Debian 10253 Published by

Debian GNU/Linux has received multiple security updates, including chromium, linux, zabbix, libxml2, vlc, mariadb, and zabbix:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1193-1 zabbix security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1195-1 libxml2 security update
ELA-1194-1 vlc security update
ELA-1192-1 mariadb-10.3 security update

Debian GNU/Linux 11 (Bullseye):
[SECURITY] [DLA 3909-1] zabbix security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5781-1] chromium security update
[SECURITY] [DSA 5782-1] linux security update



[SECURITY] [DSA 5781-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5781-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
October 03, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-7025 CVE-2024-9369 CVE-2024-9370

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 129.0.6668.89-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5782-1] linux security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5782-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 03, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2023-31083 CVE-2024-27017 CVE-2024-35937 CVE-2024-35943
CVE-2024-35966 CVE-2024-40972 CVE-2024-41016 CVE-2024-41096
CVE-2024-41098 CVE-2024-42228 CVE-2024-42314 CVE-2024-43835
CVE-2024-43859 CVE-2024-43884 CVE-2024-43892 CVE-2024-44931
CVE-2024-44938 CVE-2024-44939 CVE-2024-44940 CVE-2024-44946
CVE-2024-44947 CVE-2024-44974 CVE-2024-44977 CVE-2024-44982
CVE-2024-44983 CVE-2024-44985 CVE-2024-44986 CVE-2024-44987
CVE-2024-44988 CVE-2024-44989 CVE-2024-44990 CVE-2024-44991
CVE-2024-44995 CVE-2024-44998 CVE-2024-44999 CVE-2024-45000
CVE-2024-45002 CVE-2024-45003 CVE-2024-45006 CVE-2024-45007
CVE-2024-45008 CVE-2024-45009 CVE-2024-45010 CVE-2024-45011
CVE-2024-45016 CVE-2024-45018 CVE-2024-45019 CVE-2024-45021
CVE-2024-45022 CVE-2024-45025 CVE-2024-45026 CVE-2024-45028
CVE-2024-45029 CVE-2024-46673 CVE-2024-46674 CVE-2024-46675
CVE-2024-46676 CVE-2024-46677 CVE-2024-46679 CVE-2024-46685
CVE-2024-46686 CVE-2024-46689 CVE-2024-46694 CVE-2024-46702
CVE-2024-46707 CVE-2024-46711 CVE-2024-46713 CVE-2024-46714
CVE-2024-46715 CVE-2024-46716 CVE-2024-46717 CVE-2024-46719
CVE-2024-46720 CVE-2024-46721 CVE-2024-46722 CVE-2024-46723
CVE-2024-46724 CVE-2024-46725 CVE-2024-46726 CVE-2024-46731
CVE-2024-46732 CVE-2024-46734 CVE-2024-46735 CVE-2024-46737
CVE-2024-46738 CVE-2024-46739 CVE-2024-46740 CVE-2024-46743
CVE-2024-46744 CVE-2024-46745 CVE-2024-46746 CVE-2024-46747
CVE-2024-46750 CVE-2024-46752 CVE-2024-46755 CVE-2024-46756
CVE-2024-46757 CVE-2024-46758 CVE-2024-46759 CVE-2024-46761
CVE-2024-46763 CVE-2024-46770 CVE-2024-46771 CVE-2024-46773
CVE-2024-46777 CVE-2024-46780 CVE-2024-46781 CVE-2024-46782
CVE-2024-46783 CVE-2024-46784 CVE-2024-46791 CVE-2024-46794
CVE-2024-46795 CVE-2024-46798 CVE-2024-46800 CVE-2024-46802
CVE-2024-46804 CVE-2024-46805 CVE-2024-46807 CVE-2024-46810
CVE-2024-46812 CVE-2024-46814 CVE-2024-46815 CVE-2024-46817
CVE-2024-46818 CVE-2024-46819 CVE-2024-46821 CVE-2024-46822
CVE-2024-46826 CVE-2024-46828 CVE-2024-46829 CVE-2024-46830
CVE-2024-46832 CVE-2024-46835 CVE-2024-46836 CVE-2024-46840
CVE-2024-46844 CVE-2024-46846 CVE-2024-46848 CVE-2024-46849
CVE-2024-46852 CVE-2024-46853 CVE-2024-46854 CVE-2024-46855
CVE-2024-46857 CVE-2024-46858 CVE-2024-46859 CVE-2024-46865

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For the stable distribution (bookworm), these problems have been fixed in
version 6.1.112-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3909-1] zabbix security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3909-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
October 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : zabbix
Version : 1:5.0.44+dfsg-1+deb11u1
CVE ID : CVE-2022-23132 CVE-2022-23133 CVE-2022-24349 CVE-2022-24917
CVE-2022-24918 CVE-2022-24919 CVE-2022-35229 CVE-2022-35230
CVE-2022-43515 CVE-2023-29449 CVE-2023-29450 CVE-2023-29454
CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
CVE-2023-32721 CVE-2023-32722 CVE-2023-32724 CVE-2023-32726
CVE-2023-32727 CVE-2024-22114 CVE-2024-22116 CVE-2024-22119
CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461
Debian Bug : 1014992 1014994 1026847 1053877 1055175 1078553

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution, potentially among other effects allowing XSS, Code
Execution, information disclosure, remote code execution, impersonation or
session hijacking.

As the version uploaded is a new upstrea maintainance version, there a a
few minor new features and behavioural changes with this version. Please
see below for further information.

CVE-2022-23132

During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability is
in use to access PID files in [/var/run/zabbix] folder. In this case,
Zabbix Proxy or Server processes can bypass file read, write and execute
permissions check on the file system level

CVE-2022-23133

An authenticated user can create a hosts group from the configuration
with XSS payload, which will be available for other users. When XSS is
stored by an authenticated malicious actor and other users try to search
for groups during new host creation, the XSS payload will fire and the
actor can steal session cookies and perform session hijacking to
impersonate users or take over their accounts.

CVE-2022-24349

An authenticated user can create a hosts group from the configuration
with XSS payload, which will be available for other users. When XSS is
stored by an authenticated malicious actor and other users try to search
for groups during new host creation, the XSS payload will fire and the
actor can steal session cookies and perform session hijacking to
impersonate users or take over their accounts.

CVE-2022-24917

An authenticated user can create a link with reflected Javascript code
inside it for services’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-24918

An authenticated user can create a link with reflected Javascript code
inside it for items’ page and send it to other users. The payload can be
executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-24919

An authenticated user can create a link with reflected Javascript code
inside it for graphs’ page and send it to other users. The payload can
be executed only with a known CSRF token value of the victim, which is
changed periodically and is difficult to predict. Malicious code has
access to all the same objects as the rest of the web page and can make
arbitrary modifications to the contents of the page being displayed to a
victim during social engineering attacks.

CVE-2022-35229

An authenticated user can create a link with reflected Javascript code
inside it for the discovery page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

CVE-2022-35230

An authenticated user can create a link with reflected Javascript code
inside it for the graphs page and send it to other users. The payload
can be executed only with a known CSRF token value of the victim, which
is changed periodically and is difficult to predict.

CVE-2022-43515

Zabbix Frontend provides a feature that allows admins to maintain the
installation and ensure that only certain IP addresses can access it. In
this way, any user will not be able to access the Zabbix Frontend while
it is being maintained and possible sensitive data will be prevented
from being disclosed. An attacker can bypass this protection and access
the instance using IP address not listed in the defined range.

CVE-2023-29449

JavaScript preprocessing, webhooks and global scripts can cause
uncontrolled CPU, memory, and disk I/O utilization.
Preprocessing/webhook/global script configuration and testing are only
available to Administrative roles (Admin and Superadmin). Administrative
privileges should be typically granted to users who need to perform
tasks that require more control over the system. The security risk is
limited because not all users have this level of access.

CVE-2023-29450

JavaScript pre-processing can be used by the attacker to gain access to
the file system (read-only access on behalf of user "zabbix") on the
Zabbix Server or Zabbix Proxy, potentially leading to unauthorized
access to sensitive data.

CVE-2023-29454

A Stored or persistent cross-site scripting (XSS) vulnerability was
found on “Users” section in “Media” tab in “Send to” form field. When
new media is created with malicious code included into field “Send to”
then it will execute when editing the same media.

CVE-2023-29455

A Reflected XSS attacks, also known as non-persistent attacks, was found
where an attacker can pass malicious code as GET request to graph.php
and system will save it and will execute when current graph page is
opened.

CVE-2023-29456

URL validation scheme receives input from a user and then parses it to
identify its various components. The validation scheme can ensure that
all URL components comply with internet standards.

CVE-2023-29457

A Reflected XSS attacks, also known as non-persistent attacks, was found
where XSS session cookies could be revealed, enabling a perpetrator to
impersonate valid users and abuse their private accounts.

CVE-2023-29458

Duktape is an 3rd-party embeddable JavaScript engine, with a focus on
portability and compact footprint. When adding too many values in
valstack JavaScript will crash. This issue occurs due to bug in Duktape
2.6 which is an 3rd-party solution that we use.

CVE-2023-32721

A stored XSS has been found in the Zabbix web application in the Maps
element if a URL field is set with spaces before URL.

CVE-2023-32722

The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow
when parsing JSON files via zbx_json_open.

CVE-2023-32724

Memory pointer is in a property of the Ducktape object. This leads to
multiple vulnerabilities related to direct memory access and
manipulation.

CVE-2023-32726

Possible buffer overread from reading DNS responses.

CVE-2023-32727

An attacker who has the privilege to configure Zabbix items can use
function icmpping() with additional malicious command inside it to
execute arbitrary code on the current Zabbix server.

CVE-2024-22114

A user with no permission to any of the Hosts can access and view host
count & other statistics through System Information Widget in Global
View Dashboard.

CVE-2024-22116

An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. The lack of
default escaping for script parameters enabled this user ability to
execute arbitrary code via the Ping script, thereby compromising
infrastructure.

CVE-2024-22119

Stored XSS in graph items select form

CVE-2024-22122

Zabbix allows to configure SMS notifications. AT command injection
occurs on "Zabbix Server" because there is no validation of "Number"
field on Web nor on Zabbix server side. Attacker can run test of SMS
providing specially crafted phone number and execute additional AT
commands on the modem.

CVE-2024-22123

Setting SMS media allows to set GSM modem file. Later this file is used
as Linux device. But due everything is a file for Linux, it is possible
to set another file, e.g. log file and zabbix_server will try to
communicate with it as modem. As a result, log file will be broken with
AT commands and small part for log file content will be leaked to UI.

CVE-2024-36460

The front-end audit log allows viewing of unprotected plaintext
passwords, where the passwords are displayed in plain text.

CVE-2024-36461

Direct access to memory pointers within the JS engine for modification.
This vulnerability allows users with access to a single item
configuration (limited role) to compromise the whole infrastructure of
the monitoring solution by remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1:5.0.44+dfsg-1+deb11u1.

We recommend that you upgrade your zabbix packages.

For the detailed security status of zabbix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zabbix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

As stated above, this version is a new upstream maintaince release.
Upstream's "upgrade notes" lists the following changes:
(Changes not relevant for Debian bullseye have been omitted.)

Upgrade notes for 5.0.11

VMware event collector - The behavior of VMware event collector has been
changed to fix a memory overload issue.

Upgrade notes for 5.0.31

Improved performance of history syncers

The performance of history syncers has been improved by introducing a
new read-write lock. This reduces locking between history syncers,
trappers and proxy pollers by using a shared read lock while accessing
the configuration cache. The new lock can be write locked only by the
configuration syncer performing a configuration cache reload.

Upgrade notes for 5.0.32

The following limits for JavaScript objects in preprocessing have been
introduced:

The total size of all messages that can be logged with the Log() method
has been limited to 8 MB per script execution.
The initialization of multiple CurlHttpRequest objects has been limited
to 10 per script execution. The total length of header fields that can
be added to a single CurlHttpRequest object with the AddHeader() method
has been limited to 128 Kbytes (special characters and header names
included).



ELA-1195-1 libxml2 security update

Package : libxml2
Version : 2.9.4+dfsg1-7+deb10u8 (buster)

Related CVEs :
CVE-2016-9318

An XML External Entity (XXE) attack via crafted documents has been fixed in the XML library libxml2.

ELA-1195-1 libxml2 security update


ELA-1194-1 vlc security update

Package : vlc
Version : 3.0.21-0+deb9u1 (stretch), 3.0.21-0+deb10u1 (buster)

Related CVEs :
CVE-2024-46461

A buffer overflow with MMS streams has been fixed by upgrading the VLC media player to the latest upstream version.

ELA-1194-1 vlc security update


ELA-1192-1 mariadb-10.3 security update

Package : mariadb-10.3

Version : 1:10.3.39-0+deb10u3 (buster)

Related CVEs :
CVE-2024-21096

Several vulnerabilities have been fixed in MariaDB, a popular database server.
CVE-2024-21096

A difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where MariaDB Server
executes to compromise MariaDB Server.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
MariaDB Server accessible data as well as unauthorized
read access to a subset of MariaDB Server accessible
data and unauthorized ability to cause a partial
denial of service (partial DoS)

Note that fixes related to CVE-2024-21096 may break forwards and backwards
compatibility in certain situations when doing logical backup and restore
with plain SQL files (e.g. when using mariadb-dump or mysqldump).
The MariaDB client now has the command-line option --sandbox and the
MariaDB client database prompt command \-. This enables sandbox mode for
the rest of the session, until disconnected. Once in sandbox mode, any
command that could do something on the shell is disabled.
Additionally mysqldump now adds the following command inside a comment
at the very top of the logical SQL file to trigger sandbox mode:
/*M!999999\- enable the sandbox mode */

Newer version of MariaDB clients strip away the backslash and dash (-), and
then tries to execute the internal command with a dash.
Older versions of MariaDB client and all versions of MySQL client considers
this a comment, and will ignore it. There may however be situations where
importing logical SQL dump files may fail due to this, so users should be
advised.
Users are best protected from both security issues and interoperability
issues by using the latest mariadb-dump shipped in MariaDB 11.4.3, 10.11.9,
10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in
11.4.2, but the latest batch of MariaDB minor maintenance releases include
further improvements on the sandbox mode.
Note that the mariadb-dump can be used to make the logical backups from
both MariaDB and MySQL servers. Also the mariadb client program can connect
to both MariaDB and MySQL servers and import those SQL dump files.

ELA-1192-1 mariadb-10.3 security update


ELA-1193-1 zabbix security update

Package : zabbix

Version : 2.2.23+dfsg-0+deb8u8 (jessie), 1:3.0.32+dfsg-0+deb9u7 (stretch)

Related CVEs :

CVE-2024-22114
CVE-2024-22116
CVE-2024-22122
CVE-2024-22123

Several security vulnerabilities have been discovered in zabbix, a network
monitoring solution.

CVE-2024-22114
A user with no permission to any of the Hosts can access and view host
count & other statistics through System Information Widget in Global
View Dashboard.

CVE-2024-22116
An administrator with restricted permissions can exploit the script
execution functionality within the Monitoring Hosts section. The lack of
default escaping for script parameters enabled this user ability to
execute arbitrary code via the Ping script, thereby compromising
infrastructure.

CVE-2024-22119
Stored XSS in graph items select form

CVE-2024-22122
Zabbix allows to configure SMS notifications. AT command injection
occurs on "Zabbix Server" because there is no validation of "Number"
field on Web nor on Zabbix server side. Attacker can run test of SMS
providing specially crafted phone number and execute additional AT
commands on the modem.

CVE-2024-22123
Setting SMS media allows to set GSM modem file. Later this file is used
as Linux device. But due everything is a file for Linux, it is possible
to set another file, e.g. log file and zabbix_server will try to
communicate with it as modem. As a result, log file will be broken with
AT commands and small part for log file content will be leaked to UI.

ELA-1193-1 zabbix security update