Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1471-1 symfony security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4227-1] dcmtk security update
[DLA 4228-1] nginx security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5948-1] trafficserver security update
[SECURITY] [DLA 4227-1] dcmtk security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4227-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucari??s
June 24, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : dcmtk
Version : 3.6.5-1+deb11u4
CVE ID : CVE-2022-2119 CVE-2022-2120 CVE-2024-47796 CVE-2025-2357
CVE-2025-25472 CVE-2025-25474 CVE-2025-25475
Debian Bug : 1017743 1098373 1098374 1100724
Multiple vulnerabilities were fixed in dcmtk an OFFIS DICOM toolkit.
CVE-2022-2119/CVE-2022-2120
Path traversal issues were found, allowing an attacker
to write DICOM files into arbitrary directories under
controlled names. This could allow remote code execution.
CVE-2024-47796
An improper array index validation vulnerability exists
in the nowindow functionality.
A specially crafted DICOM file can lead to an out-of-bounds write.
CVE-2025-2357
An issue was found in the dcmjpls JPEG-LS Decoder.
The manipulation leads to memory corruption.
CVE-2025-25472
A buffer overflow was found that cause a Denial of Service
(DoS) via a crafted DCM file.
CVE-2025-25474
A buffer overflow was found via the component
dcmimgle/diinpxt.h
CVE-2025-25475
A NULL pointer dereference was found in the component /libsrc/dcrleccd.cc
For Debian 11 bullseye, these problems have been fixed in version
3.6.5-1+deb11u4.
We recommend that you upgrade your dcmtk packages.
For the detailed security status of dcmtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dcmtk
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5948-1] trafficserver security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5948-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 24, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : trafficserver
CVE ID : CVE-2024-53868 CVE-2025-31698 CVE-2025-49763
Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server, which could result in denial of
service, HTTP request smuggling or incorrect processing of ACLs.
For the stable distribution (bookworm), these problems have been fixed in
version 9.2.5+ds-0+deb12u3.
We recommend that you upgrade your trafficserver packages.
For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4228-1] nginx security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4228-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
June 24, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u5
CVE ID : CVE-2020-36309 CVE-2024-33452
Debian Bug : 986787
Two vulnerabilities were discovered in Nginx, a high-performance web
and reverse proxy server, more precisely in ngx_http_lua_module, which
embeds the Lua scripting language into Nginx. This could lead to
request smuggling or contribute to cache poisoning and authentication
bypass.
ngx_http_lua_module is provided by the optional libnginx-mod-http-lua
binary package.
CVE-2020-36309
ngx_http_lua_module allows unsafe characters in an argument when
using the API to mutate a URI, or a request or response header.
CVE-2024-33452
lua-nginx-module allows a remote attacker to conduct HTTP request
smuggling via a crafted HEAD request.
For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u5.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1471-1 symfony security update
Package : symfony
Version : 3.4.22+dfsg-2+deb10u4 (buster)
Related CVEs :
CVE-2024-50343
CVE-2024-50345
CVE-2024-50343
It was discovered input ending with \n could bypass Validators.
CVE-2024-50345
Sam Mush discovered that due to URI parsing mismatch between common
browsers and the Request class, an attacker could supply a specially
crafted URI to bypass validation and redirect users to another
domain.
ELA-1471-1 symfony security update
