[SECURITY] [DLA 4091-1] nginx security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4091-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Andrej Shadura
March 25, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u4
CVE ID : CVE-2024-7347 CVE-2025-23419
This upload fixes two security issues in the version of nginx shipped
in bullseye.
CVE-2024-7347
Nginx has a vulnerability in the ngx_http_mp4_module which might
allow an attacker to over-read nginx worker memory, resulting in
the worker's termination, using a specially crafted mp4 file. The
issue only affects nginx if it is built with the ngx_http_mp4_module
and the mp4 directive is used in the configuration file. Additionally,
the attack is possible only if an attacker can trigger the processing
of a specially crafted mp4 file by the ngx_http_mp4_module.
CVE-2025-23419
When multiple server blocks are configured to share the same
IP address and port, an attacker can use session resumption
to bypass client certificate authentication requirements on
these servers. This vulnerability arises when TLS session tickets
and/or the SSL session cache are used in the default server and
the default server is performing client certificate authentication.
This issue did not affect ngx_stream_ssl_module in bullseye, since
the stream virtual server functionality was added in a later
release.
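As an added illustration (not part of the advisory), a small Python audit script that flags the configuration precondition described above: a listen socket shared by several server blocks whose default server performs client certificate authentication while session tickets or the SSL session cache remain enabled. The parser is a deliberate simplification for flat server blocks without nested location blocks, and the sample configuration is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the advisory): two virtual hosts share
# port 443; the default server requires client certificates, the other does not.
SAMPLE_CONF = """
server { listen 443 ssl default_server; ssl_verify_client on; }
server { listen 443 ssl; }
"""

def parse_servers(conf):
    """One dict per flat server block: directive name -> list of argument lists
    (simplification: nested location blocks and comments are not handled)."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", conf):
        d = defaultdict(list)
        for stmt in body.split(";"):
            parts = stmt.split()
            if parts:
                d[parts[0]].append(parts[1:])
        servers.append(d)
    return servers

def last(srv, name, default):
    # Effective directive value: the last occurrence wins, else the nginx default.
    return srv.get(name, [[default]])[-1][0]

def resumption_enabled(srv):
    # nginx defaults: ssl_session_tickets on, ssl_session_cache none.
    tickets = last(srv, "ssl_session_tickets", "on") != "off"
    return tickets or last(srv, "ssl_session_cache", "none") not in ("off", "none")

def find_risky_sockets(conf):
    """Listen sockets shared by several server blocks whose default server
    verifies client certificates while session resumption is enabled."""
    by_socket = defaultdict(list)
    for srv in parse_servers(conf):
        for args in srv.get("listen", []):
            by_socket[args[0]].append((srv, "default_server" in args))
    risky = []
    for sock, entries in by_socket.items():
        if len(entries) > 1:
            # An explicit default_server wins; otherwise nginx uses the first block.
            default = next((s for s, flag in entries if flag), entries[0][0])
            if last(default, "ssl_verify_client", "off") != "off" and resumption_enabled(default):
                risky.append(sock)
    return sorted(risky)
```

Run it against the output of `nginx -T` to review a live configuration; a non-empty result means the affected server blocks should be upgraded or have session resumption disabled on the default server.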
For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u4.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5886-1] ruby-rack security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5886-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2025                        https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ruby-rack
CVE ID : CVE-2025-25184 CVE-2025-27111 CVE-2025-27610
Multiple security issues were found in Rack, an interface for developing
web applications in Ruby, which could result in log injection or
information disclosure.
For the stable distribution (bookworm), these problems have been fixed in
version 2.2.13-1~deb12u1.
We recommend that you upgrade your ruby-rack packages.
For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/