Debian GNU/Linux 8 (Jessie) Extended LTS:
ELA-1333-1 ruby2.1 security update
ELA-1332-1 apache2 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4071-1] gst-plugins-good1.0 security update
[DLA 4070-1] freerdp2 security update and regression fix
Debian GNU/Linux 12 (Bookworm):
[DSA 5871-1] emacs security update
ELA-1333-1 ruby2.1 security update
Package : ruby2.1
Version : 2.1.5-2+deb8u15 (jessie)
Related CVEs :
CVE-2024-35176
CVE-2024-39908
CVE-2024-41946
CVE-2024-43398
CVE-2024-49761
Multiple vulnerabilities were found in Ruby, a popular programming
language.
CVE-2024-35176
The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML that has many ] and ]>.
If you need to parse untrusted XMLs, you may be affected
by this vulnerability.
CVE-2024-41946
The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML that has many entity expansions
with SAX2 or pull parser API.
CVE-2024-43398
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML that has many deep
elements that have same local name attributes.
If you need to parse untrusted XMLs with a tree parser
API like REXML::Document.new, you may be affected
by this vulnerability. If you use other parser APIs
such as the stream parser API and SAX2 parser API,
you are not affected.
CVE-2024-49761
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML that has many digits between
&# and x...; in a hex numeric character reference (&#x...;).
ELA-1332-1 apache2 security update
Package : apache2
Version : 2.4.10-10+deb8u30 (jessie)
Related CVEs :
CVE-2024-38473
apache2, a popular web server, was affected by a vulnerability.
An encoding problem allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via crafted
requests.
[SECURITY] [DLA 4071-1] gst-plugins-good1.0 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4071-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 27, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : gst-plugins-good1.0
Version : 1.18.4-2+deb11u3
CVE ID : CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543
CVE-2024-47544 CVE-2024-47545 CVE-2024-47546 CVE-2024-47596
CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601
CVE-2024-47602 CVE-2024-47603 CVE-2024-47606 CVE-2024-47613
CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 CVE-2024-47777
CVE-2024-47778 CVE-2024-47834
Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework and its codecs and demuxers, which may result in denial
of service or potentially the execution of arbitrary code if a malformed
media file is opened.
For Debian 11 bullseye, these problems have been fixed in version
1.18.4-2+deb11u3.
We recommend that you upgrade your gst-plugins-good1.0 packages.
For the detailed security status of gst-plugins-good1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-good1.0
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4070-1] freerdp2 security update and regression fix
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4070-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
February 27, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : freerdp2
Version : 2.3.0+dfsg1-2+deb11u3
CVE ID : CVE-2022-24882 CVE-2022-39320
Debian Bug : 1024511 1098355
Multiple vulnerabilities have been found in freerdp2, a free
implementation of the Remote Desktop Protocol (RDP). They could
allow buffer over-reads or, when FreeRDP is used as a server, cause
NTLM authentication not to be properly aborted on an empty password.
Additionally, this update fixes a regression introduced by DLA-4053-1
that affected drive sharing.
CVE-2022-24882
FreeRDP is a free implementation of the Remote Desktop Protocol
(RDP). In versions prior to 2.7.0, NT LAN Manager (NTLM)
authentication does not properly abort when someone provides an
empty password value. This issue affects
FreeRDP-based RDP server implementations. RDP clients are not
affected.
CVE-2022-39320
FreeRDP is a free remote desktop protocol library and clients.
Affected versions of FreeRDP may attempt integer addition on too
narrow types, which leads to the allocation of a buffer too small to
hold the data written. A malicious server can trick a FreeRDP-based
client into reading out-of-bounds data and sending it back to the
server. This issue has been addressed in version 2.9.0 and all users
are advised to upgrade. Users unable to upgrade should not use the
`/usb` redirection switch.
For Debian 11 bullseye, these problems have been fixed in version
2.3.0+dfsg1-2+deb11u3.
We recommend that you upgrade your freerdp2 packages.
For the detailed security status of freerdp2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp2
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5871-1] emacs security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5871-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
February 27, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : emacs
CVE ID : CVE-2024-53920 CVE-2025-1244
Two security vulnerabilities were discovered in Emacs:
CVE-2024-53920
Elisp byte-compilation ('elisp-flymake-byte-compile') in the Flymake
mode is now disabled for untrusted files.
CVE-2025-1244
Incomplete escaping of shell metacharacters in the man reader
component could potentially result in the execution of arbitrary
shell commands. Discovered by Maxim Nikulin.
For the stable distribution (bookworm), these problems have been fixed in
version 1:28.2+1-15+deb12u4.
We recommend that you upgrade your emacs packages.
For the detailed security status of emacs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/emacs
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/