Debian 10260 Published by

The following security updates have been released for Debian GNU/Linux:

[DLA 3740-1] gnutls28 security update
[DLA 3741-1] engrampa security update




[DLA 3740-1] gnutls28 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3740-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
February 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gnutls28
Version : 3.6.7-4+deb10u12
CVE ID : CVE-2024-0553
Debian Bug : 1061046

Hubert Kario discovered that GnuTLS, a portable library which implements
the Transport Layer Security and Datagram Transport Layer Security
protocols, was vulnerable to timing side-channel attack in the RSA-PSK
key exchange, which could lead to leakage of sensitive data. The issue
stems from an incomplete resolution for CVE-2023-5981.

This vulnerability is also known as GNUTLS-SA-2024-01-14.

For Debian 10 buster, this problem has been fixed in version
3.6.7-4+deb10u12.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3741-1] engrampa security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3741-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
February 26, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : engrampa
Version : 1.20.2-1+deb10u1
CVE ID : CVE-2023-52138

It was discovered that engrampa, an archive manager for the MATE
desktop environment was susceptible to path traversal when handling
CPIO archives.

For Debian 10 buster, this problem has been fixed in version
1.20.2-1+deb10u1.

We recommend that you upgrade your engrampa packages.

For the detailed security status of engrampa please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/engrampa

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS