::get() function in libzpaq/libzpaq.h allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted archive.
CVE-2017-8843

The join_pthread function in stream.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive.
CVE-2017-8844

The read_1g function in stream.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted archive.
CVE-2017-8845

The lzo1x_decompress function in lzo1x_d.ch in LZO, as used in lrzip, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive.
CVE-2017-8846

The read_stream function in stream.c allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted archive.
CVE-2017-8847

The bufRead::get() function in libzpaq/libzpaq.h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted archive.
CVE-2017-9928

A stack buffer overflow was found in the function get_fileinfo, which allows attackers to cause a denial of service via a crafted file.
CVE-2017-9929

A stack buffer overflow was found in the function get_fileinfo, which allows attackers to cause a denial of service via a crafted file.
CVE-2018-5650

There is an infinite loop and application hang in the unzip_match function in runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
CVE-2018-5747

There is a use-after-free in the ucompthread function (stream.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
CVE-2018-5786

There is an infinite loop and application hang in the get_fileinfo function (lrzip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
CVE-2018-9058

There is an infinite loop in the runzip_fd function of runzip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted lrz file.
CVE-2018-10685

There is a use-after-free in the lzma_decompress_buf function of stream.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.
CVE-2018-11496

There is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation.
CVE-2020-25467

A null pointer dereference was discovered lzo_decompress_buf in stream.c which allows an attacker to cause a denial of service (DOS) via a crafted compressed file.
CVE-2021-27345

A null pointer dereference was discovered in ucompthread in stream.c which allows attackers to cause a denial of service (DOS) via a crafted compressed file.
CVE-2021-27347

Use after free in lzma_decompress_buf function in stream.c in allows attackers to cause Denial of Service (DoS) via a crafted compressed file.
CVE-2022-26291

lrzip was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted lrz file.

ELA-596-1 openjpeg2 security update

Tue, 12 Apr 2022 21:48:44 +0200

Package : openjpeg2

Version : 2.1.0-2+deb8u13

Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec.

CVE-2020-27842

Null pointer dereference through specially crafted input. The highest impact
of this flaw is to application availability.

CVE-2020-27843

The flaw allows an attacker to provide specially crafted input to the
conversion or encoding functionality, causing an out-of-bounds read. The
highest threat from this vulnerability is system availability.

CVE-2021-29338

Integer overflow allows remote attackers to crash the application, causing a
denial of service. This occurs when the attacker uses the command line
option "-ImgDir" on a directory that contains 1048576 files.

ELA-595-1 zabbix security update

Mon, 11 Apr 2022 00:26:02 +0200

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u4

Several security vulnerabilities have been discovered in zabbix, a network monitoring solution. An authenticated user can create a link with reflected Javascript code inside it for graphs and actions pages and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

ELA-594-1 xz-utils security update

Sun, 10 Apr 2022 18:46:15 +0530

Package : xz-utils

Version : 5.1.1alpha+20120614-2+deb8u1

Related CVEs : CVE-2022-1271

An arbitrary-file-write vulnerability was discovered in xz-utils, which provides XZ-format compression utilities.

ELA-593-1 gzip security update

Sun, 10 Apr 2022 18:42:35 +0530

Package : gzip

Version : 1.6-4+deb8u1

Related CVEs : CVE-2022-1271

An arbitrary-file-write vulnerability was discovered in gzip, which provides GNU compression utilities.

ELA-592-1 fribidi security update

Sun, 10 Apr 2022 12:30:08 +0200

Package : fribidi

Version : 0.19.6-3+deb8u1

Several issues have been found in fribidi, a free Implementation of the Unicode BiDi algorithm. The issues are related to stack-buffer-overflow, heap-buffer-overflow, and a SEGV.

CVE-2022-25308 stack-buffer-overflow issue in main()

CVE-2022-25309 heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()

CVE-2022-25310 SEGV issue in fribidi_remove_bidi_marks()

ELA-591-1 minidlna security update

Sun, 10 Apr 2022 00:26:44 +0200

Package : minidlna

Version : 1.1.2+dfsg-1.1+deb8u1

Related CVEs : CVE-2022-26505

Validate HTTP requests to protect against DNS rebinding, thus forbid a remote web server to exfiltrate media files.

ELA-590-1 zlib security update

Sun, 03 Apr 2022 10:28:07 +0200

Package : zlib

Version : 1:1.2.8.dfsg-2+deb8u2

Related CVEs : CVE-2018-25032

Danilo Ramos discovered that incorrect memory handling in zlib’s deflate handling could result in denial of service or potentially the execution of arbitrary code if specially crafted input is processed.

ELA-589-1 libgc security update

Wed, 30 Mar 2022 23:24:03 +0200

Package : libgc

Version : 1:7.2d-6.4+deb8u1

Related CVEs : CVE-2016-9427

libgc, a conservative garbage collector, is vulnerable to integer overflows in multiple places. In some cases, when asked to allocate a huge quantity of memory, instead of failing the request, it will return a pointer to a small amount of memory possibly tricking the application into a buffer overwrite.

ELA-588-1 cacti security update

Tue, 29 Mar 2022 23:12:48 +0200

Package : cacti

Version : 0.8.8b+dfsg-8+deb8u10

Multiple vulnerabilities were discovered in Cacti, a web interface for graphing of monitoring systems, leading to authentication bypass and cross-site scripting (XSS). An attacker may get access to unauthorized areas and impersonate other users, under certain conditions.

CVE-2018-10060

Cacti has XSS because it does not properly reject unintended characters, related to use of the sanitize_uri function in lib/functions.php.
CVE-2018-10061

Cacti has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).
CVE-2020-13230

Disabling a user account does not immediately invalidate any permissions granted to that account (e.g., permission to view logs).
CVE-2020-23226

Multiple Cross Site Scripting (XSS) vulnerabilities exist in multiple files.
CVE-2021-23225

Cacti allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the “new_username” field during creation of a new user via “Copy” method at user_admin.php.
CVE-2022-0730

Under certain ldap conditions, Cacti authentication can be bypassed with certain credential types.

Additionally, follow-up fixes were included for CVE-2019-11025 (DLA-1757-1) and CVE-2020-7106 (DLA-2069-1).

ELA-587-1 libdatetime-timezone-perl new upstream version

Tue, 29 Mar 2022 19:23:28 +0200

Package : libdatetime-timezone-perl

Version : 1:1.75-2+2022a

This update includes the changes in tzdata 2022a for the Perl bindings.

ELA-586-1 tzdata new upstream version

Tue, 29 Mar 2022 19:19:07 +0200

Package : tzdata

Version : 2021a-0+deb8u3

This update includes the changes in tzdata 2022a. Notable changes are:

Adjusted DST rules for Palestine, already in effect.

ELA-584-2 bind9 regression update

Wed, 23 Mar 2022 01:24:27 +0100

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u24

The patch for CVE-2021-25220 caused a regression in the isc-dhcp-client package which prevented network configuration via the dhclient. This patch has been reverted until the regression can be properly addressed.

ELA-585-1 apache2 security update

Tue, 22 Mar 2022 08:33:32 +0100

Package : apache2

Version : 2.4.10-10+deb8u22

Several vulnerabilities have been discovered in the Apache HTTP server, which could result in denial of service, request smuggling or buffer overflows.

ELA-584-1 bind9 security update

Mon, 21 Mar 2022 15:18:53 +0100

Package : bind9

Version : 1:9.9.5.dfsg-9+deb8u24

Related CVEs : CVE-2021-25220

ELA-583-1 paramiko security update

Mon, 21 Mar 2022 11:50:23 +0000

Package : paramiko

Version : 1.15.1-1+deb8u2

Related CVEs : CVE-2022-24302

It was discovered that there was a potential race condition in Paramiko, a pure-Python implementation of the SSH algorithm. In particular, unauthorised information disclosure could have occurred during the creation of SSH private keys.

ELA-582-1 wordpress security update

Mon, 21 Mar 2022 00:02:47 +0530

Package : wordpress

Version : 4.1.35+dfsg-0+deb8u1

Several vulnerabilities like Prototype Pollution Vulnerability in a jQuery dependency and in the block editor, and Stored Cross Site Scripting Vulnerability were discovered in Wordpress, a web blogging tool.

ELA-581-1 libxml2 security update

Thu, 17 Mar 2022 21:55:05 +0100

Package : libxml2

Version : 2.9.1+dfsg1-5+deb8u12

Related CVEs : CVE-2022-23308

One vulnerability has been discovered in the libxml2: GNOME XML library.

CVE-2022-23308

the application that validates XML using xmlTextReaderRead() with XML_PARSE_DTDATTR
and XML_PARSE_DTDVALID enabled becomes vulnerable to this use-after-free bug.
This issue can result in denial of service.

ELA-580-1 openssl security update

Thu, 17 Mar 2022 10:54:55 +0100

Package : openssl

Version : 1.0.1t-1+deb8u17

Related CVEs : CVE-2022-0778

Tavis Ormandy discovered that the BN_mod_sqrt() function of OpenSSL could be tricked into an infinite loop. This could result in denial of service via malformed certificates.

ELA-579-1 debian-archive-keyring update

Wed, 16 Mar 2022 22:29:39 +0100

Package : debian-archive-keyring

Version : 2017.5~deb8u2

debian-archive-keyring is a package containing GnuPG archive keys of the Debian archive. New GPG-keys are being constantly added with every new Debian release.

For Debian 8 Jessie, GPG-keys for 10/buster and 11/bullseye Debian release are added in the version 2017.5~deb8u2.

ELA-578-1 flac security update

Thu, 17 Mar 2022 02:42:18 +0530

Package : flac

Version : 1.3.0-3+deb8u2

Related CVEs : CVE-2021-0561

In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed.

ELA-577-1 linux-4.9 security update

Wed, 16 Mar 2022 08:57:05 +0100

Package : linux-4.9

Version : 4.9.303-1~deb8u1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-3640

LinMa of BlockSec Team discovered a race condition in the
Bluetooth SCO implementation that can lead to a use-after-free.  A
local user could exploit this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2021-3752

Likang Luo of NSFOCUS Security Team discovered a flaw in the
Bluetooth L2CAP implementation that can lead to a user-after-free.
A local user could exploit this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2021-4002

It was discovered that hugetlbfs, the virtual filesystem used by
applications to allocate huge pages in RAM, did not flush the
CPU's TLB in one case where it was necessary.  In some
circumstances a local user would be able to read and write huge
pages after they are freed and reallocated to a different process.
This could lead to privilege escalation, denial of service or
information leaks.

CVE-2021-4083

Jann Horn reported a race condition in the local (Unix) sockets
garbage collector, that can lead to use-after-free.  A local user
could exploit this to cause a denial of service (memory corruption
or crash) or possibly for privilege escalation.

CVE-2021-4155

Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP
IOCTL in the XFS filesystem allowed for a size increase of files
with unaligned size. A local attacker can take advantage of this
flaw to leak data on the XFS filesystem.

CVE-2021-4202

Lin Ma discovered a race condition in the NCI (NFC Controller
Interface) driver, which could lead to a use-after-free.  A local
user could exploit this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

This protocol is not enabled in Debian's official kernel
configurations.

CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

Juergen Gross reported that malicious PV backends can cause a denial
of service to guests being serviced by those backends via high
frequency events, even if those backends are running in a less
privileged environment.

CVE-2021-28714, CVE-2021-28715 (XSA-392)

Juergen Gross discovered that Xen guests can force the Linux
netback driver to hog large amounts of kernel memory, resulting in
denial of service.

CVE-2021-29264

It was discovered that the "gianfar" Ethernet driver used with
some Freescale SoCs did not correctly handle a Rx queue overrun
when jumbo packets were enabled.  On systems using this driver and
jumbo packets, an attacker on the network could exploit this to
cause a denial of service (crash).

This driver is not enabled in Debian's official kernel
configurations.

CVE-2021-33033

The syzbot tool found a reference counting bug in the CIPSO
implementation that can lead to a use-after-free.

This protocol is not enabled in Debian's official kernel
configurations.

CVE-2021-39685

Szymon Heidrich discovered a buffer overflow vulnerability in the
USB gadget subsystem, resulting in information disclosure, denial of
service or privilege escalation.

CVE-2021-39686

A race condition was discovered in the Android binder driver, that
could lead to incorrect security checks.  On systems where the
binder driver is loaded, a local user could exploit this for
privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2021-39698

Linus Torvalds reported a flaw in the file polling implementation,
which could lead to a use-after-free.  A local user could exploit
this for denial of service (memory corruption or crash) or
possibly for privilege escalation.

CVE-2021-39714

A potential reference count overflow was found in the Android Ion
driver.  On systems where the Ion driver is loaded, a local user
could exploit this for denial of service (memory corruption or
crash) or possibly for privilege escalation.

This driver is not enabled in Debian's official kernel
configurations.

CVE-2021-43976

Zekun Shen and Brendan Dolan-Gavitt discovered a flaw in the
mwifiex_usb_recv() function of the Marvell WiFi-Ex USB Driver. An
attacker able to connect a crafted USB device can take advantage of
this flaw to cause a denial of service.

CVE-2021-45095

It was discovered that the Phone Network protocol (PhoNet) driver
has a reference count leak in the pep_sock_accept() function.

CVE-2022-0001 (INTEL-SA-00598)

Researchers at VUSec discovered that the Branch History Buffer in
Intel processors can be exploited to create information side-
channels with speculative execution.  This issue is similar to
Spectre variant 2, but requires additional mitigations on some
processors.

This can be exploited to obtain sensitive information from a
different security context, such as from user-space to the kernel,
or from a KVM guest to the kernel.

CVE-2022-0002 (INTEL-SA-00598)

This is a similar issue to CVE-2022-0001, but covers exploitation
within a security context, such as from JIT-compiled code in a
sandbox to hosting code in the same process.

This can be partly mitigated by disabling eBPF for unprivileged
users with the sysctl: kernel.unprivileged_bpf_disabled=2.  This
update does that by default.

CVE-2022-0330

Sushma Venkatesh Reddy discovered a missing GPU TLB flush in the
i915 driver, resulting in denial of service or privilege escalation.

CVE-2022-0435

Samuel Page and Eric Dumazet reported a stack overflow in the
networking module for the Transparent Inter-Process Communication
(TIPC) protocol, resulting in denial of service or potentially the
execution of arbitrary code.

CVE-2022-0487

A use-after-free was discovered in the MOXART SD/MMC Host Controller
support driver. This flaw does not impact the Debian binary packages
as CONFIG_MMC_MOXART is not set.

CVE-2022-0492

Yiqi Sun and Kevin Wang reported that the cgroup-v1 subsystem does
not properly restrict access to the release-agent feature. A local
user can take advantage of this flaw for privilege escalation and
bypass of namespace isolation.

CVE-2022-0617

butt3rflyh4ck discovered a NULL pointer dereference in the UDF
filesystem. A local user that can mount a specially crafted UDF
image can use this flaw to crash the system.

CVE-2022-24448

Lyu Tao reported a flaw in the NFS implementation in the Linux
kernel when handling requests to open a directory on a regular file,
which could result in a information leak.

CVE-2022-25258

Szymon Heidrich reported the USB Gadget subsystem lacks certain
validation of interface OS descriptor requests, resulting in memory
corruption.

CVE-2022-25375

Szymon Heidrich reported that the RNDIS USB gadget lacks validation
of the size of the RNDIS_MSG_SET command, resulting in information
leak from kernel memory.

ELA-576-1 vim security update

Tue, 15 Mar 2022 23:40:01 +0100

Package : vim

Version : 2:7.4.488-7+deb8u5

Multiple security vulnerabilities have been discovered in vim, an enhanced vi editor. Buffer overflows, out-of-bounds reads and Null pointer derefrences may lead to a denial of service (application crash) or other unspecified impact.

ELA-575-1 twisted security update

Tue, 08 Mar 2022 12:04:24 +0000

Package : twisted

Version : 14.0.2-3+deb8u4

Related CVEs : CVE-2022-21716

It was discovered that there was an issue in the Twisted Python network framework where SSH client and server implementations could accept an infinite amount of data for the peer’s SSH version identifier and that a buffer then uses all available memory.

ELA-574-1 expat security update

Mon, 07 Mar 2022 14:59:48 +0100

Package : expat

Version : 2.1.0-6+deb8u8

Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.

ELA-573-1 cyrus-sasl2 security update

Sun, 06 Mar 2022 18:11:21 +0100

Package : cyrus-sasl2

Version : 2.1.26.dfsg1-13+deb8u3

Related CVEs : CVE-2022-24407

It was discovered that the SQL plugin in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer, is prone to a SQL injection attack. An authenticated remote attacker can take advantage of this flaw to execute arbitrary SQL commands and for privilege escalation.

ELA-572-1 python3.4 security update

Thu, 03 Mar 2022 16:59:47 +0100

Package : python3.4

Version : 3.4.2-1+deb8u12

Several vulnerabilities were found in Python 3.4, an interactive high-level object-oriented language, that could result in denial of service, port scanning, web cache poisoning or potentially code execution.

ELA-571-1 usbredir security update

Wed, 02 Mar 2022 12:38:46 +0100

Package : usbredir

Version : 0.7-1+deb8u1

Related CVEs : CVE-2021-3700

A use-after-free vulnerability was found in Usbredirparser, a parser for the usbredir protocol, which could result in denial of service or potentially arbitrary code execution.

ELA-570-1 htmldoc security update

Sat, 26 Feb 2022 12:15:48 +0100

Package : htmldoc

Version : 1.8.27-8+deb8u3

Several issues have been found in htmldoc, an HTML processor that generates indexed HTML, PS, and PDF.

