Debian 10260 Published by

The following updates are available for Debian GNU/Linux:

[DLA 3764-1] postgresql-11 security update
ELA-1058-1 kde4libs security update
ELA-1057-1 inetutils security update
ELA-1056-1 python3.4 security update
[DLA 3766-1] zfs-linux security update
[DLA 3765-1] cacti security update




[DLA 3764-1] postgresql-11 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3764-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 18, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : postgresql-11
Version : 11.22-0+deb10u2
CVE ID : CVE-2024-0985

In the PostgreSQL database server, a late privilege drop in the
REFRESH MATERIALIZED VIEW CONCURRENTLY command could allow an
attacker to trick a user with higher privileges to run SQL commands.

For Debian 10 buster, this problem has been fixed in version
11.22-0+deb10u2.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1058-1 kde4libs security update

Package : kde4libs
Version : 4:4.14.26-2+deb9u1 (stretch)

Related CVEs :
CVE-2019-14744

Dominik Penner discovered a flaw in how KConfig interpreted shell commands
in desktop files and other configuration files. An attacker may trick users
into installing specially crafted files which could then be used to execute
arbitrary code, e.g. a file manager trying to find out the icon for a file
or any application using KConfig. Thus the entire feature of supporting
shell commands in KConfig entries has been removed.

ELA-1058-1 kde4libs security update


ELA-1057-1 inetutils security update

Package : inetutils
Version : 2:1.9.2.39.3a460-3+deb8u2 (jessie)

Related CVEs :
CVE-2019-0053
CVE-2021-40491
CVE-2022-39028
CVE-2023-40303

Mutiple vulnerabilities were found in the inetutils package, a collection
of common network programs.

CVE-2019-0053
A stack-based overflow is present in the handling of environment variables
when connecting via the telnet client to remote telnet servers. This issue
only affects the telnet client — accessible from the CLI or shell — in
Junos OS. Inbound telnet services are not affected by this issue.

CVE-2021-40491
The ftp client in inetutils does not validate addresses returned by
PASV/LSPV responses to make sure they match the server address.

CVE-2022-39028
telnetd in inetutils has a NULL pointer dereference via 0xff 0xf7 or 0xff
0xf8. In a typical installation, the telnetd application would crash but
the telnet service would remain available through inetd. However, if the
telnetd application has many crashes within a short time interval, the
telnet service would become unavailable after inetd logs a “telnet/tcp
server failing (looping), service terminated” error.

CVE-2023-40303
inetutils may allow privilege escalation because of unchecked return values
of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd.
This is, for example, relevant if the setuid system call fails when a
process is trying to drop privileges before letting an ordinary user
control the activities of the process.

ELA-1057-1 inetutils security update


ELA-1056-1 python3.4 security update

Package : python3.4
Version : 3.4.2-1+deb8u16 (jessie)

Related CVEs :
CVE-2022-48560
CVE-2022-48564
CVE-2022-48565
CVE-2022-48566
CVE-2023-40217

Multiple vulnerabilities were found in python3.4, an interactive
high-level object-oriented language. An attacker could cause DoS
(denial-of-service) situations, exfiltrate private information, and
possibly execute arbitrary code.

CVE-2022-48560
A use-after-free exists via heappushpop in heapq.

CVE-2022-48564
read_ints in plistlib.py is vulnerable to a potential DoS attack
via CPU and RAM exhaustion when processing malformed Apple
Property List files in binary format.

CVE-2022-48565
An XML External Entity (XXE) issue was discovered. The
plistlib module no longer accepts entity declarations in XML plist
files to avoid XML vulnerabilities.

CVE-2022-48566
In compare_digest in Lib/hmac.py, constant-time-defeating
optimisations were possible in the accumulator variable in
hmac.compare_digest.

CVE-2023-40217
If a TLS server-side socket is created, receives data into the
socket buffer, and then is closed quickly, there is a brief window
where the SSLSocket instance will detect the socket as “not
connected” and won’t initiate a handshake, but buffered data will
still be readable from the socket buffer.

ELA-1056-1 python3.4 security update


[DLA 3766-1] zfs-linux security update


- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3766-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
March 19, 2024 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package : zfs-linux
Version : 0.7.12-2+deb10u3
CVE ID : CVE-2013-20001 CVE-2023-49298
Debian Bug : 1059322 1056752

A couple of vulnerabilities were found in zfs-linux.

CVE-2013-20001

In OpenZFS, when an NFS share is exported to IPv6 addresses via the
sharenfs feature, there is a silent failure to parse the IPv6
address data, and access is allowed to everyone. IPv6 restrictions
from the configuration are not applied.

CVE-2023-49298

OpenZFS in certain scenarios involving applications that try to rely
on efficient copying of file data, can replace file contents with
zero-valued bytes and thus potentially disable security mechanisms.

For Debian 10 buster, these problems have been fixed in version
0.7.12-2+deb10u3.

We recommend that you upgrade your zfs-linux packages.

For the detailed security status of zfs-linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zfs-linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3765-1] cacti security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3765-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
March 18, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : cacti
Version : 1.2.2+ds1-2+deb10u6
CVE ID : CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362
CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515
CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086
CVE-2023-49088
Debian Bug : 1059254

Multiple vulnerabilities were found in Cacti, a network monitoring
system. An attacker could manipulate the database, execute code
remotely, launch DoS (denial-of-service) attacks or impersonate Cacti
users, in some situations.

CVE-2023-39357

When the column type is numeric, the sql_save function directly
utilizes user input. Many files and functions calling the sql_save
function do not perform prior validation of user input, leading to
the existence of multiple SQL injection vulnerabilities in
Cacti. This allows authenticated users to exploit these SQL
injection vulnerabilities to perform privilege escalation and
remote code execution.

CVE-2023-39360

Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data. The vulnerability is found in
`graphs_new.php`. Several validations are performed, but the
`returnto` parameter is directly passed to `form_save_button`. In
order to bypass this validation, returnto must contain `host.php`.

CVE-2023-39361

SQL injection discovered in graph_view.php. Since guest users can
access graph_view.php without authentication by default, if guest
users are being utilized in an enabled state, there could be the
potential for significant damage. Attackers may exploit this
vulnerability, and there may be povssibilities for actions such as
the usurpation of administrative privileges or remote code
execution.

CVE-2023-39362

An authenticated privileged user, can use a malicious string in
the SNMP options of a Device, performing command injection and
obtaining remote code execution on the underlying server. The
`lib/snmp.php` file has a set of functions, with similar behavior,
that accept in input some variables and place them into an `exec`
call without a proper escape or validation.

CVE-2023-39364

Users with console access can be redirected to an arbitrary
website after a change password performed via a specifically
crafted URL. The `auth_changepassword.php` file accepts `ref` as a
URL parameter and reflects it in the form used to perform the
change password. It's value is used to perform a redirect via
`header` PHP function. A user can be tricked in performing the
change password operation, e.g., via a phishing message, and then
interacting with the malicious website where the redirection has
been performed, e.g., downloading malwares, providing credentials,
etc.

CVE-2023-39365

Issues with Cacti Regular Expression validation combined with the
external links feature can lead to limited SQL Injections and
subsequent data leakage.

CVE-2023-39513

Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. The script under `host.php` is used to monitor and
manage hosts in the _cacti_ app, hence displays useful information
such as data queries and verbose logs.

CVE-2023-39515

Stored Cross-Site-Scripting (XSS) Vulnerability allows an
authenticated user to poison data stored in the cacti's
database. These data will be viewed by administrative cacti
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_debug.php` displays data source
related debugging information such as _data source paths, polling
settings, meta-data on the data source.

CVE-2023-39516

Stored Cross-Site-Scripting (XSS) Vulnerability which allows an
authenticated user to poison data stored in the _cacti_'s
database. These data will be viewed by administrative _cacti_
accounts and execute JavaScript code in the victim's browser at
view-time. The script under `data_sources.php` displays the data
source management information (e.g. data source path, polling
configuration etc.) for different data visualizations of the
_cacti_ app.

CVE-2023-49084

While using the detected SQL Injection and insufficient processing
of the include file path, it is possible to execute arbitrary code
on the server. Exploitation of the vulnerability is possible for
an authorized user. The vulnerable component is the `link.php`.

CVE-2023-49085

It is possible to execute arbitrary SQL code through the
`pollers.php` script. An authorized user may be able to execute
arbitrary SQL code. The vulnerable component is the `pollers.php`.

CVE-2023-49086

Bypassing an earlier fix (CVE-2023-39360) that leads to a DOM XSS
attack. Exploitation of the vulnerability is possible for an
authorized user. The vulnerable component is the `graphs_new.php`.

CVE-2023-49088

The fix applied for CVE-2023-39515 in version 1.2.25 is incomplete
as it enables an adversary to have a victim browser execute
malicious code when a victim user hovers their mouse over the
malicious data source path in `data_debug.php`.

For Debian 10 buster, these problems have been fixed in version
1.2.2+ds1-2+deb10u6.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS