Debian 10396

Debian GNU/Linux has received several security updates: DCMTK for Debian 11 LTS (bullseye), and SSSD and FFmpeg updates for Debian ELTS (stretch and buster):

[DLA 4038-1] dcmtk security update
ELA-1315-1 sssd security update
ELA-1314-1 ffmpeg security update
ELA-1313-1 ffmpeg security update




[SECURITY] [DLA 4038-1] dcmtk security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4038-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
January 31, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : dcmtk
Version : 3.6.5-1+deb11u1
CVE ID : CVE-2021-41687 CVE-2021-41688 CVE-2021-41689 CVE-2021-41690
CVE-2022-2121 CVE-2022-43272 CVE-2024-28130 CVE-2024-34508
CVE-2024-34509 CVE-2024-47796 CVE-2024-52333
Debian Bug : 1014044 1027165 1070207 1093043 1093047

Multiple vulnerabilities have been fixed in DCMTK, a collection of
libraries and applications implementing large parts of the DICOM standard
for medical images.

CVE-2021-41687

Incorrect freeing of memory

CVE-2021-41688

Incorrect freeing of memory

CVE-2021-41689

NULL pointer dereference

CVE-2021-41690

Incorrect freeing of memory

CVE-2022-2121

NULL pointer dereference

CVE-2022-43272

Memory leak in single process mode

CVE-2024-28130

Segmentation faults due to incorrect typecast

CVE-2024-34508

Segmentation fault via invalid DIMSE message

CVE-2024-34509

Segmentation fault via invalid DIMSE message

CVE-2024-47796

Improper array index validation

CVE-2024-52333

Improper array index validation

For Debian 11 bullseye, these problems have been fixed in version
3.6.5-1+deb11u1.

We recommend that you upgrade your dcmtk packages.

For the detailed security status of dcmtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dcmtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1315-1 sssd security update


Package : sssd
Version : 1.15.0-3+deb9u3 (stretch), 1.16.3-3.2+deb10u3 (buster)

Related CVEs :
CVE-2018-10852
CVE-2018-16838
CVE-2019-3811
CVE-2023-3758

CVE-2018-10852
It was discovered that when SSSD created the UNIX pipe for
communication between sudo and the sssd-sudo responder, the umask in
effect was too permissive, which resulted in the pipe being readable
and writable by any local user. If an attacker used the same
communication protocol that sudo uses to talk to SSSD, they could
obtain the list of sudo rules for any user who stores their sudo rules
in a remote directory.
While the sudo responder is not started by default by SSSD itself,
utilities like ipa-client-install configure the sudo responder to be
started.
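The permission bits of a Unix-domain socket file are fixed at bind() time as 0777 masked by the process umask, so a permissive umask at that moment is what exposes the pipe. The following is an added example, not code from SSSD or from the advisory: it binds a socket under a permissive umask and under a strict one in a scratch directory, reports the resulting modes, and provides a check you can point at a live socket. The umask value 0177 and the pipe path `/var/lib/sss/pipes/sudo` are assumptions for illustration, not values taken from the SSSD fix.

```python
import os
import socket
import stat
import tempfile


def create_responder_socket(path, umask_value):
    """Bind a Unix-domain socket at `path` while `umask_value` is in effect,
    restore the previous umask, and return the socket file's permission bits.
    Linux creates the socket file as 0777 & ~umask, so the umask decides who
    may connect to it."""
    previous = os.umask(umask_value)
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.bind(path)
    finally:
        os.umask(previous)
    return stat.S_IMODE(os.stat(path).st_mode)


def mode_is_exposed(mode):
    """True if any group or other permission bit is set."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def socket_is_exposed(path):
    """Check a live socket file; raises if `path` is not a socket."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    return mode_is_exposed(stat.S_IMODE(st.st_mode))


def demo():
    """Create the pipe under a permissive umask and under a strict one;
    return (weak_mode, strict_mode)."""
    with tempfile.TemporaryDirectory() as d:
        weak_path = os.path.join(d, "sudo-weak")
        strict_path = os.path.join(d, "sudo-strict")
        weak = create_responder_socket(weak_path, 0o000)     # exposes the pipe to everyone
        strict = create_responder_socket(strict_path, 0o177) # assumed hardening value: owner-only
        assert socket_is_exposed(weak_path) and not socket_is_exposed(strict_path)
    return weak, strict


if __name__ == "__main__":
    weak, strict = demo()
    print(f"permissive umask -> {weak:04o}, strict umask -> {strict:04o}")
    # On a real host, check the live pipe (path is an assumption; adjust as needed):
    # print(socket_is_exposed("/var/lib/sss/pipes/sudo"))
```

Owner-only access is enough for this pipe because sudo is setuid root when it talks to the responder; any group or other bit on the socket file is what lets an unprivileged local user speak the same protocol.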

CVE-2018-16838

It was discovered that when Group Policy Objects (GPOs) are not
readable by SSSD due to overly strict permission settings on the
server side, SSSD allows all authenticated users to log in instead of
denying access.
A new boolean setting ad_gpo_ignore_unreadable (defaulting to
False) is introduced for environments where attributes in the
groupPolicyContainer are not readable and changing the permissions
on the GPO objects is not possible or desirable. See sssd-ad(5).
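After the upgrade, the fail-open behaviour is gone, but it can be reintroduced deliberately with ad_gpo_ignore_unreadable = True, and GPO-based access control only denies anything when ad_gpo_access_control is enforcing. The following is an added example, not part of SSSD or the advisory: a check over an sssd.conf that flags AD domains where either setting weakens access control. The sample configuration is constructed; the assumption that an unset ad_gpo_access_control behaves as permissive reflects the sssd 1.x releases these ELAs cover.

```python
import configparser

# Constructed sssd.conf for illustration; not from a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example, lab.example
services = nss, pam, sudo

[domain/corp.example]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_ignore_unreadable = True

[domain/lab.example]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive

[domain/ldap.example]
id_provider = ldap
access_provider = ldap
"""


def gpo_findings(conf_text):
    """Return {domain_section: [finding, ...]} for AD domains whose GPO settings
    allow logins that GPO policy would otherwise deny."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        # GPO-based access control is a feature of the ad access provider only.
        if sec.get("access_provider", "").strip() != "ad":
            continue
        notes = []
        # Assumption: unset means permissive (the sssd 1.x default).
        mode = sec.get("ad_gpo_access_control", "permissive").strip().lower()
        if mode != "enforcing":
            notes.append(f"ad_gpo_access_control={mode}: GPO deny results are logged, not enforced")
        if sec.getboolean("ad_gpo_ignore_unreadable", fallback=False):
            notes.append("ad_gpo_ignore_unreadable=True: unreadable GPOs are skipped "
                         "instead of denying access (the pre-fix behaviour)")
        if notes:
            findings[section] = notes
    return findings


if __name__ == "__main__":
    for domain, notes in gpo_findings(SAMPLE_SSSD_CONF).items():
        for note in notes:
            print(f"{domain}: {note}")
```

Run it against `/etc/sssd/sssd.conf` (readable by root only) after applying the update; a domain that legitimately needs ad_gpo_ignore_unreadable should be a documented exception, because unreadable GPOs can then no longer deny anyone.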

CVE-2019-3811

It was discovered that if a user was configured with no home
directory set, then sssd(8) returns / (i.e., the root directory)
instead of the empty string (meaning no home directory). This could
impact services that restrict the user’s filesystem access to within
their home directory through chroot() or similar.
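A service that confines a user to their home directory has to cope with both the pre-fix result ("/", which confines to nothing) and the post-fix result (an empty string, meaning no home directory at all). The following is an added example, not code from SSSD or the advisory: a validation routine such a service should apply before chroot(), and an audit over passwd-format lines (the output format of `getent passwd`) that lists accounts whose home directory would be unsafe as a confinement target. The sample entries are constructed.

```python
import os

# Constructed passwd-format lines, as `getent passwd` would print them.
SAMPLE_PASSWD = """\
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc-backup:x:1002:1002:::/usr/sbin/nologin
bob:x:1003:1003:Bob:/:/bin/bash
sftp-only:x:1004:1004::/srv/sftp/sftp-only:/usr/sbin/nologin
"""


def chroot_target_problem(home):
    """Return why `home` must not be used as a chroot/confinement target,
    or None if it is acceptable."""
    if home == "":
        return "no home directory set"
    if not home.startswith("/"):
        return "home directory is not an absolute path"
    # normpath keeps a leading '//' (POSIX), so strip slashes before testing.
    if os.path.normpath(home).strip("/") == "":
        return "home directory resolves to the filesystem root"
    return None


def audit_passwd(passwd_text):
    """Map account names to the reason their home directory is unsafe."""
    findings = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line; skip rather than guess
            continue
        name, home = fields[0], fields[5]
        problem = chroot_target_problem(home)
        if problem:
            findings[name] = problem
    return findings


if __name__ == "__main__":
    for name, problem in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{name}: {problem}")
```

The point of validating on the service side is that the fix only changes what sssd(8) returns; any account with a "/" home, whether it came from a directory or from /etc/passwd, still chroots to the whole filesystem unless the service refuses it.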

CVE-2023-3758

A race condition flaw was found in SSSD where the GPO policy is not
consistently applied for authenticated users. This may lead to
improper authorization issues, granting access to resources
inappropriately.


(sssd 1.16.3-3.2+deb10u3 only fixes CVE-2023-3758 as the previous
version was already immune to the other vulnerabilities.)





ELA-1314-1 ffmpeg security update


Package : ffmpeg
Version : 7:3.2.19-0+deb9u6 (stretch)

Related CVEs :
CVE-2024-35366
CVE-2024-35367
CVE-2024-36616
CVE-2024-36617
CVE-2024-36618

Several issues have been found in ffmpeg, a package that contains tools
for transcoding, streaming and playing multimedia files.
Those issues are related to possible integer overflows, double-free on
errors, out-of-bounds access and an incomplete check of negative durations.





ELA-1313-1 ffmpeg security update


Package : ffmpeg
Version : 7:4.1.11-0+deb10u3 (buster)

Related CVEs :
CVE-2024-35366
CVE-2024-35367
CVE-2024-35368
CVE-2024-36616
CVE-2024-36617
CVE-2024-36618

Several issues have been found in ffmpeg, a package that contains tools
for transcoding, streaming and playing multimedia files.
Those issues are related to possible integer overflows, double-free on
errors, out-of-bounds access, seeks beyond the 64-bit range and an
incomplete check of negative durations.

