Security
DSA-5811-1 mpg123 - security update
An out-of-bounds write vulnerability when handling crafted streams was
discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder
for layers 1, 2 and 3, which could result in the execution of arbitrary
code.
Categories: Security
DSA-5810-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-5809-1 symfony - security update
Multiple vulnerabilities have been found in the Symfony PHP framework
which could lead to privilege escalation, information disclosure,
incorrect validation or an open redirect.
Categories: Security
DSA-5808-1 ghostscript - security update
Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.
Categories: Security
DSA-5807-1 nss - security update
Several vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in denial of service or potentially the
execution of arbitrary code.
Categories: Security
DSA-5806-1 libarchive - security update
A heap-based out-of-bounds write vulnerability was discovered in
libarchive, a multi-format archive and compression library, which may
result in the execution of arbitrary code if a specially crafted RAR
archive is processed.
Categories: Security
DSA-5805-1 guix - security update
It was discovered that the daemon of the GNU Guix functional package
manager was susceptible to privilege escalation. For additional
information please refer to
https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
Categories: Security
DSA-5804-1 webkit2gtk - security update
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2024-44244
An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that processing maliciously crafted web content may lead to an unexpected process crash.
CVE-2024-44296
Narendra Bhati discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.
Categories: Security
DSA-5803-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.
Debian follows the Thunderbird upstream releases. Support for the 115.x series has ended, so starting with this update we're now following the 128.x series.
Categories: Security
DSA-5802-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-5801-1 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, cross-site scripting, spoofing or information disclosure.
Categories: Security
DSA-5800-1 xorg-server - security update
Jan-Niklas Sohn discovered that a heap-based buffer overflow in the
_XkbSetCompatMap function in the X Keyboard Extension of the X.org X
server may result in privilege escalation if the X server is running
privileged.
Categories: Security
DSA-5799-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-5798-1 activemq - security update
Christopher L. Shannon discovered that the implementation of the OpenWire
protocol in Apache ActiveMQ was susceptible to the execution of
arbitrary code.
Categories: Security
DSA-5797-1 twisted - security update
Multiple security issues were found in Twisted, an event-based framework
for internet applications, which could result in incorrect ordering of
HTTP requests or cross-site scripting.
Categories: Security
DSA-5796-1 libheif - security update
Multiple security issues were found in libheif, a library to parse HEIF
and AVIF files, which could result in denial of service or potentially
the execution of arbitrary code.
Categories: Security
DSA-5795-1 python-sql - security update
Cedric Krier discovered that python-sql, a library to write SQL queries
in a pythonic way, performed insufficient sanitising which could result
in SQL injection.
Categories: Security
DSA-5794-1 openjdk-17 - security update
Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service or information disclosure.
Categories: Security
DSA-5793-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
Categories: Security
DSA-5792-1 webkit2gtk - security update
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2024-40866
Hafiizh and YoKo Kho discovered that visiting a malicious website may lead to address bar spoofing.
CVE-2024-44187
Narendra Bhati discovered that a malicious website may exfiltrate data cross-origin.
Categories: Security