
Debian GNU/Linux has received multiple security updates, which encompass lemonldap-ng, editorconfig-core, dnsmasq, xfpt, openssl, and tgt:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1258-1 openssl security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1264-1 openssl1.0 security update
ELA-1257-1 openssl security update

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1260-1 activemq security update

Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1263-1 lemonldap-ng security update
ELA-1261-1 dnsmasq security update
ELA-1259-1 editorconfig-core security update
ELA-1256-1 openssl security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3979-1] lemonldap-ng security update
[DLA 3978-1] editorconfig-core security update
[DLA 3974-1] dnsmasq security update
[DLA 3977-1] xfpt security update
[DLA 3976-1] tgt security update



[SECURITY] [DLA 3979-1] lemonldap-ng security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3979-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
November 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : lemonldap-ng
Version : 2.0.11+ds-4+deb11u6
CVE ID : CVE-2024-48933 CVE-2024-52946 CVE-2024-52947
Debian Bug : 1084979

Multiple vulnerabilities were discovered in Lemonldap::NG, an
OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead
to injection of arbitrary scripts or authorization bypass.

CVE-2024-48933

Cross-site scripting (XSS) vulnerability which allows remote
attackers to inject arbitrary web script or HTML into the login page
via a username if ‘userControl’ has been set to a non-default value
that allows special HTML characters.

CVE-2024-52946

Improper Check during session refresh which allows an authenticated
user to raise their authentication level if the admin configured an
"Adaptative authentication rule" with an increment instead of an
absolute value.

CVE-2024-52947

Cross-site scripting (XSS) vulnerability which allows remote
attackers to inject arbitrary web script or HTML via the ‘url’
parameter of the upgrade session confirmation page (upgradeSession)
if the "Upgrade session" plugin has been enabled by an admin.

For Debian 11 bullseye, these problems have been fixed in version
2.0.11+ds-4+deb11u6.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3978-1] editorconfig-core security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3978-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
November 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : editorconfig-core
Version : 0.12.1-1.1+deb11u1
CVE ID : CVE-2023-0341 CVE-2024-53849

Two issues have been found in editorconfig-core, a coding style indenter
for all editors. Both issues are related to buffer overflows in different
locations.

For Debian 11 bullseye, these problems have been fixed in version
0.12.1-1.1+deb11u1.

We recommend that you upgrade your editorconfig-core packages.

For the detailed security status of editorconfig-core please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/editorconfig-core

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3974-1] dnsmasq security update


From: Lee Garrett [debian@rocketjump.eu]
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3974-1] dnsmasq security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3974-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Lee Garrett
November 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : dnsmasq
Version : 2.85-1+deb11u1
CVE ID : CVE-2022-0934 CVE-2023-28450 CVE-2023-50387 CVE-2023-50868
Debian Bug :

Brief introduction

CVE-2022-0934

A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq.
This flaw allows an attacker who sends a crafted packet that is processed by
dnsmasq to potentially cause a denial of service.

CVE-2023-28450

An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0
UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day
2020.

CVE-2023-50387

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.

For Debian 11 bullseye, these problems have been fixed in version
2.85-1+deb11u1.

We recommend that you upgrade your dnsmasq packages.

For the detailed security status of dnsmasq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dnsmasq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3977-1] xfpt security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3977-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
November 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : xfpt
Version : 0.11-1+deb11u1
CVE ID : CVE-2024-43700

An issue has been found in xfpt, a tool to generate XML from plain text.
The issue concerns improper handling of input data, which may result in a
stack-based buffer overflow and execution of arbitrary code when
processing specially crafted files.

For Debian 11 bullseye, this problem has been fixed in version
0.11-1+deb11u1.

We recommend that you upgrade your xfpt packages.

For the detailed security status of xfpt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xfpt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3976-1] tgt security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3976-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Thorsten Alteholz
November 30, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tgt
Version : 1:1.0.80-1+deb11u1
CVE ID : CVE-2024-45751

An issue has been found in tgt, the Linux SCSI target user-space daemon and
tools. The issue was related to using rand() without a proper seed,
resulting in identical sequences of authentication challenges.
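The tgt issue above is an instance of a general weak pattern: challenge bytes drawn from an unseeded rand() repeat from one process start to the next. The following is an added example, not tgt's own code, that places that pattern beside a replacement backed by the kernel CSPRNG; the function names and the 16-byte challenge size are assumptions for illustration.

```c
/* Added example (not tgt's code): an unseeded rand() as a challenge source,
 * beside a getrandom()-backed replacement. Names and sizes are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

#define CHALLENGE_LEN 16

/* Weak pattern: rand() is a deterministic PRNG. With no srand() call, glibc
 * behaves as if srand(1) had been called, so every freshly started daemon
 * issues exactly the same sequence of challenges, and a challenge observed
 * once will be issued again. Seeding with time() would only narrow the
 * search space, not remove the predictability. */
void weak_challenge(uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Fixed pattern: draw the challenge from the kernel CSPRNG. getrandom() with
 * flags 0 blocks only until the entropy pool is initialised and may return
 * fewer bytes than requested, so loop until the buffer is full. Returns 0 on
 * success and -1 on failure; a caller that gets -1 must refuse to issue a
 * challenge rather than fall back to a weaker source. */
int strong_challenge(uint8_t *out, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(out + got, len - got, 0);
        if (n < 0)
            return -1;
        got += (size_t)n;
    }
    return 0;
}

/* Helper for the demonstration: 1 if two challenges are byte-identical. */
int challenges_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    return memcmp(a, b, len) == 0;
}
```

The check a reviewer would apply to any challenge or nonce generator is the same: restart the process twice and compare the first values issued; a match means the source is deterministic.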

For Debian 11 bullseye, this problem has been fixed in version
1:1.0.80-1+deb11u1.

We recommend that you upgrade your tgt packages.

For the detailed security status of tgt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tgt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1264-1 openssl1.0 security update

Package : openssl1.0
Version : 1.0.2u-1~deb9u10 (stretch)

Related CVEs :
CVE-2023-5678
CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer
toolkit.

CVE-2023-5678
A denial of service could occur with excessively long X9.42 DH keys.
CVE-2024-0727
A denial of service could occur with a null field in a PKCS12 file.



ELA-1263-1 lemonldap-ng security update

Package : lemonldap-ng
Version : 2.0.2+ds-7+deb10u11 (buster)

Related CVEs :
CVE-2024-48933
CVE-2024-52947

Two Cross-site scripting (XSS) vulnerabilities were discovered in
Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO
system, which could lead to injection of arbitrary scripts or HTML
content.

CVE-2024-48933: XSS vulnerability which allows remote attackers to
inject arbitrary web script or HTML into the login page via a
username if userControl has been set to a non-default value that
allows special HTML characters.

CVE-2024-52947: XSS vulnerability which allows remote attackers to
inject arbitrary web script or HTML via the url parameter of the
upgrade session confirmation page (upgradeSession) if the “Upgrade
session” plugin has been enabled by an admin.



ELA-1261-1 dnsmasq security update

Package : dnsmasq
Version : 2.80-1+deb10u3 (buster)

Related CVEs :
CVE-2023-50387
CVE-2023-50868

Two vulnerabilities were found in dnsmasq, a small caching DNS proxy and
DHCP/TFTP server, which could lead to denial of service when querying specially
crafted DNS resource records under the control of an attacker.

CVE-2023-50387
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840,
and related RFCs) allow remote attackers to cause a denial of service (CPU
consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One
of the concerns is that, when there is a zone with many DNSKEY and RRSIG
records, the protocol specification implies that an algorithm must evaluate
all combinations of DNSKEY and RRSIG records.

CVE-2023-50868
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC
9276 guidance is skipped) allows remote attackers to cause a denial of
service (CPU consumption for SHA-1 computations) via DNSSEC responses in a
random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification
implies that an algorithm must perform thousands of iterations of a hash
function in certain situations.



ELA-1260-1 activemq security update

Package : activemq
Version : 5.14.3-3+deb9u3 (stretch) 5.15.16-0+deb10u2 (buster)

Related CVEs :
CVE-2023-46604
CVE-2022-41678

Two vulnerabilities were discovered in the activemq suite of packages. ActiveMQ
is a Java-based, flexible and powerful open source multi-protocol message broker.

CVE-2022-41678
Once a user is authenticated on Jolokia, they can potentially trigger arbitrary
code execution.

The fix for this problem has been added to both the Debian Stretch and the Debian Buster packages.

CVE-2023-46604
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution.
This vulnerability may allow a remote attacker with network access to either a
Java-based OpenWire broker or client to run arbitrary shell commands by
manipulating serialized class types in the OpenWire protocol to cause either
the client or the broker (respectively) to instantiate any class on the
classpath.

The fix for this problem has been added to the Debian Stretch package. The Debian Buster package was fixed already
in a previous update, in version 5.15.16-0+deb10u1.



ELA-1259-1 editorconfig-core security update

Package : editorconfig-core
Version : 0.12.1-1.1+deb10u1 (buster)

Related CVEs :
CVE-2023-0341
CVE-2024-53849

Two issues have been found in editorconfig-core, a coding style indenter
for all editors. Both issues are related to buffer overflows in different
locations.



ELA-1258-1 openssl security update

Package : openssl
Version : 1.0.1t-1+deb8u22 (jessie)

Related CVEs :
CVE-2023-5678
CVE-2024-0727

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer
toolkit.

CVE-2023-5678
A denial of service could occur with excessively long X9.42 DH keys.
CVE-2024-0727
A denial of service could occur with a null field in a PKCS12 file.



ELA-1257-1 openssl security update

Package : openssl
Version : 1.1.0l-1~deb9u10 (stretch)

Related CVEs :
CVE-2023-5678
CVE-2024-0727
CVE-2024-2511
CVE-2024-9143

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer
toolkit.

CVE-2023-5678
A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727
A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511
A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with
TLSv1.3.

CVE-2024-9143
Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
values for the field polynomial can lead to out-of-bounds memory reads or
writes. This could lead to information disclosure or possibly remote code
execution.



ELA-1256-1 openssl security update

Package : openssl
Version : 1.1.1n-0+deb10u7 (buster)

Related CVEs :
CVE-2023-5678
CVE-2024-0727
CVE-2024-2511
CVE-2024-4741
CVE-2024-5535
CVE-2024-9143

Multiple vulnerabilities were discovered in OpenSSL, the Secure Sockets Layer
toolkit.

CVE-2023-5678
A denial of service could occur with excessively long X9.42 DH keys.

CVE-2024-0727
A denial of service could occur with a null field in a PKCS12 file.

CVE-2024-2511
A denial of service could occur when the SSL_OP_NO_TICKET flag is set, with
TLSv1.3.

CVE-2024-4741
A use-after-free problem was found in the SSL_free_buffers function.

CVE-2024-5535
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents to be
sent to the peer.

CVE-2024-9143
Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
values for the field polynomial can lead to out-of-bounds memory reads or
writes. This could lead to information disclosure or possibly remote code
execution.
