Debian Linux Security Advisory 5550-1 - Multiple security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in cross-site scripting, SQL injection, an open redirect or command injection.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5550-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 08, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : cactiCVE ID         : CVE-2023-39357 CVE-2023-39359 CVE-2023-39361 CVE-2023-39362                  CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515                  CVE-2023-39516 CVE-2023-39514 CVE-2023-39512 CVE-2023-39510     CVE-2023-39366 Multiple security vulnerabilities have been discovered in Cacti, a webinterface for graphing of monitoring systems, which could result incross-site scripting, SQL injection, an open redirect or command injection. For the oldstable distribution (bullseye), these problems have been fixedin version 1.2.16+ds1-2+deb11u2.For the stable distribution (bookworm), these problems have been fixed inversion 1.2.24+ds1-1+deb12u1.We recommend that you upgrade your cacti packages.For the detailed security status of cacti please refer toits security tracker page at:https://security-tracker.debian.org/tracker/cactiFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVMDYgACgkQEMKTtsN8TjYzmhAAny8lZgRdlKAadeOGxULyDwZMzGhq9zoHUX2otN3nwIuQEotG6m9/Lc3+IQNpase5cNYZZMlF7lA5u34cbHNmnVnraEARUnU1PwsFOjAamv8JWxEfyGEV/V0fSaj7TNBYarHBGGHXhX1uFYQXMyVSTGNWmof7AmvhHol+CqgxSfzhq5i/ue+dtnNAfx1pZ+SzznBJsndUeltEi8CdsIqcdGlldO0UWIj9G0pF2Fs6bvfi9heVKF1D1WaxUzjUZUdmSgzNZ3d6RAjhfA7ButjKdViaKjE93ARfOcl1I5kvR2whqe6RILkx+7NqoQ/JdR1uYbg7wmKPb5+zivmJWk+PBXXlncSTkzuUC9JTx/ypO5x4/op0SD/hz2YHhFonL4Y2tSgQGiAuBqYwWTBjy6NyX+59lKSrbNF2Dt1GdTtR1Dwvzxe8NneEV+kDMwgTEli9D0QDYu8pF6b8OegkK0UJk/gu6w/88xF+E4zTvoFjeXI/Wp9c0sN0zqgyUIWnLyhv5PVYa5TJt1W0RK9QmZyNJ6uLv0xS4LKf28TYU4rI8ilw4/w8lDFE3ox7pUuSa52b2cK5R5I9UXCwIuT+RQZD9QMu8/MFgbmBlI0fXol7Qr7BblK7vEy+HADgXcJQXJxhDcsIfy5YXNj1N1ps3My/FUD/Ui1gCM/4zt9sg9OMiJ4==Exbi-----END PGP SIGNATURE-----

Debian Security Advisory 5550-1

Debian Linux Security Advisory 5548-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5548-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 05, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openjdk-17  
CVE ID         : CVE-2023-22025 CVE-2023-22081

Several vulnerabilities have been discovered in the OpenJDK Java runtime,  
which may result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 17.0.9+9-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 17.0.9+9-1~deb12u1.

We recommend that you upgrade your openjdk-17 packages.

For the detailed security status of openjdk-17 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/openjdk-17

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVH8rMACgkQEMKTtsN8  
Tjahiw/+KV2CipWhe7kpI5GXnMkCH9lOIYYv6S/zSu3RpB/zEH72QoAfJVRPazNy  
6ubJtk1kbrkc/mo6RFRw+0yVuo8czZ2NiVYc7E+pmVdCu1QT+M1BlV6xhN9KntpY  
pw2V+/+toyi0lmMRl13FgMC9loUdBHJO7zHbfNCKZAQHoBt1JK1UChwKDUC+UeGr  
0A/4wk5gMaKLMizr5nSEXsJS1D0cnAeqogIU42G6MdHTQnF1dTtXOtA3VbS+AnAl  
cPea29ALDnpruizp/7pBCu4q9hGvCrKYHxZ5ZIwfS7shfYSN0qqAtqmsw8ZSnAp6  
MlPwbdKfYWFhujvT3prQEtgPqowK+sMjSRHvjZyXIYrYK6/ORduckVpSHN3Ue3V7  
UcFKiZvVrub6YB9nFB0fbHs7FL4N/Eb75n8B5OzaHM1RrH12NNKWw9aghHEMofQB  
Isai5wglPnERZqDOYuUnrwxBfsRKGbRsYl86wYCnDBYSDtO5o6Fdp5daZBtm40dl  
fo4GoM2FVlkIFKR/xLviQ/l+q8bc3jOcT4ZtgiVlYHD5YuunT9pMxOYHHMF4NeP7  
ve+hB46m3GxVgeu50L3e7bOLEDbsMwXbhzN+IvR1IBNuwEvXUWy0jg4GZJQ30u7b  
l10rG4HjAvcL0U/axHmQcaKZWwd9cc9EfbQMUTJ5UzuSN9YcutA=  
=vysv  
-----END PGP SIGNATURE-----

