
Debian has released security updates for python-git and xorg-server:

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3939-1] python-git security update
[SECURITY] [DLA 3940-1] xorg-server security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5800-1] xorg-server security update




[SECURITY] [DLA 3939-1] python-git security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3939-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Daniel Leidert
October 29, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-git
Version : 3.1.14-1+deb11u1
CVE ID : CVE-2022-24439 CVE-2023-40267 CVE-2023-41040
Debian Bug : 1027163 1043503

GitPython provides object model access to a Git repository.

CVE-2022-24439, CVE-2023-40267 (follow-up)

Remote Code Execution (RCE) is possible due to improper user input
validation, which makes it possible to inject a maliciously crafted
remote URL into the clone command. Exploiting this vulnerability is
possible because the library makes external calls to git without
sufficient sanitization of input arguments.

CVE-2023-41040

GitPython reads files from the `.git` directory. In some places the
name of the file being read is provided by the user, and GitPython
doesn't check whether this file is located outside the `.git` directory.
This allows an attacker to make GitPython read any file from the
system.

For Debian 11 bullseye, these problems have been fixed in version
3.1.14-1+deb11u1.

We recommend that you upgrade your python-git packages.

For the detailed security status of python-git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
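
The containment check that the CVE-2023-41040 description says was missing, shown beside the unchecked pattern as an added example. This is not GitPython's code or the Debian patch; the function names, directory layout and file contents are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def read_ref_unchecked(git_dir, ref_name):
    """Unchecked pattern: join a caller-supplied name onto .git and read it."""
    return Path(os.path.join(git_dir, ref_name)).read_text().strip()


def read_ref_checked(git_dir, ref_name):
    """Read a ref file only if it resolves to a location inside git_dir."""
    base = Path(git_dir).resolve()
    # resolve() collapses ".." and follows symlinks. Joining an absolute
    # ref_name discards base entirely; the containment test catches that too.
    target = (base / ref_name).resolve()
    if base not in target.parents:
        raise ValueError(f"ref {ref_name!r} resolves outside {base}")
    if not target.is_file():
        raise ValueError(f"ref {ref_name!r} is not a file")
    return target.read_text().strip()


def demo():
    """Build a constructed work tree and run both readers over sample names."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        git_dir = Path(work, ".git")
        (git_dir / "refs" / "heads").mkdir(parents=True)
        (git_dir / "refs" / "heads" / "main").write_text("a" * 40 + "\n")
        outside = Path(work, "outside.txt")  # constructed file outside .git
        outside.write_text("not-a-ref\n")
        names = {"refs/heads/main": "refs/heads/main",
                 "../outside.txt": "../outside.txt",
                 "refs/heads/../../../outside.txt": "refs/heads/../../../outside.txt",
                 "<absolute>": str(outside)}
        for label, name in names.items():
            unchecked = read_ref_unchecked(git_dir, name)
            try:
                checked = read_ref_checked(git_dir, name)
            except ValueError:
                checked = None  # rejected by the containment check
            results[label] = (unchecked, checked)
    return results


if __name__ == "__main__":
    for label, (unchecked, checked) in demo().items():
        print(f"{label!r}: unchecked={unchecked!r} checked={checked!r}")
```

Only the name that stays under `.git` is returned by the checked reader; the relative and absolute names that leave the directory are rejected before any read happens.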



[SECURITY] [DLA 3940-1] xorg-server security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3940-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
October 29, 2024                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : xorg-server
Version : 2:1.20.11-1+deb11u14
CVE ID : CVE-2024-9632

Jan-Niklas Sohn working with Trend Micro Zero Day Initiative found an
issue in the X server and Xwayland implementations published by X.Org.
CVE-2024-9632 can be triggered by providing a modified bitmap to the X.Org
server. This may lead to local privilege escalation if the server is run
as root or remote code execution (e.g. x11 over ssh).

For Debian 11 bullseye, this problem has been fixed in version
2:1.20.11-1+deb11u14.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently as



[SECURITY] [DSA 5800-1] xorg-server security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5800-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 29, 2024                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xorg-server
CVE ID : CVE-2024-9632
Debian Bug : 1086244

Jan-Niklas Sohn discovered that a heap-based buffer overflow in the
_XkbSetCompatMap function in the X Keyboard Extension of the X.org X
server may result in privilege escalation if the X server is running
privileged.

For the stable distribution (bookworm), this problem has been fixed in
version 2:21.1.7-3+deb12u8.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/