
The following updates have been released for Debian GNU/Linux:

[DSA 5590-1] haproxy security update
[DLA 3695-1] ansible security update
[DSA 5591-1] libssh security update
[DLA 3696-1] asterisk security update




[DSA 5590-1] haproxy security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5590-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 28, 2023 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : haproxy
CVE ID : CVE-2023-40225 CVE-2023-45539
Debian Bug : 1043502

Several vulnerabilities were discovered in HAProxy, a fast and reliable
load balancing reverse proxy, which can result in HTTP request smuggling
or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.2.9-2+deb11u6.

For the stable distribution (bookworm), these problems have been fixed in
version 2.6.12-1+deb12u1.

We recommend that you upgrade your haproxy packages.

For the detailed security status of haproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/haproxy

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3695-1] ansible security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3695-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
December 28, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ansible
Version : 2.7.7+dfsg-1+deb10u2
CVE ID : CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620
CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115
Debian Bug : 1053693

Ansible, a configuration management, deployment, and task execution system,
was affected by multiple vulnerabilities.

CVE-2019-10206

Fix a regression in test suite of CVE-2019-10206.

CVE-2021-3447

A flaw was found in several ansible modules, where parameters
containing credentials, such as secrets, were being logged in
plain-text on managed nodes, as well as being made visible on the
controller node when run in verbose mode. These parameters
were not protected by the no_log feature. An attacker can
take advantage of this information to steal those credentials,
provided they have access to the log files containing them.
The highest threat from this vulnerability is to data
confidentiality.

CVE-2021-3583

A flaw was found in Ansible, where
a user's controller is vulnerable to template injection.
This issue can occur through facts used in the template
if the user is trying to put templates in multi-line YAML
strings and the facts being handled do not routinely
include special template characters. This flaw allows
attackers to perform command injection, which discloses
sensitive information. The highest threat from this
vulnerability is to confidentiality and integrity.

CVE-2021-3620

A flaw was found in Ansible Engine's
ansible-connection module, where sensitive information
such as the Ansible user credentials is disclosed by
default in the traceback error message. The highest
threat from this vulnerability is to confidentiality.

CVE-2021-20178

A flaw was found in the ansible module snmp_fact, where
credentials are disclosed in the console log by default
and not protected by the security feature. This flaw
allows an attacker to steal privkey and authkey
credentials. The highest threat from this vulnerability
is to confidentiality.

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets,
are being disclosed in the console log by default and are not
protected by the no_log feature when using the Cisco nxos module.
An attacker can take advantage of this information to steal those
credentials. The highest threat from this vulnerability is
to data confidentiality.

CVE-2022-3697

A flaw was found in Ansible in the amazon.aws
collection when using the tower_callback parameter from the
amazon.aws.ec2_instance module. This flaw allows an attacker
to take advantage of this issue as the module is handling the
parameter insecurely, leading to the password leaking in the logs.

CVE-2023-5115

An absolute path traversal attack existed
in the Ansible automation platform. This flaw allows an
attacker to craft a malicious Ansible role and make the
victim execute the role. A symlink can be used to
overwrite a file outside of the extraction path.

For Debian 10 buster, these problems have been fixed in version
2.7.7+dfsg-1+deb10u2.

We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ansible

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
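
The CVE-2023-5115 entry above describes a role archive whose entries write outside the extraction path through absolute names or symlinks. The following is an added example, not code from Ansible or from the Debian fix: a pre-extraction check that lists every archive member that could land outside the destination directory. The function names, the sample archive and the paths are constructed for illustration.

```python
import io
import os
import tarfile

def unsafe_members(archive, dest):
    """Return (member name, reason) for entries that could write outside dest."""
    dest = os.path.realpath(dest)

    def escapes(rel):
        full = os.path.realpath(os.path.join(dest, rel))
        return os.path.commonpath([dest, full]) != dest

    findings = []
    for m in archive.getmembers():
        if os.path.isabs(m.name):
            findings.append((m.name, "absolute path"))
        elif escapes(m.name):
            findings.append((m.name, "path leaves extraction directory"))
        elif m.issym() or m.islnk():
            # Symlink targets resolve from the link's own directory,
            # hard-link targets from the archive root.
            base = os.path.dirname(m.name) if m.issym() else ""
            if os.path.isabs(m.linkname) or escapes(os.path.join(base, m.linkname)):
                findings.append((m.name, "link target outside extraction directory"))
        elif not (m.isfile() or m.isdir()):
            findings.append((m.name, "special file"))
    return findings

def build_sample():
    """Constructed archive: one ordinary file, one in-tree link, two hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"- debug:\n    msg: constructed sample\n"
        for name in ("demo_role/tasks/main.yml", "/constructed/outside.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (("demo_role/files/ok", "../tasks/main.yml"),
                             ("demo_role/files/conf", "../../../outside")):
            link = tarfile.TarInfo(name)
            link.type = tarfile.SYMTYPE
            link.linkname = target
            tar.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r:gz")

if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample(), "/tmp/role-extract-demo"):
        print(f"REJECT {name}: {reason}")
```

An archive with any finding should be rejected as a whole rather than extracted with the flagged members skipped, since later entries may rely on an earlier link.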



[DSA 5591-1] libssh security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5591-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 28, 2023 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libssh
CVE ID : CVE-2023-6004 CVE-2023-6918 CVE-2023-48795
Debian Bug : 1059004 1059059 1059061

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature
may allow an attacker to inject malicious code through specially
crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for
digests may result in denial of service (application crashes) or
usage of uninitialized memory.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that
the SSH protocol is prone to a prefix truncation attack, known as
the "Terrapin attack". This attack allows a MITM attacker to effect
a limited break of the integrity of the early encrypted SSH
transport protocol by sending extra messages prior to the
commencement of encryption, and deleting an equal number of
consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed
in version 0.9.8-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 0.10.6-0+deb12u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3696-1] asterisk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3696-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
December 28, 2023 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : asterisk
Version : 1:16.28.0~dfsg-0+deb10u4
CVE ID : CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786
Debian Bug : 1059303 1059032 1059033

Multiple security vulnerabilities have been discovered in Asterisk, an Open
Source Private Branch Exchange.

CVE-2023-37457

The 'update' functionality of the PJSIP_HEADER dialplan function can exceed
the available buffer space for storing the new value of a header. By doing
so this can overwrite memory or cause a crash. This is not externally
exploitable, unless dialplan is explicitly written to update a header based
on data from an outside source. If the 'update' functionality is not used
the vulnerability does not occur.

CVE-2023-38703

PJSIP is a free and open source multimedia communication library written in
C with high level API in C, C++, Java, C#, and Python languages. SRTP is a
higher level media transport which is stacked upon a lower level media
transport such as UDP and ICE. Currently a higher level transport is not
synchronized with its lower level transport that may introduce a
use-after-free issue. This vulnerability affects applications that have
SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use underlying media
transport other than UDP. This vulnerability’s impact may range from
unexpected application termination to control flow hijack/memory
corruption.

CVE-2023-49294

It is possible to read any arbitrary file even when the `live_dangerously`
option is not enabled.

CVE-2023-49786

Asterisk is susceptible to a DoS due to a race condition in the hello
handshake phase of the DTLS protocol when handling DTLS-SRTP for media
setup. This attack can be done continuously, thus denying new DTLS-SRTP
encrypted calls during the attack. Abuse of this vulnerability may lead to
a massive Denial of Service on vulnerable Asterisk servers for calls that
rely on DTLS-SRTP.

For Debian 10 buster, these problems have been fixed in version
1:16.28.0~dfsg-0+deb10u4.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
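
Each advisory above names the version in which its problems are fixed, and those strings use Debian's own ordering rules (an epoch in `1:16.28.0~dfsg-0+deb10u4`, a `~` that sorts before the end of the string, numeric rather than lexical comparison of `0.10.6` against `0.9.8`). The following is an added example, not part of the advisories: a small reimplementation of that ordering, used to decide whether an installed version is at or above the fixed one. The `FIXED` table is copied from this page; the function names are illustrative, and `dpkg --compare-versions` remains the authoritative comparison on a Debian host.

```python
import re
from itertools import zip_longest

# Fixed versions copied from the four advisories above: (source package, release).
FIXED = {
    ("haproxy", "bullseye"): "2.2.9-2+deb11u6",
    ("haproxy", "bookworm"): "2.6.12-1+deb12u1",
    ("ansible", "buster"): "2.7.7+dfsg-1+deb10u2",
    ("libssh", "bullseye"): "0.9.8-0+deb11u1",
    ("libssh", "bookworm"): "0.10.6-0+deb12u1",
    ("asterisk", "buster"): "1:16.28.0~dfsg-0+deb10u4",
}

def _order(ch):
    # Debian ordering: '~' sorts before end-of-string, then letters, then the rest.
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b),
                        fillvalue=("", ""))
    for (text_a, num_a), (text_b, num_b) in pairs:
        for ca, cb in zip_longest(text_a, text_b, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        na, nb = int(num_a or 0), int(num_b or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Return (epoch, upstream, revision); a missing epoch counts as 0."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, sep, revision = rest.rpartition("-")
    return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_patched(package, release, installed):
    """True when the installed version is at or above the advisory's fixed version."""
    return compare(installed, FIXED[(package, release)]) >= 0
```

The advisories list source package names, so feed the check from `dpkg-query -W -f='${source:Package} ${Version}\n'` rather than from binary package names.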