Debian 10158 Published by

The following security updates are available for Debian GNU/Linux:

Debian GNU/Linux 10 LTS (Buster):
[DLA 3844-1] git security update

Debian GNU/Linux 11 (Bullseye):
[DSA 5721-1] ffmpeg security update

Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[DSA 5722-1] libvpx security update



[DLA 3844-1] git security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3844-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
June 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : git
Version : 1:2.20.1-2+deb10u9
CVE ID : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug : 1034835 1071160

Multiple vulnerabilities were found in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

It was possible to bypass the previous check for this vulnerability
using parallel cloning, or the --recurse-submodules option to
git-checkout(1).

CVE-2023-25652

Feeding specially-crafted input to 'git apply --reject' could
overwrite a path outside the working tree with partially controlled
contents, corresponding to the rejected hunk or hunks from the given
patch.

CVE-2023-25815

Low-privileged users could inject malicious messages into Git's
output under MINGW.

CVE-2023-29007

A specially-crafted .gitmodules file with submodule URLs longer than
1024 characters could be used to inject arbitrary configuration into
$GIT_DIR/config.

CVE-2024-32002

Repositories with submodules could be specially-crafted to write
hooks into .git/ which would then be executed during an ongoing
clone operation.

CVE-2024-32004

A specially-crafted local repository could cause the execution of
arbitrary code when cloned by another user.

CVE-2024-32021

When cloning a local repository that contains symlinks via the
filesystem, Git could have created hardlinks to arbitrary
user-readable files on the same filesystem as the target repository
in the objects/ directory.

CVE-2024-32465

When cloning a local repository obtained from a downloaded archive,
hooks in that repository could be used for arbitrary code execution.

For Debian 10 buster, these problems have been fixed in version
1:2.20.1-2+deb10u9.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5722-1] libvpx security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5722-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 26, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libvpx
CVE ID : CVE-2024-5197

It was discovered that multiple integer overflows in libvpx, a
multimedia library for the VP8 and VP9 video codecs, may result in
denial of service and potentially the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.9.0-1+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in
version 1.12.0-1+deb12u3.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvpx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5721-1] ffmpeg security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5721-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 26, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2022-48434 CVE-2023-50010 CVE-2023-51793
CVE-2023-51794 CVE-2023-51798

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (bullseye), these problems have been fixed
in version 7:4.3.7-0+deb11u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/