Debian 10225 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1119-1 glibc security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1118-1 dcmtk security update

Debian GNU/Linux 10 (Buster) LTS:
[DLA 3850-1] glibc security update
[DLA 3846-1] libmojolicious-perl security update
[DLA 3855-1] pdns-recursor security update
[DLA 3854-1] tryton-client security update
[DLA 3853-1] tryton-server security update
[DLA 3852-1] edk2 security update
[DLA 3851-1] gunicorn security update



[DLA 3850-1] glibc security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3850-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 30, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : glibc
Version : 2.28-10+deb10u4
CVE ID : CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602

Multiple vulnerabilities have been fixed in the Name Service Cache Daemon
that is built by the GNU C library and shipped in the nscd binary package.

CVE-2024-33599

nscd: Stack-based buffer overflow in netgroup cache

CVE-2024-33600

nscd: Null pointer crashes after notfound response

CVE-2024-33601

nscd: Daemon may terminate on memory allocation failure

CVE-2024-33602

nscd: Possible memory corruption

For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u4.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3846-1] libmojolicious-perl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3846-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arturo Borrero Gonzalez
June 28, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libmojolicious-perl
Version : 8.12+dfsg-1.1~deb10u1
CVE ID : CVE-2020-36829

Mojolicious is a Perl Web Application Framework built around the familiar
Model-View-Controller philosophy. It supports a simple single file mode via
Mojolicious::Lite, RESTful routes, plugins, Perl-ish templates, session
management, signed cookies, a testing framework, internationalization, first
class Unicode support, and more.

The libmojolicious-perl package had a timing attack vulnerability that allowed
an attacker to guess the length of a secret string.

For Debian 10 buster, this problem has been fixed in version
8.12+dfsg-1.1~deb10u1.

We recommend that you upgrade your libmojolicious-perl packages.

For the detailed security status of libmojolicious-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmojolicious-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3855-1] pdns-recursor security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3855-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
July 01, 2024                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : pdns-recursor
Version        : 4.1.11-1+deb10u2
CVE ID         : CVE-2020-14196 CVE-2020-25829
Debian Bug     : 964103 972159

Brief introduction

CVE-2020-14196

    The ACL restricting access to the internal web server is not properly
    enforced.

CVE-2020-25829

    A remote attacker can cause the cached records for a given name to be
    updated to the Bogus DNSSEC validation state, instead of their actual
    DNSSEC Secure state, via a DNS ANY query. This results in a denial of
    service for installation that always validate (dnssec=validate), and
    for clients requesting validation when on-demand validation is enabled.

For Debian 10 buster, these problems have been fixed in version
4.1.11-1+deb10u2.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3854-1] tryton-client security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3854-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tryton-client
Version : 5.0.5-1+deb10u1
CVE ID : not yet available

Cédric Krier has found that trytond, the Tryton application server, accepts
compressed content from unauthenticated requests which makes it vulnerable to
zip bomb attacks.

This update fixes a potential regression in tryton-client. It allows users only
to send gzip content within a session.

For Debian 10 buster, this problem has been fixed in version
5.0.5-1+deb10u1.

We recommend that you upgrade your tryton-client packages.

For the detailed security status of tryton-client please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-client

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3853-1] tryton-server security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3853-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tryton-server
Version : 5.0.4-2+deb10u3
CVE ID : not yet available

Cédric Krier has found that trytond, the Tryton application server, accepts
compressed content from unauthenticated requests which makes it vulnerable to
zip bomb attacks.

For Debian 10 buster, this problem has been fixed in version
5.0.4-2+deb10u3.

We recommend that you upgrade your tryton-server packages.

For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3852-1] edk2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3852-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : edk2
Version : 0~20181115.85588389-3+deb10u4
CVE ID : CVE-2023-48733

Mate Kukri discovered the Debian build of EDK2, a UEFI firmware
implementation, used an insecure default configuration which could result
in Secure Boot bypass via the UEFI shell.

For Debian 10 buster, this problem has been fixed in version
0~20181115.85588389-3+deb10u4.

We recommend that you upgrade your edk2 packages.

For the detailed security status of edk2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/edk2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3851-1] gunicorn security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3851-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gunicorn
Version : 19.9.0-1+deb10u1
CVE ID : CVE-2024-1135
Debian Bug : 1069126

Gunicorn, an event-based HTTP/WSGI server, fails to properly validate Transfer-
Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By
crafting requests with conflicting Transfer-Encoding headers, attackers can
bypass security restrictions and access restricted endpoints. This issue is due
to Gunicorn’s handling of Transfer-Encoding headers, where it incorrectly
processes requests with multiple, conflicting Transfer-Encoding headers,
treating them as chunked regardless of the final encoding specified. This
vulnerability allows for a range of attacks including cache poisoning, session
manipulation, and data exposure.

For Debian 10 buster, this problem has been fixed in version
19.9.0-1+deb10u1.

We recommend that you upgrade your gunicorn packages.

For the detailed security status of gunicorn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gunicorn

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1119-1 glibc security update

Package : glibc
Version : 2.19-18+deb8u14 (jessie), 2.24-11+deb9u7 (stretch)

Related CVEs :
CVE-2024-33599
CVE-2024-33600
CVE-2024-33601
CVE-2024-33602

Multiple vulnerabilities have been fixed in the Name Service Cache Daemon
that is built by the GNU C library and shipped in the nscd binary package.

CVE-2024-33599
nscd: Stack-based buffer overflow in netgroup cache

CVE-2024-33600
nscd: Null pointer crashes after notfound response

CVE-2024-33601
nscd: Daemon may terminate on memory allocation failure

CVE-2024-33602
nscd: Possible memory corruption

ELA-1119-1 glibc security update


ELA-1118-1 dcmtk security update

Package : dcmtk
Version : 3.6.1~20160216-4+deb10u1 (stretch)

Related CVEs :
CVE-2019-1010228
CVE-2021-41687
CVE-2021-41688
CVE-2021-41689
CVE-2021-41690
CVE-2022-2121
CVE-2022-43272
CVE-2024-28130
CVE-2024-34508
CVE-2024-34509

Multiple vulnerabilities havebenn fixed in DCMTK, a collection of
libraries and applications implementing large parts the DICOM standard
for medical images.

CVE-2019-1010228
Buffer overflow in DcmRLEDecoder::decompress()

CVE-2021-41687
Incorrect freeing of memory

CVE-2021-41688
Incorrect freeing of memory

CVE-2021-41689
NULL pointer dereference

CVE-2021-41690
Incorrect freeing of memory

CVE-2022-2121
NULL pointer dereference

CVE-2022-43272
Memory leak in single process mode

CVE-2024-28130
Segmentation faults due to incorrect typecast

CVE-2024-34508
Segmentation fault via invalid DIMSE message

CVE-2024-34509
Segmentation fault via invalid DIMSE message

ELA-1118-1 dcmtk security update