NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Debian:10 curl to version 7.64.0-4+deb10u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-46218
• https://curl.se/docs/CVE-2023-46218.html
• https://hackerone.com/reports/2212193
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
• https://www.debian.org/security/2023/dsa-5587
• https://security.netapp.com/advisory/ntap-20240125-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Remediation

Upgrade Debian:10 krb5 to version 1.17-3+deb10u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-36054
• https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
• https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
• https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
• https://web.mit.edu/kerberos/www/advisories/
• https://security.netapp.com/advisory/ntap-20230908-0004/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

Upgrade Debian:10 ncurses to version 6.1+20181013-2+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-19189
• https://github.com/zjuchenyuan/fuzzpoc/blob/master/infotocap_poc5.md
• https://lists.debian.org/debian-lts-announce/2023/09/msg00033.html
• https://security.netapp.com/advisory/ntap-20231006-0005/
• https://support.apple.com/kb/HT214036
• https://support.apple.com/kb/HT214037
• https://support.apple.com/kb/HT214038
• http://seclists.org/fulldisclosure/2023/Dec/10
• http://seclists.org/fulldisclosure/2023/Dec/11
• http://seclists.org/fulldisclosure/2023/Dec/9

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Remediation

Upgrade Debian:10 openssh to version 1:7.9p1-10+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-51385
• https://www.openssh.com/txt/release-9.6
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
• https://www.debian.org/security/2023/dsa-5586
• https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• http://www.openwall.com/lists/oss-security/2023/12/26/4
• https://security.gentoo.org/glsa/202312-17
• https://security.netapp.com/advisory/ntap-20240105-0005/
• https://support.apple.com/kb/HT214084
• http://seclists.org/fulldisclosure/2024/Mar/21

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

Remediation

Upgrade Debian:10 curl to version 7.64.0-4+deb10u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-28321
• https://hackerone.com/reports/1950627
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/
• https://security.netapp.com/advisory/ntap-20230609-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845
• http://seclists.org/fulldisclosure/2023/Jul/47
• http://seclists.org/fulldisclosure/2023/Jul/48
• http://seclists.org/fulldisclosure/2023/Jul/52
• https://security.gentoo.org/glsa/202310-12
• https://lists.debian.org/debian-lts-announce/2023/10/msg00016.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F4I75RDGX5ULSSCBE5BF3P5I5SFO7ULQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LIWHWKOVH24COGGBCVOWDXXIUPKOMK/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u11 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5981
• https://access.redhat.com/security/cve/CVE-2023-5981
• https://bugzilla.redhat.com/show_bug.cgi?id=2248445
• https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23
• https://access.redhat.com/errata/RHSA-2024:0155
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0319
• https://access.redhat.com/errata/RHSA-2024:0399
• https://access.redhat.com/errata/RHSA-2024:0451
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://access.redhat.com/errata/RHSA-2024:0533
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade Debian:10 openssh to version 1:7.9p1-10+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-48795
• https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
• https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
• https://github.com/openssh/openssh-portable/commits/master
• https://github.com/ronf/asyncssh/tags
• https://gitlab.com/libssh/libssh-mirror/-/tags
• https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
• https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
• https://matt.ucc.asn.au/dropbear/CHANGES
• https://www.bitvise.com/ssh-server-version-history
• https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
• https://www.openssh.com/openbsd.html
• https://www.openssh.com/txt/release-9.6
• https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
• https://www.terrapin-attack.com
• https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
• https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
• https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
• https://github.com/warp-tech/russh/releases/tag/v0.40.2
• https://thorntech.com/cve-2023-48795-and-sftp-gateway/
• https://twitter.com/TrueSkrillor/status/1736774389725565005
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• http://www.openwall.com/lists/oss-security/2023/12/18/3
• https://github.com/paramiko/paramiko/issues/2337
• https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
• https://news.ycombinator.com/item?id=38684904
• https://news.ycombinator.com/item?id=38685286
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
• https://github.com/mwiede/jsch/issues/457
• https://access.redhat.com/security/cve/cve-2023-48795
• https://bugs.gentoo.org/920280
• https://bugzilla.redhat.com/show_bug.cgi?id=2254210
• https://bugzilla.suse.com/show_bug.cgi?id=1217950
• https://github.com/advisories/GHSA-45x7-px36-x8w8
• https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
• https://github.com/erlang/otp/releases/tag/OTP-26.2.1
• https://github.com/mwiede/jsch/pull/461
• https://security-tracker.debian.org/tracker/source-package/libssh2
• https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
• https://ubuntu.com/security/CVE-2023-48795
• https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
• https://github.com/libssh2/libssh2/pull/1291
• https://forum.netgate.com/topic/184941/terrapin-ssh-attack
• https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
• https://github.com/rapier1/hpn-ssh/releases
• https://crates.io/crates/thrussh/versions
• https://github.com/NixOS/nixpkgs/pull/275249
• https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
• https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
• https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
• https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
• https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
• https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
• https://github.com/proftpd/proftpd/issues/456
• https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
• https://oryx-embedded.com/download/#changelog
• https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
• https://www.netsarang.com/en/xshell-update-history/
• https://www.paramiko.org/changelog.html
• http://www.openwall.com/lists/oss-security/2023/12/19/5
• https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
• https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
• http://www.openwall.com/lists/oss-security/2023/12/20/3
• https://github.com/apache/mina-sshd/issues/445
• https://github.com/hierynomus/sshj/issues/916
• https://github.com/janmojzis/tinyssh/issues/81
• https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
• https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
• https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
• https://www.openwall.com/lists/oss-security/2023/12/20/3
• http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• https://www.debian.org/security/2023/dsa-5586
• https://filezilla-project.org/versions.php
• https://github.com/PowerShell/Win32-OpenSSH/issues/2189
• https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
• https://github.com/cyd01/KiTTY/issues/520
• https://help.panic.com/releasenotes/transmit5/
• https://nova.app/releases/#v11.8
• https://roumenpetrov.info/secsh/#news20231220
• https://winscp.net/eng/docs/history#6.2.2
• https://www.bitvise.com/ssh-client-version-history#933
• https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
• https://www.theregister.com/2023/12/20/terrapin_attack_ssh
• https://www.vandyke.com/products/securecrt/history.txt
• https://www.debian.org/security/2023/dsa-5588
• https://github.com/ssh-mitm/ssh-mitm/issues/165
• https://news.ycombinator.com/item?id=38732005
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• https://security.gentoo.org/glsa/202312-16
• https://security.gentoo.org/glsa/202312-17
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/
• https://security.netapp.com/advisory/ntap-20240105-0004/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://support.apple.com/kb/HT214084
• http://seclists.org/fulldisclosure/2024/Mar/21
• https://github.com/projectdiscovery/nuclei-templates/blob/master/javascript/cves/2023/CVE-2023-48795.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Remediation

