Debian 9891 Published by

The following security updates have been released for Debian GNU/Linux:

[DLA 3732-1] sudo security update
ELA-1041-1 zabbix security update
[DLA 3733-1] rear security update
[DSA 5614-1] zbar security update
ELA-1042-1 sudo security update




[DLA 3732-1] sudo security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3732-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 03, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : sudo
Version : 1.8.27-1+deb10u6
CVE ID : CVE-2023-7090 CVE-2023-28486 CVE-2023-28487

Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was vulnerable.

CVE-2023-7090

A flaw was found in sudo in the handling of ipa_hostname, where
ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo.
Therefore, it leads to privilege mismanagement vulnerability in
applications, where client hosts retain privileges even after
retracting them.

CVE-2023-28486

Sudo did not escape control characters in log messages.

CVE-2023-28487

Sudo did not escape control characters in sudoreplay output.

For Debian 10 buster, these problems have been fixed in version
1.8.27-1+deb10u6.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sudo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1041-1 zabbix security update

Package : zabbix
Version : 2.2.23+dfsg-0+deb8u7 (jessie), 1:3.0.32+dfsg-0+deb9u6 (stretch)

Related CVEs :
CVE-2023-32721
CVE-2023-32726

Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially allowing an attacker to perform
a stored XSS, Server-Side Request Forgery (SSRF), exposure of sensitive
information, a system crash, or arbitrary code execution.

CVE-2023-32721
A stored XSS has been found in the Zabbix web application in the
Maps element if a URL field is set with spaces before URL.

CVE-2023-32726
Possible buffer overread from reading DNS responses.

ELA-1041-1 zabbix security update


[DLA 3733-1] rear security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3733-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
February 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : rear
Version : 2.4+dfsg-1+deb10u1
CVE ID : CVE-2024-23301

rear is a disaster recovery and system migration framework. It has
been discovered that rear creates a world-readable initrd when using
GRUB_RESCUE=y. This allows local attackers to gain access to system
secrets otherwise only readable by root.

For Debian 10 buster, this problem has been fixed in version
2.4+dfsg-1+deb10u1.

We recommend that you upgrade your rear packages.

For the detailed security status of rear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5614-1] zbar security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5614-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 03, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : zbar
CVE ID : CVE-2023-40889 CVE-2023-40890
Debian Bug : 1051724

Two vulnerabilities were discovered in zbar, a library for scanning and
decoding QR and bar codes, which may result in denial of service,
information disclosure or potentially the execution of arbitrary code if
a specially crafted code is processed.

For the oldstable distribution (bullseye), these problems have been
fixed in version 0.23.90-1+deb11u1.

For the stable distribution (bookworm), these problems have been fixed
in version 0.23.92-7+deb12u1.

We recommend that you upgrade your zbar packages.

For the detailed security status of zbar please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/zbar

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1042-1 sudo security update

Package : sudo
Version : 1.8.19p1-2.1+deb9u6 (stretch)

Related CVEs :
CVE-2023-28486
CVE-2023-28487

Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was vulnerable.
CVE-2023-28486
Sudo did not escape control characters in log messages.

CVE-2023-28487
Sudo did not escape control characters in sudoreplay output.

ELA-1042-1 sudo security update