
Debian GNU/Linux has been updated with two security patches: Thunderbird and Needrestart:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1238-1 needrestart security update

Debian GNU/Linux 11 (Bullseye) LTS:
[SECURITY] [DLA 3960-1] thunderbird security update

[SECURITY] [DLA 3960-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3960-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 20, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:128.4.3esr-1~deb11u1
CVE ID : CVE-2024-11159

A security issue was discovered in Thunderbird, which could result in
the disclosure of OpenPGP encrypted messages.

For Debian 11 bullseye, this problem has been fixed in version
1:128.4.3esr-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1238-1 needrestart security update

Package : needrestart
Version : 1.2-8+deb8u3 (jessie), 2.11-3+deb9u3 (stretch), 3.4-5+deb10u2 (buster)
Related CVEs :

CVE-2024-11003
CVE-2024-48990
CVE-2024-48991
CVE-2024-48992

The Qualys Threat Research Unit discovered several local privilege
escalation vulnerabilities in needrestart, a utility to check which
daemons need to be restarted after library upgrades.

CVE-2024-11003
Local attackers can trick needrestart to call the Perl module
Module::ScanDeps with attacker-controlled files.

CVE-2024-48990
Local attackers can execute arbitrary code as root by tricking needrestart
into running the Python interpreter with an attacker-controlled PYTHONPATH
environment variable.

CVE-2024-48991
Local attackers can execute arbitrary code as root by winning a race
condition and tricking needrestart into running their own, fake Python
interpreter (instead of the system's real Python interpreter).

CVE-2024-48992
Local attackers can also execute arbitrary code as root by tricking
needrestart into running the Ruby interpreter with an attacker-controlled
RUBYLIB environment variable.

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
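As an added illustration of the defensive side of the three interpreter issues above (this is not needrestart's own code, nor how its fix is implemented), the Python below parses a process environment in /proc/<pid>/environ format, drops the loader-controlling variables before any privileged interpreter call, and resolves the interpreter to a fixed trusted path rather than the one the process reports; the variable allowlist, the interpreter table and the sample environment are assumptions constructed for the example.

```python
import os
from typing import Dict, Optional

# Variables that redirect what an interpreter loads. Passing them through
# from an untrusted process into a root interpreter call is the pattern
# behind CVE-2024-48990 (PYTHONPATH) and CVE-2024-48992 (RUBYLIB); the
# remaining entries are assumed members of the same risk class.
DANGEROUS_VARS = frozenset({
    "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "RUBYLIB", "RUBYOPT",
    "PERL5LIB", "PERL5OPT", "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",
})
# Assumed allowlist of variables a privileged helper may carry across.
ALLOWED_VARS = frozenset({"PATH", "HOME", "LANG", "LC_ALL", "TZ"})
# Assumed fixed paths: run these, never whatever /proc/<pid>/exe points
# at, so a swap between check and use (CVE-2024-48991) changes nothing.
TRUSTED_INTERPRETERS = {"python": "/usr/bin/python3", "ruby": "/usr/bin/ruby"}

# Constructed sample in /proc/<pid>/environ format (NUL-separated KEY=VALUE).
SAMPLE_ENVIRON = (b"PATH=/usr/local/bin:/usr/bin\0HOME=/home/alice\0"
                  b"PYTHONPATH=/home/alice/lib\0RUBYLIB=/home/alice/rb\0"
                  b"LANG=C.UTF-8\0")


def parse_proc_environ(blob: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE contents of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if entry and b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def scrub_interpreter_env(env: Dict[str, str]) -> Dict[str, str]:
    """Keep allowlisted variables only; loader-controlling ones never pass."""
    return {k: v for k, v in env.items()
            if k in ALLOWED_VARS and k not in DANGEROUS_VARS}


def trusted_interpreter(kind: str, observed_exe: str) -> Optional[str]:
    """Return the fixed trusted path for `kind`, or None to refuse the call.

    The observed executable is only compared against the trusted path;
    it is never the thing that gets executed.
    """
    expected = TRUSTED_INTERPRETERS.get(kind)
    if expected is None or os.path.normpath(observed_exe) != expected:
        return None
    return expected
```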
