Debian 10260 Published by

Debian GNU/Linux has received several security updates, including PHP, WebKitGTK, and libapache-mod-jk:

Debian GNU/Linux 8 (Jessie) and 10 (Buster):
1204-1 libapache-mod-jk security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3920-1] php7.4 security update
[SECURITY] [DLA 3919-1] libapache-mod-jk security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5792-1] webkit2gtk security update



[SECURITY] [DLA 3920-1] php7.4 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3920-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
October 14, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php7.4
Version : 7.4.33-1+deb11u6
CVE ID : CVE-2022-4900 CVE-2024-5458 CVE-2024-8925 CVE-2024-8927
CVE-2024-9026
Debian Bug : 1072885

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in execution of
arbitrary code, erroneous parsing of invalid URLs or multipart form
data, configuration setting bypass, or log pollution.

CVE-2022-4900

It was discovered that setting the environment variable
PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer
overflow.

CVE-2024-5458

Due to a code logic error, filtering functions such as filter_var
when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs
the function results in invalid user information (username +
password part of URLs) being treated as valid user information.
This may lead to the downstream code accepting invalid URLs as valid
and parsing them incorrectly.

This causes the same problems as CVE-2020-7071, but with IPv6 host
parts.

CVE-2024-8925

Mihail Kirov discovered an erroneous parsing of multipart form data
contained in an HTTP POST request, which could lead to legitimate
data not being processed thereby violating data integrity.

CVE-2024-8927

It was discovered that the `cgi.force_redirect` configuration
setting is bypassable due to environment variable collision.

CVE-2024-9026

In PHP-FPM, when configured to catch workers output through
catch_workers_output = yes configuration, it may be possible to
pollute the final log with up to 4 characters from the
FPM_STDIO_CMD_FLUSH macro, or remove up to 4 characters from the
logs.

For Debian 11 bullseye, these problems have been fixed in version
7.4.33-1+deb11u6.

We recommend that you upgrade your php7.4 packages.

For the detailed security status of php7.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5792-1] webkit2gtk security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5792-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
October 14, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : webkit2gtk
CVE ID : CVE-2024-40866 CVE-2024-44187

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-40866

Hafiizh and YoKo Kho discovered that visiting a malicious website
may lead to address bar spoofing.

CVE-2024-44187

Narendra Bhati discovered that a malicious website may exfiltrate
data cross-origin.

For the stable distribution (bookworm), these problems have been fixed in
version 2.46.0-2~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3919-1] libapache-mod-jk security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3919-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
October 14, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libapache-mod-jk
Version : 1:1.2.48-1+deb11u2
CVE ID : CVE-2024-46544
Debian Bug : 1082713

It was discovered that there was a configuration issue in
libapache-mod-jk, an Apache web server module used to forward
requests from Apache to Tomcat using the AJP protocol.

An issue with incorrect default permissions could have allowed local
users to view and modify shared memory containing mod_jk's
configuration, which may have potentially led to information
disclosure and/or a denial of service attack.

For Debian 11 bullseye, this problem has been fixed in version
1:1.2.48-1+deb11u2.

We recommend that you upgrade your libapache-mod-jk packages.

For the detailed security status of libapache-mod-jk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache-mod-jk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



1204-1 libapache-mod-jk security update

Package : libapache-mod-jk
Version : 1:1.2.46-0+deb8u3 (jessie), 1:1.2.46-1+deb10u3 (buster)

Related CVEs :
CVE-2024-46544

It was discovered that there was an insecure configuration issue in
libapache-mod-jk, an Apache web server module used to forward requests from
Apache to Tomcat using the AJP protocol.
An issue with incorrect default permissions could have allowed local users to
view and modify shared memory containing mod_jk’s configuration, which may
have potentially led to information disclosure and/or a denial of service
attack.

1204-1 libapache-mod-jk security update