Debian 10249 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1108-1 php5 security update

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1112-1 libvpx security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1107-1 php7.0 security update

Debian GNU/Linux 10 (Buster) LTS:
[DLA 3833-1] php7.3 security update

Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[DSA 5715-1] composer security update
[DSA 5714-1] roundcube security update



[DLA 3833-1] php7.3 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3833-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 17, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php7.3
Version : 7.3.31-1~deb10u7
CVE ID : CVE-2024-5458
Debian Bug : 1072885

PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.

Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), treat invalid user information (the
username and password part of a URL) as valid. This may lead to downstream
code accepting invalid URLs as valid and parsing them incorrectly. The
problem is related to CVE-2020-7071 but affects IPv6 host parts.

For Debian 10 buster, this problem has been fixed in version
7.3.31-1~deb10u7.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5715-1] composer security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5715-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 18, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : composer
CVE ID : CVE-2024-35241 CVE-2024-35242

Two vulnerabilities have been discovered in Composer, a dependency
manager for PHP, which could result in arbitrary command execution by
operating on malicious git/hg repositories.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.0.9-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 2.5.5-1+deb12u2.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/composer

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5714-1] roundcube security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5714-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 18, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2024-37383 CVE-2024-37384
Debian Bug : 1071474

Huy Nguyễn Phạm Nhật, together with Valentin T. and Lutz Wolf of CrowdStrike,
discovered that roundcube, a skinnable AJAX-based webmail solution for
IMAP servers, did not correctly process and sanitize requests. This
would allow an attacker to perform Cross-Site Scripting (XSS) attacks.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1.4.15+dfsg.1-1+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 1.6.5+dfsg-1+deb12u2.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1107-1 php7.0 security update

Package : php7.0
Version : 7.0.33-0+deb9u18 (stretch)

Related CVEs :
CVE-2024-5458

PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.
Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), treat invalid user information (the
username and password part of a URL) as valid. This may lead to downstream
code accepting invalid URLs as valid and parsing them incorrectly. The
problem is related to CVE-2020-7071 but affects IPv6 host parts.



ELA-1108-1 php5 security update

Package : php5
Version : 5.6.40+dfsg-0+deb8u20 (jessie)

Related CVEs :
CVE-2024-5458

PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.
Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), treat invalid user information (the
username and password part of a URL) as valid. This may lead to downstream
code accepting invalid URLs as valid and parsing them incorrectly. The
problem is related to CVE-2020-7071 but affects IPv6 host parts.
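As an added example (not code from the Debian advisories, the PHP project, or the fixed packages), the following defence-in-depth check is for applications that rely on filter_var() and cannot yet install the updates named in DLA-3833-1, ELA-1107-1 and ELA-1108-1: it keeps FILTER_VALIDATE_URL but re-validates the userinfo component explicitly against the RFC 3986 grammar, so a URL with a malformed username/password part is rejected regardless of the host form. The function name, regular expression and sample URLs are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not from the advisories or PHP itself.
 * Returns true only when $url passes FILTER_VALIDATE_URL and any userinfo
 * (user:pass@) consists solely of what RFC 3986 allows there:
 * unreserved / pct-encoded / sub-delims / ":".
 */
function validate_url_strict(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // parse_url() splits user and pass at the first ':'; a ':' inside the
    // password is legal, but both halves must match the userinfo grammar.
    $userinfo = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';
    foreach (['user', 'pass'] as $key) {
        if (isset($parts[$key]) && !preg_match($userinfo, $parts[$key])) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs for a quick self-check; the IPv6 host form is
// included because that is the case the advisories describe.
$samples = [
    'https://user:secret@[2001:db8::1]/path' => true,
    'https://user:secret@example.com/'       => true,
    'https://us er@[2001:db8::1]/'           => false, // space in userinfo
    'https://u%zz@[2001:db8::1]/'            => false, // bad pct-encoding
    'not a url'                              => false,
];
foreach ($samples as $url => $expected) {
    $ok = validate_url_strict($url) === $expected;
    printf("%s %s\n", $ok ? 'PASS' : 'FAIL', $url);
}
```

The explicit userinfo check is independent of the host part, so it rejects the malformed forms whether or not the installed PHP build still carries the filter_var logic error.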



ELA-1112-1 libvpx security update

Package : libvpx
Version : 1.3.0-3+deb8u5 (jessie), 1.6.1-3+deb9u6 (stretch)

Related CVEs :
CVE-2016-6711
CVE-2017-0393
CVE-2024-5197

Multiple vulnerabilities have been fixed in libvpx, a library for decoding and encoding VP8 and VP9 videos.
CVE-2016-6711 (vulnerability was not present in stretch)
VP8 decoder crash with invalid leading keyframes

CVE-2017-0393 (vulnerability was not present in stretch)
VP8 threading issues

CVE-2024-5197
Integer overflows
