Debian 10225

Two security updates have been published for Debian GNU/Linux: ELA-1227-1 for libxml2 and DSA 5802-1 for chromium:

Debian GNU/Linux 8 (Jessie) and 10 (Buster) Extended LTS:
ELA-1227-1 libxml2 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5802-1] chromium security update




ELA-1227-1 libxml2 security update

Package : libxml2
Version : 2.9.1+dfsg1-5+deb8u17 (jessie), 2.9.4+dfsg1-7+deb10u9 (buster)

Related CVEs :
CVE-2016-9318
CVE-2017-16932
CVE-2023-39615
CVE-2023-45322
CVE-2024-25062

Several vulnerabilities were discovered in libxml2, a library for reading,
modifying and writing XML and HTML files. A crafted document could allow an
attacker to cause a denial of service or trigger a use-after-free.

CVE-2016-9318 (Debian 8 update only)
XML External Entity (XXE) attacks via a crafted document.

Note: CVE-2016-9318 was previously addressed for Debian 10 (buster) in ELA-1195.

CVE-2017-16932
When expanding a parameter entity in a DTD, infinite recursion could lead to
an infinite loop or memory exhaustion.

CVE-2023-39615
libxml2 2.11.0 was found to contain an out-of-bounds read in the
xmlSAX2StartElement() function in SAX2.c. An attacker can trigger it with a
crafted XML file and cause a denial of service (DoS).

CVE-2023-45322
libxml2 through 2.11.5 has a use-after-free in xmlUnlinkNode() in tree.c that
can only be reached after a memory allocation fails.

CVE-2024-25062
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5.
When the XML Reader interface is used with DTD validation and XInclude
expansion enabled, processing a crafted XML document can lead to a
use-after-free in xmlValidatePopElement().
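The bug classes listed above (external entities, recursive or runaway entity expansion) can be screened for before an untrusted document reaches the parser at all. What follows is an added example, not code from the advisory or from libxml2: a small Python pre-filter that reads the internal DTD subset with regular expressions, reports external (SYSTEM/PUBLIC) entities, detects entity definitions that refer back to themselves, and bounds the fully expanded size of each entity. The sample documents are constructed for illustration, and the regexes are a deliberate simplification (internal subset only, double-quoted external identifiers); the filter complements, and does not replace, parsing with entity substitution, network access and XInclude disabled.

```python
import re

# Internal DTD subset:  <!DOCTYPE root [ ... ]>
_DOCTYPE = re.compile(r'<!DOCTYPE\b[^\[>]*(?:\[(?P<subset>.*?)\]\s*)?>', re.S)
# One entity declaration, internal ("value") or external (SYSTEM/PUBLIC "uri").
# Simplification: external identifiers are expected in double quotes
# (internal values may use either quote style).
_ENTITY = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s%]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"'
    r'|"(?P<dq>[^"]*)"'
    r"|'(?P<sq>[^']*)')", re.S)
# Entity references inside an entity value: &name; (general) or %name; (parameter)
_REF = re.compile(r'([%&])([^;\s]+);')
_PREDEFINED = {'lt', 'gt', 'amp', 'apos', 'quot'}


class RecursiveEntity(ValueError):
    """Raised when expanding an entity leads back to itself."""


def parse_entities(doc):
    """Map (is_param, name) -> ('internal', value) | ('external', uri) for every
    entity declared in the internal DTD subset (the first declaration wins)."""
    m = _DOCTYPE.search(doc)
    if not m or m.group('subset') is None:
        return {}
    ents = {}
    for e in _ENTITY.finditer(m.group('subset')):
        key = (e.group('param') is not None, e.group('name'))
        if key in ents:
            continue
        if e.group('kind'):
            ents[key] = ('external', e.group('uri'))
        else:
            value = e.group('dq') if e.group('dq') is not None else e.group('sq')
            ents[key] = ('internal', value)
    return ents


def expansion_size(ents, key, stack=()):
    """Characters produced by fully expanding entity `key`.
    Raises RecursiveEntity if the expansion cycles back to an entity on the stack."""
    if key in stack:
        raise RecursiveEntity(' -> '.join(k[1] for k in stack + (key,)))
    kind, body = ents.get(key, ('internal', ''))   # undeclared entity: expands to nothing
    if kind == 'external':
        return 0                                  # never fetched; reported separately
    total = pos = 0
    for ref in _REF.finditer(body):
        total += ref.start() - pos
        pos = ref.end()
        sigil, name = ref.group(1), ref.group(2)
        if name.startswith('#') or (sigil == '&' and name in _PREDEFINED):
            total += 1                            # character reference or &lt; etc.: one char
            continue
        total += expansion_size(ents, (sigil == '%', name), stack + (key,))
    return total + len(body) - pos


def audit_dtd(doc, max_expansion=10_000):
    """Findings for doc's internal DTD subset: external entities (XXE surface),
    recursive entities, and entities expanding beyond max_expansion characters."""
    ents = parse_entities(doc)
    findings = []
    for key, (kind, body) in ents.items():
        label = ('%' if key[0] else '&') + key[1] + ';'
        if kind == 'external':
            findings.append(f'external entity {label} -> {body}')
            continue
        try:
            size = expansion_size(ents, key)
        except RecursiveEntity as exc:
            findings.append(f'recursive entity {label}: {exc}')
            continue
        if size > max_expansion:
            findings.append(f'entity {label} expands to {size} chars (limit {max_expansion})')
    return findings


# Constructed sample documents (not taken from any real report)
SAMPLES = {
    'xxe': '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>',
    'recursive': '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>',
    'amplified': ('<!DOCTYPE lolz [<!ENTITY lol "lol">'
                  '<!ENTITY lol1 "' + '&lol;' * 10 + '">'
                  '<!ENTITY lol2 "' + '&lol1;' * 10 + '">'
                  '<!ENTITY lol3 "' + '&lol2;' * 10 + '">]><lolz>&lol3;</lolz>'),
    'clean': '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co "Debian">]><r>&co;</r>',
}

if __name__ == '__main__':
    for name, doc in SAMPLES.items():
        print(name, audit_dtd(doc, max_expansion=1000) or 'no findings')
```

A document that produces any finding is best rejected outright rather than repaired: an external entity is the XXE surface, a cycle is the recursion case, and an expansion far larger than the document is the memory-exhaustion case.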



[SECURITY] [DSA 5802-1] chromium security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5802-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
November 03, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-10487 CVE-2024-10488

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 130.0.6723.91-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/