CVE-2022-0534

 A crafted GIF file could lead to a stack out-of-bounds read,
 which could result in a crash (segmentation fault).

CVE-2021-43579

 Converting an HTML document, which links to a crafted BMP file,
 could lead to a stack-based buffer overflow, which could result
 in remote code execution.

CVE-2021-40985

 A crafted BMP image could lead to a buffer overflow, which could
 cause a denial of service.

ELA-569-1 tiff security update

Thu, 24 Feb 2022 00:04:42 +0100

Package : tiff

Version : 4.0.3-12.3+deb8u13

Several issues have been found in tiff, a library and tools to manipulate and convert files in the Tag Image File Format (TIFF).

CVE-2022-22844

out-of-bounds read in _TIFFmemcpy in certain situations involving a
custom tag and 0x0200 as the second word of the DE field.

CVE-2022-0562

Null source pointer passed as an argument to memcpy() function within
TIFFReadDirectory(). This could result in a Denial of Service via
crafted TIFF files.

CVE-2022-0561

Null source pointer passed as an argument to memcpy() function within
TIFFFetchStripThing(). This could result in a Denial of Service via
crafted TIFF files.

ELA-567-2 apache2 regression update

Sun, 20 Feb 2022 11:25:41 +0100

Package : apache2

Version : 2.4.10-10+deb8u21

The patch for CVE-2021-44224 introduced an unknown symbol, which prevents apache2 from starting.

ELA-568-1 ksh security update

Sun, 20 Feb 2022 01:36:38 +0100

Package : ksh

Version : 93u+20120801-1+deb8u1

Related CVEs : CVE-2019-14868

A flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those environment variables could allow them to exploit this issue remotely.

ELA-566-1 twisted security update

Sat, 19 Feb 2022 17:31:27 +0100

Package : twisted

Version : 14.0.2-3+deb8u3

Related CVEs : CVE-2022-21712

It was discovered that Twisted, a Python event-based framework for internet applications, exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the twisted.web.RedirectAgent and twisted.web.BrowserLikeRedirectAgent functions.

ELA-567-1 apache2 security update

Sat, 19 Feb 2022 17:07:49 +0100

Package : apache2

Version : 2.4.10-10+deb8u20

Related CVEs : CVE-2021-44224 CVE-2021-44790

Two vulnerabilities have been discovered in the Apache HTTP server:

CVE-2021-44224

When operating as a forward proxy, Apache was depending on the setup suspectable to denial of service or Server Side Request forgery.

CVE-2021-44790

A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.

ELA-565-1 zsh security update

Fri, 18 Feb 2022 09:35:03 +0100

Package : zsh

Version : 5.0.7-5+deb8u4

Related CVEs : CVE-2021-45444

It was discovered that zsh, a powerful shell and scripting language, did not prevent recursive prompt expansion. This would allow an attacker to execute arbitrary commands into a user’s shell, for instance by tricking a vcs_info user into checking out a git branch with a specially crafted name.

ELA-564-1 libxstream-java security update

Tue, 15 Feb 2022 13:48:11 -0800

Package : libxstream-java

Version : 1.4.11.1-1+deb8u5

Related CVEs : CVE-2021-43859

It was discovered that there was a potential remote denial of service (DoS) attack in XStream, a Java library used to serialize objects to XML and back again.

An attacker could have consumed 100% of the CPU resources, but the library now monitors and accumulates the time it takes to add elements to collections, and throws an exception if a set threshold is exceeded.

ELA-563-1 openjdk-8 security update

Thu, 10 Feb 2022 11:50:20 +0100

Package : openjdk-8

Version : 8u322-b06-1~deb8u1

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.

ELA-562-1 zabbix security update

Mon, 07 Feb 2022 22:49:25 +0100

Package : zabbix

Version : 1:2.2.23+dfsg-0+deb8u3

Related CVEs : CVE-2022-23134

Thomas Chauchefoin from SonarSource discovered that in Zabbix, a server/client network monitoring system, after the initial setup process, some steps of setup.php file are reachable not only by super-administrators, but by unauthenticated users as well. An attacker could bypass checks and potentially change the configuration of Zabbix Frontend.

ELA-561-1 xterm security update

Mon, 07 Feb 2022 22:09:44 +0530

Package : xterm

Version : 312-2+deb8u4

Related CVEs : CVE-2022-24130

xterm, an X terminal emulator, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.

ELA-560-1 libphp-adodb security update

Sun, 06 Feb 2022 14:20:19 +0530

Package : libphp-adodb

Version : 5.15-1+deb8u2

Related CVEs : CVE-2021-3850

It was found that in libphp-adodb, a PHP database abstraction layer library, an attacker can inject values into the PostgreSQL connection string by bypassing adodb_addslashes(). The function can be bypassed in phppgadmin, for example, by surrounding the username in quotes and submitting with other parameters injected in between.

ELA-559-1 dojo security update

Sun, 06 Feb 2022 14:03:01 +0530

Package : dojo

Version : 1.10.2+dfsg-1+deb8u4

Multiple vulnerabilities were found in src:dojo, as follows:

CVE-2018-6561

`dijit.Editor` in Dojo allows XSS via the onload attribute
of an SVG element.

CVE-2020-4051

In Dijit, there is a cross-site scripting vulnerability in
the Editor's LinkDialog plugin.

CVE-2021-23450

It was found that Dojo is vulnerable to Prototype Pollution
via the setObject function.

ELA-558-1 python-django security update

Tue, 01 Feb 2022 11:13:05 -0800

Package : python-django

Version : 1.7.11-1+deb8u15

Related CVEs : CVE-2022-22818 CVE-2022-23833

It was discovered that there were two vulnerabilities in Django, the popular Python-based web development framework:

CVE-2022-22818: Possible XSS via the {% debug %} template tag.

The {% debug %} template tag didn’t properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.
CVE-2022-23833: Denial-of-service possibility in file uploads

Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

ELA-557-1 apache-log4j1.2 security update

Tue, 01 Feb 2022 12:48:59 +0100

Package : apache-log4j1.2

Version : 1.2.17-5+deb8u2

Multiple security vulnerabilities have been discovered in Apache Log4j 1.2, a Java logging framework, when it is configured to use JMSSink, JDBCAppender, JMSAppender or Apache Chainsaw which could be exploited for remote code execution.

Note that a possible attacker requires write access to the Log4j configuration and the aforementioned features are not enabled by default. In order to completely mitigate against these type of vulnerabilities the related classes have been removed from the resulting jar file.

ELA-556-1 expat security update

Tue, 01 Feb 2022 12:46:28 +0100

Package : expat

Version : 2.1.0-6+deb8u7

Multiple security vulnerabilities have been discovered in Expat, the XML parsing C library. Integer overflows or invalid shifts may lead to a denial of service or other unspecified impact.

ELA-555-1 shadow security update

Tue, 01 Feb 2022 14:20:21 +0530

Package : shadow

Version : 1:4.2-3+deb8u5

Related CVEs : CVE-2017-12424 CVE-2018-7169

CVE-2017-12424

It was discovered that shadow incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
expose sensitive information.

CVE-2018-7169

It was discovered that shadow incorrectly handled certain inputs.
An attacker could possibly use this issue to expose sensitive
information.

ELA-554-1 qt4-x11 security update

Tue, 01 Feb 2022 04:17:51 +0530

Package : qt4-x11

Version : 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u4

Multiple out-of-bounds error were discovered in qt4-x11. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability.

ELA-541-2 uriparser security update

Wed, 26 Jan 2022 09:38:43 -0800

Package : uriparser

Version : 0.8.0.1-2+deb8u4

Related CVEs : CVE-2021-46141

It was discovered that the fix for CVE-2021-46141 released in uriparser version 0.8.0.1-2+deb8u3 was incomplete.

ELA-553-1 libxfont security update

Tue, 25 Jan 2022 23:09:10 +0100

Package : libxfont

Version : 1:1.5.1-1+deb8u2

Related CVEs : CVE-2017-16611

An issue has been found in libxfont, an X11 font rasterisation library. By creating symlinks, a local attacker can open (but not read) local files as user root. This might create unwanted actions with special files like /dev/watchdog.

ELA-552-1 lrzsz security update

Tue, 25 Jan 2022 23:00:21 +0100

Package : lrzsz

Version : 0.12.21-7+deb8u1

Related CVEs : CVE-2018-10195

An issues has been found in lrzsz, a set of tools for zmodem/xmodem/ymodem file transfer. Due to an incorrect length check, which might result in a size_t wrap around, an information leak to the receiving side could happen.

ELA-551-1 policykit-1 security update

Tue, 25 Jan 2022 19:35:45 +0100

Package : policykit-1

Version : 0.105-15~deb8u5

Related CVEs : CVE-2021-4034

The Qualys Research Labs discovered a local privilege escalation in PolicyKit’s pkexec.

Details can be found in the Qualys advisory at https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

ELA-550-1 nss security update

Tue, 25 Jan 2022 16:23:14 +0100

Package : nss

Version : 2:3.26-1+debu8u16

Related CVEs : CVE-2022-22747

It was found that nss, the Mozilla Network Security Service library, was vulnerable to a NULL pointer dereference when parsing empty PKCS 7 sequences, which could result in denial of service.

ELA-549-1 apr security update

Mon, 24 Jan 2022 23:37:33 +0100

Package : apr

Version : 1.5.1-3+deb8u1

Related CVEs : CVE-2017-12613

An issue has been found in apr, the Apache Portable Runtime Library. The issue is related to out of bounds memory access due to invalid date fields.

ELA-548-1 ipython security update

Mon, 24 Jan 2022 08:45:13 -0800

Package : ipython

Version : 2.3.0-2+deb8u1

Related CVEs : CVE-2022-21699

It was discovered that there was a potential arbitrary code execution vulnerability in IPython, the interactive Python shell.

This issue stemmed from IPython executing untrusted files in the current working directory. According to upstream:

Almost all versions of IPython looks for configuration and profiles in current working directory. Since IPython was developed before pip and environments existed, it was used a convenient way to load code/packages in a project dependant way.

In 2022, it is not necessary anymore, and can lead to confusing behavior where for example cloning a repository and starting IPython or loading a notebook from any Jupyter-Compatible interface that has ipython set as a kernel can lead to code execution.

To address this problem, the current working directory is no longer searched for profiles or configuration files.

ELA-547-1 golang security update

Mon, 24 Jan 2022 16:42:10 +0100

Package : golang

Version : 2:1.3.3-1+deb8u4

Several vulnerabilities were discovered in the Go programming language. An attacker could trigger denial-of-service (DoS) and information leak.

CVE-2021-33196

In archive/zip, a crafted file count (in an archive’s header) can cause a NewReader or OpenReader panic.
CVE-2021-36221

Go has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort.
CVE-2021-39293

Follow-up fix to CVE-2021-33196
CVE-2021-41771

ImportedSymbols in debug/macho (for Open or OpenFat) accesses a Memory Location After the End of a Buffer, aka an out-of-bounds slice situation.
CVE-2021-44717

Go on UNIX allows write operations to an unintended file or unintended network connection as a consequence of erroneous closing of file descriptor 0 after file-descriptor exhaustion.

ELA-546-1 pillow security update

Mon, 24 Jan 2022 11:20:44 +0100

Package : pillow

Version : 2.6.1-2+deb8u7

Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed images are processed.

ELA-545-1 aide security update

Mon, 24 Jan 2022 02:26:23 +0530

Package : aide

Version : 0.16~a2.git20130520-3+deb8u1

Related CVEs : CVE-2021-45417

David Bouman discovered a heap-based buffer overflow vulnerability in the base64 functions of aide, an advanced intrusion detection system, which can be triggered via large extended file attributes or ACLs. This may result in denial of service or privilege escalation.

ELA-543-1 qtsvg-opensource-src security update

Mon, 24 Jan 2022 02:21:34 +0530

Package : qtsvg-opensource-src

Version : 5.3.2-2+deb8u1

Multiple out-of-bounds error were discovered in qtsvg-opensource-src. The highest threat from CVE-2021-3481 (at least) is to data confidentiality the application availability.

ELA-544-1 libspf2 security update

Fri, 21 Jan 2022 00:16:01 +0100

Package : libspf2

Version : 1.2.10-5+deb8u2

Related CVEs : CVE-2021-33912 CVE-2021-33913

Two issues have been found in libspf2, a library for validating mail senders with SPF. Both issues are related to heap-based buffer overflows.

ELA-542-1 gdal security update

Mon, 17 Jan 2022 11:58:09 +0100

Package : gdal

Version : 1.10.1+dfsg-8+deb8u3

Related CVEs : CVE-2021-45943

An issue was found in GDAL, a geospatial library, that could lead to denial of service via application crash or possibly the execution of arbitrary code if maliciously crafted data was parsed.

ELA-541-1 uriparser security update

Mon, 17 Jan 2022 10:37:17 +0000

Package : uriparser

Version : 0.8.0.1-2+deb8u3

Related CVEs : CVE-2021-46141 CVE-2021-46142

It was discovered that there were two “invalid free” issues in uriparser, a C library for parsing URLs according to RFC 3986.

ELA-540-1 ghostscript security update

Sun, 16 Jan 2022 23:25:57 +0100

Package : ghostscript

Version : 9.26a~dfsg-0+deb8u8

Related CVEs : CVE-2021-45944 CVE-2021-45949

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

ELA-539-1 wordpress security update

Thu, 13 Jan 2022 02:59:05 +0530

Package : wordpress

Version : 4.1.34+dfsg-0+deb8u1

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.

ELA-538-1 clamav security update

Mon, 10 Jan 2022 17:59:09 +0100

Package : clamav

Version : 0.103.4+dfsg-0+deb8u1

Version 0.102 of ClamAV, an anti-virus toolkit, is end-of-life. ClamAV has been updated to version 0.103 to be able to receive virus signature updates.

ELA-537-1 salt security update

Mon, 03 Jan 2022 19:21:00 +0100

Package : salt

Version : 2014.1.13+ds-3+deb8u2

Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, shell and command injections or incorrect validation of SSL certificates.

CVE-2020-16846

Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.
CVE-2020-17490

The TLS module creates certificates with weak file permissions.
CVE-2020-35662

When authenticating to services using certain modules, the SSL certificate is not always validated.
CVE-2021-3197

The salt-api’s ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.
CVE-2021-21996

A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion.
CVE-2021-25282

The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.
CVE-2021-25283

The jinja renderer does not protect against server side template injection attacks.
CVE-2021-25284

salt.modules.cmdmod can log credentials to the info or error log level.

ELA-536-1 lxml security update

Sat, 01 Jan 2022 12:02:26 +0530

Package : lxml

Version : 3.4.0-1+deb8u5

Related CVEs : CVE-2021-43818

lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs.

ELA-535-1 linux-4.9 security update

Thu, 30 Dec 2021 11:55:44 +0100

Package : linux-4.9

Version : 4.9.290-1~deb8u1

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leaks.

CVE-2020-3702

A flaw was found in the driver for Atheros IEEE 802.11n family of
chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

Hadar Manor reported a use-after-free in the DCCP protocol
implementation in the Linux kernel. A local attacker can take
advantage of this flaw to cause a denial of service or potentially
to execute arbitrary code.

CVE-2021-0920

A race condition was discovered in the local sockets (AF_UNIX)
subsystem, which could lead to a use-after-free.  A local user
could exploit this for denial of service (memory corruption or
crash), or possibly for privilege escalation.

CVE-2021-3612

Murray McAllister reported a flaw in the joystick input subsystem.
A local user permitted to access a joystick device could exploit
this to read and write out-of-bounds in the kernel, which could
be used for privilege escalation.

CVE-2021-3653

Maxim Levitsky discovered a vulnerability in the KVM hypervisor
implementation for AMD processors in the Linux kernel: Missing
validation of the `int_ctl` VMCB field could allow a malicious L1
guest to enable AVIC support (Advanced Virtual Interrupt
Controller) for the L2 guest. The L2 guest can take advantage of
this flaw to write to a limited but still relatively large subset
of the host physical memory.

CVE-2021-3655

Ilja Van Sprundel and Marcelo Ricardo Leitner found multiple flaws
in the SCTP implementation, where missing validation could lead to
an out-of-bounds read.  On a system using SCTP, a networked
attacker could exploit these to cause a denial of service (crash).

CVE-2021-3679

A flaw in the Linux kernel tracing module functionality could
allow a privileged local user (with CAP_SYS_ADMIN capability) to
cause a denial of service (resource starvation).

CVE-2021-3732

Alois Wohlschlager reported a flaw in the implementation of the
overlayfs subsystem, allowing a local attacker with privileges to
mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3753

Minh Yuan reported a race condition in the vt_k_ioctl in
drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read
in vt.

CVE-2021-3760

Lin Horse reported a flaw in the NCI (NFC Controller Interface)
driver, which could lead to a use-after-free.

However, this driver is not included in the binary packages
provided by Debian.

CVE-2021-20317

It was discovered that the timer queue structure could become
corrupt, leading to waiting tasks never being woken up.  A local
user with certain privileges could exploit this to cause a denial
of service (system hang).

CVE-2021-20321

A race condition was discovered in the overlayfs filesystem
driver.  A local user with access to an overlayfs mount and to its
underlying upper directory could exploit this for privilege
escalation.

CVE-2021-20322

An information leak was discovered in the IPv4 implementation.  A
remote attacker could exploit this to quickly discover which UDP
ports a system is using, making it easier for them to carry out a
DNS poisoning attack against that system.

