Debian GNU/Linux has been updated with two security patches: DLA 3961-1 for webkit2gtk and ELA-1239-1 for qtbase-opensource-src:

Debian GNU/Linx 8 (Jessie), 9 (Stretch), 10 (Buster) Extended LTS:
ELA-1239-1 qtbase-opensource-src security update

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 3961-1] webkit2gtk security update

[SECURITY] [DLA 3961-1] webkit2gtk security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3961-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
November 22, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : webkit2gtk
Version : 2.46.3-1~deb11u2
CVE ID : CVE-2024-40866 CVE-2024-44185 CVE-2024-44187 CVE-2024-44244
CVE-2024-44296

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-40866

Hafiizh and YoKo Kho discovered that visiting a malicious website
may lead to address bar spoofing.

CVE-2024-44185

Gary Kwong discovered that processing maliciously crafted web
content may lead to an unexpected process crash.

CVE-2024-44187

Narendra Bhati discovered that a malicious website may exfiltrate
data cross-origin.

CVE-2024-44244

An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that
processing maliciously crafted web content may lead to an
unexpected process crash.

CVE-2024-44296

Narendra Bhati discovered that processing maliciously crafted web
content may prevent Content Security Policy from being enforced.

For Debian 11 bullseye, these problems have been fixed in version
2.46.3-1~deb11u2.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1239-1 qtbase-opensource-src security update

Package : qtbase-opensource-src
Version : 5.3.2+dfsg-4+deb8u7 (jessie), 5.7.1+dfsg-3+deb9u5 (stretch), 5.11.3+dfsg1-1+deb10u7 (buster)

Related CVEs :
CVE-2023-24607
CVE-2023-32763
CVE-2023-33285
CVE-2023-34410
CVE-2023-37369
CVE-2023-38197


Multiple vulnerabilities have been fixed in qtbase-opensource-src, the core part of the Qt 5 application framework.

CVE-2023-24607 (jessie)
Qt SQL ODBC driver DoS

CVE-2023-32763 (jessie)
Qt SVG buffer overflow

CVE-2023-33285 (jessie)
QDnsLookup buffer over-read

CVE-2023-34410
certificate validation for TLS did not always consider whether the root of a chain is a configured CA certificate

CVE-2023-37369 (jessie)
QXmlStreamReader buffer overflow

CVE-2023-38197 (jessie)
QXmlStreamReader buffer overflow

ELA-1239-1 qtbase-opensource-src security update