Debian GNU/Linux 9 Extended LTS (Stretch):
ELA-1117-1 gunicorn security update
Debian GNU/Linux 10 LTS (Buster):
[DLA 3849-1] org-mode security update
[DLA 3848-1] org-mode security update
[DLA 3849-1] org-mode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3849-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
June 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : emacs
Version : emacs 1:26.1+1-3.2+deb10u6
CVE ID : CVE-2024-39331
Debian Bug : 1074136
A vulnerability was discovered in GNU Emacs, the extensible,
customisable, self-documenting display editor.
The org-link-expand-abbrev function expanded a %(...) link abbrev even
when the abbrev specified an unsafe function, such as
shell-command-to-string.
This could lead to arbitrary code execution as soon as an Org-mode
format file was opened, including one embedded in an e-mail message.
For Debian 10 buster, these problems have been fixed in version
1:26.1+1-3.2+deb10u6.
We recommend that you upgrade your org-mode packages.
For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3848-1] org-mode security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3848-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
June 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : org-mode
Version : org-mode 9.1.14+dfsg-3+deb10u3
CVE ID : CVE-2024-39331
Debian Bug : 1074136
A vulnerability was discovered in Org-mode, a GNU Emacs major mode for
keeping notes, authoring documents, and maintaining to-do lists.
The org-link-expand-abbrev function expanded a %(...) link abbrev even
when the abbrev specified an unsafe function, such as
shell-command-to-string.
This could lead to arbitrary code execution as soon as an Org-mode
format file was opened, including one embedded in an e-mail message.
For Debian 10 buster, these problems have been fixed in version
9.1.14+dfsg-3+deb10u3.
We recommend that you upgrade your org-mode packages.
For the detailed security status of org-mode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/org-mode
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1117-1 gunicorn security update
Package : gunicorn
Version : 19.6.0-10+deb9u3 (stretch)
Related CVEs :
CVE-2024-1135
Gunicorn, an event-based HTTP/WSGI server, fails to properly validate
Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS)
vulnerabilities. By crafting requests with conflicting Transfer-Encoding
headers, attackers can bypass security restrictions and access restricted
endpoints. This issue is due to Gunicorn’s handling of Transfer-Encoding
headers, where it incorrectly processes requests with multiple, conflicting
Transfer-Encoding headers, treating them as chunked regardless of the final
encoding specified. This vulnerability allows for a range of attacks including
cache poisoning, session manipulation, and data exposure.