
Debian GNU/Linux 11 (Bullseye) LTS has been updated with security updates for Thunderbird, libaws, and Ruby 2.7:

[DLA 4081-1] thunderbird security update
[DLA 4080-1] libaws security update
[DLA 4082-1] ruby2.7 security update




[SECURITY] [DLA 4081-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4081-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
March 10, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:128.8.0esr-1~deb11u1
CVE ID : CVE-2024-43097 CVE-2025-1931 CVE-2025-1932 CVE-2025-1933
CVE-2025-1934 CVE-2025-1935 CVE-2025-1936 CVE-2025-1937
CVE-2025-1938

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:128.8.0esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4080-1] libaws security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4080-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
March 09, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libaws
Version : 20.2-2+deb11u1
CVE ID : CVE-2024-55581
Debian Bug :

AdaCore released a security advisory for
"Insecure defaults in AWS.Client when linked with GnuTLS".
The Debian package of libaws is built with GnuTLS, and the reproducer
included in the advisory was used to confirm that the previous version of
the package was affected. The upstream fix was backported to the
packaged version to address the problem.

For Debian 11 bullseye, this problem has been fixed in version
20.2-2+deb11u1.

We recommend that you upgrade your libaws packages.

For the detailed security status of libaws please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libaws

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4082-1] ruby2.7 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4082-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
March 10, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby2.7
Version : 2.7.4-1+deb11u5
CVE ID : CVE-2025-27219 CVE-2025-27220 CVE-2025-27221

Ruby, a popular programming language, was affected by multiple vulnerabilities:

CVE-2025-27219

In the CGI gem, the CGI::Cookie.parse method contains a potential
Denial of Service (DoS) vulnerability. The method does not impose any
limit on the length of the raw cookie value it processes, which can lead
to excessive resource consumption when parsing extremely large cookies.

CVE-2025-27220

In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221

In the URI gem, the URI handling methods (URI.join, URI#merge, URI#+)
inadvertently leak authentication credentials: the userinfo component of
the base URI is retained even after the host has been changed by the
joined reference.
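The credential-retention problem above is easy to guard against in application code regardless of which uri gem version is installed. The following is an added example (not part of the advisory or the Ruby project): a wrapper around URI.join that only keeps the base's userinfo when the result still points at the same scheme, host and port, plus a small check that reports whether the running platform still exhibits the retention behaviour. The module name SafeJoin and the hostnames used are assumptions chosen for the example.

```ruby
require 'uri'

# Example code, not from the advisory: join URI references without carrying
# the base URI's credentials over to a different origin.
module SafeJoin
  module_function

  # Clear user and password on +uri+ in place. The password is cleared first
  # because URI::Generic#user= with nil leaves the old password in place.
  def strip_credentials(uri)
    uri.password = nil
    uri.user = nil
    uri
  end

  # Like URI.join, but the base's userinfo survives only when the joined
  # result keeps the base's scheme, host and port.
  def join(base, reference)
    base_uri = URI(base)
    result = URI.join(base_uri, reference)
    same_origin = result.scheme == base_uri.scheme &&
                  result.host == base_uri.host &&
                  result.port == base_uri.port
    strip_credentials(result) unless same_origin
    result
  end

  # Audit helper: true when this Ruby's URI.join still keeps the base
  # credentials after a host change (the behaviour described for
  # CVE-2025-27221). Hostnames here are constructed sample values.
  def platform_retains_userinfo?
    joined = URI.join('http://user:secret@example.com/a/', '//other.example/b')
    joined.userinfo == 'user:secret'
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "URI.join retains userinfo on host change: #{SafeJoin.platform_retains_userinfo?}"
  puts SafeJoin.join('http://user:secret@example.com/a/', '//other.example/b')
  puts SafeJoin.join('http://user:secret@example.com/a/', 'b')
end
```

Running the script on an unpatched ruby2.7 prints true for the first line; on either version the cross-host join comes back without credentials while the same-host join keeps them.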

For Debian 11 bullseye, these problems have been fixed in version
2.7.4-1+deb11u5.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS