Debian GNU/Linux 9 (Stretch) Extended LTS:
ELA-1330-1 ruby2.3 security update
ELA-1329-1 apache2 security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4068-1] php-nesbot-carbon security update
[DLA 4067-1] nodejs security update
[SECURITY] [DLA 4068-1] php-nesbot-carbon security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4068-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
February 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : php-nesbot-carbon
Version : 2.32.2-1+deb11u1
CVE ID : CVE-2025-22145
Debian Bug : 1092680
Arbitrary file include in Carbon::setLocale has been fixed in Carbon,
a PHP API extension for DateTime.
For Debian 11 bullseye, this problem has been fixed in version
2.32.2-1+deb11u1.
We recommend that you upgrade your php-nesbot-carbon packages.
For the detailed security status of php-nesbot-carbon please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php-nesbot-carbon
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 4067-1] nodejs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4067-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 25, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : nodejs
Version : 12.22.12~dfsg-1~deb11u6
CVE ID : CVE-2025-23085
Debian Bug : 1094134
Node.js, a JavaScript runtime environment, was affected by a vulnerability.
A memory leak could occur when a remote peer abruptly closed the socket
without sending a GOAWAY notification. Additionally, if an invalid header
was detected by nghttp2, causing the connection to be terminated by the peer,
the same leak was triggered. This flaw could lead to increased memory
consumption and potential denial of service under certain conditions.
For Debian 11 bullseye, this problem has been fixed in version
12.22.12~dfsg-1~deb11u6.
We recommend that you upgrade your nodejs packages.
For the detailed security status of nodejs please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1330-1 ruby2.3 security update
Package : ruby2.3
Version : 2.3.3-1+deb9u13 (stretch)
Related CVEs :
CVE-2021-28965
CVE-2024-35176
CVE-2024-39908
CVE-2024-41946
CVE-2024-43398
CVE-2024-49761
Multiple vulnerabilities were found in ruby, a popular programming
language.
CVE-2024-35176
The REXML gem has a Denial of Service (DoS) vulnerability
when it parses an XML document that contains many ] and ]>.
If you need to parse untrusted XML documents, you may be impacted
by this vulnerability.
CVE-2024-41946
The REXML gem had a Denial of Service (DoS) vulnerability
when it parses an XML document that has many entity expansions
with the SAX2 or pull parser API.
CVE-2024-43398
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.6 has a Denial of Service (DoS)
vulnerability when it parses an XML document that has many deeply
nested elements whose attributes share the same local name.
If you need to parse untrusted XML documents with a tree parser
API such as REXML::Document.new, you may be impacted
by this vulnerability. If you use other parser APIs,
such as the stream parser API or the SAX2 parser API,
you are not impacted.
CVE-2024-49761
REXML is an XML toolkit for Ruby.
The REXML gem before 3.3.9 has a ReDoS vulnerability
when it parses an XML document that has many digits between
&# and x...; in a hex numeric character reference (&#x...;).
ELA-1329-1 apache2 security update
Package : apache2
Version : 2.4.25-3+deb9u20 (stretch)
Related CVEs :
CVE-2024-38473
apache2, a popular web server, was affected by a vulnerability.
An encoding problem allows request URLs with incorrect encoding to be sent
to backend services, potentially bypassing authentication via crafted
requests.