Apple Security Advisory 10-28-2024-4 - macOS Sonoma 14.7.1 addresses buffer overflow, bypass, information leakage, out of bounds access, out of bounds read, and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1

macOS Sonoma 14.7.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121570.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: macOS Sonoma  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved validation.  
CVE-2024-44270: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2024-44280: Mickey Jin (@patch1t)

Assets  
Available for: macOS Sonoma  
Impact: A malicious app with root privileges may be able to modify the  
contents of system files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44260: Mickey Jin (@patch1t)

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreServicesUIAgent  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with additional entitlement  
checks.  
CVE-2024-44295: an anonymous researcher

CoreText  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

CUPS  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to leak  
sensitive user information  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2024-44213: Alexandre Bedard

DiskArbitration  
Available for: macOS Sonoma  
Impact: A sandboxed app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2024-40855: Csaba Fitzl (@theevilbit) of Kandji

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44289: Kirin (@Pwnrin)

Foundation  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Game Controllers  
Available for: macOS Sonoma  
Impact: An attacker with physical access can input Game Controller  
events to apps running on a locked device  
Description: The issue was addressed by restricting options offered on a  
locked device.  
CVE-2024-44265: Ronny Stiftel

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

Installer  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: An access issue was addressed with additional sandbox  
restrictions.  
CVE-2024-44216: Zhongquan Li (@Guluisacat)

Installer  
Available for: macOS Sonoma  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44287: Mickey Jin (@patch1t)

IOGPUFamily  
Available for: macOS Sonoma  
Impact: A malicious app may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44197: Wang Yu of Cyberserval

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44175: Csaba Fitzl (@theevilbit) of Kandji

LaunchServices  
Available for: macOS Sonoma  
Impact: An application may be able to break out of its sandbox  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44122: an anonymous researcher

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44222: Kirin (@Pwnrin)

Messages  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved input sanitization.  
CVE-2024-44256: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44159: Mickey Jin (@patch1t)  
CVE-2024-44156: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44196: Csaba Fitzl (@theevilbit) of Kandji

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44253: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Kandji

PackageKit  
Available for: macOS Sonoma  
Impact: A malicious application may be able to modify protected parts of  
the file system  
Description: The issue was addressed with improved checks.  
CVE-2024-44247: Un3xploitable of CW Research Inc  
CVE-2024-44267: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44301: Bohdan Stasiuk (@Bohdan_Stasiuk), Un3xploitable of CW  
Research Inc, Pedro Tôrres (@t0rr3sp3dr0)  
CVE-2024-44275: Arsenii Kostromin (0x3c3e)

PackageKit  
Available for: macOS Sonoma  
Impact: An attacker with root privileges may be able to delete protected  
system files  
Description: A path deletion vulnerability was addressed by preventing  
vulnerable code from running with privileges.  
CVE-2024-44294: Mickey Jin (@patch1t)

SceneKit  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: A buffer overflow was addressed with improved size  
validation.  
CVE-2024-44144: 냥냥

SceneKit  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to heap  
corruption  
Description: This issue was addressed with improved checks.  
CVE-2024-44218: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Screen Capture  
Available for: macOS Sonoma  
Impact: An attacker with physical access may be able to share items from  
the lock screen  
Description: The issue was addressed with improved checks.  
CVE-2024-44137: Halle Winkler, Politepix @hallewinkler

Shortcuts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44254: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sonoma  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

sips  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44236: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44237: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-44284: Junsung Lee, dw0r! working with Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44279: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44281: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

sips  
Available for: macOS Sonoma  
Impact: Parsing a maliciously crafted file may lead to an unexpected app  
termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44283: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Siri  
Available for: macOS Sonoma  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

SystemMigration  
Available for: macOS Sonoma  
Impact: A malicious app may be able to create symlinks to protected  
regions of the disk  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44264: Mickey Jin (@patch1t)

WindowServer  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44257: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Spotlight  
We would like to acknowledge Paulo Henrique Batista Rosa de Castro  
(@paulohbrc) for their assistance.

macOS Sonoma 14.7.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcf/9kACgkQX+5d1TXa  
IvrUURAAwGoAU3ccWvDjKZw0r1ouPDWXvLoCzcHx1nQm18Usoo+GOevgBlJflGAz  
i7H8nUldqtFy3YW/Ttr0/B0ILhPZf/OzVmE4XqwjqNKXI5a7EvC9A9aLUjjcqNV9  
JY6We0EDT+zlOfKaG1SrKhSA7Iqm7sJ6euWotsf3SaJPtVdhabi6rQzi1G5aihsq  
B7w+2uLYg5ctywkwbm8Rl3XmorMIwrTrOokYhx+rZMaZwQGnB8UNrVksdaqaBQHU  
ak1t71gonnGcJxhy9ceK85xk+WwlCItpUGIvWvuvLBX/MxMZzdwIzoIP2SGNh8nV  
SYYmpbdM2fpAbX0gZQBU3zPPZIoi2pyCV37sV2VIgTtjPLVYBrB2XJXPnIU8pmHA  
Abrv7gE6oRY1gJHks1w3iaw8cBMhDVvFd9hr9qfCHikbKsFHfan4oYAQK4SHvxFB  
N9rRrgzGcpDP6l0WT+ae/LmLJHjJpzbu2XuNS2s6h9ohRFwyKXJ70dQku4w/YQIV  
4dciPFkiwNpd3bQpak82bPaIko/ihLT66y6pyi+SfYDfEBgEH45VvuxhZT9+u9z0  
+mxRIc+sPCD4avvt5bU/7q/wDIs0dAW6fjeFo8+KiM9JRPwNbTW+VPpr6QWH6JIy  
BpAEQH9m0WtlqVFurN4oQWOLnO+dUYKSPYS+QZufDfsLGpO+YtY=  
=LeMo  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-4

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

I2P 2.7.0

I2P 2.6.1

Apple Security Advisory 07-29-2024-8 - tvOS 17.6 addresses bypass, information leakage, integer overflow, out of bounds access, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-07-29-2024-8 tvOS 17.6

tvOS 17.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214122.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AppleMobileFileIntegrity  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40774: Mickey Jin (@patch1t)

CoreGraphics  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40799: D4m0n

dyld  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious attacker with arbitrary read and write capability  
may be able to bypass Pointer Authentication  
Description: A race condition was addressed with additional validation.  
CVE-2024-40815: w0wbox

Family Sharing  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved data protection.  
CVE-2024-40795: Csaba Fitzl (@theevilbit) of Kandji

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: This is a vulnerability in open source code and Apple  
Software is among the affected projects. The CVE-ID was assigned by a  
third party. Learn more about the issue and CVE-ID at cve.org.  
CVE-2023-6277  
CVE-2023-52356

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40806: Yisumi

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40777: Junsung Lee working with Trend Micro Zero Day  
Initiative, and Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2024-40784: Junsung Lee working with Trend Micro Zero Day Initiative  
and Gandalf4a

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A local attacker may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-27863: CertiK SkyFall Team

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A local attacker may be able to cause unexpected system shutdown  
Description: A type confusion issue was addressed with improved memory  
handling.  
CVE-2024-40788: Minghao Lin and Jiaxun Zhu from Zhejiang University

libxpc  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40805

Sandbox  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed through improved state management.  
CVE-2024-40824: Wojciech Regula of SecuRing (wojciechregula.blog) and  
Zhongquan Li (@Guluisacat) from Dawn Security Lab of JingDong

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 273176  
CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 268770  
CVE-2024-40782: Maksymilian Motyl

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 275431  
CVE-2024-40779: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 275273  
CVE-2024-40780: Huang Xilin of Ant Group Light-Year Security Lab

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack  
Description: This issue was addressed with improved checks.  
WebKit Bugzilla: 273805  
CVE-2024-40785: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40789: Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with  
Trend Micro Zero Day Initiative

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmaoIFQACgkQX+5d1TXa  
IvrqRg/+Klv/Cy1M7Ii5T/jTDQ9ggrY36CjR6GJaFwXMlC++eNYidc9LeVNU72PI  
F7GpQ6ZntYJZzEm1YGUOjkU38IYid5lnfDQHsfTTm8Pzmk+1vbcLDYEfsoeGK81F  
7qcirUzseRYBmvbei2X2HqiGh/bLJgHUb433lDPQcVIUNmvdYuGtaDYNnbhOJ80u  
+LET8E2GjIVWY15ZtSHC59OctUPtI6l6HrncqLTjXegePCqLC2Z4BIGmnPoyOGSf  
zTgFXSfekwZ/5y6PKPhDu+NgrrCI+IhP20mO0pj2IhQgd56yEdF6P7dYrWlElQmi  
/MoMZTzfxQPBzHxcfmG4ANqMSJzE3oZ737r32o4dwsdIiBJ9JG+UV9722kk+CH+7  
NKN1GBxf05kEXXJ+Y4c9VyCMQVxW9RaPQic89WoWA7JQsrmah8osHFnxTxL4d12X  
cR5JohihgI+EE4N+MqlT/CKE+0r/Oy6yalRCJQugA1fBQiIa57twRK3+sGQUqtn0  
fI2PmXTkF47pm9ed7foE+XtknEerfvGruWH3SUAKo46Q3yUGvR1cQ4v1lzXG51AR  
+6rV79CKWRztAqXS6uermURsTBcUDnnHH+9HH+2kLOyNuQ/F6Th1Ng1CUWrMJeSf  
eE1sp6m+eR3uuUPwfEPZwJxhlUlZj4kaQE8gipr3DBrZFCJY6To=  
=prdc  
-----END PGP SIGNATURE-----

Apple Security Advisory 07-29-2024-8

I2P 2.6.0

I2P 2.5.2

I2P 2.5.1

Debian Linux Security Advisory 5655-2 - The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5655-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
April 16, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : cockpit  
Debian Bug     : 1069059

The update of cockpit released in DSA 5655-1 did not correctly built  
binary packages due to unit test failures when building against libssh  
0.10.6. This update corrects that problem.

