NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-27533
• https://hackerone.com/reports/1891474
• https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230420-0011/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde () character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /2/foo while accessing a server with a specific user.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-27534
• https://hackerone.com/reports/1892351
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230420-0012/
• https://lists.debian.org/debian-lts-announce/2024/03/msg00016.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/

NVD Description

Note: Versions mentioned in the description apply only to the upstream cyrus-sasl2 package and not the cyrus-sasl2 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Remediation

Upgrade Debian:11 cyrus-sasl2 to version 2.1.27+dfsg-2.1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-24407
• http://www.openwall.com/lists/oss-security/2022/02/23/4
• https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst
• https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
• https://security.netapp.com/advisory/ntap-20221007-0003/
• https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
• https://www.debian.org/security/2022/dsa-5087
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-45960
• https://bugzilla.mozilla.org/show_bug.cgi?id=1217609
• https://github.com/libexpat/libexpat/issues/531
• https://github.com/libexpat/libexpat/pull/534
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220121-0004/
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-22825
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/539
• https://security.gentoo.org/glsa/202209-24
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-22827
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/539
• https://security.gentoo.org/glsa/202209-24
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-22826
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/539
• https://security.gentoo.org/glsa/202209-24
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u3 or higher.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1387
• https://security-tracker.debian.org/tracker/CVE-2019-1387
• https://lore.kernel.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/T/#u
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
• https://security.gentoo.org/glsa/202003-30
• https://security.gentoo.org/glsa/202003-42
• https://public-inbox.org/git/xmqqr21cqcn9.fsf@gitster-ct.c.googlers.com/
• https://lists.debian.org/debian-lts-announce/2020/01/msg00019.html
• https://access.redhat.com/errata/RHSA-2020:0124
• https://access.redhat.com/errata/RHSA-2020:0228
• https://access.redhat.com/errata/RHSA-2019:4356
• https://access.redhat.com/errata/RHSA-2020:0002
• http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00056.html
• http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00003.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-1387
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6UGTEOXWIYSM5KDZL74QD2GK6YQNQCP/
• https://lore.kernel.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/T/#u
• https://public-inbox.org/git/xmqqr21cqcn9.fsf%40gitster-ct.c.googlers.com/
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git is an open source, scalable, distributed revision control system. git shell is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an int to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to execv(), it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to git shell as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling git shell access via remote logins is a viable short-term workaround.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-39260
• http://seclists.org/fulldisclosure/2022/Nov/1
• https://github.com/git/git/security/advisories/GHSA-rjr6-wcq6-83p6
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://support.apple.com/kb/HT213496
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C7B6JPKX5CGGLAHXJVQMIZNNEEB72FHD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHNO2FB55CPX47BAXMBWUBGWHO6N6ZZH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKFHE4KVD7EKS5J3KTDFVBEKU3CLXGVV/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream gzip package and not the gzip package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Debian:11 gzip to version 1.10-4+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Remediation

Upgrade Debian:11 krb5 to version 1.18.3-6+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-42898
• https://bugzilla.samba.org/show_bug.cgi?id=15203
• https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c
• https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583
• https://security.netapp.com/advisory/ntap-20230216-0008/
• https://security.netapp.com/advisory/ntap-20230223-0001/
• https://web.mit.edu/kerberos/advisories/
• https://web.mit.edu/kerberos/krb5-1.19/
• https://web.mit.edu/kerberos/krb5-1.20/README-1.20.1.txt
• https://www.samba.org/samba/security/CVE-2022-42898.html
• https://security.gentoo.org/glsa/202309-06
• https://security.gentoo.org/glsa/202310-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Debian:11 xz-utils to version 5.2.5-2.1~deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-22576
• https://hackerone.com/reports/1526328
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20220609-0008/
• https://www.debian.org/security/2022/dsa-5197

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-40674
• https://github.com/libexpat/libexpat/pull/629
• https://github.com/libexpat/libexpat/pull/640
• https://lists.debian.org/debian-lts-announce/2022/09/msg00029.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/
• https://security.gentoo.org/glsa/202209-24
• https://security.gentoo.org/glsa/202211-06
• https://security.netapp.com/advisory/ntap-20221028-0008/
• https://www.debian.org/security/2022/dsa-5236
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSVZN3IJ6OCPSJL7AEX3ZHSHAHFOGESK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J2IGJNHFV53PYST7VQV3T4NHVYAMXA36/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQB6FJAM5YQ35SF5B2MN25Y2FX56EOEZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2ZKEPGFCZ7R6DRVH3K6RBJPT42ZBEG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XCGBVQQ47URGJAZWHCISHDWF6QBTV2LE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-46143
• https://github.com/libexpat/libexpat/issues/532
• https://github.com/libexpat/libexpat/pull/538
• http://www.openwall.com/lists/oss-security/2022/01/17/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220121-0006/
• https://www.debian.org/security/2022/dsa-5073
• https://www.tenable.com/security/tns-2022-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://security.gentoo.org/glsa/202312-15
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5, is vulnerable to privilege escalation in all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator in Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened from the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-29187
• http://seclists.org/fulldisclosure/2022/Nov/1
• http://www.openwall.com/lists/oss-security/2022/07/14/1
• https://github.blog/2022-04-12-git-security-vulnerability-announced
• https://github.com/git/git/security/advisories/GHSA-j342-m5hw-rr3v
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://lore.kernel.org/git/xmqqv8s2fefi.fsf@gitster.g/T/#u
• https://support.apple.com/kb/HT213496
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://lore.kernel.org/git/xmqqv8s2fefi.fsf%40gitster.g/T/#u
• https://security.gentoo.org/glsa/202312-15
• https://security.gentoo.org/glsa/202401-17

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder C:\.git, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set GIT_PS1_SHOWDIRTYSTATE are vulnerable as well. Users who installed posh-gitare vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in C:\.git\config. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder .git on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend GIT_CEILING_DIRECTORIES to cover the parent directory of the user profile, e.g. C:\Users if the user profile is located in C:\Users\my-user-name.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-24765
• http://seclists.org/fulldisclosure/2022/May/31
• http://www.openwall.com/lists/oss-security/2022/04/12/7
• https://git-scm.com/book/en/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Bash
• https://git-scm.com/docs/git#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode
• https://github.com/git-for-windows/git/security/advisories/GHSA-vw2c-22j4-2fh2
• https://lists.debian.org/debian-lts-announce/2022/12/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://support.apple.com/kb/HT213261
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PTN5NYEHYN2OQSHSAMCNICZNK2U4QH6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BENQYTDGUL6TF3UALY6GSIEXIHUIYNWM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDI325LOO2XBDDKLINOAQJEG6MHAURZE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIKWISWUDFT2FAITYIA6372BVLH3OOOC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVOLER2PIGMHPQMDGG4RDE2KZB74QLA2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLP42KIZ6HACTVZMZLJLFJQ4W2XYT27M/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZG5CDUQ27OWTPC5MQOR4UASNXHWEZS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UDZRZAL7QULOB6V7MKT66MOMWJLBJPX4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YROCMBWYFKRSS64PO6FUNM6L7LKBUKVW/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Debian:11 glibc to version 2.31-13+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3999
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
• https://access.redhat.com/errata/RHSA-2022:0896
• https://access.redhat.com/security/cve/CVE-2021-3999
• https://bugzilla.redhat.com/show_bug.cgi?id=2024637
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://security.netapp.com/advisory/ntap-20221104-0001/
• https://sourceware.org/bugzilla/show_bug.cgi?id=28769
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
• https://www.openwall.com/lists/oss-security/2022/01/24/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade Debian:11 glibc to version 2.31-13+deb11u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-4911
• http://www.openwall.com/lists/oss-security/2023/10/03/2
• http://www.openwall.com/lists/oss-security/2023/10/03/3
• http://www.openwall.com/lists/oss-security/2023/10/05/1
• https://access.redhat.com/errata/RHSA-2023:5453
• https://access.redhat.com/errata/RHSA-2023:5454
• https://access.redhat.com/errata/RHSA-2023:5455
• https://bugzilla.redhat.com/show_bug.cgi?id=2238352
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
• https://security.gentoo.org/glsa/202310-03
• https://www.debian.org/security/2023/dsa-5514
• https://www.qualys.com/cve-2023-4911/
• http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
• http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2023/Oct/11
• http://www.openwall.com/lists/oss-security/2023/10/13/11
• http://www.openwall.com/lists/oss-security/2023/10/14/3
• http://www.openwall.com/lists/oss-security/2023/10/14/5
• http://www.openwall.com/lists/oss-security/2023/10/14/6
• https://access.redhat.com/errata/RHSA-2023:5476
• https://access.redhat.com/errata/RHSA-2024:0033
• https://security.netapp.com/advisory/ntap-20231013-0006/
• https://access.redhat.com/security/cve/CVE-2023-4911
• https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
• https://github.com/projectdiscovery/nuclei-templates/blob/master/code/cves/2023/CVE-2023-4911.yaml
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Debian:11 ncurses to version 6.2+20201114-2+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29491
• http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• http://www.openwall.com/lists/oss-security/2023/04/19/10
• http://www.openwall.com/lists/oss-security/2023/04/19/11
• https://www.openwall.com/lists/oss-security/2023/04/12/5
• https://www.openwall.com/lists/oss-security/2023/04/13/4
• https://security.netapp.com/advisory/ntap-20230517-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845
• http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%3Bh=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Remediation

Upgrade Debian:11 perl to version 5.32.1-4+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-47038
• https://access.redhat.com/security/cve/CVE-2023-47038
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
• https://bugzilla.redhat.com/show_bug.cgi?id=2249523
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/
• https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property
• https://access.redhat.com/errata/RHSA-2024:2228
• https://access.redhat.com/errata/RHSA-2024:3128

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-22946
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/
• https://hackerone.com/reports/1334111
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.debian.org/debian-lts-announce/2021/09/msg00022.html
• http://seclists.org/fulldisclosure/2022/Mar/29
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20211029-0003/
• https://security.netapp.com/advisory/ntap-20220121-0008/
• https://support.apple.com/kb/HT213183
• https://www.debian.org/security/2022/dsa-5197
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APOAK4X73EJTAPTSVT7IRVDMUWVXNWGD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWLEC6YVEM2HWUBX67SDGPSY4CQB72OE/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2022-42916
• http://seclists.org/fulldisclosure/2023/Jan/19
• http://seclists.org/fulldisclosure/2023/Jan/20
• http://www.openwall.com/lists/oss-security/2022/12/21/1
• https://curl.se/docs/CVE-2022-42916.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20221209-0010/
• https://support.apple.com/kb/HT213604
• https://support.apple.com/kb/HT213605
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/37YEVVC6NAF6H7UHH6YAUY5QEVY6LIH2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVU3IMZCKR4VE6KJ4GCWRL2ILLC6OV76/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q27V5YYMXUVI6PRZQVECON32XPVWTKDK/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) .. Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the info IDN encoded but look for it IDN decoded.

Remediation

There is no fixed version for Debian:11 curl.

References

• https://security-tracker.debian.org/tracker/CVE-2022-43551
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/
• https://hackerone.com/reports/1755083
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230427-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27775
• https://hackerone.com/reports/1546268
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20220609-0008/
• https://www.debian.org/security/2022/dsa-5197

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27782
• https://hackerone.com/reports/1555796
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20220609-0009/
• https://www.debian.org/security/2022/dsa-5197
• http://www.openwall.com/lists/oss-security/2023/03/20/6

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libcurl provides the CURLOPT_CERTINFO option to allow applications torequest details to be returned about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.

Remediation

Upgrade Debian:11 curl to version 7.74.0-1.3+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27781
• https://hackerone.com/reports/1555441
• https://lists.debian.org/debian-lts-announce/2022/08/msg00017.html
• https://security.gentoo.org/glsa/202212-01
• https://security.netapp.com/advisory/ntap-20220609-0009/
• https://www.debian.org/security/2022/dsa-5197

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-23990
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/551
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/
• https://security.gentoo.org/glsa/202209-24
• https://www.debian.org/security/2022/dsa-5073
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.tenable.com/security/tns-2022-05
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/34NXVL2RZC2YZRV74ZQ3RNFB7WCEUP7D/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R7FF2UH7MPXKTADYSJUAHI2Y5UHBSHUH/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-25314
• http://www.openwall.com/lists/oss-security/2022/02/19/1
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/560
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220303-0008/
• https://www.debian.org/security/2022/dsa-5085
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-52425
• https://github.com/libexpat/libexpat/pull/789
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV/
• https://lists.debian.org/debian-lts-announce/2024/04/msg00006.html
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://security.netapp.com/advisory/ntap-20240614-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Remediation

Upgrade Debian:11 expat to version 2.2.10-2+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-43680
• https://github.com/libexpat/libexpat/issues/649
• https://github.com/libexpat/libexpat/pull/616
• https://github.com/libexpat/libexpat/pull/650
• https://lists.debian.org/debian-lts-announce/2022/10/msg00033.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/
• https://security.gentoo.org/glsa/202210-38
• https://security.netapp.com/advisory/ntap-20221118-0007/
• https://www.debian.org/security/2022/dsa-5266
• http://www.openwall.com/lists/oss-security/2023/12/28/5
• http://www.openwall.com/lists/oss-security/2024/01/03/5
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AJ5VY2VYXE4WTRGQ6LMGLF6FV3SY37YE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BY4OPSIB33ETNUXZY2UPZ4NGQ3OKDY4D/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPQVIF6TOJNY2T3ZZETFKR4G34FFREBQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFCOMBSOJKLIKCGCJWHLJXO4EVYBG7AR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUJ2BULJTZ2BMSKQHB6US674P55UCWWS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5XOOB7CD55CEE6OJYKSACSIMQ4RWQ6/

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

Remediation

Upgrade Debian:11 freetype to version 2.10.4+dfsg-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27406
• http://freetype.com
• https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
• https://security.gentoo.org/glsa/202402-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

Remediation

Upgrade Debian:11 freetype to version 2.10.4+dfsg-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-27405
• http://freetype.com
• https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EFPNRKDLCXHZVYYQLQMP44UHLU32GA6Z/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FDU2FOEMCEF6WVR6ZBIH5MT5O7FAK6UP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IWQ7IB2A75MEHM63WEUXBYEC7OR5SGDY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYVC2NPKKXKP3TWJWG4ONYWNO6ZPHLA5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TCEMWCM46PKM4U5ENRASPKQD6JDOLKRU/
• https://security.gentoo.org/glsa/202402-06

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-23946
• https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
• https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Debian:11 git to version 1:2.30.2-1+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-25652
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://security.gentoo.org/glsa/202312-15
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.

Remediation

Upgrade Debian:11 glibc to version 2.31-13+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-43396
• https://sourceware.org/bugzilla/show_bug.cgi?id=28524
• https://blog.tuxcare.com/vulnerability/vulnerability-in-iconv-identified-by-tuxcare-team-cve-2021-43396
• https://sourceware.org/git/?p=glibc.git;a=commit;h=ff012870b2c02a62598c04daa1e54632e020fd7d
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff012870b2c02a62598c04daa1e54632e020fd7d

NVD Description

Note: Versions mentioned in the description apply only to the upstream gmp package and not the gmp package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Remediation

Upgrade Debian:11 gmp to version 2:6.2.1+dfsg-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-43618
• https://bugs.debian.org/994405
• https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
• https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
• http://seclists.org/fulldisclosure/2022/Oct/8
• http://www.openwall.com/lists/oss-security/2022/10/13/3
• https://lists.debian.org/debian-lts-announce/2021/12/msg00001.html
• https://security.netapp.com/advisory/ntap-20221111-0001/
• https://security.gentoo.org/glsa/202309-13

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-2509
• https://access.redhat.com/security/cve/CVE-2022-2509
• https://lists.debian.org/debian-lts-announce/2022/08/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/
• https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html
• https://www.debian.org/security/2022/dsa-5203
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust. This issue occurs when validating a certificate chain with cockpit-certificate-ensure. This flaw allows an unauthenticated, remote client or attacker to initiate a denial of service attack.

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0567
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/security/cve/CVE-2024-0567
• https://bugzilla.redhat.com/show_bug.cgi?id=2258544
• https://gitlab.com/gnutls/gnutls/-/issues/1521
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:1082
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://security.netapp.com/advisory/ntap-20240202-0011/
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://security.netapp.com/advisory/ntap-20240202-0011/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://access.redhat.com/errata/RHSA-2024:0796
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Debian:11 krb5 to version 1.18.3-6+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-37370
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh2 package and not the libssh2 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.

Remediation

Upgrade Debian:11 libssh2 to version 1.9.0-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-22218
• https://github.com/libssh2/libssh2/pull/476
• https://lists.debian.org/debian-lts-announce/2023/09/msg00006.html
• https://security.netapp.com/advisory/ntap-20231006-0002/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtirpc package and not the libtirpc package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.

Remediation

Upgrade Debian:11 libtirpc to version 1.3.1-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-46828
• http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
• https://lists.debian.org/debian-lts-announce/2022/08/msg00004.html
• https://security.gentoo.org/glsa/202210-33
• https://security.netapp.com/advisory/ntap-20221007-0004/
• https://www.debian.org/security/2022/dsa-5200
• http://git.linux-nfs.org/?p=steved/libtirpc.git%3Ba=commit%3Bh=86529758570cef4c73fb9b9c4104fdc510f701ed

