Debian 10253 Published by

Debian GNU/Linux has received multiple security updates, encompassing twisted, redis, tzdata, firefox-esr, unbound1.9, icinga2, redis, libmodule-scandeps-perl, mpg123, and tzdata:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1253-1 redis security update
ELA-1252-1 libmodule-scandeps-perl security update
ELA-1249-1 tzdata new timezone database

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1248-1 twisted security update
ELA-1255-1 unbound1.9 security update
ELA-1251-1 mpg123 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1247-1 twisted security update
ELA-1254-1 icinga2 security update
ELA-1250-1 mpg123 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3969-1] thunderbird security update
[DLA 3970-1] twisted security update
[DLA 3973-1] redis security update
[DLA 3972-1] tzdata new timezone database
[DLA 3971-1] firefox-esr security update



[SECURITY] [DLA 3969-1] thunderbird security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3969-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:128.5.0esr-1~deb11u1
CVE ID : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696
CVE-2024-11697 CVE-2024-11699

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:128.5.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3970-1] twisted security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3970-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
November 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : twisted
Version : 20.3.0-7+deb11u2
CVE ID : CVE-2022-39348 CVE-2023-46137 CVE-2024-41671 CVE-2024-41810
Debian Bug : 1023359 1054913 1077679 1077680

Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.

CVE-2022-39348

When the host header does not match a configured host
`twisted.web.vhost.NameVirtualHost` will return a `NoResource`
resource which renders the Host header unescaped into the 404
response allowing HTML and script injection. In practice this
should be very difficult to exploit as being able to modify the
Host header of a normal HTTP request implies that one is already
in a privileged position.

CVE-2023-46137

When sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the
response order. If one of the endpoints is controlled by an
attacker, the attacker can delay the response on purpose to
manipulate the response of the second request when a victim
launched two requests using HTTP pipeline.

CVE-2024-41671

The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in
information disclosure.

CVE-2024-41810

The `twisted.web.util.redirectTo` function contains an HTML
injection vulnerability. If application code allows an attacker to
control the redirect URL this vulnerability may result in
Reflected Cross-Site Scripting (XSS) in the redirect response HTML
body.

For Debian 11 bullseye, these problems have been fixed in version
20.3.0-7+deb11u2.

We recommend that you upgrade your twisted packages.

For the detailed security status of twisted please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twisted

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1248-1 twisted security update

Package : twisted
Version : 16.6.0-2+deb9u5 (stretch)

Related CVEs :
CVE-2024-41671
CVE-2024-41810

Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.

CVE-2024-41671
The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in
information disclosure.


CVE-2024-41810
The twisted.web.util.redirectTo function contains an HTML
injection vulnerability. If application code allows an attacker to
control the redirect URL this vulnerability may result in
Reflected Cross-Site Scripting (XSS) in the redirect response HTML
body.

ELA-1248-1 twisted security update


ELA-1247-1 twisted security update

Package : twisted
Version : 18.9.0-3+deb10u3 (buster)

Related CVEs :
CVE-2023-46137
CVE-2024-41671
CVE-2024-41810

Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.

CVE-2023-46137
When sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the
response order. If one of the endpoints is controlled by an
attacker, the attacker can delay the response on purpose to
manipulate the response of the second request when a victim
launched two requests using HTTP pipeline.

CVE-2024-41671
The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in
information disclosure.

CVE-2024-41810
The twisted.web.util.redirectTo function contains an HTML
injection vulnerability. If application code allows an attacker to
control the redirect URL this vulnerability may result in
Reflected Cross-Site Scripting (XSS) in the redirect response HTML
body.

ELA-1247-1 twisted security update


[SECURITY] [DLA 3973-1] redis security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3973-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
November 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : redis
Version : 5:6.0.16-1+deb11u4
CVE ID : CVE-2022-35977 CVE-2024-31228
Debian Bug : 1084805

Multiple vulnerabilities have been fixed in the key–value database Redis.

CVE-2022-35977

integer overflows in SETRANGE and SORT

CVE-2024-31228

unbounded pattern matching DoS

For Debian 11 bullseye, these problems have been fixed in version
5:6.0.16-1+deb11u4.

We recommend that you upgrade your redis packages.

For the detailed security status of redis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/redis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3972-1] tzdata new timezone database


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3972-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : tzdata
Version : 2024b-0+deb11u1

This update includes the changes in tzdata 2024b. Notable changes are:

- - Updated leap second list, which was set to expire by the end of
December.
- - Correction of historical data for Mexico, Mongolia and Portugal.

For Debian 11 bullseye, this problem has been fixed in version
2024b-0+deb11u1.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3971-1] firefox-esr security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3971-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : firefox-esr
Version : 128.5.0esr-1~deb11u1
CVE ID : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695 CVE-2024-11696
CVE-2024-11697 CVE-2024-11699

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, spoofing or cross-site scripting.

For Debian 11 bullseye, these problems have been fixed in version
128.5.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1255-1 unbound1.9 security update

Package : unbound1.9
Version : 1.9.0-2+deb10u2~deb9u5 (stretch)

Related CVEs :
CVE-2024-8508
CVE-2024-43167
CVE-2024-43168

Multiple vulnerabilities were discovered in unbound, a validating,
recursive, caching DNS resolver.

CVE-2024-8508
When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167
A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168
A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1255-1 unbound1.9 security update


ELA-1254-1 icinga2 security update

Package : icinga2
Version : 2.10.3-2+deb10u2 (buster)

Related CVEs :
CVE-2020-29663
CVE-2021-32739
CVE-2021-32743
CVE-2021-37698
CVE-2024-49369

Multiple vulnerabilities were discovered in iconga2, a general-purpose
monitoring application.

CVE-2020-29663
An issue was discovered where revoked certificates due for renewal were
automatically be renewed, ignoring the CRL.

CVE-2021-32739
A vulnerability was discovered that may allow privilege escalation for
authenticated API users. With a read-only user's credentials, an attacker can
view most attributes of all config objects including `ticket_salt` of
`ApiListener`. This salt is enough to compute a ticket for every possible
common name (CN). A ticket, the master node's certificate, and a self-signed
certificate are enough to successfully request the desired certificate from
Icinga. That certificate may in turn be used to steal an endpoint or API user's
identity.

CVE-2021-32743
Some of the Icinga 2 features that require credentials for external
services expose those credentials through the API to authenticated API users
with read permissions for the corresponding object types. IdoMysqlConnection
and IdoPgsqlConnection (every released version) exposes the password of the
user used to connect to the database. ElasticsearchWriter (added in 2.8.0)
exposes the password used to connect to the Elasticsearch server. An attacker
who obtains these credentials can impersonate Icinga to these services and add,
modify and delete information there.

CVE-2021-37698
ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do
not verify the server's certificate despite a certificate authority being
specified. Instances which connect to any of the mentioned time series
databases (TSDBs) using TLS over a spoofable infrastructure should change the
credentials (if any) used by the TSDB writer feature to authenticate against
the TSDB.

CVE-2024-49369
The TLS certificate validation in all Icinga 2 versions starting from
2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster
nodes as well as any API users that use TLS client certificates for
authentication (ApiUser objects with the `client_cn` attribute set).

ELA-1254-1 icinga2 security update


ELA-1253-1 redis security update

Package : redis
Version : 2:2.8.17-1+deb8u13 (jessie), 3:3.2.6-3+deb9u13 (stretch), 5:5.0.14-1+deb10u6 (buster)

Related CVEs :
CVE-2022-35977
CVE-2022-36021
CVE-2023-25155
CVE-2024-31228
CVE-2024-31449

Multiple vulnerabilities have been fixed in the key–value database Redis.

CVE-2022-35977
integer overflows in SETRANGE and SORT

CVE-2022-36021 (jessie, stretch)
string pattern matching DoS

CVE-2023-25155
SRANDMEMBER integer overflow

CVE-2024-31228
unbounded pattern matching DoS

CVE-2024-31449 (stretch)
Lua bit library stack overflow

ELA-1253-1 redis security update


ELA-1252-1 libmodule-scandeps-perl security update

Package : libmodule-scandeps-perl
Version : 1.16-1+deb8u1 (jessie), 1.23-1+deb9u1 (stretch), 1.27-1+deb10u1 (buster)

Related CVEs :
CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl,
a Perl module to recursively scan Perl code for dependencies, allows an
attacker to execute arbitrary shell commands via specially crafted file
names.
Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

ELA-1252-1 libmodule-scandeps-perl security update


ELA-1251-1 mpg123 security update

Package : mpg123
Version : 1.23.8-1+deb9u1 (stretch)

Related CVEs :

CVE-2017-9545
CVE-2017-10683
CVE-2017-12797
CVE-2017-12839
CVE-2024-10573

mpg123 a popular MPEG layer 1/2/3 audio player was affected
by multiple vulnerabilities.

CVE-2017-9545
The next_text function allowed remote attackers to cause a
Denial Of Service (buffer over-read) via a crafted mp3 file.

CVE-2017-10683
A heap-based buffer over-read was found in the convert_latin1 function.
A crafted input will lead to a remote denial of service attack.

CVE-2017-12797
An Integer Overflow was found in the INT123_parse_new_id3 function
in the ID3 parser in mpg123 on 32-bit platforms. This vulnerability
allowed remote attackers to cause a denial of service via a crafted
file, which triggers a heap-based buffer overflow.

CVE-2017-12839
A heap-based buffer over-read was found in the getbits function.
This vulnerability allowed a remote attackers to cause
a possible denial-of-service (out-of-bounds read) via a
crafted mp3 file.

CVE-2024-10573
An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1251-1 mpg123 security update


ELA-1250-1 mpg123 security update

Package : mpg123
Version : 1.25.10-2+deb10u1 (buster)

Related CVEs :
CVE-2024-10573

mpg123 a popular MPEG layer 1/2/3 audio player was affected
by a vulnerability.
An out-of-bounds write flaw was found in mpg123 when handling crafted
streams. When decoding PCM, the libmpg123 may write past the end
of a heap-located buffer. Consequently, heap corruption may happen.

ELA-1250-1 mpg123 security update


ELA-1249-1 tzdata new timezone database

Package : tzdata
Version : 2024b-0+deb8u1 (jessie), 2024b-0+deb9u1 (stretch), 2024b-0+deb10u1 (buster)

This update includes the changes in tzdata 2024b. Notable
changes are:

Updated leap second list, which was set to expire by the end of
December.
Correction of historical data for Mexico, Mongolia and Portugal.

ELA-1249-1 tzdata new timezone database