
Debian GNU/Linux has received a number of security updates, including ELA-1232-1 libseccomp, DLA 3949-1 ruby-saml, DLA 3950-1 libarchive, DSA 5810-1 chromium, DSA 5811-1 mpg123, DSA 5809-1 symfony, DSA 5808-1 ghostscript, and ELA-1233-1 libarchive:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1232-1 libseccomp security update
ELA-1233-1 libarchive security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3949-1] ruby-saml security update
[DLA 3950-1] libarchive security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5810-1] chromium security update
[DSA 5811-1] mpg123 security update
[DSA 5809-1] symfony security update
[DSA 5808-1] ghostscript security update




ELA-1232-1 libseccomp security update

Package : libseccomp
Version : 2.4.1-1~deb8u1 (jessie), 2.4.1-1~deb9u1 (stretch), 2.4.1-1~deb10u1 (buster)

Related CVEs :
CVE-2019-9893

The kernel syscall filtering library libseccomp has been upgraded to version 2.4.1 to fix 64-bit argument comparisons.



[SECURITY] [DLA 3949-1] ruby-saml security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3949-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
November 11, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-saml
Version : 1.11.0-1+deb11u1
CVE ID : CVE-2024-45409

It was discovered that ruby-saml, a library for implementing the
client side of a SAML authorization, does not properly verify the
signature of the SAML Response. An unauthenticated attacker with
access to any signed SAML document (by the IdP) can thus forge a SAML
Response/Assertion with arbitrary contents. This would allow the
attacker to log in as an arbitrary user within the vulnerable system.

For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u1.

We recommend that you upgrade your ruby-saml packages.

For the detailed security status of ruby-saml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-saml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3950-1] libarchive security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3950-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
November 11, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libarchive
Version : 3.4.3-2+deb11u2
CVE ID : CVE-2021-36976 CVE-2022-26280 CVE-2022-36227 CVE-2024-20696
Debian Bug : 991442 1008953 1024669 1086155

Multiple vulnerabilities have been fixed in libarchive,
a multi-format archive and compression library.

CVE-2021-36976

RAR reader use-after-free

CVE-2022-26280

ZIP reader out-of-bounds read

CVE-2022-36227

archive_write NULL dereference

CVE-2024-20696

RAR reader out-of-bounds write

For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u2.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5810-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5810-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
November 11, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-10826 CVE-2024-10827

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 130.0.6723.116-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5811-1] mpg123 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5811-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mpg123
CVE ID : CVE-2024-10573
Debian Bug : 1086443

An out-of-bounds write vulnerability when handling crafted streams was
discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder
for layers 1, 2 and 3, which could result in the execution of arbitrary
code.

For the stable distribution (bookworm), this problem has been fixed in
version 1.31.2-1+deb12u1.

We recommend that you upgrade your mpg123 packages.

For the detailed security status of mpg123 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/mpg123

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5809-1] symfony security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5809-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 11, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : symfony
CVE ID : CVE-2024-50340 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345

Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to privilege escalation, information disclosure,
incorrect validation or an open redirect.

For the stable distribution (bookworm), these problems have been fixed in
version 5.4.23+dfsg-1+deb12u3.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5808-1] ghostscript security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5808-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ghostscript
CVE ID : CVE-2024-46951 CVE-2024-46952 CVE-2024-46953 CVE-2024-46955
CVE-2024-46956

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.

For the stable distribution (bookworm), these problems have been fixed in
version 10.0.0~dfsg-11+deb12u6.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1233-1 libarchive security update

Package : libarchive
Version : 3.1.2-11+deb8u12 (jessie), 3.2.2-2+deb9u5 (stretch), 3.3.3-4+deb10u4 (buster)
Related CVEs :
CVE-2024-20696

A RAR reader out-of-bounds write has been fixed in libarchive, a multi-format archive and compression library.
