
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1145-1 curl security update

Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[SECURITY] [DSA 5737-1] libreoffice security update





[SECURITY] [DSA 5737-1] libreoffice security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5737-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 05, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libreoffice
CVE ID : CVE-2024-6472

If LibreOffice failed to validate a signed macro, it displayed a warning
but still allowed execution of the script.
Going forward, in high macro security mode such macros are now disabled.

For additional information please refer to
https://www.libreoffice.org/about-us/security/advisories/cve-2024-6472/

For the oldstable distribution (bullseye), this problem has been fixed
in version 1:7.0.4-4+deb11u10.

For the stable distribution (bookworm), this problem has been fixed in
version 4:7.4.7-1+deb12u4.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1145-1 curl security update

Package : curl
Version : 7.38.0-4+deb8u28 (jessie), 7.52.1-5+deb9u22 (stretch), 7.64.0-4+deb10u10 (buster)

Related CVEs :
CVE-2024-7264

A denial-of-service vulnerability was found in cURL, an easy-to-use client-side
URL transfer library. libcurl’s ASN1 parser code has the GTime2str() function,
used for parsing an ASN.1 Generalized Time field. If given a syntactically
incorrect field, the parser might end up crashing, but this flaw can also lead
to heap contents getting returned to the application when CURLINFO_CERTINFO is
used.
