Debian 10225

Debian GNU/Linux has received various updates, such as libheif, thunderbird, and context:

Debian GNU/Linux 10 (Bullseye) Extended LTS:
ELA-1230-1 context bugfix update
ELA-1229-1 libheif security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3945-1] libheif security update
[DLA 3946-1] context bugfix update

Debian GNU/Linux 12 (Bookworm):
[DSA 5803-1] thunderbird security update





[SECURITY] [DLA 3945-1] libheif security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3945-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Chris Lamb
November 05, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : libheif
Version : 1.11.0-1+deb11u2
CVE IDs : CVE-2023-0996 CVE-2023-29659
Debian Bugs : 1032101 1035607

It was discovered that there were two issues in libheif, a decoder
and encoder for the HEIF and AVIF image formats that could have been
exploited by specially-crafted image files.

For Debian 11 bullseye, these problems have been fixed in version
1.11.0-1+deb11u2.

We recommend that you upgrade your libheif packages.

For the detailed security status of libheif please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libheif

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3946-1] context bugfix update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3946-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Bastien Roucariès
November 05, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : context
Version : 2020.03.10.20200331-1+deb11u1

Context, a general-purpose document processor, was affected by the
CVE-2023-32700 fix, which by default disables luasocket.

This bugfix release fixes the mtxrun program used at install time
of context (postinst), which was broken by the CVE-2023-32700 patch.

For Debian 11 bullseye, this problem has been fixed in version
2020.03.10.20200331-1+deb11u1.

We recommend that you upgrade your context packages.

For the detailed security status of context please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/context

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DSA 5803-1] thunderbird security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5803-1                  security@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
November 05, 2024                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2024-10458 CVE-2024-10459 CVE-2024-10460 CVE-2024-10461
CVE-2024-10462 CVE-2024-10463 CVE-2024-10464 CVE-2024-10465
CVE-2024-10466 CVE-2024-10467

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

Debian follows the Thunderbird upstream releases. Support for the
115.x series has ended, so starting with this update we're now
following the 128.x series.

For the stable distribution (bookworm), these problems have been fixed in
version 1:128.4.0esr-1~deb12u1. This version is not yet available for
the i386 architecture.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


ELA-1230-1 context bugfix update

Package : context
Version : 2018.04.04.20181118-1+deb10u1 (buster)

Context, a general-purpose document processor, was affected by the
CVE-2023-32700 fix, which by default disables luasocket.
This bugfix release fixes the mtxrun program used at install time
of context (postinst), which was broken by that patch.



ELA-1229-1 libheif security update

Package : libheif
Version : 1.3.2-2+deb10u3 (buster)

Related CVEs :
CVE-2023-0996

There was a vulnerability in the strided image parsing code in libheif,
a decoder/encoder for the HEIF and AVIF image formats. An attacker could
have exploited this through a crafted image file to cause a buffer
overflow in linear memory during a memcpy call.

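The fixed versions quoted in these advisories (the `1:` epoch on thunderbird, the `~deb12u1` backport suffix, the `+deb11u2` and `+deb10u3` revisions) only compare correctly under dpkg's version ordering, which a plain string or float comparison gets wrong. The following added example, which is not part of the advisories or of dpkg itself, reimplements that ordering in Python and checks an installed version against the fixed versions on this page; the `FIXED` table, `is_fixed` and the sample installed versions are this example's own constructed names and data.

```python
import re

# Fixed versions exactly as stated in the advisories above (suite -> source package -> version).
FIXED = {
    "bullseye": {"libheif": "1.11.0-1+deb11u2", "context": "2020.03.10.20200331-1+deb11u1"},
    "bookworm": {"thunderbird": "1:128.4.0esr-1~deb12u1"},
    "buster": {"libheif": "1.3.2-2+deb10u3", "context": "2018.04.04.20181118-1+deb10u1"},
}

def _order(c):
    """dpkg weight for non-digit runs: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = (_order(a[0]) if a else 0), (_order(b[0]) if b else 0)
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):          # numeric runs compare as integers
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    def split(v):                                 # -> (epoch, upstream, debian_revision)
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_fixed(installed, suite, source_pkg):
    """True if the installed version is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED[suite][source_pkg]) >= 0

if __name__ == "__main__":                        # constructed sample versions, not real hosts
    print(is_fixed("1.11.0-1+deb11u1", "bullseye", "libheif"))           # False: still vulnerable
    print(is_fixed("1:128.4.0esr-1~deb12u1", "bookworm", "thunderbird"))  # True
```

On a real host, feed it the output of `dpkg-query -W -f='${Version}' libheif1` (note that dpkg reports the binary package, libheif1, while the advisory names the source package).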