Debian 10225 Published by

The following security updates are available for Debian GNU/Linux:

[DLA 3737-1] imagemagick security update
[DSA 5629-1] chromium security update
[DSA 5628-1] imagemagick security update
[DLA 3738-1] iwd security update




[DLA 3737-1] imagemagick security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3737-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : imagemagick
Version : 8:6.9.10.23+dfsg-2.1+deb10u6
CVE ID : CVE-2023-1289 CVE-2023-5341 CVE-2023-34151

ImageMagick, a graphical software suite for displaying, creating and
modifying images, was vulnerable to the following issues.

CVE-2023-1289

A vulnerability was discovered in ImageMagick where a specially
crafted SVG file loads itself and causes a segmentation fault.
This flaw allows a remote attacker to supply such an SVG file,
which triggers the segmentation fault and leaves many junk files
in "/tmp", resulting in a denial of service. Whenever ImageMagick
crashes in this way it leaves a lot of junk files behind, and
these files can be large if the SVG file contains many render
actions.

CVE-2023-5341

A heap use-after-free flaw was found in coders/bmp.c.

CVE-2023-34151

A vulnerability was found in ImageMagick due to undefined
behaviour when casting double to size_t in the SVG, MVG and
other coders.

Moreover, a few potential security problems, such as memory leaks,
were fixed in the TIFF coders. These issues unfortunately have no
CVE assigned. CVE-2023-39978 (a denial of service), which had been
introduced by partial fixes of these problems, was also fixed.

For Debian 10 buster, these problems have been fixed in version
8:6.9.10.23+dfsg-2.1+deb10u6.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5629-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5629-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
February 23, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-1669 CVE-2024-1670 CVE-2024-1671 CVE-2024-1672
CVE-2024-1673 CVE-2024-1674 CVE-2024-1675 CVE-2024-1676

Multiple security issues were discovered in Chromium, which could result
in the execution of arbitrary code, denial of service or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 122.0.6261.57-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DSA 5628-1] imagemagick security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5628-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 22, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : imagemagick
CVE ID : CVE-2021-3610 CVE-2022-1115 CVE-2023-1289 CVE-2023-1906
CVE-2023-3428 CVE-2023-5341 CVE-2023-34151
Debian Bug : 1013282 1036999

This update fixes multiple vulnerabilities in ImageMagick: various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or potentially the
execution of arbitrary code if malformed image files are processed.

For the oldstable distribution (bullseye), these problems have been fixed
in version 8:6.9.11.60+dfsg-1.3+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 8:6.9.11.60+dfsg-1.6+deb12u1.

We recommend that you upgrade your imagemagick packages.
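As defence in depth on hosts that process untrusted images, alongside the upgrades in DLA-3737-1 and DSA-5628-1, ImageMagick's security policy can refuse the SVG and MVG coders named in CVE-2023-1289 and CVE-2023-34151 and bound the disk and memory a single render may consume, so a crash mid-render cannot fill "/tmp" with large junk files. This fragment is an added example, not part of either advisory; it assumes the Debian ImageMagick 6 policy path /etc/ImageMagick-6/policy.xml and that the lines are merged into the existing policymap there.

```xml
<!-- Added hardening fragment, assumed to be merged into
     /etc/ImageMagick-6/policy.xml (Debian ImageMagick 6 path). -->
<policymap>
  <!-- Refuse the vector coders involved in CVE-2023-1289 (self-loading SVG)
       and CVE-2023-34151 (double to size_t casts in the SVG/MVG coders). -->
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="MVG" />

  <!-- Bound the work one crafted image can cause: memory, memory-mapped
       pixel cache, on-disk pixel cache and wall-clock seconds per operation. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="60" />

  <!-- Keep scratch files out of the shared /tmp so leftovers from a crash
       land in a directory that can be cleaned and quota-limited separately.
       The directory must exist and be writable by the converting user. -->
  <policy domain="resource" name="temporary-path" value="/var/tmp/imagemagick" />
</policymap>
```

`convert -list policy` prints the policy that is actually in effect, and converting a test SVG afterwards should be refused with a security-policy error rather than rendered.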

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3738-1] iwd security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3738-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 22, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : iwd
Version : 0.14-2+deb10u1
CVE ID : CVE-2023-52161
Debian Bug : 1064062

It was discovered that there was an authentication bypass issue in
iwd, the Intel Wireless Daemon. Adversaries could have gained
unauthorised access to a protected 'home' (i.e. non-WPA2-Enterprise)
WiFi network.

For Debian 10 buster, this problem has been fixed in version
0.14-2+deb10u1.

We recommend that you upgrade your iwd packages.

For the detailed security status of iwd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/iwd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS