
Debian GNU/Linux 11 LTS has received four security updates, for fossil, postgresql-13, libbson-xs-perl and simplesamlphp:

[DLA 4158-1] fossil security update
[DLA 4159-1] postgresql-13 security update
[DLA 4160-1] libbson-xs-perl security update
[DLA 4161-1] simplesamlphp security update




[SECURITY] [DLA 4158-1] fossil security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4158-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
May 09, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : fossil
Version : 1:2.15.2-1+deb11u1
Debian Bug : 1070069

Fossil is an all-in-one DSCM (Distributed Software Configuration
Management) with built-in bug tracking, wiki and web interface.
After Apache HTTP Server (apache2) was fixed for CVE-2024-24795, the
fossil HTTP client could no longer clone remote Fossil repositories
hosted on patched Apache servers. This update restores that
interoperability; the advisory lists no CVE against fossil itself.

For Debian 11 bullseye, this problem has been fixed in version
1:2.15.2-1+deb11u1.

We recommend that you upgrade your fossil packages.

For the detailed security status of fossil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fossil

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4159-1] postgresql-13 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4159-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Carlos Henrique Lima Melara
May 09, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : postgresql-13
Version : 13.21-0+deb11u1
CVE ID : CVE-2025-4207
Debian Bug :

A security issue (CVE-2025-4207) was discovered in the PostgreSQL database
system. Upstream describes it as a one-byte buffer over-read in GB18030
encoding validation, reachable from database input. On platforms where such
an over-read terminates the process, it crashes the server, and also client
applications linked against libpq, causing a denial of service.

For Debian 11 bullseye, this problem has been fixed in version
13.21-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4160-1] libbson-xs-perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4160-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
May 09, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libbson-xs-perl
Version : 0.8.4-1+deb11u1
CVE ID : CVE-2017-14227 CVE-2018-16790 CVE-2023-0437 CVE-2024-6381
CVE-2024-6383 CVE-2025-0755

Several vulnerabilities have been found in libbson-xs-perl, the Perl XS
implementation of MongoDB's BSON serialization. The CVE texts below refer
to the MongoDB C driver because the package's XS code embeds its libbson
library, which is where the flaws were fixed upstream.

CVE-2017-14227

The bson_iter_codewscope function in bson-iter.c miscalculates a
bson_utf8_validate length argument, which allows remote attackers to
cause a denial of service (heap-based buffer over-read in the
bson_utf8_validate function in bson-utf8.c), as demonstrated by
bson-to-json.c.

CVE-2018-16790

_bson_iter_next_internal has a heap-based buffer over-read via a
crafted bson buffer.

CVE-2023-0437

When bson_utf8_validate is called on some inputs, it can enter a loop
whose exit condition is never reached, i.e. an infinite loop, which is a
denial of service for any process validating attacker-supplied BSON.

CVE-2024-6381

The bson_strfreev function in the MongoDB C driver library may be
susceptible to an integer overflow where the function will try to
free memory at a negative offset. This may result in memory
corruption.

CVE-2024-6383

The bson_string_append function in the MongoDB C Driver may be
vulnerable to a buffer overflow, where the function can allocate too
small a buffer and so corrupt neighbouring heap memory.

CVE-2025-0755

The various bson_append functions in the MongoDB C driver library
may be susceptible to buffer overflow when performing operations
that could result in a final BSON document which exceeds the maximum
allowable size (INT32_MAX), resulting in a segmentation fault and
possible application crash.
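All six flaws above are length-handling mistakes: an iterator that trusts a length field embedded in attacker-supplied BSON, or an append that does not check the size of the document it is about to produce. As an added example (not libbson or libbson-xs-perl code), here is a Go walker over a BSON document that checks every embedded length against the bytes that actually remain before reading, plus the pre-append size check an append routine needs against the INT32_MAX limit. The two sample documents are constructed for the example: one well-formed, one whose string length field claims 0x7fffffff bytes.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Element is one decoded top-level BSON element.
type Element struct {
	Name  string
	Type  byte
	Value interface{}
}

// WalkBSON decodes the top-level string and int32 elements of a BSON document.
// Every length inside the document is attacker-controlled, so each is checked
// against the bytes that actually remain before anything is read.
func WalkBSON(doc []byte) ([]Element, error) {
	if len(doc) < 5 {
		return nil, errors.New("document shorter than the 5-byte minimum")
	}
	total := int32(binary.LittleEndian.Uint32(doc[0:4]))
	if total < 5 || int64(total) != int64(len(doc)) {
		return nil, fmt.Errorf("declared length %d does not match buffer length %d", total, len(doc))
	}
	if doc[len(doc)-1] != 0x00 {
		return nil, errors.New("missing document terminator")
	}
	var elems []Element
	pos := 4
	for pos < len(doc) {
		t := doc[pos]
		pos++
		if t == 0x00 {
			if pos != len(doc) {
				return nil, errors.New("trailing bytes after terminator")
			}
			return elems, nil
		}
		// Element name: a NUL-terminated cstring that must end inside the buffer.
		end := bytes.IndexByte(doc[pos:], 0x00)
		if end < 0 {
			return nil, errors.New("unterminated element name")
		}
		name := string(doc[pos : pos+end])
		pos += end + 1
		remaining := len(doc) - pos
		var value interface{}
		switch t {
		case 0x02: // UTF-8 string: int32 length (counts the trailing NUL), bytes, NUL
			if remaining < 4 {
				return nil, fmt.Errorf("string %q: truncated length field", name)
			}
			n := int32(binary.LittleEndian.Uint32(doc[pos : pos+4]))
			pos += 4
			remaining -= 4
			// A negative or oversized length is what turns the later copy or
			// UTF-8 validation into a heap over-read; refuse it here.
			if n < 1 || int64(n) > int64(remaining) {
				return nil, fmt.Errorf("string %q: length %d exceeds %d remaining bytes", name, n, remaining)
			}
			if doc[pos+int(n)-1] != 0x00 {
				return nil, fmt.Errorf("string %q: missing NUL terminator", name)
			}
			value = string(doc[pos : pos+int(n)-1])
			pos += int(n)
		case 0x10: // int32
			if remaining < 4 {
				return nil, fmt.Errorf("int32 %q: truncated", name)
			}
			value = int32(binary.LittleEndian.Uint32(doc[pos : pos+4]))
			pos += 4
		default:
			return nil, fmt.Errorf("element %q: unsupported type 0x%02x", name, t)
		}
		elems = append(elems, Element{Name: name, Type: t, Value: value})
	}
	return nil, errors.New("ran past end of document without terminator")
}

// AppendFits reports whether adding addLen bytes to a docLen-byte document stays
// within BSON's INT32_MAX limit; an append routine must check this before growing
// its buffer. int64 arithmetic keeps the check itself from overflowing.
func AppendFits(docLen, addLen int64) bool {
	if docLen < 0 || addLen < 0 {
		return false
	}
	return addLen <= math.MaxInt32-docLen
}

// Sample documents, constructed by hand for this example.
var (
	// {"a": "hi", "n": 7}
	GoodDoc = []byte{
		0x16, 0, 0, 0, // total length 22
		0x02, 'a', 0, 3, 0, 0, 0, 'h', 'i', 0, // string "hi", length 3 incl. NUL
		0x10, 'n', 0, 7, 0, 0, 0, // int32 7
		0, // terminator
	}
	// Same document, but the string length field claims 0x7fffffff bytes.
	CraftedDoc = []byte{
		0x16, 0, 0, 0,
		0x02, 'a', 0, 0xff, 0xff, 0xff, 0x7f, 'h', 'i', 0,
		0x10, 'n', 0, 7, 0, 0, 0,
		0,
	}
)

func main() {
	fmt.Println(WalkBSON(GoodDoc))
	fmt.Println(WalkBSON(CraftedDoc))
}
```

The walker only needs the string and int32 cases to show the pattern; the same "compare the declared length with what remains, before reading" check applies to every BSON type that carries a length (binary, embedded documents, arrays, code-with-scope).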

For Debian 11 bullseye, these problems have been fixed in version
0.8.4-1+deb11u1.

We recommend that you upgrade your libbson-xs-perl packages.

For the detailed security status of libbson-xs-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libbson-xs-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4161-1] simplesamlphp security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4161-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
May 09, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : simplesamlphp
Version : 1.19.0-1+deb11u2
CVE ID : CVE-2025-27773
Debian Bug : 1100595

A vulnerability has been discovered in SimpleSAMLphp, a framework for
authentication, primarily via the SAML protocol.

CVE-2025-27773

The SimpleSAMLphp SAML2 library is a PHP library for SAML2
related functionality. Prior to versions 4.17.0 and 5.0.0-alpha.20,
there is a signature confusion attack in the HTTPRedirect binding.
An attacker with any signed SAMLResponse via the HTTP-Redirect
binding can cause the application to accept an unsigned message.
Versions 4.17.0 and 5.0.0-alpha.20 contain a fix for the issue.
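As an added example (not SimpleSAMLphp or saml2 code), the following Go program implements both sides of the HTTP-Redirect binding's signing as the SAML 2.0 bindings specification describes it: the sender signs the exact query-string form of SAMLResponse, RelayState and SigAlg, and the receiver refuses any message without a Signature parameter, verifies over the raw (still URL-encoded) query values, and only then decodes the message from the very value it verified. The duplicate-parameter check in rawParams is a general hardening; the advisory does not describe how the confusion in CVE-2025-27773 arises and this code does not claim to reproduce it. The key, message and RelayState are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// EncodeRedirect is the sender side: deflate and base64 the XML, build the exact
// query-string form "SAMLResponse=...&RelayState=...&SigAlg=..." that the
// HTTP-Redirect binding signs, and append the Signature parameter.
func EncodeRedirect(key *rsa.PrivateKey, xml, relayState string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level, err is nil
	w.Write([]byte(xml))
	w.Close()
	signed := "SAMLResponse=" + url.QueryEscape(base64.StdEncoding.EncodeToString(buf.Bytes()))
	if relayState != "" {
		signed += "&RelayState=" + url.QueryEscape(relayState)
	}
	signed += "&SigAlg=" + url.QueryEscape(SigAlgRSASHA256)
	digest := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// rawParams splits the query string without decoding values, so the receiver
// verifies exactly the bytes the sender signed. A repeated name is refused:
// otherwise the copy the signature covers and the copy a web framework hands
// the application could be different values.
func rawParams(query string) (map[string]string, error) {
	out := make(map[string]string)
	for _, pair := range strings.Split(query, "&") {
		if pair == "" {
			continue
		}
		name, value, _ := strings.Cut(pair, "=")
		if _, dup := out[name]; dup {
			return nil, fmt.Errorf("duplicate query parameter %q", name)
		}
		out[name] = value
	}
	return out, nil
}

// DecodeRedirect is the receiver side: insist on a signature, verify it over the
// raw query values, and only then inflate the SAMLResponse value it verified.
func DecodeRedirect(pub *rsa.PublicKey, query string) (string, error) {
	p, err := rawParams(query)
	if err != nil {
		return "", err
	}
	rawMsg, ok := p["SAMLResponse"]
	if !ok {
		return "", errors.New("missing SAMLResponse")
	}
	rawSig, ok := p["Signature"]
	if !ok {
		return "", errors.New("unsigned message rejected")
	}
	if alg, _ := url.QueryUnescape(p["SigAlg"]); alg != SigAlgRSASHA256 {
		return "", errors.New("missing or unsupported SigAlg")
	}
	signed := "SAMLResponse=" + rawMsg
	if rs, ok := p["RelayState"]; ok {
		signed += "&RelayState=" + rs
	}
	signed += "&SigAlg=" + p["SigAlg"]
	sigB64, _ := url.QueryUnescape(rawSig) // a bad escape yields "" and fails below
	sig, _ := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(signed))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	msgB64, _ := url.QueryUnescape(rawMsg)
	deflated, err := base64.StdEncoding.DecodeString(msgB64)
	if err != nil {
		return "", err
	}
	xml, err := io.ReadAll(flate.NewReader(bytes.NewReader(deflated)))
	return string(xml), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	q, _ := EncodeRedirect(key, `<samlp:Response ID="_r1"/>`, "app-state")
	fmt.Println(DecodeRedirect(&key.PublicKey, q))
	fmt.Println(DecodeRedirect(&key.PublicKey, q[:strings.Index(q, "&Signature=")]))
}
```

The order of operations in DecodeRedirect is the point: signature presence and validity are established over the raw query before any decoding, and the XML handed onward is inflated from the same rawMsg string that went into the signed data, so there is no second, unverified copy of the message for the application to act on.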

For Debian 11 bullseye, this problem has been fixed in version
1.19.0-1+deb11u2.

We recommend that you upgrade your simplesamlphp packages.

For the detailed security status of simplesamlphp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
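Each of the four advisories names the bullseye version that carries the fix. As an added example (not Debian's own tooling), the following Go program compares Debian version strings with dpkg's algorithm (epoch first, then upstream version, then revision, with digit runs compared numerically and '~' sorting before even the end of the string) and flags the packages from this digest whose installed version is older than the fixed one. The installed versions are constructed sample data; on a real host they would come from dpkg-query -W -f '${Package} ${Version}\n'.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// order is dpkg's sort weight for one byte of a version component: '~' sorts
// before everything including end-of-string (0), letters by ASCII, and any
// other non-digit after all letters.
func order(c byte) int {
	switch {
	case c == 0 || (c >= '0' && c <= '9'):
		return 0
	case (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'):
		return int(c)
	case c == '~':
		return -1
	default:
		return int(c) + 256
	}
}

func isDigit(c byte) bool { return c >= '0' && c <= '9' }

func at(s string, i int) byte {
	if i < len(s) {
		return s[i]
	}
	return 0
}

// verrevcmp compares an upstream version or a revision the way dpkg does:
// alternating non-digit runs (by order) and digit runs (numerically).
func verrevcmp(a, b string) int {
	i, j := 0, 0
	for i < len(a) || j < len(b) {
		firstDiff := 0
		for (i < len(a) && !isDigit(a[i])) || (j < len(b) && !isDigit(b[j])) {
			if ac, bc := order(at(a, i)), order(at(b, j)); ac != bc {
				return ac - bc
			}
			i++
			j++
		}
		for i < len(a) && a[i] == '0' {
			i++
		}
		for j < len(b) && b[j] == '0' {
			j++
		}
		for i < len(a) && isDigit(a[i]) && j < len(b) && isDigit(b[j]) {
			if firstDiff == 0 {
				firstDiff = int(a[i]) - int(b[j])
			}
			i++
			j++
		}
		if i < len(a) && isDigit(a[i]) {
			return 1
		}
		if j < len(b) && isDigit(b[j]) {
			return -1
		}
		if firstDiff != 0 {
			return firstDiff
		}
	}
	return 0
}

// splitVersion separates [epoch:]upstream[-revision]; the revision follows the
// last hyphen, the epoch precedes the first colon and defaults to 0.
func splitVersion(v string) (epoch int, upstream, revision string) {
	if i := strings.Index(v, ":"); i >= 0 {
		epoch, _ = strconv.Atoi(v[:i])
		v = v[i+1:]
	}
	if i := strings.LastIndex(v, "-"); i >= 0 {
		return epoch, v[:i], v[i+1:]
	}
	return epoch, v, ""
}

// CompareDebianVersions returns -1, 0 or 1 as a is older than, equal to or
// newer than b.
func CompareDebianVersions(a, b string) int {
	ea, ua, ra := splitVersion(a)
	eb, ub, rb := splitVersion(b)
	c := ea - eb
	if c == 0 {
		c = verrevcmp(ua, ub)
	}
	if c == 0 {
		c = verrevcmp(ra, rb)
	}
	switch {
	case c < 0:
		return -1
	case c > 0:
		return 1
	}
	return 0
}

// FixedVersions are the bullseye versions named in the four DLAs above.
var FixedVersions = map[string]string{
	"fossil":          "1:2.15.2-1+deb11u1",
	"postgresql-13":   "13.21-0+deb11u1",
	"libbson-xs-perl": "0.8.4-1+deb11u1",
	"simplesamlphp":   "1.19.0-1+deb11u2",
}

// Outdated returns, sorted, the installed packages still older than the fix.
func Outdated(installed map[string]string) []string {
	var out []string
	for pkg, fixed := range FixedVersions {
		if have, ok := installed[pkg]; ok && CompareDebianVersions(have, fixed) < 0 {
			out = append(out, pkg)
		}
	}
	sort.Strings(out)
	return out
}

// SampleInstalled is constructed sample data, not real dpkg-query output.
var SampleInstalled = map[string]string{
	"fossil":          "1:2.15.2-1",
	"postgresql-13":   "13.21-0+deb11u1",
	"libbson-xs-perl": "0.8.4-1",
	"simplesamlphp":   "1.19.0-1+deb11u1",
}

func main() {
	fmt.Println("still vulnerable:", Outdated(SampleInstalled))
}
```

A plain string comparison would get several of these wrong (13.21 sorts below 13.9 lexically, and the epoch on fossil's version would be ignored), which is why the dpkg rules are reproduced rather than approximated.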