Bug#1073061: r-base: CVE-2024-27322 execution of arbitrary code

2024-06-12 Thread Moritz Mühlenhoff
Dirk Eddelbuettel wrote:
> Just FYI the view of R Core (upstream) and the R Foundation (I'm on the board)
> is that this is a nothingburger. We would love for the CVE to be retracted
> but nobody (among a team of volunteers) has time or energy to pursue this.
> 
> See 
> https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html 
> for the official statement.

JFTR, I've sent a request to mark this CVE as rejected, with a reference to
the statement above.

Cheers,
Moritz



Bug#1073012: Automatically rewrite incoming entries from some CNAs as NFUs

2024-06-11 Thread Moritz Muehlenhoff
Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific
vendor. We should leverage this for pre-processing incoming data and to
reduce toil.

We can do this by extending the "automatic update" job to automatically
annotate CVEs assigned by a given CNA as NFU entries. As an example, all
CVEs coming from the "Wordfence" CNA should be automatically added as
"NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and
review would still happen on the committed entries).

Same for many commercial software vendors, e.g. for a company like SAP,
which has no ties to FLOSS, everything coming from their CNA should
automatically be added as "NOT-FOR-US: SAP" without human interaction. We
should only extend this on a case-by-case basis, e.g. Oracle has a lot of
proprietary software, but they also maintain mysql, Java and virtualbox, so
they still need manual review.

Cheers,
Moritz



Bug#1072366: libndp: CVE-2024-5564

2024-06-10 Thread Moritz Muehlenhoff
Hi Florian,

On Mon, Jun 10, 2024 at 08:41:27AM +0200, Florian Ernst wrote:
> Dear Security Team,
> 
> On Sat, Jun 01, 2024 at 04:57:53PM +0200, Salvatore Bonaccorso wrote:
> > [...]
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-5564
> > https://www.cve.org/CVERecord?id=CVE-2024-5564
> 
> An updated package containing upstream's fix has just been uploaded and
> is waiting to be processed for unstable.
> 
> Upstream's fix: 
> https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af
> (as referenced from https://github.com/jpirko/libndp/issues/26 and
> already seen by carnil)
> Debian change: 
> https://salsa.debian.org/debian/libndp/-/commit/a6136d60ef278c1aebee32f805ff473f0ee6ef99
> 
> The corresponding Debian change applies cleanly on bookworm / stable
> (naturally, as until today bookworm and sid both had libndp 1.8-1) and
> also on bullseye / oldstable and buster / oldoldstable (both having
> libndp 1.6-1).
> 
> I could prepare packages targeting (old)stable, if so desired. Or would
> it be easier for you if you just take over from here?

It would be great if you could prepare updates for bullseye-security and
bookworm-security [1]. Please use 1.6-1+deb11u1 and 1.8-1+deb12u1 as the
respective version numbers. security.debian.org also has autopkgtests set
up, so we should get some good coverage by reverse deps.

Cheers,
Moritz

[1] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security



Bug#1072720: libglib2.0-0: Following fix #1070745, typing `A keys doesn't type an À anymore

2024-06-09 Thread Moritz Muehlenhoff
On Sun, Jun 09, 2024 at 06:23:00PM +0100, Simon McVittie wrote:
> On Sun, 09 Jun 2024 at 17:23:27 +0200, gru...@laposte.net wrote:
> > Please note that ^e gives ê correctly but `A doesn't
> 
> Security team:
> 
> Based on this information, I don't think this is a regression caused by
> the GLib security update, or in fact anything to do with GLib: it seems
> that ibus is "mostly" working, and the GLib regression resulted in ibus
> not working at all.

Ack, thanks for the detailed followup.

Cheers,
Moritz



Bug#1072531: 389-ds-base: CVE-2024-2199

2024-06-03 Thread Moritz Mühlenhoff
Source: 389-ds-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for 389-ds-base.

CVE-2024-2199[0]:
| A denial of service vulnerability was found in 389-ds-base ldap
| server. This issue may allow an authenticated user to cause a server
| crash while modifying `userPassword` using malformed input.

https://bugzilla.redhat.com/show_bug.cgi?id=2267976


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2199
https://www.cve.org/CVERecord?id=CVE-2024-2199

Please adjust the affected versions in the BTS as needed.



Bug#1072530: smarty3: CVE-2024-35226

2024-06-03 Thread Moritz Mühlenhoff
Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty3.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.



Bug#1072529: smarty4: CVE-2024-35226

2024-06-03 Thread Moritz Mühlenhoff
Source: smarty4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty4.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.



Bug#1072528: tcpdf: CVE-2024-22641

2024-06-03 Thread Moritz Mühlenhoff
Source: tcpdf
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tcpdf. I realise
you're aware given you replied to the upstream issue, but also
filing in the BTS for completeness:

CVE-2024-22641[0]:
| TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular
| Expression Denial of Service) if parsing an untrusted SVG file.

https://github.com/tecnickcom/TCPDF/issues/724


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22641
https://www.cve.org/CVERecord?id=CVE-2024-22641

Please adjust the affected versions in the BTS as needed.



Bug#1072527: Mark libreswan as EOLed in Bullseye

2024-06-03 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.05.15
Severity: wishlist
X-Debbugs-Cc: d...@fifthhorseman.net

Security support for libreswan in Bullseye is EOLed; the recent
security fixes for CVE-2023-38710 are too intrusive/risky to
backport (also see https://github.com/libreswan/libreswan/issues/1233).

Cheers,
Moritz



Bug#1072300: RM: phppgadmin/7.13.0+dfsg-2

2024-06-03 Thread Moritz Mühlenhoff
Am Fri, May 31, 2024 at 03:53:13PM -0300 schrieb Leandro Cunha:
> Package: release.debian.org
> Control: affects -1 + src:phppgadmin
> X-Debbugs-Cc: phppgad...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: rm
> X-Debbugs-Cc: leandrocunha...@gmail.com
> Severity: normal
> 
> Reason and request
> I open this bug to request the removal of the phppgadmin package
> version 7.13.0+dfsg-2 from the current stable version of Debian

I suppose it should also be removed from bullseye/oldstable, right?
If so, can you please file a separate bug for it?

Cheers,
Moritz



Bug#1072180: golang-github-lucas-clemente-quic-go: CVE-2024-22189

2024-05-29 Thread Moritz Mühlenhoff
Source: golang-github-lucas-clemente-quic-go
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-lucas-clemente-quic-go.

CVE-2024-22189[0]:
| quic-go is an implementation of the QUIC protocol in Go. Prior to
| version 0.42.0, an attacker can cause its peer to run out of memory
| sending a large number of `NEW_CONNECTION_ID` frames that retire old
| connection IDs. The receiver is supposed to respond to each
| retirement frame with a `RETIRE_CONNECTION_ID` frame. The attacker
| can prevent the receiver from sending out (the vast majority of)
| these `RETIRE_CONNECTION_ID` frames by collapsing the peers
| congestion window (by selectively acknowledging received packets)
| and by manipulating the peer's RTT estimate. Version 0.42.0 contains
| a patch for the issue. No known workarounds are available.

https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478
https://github.com/quic-go/quic-go/commit/4a99b816ae3ab03ae5449d15aac45147c85ed47a (v0.42.0)
https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22189
https://www.cve.org/CVERecord?id=CVE-2024-22189

Please adjust the affected versions in the BTS as needed.



Bug#1072179: pypy3: CVE-2023-27043

2024-05-29 Thread Moritz Mühlenhoff
Source: pypy3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for pypy3.

CVE-2023-27043[0]:
| The email module of Python through 3.11.3 incorrectly parses e-mail
| addresses that contain a special character. The wrong portion of an
| RFC2822 header is identified as the value of the addr-spec. In some
| applications, an attacker can bypass a protection mechanism in which
| application access is granted only after verifying receipt of e-mail
| to a specific domain (e.g., only @company.example.com addresses may
| be used for signup). This occurs in email/_parseaddr.py in recent
| versions of Python.

https://github.com/python/cpython/issues/102988


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27043
https://www.cve.org/CVERecord?id=CVE-2023-27043

Please adjust the affected versions in the BTS as needed.
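The CVE text above describes a parser picking the wrong part of a header as the addr-spec, which defeats any "only @company.example.com may sign up" check that trusts the parser's split. As an added example (not code from Python, pypy3 or the Debian bug), the following verifies the domain without relying on the lenient parser: the whole input must be either a bare addr-spec or a display name followed by exactly one angle-bracketed addr-spec, and the addr-spec must match a conservative subset of the RFC 5322 grammar. `ALLOWED_DOMAIN` and the sample inputs are constructed; `stdlib_view` only shows what `email.utils.parseaddr` returns on the same input for contrast, and that result varies by Python version.

```python
import re
from email.utils import parseaddr

# Constructed: the domain signups are restricted to.
ALLOWED_DOMAIN = "company.example.com"

# A conservative subset of RFC 5322 addr-spec: dot-atom local part, dotted
# domain of letter/digit/hyphen labels. Anything outside it is rejected.
ADDR_SPEC = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
    r"@[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"
)

# Either a bare addr-spec, or a display name (no '@', '<', '>', '[' or ']')
# followed by exactly one angle-bracketed addr-spec.
SHAPE = re.compile(r"[^<>\[\]@]*<([^<>\s]+)>|([^<>\s]+)")


def strict_addr_spec(raw):
    """Return the addr-spec if the whole input is one unambiguous address, else None."""
    m = SHAPE.fullmatch(raw.strip())
    if not m:
        return None
    candidate = m.group(1) or m.group(2)
    if not ADDR_SPEC.fullmatch(candidate):
        return None
    return candidate


def domain_of(raw):
    """Lower-cased domain of a strictly parsed address, or None."""
    spec = strict_addr_spec(raw)
    return None if spec is None else spec.rsplit("@", 1)[1].lower()


def verified_domain(raw, allowed=ALLOWED_DOMAIN):
    """True only when the address is unambiguous and its domain is exactly `allowed`."""
    return domain_of(raw) == allowed.lower()


def stdlib_view(raw):
    """What email.utils.parseaddr makes of the same input (version dependent; for contrast only)."""
    return parseaddr(raw)[1]


if __name__ == "__main__":
    # Constructed inputs: two legitimate forms and one that puts a second
    # address where the display name belongs, so a lenient parser may choose
    # either of the two.
    for raw in ("alice@company.example.com",
                "Alice Example <alice@company.example.com>",
                "mallory@attacker.example]<alice@company.example.com>"):
        print(f"{raw!r}: parseaddr -> {stdlib_view(raw)!r}, "
              f"strict -> {strict_addr_spec(raw)!r}, allowed -> {verified_domain(raw)}")
```

The design choice is to fail closed: an input that the strict shape does not accept is treated as not verified rather than handed to a parser that has to guess, and the domain comparison is against the full, lower-cased domain label so that `company.example.com.attacker.example` is not mistaken for a suffix match.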



Bug#1072178: libnetwork-ipv4addr-perl: CVE-2021-47155

2024-05-29 Thread Moritz Mühlenhoff
Source: libnetwork-ipv4addr-perl
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for libnetwork-ipv4addr-perl.

CVE-2021-47155[0]:
| The Net::IPV4Addr module 0.10 for Perl does not properly consider
| extraneous zero characters in an IP address string, which (in some
| situations) allows attackers to bypass access control that is based
| on IP addresses.

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/#net-ipv4addrhttpsmetacpanorgreleasenet-ipv4addr


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-47155
https://www.cve.org/CVERecord?id=CVE-2021-47155

Please adjust the affected versions in the BTS as needed.



Bug#1069127: python-idna: CVE-2024-3651

2024-05-29 Thread Moritz Mühlenhoff
Hi Guilhem,

> > CVE-2024-3651[0]:
> > | potential DoS via resource consumption via specially crafted inputs to
> > | idna.encode()
> 
> I'm preparing an update for this issue for Buster LTS, would you like me
> to propose debdiffs for (o)s-pu and sid too?

Please do so!

Cheers,
Moritz



Bug#1072126: frr: CVE-2024-31948

2024-05-28 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-31948[0]:
| In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix
| SID attribute in a BGP UPDATE packet can cause the bgpd daemon to
| crash.

https://github.com/FRRouting/frr/pull/15628
Fixed by: https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138
Fixed by: https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31948
https://www.cve.org/CVERecord?id=CVE-2024-31948

Please adjust the affected versions in the BTS as needed.



Bug#1072124: gnome-shell: CVE-2024-36472

2024-05-28 Thread Moritz Muehlenhoff
On Tue, May 28, 2024 at 05:33:32PM -0400, Jeremy Bícha wrote:
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
> 
> On Tue, May 28, 2024 at 5:24 PM Moritz Mühlenhoff  wrote:
> > CVE-2024-36472[0]:
> > | In GNOME Shell through 45.7, a portal helper can be launched
> > | automatically (without user confirmation) based on network responses
> > | provided by an adversary (e.g., an adversary who controls the local
> > | Wi-Fi network), and subsequently loads untrusted JavaScript code,
> > | which may lead to resource consumption or other impacts depending on
> > | the JavaScript code's behavior.
> 
> The initial GNOME issue was closed already (the CVE was requested by
> someone who is not a GNOME developer). But GNOME Shell may change the
> workflow for the captive portal helper so we can leave this bug open,
> pointing to the new issue that was opened upstream.

Yeah, they never filed a bug for the botched CVE assignment; this is the
bug reference explicitly for the followup actionable filed by Michael Catanzaro

Cheers,
Moritz



Bug#1072125: frr: CVE-2024-31949

2024-05-28 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-31949[0]:
| In FRRouting (FRR) through 9.1, an infinite loop can occur when
| receiving a MP/GR capability as a dynamic capability because
| malformed data results in a pointer not advancing.

https://github.com/FRRouting/frr/pull/15640
Fixed by: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31949
https://www.cve.org/CVERecord?id=CVE-2024-31949

Please adjust the affected versions in the BTS as needed.



Bug#1070377: frr: CVE-2024-34088

2024-05-28 Thread Moritz Mühlenhoff
Am Sat, May 04, 2024 at 06:00:24PM +0200 schrieb Moritz Mühlenhoff:
> Source: frr
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for frr.
> 
> CVE-2024-34088[0]:
> | In FRRouting (FRR) through 9.1, it is possible for the get_edge()
> | function in ospf_te.c in the OSPF daemon to return a NULL pointer.
> | In cases where calling functions do not handle the returned NULL
> | value, the OSPF daemon crashes, leading to denial of service.

There are two additional related CVE IDs covered by the same pull
request (https://github.com/FRRouting/frr/pull/15674/):

CVE-2024-31951:
| In the Opaque LSA Extended Link parser in FRRouting (FRR) through
| 9.1, there can be a buffer overflow and daemon crash in
| ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read
| Segment Routing Adjacency SID subTLVs (lengths are not validated).

CVE-2024-31950:
| In FRRouting (FRR) through 9.1, there can be a buffer overflow and
| daemon crash in ospf_te_parse_ri for OSPF LSA packets during an
| attempt to read Segment Routing subTLVs (their size is not validated).

These got merged with the following commits:
https://github.com/FRRouting/frr/commit/f69d1313b19047d3d83fc2b36a518355b861dfc4
https://github.com/FRRouting/frr/commit/5557a289acdaec8cc63ffc97b5c2abf6dee7b3a
https://github.com/FRRouting/frr/commit/8c177d69e32b91b45bda5fc5da6511fa03dc11ca
https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0

Cheers,
Moritz




Bug#1072124: gnome-shell: CVE-2024-36472

2024-05-28 Thread Moritz Mühlenhoff
Source: gnome-shell
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for gnome-shell.

CVE-2024-36472[0]:
| In GNOME Shell through 45.7, a portal helper can be launched
| automatically (without user confirmation) based on network responses
| provided by an adversary (e.g., an adversary who controls the local
| Wi-Fi network), and subsequently loads untrusted JavaScript code,
| which may lead to resource consumption or other impacts depending on
| the JavaScript code's behavior.

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36472
https://www.cve.org/CVERecord?id=CVE-2024-36472

Please adjust the affected versions in the BTS as needed.



Bug#1072123: jayway-jsonpath: CVE-2023-51074

2024-05-28 Thread Moritz Mühlenhoff
Source: jayway-jsonpath
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jayway-jsonpath.

CVE-2023-51074[0]:
| json-path v2.8.0 was discovered to contain a stack overflow via the
| Criteria.parse() method.

https://github.com/json-path/JsonPath/issues/973
https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b (json-path-2.9.0)
https://github.com/json-path/JsonPath/pull/985


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51074
https://www.cve.org/CVERecord?id=CVE-2023-51074

Please adjust the affected versions in the BTS as needed.



Bug#1072121: node-ip: CVE-2024-29415

2024-05-28 Thread Moritz Mühlenhoff
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.
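Both the Net::IPV4Addr report (CVE-2021-47155, above) and this node-ip entry come down to the same defect: a parser that accepts non-canonical spellings of an address and then classifies the result, so an access check or SSRF filter is bypassed by a spelling it did not anticipate. As an added example that is not code from either project, the following Python fails closed on exactly those spellings using the standard-library `ipaddress` module; the sample inputs are the ones quoted in the CVE text plus a few canonical ones, and `11.22.33.44` is a constructed globally routable sample.

```python
import ipaddress

# Constructed sample inputs: the non-canonical spellings quoted in the
# CVE-2024-29415 description, plus a few canonical addresses for contrast.
SAMPLES = [
    "127.1",             # shorthand; inet_aton-style parsers read it as 127.0.0.1
    "01200034567",       # a bare number, not a dotted quad
    "012.1.2.3",         # leading zero: octal to some parsers, decimal to others
    "000:0:::01",        # malformed IPv6
    "::fFFf:127.0.0.1",  # IPv4-mapped IPv6 carrying the loopback address
    "127.0.0.1",
    "10.0.0.5",
    "11.22.33.44",       # constructed, globally routable sample
]


def parse_strict(text):
    """Parse only a canonical dotted-quad or RFC 4291 IPv6 literal.

    Returns an ipaddress object, or None for anything ambiguous. Leading
    zeros in IPv4 octets are rejected explicitly because older versions of
    ipaddress accepted them (and other libraries read them as octal).
    """
    text = text.strip()
    if "." in text and ":" not in text:
        octets = text.split(".")
        if len(octets) != 4:
            return None
        for o in octets:
            if not o.isdigit() or (len(o) > 1 and o[0] == "0"):
                return None
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    # Unwrap ::ffff:a.b.c.d so it is classified as the IPv4 address it carries.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def classify(text):
    """Label an address as invalid / loopback / private / public / reserved."""
    addr = parse_strict(text)
    if addr is None:
        return "invalid"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "reserved"


def is_public(text):
    """Fail closed: only a canonical, globally routable address counts as public."""
    return classify(text) == "public"


def audit(samples=SAMPLES):
    """Map every sample to its label; useful for eyeballing a parser's behaviour."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for sample, label in audit().items():
        print(f"{sample!r:22} -> {label}")
```

Two points carry over to any language: unparsable input must classify as not-public rather than as public, and an IPv4-mapped IPv6 literal must be judged as the IPv4 address it wraps, otherwise `::ffff:127.0.0.1` slips past a loopback check.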



Bug#1072120: zabbix: CVE-2024-22120

2024-05-28 Thread Moritz Mühlenhoff
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for zabbix.

CVE-2024-22120[0]:
| Zabbix server can perform command execution for configured scripts.
| After a command is executed, an audit entry is added to the "Audit Log".
| Because the "clientip" field is not sanitized, it is possible to inject
| SQL into "clientip" and exploit a time-based blind SQL injection.

https://support.zabbix.com/browse/ZBX-24505


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22120
https://www.cve.org/CVERecord?id=CVE-2024-22120

Please adjust the affected versions in the BTS as needed.



Bug#1072119: python-aiosmtpd: CVE-2024-34083

2024-05-28 Thread Moritz Mühlenhoff
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.

https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
https://www.cve.org/CVERecord?id=CVE-2024-34083

Please adjust the affected versions in the BTS as needed.
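The CVE text describes the classic STARTTLS boundary bug: bytes that were already read into the server's plaintext buffer when STARTTLS is processed get parsed as if they had arrived over the encrypted channel. As an added example (not aiosmtpd's code), the following minimal line reader models that boundary with a flag that switches between the vulnerable behaviour (keep the leftover buffer) and the corrected one (discard it at the upgrade). The transcript bytes and addresses are constructed; the "TLS handshake" is a stand-in flag, since the point is buffer handling, not TLS itself.

```python
class SmtpCommandReader:
    """Line reader for an SMTP session, modelling the boundary at STARTTLS.

    The server reads bytes into a plaintext buffer and splits them into
    commands. When STARTTLS is processed the connection is upgraded; anything
    still sitting in the plaintext buffer at that moment was NOT protected by
    TLS and must be discarded, not parsed as if it arrived encrypted.
    """

    def __init__(self, discard_plaintext_on_starttls=True):
        self.discard = discard_plaintext_on_starttls
        self.buf = b""
        self.tls = False
        # (command, received_over_tls) in the order the server acted on them
        self.log = []

    def feed(self, data):
        """Feed raw bytes from the socket and process every complete line."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace").strip()
            self.log.append((cmd, self.tls))
            if cmd.upper() == "STARTTLS" and not self.tls:
                self.tls = True  # stand-in for the TLS handshake
                if self.discard:
                    # The fix: bytes read before the handshake can never be
                    # treated as coming from inside the encrypted channel.
                    self.buf = b""
        return list(self.log)

    def commands_over_tls(self):
        """Commands the server believed were protected by TLS."""
        return [cmd for cmd, tls in self.log if tls]


# Constructed transcript: a legitimate EHLO and STARTTLS, with an extra
# command appended in the same plaintext write (what an on-path party could
# add before the handshake happens).
PIPELINED = b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<injected@attacker.example>\r\n"
AFTER_TLS = b"MAIL FROM:<real@client.example>\r\n"


def run(discard):
    """Replay the constructed transcript and report what ran 'inside' TLS."""
    reader = SmtpCommandReader(discard_plaintext_on_starttls=discard)
    reader.feed(PIPELINED)
    reader.feed(AFTER_TLS)  # what the client really sends once TLS is up
    return reader.commands_over_tls()


if __name__ == "__main__":
    print("vulnerable:", run(discard=False))
    print("fixed:     ", run(discard=True))
```

A real server should additionally refuse to upgrade if the STARTTLS line was not the last thing in the buffer (RFC 3207 requires the client to send nothing after STARTTLS until the handshake completes); discarding the remainder is the minimum, rejecting the session is stricter.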



Bug#1072118: liboqs: CVE-2024-31510

2024-05-28 Thread Moritz Mühlenhoff
Source: liboqs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for liboqs.

CVE-2024-31510[0]:
| An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker
| to escalate privileges via the crypto_sign_signature parameter in
| the /pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c
| component.

https://github.com/liang-junkai/Fault-injection-of-ML-DSA seems to
be the only reference, might need to get reported upstream as well.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31510
https://www.cve.org/CVERecord?id=CVE-2024-31510

Please adjust the affected versions in the BTS as needed.



Bug#1071628: python-pymysql: CVE-2024-36039

2024-05-28 Thread Moritz Muehlenhoff
On Tue, May 28, 2024 at 09:06:51AM +0200, Thomas Goirand wrote:
> On 5/22/24 17:08, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for python-pymysql.
> > 
> > We should also fix this in a DSA, could you prepare debdiffs for
> > bookworm-security and bullseye-security?
> > 
> > CVE-2024-36039[0]:
> > | PyMySQL through 1.1.0 allows SQL injection if used with untrusted
> > | JSON input because keys are not escaped by escape_dict.
> > 
> > https://github.com/advisories/GHSA-v9hf-5j83-6xpp
> > https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
> >  (v1.1.1)
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-36039
> >  https://www.cve.org/CVERecord?id=CVE-2024-36039
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Please find attached to this message, the fixes I would like to upload to
> bullseye and bookworm. Please allow these uploads.
> 
> Note that I have uploaded latest upstream version 1.1.1-1 to unstable, that
> includes the patch in these debdiffs.

Thanks! These look fine, please build both with -sa and upload to
security-master.

Cheers,
Moritz
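The CVE quoted in this thread is about dictionary keys from untrusted JSON reaching a SQL statement unescaped. Column and table names cannot be bound as driver parameters, so escaping is the wrong tool for them anyway: they have to be validated against an allowlist. As an added example (not PyMySQL's code and not the debdiff discussed here), the following builds a parameterised INSERT from an untrusted dict, rejecting any key that is not a known column, and runs it against an in-memory SQLite table so it can be exercised offline. The schema, `USERS_COLUMNS` and `SAMPLE_ROWS` are constructed; the `placeholder` argument exists because PyMySQL uses `%s` while `sqlite3` uses `?`.

```python
import re
import sqlite3

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed schema: the only columns an untrusted JSON document may set.
USERS_COLUMNS = ("name", "email")


def build_insert(table, row, allowed_columns, placeholder="%s"):
    """Build a parameterised INSERT from a dict whose keys are untrusted.

    Column names cannot be bound as parameters, so they are checked against
    an allowlist and must look like plain identifiers before being quoted.
    Values are never interpolated; they go to the driver as parameters.
    """
    if not IDENT.fullmatch(table):
        raise ValueError(f"bad table name: {table!r}")
    if not row:
        raise ValueError("empty row")
    cols, params = [], []
    for key, value in row.items():
        if key not in allowed_columns or not IDENT.fullmatch(key):
            raise ValueError(f"unknown column: {key!r}")
        cols.append(f"`{key}`")
        params.append(value)
    sql = (f"INSERT INTO `{table}` ({', '.join(cols)}) "
           f"VALUES ({', '.join([placeholder] * len(params))})")
    return sql, params


def accepts(row, allowed_columns=USERS_COLUMNS):
    """True if build_insert would accept every key of the row."""
    try:
        build_insert("users", row, allowed_columns)
        return True
    except ValueError:
        return False


def insert_rows(rows):
    """Apply build_insert to untrusted rows against an in-memory SQLite table.

    Returns (rows_in_table, rejection_messages).
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    rejected = []
    for row in rows:
        try:
            sql, params = build_insert("users", row, USERS_COLUMNS, placeholder="?")
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        con.execute(sql, params)
    con.commit()
    count = con.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    con.close()
    return count, rejected


# Constructed input: one honest record and one whose *key* carries SQL.
SAMPLE_ROWS = [
    {"name": "Alice", "email": "alice@company.example.com"},
    {"name`) VALUES ('x'); DROP TABLE users; --": "ignored", "email": "x"},
]

if __name__ == "__main__":
    print(insert_rows(SAMPLE_ROWS))
```

The allowlist check is what matters; the identifier regex is a second line of defence so that a typo in the allowlist (a column name with a quote in it) cannot reopen the hole.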



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Muehlenhoff
On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for clojure.
> > 
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> > 
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> > https://www.cve.org/CVERecord?id=CVE-2024-22871
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
> 
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?

The CVE descriptions are often bogus, see the upstream advisory I listed:
| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
Moritz



Bug#1071751: iperf3: CVE-2024-26306

2024-05-24 Thread Moritz Mühlenhoff
Source: iperf3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for iperf3.

CVE-2024-26306[0]:
| iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server
| with RSA authentication, allows a timing side channel in RSA
| decryption operations. This side channel could be sufficient for an
| attacker to recover credential plaintext. It requires the attacker
| to send a large number of messages for decryption, as described in
| "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc
https://github.com/esnet/iperf/releases/tag/3.17


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26306
https://www.cve.org/CVERecord?id=CVE-2024-26306

Please adjust the affected versions in the BTS as needed.



Bug#1071750: dnsdist: CVE-2024-25581

2024-05-24 Thread Moritz Mühlenhoff
Source: dnsdist
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for dnsdist.

CVE-2024-25581[0]:
| When incoming DNS over HTTPS support is enabled using the nghttp2
| provider, and queries are routed to a tcp-only or DNS over TLS
| backend, an attacker can trigger an assertion failure in DNSdist by
| sending a request for a zone transfer (AXFR or IXFR) over DNS over
| HTTPS, causing the process to stop and thus leading to a Denial of
| Service. DNS over HTTPS is not enabled by default, and backends are
| using plain DNS (Do53) by default.

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html
Patches: https://downloads.powerdns.com/patches/2024-03/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25581
https://www.cve.org/CVERecord?id=CVE-2024-25581

Please adjust the affected versions in the BTS as needed.



Bug#1071748: bpftrace: CVE-2024-2313

2024-05-24 Thread Moritz Mühlenhoff
Source: bpftrace
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bpftrace.

CVE-2024-2313[0]:
| If kernel headers need to be extracted, bpftrace will attempt to
| load them from a temporary directory. An unprivileged attacker could
| use this to force bcc to load compromised linux headers. Linux
| distributions which provide kernel headers by default are not
| affected by default.

https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2313
https://www.cve.org/CVERecord?id=CVE-2024-2313

Please adjust the affected versions in the BTS as needed.



Bug#1071747: bpfcc: CVE-2024-2314

2024-05-24 Thread Moritz Mühlenhoff
Source: bpfcc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bpfcc.

CVE-2024-2314[0]:
| If kernel headers need to be extracted, bcc will attempt to load
| them from a temporary directory. An unprivileged attacker could use
| this to force bcc to load compromised linux headers. Linux
| distributions which provide kernel headers by default are not
| affected by default.

Fixed by: https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342 (v0.30.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2314
https://www.cve.org/CVERecord?id=CVE-2024-2314

Please adjust the affected versions in the BTS as needed.



Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Mühlenhoff
Source: clojure
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for clojure.

CVE-2024-22871[0]:
| An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
| attacker to cause a denial of service (DoS) via the
| clojure.core$partial$fn__5920 function.

https://github.com/advisories/GHSA-vr64-r9qj-h27f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22871
https://www.cve.org/CVERecord?id=CVE-2024-22871

Please adjust the affected versions in the BTS as needed.



Bug#1071745: docker.io: CVE-2024-24557

2024-05-24 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-24557[0]:
| Moby is an open-source project created by Docker to enable software
| containerization. The classic builder cache system is prone to cache
| poisoning if the image is built FROM scratch. Also, changes to some
| instructions (most important being HEALTHCHECK and ONBUILD) would
| not cause a cache miss. An attacker with the knowledge of the
| Dockerfile someone is using could poison their cache by making them
| pull a specially crafted image that would be considered as a valid
| cache candidate for some build steps. 23.0+ users are only affected
| if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0
| environment variable) or are using the /build API endpoint. All
| users on versions older than 23.0 could be impacted. Image build API
| endpoint (/build) and ImageBuild function from
| github.com/docker/docker/client is also affected as it uses the
| classic builder by default. Patches are included in 24.0.9 and
| 25.0.2 releases.

https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24557
https://www.cve.org/CVERecord?id=CVE-2024-24557

Please adjust the affected versions in the BTS as needed.



Bug#1071743: lief: CVE-2024-31636

2024-05-24 Thread Moritz Mühlenhoff
Source: lief
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for lief.

CVE-2024-31636[0]:
| An issue in LIEF v.0.14.1 allows a local attacker to obtain
| sensitive information via the name parameter of the machd_reader.c
| component.

https://github.com/lief-project/LIEF/issues/1038
https://github.com/lief-project/LIEF/commit/307e113f8e00b034f0a5f1baa33e54d636c52ea3


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31636
https://www.cve.org/CVERecord?id=CVE-2024-31636

Please adjust the affected versions in the BTS as needed.



Bug#1071742: cjson: CVE-2024-31755

2024-05-24 Thread Moritz Mühlenhoff
Source: cjson
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for cjson.

CVE-2024-31755[0]:
| cJSON v1.7.17 was discovered to contain a segmentation violation,
| which can trigger through the second parameter of function
| cJSON_SetValuestring at cJSON.c.

https://github.com/DaveGamble/cJSON/issues/839
https://github.com/DaveGamble/cJSON/pull/840
https://github.com/DaveGamble/cJSON/commit/7e4d5dabe7a9b754c601f214e65b544e67ba9f59


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31755
https://www.cve.org/CVERecord?id=CVE-2024-31755

Please adjust the affected versions in the BTS as needed.



Bug#1053004: CVE-2019-10784 and CVE-2023-40619

2024-05-22 Thread Moritz Muehlenhoff
On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> Hi everyone,
> 
> On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff  wrote:
> >
> > Am Wed, Mar 06, 2024 at 06:39:01AM -0300 schrieb Leandro Cunha:
> > > Hi Christoph Berg,
> > >
> > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg  wrote:
> > > >
> > > > Re: Leandro Cunha
> > > > > The
> > > > > next job would be to make it available through backports and I would
> > > > > choose to remove this package from stable. But I would only leave
> > > > > bookworm backports due to other bugs found (this CVEs too) and fixed
> > > > > in 7.14.7.
> > > > > I have to search about the status of backports to oldstable. But I'm
> > > > > also studying the possibility of working with patches for these two
> > > > > versions.
> > > >
> > > > Why would you want to remove it from stable? In closed environments,
> > > > CVEs are often not a problem.
> > > >
> > > > Christoph
> > >
> > > In addition to the CVEs, phppgadmin which is present in stable does
> > > not connect to PostgreSQL 15 and 16 without a patch I inserted in
> > > 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> > > or opening another important bug (I am aware that the bug must have a
> > > severity greater than important)[3] for the stable and submission of
> > > new bug to the release team for approval. That way it would be
> > > released in a future release a version with this issue fixed (if
> > > approved). But CVE-2023-40619 is treated with critical severity and
> > > CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> > > LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> > > (oldoldstable) and of OpenSUSE team also handled both CVEs in
> > > Leap[5][6].
> > > Removing this package in stable will not leave users without them and
> > > we can release it in backports.
> > > I can treat this as a job of ensuring the quality of what is
> > > distributed by Debian.
> >
> > Agreed, if the package is actually broken with the version of PostgreSQL
> > in stable and if there's no sensible backport for the open security issues,
> > then let's rather remove it by the next point release.
> >
> > Cheers,
> > Moritz
> 
> It's the best thing to do, the package with the necessary corrections
> is already present in bookworm-backports and the user just needs to
> run apt install -t bookworm-backports phppgadmin[1][2][3] with
> sponsorship of Christoph Berg (thank you for that) and thanks also to
> the Debian Security Team.

Ack, will you do the removal request? You can do that with
"reportbug release.debian.org" and then selecting the
"rm stable/testing removal requests" option.

Cheers,
Moritz



Bug#1053004: CVE-2019-10784 and CVE-2023-40619

2024-05-22 Thread Moritz Mühlenhoff
Am Wed, Mar 06, 2024 at 06:39:01AM -0300 schrieb Leandro Cunha:
> Hi Christoph Berg,
> 
> On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg  wrote:
> >
> > Re: Leandro Cunha
> > > The
> > > next job would be to make it available through backports and I would
> > > choose to remove this package from stable. But I would only leave
> > > bookworm backports due to other bugs found (this CVEs too) and fixed
> > > in 7.14.7.
> > > I have to search about the status of backports to oldstable. But I'm
> > > also studying the possibility of working with patches for these two
> > > versions.
> >
> > Why would you want to remove it from stable? In closed environments,
> > CVEs are often not a problem.
> >
> > Christoph
> 
> In addition to the CVEs, phppgadmin which is present in stable does
> not connect to PostgreSQL 15 and 16 without a patch I inserted in
> 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> or opening another important bug (I am aware that the bug must have a
> severity greater than important)[3] for the stable and submission of
> new bug to the release team for approval. That way it would be
> released in a future release a version with this issue fixed (if
> approved). But CVE-2023-40619 is treated with critical severity and
> CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> (oldoldstable) and of OpenSUSE team also handled both CVEs in
> Leap[5][6].
> Removing this package in stable will not leave users without them and
> we can release it in backports.
> I can treat this as a job of ensuring the quality of what is
> distributed by Debian.

Agreed, if the package is actually broken with the version of PostgreSQL
in stable and if there's no sensible backport for the open security issues,
then let's rather remove it by the next point release.

Cheers,
Moritz



Bug#1071633: libmodbus: CVE-2024-34244

2024-05-22 Thread Moritz Mühlenhoff
Source: libmodbus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libmodbus.

CVE-2024-34244[0]:
| libmodbus v3.1.10 is vulnerable to Buffer Overflow via the
| modbus_write_bits function. This issue can be triggered when the
| function is fed with specially crafted input, which leads to out-of-
| bounds read and can potentially cause a crash or other unintended
| behaviors.

https://github.com/stephane/libmodbus/issues/743


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34244
https://www.cve.org/CVERecord?id=CVE-2024-34244

Please adjust the affected versions in the BTS as needed.



Bug#1071632: node-braces: CVE-2024-4068

2024-05-22 Thread Moritz Mühlenhoff
Source: node-braces
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-braces.

CVE-2024-4068[0]:
| The NPM package `braces`, versions prior to 3.0.3, fails to limit
| the number of characters it can handle, which could lead to Memory
| Exhaustion. In `lib/parse.js`, if a malicious user sends "imbalanced
| braces" as input, the parsing will enter a loop, which will cause
| the program to start allocating heap memory without freeing it at
| any moment of the loop. Eventually, the JavaScript heap limit is
| reached, and the program will crash.

https://github.com/micromatch/braces/issues/35


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4068
https://www.cve.org/CVERecord?id=CVE-2024-4068

Please adjust the affected versions in the BTS as needed.



Bug#1071631: node-micromatch: CVE-2024-4067

2024-05-22 Thread Moritz Mühlenhoff
Source: node-micromatch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-micromatch.

CVE-2024-4067[0]:
| The NPM package `micromatch` is vulnerable to Regular Expression
| Denial of Service (ReDoS). The vulnerability occurs in
| `micromatch.braces()` in `index.js` because the pattern `.*` will
| greedily match anything. By passing a malicious payload, the pattern
| matching will keep backtracking to the input while it doesn't find
| the closing bracket. As the input size increases, the consumption
| time will also increase until it causes the application to hang or
| slow down. There was a merged fix but further testing shows the
| issue persists. This issue should be mitigated by using a safe
| pattern that won't start backtracking the regular expression due to
| greedy matching.

https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-4067
https://www.cve.org/CVERecord?id=CVE-2024-4067

Please adjust the affected versions in the BTS as needed.



Bug#1071630: maxima: CVE-2024-34490

2024-05-22 Thread Moritz Mühlenhoff
Source: maxima
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for maxima.

CVE-2024-34490[0]:
| In Maxima through 5.47.0 before 51704c, the plotting facilities make
| use of predictable names under /tmp. Thus, the contents may be
| controlled by a local attacker who can create files in advance with
| these names. This affects, for example, plot2d.

https://sourceforge.net/p/maxima/bugs/3755/
https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34490
https://www.cve.org/CVERecord?id=CVE-2024-34490

Please adjust the affected versions in the BTS as needed.
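Both the bpfcc report above (kernel headers loaded from a temporary directory) and this maxima report (predictable names under /tmp) are the same class of bug: a fixed or guessable path in a world-writable directory that another local user can create first. The following is an added illustration, not code from either project, of the defensive pattern: create the working directory with an unpredictable name and mode 0700, and before trusting any path, verify (without following symlinks) that it is a directory owned by the current user and not writable by group or others. The function names and the "hdrs-" prefix are assumptions made for the example.

```python
import os
import stat
import tempfile


def is_private_dir(path: str) -> bool:
    """True only if `path` is an existing directory, not a symlink, owned by
    the effective user, and not writable by group or others."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted by someone else
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def create_private_workdir(prefix: str = "hdrs-") -> str:
    """Create a fresh mode-0700 directory with a random suffix under the
    system temp dir and re-verify it before handing the path back."""
    path = tempfile.mkdtemp(prefix=prefix)  # atomic create, random name, 0700
    if not is_private_dir(path):
        raise RuntimeError(f"refusing to use {path}: not a private directory")
    return path


def safe_to_reuse(fixed_path: str) -> bool:
    """For a fixed, predictable name (the pattern in both CVEs): reuse it only
    if it already passes the ownership and permission checks. A pre-existing
    entry owned by another user, or a symlink, means the name was squatted."""
    return is_private_dir(fixed_path)


def run_demo() -> dict:
    """Exercise the checks against constructed scenarios and return the
    verdict for each; used as the example's self-test."""
    results = {}
    workdir = create_private_workdir()
    try:
        results["fresh_dir"] = is_private_dir(workdir)

        # Scenario: the directory was loosened to world-writable.
        os.chmod(workdir, 0o777)
        results["world_writable"] = is_private_dir(workdir)
        os.chmod(workdir, 0o700)

        # Scenario: the expected name exists but is a plain file.
        regular_file = os.path.join(workdir, "headers")
        with open(regular_file, "w"):
            pass
        results["regular_file"] = safe_to_reuse(regular_file)

        # Scenario: the expected name is a symlink to somewhere else.
        link = os.path.join(workdir, "link")
        os.symlink(workdir, link)
        results["symlink"] = safe_to_reuse(link)

        # Scenario: the name does not exist yet.
        results["missing"] = safe_to_reuse(os.path.join(workdir, "missing"))
    finally:
        for name in ("headers", "link"):
            p = os.path.join(workdir, name)
            if os.path.lexists(p):
                os.unlink(p)
        os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print(run_demo())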




Bug#1071628: python-pymysql: CVE-2024-36039

2024-05-22 Thread Moritz Mühlenhoff
Source: python-pymysql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-pymysql.

We should also fix this in a DSA, could you prepare debdiffs for
bookworm-security and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.
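The CVE text above describes the root cause: a dict-to-SQL helper that escapes the values but splices the keys into the statement as-is, so an untrusted JSON object can contribute a column name. The block below is an added example written for this report, not PyMySQL's own code, of how a defender-side builder treats keys: column and table names are validated against a strict identifier allowlist and quoted MySQL-style, values go through placeholders, and anything else is rejected rather than escaped. The 64-character limit mirrors MySQL's identifier length; the function names are assumptions for the example.

```python
import re

# Allowlist for identifiers: leading letter or underscore, then letters, digits,
# underscores, at most 64 characters (MySQL's identifier limit).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier, refusing anything outside the
    allowlist instead of trying to escape it."""
    if not isinstance(name, str) or not IDENT_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return f"`{name}`"


def untrusted_keys(row: dict) -> list:
    """Report which keys of a (possibly JSON-derived) dict would never be
    accepted as column names. Useful as a pre-check or for logging."""
    return [k for k in row if not (isinstance(k, str) and IDENT_RE.match(k))]


def build_insert(table: str, row: dict) -> tuple:
    """Build a parameterised INSERT from a dict: keys become quoted, validated
    column names, values are returned separately for the driver to bind."""
    if not row:
        raise ValueError("empty row")
    cols = [quote_identifier(k) for k in row]
    placeholders = ", ".join(["%s"] * len(cols))
    sql = (
        f"INSERT INTO {quote_identifier(table)} "
        f"({', '.join(cols)}) VALUES ({placeholders})"
    )
    return sql, tuple(row.values())


if __name__ == "__main__":
    # Constructed sample input standing in for a decoded JSON document.
    sample = {"name": "alice", "age": 30}
    print(build_insert("users", sample))
    print(untrusted_keys({"ok": 1, "bad key": 2, "x`y": 3}))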



Bug#1071626: ruby3.1: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.1
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby3.1.

CVE-2024-35176[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
| denial of service vulnerability when it parses an XML that has many
| `<`s in an attribute value. Those who need to parse untrusted XMLs
| may be impacted to this vulnerability. The REXML gem 3.2.7 or later
| include the patch to fix this vulnerability. As a workaround, don't
| parse untrusted XMLs.

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35176
https://www.cve.org/CVERecord?id=CVE-2024-35176

Please adjust the affected versions in the BTS as needed.



Bug#1071627: ruby3.2: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby3.2.

CVE-2024-35176[0]:
| REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
| denial of service vulnerability when it parses an XML that has many
| `<`s in an attribute value. Those who need to parse untrusted XMLs
| may be impacted to this vulnerability. The REXML gem 3.2.7 or later
| include the patch to fix this vulnerability. As a workaround, don't
| parse untrusted XMLs.

https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35176
https://www.cve.org/CVERecord?id=CVE-2024-35176

Please adjust the affected versions in the BTS as needed.



Bug#1071127: Mark slurm-wlm as EOLed in Bullseye

2024-05-14 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: gennaro.ol...@gmail.com

Security support for slurm-wlm in Bullseye is EOLed, the recent
changes were too intrusive to meaningfully backport.



Bug#1070860: musescore3: CVE-2023-44428

2024-05-12 Thread Moritz Mühlenhoff
Am Fri, May 10, 2024 at 06:39:20PM + schrieb Thorsten Glaser:
> This is a bit like the limited security support for binutils,
> I suppose. Could/should we document that in the same places?

Sure thing, this sounds similar to what was done for Lilypond,
best to simply ship a similar README.Debian.security within
the lilypond2 and lilypond3 packages.

Cheers,
Moritz



Bug#1070861: hdf5: CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874 CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622 CVE-2024-32621 CVE-2024-32620 CVE-2024-32619 CVE-2024-32618 C

2024-05-10 Thread Moritz Mühlenhoff
Source: hdf5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for hdf5:
https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/

CVE-2024-33877[0]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5T__conv_struct_opt in H5Tconv.c.


CVE-2024-33876[1]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5S__point_deserialize in H5Spoint.c.


CVE-2024-33875[2]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5O__layout_encode in H5Olayout.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-33874[3]:
| HDF5 Library through 1.14.3 has a heap buffer overflow in
| H5O__mtime_new_encode in H5Omtime.c.


CVE-2024-33873[4]:
| HDF5 Library through 1.14.3 has a heap-based buffer overflow in
| H5D__scatter_mem in H5Dscatgath.c.


CVE-2024-32624[5]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__ref_mem_setnull in H5Tref.c (called from H5T__conv_ref in
| H5Tconv.c), resulting in the corruption of the instruction pointer.


CVE-2024-32623[6]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5VM_array_fill in H5VM.c (called from H5S_select_elements in
| H5Spoint.c).


CVE-2024-32622[7]:
| HDF5 Library through 1.14.3 contains a out-of-bounds read operation
| in H5FL_arr_malloc in H5FL.c (called from H5S_set_extent_simple in
| H5S.c).


CVE-2024-32621[8]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5HG_read in H5HG.c (called from H5VL__native_blob_get in
| H5VLnative_blob.c), resulting in the corruption of the instruction
| pointer.


CVE-2024-32620[9]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5F_addr_decode_len in H5Fint.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32619[10]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T_copy_reopen in H5T.c, resulting in the corruption of the
| instruction pointer.


CVE-2024-32618[11]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5T__get_native_type in H5Tnative.c, resulting in the corruption of
| the instruction pointer.


CVE-2024-32617[12]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| caused by the unsafe use of strdup in H5MM_xstrdup in H5MM.c (called
| from H5G__ent_to_link in H5Glink.c).


CVE-2024-32616[13]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5O__dtype_encode_helper in H5Odtype.c.


CVE-2024-32615[14]:
| HDF5 Library through 1.14.3 contains a heap-based buffer overflow in
| H5Z__nbit_decompress_one_byte in H5Znbit.c, caused by the earlier
| use of an initialized pointer.


CVE-2024-32614[15]:
| HDF5 Library through 1.14.3 has a SEGV in H5VM_memcpyvv in H5VM.c.


CVE-2024-32613[16]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in the function H5HL__fl_deserialize in H5HLcache.c, a different
| vulnerability than CVE-2024-32612.


CVE-2024-32612[17]:
| HDF5 Library through 1.14.3 contains a heap-based buffer over-read
| in H5HL__fl_deserialize in H5HLcache.c, resulting in the corruption
| of the instruction pointer, a different vulnerability than
| CVE-2024-32613.


CVE-2024-32611[18]:
| HDF5 Library through 1.14.3 may use an uninitialized value in
| H5A__attr_release_table in H5Aint.c.


CVE-2024-32610[19]:
| HDF5 Library through 1.14.3 has a SEGV in H5T_close_real in H5T.c,
| resulting in a corrupted instruction pointer.


CVE-2024-32609[20]:
| HDF5 Library through 1.14.3 allows stack consumption in the function
| H5E_printf_stack in H5Eint.c.


CVE-2024-32607[21]:
| HDF5 Library through 1.14.3 has a SEGV in H5A__close in H5Aint.c,
| resulting in the corruption of the instruction pointer.


CVE-2024-32606[22]:
| HDF5 Library through 1.14.3 may attempt to dereference uninitialized
| values in h5tools_str_sprint in tools/lib/h5tools_str.c (called from
| h5tools_dump_simple_data in tools/lib/h5tools_dump.c).


CVE-2024-32605[23]:
| HDF5 Library through 1.14.3 has a heap-based buffer over-read in
| H5VM_memcpyvv in H5VM.c (called from H5D__compact_readvv in
| H5Dcompact.c).


CVE-2024-29166[24]:
| HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode,
| resulting in the corruption of the instruction pointer and causing
| denial of service or potential code execution.


CVE-2024-29165[25]:
| HDF5 through 1.14.3 contains a buffer overflow in
| H5Z__filter_fletcher32, resulting in the corruption of the
| instruction pointer and causing denial of service or potential code
| execution.


CVE-2024-29164[26]:
| HDF5 through 1.14.3 contains a stack buffer overflow in
| H5R__decode_heap, resulting in the corruption of the instruction
| pointer and causing denial of service or potential code execution.


CVE-2024-29163[27]:
| HDF5 through 1.14.3 contains a heap buffer overflow in
| H5T__bit_find, resulting in the corruption of 

Bug#1070860: musescore3: CVE-2023-44428

2024-05-10 Thread Moritz Mühlenhoff
Source: musescore3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for musescore3.

CVE-2023-44428[0]:
| MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code
| Execution Vulnerability. This vulnerability allows remote attackers
| to execute arbitrary code on affected installations of MuseScore.
| User interaction is required to exploit this vulnerability in that
| the target must visit a malicious page or open a malicious file.
| The specific flaw exists within the parsing of CAP files. The issue
| results from the lack of proper validation of the length of user-
| supplied data prior to copying it to a heap-based buffer. An
| attacker can leverage this vulnerability to execute code in the
| context of the current process. Was ZDI-CAN-20769.

Unfortunately details are sparse, the only reference is
https://www.zerodayinitiative.com/advisories/ZDI-23-1526/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44428
https://www.cve.org/CVERecord?id=CVE-2023-44428

Please adjust the affected versions in the BTS as needed.



Bug#1070859: npgsql: CVE-2024-32655

2024-05-10 Thread Moritz Mühlenhoff
Source: npgsql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for npgsql.

CVE-2024-32655[0]:
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()`
| method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs`
| uses `int` variables to store the message length and the sum of
| parameter lengths. Both variables overflow when the sum of parameter
| lengths becomes too large. This causes Npgsql to write a message
| size that is too small when constructing a Postgres protocol message
| to send it over the network to the database. When parsing the
| message, the database will only read a small number of bytes and
| treat any following bytes as new messages while they belong to the
| old message. Attackers can abuse this to inject arbitrary Postgres
| protocol messages into the connection, leading to the execution of
| arbitrary SQL statements on the application's behalf. This
| vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and
| 8.0.3.

https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32655
https://www.cve.org/CVERecord?id=CVE-2024-32655

Please adjust the affected versions in the BTS as needed.
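The CVE text above is a length-field overflow in a framed protocol: the sender sums parameter lengths into a 32-bit int, the sum wraps, and the receiver, which trusts the header, reads fewer bytes than were sent and treats the rest as fresh messages. The following is an added example written for this report, not Npgsql's code, in a simplified Bind-like frame (type byte, int32 length that counts itself, int16 parameter count, then int32-length-prefixed parameters; the real Postgres Bind message carries more fields). The lengths are bounded against int32 before any byte is written, and the decoder walks frames strictly by declared length so a mismatch is reported rather than silently resynchronised. Function names are assumptions for the example.

```python
import struct

INT32_MAX = 2**31 - 1


def bind_length(param_lengths: list) -> int:
    """Compute the int32 length field for a Bind-like message from the
    parameter sizes, refusing any total that would not fit in int32.
    Checking as the sum grows is what prevents the wrap-around."""
    total = 4 + 2  # length field itself + int16 parameter count
    for n in param_lengths:
        if n < 0:
            raise ValueError("negative parameter length")
        total += 4 + n  # per-parameter int32 length prefix + payload
        if total > INT32_MAX:
            raise OverflowError("message too large for int32 length field")
    return total


def encode_bind(params: list) -> bytes:
    """Serialise a Bind-like frame: b'B', int32 length, int16 count, then
    (int32 len, bytes) per parameter. The header is computed first with
    bind_length, so an oversized message never reaches the wire."""
    length = bind_length([len(p) for p in params])
    out = bytearray(b"B")
    out += struct.pack(">i", length)
    out += struct.pack(">h", len(params))
    for p in params:
        out += struct.pack(">i", len(p))
        out += p
    return bytes(out)


def split_frames(buf: bytes) -> list:
    """Walk a byte stream the way a receiver does: each frame is consumed
    to exactly the length its header declares. Any header that does not
    line up with the buffer raises instead of being reinterpreted."""
    frames = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 5:
            raise ValueError("truncated frame header")
        mtype = buf[pos:pos + 1]
        (length,) = struct.unpack(">i", buf[pos + 1:pos + 5])
        if length < 4 or pos + 1 + length > len(buf):
            raise ValueError("frame length out of range")
        frames.append((mtype, buf[pos + 5:pos + 1 + length]))
        pos += 1 + length
    return frames


def decode_params(payload: bytes) -> list:
    """Parse the parameter list of one Bind-like payload, checking that the
    declared count and per-parameter lengths account for every byte."""
    (count,) = struct.unpack(">h", payload[:2])
    pos = 2
    params = []
    for _ in range(count):
        (n,) = struct.unpack(">i", payload[pos:pos + 4])
        pos += 4
        if n < 0 or pos + n > len(payload):
            raise ValueError("parameter length out of range")
        params.append(payload[pos:pos + n])
        pos += n
    if pos != len(payload):
        raise ValueError("trailing bytes after last parameter")
    return params


if __name__ == "__main__":
    # Constructed sample parameters.
    frame = encode_bind([b"abc", b"hello"])
    for mtype, payload in split_frames(frame):
        print(mtype, decode_params(payload))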



Bug#1070858: golang-github-opencontainers-go-digest: CVE-2024-3727

2024-05-10 Thread Moritz Mühlenhoff
Source: golang-github-opencontainers-go-digest
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for 
golang-github-opencontainers-go-digest.

CVE-2024-3727[0]:
| A flaw was found in the github.com/containers/image library. This
| flaw allows attackers to trigger unexpected authenticated registry
| accesses on behalf of a victim user, causing resource exhaustion,
| local path traversal, and other attacks.

Details are a little sparse, the only reference is
https://bugzilla.redhat.com/show_bug.cgi?id=2274767 at this point.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3727
https://www.cve.org/CVERecord?id=CVE-2024-3727

Please adjust the affected versions in the BTS as needed.



Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606

2024-05-04 Thread Moritz Mühlenhoff
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2023-40533[0]:
| An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1
| while parsing HTTP requests. In certain configurations, a specially
| crafted HTTP request can result in disclosure of data allocated on
| the heap, which could contain sensitive information. An attacker can
| make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

CVE-2023-49606[1]:
| A use-after-free vulnerability exists in the HTTP Connection Headers
| parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially
| crafted HTTP header can trigger reuse of previously freed memory,
| which leads to memory corruption and could lead to remote code
| execution. An attacker needs to make an unauthenticated HTTP request
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40533
https://www.cve.org/CVERecord?id=CVE-2023-40533
[1] https://security-tracker.debian.org/tracker/CVE-2023-49606
https://www.cve.org/CVERecord?id=CVE-2023-49606

Please adjust the affected versions in the BTS as needed.



Bug#1070394: libstb: CVE-2023-47212

2024-05-04 Thread Moritz Mühlenhoff
Source: libstb
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libstb.

CVE-2023-47212[0]:
| A heap-based buffer overflow vulnerability exists in the comment
| functionality of stb _vorbis.c v1.22. A specially crafted .ogg file
| can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47212
https://www.cve.org/CVERecord?id=CVE-2023-47212

Please adjust the affected versions in the BTS as needed.



Bug#1070392: exiv2: CVE-2024-24826 CVE-2024-25112

2024-05-04 Thread Moritz Mühlenhoff
Source: exiv2
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for exiv2.

The advisories are a little misleading, they mention it as
new in v0.28.0, but that only applies to the "main" branch,
where it was removed and later reintroduced.

The 0.27-maintenance branch _does_ include the Quicktime decoder.

CVE-2024-24826[0]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. An
| out-of-bounds read was found in Exiv2 version v0.28.1. The
| vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in
| v0.28.0, so Exiv2 versions before v0.28 are _not_ affected. The out-
| of-bounds read is triggered when Exiv2 is used to read the metadata
| of a crafted video file. In most cases this out of bounds read will
| result in a crash. This bug is fixed in version v0.28.2. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w
https://github.com/Exiv2/exiv2/pull/2337

CVE-2024-25112[1]:
| Exiv2 is a command-line utility and C++ library for reading,
| writing, deleting, and modifying the metadata of image files. A
| denial-of-service was found in Exiv2 version v0.28.1: an unbounded
| recursion can cause Exiv2 to crash by exhausting the stack. The
| vulnerable function, `QuickTimeVideo::multipleEntriesDecoder`, was
| new in v0.28.0, so Exiv2 versions before v0.28 are _not_ affected.
| The denial-of-service is triggered when Exiv2 is used to read the
| metadata of a crafted video file. This bug is fixed in version
| v0.28.2. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36
Fixed by: https://github.com/Exiv2/exiv2/commit/355afea485550e8214ac6b449fb210a7efb71365 (v0.28.2)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24826
https://www.cve.org/CVERecord?id=CVE-2024-24826
[1] https://security-tracker.debian.org/tracker/CVE-2024-25112
https://www.cve.org/CVERecord?id=CVE-2024-25112

Please adjust the affected versions in the BTS as needed.



Bug#1070393: gobgp: CVE-2023-46565

2024-05-04 Thread Moritz Mühlenhoff
Source: gobgp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gobgp.

CVE-2023-46565[0]:
| Buffer Overflow vulnerability in osrg gobgp commit
| 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to
| cause a denial of service via the handlingError function in
| pkg/server/fsm.go.

https://github.com/osrg/gobgp/issues/2725


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46565
https://www.cve.org/CVERecord?id=CVE-2023-46565

Please adjust the affected versions in the BTS as needed.



Bug#1070390: opendmarc: CVE-2024-25768

2024-05-04 Thread Moritz Mühlenhoff
Source: opendmarc
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for opendmarc. It's unclear
whether this is actually a security issue, it doesn't appear to have
been reported upstream...

CVE-2024-25768[0]:
| OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in
| /OpenDMARC/libopendmarc/opendmarc_policy.c.

https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25768
https://www.cve.org/CVERecord?id=CVE-2024-25768

Please adjust the affected versions in the BTS as needed.



Bug#1070388: jupyterhub: CVE-2024-28233

2024-05-04 Thread Moritz Mühlenhoff
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.



Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391

2024-05-04 Thread Moritz Mühlenhoff
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm.

These are fixed in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.



Bug#1070384: llvm-toolchain-14: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-14
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-14.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070383: llvm-toolchain-15: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-15
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-15.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070382: llvm-toolchain-16: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-16
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-16.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070381: llvm-toolchain-17: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-17
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-17.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070380: llvm-toolchain-18: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-18
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for llvm-toolchain-18.

CVE-2024-31852[0]:
| LLVM before 18.1.3 generates code in which the LR register can be
| overwritten without data being saved to the stack, and thus there
| can sometimes be an exploitable error in the flow of control. This
| affects the ARM backend and can be demonstrated with Clang. NOTE:
| the vendor perspective is "we don't have strong objections for a CVE
| to be created ... It does seem that the likelihood of this
| miscompile enabling an exploit remains very low, because the
| miscompile resulting in this JOP gadget is such that the function is
| most likely to crash on most valid inputs to the function. So, if
| this function is covered by any testing, the miscompile is most
| likely to be discovered before the binary is shipped to production."

https://github.com/llvm/llvm-project/issues/80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31852
https://www.cve.org/CVERecord?id=CVE-2024-31852

Please adjust the affected versions in the BTS as needed.



Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584

2024-05-04 Thread Moritz Mühlenhoff
Source: pytorch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for pytorch.

CVE-2024-31580[0]:
| PyTorch before v2.2.0 was discovered to contain a heap buffer
| overflow vulnerability in the component
| /runtime/vararg_functions.cpp. This vulnerability allows attackers
| to cause a Denial of Service (DoS) via a crafted input.

https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81

CVE-2024-31583[1]:
| Pytorch before version v2.2.0 was discovered to contain a use-after-
| free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2

CVE-2024-31584[2]:
| Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via
| the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31580
https://www.cve.org/CVERecord?id=CVE-2024-31580
[1] https://security-tracker.debian.org/tracker/CVE-2024-31583
https://www.cve.org/CVERecord?id=CVE-2024-31583
[2] https://security-tracker.debian.org/tracker/CVE-2024-31584
https://www.cve.org/CVERecord?id=CVE-2024-31584

Please adjust the affected versions in the BTS as needed.



Bug#1070378: docker.io: CVE-2024-32473

2024-05-04 Thread Moritz Mühlenhoff
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2024-32473[0]:
| Moby is an open source container framework that is a key component
| of Docker Engine, Docker Desktop, and other distributions of
| container tooling or runtimes. In 26.0.0, IPv6 is not disabled on
| network interfaces, including those belonging to networks where
| `--ipv6=false`. An container with an `ipvlan` or `macvlan` interface
| will normally be configured to share an external network link with
| the host machine. Because of this direct access, (1) Containers may
| be able to communicate with other hosts on the local network over
| link-local IPv6 addresses, (2) if router advertisements are being
| broadcast over the local network, containers may get SLAAC-assigned
| addresses, and (3) the interface  will be a member of IPv6 multicast
| groups. This means interfaces in IPv4-only networks present an
| unexpectedly and unnecessarily increased attack surface. The issue
| is patched in 26.0.2. To completely disable IPv6 in a container, use
| `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create`
| or `docker run` command. Or, in the service configuration of a
| `compose` file.

https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa

It's not super clear whether this is only fixed in 26.x and old releases
(such as the one in unstable) are not affected, or whether they are; let's
validate and update the Security Tracker accordingly if needed (ideally by
identifying the introducing commit).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32473
https://www.cve.org/CVERecord?id=CVE-2024-32473

Please adjust the affected versions in the BTS as needed.



Bug#1070377: frr: CVE-2024-34088

2024-05-04 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-34088[0]:
| In FRRouting (FRR) through 9.1, it is possible for the get_edge()
| function in ospf_te.c in the OSPF daemon to return a NULL pointer.
| In cases where calling functions do not handle the returned NULL
| value, the OSPF daemon crashes, leading to denial of service.

https://github.com/FRRouting/frr/pull/15674
Introduced by: 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (base_8.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34088
https://www.cve.org/CVERecord?id=CVE-2024-34088

Please adjust the affected versions in the BTS as needed.



Bug#1070376: uriparser: CVE-2024-34402 CVE-2024-34403

2024-05-04 Thread Moritz Mühlenhoff
Source: uriparser
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for uriparser.

CVE-2024-34402[0]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryEngine in UriQuery.c has an integer overflow via long
| keys or values, with a resultant buffer overflow.

https://github.com/uriparser/uriparser/pull/185
https://github.com/uriparser/uriparser/issues/183

CVE-2024-34403[1]:
| An issue was discovered in uriparser through 0.9.7.
| ComposeQueryMallocExMm in UriQuery.c has an integer overflow via a
| long string.

https://github.com/uriparser/uriparser/issues/183
https://github.com/uriparser/uriparser/pull/186


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34402
https://www.cve.org/CVERecord?id=CVE-2024-34402
[1] https://security-tracker.debian.org/tracker/CVE-2024-34403
https://www.cve.org/CVERecord?id=CVE-2024-34403

Please adjust the affected versions in the BTS as needed.



Bug#1070375: python-jose: CVE-2024-33663 CVE-2024-33664

2024-05-04 Thread Moritz Mühlenhoff
Source: python-jose
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-jose.

CVE-2024-33663[0]:
| python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA
| keys and other key formats. This is similar to CVE-2022-29217.

https://github.com/mpdavis/python-jose/issues/346

CVE-2024-33664[1]:
| python-jose through 3.3.0 allows attackers to cause a denial of
| service (resource consumption) during a decode via a crafted JSON
| Web Encryption (JWE) token with a high compression ratio, aka a "JWT
| bomb." This is similar to CVE-2024-21319.

https://github.com/mpdavis/python-jose/issues/344
https://github.com/mpdavis/python-jose/pull/345


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33663
https://www.cve.org/CVERecord?id=CVE-2024-33663
[1] https://security-tracker.debian.org/tracker/CVE-2024-33664
https://www.cve.org/CVERecord?id=CVE-2024-33664

Please adjust the affected versions in the BTS as needed.
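Both issues in this report are pre-checks a verifier can make before handing a token to the JOSE library. The block below is an added example written for this page, not python-jose's own code: check_header_alg() ties the accepted "alg" values to the kind of key the verifier holds, so a header claiming HS256 is never verified with a public key used as the HMAC secret (the algorithm-confusion class behind CVE-2024-33663), and bounded_inflate() inflates a JWE "zip":"DEF" payload with a hard output cap so a small token that would expand to a huge plaintext is refused before memory is spent (the "JWT bomb" class behind CVE-2024-33664). The allowlist, the size limit and the sample tokens are constructed for the example.

```python
"""Pre-checks for JOSE tokens: key-kind algorithm allowlist and bounded inflate.

Added example, standard library only; not python-jose code. Policy values
(ALLOWED_ALGS, MAX_PLAINTEXT) and all tokens here are constructed.
"""
import base64
import json
import zlib

# Algorithms acceptable for each kind of verification key (constructed policy).
ALLOWED_ALGS = {
    "hmac_secret": {"HS256", "HS384", "HS512"},
    "rsa_public": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "ec_public": {"ES256", "ES384", "ES512"},
}

MAX_PLAINTEXT = 64 * 1024  # upper bound for an inflated JWE payload (constructed)


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_header_alg(token, key_kind):
    """Parse the protected header of a compact token and reject any 'alg'
    outside the allowlist for key_kind. Runs before any signature check, so
    the token cannot pick the algorithm the key is used with."""
    header = json.loads(b64url_decode(token.split(".", 1)[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS[key_kind]:
        raise ValueError(f"alg {alg!r} is not allowed with a {key_kind} key")
    return header


def alg_rejected(token, key_kind):
    """True when check_header_alg() refuses the token for this key kind."""
    try:
        check_header_alg(token, key_kind)
    except ValueError:
        return True
    return False


def bounded_inflate(data, limit=MAX_PLAINTEXT):
    """Inflate raw DEFLATE (JWE zip=DEF carries no zlib header, hence
    wbits=-15) and refuse to emit more than `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(data, limit + 1)  # max_length stops the expansion early
    if len(out) > limit:
        raise ValueError(f"inflated payload exceeds {limit} bytes")
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return out


def inflate_rejected(data, limit=MAX_PLAINTEXT):
    """True when bounded_inflate() refuses the payload."""
    try:
        bounded_inflate(data, limit)
    except ValueError:
        return True
    return False


def compress_def(plaintext):
    """Raw DEFLATE, the transform a JWE producer applies for zip=DEF."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(plaintext) + c.flush()


def sample_token(alg):
    """Constructed compact token skeleton; only its header is inspected here."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"sub": "alice"}).encode())
    return f"{header}.{claims}."


def demo():
    """A small payload round-trips; 4 MiB of zeros (a few KiB once deflated,
    constructed) is refused by the cap without ever being fully expanded."""
    small = json.dumps({"sub": "alice"}).encode()
    roundtrip = bounded_inflate(compress_def(small)) == small
    packed = compress_def(b"\0" * (4 << 20))
    return roundtrip, inflate_rejected(packed), len(packed) < 16 * 1024
```

The key-kind allowlist is the general form of the mitigation: the verifier, not the token, decides which algorithms are acceptable, and the caller passes the key kind it actually holds. The decompress cap uses decompressobj's max_length argument so the refusal happens after at most limit + 1 bytes of output, whatever the compression ratio of the input.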



Bug#1070373: quickjs: CVE-2024-33263

2024-05-04 Thread Moritz Mühlenhoff
Source: quickjs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for quickjs.

CVE-2024-33263[0]:
| QuickJS commit 3b45d15 was discovered to contain an Assertion
| Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c.

https://github.com/bellard/quickjs/issues/277


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-33263
https://www.cve.org/CVERecord?id=CVE-2024-33263

Please adjust the affected versions in the BTS as needed.



Bug#1070374: social-auth-app-django: CVE-2024-32879

2024-05-04 Thread Moritz Mühlenhoff
Source: social-auth-app-django
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for social-auth-app-django.

CVE-2024-32879[0]:
| Python Social Auth is a social authentication/registration
| mechanism. Prior to version 5.4.1, due to default case-insensitive
| collation in MySQL or MariaDB databases, third-party authentication
| user IDs are not case-sensitive and could cause different IDs to
| match. This issue has been addressed by a fix released in version
| 5.4.1. An immediate workaround would be to change collation of the
| affected field.

https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138
 (5.4.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32879
https://www.cve.org/CVERecord?id=CVE-2024-32879

Please adjust the affected versions in the BTS as needed.
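The advisory's mechanism (a case-insensitive collation making two distinct provider user IDs compare equal) can be reproduced with SQLite standing in for MySQL/MariaDB. The following is an added example, not social-auth-app-django code: a column declared COLLATE NOCASE plays the role of the case-insensitive default collation, BINARY the role of a case-sensitive one, and the lookup social-auth performs ("which local account owns provider X, uid Y?") is run against both. The rows, table name and the strict_lookup() post-check are constructed for the example; the advisory's own workaround is to change the collation of the affected field.

```python
"""Case-insensitive collation folding two provider uids into one account.

Added example; not social-auth-app-django code. SQLite's NOCASE/BINARY
collations stand in for the MySQL/MariaDB collations named in the advisory.
"""
import sqlite3

# Constructed rows: two different provider accounts whose uids differ only
# in case, each linked to a different local user.
ROWS = [
    ("github", "Alice", "alice-local"),
    ("github", "alice", "eve-local"),
]


def build_table(collation):
    """In-memory table modelled on the (provider, uid, user) triple the
    social-auth flow stores; the uid column's collation is the variable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usersocialauth ("
        " provider TEXT NOT NULL,"
        f" uid TEXT NOT NULL COLLATE {collation},"
        " user TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO usersocialauth VALUES (?, ?, ?)", ROWS)
    return conn


def db_lookup(conn, provider, uid):
    """The lookup exactly as the database answers it: the column's
    collation decides what 'uid = ?' means."""
    return conn.execute(
        "SELECT uid, user FROM usersocialauth"
        " WHERE provider = ? AND uid = ? ORDER BY rowid",
        (provider, uid),
    ).fetchall()


def strict_lookup(conn, provider, uid):
    """Application-side hardening: re-compare the stored uid byte-for-byte
    so a collation that folds case cannot hand back another user's row."""
    return [user for stored_uid, user in db_lookup(conn, provider, uid)
            if stored_uid == uid]


def demo():
    """Look up the second user's uid ('alice') under both collations."""
    out = {}
    for collation in ("NOCASE", "BINARY"):
        conn = build_table(collation)
        out[collation] = {
            "db": [user for _, user in db_lookup(conn, "github", "alice")],
            "strict": strict_lookup(conn, "github", "alice"),
        }
    return out
```

Under NOCASE the database returns both rows for uid "alice", and a caller that takes the first match logs the second provider user in as the first local account; under BINARY, or with the byte-for-byte post-check, only the correct row survives. The post-check is defence in depth; fixing the column collation (the advisory's workaround) is what makes the database itself stop matching different IDs.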



Bug#1070372: tqdm: CVE-2024-34062

2024-05-04 Thread Moritz Mühlenhoff
Source: tqdm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tqdm.

CVE-2024-34062[0]:
| tqdm is an open source progress bar for Python and CLI. Any optional
| non-boolean CLI arguments (e.g. `--delim`, `--buf-size`,
| `--manpath`) are passed through python's `eval`, allowing arbitrary
| code execution. This issue is only locally exploitable and had been
| addressed in release version 4.66.3. All users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
Fixed by: 
https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 
(v4.66.3)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34062
https://www.cve.org/CVERecord?id=CVE-2024-34062

Please adjust the affected versions in the BTS as needed.
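The advisory describes option values going through eval(), which turns the value text into executed Python. The block below is an added example and not tqdm's code: it shows the same convenience (quoted strings, numbers) obtained from ast.literal_eval, which only builds literals and refuses names, calls, attribute access and imports, together with a per-option type table so a literal of the wrong type is rejected as well. The option table is a constructed stand-in for a real CLI's option set, and unsafe_parse() is kept only as the 'before' to contrast against.

```python
"""Typed CLI option values without eval().

Added example; not tqdm's code. OPTION_TYPES is a constructed option table.
"""
import ast

# Hypothetical option table: option name -> type the program expects.
OPTION_TYPES = {
    "--delim": str,
    "--buf-size": int,
    "--manpath": str,
}


def unsafe_parse(option, raw):
    """The pattern the advisory describes: the raw text is evaluated.
    Kept only as the 'before' for parse_option_value(); never use it."""
    return eval(raw)  # executes whatever text the caller supplied


def parse_option_value(option, raw):
    """Convert the textual value of a CLI option to its declared type.

    Only Python literals are accepted. Text that is not a literal raises
    ValueError instead of being executed, and a literal of the wrong type
    (a float or bool where an int is declared) is rejected too.
    """
    expected = OPTION_TYPES[option]
    if expected is str:
        # A quoted literal is unwrapped ("','" -> ","); any other text,
        # expressions included, is taken verbatim. Nothing is evaluated.
        try:
            value = ast.literal_eval(raw)
        except (ValueError, SyntaxError, TypeError):
            return raw
        return value if isinstance(value, str) else raw
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError) as exc:
        raise ValueError(f"{option}: {raw!r} is not a literal") from exc
    if type(value) is not expected:  # bool is an int subclass: stay strict
        raise ValueError(
            f"{option}: expected {expected.__name__}, got {type(value).__name__}"
        )
    return value


def rejects(option, raw):
    """True when parse_option_value() refuses the value."""
    try:
        parse_option_value(option, raw)
    except ValueError:
        return True
    return False


def demo():
    """Constructed probe: a harmless expression returning a marker string.
    eval() runs it and yields the marker; the literal parser refuses it."""
    probe = "(lambda: 'code ran')()"
    return unsafe_parse("--buf-size", probe), rejects("--buf-size", probe)
```

The type table is the part that generalizes: once each option declares what it expects, the parser needs no evaluation at all, and values arriving from wrappers or log-driven automation are constrained to data rather than code.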



Bug#1070371: ofono: CVE-2023-4232 CVE-2023-4233 CVE-2023-4234 CVE-2023-4235

2024-05-04 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ofono.

It's not clear whether they were actually reported upstream or only
submitted to Red Hat Bugzilla:

CVE-2023-4232[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_status_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_status_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255394

CVE-2023-4233[1]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the
| sms_decode_address_field() function during the SMS PDU decoding. It
| is assumed that the attack scenario is accessible from a compromised
| modem, a malicious base station, or just SMS.

https://bugzilla.redhat.com/show_bug.cgi?id=2255396

CVE-2023-4234[2]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_submit_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_submit_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255399

CVE-2023-4235[3]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver_report()
| function during the SMS decoding. It is assumed that the attack
| scenario is accessible from a compromised modem, a malicious base
| station, or just SMS. There is a bound check for this memcpy length
| in decode_submit(), but it was forgotten in decode_deliver_report().

https://bugzilla.redhat.com/show_bug.cgi?id=2255402


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4232
https://www.cve.org/CVERecord?id=CVE-2023-4232
[1] https://security-tracker.debian.org/tracker/CVE-2023-4233
https://www.cve.org/CVERecord?id=CVE-2023-4233
[2] https://security-tracker.debian.org/tracker/CVE-2023-4234
https://www.cve.org/CVERecord?id=CVE-2023-4234
[3] https://security-tracker.debian.org/tracker/CVE-2023-4235
https://www.cve.org/CVERecord?id=CVE-2023-4235

Please adjust the affected versions in the BTS as needed.



Bug#1070370: dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837

2024-05-04 Thread Moritz Mühlenhoff
Source: dmitry
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for dmitry.

CVE-2017-7938[0]:
| Stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) version 1.3a (Unix) allows attackers to cause a
| denial of service (application crash) or possibly have unspecified
| other impact via a long argument. An example threat model is
| automated execution of DMitry with hostname strings found in local
| log files.

https://packetstormsecurity.com/files/142210/Dmitry-1.3a-Local-Stack-Buffer-Overflow.html
https://github.com/jaygreig86/dmitry/pull/12

CVE-2020-14931[1]:
| A stack-based buffer overflow in DMitry (Deepmagic Information
| Gathering Tool) 1.3a might allow remote WHOIS servers to execute
| arbitrary code via a long line in a response that is mishandled by
| nic_format_buff.

https://github.com/jaygreig86/dmitry/issues/4
https://github.com/jaygreig86/dmitry/pull/6
Fixed by: 
https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192

CVE-2024-31837[2]:
| DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-
| string vulnerability, with a threat model similar to CVE-2017-7938.

https://github.com/jaygreig86/dmitry/pull/12

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7938
https://www.cve.org/CVERecord?id=CVE-2017-7938
[1] https://security-tracker.debian.org/tracker/CVE-2020-14931
https://www.cve.org/CVERecord?id=CVE-2020-14931
[2] https://security-tracker.debian.org/tracker/CVE-2024-31837
https://www.cve.org/CVERecord?id=CVE-2024-31837

Please adjust the affected versions in the BTS as needed.



Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1

2024-05-01 Thread Moritz Muehlenhoff
On Wed, May 01, 2024 at 06:29:29PM +0100, Adam D. Barratt wrote:
> On Wed, 2024-05-01 at 13:02 +0200, Moritz Muehlenhoff wrote:
> > Please remove salt in the next Bullseye point release.
> > It was already removed from unstable for being unsupportable
> > and unmaintained (https://bugs.debian.org/1069654).
> > 
> > There are two related packages which need to be removed
> > alongside, since salt-common depends on them (but which
> > have no other dependencies outside of salt):
> > 
> > pytest-salt-factories 0.93.0-1
> > pytest-testinfra 6.1.0-1
> 
> I'm not doubting whether at least the former should be removed, but
> "salt-common depends on them" isn't a reason to remove things in
> itself. A relationship in the opposite direction certainly would be
> (i.e. "they depend on salt-common").

It's actually build dependencies, both pytest-salt-factories and
pytest-testinfra build depend on salt-common.

Cheers,
Moritz



Bug#1070176: Mark pdns-recursor as EOLed in Bullseye

2024-05-01 Thread Moritz Muehlenhoff
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: z...@debian.org

Please mark pdns-recursor as EOL/no longer covered by security support
in Bullseye. These packages can still be used for select use cases
(internal resolver within a company network), but 4.4 is lagging too
much behind to be supportable as a general purpose resolver.

Cheers,
Moritz



Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1

2024-05-01 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:salt
User: release.debian@packages.debian.org
Usertags: rm

Please remove salt in the next Bullseye point release.
It was already removed from unstable for being unsupportable
and unmaintained (https://bugs.debian.org/1069654).

There are two related packages which need to be removed
alongside, since salt-common depends on them (but which
have no other dependencies outside of salt):

pytest-salt-factories 0.93.0-1
pytest-testinfra 6.1.0-1

Cheers,
Moritz



Bug#1069762: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable

2024-04-25 Thread Moritz Muehlenhoff
On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> Hi Moritz,
> 
> could we once again use the upstream release for stable?
> debdiff 4.8.7-1 -> 4.8.8-1 is attached.

Ack. Following the 4.8 releases has served us well. debdiff looks fine,
please build with -sa and upload to security-master.

Cheers,
Moritz



Bug#1069764: python-flask-cors: CVE-2024-1681

2024-04-24 Thread Moritz Mühlenhoff
Source: python-flask-cors
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-flask-cors.

CVE-2024-1681[0]:
| corydolphin/flask-cors is vulnerable to log injection when the log
| level is set to debug. An attacker can inject fake log entries into
| the log file by sending a specially crafted GET request containing a
| CRLF sequence in the request path. This vulnerability allows
| attackers to corrupt log files, potentially covering tracks of other
| attacks, confusing log post-processing tools, and forging log
| entries. The issue is due to improper output neutralization for
| logs.

https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
https://github.com/corydolphin/flask-cors/issues/349


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1681
https://www.cve.org/CVERecord?id=CVE-2024-1681

Please adjust the affected versions in the BTS as needed.
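The advisory's mechanism is a request path containing CR/LF (sent percent-encoded, decoded by the framework) being written into a debug log, so that one request produces two records, the second one forged. The block below is an added example, not flask-cors code, and its logger names, the injected request target and the access-log lines are all constructed. It contrasts logging the decoded path verbatim with a formatter that neutralizes control characters, and adds the detection a defender actually has: a scan of front-end access logs (which record the request target still percent-encoded) for %0d/%0a in the target, which is where such attempts are visible regardless of what the application log ended up containing.

```python
"""CRLF log injection in request paths: neutralize at write time, spot
attempts in access logs.

Added example; not flask-cors code. Logger names, INJECTED_TARGET and
ACCESS_LOG are constructed for this demonstration.
"""
import io
import logging
import re
from urllib.parse import unquote

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value):
    """Replace CR, LF and other control characters by a visible escape so a
    logged value can never end the record it is part of."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


class NeutralizingFormatter(logging.Formatter):
    """Neutralizes the rendered message; exception text, which legitimately
    spans lines, is still appended by the base class."""

    def format(self, record):
        record.msg = neutralize(record.getMessage())
        record.args = ()
        return super().format(record)


def render_debug_line(path, safe):
    """Log the decoded request path at DEBUG into a string buffer and return
    the resulting log text, with or without the neutralizing formatter."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    formatter_cls = NeutralizingFormatter if safe else logging.Formatter
    handler.setFormatter(formatter_cls("%(levelname)s %(name)s: %(message)s"))
    logger = logging.getLogger("example.cors." + ("safe" if safe else "verbatim"))
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.debug("Request to '%s' matches CORS resource", path)
    return buf.getvalue()


# Constructed request target: an encoded CRLF followed by text shaped like
# a log record of its own.
INJECTED_TARGET = "/api/users%0d%0aERROR%20example.cors.verbatim:%20forged%20entry"


def record_count(path_encoded, safe):
    """Number of log lines one request produces: 2 verbatim, 1 neutralized."""
    return len(render_debug_line(unquote(path_encoded), safe).splitlines())


# Encoded CR or LF anywhere in the request target of a common-log-format line.
CRLF_IN_TARGET = re.compile(r'"[A-Z]+ [^" ]*%(?:0d|0a)', re.IGNORECASE)

# Constructed access-log lines (common log format) as a reverse proxy writes
# them; the target is logged as received, i.e. still percent-encoded.
ACCESS_LOG = """\
203.0.113.5 - - [24/Apr/2024:10:00:01 +0000] "GET /api/users HTTP/1.1" 200 512
203.0.113.7 - - [24/Apr/2024:10:00:02 +0000] "GET /api/users%0d%0aERROR%20x HTTP/1.1" 404 0
198.51.100.9 - - [24/Apr/2024:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 8812
198.51.100.9 - - [24/Apr/2024:10:00:04 +0000] "GET /search?q=a%0Ab HTTP/1.1" 200 77
"""


def requests_with_crlf(access_log):
    """Client addresses of requests whose target carries an encoded CR or LF:
    the candidates for log-injection attempts, found from the proxy's own
    record rather than from the possibly corrupted application log."""
    return [line.split(" ", 1)[0]
            for line in access_log.splitlines()
            if CRLF_IN_TARGET.search(line)]
```

Neutralizing at the formatter rather than at each call site covers every record the logger emits, including ones added later; the access-log scan is the detection counterpart, since a forged application-log line is by construction indistinguishable from a real one once written.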



Bug#1069763: matrix-synapse: CVE-2024-31208

2024-04-24 Thread Moritz Mühlenhoff
Source: matrix-synapse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for matrix-synapse.

CVE-2024-31208[0]:
| Synapse is an open-source Matrix homeserver. A remote Matrix user
| with malicious intent, sharing a room with Synapse instances before
| 1.105.1, can dispatch specially crafted events to exploit a weakness
| in the V2 state resolution algorithm. This can induce high CPU
| consumption and accumulate excessive data in the database of such
| instances, resulting in a denial of service. Servers in private
| federations, or those that do not federate, are not affected. Server
| administrators should upgrade to 1.105.1 or later. Some workarounds
| are available. One can ban the malicious users or ACL block servers
| from the rooms and/or leave the room and purge the room using the
| admin API.

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a
 (v1.105.1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31208
https://www.cve.org/CVERecord?id=CVE-2024-31208

Please adjust the affected versions in the BTS as needed.



Bug#1069762: pdns-recursor: CVE-2024-25583

2024-04-24 Thread Moritz Mühlenhoff
Source: pdns-recursor
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pdns-recursor.

CVE-2024-25583[0]:
PowerDNS Security Advisory 2024-02: if recursive forwarding is
configured, crafted responses can lead to a denial of service in Recursor
https://www.openwall.com/lists/oss-security/2024/04/24/1 


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25583
https://www.cve.org/CVERecord?id=CVE-2024-25583

Please adjust the affected versions in the BTS as needed.



Bug#1069725: nagios-plugins-contrib: pmp-check-mysql-file-privs generates WARN state on default MariaDB installation

2024-04-23 Thread Moritz Schlarb
Source: nagios-plugins-contrib
Version: 46.20240417
Severity: normal
Tags: upstream

On a not heavily modified default installation, the check pmp-check-mysql-file-privs
gives the following warning by default:

WARN files with wrong ownership: /var/lib/mysql/debian-10.11.flag

(
For systems that have been upgraded, it is probably even more:
WARN files with wrong ownership: /var/lib/mysql/mysql_upgrade_info
/var/lib/mysql/debian-10.5.flagWARN
)

Of course, a workaround would be to chown those files, since that should not do
much harm, but it might be nice to just patch the check to ignore those
(debian-specific) files.


-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.15-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1069679: ofono: CVE-2023-2794

2024-04-22 Thread Moritz Mühlenhoff
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ofono.

CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().

https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e260b065a39c9

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
https://www.cve.org/CVERecord?id=CVE-2023-2794

Please adjust the affected versions in the BTS as needed.
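What the advisory above calls a forgotten bound check is the generic mistake of trusting a length byte taken from the PDU when copying into a fixed-size buffer. The C code below is an added example, not ofono's decoder: it decodes a toy two-field DELIVER layout ([address length][address][user-data length][user data]) and checks each declared length against both the destination capacity and the bytes remaining in the input before memcpy(). The layout, the SMS_ADDR_MAX limit (10 is made up for the example; 140 octets is the GSM 03.40 user-data maximum) and the function names are mine, and the PDUs are constructed.

```c
/* Added example, not ofono code: decode a toy SMS-DELIVER layout whose
 * fields are length-prefixed, checking every declared length against the
 * destination buffer and the bytes left in the PDU before memcpy(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMS_ADDR_MAX 10    /* assumed: address octets this toy layout allows */
#define SMS_UD_MAX   140   /* GSM 03.40: user data is at most 140 octets */

struct sms_deliver {
    uint8_t oa_len;               /* originating address length */
    uint8_t oa[SMS_ADDR_MAX];     /* originating address octets */
    uint8_t udl;                  /* user data length as declared in the PDU */
    uint8_t ud[SMS_UD_MAX];       /* user data octets */
};

/* Consume one field [len][len bytes] at *cur.  Both bounds are checked:
 * len must fit the destination (cap) and must actually be present (*left).
 * Omitting the first check is the stack overflow the advisory describes. */
static bool take_field(const uint8_t **cur, size_t *left,
                       uint8_t *dst, size_t cap, uint8_t *out_len)
{
    if (*left < 1)
        return false;                 /* no length byte left to read */
    uint8_t n = (*cur)[0];
    if (n > cap)
        return false;                 /* would overflow dst */
    if (n > *left - 1)
        return false;                 /* would read past the end of the PDU */
    memcpy(dst, *cur + 1, n);
    *out_len = n;
    *cur  += 1 + n;
    *left -= 1 + n;
    return true;
}

/* Decode [oa_len][oa...][udl][ud...] from pdu/len into *out.  Returns false
 * if any declared length is too large; *out must not be used in that case. */
static bool decode_deliver_checked(const uint8_t *pdu, size_t len,
                                   struct sms_deliver *out)
{
    if (pdu == NULL || out == NULL)
        return false;
    memset(out, 0, sizeof *out);
    const uint8_t *cur = pdu;
    size_t left = len;
    if (!take_field(&cur, &left, out->oa, sizeof out->oa, &out->oa_len))
        return false;
    if (!take_field(&cur, &left, out->ud, sizeof out->ud, &out->udl))
        return false;
    return true;
}

int main(void)
{
    struct sms_deliver d;
    /* Constructed PDU: 3-octet address, then a 5-octet user data field. */
    const uint8_t good[] = { 3, 0x21, 0x43, 0x65, 5, 'h', 'e', 'l', 'l', 'o' };
    /* Constructed PDU claiming 200 octets of user data, more than ud holds. */
    const uint8_t oversized[] = { 0, 200, 'x' };
    printf("good: %s\n",
           decode_deliver_checked(good, sizeof good, &d) ? "accepted" : "rejected");
    printf("oversized: %s\n",
           decode_deliver_checked(oversized, sizeof oversized, &d) ? "accepted" : "rejected");
    return 0;
}
```

Routing every variable-length field through one helper is the point: a decoder with several code paths (decode_submit versus decode_deliver in the advisory) only stays safe if each path repeats the same checks, and a shared helper makes forgetting one impossible.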



Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094

2024-04-22 Thread Moritz Mühlenhoff
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22;   Oracle GraalVM Enterprise Edition:
| 20.3.13 and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and  22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in  unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).


CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot).  Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and  21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java 

Bug#1069677: rust-rustls: CVE-2024-32650

2024-04-22 Thread Moritz Mühlenhoff
Source: rust-rustls
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for rust-rustls.

CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client send a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
https://www.cve.org/CVERecord?id=CVE-2024-32650

Please adjust the affected versions in the BTS as needed.



Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-21 Thread Moritz Muehlenhoff
On Sun, Apr 21, 2024 at 07:35:43PM +, Victor Seva wrote:
> Hi,
> 
> 
> I've just uploaded sngrep 1.8.1-1 to sid and prepared 1.6.0-1+deb12u1 for 
> bookworm-security [0].
> 
> Attached debdiff file.
> 
> Waiting for your reply,
> Victor
> 
> [0] https://salsa.debian.org/pkg-voip-team/sngrep/-/tags/debian%2F1.6.0-1+deb12u1

Hi Victor,
diff looks fine, but I don't believe this really needs a DSA; it's a rather 
obscure attack vector.
I think addressing this via the next Bookworm point release is perfectly fine, 
what do you think?

Procedure is outlined at
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Cheers,
Moritz



Bug#1069252: bookworm-pu: package libapache2-mod-auth-openidc/2.4.12.3-2+deb12u1

2024-04-18 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/changelog 
libapache2-mod-auth-openidc-2.4.12.3/debian/changelog
--- libapache2-mod-auth-openidc-2.4.12.3/debian/changelog   2023-05-02 
11:48:09.0 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/changelog   2024-04-18 
14:20:00.0 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.12.3-2+deb12u1) bookworm; urgency=medium
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+cookie value made the server vulnerable to a Denial of Service (DoS)
+attack. If an attacker manipulated the value of the OpenIDC cookie to a
+very large integer like , the server struggled with the request for
+a long time and finally returned a 500 error. Making a few requests of this
+kind caused servers to become unresponsive, and so attackers could thereby
+craft requests that would make the server work very hard and/or crash with
+minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb   Thu, 18 Apr 2024 14:20:00 +0200
+
 libapache2-mod-auth-openidc (2.4.12.3-2) unstable; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
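Review bot: the example value in "to a very large integer like , the server struggled" has gone missing (the comma follows "like" directly), so the changelog entry does not read on its own; either restore the number or reword it to "to a very large integer". The rest of the entry names the CVE and closes #1064183, as a stable update entry should.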
diff -Nru libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf 
libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf
--- libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf2023-05-02 
11:41:28.0 +0200
+++ libapache2-mod-auth-openidc-2.4.12.3/debian/gbp.conf2024-04-18 
14:20:00.0 +0200
@@ -1,2 +1,3 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = bookworm
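Review bot: `debian-branch = bookworm` is a packaging-only change with no counterpart in the changelog entry, although the checklist above states that all changes are documented in d/changelog; either add a line for it there or leave it out to keep the point-release diff minimal. It has no effect on the built binary packages.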
diff -Nru 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
--- 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 2023-05-02 11:47:32.0 +0200
+++ 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0001-Fix-CVE-2023-28625-segfault-DoS-when-OIDCStripCookie.patch
 2024-04-18 14:20:00.0 +0200
@@ -1,9 +1,9 @@
 From: Moritz Schlarb 
 Date: Tue, 2 May 2023 11:44:18 +0200
 Subject: Fix CVE-2023-28625: segfault DoS when OIDCStripCookies is set
+
 Origin: upstream, 
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-f5xw-rvfr-24qr
 Applied-Upstream: 2.4.13.2, 
https://github.com/OpenIDC/mod_auth_openidc/commit/c0e1edac3c4c19988ccdc7713d7aebfce6ff916a
-
 ---
  src/mod_auth_openidc.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
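Review bot: this hunk only relocates a blank line inside the DEP-3 header of the existing CVE-2023-28625 patch (added after `Subject:`, removed before `---`), which looks like a by-product of regenerating the patch queue; it is cosmetic and is not mentioned in the changelog, so drop it from the stable diff or note it.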
diff -Nru 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
--- 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
   1970-01-01 01:00:00.0 +0100
+++ 
libapache2-mod-auth-openidc-2.4.12.3/debian/patches/0002-fix-DoS-CVE-2024-24814.patch
   2024-04-18 14:20:00.0 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt 
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt 
+---
+ src/util.c | 35 +--
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e1f0a3a..7a86c24 100644
+--- a/src/util.c
 b/src/util.c
+@@ -1325,25 +1325,24 @@ static char* 
oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+   int chunkSize) {
+-  char *cookieValue = NULL;
+-  char
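Review bot: the hunk is cut off at `+-  char`, so the replacement body of oidc_util_get_chunked_cookie cannot be reviewed from this posting; please point at the full patch (the bullseye request #1069253 in this thread shows more of it) or attach the debdiff as a file. Note also that the `+++ b/src/util.c` header appears as ` b/src/util.c` in this copy, so verify that the patch applies during the build rather than trusting the inline text.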

Bug#1069253: bullseye-pu: package libapache2-mod-auth-openidc/2.4.9.4-0+deb11u4

2024-04-18 Thread Moritz Schlarb
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: libapache2-mod-auth-open...@packages.debian.org, 
t...@security.debian.org
Control: affects -1 + src:libapache2-mod-auth-openidc
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Backported the patch to fix CVE-2024-24814.
Does not require DSA as per #1064183#28.

[ Impact ]
DoS when `OIDCSessionType client-cookie` is set and
a crafted Cookie header is supplied
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv

[ Tests ]
Manually on own infra.

[ Risks ]
Patch has minimal complexity but is from the upstream author
who is generally very knowledgeable about his code.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Added upstream commit as patch that fixes oidc_util_get_chunked_cookie
function to properly handle chunked cookies and decline malicious ones.

[ Other info ]
diff -Nru libapache2-mod-auth-openidc-2.4.9.4/debian/changelog 
libapache2-mod-auth-openidc-2.4.9.4/debian/changelog
--- libapache2-mod-auth-openidc-2.4.9.4/debian/changelog2023-05-02 
12:59:57.0 +0200
+++ libapache2-mod-auth-openidc-2.4.9.4/debian/changelog2024-04-18 
14:27:26.0 +0200
@@ -1,3 +1,16 @@
+libapache2-mod-auth-openidc (2.4.9.4-0+deb11u4) bullseye; urgency=high
+
+  * CVE-2024-24814: Missing input validation on mod_auth_openidc_session_chunks
+cookie value made the server vulnerable to a Denial of Service (DoS)
+attack. If an attacker manipulated the value of the OpenIDC cookie to a
+very large integer like , the server struggled with the request for
+a long time and finally returned a 500 error. Making a few requests of this
+kind caused servers to become unresponsive, and so attackers could thereby
+craft requests that would make the server work very hard and/or crash with
+minimal effort. (Closes: #1064183)
+
+ -- Moritz Schlarb   Thu, 18 Apr 2024 14:27:26 +0200
+
 libapache2-mod-auth-openidc (2.4.9.4-0+deb11u3) bullseye-security; urgency=high
 
   * Add patch to Fix CVE-2023-28625 (Closes: #1033916)
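Review bot: `urgency=high` has no effect on a bullseye point-release upload (urgency only drives testing migration), and the bookworm entry for the same fix in #1069252 uses medium, so consider medium here for consistency. The example value in "to a very large integer like , the server struggled" is missing in this entry as well; restore the number or reword to "to a very large integer".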
diff -Nru 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
--- 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
1970-01-01 01:00:00.0 +0100
+++ 
libapache2-mod-auth-openidc-2.4.9.4/debian/patches/0004-fix-DoS-CVE-2024-24814.patch
2024-04-18 14:25:44.0 +0200
@@ -0,0 +1,60 @@
+From: Hans Zandbelt 
+Date: Tue, 6 Feb 2024 23:45:40 +0100
+Subject: [PATCH] release 2.4.15.2: fix DoS CVE-2024-24814
+
+fix CVE-2024-24814: DoS when 'OIDCSessionType client-cookie' is set and
+a crafted Cookie header is supplied
+https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+
+Signed-off-by: Hans Zandbelt 
+---
+ src/util.c | 35 +--
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index c6453d0..6782293 100644
+--- a/src/util.c
 b/src/util.c
+@@ -1288,25 +1288,24 @@ static char* 
oidc_util_get_chunk_cookie_name(request_rec *r,
+  */
+ char* oidc_util_get_chunked_cookie(request_rec *r, const char *cookieName,
+   int chunkSize) {
+-  char *cookieValue = NULL;
+-  char *chunkValue = NULL;
+-  int i = 0;
+-  if (chunkSize == 0) {
+-  cookieValue = oidc_util_get_cookie(r, cookieName);
+-  } else {
+-  int chunkCount = oidc_util_get_chunked_count(r, cookieName);
+-  if (chunkCount > 0) {
+-  cookieValue = "";
+-  for (i = 0; i < chunkCount; i++) {
+-  chunkValue = oidc_util_get_cookie(r,
+-  
oidc_util_get_chunk_cookie_name(r, cookieName, i));
+-  if (chunkValue != NULL)
+-  cookieValue = apr_psprintf(r->pool, 
"%s%s", cookieValue,
+-  chunkValue);
+-  }
+-  } else {
+-  cookieValue = oidc_util_get_cookie(r, cookieName);
++  char *cookieValue = NULL, *chunkValue = NULL;
++  int chunkCount = 0, i = 0;
++  if (chunkSize == 0)
++  return oidc_util_get_cookie(r, cookieName);
++  chunkCount = oidc_util_get_chunked_count(r, cookieName);
++  if (chunkCount == 0)
++  return oidc_util_get_cookie(r, cookieName);
++  if ((chunkCount < 0) || (chunkCount > 99)) {
++  oidc_warn(r, "chunk count out of bounds: %d", chunkCount);
++ 
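Review bot: the `(chunkCount < 0) || (chunkCount > 99)` check is the core of the fix and is the line to scrutinise: the old loop `for (i = 0; i < chunkCount; i++)` used the cookie-supplied count directly, so a huge value meant that many cookie lookups and apr_psprintf re-allocations per request, which is the DoS. The hunk is cut off right after the oidc_warn line, so the new loop body is not visible here; confirm against the upstream commit referenced in #1064183 that a missing chunk (the old code skipped a NULL chunkValue) is still handled, and that the two early `return oidc_util_get_cookie(r, cookieName)` paths keep the chunkSize == 0 and chunkCount == 0 behaviour of the old code, which they do as far as the visible lines go. The cap of 99 is upstream's choice and is fine for a backport as long as the code that writes the chunks never produces more.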

Bug#1064183: libapache2-mod-auth-openidc: CVE-2024-24814

2024-04-18 Thread Moritz Muehlenhoff
On Thu, Apr 18, 2024 at 02:40:41PM +0200, Moritz Schlarb wrote:
> Dear Salvatore,
> 
> I've prepared, built, tested and uploaded fixed versions for bullseye
> (2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).
> 
> Would you like to issue a DSA for them or is it enough that they are
> included in the next stable point release?

Hi Moritz,
I think it's sufficient if we only fix these via the next point release(s),
thanks!

Cheers,
Moritz



Bug#1064183: libapache2-mod-auth-openidc: CVE-2024-24814

2024-04-18 Thread Moritz Schlarb

Dear Salvatore,

I've prepared, built, tested and uploaded fixed versions for bullseye 
(2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).


Would you like to issue a DSA for them or is it enough that they are 
included in the next stable point release?


Regards,
Moritz

On 18.02.24 07:57, Salvatore Bonaccorso wrote:

Source: libapache2-mod-auth-openidc
Version: 2.4.15.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for libapache2-mod-auth-openidc.

CVE-2024-24814[0]:
| mod_auth_openidc is an OpenID Certified™ authentication and
| authorization module for the Apache 2.x HTTP server that implements
| the OpenID Connect Relying Party functionality. In affected versions
| missing input validation on mod_auth_openidc_session_chunks cookie
| value makes the server vulnerable to a denial of service (DoS)
| attack. An internal security audit has been conducted and the
| reviewers found that if they manipulated the value of the
| mod_auth_openidc_session_chunks cookie to a very large integer, like
| , the server struggles with the request for a long time and
| finally gets back with a 500 error. Making a few requests of this
| kind caused our server to become unresponsive. Attackers can craft
| requests that would make the server work very hard (and possibly
| become unresponsive) and/or crash with minimal effort. This issue
| has been addressed in version 2.4.15.2. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24814
 https://www.cve.org/CVERecord?id=CVE-2024-24814
[1] https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
[2] https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


--
Moritz Schlarb
Unix und Cloud
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz

OpenPGP-Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF


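The CVE description above is an instance of an attacker-chosen integer becoming a loop bound. The C code below is an added example, not mod_auth_openidc code: it parses the chunk-count cookie value strictly (digits only, no overflow, within [0, 99]) before any per-chunk work happens, so an absurd count is rejected in constant time rather than turning into that many cookie lookups and string concatenations. The cookie jar, the "<name>_chunks" / "<name>_<i>" naming, the 99 cap (the limit the backported fix in #1069253 uses) and all function names are assumptions made for the example; the cookies shown are constructed.

```c
/* Added example, not mod_auth_openidc code: validate a client-supplied
 * chunk count before it becomes a loop bound, so an absurd value is
 * rejected in constant time instead of turning into per-request work. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_COUNT_MAX 99   /* assumed cap; the backported fix uses 99 too */

/* Parse s as a non-negative decimal integer.  Returns -1 unless the whole
 * string is digits, strtol did not overflow, and the value lies within
 * [0, CHUNK_COUNT_MAX].  strtol alone would accept "+5", " 5" or "5x". */
static int parse_chunk_count(const char *s)
{
    if (s == NULL || *s < '0' || *s > '9')
        return -1;                      /* empty, sign, space or garbage */
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow or trailing characters */
    if (v < 0 || v > CHUNK_COUNT_MAX)
        return -1;                      /* outside the accepted range */
    return (int)v;
}

/* Stand-in for the request's cookie jar (constructed for the example). */
struct cookie {
    const char *name;
    const char *value;
};

static const char *get_cookie(const struct cookie *jar, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(jar[i].name, name) == 0)
            return jar[i].value;
    return NULL;
}

/* Reassemble "<name>_0".."<name>_<count-1>" as announced by "<name>_chunks"
 * (assumed naming).  Returns the chunk count on success with the joined value
 * in out, or -1 with out empty when the count is rejected, a chunk is missing,
 * or the joined value would not fit. */
static int get_chunked_cookie(const struct cookie *jar, size_t n,
                              const char *name, char *out, size_t outsz)
{
    char key[128];
    out[0] = '\0';
    snprintf(key, sizeof key, "%s_chunks", name);
    const char *raw = get_cookie(jar, n, key);
    if (raw == NULL)
        return -1;
    int count = parse_chunk_count(raw);
    if (count < 0)
        return -1;                      /* rejected before any lookups */
    size_t used = 0;
    for (int i = 0; i < count; i++) {   /* at most CHUNK_COUNT_MAX iterations */
        snprintf(key, sizeof key, "%s_%d", name, i);
        const char *chunk = get_cookie(jar, n, key);
        if (chunk == NULL) {
            out[0] = '\0';
            return -1;                  /* incomplete set of chunks */
        }
        size_t len = strlen(chunk);
        if (used + len >= outsz) {
            out[0] = '\0';
            return -1;                  /* joined value would not fit */
        }
        memcpy(out + used, chunk, len);
        used += len;
        out[used] = '\0';
    }
    return count;
}

int main(void)
{
    char out[64];
    const struct cookie ok[] = { { "sess_chunks", "2" }, { "sess_0", "abc" }, { "sess_1", "def" } };
    const struct cookie bad[] = { { "sess_chunks", "99999999999" } };   /* constructed hostile value */
    printf("ok:  %d %s\n", get_chunked_cookie(ok, 3, "sess", out, sizeof out), out);
    printf("bad: %d %s\n", get_chunked_cookie(bad, 1, "sess", out, sizeof out), out);
    return 0;
}
```

The range check sits in the parser rather than in the loop so that every caller gets it for free; the joined-length check is a second, independent bound, since even 99 well-formed chunks could otherwise be used to grow the value without limit.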


Bug#1069189: mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21

2024-04-17 Thread Moritz Mühlenhoff
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client: mysqldump).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Difficult to
| exploit vulnerability allows unauthenticated attacker with logon to
| the infrastructure where MySQL Server executes to compromise MySQL
| Server.  Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data as well as  unauthorized read access to a subset of
| MySQL Server accessible data and unauthorized ability to cause a
| partial denial of service (partial DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Confidentiality, Integrity and Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).


CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication Plugin).  Supported versions
| that are affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server.  Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts).  CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Data Dictionary).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer).  Supported versions that are
| affected are 8.0.36 and prior and  8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB).  Supported versions that are affected are
| 8.0.36 and prior and  8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL 

Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Moritz Mühlenhoff
On Tue, Apr 09, 2024 at 10:01:11AM +0200, Andreas Beckmann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Bastien Roucariès 
> Control: affects -1 + src:json-smart
> Control: block 1039985 with -1
> Control: block 1033474 with -1
> 
> [ Reason ]
> Two CVEs were fixed in buster-lts, but not yet in bullseye or later,
> causing version skew on upgrades:

CVE-2023-1370 / #1033474 is unfixed in sid, and being fixed in unstable
is a precondition for a point update.

Bastien, since you fixed it in buster-lts, can you please also take care
of addressing unstable?

Cheers,
Moritz



Bug#1068822: qemu: CVE-2024-3567

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3567[0]:
| A flaw was found in QEMU. An assertion failure was present in the
| update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying
| to calculate the checksum of a short-sized fragmented packet. This
| flaw allows a malicious guest to crash QEMU and cause a denial of
| service condition.

https://bugzilla.redhat.com/show_bug.cgi?id=2274339
https://gitlab.com/qemu-project/qemu/-/issues/2273


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3567
https://www.cve.org/CVERecord?id=CVE-2024-3567

Please adjust the affected versions in the BTS as needed.



Bug#1068821: qemu: CVE-2024-3447

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3447[0]:

https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/
https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3447
https://www.cve.org/CVERecord?id=CVE-2024-3447

Please adjust the affected versions in the BTS as needed.



Bug#1068820: qemu: CVE-2024-3446

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2024-3446[0]:
| A double free vulnerability was found in QEMU virtio devices
| (virtio-gpu, virtio-serial-bus, virtio-crypto), where the
| mem_reentrancy_guard flag insufficiently protects against DMA
| reentrancy issues. This issue could allow a malicious privileged
| guest to crash the QEMU process on the host, resulting in a denial
| of service or allow arbitrary code execution within the context of
| the QEMU process on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=2274211
https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3446
https://www.cve.org/CVERecord?id=CVE-2024-3446

Please adjust the affected versions in the BTS as needed.



Bug#1068819: qemu: CVE-2024-26327 CVE-2024-26328

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for qemu.

CVE-2024-26327[0]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c mishandles the situation where a guest writes
| NumVFs greater than TotalVFs, leading to a buffer overflow in VF
| implementations.

CVE-2024-26328[1]:
| An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in
| hw/pci/pcie_sriov.c does not set NumVFs to PCI_SRIOV_TOTAL_VF, and
| thus interaction with hw/nvme/ctrl.c is mishandled.

https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org

Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26327
https://www.cve.org/CVERecord?id=CVE-2024-26327
[1] https://security-tracker.debian.org/tracker/CVE-2024-26328
https://www.cve.org/CVERecord?id=CVE-2024-26328

Please adjust the affected versions in the BTS as needed.
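As an added illustration of the bug class in CVE-2024-26327 above (not QEMU's code; the names sriov_dev, sriov_write_numvfs and the table size are invented for this model): a guest-writable NumVFs register must never be used to index a VF table that is only TotalVFs long. The model below clamps the request to TotalVFs before touching the table, so a guest writing a value larger than TotalVFs cannot push the loop past the end of the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SR-IOV model for illustration; none of these names are QEMU's. */
#define SRIOV_MAX_VFS 8            /* capacity of the VF table in this model */

typedef struct {
    int enabled;                   /* VF currently instantiated */
    uint16_t vf_index;             /* position within the VF table */
} vf_slot;

typedef struct {
    uint16_t total_vfs;            /* TotalVFs: read-only upper bound the device advertises */
    uint16_t num_vfs;              /* NumVFs: last value accepted from a guest config write */
    vf_slot vfs[SRIOV_MAX_VFS];    /* only the first total_vfs entries are valid */
} sriov_dev;

/* Set up a device advertising total_vfs VFs; fails if the table is too small. */
int sriov_init(sriov_dev *d, uint16_t total_vfs)
{
    if (total_vfs > SRIOV_MAX_VFS)
        return -1;
    memset(d, 0, sizeof *d);
    d->total_vfs = total_vfs;
    return 0;
}

/* Tear down every VF before (re)registering, so a smaller NumVFs cannot leave
 * stale enabled entries behind. */
static void unregister_vfs(sriov_dev *d)
{
    for (uint16_t i = 0; i < d->total_vfs; i++)
        d->vfs[i].enabled = 0;
    d->num_vfs = 0;
}

/* Guest write to the NumVFs register. The bug class described in
 * CVE-2024-26327 is looping up to the guest-supplied value while the VF
 * table is only total_vfs long. Here the request is clamped to TotalVFs
 * before any indexing happens (rejecting the write outright is the other
 * reasonable policy). Returns the number of VFs now registered. */
int sriov_write_numvfs(sriov_dev *d, uint16_t requested)
{
    uint16_t n = requested > d->total_vfs ? d->total_vfs : requested;

    unregister_vfs(d);
    for (uint16_t i = 0; i < n; i++) {
        d->vfs[i].enabled = 1;
        d->vfs[i].vf_index = i;
    }
    d->num_vfs = n;
    return n;
}

/* Count VFs that are actually instantiated; must never exceed total_vfs. */
int sriov_enabled_count(const sriov_dev *d)
{
    int count = 0;
    for (uint16_t i = 0; i < d->total_vfs; i++)
        count += d->vfs[i].enabled;
    return count;
}

int main(void)
{
    sriov_dev d;
    sriov_init(&d, 4);
    printf("NumVFs=2      -> %d VFs\n", sriov_write_numvfs(&d, 2));
    printf("NumVFs=0xffff -> %d VFs (clamped to TotalVFs)\n",
           sriov_write_numvfs(&d, 0xffff));
    return 0;
}
```

The invariant worth checking in review of any emulated register write is that the value the guest supplies is bounded by the device's own fixed capacity before it drives a loop or an array index.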



Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-11 Thread Moritz Mühlenhoff
Source: sngrep
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sngrep.

CVE-2024-3119[0]:
| A buffer overflow vulnerability exists in all versions of sngrep
| since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID'
| SIP headers. The functions sip_get_callid and sip_get_xcallid in
| sip.c use the strncpy function to copy header contents into fixed-
| size buffers without checking the data length. This flaw allows
| remote attackers to execute arbitrary code or cause a denial of
| service (DoS) through specially crafted SIP messages.

https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc
 (v1.8.1)

CVE-2024-3120[1]:
| A stack-buffer overflow vulnerability exists in all versions of
| sngrep since v1.4.1. The flaw is due to inadequate bounds checking
| when copying 'Content-Length' and 'Warning' headers into fixed-size
| buffers in the sip_validate_packet and sip_parse_extra_headers
| functions within src/sip.c. This vulnerability allows remote
| attackers to execute arbitrary code or cause a denial of service
| (DoS) via crafted SIP messages.

https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809
 (v1.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3119
https://www.cve.org/CVERecord?id=CVE-2024-3119
[1] https://security-tracker.debian.org/tracker/CVE-2024-3120
https://www.cve.org/CVERecord?id=CVE-2024-3120

Please adjust the affected versions in the BTS as needed.
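As an added illustration of the pattern behind CVE-2024-3119 and CVE-2024-3120 above (this is not sngrep's sip.c; find_header, sip_copy_header and the sample request are invented for this example): copying a header value with strncpy where the length comes from the message rather than from the destination buffer is exactly what lets an over-long Call-ID run past a fixed-size array. The version below checks the value length against the destination size first and rejects anything that would not fit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical header extractor for illustration; not sngrep's sip.c.
 * Header names are matched case-insensitively at the start of a line. */
static int name_matches(const char *line, const char *name, size_t nlen)
{
    for (size_t i = 0; i < nlen; i++) {
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;               /* also stops at an early NUL in line */
    }
    return line[nlen] == ':';
}

/* Locate "Name:" on its own line and return its value and length (no copy). */
static const char *find_header(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;

    while (p && *p) {
        if (name_matches(p, name, nlen)) {
            const char *v = p + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            const char *end = strpbrk(v, "\r\n");
            *vlen = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return NULL;
}

/* Bounded copy of a header value into out[outsz].
 * The unsafe pattern behind CVE-2024-3119/3120 is strncpy(out, v, vlen) with
 * vlen taken from the message instead of from the destination size: a value
 * longer than the buffer then runs past it. Here the length is checked first
 * and an over-long value is rejected, leaving out untouched.
 * Returns 0 on success, -1 if the header is absent or does not fit. */
int sip_copy_header(const char *msg, const char *name, char *out, size_t outsz)
{
    size_t vlen;
    const char *v = find_header(msg, name, &vlen);

    if (!v || outsz == 0 || vlen >= outsz)
        return -1;                  /* needs vlen + 1 bytes including NUL */
    memcpy(out, v, vlen);
    out[vlen] = '\0';
    return 0;
}

/* Constructed sample request (not captured traffic). */
static const char SAMPLE_INVITE[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

/* Normal case: the Call-ID fits a 64-byte buffer. */
int parse_sample_ok(char *out, size_t outsz)
{
    return sip_copy_header(SAMPLE_INVITE, "Call-ID", out, outsz);
}

/* Failure mode: a 200-byte Call-ID is rejected instead of overflowing. */
int parse_sample_overlong(char *out, size_t outsz)
{
    char id[201];
    char msg[512];

    memset(id, 'A', sizeof id - 1);
    id[sizeof id - 1] = '\0';
    snprintf(msg, sizeof msg,
             "INVITE sip:bob@example.invalid SIP/2.0\r\nCall-ID: %s\r\n\r\n", id);
    return sip_copy_header(msg, "Call-ID", out, outsz);
}

int main(void)
{
    char callid[64];
    if (parse_sample_ok(callid, sizeof callid) == 0)
        printf("Call-ID: %s\n", callid);
    printf("over-long Call-ID: %s\n",
           parse_sample_overlong(callid, sizeof callid) == -1 ? "rejected" : "copied");
    return 0;
}
```

The same check applies unchanged to Content-Length and Warning (the headers named in CVE-2024-3120): the destination size, not the source length, decides how many bytes may be copied.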



Bug#1068817: undertow: CVE-2024-1635

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1635[0]:
| A vulnerability was found in Undertow. This vulnerability impacts a
| server that supports the wildfly-http-client protocol. Whenever a
| malicious user opens and closes a connection with the HTTP port of
| the server and then closes the connection immediately, the server
| will end with both memory and open file limits exhausted at some
| point, depending on the amount of memory available. At HTTP
| upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks
| connections if RemotingConnection is closed by Remoting
| ServerConnectionOpenListener. Because the remoting connection
| originates in Undertow as part of the HTTP upgrade, there is an
| external layer to the remoting connection. This connection is
| unaware of the outermost layer when closing the connection during
| the connection opening procedure. Hence, the Undertow
| WriteTimeoutStreamSinkConduit is not notified of the closed
| connection in this scenario. Because WriteTimeoutStreamSinkConduit
| creates a timeout task, the whole dependency tree leaks via that
| task, which is added to XNIO WorkerThread. So, the workerThread
| points to the Undertow conduit, which contains the connections and
| causes the leak.

https://bugzilla.redhat.com/show_bug.cgi?id=2264928


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1635
https://www.cve.org/CVERecord?id=CVE-2024-1635

Please adjust the affected versions in the BTS as needed.



Bug#1068815: undertow: CVE-2023-1973

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-1973[0]:
The only reference is at Red Hat:

https://bugzilla.redhat.com/show_bug.cgi?id=2185662


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1973
https://www.cve.org/CVERecord?id=CVE-2023-1973

Please adjust the affected versions in the BTS as needed.



Bug#1068816: undertow: CVE-2024-1459

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1459[0]:
| A path traversal vulnerability was found in Undertow. This issue may
| allow a remote attacker to append a specially-crafted sequence to an
| HTTP request for an application deployed to JBoss EAP, which may
| permit access to privileged or restricted files and directories.

The only reference here is at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2259475

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1459
https://www.cve.org/CVERecord?id=CVE-2024-1459

Please adjust the affected versions in the BTS as needed.



Bug#1068629: testng7 backport for bullseye needed for latest Java LTS releases

2024-04-11 Thread Moritz Mühlenhoff
On Tue, Apr 09, 2024 at 02:02:13PM +1200, Vladimir Petko wrote:
> Hi,
> 
> I have realized that I have not submitted the bug report for this
> issue, so the decision to try vendoring dependencies for JTREG is not
> visible anywhere.
> 
> Starting from the April OpenJDK release, JTREG 7.3 will be used for
> openjdk-11 and up, which will require having it in Buster and up.
> 
> In Ubuntu, the January OpenJDK update used the vendored version, and
> we have not found any test regression issues caused by it.
> 
> I have an MR open[1] that does not update the source tree and a
> branch[2] with imported sources.

Thanks, using a vendored version seems perfectly fine here and makes
our life significantly easier for stable/oldstable updates (and jtreg
isn't used outside of OpenJDK anyway)

Cheers,
Moritz



Bug#1068462: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

2024-04-05 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component in at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer deference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.



Bug#1068461: freeimage: CVE-2024-28562 CVE-2024-28563 CVE-2024-28564 CVE-2024-28565 CVE-2024-28566 CVE-2024-28567 CVE-2024-28568 CVE-2024-28569 CVE-2024-28570 CVE-2024-28571 CVE-2024-28572 CVE-2024-28

2024-04-05 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for freeimage. They are all
only published at 
https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909
and don't appear to be forwarded upstream yet.

CVE-2024-28562[0]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::copyIntoFrameBuffer() component when reading images in EXR
| format.


CVE-2024-28563[1]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::DwaCompressor::Classifier::Classifier() function
| when reading images in EXR format.


CVE-2024-28564[2]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the Imf_2_2::CharPtrIO::readChars() function when reading images
| in EXR format.


CVE-2024-28565[3]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the psdParser::ReadImageData() function when reading images in
| PSD format.


CVE-2024-28566[4]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| AssignPixel() function when reading images in TIFF format.


CVE-2024-28567[5]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_CreateICCProfile() function when reading images in
| TIFF format.


CVE-2024-28568[6]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the read_iptc_profile() function when reading images in TIFF
| format.


CVE-2024-28569[7]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Imf_2_2::Xdr::read() function when reading images in EXR format.


CVE-2024-28570[8]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the processMakerNote() function when reading images in JPEG
| format.


CVE-2024-28571[9]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the fill_input_buffer() function when reading images in JPEG
| format.


CVE-2024-28572[10]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_SetTagValue() function when reading images in JPEG
| format.


CVE-2024-28573[11]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the jpeg_read_exif_profile() function when reading images in
| JPEG format.


CVE-2024-28574[12]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28574[13]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_copy_default_tcp_and_create_tcd() function when
| reading images in J2K format.


CVE-2024-28575[14]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_read_mct() function when reading images in J2K
| format.


CVE-2024-28576[15]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the opj_j2k_tcp_destroy() function when reading images in J2K
| format.


CVE-2024-28577[16]:
| Null Pointer Dereference vulnerability in open source FreeImage
| v.3.19.0 [r1909] allows a local attacker to cause a denial of
| service (DoS) via the jpeg_read_exif_profile_raw() function when
| reading images in JPEG format.


CVE-2024-28578[17]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| Load() function when reading images in RAS format.


CVE-2024-28579[18]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to cause a denial of service (DoS)
| via the FreeImage_Unload() function when reading images in HDR
| format.


CVE-2024-28580[19]:
| Buffer Overflow vulnerability in open source FreeImage v.3.19.0
| [r1909] allows a local attacker to execute arbitrary code via the
| ReadData() function when 
