Debian 9988 Published by

The following security updates have been released for Debian GNU/Linux:

ELA-1052-1 wireshark security update
ELA-1051-1 gsoap security update
ELA-1050-1 php-phpseclib security update
ELA-1049-1 evince security update
[DLA 3746-1] wireshark security update
[DLA 3745-1] gsoap security update
[DLA 3744-1] python-django security update




ELA-1052-1 wireshark security update

Package : wireshark
Version : 2.6.20-0+deb9u7 (stretch)

Related CVEs :
CVE-2023-4511
CVE-2023-4513
CVE-2023-6175
CVE-2024-0208

Multiple vulnerabilities have been fixed in the network traffic analyzer Wireshark.
CVE-2023-4511
BT SDP dissector infinite loop

CVE-2023-4513
BT SDP dissector memory leak

CVE-2023-6175
NetScreen file parser crash

CVE-2024-0208
GVCP dissector crash

ELA-1052-1 wireshark security update


ELA-1051-1 gsoap security update

Package : gsoap
Version : 2.8.35-4+deb9u3 (stretch)

Related CVEs :
CVE-2020-13574
CVE-2020-13575
CVE-2020-13576
CVE-2020-13577
CVE-2020-13578

Multiple vulnerabilities have been fixed in the gSOAP toolkit for
developing Web services.

CVE-2020-13574
WS-Security plugin denial-of-service

CVE-2020-13575
WS-Addressing plugin denial-of-service

CVE-2020-13576
WS-Addressing plugin code execution

CVE-2020-13577
WS-Security plugin denial-of-service

CVE-2020-13578
WS-Security plugin denial-of-service

ELA-1051-1 gsoap security update


ELA-1050-1 php-phpseclib security update

Package : php-phpseclib
Version : 2.0.30-2~deb9u1 (stretch)

Related CVEs :
CVE-2023-48795

The Terrapin attack is a cryptographic attack on the SSH prootocol reducing the security of SSH, by using a downgrade attack via man-in-the-middle interception.
By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

ELA-1050-1 php-phpseclib security update


ELA-1049-1 evince security update

Package : evince
Version : 3.22.1-3+deb9u3 (stretch)

Related CVEs :
CVE-2023-51698

A security vulnerability was found in Evince, a document viewer, which may grant
an attacker immediate access to the target system when the target user opens a
crafted document or clicks on a crafted link/URL using a maliciously crafted
CBT (comic book archive) document which is a TAR archive. The comic book
backend of Evince uses libarchive now, which handles CBT and other comic book
archives correctly.

ELA-1049-1 evince security update


[DLA 3746-1] wireshark security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3746-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
February 29, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : wireshark
Version : 2.6.20-0+deb10u8
CVE ID : CVE-2023-4511 CVE-2023-4513 CVE-2023-6175 CVE-2024-0208

Multiple vulnerabilities hav been fixed in the network traffic analyzer Wireshark.

CVE-2023-4511

BT SDP dissector infinite loop

CVE-2023-4513

BT SDP dissector memory leak

CVE-2023-6175

NetScreen file parser crash

CVE-2024-0208

GVCP dissector crash

For Debian 10 buster, these problems have been fixed in version
2.6.20-0+deb10u8.

We recommend that you upgrade your wireshark packages.

For the detailed security status of wireshark please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wireshark

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3745-1] gsoap security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3745-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
February 29, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : gsoap
Version : 2.8.75-1+deb10u1
CVE ID : CVE-2020-13574 CVE-2020-13575 CVE-2020-13576 CVE-2020-13577
CVE-2020-13578
Debian Bug : 983596

Multiple vulnerabilities have been fixed in the gSOAP toolkit for
developing Web services.

CVE-2020-13574

WS-Security plugin denial-of-service

CVE-2020-13575

WS-Addressing plugin denial-of-service

CVE-2020-13576

WS-Addressing plugin code execution

CVE-2020-13577

WS-Security plugin denial-of-service

CVE-2020-13578

WS-Security plugin denial-of-service

For Debian 10 buster, these problems have been fixed in version
2.8.75-1+deb10u1.

We recommend that you upgrade your gsoap packages.

For the detailed security status of gsoap please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gsoap

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3744-1] python-django security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3744-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 29, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 1:1.11.29-1+deb10u11
CVE IDs : CVE-2021-28658 CVE-2021-31542 CVE-2021-33203 CVE-2021-33571
Debian Bugs : 986447 988053 989394

It was discovered that there were a number of issues in Django, a
popular Python-based web development framework:

* CVE-2021-28658: Prevent a directory traversal issue which could
have been exploited by maliciously crafted filenames. However, the
built-in upload handlers were not affected by this vulnerability.
(#986447)

* CVE-2021-31542: Fix a potential directory-traversal vulnerability
that could have been exploited by uploaded files. The
MultiPartParser, UploadedFile and FieldFile classes allowed
directory-traversal via uploaded files with suitably crafted file
names. In order to mitigate this risk, stricter basename and path
sanitation is now applied. Specifically, empty file names and
paths with dot segments are rejected. (#988053)

* CVE-2021-33203: Prevent a potential directory traversal via
admindocs. Staff members could use the admindocs
TemplateDetailView view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates
have been customized by the developers to also expose the file
contents, then not only the existence but also the file contents
would have been exposed. As a mitigation, path sanitation is now
applied and only files within the template root directories can be
loaded. (#989394)

* CVE-2021-33571: Prevent possible SSRF, RFI (Remote File Inclusion)
and LFI (Local File Inclusion) attacks, since validators accepted
leading zeros in IPv4 addresses URLValidator,
validate_ipv4_address() and validate_ipv46_address() did not
prohibit leading zeros in octal literals. (#989394)

For Debian 10 buster, these problems have been fixed in version
1:1.11.29-1+deb10u11.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS