Debian 10260 Published by

The following updates have been released for Debian GNU/Linux:

[DLA 3772-1] python3.7 security update
[DLA 3771-1] python2.7 security update
[DSA 5647-1] samba security update
ELA-1064-1 wpa security update
ELA-1063-1 qemu security update
[DSA 5646-1] cacti security update




[DLA 3772-1] python3.7 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3772-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python3.7
Version : 3.7.3-2+deb10u7
CVE ID : CVE-2023-6597 CVE-2024-0450

Two vulnerabilities have been fixed in the Python 3 interpreter.

CVE-2023-6597

tempfile.TemporaryDirectory failure to remove dir

CVE-2024-0450

quoted-overlap zipbomb DoS

For Debian 10 buster, these problems have been fixed in version
3.7.3-2+deb10u7.

We recommend that you upgrade your python3.7 packages.

For the detailed security status of python3.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python3.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3771-1] python2.7 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3771-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 24, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python2.7
Version : 2.7.16-2+deb10u4
CVE ID : CVE-2024-0450

The zipfile module was vulnerable to “quoted-overlap” zip-bombs
in the Python 2 interpreter.

For Debian 10 buster, this problem has been fixed in version
2.7.16-2+deb10u4.

We recommend that you upgrade your python2.7 packages.

For the detailed security status of python2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5647-1] samba security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5647-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
March 24, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : samba
CVE ID : CVE-2022-2127 CVE-2022-3437 CVE-2023-4091 CVE-2023-34966
CVE-2023-34967 CVE-2023-34968

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix, which might result in denial of service
or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2:4.13.13+dfsg-1~deb11u6.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1064-1 wpa security update

Package : wpa
Version : 2.3-1+deb8u14 (jessie), 2:2.4-1+deb9u10 (stretch)

Related CVEs :
CVE-2023-52160

The implementation of PEAP in wpa_supplicant allowed authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network’s TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

ELA-1064-1 wpa security update


ELA-1063-1 qemu security update

Package : qemu
Version : 1:2.8+dfsg-6+deb9u19 (stretch)

Related CVEs :
CVE-2020-14394
CVE-2023-0330
CVE-2023-2861
CVE-2023-3180
CVE-2023-3354
CVE-2023-5088

Multiple vulnerabilities have been fixed in the machine emulator
and virtualizer QEMU.

CVE-2020-14394
infinite loop in the USB xHCI controller emulation

CVE-2023-0330
reentrancy issues in the LSI controller

CVE-2023-2861
9pfs did not prohibit opening special files on the host side

CVE-2023-3180
heap buffer overflow in the virtual crypto device

CVE-2023-3354
remote unauthenticated clients could cause denial of service in VNC server

CVE-2023-5088
IDE guest I/O operation addressed to an arbitrary disk offset might get targeted to offset 0 instead

ELA-1063-1 qemu security update


[DSA 5646-1] cacti security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5646-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
March 24, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : cacti
CVE ID : CVE-2023-39360 CVE-2023-39513 CVE-2023-49084 CVE-2023-49085
CVE-2023-49086 CVE-2023-49088 CVE-2023-50250 CVE-2023-50569
Debian Bug : 1059254

Multiple security vulnerabilities have been discovered in Cacti, a web
interface for graphing of monitoring systems, which could result in
cross-site scripting, SQL injection, or command injection.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1.2.16+ds1-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in
version 1.2.24+ds1-1+deb12u2.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/