Debian 10387 Published by

Debian GNU/Linux has been updated with multiple updates for TzData, Tomcat9, OpenJPEG2, and Jetty:

Debian GNU/Linux 8 (Jessie), 9 (Stretch), and 10 (Buster) Extended LTS:
ELA-1369-1 tzdata new timezone database

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4105-1] tzdata new timezone database
[DLA 4108-1] tomcat9 security update
[DLA 4107-1] openjpeg2 security update
[DLA 4106-1] jetty9 security update




[SECURITY] [DLA 4105-1] tzdata new timezone database


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4105-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
April 01, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tzdata
Version : 2025b-0+deb11u1

This update includes the changes in tzdata 2025b. Notable changes are:

- New America/Coyhaique zone for Aysén Region in Chile, which moves
from -04/-03 to -03. It will not change its clocks on 2025-04-05.

For Debian 11 bullseye, this problem has been fixed in version
2025b-0+deb11u1.

We recommend that you upgrade your tzdata packages.

For the detailed security status of tzdata please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tzdata

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



ELA-1369-1 tzdata new timezone database


Package : tzdata
Version : 2025b-0+deb8u1 (jessie), 2025b-0+deb9u1 (stretch), 2025b-0+deb10u1 (buster)

This update includes the changes in tzdata 2025b. Notable changes are:

New America/Coyhaique zone for Aysén Region in Chile, which moves
from -04/-03 to -03. It will not change its clocks on 2025-04-05.





[SECURITY] [DLA 4108-1] tomcat9 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4108-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 02, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : tomcat9
Version : 9.0.43-2~deb11u12
CVE ID : CVE-2025-24813

A security vulnerability was found in Tomcat 9, a Java-based web server and
servlet engine. A malicious user was able to view security-sensitive files
and/or inject content into those files when writes were enabled for the default
servlet (disabled by default) and support for partial PUT was enabled
(default). Under certain circumstances, depending on the application in use,
remote code execution may have been possible.
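The first precondition named above is a deployment setting that an operator can audit directly: the DefaultServlet's `readonly` init-param, which Tomcat treats as true when absent. The following is an added example, not code from the advisory or from the Tomcat project: it parses a web.xml deployment descriptor, reports every DefaultServlet instance that has `readonly` explicitly set to false, and produces a hardened copy with the parameter set back to true. The sample web.xml is constructed; the Debian config path mentioned in the usage note is an assumption.

```python
"""Audit a Tomcat web.xml for DefaultServlet instances with writes enabled
(init-param 'readonly' = false) and emit a hardened copy.  Added example,
not advisory or Tomcat code; the descriptor below is constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"  # namespace used by Tomcat 9's conf/web.xml

# Constructed sample: a descriptor fragment carrying the weak setting.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    """Stripped text of the first child named `name`, or '' if absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def _default_servlets(root):
    """Yield every <servlet> element whose class is Tomcat's DefaultServlet."""
    for elem in root.iter():
        if _local(elem.tag) == "servlet" and _text(elem, "servlet-class") == DEFAULT_SERVLET_CLASS:
            yield elem


def writable_default_servlets(xml_text):
    """Return the servlet-names of DefaultServlet instances with readonly=false.

    A missing 'readonly' parameter means read-only in Tomcat, so only an
    explicit false (case-insensitive, as Tomcat parses booleans) is reported."""
    root = ET.fromstring(xml_text)
    hits = []
    for servlet in _default_servlets(root):
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in _children(servlet, "init-param")}
        if params.get("readonly", "true").lower() == "false":
            hits.append(_text(servlet, "servlet-name"))
    return hits


def harden(xml_text):
    """Return a copy of the descriptor with every DefaultServlet 'readonly' set to true."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default namespace unprefixed on output
    root = ET.fromstring(xml_text)
    for servlet in _default_servlets(root):
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                for value in _children(param, "param-value"):
                    value.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("writable DefaultServlet instances:", writable_default_servlets(SAMPLE_WEB_XML))
    print(harden(SAMPLE_WEB_XML))
```

Run it against the server-wide descriptor (on Debian, assumed to be /etc/tomcat9/web.xml) and each application's WEB-INF/web.xml, since an application may override the global servlet definition. The check covers only the `readonly` precondition; installing 9.0.43-2~deb11u12 remains the fix.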

For Debian 11 bullseye, this problem has been fixed in version
9.0.43-2~deb11u12.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4107-1] openjpeg2 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4107-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 02, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : openjpeg2
Version : 2.4.0-3+deb11u1
CVE ID : CVE-2021-3575 CVE-2021-29338 CVE-2022-1122 CVE-2024-56826
CVE-2024-56827
Debian Bug : 989775 987276 1092675 1092676

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code if malformed images are processed.

For Debian 11 bullseye, these problems have been fixed in version
2.4.0-3+deb11u1.

We recommend that you upgrade your openjpeg2 packages.

For the detailed security status of openjpeg2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjpeg2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 4106-1] jetty9 security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4106-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Markus Koschany
April 02, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : jetty9
Version : 9.4.57-0+deb11u1
CVE ID : CVE-2024-6762 CVE-2024-8184 CVE-2024-9823
Debian Bug : 1085697

Jetty 9 is a Java-based web server and servlet engine. Several security
vulnerabilities have been discovered which may allow remote attackers to cause
a denial of service by repeatedly sending crafted requests that trigger
OutOfMemory errors and exhaust the server's memory.

CVE-2024-6762: In addition, PushSessionCacheFilter and PushCacheFilter have been
deprecated. These classes should no longer be used in a production environment.

For Debian 11 bullseye, these problems have been fixed in version
9.4.57-0+deb11u1.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS