Debian 9955 Published by

The following security updates have been released for Debian GNU/Linux:

[DLA 3791-1] thunderbird security update
[DSA 5671-1] openjdk-11 security update
[DSA 5670-1] thunderbird security update
[DSA 5669-1] guix security update
[DSA 5672-1] openjdk-17 security update
[DLA 3793-1] openjdk-11 security update
[DLA 3792-1] samba security update




[DLA 3791-1] thunderbird security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3791-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 22, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : thunderbird
Version : 1:115.10.1-1~deb10u1
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:115.10.1-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5671-1] openjdk-11 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5671-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 22, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-11
CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085
CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 11.0.23+9-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5670-1] thunderbird security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5670-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 22, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1:115.10.1-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1:115.10.1-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5669-1] guix security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5669-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 22, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : guix
CVE ID : CVE-2024-27297

It was discovered that insufficient restriction of unix daemon sockets
in the GNU Guix functional package manager could result in sandbox
bypass.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.2.0-4+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 1.4.0-3+deb12u1.

We recommend that you upgrade your guix packages.

For the detailed security status of guix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/guix

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5672-1] openjdk-17 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5672-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 22, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-17
CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 17.0.11+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 17.0.11+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3793-1] openjdk-11 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3793-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 22, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : openjdk-11
Version : 11.0.23+9-1~deb10u1
CVE ID : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085
CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.

For Debian 10 buster, these problems have been fixed in version
11.0.23+9-1~deb10u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3792-1] samba security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3792-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
April 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : samba
Version : 2:4.9.5+dfsg-5+deb10u5
CVE ID : CVE-2020-14318 CVE-2020-14323 CVE-2020-14383 CVE-2022-2127
CVE-2022-3437 CVE-2022-32742 CVE-2023-4091

Several vulnerabilities were discovered in Samba, SMB/CIFS file,
print, and login server for Unix

CVE-2020-14318

Missing handle permissions check in ChangeNotify

CVE-2020-14323

Unprivileged user can crash winbind via invalid lookupsids DoS

CVE-2020-14383

DNS server crash via invalid records resulting from uninitialized
variables

CVE-2022-2127

Out-of-bounds read in winbind AUTH_CRAP

CVE-2022-3437

Heimdal des/des3 heap-based buffer overflow

CVE-2022-32742

Server memory information leak via SMB1

CVE-2023-4091

Client can truncate files even with read-only permissions

For Debian 10 buster, these problems have been fixed in version
2:4.9.5+dfsg-5+deb10u5.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS