[SECURITY] [DLA 3784-1] libcaca security update

2024-04-07 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3784-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
April 07, 2024                                https://wiki.debian.org/LTS
- -

Package: libcaca
Version: 0.99.beta19-2.1+deb10u1
CVE ID : CVE-2021-30498 CVE-2021-30499


Two issues have been found in libcaca, a colour ASCII art library.
Both are related to heap buffer overflow, which might lead to memory 
corruption.



For Debian 10 buster, these problems have been fixed in version
0.99.beta19-2.1+deb10u1.

We recommend that you upgrade your libcaca packages.

For the detailed security status of libcaca please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcaca

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3781-1] libgd2 security update

2024-04-06 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3781-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
April 07, 2024                                https://wiki.debian.org/LTS
- -

Package: libgd2
Version: 2.2.5-5.2+deb10u1
CVE ID : CVE-2018-14553 CVE-2021-38115 CVE-2021-40812


Several issues have been found in libgd2, a GD Graphics Library.
They are related to out-of-bounds reads or NULL pointer dereference allowing
denial of service attacks.



For Debian 10 buster, these problems have been fixed in version
2.2.5-5.2+deb10u1.

We recommend that you upgrade your libgd2 packages.

For the detailed security status of libgd2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgd2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: bind9 LTS

2024-03-31 Thread Thorsten Alteholz



On 31.03.24 15:51, Sean Whitton wrote:

Finally, do you have any notes on testing?


I couldn't run the testsuite during package build, so I created a Jessie 
and Stretch VM, ran the network configure script and manually started 
the testsuite.


   Thorsten


[SECURITY] [DLA 3770-1] libnet-cidr-lite-perl security update

2024-03-23 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3770-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
March 23, 2024                                https://wiki.debian.org/LTS
- -

Package: libnet-cidr-lite-perl
Version: 0.21-2+debu10u1
CVE ID : CVE-2021-47154


An issue has been found in libnet-cidr-lite-perl, a module for merging 
IPv4 or IPv6 CIDR address ranges.


Extraneous zero characters at the beginning of an IP address string
might allow attackers to bypass access control that is based on IP 
addresses.


Please check whether your application accidentally accepts such leading 
zero characters (which are normally meant to indicate octal numbers).
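The following C program is an added example; it is not part of the advisory and not code from the Net::CIDR::Lite module. It shows the check the advisory asks for: a strict dotted-quad parser that rejects a leading zero in any octet, next to a model of the lenient C-library style of parsing (strtoul with base 0, which reads "010" as octal 8, as inet_aton() does). Function names and the sample addresses are constructed for illustration.

```c
/* Added example, not from the advisory or from Net::CIDR::Lite. Strict IPv4
 * parsing that refuses leading zeros, beside a lenient parser that accepts
 * them as octal, to show how two components can disagree on one string. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse "a.b.c.d" strictly: exactly four decimal octets 0..255, no leading
 * zeros, no trailing text. Returns 1 and fills *out (host byte order) on
 * success, 0 on rejection. */
int ipv4_parse_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    for (int octet = 0; octet < 4; octet++) {
        if (*s < '0' || *s > '9')
            return 0;                         /* every octet starts with a digit */
        if (*s == '0' && s[1] >= '0' && s[1] <= '9')
            return 0;                         /* "010", "00": leading zero */
        unsigned value = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (unsigned)(*s - '0');
            if (value > 255 || ++digits > 3)
                return 0;                     /* out of range */
            s++;
        }
        addr = (addr << 8) | value;
        if (octet < 3) {
            if (*s != '.')
                return 0;
            s++;
        }
    }
    if (*s != '\0')
        return 0;                             /* trailing junk */
    *out = addr;
    return 1;
}

/* Convenience wrapper: the address as a number, or -1 if rejected. */
long long ipv4_strict_value(const char *s)
{
    uint32_t a;
    return ipv4_parse_strict(s, &a) ? (long long)a : -1;
}

/* Simplified model of an inet_aton()-style parser for the four-part form:
 * strtoul with base 0 accepts decimal, octal ("010") and hex ("0xa").
 * Returns the address as a number, or -1 if a part does not parse. */
long long ipv4_lenient_value(const char *s)
{
    uint32_t addr = 0;
    for (int octet = 0; octet < 4; octet++) {
        char *end;
        unsigned long v = strtoul(s, &end, 0);
        if (end == s || v > 255)
            return -1;
        addr = (addr << 8) | (uint32_t)v;
        if (octet < 3) {
            if (*end != '.')
                return -1;
            s = end + 1;
        } else if (*end != '\0') {
            return -1;
        }
    }
    return (long long)addr;
}

int main(void)
{
    /* constructed sample inputs, including the leading-zero case */
    const char *samples[] = { "10.0.0.1", "010.0.0.1", "0.0.0.0", "1.2.3.256", "10.0.0" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s strict=%lld lenient=%lld\n", samples[i],
               ipv4_strict_value(samples[i]), ipv4_lenient_value(samples[i]));
    return 0;
}
```

The point of running both parsers on "010.0.0.1" is that the strict one rejects it while the lenient one yields 8.0.0.1: an access-control list built from one interpretation and matched with the other is exactly the bypass the advisory describes, so the string should be rejected before it reaches any CIDR matching.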



For Debian 10 buster, this problem has been fixed in version
0.21-2+debu10u1.

We recommend that you upgrade your libnet-cidr-lite-perl packages.

For the detailed security status of libnet-cidr-lite-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libnet-cidr-lite-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: Help

2024-03-22 Thread Thorsten Alteholz

can you please be a bit more verbose about what help you need?

  Thorsten



Re: Security releases for ecosystems that use static linking

2024-03-18 Thread Thorsten Alteholz




On Mon, 18 Mar 2024, Emilio Pozuelo Monfort wrote:

One solution which has been discussed in the past is to import a full copy
of stable towards stable-security at the beginning of each release cycle,
but that is currently not possible since security-master is a Ganeti VM
and the disk requirements for a full archive copy would rather require
a baremetal host.



(... suggestion of Emilio ...)


Thoughts?


The idea is nice, but needs someone to implement it.

Anyway, the problem is not really new. For many years, not to say 
decades, I have heard that there is not enough space on security-master.

I also hear that Debian has so much money and problems spending it.
So why not solve this problem by buying new hardware? This cannot be that 
difficult. Is there any reason why security-master needs to be a Ganeti 
VM?


  Thorsten



[SECURITY] [DLA 3741-1] engrampa security update

2024-02-26 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3741-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
February 26, 2024                             https://wiki.debian.org/LTS
- -

Package: engrampa
Version: 1.20.2-1+deb10u1
CVE ID : CVE-2023-52138


It was discovered that engrampa, an archive manager for the MATE
desktop environment was susceptible to path traversal when handling
CPIO archives.
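The following C program is an added example; it is not engrampa's code and not part of the advisory. It shows the lexical check an archive extractor needs before joining an entry name from a CPIO (or any other) archive to the destination directory: reject absolute names and any ".." component. Function names, the destination directory and the sample entries are constructed.

```c
/* Added example, not engrampa's code: reject archive entry names that would
 * land outside the extraction directory. */
#include <stdio.h>
#include <string.h>

/* Return 1 if an archive entry name can only land inside the extraction
 * directory, 0 otherwise. Purely lexical: it does not follow symlinks, so a
 * real extractor must additionally refuse to write through links it created
 * earlier (e.g. open each component with O_NOFOLLOW via openat). */
int archive_entry_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')
        return 0;                               /* absolute path */
    const char *p = name;
    while (*p != '\0') {
        const char *end = p;
        while (*end != '\0' && *end != '/')
            end++;                              /* find end of this component */
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;                           /* ".." escapes the directory */
        p = (*end == '/') ? end + 1 : end;
    }
    return 1;
}

/* Join dest and entry into out. Returns 1 on success, 0 if the entry was
 * rejected or the result would not fit in out. */
int join_under(const char *dest, const char *entry, char *out, size_t outsz)
{
    if (!archive_entry_is_safe(entry))
        return 0;
    int n = snprintf(out, outsz, "%s/%s", dest, entry);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* constructed sample entries, as they might appear in a CPIO listing */
    const char *entries[] = {
        "docs/readme.txt", "a/./b", "..hidden/file",
        "../../etc/passwd", "etc/../../x", "/etc/passwd",
    };
    char path[256];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        if (join_under("/tmp/extract", entries[i], path, sizeof path))
            printf("ok      %-20s -> %s\n", entries[i], path);
        else
            printf("REJECT  %s\n", entries[i]);
    }
    return 0;
}
```

Note that "..hidden/file" is accepted: the check is on whole path components, not on the substring "..", so legitimate names are not rejected while "etc/../../x" still is.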


For Debian 10 buster, this problem has been fixed in version
1.20.2-1+deb10u1.

We recommend that you upgrade your engrampa packages.

For the detailed security status of engrampa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/engrampa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3739-1] libjwt security update

2024-02-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3739-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
February 24, 2024                             https://wiki.debian.org/LTS
- -

Package: libjwt
Version: 1.10.1-1+deb10u1
CVE ID : CVE-2024-25189


An issue has been found in libjwt, a C library to handle JWT (JSON Web 
Token). Because signatures are compared with strcmp(), which does not run 
in constant time, a timing side-channel attack might be possible.
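The following C program is an added example; it is not libjwt's code and not part of the advisory. It shows why strcmp() on a signature leaks timing, measures the quantity that leaks (how many bytes are examined before the comparison can stop), and gives the constant-time comparison that avoids it. Function names and the sample signature values are constructed.

```c
/* Added example, not libjwt's code: early-exit comparison vs. constant-time
 * comparison of a MAC/signature. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: strcmp() returns at the first differing byte, so the
 * time it spends grows with the length of the matching prefix. */
int sig_equal_leaky(const char *expected, const char *provided)
{
    return strcmp(expected, provided) == 0;
}

/* How many bytes strcmp() examines before it can decide: this is the quantity
 * an attacker can measure, recovering one correct byte of prefix at a time. */
size_t leaky_bytes_examined(const char *expected, const char *provided)
{
    size_t i = 0;
    while (expected[i] != '\0' && expected[i] == provided[i])
        i++;
    return i + 1;                       /* the byte at index i decides */
}

/* Hardened: XOR every byte and OR the results together, so the work done is
 * the same whether the inputs differ at byte 0 or at the last byte. The loop
 * bound is the expected length, which for a fixed-size MAC (32 bytes for
 * HS256) is public, not secret. A length mismatch is folded into the result
 * instead of being an early return. */
int sig_equal_ct(const unsigned char *expected, size_t expected_len,
                 const unsigned char *provided, size_t provided_len)
{
    unsigned char diff = (unsigned char)(expected_len != provided_len);
    for (size_t i = 0; i < expected_len; i++) {
        unsigned char p = (i < provided_len) ? provided[i] : 0;
        diff |= (unsigned char)(expected[i] ^ p);
    }
    return diff == 0;
}

int main(void)
{
    /* constructed 8-byte "signature" and two guesses */
    const char *real = "a1b2c3d4";
    const char *bad_first = "x1b2c3d4";
    const char *good_prefix = "a1b2c3dX";
    printf("strcmp examines %zu bytes for %s, %zu bytes for %s\n",
           leaky_bytes_examined(real, bad_first), bad_first,
           leaky_bytes_examined(real, good_prefix), good_prefix);
    printf("constant-time: real=%d good_prefix=%d\n",
           sig_equal_ct((const unsigned char *)real, 8,
                        (const unsigned char *)real, 8),
           sig_equal_ct((const unsigned char *)real, 8,
                        (const unsigned char *)good_prefix, 8));
    return 0;
}
```

The fix in this class of bug is always the same shape: compare the full length unconditionally and derive the verdict from an accumulated difference, never from the position of the first mismatch. Compilers can still optimise such loops in surprising ways, so production code should use a library routine written for this purpose rather than hand-rolled comparisons.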



For Debian 10 buster, this problem has been fixed in version
1.10.1-1+deb10u1.

We recommend that you upgrade your libjwt packages.

For the detailed security status of libjwt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libjwt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3726-1] bind9 security update

2024-01-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3726-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
January 30, 2024                              https://wiki.debian.org/LTS
- -

Package: bind9
Version: 1:9.11.5.P4+dfsg-5.1+deb10u10
CVE ID : CVE-2023-3341


An issue has been discovered in BIND, a DNS server implementation.

A stack exhaustion flaw was discovered in the control channel code
which may result in denial of service (named daemon crash).


For Debian 10 buster, this problem has been fixed in version
1:9.11.5.P4+dfsg-5.1+deb10u10.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3700-1] cjson security update

2023-12-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3700-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
December 30, 2023                             https://wiki.debian.org/LTS
- -

Package: cjson
Version: 1.7.10-1.1+deb10u2
CVE ID : CVE-2023-50471


An issue has been found in cjson, an ultralightweight JSON parser in ANSI 
C. The issue is related to a segmentation violation in function 
cJSON_InsertItemInArray().



For Debian 10 buster, this problem has been fixed in version
1.7.10-1.1+deb10u2.

We recommend that you upgrade your cjson packages.

For the detailed security status of cjson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cjson

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3699-1] libde265 security update

2023-12-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3699-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
December 30, 2023                             https://wiki.debian.org/LTS
- -

Package: libde265
Version: 1.0.11-0+deb10u6
CVE ID : CVE-2023-49465 CVE-2023-49467 CVE-2023-49468


Three issues have been found in libde265, an open H.265 video codec 
implementation. All issues are related to heap-buffer-overflow or global 
buffer overflow in different functions.



For Debian 10 buster, these problems have been fixed in version
1.0.11-0+deb10u6.

We recommend that you upgrade your libde265 packages.

For the detailed security status of libde265 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libde265

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3686-2] xorg-server security update

2023-12-17 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3686-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
December 17, 2023                             https://wiki.debian.org/LTS
- -

Package: xorg-server
Version: 2:1.20.4-1+deb10u12
CVE ID : CVE-2023-6377


The initial fix for CVE-2023-6377 as applied in DLA 3686-1 did not fully
fix the vulnerability. Updated packages correcting this issue including
the upstream merged commit are now available.


For Debian 10 buster, this problem has been fixed in version
2:1.20.4-1+deb10u12.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3686-1] xorg-server security update

2023-12-13 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3686-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
December 13, 2023                             https://wiki.debian.org/LTS
- -

Package: xorg-server
Version: 2:1.20.4-1+deb10u11
CVE ID : CVE-2023-6377 CVE-2023-6478


Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.


For Debian 10 buster, these problems have been fixed in version
2:1.20.4-1+deb10u11.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: Pkg sponsorship needed with LTS upload: curl/7.64.0-4+deb10u8

2023-12-10 Thread Thorsten Alteholz

Hi,

On 10.12.23 17:11, Boyuan Yang wrote:

Looking at https://lts-team.pages.debian.net/wiki/Development.html , it seems
that only CVE-related bugs or major bugs are actively handled. Now I am
wondering (1) if the current non-CVE bugfix would qualify for a separate
package upload in Debian Buster via LTS Team, and (2) if anyone would review
the changes attached and have it uploaded into the archive.


this bug surely does not warrant an extra LTS upload. But I added a note 
to curl in dla-needed.txt and #926148 might be fixed in combination with 
the next DLA.




If this bugfix is fixed and uploaded within 7 days, I am willing to pay a one-
time USD 100 to the personal account, or (at your preference) a 1-year USD 300
(or equivalent)-level subscription to the affiliated LTS/ELTS-related company
for the person's bugfix work.


It makes me wonder why this bugfix is of such a value ...

  Thorsten



Re: About urlview?

2023-12-05 Thread Thorsten Alteholz

Hi Chime,

On 05.12.23 17:13, Chime Hart wrote:
Hi All: Maybe I should ask this in Debian Accessibility, but I notice 
in Debian SID, in the last 2 days or so since urlview got updated, its layout 
when finding matches is different. 


urlview got a new maintainer/upstream (in CC:) and development picked up 
pace again. Probably something broke ...
Anyway, this mailing list is more about the older versions of Debian and 
not the bleeding edge.


  Thorsten


Original report left for nabijaczlew...@nabijaczleweli.xyz:
I am using it with L Y N X  but now it's landing on a blank line 
instead of a match from a search. Something else I've noticed for a lot 
longer: when hitting a slash to search, I must hit a backspace, 
otherwise there is a capital P. I wish I could mention an exact 
version number but there seems to be no command for that. Urlview has been 
quite useful for myself for probably more than 10 years; it sure beats 
manually looking in source code and having to cut and paste. If you 
would rather, I could write a name listed in a man page? Thanks so 
much in advance

Chime





[SECURITY] [DLA 3673-1] gst-plugins-bad1.0 security update

2023-11-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3673-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
November 28, 2023                             https://wiki.debian.org/LTS
- -

Package: gst-plugins-bad1.0
Version: 1.14.4-1+deb10u5
CVE ID : CVE-2023-6


An issue has been found in gst-plugins-bad1.0, which contains several 
GStreamer plugins from the "bad" set.
The issue is related to use-after-free of some pointers within the MXF 
demuxer.



For Debian 10 buster, this problem has been fixed in version
1.14.4-1+deb10u5.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3670-1] minizip security update

2023-11-27 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3670-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
November 28, 2023                             https://wiki.debian.org/LTS
- -

Package: minizip
Version: 1.1-8+deb10u1
CVE ID : CVE-2023-45853


An issue has been found in minizip, a compression library.
When using long filenames, an integer overflow might happen, which results 
in a heap-based buffer overflow in zipOpenNewFileInZip4_64().
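The following C program is an added example; it is not minizip's code and does not reproduce the exact patch. It models the failure class the advisory names: a ZIP local file header stores the file name length in a 16-bit field, so a name longer than 65535 bytes cannot be described by it. If the header buffer is sized from the narrowed 16-bit value but the name is copied using its full length, the copy runs past the allocation. All function names are constructed.

```c
/* Added example, not minizip's code: length narrowing when sizing a ZIP
 * local file header, and the check that prevents it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOCAL_HEADER_FIXED 30   /* bytes before the variable-length name */

/* Vulnerable sizing: the length is narrowed to 16 bits before the allocation
 * size is computed, so 70000 becomes 4464 and the buffer is far too small. */
size_t header_size_truncating(size_t name_len)
{
    uint16_t field = (uint16_t)name_len;
    return LOCAL_HEADER_FIXED + field;
}

/* 1 if copying name_len bytes into a buffer sized by the truncating
 * computation would overrun it. */
int copy_would_overflow(size_t name_len)
{
    return name_len > header_size_truncating(name_len) - LOCAL_HEADER_FIXED;
}

/* Hardened sizing: refuse any name that does not fit the on-disk field.
 * Returns 0 to signal rejection. */
size_t header_size_checked(size_t name_len)
{
    if (name_len > UINT16_MAX)
        return 0;
    return LOCAL_HEADER_FIXED + name_len;
}

/* Build a minimal local header (signature, name length, name) with the
 * checked size. Returns NULL if the name is too long or allocation fails. */
unsigned char *build_local_header(const char *name, size_t *out_len)
{
    size_t name_len = strlen(name);
    size_t total = header_size_checked(name_len);
    if (total == 0)
        return NULL;
    unsigned char *h = calloc(total, 1);
    if (h == NULL)
        return NULL;
    h[0] = 'P'; h[1] = 'K'; h[2] = 3; h[3] = 4;          /* local header signature */
    h[26] = (unsigned char)(name_len & 0xff);            /* name length, little-endian */
    h[27] = (unsigned char)((name_len >> 8) & 0xff);
    memcpy(h + LOCAL_HEADER_FIXED, name, name_len);      /* fits: total covers it */
    *out_len = total;
    return h;
}

/* Round trip: build a header for a name of n 'a's and read the length field
 * back. Returns the field value, or -1 if the name was rejected. */
long long roundtrip_name_len(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL)
        return -1;
    memset(name, 'a', n);
    name[n] = '\0';
    size_t total = 0;
    unsigned char *h = build_local_header(name, &total);
    free(name);
    if (h == NULL)
        return -1;
    long long field = h[26] | (h[27] << 8);
    free(h);
    return field;
}

int main(void)
{
    size_t lens[] = { 100, 65535, 70000 };   /* constructed name lengths */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name length %zu: truncating size %zu (overflow=%d), "
               "checked size %zu, roundtrip %lld\n",
               lens[i], header_size_truncating(lens[i]), copy_would_overflow(lens[i]),
               header_size_checked(lens[i]), roundtrip_name_len(lens[i]));
    return 0;
}
```

The general rule this illustrates: whenever a length is about to be stored in a narrower on-disk or on-wire field, validate it against that field's maximum before it is used for any allocation or copy, and make the allocation and the copy use the same variable.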



For Debian 10 buster, this problem has been fixed in version
1.1-8+deb10u1.

We recommend that you upgrade your minizip packages.

For the detailed security status of minizip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/minizip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmVlIt1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEc5lRAAwTs0N/HIAe7uabUjGi3Vllm3OlDiKcYOSW8NkB8WEk76kIF2MSO9GK0b
YXDVaeOgcjUbNcwPtmevHANlW7tJ2vVVJ078l77cYr/Rgbc8FknuUmlY4gDAyKih
ZNZiP3h+/NgthdVd1eVKMi5ghKKpH2LdVHGZ7uk5cCmn2YoC/+GrtUdcPvUVqReM
u8ze0+BgDOXGYqDqWSO/KyFf86ocRloqKZtxgDzZ8hBtKU2FZjvNjUfmOIvsbp+M
3Ch9yMvg1nL01rDK8Fm7FGCTOfVMkOgu3w/uZAUjaYg7d5S7hdXkQy8lRSyGlXbw
0SvGv2mtouG2ba9DbHP11c+h2zYv8IdTpl8qMVY8d0c8WaR9p/vTZba7KYicGquG
pNgZI6Gp4moqhS+uG3HUUesKegwuruFzxabxysgiVdXZ+jqmtAGuiATC7KcgDLbl
UmbNQcoFfcZV/22i3oLBGoCC5TmzUdOskm9AvoPILqiDun7B+O7werawIM8VlsRC
hhm9qI8ihNxrTm4E41W1bBO8J5f4SshjrjALVAVXBYRXGJqsRR3owvPA3UZNdqSG
eF+kxVPgUTJgp/Ibm136/ypJ4M2DsucpmoXsbAYH91HYWVDx91oBlHO28bPpe0RJ
4G7nvr+vytBJjfSSrjW+N8SeOJyKLMqptLiUcB6mrw9Tyq/9Wxw=
=Q4Bp
-END PGP SIGNATURE-



[SECURITY] [DLA 3633-1] gst-plugins-bad1.0 security update

2023-10-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3633-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
October 28, 2023                              https://wiki.debian.org/LTS
- -

Package: gst-plugins-bad1.0
Version: 1.14.4-1+deb10u4
CVE ID : CVE-2023-40474 CVE-2023-40475 CVE-2023-40476


Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.


For Debian 10 buster, these problems have been fixed in version
1.14.4-1+deb10u4.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3631-1] xorg-server security update

2023-10-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3631-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
October 25, 2023                              https://wiki.debian.org/LTS
- -

Package: xorg-server
Version: 2:1.20.4-1+deb10u10
CVE ID : CVE-2023-5367 CVE-2023-5380


Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,
which may result in privilege escalation if the X server is running
privileged.


For Debian 10 buster, these problems have been fixed in version
2:1.20.4-1+deb10u10.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3615-1] libcue security update

2023-10-11 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3615-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
October 12, 2023                              https://wiki.debian.org/LTS
- -

Package: libcue
Version: 2.2.1-2+deb10u1
CVE ID : CVE-2023-43641


Kevin Backhouse discovered an out-of-bounds array access in Libcue, a
library for parsing CD metadata, which could result in the execution of
arbitrary code.


For Debian 10 buster, this problem has been fixed in version
2.2.1-2+deb10u1.

We recommend that you upgrade your libcue packages.

For the detailed security status of libcue please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcue

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: Ring

2023-10-10 Thread Thorsten Alteholz




On 10.10.23 11:53, Bastien Roucariès wrote:



All of that said, it is interesting to me that fairly recently (at the
end of August) the ring package in buster was updated to fix 23 CVEs,
but this particular CVE was left open. Perhaps it would be worthwhile to
find out from Thorsten (who prepared the most recent update) why that
decision was made.

Thorsten, could you hint us about this bug on buster?


On the one hand the fix for the other CVEs took quite some time and on 
the other hand the patch for this CVE didn't look that easy, so I 
uploaded with the last CVE left open.
It is "just" a DoS and a rather old CVE, so I was afraid that my patch 
would do more damage than good. Moreover I am not an openssl expert, so 
we are where we are now.


  Thorsten



[SECURITY] [DLA 3594-1] cups security update

2023-09-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3594-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
September 30, 2023                            https://wiki.debian.org/LTS
- -

Package: cups
Version: 2.2.10-6+deb10u9
CVE ID : CVE-2023-4504 CVE-2023-32360
Debian Bug : #1051953

Two issues have been found in cups, the Common UNIX Printing System(tm).

CVE-2023-4504

  Due to missing boundary checks a heap-based buffer overflow and code
  execution might be possible by using crafted PostScript documents.

CVE-2023-32360

  Unauthorized users might be allowed to fetch recently printed documents.

  Since this is a configuration fix, it might not reach you when you
  update the package.
  Please double check your /etc/cups/cupsd.conf file, whether it limits
  the access to CUPS-Get-Document with something like the following:
  >  <Limit CUPS-Get-Document>
  >    AuthType Default
  >    Require user @OWNER @SYSTEM
  >    Order deny,allow
  >  </Limit>
  (The important line is the 'AuthType Default' in this section)


For Debian 10 buster, these problems have been fixed in version
2.2.10-6+deb10u9.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3579-1] elfutils security update

2023-09-23 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3579-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
September 23, 2023                            https://wiki.debian.org/LTS
- -

Package: elfutils
Version: 0.176-1.1+deb10u1
CVE ID : CVE-2020-21047


An issue has been found in elfutils, a collection of utilities to handle 
ELF objects.
Due to missing bounds checks and reachable asserts, an attacker can 
use crafted ELF files to trigger application crashes that result in 
denial of service.


For Debian 10 buster, this problem has been fixed in version
0.176-1.1+deb10u1.

We recommend that you upgrade your elfutils packages.

For the detailed security status of elfutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/elfutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3549-1] ring security update

2023-08-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3549-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
August 29, 2023                               https://wiki.debian.org/LTS
- -

Package: ring
Version: 20190215.1.f152c98~ds1-1+deb10u2
CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300
 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303
 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722
 CVE-2022-21723 CVE-2022-23537 CVE-2022-23547
 CVE-2022-23608 CVE-2022-24754 CVE-2022-24763
 CVE-2022-24764 CVE-2022-24793 CVE-2022-31031
 CVE-2022-39244 CVE-2023-27585


Several issues have been found in ring/jami, a secure and distributed 
voice, video and chat platform.
The issues are about missing boundary checks, resulting in out-of-bounds 
read access, buffer overflow or denial of service.



For Debian 10 buster, these problems have been fixed in version
20190215.1.f152c98~ds1-1+deb10u2.

We recommend that you upgrade your ring/jami packages.

For the detailed security status of ring please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ring

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3548-1] qpdf security update

2023-08-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3548-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
August 29, 2023                               https://wiki.debian.org/LTS
- -

Package: qpdf
Version: 8.4.0-2+deb10u1
CVE ID : CVE-2018-18020 CVE-2021-25786 CVE-2021-36978


Several issues have been found in qpdf, a package with tools for 
transforming and inspecting PDF files.
Crafted files may enable remote attackers to execute arbitrary code or 
to trigger recursive calls that run for a long time, which causes a denial 
of service. Further, a heap-based buffer overflow might occur when a 
certain downstream write fails.



For Debian 10 buster, these problems have been fixed in version
8.4.0-2+deb10u1.

We recommend that you upgrade your qpdf packages.

For the detailed security status of qpdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qpdf

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmTuXcZfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEfdNw/+IPtc+zufCXNipcVcKALqGl2ZaRYbffBfrUhL+DAa/x7T2oXwZJiHROHp
kR6XpyK2DzvntIjpAWpYCtnCjYmTEZoH1iRdVcwhCz9Excis0vKEVnNNHA/ssPCw
NVmQ/AEwPNsVtwNZBhCLkBzeupSk7r5Lte9aBk4vlJPKfsreGrTfrLTvfGcKQSQ+
aw6u27/g7A3C4NER1/5fb0oVbHnqbIr9W93w50Pyns7xDqg90nX5BsidLlxZXvnj
JFhXunrIjgXNG4Xr+4MtgIU3lbp1NF2hhCxw79geqmsv29moxSsQG2R2Q5q9Oh5E
IXctlDlSOUCR+Ei/Qe0E637LnQ+nDyT3bIWRI1Kx3ud40bDzEMOwaatYnyiuKX67
XAQsOQg2pEpe21/tciVwL1cxlJlW8bx3NWdtqoAqo4KWtUshBjCbLvU2pJff0G5/
JbIPzPfAw5uyXahn/ISWhRn05O4jDUnIQVlWoteQA0l9xQBxL/Ycn0lv1DsPytBm
hpEYhla9VCnLNvXdAvU+7RBRMi6YjCqaABCj4aAl6m6GDMScJ/M+CxHTKfhh4Rtq
j2mg7ReyULXOFYEMfAeeKsC7L9zmLKQK22bY8rixLDNd3QMN4EsZjAmEuhvZBENW
kJx5/335gwKbvo9lOtft9L/oMEt8CD3XlhsZtnxZJ7JzQSEGHtQ=
=XF8F
-END PGP SIGNATURE-



[SECURITY] [DLA 3504-1] gst-plugins-base1.0 security update

2023-07-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3504-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
July 25, 2023                                 https://wiki.debian.org/LTS
- -

Package: gst-plugins-base1.0
Version: 1.14.4-2+deb10u2
CVE ID : CVE-2023-37328


Multiple vulnerabilities were discovered in plugins for the 
GStreamer media framework and its codecs and demuxers, which may result in 
denial of service or potentially the execution of arbitrary code if a 
malformed media file is opened.



For Debian 10 buster, this problem has been fixed in version
1.14.4-2+deb10u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmTAAfFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEeHxg/+Nt+UV9pZLYGVl2wTf366LW2bmLe0RPZZMqhiJYJ2q+pYNCQtCude5vNn
vGtbfjIIF5x6i327h9oEwqq5Rr/Ajx+1o7aX0DtkSor0gUe7PujXF74ibdWeIUXG
2kkRMOER/1Rzutbdlbfyz1+sOx1hE9GSv7stGw3Sf2Qyud+InDiWPd/utocUol0m
u2Af6/LIw9WKxXJAnm4hq9c+J9aNAsV3EWgw1FU0nQ1y5dRUX6jyFBjsj2m0lqPt
0TTsTHJPftNiGbxBCj4VUfufu2YMiwVAN++a5HnVhPOPhYZcLXrdhhNId6ANvM+m
6Wq1VHDRO69kBNiy+0HA7U3doZ2ze5lORfhTf+UUYapd2iy5FIjfeduPQSwLYxs/
uhwsWQhal1F5eRYfRsnc4r7Pmr1f7uHE0OAU1QMgDEfxsqpix+tN9MPy70gaPwn6
3BTGWkqrvVbN695BTP4uifkz3XyZcFQi4K7MPoD3z4FXffSJ8X66rWdXNuvecHIJ
FW83Zu8kC83Ro3Pjm6/E2wt1i7KFrHd3YiVeAIbCucjm2RH79ayIHdU95AMwSM+z
Bx4nOjlwGGnrScpIk8ZuRU4/E0jyUT4RXJ68VHqQDP3nA1Gv4f1TJ97y0HUV+g97
o/WgS3K/coQcWdKculLEe/F6rTW2wd8kApAG2zBPG+lUeH9KMl4=
=2aTB
-END PGP SIGNATURE-



[SECURITY] [DLA 3503-1] gst-plugins-bad1.0 security update

2023-07-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3503-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Thorsten Alteholz
July 25, 2023                                 https://wiki.debian.org/LTS
- -

Package: gst-plugins-bad1.0
Version: 1.14.4-1+deb10u3
CVE ID : CVE-2023-37329


Multiple vulnerabilities were discovered in plugins for the 
GStreamer media framework and its codecs and demuxers, which may result in 
denial of service or potentially the execution of arbitrary code if a 
malformed media file is opened.



For Debian 10 buster, this problem has been fixed in version 
1.14.4-1+deb10u3.


We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

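One way to check whether a buster host is still exposed to advisories like the one above, as an added example that is not part of the Debian advisory text or of any Debian tooling: it re-implements dpkg's version ordering (epoch, upstream part, Debian revision, with '~' sorting before everything and letters before non-letters) so that versions such as 2:1.20.4-1+deb10u9 or 1.4+really1.3.35-1~deb10u3 compare correctly, then matches the "Package:"/"Version:" lines of advisories against output of `dpkg-query -W -f='${source:Package} ${Version}\n'`. Both the advisory excerpt and the dpkg-query output embedded below are constructed samples, not real inventory data.

```python
"""Report which Debian LTS advisories (DLAs) still apply to a host.

Added example, not Debian's own code: it ports dpkg's verrevcmp() version
ordering to Python and applies it to advisory "Package:/Version:" pairs.
"""
import re
from typing import Dict, List, Tuple


def _order(c: str) -> int:
    """Weight of one character in dpkg's non-digit comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)           # letters sort before non-letters
    if c == "~":
        return -1               # '~' sorts before everything, even end of string
    if c:
        return ord(c) + 256     # other punctuation sorts after letters
    return 0                    # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream or revision strings the way dpkg does.

    Alternates between a non-digit run (compared via _order) and a digit
    run (compared numerically, leading zeros ignored). Returns <0, 0 or >0.
    """
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1            # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")   # last hyphen starts the revision
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return <0 if v1 is older than v2, 0 if equal, >0 if newer (dpkg semantics)."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


ADVISORY_RE = re.compile(r"^Package:[ \t]*(\S+)[ \t]*\nVersion:[ \t]*(\S+)", re.MULTILINE)


def parse_advisories(text: str) -> Dict[str, str]:
    """Extract {source package: fixed version} from DLA mail bodies."""
    return dict(ADVISORY_RE.findall(text))


def parse_dpkg_query(output: str) -> Dict[str, str]:
    """Parse lines of `dpkg-query -W -f='${source:Package} ${Version}\\n'`."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def unpatched(installed: Dict[str, str], fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for every installed package older than its fix."""
    return [(pkg, installed[pkg], ver) for pkg, ver in fixed.items()
            if pkg in installed and compare_versions(installed[pkg], ver) < 0]


# Constructed sample: three advisories in the DLA layout used on this page.
SAMPLE_ADVISORIES = """\
Package: xorg-server
Version: 2:1.20.4-1+deb10u9

Package: graphicsmagick
Version: 1.4+really1.3.35-1~deb10u3

Package: sudo
Version: 1.8.27-1+deb10u5
"""

# Constructed sample of dpkg-query output from a hypothetical buster host.
SAMPLE_DPKG = """\
xorg-server 2:1.20.4-1+deb10u8
graphicsmagick 1.4+really1.3.35-1~deb10u3
sudo 1.8.27-1+deb10u3
tor 0.3.5.16-1+deb10u1
"""

if __name__ == "__main__":
    for pkg, cur, fix in unpatched(parse_dpkg_query(SAMPLE_DPKG), parse_advisories(SAMPLE_ADVISORIES)):
        print(f"{pkg}: installed {cur} is older than fixed {fix}")
```

On a real host, replace SAMPLE_DPKG with the output of that dpkg-query command and feed the advisory mails in as text; because the comparison is a direct port of dpkg's verrevcmp(), `dpkg --compare-versions` gives the same answers, which is a useful cross-check before acting on the report.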



[SECURITY] [DLA 3505-1] gst-plugins-good1.0 security update

2023-07-25 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3505-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
July 25, 2023                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: gst-plugins-good1.0
Version: 1.14.4-1+deb10u3
CVE ID : CVE-2023-37327


Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.



For Debian 10 buster, this problem has been fixed in version
1.14.4-1+deb10u3.

We recommend that you upgrade your gst-plugins-good1.0 packages.

For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3476-1] cups security update

2023-06-30 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3476-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
June 30, 2023                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: cups
Version: 2.2.10-6+deb10u8
CVE ID : CVE-2023-34241


An issue has been found in cups, the Common UNIX Printing System(tm).
Due to a use-after-free bug an attacker could cause a denial of service.
An attacker with access to the log files could also exfiltrate private
keys or other sensitive information from the cups daemon.



For Debian 10 buster, this problem has been fixed in version
2.2.10-6+deb10u8.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3465-1] minidlna security update

2023-06-21 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3465-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
June 21, 2023                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: minidlna
Version: 1.2.1+dfsg-2+deb10u4
CVE ID : CVE-2023-33476


A heap-based buffer overflow vulnerability was found in the HTTP chunk
parsing code of minidlna, a lightweight DLNA/UPnP-AV server, which may
result in denial of service or the execution of arbitrary code.


For Debian 10 buster, this problem has been fixed in version
1.2.1+dfsg-2+deb10u4.

We recommend that you upgrade your minidlna packages.

For the detailed security status of minidlna please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/minidlna

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3461-1] libfastjson security update

2023-06-20 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3461-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
June 20, 2023                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: libfastjson
Version: 0.99.8-2+deb10u1
CVE ID : CVE-2020-12762


An issue has been found in libfastjson, a fast JSON library for C.
Due to missing checks, an out-of-bounds write might occur when parsing
large JSON files.



For Debian 10 buster, this problem has been fixed in version
0.99.8-2+deb10u1.

We recommend that you upgrade your libfastjson packages.

For the detailed security status of libfastjson please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libfastjson

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: golang-go.crypto security update: Built-Using refers to non-existing source package

2023-06-15 Thread Thorsten Alteholz

Hi Markus,

On Tue, 13 Jun 2023, Markus Koschany wrote:

The following source packages were rejected:
(...)


those packages should have been built now.

  Thorsten



[SECURITY] [DLA 3440-1] cups security update

2023-06-01 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3440-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
June 01, 2023                                 https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: cups
Version: 2.2.10-6+deb10u7
CVE ID : CVE-2023-32324


An issue has been found in cups, the Common UNIX Printing System.
Due to a buffer overflow vulnerability in the function format_log_line()
a remote attacker could cause a denial of service (DoS). The vulnerability
can be triggered when the configuration file cupsd.conf sets the value of
"loglevel" to "DEBUG".



For Debian 10 buster, this problem has been fixed in version
2.2.10-6+deb10u7.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3430-1] cups-filters security update

2023-05-21 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3430-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
May 22, 2023                                  https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: cups-filters
Version: 1.21.6-5+deb10u1
CVE ID : CVE-2023-24805
Debian Bug : 1036224


It was discovered that missing input sanitising in cups-filters, when
using the Backend Error Handler (beh) backend to create an accessible
network printer, may result in the execution of arbitrary commands.


For Debian 10 buster, this problem has been fixed in version
1.21.6-5+deb10u1.

We recommend that you upgrade your cups-filters packages.

For the detailed security status of cups-filters please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups-filters

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: hugo_0.55.6+really0.54.0-1+deb10u1_amd64-buildd.changes REJECTED

2023-05-14 Thread Thorsten Alteholz

Hi Markus,

On 14.05.23 09:50, Markus Koschany wrote:

  Could you just manually inject these packages into the security
archive please?


there were others missing as well, but I hope I got all ...

  Thorsten



[SECURITY] [DLA 3405-1] libxml2 security update

2023-04-30 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3405-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
April 30, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: libxml2
Version: 2.9.4+dfsg1-7+deb10u6
CVE ID : CVE-2023-28484 CVE-2023-29469


Several vulnerabilities were discovered in libxml2, a library providing
support to read, modify and write XML and HTML files.

CVE-2023-28484

A NULL pointer dereference flaw when parsing invalid XML schemas may
result in denial of service.

CVE-2023-29469

It was reported that when hashing empty strings which aren't
null-terminated, xmlDictComputeFastKey could produce inconsistent
results, which may lead to various logic or memory errors.


For Debian 10 buster, these problems have been fixed in version
2.9.4+dfsg1-7+deb10u6.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS





[SECURITY] [DLA 3406-1] sniproxy security update

2023-04-30 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3406-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
April 30, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: sniproxy
Version: 0.6.0-1+deb10u1
CVE ID : CVE-2023-25076


An issue has been found in sniproxy, a transparent TLS and HTTP layer 4
proxy with SNI support.
Due to incorrect handling of wildcard backend hosts, a crafted HTTP or TLS
packet might lead to remote arbitrary code execution.



For Debian 10 buster, this problem has been fixed in version
0.6.0-1+deb10u1.

We recommend that you upgrade your sniproxy packages.

For the detailed security status of sniproxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sniproxy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3378-1] duktape security update

2023-03-31 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3378-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
April 01, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: duktape
Version: 2.3.0-1+deb10u1
CVE ID : CVE-2021-46322


An issue has been found in duktape, an embeddable JavaScript engine.
It was discovered that a specially crafted JavaScript file could cause a
segmentation fault (SEGV) when certain stack limits are reached.



For Debian 10 buster, this problem has been fixed in version
2.3.0-1+deb10u1.

We recommend that you upgrade your duktape packages.

For the detailed security status of duktape please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/duktape

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3374-1] libmicrohttpd security update

2023-03-30 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3374-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
March 30, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: libmicrohttpd
Version: 0.9.62-1+deb10u1
CVE ID : CVE-2023-27371


An issue has been found in libmicrohttpd, a library embedding HTTP server
functionality. Parsing crafted POST requests results in an out-of-bounds
read, which might cause a denial of service (DoS).



For Debian 10 buster, this problem has been fixed in version
0.9.62-1+deb10u1.

We recommend that you upgrade your libmicrohttpd packages.

For the detailed security status of libmicrohttpd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmicrohttpd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3372-1] xorg-server security update

2023-03-29 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3372-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
March 29, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: xorg-server
Version: 2:1.20.4-1+deb10u9
CVE ID : CVE-2023-1393


Jan-Niklas Sohn discovered that a use-after-free flaw in the Composite
extension of the X.org X server may result in privilege escalation if
the X server is running under the root user.


For Debian 10 buster, this problem has been fixed in version
2:1.20.4-1+deb10u9.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3358-1] mpv security update

2023-03-11 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3358-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
March 12, 2023                                https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: mpv
Version: 0.29.1-1+deb10u1
CVE ID : CVE-2020-19824


An issue has been found in mpv, a video player based on MPlayer/mplayer2.
Due to a use after free an attacker could execute arbitrary code or crash
the program via the ao_c parameter.



For Debian 10 buster, this problem has been fixed in version
0.29.1-1+deb10u1.

We recommend that you upgrade your mpv packages.

For the detailed security status of mpv please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mpv

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3310-1] xorg-server security update

2023-02-06 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3310-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
February 07, 2023                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: xorg-server
Version: 2:1.20.4-1+deb10u8
CVE ID : CVE-2023-0494


Jan-Niklas Sohn, working with Trend Micro Zero Day Initiative, discovered
a vulnerability in the X.Org X server.
A potential use after free might result in local privilege escalation if
the X server is running privileged, or in remote code execution during
ssh X forwarding sessions.



For Debian 10 buster, this problem has been fixed in version 
2:1.20.4-1+deb10u8.


We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3294-1] libarchive security update

2023-01-30 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3294-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
January 30, 2023                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: libarchive
Version: 3.3.3-4+deb10u3
CVE ID : CVE-2022-36227


An issue has been found in libarchive, a multi-format archive and
compression library.
Due to missing checks after calloc, NULL pointer dereferences might
occur.



For Debian 10 buster, this problem has been fixed in version
3.3.3-4+deb10u3.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3290-1] libzen security update

2023-01-28 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3290-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
January 29, 2023                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: libzen
Version: 0.4.37-1+deb10u1
CVE ID : CVE-2020-36646


Crafted arguments to a function could lead to an unchecked return value 
and a null pointer dereference.



For Debian 10 buster, this problem has been fixed in version
0.4.37-1+deb10u1.

We recommend that you upgrade your libzen packages.

For the detailed security status of libzen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libzen

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3286-1] tor security update

2023-01-28 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3286-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
January 28, 2023                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: tor
Version: 0.3.5.16-1+deb10u1
CVE ID : CVE-2023-23589


A logic error was discovered in the implementation of the "SafeSocks"
option of Tor, a connection-based low-latency anonymous communication
system, which resulted in unsafe SOCKS4 traffic being allowed to pass.



For Debian 10 buster, this problem has been fixed in version 
0.3.5.16-1+deb10u1.


We recommend that you upgrade your tor packages.

For the detailed security status of tor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3272-1] sudo security update

2023-01-18 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3272-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
January 18, 2023                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: sudo
Version: 1.8.27-1+deb10u5
CVE ID : CVE-2023-22809


Matthieu Barjole and Victor Cutillas discovered that sudoedit in sudo, a 
program designed to provide limited super user privileges to specific 
users, does not properly handle '--' to separate the editor and arguments 
from files to edit. A local user permitted to edit certain files can take 
advantage of this flaw to edit a file not permitted by the security 
policy, resulting in privilege escalation.


More information can be found at:
https://www.sudo.ws/security/advisories/sudoedit_any/


For Debian 10 buster, this problem has been fixed in version
1.8.27-1+deb10u5.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3255-1] mplayer security update

2022-12-31 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3255-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
December 31, 2022                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: mplayer
Version: 2:1.3.0-8+deb10u1
CVE ID : CVE-2022-38850 CVE-2022-38851 CVE-2022-38855
 CVE-2022-38858 CVE-2022-38860 CVE-2022-38861
 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865
 CVE-2022-38866


Several issues have been found in mplayer, a movie player for Unix-like
systems.
They are related to buffer overflows, division by zero or out-of-bounds
reads in different parts of the code.



For Debian 10 buster, these problems have been fixed in version
2:1.3.0-8+deb10u1.

We recommend that you upgrade your mplayer packages.

For the detailed security status of mplayer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mplayer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3256-1] xorg-server security update

2022-12-31 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3256-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
December 31, 2022                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: xorg-server
Version: 2:1.20.4-1+deb10u7
CVE ID : CVE-2022-4283 CVE-2022-46340 CVE-2022-46341
 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344


Jan-Niklas Sohn discovered several vulnerabilities in X server extensions 
in the X.Org X server, which may result in privilege escalation if the X 
server is running privileged.



For Debian 10 buster, these problems have been fixed in version
2:1.20.4-1+deb10u7.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3201-1] ntfs-3g security update

2022-11-21 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3201-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
November 22, 2022                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: ntfs-3g
Version: 1:2017.3.23AR.3-3+deb10u3
CVE ID : CVE-2022-40284


Yuchen Zeng and Eduardo Vela discovered a buffer overflow in NTFS-3G, a 
read-write NTFS driver for FUSE, due to incorrect validation of some of 
the NTFS metadata. A local user can take advantage of this flaw for local 
root privilege escalation.



For Debian 10 Buster, this problem has been fixed in version 
1:2017.3.23AR.3-3+deb10u3.


We recommend that you upgrade your ntfs-3g packages.

For the detailed security status of ntfs-3g please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ntfs-3g

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3200-1] graphicsmagick security update

2022-11-20 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3200-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
November 21, 2022                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: graphicsmagick
Version: 1.4+really1.3.35-1~deb10u3
CVE ID : CVE-2022-1270


An issue has been found in graphicsmagick, a collection of image 
processing tools.
Due to missing checks, a crafted MIFF file could result in a heap buffer 
overflow when parsing it.



For Debian 10 buster, this problem has been fixed in version
1.4+really1.3.35-1~deb10u3.

We recommend that you upgrade your graphicsmagick packages.

For the detailed security status of graphicsmagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphicsmagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3167-1] ncurses security update

2022-10-29 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3167-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
October 29, 2022                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: ncurses
Version: 6.1+20181013-2+deb10u3
CVE ID : CVE-2022-29458


An issue has been found in ncurses, a collection of shared libraries for 
terminal handling.
This issue is about an out-of-bounds read in convert_strings in the 
terminfo library.



For Debian 10 buster, this problem has been fixed in version
6.1+20181013-2+deb10u3.

We recommend that you upgrade your ncurses packages.

For the detailed security status of ncurses please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ncurses

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3168-1] openvswitch security update

2022-10-29 Thread Thorsten Alteholz

-----------------------------------------------------------------------
Debian LTS Advisory DLA-3168-1              debian-...@lists.debian.org
https://www.debian.org/lts/security/                 Thorsten Alteholz
October 29, 2022                              https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: openvswitch
Version: 2.10.7+ds1-0+deb10u2
CVE ID : CVE-2022-32166


An issue has been found in openvswitch, a software-based Ethernet
virtual switch.


This issue is about a heap buffer over-read in flow.c, which could lead 
to access to an unmapped region of memory. This could result in crashing 
the software, memory modification, or possible remote execution.



For Debian 10 buster, this problem has been fixed in version 
2.10.7+ds1-0+deb10u2.


We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3130-1] tinyxml security update

2022-09-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3130-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
October 01, 2022                          https://wiki.debian.org/LTS
- -

Package: tinyxml
Version: 2.6.2-4+deb10u1
CVE ID : CVE-2021-42260


An issue has been found in tinyxml, a C++ XML parsing library.
Crafted XML messages could lead to an infinite loop in
TiXmlParsingData::Stamp(), which results in a denial of service.


For Debian 10 buster, this problem has been fixed in version
2.6.2-4+deb10u1.

We recommend that you upgrade your tinyxml packages.

For the detailed security status of tinyxml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tinyxml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 3127-1] libhttp-daemon-perl security update

2022-09-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3127-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
September 30, 2022                        https://wiki.debian.org/LTS
- -

Package: libhttp-daemon-perl
Version: 6.01-3+deb10u1
CVE ID : CVE-2022-31081


An issue has been found in libhttp-daemon-perl, a simple HTTP server
class.
Due to insufficient handling of the Content-Length: HTTP header, an attacker
could gain privileged access to APIs or poison intermediate caches.
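The advisory does not spell out what "insufficient Content-Length handling" means; as an added example that is not libhttp-daemon-perl's code, the following shows the strict parsing a server needs so that it and any cache in front of it agree on where a request body ends. The request-head format (HTTP/1.1, CRLF-separated) and all names are assumptions made for this illustration.

```python
"""Strict Content-Length handling for an HTTP/1.1 request head.

Added example, not libhttp-daemon-perl's code.  Every value that two
implementations might interpret differently (repeated headers with
different values, comma lists, signs, hex, whitespace before the colon)
is rejected instead of being guessed at.
"""
import re

# A Content-Length value is a plain run of decimal digits and nothing else.
_DIGITS = re.compile(r"^[0-9]+$")


class MalformedRequest(ValueError):
    """The request head cannot be parsed unambiguously."""


class BadContentLength(MalformedRequest):
    """The Content-Length header is missing, repeated with different
    values, or not a plain decimal number."""


def parse_headers(head):
    """Split a raw request head (no body) into (request_line, [(name, value)]).

    Header names are lower-cased; values are stripped of surrounding
    whitespace.  Whitespace between a name and its colon is rejected,
    since parsers disagree about whether such a line is a header at all.
    """
    lines = head.split("\r\n")
    request_line, headers = lines[0], []
    for line in lines[1:]:
        if line == "":          # empty line terminates the head
            break
        name, sep, value = line.partition(":")
        if not sep or name != name.strip() or name == "":
            raise MalformedRequest("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def content_length(headers):
    """Return the body length declared by Content-Length (0 if absent).

    Raises BadContentLength when the declared length is ambiguous.
    Identical repeated values are tolerated, as RFC 7230 permits; any
    disagreement between occurrences is fatal.
    """
    values = []
    for name, value in headers:
        if name == "content-length":
            # A comma list is equivalent to repeated headers: treat each
            # element as its own occurrence.
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return 0
    for v in values:
        if not _DIGITS.match(v):   # rejects "", "+7", "0x10", "7.0", ...
            raise BadContentLength("non-numeric Content-Length: %r" % v)
    if len(set(values)) != 1:      # e.g. "7" and "40": two body lengths
        raise BadContentLength("conflicting Content-Length values: %r" % values)
    return int(values[0])


def body_length_of(head):
    """Convenience wrapper: declared body length of a raw request head."""
    return content_length(parse_headers(head)[1])


def accepts(head):
    """True when the head declares exactly one, well-formed body length."""
    try:
        body_length_of(head)
        return True
    except MalformedRequest:
        return False
```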



For Debian 10 buster, this problem has been fixed in version
6.01-3+deb10u1.

We recommend that you upgrade your libhttp-daemon-perl packages.

For the detailed security status of libhttp-daemon-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libhttp-daemon-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3126-1] libsndfile security update

2022-09-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3126-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
September 30, 2022                        https://wiki.debian.org/LTS
- -

Package: libsndfile
Version: 1.0.28-6+deb10u2
CVE ID : CVE-2021-4156


An issue has been found in libsndfile, a library for reading/writing audio 
files.


Using a crafted FLAC file, an attacker could trigger an out-of-bounds read 
that would most likely cause a crash but could potentially leak memory 
information.



For Debian 10 buster, this problem has been fixed in version
1.0.28-6+deb10u2.

We recommend that you upgrade your libsndfile packages.

For the detailed security status of libsndfile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsndfile

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3125-1] libvncserver security update

2022-09-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3125-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
September 30, 2022                        https://wiki.debian.org/LTS
- -

Package: libvncserver
Version: 0.9.11+dfsg-1.3+deb10u5
CVE ID : CVE-2020-25708 CVE-2020-29260


Two issues have been found in libvncserver, a library to write one's own 
VNC server.


CVE-2020-25708

Due to some missing checks, a divide by zero could happen, which could
result in a denial of service.

CVE-2020-29260

Due to a memory leak in function rfbClientCleanup() a remote attacker
might be able to cause a denial of service.



For Debian 10 buster, these problems have been fixed in version
0.9.11+dfsg-1.3+deb10u5.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3119-1] expat security update

2022-09-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3119-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
September 25, 2022                        https://wiki.debian.org/LTS
- -

Package: expat
Version: 2.2.6-2+deb10u5
CVE ID : CVE-2022-40674


Rhodri James discovered a heap use-after-free vulnerability in the 
doContent function in Expat, an XML parsing C library, which could result 
in denial of service or potentially the execution of arbitrary code, if a 
malformed XML file is processed.



For Debian 10 buster, this problem has been fixed in version 
2.2.6-2+deb10u5.


We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3111-1] mod-wsgi security update

2022-09-15 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3111-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
September 15, 2022                        https://wiki.debian.org/LTS
- -

Package: mod-wsgi
Version: 4.6.5-1+deb10u1
CVE ID : CVE-2022-2255


An issue has been found in mod-wsgi, a Python WSGI adapter module for
Apache. The X-Client-IP header is not removed from a request that arrives
from an untrusted proxy, allowing this header to be passed on to the target
WSGI application.
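As an added example (not mod_wsgi's own code), here is the check the advisory describes, written as a plain WSGI middleware: client-address headers survive only when the TCP peer is a configured trusted proxy, so a client-supplied X-Client-IP never reaches the application. The header list, the proxy ranges and all names are assumptions made for this illustration.

```python
"""WSGI middleware that strips client-address headers from requests that
did not come through a trusted proxy.  Added example, not mod_wsgi's code."""
import ipaddress

# Request headers in which a reverse proxy may report the original client
# address.  WSGI exposes "X-Client-IP" as environ["HTTP_X_CLIENT_IP"].
CLIENT_ADDRESS_HEADERS = (
    "HTTP_X_CLIENT_IP",
    "HTTP_X_REAL_IP",
    "HTTP_X_FORWARDED_FOR",
)


class TrustedProxyMiddleware:
    """Wrap a WSGI application so that client-address headers are passed
    through only when REMOTE_ADDR (the TCP peer) is a trusted proxy."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        # Single addresses or CIDR ranges, e.g. "10.0.0.0/8" or "192.0.2.10".
        self.trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(self, remote_addr):
        """True when remote_addr is a valid IP inside a trusted range.
        Anything unparsable is untrusted."""
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(addr in net for net in self.trusted)

    def sanitize(self, environ):
        """Return a copy of environ with client-address headers removed
        unless the peer is a trusted proxy.  The original mapping is left
        untouched so the caller can still log what was actually received."""
        env = dict(environ)
        if not self.is_trusted(env.get("REMOTE_ADDR", "")):
            for header in CLIENT_ADDRESS_HEADERS:
                env.pop(header, None)
        return env

    def __call__(self, environ, start_response):
        return self.app(self.sanitize(environ), start_response)


def client_ip(environ):
    """What the wrapped application should treat as the client address:
    X-Client-IP if it survived sanitisation, otherwise the TCP peer."""
    return environ.get("HTTP_X_CLIENT_IP", environ.get("REMOTE_ADDR"))


def demo():
    """Two constructed requests: one relayed by a trusted proxy, one sent
    directly with a forged X-Client-IP.  Returns the address the
    application sees for each."""
    def app(environ, start_response):
        return [client_ip(environ).encode()]

    def start_response(status, headers):
        pass

    mw = TrustedProxyMiddleware(app, ["10.0.0.0/8"])
    via_proxy = {"REMOTE_ADDR": "10.1.2.3", "HTTP_X_CLIENT_IP": "198.51.100.9"}
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_CLIENT_IP": "127.0.0.1"}
    return [b"".join(mw(e, start_response)).decode() for e in (via_proxy, direct)]
    # returns ['198.51.100.9', '203.0.113.7']: the forged header was dropped
```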



For Debian 10 buster, this problem has been fixed in version
4.6.5-1+deb10u1.

We recommend that you upgrade your mod-wsgi packages.

For the detailed security status of mod-wsgi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mod-wsgi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3088-1] net-snmp security update

2022-08-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3088-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
August 30, 2022                           https://wiki.debian.org/LTS
- -

Package: net-snmp
Version: 5.7.3+dfsg-5+deb10u3
CVE ID : CVE-2022-24805 CVE-2022-24806 CVE-2022-24807
 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810


Yu Zhang and Nanyu Zhong discovered several vulnerabilities in net-snmp, a 
suite of Simple Network Management Protocol applications, which could 
result in denial of service or the execution of arbitrary code.



For Debian 10 buster, these problems have been fixed in version
5.7.3+dfsg-5+deb10u3.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3060-1] blender security update

2022-06-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3060-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
June 27, 2022                             https://wiki.debian.org/LTS
- -

Package: blender
Version: 2.79.b+dfsg0-1~deb9u2
CVE ID : CVE-2022-0544 CVE-2022-0545 CVE-2022-0546


Several issues have been found in blender, a very fast and versatile 3D
modeller/renderer.


CVE-2022-0546

 An out-of-bounds heap access due to missing checks in the image
 loader could result in denial of service, memory corruption or
 potentially code execution.

CVE-2022-0545

 An integer overflow while processing 2d images might result in a
 write-what-where vulnerability or an out-of-bounds read vulnerability
 which could leak sensitive information or achieve code execution.

CVE-2022-0544

 Crafted DDS image files could create an integer underflow in the
 DDS loader which leads to an out-of-bounds read and might leak
 sensitive information.


For Debian 9 stretch, these problems have been fixed in version
2.79.b+dfsg0-1~deb9u2.

We recommend that you upgrade your blender packages.

For the detailed security status of blender please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/blender

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3058-1] libsndfile security update

2022-06-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3058-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
June 26, 2022                             https://wiki.debian.org/LTS
- -

Package: libsndfile
Version: 1.0.27-3+deb9u3
CVE ID : CVE-2017-12562 CVE-2021-4156


Two issues have been found in libsndfile, a library for reading/writing
audio files.

CVE-2017-12562

   Due to a possible heap buffer overflow, an attacker could cause a
   remote denial of service by tricking the function into outputting a
   large amount of data.

CVE-2021-4156

   Using a crafted FLAC file, an attacker could trigger an out-of-bounds
   read that would most likely cause a crash but could potentially leak
   memory information.


For Debian 9 stretch, these problems have been fixed in version
1.0.27-3+deb9u3.

We recommend that you upgrade your libsndfile packages.

For the detailed security status of libsndfile please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsndfile

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 3030-1] zipios++ security update

2022-05-27 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3030-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
May 27, 2022                              https://wiki.debian.org/LTS
- -

Package: zipios++
Version: 0.1.5.9+cvs.2007.04.28-6+deb9u1
CVE ID : CVE-2019-13453


An issue was found in zipios++, a small C++ library for reading zip files.
Due to wrong handling of malformed zip files, an infinite loop could be 
entered, which results in a denial of service.



For Debian 9 stretch, this problem has been fixed in version
0.1.5.9+cvs.2007.04.28-6+deb9u1.

We recommend that you upgrade your zipios++ packages.

For the detailed security status of zipios++ please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zipios++

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3028-1] atftp security update

2022-05-26 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3028-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
May 27, 2022                              https://wiki.debian.org/LTS
- -

Package: atftp
Version: 0.7.git20120829-3.1~deb9u3
CVE ID : CVE-2021-46671


An issue has been found in atftp, an advanced TFTP client/server.

Due to missing bounds checks, data could be read beyond a buffer, so that
sensitive information might be disclosed to a remote client.



For Debian 9 stretch, this problem has been fixed in version
0.7.git20120829-3.1~deb9u3.

We recommend that you upgrade your atftp packages.

For the detailed security status of atftp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/atftp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 3029-1] cups security update

2022-05-26 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3029-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
May 27, 2022                              https://wiki.debian.org/LTS
- -

Package: cups
Version: 2.2.1-8+deb9u8
CVE ID : CVE-2022-26691
Debian Bug : 1011769


Joshua Mason discovered that a logic error in the validation of the
secret key used in the "local" authorisation mode of the CUPS printing
system may result in privilege escalation.


For Debian 9 stretch, this problem has been fixed in version
2.2.1-8+deb9u8.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2987-1] libarchive security update

2022-04-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2987-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
April 30, 2022                            https://wiki.debian.org/LTS
- -

Package: libarchive
Version: 3.2.2-2+deb9u3
CVE ID : CVE-2019-19221 CVE-2021-23177 CVE-2021-31566


Three issues have been found in libarchive, a multi-format archive and 
compression library.


CVE-2021-31566
 symbolic links incorrectly followed when changing modes, times, ACL
 and flags of a file while extracting an archive

CVE-2021-23177
 extracting a symlink with ACLs modifies ACLs of target

CVE-2019-19221
 out-of-bounds read because of an incorrect mbrtowc or mbtowc call


For Debian 9 stretch, these problems have been fixed in version
3.2.2-2+deb9u3.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2988-1] tinyxml security update

2022-04-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2988-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
May 01, 2022                              https://wiki.debian.org/LTS
- -

Package: tinyxml
Version: 2.6.2-4+deb9u1
CVE ID : CVE-2021-42260


An issue has been found in tinyxml, a C++ XML parsing library.

Crafted XML messages could lead to an infinite loop in
TiXmlParsingData::Stamp(), which results in a denial of service.


For Debian 9 stretch, this problem has been fixed in version
2.6.2-4+deb9u1.

We recommend that you upgrade your tinyxml packages.

For the detailed security status of tinyxml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tinyxml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2974-1] fribidi security update

2022-04-14 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2974-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
April 10, 2022                            https://wiki.debian.org/LTS
- -

Package: fribidi
Version: 0.19.7-1+deb9u2
CVE ID : CVE-2022-25308 CVE-2022-25309 CVE-2022-25310


Several issues have been found in fribidi, a free implementation of the
Unicode BiDi algorithm. The issues are a stack buffer overflow, a heap
buffer overflow, and a SEGV.


CVE-2022-25308
 stack-buffer-overflow issue in main()

CVE-2022-25309
 heap-buffer-overflow issue in fribidi_cap_rtl_to_unicode()

CVE-2022-25310
 SEGV issue in fribidi_remove_bidi_marks()


For Debian 9 stretch, these problems have been fixed in version
0.19.7-1+deb9u2.

We recommend that you upgrade your fribidi packages.

For the detailed security status of fribidi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fribidi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



[SECURITY] [DLA 2973-1] minidlna security update

2022-04-09 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2973-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
April 10, 2022                            https://wiki.debian.org/LTS
- -

Package: minidlna
Version: 1.1.6+dfsg-1+deb9u2
CVE ID : CVE-2022-26505


An issue has been found in minidlna, a lightweight DLNA/UPnP-AV server
targeted at embedded systems. HTTP requests needed additional checks to
protect against DNS rebinding and thereby prevent a remote web server from
exfiltrating media files.



For Debian 9 stretch, this problem has been fixed in version
1.1.6+dfsg-1+deb9u2.

We recommend that you upgrade your minidlna packages.

For the detailed security status of minidlna please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/minidlna

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2966-1] libgc security update

2022-03-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2966-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
March 30, 2022                            https://wiki.debian.org/LTS
- -

Package: libgc
Version: 1:7.4.2-8+deb9u1
CVE ID : CVE-2016-9427


libgc, a conservative garbage collector, is vulnerable to integer 
overflows in multiple places. In some cases, when asked to allocate a huge 
quantity of memory, instead of failing the request, it will return a 
pointer to a small amount of memory possibly tricking the application into 
a buffer overwrite.



For Debian 9 stretch, this problem has been fixed in version
1:7.4.2-8+deb9u1.

We recommend that you upgrade your libgc packages.

For the detailed security status of libgc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libgc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2931-1] cyrus-sasl2 security update

2022-03-06 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2931-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
March 06, 2022                            https://wiki.debian.org/LTS
- -

Package: cyrus-sasl2
Version: 2.1.27~101-g0780600+dfsg-3+deb9u2
CVE ID : CVE-2022-24407


It was discovered that the SQL plugin in cyrus-sasl2, a library 
implementing the Simple Authentication and Security Layer, is prone to a 
SQL injection attack. An authenticated remote attacker can take advantage 
of this flaw to execute arbitrary SQL commands and for privilege 
escalation.



For Debian 9 stretch, this problem has been fixed in version
2.1.27~101-g0780600+dfsg-3+deb9u2.

We recommend that you upgrade your cyrus-sasl2 packages.

For the detailed security status of cyrus-sasl2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cyrus-sasl2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2932-1] tiff security update

2022-03-06 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2932-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
March 06, 2022                            https://wiki.debian.org/LTS
- -

Package: tiff
Version: 4.0.8-2+deb9u8
CVE ID : CVE-2022-0561 CVE-2022-0562 CVE-2022-22844
Debian Bug :

Several issues have been found in tiff, a library and tools to manipulate 
and convert files in the Tag Image File Format (TIFF).


CVE-2022-22844

out-of-bounds read in _TIFFmemcpy in certain situations involving a
custom tag and 0x0200 as the second word of the DE field.

CVE-2022-0562

Null source pointer passed as an argument to memcpy() function within
TIFFReadDirectory(). This could result in a Denial of Service via
crafted TIFF files.

CVE-2022-0561

Null source pointer passed as an argument to memcpy() function within
TIFFFetchStripThing(). This could result in a Denial of Service via
crafted TIFF files.


For Debian 9 stretch, these problems have been fixed in version
4.0.8-2+deb9u8.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2928-1] htmldoc security update

2022-02-26 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2928-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
February 26, 2022                         https://wiki.debian.org/LTS
- -

Package: htmldoc
Version: 1.8.27-8+deb9u2
CVE ID : CVE-2021-40985 CVE-2021-43579 CVE-2022-0534


Several issues have been found in htmldoc, an HTML processor that 
generates indexed HTML, PS, and PDF.


CVE-2022-0534

 A crafted GIF file could lead to a stack out-of-bounds read,
 which could result in a crash (segmentation fault).

CVE-2021-43579

 Converting an HTML document, which links to a crafted BMP file,
 could lead to a stack-based buffer overflow, which could result
 in remote code execution.

CVE-2021-40985

 A crafted BMP image could lead to a buffer overflow, which could
 cause a denial of service.


For Debian 9 stretch, these problems have been fixed in version
1.8.27-8+deb9u2.

We recommend that you upgrade your htmldoc packages.

For the detailed security status of htmldoc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/htmldoc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2902-1] graphicsmagick security update

2022-01-27 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2902-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
January 27, 2022                          https://wiki.debian.org/LTS
- -

Package: graphicsmagick
Version: 1.3.30+hg15796-1~deb9u5
CVE ID : CVE-2020-12672


An issue has been found in graphicsmagick, a collection of image
processing tools, that results in a heap buffer overwrite when
magnifying MNG images.


For Debian 9 stretch, this problem has been fixed in version
1.3.30+hg15796-1~deb9u5.

We recommend that you upgrade your graphicsmagick packages.

For the detailed security status of graphicsmagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/graphicsmagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2901-1] libxfont security update

2022-01-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2901-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
January 25, 2022                          https://wiki.debian.org/LTS
- -

Package: libxfont
Version: 1:2.0.1-3+deb9u2
CVE ID : CVE-2017-16611


An issue has been found in libxfont, an X11 font rasterisation library.
By creating symlinks, a local attacker can open (but not read) local files 
as user root. This might create unwanted actions with special files like 
/dev/watchdog.



For Debian 9 stretch, this problem has been fixed in version
1:2.0.1-3+deb9u2.

We recommend that you upgrade your libxfont packages.

For the detailed security status of libxfont please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxfont

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2900-1] lrzsz security update

2022-01-25 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2900-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
January 25, 2022                          https://wiki.debian.org/LTS
- -

Package: lrzsz
Version: 0.12.21-8+deb9u1
CVE ID : CVE-2018-10195


An issue has been found in lrzsz, a set of tools for zmodem/xmodem/ymodem
file transfer.
Due to an incorrect length check, which might result in a size_t wrap 
around, an information leak to the receiving side could happen.



For Debian 9 stretch, this problem has been fixed in version
0.12.21-8+deb9u1.

We recommend that you upgrade your lrzsz packages.

For the detailed security status of lrzsz please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lrzsz

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2897-1] apr security update

2022-01-24 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2897-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Thorsten Alteholz
January 24, 2022                          https://wiki.debian.org/LTS
- -

Package: apr
Version: 1.5.2-5+deb9u1
CVE ID : CVE-2017-12613


An issue has been found in apr, the Apache Portable Runtime Library.
The issue is an out-of-bounds memory access caused by invalid date
fields.



For Debian 9 stretch, this problem has been fixed in version
1.5.2-5+deb9u1.

We recommend that you upgrade your apr packages.

For the detailed security status of apr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/apr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2890-1] libspf2 security update

2022-01-20 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2890-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
January 21, 2022                              https://wiki.debian.org/LTS
- -

Package: libspf2
Version: 1.2.10-7+deb9u2
CVE ID : CVE-2021-33912 CVE-2021-33913


Two issues have been found in libspf2, a library for validating mail 
senders with SPF.

Both issues are related to heap-based buffer overflows.


For Debian 9 stretch, these problems have been fixed in version
1.2.10-7+deb9u2.

We recommend that you upgrade your libspf2 packages.

For the detailed security status of libspf2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libspf2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2882-1] sphinxsearch security update

2022-01-16 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2882-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
January 17, 2022                              https://wiki.debian.org/LTS
- -

Package: sphinxsearch
Version: 2.2.11-1.1+deb9u1
CVE ID : CVE-2020-29050


It was discovered that sphinxsearch, a fast standalone full-text SQL 
search engine, could allow arbitrary files to be read by abusing a 
configuration option.



For Debian 9 stretch, this problem has been fixed in version 
2.2.11-1.1+deb9u1.


We recommend that you upgrade your sphinxsearch packages.

For the detailed security status of sphinxsearch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sphinxsearch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2869-1] xorg-server security update

2021-12-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2869-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
December 29, 2021                             https://wiki.debian.org/LTS
- -

Package: xorg-server
Version: 2:1.19.2-1+deb9u9
CVE ID : CVE-2021-4008 CVE-2021-4009 CVE-2021-4011


Jan-Niklas Sohn discovered that multiple input validation failures in X 
server extensions of the X.org X server may result in privilege 
escalation if the X server is running privileged.



For Debian 9 stretch, these problems have been fixed in version
2:1.19.2-1+deb9u9.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmHM3BpfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEd2oQ//SXzwhIQo0GKgvl3ZdfQsvuCx/6tzlMjuS6SyjXs61vHkm4Qi8Lgi5g2k
06w7ejapTLl130XcSnXWOYNkP2KbUjHMF+D8qe4FbKtS3mC50xRUjhLrOZ2PxOHH
bQKngn5JUVPWP7oUakmChr8rvfdNZ5UjuwYl6ru+7NW1rGieq3fh/dP1T/3Jbr/y
/UD2Jlg8USdpJhK9MHtQRkVnLHcbwuf7ndRENSa7cwkMPSBRYQm9bgC8Qlg3hgVu
pwdviq/B49br/kcEoggV0a2SRWZv6tY9AuQJmM4h+IHDTK6pX6+1qCOrfx2BlF1k
N1hLEEy++KnKDlzvGfvuoz4TPWvO9rUo+CZ+EvEa9UShQi9rIKEsCAirg6fmX1Xp
DkKlmWbu5FWo75Tr4qJ/s4Fp0sxT5JeIQYcJKHzh1ScWNWJSTWhFVOjFA6iJXuGa
4VEoK33sDv3TMJNbYDoFc44TvfZ06thdazxeTRfnbw5UcEJuLBEgcz+eAbHwWukR
ycDIBWNJi4a0sozySLgkgOO4+K0EkV0vW0inExo+C65396jN+gSPzFeOl/ZFp+lv
r286Dfk+L23bm7nr91ldPlvHbgCGVzW0OmvY6oq5/6ByYnFHZhJBeJA58GtHf19U
Ypmn9dV/GH+Y8HUUInDWuw8FkSMZ74HnEy/fb06g5zCYb4ug4Jg=
=S7KY
-END PGP SIGNATURE-



[SECURITY] [DLA 2858-1] libzip security update

2021-12-27 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2858-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
December 28, 2021                             https://wiki.debian.org/LTS
- -

Package: libzip
Version: 1.1.2-1.1+deb9u1
CVE ID : CVE-2017-14107


An issue has been found in libzip, a library for reading, creating, and 
modifying zip archives.
Crafted ZIP archives could allow remote attackers to cause a denial of 
service through a memory allocation failure, because EOCD records are mishandled.



For Debian 9 stretch, this problem has been fixed in version
1.1.2-1.1+deb9u1.

We recommend that you upgrade your libzip packages.

For the detailed security status of libzip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libzip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2859-1] zziplib security update

2021-12-27 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2859-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
December 28, 2021                             https://wiki.debian.org/LTS
- -

Package: zziplib
Version: 0.13.62-3.2~deb9u2
CVE ID : CVE-2020-18442


An issue has been found in zziplib, a library providing read access to 
ZIP archives.
Because a return value is mishandled, an attacker might cause a denial of 
service through an infinite loop.



For Debian 9 stretch, this problem has been fixed in version
0.13.62-3.2~deb9u2.

We recommend that you upgrade your zziplib packages.

For the detailed security status of zziplib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zziplib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2845-1] libsamplerate security update

2021-12-13 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2845-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
December 14, 2021                             https://wiki.debian.org/LTS
- -

Package: libsamplerate
Version: 0.1.8-8+deb9u1
CVE ID : CVE-2017-7697


An issue has been found in libsamplerate, an audio sample rate conversion 
library. A crafted audio file might trigger a buffer over-read in 
calc_output_single() in src_sinc.c.



For Debian 9 stretch, this problem has been fixed in version
0.1.8-8+deb9u1.

We recommend that you upgrade your libsamplerate packages.

For the detailed security status of libsamplerate please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsamplerate

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2846-1] raptor2 security update

2021-12-13 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2846-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
December 14, 2021                             https://wiki.debian.org/LTS
- -

Package: raptor2
Version: 2.0.14-1+deb9u2
CVE ID : CVE-2020-25713


An issue has been found in raptor2, a Raptor RDF parser and serializer 
library. A malformed input file can lead to a segfault.



For Debian 9 stretch, this problem has been fixed in version
2.0.14-1+deb9u2.

We recommend that you upgrade your raptor2 packages.

For the detailed security status of raptor2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/raptor2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2825-1] libmodbus security update

2021-11-22 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2825-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
November 22, 2021                             https://wiki.debian.org/LTS
- -

Package: libmodbus
Version: 3.0.6-2+deb9u1
CVE ID : CVE-2019-14462 CVE-2019-14463


Two issues have been found in libmodbus, a library for the Modbus 
protocol.
Both issues are out-of-bounds reads, which could result in a denial of 
service or other unspecified impact.



For Debian 9 stretch, these problems have been fixed in version
3.0.6-2+deb9u1.

We recommend that you upgrade your libmodbus packages.

For the detailed security status of libmodbus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmodbus

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2822-1] netkit-rsh security update

2021-11-18 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2822-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
November 19, 2021                             https://wiki.debian.org/LTS
- -

Package: netkit-rsh
Version: 0.17-17+deb9u1
CVE ID : CVE-2019-7282 CVE-2019-7283


Two issues have been found in netkit-rsh, client and server programs for 
remote shell connections.
Due to insufficient validation of path names sent by the server, a 
malicious server can overwrite arbitrary files in the target directory 
or modify the permissions of the target directory.



For Debian 9 stretch, these problems have been fixed in version
0.17-17+deb9u1.

We recommend that you upgrade your netkit-rsh packages.

For the detailed security status of netkit-rsh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/netkit-rsh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmGW3KRfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEdjPQ/+Mr8UhEid8T8Frfvt6TmiaWSz8WEnb/XGD2MTMq74moUVuvv1AHxwe554
z8EFaapeppIpyP3be4c6ee6TLqnATb+EqPPqtrbPkdB+M7r2dBqRIFNUo9hX6UGy
1Wxs4aWkkqCdNv2gTyMYZohJjtufSV92pQ5AorzVYkl27gviMYDXmoWSPE7OS1C1
d9aQJk096GGJoaR2IQGOS9D8Y5N64Z4vMk9p/DUiZm2I1aqLdhpvC2fFvFf7EdDf
WbmqY7aIVYaoiEQY3YAbylH7tZVIH7MRGuAeBe/RpZ2AsDVO0DhPWOnlED0T7B1K
xEAr1MxVBeHwQ7IeGVa++8t9mNlei7QGUPBYMMoJY4OKSphxgX3GXnxDHUkLgeEv
ZPZtOCDkvde6lMbfgA4l9Lzs0j/f02RWH0svLRHIlBSVIMeJv4jGA5GOqfg8Z7ua
m8D48gVeFYRT3VyhSvVZ933V4f1nznB5oSBJZa0/RyccbN0Ep5mVbmWQimTdpq0H
/+nFSKJ7gweDiZYvf9YiqWecvL1lxUmf0fYmYdkOqSb/ps3MxujTiaxJkWvKiC+h
n8sGQW8jnxvDA6PHjSmTB8fwv5JNN6F2Eq0FgjPzi9FErlGhx2rOb0rFmvuEt3Yg
FP1be5GPOYk4wnzmc6SysKJ1SqtNdTCM8Ev2Z0nqt+TrNsRWfAQ=
=5Zhn
-END PGP SIGNATURE-



[SECURITY] [DLA 2821-1] axis security update

2021-11-17 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2821-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
November 17, 2021                             https://wiki.debian.org/LTS
- -

Package: axis
Version: 1.4-25+deb9u1
CVE ID : CVE-2018-8032


An issue has been found in axis, a SOAP implementation in Java.
The issue is related to a cross-site scripting (XSS) attack in the default 
servlet/services.



For Debian 9 stretch, this problem has been fixed in version
1.4-25+deb9u1.

We recommend that you upgrade your axis packages.

For the detailed security status of axis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/axis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2820-1] atftp security update

2021-11-16 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2820-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
November 17, 2021                             https://wiki.debian.org/LTS
- -

Package: atftp
Version: 0.7.git20120829-3.1~deb9u2
CVE ID : CVE-2020-6097 CVE-2021-41054


Two issues have been found in atftp, an advanced TFTP client.
Both can be triggered by sending crafted requests to the server and result 
in a denial of service, for example through a buffer overflow.



For Debian 9 stretch, these problems have been fixed in version
0.7.git20120829-3.1~deb9u2.

We recommend that you upgrade your atftp packages.

For the detailed security status of atftp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/atftp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2800-1] cups security update

2021-10-29 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2800-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
October 30, 2021                              https://wiki.debian.org/LTS
- -

Package: cups
Version: 2.2.1-8+deb9u7
CVE ID : CVE-2020-10001


An issue has been found in cups, the Common UNIX Printing System.
Due to an input validation issue, a malicious application might be able 
to read restricted memory.



For Debian 9 stretch, this problem has been fixed in version
2.2.1-8+deb9u7.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cups

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2796-1] jbig2dec security update

2021-10-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2796-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
October 29, 2021                              https://wiki.debian.org/LTS
- -

Package: jbig2dec
Version: 0.13-4.1+deb9u1
CVE ID : CVE-2017-9216 CVE-2020-12268


Two issues have been found in jbig2dec, a JBIG2 decoder library.
One issue is related to an overflow with a crafted image file. The other 
is related to a NULL pointer dereference.



For Debian 9 stretch, these problems have been fixed in version
0.13-4.1+deb9u1.

We recommend that you upgrade your jbig2dec packages.

For the detailed security status of jbig2dec please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jbig2dec

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2789-1] squashfs-tools security update

2021-10-20 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2789-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
October 20, 2021                              https://wiki.debian.org/LTS
- -

Package: squashfs-tools
Version: 1:4.3-3+deb9u3
CVE ID : CVE-2021-41072


Richard Weinberger reported that unsquashfs in squashfs-tools, the tools 
to create and extract Squashfs filesystems, does not check for duplicate 
filenames within a directory. An attacker can take advantage of this flaw 
to write arbitrary files to the filesystem if a malformed Squashfs 
image is processed.



For Debian 9 stretch, this problem has been fixed in version 
1:4.3-3+deb9u3.


We recommend that you upgrade your squashfs-tools packages.

For the detailed security status of squashfs-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squashfs-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2788-1] strongswan security update

2021-10-19 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2788-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
October 20, 2021                              https://wiki.debian.org/LTS
- -

Package: strongswan
Version: 5.5.1-4+deb9u5
CVE ID : CVE-2021-41991


Researchers at the United States of America National Security Agency (NSA) 
identified a denial of service vulnerability in strongSwan, an 
IKE/IPsec suite.


Once the in-memory certificate cache is full, it tries to randomly replace 
less-used entries. Depending on the generated random value, this could 
lead to an integer overflow that results in a double dereference and a 
call using out-of-bounds memory, which most likely leads to a segmentation 
fault.


Remote code execution can't be ruled out completely, but attackers have 
no control over the dereferenced memory, so it seems unlikely at this 
point.



For Debian 9 stretch, this problem has been fixed in version 
5.5.1-4+deb9u5.


We recommend that you upgrade your strongswan packages.

For the detailed security status of strongswan please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/strongswan

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2773-1] curl security update

2021-09-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2773-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
September 30, 2021                            https://wiki.debian.org/LTS
- -

Package: curl
Version: 7.52.1-5+deb9u16
CVE ID : CVE-2021-22946 CVE-2021-22947


Two issues have been found in curl, a command line tool and an easy-to-use 
client-side library for transferring data with URL syntax.


CVE-2021-22946
 Crafted answers from a server might force clients not to use TLS on
 connections even though TLS was required and expected.

CVE-2021-22947
 When using STARTTLS to initiate a TLS connection, the server might
 send multiple answers before the TLS upgrade, and the client would
 then handle them as trusted. This could be used by a MITM attacker
 to inject fake response data.


For Debian 9 stretch, these problems have been fixed in version
7.52.1-5+deb9u16.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
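Editorial note on the curl advisory above: the defence against response injection around a STARTTLS upgrade is a rule the client enforces on its own receive buffer, independent of the protocol library in use. The following is an added example (not curl's code, not the Debian patch) that models that rule on an SMTP-style reply buffer; the reply strings are constructed, no socket is involved, and the single-line reply parsing is a simplification (real clients must also walk multi-line "220-" replies). A refused reply must be a hard failure whenever TLS is required, which is the downgrade case in CVE-2021-22946.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not curl's code): before switching a STARTTLS session to
 * TLS, a client must not keep any plaintext bytes that arrived after the
 * server's "go ahead" reply.  An on-path party can pipeline extra replies
 * behind the real one; if the client later reads them from its buffer, it
 * treats unauthenticated data as if it had come over the encrypted
 * channel.  The rule: proceed only when the buffer holds exactly one
 * complete positive reply and nothing else. */

enum starttls_verdict {
    STARTTLS_OK = 0,        /* exactly one positive reply: upgrade may proceed */
    STARTTLS_INCOMPLETE,    /* reply not yet complete: read more */
    STARTTLS_REFUSED,       /* non-2xx code: server will not start TLS */
    STARTTLS_TRAILING_DATA  /* extra bytes after the reply: abort the upgrade */
};

/* Inspect a reply buffer of len bytes.  A reply is complete when it ends
 * in CRLF; only single-line replies are handled here. */
enum starttls_verdict check_starttls_reply(const char *buf, size_t len)
{
    const char *crlf = NULL;
    size_t i;

    for (i = 0; i + 1 < len; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            crlf = buf + i;
            break;
        }
    }
    if (crlf == NULL)
        return STARTTLS_INCOMPLETE;

    /* Bytes beyond the first reply must not exist; if they do, refuse to
     * upgrade rather than carry them into the TLS session. */
    if ((size_t)(crlf - buf) + 2 != len)
        return STARTTLS_TRAILING_DATA;

    /* SMTP: a three-digit code; 2xx means the server is ready for TLS. */
    if (len < 3 || buf[0] != '2')
        return STARTTLS_REFUSED;

    return STARTTLS_OK;
}

int main(void)
{
    /* Constructed replies: a clean one, and one with a pipelined extra line. */
    static const char good[] = "220 Ready to start TLS\r\n";
    static const char injected[] =
        "220 Ready to start TLS\r\n250 OK injected before the upgrade\r\n";
    printf("clean reply:    %d\n", check_starttls_reply(good, sizeof good - 1));
    printf("pipelined data: %d\n", check_starttls_reply(injected, sizeof injected - 1));
    return 0;
}
```

The same check applies to the IMAP, POP3 and FTP variants of STARTTLS: whatever sits in the plaintext buffer after the upgrade reply was never authenticated and must be discarded, and the safest way to discard it is to fail the connection.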



[SECURITY] [DLA 2774-1] openssl1.0 security update

2021-09-30 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2774-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
September 30, 2021                            https://wiki.debian.org/LTS
- -

Package: openssl1.0
Version: 1.0.2u-1~deb9u6
CVE ID : CVE-2021-3712


An issue has been found in openssl1.0, a Secure Sockets Layer library.
The issue is related to read buffer overruns while processing ASN.1 
strings.



For Debian 9 stretch, this problem has been fixed in version
1.0.2u-1~deb9u6.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2766-1] openssl security update

2021-09-26 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2766-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
September 27, 2021                            https://wiki.debian.org/LTS
- -

Package: openssl
Version: 1.1.0l-1~deb9u4
CVE ID : CVE-2021-3712


An issue has been found in openssl, a Secure Sockets Layer toolkit.
Ingo Schwarze reported a buffer overrun flaw when processing ASN.1 
strings, which can result in denial of service.



For Debian 9 stretch, this problem has been fixed in version
1.1.0l-1~deb9u4.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2762-1] grilo security update

2021-09-21 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2762-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
September 22, 2021                            https://wiki.debian.org/LTS
- -

Package: grilo
Version: 0.3.2-2+deb9u1
CVE ID : CVE-2021-39365


An issue has been found in grilo, a framework for discovering and browsing 
media. Due to missing TLS certificate verification, users are vulnerable 
to network MITM attacks.



For Debian 9 stretch, this problem has been fixed in version
0.3.2-2+deb9u1.

We recommend that you upgrade your grilo packages.

For the detailed security status of grilo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/grilo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmFKV3dfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEdmeRAAlbiqx0HW+AUlC1r509FSDWRqSCoMpNCB2q8RqlRiBe0nFywk62iqCRof
OBWJcAyZvHjnp0DTdtYI7gDjuGe+6taQYYLLRLIQl+TomH88y9cIEgQ1r5EJUIyy
AZLHxVtbxft3pdKe/yv3/fZoe1xliLO6mepq9+mzfrECJnK6Vfum8lvHua5PtTtD
Ffywdfkb16SVHucTmAsAHPGPPd4NRuApNAx2OUrSApMt3h/SnfaEWd0fVxrckLHF
fjVx8iqOt6TdnJWllJx/9A6HiVcjXdo6Epmbtd6u9IhEWtOfoj3s5o5ZptmSCcYi
mE0Sl9osVBWraPPFBVaGt6vKJ2wWIzhQgwUkN+Uw+EkiMkAfOHLAougUNJBTrgAf
42I0MiaQjVgZo7yURfr/6t9ZxWoYx2ndLbMMeF93egyyq9d2kiTJM+7Uv3rPRj9t
2uS8C0thL4mqNpVIyKvZ5PN3ZlMhJxMd1RUBpf19W2xpJmKMoTLxf9VvMChFyvL1
XTYZC35afhzSWVIVn//vn+uEVMLHY6q9h8Y1DtHnmtQgdEpClatWAFKYb4lUFD8M
8cYG9f3isG6Y6DCch47iJnAg/kb6mnYa/2WTKNzI33Cf0Ts0yNueGNVKiGVXKwpt
u5YP1cnvuJyXF0i1+AkfltZlK4s4TfNDP5a7yHbWo+3IV7sNhZ8=
=glxU
-END PGP SIGNATURE-



[SECURITY] [DLA 2755-1] btrbk security update

2021-09-05 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2755-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
September 05, 2021                            https://wiki.debian.org/LTS
- -

Package: btrbk
Version: 0.24.0-1+deb9u1
CVE ID : CVE-2021-38173


An issue has been found in btrbk, a backup tool for btrfs subvolumes.
Because ssh_filter_btrbk.sh, which is used in authorized_keys to filter 
the SSH commands a remote host may run, mishandled its input, arbitrary 
code execution was possible.



For Debian 9 stretch, this problem has been fixed in version
0.24.0-1+deb9u1.

We recommend that you upgrade your btrbk packages.

For the detailed security status of btrbk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/btrbk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2752-1] squashfs-tools security update

2021-08-31 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2752-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
August 31, 2021                               https://wiki.debian.org/LTS
- -

Package: squashfs-tools
Version: 1:4.3-3+deb9u2
CVE ID : CVE-2021-40153


An issue has been found in squashfs-tools, a tool to create and append to 
squashfs filesystems.
As unsquashfs did not validate all filepaths, it would allow writing 
outside of the original destination.



For Debian 9 stretch, this problem has been fixed in version
1:4.3-3+deb9u2.

We recommend that you upgrade your squashfs-tools packages.

For the detailed security status of squashfs-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squashfs-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
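Editorial note on the two squashfs-tools advisories on this page (DLA 2752-1 above, unvalidated file paths; DLA 2789-1 earlier, duplicate filenames in one directory): both are failures to validate entry names taken from an untrusted image before writing to the destination. The following is an added example (not squashfs-tools code, not the Debian patches) of the two checks an extractor would apply; the entry names are constructed, the checks work on strings only, and a separate check is still needed against symlinked directories already present in the destination.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not squashfs-tools code): for every entry name read from
 * an untrusted image, decide whether writing it is safe.  Two checks:
 *  1. the path must stay inside the extraction root (no absolute path and
 *     no ".." that climbs above the root);
 *  2. a directory must not list the same name twice, since a second entry
 *     would silently overwrite or redirect the first. */

#define MAX_DEPTH   64
#define MAX_ENTRIES 32

/* Returns 1 when name is a relative path that never climbs above the
 * extraction root, 0 otherwise.  "." and empty components are ignored. */
int entry_path_is_contained(const char *name)
{
    int depth = 0;
    const char *p = name;

    if (name[0] == '\0' || name[0] == '/')
        return 0;                       /* empty or absolute */

    while (*p) {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);

        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;               /* would escape the root */
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            if (++depth > MAX_DEPTH)
                return 0;               /* unreasonably deep: reject */
        }
        if (!slash)
            break;
        p = slash + 1;
    }
    return 1;
}

/* Names already accepted in one directory listing. */
struct dir_names {
    const char *seen[MAX_ENTRIES];
    int count;
};

/* Returns 1 when name is new and was recorded, 0 when it duplicates an
 * earlier entry or the table is full (both are rejected). */
int dir_accept_name(struct dir_names *d, const char *name)
{
    int i;
    for (i = 0; i < d->count; i++)
        if (strcmp(d->seen[i], name) == 0)
            return 0;
    if (d->count >= MAX_ENTRIES)
        return 0;
    d->seen[d->count++] = name;
    return 1;
}

int main(void)
{
    /* Constructed entry names as an untrusted image might list them. */
    static const char *entries[] = { "etc/motd", "../../etc/passwd", "a/../b", "/abs" };
    struct dir_names dir = { {0}, 0 };
    size_t i;
    int first, second;

    for (i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-20s contained=%d\n", entries[i], entry_path_is_contained(entries[i]));

    first = dir_accept_name(&dir, "x");
    second = dir_accept_name(&dir, "x");
    printf("first 'x' accepted=%d, second 'x' accepted=%d\n", first, second);
    return 0;
}
```

The containment check tolerates ".." as long as it never climbs above the root ("a/../b" is accepted). Many extractors choose the simpler and stricter policy of rejecting any ".." component outright; that is also a valid design and removes one whole class of edge cases.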



[SECURITY] [DLA 2749-1] gthumb security update

2021-08-28 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2749-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
August 29, 2021                               https://wiki.debian.org/LTS
- -

Package: gthumb
Version: 3:3.4.4.1-5+deb9u2
CVE ID : CVE-2019-20326


An issue has been found in gthumb, an image viewer and browser.
A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg()
in extensions/cairo_io/cairo-image-surface-jpeg.c allows attackers to
cause a crash and potentially execute arbitrary code via a crafted JPEG
file.


For Debian 9 stretch, this problem has been fixed in version
3:3.4.4.1-5+deb9u2.

We recommend that you upgrade your gthumb packages.

For the detailed security status of gthumb please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gthumb

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2748-1] tnef security update

2021-08-23 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2748-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
August 23, 2021                               https://wiki.debian.org/LTS
- -

Package: tnef
Version: 1.4.12-1.2+deb9u1
CVE ID : CVE-2019-18849


An issue has been found in tnef, a tool to unpack MIME application/ms-tnef 
attachments.
Using emails with a crafted winmail.dat application/ms-tnef attachment 
might allow an attacker to change .ssh/authorized_keys.



For Debian 9 stretch, this problem has been fixed in version
1.4.12-1.2+deb9u1.

We recommend that you upgrade your tnef packages.

For the detailed security status of tnef please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tnef

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2747-1] ircii security update

2021-08-22 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-2747-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Thorsten Alteholz
August 22, 2021                               https://wiki.debian.org/LTS
- -

Package: ircii
Version: 20151120-1+deb9u1
CVE ID : CVE-2021-29376


An issue has been found in ircii, an Internet Relay Chat client.
A crafted CTCP UTC message could allow an attacker to disconnect the
victim from an IRC server due to a segmentation fault and client crash.


For Debian 9 stretch, this problem has been fixed in version
20151120-1+deb9u1.

We recommend that you upgrade your ircii packages.

For the detailed security status of ircii please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ircii

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-


