Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1119-1 glibc security update
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1118-1 dcmtk security update
Debian GNU/Linux 10 (Buster) LTS:
[DLA 3850-1] glibc security update
[DLA 3846-1] libmojolicious-perl security update
[DLA 3855-1] pdns-recursor security update
[DLA 3854-1] tryton-client security update
[DLA 3853-1] tryton-server security update
[DLA 3852-1] edk2 security update
[DLA 3851-1] gunicorn security update
[DLA 3850-1] glibc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3850-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : glibc
Version : 2.28-10+deb10u4
CVE ID : CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602
Multiple vulnerabilities have been fixed in the Name Service Cache Daemon,
which is built from the GNU C library sources and shipped in the nscd binary package.
CVE-2024-33599
nscd: Stack-based buffer overflow in netgroup cache
CVE-2024-33600
nscd: Null pointer crashes after notfound response
CVE-2024-33601
nscd: Daemon may terminate on memory allocation failure
CVE-2024-33602
nscd: Possible memory corruption
For Debian 10 buster, these problems have been fixed in version
2.28-10+deb10u4.
We recommend that you upgrade your glibc packages.
For the detailed security status of glibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glibc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3846-1] libmojolicious-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3846-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arturo Borrero Gonzalez
June 28, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libmojolicious-perl
Version : 8.12+dfsg-1.1~deb10u1
CVE ID : CVE-2020-36829
Mojolicious is a Perl Web Application Framework built around the familiar
Model-View-Controller philosophy. It supports a simple single file mode via
Mojolicious::Lite, RESTful routes, plugins, Perl-ish templates, session
management, signed cookies, a testing framework, internationalization, first
class Unicode support, and more.
The libmojolicious-perl package had a timing attack vulnerability: its
secret comparison returned early when the two inputs differed in length,
which allowed an attacker to learn the length of a secret string.
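The length leak described above, modelled in Python as an added example (this is not code from Mojolicious or the Debian package, whose comparison routine is Perl). The vulnerable shape returns as soon as the lengths differ; the hardened shape compares fixed-size SHA-256 digests so the comparison loop does no length-dependent work (hashing first is this example's choice of fix, not necessarily the upstream patch). Instead of measuring noisy wall-clock time, each compare returns a count of byte comparisons, which is the quantity a timing attacker estimates. The secret value and the `leaked_lengths` probe are constructed for the example.

```python
import hashlib


def compare_early_exit(secret: bytes, guess: bytes) -> tuple:
    """Length-leaking compare (the vulnerable shape).

    Returns (equal, work), where work counts byte comparisons performed.
    A length mismatch returns immediately with zero work; that difference
    in work is what a timing attacker observes to learn the secret length.
    """
    if len(secret) != len(guess):
        return False, 0
    acc = 0
    for a, b in zip(secret, guess):
        acc |= a ^ b
    return acc == 0, len(secret)


def compare_fixed_work(secret: bytes, guess: bytes) -> tuple:
    """Hardened compare: compare fixed-size digests of both inputs.

    The loop always runs over 32 digest bytes, so the comparison no longer
    reveals whether the lengths matched. (Hashing itself costs one SHA-256
    block per 64 input bytes, so only coarse length information can remain;
    hmac.compare_digest is the stdlib alternative for the final step.)
    """
    d_secret = hashlib.sha256(secret).digest()
    d_guess = hashlib.sha256(guess).digest()
    acc = 0
    for a, b in zip(d_secret, d_guess):
        acc |= a ^ b
    return acc == 0, len(d_secret)


def leaked_lengths(compare, secret: bytes, max_len: int = 64) -> set:
    """Model of a length-recovery attack against `compare`.

    Probes every guess length from 1 to max_len with a dummy guess and
    reports the lengths whose work differs from the length-1 probe. For a
    secret longer than one byte, the early-exit compare exposes exactly the
    secret's length; the fixed-work compare exposes nothing.
    """
    baseline = compare(secret, b"A")[1]
    return {n for n in range(1, max_len + 1) if compare(secret, b"A" * n)[1] != baseline}


if __name__ == "__main__":
    SECRET = b"s3cr3t-token"  # constructed 12-byte secret for the demo
    print("early-exit leaks lengths:", leaked_lengths(compare_early_exit, SECRET))
    print("fixed-work leaks lengths:", leaked_lengths(compare_fixed_work, SECRET))
```

Run it and the first line names the secret's length while the second reports an empty set; that is the whole difference between the two comparison routines from an attacker's point of view.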
For Debian 10 buster, this problem has been fixed in version
8.12+dfsg-1.1~deb10u1.
We recommend that you upgrade your libmojolicious-perl packages.
For the detailed security status of libmojolicious-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmojolicious-perl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3855-1] pdns-recursor security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3855-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
July 01, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : pdns-recursor
Version : 4.1.11-1+deb10u2
CVE ID : CVE-2020-14196 CVE-2020-25829
Debian Bug : 964103 972159
Two vulnerabilities have been fixed in PowerDNS Recursor, a caching DNS resolver.
CVE-2020-14196
The ACL restricting access to the internal web server is not properly
enforced.
CVE-2020-25829
A remote attacker can cause the cached records for a given name to be
updated to the Bogus DNSSEC validation state, instead of their actual
DNSSEC Secure state, via a DNS ANY query. This results in a denial of
service for installations that always validate (dnssec=validate), and
for clients requesting validation when on-demand validation is enabled.
For Debian 10 buster, these problems have been fixed in version
4.1.11-1+deb10u2.
We recommend that you upgrade your pdns-recursor packages.
For the detailed security status of pdns-recursor please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns-recursor
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3854-1] tryton-client security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3854-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tryton-client
Version : 5.0.5-1+deb10u1
CVE ID : not yet available
Cédric Krier has found that trytond, the Tryton application server, accepts
compressed content from unauthenticated requests which makes it vulnerable to
zip bomb attacks.
This update also fixes a potential regression in tryton-client: the client
now only sends gzip-compressed content within an established session.
For Debian 10 buster, this problem has been fixed in version
5.0.5-1+deb10u1.
We recommend that you upgrade your tryton-client packages.
For the detailed security status of tryton-client please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-client
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3853-1] tryton-server security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3853-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : tryton-server
Version : 5.0.4-2+deb10u3
CVE ID : not yet available
Cédric Krier has found that trytond, the Tryton application server, accepts
compressed content from unauthenticated requests which makes it vulnerable to
zip bomb attacks.
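The zip bomb problem behind both Tryton advisories (tryton-client above and tryton-server here), shown in Python as an added example that is not trytond's own code. A naive handler decompresses whatever the client sends; the hardened handler refuses compressed bodies until a session exists and caps the decoded size using zlib's streaming API, so an over-budget stream is detected after at most `max_bytes + 1` bytes of output. The 20 MB bomb, the 1 MB budget and the status codes are constructed for the example; any real server must also cap the raw request body size before this point.

```python
import gzip
import zlib
from typing import Optional, Tuple

# Constructed inputs: 20 MB of zero bytes gzips to roughly 20 KB, so a
# tiny request body expands about 1000x when decoded.
BOMB = gzip.compress(b"\0" * 20_000_000)
SMALL = gzip.compress(b"hello")
MAX_DECODED_BYTES = 1_000_000  # assumed per-request budget for decoded bodies


def decode_naive(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Vulnerable shape: honour Content-Encoding for anyone, with no bound."""
    if content_encoding and content_encoding.lower() == "gzip":
        return gzip.decompress(body)
    return body


def decompress_bounded(data: bytes, max_bytes: int) -> bytes:
    """Decompress a gzip body but never produce more than max_bytes.

    Asking the streaming decompressor for max_bytes + 1 output bytes makes
    an over-budget stream detectable without materialising the rest of it.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects the gzip container
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise ValueError("decoded body exceeds budget")
    if not d.eof:
        raise ValueError("truncated or malformed gzip stream")
    return out


def decode_request_body(body: bytes, content_encoding: Optional[str],
                        authenticated: bool,
                        max_bytes: int = MAX_DECODED_BYTES) -> Tuple[int, bytes]:
    """Hardened shape. Returns (http_status, decoded_body).

    Compression is only accepted inside an authenticated session, and even
    then the decoded size is bounded, so an attacker cannot force large
    allocations before proving who they are.
    """
    if content_encoding is None:
        return 200, body
    if content_encoding.lower() != "gzip":
        return 415, b""          # unsupported encoding
    if not authenticated:
        return 403, b""          # no decompression before a session exists
    try:
        return 200, decompress_bounded(body, max_bytes)
    except (ValueError, zlib.error):
        return 413, b""          # payload too large or malformed


if __name__ == "__main__":
    print("bomb on the wire:", len(BOMB), "bytes")
    print("naive decode    :", len(decode_naive(BOMB, "gzip")), "bytes allocated")
    print("hardened, anon  :", decode_request_body(BOMB, "gzip", authenticated=False)[0])
    print("hardened, authed:", decode_request_body(BOMB, "gzip", authenticated=True)[0])
```

The `d.eof` check matters as well: a stream that stops short of the gzip trailer is either a transfer error or an attempt to feed the decoder in pieces, and neither should reach application code.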
For Debian 10 buster, this problem has been fixed in version
5.0.4-2+deb10u3.
We recommend that you upgrade your tryton-server packages.
For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3852-1] edk2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3852-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : edk2
Version : 0~20181115.85588389-3+deb10u4
CVE ID : CVE-2023-48733
Mate Kukri discovered the Debian build of EDK2, a UEFI firmware
implementation, used an insecure default configuration which could result
in Secure Boot bypass via the UEFI shell.
For Debian 10 buster, this problem has been fixed in version
0~20181115.85588389-3+deb10u4.
We recommend that you upgrade your edk2 packages.
For the detailed security status of edk2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/edk2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3851-1] gunicorn security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3851-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : gunicorn
Version : 19.9.0-1+deb10u1
CVE ID : CVE-2024-1135
Debian Bug : 1069126
Gunicorn, an event-based HTTP/WSGI server, fails to properly validate
Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS)
vulnerabilities. By crafting requests with conflicting Transfer-Encoding
headers, attackers can bypass security restrictions and access restricted
endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding
headers, where it incorrectly processes requests with multiple, conflicting
Transfer-Encoding headers, treating them as chunked regardless of the final
encoding specified. This vulnerability allows for a range of attacks
including cache poisoning, session manipulation, and data exposure.
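The framing decision at the heart of the Gunicorn issue, as an added Python example that is not Gunicorn's parser. `framing_lenient` models the behaviour the advisory describes: any `chunked` token anywhere in the Transfer-Encoding list makes the request chunked. `framing_strict` applies RFC 7230 section 3.3.3: `chunked` must be the final transfer coding, and a request carrying both Transfer-Encoding and Content-Length is rejected (RFC 9112 section 6.3 allows either rejecting or trusting Transfer-Encoding alone; rejecting is the safer choice behind a proxy). The three raw requests are constructed for the example; the body of the smuggled one is only there to show the shape.

```python
from typing import List, Optional, Tuple

# Constructed requests. Both Transfer-Encoding and Content-Length are present,
# and the final transfer coding is not chunked: a proxy and a lenient server
# will disagree on where this request ends.
SMUGGLED = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Transfer-Encoding: identity\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
CLEAN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
GZIP_CHUNKED = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: gzip, chunked\r\n"
    b"\r\n"
)


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (request_line, [(lowercased-name, value), ...]).

    Whitespace before the colon is rejected outright: RFC 7230 section 3.2.4
    says so, and it is a classic way to hide a header from one parser.
    """
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name != name.rstrip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip()))
    return request_line, headers


def transfer_codings(headers: List[Tuple[str, str]]) -> List[str]:
    """Combine repeated Transfer-Encoding fields into one ordered list (RFC 7230 3.2.2)."""
    codings = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings.extend(c.strip().lower() for c in value.split(",") if c.strip())
    return codings


def framing_lenient(headers: List[Tuple[str, str]]) -> Tuple[str, Optional[int]]:
    """Models the vulnerable behaviour: 'chunked' anywhere wins."""
    if "chunked" in transfer_codings(headers):
        return "chunked", None
    for name, value in headers:
        if name == "content-length" and value.isdigit():
            return "content-length", int(value)
    return "content-length", 0


def framing_strict(headers: List[Tuple[str, str]]) -> Tuple[str, Optional[object]]:
    """RFC 7230 section 3.3.3 framing; returns ('reject', reason) instead of guessing."""
    codings = transfer_codings(headers)
    lengths = [v for n, v in headers if n == "content-length"]
    if codings:
        if lengths:
            return "reject", "Transfer-Encoding together with Content-Length"
        if codings[-1] != "chunked":
            return "reject", "final transfer coding is not chunked"
        if codings.count("chunked") != 1:
            return "reject", "chunked applied more than once"
        return "chunked", None
    if len(set(lengths)) > 1:
        return "reject", "conflicting Content-Length values"
    if lengths:
        if not lengths[0].isdigit():
            return "reject", "invalid Content-Length"
        return "content-length", int(lengths[0])
    return "content-length", 0


if __name__ == "__main__":
    for label, raw in (("smuggled", SMUGGLED), ("clean", CLEAN), ("gzip+chunked", GZIP_CHUNKED)):
        _, hdrs = parse_head(raw)
        print("%-12s lenient=%s strict=%s" % (label, framing_lenient(hdrs), framing_strict(hdrs)))
```

The smuggled request is the interesting row: the lenient parser commits to chunked framing while a Content-Length-trusting front end has already decided the body is four bytes, which is exactly the disagreement request smuggling exploits; the strict parser refuses to pick a side.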
For Debian 10 buster, this problem has been fixed in version
19.9.0-1+deb10u1.
We recommend that you upgrade your gunicorn packages.
For the detailed security status of gunicorn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gunicorn
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1119-1 glibc security update
Package : glibc
Version : 2.19-18+deb8u14 (jessie), 2.24-11+deb9u7 (stretch)
Related CVEs :
CVE-2024-33599
CVE-2024-33600
CVE-2024-33601
CVE-2024-33602
Multiple vulnerabilities have been fixed in the Name Service Cache Daemon,
which is built from the GNU C library sources and shipped in the nscd binary package.
CVE-2024-33599
nscd: Stack-based buffer overflow in netgroup cache
CVE-2024-33600
nscd: Null pointer crashes after notfound response
CVE-2024-33601
nscd: Daemon may terminate on memory allocation failure
CVE-2024-33602
nscd: Possible memory corruption
ELA-1118-1 dcmtk security update
Package : dcmtk
Version : 3.6.1~20160216-4+deb10u1 (stretch)
Related CVEs :
CVE-2019-1010228
CVE-2021-41687
CVE-2021-41688
CVE-2021-41689
CVE-2021-41690
CVE-2022-2121
CVE-2022-43272
CVE-2024-28130
CVE-2024-34508
CVE-2024-34509
Multiple vulnerabilities have been fixed in DCMTK, a collection of
libraries and applications implementing large parts of the DICOM standard
for medical images.
CVE-2019-1010228
Buffer overflow in DcmRLEDecoder::decompress()
CVE-2021-41687
Incorrect freeing of memory
CVE-2021-41688
Incorrect freeing of memory
CVE-2021-41689
NULL pointer dereference
CVE-2021-41690
Incorrect freeing of memory
CVE-2022-2121
NULL pointer dereference
CVE-2022-43272
Memory leak in single process mode
CVE-2024-28130
Segmentation faults due to incorrect typecast
CVE-2024-34508
Segmentation fault via invalid DIMSE message
CVE-2024-34509
Segmentation fault via invalid DIMSE message