NVD Description

Note: Versions mentioned in the description apply only to the upstream dav1d package and not the dav1d package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

Remediation

Upgrade Debian:12 dav1d to version 1.0.0-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-1580
• http://seclists.org/fulldisclosure/2024/Mar/36
• http://seclists.org/fulldisclosure/2024/Mar/37
• http://seclists.org/fulldisclosure/2024/Mar/38
• http://seclists.org/fulldisclosure/2024/Mar/39
• http://seclists.org/fulldisclosure/2024/Mar/40
• http://seclists.org/fulldisclosure/2024/Mar/41
• https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
• https://code.videolan.org/videolan/dav1d/-/releases/1.4.0
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/
• https://support.apple.com/kb/HT214093
• https://support.apple.com/kb/HT214094
• https://support.apple.com/kb/HT214095
• https://support.apple.com/kb/HT214096
• https://support.apple.com/kb/HT214097
• https://support.apple.com/kb/HT214098

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-57803
• https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55298
• https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-27103
• https://github.com/strukturag/libde265/issues/394
• https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49468
• https://github.com/strukturag/libde265/issues/432
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49467
• https://github.com/strukturag/libde265/issues/434
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49465
• https://github.com/strukturag/libde265/issues/435
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49462
• https://github.com/strukturag/libheif/issues/1043

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwebp package and not the libwebp package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Remediation

Upgrade Debian:12 libwebp to version 1.2.4-0.2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4863
• https://www.vicarius.io/vsociety/posts/zero-day-webp-vulnerability-cve-2023-4863
• http://www.openwall.com/lists/oss-security/2023/09/21/4
• http://www.openwall.com/lists/oss-security/2023/09/22/1
• http://www.openwall.com/lists/oss-security/2023/09/22/3
• http://www.openwall.com/lists/oss-security/2023/09/22/4
• http://www.openwall.com/lists/oss-security/2023/09/22/5
• http://www.openwall.com/lists/oss-security/2023/09/22/6
• http://www.openwall.com/lists/oss-security/2023/09/22/7
• http://www.openwall.com/lists/oss-security/2023/09/22/8
• http://www.openwall.com/lists/oss-security/2023/09/26/1
• http://www.openwall.com/lists/oss-security/2023/09/26/7
• http://www.openwall.com/lists/oss-security/2023/09/28/1
• http://www.openwall.com/lists/oss-security/2023/09/28/2
• http://www.openwall.com/lists/oss-security/2023/09/28/4
• https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/
• https://blog.isosceles.com/the-webp-0day/
• https://bugzilla.suse.com/show_bug.cgi?id=1215231
• https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
• https://crbug.com/1479274
• https://en.bandisoft.com/honeyview/history/
• https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
• https://github.com/webmproject/libwebp/releases/tag/v1.3.2
• https://lists.debian.org/debian-lts-announce/2023/09/msg00015.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00016.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYYKLG6CRGEDTNRBSU26EEWAO6D6U645/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZDGWWMJREPAGKWCJKSCM4WYLANSKIFX/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYZV7TMKF4QHZ54SFJX54BDN52VHGGCX/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHOLML7N2G5KCAZXFWC5IDFFHSQS5SDB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTRUIS3564P7ZLM2S2IH4Y4KZ327LI4I/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863
• https://news.ycombinator.com/item?id=37478403
• https://security.gentoo.org/glsa/202309-05
• https://security.gentoo.org/glsa/202401-10
• https://security.netapp.com/advisory/ntap-20230929-0011/
• https://sethmlarson.dev/security-developer-in-residence-weekly-report-16
• https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/
• https://www.bentley.com/advisories/be-2023-0001/
• https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
• https://www.debian.org/security/2023/dsa-5496
• https://www.debian.org/security/2023/dsa-5497
• https://www.debian.org/security/2023/dsa-5498
• https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/caoweiquan322/NotEnough

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-10979
• https://www.postgresql.org/support/security/CVE-2024-10979/
• https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
• https://security.netapp.com/advisory/ntap-20250110-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5869
• https://security.netapp.com/advisory/ntap-20240119-0003/
• https://access.redhat.com/errata/RHSA-2023:7545
• https://access.redhat.com/errata/RHSA-2023:7579
• https://access.redhat.com/errata/RHSA-2023:7580
• https://access.redhat.com/errata/RHSA-2023:7581
• https://access.redhat.com/errata/RHSA-2023:7616
• https://access.redhat.com/errata/RHSA-2023:7656
• https://access.redhat.com/errata/RHSA-2023:7666
• https://access.redhat.com/errata/RHSA-2023:7667
• https://access.redhat.com/errata/RHSA-2023:7694
• https://access.redhat.com/errata/RHSA-2023:7695
• https://access.redhat.com/errata/RHSA-2023:7714
• https://access.redhat.com/errata/RHSA-2023:7770
• https://access.redhat.com/errata/RHSA-2023:7771
• https://access.redhat.com/errata/RHSA-2023:7772
• https://access.redhat.com/errata/RHSA-2023:7778
• https://access.redhat.com/errata/RHSA-2023:7783
• https://access.redhat.com/errata/RHSA-2023:7784
• https://access.redhat.com/errata/RHSA-2023:7785
• https://access.redhat.com/errata/RHSA-2023:7786
• https://access.redhat.com/errata/RHSA-2023:7788
• https://access.redhat.com/errata/RHSA-2023:7789
• https://access.redhat.com/errata/RHSA-2023:7790
• https://access.redhat.com/errata/RHSA-2023:7878
• https://access.redhat.com/errata/RHSA-2023:7883
• https://access.redhat.com/errata/RHSA-2023:7884
• https://access.redhat.com/errata/RHSA-2023:7885
• https://access.redhat.com/errata/RHSA-2024:0304
• https://access.redhat.com/errata/RHSA-2024:0332
• https://access.redhat.com/errata/RHSA-2024:0337
• https://access.redhat.com/security/cve/CVE-2023-5869
• https://bugzilla.redhat.com/show_bug.cgi?id=2247169
• https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
• https://www.postgresql.org/support/security/CVE-2023-5869/

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-39417
• https://access.redhat.com/errata/RHSA-2023:7545
• https://access.redhat.com/errata/RHSA-2023:7579
• https://access.redhat.com/errata/RHSA-2023:7580
• https://access.redhat.com/errata/RHSA-2023:7581
• https://access.redhat.com/errata/RHSA-2023:7616
• https://access.redhat.com/errata/RHSA-2023:7656
• https://access.redhat.com/errata/RHSA-2023:7666
• https://access.redhat.com/errata/RHSA-2023:7667
• https://access.redhat.com/errata/RHSA-2023:7694
• https://access.redhat.com/errata/RHSA-2023:7695
• https://access.redhat.com/errata/RHSA-2023:7714
• https://access.redhat.com/errata/RHSA-2023:7770
• https://access.redhat.com/errata/RHSA-2023:7772
• https://access.redhat.com/errata/RHSA-2023:7784
• https://access.redhat.com/errata/RHSA-2023:7785
• https://access.redhat.com/errata/RHSA-2023:7883
• https://access.redhat.com/errata/RHSA-2023:7884
• https://access.redhat.com/errata/RHSA-2023:7885
• https://access.redhat.com/errata/RHSA-2024:0304
• https://access.redhat.com/errata/RHSA-2024:0332
• https://access.redhat.com/errata/RHSA-2024:0337
• https://access.redhat.com/security/cve/CVE-2023-39417
• https://bugzilla.redhat.com/show_bug.cgi?id=2228111
• https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
• https://security.netapp.com/advisory/ntap-20230915-0002/
• https://www.debian.org/security/2023/dsa-5553
• https://www.debian.org/security/2023/dsa-5554
• https://www.postgresql.org/support/security/CVE-2023-39417

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Remediation

There is no fixed version for Debian:12 tiff.

References

• https://security-tracker.debian.org/tracker/CVE-2025-9900
• https://access.redhat.com/security/cve/CVE-2025-9900
• https://bugzilla.redhat.com/show_bug.cgi?id=2392784
• https://access.redhat.com/errata/RHSA-2025:17651
• https://access.redhat.com/errata/RHSA-2025:17675
• https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Debian:12 freetype to version 2.12.1+dfsg-5+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27363
• https://www.facebook.com/security/advisories/cve-2025-27363
• http://www.openwall.com/lists/oss-security/2025/03/13/1
• http://www.openwall.com/lists/oss-security/2025/03/13/11
• http://www.openwall.com/lists/oss-security/2025/03/13/12
• http://www.openwall.com/lists/oss-security/2025/03/13/2
• http://www.openwall.com/lists/oss-security/2025/03/13/3
• http://www.openwall.com/lists/oss-security/2025/03/13/8
• http://www.openwall.com/lists/oss-security/2025/03/14/1
• http://www.openwall.com/lists/oss-security/2025/03/14/2
• http://www.openwall.com/lists/oss-security/2025/03/14/3
• http://www.openwall.com/lists/oss-security/2025/03/14/4
• http://www.openwall.com/lists/oss-security/2025/05/06/3
• https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
• https://source.android.com/docs/security/bulletin/2025-05-01
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/tin-z/CVE-2025-27363

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-43887
• https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133
• https://github.com/strukturag/libde265/issues/418
• https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-41311
• https://gist.github.com/flyyee/79f1b224069842ee320115cafa5c35c0
• https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36
• https://github.com/strukturag/libheif/issues/1226
• https://github.com/strukturag/libheif/pull/1227
• https://lists.debian.org/debian-lts-announce/2024/10/msg00025.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6387
• http://seclists.org/fulldisclosure/2024/Jul/18
• http://seclists.org/fulldisclosure/2024/Jul/19
• http://seclists.org/fulldisclosure/2024/Jul/20
• http://www.openwall.com/lists/oss-security/2024/07/01/12
• http://www.openwall.com/lists/oss-security/2024/07/01/13
• http://www.openwall.com/lists/oss-security/2024/07/02/1
• http://www.openwall.com/lists/oss-security/2024/07/03/1
• http://www.openwall.com/lists/oss-security/2024/07/03/11
• http://www.openwall.com/lists/oss-security/2024/07/03/2
• http://www.openwall.com/lists/oss-security/2024/07/03/3
• http://www.openwall.com/lists/oss-security/2024/07/03/4
• http://www.openwall.com/lists/oss-security/2024/07/03/5
• http://www.openwall.com/lists/oss-security/2024/07/04/1
• http://www.openwall.com/lists/oss-security/2024/07/04/2
• http://www.openwall.com/lists/oss-security/2024/07/08/2
• http://www.openwall.com/lists/oss-security/2024/07/08/3
• http://www.openwall.com/lists/oss-security/2024/07/09/2
• http://www.openwall.com/lists/oss-security/2024/07/09/5
• http://www.openwall.com/lists/oss-security/2024/07/10/1
• http://www.openwall.com/lists/oss-security/2024/07/10/2
• http://www.openwall.com/lists/oss-security/2024/07/10/3
• http://www.openwall.com/lists/oss-security/2024/07/10/4
• http://www.openwall.com/lists/oss-security/2024/07/10/6
• http://www.openwall.com/lists/oss-security/2024/07/11/1
• http://www.openwall.com/lists/oss-security/2024/07/11/3
• http://www.openwall.com/lists/oss-security/2024/07/23/4
• http://www.openwall.com/lists/oss-security/2024/07/23/6
• http://www.openwall.com/lists/oss-security/2024/07/28/2
• http://www.openwall.com/lists/oss-security/2024/07/28/3
• https://access.redhat.com/errata/RHSA-2024:4312
• https://access.redhat.com/errata/RHSA-2024:4340
• https://access.redhat.com/errata/RHSA-2024:4389
• https://access.redhat.com/errata/RHSA-2024:4469
• https://access.redhat.com/errata/RHSA-2024:4474
• https://access.redhat.com/errata/RHSA-2024:4479
• https://access.redhat.com/errata/RHSA-2024:4484
• https://access.redhat.com/security/cve/CVE-2024-6387
• https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
• https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/
• https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
• https://bugzilla.redhat.com/show_bug.cgi?id=2294604
• https://explore.alas.aws.amazon.com/CVE-2024-6387.html
• https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132
• https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc
• https://github.com/AlmaLinux/updates/issues/629
• https://github.com/Azure/AKS/issues/4379
• https://github.com/PowerShell/Win32-OpenSSH/discussions/2248
• https://github.com/PowerShell/Win32-OpenSSH/issues/2249
• https://github.com/microsoft/azurelinux/issues/9555
• https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09
• https://github.com/oracle/oracle-linux/issues/149
• https://github.com/rapier1/hpn-ssh/issues/87
• https://github.com/zgzhang/cve-2024-6387-poc
• https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/
• https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
• https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
• https://news.ycombinator.com/item?id=40843778
• https://packetstorm.news/files/id/190587/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010
• https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
• https://security.netapp.com/advisory/ntap-20240701-0001/
• https://sig-security.rocky.page/issues/CVE-2024-6387/
• https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/
• https://support.apple.com/kb/HT214118
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214120
• https://ubuntu.com/security/CVE-2024-6387
• https://ubuntu.com/security/notices/USN-6859-1
• https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do
• https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100
• https://www.exploit-db.com/exploits/52269
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
• https://www.openssh.com/txt/release-9.8
• https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
• https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
• https://www.suse.com/security/cve/CVE-2024-6387.html
• https://www.theregister.com/2024/07/01/regresshion_openssh/
• https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387
• https://github.com/0x4D31/cve-2024-6387_hassh

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31484
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://metacpan.org/dist/CPAN/changes
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.openwall.com/lists/oss-security/2023/04/18/14

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.6-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0985
• https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
• https://saites.dev/projects/personal/postgres-cve-2024-0985/
• https://security.netapp.com/advisory/ntap-20241220-0005/
• https://www.postgresql.org/support/security/CVE-2024-0985/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Remediation

Upgrade Debian:12 gdk-pixbuf to version 2.42.10+dfsg-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-48622
• https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15
• https://github.com/ethiack/CVE-2023-29007

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4911
• http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
• http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2023/Oct/11
• http://www.openwall.com/lists/oss-security/2023/10/03/2
• http://www.openwall.com/lists/oss-security/2023/10/03/3
• http://www.openwall.com/lists/oss-security/2023/10/05/1
• http://www.openwall.com/lists/oss-security/2023/10/13/11
• http://www.openwall.com/lists/oss-security/2023/10/14/3
• http://www.openwall.com/lists/oss-security/2023/10/14/5
• http://www.openwall.com/lists/oss-security/2023/10/14/6
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
• https://security.gentoo.org/glsa/202310-03
• https://security.netapp.com/advisory/ntap-20231013-0006/
• https://www.debian.org/security/2023/dsa-5514
• https://access.redhat.com/errata/RHBA-2024:2413
• https://access.redhat.com/errata/RHSA-2023:5453
• https://access.redhat.com/errata/RHSA-2023:5454
• https://access.redhat.com/errata/RHSA-2023:5455
• https://access.redhat.com/errata/RHSA-2023:5476
• https://access.redhat.com/errata/RHSA-2024:0033
• https://access.redhat.com/security/cve/CVE-2023-4911
• https://bugzilla.redhat.com/show_bug.cgi?id=2238352
• https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
• https://www.qualys.com/cve-2023-4911/
• https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2023/CVE-2023-4911.yaml
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/KernelKrise/CVE-2023-4911

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-6246
• http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html
• http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
• http://seclists.org/fulldisclosure/2024/Feb/3
• http://seclists.org/fulldisclosure/2024/Feb/5
• https://access.redhat.com/security/cve/CVE-2023-6246
• https://bugzilla.redhat.com/show_bug.cgi?id=2249053
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/
• https://security.gentoo.org/glsa/202402-01
• https://security.netapp.com/advisory/ntap-20240216-0007/
• https://www.openwall.com/lists/oss-security/2024/01/30/6
• https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
• https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2023/CVE-2023-6246.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55154
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
• https://goo.gle/bigsleep

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.

Remediation

Upgrade Debian:12 libcap2 to version 1:2.66-4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-2603
• https://bugzilla.redhat.com/show_bug.cgi?id=2209113
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ57ICDLMVYEREXQGZWL4GWI7FRJCRQT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPEGCFMCN5KGCFX5Y2VTKR732TTD4ADW/
• https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

Remediation

Upgrade Debian:12 libx11 to version 2:1.8.4-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-43787
• http://www.openwall.com/lists/oss-security/2024/01/24/9
• https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/
• https://security.netapp.com/advisory/ntap-20231103-0006/
• https://access.redhat.com/errata/RHSA-2024:2145
• https://access.redhat.com/errata/RHSA-2024:2973
• https://access.redhat.com/security/cve/CVE-2023-43787
• https://bugzilla.redhat.com/show_bug.cgi?id=2242254

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-49043
• https://github.com/php/php-src/issues/17467
• https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

