Debian 10261 Published by

The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 10 LTS (Buster):
[DLA 3829-1] sendmail security update

Debian GNU/Linux 11 (Bullseye) and 12 (Bookworm):
[DSA 5711-1] thunderbird security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5712-1] ffmpeg security update



[DSA 5711-1] thunderbird security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5711-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 15, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : thunderbird
CVE ID : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693
CVE-2024-5696 CVE-2024-5700 CVE-2024-5702

Multiple security issues were discovered in Thunderbird, which could
result inthe execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed
in version 1:115.12.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 1:115.12.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3829-1] sendmail security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3829-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
June 15, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : sendmail
Version : 8.15.2-14~deb10u2
CVE ID : CVE-2023-51765
Debian Bug : 1059386

sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation technique to inject e-mail
messages with a spoofed MAIL FROM address, allowing bypass
of an SPF protection mechanism. This occurs because sendmail supports
. but some other popular e-mail servers do not.

This particular injection vulnerability has been closed,
unfortunatly full closure need to reject mail that
contain NUL (0x00 byte).

This is slighly non conformant with RFC and could
be opt-out by setting confREJECT_NUL to 'false'
in sendmail.mc file.

For Debian 10 buster, this problem has been fixed in version
8.15.2-14~deb10u2.

We recommend that you upgrade your sendmail packages.

For the detailed security status of sendmail please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sendmail

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5712-1] ffmpeg security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5712-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
June 15, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : ffmpeg
CVE ID : CVE-2023-50010 CVE-2023-51793 CVE-2023-51794
CVE-2023-51795 CVE-2023-51798 CVE-2024-31585

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (bookworm), these problems have been fixed in
version 7:5.1.5-0+deb12u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/