Debian 10261 Published by

Debian GNU/Linux has been updated with multiple security enhancements, including ELA-1234-1 for apache2 and ELA-1235-1 for unbound, DLA 3953-1 for icinga2, DSA 5814-1 for thunderbird, DSA 5813-1 for symfony, and DSA 5812-1 for postgresql-15:

Debian GNU/Linux 10 (Buster ) Extended LTS:
ELA-1234-1 apache2 security update
ELA-1235-1 unbound security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3953-1] icinga2 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5814-1] thunderbird security update
[DSA 5813-1] symfony security update
[DSA 5812-1] postgresql-15 security update




ELA-1234-1 apache2 security update

Package : apache2
Version : 2.4.59-1~deb10u4 (buster)

Related CVEs :
CVE-2024-38473

A vulnerability was found in apache2, a popular web server.
An encoding problem in mod_proxy allowed request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via crafted requests.
This affects configurations where mechanisms other than ProxyPass/ProxyPassMatch
or RewriteRule with the ‘P’ flag are used to configure a request to be proxied,
such as SetHandler or inadvertent proxying via CVE-2024-39573.
Note that these alternate mechanisms may be used within .htaccess.

ELA-1234-1 apache2 security update


ELA-1235-1 unbound security update

Package : unbound
Version : 1.9.0-2+deb10u5 (buster)

Related CVEs :
CVE-2024-8508
CVE-2024-43167
CVE-2024-43168

Multiple vulnerabilities were discovered in unbound, a validating,
recursive, caching DNS resolver.

CVE-2024-8508
When handling replies with very large RRsets that unbound needs to perform
name compression for, it can spend a considerable time applying name
compression to downstream replies, potentially leading to degraded
performance and eventually denial of service in well orchestrated attacks.

CVE-2024-43167
A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in
Unbound. This issue could allow an attacker who can invoke specific
sequences of API calls to cause a segmentation fault. When certain API
functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a
particular order, the program attempts to read from a NULL pointer,
leading to a crash. This issue can result in a denial of service by causing
the application to terminate unexpectedly.

CVE-2024-43168
A heap-buffer-overflow flaw was found in the cfg_mark_ports function within
Unbound's config_file.c, which can lead to memory corruption. This issue
could allow an attacker with local access to provide specially crafted
input, potentially causing the application to crash or allowing arbitrary
code execution. This could result in a denial of service or unauthorized
actions on the system.

ELA-1235-1 unbound security update


[SECURITY] [DLA 3953-1] icinga2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3953-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
November 16, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : icinga2
Version : 2.12.3-1+deb11u1
CVE ID : CVE-2021-32739 CVE-2021-32743 CVE-2021-37698 CVE-2024-49369
Debian Bug : 991494 1087384

Icinga 2 is a general-purpose monitoring application to fit the needs
of any size of network.

CVE-2021-32739

From version 2.4.0 through version 2.12.4, a vulnerability exists that
may allow privilege escalation for authenticated API users. With a
read-only user's credentials, an attacker can view most attributes of
all config objects including `ticket_salt` of `ApiListener`. This salt
is enough to compute a ticket for every possible common name (CN). A
ticket, the master node's certificate, and a self-signed certificate are
enough to successfully request the desired certificate from Icinga. That
certificate may in turn be used to steal an endpoint or API user's
identity.

CVE-2021-32743

In versions prior to 2.11.10 and from version 2.12.0 through version
2.12.4, some of the Icinga 2 features that require credentials for
external services expose those credentials through the API to
authenticated API users with read permissions for the corresponding
object types. An attacker who obtains these credentials can impersonate
Icinga to these services and add, modify and delete information there.

CVE-2021-37698

In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter,
InfluxdbWriter and Influxdb2Writer do not verify the server's certificate
despite a certificate authority being specified. Icinga 2 instances which
connect to any of the mentioned time series databases (TSDBs) using TLS
over a spoofable infrastructure should change the credentials (if any)
used by the TSDB writer feature to authenticate against the TSDB.

CVE-2024-49369

The TLS certificate validation in all Icinga 2 versions starting from
2.4.0 was flawed, allowing an attacker to impersonate both trusted
cluster nodes as well as any API users that use TLS client certificates
for authentication (ApiUser objects with the client_cn attribute set).

For Debian 11 bullseye, these problems have been fixed in version
2.12.3-1+deb11u1.

We recommend that you upgrade your icinga2 packages.

For the detailed security status of icinga2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/icinga2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5814-1] thunderbird security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5814-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 15, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2024-11159

A security issue was discovered in Thunderbird, which could result in
the disclosure of OpenPGP encrypted messages.

For the stable distribution (bookworm), this problem has been fixed in
version 1:128.4.3esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5813-1] symfony security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5813-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 15, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : symfony
CVE ID : CVE-2024-51996

Moritz Rauch discovered that the Symfony PHP framework implemented
persisted remember-me cookies incorrectly, which could result in
authentication bypass.

For the stable distribution (bookworm), this problem has been fixed in
version 5.4.23+dfsg-1+deb12u4.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5812-1] postgresql-15 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5812-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 15, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-15
CVE ID : CVE-2024-10976 CVE-2024-10977 CVE-2024-10978 CVE-2024-10979

Multiple security issues were discovered in PostgreSQL, which may result in
the execution of arbitrary code, privilege escalation or log manipulation.

For the stable distribution (bookworm), these problems have been fixed in
version 15.9-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-15

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/