Debian 10263 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3877-1] ruby-sinatra security update
[SECURITY] [DLA 3878-1] libxml2 security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5766-1] chromium security update



[SECURITY] [DSA 5766-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5766-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
September 05, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-7970 CVE-2024-8362

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 128.0.6613.119-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3877-1] ruby-sinatra security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3877-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-sinatra
Version : 2.0.8.1-2+deb11u1
CVE ID : CVE-2022-29970 CVE-2022-45442
Debian Bug : 1014717 1070953

Sinatra is an open source web framework for the Ruby programming language.

CVE-2022-29970

A file traversal vulnerability was discovered. We now validate that
any expanded paths match the allowed `public_dir` when serving
static files.

CVE-2022-45442

It was discovered that there was a potential reflected file download
(RFD) vulnerability. A Content-Disposition HTTP header was being
incorrectly derived from a potentially user-supplied filename.

For Debian 11 bullseye, these problems have been fixed in version
2.0.8.1-2+deb11u1.

We recommend that you upgrade your ruby-sinatra packages.

For the detailed security status of ruby-sinatra please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-sinatra

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
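As an added illustration of the two fixes described in this advisory (not Sinatra's own code), the Ruby below shows a containment check that accepts a static-file path only if it resolves inside a hypothetical `public_dir`, and a Content-Disposition builder derived from the served file's name rather than from request input; the document root, paths and file names are constructed.

```ruby
require "uri"

PUBLIC_DIR = "/srv/app/public" # hypothetical document root (constructed)

# Percent-decode once, strip leading slashes so an absolute request path
# cannot override the root, then resolve against public_dir.  Returns the
# absolute path if it stays inside public_dir, nil otherwise.
# File.absolute_path is used instead of File.expand_path so "~user" is never
# expanded into a home directory.
def resolve_static(request_path, public_dir = PUBLIC_DIR)
  decoded = request_path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.force_encoding("UTF-8")
  return nil if decoded.include?("\0") # NUL would truncate the path in C APIs
  root = File.absolute_path(public_dir)
  full = File.absolute_path(decoded.sub(%r{\A/+}, ""), root)
  inside = full == root || full.start_with?(root + File::SEPARATOR)
  inside ? full : nil
end

# Build Content-Disposition from the basename of the file actually served:
# drop control characters (CR/LF would allow header injection), escape the
# quoted-string specials, and carry non-ASCII names in filename* (RFC 6266).
def content_disposition(served_path, type: "attachment")
  name = File.basename(served_path).gsub(/[[:cntrl:]]/, "")
  name = "download" if name.empty?
  ascii = name.encode("US-ASCII", invalid: :replace, undef: :replace, replace: "_")
  header = %(#{type}; filename="#{ascii.gsub(/["\\]/) { |c| "\\#{c}" }}")
  return header if ascii == name
  header + "; filename*=UTF-8''" + URI.encode_www_form_component(name).gsub("+", "%20")
end

if __FILE__ == $PROGRAM_NAME
  ["/css/app.css", "/../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/img/../index.html"].each do |p|
    puts "#{p.ljust(28)} -> #{resolve_static(p).inspect}"
  end
  puts content_disposition("/srv/app/public/r\u00e9sum\u00e9.pdf", type: "inline")
end
```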



[SECURITY] [DLA 3878-1] libxml2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3878-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libxml2
Version : 2.9.10+dfsg-6.7+deb11u5
CVE ID : CVE-2016-3709 CVE-2022-2309
Debian Bug : 1039991

Two vulnerabilities have been fixed in the XML library libxml2.

CVE-2016-3709

HTML 4 parser cross-site scripting

CVE-2022-2309

Parser NULL pointer dereference

For Debian 11 bullseye, these problems have been fixed in version
2.9.10+dfsg-6.7+deb11u5.

We recommend that you upgrade your libxml2 packages.

For the detailed security status of libxml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS