Debian 10241 Published by

The following security updates are available for Debian GNU/Linux:

[DSA 5621-1] bind9 security update
[DSA 5620-1] unbound security update
[DSA 5624-1] edk2 security update
[DSA 5623-1] postgresql-15 security update
[DSA 5622-1] postgresql-13 security update




[DSA 5621-1] bind9 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5621-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : bind9
CVE ID : CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516
CVE-2023-50387 CVE-2023-50868

Several vulnerabilities were discovered in BIND, a DNS server
implementation, which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1:9.16.48-1.

For the stable distribution (bookworm), these problems have been fixed in
version 1:9.18.24-1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5620-1] unbound security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5620-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : unbound
CVE ID : CVE-2023-50387 CVE-2023-50868
Debian Bug : 1063845

Two vulnerabilities were discovered in unbound, a validating, recursive,
caching DNS resolver. Specially crafted DNSSEC answers could lead
unbound down a very CPU intensive and time costly DNSSEC
(CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path,
resulting in denial of service.

Details can be found at
https://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txt

For the oldstable distribution (bullseye), these problems have been fixed
in version 1.13.1-1+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 1.17.1-2+deb12u2.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5624-1] edk2 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5624-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : edk2
CVE ID : CVE-2023-48733

Mate Kukri discovered the Debian build of EDK2, a UEFI firmware
implementation, used an insecure default configuration which could result
in Secure Boot bypass via the UEFI shell.

This updates disables the UEFI shell if Secure Boot is used.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2020.11-2+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 2022.11-6+deb12u1. This update also addresses several security
issues in the ipv6 network stack (CVE-2022-36763, CVE-2022-36764,
CVE-2022-36765, CVE-2023-45230, CVE-2023-45229, CVE-2023-45231,
CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235)

We recommend that you upgrade your edk2 packages.

For the detailed security status of edk2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/edk2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5623-1] postgresql-15 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5623-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-15
CVE ID : CVE-2024-0985

It was discovered that a late privilege drop in the "REFRESH MATERIALIZED
VIEW CONCURRENTLY" command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.

For the stable distribution (bookworm), this problem has been fixed in
version 15.6-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-15

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5622-1] postgresql-13 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5622-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : postgresql-13
CVE ID : CVE-2024-0985

It was discovered that a late privilege drop in the "REFRESH MATERIALIZED
VIEW CONCURRENTLY" command could allow an attacker to trick a user with
higher privileges to run SQL commands with these permissions.

For the oldstable distribution (bullseye), this problem has been fixed
in version 13.14-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/