There is no fixed version for Debian:12 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7425
• https://access.redhat.com/security/cve/CVE-2025-7425
• https://bugzilla.redhat.com/show_bug.cgi?id=2379274
• https://access.redhat.com/errata/RHSA-2025:12447
• https://access.redhat.com/errata/RHSA-2025:12450
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13313
• https://access.redhat.com/errata/RHSA-2025:13314
• https://access.redhat.com/errata/RHSA-2025:13308
• https://access.redhat.com/errata/RHSA-2025:13309
• https://access.redhat.com/errata/RHSA-2025:13310
• https://access.redhat.com/errata/RHSA-2025:13311
• https://access.redhat.com/errata/RHSA-2025:13312
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13464
• https://access.redhat.com/errata/RHSA-2025:13622
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:14819
• https://access.redhat.com/errata/RHSA-2025:14818
• https://access.redhat.com/errata/RHSA-2025:14853
• https://access.redhat.com/errata/RHSA-2025:14858
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:15672
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Remediation

Upgrade Debian:12 openjpeg2 to version 2.5.0-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3575
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
• https://access.redhat.com/errata/RHSA-2021:4251
• https://access.redhat.com/security/cve/CVE-2021-3575
• https://bugzilla.redhat.com/show_bug.cgi?id=1957616
• https://github.com/uclouvain/openjpeg/issues/1347
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
• https://ubuntu.com/security/CVE-2021-3575

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Remediation

There is no fixed version for Debian:12 pam.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6020
• https://access.redhat.com/security/cve/CVE-2025-6020
• https://bugzilla.redhat.com/show_bug.cgi?id=2372512
• http://www.openwall.com/lists/oss-security/2025/06/17/1
• https://access.redhat.com/errata/RHSA-2025:9526
• https://access.redhat.com/errata/RHSA-2025:10024
• https://access.redhat.com/errata/RHSA-2025:10027
• https://access.redhat.com/errata/RHSA-2025:10180
• https://access.redhat.com/errata/RHSA-2025:10354
• https://access.redhat.com/errata/RHSA-2025:10357
• https://access.redhat.com/errata/RHSA-2025:10358
• https://access.redhat.com/errata/RHSA-2025:10359
• https://access.redhat.com/errata/RHSA-2025:10361
• https://access.redhat.com/errata/RHSA-2025:10362
• https://access.redhat.com/errata/RHSA-2025:10735
• https://access.redhat.com/errata/RHSA-2025:10823
• https://access.redhat.com/errata/RHSA-2025:11386
• https://access.redhat.com/errata/RHSA-2025:11487
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-47038
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/
• https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property
• https://access.redhat.com/errata/RHSA-2024:2228
• https://access.redhat.com/errata/RHSA-2024:3128
• https://access.redhat.com/security/cve/CVE-2023-47038
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
• https://bugzilla.redhat.com/show_bug.cgi?id=2249523
• https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
• https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
• https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
• https://github.com/aquasecurity/trivy/discussions/8400
• https://ubuntu.com/security/CVE-2023-47100
• https://www.suse.com/security/cve/CVE-2023-47100.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-9287
• https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
• https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
• https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
• https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
• https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
• https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
• https://github.com/python/cpython/issues/124651
• https://github.com/python/cpython/pull/124712
• https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
• https://security.netapp.com/advisory/ntap-20250425-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-38039
• http://seclists.org/fulldisclosure/2023/Oct/17
• http://seclists.org/fulldisclosure/2024/Jan/34
• http://seclists.org/fulldisclosure/2024/Jan/37
• http://seclists.org/fulldisclosure/2024/Jan/38
• https://hackerone.com/reports/2072338
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DCZMYODALBLVOXVJEN2LF2MLANEYL4F/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6KGKB2JNZVT276JYSKI6FV2VFJUGDOJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEAWTYHC3RT6ZRS5OZRHLAIENVN6CCIS/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20231013-0005/
• https://support.apple.com/kb/HT214036
• https://support.apple.com/kb/HT214057
• https://support.apple.com/kb/HT214058
• https://support.apple.com/kb/HT214063
• https://www.insyde.com/security-pledge/SA-2023064

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A use after free vulnerability exists in curl <v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash. When this check fails, libcurl would free the memory for the fingerprint before it returns an error message containing the (now freed) hash. This flaw risks inserting sensitive heap-based data into the error message that might be shown to users or otherwise get leaked and revealed.

Remediation

Upgrade Debian:12 curl to version 7.88.1-10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-28319
• http://seclists.org/fulldisclosure/2023/Jul/47
• http://seclists.org/fulldisclosure/2023/Jul/48
• http://seclists.org/fulldisclosure/2023/Jul/52
• https://hackerone.com/reports/1913733
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230609-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52425
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/libexpat/libexpat/pull/789
• https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://security.netapp.com/advisory/ntap-20240614-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-45490
• https://github.com/libexpat/libexpat/issues/887
• https://github.com/libexpat/libexpat/pull/890
• https://security.netapp.com/advisory/ntap-20241018-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-25652
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-6779
• http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
• http://seclists.org/fulldisclosure/2024/Feb/3
• https://access.redhat.com/security/cve/CVE-2023-6779
• https://bugzilla.redhat.com/show_bug.cgi?id=2254395
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/
• https://security.gentoo.org/glsa/202402-01
• https://security.netapp.com/advisory/ntap-20240223-0006/
• https://www.openwall.com/lists/oss-security/2024/01/30/6
• https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0567
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0567
• https://bugzilla.redhat.com/show_bug.cgi?id=2258544
• https://gitlab.com/gnutls/gnutls/-/issues/1521
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://access.redhat.com/errata/RHSA-2024:0796
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55212
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
• https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3610
• http://www.openwall.com/lists/oss-security/2023/05/29/4
• http://www.openwall.com/lists/oss-security/2023/06/05/1
• https://bugzilla.redhat.com/show_bug.cgi?id=1973689
• https://github.com/ImageMagick/ImageMagick/commit/930ff0d1a9bc42925a7856e9ea53f5fc9f318bf3

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-37370
• https://security.netapp.com/advisory/ntap-20241108-0007/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libwebp package and not the libwebp package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There exists a use after free/double free in libwebp. An attacker can use the ApplyFiltersAndEncode() function and loop through to free best.bw and assign best = trial pointer. The second loop will then return 0 because of an Out of memory error in VP8 encoder, the pointer is still assigned to trial and the AddressSanitizer will attempt a double free.

Remediation

Upgrade Debian:12 libwebp to version 1.2.4-0.2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-1999
• https://chromium.googlesource.com/webm/libwebp
• https://security.gentoo.org/glsa/202309-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.

Remediation

Upgrade Debian:12 libx11 to version 2:1.8.4-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-3138
• https://access.redhat.com/security/cve/CVE-2023-3138
• https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c
• https://lists.x.org/archives/xorg-announce/2023-June/003406.html
• https://lists.x.org/archives/xorg-announce/2023-June/003407.html
• https://security.netapp.com/advisory/ntap-20231208-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27113
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/861
• https://security.netapp.com/advisory/ntap-20250306-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-2309
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/
• https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
• https://huntr.dev/bounties/8264e74f-edda-4c40-9956-49de635105ba
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HGYC6L7ENH5VEGN3YWFBYMGKX6WNS7HZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/URHHSIBTPTALXMECRLAC2EVDNAFSR5NO/
• https://security.gentoo.org/glsa/202208-06
• https://security.netapp.com/advisory/ntap-20220915-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32415
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6021
• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13325
• https://access.redhat.com/errata/RHSA-2025:13336
• https://access.redhat.com/errata/RHSA-2025:13289
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15672

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32414
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/889

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-25062
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
• https://gitlab.gnome.org/GNOME/libxml2/-/tags

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7424
• https://access.redhat.com/security/cve/CVE-2025-7424
• https://bugzilla.redhat.com/show_bug.cgi?id=2379228

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Debian:12 nghttp2 to version 1.52.0-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-44487
• https://chaos.social/@icing/111210915918780532
• https://github.com/hyperium/hyper/issues/3337
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• http://www.openwall.com/lists/oss-security/2023/10/10/6
• http://www.openwall.com/lists/oss-security/2023/10/10/7
• https://github.com/grpc/grpc/releases/tag/v1.59.2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
• http://www.openwall.com/lists/oss-security/2023/10/13/4
• http://www.openwall.com/lists/oss-security/2023/10/13/9
• http://www.openwall.com/lists/oss-security/2023/10/18/4
• http://www.openwall.com/lists/oss-security/2023/10/18/8
• http://www.openwall.com/lists/oss-security/2023/10/19/6
• http://www.openwall.com/lists/oss-security/2023/10/20/8
• https://access.redhat.com/security/cve/cve-2023-44487
• https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
• https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
• https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
• https://blog.vespa.ai/cve-2023-44487/
• https://bugzilla.proxmox.com/show_bug.cgi?id=4988
• https://bugzilla.redhat.com/show_bug.cgi?id=2242803
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
• https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
• https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
• https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
• https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
• https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
• https://github.com/Azure/AKS/issues/3947
• https://github.com/Kong/kong/discussions/11741
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/advisories/GHSA-vx74-f528-fxqg
• https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
• https://github.com/akka/akka-http/issues/4323
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/httpd-site/pull/10
• https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
• https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/bcdannyboy/CVE-2023-44487
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/caddyserver/caddy/releases/tag/v2.7.5
• https://github.com/dotnet/announcements/issues/277
• https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/facebook/proxygen/pull/466
• https://github.com/golang/go/issues/63417
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/h2o/h2o/pull/3291
• https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
• https://github.com/junkurihara/rust-rpxy/issues/97
• https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/line/armeria/pull/5232
• https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
• https://github.com/micrictor/http2-rst-stream
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/nodejs/node/pull/50121
• https://github.com/openresty/openresty/issues/930
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/oqtane/oqtane.framework/discussions/3367
• https://github.com/projectcontour/contour/pull/5826
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
• https://istio.io/latest/news/security/istio-security-2023-004/
• https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
• https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
• https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
• https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
• https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
• https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
• https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
• https://my.f5.com/manage/s/article/K000137106
• https://netty.io/news/2023/10/10/4-1-100-Final.html
• https://news.ycombinator.com/item?id=37830987
• https://news.ycombinator.com/item?id=37830998
• https://news.ycombinator.com/item?id=37831062
• https://news.ycombinator.com/item?id=37837043
• https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
• https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
• https://security.gentoo.org/glsa/202311-09
• https://security.netapp.com/advisory/ntap-20231016-0001/
• https://security.netapp.com/advisory/ntap-20240426-0007/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://security.paloaltonetworks.com/CVE-2023-44487
• https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
• https://ubuntu.com/security/CVE-2023-44487
• https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
• https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
• https://www.debian.org/security/2023/dsa-5521
• https://www.debian.org/security/2023/dsa-5522
• https://www.debian.org/security/2023/dsa-5540
• https://www.debian.org/security/2023/dsa-5549
• https://www.debian.org/security/2023/dsa-5558
• https://www.debian.org/security/2023/dsa-5570
• https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
• https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
• https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• https://www.openwall.com/lists/oss-security/2023/10/10/6
• https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
• https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/studiogangster/CVE-2023-44487
• https://www.exploit-db.com/exploits/52426

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6119
• https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
• https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
• https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2
• https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
• https://openssl-library.org/news/secadv/20240903.txt
• http://www.openwall.com/lists/oss-security/2024/09/03/4
• https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
• https://security.netapp.com/advisory/ntap-20240912-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.

Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.11-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5363
• http://www.openwall.com/lists/oss-security/2023/10/24/1
• https://security.netapp.com/advisory/ntap-20231027-0010/
• https://security.netapp.com/advisory/ntap-20240201-0003/
• https://security.netapp.com/advisory/ntap-20240201-0004/
• https://www.debian.org/security/2023/dsa-5532
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee
• https://www.openssl.org/news/secadv/20231024.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Debian:12 openssl to version 3.0.9-1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0464
• https://security.netapp.com/advisory/ntap-20230406-0006/
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.couchbase.com/alerts/
• https://www.debian.org/security/2023/dsa-5417
• https://www.openssl.org/news/secadv/20230322.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.8-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7348
• https://www.postgresql.org/support/security/CVE-2024-7348/
• http://www.openwall.com/lists/oss-security/2024/08/11/1
• https://security.netapp.com/advisory/ntap-20240822-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-24329
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://github.com/python/cpython/issues/102153
• https://github.com/python/cpython/pull/99421
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://pointernull.com/security/python-url-parse-problem.html
• https://security.netapp.com/advisory/ntap-20230324-0004/
• https://www.kb.cert.org/vuls/id/127587

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7592
• https://github.com/python/cpython/issues/123067
• https://github.com/python/cpython/pull/123075
• https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
• https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
• https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
• https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
• https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
• https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
• https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
• https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
• https://security.netapp.com/advisory/ntap-20241018-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6232
• https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06
• https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
• https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf
• https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373
• https://github.com/python/cpython/issues/121285
• https://github.com/python/cpython/pull/121286
• https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/
• https://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4
• https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d
• https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877
• http://www.openwall.com/lists/oss-security/2024/09/03/5
• https://security.netapp.com/advisory/ntap-20241018-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-41105
• https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://github.com/python/cpython/issues/106242
• https://github.com/python/cpython/pull/107981
• https://github.com/python/cpython/pull/107982
• https://github.com/python/cpython/pull/107983
• https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://security.netapp.com/advisory/ntap-20231006-0015/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Remediation

Upgrade Debian:12 systemd to version 252.23-1~deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50387
• https://datatracker.ietf.org/doc/html/rfc4035
• http://www.openwall.com/lists/oss-security/2024/02/16/2
• http://www.openwall.com/lists/oss-security/2024/02/16/3
• https://access.redhat.com/security/cve/CVE-2023-50387
• https://bugzilla.suse.com/show_bug.cgi?id=1219823
• https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
• https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
• https://kb.isc.org/docs/cve-2023-50387
• https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
• https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
• https://news.ycombinator.com/item?id=39367411
• https://news.ycombinator.com/item?id=39372384
• https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
• https://security.netapp.com/advisory/ntap-20240307-0007/
• https://www.athene-center.de/aktuelles/key-trap
• https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
• https://www.isc.org/blogs/2024-bind-security-release/
• https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
• https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
• https://github.com/knqyf263/CVE-2023-50387

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A null pointer dereference flaw was found in Libtiff via tif_dirinfo.c. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7006
• https://access.redhat.com/security/cve/CVE-2024-7006
• https://bugzilla.redhat.com/show_bug.cgi?id=2302996
• https://access.redhat.com/errata/RHSA-2024:6360
• https://access.redhat.com/errata/RHSA-2024:8833
• https://access.redhat.com/errata/RHSA-2024:8914
• https://security.netapp.com/advisory/ntap-20240920-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52356
• https://access.redhat.com/errata/RHSA-2024:5079
• http://seclists.org/fulldisclosure/2024/Jul/16
• http://seclists.org/fulldisclosure/2024/Jul/17
• http://seclists.org/fulldisclosure/2024/Jul/18
• http://seclists.org/fulldisclosure/2024/Jul/19
• http://seclists.org/fulldisclosure/2024/Jul/20
• http://seclists.org/fulldisclosure/2024/Jul/21
• http://seclists.org/fulldisclosure/2024/Jul/22
• http://seclists.org/fulldisclosure/2024/Jul/23
• https://access.redhat.com/security/cve/CVE-2023-52356
• https://bugzilla.redhat.com/show_bug.cgi?id=2251344
• https://gitlab.com/libtiff/libtiff/-/issues/622
• https://gitlab.com/libtiff/libtiff/-/merge_requests/546
• https://lists.debian.org/debian-lts-announce/2024/03/msg00011.html
• https://support.apple.com/kb/HT214116
• https://support.apple.com/kb/HT214117
• https://support.apple.com/kb/HT214118
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214120
• https://support.apple.com/kb/HT214122
• https://support.apple.com/kb/HT214123
• https://support.apple.com/kb/HT214124

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Debian:12 sqlite3 to version 3.40.1-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-7104
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
• https://security.netapp.com/advisory/ntap-20240112-0008/
• https://sqlite.org/forum/forumpost/5bcbf4571c
• https://sqlite.org/src/info/0e4e7a05c4204b47
• https://vuldb.com/?ctiid.248999
• https://vuldb.com/?id.248999

NVD Description

Note: Versions mentioned in the description apply only to the upstream icu package and not the icu package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack buffer overflow was found in Internationl components for unicode (ICU ). While running the genrb binary, the 'subtag' struct overflowed at the SRBRoot::addTag function. This issue may lead to memory corruption and local arbitrary code execution.

Remediation

Upgrade Debian:12 icu to version 72.1-3+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-5222
• https://access.redhat.com/errata/RHSA-2025:11888
• https://access.redhat.com/errata/RHSA-2025:12083
• https://access.redhat.com/errata/RHSA-2025:12331
• https://access.redhat.com/errata/RHSA-2025:12332
• https://access.redhat.com/errata/RHSA-2025:12333
• https://access.redhat.com/security/cve/CVE-2025-5222
• https://bugzilla.redhat.com/show_bug.cgi?id=2368600
• https://lists.debian.org/debian-lts-announce/2025/06/msg00015.html