Debian Security Advisory

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939

    CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 CVE-2023-22006

    CVE-2023-22036 CVE-2023-22041 CVE-2023-22045 CVE-2023-22049


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 11.0.20+8-1~deb11u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    Information on source package openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-2312 CVE-2023-4349 CVE-2023-4350 CVE-2023-4351

    CVE-2023-4352 CVE-2023-4353 CVE-2023-4354 CVE-2023-4355

    CVE-2023-4356 CVE-2023-4357 CVE-2023-4358 CVE-2023-4359

    CVE-2023-4360 CVE-2023-4361 CVE-2023-4362 CVE-2023-4363

    CVE-2023-4364 CVE-2023-4365 CVE-2023-4366 CVE-2023-4367

    CVE-2023-4368


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 116.0.5845.96-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 116.0.5845.96-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2022-4269 CVE-2022-39189 CVE-2023-1206 CVE-2023-1380

    CVE-2023-2002 CVE-2023-2007 CVE-2023-2124 CVE-2023-2269

    CVE-2023-2898 CVE-2023-3090 CVE-2023-3111 CVE-2023-3212

    CVE-2023-3268 CVE-2023-3338 CVE-2023-3389 CVE-2023-3609

    CVE-2023-3611 CVE-2023-3776 CVE-2023-3863 CVE-2023-4004

    CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4194

    CVE-2023-4273 CVE-2023-20588 CVE-2023-21255 CVE-2023-21400

    CVE-2023-31084 CVE-2023-34319 CVE-2023-35788 CVE-2023-40283


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2022-4269

    William Zhao discovered that a flaw in the Traffic Control (TC) subsystem when using a specific networking configuration (redirecting egress packets to ingress using TC action "mirred") may allow a local unprivileged user to cause a denial of service (triggering a CPU soft lockup).

    CVE-2022-39189

    Jann Horn discovered that TLB flush operations are mishandled in the KVM subsystem in certain KVM_VCPU_PREEMPTED situations, which may allow an unprivileged guest user to compromise the guest kernel.

    CVE-2023-1206

    It was discovered that the networking stack permits attackers to force hash collisions in the IPv6 connection lookup table, which may result in denial of service (significant increase in the cost of lookups, increased CPU utilization).

    CVE-2023-1380

    Jisoo Jang reported a heap out-of-bounds read in the brcmfmac Wi-Fi driver. On systems using this driver, a local user could exploit this to read sensitive information or to cause a denial of service.

    CVE-2023-2002

    Ruihan Li reported an incorrect permissions check in the Bluetooth subsystem. A local user could exploit this to reconfigure local Bluetooth interfaces, resulting in information leaks, spoofing, or denial of service (loss of connection).

    CVE-2023-2007

    Lucas Leong and Reno Robert discovered a time-of-check-to-time-of-use flaw in the dpt_i2o SCSI controller driver. A local user with access to a SCSI device using this driver could exploit this for privilege escalation.

    This flaw has been mitigated by removing support for the I2OUSRCMD operation.

    CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing metadata validation may result in denial of service or potential privilege escalation if a corrupted XFS disk image is mounted.

    CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device mapper implementation may result in denial of service.

    CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file system may result in denial of service if a malformed file system is accessed.

    CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking may lead to an out-of-bounds write vulnerability, resulting in denial of service or potentially the execution of arbitrary code.

    CVE-2023-3111

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that can lead to a use-after-free. It's unclear whether an unprivileged user can exploit this.

    CVE-2023-3212

    Yang Lan discovered that missing validation in the GFS2 filesystem could result in denial of service via a NULL pointer dereference when mounting a malformed GFS2 filesystem.

    CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs could result in denial of service or an information leak.

    CVE-2023-3338

    Davide Ornaghi discovered a flaw in the DECnet protocol implementation which could lead to a NULL pointer dereference or use-after-free. A local user can exploit this to cause a denial of service (crash or memory corruption) and probably also for privilege escalation.

    This flaw has been mitigated by removing the DECnet protocol implementation.

    CVE-2023-3389

    Querijn Voet discovered a use-after-free in the io_uring subsystem, which may result in denial of service or privilege escalation.

    CVE-2023-3611

    It was discovered that an out-of-bounds write in the traffic control subsystem for the Quick Fair Queueing scheduler (QFQ) may result in denial of service or privilege escalation.

    CVE-2023-3609 / CVE-2023-3776 / CVE-2023-4128

    It was discovered that a use-after-free in the cls_fw, cls_u32 and cls_route network classifiers may result in denial of service or potential local privilege escalation.

    CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation may result in denial of service, an information leak or potential local privilege escalation.

    CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV receivers may result in local denial of service.

    CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a rule with NFTA_RULE_CHAIN_ID, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices may allow a local user to bypass network filters.

    CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which may result in local denial of service via a malformed file system.

    CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1 microarchitecture an integer division by zero may leave stale quotient data from a previous division, resulting in a potential leak of sensitive data.

