Debian Linux Security Advisory 5813-1 - Moritz Rauch discovered that the Symfony PHP framework implemented persisted remember-me cookies incorrectly, which could result in authentication bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5813-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 15, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : symfonyCVE ID         : CVE-2024-51996Moritz Rauch discovered that the Symfony PHP framework implementedpersisted remember-me cookies incorrectly, which could result inauthentication bypass.For the stable distribution (bookworm), this problem has been fixed inversion 5.4.23+dfsg-1+deb12u4.We recommend that you upgrade your symfony packages.For the detailed security status of symfony please refer toits security tracker page at:https://security-tracker.debian.org/tracker/symfonyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc3hfcACgkQEMKTtsN8TjZZqQ//UwZZ1H2r1s4Dn/wxuq7Wx2Gn9x4Mn2ZeRcmLWf8AEQlOTEUo7GyR539YWqvbTpPiik9kIHF6qOaH9ANSWs0Up/8a3NTueHwrLqOsa1YLm4mMGgAlzO12idwS8+nZLUs16mtlOSKzSdqPxymeVu58QEoKx336pAwkG6ntYnfjo85G/gfrp17UGiKYfcjY7xIMoEC+/LhcLleExtxe7roFfMDtagBxuwJ88/ZdYG0ge7DOfrOvH5Eay3/g2sDo1gxB8texfosV+kFzPIZd7reJMZRuIY4rqvJ31uu85R4yXQSa8mPbm8jFBVsKwyqzuqhKgBlJC3bIoZ6HyoO7bqRqOysr697CrS+jgQ2bqNxEQYwj9Hy3EWezwElT4YxJsFyoq2TpNf2wzAa6WTh2ucA7mAu3KxuddykGjtiPHNU8JwONS2nw1KfGwgrqvz4J9bZZoWaWBQF1RyMA2nFDyc5P13R8LbvLE8eI9uoF/AkHT3AI1Ve7FpmIbqvrPlnpPUTFFn/I+QxrhttRYkZ8KSI48Xrq7XhfpDmirQOhMOeRM+bAo96l9J9xksBle3rP8laI6fUNbDp0C/HSbAYCOvpGt65rPdzlbP8Qg3JcdcBpSyDhxHI7D6Cf6oqqfAHHnjY8ag6ASvoLISu+xshJe1uY48AcbBx8ORaknxJ5bIYi7Zw==ywf6-----END PGP SIGNATURE-----

Debian Security Advisory 5813-1

Debian Linux Security Advisory 5812-1 - Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5812-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 15, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : postgresql-15CVE ID         : CVE-2024-10976 CVE-2024-10977 CVE-2024-10978 CVE-2024-10979Multiple security issues were discovered in PostgreSQL, which may result inthe execution of arbitrary code, privilege escalation or log manipulation.For the stable distribution (bookworm), these problems have been fixed inversion 15.9-0+deb12u1.We recommend that you upgrade your postgresql-15 packages.For the detailed security status of postgresql-15 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/postgresql-15Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmc3hfUACgkQEMKTtsN8TjalVxAAmmEGwof8hC+HRIlI65sI/pwgMrmmJSWjAYMYMJbED7cSFbk66SMBa/GId+yXBJY8WFwLrkJAqjsn8iFDdILEjoY7uMTsbaf4aKZUgLEPLH8wSjRVGlg63q4SRc4pK7eNwPI1T3IqEfhmnJQFLh/WC34iPpuokL+52FpfajRXZ3yxA3ZSuE5cqBVp/JRvtq6NNaVz5uLSdCDrSHm+eV+TC16XZSPJVYCT8Rt21D93xn7HS3bidWuqhTbBLRJCD4FOJ9gSGGAG+BME5h33NpqyZboE43ikLAfWmGKhL50ymSnZ5waPUW990RmXa4D+HKgVynumjaZHohUnT5L+6Baw1UnqaaevkZa7wo8iaanmf2odYGYP1pJavCJprKQ5yCLCErFL5IACTcC7tergpffZlrZXt8owt9h/ahW+BglBfB2PglxTYhDrIRl9A4d0lG0DfltPAFyOMB3VgrKd6w9myIK6W6KDrN4B/dnu7bDf8XCxfdDe7KsFaScz7ZXz7tYkC5/k2KOxLo43i1yaQRXLhei1OuklcaEZy2oD/RU1C1by5GQCIvfvKg9D0eGipGy6rh12wIq66Ef0neUHbuja6/zR304nU/1XPAV+2qPWGRN5SsScf1lbkXD2CcpgR7n5S3mU1fN9Ufd42koI/oQ0Q5gCKvVm2VUzQZrjnWfj5H4==ab7S-----END PGP SIGNATURE-----

Debian Security Advisory 5812-1

Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI…

Mozilla’s 0Din uncovers critical flaws in ChatGPT’s sandbox, allowing Python code execution and access to internal configurations. OpenAI has addressed only one of five issues.

