[DSA 5645-1] firefox-esr security update
[DLA 3770-1] libnet-cidr-lite-perl security update
[DLA 3769-1] thunderbird security update
ELA-1062-1 libnet-cidr-lite-perl security update
[DSA 5645-1] firefox-esr security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5645-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 23, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : firefox-esr
CVE ID : CVE-2024-29944
Manfred Paul discovered a flaw in the Mozilla Firefox web browser,
allowing an attacker to inject an event handler into a privileged object
that would allow arbitrary JavaScript execution in the parent process.
For the oldstable distribution (bullseye), this problem has been fixed
in version 115.9.1esr-1~deb11u1.
For the stable distribution (bookworm), this problem has been fixed in
version 115.9.1esr-1~deb12u1.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[DLA 3770-1] libnet-cidr-lite-perl security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3770-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
March 23, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : libnet-cidr-lite-perl
Version : 0.21-2+debu10u1
CVE ID : CVE-2021-47154
An issue has been found in libnet-cidr-lite-perl, a module for merging
IPv4 or IPv6 CIDR address ranges.
Extraneous zero characters at the beginning of an IP address string
might allow attackers to bypass access control that is based on IP
addresses.
Please check your application whether it accidentally allows such leading
zero characters (that are normally meant to indicate octal numbers).
For Debian 10 buster, this problem has been fixed in version
0.21-2+debu10u1.
We recommend that you upgrade your libnet-cidr-lite-perl packages.
For the detailed security status of libnet-cidr-lite-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libnet-cidr-lite-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3769-1] thunderbird security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3769-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
March 23, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : thunderbird
Version : 1:115.9.0-1~deb10u1
CVE ID : CVE-2023-5388 CVE-2024-0743 CVE-2024-1936 CVE-2024-2607
CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612
CVE-2024-2614 CVE-2024-2616
Multiple security issues were discovered in Thunderbird, which could
result in denial of service, the execution of arbitrary code or leaks
of encrypted email subjects.
For Debian 10 buster, these problems have been fixed in version
1:115.9.0-1~deb10u1.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1062-1 libnet-cidr-lite-perl security update
Package : libnet-cidr-lite-perl
Version : 0.21-1+deb9u1 (stretch)
Related CVEs :
CVE-2021-47154
An issue has been found in libnet-cidr-lite-perl, a module for merging
IPv4 or IPv6 CIDR address ranges.
Extraneous zero characters at the beginning of an IP address string
might allow attackers to bypass access control that is based on IP
addresses.
Please check your application whether it accidentally allows such leading
zero characters (that are normally meant to indicate octal numbers).