Debian 10249 Published by

The following security updates have been released for Debian GNU/Linux:

[DLA 3725-1] postfix security update
[DLA 3726-1] bind9 security update
[DSA 5611-1] glibc security update
ELA-1038-1 openssh security update
ELA-1037-1 squid3 security update
ELA-1036-1 jasper security update




[DLA 3725-1] postfix security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3725-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 30, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : postfix
Version : 3.4.23-0+deb10u2
CVE ID : CVE-2023-51764
Debian Bug : 1059230

Postfix, a popular mail server,
allowed SMTP smuggling unless configured with
smtpd_data_restrictions=reject_unauth_pipelining
and smtpd_discard_ehlo_keywords=chunking
(or certain other options that exist in recent versions).

Remote attackers can use a published exploitation technique to
inject e-mail messages with a spoofed MAIL FROM address,
allowing bypass of an SPF protection mechanism.

This occurs because Postfix supported . but
some other popular e-mail servers do not.

To prevent attack variants (by always disallowing without ),
a different solution is required, such as setting the backported
configuration option smtpd_forbid_bare_newline=yes

For Debian 10 buster, this problem has been fixed in version
3.4.23-0+deb10u2.

We recommend that you upgrade your postfix packages.

For the detailed security status of postfix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postfix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3726-1] bind9 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3726-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 30, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : bind9
Version : 1:9.11.5.P4+dfsg-5.1+deb10u10
CVE ID : CVE-2023-3341

An issue has been discovered in BIND, a DNS server implementation.

A stack exhaustion flaw was discovered in the control channel code
which may result in denial of service (named daemon crash).

For Debian 10 buster, this problem has been fixed in version
1:9.11.5.P4+dfsg-5.1+deb10u10.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5611-1] glibc security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5611-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : glibc
CVE ID : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780

The Qualys Research Labs discovered several vulnerabilities in the GNU C
Library's __vsyslog_internal() function (called by syslog() and
vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one
heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780)
can be exploited for privilege escalation or denial of service.

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/01/30/syslog

Additionally a memory corruption was discovered in the glibc's qsort()
function, due to missing bounds check and when called by a program
with a non-transitive comparison function and a large number of
attacker-controlled elements. As the use of qsort() with a
non-transitive comparison function is undefined according to POSIX and
ISO C standards, this is not considered a vulnerability in the glibc
itself. However the qsort() implementation was hardened against
misbehaving callers.

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/01/30/qsort

For the stable distribution (bookworm), these problems have been fixed in
version 2.36-9+deb12u4.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1038-1 openssh security update

Package : openssh
Version : 1:7.4p1-10+deb9u9 (stretch)

Related CVEs :
CVE-2021-41617
CVE-2023-48795
CVE-2023-51385

Several vulnerabilities have been discovered in OpenSSH, an implementation of
the SSH protocol suite.

CVE-2021-41617
It was discovered that sshd failed to correctly initialise supplemental
groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the command
as a different user. Instead these commands would inherit the groups that
sshd was started with.

CVE-2023-48795
Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH
protocol is prone to a prefix truncation attack, known as the "Terrapin
attack". This attack allows a MITM attacker to effect a limited break of the
integrity of the early encrypted SSH transport protocol by sending extra
messages prior to the commencement of encryption, and deleting an equal
number of consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

CVE-2023-51385
It was discovered that if an invalid user or hostname that contained shell
metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
directive or "match exec" predicate referenced the user or hostname via
expansion tokens, then an attacker who could supply arbitrary
user/hostnames to ssh could potentially perform command injection. The
situation could arise in case of git repositories with submodules, where the
repository could contain a submodule with shell characters in its user or
hostname.

ELA-1038-1 openssh security update


ELA-1037-1 squid3 security update

Package : squid3
Version : 3.5.23-5+deb8u7 (jessie), 3.5.23-5+deb9u10 (stretch)

Related CVEs :
CVE-2023-46847
CVE-2023-49285
CVE-2023-49286
CVE-2023-50269
CVE-2024-23638

Several security vulnerabilities have been discovered in Squid, a full featured
web proxy cache. Due to programming errors in Squid’s HTTP request parsing,
remote attackers may be able to execute a denial of service attack by sending
large X-Forwarded-For header or trigger a stack buffer overflow while
performing HTTP Digest authentication. Other issues facilitate a denial of
service attack against Squid’s Helper process management. In regard to
CVE-2023-46728: Please note that support for the Gopher protocol has simply
been removed in future Squid versions. There is no fix available. We recommend
to reject all gopher URL requests instead.

ELA-1037-1 squid3 security update


ELA-1036-1 jasper security update

Package : jasper
Version : 1.900.1-debian1-2.4+deb8u12 (jessie)

Related CVEs :
CVE-2023-51257

An issue has been found in jasper, a library and programs for manipulating JPEG-2000 files.
The issue is about an invalid memory write which might allow a local attacker to execute arbitrary code.

ELA-1036-1 jasper security update