
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1174-1 postgresql-9.4 security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1171-1 mariadb-10.1 security update
ELA-1173-1 postgresql-9.6 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1172-1 postgresql-11 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3875-1] gnutls28 security update
[SECURITY] [DLA 3876-1] setuptools security update
[SECURITY] [DLA 3873-1] nova security update
[SECURITY] [DLA 3872-1] glance security update
[SECURITY] [DLA 3871-1] cinder security update
[SECURITY] [DLA 3870-1] python-oslo.utils new upstream release
[SECURITY] [DLA 3874-1] nsis security update




ELA-1171-1 mariadb-10.1 security update

Package : mariadb-10.1
Version : 10.1.48-0+deb9u3 (stretch)

Related CVEs :
CVE-2021-2154
CVE-2021-2166
CVE-2021-2194
CVE-2021-2389
CVE-2021-46657
CVE-2021-46661
CVE-2021-46663
CVE-2021-46664
CVE-2021-46665
CVE-2021-46666
CVE-2021-46667
CVE-2021-46668
CVE-2021-46669

Multiple vulnerabilities were fixed in MariaDB, a popular database server.

CVE-2021-2154
An easily exploitable vulnerability related to the UDF_INIT() function
used by MariaDB allows a high-privileged attacker with network access via
multiple protocols to compromise the MariaDB server. Successful attacks
can result in the unauthorized ability to cause the server to hang or to
crash in a frequently repeatable way.

CVE-2021-2166
MySQL's SET plug-in variables were wrongly locked, making it possible for
high-privileged attackers with network access to compromise the MariaDB
server, potentially causing a denial of service (DoS).

CVE-2021-2194
Incorrect handling of filters related to full-text search could be used by
remote attackers to cause MariaDB Server to crash.

CVE-2021-2389
Incorrect handling of SELECT and UPDATE queries on tables with full-text
indices may cause out-of-memory errors.

CVE-2021-46657
get_sort_by_table in MariaDB could be used to cause an
application crash via certain subquery uses of ORDER BY.

CVE-2021-46661
Incorrect handling of find functions in tables and lists makes it possible
to cause a DoS.

CVE-2021-46663
Incorrect handling of certain SELECT statements made it possible to crash
the MariaDB server via ha_maria::extra.

CVE-2021-46664
MariaDB could crash in sub_select_postjoin_aggr when aggr is NULL.

CVE-2021-46665
Incorrect handling of used_tables makes it possible to cause MariaDB to crash.

CVE-2021-46666
Mishandling of HAVING and WHERE clauses allows an attacker to cause a DoS.

CVE-2021-46667
An integer overflow in sql_lex.cc may lead to an application crash.

CVE-2021-46668
MariaDB could crash on certain long SELECT DISTINCT statements that
interact improperly with storage-engine resource limits for temporary
data structures.

CVE-2021-46669
A use-after-free in convert_const_to_int when the BIGINT data type is used.



[SECURITY] [DLA 3875-1] gnutls28 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3875-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gnutls28
Version : 3.7.1-5+deb11u6
CVE ID : CVE-2024-28834 CVE-2024-28835
Debian Bug : 1067463 1067464

Vulnerabilities have been found in GnuTLS, which could lead to
information disclosure or Denial of Service.

CVE-2024-28834

Hubert Kario and George Pantelakis discovered that GnuTLS was
vulnerable to a side-channel attack known as the Minerva attack.
In specific scenarios, such as when using the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, the deterministic ECDSA code
leaks the bit-length of the random nonce, which allows full recovery of
the private key after observing a few hundred to a few thousand
signatures on known messages.

CVE-2024-28835

It was discovered that attempting to verify a specially crafted .pem
bundle using the `certtool --verify-chain` command could cause an
application crash.

For Debian 11 bullseye, these problems have been fixed in version
3.7.1-5+deb11u6.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3876-1] setuptools security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3876-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : setuptools
Version : 52.0.0-4+deb11u1
CVE ID : CVE-2022-40897 CVE-2024-6345
Debian Bug :

Brief introduction

CVE-2022-40897

setuptools before 65.5.1 allows remote attackers to cause a denial
of service via HTML in a crafted package or custom PackageIndex
page. There is a Regular Expression Denial of Service (ReDoS)
in package_index.py.

CVE-2024-6345

A vulnerability in the package_index module allows for remote code
execution via its download functions. These functions, which are
used to download packages from URLs provided by users or retrieved
from package index servers, are susceptible to code injection. If
these functions are exposed to user-controlled inputs, such as
package URLs, they can execute arbitrary commands on the system.

For Debian 11 bullseye, these problems have been fixed in version
52.0.0-4+deb11u1.

We recommend that you upgrade your setuptools packages.

For the detailed security status of setuptools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/setuptools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3873-1] nova security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3873-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thomas Goirand
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nova
Version : 2:22.4.0-1~deb11u5
CVE ID : CVE-2024-32498 CVE-2024-40767
Debian Bug : 1074762

Martin Kaesberger discovered a vulnerability which affects multiple
OpenStack components (Nova, Glance and Cinder): Malformed QCOW2 disk
images may result in the disclosure of arbitrary files.

Arnaud Morin later discovered that the initial fix was not sufficient,
and that nova was still vulnerable with some VM image types.

For Debian 11 bullseye, these problems have been fixed in version
2:22.4.0-1~deb11u5.

We recommend that you upgrade your nova packages.

For the detailed security status of nova please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nova

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3872-1] glance security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3872-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thomas Goirand
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : glance
Version : 2:21.1.0-1+deb11u2
CVE ID : CVE-2024-32498
Debian Bug : 1074761

Martin Kaesberger discovered a vulnerability which affects multiple
OpenStack components (Nova, Glance and Cinder): Malformed QCOW2 disk
images may result in the disclosure of arbitrary files.

For Debian 11 bullseye, this problem has been fixed in version
2:21.1.0-1+deb11u2.

We recommend that you upgrade your glance packages.

For the detailed security status of glance please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/glance

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3871-1] cinder security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3871-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thomas Goirand
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : cinder
Version : 2:17.4.0-1~deb11u2
CVE ID : CVE-2023-2088 CVE-2024-32498
Debian Bug : 1035961 1074763

Martin Kaesberger discovered a vulnerability which affects multiple
OpenStack components (Nova, Glance and Cinder): Malformed QCOW2 disk
images may result in the disclosure of arbitrary files.

This update also fixes unauthorized volume access through deleted
volume attachments (only Cinder deployments using the LVM over iSCSI
driver were affected).

For Debian 11 bullseye, these problems have been fixed in version
2:17.4.0-1~deb11u2.

We recommend that you upgrade your cinder packages.

For the detailed security status of cinder please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cinder

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3870-1] python-oslo.utils new upstream release


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3870-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thomas Goirand
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-oslo.utils
Version : 4.6.1-0+deb11u1

python-oslo.utils, a set of utilities used by OpenStack, was updated
as a requirement to fix CVE-2024-32498 in the cinder, glance and
nova OpenStack components.

For Debian 11 bullseye, this was addressed in version 4.6.1-0+deb11u1.

We recommend that you upgrade your python-oslo.utils packages.

For the detailed security status of python-oslo.utils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-oslo.utils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3874-1] nsis security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3874-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nsis
Version : 3.06.1-1+deb11u1
CVE ID : CVE-2023-37378
Debian Bug : 1040880

CVE-2023-37378

Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles
access control for an uninstaller directory.

For Debian 11 bullseye, this problem has been fixed in version
3.06.1-1+deb11u1.

We recommend that you upgrade your nsis packages.

For the detailed security status of nsis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nsis

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1174-1 postgresql-9.4 security update

Package : postgresql-9.4
Version : 9.4.26-0+deb8u10 (jessie)

Related CVEs :
CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in
PostgreSQL, which may result in privilege escalation.



ELA-1173-1 postgresql-9.6 security update

Package : postgresql-9.6
Version : 9.6.24-0+deb9u7 (stretch)

Related CVEs :
CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in
PostgreSQL, which may result in privilege escalation.



ELA-1172-1 postgresql-11 security update

Package : postgresql-11
Version : 11.22-0+deb10u3 (buster)

Related CVEs :
CVE-2024-7348

Noah Misch discovered a race condition in the pg_dump tool included in
PostgreSQL, which may result in privilege escalation.

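Every advisory above ends with "we recommend that you upgrade", which in practice means comparing what dpkg reports against the fixed version each advisory names. The following is an added example, not part of any Debian advisory and not Debian tooling: it re-implements the dpkg version ordering (epoch, upstream version, Debian revision; `~` sorts before everything, including the end of the string; digit runs compare numerically) and checks constructed `dpkg-query` output against a table copied from the bullseye advisories. It assumes the output was produced with the format string shown in the comment, so that each line carries the binary package, its source package and the source version with epoch; the sample lines are constructed, and the version ordering is the one `dpkg --compare-versions` applies.

```python
"""Added example: compare installed Debian package versions with the fixed
versions named in the advisories. Not part of the Debian advisories."""


def _char_order(c):
    """dpkg weight of one character in a non-digit run (None = end of string)."""
    if c is None or c.isdigit():
        return 0             # end of string and digits weigh nothing here
    if c == "~":
        return -1            # '~' sorts before everything, even the end
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256      # '+', '.', etc. sort after letters


def _cmp_component(a, b):
    """Compare an upstream-version or revision string: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with the dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _char_order(a[i] if i < len(a) else None)
            ob = _char_order(b[j] if j < len(b) else None)
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Digit run: numeric comparison, an absent run counts as 0.
        sa = i
        while i < len(a) and a[i].isdigit():
            i += 1
        sb = j
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (int epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Same ordering as `dpkg --compare-versions`: -1 if a < b, 0, or 1."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_component(ua, ub) or _cmp_component(ra, rb)


# Fixed versions copied from the Debian 11 (bullseye) advisories above,
# keyed by source package name.
FIXED_VERSIONS = {
    "gnutls28": "3.7.1-5+deb11u6",
    "setuptools": "52.0.0-4+deb11u1",
    "nova": "2:22.4.0-1~deb11u5",
    "glance": "2:21.1.0-1+deb11u2",
    "cinder": "2:17.4.0-1~deb11u2",
    "python-oslo.utils": "4.6.1-0+deb11u1",
    "nsis": "3.06.1-1+deb11u1",
}

# Constructed sample (not a real host) of:
#   dpkg-query -W -f '${Package} ${source:Package} ${source:Version}\n'
SAMPLE_DPKG_QUERY = """\
libgnutls30 gnutls28 3.7.1-5+deb11u5
python3-setuptools setuptools 52.0.0-4+deb11u1
python3-nova nova 2:22.4.0-1~deb11u4
nova-common nova 2:22.4.0-1~deb11u4
python3-glance glance 2:21.1.0-1+deb11u2
cinder-common cinder 2:17.4.0-1~deb11u2
python3-oslo.utils python-oslo.utils 4.6.1-0+deb11u1
nsis nsis 3.06.1-1+deb11u1
"""


def outdated_packages(dpkg_query_output, fixed=FIXED_VERSIONS):
    """Return {source_package: (installed, fixed)} for every listed source
    package whose installed version sorts below the advisory's fixed one."""
    result = {}
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _binary, source, installed = parts
        if source in fixed and compare_versions(installed, fixed[source]) < 0:
            result[source] = (installed, fixed[source])
    return result


if __name__ == "__main__":
    for source, (have, want) in sorted(outdated_packages(SAMPLE_DPKG_QUERY).items()):
        print(f"{source}: installed {have}, fixed in {want}")
```

Two details matter when reading the result: the advisories name source packages, so the check keys on `${source:Package}` rather than the binary name (`libgnutls30` belongs to `gnutls28`), and a revision such as `-1~deb11u5` sorts below a plain `-1`, which is the intended Debian semantics and is why `~` is given the lowest weight.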