Advisories: Debian

Here are the latest security advisories for the Debian Linux distribution:

  • DSA-5816-1 libmodule-scandeps-perl - security update
    The Qualys Threat Research Unit discovered that libmodule-scandeps-perl, a Perl module to recursively scan Perl code for dependencies, allows an attacker to execute arbitrary shell commands via specially crafted file names. Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt https://security-tracker.debian.org/tracker/DSA-5816-1
  • DSA-5815-1 needrestart - security update
    The Qualys Threat Research Unit discovered several local privilege escalation vulnerabilities in needrestart, a utility to check which daemons need to be restarted after library upgrades. A local attacker can execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable (CVE-2024-48990) or running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable (CVE-2024-48992). Additionally, a local attacker can trick needrestart into running a fake Python interpreter (CVE-2024-48991) or cause needrestart to call the Perl module Module::ScanDeps with attacker-controlled files (CVE-2024-11003). Details can be found in the Qualys advisory at https://www.qualys.com/2024/11/19/needrestart/needrestart.txt https://security-tracker.debian.org/tracker/DSA-5815-1
  • DSA-5814-1 thunderbird - security update
    A security issue was discovered in Thunderbird, which could result in the disclosure of OpenPGP encrypted messages. https://security-tracker.debian.org/tracker/DSA-5814-1
  • DSA-5813-1 symfony - security update
    Moritz Rauch discovered that the Symfony PHP framework implemented persisted remember-me cookies incorrectly, which could result in authentication bypass. https://security-tracker.debian.org/tracker/DSA-5813-1
  • DSA-5812-1 postgresql-15 - security update
    Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation. https://security-tracker.debian.org/tracker/DSA-5812-1
  • DSA-5811-1 mpg123 - security update
    An out-of-bounds write vulnerability when handling crafted streams was discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1, 2 and 3, which could result in the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5811-1
  • DSA-5810-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5810-1
  • DSA-5809-1 symfony - security update
    Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to privilege escalation, information disclosure, incorrect validation or an open redirect. https://security-tracker.debian.org/tracker/DSA-5809-1
  • DSA-5808-1 ghostscript - security update
    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed. https://security-tracker.debian.org/tracker/DSA-5808-1
  • DSA-5807-1 nss - security update
    Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or potentially the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5807-1
  • DSA-5806-1 libarchive - security update
    A heap-based out-of-bounds write vulnerability was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed. https://security-tracker.debian.org/tracker/DSA-5806-1
  • DSA-5805-1 guix - security update
    It was discovered that the daemon of the GNU Guix functional package manager was susceptible to privilege escalation. For additional information please refer to https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/ https://security-tracker.debian.org/tracker/DSA-5805-1
  • DSA-5804-1 webkit2gtk - security update
    The following vulnerabilities have been discovered in the WebKitGTK web engine:
      - CVE-2024-44244: An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that processing maliciously crafted web content may lead to an unexpected process crash.
      - CVE-2024-44296: Narendra Bhati discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.
    https://security-tracker.debian.org/tracker/DSA-5804-1
  • DSA-5803-1 thunderbird - security update
    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code. Debian follows the Thunderbird upstream releases. Support for the 115.x series has ended, so starting with this update we're now following the 128.x series. https://security-tracker.debian.org/tracker/DSA-5803-1
  • DSA-5802-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5802-1
  • DSA-5801-1 firefox-esr - security update
    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting, spoofing or information disclosure. https://security-tracker.debian.org/tracker/DSA-5801-1
  • DSA-5800-1 xorg-server - security update
    Jan-Niklas Sohn discovered that a heap-based buffer overflow in the _XkbSetCompatMap function in the X Keyboard Extension of the X.org X server may result in privilege escalation if the X server is running privileged. https://security-tracker.debian.org/tracker/DSA-5800-1
  • DSA-5799-1 chromium - security update
    Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. https://security-tracker.debian.org/tracker/DSA-5799-1
  • DSA-5798-1 activemq - security update
    Christopher L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code. https://security-tracker.debian.org/tracker/DSA-5798-1
  • DSA-5797-1 twisted - security update
    Multiple security issues were found in Twisted, an event-based framework for internet applications, which could result in incorrect ordering of HTTP requests or cross-site scripting. https://security-tracker.debian.org/tracker/DSA-5797-1