Here are the latest security advisories for the Debian Linux distribution:
- DSA-5816-1 libmodule-scandeps-perl - security update
The Qualys Threat Research Unit discovered that libmodule-scandeps-perl, a Perl module to recursively scan Perl code for dependencies, allows an attacker to execute arbitrary shell commands via specially crafted file names. Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt https://security-tracker.debian.org/tracker/DSA-5816-1 - DSA-5815-1 needrestart - security update
The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades. A local attacker can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable (CVE-2024-48990) or running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable (CVE-2024-48992). Additionally a local attacker can trick needrestart into running a fake Python interpreter (CVE-2024-48991) or cause needrestart to call the Perl module Module::ScanDeps with attacker-controlled files (CVE-2024-11003). Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt https://security-tracker.debian.org/tracker/DSA-5815-1 - DSA-5814-1 thunderbird - security update
A security issue was discovered in Thunderbird, which could result in the disclosure of OpenPGP encrypted messages. https://security-tracker.debian.org/tracker/DSA-5814-1 - DSA-5813-1 symfony - security update
Moritz Rauch discovered that the Symfony PHP framework implemented persisted remember-me cookies incorrectly, which could result in authentication bypass. https://security-tracker.debian.org/tracker/DSA-5813-1 - DSA-5812-1 postgresql-15 - security update
Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation. https://security-tracker.debian.org/tracker/DSA-5812-1 - DSA-5811-1 mpg123 - security update
An out-of-bounds write vulnerability when handling crafted streams was discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1, 2 and 3, which could result in the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5811-1 - DSA-5810-1 chromium - security update
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5810-1 - DSA-5809-1 symfony - security update
Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to privilege escalation, information disclosure, incorrect validation or an open redirect. https://security-tracker.debian.org/tracker/DSA-5809-1 - DSA-5808-1 ghostscript - security update
Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed. https://security-tracker.debian.org/tracker/DSA-5808-1 - DSA-5807-1 nss - security update
Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or potentially the execution of arbitary code. https://security-tracker.debian.org/tracker/DSA-5807-1 - DSA-5806-1 libarchive - security update
A heap-based out-of-bounds write vulnerability was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed. https://security-tracker.debian.org/tracker/DSA-5806-1 - DSA-5805-1 guix - security update
It was discovered that the daemon of the GNU Guix functional package manager was susceptible to privilege escalation. For additional information please refer to https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/ https://security-tracker.debian.org/tracker/DSA-5805-1 - DSA-5804-1 webkit2gtk - security update
The following vulnerabilities have been discovered in the WebKitGTK web engine: CVE-2024-44244 An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that processing maliciously crafted web content may lead to an unexpected process crash. CVE-2024-44296 Narendra Bhati discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced. https://security-tracker.debian.org/tracker/DSA-5804-1 - DSA-5803-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code. Debian follows the Thunderbird upstream releases. Support for the 115.x series has ended, so starting with this update we're now following the 128.x series. https://security-tracker.debian.org/tracker/DSA-5803-1 - DSA-5802-1 chromium - security update
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5802-1 - DSA-5801-1 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing or information disclosure. https://security-tracker.debian.org/tracker/DSA-5801-1 - DSA-5800-1 xorg-server - security update
Jan-Niklas Sohn discovered that a heap-based buffer overflow in the _XkbSetCompatMap function in the X Keyboard Extension of the X.org X server may result in privilege escalation if the X server is running privileged. https://security-tracker.debian.org/tracker/DSA-5800-1 - DSA-5799-1 chromium - security update
Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5799-1 - DSA-5798-1 activemq - security update
Christoper L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5798-1 - DSA-5797-1 twisted - security update
Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting. https://security-tracker.debian.org/tracker/DSA-5797-1 - More...