Debian 10253 Published by

Debian GNU/Linux has received various security upgrades, including chromium, asterisk, php5, php7.0, and php7.3:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1208-1 php5 security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1207-1 php7.0 security update

Debian GNU/Linux 10 Buster) Extended LTS:
ELA-1206-1 php7.3 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3925-1] asterisk security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5793-1] chromium security update



[SECURITY] [DSA 5793-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5793-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
October 20, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-9954 CVE-2024-9955 CVE-2024-9956 CVE-2024-9957
CVE-2024-9958 CVE-2024-9959 CVE-2024-9960 CVE-2024-9961
CVE-2024-9962 CVE-2024-9963 CVE-2024-9964 CVE-2024-9965
CVE-2024-9966

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 130.0.6723.58-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3925-1] asterisk security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3925-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
October 20, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : asterisk
Version : 1:16.28.0~dfsg-0+deb11u5
CVE ID : CVE-2024-42365 CVE-2024-42491

Two issues have been found in asterisk, an Open Source Private Branch
Exchange.

CVE-2024-42365

Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

CVE-2024-42491

Due to bad handling of malformed Contact or Record-Route URI in an
incoming SIP request, Asterisk might crash when res_resolver_unbound
is used.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed.
More information about ths can be found at:
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html

For Debian 11 bullseye, these problems have been fixed in version
1:16.28.0~dfsg-0+deb11u5.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1208-1 php5 security update

Package : php5
Version : 5.6.40+dfsg-0+deb8u21 (jessie)

Related CVEs :
CVE-2024-8925
CVE-2024-8927

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in erroneous
parsing of multipart/form-data or bypass of the cgi.force_direct
directive.

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of
multipart form data contained in an HTTP POST request, which could
lead to legitimate data not being processed thereby violating data
integrity.

CVE-2024-8927: It was discovered that the cgi.force_redirect
configuration setting is bypassable due to environment variable
collision.

ELA-1208-1 php5 security update


ELA-1207-1 php7.0 security update

Package : php7.0
Version : 7.0.33-0+deb9u19 (stretch)

Related CVEs :
CVE-2024-8925
CVE-2024-8927

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in erroneous
parsing of multipart/form-data or bypass of the cgi.force_direct
directive.

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of
multipart form data contained in an HTTP POST request, which could
lead to legitimate data not being processed thereby violating data
integrity.

CVE-2024-8927: It was discovered that the cgi.force_redirect
configuration setting is bypassable due to environment variable
collision.

ELA-1207-1 php7.0 security update


ELA-1206-1 php7.3 security update

Package : php7.3
Version : 7.3.31-1~deb10u8 (buster)

Related CVEs :
CVE-2024-8925
CVE-2024-8927

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in erroneous
parsing of multipart/form-data or bypass of the cgi.force_direct
directive.

CVE-2024-8925: Mihail Kirov discovered an erroneous parsing of
multipart form data contained in an HTTP POST request, which could
lead to legitimate data not being processed thereby violating data
integrity.

CVE-2024-8927: It was discovered that the cgi.force_redirect
configuration setting is bypassable due to environment variable
collision.

ELA-1206-1 php7.3 security update