Debian 10165 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1113-1 libndp security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1114-1 composer security update

Debian GNU/Linux 10 (Buster) LTS:
[DLA 3836-1] thunderbird security update
[DLA 3838-1] composer security update
[DLA 3837-1] libndp security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5716-1] chromium security update



[DLA 3836-1] thunderbird security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3836-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
June 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:115.12.0-1~deb10u1
CVE ID : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693
CVE-2024-5696 CVE-2024-5700 CVE-2024-5702

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.12.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3838-1] composer security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3838-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
June 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : composer
Version : 1.8.4-1+deb10u4
CVE IDs : CVE-2024-35241 CVE-2024-35242
Debian Bugs : 1073125 1073126

It was discovered that there were a number of command-line injection
vulnerabilities in Composer, a popular dependency manager for PHP.

The 'install', 'status', 'reinstall' and 'remove' functionality had
issues when used with Git or Hg repositories which used maliciously-
crafted branch names, which could have been abused to execute
arbitrary shell commands.

For Debian 10 buster, this problem has been fixed in version
1.8.4-1+deb10u4.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/composer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3837-1] libndp security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3837-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
June 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libndp
Version : 1.6-1+deb10u1
CVE ID : CVE-2024-5564
Debian Bug : 1072366

It was discovered that there was a buffer overflow vulnerability in
libndp, a library for implementing IPv6's "Neighbor Discovery
Protocol" (NDP) and is used by Network Manager and other networking
tools.

A local, malicious user could have caused a buffer overflow in
Network Manager by sending a malformed IPv6 router advertisement
packet. This issue existed because libndp was not correctly
validating route length information.

For Debian 10 buster, this problem has been fixed in version
1.6-1+deb10u1.

We recommend that you upgrade your libndp packages.

For the detailed security status of libndp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libndp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5716-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5716-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
June 19, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-6100 CVE-2024-6101 CVE-2024-6102 CVE-2024-6103

Security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 126.0.6478.114-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1114-1 composer security update

Package : composer
Version : 1.2.2-1+deb9u3 (stretch)

Related CVEs :
CVE-2024-35241
CVE-2024-35242

It was discovered that there were a number of command-line injection
vulnerabilities in Composer, a popular dependency manager for PHP.
The install, status, reinstall and remove functionality had issues when
used with Git or Hg repositories which used maliciously- crafted branch names,
which could have been abused to execute arbitrary shell commands.

ELA-1114-1 composer security update


ELA-1113-1 libndp security update

Package : libndp
Version : 1.4-2+deb8u2 (jessie), 1.6-1+deb9u1 (stretch)

Related CVEs :
CVE-2024-5564

It was discovered that there was a buffer overflow vulnerability in libndp, a
library for implementing IPv6’s “Neighbor Discovery Protocol” (NDP) and is used
by Network Manager and other networking tools.
A local, malicious user could have caused a buffer overflow in Network Manager
by sending a malformed IPv6 router advertisement packet. This issue existed
because libndp was not correctly validating route length information.

ELA-1113-1 libndp security update