#debian

Debian Linux Security Advisory 5627-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

### Summary Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542) was merged, I can create a reproducible crash when running the snippet under PoC on a current Debian bullseye aarm64 on a Raspberry Pi 3 (I was **not** able to reproduce this on my x86_64 Laptop with Python 3.11; I suspect because there is enough memory to allocate still) ## Details ### PoC ```py import json import concurrent.futures import cbor2 def test(): obj = "x" * 131128 cbor_enc = cbor2.dumps(obj) return cbor2.loads(cbor_enc) with concurrent.futures.ProcessPoolExecutor() as executor: future = executor.submit(test) print(future.result()) ``` ``` malloc(): unsorted double linked list corrupted Traceback (most recent call last): File "test.py", line 14, in <module> print(future.result()) File "/usr/lib/python3.9/concurrent/futures/_base.py", line 440, in result return self.__get_...

Debian Linux Security Advisory 5626-1 - It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against PDNS Recursor, a resolving name server.

Debian Linux Security Advisory 5624-1 - Mate Kukri discovered the Debian build of EDK2, a UEFI firmware implementation, used an insecure default configuration which could result in Secure Boot bypass via the UEFI shell.

Debian Linux Security Advisory 5623-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.

Debian Linux Security Advisory 5622-1 - It was discovered that a late privilege drop in the "REFRESH MATERIALIZED VIEW CONCURRENTLY" command could allow an attacker to trick a user with higher privileges to run SQL commands with these permissions.

Debian Linux Security Advisory 5621-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service.

Debian Linux Security Advisory 5620-1 - Two vulnerabilities were discovered in unbound, a validating, recursive, caching DNS resolver. Specially crafted DNSSEC answers could lead unbound down a very CPU intensive and time costly DNSSEC (CVE-2023-50387) or NSEC3 hash (CVE-2023-50868) validation path, resulting in denial of service.

Debian Linux Security Advisory 5619-1 - Two vulnerabilities were discovered in libgit2, a low-level Git library, which may result in denial of service or potentially the execution of arbitrary code.

Debian Linux Security Advisory 5618-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. An anonymous researcher discovered that a maliciously crafted webpage may be able to fingerprint the user. Wangtaiyu discovered that processing web content may lead to arbitrary code execution. Apple discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.