Debian 10253 Published by

Debian GNU/Linux has implemented a series of security updates, which include DLA 3942- for openssl, DSA 5801-1 for firefox-esr, DLA 3943-1, ELA-1223-1 for xorg-server, ELA-1222-1 for ffmpeg, and ELA-1221-1 for mariadb-10.1:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1223-1 xorg-server security update
ELA-1222-1 ffmpeg security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1221-1 mariadb-10.1 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3942-1] openssl security update
[DLA 3943-1] firefox-esr security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5801-1] firefox-esr security update



[SECURITY] [DLA 3942-1] openssl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3942-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
October 31, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openssl
Version : 1.1.1n-0+deb11u6
CVE ID : CVE-2023-5678 CVE-2024-0727 CVE-2024-2511 CVE-2024-4741
CVE-2024-5535 CVE-2024-9143
Debian Bug : 1055473 1061582 1068658 1072113 1074487 1085378

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2023-5678

A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727

A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511

A denial of service could occur when the SSL_OP_NO_TICKET flag is
set, with TLSv1.3.

CVE-2024-4741

A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535

Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory
contents to be sent to the peer.

CVE-2024-9143

Use of the low-level GF(2^m) elliptic curve APIs with untrusted
explicit values for the field polynomial can lead to out-of-bounds
memory reads or writes. This could lead to information disclosure
or possibly remote code execution.

For Debian 11 bullseye, these problems have been fixed in version
1.1.1n-0+deb11u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5801-1] firefox-esr security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5801-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 31, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : firefox-esr
CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461
CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465
CVE-2024-10466 CVE-2024-10467

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, cross-site scripting, spoofing or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 128.4.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3943-1] firefox-esr security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3943-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
October 31, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : firefox-esr
Version : 128.4.0esr-1~deb11u1
CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461
CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465
CVE-2024-10466 CVE-2024-10467

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, cross-site scripting, spoofing or information disclosure.

For Debian 11 bullseye, these problems have been fixed in version
128.4.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1223-1 xorg-server security update

Package : xorg-server
Version : 2:1.16.4-1+deb8u17 (jessie), 2:1.19.2-1+deb9u20 (stretch), 2:1.20.4-1+deb10u15 (buster)

Related CVEs :
CVE-2024-9632

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative found an
issue in the X server and Xwayland implementations published by X.Org.
CVE-2024-9632 can be triggered by providing a modified bitmap to the X.Org
server. This may lead to local privilege escalation if the server is run
as root or remote code execution (e.g. x11 over ssh).

ELA-1223-1 xorg-server security update


ELA-1222-1 ffmpeg security update

Package : ffmpeg
Version : 7:3.2.19-0+deb9u5 (stretch), 7:4.1.11-0+deb10u2 (buster)

Related CVEs :
CVE-2020-20898
CVE-2020-22040
CVE-2020-22051
CVE-2020-22056
CVE-2021-38090
CVE-2021-38091
CVE-2021-38092
CVE-2021-38093
CVE-2021-38094
CVE-2022-48434
CVE-2023-49502
CVE-2023-50010
CVE-2023-51793
CVE-2023-51794
CVE-2023-51798
CVE-2024-31578
CVE-2024-32230

Multiple vulnerabilities have been fixed in the FFmpeg multimedia framework.

