Debian GNU/Linux 11 (Bullseye) LTS has received various security updates, including the ruby-httparty, unbound, ruby-rails-html-sanitizer, and ruby-loofah packages:

[SECURITY] [DLA 3900-1] ruby-httparty security update
[SECURITY] [DLA 3903-1] unbound security update
[SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
[SECURITY] [DLA 3901-1] ruby-loofah security update




[SECURITY] [DLA 3900-1] ruby-httparty security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3900-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 28, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-httparty
Version : 0.18.1-2+deb11u1
CVE ID : CVE-2024-22049

A multipart/form-data request tampering issue has been fixed in
ruby-httparty, a Ruby library for using Web-based APIs and related
services.

For Debian 11 bullseye, this problem has been fixed in version
0.18.1-2+deb11u1.

We recommend that you upgrade your ruby-httparty packages.

For the detailed security status of ruby-httparty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-httparty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3903-1] unbound security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3903-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
September 29, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : unbound
Version : 1.13.1-1+deb11u3
CVE ID : CVE-2024-43167 CVE-2024-43168
Debian Bug : 1078647

Two vulnerabilities were discovered in unbound, a validating,
recursive, caching DNS resolver. Specially crafted input could cause a
heap-buffer-overflow leading to memory corruption and potentially
causing the application to crash or allowing arbitrary code execution
(CVE-2024-43168). A NULL pointer dereference flaw could allow an
attacker who can invoke specific sequences of API calls to cause a
segmentation fault and a denial of service (CVE-2024-43167).

For Debian 11 bullseye, these problems have been fixed in version
1.13.1-1+deb11u3.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3902-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 28, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-rails-html-sanitizer
Version : 1.3.0-1+deb11u1
CVE ID : CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520
CVE-2022-32209
Debian Bug : 1013806 1027153

Multiple vulnerabilities have been fixed in ruby-rails-html-sanitizer,
a Ruby library for sanitizing HTML fragments in Rails applications.

CVE-2022-23517

    Inefficient Regular Expression Complexity

CVE-2022-23518

    XSS in data URIs

CVE-2022-23519
CVE-2022-23520
CVE-2022-32209

    XSS vulnerability

For Debian 11 bullseye, these problems have been fixed in version
1.3.0-1+deb11u1.

We recommend that you upgrade your ruby-rails-html-sanitizer packages.

For the detailed security status of ruby-rails-html-sanitizer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rails-html-sanitizer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3901-1] ruby-loofah security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3901-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 28, 2024                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-loofah
Version : 2.7.0+dfsg-1+deb11u1
CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug : 1026083

Multiple vulnerabilities have been fixed in ruby-loofah, a Ruby library
for manipulating and transforming HTML/XML documents and fragments.

CVE-2022-23514

    slow regex attribute check with crass parser

CVE-2022-23515

    XSS with "image/svg+xml" in data URIs

CVE-2022-23516

    Uncontrolled CDATA recursion

For Debian 11 bullseye, these problems have been fixed in version
2.7.0+dfsg-1+deb11u1.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
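As an added check that is not part of the four advisories above, the following Python compares installed package versions against the fixed bullseye versions they state (DLA-3900-1, DLA-3901-1, DLA-3902-1, DLA-3903-1). It re-implements dpkg's version ordering (epoch, upstream, revision, with "~" sorting before everything) so it also runs on hosts without dpkg; the package names and fixed versions are taken from the advisories, while any installed versions passed to vulnerable_packages() are the caller's own (e.g. from dpkg-query output).

```python
FIXED = {  # fixed versions for Debian 11 bullseye, from DLA-3900-1 .. DLA-3903-1
    "ruby-httparty": "0.18.1-2+deb11u1",
    "unbound": "1.13.1-1+deb11u3",
    "ruby-rails-html-sanitizer": "1.3.0-1+deb11u1",
    "ruby-loofah": "2.7.0+dfsg-1+deb11u1",
}

def _order(c):
    """dpkg character weight: '~' < end of string (0) < letters < other symbols."""
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0  # end of string weighs 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run: ignore leading zeros
        while a and a[0].isdigit() and b and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1  # a has more digits left, so it is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v):
    """'[epoch:]upstream[-revision]' -> (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):
    """Return <0, 0 or >0 as 'dpkg --compare-versions a lt/eq/gt b' would."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def vulnerable_packages(installed):
    """Map package -> (installed, fixed) where the installed version is older."""
    return {p: (v, FIXED[p]) for p, v in installed.items()
            if p in FIXED and compare_versions(v, FIXED[p]) < 0}
```

Feed it the output of `dpkg-query -W -f '${Package} ${Version}\n'` parsed into a dict; an empty result means all four packages are at or above the fixed versions.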