[SECURITY] [DSA 5484-1] librsvg security update
Debian Security Advisory DSA-5484-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
August 27, 2023
https://www.debian.org/security/faq

Package: librsvg
CVE ID : CVE-2023-38633
Debian Bug : 1041810

Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in read of arbitrary files when processing a specially crafted SVG file with an include element.

For the oldstable distribution (bullseye), this problem has been fixed in version 2.50.3+dfsg-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 2.54.7+dfsg-1~deb12u1.

We recommend that you upgrade your librsvg packages.

For the detailed security status of librsvg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/librsvg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5489-1] file security update
Debian Security Advisory DSA-5489-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 04, 2023
https://www.debian.org/security/faq

Package: file
CVE ID : CVE-2022-48554

A buffer overflow was found in file, a file type classification tool, which may result in denial of service if a specially crafted file is processed.

For the oldstable distribution (bullseye), this problem has been fixed in version 1:5.39-3+deb11u1.

We recommend that you upgrade your file packages.

For the detailed security status of file please refer to its security tracker page at: https://security-tracker.debian.org/tracker/file

[SECURITY] [DSA 5492-1] linux security update
Debian Security Advisory DSA-5492-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 09, 2023
https://www.debian.org/security/faq

Package: linux
CVE ID : CVE-2023-1206 CVE-2023-1989 CVE-2023-2430 CVE-2023-2898 CVE-2023-3611 CVE-2023-3772 CVE-2023-3773 CVE-2023-3776 CVE-2023-3777 CVE-2023-3863 CVE-2023-4004 CVE-2023-4015 CVE-2023-4128 CVE-2023-4132 CVE-2023-4147 CVE-2023-4155 CVE-2023-4194 CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 CVE-2023-4273 CVE-2023-4569 CVE-2023-4622 CVE-2023-20588 CVE-2023-34319 CVE-2023-40283

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-1206
It was discovered that the networking stack permits attackers to force hash collisions in the IPv6 connection lookup table, which may result in denial of service (significant increase in the cost of lookups, increased CPU utilization).

CVE-2023-1989
Zheng Wang reported a race condition in the btsdio Bluetooth adapter driver that can lead to a use-after-free. An attacker able to insert and remove SDIO devices can use this to cause a denial of service (crash or memory corruption) or possibly to run arbitrary code in the kernel.

CVE-2023-2430
Xingyuan Mo discovered that the io_uring subsystem did not properly handle locking when the target ring is configured with IOPOLL, which may result in denial of service.

CVE-2023-2898
It was discovered that missing sanitising in the f2fs file system may result in denial of service if a malformed file system is accessed.

CVE-2023-3611
The TOTE Robot tool found a flaw in the Btrfs filesystem driver that can lead to a use-after-free. It's unclear whether an unprivileged user can exploit this.

CVE-2023-3772
Lin Ma discovered a NULL pointer dereference flaw in the XFRM subsystem which may result in denial of service.

CVE-2023-3773
Lin Ma discovered a flaw in the XFRM subsystem, which may result in denial of service for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-3776, CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208
It was discovered that a use-after-free in the cls_fw, cls_u32 and cls_route network classifiers may result in denial of service or potential local privilege escalation.

CVE-2023-3777
Kevin Rich discovered a use-after-free in Netfilter when flushing table rules, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-3863
It was discovered that a use-after-free in the NFC implementation may result in denial of service, an information leak or potential local privilege escalation.

CVE-2023-4004
It was discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4015
Kevin Rich discovered a use-after-free in Netfilter when handling bound chain deactivation in certain circumstances, which may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4132
A use-after-free in the driver for Siano SMS1xxx based MDTV receivers may result in local denial of service.

CVE-2023-4147
Kevin Rich discovered a use-after-free in Netfilter when adding a rule with NFTA_RULE_CHAIN_ID, which may result in local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-4155
Andy Nguyen discovered a flaw in the KVM subsystem allowing a KVM guest using SEV-ES or SEV-SNP to cause a denial of service.

CVE-2023-4194
A type confusion in the implementation of TUN/TAP network devices may allow a local user to bypass network filters.

CVE-2023-4273
Maxim Suhanov discovered a stack overflow in the exFAT driver, which may result in local denial of service via a malformed file system.

CVE-2023-4569
lonial con discovered a flaw in the Netfilter subsystem, which may allow a local attacker to cause a double-deactivation of catchall elements, which results in a memory leak.

CVE-2023-4622
Bing-Jhong Billy Jheng discovered a use-after-free within the Unix domain sockets component, which may resul

[SECURITY] [DSA 5494-1] mutt security update
Debian Security Advisory DSA-5494-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 10, 2023
https://www.debian.org/security/faq

Package: mutt
CVE ID : CVE-2023-4874 CVE-2023-4875
Debian Bug : 1051563

Several NULL pointer dereference flaws were discovered in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which may result in denial of service (application crash) when viewing a specially crafted email or when composing from a specially crafted draft message.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.5-4.1+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 2.2.9-1+deb12u1.

We recommend that you upgrade your mutt packages.

For the detailed security status of mutt please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mutt

[SECURITY] [DSA 5504-1] bind9 security update
Debian Security Advisory DSA-5504-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 22, 2023
https://www.debian.org/security/faq

Package: bind9
CVE ID : CVE-2023-3341 CVE-2023-4236
Debian Bug : 1052416 1052417

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2023-3341
A stack exhaustion flaw was discovered in the control channel code which may result in denial of service (named daemon crash).

CVE-2023-4236
Robert Story discovered that a flaw in the networking code handling DNS-over-TLS queries could cause named to terminate unexpectedly due to an assertion failure, resulting in denial of service when under high DNS-over-TLS query load conditions.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:9.16.44-1~deb11u1. The oldstable distribution (bullseye) is only affected by CVE-2023-3341.

For the stable distribution (bookworm), these problems have been fixed in version 1:9.18.19-1~deb12u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

[SECURITY] [DSA 5505-1] lldpd security update
Debian Security Advisory DSA-5505-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 25, 2023
https://www.debian.org/security/faq

Package: lldpd
CVE ID : CVE-2023-41910

Matteo Memelli reported an out-of-bounds read flaw when parsing CDP addresses in lldpd, an implementation of the IEEE 802.1ab (LLDP) protocol. A remote attacker can take advantage of this flaw to cause a denial of service via a specially crafted CDP PDU packet.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.0.11-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 1.0.16-1+deb12u1.

We recommend that you upgrade your lldpd packages.

For the detailed security status of lldpd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lldpd

[SECURITY] [DSA 5510-1] libvpx security update
Debian Security Advisory DSA-5510-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
September 29, 2023
https://www.debian.org/security/faq

Package: libvpx
CVE ID : CVE-2023-5217
Debian Bug : 1053182

Clement Lecigne discovered a heap-based buffer overflow in libvpx, a multimedia library for the VP8 and VP9 video codecs, which may result in the execution of arbitrary code if a specially crafted VP8 media stream is processed.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.9.0-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1.12.0-1+deb12u1.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvpx

[SECURITY] [DSA 5512-1] exim4 security update
Debian Security Advisory DSA-5512-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 02, 2023
https://www.debian.org/security/faq

Package: exim4
CVE ID : CVE-2023-42114 CVE-2023-42115 CVE-2023-42116

Several vulnerabilities were discovered in Exim, a mail transport agent, which could result in remote code execution if the EXTERNAL or SPA/NTLM authenticators are used.

For the oldstable distribution (bullseye), these problems have been fixed in version 4.94.2-7+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 4.96-15+deb12u2.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4

[SECURITY] [DSA 5514-1] glibc security update
Debian Security Advisory DSA-5514-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 03, 2023
https://www.debian.org/security/faq

Package: glibc
CVE ID : CVE-2023-4911

The Qualys Research Labs discovered a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. An attacker can exploit this flaw for privilege escalation.

Details can be found in the Qualys advisory at https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

For the oldstable distribution (bullseye), this problem has been fixed in version 2.31-13+deb11u7.

For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u3. This update includes fixes for CVE-2023-4527 and CVE-2023-4806 originally planned for the upcoming bookworm point release.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc

[SECURITY] [DSA 5518-1] libvpx security update
Debian Security Advisory DSA-5518-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 05, 2023
https://www.debian.org/security/faq

Package: libvpx
CVE ID : CVE-2023-44488

It was discovered that missing input sanitising in the encoding support in libvpx, a multimedia library for the VP8 and VP9 video codecs, may result in denial of service.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.9.0-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 1.12.0-1+deb12u2.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvpx

[SECURITY] [DSA 5519-1] grub2 security update
Debian Security Advisory DSA-5519-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 06, 2023
https://www.debian.org/security/faq

Package: grub2
CVE ID : CVE-2023-4692 CVE-2023-4693

Maxim Suhanov discovered multiple vulnerabilities in GRUB2's code to handle NTFS filesystems, which may result in a Secure Boot bypass.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.06-3~deb11u6.

For the stable distribution (bookworm), these problems have been fixed in version 2.06-13+deb12u1.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/grub2

[SECURITY] [DSA 5530-1] ruby-rack security update
Debian Security Advisory DSA-5530-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 22, 2023
https://www.debian.org/security/faq

Package: ruby-rack
CVE ID : CVE-2022-30122 CVE-2022-30123 CVE-2022-44570 CVE-2022-44571 CVE-2022-44572 CVE-2023-27530 CVE-2023-27539
Debian Bug : 1029832 1032803 1033264

Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.1.4-3+deb11u1.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-rack

[SECURITY] [DSA 5532-1] openssl security update
Debian Security Advisory DSA-5532-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 24, 2023
https://www.debian.org/security/faq

Package: openssl
CVE ID : CVE-2023-5363

Tony Battersby reported that incorrect cipher key and IV length processing in OpenSSL, a Secure Sockets Layer toolkit, may result in loss of confidentiality for some symmetric cipher modes.

Additional details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20231024.txt

For the stable distribution (bookworm), this problem has been fixed in version 3.0.11-1~deb12u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

[SECURITY] [DSA 5533-1] gst-plugins-bad1.0 security update
Debian Security Advisory DSA-5533-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
October 24, 2023
https://www.debian.org/security/faq

Package: gst-plugins-bad1.0
CVE ID : CVE-2023-40474 CVE-2023-40475 CVE-2023-40476
Debian Bug : 1053259 1053260 1053261

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.18.4-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in version 1.22.0-4+deb12u2.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

[SECURITY] [DSA 5534-1] xorg-server security update
Debian Security Advisory DSA-5534-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
October 25, 2023    https://www.debian.org/security/faq

Package    : xorg-server
CVE ID     : CVE-2023-5367 CVE-2023-5380

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

For the oldstable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u8.

For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u2.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server
[SECURITY] [DSA 5539-1] node-browserify-sign security update
Debian Security Advisory DSA-5539-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
October 30, 2023    https://www.debian.org/security/faq

Package    : node-browserify-sign
CVE ID     : CVE-2023-46234
Debian Bug : 1054667

It was reported that incorrect bound checks in the dsaVerify function in node-browserify-sign, a Node.js library which adds crypto signing for browsers, allow an attacker to perform signature forgery attacks by constructing signatures that can be successfully verified by any public key.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.2.1-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 4.2.1-3+deb12u1.

We recommend that you upgrade your node-browserify-sign packages.

For the detailed security status of node-browserify-sign please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-browserify-sign
[SECURITY] [DSA 5541-1] request-tracker5 security update
Debian Security Advisory DSA-5541-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
October 30, 2023    https://www.debian.org/security/faq

Package    : request-tracker5
CVE ID     : CVE-2023-41259 CVE-2023-41260 CVE-2023-45024
Debian Bug : 1054517

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2023-41259

Tom Wolters reported that Request Tracker is vulnerable to accepting unvalidated RT email headers in incoming email and the mail-gateway REST interface.

CVE-2023-41260

Tom Wolters reported that Request Tracker is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

CVE-2023-45024

It was reported that Request Tracker is vulnerable to information leakage via transaction searches made by authenticated users in the transaction query builder.

For the stable distribution (bookworm), these problems have been fixed in version 5.0.3+dfsg-3~deb12u2.

We recommend that you upgrade your request-tracker5 packages.

For the detailed security status of request-tracker5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker5
[SECURITY] [DSA 5542-1] request-tracker4 security update
Debian Security Advisory DSA-5542-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
October 30, 2023    https://www.debian.org/security/faq

Package    : request-tracker4
CVE ID     : CVE-2023-41259 CVE-2023-41260
Debian Bug : 1054516

Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

CVE-2023-41259

Tom Wolters reported that Request Tracker is vulnerable to accepting unvalidated RT email headers in incoming email and the mail-gateway REST interface.

CVE-2023-41260

Tom Wolters reported that Request Tracker is vulnerable to information leakage via response messages returned from requests sent via the mail-gateway REST interface.

For the oldstable distribution (bullseye), these problems have been fixed in version 4.4.4+dfsg-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 4.4.6+dfsg-1.1+deb12u1.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker4
[SECURITY] [DSA 5547-1] pmix security update
Debian Security Advisory DSA-5547-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 04, 2023    https://www.debian.org/security/faq

Package    : pmix
CVE ID     : CVE-2023-41915
Debian Bug : 1051729

Francois Diakhate reported that a race condition in pmix, a library implementing Process Management Interface (PMI) Exascale API, could allow a malicious user to obtain ownership of an arbitrary file on the filesystem when parts of the PMIx library are called by a process with elevated privileges, resulting in privilege escalation. This may happen under the default configuration of certain workload managers, including Slurm.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.0.0-4.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 4.2.2-1+deb12u1.

We recommend that you upgrade your pmix packages.

For the detailed security status of pmix please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pmix
[SECURITY] [DSA 5553-1] postgresql-15 security update
Debian Security Advisory DSA-5553-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 13, 2023    https://www.debian.org/security/faq

Package    : postgresql-15
CVE ID     : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417 CVE-2023-39418

Several vulnerabilities have been discovered in the PostgreSQL database system.

CVE-2023-5868

Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls.

CVE-2023-5869

Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions.

CVE-2023-5870

Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service.

CVE-2023-39417

Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ within quoting may allow an attacker having database-level CREATE privileges to perform an SQL injection.

CVE-2023-39418

Dean Rasheed reported that the MERGE command fails to enforce UPDATE or SELECT row security policies.

For the stable distribution (bookworm), these problems have been fixed in version 15.5-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-15
[SECURITY] [DSA 5554-1] postgresql-13 security update
Debian Security Advisory DSA-5554-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 13, 2023    https://www.debian.org/security/faq

Package    : postgresql-13
CVE ID     : CVE-2023-5868 CVE-2023-5869 CVE-2023-5870 CVE-2023-39417

Several vulnerabilities have been discovered in the PostgreSQL database system.

CVE-2023-5868

Jingzhou Fu discovered a memory disclosure flaw in aggregate function calls.

CVE-2023-5869

Pedro Gallegos reported integer overflow flaws resulting in buffer overflows in the array modification functions.

CVE-2023-5870

Hemanth Sandrana and Mahendrakar Srinivasarao reported that the pg_cancel_backend role can signal certain superuser processes, potentially resulting in denial of service.

CVE-2023-39417

Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg reported that an extension script using @substitutions@ within quoting may allow an attacker having database-level CREATE privileges to perform an SQL injection.

For the oldstable distribution (bullseye), these problems have been fixed in version 13.13-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-13
[SECURITY] [DSA 5563-1] intel-microcode security update
Debian Security Advisory DSA-5563-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 23, 2023    https://www.debian.org/security/faq

Package    : intel-microcode
CVE ID     : CVE-2023-23583
Debian Bug : 1055962

Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik Shtoyk discovered that some Intel processors mishandle repeated sequences of instructions leading to unexpected behavior, which may result in privilege escalation, information disclosure or denial of service.

For the oldstable distribution (bullseye), this problem has been fixed in version 3.20231114.1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 3.20231114.1~deb12u1.

We recommend that you upgrade your intel-microcode packages.

For the detailed security status of intel-microcode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/intel-microcode
[SECURITY] [DSA 5564-1] gimp security update
Debian Security Advisory DSA-5564-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 24, 2023    https://www.debian.org/security/faq

Package    : gimp
CVE ID     : CVE-2023-1 CVE-2023-2 CVE-2023-3 CVE-2023-4
Debian Bug : 1055984

Michael Randrianantenaina reported several vulnerabilities in GIMP, the GNU Image Manipulation Program, which could result in denial of service (application crash) or potentially the execution of arbitrary code if malformed DDS, PSD and PSP files are opened.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.10.22-4+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.10.34-1+deb12u1.

We recommend that you upgrade your gimp packages.

For the detailed security status of gimp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gimp
[SECURITY] [DSA 5565-1] gst-plugins-bad1.0 security update
Debian Security Advisory DSA-5565-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
November 25, 2023    https://www.debian.org/security/faq

Package    : gst-plugins-bad1.0
CVE ID     : CVE-2023-44429 CVE-2023-6
Debian Bug : 1056101 1056102

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.18.4-3+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 1.22.0-4+deb12u3.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-bad1.0
[SECURITY] [DSA 5576-1] xorg-server security update
Debian Security Advisory DSA-5576-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
December 13, 2023    https://www.debian.org/security/faq

Package    : xorg-server
CVE ID     : CVE-2023-6377 CVE-2023-6478

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server, which may result in privilege escalation if the X server is running privileged.

For the oldstable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u9.

For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u3.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server
[SECURITY] [DSA 5578-1] ghostscript security update
Debian Security Advisory DSA-5578-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
December 15, 2023    https://www.debian.org/security/faq

Package    : ghostscript
CVE ID     : CVE-2023-46751

It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle errors in the gdev_prn_open_printer_seekable() function, which could result in the execution of arbitrary commands if malformed document files are processed.

For the stable distribution (bookworm), this problem has been fixed in version 10.0.0~dfsg-11+deb12u3.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript
[SECURITY] [DSA 5576-2] xorg-server security update
Debian Security Advisory DSA-5576-2    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
December 17, 2023    https://www.debian.org/security/faq

Package    : xorg-server
CVE ID     : CVE-2023-6377

The initial fix for CVE-2023-6377 as applied in DSA 5576-1 did not fully fix the vulnerability. Updated packages correcting this issue including the upstream merged commit are now available.

For the oldstable distribution (bullseye), this problem has been fixed in version 2:1.20.11-1+deb11u10.

For the stable distribution (bookworm), this problem has been fixed in version 2:21.1.7-3+deb12u4.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server
[SECURITY] [DSA 5584-1] bluez security update
Debian Security Advisory DSA-5584-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
December 21, 2023    https://www.debian.org/security/faq

Package    : bluez
CVE ID     : CVE-2023-45866
Debian Bug : 1057914

It was reported that BlueZ's HID profile implementation is not in line with the HID specification, which mandates the use of Security Mode 4. The HID profile configuration option ClassicBondedOnly now defaults to "true" to make sure that input connections only come from bonded device connections.

For the oldstable distribution (bullseye), this problem has been fixed in version 5.55-3.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 5.66-1+deb12u1.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bluez
[SECURITY] [DSA 5586-1] openssh security update
Debian Security Advisory DSA-5586-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
December 22, 2023   https://www.debian.org/security/faq

Package    : openssh
CVE ID     : CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384 CVE-2023-51385
Debian Bug : 995130 1033166

Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

CVE-2021-41617
It was discovered that sshd failed to correctly initialise supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a different user. Instead these commands would inherit the groups that sshd was started with.

CVE-2023-28531
Luci Stanescu reported that an error prevented constraints being communicated to the ssh-agent when adding smartcard keys to the agent with per-hop destination constraints, resulting in keys being added without constraints.

CVE-2023-48795
Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. Details can be found at https://terrapin-attack.com/

CVE-2023-51384
It was discovered that when PKCS#11-hosted private keys were added while specifying destination constraints, if the PKCS#11 token returned multiple keys then only the first key had the constraints applied.

CVE-2023-51385
It was discovered that if an invalid user or hostname that contained shell metacharacters was passed to ssh, and a ProxyCommand, LocalCommand directive or "match exec" predicate referenced the user or hostname via expansion tokens, then an attacker who could supply arbitrary user/hostnames to ssh could potentially perform command injection. The situation could arise in case of git repositories with submodules, where the repository could contain a submodule with shell characters in its user or hostname.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:8.4p1-5+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 1:9.2p1-2+deb12u2.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
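A defensive check for the CVE-2023-51385 scenario described above, as an added example (not part of the advisory or of OpenSSH): it flags SSH submodule URLs in a .gitmodules file whose user or host falls outside a conservative allowlist, and lists ssh_config command directives that expand the host or user tokens %h, %n or %r. The allowlists, function names and sample inputs are assumptions constructed for this example.

```python
import re

# Conservative allowlists chosen for this example (an assumption, not the
# validation rule OpenSSH itself applies).
SAFE_USER = re.compile(r"[A-Za-z0-9._-]+")
SAFE_HOST = re.compile(r"[A-Za-z0-9._-]+|\[[0-9A-Fa-f:.]+\]")
SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}
# scp-like form "user@host:path": a colon appears before the first slash.
SCP_LIKE = re.compile(r"((?:[^@]*@)?(?:\[[^\]]*\]|[^:]*)):")
# ssh_config tokens that expand to the host name or the remote user.
HOST_USER_TOKEN = re.compile(r"%[hnr]")
COMMAND_DIRECTIVE = re.compile(r"(?i)(proxycommand|localcommand|match)\b[\s=]*(.*)")


def ssh_user_host(url):
    """Return (user, host) if git would hand this URL to ssh, else None."""
    if "://" in url:
        scheme, rest = url.split("://", 1)
        if scheme.lower() not in SSH_SCHEMES:
            return None
        # Authority is everything up to the first slash, minus a numeric port.
        authority = re.sub(r":\d*$", "", rest.split("/", 1)[0])
    else:
        m = SCP_LIKE.match(url.split("/", 1)[0])
        if not m:
            return None  # no colon before the first slash: a local path
        authority = m.group(1)
    user, at, host = authority.rpartition("@")
    return (user if at else None), host


def parse_gitmodules(text):
    """Yield (submodule_name, url) pairs from .gitmodules content."""
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'\[submodule\s+"(.*)"\]', line)
        if m:
            name = m.group(1)
            continue
        key, eq, value = line.partition("=")
        if eq and name is not None and key.strip().lower() == "url":
            yield name, value.strip()


def audit_gitmodules(text):
    """Return (submodule, field, value) for each user/host outside the allowlist."""
    findings = []
    for name, url in parse_gitmodules(text):
        parsed = ssh_user_host(url)
        if parsed is None:
            continue  # not an SSH transport, so ssh never sees this name
        user, host = parsed
        if user is not None and not SAFE_USER.fullmatch(user):
            findings.append((name, "user", user))
        if not SAFE_HOST.fullmatch(host):
            findings.append((name, "host", host))
    return findings


def audit_ssh_config(text):
    """Return (line_no, directive) for command directives expanding %h, %n or %r."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMAND_DIRECTIVE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == "match" and not re.search(r"(?i)\bexec\b", arg):
            continue  # only "Match exec" runs a command
        if HOST_USER_TOKEN.search(arg):
            hits.append((no, keyword))
    return hits


# Constructed sample inputs (not taken from any real repository or host).
SAMPLE_GITMODULES = """\
[submodule "vendor/ok"]
    path = vendor/ok
    url = ssh://git@git.example.invalid:2222/team/ok.git
[submodule "vendor/web"]
    path = vendor/web
    url = https://git.example.invalid/team/web.git
[submodule "vendor/odd-host"]
    path = vendor/odd-host
    url = ssh://git@host$(true).example.invalid/team/lib.git
[submodule "vendor/odd-user"]
    path = vendor/odd-user
    url = bad;user@git.example.invalid:team/lib.git
"""

SAMPLE_SSH_CONFIG = """\
Host *.corp.example.invalid
    ProxyCommand /usr/bin/nc -X connect -x proxy.example.invalid:3128 %h %p
Host bastion
    ProxyJump jump.example.invalid
Match exec "test -f /run/vpn-up"
    LocalCommand logger connected-to-%n
"""

if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE_GITMODULES):
        print("suspicious submodule URL:", finding)
    for hit in audit_ssh_config(SAMPLE_SSH_CONFIG):
        print("directive expands host/user token:", hit)
```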
[SECURITY] [DSA 5588-1] putty security update
Debian Security Advisory DSA-5588-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
December 24, 2023   https://www.debian.org/security/faq

Package    : putty
CVE ID     : CVE-2021-36367 CVE-2023-48795
Debian Bug : 990901

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed in version 0.74-1+deb11u1. This update includes a fix for CVE-2021-36367.

For the stable distribution (bookworm), these problems have been fixed in version 0.78-2+deb12u1.

We recommend that you upgrade your putty packages.

For the detailed security status of putty please refer to its security tracker page at: https://security-tracker.debian.org/tracker/putty

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5590-1] haproxy security update
Debian Security Advisory DSA-5590-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
December 28, 2023   https://www.debian.org/security/faq

Package    : haproxy
CVE ID     : CVE-2023-40225 CVE-2023-45539
Debian Bug : 1043502

Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.2.9-2+deb11u6.

For the stable distribution (bookworm), these problems have been fixed in version 2.6.12-1+deb12u1.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security tracker page at: https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5591-1] libssh security update
Debian Security Advisory DSA-5591-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
December 28, 2023   https://www.debian.org/security/faq

Package    : libssh
CVE ID     : CVE-2023-6004 CVE-2023-6918 CVE-2023-48795
Debian Bug : 1059004 1059059 1059061

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004
It was reported that using the ProxyCommand or the ProxyJump feature may allow an attacker to inject malicious code through specially crafted hostnames.

CVE-2023-6918
Jack Weinstein reported that missing checks for return values for digests may result in denial of service (application crashes) or usage of uninitialized memory.

CVE-2023-48795
Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts. Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed in version 0.9.8-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 0.10.6-0+deb12u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5592-1] libspreadsheet-parseexcel-perl security update
Debian Security Advisory DSA-5592-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
December 30, 2023   https://www.debian.org/security/faq

Package    : libspreadsheet-parseexcel-perl
CVE ID     : CVE-2023-7101
Debian Bug : 1059450

It was discovered that missing input sanitising in libspreadsheet-parseexcel-perl, a Perl module to access information from Excel Spreadsheets, may result in the execution of arbitrary commands if a specially crafted document file is processed.

For the oldstable distribution (bullseye), this problem has been fixed in version 0.6500-1.1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 0.6500-4~deb12u1.

We recommend that you upgrade your libspreadsheet-parseexcel-perl packages.

For the detailed security status of libspreadsheet-parseexcel-perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libspreadsheet-parseexcel-perl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5593-1] linux security update
Debian Security Advisory DSA-5593-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 01, 2024   https://www.debian.org/security/faq

Package    : linux
CVE ID     : CVE-2023-6531 CVE-2023-6622 CVE-2023-6817 CVE-2023-6931 CVE-2023-51779 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2023-6531
Jann Horn discovered a use-after-free flaw due to a race condition problem when the unix garbage collector's deletion of a SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

CVE-2023-6622
Xingyuan Mo discovered a flaw in the netfilter subsystem which may result in denial of service or privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6817
Xingyuan Mo discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931
Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system which may result in denial of service or privilege escalation.

CVE-2023-51779
It was discovered that a race condition in the Bluetooth subsystem in the bt_sock_ioctl handling may lead to a use-after-free.

CVE-2023-51780
It was discovered that a race condition in the ATM (Asynchronous Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781
It was discovered that a race condition in the Appletalk subsystem may lead to a use-after-free.

CVE-2023-51782
It was discovered that a race condition in the Amateur Radio X.25 PLP (Rose) support may lead to a use-after-free.

For the stable distribution (bookworm), these problems have been fixed in version 6.1.69-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5594-1] linux security update
Debian Security Advisory DSA-5594-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 02, 2024   https://www.debian.org/security/faq

Package    : linux
CVE ID     : CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717 CVE-2023-6121 CVE-2023-6531 CVE-2023-6817 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 CVE-2023-34324 CVE-2023-35827 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-44879
Wenqing Liu reported a NULL pointer dereference in the f2fs implementation. An attacker able to mount a specially crafted image can take advantage of this flaw for denial of service.

CVE-2023-5178
Alon Zahavi reported a use-after-free flaw in the NVMe-oF/TCP subsystem in the queue initialization setup, which may result in denial of service or privilege escalation.

CVE-2023-5197
Kevin Rich discovered a use-after-free flaw in the netfilter subsystem which may result in denial of service or privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-5717
Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system caused by improper handling of event groups, which may result in denial of service or privilege escalation. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6121
Alon Zahavi reported an out-of-bounds read vulnerability in the NVMe-oF/TCP which may result in an information leak.

CVE-2023-6531
Jann Horn discovered a use-after-free flaw due to a race condition when the unix garbage collector's deletion of a SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

CVE-2023-6817
Xingyuan Mo discovered that a use-after-free in Netfilter's implementation of PIPAPO (PIle PAcket POlicies) may result in denial of service or potential local privilege escalation for a user with the CAP_NET_ADMIN capability in any user or network namespace.

CVE-2023-6931
Budimir Markovic reported a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system which may result in denial of service or privilege escalation. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.

CVE-2023-6932
A use-after-free vulnerability in the IPv4 IGMP implementation may result in denial of service or privilege escalation.

CVE-2023-25775
Ivan D Barrera, Christopher Bednarz, Mustafa Ismail and Shiraz Saleem discovered that improper access control in the Intel Ethernet Controller RDMA driver may result in privilege escalation.

CVE-2023-34324
Marek Marczykowski-Gorecki reported a possible deadlock in the Xen guests event channel code which may allow a malicious guest administrator to cause a denial of service.

CVE-2023-35827
Zheng Wang reported a use-after-free flaw in the Renesas Ethernet AVB support driver.

CVE-2023-45863
A race condition in library routines for handling generic kernel objects may result in an out-of-bounds write in the fill_kobj_path() function.

CVE-2023-46813
Tom Dohrmann reported that a race condition in the Secure Encrypted Virtualization (SEV) implementation when accessing MMIO registers may allow a local attacker in a SEV guest VM to cause a denial of service or potentially execute arbitrary code.

CVE-2023-46862
It was discovered that a race condition in the io_uring subsystem may result in a NULL pointer dereference, causing a denial of service.

CVE-2023-51780
It was discovered that a race condition in the ATM (Asynchronous Transfer Mode) subsystem may lead to a use-after-free.

CVE-2023-51781
It was discovered that a race condition in the Appletalk subsystem may lead to a use-after-free.

CVE-2023-51782
It was discovered that a race condition in the Amateur Radio X.25 PLP (Rose) support may lead to a use-after-free. This module is not auto-loaded on Debian systems, so this issue only affects systems where it is explicitly loaded.

For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.205-2.

We recommend that you upgrade
[SECURITY] [DSA 5597-1] exim4 security update
Debian Security Advisory DSA-5597-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 04, 2024   https://www.debian.org/security/faq

Package    : exim4
CVE ID     : CVE-2023-51766
Debian Bug : 1059387

It was discovered that Exim, a mail transport agent, can be induced to accept a second message embedded as part of the body of a first message in certain configurations where PIPELINING or CHUNKING on incoming connections is offered.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.94.2-7+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 4.96-15+deb12u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5603-1] xorg-server security update
Debian Security Advisory DSA-5603-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 23, 2024   https://www.debian.org/security/faq

Package    : xorg-server
CVE ID     : CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886

Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u11.

For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u5.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5608-1] gst-plugins-bad1.0 security update
Debian Security Advisory DSA-5608-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 27, 2024   https://www.debian.org/security/faq

Package    : gst-plugins-bad1.0
CVE ID     : CVE-2024-0444

A heap-based buffer overflow during tile list parsing was discovered in the AV1 video codec parser for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.18.4-3+deb11u4.

For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-4+deb12u5.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5609-1] slurm-wlm security update
Debian Security Advisory DSA-5609-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 28, 2024   https://www.debian.org/security/faq

Package    : slurm-wlm
CVE ID     : CVE-2023-49933 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938
Debian Bug : 1058720

Several vulnerabilities were discovered in the Slurm Workload Manager, a cluster resource management and job scheduling system, which may result in privilege escalation, denial of service, bypass of message hash checks or opening files with an incorrect set of extended groups.

For the stable distribution (bookworm), these problems have been fixed in version 22.05.8-4+deb12u2.

We recommend that you upgrade your slurm-wlm packages.

For the detailed security status of slurm-wlm please refer to its security tracker page at: https://security-tracker.debian.org/tracker/slurm-wlm

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5611-1] glibc security update
Debian Security Advisory DSA-5611-1   secur...@debian.org
https://www.debian.org/security/   Salvatore Bonaccorso
January 30, 2024   https://www.debian.org/security/faq

Package    : glibc
CVE ID     : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780

The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/syslog

Additionally a memory corruption was discovered in the glibc's qsort() function, due to missing bounds check and when called by a program with a non-transitive comparison function and a large number of attacker-controlled elements. As the use of qsort() with a non-transitive comparison function is undefined according to POSIX and ISO C standards, this is not considered a vulnerability in the glibc itself. However the qsort() implementation was hardened against misbehaving callers.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/qsort

For the stable distribution (bookworm), these problems have been fixed in version 2.36-9+deb12u4.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5614-1] zbar security update
Debian Security Advisory DSA-5614-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 03, 2024 https://www.debian.org/security/faq

Package: zbar
CVE ID : CVE-2023-40889 CVE-2023-40890
Debian Bug : 1051724

Two vulnerabilities were discovered in zbar, a library for scanning and decoding QR and bar codes, which may result in denial of service, information disclosure or potentially the execution of arbitrary code if a specially crafted code is processed.

For the oldstable distribution (bullseye), these problems have been fixed in version 0.23.90-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 0.23.92-7+deb12u1.

We recommend that you upgrade your zbar packages.

For the detailed security status of zbar please refer to its security tracker page at: https://security-tracker.debian.org/tracker/zbar

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5620-1] unbound security update
Debian Security Advisory DSA-5620-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 14, 2024 https://www.debian.org/security/faq

Package: unbound
CVE ID : CVE-2023-50387 CVE-2023-50868
Debian Bug : 1063845

Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.

Details can be found at https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt

For the oldstable distribution (bullseye), these problems have been fixed in version 1.13.1-1+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in version 1.17.1-2+deb12u2.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security tracker page at: https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5631-1] iwd security update
Debian Security Advisory DSA-5631-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 25, 2024 https://www.debian.org/security/faq

Package: iwd
CVE ID : CVE-2023-52161
Debian Bug : 1064062

It was discovered that iwd, the iNet Wireless Daemon, does not properly handle messages in the 4-way handshake used when connecting to a protected WiFi network for the first time. An attacker can take advantage of this flaw to gain unauthorized access to a protected WiFi network if iwd is operating in Access Point (AP) mode.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.14-3+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 2.3-1+deb12u1.

We recommend that you upgrade your iwd packages.

For the detailed security status of iwd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/iwd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5638-1] libuv1 security update
Debian Security Advisory DSA-5638-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 10, 2024 https://www.debian.org/security/faq

Package: libuv1
CVE ID : CVE-2024-24806
Debian Bug : 1063484

It was discovered that the uv_getaddrinfo() function in libuv, an asynchronous event notification library, incorrectly truncated certain hostnames, which may result in bypass of security measures on internal APIs or SSRF attacks.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.40.0-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1.44.2-1+deb12u1.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libuv1

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5641-1] fontforge security update
Debian Security Advisory DSA-5641-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 19, 2024 https://www.debian.org/security/faq

Package: fontforge
CVE ID : CVE-2024-25081 CVE-2024-25082
Debian Bug : 1064967

It was discovered that fontforge, a font editor, is prone to shell command injection vulnerabilities when processing specially crafted files.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:20201107~dfsg-4+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 1:20230101~dfsg-1.1~deb12u1.

We recommend that you upgrade your fontforge packages.

For the detailed security status of fontforge please refer to its security tracker page at: https://security-tracker.debian.org/tracker/fontforge

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5645-1] firefox-esr security update
Debian Security Advisory DSA-5645-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 23, 2024 https://www.debian.org/security/faq

Package: firefox-esr
CVE ID : CVE-2024-29944

Manfred Paul discovered a flaw in the Mozilla Firefox web browser, allowing an attacker to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process.

For the oldstable distribution (bullseye), this problem has been fixed in version 115.9.1esr-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 115.9.1esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5646-1] cacti security update
Debian Security Advisory DSA-5646-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2024 https://www.debian.org/security/faq

Package: cacti
CVE ID : CVE-2023-39360 CVE-2023-39513 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 CVE-2023-49088 CVE-2023-50250 CVE-2023-50569
Debian Bug : 1059254

Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, or command injection.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.2.16+ds1-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 1.2.24+ds1-1+deb12u2.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cacti

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5649-1] xz-utils security update
Debian Security Advisory DSA-5649-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 29, 2024 https://www.debian.org/security/faq

Package: xz-utils
CVE ID : CVE-2024-3094

Andres Freund discovered that the upstream source tarballs for xz-utils, the XZ-format compression utilities, are compromised and inject malicious code, at build time, into the resulting liblzma5 library.

Right now no Debian stable versions are known to be affected. Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1. The package has been reverted to use the upstream 5.4.5 code, which we have versioned 5.6.1+really5.4.5-1.

Users running Debian testing and unstable are urged to update the xz-utils packages.

For the detailed security status of xz-utils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xz-utils

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5650-1] util-linux security update
Debian Security Advisory DSA-5650-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 31, 2024 https://www.debian.org/security/faq

Package: util-linux
CVE ID : CVE-2024-28085
Debian Bug : 1067849

Skyler Ferrante discovered that the wall tool from util-linux does not properly handle escape sequences from command line arguments. A local attacker can take advantage of this flaw for information disclosure.

With this update wall and write are not anymore installed with setgid tty.

For the oldstable distribution (bullseye), this problem has been fixed in version 2.36.1-8+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 2.38.1-5+deb12u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/util-linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5657-1] xorg-server security update
Debian Security Advisory DSA-5657-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 12, 2024 https://www.debian.org/security/faq

Package: xorg-server
CVE ID : CVE-2024-31080 CVE-2024-31081 CVE-2024-31083

Several vulnerabilities were discovered in the Xorg X server, which may result in privilege escalation if the X server is running privileged or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u13.

For the stable distribution (bookworm), these problems have been fixed in version 2:21.1.7-3+deb12u7.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5658-1] linux security update
Debian Security Advisory DSA-5658-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 13, 2024 https://www.debian.org/security/faq

Package: linux
CVE ID : CVE-2023-2176 CVE-2023-6270 CVE-2023-7042 CVE-2023-28746 CVE-2023-47233 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435 CVE-2023-52583 CVE-2023-52584 CVE-2023-52587 CVE-2023-52588 CVE-2023-52589 CVE-2023-52593 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52606 CVE-2023-52607 CVE-2023-52616 CVE-2023-52617 CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52621 CVE-2023-52622 CVE-2023-52623 CVE-2023-52630 CVE-2023-52631 CVE-2023-52632 CVE-2023-52633 CVE-2023-52635 CVE-2023-52637 CVE-2023-52638 CVE-2023-52639 CVE-2023-52640 CVE-2023-52641 CVE-2024-0340 CVE-2024-0841 CVE-2024-1151 CVE-2024-2201 CVE-2024-22099 CVE-2024-23850 CVE-2024-23851 CVE-2024-24857 CVE-2024-24858 CVE-2024-26581 CVE-2024-26582 CVE-2024-26583 CVE-2024-26584 CVE-2024-26585 CVE-2024-26586 CVE-2024-26590 CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602 CVE-2024-26603 CVE-2024-26606 CVE-2024-26621 CVE-2024-26622 CVE-2024-26625 CVE-2024-26626 CVE-2024-26627 CVE-2024-26629 CVE-2024-26639 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642 CVE-2024-26643 CVE-2024-26651 CVE-2024-26654 CVE-2024-26659 CVE-2024-26660 CVE-2024-26663 CVE-2024-26664 CVE-2024-26665 CVE-2024-26667 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675 CVE-2024-26676 CVE-2024-26679 CVE-2024-26680 CVE-2024-26681 CVE-2024-26684 CVE-2024-26685 CVE-2024-26686 CVE-2024-26687 CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696 CVE-2024-26697 CVE-2024-26698 CVE-2024-26700 CVE-2024-26702 CVE-2024-26704 CVE-2024-26706 CVE-2024-26707 CVE-2024-26710 CVE-2024-26712 CVE-2024-26714 CVE-2024-26715 CVE-2024-26717 CVE-2024-26718 CVE-2024-26720 CVE-2024-26722 CVE-2024-26723 CVE-2024-26726 CVE-2024-26727 CVE-2024-26731 CVE-2024-26733 CVE-2024-26735 CVE-2024-26736 CVE-2024-26737 CVE-2024-26741 CVE-2024-26742 CVE-2024-26743 CVE-2024-26744 CVE-2024-26745 CVE-2024-26747 CVE-2024-26748 CVE-2024-26749 CVE-2024-26750 CVE-2024-26751 CVE-2024-26752 CVE-2024-26753 CVE-2024-26754 CVE-2024-26759 CVE-2024-26760 CVE-2024-26761 CVE-2024-26763 CVE-2024-26764 CVE-2024-26765 CVE-2024-26766 CVE-2024-26769 CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26774 CVE-2024-26775 CVE-2024-26776 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26780 CVE-2024-26781 CVE-2024-26782 CVE-2024-26787 CVE-2024-26788 CVE-2024-26789 CVE-2024-26790 CVE-2024-26791 CVE-2024-26792 CVE-2024-26793 CVE-2024-26795 CVE-2024-26798 CVE-2024-26800 CVE-2024-26801 CVE-2024-26802 CVE-2024-26803 CVE-2024-26804 CVE-2024-26805 CVE-2024-26809 CVE-2024-26810 CVE-2024-26811 CVE-2024-26812 CVE-2024-26813 CVE-2024-26814 CVE-2024-26815 CVE-2024-26816 CVE-2024-27437

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the stable distribution (bookworm), these problems have been fixed in version 6.1.85-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5655-2] cockpit regression update
Debian Security Advisory DSA-5655-2 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 16, 2024 https://www.debian.org/security/faq

Package: cockpit
Debian Bug : 1069059

The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.

For the stable distribution (bookworm), this problem has been fixed in version 287.1-0+deb12u2.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5673-1] glibc security update
Debian Security Advisory DSA-5673-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 23, 2024 https://www.debian.org/security/faq

Package: glibc
CVE ID : CVE-2024-2961
Debian Bug : 1069191

Charles Fol discovered that the iconv() function in the GNU C library is prone to a buffer overflow vulnerability when converting strings to the ISO-2022-CN-EXT character set, which may lead to denial of service (application crash) or the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 2.31-13+deb11u9.

For the stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u6.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5678-1] glibc security update
Debian Security Advisory DSA-5678-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 03, 2024 https://www.debian.org/security/faq

Package: glibc
CVE ID : CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602

Several vulnerabilities were discovered in nscd, the Name Service Cache Daemon in the GNU C library which may lead to denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.31-13+deb11u10.

For the stable distribution (bookworm), these problems have been fixed in version 2.36-9+deb12u7.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5679-1] less security update
Debian Security Advisory DSA-5679-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 03, 2024 https://www.debian.org/security/faq

Package: less
CVE ID : CVE-2022-48624 CVE-2024-32487
Debian Bug : 1064293 1068938 1069681

Several vulnerabilities were discovered in less, a file pager, which may result in the execution of arbitrary commands if a file with a specially crafted file name is processed.

For the oldstable distribution (bullseye), these problems have been fixed in version 551-2+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in version 590-2.1~deb12u2.

We recommend that you upgrade your less packages.

For the detailed security status of less please refer to its security tracker page at: https://security-tracker.debian.org/tracker/less

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 5680-1] linux security update
Debian Security Advisory DSA-5680-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 06, 2024 https://www.debian.org/security/faq

Package: linux
CVE ID: CVE-2024-26605 CVE-2024-26817 CVE-2024-26922 CVE-2024-26923 CVE-2024-26924 CVE-2024-26925 CVE-2024-26926 CVE-2024-26936 CVE-2024-26939 CVE-2024-26980 CVE-2024-26981 CVE-2024-26983 CVE-2024-26984 CVE-2024-26987 CVE-2024-26988 CVE-2024-26989 CVE-2024-26992 CVE-2024-26993 CVE-2024-26994 CVE-2024-26996 CVE-2024-26997 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001 CVE-2024-27002 CVE-2024-27003 CVE-2024-27004 CVE-2024-27008 CVE-2024-27009 CVE-2024-27013 CVE-2024-27014 CVE-2024-27015 CVE-2024-27016 CVE-2024-27018 CVE-2024-27019 CVE-2024-27020 CVE-2024-27022

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the stable distribution (bookworm), these problems have been fixed in version 6.1.90-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5681-1] linux security update
Debian Security Advisory DSA-5681-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 06, 2024 https://www.debian.org/security/faq

Package: linux
CVE ID: CVE-2023-6270 CVE-2023-7042 CVE-2023-28746 CVE-2023-47233 CVE-2023-52429 CVE-2023-52434 CVE-2023-52435 CVE-2023-52447 CVE-2023-52458 CVE-2023-52482 CVE-2023-52486 CVE-2023-52488 CVE-2023-52489 CVE-2023-52491 CVE-2023-52492 CVE-2023-52493 CVE-2023-52497 CVE-2023-52498 CVE-2023-52583 CVE-2023-52587 CVE-2023-52594 CVE-2023-52595 CVE-2023-52597 CVE-2023-52598 CVE-2023-52599 CVE-2023-52600 CVE-2023-52601 CVE-2023-52602 CVE-2023-52603 CVE-2023-52604 CVE-2023-52606 CVE-2023-52607 CVE-2023-52614 CVE-2023-52615 CVE-2023-52616 CVE-2023-52617 CVE-2023-52618 CVE-2023-52619 CVE-2023-52620 CVE-2023-52622 CVE-2023-52623 CVE-2023-52627 CVE-2023-52635 CVE-2023-52637 CVE-2023-52642 CVE-2023-52644 CVE-2023-52650 CVE-2024-0340 CVE-2024-0565 CVE-2024-0607 CVE-2024-0841 CVE-2024-1151 CVE-2024-22099 CVE-2024-23849 CVE-2024-23850 CVE-2024-23851 CVE-2024-24857 CVE-2024-24858 CVE-2024-24861 CVE-2024-26581 CVE-2024-26593 CVE-2024-26600 CVE-2024-26601 CVE-2024-26602 CVE-2024-26606 CVE-2024-26610 CVE-2024-26614 CVE-2024-26615 CVE-2024-26622 CVE-2024-26625 CVE-2024-26627 CVE-2024-26635 CVE-2024-26636 CVE-2024-26640 CVE-2024-26641 CVE-2024-26642 CVE-2024-26643 CVE-2024-26644 CVE-2024-26645 CVE-2024-26651 CVE-2024-26654 CVE-2024-26659 CVE-2024-26663 CVE-2024-26664 CVE-2024-26665 CVE-2024-26671 CVE-2024-26673 CVE-2024-26675 CVE-2024-26679 CVE-2024-26684 CVE-2024-26685 CVE-2024-26687 CVE-2024-26688 CVE-2024-26689 CVE-2024-26695 CVE-2024-26696 CVE-2024-26697 CVE-2024-26698 CVE-2024-26702 CVE-2024-26704 CVE-2024-26707 CVE-2024-26712 CVE-2024-26720 CVE-2024-26722 CVE-2024-26727 CVE-2024-26733 CVE-2024-26735 CVE-2024-26736 CVE-2024-26743 CVE-2024-26744 CVE-2024-26747 CVE-2024-26748 CVE-2024-26749 CVE-2024-26751 CVE-2024-26752 CVE-2024-26753 CVE-2024-26754 CVE-2024-26763
CVE-2024-26764 CVE-2024-26766 CVE-2024-26771 CVE-2024-26772 CVE-2024-26773 CVE-2024-26776 CVE-2024-26777 CVE-2024-26778 CVE-2024-26779 CVE-2024-26781 CVE-2024-26782 CVE-2024-26787 CVE-2024-26788 CVE-2024-26790 CVE-2024-26791 CVE-2024-26793 CVE-2024-26795 CVE-2024-26801 CVE-2024-26804 CVE-2024-26805 CVE-2024-26808 CVE-2024-26809 CVE-2024-26810 CVE-2024-26812 CVE-2024-26813 CVE-2024-26814 CVE-2024-26816 CVE-2024-26817 CVE-2024-26820 CVE-2024-26825 CVE-2024-26833 CVE-2024-26835 CVE-2024-26839 CVE-2024-26840 CVE-2024-26843 CVE-2024-26845 CVE-2024-26846 CVE-2024-26848 CVE-2024-26851 CVE-2024-26852 CVE-2024-26855 CVE-2024-26857 CVE-2024-26859 CVE-2024-26861 CVE-2024-26862 CVE-2024-26863 CVE-2024-26870 CVE-2024-26872 CVE-2024-26874 CVE-2024-26875 CVE-2024-26877 CVE-2024-26878 CVE-2024-26880 CVE-2024-26882 CVE-2024-26883 CVE-2024-26884 CVE-2024-26885 CVE-2024-26889 CVE-2024-26891 CVE-2024-26894 CVE-2024-26895 CVE-2024-26897 CVE-2024-26898 CVE-2024-26901 CVE-2024-26903 CVE-2024-26906 CVE-2024-26907 CVE-2024-26910 CVE-2024-26917 CVE-2024-26920 CVE-2024-26922 CVE-2024-26923 CVE-2024-26924 CVE-2024-26925 CVE-2024-26926 CVE-2024-26931 CVE-2024-26934 CVE-2024-26935 CVE-2024-26937 CVE-2024-26950 CVE-2024-26951 CVE-2024-26955 CVE-2024-26956 CVE-2024-26957 CVE-2024-26958 CVE-2024-26960 CVE-2024-26961 CVE-2024-26965 CVE-2024-26966 CVE-2024-26969 CVE-2024-26970 CVE-2024-26973 CVE-2024-26974 CVE-2024-26976 CVE-2024-26978 CVE-2024-26979 CVE-2024-26981 CVE-2024-26984 CVE-2024-26988 CVE-2024-26993 CVE-2024-26994 CVE-2024-26997 CVE-2024-26999 CVE-2024-27000 CVE-2024-27001 CVE-2024-27004 CVE-2024-27008 CVE-2024-27013 CVE-2024-27020 CVE-2024-27024 CVE-2024-27025 CVE-2024-27028 CVE-2024-27030 CVE-2024-27038 CVE-2024-27043 CVE-2024-27044 CVE-2024-27045 CVE-2024-27046
[SECURITY] [DSA 5682-1] glib2.0 security update
Debian Security Advisory DSA-5682-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 07, 2024 https://www.debian.org/security/faq

Package: glib2.0
CVE ID: CVE-2024-34397

Alicia Boya Garcia reported that the GDBus signal subscriptions in the GLib library are prone to a spoofing vulnerability. A local attacker can take advantage of this flaw to cause a GDBus-based client to behave incorrectly, with an application-dependent impact.

gnome-shell is updated along with this update to avoid a screencast regression after fixing CVE-2024-34397.

For the oldstable distribution (bullseye), this problem has been fixed in version 2.66.8-1+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 2.74.6-2+deb12u1.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5682-2] glib2.0 regression update
Debian Security Advisory DSA-5682-2 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 09, 2024 https://www.debian.org/security/faq

Package: glib2.0
Debian Bug: 1070730 1070736 1070743 1070745 1070749 1070752

The update for glib2.0 released as DSA 5682-1 caused a regression in ibus affecting text entry with non-trivial input methods. Updated glib2.0 packages are available to correct this issue.

For the oldstable distribution (bullseye), this problem has been fixed in version 2.66.8-1+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in version 2.74.6-2+deb12u2.

We recommend that you upgrade your glib2.0 packages.

For the detailed security status of glib2.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/glib2.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5692-1] ghostscript security update
Debian Security Advisory DSA-5692-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
May 15, 2024 https://www.debian.org/security/faq

Package: ghostscript
CVE ID: CVE-2023-52722 CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

For the oldstable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u7.

For the stable distribution (bookworm), these problems have been fixed in version 10.0.0~dfsg-11+deb12u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5702-1] gst-plugins-base1.0 security update
Debian Security Advisory DSA-5702-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 01, 2024 https://www.debian.org/security/faq

Package: gst-plugins-base1.0
CVE ID: CVE-2024-4453

An integer overflow in the EXIF metadata parsing was discovered in the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.18.4-2+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-3+deb12u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5703-1] linux security update
Debian Security Advisory DSA-5703-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 02, 2024 https://www.debian.org/security/faq

Package: linux
CVE ID: CVE-2022-48655 CVE-2023-52585 CVE-2023-52882 CVE-2024-26900 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-35848 CVE-2024-35947 CVE-2024-36017 CVE-2024-36031 CVE-2024-36883 CVE-2024-36886 CVE-2024-36889 CVE-2024-36902 CVE-2024-36904 CVE-2024-36905 CVE-2024-36916 CVE-2024-36919 CVE-2024-36929 CVE-2024-36933 CVE-2024-36934 CVE-2024-36939 CVE-2024-36940 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36953 CVE-2024-36954 CVE-2024-36957 CVE-2024-36959

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.218-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5706-1] libarchive security update
Debian Security Advisory DSA-5706-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 05, 2024 https://www.debian.org/security/faq

Package: libarchive
CVE ID: CVE-2024-26256
Debian Bug: 1072107

An integer overflow vulnerability in the rar e8 filter was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed.

For the stable distribution (bookworm), this problem has been fixed in version 3.6.2-1+deb12u1.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libarchive

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5718-1] org-mode security update
Debian Security Advisory DSA-5718-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 25, 2024 https://www.debian.org/security/faq

Package: org-mode
CVE ID: CVE-2024-39331
Debian Bug: 1074136

It was discovered that Org Mode for Emacs is prone to arbitrary shell code evaluation when opening a specially crafted Org file.

This update includes updates pending for the upcoming point releases including other security fixes.

For the oldstable distribution (bullseye), this problem has been fixed in version 9.4.0+dfsg-1+deb11u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/org-mode

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5719-1] emacs security update
Debian Security Advisory DSA-5719-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 25, 2024 https://www.debian.org/security/faq

Package: emacs
CVE ID: CVE-2024-39331
Debian Bug: 1074137

It was discovered that Emacs is prone to arbitrary shell code evaluation when opening a specially crafted Org file.

This update includes updates pending for the upcoming point releases including other security fixes.

For the oldstable distribution (bullseye), this problem has been fixed in version 1:27.1+1-3.1+deb11u5.

For the stable distribution (bookworm), this problem has been fixed in version 1:28.2+1-15+deb12u3.

We recommend that you upgrade your emacs packages.

For the detailed security status of emacs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/emacs

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5724-1] openssh security update
Debian Security Advisory DSA-5724-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 01, 2024 https://www.debian.org/security/faq

Package: openssh
CVE ID: CVE-2024-6387

The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration.

Details can be found in the Qualys advisory at https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

For the stable distribution (bookworm), this problem has been fixed in version 1:9.2p1-2+deb12u3.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5725-1] znc security update
Debian Security Advisory DSA-5725-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 03, 2024 https://www.debian.org/security/faq

Package: znc
CVE ID: CVE-2024-39844
Debian Bug: 1075729

Johannes Kuhn discovered that messages and channel names are not properly escaped in the modtcl module in ZNC, an IRC bouncer, which could result in remote code execution via specially crafted messages.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.8.2-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1.8.2-3.1+deb12u1.

We recommend that you upgrade your znc packages.

For the detailed security status of znc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/znc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5726-1] krb5 security update
Debian Security Advisory DSA-5726-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 05, 2024 https://www.debian.org/security/faq

Package: krb5
CVE ID: CVE-2024-37370 CVE-2024-37371

Two vulnerabilities were discovered in the GSS message token handling in krb5, the MIT implementation of Kerberos. An attacker can take advantage of these flaws to bypass integrity protections or cause a denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.18.3-6+deb11u5.

For the stable distribution (bookworm), these problems have been fixed in version 1.20.1-2+deb12u2.

We recommend that you upgrade your krb5 packages.

For the detailed security status of krb5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/krb5

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5727-1] firefox-esr security update
Debian Security Advisory DSA-5727-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 10, 2024 https://www.debian.org/security/faq

Package: firefox-esr
CVE ID: CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation.

For the oldstable distribution (bullseye), these problems have been fixed in version 115.13.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 115.13.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5728-1] exim4 security update
Debian Security Advisory DSA-5728-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 10, 2024    https://www.debian.org/security/faq

Package        : exim4
CVE ID         : CVE-2024-39929
Debian Bug     : 1075785

Phillip Szelat discovered that Exim, a mail transport agent, does not properly parse a multiline RFC 2231 header filename, allowing a remote attacker to bypass a $mime_filename based extension-blocking protection mechanism.

For the oldstable distribution (bullseye), this problem has been fixed in version 4.94.2-7+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in version 4.96-15+deb12u5.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5729-1] apache2 security update
Debian Security Advisory DSA-5729-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 11, 2024    https://www.debian.org/security/faq

Package        : apache2
CVE ID         : CVE-2024-36387 CVE-2024-38473 CVE-2024-38474 CVE-2024-38475
                 CVE-2024-38476 CVE-2024-38477 CVE-2024-39573

Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.4.61-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 2.4.61-1~deb12u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5730-1] linux security update
Debian Security Advisory DSA-5730-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 15, 2024    https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2022-43945 CVE-2022-48772 CVE-2024-25741 CVE-2024-26629
                 CVE-2024-27019 CVE-2024-31076 CVE-2024-33621 CVE-2024-33847
                 CVE-2024-34027 CVE-2024-35247 CVE-2024-36014 CVE-2024-36015
                 CVE-2024-36016 CVE-2024-36270 CVE-2024-36286 CVE-2024-36288
                 CVE-2024-36489 CVE-2024-36894 CVE-2024-36971 CVE-2024-36974
                 CVE-2024-36978 CVE-2024-37078 CVE-2024-37353 CVE-2024-37356
                 CVE-2024-38381 CVE-2024-38546 CVE-2024-38547 CVE-2024-38548
                 CVE-2024-38549 CVE-2024-38552 CVE-2024-38555 CVE-2024-38558
                 CVE-2024-38559 CVE-2024-38560 CVE-2024-38565 CVE-2024-38567
                 CVE-2024-38578 CVE-2024-38579 CVE-2024-38582 CVE-2024-38583
                 CVE-2024-38586 CVE-2024-38587 CVE-2024-38589 CVE-2024-38590
                 CVE-2024-38596 CVE-2024-38597 CVE-2024-38598 CVE-2024-38599
                 CVE-2024-38601 CVE-2024-38605 CVE-2024-38607 CVE-2024-38612
                 CVE-2024-38613 CVE-2024-38615 CVE-2024-38618 CVE-2024-38619
                 CVE-2024-38621 CVE-2024-38627 CVE-2024-38633 CVE-2024-38634
                 CVE-2024-38635 CVE-2024-38637 CVE-2024-38659 CVE-2024-38661
                 CVE-2024-38662 CVE-2024-38780 CVE-2024-39276 CVE-2024-39292
                 CVE-2024-39301 CVE-2024-39467 CVE-2024-39468 CVE-2024-39469
                 CVE-2024-39471 CVE-2024-39475 CVE-2024-39476 CVE-2024-39480
                 CVE-2024-39482 CVE-2024-39484 CVE-2024-39488 CVE-2024-39489
                 CVE-2024-39493 CVE-2024-39495 CVE-2024-39499 CVE-2024-39501
                 CVE-2024-39502 CVE-2024-39503 CVE-2024-39505 CVE-2024-39506
                 CVE-2024-39509 CVE-2024-40901 CVE-2024-40902 CVE-2024-40904
                 CVE-2024-40905 CVE-2024-40912 CVE-2024-40916 CVE-2024-40929
                 CVE-2024-40931 CVE-2024-40932 CVE-2024-40934 CVE-2024-40941
                 CVE-2024-40942 CVE-2024-40943 CVE-2024-40945 CVE-2024-40958
                 CVE-2024-40959 CVE-2024-40960 CVE-2024-40961 CVE-2024-40963
                 CVE-2024-40968 CVE-2024-40971 CVE-2024-40974 CVE-2024-40976
                 CVE-2024-40978 CVE-2024-40980 CVE-2024-40981 CVE-2024-40983
                 CVE-2024-40984 CVE-2024-40987 CVE-2024-40988 CVE-2024-40990
                 CVE-2024-40993 CVE-2024-40995 CVE-2024-41000 CVE-2024-41004
                 CVE-2024-41005 CVE-2024-41006

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.221-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5731-1] linux security update
Debian Security Advisory DSA-5731-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 16, 2024    https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2023-52760 CVE-2024-25741 CVE-2024-27397 CVE-2024-36894
                 CVE-2024-36973 CVE-2024-36978 CVE-2024-37078 CVE-2024-38619
                 CVE-2024-39298 CVE-2024-39371 CVE-2024-39469 CVE-2024-39474
                 CVE-2024-39484 CVE-2024-39487 CVE-2024-39494 CVE-2024-39495
                 CVE-2024-39496 CVE-2024-39499 CVE-2024-39500 CVE-2024-39501
                 CVE-2024-39502 CVE-2024-39503 CVE-2024-39505 CVE-2024-39506
                 CVE-2024-39507 CVE-2024-39509 CVE-2024-39510 CVE-2024-40899
                 CVE-2024-40900 CVE-2024-40901 CVE-2024-40902 CVE-2024-40903
                 CVE-2024-40904 CVE-2024-40905 CVE-2024-40906 CVE-2024-40908
                 CVE-2024-40910 CVE-2024-40911 CVE-2024-40912 CVE-2024-40913
                 CVE-2024-40914 CVE-2024-40915 CVE-2024-40916 CVE-2024-40919
                 CVE-2024-40920 CVE-2024-40921 CVE-2024-40924 CVE-2024-40927
                 CVE-2024-40929 CVE-2024-40931 CVE-2024-40932 CVE-2024-40934
                 CVE-2024-40935 CVE-2024-40937 CVE-2024-40938 CVE-2024-40939
                 CVE-2024-40940 CVE-2024-40941 CVE-2024-40942 CVE-2024-40943
                 CVE-2024-40947 CVE-2024-40948 CVE-2024-40953 CVE-2024-40954
                 CVE-2024-40956 CVE-2024-40957 CVE-2024-40958 CVE-2024-40959
                 CVE-2024-40960 CVE-2024-40961 CVE-2024-40963 CVE-2024-40966
                 CVE-2024-40967 CVE-2024-40968 CVE-2024-40970 CVE-2024-40971
                 CVE-2024-40974 CVE-2024-40976 CVE-2024-40977 CVE-2024-40978
                 CVE-2024-40980 CVE-2024-40981 CVE-2024-40983 CVE-2024-40984
                 CVE-2024-40987 CVE-2024-40988 CVE-2024-40989 CVE-2024-40990
                 CVE-2024-40993 CVE-2024-40994 CVE-2024-40995 CVE-2024-40996
                 CVE-2024-41000 CVE-2024-41001 CVE-2024-41002 CVE-2024-41004
                 CVE-2024-41005 CVE-2024-41006

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the stable distribution (bookworm), these problems have been fixed in version 6.1.99-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5733-1] thunderbird security update
Debian Security Advisory DSA-5733-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 18, 2024    https://www.debian.org/security/faq

Package        : thunderbird
CVE ID         : CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604

Multiple security issues were discovered in Thunderbird, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.13.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 1:115.13.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at: https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5734-1] bind9 security update
Debian Security Advisory DSA-5734-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 25, 2024    https://www.debian.org/security/faq

Package        : bind9
CVE ID         : CVE-2024-0760 CVE-2024-1737 CVE-2024-1975 CVE-2024-4076

Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

To mitigate CVE-2024-1737 two new configuration statements have been added to allow operators of secondary servers and recursive resolvers to set an upper bound on the growth of data in their zones or caches. Details can be found at: https://kb.isc.org/docs/rrset-limits-in-zones

For the oldstable distribution (bullseye), these problems have been fixed in version 1:9.16.50-1~deb11u1. For the oldstable distribution (bullseye) the limits to mitigate CVE-2024-1737 are hardcoded and not configurable.

For the stable distribution (bookworm), these problems have been fixed in version 1:9.18.28-1~deb12u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5734-2] bind9 regression update
Debian Security Advisory DSA-5734-2    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
July 27, 2024    https://www.debian.org/security/faq

Package        : bind9
Debian Bug     : 1074378

The security update announced as DSA 5734-1 caused a regression on configurations using the Samba DLZ module. Updated packages are now available to correct this issue.

For the stable distribution (bookworm), this problem has been fixed in version 1:9.18.28-1~deb12u2.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5739-1] wpa security update
Debian Security Advisory DSA-5739-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
August 06, 2024    https://www.debian.org/security/faq

Package        : wpa
CVE ID         : CVE-2024-5290

Rory McNamara reported a local privilege escalation in wpasupplicant: A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root.

For the oldstable distribution (bullseye), this problem has been fixed in version 2:2.9.0-21+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in version 2:2.10-12+deb12u2.

We recommend that you upgrade your wpa packages.

For the detailed security status of wpa please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wpa

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5747-1] linux security update
Debian Security Advisory DSA-5747-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
August 12, 2024    https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2022-48666 CVE-2024-36484 CVE-2024-36901 CVE-2024-36938
                 CVE-2024-39487 CVE-2024-40947 CVE-2024-41007 CVE-2024-41009
                 CVE-2024-41012 CVE-2024-41015 CVE-2024-41017 CVE-2024-41020
                 CVE-2024-41022 CVE-2024-41034 CVE-2024-41035 CVE-2024-41040
                 CVE-2024-41041 CVE-2024-41044 CVE-2024-41046 CVE-2024-41049
                 CVE-2024-41055 CVE-2024-41059 CVE-2024-41063 CVE-2024-41064
                 CVE-2024-41065 CVE-2024-41068 CVE-2024-41070 CVE-2024-41072
                 CVE-2024-41077 CVE-2024-41078 CVE-2024-41081 CVE-2024-41090
                 CVE-2024-41091 CVE-2024-42101 CVE-2024-42102 CVE-2024-42104
                 CVE-2024-42105 CVE-2024-42106 CVE-2024-42115 CVE-2024-42119
                 CVE-2024-42120 CVE-2024-42121 CVE-2024-42124 CVE-2024-42127
                 CVE-2024-42131 CVE-2024-42137 CVE-2024-42143 CVE-2024-42145
                 CVE-2024-42148 CVE-2024-42152 CVE-2024-42153 CVE-2024-42154
                 CVE-2024-42157 CVE-2024-42161 CVE-2024-42223 CVE-2024-42224
                 CVE-2024-42229 CVE-2024-42232 CVE-2024-42236 CVE-2024-42244
                 CVE-2024-42247

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.223-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5749-1] flatpak security update
Debian Security Advisory DSA-5749-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
August 14, 2024    https://www.debian.org/security/faq

Package        : flatpak
CVE ID         : CVE-2024-42472

Chris Williams discovered a flaw in the handling of mounts for persistent directories in Flatpak, an application deployment framework for desktop apps. A malicious or compromised Flatpak app using persistent directories could take advantage of this flaw to access files outside of the sandbox.

Details can be found in the upstream advisory at https://github.com/flatpak/flatpak/security/advisories/GHSA-7hgv-f2j8-xw87

For the stable distribution (bookworm), this problem has been fixed in version 1.14.10-1~deb12u1. To address the vulnerability, flatpak uses a new feature provided in bubblewrap and provided in version 0.8.0-2+deb12u1 along with this update.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to its security tracker page at: https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5760-1] ghostscript security update
Debian Security Advisory DSA-5760-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
August 29, 2024    https://www.debian.org/security/faq

Package        : ghostscript
CVE ID         : CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

For the stable distribution (bookworm), these problems have been fixed in version 10.0.0~dfsg-11+deb12u5.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5764-1] openssl security update
Debian Security Advisory DSA-5764-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
September 03, 2024    https://www.debian.org/security/faq

Package        : openssl
CVE ID         : CVE-2024-6119

David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service.

Additional details can be found in the upstream advisory: https://openssl-library.org/news/secadv/20240903.txt

For the stable distribution (bookworm), this problem has been fixed in version 3.0.14-1~deb12u2.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5769-1] git security update
Debian Security Advisory DSA-5769-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
September 13, 2024    https://www.debian.org/security/faq

Package        : git
CVE ID         : CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 CVE-2024-32002
                 CVE-2024-32004 CVE-2024-32020 CVE-2024-32021 CVE-2024-32465
Debian Bug     : 1034835 1071160

Multiple issues were found in Git, a fast, scalable, distributed revision control system, which may result in file overwrites outside the repository, arbitrary configuration injection or arbitrary code execution.

For the stable distribution (bookworm), these problems have been fixed in version 1:2.39.5-0+deb12u1.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to its security tracker page at: https://security-tracker.debian.org/tracker/git

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3890-1] spip security update
Debian Security Advisory DSA-3890-1    secur...@debian.org
https://www.debian.org/security/    Salvatore Bonaccorso
June 21, 2017    https://www.debian.org/security/faq

Package        : spip
CVE ID         : CVE-2017-9736
Debian Bug     : 864921

Emeric Boit of ANSSI reported that SPIP, a website engine for publishing, insufficiently sanitises the value from the X-Forwarded-Host HTTP header field. An unauthenticated attacker can take advantage of this flaw to cause remote code execution.

For the stable distribution (stretch), this problem has been fixed in version 3.1.4-3~deb9u1.

For the testing distribution (buster), this problem has been fixed in version 3.1.4-3.

For the unstable distribution (sid), this problem has been fixed in version 3.1.4-3.

We recommend that you upgrade your spip packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3893-1] jython security update
Debian Security Advisory DSA-3893-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq

Package: jython
CVE ID: CVE-2016-4000
Debian Bug: 864859

Alvaro Munoz and Christian Schneider discovered that jython, an implementation of the Python language seamlessly integrated with Java, is prone to arbitrary code execution triggered when sending a serialized function to the deserializer.

For the oldstable distribution (jessie), this problem has been fixed in version 2.5.3-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.5.3-16+deb9u1.

For the unstable distribution (sid), this problem has been fixed in version 2.5.3-17.

We recommend that you upgrade your jython packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3896-1] apache2 security update
Debian Security Advisory DSA-3896-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 22, 2017 https://www.debian.org/security/faq

Package: apache2
CVE ID: CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 CVE-2017-7679

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2017-3167
Emmanuel Dreyfus reported that the use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

CVE-2017-3169
Vasileios Panopoulos of AdNovum Informatik AG discovered that mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port leading to a denial of service.

CVE-2017-7659
Robert Swiecki reported that a specially crafted HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process.

CVE-2017-7668
Javier Jimenez reported that the HTTP strict parsing contains a flaw leading to a buffer overread in ap_find_token(). A remote attacker can take advantage of this flaw by carefully crafting a sequence of request headers to cause a segmentation fault, or to force ap_find_token() to return an incorrect value.

CVE-2017-7679
ChenQin and Hanno Boeck reported that mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header.

For the oldstable distribution (jessie), these problems have been fixed in version 2.4.10-10+deb8u9. The oldstable distribution (jessie) is not affected by CVE-2017-7659.

For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u1.

For the unstable distribution (sid), these problems have been fixed in version 2.4.25-4.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3897-1] drupal7 security update
Debian Security Advisory DSA-3897-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 24, 2017 https://www.debian.org/security/faq

Package: drupal7
CVE ID: CVE-2015-7943 CVE-2017-6922
Debian Bug: 865498

Two vulnerabilities were discovered in Drupal, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2015-7943
Samuel Mortenson and Pere Orga discovered that the overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. More information can be found at https://www.drupal.org/SA-CORE-2015-004

CVE-2017-6922
Greg Knaddison, Mori Sugimoto and iancawthorne discovered that files uploaded by anonymous users into a private file system can be accessed by other anonymous users leading to an access bypass vulnerability. More information can be found at https://www.drupal.org/SA-CORE-2017-003

For the oldstable distribution (jessie), these problems have been fixed in version 7.32-1+deb8u9.

For the stable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u1. For the stable distribution (stretch), CVE-2015-7943 was already fixed before the initial release.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3898-1] expat security update
Debian Security Advisory DSA-3898-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 25, 2017 https://www.debian.org/security/faq

Package: expat
CVE ID: CVE-2016-9063 CVE-2017-9233

Multiple vulnerabilities have been discovered in Expat, an XML parsing C library. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2016-9063
Gustavo Grieco discovered an integer overflow flaw during parsing of XML. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.

CVE-2017-9233
Rhodri James discovered an infinite loop vulnerability within the entityValueInitProcessor() function while parsing malformed XML in an external entity. An attacker can take advantage of this flaw to cause a denial of service against an application using the Expat library.

For the oldstable distribution (jessie), these problems have been fixed in version 2.1.0-6+deb8u4.

For the stable distribution (stretch), these problems have been fixed in version 2.2.0-2+deb9u1. For the stable distribution (stretch), CVE-2016-9063 was already fixed before the initial release.

For the testing distribution (buster), these problems have been fixed in version 2.2.1-1 or earlier version.

For the unstable distribution (sid), these problems have been fixed in version 2.2.1-1 or earlier version.

We recommend that you upgrade your expat packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3899-1] vlc security update
Debian Security Advisory DSA-3899-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 27, 2017 https://www.debian.org/security/faq

Package: vlc
CVE ID: CVE-2017-8310 CVE-2017-8311 CVE-2017-8312 CVE-2017-8313

Several vulnerabilities have been found in VLC, the VideoLAN project's media player. Processing malformed subtitles or movie files could lead to denial of service and potentially the execution of arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 2.2.6-1~deb8u1.

We recommend that you upgrade your vlc packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3886-2] linux regression update
Debian Security Advisory DSA-3886-2 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
June 27, 2017 https://www.debian.org/security/faq

Package: linux
Debian Bug: 865303

The security update announced as DSA-3886-1 caused regressions for some applications using Java - including jsvc, LibreOffice and Scilab - due to the fix for CVE-2017-1000364. Updated packages are now available to correct this issue. For reference, the relevant part of the original advisory text follows.

CVE-2017-1000364
The Qualys Research Labs discovered that the size of the stack guard page is not sufficiently large. The stack-pointer can jump over the guard-page and moving from the stack into another memory region without accessing the guard-page. In this case no page-fault exception is raised and the stack extends into the other memory region. An attacker can exploit this flaw for privilege escalation.

The default stack gap protection is set to 256 pages and can be configured via the stack_guard_gap kernel parameter on the kernel command line.

Further details can be found at https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

For the oldstable distribution (jessie), this problem has been fixed in version 3.16.43-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in version 4.9.30-2+deb9u2.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3901-1] libgcrypt20 security update
Debian Security Advisory DSA-3901-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 02, 2017 https://www.debian.org/security/faq

Package: libgcrypt20
CVE ID: CVE-2017-7526

Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon Groot Bruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that Libgcrypt is prone to a local side-channel attack allowing full key recovery for RSA-1024.

See https://eprint.iacr.org/2017/627 for details.

For the oldstable distribution (jessie), this problem has been fixed in version 1.6.3-2+deb8u4.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u1.

For the testing distribution (buster), this problem has been fixed in version 1.7.8-1.

For the unstable distribution (sid), this problem has been fixed in version 1.7.8-1.

We recommend that you upgrade your libgcrypt20 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3902-1] jabberd2 security update
Debian Security Advisory DSA-3902-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 05, 2017 https://www.debian.org/security/faq

Package: jabberd2
CVE ID: CVE-2017-10807
Debian Bug: 867032

It was discovered that jabberd2, a Jabber instant messenger server, allowed anonymous SASL connections, even if disabled in the configuration.

For the stable distribution (stretch), this problem has been fixed in version 2.4.0-3+deb9u1.

We recommend that you upgrade your jabberd2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3912-1] heimdal security update
Debian Security Advisory DSA-3912-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 16, 2017 https://www.debian.org/security/faq

Package: heimdal
CVE ID: CVE-2017-11103
Debian Bug: 868208

Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams reported that Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos, trusts metadata taken from the unauthenticated plaintext (Ticket), rather than the authenticated and encrypted KDC response. A man-in-the-middle attacker can use this flaw to impersonate services to the client.

See https://orpheus-lyre.info/ for details.

For the oldstable distribution (jessie), this problem has been fixed in version 1.6~rc2+dfsg-9+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 7.1.0+dfsg-13+deb9u1.

For the unstable distribution (sid), this problem has been fixed in version 7.4.0.dfsg.1-1.

We recommend that you upgrade your heimdal packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3913-1] apache2 security update
Debian Security Advisory DSA-3913-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 18, 2017 https://www.debian.org/security/faq

Package: apache2
CVE ID: CVE-2017-9788
Debian Bug: 868467

Robert Swiecki reported that mod_auth_digest does not properly initialize or reset the value placeholder in [Proxy-]Authorization headers of type 'Digest' between successive key=value assignments, leading to information disclosure or denial of service.

For the oldstable distribution (jessie), this problem has been fixed in version 2.4.10-10+deb8u10.

For the stable distribution (stretch), this problem has been fixed in version 2.4.25-3+deb9u2.

For the unstable distribution (sid), this problem has been fixed in version 2.4.27-1.

We recommend that you upgrade your apache2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3916-1] atril security update
Debian Security Advisory DSA-3916-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 21, 2017 https://www.debian.org/security/faq

Package: atril
CVE ID: CVE-2017-183
Debian Bug: 868500

It was discovered that Atril, the MATE document viewer, made insecure use of tar when opening tar comic book archives (CBT). Opening a malicious CBT archive could result in the execution of arbitrary code. This update disables the CBT format entirely.

For the oldstable distribution (jessie), this problem has been fixed in version 1.8.1+dfsg1-4+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1.16.1-2+deb9u1.

We recommend that you upgrade your atril packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3917-1] catdoc security update
Debian Security Advisory DSA-3917-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 23, 2017 https://www.debian.org/security/faq

Package: catdoc
CVE ID: CVE-2017-0
Debian Bug: 867717

A heap-based buffer underflow flaw was discovered in catdoc, a text extractor for MS-Office files, which may lead to denial of service (application crash) or have unspecified other impact, if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed in version 0.94.4-1.1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 1:0.94.3~git20160113.dbc9ec6+dfsg-1+deb9u1.

For the testing distribution (buster), this problem has been fixed in version 1:0.95-3.

For the unstable distribution (sid), this problem has been fixed in version 1:0.95-3.

We recommend that you upgrade your catdoc packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3922-1] mysql-5.5 security update
Debian Security Advisory DSA-3922-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 28, 2017 https://www.debian.org/security/faq

Package: mysql-5.5
CVE ID: CVE-2017-3635 CVE-2017-3636 CVE-2017-3641 CVE-2017-3648 CVE-2017-3651 CVE-2017-3652 CVE-2017-3653
Debian Bug: 868788

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.57, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-56.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

For the oldstable distribution (jessie), these problems have been fixed in version 5.5.57-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3924-1] varnish security update
Debian Security Advisory DSA-3924-1 secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 02, 2017 https://www.debian.org/security/faq

Package: varnish
CVE ID: not yet assigned
Debian Bug: 870467

A denial of service vulnerability was discovered in Varnish, a state of the art, high-performance web accelerator. Specially crafted HTTP requests can cause the Varnish daemon to assert and restart, clearing the cache in the process.

See https://varnish-cache.org/security/VSV1.html for details.

For the oldstable distribution (jessie), this problem has been fixed in version 4.0.2-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 5.0.0-7+deb9u1.

We recommend that you upgrade your varnish packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 3927-1] linux security update
Debian Security Advisory DSA-3927-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 07, 2017                       https://www.debian.org/security/faq

Package        : linux
CVE ID         : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541
                 CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911
                 CVE-2017-11176 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2017-7346

    Li Qiang discovered that the DRM driver for VMware virtual GPUs does
    not properly check user-controlled values in the
    vmw_surface_define_ioctl() functions for upper limits. A local user
    can take advantage of this flaw to cause a denial of service.

CVE-2017-7482

    Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does
    not properly verify metadata, leading to information disclosure,
    denial of service or potentially execution of arbitrary code.

CVE-2017-7533

    Fan Wu and Shixiong Zhao discovered a race condition between inotify
    events and VFS rename operations allowing an unprivileged local
    attacker to cause a denial of service or escalate privileges.

CVE-2017-7541

    A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN
    driver could allow a local user to cause kernel memory corruption,
    leading to a denial of service or potentially privilege escalation.

CVE-2017-7542

    An integer overflow vulnerability in the ip6_find_1stfragopt()
    function was found allowing a local attacker with privileges to open
    raw sockets to cause a denial of service.

CVE-2017-9605

    Murray McAllister discovered that the DRM driver for VMware virtual
    GPUs does not properly initialize memory, potentially allowing a
    local attacker to obtain sensitive information from uninitialized
    kernel memory via a crafted ioctl call.

CVE-2017-10810

    Li Qiang discovered a memory leak flaw within the VirtIO GPU driver
    resulting in denial of service (memory consumption).

CVE-2017-10911 / XSA-216

    Anthony Perard of Citrix discovered an information leak flaw in Xen
    blkif response handling, allowing a malicious unprivileged guest to
    obtain sensitive information from the host or other guests.

CVE-2017-11176

    It was discovered that the mq_notify() function does not set the
    sock pointer to NULL upon entry into the retry logic. An attacker
    can take advantage of this flaw during a user-space close of a
    Netlink socket to cause a denial of service or potentially cause
    other impact.

CVE-2017-1000365

    It was discovered that argument and environment pointers are not
    taken properly into account to the imposed size restrictions on
    arguments and environmental strings passed through
    RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of
    this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems will be fixed in
a subsequent DSA.

For the stable distribution (stretch), these problems have been fixed in
version 4.9.30-2+deb9u3.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 3929-1] libsoup2.4 security update
Debian Security Advisory DSA-3929-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2017                       https://www.debian.org/security/faq

Package        : libsoup2.4
CVE ID         : CVE-2017-2885
Debian Bug     : 871650

Aleksandar Nikolic of Cisco Talos discovered a stack-based buffer
overflow vulnerability in libsoup2.4, a HTTP library implementation in
C. A remote attacker can take advantage of this flaw by sending a
specially crafted HTTP request to cause an application using the
libsoup2.4 library to crash (denial of service), or potentially execute
arbitrary code.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.48.0-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.56.0-2+deb9u1.

We recommend that you upgrade your libsoup2.4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

[SECURITY] [DSA 3938-1] libgd2 security update
Debian Security Advisory DSA-3938-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2017                       https://www.debian.org/security/faq

Package        : libgd2
CVE ID         : CVE-2017-7890
Debian Bug     : 869263

Matviy Kotoniy reported that the gdImageCreateFromGifCtx() function used
to load images from GIF format files in libgd2, a library for
programmatic graphics creation and manipulation, does not zero stack
allocated color map buffers before their use, which may result in
information disclosure if a specially crafted file is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 2.1.0-5+deb8u10.

For the stable distribution (stretch), this problem has been fixed in
version 2.2.4-2+deb9u1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org