Posts by Micha

    Package : libreoffice

    CVE ID : CVE-2023-6185 CVE-2023-6186


    Reginaldo Silva discovered two security vulnerabilities in LibreOffice, which could result in the execution of arbitrary scripts or Gstreamer plugins when opening a malformed file.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:7.0.4-4+deb11u8.


    For the stable distribution (bookworm), these problems have been fixed in version 4:7.4.7-1+deb12u1.


    We recommend that you upgrade your libreoffice packages.


    For the detailed security status of libreoffice please refer to its security tracker page at:

    Information on source package libreoffice


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2023-6508 CVE-2023-6509 CVE-2023-6510 CVE-2023-6511 CVE-2023-6512


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), the updates are pending and will be released shortly. When completed, fixes will be made available as 120.0.6099.71-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 120.0.6099.71-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : roundcube

    CVE ID : CVE-2023-47272

    Debian Bug : 1055421


    Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.4.15+dfsg.1-1~deb11u2.


    For the stable distribution (bookworm), this problem has been fixed in version 1.6.5+dfsg-1~deb12u1.


    We recommend that you upgrade your roundcube packages.


    For the detailed security status of roundcube please refer to its security tracker page at:

    Information on source package roundcube


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : rabbitmq-server

    CVE ID : CVE-2023-46118


    It was discovered that missing input sanitising in the HTTP API endpoint of RabbitMQ, an implementation of the AMQP protocol, could result in denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 3.8.9-3+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 3.10.8-1.1+deb12u1.


    We recommend that you upgrade your rabbitmq-server packages.


    For the detailed security status of rabbitmq-server please refer to its security tracker page at:

    Information on source package rabbitmq-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : nghttp2

    CVE ID : CVE-2023-44487


    It was discovered that libnghttp2, a library implementing the HTTP/2 protocol, handled request cancellation incorrectly. This could result in denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.43.0-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.52.0-1+deb12u1.


    We recommend that you upgrade your nghttp2 packages.


    For the detailed security status of nghttp2 please refer to its security tracker page at:

    Information on source package nghttp2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium

    CVE ID : CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6348 CVE-2023-6350 CVE-2023-6351


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 119.0.6045.199-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 119.0.6045.199-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : fastdds

    CVE ID : CVE-2023-42459

    Debian Bug : 1054163


    It was discovered that incorrect memory management in Fast DDS, a C++ implementation of the DDS (Data Distribution Service), might result in denial of service.


    The oldstable distribution (bullseye) is not affected.


    For the stable distribution (bookworm), this problem has been fixed in version 2.9.1+ds-1+deb12u2.


    We recommend that you upgrade your fastdds packages.


    For the detailed security status of fastdds please refer to its security tracker page at:

    Information on source package fastdds


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : strongswan

    CVE ID : CVE-2023-41913


    Florian Picca reported a bug in the charon-tkm daemon of strongSwan, an IKE/IPsec suite.


    The TKM-backed version of the charon IKE daemon (charon-tkm) doesn't check the length of received Diffie-Hellman public values before copying them to a fixed-size buffer on the stack, causing a buffer overflow that could potentially be exploited for remote code execution by sending a specially crafted and unauthenticated IKE_SA_INIT message.


    For the oldstable distribution (bullseye), this problem has been fixed in version 5.9.1-1+deb11u4.


    For the stable distribution (bookworm), this problem has been fixed in version 5.9.8-5+deb12u1.


    We recommend that you upgrade your strongswan packages.


    For the detailed security status of strongswan please refer to its security tracker page at:

    Information on source package strongswan


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
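The bug class described in the strongswan advisory above (a peer-supplied Diffie-Hellman public value copied into a fixed-size stack buffer without a length check), shown as an added example that is not strongSwan's code and not taken from the fix. The buffer size DH_PUB_BUF_LEN and the two-byte length framing of the sample payload are assumptions for illustration, not the IKEv2 wire format; all sample payloads are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, illustrative buffer size; the real limit in strongSwan is not stated here. */
#define DH_PUB_BUF_LEN 512

/* Small helper so the copied bytes are actually consumed. */
uint8_t xor_bytes(const uint8_t *p, size_t n)
{
    uint8_t x = 0;
    for (size_t i = 0; i < n; i++) {
        x ^= p[i];
    }
    return x;
}

/* Vulnerable pattern (do not use): the length announced by the peer is
 * trusted and copied straight into a fixed-size stack buffer. A public value
 * longer than DH_PUB_BUF_LEN, sent in an unauthenticated IKE_SA_INIT, would
 * overwrite the stack. Only safe when pub_len <= DH_PUB_BUF_LEN, which is
 * exactly what this function fails to guarantee. */
uint8_t copy_dh_pub_unchecked(const uint8_t *pub, size_t pub_len)
{
    uint8_t buf[DH_PUB_BUF_LEN];
    memcpy(buf, pub, pub_len);          /* no bounds check: stack overflow */
    return xor_bytes(buf, pub_len);
}

/* Hardened pattern: validate the peer-supplied length against the destination
 * before any copy and refuse the message otherwise. */
bool copy_dh_pub_checked(const uint8_t *pub, size_t pub_len,
                         uint8_t *out, size_t out_len)
{
    if (pub == NULL || out == NULL) {
        return false;
    }
    if (pub_len == 0 || pub_len > out_len) {
        return false;                   /* does not fit: drop, do not touch out */
    }
    memcpy(out, pub, pub_len);
    return true;
}

/* Parse one constructed KE-style payload: a 2-byte big-endian length prefix
 * followed by the public value (simplified framing, assumed for the example).
 * Rejects a declared length that exceeds the bytes actually present, and a
 * value that would not fit the destination buffer. */
bool handle_ke_payload(const uint8_t *payload, size_t payload_len,
                       uint8_t *out, size_t out_len, size_t *copied)
{
    if (payload == NULL || payload_len < 2) {
        return false;
    }
    size_t declared = ((size_t)payload[0] << 8) | payload[1];
    if (declared > payload_len - 2) {
        return false;                   /* length field lies about the message size */
    }
    if (!copy_dh_pub_checked(payload + 2, declared, out, out_len)) {
        return false;
    }
    *copied = declared;
    return true;
}

int main(void)
{
    uint8_t out[DH_PUB_BUF_LEN];
    size_t copied = 0;

    /* Constructed sample: a 256-byte public value, which fits. */
    uint8_t good[2 + 256] = { 0x01, 0x00 };
    memset(good + 2, 0xAB, 256);
    printf("256-byte value accepted: %d (xor %u)\n",
           handle_ke_payload(good, sizeof good, out, sizeof out, &copied),
           copy_dh_pub_unchecked(good + 2, 256));

    /* Constructed sample: a 4096-byte "public value" that would overflow a
     * 512-byte stack buffer in the unchecked variant. */
    static uint8_t bad[2 + 4096] = { 0x10, 0x00 };
    printf("4096-byte value accepted: %d\n",
           handle_ke_payload(bad, sizeof bad, out, sizeof out, &copied));
    return 0;
}
```

The check belongs before the copy and must compare against the destination size, not against the length the peer announced; the declared-versus-present comparison in handle_ke_payload is the second half of the same rule, since a length field can also overstate how much data was received.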

    Package : chromium

    CVE ID : CVE-2023-5997 CVE-2023-6112


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 119.0.6045.159-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 119.0.6045.159-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tiff

    CVE ID : CVE-2023-3576 CVE-2023-40745 CVE-2023-41175



    Multiple buffer overflows and memory leak issues have been found in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.


    For the oldstable distribution (bullseye), these problems have been fixed in version 4.2.0-1+deb11u5.


    For the stable distribution (bookworm), these problems have been fixed in version 4.5.0-6+deb12u1.


    We recommend that you upgrade your tiff packages.


    For the detailed security status of tiff please refer to its security tracker page at:

    Information on source package tiff


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird

    CVE ID : CVE-2023-6212 CVE-2023-6209 CVE-2023-6208 CVE-2023-6207 CVE-2023-6206 CVE-2023-6205 CVE-2023-6204


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.5.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:115.5.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gst-plugins-bad1.0

    CVE ID : CVE-2023-44429 CVE-2023-44446

    Debian Bug : 1056101 1056102


    Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.18.4-3+deb11u3.


    For the stable distribution (bookworm), these problems have been fixed in version 1.22.0-4+deb12u3.


    We recommend that you upgrade your gst-plugins-bad1.0 packages.


    For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at:

    Information on source package gst-plugins-bad1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : gimp

    CVE ID : CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444

    Debian Bug : 1055984


    Michael Randrianantenaina reported several vulnerabilities in GIMP, the GNU Image Manipulation Program, which could result in denial of service (application crash) or potentially the execution of arbitrary code if malformed DDS, PSD and PSP files are opened.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.10.22-4+deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u1.


    We recommend that you upgrade your gimp packages.


    For the detailed security status of gimp please refer to its security tracker page at:

    Information on source package gimp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : intel-microcode

    CVE ID : CVE-2023-23583

    Debian Bug : 1055962


    Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik Shtoyk discovered that some Intel processors mishandle repeated sequences of instructions leading to unexpected behavior, which may result in privilege escalation, information disclosure or denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 3.20231114.1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 3.20231114.1~deb12u1.


    We recommend that you upgrade your intel-microcode packages.


    For the detailed security status of intel-microcode please refer to its security tracker page at:

    Information on source package intel-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : tor

    CVE ID : not yet available


    It was discovered that Tor was susceptible to a crash during handshake with a remote relay, resulting in denial of service.


    For the oldstable distribution (bullseye), support for tor is now discontinued. Please upgrade to the stable release (bookworm) to continue receiving tor updates.


    For the stable distribution (bookworm), this problem has been fixed in version 0.4.7.16-1.


    We recommend that you upgrade your tor packages.


    For the detailed security status of tor please refer to its security tracker page at:

    Information on source package tor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr

    CVE ID : CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information leaks or clickjacking.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.5.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.5.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wireshark

    CVE ID : CVE-2023-6174 CVE-2023-6175


    A vulnerability was discovered in the SSH dissector of Wireshark, a network protocol analyzer, which could result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bookworm), these problems have been fixed in version 4.0.11-1~deb12u1.


    We recommend that you upgrade your wireshark packages.


    For the detailed security status of wireshark please refer to its security tracker page at:

    Information on source package wireshark


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : netty

    CVE ID : CVE-2023-34462 CVE-2023-44487

    Debian Bug : 1038947 1054234


    Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework.


    CVE-2023-34462


    It might be possible for a remote peer to send a client hello packet during a TLS handshake which leads the server to buffer up to 16 MB of data per connection. This could lead to an OutOfMemoryError and so result in a denial of service.


    CVE-2023-44487


    The HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as the Rapid Reset Attack.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:4.1.48-4+deb11u2.


    For the stable distribution (bookworm), these problems have been fixed in version 1:4.1.48-7+deb12u1.


    We recommend that you upgrade your netty packages.


    For the detailed security status of netty please refer to its security tracker page at:

    Information on source package netty


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : webkit2gtk

    CVE ID : CVE-2023-41983 CVE-2023-42852


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2023-41983


    Junsung Lee discovered that processing web content may lead to a denial of service.


    CVE-2023-42852


    An anonymous researcher discovered that processing web content may lead to arbitrary code execution.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.42.2-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.42.2-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openvpn

    CVE ID : CVE-2023-46849 CVE-2023-46850


    Two vulnerabilities were discovered in openvpn, a virtual private network application, which could result in memory disclosure or denial of service.

    The oldstable distribution (bullseye) is not affected.


    For the stable distribution (bookworm), these problems have been fixed in version 2.6.3-1+deb12u2.


    We recommend that you upgrade your openvpn packages.


    For the detailed security status of openvpn please refer to its security tracker page at:

    Information on source package openvpn


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/