Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1232-1 libseccomp security update
ELA-1233-1 libarchive security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3949-1] ruby-saml security update
[DLA 3950-1] libarchive security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5810-1] chromium security update
[DSA 5811-1] mpg123 security update
[DSA 5809-1] symfony security update
[DSA 5808-1] ghostscript security update
ELA-1232-1 libseccomp security update
Package : libseccomp
Version : 2.4.1-1~deb8u1 (jessie), 2.4.1-1~deb9u1 (stretch), 2.4.1-1~deb10u1 (buster)
Related CVEs :
CVE-2019-9893
The kernel syscall filtering library libseccomp has been upgraded to version 2.4.1 to fix CVE-2019-9893: earlier versions generated incorrect BPF for 64-bit syscall argument comparisons using the arithmetic operators (less-than, greater-than and their or-equal variants), so a filter could accept argument values it was meant to reject and be bypassed.
[SECURITY] [DLA 3949-1] ruby-saml security update
--------------------------------------------------------------------------
Debian LTS Advisory DLA-3949-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
November 11, 2024 https://wiki.debian.org/LTS
--------------------------------------------------------------------------
Package : ruby-saml
Version : 1.11.0-1+deb11u1
CVE ID : CVE-2024-45409
It was discovered that ruby-saml, a library for implementing the
client side of SAML authentication, does not properly verify the
signature of the SAML Response. An unauthenticated attacker with
access to any SAML document signed by the IdP can thus forge a SAML
Response/Assertion with arbitrary contents. This would allow the
attacker to log in as an arbitrary user within the vulnerable system.
For Debian 11 bullseye, this problem has been fixed in version
1.11.0-1+deb11u1.
We recommend that you upgrade your ruby-saml packages.
For the detailed security status of ruby-saml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-saml
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
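The bug class the advisory describes is signature wrapping: the signature over the IdP's genuine Assertion still verifies, but the application consumes a different, unsigned Assertion that the attacker inserted into the same document. The following is an added illustration, not ruby-saml's code and not a reproduction of the exact CVE-2024-45409 root cause. A keyed HMAC over the canonicalised element stands in for XML-DSig, the key and element names are constructed, and the vulnerable and hardened consumers sit side by side.

```python
"""Signature-wrapping illustration for the ruby-saml advisory (added example)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-toy-idp-key"   # stands in for the IdP's signing key


def canonical(elem):
    """C14N via the stdlib; real SAML uses exclusive C14N inside XML-DSig."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def sign(elem):
    """Toy 'XML signature': HMAC-SHA256 over the canonical element."""
    return hmac.new(IDP_KEY, canonical(elem), hashlib.sha256).hexdigest()


def idp_response(subject):
    """What the IdP hands out: one Assertion plus a Signature referencing it by ID."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(assertion, "NameID").text = subject
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#a1")
    ET.SubElement(sig, "SignatureValue").text = sign(assertion)
    return root


def wrap_forged_assertion(signed_response, forged_subject):
    """Attacker step: leave the signed Assertion intact, prepend an unsigned one."""
    doc = copy.deepcopy(signed_response)
    forged = ET.Element("Assertion", ID="evil")
    ET.SubElement(forged, "NameID").text = forged_subject
    doc.insert(0, forged)
    return doc


def verify_signature(root):
    """Check SignatureValue over the element the Reference points at.

    Returns that element so callers can consume only verified data.
    """
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("unsigned response")
    ref_id = sig.find("Reference").get("URI", "").lstrip("#")
    target = next((a for a in root.iter("Assertion") if a.get("ID") == ref_id), None)
    given = sig.find("SignatureValue").text or ""
    if target is None or not hmac.compare_digest(sign(target), given):
        raise ValueError("bad signature")
    return target


def vulnerable_name_id(root):
    """Verifies the signature, then reads the subject from the FIRST Assertion."""
    verify_signature(root)                        # passes: signed element is untouched
    return root.find(".//Assertion/NameID").text  # but this may be the attacker's element


def hardened_name_id(root):
    """Rejects extra assertions and reads the subject from the verified element only."""
    verified = verify_signature(root)
    if len(root.findall(".//Assertion")) != 1:
        raise ValueError("expected exactly one Assertion")
    return verified.find("NameID").text


if __name__ == "__main__":
    legit = idp_response("alice")
    forged = wrap_forged_assertion(legit, "admin")
    print("vulnerable consumer sees:", vulnerable_name_id(forged))
    try:
        hardened_name_id(forged)
    except ValueError as exc:
        print("hardened consumer rejects:", exc)
```

The fix pattern is the same in any SAML stack: the data you act on must come from the node object that the signature check actually covered, and a Response carrying more Assertions (or Signatures) than the profile allows should be rejected rather than disambiguated by document order.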
[SECURITY] [DLA 3950-1] libarchive security update
--------------------------------------------------------------------------
Debian LTS Advisory DLA-3950-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
November 11, 2024 https://wiki.debian.org/LTS
--------------------------------------------------------------------------
Package : libarchive
Version : 3.4.3-2+deb11u2
CVE ID : CVE-2021-36976 CVE-2022-26280 CVE-2022-36227 CVE-2024-20696
Debian Bug : 991442 1008953 1024669 1086155
Multiple vulnerabilities have been fixed in libarchive,
a multi-format archive and compression library.
CVE-2021-36976
RAR reader use-after-free
CVE-2022-26280
ZIP reader out-of-bounds-read
CVE-2022-36227
archive_write NULL dereference
CVE-2024-20696
RAR reader out-of-bounds write
For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u2.
We recommend that you upgrade your libarchive packages.
For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5810-1] chromium security update
--------------------------------------------------------------------------
Debian Security Advisory DSA-5810-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
November 11, 2024 https://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2024-10826 CVE-2024-10827
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the stable distribution (bookworm), these problems have been fixed in
version 130.0.6723.116-1~deb12u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5811-1] mpg123 security update
--------------------------------------------------------------------------
Debian Security Advisory DSA-5811-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2024 https://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : mpg123
CVE ID : CVE-2024-10573
Debian Bug : 1086443
An out-of-bounds write vulnerability when handling crafted streams was
discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder
for layers 1, 2 and 3, which could result in the execution of arbitrary
code.
For the stable distribution (bookworm), this problem has been fixed in
version 1.31.2-1+deb12u1.
We recommend that you upgrade your mpg123 packages.
For the detailed security status of mpg123 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/mpg123
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5809-1] symfony security update
--------------------------------------------------------------------------
Debian Security Advisory DSA-5809-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 11, 2024 https://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : symfony
CVE ID : CVE-2024-50340 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345
Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to privilege escalation, information disclosure,
incorrect validation or an open redirect.
For the stable distribution (bookworm), these problems have been fixed in
version 5.4.23+dfsg-1+deb12u3.
We recommend that you upgrade your symfony packages.
For the detailed security status of symfony please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/symfony
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5808-1] ghostscript security update
--------------------------------------------------------------------------
Debian Security Advisory DSA-5808-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2024 https://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : ghostscript
CVE ID : CVE-2024-46951 CVE-2024-46952 CVE-2024-46953 CVE-2024-46955
CVE-2024-46956
Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.
For the stable distribution (bookworm), these problems have been fixed in
version 10.0.0~dfsg-11+deb12u6.
We recommend that you upgrade your ghostscript packages.
For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1233-1 libarchive security update
Package : libarchive
Version : 3.1.2-11+deb8u12 (jessie), 3.2.2-2+deb9u5 (stretch), 3.3.3-4+deb10u4 (buster)
Related CVEs :
CVE-2024-20696
An out-of-bounds write in the RAR reader (CVE-2024-20696) has been fixed in libarchive, a multi-format archive and compression library.