Debian 10379

Debian GNU/Linux has been updated with several security enhancements, including updates for postgresql-13 regression, bind9, libtasn1-6, python-werkzeug, and gnutls28:

Debian GNU/Linux 9 (Stretch) and 10 (Buster) Extended LTS:
ELA-1325-1 bind9 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4052-2] postgresql-13 regression update
[DLA 4061-1] libtasn1-6 security update
[DLA 4062-1] python-werkzeug security update
[DLA 4063-1] gnutls28 security update




[SECURITY] [DLA 4052-2] postgresql-13 regression update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4052-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
February 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : postgresql-13
Version : 13.20-0+deb11u1
CVE ID : CVE-2025-1094

The fix for CVE-2025-1094 included an error that caused the
PQescapeLiteral and PQescapeIdentifier functions to ignore their
length parameter and instead read the input up to its NUL terminator.
That could cause unintended characters to be included in the output,
or worse, buffer overflows.
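To make the regression concrete, here is an added illustration (not libpq's code, and not part of the advisory) using a simplified stand-in escaper that wraps the text in single quotes and doubles embedded quotes: one variant ignores its length argument and scans to the NUL terminator, the other honours it. The probe escapes only the first 3 bytes of a longer constructed buffer, which is the kind of check a packager could run against an updated libpq build.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of a libpq-style literal escaper (not libpq's code):
 * wrap the text in single quotes and double any embedded quote.
 * Only the first n bytes of str are consumed. */
static char *escape_n(const char *str, size_t n) {
    char *out = malloc(2 * n + 3);   /* worst case: every byte doubled */
    size_t o = 0;
    if (!out) return NULL;
    out[o++] = '\'';
    for (size_t i = 0; i < n; i++) {
        if (str[i] == '\'') out[o++] = '\'';
        out[o++] = str[i];
    }
    out[o++] = '\'';
    out[o] = '\0';
    return out;
}

/* The regressed behaviour the advisory describes: len is ignored and the
 * scan runs on to the NUL terminator, so bytes the caller never meant to
 * pass end up in the output (and, with a buffer sized from len, past it). */
char *escape_literal_regressed(const char *str, size_t len) {
    (void)len;
    return escape_n(str, strlen(str));
}

/* Intended behaviour (assumption modelled on libpq's documented contract):
 * stop at len, or earlier at an embedded NUL. */
char *escape_literal_fixed(const char *str, size_t len) {
    size_t n = 0;
    while (n < len && str[n] != '\0') n++;
    return escape_n(str, n);
}

/* Regression probe on a constructed buffer: escape only its first 3 bytes.
 * Returns 1 if the escaper honoured len, 0 if trailing bytes leaked in. */
int honours_length(char *(*esc)(const char *, size_t)) {
    const char buf[] = "abc'trailing";
    char *got = esc(buf, 3);
    int ok = got != NULL && strcmp(got, "'abc'") == 0;
    free(got);
    return ok;
}
```

Calling `honours_length(escape_literal_fixed)` yields 1, while `honours_length(escape_literal_regressed)` yields 0 because the result is `'abc''trailing'` rather than `'abc'`.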

For Debian 11 bullseye, this problem has been fixed in version
13.20-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1325-1 bind9 security update


Package : bind9
Version : 1:9.10.3.dfsg.P4-12.3+deb9u18 (stretch), 1:9.11.5.P4+dfsg-5.1+deb10u14 (buster)

Related CVEs :
CVE-2024-11187

One vulnerability was discovered in BIND, a DNS server implementation, which
may result in denial of service.
It is possible to construct a zone such that some queries to it will generate
responses containing numerous records in the Additional section. An attacker
sending many such queries can cause either the authoritative server itself or
an independent resolver to use disproportionate resources processing the
queries. Zones will usually need to have been deliberately crafted to exploit
this flaw.





[SECURITY] [DLA 4061-1] libtasn1-6 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4061-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
February 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libtasn1-6
Version : 4.16.0-2+deb11u2
CVE ID : CVE-2024-12133
Debian Bug : 1095406

Bing Shi discovered that libtasn1-6, a runtime library to manage ASN.1
structures, handled certificate data with a large number of names or
name constraints inefficiently, potentially leading to denial of
service when processing specially crafted certificates.

For Debian 11 bullseye, this problem has been fixed in version
4.16.0-2+deb11u2.

We recommend that you upgrade your libtasn1-6 packages.

For the detailed security status of libtasn1-6 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libtasn1-6

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4062-1] python-werkzeug security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4062-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
February 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-werkzeug
Version : 1.0.1+dfsg1-2+deb11u2
CVE ID : CVE-2024-34069
Debian Bug : 1070711

It was discovered that there was a potential remote code execution
vulnerability in python-werkzeug, a library used to create WSGI-based
web applications in Python.

This attack required the attacker to manipulate a developer into
interacting with a domain and subdomain under the attacker's control,
and into entering the debugger PIN. If successful, it would have
allowed full access to the debugger, even if the server was only
running on localhost.

For Debian 11 bullseye, this problem has been fixed in version
1.0.1+dfsg1-2+deb11u2.

We recommend that you upgrade your python-werkzeug packages.

For the detailed security status of python-werkzeug please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-werkzeug

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4063-1] gnutls28 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4063-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
February 21, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gnutls28
Version : 3.7.1-5+deb11u7
CVE ID : CVE-2024-12243

Bing Shi discovered that GnuTLS, a portable library which implements
the Transport Layer Security and Datagram Transport Layer Security
protocols, handled certificate data with a large number of names or
name constraints inefficiently, potentially leading to denial of
service when processing specially crafted certificates.

For Debian 11 bullseye, this problem has been fixed in version
3.7.1-5+deb11u7.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS