💾 Archived View for data.konfusator.de › feeds › dsa.gmi captured on 2023-12-28 at 15:16:42. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-11-14)

➡️ Next capture (2024-02-05)

🚧 View Differences

-=-=-=-=-=-=-

Debian Security

Debian Security Advisories

Zuletzt aktualisiert: 2023-12-28T19:37:56Z

DSA-5591-1 libssh - security update

2023-12-28

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

It was reported that using the ProxyCommand or the ProxyJump feature

may allow an attacker to inject malicious code through specially

crafted hostnames.

CVE-2023-6918

Jack Weinstein reported that missing checks for return values for

digests may result in denial of service (application crashes) or

usage of uninitialized memory.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that

the SSH protocol is prone to a prefix truncation attack, known as

the "Terrapin attack". This attack allows a MITM attacker to effect

a limited break of the integrity of the early encrypted SSH

transport protocol by sending extra messages prior to the

commencement of encryption, and deleting an equal number of

consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

https://security-tracker.debian.org/tracker/DSA-5591-1

Mehr

DSA-5590-1 haproxy - security update

2023-12-28

Several vulnerabilities were discovered in HAProxy, a fast and reliable

load balancing reverse proxy, which can result in HTTP request smuggling

or information disclosure.

https://security-tracker.debian.org/tracker/DSA-5590-1

Mehr

DSA-5589-1 nodejs - security update

2023-12-27

Multiple vulnerabilities were discovered in Node.js, which could result in

HTTP request smuggling, bypass of policy feature checks, denial of service

or loading of incorrect ICU data.

https://security-tracker.debian.org/tracker/DSA-5589-1

Mehr

DSA-5588-1 putty - security update

2023-12-24

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the

SSH protocol is prone to a prefix truncation attack, known as the

"Terrapin attack". This attack allows a MITM attacker to effect a

limited break of the integrity of the early encrypted SSH transport

protocol by sending extra messages prior to the commencement of

encryption, and deleting an equal number of consecutive messages

immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

https://security-tracker.debian.org/tracker/DSA-5588-1

Mehr

DSA-5587-1 curl - security update

2023-12-23

Two security issues were discovered in Curl: Cookies were incorrectly

validated against the public suffix list of domains and in same cases

HSTS data could fail to save to disk.

https://security-tracker.debian.org/tracker/DSA-5587-1

Mehr

DSA-5586-1 openssh - security update

2023-12-22

Several vulnerabilities have been discovered in OpenSSH, an

implementation of the SSH protocol suite.

CVE-2021-41617

It was discovered that sshd failed to correctly initialise

supplemental groups when executing an AuthorizedKeysCommand or

AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or

AuthorizedPrincipalsCommandUser directive has been set to run the

command as a different user. Instead these commands would inherit

the groups that sshd was started with.

CVE-2023-28531

Luci Stanescu reported that a error prevented constraints being

communicated to the ssh-agent when adding smartcard keys to the

agent with per-hop destination constraints, resulting in keys being

added without constraints.

CVE-2023-48795

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that

the SSH protocol is prone to a prefix truncation attack, known as

the "Terrapin attack". This attack allows a MITM attacker to effect

a limited break of the integrity of the early encrypted SSH

transport protocol by sending extra messages prior to the

commencement of encryption, and deleting an equal number of

consecutive messages immediately after encryption starts.

Details can be found at https://terrapin-attack.com/

CVE-2023-51384

It was discovered that when PKCS#11-hosted private keys were

added while specifying destination constraints, if the PKCS#11

token returned multiple keys then only the first key had the

constraints applied.

CVE-2023-51385

It was discovered that if an invalid user or hostname that contained

shell metacharacters was passed to ssh, and a ProxyCommand,

LocalCommand directive or "match exec" predicate referenced the user

or hostname via expansion tokens, then an attacker who could supply

arbitrary user/hostnames to ssh could potentially perform command

injection. The situation could arise in case of git repositories

with submodules, where the repository could contain a submodule with

shell characters in its user or hostname.

https://security-tracker.debian.org/tracker/DSA-5586-1

Mehr

DSA-5585-1 chromium - security update

2023-12-21

An important security issue was discovered in Chromium, which could result

in the execution of arbitrary code.

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

https://security-tracker.debian.org/tracker/DSA-5585-1

Mehr

DSA-5584-1 bluez - security update

2023-12-21

It was reported that the BlueZ's HID profile implementation is not

inline with the HID specification which mandates the use of Security

Mode 4. The HID profile configuration option ClassicBondedOnly now

defaults to "true" to make sure that input connections only come from

bonded device connections.

https://security-tracker.debian.org/tracker/DSA-5584-1

Mehr

DSA-5583-1 gst-plugins-bad1.0 - security update

2023-12-21

A buffer overflow was discovered in the AV1 video plugin for the

GStreamer media framework, which may result in denial of service or

potentially the execution of arbitrary code if a malformed media file

is opened.

The oldstable distribution (bullseye) is not affected.

https://security-tracker.debian.org/tracker/DSA-5583-1

Mehr

DSA-5582-1 thunderbird - security update

2023-12-21

Multiple security issues were discovered in Thunderbird, which could

result in denial of service, the execution of arbitrary code or spoofing

of signed PGP/MIME and SMIME emails.

https://security-tracker.debian.org/tracker/DSA-5582-1

Mehr

DSA-5581-1 firefox-esr - security update

2023-12-20

Multiple security issues have been found in the Mozilla Firefox web

browser, which could potentially result in the execution of arbitrary

code, sandbox escape or clickjacking.

https://security-tracker.debian.org/tracker/DSA-5581-1

Mehr

DSA-5580-1 webkit2gtk - security update

2023-12-18

The following vulnerabilities have been discovered in the WebKitGTK

web engine:

CVE-2023-42883

The Zoom Offensive Security Team discovered that processing a SVG

image may lead to a denial-of-service.

https://security-tracker.debian.org/tracker/DSA-5580-1

Mehr

DSA-5579-1 freeimage - security update

2023-12-17

Multiple vulnerabilities were discovered in FreeImage, a support library

for graphics image formats, which could result in the execution of

arbitrary code if malformed image files are processed.

https://security-tracker.debian.org/tracker/DSA-5579-1

Mehr

DSA-5576-2 xorg-server - security update

2023-12-17

The initial fix for CVE-2023-6377 as applied in DSA 5576-1 did not fully

fix the vulnerability. Updated packages correcting this issue including

the upstream merged commit are now available.

https://security-tracker.debian.org/tracker/DSA-5576-2

Mehr

DSA-5578-1 ghostscript - security update

2023-12-15

It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,

does not properly handle errors in the gdev_prn_open_printer_seekable()

function, which could result in the execution of arbitrary commands if

malformed document files are processed.

https://security-tracker.debian.org/tracker/DSA-5578-1

Mehr

DSA-5577-1 chromium - security update

2023-12-13

Multiple security issues were discovered in Chromium, which could result

in the execution of arbitrary code, denial of service or information

disclosure.

https://security-tracker.debian.org/tracker/DSA-5577-1

Mehr

DSA-5576-1 xorg-server - security update

2023-12-13

Jan-Niklas Sohn discovered several vulnerabilities in the Xorg X server,

which may result in privilege escalation if the X server is running

privileged.

https://security-tracker.debian.org/tracker/DSA-5576-1

Mehr

DSA-5575-1 webkit2gtk - security update

2023-12-11

The following vulnerabilities have been discovered in the WebKitGTK

web engine:

CVE-2023-42916

Clement Lecigne discovered that processing web content may

disclose sensitive information. Apple is aware of a report that

this issue may have been actively exploited.

CVE-2023-42917

Clement Lecigne discovered that processing web content may lead to

arbitrary code execution. Apple is aware of a report that this

issue may have been actively exploited.

https://security-tracker.debian.org/tracker/DSA-5575-1

Mehr

DSA-5574-1 libreoffice - security update

2023-12-11

Reginaldo Silva discovered two security vulnerabilities in LibreOffice,

which could result in the execution of arbitrary scripts or Gstreamer

plugins when opening a malformed file.

https://security-tracker.debian.org/tracker/DSA-5574-1

Mehr

DSA-5573-1 chromium - security update

2023-12-09

Multiple security issues were discovered in Chromium, which could result

in the execution of arbitrary code, denial of service or information

disclosure.

https://security-tracker.debian.org/tracker/DSA-5573-1

Mehr

DSA-5572-1 roundcube - security update

2023-12-04

Rene Rehme discovered that roundcube, a skinnable AJAX based webmail

solution for IMAP servers, did not properly set headers when handling

attachments. This would allow an attacker to load arbitrary JavaScript

code.

https://security-tracker.debian.org/tracker/DSA-5572-1

Mehr

DSA-5571-1 rabbitmq-server - security update

2023-12-01

It was discovered that missing input sanitising in the HTTP API endpoint

of RabbitMQ, an implementation of the AMQP protocol, could result in

denial of service.

https://security-tracker.debian.org/tracker/DSA-5571-1

Mehr

DSA-5570-1 nghttp2 - security update

2023-12-01

It was discovered that libnghttp2, a library implementing the HTTP/2

protocol, handled request cancellation incorrectly. This could result

in denial of service.

https://security-tracker.debian.org/tracker/DSA-5570-1

Mehr

DSA-5569-1 chromium - security update

2023-11-30

Multiple security issues were discovered in Chromium, which could result

in the execution of arbitrary code, denial of service or information

disclosure.

https://security-tracker.debian.org/tracker/DSA-5569-1

Mehr

DSA-5568-1 fastdds - security update

2023-11-27

It was discovered that incorrect memory management in Fast DDS, a C++

implementation of the DDS (Data Distribution Service) might result in

denial of service.

The oldstable distribution (bullseye) is not affected.

https://security-tracker.debian.org/tracker/DSA-5568-1

Mehr

DSA-5567-1 tiff - security update

2023-11-27

Brief introduction

Multiple buffer overflows and memory leak issues have been found in tiff,

the Tag Image File Format (TIFF) library and tools, which may cause denial

of service when processing a crafted TIFF image.

https://security-tracker.debian.org/tracker/DSA-5567-1

Mehr

DSA-5566-1 thunderbird - security update

2023-11-26

Multiple security issues were discovered in Thunderbird, which could

result in denial of service or the execution of arbitrary code.

https://security-tracker.debian.org/tracker/DSA-5566-1

Mehr

DSA-5565-1 gst-plugins-bad1.0 - security update

2023-11-25

Multiple vulnerabilities were discovered in plugins for the GStreamer

media framework and its codecs and demuxers, which may result in denial

of service or potentially the execution of arbitrary code if a malformed

media file is opened.

https://security-tracker.debian.org/tracker/DSA-5565-1

Mehr

DSA-5564-1 gimp - security update

2023-11-24

Michael Randrianantenaina reported several vulnerabilities in GIMP, the

GNU Image Manipulation Program, which could result in denial of service

(application crash) or potentially the execution of arbitrary code if

malformed DDS, PSD and PSP files are opened.

https://security-tracker.debian.org/tracker/DSA-5564-1

Mehr

DSA-5563-1 intel-microcode - security update

2023-11-23

Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa

Milburn, Hisham Shafi, Nir Shlomovich, avis Ormandy, Daniel Moghimi,

Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela,

Doug Kwan, and Kostik Shtoyk discovered that some Intel processors

mishandle repeated sequences of instructions leading to unexpected

behavior, which may result in privilege escalation, information

disclosure or denial of service.

https://security-tracker.debian.org/tracker/DSA-5563-1

Mehr

════════════════════════

Skriptlauf: 2023-12-28T21:02:01

🏡