NVD Description

Note: Versions mentioned in the description apply only to the upstream dav1d package and not the dav1d package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.

Remediation

Upgrade Debian:12 dav1d to version 1.0.0-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-1580
• http://seclists.org/fulldisclosure/2024/Mar/36
• http://seclists.org/fulldisclosure/2024/Mar/37
• http://seclists.org/fulldisclosure/2024/Mar/38
• http://seclists.org/fulldisclosure/2024/Mar/39
• http://seclists.org/fulldisclosure/2024/Mar/40
• http://seclists.org/fulldisclosure/2024/Mar/41
• https://code.videolan.org/videolan/dav1d/-/blob/master/NEWS
• https://code.videolan.org/videolan/dav1d/-/releases/1.4.0
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EPMUNDMEBGESOJ2ZNCWYEAYOOEKNWOO/
• https://support.apple.com/kb/HT214093
• https://support.apple.com/kb/HT214094
• https://support.apple.com/kb/HT214095
• https://support.apple.com/kb/HT214096
• https://support.apple.com/kb/HT214097
• https://support.apple.com/kb/HT214098

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-57803
• https://github.com/ImageMagick/ImageMagick/commit/2c55221f4d38193adcb51056c14cf238fbcc35d7
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-mxvv-97wh-cfmm

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55298
• https://github.com/ImageMagick/ImageMagick/commit/439b362b93c074eea6c3f834d84982b43ef057d5
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9ccg-6pjw-x645

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.11 was discovered to contain a heap buffer overflow via the function derive_collocated_motion_vectors at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-27103
• https://github.com/strukturag/libde265/issues/394
• https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49468
• https://github.com/strukturag/libde265/issues/432
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49467
• https://github.com/strukturag/libde265/issues/434
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49465
• https://github.com/strukturag/libde265/issues/435
• https://lists.debian.org/debian-lts-announce/2023/12/msg00022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-49462
• https://github.com/strukturag/libheif/issues/1043

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.9-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-10979
• https://www.postgresql.org/support/security/CVE-2024-10979/
• https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
• https://security.netapp.com/advisory/ntap-20250110-0003/
• https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5869
• https://security.netapp.com/advisory/ntap-20240119-0003/
• https://access.redhat.com/errata/RHSA-2023:7545
• https://access.redhat.com/errata/RHSA-2023:7579
• https://access.redhat.com/errata/RHSA-2023:7580
• https://access.redhat.com/errata/RHSA-2023:7581
• https://access.redhat.com/errata/RHSA-2023:7616
• https://access.redhat.com/errata/RHSA-2023:7656
• https://access.redhat.com/errata/RHSA-2023:7666
• https://access.redhat.com/errata/RHSA-2023:7667
• https://access.redhat.com/errata/RHSA-2023:7694
• https://access.redhat.com/errata/RHSA-2023:7695
• https://access.redhat.com/errata/RHSA-2023:7714
• https://access.redhat.com/errata/RHSA-2023:7770
• https://access.redhat.com/errata/RHSA-2023:7771
• https://access.redhat.com/errata/RHSA-2023:7772
• https://access.redhat.com/errata/RHSA-2023:7778
• https://access.redhat.com/errata/RHSA-2023:7783
• https://access.redhat.com/errata/RHSA-2023:7784
• https://access.redhat.com/errata/RHSA-2023:7785
• https://access.redhat.com/errata/RHSA-2023:7786
• https://access.redhat.com/errata/RHSA-2023:7788
• https://access.redhat.com/errata/RHSA-2023:7789
• https://access.redhat.com/errata/RHSA-2023:7790
• https://access.redhat.com/errata/RHSA-2023:7878
• https://access.redhat.com/errata/RHSA-2023:7883
• https://access.redhat.com/errata/RHSA-2023:7884
• https://access.redhat.com/errata/RHSA-2023:7885
• https://access.redhat.com/errata/RHSA-2024:0304
• https://access.redhat.com/errata/RHSA-2024:0332
• https://access.redhat.com/errata/RHSA-2024:0337
• https://access.redhat.com/security/cve/CVE-2023-5869
• https://bugzilla.redhat.com/show_bug.cgi?id=2247169
• https://lists.debian.org/debian-lts-announce/2023/11/msg00007.html
• https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
• https://www.postgresql.org/support/security/CVE-2023-5869/

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-39417
• https://access.redhat.com/errata/RHSA-2023:7545
• https://access.redhat.com/errata/RHSA-2023:7579
• https://access.redhat.com/errata/RHSA-2023:7580
• https://access.redhat.com/errata/RHSA-2023:7581
• https://access.redhat.com/errata/RHSA-2023:7616
• https://access.redhat.com/errata/RHSA-2023:7656
• https://access.redhat.com/errata/RHSA-2023:7666
• https://access.redhat.com/errata/RHSA-2023:7667
• https://access.redhat.com/errata/RHSA-2023:7694
• https://access.redhat.com/errata/RHSA-2023:7695
• https://access.redhat.com/errata/RHSA-2023:7714
• https://access.redhat.com/errata/RHSA-2023:7770
• https://access.redhat.com/errata/RHSA-2023:7772
• https://access.redhat.com/errata/RHSA-2023:7784
• https://access.redhat.com/errata/RHSA-2023:7785
• https://access.redhat.com/errata/RHSA-2023:7883
• https://access.redhat.com/errata/RHSA-2023:7884
• https://access.redhat.com/errata/RHSA-2023:7885
• https://access.redhat.com/errata/RHSA-2024:0304
• https://access.redhat.com/errata/RHSA-2024:0332
• https://access.redhat.com/errata/RHSA-2024:0337
• https://access.redhat.com/security/cve/CVE-2023-39417
• https://bugzilla.redhat.com/show_bug.cgi?id=2228111
• https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
• https://security.netapp.com/advisory/ntap-20230915-0002/
• https://www.debian.org/security/2023/dsa-5553
• https://www.debian.org/security/2023/dsa-5554
• https://www.postgresql.org/support/security/CVE-2023-39417

NVD Description

Note: Versions mentioned in the description apply only to the upstream tiff package and not the tiff package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.

By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Remediation

Upgrade Debian:12 tiff to version 4.5.0-6+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-9900
• https://access.redhat.com/security/cve/CVE-2025-9900
• https://bugzilla.redhat.com/show_bug.cgi?id=2392784
• https://access.redhat.com/errata/RHSA-2025:17651
• https://access.redhat.com/errata/RHSA-2025:17675
• https://access.redhat.com/errata/RHSA-2025:17710
• https://access.redhat.com/errata/RHSA-2025:17738
• https://access.redhat.com/errata/RHSA-2025:17739
• https://access.redhat.com/errata/RHSA-2025:17740
• https://access.redhat.com/errata/RHSA-2025:19113
• https://access.redhat.com/errata/RHSA-2025:19156
• https://access.redhat.com/errata/RHSA-2025:19276
• https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html
• http://www.openwall.com/lists/oss-security/2025/09/26/3
• https://access.redhat.com/errata/RHSA-2025:19906
• https://gitlab.com/libtiff/libtiff/-/issues/704
• https://gitlab.com/libtiff/libtiff/-/merge_requests/732
• https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html
• https://access.redhat.com/errata/RHSA-2025:19947
• https://access.redhat.com/errata/RHSA-2025:20956
• https://access.redhat.com/errata/RHSA-2025:20998
• https://access.redhat.com/errata/RHSA-2025:21061
• https://access.redhat.com/errata/RHSA-2025:21062
• https://access.redhat.com/errata/RHSA-2025:21060
• https://access.redhat.com/errata/RHSA-2025:21407
• https://access.redhat.com/errata/RHSA-2025:21506
• https://access.redhat.com/errata/RHSA-2025:21507
• https://access.redhat.com/errata/RHSA-2025:21508
• https://access.redhat.com/errata/RHSA-2025:21994
• https://access.redhat.com/errata/RHSA-2025:23078
• https://access.redhat.com/errata/RHSA-2025:23079
• https://access.redhat.com/errata/RHSA-2025:23080
• https://access.redhat.com/errata/RHSA-2026:0001
• https://access.redhat.com/errata/RHSA-2026:0078
• https://access.redhat.com/errata/RHSA-2026:0076
• https://access.redhat.com/errata/RHSA-2026:0077
• https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception in the SignTraits::DeriveBits() function, which incorrectly invokes ThrowException() based on user inputs when executing in a background thread. This allows an attacker to trigger a runtime crash.

Note: The cryptographic operations involved are commonly applied to untrusted input.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 20.19.2, 22.15.1, 23.11.1, 24.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• HackerOne Report
• Node.js Advisory

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Uncaught Exception due to the unhandled TLSSocket error ECONNRESET. An attacker can cause application crash by passing malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data.

Note:

This issue primary affects applications without explicit error handlers to secure sockets.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Directory Traversal in the path.join function. An attacker can bypass the path traversal protection and access restricted files by crafting specific path inputs that leverage Windows reserved driver names such as CON, PRN, and AUX.

Note: This issue only affects Windows systems and is a result of an incomplete fix for CVE-2025-23084

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

• Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

• Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade node to version 20.19.4, 22.17.1, 24.4.1 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Security Advisory
• Exploit DB

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior due to a flaw in error handling when async_hooks (or AsyncLocalStorage) is enabled. Normally, a "Maximum call stack size exceeded" error (stack overflow) is catchable by try-catch blocks or uncaughtException handlers. However, if this error occurs while an async_hooks callback is on the stack (which happens frequently in frameworks like Next.js or when using APM tools), Node.js treats it as a fatal error. Remote attackers can trigger this crash by sending payloads that cause deep recursion (e.g., deeply nested JSON objects), leading to a Denial of Service.

Notes:

1. Node.js 24.x and 25.x are less affected if using only AsyncLocalStorage, as they use a newer V8 feature that avoids this hook mechanism;

2. The patch improves recoverability in one edge case, but it does not remove the broader risk. Recovery from space exhaustion is unspecified, best‑effort behavior and is not a reliable basis for availability or security.

PoC

import { createHook } from 'node:async_hooks';

// This simulates what APM tools do
createHook({ init() {} }).enable();

function recursive() {
  new Promise(() => {}); // Creates async context
  return recursive();
}

try {
  recursive();
} catch (err) {
  console.log('This never runs', err);
}

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• Blog Post
• GitHub Commit
• Node.js Security Releases

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Debian:12 freetype to version 2.12.1+dfsg-5+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27363
• https://www.facebook.com/security/advisories/cve-2025-27363
• http://www.openwall.com/lists/oss-security/2025/03/13/1
• http://www.openwall.com/lists/oss-security/2025/03/13/11
• http://www.openwall.com/lists/oss-security/2025/03/13/12
• http://www.openwall.com/lists/oss-security/2025/03/13/2
• http://www.openwall.com/lists/oss-security/2025/03/13/3
• http://www.openwall.com/lists/oss-security/2025/03/13/8
• http://www.openwall.com/lists/oss-security/2025/03/14/1
• http://www.openwall.com/lists/oss-security/2025/03/14/2
• http://www.openwall.com/lists/oss-security/2025/03/14/3
• http://www.openwall.com/lists/oss-security/2025/03/14/4
• http://www.openwall.com/lists/oss-security/2025/05/06/3
• https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
• https://source.android.com/docs/security/bulletin/2025-05-01
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/tin-z/CVE-2025-27363

NVD Description

Note: Versions mentioned in the description apply only to the upstream libde265 package and not the libde265 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

Remediation

Upgrade Debian:12 libde265 to version 1.0.11-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-43887
• https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133
• https://github.com/strukturag/libde265/issues/418
• https://lists.debian.org/debian-lts-announce/2023/11/msg00032.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libheif package and not the libheif package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write.

Remediation

Upgrade Debian:12 libheif to version 1.15.1-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-41311
• https://gist.github.com/flyyee/79f1b224069842ee320115cafa5c35c0
• https://github.com/strukturag/libheif/commit/a3ed1b1eb178c5d651d6ac619c8da3d71ac2be36
• https://github.com/strukturag/libheif/issues/1226
• https://github.com/strukturag/libheif/pull/1227
• https://lists.debian.org/debian-lts-announce/2024/10/msg00025.html

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Code Injection due to the incorrect handling of environment variables on Linux when the process is running with elevated privileges that the current user lacks (does not apply to CAP_NET_BIND_SERVICE).

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Remediation

Upgrade Debian:12 openssh to version 1:9.2p1-2+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6387
• http://seclists.org/fulldisclosure/2024/Jul/18
• http://seclists.org/fulldisclosure/2024/Jul/19
• http://seclists.org/fulldisclosure/2024/Jul/20
• http://www.openwall.com/lists/oss-security/2024/07/01/12
• http://www.openwall.com/lists/oss-security/2024/07/01/13
• http://www.openwall.com/lists/oss-security/2024/07/02/1
• http://www.openwall.com/lists/oss-security/2024/07/03/1
• http://www.openwall.com/lists/oss-security/2024/07/03/11
• http://www.openwall.com/lists/oss-security/2024/07/03/2
• http://www.openwall.com/lists/oss-security/2024/07/03/3
• http://www.openwall.com/lists/oss-security/2024/07/03/4
• http://www.openwall.com/lists/oss-security/2024/07/03/5
• http://www.openwall.com/lists/oss-security/2024/07/04/1
• http://www.openwall.com/lists/oss-security/2024/07/04/2
• http://www.openwall.com/lists/oss-security/2024/07/08/2
• http://www.openwall.com/lists/oss-security/2024/07/08/3
• http://www.openwall.com/lists/oss-security/2024/07/09/2
• http://www.openwall.com/lists/oss-security/2024/07/09/5
• http://www.openwall.com/lists/oss-security/2024/07/10/1
• http://www.openwall.com/lists/oss-security/2024/07/10/2
• http://www.openwall.com/lists/oss-security/2024/07/10/3
• http://www.openwall.com/lists/oss-security/2024/07/10/4
• http://www.openwall.com/lists/oss-security/2024/07/10/6
• http://www.openwall.com/lists/oss-security/2024/07/11/1
• http://www.openwall.com/lists/oss-security/2024/07/11/3
• http://www.openwall.com/lists/oss-security/2024/07/23/4
• http://www.openwall.com/lists/oss-security/2024/07/23/6
• http://www.openwall.com/lists/oss-security/2024/07/28/2
• http://www.openwall.com/lists/oss-security/2024/07/28/3
• https://access.redhat.com/errata/RHSA-2024:4312
• https://access.redhat.com/errata/RHSA-2024:4340
• https://access.redhat.com/errata/RHSA-2024:4389
• https://access.redhat.com/errata/RHSA-2024:4469
• https://access.redhat.com/errata/RHSA-2024:4474
• https://access.redhat.com/errata/RHSA-2024:4479
• https://access.redhat.com/errata/RHSA-2024:4484
• https://access.redhat.com/security/cve/CVE-2024-6387
• https://archlinux.org/news/the-sshd-service-needs-to-be-restarted-after-upgrading-to-openssh-98p1/
• https://arstechnica.com/security/2024/07/regresshion-vulnerability-in-openssh-gives-attackers-root-on-linux/
• https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
• https://bugzilla.redhat.com/show_bug.cgi?id=2294604
• https://explore.alas.aws.amazon.com/CVE-2024-6387.html
• https://forum.vmssoftware.com/viewtopic.php?f=8&t=9132
• https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2024-002.txt.asc
• https://github.com/AlmaLinux/updates/issues/629
• https://github.com/Azure/AKS/issues/4379
• https://github.com/PowerShell/Win32-OpenSSH/discussions/2248
• https://github.com/PowerShell/Win32-OpenSSH/issues/2249
• https://github.com/microsoft/azurelinux/issues/9555
• https://github.com/openela-main/openssh/commit/e1f438970e5a337a17070a637c1b9e19697cad09
• https://github.com/oracle/oracle-linux/issues/149
• https://github.com/rapier1/hpn-ssh/issues/87
• https://github.com/zgzhang/cve-2024-6387-poc
• https://lists.almalinux.org/archives/list/announce@lists.almalinux.org/thread/23BF5BMGFVEVUI2WNVAGMLKT557EU7VY/
• https://lists.mindrot.org/pipermail/openssh-unix-announce/2024-July/000158.html
• https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041431.html
• https://news.ycombinator.com/item?id=40843778
• https://packetstorm.news/files/id/190587/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0010
• https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
• https://security.netapp.com/advisory/ntap-20240701-0001/
• https://sig-security.rocky.page/issues/CVE-2024-6387/
• https://stackdiary.com/openssh-race-condition-in-sshd-allows-remote-code-execution/
• https://support.apple.com/kb/HT214118
• https://support.apple.com/kb/HT214119
• https://support.apple.com/kb/HT214120
• https://ubuntu.com/security/CVE-2024-6387
• https://ubuntu.com/security/notices/USN-6859-1
• https://www.akamai.com/blog/security-research/2024-openssh-vulnerability-regression-what-to-know-and-do
• https://www.arista.com/en/support/advisories-notices/security-advisory/19904-security-advisory-0100
• https://www.exploit-db.com/exploits/52269
• https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc
• https://www.openssh.com/txt/release-9.8
• https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
• https://www.splunk.com/en_us/blog/security/cve-2024-6387-regresshion-vulnerability.html
• https://www.suse.com/security/cve/CVE-2024-6387.html
• https://www.theregister.com/2024/07/01/regresshion_openssh/
• https://www.vicarius.io/vsociety/posts/regresshion-an-openssh-regression-error-cve-2024-6387
• https://github.com/xonoxitron/regreSSHion-checker

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-31484
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://lists.debian.org/debian-lts-announce/2024/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://metacpan.org/dist/CPAN/changes
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.openwall.com/lists/oss-security/2023/04/18/14

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.6-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0985
• https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
• https://saites.dev/projects/personal/postgres-cve-2024-0985/
• https://security.netapp.com/advisory/ntap-20241220-0005/
• https://www.postgresql.org/support/security/CVE-2024-0985/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A crafted file could allow an attacker to overwrite heap metadata, leading to a denial of service or code execution attack. This occurs in gdk_pixbuf_set_option() in gdk-pixbuf.c.

Remediation

Upgrade Debian:12 gdk-pixbuf to version 2.42.10+dfsg-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-48622
• https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15
• https://github.com/ethiack/CVE-2023-29007

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-32004
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
• https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-32465
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git#_security
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
• https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-6246
• http://packetstormsecurity.com/files/176931/glibc-qsort-Out-Of-Bounds-Read-Write.html
• http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
• http://seclists.org/fulldisclosure/2024/Feb/3
• http://seclists.org/fulldisclosure/2024/Feb/5
• https://access.redhat.com/security/cve/CVE-2023-6246
• https://bugzilla.redhat.com/show_bug.cgi?id=2249053
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/
• https://security.gentoo.org/glsa/202402-01
• https://security.netapp.com/advisory/ntap-20240216-0007/
• https://www.openwall.com/lists/oss-security/2024/01/30/6
• https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
• https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2023/CVE-2023-6246.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55154
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qp29-wxp5-wh82
• https://goo.gle/bigsleep
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-49043
• https://github.com/php/php-src/issues/17467
• https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-55549
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
• https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-24855
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
• https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

There is no fixed version for Debian:12 libxslt.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7425
• https://access.redhat.com/security/cve/CVE-2025-7425
• https://bugzilla.redhat.com/show_bug.cgi?id=2379274
• https://access.redhat.com/errata/RHSA-2025:12447
• https://access.redhat.com/errata/RHSA-2025:12450
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13313
• https://access.redhat.com/errata/RHSA-2025:13314
• https://access.redhat.com/errata/RHSA-2025:13308
• https://access.redhat.com/errata/RHSA-2025:13309
• https://access.redhat.com/errata/RHSA-2025:13310
• https://access.redhat.com/errata/RHSA-2025:13311
• https://access.redhat.com/errata/RHSA-2025:13312
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13464
• https://access.redhat.com/errata/RHSA-2025:13622
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:14819
• https://access.redhat.com/errata/RHSA-2025:14818
• https://access.redhat.com/errata/RHSA-2025:14853
• https://access.redhat.com/errata/RHSA-2025:14858
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00035.html
• http://seclists.org/fulldisclosure/2025/Aug/0
• http://seclists.org/fulldisclosure/2025/Jul/30
• http://seclists.org/fulldisclosure/2025/Jul/32
• http://seclists.org/fulldisclosure/2025/Jul/35
• http://seclists.org/fulldisclosure/2025/Jul/37
• http://www.openwall.com/lists/oss-security/2025/07/11/2
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:21913
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjpeg2 package and not the openjpeg2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg.

Remediation

Upgrade Debian:12 openjpeg2 to version 2.5.0-2+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3575
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
• https://access.redhat.com/errata/RHSA-2021:4251
• https://access.redhat.com/security/cve/CVE-2021-3575
• https://bugzilla.redhat.com/show_bug.cgi?id=1957616
• https://github.com/uclouvain/openjpeg/issues/1347
• https://lists.debian.org/debian-lts-announce/2025/04/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZ54FGM2IGAP4AWSJ22JKHOPHCR3FGYU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB6AI7CWXWMEDZIQY4LQ6DMIEXMDOHUP/
• https://ubuntu.com/security/CVE-2021-3575

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Remediation

Upgrade Debian:12 pam to version 1.5.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6020
• https://access.redhat.com/security/cve/CVE-2025-6020
• https://bugzilla.redhat.com/show_bug.cgi?id=2372512
• http://www.openwall.com/lists/oss-security/2025/06/17/1
• https://access.redhat.com/errata/RHSA-2025:9526
• https://access.redhat.com/errata/RHSA-2025:10024
• https://access.redhat.com/errata/RHSA-2025:10027
• https://access.redhat.com/errata/RHSA-2025:10180
• https://access.redhat.com/errata/RHSA-2025:10354
• https://access.redhat.com/errata/RHSA-2025:10357
• https://access.redhat.com/errata/RHSA-2025:10358
• https://access.redhat.com/errata/RHSA-2025:10359
• https://access.redhat.com/errata/RHSA-2025:10361
• https://access.redhat.com/errata/RHSA-2025:10362
• https://access.redhat.com/errata/RHSA-2025:10735
• https://access.redhat.com/errata/RHSA-2025:10823
• https://access.redhat.com/errata/RHSA-2025:11386
• https://access.redhat.com/errata/RHSA-2025:11487
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00021.html
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:20181
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:22019

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Remediation

Upgrade Debian:12 perl to version 5.36.0-7+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-47038
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/
• https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property
• https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
• https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
• https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
• https://github.com/aquasecurity/trivy/discussions/8400
• https://ubuntu.com/security/CVE-2023-47100
• https://www.suse.com/security/cve/CVE-2023-47100.html
• https://access.redhat.com/errata/RHSA-2024:2228
• https://access.redhat.com/errata/RHSA-2024:3128
• https://access.redhat.com/security/cve/CVE-2023-47038
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
• https://bugzilla.redhat.com/show_bug.cgi?id=2249523
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMDZZ4SCEW6FRWZDMXGAKZ35THTAWFG6/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-9287
• https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
• https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
• https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
• https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
• https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
• https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
• https://github.com/python/cpython/issues/124651
• https://github.com/python/cpython/pull/124712
• https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
• https://security.netapp.com/advisory/ntap-20250425-0006/
• https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Remediation

Upgrade Debian:12 glib2.0 to version 2.74.6-2+deb12u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-13601
• https://access.redhat.com/security/cve/CVE-2025-13601
• https://bugzilla.redhat.com/show_bug.cgi?id=2416741
• https://gitlab.gnome.org/GNOME/glib/-/issues/3827
• https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-24928
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
• https://issues.oss-fuzz.com/issues/392687022
• https://security.netapp.com/advisory/ntap-20250321-0006/
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following in the fs.symlink() function. An attacker can escape the allowed path and read/write sensitive files by chaining directories and symlinks, bypassing --allow-fs-read and --allow-fs-write restrictions.

Remediation

Upgrade node to version 20.20.0, 22.22.0, 24.13.0, 25.3.0 or higher.

References

• GitHub Commit
• NodeJS Security Advisory

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52425
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/libexpat/libexpat/pull/789
• https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://security.netapp.com/advisory/ntap-20240614-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681
• http://seclists.org/fulldisclosure/2025/May/10
• http://seclists.org/fulldisclosure/2025/May/11
• http://seclists.org/fulldisclosure/2025/May/12
• http://seclists.org/fulldisclosure/2025/May/6
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://www.openwall.com/lists/oss-security/2025/09/24/11
• https://access.redhat.com/errata/RHSA-2025:22033
• https://access.redhat.com/errata/RHSA-2025:22035
• https://access.redhat.com/errata/RHSA-2025:22034
• https://access.redhat.com/errata/RHSA-2025:22607
• https://access.redhat.com/errata/RHSA-2025:22785
• https://access.redhat.com/errata/RHSA-2025:22842
• https://access.redhat.com/errata/RHSA-2025:22871

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Debian:12 expat to version 2.5.0-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-45490
• https://github.com/libexpat/libexpat/issues/887
• https://github.com/libexpat/libexpat/pull/890
• https://security.netapp.com/advisory/ntap-20241018-0004/
• http://seclists.org/fulldisclosure/2024/Dec/10
• http://seclists.org/fulldisclosure/2024/Dec/12
• http://seclists.org/fulldisclosure/2024/Dec/6
• http://seclists.org/fulldisclosure/2024/Dec/7
• http://seclists.org/fulldisclosure/2024/Dec/8
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gdk-pixbuf package and not the gdk-pixbuf package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution.

Remediation

Upgrade Debian:12 gdk-pixbuf to version 2.42.10+dfsg-1+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7345
• https://access.redhat.com/security/cve/CVE-2025-7345
• https://bugzilla.redhat.com/show_bug.cgi?id=2377063
• https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/249
• https://access.redhat.com/errata/RHSA-2025:12841
• https://access.redhat.com/errata/RHSA-2025:12862
• https://access.redhat.com/errata/RHSA-2025:13315
• https://access.redhat.com/errata/RHSA-2025:14575
• https://access.redhat.com/errata/RHSA-2025:14576
• https://access.redhat.com/errata/RHSA-2025:14574
• https://access.redhat.com/errata/RHSA-2025:14585
• https://access.redhat.com/errata/RHSA-2025:14618
• https://access.redhat.com/errata/RHSA-2025:14646
• https://access.redhat.com/errata/RHSA-2025:14647
• https://access.redhat.com/errata/RHSA-2025:14683
• https://lists.debian.org/debian-lts-announce/2025/10/msg00024.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-25652
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit b01b9b8 which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.

Remediation

Upgrade Debian:12 git to version 1:2.39.5-0+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-52006
• https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g
• https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060
• https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
• https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp
• https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Remediation

Upgrade Debian:12 glibc to version 2.36-9+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-6779
• http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html
• http://seclists.org/fulldisclosure/2024/Feb/3
• https://access.redhat.com/security/cve/CVE-2023-6779
• https://bugzilla.redhat.com/show_bug.cgi?id=2254395
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ/
• https://security.gentoo.org/glsa/202402-01
• https://security.netapp.com/advisory/ntap-20240223-0006/
• https://www.openwall.com/lists/oss-security/2024/01/30/6
• https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0567
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0567
• https://bugzilla.redhat.com/show_bug.cgi?id=2258544
• https://gitlab.com/gnutls/gnutls/-/issues/1521
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:12 gnutls28 to version 3.7.9-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://access.redhat.com/errata/RHSA-2024:0796
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-43965
• https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9
• https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-44---2025-02-22
• https://lists.debian.org/debian-lts-announce/2025/04/msg00035.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-55212
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/geometry.c#L355
• https://github.com/ImageMagick/ImageMagick/blob/0ba1b587be17543b664f7ad538e9e51e0da59d17/MagickCore/resize.c#L4625-L4629
• https://github.com/ImageMagick/ImageMagick/commit/5f0bcf986b8b5e90567750d31a37af502b73f2af
• https://github.com/dlemstra/Magick.NET/releases/tag/14.8.1
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fh55-q5pj-pxgw

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is an open source software suite for displaying, converting, and editing raster image files. In ImageMagick versions prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability exists in the BMP decoder on 32-bit systems. The vulnerability occurs in coders/bmp.c when calculating the extent value by multiplying image columns by bits per pixel. On 32-bit systems with size_t of 4 bytes, a malicious BMP file with specific dimensions can cause this multiplication to overflow and wrap to zero. The overflow check added to address CVE-2025-57803 is placed after the overflow occurs, making it ineffective. A specially crafted 58-byte BMP file with width set to 536,870,912 and 32 bits per pixel can trigger this overflow, causing the bytes_per_line calculation to become zero. This vulnerability only affects 32-bit builds of ImageMagick where default resource limits for width, height, and area have been manually increased beyond their defaults. 64-bit systems with size_t of 8 bytes are not vulnerable, and systems using default ImageMagick resource limits are not vulnerable. The vulnerability is fixed in versions 7.1.2-7 and 6.9.13-32.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-62171
• https://github.com/ImageMagick/ImageMagick/commit/cea1693e2ded51b4cc91c70c54096cbed1691c00
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
• https://lists.debian.org/debian-lts-announce/2025/10/msg00019.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, in the WriteSVGImage function, using an int variable to store number_attributes caused an integer overflow. This, in turn, triggered a buffer overflow and caused a DoS attack. Version 7.1.2-12 fixes the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-69204
• https://github.com/ImageMagick/ImageMagick/commit/2c08c2311693759153c9aa99a6b2dcb5f985681e
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hrh7-j8q2-4qcw

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's magick stream command, specifying multiple consecutive %d format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-53019
• https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cfh4-9f7v-fhrc

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in ImageMagick in versions prior to 7.0.11-14 in ReadTIFFImage() in coders/tiff.c. This issue is due to an incorrect setting of the pixel array size, which can lead to a crash and segmentation fault.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3610
• http://www.openwall.com/lists/oss-security/2023/05/29/4
• http://www.openwall.com/lists/oss-security/2023/06/05/1
• https://bugzilla.redhat.com/show_bug.cgi?id=1973689
• https://github.com/ImageMagick/ImageMagick/commit/930ff0d1a9bc42925a7856e9ea53f5fc9f318bf3

NVD Description

Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-12, using Magick to read a malicious SVG file resulted in a DoS attack. Version 7.1.2-12 fixes the issue.

Remediation

Upgrade Debian:12 imagemagick to version 8:6.9.11.60+dfsg-1.6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-68618
• https://github.com/ImageMagick/ImageMagick/commit/6f431d445f3ddd609c004a1dde617b0a73e60beb
• https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p27m-hp98-6637

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Debian:12 krb5 to version 1.20.1-2+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-37370
• https://security.netapp.com/advisory/ntap-20241108-0007/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-27113
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/861
• https://security.netapp.com/advisory/ntap-20250306-0004/
• http://seclists.org/fulldisclosure/2025/Apr/13
• http://seclists.org/fulldisclosure/2025/Apr/10
• http://seclists.org/fulldisclosure/2025/Apr/11
• http://seclists.org/fulldisclosure/2025/Apr/12
• http://seclists.org/fulldisclosure/2025/Apr/4
• http://seclists.org/fulldisclosure/2025/Apr/5
• http://seclists.org/fulldisclosure/2025/Apr/8
• http://seclists.org/fulldisclosure/2025/Apr/9
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32415
• https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-6021
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13289
• https://access.redhat.com/errata/RHSA-2025:13325
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13336
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
• https://access.redhat.com/errata/RHSA-2025:19020
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
• https://access.redhat.com/errata/RHSA-2025:11673

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-32414
• https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/889

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Remediation

Upgrade Debian:12 libxml2 to version 2.9.14+dfsg-1.3~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-25062
• https://lists.debian.org/debian-lts-announce/2025/02/msg00028.html
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
• https://gitlab.gnome.org/GNOME/libxml2/-/tags
• https://security.netapp.com/advisory/ntap-20241018-0009/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxslt package and not the libxslt package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.

Remediation

Upgrade Debian:12 libxslt to version 1.1.35-1+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2025-7424
• https://access.redhat.com/security/cve/CVE-2025-7424
• https://bugzilla.redhat.com/show_bug.cgi?id=2379228
• https://lists.debian.org/debian-lts-announce/2025/09/msg00024.html
• http://seclists.org/fulldisclosure/2025/Aug/0
• http://seclists.org/fulldisclosure/2025/Jul/30
• http://seclists.org/fulldisclosure/2025/Jul/32
• http://seclists.org/fulldisclosure/2025/Jul/33
• http://seclists.org/fulldisclosure/2025/Jul/35
• http://seclists.org/fulldisclosure/2025/Jul/37
• http://www.openwall.com/lists/oss-security/2025/07/11/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Debian:12 nghttp2 to version 1.52.0-1+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-44487
• https://chaos.social/@icing/111210915918780532
• https://github.com/hyperium/hyper/issues/3337
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• http://www.openwall.com/lists/oss-security/2023/10/10/6
• http://www.openwall.com/lists/oss-security/2023/10/10/7
• https://github.com/grpc/grpc/releases/tag/v1.59.2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487
• http://www.openwall.com/lists/oss-security/2023/10/13/4
• http://www.openwall.com/lists/oss-security/2023/10/13/9
• http://www.openwall.com/lists/oss-security/2023/10/18/4
• http://www.openwall.com/lists/oss-security/2023/10/18/8
• http://www.openwall.com/lists/oss-security/2023/10/19/6
• http://www.openwall.com/lists/oss-security/2023/10/20/8
• http://www.openwall.com/lists/oss-security/2025/08/13/6
• https://access.redhat.com/security/cve/cve-2023-44487
• https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
• https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
• https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
• https://blog.vespa.ai/cve-2023-44487/
• https://bugzilla.proxmox.com/show_bug.cgi?id=4988
• https://bugzilla.redhat.com/show_bug.cgi?id=2242803
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
• https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
• https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
• https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
• https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
• https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
• https://github.com/Azure/AKS/issues/3947
• https://github.com/Kong/kong/discussions/11741
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/advisories/GHSA-vx74-f528-fxqg
• https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
• https://github.com/akka/akka-http/issues/4323
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/httpd-site/pull/10
• https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
• https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/bcdannyboy/CVE-2023-44487
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/caddyserver/caddy/releases/tag/v2.7.5
• https://github.com/dotnet/announcements/issues/277
• https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/facebook/proxygen/pull/466
• https://github.com/golang/go/issues/63417
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/h2o/h2o/pull/3291
• https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
• https://github.com/junkurihara/rust-rpxy/issues/97
• https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/line/armeria/pull/5232
• https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
• https://github.com/micrictor/http2-rst-stream
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/nodejs/node/pull/50121
• https://github.com/openresty/openresty/issues/930
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/oqtane/oqtane.framework/discussions/3367
• https://github.com/projectcontour/contour/pull/5826
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
• https://istio.io/latest/news/security/istio-security-2023-004/
• https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
• https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
• https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
• https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
• https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
• https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
• https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
• https://my.f5.com/manage/s/article/K000137106
• https://netty.io/news/2023/10/10/4-1-100-Final.html
• https://news.ycombinator.com/item?id=37830987
• https://news.ycombinator.com/item?id=37830998
• https://news.ycombinator.com/item?id=37831062
• https://news.ycombinator.com/item?id=37837043
• https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
• https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
• https://security.gentoo.org/glsa/202311-09
• https://security.netapp.com/advisory/ntap-20231016-0001/
• https://security.netapp.com/advisory/ntap-20240426-0007/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://security.paloaltonetworks.com/CVE-2023-44487
• https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
• https://ubuntu.com/security/CVE-2023-44487
• https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
• https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
• https://www.debian.org/security/2023/dsa-5521
• https://www.debian.org/security/2023/dsa-5522
• https://www.debian.org/security/2023/dsa-5540
• https://www.debian.org/security/2023/dsa-5549
• https://www.debian.org/security/2023/dsa-5558
• https://www.debian.org/security/2023/dsa-5570
• https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
• https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
• https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• https://www.openwall.com/lists/oss-security/2023/10/10/6
• https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
• https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/Appsynergy-io/CVE-2023-44487
• https://www.exploit-db.com/exploits/52426

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which allows an attacker to cause denial of service via CPU and network bandwidth exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.19.1, 20.11.1, 21.6.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug

Overview

node is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a race condition in Http2Session when nghttp2 data is left in memory after a connection is reset while processing HTTP/2 CONTINUATION frames. An attacker can cause denial of service by sending such frames then triggering the Http2Session destructor.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade node to version 18.20.1, 20.12.1, 21.7.2 or higher.

References

• CERT/CC Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Node.js Release Notes
• RedHat Bugzilla Bug
• Vulnerability Report

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.14-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6119
• https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
• https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
• https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2
• https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
• https://openssl-library.org/news/secadv/20240903.txt
• http://www.openwall.com/lists/oss-security/2024/09/03/4
• https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
• https://security.netapp.com/advisory/ntap-20240912-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical.

Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

Remediation

Upgrade Debian:12 openssl to version 3.0.11-1~deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-5363
• http://www.openwall.com/lists/oss-security/2023/10/24/1
• https://security.netapp.com/advisory/ntap-20231027-0010/
• https://security.netapp.com/advisory/ntap-20240201-0003/
• https://security.netapp.com/advisory/ntap-20240201-0004/
• https://www.debian.org/security/2023/dsa-5532
• https://security.netapp.com/advisory/ntap-20241108-0002/
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee
• https://www.openssl.org/news/secadv/20231024.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-15 package and not the postgresql-15 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Remediation

Upgrade Debian:12 postgresql-15 to version 15.8-0+deb12u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7348
• https://www.postgresql.org/support/security/CVE-2024-7348/
• http://www.openwall.com/lists/oss-security/2024/08/11/1
• https://security.netapp.com/advisory/ntap-20240822-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-24329
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://github.com/python/cpython/issues/102153
• https://github.com/python/cpython/pull/99421
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PEVICI7YNGGMSL3UCMWGE66QFLATH72/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DSL6NSOAXWBJJ67XPLSSC74MNKZF3BBO/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EM2XLZSTXG44TMFXF4E6VTGKR2MQCW3G/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F2NY75GFDZ5T6YPN44D3VMFT5SUVTOTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GR5US3BYILYJ4SKBV6YBNPRUBAL5P2CN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H23OSKC6UG6IWOQAUPW74YUHWRWVXJP7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZTLGV2HYFF4AMYJL25VDIGAIHCU7UPA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWC4WGXER5P6Q75RFGL7QUTPP3N5JR7T/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MZEHSXSCMA4WWQKXT6QV7AAR6SWNZ2VP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O5SP4RT3RRS434ZS2HQKQJ3VZW7YPKYR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHHJHJRLEF3TDT2K3676CAUVRDD4CCMR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PEUN6T22UJFXR7J5F6UUHCXXPKJ2DVHI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PURM5CFDABEWAIWZFD2MQ7ZJGCPYSQ44/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q3J5N24ECS4B6MJDRO6UAYU6GPLYBDCL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QRQHN7RWJQJHYP6E5EKESOYP5VDSHZG4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RA2MBEEES6L46OD64OBSVUUMGKNGMOWW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4IDB5OAR5Y4UK3HLMZBW4WEL2B7YFMJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TZH26JGNZ5XYPZ5SAU3NKSBSPRE5OHTG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U2MZOJYGFCB5PPT6AKMAU72N7QOYWLBP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UONZWLB4QVLQIY5CPDLEUEKH6WX4VQMC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOAUJNDWZDRWVSXJ354AYZYKRMT56HU/
• https://pointernull.com/security/python-url-parse-problem.html
• https://security.netapp.com/advisory/ntap-20230324-0004/
• https://www.kb.cert.org/vuls/id/127587

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

Upgrade Debian:12 python3.11 to version 3.11.2-6+deb12u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-7592
• https://github.com/python/cpython/issues/123067
• https://github.com/python/cpython/pull/123075
• https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
• https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
• https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
• https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
• https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
• https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
• https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
• https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
• https://security.netapp.com/advisory/ntap-20241018-0006/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html