[DLA 3776-1] nodejs security update
ELA-1068-1 curl security update
[DLA 3776-1] nodejs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3776-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nodejs
Version : 10.24.0~dfsg-1~deb10u4
CVE ID : CVE-2023-30590 CVE-2023-46809 CVE-2024-22025
Debian Bug : 1039990 1064055
Vulnerabilities have been found in Node.js, which could lead to denial
of service or information disclosure.
CVE-2023-30590
Ben Smyth reported an inconsistency between implementation and
documented design of the The generateKeys() API function, which
only generates missing (or outdated) keys, that is, it only
generates a private key if none has been set yet.
The documented behavior has been updated to reflect the current
implementation.
CVE-2023-46809
It was discovered that Node.js was vulnerable to the Marvin Attack,
allowing a covert timing side-channel during PKCS#1 v1.5 padding
error handling. An attacker could remotely exploit the
vulnerability to decrypt captured RSA ciphertexts or forge
signatures, especially in scenarios involving API endpoints
processing Json Web Encryption messages.
The fix disables RSA_PKCS1_PADDING for crypto.privateDecrypt(), and
includes a security revert flag that can be used to restore support
(and the vulnerability).
CVE-2024-22025
It was discovered that Node.js was vulnerable to Denial of Service
by resource exhaustion in fetch() brotli decoding.
For Debian 10 buster, these problems have been fixed in version
10.24.0~dfsg-1~deb10u4.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1068-1 curl security update
Package : curl
Version : 7.52.1-5+deb9u21 (stretch)
Related CVEs :
CVE-2023-27534
CVE-2023-28321
CVE-2023-28322
CVE-2023-46218
curl, a tool for transferring data using various network protocols, was vulnerable.
CVE-2023-27534
A path traversal vulnerability existed in curl implementation that causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
CVE-2023-28321
An improper certificate validation vulnerability existed in curl in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" (SNA) in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`.
CVE-2023-28322
An information disclosure vulnerability existed in curl when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.
CVE-2023-46218
This flaw allowed a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.
