Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-5846-1 libreoffice - security update
    Thomas Rinsma discovered two security vulnerabilities in LibreOffice, which could result in information disclosure or overwriting of files when opening malformed documents. https://security-tracker.debian.org/tracker/DSA-5846-1
  • DSA-5845-1 tomcat10 - security update
    Several problems have been addressed in Tomcat 10, a Java-based web server, servlet and JSP engine, which may lead to denial of service or authentication bypass:
      • CVE-2024-38286: Apache Tomcat, under certain configurations, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
      • CVE-2024-52316: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
      • CVE-2024-50379 / CVE-2024-56337: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration). Some users may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat.
    https://security-tracker.debian.org/tracker/DSA-5845-1
  • DSA-5843-2 rsync - regression update
    The update for rsync announced in DSA 5843-1 introduced a regression when using the -H option to preserve hard links. Updated packages are now available to correct this issue. https://security-tracker.debian.org/tracker/DSA-5843-2
  • DSA-5844-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5844-1
  • DSA-5843-1 rsync - security update
    Several vulnerabilities were discovered in rsync, a fast, versatile, remote (and local) file-copying tool:
      • CVE-2024-12084: Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a heap-based buffer overflow vulnerability due to improper handling of attacker-controlled checksum lengths. A remote attacker can take advantage of this flaw for code execution.
      • CVE-2024-12085: Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a flaw in the way rsync compares file checksums, allowing a remote attacker to trigger an information leak.
      • CVE-2024-12086: Simon Scannell, Pedro Gallegos and Jasiel Spelman discovered a flaw which would result in a server leaking contents of an arbitrary file from the client's machine.
      • CVE-2024-12087: Simon Scannell, Pedro Gallegos and Jasiel Spelman reported a path traversal vulnerability in the rsync daemon affecting the --inc-recursive option, which could allow a server to write files outside of the client's intended destination directory.
      • CVE-2024-12088: Simon Scannell, Pedro Gallegos and Jasiel Spelman reported that when using the --safe-links option, rsync fails to properly verify whether a symbolic link destination contains another symbolic link within it, resulting in path traversal and arbitrary file write outside of the desired directory.
      • CVE-2024-12747: Aleksei Gorban "loqpa" discovered a race condition when handling symbolic links resulting in an information leak which may enable escalation of privileges.
    https://security-tracker.debian.org/tracker/DSA-5843-1
  • DSA-5842-1 openafs - security update
    Several vulnerabilities were discovered in OpenAFS, an implementation of the AFS distributed filesystem, which may result in theft of credentials in Unix client PAGs (CVE-2024-10394), fileserver crashes and information leak on StoreACL/FetchACL (CVE-2024-10396) or buffer overflows in XDR responses resulting in denial of service and potentially code execution (CVE-2024-10397). https://security-tracker.debian.org/tracker/DSA-5842-1
  • DSA-5841-1 thunderbird - security update
    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5841-1
  • DSA-5840-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5840-1
  • DSA-5839-1 firefox-esr - security update
    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or privilege escalation. https://security-tracker.debian.org/tracker/DSA-5839-1
  • DSA-5838-1 gst-plugins-good1.0 - security update
    Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened. https://security-tracker.debian.org/tracker/DSA-5838-1
  • DSA-5837-1 fastnetmon - security update
    Two security issues have been discovered in FastNetMon, a fast DDoS analyzer: malformed Netflow/sFlow traffic could result in denial of service. https://security-tracker.debian.org/tracker/DSA-5837-1
  • DSA-5836-1 xen - security update
    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks. https://security-tracker.debian.org/tracker/DSA-5836-1
  • DSA-5835-1 webkit2gtk - security update
    The following vulnerabilities have been discovered in the WebKitGTK web engine:
      • CVE-2024-54479: Seunghyun Lee discovered that processing maliciously crafted web content may lead to an unexpected process crash.
      • CVE-2024-54502: Brendon Tiszka discovered that processing maliciously crafted web content may lead to an unexpected process crash.
      • CVE-2024-54505: Gary Kwong discovered that processing maliciously crafted web content may lead to memory corruption.
      • CVE-2024-54508: linjy, chluo and Xiangwei Zhang discovered that processing maliciously crafted web content may lead to an unexpected process crash.
    https://security-tracker.debian.org/tracker/DSA-5835-1
  • DSA-5834-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5834-1
  • DSA-5833-1 dpdk - security update
    A buffer overflow was discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers. https://security-tracker.debian.org/tracker/DSA-5833-1
  • DSA-5832-1 gstreamer1.0 - security update
    Antonio Morales reported an integer overflow vulnerability in the memory allocator in the Core GStreamer libraries, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is processed. https://security-tracker.debian.org/tracker/DSA-5832-1
  • DSA-5831-1 gst-plugins-base1.0 - security update
    Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened. https://security-tracker.debian.org/tracker/DSA-5831-1
  • DSA-5830-1 smarty4 - security update
    A security vulnerability was discovered in Smarty, a template engine for PHP, which could result in PHP code injection. https://security-tracker.debian.org/tracker/DSA-5830-1
  • DSA-5829-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5829-1
  • DSA-5828-1 python-aiohttp - security update
    Multiple security vulnerabilities were discovered in python-aiohttp, an HTTP client/server for asyncio, which could result in denial of service, directory traversal, CRLF injection or request smuggling. https://security-tracker.debian.org/tracker/DSA-5828-1