Debian 10401

Debian GNU/Linux has been updated with security updates for XZ-Utils, Trafficserver, and Abseil:

Debian GNU/Linux 11 (Bullseye) LTS:
[DLA 4116-1] abseil security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5895-1] xz-utils security update
[DSA 5896-1] trafficserver security update




[SECURITY] [DSA 5895-1] xz-utils security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5895-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
April 05, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xz-utils
CVE ID : CVE-2025-31115

Harri K. Koskinen discovered a flaw in the multithreaded .xz decoder
lzma_stream_decoder_mt in xz-utils, the XZ-format compression utilities,
which may lead to denial of service (application crash) or the execution
of arbitrary code.

For the stable distribution (bookworm), this problem has been fixed in
version 5.4.1-1.

We recommend that you upgrade your xz-utils packages.

For the detailed security status of xz-utils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xz-utils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DSA 5896-1] trafficserver security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-5896-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
April 05, 2025 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : trafficserver
CVE ID : CVE-2024-38311 CVE-2024-38479 CVE-2024-50305
CVE-2024-50306 CVE-2024-56195 CVE-2024-56202

Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server, which could result in denial of
service, HTTP request smuggling, cache poisoning or incomplete
dropping of privileges.

For the stable distribution (bookworm), these problems have been fixed in
version 9.2.5+ds-0+deb12u2.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/


[SECURITY] [DLA 4116-1] abseil security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-4116-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
April 05, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : abseil
Version : 0~20200923.3-2+deb11u1
CVE ID : CVE-2025-0838
Debian Bug : 1098903

A vulnerability has been found in abseil, a collection of open-source C++
libraries that extend the C++ standard library, which might cause a heap
buffer overflow.

CVE-2025-0838

There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized
constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on their
size argument. As a result, it was possible for a caller to pass a very
large size that would cause an integer overflow when computing the size
of the container's backing store, and a subsequent out-of-bounds memory
write. Subsequent accesses to the container might also access
out-of-bounds memory.
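To illustrate the failure mode described above, the following is an added example and not Abseil's own code: it models a Swiss-table style backing store with assumed layout constants (kGroupWidth, kSlotSize) and contrasts the unchecked size arithmetic with a bounded version of the kind a fix for this class of bug introduces.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>

// Illustrative layout modelled on a Swiss-table style hash container (not
// Abseil's real code): a control-byte array of capacity + 1 + kGroupWidth
// bytes followed by capacity slots of kSlotSize bytes each. The constants
// are assumptions chosen for the example.
constexpr std::size_t kGroupWidth = 16;
constexpr std::size_t kSlotSize = 32;

// Unchecked: the arithmetic a reserve(n) with no upper bound performs.
// For a huge n the multiplication wraps modulo 2^(8*sizeof(size_t)), so a
// small block is requested while the container believes it holds n slots;
// later slot writes then run past the end of the allocation.
std::size_t BackingStoreBytesUnchecked(std::size_t capacity) {
  return capacity + 1 + kGroupWidth + capacity * kSlotSize;
}

// Largest capacity whose backing store size still fits in size_t.
constexpr std::size_t MaxValidCapacity() {
  return (std::numeric_limits<std::size_t>::max() - 1 - kGroupWidth) /
         (kSlotSize + 1);
}

// Hardened: refuse the request before any arithmetic can wrap. A real
// container would throw or abort here instead of returning nullopt.
std::optional<std::size_t> BackingStoreBytesChecked(std::size_t capacity) {
  if (capacity > MaxValidCapacity()) return std::nullopt;
  return BackingStoreBytesUnchecked(capacity);
}

// Independent cross-check using compiler overflow builtins (GCC/Clang):
// returns true if computing the size for `capacity` would wrap at any step.
bool SizeComputationOverflows(std::size_t capacity) {
  std::size_t slots = 0, total = 0;
  if (__builtin_mul_overflow(capacity, kSlotSize, &slots)) return true;
  if (__builtin_add_overflow(slots, capacity, &total)) return true;
  return __builtin_add_overflow(total, std::size_t{1} + kGroupWidth, &total);
}
```

The bound check and the builtin check agree exactly at MaxValidCapacity(): one past it is the first request that wraps.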

For Debian 11 bullseye, this problem has been fixed in version
0~20200923.3-2+deb11u1.

We recommend that you upgrade your abseil packages.

For the detailed security status of abseil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/abseil

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS