Posts by Micha

    Package : less

    CVE ID : CVE-2022-48624 CVE-2024-32487

    Debian Bug : 1064293 1068938 1069681


    Several vulnerabilities were discovered in less, a file pager, which may result in the execution of arbitrary commands if a file with a specially crafted file name is processed.


    For the oldstable distribution (bullseye), these problems have been fixed in version 551-2+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 590-2.1~deb12u2.


    We recommend that you upgrade your less packages.


    For the detailed security status of less please refer to its security tracker page at:

    Information on source package less


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : glibc

    CVE ID : CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602


    Several vulnerabilities were discovered in nscd, the Name Service Cache Daemon in the GNU C library which may lead to denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.31-13+deb11u10.


    For the stable distribution (bookworm), these problems have been fixed in version 2.36-9+deb12u7.


    We recommend that you upgrade your glibc packages.


    For the detailed security status of glibc please refer to its security tracker page at:

    Information on source package glibc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ruby3.1

    CVE ID : CVE-2024-27280 CVE-2024-27281 CVE-2024-27282


    Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in information disclosure, denial of service or the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 3.1.2-7+deb12u1.


    We recommend that you upgrade your ruby3.1 packages.


    For the detailed security status of ruby3.1 please refer to its security tracker page at:

    Information on source package ruby3.1


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2024-4331 CVE-2024-4368


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 124.0.6367.118-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2024-4058 CVE-2024-4059 CVE-2024-4060


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 124.0.6367.78-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : pdns-recursor

    CVE ID : CVE-2024-25583


    It was discovered that PDNS Recursor, a resolving name server, was susceptible to denial of service if recursive forwarding is configured.


    For the stable distribution (bookworm), this problem has been fixed in version 4.8.8-1.


    We recommend that you upgrade your pdns-recursor packages.


    For the detailed security status of pdns-recursor please refer to its security tracker page at:

    Information on source package pdns-recursor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : glibc

    CVE ID : CVE-2024-2961

    Debian Bug : 1069191


    Charles Fol discovered that the iconv() function in the GNU C library is prone to a buffer overflow vulnerability when converting strings to the ISO-2022-CN-EXT character set, which may lead to denial of service (application crash) or the execution of arbitrary code.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.31-13+deb11u9.


    For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u6.


    We recommend that you upgrade your glibc packages.


    For the detailed security status of glibc please refer to its security tracker page at:

    Information on source package glibc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openjdk-17

    CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 17.0.11+9-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 17.0.11+9-1~deb12u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:

    Information on source package openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openjdk-11

    CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 11.0.23+9-1~deb11u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    Information on source package openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird

    CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1:115.10.1-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1:115.10.1-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : guix

    CVE ID : CVE-2024-27297


    It was discovered that insufficient restriction of unix daemon sockets in the GNU Guix functional package manager could result in sandbox bypass.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.2.0-4+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 1.4.0-3+deb12u1.


    We recommend that you upgrade your guix packages.


    For the detailed security status of guix please refer to its security tracker page at:

    Information on source package guix


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2024-3832 CVE-2024-3833 CVE-2024-3834 CVE-2024-3837 CVE-2024-3838 CVE-2024-3839 CVE-2024-3840 CVE-2024-3841 CVE-2024-3843 CVE-2024-3844 CVE-2024-3845 CVE-2024-3846 CVE-2024-3847


    Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bookworm), these problems have been fixed in version 124.0.6367.60-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tomcat9

    CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549

    Debian Bug : 1057082 1066877 1066878


    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.


    CVE-2023-46589


    Tomcat 9 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.


    CVE-2024-24549


    Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.


    CVE-2024-23672


    Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption.


    For the oldstable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u10.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:

    Information on source package tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : flatpak

    CVE ID : CVE-2024-32462


    Gergo Koteles discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed in combination with xdg-desktop-portal.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.10.8-0+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 1.14.4-1+deb12u1.


    We recommend that you upgrade your flatpak packages.


    For the detailed security status of flatpak please refer to its security tracker page at:

    Information on source package flatpak


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tomcat10

    CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549

    Debian Bug : 1057082 1066877 1066878


    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.


    CVE-2023-46589


    Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.


    CVE-2024-24549


    Denial of Service due to improper input validation vulnerability for HTTP/2. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.


    CVE-2024-23672


    Denial of Service via incomplete cleanup vulnerability. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption.


    For the stable distribution (bookworm), these problems have been fixed in version 10.1.6-1+deb12u2.


    We recommend that you upgrade your tomcat10 packages.


    For the detailed security status of tomcat10 please refer to its security tracker page at:

    Information on source package tomcat10


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : jetty9

    CVE ID : CVE-2024-22201


    Jetty 9 is a Java-based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients, which can cause a denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 9.4.50-4+deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 9.4.50-4+deb12u3.


    We recommend that you upgrade your jetty9 packages.


    For the detailed security status of jetty9 please refer to its security tracker page at:

    Information on source package jetty9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr

    CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.10.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.10.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : cockpit

    Debian Bug : 1069059


    The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.


    For the stable distribution (bookworm), this problem has been fixed in version 287.1-0+deb12u2.


    We recommend that you upgrade your cockpit packages.


    For the detailed security status of cockpit please refer to its security tracker page at:

    Information on source package cockpit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : apache2

    CVE ID : CVE-2023-31122 CVE-2023-38709 CVE-2023-43622 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316


    Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.4.59-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.4.59-1~deb12u1.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    Information on source package apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : php8.2

    CVE ID : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096


    Multiple security issues were found in PHP, a widely used open source general purpose scripting language, which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.


    For the stable distribution (bookworm), these problems have been fixed in version 8.2.18-1~deb12u1.


    We recommend that you upgrade your php8.2 packages.


    For the detailed security status of php8.2 please refer to its security tracker page at:

    Information on source package php8.2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/