    CVE-2023-21255

    A use-after-free was discovered in the Android binder driver, which may result in local privilege escalation on systems where the binder driver is loaded.

    CVE-2023-21400

    Ye Zhang and Nicolas Wu discovered a double-free in the io_uring subsystem, which may result in denial of service or privilege escalation.

    CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle locking of certain events, allowing a local user to cause a denial of service.

    CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver which may allow a Xen guest to cause denial of service to the virtualisation host by sending malformed packets.

    CVE-2023-35788

    Hangyu Hua discovered that an off-by-one in the Flower traffic classifier may result in local denial of service or privilege escalation.

    CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.


    For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.191-1.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : fastdds

    CVE ID : CVE-2023-39534 CVE-2023-39945 CVE-2023-39946 CVE-2023-39947

    CVE-2023-39948 CVE-2023-39949


    Multiple security issues were discovered in Fast DDS, a C++ implementation of the DDS (Data Distribution Service), which might result in denial of service or potentially the execution of arbitrary code when processing malformed RTPS packets.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.1.0+ds-9+deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.9.1+ds-1+deb12u1.


    We recommend that you upgrade your fastdds packages.


    For the detailed security status of fastdds please refer to its security tracker page at:

    Information on source package fastdds


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tryton-server

    CVE ID : not yet available


    "Edbo" and Cedric Krier discovered that the Tryton application server does enforce record rules when only reading fields without an SQL type (like Function fields).


    For the oldstable distribution (bullseye), this problem has been fixed in version 5.0.33-2+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 6.0.29-2+deb12u1.


    We recommend that you upgrade your tryton-server packages.


    For the detailed security status of tryton-server please refer to its security tracker page at:

    Information on source package tryton-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430

    CVE-2023-4431


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 116.0.5845.110-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 116.0.5845.110-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : librsvg

    CVE ID : CVE-2023-38633

    Debian Bug : 1041810


    Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in arbitrary files being read when processing a specially crafted SVG file with an include element.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.50.3+dfsg-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 2.54.7+dfsg-1~deb12u1.


    We recommend that you upgrade your librsvg packages.


    For the detailed security status of librsvg please refer to its security tracker page at:

    Information on source package librsvg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581

    CVE-2023-4584


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 102.15.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 102.15.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : json-c

    CVE ID : CVE-2021-32292


    An invalid memory access was discovered in json-c, a JSON library, which could result in denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.15-2+deb11u1.


    We recommend that you upgrade your json-c packages.


    For the detailed security status of json-c please refer to its security tracker page at:

    Information on source package json-c


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-4572

    Debian Bug : 1024981


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code.


    For the oldstable distribution (bullseye), this problem has been fixed in version 116.0.5845.140-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 116.0.5845.140-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581

    CVE-2023-4584


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:102.15.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:102.15.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : file

    CVE ID : CVE-2022-48554


    A buffer overflow was found in file, a file type classification tool, which may result in denial of service if a specially crafted file is processed.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1:5.39-3+deb11u1.


    We recommend that you upgrade your file packages.


    For the detailed security status of file please refer to its security tracker page at:

    Information on source package file


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : aom

    CVE ID : CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135

    CVE-2021-30473 CVE-2021-30474 CVE-2021-30475


    Multiple security vulnerabilities have been discovered in aom, the AV1 Video Codec Library. Buffer overflows, use-after-free and NULL pointer dereferences may cause a denial of service or other unspecified impact if a malformed multimedia file is processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.0.0.errata1-3+deb11u1.


    We recommend that you upgrade your aom packages.


    For the detailed security status of aom please refer to its security tracker page at:

    Information on source package aom


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 116.0.5845.180-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 116.0.5845.180-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2023-1206 CVE-2023-1989 CVE-2023-2430 CVE-2023-2898

    CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776

    CVE-2023-3777 CVE-2023-3863 CVE-2023-4004 CVE-2023-4015

    CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4155

    CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208

    CVE-2023-4273 CVE-2023-4569 CVE-2023-4622 CVE-2023-20588

    CVE-2023-34319 CVE-2023-40283


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2023-1206

    It was discovered that the networking stack permits attackers to force hash collisions in the IPv6 connection lookup table, which may result in denial of service (significant increase in the cost of lookups, increased CPU utilization).

    CVE-2023-1989

    Zheng Wang reported a race condition in the btsdio Bluetooth adapter driver that can lead to a use-after-free. An attacker able to insert and remove SDIO devices can use this to cause a denial of service (crash or memory corruption) or possibly to run arbitrary code in the kernel.

    CVE-2023-2430

    Xingyuan Mo discovered that the io_uring subsystem did not properly handle locking when the target ring is configured with IOPOLL, which may result in denial of service.

    CVE-2023-2898

    It was discovered that missing sanitising in the f2fs file system may result in denial of service if a malformed file system is accessed.

    CVE-2023-3611

    The TOTE Robot tool found a flaw in the Btrfs filesystem driver that can lead to a use-after-free. It's unclear whether an unprivileged user can exploit this.

