Debian 10225 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1159-1 apache2 security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5757-1] chromium security update




ELA-1159-1 apache2 security update

Package : apache2
Version : 2.4.25-3+deb9u18 (stretch), 2.4.59-1~deb10u2 (buster)

Related CVEs :
CVE-2024-36387
CVE-2024-38476
CVE-2024-38477
CVE-2024-38573
CVE-2024-39884
CVE-2024-40725

Multiple vulnerabilities were found on apache, a popular webserver.

CVE-2024-36387
Serving WebSocket protocol upgrades over a HTTP/2 connection could
result in a NULL Pointer dereference, leading to a crash of the
server process

CVE-2024-38476
Backend application whose reponse headers are malicious
rendered apache2 vulnerable to SSRF
(Server-side Request Forgery) and local script execution.

CVE-2024-38477
A NULL pointer dereference was found in
mod_proxy allowing an attacker to crash the server via
a malicious request.

CVE-2024-38573
A potential SSRF in mod_rewrite allowed an
attacker to cause unsafe RewriteRules to unexpectedly
setup URL's to be handled by mod_proxy.

CVE-2024-39884
A regression of CVE-2024-38476 in the core of Apache
HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

CVE-2024-40725
A partial fix for CVE-2024-38476 in the core of
Apache HTTP Server ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.

Moreover a functionality bug was fixed in webdav list of well known
browser by adding dolphin and Konqueror/5 browsers.

ELA-1159-1 apache2 security update


[SECURITY] [DSA 5757-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5757-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
August 23, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-7964 CVE-2024-7965 CVE-2024-7966 CVE-2024-7967
CVE-2024-7968 CVE-2024-7969 CVE-2024-7971 CVE-2024-7972
CVE-2024-7973 CVE-2024-7974 CVE-2024-7975 CVE-2024-7976
CVE-2024-7977 CVE-2024-7978 CVE-2024-7979 CVE-2024-7980
CVE-2024-7981 CVE-2024-8033 CVE-2024-8034 CVE-2024-8035

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 128.0.6613.84-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/