Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1289-1 python-reportlab security update
ELA-1291-1 tomcat7 security update
Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1290-1 rsync security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1288-1 linux-6.1 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4015-1] rsync security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5843-1] rsync security update
ELA-1288-1 linux-6.1 security update
Package : linux-6.1
Version : 6.1.119-1~deb9u1 (stretch), 6.1.119-1~deb10u1 (buster)
Related CVEs :
CVE-2022-45888
CVE-2023-52812
CVE-2024-26952
CVE-2024-26954
CVE-2024-35964
CVE-2024-36244
CVE-2024-36478
CVE-2024-36914
CVE-2024-36915
CVE-2024-36923
CVE-2024-38540
CVE-2024-38553
CVE-2024-41080
CVE-2024-42322
CVE-2024-43868
CVE-2024-43904
CVE-2024-43911
CVE-2024-44949
CVE-2024-49950
CVE-2024-49960
CVE-2024-49974
CVE-2024-49986
CVE-2024-49991
CVE-2024-50012
CVE-2024-50036
CVE-2024-50067
CVE-2024-50072
CVE-2024-50126
CVE-2024-50215
CVE-2024-50218
CVE-2024-50229
CVE-2024-50230
CVE-2024-50232
CVE-2024-50233
CVE-2024-50234
CVE-2024-50235
CVE-2024-50236
CVE-2024-50237
CVE-2024-50242
CVE-2024-50243
CVE-2024-50244
CVE-2024-50245
CVE-2024-50247
CVE-2024-50249
CVE-2024-50250
CVE-2024-50251
CVE-2024-50252
CVE-2024-50255
CVE-2024-50256
CVE-2024-50257
CVE-2024-50259
CVE-2024-50261
CVE-2024-50262
CVE-2024-50264
CVE-2024-50265
CVE-2024-50267
CVE-2024-50268
CVE-2024-50269
CVE-2024-50271
CVE-2024-50272
CVE-2024-50273
CVE-2024-50276
CVE-2024-50278
CVE-2024-50279
CVE-2024-50280
CVE-2024-50282
CVE-2024-50283
CVE-2024-50284
CVE-2024-50286
CVE-2024-50287
CVE-2024-50290
CVE-2024-50292
CVE-2024-50295
CVE-2024-50296
CVE-2024-50299
CVE-2024-50301
CVE-2024-50302
CVE-2024-53042
CVE-2024-53043
CVE-2024-53052
CVE-2024-53055
CVE-2024-53057
CVE-2024-53058
CVE-2024-53059
CVE-2024-53060
CVE-2024-53061
CVE-2024-53063
CVE-2024-53066
CVE-2024-53070
CVE-2024-53072
CVE-2024-53081
CVE-2024-53082
CVE-2024-53088
CVE-2024-53093
Several vulnerabilities have been discovered in the Linux kernel that may
lead to privilege escalation, denial of service or information leaks.
[SECURITY] [DSA 5843-1] rsync security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5843-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 14, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : rsync
CVE ID : CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087
CVE-2024-12088 CVE-2024-12747
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool.
CVE-2024-12084
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a
heap-based buffer overflow vulnerability due to improper handling of
attacker-controlled checksum lengths. A remote attacker can take
advantage of this flaw for code execution.
CVE-2024-12085
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.
CVE-2024-12086
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client's machine.
CVE-2024-12087
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
--inc-recursive option, which could allow a server to write files
outside of the client's intended destination directory.
CVE-2024-12088
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the --safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link within it,
resulting in path traversal and arbitrary file write outside of the
desired directory.
CVE-2024-12747
Aleksei Gorban "loqpa" discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.
For the stable distribution (bookworm), these problems have been fixed in
version 3.2.7-1+deb12u1.
We recommend that you upgrade your rsync packages.
For the detailed security status of rsync please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/rsync
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1290-1 rsync security update
Package : rsync
Version : 3.1.1-3+deb8u3 (jessie), 3.1.2-1+deb9u4 (stretch), 3.1.3-6+deb10u1 (buster)
Related CVEs :
CVE-2024-12085
CVE-2024-12086
CVE-2024-12087
CVE-2024-12088
CVE-2024-12747
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool.
CVE-2024-12085
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.
CVE-2024-12086
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client's machine.
CVE-2024-12087
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
--inc-recursive option, which could allow a server to write files
outside of the client's intended destination directory.
CVE-2024-12088
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the --safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link within it,
resulting in path traversal and arbitrary file write outside of the
desired directory.
CVE-2024-12747
Aleksei Gorban "loqpa" discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.
ELA-1289-1 python-reportlab security update
Package : python-reportlab
Version : 3.1.8-3+deb8u3 (jessie)
Related CVEs :
CVE-2019-19450
CVE-2020-28463
CVE-2019-19450
Ravi Prakash Giri discovered a remote code execution vulnerability
via a crafted XML document where
[SECURITY] [DLA 4015-1] rsync security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4015-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
January 14, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : rsync
Version : 3.2.3-4+deb11u2
CVE ID : CVE-2024-12085 CVE-2024-12086 CVE-2024-12087
CVE-2024-12088 CVE-2024-12747
Several vulnerabilities were discovered in rsync, a fast, versatile,
remote (and local) file-copying tool.
CVE-2024-12085
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in
the way rsync compares file checksums, allowing a remote attacker to
trigger an information leak.
CVE-2024-12086
Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw
which would result in a server leaking contents of an arbitrary file
from the client's machine.
CVE-2024-12087
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path
traversal vulnerability in the rsync daemon affecting the
--inc-recursive option, which could allow a server to write files
outside of the client's intended destination directory.
CVE-2024-12088
Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when
using the --safe-links option, rsync fails to properly verify if a
symbolic link destination contains another symbolic link within it,
resulting in path traversal and arbitrary file write outside of the
desired directory.
CVE-2024-12747
Aleksei Gorban "loqpa" discovered a race condition when handling
symbolic links resulting in an information leak which may enable
escalation of privileges.
For Debian 11 bullseye, these problems have been fixed in version
3.2.3-4+deb11u2.
We recommend that you upgrade your rsync packages.
For the detailed security status of rsync please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rsync
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
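The rsync advisories above (ELA-1290-1, DLA-4015-1 and DSA-5843-1) each name the version in which the problems are fixed for a given suite, and the practical question on a host is whether the installed package is at or above that version. The following is an added example, not code from Debian or from the advisories: a pure-Python implementation of the dpkg version ordering (Debian Policy section 5.6.12: epoch, then upstream version, then Debian revision, with alternating non-digit and digit runs, tilde sorting before everything and letters before non-letters) that compares an installed version string against the per-suite fixed versions quoted on this page. The FIXED_RSYNC table is copied from the advisories; the function names and the sample version strings are constructed for the example. On a real host the string to check is what `dpkg-query -W -f='${Version}' rsync` prints.

```python
import string

# Added example, not Debian's or the advisories' own code. Fixed rsync
# versions per suite, copied from ELA-1290-1, DLA-4015-1 and DSA-5843-1.
FIXED_RSYNC = {
    "jessie": "3.1.1-3+deb8u3",     # ELA-1290-1
    "stretch": "3.1.2-1+deb9u4",    # ELA-1290-1
    "buster": "3.1.3-6+deb10u1",    # ELA-1290-1
    "bullseye": "3.2.3-4+deb11u2",  # DLA-4015-1
    "bookworm": "3.2.7-1+deb12u1",  # DSA-5843-1
}

_DIGITS = set(string.digits)


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run: '~' sorts before
    everything (even the end of the string), letters before non-letters,
    end of string counts as 0."""
    if c == "~":
        return -1
    if c == "" or c in _DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision fragment the way dpkg does:
    non-digit runs lexically (modified order), digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, compared character by character.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run, compared numerically; an empty run counts as zero.
        sa = i
        while i < len(a) and a[i] in _DIGITS:
            i += 1
        sb = j
        while j < len(b) and b[j] in _DIGITS:
            j += 1
        na = int(a[sa:i] or "0")
        nb = int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The revision is everything after the last hyphen."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def rsync_is_fixed(suite: str, installed: str) -> bool:
    """True when the installed rsync is at or above the suite's fixed version."""
    return compare_versions(installed, FIXED_RSYNC[suite]) >= 0


if __name__ == "__main__":
    # Constructed sample inputs, not readings from real hosts.
    samples = [
        ("bullseye", "3.2.3-4+deb11u1"),
        ("bullseye", "3.2.3-4+deb11u2"),
        ("buster", "3.1.3-6"),
        ("bookworm", "3.2.7-1+deb12u1"),
    ]
    for suite, ver in samples:
        state = "fixed" if rsync_is_fixed(suite, ver) else "VULNERABLE"
        print(f"{suite:9} rsync {ver:18} -> {state}")
```

Two details of the ordering matter for advisories like these: a revision with a trailing `+debNuM` sorts above the bare revision (so `3.1.3-6` is below `3.1.3-6+deb10u1`), and a `~` suffix sorts below the bare version (so `6.1.119-1~deb9u1` is below `6.1.119-1`, which is why backport-style kernel versions use it). The same code also shows why the tomcat7 package on this page carries a `+really` version: `7.0.56-3+really7.0.109-1+deb8u7` compares below `7.0.109-1`, because the comparison reaches `56` before it ever sees `109`.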
ELA-1291-1 tomcat7 security update
Package : tomcat7
Version : 7.0.56-3+really7.0.109-1+deb8u7 (jessie)
Related CVEs :
CVE-2024-23672
A denial-of-service vulnerability was found in Tomcat 7, a Java-based web
server, servlet and JSP engine. It was possible for WebSocket clients to keep
WebSocket connections open, leading to increased resource consumption.