    CVE-2023-3772

    Lin Ma discovered a NULL pointer dereference flaw in the XFRM subsystem which may result in denial of service.

    CVE-2023-3773

    Lin Ma discovered a flaw in the XFRM subsystem, which may result in denial of service for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-3776, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208

    It was discovered that a use-after-free in the cls_fw, cls_u32 and cls_route network classifiers may result in denial of service or potential local privilege escalation.

    CVE-2023-3777

    Kevin Rich discovered a use-after-free in Netfilter when flushing table rules, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-3863

    It was discovered that a use-after-free in the NFC implementation may result in denial of service, an information leak or potential local privilege escalation.

    CVE-2023-4004

    It was discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-4015

    Kevin Rich discovered a use-after-free in Netfilter when handling bound chain deactivation in certain circumstances, which may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-4132

    A use-after-free in the driver for Siano SMS1xxx based MDTV receivers may result in local denial of service.

    CVE-2023-4147

    Kevin Rich discovered a use-after-free in Netfilter when adding a rule with NFTA_RULE_CHAIN_ID, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

    CVE-2023-4155

    Andy Nguyen discovered a flaw in the KVM subsystem allowing a KVM guest using SEV-ES or SEV-SNP to cause a denial of service.

    CVE-2023-4194

    A type confusion in the implementation of TUN/TAP network devices may allow a local user to bypass network filters.

    CVE-2023-4273

    Maxim Suhanov discovered a stack overflow in the exFAT driver, which may result in local denial of service via a malformed file system.

    CVE-2023-4569

    lonial con discovered a flaw in the Netfilter subsystem, which may allow a local attacker to cause double deactivation of catchall elements, which results in a memory leak.

    CVE-2023-4622

    Bing-Jhong Billy Jheng discovered a use-after-free within the Unix domain sockets component, which may result in local privilege escalation.

    CVE-2023-20588

    Jana Hofmann, Emanuele Vannacci, Cedric Fournet, Boris Koepf and Oleksii Oleksenko discovered that on some AMD CPUs with the Zen1 microarchitecture an integer division by zero may leave stale quotient data from a previous division, resulting in a potential leak of sensitive data.

    CVE-2023-34319

    Ross Lagerwall discovered a buffer overrun in Xen's netback driver which may allow a Xen guest to cause denial of service to the virtualisation host by sending malformed packets.

    CVE-2023-40283

    A use-after-free was discovered in Bluetooth L2CAP socket handling.


    For the stable distribution (bookworm), these problems have been fixed in version 6.1.52-1. This update is released without armel builds. Changes in the new stable series import cause a substantial increase of the compressed image for marvell flavour. This issue will be addressed in a future linux update.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : open-vm-tools

    CVE ID : CVE-2023-20867 CVE-2023-20900

    Debian Bug : 1050970


    Two security issues have been discovered in the Open VMware Tools, which may result in a man-in-the-middle attack or authentication bypass.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2:11.2.5-2+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 2:12.2.0-1+deb12u1.


    We recommend that you upgrade your open-vm-tools packages.


    For the detailed security status of open-vm-tools please refer to its security tracker page at:

    Information on source package open-vm-tools


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mutt

    CVE ID : CVE-2023-4874 CVE-2023-4875

    Debian Bug : 1051563


    Several NULL pointer dereference flaws were discovered in Mutt, a text-based mail reader supporting MIME, GPG, PGP and threading, which may result in denial of service (application crash) when viewing a specially crafted email or when composing from a specially crafted draft message.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.5-4.1+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 2.2.9-1+deb12u1.


    We recommend that you upgrade your mutt packages.


    For the detailed security status of mutt please refer to its security tracker page at:

    Information on source package mutt


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : frr

    CVE ID : CVE-2022-36440 CVE-2022-40302 CVE-2022-40318 CVE-2022-43681

    CVE-2023-31490 CVE-2023-38802 CVE-2023-41358

    Debian Bug : 1035829 1036062


    Brief introduction


    Multiple vulnerabilities were discovered in frr, the FRRouting suite of internet protocols. While processing malformed requests and packets, the BGP daemon may hit reachable assertions, NULL pointer dereferences or out-of-bounds memory accesses, which may lead to denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 7.5.1-1.1+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 8.4.4-1.1~deb12u1.


    We recommend that you upgrade your frr packages.


    For the detailed security status of frr please refer to its security tracker page at:

    Information on source package frr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2023-4863


    A buffer overflow in parsing WebP images may result in the execution of arbitrary code.


    For the oldstable distribution (bullseye), this problem has been fixed in version 102.15.1esr-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 102.15.1esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libwebp

    CVE ID : CVE-2023-4863


    A buffer overflow in parsing WebP images may result in the execution of arbitrary code.


    For the stable distribution (bookworm), this problem has been fixed in version 1.2.4-0.2+deb12u1.


    We recommend that you upgrade your libwebp packages.


    For the detailed security status of libwebp please refer to its security tracker page at:

    Information on source package libwebp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/