[SECURITY] [DLA 3443-1] wireshark security update

2023-06-03 Thread Adrian Bunk 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3443-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Adrian Bunk
June 03, 2023 https://wiki.debian.org/LTS
- -

Package: wireshark
Version: 2.6.20-0+deb10u7
CVE ID : CVE-2023-2856 CVE-2023-2858 CVE-2023-2879 CVE-2023-2952

Several vulnerabilities were fixed in the network traffic analyzer Wireshark.

CVE-2023-2856

VMS TCPIPtrace file parser crash

CVE-2023-2858

NetScaler file parser crash

CVE-2023-2879

GDSDB infinite loop

CVE-2023-2952

XRA dissector infinite loop

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u7.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAmR7al4ACgkQiNJCh6LY
mLFJAA/9ExrJ3MmOC50fnlIppkSDpLkd8Zgw4aYZgnl5bndRFidextFF2rAuCYdD
H0kGmBRaOUFl0saNdsUoMARgWTV+K8uY8pBy6xasTbDZhPxSPOfzTXAQUNlgtvg5
04BbiFHqkyn3KG8od2iMDLQz0SRJJCuQLLOMupS494hCm9S7YFPXJQIXR1V2ukaG
P9NFe84rGVbO7+5E5WkUDil1yhuy6uTXl3ja9mk26b6PUXL6W0Fp8iEE0yo/jz/h
5H6qS4t57x/NnKizUiPJNRhNE0rYGiSVumL3mn9U8KFtbUd3NpGVJlNfsTVQFqK9
WygUYg+YbdN7c8w3M1HBF+OKTj1o3h5/8yqbLQbDWjM+RxkOoXcmJKOFV/a/k8PN
Yet+YQHBAy5aJVftwJbTQGBGmelmgYBjt0rmQhYAjWLYC4ZIHA59PeSa5FlI4f7b
NzOB39Q0CrEws2tlK/pOVGjsPRCtG85FAI6ACD97VGRAqjdUPvkMRreQw1y1Ks+K
7BqeTUSoKwMYTHDk2+xc/J4iYE7C5kLGUeMrmGqqOaodP4MzuvJl4rowkTn/FWyX
3NowQuU+0famaLB0oaR0f+n47NzUqVySYsS32CYNbM3e5KA0xeHJLuHEbT+n1tLv
Ab8vAp4Gtm5YuxLxhZ1nD3WyR7hITYej7OGVt1UL/Oinl+dgkRo=
=0K2X
-END PGP SIGNATURE-

[SECURITY] [DLA 3442-1] nbconvert security update

2023-06-03 Thread Guilhem Moulin 
-
Debian LTS Advisory DLA-3442-1debian-...@lists.debian.org
https://www.debian.org/lts/security/   Guilhem Moulin
June 03, 2023 https://wiki.debian.org/LTS
-

Package: nbconvert
Version: 5.4-2+deb10u1
CVE ID : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.

When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).

  * GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  * GHSL-2021-1014: XSS in notebook.metadata.title;
  * GHSL-2021-1015: XSS in notebook.metadata.widgets;
  * GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  * GHSL-2021-1017: XSS in output data text/html cells;
  * GHSL-2021-1018: XSS in output data image/svg+xml cells;
  * GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  * GHSL-2021-1020: XSS in output data text/markdown cells;
  * GHSL-2021-1021: XSS in output data application/javascript cells;
  * GHSL-2021-1022: XSS in output.metadata.filenames image/png and
image/jpeg;
  * GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  * GHSL-2021-1024: XSS in output.metadata.width/height image/png and
image/jpeg;
  * GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+
json cells;
  * GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+
json cells;
  * GHSL-2021-1027: XSS in raw cells; and
  * GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/JavaScript and markdown cells should allow for arbitrary
JavaScript code execution.  These vulnerabilities are therefore left open
by default, but users can now opt-out and strip down all JavaScript
elements via a new HTMLExporter option `sanitize_html`.

For Debian 10 buster, this problem has been fixed in version
5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature