Debian Linux Security Advisory 5574-1 - Reginaldo Silva discovered two security vulnerabilities in LibreOffice, which could result in the execution of arbitrary scripts or Gstreamer plugins when opening a malformed file.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5574-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 11, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libreofficeCVE ID         : CVE-2023-6185 CVE-2023-6186Reginaldo Silva discovered two security vulnerabilities in LibreOffice,which could result in the execution of arbitrary scripts or Gstreamerplugins when opening a malformed file.For the oldstable distribution (bullseye), these problems have been fixedin version 1:7.0.4-4+deb11u8.For the stable distribution (bookworm), these problems have been fixed inversion 4:7.4.7-1+deb12u1.We recommend that you upgrade your libreoffice packages.For the detailed security status of libreoffice please refer toits security tracker page at:https://security-tracker.debian.org/tracker/libreofficeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmV3VjIACgkQEMKTtsN8TjbwORAAuB60r1xUa5p57zhnUoQUsbnl/TvmwcHNX9mL8AgXgwN2ni0j5YdwpVbPlAuMHf/LaoHrOeHQM+rxV9ATErW28I7hHc2Iyys9nUVv8vKwqhu5U1bTloNUIH4tUcqxZS49ydLgAV6YqcycPJZMXQBq7N4rcWLf0oIS+3aR3ZW1bPcydOQuLUe9eTT19V8hSpn3w58xKn/f9kfhvCW4xjm8TICMqmHGFznUgr2zUvFIIL4jlQyWIOtC8vcvX/PGr5hCVOiUeFgnGltiEe6KKJoVuBzrO1FDnewVetsqzqUlWzJ4djyMiKn0rFDnvoo0DNA1HO32jQi1KNDmPYSyRr5h3VneYJSAfUdpW3Q5pX2KxaCgzKGLV58rr+qyfzEd9Z2DqCP9tiBYZmzFQRQ7WsTHiKHV1gKD+jTVO0thpGAZvh5XLS5JBs7FnrlVx4DCaXQLkLhshv9dsevSq2ssyzcfhUCuvA5m+tbXeZGmukulwH70sUZSCj2Uz7bNniUWUfu/kM/Y8SmynZYvNO0+daVAn32EY7xXmnTvNykRRuXDkL0r7mE4UXLfbWPisEZbANWHJGWeVT3Ucbroko66UMnygl/0TIzqZifo3wJTBEEVExmVlvunsnnsdl0xZPm2DUMhs/3T5xd0nP0ySCzM1BsF302PocN+I9M/LkaMhk6/X0U==yhb9-----END PGP SIGNATURE-----

Debian Security Advisory 5574-1

Debian Linux Security Advisory 5573-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5573-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonDecember 09, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6508 CVE-2023-6509 CVE-2023-6510 CVE-2023-6511                  CVE-2023-6512Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), the updates are pending andwill be released shortly. When completed, fixes will be made availableas 120.0.6099.71-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 120.0.6099.71-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVz/oUACgkQZF0CR8NudjeHiQ//b6jyIAPFtBShCoAqRE22aN0RvzWR2BNs0Dl7CaZxMf+/+W/c0dXH3P9UtfEDv4Wcf6l6N3SSwAkCSwQx/Fr1T3Fpm2Qgv4C1fBibU/HMK/McE47Ua22MD0ZZhuuVx6kiG3rmvlH0tfi7N9oBa+6MdlUbps2PAsa7sII7BGReYvj90z80HlPPFbSc94aw/5ywL1+14CqWEdnyRxRJj5Jk0HWolyuSAItdNF3fxExweSeYHha0UKJXwK8449833YdWXl3htjrrM0nqjOfkponeq8GbPUXXaV0hIHU0Vu3nRJ26rRiFsV9UV1gzc3JRihndHizFD+gnas2KI4EiMwFDns6u2yJv7r2YLcTGfamnPuBnwsiCFfphXA1h/1GUrhCPxxRZCXdRUS5DakiaXGNS9HhC6ELcwhMKY8YcQ3CFBubi+5Jj+nUXL+n98F1m6UwJ08KBPXMKAlNhqVlsoJ4vyPD0UlKxjsPXynnnGe0c+YJlnK4+Czo/rzTwhqPy0kStMea3I9jpsgu9iQuNODKiC1xrxt0G8iaaRePwaX/IbJyjw/8lumhMkTvQ8Os5HlZAZSiHRQUgYVonOup+QywJqidkDRqsp7dsz7yrR9n/k7H5j6/XjXkZRnb4BcB3AMJkyBy7wqL8r9UCTwBD5zdfYk3VrDqJ/Klg+tEFeRbNvik==t7or-----END PGP SIGNATURE-----

Debian Security Advisory 5573-1

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

CVE-2023-28874: Seafile Community Edition - Seafile Admin Manual

WinterCMS version 1.2.3 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Stored XSS in WinterCMS 1.2.3 Plugin Components# Date: 12/7/2023# Exploit Author: tmrswrr# Vendor Homepage: https://wintercms.com/# Software Link: https://github.com/wintercms/winter# Version: 1.2.3# Tested on: debian 9PoC   1. Access the WinterCMS backend at http://localhost/backend/cms.   2. Navigate to the Plugin Components section.   3. In the Markup Code input field, insert the following payload:   "<sVg/onLy=1 onLoaD=confirm(1)//".   4. Save the input and click on the "Preview" button.   5. The injected script executes, demonstrating the XSS vulnerability.

WinterCMS 1.2.3 Cross Site Scripting

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

CVE-2023-41913: Releases · strongswan/strongswan

Debian Linux Security Advisory 5572-1 - Rene Rehme discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly set headers when handling attachments. This would allow an attacker to load arbitrary JavaScript code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5572-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondDecember 04, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2023-47272Debian Bug     : 1055421Rene Rehme discovered that roundcube, a skinnable AJAX based webmailsolution for IMAP servers, did not properly set headers when handlingattachments. This would allow an attacker to load arbitrary JavaScriptcode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.4.15+dfsg.1-1~deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 1.6.5+dfsg-1~deb12u1.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmVtkOQACgkQEL6Jg/PVnWTxhQgAimG1yVgg/Ic84EQIqpB014hb/ev5RzapM+xJ5Dwwb1Xs7HMNsvqYBBeXLNIbXgNKkSGF38k3MP2A9aBwyKMV256SVEtKUkiAzCQhX3xsUB5EkpNMXv0GRs9ksjjj/ATwChVVlz5OusTtuDpog44RYGH8CXJTuAVemK2GusdgkrsMu1EvGr7JhtMvjiFW5uYFjI+ADp5KcoIl3AtLCdYhDHz/p687Ze1vJQ0v18jiS2mUMvF7zd8SmwA4uLPAcLIJ+KCyd8A+LYzyWbHVxbxIqMxmuAjQ7TrOH3oE5Be5jN9ShKJv1pj50P2i5/g4H+e5fQ6gQm8oF1CMVJubS1NpIg===KGev-----END PGP SIGNATURE-----

Debian Security Advisory 5572-1

Debian Linux Security Advisory 5571-1 - It was discovered that missing input sanitising in the HTTP API endpoint of RabbitMQ, an implementation of the AMQP protocol, could result in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5571-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffDecember 01, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : rabbitmq-serverCVE ID         : CVE-2023-46118It was discovered that missing input sanitising in the HTTP API endpointof  RabbitMQ, an implementation of the AMQP protocol, could result indenial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 3.8.9-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.10.8-1.1+deb12u1.We recommend that you upgrade your rabbitmq-server packages.For the detailed security status of rabbitmq-server please refer toits security tracker page at:https://security-tracker.debian.org/tracker/rabbitmq-serverFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVqQcwACgkQEMKTtsN8TjYyAg/+JsQaCGn5vhqe5bKN6WmJpnfR+WYTx9FtAfitkOcBb+s+g0dWudOS1kDCIn+gUtelwMXozX1uAt3XNTicHCY9tRaa8fNXG2nAkwq11p6Te20ZO1tbg6/OOtmlFsXO2yGszhWaqUwkw9GseSBpVyu5lr0cdFIrqdelzGFwXdAiVnlV5rWbvC1IgsWyL6dZLs+OZcrnIvPEG2lRHt8+0dvFh0p4bwFpKJXxnmBREMXH46D/RgyejkxNkqntacLala7coqO4ePsYFrCeXrP1IoC8VRtk5iz1jFSOqiPQY1q9nG10iiL2CnOPAJ8w6H5kEzoP8zHzZo2pWvcmQVtzaQ3IEh8xhF/jkiw248Fzf6spjxRM2Pa6XXtWmpUtNNQUps8vzbQOC7gNPDvYsy8ZgE7HlOj+fzG0v9Ny3YGPUTfG6Ag98pOZtko/QO8v5MIiYlMwxEb57wotAYXXYELO4IW6SI8EGisT5oaNjCfKRGDdg83GfUnhVPC2lT9jf29RbECgxjFh0YHV0Kd4sLzWKxV8eXtSMYi2aZCdahoyuk/9JejoevgdgcudsBaJLEXCNepqwpYdLyPxYAySpuo3WzyVgzjbR94zQGH1Z1xAumXdnFNhQH6riomKERZUwg7tUWcOGCyu1ey/h2+zaHPscvSm0DmlZS2lXMgpY3OQTfFsXVw==vX+w-----END PGP SIGNATURE-----

Debian Security Advisory 5571-1

Debian Linux Security Advisory 5569-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5569-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 30, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6348                  CVE-2023-6350 CVE-2023-6351Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.199-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.199-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVouqQACgkQZF0CR8Nudjdmtg//WecYaNpTK78jbWWKXpBZaX5w5XN4gbYH5ky4g1uuyi/ux2U17ynh0b0Q50j5iX4g3obOch8BwNxLDIvsjNoWL30LU6DeiDVBfOP+w+sjMQLUDwI0YU6jW2kYyLnrOUUYEECEE7lIEnMogxVN/o4JESfleShgEgAlDayHfuL4BxwgiqsIM8PZgCVSCtrDamNBbLE7X9FXHPb32mcqUXYh5WoSIPjgo45pOWlUCSizMXBQ47BCm8iuQq38TCIscfvZhjwF7bWrP8NHRimFd1RnQtbQpLsKufJBllnHby7mM1U2+jUq8GIKHpFy2jTQ6q42x5P65H0q6MxOelDkAmdMMOBt68vVgvZ8zIgmpb5/RoIzZNtioPUkpmzFal5/vHTbE1dmIuylffnPOoM4wF16xG6Fs61HuhRWZscrBCflkIuL3UF7Y3rdIyGdyV7Unm2X8fkhVJ00PKg+qC2E73udBYFfTDlvrh8uHf68x12OrmOuNkd6JdNocCnW/se9wVFqLjtyzew//aXC2D3STuyfGMgt9LnGWJDqJx7Lbr+Fp1BCPYPNkinobkjEKKyvx9unR8tM14K16Pf+84xSX/FKpQagcSZ/koqeUjyJ0QpNUC1IuOMrRNgmW6PspLehwd3WExRnclzCsKuE7oNtla8Rjsap3bOGrfBOVeqYA1FjieI==Qn+X-----END PGP SIGNATURE-----

Debian Security Advisory 5569-1

A serialization vulnerability in logback receiver component part of 
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service 
attack by sending poisoned data.



CVE-2023-6378: News

Debian Linux Security Advisory 5568-1 - It was discovered that incorrect memory management in Fast DDS, a C++ implementation of the DDS (Data Distribution Service) might result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5568-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 27, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : fastdds  
CVE ID         : CVE-2023-42459  
Debian Bug     : 1054163

It was discovered that incorrect memory management in Fast DDS, a C++  
implementation of the DDS (Data Distribution Service) might result in  
denial of service.

The oldstable distribution (bullseye) is not affected.

For the stable distribution (bookworm), this problem has been fixed in  
version 2.9.1+ds-1+deb12u2.

We recommend that you upgrade your fastdds packages.

For the detailed security status of fastdds please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/fastdds

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVk6wsACgkQEMKTtsN8  
Tja2FRAAqpa1Zek52KcYiyQSucpEe6ZLajVfzKeGKvieFrfcf491GDYno3sQhF5w  
2uWRyZ3I1OjJk9uuFWj4ql2IwNs3nudefqR8OCEQk4oSZfnWBX4UWTMiuCncE1+g  
YobKkoWlGDGjpS36lT/GX+L9nfq46ERgZYPqQJjLb6xU+vJzGMo29LVGVDliF4VX  
5n7DZlVbnAWb+swXPp0sIIV/F5EPpdgbygisPSAVynCxF4eFqxQfiCOpkXkBdzKF  
27RSsJQJggfDaXiz11t8zkhWWJQU3pDyrRn79NfkyXc0IPNH4q2C0+vQZ4bHQLFD  
8NuoQqZ5Olqx9Z742z8+jXWpphP7nvEcEhItNFnZNE3EBqJ8T8Aum1NWC4vRSQIR  
8G/Ii9pd8dU7yTBGNbTSqyM8yTzMu4oEuvT309YVC4q3E2P51ZwUpgr7edPZRsXy  
+T8DgzVGgyB+iSVhxmmlUK0encc9O3JfVb0a8mCfM2DUSICJCTkXPYpZB5N4En57  
g8P/AF2u74Rq/y/SFwoJAZyE789wXDQOLTZJSQBmFbCSL+mLNe/8W8ZAl75TS2fE  
2YulahAVceLuy64TLXnOGNHmUiWFeoSY7Ad/NSQyjpCssPP7VcC5sJC94YgEsFey  
2/0mf72nviY4cT5K7D8f2cVnTR74Tc4ICVxbe2SMect/x8IRP/E=  
=eh2N  
-----END PGP SIGNATURE-----

Tag

#debian