[DLA 3732-1] sudo security update
ELA-1041-1 zabbix security update
[DLA 3733-1] rear security update
[DSA 5614-1] zbar security update
ELA-1042-1 sudo security update
[DLA 3732-1] sudo security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3732-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
February 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : sudo
Version : 1.8.27-1+deb10u6
CVE ID : CVE-2023-7090 CVE-2023-28486 CVE-2023-28487
Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was affected by
the following vulnerabilities:
CVE-2023-7090
A flaw was found in sudo in the handling of ipa_hostname: the
ipa_hostname value from /etc/sssd/sssd.conf was not propagated to sudo.
This leads to a privilege mismanagement vulnerability in applications,
where client hosts retain privileges even after those privileges have
been retracted.
CVE-2023-28486
Sudo did not escape control characters in log messages.
CVE-2023-28487
Sudo did not escape control characters in sudoreplay output.
For Debian 10 buster, these problems have been fixed in version
1.8.27-1+deb10u6.
We recommend that you upgrade your sudo packages.
For the detailed security status of sudo please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sudo
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
ELA-1041-1 zabbix security update
Package : zabbix
Version : 2.2.23+dfsg-0+deb8u7 (jessie), 1:3.0.32+dfsg-0+deb9u6 (stretch)
Related CVEs :
CVE-2023-32721
CVE-2023-32726
Several security vulnerabilities have been discovered in zabbix, a
network monitoring solution, potentially allowing an attacker to perform
a stored XSS, Server-Side Request Forgery (SSRF), exposure of sensitive
information, a system crash, or arbitrary code execution.
CVE-2023-32721
A stored XSS has been found in the Zabbix web application in the
Maps element if a URL field is set with spaces before URL.
CVE-2023-32726
Possible buffer overread from reading DNS responses.
[DLA 3733-1] rear security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3733-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
February 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : rear
Version : 2.4+dfsg-1+deb10u1
CVE ID : CVE-2024-23301
rear is a disaster recovery and system migration framework. It has
been discovered that rear creates a world-readable initrd when using
GRUB_RESCUE=y. This allows local attackers to gain access to system
secrets otherwise only readable by root.
For Debian 10 buster, this problem has been fixed in version
2.4+dfsg-1+deb10u1.
We recommend that you upgrade your rear packages.
For the detailed security status of rear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rear
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[DSA 5614-1] zbar security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5614-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 03, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : zbar
CVE ID : CVE-2023-40889 CVE-2023-40890
Debian Bug : 1051724
Two vulnerabilities were discovered in zbar, a library for scanning and
decoding QR and bar codes, which may result in denial of service,
information disclosure or potentially the execution of arbitrary code if
a specially crafted code is processed.
For the oldstable distribution (bullseye), these problems have been
fixed in version 0.23.90-1+deb11u1.
For the stable distribution (bookworm), these problems have been fixed
in version 0.23.92-7+deb12u1.
We recommend that you upgrade your zbar packages.
For the detailed security status of zbar please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/zbar
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1042-1 sudo security update
Package : sudo
Version : 1.8.19p1-2.1+deb9u6 (stretch)
Related CVEs :
CVE-2023-28486
CVE-2023-28487
Sudo, a program designed to allow a sysadmin to give limited
root privileges to users and log root activity, was affected by
the following vulnerabilities:
CVE-2023-28486
Sudo did not escape control characters in log messages.
CVE-2023-28487
Sudo did not escape control characters in sudoreplay output.
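As an added example for CVE-2023-28486 (covered by both DLA-3732-1 and ELA-1042-1 above), and not code from the advisories or from sudo itself, the following Python shows what escaping control characters in a log message buys a defender: a field containing CR/LF or a terminal escape sequence can no longer break one invocation across several log lines or alter how the log renders. The octal escape form, the sudo-style field layout and the sample command are this example's own assumptions, and `has_raw_control` is a simple check for lines already sitting in a log file.

```python
import re

# Control characters to neutralise: C0 range (0x00-0x1f) plus DEL (0x7f).
# Assumption: the "\NNN" octal form is this example's choice, not sudo's exact output.
_CTRL = re.compile(r'[\x00-\x1f\x7f]')


def escape_control(s: str) -> str:
    """Replace every control character with a printable \\NNN octal escape."""
    return _CTRL.sub(lambda m: '\\%03o' % ord(m.group()), s)


def format_sudo_line(user: str, tty: str, cwd: str, runas: str, command: str,
                     escape: bool = True) -> str:
    """Build a sudo-style log entry; escape=False mimics the unfixed behaviour."""
    fields = [user, tty, cwd, runas, command]
    if escape:
        fields = [escape_control(f) for f in fields]
    user, tty, cwd, runas, command = fields
    return f"{user} : TTY={tty} ; PWD={cwd} ; USER={runas} ; COMMAND={command}"


def log_lines(entry: str) -> list:
    """Split an entry the way a log consumer (grep, SIEM) would see it."""
    return entry.splitlines()


def has_raw_control(line: str) -> bool:
    """Defender's check: a stored log line still carrying raw control bytes
    was written without escaping (newline terminators already stripped)."""
    return _CTRL.search(line) is not None


# Constructed sample: an argument carrying CR/LF and an ANSI "erase line" sequence.
SAMPLE_CMD = "/bin/echo hi\r\nsecond line\x1b[2K"


def demo() -> tuple:
    """Return (lines produced unescaped, lines produced escaped) for SAMPLE_CMD."""
    unfixed = format_sudo_line("alice", "pts/0", "/home/alice", "root",
                               SAMPLE_CMD, escape=False)
    fixed = format_sudo_line("alice", "pts/0", "/home/alice", "root", SAMPLE_CMD)
    return len(log_lines(unfixed)), len(log_lines(fixed))


if __name__ == "__main__":
    print(demo())  # (2, 1): the unescaped entry became two lines, the escaped one did not
```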