Debian Security Advisory

    • Official post

    Package : glibc

    CVE ID : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780


    The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.


    Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/syslog


    Additionally, a memory corruption was discovered in glibc's qsort() function, caused by a missing bounds check, when qsort() is called by a program with a non-transitive comparison function and a large number of attacker-controlled elements. As the use of qsort() with a non-transitive comparison function is undefined according to the POSIX and ISO C standards, this is not considered a vulnerability in glibc itself. However, the qsort() implementation was hardened against misbehaving callers.


    Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/qsort


    For the stable distribution (bookworm), these problems have been fixed in version 2.36-9+deb12u4.


    We recommend that you upgrade your glibc packages.


    For the detailed security status of glibc please refer to its security tracker page at:

    Information on source package glibc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-1059 CVE-2024-1060 CVE-2024-1077


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 121.0.6167.139-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20932 CVE-2024-20945 CVE-2024-20952


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in side channel attacks, leaking sensitive data to log files, denial of service or bypass of sandbox restrictions.


    For the oldstable distribution (bullseye), these problems have been fixed in version 17.0.10+7-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 17.0.10+7-1~deb12u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:

    Information on source package openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : zbar

    CVE ID : CVE-2023-40889 CVE-2023-40890

    Debian Bug : 1051724


    Two vulnerabilities were discovered in zbar, a library for scanning and decoding QR and bar codes, which may result in denial of service, information disclosure or potentially the execution of arbitrary code if a specially crafted code is processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 0.23.90-1+deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 0.23.92-7+deb12u1.


    We recommend that you upgrade your zbar packages.


    For the detailed security status of zbar please refer to its security tracker page at:

    Information on source package zbar


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : runc

    CVE ID : CVE-2024-21626


    It was discovered that runc, a command line client for running applications packaged according to the Open Container Format (OCF), was susceptible to multiple container breakouts due to an internal file descriptor leak.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.0.0~rc93+ds1-5+deb11u3.


    For the stable distribution (bookworm), this problem has been fixed in version 1.1.5+ds1-1+deb12u1.


    We recommend that you upgrade your runc packages.


    For the detailed security status of runc please refer to its security tracker page at:

    Information on source package runc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-sanitize

    CVE ID : CVE-2023-36823


    It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer, insufficiently sanitised <style> elements, which may result in cross-site scripting.


    For the oldstable distribution (bullseye), this problem has been fixed in version 5.2.1-2+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 6.0.0-1.1+deb12u1.


    We recommend that you upgrade your ruby-sanitize packages.


    For the detailed security status of ruby-sanitize please refer to its security tracker page at:

    Information on source package ruby-sanitize


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-1283 CVE-2024-1284


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 121.0.6167.160-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2024-23206 CVE-2024-23213 CVE-2024-23222


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2024-23206

    An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user.


    CVE-2024-23213

    Wangtaiyu discovered that processing web content may lead to arbitrary code execution.


    CVE-2024-23222

    Apple discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.42.5-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.42.5-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libgit2

    CVE ID : CVE-2024-24577 CVE-2024-24575


    Two vulnerabilities were discovered in libgit2, a low-level Git library, which may result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.1.0+dfsg.1-4+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 1.5.1+ds-1+deb12u1.


    We recommend that you upgrade your libgit2 packages.


    For the detailed security status of libgit2 please refer to its security tracker page at:

    Information on source package libgit2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : unbound

    CVE ID : CVE-2023-50387 CVE-2023-50868

    Debian Bug : 1063845


    Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.


    Details can be found at https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.13.1-1+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 1.17.1-2+deb12u2.


    We recommend that you upgrade your unbound packages.


    For the detailed security status of unbound please refer to its security tracker page at:

    Information on source package unbound


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bind9

    CVE ID : CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516 CVE-2023-50387 CVE-2023-50868


    Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:9.16.48-1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:9.18.24-1.


    We recommend that you upgrade your bind9 packages.


    For the detailed security status of bind9 please refer to its security tracker page at:

    Information on source package bind9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-13

    CVE ID : CVE-2024-0985


    It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges into running SQL commands with those privileges.


    For the oldstable distribution (bullseye), this problem has been fixed in version 13.14-0+deb11u1.


    We recommend that you upgrade your postgresql-13 packages.


    For the detailed security status of postgresql-13 please refer to its security tracker page at:

    Information on source package postgresql-13


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-15

    CVE ID : CVE-2024-0985


    It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges into running SQL commands with those privileges.


    For the stable distribution (bookworm), this problem has been fixed in version 15.6-0+deb12u1.


    We recommend that you upgrade your postgresql-15 packages.


    For the detailed security status of postgresql-15 please refer to its security tracker page at:

    Information on source package postgresql-15


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : edk2

    CVE ID : CVE-2023-48733


    Mate Kukri discovered that the Debian build of EDK2, a UEFI firmware implementation, used an insecure default configuration which could result in Secure Boot bypass via the UEFI shell.


    This update disables the UEFI shell if Secure Boot is used.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2020.11-2+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 2022.11-6+deb12u1. This update also addresses several security issues in the IPv6 network stack (CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45229, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235).


    We recommend that you upgrade your edk2 packages.


    For the detailed security status of edk2 please refer to its security tracker page at:

    Information on source package edk2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : engrampa

    CVE ID : CVE-2023-52138


    It was discovered that Engrampa, an archive manager for the MATE desktop environment, was susceptible to path traversal when handling CPIO archives.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.24.1-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.26.0-1+deb12u2.


    We recommend that you upgrade your engrampa packages.


    For the detailed security status of engrampa please refer to its security tracker page at:

    Information on source package engrampa


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pdns-recursor

    CVE ID : CVE-2023-50387 CVE-2023-50868


    It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against PDNS Recursor, a resolving name server.


    For the stable distribution (bookworm), these problems have been fixed in version 4.8.6-1.


    We recommend that you upgrade your pdns-recursor packages.


    For the detailed security status of pdns-recursor please refer to its security tracker page at:

    Information on source package pdns-recursor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.8.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.8.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : imagemagick

    CVE ID : CVE-2021-3610 CVE-2022-1115 CVE-2023-1289 CVE-2023-1906 CVE-2023-3428 CVE-2023-5341 CVE-2023-34151

    Debian Bug : 1013282 1036999


    This update fixes multiple vulnerabilities in ImageMagick: various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 8:6.9.11.60+dfsg-1.3+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 8:6.9.11.60+dfsg-1.6+deb12u1.


    We recommend that you upgrade your imagemagick packages.


    For the detailed security status of imagemagick please refer to its security tracker page at:

    Information on source package imagemagick


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-1669 CVE-2024-1670 CVE-2024-1671 CVE-2024-1672 CVE-2024-1673 CVE-2024-1674 CVE-2024-1675 CVE-2024-1676


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 122.0.6261.57-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2024-1546 CVE-2024-1547 CVE-2024-1548 CVE-2024-1549 CVE-2024-1550 CVE-2024-1551 CVE-2024-1552 CVE-2024-1553


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.8.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:115.8.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/