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Debian:11 nghttp2 to version 1.43.0-1+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-44487
• https://chaos.social/@icing/111210915918780532
• https://github.com/hyperium/hyper/issues/3337
• http://www.openwall.com/lists/oss-security/2023/10/13/4
• https://access.redhat.com/security/cve/cve-2023-44487
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
• https://blog.vespa.ai/cve-2023-44487/
• https://bugzilla.redhat.com/show_bug.cgi?id=2242803
• https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
• https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
• https://github.com/Azure/AKS/issues/3947
• https://github.com/Kong/kong/discussions/11741
• https://github.com/akka/akka-http/issues/4323
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/httpd-site/pull/10
• https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
• https://github.com/junkurihara/rust-rpxy/issues/97
• https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/nodejs/node/pull/50121
• https://github.com/openresty/openresty/issues/930
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://istio.io/latest/news/security/istio-security-2023-004/
• https://my.f5.com/manage/s/article/K000137106
• https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
• https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
• https://security.paloaltonetworks.com/CVE-2023-44487
• https://ubuntu.com/security/CVE-2023-44487
• https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
• https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
• https://www.debian.org/security/2023/dsa-5521
• https://www.debian.org/security/2023/dsa-5522
• https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
• https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
• https://www.openwall.com/lists/oss-security/2023/10/10/6
• https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
• http://www.openwall.com/lists/oss-security/2023/10/13/9
• https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
• https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
• https://github.com/advisories/GHSA-vx74-f528-fxqg
• https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/bcdannyboy/CVE-2023-44487
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/dotnet/announcements/issues/277
• https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/facebook/proxygen/pull/466
• https://github.com/golang/go/issues/63417
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/micrictor/http2-rst-stream
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/oqtane/oqtane.framework/discussions/3367
• https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
• https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
• https://netty.io/news/2023/10/10/4-1-100-Final.html
• https://news.ycombinator.com/item?id=37830987
• https://news.ycombinator.com/item?id=37830998
• https://news.ycombinator.com/item?id=37831062
• https://security.netapp.com/advisory/ntap-20231016-0001/
• https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
• https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/line/armeria/pull/5232
• https://github.com/projectcontour/contour/pull/5826
• https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
• https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
• https://news.ycombinator.com/item?id=37837043
• http://www.openwall.com/lists/oss-security/2023/10/18/4
• http://www.openwall.com/lists/oss-security/2023/10/18/8
• http://www.openwall.com/lists/oss-security/2023/10/19/6
• http://www.openwall.com/lists/oss-security/2023/10/20/8
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
• https://bugzilla.proxmox.com/show_bug.cgi?id=4988
• https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
• https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
• https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
• https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
• https://github.com/caddyserver/caddy/releases/tag/v2.7.5
• https://github.com/h2o/h2o/pull/3291
• https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
• https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
• https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
• https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
• https://security.gentoo.org/glsa/202311-09
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
• https://www.debian.org/security/2023/dsa-5540
• https://www.debian.org/security/2023/dsa-5549
• https://www.debian.org/security/2023/dsa-5558
• https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
• https://www.debian.org/security/2023/dsa-5570
• https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• https://security.netapp.com/advisory/ntap-20240426-0007/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Debian:11 openssl to version 1.1.1n-0+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-4450
• https://www.openssl.org/news/secadv/20230207.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Debian:11 openssl to version 1.1.1n-0+deb11u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0464
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
• https://www.openssl.org/news/secadv/20230322.txt
• https://www.debian.org/security/2023/dsa-5417
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
• https://www.couchbase.com/alerts/
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20240621-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Remediation

Upgrade Debian:11 openssl to version 1.1.1k-1+deb11u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0778
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
• http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
• https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20220321-0002/
• https://security.netapp.com/advisory/ntap-20220429-0005/
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.debian.org/security/2022/dsa-5103
• https://www.openssl.org/news/secadv/20220315.txt
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.tenable.com/security/tns-2022-06
• https://www.tenable.com/security/tns-2022-07
• https://www.tenable.com/security/tns-2022-08
• https://www.tenable.com/security/tns-2022-09
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• https://security.netapp.com/advisory/ntap-20240621-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Debian:11 openssl to version 1.1.1n-0+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0215
• https://www.openssl.org/news/secadv/20230207.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344
• https://security.netapp.com/advisory/ntap-20230427-0007/
• https://security.netapp.com/advisory/ntap-20230427-0009/
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20240621-0006/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.9 package and not the python3.9 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

There is no fixed version for Debian:11 python3.9.

References

• https://security-tracker.debian.org/tracker/CVE-2024-6232
• https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06
• https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
• https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf
• https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373
• https://github.com/python/cpython/issues/121285
• https://github.com/python/cpython/pull/121286
• https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/
• https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d
• https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877

NVD Description

Note: Versions mentioned in the description apply only to the upstream subversion package and not the subversion package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.

Remediation

Upgrade Debian:11 subversion to version 1.14.1-3+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-24070
• http://seclists.org/fulldisclosure/2022/Jul/18
• https://bz.apache.org/bugzilla/show_bug.cgi?id=65861
• https://cwiki.apache.org/confluence/display/HTTPD/ModuleLife
• https://issues.apache.org/jira/browse/SVN-4880
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/
• https://support.apple.com/kb/HT213345
• https://www.debian.org/security/2022/dsa-5119
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PZ4ARNGLMGYBKYDX2B7DRBNMF6EH3A6R/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YJPMCWCGWBN3QWCDVILWQWPC75RR67LT/

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Remediation

Upgrade Debian:11 systemd to version 247.3-7+deb11u6 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50387
• https://datatracker.ietf.org/doc/html/rfc4035
• http://www.openwall.com/lists/oss-security/2024/02/16/2
• http://www.openwall.com/lists/oss-security/2024/02/16/3
• https://access.redhat.com/security/cve/CVE-2023-50387
• https://bugzilla.suse.com/show_bug.cgi?id=1219823
• https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
• https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
• https://kb.isc.org/docs/cve-2023-50387
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
• https://news.ycombinator.com/item?id=39367411
• https://news.ycombinator.com/item?id=39372384
• https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
• https://www.athene-center.de/aktuelles/key-trap
• https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
• https://www.isc.org/blogs/2024-bind-security-release/
• https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
• https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
• https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://security.netapp.com/advisory/ntap-20240307-0007/
• https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Remediation

Upgrade Debian:11 zlib to version 1:1.2.11.dfsg-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-25032
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• http://www.openwall.com/lists/oss-security/2022/03/25/2
• http://www.openwall.com/lists/oss-security/2022/03/26/1
• https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
• https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
• https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
• https://github.com/madler/zlib/issues/605
• https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
• https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
• https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
• https://security.gentoo.org/glsa/202210-42
• https://security.netapp.com/advisory/ntap-20220526-0009/
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.debian.org/security/2022/dsa-5111
• https://www.openwall.com/lists/oss-security/2022/03/24/1
• https://www.openwall.com/lists/oss-security/2022/03/28/1
• https://www.openwall.com/lists/oss-security/2022/03/28/3
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Remediation

Upgrade Debian:11 gnutls28 to version 3.7.1-5+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0361
• https://access.redhat.com/security/cve/CVE-2023-0361
• https://github.com/tlsfuzzer/tlsfuzzer/pull/679
• https://gitlab.com/gnutls/gnutls/-/issues/1050
• https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
• https://security.netapp.com/advisory/ntap-20230324-0005/
• https://security.netapp.com/advisory/ntap-20230725-0005/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Debian:11 openssl to version 1.1.1n-0+deb11u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0286
• https://www.openssl.org/news/secadv/20230207.txt
• https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
• https://security.gentoo.org/glsa/202402-08

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Remediation

Upgrade Debian:11 apr to version 1.7.0-6+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-35940
• http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E
• https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
• https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E
• http://svn.apache.org/viewvc?view=revision&revision=1891198
• https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/08/23/1
• https://www.oracle.com/security-alerts/cpujul2022.html
• http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E
• https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b%40%3Cdev.httpd.apache.org%3E
• https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8%40%3Cdev.apr.apache.org%3E
• https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b%40%3Cannounce.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

Upgrade Debian:11 ncurses to version 6.2+20201114-2+deb11u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-29458
• http://seclists.org/fulldisclosure/2022/Oct/41
• https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html
• https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
• https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html
• https://support.apple.com/kb/HT213488
• http://seclists.org/fulldisclosure/2022/Oct/28

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

Remediation

Upgrade Debian:11 openssh to version 1:8.4p1-5+deb11u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-41617
• https://bugzilla.suse.com/show_bug.cgi?id=1190975
• https://security.netapp.com/advisory/ntap-20211014-0004/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XJIONMHMKZDTMH6BQR5TNLF2WDCGWED/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KVI7RWM2JLNMWTOFK6BDUSGNOIPZYPUT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W44V2PFQH5YLRN6ZJTVRKAD7CU6CYYET/
• https://www.openssh.com/security.html
• https://www.openssh.com/txt/release-8.8
• https://www.openwall.com/lists/oss-security/2021/09/26/1
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.starwindsoftware.com/security/sw-20220805-0001/
• https://www.tenable.com/plugins/nessus/154174
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XJIONMHMKZDTMH6BQR5TNLF2WDCGWED/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KVI7RWM2JLNMWTOFK6BDUSGNOIPZYPUT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W44V2PFQH5YLRN6ZJTVRKAD7CU6CYYET/
• https://www.debian.org/security/2023/dsa-5586
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html