Debian Linux Security Advisory 5533-1 - Multiple vulnerabilities were discovered in plugins for the GStreamer media framework and its codecs and demuxers, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5533-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
October 24, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0  
CVE ID         : CVE-2023-40474 CVE-2023-40475 CVE-2023-40476  
Debian Bug     : 1053259 1053260 1053261

Multiple vulnerabilities were discovered in plugins for the GStreamer  
media framework and its codecs and demuxers, which may result in denial  
of service or potentially the execution of arbitrary code if a malformed  
media file is opened.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1.18.4-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in  
version 1.22.0-4+deb12u2.

We recommend that you upgrade your gst-plugins-bad1.0 packages.

For the detailed security status of gst-plugins-bad1.0 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/gst-plugins-bad1.0

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU4L/BfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TxqQ//eRO99HAGSxBpe+slujteJrf9SkyJBdolvoEvz2ZjbiDVSJlwcGdpeYI+  
61ADafQx5L/klbx9FJoiIgRq9OtfzQMAMH3RBhL637EuzFOeQBwBWAQBqs6/MAbi  
tiYrFusMxPUsxt8EEBCrDZSCOgyW+HOP2nKnmxsx1LnVvYbdHF15m7hRoj6SKvpG  
Kf8oCHzFKG+4iEKzrSPPRjxVe1ao7I1/xzVPvDN6pFibj3wNNBRM+a5KyHpaAcpw  
F0V9yT+qYr9FJQEaaIk3rx5JtzNw1KHn8qds8wTZh71mGRI8WkAls8DeKNAE4xtz  
SGF/SLAUfKukRdYYk2IKe2zLzcrn/KCq9wcdGLOm2ufKJNeiNZUHIr0GxIf/hPOa  
Kh6yauX7CbUPbYlMRvG1ikt5i3uywNoaClyRXv/8viYrZJC8FfW7Q702UrbBzXzc  
fkG2jhYXboaZmaMZeX/jXp1tw/GmOvZoPkxQfaf9QHG57ly3gu132dKezzAmXQS8  
DHrDFvTqL8QKbS9532YvMsS6/JTMqnoZ6ykcSjgXn1pOedxENxA0xw6S0K9aV4PJ  
CR9i3DK7CRe/Sf53IlK6+zhsBgrXce3TU8EOAz9PavICEedVaOSIwnW/uPyxQlNe  
omGF2ka6RC4NvK42/i8SioDWNHtVpUYA/L6hhRrLXP2V9hGHznU=  
=GYlt  
-----END PGP SIGNATURE-----

Debian Security Advisory 5533-1

Debian Linux Security Advisory 5532-1 - Tony Battersby reported that incorrect cipher key and IV length processing in OpenSSL, a Secure Sockets Layer toolkit, may result in loss of confidentiality for some symmetric cipher modes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5532-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : opensslCVE ID         : CVE-2023-5363Tony Battersby reported that incorrect cipher key and IV lengthprocessing in OpenSSL, a Secure Sockets Layer toolkit, may result inloss of confidentiality for some symmetric cipher modes.Additional details can be found in the upstream advisory:https://www.openssl.org/news/secadv/20231024.txtFor the stable distribution (bookworm), this problem has been fixed inversion 3.0.11-1~deb12u2.We recommend that you upgrade your openssl packages.For the detailed security status of openssl please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/opensslFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU4GHNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TXww//aymYKy2Mo+x2RSQkTt3ojSPDCR0nOfdMPy5yYVUQ0CL4NdngPvtGuTTbH2pdTOBo9RF0YJzCnVA1jCS2UBc//grcsnB3RkW2zzRZbXPTELsLow43/w/jo5lZvm4VYlxiYUiTzXS88LM4vUGPc62cDE+BzZUDOxsygvwqpqa248T+ZdhDFSoIyoCNWaTBjBmyhiqD7OMp4nv4ui6qX+srBbOrLNoiCbzStwbg03pi4WNrfCIKadIy5ibYFjLL73Uyp/mHj+C1OLotPiKV1CLkW1MsHZYhen4zTchTRNEMORsoVKHLvW/X+njEHCMmRfqIvF82EN+9fw33FGpiI70HLjyQIwVQ+NabJNLANOJG/w7NqVMPngQz7BNDddPOnKMXFpaxmlWM+LR7HBkArSOz/cUb3lpyCheL5rs07FZDGmGZZrHKcvuFKvwS4gvNoBSkNSMHMloAPcYI6SQsKk6ps62E55tzzhyAgIZChJYy4RH3azT/Ud2JohWedhN6ScXXYEOQpSePA6egfdY+2ZiH+WJnZu6yoX0WL4gbR2PQTysy/P8HMnd1QvE+OmzyfBeUPlYEBW7Wg/7u9vROGJEQWmbwbIWptV3/BBVh+b79AvegDARNvh6y+5aXVSbE5QHowfYzmwIASYIJoSggb6LQQY1h+SDVj/E6zlglxDE6qQ8==OgKn-----END PGP SIGNATURE-----

Debian Security Advisory 5532-1

Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5531-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondOctober 23, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2023-5631Debian Bug     : 1054079It was discovered that roundcube, a skinnable AJAX based webmailsolution for IMAP servers, did not properly sanitize HTMLmessages. This would allow an attacker to load arbitrary JavaScriptcode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.4.15+dfsg.1-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.6.4+dfsg-1~deb12u1.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmU2FhEACgkQEL6Jg/PVnWTgbQf/T08r3SQ/NFUpzs1/8k+euPOyysNFnW7JZ1LcI+ug5iF8RrdEVVuURZHK7i/SuRNomgEQbUyVpgSb9rb6z5qkc0k6gbfh2+KMRk0ViHhG1+tuEe1O99abXt+5LUQNtXWVMAniWWdbtdQeCBHWgxMpstarWq4akgCnx1Dj7Tj8PyX05+bYFpR79WMqCKypX4lz1kP8U3U5c0tPDi/zjuzGT1IvVSyWPesaNHzmD4ZMr9A/dcDBtxQ+kTaPN3GVPJoDG9TVOcHQTqcb2MmTQY5FtvQswVCXiEsugbmgOQ4wiUYlV90C8s4ALSxBBiv+mOUCKZH/mNNjNeHKADW+nOkOeg===TSzb-----END PGP SIGNATURE-----

Debian Security Advisory 5531-1

Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5530-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 22, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ruby-rackCVE ID         : CVE-2022-30122 CVE-2022-30123 CVE-2022-44570 CVE-2022-44571                 CVE-2022-44572 CVE-2023-27530 CVE-2023-27539Debian Bug     : 1029832 1032803 1033264Several vulnerabilities were discovered in ruby-rack, a modular Rubywebserver interface, which may result in denial of service and shellescape sequence injection.For the oldstable distribution (bullseye), these problems have been fixedin version 2.1.4-3+deb11u1.We recommend that you upgrade your ruby-rack packages.For the detailed security status of ruby-rack please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ruby-rackFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmU1FpxfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0SAig/+MS3miFMErKy2l1DjwlzjchJC0cyfMHdVn1mpWZMd3iRVuKqqhRt/GlLSXYFRaU6loJ69WqZGLdnDJtKiOUkJPip5BIL2EZccYdg7nDkvvXs6ATffnC11B/SnJ0N7YAYubtyE/924H+mLh+rpx5sMkmGWHKGssQzP1e2erpBl3FRIQcWm/E1PkvZY3VmRbSluAxb3nQ6+bm+5RDNZOzPtkFQkEuGFV4BNFYqh0JWO2lKLkdG6r8+SaeBGKq5i+WtuHxYEVLB1Go6mvyymh8vDq6Mfimfas9B9SYDKjdiU3VOLoiaXEkjepdQFzSm1QVyk9aYJ6Qb5yy8hrr8XPfVuqlumF+ACpsAK1wH+WtKdiQkdZsvFpcYKn5g4q3zMa8RSoDAEnnc9AmGGdDOT/5sdosby1XAlrO7EoVGuhzKR7i1CtAdmnvABwf1dVqv3Jrn6pg+1c278vFc/n/fyXaHiPolRhr4xSxaNiT0OQ/f+ZUJg5NAT8WIS355kefSzAWVpOYB4kMM3OcWWwohkYWf6WuUoZZsIKvdE8dnAhV6NYaChrS6wA3fiLoQu0U9m+4jdB0IDLy+uffIzYCfeFepyq/Gg8e6TIx/T8Rf1uX8VFAvqiBXc3oIlGQMfaulmQel8mGBXceLIMU+Ze0kRmMf3j5JLWotnKRFNDHAW11U2OWU==tPF2-----END PGP SIGNATURE-----

Debian Security Advisory 5530-1

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
"Some

Cyber Espionage / Malware

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called **Firebird** targeting a handful of victims in Pakistan and Afghanistan.

Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.

"Some code within the examples appeared non-functional, hinting at ongoing development efforts," the Russian firm said.

Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as **RTY**.

DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.

The latest assessment from Kaspersky builds on an analysis of the threat actor's twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.

The disclosure also follows Zscaler ThreatLabz's uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that comprises a previously undocumented Windows trojan dubbed ElizaRAT.

"ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint," security researcher Sudeep Singh noted last month.

Active since 2013, Transparent Tribe has utilized credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.

In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.

"Linux-based operating systems are widely used in the Indian government sector," Singh said, adding the targeting of the Linux environment is also likely motivated by India's decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.

Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.

Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that's capable of executing files and commands on the victim's computer, and receive files or commands from a malicious server.

According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with that of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan

Debian Linux Security Advisory 5527-2 - The webkit2gtk update released as 5527-1 introduced a regression that is causing programs such as yelp, liferea or gnucash to stop working in certain cases.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5527-2                   security@debian.orghttps://www.debian.org/security/                           Alberto GarciaOctober 20, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : webkit2gtkDebian Bug     : 1054101The webkit2gtk update released as 5527-1 introduced a regression thatis causing programs such as yelp, liferea or gnucash to stop workingin certain cases.For the oldstable distribution (bullseye), this problem has been fixedin version 2.42.1-1~deb11u2.We recommend that you upgrade your webkit2gtk packages.For the detailed security status of webkit2gtk please refer toits security tracker page at:https://security-tracker.debian.org/tracker/webkit2gtkFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmUyH/UACgkQAAyEYu0C2AIhCg/7BId/Qgv5kasQ8yZE0iPYI7cBsXq6dYAkwCzdLcE3JI7zKej9QtPrXOAp8dPdu5hMGrC/jOS0P+iVcFNCUeIr6VMAFXjHtmF4ZsjdyWBfhtNsU+IoSgGpFpGys3qlBiAjGnLAzfYs1qeMxwmf6+NLyh0x3Z3T2sRijchsJ8+mxIWH24XV4qmy86TyJ3Ce4KuDSV/W9+ATgEjar0HQXxTRVGAsFbReMzo4LPjVKC9Ml6cBXIXJ63N/5WLXSwgqtyeQoFytrS387rQngktg+5mjT9Ergi5O4BCNpSeZ4oXEmvrhS37R+urCx3Kb0ZrqLrQjp9dE1H1s308UQTtgxEqzZaq0Q6w8mHdJnkm7kW1Q9DBIGYs+sNTj/jsyBt3yw4KJsmoKLH7lToKCMlVxaPbLv6k/da1UnQDn/D+hyVeUs7WxCxQDWZcu+isaZABNt/GJ3i9AWtYDqCIRoXKSNOemX6gywhCFN83FERmZpzGekyCFM6t9GNU13QXzsz95xcCwncKAJvHVmu1t82MXjtojkPK148OWdueH5upsLl746JHI+K+oKjJ1XuhmaxGwiP4e65k5TBfcqdz8MVoE4oDlPi8tzr5FCo8TZ40WuN1vF11UqTBE6mRz43Kgc/DTAGBnl2u13WesvYW2WYBilcgUE11V7XFbU7pGw67Htruoi3E=/OcM-----END PGP SIGNATURE-----

Debian Security Advisory 5527-2

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

CVE-2022-47583: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-3                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 16, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-44487

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9  
introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong  
value for the overheadcount variable forced HTTP2 connections to close early.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 9.0.43-2~deb11u9.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUtrGRfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRklBAAg7AmsDgaOQ6E4PR41JewkEIlV/n/jfqEkhHXRxG9zG4yijcszgTcF3Ii  
rf3lBgytAMlSD7dRyy9HG6tRpgMTaajEgeAZdeL01mQf0JnJMg3WPZbkDV9kgyzy  
TMhKjMwaSi65nuBETud5OTZIVsnpaonWsQsTxjaIrbdGnQFJrr13cRVKrY8aT5Ur  
AxtxTFL8FGQxU+RgTehV5KMbtCY9kZhemwyQ6LRk1UstWhype8/ydK7UCaQEJ777  
zyl7ioGvv15GmZMMJCZ1zH0Z6FXlhbVDLCcVshJN3/ddlVTC9Xx10lCEx/hZY29x  
b6Stq/YMayZMoKQY2V3JeQbM3OMCPalpcPU+/WbhuX9eZuWHapnlyTwgsjQOVLNc  
prPfuUAAGCmNFuPMqN//EtmSQV5SP+dqJrwcGMxWDmuagB4qD9nbwtr1zNb5QJpK  
rK24yHlY3Pmu1yegPIeZIJxuFMc5N5cIDj7BfKY51nnV5kbHRshSacBmbm4Sxvfv  
lqEPeqZKogGIAXvmPSeC1gCoL0l98rKVOq3bc8+9z2TgB7W/vB60/IyM1pR8svPu  
+ShPWFh+tkWvt4PjgZ+qThM+xGkcMX12lhRDmFhs4rE8IQIDChiZWBMReggtw6Ii  
ETuYDmr5EAd5u5ymMyQmououeNKwRDi4AbGRPV7JddIVkcbUxgk=  
=ENCN  
-----END PGP SIGNATURE-----

Debian Security Advisory 5522-3

Debian Linux Security Advisory 5528-1 - William Khem-Marquez discovered that using malicious plugins for the the Babel JavaScript compiler could result in arbitrary code execution during compilation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5528-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 16, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : node-babel7  
CVE ID         : CVE-2023-45133  
Debian Bug     : 1053880

William Khem-Marquez discovered that using malicious plugins for the  
the Babel JavaScript compiler could result in arbitrary code execution  
during compilation

For the oldstable distribution (bullseye), this problem has been fixed  
in version 7.12.12+~cs150.141.84-6+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 7.20.15+ds1+~cs214.269.168-3+deb12u1.

We recommend that you upgrade your node-babel7 packages.

For the detailed security status of node-babel7 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/node-babel7

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmUtbwUACgkQEMKTtsN8  
TjYapA//Vuqb5K/bR0A/QrHahZ4kkNNHN/5ooZA+AWdb0wh2yMhEnRsBRn4dCR6y  
ZloOzHKq2GUFSFyQzOs3IdNKAiT4wfXsAHe1pOO/pH+cbJvKREHYKU3gq7oKlvih  
MZnAtXi4CsF2W+qnIUyOsF4q2JbcE5KYdK6zej7R+nu2IlSfddMoSbz/ogkmw64S  
doMM9KeAWNl53UM0pmOH38n7k3n3W4WI3xJq87tzB0l2QJEghNWB2UuqdnsSCxiU  
UBhrSAzIPGsvrq317e3sVmDtJcJKmTbKg38qwsojDF2fUyIWtn4VCJwsYG+yuGA4  
xousmIcKBheDoDmPBSU0uTxm4YxCtlVjAX664wKuCVrMWtCkII5xG4QQ+klpDjP+  
12zMiJY5+CrE+29Jfk4zYnIuu4wdp8pa0QVR4DStaxj9AHAZtlFBkz2BIbK6917G  
127QpuG+NaVHMWBkDDr5+DZOpzN4jIuRW+fM6oOtFzAWkzy5Hd7KdMVsUJGA4GFs  
ywfkRTnJC7DSsH+gVCzso/5hXn7q4LM5628A05X4+KAzQoc+wJT6p9o/VBGs7OcB  
/9nQF/AYSd2ISxF03ruZ+arHA/A8RWq0mxKY8jTGdJON2omKw5lmoZdQ2RYplVfH  
TZilImDfbdzCRRJwCnS9qqYb8p1ydM0WB4Jz21ZEI3jmEe/OyIE=  
=c0aQ  
-----END PGP SIGNATURE-----

Debian Security Advisory 5528-1

Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5522-2                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 12, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat9  
CVE ID         : CVE-2023-44487  
Debian Bug     : 1053820

The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and  
caused a regression when using asynchronous I/O (the default for NIO and NIO2).  
DATA frames must be included when calculating the HTTP/2 overhead count to  
ensure that connections are not prematurely terminated.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 9.0.43-2~deb11u8.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUoVnpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTdbw/+O6hd6miJKAJtK7QqgsstFL9TdqVLv8cLsOli5tobVkH+G00iXk6umG7E  
dzE7xekBXhR3rT/3rFw9AdJAl4wdiy7JySZGVfWWP+vLpBfnXX4tmIy8hCaoFc2d  
/IarTTfW9TZ+R166cB16m9UGPNP9beYqvx+kuuQlF4CRV/WWLGcpnZ/hiWb656BW  
BBsCh5Ig0BkBOundI44ofcWR2S/+4VQw0tNMEChqOJBkgNSVSD/IO/ia0n4Zy2so  
NvWVi7FMAE8xNz1afsjwY9opJXCAHZSKJjzVU9qRPNmwsdJMExP26E73cmSObSZo  
cUV95wFA6SFKoo5fWn5WSeC4BVGlXr0jrgE0kQy7NzPBM2KLmsB0l917ejdquHIy  
CFoNSmdX+mFJgmvBgtnvR1tFa2VgLZFMROYFSCf39XzBF0XmfiqVc5ejEy6yZRtg  
T9a8tA6yux8kzwC7aw+ZFfBfhmRcDt9m3hDlJO39ex7NP8Df9Wk++Jh2bIjj96LQ  
FH12q5zr4Dnyk2pG29MJbAgyCtYJrYubJR3XY97UhSva6uBOa92GYLjXjJVfcBQA  
UZ7vL2vIlwXF+7b/Xihb9mRAepPCKkHwROUGiFvVXnXNiNYUg84BZ1GhBTFo4M/G  
hoyYeUc8HrreGPsGY5dLoTwOqH6hUVnYbcLjwNV885FnH6Ccz78=tl0s  
-----END PGP SIGNATURE-----

Tag

#debian