[SECURITY] [DSA 5591-1] libssh security update

2023-12-28 Thread Salvatore Bonaccorso 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-5591-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 28, 2023 https://www.debian.org/security/faq
- -

Package: libssh
CVE ID : CVE-2023-6004 CVE-2023-6918 CVE-2023-48795
Debian Bug : 1059004 1059059 1059061

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that
the SSH protocol is prone to a prefix truncation attack, known as
the "Terrapin attack". This attack allows a MITM attacker to effect
a limited break of the integrity of the early encrypted SSH
transport protocol by sending extra messages prior to the
commencement of encryption, and deleting an equal number of
consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed
in version 0.9.8-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 0.10.6-0+deb12u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWNhadfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TR1w/+Mmnf9FXB5B5jQrYIpKB+7ksoXkhNRs92qXbM4SoMT9y8Kps2Ao4cyY7X
8S8eyzwSF1Q847Pb2yfmjQqFwonbjca+uSsvVfITYl0lwZpvV8vIdtZNbQmFp9l9
QTohScBg2xKrOZ/G9A3dih8vWAuvRwKq+5OqRyPt5cHGLZ9isyfF0ccsRvw41lbU
Uu0sfOZetfsDIT1F2Fg3hQW4LzMA1n3yrRMQkOH9iJtdubAoyRE5MzVQktG5FpyG
zcDD824k0vqAnKeulKhb8hf0vpkW2Ji1UDh3eFqoaYRppBFpNyOKSKP1m+pab6We
aUVpIIZhFFIKovR/ZE4LSpTPb8ZLSkrpBSadtxQ1GzCq8EYTfTABVd1weaxaHhZZ
ctrbXeY6EPwc2OQOOozCbyNERve1n5YqPiMfHEheDoaOkxMMB4fiNmXvveSq/eCN
EhSzCdXCl4Z0SKk71gnXUw7G832p2He/mzkVJqZlUusCOWflrUXZa/fcEO+CQNvU
ZRieJDmcXZDBlqC7HC9Khoonth5Gbst//UPL6zOYa2auJ+ftUZLvPeSGMrKdJ//0
CNiG/pWEBggHku+wocggj9ie00hpAltuv6d3nVzLDSNntcDzZ2KpUS6f0Vo8jfm9
PvJ4ymTrCDypWOVEmCPq4h68AFwv75q56lyhvPU0UxnW5524C/U=
=IV9+
-END PGP SIGNATURE-

[SECURITY] [DSA 5590-1] haproxy security update

2023-12-28 Thread Salvatore Bonaccorso 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-5590-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 28, 2023 https://www.debian.org/security/faq
- -

Package: haproxy
CVE ID : CVE-2023-40225 CVE-2023-45539
Debian Bug : 1043502

Several vulnerabilities were discovered in HAProxy, a fast and reliable
load balancing reverse proxy, which can result in HTTP request smuggling
or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.2.9-2+deb11u6.

For the stable distribution (bookworm), these problems have been fixed in
version 2.6.12-1+deb12u1.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWNbchfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0S/3g//a2z//lFBvMI5Awp2Sf/l4QEzwYffDa6V62Yjcryhv/+gpuDSNleuXFxu
7JuDQHZzUNi+Lv1HBO5F+393dwSGLDKrdFwOJO9NNknmja9cGZgJ69D1EjDxgRMT
RvTHm5T4rM6J/bdGF4z5c12TRtxQqhg3K+Eymvkv3DtSfMu/Nc5ePF9RXhiMk2U3
wj+7ftDLta54BkzksCrIajfbPHN7XeSGzzJ6CI+5v7aVXbllc74WUO5hF4c51Yev
+TrewQWOLg41LVXpk8SlEeGK3YN+JlQf+PtwRFlMeAeghwpGnEhm+0h5d/mg54Fe
Q3f4Kp46WJcPBJONn+M9nJzn6ujP99vtr3QA+mmJ+OPAUn8RLwUuLUKQdsN1PtNQ
ImJe5LMFUQhon53i4p9yN1jmJ19l1uKjI4IbZSp2NCYBzHNyP0gfKONrbhzfp0tr
WbxRCC+byMBNOSwiYdCw1Zo9602HP8AoOtJd9bVa4o74gC9a+pzieKqZX0hdjlfB
ynJHq2KgKsu/gTNctOexjCGlckQ3EGLqgXqLBF6tZpE1AR78bpyT+XTfYRaW7mwa
aAxsFDDVH757EsOqBnjKORdjlm/nLspAzoqxYSZfongjivXhYkCb27+jMizFOfjj
d454amXH8UGrqf8a32gCef6ph9CEkRkxoa5lxRZx55r7Ml0Msdk=
=69Rn
-END PGP SIGNATURE-