
Debian GNU/Linux has been updated with security updates, including Squid for Debian 10 ELTS and Debian 11 LTS as well as libmodbus for Debian 11 LTS:

ELA-1345-1 squid security update
[DLA 4083-1] squid security update
[DLA 4084-1] libmodbus security update





[SECURITY] [DLA 4083-1] squid security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4083-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
March 11, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : squid
Version : 4.13-10+deb11u4
CVE ID : CVE-2024-25111 CVE-2024-37894 CVE-2024-45802
Debian Bug :

Several security vulnerabilities have been discovered in Squid, a full featured
web proxy cache.

CVE-2024-25111

A possible Denial of Service attack against HTTP Chunked decoder due
to an uncontrolled recursion bug. This problem allows a remote
attacker to cause Denial of Service when sending a crafted, chunked,
encoded HTTP Message.

CVE-2024-37894

Due to an Out-of-bounds Write error when assigning ESI variables,
Squid is susceptible to a Memory Corruption error. This error can
lead to a Denial of Service attack.

CVE-2024-45802

Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.

For Debian 11 bullseye, these problems have been fixed in version
4.13-10+deb11u4.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4084-1] libmodbus security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4084-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
March 11, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libmodbus
Version : 3.1.6-2+deb11u1
CVE ID : CVE-2022-0367 CVE-2024-10918
CVE-2024-36843 CVE-2024-36844 CVE-2024-36845
Debian Bug : 1074422

Two separate issues were identified and have now been addressed in libmodbus.
For one of the problems multiple CVE identifiers have been allocated to the
same issue and all of them are mentioned below.

CVE-2022-0367

A heap-based buffer overflow flaw was found in libmodbus in function
modbus_reply() in src/modbus.c.

CVE-2024-10918

Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows to
overflow the buffer allocated for the Modbus response if the function tries
to reply to a Modbus request with an unexpected length.

CVE-2024-36843

This is a duplicate of CVE-2022-0367.

CVE-2024-36844

This is a duplicate of CVE-2022-0367.

CVE-2024-36845

This is a duplicate of CVE-2022-0367.

For Debian 11 bullseye, these problems have been fixed in version
3.1.6-2+deb11u1.

We recommend that you upgrade your libmodbus packages.

For the detailed security status of libmodbus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmodbus

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1345-1 squid security update


Package : squid
Version : 4.6-1+deb10u11 (buster)

Related CVEs :
CVE-2024-23638
CVE-2024-25111
CVE-2024-25617
CVE-2024-37894
CVE-2024-45802

Several security vulnerabilities have been discovered in Squid, a full featured
web proxy cache.

CVE-2024-23638
A Denial of Service attack against Cache Manager error responses. This
problem allows a trusted client to perform Denial of Service when
generating error pages for Client Manager reports.

CVE-2024-25111
A possible Denial of Service attack against HTTP Chunked decoder due to an
uncontrolled recursion bug. This problem allows a remote attacker to cause
Denial of Service when sending a crafted, chunked, encoded HTTP Message.

CVE-2024-25617
A Denial of Service attack against HTTP header parsing. This problem allows
a remote client or a remote server to perform Denial of Service when
sending oversized headers in HTTP messages.

CVE-2024-37894
Due to an Out-of-bounds Write error when assigning ESI variables, Squid is
susceptible to a Memory Corruption error. This error can lead to a Denial
of Service attack.

CVE-2024-45802
Disable ESI feature support. Due to Input Validation, Premature Release of
Resource During Expected Lifetime, and Missing Release of Resource after
Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks
by a trusted server against all clients using the proxy. This problem is
fixed by changing the build configuration to specify the --disable-esi
option.
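As a practitioner's check against the three advisories above, the following Python script is an added example; it is not Debian's or the digest author's tooling. It parses the Package, Version and CVE lines of the advisory texts (embedded here as a constructed sample taken from this digest), then compares a constructed installed-package inventory against the fixed versions. Debian version ordering is re-implemented from the dpkg algorithm so the script runs where dpkg is absent; the "+debNNu" release matching is an assumed heuristic, and on a real host `dpkg --compare-versions` remains the authoritative answer.

```python
"""Parse Debian LTS/ELTS advisory text and flag installed packages older than
the fixed versions it lists.  Added example, not Debian tooling; version order
re-implements dpkg's algorithm (Policy Manual, Version field) without dpkg."""
import itertools
import re

# Constructed sample: header fields of the three advisories in this digest.
SAMPLE_ADVISORIES = """\
[SECURITY] [DLA 4083-1] squid security update
Debian LTS Advisory DLA-4083-1 debian-lts@lists.debian.org
Package : squid
Version : 4.13-10+deb11u4
CVE ID : CVE-2024-25111 CVE-2024-37894 CVE-2024-45802
Debian LTS Advisory DLA-4084-1 debian-lts@lists.debian.org
Package : libmodbus
Version : 3.1.6-2+deb11u1
CVE ID : CVE-2022-0367 CVE-2024-10918
CVE-2024-36843 CVE-2024-36844 CVE-2024-36845
ELA-1345-1 squid security update
Package : squid
Version : 4.6-1+deb10u11 (buster)
Related CVEs :
CVE-2024-23638
CVE-2024-25111
"""


def parse_advisories(text):
    """One dict per DLA/ELA id with its Package, Version and every CVE listed."""
    advisories, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"\b(DLA|ELA)[- ](\d+-\d+)\b", line):
            adv_id = f"{m.group(1)}-{m.group(2)}"
            if cur is None or cur["id"] != adv_id:  # the id repeats in subject and header
                cur = {"id": adv_id, "package": "", "version": "", "cves": []}
                advisories.append(cur)
        if cur is None:
            continue
        if m := re.match(r"^Package\s*:\s*(\S+)", line):
            cur["package"] = m.group(1)
        elif m := re.match(r"^Version\s*:\s*(\S+)", line):  # "(buster)" suffix dropped
            cur["version"] = m.group(1)
        for cve in re.findall(r"\bCVE-\d{4}-\d{4,}\b", line):
            if cve not in cur["cves"]:
                cur["cves"].append(cve)
    return advisories


def _order(c):
    """dpkg character weight: digits/end 0, '~' before everything, letters before symbols."""
    return 0 if not c or c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg comparison of upstream/revision strings: alternate non-digit and numeric runs."""
    while a or b:
        la, lb = re.match(r"\D*", a).end(), re.match(r"\D*", b).end()
        for ca, cb in itertools.zip_longest(a[:la], b[:lb], fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        a, b = a[la:], b[lb:]
        na, nb = re.match(r"\d*", a).end(), re.match(r"\d*", b).end()
        da, db = int(a[:na] or 0), int(b[:nb] or 0)  # an empty run counts as zero
        if da != db:
            return (da > db) - (da < db)
        a, b = a[na:], b[nb:]
    return 0


def compare_versions(a, b):
    """Negative, zero or positive as Debian version a sorts <, == or > b."""
    def split(v):  # [epoch:]upstream[-revision]; epoch defaults to 0
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def suite_tag(version):
    """Release marker of a security build ('+deb11u4' -> '11'); assumed heuristic."""
    m = re.search(r"\+deb(\d+)u", version)
    return m.group(1) if m else None


def check_installed(advisories, installed):
    """installed: {package: version}; one finding per advisory whose fix is newer."""
    findings = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is None or len({suite_tag(have), suite_tag(adv["version"])} - {None}) > 1:
            continue  # not installed, or the advisory targets another release
        if compare_versions(have, adv["version"]) < 0:
            findings.append((adv["id"], adv["package"], have, adv["version"], adv["cves"]))
    return findings


if __name__ == "__main__":
    # Constructed inventory; on a host build it from: dpkg-query -W -f='${Package} ${Version}\n'
    inventory = {"squid": "4.6-1+deb10u10", "libmodbus": "3.1.6-2+deb11u1"}
    for finding in check_installed(parse_advisories(SAMPLE_ADVISORIES), inventory):
        print(*finding)
```

With the constructed inventory the script reports only the buster squid against ELA-1345-1: the bullseye DLA for squid is skipped because its "+deb11u" build does not match the installed "+deb10u" package, and libmodbus is already at the fixed version. Feed it the real advisory mails and a `dpkg-query` inventory to get the same report for a live host.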

