Debian 10236 Published by

Debian GNU/Linux Extended LTS has been updated with security enhancements, including ELA-1216-1 for graphicsmagick, ELA-1218-1 for asterisk, and ELA-1217-1 for asterisk:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1216-1 graphicsmagick security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1218-1 asterisk security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1217-1 asterisk security update




ELA-1216-1 graphicsmagick security update

Package : graphicsmagick
Version : 1.3.20-3+deb8u14 (jessie)

Related CVEs :
CVE-2020-21679

It was discovered that a buffer overflow in GraphicsMagick, a collection
of image processing tools, could result in denial of service or potentially
in the execution of arbitrary code when converting crafted images to the PCX
format.

ELA-1216-1 graphicsmagick security update


ELA-1218-1 asterisk security update

Package : asterisk
Version : 1:13.14.1~dfsg-2+deb9u10 (stretch)

Related CVEs :
CVE-2024-42365

One issues have been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365
Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about ths can be found at:
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html
Please be aware that this fix explicitly sets the gid of the asterisk process to “asterisk”.
In case you added the user asterisk to other groups, please update your systemd service file accordingly.
~

ELA-1218-1 asterisk security update


ELA-1217-1 asterisk security update

Package : asterisk
Version : 1:16.28.0~dfsg-0+deb10u5 (buster)

Related CVEs :

CVE-2024-42365
CVE-2024-42491

Two issues have been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365
Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

CVE-2024-42491
Due to bad handling of malformed Contact or Record-Route URI in an
incoming SIP request, Asterisk might crash when res_resolver_unbound
is used.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about ths can be found at:
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html
Please be aware that this fix explicitly sets the gid of the asterisk process to “asterisk”.
In case you added the user asterisk to other groups, please update your systemd service file accordingly.

ELA-1217-1 asterisk security update