Debian 10253 Published by

The following security updates are available for Debian GNU/Linux:

Debian GNU/Linux 8 Extended LTS (Jessie):
ELA-1082-1 phpmyadmin security update

Debian GNU/Linux 9 Extended LTS (Stretch):
ELA-1083-1 qtbase-opensource-src security update

Debian GNU/Linux 10 LTS (Buster):
[DLA 3802-1] org-mode security update
[DLA 3805-1] qtbase-opensource-src security update
[DLA 3804-1] nghttp2 security update
[3803-1] astropy security update




[DLA 3802-1] org-mode security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3802-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
April 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : org-mode
Version : 9.1.14+dfsg-3+deb10u2
CVE ID : CVE-2024-30203 CVE-2024-30204 CVE-2024-30205
Debian Bug : 1067663

Multiple problems were discovered in Org-mode, a GNU Emacs major mode
for keeping notes, authoring documents, and maintaining to-do lists.

CVE-2024-30203 & CVE-2024-30204

In Emacs before 29.3, LaTeX preview is enabled by default for e-mail
attachments in some Emacs MUAs. This can lead to denial of service.

(A request has been submitted to MITRE to merge these CVE numbers.)

CVE-2024-30205

In Emacs before 29.3, Org mode considers the contents of remote
files to be trusted. This affects Org Mode before 9.6.23.

For Debian 10 buster, these problems have been fixed in version
9.1.14+dfsg-3+deb10u2.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1082-1 phpmyadmin security update

Package : phpmyadmin
Version : 4:4.2.12-2+deb8u12 (jessie)

Related CVEs :
CVE-2020-22452

A potential SQL injection vulnerability was discovered in phpmyadmin, the
popular MySQL web administration tool.
This could have been exploited by a malicious storage engine value.

ELA-1082-1 phpmyadmin security update


[DLA 3805-1] qtbase-opensource-src security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3805-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
May 01, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : qtbase-opensource-src
Version : 5.11.3+dfsg1-1+deb10u6
CVE ID : CVE-2023-24607 CVE-2023-32762 CVE-2023-32763
CVE-2023-33285 CVE-2023-37369 CVE-2023-38197
CVE-2023-51714

Several issues have been found in qtbase-opensource-src, a collection of
several Qt modules/libraries.
The issues are related to buffer overflows, infinite loops or application
crashs due to processing of crafted input files.

For Debian 10 buster, these problems have been fixed in version
5.11.3+dfsg1-1+deb10u6.

We recommend that you upgrade your qtbase-opensource-src packages.

For the detailed security status of qtbase-opensource-src please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qtbase-opensource-src

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3804-1] nghttp2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3804-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
April 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nghttp2
Version : 1.36.0-2+deb10u3
CVE ID : CVE-2024-28182
Debian Bug : 1068415

Bartek Nowotarskis discovered that nghttp2, a set of programs
implementing the HTTP/2, keeps reading CONTINUATION frames even after a
stream is reset to keep HPACK context in sync. This causes excessive
CPU usage to decode HPACK stream, which could lead to Denial of Service.

The issue is mitigated by limiting the number of CONTINUATION frames it
can accept after a HEADERS frame. The limit is configurable and
defaults to 8.

For Debian 10 buster, this problem has been fixed in version
1.36.0-2+deb10u3.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[3803-1] astropy security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3803-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
April 30, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : astropy
Version : 3.1.2-2+deb10u1
CVE ID : CVE-2023-41334

It was discovered that there was a potential remote code execution
vulnerability in Astropy, a suite of tools, utilities and Python
utilities for astrophysics.

Improper input validation in the TranformGraph().to_dot_graph
function could have led to arbitary command execution as values were
passed as the first argument to subprocess.Popen. Although an error
will be raised, the command or script would still be executed
successfully.

For Debian 10 buster, this problem has been fixed in version
3.1.2-2+deb10u1.

We recommend that you upgrade your astropy packages.

For the detailed security status of astropy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/astropy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1083-1 qtbase-opensource-src security update

Package : qtbase-opensource-src
Version : 5.7.1+dfsg-3+deb9u4 (stretch)

Related CVEs :
CVE-2023-24607
CVE-2023-32763
CVE-2023-33285
CVE-2023-37369
CVE-2023-38197

Several issues have been found in qtbase-opensource-src, a collection of
several Qt modules/libraries.
The issues are related to buffer overflows, infinite loops or application
crashes due to processing of crafted input files.

ELA-1083-1 qtbase-opensource-src security update