ELA-1342-1 log4net security update
Package : log4net
Version : 1.2.10+dfsg-8~deb10u1 (buster)
Related CVEs :
CVE-2018-1285
XML external entities were not disabled when parsing configuration files in log4net, a logging library for the Common Language Infrastructure (Mono, .NET).
ELA-1343-1 proftpd-dfsg security update
Package : proftpd-dfsg
Version : 1.3.5e+r1.3.5b-4+deb9u4 (stretch), 1.3.6-4+deb10u7 (buster)
Related CVEs :
CVE-2023-48795
CVE-2023-51713
CVE-2024-48651
CVE-2024-57392
Multiple vulnerabilities were fixed in ProFTPD, a popular FTP server.
CVE-2023-48795:
The SSH transport protocol with certain OpenSSH extensions, such as the SFTP implementation found in ProFTPD, allows remote attackers
to bypass integrity checks such that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection for which some security features have been downgraded
or disabled.
This attack is also known as the Terrapin attack.
CVE-2023-51713:
The make_ftp_cmd function in ProFTPD has a one-byte out-of-bounds read.
CVE-2024-48651:
A user with no supplemental groups will incorrectly inherit supplemental groups
from the parent process. The parent process retains supplemental GID 0, which is inherited by child
processes and not overwritten if the authenticated user has no supplemental groups.
CVE-2024-57392:
A buffer overflow vulnerability allowed a remote attacker to execute arbitrary code (RCE) or cause a
denial of service (DoS) on the FTP service by sending a maliciously crafted message to the ProFTPD service port.
Moreover, two important bugs were fixed in this release:
BlastRADIUS fix:
Fix the computation of the RADIUS Message-Authenticator signature to conform
more properly to RFC 2869, and allow RADIUS authentication to work against
mitigations of CVE-2024-3596.
Debian bug #1090813:
The PassivePorts directive can cause proftpd to swap data streams across
clients when the server is in passive mode.
ELA-1344-1 commons-beanutils security update
Package : commons-beanutils
Version : 1.9.3-1+deb10u1 (buster)
Related CVEs :
CVE-2019-10086
Arbitrary code execution was possible by default in Apache Commons BeanUtils, Java classes for working with JavaBeans classes.
If needed, users can restore the previous default with
final BeanUtilsBean bub = new BeanUtilsBean();
bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
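The following is an added example, not part of the advisory or of the commons-beanutils project, that lets an application confirm whether the hardened default is in effect: with the fixed package, `isReadable(bean, "class")` returns false, and it only returns true again after the opt-out quoted above. It assumes commons-beanutils from this update (or any 1.9.4-compatible build) is on the classpath; the `Probe` bean is constructed for the example.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    /** Plain JavaBean used as the probe target (constructed for this example). */
    public static class Probe {
        private String name = "probe";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Reports whether the given BeanUtilsBean still exposes the "class"
     * pseudo-property of arbitrary beans. The fixed package suppresses it
     * by default, so this returns false unless the application has opted
     * back into the pre-fix behaviour.
     */
    public static boolean exposesClassProperty(BeanUtilsBean bub) {
        return bub.getPropertyUtils().isReadable(new Probe(), "class");
    }

    public static void main(String[] args) {
        // Hardened default shipped with the update: "class" is hidden.
        BeanUtilsBean hardened = new BeanUtilsBean();
        System.out.println("default exposes class: " + exposesClassProperty(hardened));

        // The opt-out quoted in the advisory restores the previous default.
        BeanUtilsBean legacy = new BeanUtilsBean();
        legacy.getPropertyUtils().removeBeanIntrospector(
                SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("opt-out exposes class: " + exposesClassProperty(legacy));

        // Ordinary bean properties remain readable in both configurations.
        System.out.println("name readable: "
                + hardened.getPropertyUtils().isReadable(new Probe(), "name"));
    }
}
```

Running `exposesClassProperty` against the `BeanUtilsBean` instances an application actually uses (rather than fresh ones) is the useful check, since the opt-out may have been applied anywhere in the code base.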