[SECURITY] [DLA 3342-1] freeradius security update
- Debian LTS Advisory DLA-3342-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany February 24, 2023 https://wiki.debian.org/LTS - Package: freeradius Version: 3.0.17+dfsg-1.1+deb10u2 CVE ID : CVE-2022-41859 CVE-2022-41860 CVE-2022-41861 Several flaws were found in freeradius, a high-performance and highly configurable RADIUS server. CVE-2022-41859 In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack. CVE-2022-41860 In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the server to crash. CVE-2022-41861 A malicious RADIUS client or home server can send a malformed attribute which can cause the server to crash. For Debian 10 buster, these problems have been fixed in version 3.0.17+dfsg-1.1+deb10u2. We recommend that you upgrade your freeradius packages. For the detailed security status of freeradius please refer to its security tracker page at: https://security-tracker.debian.org/tracker/freeradius Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: This is a digitally signed message part
[SECURITY] [DLA 3341-1] curl security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian LTS Advisory DLA-3341-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Adrian Bunk February 24, 2023 https://wiki.debian.org/LTS - - Package: curl Version: 7.64.0-4+deb10u5 CVE ID : CVE-2023-23916 Debian Bug : 1031371 HTTP multi-header compression denial of service has been fixed in curl, a command line tool and library for transferring data with URLs. For Debian 10 buster, this problem has been fixed in version 7.64.0-4+deb10u5. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmP4nKwACgkQiNJCh6LY mLHRPhAArz0793ekL6VwFNcpFbPfRmM0YracDoKoF/6p3zrJ5QVNiFEGuAn1p5gB Gx8dk718Jdu4Ph+sMed48a5B1k1z8Qp4v9xNlt2B+aHFFQez5fkyP8ZyUAyhUaiu nzEbm2eAT5LsoI8URdwRpjDYnZj0IBYJu1jt38tqQoBzUikWV6eC3yeh9NYFUNYB ZYFqJi+bOOpsptLvUAfRXHXToC+7nmsBLQdWr3lrELWfwhhJD+HAU/YI5FaP6Fa5 f8AiVgvYAugoF1IQHuPpBepUwZOynYgTBTBffG3ca4NRsbfDt1Z9GL7Z0/q4rNNB J53eihMmPRzxVoODsuHtwRjGkMQXO/7YeVAfHbYCUwGut2haWRcW3SDf82kI36cF mFojO6cV7n37ylZ2C1XHFM23599DnTvGtVESBY5mpKkhrI7redTWl+BC8n8vuwfW 7bdvXr/0iO0UKBpdnPTyEqEhZ/y9gFnBTk1f0LezpJxa7DHvXmSSJ1c2FJWzRPsn fEPB16KG8x1qMoiDQgzp8KMDH1QCbRbO1phSnOGkDQH5eFmLdiOHADvIi0OwFttO kfupn4rhurXdaB8DHpkRfhlzOyFLGoPZ08FFoJcPBbqDm+IcSr3RSyiYN+FJD+SE PBv582qxKfboCkW99jcHIWfYg0P2rC12HkNpP2hemXhpzsQjI/s= =JgEq -END PGP SIGNATURE-