Debian Security
DSA-6160-1 netty - security update
Several security vulnerabilities have been discovered in Netty, a Java NIO
client/server socket framework. It was found that Netty was vulnerable to the
MadeYouReset DDoS attack, a logical vulnerability in the HTTP/2 protocol
itself, and to programming errors which enabled request smuggling attacks.
Additionally, Netty contained an SMTP command injection vulnerability due to
insufficient input validation, potentially allowing remote attackers to forge
arbitrary emails from trusted servers.
The security update for bookworm also contains the fix for CVE-2024-29025. Julien Viet discovered that Netty was vulnerable to allocation of resources without limits or throttling due to the accumulation of data in the HttpPostRequestDecoder. This would allow an attacker to cause a denial of service.
DSA-6159-1 imagemagick - security update
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to information leaks, bypass of security policies, denial of
service or arbitrary code execution.
DSA-6158-1 imagemagick - security update
Multiple security vulnerabilities were discovered in imagemagick, a
software suite used for editing and manipulating digital images, which
could lead to information leaks, bypass of security policies, denial of
service or arbitrary code execution.
DSA-6157-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-6156-1 gimp - security update
Several vulnerabilities were discovered in GIMP, the GNU Image
Manipulation Program, which could result in denial of service or
potentially the execution of arbitrary code if malformed XWD, ICNS, PGM
or ICO files are opened.
DSA-6155-1 spip - security update
It was discovered that SPIP, a website engine for publishing, would
allow a malicious user to access protected information, and perform
various SQL injection, Cross-Site Scripting (XSS), and Server-Side
Request Forgery (SSRF) attacks. In some cases this could result in
arbitrary code execution.
DSA-6154-1 php8.2 - security update
Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in denial of
service or memory disclosure.
DSA-6153-1 lxd - security update
Two security issues were discovered in LXD, a system container and
virtual machine manager, which could result in the execution of arbitrary
commands via malformed images.
DSA-6152-1 thunderbird - security update
Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.
DSA-6151-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-6150-1 python-django - security update
Multiple security issues were found in Django, a Python web development
framework, which could result in denial of service, information
disclosure or SQL injection.
DSA-6149-1 nss - security update
Clay Ver Valen discovered an integer overflow in the AES-GCM
implementation of the Mozilla Network Security Service libraries.
DSA-6148-1 firefox-esr - security update
Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, sandbox escape, bypass of the same-origin policy, information
disclosure or privilege escalation.
DSA-6147-1 pillow - security update
Yarden Porat discovered that missing input sanitising in the PSD support
of Pillow, a Python imaging library, could result in denial of service
or the execution of arbitrary code if malformed images are processed.
The oldstable distribution (bookworm) is not affected.
DSA-6146-1 chromium - security update
Security issues were discovered in Chromium which could result
in the execution of arbitrary code, denial of service, or information
disclosure.
DSA-6145-1 nova - security update
Dan Smith discovered that nova, a cloud computing fabric controller,
calls qemu-img without format restrictions for resize, which may result
in unsafe image resize operations that could destroy data on the host
system. Only compute nodes using the Flat image backend are affected.
DSA-6144-1 inetutils - security update
Ron Ben Yizhak discovered that the inetutils implementation of telnetd
didn't sanitise the CREDENTIALS_DIRECTORY environment variable before
passing it to the login binary. This could be exploited to bypass
authentication and login as root.
DSA-6143-1 libvpx - security update
A buffer overflow was discovered in libvpx, a library implementing the
VP8/VP9 open video codecs, which could result in denial of service or
potentially the execution of arbitrary code.
DSA-6142-1 gegl - security update
A heap-based buffer overflow was discovered in the RGBE/HDR parser of
GEGL, a graph-based image processing library, which could result in
denial of service or the execution of arbitrary code if malformed files
are processed.
DSA-6141-1 linux - security update
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.
