Debian 10385

Debian GNU/Linux has been updated with various security enhancements, including AMD64 Microcode, Flatpak, Libdata-Entropy-Perl, Intel Microcode, Varnish, Ruby 2.1, Freetype, and Suricata:

Debian GNU/Linux 8 (Jessie) ELTS:
ELA-1333-1 ruby2.1 security update

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) ELTS:
ELA-1365-1 amd64-microcode security update
ELA-1364-1 intel-microcode security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1368-1 freetype security update

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1366-1 libdata-entropy-perl security update
ELA-1367-1 suricata security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4098-1] amd64-microcode security update
[DLA 4099-1] flatpak security update
[DLA 4100-1] libdata-entropy-perl security update
[DLA 4102-1] linux-6.1 security update
[DLA 4101-1] varnish security update
[DLA 4104-1] freetype security update
[DLA 4103-1] suricata security update



ELA-1365-1 amd64-microcode security update


Package : amd64-microcode
Version : 3.20250311.1~deb8u1 (jessie), 3.20250311.1~deb9u1 (stretch), 3.20250311.1~deb10u1 (buster)

Related CVEs :
CVE-2024-56161

A potential vulnerability has been found for certain AMD platforms which creates a possible confidential computing vulnerability.
AMD has released updated microcode to prevent an attacker from loading tampered microcode.
Additionally an SEV firmware update might be required for some platforms to support SEV-SNP attestation, which may also necessitate a BIOS update.
For details please see the AMD security bulletin AMD-SB-3019.
CVE-2024-56161 (AMD-SB-3019):
Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privileges to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.





[SECURITY] [DLA 4098-1] amd64-microcode security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4098-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : amd64-microcode
Version : 3.20250311.1~deb11u1
CVE ID : CVE-2024-56161
Debian Bug : 1095470

A potential vulnerability has been found for certain AMD platforms which
creates a possible confidential computing vulnerability.

AMD has released updated microcode to prevent an attacker from loading
tampered microcode.

Additionally an SEV firmware update might be required for some platforms
to support SEV-SNP attestation, which may also necessitate a BIOS
update.

For details please see the AMD security bulletin AMD-SB-3019.

CVE-2024-56161 (AMD-SB-3019):

Improper signature verification in AMD CPU ROM microcode patch
loader may allow an attacker with local administrator privileges to
load malicious CPU microcode resulting in loss of confidentiality
and integrity of a confidential guest running under AMD SEV-SNP.

For Debian 11 bullseye, this problem has been fixed in version
3.20250311.1~deb11u1.

We recommend that you upgrade your amd64-microcode packages.

For the detailed security status of amd64-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amd64-microcode

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4099-1] flatpak security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4099-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : flatpak
Version : 1.10.8-0+deb11u3
CVE ID : CVE-2024-42472
Debian Bug : 1082927

Access to files outside sandbox has been fixed in Flatpak,
an application deployment framework for desktop apps.

As a prerequisite for the fix, the bubblewrap package has also
been updated.

For Debian 11 bullseye, this problem has been fixed in version
1.10.8-0+deb11u3.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4100-1] libdata-entropy-perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4100-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libdata-entropy-perl
Version : 0.007-3.1+deb11u1
CVE ID : CVE-2025-1860
Debian Bug : 1101503

The perl module Data::Entropy was using the cryptographically insecure
rand() function as the default entropy source.

For Debian 11 bullseye, this problem has been fixed in version
0.007-3.1+deb11u1.

We recommend that you upgrade your libdata-entropy-perl packages.

For the detailed security status of libdata-entropy-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libdata-entropy-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1366-1 libdata-entropy-perl security update


Package : libdata-entropy-perl
Version : 0.007-3.1+deb11u1~deb10u1 (buster)

Related CVEs :
CVE-2025-1860

The perl module Data::Entropy was using the cryptographically insecure rand() function as the default entropy source.





ELA-1364-1 intel-microcode security update


Package : intel-microcode

Version : 3.20250211.1~deb8u1 (jessie), 3.20250211.1~deb9u1 (stretch), 3.20250211.1~deb10u1 (buster)

Related CVEs :
CVE-2023-34440
CVE-2023-43758
CVE-2024-24582
CVE-2024-28047
CVE-2024-28127
CVE-2024-29214
CVE-2024-31068
CVE-2024-31157
CVE-2024-36293
CVE-2024-37020
CVE-2024-39279
CVE-2024-39355

Microcode updates have been released for Intel(R) processors, addressing
multiple potential vulnerabilities that may allow local privilege escalation,
denial of service or information disclosure.

CVE-2023-34440 (INTEL-SA-01139)
Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2023-43758 (INTEL-SA-01139)
Improper input validation in UEFI firmware for some Intel(R) processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-24582 (INTEL-SA-01139)
Improper input validation in XmlCli feature for UEFI firmware for some
Intel(R) processors may allow privileged user to potentially enable
escalation of privilege via local access.

CVE-2024-28047 (INTEL-SA-01139)
Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable information disclosure
via local access.

CVE-2024-28127 (INTEL-SA-01139)
Improper input validation in UEFI firmware for some Intel(R) Processors
may allow a privileged user to potentially enable escalation of
privilege via local access.

CVE-2024-29214 (INTEL-SA-01139)
Improper input validation in UEFI firmware CseVariableStorageSmm for
some Intel(R) Processors may allow a privileged user to potentially
enable escalation of privilege via local access.

CVE-2024-31068 (INTEL-SA-01166)
Improper Finite State Machines (FSMs) in Hardware Logic for some
Intel(R) Processors may allow privileged user to potentially enable
denial of service via local access.

CVE-2024-31157 (INTEL-SA-01139)
Improper initialization in UEFI firmware OutOfBandXML module in some
Intel(R) Processors may allow a privileged user to potentially enable
information disclosure via local access.

CVE-2024-36293 (INTEL-SA-01213)
Improper access control in the EDECCSSA user leaf function for some
Intel(R) Processors with Intel(R) SGX may allow an authenticated user to
potentially enable denial of service via local access.

CVE-2024-37020 (INTEL-SA-01194)
Sequence of processor instructions leads to unexpected behavior in the
Intel(R) DSA V1.0 for some Intel(R) Xeon(R) Processors may allow an
authenticated user to potentially enable denial of service via local
access.

CVE-2024-39279 (INTEL-SA-01139)
Insufficient granularity of access control in UEFI firmware in some
Intel(R) processors may allow an authenticated user to potentially enable
denial of service via local access.

CVE-2024-39355 (INTEL-SA-01228)
Improper handling of physical or environmental conditions in some
Intel(R) Processors may allow an authenticated user to enable denial of
service via local access.





[SECURITY] [DLA 4102-1] linux-6.1 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4102-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Ben Hutchings
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : linux-6.1
Version : 6.1.129-1~deb11u1
CVE ID : CVE-2024-26596 CVE-2024-40945 CVE-2024-42069 CVE-2024-42122
CVE-2024-45001 CVE-2024-47726 CVE-2024-49989 CVE-2024-50061
CVE-2024-54458 CVE-2024-56549 CVE-2024-57834 CVE-2024-57973
CVE-2024-57978 CVE-2024-57979 CVE-2024-57980 CVE-2024-57981
CVE-2024-57986 CVE-2024-57993 CVE-2024-57996 CVE-2024-57997
CVE-2024-57998 CVE-2024-58001 CVE-2024-58007 CVE-2024-58009
CVE-2024-58010 CVE-2024-58011 CVE-2024-58013 CVE-2024-58014
CVE-2024-58016 CVE-2024-58017 CVE-2024-58020 CVE-2024-58034
CVE-2024-58051 CVE-2024-58052 CVE-2024-58054 CVE-2024-58055
CVE-2024-58056 CVE-2024-58058 CVE-2024-58061 CVE-2024-58063
CVE-2024-58068 CVE-2024-58069 CVE-2024-58071 CVE-2024-58072
CVE-2024-58076 CVE-2024-58077 CVE-2024-58080 CVE-2024-58083
CVE-2024-58085 CVE-2024-58086 CVE-2025-21684 CVE-2025-21700
CVE-2025-21701 CVE-2025-21703 CVE-2025-21704 CVE-2025-21705
CVE-2025-21706 CVE-2025-21707 CVE-2025-21708 CVE-2025-21711
CVE-2025-21715 CVE-2025-21716 CVE-2025-21718 CVE-2025-21719
CVE-2025-21722 CVE-2025-21724 CVE-2025-21725 CVE-2025-21726
CVE-2025-21727 CVE-2025-21728 CVE-2025-21731 CVE-2025-21734
CVE-2025-21735 CVE-2025-21736 CVE-2025-21738 CVE-2025-21744
CVE-2025-21745 CVE-2025-21748 CVE-2025-21749 CVE-2025-21750
CVE-2025-21753 CVE-2025-21758 CVE-2025-21760 CVE-2025-21761
CVE-2025-21762 CVE-2025-21763 CVE-2025-21764 CVE-2025-21765
CVE-2025-21766 CVE-2025-21767 CVE-2025-21772 CVE-2025-21775
CVE-2025-21776 CVE-2025-21779 CVE-2025-21780 CVE-2025-21781
CVE-2025-21782 CVE-2025-21785 CVE-2025-21787 CVE-2025-21790
CVE-2025-21791 CVE-2025-21792 CVE-2025-21794 CVE-2025-21795
CVE-2025-21796 CVE-2025-21799 CVE-2025-21802 CVE-2025-21804
CVE-2025-21806 CVE-2025-21811 CVE-2025-21812 CVE-2025-21814
CVE-2025-21819 CVE-2025-21820 CVE-2025-21821 CVE-2025-21823
CVE-2025-21826 CVE-2025-21829 CVE-2025-21830 CVE-2025-21832
CVE-2025-21835
Debian Bug : 1071562 1087807 1088159 1091517 1091858 1093371 1095435
1095745 1095764 1098250 1098354 1099138

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For Debian 11 bullseye, these problems have been fixed in version
6.1.129-1~deb11u1. This additionally includes many more bug fixes
from stable update 6.1.129, and a fix for a regression affecting some
Rockchip SoCs.

We recommend that you upgrade your linux-6.1 packages.

For the detailed security status of linux-6.1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/linux-6.1

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4101-1] varnish security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4101-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : varnish
Version : 6.5.1-1+deb11u4
CVE ID : CVE-2025-30346

A HTTP/1 client-side desync vulnerability has been fixed in Varnish,
a caching HTTP reverse proxy.

For Debian 11 bullseye, this problem has been fixed in version
6.5.1-1+deb11u4.

We recommend that you upgrade your varnish packages.

For the detailed security status of varnish please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/varnish

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1333-1 ruby2.1 security update


Package : ruby2.1

Version : 2.1.5-2+deb8u15 (jessie)

Related CVEs :
CVE-2024-35176
CVE-2024-39908
CVE-2024-41123
CVE-2024-41946
CVE-2024-43398
CVE-2024-49761

Multiple vulnerabilities were found in ruby, a popular programming
language.

CVE-2024-35176
The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many ] and ]>.

CVE-2024-41123
The REXML gem has some Denial of Service (DoS) vulnerabilities
when it parses an XML that has many specific characters
such as whitespace character, >] and ]>.
If you need to parse untrusted XMLs, you may be impacted
by these vulnerabilities.

CVE-2024-41946
The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.

CVE-2024-43398
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with a tree parser
API like REXML::Document.new, you may be impacted
by this vulnerability. If you use other parser APIs
such as the stream parser API and SAX2 parser API,
you are not impacted.

CVE-2024-49761
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;).





[SECURITY] [DLA 4104-1] freetype security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4104-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
April 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : freetype
Version : 2.10.4+dfsg-1+deb11u2
CVE ID : CVE-2025-27363

An out of bounds write with subglyph structures has been fixed in
the font rendering library FreeType.

For Debian 11 bullseye, this problem has been fixed in version
2.10.4+dfsg-1+deb11u2.

We recommend that you upgrade your freetype packages.

For the detailed security status of freetype please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freetype

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4103-1] suricata security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4103-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
March 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : suricata
Version : 1:6.0.1-3+deb11u1
CVE ID : CVE-2021-45098 CVE-2023-35852 CVE-2024-32663
CVE-2024-37151 CVE-2024-45796 CVE-2024-55626
CVE-2025-29918

Several issues have been found in suricata, the Next Generation Intrusion
Detection and Prevention Tool. They are related to bypass of HTTP-based
signatures, mishandling of multiple fragmented packets, logic errors,
infinite loops, buffer overflows, unintended file access and use of large
amounts of memory.

For Debian 11 bullseye, these problems have been fixed in version
1:6.0.1-3+deb11u1.

We recommend that you upgrade your suricata packages.

For the detailed security status of suricata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/suricata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1368-1 freetype security update


Package : freetype

Version : 2.6.3-3.2+deb9u4 (stretch), 2.9.1-3+deb10u4 (buster)

Related CVEs :

CVE-2025-27363

An out of bounds write with subglyph structures has been fixed in the font rendering library FreeType.





ELA-1367-1 suricata security update


Package : suricata

Version : 1:4.1.2-2+deb10u3 (buster)

Related CVEs :
CVE-2021-45098
CVE-2024-37151
CVE-2024-45796
CVE-2024-55626
CVE-2025-29918

Several issues have been found in suricata, the Next Generation Intrusion
Detection and Prevention Tool.
They are related to bypass of HTTP-based signatures, mishandling of multiple
fragmented packets, logic errors, infinite loops and buffer overflows.

