Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1270-1 ntp security update
Debian GNU/Linux 11 (Bookworm) LTS:
[DSA 5827-1] proftpd-dfsg security update
[DSA 5826-1] smarty3 security update
[SECURITY] [DSA 5827-1] proftpd-dfsg security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5827-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 10, 2024                     https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : proftpd-dfsg
CVE ID : CVE-2024-48651
Debian Bug : 1082326
Brian Ristuccia discovered that in ProFTPD, a powerful modular
FTP/SFTP/FTPS server, a session whose user is looked up through mod_sql
receives no supplemental groups from mod_sql and therefore keeps the
supplemental groups it inherited, granting unintended access to GID 0.
For the stable distribution (bookworm), this problem has been fixed in
version 1.3.8+dfsg-4+deb12u4.
We recommend that you upgrade your proftpd-dfsg packages.
For the detailed security status of proftpd-dfsg please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/proftpd-dfsg
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 5826-1] smarty3 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5826-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 10, 2024                     https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : smarty3
CVE ID : CVE-2023-28447 CVE-2024-35226
Two security vulnerabilities were discovered in Smarty, a template
engine for PHP, which could result in PHP code injection or cross-site
scripting.
For the stable distribution (bookworm), these problems have been fixed in
version 3.1.47-2+deb12u1.
We recommend that you upgrade your smarty3 packages.
For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty3
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1270-1 ntp security update
Package : ntp
Version : 1:4.2.8p12+dfsg-4+deb10u1 (buster)
Related CVEs :
CVE-2020-11868
CVE-2020-15025
CVE-2023-26555
Multiple vulnerabilities were discovered in ntp, a Network Time Protocol
daemon and set of utility programs.
CVE-2020-11868
It was possible for an off-path attacker to block unauthenticated
synchronisation via a server mode packet with a spoofed source IP address.
CVE-2020-15025
A remote attacker could cause a denial of service because of a memory leak
in situations where a CMAC key is used and associated with a CMAC algorithm
in the ntp.keys file.
CVE-2023-26555
The clock driver for the Trimble Palisade GPS timing receiver contained an
out-of-bounds write, which could cause memory corruption or a crash.