Debian 10260 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1138-1 python3.4 security update

Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1137-1 python3.5 security update
ELA-1136-1 imagemagick security update



ELA-1138-1 python3.4 security update

Package : python3.4
Version : 3.4.2-1+deb8u18 (jessie)

Related CVEs :
CVE-2024-4032
CVE-2024-5642

Multiple vulnerabilities have been fixed in the Python3 interpreter.
CVE-2024-4032

Incorrect information about private addresses in the ipaddress module

CVE-2024-5642
NPN buffer overread when using empty list in SSLContext.set_npn_protocols()

Note that the CVE-2024-5642 fix disables NPN (Next Protocol Negotiation) in the ssl module, NPN is a TLS extension for the obsolete SPDY protocol (HTTP/2 is the successor to SPDY).

ELA-1138-1 python3.4 security update


ELA-1137-1 python3.5 security update

Package : python3.5
Version : 3.5.3-1+deb9u10 (stretch)

Related CVEs :
CVE-2024-0397
CVE-2024-4032
CVE-2024-5642

Multiple vulnerabilities have been fixed in the Python3 interpreter.

CVE-2024-0397
Race condition in ssl.SSLContext

CVE-2024-4032
Incorrect information about private addresses in the ipaddress module

CVE-2024-5642
NPN buffer overread when using empty list in SSLContext.set_npn_protocols()

Note that the CVE-2024-5642 fix disables NPN (Next Protocol Negotiation) in the ssl module, NPN is a TLS extension for the obsolete SPDY protocol (HTTP/2 is the successor to SPDY). Support for the NPN-successor ALPN for HTTP/2 continues to be available.

ELA-1137-1 python3.5 security update


ELA-1136-1 imagemagick security update

Package : imagemagick
Version : 8:6.9.7.4+dfsg-11+deb9u20 (stretch)

Related CVEs :
CVE-2017-11752
CVE-2017-12566
CVE-2017-18022
CVE-2018-11655
CVE-2022-48541
CVE-2023-1289
CVE-2023-5341
CVE-2023-34151

Imagemagick, an image processing toolking was vulnerable.

CVE-2017-11752
The ReadMAGICKImage function allows remote attackers to cause
a denial of service (memory leak) via a crafted file.

CVE-2017-12566
A memory leak vulnerability was found in the function ReadMVGImage
in mvg coder, which allows attackers to cause a denial of service.

CVE-2017-18022
A memory leak vulnerability was found in MontageImageCommand.

CVE-2018-11655
A memory leak vulnerability was found in the function GetImagePixelCache
which allows attackers to cause a denial of service via a crafted
CALS image file.

CVE-2022-48541
A memory leak in was found that allows a remote attackers to perform
a denial of service via the "identify -help" command.

CVE-2023-1289
Loading a specially created SVG file may cause a segmentation fault.
When ImageMagick crashes, it generates a lot of trash files. These trash
files can be large if the SVG file contains many render actions, and could
result in a denial of service.

CVE-2023-5341
A heap use-after-free flaw was found in coders/bmp.c

CVE-2023-34151
Undefined behaviors of casting double to size_t in svg, mvg and other
coders.

ELA-1136-1 imagemagick security update