
Debian GNU/Linux has received updates such as the Avahi security update and the Jinja2 regression update:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), 10 (Buster) LTS:
ELA-1269-1 avahi security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3990-1] avahi security update
[DLA 3988-2] jinja2 regression update

[SECURITY] [DLA 3990-1] avahi security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3990-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
December 09, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : avahi
Version : 0.8-5+deb11u3
CVE ID : CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471
CVE-2023-38472 CVE-2023-38473
Debian Bug : 1034594 1054876 1054877 1054878 1054879 1054880

Multiple vulnerabilities have been fixed in the service discovery system Avahi.

CVE-2023-1981

avahi-daemon can be crashed via DBus

CVE-2023-38469

Reachable assertion in avahi_dns_packet_append_record

CVE-2023-38470

Reachable assertion in avahi_escape_label

CVE-2023-38471

Reachable assertion in dbus_set_host_name

CVE-2023-38472

Reachable assertion in avahi_rdata_parse

CVE-2023-38473

Reachable assertion in avahi_alternative_host_name

For Debian 11 bullseye, these problems have been fixed in version
0.8-5+deb11u3.

We recommend that you upgrade your avahi packages.

For the detailed security status of avahi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/avahi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1269-1 avahi security update

Package : avahi
Version : 0.6.31-5+deb8u3 (jessie), 0.6.32-2+deb9u3 (stretch), 0.7-4+deb10u4 (buster)

Related CVEs :
CVE-2023-38469
CVE-2023-38470
CVE-2023-38471
CVE-2023-38472
CVE-2023-38473

Multiple vulnerabilities have been fixed in the service discovery system Avahi.
Additionally, a GetAlternativeServiceName regression introduced by the CVE-2023-1981 fix in DLA-3414-1 (buster) and ELA-844-1 (jessie, stretch) has been fixed.

CVE-2023-1981
avahi-daemon can be crashed via DBus

CVE-2023-38469
Reachable assertion in avahi_dns_packet_append_record

CVE-2023-38470
Reachable assertion in avahi_escape_label

CVE-2023-38471
Reachable assertion in dbus_set_host_name

CVE-2023-38472
Reachable assertion in avahi_rdata_parse

CVE-2023-38473
Reachable assertion in avahi_alternative_host_name
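A check an administrator would run on an affected host, added here as an example and not part of either Debian advisory: it re-implements dpkg's version-ordering rules (epoch, then upstream, then revision; digit runs compared numerically, "~" sorting before everything, letters before punctuation) and compares an installed avahi version against the fixed versions listed above for each release. The codename-to-version table is taken from DLA-3990-1 and ELA-1269-1; the function and variable names are my own.

```python
"""Check an installed avahi version against the advisories' fixed versions."""
import re
from itertools import zip_longest

# Fixed versions taken from DLA-3990-1 and ELA-1269-1.
FIXED_AVAHI = {"jessie": "0.6.31-5+deb8u3", "stretch": "0.6.32-2+deb9u3",
               "buster": "0.7-4+deb10u4", "bullseye": "0.8-5+deb11u3"}

def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string < letters < other characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment dpkg-style."""
    # re.split with a capturing group yields alternating non-digit/digit runs.
    pa, pb = re.split(r"(\d+)", a), re.split(r"(\d+)", b)
    for k, (x, y) in enumerate(zip_longest(pa, pb, fillvalue="")):
        if k % 2:  # digit run: numeric, so u3 < u10 and leading zeros are ignored
            d = int(x or 0) - int(y or 0)
        else:      # non-digit run: first differing character weight decides
            d = next((_order(p) - _order(q) for p, q in zip_longest(x, y, fillvalue="")
                      if _order(p) != _order(q)), 0)
        if d:
            return 1 if d > 0 else -1
    return 0

def _split(v: str):
    """Split 'epoch:upstream-revision' (epoch and revision are optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")  # last hyphen starts the revision
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a against b like dpkg --compare-versions."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def avahi_is_fixed(codename: str, installed: str) -> bool:
    """True when the installed avahi version is at or above the release's fix."""
    return compare_versions(installed, FIXED_AVAHI[codename]) >= 0
```

On a host, pass the release codename and the output of `dpkg-query -W -f='${Version}' avahi-daemon` to avahi_is_fixed(); a False result means the package still predates the fix.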



[SECURITY] [DLA 3988-2] jinja2 regression update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3988-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
December 09, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jinja2
Version : 2.11.3-1+deb11u2

This update fixes a regression that broke the python-jinja2 package
for Python 2.

Note that while this regression has been fixed, running applications
with Python 2 continues to be unsupported in Debian 11 bullseye:
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#obsolescense-and-deprecation

For Debian 11 bullseye, this problem has been fixed in version
2.11.3-1+deb11u2.

We recommend that you upgrade your jinja2 packages.

For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS