Debian 10236 Published by

Debian GNU/Linux has received multiple security updates, which include pypy3, mpg123, php8.2, and python3.7:

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1244-1 python3.7 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3966-1] pypy3 security update
[DLA 3967-1] mpg123 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5819-1] php8.2 security update




[SECURITY] [DLA 3966-1] pypy3 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3966-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
November 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pypy3
Version : 7.3.5+dfsg-2+deb11u4
CVE ID : CVE-2020-10735 CVE-2020-29651 CVE-2021-3737 CVE-2021-28861
CVE-2022-0391 CVE-2022-45061 CVE-2023-27043 CVE-2024-9287

Multiple vulnerabilities have been fixed in pypy3, an alternative
implementation of the Python 3.x language.

CVE-2020-10735

A flaw was found in Python. In algorithms with quadratic time
complexity using non-binary bases, when using int("text"), a system
could take 50ms to parse an int string with 100,000 digits and 5s
for 1,000,000 digits (float, decimal, int.from_bytes(), and int()
for binary bases 2, 4, 8, 16, and 32 are not affected). The highest
threat from this vulnerability is to system availability.

CVE-2020-29651

A denial of service via regular expression in the py.path.svnwc
component of py (aka python-py) through 1.9.0 could be used by
attackers to cause a compute-time denial of service attack by
supplying malicious input to the blame functionality.
python-py is a part of the pypy3 distribution.

CVE-2021-3737

A flaw was found in Python. An improperly handled HTTP response in the
HTTP client code of Python may allow a remote attacker, who controls
the HTTP server, to make the client script enter an infinite loop,
consuming CPU time. The highest threat from this vulnerability is
to system availability.

CVE-2021-28861

Python has an open redirection vulnerability in lib/http/server.py
due to no protection against multiple (/) at the beginning of the URI
path, which may lead to information disclosure.
NOTE: this is disputed by a third party because the http.server.html
documentation page states "Warning: http.server is not recommended
for production. It only implements basic security checks."

CVE-2022-0391

A flaw was found in Python within the urllib.parse module. This
module helps break Uniform Resource Locator (URL) strings into
components. The issue involves how the urlparse method does not
sanitize input and allows characters like '\r' and '\n' in the URL
path. This flaw allows an attacker to input a crafted URL, leading
to injection attacks.

CVE-2022-45061

An unnecessary quadratic algorithm exists in one path when processing
some inputs to the IDNA (RFC 3490) decoder, such that a crafted,
unreasonably long name being presented to the decoder could lead to a
CPU denial of service. Hostnames are often supplied by remote servers
that could be controlled by a malicious actor; in such a scenario,
they could trigger excessive CPU consumption on the client attempting
to make use of an attacker-supplied supposed hostname. For example,
the attack payload could be placed in the Location header of an HTTP
response with status code 302.

CVE-2023-27043

The email module of Python incorrectly parses e-mail addresses that
contain a special character. The wrong portion of an RFC2822 header
is identified as the value of the addr-spec. In some applications,
an attacker can bypass a protection mechanism in which application
access is granted only after verifying receipt of e-mail to a
specific domain (e.g., only @company.example.com addresses may
be used for signup). This occurs in email/_parseaddr.py.

CVE-2024-9287

A vulnerability has been found in the `venv` module and CLI where
path names provided when creating a virtual environment were not
quoted properly, allowing the creator to inject commands into virtual
environment "activation" scripts (ie "source venv/bin/activate"). This
means that attacker-controlled virtual environments are able to
run commands when the virtual environment is activated. Virtual
environments which are not created by an attacker or which aren't
activated before being used (ie "./venv/bin/python") are not
affected.

For Debian 11 bullseye, these problems have been fixed in version
7.3.5+dfsg-2+deb11u4.

We recommend that you upgrade your pypy3 packages.

For the detailed security status of pypy3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pypy3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3967-1] mpg123 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3967-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
November 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : mpg123
Version : 1.26.4-1+deb11u1
CVE ID : CVE-2024-10573
Debian Bug : 1086443

mpg123, a popular MPEG layer 1/2/3 audio player, was affected
by a vulnerability.

An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

For Debian 11 bullseye, this problem has been fixed in version
1.26.4-1+deb11u1.

We recommend that you upgrade your mpg123 packages.

For the detailed security status of mpg123 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mpg123

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5819-1] php8.2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5819-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 26, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php8.2
CVE ID : CVE-2024-8929 CVE-2024-8932 CVE-2024-11233 CVE-2024-11234
CVE-2024-11236

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in denial of
service, CRLF injection or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 8.2.26-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1244-1 python3.7 security update

Package : python3.7
Version : 3.7.3-2+deb10u9 (buster)

Related CVEs :
CVE-2023-27043
CVE-2024-6232
CVE-2024-6923
CVE-2024-7592
CVE-2024-9287
CVE-2024-11168

Multiple vulnerabilities were found in python3.7, an interactive high-level
object-oriented language.

CVE-2023-27043:
The email module of Python
incorrectly parsed e-mail addresses that contain
a special character. The wrong portion of an
RFC2822 header was identified as the value of the addr-spec.
In some applications, an attacker could bypass a protection
mechanism in which application access is granted only after
verifying receipt of e-mail to a specific domain (e.g.,
only @company.example.com addresses may be used for signup).

CVE-2024-6232:
Regular expressions that allowed excessive
backtracking during tarfile.TarFile header parsing were vulnerable
to ReDoS via specifically-crafted tar archives.

CVE-2024-6923:
The email module didn’t properly quote
newlines for email headers when serializing an email message,
allowing for header injection when an email is serialized.

CVE-2024-7592:
When parsing cookies that contained
backslashes for quoted characters in the cookie value,
the parser would use an algorithm with quadratic complexity,
resulting in excess CPU resources being used while parsing
the value.

CVE-2024-9287:
A vulnerability has been found in the `venv`
module and CLI where path names provided when creating a
virtual environment were not quoted properly, allowing the
creator to inject commands into virtual environment "activation"
scripts (ie "source venv/bin/activate").

CVE-2024-11168:
The urllib.parse.urlsplit() and urlparse()
functions improperly validated bracketed hosts (`[]`),
allowing hosts that weren't IPv6 or IPvFuture. This behavior
was not conformant to RFC 3986 and potentially enabled SSRF
if a URL is processed by more than one URL parser.
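CVE-2022-0391 (in the pypy3 advisory above) and CVE-2024-11168 here are both input-validation gaps in urllib.parse. The following check is an added example, not code from the Debian advisories or from CPython: a hypothetical `validate_url()` helper that vets an untrusted http(s) URL in front of urlsplit(), rejecting control characters in the raw string and bracketed hosts that are not IPv6 or IPvFuture literals, so the result is the same on patched and unpatched interpreters.

```python
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" HEXDIG+ "." ( unreserved / sub-delims / ":" )+
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")


def validate_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for an http(s) URL taken from an untrusted source.

    The raw string is checked first: an unpatched urlparse let CR/LF through
    (CVE-2022-0391) and a patched one silently strips them, so the parsed
    result alone never reveals that the input carried a header-injection payload.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "control character (e.g. CR/LF/TAB) in URL"
    try:
        parts = urlsplit(url)
        _ = parts.port                 # raises ValueError on a non-numeric port
    except ValueError as exc:          # patched Pythons also reject bad brackets here
        return False, f"parser rejected URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, "scheme is not http or https"
    hostport = parts.netloc.rpartition("@")[2]   # drop any userinfo
    if hostport.startswith("["):
        inner, closed, rest = hostport[1:].partition("]")
        if not closed or (rest and not re.fullmatch(r":\d*", rest)):
            return False, "malformed bracketed host"
        # CVE-2024-11168: brackets may only hold an IPv6 or IPvFuture literal;
        # anything else (a DNS name, an IPv4 address) is rejected.
        if not _IPVFUTURE.fullmatch(inner):
            try:
                ipaddress.IPv6Address(inner)
            except ValueError:
                return False, "bracketed host is not an IPv6 or IPvFuture literal"
    elif "[" in hostport or "]" in hostport:
        return False, "stray bracket in host"
    if not parts.hostname:
        return False, "empty host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs (not from the advisories).
    for sample in ("http://example.com/path", "http://[2001:db8::1]:8080/",
                   "http://example.com/\r\nX-Injected: 1", "http://[example.com]/",
                   "http://[127.0.0.1]/"):
        print(repr(sample), "->", validate_url(sample))
```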
