Debian 10260

Debian GNU/Linux has received several security updates, covering guix, libmodule-scandeps-perl and needrestart:

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3959-1] guix security update
[DLA 3958-1] libmodule-scandeps-perl security update
[DLA 3957-1] needrestart security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5816-1] libmodule-scandeps-perl security update
[DSA 5815-1] needrestart security update




[SECURITY] [DLA 3959-1] guix security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3959-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
November 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : guix
Version : 1.2.0-4+deb11u3
CVE ID : CVE-2024-52867

A privilege escalation vulnerability (CVE-2024-52867) has been fixed in the GNU Guix package manager.

For Debian 11 bullseye, this problem has been fixed in version
1.2.0-4+deb11u3.

We recommend that you upgrade your guix packages.

For the detailed security status of guix please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/guix

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3958-1] libmodule-scandeps-perl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3958-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Salvatore Bonaccorso
November 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libmodule-scandeps-perl
Version : 1.30-1+deb11u1
CVE ID : CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl,
a Perl module to recursively scan Perl code for dependencies, allows an
attacker to execute arbitrary shell commands via specially crafted file
names.

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For Debian 11 bullseye, this problem has been fixed in version
1.30-1+deb11u1.

We recommend that you upgrade your libmodule-scandeps-perl packages.

For the detailed security status of libmodule-scandeps-perl please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/libmodule-scandeps-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3957-1] needrestart security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3957-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Salvatore Bonaccorso
November 19, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : needrestart
Version : 3.5-4+deb11u4
CVE ID : CVE-2024-11003 CVE-2024-48990 CVE-2024-48991 CVE-2024-48992

The Qualys Threat Research Unit discovered several local privilege
escalation vulnerabilities in needrestart, a utility to check which
daemons need to be restarted after library upgrades. A local attacker
can execute arbitrary code as root by tricking needrestart into running
the Python interpreter with an attacker-controlled PYTHONPATH
environment variable (CVE-2024-48990) or running the Ruby interpreter
with an attacker-controlled RUBYLIB environment variable
(CVE-2024-48992). Additionally, a local attacker can trick needrestart
into running a fake Python interpreter (CVE-2024-48991) or cause
needrestart to call the Perl module Module::ScanDeps with
attacker-controlled files (CVE-2024-11003).

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For Debian 11 bullseye, these problems have been fixed in version
3.5-4+deb11u4.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5816-1] libmodule-scandeps-perl security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5816-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : libmodule-scandeps-perl
CVE ID : CVE-2024-10224

The Qualys Threat Research Unit discovered that libmodule-scandeps-perl,
a Perl module to recursively scan Perl code for dependencies, allows an
attacker to execute arbitrary shell commands via specially crafted file
names.

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For the stable distribution (bookworm), this problem has been fixed in
version 1.31-2+deb12u1.

We recommend that you upgrade your libmodule-scandeps-perl packages.

For the detailed security status of libmodule-scandeps-perl please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/libmodule-scandeps-perl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5815-1] needrestart security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5815-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : needrestart
CVE ID : CVE-2024-11003 CVE-2024-48990 CVE-2024-48991 CVE-2024-48992

The Qualys Threat Research Unit discovered several local privilege
escalation vulnerabilities in needrestart, a utility to check which
daemons need to be restarted after library upgrades. A local attacker
can execute arbitrary code as root by tricking needrestart into running
the Python interpreter with an attacker-controlled PYTHONPATH
environment variable (CVE-2024-48990) or running the Ruby interpreter
with an attacker-controlled RUBYLIB environment variable
(CVE-2024-48992). Additionally, a local attacker can trick needrestart
into running a fake Python interpreter (CVE-2024-48991) or cause
needrestart to call the Perl module Module::ScanDeps with
attacker-controlled files (CVE-2024-11003).
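The four needrestart issues described in DLA 3957-1 and DSA 5815-1 above share one root cause: a root process launches an interpreter and lets data it does not control (the environment of the process it is inspecting, the interpreter path it found, file names on disk) decide what that interpreter loads or runs. The following is an added illustration of the defensive pattern for that situation; it is example code written for this page, not needrestart's code, Debian's patch, or anything from the Qualys advisory. It strips module-search variables such as PYTHONPATH and RUBYLIB before spawning, accepts interpreter binaries only from trusted system directories after symlink resolution, and passes file names as argv entries so that a crafted name is never parsed by a shell (the same argument-list discipline that matters for the Module::ScanDeps file-name issue, CVE-2024-10224 / CVE-2024-11003). The variable list, the trusted prefixes and all function names are this example's own assumptions.

```python
"""Added example: launch an interpreter without trusting the caller's
environment, interpreter path, or file names. Not needrestart's own code."""
import json
import os
import subprocess
import sys
from typing import Dict, List, Optional, Sequence

# Variables that redirect what an interpreter imports, preloads or executes.
# Constructed list for this example; extend it for other interpreters.
SEARCH_PATH_VARS = frozenset({
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "PYTHONUSERBASE",
    "RUBYLIB", "RUBYOPT", "GEM_PATH", "GEM_HOME",
    "PERL5LIB", "PERL5OPT", "PERLLIB",
    "LD_PRELOAD", "LD_LIBRARY_PATH",
})

# Interpreter binaries are accepted only from these directories (assumption).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/sbin/", "/usr/sbin/")


def sanitized_env(env: Dict[str, str]) -> Dict[str, str]:
    """Copy env without interpreter search-path variables and with PATH pinned
    to a fixed system value, so nothing in the inherited environment steers
    which modules or shared objects the child loads."""
    clean = {k: v for k, v in env.items() if k not in SEARCH_PATH_VARS}
    clean["PATH"] = "/usr/sbin:/usr/bin:/sbin:/bin"
    return clean


def trusted_interpreter(path: str) -> bool:
    """Path policy: absolute, and after resolving symlinks and '..' the binary
    must live under a trusted prefix. A binary dropped in /tmp, or a path that
    walks out of /usr/bin via '..', is rejected. Existence is not checked
    here; a missing binary surfaces as an OSError from subprocess."""
    if not os.path.isabs(path):
        return False
    return os.path.realpath(path).startswith(TRUSTED_PREFIXES)


def run_interpreter(interpreter: str, args: Sequence[str],
                    env: Optional[Dict[str, str]] = None) -> subprocess.CompletedProcess:
    """Run interpreter with args under a sanitized environment.
    args is an argv list: a file name containing ';' or '$(' reaches the
    child verbatim because no shell is involved (shell=False is the default)."""
    if not trusted_interpreter(interpreter):
        raise ValueError(f"refusing untrusted interpreter path: {interpreter!r}")
    base = dict(os.environ if env is None else env)
    argv = [interpreter]
    # CPython's -I (isolated mode) additionally ignores PYTHON* variables and
    # the user site directory, a second layer on top of the env scrub.
    if os.path.basename(interpreter).startswith("python"):
        argv.append("-I")
    return subprocess.run(argv + list(args), env=sanitized_env(base),
                          capture_output=True, text=True, check=False)


def child_view(interpreter: str, env: Dict[str, str], harden: bool,
               extra_args: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Ask a Python interpreter what it would import from (sys.path) and what
    argv it received. harden=True applies sanitized_env plus -I; harden=False
    passes the supplied environment through untouched, the pattern the
    advisories describe. Bypasses the path policy so any interpreter can be
    probed; use run_interpreter for real work."""
    code = ("import json, sys; "
            "print(json.dumps({'sys_path': sys.path, 'argv': sys.argv[1:]}))")
    argv = [interpreter] + (["-I"] if harden else []) + ["-c", code, *extra_args]
    run_env = sanitized_env(env) if harden else dict(env)
    out = subprocess.run(argv, env=run_env, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # Constructed demonstration: an inherited PYTHONPATH pointing at a
    # directory an unprivileged user could control, plus a crafted file name.
    inherited = {"PYTHONPATH": "/constructed/evil/dir", "HOME": "/root"}
    crafted_name = "notes; echo INJECTED"
    naive = child_view(sys.executable, inherited, harden=False, extra_args=[crafted_name])
    hardened = child_view(sys.executable, inherited, harden=True, extra_args=[crafted_name])
    print("naive sys.path contains attacker dir:", "/constructed/evil/dir" in naive["sys_path"])
    print("hardened sys.path contains attacker dir:", "/constructed/evil/dir" in hardened["sys_path"])
    print("file name delivered verbatim:", hardened["argv"] == [crafted_name])
    print("/tmp/python3 trusted:", trusted_interpreter("/tmp/python3"))
```

The probe shows the two halves of the fix side by side: with the inherited environment passed through, the attacker-controlled directory sits on the child's import path; with the scrubbed environment and `-I` it does not, and the file name with shell metacharacters arrives as a single argv element. Scrubbing the environment is necessary but not sufficient: the interpreter path itself must come from an allow-list, otherwise a fake binary is simply executed with a clean environment.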

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For the stable distribution (bookworm), these problems have been fixed in
version 3.6-4+deb12u2.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/