Debian 10250 Published by

Debian GNU/Linux has received a number of security upgrades, including libreoffice, galera-4, php-twig, and expat:

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1181-1 libreoffice security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3890-1] galera-4 new upstream version

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5772-1] libreoffice security update
[SECURITY] [DSA 5771-1] php-twig security update
[SECURITY] [DSA 5770-1] expat security update




ELA-1181-1 libreoffice security update

Package : libreoffice
Version : 1:6.1.5-3+deb9u4 (stretch), 1:6.1.5-3+deb10u13 (buster)
Related CVEs :
CVE-2024-6472

LibreOffice, a popular office productivity software suite, was vulnerable:
the certificate validation user interface for signed macros could mislead the user.
Signed macros are scripts that have been digitally signed by the developer
using a cryptographic signature.
When a document with a signed macro is opened, LibreOffice displays a warning
before the macro is executed.
Previously, if signature verification failed, the warning did not make the failure
clear, so the user could fail to understand it and choose to enable the macros anyway.



[SECURITY] [DLA 3890-1] galera-4 new upstream version


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3890-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Otto Kekäläinen
September 17, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : galera-4
Version : 26.4.20-0+deb11u1

A new stable version was released for galera-4, a synchronous
multimaster replication engine for MySQL and MariaDB.

This fixes several issues detailed at:
https://github.com/codership/documentation/blob/master/release-notes/release-notes-galera-26.4.19.txt
https://github.com/codership/documentation/blob/master/release-notes/release-notes-galera-26.4.20.txt

For Debian 11 bullseye, the new release is available in version
26.4.20-0+deb11u1.

We recommend that you upgrade your galera-4 packages.

For the detailed security status of galera-4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/galera-4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5772-1] libreoffice security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5772-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2024-7788

Yufan You discovered that LibreOffice's handling of documents based on
ZIP archives was susceptible to spoofing attacks when the repair mode
attempts to address a malformed archive structure.

For additional information please refer to
https://www.libreoffice.org/about-us/security/advisories/cve-2024-7788/

For the stable distribution (bookworm), this problem has been fixed in
version 4:7.4.7-1+deb12u5.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5771-1] php-twig security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5771-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php-twig
CVE ID : CVE-2024-45411

Fabien Potencier discovered that under some conditions the sandbox
mechanism of Twig, a template engine for PHP, could be bypassed.

For the stable distribution (bookworm), this problem has been fixed in
version 3.5.1-1+deb12u1.

We recommend that you upgrade your php-twig packages.

For the detailed security status of php-twig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-twig

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5770-1] expat security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5770-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 17, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : expat
CVE ID : CVE-2024-45490 CVE-2024-45491 CVE-2024-45492

Shang-Hung Wan discovered multiple vulnerabilities in the Expat
XML parsing C library, which could result in denial of service or
potentially the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in
version 2.5.0-1+deb12u1.

We recommend that you upgrade your expat packages.

For the detailed security status of expat please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/expat

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
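A version check over the fixed versions stated in the advisories above, as an added example that is not part of the Debian advisories or of Debian's own tooling: it reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with "~" sorting before everything else) so the check runs on any host, parses dpkg-query output, and reports which of this page's updates a system still lacks. The source-to-binary package names (libreoffice-core for libreoffice, libexpat1 for expat) and the dpkg-query sample output are assumptions of the example.

```python
# Added example (not from the advisories above); its assumptions are marked below.
# Fixed versions stated in the advisories above: (suite, source package) -> version.
FIXED = {
    ("stretch", "libreoffice"): "1:6.1.5-3+deb9u4",    # ELA-1181-1
    ("buster", "libreoffice"): "1:6.1.5-3+deb10u13",   # ELA-1181-1
    ("bullseye", "galera-4"): "26.4.20-0+deb11u1",     # DLA-3890-1
    ("bookworm", "libreoffice"): "4:7.4.7-1+deb12u5",  # DSA-5772-1
    ("bookworm", "php-twig"): "3.5.1-1+deb12u1",       # DSA-5771-1
    ("bookworm", "expat"): "2.5.0-1+deb12u1",          # DSA-5770-1
}
# Binary package whose version tracks each source package (this example's
# assumption; adjust to what is actually installed on the host).
BINARY_FOR_SOURCE = {"libreoffice": "libreoffice-core", "galera-4": "galera-4",
                     "php-twig": "php-twig", "expat": "libexpat1"}
# Constructed sample of `dpkg-query -W --showformat='${Package}\t${Version}\n'`
# output: a bookworm host that has applied only the expat update.
SAMPLE_DPKG = ("libexpat1\t2.5.0-1+deb12u1\n"
               "php-twig\t3.5.1-1\n"
               "libreoffice-core\t4:7.4.7-1+deb12u4\n")

def _order(c: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """dpkg's ordering of one version part (upstream or Debian revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs: compare character by character using dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit runs: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    """Split '[epoch:]upstream[-revision]' as dpkg does; the last '-' starts the revision."""
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = version.rsplit("-", 1) if "-" in version else (version, "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def parse_dpkg(output: str) -> dict:
    """Turn 'Package<TAB>Version' lines into {package: version}."""
    pairs = (line.split("\t", 1) for line in output.splitlines() if line.strip())
    return {name: version.strip() for name, version in pairs}

def check_suite(suite: str, dpkg_output: str) -> list:
    """(binary, installed, fixed, status) for each advisory above that applies to suite."""
    installed = parse_dpkg(dpkg_output)
    rows = []
    for (adv_suite, source), fixed in FIXED.items():
        if adv_suite != suite:
            continue
        binary = BINARY_FOR_SOURCE[source]
        have = installed.get(binary)
        status = ("not-installed" if have is None
                  else "ok" if compare_versions(have, fixed) >= 0 else "vulnerable")
        rows.append((binary, have, fixed, status))
    return rows

if __name__ == "__main__":
    import sys
    # Real data: dpkg-query -W --showformat='${Package}\t${Version}\n' | python3 this_script.py bookworm
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DPKG
    suite = sys.argv[1] if len(sys.argv) > 1 else "bookworm"
    for binary, have, fixed, status in check_suite(suite, data):
        print(f"{binary:<18} installed={have!s:<22} fixed={fixed:<22} {status}")
```

On a Debian host, `dpkg --compare-versions` gives the same ordering and is the authoritative check; the reimplementation is here only so the script is self-contained. The two orderings that matter for backported fixes are visible in the sample: `3.5.1-1` sorts below `3.5.1-1+deb12u1` because the end of a string sorts below `+`, while `1.0~rc1` sorts below `1.0` because `~` sorts below the end of a string.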