Debian 10386 Published by

Debian GNU/Linux has implemented a series of security updates for frr, Python-Django, and chromium:

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1300-1 frr security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4029-1] frr security update
[DLA 4030-1] python-django security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5848-1] chromium security update



[SECURITY] [DLA 4029-1] frr security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4029-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arturo Borrero Gonzalez
January 23, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : frr
Version : 7.5.1-1.1+deb11u4
CVE ID : CVE-2024-55553

In FRR, the internet routing protocol suite software, all routes are
re-validated if the total size of an update received via RTR exceeds the
internal socket's buffer size, default 4K on most OSes.

An attacker can use this to trigger re-parsing of the RIB for FRR routers
using RTR by causing more than this number of updates during an update
interval (usually 30 minutes). Additionally, this effect regularly occurs
organically. Furthermore, an attacker can use this to trigger route validation
continuously. Given that routers with large full tables may need more than
30 minutes to fully re-validate the table, continuous issuance/withdrawal of
large numbers of ROA may be used to impact the route handling performance of
all FRR instances using RPKI globally. Additionally, the re-validation will
cause heightened BMP traffic to ingestors.

For Debian 11 bullseye, this problem has been fixed in version
7.5.1-1.1+deb11u4.

We recommend that you upgrade your frr packages.

For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1300-1 frr security update


Package : frr
Version : 7.5.1-1.1+deb10u4 (buster)

Related CVEs :
CVE-2024-55553

In FRR, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket’s buffer
size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by
causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect
regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that
routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous
issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances
using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors.





[SECURITY] [DLA 4030-1] python-django security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4030-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 23, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-django
Version : 2:2.2.28-1~deb11u5
CVE ID : CVE-2024-56374
Debian Bug : 1093049

It was discovered that there was a potential Denial of Service (DoS)
vulnerability in Django, the Python-based web development framework.

The lack of upper-bound limit enforcement in IPv6 validation could
have led to a potential denial-of-service attack. The undocumented
and private clean_ipv6_address and is_valid_ipv6_address functions
were vulnerable, as was the GenericIPAddressField form field.
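The following is an added illustration, not Django's own code: a standalone IPv6 validator that enforces an upper bound on input length before any parsing, which is the class of check the advisory says was missing. The bound of 45 characters and the ValidationError stand-in are assumptions made for this example.

```python
# Added example (not Django's code): length-bounded IPv6 validation.
# The DoS described in CVE-2024-56374 stems from validating arbitrarily
# long strings; rejecting oversized input first bounds the work done.
import ipaddress

# Assumed bound: the longest textual IPv6 form is six 4-hex-digit groups,
# six colons and a dotted-quad IPv4 tail (e.g. "0000:...:ffff:255.255.255.255").
MAX_IPV6_TEXT_LEN = 45


class ValidationError(ValueError):
    """Stand-in for a form-field validation error (hypothetical)."""


def validate_ipv6(value: str) -> str:
    """Return the compressed canonical form of an IPv6 address.

    Raises ValidationError for anything that is not a valid address.
    The length check runs before parsing, so an attacker-supplied string
    of megabytes is rejected in constant time instead of being processed.
    """
    if not isinstance(value, str):
        raise ValidationError("IPv6 address must be a string")
    if len(value) > MAX_IPV6_TEXT_LEN:
        raise ValidationError("IPv6 address too long")
    if "%" in value:
        # Scope IDs (fe80::1%eth0) are not acceptable in a stored address.
        raise ValidationError("scope identifiers are not allowed")
    try:
        addr = ipaddress.IPv6Address(value)
    except ValueError as exc:
        raise ValidationError(f"invalid IPv6 address: {exc}") from exc
    return addr.compressed


def is_valid_ipv6(value: str) -> bool:
    """Boolean wrapper mirroring an is_valid_* style helper."""
    try:
        validate_ipv6(value)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    hostile = "0:" * 500_000          # constructed oversized input (~1 MB)
    print(validate_ipv6("2001:0DB8::0001"))   # 2001:db8::1
    print(is_valid_ipv6(hostile))              # False, rejected by length
```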

For Debian 11 bullseye, this problem has been fixed in version
2:2.2.28-1~deb11u5.

We recommend that you upgrade your python-django packages.

For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5848-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5848-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
January 23, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2025-0611 CVE-2025-0612

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 132.0.6834.110-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/