[SECURITY] [DLA 3222-1] node-fetch security update

2022-12-04 Thread Guilhem Moulin
-
Debian LTS Advisory DLA-3222-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/   Guilhem Moulin
December 05, 2022 https://wiki.debian.org/LTS
-

Package: node-fetch
Version: 1.7.3-1+deb10u1
CVE ID : CVE-2022-0235

ranjit-git discovered an information leak vulnerability in node-fetch, a
Node.js module exposing a window.fetch compatible API on Node.js
runtime: the module was not honoring the same-origin policy and, upon
following a redirect, would leak cookies to the target URL.
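The redirect behaviour described above, as an added illustration that is not node-fetch's own code: a small redirect follower that re-sends the original request headers under two policies, the leaky one (forward everything) and a fixed one that strips credential-bearing headers once the redirect leaves the request's origin. The helper names, the strict scheme/host/port comparison and the sample request are assumptions made for this example; the exact rule used by the upstream fix is not described on this page.

```javascript
// Added illustration (not node-fetch's own code): forwarding request
// headers across a redirect, with and without a cross-origin check.
// The helper names and the strict origin comparison are assumptions
// made for this example.

// Headers that carry credentials and must never follow a redirect
// to another origin.
const CREDENTIAL_HEADERS = ['authorization', 'cookie', 'cookie2', 'www-authenticate'];

// Same origin means same scheme, host and port. The WHATWG URL parser
// normalises a default port to '', so https://a/ and https://a:443/ match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.hostname === ub.hostname && ua.port === ub.port;
}

// Leaky behaviour: every header, credentials included, is re-sent to
// whatever URL the Location header points at.
function redirectHeadersLeaky(headers) {
  return { ...headers };
}

// Fixed behaviour: drop credential-bearing headers once the redirect
// leaves the origin the request was made to.
function redirectHeadersSafe(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Resolve a Location value (possibly relative) against the request URL and
// build the follow-up request under the given header policy. No network I/O.
function followRedirect(policy, request, location) {
  const target = new URL(location, request.url).href;
  return { url: target, headers: policy(request.headers, request.url, target) };
}

// Constructed sample request: a session cookie and bearer token sent to the
// application, which then answers with a 302 to an attacker-controlled host.
const sampleRequest = {
  url: 'https://app.example.test/login',
  headers: {
    Cookie: 'session=abc123',
    Authorization: 'Bearer secret-token',
    Accept: 'application/json',
  },
};
const hostileLocation = 'https://evil.example.test/collect';

// What the vulnerable and fixed code would each send to evil.example.test,
// plus a same-origin redirect where the cookie legitimately stays.
const leakedRequest = followRedirect(redirectHeadersLeaky, sampleRequest, hostileLocation);
const safeRequest = followRedirect(redirectHeadersSafe, sampleRequest, hostileLocation);
const sameOriginRequest = followRedirect(redirectHeadersSafe, sampleRequest, '/dashboard');

console.log('leaky  ->', leakedRequest.url, Object.keys(leakedRequest.headers));
console.log('fixed  ->', safeRequest.url, Object.keys(safeRequest.headers));
console.log('same   ->', sameOriginRequest.url, Object.keys(sameOriginRequest.headers));
```

The check is deliberately made on the resolved target rather than on the raw Location value, because a relative Location stays on the same origin while an absolute one may not; a client that only looks at the string it was given would get both cases wrong.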

For Debian 10 buster, this problem has been fixed in version
1.7.3-1+deb10u1.

We recommend that you upgrade your node-fetch packages.

For the detailed security status of node-fetch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-fetch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3221-1] node-cached-path-relative security update

2022-12-04 Thread Guilhem Moulin
-
Debian LTS Advisory DLA-3221-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/   Guilhem Moulin
December 05, 2022 https://wiki.debian.org/LTS
-

Package: node-cached-path-relative
Version: 1.0.1-2+deb10u1
CVE ID : CVE-2018-16472 CVE-2021-23518
Debian Bug : #1004338

Cristian-Alexandru Staicu discovered a prototype pollution vulnerability
in node-cached-path-relative, a Node.js module used to cache (memoize)
the result of path.relative.

CVE-2018-16472

An attacker controlling both the path and the cached value can
mount a prototype pollution attack and thus overwrite arbitrary
properties on Object.prototype, which may result in denial of
service.

CVE-2021-23518

The fix for CVE-2018-16472 was incomplete and other prototype
pollution vulnerabilities were found in the meantime, resulting in a
new CVE.

For Debian 10 buster, these problems have been fixed in version
1.0.1-2+deb10u1.

We recommend that you upgrade your node-cached-path-relative packages.

For the detailed security status of node-cached-path-relative please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-cached-path-relative

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3220-1] clamav new upstream version

2022-12-04 Thread Utkarsh Gupta
-
Debian LTS Advisory DLA-3220-1  debian-...@lists.debian.org
https://www.debian.org/lts/security/  Utkarsh Gupta
December 04, 2022   https://wiki.debian.org/LTS
-

Package: clamav
Version: 0.103.7+dfsg-0+deb10u1

ClamAV, an anti-virus utility for Unix, has been updated to v0.103.7, a
critical patch release with the following fixes:

* Fix logical signature "Intermediates" feature.
* Relax constraints on slightly malformed zip archives that contain
  overlapping file entries.

For Debian 10 buster, this new upstream version is available as
0.103.7+dfsg-0+deb10u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3219-1] jhead security update

2022-12-04 Thread Markus Koschany
-
Debian LTS Advisory DLA-3219-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
December 04, 2022 https://wiki.debian.org/LTS
-

Package: jhead
Version: 1:3.00-8+deb10u1
CVE ID : CVE-2021-34055 CVE-2022-41751
Debian Bug : 1024272 1022028

Jhead, a tool for manipulating EXIF data embedded in JPEG images, allowed
attackers to execute arbitrary OS commands by placing them in a JPEG filename
and then using the regeneration -rgt50, -autorot or -ce option. In addition, a
buffer overflow in exif.c has been addressed that could lead to a denial
of service (application crash).

For Debian 10 buster, these problems have been fixed in version
1:3.00-8+deb10u1.

We recommend that you upgrade your jhead packages.

For the detailed security status of jhead please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jhead

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

