Debian 10260 Published by

The following security updates are available for Debian GNU/Linux:

[DSA 5603-1] xorg-server security update
[DLA 3716-1] ruby-httparty security update
[DLA 3715-1] jinja2 security update
[DSA 5604-1] openjdk-11 security update




[DSA 5603-1] xorg-server security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5603-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 23, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : xorg-server
CVE ID : CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409
CVE-2024-21885 CVE-2024-21886

Several vulnerabilities were discovered in the Xorg X server, which may
result in privilege escalation if the X server is running privileged
or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2:1.20.11-1+deb11u11.

For the stable distribution (bookworm), these problems have been fixed in
version 2:21.1.7-3+deb12u5.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[DLA 3716-1] ruby-httparty security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3716-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 23, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : ruby-httparty
Version : 0.16.2+dfsg1-3+deb10u1
CVE ID : CVE-2024-22049

It was discovered that there was a HTTP header injection
vulnerability in ruby-httparty, a web service library used in
various Ruby applications.

A remote, unauthenticated attacker could have provided a
crafted filename parameter during "multipart/form-data" uploads
which could have resulted in, for example, an attacker controlling
filenames being written to disk.

For Debian 10 buster, this problem has been fixed in version
0.16.2+dfsg1-3+deb10u1.

We recommend that you upgrade your ruby-httparty packages.

For the detailed security status of ruby-httparty please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-httparty

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DLA 3715-1] jinja2 security update


- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3715-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Chris Lamb
January 23, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : jinja2
Version : 2.10-2+deb10u1
CVE ID : CVE-2024-22195
Debian Bug : 1060748

It was discovered that there was an injection attack in jinja2, a
popular templating engine used in various Python applications.

It was possible to inject arbitrary HTML attributes into rendered
HTML via the "xmlattr" filter, potentially leading to a Cross-Site
Scripting (XSS) attack. It may also have been possible to bypass
attribute validation checks if they were blacklist-based.

For Debian 10 buster, this problem has been fixed in version
2.10-2+deb10u1.

We recommend that you upgrade your jinja2 packages.

For the detailed security status of jinja2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jinja2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[DSA 5604-1] openjdk-11 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5604-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
January 23, 2024 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : openjdk-11
CVE ID : CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926
CVE-2024-20945 CVE-2024-20952

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in side channel attacks, leaking sensitive data to log
files, denial of service or bypass of sandbox restrictions.

For the oldstable distribution (bullseye), these problems have been fixed
in version 11.0.22+7-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/