Debian Security Advisory

• Official post

    Package : iwd

    CVE ID : CVE-2023-52161

    Debian Bug : 1064062


    It was discovered that iwd, the iNet Wireless Daemon, does not properly handle messages in the 4-way handshake used when connecting to a protected WiFi network for the first time. An attacker can take advantage of this flaw to gain unauthorized access to a protected WiFi network if iwd is operating in Access Point (AP) mode.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.14-3+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 2.3-1+deb12u1.


    We recommend that you upgrade your iwd packages.

    For the detailed security status of iwd please refer to its security tracker page at:

    Information on source package iwd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : knot-resolver

    CVE ID : CVE-2023-46317 CVE-2023-50387 CVE-2023-50868


It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against Knot Resolver, a caching, DNSSEC-validating DNS resolver.


    For the stable distribution (bookworm), these problems have been fixed in version 5.6.0-1+deb12u1.


    We recommend that you upgrade your knot-resolver packages.


    For the detailed security status of knot-resolver please refer to its security tracker page at:

    Information on source package knot-resolver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : chromium

    CVE ID : CVE-2024-1938 CVE-2024-1939


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), this problem has been fixed in version 122.0.6261.94-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : yard

    CVE ID : CVE-2024-27285


    Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.9.24-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 0.9.28-2+deb12u2.


    We recommend that you upgrade your yard packages.


    For the detailed security status of yard please refer to its security tracker page at:

    Information on source package yard


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : chromium

    CVE ID : CVE-2024-2173 CVE-2024-2174 CVE-2024-2176


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 122.0.6261.111-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : squid

CVE ID : CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617 CVE-2023-46848 CVE-2024-25111

    Debian Bug : 1055252 1054537 1055250 1055251 1058721


Several security vulnerabilities have been discovered in Squid, a full-featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to cause a denial of service by sending a large X-Forwarded-For header, or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's helper process management.


In regard to CVE-2023-46728: Please note that support for the Gopher protocol has simply been removed in future Squid versions. There are no plans by the upstream developers of Squid to fix this issue. We recommend rejecting all Gopher URL requests instead.


    For the oldstable distribution (bullseye), these problems have been fixed in version 4.13-10+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 5.7-2+deb12u1.


    We recommend that you upgrade your squid packages.


    For the detailed security status of squid please refer to its security tracker page at:

    Information on source package squid


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : libuv1

    CVE ID : CVE-2024-24806

    Debian Bug : 1063484


It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in a bypass of security measures on internal APIs or in SSRF attacks.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.40.0-2+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.44.2-1+deb12u1.


    We recommend that you upgrade your libuv1 packages.


    For the detailed security status of libuv1 please refer to its security tracker page at:

    Information on source package libuv1


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : chromium

    CVE ID : CVE-2024-2400


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), this problem has been fixed in version 122.0.6261.128-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : openvswitch

    CVE ID : CVE-2023-3966 CVE-2023-5366

    Debian Bug : 1063492


    Two vulnerabilities were discovered in Open vSwitch, a software-based Ethernet virtual switch, which could result in a bypass of OpenFlow rules or denial of service.


For the oldstable distribution (bullseye), these problems have been fixed in version 2.15.0+ds1-2+deb11u5. This update also addresses a memory leak tracked as CVE-2024-22563.


    For the stable distribution (bookworm), these problems have been fixed in version 3.1.0-2+deb12u1.


    We recommend that you upgrade your openvswitch packages.


    For the detailed security status of openvswitch please refer to its security tracker page at:

    Information on source package openvswitch


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : composer

    CVE ID : CVE-2024-24821

    Debian Bug : 1063603


It was discovered that composer, a dependency manager for the PHP language, processed files in the local working directory. This could lead to local privilege escalation or malicious code execution. Due to a technical issue, this email was not sent on 2024-02-26 as it should have been.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.0.9-2+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 2.5.5-1+deb12u1.


    We recommend that you upgrade your composer packages.


    For the detailed security status of composer please refer to its security tracker page at:

    Information on source package composer


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : fontforge

    CVE ID : CVE-2024-25081 CVE-2024-25082

    Debian Bug : 1064967


    It was discovered that fontforge, a font editor, is prone to shell command injection vulnerabilities when processing specially crafted files.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:20201107~dfsg-4+deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:20230101~dfsg-1.1~deb12u1.


    We recommend that you upgrade your fontforge packages.


    For the detailed security status of fontforge please refer to its security tracker page at:

    Information on source package fontforge


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : php-dompdf-svg-lib

    CVE ID : CVE-2023-50251 CVE-2023-50252 CVE-2024-25117


Three security issues were discovered in php-svg-lib, a PHP library to read, parse and export SVG files to PDF, which could result in denial of service, restriction bypass or the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 0.5.0-3+deb12u1.


    We recommend that you upgrade your php-dompdf-svg-lib packages.


    For the detailed security status of php-dompdf-svg-lib please refer to its security tracker page at:

    Information on source package php-dompdf-svg-lib


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : pdns-recursor


    One of the upstream changes in the update released as DSA 5626 contained a regression in the zoneToCache function. Updated pdns-recursor packages are available to correct this issue.


    For the stable distribution (bookworm), this problem has been fixed in version 4.8.7-1.


    We recommend that you upgrade your pdns-recursor packages.


    For the detailed security status of pdns-recursor please refer to its security tracker page at:

    Information on source package pdns-recursor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : firefox-esr

CVE ID : CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure, bypass of content security policies or spoofing.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.9.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.9.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : thunderbird

CVE ID : CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616


    Multiple security issues were discovered in Thunderbird, which could result in denial of service, the execution of arbitrary code or leaks of encrypted email subjects.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.9.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:115.9.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : firefox-esr

    CVE ID : CVE-2024-29944


    Manfred Paul discovered a flaw in the Mozilla Firefox web browser, allowing an attacker to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.


    For the oldstable distribution (bullseye), this problem has been fixed in version 115.9.1esr-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 115.9.1esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : cacti

CVE ID : CVE-2023-39360 CVE-2023-39513 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 CVE-2023-49088 CVE-2023-50250 CVE-2023-50569

    Debian Bug : 1059254


    Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, or command injection.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.2.16+ds1-2+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 1.2.24+ds1-1+deb12u2.


    We recommend that you upgrade your cacti packages.


    For the detailed security status of cacti please refer to its security tracker page at:

    Information on source package cacti


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : samba

CVE ID : CVE-2022-2127 CVE-2022-3437 CVE-2023-4091 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968


Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix, which might result in denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2:4.13.13+dfsg-1~deb11u6.


    We recommend that you upgrade your samba packages.


    For the detailed security status of samba please refer to its security tracker page at:

    Information on source package samba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : chromium

CVE ID : CVE-2024-2625 CVE-2024-2626 CVE-2024-2627 CVE-2024-2628 CVE-2024-2629 CVE-2024-2630 CVE-2024-2631 CVE-2024-2883 CVE-2024-2885 CVE-2024-2886 CVE-2024-2887


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 123.0.6312.86-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

• Official post

    Package : xz-utils

    CVE ID : CVE-2024-3094


    Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.


    Right now no Debian stable versions are known to be affected.

    Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.


    Users running Debian testing and unstable are urged to update the xz-utils packages.


    For the detailed security status of xz-utils please refer to its security tracker page at:

    Information on source package xz-utils


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/