Debian 10225 Published by

The following updates have been released for Debian GNU/Linux:

Debian GNU/Linux 10 (Buster) LTS:
[DLA 3829-2] sendmail regression update
[DLA 3839-1] putty security update

Debian GNU/Linux 12 (Bookworm) LTS:
[DSA 5717-1] php8.2 security update



[DLA 3829-2] sendmail regression update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3829-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 20, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : sendmail
Version : 8.15.2-14~deb10u3

Fixing CVE-2023-51765 (smtp smuggling) requires to reject
email that include NUL bytes, in some configuration.

Previous security version of sendmail, by default, does not
reject email that include NUL bytes.

For Debian 10 buster, this problem has been fixed in version
8.15.2-14~deb10u3.

We recommend that you upgrade your sendmail packages.

For the detailed security status of sendmail please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sendmail

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5717-1] php8.2 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5717-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 20, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : php8.2
CVE ID : CVE-2024-5458

It was discovered that user validation was incorrectly implemented
for filter_var(FILTER_VALIDATE_URL).

For the stable distribution (bookworm), this problem has been fixed in
version 8.2.20-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3839-1] putty security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3839-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 20, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : putty
Version : 0.74-1+deb11u1~deb10u2
CVE ID : CVE-2024-31497

A biased ECDSA nonce generation allowed an attacker
to recover a user's NIST P-521 secret key via a quick attack in
approximately 60 signatures. In other words, an adversary
may already have enough signature information to compromise a victim's
private key, even if there is no further use of vulnerable PuTTY
versions.

This allowed an attacker to (for instance) log in to any servers
the victim uses that key for.

To obtain these signatures, an attacker need only briefly compromise
any server the victim uses the key to authenticate to.

Therefore, if you have any NIST-P521 ECDSA key, we strongly recommend
you to replace it with a freshly new created with a fixed version of
putty. Then, to revoke the old public key and remove it from any
machine where you use it to login into, so that a signature
from the compromised key has no value any more.

The only affected key type is 521-bit ECDSA. That is, a key that appears
in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the
'Key fingerprint' box, or is described as 'NIST p521', or has an id
starting ecdsa-sha2-nistp521 in the SSH protocol or the key file.
Other sizes of ECDSA, and other key algorithms, are unaffected.
In particular, Ed25519 is not affected.

For Debian 10 buster, this problem has been fixed in version
0.74-1+deb11u1~deb10u2.

We recommend that you upgrade your putty packages.

For the detailed security status of putty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/putty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS