[SECURITY] [DLA 3378-1] duktape security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3378-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
April 01, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : duktape
Version        : 2.3.0-1+deb10u1
CVE ID         : CVE-2021-46322

An issue has been found in duktape, an embeddable JavaScript engine. It
was discovered that a specially crafted JS file could result in a SEGV
(segmentation fault) when stack limits are reached.

For Debian 10 buster, this problem has been fixed in version
2.3.0-1+deb10u1.

We recommend that you upgrade your duktape packages.

For the detailed security status of duktape please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/duktape

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmQnaWVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfKMQ/8C1GY4ueOUJoDAl7rcTnwPDRxKfDg7hszcn+SVDRzWzsvJz1O5SLkk4Op
G6UkQMCE8keIXxrCgCCjZ8jQIYvv0kKmyKsGIzPmzK/AFcrKoZTodaX4/ckz5WlN
rQQIXSJupNqsgEjAEfe5ZXZ+F4ntHGK+pfMQm7lNBYuuVCUVNCdti8JdDvpD+TrG
dlNyuyEmooAQahfMYMBxmg6E9UrtSSsPMWn6V/qm3AnOYz1CbrZWUqvoH8UC8evr
z89acj7EKqTh+Zc2Iq4dE3ixHyNdt77VvEhscoWKHiG7JMQXv3y7v/q/WTObrRNl
ErPf36JCEk9+HPTmVsUUhOapoJ1D5WeI6PR0Y2sE9LmT35vf09vaXKOl0i5yC229
vnyPuD/VFmQffWJYcC91ZForJJu2XlDbGgImcKSebsTEmq+HVUpsbQYQ8BDz6OCS
Zgg6X5mtA4A3Kg4JX0kC8/uTjmlMYbekf44z2XGHiWlZl4MI5SDecKviSBTogLrf
O92PYdrYwp6gS+k5ZAY6SzOZ30STbOPB6yLiGp1PG65wFY/6aR4pjStw0mu04x6v
Nqulzqvzt1B7wgZSsKdN0FVKMoOtys12cwCl8+7laJd8o73QQnIpY+lHHPmKuIgK
zr9JtURoRFd0ZLkuaOXg5bHF/Jz9pBvFIe4NnoGIj1KlmD0TnhM=
=PdOd
-----END PGP SIGNATURE-----
[SECURITY] [DLA 3377-1] systemd security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3377-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
March 31, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : systemd
Version        : 241-7~deb10u9
CVE ID         : CVE-2023-26604

Local privilege escalation for some sudo configurations has been fixed
in systemd, the default init system in Debian.

For Debian 10 buster, this problem has been fixed in version
241-7~deb10u9.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmQnSOQACgkQiNJCh6LY
mLHN4BAAqkkjvOaVNrQf4yvcK/nzdi2b/BB1vHfLxUNzaMjZDYDQcWuE7xl7fuOV
PnEEEnxOCJCbUfYuo/rEBRpFPQuBmeTbFvqKeoZibHhp3YXKrYOUan5PJBsUZVML
RkULZXX+LwJZo+cTJC/lhNgnzlbeGS5ylgTCVPMpzb52+usA5HgAv7fOfhy7ZqwH
fW33iq3ybRYmAPtjZiM2W427VuEDGJN4q8tyiTyLyg/oC+Od/yLvku5lJBqsXJvj
yuSXpn1QPnmRjDmOOjn2ZUzdF+lkiDqFpe1iKPWiZ7ShRZwBLj78kOKf+PF3IPnp
OPTiWIJvfZ4rMQk3pnrhG3APn0YmVe83mQf23LMXPYRkjTfRQgyiuzEZb0+/DWbX
fodOcvR7CP/VAt7wtE3vutnWeTSHlQibgroJMt8ylnK7iM+USAPcDZVQh4eTFyIw
IZ912HvPEG29UbIjyRmsXoLiv+iYfSJhnCBB0LI6ja8FaWEMKwgL390leEywROOD
WcCo4yu9KxbZR4m4lQFEaU0PNB6bjy/IN0JKFXYmmpeBzPnTDL0rFDyOWcpAC9Q1
O5Kw8TOpJ06zodJrZD0skDaDVkxheD9Lq9CRicIfhuRsejiluxa/GLS1quqtIa91
OUEFJhkCs3d3x0tWKyIZXLkRF3Q5AJJefjgvuNylyr2SYw8gG3c=
=WI01
-----END PGP SIGNATURE-----
[SECURITY] [DLA 3375-1] xrdp security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3375-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
March 31, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : xrdp
Version        : 0.9.9-1+deb10u3
CVE IDs        : CVE-2022-23480 CVE-2022-23481 CVE-2022-23482
Debian Bug     : 1025879

It was discovered that there were a number of vulnerabilities in the
xrdp Remote Desktop Protocol (RDP) server:

 * CVE-2022-23480: Prevent a series of potential buffer overflow
   vulnerabilities in the devredir_proc_client_devlist_announce_req()
   function.

 * CVE-2022-23481: Fix an out-of-bounds read vulnerability in the
   xrdp_caps_process_confirm_active() function.

 * CVE-2022-23482: Fix an out-of-bounds read vulnerability in the
   xrdp_sec_process_mcs_data_CS_CORE() function.

For Debian 10 buster, these problems have been fixed in version
0.9.9-1+deb10u3.

We recommend that you upgrade your xrdp packages.

For the detailed security status of xrdp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xrdp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmQm1dsACgkQHpU+J9Qx
HljlcRAAtl6O9oCk8zzqPWgTC5H+I6/Ro+FW8UNEdLlVBa/tenj3TADFr30faeJZ
vhqUCFx0ncaZRkmnNvT8Tyhi56E/NSFF8qCag7bnq0QrOAF24Ao/0y34K/vMXbTd
P3xJnD8cbJws0TOwiKCUU5pRPxeRK+bZlvZy5TFs5VggU7p4u+obRZrsavgS0dbG
xW8MF4UFvAG1g+N34VExzY5T/t9vG/xJjnV662az+h/xSdDuCzup8RGpa1Kvh+5H
FmLZUY7J3DJTehKP2bp1kuOPEkYy2i6xB8AklqCpnh9QdR7ECo6VzH945tz4p9u4
qbEow4joMmtykvhMs+imOIf4AoOulpbi6EZnZ3fGO1zXjAH4EaSB+YCnG2VOnp1q
7LrOx0aQ1e5GA3EaEWrXaeh0zMc2c9L7xDA7D8lgHuV3RsqATp3KsOiEH6WF81rt
NugP87L4X802FudOi7Hzf23+ToMsX/ofzQl2NVHE9QI8fw85KhEWlz4OmXfAcXrR
9z5FSKb+bpL1hCYokB2tv7Ey8UAsZeE2RNUvPgpdLcZ8MOqtUXVexghSh9lPQ+js
N5lPBz2pu3OdtefIZU2bZfd5ZQLjI8gqfS9Y1TOXLrirh6kYgn0SjGiteQFKuod4
ym04jEuzJpicFqH03vgIYVN6EI2+/yUKdNKnZKQqSiIvDNIvu/8=
=uBP0
-----END PGP SIGNATURE-----
[SECURITY] [DLA 3373-1] json-smart security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3373-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
March 30, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : json-smart
Version        : 2.2-2+deb10u1
CVE ID         : CVE-2021-31684 CVE-2023-1370
Debian Bug     : 1033474

Multiple vulnerabilities were found in the json-smart library.
Json-smart is a performance-focused JSON processor library written in
Java.

CVE-2021-31684

    A vulnerability was discovered in the indexOf function of
    JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes
    a denial of service (DoS) via, for instance, a crafted web request.

CVE-2023-1370

    A stack overflow was found due to excessive recursion. When reaching
    a '[' or '{' character in the JSON input, the code parses an array
    or an object respectively. It was discovered that the code does not
    have any limit on the nesting of such arrays or objects. Since nested
    arrays and objects are parsed recursively, nesting too many of them
    can exhaust the stack (stack overflow) and crash the software.

For Debian 10 buster, these problems have been fixed in version
2.2-2+deb10u1.

We recommend that you upgrade your json-smart packages.

For the detailed security status of json-smart please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/json-smart

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmQmk7kACgkQADoaLapB
CF+PARAApnmlYJnlvax9UUpjy4b3G3ZHnRJ9TWRlWs4FVNgiexFTbAQFAPYu/Y5U
y+HnmXVMm09uUhBfHL4ApOASwAaAiRSFja9vK5EMuxM3c75RF2uTFF/MtxHwdAht
oiw+VYIH/jhF+wSp5RB9VKSUVe00mU65umYJncW6H+nKVKqbtKeSFzOYu4+DQ72E
IslBwyC24xrTR9wU99F01miM6xdxBTevlLim3nlfP9HqWaE1ThdbmQbW7ZWZaL6D
ApycKSP1fA+R+sv8MmYegjhSoTkpk56Nt9p4oMA0CXMvRbONUwsqZNmPEoyW/tma
AtLHQZl8aOp/WrRhbS9LNupqrkbSQ81FfvZzf0axdat79dEwLGkLn2utwvaZ//AS
a5ly6KRNJKueV7V0q5vjP5LlL95Mk4hLZikXsY+cO7akj1NrHHq3GKWiAayU+U7F
dwaF/j0EfZvkeuMvIjYhYjbIy4e4xXobAuFphdxQ2ODheYPKQf9s7U4SZsvBWszf
P5CSaHLR8TtmpYdjYTNgY7k3fCIVu5ehHZLSVmVGhrYDe/qy0m3y7AgLTccGKfHd
YczCzfZzKFsxXP6pBXJzGZWNfKlQly94TKa8G2oyYrIHxiFCTvqTgpzfaaAo/Tpy
geAfAENfddNLX01GHq9XNcK4zgITDSjRAwRnPJY7INZsCaTE2e8=
=cja+
-----END PGP SIGNATURE-----
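A worked illustration of the CVE-2023-1370 defect class and its mitigation, added to this archive page; it is not json-smart's code, and MAX_DEPTH, NestingTooDeep, BoundedParser and parse_bounded are names chosen for the example. It shows the two places a nesting limit belongs: an iterative pre-check that an application can run on untrusted input before handing it to any recursive parser (including an unpatched library it cannot change), and a depth counter inside the recursive parser itself, which is where the library-side fix goes.

```python
"""Depth-bounded JSON parsing: illustrative code for CVE-2023-1370, not json-smart's.
Recursive descent over '[' / '{' with no nesting limit exhausts the stack; bound it."""
import json

MAX_DEPTH = 64  # assumed policy value; size it to the documents you actually expect


class NestingTooDeep(ValueError):
    """Raised when '[' / '{' nesting exceeds the configured limit."""


def max_nesting_depth(text: str) -> int:
    """Deepest '[' / '{' nesting, computed iteratively (constant stack use)."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:  # brackets inside string literals do not count
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


class BoundedParser:
    """Minimal recursive-descent JSON parser; containers recurse, scalars use raw_decode."""

    def __init__(self, text: str, max_depth: int = MAX_DEPTH):
        self.text, self.pos, self.max_depth = text, 0, max_depth
        self.scalar = json.JSONDecoder().raw_decode  # strings, numbers, literals

    def parse(self):
        value = self._value(0)
        self._ws()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _ws(self):
        while self.text[self.pos : self.pos + 1] in (" ", "\t", "\r", "\n"):
            self.pos += 1

    def _peek(self) -> str:
        return self.text[self.pos : self.pos + 1]  # "" at end of input

    def _take(self) -> str:
        ch = self._peek()
        if not ch:
            raise ValueError("unexpected end of input")
        self.pos += 1
        return ch

    def _value(self, depth: int):
        self._ws()
        if self._peek() in ("[", "{"):
            # The check json-smart lacked: refuse to recurse past the limit.
            if depth >= self.max_depth:
                raise NestingTooDeep(f"nesting deeper than {self.max_depth}")
            return self._container(depth + 1)
        value, self.pos = self.scalar(self.text, self.pos)
        return value

    def _container(self, depth: int):
        closer = "]" if self._take() == "[" else "}"
        result = [] if closer == "]" else {}
        self._ws()
        if self._peek() == closer:  # empty container
            self._take()
            return result
        while True:
            if closer == "}":
                self._ws()
                if self._peek() != '"':
                    raise ValueError("object keys must be strings")
                key, self.pos = self.scalar(self.text, self.pos)
                self._ws()
                if self._take() != ":":
                    raise ValueError(f"expected ':' at offset {self.pos - 1}")
                result[key] = self._value(depth)
            else:
                result.append(self._value(depth))
            self._ws()
            sep = self._take()
            if sep == closer:
                return result
            if sep != ",":
                raise ValueError(f"expected ',' or '{closer}' at offset {self.pos - 1}")


def parse_bounded(text: str, max_depth: int = MAX_DEPTH):
    """Cheap non-recursive pre-check first, then the depth-counting parser."""
    if max_nesting_depth(text) > max_depth:
        raise NestingTooDeep(f"nesting exceeds limit {max_depth}")
    return BoundedParser(text, max_depth).parse()
```

The pre-check is the control to reach for when the parser is a third-party dependency: it costs one linear pass, uses no stack, and turns a potential process crash into an ordinary rejected request. Giving BoundedParser a very large max_depth reproduces the unbounded behaviour; in Python that surfaces as RecursionError rather than a segfault, but it is the same failure mode the advisory describes.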