Debian 10260 Published by

Debian GNU/Linux has been updated with several security enhancements, including ghostscript, libsepol, python-sql, libheif, dmitry, and openjdk-11:

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1209-1 libsepol security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1210-1 openjdk-11 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3931-1] ghostscript security update
[DLA 3930-1] libsepol security update
[DLA 3932-1] python-sql security update
[DLA 3934-1] libheif security update
[DLA 3933-1] dmitry security update



[SECURITY] [DLA 3931-1] ghostscript security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3931-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ghostscript
Version : 9.53.3~dfsg-7+deb11u8
CVE ID : CVE-2024-29508

A heap-based pointer disclosure problem was found in Ghostscript, an
interpreter for the PostScript language and for PDF. This could lead to
information disclosure.

For Debian 11 bullseye, this problem has been fixed in version
9.53.3~dfsg-7+deb11u8.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3930-1] libsepol security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3930-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libsepol
Version : 3.1-1+deb11u1
CVE ID : CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087
Debian Bug : 990526

Multiple vulnerabilities were discovered in libsepol, a set of userspace
utilities and libraries for manipulating SELinux policies.

CVE-2021-36084, CVE-2021-36085, CVE-2021-36086

Three use-after-free problems were discovered in the CIL compiler.
These could lead to data corruption, denial of service or possibly
arbitrary code execution.

CVE-2021-36087

A heap-based buffer over-read was discovered in the CIL compiler.
This could lead to confidentiality or integrity violations, or
crashes.

For Debian 11 bullseye, these problems have been fixed in version
3.1-1+deb11u1.

We recommend that you upgrade your libsepol packages.

For the detailed security status of libsepol please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsepol

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3932-1] python-sql security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3932-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-sql
Version : 1.2.1-1+deb11u1
CVE ID : CVE-2024-9774

Cédric Krier discovered that python-sql, a library to write SQL queries
in a pythonic way, performed insufficient sanitising which could result
in SQL injection.

For Debian 11 bullseye, this problem has been fixed in version
1.2.1-1+deb11u1.

We recommend that you upgrade your python-sql packages.

For the detailed security status of python-sql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-sql

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1209-1 libsepol security update

Package : libsepol
Version : 2.6-2+deb9u1 (stretch), 2.8-1+deb10u1 (buster)

Related CVEs :
CVE-2021-36084
CVE-2021-36085
CVE-2021-36086
CVE-2021-36087

Multiple vulnerabilities were discovered in libsepol, a set of userspace
utilities and libraries for manipulating SELinux policies.

CVE-2021-36084, CVE-2021-36085, CVE-2021-36086
Three use-after-free problems were discovered in the CIL compiler. These
could lead to data corruption, denial of service or possibly arbitrary code
execution.
CVE-2021-36087
A heap-based buffer over-read was discovered in the CIL compiler. This could
lead to confidentiality or integrity violations, or crashes.

ELA-1209-1 libsepol security update


[SECURITY] [DLA 3934-1] libheif security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3934-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
October 22, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libheif
Version : 1.11.0-1+deb11u1
CVE ID : CVE-2024-41311

It was discovered that there was a potential out-of-bounds read
vulnerability in libheif, a decoder and encoder for the HEIF and AVIF
image formats.

Insufficient checks in ImageOverlay::parse() could have been
exploited by an overlay image with forged offsets which could, in
turn, have led to undefined behaviour.

For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u1.

We recommend that you upgrade your libheif packages.

For the detailed security status of libheif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libheif

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3933-1] dmitry security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3933-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
October 22, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : dmitry
Version : 1.3a-1.1+deb11u1
CVE ID : CVE-2017-7938 CVE-2020-14931 CVE-2024-31837
Debian Bug : 1070370

Multiple vulnerabilities have been fixed in DMitry,
a tool to gather as much information as possible about a host.

CVE-2017-7938

stack-based buffer overflow

CVE-2020-14931

stack-based buffer overflow

CVE-2024-31837

format-string vulnerability

For Debian 11 bullseye, these problems have been fixed in version
1.3a-1.1+deb11u1.

We recommend that you upgrade your dmitry packages.

For the detailed security status of dmitry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dmitry

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1210-1 openjdk-11 security update

Package : openjdk-11
Version : 11.0.25+9-1~deb10u1 (buster)

Related CVEs :
CVE-2024-21208
CVE-2024-21210
CVE-2024-21217
CVE-2024-21235

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, information disclosure or bypass
of Java sandbox restrictions.

ELA-1210-1 openjdk-11 security update