
Debian GNU/Linux has implemented a series of security updates, including for Linux Kernel, phpMyAdmin, LemonLDAP-NG, and Libnet-Easytcp-Perl:

Debian GNU/Linux 9 (Stretch) and 10 (Buster) ELTS:
ELA-1382-1 linux-6.1 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4120-1] libnet-easytcp-perl security update
[DLA 4121-1] phpmyadmin security update
[DLA 4119-1] lemonldap-ng security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5897-1] lemonldap-ng security update



[SECURITY] [DLA 4120-1] libnet-easytcp-perl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4120-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
April 08, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libnet-easytcp-perl
Version : 0.26-6+deb11u1
CVE ID : CVE-2024-56830

The Net::EasyTCP Perl module includes encryption functionality that
requires a secure random number generator. Up to and including version
0.26, the module used a random number generator without any such
guarantee: it relied on Crypt::Random, a Perl module not available in
Debian, and fell back to the insecure rand() built-in, so only the small
fraction of users who had installed Crypt::Random from CPAN got a
suitable random number generator.

For Debian 11 bullseye, this problem has been fixed in version
0.26-6+deb11u1. The fallback to rand() has been removed, and the module
now uses Bytes::Random::Secure to obtain random numbers, which has been
made a mandatory dependency. In the unlikely event that
Bytes::Random::Secure is still unavailable (e.g. manually removed),
Net::EasyTCP will crash rather than use an insecure random number
generator.
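The two patterns the advisory contrasts, written out as an added illustration (this is not Net::EasyTCP's own code, and the subroutine names and the 32-byte key length are assumptions made for the example): a silent downgrade to rand() when the preferred CSPRNG module cannot be loaded, beside the hardened form that makes a missing secure source a hard failure.

```perl
#!/usr/bin/perl
# Added example for DLA-4120-1; not code from Net::EasyTCP.
# Subroutine names and the key length are assumptions for illustration.
use strict;
use warnings;

# Before: the pattern the advisory describes. If Crypt::Random cannot be
# loaded, key material silently comes from Perl's rand(), a non-cryptographic
# PRNG whose output is not designed to be unpredictable.
sub weak_key_bytes {
    my ($len) = @_;
    if (eval { require Crypt::Random; 1 }) {
        return Crypt::Random::makerandom_octet(Length => $len);
    }
    # Insecure fallback: nothing tells the caller the key is weak.
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# After: no fallback. Bytes::Random::Secure is loaded unconditionally, so a
# missing module is a die() rather than a quiet switch to rand().
sub secure_key_bytes {
    my ($len) = @_;
    require Bytes::Random::Secure;    # dies if the module is absent
    my $rng = Bytes::Random::Secure->new(NonBlocking => 1);
    return $rng->bytes($len);
}

# Fail closed: refuse to continue if the secure source is missing.
my $key = eval { secure_key_bytes(32) };
die "Bytes::Random::Secure unavailable, refusing to generate a key: $@" if $@;
printf "generated %d random bytes\n", length $key;
```

The point of the second form is that the dependency check happens at the call site without an alternative branch, so an administrator who removes the module sees a crash (as the advisory states for the fixed package) instead of a weak key that looks the same on the wire.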

We recommend that you upgrade your libnet-easytcp-perl packages.

For the detailed security status of libnet-easytcp-perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libnet-easytcp-perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1382-1 linux-6.1 security update


Package : linux-6.1
Version : 6.1.129-1~deb9u1 (stretch), 6.1.129-1~deb10u1 (buster)

Related CVEs :
CVE-2024-26596
CVE-2024-40945
CVE-2024-42069
CVE-2024-42122
CVE-2024-45001
CVE-2024-47726
CVE-2024-49989
CVE-2024-50061
CVE-2024-54458
CVE-2024-56549
CVE-2024-57834
CVE-2024-57973
CVE-2024-57978
CVE-2024-57979
CVE-2024-57980
CVE-2024-57981
CVE-2024-57986
CVE-2024-57993
CVE-2024-57996
CVE-2024-57997
CVE-2024-57998
CVE-2024-58001
CVE-2024-58007
CVE-2024-58009
CVE-2024-58010
CVE-2024-58011
CVE-2024-58013
CVE-2024-58014
CVE-2024-58016
CVE-2024-58017
CVE-2024-58020
CVE-2024-58034
CVE-2024-58051
CVE-2024-58052
CVE-2024-58054
CVE-2024-58055
CVE-2024-58056
CVE-2024-58058
CVE-2024-58061
CVE-2024-58063
CVE-2024-58068
CVE-2024-58069
CVE-2024-58071
CVE-2024-58072
CVE-2024-58076
CVE-2024-58077
CVE-2024-58080
CVE-2024-58083
CVE-2024-58085
CVE-2024-58086
CVE-2025-21684
CVE-2025-21700
CVE-2025-21701
CVE-2025-21703
CVE-2025-21704
CVE-2025-21705
CVE-2025-21706
CVE-2025-21707
CVE-2025-21708
CVE-2025-21711
CVE-2025-21715
CVE-2025-21716
CVE-2025-21718
CVE-2025-21719
CVE-2025-21722
CVE-2025-21724
CVE-2025-21725
CVE-2025-21726
CVE-2025-21727
CVE-2025-21728
CVE-2025-21731
CVE-2025-21734
CVE-2025-21735
CVE-2025-21736
CVE-2025-21738
CVE-2025-21744
CVE-2025-21745
CVE-2025-21748
CVE-2025-21749
CVE-2025-21750
CVE-2025-21753
CVE-2025-21758
CVE-2025-21760
CVE-2025-21761
CVE-2025-21762
CVE-2025-21763
CVE-2025-21764
CVE-2025-21765
CVE-2025-21766
CVE-2025-21767
CVE-2025-21772
CVE-2025-21775
CVE-2025-21776
CVE-2025-21779
CVE-2025-21780
CVE-2025-21781
CVE-2025-21782
CVE-2025-21785
CVE-2025-21787
CVE-2025-21790
CVE-2025-21791
CVE-2025-21792
CVE-2025-21794
CVE-2025-21795
CVE-2025-21796
CVE-2025-21799
CVE-2025-21802
CVE-2025-21804
CVE-2025-21806
CVE-2025-21811
CVE-2025-21812
CVE-2025-21814
CVE-2025-21819
CVE-2025-21820
CVE-2025-21821
CVE-2025-21823
CVE-2025-21826
CVE-2025-21829
CVE-2025-21830
CVE-2025-21832
CVE-2025-21835

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.





[SECURITY] [DLA 4121-1] phpmyadmin security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4121-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
April 08, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : phpmyadmin
Version : 4:5.0.4+dfsg2-2+deb11u2
CVE ID : CVE-2023-25727 CVE-2025-24529 CVE-2025-24530

Multiple XSS vulnerabilities have been fixed in phpMyAdmin,
an administration tool for MySQL and MariaDB databases.

CVE-2023-25727

XSS vulnerability in drag-and-drop upload

CVE-2025-24529

XSS on Insert page

CVE-2025-24530

XSS when checking tables

For Debian 11 bullseye, these problems have been fixed in version
4:5.0.4+dfsg2-2+deb11u2.

We recommend that you upgrade your phpmyadmin packages.

For the detailed security status of phpmyadmin please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpmyadmin

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4119-1] lemonldap-ng security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4119-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Yadd
April 08, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : lemonldap-ng
Version : 2.0.11+ds-4+deb11u7
CVE ID : CVE-2025-31510

lemonldap-ng is a powerful SSO solution that implements OpenID-Connect,
SAML, CAS and more. An input validation vulnerability (XSS) has been
identified when using the "Choice" module. It permits the introduction
of HTML code into the login page, and if the default
Content-Security-Policy headers have been modified, it may also be
possible to inject JavaScript code.

For Debian 11 bullseye, this problem has been fixed in version
2.0.11+ds-4+deb11u7.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5897-1] lemonldap-ng security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5897-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 08, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : lemonldap-ng
CVE ID : CVE-2025-31510

A cross-site scripting vulnerability has been discovered in
Lemonldap::NG, a Web-SSO system compatible with OpenID-Connect, CAS and
SAML, when using the "Choice" module: it permits the introduction of
HTML code into the login page and, if the default Content-Security-Policy
headers have been modified, it may be possible to inject JavaScript code.
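Both lemonldap-ng advisories (DLA-4119-1 above and this DSA) hinge on the same condition: HTML injection only becomes script execution once the Content-Security-Policy has been loosened. The following added example is not part of the advisories or of Lemonldap::NG; it parses a CSP header and reports the script-src relaxations that would turn the injected HTML into runnable JavaScript. The two header values are constructed samples, not Lemonldap::NG's actual default policy.

```perl
#!/usr/bin/perl
# Added example for DLA-4119-1 / DSA-5897-1; not Lemonldap::NG code.
# Header values below are constructed samples.
use strict;
use warnings;

# Parse "directive src src; directive src" into a hash of source lists.
sub parse_csp {
    my ($header) = @_;
    my %policy;
    for my $directive (split /\s*;\s*/, $header) {
        next unless length $directive;
        my ($name, @sources) = split /\s+/, $directive;
        $policy{lc $name} = [ map { lc } @sources ];
    }
    return \%policy;
}

# Returns findings describing how script execution has been loosened;
# an empty list means scripts are still limited to the listed origins.
sub csp_script_findings {
    my ($header) = @_;
    my $policy  = parse_csp($header);
    my $sources = $policy->{'script-src'} // $policy->{'default-src'};
    return ('no script-src or default-src: inline scripts are allowed')
        unless $sources;

    my @findings;
    for my $src (@$sources) {
        push @findings, "script-src permits inline scripts ('unsafe-inline')"
            if $src eq "'unsafe-inline'";
        push @findings, "script-src permits eval ('unsafe-eval')"
            if $src eq "'unsafe-eval'";
        push @findings, "script-src allows any host (*)" if $src eq '*';
        push @findings, "script-src allows data: URLs"   if $src eq 'data:';
    }
    return @findings;
}

my %samples = (
    restrictive => "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
    loosened    => "default-src 'self'; script-src 'self' 'unsafe-inline' *",
);
for my $name (sort keys %samples) {
    my @f = csp_script_findings($samples{$name});
    printf "%-12s %s\n", "$name:",
        @f ? join('; ', @f) : 'script execution still restricted';
}
```

Run this against the Content-Security-Policy value your login page actually returns (for example from curl -I) to confirm the policy still forbids inline scripts after the upgrade. One caveat: browsers that support nonces or hashes ignore 'unsafe-inline' when a nonce- or sha256- source is also present, so a policy flagged here may be tighter in practice than the string suggests.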

For the stable distribution (bookworm), this problem has been fixed in
version 2.16.1+ds-deb12u6.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/