Debian Security Advisory

    • Official post

    Package : ceph

    CVE ID : CVE-2023-43040 CVE-2024-48916


    Sage McTaggart discovered an authentication bypass in radosgw, the RADOS REST gateway of Ceph, a distributed storage and file system.


    For the stable distribution (bookworm), these problems have been fixed in version 16.2.15+ds-0+deb12u1.


    We recommend that you upgrade your ceph packages.


    For the detailed security status of ceph please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ceph


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : smarty3

    CVE ID : CVE-2023-28447 CVE-2024-35226


    Two security vulnerabilities were discovered in Smarty, a template engine for PHP, which could result in PHP code injection or cross-site scripting.


    For the stable distribution (bookworm), these problems have been fixed in version 3.1.47-2+deb12u1.


    We recommend that you upgrade your smarty3 packages.


    For the detailed security status of smarty3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/smarty3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : proftpd-dfsg

    CVE ID : CVE-2024-48651

    Debian Bug : 1082326


    Brian Ristuccia discovered that in ProFTPD, a powerful modular FTP/SFTP/FTPS server, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql.


    For the stable distribution (bookworm), this problem has been fixed in version 1.3.8+dfsg-4+deb12u4.


    We recommend that you upgrade your proftpd-dfsg packages.


    For the detailed security status of proftpd-dfsg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/proftpd-dfsg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-aiohttp

    CVE ID : CVE-2023-47627 CVE-2023-49081 CVE-2023-49082 CVE-2024-23334 CVE-2024-30251 CVE-2024-52304


    Multiple security vulnerabilities were discovered in python-aiohttp, an HTTP client/server for asyncio, which could result in denial of service, directory traversal, CRLF injection or request smuggling.


    For the stable distribution (bookworm), these problems have been fixed in version 3.8.4-1+deb12u1.


    We recommend that you upgrade your python-aiohttp packages.


    For the detailed security status of python-aiohttp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-aiohttp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-12381 CVE-2024-12382


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 131.0.6778.139-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : smarty4

    CVE ID : CVE-2024-35226


    A security vulnerability was discovered in Smarty, a template engine for PHP, which could result in PHP code injection.


    For the stable distribution (bookworm), this problem has been fixed in version 4.3.0-1+deb12u2.


    We recommend that you upgrade your smarty4 packages.


    For the detailed security status of smarty4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/smarty4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gst-plugins-base1.0

    CVE ID : CVE-2024-47538 CVE-2024-47541 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835


    Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.


    For the stable distribution (bookworm), these problems have been fixed in version 1.22.0-3+deb12u3.


    We recommend that you upgrade your gst-plugins-base1.0 packages.


    For the detailed security status of gst-plugins-base1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-base1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gstreamer1.0

    CVE ID : CVE-2024-47606


    Antonio Morales reported an integer overflow vulnerability in the memory allocator in the Core GStreamer libraries, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is processed.


    For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-2+deb12u1.


    We recommend that you upgrade your gstreamer1.0 packages.


    For the detailed security status of gstreamer1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gstreamer1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : dpdk

    CVE ID : CVE-2024-11614


    A buffer overflow was discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers.


    For the stable distribution (bookworm), this problem has been fixed in version 22.11.7-1~deb12u1.


    We recommend that you upgrade your dpdk packages.


    For the detailed security status of dpdk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dpdk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2024-12692 CVE-2024-12693 CVE-2024-12694 CVE-2024-12695


    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 131.0.6778.204-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2024-54479 CVE-2024-54502 CVE-2024-54505 CVE-2024-54508


    The following vulnerabilities have been discovered in the WebKitGTK web engine:

    CVE-2024-54479

    Seunghyun Lee discovered that processing maliciously crafted web content may lead to an unexpected process crash.

    CVE-2024-54502

    Brendon Tiszka discovered that processing maliciously crafted web content may lead to an unexpected process crash.

    CVE-2024-54505

    Gary Kwong discovered that processing maliciously crafted web content may lead to memory corruption.

    CVE-2024-54508

    linjy, chluo and Xiangwei Zhang discovered that processing maliciously crafted web content may lead to an unexpected process crash.


    For the stable distribution (bookworm), these problems have been fixed in version 2.46.5-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2023-28746 CVE-2023-46841 CVE-2023-46842 CVE-2024-2193 CVE-2024-2201 CVE-2024-31142 CVE-2024-31143 CVE-2024-31145 CVE-2024-31146 CVE-2024-45817 CVE-2024-45818 CVE-2024-45819


    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.


    For the stable distribution (bookworm), these problems have been fixed in version 4.17.5+23-ga4e5191dc0-1.


    We recommend that you upgrade your xen packages.


    For the detailed security status of xen please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xen


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : fastnetmon

    CVE ID : CVE-2024-56072 CVE-2024-56073


    Two security issues have been discovered in FastNetMon, a fast DDoS analyzer: malformed Netflow/sFlow traffic could result in denial of service.


    For the stable distribution (bookworm), these problems have been fixed in version 1.2.4-2+deb12u1.


    We recommend that you upgrade your fastnetmon packages.


    For the detailed security status of fastnetmon please refer to its security tracker page at: https://security-tracker.debian.org/tracker/fastnetmon


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gst-plugins-good1.0

    CVE ID : CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 CVE-2024-47602 CVE-2024-47603 CVE-2024-47606 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 CVE-2024-47777 CVE-2024-47778 CVE-2024-47834


    Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.


    For the stable distribution (bookworm), these problems have been fixed in version 1.22.0-5+deb12u2.


    We recommend that you upgrade your gst-plugins-good1.0 packages.


    For the detailed security status of gst-plugins-good1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-good1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
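    Every advisory in this thread ends with the same instruction: upgrade to the named fixed version for bookworm. The practical question for a defender is which of those fixed versions the local hosts are still below, and answering it correctly means comparing versions by Debian's ordering rules rather than as plain strings (note the `~deb12u1` suffixes, which sort before the unsuffixed revision, and the `+deb12u1` suffixes, which sort after it). The Python script below is an added example and not part of the Debian advisories or of dpkg; it reimplements the dpkg version-comparison algorithm (epoch, then upstream version, then Debian revision, alternating non-digit and digit runs, with `~` ordered before everything) so that it runs offline, loads the fixed versions quoted in the advisories above, and reports which packages in a constructed, made-up snapshot of installed source-package versions are still below them. The snapshot is in the shape `dpkg-query -W -f '${source:Package} ${source:Version}\n'` prints on a real host; chromium appears in two advisories here, so the table keeps only the later version.

```python
import re

# Fixed versions for bookworm, copied from the advisories in this thread.
# chromium is advised twice on the page; only the later version is kept.
FIXED_IN_BOOKWORM = {
    "ceph": "16.2.15+ds-0+deb12u1",
    "smarty3": "3.1.47-2+deb12u1",
    "proftpd-dfsg": "1.3.8+dfsg-4+deb12u4",
    "python-aiohttp": "3.8.4-1+deb12u1",
    "chromium": "131.0.6778.204-1~deb12u1",
    "smarty4": "4.3.0-1+deb12u2",
    "gst-plugins-base1.0": "1.22.0-3+deb12u3",
    "gstreamer1.0": "1.22.0-2+deb12u1",
    "dpdk": "22.11.7-1~deb12u1",
    "webkit2gtk": "2.46.5-1~deb12u1",
    "xen": "4.17.5+23-ga4e5191dc0-1",
    "fastnetmon": "1.2.4-2+deb12u1",
    "gst-plugins-good1.0": "1.22.0-5+deb12u2",
}

# Constructed snapshot (made-up versions) in the shape produced by
#   dpkg-query -W -f '${source:Package} ${source:Version}\n'
INSTALLED_SAMPLE = """\
ceph 16.2.11+ds-2
chromium 131.0.6778.139-1~deb12u1
gstreamer1.0 1.22.0-2+deb12u1
xen 4.17.3-1
fastnetmon 1.2.4-2+deb12u1
python-aiohttp 3.8.4-1
"""


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, even end of string;
    letters by code point; other symbols after all letters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or a revision like dpkg's verrevcmp():
    alternate non-digit runs (char by char via _order) and digit runs
    (numerically). Returns negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        da = re.match(r"\d*", a[i:]).group(0)
        db = re.match(r"\d*", b[j:]).group(0)
        i += len(da)
        j += len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]'. The revision is everything after
    the LAST hyphen (xen's upstream part contains a hyphen itself); a missing
    epoch is 0 and a missing revision compares like '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def outdated_packages(installed_text: str, fixed=FIXED_IN_BOOKWORM) -> dict:
    """Map each advised source package whose installed version is below the
    advisory's fixed version to (installed, fixed)."""
    result = {}
    for line in installed_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        src, ver = parts
        if src in fixed and compare_versions(ver, fixed[src]) < 0:
            result[src] = (ver, fixed[src])
    return result


if __name__ == "__main__":
    for src, (have, need) in sorted(outdated_packages(INSTALLED_SAMPLE).items()):
        print(f"{src}: installed {have} < fixed {need}")
```

    On the constructed snapshot this flags ceph, chromium, python-aiohttp and xen, while gstreamer1.0 and fastnetmon are already at the fixed version. On a real host, feed the script the output of the `dpkg-query` command above; `dpkg --compare-versions` remains the authoritative implementation of the ordering if the two ever disagree on an exotic version string.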