Debian Security Advisory

    • Official post

    Package : apache2

    Debian Bug : 1079172 1079206


    The fixes for CVE-2024-38474 and CVE-2024-39884 introduced two regressions in mod_rewrite and mod_proxy.


    For the stable distribution (bookworm), these problems have been fixed in version 2.4.62-1~deb12u2.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
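    The advisories in this thread each name a source package and the bookworm version that carries the fix; deciding whether a host is still exposed means ordering the installed version against that string the way dpkg does (epoch, then upstream version, then Debian revision, with "~" sorting before everything). The block below is an added example, not Debian's tooling and not part of any advisory: it re-implements the deb-version(7) ordering in Python and runs a constructed package inventory (the SAMPLE_INVENTORY lines are made up, not from a real host) against the fixed versions quoted in this thread.

```python
# Added example (not Debian's own tooling, not part of the advisories): a
# re-implementation of dpkg's version ordering from deb-version(7), used to
# tell whether an installed package is at or above the fixed version quoted
# in an advisory. Epochs ("1:"), the "~" rule and digit/non-digit segments
# all occur in the version strings in this thread, so all are handled.

_DIGITS = "0123456789"

def _order(c: str) -> int:
    """dpkg character weight: digit 0, letter its code, '~' below all, else above."""
    if c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0

def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings as dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare weights; end of string weighs 0, above '~'.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v: str) -> tuple:
    """Split '[epoch:]upstream[-revision]'; a missing revision counts as 0."""
    epoch, rest = 0, v
    if ":" in rest:
        e, rest = rest.split(":", 1)
        if not e.isdigit():
            raise ValueError(f"bad epoch in {v!r}")
        epoch = int(e)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, ordered as 'dpkg --compare-versions' orders a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(installed: str, fixed: str) -> bool:
    return compare_versions(installed, fixed) >= 0

# Fixed bookworm versions as quoted in this thread (chromium: its latest advisory).
FIXED_IN_BOOKWORM = {
    "apache2": "2.4.62-1~deb12u2", "chromium": "130.0.6723.91-1~deb12u1",
    "firefox-esr": "128.4.0esr-1~deb12u1", "thunderbird": "1:128.4.0esr-1~deb12u1",
    "node-dompurify": "2.4.1+dfsg+~2.4.0-2", "python-reportlab": "3.6.12-1+deb12u1",
    "webkit2gtk": "2.46.3-1~deb12u1", "openjdk-17": "17.0.13+11-2~deb12u1",
    "python-sql": "1.4.0-1+deb12u1", "libheif": "1.15.1-1+deb12u1",
    "twisted": "22.4.0-4+deb12u1", "activemq": "5.17.2+dfsg-2+deb12u1",
    "xorg-server": "2:21.1.7-3+deb12u8", "guix": "1.4.0-3+deb12u2",
}

# Constructed inventory (not from a real host), in the shape produced by
#   dpkg-query -W -f='${source:Package} ${binary:Package} ${Version}\n'
# Advisories name source packages, so the check keys on the first column.
SAMPLE_INVENTORY = """\
apache2 apache2-bin 2.4.62-1~deb12u1
chromium chromium 130.0.6723.91-1~deb12u1
thunderbird thunderbird 1:115.16.0esr-1~deb12u1
xorg-server xserver-xorg-core 2:21.1.7-3+deb12u7
webkit2gtk libwebkit2gtk-4.1-0 2.46.3-1~deb12u1
activemq activemq 5.17.2+dfsg-2+deb12u1
"""

def vulnerable_packages(inventory: str, fixed: dict) -> list:
    """(source, binary, installed, fixed) for every package below its fix."""
    found = []
    for line in inventory.splitlines():
        if line.strip():
            source, binary, version = line.split()
            if source in fixed and not is_fixed(version, fixed[source]):
                found.append((source, binary, version, fixed[source]))
    return found

if __name__ == "__main__":
    for source, binary, installed, fixed in vulnerable_packages(SAMPLE_INVENTORY, FIXED_IN_BOOKWORM):
        print(f"{binary} (source {source}): {installed} is older than {fixed}")
```

Two points worth keeping in mind when using this against real output: the advisories name source packages, so the inventory must carry the `source:Package` field rather than the binary name (xserver-xorg-core belongs to xorg-server, libwebkit2gtk-4.1-0 to webkit2gtk), and a binNMU suffix such as "+b1" on the installed version orders above the quoted fixed version, which is the correct result. On a Debian host itself, `dpkg --compare-versions` is the authoritative implementation; the Python version is for checking inventories collected from many hosts offline.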

    • Official post

    Package : chromium

    CVE ID : CVE-2024-9602 CVE-2024-9603


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 129.0.6668.100-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-9680


    Damien Schaeffer discovered a use-after-free in the Mozilla Firefox web browser, which could result in the execution of arbitrary code.


    For the stable distribution (bookworm), this problem has been fixed in version 128.3.1esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401 CVE-2024-9680


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 1:115.16.0esr-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : node-dompurify

    CVE ID : CVE-2024-47875


    It was discovered that DOMPurify, a sanitizer for HTML, MathML and SVG, was susceptible to nesting-based mXSS.


    For the stable distribution (bookworm), this problem has been fixed in version 2.4.1+dfsg+~2.4.0-2.


    We recommend that you upgrade your node-dompurify packages.


    For the detailed security status of node-dompurify please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/node-dompurify


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-reportlab

    CVE ID : CVE-2023-33733


    Elyas Damej discovered that a sandbox mechanism in ReportLab, a Python library to create PDF documents, could be bypassed which may result in the execution of arbitrary code when converting malformed HTML to a PDF document.


    For the stable distribution (bookworm), this problem has been fixed in version 3.6.12-1+deb12u1.


    We recommend that you upgrade your python-reportlab packages.


    For the detailed security status of python-reportlab please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-reportlab


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2024-40866 CVE-2024-44187


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2024-40866


    Hafiizh and YoKo Kho discovered that visiting a malicious website may lead to address bar spoofing.


    CVE-2024-44187


    Narendra Bhati discovered that a malicious website may exfiltrate data cross-origin.


    For the stable distribution (bookworm), these problems have been fixed in version 2.46.0-2~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957 CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961 CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965 CVE-2024-9966


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 130.0.6723.58-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 17.0.13+11-2~deb12u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-sql

    CVE ID : CVE-2024-9774


    Cedric Krier discovered that python-sql, a library to write SQL queries in a pythonic way, performed insufficient sanitising which could result in SQL injection.


    For the stable distribution (bookworm), this problem has been fixed in version 1.4.0-1+deb12u1.


    We recommend that you upgrade your python-sql packages.


    For the detailed security status of python-sql please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-sql


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libheif

    CVE ID : CVE-2023-29659 CVE-2023-49462 CVE-2024-41311


    Multiple security issues were found in libheif, a library to parse HEIF and AVIF files, which could result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 1.15.1-1+deb12u1.


    We recommend that you upgrade your libheif packages.


    For the detailed security status of libheif please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libheif


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : twisted

    CVE ID : CVE-2023-46137 CVE-2024-41671 CVE-2024-41810


    Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting.


    For the stable distribution (bookworm), these problems have been fixed in version 22.4.0-4+deb12u1.


    We recommend that you upgrade your twisted packages.


    For the detailed security status of twisted please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/twisted


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : activemq

    CVE ID : CVE-2023-46604


    Christoper L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code.


    For the stable distribution (bookworm), this problem has been fixed in version 5.17.2+dfsg-2+deb12u1.


    We recommend that you upgrade your activemq packages.


    For the detailed security status of activemq please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/activemq


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : chromium

    CVE ID : CVE-2024-10229 CVE-2024-10230 CVE-2024-10231


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 130.0.6723.69-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : xorg-server

    CVE ID : CVE-2024-9632

    Debian Bug : 1086244


    Jan-Niklas Sohn discovered that a heap-based buffer overflow in the _XkbSetCompatMap function in the X Keyboard Extension of the X.org X server may result in privilege escalation if the X server is running privileged.


    For the stable distribution (bookworm), this problem has been fixed in version 2:21.1.7-3+deb12u8.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : firefox-esr

    CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 128.4.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : chromium

    CVE ID : CVE-2024-10487 CVE-2024-10488


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 130.0.6723.91-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : thunderbird

    CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461 CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465 CVE-2024-10466 CVE-2024-10467


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    Debian follows the Thunderbird upstream releases. Support for the 115.x series has ended, so starting with this update we're now following the 128.x series.


    For the stable distribution (bookworm), these problems have been fixed in version 1:128.4.0esr-1~deb12u1. This version is not yet available for the i386 architecture.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2024-44244 CVE-2024-44296


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2024-44244


    An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that processing maliciously crafted web content may lead to an unexpected process crash.


    CVE-2024-44296


    Narendra Bhati discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.


    For the stable distribution (bookworm), these problems have been fixed in version 2.46.3-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • New
    • Official post

    Package : guix

    CVE ID : not yet available


    It was discovered that the daemon of the GNU Guix functional package manager was susceptible to privilege escalation. For additional information please refer to https://guix.gnu.org/en/blog/2024/b…-vulnerability/


    For the stable distribution (bookworm), this problem has been fixed in version 1.4.0-3+deb12u2.


    We recommend that you upgrade your guix packages.


    For the detailed security status of guix please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/guix


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/