[DLA 3772-1] python3.7 security update
[DLA 3771-1] python2.7 security update
[DSA 5647-1] samba security update
ELA-1064-1 wpa security update
ELA-1063-1 qemu security update
[DSA 5646-1] cacti security update
[DLA 3772-1] python3.7 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3772-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python3.7
Version : 3.7.3-2+deb10u7
CVE ID : CVE-2023-6597 CVE-2024-0450
Two vulnerabilities have been fixed in the Python 3 interpreter.
CVE-2023-6597
tempfile.TemporaryDirectory failure to remove dir
CVE-2024-0450
quoted-overlap zipbomb DoS
For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u7.
We recommend that you upgrade your python3.7 packages.
For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DLA 3771-1] python2.7 security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3771-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : python2.7
Version : 2.7.16-2+deb10u4
CVE ID : CVE-2024-0450
The zipfile module was vulnerable to “quoted-overlap” zip-bombs
in the Python 2 interpreter.
For Debian 10 buster, this problem has been fixed in version
2.7.16-2+deb10u4.
We recommend that you upgrade your python2.7 packages.
For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 5647-1] samba security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5647-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : samba
CVE ID : CVE-2022-2127 CVE-2022-3437 CVE-2023-4091 CVE-2023-34966
CVE-2023-34967 CVE-2023-34968
Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix, which might result in denial of service
or information disclosure.
For the oldstable distribution (bullseye), these problems have been fixed
in version 2:4.13.13+dfsg-1~deb11u6.
We recommend that you upgrade your samba packages.
For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1064-1 wpa security update
Package : wpa
Version : 2.3-1+deb8u14 (jessie), 2:2.4-1+deb9u10 (stretch)
Related CVEs :
CVE-2023-52160
The implementation of PEAP in wpa_supplicant allowed authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network’s TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.
ELA-1063-1 qemu security update
Package : qemu
Version : 1:2.8+dfsg-6+deb9u19 (stretch)
Related CVEs :
CVE-2020-14394
CVE-2023-0330
CVE-2023-2861
CVE-2023-3180
CVE-2023-3354
CVE-2023-5088
Multiple vulnerabilities have been fixed in the machine emulator
and virtualizer QEMU.
CVE-2020-14394
infinite loop in the USB xHCI controller emulation
CVE-2023-0330
reentrancy issues in the LSI controller
CVE-2023-2861
9pfs did not prohibit opening special files on the host side
CVE-2023-3180
heap buffer overflow in the virtual crypto device
CVE-2023-3354
remote unauthenticated clients could cause denial of service in VNC server
CVE-2023-5088
IDE guest I/O operation addressed to an arbitrary disk offset might get targeted to offset 0 instead
[DSA 5646-1] cacti security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5646-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : cacti
CVE ID : CVE-2023-39360 CVE-2023-39513 CVE-2023-49084 CVE-2023-49085
CVE-2023-49086 CVE-2023-49088 CVE-2023-50250 CVE-2023-50569
Debian Bug : 1059254
Multiple security vulnerabilities have been discovered in Cacti, a web
interface for graphing of monitoring systems, which could result in
cross-site scripting, SQL injection, or command injection.
For the oldstable distribution (bullseye), these problems have been fixed
in version 1.2.16+ds1-2+deb11u3.
For the stable distribution (bookworm), these problems have been fixed in
version 1.2.24+ds1-1+deb12u2.
We recommend that you upgrade your cacti packages.
For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