CVE-2021-22543

David Stevens discovered a flaw in how the KVM hypervisor maps
host memory into a guest.  A local user permitted to access
/dev/kvm could use this to cause certain pages to be freed when
they should not, leading to a use-after-free.  This could be used
to cause a denial of service (crash or memory corruption) or
possibly for privilege escalation.

CVE-2021-37159

A flaw was discovered in the hso driver for Option mobile
broadband modems.  An error during initialisation could lead to a
double-free or use-after-free.  An attacker able to plug in USB
devices could use this to cause a denial of service (crash or
memory corruption) or possibly to run arbitrary code.

CVE-2021-38160

A flaw in the virtio_console was discovered allowing data
corruption or data loss by an untrusted device.

CVE-2021-38198

A flaw was discovered in the KVM implementation for x86
processors, that could result in virtual memory protection within
a guest not being applied correctly.  When shadow page tables are
used - i.e. for nested virtualisation, or on CPUs lacking the EPT
or NPT feature - a user of the guest OS might be able to exploit
this for denial of service or privilege escalation within the
guest.

CVE-2021-38199

Michael Wakabayashi reported a flaw in the NFSv4 client
implementation, where incorrect connection setup ordering allows
operations of a remote NFSv4 server to cause a denial of service.

CVE-2021-38204

A flaw was discovered in the max4321-hcd USB host controller
driver, which could lead to a use-after-free.

However, this driver is not included in the binary packages
provided by Debian.

CVE-2021-38205

An information leak was discovered in the xilinx_emaclite network
driver.  On a custom kernel where this driver is enabled and used,
this might make it easier to exploit other kernel bugs.

CVE-2021-40490

A race condition was discovered in the ext4 subsystem when writing
to an inline_data file while its xattrs are changing. This could
result in denial of service.

CVE-2021-41864

An integer overflow was discovered in the Extended BPF (eBPF)
subsystem.  A local user could exploit this for denial of service
(memory corruption or crash), or possibly for privilege
escalation.

This can be mitigated by setting sysctl
kernel.unprivileged_bpf_disabled=1, which disables eBPF use by
unprivileged users.

CVE-2021-42008

A heap buffer overflow was discovered in the 6pack serial port
network driver.  A local user with CAP_NET_ADMIN capability could
exploit this for denial of service (memory corruption or crash), or
possibly for privilege escalation.

CVE-2021-42739

A heap buffer overflow was discovered in the firedtv driver for
FireWire-connected DVB receivers.  A local user with access to a
firedtv device could exploit this for denial of service (memory
corruption or crash), or possibly for privilege escalation.

CVE-2021-43389

The Active Defense Lab of Venustech discovered a flaw in the CMTP
subsystem as used by Bluetooth, which could lead to an
out-of-bounds read and object type confusion.  A local user with
CAP_NET_ADMIN capability in the initial user namespace could
exploit this for denial of service (memory corruption or crash),
or possibly for privilege escalation.

ELA-534-1 xorg-server security update

Wed, 29 Dec 2021 22:58:33 +0100

Package : xorg-server

Version : 2:1.16.4-1+deb8u6

Related CVEs : CVE-2021-4008 CVE-2021-4009 CVE-2021-4011

Jan-Niklas Sohn discovered that multiple input validation failures in X server extensions of the X.org X server may result in privilege escalation if the X server is running privileged.

ELA-533-1 python-gnupg security update

Wed, 29 Dec 2021 02:48:06 +0530

Package : python-gnupg

Version : 0.3.6-1+deb8u2

Related CVEs : CVE-2018-12020

Marcus Brinkmann discovered that GnuPG before 2.2.8 improperly handled certain command line parameters. A remote attacker could use this to spoof the output of GnuPG and cause unsigned e-mail to appear signed.

ELA-532-1 zziplib security update

Tue, 28 Dec 2021 00:52:41 +0100

Package : zziplib

Version : 0.13.62-3+deb8u3

Related CVEs : CVE-2020-18442

An issue has been found in zziplib, a library providing read access on ZIP-archive. Because of mishandling a return value, an attacker might cause a denial of service due to an infinite loop.

ELA-531-1 ruby2.1 security update

Mon, 27 Dec 2021 06:13:40 +0530

Package : ruby2.1

Version : 2.1.5-2+deb8u13

Related CVEs : CVE-2021-41817 CVE-2021-41819

A cookie prefix spoofing vulnerability in CGI::Cookie.parse and a regular expression denial of service vulnerability (ReDoS) on date parsing methods was discovered in src:ruby2.1, the Ruby interpreter.

ELA-530-1 systemd bug fix

Mon, 27 Dec 2021 01:28:58 +0530

Package : systemd

Version : 215-17+deb8u14

systemd-shutdown is run after the network is stopped, so remounting a network filesystem read-only can hang. A simple umount is the most useful thing that can be done for a network filesystem once the network is down.

ELA-529-1 ufraw security update

Fri, 24 Dec 2021 02:10:08 +0100

Package : ufraw

Version : 0.20-2+deb8u2

Related CVEs : CVE-2015-8366

An issue has been found in ufraw, a standalone importer for raw camera images. Due to an array index error in smal_decode_segment() an attacker might be able to cause memory errors and possibly execute arbitrary code.

ELA-528-1 raptor2 security update

Tue, 14 Dec 2021 00:29:39 +0100

Package : raptor2

Version : 2.0.14-1+deb8u2

Related CVEs : CVE-2020-25713

An issue has been found in raptor2, a Raptor RDF parser and serializer library. Malformed input file can lead to a segfault.

ELA-527-1 libsamplerate security update

Tue, 14 Dec 2021 00:22:18 +0100

Package : libsamplerate

Version : 0.1.8-8+deb8u1

Related CVEs : CVE-2017-7697

An issue has been found in libsamplerate, an audio sample rate conversion library. Using a crafted audio file a buffer over-read might happen in calc_output_single() in src_sinc.c.

ELA-525-2 nss regression update

Wed, 08 Dec 2021 04:46:08 +0530

Package : nss

Version : 2:3.26-1+debu8u15

ELA-525-1 was rolled out, fixing CVE-2021-43527 in nss, but that lead to a regression, preventing SSL connections in Chromium. The complete bug report could be found here: https://bugs.debian.org/1001219.

ELA-526-1 opensc security update

Tue, 07 Dec 2021 10:00:52 -0800

Package : opensc

Version : 0.16.0-3+deb8u3

Multiple vulnerabilities were discovered in opensc, a set of utilities to interact with smartcard devices:

CVE-2020-26570: Heap-based buffer overflow in sc_oberthur_read_file.
CVE-2020-26571: Stack-based buffer overflow in sc_pkcs15emu_gemsafeGPK_init.
CVE-2020-26572: Stack-based buffer overflow in tcos_decipher.

ELA-525-1 nss security update

Thu, 02 Dec 2021 18:15:10 +0530

Package : nss

Version : 2:3.26-1+debu8u14

Related CVEs : CVE-2021-43527

Tavis Ormandy discovered that nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PPS signatures, which could result in denial of service or potentially the execution of arbitrary code.

ELA-524-1 gmp security update

Tue, 30 Nov 2021 02:57:05 +0530

Package : gmp

Version : 2:6.0.0+dfsg-6+deb8u1

Related CVEs : CVE-2021-43618

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

ELA-523-1 ntfs-3g security update

Tue, 30 Nov 2021 01:46:01 +0530

Package : ntfs-3g

Version : 1:2014.2.15AR.2-1+deb8u5

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.

ELA-522-1 bluez security update

Sat, 27 Nov 2021 12:13:48 +0100

Package : bluez

Version : 5.43-2+deb9u2~deb8u4

Several vulnerabilities were discovered in BlueZ, the Linux Bluetooth protocol stack. An attacker could cause a denial-of-service (DoS) or leak information.

CVE-2019-8921

SDP infoleak; the vulnerability lies in the handling of a SVC_ATTR_REQ by the SDP implementation of BlueZ. By crafting a malicious CSTATE, it is possible to trick the server into returning more bytes than the buffer actually holds, resulting in leaking arbitrary heap data.
CVE-2019-8922

SDP Heap Overflow; this vulnerability lies in the SDP protocol handling of attribute requests as well. By requesting a huge number of attributes at the same time, an attacker can overflow the static buffer provided to hold the response.
CVE-2021-41229

sdp_cstate_alloc_buf allocates memory which will always be hung in the singly linked list of cstates and will not be freed. This will cause a memory leak over time. The data can be a very large object, which can be caused by an attacker continuously sending sdp packets and this may cause the service of the target device to crash.

ELA-521-1 libmodbus security update

Mon, 22 Nov 2021 16:52:03 +0100

Package : libmodbus

Version : 3.0.6-1+deb8u1

Related CVEs : CVE-2019-14462 CVE-2019-14463

Two issues have been found in libmodbus, a library for the Modbus protocol. Both issues are related to out of bound reads, which could result in a denial of service or other unspecified impact.

ELA-520-1 libsdl1.2 security update

Sun, 21 Nov 2021 17:04:46 +0100

Package : libsdl1.2

Version : 1.2.15-10+deb8u3

Related CVEs : CVE-2019-13616

An issue has been found in libsdl1.2, a library for portable low level access to a video framebuffer, audio output, mouse, and keyboard. It is related to an heap-based buffer over-read, resulting in a DoS by using a crafted BMP file.

ELA-519-1 qtbase-opensource-src security update

Sat, 20 Nov 2021 18:55:45 +0100

Package : qtbase-opensource-src

Version : 5.3.2+dfsg-4+deb8u6

Related CVEs : CVE-2018-19872

A malformed PPM file could crash the application by generating a division by zero.

ELA-518-1 postgresql-9.4 security update

Thu, 18 Nov 2021 16:34:23 +0100

Package : postgresql-9.4

Version : 9.4.26-0+deb8u5

Related CVEs : CVE-2021-23214 CVE-2021-23222

Jacob Champion discovered that PostgreSQL, an object-relational SQL database, may process unencrypted bytes from a database connection even if it is encrypted. A man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established.

CVE-2021-23214

Server processes unencrypted bytes from man-in-the-middle - when the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
CVE-2021-23222

libpq processes unencrypted bytes from man-in-the-middle - a man-in-the-middle attacker can inject false responses to the client’s first few queries, despite the use of SSL certificate verification and encryption. If more preconditions hold, the attacker can exfiltrate the client’s password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client’s intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214.

ELA-517-1 atftp security update

Wed, 17 Nov 2021 01:32:41 +0100

Package : atftp

Version : 0.7.git20120829-1+deb8u2

Related CVEs : CVE-2020-6097 CVE-2021-41054

Two issues have been found in atftp, an advanced TFTP client. Both are related to sending crafted requests to the server and triggering a denial-of-service due to for example a buffer overflow.

ELA-516-1 openjdk-7 security update

Thu, 11 Nov 2021 10:18:09 +0100

Package : openjdk-7

Version : 7u321-2.6.28-0+deb8u1

Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, selection of weak ciphers, sandbox bypass or information disclosure.

ELA-515-1 jqueryui security update

Thu, 11 Nov 2021 10:07:50 +0100

Package : jqueryui

Version : 1.10.1+dfsg-1+deb8u1

Several cross-site scripting (XSS) vulnerabilities have been found in jqueryui, a JavaScript UI library for dynamic web applications, which could allow attackers with sufficient access to inject arbitrary code.

ELA-514-1 openjdk-8 security update

Tue, 09 Nov 2021 14:02:27 -0500

Package : openjdk-8

Version : 8u312-b07-1~deb8u1

Several vulnerabilities have been discovered in the OpenJDK Java runtime, including issues with cyprographic hashing, TLS client handshaking, and various other issues.

Thanks to Thorsten Glaser and ⮡ tarent for contributing the updated packages to address these vulnerabilities.