Debian 10260

The following security updates have been released for Debian GNU/Linux:

[SECURITY] [DSA 5743-2] roundcube security update
ELA-1151-1 gdk-pixbuf security update
ELA-1150-1 ruby2.5 security update
ELA-1149-1 ruby2.3 security update
ELA-1148-1 ruby2.1 security update




[SECURITY] [DSA 5743-2] roundcube security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5743-2 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 13, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : roundcube
CVE ID : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010

Multiple cross-site scripting vulnerabilities were discovered in
RoundCube webmail.

For the oldstable distribution (bullseye), these problems have been fixed in
version 1.4.15+dfsg.1-1+deb11u4.

For the stable distribution (bookworm), these problems have already been
addressed in DSA-5743-1. The initial fixes introduced a regression in
print previews, which has now been addressed in 1.6.5+dfsg-1+deb12u4.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1151-1 gdk-pixbuf security update

Package : gdk-pixbuf
Version : 2.31.1-2+deb8u10 (jessie), 2.36.5-2+deb9u3 (stretch), 2.38.1+dfsg-1+deb10u1 (buster)
Related CVEs : CVE-2022-48622



A memory corruption bug has been fixed in the loader for ANI (Windows animated cursor) files in GDK-PixBuf, the image loading library used by the GTK widget toolkit.



ELA-1150-1 ruby2.5 security update

Package : ruby2.5
Version : 2.5.5-3+deb10u7 (buster)
Related CVEs : CVE-2023-36617 CVE-2024-27280 CVE-2024-27281 CVE-2024-27282



Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, and remote code execution.


CVE-2023-36617
Follow-up fix for CVE-2023-28755.
A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.


CVE-2024-27280
A buffer over-read issue was discovered in StringIO. The ungetbyte
and ungetc methods on a StringIO can read past the end of the
underlying string, and a subsequent call to StringIO#gets may return
memory contents from beyond the string.


CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)


CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.



ELA-1149-1 ruby2.3 security update

Package : ruby2.3
Version : 2.3.3-1+deb9u12 (stretch)
Related CVEs : CVE-2021-28965 CVE-2021-33621 CVE-2022-28739 CVE-2023-28755 CVE-2023-28756 CVE-2023-36617 CVE-2024-27281 CVE-2024-27282



Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, HTTP response splitting, XML round-trip issues, and
remote code execution.


CVE-2021-28965
The REXML gem does not properly address XML round-trip issues. An
incorrect document can be produced after parsing and serializing.


CVE-2021-33621
The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.


CVE-2022-28739
Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.


CVE-2023-28755, CVE-2023-36617
A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.


CVE-2023-28756
A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid strings that contain specific characters,
causing an increase in execution time when parsing strings into
Time objects.


CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)


CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.



ELA-1148-1 ruby2.1 security update

Package : ruby2.1
Version : 2.1.5-2+deb8u14 (jessie)
Related CVEs : CVE-2016-2338 CVE-2021-28965 CVE-2021-33621 CVE-2021-41817 CVE-2022-28739 CVE-2023-28756 CVE-2024-27281 CVE-2024-27282



Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, HTTP response splitting, XML round-trip issues, and
remote code execution.


CVE-2021-28965
The REXML gem does not properly address XML round-trip issues. An
incorrect document can be produced after parsing and serializing.


CVE-2021-33621
The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.
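The response-splitting pattern behind CVE-2021-33621, shown as an added
example that is not code from the advisory or from the cgi gem: an
attacker-controlled cookie value carrying CR LF is interpolated into a
header block, so a single Set-Cookie header turns into two, and the
character check a hardened header builder applies before emitting the
value. The header names, the HEADER_VALUE_RE pattern, the helper names
and the sample value are assumptions constructed for this illustration.
The same check covers the CGI::Cookie case the advisory mentions, since a
cookie value travels inside a Set-Cookie header. This one example serves
the CVE-2021-33621 entries of both the ruby2.3 (ELA-1149-1) and ruby2.1
(ELA-1148-1) updates.

```ruby
# Added example (not advisory or cgi gem code): CRLF injection into an HTTP
# response header block, and the validation that stops it.

# Constructed attacker input: a "session token" that smuggles a second header.
INJECTED_VALUE = "abc123\r\nSet-Cookie: role=admin"

# Vulnerable pattern: untrusted data is interpolated straight into the
# header block with no character validation.
def build_headers_unsafe(cookie_value)
  "Content-Type: text/html\r\n" \
  "Set-Cookie: session=#{cookie_value}\r\n"
end

# Hardened pattern: a header value may not contain CR, LF, NUL or any other
# control character. Rejecting (rather than silently stripping) keeps the
# attempt visible to the application and its logs. Pattern is an assumption.
HEADER_VALUE_RE = /\A[^\x00-\x1f\x7f]*\z/

def build_headers_safe(cookie_value)
  unless cookie_value.match?(HEADER_VALUE_RE)
    raise ArgumentError, "control character in cookie value"
  end
  "Content-Type: text/html\r\n" \
  "Set-Cookie: session=#{cookie_value}\r\n"
end

# What the client-side parser sees: split the block on CRLF and keep the
# Set-Cookie header lines. Two entries means the response was split.
def set_cookie_headers(header_block)
  header_block.split("\r\n").select { |line| line.start_with?("Set-Cookie:") }
end

if __FILE__ == $PROGRAM_NAME
  puts set_cookie_headers(build_headers_unsafe(INJECTED_VALUE))
  begin
    build_headers_safe(INJECTED_VALUE)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run stand-alone, the unsafe builder yields two Set-Cookie lines, the
second one attacker-chosen, while the safe builder raises on the same
input. Any place that writes untrusted data into a header (Location,
Set-Cookie, custom headers) needs the same control-character check.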


CVE-2022-28739
Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.


CVE-2023-28756
A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid strings that contain specific characters,
causing an increase in execution time when parsing strings into
Time objects.


CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)
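The class-restriction point behind CVE-2024-27281, shown as an added
example that is not code from the advisory or from RDoc: a YAML document
that names a Ruby class is loaded once with the unrestricted loader and
once with safe_load and an explicit allow-list. The AuditLog class, the
two documents and the helper names are assumptions constructed for this
illustration (real .rdoc_options files are plain hashes of option names),
and the permitted_classes keyword assumes Psych 3.1 or newer. This one
example serves the CVE-2024-27281 entries of the ruby2.5 (ELA-1150-1),
ruby2.3 (ELA-1149-1) and ruby2.1 (ELA-1148-1) updates.

```ruby
require "yaml"

# Added example (not advisory or RDoc code): unrestricted YAML loading
# instantiates whatever class the document names; safe_load does not.

# Stand-in for any class already on the load path. With an unrestricted
# loader the attacker picks the class; this one just records what happened.
class AuditLog
  attr_reader :path
end

# Constructed hostile document in the shape of a .rdoc_options file: the tag
# asks the loader to build an AuditLog instead of a plain Hash.
CRAFTED_RDOC_OPTIONS = <<~YAML
  --- !ruby/object:AuditLog
  path: /etc/passwd
YAML

# Constructed benign document of the kind such a config file is meant to hold.
BENIGN_RDOC_OPTIONS = <<~YAML
  ---
  markup: markdown
  title: Example project
YAML

# Vulnerable pattern: full YAML.load. Psych 4 (Ruby 3.1+) made YAML.load a
# safe load and moved the old behaviour to YAML.unsafe_load, so pick
# whichever exists to show the same outcome on old and new interpreters.
def load_options_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: safe_load with an allow-list. Only scalars, arrays, hashes
# and the listed classes (Symbol here, as an assumption) may be revived; any
# !ruby/object tag raises Psych::DisallowedClass before an object is built.
def load_options_restricted(doc)
  YAML.safe_load(doc, permitted_classes: [Symbol], aliases: false)
end

# Returns [:loaded, object] or [:rejected, message] so callers can inspect
# the outcome without the exception escaping.
def try_load(doc, restricted:)
  obj = restricted ? load_options_restricted(doc) : load_options_unrestricted(doc)
  [:loaded, obj]
rescue Psych::Exception => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  status, obj = try_load(CRAFTED_RDOC_OPTIONS, restricted: false)
  puts "unrestricted: #{status} #{obj.class} path=#{obj.path if obj.is_a?(AuditLog)}"
  puts "restricted:   #{try_load(CRAFTED_RDOC_OPTIONS, restricted: true).inspect}"
  puts "benign:       #{try_load(BENIGN_RDOC_OPTIONS, restricted: true).inspect}"
end
```

The unrestricted loader returns an AuditLog whose @path the attacker chose;
with a class whose init_with, method_missing or finalizer does real work,
that is the remote code execution the advisory describes. The restricted
loader rejects the crafted document and still loads the benign one as a
Hash, which is the behaviour a configuration parser actually needs.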


CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.


This release also provides follow-up fixes for CVE-2016-2338
(ELA-1148-1) and CVE-2021-41817 (ELA-531-1).
