Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1287-1 python-tornado security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4012-1] thunderbird security update
[DLA 4011-1] firefox-esr security update
[DLA 4013-1] node-mocha security update
[DLA 4010-1] python-django security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5842-1] openafs security update
[SECURITY] [DSA 5842-1] openafs security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5842-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 11, 2025 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : openafs
CVE ID : CVE-2024-10394 CVE-2024-10396 CVE-2024-10397
Debian Bug : 1087406 1087407
Several vulnerabilities were discovered in OpenAFS, an implementation of
the AFS distributed filesystem, which may result in theft of credentials
in Unix client PAGs (CVE-2024-10394), fileserver crashes and information
leak on StoreACL/FetchACL (CVE-2024-10396) or buffer overflows in XDR
responses resulting in denial of service and potentially code execution
(CVE-2024-10397).
For the stable distribution (bookworm), these problems have been fixed
in version 1.8.9-1+deb12u1.
We recommend that you upgrade your openafs packages.
For the detailed security status of openafs please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/openafs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DLA 4012-1] thunderbird security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4012-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
January 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : thunderbird
Version : 1:128.6.0esr-1~deb11u1
CVE ID : CVE-2024-50336 CVE-2025-0237 CVE-2025-0238 CVE-2025-0239
CVE-2025-0240 CVE-2025-0241 CVE-2025-0242 CVE-2025-0243
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.
For Debian 11 bullseye, these problems have been fixed in version
1:128.6.0esr-1~deb11u1.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4011-1] firefox-esr security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4011-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
January 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : firefox-esr
Version : 128.6.0esr-1~deb11u3
CVE ID : CVE-2025-0237 CVE-2025-0238 CVE-2025-0239 CVE-2025-0240
CVE-2025-0241 CVE-2025-0242 CVE-2025-0243
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or privilege escalation.
For Debian 11 bullseye, these problems have been fixed in version
128.6.0esr-1~deb11u3.
We recommend that you upgrade your firefox-esr packages.
For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4013-1] node-mocha security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4013-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
January 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : node-mocha
Version : 8.2.1+ds1+~cs29.4.27-3+deb11u1
CVE ID : CVE-2021-23566 CVE-2024-55565
Debian Bug :
mocha, a JavaScript test framework, was affected by two
vulnerabilities in its nanoid component.
CVE-2021-23566
The nanoid package is vulnerable to information exposure via the
valueOf() function, which allows the last generated id to be reproduced.
CVE-2024-55565
The nanoid package mishandles non-integer values of the size parameter.
For Debian 11 bullseye, these problems have been fixed in version
8.2.1+ds1+~cs29.4.27-3+deb11u1.
We recommend that you upgrade your node-mocha packages.
For the detailed security status of node-mocha please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-mocha
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4010-1] python-django security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4010-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 10, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python-django
Version : 2:2.2.28-1~deb11u4
CVE ID : CVE-2024-6923
The fix for CVE-2024-6923 in the python3.9 source package, which was
released as part of a suite of updates in DLA 3980-1 [0], introduced
safer processing of input in the email module in order to increase
the security around email header injection attacks.
This change inadvertently broke sending emails when using lazy
translation strings in the python-django package, however, resulting
in the package no longer building from source.
As the previous behaviour of Python's "email" module can be enabled
by passing the strict=False flag, the python-django package now does
so — Django detects and/or encodes newlines in its handling of
outbound emails elsewhere.
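The advisory relies on the application (Django) catching newlines in outbound mail headers before the email module sees them. The following is an added example, not Debian's, Django's or CPython's code, of such a pre-send check: header values, including lazy or proxy objects that only render on str(), are rejected if they contain CR or LF, and the serialized message is re-parsed to confirm that only the expected headers reached the wire. Function and class names (safe_header_value, build_message, LazyText and so on) are hypothetical, and the sample inputs are constructed.

```python
"""Added example (not Debian's, Django's or CPython's code): a pre-send
check that refuses CR/LF in outbound mail headers, so a header injection
attempt is caught before the message reaches the email module, whatever
strictness that module applies.  Function and class names are hypothetical;
the sample inputs are constructed."""
from email import message_from_string
from email.message import EmailMessage


class HeaderInjectionError(ValueError):
    """Raised when a header value would terminate the header and start another."""


class LazyText:
    """Constructed stand-in for a lazy translation proxy: not a str subclass,
    it only renders its text when str() is called on it."""

    def __init__(self, rendered):
        self._rendered = rendered

    def __str__(self):
        return self._rendered


def safe_header_value(name, value):
    """Return `value` as a str that is safe to place in header `name`.

    Proxy objects are coerced with str() first so the check sees the rendered
    text.  A CR or LF is rejected rather than encoded away: either one lets
    untrusted input end the header and append headers of its own (e.g. Bcc).
    """
    text = str(value)
    if "\r" in text or "\n" in text:
        raise HeaderInjectionError(f"header {name!r} contains a line break")
    return text


def is_injection_attempt(value):
    """Predicate usable as a detection rule over submitted form fields."""
    try:
        safe_header_value("probe", value)
    except HeaderInjectionError:
        return True
    return False


def build_message(subject, sender, recipient, body):
    """Assemble a message from untrusted header inputs, checking each header."""
    msg = EmailMessage()
    msg["Subject"] = safe_header_value("Subject", subject)
    msg["From"] = safe_header_value("From", sender)
    msg["To"] = safe_header_value("To", recipient)
    msg.set_content(body)
    return msg


def generated_header_names(msg):
    """Serialize and re-parse, returning the header names a receiving MTA
    would actually see: a second layer that catches any header the generator
    emitted unexpectedly, independent of the email module's own checks."""
    return [name for name, _ in message_from_string(msg.as_string()).items()]


if __name__ == "__main__":
    ok = build_message("Hello", "a@example.invalid", "b@example.invalid", "hi")
    print(generated_header_names(ok))
    # Constructed probe value, as a form field might carry it.
    print(is_injection_attempt("Hello\nBcc: victim@example.invalid"))
```

The check sits in front of the email module on purpose: it behaves the same whether the underlying Python carries the stricter CVE-2024-6923 handling or has it relaxed with strict=False, which is the situation the advisory describes.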
For Debian 11 bullseye, this change has been made in version
2:2.2.28-1~deb11u4.
We recommend that you upgrade your python-django packages.
For the detailed security status of python-django please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-django
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[0] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
ELA-1287-1 python-tornado security update
Package : python-tornado
Version : 4.4.3-1+deb9u1 (stretch), 5.1.1-4+deb10u1 (buster)
Related CVEs :
CVE-2023-28370
CVE-2024-52804
Multiple vulnerabilities were discovered in python-tornado, a scalable,
non-blocking Python web framework and asynchronous networking library.
CVE-2023-28370
An open redirect vulnerability in Tornado versions 6.3.1 and earlier allows
a remote unauthenticated attacker to redirect a user to an arbitrary web
site and conduct a phishing attack by having the user access a specially
crafted URL.
CVE-2024-52804
The algorithm used for parsing HTTP cookies in Tornado versions prior to
6.4.2 sometimes has quadratic complexity, leading to excessive CPU
consumption when parsing maliciously-crafted cookie headers. This
parsing occurs in the event loop thread and may block the processing of
other requests.
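As an added example that is not Tornado's or Debian's code, the block below shows application-side mitigations for the two issue classes in this advisory: a redirect-target check that accepts only same-site paths or http(s) URLs on an explicit host allowlist (covering the scheme-relative "//host" and backslash cases browsers normalise), and a Cookie header parser that works in a single linear pass under a hard length cap, so a long or malformed header costs at most O(n) on the event loop thread. The function names and the sample values are hypothetical and constructed; the cookie parser deliberately handles only name=value pairs and ignores attribute semantics.

```python
"""Added example (not Tornado's or Debian's code): application-side
mitigations for an open redirect and for slow cookie-header parsing.
Names are hypothetical and the sample values constructed."""
from urllib.parse import urlsplit


def is_safe_redirect_target(url, allowed_hosts=frozenset()):
    """Return True only for a redirect target the application should honour."""
    if not url or url != url.strip() or any(c in url for c in "\r\n\t\x00"):
        return False
    # Browsers treat a backslash as a slash, so "/\evil.test" becomes "//evil.test".
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # A relative reference must be a single-slash path; "//host" is scheme-relative.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


def parse_cookie_header(header, max_len=4096):
    """Parse a Cookie request header into a dict in one pass over the input.

    Each segment is split on its first '=' and stripped once; nothing is
    re-scanned, so the cost stays linear in len(header).  The first value for
    a repeated name wins, and segments without '=' are dropped.
    """
    if len(header) > max_len:
        raise ValueError(f"Cookie header longer than {max_len} characters")
    cookies = {}
    for segment in header.split(";"):
        name, sep, value = segment.partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies.setdefault(name, value)
    return cookies


if __name__ == "__main__":
    # Constructed inputs.
    print(is_safe_redirect_target("/account/"))
    print(is_safe_redirect_target("//evil.test/"))
    print(parse_cookie_header('session=abc; theme="dark"; junk'))
```

The length cap is the part that matters operationally: whatever the parser's complexity, bounding the input at the edge (here, or in a reverse proxy in front of the application) bounds the CPU time an attacker can buy with one request.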