Debian 10359

Debian GNU/Linux has received several security updates: rust-openssl, a ruby2.7 regression fix, bind9 and cacti for Debian 11 LTS, and asterisk for Debian 9 and 10 ELTS:

[DLA 4049-1] rust-openssl security update
[DLA 4018-2] ruby2.7 regression update
[DLA 4050-1] bind9 security update
[DLA 4048-1] cacti security update
ELA-1319-1 asterisk security update




[SECURITY] [DLA 4049-1] rust-openssl security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4049-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
February 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : rust-openssl
Version : 0.10.29-1+deb11u1
CVE ID : CVE-2025-24898

A vulnerability has been discovered in rust-openssl, a set of OpenSSL
bindings for the Rust programming language.

In affected versions ssl::select_next_proto can return a slice pointing
into the server argument's buffer but with a lifetime bound to the
client argument. In situations where the server buffer's lifetime is
shorter than the client buffer's, this can cause a use-after-free.

This could cause the server to crash or to return arbitrary memory
contents to the client. This security update fixes the signature of
ssl::select_next_proto to properly constrain the output buffer's lifetime
to that of both input buffers. In standard usage of ssl::select_next_proto
in the callback passed to SslContextBuilder::set_alpn_select_callback,
code is only affected if the server buffer is constructed within the
callback.
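The lifetime issue above, shown on a small safe-Rust reimplementation of the protocol-list selection. This is an added example, not rust-openssl's own code: the length-prefixed list format and the server-preference walk follow what SSL_select_next_proto does, while negotiate() only mimics the shape of the callback that set_alpn_select_callback expects (the real callback also receives an SslRef, which is left out here). The server list SERVER_PROTOS and the client offers are constructed. Because the result borrows from the server list and the output lifetime is tied to both inputs, a callback that builds its server list in a local Vec and returns the selection is rejected by the compiler, which is the constraint the fixed signature restores.

```rust
/// Parse a length-prefixed protocol list as sent in ALPN/NPN: each entry is
/// one length byte followed by that many bytes. Returns None for a malformed
/// list (zero-length entry or a length running past the end of the buffer).
fn parse_proto_list(list: &[u8]) -> Option<Vec<&[u8]>> {
    let mut protos = Vec::new();
    let mut rest = list;
    while let Some((&len, tail)) = rest.split_first() {
        let len = usize::from(len);
        if len == 0 || tail.len() < len {
            return None;
        }
        let (proto, tail) = tail.split_at(len);
        protos.push(proto);
        rest = tail;
    }
    Some(protos)
}

/// Server-preference selection in the style of SSL_select_next_proto: walk the
/// server's list in order and return the first entry the client also offers.
/// The result borrows from `server`, so the output lifetime 'a is tied to BOTH
/// inputs. The pre-fix signature was
///   fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]>
/// which let a caller keep the result after the server buffer was dropped.
pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
    let server = parse_proto_list(server)?;
    let client = parse_proto_list(client)?;
    server.into_iter().find(|s| client.contains(s))
}

/// Mimics the shape of the ALPN selection callback (assumption for this
/// example; the real one also receives &mut SslRef): whatever the callback
/// returns must live at least as long as the client's offer 'a.
pub fn negotiate<F>(callback: F, client_offer: &[u8]) -> Option<Vec<u8>>
where
    F: for<'a> Fn(&'a [u8]) -> Option<&'a [u8]>,
{
    callback(client_offer).map(|p| p.to_vec())
}

/// Constructed server preference list: h2 first, then http/1.1. It lives for
/// the whole program, which is the safe pattern the advisory describes.
pub const SERVER_PROTOS: &[u8] = b"\x02h2\x08http/1.1";

pub fn negotiate_with_static_list(client_offer: &[u8]) -> Option<Vec<u8>> {
    // Compiles because 'static outlives any 'a. Building the server list in a
    // Vec inside this closure and returning the selection is rejected by the
    // borrow checker under the corrected signature: the result would not
    // outlive the closure body, let alone the client offer.
    negotiate(|client| select_next_proto(SERVER_PROTOS, client), client_offer)
}

fn main() {
    // Constructed client offer listing http/1.1 before h2; server preference wins.
    let offer: &[u8] = b"\x08http/1.1\x02h2";
    match negotiate_with_static_list(offer) {
        Some(p) => println!("negotiated {}", String::from_utf8_lossy(&p)),
        None => println!("no overlap"),
    }
}
```

The malformed-list case matters for the same reason as the lifetime: a length byte that runs past the buffer is where an over-read would start, so parse_proto_list refuses it instead of trusting the length.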

For Debian 11 bullseye, this problem has been fixed in version
0.10.29-1+deb11u1.

We recommend that you upgrade your rust-openssl packages.

For the detailed security status of rust-openssl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rust-openssl

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4018-2] ruby2.7 regression update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4018-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ruby2.7
Version : 2.7.4-1+deb11u4

A regression was identified in the rexml gem.

A corner case of XML default namespace handling was not handled
correctly, so rexml failed to parse valid XML files.

For Debian 11 bullseye, this problem has been fixed in version
2.7.4-1+deb11u4.

We recommend that you upgrade your ruby2.7 packages.

For the detailed security status of ruby2.7 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby2.7

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4050-1] bind9 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4050-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Paride Legovini
February 11, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : bind9
Version : 1:9.16.50-1~deb11u3
CVE ID : CVE-2024-11187

One vulnerability was discovered in BIND, a DNS server implementation, which
may result in denial of service.

It is possible to construct a zone such that some queries to it will generate
responses containing numerous records in the Additional section. An attacker
sending many such queries can cause either the authoritative server itself or
an independent resolver to use disproportionate resources processing the
queries. Zones will usually need to have been deliberately crafted to exploit
this flaw.

For Debian 11 bullseye, this problem has been fixed in version
1:9.16.50-1~deb11u3.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/bind9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4048-1] cacti security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4048-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 10, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : cacti
Version : 1.2.16+ds1-2+deb11u5
CVE ID : CVE-2024-43362 CVE-2024-43363 CVE-2024-43364 CVE-2024-43365
CVE-2024-45598 CVE-2024-47875 CVE-2024-48910 CVE-2024-54145
CVE-2025-22604 CVE-2025-24367 CVE-2025-24368

Multiple security vulnerabilities have been discovered in Cacti, a web
interface for graphing of monitoring systems, which could result in
cross-site scripting, SQL injection, or command injection.

For Debian 11 bullseye, these problems have been fixed in version
1.2.16+ds1-2+deb11u5.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
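Each advisory above names the version in which the problem is fixed for bullseye. A practical check is to compare what dpkg reports against those versions using dpkg's own ordering rules, in which "~" sorts before anything (so 1~deb11u3 is below 1) and "+deb11u5" sorts after a bare revision. The following is an added example, not a Debian tool: it reimplements dpkg's version comparison and runs it over a constructed stand-in for the output of dpkg-query. The binary package names assumed to carry the fixed versions (bind9, cacti, libruby2.7, librust-openssl-dev) and the sample installed versions are assumptions for this example.

```rust
use std::cmp::Ordering;
use std::collections::HashMap;

/// Rank of one byte inside a non-digit run, as dpkg orders them: '~' sorts
/// before anything, even the end of the string; letters sort before other
/// characters; end of string and digits rank 0 (a boundary).
fn order(c: Option<u8>) -> i32 {
    match c {
        Some(b'~') => -1,
        Some(c) if c.is_ascii_alphabetic() => i32::from(c),
        Some(c) if c.is_ascii_digit() => 0,
        Some(c) => i32::from(c) + 256,
        None => 0,
    }
}

/// dpkg's verrevcmp: alternate non-digit runs (compared via `order`) and
/// digit runs (compared numerically, leading zeros ignored).
fn verrevcmp(a: &[u8], b: &[u8]) -> Ordering {
    let (mut i, mut j) = (0usize, 0usize);
    while i < a.len() || j < b.len() {
        let mut first_diff = 0i32;
        // Non-digit run: the loop returns as soon as one side hits a digit
        // or the end while the other does not, so i and j never overrun.
        while (i < a.len() && !a[i].is_ascii_digit()) || (j < b.len() && !b[j].is_ascii_digit()) {
            let (ac, bc) = (order(a.get(i).copied()), order(b.get(j).copied()));
            if ac != bc {
                return ac.cmp(&bc);
            }
            i += 1;
            j += 1;
        }
        while i < a.len() && a[i] == b'0' { i += 1; }
        while j < b.len() && b[j] == b'0' { j += 1; }
        while i < a.len() && a[i].is_ascii_digit() && j < b.len() && b[j].is_ascii_digit() {
            if first_diff == 0 {
                first_diff = i32::from(a[i]) - i32::from(b[j]);
            }
            i += 1;
            j += 1;
        }
        // The longer digit run is the larger number.
        if i < a.len() && a[i].is_ascii_digit() { return Ordering::Greater; }
        if j < b.len() && b[j].is_ascii_digit() { return Ordering::Less; }
        if first_diff != 0 { return first_diff.cmp(&0); }
    }
    Ordering::Equal
}

/// Split "[epoch:]upstream[-revision]" the way dpkg does: epoch before the
/// first ':', revision after the last '-'. A missing revision compares as "0".
fn split(v: &str) -> (u64, &str, &str) {
    let (epoch, rest) = match v.split_once(':') {
        Some((e, r)) => (e.parse().unwrap_or(0), r),
        None => (0, v),
    };
    let (upstream, revision) = rest.rsplit_once('-').unwrap_or((rest, ""));
    (epoch, upstream, revision)
}

pub fn compare_versions(a: &str, b: &str) -> Ordering {
    let (ea, ua, ra) = split(a);
    let (eb, ub, rb) = split(b);
    ea.cmp(&eb)
        .then_with(|| verrevcmp(ua.as_bytes(), ub.as_bytes()))
        .then_with(|| verrevcmp(ra.as_bytes(), rb.as_bytes()))
}

/// Fixed versions from the bullseye advisories, keyed by the binary package
/// names assumed (for this example) to carry them.
pub const FIXED: &[(&str, &str)] = &[
    ("bind9", "1:9.16.50-1~deb11u3"),
    ("cacti", "1.2.16+ds1-2+deb11u5"),
    ("libruby2.7", "2.7.4-1+deb11u4"),
    ("librust-openssl-dev", "0.10.29-1+deb11u1"),
];

/// Constructed stand-in for the output of
/// dpkg-query -W -f '${Package} ${Version}\n' bind9 cacti libruby2.7 librust-openssl-dev
pub const SAMPLE_DPKG: &str = "\
bind9 1:9.16.50-1~deb11u2
cacti 1.2.16+ds1-2+deb11u5
libruby2.7 2.7.4-1+deb11u3
librust-openssl-dev 0.10.29-1+deb11u1
";

/// Packages whose installed version is still below the fixed version.
/// Packages absent from `dpkg_output` are not installed and are skipped.
pub fn outstanding(dpkg_output: &str, fixed: &[(&str, &str)]) -> Vec<String> {
    let installed: HashMap<&str, &str> = dpkg_output
        .lines()
        .filter_map(|line| line.split_once(' '))
        .collect();
    fixed
        .iter()
        .filter(|(pkg, fixed_ver)| {
            installed
                .get(pkg)
                .map_or(false, |inst| compare_versions(inst, fixed_ver) == Ordering::Less)
        })
        .map(|(pkg, _)| pkg.to_string())
        .collect()
}

fn main() {
    for pkg in outstanding(SAMPLE_DPKG, FIXED) {
        println!("{pkg}: installed version is below the advisory's fixed version, upgrade");
    }
}
```

On a real host, replace SAMPLE_DPKG with the actual dpkg-query output; the comparison is the part worth reusing, since a plain string or float comparison gets both the "~" and the epoch cases wrong.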



ELA-1319-1 asterisk security update


Package : asterisk
Version : 1:13.14.1~dfsg-2+deb9u11 (stretch), 1:16.28.0~dfsg-0+deb10u6 (buster)

Related CVEs :
CVE-2024-53566

A vulnerability was discovered in asterisk, an Open Source Private Branch
Exchange.

CVE-2024-53566
It is possible to access files outside the configuration directory via AMI
and path traversal even when live_dangerously is not enabled.
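The flaw class here is path traversal: a caller-supplied name is joined under the configuration directory and a check on the result is either missing or looks only at a string prefix. The following is an added, generic illustration and says nothing about how asterisk's AMI actions build their paths: it puts the naive prefix check beside a lexical component-by-component confinement that refuses "..", absolute paths, and anything else that would leave the base directory. The base directory /etc/asterisk and the requested names are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Naive check of the kind traversal bugs slip past: it inspects only the
/// string prefix, so "../passwd" joined under the config directory still
/// "starts with" the config directory.
pub fn naive_prefix_check(base: &str, requested: &str) -> bool {
    format!("{base}/{requested}").starts_with(base)
}

/// Resolve an untrusted, caller-supplied name against `base` and refuse any
/// result that would leave `base`. Works lexically on path components, so it
/// needs no filesystem access and works for files that do not exist yet;
/// symlinks already inside `base` are a separate concern. Absolute requests
/// are refused outright rather than silently re-rooted.
pub fn confine(base: &Path, requested: &str) -> Option<PathBuf> {
    let mut out = base.to_path_buf();
    for component in Path::new(requested).components() {
        match component {
            Component::Normal(segment) => out.push(segment),
            Component::CurDir => {}
            Component::ParentDir => {
                if out.as_path() == base {
                    return None; // would climb above the configuration directory
                }
                out.pop();
            }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    Some(out)
}

fn main() {
    let base = Path::new("/etc/asterisk");
    for req in ["extensions.conf", "sub/../sip.conf", "../passwd", "/etc/passwd"] {
        println!(
            "{req:?}: naive prefix check = {}, confined = {:?}",
            naive_prefix_check("/etc/asterisk", req),
            confine(base, req)
        );
    }
}
```

The ".." check is done on the partially built path rather than by counting components, so "sub/../sip.conf" resolves normally while "sub/../../passwd" is refused at the second "..".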

