Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1388-1 twitter-bootstrap3 security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1389-1 twitter-bootstrap3 security update
ELA-1387-1 erlang security update
Debian GNU/Linux 11 (Buster) LTS:
[DLA 4125-1] twitter-bootstrap4 security update
[DLA 4127-1] subversion security update
[DLA 4126-1] jinja2 security update
[DLA 4124-1] twitter-bootstrap3 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5901-1] mediawiki security update
[DSA 5902-1] perl security update
[SECURITY] [DLA 4125-1] twitter-bootstrap4 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4125-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
April 13, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : twitter-bootstrap4
Version : 4.5.2+dfsg1-8~deb11u2
CVE ID : CVE-2024-6531
Debian Bug : 1084059
Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework,
was affected by an XSS vulnerability in the carousel component.
If you use bootstrap through a module bundler, you may need to rebuild your
application.
For Debian 11 bullseye, this problem has been fixed in version
4.5.2+dfsg1-8~deb11u2.
We recommend that you upgrade your twitter-bootstrap4 packages.
For the detailed security status of twitter-bootstrap4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twitter-bootstrap4
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5901-1] mediawiki security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5901-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 13, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : mediawiki
CVE ID : CVE-2025-3469 CVE-2025-32696 CVE-2025-32697
CVE-2025-32698 CVE-2025-32699 CVE-2025-32700
Multiple security issues were discovered in MediaWiki, a website engine
for collaborative work, which could result in information disclosure,
cross-site scripting or restriction bypass.
For the stable distribution (bookworm), these problems have been fixed in
version 1:1.39.12-1~deb12u1.
We recommend that you upgrade your mediawiki packages.
For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4127-1] subversion security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4127-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
April 13, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : subversion
Version : 1.14.1-3+deb11u2
CVE ID : CVE-2024-46901
A denial-of-service issue triggered by control characters in paths has been fixed
in the mod_dav_svn module of the version control system Subversion.
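As a defender-side detection aid for this class of issue (an added example, not Subversion code and not a description of the actual CVE-2024-46901 trigger), the following scans Apache-style access-log lines for request paths that carry ASCII control characters, including ones hidden behind percent-encoding. The log format, the sample lines and the `report_control_char_paths` function are assumptions made for this example; it complements, and does not replace, upgrading the package.

```python
"""Flag HTTP request paths containing ASCII control characters.

Added example: a log-scanning check that decodes percent-encoding first,
so "%0A" and a raw newline are both detected. Constructed sample input only.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache "combined" style request line: method, path, protocol inside quotes.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3})')


def has_control_chars(path: str) -> bool:
    """True if the decoded path contains any byte < 0x20 or the DEL byte (0x7F).

    unquote_to_bytes turns %XX escapes into raw bytes, so encoded control
    characters are caught the same way as literal ones.
    """
    raw = unquote_to_bytes(path)
    return any(b < 0x20 or b == 0x7F for b in raw)


def report_control_char_paths(log_lines):
    """Return [(client_ip, path), ...] for requests whose path has control chars.

    Lines that do not match the expected log format are skipped, not flagged,
    so a malformed line cannot hide a real hit elsewhere.
    """
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client_ip, _method, path, _proto, _status = m.groups()
        if has_control_chars(path):
            flagged.append((client_ip, path))
    return flagged


# Constructed sample log lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Apr/2025:10:00:00 +0000] "GET /svn/repo/trunk/README HTTP/1.1" 200 512',
    '10.0.0.6 - - [13/Apr/2025:10:00:01 +0000] "PROPFIND /svn/repo/trunk/a%0Ab HTTP/1.1" 500 0',
    '10.0.0.7 - - [13/Apr/2025:10:00:02 +0000] "GET /svn/repo/trunk/ok%20name HTTP/1.1" 200 100',
    '10.0.0.8 - - [13/Apr/2025:10:00:03 +0000] "GET /svn/repo/%7F HTTP/1.1" 500 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path in report_control_char_paths(SAMPLE_LOG):
        print(f"control character in path from {ip}: {path!r}")
```

Run against a real log by replacing `SAMPLE_LOG` with the file's lines; a sustained stream of hits against a mod_dav_svn path on a not-yet-upgraded host is the signal worth alerting on.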
For Debian 11 bullseye, this problem has been fixed in version
1.14.1-3+deb11u2.
We recommend that you upgrade your subversion packages.
For the detailed security status of subversion please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/subversion
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4126-1] jinja2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4126-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lucas Kanashiro
April 13, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : jinja2
Version : 2.11.3-1+deb11u3
CVE ID : CVE-2024-56326 CVE-2025-27516
Debian Bug : #1091331, #1099690
A couple of vulnerabilities were found in jinja2, a template engine. The
rendering of untrusted templates could lead to attackers executing arbitrary
Python code.
CVE-2024-56326
Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects
calls to str.format allows an attacker that controls the content of a
template to execute arbitrary Python code. To exploit the vulnerability, an
attacker needs to control the content of a template. Whether that is the
case depends on the type of application using Jinja. This vulnerability
impacts users of applications which execute untrusted templates. Jinja's
sandbox does catch calls to str.format and ensures they don't escape the
sandbox. However, it's possible to store a reference to a malicious string's
format method, then pass that to a filter that calls it. No such filters are
built into Jinja, but they could be present through custom filters in an
application. After the fix, such indirect calls are also handled by the
sandbox.
CVE-2025-27516
Prior to 3.1.6, an oversight in how the Jinja sandboxed environment
interacts with the |attr filter allows an attacker that controls the
content of a template to execute arbitrary Python code. To exploit the
vulnerability, an attacker needs to control the content of a template.
Whether that is the case depends on the type of application using Jinja.
This vulnerability impacts users of applications which execute untrusted
templates. Jinja's sandbox does catch calls to str.format and ensures they
don't escape the sandbox. However, it's possible to use the |attr filter to
get a reference to a string's plain format method, bypassing the sandbox.
After the fix, the |attr filter no longer bypasses the environment's
attribute lookup.
For Debian 11 bullseye, these problems have been fixed in version
2.11.3-1+deb11u3.
We recommend that you upgrade your jinja2 packages.
For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1389-1 twitter-bootstrap3 security update
Package : twitter-bootstrap3
Version : 3.3.7+dfsg-2+deb9u3 (stretch), 3.4.1+dfsg-1+deb10u1 (buster)
Related CVEs :
CVE-2024-6484
CVE-2024-6485
Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework,
was affected by multiple XSS vulnerabilities.
If you use bootstrap through a module bundler, you may need to rebuild your
application.
[SECURITY] [DSA 5902-1] perl security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5902-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 13, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : perl
CVE ID : CVE-2024-56406
Nathan Mills discovered a heap-based buffer overflow vulnerability in
the implementation of the Perl programming language when transliterating
non-ASCII bytes with tr///, which may result in denial of service, or
potentially the execution of arbitrary code.
For the stable distribution (bookworm), this problem has been fixed in
version 5.36.0-7+deb12u2.
We recommend that you upgrade your perl packages.
For the detailed security status of perl please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/perl
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4124-1] twitter-bootstrap3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4124-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
April 13, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : twitter-bootstrap3
Version : 3.4.1+dfsg-2+deb11u1
CVE ID : CVE-2024-6484 CVE-2024-6485
Debian Bug : 1084060
Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework,
was affected by XSS vulnerabilities.
If you use bootstrap through a module bundler, you may need to rebuild your
application.
For Debian 11 bullseye, these problems have been fixed in version
3.4.1+dfsg-2+deb11u1.
We recommend that you upgrade your twitter-bootstrap3 packages.
For the detailed security status of twitter-bootstrap3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/twitter-bootstrap3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1387-1 erlang security update
Package : erlang
Version : 1:19.2.1+dfsg-2+really23.3.4.18-0+deb9u3 (stretch), 1:22.2.7+dfsg-1+deb10u2 (buster)
Related CVEs :
CVE-2023-48795
CVE-2025-26618
CVE-2025-30211
Multiple vulnerabilities were found in Erlang/OTP, a set of libraries for the Erlang programming language.
CVE-2023-48795
The SSH transport protocol, as implemented in Erlang, allows remote attackers to bypass integrity
checks such that some packets are omitted (from the extension negotiation message), and
a client and server may consequently end up with a connection for which some security features
have been downgraded or disabled, aka a Terrapin attack.
CVE-2025-26618
Packet size is not verified properly for SFTP packets. As a result, when multiple SSH packets
(each conforming to the maximum SSH packet size) are received by ssh, they might be combined into an
SFTP packet that exceeds the maximum allowed packet size and potentially causes a
large amount of memory to be allocated (a denial of service).
CVE-2025-30211
A maliciously formed KEX init message (Key EXchange message for the SSH protocol) can result
in high memory usage. The implementation does not verify the RFC-specified limit on algorithm names
(64 characters) provided in the KEX init message. A big KEX init packet may lead to inefficient
processing of the error data. As a result, a large amount of memory will be allocated
for processing malicious data.
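To make the CVE-2025-30211 point concrete, here is an added example (not Erlang/OTP code, and not the fixed implementation) of what enforcing the limit looks like on the receiving side: a KEXINIT parser that caps each name-list field and rejects any algorithm name longer than the 64 characters RFC 4251 allows before the field is split or copied. The `MAX_NAMELIST_LEN` cap, the helper names and the constructed sample messages are assumptions for this example; the message layout follows RFC 4253 (message byte, 16-byte cookie, ten name-lists, a boolean and a reserved uint32).

```python
"""Parse an SSH KEXINIT and enforce RFC 4251 name-list limits.

Added example: shows where a receiver checks name length (64 chars, RFC 4251
section 6) and field length before doing any further work on the message.
"""
from __future__ import annotations
import struct

SSH_MSG_KEXINIT = 20
MAX_NAME_LEN = 64          # RFC 4251: algorithm names are at most 64 characters
MAX_NAMELIST_LEN = 4096    # assumed local cap on one name-list field (not from the RFC)

# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


class NameListError(ValueError):
    """Raised when a name-list violates a length or character rule."""


def parse_name_list(buf: bytes, offset: int = 0) -> tuple[list[str], int]:
    """Decode one name-list at `offset`; return (names, offset after it).

    Length checks run before the body is sliced or split, so an oversized
    field costs only a bounds check rather than a large allocation.
    """
    if len(buf) < offset + 4:
        raise NameListError("truncated name-list length prefix")
    (length,) = struct.unpack_from(">I", buf, offset)
    if length > MAX_NAMELIST_LEN:
        raise NameListError(f"name-list of {length} bytes exceeds cap {MAX_NAMELIST_LEN}")
    if len(buf) < offset + 4 + length:
        raise NameListError("truncated name-list body")
    end = offset + 4 + length
    if length == 0:
        return [], end
    try:
        text = buf[offset + 4:end].decode("ascii")
    except UnicodeDecodeError:
        raise NameListError("non-ASCII byte in name-list") from None
    names = text.split(",")
    for name in names:
        if not name or not name.isprintable() or " " in name:
            raise NameListError(f"malformed name {name!r}")
        if len(name) > MAX_NAME_LEN:
            raise NameListError(f"name of {len(name)} chars exceeds RFC limit {MAX_NAME_LEN}")
    return names, end


def parse_kexinit(payload: bytes) -> dict:
    """Parse a KEXINIT payload into its name-lists, enforcing the limits above."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise NameListError("not a KEXINIT message")
    offset = 17  # message type byte + 16-byte cookie
    fields = {}
    for field in KEXINIT_FIELDS:
        fields[field], offset = parse_name_list(payload, offset)
    if len(payload) < offset + 5:
        raise NameListError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[offset])
    return fields


def encode_name_list(names: list[str]) -> bytes:
    """Encode a name-list (no validation: used to build test inputs)."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(lists: dict) -> bytes:
    """Build a KEXINIT payload with a constructed all-zero cookie (test use only)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in KEXINIT_FIELDS:
        out += encode_name_list(lists.get(field, []))
    return out + b"\x00" + struct.pack(">I", 0)


if __name__ == "__main__":
    ok = build_kexinit({"kex_algorithms": ["curve25519-sha256"],
                        "server_host_key_algorithms": ["ssh-ed25519"]})
    print(parse_kexinit(ok)["kex_algorithms"])
    try:
        parse_kexinit(build_kexinit({"kex_algorithms": ["x" * 65]}))
    except NameListError as exc:
        print("rejected:", exc)
```

The design choice worth copying is the ordering: the receiver bounds the field length from the 4-byte prefix, then bounds each name, and only afterwards does anything proportional to the content. Error handling that formats or logs the oversized input would reintroduce the cost the check is meant to avoid, so the error messages here report lengths, not the offending data.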
ELA-1388-1 twitter-bootstrap3 security update
Package : twitter-bootstrap3
Version : 3.3.7+dfsg-2+deb9u3~deb8u1 (jessie)
Related CVEs :
CVE-2018-20676
CVE-2018-20677
CVE-2019-8331
CVE-2024-6484
CVE-2024-6485
Bootstrap (formerly Twitter Bootstrap), a free and open-source CSS framework,
was affected by multiple XSS vulnerabilities.
If you use bootstrap through a module bundler, you may need to rebuild your
application.