Debian 10020 Published by

For Debian GNU/Linux 10 LTS, three new security updates are available that fix issues with Amanda, ncurses, and OpenDKIM:

[DLA 3680-1] opendkim security update
[DLA 3681-1] amanda security update
[DLA 3682-1] ncurses security update





[DLA 3680-1] opendkim security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3680-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 03, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : opendkim
Version : 2.11.0~alpha-12+deb10u1
CVE ID : CVE-2022-48521
Debian Bug : 1041107

An issue (CVE-2022-48521) was discovered in OpenDKIM through 2.10.3, and
2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers
when removing fake Authentication-Results header fields, which allows a
remote attacker to craft an e-mail message with a fake sender address
such that programs that rely on Authentication-Results from OpenDKIM
will treat the message as having a valid DKIM signature when in fact it
has none.

For Debian 10 buster, this problem has been fixed in version
2.11.0~alpha-12+deb10u1.

We recommend that you upgrade your opendkim packages.

For the detailed security status of opendkim please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opendkim

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3681-1] amanda security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3681-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
December 03, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : amanda
Version : 1:3.5.1-2+deb10u2
CVE ID : CVE-2022-37703 CVE-2022-37705 CVE-2023-30577
Debian Bug : 1021017 1029829 1055253

Multiple vulnerabilties have been found in Amanda,a backup system
designed to archive many computers on a network to a single
large-capacity tape drive. The vulnerabilties potentially allows local
privilege escalation from the backup user to root or leak information
whether a directory exists in the filesystem.

CVE-2022-37703

In Amanda 3.5.1, an information leak vulnerability was found in the
calcsize SUID binary. An attacker can abuse this vulnerability to
know if a directory exists or not anywhere in the fs. The binary
will use `opendir()` as root directly without checking the path,
letting the attacker provide an arbitrary path.

CVE-2022-37705

A privilege escalation flaw was found in Amanda 3.5.1 in which the
backup user can acquire root privileges. The vulnerable component is
the runtar SUID program, which is a wrapper to run /usr/bin/tar with
specific arguments that are controllable by the attacker. This
program mishandles the arguments passed to tar binary.

CVE-2023-30577

The SUID binary "runtar" can accept the possibly malicious GNU tar
options if fed with some non-argument option starting with
"--exclude" (say --exclude-vcs). The following option will be
accepted as "good" and it could be an option passing some
script/binary that would be executed with root permissions.

For Debian 10 buster, these problems have been fixed in version
1:3.5.1-2+deb10u2.

We recommend that you upgrade your amanda packages.

For the detailed security status of amanda please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amanda

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3682-1] ncurses security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3682-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 03, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ncurses
Version : 6.1+20181013-2+deb10u5
CVE ID : CVE-2021-39537 CVE-2023-29491
Debian Bug : 1034372

Issues were found in ncurses, a collection of shared libraries for
terminal handling, which could lead to denial of service.

CVE-2021-39537

It has been discovered that the tic(1) utility is susceptible to a
heap overflow on crafted input due to improper bounds checking.

CVE-2023-29491

Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered
that when ncurses is used by a setuid application, a local user can
trigger security-relevant memory corruption via malformed data in a
terminfo database file found in $HOME/.terminfo or reached via the
TERMINFO or TERM environment variables.

In order to mitigate this issue, ncurses now further restricts
programs running with elevated privileges (setuid/setgid programs).
Programs run by the superuser remain able to load custom terminfo
entries.

This change aligns ncurses' behavior in buster-security with that of
Debian Bullseye's latest point release (6.2+20201114-2+deb11u2).

For Debian 10 buster, these problems have been fixed in version
6.1+20181013-2+deb10u5.

We recommend that you upgrade your ncurses packages.

For the detailed security status of ncurses please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ncurses

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS