Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3980-1] python3.9 security update
[DLA 3981-1] simplesamlphp security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5822-1] simplesamlphp security update
[SECURITY] [DLA 3980-1] python3.9 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3980-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
December 02, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : python3.9
Version : 3.9.2-1+deb11u2
CVE ID : CVE-2015-20107 CVE-2020-10735 CVE-2021-3426 CVE-2021-3733
CVE-2021-3737 CVE-2021-4189 CVE-2021-28861 CVE-2021-29921
CVE-2022-42919 CVE-2022-45061 CVE-2023-6597 CVE-2023-24329
CVE-2023-27043 CVE-2023-40217 CVE-2024-0397 CVE-2024-0450
CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592
CVE-2024-8088 CVE-2024-9287 CVE-2024-11168
Debian Bug : 989195 1070135 1059298 1070133
Multiple vulnerabilities have been fixed in the Python3 interpreter.
CVE-2015-20107
The mailcap module did not add escape characters into commands
discovered in the system mailcap file
CVE-2020-10735
Denial of service via quadratic-time int/str conversion of very large integers
CVE-2021-3426
Remove the pydoc getfile feature which could be abused to read
arbitrary files on the disk
CVE-2021-3733
Regular Expression Denial of Service in urllib's
AbstractBasicAuthHandler class
CVE-2021-3737
Infinite loop in the HTTP client code
CVE-2021-4189
Make ftplib not trust the PASV response
CVE-2021-28861
Open redirection vulnerability in http.server
CVE-2021-29921
ipaddress no longer accepts leading zeros in IPv4 octets, which other
parsers may interpret as octal
CVE-2022-42919
Don't use Linux abstract sockets for multiprocessing
CVE-2022-45061
Quadratic time in the IDNA decoder
CVE-2023-6597
tempfile.TemporaryDirectory followed symlinks during cleanup
CVE-2023-24329
Strip C0 control and space chars in urlsplit
CVE-2023-27043
Reject malformed addresses in email.parseaddr()
CVE-2023-40217
ssl.SSLSocket could hand back unauthenticated data buffered before the
TLS handshake completed (TLS handshake bypass)
CVE-2024-0397
Race condition in ssl.SSLContext
CVE-2024-0450
Quoted-overlap zipbomb DoS
CVE-2024-4032
Incorrect information about private addresses in the ipaddress
module
CVE-2024-6232
ReDoS when parsing tarfile headers
CVE-2024-6923
Encode newlines in headers in the email module
CVE-2024-7592
Quadratic complexity parsing cookies with backslashes
CVE-2024-8088
Infinite loop when iterating over zip archive entry names
CVE-2024-9287
venv activation scripts did not quote the environment path
CVE-2024-11168
urllib functions improperly validated bracketed hosts
For Debian 11 bullseye, these problems have been fixed in version
3.9.2-1+deb11u2.
We recommend that you upgrade your python3.9 packages.
For the detailed security status of python3.9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.9
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3981-1] simplesamlphp security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3981-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Santiago Ruano Rincón
December 02, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : simplesamlphp
Version : 1.19.0-1+deb11u1
CVE ID : CVE-2024-52596
It was discovered that SimpleSAMLphp, an implementation of the SAML 2.0
protocol, is prone to an XXE vulnerability when loading an (untrusted) XML
document.
For Debian 11 bullseye, this problem has been fixed in version
1.19.0-1+deb11u1.
We recommend that you upgrade your simplesamlphp packages.
For the detailed security status of simplesamlphp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
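The XXE class named in DLA-3981-1 and DSA-5822-1 relies on the attacker's document carrying a DTD that declares an external entity. The following is an added example and is not SimpleSAMLphp's own fix (the project is PHP); it shows the generic defence in Python's standard library: hook expat's DOCTYPE and entity-declaration callbacks so that any document with a DTD is refused before it ever reaches the real parser. The sample documents (a minimal SAML Response and an XXE payload aimed at it) are constructed for this example.

```python
"""Refuse XML documents that carry a DOCTYPE before parsing them.

Added example for the XXE class in DLA-3981-1 / DSA-5822-1; not
SimpleSAMLphp's own code. Every XXE payload needs a DTD to declare the
external entity, so a document with any DOCTYPE (or entity declaration)
is rejected up front, which also blocks entity-expansion bombs.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the document declares a DTD or an entity."""


def assert_no_dtd(data: bytes) -> None:
    """Run expat over the bytes and raise UnsafeXML on DOCTYPE/ENTITY.

    Exceptions raised inside an expat handler propagate out of Parse(),
    so the scan stops at the first DTD construct seen.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")

    def on_entity(name, *_rest):
        raise UnsafeXML(f"entity declaration {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def safe_parse(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the DTD check has passed."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def try_parse(data: bytes):
    """(True, root tag) when accepted, (False, reason) when refused."""
    try:
        return True, safe_parse(data).tag
    except UnsafeXML as exc:
        return False, str(exc)


# Constructed samples (not real IdP traffic).
CLEAN = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml:Issuer>
</samlp:Response>"""

# Classic XXE: an external entity that would read a local file.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_1">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">&xxe;</saml:Issuer>
</samlp:Response>"""

# Internal-entity expansion bomb: no external fetch, still a DTD.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<lolz>&lol2;</lolz>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("xxe", XXE), ("laughs", LAUGHS)):
        print(label, try_parse(doc))
```

The check deliberately runs as a separate pass rather than relying on the application parser's own entity settings, so it holds regardless of which XML library consumes the document afterwards.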
[SECURITY] [DSA 5822-1] simplesamlphp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5822-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 02, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : simplesamlphp
CVE ID : CVE-2024-52596
It was discovered that SimpleSAMLphp, an implementation of the SAML
2.0 protocol, is prone to an XXE vulnerability when loading an
(untrusted) XML document.
For the stable distribution (bookworm), this problem has been fixed in
version 1.19.7-1+deb12u1.
We recommend that you upgrade your simplesamlphp packages.
For the detailed security status of simplesamlphp please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/simplesamlphp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
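All three advisories above (DLA-3980-1, DLA-3981-1, DSA-5822-1) end with "fixed in version X; upgrade your packages", and the practical check is whether the installed version is at or above that X. The following is an added example, not Debian tooling: it re-implements the dpkg/Debian Policy version ordering (epoch, upstream, revision; `~` sorts before the end of string; digit runs compare numerically) so it runs anywhere, and applies it to `dpkg-query -W`-style output. The sample output and the suite-to-package table are constructed from the fixed versions quoted in the advisories; on a real host the same decision is `dpkg --compare-versions`.

```python
"""Check installed Debian package versions against the fixed versions
named in DLA-3980-1, DLA-3981-1 and DSA-5822-1.

Added example, not Debian's own tooling. compare_versions() follows the
dpkg algorithm so the check is self-contained; on a real host prefer
`dpkg --compare-versions installed lt fixed`.
"""
from typing import Dict, List, Tuple

# Fixed versions quoted in the advisories, keyed by suite then package.
FIXED: Dict[str, Dict[str, str]] = {
    "bullseye": {"python3.9": "3.9.2-1+deb11u2",
                 "simplesamlphp": "1.19.0-1+deb11u1"},
    "bookworm": {"simplesamlphp": "1.19.7-1+deb12u1"},
}


def _order(c: str) -> int:
    """Sort weight of one non-digit character (dpkg's order())."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # '~' sorts before even the empty string
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments as dpkg does: <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit prefixes compare character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs compare numerically: strip leading zeros, longer run wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch and revision are optional."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:                 # no hyphen: everything is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older, equal or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    for diff in ((ea > eb) - (ea < eb), _verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if diff:
            return 1 if diff > 0 else -1
    return 0


def unpatched(dpkg_output: str, suite: str) -> List[Tuple[str, str, str]]:
    """Parse 'package version' lines (dpkg-query -W output) and return
    (package, installed, fixed) for each advisory package still too old."""
    missing = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, installed = parts
        fixed = FIXED.get(suite, {}).get(pkg)
        if fixed and compare_versions(installed, fixed) < 0:
            missing.append((pkg, installed, fixed))
    return missing


# Constructed sample: a bullseye host whose python3.9 predates DLA-3980-1.
SAMPLE_DPKG_OUTPUT = """\
python3.9 3.9.2-1+deb11u1
simplesamlphp 1.19.0-1+deb11u1
"""

if __name__ == "__main__":
    for pkg, have, need in unpatched(SAMPLE_DPKG_OUTPUT, "bullseye"):
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Feed it real data with `dpkg-query -W -f='${Package} ${Version}\n' python3.9 simplesamlphp`; note that the python3.9 source package also builds libpython3.9-stdlib and friends, which carry the same version string and should be checked too.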