Debian 10261 Published by

Updated tiff, qemu, and openssh packages are available for Debian GNU/Linux:

[DLA 3758-1] tiff security update
[DLA 3759-1] qemu security update
ELA-1055-1 openssh security update




[DLA 3758-1] tiff security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3758-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Abhijith PA
March 11, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tiff
Version : 4.1.0+git191117-2~deb10u9
CVE ID : CVE-2023-3576 CVE-2023-52356

Two vulnerabilities were discovered in tiff, Tag Image File Format
library.

CVE-2023-3576

A memory leak flaw was found in Libtiff's tiffcrop utility. This
issue occurs when tiffcrop operates on a TIFF image file, allowing
an attacker to pass a crafted TIFF image file to tiffcrop utility,
which causes this memory leak issue, resulting an application
crash, eventually leading to a denial of service

CVE-2023-52356

A segment fault (SEGV) flaw was found in libtiff that could be
triggered by passing a crafted tiff file to the
TIFFReadRGBATileExt() API. This flaw allows a remote attacker to
cause a heap-buffer overflow, leading to a denial of service.

For Debian 10 buster, these problems have been fixed in version
4.1.0+git191117-2~deb10u9.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3759-1] qemu security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3759-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Adrian Bunk
March 11, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : qemu
Version : 1:3.1+dfsg-8+deb10u12
CVE ID : CVE-2023-2861 CVE-2023-3354 CVE-2023-5088

Multiple vulnerabilities have been fixed in the machine emulator
and virtualizer QEMU.

CVE-2023-2861

9pfs did not prohibit opening special files on the host side

CVE-2023-3354

remote unauthenticated clients could cause denial of service in VNC server

CVE-2023-5088

IDE guest I/O operation addressed to an arbitrary disk offset might
get targeted to offset 0 instead

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u12.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1055-1 openssh security update

Package : openssh


Version : 1:6.7p1-5+deb8u10 (jessie)


Related CVEs :

CVE-2021-41617

CVE-2023-51385



Several vulnerabilities have been discovered in OpenSSH, an implementation of
the SSH protocol suite.
CVE-2021-41617
It was discovered that sshd failed to correctly initialise supplemental
groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the command
as a different user. Instead these commands would inherit the groups that
sshd was started with.

CVE-2023-51385
It was discovered that if an invalid user or hostname that contained shell
metacharacters was passed to ssh, and a ProxyCommand, LocalCommand
directive or "match exec" predicate referenced the user or hostname via
expansion tokens, then an attacker who could supply arbitrary
user/hostnames to ssh could potentially perform command injection. The
situation could arise in case of git repositories with submodules, where the
repository could contain a submodule with shell characters in its user or
hostname.

Unfortunately, the changes required to fix the Terrapin Attack (CVE-2023-48795)
in jessie are too intrusive to be backported and represent a high risk of
introducing regressions. We also concluded that the Terrapin Attack is hardly
exploitable on the server side of the OpenSSH packaged in jessie, since it does
not support EXT_INFO messages, which are required to take advantage of the
attack. To mitigate this attack, we recommend to OpenSSH users to disable the
ChaCha20-Poly1305 algorithm from the allowed cipher suites used by both OpenSSH
client and server. For convenience, we include here examples of the Ciphers
configuration option that can be used removing ChaCha20-Poly1305 from the
default list. This is the example for OpenSSH server’s /etc/ssh/sshd_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
And this is for system-wise OpenSSH client’s /etc/ssh/ssh_config:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour
Users should adapt those examples to their local configuration.

ELA-1055-1 openssh security update