Debian 10250 Published by

Debian GNU/Linux has received several security updates, including libreoffice, thunderbird, and samba:

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1203-1 samba security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3915-1] libreoffice security update
[SECURITY] [DLA 3916-1] thunderbird security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5789-1] thunderbird security update



[SECURITY] [DLA 3915-1] libreoffice security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3915-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
October 12, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libreoffice
Version : 1:7.0.4-4+deb11u11
CVE ID : CVE-2024-7788

Various file formats are based on the zip file format. In cases of
corruption of the underlying zip's central directory,
LibreOffice offers a "repair mode" which will attempt to
recover the zip file structure by scanning for secondary local
file headers in the zip to reconstruct the document.

Prior to this fix, in the case of digitally signed zip files,
an attacker could construct a document which, when repaired,
reported a signature status not valid for the recovered file.

Previously if verification failed the user could choose
to ignore the failure and enable the macros anyway.

Repair document mode has to be inherently tolerant,
so now in fixed versions all signatures are implied to
be invalid in recovery mode.
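As an added illustration of the recovery-mode policy described above (example code written for this digest, not LibreOffice's own implementation): a Python check that decides whether a zip-based package's central directory is intact, and if it is not, reports the signature status as invalid before any verification is attempted. The package contents and the corruption fixture are constructed for the example; the signature stream name follows the ODF convention.

```python
import io
import struct
import zipfile
SIG_FILE = "META-INF/documentsignatures.xml"  # ODF signature stream

def build_sample_package() -> bytes:
    """Constructed sample: a minimal ODF-style package carrying a signature stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr(SIG_FILE, "<Signature/>")  # placeholder, not a real XML-DSig
    return buf.getvalue()

def central_directory_consistent(data: bytes) -> bool:
    """True only if the EOCD record exists and every central directory entry points
    at a local file header with the same name; anything else needs 'repair mode'."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0 or len(data) - eocd < 22:
        return False
    n_entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            return False
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len]
        if data[local_off:local_off + 4] != b"PK\x03\x04":
            return False
        local_name_len = struct.unpack_from("<H", data, local_off + 26)[0]
        if data[local_off + 30:local_off + 30 + local_name_len] != name:
            return False
        pos += 46 + name_len + extra_len + comment_len
    return pos == cd_offset + cd_size

def signature_status(data: bytes) -> str:
    """Policy from the fix: a recovered package gets no trusted signature at all."""
    if not central_directory_consistent(data):
        return "invalid (recovery mode)"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # intact: real verifier runs here
        return "verify" if SIG_FILE in zf.namelist() else "unsigned"

def corrupt_central_directory(data: bytes) -> bytes:
    """Constructed test fixture: clobber the first central directory header."""
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return data[:cd_offset] + b"\0\0\0\0" + data[cd_offset + 4:]
```

The point of the ordering is that the structural check runs before the signature stream is ever read, so a document that only opens through header scanning can never be reported as validly signed.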

For Debian 11 bullseye, this problem has been fixed in version
1:7.0.4-4+deb11u11.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3916-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3916-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 12, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:115.16.0esr-1~deb11u1
CVE ID : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401
CVE-2024-9680

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:115.16.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5789-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5789-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 12, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2024-9392 CVE-2024-9393 CVE-2024-9394 CVE-2024-9401
CVE-2024-9680

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in
version 1:115.16.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1203-1 samba security update

Package : samba
Version : 2:4.5.16+dfsg-1+deb9u5 (stretch)

Related CVEs :
CVE-2016-2124
CVE-2020-25717
CVE-2021-44142
CVE-2022-2127
CVE-2022-3437
CVE-2022-32742
CVE-2023-4091

Several vulnerabilities were discovered in Samba, a SMB/CIFS file,
print, and login server for Unix.

CVE-2016-2124
A flaw was found in the way samba implemented SMB1 authentication. An
attacker could use this flaw to retrieve the plaintext password sent over
the wire even if Kerberos authentication was required.

CVE-2020-25717
Andrew Bartlett reported that Samba may map domain users to local
users in an undesired way, allowing for privilege escalation. The
update introduces a new parameter "min domain uid" (defaulting to 1000)
so that a UNIX uid below this value is not accepted for a domain user.

CVE-2021-44142
Orange Tsai reported an out-of-bounds heap write vulnerability in
the VFS module vfs_fruit, which could result in remote execution of
arbitrary code as root.

CVE-2022-2127
Out-of-bounds read in winbind AUTH_CRAP.

CVE-2022-3437
Heimdal des/des3 heap-based buffer overflow.

CVE-2022-32742
Server memory information leak via SMB1.

CVE-2023-4091
Client can truncate files even with read-only permissions.
