Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1357-1 clamav security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4092-1] libcap2 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5887-1] exim4 security update
[DSA 5888-1] ghostscript security update
[SECURITY] [DLA 4092-1] libcap2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4092-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
March 26, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libcap2
Version : 1:2.44-1+deb11u1
CVE IDs : CVE-2023-2602 CVE-2023-2603 CVE-2025-1390
Debian Bugs : 1036114 1098318
It was discovered that there were three issues in libcap2, a library
for managing kernel "capabilities"; that is, partitioning the
powerful single "root" privilege into a set of distinct privileges,
typically used to limit any damage if a process running as the "root"
user is exploited. The three issues are as follows:
* CVE-2023-2602: A vulnerability was found in the pthread_create()
function. This issue could have allowed a malicious actor to exhaust
the system's memory.
* CVE-2023-2603: An issue was found in the _libcap_strdup function
which could have led to an integer overflow if the input string was
close to 4GiB.
* CVE-2025-1390: The pam_cap.so PAM module supports group names
starting with "@" but during parsing, configurations not starting
with "@" were incorrectly recognised as group names. This
user-group confusion may have resulted in unintended users being
granted an inherited capability set, potentially leading to
security risks. Attackers could have exploited this vulnerability
to achieve local privilege escalation on systems where
capability.conf was used to configure user inherited privileges by
constructing specific usernames.
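To make the user/group confusion concrete, here is an added, simplified model of a pam_cap-style rule matcher; it is not libcap's own code, and the config layout (one rule per line, capabilities followed by principals, "@" marking a group, "*" any user, first match wins), the sample file and the names in it are assumptions. It shows a bare user token being honoured as a group name beside the strict matching the fix implies, plus an audit helper a defender can run over a real file.

```python
# Added illustration of the user/group confusion described for CVE-2025-1390.
# This is NOT libcap's pam_cap.c; the config format modelled here (one rule per
# line, "<caps> <principal...>", "@" marking a group, "*" any user, first match
# wins) is an assumption based on the advisory text and is kept minimal.

# Constructed sample capability.conf, not taken from any real system.
CONF = """\
# capabilities      principals
cap_net_raw         alice
cap_sys_time        @ntpadm
none                *
"""

def parse_conf(text):
    """Return [(caps, [principal, ...]), ...], ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            caps, *principals = line.split()
            rules.append((caps, principals))
    return rules

def principal_matches(token, user, groups, strict):
    """Does `token` cover `user` (a member of the groups in `groups`)?
    strict=False models the pre-fix behaviour: a bare token is also tried as a
    group name, so a rule written for one user covers a same-named group.
    strict=True models the fix: only '@'-prefixed tokens are group names."""
    if token == "*" or token == user:
        return True
    if token.startswith("@"):
        return token[1:] in groups
    return (not strict) and token in groups   # the confusion path

def caps_for(user, groups, conf_text, strict=True):
    """Capabilities the first matching rule grants to `user`."""
    for caps, principals in parse_conf(conf_text):
        if any(principal_matches(t, user, groups, strict) for t in principals):
            return caps
    return "none"

def ambiguous_tokens(conf_text, existing_groups):
    """Defender audit: bare principals that also name an existing group.
    On an unpatched pam_cap such a rule silently covers the whole group."""
    return [(caps, t) for caps, principals in parse_conf(conf_text)
            for t in principals
            if t != "*" and not t.startswith("@") and t in existing_groups]
```

On a real host, pass the contents of capability.conf and `{g.gr_name for g in grp.getgrall()}` to `ambiguous_tokens` to list the rules an unpatched module would have widened to a whole group.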
For Debian 11 bullseye, these problems have been fixed in version
1:2.44-1+deb11u1.
We recommend that you upgrade your libcap2 packages.
For the detailed security status of libcap2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcap2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5887-1] exim4 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5887-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : exim4
CVE ID : CVE-2025-30232
It was discovered that a use-after-free vulnerability in Exim4, a mail
transport agent, may result in privilege escalation for a local
attacker.
For the stable distribution (bookworm), this problem has been fixed in
version 4.96-15+deb12u7.
We recommend that you upgrade your exim4 packages.
For the detailed security status of exim4 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/exim4
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5888-1] ghostscript security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5888-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 26, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ghostscript
CVE ID : CVE-2025-27830 CVE-2025-27831 CVE-2025-27832 CVE-2025-27833
CVE-2025-27834 CVE-2025-27835 CVE-2025-27836
Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.
For the stable distribution (bookworm), these problems have been fixed in
version 10.0.0~dfsg-11+deb12u7.
We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1357-1 clamav security update
Package : clamav
Version : 1.0.7+dfsg-1~deb9u1 (stretch)
This update brings ClamAV 1.0.7, which retains the ability to keep
downloading the bytecode database (the previous version will soon be declared
EOL by upstream and lose that ability).
The following packages were updated/introduced to the archive to allow the new
ClamAV build. An important side note is that those packages will not become
officially supported:
libarchive-latest/t3.3.3-4~deb9u1
libuv1-latest/1.24.1-1~deb9u1
cmake-latest/3.18.4-2~deb9u1
protobuf-latest/3.6.1.3-2~deb9u1
grpc/1.16.1-1~deb9u1
llvm-toolchain-13/1:13.0.1-6~deb9u1
rustc-mozilla/1.63.0+dfsg1-2~deb9u1
cargo-mozilla/0.66.0+ds1-1~deb9u1
The following packages were also updated due to the new ClamAV library package:
dansguardian/2.10.1.1-5.1+deb9u3
havp/0.92a-4+deb9u2
c-icap-modules/1:0.4.4-1+deb9u3
libclamunrar/1.0.3-1~deb9u1
python-clamav/0.4.1-8+deb9u2