Debian 10253 Published by

The following four security updates have been released for Debian GNU/Linux 10 LTS:

[DLA 3750-1] php-phpseclib security update
[DLA 3749-1] phpseclib security update
[DLA 3752-1] libuv1 security update
[DLA 3751-1] libapache2-mod-auth-openidc security update




[DLA 3750-1] php-phpseclib security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3750-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php-phpseclib
Version : 2.0.30-2~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in php-phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.

CVE-2024-27354

An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).

This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

When processing the ASN.1 object identifier of a certificate, a sub
identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version
2.0.30-2~deb10u3.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3749-1] phpseclib security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3749-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : phpseclib
Version : 1.0.19-3~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.

CVE-2024-27354

An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).

This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

When processing the ASN.1 object identifier of a certificate, a sub
identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version
1.0.19-3~deb10u3.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3752-1] libuv1 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3752-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 05, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libuv1
Version : 1.24.1-1+deb10u2
CVE ID : CVE-2024-24806
Debian Bug : 1063484

Improper Domain Lookup in uv_getaddrinfo() has been fixed in libuv,
an asynchronous event notification library.

For Debian 10 buster, this problem has been fixed in version
1.24.1-1+deb10u2.

We recommend that you upgrade your libuv1 packages.

For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3751-1] libapache2-mod-auth-openidc security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
March 05, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u4
CVE ID : CVE-2024-24814
Debian Bug : 1064183

It was discovered that there was a potential Denial of Service (DoS)
attack in libapache2-mod-auth-openidc, an OpenID Connect (OpenIDC)
module for the Apache web server.

Missing input validation on mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker
manipulated the value of the OpenIDC cookie to a very large integer
like 99999999, the server struggled with the request for a long time
and finally returned a 500 error. Making a few requests of this kind
caused servers to become unresponsive, and so attackers could thereby
craft requests that would make the server work very hard and/or crash
with minimal effort.

For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS