
The following four security updates have been released for Debian GNU/Linux 11 (Bullseye):

[SECURITY] [DLA 3868-1] ruby-nokogiri security update
[SECURITY] [DLA 3867-1] git security update
[SECURITY] [DLA 3866-1] ruby-tzinfo security update
[SECURITY] [DLA 3857-1] libtommath security update




[SECURITY] [DLA 3868-1] ruby-nokogiri security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3868-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-nokogiri
Version : 1.11.1+dfsg-2+deb11u1
CVE ID : CVE-2022-24836
Debian Bug : 1009787

A vulnerability was discovered in Nokogiri, an open source XML and HTML
library for Ruby. An inefficient regular expression was susceptible to
excessive backtracking when attempting to detect encoding in HTML
documents. This could lead to denial-of-service.

For Debian 11 bullseye, this problem has been fixed in version
1.11.1+dfsg-2+deb11u1.

We recommend that you upgrade your ruby-nokogiri packages.

For the detailed security status of ruby-nokogiri please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-nokogiri

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3867-1] git security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3867-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : git
Version : 1:2.30.2-1+deb11u3
CVE ID : CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007
CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465
Debian Bug : 1034835 1071160

Multiple vulnerabilities were discovered in git, a fast, scalable and
distributed revision control system.

CVE-2019-1387

It was possible to bypass the previous check for this vulnerability
using parallel cloning, or the --recurse-submodules option to
git-checkout(1).

CVE-2023-25652

Feeding specially-crafted input to 'git apply --reject' could
overwrite a path outside the working tree with partially controlled
contents, corresponding to the rejected hunk or hunks from the given
patch.

CVE-2023-25815

Low-privileged users could inject malicious messages into Git's
output under MINGW.

CVE-2023-29007

A specially-crafted .gitmodules file with submodule URLs longer than
1024 characters could be used to inject arbitrary configuration into
$GIT_DIR/config.

CVE-2024-32002

Repositories with submodules could be specially-crafted to write
hooks into .git/ which would then be executed during an ongoing
clone operation.

CVE-2024-32004

A specially-crafted local repository could cause the execution of
arbitrary code when cloned by another user.

CVE-2024-32021

When cloning a local repository that contains symlinks via the
filesystem, Git could have created hardlinks to arbitrary
user-readable files on the same filesystem as the target repository
in the objects/ directory.

CVE-2024-32465

When cloning a local repository obtained from a downloaded archive,
hooks in that repository could be used for arbitrary code execution.

For Debian 11 bullseye, these problems have been fixed in version
1:2.30.2-1+deb11u3.

We recommend that you upgrade your git packages.

For the detailed security status of git please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/git

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
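Two of the conditions this advisory describes leave traces that can be checked for in a checkout on disk. The following Python script is an added example, not Debian's or git's own tooling: it flags submodule URLs longer than 1024 characters in .gitmodules and non-sample hook files in any hooks/ directory under .git, including submodule gitdirs under .git/modules; the fixture repository it builds is constructed for the demonstration.

```python
"""Audit a checkout for two artefacts named in DLA-3867-1: submodule URLs over
1024 characters in .gitmodules (CVE-2023-29007) and hook scripts present in any
hooks/ directory under .git, including submodule gitdirs in .git/modules
(CVE-2024-32002, CVE-2024-32465)."""
import os
import re
import tempfile

URL_LIMIT = 1024  # length threshold quoted in the advisory

def long_submodule_urls(gitmodules_text: str) -> list:
    """(submodule name, url length) for every url in a .gitmodules file over URL_LIMIT."""
    findings, name = [], None
    for line in gitmodules_text.splitlines():
        section = re.match(r'\s*\[submodule\s+"([^"]*)"\]', line)
        if section:
            name = section.group(1)
            continue
        url = re.match(r"\s*url\s*=\s*(.*)", line)
        if url and len(url.group(1).strip()) > URL_LIMIT:
            findings.append((name, len(url.group(1).strip())))
    return findings

def hook_files(repo_root: str) -> list:
    """Relative paths of non-.sample files in any hooks/ dir that sits below a .git dir."""
    hits = []
    for dirpath, _, filenames in os.walk(repo_root):
        parts = os.path.relpath(dirpath, repo_root).split(os.sep)
        if parts[-1] == "hooks" and ".git" in parts:
            hits += [os.path.relpath(os.path.join(dirpath, f), repo_root)
                     for f in filenames if not f.endswith(".sample")]
    return sorted(hits)

def audit(repo_root: str) -> dict:
    gitmodules = os.path.join(repo_root, ".gitmodules")
    text = open(gitmodules).read() if os.path.isfile(gitmodules) else ""
    return {"long_urls": long_submodule_urls(text), "hooks": hook_files(repo_root)}

def build_sample_repo() -> str:
    """Constructed fixture (not a real clone): one benign submodule, one with an
    oversized URL, and an empty post-checkout hook inside that submodule's gitdir."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".gitmodules"), "w") as f:
        f.write('[submodule "ok"]\n\tpath = ok\n\turl = https://example.invalid/ok.git\n')
        f.write('[submodule "long"]\n\tpath = long\n\turl = https://example.invalid/' + "a" * 1100 + "\n")
    hooks = os.path.join(root, ".git", "modules", "long", "hooks")
    os.makedirs(hooks)
    for name in ("post-checkout", "pre-commit.sample"):
        open(os.path.join(hooks, name), "w").close()
    return root
```

Run `audit(path)` against a real checkout; a non-empty result is a reason to inspect the repository before trusting it, not proof of exploitation.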



[SECURITY] [DLA 3866-1] ruby-tzinfo security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3866-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-tzinfo
Version : 1.2.6-1+deb11u1
CVE ID : CVE-2022-31163

Path traversal that allowed TZInfo::Timezone.get to load arbitrary files
has been fixed in ruby-tzinfo, a Ruby library for working with time zone
information.

For Debian 11 bullseye, this problem has been fixed in version
1.2.6-1+deb11u1.

We recommend that you upgrade your ruby-tzinfo packages.

For the detailed security status of ruby-tzinfo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-tzinfo

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3857-1] libtommath security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3857-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libtommath
Version : 1.2.0-6+deb11u1
CVE ID : CVE-2023-36328

It was discovered that there was a series of integer overflow
vulnerabilities in LibTomMath, a multiple-precision mathematics
library.

This could have allowed attackers to execute arbitrary code and/or cause
a denial of service (DoS).

For Debian 11 bullseye, this problem has been fixed in version
1.2.0-6+deb11u1.

We recommend that you upgrade your libtommath packages.

For the detailed security status of libtommath please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libtommath

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
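To confirm that a bullseye host carries the fixed versions the four advisories above name, the following Python script, added here and not part of the advisories, reimplements dpkg's version ordering (the comparison `dpkg --compare-versions` performs) and checks `dpkg-query -W -f='${Package} ${Version}\n'` output against those versions; the sample output is constructed.

```python
# Debian version ordering as dpkg's verrevcmp: numeric digit runs, '~' sorts before everything.
def _order(c: str) -> int:
    return 0 if c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256 if c else 0
def _verrevcmp(a: str, b: str) -> int:
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():  # the longer digit run is the larger number
            return 1
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(v: str) -> tuple:  # -> (epoch, upstream_version, debian_revision)
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

# Fixed versions exactly as stated in DLA-3868-1, 3867-1, 3866-1 and 3857-1.
FIXED = {"ruby-nokogiri": "1.11.1+dfsg-2+deb11u1", "git": "1:2.30.2-1+deb11u3",
         "ruby-tzinfo": "1.2.6-1+deb11u1", "libtommath": "1.2.0-6+deb11u1"}

def unpatched(dpkg_output: str) -> dict:
    """package -> installed version for each `dpkg-query -W` line still below FIXED."""
    found = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED and compare_versions(parts[1], FIXED[parts[0]]) < 0:
            found[parts[0]] = parts[1]
    return found

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output, not from a real host.
SAMPLE = "git 1:2.30.2-1+deb11u2\nlibtommath 1.2.0-6+deb11u1\nruby-nokogiri 1.11.1+dfsg-2\nruby-tzinfo 1.2.6-1\n"
```

Packages that are not installed produce no dpkg-query line and are therefore not reported, so an empty result only means nothing installed is behind.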