
The following security updates have been released for Debian GNU/Linux:

Debian GNU/Linux 8 (Jessie) and 9 (Stretch) Extended LTS:
ELA-1161-1 libvirt security update

Debian GNU/Linux 11 (Bullseye):
[SECURITY] [DLA 3856-1] python-html-sanitizer security update

Debian GNU/Linux 12 (Bookworm):
[SECURITY] [DSA 5758-1] trafficserver security update

[SECURITY] [DSA 5758-1] trafficserver security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5758-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 26, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : trafficserver
CVE ID : CVE-2023-38522 CVE-2024-35161 CVE-2024-35296

Several vulnerabilities were discovered in Apache Traffic Server,
a reverse and forward proxy server, which could result in denial
of service or request smuggling.

For the stable distribution (bookworm), these problems have been fixed in
version 9.2.5+ds-0+deb12u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 3856-1] python-html-sanitizer security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-3856-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
August 26, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : python-html-sanitizer
Version : 1.9.1-2+deb11u1
CVE ID : CVE-2024-34078
Debian Bug : 1070710

It was discovered that there was a sanitisation bypass issue in
python-html-sanitizer, a library used to ensure that user-specified
content cannot inject HTML or JavaScript into a webpage.

If the default "keep_typographic_whitespace=False" value was set,
malicious users could have exploited the fact that some Unicode
characters normalise to chevrons, which allowed specially-crafted
HTML to escape sanitisation.
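The class of bug the advisory describes, as an added illustration that is not python-html-sanitizer's own code: a toy escaper that only looks for ASCII chevrons is run in both orders relative to NFKC normalisation, and a helper flags characters whose normalised form is a chevron. The assumption that the bypass comes from normalising after escaping is mine; the full-width chevron sample input is constructed.

```python
import html
import unicodedata

# Constructed sample: U+FF1C / U+FF1E (FULLWIDTH LESS-THAN / GREATER-THAN SIGN)
# are compatibility characters whose NFKC form is the plain ASCII chevron.
SAMPLE = "\uff1cb\uff1ebold\uff1c/b\uff1e"


def chevron_lookalikes(text: str) -> list[str]:
    """Return the characters in *text* that are not '<' or '>' themselves
    but whose NFKC normalisation contains one.

    A non-empty result means a byte-level '<'/'>' check will miss chevrons
    that a later normalisation step will expose.
    """
    return [
        ch for ch in text
        if ch not in "<>"
        and any(c in "<>" for c in unicodedata.normalize("NFKC", ch))
    ]


def escape_then_normalise(text: str) -> str:
    """Vulnerable ordering (assumed pattern): escape first, normalise second.

    html.escape() sees no ASCII chevrons and leaves the text untouched; the
    NFKC step then turns the full-width signs into real '<' and '>', so
    markup survives into the output.
    """
    return unicodedata.normalize("NFKC", html.escape(text, quote=False))


def normalise_then_escape(text: str) -> str:
    """Safe ordering: normalise first so the escaper sees the real chevrons."""
    return html.escape(unicodedata.normalize("NFKC", text), quote=False)


def contains_markup(text: str) -> bool:
    """True if the string still contains a raw ASCII chevron."""
    return "<" in text or ">" in text


if __name__ == "__main__":
    print("lookalikes:", chevron_lookalikes(SAMPLE))
    print("escape->normalise:", escape_then_normalise(SAMPLE))
    print("normalise->escape:", normalise_then_escape(SAMPLE))
```

Running `chevron_lookalikes` over untrusted input before sanitising is a cheap detection for inputs that rely on this trick, independent of which sanitiser is in use.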

For Debian 11 bullseye, this problem has been fixed in version
1.9.1-2+deb11u1.

We recommend that you upgrade your python-html-sanitizer packages.

For the detailed security status of python-html-sanitizer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-html-sanitizer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1161-1 libvirt security update

Package : libvirt
Version : 1.2.9-9+deb8u8 (jessie), 3.0.0-4+deb9u6 (stretch)

Related CVEs :
CVE-2021-3631
CVE-2021-3975
CVE-2022-0897
CVE-2024-1441
CVE-2024-2494
CVE-2024-2496

Several issues have been found in libvirt, a library for interfacing with different virtualization systems.
The issues are related to a use-after-free, an off-by-one, a null pointer dereference and a badly handled mutex, which could be used for a denial of service.
The other issues are related to privilege escalation and breaking out of the sVirt confinement.
(strictly speaking CVE-2021-3975 only affects Stretch)