Debian 10324

Debian GNU/Linux has been updated with multiple security enhancements, including updates for git, pdns-recursor, python-django, iperf3, and libtar:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1307-1 git security update
ELA-1306-1 python-django security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4031-1] git security update
[DLA 4032-1] iperf3 security update
[DLA 4033-1] libtar security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5851-1] pdns-recursor security update



[SECURITY] [DLA 4031-1] git security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4031-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
January 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : git
Version : 1:2.30.2-1+deb11u4
CVE ID : CVE-2024-50349 CVE-2024-52006
Debian Bug : 1093042

Multiple vulnerabilities were discovered in git, a fast, scalable and
distributed revision control system.

CVE-2024-50349

When Git asks for credentials via a terminal prompt (i.e. without
using any credential helper), it prints out the host name for which
the user is expected to provide a username and/or a password. At
this stage, any URL-encoded parts have been decoded already, and are
printed verbatim. This could allow attackers to craft URLs that
contain ANSI escape sequences that the terminal interprets to confuse
users e.g. into providing passwords for trusted Git hosting sites
when in fact they are then sent to untrusted sites that are under
the attacker's control.

CVE-2024-52006

Git defines a line-based protocol that is used to exchange
information between Git and Git credential helpers. Some ecosystems
(most notably, .NET and node.js) interpret single Carriage Return
characters as newlines, which renders the protections against
CVE-2020-5260 incomplete for credential helpers that treat Carriage
Returns in this way.

For Debian 11 bullseye, these problems have been fixed in version
1:2.30.2-1+deb11u4.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5851-1] pdns-recursor security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5852-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 28, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : pdns-recursor
CVE ID : CVE-2024-25590

Toshifumi Sakaguchi discovered that too permissive parsing of some
resource record sets in the zone file parsing of PDNS Recursor could
result in denial of service.

For the stable distribution (bookworm), this problem has been fixed in
version 4.8.8-1+deb12u1.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1307-1 git security update


Package : git
Version : 1:2.1.4-2.1+deb8u15 (jessie), 1:2.11.0-3+deb9u12 (stretch), 1:2.20.1-2+deb10u10 (buster)

Related CVEs :
CVE-2024-50349
CVE-2024-52006

Multiple vulnerabilities were discovered in git, a fast, scalable and
distributed revision control system.

CVE-2024-50349

When Git asks for credentials via a terminal prompt (i.e. without using any
credential helper), it prints out the host name for which the user is expected
to provide a username and/or a password. At this stage, any URL-encoded parts
have been decoded already, and are printed verbatim. This could allow
attackers to craft URLs that contain ANSI escape sequences that the terminal
interprets to confuse users e.g. into providing passwords for trusted Git
hosting sites when in fact they are then sent to untrusted sites that are
under the attacker's control.

CVE-2024-52006

Git defines a line-based protocol that is used to exchange information between
Git and Git credential helpers. Some ecosystems (most notably, .NET and
node.js) interpret single Carriage Return characters as newlines, which
renders the protections against CVE-2020-5260 incomplete for credential
helpers that treat Carriage Returns in this way.
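Both git issues above come down to how a credential-handling component treats bytes that can be mistaken for a text boundary. The following added example (not git's code, nor a Debian patch) shows in Python a lenient credential-helper request parser that accepts a lone Carriage Return as a line break next to a strict parser that rejects it, plus a prompt sanitiser that makes control characters in a percent-decoded host name visible instead of printing them verbatim. The function names and the sample requests are constructed for this illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample of a credential-helper "get" request in Git's
# line-based key=value protocol, as a helper reads it from stdin.
NORMAL_REQUEST = b"protocol=https\nhost=example.com\nusername=alice\n\n"

# Constructed sample in which a value carries a lone Carriage Return. A helper
# that treats "\r" as a line break sees a second, attacker-chosen host line.
CR_REQUEST = b"protocol=https\nhost=example.com\rhost=other.invalid\n\n"


def lenient_parse(raw: bytes) -> dict:
    """Mimics helpers that accept CR as a newline (str.splitlines does too)."""
    attrs = {}
    for line in raw.decode().splitlines():
        if line == "":
            break                   # blank line ends the request
        key, _, value = line.partition("=")
        attrs[key] = value          # a later duplicate key silently wins
    return attrs


def strict_parse(raw: bytes) -> dict:
    """Only '\\n' ends a line; CR or NUL anywhere in a line is rejected."""
    attrs = {}
    for line in raw.split(b"\n"):
        if line == b"":
            break                   # blank line ends the request
        if b"\r" in line or b"\0" in line:
            raise ValueError("control character in credential attribute")
        key, sep, value = line.partition(b"=")
        if not sep:
            raise ValueError("malformed attribute line")
        attrs[key.decode()] = value.decode()
    return attrs


def prompt_host(url: str) -> str:
    """Host name as it should appear in a terminal prompt: percent-decoded,
    then every non-printable character rendered as a visible \\xNN escape
    so the terminal never interprets it."""
    host = unquote(urlsplit(url).hostname or "")
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in host)


if __name__ == "__main__":
    print(lenient_parse(CR_REQUEST)["host"])     # other.invalid
    print(strict_parse(NORMAL_REQUEST))
    print(prompt_host("https://example.com%0d%0alogin/repo.git"))
```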





ELA-1306-1 python-django security update


Package : python-django
Version : 1.7.11-1+deb8u18 (jessie), 1:1.10.7-2+deb9u24 (stretch), 1:1.11.29-1+deb10u13 (buster)

Related CVEs :
CVE-2024-53907
CVE-2024-56374

Two vulnerabilities were discovered in Django,
a Python-based web development framework:

CVE-2024-53907: Prevent a potential Denial of Service (DoS) attack. The
strip_tags method and striptags template filter were subject to a
potential denial-of-service attack via certain inputs containing large
sequences of nested incomplete HTML entities.

CVE-2024-56374: Prevent another potential Denial of Service (DoS) attack.
Lack of upper-bound limit enforcement in strings passed when performing IPv6
validation could have led to a potential denial-of-service attack. The
clean_ipv6_address and is_valid_ipv6_address functions were vulnerable as
was the GenericIPAddressField form field. The GenericIPAddressField model
field was not affected.





[SECURITY] [DLA 4032-1] iperf3 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4032-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
January 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : iperf3
Version : 3.9-1+deb11u2
CVE ID : CVE-2023-7250 CVE-2024-26306 CVE-2024-53580
Debian Bug : 1071751 1090931

Several security vulnerabilities have been discovered in iperf3, an internet
protocol bandwidth measuring tool, which may lead to a denial of service. When
iperf3 was used as a server with RSA authentication, CVE-2024-26306 allowed a
timing side-channel attack on RSA decryption operations sufficient for an
attacker to recover credential plaintext.

For Debian 11 bullseye, these problems have been fixed in version
3.9-1+deb11u2.

We recommend that you upgrade your iperf3 packages.

For the detailed security status of iperf3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/iperf3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4033-1] libtar security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4033-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
January 28, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libtar
Version : 1.2.20-8+deb12u1~deb11u1
CVE ID : CVE-2021-33643 CVE-2021-33644 CVE-2021-33645 CVE-2021-33646

Multiple vulnerabilities have been fixed in libtar,
a library for manipulating tar archives.

CVE-2021-33643

out-of-bounds read in gnu_longlink()

CVE-2021-33644

out-of-bounds read in gnu_longname()

CVE-2021-33645

memory leak in th_read()

CVE-2021-33646

memory leak in th_read()

For Debian 11 bullseye, these problems have been fixed in version
1.2.20-8+deb12u1~deb11u1.

We recommend that you upgrade your libtar packages.

For the detailed security status of libtar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libtar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS