[DLA 3750-1] php-phpseclib security update
[DLA 3749-1] phpseclib security update
[DLA 3752-1] libuv1 security update
[DLA 3751-1] libapache2-mod-auth-openidc security update
[DLA 3750-1] php-phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3750-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : php-phpseclib
Version : 2.0.30-2~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355
Security issues were discovered in php-phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.
CVE-2024-27354
An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).
This issue was introduced when attempting to fix CVE-2023-27560.
CVE-2024-27355
When processing the ASN.1 object identifier of a certificate, a
sub-identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).
For Debian 10 buster, these problems have been fixed in version
2.0.30-2~deb10u3.
We recommend that you upgrade your php-phpseclib packages.
For the detailed security status of php-phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3749-1] phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3749-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : phpseclib
Version : 1.0.19-3~deb10u3
CVE ID : CVE-2024-27354 CVE-2024-27355
Security issues were discovered in phpseclib, a PHP library for
arbitrary-precision integer arithmetic, which could lead to Denial of
Service.
CVE-2024-27354
An attacker can construct a malformed certificate containing an
extremely large prime to cause a denial of service (CPU consumption
for an `isPrime` primality check).
This issue was introduced when attempting to fix CVE-2023-27560.
CVE-2024-27355
When processing the ASN.1 object identifier of a certificate, a
sub-identifier may be provided that leads to a denial of service (CPU
consumption for `decodeOID`).
For Debian 10 buster, these problems have been fixed in version
1.0.19-3~deb10u3.
We recommend that you upgrade your phpseclib packages.
For the detailed security status of phpseclib please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
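The two phpseclib advisories above describe the same class of defect: a certificate field of attacker-chosen size reaches a routine whose running time grows with that size (`isPrime` on an enormous integer, `decodeOID` on an enormous sub-identifier). The following is an added illustration, not code from phpseclib or from the advisory, of the guards a parser places in front of such routines: a bit-length cap before any primality test, and a per-sub-identifier octet cap while decoding an ASN.1 OBJECT IDENTIFIER. The cap values `MAX_PRIME_BITS` and `MAX_ARC_BYTES` are assumptions chosen for this example.

```python
"""Bounding untrusted certificate fields before expensive work.

Added illustration, not phpseclib code. Both guards turn an attacker-chosen
size into an immediate parse error instead of unbounded CPU time. The caps
MAX_PRIME_BITS and MAX_ARC_BYTES are assumptions for this example, not values
taken from the advisory or from phpseclib.
"""
import random

MAX_PRIME_BITS = 8192  # assumption: widest integer we are willing to primality-test
MAX_ARC_BYTES = 10     # assumption: 10 base-128 octets hold any 64-bit sub-identifier


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test with a size cap.

    Raises ValueError rather than spending CPU on an oversized integer;
    the caller treats that the same as a malformed certificate.
    """
    if n.bit_length() > MAX_PRIME_BITS:
        raise ValueError(
            f"integer of {n.bit_length()} bits exceeds cap of {MAX_PRIME_BITS}")
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness to compositeness
    return True


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER (tag and length
    already removed) into dotted form, bounding every sub-identifier.

    Each sub-identifier is base-128, big-endian, with bit 7 set on every
    octet except the last; the first one packs the first two components as
    40*X + Y. Without MAX_ARC_BYTES a long run of continuation octets would
    grow `value` without limit.
    """
    if not content:
        raise ValueError("empty OBJECT IDENTIFIER")
    if content[-1] & 0x80:
        raise ValueError("truncated OBJECT IDENTIFIER: continuation bit on last octet")
    arcs, value, nbytes = [], 0, 0
    for b in content:
        nbytes += 1
        if nbytes > MAX_ARC_BYTES:
            raise ValueError(f"sub-identifier longer than {MAX_ARC_BYTES} octets")
        if nbytes == 1 and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding (leading 0x80)")
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value, nbytes = 0, 0
    first = arcs[0]
    if first < 40:
        x, y = 0, first
    elif first < 80:
        x, y = 1, first - 40
    else:
        x, y = 2, first - 80
    return ".".join(str(a) for a in [x, y, *arcs[1:]])


if __name__ == "__main__":
    # Content octets of sha256WithRSAEncryption: 06 09 2A 86 48 86 F7 0D 01 01 0B
    print(decode_oid(bytes.fromhex("2a864886f70d01010b")))  # 1.2.840.113549.1.1.11
    print(is_probable_prime(2**127 - 1))                    # True
```

Both guards fail closed: the caller sees a ValueError for an oversized field exactly as it would for any other malformed DER, and the expensive routine is never entered.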
[DLA 3752-1] libuv1 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3752-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libuv1
Version : 1.24.1-1+deb10u2
CVE ID : CVE-2024-24806
Debian Bug : 1063484
Improper Domain Lookup in uv_getaddrinfo() has been fixed in libuv,
an asynchronous event notification library.
For Debian 10 buster, this problem has been fixed in version
1.24.1-1+deb10u2.
We recommend that you upgrade your libuv1 packages.
For the detailed security status of libuv1 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libuv1
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3751-1] libapache2-mod-auth-openidc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3751-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
March 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libapache2-mod-auth-openidc
Version : 2.3.10.2-1+deb10u4
CVE ID : CVE-2024-24814
Debian Bug : 1064183
It was discovered that libapache2-mod-auth-openidc, an OpenID Connect
(OpenIDC) module for the Apache web server, was vulnerable to a potential
Denial of Service (DoS) attack.
Missing input validation on the mod_auth_openidc_session_chunks cookie
value made the server vulnerable to this attack. If an attacker set the
value of the OpenIDC cookie to a very large integer such as 99999999, the
server struggled with the request for a long time and eventually returned
a 500 error. A few requests of this kind caused servers to become
unresponsive, so an attacker could, with minimal effort, craft requests
that made the server work very hard and/or crash.
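The advisory's description amounts to a loop whose iteration count is read straight from a client-controlled cookie. The following is an added illustration, not code from mod_auth_openidc, of the weak pattern beside the hardened one: the count is parsed strictly and bounded before any per-chunk work is done. The cookie name `mod_auth_openidc_session_chunks` is the one named in the advisory; the chunk-cookie naming scheme `mod_auth_openidc_session_<i>` and the bound `MAX_CHUNKS = 32` are assumptions for this example.

```python
"""Bounded reassembly of a chunked session cookie.

Added illustration, not mod_auth_openidc code. COUNT_COOKIE is the cookie
named in the advisory; CHUNK_PREFIX and MAX_CHUNKS are assumptions chosen
for this example.
"""

COUNT_COOKIE = "mod_auth_openidc_session_chunks"  # name given in the advisory
CHUNK_PREFIX = "mod_auth_openidc_session_"         # assumed chunk-cookie naming
MAX_CHUNKS = 32                                     # assumed upper bound on chunks


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def reassemble_session_unchecked(cookies: dict) -> str:
    """The weak pattern: trust the count and loop over it.

    Work is proportional to whatever the client sent. With a count such as
    99999999 this loop runs that many times before the request finally fails,
    which is the behaviour the advisory describes.
    """
    count = int(cookies.get(COUNT_COOKIE, "1"))
    pieces = []
    for i in range(count):
        pieces.append(cookies.get(f"{CHUNK_PREFIX}{i}", ""))
    return "".join(pieces)


def reassemble_session(cookies: dict) -> str:
    """Hardened: validate the count before doing any per-chunk work.

    Raises ValueError for anything that is not a small positive decimal
    integer, or when a promised chunk is absent.
    """
    raw = cookies.get(COUNT_COOKIE, "1")
    # ASCII digits only: rejects "", "-1", "1e9", " 5", "0x10" and
    # non-ASCII digit characters that str.isdigit() alone would accept.
    if not (raw.isascii() and raw.isdigit()) or len(raw) > len(str(MAX_CHUNKS)):
        raise ValueError(f"{COUNT_COOKIE}: malformed count {raw!r}")
    count = int(raw)
    if not 1 <= count <= MAX_CHUNKS:
        raise ValueError(f"{COUNT_COOKIE}: count {count} outside 1..{MAX_CHUNKS}")
    pieces = []
    for i in range(count):
        chunk = cookies.get(f"{CHUNK_PREFIX}{i}")
        if chunk is None:
            raise ValueError(f"missing chunk cookie {CHUNK_PREFIX}{i}")
        pieces.append(chunk)
    return "".join(pieces)


def rejects(header: str) -> bool:
    """True if the hardened path refuses the given Cookie header."""
    try:
        reassemble_session(parse_cookie_header(header))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample header: two well-formed chunks.
    good = (f"{COUNT_COOKIE}=2; {CHUNK_PREFIX}0=abc; {CHUNK_PREFIX}1=def")
    print(reassemble_session(parse_cookie_header(good)))   # abcdef
    print(rejects(f"{COUNT_COOKIE}=99999999"))             # True
```

The length check on the raw digit string rejects the oversized value before `int()` is even called, so the cost of a hostile request is a handful of string comparisons rather than a loop of client-chosen length.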
For Debian 10 buster, this problem has been fixed in version
2.3.10.2-1+deb10u4.
We recommend that you upgrade your libapache2-mod-auth-openidc packages.
For the detailed security status of libapache2-mod-auth-openidc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS