Debian 10149

Debian GNU/Linux has rolled out several security updates, featuring nghttp2, python-asyncssh, booth, tryton-server, iproute2, zeromq3, and apache2:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1183-1 apache2 security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1185-1 iproute2 security update
ELA-1184-1 zeromq3 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3898-1] nghttp2 security update
[SECURITY] [DLA 3899-1] python-asyncssh security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5777-1] booth security update
[SECURITY] [DSA 5776-1] tryton-server security update




[SECURITY] [DLA 3898-1] nghttp2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3898-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 27, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : nghttp2
Version : 1.43.0-1+deb11u2
CVE ID : CVE-2024-28182
Debian Bug : 1068415

nghttp2, an implementation of HTTP/2, accepted an unbounded number of
HTTP/2 CONTINUATION frames, which a remote peer could exploit to cause a
denial of service. This has been fixed.
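The check that stops a CONTINUATION flood, as an added example (this is not nghttp2 code): the receiver counts the HEADERS plus CONTINUATION bytes of each header block and tears the connection down once they exceed a limit, instead of decoding frames for as long as the peer keeps sending them. The 16 KiB limit, the stream numbers and the sample frames are this example's own choices.

```python
"""HTTP/2 CONTINUATION-flood guard.

Added example, not nghttp2 code. Parses raw HTTP/2 frame headers
(RFC 9113 section 4.1) and applies the check whose absence the advisory
describes: HEADERS + CONTINUATION bytes of one header block are counted
and the connection is closed once they exceed a limit. The 16 KiB limit
and the sample frames are assumptions for this example.
"""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
MAX_HEADER_BLOCK_BYTES = 16 * 1024      # assumed limit for this example


class ProtocolError(Exception):
    """Framing violation; the caller should send GOAWAY and close the connection."""


def parse_frame_header(buf, offset):
    """Return (length, type, flags, stream_id) for the 9-byte header at offset."""
    length_hi, length_lo, ftype, flags, stream = struct.unpack_from("!BHBBI", buf, offset)
    return (length_hi << 16) | length_lo, ftype, flags, stream & 0x7FFFFFFF


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame; used here only to construct sample input."""
    n = len(payload)
    return struct.pack("!BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload


class HeaderBlockGuard:
    """Tracks the header block being reassembled on one connection."""

    def __init__(self, limit=MAX_HEADER_BLOCK_BYTES):
        self.limit = limit
        self.open_stream = None     # stream whose header block is still incomplete
        self.accumulated = 0        # header block bytes received so far
        self.continuations = 0      # CONTINUATION frames seen for the open block

    def feed(self, buf):
        """Consume a byte string of whole frames; return how many were accepted."""
        offset, accepted = 0, 0
        while offset + FRAME_HEADER_LEN <= len(buf):
            length, ftype, flags, stream_id = parse_frame_header(buf, offset)
            offset += FRAME_HEADER_LEN + length
            if offset > len(buf):
                raise ProtocolError("truncated frame")
            if ftype == TYPE_HEADERS:
                if self.open_stream is not None:
                    raise ProtocolError("HEADERS while a header block is open")
                self.open_stream, self.accumulated, self.continuations = stream_id, 0, 0
            elif ftype == TYPE_CONTINUATION:
                if self.open_stream is None or stream_id != self.open_stream:
                    raise ProtocolError("CONTINUATION without matching open header block")
                self.continuations += 1
            else:
                if self.open_stream is not None:
                    raise ProtocolError("non-CONTINUATION frame inside a header block")
                accepted += 1
                continue
            self.accumulated += length
            if self.accumulated > self.limit:
                # Without this check a peer can send CONTINUATION frames without
                # END_HEADERS indefinitely and the decoder keeps working on them.
                raise ProtocolError("header block exceeds %d bytes" % self.limit)
            if flags & FLAG_END_HEADERS:
                self.open_stream = None
            accepted += 1
        return accepted


def simulate_flood(continuation_frames, chunk=1024):
    """Constructed attack: HEADERS, then CONTINUATION frames that never set END_HEADERS.

    Returns how many CONTINUATION frames were processed before the guard cut
    the connection, or None if the flood was not stopped.
    """
    guard = HeaderBlockGuard()
    data = build_frame(TYPE_HEADERS, 0, 1, b"\x00" * chunk)
    for _ in range(continuation_frames):
        data += build_frame(TYPE_CONTINUATION, 0, 1, b"\x00" * chunk)
    try:
        guard.feed(data)
    except ProtocolError:
        return guard.continuations
    return None
```

With the 16 KiB limit and 1 KiB frames, simulate_flood(100) stops the connection after the 16th CONTINUATION frame; a short, legitimate header block split over a few frames passes unchanged.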

For Debian 11 bullseye, this problem has been fixed in version
1.43.0-1+deb11u2.

We recommend that you upgrade your nghttp2 packages.

For the detailed security status of nghttp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nghttp2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3899-1] python-asyncssh security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3899-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 27, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-asyncssh
Version : 2.5.0-0.1+deb11u1
CVE ID : CVE-2023-46445 CVE-2023-46446 CVE-2023-48795
Debian Bug : 1055999 1056000 1059007

AsyncSSH is a Python package which provides an asynchronous client
and server implementation of the SSHv2 protocol on top of the Python
3.4+ asyncio framework. It has been discovered that it is vulnerable to

CVE-2023-46445

A vulnerability has been discovered that allows attackers to control
the extension info message (RFC 8308) via a man-in-the-middle attack
(aka Rogue Extension Negotiation).

CVE-2023-46446

A vulnerability has been discovered that allows attackers to control
the remote end of an SSH client session via packet injection/removal
and shell emulation (aka Rogue Session attack).

CVE-2023-48795

A vulnerability has been discovered that allows remote attackers to bypass
integrity checks, so that a client and server may end up with
a connection for which some security features have been downgraded or
disabled (aka Terrapin attack).
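What a client or server can check in the KEXINIT exchange, as an added example (this is not AsyncSSH code): parse SSH_MSG_KEXINIT as defined in RFC 4253 section 7.1, see whether both sides advertised the "strict kex" pseudo-algorithms that OpenSSH introduced as the Terrapin mitigation (kex-strict-c-v00@openssh.com from the client, kex-strict-s-v00@openssh.com from the server), and, if not, whether the negotiated cipher/MAC pair is one the Terrapin work showed to be exploitable (chacha20-poly1305@openssh.com, or a CBC cipher with an encrypt-then-MAC "-etm@openssh.com" MAC). The algorithm lists in example_handshakes() are constructed for the example.

```python
"""SSH KEXINIT inspection for the Terrapin (CVE-2023-48795) mitigation.

Added example, not AsyncSSH code. Builds and parses SSH_MSG_KEXINIT
(RFC 4253 section 7.1), checks for the strict-kex pseudo-algorithms and
flags the cipher/MAC combinations Terrapin exploits when strict kex is
absent. The algorithm lists in example_handshakes() are constructed.
"""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
NAME_LISTS = (                      # the ten name-lists, in wire order
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
)


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload from {name-list: [algorithm, ...]}."""
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack("!I", len(body)) + body
    out += b"\x00" + struct.pack("!I", 0)      # first_kex_packet_follows, reserved
    return bytes(out)


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict; raise ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from("!I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    if pos + 5 != len(payload):
        raise ValueError("bad trailer")
    return lists


def negotiate(client_list, server_list):
    """RFC 4253 rule: the first client preference the server also lists."""
    return next((alg for alg in client_list if alg in server_list), None)


def assess(client_kexinit, server_kexinit):
    """Return (strict_kex, terrapin_exposed, {direction: (cipher, mac)})."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    strict = (STRICT_KEX_CLIENT in c["kex_algorithms"]
              and STRICT_KEX_SERVER in s["kex_algorithms"])
    exposed, chosen = False, {}
    for d in ("c2s", "s2c"):
        cipher = negotiate(c["encryption_algorithms_" + d], s["encryption_algorithms_" + d])
        mac = negotiate(c["mac_algorithms_" + d], s["mac_algorithms_" + d])
        chosen[d] = (cipher, mac)
        weak = (cipher == "chacha20-poly1305@openssh.com"
                or (cipher is not None and cipher.endswith("-cbc")
                    and mac is not None and mac.endswith("-etm@openssh.com")))
        # Strict kex resets sequence numbers after NEWKEYS and disconnects on
        # unexpected handshake messages, which defeats the prefix truncation.
        exposed = exposed or (weak and not strict)
    return strict, exposed, chosen


def example_handshakes():
    """Constructed lists: one client against a strict-kex server and a legacy one."""
    client = {
        "kex_algorithms": ["curve25519-sha256", STRICT_KEX_CLIENT],
        "server_host_key_algorithms": ["ssh-ed25519"],
        "encryption_algorithms_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
        "encryption_algorithms_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
        "mac_algorithms_c2s": ["hmac-sha2-256-etm@openssh.com"],
        "mac_algorithms_s2c": ["hmac-sha2-256-etm@openssh.com"],
        "compression_algorithms_c2s": ["none"], "compression_algorithms_s2c": ["none"],
    }
    strict_server = dict(client, kex_algorithms=["curve25519-sha256", STRICT_KEX_SERVER])
    legacy_server = dict(client, kex_algorithms=["curve25519-sha256"])
    return (assess(build_kexinit(client), build_kexinit(strict_server)),
            assess(build_kexinit(client), build_kexinit(legacy_server)))
```

Against the legacy server the same client ends up on chacha20-poly1305@openssh.com without strict kex and is reported as exposed; against the strict-kex server the identical cipher choice is fine. Preferring an AEAD such as aes256-gcm@openssh.com over chacha20-poly1305@openssh.com is the configuration-side fallback when one peer cannot be updated.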

For Debian 11 bullseye, these problems have been fixed in version
2.5.0-0.1+deb11u1.

We recommend that you upgrade your python-asyncssh packages.

For the detailed security status of python-asyncssh please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-asyncssh

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5777-1] booth security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5777-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 27, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : booth
CVE ID : CVE-2024-3049

It was discovered that the Booth cluster ticket manager failed to
correctly validate some authentication hashes.
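The advisory does not say which part of booth's hash validation was wrong, so the following is an added example (not booth code) of the checks a receiver of an HMAC-tagged message has to perform before acting on it: a fixed, known tag length, a constant-time comparison, and no trust in a length field the sender controls. The wire format (uint16 tag length, tag, body), the key and the messages are assumptions for the example.

```python
"""Length-checked, constant-time verification of a message authenticator.

Added example, not booth code. Shows a lax verifier that trusts the
sender's tag length beside a strict one. Wire format assumed here:
uint16 big-endian tag length, tag, then the message body.
"""
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size     # 32 bytes


def seal(key, body):
    """Produce length || tag || body with an HMAC-SHA256 tag over the body."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack("!H", len(tag)) + tag + body


def verify_lax(key, packet):
    """Broken verifier: uses the sender's tag length and compares only that many bytes."""
    (n,) = struct.unpack_from("!H", packet, 0)
    tag, body = packet[2:2 + n], packet[2 + n:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return expected[:n] == tag      # n == 0 compares nothing and always succeeds


def verify_strict(key, packet):
    """Correct verifier: fixed tag length, constant-time compare; None on any failure."""
    if len(packet) < 2:
        return None
    (n,) = struct.unpack_from("!H", packet, 0)
    if n != TAG_LEN or len(packet) < 2 + n:
        return None                 # reject before looking at the tag at all
    tag, body = packet[2:2 + n], packet[2 + n:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body


def forged_packet(body):
    """Attacker's packet: declares a zero-length tag, so no key is needed."""
    return struct.pack("!H", 0) + body
```

A forged packet with a zero-length tag is accepted by verify_lax and rejected by verify_strict; the strict verifier also rejects a genuine packet checked under the wrong key.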

For the stable distribution (bookworm), this problem has been fixed in
version 1.0-283-g9d4029a-2+deb12u1.

We recommend that you upgrade your booth packages.

For the detailed security status of booth please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/booth

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5776-1] tryton-server security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5776-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 27, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tryton-server
CVE ID : not yet available

Albert Cervera discovered two missing authorisation checks in the Tryton
application platform.

For the stable distribution (bookworm), these problems have been fixed in
version 6.0.29-2+deb12u3.

We recommend that you upgrade your tryton-server packages.

For the detailed security status of tryton-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tryton-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1185-1 iproute2 security update

Package : iproute2
Version : 4.20.0-2+deb10u2 (buster)

Related CVEs :
CVE-2019-20795

A use-after-free in get_netnsid_from_name() has been fixed in iproute2, a collection of utilities for controlling TCP/IP networking and traffic control.



ELA-1184-1 zeromq3 security update

Package : zeromq3
Version : 4.3.1-4+deb10u3 (buster)

Related CVEs :
CVE-2021-20234
CVE-2021-20235
CVE-2021-20237

Multiple vulnerabilities have been fixed in the messaging library ZeroMQ.

CVE-2021-20234
Memory leak in client induced by malicious server(s)

CVE-2021-20235
Heap overflow when receiving malformed ZMTP v1 packets

CVE-2021-20237
Memory leak in PUB server induced by malicious client(s)



ELA-1183-1 apache2 security update

Package : apache2
Version : 2.4.10-10+deb8u29 (jessie), 2.4.25-3+deb9u19 (stretch)

Related CVEs :
CVE-2024-38474
CVE-2024-38475

Two vulnerabilities in the mod_rewrite module have been fixed in Apache2, a popular web server.

CVE-2024-38474
A substitution encoding issue in mod_rewrite in Apache HTTP Server
allowed an attacker to execute scripts in directories permitted
by the configuration but not directly reachable by any URL, or to
obtain the source of scripts meant only to be executed as CGI.
Some RewriteRules that capture and substitute unsafely will
now fail unless the rewrite flag "UnsafeAllow3F" is specified.

CVE-2024-38475
Improper escaping of output in mod_rewrite allowed an attacker
to map URLs to filesystem locations that are permitted
to be served by the server but are not intentionally/directly
reachable by any URL, resulting in code execution
or source code disclosure.
Substitutions in server context that use a backreference
or variable as the first segment of the substitution are affected.
Some unsafe RewriteRules will be broken by this change;
the rewrite flag "UnsafePrefixStat" can be used
to opt back in once the substitution has been verified to be
appropriately constrained.
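An added configuration example (not from the advisory or the Apache project) of the kind of rule both CVEs concern, beside a constrained replacement. The "/html/" prefix, the "/pages/" directory and the request path are assumptions for illustration; the two rewrite flags are the ones the advisory names.

```apache
# Added example, not from the advisory. Rule shapes affected by
# CVE-2024-38474 / CVE-2024-38475, and a constrained replacement.

RewriteEngine On

# Before: captures arbitrary request text and uses the capture as the
# first path segment of the substitution.
#  - An encoded "?" survives into the substitution: /html/usr/share/doc/%3F
#    becomes /usr/share/doc/?.html, and the "?" cuts off everything after it
#    (CVE-2024-38474; now refused unless the rule carries [UnsafeAllow3F]).
#  - In server context the substitution starts with a backreference, so
#    mod_rewrite would stat() that prefix and, if it existed on disk, treat
#    the result as a filesystem path instead of a URL
#    (CVE-2024-38475; now refused unless the rule carries [UnsafePrefixStat]).
#RewriteRule "^/html/(.*)$" "/$1.html"

# After: restrict the capture to a safe character class so neither "?" nor
# path separators can be smuggled in, and anchor the substitution under a
# literal directory so the first segment is never attacker-controlled.
RewriteRule "^/html/([A-Za-z0-9_-]+)$" "/pages/$1.html"
```

On an updated server the commented-out rule is rejected at request time; the opt-in flags should only be added after the capture has been tightened as in the second rule, not as a way to restore the old behaviour unchanged.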
