Debian GNU/Linux 10 (Buster) Extended LTS:
ELA-1230-1 context bugfix update
ELA-1229-1 libheif security update
Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3945-1] libheif security update
[DLA 3946-1] context bugfix update
Debian GNU/Linux 12 (Bookworm):
[DSA 5803-1] thunderbird security update
[SECURITY] [DLA 3945-1] libheif security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3945-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
November 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libheif
Version : 1.11.0-1+deb11u2
CVE IDs : CVE-2023-0996 CVE-2023-29659
Debian Bugs : 1032101 1035607
It was discovered that there were two issues in libheif, a decoder
and encoder for the HEIF and AVIF image formats, that could have been
exploited by specially crafted image files.
For Debian 11 bullseye, these problems have been fixed in version
1.11.0-1+deb11u2.
We recommend that you upgrade your libheif packages.
For the detailed security status of libheif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libheif
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3946-1] context bugfix update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3946-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
November 05, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : context
Version : 2020.03.10.20200331-1+deb11u1
Context, a general-purpose document processor, was affected by the
CVE-2023-32700 fix, which disables luasocket by default.
This bugfix release fixes the mtxrun program used at install time
of context (postinst), which was broken by the CVE-2023-32700 patch.
For Debian 11 bullseye, this problem has been fixed in version
2020.03.10.20200331-1+deb11u1.
We recommend that you upgrade your context packages.
For the detailed security status of context please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/context
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5803-1] thunderbird security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5803-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 05, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461
CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465
CVE-2024-10466 CVE-2024-10467
Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.
Debian follows the Thunderbird upstream releases. Support for the
115.x series has ended, so starting with this update we're now
following the 128.x series.
For the stable distribution (bookworm), these problems have been fixed in
version 1:128.4.0esr-1~deb12u1. This version is not yet available for
the i386 architecture.
We recommend that you upgrade your thunderbird packages.
For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
ELA-1230-1 context bugfix update
Package : context
Version : 2018.04.04.20181118-1+deb10u1 (buster)
Context, a general-purpose document processor, was affected by the
CVE-2023-32700 fix, which disables luasocket by default.
This bugfix release fixes the mtxrun program used at install time
of context (postinst), which was broken by this patch.
ELA-1229-1 libheif security update
Package : libheif
Version : 1.3.2-2+deb10u3 (buster)
Related CVEs :
CVE-2023-0996
There was a vulnerability in the strided image parsing code in
libheif, a decoder/encoder for the HEIF and AVIF image formats.
An attacker could have exploited this through a crafted image file
to cause a buffer overflow in linear memory during a memcpy call.