Upgrade Debian:10 python2.7 to version 2.7.16-2+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-23336
• https://security.netapp.com/advisory/ntap-20210326-0004/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/
• https://security.gentoo.org/glsa/202104-04
• https://github.com/python/cpython/pull/24297
• https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
• https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367@%3Cusers.airflow.apache.org%3E
• https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432@%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/02/msg00030.html
• https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
• https://lists.debian.org/debian-lts-announce/2021/04/msg00015.html
• http://www.openwall.com/lists/oss-security/2021/02/19/4
• http://www.openwall.com/lists/oss-security/2021/05/01/2
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.apache.org/thread.html/ra8ce70088ba291f358e077cafdb14d174b7a1ce9a9d86d1b332d6367%40%3Cusers.airflow.apache.org%3E
• https://lists.apache.org/thread.html/rc005f4de9d9b0ba943ceb8ff5a21a5c6ff8a9df52632476698d99432%40%3Cannounce.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3EPYWWFDV22CJ5AOH5VCE72DOASZZ255/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YKKDLXL3UEZ3J426C2XTBS63AHE46SM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46N6A52EGSXHJYCZWVMBJJIH4NWIV2B5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZTM7KLHFCE3LWSEVO2NAFLUHMGYMCRY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IHQDU7NXA7EWAE4W7VO6MURVJIULEPPR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJXCMHLY7H3FIYLE4OKDYUILU2CCRUCZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LVNH6Z24IG3E67ZCQGGJ46FZB4XFLQNZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MNUN5SOMFL2BBKP6ZAICIIUPQKZDMGYO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6VXJZSZ6N64AILJX4CTMACYGQGHHD5C/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJSCSN722JO2E2AGPWD4NTGVELVRPB4R/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OAGSWNGZJ6HQ5ISA67SNMK3CJRKICET7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RSLQD5CCM75IZGAMBDGUZEATYU5YSGJ7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGIY6I4YS3WOXAK4SXKIEOC2G4VZKIR7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFTELUMWZE3KV3JB2H5EE6VFRZFRD5MV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W2LSKBEFI5SYEY5FM6ICZVZM5WRQUCS4/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Remediation

Upgrade Debian:10 python2.7 to version 2.7.16-2+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-48566
• https://bugs.python.org/issue40791
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20231006-0013/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils package and not the elfutils package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The libcpu component which is used by libasm of elfutils version 0.177 (git 47780c9e), suffers from denial-of-service vulnerability caused by application crashes due to out-of-bounds write (CWE-787), off-by-one error (CWE-193) and reachable assertion (CWE-617); to exploit the vulnerability, the attackers need to craft certain ELF files which bypass the missing bound checks.

Remediation

Upgrade Debian:10 elfutils to version 0.176-1.1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-21047
• https://sourceware.org/bugzilla/show_bug.cgi?id=25068
• https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=99dc63b10b3878616b85df2dfd2e4e7103e414b8
• https://lists.debian.org/debian-lts-announce/2023/09/msg00026.html
• https://sourceware.org/git/?p=elfutils.git%3Ba=commitdiff%3Bh=99dc63b10b3878616b85df2dfd2e4e7103e414b8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

Upgrade Debian:10 glib2.0 to version 2.58.3-2+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-32665
• https://access.redhat.com/security/cve/CVE-2023-32665
• https://bugzilla.redhat.com/show_bug.cgi?id=2211827
• https://gitlab.gnome.org/GNOME/glib/-/issues/2121
• https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html
• https://security.gentoo.org/glsa/202311-18

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

Upgrade Debian:10 glib2.0 to version 2.58.3-2+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-32611
• https://access.redhat.com/security/cve/CVE-2023-32611
• https://bugzilla.redhat.com/show_bug.cgi?id=2211829
• https://gitlab.gnome.org/GNOME/glib/-/issues/2797
• https://lists.debian.org/debian-lts-announce/2023/09/msg00030.html
• https://security.netapp.com/advisory/ntap-20231027-0005/
• https://security.gentoo.org/glsa/202311-18

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

Remediation

There is no fixed version for Debian:10 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2022-4415
• https://www.openwall.com/lists/oss-security/2022/12/21/3
• https://github.com/systemd/systemd/commit/b7641425659243c09473cd8fb3aef2c0d4a3eb9c

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.

Remediation

Upgrade Debian:10 systemd to version 241-7~deb10u10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-3821
• https://github.com/systemd/systemd/issues/23928
• https://github.com/systemd/systemd/commit/9102c625a673a3246d7e73d8737f3494446bad4e
• https://github.com/systemd/systemd/pull/23933
• https://bugzilla.redhat.com/show_bug.cgi?id=2139327
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/
• https://security.gentoo.org/glsa/202305-15
• https://lists.debian.org/debian-lts-announce/2023/06/msg00036.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVBQC2VLSDVQAPJTEMTREXDL4HYLXG2P/

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

Remediation

Upgrade Debian:10 util-linux to version 2.33.1-0.1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-37600
• https://security.netapp.com/advisory/ntap-20210902-0002/
• https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c
• https://github.com/karelzak/util-linux/issues/1395
• https://security.gentoo.org/glsa/202401-08
• https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-3817
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5
• https://www.openssl.org/news/secadv/20230731.txt
• http://www.openwall.com/lists/oss-security/2023/07/31/1
• http://seclists.org/fulldisclosure/2023/Jul/43
• https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
• https://security.netapp.com/advisory/ntap-20230818-0014/
• http://www.openwall.com/lists/oss-security/2023/09/22/9
• http://www.openwall.com/lists/oss-security/2023/09/22/11
• https://security.netapp.com/advisory/ntap-20231027-0008/
• http://www.openwall.com/lists/oss-security/2023/11/06/2
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-3446
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23
• https://www.openssl.org/news/secadv/20230719.txt
• http://www.openwall.com/lists/oss-security/2023/07/19/4
• http://www.openwall.com/lists/oss-security/2023/07/19/5
• http://www.openwall.com/lists/oss-security/2023/07/19/6
• http://www.openwall.com/lists/oss-security/2023/07/31/1
• https://security.netapp.com/advisory/ntap-20230803-0011/
• https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream python2.7 package and not the python2.7 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade Debian:10 python2.7 to version 2.7.16-2+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-40217
• https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
• https://www.python.org/dev/security/
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://security.netapp.com/advisory/ntap-20231006-0014/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
• https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/