Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3991-1] upx-ucl security update
[DLA 3992-1] libsoup2.4 security update
Debian GNU/Linux 12 (Bookworm):
[DSA 5828-1] python-aiohttp security update
[SECURITY] [DLA 3991-1] upx-ucl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3991-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sylvain Beucler
December 11, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : upx-ucl
Version : 3.96-2+deb11u1
CVE ID : CVE-2023-23456
Debian Bug : 1033258
A heap-based buffer write overflow issue was discovered in UPX, an
efficient live-compressor for executables. An attacker could corrupt
memory via a crafted file, leading to undefined impact (from
denial-of-service to code execution).
For Debian 11 bullseye, this problem has been fixed in version
3.96-2+deb11u1.
We recommend that you upgrade your upx-ucl packages.
For the detailed security status of upx-ucl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/upx-ucl
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3992-1] libsoup2.4 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3992-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Sean Whitton
December 12, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libsoup2.4
Version : 2.72.0-2+deb11u1
CVE ID : CVE-2024-52530 CVE-2024-52531 CVE-2024-52532
Debian Bug : 1088812 1089238 1089240
Multiple vulnerabilities were discovered in libsoup2.4, an HTTP library
for Gtk+ programs.
CVE-2024-52530
In some configurations, HTTP request smuggling is possible because
null characters at the end of the names of HTTP headers were
ignored.
CVE-2024-52531
There was a buffer overflow in applications that perform conversion
to UTF-8 in soup_header_parse_param_list_strict. This could lead to
memory corruption, crashes or information disclosure.
(Contrary to the CVE description, it is now believed that input
received over the network could trigger this.)
CVE-2024-52532
An infinite loop in the processing of WebSocket data from clients
could lead to a denial-of-service problem through memory exhaustion.
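The header-name issue behind CVE-2024-52530, as an added illustration that is not libsoup code: a constructed lenient parser that drops trailing NUL bytes from header names, beside a strict RFC 9110 token check that rejects any such name, both run over a constructed header block. The function names and the sample block are assumptions made for this example.

```python
# Added example (not libsoup's code): two header-name parsers that disagree
# on a name containing a trailing NUL byte. Such disagreement between a
# front-end and a back-end is what turns lenient parsing into a smuggling risk.
import re

# RFC 9110 "token" characters: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
#   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def lenient_header_name(raw: bytes) -> str:
    """Constructed model of the flawed behaviour described for CVE-2024-52530:
    trailing NUL bytes are silently dropped before the name is used."""
    return raw.rstrip(b"\x00").decode("latin-1")


def strict_header_name(raw: bytes):
    """Hardened check: the name must be a non-empty RFC 9110 token.
    A NUL byte (or any other non-tchar byte) makes the field invalid."""
    name = raw.decode("latin-1")
    return name if TCHAR_RE.fullmatch(name) else None


def parse_headers(block: bytes, strict: bool):
    """Parse a CRLF-separated header block into a lowercase-keyed dict.
    Strict mode returns None on the first invalid field; lenient mode
    mirrors the vulnerable behaviour and keeps going."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:  # empty line: end of block or trailing CRLF
            continue
        name_raw, sep, value = line.partition(b":")
        if not sep:
            return None
        name = strict_header_name(name_raw) if strict else lenient_header_name(name_raw)
        if name is None:
            return None
        headers[name.lower()] = value.strip().decode("latin-1")
    return headers


# Constructed sample request headers; the second field name ends in a NUL byte.
SAMPLE = b"Host: example.test\r\nX-Example\x00: 1\r\n"


def demo():
    """Returns (lenient_result, strict_result) for the constructed sample."""
    return parse_headers(SAMPLE, strict=False), parse_headers(SAMPLE, strict=True)
```

The lenient parser reports a normal-looking `x-example` field while the strict one rejects the whole block, which is the behaviour a hardened HTTP parser should have.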
For Debian 11 bullseye, these problems have been fixed in version
2.72.0-2+deb11u1.
We recommend that you upgrade your libsoup2.4 packages.
For the detailed security status of libsoup2.4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libsoup2.4
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DSA 5828-1] python-aiohttp security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-5828-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 11, 2024 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : python-aiohttp
CVE ID : CVE-2023-47627 CVE-2023-49081 CVE-2023-49082
CVE-2024-23334 CVE-2024-30251 CVE-2024-52304
Multiple security vulnerabilities were discovered in python-aiohttp,
an HTTP client/server for asyncio, which could result in denial of
service, directory traversal, CRLF injection or request smuggling.
For the stable distribution (bookworm), these problems have been fixed in
version 3.8.4-1+deb12u1.
We recommend that you upgrade your python-aiohttp packages.
For the detailed security status of python-aiohttp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-aiohttp
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/