CVE-2020-20898 (buster)
avfilter/vf_convolution integer overflow

CVE-2020-22040
avfilter/f_reverse memory leaks

CVE-2020-22051 (buster)
avfilter/vf_tile memory leak

CVE-2020-22056 (buster)
avfilter/af_acrossover memory leak

CVE-2021-38090 (buster)
avfilter/vf_convolution integer overflow

CVE-2021-38091 (buster)
avfilter/vf_convolution integer overflow

CVE-2021-38092 (buster)
avfilter/vf_convolution integer overflow

CVE-2021-38093 (buster)
avfilter/vf_convolution integer overflow

CVE-2021-38094 (buster)
avfilter/vf_convolution integer overflow

CVE-2022-48434 (buster)
lavc/pthread_frame hwaccel use-after-free

CVE-2023-49502
avfilter/bwdif buffer overflow

CVE-2023-50010 (buster)
avfilter/vf_gradfun buffer overflow

CVE-2023-51793 (buster)
avfilter/vf_weave buffer overflow

CVE-2023-51794 (buster)
avfilter/af_stereowiden buffer overflow

CVE-2023-51798 (buster)
avfilter/vf_minterpolate floating point exception

CVE-2024-31578 (buster)
avutil/hwcontext use-after-free

CVE-2024-32230
avcodec/mpegvideo_enc buffer overflow

ELA-1222-1 ffmpeg security update


ELA-1221-1 mariadb-10.1 security update

Package : mariadb-10.1
Version : 10.1.48-0+deb9u5 (stretch)

Related CVEs :
CVE-2022-31621
CVE-2022-31623
CVE-2022-31624
CVE-2022-47015
CVE-2024-21096

Several vulnerabilities have been fixed in MariaDB, a popular database server.

CVE-2022-31621
In extra/mariabackup/ds_xbstream.cc, when an error occurs
(stream_ctxt->dest_file == NULL) while executing the method xbstream_open,
the held lock is not released correctly, which allows local users
to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-31623
In extra/mariabackup/ds_compress.cc, when an error occurs
(i.e., going to the err label) while executing the method
create_worker_threads, the held lock thd->ctrl_mutex is not released
correctly, which allows local users to trigger a Denial of Service (DoS)
due to the deadlock.

CVE-2022-31624
While executing the plugin/server_audit/server_audit.c method log_statement_ex,
the held lock lock_bigbuffer is not released correctly, which allows local
users to trigger a Denial of Service (DoS) due to the deadlock.

CVE-2022-47015
It is possible for function spider_db_mbase::print_warnings to dereference
a null pointer, thus triggering a Denial of Service (DoS).

CVE-2024-21096
A difficult to exploit vulnerability allows unauthenticated
attacker with logon to the infrastructure where MariaDB Server
executes to compromise MariaDB Server.
Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of
MariaDB Server accessible data as well as unauthorized
read access to a subset of MariaDB Server accessible
data and unauthorized ability to cause a partial
denial of service (partial DoS)

Note that fixes related to CVE-2024-21096 may break forwards and backwards
compatibility in certain situations when doing logical backup and restore
with plain SQL files (e.g. when using mariadb-dump or mysqldump).
The MariaDB client now has the command-line option --sandbox and the
MariaDB client database prompt command \-. This enables sandbox mode for
the rest of the session, until disconnected. Once in sandbox mode, any
command that could do something on the shell is disabled.
Additionally mysqldump now adds the following command inside a comment
at the very top of the logical SQL file to trigger sandbox mode:
/*M!999999\- enable the sandbox mode */

Newer version of MariaDB clients strip away the backslash and dash (-), and
then tries to execute the internal command with a dash.
Older versions of MariaDB client and all versions of MySQL client considers
this a comment, and will ignore it. There may however be situations where
importing logical SQL dump files may fail due to this, so users should be
advised.
Users are best protected from both security issues and interoperability
issues by using the latest mariadb-dump shipped in MariaDB 11.4.3, 10.11.9,
10.6.19 and 10.5.26. The CVE-2024-21096 was officially fixed already in
11.4.2, but the latest batch of MariaDB minor maintenance releases include
further improvements on the sandbox mode. For buster ELTS this CVE
was fixed in verson 1:10.3.39-0+deb10u3.
Note that the mariadb-dump can be used to make the logical backups from
both MariaDB and MySQL servers. Also the mariadb client program can connect
to both MariaDB and MySQL servers and import those SQL dump files.

ELA-1221-1 mariadb-10.1 security update