Debian 10158 Published by

The following security updates have been released for Debian GNU/Linux 11 (Bullseye):

[SECURITY] [DLA 3858-1] ruby2.7 security update
[SECURITY] [DLA 3860-1] dovecot security update
[SECURITY] [DLA 3859-1] systemd security update
[SECURITY] [DLA 3861-1] exfatprogs security update
[SECURITY] [DLA 3863-1] nbconvert security update
[SECURITY] [DLA 3865-1] frr security update
[SECURITY] [DLA 3864-1] webkit2gtk security update
[SECURITY] [DLA 3862-1] calibre security update




[SECURITY] [DLA 3858-1] ruby2.7 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3858-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
September 02, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ruby2.7
Version : 2.7.4-1+deb11u2
CVE ID : CVE-2021-33621 CVE-2022-28739 CVE-2023-28755 CVE-2023-28756
CVE-2023-36617 CVE-2024-27280 CVE-2024-27281 CVE-2024-27282
Debian Bug : 1009957 1024799 1038408 1067802 1069966 1069968

Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, and remote code execution.

CVE-2021-33621

The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.

CVE-2022-28739

Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.

CVE-2023-28755

A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.

CVE-2023-28756

A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid URLs that have specific characters. It
causes an increase in execution time for parsing strings to Time
objects.

CVE-2023-36617

Follow-up fix for CVE-2023-28755.

CVE-2024-27280

A buffer-overread issue was discovered in StringIO. The ungetbyte
and ungetc methods on a StringIO can read past the end of a
string, and a subsequent call to StringIO.gets may return the
memory value.

CVE-2024-27281

When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)

CVE-2024-27282

If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u2.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3860-1] dovecot security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3860-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
September 02, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : dovecot
Version : 1:2.3.13+dfsg1-2+deb11u2
CVE ID : CVE-2024-23184 CVE-2024-23185
Debian Bug : 1078876 1078877

Vulnerabilities were discovered in dovecot, an POP3/IMAP server, which
could lead to Denial of Service.

CVE-2024-23184

Having a large number of address headers (From, To, Cc, Bcc, etc.)
becomes excessively CPU intensive.

CVE-2024-23185

Very large headers can cause resource exhaustion when parsing
message.

For Debian 11 bullseye, these problems have been fixed in version
1:2.3.13+dfsg1-2+deb11u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3859-1] systemd security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3859-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 02, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : systemd
Version : 247.3-7+deb11u6
CVE ID : CVE-2023-7008 CVE-2023-50387 CVE-2023-50868
Debian Bug : 1059278

Multiple vulnerabilities have been fixed in systemd, the default init
system in Debian, when using systemd-resolved with DNSSEC.

CVE-2023-7008

Don't accept records of DNSSEC-signed domains when they have no signature.

CVE-2023-50387

DNSSEC denial of service (CPU consumption)

CVE-2023-50868

DNSSEC denial of service (CPU consumption)

For Debian 11 bullseye, these problems have been fixed in version
247.3-7+deb11u6.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3861-1] exfatprogs security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3861-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 02, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : exfatprogs
Version : 1.1.0-1+deb11u1
CVE ID : CVE-2023-45897

An out-of-bounds write has been fixed in the fsck.exfat tool that checks
and repairs exFAT filesystems.

For Debian 11 bullseye, this problem has been fixed in version
1.1.0-1+deb11u1.

We recommend that you upgrade your exfatprogs packages.

For the detailed security status of exfatprogs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exfatprogs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3863-1] nbconvert security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3863-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
September 02, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nbconvert
Version : 5.6.1-3+deb11u1
CVE ID : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to
exploit a cross-site scripting vulnerability in nbconvert, a tool and
library used to convert notebooks to various other formats via Jinja
templates.

When using nbconvert to generate an HTML version of a user-controllable
notebook, it is possible to inject arbitrary HTML which may lead to
cross-site scripting (XSS) vulnerabilities if these HTML notebooks are
served by a web server without tight Content-Security-Policy (e.g.,
nbviewer).

* GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
* GHSL-2021-1014: XSS in notebook.metadata.title;
* GHSL-2021-1015: XSS in notebook.metadata.widgets;
* GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
* GHSL-2021-1017: XSS in output data text/html cells;
* GHSL-2021-1018: XSS in output data image/svg+xml cells;
* GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
* GHSL-2021-1020: XSS in output data text/markdown cells;
* GHSL-2021-1021: XSS in output data application/javascript cells;
* GHSL-2021-1022: XSS in output.metadata.filenames image/png and
image/jpeg;
* GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
* GHSL-2021-1024: XSS in output.metadata.width/height image/png and
image/jpeg;
* GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+
json cells;
* GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+
json cells;
* GHSL-2021-1027: XSS in raw cells; and
* GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and
-1028, are actually design decisions where text/html, text/markdown,
application/JavaScript and markdown cells should allow for arbitrary
JavaScript code execution. These vulnerabilities are therefore left open
by default, but users can now opt-out and strip down all JavaScript
elements via a new HTMLExporter option `sanitize_html`.

For Debian 11 bullseye, this problem has been fixed in version
5.6.1-3+deb11u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3865-1] frr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3865-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : frr
Version : 7.5.1-1.1+deb11u3
CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128
CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407
CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
CVE-2024-31948 CVE-2024-31949 CVE-2024-44070
Debian Bug : 1008010 1016978 1055852 1079649

Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packages to potentially trigger
those effects: buffer overflows with the possibility to gain remote code
execution, buffer overreads, crashes or trick the software to enter an
infinite loop.

CVE-2022-26125

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the input packet length in isisd/isis_tlvs.c.

CVE-2022-26126

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
the use of strdup with a non-zero-terminated binary string in
isis_nb_notifications.c.

CVE-2022-26127

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
missing a check on the input packet length in the babel_packet_examin
function in babeld/message.c.

CVE-2022-26128

A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
a wrong check on the input packet length in the babel_packet_examin
function in babeld/message.c.

CVE-2022-26129

Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the subtlv length in the functions, parse_hello_subtlv,
parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

CVE-2022-37035

An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-38406

bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
length of zero, aka a "flowspec overflow."

CVE-2023-38407

bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
the end of the stream during labeled unicast parsing.

CVE-2023-46752

An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
malformed MP_REACH_NLRI data, leading to a crash.

CVE-2023-46753

An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur for a crafted BGP UPDATE message without mandatory attributes,
e.g., one with only an unknown transit attribute.

CVE-2023-47234

An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.

CVE-2023-47235

An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when a malformed BGP UPDATE message with an EOR is processed,
because the presence of EOR does not lead to a treat-as-withdraw
outcome.

CVE-2024-31948

In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

CVE-2024-31949

In FRRouting (FRR) through 9.1, an infinite loop can occur when
receiving a MP/GR capability as a dynamic capability because malformed
data results in a pointer not advancing.

CVE-2024-44070

An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap
in bgpd/bgp_attr.c does not check the actual remaining stream length
before taking the TLV value.

For Debian 11 bullseye, these problems have been fixed in version
7.5.1-1.1+deb11u3.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3864-1] webkit2gtk security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3864-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
September 02, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.44.3-1~deb11u1
CVE ID : CVE-2024-4558 CVE-2024-40776 CVE-2024-40779 CVE-2024-40780
CVE-2024-40782 CVE-2024-40785 CVE-2024-40789 CVE-2024-40794

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-4558

An anonymous researcher discovered that processing maliciously
crafted web content may lead to an unexpected process crash.

CVE-2024-40776

Huang Xilin discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2024-40779

Huang Xilin discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2024-40780

Huang Xilin dicovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2024-40782

Maksymilian Motyl discovered that processing maliciously crafted
web content may lead to an unexpected process crash.

CVE-2024-40785

Johan Carlsson discovered that processing maliciously crafted web
content may lead to a cross site scripting attack.

CVE-2024-40789

Seunghyun Lee discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2024-40794

Matthew Butler discovered that private Browsing tabs may be
accessed without authentication.

For Debian 11 bullseye, these problems have been fixed in version
2.44.3-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3862-1] calibre security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3862-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 02, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : calibre
Version : 5.12.0+dfsg-1+deb11u3
CVE ID : CVE-2021-44686 CVE-2023-46303
Debian Bug :

Two vulnerabilities have been fixed in the e-book manager Calibre.

CVE-2021-44686

Regular Expression Denial of Service

CVE-2023-46303

HTML Input: Don't add resources that exist outside the document root
by default

For Debian 11 bullseye, these problems have been fixed in version
5.12.0+dfsg-1+deb11u3.

We recommend that you upgrade your calibre packages.

For the detailed security status of calibre please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/calibre

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS