
Debian GNU/Linux has been updated with security enhancements, including updates for pam-u2f and python-aiohttp for Debian 11 LTS and openjdk-17 for Debian 12:

[DLA 4040-1] pam-u2f security update
[DLA 4041-1] python-aiohttp security update
[DSA 5857-1] openjdk-17 security update




[SECURITY] [DLA 4040-1] pam-u2f security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4040-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
February 03, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pam-u2f
Version : 1.1.0-1.1+deb11u1
CVE ID : CVE-2025-23013

Matthias Gerstner reported that pam-u2f, a PAM module which allows the use
of U2F (Universal 2nd Factor) devices in the PAM authentication stack,
does not properly handle PAM_IGNORE return values, allowing the second
factor or password-less login to be bypassed without inserting the proper
device.

For Debian 11 bullseye, this problem has been fixed in version
1.1.0-1.1+deb11u1.

We recommend that you upgrade your pam-u2f packages.

For the detailed security status of pam-u2f please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pam-u2f

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4041-1] python-aiohttp security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4041-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Jochen Sprickerhof
February 03, 2025                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-aiohttp
Version : 3.7.4-1+deb11u1
CVE ID : CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082
CVE-2024-23334 CVE-2024-23829 CVE-2024-27306 CVE-2024-30251
CVE-2024-52304
Debian Bug :

Several issues have been found in aiohttp, an asynchronous HTTP
client/server framework for asyncio and Python. Those issues are related
to the HTTP parser, link traversal and XSS on the index pages.

CVE-2023-47627

The HTTP parser in AIOHTTP has numerous problems with header
parsing, which could lead to request smuggling. This parser is only
used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt
wheel).

CVE-2023-47641

Affected versions of aiohttp have a security vulnerability regarding
the inconsistent interpretation of the HTTP protocol. HTTP/1.1 is a
persistent protocol; if both Content-Length (CL) and
Transfer-Encoding (TE) header values are present, it can lead to
incorrect interpretation by two entities that parse the HTTP, and we
can poison other sockets with this incorrect interpretation. A
possible Proof-of-Concept (POC) would be a configuration with a
reverse proxy (frontend) that accepts both CL and TE headers and
aiohttp as backend. As aiohttp parses anything with chunked, we can
pass a chunked123 as TE; the frontend entity will ignore this header
and will parse Content-Length. The impact of this vulnerability is
that it is possible to bypass any proxy rule, poisoning sockets of
other users, e.g. passing Authentication Headers; also, if an Open
Redirect is present, an attacker could combine it to redirect random
users to another website and log the request.

CVE-2023-49081

Improper validation made it possible for an attacker to modify the
HTTP request (e.g. to insert a new header) or create a new HTTP
request if the attacker controls the HTTP version. The vulnerability
only occurs if the attacker can control the HTTP version of the
request.

CVE-2023-49082

Improper validation makes it possible for an attacker to modify the
HTTP request (e.g. insert a new header) or even create a new HTTP
request if the attacker controls the HTTP method. The vulnerability
occurs only if the attacker can control the HTTP method (GET, POST
etc.) of the request. If the attacker can control the HTTP version
of the request it will be able to modify the request (request
smuggling).

CVE-2024-23334

When using aiohttp as a web server and configuring static routes, it
is necessary to specify the root path for static files.
Additionally, the option 'follow_symlinks' can be used to determine
whether to follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no validation to
check if reading a file is within the root directory. This can lead
to directory traversal vulnerabilities, resulting in unauthorized
access to arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy are
encouraged mitigations.

CVE-2024-23829

Security-sensitive parts of the Python HTTP parser retained minor
differences in allowable character sets, that must trigger error
handling to robustly match frame boundaries of proxies in order to
protect against injection of additional requests. Additionally,
validation could trigger exceptions that were not handled
consistently with processing of other malformed input. Being more
lenient than internet standards require could, depending on
deployment environment, assist in request smuggling. The unhandled
exception could cause excessive resource consumption on the
application server and/or its logging facilities.

CVE-2024-27306

An XSS vulnerability exists on index pages for static file handling.

CVE-2024-30251

In affected versions an attacker can send a specially crafted POST
(multipart/form-data) request. When the aiohttp server processes
it, the server will enter an infinite loop and be unable to process
any further requests. An attacker can stop the application from
serving requests after sending a single request.

CVE-2024-52304

The Python parser parses newlines in chunk extensions incorrectly
which can lead to request smuggling vulnerabilities under certain
conditions. If a pure Python version of aiohttp is installed (i.e.
without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is
enabled, then an attacker may be able to execute a request smuggling
attack to bypass certain firewalls or proxy protections.

For Debian 11 bullseye, these problems have been fixed in version
3.7.4-1+deb11u1.

We recommend that you upgrade your python-aiohttp packages.

For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
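A strict message-framing check of the kind a front-end proxy or test harness can apply against the CL/TE ambiguity described under CVE-2023-47641 and the lenient-parser issues under CVE-2023-47627, CVE-2024-23829 and CVE-2024-52304. This is an added example, not the advisory's or aiohttp's own code; the host name and the sample header blocks are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 framing check for a front-end or test harness (added example,
not part of the Debian advisory or of aiohttp). It applies the RFC 7230 s3.3.3
rules whose lenient handling the advisory describes: both Transfer-Encoding and
Content-Length present, or a final transfer coding other than exactly "chunked"
(e.g. "chunked123"), makes framing ambiguous and should be rejected at the edge
rather than left for each hop to guess at."""
from typing import Dict, List


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw header block into lower-cased name -> [values]; reject malformed lines."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():  # no colon, or whitespace before it
            raise ValueError(f"malformed header line: {line!r}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip().decode("ascii"))
    return headers


def framing_error(headers: Dict[str, List[str]]) -> str:
    """Return "" if message framing is unambiguous, else the reason to reject."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"
    if te:
        # Flatten "gzip, chunked" style lists; only a final "chunked" is acceptable.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return f"final transfer coding is not 'chunked': {codings[-1]!r}"
    if len(set(cl)) > 1:
        return "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return "non-numeric Content-Length"
    return ""


def check_request(raw: bytes) -> str:
    """Parse a header block and return the rejection reason ("" if clean)."""
    try:
        return framing_error(parse_headers(raw))
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return str(exc)


# Constructed samples (not captured traffic); the first is the chunked123 case.
SAMPLE_AMBIGUOUS = b"Host: example.test\r\nTransfer-Encoding: chunked123\r\nContent-Length: 4\r\n"
SAMPLE_CLEAN = b"Host: example.test\r\nTransfer-Encoding: chunked\r\n"
```

`check_request(SAMPLE_AMBIGUOUS)` returns the rejection reason for the CL+TE conflict, while `SAMPLE_CLEAN` returns an empty string.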



[SECURITY] [DSA 5857-1] openjdk-17 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-5857-1                  security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
February 03, 2025                    https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-17
CVE ID : CVE-2025-21502

A vulnerability has been discovered in the OpenJDK Java runtime, which
may result in authorisation bypass or information disclosure.

For the stable distribution (bookworm), this problem has been fixed in
version 17.0.14+7-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/