Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1326-1 python-urllib3 security update
Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1324-1 openssh security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4059-1] mosquitto security update
[DLA 4060-1] djoser security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5869-1] chromium security update
[SECURITY] [DLA 4059-1] mosquitto security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4059-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
February 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : mosquitto
Version : 2.0.11-1+deb11u2
CVE ID : CVE-2024-3935 CVE-2024-10525
The following vulnerabilities have been discovered in the package
mosquitto, an MQTT message broker.
CVE-2024-3935
If a Mosquitto broker is configured to create an outgoing bridge
connection, and that bridge connection has an incoming topic
configured that makes use of topic remapping, then if the remote
connection sends a crafted PUBLISH packet to the broker a double
free will occur with a subsequent crash of the broker.
CVE-2024-10525
If a malicious broker sends a crafted SUBACK packet with no reason
codes, a client using libmosquitto may perform an out-of-bounds memory
access in its on_subscribe callback. This affects the mosquitto_sub and
mosquitto_rr clients.
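The SUBACK problem above is a length-validation failure: the client's callback assumes one reason code per topic filter it subscribed to. The following is an added example, not libmosquitto's code, of how a client can parse an MQTT 3.1.1 SUBACK and refuse to dispatch the callback when the reason-code count does not match the filters it sent (MQTT v5, which inserts a properties field before the reason codes, is deliberately not handled here; `build_suback` exists only to construct test inputs).

```python
"""Parse an MQTT 3.1.1 SUBACK and check its reason-code count before use.

Added example (not mosquitto's code): the client keeps the list of topic
filters it sent in SUBSCRIBE and only runs its on_subscribe logic when the
broker returned exactly one reason code per filter.
"""
import struct


class MalformedPacket(ValueError):
    """Raised for any SUBACK that does not match the wire format."""


def decode_varint(buf: bytes, pos: int):
    """Decode the MQTT variable-length 'remaining length' field at pos."""
    value, multiplier = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, pos + i + 1
    raise MalformedPacket("remaining length longer than four bytes")


def parse_suback(packet: bytes):
    """Return (packet_id, reason_codes) for an MQTT 3.1.1 SUBACK."""
    if not packet or packet[0] != 0x90:
        raise MalformedPacket("not a SUBACK (expected control byte 0x90)")
    remaining, pos = decode_varint(packet, 1)
    body = packet[pos:]
    if len(body) != remaining:
        raise MalformedPacket("remaining length does not match payload")
    if remaining < 2:
        raise MalformedPacket("SUBACK shorter than the packet identifier")
    (packet_id,) = struct.unpack("!H", body[:2])
    return packet_id, list(body[2:])  # every remaining byte is a return code


def validate_suback(packet: bytes, pending_filters):
    """Reject a SUBACK whose reason-code count differs from the filters sent.

    This is the check that keeps an on_subscribe callback from indexing
    past the end of an empty or short reason-code array.
    """
    packet_id, codes = parse_suback(packet)
    if len(codes) != len(pending_filters):
        raise MalformedPacket(
            f"expected {len(pending_filters)} reason codes, got {len(codes)}")
    for code in codes:
        # MQTT 3.1.1 allows granted QoS 0/1/2 or 0x80 (failure).
        if code not in (0x00, 0x01, 0x02, 0x80):
            raise MalformedPacket(f"invalid SUBACK return code 0x{code:02x}")
    return packet_id, codes


def build_suback(packet_id: int, codes) -> bytes:
    """Build a SUBACK for constructed test inputs (bodies under 128 bytes)."""
    body = struct.pack("!H", packet_id) + bytes(codes)
    return bytes([0x90, len(body)]) + body


if __name__ == "__main__":
    # Constructed inputs: a well-formed SUBACK and one with no reason codes.
    print(validate_suback(build_suback(7, [0x00, 0x80]), ["a/#", "b/+"]))
    try:
        validate_suback(build_suback(7, []), ["a/#"])
    except MalformedPacket as exc:
        print("rejected:", exc)
```

The same count check belongs in any client library that hands the granted-QoS array to application code; the callback itself should never be the place where the length is discovered.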
For Debian 11 bullseye, these problems have been fixed in version
2.0.11-1+deb11u2.
We recommend that you upgrade your mosquitto packages.
For the detailed security status of mosquitto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mosquitto
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5869-1] chromium security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5869-1 security@debian.org
https://www.debian.org/security/ Andres Salomon
February 21, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : chromium
CVE ID : CVE-2025-0999 CVE-2025-1006 CVE-2025-1426
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
For the stable distribution (bookworm), these problems have been fixed in
version 133.0.6943.126-1~deb12u1.
We recommend that you upgrade your chromium packages.
For the detailed security status of chromium please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/chromium
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4060-1] djoser security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4060-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
February 20, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : djoser
Version : 2.1.0-1+deb11u1
CVE ID : CVE-2024-21543
Debian Bug : 1089915
djoser is a REST implementation of the Django authentication system.
It has a very low install count according to the popularity contest,
so you most likely don't have it installed and are thus not affected.
For Debian 11 bullseye, this problem has been fixed in version
2.1.0-1+deb11u1.
(A similar update for Debian 12 bookworm is currently being processed.)
We recommend that you upgrade your djoser packages.
For the detailed security status of djoser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/djoser
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1326-1 python-urllib3 security update
Package : python-urllib3
Version : 1.9.1-3+deb8u3 (jessie), 1.19.1-1+deb9u3 (stretch), 1.24.1-1+deb10u3 (buster)
Related CVEs : CVE-2024-37891
It was discovered that when sending HTTP requests without using
urllib3’s proxy support, it’s possible to accidentally set the
Proxy-Authorization header even though it won’t have any effect as the
request is not using a forwarding proxy or a tunneling proxy.
In those cases, urllib3 doesn’t treat the Proxy-Authorization HTTP
header as one carrying authentication material and thus doesn’t strip
the header on cross-origin redirects, which might lead to authorization
bypass.
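The fix amounts to treating Proxy-Authorization as credential-bearing, so that it is dropped alongside Authorization and Cookie whenever a redirect leaves the request's origin. The block below is an added example in plain Python, not urllib3's own code, that models that rule over a constructed redirect chain; the `REMOVE_ON_CROSS_ORIGIN` set and the `follow_redirects` helper are assumptions of this example.

```python
"""Strip credential-bearing headers when a redirect changes origin.

Added example, not urllib3's code: models the header-stripping behaviour
that the CVE-2024-37891 fix extends to Proxy-Authorization.
"""
from urllib.parse import urljoin, urlsplit

# Headers that must never follow a request to a different origin.
REMOVE_ON_CROSS_ORIGIN = frozenset(
    {"authorization", "cookie", "proxy-authorization"})


def origin(url: str):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return scheme, host, port


def headers_for_redirect(headers, from_url, to_url,
                         remove=REMOVE_ON_CROSS_ORIGIN):
    """Headers to send to to_url: unchanged if same origin, else filtered."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in remove}


def follow_redirects(start_url, headers, redirect_map, max_hops=5):
    """Walk a constructed redirect map (url -> Location) offline.

    Returns one (url, headers_sent) pair per hop so the caller can see
    exactly which headers crossed an origin boundary.
    """
    trail = []
    url, current = start_url, dict(headers)
    for _ in range(max_hops):
        trail.append((url, dict(current)))
        location = redirect_map.get(url)
        if location is None:
            return trail
        next_url = urljoin(url, location)  # Location may be relative
        current = headers_for_redirect(current, url, next_url)
        url = next_url
    raise RuntimeError("too many redirects")


# Constructed sample: the first hop leaves a.example, the second stays put.
SAMPLE_HEADERS = {"Authorization": "Bearer TOKEN-placeholder",
                  "Proxy-Authorization": "Basic CREDS-placeholder",
                  "Accept": "*/*"}
SAMPLE_REDIRECTS = {"https://a.example/x": "https://b.example/y",
                    "https://b.example/y": "/z"}

if __name__ == "__main__":
    for url, sent in follow_redirects("https://a.example/x",
                                      SAMPLE_HEADERS, SAMPLE_REDIRECTS):
        print(url, sorted(sent))
```

In urllib3 itself the equivalent set is configurable through `Retry(remove_headers_on_redirect=...)`; the point of the update is that the default set now includes Proxy-Authorization even when no proxy is configured.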
ELA-1324-1 openssh security update
Package : openssh
Version : 1:7.4p1-10+deb9u10 (stretch), 1:7.9p1-10+deb10u5 (buster)
Related CVEs : CVE-2025-26465
The Qualys Threat Research Unit (TRU) discovered that the OpenSSH client
is vulnerable to a machine-in-the-middle attack if the VerifyHostKeyDNS
option is enabled (disabled by default).
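Because the vulnerable path is only reachable when VerifyHostKeyDNS is enabled, the useful check on the defender's side is finding where a client configuration turns it on. The block below is an added example, not OpenSSH's code: it scans ssh_config text (the contents of ~/.ssh/config or /etc/ssh/ssh_config) and reports every Host or Match block that sets the option to yes or ask; the sample configuration is constructed for the example.

```python
"""Audit ssh_config text for VerifyHostKeyDNS being enabled.

Added example, not OpenSSH's code. ssh_config keywords are case-insensitive,
accept either 'Key value' or 'Key=value', and the option defaults to 'no'
when unset, so only explicit 'yes' or 'ask' settings are reported.
"""
import re

# Matches 'Keyword value' and 'Keyword=value' (with optional spaces).
DIRECTIVE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.+)$")


def find_verify_host_key_dns(config_text: str):
    """Return [(block, value, line_no)] for every enabling directive.

    'block' is the most recent Host/Match line (or '*' for directives
    that appear before any block), so the finding says which targets the
    setting applies to.
    """
    findings = []
    block = "*"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key in ("host", "match"):
            block = f"{key} {value}"
        elif key == "verifyhostkeydns" and value.lower() in ("yes", "ask"):
            findings.append((block, value.lower(), line_no))
    return findings


# Constructed sample configuration; the host patterns are placeholders.
SAMPLE_CONFIG = """\
# constructed sample, not a real host list
VerifyHostKeyDNS no
Host bastion.example
    VerifyHostKeyDNS yes
Host *.lab.example
    VerifyHostKeyDNS=ask
Host other
    StrictHostKeyChecking yes
"""

if __name__ == "__main__":
    for block, value, line_no in find_verify_host_key_dns(SAMPLE_CONFIG):
        print(f"line {line_no}: VerifyHostKeyDNS {value} in '{block}'")
```

Scanning files only shows what is written down; to see the value the client will actually use for a given destination, including defaults and Match evaluation, `ssh -G <host>` prints the effective configuration and can be grepped for the option.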
The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy
leading to an information leak in the algorithm negotiation. This allows
man-in-the-middle attackers to target initial connection attempts (where
no host key for the server has been cached by the client). This issue was
assigned CVE-2020-14145. Completely removing this information leak would
cause other problems, but this update includes a partial mitigation by
preferring the default ordering if the user has a key that matches the
best-preference default algorithm.
In addition, the stretch update contains a regression introduced with the
fix for CVE-2023-48795, which could cause segmentation faults under some
circumstances.