Debian 10260

Debian GNU/Linux has received a range of security updates, featuring chromium, nss, linux-5.10, asterisk, exim4, and shadow:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1219-1 linux-5.10 security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1218-1 asterisk security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1220-1 shadow security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3937-1] nss security update
[DLA 3938-1] exim4 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5799-1] chromium security update



[SECURITY] [DSA 5799-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5799-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
October 28, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-10229 CVE-2024-10230 CVE-2024-10231

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 130.0.6723.69-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3937-1] nss security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3937-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arturo Borrero Gonzalez
October 27, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nss
Version : 2:3.61-1+deb11u4
CVE ID : CVE-2024-0743 CVE-2024-6602 CVE-2024-6609

nss - Network Security Service libraries

This is a set of libraries designed to support cross-platform development
of security-enabled client and server applications. It can support SSLv2
and v4, TLS, PKCS #5, #7, #11, #12, S/MIME, X.509 v3 certificates and
other security standards.

Among other utilities, this package includes:
* certutil: manages certificate and key databases (cert7.db and key3.db)
* modutil: manages the database of PKCS11 modules (secmod.db)
* pk12util: imports/exports keys and certificates between the cert/key
databases and files in PKCS12 format.
* shlibsign: creates .chk files for use in FIPS mode.
* signtool: creates digitally-signed jar archives containing files and/or
code.
* ssltap: proxy requests for an SSL server and display the contents of
the messages exchanged between the client and server.

CVE-2024-0743

An unchecked return value in TLS handshake code could have caused
a potentially exploitable crash.

CVE-2024-6602

A mismatch between allocator and deallocator could have led to
memory corruption.

CVE-2024-6609

When almost out of memory, an elliptic curve key that was never
allocated could have been freed again.

For Debian 11 bullseye, these problems have been fixed in version
2:3.61-1+deb11u4.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1219-1 linux-5.10 security update

Package : linux-5.10
Version : 5.10.226-1~deb8u1 (jessie), 5.10.226-1~deb9u1 (stretch), 5.10.226-1~deb10u1 (buster)

Related CVEs :
CVE-2021-3669
CVE-2022-48733
CVE-2023-31083
CVE-2023-52889
CVE-2024-27397
CVE-2024-38577
CVE-2024-41011
CVE-2024-41042
CVE-2024-41098
CVE-2024-42114
CVE-2024-42228
CVE-2024-42246
CVE-2024-42259
CVE-2024-42265
CVE-2024-42272
CVE-2024-42276
CVE-2024-42280
CVE-2024-42281
CVE-2024-42283
CVE-2024-42284
CVE-2024-42285
CVE-2024-42286
CVE-2024-42287
CVE-2024-42288
CVE-2024-42289
CVE-2024-42290
CVE-2024-42292
CVE-2024-42295
CVE-2024-42297
CVE-2024-42301
CVE-2024-42302
CVE-2024-42304
CVE-2024-42305
CVE-2024-42306
CVE-2024-42309
CVE-2024-42310
CVE-2024-42311
CVE-2024-42312
CVE-2024-42313
CVE-2024-43828
CVE-2024-43829
CVE-2024-43830
CVE-2024-43834
CVE-2024-43835
CVE-2024-43839
CVE-2024-43841
CVE-2024-43846
CVE-2024-43849
CVE-2024-43853
CVE-2024-43854
CVE-2024-43856
CVE-2024-43858
CVE-2024-43860
CVE-2024-43861
CVE-2024-43867
CVE-2024-43871
CVE-2024-43879
CVE-2024-43880
CVE-2024-43882
CVE-2024-43883
CVE-2024-43884
CVE-2024-43889
CVE-2024-43890
CVE-2024-43892
CVE-2024-43893
CVE-2024-43894
CVE-2024-43905
CVE-2024-43907
CVE-2024-43908
CVE-2024-43914
CVE-2024-44935
CVE-2024-44944
CVE-2024-44946
CVE-2024-44947
CVE-2024-44948
CVE-2024-44952
CVE-2024-44954
CVE-2024-44960
CVE-2024-44965
CVE-2024-44968
CVE-2024-44971
CVE-2024-44974
CVE-2024-44987
CVE-2024-44988
CVE-2024-44989
CVE-2024-44990
CVE-2024-44995
CVE-2024-44998
CVE-2024-44999
CVE-2024-45003
CVE-2024-45006
CVE-2024-45008
CVE-2024-45016
CVE-2024-45018
CVE-2024-45021
CVE-2024-45025
CVE-2024-45028
CVE-2024-46673
CVE-2024-46674
CVE-2024-46675
CVE-2024-46676
CVE-2024-46677
CVE-2024-46679
CVE-2024-46685
CVE-2024-46689
CVE-2024-46702
CVE-2024-46707
CVE-2024-46713
CVE-2024-46714
CVE-2024-46719
CVE-2024-46721
CVE-2024-46722
CVE-2024-46723
CVE-2024-46724
CVE-2024-46725
CVE-2024-46731
CVE-2024-46737
CVE-2024-46738
CVE-2024-46739
CVE-2024-46740
CVE-2024-46743
CVE-2024-46744
CVE-2024-46745
CVE-2024-46747
CVE-2024-46750
CVE-2024-46755
CVE-2024-46756
CVE-2024-46757
CVE-2024-46758
CVE-2024-46759
CVE-2024-46763
CVE-2024-46771
CVE-2024-46777
CVE-2024-46780
CVE-2024-46781
CVE-2024-46782
CVE-2024-46783
CVE-2024-46791
CVE-2024-46798
CVE-2024-46800
CVE-2024-46804
CVE-2024-46814
CVE-2024-46815
CVE-2024-46817
CVE-2024-46818
CVE-2024-46819
CVE-2024-46822
CVE-2024-46828
CVE-2024-46829
CVE-2024-46840
CVE-2024-46844

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

For Debian 10 buster, the corresponding linux-signed packages have also
been updated using the Freexian CA certificate. Note that in order to
boot the updated kernels using Secure Boot, the updated shim-signed
packages (which ship the Freexian CA) need to be installed. For more
information see the shim announcement.



ELA-1218-1 asterisk security update

Package : asterisk
Version : 1:13.14.1~dfsg-2+deb9u10 (stretch)

Related CVEs :
CVE-2024-42365

One issue has been found in asterisk, an Open Source Private Branch Exchange.

CVE-2024-42365
Due to a privilege escalation, remote code execution and/or
blind server-side request forgery with arbitrary protocol are
possible.

Thanks to Niels Galjaard, a minor privilege escalation has been fixed. More information about this can be found at:
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2024-July/038664.html
Please be aware that this fix explicitly sets the gid of the asterisk process to “asterisk”.
In case you added the user asterisk to other groups, please update your systemd service file accordingly.
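What "update your systemd service file accordingly" can look like in practice, as an added illustration that is not part of the advisory: a systemd drop-in that re-grants, explicitly, the supplementary groups the process no longer inherits once it runs with gid "asterisk". The drop-in path is the standard one `systemctl edit asterisk` creates, and the group names are placeholders, not groups the advisory names.

```ini
# /etc/systemd/system/asterisk.service.d/override.conf
# Added example drop-in for the Debian asterisk unit (path and group names assumed).
[Service]
# With the fixed package the daemon runs as gid "asterisk"; membership of the
# asterisk user in other groups is no longer picked up automatically, so list
# here exactly the groups you had added (placeholders below).
SupplementaryGroups=dialout audio
```

After saving the drop-in, run `systemctl daemon-reload` and restart the service, then confirm the result from the running process rather than from the unit file: the `Groups:` line in `/proc/<pid>/status` of the asterisk process should list only the gids you intended.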



[SECURITY] [DLA 3938-1] exim4 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3938-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
October 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : exim4
Version : 4.94.2-7+deb11u4
CVE ID : CVE-2021-38371 CVE-2022-3559 CVE-2023-42117 CVE-2023-42119
Debian Bug : 992172

Multiple potential security vulnerabilities have been addressed in exim4, a
mail transport agent. These issues may allow remote attackers to disclose
sensitive information or execute arbitrary code, but only if Exim4 is run behind
or with untrusted proxy servers or DNS resolvers. If your proxy-protocol proxy
and DNS resolver are trustworthy, you are not affected.

For Debian 11 bullseye, these problems have been fixed in version
4.94.2-7+deb11u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1220-1 shadow security update

Package : shadow
Version : 1:4.4-4.1+deb9u2 (stretch), 1:4.5-1.1+deb10u1 (buster)

Related CVEs :
CVE-2018-7169
CVE-2023-4641
CVE-2023-29383

Multiple vulnerabilities have been fixed in shadow, a set of commonly used utilities for changing and administering password and group data.

CVE-2018-7169
unprivileged user can drop supplementary groups

CVE-2023-4641
gpasswd password leak

CVE-2023-29383
chfn missing control character check
