NVD Description

Note: Versions mentioned in the description apply only to the upstream gzip package and not the gzip package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Debian:10 gzip to version 1.9-3+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

Upgrade Debian:10 ncurses to version 6.1+20181013-2+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-39537
• http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/devel/ncurses/patches/patch-ncurses_tinfo_captoinfo.c?rev=1.1&content-type=text/x-cvsweb-markup
• https://lists.gnu.org/archive/html/bug-ncurses/2020-08/msg00006.html
• https://lists.gnu.org/archive/html/bug-ncurses/2021-10/msg00023.html
• http://seclists.org/fulldisclosure/2022/Oct/28
• http://seclists.org/fulldisclosure/2022/Oct/41
• http://seclists.org/fulldisclosure/2022/Oct/43
• http://seclists.org/fulldisclosure/2022/Oct/45
• https://support.apple.com/kb/HT213443
• https://support.apple.com/kb/HT213444
• https://support.apple.com/kb/HT213488
• https://security.netapp.com/advisory/ntap-20230427-0012/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-utils package and not the xz-utils package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade Debian:10 xz-utils to version 5.2.4-1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1271
• https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://access.redhat.com/security/cve/CVE-2022-1271
• https://bugzilla.redhat.com/show_bug.cgi?id=2073310
• https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
• https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
• https://security.gentoo.org/glsa/202209-01
• https://security.netapp.com/advisory/ntap-20220930-0006/
• https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
• https://www.openwall.com/lists/oss-security/2022/04/07/8

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection.

Remediation

Upgrade Debian:10 perl to version 5.28.1-6+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10878
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8
• https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10878
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Sandbox Bypass. It was discovered that the boundary checks in the java.nio.Buffer class in the Libraries component of OpenJDK could have been bypassed when class instance was accessed concurrently. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.261, 8.0.251, 11.0.7, 14.0.1 or higher.

References

• Oracle Patch Notes
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Control Bypass via the Scripting component APIs. An attacker can gain unauthorized creation, deletion, or modification access to critical data by supplying crafted data through a web service or by leveraging untrusted code execution in sandboxed environments.

Remediation

Upgrade openjdk-jre to version 8.0.462, 11.0.28 or higher.

References

• GitHub Commit
• GitHub Commit
• Oracle Security Advisory
• Red Hat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.

Remediation

Upgrade Debian:10 perl to version 5.28.1-6+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-10543
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-10543
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-8 package and not the gcc-8 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Remediation

There is no fixed version for Debian:10 gcc-8.

References

• https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup
• https://security-tracker.debian.org/tracker/CVE-2018-12886
• https://www.gnu.org/software/gcc/gcc-8/changes.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data.

Remediation

Upgrade Debian:10 glibc to version 2.28-10+deb10u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-6096
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/
• https://security.gentoo.org/glsa/202101-20
• https://sourceware.org/bugzilla/show_bug.cgi?id=25620
• https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1019
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
• https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPYXTDOOB4PQGTYAMZAZNJIB3FF6YQXI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/URXOIA2LDUKHQXK4BE55BQBRI6ZZG3Y6/

NVD Description

Note: Versions mentioned in the description apply only to the upstream nettle package and not the nettle package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Remediation

Upgrade Debian:10 nettle to version 3.4.1-1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-20305
• https://www.debian.org/security/2021/dsa-4933
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/
• https://security.gentoo.org/glsa/202105-31
• https://bugzilla.redhat.com/show_bug.cgi?id=1942533
• https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MQKWVVMAIDAJ7YAA3VVO32BHLDOH2E63/
• https://security.netapp.com/advisory/ntap-20211022-0002/

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Modification of Assumed-Immutable Data (MAID) via serialization filter changes via jdk.serialFilter property modification.

Remediation

Upgrade openjdk-jre to version 7.0.251, 8.0.241, 11.0.6, 13.0.2 or higher.

References

• Oracle Security Advisory
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade Debian:10 glibc to version 2.28-10+deb10u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3999
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
• https://access.redhat.com/errata/RHSA-2022:0896
• https://access.redhat.com/security/cve/CVE-2021-3999
• https://bugzilla.redhat.com/show_bug.cgi?id=2024637
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://security.netapp.com/advisory/ntap-20221104-0001/
• https://sourceware.org/bugzilla/show_bug.cgi?id=28769
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
• https://www.openwall.com/lists/oss-security/2022/01/24/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Debian:10 ncurses to version 6.1+20181013-2+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-29491
• http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%3Bh=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• http://www.openwall.com/lists/oss-security/2023/04/19/10
• http://www.openwall.com/lists/oss-security/2023/04/19/11
• https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://security.netapp.com/advisory/ntap-20230517-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845
• https://www.openwall.com/lists/oss-security/2023/04/12/5
• https://www.openwall.com/lists/oss-security/2023/04/13/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

Remediation

Upgrade Debian:10 systemd to version 241-7~deb10u9 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-26604
• https://medium.com/@zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7
• http://packetstormsecurity.com/files/174130/systemd-246-Local-Root-Privilege-Escalation.html
• https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality/
• https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340
• https://lists.debian.org/debian-lts-announce/2023/03/msg00032.html
• https://medium.com/%40zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7
• https://security.netapp.com/advisory/ntap-20230505-0009/
• https://www.exploit-db.com/exploits/51674

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

Remediation

Upgrade Debian:10 systemd to version 241-7~deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-1712
• https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54
• https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb
• https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d
• https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2
• https://www.openwall.com/lists/oss-security/2020/02/05/1
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1712
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1712
• https://lists.debian.org/debian-lts-announce/2022/06/msg00025.html

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Control Bypass in the HTTP client. An attacker can obtain sensitive information by sending specially crafted HTTP requests that exploit improper header handling.

Remediation

Upgrade openjdk-jre to version 11.0.28, 17.0.16, 21.0.8, 24.0.2 or higher.

References

• Oracle Security Advisory
• Red Hat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.

Remediation

Upgrade Debian:10 glibc to version 2.28-10+deb10u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3326
• https://security.netapp.com/advisory/ntap-20210304-0007/
• https://sourceware.org/bugzilla/show_bug.cgi?id=27256
• https://sourceware.org/git/?p=glibc.git;a=commit;h=7d88c6142c6efc160c0ee5e4f85cde382c072888
• http://www.openwall.com/lists/oss-security/2021/01/28/2
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://security.gentoo.org/glsa/202107-07
• https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=7d88c6142c6efc160c0ee5e4f85cde382c072888
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gmp package and not the gmp package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Remediation

Upgrade Debian:10 gmp to version 2:6.1.2+dfsg-4+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-43618
• https://bugs.debian.org/994405
• https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
• https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
• http://seclists.org/fulldisclosure/2022/Oct/8
• http://www.openwall.com/lists/oss-security/2022/10/13/3
• https://lists.debian.org/debian-lts-announce/2021/12/msg00001.html
• https://security.gentoo.org/glsa/202309-13
• https://security.netapp.com/advisory/ntap-20221111-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A vulnerability found in gnutls. This security flaw happens because of a double free error occurs during verification of pkcs7 signatures in gnutls_pkcs7_verify function.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u9 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-2509
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/
• https://access.redhat.com/security/cve/CVE-2022-2509
• https://lists.debian.org/debian-lts-announce/2022/08/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FL27JS3VM74YEQU7PGB62USO3KSBYZX/
• https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html
• https://www.debian.org/security/2022/dsa-5203

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u12 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://access.redhat.com/errata/RHSA-2024:0796
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html
• https://security.netapp.com/advisory/ntap-20240202-0011/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-24659
• https://security.netapp.com/advisory/ntap-20200911-0006/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62BUAI4FQQLG6VTKRT7SUZPGJJ4NASQ3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AWN56FDLQQXT2D2YHNI4TYH432TDMQ7N/
• https://security.gentoo.org/glsa/202009-01
• https://gitlab.com/gnutls/gnutls/-/issues/1071
• https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00054.html
• http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00060.html
• https://usn.ubuntu.com/4491-1/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62BUAI4FQQLG6VTKRT7SUZPGJJ4NASQ3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWN56FDLQQXT2D2YHNI4TYH432TDMQ7N/

NVD Description

Note: Versions mentioned in the description apply only to the upstream nettle package and not the nettle package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.

Remediation

Upgrade Debian:10 nettle to version 3.4.1-1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3580
• https://bugzilla.redhat.com/show_bug.cgi?id=1967983
• https://lists.debian.org/debian-lts-announce/2021/09/msg00008.html
• https://security.gentoo.org/glsa/202401-24
• https://security.netapp.com/advisory/ntap-20211104-0006/

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Access Restriction Bypass by an unauthenticated attacker with network access via multiple protocols. This is due to incorrect implementation of the ECDSA cryptographic signature in Java. Exploiting this vulnerability results in unauthorized creation, deletion, or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Notes:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

2. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

• Graalvm Release Notes
• JDK Release notes
• Neil Madden Blog - Psychic Signatures in Java
• Oracle Security Advisory
• PoC by Khaled Nassar
• PoC in GitHub

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Buffer Overflow. A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.261, 8.0.251, 11.0.7, 14.0.1 or higher.

References

• Oracle Update Advisory
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.261, 8.0.251, 11.0.7, 14.0.1 or higher.

References

• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Security Check in the TLS/SSL implementation in the JSSE component of OpenJDK, where it did not properly handle application data packets received before the handshake completion. This flaw allowed unauthorized injection of data at the beginning of a TLS session.

Remediation

Upgrade openjdk-jre to version 7.0.261, 8.0.251, 11.0.7, 14.0.1 or higher.

References

• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure by allowing unauthenticated attackers with network access via multiple protocols to access critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.

References

• Oracle Security Report
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Coercion Error through the Apache Java XSLT library, via the processing of a malicious XSLT stylesheet. Exploiting this vulnerability can allow an attacker to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.

References

• OpenJDK Security Advisory
• Oracle Security Advisory
• RedHat Bugzilla Bug
• PoC in GitHub

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Sandbox Bypass. A flaw was found in the way the Hotspot component of OpenJDK performed range check elimination. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 8.0.301, 11.0.12, 16.0.2 or higher.

References

• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-4450
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions

of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies()' function.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0464
• https://security.netapp.com/advisory/ntap-20230406-0006/
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.couchbase.com/alerts/
• https://www.debian.org/security/2023/dsa-5417
• https://www.openssl.org/news/secadv/20230322.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Remediation

Upgrade Debian:10 openssl to version 1.1.1d-0+deb10u5 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-23840
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44846
• https://security.netapp.com/advisory/ntap-20210219-0009/
• https://www.openssl.org/news/secadv/20210216.txt
• https://www.tenable.com/security/tns-2021-03
• https://www.tenable.com/security/tns-2021-09
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2021/dsa-4855
• https://security.gentoo.org/glsa/202103-03
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2
• https://kc.mcafee.com/corporate/index?page=content&id=SB10366
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Remediation

Upgrade Debian:10 openssl to version 1.1.1d-0+deb10u8 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-0778
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246
• https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20220321-0002/
• https://security.netapp.com/advisory/ntap-20220429-0005/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.debian.org/security/2022/dsa-5103
• https://www.openssl.org/news/secadv/20220315.txt
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.tenable.com/security/tns-2022-06
• https://www.tenable.com/security/tns-2022-07
• https://www.tenable.com/security/tns-2022-08
• https://www.tenable.com/security/tns-2022-09
• https://github.com/jkakavas/CVE-2022-0778-POC

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Remediation

Upgrade Debian:10 openssl to version 1.1.1d-0+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-1967
• https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee@%3Cdev.tomcat.apache.org%3E
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=eb563247aef3e83dda7679c43f9649270462e5b1
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44440
• https://security.netapp.com/advisory/ntap-20200717-0004/
• https://www.synology.com/security/advisory/Synology_SA_20_05
• https://www.synology.com/security/advisory/Synology_SA_20_05_OpenSSL
• https://www.tenable.com/security/tns-2020-03
• https://www.tenable.com/security/tns-2020-04
• https://www.tenable.com/security/tns-2020-11
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2020/dsa-4661
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
• https://security.FreeBSD.org/advisories/FreeBSD-SA-20:11.openssl.asc
• https://security.gentoo.org/glsa/202004-10
• http://packetstormsecurity.com/files/157527/OpenSSL-signature_algorithms_cert-Denial-Of-Service.html
• https://github.com/irsl/CVE-2020-1967
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://security.netapp.com/advisory/ntap-20200424-0003/
• https://www.openssl.org/news/secadv/20200421.txt
• http://www.openwall.com/lists/oss-security/2020/04/22/2
• http://seclists.org/fulldisclosure/2020/May/5
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00004.html
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00011.html
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=eb563247aef3e83dda7679c43f9649270462e5b1
• https://lists.apache.org/thread.html/r66ea9c436da150683432db5fbc8beb8ae01886c6459ac30c2cea7345%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r94d6ac3f010a38fccf4f432b12180a13fa1cf303559bd805648c9064%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/r9a41e304992ce6aec6585a87842b4f2e692604f5c892c37e3b0587ee%40%3Cdev.tomcat.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0215
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20230427-0007/
• https://security.netapp.com/advisory/ntap-20230427-0009/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream p11-kit package and not the p11-kit package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in p11-kit 0.21.1 through 0.23.21. Multiple integer overflows have been discovered in the array allocations in the p11-kit library and the p11-kit list command, where overflow checks are missing before calling realloc or calloc.

Remediation

Upgrade Debian:10 p11-kit to version 0.23.15-2+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-29361
• https://www.debian.org/security/2021/dsa-4822
• https://github.com/p11-glue/p11-kit/releases
• https://github.com/p11-glue/p11-kit/security/advisories/GHSA-q4r3-hm6m-mvc2
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/01/msg00002.html
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E

NVD Description

Note: Versions mentioned in the description apply only to the upstream p11-kit package and not the p11-kit package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An issue was discovered in p11-kit 0.23.6 through 0.23.21. A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array in a CK_ATTRIBUTE, the receiving entity may not allocate sufficient length for the buffer to store the deserialized value.

Remediation

Upgrade Debian:10 p11-kit to version 0.23.15-2+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-29363
• https://www.debian.org/security/2021/dsa-4822
• https://github.com/p11-glue/p11-kit/releases
• https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

Remediation

Upgrade Debian:10 perl to version 5.28.1-6+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-12723
• https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
• https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a
• https://github.com/Perl/perl5/compare/v5.30.2...v5.30.3
• https://security.netapp.com/advisory/ntap-20200611-0001/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://security.gentoo.org/glsa/202006-03
• https://github.com/Perl/perl5/issues/16947
• https://github.com/Perl/perl5/issues/17743
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00044.html
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-12723
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IN3TTBO5KSGWE5IRIKDJ5JSQRH7ANNXE/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records.

Remediation

There is no fixed version for Debian:10 systemd.

References

• https://security-tracker.debian.org/tracker/CVE-2023-50387
• https://datatracker.ietf.org/doc/html/rfc4035
• http://www.openwall.com/lists/oss-security/2024/02/16/2
• http://www.openwall.com/lists/oss-security/2024/02/16/3
• https://access.redhat.com/security/cve/CVE-2023-50387
• https://bugzilla.suse.com/show_bug.cgi?id=1219823
• https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
• https://gitlab.nic.cz/knot/knot-resolver/-/releases/v5.7.1
• https://kb.isc.org/docs/cve-2023-50387
• https://lists.debian.org/debian-lts-announce/2024/02/msg00006.html
• https://lists.debian.org/debian-lts-announce/2024/05/msg00011.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6FV5O347JTX7P5OZA6NGO4MKTXRXMKOZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BUIP7T7Z4T3UHLXFWG6XIVDP4GYPD3AI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVRDSJVZKMCXKKPP6PNR62T7RWZ3YSDZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IGSLGKUAQTW5JPPZCMF5YPEYALLRUZZ6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNNHZSZPG2E7NBMBNYPGHCFI4V4XRWNQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RGS7JN6FZXUSTC2XKQHH27574XOULYYJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVYA42BLXUCIDLD35YIJPJSHDIADNYMP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEXGOYGW7DBS3N2QSSQONZ4ENIRQEAPG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQESRWMJCF4JEYJEAKLRM6CT55GLJAB7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZDZFMEKQTZ4L7RY46FCENWFB5MDT263R/
• https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-50387
• https://news.ycombinator.com/item?id=39367411
• https://news.ycombinator.com/item?id=39372384
• https://nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/
• https://security.netapp.com/advisory/ntap-20240307-0007/
• https://www.athene-center.de/aktuelles/key-trap
• https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
• https://www.isc.org/blogs/2024-bind-security-release/
• https://www.securityweek.com/keytrap-dns-attack-could-disable-large-parts-of-internet-researchers/
• https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
• https://github.com/knqyf263/CVE-2023-50387

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Remediation

Upgrade Debian:10 zlib to version 1:1.2.11.dfsg-1+deb10u1 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2018-25032
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• http://www.openwall.com/lists/oss-security/2022/03/25/2
• http://www.openwall.com/lists/oss-security/2022/03/26/1
• https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
• https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
• https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
• https://github.com/madler/zlib/issues/605
• https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
• https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
• https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
• https://security.gentoo.org/glsa/202210-42
• https://security.netapp.com/advisory/ntap-20220526-0009/
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.debian.org/security/2022/dsa-5111
• https://www.openwall.com/lists/oss-security/2022/03/24/1
• https://www.openwall.com/lists/oss-security/2022/03/28/1
• https://www.openwall.com/lists/oss-security/2022/03/28/3
• https://www.oracle.com/security-alerts/cpujul2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u10 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0361
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
• https://access.redhat.com/security/cve/CVE-2023-0361
• https://github.com/tlsfuzzer/tlsfuzzer/pull/679
• https://gitlab.com/gnutls/gnutls/-/issues/1050
• https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
• https://security.netapp.com/advisory/ntap-20230324-0005/
• https://security.netapp.com/advisory/ntap-20230725-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The earliest affected version is 3.6.3 (2018-07-16) because of an error in a 2017-10-06 commit. The DTLS client always uses 32 '\0' bytes instead of a random value, and thus contributes no randomness to a DTLS negotiation. This breaks the security guarantees of the DTLS protocol.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-11501
• https://www.debian.org/security/2020/dsa-4652
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/
• https://security.gentoo.org/glsa/202004-06
• https://gitlab.com/gnutls/gnutls/-/commit/5b595e8e52653f6c5726a4cdd8fddeb6e83804d2
• https://gitlab.com/gnutls/gnutls/-/issues/960
• https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-03-31
• https://security.netapp.com/advisory/ntap-20200416-0002/
• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00015.html
• https://usn.ubuntu.com/4322-1/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

Remediation

Upgrade Debian:10 gnutls28 to version 3.6.7-4+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-13777
• https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03
• https://security.netapp.com/advisory/ntap-20200619-0004/
• https://www.debian.org/security/2020/dsa-4697
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/
• https://security.gentoo.org/glsa/202006-01
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html
• https://usn.ubuntu.com/4384-1/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Covert Timing Channel in the security-libs/java.security component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

• Security Advisory
• Vulnerability Advisory
• Vulnerability Report

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Privilege Management in the hotspot/compiler component.

Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security.

Remediation

Upgrade openjdk-jre to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.

References

• Security Advisory
• Vulnerability Advisory

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Information Exposure. Improper connection handling during TLS handshake. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all accessible data as well as unauthorized access to critical data or complete access to all accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Remediation

Upgrade openjdk-jre to version 8.0.372, 11.0.19, 17.0.7, 20.0.1 or higher.

References

• GitHub Commit
• Oracle Security Alerts
• RedHat Bugzilla Bug

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Sandbox Bypass. A flaw was found in the way the imaging library in the 2D component of OpenJDK performed affine transformations of images. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.261, 8.0.251, 11.0.7, 14.0.1 or higher.

References

• Oracle Patch Notes
• RedHat Bugzilla Bug

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u4 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2023-0286
• https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Remediation

Upgrade Debian:10 openssl to version 1.1.1d-0+deb10u7 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2021-3712
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
• https://security.netapp.com/advisory/ntap-20210827-0010/
• https://www.openssl.org/news/secadv/20210824.txt
• https://www.tenable.com/security/tns-2021-16
• https://www.debian.org/security/2021/dsa-4963
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html
• https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html
• http://www.openwall.com/lists/oss-security/2021/08/26/2
• https://cert-portal.siemens.com/productcert/pdf/ssa-244969.pdf
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=94d23fcff9b2a7a8368dfe52214d5c2569882c11
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
• https://kc.mcafee.com/corporate/index?page=content&id=SB10366
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E
• https://security.gentoo.org/glsa/202209-02
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.tenable.com/security/tns-2022-02

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Remediation

Upgrade Debian:10 openssl to version 1.1.1n-0+deb10u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-1292
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=548d3f280a6e737673f5b61fce24bb100108dfeb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
• https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
• https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis
• https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20220602-0009/
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://www.debian.org/security/2022/dsa-5139
• https://www.openssl.org/news/secadv/20220503.txt
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://github.com/alcaparra/CVE-2022-1292

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

Remediation

Upgrade Debian:10 ncurses to version 6.1+20181013-2+deb10u3 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2022-29458
• http://seclists.org/fulldisclosure/2022/Oct/28
• http://seclists.org/fulldisclosure/2022/Oct/41
• https://lists.debian.org/debian-lts-announce/2022/10/msg00037.html
• https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
• https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html
• https://support.apple.com/kb/HT213488

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for Debian:10 glibc.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1751
• https://security-tracker.debian.org/tracker/CVE-2020-1751
• https://security.gentoo.org/glsa/202006-04
• https://sourceware.org/bugzilla/show_bug.cgi?id=25423
• https://security.netapp.com/advisory/ntap-20200430-0002/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1751
• https://usn.ubuntu.com/4416-1/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.

Remediation

Upgrade Debian:10 glibc to version 2.28-10+deb10u2 or higher.

References

• https://security-tracker.debian.org/tracker/CVE-2020-1752
• https://sourceware.org/bugzilla/show_bug.cgi?id=25414
• https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c
• https://security.gentoo.org/glsa/202101-20
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200511-0005/
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752
• https://usn.ubuntu.com/4416-1/
• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1752
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html
• https://sourceware.org/git/gitweb.cgi?p=glibc.git%3Bh=ddc650e9b3dc916eab417ce9f79e67337b05035c