Debian 10225 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie):
ELA-1099-1 apache2 security update

Debian GNU/Linux 9 (Stretch):
ELA-1098-1 apache2 security update
ELA-1100-1 python-pymysql security update

Debian GNU/Linux 10 (Buster):
[DLA 3822-1] python-pymysql security update
[DLA 3823-1] less security update



[DLA 3822-1] python-pymysql security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3822-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
May 27, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : python-pymysql
Version : 0.9.3-1+deb10u1
CVE ID : CVE-2024-36039
Debian Bug : 1071628

It was discovered that there was a potential SQL injection attack
in python-pymysql, a MySQL client library for Python. This was
exploitable when python-pymysql was used with untrusted JSON input
as keys were not escaped by the escape_dict routine.

For Debian 10 buster, this problem has been fixed in version
0.9.3-1+deb10u1.

We recommend that you upgrade your python-pymysql packages.

For the detailed security status of python-pymysql please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pymysql

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1099-1 apache2 security update

Package : apache2
Version : 2.4.10-10+deb8u26 (jessie)

Related CVEs :
CVE-2023-31122
CVE-2024-24795

CVE-2023-31122
An Out-of-bounds Read vulnerability was found in mod_macro of Apache HTTP Server.

CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Please note that the fix of CVE-2024-24795, may break unrelated CGI-BIN scripts. As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field of the HTTP reply header from the CGI programs back to the client in cases where the connection is to be closed and the client
is able to read until end-of-file. You may restore legacy behavior for trusted scripts by adding the following configuration environment variable to the
Apache configuration, scoped to the entry or entries in which script is being served via CGI,
SetEnv ap_trust_cgilike_cl "yes".
The definitive fix is to read the whole input, re-allocating the input buffer to fit as more input is received,
and to not trust that CONTENT_LENGTH variable is always present.

ELA-1099-1 apache2 security update


ELA-1098-1 apache2 security update

Package : apache2
Version : 2.4.25-3+deb9u16 (stretch)

Related CVEs :
CVE-2023-31122
CVE-2023-38709
CVE-2024-24795

CVE-2023-31122
An Out-of-bounds Read vulnerability was found in mod_macro of Apache HTTP Server.

CVE-2023-38709
A faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

CVE-2024-24795
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Please note that the fix of CVE-2024-24795, may break unrelated CGI-BIN scripts. As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field of the HTTP reply header from the CGI programs back to the client in cases where the connection is to be closed and the client
is able to read until end-of-file. You may restore legacy behavior for trusted scripts by adding the following configuration environment variable to the
Apache configuration, scoped to the entry or entries in which script is being served via CGI,
SetEnv ap_trust_cgilike_cl "yes".
The definitive fix is to read the whole input, re-allocating the input buffer to fit as more input is received,
and to not trust that CONTENT_LENGTH variable is always present.

ELA-1098-1 apache2 security update


[DLA 3823-1] less security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3823-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
May 27, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : less
Version : 487-0.1+deb10u1
CVE ID : CVE-2022-48624 CVE-2024-32487
Debian Bug : 1064293 1068938

Security vulnerabilities were found in less, a pager program similar to
more, which could result in arbitrary command execution when processing
files with crafted names.

CVE-2022-48624

It was discovered that LESSCLOSE handling in less did not quote
shell metacharacters.

CVE-2024-32487

It was discovered that filenames containing a newline character
could result in arbitrary command execution during input
preprocessor invocation.

For Debian 10 buster, these problems have been fixed in version
487-0.1+deb10u1.

We recommend that you upgrade your less packages.

For the detailed security status of less please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/less

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1100-1 python-pymysql security update

Package : python-pymysql
Version : 0.7.10-1+deb9u1 (stretch)

Related CVEs :
CVE-2024-36039

It was discovered that there was a potential SQL injection attack in
python-pymysql, a MySQL client library for Python. This was exploitable when
python-pymysql was used with untrusted JSON input as keys were not escaped by
the escape_dict routine.

ELA-1100-1 python-pymysql security update