Debian 10137 Published by

A number of security upgrades have been made available for Debian GNU/Linux, including the following:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1179-1 firmware-nonfree security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3887-1] ring security update
[SECURITY] [DLA 3886-1] nodejs security update




ELA-1179-1 firmware-nonfree security update

Package : firmware-nonfree
Version : 20190114+really20220913-0+deb8u3 (jessie), 20190114+really20220913-0+deb9u3 (stretch), 20190114+really20220913-0+deb10u3 (buster)

Related CVEs :
CVE-2023-35061
CVE-2023-38417
CVE-2023-47210

Intel® has released two advisories about potential security vulnerabilities in some Intel® PROSet/Wireless WiFi, Bluetooth® and Killer™ WiFi products that may allow information disclosure or denial of service. The full advisories are available at [1] and [2].
[1] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html
[2] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
This updated firmware-nonfree package includes the following firmware files:
intel/ibt-0041-0041.sfi
intel/ibt-17-16-1.sfi
intel/ibt-17-2.sfi
intel/ibt-18-16-1.sfi
intel/ibt-18-2.sfi
intel/ibt-19-0-0.sfi
intel/ibt-19-0-1.sfi
intel/ibt-19-0-4.sfi
intel/ibt-19-16-4.sfi
intel/ibt-19-240-1.sfi
intel/ibt-19-240-4.sfi
intel/ibt-19-32-0.sfi
intel/ibt-19-32-1.sfi
intel/ibt-19-32-4.sfi
intel/ibt-20-0-3.sfi
intel/ibt-20-1-3.sfi
intel/ibt-20-1-4.sfi
iwlwifi-Qu-b0-hr-b0-77.ucode
iwlwifi-Qu-b0-jf-b0-77.ucode
iwlwifi-Qu-c0-hr-b0-77.ucode
iwlwifi-Qu-c0-jf-b0-77.ucode
iwlwifi-QuZ-a0-hr-b0-77.ucode
iwlwifi-QuZ-a0-jf-b0-77.ucode
iwlwifi-cc-a0-77.ucode
iwlwifi-so-a0-gf-a0-84.ucode
iwlwifi-so-a0-gf-a0-86.ucode
iwlwifi-so-a0-gf-a0.pnvm
iwlwifi-so-a0-gf4-a0-84.ucode
iwlwifi-so-a0-gf4-a0-86.ucode
iwlwifi-so-a0-gf4-a0.pnvm
iwlwifi-so-a0-hr-b0-83.ucode
iwlwifi-so-a0-hr-b0-84.ucode
iwlwifi-so-a0-hr-b0-86.ucode
iwlwifi-ty-a0-gf-a0-84.ucode
iwlwifi-ty-a0-gf-a0-86.ucode
iwlwifi-ty-a0-gf-a0.pnvm

The updated firmware files may need an updated kernel to work, and an older kernel may still load an older
firmware version that is present on the system. It is therefore encouraged to verify whether the kernel
actually loaded the updated firmware file and to take additional measures if needed.
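One way to do that verification, as an added example that is not part of the Debian advisory: a small Node.js script that extracts the firmware file names iwlwifi and btintel report in the kernel log and compares them with the files listed above. The log lines are constructed to imitate those drivers' messages, the subset of updated files is taken from the list above, and the exact message formats are an assumption to check against your own `dmesg` or `journalctl -k` output (if your kernel prints only the firmware version number and not the file name, match on the version instead).

```javascript
// Added example, not part of the Debian advisory: parse kernel log lines for
// the firmware files iwlwifi and btintel say they loaded, and compare them
// with the files shipped in ELA-1179-1.

// Subset of the files listed in the advisory (enough for the sample below).
const UPDATED_FILES = new Set([
  'iwlwifi-Qu-c0-hr-b0-77.ucode',
  'iwlwifi-QuZ-a0-hr-b0-77.ucode',
  'iwlwifi-so-a0-gf-a0-86.ucode',
  'intel/ibt-19-0-4.sfi',
  'intel/ibt-20-1-4.sfi',
]);

// Constructed sample log, modelled on the driver messages (assumption). The
// third line imitates an older kernel that only supports a lower firmware API
// and therefore loaded an older file that this update does not ship.
const SAMPLE_LOG = [
  'iwlwifi 0000:00:14.3: loaded firmware version 77.ad46c98b.0 Qu-c0-hr-b0-77.ucode op_mode iwlmvm',
  'Bluetooth: hci0: Found device firmware: intel/ibt-19-0-4.sfi',
  'iwlwifi 0000:01:00.0: loaded firmware version 72.daa05125.0 so-a0-gf-a0-72.ucode op_mode iwlmvm',
].join('\n');

// Returns the firmware file names the log says were loaded, in log order.
// iwlwifi prints the name without its "iwlwifi-" prefix; normalise to the
// on-disk name so it can be compared with the advisory's list.
function loadedFirmware(logText) {
  const found = [];
  for (const line of logText.split('\n')) {
    const wifi = /loaded firmware version \S+ (?:iwlwifi-)?(\S+\.ucode)/.exec(line);
    if (wifi) found.push(`iwlwifi-${wifi[1]}`);
    const bt = /Found device firmware: (\S+\.sfi)/.exec(line);
    if (bt) found.push(bt[1]);
  }
  return found;
}

// Splits the loaded files into those covered by the update and those that are
// not. Anything in `notCovered` needs a closer look: a kernel too old for the
// new file, a different card, or a stale file still on disk.
function checkAgainstUpdate(logText, updated = UPDATED_FILES) {
  const covered = [];
  const notCovered = [];
  for (const f of loadedFirmware(logText)) {
    (updated.has(f) ? covered : notCovered).push(f);
  }
  return { covered, notCovered };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-firmware.js [saved-dmesg.txt]; without a file the
  // constructed sample is used.
  const input = process.argv[2]
    ? require('fs').readFileSync(process.argv[2], 'utf8')
    : SAMPLE_LOG;
  const r = checkAgainstUpdate(input);
  console.log('covered by ELA-1179-1:', r.covered);
  console.log('not covered:', r.notCovered);
  process.exitCode = r.notCovered.length ? 1 : 0;
}
```

A non-empty `notCovered` list is the signal the advisory asks you to look for: the kernel is running firmware that this update did not touch, so the Intel advisories still apply to that device until the kernel or the firmware on disk changes.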
CVE-2023-35061
Improper initialization for some Intel® PROSet/Wireless and Intel® Killer™ Wi-Fi software before version 22.240 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.

CVE-2023-38417
Improper input validation for some Intel® PROSet/Wireless WiFi software before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVE-2023-47210
Improper input validation for some Intel® PROSet/Wireless WiFi software for Linux before version 23.20 may allow an unauthenticated user to potentially enable denial of service via adjacent access.



[SECURITY] [DLA 3887-1] ring security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3887-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Roberto C. Sánchez
September 14, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ring
Version : 20210112.2.b757bac~ds1-1+deb11u1
CVE ID : CVE-2021-32686 CVE-2021-37706 CVE-2021-43299 CVE-2021-43300
CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804
CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 CVE-2022-23537
CVE-2022-23547 CVE-2022-23608 CVE-2022-24754 CVE-2022-24763
CVE-2022-24764 CVE-2022-24793 CVE-2022-31031 CVE-2022-39244
CVE-2023-27585

Multiple vulnerabilities were found to affect ring, a secure and
distributed voice, video, and chat platform.

CVE-2021-32686

The embedded copy of pjproject is affected by this CVE.
A race condition between callback and destroy, due to the accepted socket
having no group lock. Additionally, the SSL socket parent/listener may get
destroyed during handshake. Both issues were reported to happen
intermittently in heavy load TLS connections. They cause a crash, resulting
in a denial of service.

CVE-2021-37706

The embedded copy of pjproject is affected by this CVE.
If the incoming STUN message contains an ERROR-CODE attribute, the header
length is not checked before performing a subtraction operation, potentially
resulting in an integer underflow scenario. This issue affects all users
that use STUN. A malicious actor located within the victim's network may
forge and send a specially crafted UDP (STUN) message that could remotely
execute arbitrary code on the victim’s machine.

CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303

The embedded copy of pjproject is affected by these CVEs.
An attacker-controlled 'filename' argument may cause a buffer overflow since
it is copied to a fixed-size stack buffer without any size validation.

CVE-2021-43804

The embedded copy of pjproject is affected by this CVE.
In affected versions if the incoming RTCP BYE message contains a reason's
length, this declared length is not checked against the actual received
packet size, potentially resulting in an out-of-bound read access.

CVE-2021-43845

The embedded copy of pjproject is affected by this CVE.
If incoming RTCP XR message contain block, the data field is not checked
against the received packet size, potentially resulting in an out-of-bound
read access.

CVE-2022-21722

The embedded copy of pjproject is affected by this CVE.
There are various cases where it is possible that certain incoming RTP/RTCP
packets can potentially cause out-of-bound read access.

CVE-2022-21723

The embedded copy of pjproject is affected by this CVE.
Parsing an incoming SIP message that contains a malformed multipart can
potentially cause out-of-bound read access.

CVE-2022-23537

The embedded copy of pjproject is affected by this CVE.
Buffer overread is possible when parsing a specially crafted STUN message
with unknown attribute.

CVE-2022-23547

The embedded copy of pjproject is affected by this CVE.
Possible buffer overread when parsing a certain STUN message.

CVE-2022-23608

The embedded copy of pjproject is affected by this CVE.
When in a dialog set (or forking) scenario, a hash key shared by multiple
UAC dialogs can potentially be prematurely freed when one of the dialogs is
destroyed. The issue may cause a dialog set to be registered in the hash
table multiple times (with different hash keys), leading to undefined
behavior such as a dialog list collision, which eventually leads to an
endless loop.

CVE-2022-24754

The embedded copy of pjproject is affected by this CVE.
There is a stack-buffer overflow vulnerability which only impacts PJSIP
users who accept hashed digest credentials (credentials with data_type
`PJSIP_CRED_DATA_DIGEST`).

CVE-2022-24763

The embedded copy of pjproject is affected by this CVE.
A denial-of-service vulnerability affects PJSIP users that consume PJSIP's
XML parsing in their apps.

CVE-2022-24764

The embedded copy of pjproject is affected by this CVE.
A stack buffer overflow vulnerability affects PJSUA2 users or users that
call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`.

CVE-2022-24793

The embedded copy of pjproject is affected by this CVE.
A buffer overflow vulnerability affects applications that use PJSIP DNS
resolution.

CVE-2022-31031

The embedded copy of pjproject is affected by this CVE.
A stack buffer overflow vulnerability affects PJSIP users that use STUN in
their applications, either by: setting a STUN server in their account/media
config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple`
API.

CVE-2022-39244

The embedded copy of pjproject is affected by this CVE.
The PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affected
by a buffer overflow vulnerability. Users connecting to untrusted clients
are at risk.

CVE-2023-27585

The embedded copy of pjproject is affected by this CVE.
A buffer overflow vulnerability affects applications that use PJSIP DNS
resolver.

For Debian 11 bullseye, these problems have been fixed in version
20210112.2.b757bac~ds1-1+deb11u1.

We recommend that you upgrade your ring packages.

For the detailed security status of ring please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ring

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3886-1] nodejs security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3886-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
September 14, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nodejs
Version : 12.22.12~dfsg-1~deb11u5
CVE ID : CVE-2023-30589 CVE-2023-30590 CVE-2023-32559 CVE-2023-46809
CVE-2024-22019 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983

Node.js, a JavaScript runtime environment that executes JavaScript code
outside a web browser (server side), was affected by the following
vulnerabilities.

CVE-2023-30589

The llhttp parser in the http module in Node does not strictly
use the CRLF sequence to delimit HTTP requests. This can lead to
HTTP Request Smuggling (HRS). The CR character (without LF) is
sufficient to delimit HTTP header fields in the llhttp parser.
According to RFC7230 section 3, only the CRLF sequence should
delimit each header-field.

CVE-2023-30590

The generateKeys() API function returned from
crypto.createDiffieHellman() only generates missing (or outdated)
keys, that is, it only generates a private key if none has been
set yet, but the function is also needed to compute the
corresponding public key after calling setPrivateKey(). However,
the documentation says this API call: "Generates private and
public Diffie-Hellman key values". The documented behavior is very
different from the actual behavior, and this difference could
easily lead to security issues.

CVE-2023-32559

A privilege escalation vulnerability exists in the experimental
policy mechanism.
The deprecated API `process.binding()` can be used to bypass the policy
mechanism by requiring internal modules, and eventually to take advantage
of `process.binding('spawn_sync')` to run arbitrary code outside of the
limits defined in a `policy.json` file.

CVE-2023-46809

Node.js is vulnerable to the Marvin Attack if PKCS #1 v1.5 padding is
allowed when performing RSA decryption using a private key.

CVE-2024-22019

A vulnerability in Node.js HTTP servers allows an attacker to send a
specially crafted HTTP request with chunked encoding, leading
to resource exhaustion and denial of service (DoS).
The server reads an unbounded number of bytes from a single connection,
exploiting the lack of limitations on chunk extension bytes.
The issue can cause CPU and network bandwidth exhaustion, bypassing
standard safeguards like timeouts and body size limits.

CVE-2024-22025

A vulnerability in Node.js has been identified, allowing for a
Denial of Service (DoS) attack through resource exhaustion when
using the fetch() function to retrieve content from an untrusted URL.
The vulnerability stems from the fact that the fetch() function in Node.js
always decodes Brotli, making it possible for an attacker to cause
resource exhaustion when fetching content from an untrusted URL.
An attacker controlling the URL passed into fetch() can exploit this
vulnerability to exhaust memory, potentially leading to process
termination, depending on the system configuration.

CVE-2024-27982

Malformed headers can lead to HTTP request smuggling. Specifically,
if a space is placed before a content-length header, it is not
interpreted correctly, enabling attackers to smuggle in a
second request within the body of the first.
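An added example (not llhttp or Node.js code) that ties together CVE-2023-30589, CVE-2024-22019 and CVE-2024-27982: a strict checker for raw HTTP/1.1 request bytes that rejects a bare CR as a line terminator, header lines with whitespace before the field name or before the colon, conflicting framing headers, and chunk extensions beyond a fixed budget. The sample requests are constructed, the 16 KiB extension budget is an assumption, and the input is treated as a string with one character per byte; a real deployment would put a check like this in front of the parser, not in place of it.

```javascript
// Added example, not llhttp/Node.js code: strict framing checks for raw
// HTTP/1.1 requests, run over constructed samples.
const MAX_CHUNK_EXT_BYTES = 16 * 1024; // assumption: budget for chunk extensions per request
// RFC 7230 header-field: token ":" OWS field-value OWS (no leading whitespace,
// no whitespace between the name and the colon).
const HEADER_LINE = /^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$/;
const reject = (reason) => ({ ok: false, reason });

function checkRequest(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  if (headEnd < 0) return reject('header block not terminated by CRLF CRLF');
  const head = raw.slice(0, headEnd);

  // CVE-2023-30589: a CR that is not followed by LF is not a line terminator.
  if (/\r(?!\n)/.test(head)) return reject('bare CR inside the header block');

  const [requestLine, ...fieldLines] = head.split('\r\n');
  if (!/^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(requestLine)) return reject('malformed request line');
  const method = requestLine.split(' ')[0];

  const headers = new Map();
  for (const line of fieldLines) {
    // CVE-2024-27982: " Content-Length: 44" or "Content-Length : 44" do not
    // match the grammar; reject rather than reinterpret the line.
    const m = HEADER_LINE.exec(line);
    if (!m) return reject(`malformed header line ${JSON.stringify(line)}`);
    const name = m[1].toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(m[2]);
  }

  const cl = headers.get('content-length');
  const te = headers.get('transfer-encoding');
  if (cl && te) return reject('Content-Length together with Transfer-Encoding');
  if (cl && (cl.length !== 1 || !/^\d+$/.test(cl[0]))) return reject('ambiguous Content-Length');

  const body = raw.slice(headEnd + 4);
  if (te) {
    if (te.join(',').toLowerCase().replace(/\s/g, '') !== 'chunked') return reject('unsupported Transfer-Encoding');
    const r = checkChunkedBody(body);
    return r.ok ? { ok: true, method, bodyLength: r.bodyLength } : r;
  }
  const expected = cl ? Number(cl[0]) : 0;
  if (body.length !== expected) return reject(`body is ${body.length} bytes, expected ${expected}`);
  return { ok: true, method, bodyLength: body.length };
}

// Walks a chunked body; trailers are not accepted here (assumption).
function checkChunkedBody(body) {
  let pos = 0, extBytes = 0, total = 0;
  for (;;) {
    const eol = body.indexOf('\r\n', pos);
    if (eol < 0) return reject('truncated chunk-size line');
    const m = /^([0-9A-Fa-f]{1,8})(;.*)?$/.exec(body.slice(pos, eol));
    if (!m) return reject('malformed chunk-size line');
    // CVE-2024-22019: chunk extensions are attacker-chosen filler the server
    // would otherwise read without bound; charge them against a budget.
    extBytes += (m[2] || '').length;
    if (extBytes > MAX_CHUNK_EXT_BYTES) return reject('chunk extension bytes over budget');
    const size = parseInt(m[1], 16);
    pos = eol + 2;
    if (size === 0) {
      if (body.slice(pos) !== '\r\n') return reject('unexpected bytes after last chunk');
      return { ok: true, bodyLength: total };
    }
    if (body.length < pos + size + 2 || body.slice(pos + size, pos + size + 2) !== '\r\n') {
      return reject('chunk data not followed by CRLF');
    }
    total += size;
    pos += size + 2;
  }
}

// Constructed sample requests: two well-formed, three exercising the CVEs.
const SAMPLES = {
  plain: 'POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello',
  chunked: 'POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n',
  bareCr: 'GET / HTTP/1.1\rHost: example.test\r\nX-Injected: 1\r\n\r\n',
  spacedContentLength: 'POST / HTTP/1.1\r\nHost: example.test\r\n Content-Length: 44\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n',
  chunkExtFlood: 'POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n1;' + 'x'.repeat(MAX_CHUNK_EXT_BYTES + 1) + '\r\nA\r\n0\r\n\r\n',
};
```

The `spacedContentLength` sample is the smuggling shape from CVE-2024-27982: a front end that ignores the mis-formatted Content-Length frames the message as chunked and forwards everything, while a back end that honours it stops after 44 bytes and treats the trailing `GET /admin` as a second request. Rejecting the line outright removes the disagreement.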

CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by
sending a small number of HTTP/2 frames. It is possible to leave some data
in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION
frame are sent to the server and the TCP connection is then abruptly
closed by the client, triggering the Http2Session destructor while header
frames are still being processed (and stored in memory), causing a race
condition.

For Debian 11 bullseye, these problems have been fixed in version
12.22.12~dfsg-1~deb11u5.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS