Debian 10158 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1178-1 hsqldb1.8.0 security update

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1176-1 libxml2 security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1177-1 bluez security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3881-1] aom security update
[SECURITY] [DLA 3880-1] amanda security update
[SECURITY] [DLA 3879-1] bluez security update



[SECURITY] [DLA 3881-1] aom security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3881-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 07, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : aom
Version : 1.0.0.errata1-3+deb11u2
CVE ID : CVE-2024-5171

Integer overflows have been fixed in aom, an AV1 Codec Library.

For Debian 11 bullseye, this problem has been fixed in version
1.0.0.errata1-3+deb11u2.

We recommend that you upgrade your aom packages.

For the detailed security status of aom please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/aom

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3880-1] amanda security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3880-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 07, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : amanda
Version : 1:3.5.1-7+deb11u1
CVE ID : CVE-2022-37703 CVE-2022-37704 CVE-2022-37705 CVE-2023-30577
Debian Bug : 1021017 1029829 1055253

Multiple vulnerabilities have been fixed in the Amanda backup system.

CVE-2022-37703

Directory existence disclosure

CVE-2022-37704

Privilege escalation in rundump

CVE-2022-37705

Privilege escalation in runtar

CVE-2023-30577

Privilege escalation in runtar

For Debian 11 bullseye, these problems have been fixed in version
1:3.5.1-7+deb11u1.

We recommend that you upgrade your amanda packages.

For the detailed security status of amanda please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amanda

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3879-1] bluez security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3879-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 07, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : bluez
Version : 5.55-3.1+deb11u2
CVE ID : CVE-2021-3658 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204
CVE-2022-39176 CVE-2022-39177 CVE-2023-27349 CVE-2023-50229
CVE-2023-50230
Debian Bug : 991596 998626 1000262 1003712

Multiple vulnerabilities have been fixed in bluez library, tools and
daemons for using Bluetooth devices.

CVE-2021-3658

adapter: Fix storing discoverable setting

CVE-2021-41229

Memory leak in the SDP protocol

CVE-2021-43400

Use-after-free on client disconnect

CVE-2022-0204

GATT heap overflow

CVE-2022-39176

Proximate attackers could obtain sensitive information

CVE-2022-39177

Proximate attackers could cause denial of service

CVE-2023-27349

AVRCP crash while handling unsupported events

CVE-2023-50229

Phone Book Access profile Heap-based Buffer Overflow

CVE-2023-50230

Phone Book Access profile Heap-based Buffer Overflow

For Debian 11 bullseye, these problems have been fixed in version
5.55-3.1+deb11u2.

We recommend that you upgrade your bluez packages.

For the detailed security status of bluez please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bluez

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1178-1 hsqldb1.8.0 security update

Package : hsqldb1.8.0
Version : 1.8.0.10+dfsg-3+deb8u1 (jessie)

Related CVEs :
CVE-2023-1183

Arbitrary file write with a SCRIPT command was fixed in the Java database engine hsqldb1.8.0.

ELA-1178-1 hsqldb1.8.0 security update


ELA-1177-1 bluez security update

Package : bluez
Version : 5.43-2+deb9u8 (stretch), 5.50-1.2~deb10u6 (buster)

Related CVEs :
CVE-2023-27349
CVE-2023-50229
CVE-2023-50230

Multiple vulnerabilities have been fixed in bluez, a library, tools and daemons for using Bluetooth devices.

CVE-2023-27349 (stretch)
AVRCP crash while handling unsupported events

CVE-2023-50229
Phone Book Access profile Heap-based Buffer Overflow

CVE-2023-50230
Phone Book Access profile Heap-based Buffer Overflow

ELA-1177-1 bluez security update


ELA-1176-1 libxml2 security update

Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u16 (jessie), 2.9.4+dfsg1-2.2+deb9u11 (stretch), 2.9.4+dfsg1-7+deb10u7 (buster)

Related CVEs :
CVE-2016-3709
CVE-2022-2309

Two vulnerabilities have been fixed in the XML library libxml2.

CVE-2016-3709 (buster)
HTML 4 parser cross-site scripting

CVE-2022-2309
Parser NULL pointer dereference

ELA-1176-1 libxml2 security update