Debian Security Advisory


    Package : iwd

    CVE ID : CVE-2023-52161

    Debian Bug : 1064062


    It was discovered that iwd, the iNet Wireless Daemon, does not properly handle messages in the 4-way handshake used when connecting to a protected WiFi network for the first time. An attacker can take advantage of this flaw to gain unauthorized access to a protected WiFi network if iwd is operating in Access Point (AP) mode.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.14-3+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 2.3-1+deb12u1.


    We recommend that you upgrade your iwd packages.

    For the detailed security status of iwd please refer to its security tracker page at:

    Information on source package iwd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : knot-resolver

    CVE ID : CVE-2023-46317 CVE-2023-50387 CVE-2023-50868


    It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against Knot Resolver, a caching, DNSSEC-validating DNS resolver.


    For the stable distribution (bookworm), these problems have been fixed in version 5.6.0-1+deb12u1.


    We recommend that you upgrade your knot-resolver packages.


    For the detailed security status of knot-resolver please refer to its security tracker page at:

    Information on source package knot-resolver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : chromium

    CVE ID : CVE-2024-1938 CVE-2024-1939


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 122.0.6261.94-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : yard

    CVE ID : CVE-2024-27285


    Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.9.24-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 0.9.28-2+deb12u2.


    We recommend that you upgrade your yard packages.


    For the detailed security status of yard please refer to its security tracker page at:

    Information on source package yard


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : chromium

    CVE ID : CVE-2024-2173 CVE-2024-2174 CVE-2024-2176


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 122.0.6261.111-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : squid

    CVE ID : CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617 CVE-2023-46848 CVE-2024-25111

    Debian Bug : 1055252 1054537 1055250 1055251 1058721


    Several security vulnerabilities have been discovered in Squid, a full-featured web proxy cache. Due to programming errors in Squid's HTTP request parsing, remote attackers may be able to cause a denial of service by sending a large X-Forwarded-For header, or trigger a stack buffer overflow while performing HTTP Digest authentication. Other issues facilitate request smuggling past a firewall or a denial of service against Squid's helper process management.


    In regard to CVE-2023-46728: please note that support for the Gopher protocol has simply been removed in future Squid versions. The upstream Squid developers have no plans to fix this issue. We recommend rejecting all Gopher URL requests instead.
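    The Gopher rejection the advisory recommends, written out as a squid.conf fragment; this is an added example, not text from the advisory or from the Squid project, and the ACL name is an arbitrary choice:

```conf
# Added example: deny every Gopher request. Place it above any
# "http_access allow ..." line, since the first matching rule wins.
acl gopher_proto proto gopher
http_access deny gopher_proto
```

    Check the syntax with `squid -k parse` and apply it with `squid -k reconfigure`.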


    For the oldstable distribution (bullseye), these problems have been fixed in version 4.13-10+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 5.7-2+deb12u1.


    We recommend that you upgrade your squid packages.


    For the detailed security status of squid please refer to its security tracker page at:

    Information on source package squid


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : libuv1

    CVE ID : CVE-2024-24806

    Debian Bug : 1063484


    It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may allow bypassing security checks on internal APIs or server-side request forgery (SSRF) attacks.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.40.0-2+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.44.2-1+deb12u1.


    We recommend that you upgrade your libuv1 packages.


    For the detailed security status of libuv1 please refer to its security tracker page at:

    Information on source package libuv1


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : chromium

    CVE ID : CVE-2024-2400


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), this problem has been fixed in version 122.0.6261.128-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : openvswitch

    CVE ID : CVE-2023-3966 CVE-2023-5366

    Debian Bug : 1063492


    Two vulnerabilities were discovered in Open vSwitch, a software-based Ethernet virtual switch, which could result in a bypass of OpenFlow rules or denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.15.0+ds1-2+deb11u5. This update also addresses a memory leak tracked as CVE-2024-22563.


    For the stable distribution (bookworm), these problems have been fixed in version 3.1.0-2+deb12u1.


    We recommend that you upgrade your openvswitch packages.


    For the detailed security status of openvswitch please refer to its security tracker page at:

    Information on source package openvswitch


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/


    Package : composer

    CVE ID : CVE-2024-24821

    Debian Bug : 1063603


    It was discovered that composer, a dependency manager for the PHP language, processed files in the local working directory. This could lead to local privilege escalation or malicious code execution. Due to a technical issue, this email was not sent on 2024-02-26 as it should have been.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.0.9-2+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 2.5.5-1+deb12u1.


    We recommend that you upgrade your composer packages.


    For the detailed security status of composer please refer to its security tracker page at:

    Information on source package composer


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
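    Every advisory above ends with "upgrade to version X", and the only reliable way to verify that is Debian's own version ordering, where `1~deb12u1` sorts below `1` but `1+deb12u1` sorts above it. The following is an added example, not Debian's code: a hand-written port of dpkg's comparison (not the apt_pkg binding) applied to the bookworm fixed versions listed in this batch, taking a package-to-version map such as dpkg-query produces.

```python
import re
def _order(c):
    """dpkg char weight: end of string/digits 0, letters < other chars, '~' lowest."""
    if c == "~" or not c or c.isdigit():
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Port of dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ma, mb = re.match(r"\d*", a[i:]), re.match(r"\d*", b[j:])
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return na - nb
        i, j = i + ma.end(), j + mb.end()
    return 0

def _split(v):  # [epoch:]upstream[-revision]; the last '-' starts the revision
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    c = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (c > 0) - (c < 0)

# Bookworm fixed versions from the advisories above (chromium: newest of its three DSAs).
FIXED_BOOKWORM = {
    "iwd": "2.3-1+deb12u1", "knot-resolver": "5.6.0-1+deb12u1",
    "chromium": "122.0.6261.128-1~deb12u1", "yard": "0.9.28-2+deb12u2",
    "squid": "5.7-2+deb12u1", "libuv1": "1.44.2-1+deb12u1",
    "openvswitch": "3.1.0-2+deb12u1", "composer": "2.5.5-1+deb12u1",
}

def still_vulnerable(installed):  # installed: package -> version, as dpkg-query reports it
    return {p: v for p, v in installed.items()
            if p in FIXED_BOOKWORM and compare_versions(v, FIXED_BOOKWORM[p]) < 0}
```

    On a real host, feed it the output of `dpkg-query -W -f='${Package} ${Version}\n'` for the packages named above.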