Debian Security Advisory

    • Official post

    Package : util-linux

    CVE ID : CVE-2024-28085

    Debian Bug : 1067849


    Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.


    With this update, wall and write are no longer installed setgid tty.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.36.1-8+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 2.38.1-5+deb12u1.


    We recommend that you upgrade your util-linux packages.


    For the detailed security status of util-linux please refer to its security tracker page at:

    Information on source package util-linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
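Two things a practitioner wants after reading the wall advisory: a feel for what an escape-sequence filter on a broadcast message has to catch, and a quick way to confirm that the hardening (wall and write no longer setgid) is in place on a host. The following is an added example and is not util-linux code; the regular expression, the caret rendering and the list of binaries are my own assumptions for the illustration, and the hostile message is constructed.

```python
"""Added example for the wall escape-sequence issue above. Neither the
regex nor the checks are util-linux code; they illustrate (a) what a
filter on a broadcast message has to neutralise and (b) how to confirm
that wall and write are no longer installed setgid."""
import os
import re
import stat

# Terminal control sequences and control bytes: CSI (ESC [ ... final byte),
# OSC (ESC ] ... BEL or ESC \), other two-byte ESC sequences, and any
# remaining C0 control byte or DEL, except newline and tab.
_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
    r"|[\x00-\x08\x0b-\x1f\x7f]"
)


def contains_escape_sequences(message: str) -> bool:
    """True if the message could alter the recipient's terminal state."""
    return _ESCAPE_RE.search(message) is not None


def _caret(seq: str) -> str:
    """Render control bytes in caret notation (ESC -> ^[, BEL -> ^G, DEL -> ^?)."""
    out = []
    for ch in seq:
        n = ord(ch)
        if n < 0x20:
            out.append("^" + chr(n + 0x40))
        elif n == 0x7F:
            out.append("^?")
        else:
            out.append(ch)
    return "".join(out)


def sanitize_message(message: str) -> str:
    """Neutralise every control sequence so the recipient sees it as text."""
    return _ESCAPE_RE.sub(lambda m: _caret(m.group(0)), message)


def is_setgid(mode: int) -> bool:
    """True if an st_mode value carries the setgid bit."""
    return bool(mode & stat.S_ISGID)


def setgid_binaries(paths=("/usr/bin/wall", "/usr/bin/write")) -> list:
    """Return those of the given binaries that exist and are still setgid
    (the pre-update state was setgid tty). An empty list means the
    update's hardening is in place. The default paths are an assumption."""
    still_setgid = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if is_setgid(st.st_mode):
            still_setgid.append(path)
    return still_setgid


if __name__ == "__main__":
    # Constructed message: clears the screen and then sets the window title.
    hostile = "meeting in 5 min\x1b[2J\x1b]0;pwned\x07"
    print("hostile:", contains_escape_sequences(hostile))   # True
    print("shown as:", sanitize_message(hostile))           # caret notation
    print("still setgid:", setgid_binaries())
```

On a Debian host the same check is `stat -c '%A %n' /usr/bin/wall /usr/bin/write`; after the update the group permission triple should read `r-x`, not `r-s`.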

    • Official post

    Package : mediawiki

    CVE ID : not yet available


    Two security issues were discovered in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting or denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:1.35.13-1+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 1:1.39.7-1~deb12u1.


    We recommend that you upgrade your mediawiki packages.


    For the detailed security status of mediawiki please refer to its security tracker page at:

    Information on source package mediawiki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : py7zr

    CVE ID : CVE-2022-44900


    A directory traversal vulnerability was discovered in py7zr, a library and command-line utility to process 7zip archives.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.11.3+dfsg-1+deb11u1.


    We recommend that you upgrade your py7zr packages.


    For the detailed security status of py7zr please refer to its security tracker page at:

    Information on source package py7zr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gtkwave

    CVE ID : CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004

    CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703

    CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957

    CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961

    CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969

    CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994

    CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746

    CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915

    CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417

    CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442

    CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446

    CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575

    CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921

    CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618

    CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622

    CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650

    CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657

    CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271

    CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275

    CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414

    CVE-2023-39443 CVE-2023-39444


    Claudio Bozzato discovered multiple security issues in gtkwave, a waveform viewer for VCD (Value Change Dump) files, which may result in the execution of arbitrary code if malformed files are opened.


    For the oldstable distribution (bullseye), these problems have been fixed in version 3.3.104+really3.3.118-0+deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 3.3.118-0.1~deb12u1.


    We recommend that you upgrade your gtkwave packages.


    For the detailed security status of gtkwave please refer to its security tracker page at:

    Information on source package gtkwave


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-3156 CVE-2024-3158 CVE-2024-3159


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 123.0.6312.105-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cockpit

    CVE ID : CVE-2024-2947


    It was discovered that Cockpit, a web console for Linux servers, was susceptible to arbitrary command execution if an administrative user was tricked into opening an sosreport file with a malformed filename.


    For the stable distribution (bookworm), this problem has been fixed in version 287.1-0+deb12u1.


    We recommend that you upgrade your cockpit packages.


    For the detailed security status of cockpit please refer to its security tracker page at:

    Information on source package cockpit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-3157 CVE-2024-3515 CVE-2024-3516


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 123.0.6312.122-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2024-31080 CVE-2024-31081 CVE-2024-31083


    Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged, or in denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u13.


    For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u7.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    Information on source package xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2023-2176 CVE-2023-6270 CVE-2023-7042 CVE-2023-28746

    CVE-2023-47233 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435

    CVE-2023-52583 CVE-2023-52584 CVE-2023-52587 CVE-2023-52588

    CVE-2023-52589 CVE-2023-52593 CVE-2023-52594 CVE-2023-52595

    CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600

    CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604

    CVE-2023-52606 CVE-2023-52607 CVE-2023-52616 CVE-2023-52617

    CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52621

    CVE-2023-52622 CVE-2023-52623 CVE-2023-52630 CVE-2023-52631

    CVE-2023-52632 CVE-2023-52633 CVE-2023-52635 CVE-2023-52637

    CVE-2023-52638 CVE-2023-52639 CVE-2023-52640 CVE-2023-52641

    CVE-2024-0340 CVE-2024-0841 CVE-2024-1151 CVE-2024-2201

    CVE-2024-22099 CVE-2024-23850 CVE-2024-23851 CVE-2024-24857

    CVE-2024-24858 CVE-2024-26581 CVE-2024-26582 CVE-2024-26583

    CVE-2024-26584 CVE-2024-26585 CVE-2024-26586 CVE-2024-26590

    CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602

    CVE-2024-26603 CVE-2024-26606 CVE-2024-26621 CVE-2024-26622

    CVE-2024-26625 CVE-2024-26626 CVE-2024-26627 CVE-2024-26629

    CVE-2024-26639 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642

    CVE-2024-26643 CVE-2024-26651 CVE-2024-26654 CVE-2024-26659

    CVE-2024-26660 CVE-2024-26663 CVE-2024-26664 CVE-2024-26665

    CVE-2024-26667 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675

    CVE-2024-26676 CVE-2024-26679 CVE-2024-26680 CVE-2024-26681

    CVE-2024-26684 CVE-2024-26685 CVE-2024-26686 CVE-2024-26687

    CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696

    CVE-2024-26697 CVE-2024-26698 CVE-2024-26700 CVE-2024-26702

    CVE-2024-26704 CVE-2024-26706 CVE-2024-26707 CVE-2024-26710

    CVE-2024-26712 CVE-2024-26714 CVE-2024-26715 CVE-2024-26717

    CVE-2024-26718 CVE-2024-26720 CVE-2024-26722 CVE-2024-26723

    CVE-2024-26726 CVE-2024-26727 CVE-2024-26731 CVE-2024-26733

    CVE-2024-26735 CVE-2024-26736 CVE-2024-26737 CVE-2024-26741

    CVE-2024-26742 CVE-2024-26743 CVE-2024-26744 CVE-2024-26745

    CVE-2024-26747 CVE-2024-26748 CVE-2024-26749 CVE-2024-26750

    CVE-2024-26751 CVE-2024-26752 CVE-2024-26753 CVE-2024-26754

    CVE-2024-26759 CVE-2024-26760 CVE-2024-26761 CVE-2024-26763

    CVE-2024-26764 CVE-2024-26765 CVE-2024-26766 CVE-2024-26769

    CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26774

    CVE-2024-26775 CVE-2024-26776 CVE-2024-26777 CVE-2024-26778

    CVE-2024-26779 CVE-2024-26780 CVE-2024-26781 CVE-2024-26782

    CVE-2024-26787 CVE-2024-26788 CVE-2024-26789 CVE-2024-26790

    CVE-2024-26791 CVE-2024-26792 CVE-2024-26793 CVE-2024-26795

    CVE-2024-26798 CVE-2024-26800 CVE-2024-26801 CVE-2024-26802

    CVE-2024-26803 CVE-2024-26804 CVE-2024-26805 CVE-2024-26809

    CVE-2024-26810 CVE-2024-26811 CVE-2024-26812 CVE-2024-26813

    CVE-2024-26814 CVE-2024-26815 CVE-2024-26816 CVE-2024-27437


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    For the stable distribution (bookworm), these problems have been fixed in version 6.1.85-1.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : trafficserver

    CVE ID : CVE-2024-31309


    Bartek Nowotarski discovered that Apache Traffic Server, a reverse and forward proxy server, was susceptible to denial of service via HTTP/2 CONTINUATION frames.


    For the oldstable distribution (bullseye), this problem has been fixed in version 8.1.10+ds-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 9.2.4+ds-0+deb12u1.


    We recommend that you upgrade your trafficserver packages.


    For the detailed security status of trafficserver please refer to its security tracker page at:

    Information on source package trafficserver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4

    CVE ID : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096


    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.


    For the oldstable distribution (bullseye), these problems have been fixed in version 7.4.33-1+deb11u5.


    We recommend that you upgrade your php7.4 packages.


    For the detailed security status of php7.4 please refer to its security tracker page at:

    Information on source package php7.4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php8.2

    CVE ID : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096


    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.


    For the stable distribution (bookworm), these problems have been fixed in version 8.2.18-1~deb12u1.


    We recommend that you upgrade your php8.2 packages.


    For the detailed security status of php8.2 please refer to its security tracker page at:

    Information on source package php8.2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2

    CVE ID : CVE-2023-31122 CVE-2023-38709 CVE-2023-43622

    CVE-2023-45802 CVE-2024-24795 CVE-2024-27316


    Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.4.59-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.4.59-1~deb12u1.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    Information on source package apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cockpit

    Debian Bug : 1069059


    The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.


    For the stable distribution (bookworm), this problem has been fixed in version 287.1-0+deb12u2.


    We recommend that you upgrade your cockpit packages.


    For the detailed security status of cockpit please refer to its security tracker page at:

    Information on source package cockpit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854

    CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.10.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.10.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jetty9

    CVE ID : CVE-2024-22201


    Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients which can cause a denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 9.4.50-4+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 9.4.50-4+deb12u3.


    We recommend that you upgrade your jetty9 packages.


    For the detailed security status of jetty9 please refer to its security tracker page at:

    Information on source package jetty9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat10

    CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549

    Debian Bug : 1057082 1066877 1066878


    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.


    CVE-2023-46589

    Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

    CVE-2024-24549

    Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

    CVE-2024-23672

    Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.


    For the stable distribution (bookworm), these problems have been fixed in version 10.1.6-1+deb12u2.


    We recommend that you upgrade your tomcat10 packages.


    For the detailed security status of tomcat10 please refer to its security tracker page at:

    Information on source package tomcat10


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : flatpak

    CVE ID : CVE-2024-32462


    Gergo Koteles discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed in combination with xdg-desktop-portal.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.10.8-0+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 1.14.4-1+deb12u1.


    We recommend that you upgrade your flatpak packages.


    For the detailed security status of flatpak please refer to its security tracker page at:

    Information on source package flatpak


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549

    Debian Bug : 1057082 1066877 1066878


    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.


    CVE-2023-46589

    Tomcat 9 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

    CVE-2024-24549

    Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

    CVE-2024-23672

    Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.


    For the oldstable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u10.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:

    Information on source package tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
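The CVE-2023-46589 description in the tomcat10 and tomcat9 advisories above names the mechanism that turns a size limit into a request-smuggling primitive: when the trailer section exceeds the limit, the parser stops but the connection stays open, so the bytes it never consumed are read as the start of the next request. The following is an added model of that bug class, not Tomcat's parser or its fix: a minimal chunked-body reader with a trailer size limit in a lenient mode (stop parsing, keep the connection) and a strict mode (fail the request, close the connection), run over a constructed byte stream. The limit, the paths and the request bytes are all assumptions made for the demonstration, not a known payload against Tomcat.

```python
"""Added example for the trailer-header issue (CVE-2023-46589) described
in the tomcat10 and tomcat9 advisories. A small model of the bug class,
not Tomcat's code: a chunked-body reader whose trailer size limit is
enforced either leniently or strictly. All inputs are constructed."""

MAX_TRAILER_SIZE = 64   # assumed limit, in bytes, for this model


class RequestError(Exception):
    """Raised when the request is malformed; the connection must be closed."""


def _read_line(data: bytes, pos: int):
    """Return (line without CRLF, position after the CRLF)."""
    end = data.find(b"\r\n", pos)
    if end < 0:
        raise RequestError("truncated line")
    return data[pos:end], end + 2


def parse_chunked(data: bytes, pos: int, strict: bool):
    """Consume a chunked body and its trailer section starting at pos.
    Returns (body, trailers, new_pos)."""
    body = bytearray()
    while True:
        line, pos = _read_line(data, pos)
        size = int(line.split(b";")[0], 16)   # chunk extensions ignored
        if size == 0:
            break
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise RequestError("bad chunk terminator")
        pos += 2
    trailers, consumed = {}, 0
    while True:
        line, pos = _read_line(data, pos)
        consumed += len(line) + 2
        if consumed > MAX_TRAILER_SIZE:
            if strict:
                # The rest of the stream can no longer be trusted: fail the
                # request and let the caller close the connection.
                raise RequestError("trailer section exceeds limit")
            # Lenient: stop reading trailers but keep the connection. Bytes
            # that were never consumed stay in the buffer and will be read
            # as the start of the next request.
            return bytes(body), trailers, pos
        if not line:
            return bytes(body), trailers, pos
        name, _, value = line.partition(b":")
        trailers[name.strip().lower()] = value.strip()


def serve_stream(data: bytes, strict: bool) -> list:
    """Model of a server reading consecutive requests from one connection;
    returns the request lines it handled."""
    handled, pos = [], 0
    try:
        while pos < len(data):
            request_line, pos = _read_line(data, pos)
            headers = {}
            while True:
                line, pos = _read_line(data, pos)
                if not line:
                    break
                name, _, value = line.partition(b":")
                headers[name.strip().lower()] = value.strip()
            if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
                _body, _trailers, pos = parse_chunked(data, pos, strict)
            handled.append(request_line.decode("ascii"))
    except RequestError:
        pass  # connection closed; nothing after the error is processed
    return handled


# Constructed stream: one POST whose trailer section exceeds the limit,
# followed by bytes shaped like a second request.
PAD = b"A" * 80
ATTACK = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"0\r\n"
    + b"X-Pad: " + PAD + b"\r\n" +
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("lenient:", serve_stream(ATTACK, strict=False))  # two requests handled
    print("strict: ", serve_stream(ATTACK, strict=True))   # none; connection dropped
```

The lenient path is the one to recognise in code review: a limit that is "handled" by abandoning the current parse and resynchronising at the next line hands the attacker control over where the next request begins. The only safe response to an exceeded limit on a framed stream is to fail the request and close the connection, which is also why the tomcat advisories pair the limit with an error rather than a truncation.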

    • Official post

    Package : chromium

    CVE ID : CVE-2024-3832 CVE-2024-3833 CVE-2024-3834 CVE-2024-3837

    CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841

    CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846

    CVE-2024-3847


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 124.0.6367.60-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/