
Debian GNU/Linux 11 (Bullseye) LTS has received several security updates, covering python-urllib3, php-laravel-framework, gst-plugins-base1.0, libxstream-java, and sqlparse:

[DLA 3998-1] python-urllib3 security update
[DLA 3997-1] php-laravel-framework security update
[DLA 3999-1] gst-plugins-base1.0 security update
[DLA 4001-1] libxstream-java security update
[DLA 4000-1] sqlparse security update




[SECURITY] [DLA 3998-1] python-urllib3 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3998-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-urllib3
Version : 1.26.5-1~exp1+deb11u1
CVE ID : CVE-2023-43804 CVE-2023-45803 CVE-2024-37891
Debian Bug : 1053626 1054226 1074149 1089507

Multiple vulnerabilities were found in python-urllib3, an HTTP library
with thread-safe connection pooling for Python, which could lead to
information disclosure or authorization bypass.

CVE-2023-43804

It was discovered that the cookie request header wasn't stripped
during cross-origin redirects. It is therefore possible for a user
to specify a Cookie header and unknowingly leak information via HTTP
redirects to a different origin if redirection isn't explicitly
disabled.

CVE-2023-45803

It was discovered that the request body wasn't stripped when following
an HTTP redirect response with status 303 "See Other", even though the
request method had been changed from one that can carry a body (like
POST) to GET, as required by the HTTP RFCs.

CVE-2024-37891

It was discovered that the Proxy-Authorization request header isn't
stripped during cross-origin redirects, when urllib3 is used without
proxy support.
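
The three urllib3 issues above are all cases of request state that must not survive a redirect: credential-bearing headers once the origin changes, and the body once a 303 turns the request into a GET. The following is an added example written for this page, not urllib3's own code, that reimplements those rules on the standard library so the decision logic can be read and tested offline. The names Request, follow_redirect and SENSITIVE_HEADERS, and the example.com-style URLs, are assumptions for the example.

```python
"""Redirect-sanitising rules, reimplemented for illustration (not urllib3 code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not leak to a different origin.
# Cookie is the CVE-2023-43804 case, Proxy-Authorization the CVE-2024-37891
# case; Authorization is included because any sane policy strips it too.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})

# Headers that describe a request body and are meaningless once it is gone.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: Optional[bytes] = None


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in, so that
    https://a.example and https://a.example:443 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_cross_origin(from_url: str, to_url: str) -> bool:
    return origin(from_url) != origin(to_url)


def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Return the request a client should send after a redirect response."""
    next_url = urljoin(req.url, location)  # Location may be relative
    headers = dict(req.headers)
    method, body = req.method.upper(), req.body

    # Rule 1: credentials never cross an origin boundary.
    if is_cross_origin(req.url, next_url):
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in SENSITIVE_HEADERS}

    # Rule 2: 303 "See Other" makes the follow-up a GET (RFC 7231 s6.4.4),
    # so the original body and its descriptive headers must be dropped.
    # This is the CVE-2023-45803 case.
    if status == 303 and method not in ("GET", "HEAD"):
        method, body = "GET", None
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in BODY_HEADERS}

    return Request(method, next_url, headers, body)


if __name__ == "__main__":
    # Constructed sample requests; no network traffic is generated.
    login = Request("GET", "https://app.example/login",
                    {"Cookie": "sid=1", "Proxy-Authorization": "Basic eDp5",
                     "Accept": "*/*"})
    print("cross-origin 302:", follow_redirect(login, 302, "https://other.example/"))
    print("same-origin 302: ", follow_redirect(login, 302, "/home"))
    form = Request("POST", "https://app.example/form",
                   {"Content-Type": "application/json", "Content-Length": "2"}, b"{}")
    print("303 after POST:  ", follow_redirect(form, 303, "/done"))
```

Before the fixed versions, urllib3's equivalent of SENSITIVE_HEADERS contained only Authorization; the upgrade adds Cookie and Proxy-Authorization. Independently of the library version, code that sends credentials can refuse to follow redirects at all by passing redirect=False to urlopen()/request(), or extend the stripped set through Retry(remove_headers_on_redirect=...). To confirm what is installed on a Bullseye host, compare `dpkg -l python3-urllib3` against the fixed version above.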

For Debian 11 bullseye, these problems have been fixed in version
1.26.5-1~exp1+deb11u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3997-1] php-laravel-framework security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3997-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : php-laravel-framework
Version : 6.20.14+dfsg-2+deb11u2
CVE ID : CVE-2024-52301
Debian Bug : 1088189

It was discovered that there was a remotely exploitable vulnerability
in php-laravel-framework, a popular web application framework written
in PHP.

When the register_argc_argv PHP directive was set to "on" and a user
called a URL with a specially crafted query string, PHP exposed that
query string as argv and the user could thereby change the environment
the framework used when handling the request.

Laravel now ignores argv values for environment detection on non-CLI
SAPIs.

For Debian 11 bullseye, this problem has been fixed in version
6.20.14+dfsg-2+deb11u2.

We recommend that you upgrade your php-laravel-framework packages.

For the detailed security status of php-laravel-framework please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-laravel-framework

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3999-1] gst-plugins-base1.0 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3999-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gst-plugins-base1.0
Version : 1.18.4-2+deb11u3
CVE ID : CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600
CVE-2024-47607 CVE-2024-47615 CVE-2024-47835

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.

For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u3.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4001-1] libxstream-java security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4001-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libxstream-java
Version : 1.4.15-3+deb11u3
CVE ID : CVE-2021-43859 CVE-2024-47072
Debian Bug : 1087274

XStream is a simple Java library to serialize objects to XML and back
again. Two vulnerabilities were fixed:

CVE-2021-43859

An attacker can cause a denial of service (DoS) by injecting highly
recursive collections or maps.

CVE-2024-47072

XStream was vulnerable to a denial of service due to a stack overflow
caused by a manipulated binary input stream.

For Debian 11 bullseye, these problems have been fixed in version
1.4.15-3+deb11u3.

We recommend that you upgrade your libxstream-java packages.

For the detailed security status of libxstream-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libxstream-java

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4000-1] sqlparse security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4000-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Guilhem Moulin
December 21, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : sqlparse
Version : 0.4.1-1+deb11u1
CVE ID : CVE-2021-32839 CVE-2023-30608 CVE-2024-4340
Debian Bug : 994841 1034615 1070148

Multiple vulnerabilities were found in sqlparse, a non-validating SQL
parser for Python, which can lead to Denial of Service.

CVE-2021-32839

Erik Krogh Kristensen discovered that the StripComments filter
contains a regular expression that is vulnerable to ReDoS (Regular
Expression Denial of Service): it may backtrack exponentially on
strings containing many repetitions of '\r\n' in SQL comments.

CVE-2023-30608

Erik Krogh Kristensen discovered that the Parser contains a regular
expression that is vulnerable to ReDoS (Regular Expression Denial of
Service).

CVE-2024-4340

Uriya Yavniely discovered that passing a heavily nested list to
sqlparse.parse() may raise a RecursionError exception. A generic
SQLParseError is now raised instead.
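
The sqlparse fixes above change what the library does once a hostile statement is already inside it. Where sqlparse (or any recursive parser) is fed untrusted SQL, a caller can also refuse the worst inputs before the parser runs and make sure a RecursionError never escapes as an unhandled exception. The block below is an added example written for this page, not sqlparse's code: MAX_SQL_BYTES, MAX_NESTING, ParseRejected, nesting_depth and safe_parse are assumptions for the example, and naive_list_parse is a constructed stand-in for the real parser so the block runs without sqlparse installed (it fails on deep nesting the same way, one frame per bracket).

```python
"""Input gate for a recursive SQL parser (illustrative; not sqlparse code)."""
from typing import Callable

MAX_SQL_BYTES = 64 * 1024   # assumption: generous cap for a single statement
MAX_NESTING = 64            # assumption: real SQL rarely nests this deep


class ParseRejected(ValueError):
    """Generic error for callers; it leaks no parser internals or traceback."""


def nesting_depth(sql: str) -> int:
    """Maximum depth of () / [] nesting, ignoring brackets inside quoted
    strings. Linear in the input and free of regular expressions, so it is
    safe to run on hostile text. Stray closers are ignored, not counted down."""
    depth = deepest = 0
    quote = None
    for ch in sql:
        if quote:
            if ch == quote:
                quote = None       # a doubled quote ('it''s') just reopens
            continue
        if ch in ("'", '"', "`"):
            quote = ch
        elif ch in "([":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in ")]" and depth > 0:
            depth -= 1
    return deepest


def safe_parse(sql: str, parse: Callable[[str], object]) -> object:
    """Run `parse` on `sql` only after cheap pre-checks, mapping the
    CVE-2024-4340 class of failure (RecursionError) to ParseRejected."""
    if len(sql.encode("utf-8")) > MAX_SQL_BYTES:
        raise ParseRejected("statement too large")
    if nesting_depth(sql) > MAX_NESTING:
        raise ParseRejected("statement nested too deeply")
    try:
        return parse(sql)
    except RecursionError:
        raise ParseRejected("statement could not be parsed") from None


def naive_list_parse(text: str, pos: int = 0):
    """Constructed stand-in parser: recursive descent over nested [] lists,
    one Python frame per '[' , so '[' * 10000 raises RecursionError exactly
    like the unfixed sqlparse.parse() did. Returns (value, next_pos)."""
    if pos < len(text) and text[pos] == "[":
        items = []
        pos += 1
        while pos < len(text) and text[pos] != "]":
            item, pos = naive_list_parse(text, pos)
            items.append(item)
        return items, pos + 1      # skip the closing ']'
    end = pos
    while end < len(text) and text[end] not in "[]":
        end += 1                   # an atom: run of non-bracket characters
    return text[pos:end], end


def parse_list(text: str):
    """Adapter so the stand-in has the shape safe_parse expects."""
    return naive_list_parse(text)[0]


if __name__ == "__main__":
    print(safe_parse("SELECT a FROM t WHERE (b IN (1, 2))", lambda s: s))
    hostile = "[" * 10000            # constructed: the heavily nested list
    try:
        parse_list(hostile)           # unguarded stand-in
    except RecursionError:
        print("unguarded parser: RecursionError")
    try:
        safe_parse(hostile, parse_list)
    except ParseRejected as exc:
        print("guarded parser:", exc)
```

Two caveats. Raising sys.setrecursionlimit() is not a fix: it moves the failure from a RecursionError to a hard interpreter crash. And the size cap does nothing against the two ReDoS issues, where exponential backtracking needs only tens of bytes of '\r\n' repetitions; for those, only the upgrade helps, or running the parser in a separate process with a hard timeout.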

For Debian 11 bullseye, these problems have been fixed in version
0.4.1-1+deb11u1.

We recommend that you upgrade your sqlparse packages.

For the detailed security status of sqlparse please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sqlparse

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS