Debian 10255 Published by

Debian GNU/Linux has received several security updates, including libsoup2.4, linux-6.1, pgpool2, smarty4, and chromium:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), 10 (Buster) Extended LTS:
ELA-1272-1 libsoup2.4 security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1271-1 linux-6.1 new linux version

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3993-1] pgpool2 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5830-1] smarty4 security update
[DSA 5829-1] chromium security update




ELA-1272-1 libsoup2.4 security update

Package : libsoup2.4
Version : 2.48.0-1+deb8u3 (jessie), 2.56.0-2+deb9u3 (stretch), 2.64.2-2+deb10u1 (buster)

Related CVEs :
CVE-2024-52530
CVE-2024-52531
CVE-2024-52532

Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library
for Gtk+ programs.

CVE-2024-52530
In some configurations, HTTP request smuggling is possible because null
characters at the end of the names of HTTP headers were ignored.

CVE-2024-52531
There was a buffer overflow in applications that perform conversion to
UTF-8 in soup_header_parse_param_list_strict. This could lead to memory
corruption, crashes or information disclosure. (Contrary to the CVE
description, it is now believed that input received over the network could
trigger this.)

CVE-2024-52532
An infinite loop in the processing of WebSocket data from clients could
lead to a denial-of-service problem through memory exhaustion.
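The CVE-2024-52530 entry above says that NUL bytes at the end of header names were ignored in some configurations. The following is an added example, not code from libsoup or from the advisory: it models that lenient behaviour in a clearly labelled helper and contrasts it with a strict check that accepts only RFC 9110 token characters, so a header name such as `Content-Length\x00` is rejected instead of being silently treated as `Content-Length`. The header blocks used in it are constructed for the example.

```python
"""Strict HTTP header-name checking (added example; not libsoup code).

Two hops that disagree on which header a line carries (one sees
Content-Length, the other an unknown name) is the root of request
smuggling, so a parser should reject ambiguity rather than clean it up.
Sample input below is constructed for this example.
"""
import string

# RFC 9110 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#                  "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset(b"!#$%&'*+-.^_`|~"
                  + string.digits.encode() + string.ascii_letters.encode())


class HeaderError(ValueError):
    """Raised for a header line a strict parser must reject."""


def lenient_name(name: bytes) -> bytes:
    """Model of the faulty behaviour the advisory describes (not libsoup's
    actual code): trailing NUL bytes are dropped, so b"Content-Length\\x00"
    ends up equal to b"Content-Length". Shown only for contrast."""
    return name.rstrip(b"\x00")


def is_valid_header_name(name: bytes) -> bool:
    """True only if name is a non-empty RFC 9110 token: no NUL, space,
    control or non-ASCII byte anywhere, including at the end."""
    return bool(name) and all(c in TCHAR for c in name)


def parse_header_line(line: bytes) -> tuple[str, str]:
    """Split one b"Name: value" line; any byte a peer might interpret
    differently is an error rather than something to fix up."""
    name, sep, value = line.partition(b":")
    if not sep:
        raise HeaderError("missing ':' in header line")
    if not is_valid_header_name(name):
        raise HeaderError(f"invalid header name {name!r}")
    if b"\x00" in value or b"\r" in value or b"\n" in value:
        raise HeaderError(f"control byte in value of {name!r}")
    # Only SP / HTAB may surround a field value (RFC 9110 section 5.5).
    return name.decode("ascii").lower(), value.strip(b" \t").decode("latin-1")


def parse_headers(block: bytes) -> dict[str, str]:
    """Parse a CRLF-delimited header block into {lower-name: value}.
    Duplicate Content-Length or Transfer-Encoding is rejected too, since
    those headers decide message framing."""
    headers: dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, value = parse_header_line(line)
        if name in headers:
            if name in ("content-length", "transfer-encoding"):
                raise HeaderError(f"duplicate {name} header")
            headers[name] = f"{headers[name]}, {value}"
        else:
            headers[name] = value
    return headers


def accepts(block: bytes) -> bool:
    """True if the strict parser accepts the whole block."""
    try:
        parse_headers(block)
    except HeaderError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the second header name carries a trailing NUL.
    good = b"Host: example.test\r\nContent-Length: 5\r\n"
    odd = b"Host: example.test\r\nContent-Length\x00: 5\r\n"
    print(parse_headers(good))
    print("lenient view of the odd name:", lenient_name(b"Content-Length\x00"))
    print("strict parser accepts the odd block:", accepts(odd))
```

The point of the contrast is that `lenient_name` makes the two blocks look identical while a strict peer treats them as different requests; rejecting the whole message whenever a header name fails the token check removes that disagreement.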


ELA-1271-1 linux-6.1 new linux version

Package : linux-6.1
Version : 6.1.112-1~deb9u1 (stretch), 6.1.112-1~deb10u1 (buster)

This update introduces Linux kernel 6.1 to Debian 9 stretch and Debian 10 buster.
This kernel will be supported along with 5.10, but for a longer period. Linux 4.19
was discontinued as announced in ELA-1116-1.
Instructions on how to update to 6.1, and the support periods, can be found
on the kernel backports page.


[SECURITY] [DLA 3993-1] pgpool2 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3993-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
December 12, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : pgpool2
Version : 4.1.4-3+deb11u1
CVE ID : CVE-2023-22332 CVE-2024-45624

Two vulnerabilities were discovered in pgpool2, a connection pool
server and replication proxy for PostgreSQL.

CVE-2023-22332

A specific database user's authentication information may be
obtained by another database user. As a result, the information
stored in the database may be altered and/or the database may be
suspended by a remote attacker who successfully logs in to the
product with the obtained credentials.

CVE-2024-45624

When the query cache feature is enabled, a database user could, through
the query cache, read rows from tables that should not be visible to
that user.

For Debian 11 bullseye, these problems have been fixed in version
4.1.4-3+deb11u1.

We recommend that you upgrade your pgpool2 packages.

For the detailed security status of pgpool2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pgpool2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5830-1] smarty4 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5830-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 12, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : smarty4
CVE ID : CVE-2024-35226

A security vulnerability was discovered in Smarty, a template engine for
PHP, which could result in PHP code injection.

For the stable distribution (bookworm), this problem has been fixed in
version 4.3.0-1+deb12u2.

We recommend that you upgrade your smarty4 packages.

For the detailed security status of smarty4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty4

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5829-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5829-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
December 12, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-12381 CVE-2024-12382

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 131.0.6778.139-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/