Cybersecurity researchers at Mozilla’s 0Din have identified multiple vulnerabilities in OpenAI’s **ChatGPT** sandbox environment. These flaws grant extensive access, allowing the upload and execution of Python scripts and the retrieval of the language model’s internal configurations. Despite reporting five distinct issues, OpenAI has so far addressed only one.

The investigation began when Marco Figueroa, GenAI Bug Bounty Programs Manager at 0Din, encountered an unexpected error while using ChatGPT for a Python project. This led to an in-depth investigation of the sandbox, revealing a Debian-based setup that was more accessible than anticipated.

Through detailed prompt engineering, the researcher discovered that simple commands could expose internal directory structures and allow users to manipulate files, raising serious security concerns.

****Exploiting the Sandbox****

The researchers detailed a step-by-step process demonstrating how users could upload, execute, and move files within ChatGPT’s environment. By leveraging prompt injections, they were able to run Python scripts that could list, modify, and relocate files within the sandbox.

One particularly troubling discovery was the ability to extract the model’s core instructions and knowledge base, effectively accessing the “playbook” that guides ChatGPT’s interactions.

This level of access is bad news, as it allows users to gain insights into the model’s configuration and exploit sensitive data embedded within the system. The ability to share file links between users further increases the threat, enabling the spread of malicious scripts or unauthorized data access.

****OpenAI’s Response: Features, not Flaws****

According to the **technical writeup** published by Marco, upon discovering these vulnerabilities, the research team reported them to OpenAI. However, the response from the AI firm has been rather unexpected. Out of the five reported flaws, OpenAI has only addressed one, with no clear plans to mitigate the remaining issues.

**OpenAI** maintains that the sandbox is designed to be a controlled environment, allowing users to execute code without compromising the overall system. They argue that most interactions within the sandbox are intentional features rather than security issues. However, the researchers claim that the extent of access provided exceeds what should be permissible which leads to possibly exposing the system to unauthorized exploitation.

Screenshot via 0din

Experts warn that the current state of AI security is still in its early years, with many vulnerabilities yet to be **discovered and addressed**. However, the ability to extract internal configurations and execute arbitrary code within the sandbox shows the need for proper security measures

**Roger Grimes**, a Data-Driven Defense Evangelist at KnowBe4, weighed in on the situation and commended Marco Figueroa for responsibly identifying and reporting flaws in AI systems.

_“_Kudos to Mozilla’s Marco Figueroa for finding and responsibly reporting these flaws. Many people are finding a ton of flaws in various LLM AI’s. I’ve got a list now growing to 15 different ways to abuse LLM AI’s, all like these new ones, publicly known._“_

Roger added that as AI matures, simpler vulnerabilities will be fixed, but new, more complex ones will continue to emerge, similar to the constant discovery of vulnerabilities in non-AI systems.

_“_But like today’s non-AI world, where 35,000 separate new publicly known vulnerabilities were discovered just this year, the vulnerabilities in AI will just keep coming….even when we tell AI to go fix itself. It’s just the nature of everything, especially code._“_

1.  **OpenAI Kept Mum About Hack of Sensitive AI Research**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **ChatGPT Plugins Exposed to Critical Flaws, Risked User Data**
4.  **Savvy Seahorse Using Fake ChatGPT in DNS Investment Scam**
5.  **Massive Sale of Compromised ChatGPT Credentials Uncovered**

Mozilla 0Din Warns of ChatGPT Sandbox Flaws Enabling Python Execution

According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.

Source: mundissima via Alamy Stock Photo

ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI's security on the whole.

The world's leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system, and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.

OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.

"They're not documented features," he says. "I think this is a pure design flaw. It's a matter of time until something happens, and some zero-day is found," by virtue of the data leakage.

**Prompt Injection: What ChatGPT Will Tell You**

Figueroa didn't set out to expose the guts of ChatGPT. "I wanted to refactor some Python code, and I stumbled upon this," he recalls. When he asked the model to refactor his code, it returned an unexpected response: directory not found. "That's odd, right? It's like a \[glitch in\] the Matrix."

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Was ChatGPT processing his request using more than just its general understanding of programming? Was there some kind of file system hidden underneath it? After some brainstorming, he thought of a follow-up prompt that might help elucidate the matter: "list files /", an English translation of the Linux command "ls /".

In response, ChatGPT provided a list of its files and directories: common Linux ones like "bin", "dev", "tmp", "sys", etc. Evidently, Figueroa says, ChatGPT runs on the Linux distribution "Debian Bookworm," within a containerized environment.

By probing the bot's internal file system — and in particular, the directory "/home/sandbox/.openai\_internal/" — he discovered that besides just observing, he could also upload files, verify their location, move them around, and execute them.

**OpenAI Access: Feature or Flaw?**

In a certain light, all of this added visibility and functionality is a positive — offering even more ways for users to customize and level up how they use ChatGPT, and enhancing OpenAI's reputation for transparency and trustworthiness.

Indeed, the risk that a user could really do anything malicious here — say, upload and execute a malicious Python script — is softened by the fact that ChatGPT runs in a sandboxed environment. Anything a user can do will, in theory, be limited only to their specific environment, strictly cordoned off from any of OpenAI's broader infrastructure and most sensitive data.

Related:Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

Figueroa warns, though, that the extent of information ChatGPT leaks via prompt injection might one day help hackers find zero-day vulnerabilities, and break out of their sandboxes. "The reason why I stumbled onto everything I did was because of an error. This is what hackers do \[to find bugs\]," he says. And if trial and error doesn't work for them, he adds, "the LLM could assist you in figuring out how to get through it."

In an email to Dark Reading, a representative of OpenAI reaffirmed that it does not consider any of this a vulnerability, or otherwise unexpected behavior, and claimed that there were "technical inaccuracies" in Figueroa's research. Dark Reading has followed up for more specific information.

**The More Immediate Risk: Reverse-Engineering**

There is one risk here, however, that isn't so abstract.

Besides standard Linux files, ChatGPT also allows its users to access and extract much more actionable information. With the right prompts, they can unearth its internal instructions — the rules and guidelines that shape the model's behavior. And even deeper down, they can access its knowledge data: the foundational structure and guidelines that define how the model "thinks," and interacts with users.

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

On one hand, users might be grateful to have such a clear view into how ChatGPT operates, including how it handles safety and ethical concerns. On the other hand, this insight could potentially help bad actors reverse engineer those guardrails, and better engineer malicious prompts.

Worse still is what this means for the millions of custom GPTs available in the ChatGPT store today. Users have designed custom ChatGPT models with focuses in programming, security, research, and more, and the instructions and data that gives them their particular flavor is accessible to anyone who feeds them the right prompts.

"People have put secure data and information from their organizations into these GPTs, thinking it's not available to everyone. I think that is an issue, because it's not explicitly clear that your data potentially could be accessed," Figueroa says.

In an email to Dark Reading, an OpenAI representative pointed to GPT Builder documentation, which warns developers about the risk: "Don't include information you do not want the user to know" it reads, and flags its user interface, which warns, "if you upload files under Knowledge, conversations with your GPT may include file contents. Files can be downloaded when Code Interpreter is enabled."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

ChatGPT Exposes Its Instructions, Knowledge &amp; OS Files

Debian Linux Security Advisory 5810-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5810-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 11, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-10826 CVE-2024-10827Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 130.0.6723.116-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmcyV0cACgkQZF0CR8NudjexWQ/9FC13RC4Jwxn09Ca4LNZs6WFB+LJBltvMAh49gkqOdDBOqZIs8l6DP61JA1y5PvcX17V0zNBXfCadOyvNhttmGd/T6GQHd8DTCWdlrOcnPpHdnTkswB3o/gYXbTPyD9s6hSZPOnawO7+dDsnb+7s0ivI+rBIPadA4aGNdRf0/rqVKGMO1UYQPs/29DCk+O8JhB6JEMFZJpTnuwY8PVE/Av9iEj2o8fHvioQnPQttqRx87mfjjSu1Cj1lMhwzpPZ85Jw+Zj107dLp9+yx0IlRNijbOtxw0wMBVWyJCBqlvhd8EDBFFmw4ZjvXNfuNhUJ6aSzOm7WD3uByyI6yZjDXEIjauBprmdoW8rRZ/QSCb8hin0HBG5pV4WJ5q6qCj+Zpk0YTnMVhyHMJSDZr64MbK3/I4qmWkU5BG+COum3ZgWIoFlFpZoUEeMrVd16uCK7L021ELSbcalz37veA+IdPnzNlZHK3OdE65Q6Nfhwxj9+y7hcNe9QWwMwngUCWhRrMM9PlLk9qW+Nr5j0ZE0RaSCYEpZ7LOwxDRbqfut2gH9gQksjmz/cHCFHjQxCMRN9Zwh5ksF8HemiW2YHnZv1aqb/1kO8CfKf5iW8G6F148te3vuZveiGaFOUhx6VTtYe6boice5Pyf8u980guIwz3d2pteIGqjd0Y6XBQk5EUcUeM==7bY/-----END PGP SIGNATURE-----

Debian Security Advisory 5810-1

Debian Linux Security Advisory 5811-1 - An out-of-bounds write vulnerability when handling crafted streams was discovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1, 2 and 3, which could result in the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5811-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 11, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : mpg123CVE ID         : CVE-2024-10573Debian Bug     : 1086443An out-of-bounds write vulnerability when handling crafted streams wasdiscovered in mpg123, a real time MPEG 1.0/2.0/2.5 audio player/decoderfor layers 1, 2 and 3, which could result in the execution of arbitrarycode.For the stable distribution (bookworm), this problem has been fixed inversion 1.31.2-1+deb12u1.We recommend that you upgrade your mpg123 packages.For the detailed security status of mpg123 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/mpg123Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcyWeBfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TeBA/6AxHGN840gcJbF44ZG9yPQetGT0x5l2JqY3xYWWdAdDRsDpduYrLT4JT13W0wuGjbuYkBM12iS07gNZzSHJCz8+/W4nIdp64qs2kNLvfRkyUJIweKiX+zhpTtzstdx4Bj1y0xEVoPiCmHHwXwuo9UrAaThtJ6dY3k1wrS7pNiYg9KvedVBZSD7pVbq2qckY0Sl5VD6a3Tlm3CoXg9b8rQmtO28ATYAAeZNod2HhhpwXX7z1Za2o0iEVWpt3eghP/W9NBJFrbjXW+U0WuzKj4kaJBRIjPKZqaYG7SA184XOtFGgWzTPu/ee0+N8H58n9US1boHMsTtq9F8z3lnAlbn1GYyEHVT79Lk6Je0PnzJvA0mG/ytIO4tJrpnGji3fCD/IC+yer+vDiXry3StB5FklzXBcdNnBvf+qaP+MOoRGqlPS5kBoKrD28MmAa9b/7LZBjk90PisT45Wv6Ui4yLTcpMvPH+2x4VGafhNhv3jeu0ya1EuCj01Dwz0IUSU+3hXXVLPhxfiHiWQlhR3tdrzBd8wkulLAHg0vVy0vZ2+TkmH+Q98zY05sngjBE0C3lfUggu+snMRFXKpy3aSSVznx6W6KR0kUGnFPEMlwd3FkB8HTefPH9fWMn38X41D8fm7+hgOYBaFgUftgLQrhXmlNjb6ZOb+WBz2rt95lNERH5M==HcPy-----END PGP SIGNATURE-----

Debian Security Advisory 5811-1

Debian Linux Security Advisory 5809-1 - Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to privilege escalation, information disclosure, incorrect validation or an open redirect.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5809-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 11, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : symfonyCVE ID         : CVE-2024-50340 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345Multiple vulnerabilities have been found in the Symfony PHP frameworkwhich could lead to privilege escalation, information disclosure,incorrect validation or an open redirect.For the stable distribution (bookworm), these problems have been fixed inversion 5.4.23+dfsg-1+deb12u3.We recommend that you upgrade your symfony packages.For the detailed security status of symfony please refer toits security tracker page at:https://security-tracker.debian.org/tracker/symfonyFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcyVZAACgkQEMKTtsN8TjZCahAApzS2JYSnSrbhyvDcwh/74Ilxz9TYphGz0/tefvNjbjzxbtXlGSSrO//6M+wOV2q+H0+NWbhJTAnF89LKXZilojWu+swfr6taoKaIWr0YH/4uQ7fIDG4otZbJXvbW5N5lhhl+mmzVoa+T9KwLssAZS49YGJ/oPn1rSQN5mrx4ZPHKf441s+eNjgdO0tmlBUYkUlhkBhsTdpA6y80hnrYn/a8Xsli3zXnFx5+2AAScKHtWIyCHgYE4iQyOzlriL96EuNv06uKKbQVoMxSTaq5m9po8MmMl3WnlWQplDr6qYr+7INF3farb1Zi+yJoVvwV6tOOYTOE3xxqDlq6eez9p9z7vd2YopHcvXdr3qOZ/mHE4JZcL5kKebFhXzVRxK6u0XJZ6WYY+YQ4Fel8lGriZSd1jBvzGn428ePNV2HHUj/9tNqcKMwXEvytRkRUKwSTG/Adp4M2X5uThHcGPY+3UC+oHh6YWq6o4duVGfC1ZPsbxvkx39QxSducGT5fpcoe8Knf4U3ZfElXb/sbi3SYqugoUzCTNjNaYA58HD+cRMuFF6lZaBMJM7o6jN6/9tmJveckpNgE/n2h0jtk0EoKjD34E8CNdAuBstq0DXIlO++/KT5v04U7nWSaGVKJYZs3piCv5fRTtFxYVePOGMSiF3jq5r1WsHZa5AI1n0KHfxIE==SPKd-----END PGP SIGNATURE-----

Debian Security Advisory 5809-1

Debian Linux Security Advisory 5808-1 - Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5808-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 11, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : ghostscriptCVE ID         : CVE-2024-46951 CVE-2024-46952 CVE-2024-46953 CVE-2024-46955                 CVE-2024-46956Multiple security issues were discovered in Ghostscript, the GPLPostScript/PDF interpreter, which could result in denial of service andpotentially the execution of arbitrary code if malformed document filesare processed.For the stable distribution (bookworm), these problems have been fixed inversion 10.0.0~dfsg-11+deb12u6.We recommend that you upgrade your ghostscript packages.For the detailed security status of ghostscript please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/ghostscriptFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcyNyZfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0TsSw/+O3JZxFqbD0O/frfKj2MbMsIxEpVYEfezp1HBnbTC4KFvVyn81yye8yS6OS8T/3FZxMAu0VwDXah8Hc0aemk47GT0Nj1NzoqoDwTU9DUNtFZ1GxyvM67qKBiG/x4Detk5ikwjfA1vdg71O8Vpw9TYGI4+CZv4sS4W/AuwZXxvL2o0DEE8Gvi501FU7ppD95hA9f+LaP7D8+LlKWU2blaN5Iim2WRrRABTimujgXTQjuCBFLuUUqWhznuNHJU4nWMuEYMot31eummNHw0tUD6d/tHGipN/2b/TM+nmhBIS+1T/HBS/2gEuYF3f3arOGm1Fgk3zAACczdeMp4CFXzD0PUKCJfOeAI5kMMaHosAqjnvhWthz3Ye2s/3bVZ4INYvOo1J8/Bgr1l/k6b91HoCIb60DemUzDrQPZyzdAnEUm0W5ET1jKOvfF73vukl7V5SF/b4f90/zc/kTJDKf5lTgXOAER7Ci7DwPrkBFp+fAutqyUQzdZWrJCAyxuu75q2SjCqUCKiHhXNO3IipvE2DxXHxXgXOsw3SLwUt3+ciJbUY2+9bri1lcLiocSKvEYKw14bw72Eb01472NAoF87p1ectAlnMO6GOj0xzZoXat31W/DNe6wSUtIbekzMxHT0Cx06tcKdyfhq6AVTm4HspGB/1nA9MqU6ok0VR9B73rRLk==hMTY-----END PGP SIGNATURE-----

Debian Security Advisory 5808-1

Debian Linux Security Advisory 5807-1 - Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5807-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 10, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : nssCVE ID         : CVE-2024-0743 CVE-2024-6602 CVE-2024-6609Several vulnerabilities were discovered in NSS, a set of cryptographiclibraries, which may result in denial of service or potentially theexecution of arbitary code.For the stable distribution (bookworm), these problems have been fixed inversion 2:3.87.1-1+deb12u1.We recommend that you upgrade your nss packages.For the detailed security status of nss please refer toits security tracker page at:https://security-tracker.debian.org/tracker/nssFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmcxArIACgkQEMKTtsN8TjZ1rBAAqef9LTGZnLYnvNEeRHVOrazORvlEBe7AIpFcBIC1nSRBQ1ZAPENNMUFihkzJHkwS8hTy/VasgxnZTu2MTXhCQllQjISZk4bI+6EvMa+3p9930E9qgaIjPFPqTgYmnhFTq0bqzyDLlQpY6UJQDy0I47oRrHs8qVwEMsAtl6Wg/VkjLdQi68hPk7lpn7R1EihvKsYwKOv6cIU+wZiRk6LzbEdVCzG73FMQhjLh0bGq/R3EFpSL8Hb05j+xR3wWkrW+Gkw20rha5XG7tPqyl/QLLfpc3TO9UG3APUtC5LjBhKIEcUSst/9LkMRRfK5TyjQQQ4TF1K9HbcEkPTk7kAH6SOgOF8gAqftFvorQEAXv4PxrC7qwNYDdlwus2gZvGTif/H1SIfdQe6hZcZ7XWWP5oO1EK4IL4dXeFkbNvvbZu6HfXYKC9r5zzP0lPH5+Zh/LBnUyRibPnF+dCy+SaHHfGOY0Twl266DT2fq4VCUGD4eSI7uAkMniWBcJPdqcfSvOHaGSWkKiJzD7QIZ/51/wLC+6u3goQQc07dAdMhS0tOJAF5UDA33A3tVfpKwNffxW8d5XfyFnZm1D21K29vG1Jtfzk8io19u7UTRLVRRAu3OslvQSuvsoLZSQy6AwwqOUzB7niyXhZpHOqhHvBZa4C2ECB06b21YNc00xxnwiDl4==tVvV-----END PGP SIGNATURE-----

Debian Security Advisory 5807-1

Debian Linux Security Advisory 5806-1 - A heap-based out-of-bounds write vulnerability was discovered in libarchive, a multi-format archive and compression library, which may result in the execution of arbitrary code if a specially crafted RAR archive is processed.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5806-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoNovember 09, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : libarchiveCVE ID         : CVE-2024-20696Debian Bug     : 1086155A heap-based out-of-bounds write vulnerability was discovered inlibarchive, a multi-format archive and compression library, which mayresult in the execution of arbitrary code if a specially crafted RARarchive is processed.For the stable distribution (bookworm), this problem has been fixed inversion 3.6.2-1+deb12u2.We recommend that you upgrade your libarchive packages.For the detailed security status of libarchive please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/libarchiveFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmcvIfhfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Q7lg/8Dq0QdIkhu9rjq/M6C3m87PYV9MUtp23uZASKIgN95uTMLMYT4AON0o6FZyUB8MZcwTsTabt8LdvgxyXBzGBq1TMKqeB44n2LjjI5cn3OZftQnvNQmqmuiJhSUvk2NyjOZ9TEpfwwGhlwcrFL3YFQxTIrWMbuIacxZRcCrnxTphXL4KxbS2+/gkn3nDG5GrYK0CI20PSOsbKz8nQJqMBuCpWGKU61mcDxivdP3nYQSfzexvhMPhKyuK+FCGWbyMbR70FnC3UmyNTVvSi70H28QHgJ8LSooLaZl9hLnHVdAPt0jRGeYR25JV6GPL4Hx1fq42W/nB+mzyb2Lv/rDf8fQUsVvyoLujhxz6dDJtYr8l0Oy3l4Y8YP4sIIWDYP26glQjggcS3uAACiZe2y6B0EOKuaOj64ZEDgZeTeMcCIyAU6SWZmE9vv4r3QrFA/jtsSmQLZQu3Ry2wrPpbwwDxSDXeAMR9970MxTJgpnltJx2kO6urk8d1SNlNUjkiwdTLA1caGh0HbrwlE+d/OUYIiOLZkBmIi815imbP83imk2yrl/yJIBBObDd192ah66BUFp4UBD28XY3R7bGQN/OpMFcGe3Kw2nVt8rsIA/ku3XWJE60611NFElTZl0QIa1j3dHzgjjYFWYVPlLHUD6XV2p0AXl+sQteToqx66e1sj9eM==2Rv1-----END PGP SIGNATURE-----

Tag

#debian