NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2023-23915
• https://hackerone.com/reports/1874716
• https://hackerone.com/reports/1826048
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230309-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended.

This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host.

(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.)

When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache.

The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2024-9681
• https://curl.se/docs/CVE-2024-9681.html
• https://curl.se/docs/CVE-2024-9681.json
• https://hackerone.com/reports/2764830
• http://www.openwall.com/lists/oss-security/2024/11/06/2
• https://security.netapp.com/advisory/ntap-20241213-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6395
• https://access.redhat.com/security/cve/CVE-2025-6395
• https://bugzilla.redhat.com/show_bug.cgi?id=2376755

NVD Description

Note: Versions mentioned in the description apply only to the upstream libbpf package and not the libbpf package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

Remediation

There is no fixed version for Debian:11 libbpf.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45941
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream libbpf package and not the libbpf package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

Remediation

There is no fixed version for Debian:11 libbpf.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45940
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
• https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Remediation

Upgrade Debian:11 libxml2 to version 2.9.10+dfsg-6.7+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-39615
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/535

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Remediation

Upgrade Debian:11 libxml2 to version 2.9.10+dfsg-6.7+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-45322
• http://www.openwall.com/lists/oss-security/2023/10/06/5
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/583

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-3618
• https://access.redhat.com/security/cve/CVE-2023-3618
• https://bugzilla.redhat.com/show_bug.cgi?id=2215865
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html
• https://security.netapp.com/advisory/ntap-20230824-0012/
• https://support.apple.com/kb/HT214036
• https://support.apple.com/kb/HT214037
• https://support.apple.com/kb/HT214038

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path or a path that requires permissions like /dev/null) while specifying zones.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-3316
• https://gitlab.com/libtiff/libtiff/-/issues/515
• https://gitlab.com/libtiff/libtiff/-/merge_requests/468
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html
• https://research.jfrog.com/vulnerabilities/libtiff-nullderef-dos-xray-522144/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

There is no fixed version for Debian:11 glibc.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4813
• http://www.openwall.com/lists/oss-security/2023/10/03/8
• https://security.netapp.com/advisory/ntap-20231110-0003/
• https://access.redhat.com/errata/RHBA-2024:2413
• https://access.redhat.com/errata/RHSA-2023:5453
• https://access.redhat.com/errata/RHSA-2023:5455
• https://access.redhat.com/errata/RHSA-2023:7409
• https://access.redhat.com/security/cve/CVE-2023-4813
• https://bugzilla.redhat.com/show_bug.cgi?id=2237798

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Remediation

Upgrade Debian:11 krb5 to version 1.18.3-6+deb11u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-3576
• https://access.redhat.com/security/cve/CVE-2025-3576
• https://bugzilla.redhat.com/show_bug.cgi?id=2359465
• https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html
• https://access.redhat.com/errata/RHSA-2025:8411
• https://access.redhat.com/errata/RHSA-2025:9418
• https://access.redhat.com/errata/RHSA-2025:9430
• https://access.redhat.com/errata/RHSA-2025:11487
• https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html
• https://access.redhat.com/errata/RHSA-2025:13664
• https://access.redhat.com/errata/RHSA-2025:13777
• https://access.redhat.com/errata/RHSA-2025:15000
• https://access.redhat.com/errata/RHSA-2025:15002
• https://access.redhat.com/errata/RHSA-2025:15004
• https://access.redhat.com/errata/RHSA-2025:15001
• https://access.redhat.com/errata/RHSA-2025:15003

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:11 openssl to version 1.1.1w-0+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0727
• http://www.openwall.com/lists/oss-security/2024/03/11/1
• https://security.netapp.com/advisory/ntap-20240208-0006/
• https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
• https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
• https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
• https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
• https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
• https://www.openssl.org/news/secadv/20240125.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

Remediation

Upgrade Debian:11 shadow to version 1:4.8.1-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4641
• https://access.redhat.com/errata/RHSA-2023:6632
• https://access.redhat.com/errata/RHSA-2023:7112
• https://access.redhat.com/errata/RHSA-2024:0417
• https://access.redhat.com/errata/RHSA-2024:2577
• https://access.redhat.com/security/cve/CVE-2023-4641
• https://bugzilla.redhat.com/show_bug.cgi?id=2215945

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-26966
• https://gitlab.com/libtiff/libtiff/-/issues/530
• https://gitlab.com/libtiff/libtiff/-/merge_requests/473
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-25433
• https://gitlab.com/libtiff/libtiff/-/issues/520
• https://gitlab.com/libtiff/libtiff/-/merge_requests/467
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A null pointer dereference issue was found in Libtiff's tif_dir.c file. This issue may allow an attacker to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes undefined behavior. This will result in an application crash, eventually leading to a denial of service.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-2908
• https://access.redhat.com/security/cve/CVE-2023-2908
• https://bugzilla.redhat.com/show_bug.cgi?id=2218830
• https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
• https://gitlab.com/libtiff/libtiff/-/merge_requests/479
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html
• https://security.netapp.com/advisory/ntap-20230731-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted TIFF image.

Remediation

Upgrade Debian:11 tiff to version 4.2.0-1+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-26965
• https://gitlab.com/libtiff/libtiff/-/merge_requests/472
• https://lists.debian.org/debian-lts-announce/2023/07/msg00034.html
• https://security.netapp.com/advisory/ntap-20230706-0009/

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-13 package and not the postgresql-13 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:11 postgresql-13 to version 13.17-0+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-10976
• https://www.postgresql.org/support/security/CVE-2024-10976/
• https://security.netapp.com/advisory/ntap-20250509-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2023-46219
• https://curl.se/docs/CVE-2023-46219.html
• https://hackerone.com/reports/2236133
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
• https://security.netapp.com/advisory/ntap-20240119-0007/
• https://www.debian.org/security/2023/dsa-5587

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-12243
• https://access.redhat.com/security/cve/CVE-2024-12243
• https://bugzilla.redhat.com/show_bug.cgi?id=2344615
• https://gitlab.com/gnutls/libtasn1/-/issues/52
• https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html
• https://access.redhat.com/errata/RHSA-2025:4051
• https://access.redhat.com/errata/RHSA-2025:7076
• https://access.redhat.com/errata/RHSA-2025:8020
• https://security.netapp.com/advisory/ntap-20250523-0002/
• https://access.redhat.com/errata/RHSA-2025:8385

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Remediation

Upgrade Debian:11 libtasn1-6 to version 4.16.0-2+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-12133
• https://access.redhat.com/security/cve/CVE-2024-12133
• https://bugzilla.redhat.com/show_bug.cgi?id=2344611
• https://gitlab.com/gnutls/libtasn1/-/issues/52
• http://www.openwall.com/lists/oss-security/2025/02/06/6
• https://lists.debian.org/debian-lts-announce/2025/02/msg00025.html
• https://access.redhat.com/errata/RHSA-2025:4049
• https://access.redhat.com/errata/RHSA-2025:7077
• https://access.redhat.com/errata/RHSA-2025:8021
• https://security.netapp.com/advisory/ntap-20250523-0003/
• https://access.redhat.com/errata/RHSA-2025:8385

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

Remediation

Upgrade Debian:11 nginx to version 1.18.0-6.1+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-36309
• https://security.netapp.com/advisory/ntap-20210507-0005/
• https://github.com/openresty/lua-nginx-module/compare/v0.10.15...v0.10.16
• https://github.com/openresty/lua-nginx-module/pull/1654
• https://news.ycombinator.com/item?id=26712562

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:11 openssl to version 1.1.1w-0+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5678
• http://www.openwall.com/lists/oss-security/2023/11/06/2
• http://www.openwall.com/lists/oss-security/2024/03/11/1
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=34efaef6c103d636ab507a0cc34dca4d3aecc055
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6
• https://security.netapp.com/advisory/ntap-20231130-0010/
• https://www.openssl.org/news/secadv/20231106.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream nginx package and not the nginx package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Remediation

Upgrade Debian:11 nginx to version 1.18.0-6.1+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7347
• https://my.f5.com/manage/s/article/K000140529
• http://www.openwall.com/lists/oss-security/2024/08/14/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Remediation

Upgrade Debian:11 systemd to version 247.3-7+deb11u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-4598
• https://access.redhat.com/security/cve/CVE-2025-4598
• https://bugzilla.redhat.com/show_bug.cgi?id=2369242
• https://www.openwall.com/lists/oss-security/2025/05/29/3
• http://www.openwall.com/lists/oss-security/2025/06/05/1
• http://www.openwall.com/lists/oss-security/2025/06/05/3
• https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598
• https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/
• https://www.openwall.com/lists/oss-security/2025/08/18/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-13 package and not the postgresql-13 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:11 postgresql-13 to version 13.17-0+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-10978
• https://www.postgresql.org/support/security/CVE-2024-10978/
• https://lists.debian.org/debian-lts-announce/2024/11/msg00018.html
• https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org