Bug#1070860: musescore3: CVE-2023-44428

2024-05-12 Thread Moritz Mühlenhoff
On Fri, May 10, 2024 at 06:39:20PM + Thorsten Glaser wrote:
> This is a bit like the limited security support for binutils,
> I suppose. Could/should we document that in the same places?

Sure thing, this sounds similar to what was done for Lilypond,
best to simply ship a similar README.Debian.security within
the lilypond2 and lilypond3 packages.

Cheers,
Moritz



Bug#1070861: hdf5: CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874 CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622 CVE-2024-32621 CVE-2024-32620 CVE-2024-32619 CVE-2024-32618 C

2024-05-10 Thread Moritz Mühlenhoff
Source: hdf5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for hdf5:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

CVE-2024-33877[0]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5T__conv_struct_opt in H5Tconv.c.


CVE-2024-33876[1]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5S__point_deserialize in H5Spoint.c.


CVE-2024-33875[2]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5O__layout_encode in H5Olayout.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-33874[3]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5O__mtime_new_encode in H5Omtime.c.


CVE-2024-33873[4]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5D__scatter_mem in H5Dscatgath.c.


CVE-2024-32624[5]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in
| H5Tconv.c), resulting in the corruption of the instruction pointer.


CVE-2024-32623[6]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5VM_array_fill in H5VM.c (called from H5S_select_elements in
| H5Spoint.c).


CVE-2024-32622[7]:
| HDF5 Library through 1.14.3 contains an out-of-bounds read operation
| in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in
| H5S.c).


CVE-2024-32621[8]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5HG_read in H5HG.c (called from H5VL__native_blob_get in
| H5VLnative_blob.c), resulting in the corruption of the instruction
| pointer.


CVE-2024-32620[9]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32619[10]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T_copy_reopen in H5T.c, resulting in the corruption of the
| instruction pointer.


CVE-2024-32618[11]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__get_native_type in H5Tnative.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32617[12]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called
| from H5G__ent_to_link in H5Glink.c).


CVE-2024-32616[13]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5O__dtype_encode_helper in H5Odtype.c.


CVE-2024-32615[14]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier
| use of an initialized pointer.


CVE-2024-32614[15]:
| HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.


CVE-2024-32613[16]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in the function H5HL__fl_deserialize in H5HLcache.c, a different
| vulnerability than CVE-2024-32612.


CVE-2024-32612[17]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption
| of the instruction pointer, a different vulnerability than
| CVE-2024-32613.


CVE-2024-32611[18]:
| HDF5 Library through 1.14.3 may use an uninitialized value in
| H5A__attr_release_table in H5Aint.c.


CVE-2024-32610[19]:
| HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c,
| resulting in a corrupted instruction pointer.


CVE-2024-32609[20]:
| HDF5 Library through 1.14.3 allows stack consumption in the function
| H5E_printf_stack in H5Eint.c.


CVE-2024-32607[21]:
| HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c,
| resulting in the corruption of the instruction pointer.


CVE-2024-32606[22]:
| HDF5 Library through 1.14.3 may attempt to dereference uninitialized
| values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from
| h5tools_dump_simple_data in tools/lib/h5tools_dump.c).


CVE-2024-32605[23]:
| HDF5 Library through 1.14.3 has a heap-based buffer over-read in
| H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in
| H5Dcompact.c).


CVE-2024-29166[24]:
| HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.


CVE-2024-29165[25]:
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_fletcher32, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29164[26]:
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5R__decode_heap, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29163[27]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5T__bit_find, resulting in the corruption of 

Bug#1070860: musescore3: CVE-2023-44428

2024-05-10 Thread Moritz Mühlenhoff
Source: musescore3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for musescore3.

CVE-2023-44428[0]:
| MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of MuseScore.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of CAP files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-20769.

Unfortunately details are sparse; the only reference is
https://www.zerodayinitiative.com/advisories/ZDI-23-1526/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44428
https://www.cve.org/CVERecord?id=CVE-2023-44428

Please adjust the affected versions in the BTS as needed.



Bug#1070859: npgsql: CVE-2024-32655

2024-05-10 Thread Moritz Mühlenhoff
Source: npgsql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for npgsql.

CVE-2024-32655[0]:
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()`
| method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs`
| uses `int` variables to store the message length and the sum of
| parameter lengths. Both variables overflow when the sum of parameter
| lengths becomes too large. This causes Npgsql to write a message
| size that is too small when constructing a Postgres protocol message
| to send it over the network to the database. When parsing the
| message, the database will only read a small number of bytes and
| treat any following bytes as new messages while they belong to the
| old message. Attackers can abuse this to inject arbitrary Postgres
| protocol messages into the connection, leading to the execution of
| arbitrary SQL statements on the application's behalf. This
| vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and
| 8.0.3.

https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32655
https://www.cve.org/CVERecord?id=CVE-2024-32655

Please adjust the affected versions in the BTS as needed.
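The mechanism the advisory describes (a Bind message length accumulated in a wrapping 32-bit int, so that the length word on the wire is too small and the backend frames the leftover bytes as fresh messages) can be followed in a small protocol encoder. This is an added example written in Python for illustration, not Npgsql's code and not the upstream fix: `bind_body_length`, `checked_bind_length`, `build_bind_message` and `frame_messages` are names chosen here, and the Bind layout follows the PostgreSQL frontend/backend protocol (text format for all parameters).

```python
"""Postgres Bind message length accounting: unchecked 32-bit arithmetic of the
kind behind CVE-2024-32655 next to a length computation that refuses to wrap.
Illustrative code, not Npgsql's implementation."""
import struct
from typing import Iterable, List, Optional, Tuple

INT32_MAX = 2**31 - 1


def wrap_int32(value: int) -> int:
    """Emulate unchecked signed 32-bit arithmetic (what a C# 'int' does by default)."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def bind_body_length(portal: bytes, statement: bytes, param_sizes: Iterable[int]) -> int:
    """Exact byte count of a Bind message after the 'B' type byte, including the
    4-byte length word itself as the wire format requires.  A size of -1 denotes
    SQL NULL: only the Int32 length word is sent, no payload."""
    total = 4 + len(portal) + 1 + len(statement) + 1   # length word, two C strings
    total += 2                                          # Int16: number of param format codes (0)
    total += 2                                          # Int16: number of parameters
    for size in param_sizes:
        total += 4 + max(size, 0)                       # Int32 length word + payload
    total += 2                                          # Int16: number of result format codes (0)
    return total


def unchecked_bind_length(portal: bytes, statement: bytes, param_sizes: Iterable[int]) -> int:
    """The same sum as a wrapping 32-bit int.  Wrapping once at the end equals
    wrapping after every addition (arithmetic mod 2**32), so this is what an
    unchecked int accumulator would hand to the length field: once the payloads
    pass ~2 GiB the result is small or negative, the undersized length the
    advisory describes."""
    return wrap_int32(bind_body_length(portal, statement, param_sizes))


def checked_bind_length(portal: bytes, statement: bytes, param_sizes: Iterable[int]) -> int:
    """Hardened variant: compute in unbounded integers and refuse anything that
    does not fit the Int32 length field instead of letting it wrap."""
    total = bind_body_length(portal, statement, param_sizes)
    if total > INT32_MAX:
        raise OverflowError(f"Bind message would be {total} bytes; exceeds Int32 length field")
    return total


def build_bind_message(portal: bytes, statement: bytes, params: List[Optional[bytes]]) -> bytes:
    """Serialise a Bind message using the checked length (all parameters in text format)."""
    sizes = [-1 if p is None else len(p) for p in params]
    length = checked_bind_length(portal, statement, sizes)
    out = bytearray(b"B")
    out += struct.pack("!i", length)
    out += portal + b"\x00" + statement + b"\x00"
    out += struct.pack("!h", 0)                 # no per-parameter format codes
    out += struct.pack("!h", len(params))
    for p in params:
        if p is None:
            out += struct.pack("!i", -1)        # NULL parameter
        else:
            out += struct.pack("!i", len(p)) + p
    out += struct.pack("!h", 0)                 # no result-column format codes
    return bytes(out)


def frame_messages(stream: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a frontend byte stream into (type, body) pairs the way the backend
    does: 1 type byte + Int32 length, then length-4 body bytes, repeat.  Whatever
    the declared length leaves over is parsed as the *next* message, which is why
    an undersized length word lets trailing bytes be reinterpreted."""
    msgs: List[Tuple[bytes, bytes]] = []
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated message header")
        mtype = stream[pos:pos + 1]
        (length,) = struct.unpack("!i", stream[pos + 1:pos + 5])
        if length < 4 or pos + 1 + length > len(stream):
            raise ValueError(f"bad length {length} for message {mtype!r}")
        msgs.append((mtype, stream[pos + 5:pos + 1 + length]))
        pos += 1 + length
    return msgs


if __name__ == "__main__":
    # Constructed sample: one Bind with three text parameters, the middle one NULL.
    msg = build_bind_message(b"", b"stmt1", [b"42", None, b"hello"])
    print(len(msg), "bytes, framed as", frame_messages(msg))
    huge = [INT32_MAX, 1]                       # sizes only; nothing is allocated
    print("unchecked length word:", unchecked_bind_length(b"", b"s", huge))
    try:
        checked_bind_length(b"", b"s", huge)
    except OverflowError as exc:
        print("checked variant refused:", exc)
```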



Bug#1070858: golang-github-opencontainers-go-digest: CVE-2024-3727

2024-05-10 Thread Moritz Mühlenhoff
Source: golang-github-opencontainers-go-digest
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-opencontainers-go-digest.

CVE-2024-3727[0]:
| A flaw was found in the github.com/containers/image library. This
| flaw allows attackers to trigger unexpected authenticated registry
| accesses on behalf of a victim user, causing resource exhaustion,
| local path traversal, and other attacks.

Details are a little sparse; the only reference is
https://bugzilla.redhat.com/show_bug.cgi?id=2274767 at this point.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3727
https://www.cve.org/CVERecord?id=CVE-2024-3727

Please adjust the affected versions in the BTS as needed.



Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606

2024-05-04 Thread Moritz Mühlenhoff
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2023-40533[0]:
| An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1
| while parsing HTTP requests. In certain configurations, a specially
| crafted HTTP request can result in disclosure of data allocated on
| the heap, which could contain sensitive information. An attacker can
| make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

CVE-2023-49606[1]:
| A use-after-free vulnerability exists in the HTTP Connection Headers
| parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially
| crafted HTTP header can trigger reuse of previously freed memory,
| which leads to memory corruption and could lead to remote code
| execution. An attacker needs to make an unauthenticated HTTP request
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40533
https://www.cve.org/CVERecord?id=CVE-2023-40533
[1] https://security-tracker.debian.org/tracker/CVE-2023-49606
https://www.cve.org/CVERecord?id=CVE-2023-49606

Please adjust the affected versions in the BTS as needed.



Bug#1070394: libstb: CVE-2023-47212

2024-05-04 Thread Moritz Mühlenhoff
Source: libstb
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libstb.

CVE-2023-47212[0]:
| A heap-based buffer overflow vulnerability exists in the comment
| functionality of stb_vorbis.c v1.22. A specially crafted .ogg file
| can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47212
https://www.cve.org/CVERecord?id=CVE-2023-47212

Please adjust the affected versions in the BTS as needed.



Bug#1070392: exiv2: CVE-2024-24826 CVE-2024-25112

2024-05-04 Thread Moritz Mühlenhoff
Source: exiv2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for exiv2.

The advisories are a little misleading: they mention it as
new in v0.28.0, but that only applies to the "main" branch,
where it was removed and later reintroduced.

The 0.27-maintenance branch _does_ include the Quicktime decoder.

CVE-2024-24826[0]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. An
| out-of-bounds read was found in Exiv2 version v0.28.1. The
| vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in
| v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-
| of-bounds read is triggered when Exiv2 is used to read the metadata
| of a crafted video file. In most cases this out of bounds read will
| result in a crash. This bug is fixed in version v0.28.2. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
https://github.com/Exiv2/exiv2/pull/2337

CVE-2024-25112[1]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. A
| denial-of-service was found in Exiv2 version v0.28.1: an unbounded
| recursion can cause Exiv2 to crash by exhausting the stack. The
| vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was
| new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected.
| The denial-of-service is triggered when Exiv2 is used to read the
| metadata of a crafted video file. This bug is fixed in version
| v0.28.2. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36
Fixed by: https://github.com/Exiv2/exiv2/commit/355afea485550e8214ac6b449fb210a7efb71365 (v0.28.2)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24826
https://www.cve.org/CVERecord?id=CVE-2024-24826
[1] https://security-tracker.debian.org/tracker/CVE-2024-25112
https://www.cve.org/CVERecord?id=CVE-2024-25112

Please adjust the affected versions in the BTS as needed.



Bug#1070393: gobgp: CVE-2023-46565

2024-05-04 Thread Moritz Mühlenhoff
Source: gobgp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gobgp.

CVE-2023-46565[0]:
| Buffer Overflow vulnerability in osrg gobgp commit
| 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to
| cause a denial of service via the handlingError function in
| pkg/server/fsm.go.

https://github.com/osrg/gobgp/issues/2725


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46565
https://www.cve.org/CVERecord?id=CVE-2023-46565

Please adjust the affected versions in the BTS as needed.



Bug#1070390: opendmarc: CVE-2024-25768

2024-05-04 Thread Moritz Mühlenhoff
Source: opendmarc
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for opendmarc. It's unclear
whether this is actually a security issue; it doesn't appear to have
been reported upstream...

CVE-2024-25768[0]:
| OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in
| /OpenDMARC/libopendmarc/opendmarc_policy.c.

https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25768
https://www.cve.org/CVERecord?id=CVE-2024-25768

Please adjust the affected versions in the BTS as needed.



Bug#1070388: jupyterhub: CVE-2024-28233

2024-05-04 Thread Moritz Mühlenhoff
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.



Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391

2024-05-04 Thread Moritz Mühlenhoff
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm.

These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.



Bug#1070384: llvm-toolchain-14: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-14
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-14.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070383: llvm-toolchain-15: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-15
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-15.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070382: llvm-toolchain-16: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-16
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-16.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070381: llvm-toolchain-17: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-17
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-17.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070380: llvm-toolchain-18: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-18
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-18.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584

2024-05-04 Thread Moritz Mühlenhoff
Source: pytorch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for pytorch.

CVE-2024-31580[0]:
| PyTorch before v2.2.0 was discovered to contain a heap buffer
| overflow vulnerability in the component
| /runtime/vararg_functions.cpp. This vulnerability allows attackers
| to cause a Denial of Service (DoS) via a crafted input.

https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81

CVE-2024-31583[1]:
| Pytorch before version v2.2.0 was discovered to contain a use-after-
| free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2

CVE-2024-31584[2]:
| Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via
| the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31580
https://www.cve.org/CVERecord?id=CVE-2024-31580
[1] https://security-tracker.debian.org/tracker/CVE-2024-31583
https://www.cve.org/CVERecord?id=CVE-2024-31583
[2] https://security-tracker.debian.org/tracker/CVE-2024-31584
https://www.cve.org/CVERecord?id=CVE-2024-31584

Please adjust the affected versions in the BTS as needed.



Bug#1070378: docker.io: CVE-2024-32473

2024-05-04 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-32473[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. In 26.0.0, IPv6 is not disabled on
| network interfaces, including those belonging to networks where
| `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface
| will normally be configured to share an external network link with
| the host machine. Because of this direct access, (1) Containers may
| be able to communicate with other hosts on the local network over
| link-local IPv6 addresses, (2) if router advertisements are being
| broadcast over the local network, containers may get SLAAC-assigned
| addresses, and (3) the interface will be a member of IPv6 multicast
| groups. This means interfaces in IPv4-only networks present an
| unexpectedly and unnecessarily increased attack surface. The issue
| is patched in 26.0.2. To completely disable IPv6 in a container, use
| `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create`
| or `docker run` command. Or, in the service configuration of a
| `compose` file.

https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa

It's not super clear whether this is only fixed in 26.x and old releases
(such as the one in unstable) are not affected; let's validate
and update the Security Tracker accordingly if not (ideally by identifying
the introducing commit).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32473
https://www.cve.org/CVERecord?id=CVE-2024-32473

Please adjust the affected versions in the BTS as needed.



Bug#1070377: frr: CVE-2024-34088

2024-05-04 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-34088[0]:
| In FRRouting (FRR) through 9.1, it is possible for the get_edge()
| function in ospf_te.c in the OSPF daemon to return a NULL pointer.
| In cases where calling functions do not handle the returned NULL
| value, the OSPF daemon crashes, leading to denial of service.

https://github.com/FRRouting/frr/pull/15674
Introduced by: https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (base_8.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34088
https://www.cve.org/CVERecord?id=CVE-2024-34088

Please adjust the affected versions in the BTS as needed.



Bug#1070376: uriparser: CVE-2024-34402 CVE-2024-34403

2024-05-04 Thread Moritz Mühlenhoff
Source: uriparser
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for uriparser.

CVE-2024-34402[0]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryEngine in UriQuery.c has an integer overflow via long
| keys or values, with a resultant buffer overflow.

https://github.com/uriparser/uriparser/pull/185
https://github.com/uriparser/uriparser/issues/183

CVE-2024-34403[1]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a
| long string.

https://github.com/uriparser/uriparser/issues/183
https://github.com/uriparser/uriparser/pull/186


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34402
https://www.cve.org/CVERecord?id=CVE-2024-34402
[1] https://security-tracker.debian.org/tracker/CVE-2024-34403
https://www.cve.org/CVERecord?id=CVE-2024-34403

Please adjust the affected versions in the BTS as needed.
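Both uriparser CVEs above describe the same failure mode: the size needed for the composed query is computed from attacker-controlled key and value lengths, the arithmetic wraps, and a too-small buffer is allocated and then overrun. As an added example (not uriparser's code; the qpair type, function names and sample pairs are constructed), this composes a percent-encoded query string with overflow-checked size arithmetic and refuses input whose worst-case size cannot be represented:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One key/value pair to compose (constructed type, not uriparser's). */
struct qpair {
    const char *key;
    size_t key_len;
    const char *value;
    size_t value_len;
};

/* Overflow-checked size_t arithmetic: report failure instead of wrapping. */
static bool add_sz(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}
static bool mul_sz(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b) return false;
    *out = a * b;
    return true;
}

/* Worst-case buffer size for `n` pairs, including the NUL: every byte may
 * expand to "%XX" (x3), plus one '=' per pair and one '&' between pairs.
 * Every step is checked, so absurd lengths yield false, never a small number. */
static bool query_required_size(const struct qpair *p, size_t n, size_t *out)
{
    size_t total = 1;                                   /* terminating NUL */
    for (size_t i = 0; i < n; i++) {
        size_t k, v, pair;
        if (!mul_sz(p[i].key_len, 3, &k) || !mul_sz(p[i].value_len, 3, &v))
            return false;
        if (!add_sz(k, v, &pair) || !add_sz(pair, 1, &pair))   /* '=' */
            return false;
        if (i > 0 && !add_sz(pair, 1, &pair))                  /* '&' */
            return false;
        if (!add_sz(total, pair, &total))
            return false;
    }
    *out = total;
    return true;
}

/* Percent-encode `len` bytes of `src` into `dst` (RFC 3986 unreserved bytes
 * pass through). Returns bytes written; `dst` must hold 3*len bytes, which
 * query_required_size guarantees. */
static size_t encode_into(char *dst, const char *src, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t w = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            dst[w++] = (char)c;
        } else {
            dst[w++] = '%';
            dst[w++] = hex[c >> 4];
            dst[w++] = hex[c & 0x0F];
        }
    }
    return w;
}

/* Compose "k=v&k2=v2" into a freshly malloc'd string. Returns NULL when the
 * required size overflows or allocation fails; the caller frees the result. */
static char *compose_query(const struct qpair *p, size_t n)
{
    size_t need;
    if (!query_required_size(p, n, &need))
        return NULL;                        /* refuse instead of under-allocating */
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (i > 0)
            buf[w++] = '&';
        w += encode_into(buf + w, p[i].key, p[i].key_len);
        buf[w++] = '=';
        w += encode_into(buf + w, p[i].value, p[i].value_len);
    }
    buf[w] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample pairs. `huge` only exercises the size check: its
     * buffers are never read because composition is refused beforehand. */
    struct qpair ok[2] = { { "q", 1, "a b", 3 }, { "lang", 4, "de", 2 } };
    struct qpair huge[1] = { { "", SIZE_MAX / 2, "", 1 } };
    char *q = compose_query(ok, 2);
    printf("composed: %s\n", q ? q : "(refused)");
    free(q);
    printf("oversized input: %s\n", compose_query(huge, 1) ? "composed" : "refused");
    return 0;
}
```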



Bug#1070375: python-jose: CVE-2024-33663 CVE-2024-33664

2024-05-04 Thread Moritz Mühlenhoff
Source: python-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-jose.

CVE-2024-33663[0]:
| python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA
| keys and other key formats. This is similar to CVE-2022-29217.

https://github.com/mpdavis/python-jose/issues/346

CVE-2024-33664[1]:
| python-jose through 3.3.0 allows attackers to cause a denial of
| service (resource consumption) during a decode via a crafted JSON
| Web Encryption (JWE) token with a high compression ratio, aka a "JWT
| bomb." This is similar to CVE-2024-21319.

https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33663
https://www.cve.org/CVERecord?id=CVE-2024-33663
[1] https://security-tracker.debian.org/tracker/CVE-2024-33664
https://www.cve.org/CVERecord?id=CVE-2024-33664

Please adjust the affected versions in the BTS as needed.



Bug#1070373: quickjs: CVE-2024-33263

2024-05-04 Thread Moritz Mühlenhoff
Source: quickjs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for quickjs.

CVE-2024-33263[0]:
| QuickJS commit 3b45d15 was discovered to contain an Assertion
| Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.

https://github.com/bellard/quickjs/issues/277


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33263
https://www.cve.org/CVERecord?id=CVE-2024-33263

Please adjust the affected versions in the BTS as needed.



Bug#1070374: social-auth-app-django: CVE-2024-32879

2024-05-04 Thread Moritz Mühlenhoff
Source: social-auth-app-django
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for social-auth-app-django.

CVE-2024-32879[0]:
| Python Social Auth is a social authentication/registration
| mechanism. Prior to version 5.4.1, due to default case-insensitive
| collation in MySQL or MariaDB databases, third-party authentication
| user IDs are not case-sensitive and could cause different IDs to
| match. This issue has been addressed by a fix released in version
| 5.4.1. An immediate workaround would be to change collation of the
| affected field.

https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138 (5.4.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32879
https://www.cve.org/CVERecord?id=CVE-2024-32879

Please adjust the affected versions in the BTS as needed.



Bug#1070372: tqdm: CVE-2024-34062

2024-05-04 Thread Moritz Mühlenhoff
Source: tqdm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tqdm.

CVE-2024-34062[0]:
| tqdm is an open source progress bar for Python and CLI. Any optional
| non-boolean CLI arguments (e.g. `--delim`, `--buf-size`,
| `--manpath`) are passed through python's `eval`, allowing arbitrary
| code execution. This issue is only locally exploitable and had been
| addressed in release version 4.66.3. All users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by:
https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34062
https://www.cve.org/CVERecord?id=CVE-2024-34062

Please adjust the affected versions in the BTS as needed.



Bug#1070371: ofono: CVE-2023-4232 CVE-2023-4233 CVE-2023-4234 CVE-2023-4235

2024-05-04 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ofono.

It's not clear whether they were actually reported upstream or only
submitted to Red Hat Bugzilla:

CVE-2023-4232[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_status_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_status_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255394

CVE-2023-4233[1]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the
| sms_decode_address_field() function during the SMS PDU decoding. It
| is assumed that the attack scenario is accessible from a compromised
| modem, a malicious base station, or just SMS.

https://bugzilla.redhat.com/show_bug.cgi?id=2255396

CVE-2023-4234[2]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_submit_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_submit_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255399

CVE-2023-4235[3]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_deliver_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255402


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4232
https://www.cve.org/CVERecord?id=CVE-2023-4232
[1] https://security-tracker.debian.org/tracker/CVE-2023-4233
https://www.cve.org/CVERecord?id=CVE-2023-4233
[2] https://security-tracker.debian.org/tracker/CVE-2023-4234
https://www.cve.org/CVERecord?id=CVE-2023-4234
[3] https://security-tracker.debian.org/tracker/CVE-2023-4235
https://www.cve.org/CVERecord?id=CVE-2023-4235

Please adjust the affected versions in the BTS as needed.



Bug#1070370: dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837

2024-05-04 Thread Moritz Mühlenhoff
Source: dmitry
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for dmitry.

CVE-2017-7938[0]:
| Stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) version 1.3a (Unix) allows attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via a long argument. An example threat model is
| automated execution of DMitry with hostname strings found in local
| log files.

https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html
https://github.com/jaygreig86/dmitry/pull/12

CVE-2020-14931[1]:
| A stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) 1.3a might allow remote WHOIS servers to execute
| arbitrary code via a long line in a response that is mishandled by
| nic_format_buff.

https://github.com/jaygreig86/dmitry/issues/4
https://github.com/jaygreig86/dmitry/pull/6
Fixed by:
https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192

CVE-2024-31837[2]:
| DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-
| string vulnerability, with a threat model similar to CVE-2017-7938.

https://github.com/jaygreig86/dmitry/pull/12

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7938
https://www.cve.org/CVERecord?id=CVE-2017-7938
[1] https://security-tracker.debian.org/tracker/CVE-2020-14931
https://www.cve.org/CVERecord?id=CVE-2020-14931
[2] https://security-tracker.debian.org/tracker/CVE-2024-31837
https://www.cve.org/CVERecord?id=CVE-2024-31837

Please adjust the affected versions in the BTS as needed.



Bug#1069764: python-flask-cors: CVE-2024-1681

2024-04-24 Thread Moritz Mühlenhoff
Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-flask-cors.

CVE-2024-1681[0]:
| corydolphin/flask-cors is vulnerable to log injection when the log
| level is set to debug. An attacker can inject fake log entries into
| the log file by sending a specially crafted GET request containing a
| CRLF sequence in the request path. This vulnerability allows
| attackers to corrupt log files, potentially covering tracks of other
| attacks, confusing log post-processing tools, and forging log
| entries. The issue is due to improper output neutralization for
| logs.

https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
https://github.com/corydolphin/flask-cors/issues/349


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1681
https://www.cve.org/CVERecord?id=CVE-2024-1681

Please adjust the affected versions in the BTS as needed.



Bug#1069763: matrix-synapse: CVE-2024-31208

2024-04-24 Thread Moritz Mühlenhoff
Source: matrix-synapse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for matrix-synapse.

CVE-2024-31208[0]:
| Synapse is an open-source Matrix homeserver. A remote Matrix user
| with malicious intent, sharing a room with Synapse instances before
| 1.105.1, can dispatch specially crafted events to exploit a weakness
| in the V2 state resolution algorithm. This can induce high CPU
| consumption and accumulate excessive data in the database of such
| instances, resulting in a denial of service. Servers in private
| federations, or those that do not federate, are not affected. Server
| administrators should upgrade to 1.105.1 or later. Some workarounds
| are available. One can ban the malicious users or ACL block servers
| from the rooms and/or leave the room and purge the room using the
| admin API.

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31208
https://www.cve.org/CVERecord?id=CVE-2024-31208

Please adjust the affected versions in the BTS as needed.



Bug#1069762: pdns-recursor: CVE-2024-25583

2024-04-24 Thread Moritz Mühlenhoff
Source: pdns-recursor
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pdns-recursor.

CVE-2024-25583[0]:
PowerDNS Security Advisory 2024-02: if recursive forwarding is
configured, crafted responses can lead to a denial of service in Recursor
https://www.openwall.com/lists/oss-security/2024/04/24/1 


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25583
https://www.cve.org/CVERecord?id=CVE-2024-25583

Please adjust the affected versions in the BTS as needed.



Bug#1069679: ofono: CVE-2023-2794

2024-04-22 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ofono.

CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().

https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e260b065a39c9

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
https://www.cve.org/CVERecord?id=CVE-2023-2794

Please adjust the affected versions in the BTS as needed.



Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094

2024-04-22 Thread Moritz Mühlenhoff
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition:
| 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in  unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java 

Bug#1069677: rust-rustls: CVE-2024-32650

2024-04-22 Thread Moritz Mühlenhoff
Source: rust-rustls
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for rust-rustls.

CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client send a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
https://www.cve.org/CVERecord?id=CVE-2024-32650

Please adjust the affected versions in the BTS as needed.



Bug#1069189: mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21

2024-04-17 Thread Moritz Mühlenhoff
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client: mysqldump).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to
| exploit vulnerability allows unauthenticated attacker with logon to
| the infrastructure where MySQL Server executes to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data as well as  unauthorized read access to a subset of
| MySQL Server accessible data and unauthorized ability to cause a
| partial denial of service (partial DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication Plugin).  Supported versions
| that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Data Dictionary).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL 

Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Bastien Roucariès 
> Control: affects -1 + src:json-smart
> Control: block 1039985 with -1
> Control: block 1033474 with -1
> 
> [ Reason ]
> Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> causing version skew on upgrades:

CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
is a pre condition for a point update.

Bastien, since you fixed it in buster-lts, can you please also take care
of addressing unstable?

Cheers,
Moritz



Bug#1068822: qemu: CVE-2024-3567

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3567[0]:
| A flaw was found in QEMU. An assertion failure was present in the
| update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying
| to calculate the checksum of a short-sized fragmented packet. This
| flaw allows a malicious guest to crash QEMU and cause a denial of
| service condition.

https://bugzilla.redhat.com/show_bug.cgi?id=2274339
https://gitlab.com/qemu-project/qemu/-/issues/2273


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3567
https://www.cve.org/CVERecord?id=CVE-2024-3567

Please adjust the affected versions in the BTS as needed.



Bug#1068821: qemu: CVE-2024-3447

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3447[0]:

https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/
https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3447
https://www.cve.org/CVERecord?id=CVE-2024-3447

Please adjust the affected versions in the BTS as needed.



Bug#1068820: qemu: CVE-2024-3446

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3446[0]:
| A double free vulnerability was found in QEMU virtio devices
| (virtio-gpu, virtio-serial-bus, virtio-crypto), where the
| mem_reentrancy_guard flag insufficiently protects against DMA
| reentrancy issues. This issue could allow a malicious privileged
| guest to crash the QEMU process on the host, resulting in a denial
| of service or allow arbitrary code execution within the context of
| the QEMU process on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=2274211
https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3446
https://www.cve.org/CVERecord?id=CVE-2024-3446

Please adjust the affected versions in the BTS as needed.



Bug#1068819: qemu: CVE-2024-26327 CVE-2024-26328

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for qemu.

CVE-2024-26327[0]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c mishandles the situation where a guest writes
| NumVFs greater than TotalVFs, leading to a buffer overflow in VF
| implementations.

CVE-2024-26328[1]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and
| thus interaction with hw/nvme/ctrl.c is mishandled.

https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org

Introduced by:
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26327
https://www.cve.org/CVERecord?id=CVE-2024-26327
[1] https://security-tracker.debian.org/tracker/CVE-2024-26328
https://www.cve.org/CVERecord?id=CVE-2024-26328

Please adjust the affected versions in the BTS as needed.
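
As an added illustration of the NumVFs/TotalVFs problem in CVE-2024-26327 (this is not QEMU's code and does not reproduce the upstream patch; the struct names, SRIOV_MAX_VFS and sriov_demo() are assumptions for the example): a guest write to the SR-IOV NumVFs register handled once without any check and once clamped to TotalVFs.

```c
/* Added illustrative example, not QEMU's code: a guest write to the SR-IOV
 * NumVFs register, shown with the unchecked pattern behind CVE-2024-26327
 * beside a clamped variant. Struct names, SRIOV_MAX_VFS and sriov_demo()
 * are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SRIOV_MAX_VFS 16              /* hypothetical upper bound of the device model */

struct vf_dev { int enabled; };

struct sriov_cap {
    uint16_t total_vfs;               /* TotalVFs: fixed by the device model, read-only to the guest */
    uint16_t num_vfs;                 /* NumVFs: guest-writable */
    struct vf_dev vfs[SRIOV_MAX_VFS]; /* only the first total_vfs entries are valid */
};

/* Unchecked pattern: trusts the guest value and walks that many VF slots.
 * With num_vfs > total_vfs the loop writes past the valid VF entries.
 * Shown for contrast; never call it with untrusted input. */
static uint16_t register_vfs_unchecked(struct sriov_cap *cap, uint16_t num_vfs)
{
    cap->num_vfs = num_vfs;
    for (uint16_t i = 0; i < num_vfs; i++)
        cap->vfs[i].enabled = 1;
    return num_vfs;
}

/* Hardened variant: clamp the guest value to TotalVFs, write the clamped
 * value back so the guest observes it, and enable exactly that many VFs. */
static uint16_t register_vfs_clamped(struct sriov_cap *cap, uint16_t num_vfs)
{
    if (num_vfs > cap->total_vfs)
        num_vfs = cap->total_vfs;
    cap->num_vfs = num_vfs;
    for (uint16_t i = 0; i < cap->total_vfs; i++)
        cap->vfs[i].enabled = (i < num_vfs);
    return num_vfs;
}

/* Simulate a device with `total` VFs receiving a guest write of `guest_value`.
 * Returns the number of VFs enabled after the clamped handler ran, or -1 if
 * `total` exceeds what this model can hold. */
static int sriov_demo(uint16_t total, uint16_t guest_value)
{
    struct sriov_cap cap;
    memset(&cap, 0, sizeof cap);
    if (total > SRIOV_MAX_VFS) return -1;
    cap.total_vfs = total;
    register_vfs_clamped(&cap, guest_value);
    int enabled = 0;
    for (uint16_t i = 0; i < cap.total_vfs; i++)
        enabled += cap.vfs[i].enabled;
    return enabled;
}

int main(void)
{
    struct sriov_cap cap;
    memset(&cap, 0, sizeof cap);
    cap.total_vfs = 4;
    /* benign write: both handlers agree, which is why the bug is easy to miss */
    printf("unchecked, NumVFs=2: %u enabled\n", (unsigned)register_vfs_unchecked(&cap, 2));
    /* hostile write: only the clamped handler stays within total_vfs */
    printf("clamped,   NumVFs=9: %u enabled\n", (unsigned)register_vfs_clamped(&cap, 9));
    printf("sriov_demo(4, 9) = %d\n", sriov_demo(4, 9));
    return 0;
}
```

The point to take from the two handlers is that the only trustworthy bound is the value the device model itself configured (TotalVFs); anything read back from the guest-writable register has to be validated against it before it sizes a loop or an allocation.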



Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-11 Thread Moritz Mühlenhoff
Source: sngrep
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sngrep.

CVE-2024-3119[0]:
| A buffer overflow vulnerability exists in all versions of sngrep
| since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID'
| SIP headers. The functions sip_get_callid and sip_get_xcallid in
| sip.c use the strncpy function to copy header contents into fixed-
| size buffers without checking the data length. This flaw allows
| remote attackers to execute arbitrary code or cause a denial of
| service (DoS) through specially crafted SIP messages.

https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1)

CVE-2024-3120[1]:
| A stack-buffer overflow vulnerability exists in all versions of
| sngrep since v1.4.1. The flaw is due to inadequate bounds checking
| when copying 'Content-Length' and 'Warning' headers into fixed-size
| buffers in the sip_validate_packet and sip_parse_extra_headers
| functions within src/sip.c. This vulnerability allows remote
| attackers to execute arbitrary code or cause a denial of service
| (DoS) via crafted SIP messages.

https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3119
https://www.cve.org/CVERecord?id=CVE-2024-3119
[1] https://security-tracker.debian.org/tracker/CVE-2024-3120
https://www.cve.org/CVERecord?id=CVE-2024-3120

Please adjust the affected versions in the BTS as needed.
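
As an added illustration of the strncpy-into-a-fixed-buffer pattern described for CVE-2024-3119 (this is not sngrep's code; CALLID_MAX, the function names and the constructed INVITE are assumptions for the example): a minimal SIP header extractor, the unbounded copy beside a bounded one, and a parse of a Call-ID that is far larger than the destination.

```c
/* Added illustrative example, not sngrep's code: a minimal SIP header
 * extractor with the unbounded strncpy pattern behind CVE-2024-3119 beside
 * a bounded copy. CALLID_MAX, the function names and the INVITE text are
 * assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CALLID_MAX 64   /* hypothetical fixed-size destination */

/* Locate `name` as a header at the start of a line and return a pointer to
 * its value (leading blanks skipped) plus its length up to the CRLF.
 * Exact-case match only, to keep the example short. */
static const char *sip_header_value(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = strstr(msg, "\r\n");          /* skip the request line */
    while (line) {
        line += 2;
        if (*line == '\0') break;
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t') v++;
            const char *end = strstr(v, "\r\n");
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Vulnerable pattern: the strncpy bound is the length of the attacker-chosen
 * value, not the size of callid[], so anything longer than CALLID_MAX-1 runs
 * past the buffer. Only safe here because main() feeds it a short value. */
static void copy_callid_unbounded(char callid[CALLID_MAX], const char *v, size_t vlen)
{
    strncpy(callid, v, vlen);
    callid[vlen] = '\0';
}

/* Hardened form: check the value against the destination size first,
 * bound the copy by that size, and always NUL-terminate.
 * Returns 0 on success, -1 if the value does not fit. */
static int copy_callid_bounded(char callid[CALLID_MAX], const char *v, size_t vlen)
{
    if (vlen >= CALLID_MAX) return -1;
    memcpy(callid, v, vlen);
    callid[vlen] = '\0';
    return 0;
}

/* Build a constructed INVITE whose Call-ID is `callid_len` bytes of 'A'. */
static char *build_invite(size_t callid_len)
{
    const char *head = "INVITE sip:bob@example.com SIP/2.0\r\n"
                       "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
                       "Call-ID: ";
    const char *tail = "\r\nContent-Length: 0\r\n\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *m = malloc(hl + callid_len + tl + 1);
    if (!m) abort();
    memcpy(m, head, hl);
    memset(m + hl, 'A', callid_len);
    memcpy(m + hl + callid_len, tail, tl + 1);
    return m;
}

/* Parse the Call-ID of such an INVITE with the bounded copy.
 * Returns 0 if accepted, -1 if rejected as oversized, -2 if the header is missing. */
static int parse_callid_of_len(size_t callid_len)
{
    char *msg = build_invite(callid_len);
    char callid[CALLID_MAX];
    size_t vlen = 0;
    const char *v = sip_header_value(msg, "Call-ID", &vlen);
    int rc = v ? copy_callid_bounded(callid, v, vlen) : -2;
    free(msg);
    return rc;
}

int main(void)
{
    char callid[CALLID_MAX];
    char *msg = build_invite(20);
    size_t vlen = 0;
    const char *v = sip_header_value(msg, "Call-ID", &vlen);
    copy_callid_unbounded(callid, v, vlen);       /* benign input: looks fine */
    printf("benign Call-ID (%zu bytes): %s\n", vlen, callid);
    free(msg);
    printf("bounded copy of 200-byte Call-ID: rc=%d\n", parse_callid_of_len(200));
    return 0;
}
```

On ordinary traffic the two copies behave identically, which is how such a bug survives in a packet-capture tool; the bounded version differs only in that it refuses a value that would not fit, and it makes the length check explicit rather than relying on strncpy's third argument, which bounds the source, not the destination.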



Bug#1068817: undertow: CVE-2024-1635

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1635[0]:
| A vulnerability was found in Undertow. This vulnerability impacts a
| server that supports the wildfly-http-client protocol. Whenever a
| malicious user opens and closes a connection with the HTTP port of
| the server and then closes the connection immediately, the server
| will end with both memory and open file limits exhausted at some
| point, depending on the amount of memory available. At HTTP
| upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks
| connections if RemotingConnection is closed by Remoting
| ServerConnectionOpenListener. Because the remoting connection
| originates in Undertow as part of the HTTP upgrade, there is an
| external layer to the remoting connection. This connection is
| unaware of the outermost layer when closing the connection during
| the connection opening procedure. Hence, the Undertow
| WriteTimeoutStreamSinkConduit is not notified of the closed
| connection in this scenario. Because WriteTimeoutStreamSinkConduit
| creates a timeout task, the whole dependency tree leaks via that
| task, which is added to XNIO WorkerThread. So, the workerThread
| points to the Undertow conduit, which contains the connections and
| causes the leak.

https://bugzilla.redhat.com/show_bug.cgi?id=2264928


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1635
https://www.cve.org/CVERecord?id=CVE-2024-1635

Please adjust the affected versions in the BTS as needed.



Bug#1068815: undertow: CVE-2023-1973

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-1973[0]:
The only reference is at Red Hat:

https://bugzilla.redhat.com/show_bug.cgi?id=2185662


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1973
https://www.cve.org/CVERecord?id=CVE-2023-1973

Please adjust the affected versions in the BTS as needed.



Bug#1068816: undertow: CVE-2024-1459

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1459[0]:
| A path traversal vulnerability was found in Undertow. This issue may
| allow a remote attacker to append a specially-crafted sequence to an
| HTTP request for an application deployed to JBoss EAP, which may
| permit access to privileged or restricted files and directories.

The only reference here is at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2259475

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1459
https://www.cve.org/CVERecord?id=CVE-2024-1459

Please adjust the affected versions in the BTS as needed.



Bug#1068629: testng7 backport for bullseye needed for latest Java LTS releases

2024-04-11 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 02:02:13PM +1200 schrieb Vladimir Petko:
> Hi,
> 
> I have realized that I have not submitted the bug report for this
> issue, so the decision to try vendoring dependencies for JTREG is not
> visible anywhere.
> 
> Starting from the April OpenJDK release, JTREG 7.3 will be used for
> openjdk-11 and up, which will require having it in Buster and up.
> 
> In Ubuntu, the January OpenJDK update used the vendored version, and
> we have not found any test regression issues caused by it.
> 
> I have an MR open[1] that does not update the source tree and a
> branch[2] with imported sources.

Thanks, using a vendored version seems perfectly fine here and makes
our life significantly easier for stable/oldstable updates (and jtreg
isn't used outside of OpenJDK anyway).

Cheers,
Moritz



Bug#1068462: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

2024-04-05 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component in at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer dereference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.



Bug#1068461: freeimage: CVE-2024-28562 CVE-2024-28563 CVE-2024-28564 CVE-2024-28565 CVE-2024-28566 CVE-2024-28567 CVE-2024-28568 CVE-2024-28569 CVE-2024-28570 CVE-2024-28571 CVE-2024-28572 CVE-2024-28

2024-04-05 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for freeimage. They are all
only published at 
https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
and don't appear to be forwarded upstream yet.

CVE-2024-28562[0]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::copyIntoFrameBuffer() component when reading images in EXR
| format.


CVE-2024-28563[1]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::DwaCompressor::Classifier::Classifier() function
| when reading images in EXR format.


CVE-2024-28564[2]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::CharPtrIO::readChars() function when reading images
| in EXR format.


CVE-2024-28565[3]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the psdParser::ReadImageData() function when reading images in
| PSD format.


CVE-2024-28566[4]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| AssignPixel() function when reading images in TIFF format.


CVE-2024-28567[5]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_CreateICCProfile() function when reading images in
| TIFF format.


CVE-2024-28568[6]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the read_iptc_profile() function when reading images in TIFF
| format.


CVE-2024-28569[7]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::Xdr::read() function when reading images in EXR format.


CVE-2024-28570[8]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the processMakerNote() function when reading images in JPEG
| format.


CVE-2024-28571[9]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the fill_input_buffer() function when reading images in JPEG
| format.


CVE-2024-28572[10]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_SetTagValue() function when reading images in JPEG
| format.


CVE-2024-28573[11]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the jpeg_read_exif_profile() function when reading images in
| JPEG format.


CVE-2024-28574[12]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28574[13]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28575[14]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_read_mct() function when reading images in J2K
| format.


CVE-2024-28576[15]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_tcp_destroy() function when reading images in J2K
| format.


CVE-2024-28577[16]:
| Null Pointer Dereference vulnerability in open source FreeImage
| v.3.19.0 [r1909] allows a local attacker to cause a denial of
| service (DoS) via the jpeg_read_exif_profile_raw() function when
| reading images in JPEG format.


CVE-2024-28578[17]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Load() function when reading images in RAS format.


CVE-2024-28579[18]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_Unload() function when reading images in HDR
| format.


CVE-2024-28580[19]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| ReadData() function when 

Bug#1068460: docker.io: CVE-2024-29018

2024-04-05 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-29018[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. Moby's networking implementation
| allows for many networks, each with their own IP address range and
| gateway, to be defined. This feature is frequently referred to as
| custom networks, as each network can have a different driver, set of
| parameters and thus behaviors. When creating a network, the
| `--internal` flag is used to designate a network as _internal_. The
| `internal` attribute in a docker-compose.yml file may also be used
| to mark a network _internal_, and other API clients may specify the
| `internal` parameter as well.  When containers with networking are
| created, they are assigned unique network interfaces and IP
| addresses. The host serves as a router for non-internal networks,
| with a gateway IP that provides SNAT/DNAT to/from container IPs.
| Containers on an internal network may communicate between each
| other, but are precluded from communicating with any networks the
| host has access to (LAN or WAN) as no default route is configured,
| and firewall rules are set up to drop all outgoing traffic.
| Communication with the gateway IP address (and thus appropriately
| configured host services) is possible, and the host may communicate
| with any container IP directly.  In addition to configuring the
| Linux kernel's various networking features to enable container
| networking, `dockerd` directly provides some services to container
| networks. Principal among these is serving as a resolver, enabling
| service discovery, and resolution of names from an upstream
| resolver.  When a DNS request for a name that does not correspond to
| a container is received, the request is forwarded to the configured
| upstream resolver. This request is made from the container's network
| namespace: the level of access and routing of traffic is the same as
| if the request was made by the container itself.  As a consequence
| of this design, containers solely attached to an internal network
| will be unable to resolve names using the upstream resolver, as the
| container itself is unable to communicate with that nameserver. Only
| the names of containers also attached to the internal network are
| able to be resolved.  Many systems run a local forwarding DNS
| resolver. As the host and any containers have separate loopback
| devices, a consequence of the design described above is that
| containers are unable to resolve names from the host's configured
| resolver, as they cannot reach these addresses on the host loopback
| device. To bridge this gap, and to allow containers to properly
| resolve names even when a local forwarding resolver is used on a
| loopback address, `dockerd` detects this scenario and instead
| forwards DNS requests from the host network namespace. The loopback
| resolver then forwards the requests to its configured upstream
| resolvers, as expected.  Because `dockerd` forwards DNS requests to
| the host loopback device, bypassing the container network
| namespace's normal routing semantics entirely, internal networks can
| unexpectedly forward DNS requests to an external nameserver. By
| registering a domain for which they control the authoritative
| nameservers, an attacker could arrange for a compromised container
| to exfiltrate data by encoding it in DNS queries that will
| eventually be answered by their nameservers.  Docker Desktop is not
| affected, as Docker Desktop always runs an internal resolver on a
| RFC 1918 address.  Moby releases 26.0.0, 25.0.4, and 23.0.11 are
| patched to prevent forwarding any DNS requests from internal
| networks. As a workaround, run containers intended to be solely
| attached to internal networks with a custom upstream address, which
| will force all upstream DNS queries to be resolved from the
| container's network namespace.

https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx
https://github.com/moby/moby/pull/46609


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29018
https://www.cve.org/CVERecord?id=CVE-2024-29018

Please adjust the affected versions in the BTS as needed.
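
As an added illustration of the exfiltration path the advisory above describes (this is not Moby's code; the base domain exfil.example, the sample secret, the thresholds and all function names are assumptions for the example): the attacker side encodes data into query labels that the internal network's DNS path would carry to an external nameserver, and the defender side is a host-resolver heuristic over query names that flags such queries.

```c
/* Added illustrative example, not Moby's code: how a compromised container on
 * an "internal" network could push data out through the DNS path described in
 * CVE-2024-29018, and a host-side heuristic over query names that would catch
 * it. The base domain exfil.example, the secret, the thresholds and all
 * function names are assumptions for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attacker side: hex-encode `data` into labels of at most 60 characters
 * (under the 63-byte DNS label limit) beneath `base`.
 * Returns the qname length, or 0 if `out` is too small. */
static size_t exfil_qname(const uint8_t *data, size_t n, const char *base,
                          char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t pos = 0, blen = strlen(base);
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && i % 30 == 0) {        /* 30 bytes = 60 hex chars per label */
            if (pos + 1 >= outsz) return 0;
            out[pos++] = '.';
        }
        if (pos + 2 >= outsz) return 0;
        out[pos++] = hex[data[i] >> 4];
        out[pos++] = hex[data[i] & 0x0f];
    }
    if (pos + 1 + blen + 1 > outsz) return 0;
    out[pos++] = '.';
    memcpy(out + pos, base, blen + 1);
    return pos + blen;
}

/* Copy everything left of the last two labels of `qname` into `sub` with the
 * dots removed, and return its length. Treating the last two labels as the
 * registrable domain is a simplification; real tooling consults the Public
 * Suffix List. */
static size_t subdomain_chars(const char *qname, char *sub, size_t subsz)
{
    const char *d1 = strrchr(qname, '.');
    if (!d1 || d1 == qname) return 0;
    const char *d2 = d1 - 1;
    while (d2 > qname && *d2 != '.') d2--;
    if (*d2 != '.') return 0;                  /* only two labels: no subdomain */
    size_t n = 0;
    for (const char *p = qname; p < d2 && n + 1 < subsz; p++)
        if (*p != '.') sub[n++] = *p;
    sub[n] = '\0';
    return n;
}

/* Defender side: flag subdomains that are very long, or medium-length and
 * made almost entirely of hex digits; hostnames rarely look like that. */
static int dns_exfil_suspicious(const char *qname)
{
    char sub[256];
    size_t n = subdomain_chars(qname, sub, sizeof sub);
    if (n >= 40) return 1;
    if (n >= 16) {
        size_t hexchars = 0;
        for (size_t i = 0; i < n; i++)
            if (isxdigit((unsigned char)sub[i])) hexchars++;
        if (hexchars * 10 >= n * 9) return 1;  /* >= 90% hex digits */
    }
    return 0;
}

/* Encode a constructed 20-byte secret as a query name and run the heuristic on it.
 * Returns 1 if flagged, 0 if not, -1 if encoding failed. */
static int demo_suspicious(void)
{
    const uint8_t secret[] = "S3cr3t-DB-password!!";    /* constructed sample */
    char qname[256];
    if (exfil_qname(secret, sizeof secret - 1, "exfil.example", qname, sizeof qname) == 0)
        return -1;
    return dns_exfil_suspicious(qname);
}

int main(void)
{
    const uint8_t secret[] = "S3cr3t-DB-password!!";
    char qname[256];
    exfil_qname(secret, sizeof secret - 1, "exfil.example", qname, sizeof qname);
    printf("query a container would send: %s\n", qname);
    printf("flagged: %d\n", dns_exfil_suspicious(qname));
    printf("db.internal.example flagged: %d\n", dns_exfil_suspicious("db.internal.example"));
    return 0;
}
```

The heuristic belongs on the host's forwarding resolver logs, since that is where the internal-network queries surface on an unpatched engine. The workaround from the advisory complements it: starting such containers with an explicit upstream (`--dns`) keeps the queries in the container's own network namespace, where the internal network's firewall rules drop them.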



Bug#1068459: murano: CVE-2024-29156

2024-04-05 Thread Moritz Mühlenhoff
Source: murano
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for murano.

CVE-2024-29156[0]:
| In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used,
| the Murano service's MuranoPL extension to the YAQL language fails
| to sanitize the supplied environment, leading to potential leakage
| of sensitive service account information.

https://bugs.launchpad.net/murano/+bug/2048114
https://wiki.openstack.org/wiki/OSSN/OSSN-0093

No fix in Murano, but a change in src:python-yaql renders this unexploitable:
https://opendev.org/openstack/yaql/commit/83e28324e1a0ce3970dd854393d2431123a909d3 (3.0.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29156
https://www.cve.org/CVERecord?id=CVE-2024-29156

Please adjust the affected versions in the BTS as needed.



Bug#1068455: varnish: CVE-2024-30156

2024-04-05 Thread Moritz Mühlenhoff
Source: varnish
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for varnish.

CVE-2024-30156[0]:
| Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13
| LTS), and Varnish Enterprise 6 before 6.0.12r6, allows credits
| exhaustion for an HTTP/2 connection control flow window, aka a Broke
| Window Attack.

https://varnish-cache.org/security/VSV00014.html
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156
https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/727a5f80347545b6fc7a6aa48f9fb74e90528f0c (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/42a10e90015bd8a9cb1c7c2e0e313f8b5ae9ebe9 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/eccb50837d61fcb5a6927eef94c570bd1d03c26d (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/0b82e00708b88f696af5881b7a19caf2144d13f7 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/4938f05b318eb2daa2ccc89dafeed3126552c481 (varnish-7.5.0)
https://github.com/varnishcache/varnish-cache/commit/41ef373af53571a94ea8f73f0538322270799a84 (varnish-7.5.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30156
https://www.cve.org/CVERecord?id=CVE-2024-30156

Please adjust the affected versions in the BTS as needed.



Bug#1068457: azure-uamqp-python: CVE-2024-29195

2024-04-05 Thread Moritz Mühlenhoff
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-29195[0]:
| The azure-c-shared-utility is a C library for AMQP/MQTT
| communication to Azure Cloud Services. This library may be used by
| the Azure IoT C SDK for communication between IoT Hub and IoT Hub
| devices. An attacker can cause an integer wraparound or under-
| allocation or heap buffer overflow due to vulnerabilities in
| parameter checking mechanism, by exploiting the buffer length
| parameter in Azure C SDK, which may lead to remote code execution.
| Requirements for RCE are 1. Compromised Azure account allowing
| malformed payloads to be sent to the device via IoT Hub service, 2.
| Bypassing IoT hub service max message payload limit of 128KB, and
| 3. Ability to overwrite code space with remote code. Fixed in commit
| https://github.com/Azure/azure-c-shared-
| utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29195
https://www.cve.org/CVERecord?id=CVE-2024-29195

Please adjust the affected versions in the BTS as needed.
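
As an added illustration of the "integer wraparound or under-allocation" parameter check described for CVE-2024-29195 (this is not azure-c-shared-utility's code; FRAME_HDR, the frame layout and the function names are assumptions for the example): a length-prefixed frame check written with wrapping arithmetic beside an overflow-safe version, and a parser that applies the safe one.

```c
/* Added illustrative example, not azure-c-shared-utility's code: a
 * length-prefixed frame check in the style that CVE-2024-29195 describes,
 * with the wrapping arithmetic beside an overflow-safe version. FRAME_HDR,
 * the frame layout and all function names are assumptions for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_HDR 4u   /* hypothetical big-endian 32-bit length prefix */

/* Vulnerable pattern: declared_len + FRAME_HDR is evaluated in 32-bit
 * unsigned arithmetic, so a huge declared length wraps to a small number,
 * passes the check, and the later allocation/copy is sized by the wrapped value. */
static int frame_fits_wrapping(uint32_t declared_len, uint32_t avail)
{
    return (declared_len + FRAME_HDR) <= avail;
}

/* Hardened form: subtract on the trusted side after ensuring it cannot underflow. */
static int frame_fits_checked(uint32_t declared_len, uint32_t avail)
{
    if (avail < FRAME_HDR) return 0;
    return declared_len <= avail - FRAME_HDR;
}

/* Allocation size with explicit overflow detection (GCC/Clang builtin).
 * Returns 1 and stores the size in *out, or 0 if the sum would wrap. */
static int frame_alloc_size(uint32_t declared_len, uint32_t *out)
{
    if (__builtin_add_overflow(declared_len, FRAME_HDR, out)) { *out = 0; return 0; }
    return 1;
}

/* Parse one frame from `buf` (avail bytes) using the checked path.
 * Returns the payload length, or -1 if the frame is malformed or does not fit. */
static int64_t parse_frame(const uint8_t *buf, uint32_t avail, const uint8_t **payload)
{
    if (avail < FRAME_HDR) return -1;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    uint32_t need;
    if (!frame_alloc_size(declared, &need)) return -1;   /* would wrap */
    if (!frame_fits_checked(declared, avail)) return -1; /* larger than what we hold */
    *payload = buf + FRAME_HDR;
    return (int64_t)declared;
}

/* Constructed sample: a well-formed 5-byte frame. */
static int64_t demo_parse_valid(void)
{
    const uint8_t frame[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t *p = NULL;
    return parse_frame(frame, sizeof frame, &p);
}

/* Constructed sample: a hostile header declaring 0xFFFFFFFE bytes inside a 64-byte buffer. */
static int64_t demo_parse_hostile(void)
{
    uint8_t buf[64] = { 0xff, 0xff, 0xff, 0xfe };
    const uint8_t *p = NULL;
    return parse_frame(buf, sizeof buf, &p);
}

int main(void)
{
    printf("wrapping check accepts 0xFFFFFFFE in 64 bytes: %d\n",
           frame_fits_wrapping(0xFFFFFFFEu, 64));
    printf("checked  check accepts 0xFFFFFFFE in 64 bytes: %d\n",
           frame_fits_checked(0xFFFFFFFEu, 64));
    printf("valid frame payload length: %lld\n", (long long)demo_parse_valid());
    printf("hostile frame result: %lld\n", (long long)demo_parse_hostile());
    return 0;
}
```

The wrapping form is the one that produces the under-allocation the advisory mentions: 0xFFFFFFFE plus a 4-byte header is 2 in 32-bit arithmetic, so both the size check and a subsequent malloc of "length + header" see a tiny number while the copy that follows uses the original length.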



Bug#1068454: qt6-base: CVE-2024-30161

2024-04-05 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-30161[0]:
| In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may
| access QNetworkReply header data via a dangling pointer.

https://codereview.qt-project.org/c/qt/qtbase/+/544314
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30161
https://www.cve.org/CVERecord?id=CVE-2024-30161

Please adjust the affected versions in the BTS as needed.



Bug#1068453: request-tracker5: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker5.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.



Bug#1068452: request-tracker4: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker4.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.



Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-04 Thread Moritz Mühlenhoff
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.



Bug#1068346: node-express: CVE-2024-29041

2024-04-03 Thread Moritz Mühlenhoff
Source: node-express
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-express.

CVE-2024-29041[0]:
| Express.js is a minimalist web framework for node. Versions of Express.js
| prior to 4.19.0 and all pre-release alpha and beta versions of 5.0
| are affected by an open redirect vulnerability using malformed URLs.
| When a user of Express performs a redirect using a user-provided URL
| Express performs an encode [using
| `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
| before passing it to the `location` header. This can cause malformed
| URLs to be evaluated in unexpected ways by common redirect allow
| list implementations in Express applications, leading to an Open
| Redirect via bypass of a properly implemented allow list. The main
| method impacted is `res.location()` but this is also called from
| within `res.redirect()`. The vulnerability is fixed in 4.19.2 and
| 5.0.0-beta.3.

https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
https://github.com/koajs/koa/issues/1800
https://github.com/expressjs/express/pull/5539
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd (4.19.0)
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29041
https://www.cve.org/CVERecord?id=CVE-2024-29041

Please adjust the affected versions in the BTS as needed.



Bug#1068347: nodejs: CVE-2024-27983 CVE-2024-27982

2024-04-03 Thread Moritz Mühlenhoff
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2024-27983[0]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

CVE-2024-27982[1]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27983
https://www.cve.org/CVERecord?id=CVE-2024-27983
[1] https://security-tracker.debian.org/tracker/CVE-2024-27982
https://www.cve.org/CVERecord?id=CVE-2024-27982

Please adjust the affected versions in the BTS as needed.



Bug#1068144: slang2: CVE-2023-45927 CVE-2023-45929

2024-03-31 Thread Moritz Mühlenhoff
Source: slang2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for slang2. From my perspective
they have no real security impact, but we can still treat/fix them as regular
bugs:

CVE-2023-45927[0]:
| S-Lang 2.3.2 was discovered to contain an arithmetic exception via
| the function tt_sprintf().
http://lists.jedsoft.org/lists/slang-users/2023/003.html

CVE-2023-45929[1]:
| S-Lang 2.3.2 was discovered to contain a segmentation fault via the
| function fixup_tgetstr().
http://lists.jedsoft.org/lists/slang-users/2023/002.html

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45927
https://www.cve.org/CVERecord?id=CVE-2023-45927
[1] https://security-tracker.debian.org/tracker/CVE-2023-45929
https://www.cve.org/CVERecord?id=CVE-2023-45929

Please adjust the affected versions in the BTS as needed.



Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff
Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
> 
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that 
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before 
> for bullseye and buster since there was anyway a different upstream 
> tarball required for the +really version that is required to avoid 
> creating file conflicts with ghwdump when upgrading to bookworm.
> 
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs look good, please upload to security-master,
thanks!

Note that both need -sa, but dak needs some special attention when
uploading to security-master. You'll need to wait for the ACCEPTED mail
before you can upload the next one.

Cheers,
Moritz



Bug#1067456: erlang-jose: CVE-2023-50966

2024-03-21 Thread Moritz Mühlenhoff
Source: erlang-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for erlang-jose.

CVE-2023-50966[0]:
| erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow
| attackers to cause a denial of service (CPU consumption) via a large
| p2c (aka PBES2 Count) value in a JOSE header.

https://github.com/potatosalad/erlang-jose/issues/156
https://github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50966
https://www.cve.org/CVERecord?id=CVE-2023-50966

Please adjust the affected versions in the BTS as needed.



Bug#1067457: jose: CVE-2023-50967

2024-03-21 Thread Moritz Mühlenhoff
Source: jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jose.

CVE-2023-50967[0]:
| latchset jose through version 11 allows attackers to cause a denial
| of service (CPU consumption) via a large p2c (aka PBES2 Count)
| value.

This doesn't appear to have been forwarded upstream yet:
https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50967
https://www.cve.org/CVERecord?id=CVE-2023-50967

Please adjust the affected versions in the BTS as needed.
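The two jose reports above (erlang-jose and latchset jose) describe the same failure mode: the PBES2 iteration count `p2c` comes from the unauthenticated JWE header, so a recipient that runs PBKDF2 with whatever value it is given can be made to burn CPU at will. The following is an added example of the defender-side check, not code from either project; the `P2C_MIN`/`P2C_MAX` policy bounds, the sample salt and the header segments are constructed for the demonstration.

```python
"""Bounding the PBES2 iteration count (p2c) before any key derivation.

Added example for the erlang-jose / jose reports; not code from either
project.  PBES2 key wrapping (RFC 7518 section 4.8) derives the wrapping key
with PBKDF2 using the iteration count the *sender* places in the header, so
the count must be validated before the expensive step runs.
"""
import base64
import hashlib
import json

# Assumed policy values (not taken from the reports): floor and ceiling on p2c.
P2C_MIN = 1000
P2C_MAX = 100_000

# alg -> PBKDF2 hash; the AES-KW key size follows from the alg name.
PBES2_HASH = {
    "PBES2-HS256+A128KW": "sha256",
    "PBES2-HS384+A192KW": "sha384",
    "PBES2-HS512+A256KW": "sha512",
}
KEY_LEN = {"sha256": 16, "sha384": 24, "sha512": 32}


class RejectedHeader(ValueError):
    """Raised when a JWE protected header fails policy checks."""


def b64url_decode(data: str) -> bytes:
    # JWE uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_pbes2_header(header: dict) -> int:
    """Validate a parsed JWE protected header for PBES2 use.

    Returns the accepted p2c value; raises RejectedHeader for anything that
    must not reach the key-derivation step.
    """
    alg = header.get("alg")
    if alg not in PBES2_HASH:
        raise RejectedHeader(f"unsupported alg {alg!r}")
    p2c = header.get("p2c")
    # RFC 7518 requires a positive integer; bool is an int subclass in Python,
    # so exclude it explicitly rather than letting True pass as 1.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise RejectedHeader("p2c must be an integer")
    if p2c < P2C_MIN:
        raise RejectedHeader(f"p2c {p2c} below minimum {P2C_MIN}")
    if p2c > P2C_MAX:
        # This is the check the two CVEs are about: refuse before doing work.
        raise RejectedHeader(f"p2c {p2c} above maximum {P2C_MAX}")
    salt = header.get("p2s")
    if not isinstance(salt, str) or len(b64url_decode(salt)) < 8:
        raise RejectedHeader("p2s must be at least 8 bytes")
    return p2c


def derive_wrapping_key(header: dict, password: bytes) -> bytes:
    """PBES2 key derivation, run only after the header passed the checks."""
    p2c = check_pbes2_header(header)
    alg = header["alg"]
    # The PBKDF2 salt input is UTF8(alg) || 0x00 || p2s, per RFC 7518.
    salt = alg.encode("ascii") + b"\x00" + b64url_decode(header["p2s"])
    digest = PBES2_HASH[alg]
    return hashlib.pbkdf2_hmac(digest, password, salt, p2c, KEY_LEN[digest])


def parse_protected_header(compact_jwe: str) -> dict:
    """Return the protected header (first segment of a compact JWE)."""
    segment = compact_jwe.split(".", 1)[0]
    return json.loads(b64url_decode(segment))


def _encode_header(header: dict) -> str:
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample header segments (16 bytes of 0x01 as salt); not from any report.
SAMPLE_SALT = base64.urlsafe_b64encode(b"\x01" * 16).rstrip(b"=").decode()
GOOD_SEGMENT = _encode_header(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": SAMPLE_SALT, "p2c": 4096}
)
HOSTILE_SEGMENT = _encode_header(
    {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM", "p2s": SAMPLE_SALT,
     "p2c": 2_000_000_000}
)


def accepts(compact_jwe: str) -> bool:
    """True if the protected header passes policy, False if it is rejected."""
    try:
        check_pbes2_header(parse_protected_header(compact_jwe))
        return True
    except RejectedHeader:
        return False


if __name__ == "__main__":
    print("good header accepted:", accepts(GOOD_SEGMENT))        # True
    print("hostile header accepted:", accepts(HOSTILE_SEGMENT))  # False
    print(derive_wrapping_key(parse_protected_header(GOOD_SEGMENT), b"pw").hex())
```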



Bug#1067180: fastdds: CVE-2024-26369

2024-03-19 Thread Moritz Mühlenhoff
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2024-26369[0]:
| An issue in the HistoryQosPolicy component of FastDDS v2.12.x,
| v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon
| receiving DataWriter's data.

https://github.com/eProsima/Fast-DDS/issues/4365
https://github.com/eProsima/Fast-DDS/pull/4375

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26369
https://www.cve.org/CVERecord?id=CVE-2024-26369

Please adjust the affected versions in the BTS as needed.



Bug#1067179: ldap-account-manager: CVE-2024-23333

2024-03-19 Thread Moritz Mühlenhoff
Source: ldap-account-manager
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ldap-account-manager.

CVE-2024-23333[0]:
| LDAP Account Manager (LAM) is a webfrontend for managing entries
| stored in an LDAP directory. LAM's log configuration allows to
| specify arbitrary paths for log files. Prior to version 8.7, an
| attacker could exploit this by creating a PHP file and cause LAM to
| log some PHP code to this file. When the file is then accessed via
| web the code would be executed. The issue is mitigated by the
| following: An attacker needs to know LAM's master configuration
| password to be able to change the main settings; and the webserver
| needs write access to a directory that is accessible via web. LAM
| itself does not provide any such directories. The issue has been
| fixed in 8.7. As a workaround, limit access to LAM configuration
| pages to authorized users.

https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-fm9w-7m7v-wxqv


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23333
https://www.cve.org/CVERecord?id=CVE-2024-23333

Please adjust the affected versions in the BTS as needed.



Bug#1067178: clickhouse: CVE-2024-22412

2024-03-19 Thread Moritz Mühlenhoff
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clickhouse.

CVE-2024-22412[0]:
| ClickHouse is an open-source column-oriented database management
| system. A bug exists in the cloud ClickHouse offering prior to
| version 24.0.2.54535 and in github.com/clickhouse/clickhouse version
| 23.1. Query caching bypasses the role based access controls and the
| policies being enforced on roles. In affected versions, the query
| cache only respects separate users, however this is not documented
| and not expected behavior. People relying on ClickHouse roles can
| have their access control lists bypassed if they are using query
| caching. Attackers who have control of a role could guess queries
| and see data they shouldn't have access to. Version 24.1 of
| ClickHouse and version 24.0.2.54535 of ClickHouse Cloud contain a
| patch for this issue. Based on the documentation, role based access
| control should be enforced regardless if query caching is enabled or
| not.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-45h5-f7g3-gr8r
https://github.com/ClickHouse/ClickHouse/pull/58611


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22412
https://www.cve.org/CVERecord?id=CVE-2024-22412

Please adjust the affected versions in the BTS as needed.
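The ClickHouse report above turns on one architectural point: a result cache in front of an access-controlled store must key on the whole authorization context, not just the user name, or a principal whose effective roles or row policies differ from the one that populated the entry gets served data it may not see. The following toy model is an added example, not ClickHouse code; the sample table, the two roles with their row policies and the "same user switches active role" scenario are all constructed for the demonstration.

```python
"""Query-result cache keyed on user only versus on the full authz context.

Added example for the ClickHouse report (CVE-2024-22412); a toy model, not
ClickHouse code.  The weak cache keys results on (query, user), so when the
same user later runs the same query under a more restrictive role it gets
the earlier, unrestricted result.  The fixed cache folds the active roles and
a fingerprint of the effective row policy into the key, so that case misses
and the query is evaluated under the restricted policy.
"""
from dataclasses import dataclass
import hashlib

# Constructed sample table of (region, revenue) rows; not from the report.
SALES = [("eu", 100), ("us", 250), ("eu", 40), ("apac", 75)]

# Constructed row policies: role -> regions that role may read.
ROW_POLICY = {"analyst_eu": {"eu"}, "analyst_global": {"eu", "us", "apac"}}

QUERY = "SELECT sum(revenue) FROM sales"


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset  # roles active for this session


def allowed_regions(roles) -> set:
    """Effective row policy: union of what the active roles may read."""
    return set().union(*(ROW_POLICY[r] for r in roles))


def run_query(principal: Principal, sql: str) -> int:
    """Evaluate the one query the demo supports under the caller's policy."""
    if sql != QUERY:
        raise ValueError("demo only supports the sales sum query")
    allowed = allowed_regions(principal.roles)
    return sum(rev for region, rev in SALES if region in allowed)


def policy_fingerprint(roles) -> str:
    """Hash of the effective policy, so a changed or revoked policy also misses."""
    joined = ",".join(sorted(allowed_regions(roles)))
    return hashlib.sha256(joined.encode()).hexdigest()


class QueryCache:
    def __init__(self, key_on_authz: bool):
        self.key_on_authz = key_on_authz
        self._store = {}
        self.hits = 0

    def _key(self, principal: Principal, sql: str):
        if not self.key_on_authz:
            return (sql, principal.user)  # weak: roles/policies ignored
        return (
            sql,
            principal.user,
            tuple(sorted(principal.roles)),
            policy_fingerprint(principal.roles),
        )

    def execute(self, principal: Principal, sql: str) -> int:
        key = self._key(principal, sql)
        if key in self._store:
            self.hits += 1
            return self._store[key]
        result = run_query(principal, sql)
        self._store[key] = result
        return result


def demo(key_on_authz: bool):
    """Returns (first result, second result, cache hits) for the scenario."""
    cache = QueryCache(key_on_authz)
    alice_global = Principal("alice", frozenset({"analyst_global"}))
    alice_eu = Principal("alice", frozenset({"analyst_eu"}))  # after SET ROLE
    first = cache.execute(alice_global, QUERY)   # 465, populates the cache
    second = cache.execute(alice_eu, QUERY)      # should be 140 (eu rows only)
    return first, second, cache.hits


if __name__ == "__main__":
    print("user-keyed cache:", demo(False))  # (465, 465, 1): policy bypassed
    print("authz-keyed cache:", demo(True))  # (465, 140, 0): policy enforced
```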



Bug#1067177: black: CVE-2024-21503

2024-03-19 Thread Moritz Mühlenhoff
Source: black
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for black.

CVE-2024-21503[0]:
| Versions of the package black before 24.3.0 are vulnerable to
| Regular Expression Denial of Service (ReDoS) via the
| lines_with_leading_tabs_expanded function in the strings.py file. An
| attacker could exploit this vulnerability by crafting a malicious
| input that causes a denial of service.  Exploiting this
| vulnerability is possible when running Black on untrusted input, or
| if you habitually put thousands of leading tab characters in your
| docstrings.

https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
https://github.com/psf/black/releases/tag/24.3.0
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21503
https://www.cve.org/CVERecord?id=CVE-2024-21503

Please adjust the affected versions in the BTS as needed.



Bug#1064968: net-snmp: CVE-2024-26464

2024-02-28 Thread Moritz Mühlenhoff
Source: net-snmp
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for net-snmp. This appeared
in the CVE feed, but I doubt that it was actually forwarded upstream.

CVE-2024-26464[0]:
| net-snmp 5.9.4 contains a memory leak vulnerability in /net-
| snmp/apps/snmpvacm.c.

https://github.com/LuMingYinDetect/net-snmp_defects/blob/main/net-snmp_detect_1.md


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26464
https://www.cve.org/CVERecord?id=CVE-2024-26464

Please adjust the affected versions in the BTS as needed.



Bug#1064967: fontforge: CVE-2024-25081 CVE-2024-25082

2024-02-28 Thread Moritz Mühlenhoff
Source: fontforge
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.



Bug#1064966: apache-mime4j: CVE-2024-21742

2024-02-28 Thread Moritz Mühlenhoff
Source: apache-mime4j
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for apache-mime4j.

CVE-2024-21742[0]:
| Improper input validation allows for header injection in MIME4J
| library when using MIME4J DOM for composing message. This can be
| exploited by an attacker to add unintended headers to MIME messages.

https://www.openwall.com/lists/oss-security/2024/02/27/5
https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1 (apache-mime4j-project-0.8.10)
https://github.com/apache/james-mime4j/pull/91


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21742
https://www.cve.org/CVERecord?id=CVE-2024-21742

Please adjust the affected versions in the BTS as needed.



Bug#1064965: krb5: CVE-2024-26458 CVE-2024-26461 CVE-2024-26462

2024-02-28 Thread Moritz Mühlenhoff
Source: krb5
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for krb5. They appeared
in the CVE feed, but I doubt they have actually been forwarded to
Kerberos upstream...

CVE-2024-26458[0]:
| Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in
| /krb5/src/lib/rpc/pmap_rmt.c.
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md


CVE-2024-26461[1]:
| Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in
| /krb5/src/lib/gssapi/krb5/k5sealv3.c.
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md


CVE-2024-26462[2]:
| Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in
| /krb5/src/kdc/ndr.c.
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26458
https://www.cve.org/CVERecord?id=CVE-2024-26458
[1] https://security-tracker.debian.org/tracker/CVE-2024-26461
https://www.cve.org/CVERecord?id=CVE-2024-26461
[2] https://security-tracker.debian.org/tracker/CVE-2024-26462
https://www.cve.org/CVERecord?id=CVE-2024-26462

Please adjust the affected versions in the BTS as needed.



Bug#1064517: texlive-bin: CVE-2024-25262

2024-02-23 Thread Moritz Mühlenhoff
Source: texlive-bin
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for texlive-bin.

CVE-2024-25262[0]:
| texlive-bin commit c515e was discovered to contain heap buffer
| overflow via the function ttfLoadHDMX:ttfdump. This vulnerability
| allows attackers to cause a Denial of Service (DoS) via supplying a
| crafted TTF file.

https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co
https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
https://github.com/TeX-Live/texlive-source/pull/63

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25262
https://www.cve.org/CVERecord?id=CVE-2024-25262

Please adjust the affected versions in the BTS as needed.



Bug#1064516: ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146

2024-02-23 Thread Moritz Mühlenhoff
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.



Bug#1064515: fastdds: CVE-2023-50257

2024-02-23 Thread Moritz Mühlenhoff
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-50257[0]:
| eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of
| the Data Distribution Service standard of the Object Management
| Group. Even with the application of SROS2, due to the issue where
| the data (`p[UD]`) and `guid` values used to disconnect between
| nodes are not encrypted, a vulnerability has been discovered where a
| malicious attacker can forcibly disconnect a Subscriber and can deny
| a Subscriber attempting to connect. Afterwards, if the attacker
| sends the packet for disconnecting, which is data (`p[UD]`), to the
| Global Data Space (`239.255.0.1:7400`) using the said Publisher ID,
| all the Subscribers (Listeners) connected to the Publisher (Talker)
| will not receive any data and their connection will be disconnected.
| Moreover, if this disconnection packet is sent continuously, the
| Subscribers (Listeners) trying to connect will not be able to do so.
| Since the initial commit of the `SecurityManager.cpp` code (`init`,
| `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability
| in RTPS Packets Used by SROS2 has been present prior to versions
| 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98
https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50257
https://www.cve.org/CVERecord?id=CVE-2023-50257

Please adjust the affected versions in the BTS as needed.



Bug#1064514: pymatgen: CVE-2024-23346

2024-02-23 Thread Moritz Mühlenhoff
Source: pymatgen
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pymatgen.

CVE-2024-23346[0]:
| Pymatgen (Python Materials Genomics) is an open-source Python
| library for materials analysis. A critical security vulnerability
| exists in the
| `JonesFaithfulTransformation.from_transformation_str()` method
| within the `pymatgen` library prior to version 2024.2.20. This
| method insecurely utilizes `eval()` for processing input, enabling
| execution of arbitrary code when parsing untrusted input. Version
| 2024.2.20 fixes this issue.

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23346
https://www.cve.org/CVERecord?id=CVE-2024-23346

Please adjust the affected versions in the BTS as needed.



Bug#1064063: plasma-workspace: CVE-2024-1433

2024-02-16 Thread Moritz Mühlenhoff
Source: plasma-workspace
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for plasma-workspace.

CVE-2024-1433[0]:
| A vulnerability, which was classified as problematic, was found in
| KDE Plasma Workspace up to 5.93.0. This affects the function
| EventPluginsManager::enabledPlugins of the file
| components/calendar/eventpluginsmanager.cpp of the component Theme
| File Handler. The manipulation of the argument pluginId leads to
| path traversal. It is possible to initiate the attack remotely. The
| complexity of an attack is rather high. The exploitability is told
| to be difficult. The patch is named
| 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply
| a patch to fix this issue. The associated identifier of this
| vulnerability is VDB-253407. NOTE: This requires write access to
| user's home or the installation of third party global themes.

https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1433
https://www.cve.org/CVERecord?id=CVE-2024-1433

Please adjust the affected versions in the BTS as needed.



Bug#1064062: iwd: CVE-2023-52161

2024-02-16 Thread Moritz Mühlenhoff
Source: iwd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for iwd.

CVE-2023-52161[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/

While this mentions a patch for wpa_supplicant, it's not obvious
if this was reported/fixed in iwd.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52161
https://www.cve.org/CVERecord?id=CVE-2023-52161

Please adjust the affected versions in the BTS as needed.



Bug#1064061: wpa: CVE-2023-52160

2024-02-16 Thread Moritz Mühlenhoff
Source: wpa
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for wpa.

CVE-2023-52160[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52160
https://www.cve.org/CVERecord?id=CVE-2023-52160

Please adjust the affected versions in the BTS as needed.



Bug#1064055: nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892

2024-02-16 Thread Moritz Mühlenhoff
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-46809[0]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

CVE-2024-22019[1]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high

CVE-2024-21892[2]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high

There are some other issues, but they only affect the version in experimental.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46809
https://www.cve.org/CVERecord?id=CVE-2023-46809
[1] https://security-tracker.debian.org/tracker/CVE-2024-22019
https://www.cve.org/CVERecord?id=CVE-2024-22019
[2] https://security-tracker.debian.org/tracker/CVE-2024-21892
https://www.cve.org/CVERecord?id=CVE-2024-21892

Please adjust the affected versions in the BTS as needed.



Bug#1064054: qtbase-opensource-src-gles: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1064053: qtbase-opensource-src: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1064052: qt6-base: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=28ecb523ce8490bff38b251b3df703c72e057519


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1064051: azure-uamqp-python: CVE-2024-25110

2024-02-16 Thread Moritz Mühlenhoff
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-25110[0]:
| The UAMQP is a general purpose C library for AMQP 1.0. During a call
| to open_get_offered_capabilities, a memory allocation may fail
| causing a use-after-free issue and if a client called it during
| connection communication it may cause a remote code execution. Users
| are advised to update the submodule with commit `30865c9c`. There
| are no known workarounds for this vulnerability.

azure-uamqp-python appears to bundle azure-uamqp-c, so presumably it's
also affected?

https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25110
https://www.cve.org/CVERecord?id=CVE-2024-25110

Please adjust the affected versions in the BTS as needed.



Bug#1063795: python-glance-store: CVE-2024-1141

2024-02-12 Thread Moritz Mühlenhoff
Source: python-glance-store
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-glance-store.

CVE-2024-1141[0]:
| A vulnerability was found in python-glance-store. The issue occurs
| when the package logs the access_key for the glance-store when the
| DEBUG log level is enabled.

https://bugzilla.redhat.com/show_bug.cgi?id=2258836
https://github.com/openstack/glance_store/commit/d6e531af4821c8466b1e9404f12f89f6216417f2
https://github.com/openstack/glance_store/commit/a5ba027922ba1230b4ae9abb810f36427be6354a


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1141
https://www.cve.org/CVERecord?id=CVE-2024-1141

Please adjust the affected versions in the BTS as needed.



Bug#1063540: libhibernate-validator-java: CVE-2023-1932

2024-02-09 Thread Moritz Mühlenhoff
Source: libhibernate-validator-java
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libhibernate-validator-java.

CVE-2023-1932[0]:
rendering of invalid html with SafeHTML leads to HTML injection and XSS

https://bugzilla.redhat.com/show_bug.cgi?id=1809444


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1932
https://www.cve.org/CVERecord?id=CVE-2023-1932

Please adjust the affected versions in the BTS as needed.



Bug#1063539: undertow: CVE-2023-4639

2024-02-09 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-4639[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2166022


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4639
https://www.cve.org/CVERecord?id=CVE-2023-4639

Please adjust the affected versions in the BTS as needed.



Bug#1063538: python-multipart: CVE-2024-24762

2024-02-09 Thread Moritz Mühlenhoff
Source: python-multipart
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-multipart.

CVE-2024-24762[0]:
| FastAPI is a web framework for building APIs with Python 3.8+ based
| on standard Python type hints. When using form data, `python-
| multipart` uses a Regular Expression to parse the HTTP `Content-
| Type` header, including options. An attacker could send a custom-
| made `Content-Type` option that is very difficult for the RegEx to
| process, consuming CPU resources and stalling indefinitely (minutes
| or more) while holding the main event loop. This means that process
| can't handle any more requests. It's a ReDoS(Regular expression
| Denial of Service), it only applies to those reading form data,
| using `python-multipart`. This vulnerability has been patched in
| version 0.109.0.

This was reported by fastapi:
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389

But the actual code fix within Debian is in python-multipart:
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
https://github.com/Kludex/python-multipart/pull/75


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24762
https://www.cve.org/CVERecord?id=CVE-2024-24762

Please adjust the affected versions in the BTS as needed.



Bug#1063537: ckeditor3: CVE-2024-24815 CVE-2024-24816

2024-02-09 Thread Moritz Mühlenhoff
Source: ckeditor3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ckeditor3.

CVE-2024-24815[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been discovered in
| the core HTML parsing module in versions of CKEditor4 prior to
| 4.24.0-lts. It may affect all editor instances that enabled full-
| page editing mode or enabled CDATA elements in Advanced Content
| Filtering configuration (defaults to `script` and `style` elements).
| The vulnerability allows attackers to inject malformed HTML content
| bypassing Advanced Content Filtering mechanism, which could result
| in executing JavaScript code. An attacker could abuse faulty CDATA
| content detection and use it to prepare an intentional attack on the
| editor. A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

CVE-2024-24816[1]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability vulnerability has been
| discovered in versions prior to 4.24.0-lts in samples that use the
| `preview` feature. All integrators that use these samples in the
| production code can be affected. The vulnerability allows an
| attacker to execute JavaScript code by abusing the misconfigured
| preview feature. It affects all users using the CKEditor 4 at
| version < 4.24.0-lts with affected samples used in a production
| environment. A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24815
https://www.cve.org/CVERecord?id=CVE-2024-24815
[1] https://security-tracker.debian.org/tracker/CVE-2024-24816
https://www.cve.org/CVERecord?id=CVE-2024-24816

Please adjust the affected versions in the BTS as needed.



Bug#1063536: ckeditor: CVE-2024-24815 CVE-2024-24816

2024-02-09 Thread Moritz Mühlenhoff
Source: ckeditor
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ckeditor.

CVE-2024-24815[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been discovered in
| the core HTML parsing module in versions of CKEditor4 prior to
| 4.24.0-lts. It may affect all editor instances that enabled full-
| page editing mode or enabled CDATA elements in Advanced Content
| Filtering configuration (defaults to `script` and `style` elements).
| The vulnerability allows attackers to inject malformed HTML content
| bypassing Advanced Content Filtering mechanism, which could result
| in executing JavaScript code. An attacker could abuse faulty CDATA
| content detection and use it to prepare an intentional attack on the
| editor. A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb

CVE-2024-24816[1]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML
| editor. A cross-site scripting vulnerability has been
| discovered in versions prior to 4.24.0-lts in samples that use the
| `preview` feature. All integrators that use these samples in the
| production code can be affected. The vulnerability allows an
| attacker to execute JavaScript code by abusing the misconfigured
| preview feature. It affects all users using the CKEditor 4 at
| version < 4.24.0-lts with affected samples used in a production
| environment. A fix is available in version 4.24.0-lts.

https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24815
https://www.cve.org/CVERecord?id=CVE-2024-24815
[1] https://security-tracker.debian.org/tracker/CVE-2024-24816
https://www.cve.org/CVERecord?id=CVE-2024-24816

Please adjust the affected versions in the BTS as needed.



Bug#1063534: libjwt: CVE-2024-25189

2024-02-09 Thread Moritz Mühlenhoff
Source: libjwt
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libjwt.

CVE-2024-25189[0]:
| libjwt 1.15.3 uses strcmp (which is not constant time) to verify
| authentication, which makes it easier to bypass authentication via a
| timing side channel.

The report is
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
but it doesn't seem to have been reported upstream yet.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25189
https://www.cve.org/CVERecord?id=CVE-2024-25189

Please adjust the affected versions in the BTS as needed.
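
An added example, not libjwt's code, showing what the CVE text above means in practice: a strcmp()-style comparison of the token signature stops at the first differing byte, so the time it takes depends on how long the matching prefix is, and a constant-time comparison that visits every byte. The function names and the base64 inputs are illustrative assumptions.

```c
/* Added example, not libjwt's code: why a strcmp()-style comparison of the
 * token signature leaks through timing, and a constant-time replacement.
 * Function names and inputs are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirrors strcmp()'s early exit and reports how many bytes were examined.
 * The count (and therefore the run time) grows with the length of the
 * matching prefix, which is what a remote attacker measures. */
int early_exit_equal(const char *a, const char *b, size_t *steps)
{
    size_t i = 0;
    for (;;) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 0;           /* stops at the first mismatch */
        if (a[i] == '\0')
            return 1;
        i++;
    }
}

/* Vulnerable pattern (the one CVE-2024-25189 describes). */
int verify_sig_strcmp(const char *expected_b64, const char *provided_b64)
{
    return strcmp(expected_b64, provided_b64) == 0;
}

/* Constant-time equality over a fixed length: every byte is visited, the
 * differences are OR-ed together, and the verdict is derived without a
 * data-dependent branch. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 -> (0 - 1) >> 31 == 1; diff != 0 -> (small value) >> 31 == 0 */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Hardened verification. The length of a correct signature follows from
 * the (public) algorithm, so rejecting on a length mismatch leaks nothing
 * the attacker does not already know; the bytes are compared in constant
 * time. */
int verify_sig_ct(const char *expected_b64, const char *provided_b64)
{
    size_t n = strlen(expected_b64);
    if (strlen(provided_b64) != n)
        return 0;
    return ct_equal((const uint8_t *)expected_b64,
                    (const uint8_t *)provided_b64, n);
}
```

early_exit_equal() makes the leak visible without a stopwatch: comparing "deadbeef" against "deadbeeX" examines 8 bytes, against "Xeadbeef" only 1. When a crypto library is already linked, its constant-time primitive (for example OpenSSL's CRYPTO_memcmp()) is preferable to hand-rolling ct_equal(), and the comparison should be done on the decoded MAC bytes rather than on their base64 text.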



Bug#1063535: node-ip: CVE-2023-42282

2024-02-09 Thread Moritz Mühlenhoff
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2023-42282[0]:
| An issue in NPM IP Package v.1.1.8 and before allows an attacker to
| execute arbitrary code and obtain sensitive information via the
| isPublic() function.

It seems upstream has been unresponsive to the reports:
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42282
https://www.cve.org/CVERecord?id=CVE-2023-42282

Please adjust the affected versions in the BTS as needed.
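
An added example, not node-ip's code, of the class of bug behind an isPublic()-style check being bypassed. It assumes (the assumption is made for this example, the reports linked above are not quoted here) that the check inspects the textual form of the address, while the socket layer that later connects to it accepts shorthand forms: hexadecimal or octal parts, fewer than four parts, or a bare 32-bit number. Names and sample inputs are constructed.

```c
/* Added example, not node-ip's code: a text-level private-range check that
 * can be bypassed with a non-canonical address, the way the OS actually
 * interprets that text, and a hardened check. Names are assumptions. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape: classification on the dotted-decimal text only.
 * Returns 1 for "public", 0 for private/loopback. "0x7f.1" starts with
 * neither "127." nor any other listed prefix, so it is reported public. */
int is_public_by_text(const char *s)
{
    static const char *priv[] = { "0.", "10.", "127.", "169.254.", "192.168." };
    for (size_t i = 0; i < sizeof priv / sizeof priv[0]; i++)
        if (strncmp(s, priv[i], strlen(priv[i])) == 0)
            return 0;
    if (strncmp(s, "172.", 4) == 0) {          /* 172.16.0.0/12 */
        int second = atoi(s + 4);
        if (second >= 16 && second <= 31)
            return 0;
    }
    return 1;
}

/* What the connect() path will do with the same text: inet_addr() accepts
 * the a, a.b, a.b.c and a.b.c.d forms with decimal, octal or hex parts.
 * Returns 0 and the address in host order, or -1 if unparseable
 * (INADDR_NONE is also what 255.255.255.255 yields, a known wart). */
int parse_like_the_socket_layer(const char *s, uint32_t *host_order)
{
    in_addr_t a = inet_addr(s);
    if (a == INADDR_NONE)
        return -1;
    *host_order = ntohl(a);
    return 0;
}

/* Range test on the numeric value, not on the text. */
int is_private_numeric(uint32_t ip)
{
    return (ip >> 24) == 0        /* 0.0.0.0/8 */
        || (ip >> 24) == 10       /* 10.0.0.0/8 */
        || (ip >> 24) == 127      /* 127.0.0.0/8 loopback */
        || (ip >> 20) == 0xAC1    /* 172.16.0.0/12 */
        || (ip >> 16) == 0xA9FE   /* 169.254.0.0/16 link-local */
        || (ip >> 16) == 0xC0A8;  /* 192.168.0.0/16 */
}

/* Hardened: 1 = public, 0 = private/loopback, -1 = rejected. inet_pton()
 * accepts only canonical dotted-quad text, so shorthand never reaches the
 * range check, and the check itself works on the parsed value. */
int is_public_hardened(const char *s)
{
    struct in_addr canonical;
    if (inet_pton(AF_INET, s, &canonical) != 1)
        return -1;
    return is_private_numeric(ntohl(canonical.s_addr)) ? 0 : 1;
}
```

The combination matters: parse_like_the_socket_layer("0x7f.1") resolves to 127.0.0.1 while is_public_by_text("0x7f.1") says public, which is exactly the gap an SSRF filter built on such a check leaves open. Rejecting non-canonical input and classifying the parsed value closes both halves of it.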



Bug#1032972: handbrake: debian version of handbrake does not handle subtitles correctly

2024-01-29 Thread Moritz Mühlenhoff
Hi Michael,
thanks for looking into this!

michael spreng wrote:
> The above mentioned patch to ffmpeg changes ffmpeg to remember the pts. But
> handbrake can remember the pts just as well. So see the attached patch which
> does exactly that: if the subtitle is incomplete, it saves the pts to the
> handbrake subtitle context, and retrieves it if there is no pts on a
> completed subtitle ready for output.
> 
> I am unsure how to proceed from here. Is that fix acceptable? Where would I
> submit it?

Can you please send/propose this upstream, they are in a much better position
to assess this approach.

Either by making a pull request https://github.com/HandBrake/HandBrake or
by opening an issue there.

Cheers,
Moritz



Bug#1061543: indent: CVE-2024-0911

2024-01-25 Thread Moritz Mühlenhoff
Source: indent
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

This was assigned CVE-2024-0911:
https://lists.gnu.org/archive/html/bug-indent/2024-01/msg1.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0911
https://www.cve.org/CVERecord?id=CVE-2024-0911

Please adjust the affected versions in the BTS as needed.



Bug#1060860: rust-vmm-sys-util: CVE-2023-50711

2024-01-15 Thread Moritz Mühlenhoff
Source: rust-vmm-sys-util
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for rust-vmm-sys-util.

CVE-2023-50711[0]:
| vmm-sys-util is a collection of modules that provides helpers and
| utilities used by multiple rust-vmm components. Starting in version
| 0.5.0 and prior to version 0.12.0, an issue in the
| `FamStructWrapper::deserialize` implementation provided by the crate
| for `vmm_sys_util::fam::FamStructWrapper` can lead to out of bounds
| memory accesses. The deserialization does not check that the length
| stored in the header matches the flexible array length. Mismatch in
| the lengths might allow out of bounds memory access through Rust-
| safe methods. The issue was corrected in version 0.12.0 by inserting
| a check that verifies the lengths of compared flexible arrays are
| equal for any deserialized header and aborting deserialization
| otherwise. Moreover, the API was changed so that header length can
| only be modified through Rust-unsafe code. This ensures that users
| cannot trigger out-of-bounds memory access from Rust-safe code.

https://rustsec.org/advisories/RUSTSEC-2024-0002.html
https://github.com/advisories/GHSA-875g-mfp6-g7f9
https://github.com/rust-vmm/vmm-sys-util/commit/30172fca2a8e0a38667d934ee56682247e13f167
 (v0.12.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50711
https://www.cve.org/CVERecord?id=CVE-2023-50711

Please adjust the affected versions in the BTS as needed.
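
An added example, not vmm-sys-util's code, of the check the advisory text says was missing, written against a C struct with a flexible array member of the kind FamStructWrapper wraps (a KVM-style "count header followed by entries" struct). The struct layout, the wire format and the sample inputs are assumptions made for this example.

```c
/* Added example, not vmm-sys-util's code: deserializing a "header + flexible
 * array" struct with and without checking that the header's length matches
 * the entries actually present. Layout and wire format are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct fam_hdr {
    uint32_t len;        /* number of entries the header claims */
    uint32_t pad;
};

struct fam {
    struct fam_hdr hdr;
    uint64_t entries[];  /* flexible array member, hdr.len elements */
};

/* Wire format assumed here: the header followed by the entries, verbatim. */
size_t fam_encode(uint8_t *out, size_t cap, uint32_t claimed_len,
                  const uint64_t *vals, size_t actual_len)
{
    size_t need = sizeof(struct fam_hdr) + actual_len * sizeof(uint64_t);
    if (need > cap)
        return 0;
    struct fam_hdr h = { claimed_len, 0 };
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, vals, actual_len * sizeof(uint64_t));
    return need;
}

/* Vulnerable shape (the pre-0.12.0 behaviour as the advisory describes it):
 * the header is trusted. The object is only as large as the bytes received,
 * but hdr.len may claim more, so any accessor that loops to hdr.len reads
 * past the allocation from otherwise memory-safe code. */
struct fam *fam_deserialize_trusting(const uint8_t *buf, size_t buflen)
{
    if (buflen < sizeof(struct fam_hdr))
        return NULL;
    struct fam *f = malloc(buflen);
    if (f)
        memcpy(f, buf, buflen);
    return f;
}

/* Hardened (the shape of the 0.12.0 fix): derive the entry count from the
 * bytes actually present and require the header to agree exactly. */
struct fam *fam_deserialize_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < sizeof(struct fam_hdr))
        return NULL;
    size_t payload = buflen - sizeof(struct fam_hdr);
    if (payload % sizeof(uint64_t) != 0)
        return NULL;                        /* partial trailing entry */
    struct fam_hdr h;
    memcpy(&h, buf, sizeof h);
    if (h.len != payload / sizeof(uint64_t))
        return NULL;                        /* the missing length check */
    struct fam *f = malloc(buflen);
    if (f)
        memcpy(f, buf, buflen);
    return f;
}

/* A "safe" accessor: correct only if hdr.len matches the allocation. */
uint64_t fam_sum(const struct fam *f)
{
    uint64_t s = 0;
    for (uint32_t i = 0; i < f->hdr.len; i++)
        s += f->entries[i];
    return s;
}
```

With a header claiming three entries and one entry on the wire, fam_deserialize_trusting() hands back a 16-byte object whose hdr.len says 3, so fam_sum() would read two entries past the end; fam_deserialize_checked() rejects the same bytes. The second half of the upstream fix, making the header length writable only through unsafe code, corresponds in C to keeping the struct opaque behind accessor functions so callers cannot desynchronise hdr.len from the allocation after the fact.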



Bug#1060696: gpac: CVE-2023-50120

2024-01-12 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for gpac.

CVE-2023-50120[0]:
| MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered
| to contain an infinite loop in the function av1_uvlc at
| media_tools/av_parsers.c. This vulnerability allows attackers to
| cause a Denial of Service (DoS) via a crafted MP4 file.

https://github.com/gpac/gpac/issues/2698
https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50120
https://www.cve.org/CVERecord?id=CVE-2023-50120

Please adjust the affected versions in the BTS as needed.
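
An added example, not gpac's code, of a bounded AV1 uvlc() decoder. uvlc() is "count zero bits until a 1, then read that many more bits"; a bit reader that keeps yielding 0 past the end of its buffer never sees the terminating 1, which is the infinite-loop shape the CVE text describes. Here the reader reports exhaustion as an error and the decoder applies the AV1 specification's 32-leading-zero saturation. The reader type and the sample bitstream are constructed for this example.

```c
/* Added example, not gpac's code: an AV1 uvlc() reader whose loop is bounded
 * by the buffer. The bitreader type is an assumption for this example. */
#include <stddef.h>
#include <stdint.h>

struct bitreader {
    const uint8_t *data;
    size_t nbits;   /* total bits available */
    size_t pos;     /* next bit to read, MSB first */
};

/* Returns -1 on exhaustion instead of silently yielding 0 bits. */
int br_read_bit(struct bitreader *br, unsigned *bit)
{
    if (br->pos >= br->nbits)
        return -1;
    *bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return 0;
}

int br_read_bits(struct bitreader *br, unsigned n, uint64_t *out)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        unsigned b;
        if (br_read_bit(br, &b) < 0)
            return -1;
        v = (v << 1) | b;
    }
    *out = v;
    return 0;
}

/* AV1 uvlc(): leadingZeros zero bits, a 1 bit, then leadingZeros value
 * bits; result = value + (1 << leadingZeros) - 1, saturating at 2^32 - 1
 * when leadingZeros >= 32. Returns 0 on success, -1 on truncated input. */
int av1_uvlc_bounded(struct bitreader *br, uint64_t *value)
{
    unsigned leading = 0, bit;
    for (;;) {
        if (br_read_bit(br, &bit) < 0)
            return -1;          /* end of data: an error, not another 0 bit */
        if (bit)
            break;
        leading++;
    }
    if (leading >= 32) {
        *value = (1ULL << 32) - 1;
        return 0;
    }
    uint64_t bits;
    if (br_read_bits(br, leading, &bits) < 0)
        return -1;
    *value = bits + (1ULL << leading) - 1;
    return 0;
}
```

The bitstream 1 010 011 00100 (bytes 0xA6 0x40) decodes to the values 0, 1, 2, 3 and then fails on the four trailing zero bits instead of spinning; a buffer of nothing but zeros fails on the first call. The general rule the example illustrates: a bit reader used by any parser with a "loop until marker" construct must surface end-of-data, since a reader that pads with zeros turns every truncated file into a hang.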



Bug#1060695: qtbase-opensource-src-gles: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.



Bug#1060694: qtbase-opensource-src: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.



Bug#1060693: qt6-base: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.
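
An added example, not Qt's code, serving the three CVE-2023-51714 reports above (qtbase-opensource-src-gles, qtbase-opensource-src and qt6-base, which all point at the same hpacktable.cpp issue): an HPACK integer decoder per RFC 7541 section 5.1 with the overflow check done correctly for a 32-bit result. Nothing here is taken from the Qt patches linked above; it shows the shape a correct check has.

```c
/* Added example, not Qt's code: RFC 7541 section 5.1 integer decoding with
 * an overflow check that covers both the shift and the addition. */
#include <stddef.h>
#include <stdint.h>

/* Decodes an integer whose first `prefix_bits` bits live in buf[0].
 * Returns 0 and sets *out / *consumed, or -1 on truncation or overflow. */
int hpack_decode_int(const uint8_t *buf, size_t len, unsigned prefix_bits,
                     uint32_t *out, size_t *consumed)
{
    if (len == 0 || prefix_bits < 1 || prefix_bits > 8)
        return -1;
    uint32_t max_prefix = (1u << prefix_bits) - 1u;
    uint32_t value = buf[0] & max_prefix;
    size_t i = 1;
    if (value < max_prefix) {           /* fits in the prefix: done */
        *out = value;
        *consumed = i;
        return 0;
    }
    unsigned shift = 0;
    for (;;) {
        if (i >= len)
            return -1;                  /* truncated continuation */
        if (shift > 28)
            return -1;                  /* a 6th continuation octet cannot fit in 32 bits */
        uint8_t b = buf[i++];
        uint32_t add = b & 0x7fu;
        /* Two separate overflow conditions, each checked before it can
         * happen: (add << shift) must be representable, and adding it to
         * the running value must not wrap. Testing for wrap after the
         * arithmetic is not a valid check. */
        if (add > (UINT32_MAX >> shift))
            return -1;
        uint32_t shifted = add << shift;
        if (shifted > UINT32_MAX - value)
            return -1;
        value += shifted;
        shift += 7;
        if ((b & 0x80u) == 0)
            break;
    }
    *out = value;
    *consumed = i;
    return 0;
}
```

The RFC's Appendix C.1 examples decode as expected: 0x0A with a 5-bit prefix is 10, 0x1F 0x9A 0x0A with a 5-bit prefix is 1337, 0x2A with an 8-bit prefix is 42. The boundary that matters for the CVE is the last continuation octet: with an 8-bit prefix, 0xFF 0x80 0xFE 0xFF 0xFF 0x0F is exactly 2^32 - 1 and must be accepted, while changing the final octet to 0x1F, or bumping the second octet to 0x81, must be rejected rather than wrapped. Capping the shift also rejects non-minimal encodings that pad with 0x80 octets, which a peer could otherwise use to make the decoder spin.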



Bug#1060691: freeimage: CVE-2023-47992 CVE-2023-47993 CVE-2023-47994 CVE-2023-47996 CVE-2023-47997

2024-01-12 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for freeimage. These
don't appear to have been reported upstream, could you check with
the upstream developers?

CVE-2023-47992[0]:
| An integer overflow vulnerability in
| FreeImageIO.cpp::_MemoryReadProc in FreeImage 3.18.0 allows
| attackers to obtain sensitive information, cause denial-of-service
| attacks and/or run arbitrary code.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992

CVE-2023-47993[1]:
| A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in
| FreeImage 3.18.0 allows attackers to cause a denial-of-service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993

CVE-2023-47994[2]:
| An integer overflow vulnerability in LoadPixelDataRLE4 function in
| PluginBMP.cpp in Freeimage 3.18.0 allows attackers to obtain
| sensitive information, cause a denial of service and/or run
| arbitrary code.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994

CVE-2023-47996[4]:
| An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in
| FreeImage 3.18.0 allows attackers to obtain information and cause a
| denial of service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996

CVE-2023-47997[5]:
| An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in
| FreeImage 3.18.0 leads to an infinite loop and allows attackers to
| cause a denial of service.

https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47992
https://www.cve.org/CVERecord?id=CVE-2023-47992
[1] https://security-tracker.debian.org/tracker/CVE-2023-47993
https://www.cve.org/CVERecord?id=CVE-2023-47993
[2] https://security-tracker.debian.org/tracker/CVE-2023-47994
https://www.cve.org/CVERecord?id=CVE-2023-47994
[3] https://security-tracker.debian.org/tracker/CVE-2023-47995
https://www.cve.org/CVERecord?id=CVE-2023-47995
[4] https://security-tracker.debian.org/tracker/CVE-2023-47996
https://www.cve.org/CVERecord?id=CVE-2023-47996
[5] https://security-tracker.debian.org/tracker/CVE-2023-47997
https://www.cve.org/CVERecord?id=CVE-2023-47997

Please adjust the affected versions in the BTS as needed.



Bug#1060692: libuev: CVE-2022-48620

2024-01-12 Thread Moritz Mühlenhoff
Source: libuev
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libuev.

CVE-2022-48620[0]:
| uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wait if
| maxevents is a large number.

https://github.com/troglobit/libuev/issues/27
https://github.com/troglobit/libuev/commit/2d9f1c9ce655cc38511aeeb6e95ac30914f7aec9
 (v2.4.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-48620
https://www.cve.org/CVERecord?id=CVE-2022-48620

Please adjust the affected versions in the BTS as needed.



Bug#1060408: edk2: CVE-2022-36763 CVE-2022-36764 CVE-2022-36765

2024-01-10 Thread Moritz Mühlenhoff
Source: edk2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for edk2.

CVE-2022-36763[0]:
| EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable()
| function, allowing a user to trigger a heap buffer overflow via a
| local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.

https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr
https://bugzilla.tianocore.org/show_bug.cgi?id=4117

CVE-2022-36764[1]:
| EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage()
| function, allowing a user to trigger a heap buffer overflow via a
| local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.

https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
https://bugzilla.tianocore.org/show_bug.cgi?id=4118

CVE-2022-36765[2]:
| EDK2 is susceptible to a vulnerability in the CreateHob() function,
| allowing a user to trigger an integer overflow to buffer overflow via
| a local network. Successful exploitation of this vulnerability may
| result in a compromise of confidentiality, integrity, and/or
| availability.

https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx
https://bugzilla.tianocore.org/show_bug.cgi?id=4166


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-36763
https://www.cve.org/CVERecord?id=CVE-2022-36763
[1] https://security-tracker.debian.org/tracker/CVE-2022-36764
https://www.cve.org/CVERecord?id=CVE-2022-36764
[2] https://security-tracker.debian.org/tracker/CVE-2022-36765
https://www.cve.org/CVERecord?id=CVE-2022-36765

Please adjust the affected versions in the BTS as needed.
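
An added example, not EDK2's code, of the integer-overflow-to-buffer-overflow shape the CVE-2022-36765 text describes for CreateHob(), reduced to a small arena allocator. HOB headers carry a 16-bit length that is rounded up to an 8-byte boundary before the free-space check; rounding a value close to 0xFFFF in the 16-bit type wraps to a tiny number, the check passes, and the caller then writes its real, much larger, size. The arena type, function names and constants below are assumptions for this example, not EDK2 identifiers.

```c
/* Added example, not EDK2's code: a 16-bit align-up that wraps, and the
 * checked version. The arena type and names are assumptions. */
#include <stddef.h>
#include <stdint.h>

#define HOB_ALIGN 8u

struct hob_arena {
    size_t capacity;   /* bytes available for HOBs */
    size_t used;
};

/* Vulnerable shape: align-up performed in the 16-bit type. For 0xFFFC the
 * intermediate 0x10000 is truncated to 0, which passes every size check,
 * reserves nothing, and leaves the caller believing it owns 65532 bytes. */
int hob_create_unchecked(struct hob_arena *a, uint16_t hob_length,
                         uint16_t *allocated)
{
    uint16_t aligned = (uint16_t)((hob_length + (HOB_ALIGN - 1)) & ~(HOB_ALIGN - 1));
    if (a->capacity - a->used < aligned)
        return -1;                          /* "no space" */
    a->used += aligned;
    *allocated = aligned;
    return 0;
}

/* Hardened: reject lengths whose rounded value is not representable, and
 * do the rounding and the space check in a type wide enough to hold it. */
int hob_create_checked(struct hob_arena *a, uint16_t hob_length,
                       uint16_t *allocated)
{
    if (hob_length == 0 || hob_length > UINT16_MAX - (HOB_ALIGN - 1))
        return -1;                          /* would wrap when rounded */
    uint32_t aligned = ((uint32_t)hob_length + (HOB_ALIGN - 1))
                       & ~(uint32_t)(HOB_ALIGN - 1);
    if (aligned > a->capacity - a->used)
        return -1;
    a->used += aligned;
    *allocated = (uint16_t)aligned;
    return 0;
}
```

Requesting 0xFFFC bytes from a 4096-byte arena succeeds in hob_create_unchecked() with 0 bytes reserved, which is the state from which the subsequent write overruns the HOB list; hob_create_checked() refuses it before any arithmetic can wrap. The same pattern (round up, then compare) recurs wherever a length field is narrower than the arithmetic done on it, so the bound to check is "length greater than TYPE_MAX minus (alignment minus 1)", not the rounded result.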



Bug#1060409: gpac: CVE-2024-0321 CVE-2024-0322

2024-01-10 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-0321[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://huntr.com/bounties/4c027b94-8e9c-4c31-a169-893b25047769/
https://github.com/gpac/gpac/commit/d0ced41651b279bb054eb6390751e2d4eb84819a

CVE-2024-0322[1]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://huntr.com/bounties/87611fc9-ed7c-43e9-8e52-d83cd270bbec/
https://github.com/gpac/gpac/commit/092904b80edbc4dce315684a59cc3184c45c1b70


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0321
https://www.cve.org/CVERecord?id=CVE-2024-0321
[1] https://security-tracker.debian.org/tracker/CVE-2024-0322
https://www.cve.org/CVERecord?id=CVE-2024-0322

Please adjust the affected versions in the BTS as needed.



Bug#877016: Time to drop cpufrequtils?

2024-01-05 Thread Moritz Mühlenhoff
Am Fri, Jan 05, 2024 at 12:08:54PM +0100 schrieb Chris Hofstaedtler:
> On Sun, Sep 03, 2023 at 08:26:00PM +0200, Moritz Mühlenhoff wrote:
> > severity 877016 serious
> > thanks
> > 
> > Am Thu, Sep 28, 2017 at 06:51:30AM -0700 schrieb Mattia Dongili:
> > > On Wed, Sep 27, 2017 at 03:16:52PM -0400, Phil Susi wrote:
> > > > Package: cpufrequtils
> > > > Version: 008-1
> > > ...
> > > > is the case, should cpufrequtils not be removed now?
> > > 
> > > Yes, indeed it should. Thanks for nagging.
> > 
> > Bumping the severity to RC to move forward with this for trixie.
> > 
> 
> $ dak rm -nR cpufrequtils
> Will remove the following packages from unstable:
> 
> cpufrequtils |  008-2 | source, amd64, arm64, armel, armhf, i386, mips64el, s390x
> libcpufreq-dev |  008-2 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, s390x
> libcpufreq-dev |   008-2+b1 | riscv64
> libcpufreq0 |  008-2 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, s390x
> libcpufreq0 |   008-2+b1 | riscv64
> 
> Maintainer: Seunghun Han 
> 
> --- Reason ---
> 
> --
> 
> Checking reverse dependencies...
> No dependency problem found.
> 
> Seems like it's good to go?

Given the original bug to suggest its removal is from 2017, I think it's safe
to say that anyone had a chance to object to its removal :-)

Cheers,
Moritz


