Advisory: Debian LTS Essential and Critical Security Patch Updates
Find the information you need for your favorite open source distribution .
Two vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service. CVE-2023-50387
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking.
This release fixes various issues in shim bootloader and updates it to a supported version. Older versions of the shim may eventually be blocked by Secure Boot, so it is strongly advised for Secure Boot enabled systems to upgrade to this newer version to keep the system bootable.
Alicia Boya Garcia reported that the GDBus signal subscriptions in the GLib library are prone to a spoofing vulnerability. A local attacker can take advantage of this flaw to cause a GDBus-based client to behave incorrectly, with an application-dependent impact.
A possible SQL injection vulnerability was found in libpgjava, the PostgreSQL JDBC Driver. It allows an attacker to inject SQL when the connection uses PreferQueryMode=SIMPLE, which is not the default mode. In the default mode there is no vulnerability.
Guido Vranken discovered an issue in python3-idna, a library to support the Internationalized Domain Names in Applications (IDNA) protocol. A specially crafted argument to the idna.encode() function could consume significant resources, which may lead to Denial of Service.
Security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure or incorrect validation of password hashes.
A bug in libkf5ksieve, an email filtering library for KDE, exposed the user password in plaintext server logs. For Debian 10 buster, this problem has been fixed in version
Intel has released microcode updates, addressing several vulnerabilities. CVE-2023-22655
Out-of-bounds write in the iconv ISO-2022-CN-EXT module has been fixed in the GNU C library. For Debian 10 buster, this problem has been fixed in version
This is a routine update of the distro-info-data database for Debian LTS users. It adds Ubuntu 24.10.
Several issues have been found in qtbase-opensource-src, a collection of several Qt modules/libraries. The issues are related to buffer overflows, infinite loops or application
Bartek Nowotarski discovered that nghttp2, a set of programs implementing the HTTP/2 protocol, keeps reading CONTINUATION frames even after a stream is reset, in order to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream, which could lead to Denial of Service.
It was discovered that there was a potential remote code execution vulnerability in Astropy, a suite of Python tools and utilities for astrophysics.
Multiple problems were discovered in Org-mode, a GNU Emacs major mode for keeping notes, authoring documents, and maintaining to-do lists. CVE-2024-30203 & CVE-2024-30204
Multiple problems were discovered in GNU Emacs, the extensible, customisable, self-documenting display editor. CVE-2024-30203 & CVE-2024-30204
Multiple vulnerabilities were fixed in ruby-rack, an interface for developing web applications in Ruby. CVE-2024-25126
A potential DoS attack has been mitigated by rate-limiting HTTP/2 CONTINUATION frames in Apache Traffic Server, an HTTP/1.1 and HTTP/2 compliant caching proxy server.
Improper form input field validation has been fixed in Zabbix, a network monitoring solution. For Debian 10 buster, this problem has been fixed in version
Several vulnerabilities have been found in frr, the FRRouting suite of internet routing protocols. An attacker could craft packets to trigger buffer overflows with the possibility of remote code execution, buffer over-reads, crashes, or to trick the software into entering an infinite loop.