
The following security updates have been released for Debian GNU/Linux 11 (Bullseye):

[SECURITY] [DLA 3882-1] thunderbird security update
[SECURITY] [DLA 3883-1] python-jwcrypto security update
[SECURITY] [DLA 3884-1] cacti security update




[SECURITY] [DLA 3882-1] thunderbird security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3882-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
September 09, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : thunderbird
Version : 1:115.15.0-1~deb11u1
CVE ID : CVE-2024-8381 CVE-2024-8382 CVE-2024-8383 CVE-2024-8384

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For Debian 11 bullseye, these problems have been fixed in version
1:115.15.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3883-1] python-jwcrypto security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3883-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
September 09, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-jwcrypto
Version : 0.8.0-1+deb11u1
CVE ID : CVE-2024-28102
Debian Bug : 1065688

It was discovered that python-jwcrypto, an implementation of JSON Web
Encryption and similar object signing standards, was vulnerable to a
potential denial of service (DoS) attack.

This could have been exploited by passing python-jwcrypto a malicious
JWE token with a high compression ratio. When the server processed
said token, it would have consumed a lot of memory and processing
time.
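The failure mode above is a decompression bomb: JWE's "zip":"DEF" member lets the plaintext be DEFLATE-compressed before encryption, so a small token can inflate to a huge buffer. The following is an added example, not python-jwcrypto's own code, showing how a JWE consumer can cap inflation of the decrypted payload and reject an oversized token early; the 1 MiB ceiling, the chunk size and the function names are assumptions.

```php
<?php
// Added example (not python-jwcrypto's code): bound the output of inflating
// a JWE "zip":"DEF" payload. Applied to the decrypted plaintext when the
// protected header carries "zip":"DEF". Limit and chunk size are assumed.

const MAX_INFLATED_BYTES = 1048576; // 1 MiB plaintext ceiling (assumed)
const INPUT_CHUNK_BYTES  = 1024;    // feed compressed bytes in small slices

function inflate_bounded(string $deflated, int $limit = MAX_INFLATED_BYTES): string
{
    // JWE "DEF" is raw DEFLATE (RFC 1951): no zlib or gzip header.
    $ctx = inflate_init(ZLIB_ENCODING_RAW);
    if ($ctx === false) {
        throw new RuntimeException('inflate_init failed');
    }
    $out = '';
    $len = strlen($deflated);
    for ($off = 0; $off < $len; $off += INPUT_CHUNK_BYTES) {
        $piece = inflate_add($ctx, substr($deflated, $off, INPUT_CHUNK_BYTES), ZLIB_SYNC_FLUSH);
        if ($piece === false) {
            throw new RuntimeException('corrupt DEFLATE stream');
        }
        $out .= $piece;
        // Check after every input slice: peak memory is then bounded by
        // $limit plus what one slice can expand to, not by the whole token.
        if (strlen($out) > $limit) {
            throw new LengthException("inflated JWE payload exceeds {$limit} bytes");
        }
    }
    if (inflate_get_status($ctx) !== ZLIB_STREAM_END) {
        throw new RuntimeException('truncated DEFLATE stream');
    }
    return $out;
}

// Constructed inputs: a small legitimate payload and a high-ratio one
// (16 MiB of zero bytes compresses to a few KiB of DEFLATE data).
$small = gzdeflate('{"sub":"alice","exp":1700000000}', 9);
$bomb  = gzdeflate(str_repeat("\0", 16 * 1024 * 1024), 9);

var_dump(strlen(inflate_bounded($small)));
try {
    inflate_bounded($bomb);
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL; // bomb rejected after the first slices
}
```

The same ceiling should also be enforced on the compressed token size before decryption, so that the work done by the decryptor is bounded as well.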

For Debian 11 bullseye, this problem has been fixed in version
0.8.0-1+deb11u1.

We recommend that you upgrade your python-jwcrypto packages.

For the detailed security status of python-jwcrypto please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-jwcrypto

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3884-1] cacti security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3884-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
September 09, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : cacti
Version : 1.2.16+ds1-2+deb11u4
CVE ID : CVE-2022-41444 CVE-2024-25641 CVE-2024-31443 CVE-2024-31444
CVE-2024-31445 CVE-2024-31458 CVE-2024-31459 CVE-2024-31460
CVE-2024-34340

Multiple vulnerabilities were found in Cacti, a web interface for graphing of monitoring systems.

CVE-2022-41444

A Cross Site Scripting (XSS) vulnerability was found via a crafted
POST request to graphs_new.php.

CVE-2024-25641

An arbitrary file write vulnerability was found, exploitable through
the "Package Import" feature. This vulnerability allowed authenticated
users having the "Import Templates" permission to execute
arbitrary PHP code (RCE) on the web server.

CVE-2024-31443

A Cross Site Scripting (XSS) vulnerability was found via a crafted request
to the data_queries.php file.

CVE-2024-31444

A Cross Site Scripting (XSS) vulnerability was found via a crafted request
to the automation_tree_rules.php file, through the
automation_tree_rules_form_save() function.

CVE-2024-31445

A SQL injection vulnerability was found in the automation_get_new_graphs_sql
function of `api_automation.php`. It allows authenticated users to
perform privilege escalation and remote code execution.

CVE-2024-31458

A SQL injection vulnerability was found in the form_save() function of the
graph_template_inputs.php file.

CVE-2024-31459

A file inclusion issue was found in the 'lib/plugin.php' file. Combined
with a SQL injection vulnerability, it can lead to remote code execution
(RCE).

CVE-2024-31460

A SQL injection vulnerability was found in some of the data stored in the
automation_tree_rules.php file.

CVE-2024-34340

A type juggling vulnerability was found in the compat_password_verify
function. The MD5 hash of the user input is compared with the correct
password hash from the database using `$md5 == $hash`, a loose comparison,
instead of the stricter `===`.
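As an added illustration of the comparison described for CVE-2024-34340 (example code, not Cacti's own), the loose form is shown beside a hardened one. PHP compares two numeric-looking strings with `==` as numbers, so any two digests of the form `0e<digits>` are "equal"; the function names and the constructed digests are assumptions.

```php
<?php
// Added example, not Cacti's code: the comparison pattern behind
// CVE-2024-34340 next to a hardened version. Function names are assumed.

// Vulnerable shape: both operands are strings, but when two strings look
// numeric PHP's == compares them as numbers. A digest of the form
// "0e<digits>" is the numeric string 0 * 10^n, i.e. 0, so two different
// digests of that form compare equal and a wrong password is accepted.
function verify_md5_loose(string $md5, string $hash): bool
{
    return $md5 == $hash;
}

// Hardened shape: hash_equals() compares byte-for-byte in constant time.
// === would also avoid the juggling, but is not timing-safe.
function verify_md5_strict(string $md5, string $hash): bool
{
    return hash_equals($hash, $md5);
}

// Constructed digests: both are 32 characters of the form 0e<digits>,
// a shape a real MD5 output occasionally has, yet they are not the same
// string. A digest taken from the database is $storedHash; $submittedMd5
// stands for md5() of the password the user typed.
$storedHash   = '0e' . str_repeat('1', 30);
$submittedMd5 = '0e' . str_repeat('2', 30);

var_dump($storedHash === $submittedMd5);                 // strings differ
var_dump(verify_md5_loose($submittedMd5, $storedHash));  // loose: treated as equal numbers
var_dump(verify_md5_strict($submittedMd5, $storedHash)); // strict: mismatch rejected
```

In practice an MD5 compatibility path should only bridge legacy accounts, rehashing with password_hash() on a successful login so the loose comparison is not needed at all.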

For Debian 11 bullseye, these problems have been fixed in version
1.2.16+ds1-2+deb11u4.

We recommend that you upgrade your cacti packages.

For the detailed security status of cacti please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cacti

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS