[SECURITY] [DLA 3900-1] ruby-httparty security update
[SECURITY] [DLA 3903-1] unbound security update
[SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
[SECURITY] [DLA 3901-1] ruby-loofah security update
[SECURITY] [DLA 3900-1] ruby-httparty security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3900-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 28, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby-httparty
Version : 0.18.1-2+deb11u1
CVE ID : CVE-2024-22049
A multipart/form-data request tampering vulnerability has been fixed in
ruby-httparty, a Ruby library for using web-based APIs and related
services. The filename parameter of a multipart upload was written into
the Content-Disposition header without escaping, so a caller who controls
the filename could inject additional header lines or parts into the
request body.
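As an added illustration of the bug class (this is example code, not httparty's own implementation): a minimal multipart/form-data part builder in the vulnerable shape, where the filename is interpolated verbatim, beside a hardened builder that percent-encodes the three characters able to break out of the quoted filename, plus a small receiver-side parser that shows what each variant looks like on the wire. The boundary, field name and the malicious filename are constructed inputs; the helper names are this example's own.

```ruby
# Added example, not httparty's code: vulnerable vs hardened multipart part
# builder, with a tiny parser to show the receiver's view of each.

NEWLINE = "\r\n"

# Vulnerable: the filename goes straight into the Content-Disposition header,
# so a quote followed by CRLF ends the header and starts new ones.
def multipart_part_unsafe(boundary, field, filename, content,
                          content_type: "application/octet-stream")
  "--#{boundary}#{NEWLINE}" \
  "Content-Disposition: form-data; name=\"#{field}\"; filename=\"#{filename}\"#{NEWLINE}" \
  "Content-Type: #{content_type}#{NEWLINE}#{NEWLINE}" \
  "#{content}#{NEWLINE}"
end

# Hardened: percent-encode double quote, CR and LF in the filename (the same
# replacement the WHATWG form-submission algorithm applies to filenames).
def escape_filename(filename)
  filename.gsub(/["\r\n]/) { |c| format("%%%02X", c.ord) }
end

def multipart_part_safe(boundary, field, filename, content,
                        content_type: "application/octet-stream")
  multipart_part_unsafe(boundary, field, escape_filename(filename), content,
                        content_type: content_type)
end

# Receiver's view: split one part into a header hash and the body that
# follows the first blank line.
def inspect_part(part, boundary)
  head, body = part.delete_prefix("--#{boundary}#{NEWLINE}").split(NEWLINE * 2, 2)
  headers = head.split(NEWLINE).each_with_object({}) do |line, h|
    name, value = line.split(": ", 2)
    h[name] = value
  end
  { headers: headers, body: body }
end

# Constructed inputs: the filename carries a closing quote, CRLF, two extra
# headers and a blank line, i.e. a complete replacement header block.
BOUNDARY = "----ExampleBoundary7d2f".freeze
MALICIOUS_FILENAME = "report.pdf\"#{NEWLINE}Content-Type: text/html#{NEWLINE}" \
                     "X-Injected: yes#{NEWLINE}#{NEWLINE}<script>alert(1)</script>".freeze

def tampered_view
  inspect_part(multipart_part_unsafe(BOUNDARY, "upload", MALICIOUS_FILENAME, "hello"), BOUNDARY)
end

def hardened_view
  inspect_part(multipart_part_safe(BOUNDARY, "upload", MALICIOUS_FILENAME, "hello"), BOUNDARY)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe headers: #{tampered_view[:headers].keys.inspect}"   # X-Injected present, body starts with <script>
  puts "safe headers:   #{hardened_view[:headers].keys.inspect}"   # only the two genuine headers
end
```

With the vulnerable builder the receiver parses the injected `Content-Type: text/html` and `X-Injected` headers as the part's real headers and the `<script>` as the start of the body; with the hardened builder the whole payload stays inside the quoted filename and the body is exactly the content the caller supplied.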
For Debian 11 bullseye, this problem has been fixed in version
0.18.1-2+deb11u1.
We recommend that you upgrade your ruby-httparty packages.
For the detailed security status of ruby-httparty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-httparty
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3903-1] unbound security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3903-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
September 29, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : unbound
Version : 1.13.1-1+deb11u3
CVE ID : CVE-2024-43167 CVE-2024-43168
Debian Bug : 1078647
Two vulnerabilities were discovered in unbound, a validating,
recursive, caching DNS resolver. Specially crafted input could cause a
heap-buffer-overflow leading to memory corruption and potentially
causing the application to crash or allowing arbitrary code execution
(CVE-2024-43168). A NULL pointer dereference flaw could allow an
attacker who can invoke specific sequences of API calls to cause a
segmentation fault and a denial of service (CVE-2024-43167).
For Debian 11 bullseye, these problems have been fixed in version
1.13.1-1+deb11u3.
We recommend that you upgrade your unbound packages.
For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/unbound
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3902-1] ruby-rails-html-sanitizer security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3902-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 28, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby-rails-html-sanitizer
Version : 1.3.0-1+deb11u1
CVE ID : CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520
CVE-2022-32209
Debian Bug : 1013806 1027153
Multiple vulnerabilities have been fixed in ruby-rails-html-sanitizer,
a Ruby library for sanitizing HTML fragments in Rails applications.
CVE-2022-23517
    Inefficient regular expression complexity (ReDoS): excessive
    backtracking when sanitizing certain SVG attributes.
CVE-2022-23518
    XSS via data URIs, notably "image/svg+xml" content, which can carry
    script.
CVE-2022-23519
CVE-2022-23520
CVE-2022-32209
    XSS when an application overrides the sanitizer's allowed tags so
    that "style" is permitted together with "select", "svg" or "math"
    (CVE-2022-23520 completes the incomplete fix for CVE-2022-32209).
For Debian 11 bullseye, these problems have been fixed in version
1.3.0-1+deb11u1.
We recommend that you upgrade your ruby-rails-html-sanitizer packages.
For the detailed security status of ruby-rails-html-sanitizer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-rails-html-sanitizer
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3901-1] ruby-loofah security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3901-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 28, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : ruby-loofah
Version : 2.7.0+dfsg-1+deb11u1
CVE ID : CVE-2022-23514 CVE-2022-23515 CVE-2022-23516
Debian Bug : 1026083
Multiple vulnerabilities have been fixed in ruby-loofah, a Ruby library
for manipulating and transforming HTML/XML documents and fragments.
CVE-2022-23514
    Slow regex attribute check with the crass parser (ReDoS: excessive
    backtracking when sanitizing certain SVG attributes).
CVE-2022-23515
    XSS with "image/svg+xml" in data URIs (SVG can carry script and
    event handlers).
CVE-2022-23516
    Uncontrolled CDATA recursion (denial of service).
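The data-URI problem behind CVE-2022-23515 above and CVE-2022-23518 in the ruby-rails-html-sanitizer advisory is an attribute-level check: a `src` or `href` value of the form `data:image/svg+xml,...` is an image to a naive scheme filter but an executable document to the browser. The following is an added example, not code from loofah or rails-html-sanitizer, of such a check. It accepts a data: URI only when its media type is on a short raster-image allow list (the list, the scheme list and the helper names are this example's own assumptions), and it checks other URIs by scheme after the same whitespace stripping browsers apply, so `java\nscript:` and `da\tta:` do not slip past.

```ruby
# Added example, not loofah's or rails-html-sanitizer's code: a src/href
# attribute check that rejects SVG data URIs and dangerous schemes.

# Assumption: raster types only; image/svg+xml is deliberately absent.
SAFE_DATA_MEDIA_TYPES = %w[image/png image/gif image/jpeg image/webp].freeze
SAFE_SCHEMES = %w[http https mailto].freeze

# Browsers strip leading/trailing ASCII whitespace and drop TAB/CR/LF anywhere
# inside a URL before parsing it, so the check must see what they see.
def normalize_url(value)
  value.to_s.strip.delete("\t\r\n")
end

# Lower-cased media type of a data: URI; "text/plain" when omitted (the
# RFC 2397 default); nil when the value is not a data: URI at all.
def data_uri_media_type(value)
  v = normalize_url(value)
  return nil unless v.match?(/\Adata:/i)
  header = v[5..].split(",", 2).first.to_s      # everything before the first comma
  media = header.split(";").first.to_s.strip.downcase
  media.empty? ? "text/plain" : media
end

def safe_data_uri?(value)
  media = data_uri_media_type(value)
  !media.nil? && SAFE_DATA_MEDIA_TYPES.include?(media)
end

# Returns the (normalized) value to keep, or nil when the attribute must go.
def scrub_uri_attribute(value)
  v = normalize_url(value)
  return (safe_data_uri?(v) ? v : nil) if data_uri_media_type(v)
  scheme = v[/\A([a-z][a-z0-9+.-]*):/i, 1]
  return v if scheme.nil?                        # relative URL: keep as is
  SAFE_SCHEMES.include?(scheme.downcase) ? v : nil
end

if __FILE__ == $PROGRAM_NAME
  [
    "data:image/png;base64,iVBORw0KGgo=",        # constructed: kept
    "data:image/svg+xml,<svg/onload=alert(1)>",  # constructed: dropped
    "java\nscript:alert(1)",                     # constructed: dropped
    "/relative/path.png",                        # constructed: kept
  ].each { |u| puts "#{u.inspect} => #{scrub_uri_attribute(u).inspect}" }
end
```

The media type is compared after lower-casing because `data:image/SVG+XML,...` is the same thing to a browser, and the allow list is an explicit list rather than an `image/*` prefix match precisely so that SVG, or any future scriptable image type, stays out unless someone adds it on purpose.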
For Debian 11 bullseye, these problems have been fixed in version
2.7.0+dfsg-1+deb11u1.
We recommend that you upgrade your ruby-loofah packages.
For the detailed security status of ruby-loofah please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-loofah
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS