Debian GNU/Linux has been updated with multiple security enhancements, including shellinabox, Ruby, ruby-saml, Jetty, Tomcat, ZFS-Linux and OpenJPEG2:

Debian GNU/Linux 8 (Jessie) ELTS:
ELA-1378-1 tomcat7 security update

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) ELTS:
ELA-1380-1 openjpeg2 security update
ELA-1377-1 tomcat8 security update

Debian GNU/Linux 9 (Stretch) ELTS:
ELA-1375-1 shellinabox security update
ELA-1374-1 ruby2.3 security update

Debian GNU/Linux 10 (Buster) ELTS:
ELA-1379-1 openjpeg2 security update
ELA-1376-1 tomcat9 security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4115-1] ruby-saml security update
[DLA 4106-2] jetty9 regression update
[DLA 4114-1] zfs-linux security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5894-1] jetty9 security update
[DSA 5893-1] tomcat10 security update

ELA-1375-1 shellinabox security update


Package : shellinabox
Version : 2.21~deb9u1 (stretch)

Related CVEs :
CVE-2018-16789

Denial of service with broken multipart/form-data has been fixed in shellinabox, a web server that can export arbitrary command line tools to a web based terminal emulator.

ELA-1374-1 ruby2.3 security update


Package : ruby2.3

Version : 2.3.3-1+deb9u14 (stretch)

Related CVEs :
CVE-2025-27219
CVE-2025-27220
CVE-2025-27221

Ruby, a popular scripting language, was affected by multiple vulnerabilities.
CVE-2025-27219
In the CGI gem, the CGI::Cookie.parse method in the CGI library
contains a potential Denial of Service (DoS) vulnerability.
The method does not impose any limit on the length of the raw cookie
value it processes. This oversight can lead to excessive
resource consumption when parsing extremely large cookies.

CVE-2025-27220
In the CGI gem, a Regular Expression Denial of Service (ReDoS)
vulnerability exists in the Util#escapeElement method.

CVE-2025-27221
In the URI gem, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained
even after changing the host.

[SECURITY] [DLA 4115-1] ruby-saml security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4115-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
April 05, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : ruby-saml
Version : 1.11.0-1+deb11u2
CVE ID : CVE-2025-25291 CVE-2025-25292 CVE-2025-25293
Debian Bug : 1100441

Multiple vulnerabilities have been detected in ruby-saml, a library for
implementing the client side of a SAML authorization.

CVE-2025-25291 and CVE-2025-25292

ruby-saml is susceptible to an authentication bypass vulnerability.

CVE-2025-25293

ruby-saml is susceptible to a Zlib deflate decompression bomb and a
remote Denial of Service (DoS) caused by compressed SAML responses.

For Debian 11 bullseye, these problems have been fixed in version
1.11.0-1+deb11u2.

We recommend that you upgrade your ruby-saml packages.

For the detailed security status of ruby-saml please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-saml

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
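As an added example (not ruby-saml's own code), the following shows the kind of bounded inflation that addresses the decompression-bomb condition described for CVE-2025-25293. It assumes the SAML message is base64-encoded raw DEFLATE as in the HTTP-Redirect binding; the helper names, the 1 MB cap and the constructed inputs are assumptions of this example.

```ruby
require "zlib"
require "base64"

# Added example, not ruby-saml's code; the 1 MB cap is an assumed value,
# well above the size of any legitimate SAML response.
MAX_SAML_BYTES = 1_000_000
class DecompressionBombError < StandardError; end

# Inflate a base64-encoded raw-DEFLATE SAML message (HTTP-Redirect binding
# style), aborting as soon as the output exceeds max_bytes, so a tiny
# compressed bomb cannot exhaust the server's memory.
def bounded_inflate(b64, max_bytes: MAX_SAML_BYTES)
  compressed = Base64.decode64(b64)
  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS) # negative = raw DEFLATE
  out = String.new # binary accumulator
  begin
    # Block form yields inflated data chunk by chunk instead of buffering
    # the whole result, so the check runs before the bomb fully unfolds.
    zstream.inflate(compressed) do |chunk|
      out << chunk
      if out.bytesize > max_bytes
        raise DecompressionBombError, "inflated message exceeds #{max_bytes} bytes"
      end
    end
  ensure
    zstream.close
  end
  out
end

# Demo input builder: raw DEFLATE then base64, as a sender would encode it.
def deflate_raw(str)
  deflater = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS)
  data = deflater.deflate(str, Zlib::FINISH)
  deflater.close
  Base64.strict_encode64(data)
end

# Constructed inputs: a tiny legitimate message, and a "bomb" of 10 MB of
# zero bytes that compresses to roughly 10 KB.
def demo
  legit = bounded_inflate(deflate_raw('<samlp:Response ID="_x"/>'))
  bomb_rejected = begin
    bounded_inflate(deflate_raw("\0" * 10_000_000))
    false
  rescue DecompressionBombError
    true
  end
  [legit, bomb_rejected]
end
```

The legitimate message inflates normally, while the bomb is rejected after about 1 MB of output rather than being expanded to its full 10 MB.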



[SECURITY] [DLA 4106-2] jetty9 regression update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4106-2 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 05, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jetty9
Version : 9.4.57-0+deb11u2

The security update DLA-4106-1 for jetty9 incorrectly required an unavailable
dependency on sysvinit-utils >= 3.05 when installing the jetty9 binary package.
This issue has been addressed by reverting back to requiring only the lsb-base
binary package.

For Debian 11 bullseye, this problem has been fixed in version
9.4.57-0+deb11u2.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5894-1] jetty9 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5894-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
April 05, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : jetty9
CVE ID : CVE-2024-6762 CVE-2024-8184 CVE-2024-9823
Debian Bug : 1085697

Jetty 9 is a Java-based web server and servlet engine. Several security
vulnerabilities have been discovered which may allow remote attackers to cause
a denial of service by repeatedly sending crafted requests which can trigger
OutOfMemory errors and exhaust the server's memory.

CVE-2024-6762: In addition, PushSessionCacheFilter and PushCacheFilter have been
deprecated. These classes should no longer be used in a production environment.

For the stable distribution (bookworm), these problems have been fixed in
version 9.4.57-0+deb12u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5893-1] tomcat10 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5893-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
April 05, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat10
CVE ID : CVE-2025-24813

A security vulnerability was found in Tomcat 10, a Java-based web server and
servlet engine. A malicious user was able to view security sensitive files
and/or inject content into those files when writes were enabled for the default
servlet (disabled by default) and support for partial PUT was enabled
(default). Under certain circumstances, depending on the application in use,
remote code execution may have been possible.

For the stable distribution (bookworm), this problem has been fixed in
version 10.1.34-0+deb12u2.

We recommend that you upgrade your tomcat10 packages.

For the detailed security status of tomcat10 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat10

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4114-1] zfs-linux security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4114-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Daniel Leidert
April 05, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : zfs-linux
Version : 2.0.3-9+deb11u2
CVE ID : CVE-2013-20001 CVE-2023-49298
Debian Bug : 1056752 1059322

Multiple vulnerabilities were found in zfs-linux, the OpenZFS
filesystem for Linux.

CVE-2013-20001

When an NFS share is exported to IPv6 addresses via the sharenfs
feature, there is a silent failure to parse the IPv6 address data, and
access is allowed to everyone. IPv6 restrictions from the configuration
are not applied. The fix recognizes when the host part of a sharenfs
attribute is an IPv6 literal and passes it through without
modification.

CVE-2023-49298

The fix checks the dnode and its data for dirtiness, to prevent applications
from inadvertently replacing file contents with zero-valued bytes and
thus potentially disabling security mechanisms.

For Debian 11 bullseye, these problems have been fixed in version
2.0.3-9+deb11u2.

We recommend that you upgrade your zfs-linux packages.

For the detailed security status of zfs-linux please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/zfs-linux

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1380-1 openjpeg2 security update


Package : openjpeg2
Version : 2.1.2-1.1+deb8u1 (jessie), 2.1.2-1.1+deb9u8 (stretch)

Related CVEs :
CVE-2021-3575
CVE-2024-56826
CVE-2024-56827

Several security vulnerabilities have been discovered in openjpeg2, a JPEG 2000
image library. Processing of maliciously crafted image files may trigger
heap-based buffer overflows which may lead to an application crash or other
undefined behavior.
In order to improve the error handling of openjpeg2 in jessie, the version was
upgraded to 2.1.2, the same one as in stretch. This means long-standing minor
issues CVE-2014-7947, CVE-2016-1923 and CVE-2016-3183 are also fixed in Debian 8
“jessie” now.

ELA-1379-1 openjpeg2 security update


Package : openjpeg2
Version : 2.3.0-2+deb10u3 (buster)

Related CVEs :
CVE-2021-3575
CVE-2021-29338
CVE-2022-1122
CVE-2024-56826
CVE-2024-56827

Several security vulnerabilities have been discovered in openjpeg2, a JPEG 2000
image library. Processing of maliciously crafted image files may trigger
heap-based buffer overflows which may lead to an application crash or other
undefined behavior.

ELA-1376-1 tomcat9 security update


Package : tomcat9
Version : 9.0.31-1~deb10u14 (buster)

Related CVEs :
CVE-2025-24813

It was found that a malicious user was able to view security sensitive files
and/or inject content into those files when writes were enabled for the default
servlet (disabled by default) and support for partial PUT was enabled
(default). Under certain circumstances, depending on the application in use,
remote code execution may have been possible.

ELA-1377-1 tomcat8 security update


Package : tomcat8
Version : 8.0.14-1+deb8u29 (jessie), 8.5.54-0+deb9u18 (stretch)

Related CVEs :
CVE-2025-24813

It was found that a malicious user was able to view security sensitive files
and/or inject content into those files when writes were enabled for the default
servlet (disabled by default) and support for partial PUT was enabled
(default). Under certain circumstances, depending on the application in use,
remote code execution may have been possible.

ELA-1378-1 tomcat7 security update


Package : tomcat7
Version : 7.0.56-3+really7.0.109-1+deb8u8 (jessie)

Related CVEs :
CVE-2025-24813

It was found that a malicious user was able to view security sensitive files
and/or inject content into those files when writes were enabled for the default
servlet (disabled by default) and support for partial PUT was enabled
(default). Under certain circumstances, depending on the application in use,
remote code execution may have been possible.
