Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1209-1 libsepol security update
Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1210-1 openjdk-11 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3931-1] ghostscript security update
[DLA 3930-1] libsepol security update
[DLA 3932-1] python-sql security update
[DLA 3934-1] libheif security update
[DLA 3933-1] dmitry security update
[SECURITY] [DLA 3931-1] ghostscript security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3931-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ghostscript
Version : 9.53.3~dfsg-7+deb11u8
CVE ID : CVE-2024-29508
A heap-based pointer disclosure problem was found in Ghostscript, an
interpreter for the PostScript language and for PDF. This could lead to
information disclosure.
For Debian 11 bullseye, this problem has been fixed in version
9.53.3~dfsg-7+deb11u8.
We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3930-1] libsepol security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3930-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libsepol
Version : 3.1-1+deb11u1
CVE ID : CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087
Debian Bug : 990526
Multiple vulnerabilities were discovered in libsepol, a set of userspace
utilities and libraries for manipulating SELinux policies.
CVE-2021-36084, CVE-2021-36085, CVE-2021-36086
Three use-after-free problems were discovered in the CIL compiler.
These could lead to data corruption, denial of service or possibly
arbitrary code execution.
CVE-2021-36087
A heap-based buffer over-read was discovered in the CIL compiler.
This could lead to confidentiality or integrity violations, or
crashes.
For Debian 11 bullseye, these problems have been fixed in version
3.1-1+deb11u1.
We recommend that you upgrade your libsepol packages.
For the detailed security status of libsepol please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsepol
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3932-1] python-sql security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3932-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python-sql
Version : 1.2.1-1+deb11u1
CVE ID : CVE-2024-9774
Cédric Krier discovered that python-sql, a library to write SQL queries
in a pythonic way, performed insufficient sanitising which could result
in SQL injection.
For Debian 11 bullseye, this problem has been fixed in version
1.2.1-1+deb11u1.
We recommend that you upgrade your python-sql packages.
For the detailed security status of python-sql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-sql
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1209-1 libsepol security update
Package : libsepol
Version : 2.6-2+deb9u1 (stretch), 2.8-1+deb10u1 (buster)
Related CVEs :
CVE-2021-36084
CVE-2021-36085
CVE-2021-36086
CVE-2021-36087
Multiple vulnerabilities were discovered in libsepol, a set of userspace
utilities and libraries for manipulating SELinux policies.
CVE-2021-36084, CVE-2021-36085, CVE-2021-36086
Three use-after-free problems were discovered in the CIL compiler. These
could lead to data corruption, denial of service or possibly arbitrary code
execution.
CVE-2021-36087
A heap-based buffer over-read was discovered in the CIL compiler. This could
lead to confidentiality or integrity violations, or crashes.
[SECURITY] [DLA 3934-1] libheif security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3934-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libheif
Version : 1.11.0-1+deb11u1
CVE ID : CVE-2024-41311
It was discovered that there was a potential out-of-bounds read
vulnerability in libheif, a decoder and encoder for the HEIF and AVIF
image formats.
Insufficient checks in ImageOverlay::parse() could have been
exploited by an overlay image with forged offsets which could, in
turn, have led to undefined behaviour.
For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u1.
We recommend that you upgrade your libheif packages.
For the detailed security status of libheif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libheif
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3933-1] dmitry security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3933-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
October 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : dmitry
Version : 1.3a-1.1+deb11u1
CVE ID : CVE-2017-7938 CVE-2020-14931 CVE-2024-31837
Debian Bug : 1070370
Multiple vulnerabilities have been fixed in DMitry,
a tool to gather as much information as possible about a host.
CVE-2017-7938
stack-based buffer overflow
CVE-2020-14931
stack-based buffer overflow
CVE-2024-31837
format-string vulnerability
For Debian 11 bullseye, these problems have been fixed in version
1.3a-1.1+deb11u1.
We recommend that you upgrade your dmitry packages.
For the detailed security status of dmitry please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dmitry
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
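What a defender actually acts on in these advisories is the fixed version string. As an added example (not part of the advisories, and not dpkg's own code), the Python below reimplements dpkg's version ordering (epoch, upstream, revision, with '~' sorting before everything) and flags entries of an inventory that are still below the bullseye fixed versions listed above. The inventory is a constructed sample keyed by source package name; binary package names on a real host (such as libsepol1) differ, so the mapping is assumed to have been done already.

```python
import re
from itertools import zip_longest

# Fixed bullseye versions copied from the DLA texts above, keyed by source package
# (assumption: the inventory is keyed the same way; binary names such as libsepol1 differ).
FIXED_BULLSEYE = {"ghostscript": "9.53.3~dfsg-7+deb11u8", "libsepol": "3.1-1+deb11u1",
                  "python-sql": "1.2.1-1+deb11u1", "libheif": "1.11.0-1+deb11u1",
                  "dmitry": "1.3a-1.1+deb11u1"}

def _order(ch):
    """dpkg weight of a non-digit character: '~' below everything, letters below symbols."""
    return ord(ch) if ch.isalpha() else (-1 if ch == "~" else ord(ch) + 256)

def _verrevcmp(a, b):
    """dpkg's fragment ordering: alternating non-digit runs and numeric runs."""
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (sa, na), (sb, nb) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        ka = [_order(c) for c in sa] + [0] * (len(sb) - len(sa))  # end of run weighs 0
        kb = [_order(c) for c in sb] + [0] * (len(sa) - len(sb))
        if ka != kb:
            return -1 if ka < kb else 1
        if int(na or 0) != int(nb or 0):              # leading zeros are insignificant
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _parse(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    head, sep, rest = version.partition(":")
    epoch, rest = (int(head), rest) if sep else (0, version)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, revision, "")

def compare_versions(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def outstanding(installed, fixed=FIXED_BULLSEYE):
    """Packages whose installed version is still below the advisory's fixed version."""
    return {p: v for p, v in installed.items()
            if p in fixed and compare_versions(v, fixed[p]) < 0}

# Constructed sample of `dpkg-query -W` output, not taken from a real host.
SAMPLE_INVENTORY = dict(line.split() for line in """
ghostscript 9.53.3~dfsg-7+deb11u7
libsepol 3.1-1+deb11u1
python-sql 1.2.1-1
libheif 1.11.0-1+deb11u1
dmitry 1.3a-1.1
""".split("\n") if line)
```

On a live bullseye host, `dpkg --compare-versions` gives the same answer without reimplementing the algorithm; here outstanding(SAMPLE_INVENTORY) flags ghostscript, python-sql and dmitry as not yet updated.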
ELA-1210-1 openjdk-11 security update
Package : openjdk-11
Version : 11.0.25+9-1~deb10u1 (buster)
Related CVEs :
CVE-2024-21208
CVE-2024-21210
CVE-2024-21217
CVE-2024-21235
Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, information disclosure or bypass
of Java sandbox restrictions.