-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3957-1 [email protected] https://www.debian.org/lts/security/ Salvatore Bonaccorso November 19, 2024 https://wiki.debian.org/LTS - -------------------------------------------------------------------------
Package : needrestart Version : 3.5-4+deb11u4 CVE ID : CVE-2024-11003 CVE-2024-48990 CVE-2024-48991 CVE-2024-48992 The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades. A local attacker can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable (CVE-2024-48990) or running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable (CVE-2024-48992). Additionally a local attacker can trick needrestart into running a fake Python interpreter (CVE-2024-48991) or cause needrestart to call the Perl module Module::ScanDeps with attacker-controlled files (CVE-2024-11003). Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt For Debian 11 bullseye, these problems have been fixed in version 3.5-4+deb11u4. We recommend that you upgrade your needrestart packages. For the detailed security status of needrestart please refer to its security tracker page at: https://security-tracker.debian.org/tracker/needrestart Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmc8wCZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0QJ/g/6AqyiyJSxt8cCgkNUUZ+j186CX3cu6y/3LrbOGMEDrJ4P25uzqvTn/mTh FYkIHW2Wl08xaJPER0d5MwoxreCZMdywfdQcFXbo0ccuAMclBotwnN7B/2zkc2KE sLiAIETsD/R0XdUE7fvPW62RiB49Ko1ECNKoU8ioLPtPZu1jdHcg48SnPaxgZag6 0Ti70j3c6YyY9/MtoZorbsvmjnv6A575iqWolictAduZGkOmTsQEyZlXV+qsfohw Y75BQ7xffay7DFziK8tfdxCVUhCeW+L2GuOFo+dC+hlfe/GuMm7ycyOPKQXsScby EcXd234XzQW6AJs5XrRQiZsNvQYbAm+2ynP4Tx8B2iZ/EXygcVmahHn28KfyBOBU 8B3iw2Ty1SHoOIWp8mM6oxVPa5t00ytRI/6hYHvCwcEpAYG1aqqNS/+u5ZZQPr6b w0/xlHxYiKfDQszw23tqpUKfQbjST3W0yuczPA8ii1M6Nk9M+rIKD5z52E+jMQ/i dn2TKPDRUdwGxkcUgAPHtd9Ctxzl+dQ25pthFFy3WDggU0UED7+fN62LjazhvCV8 ZL55JXj/L3m2YfinVTe98r/n1JTjK+nL5+gBK7JkTkbl9Syqr6aN359wMQ6CzDeh JKBfropRQ/OrECTJJtrK95hfc8yg/s7k10zsLPhs0fs25y6iuzw= =0NUe -----END PGP SIGNATURE-----
