[SECURITY] [DLA 3475-1] trafficserver security update

2023-06-29 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3475-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 30, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: trafficserver
Version: 8.1.7-0+deb10u1
CVE ID : CVE-2022-47184 CVE-2023-30631 CVE-2023-33933
Debian Bug : 1038248

Several vulnerabilities were discovered in Apache Traffic Server,
a reverse and forward proxy server.

CVE-2022-47184

The TRACE method can be used to disclose network information.

CVE-2023-30631

Configuration option to block the PUSH method in ATS didn't work.

CVE-2023-33933

s3_auth plugin problem with hash calculation.

For Debian 10 buster, these problems have been fixed in version
8.1.7-0+deb10u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3474-1] systemd security update

2023-06-29 Thread Adrian Bunk

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3474-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
June 29, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: systemd
Version: 241-7~deb10u10
CVE ID : CVE-2022-3821
Debian Bug : 1021644

A buffer overrun in format_timespan() has been fixed
in systemd, the default init system in Debian.

Additionally, fixes for getting property OnExternalPower via D-Bus
and a memory leak on daemon-reload are also included.

For Debian 10 buster, this problem has been fixed in version
241-7~deb10u10.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3473-1] docker-registry security update

2023-06-29 Thread Bastien Roucaries

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3473-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
June 29, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: docker-registry
Version: 2.6.2~ds1-2+deb10u1
CVE ID : CVE-2023-2253
Debian Bug : 1035956

A flaw was found in the '/v2/_catalog' endpoint in 
'distribution/distribution', which accepts a parameter to control
the maximum number of records returned (query string: 'n').
This vulnerability allows a malicious user to
submit an unreasonably large value for 'n',
causing the allocation of a massive string array,
possibly causing a denial of service through excessive use of memory.

For Debian 10 buster, this problem has been fixed in version
2.6.2~ds1-2+deb10u1.

We recommend that you upgrade your docker-registry packages.

For the detailed security status of docker-registry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/docker-registry

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
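The bug class behind CVE-2023-2253 (a client-supplied page size used directly as an allocation size) is easy to reproduce in miniature. The following is an added Go example, not code from distribution/distribution or from the Debian package: the handler shape, the page-size limits (100 default, 1000 maximum) and the sample repository names are all constructed for illustration. It puts the weak parser beside the hardened one and shows how much memory make([]string, n) would reserve for an attacker-chosen n.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"unsafe"
)

// Assumed limits for this example; the real registry's values may differ.
const (
	defaultPageSize = 100
	maxPageSize     = 1000
)

// Constructed sample data standing in for a registry's repository names.
var sampleRepos = []string{"team/api", "team/web", "team/worker"}

// pageSizeUnchecked reproduces the weak pattern: whatever the client sends
// as n is trusted as-is and later used to size an allocation.
func pageSizeUnchecked(raw string) (int, error) {
	if raw == "" {
		return defaultPageSize, nil
	}
	return strconv.Atoi(raw)
}

// pageSizeChecked is the hardened form: reject unparsable or non-positive
// values and clamp anything above maxPageSize.
func pageSizeChecked(raw string) (int, error) {
	if raw == "" {
		return defaultPageSize, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n <= 0 {
		return 0, errors.New("n must be a positive integer")
	}
	if n > maxPageSize {
		n = maxPageSize
	}
	return n, nil
}

// plannedAllocationBytes is the size of the backing array that
// make([]string, 0, n) reserves: one string header per element.
func plannedAllocationBytes(n int) uint64 {
	return uint64(n) * uint64(unsafe.Sizeof(""))
}

// catalogHandler serves a /v2/_catalog-style listing. The page-size policy
// is injected so the weak and hardened variants can be compared.
func catalogHandler(repos []string, pageSize func(string) (int, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		n, err := pageSize(r.URL.Query().Get("n"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// This is the allocation that the unchecked variant leaves attacker-sized.
		page := make([]string, 0, n)
		for i := 0; i < len(repos) && i < n; i++ {
			page = append(page, repos[i])
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string][]string{"repositories": page})
	}
}

// requestCatalog drives a handler in-process and returns the HTTP status
// and the repositories it listed (nil on an error response).
func requestCatalog(h http.Handler, n string) (int, []string) {
	req := httptest.NewRequest(http.MethodGet, "/v2/_catalog?n="+n, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var body struct {
		Repositories []string `json:"repositories"`
	}
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return rec.Code, body.Repositories
}

func main() {
	hardened := catalogHandler(sampleRepos, pageSizeChecked)
	for _, n := range []string{"2", "-1", "1000000000"} {
		code, repos := requestCatalog(hardened, n)
		fmt.Printf("n=%s -> %d %v\n", n, code, repos)
	}
	// The unchecked parser accepts the same n and would try to reserve this much.
	n, _ := pageSizeUnchecked("1000000000")
	fmt.Printf("unchecked n=%d would reserve %d bytes\n", n, plannedAllocationBytes(n))
}
```

The hardened handler is only ever wired with pageSizeChecked; the unchecked parser is kept for comparison and never handed to catalogHandler in main, since with n=1000000000 the make call alone would try to reserve about 16 GiB on a 64-bit host. Clamping rather than rejecting large values matches how a paginated listing API is normally expected to behave: the client still gets a page, just no larger than the server is willing to build.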