Debian 10253 Published by

Debian GNU/Linux has been updated with two security updates: ELA-1254-1 for icinga2 and DLA 3975-1 for proftpd-dfsg:

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1254-1 icinga2 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3975-1] proftpd-dfsg security update




ELA-1254-1 icinga2 security update

Package : icinga2
Version : 2.10.3-2+deb10u2 (buster)

Related CVEs :
CVE-2020-29663
CVE-2021-32739
CVE-2021-32743
CVE-2021-37698
CVE-2024-49369

Multiple vulnerabilities were discovered in icinga2, a general-purpose
monitoring application.

CVE-2020-29663
An issue was discovered where revoked certificates due for renewal were
automatically being renewed, ignoring the CRL.

CVE-2021-32739
A vulnerability was discovered that may allow privilege escalation for
authenticated API users. With a read-only user's credentials, an attacker can
view most attributes of all config objects including `ticket_salt` of
`ApiListener`. This salt is enough to compute a ticket for every possible
common name (CN). A ticket, the master node's certificate, and a self-signed
certificate are enough to successfully request the desired certificate from
Icinga. That certificate may in turn be used to steal an endpoint or API user's
identity.

CVE-2021-32743
Some of the Icinga 2 features that require credentials for external
services expose those credentials through the API to authenticated API users
with read permissions for the corresponding object types. IdoMysqlConnection
and IdoPgsqlConnection (every released version) exposes the password of the
user used to connect to the database. ElasticsearchWriter (added in 2.8.0)
exposes the password used to connect to the Elasticsearch server. An attacker
who obtains these credentials can impersonate Icinga to these services and add,
modify and delete information there.

CVE-2021-37698
ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do
not verify the server's certificate despite a certificate authority being
specified. Instances which connect to any of the mentioned time series
databases (TSDBs) using TLS over a spoofable infrastructure should change the
credentials (if any) used by the TSDB writer feature to authenticate against
the TSDB.

CVE-2024-49369
The TLS certificate validation in all Icinga 2 versions starting from
2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster
nodes as well as any API users that use TLS client certificates for
authentication (ApiUser objects with the `client_cn` attribute set).

ELA-1254-1 icinga2 security update


[SECURITY] [DLA 3975-1] proftpd-dfsg security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3975-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
November 29, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : proftpd-dfsg
Version : 1.3.7a+dfsg-12+deb11u3
CVE ID : CVE-2023-48795 CVE-2023-51713 CVE-2024-48651
Debian Bug : 1082326

ProFTPD a popular FTP server was affected by multiple
vulnerabilities.

CVE-2023-48795

The SSH transport protocol and variant like SFTP protocol used by
ProFTPD allowed remote attackers to bypass integrity checks
such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection
for which some security features have been downgraded or disabled,
aka a Terrapin attack.

CVE-2023-51713

make_ftp_cmd function has a one-byte out-of-bounds read,
because of mishandling of quote/backslash semantics.

CVE-2024-48651

In proftpd with mod_sftp and mod_sql, an user with
no supplemental groups will incorrectly inherit supplemental
groups from the parent process. This behavior resulted in users gaining supplemental
membership in nogroup, or depending of version root group (GID=0).

For Debian 11 bullseye, these problems have been fixed in version
1.3.7a+dfsg-12+deb11u3.

We recommend that you upgrade your proftpd-dfsg packages.

For the detailed security status of proftpd-dfsg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/proftpd-dfsg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS