Debian 10260

Debian GNU/Linux has received several security updates, covering openjdk, ffmpeg, perl, and python-sql:

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3929-1] openjdk-11 security update
[SECURITY] [DLA 3928-1] ffmpeg security update
[SECURITY] [DLA 3927-1] openjdk-17 security update
[SECURITY] [DLA 3926-1] perl security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5795-1] python-sql security update
[SECURITY] [DSA 5794-1] openjdk-17 security update
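The fixed versions quoted in the advisories below are dpkg version strings, and "is this host fixed" is a dpkg ordering question, not a plain string comparison (note the ~deb11u1 suffix, which sorts before the bare revision, and the different fixed versions of openjdk-17 on bullseye and bookworm). The following is an added example, not Debian's or the advisories' own code: it reimplements the dpkg ordering in pure Python so the comparison can be run over a package inventory collected from many hosts, off the box. The inventory and its version strings are constructed; the dpkg-query format string in the comment is how such an inventory would be produced on a Debian host.

```python
"""Check installed package versions against the fixed versions an advisory
names.  Added example, not Debian's code: reimplements the dpkg version
ordering (Debian Policy 5.6.12) in pure Python so the check can run over an
inventory collected from many hosts, without dpkg on the analysing machine."""
import re


def _weight(c: str) -> int:
    # Sort weight of one character in a non-digit run: '~' sorts before
    # everything, even the end of the run (weight 0); letters before non-letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i]) if i < len(a) else 0
        wb = _weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    # Alternate between the longest non-digit run (compared with _weight) and
    # the longest digit run (compared numerically) until both strings end.
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(ma.group() or "0"), int(mb.group() or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0


def _split(version: str):
    # [epoch:]upstream_version[-debian_revision]; a missing epoch is 0 and a
    # missing revision compares equal to "0".  Upstream may itself contain '-'
    # when a revision is present, hence the split on the last hyphen.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0, like dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Fixed versions named by the advisories on this page, keyed by (release, source package).
FIXED_VERSIONS = {
    ("bullseye", "openjdk-11"): "11.0.25+9-1~deb11u1",
    ("bullseye", "ffmpeg"): "7:4.3.8-0+deb11u1",
    ("bullseye", "openjdk-17"): "17.0.13+11-1~deb11u1",
    ("bullseye", "perl"): "5.32.1-4+deb11u4",
    ("bookworm", "python-sql"): "1.4.0-1+deb12u1",
    ("bookworm", "openjdk-17"): "17.0.13+11-2~deb12u1",
}

# Constructed inventory of one bullseye host: source package -> installed
# version, as a line-per-package dump from
#   dpkg-query -W -f='${source:Package} ${Version}\n'
# would give.  The version strings are made up for this example.
SAMPLE_INVENTORY = {
    "openjdk-17": "17.0.12+7-1~deb11u1",
    "perl": "5.32.1-4+deb11u4",
    "ffmpeg": "7:4.3.6-0+deb11u1",
    "nginx": "1.18.0-6.1+deb11u3",
}


def vulnerable_packages(release: str, inventory: dict) -> list:
    """Source packages whose installed version is older than the fixed one."""
    return sorted(
        src
        for (rel, src), fixed in FIXED_VERSIONS.items()
        if rel == release and src in inventory
        and compare_versions(inventory[src], fixed) < 0
    )


if __name__ == "__main__":
    for src in vulnerable_packages("bullseye", SAMPLE_INVENTORY):
        fixed = FIXED_VERSIONS[("bullseye", src)]
        print(f"{src}: installed {SAMPLE_INVENTORY[src]} is older than {fixed}")
```

On a single host `dpkg --compare-versions` performs the same comparison; the Python version exists so an inventory can be checked off-host. The inventory must carry the release, since the same source package has a different fixed version per suite, and it must be keyed by source package, because the advisories name sources (openjdk-17) while dpkg installs binaries (openjdk-17-jre-headless).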



[SECURITY] [DLA 3929-1] openjdk-11 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3929-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
October 21, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openjdk-11
Version : 11.0.25+9-1~deb11u1
CVE ID : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, information disclosure or bypass
of Java sandbox restrictions.

For Debian 11 bullseye, these problems have been fixed in version
11.0.25+9-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3928-1] ffmpeg security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3928-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
October 21, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ffmpeg
Version : 7:4.3.8-0+deb11u1
CVE ID : CVE-2023-49502 CVE-2024-7055 CVE-2024-31578

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For Debian 11 bullseye, these problems have been fixed in version
7:4.3.8-0+deb11u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3927-1] openjdk-17 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3927-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
October 21, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openjdk-17
Version : 17.0.13+11-1~deb11u1
CVE ID : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, information disclosure or bypass
of Java sandbox restrictions.

For Debian 11 bullseye, these problems have been fixed in version
17.0.13+11-1~deb11u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3926-1] perl security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3926-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 21, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : perl
Version : 5.32.1-4+deb11u4
CVE ID : CVE-2020-16156 CVE-2023-31484
Debian Bug : 1015985 1035109

Vulnerabilities were found in Perl's CPAN.pm, which could lead CPAN
clients to install malicious modules.

CVE-2020-16156

Stig Palmquist discovered that an attacker can prepend checksums for
modified packages to the beginning of CHECKSUMS files, before the
cleartext PGP headers, resulting in signature verification bypass.

CPAN.pm has been updated so that when configured to validate the
signature on CHECKSUMS, it will refuse to install a tarball if the
associated CHECKSUMS file isn't signed. The gpg(1) executable is
required in order to validate signatures.
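The bypass turns on what a clearsigned file's signature actually covers: only the text between the armor headers and the signature block. Anything before the "-----BEGIN PGP SIGNED MESSAGE-----" line is not signed, yet a consumer that hands the whole file to gpg, sees a good signature, and then parses the whole file has trusted it. The following Python is an added example, not CPAN.pm's Perl: the CHECKSUMS content is constructed and simplified to the entries the example needs, the signature block is a placeholder, and the gpg verification step itself (which needs the mirror's key) is not reproduced. The hardened parser is stricter than the fix the advisory describes, in that it rejects any bytes outside the signed body rather than only unsigned files.

```python
"""Why prepended plaintext defeats a clearsign check that parses the whole
file.  Added example, not CPAN.pm's code; CHECKSUMS content constructed and
simplified (real files are Perl hash literals), signature verification by gpg
not reproduced."""
import re

SIGNED_HDR = "-----BEGIN PGP SIGNED MESSAGE-----\n"
SIG_BEGIN = "\n-----BEGIN PGP SIGNATURE-----\n"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed CHECKSUMS-style file: the attacker has prepended an unsigned
# block naming a tampered tarball digest ahead of the mirror's clearsigned
# block.  The signature text is a placeholder, not a real signature.
TAMPERED = """\
$cksum = {
  'Foo-Bar-1.00.tar.gz' => { 'sha256' => 'deadbeef' },
};
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {
  'Foo-Bar-1.00.tar.gz' => { 'sha256' => 'cafef00d' },
};
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
# The same file as the mirror published it, without the prepended block.
CLEAN = TAMPERED[TAMPERED.index(SIGNED_HDR):]

# Minimal extraction of 'name' => { ... 'sha256' => 'hex' ... } entries.
ENTRY = re.compile(r"'([^']+)'\s*=>\s*\{[^}]*?'sha256'\s*=>\s*'([0-9a-f]+)'")


def split_clearsigned(text: str):
    """Return (unsigned_prefix, signed_body, unsigned_suffix).

    Only signed_body is covered by the signature (RFC 4880 section 7); the
    armor headers run to the first blank line, and body lines that began
    with '-' were dash-escaped to '- ...' at signing time, so undo that."""
    start = text.find(SIGNED_HDR)
    if start < 0:
        raise ValueError("not a clearsigned file")
    prefix = text[:start]
    body_start = text.index("\n\n", start) + 2
    body_end = text.index(SIG_BEGIN, body_start)
    sig_end = text.index(SIG_END, body_end) + len(SIG_END)
    body = "".join(
        (line[2:] if line.startswith("- ") else line) + "\n"
        for line in text[body_start:body_end].splitlines()
    )
    return prefix, body, text[sig_end:].strip()


def checksums_naive(text: str) -> dict:
    """Model of the vulnerable flow: gpg reports the clearsigned part as good
    and the caller then parses the WHOLE file.  In this model the first entry
    for a name wins; the point is that an unsigned value reaches the caller."""
    out = {}
    for name, digest in ENTRY.findall(text):
        out.setdefault(name, digest)
    return out


def checksums_hardened(text: str) -> dict:
    """Parse only the signed body and refuse files carrying bytes outside it.
    The body would still have to pass gpg verification against the mirror's
    key before being used; that step is outside this example."""
    prefix, body, suffix = split_clearsigned(text)
    if prefix.strip() or suffix:
        raise ValueError("unsigned data outside the clearsigned body")
    return dict(ENTRY.findall(body))


if __name__ == "__main__":
    print("naive   :", checksums_naive(TAMPERED))      # attacker's digest
    print("hardened:", checksums_hardened(CLEAN))      # mirror's digest
    try:
        checksums_hardened(TAMPERED)
    except ValueError as e:
        print("hardened:", e)
```

The rule the hardened path follows is the one gpg itself applies: use only the output gpg returns as the verified text (gpg --decrypt on a clearsigned file, or --output), never the file you fed in. Dash-escaping is the same mechanism that makes clearsigned advisory mails show their separator rules as "- ----".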

CVE-2023-31484

Stig Palmquist discovered that CPAN::HTTP::Client did not verify
X.509 certificates in its HTTP::Tiny call, which could allow an
attacker to man-in-the-middle the connection to the CPAN mirror.

CPAN::HTTP::Client now enables the `verify_SSL` flag. HTTPS mirrors
must therefore present a certificate that chains to a trusted CA. The
identity of the default mirror https://cpan.org can be verified once
the 'ca-certificates' package is installed.
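The defect class here is a TLS client that completes the handshake without authenticating the server, so an attacker on the path needs no valid certificate at all. As an added example, not CPAN.pm's Perl and not HTTP::Tiny's API, the Python below builds the weak configuration (the analogue of leaving verify_SSL off) beside the correct one and gives a check that flags the difference in any ssl.SSLContext an application constructs.

```python
"""Tell a TLS client context that authenticates the server from one that does
not.  Added example in Python's ssl module, not CPAN.pm's code."""
import ssl


def mirror_context(verify: bool = True) -> ssl.SSLContext:
    """Client context for talking to a package mirror."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Analogue of leaving verify_SSL off: any certificate is accepted, so
        # whoever sits between client and mirror needs no valid certificate.
        ctx.check_hostname = False              # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for a client context; an empty list means it authenticates
    the server and refuses legacy protocol versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("verify=False:", audit_context(mirror_context(verify=False)))
    print("verify=True: ", audit_context(mirror_context()))
```

Verification also needs a trust store: create_default_context() loads the system CA bundle, which on Debian is the ca-certificates package the advisory names. With it absent, a verifying client fails every connection rather than silently accepting an unverified one, which is the correct failure direction.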

For Debian 11 bullseye, these problems have been fixed in version
5.32.1-4+deb11u4.

We recommend that you upgrade your perl packages.

For the detailed security status of perl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/perl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5795-1] python-sql security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5795-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2024                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-sql
CVE ID : CVE-2024-9774

Cedric Krier discovered that python-sql, a library to write SQL queries
in a pythonic way, performed insufficient sanitising which could result
in SQL injection.

For the stable distribution (bookworm), this problem has been fixed in
version 1.4.0-1+deb12u1.

We recommend that you upgrade your python-sql packages.

For the detailed security status of python-sql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-sql

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5794-1] openjdk-17 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5794-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 21, 2024                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-17
CVE ID : CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 17.0.13+11-2~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/