For the stable distribution (bookworm), this problem has been fixed in  
version 287.1-0+deb12u2.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYe2O9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QK0RAAkGuh1qsgWCu60JxMYZjfeSyA/w+MlKlwANHCA74QbsvqOyadjrtdxRjK  
EgKRs8Gz7H8o3bpuVE/4mWkIyDjsn9yZeFlro/6wf3yGsxEL7I2MlKWa56A6hNJD  
4dCgdo9gKqcDR7YOpknemN7F8VElUINFjBHzQ6vzm+HMneg4JC3Nhh1TZfNj/trT  
em/LLoMb9VDHutpv8T0OQwt1tgUxfOfxKDFTsLzjxzYwBfAHqJPu/MZrS1kj15iU  
HK9nouDw7hYOx0FzTBhlobNnLod8kYN+McUMkiux84lv8PyYE3sxiDlTYcGeG+0n  
XQ4FHxB6wdolaGKRCwt8t3Bt1uTPvbDYwii6eDmjNLrSFnjbJlfihaVkng9fXb6R  
kfRHRWhcT15/Yv8GmJUAN7/vNlzPEAXkbXmP3O/MmrLymjsyC4p2Oo8PfKn1biK0  
K0s0BrGMd60DvrD6L07ntF0IfF7qoNvYwZLF3ELsXe/h9dlaNtqDHMG2O1OZNB/M  
VYW6S3reytzexMuqUtKPB2kAZeuiIK6iTJNLU7v1ZWPfHp2ApK3yGxTCXrNj3Ufa  
kO7Tw0g6w3xIvlxLjHPZ/V9TxBB75i2PmxQMLIk4VjAMY93I6XmESFhI4Me94oQw  
xYRGVjCCHd8J5Ky4VTgnS66Um2KUkF+nGCZLudTDVeyPzNBh9hk=  
=b5VL  
-----END PGP SIGNATURE-----

Debian Security Advisory 5655-2

I2P 2.5.0

Debian Linux Security Advisory 5587-1 - Two security issues were discovered in Curl: Cookies were incorrectly validated against the public suffix list of domains and in same cases HSTS data could fail to save to disk.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5587-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
December 23, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-46218 CVE-2023-46219

Two security issues were discovered in Curl: Cookies were incorrectly  
validated against the public suffix list of domains and in same cases  
HSTS data could fail to save to disk.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 7.74.0-1.3+deb11u11.

For the stable distribution (bookworm), these problems have been fixed in  
version 7.88.1-10+deb12u5.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWHL5wACgkQEMKTtsN8  
TjZQ6g//Vkn19s5W4JDyQToH46D/GS8HU0yFFxl2FCTaQNVwipu0/o7MXJhn/bGP  
SvSJUXXszXOrYNQXNLxnAb5HLkG98FZD+SNMLhz329ggYnUa3yOYjFnU5xbacRQV  
tw7UN79ouX8bPCE6zJMuGqC6aA6JC7/RDTw15E3nqHeUtZagRK/y6Pp6lOXBveo0  
+fRb3opi+hMeSMr4QC+zw2pAxCYn2mRaZl7a42vxZ4iiuEfjTxMzYdJZSqosmd4a  
PIMcYtl8e1AmyDxD154rOzIVMobokcgx1CCmpPYbipiCuY2mp1Srm9GttSQSRTR0  
buk0GJxjcsk+QU6HNJ58UHHSGiVhWlMr370kT3cotO0YDvtVBeF8vSdrP8zmNoKQ  
IyBW9WP56XHgUvd+t7YN7tlUH11r9yZBZ04DAgGmW/QzLu6JHzmwKJx9JxxDr34y  
Y+mimCp9wI/ft3C0i/uarT1q6AsXA/LNXc1pqdU8QuXrJg2lAaMqqU8YT8l6iVi5  
i169oP0oezvOii5R/vw3cd/zzpKsNVwLyZfUWATYLRqzpbUbr94MsPCS+7fKOawY  
hCnAhUxx6/aDIWZmlVXkFtxbkskkBe9TTgc4nD0WVev7gPyImzSKzoaWYRMnsGMV  
DbdJgai96T4lXYI2PM2Gh4mZDdjqC4jubvSKJaM4MNF5Pq6VHf0=rARX  
-----END PGP SIGNATURE-----

Tag

#i2p