Debian 10236 Published by

Debian GNU/Linux 11 (Bullseye) LTS has received two security updates: a curl security update and an unbound security update:

[DLA 3951-1] curl security update
[DLA 3952-1] unbound security update




[SECURITY] [DLA 3951-1] curl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3951-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
November 14, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : curl
Version : 7.74.0-1.3+deb11u14
CVE ID : CVE-2024-8096

curl a command line tool for transferring data with URL syntax was
affected by CVE-2024-8096. When the TLS backend is GnuTLS, curl may
incorrectly handle OCSP stapling. If the OCSP status reports an error
other than "revoked" (e.g., "unauthorized"), it is not treated as a
bad certificate, potentially allowing invalid certificates to be
considered valid.

For Debian 11 bullseye, this problem has been fixed in version
7.74.0-1.3+deb11u14.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/curl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3952-1] unbound security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3952-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
November 14, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : unbound
Version : 1.13.1-1+deb11u4
CVE ID : CVE-2024-8508
Debian Bug : 1083282

A vulnerability has been discovered in unbound, a validating,
recursive, caching DNS resolver. Malicious upstreams responses with
very large RRsets can cause Unbound to spend a considerable time
applying name compression to downstream replies. This can lead to
degraded performance and eventually denial of service in well
orchestrated attacks. The vulnerability can be exploited by a malicious
actor querying Unbound for the specially crafted contents of a
malicious zone with very large RRsets.

For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u4.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS