[SECURITY] [DSA 5743-2] roundcube security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5743-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2024                       https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : roundcube
CVE ID : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010
Multiple cross-site scripting vulnerabilities were discovered in
RoundCube webmail.
For the oldstable distribution (bullseye), these problems have been fixed in
version 1.4.15+dfsg.1-1+deb11u4.
For the stable distribution (bookworm), these problems have already been
addressed in DSA-5743-1. The initial fixes introduced a regression in
print previews, which has now been addressed in 1.6.5+dfsg-1+deb12u4.
We recommend that you upgrade your roundcube packages.
For the detailed security status of roundcube please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1151-1 gdk-pixbuf security update
Package : gdk-pixbuf
Version : 2.31.1-2+deb8u10 (jessie), 2.36.5-2+deb9u3 (stretch), 2.38.1+dfsg-1+deb10u1 (buster)
Related CVEs :
CVE-2022-48622
Memory corruption has been fixed in the loader for ANI (animated cursors) files in GDK Pixbuf, a library used by the GTK widget toolkit.
ELA-1150-1 ruby2.5 security update
Package : ruby2.5
Version : 2.5.5-3+deb10u7 (buster)
Related CVEs :
CVE-2023-36617
CVE-2024-27280
CVE-2024-27281
CVE-2024-27282
Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, and remote code execution.
CVE-2023-36617
Follow-up fix for CVE-2023-28755.
A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.
CVE-2024-27280
A buffer-overread issue was discovered in StringIO. The ungetbyte
and ungetc methods on a StringIO can read past the end of a
string, and a subsequent call to StringIO.gets may return the
memory value.
CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)
CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.
ELA-1149-1 ruby2.3 security update
Package : ruby2.3
Version : 2.3.3-1+deb9u12 (stretch)
Related CVEs :
CVE-2021-28965
CVE-2021-33621
CVE-2022-28739
CVE-2023-28755
CVE-2023-28756
CVE-2023-36617
CVE-2024-27281
CVE-2024-27282
Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, HTTP response splitting, XML round-trip issues, and
remote code execution.
CVE-2021-28965
The REXML gem does not properly address XML round-trip issues. An
incorrect document can be produced after parsing and serializing.
CVE-2021-33621
The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.
CVE-2022-28739
Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.
CVE-2023-28755, CVE-2023-36617
A ReDoS issue was discovered in the URI component. The URI parser
mishandles invalid URLs that have specific characters. It causes
an increase in execution time for parsing strings to URI objects.
CVE-2023-28756
A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid URLs that have specific characters. It
causes an increase in execution time for parsing strings to Time
objects.
CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)
CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.
ELA-1148-1 ruby2.1 security update
Package : ruby2.1
Version : 2.1.5-2+deb8u14 (jessie)
Related CVEs :
CVE-2016-2338
CVE-2021-28965
CVE-2021-33621
CVE-2021-41817
CVE-2022-28739
CVE-2023-28756
CVE-2024-27281
CVE-2024-27282
Several vulnerabilities have been discovered in the interpreter for
the Ruby language, which may result in denial-of-service (DoS),
information leak, HTTP response splitting, XML round-trip issues, and
remote code execution.
CVE-2021-28965
The REXML gem does not properly address XML round-trip issues. An
incorrect document can be produced after parsing and serializing.
CVE-2021-33621
The cgi gem allows HTTP response splitting. This is relevant to
applications that use untrusted user input either to generate an
HTTP response or to create a CGI::Cookie object.
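The response-splitting description above (the same text appears in ELA-1149-1 for ruby2.3) comes down to one thing: a raw CR or LF in a header or cookie value lets user input terminate the current header line and start another. The following is an added example, not code from the advisory or from the cgi gem, showing the application-side check that keeps such input out of a Set-Cookie header regardless of whether the interpreter's cgi gem has been patched. The header names, cookie name and sample values are constructed for illustration.

```ruby
require 'cgi'

# Any C0 control character (including CR 0x0d and LF 0x0a) or DEL in a header
# value is enough to break the header structure, so reject them all rather
# than only the two newline bytes.
HEADER_CTRL = /[\x00-\x1f\x7f]/

# True when the value can be emitted on a single header line.
def safe_header_value?(value)
  !value.match?(HEADER_CTRL)
end

# Build the string for a Set-Cookie header from untrusted name/value parts.
# Returns nil (so the caller can refuse the request) instead of letting a
# crafted value reach CGI::Cookie, which on older cgi releases would emit it
# verbatim and allow response splitting.
def build_cookie(name, value)
  return nil unless safe_header_value?(name) && safe_header_value?(value)
  # Cookie names are tokens: no separators or whitespace allowed.
  return nil if name.match?(/[=;,\s]/)

  CGI::Cookie.new('name' => name, 'value' => value, 'path' => '/').to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one benign, one carrying an injected header line.
  puts build_cookie('session', 'abc').inspect
  puts build_cookie('session', "abc\r\nSet-Cookie: admin=1").inspect
end
```

The check sits in front of CGI::Cookie on purpose: a patched cgi gem raises on CR/LF itself, but validating at the application boundary gives the same outcome on an unpatched interpreter and produces a controlled failure instead of an exception from deep inside header generation.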
CVE-2022-28739
Buffer over-read occurs in String-to-Float conversion, including
Kernel#Float and String#to_f.
CVE-2023-28756
A ReDoS issue was discovered in the Time component. The Time
parser mishandles invalid URLs that have specific characters. It
causes an increase in execution time for parsing strings to Time
objects.
CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a
YAML file, object injection and resultant remote code execution
are possible because there are no restrictions on the classes that
can be restored. (When loading the documentation cache, object
injection and resultant remote code execution are also possible if
there were a crafted cache.)
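The CVE-2024-27281 description above (repeated in ELA-1150-1 and ELA-1149-1) is an instance of the general Ruby YAML deserialization problem: loading a document with the full class loader instantiates whatever `!ruby/object:` tags it contains. The example below is added here and is not the RDoc or Debian fix; it shows the generic hardening the description points at, loading a configuration document with `YAML.safe_load` and an explicit allow-list of classes. It assumes Ruby 2.6 or later (Psych 3.1+, which accepts the keyword-argument form of `safe_load`); both YAML documents are constructed for illustration and only loosely resemble an `.rdoc_options` file.

```ruby
require 'yaml'

# Constructed sample: a plain configuration document made only of strings,
# lists and mappings.
BENIGN_DOC = <<~YAML
  title: My Project
  markup: rdoc
  exclude:
    - tmp
YAML

# Constructed sample: the same document with a tag that asks the loader to
# instantiate an arbitrary Ruby class. Under YAML.unsafe_load this would be
# revived as an object; under safe_load it is refused.
TAGGED_DOC = <<~YAML
  title: My Project
  extra: !ruby/object:OpenStruct
    table:
      x: 1
YAML

# Load a config document while restricting which classes may be revived.
# Anything outside `permitted` (including every !ruby/object tag) raises
# Psych::DisallowedClass, and aliases are disabled to avoid expansion
# tricks. Errors are returned as data so the caller can log and refuse.
def load_config(yaml_text, permitted: [])
  YAML.safe_load(yaml_text, permitted_classes: permitted, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name, message: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p load_config(BENIGN_DOC)
  p load_config(TAGGED_DOC)
  # Allow-listing Symbol lets ":sym" scalars through while still refusing
  # object tags.
  p load_config("mode: :strict", permitted: [Symbol])
end
```

The allow-list is the point: `permitted_classes` names exactly the types a configuration file legitimately needs (often none beyond the YAML core types), so a document carrying a cache or config payload with extra tags fails closed instead of instantiating whatever class the tag names.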
CVE-2024-27282
If attacker-supplied data is provided to the Ruby regex compiler,
it is possible to extract arbitrary heap data relative to the
start of the text, including pointers and sensitive strings.
This release also provides follow-up fixes for CVE-2016-2338
(ELA-1148-1) and CVE-2021-41817 (ELA-531-1).