Debian 10216 Published by

The following security updates have been released for Debian GNU/Linux:

[DSA 5638-1] libuv1 security update
[DLA 3756-1] wordpress security update
[DLA 3757-1] nss security update
ELA-1054-1 nss security update




[DSA 5638-1] libuv1 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5638-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 10, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libuv1
CVE ID : CVE-2024-24806
Debian Bug : 1063484

It was discovered that the uv_getaddrinfo() function in libuv, an
asynchronous event notification library, incorrectly truncated certain
hostnames, which may result in bypass of security measures on internal
APIs or SSRF attacks.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.40.0-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.44.2-1+deb12u1.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3756-1] wordpress security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3756-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
March 10, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : wordpress
Version : 5.0.21+dfsg1-0+deb10u1
CVE ID : not yet available

Two security vulnerabilities have been discovered in Wordpress, a
popular content management framework, a PHP File Upload bypass via the plugin
installer and a possible remote code execution vulnerability which requires
an attacker to control all the properties of a deserialized object. No CVE have
been assigned for these problems yet.

https://wordpress.org/news/2024/01/wordpress-6-4-3-maintenance-and-security-release/

For Debian 10 buster, this problem has been fixed in version
5.0.21+dfsg1-0+deb10u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3757-1] nss security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3757-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
March 10, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nss
Version : 2:3.42.1-1+deb10u8
CVE ID : CVE-2023-5388 CVE-2024-0743
Debian Bug : 1056284

Multiple vulnerabilities were found in nss, a set of libraries designed
to support cross-platform development of security-enabled client and
server applications.

CVE-2023-5388

Timing attack against RSA decryption in TLS. This vulnerablity has been
named The Marvin Attack.

CVE-2024-0743

An unchecked return value in TLS handshake code could have caused a
potentially exploitable crash.

For Debian 10 buster, these problems have been fixed in version
2:3.42.1-1+deb10u8.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1054-1 nss security update

Package : nss
Version : 2:3.26-1+debu8u18 (jessie), 2:3.26.2-1.1+deb9u7 (stretch)

Related CVEs :
CVE-2023-5388
CVE-2024-0743

Multiple vulnerabilities were found in nss, a set of libraries designed
to support cross-platform development of security-enabled client and
server applications.

CVE-2023-4421
A fuzzing project discovered vulnerabilities to Bleichenbacher
timing attacks in NSS's facilities for RSA cryptography.

CVE-2023-5388
A timing attack against RSA decryption in TLS. This vulnerablity has been
named The MArvin Attack a Bleichenbacher-like vulernability.

CVE-2024-0743
An unchecked return value in TLS handshake code could have caused a
potentially exploitable crash.

ELA-1054-1 nss security update