Debian 10260 Published by

Debian GNU/Linux has received security updates, including the mediawiki, trafficserver, and chromium security updates:

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3896-1] mediawiki security update
[SECURITY] [DLA 3897-1] trafficserver security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5775-1] chromium security update




[SECURITY] [DLA 3896-1] mediawiki security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3896-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 26, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : mediawiki
Version : 1:1.35.13-1+deb11u3
CVE ID : CVE-2023-51704

Privileged XSS in the user rights log has been fixed in the MediaWiki
wiki engine.

For Debian 11 bullseye, this problem has been fixed in version
1:1.35.13-1+deb11u3.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3897-1] trafficserver security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3897-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 27, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : trafficserver
Version : 8.1.11+ds-0+deb11u1
CVE ID : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296
Debian Bug : 1077141

Multiple vulnerabilities were fixed in trafficserver,
a caching proxy server.

CVE-2023-38522

Incomplete field name check allows request smuggling

CVE-2024-35161

Incomplete check for chunked trailer section allows
request smuggling

CVE-2024-35296

Invalid Accept-Encoding can force forwarding requests

For Debian 11 bullseye, these problems have been fixed in version
8.1.11+ds-0+deb11u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5775-1] chromium security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5775-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
September 26, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2024-9120 CVE-2024-9121 CVE-2024-9122 CVE-2024-9123

Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 129.0.6668.70-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/