Debian Security Advisory

    • Official post

    Package : atril

    CVE ID : CVE-2023-52076


    It was discovered that missing input sanitising in the Atril document viewer could result in writing arbitrary files in the user's home directory if a malformed epub document is opened.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.24.0-1+deb11u1. This update also disables support for comic book archives, mitigating CVE-2023-51698.


    For the stable distribution (bookworm), this problem has been fixed in version 1.26.0-2+deb12u3.


    We recommend that you upgrade your atril packages.


    For the detailed security status of atril please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/atril


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
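An epub is a zip container, and the bug class described in this advisory (an archive member whose name escapes the directory the viewer unpacks into) is avoided by resolving every member path against the destination and rejecting the whole document before anything is written. The following is an added example, not Atril's code and not the fix Debian shipped: a Python extractor that builds a constructed epub-like archive in memory, once benign and once with a traversal entry, and refuses the malformed one. The member names and the `epub-probe` directory are assumptions made for the example.

```python
import io
import os
import tempfile
import zipfile


def build_epub(include_traversal):
    """Build a minimal epub-like zip in memory. Constructed sample data for
    this example, not a real document. With include_traversal=True one
    member name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("OEBPS/chapter1.xhtml", "<html><body>hello</body></html>")
        if include_traversal:
            # Relative to <home>/book this resolves to <home>/.profile
            zf.writestr("../.profile", "echo pwned\n")
    return buf.getvalue()


def resolve_member(dest_dir, name):
    """Map a zip member name to an absolute path under dest_dir, or raise
    ValueError if it would land anywhere else (absolute names, NUL bytes,
    '..' segments, symlinked parents are all caught by realpath+commonpath)."""
    if "\x00" in name or name.startswith(("/", "\\")):
        raise ValueError(f"absolute or malformed member name: {name!r}")
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"member escapes extraction directory: {name!r}")
    return target


def unsafe_members(data):
    """Pre-flight scan: member names that would escape, without writing."""
    probe = os.path.join(tempfile.gettempdir(), "epub-probe")  # path math only, never created
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            try:
                resolve_member(probe, name)
            except ValueError:
                bad.append(name)
    return bad


def extract_epub(data, dest_dir):
    """Validate every member first, then write. One bad entry rejects the
    whole document, so no file is created before the traversal is noticed."""
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, resolve_member(dest_real, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return sorted(written)


def demo():
    """Extract a benign document into a throwaway 'home', then attempt the
    malformed one. Returns (files written, malformed rejected, home polluted)."""
    with tempfile.TemporaryDirectory() as home:
        benign = extract_epub(build_epub(False), os.path.join(home, "book"))
        try:
            extract_epub(build_epub(True), os.path.join(home, "book2"))
            rejected = False
        except ValueError:
            rejected = True
        leaked = os.path.exists(os.path.join(home, ".profile"))
    return benign, rejected, leaked


if __name__ == "__main__":
    print(unsafe_members(build_epub(True)))  # ['../.profile']
    print(demo())                            # (['OEBPS/chapter1.xhtml', 'mimetype'], True, False)
```

The two-pass design matters: validating as you go still leaves the benign members on disk when a later entry is rejected, which is the wrong outcome for a document viewer that should treat the file as untrusted as a whole.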

    • Official post

    Package : libreoffice

    CVE ID : CVE-2024-3044


    Amel Bouziane-Leblond discovered that LibreOffice's support for binding scripts to click events on graphics could result in unchecked script execution.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1:7.0.4-4+deb11u9.


    For the stable distribution (bookworm), this problem has been fixed in version 4:7.4.7-1+deb12u2.


    We recommend that you upgrade your libreoffice packages.


    For the detailed security status of libreoffice please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libreoffice


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-4761


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-4761 exists in the wild.


    For the stable distribution (bookworm), this problem has been fixed in version 124.0.6367.207-1~deb12u1.


    We highly recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.11.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.11.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript

    CVE ID : CVE-2023-52722 CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871


    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u7.


    For the stable distribution (bookworm), these problems have been fixed in version 10.0.0~dfsg-11+deb12u4.


    We recommend that you upgrade your ghostscript packages.


    For the detailed security status of ghostscript please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ghostscript


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.11.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:115.11.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 125.0.6422.60-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2024-27834


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2024-27834

    Manfred Paul discovered that an attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.44.2-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 2.44.2-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 125.0.6422.76-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-5274


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. Google is aware that an exploit for CVE-2024-5274 exists in the wild.


    For the stable distribution (bookworm), this problem has been fixed in version 125.0.6422.112-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-rack

    CVE ID : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146


    Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.1.4-3+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 2.2.6.4-1+deb12u1.


    We recommend that you upgrade your ruby-rack packages.


    For the detailed security status of ruby-rack please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby-rack


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redmine

    CVE ID : CVE-2023-47258 CVE-2023-47259 CVE-2023-47260


    Multiple cross-site scripting vulnerabilities were found in Redmine, a project management web application.


    For the stable distribution (bookworm), these problems have been fixed in version 5.0.4-5+deb12u1.


    We recommend that you upgrade your redmine packages.


    For the detailed security status of redmine please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/redmine


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-pymysql

    CVE ID : CVE-2024-36039


    An SQL injection was discovered in pymysql, a pure Python MySQL driver.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.9.3-2+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.0.2-2+deb12u1.


    We recommend that you upgrade your python-pymysql packages.


    For the detailed security status of python-pymysql please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-pymysql


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496 CVE-2024-5497 CVE-2024-5498 CVE-2024-5499


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 125.0.6422.141-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gst-plugins-base1.0

    CVE ID : CVE-2024-4453


    An integer overflow in the EXIF metadata parsing was discovered in the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.18.4-2+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-3+deb12u2.


    We recommend that you upgrade your gst-plugins-base1.0 packages.


    For the detailed security status of gst-plugins-base1.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/gst-plugins-base1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pillow

    CVE ID : CVE-2023-44271 CVE-2023-50447 CVE-2024-28219


    Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service or the execution of arbitrary code if malformed images are processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 8.1.2+dfsg-0.3+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 9.4.0-1.1+deb12u1.


    We recommend that you upgrade your pillow packages.


    For the detailed security status of pillow please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/pillow


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tinyproxy

    CVE ID : CVE-2023-49606


    A use-after-free was discovered in tinyproxy, a lightweight, non-caching, optionally anonymizing HTTP proxy, which could result in denial of service.


    For the stable distribution (bookworm), this problem has been fixed in version 1.11.1-2.1+deb12u1.


    We recommend that you upgrade your tinyproxy packages.


    For the detailed security status of tinyproxy please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tinyproxy


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : vlc

    CVE ID : not yet available


    A buffer overflow was discovered in the MMS module of the VLC media player.


    For the oldstable distribution (bullseye), this problem has been fixed in version 3.0.21-0+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 3.0.21-0+deb12u1.


    We recommend that you upgrade your vlc packages.


    For the detailed security status of vlc please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/vlc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cyrus-imapd

    CVE ID : CVE-2024-34055


    Damian Poddebniak discovered that the Cyrus IMAP server didn't restrict memory allocation for some command arguments, which may result in denial of service. This update backports new config directives which allow limits to be configured; additional details can be found at:


    Cyrus IMAP 3.6.5 Release Notes (Cyrus IMAP 3.6.5 documentation)


    These changes are too intrusive to be backported to the version of Cyrus in the oldstable distribution (bullseye). If the IMAP server is used by untrusted users, an update to Debian stable/bookworm is recommended.

    In addition, the version of cyrus-imapd in bullseye-backports will be updated with a patch soon.


    For the stable distribution (bookworm), this problem has been fixed in version 3.6.1-4+deb12u2.


    We recommend that you upgrade your cyrus-imapd packages.


    For the detailed security status of cyrus-imapd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/cyrus-imapd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, the bypass of sandbox restrictions or an information leak.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.12.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.12.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/