Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1108-1 php5 security update
Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1112-1 libvpx security update
Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1107-1 php7.0 security update
Debian GNU/Linux 10 (Buster) LTS:
[DLA 3833-1] php7.3 security update
Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[DSA 5715-1] composer security update
[DSA 5714-1] roundcube security update
[DLA 3833-1] php7.3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3833-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
June 17, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : php7.3
Version : 7.3.31-1~deb10u7
CVE ID : CVE-2024-5458
Debian Bug : 1072885
PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.
Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), will treat invalid user information
(the username + password part of a URL) as valid user information.
This may lead to the downstream code accepting invalid URLs as valid and
parsing them incorrectly. The problem is related to CVE-2020-7071 but affects
IPv6 host parts.
For Debian 10 buster, this problem has been fixed in version
7.3.31-1~deb10u7.
We recommend that you upgrade your php7.3 packages.
For the detailed security status of php7.3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 5715-1] composer security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5715-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 18, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : composer
CVE ID : CVE-2024-35241 CVE-2024-35242
Two vulnerabilities have been discovered in Composer, a dependency
manager for PHP, which could result in arbitrary command execution by
operating on malicious git/hg repositories.
For the oldstable distribution (bullseye), these problems have been fixed
in version 2.0.9-2+deb11u3.
For the stable distribution (bookworm), these problems have been fixed in
version 2.5.5-1+deb12u2.
We recommend that you upgrade your composer packages.
For the detailed security status of composer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/composer
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[DSA 5714-1] roundcube security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5714-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
June 18, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : roundcube
CVE ID : CVE-2024-37383 CVE-2024-37384
Debian Bug : 1071474
Huy Nguyễn Phạm Nhật, and Valentin T. and Lutz Wolf of CrowdStrike,
discovered that roundcube, a skinnable AJAX-based webmail solution for
IMAP servers, did not correctly process and sanitize requests. This
would allow an attacker to perform Cross-Site Scripting (XSS) attacks.
For the oldstable distribution (bullseye), these problems have been fixed
in version 1.4.15+dfsg.1-1+deb11u3.
For the stable distribution (bookworm), these problems have been fixed in
version 1.6.5+dfsg-1+deb12u2.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1107-1 php7.0 security update
Package : php7.0
Version : 7.0.33-0+deb9u18 (stretch)
Related CVEs :
CVE-2024-5458
PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.
Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), will treat invalid user information
(the username + password part of a URL) as valid user information.
This may lead to the downstream code accepting invalid URLs as valid and
parsing them incorrectly. The problem is related to CVE-2020-7071 but affects
IPv6 host parts.
ELA-1108-1 php5 security update
Package : php5
Version : 5.6.40+dfsg-0+deb8u20 (jessie)
Related CVEs :
CVE-2024-5458
PHP, a widely-used open source general purpose scripting language, is affected
by a security problem when parsing certain types of URLs.
Due to a code logic error, filtering functions such as filter_var, when
validating URLs (FILTER_VALIDATE_URL), will treat invalid user information
(the username + password part of a URL) as valid user information.
This may lead to the downstream code accepting invalid URLs as valid and
parsing them incorrectly. The problem is related to CVE-2020-7071 but affects
IPv6 host parts.
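The CVE-2024-5458 description above (shared by DLA-3833-1, ELA-1107-1 and ELA-1108-1) concerns filter_var accepting malformed userinfo in URLs whose host part is an IPv6 literal. The following is an added defence-in-depth check for applications that cannot immediately upgrade; it is not part of the advisories or of PHP itself. It keeps FILTER_VALIDATE_URL as the first gate and then re-validates the userinfo and any bracketed IPv6 host with parse_url; the function name strict_validate_url and the sample URLs are assumptions of this example.

```php
<?php
// Added example (not from the advisory): defence-in-depth URL validation.
// filter_var() remains the first gate; the extra step re-checks the userinfo
// (username:password) component against the RFC 3986 grammar, because the
// affected PHP versions accept invalid userinfo when the host is an IPv6
// literal. strict_validate_url() is a name chosen for this example.

function strict_validate_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // RFC 3986: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
    $userinfo = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';
    foreach (['user', 'pass'] as $key) {
        if (isset($parts[$key]) && !preg_match($userinfo, $parts[$key])) {
            return false;
        }
    }
    // Bracketed host literal: the address inside must be a real IPv6 address.
    $host = $parts['host'];
    if ($host !== '' && $host[0] === '[') {
        if (substr($host, -1) !== ']') {
            return false;
        }
        $ip = substr($host, 1, -1);
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs for illustration only.
$samples = [
    'https://alice:s3cret@[2001:db8::1]:8443/path', // well-formed userinfo
    'https://al ice@[2001:db8::1]/',                 // space not allowed in userinfo
    'https://bob@[2001:db8::zz]/',                   // not a valid IPv6 literal
];
foreach ($samples as $s) {
    printf("%-48s %s\n", $s, strict_validate_url($s) ? 'accepted' : 'rejected');
}
```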
ELA-1112-1 libvpx security update
Package : libvpx
Version : 1.3.0-3+deb8u5 (jessie), 1.6.1-3+deb9u6 (stretch)
Related CVEs :
CVE-2016-6711
CVE-2017-0393
CVE-2024-5197
Multiple vulnerabilities have been fixed in libvpx, a library for decoding and encoding VP8 and VP9 videos.
CVE-2016-6711 (vulnerability was not present in stretch): VP8 decoder crash with invalid leading keyframes
CVE-2017-0393 (vulnerability was not present in stretch): VP8 threading issues
CVE-2024-5197: Integer overflows