Debian 10260

Updated Flatpak packages are available for both Debian GNU/Linux 11 and 12. In addition, Firefox-ESR and Tomcat 9 security updates have been released for Debian GNU/Linux 10 LTS.

[DSA 5666-1] flatpak security update
[DLA 3790-1] firefox-esr security update
[DSA 5667-1] tomcat9 security update

[DSA 5666-1] flatpak security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5666-1                 security@debian.org
https://www.debian.org/security/                     Moritz Muehlenhoff
April 19, 2024                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : flatpak
CVE ID : CVE-2024-32462

Gergo Koteles discovered that sandbox restrictions in Flatpak, an
application deployment framework for desktop apps, could be bypassed in
combination with xdg-desktop-portal.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.10.8-0+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 1.14.4-1+deb12u1.

We recommend that you upgrade your flatpak packages.

For the detailed security status of flatpak please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/flatpak

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3790-1] firefox-esr security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3790-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                Emilio Pozuelo Monfort
April 19, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : firefox-esr
Version : 115.10.0esr-1~deb10u1
CVE ID : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854
CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or clickjacking.

For Debian 10 buster, these problems have been fixed in version
115.10.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5667-1] tomcat9 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5667-1                 security@debian.org
https://www.debian.org/security/                        Markus Koschany
April 19, 2024                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat9
CVE ID : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549
Debian Bug : 1057082 1066877 1066878

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.

CVE-2023-46589

Tomcat 9 did not correctly parse HTTP trailer headers. A trailer header
that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

CVE-2024-24549

Denial of service due to an improper input validation vulnerability in
the HTTP/2 handling. When processing an HTTP/2 request, if the request
exceeded any of the configured limits for headers, the associated HTTP/2
stream was not reset until after all of the headers had been processed.

CVE-2024-23672

Denial of service via an incomplete-cleanup vulnerability. It was possible
for WebSocket clients to keep WebSocket connections open, leading to
increased resource consumption.

For the oldstable distribution (bullseye), these problems have been fixed
in version 9.0.43-2~deb11u10.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
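All three advisories come down to one check on each host: is the installed package version at least the fixed version named for that suite? Comparing Debian versions correctly is not a plain string comparison (epochs, the `~` that sorts before everything, and the alternating letter/number runs all matter; note that `115.10.0esr-1~deb10u1` is older than `115.10.0esr-1`). The following is an added example, not code from Debian or from the advisories: it implements the dpkg version-ordering rules in Python and checks a dictionary of installed versions against the fixed versions quoted in the three advisories above. The `FIXED_VERSIONS` table is assembled from the advisory text; the `sample` dictionary of installed versions is constructed for illustration, and the `unpatched` helper is this example's own name.

```python
# Fixed versions quoted in DSA-5666-1, DLA-3790-1 and DSA-5667-1 (suite -> package -> version).
FIXED_VERSIONS = {
    "buster":   {"firefox-esr": "115.10.0esr-1~deb10u1"},
    "bullseye": {"flatpak": "1.10.8-0+deb11u2", "tomcat9": "9.0.43-2~deb11u10"},
    "bookworm": {"flatpak": "1.14.4-1+deb12u1"},
}


def _order(c):
    """Collation weight of one character, following dpkg: '~' sorts before
    everything (even end of string), letters sort before non-letters, and
    digits weigh 0 like end of string because the numeric pass handles them."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one component (upstream version or Debian revision) by
    alternating a lexical pass over non-digit runs with a numeric pass over
    digit runs. Returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Lexical pass: compare the non-digit prefixes character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric pass: drop leading zeros, then compare the digit runs by value.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no hyphen: native package, empty revision
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return negative, zero or positive as Debian version a is <, == or > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r != 0:
        return r
    return _verrevcmp(ra, rb)


def unpatched(suite, installed):
    """Return (package, installed, fixed) for every advisory package whose
    installed version is older than the fixed version for this suite.
    `installed` is a dict such as one built from
    dpkg-query -W -f '${Package} ${Version}\\n' output."""
    result = []
    for pkg, fixed in FIXED_VERSIONS.get(suite, {}).items():
        if pkg in installed and compare_versions(installed[pkg], fixed) < 0:
            result.append((pkg, installed[pkg], fixed))
    return result


if __name__ == "__main__":
    # Constructed sample of installed versions, not output from a real host.
    sample = {"flatpak": "1.10.8-0+deb11u1", "tomcat9": "9.0.43-2~deb11u10"}
    for pkg, have, need in unpatched("bullseye", sample):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On a real bullseye host, feed `unpatched` the output of `dpkg-query -W -f '${Package} ${Version}\n' flatpak tomcat9` split into a dictionary; any tuple returned names a package that still needs the upgrade from the corresponding advisory.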