Debian Security Advisory 5548-1

Debian Linux Security Advisory 5546-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5546-1                   security@debian.org  
https://www.debian.org/security/                           Andres Salomon  
November 02, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : chromium  
CVE ID         : CVE-2023-5480 CVE-2023-5482 CVE-2023-5849 CVE-2023-5850   
                 CVE-2023-5851 CVE-2023-5852 CVE-2023-5853 CVE-2023-5854   
                 CVE-2023-5855 CVE-2023-5856 CVE-2023-5857 CVE-2023-5858   
                 CVE-2023-5859

Multiple security issues were discovered in Chromium, which could result  
in the execution of arbitrary code, denial of service or information  
disclosure.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 119.0.6045.105-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 119.0.6045.105-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVFF04ACgkQZF0CR8Nu  
djdzWhAAwLgUKUHw7DKsOlj52comEvShKoVSVrMM34ZDpcIizK/MtkQm/d7GsOU2  
D6AV6pI4vjR7mlbFiN9l99VIGF919iFsQdXdrq+49m/YafFVV3Q2EMagvhDRFRoF  
DJLtNml9gaWgvLoN77Uh0HShpoSWpVc9cXq8w+Xq8mpu+c9dkzquigY0Q0VWZqOs  
munuVIouMH7RhhCAiL+uJ67f1rDW49OEFvcFTyGWrdzpAgWP61u9Zq3iC4S9ovZP  
UprMUQt6+1wDH3/Mp020/Ln1XhCXfnlsvjXAmpygegbRttJAHwWPTyfvX0+ZdZ2h  
uLqDcF7EEtox+mZfLdVJZZVJyYugsGO5tqRk8psc77o1eW3BTaOgdSUYoereOm6O  
/47UJvpqQYRSjN52/FTGHAkXJhjOQHi0/BzSwXsi1szeNbAAUUThhSa6tXev0eTN  
xgW5xwP40gHScHEzla4rXnM/uyE/cRwBzyiocMQJi3eOREAyMGxUktruRehCSUS1  
GtUzWmFOlwtMIDPuzfK2ZJE1iv4stkfzcZtwfpHKiCkqY5fmkeSNrhVP8PmsK0bk  
kGW9AHnsLpYJj1MGNuIaGF1AxcWT6n3DrkUU7X/0ETxpA+2EVIrzgkikuq8mFfHe  
iEoBHpVeY3/iF1coGhHLFhSRD1OHECJ7ydU46Ji9fPH9tqcmTb0=  
=/Wn5  
-----END PGP SIGNATURE-----

Debian Security Advisory 5546-1

Debian Linux Security Advisory 5545-1 - An out-of-bounds write was discovered in the MMS demuxer of the VLC media player.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5545-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffNovember 02, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : vlcCVE ID         : not yet availableAn out-of-bounds write was discovered in the MMS demuxer of the VLC mediaplayer.For the oldstable distribution (bullseye), this problem has been fixedin version 3.0.20-0+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.0.20-0+deb12u1.We recommend that you upgrade your vlc packages.For the detailed security status of vlc please refer toits security tracker page at:https://security-tracker.debian.org/tracker/vlcFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVEH5kACgkQEMKTtsN8TjYMow/+KOrk/MxdRYRFak834AI5p0eEiDJIJm9mdZmoW50O2w6ojYzhXMaMor91FYcE7EqhwbxIUnXayeMkRYktH0ihPVQA6J/Gzn3IVGVRR9Qk/er1YjHmTgaGRz642138+QB3YoZuYYcbTOMDfKLihDRIjW9qt1SSJibOS5qXOlYQ/YTYdNSSUu4xt7attLUDL/fYyuCiRGk9dkh0joc6UHzymufLHjN0YE63izBIx6LrygGLpueRqgGsphJGkf8KtZa7mE7aLidn/6RCEKf+egBvVukF7oFU9YrlNo2pChdpacB1f6Yj6p1kmHiMQifST6ZCVc+n4FkwpVfPMVxs/XWzuJDtqV6nOKQE0omNfbHDjYRykGkzWqIJVPl5ysHSYGf00I0YO6eiA7oXkfv6QKItHw3XS1PtXczlJVJE7GkrO9h9n+tgaq50Qq9L3dfHxHgifCLk6wkSls42GRpvpmChsI1rLNQBYE2+BqHeygeshmntJAjhZpKBSTIjdEJq2QdKW2S2YngN0FAdWvH1UhgtaZmiKCmflNbMij+4tuE09OGZyTyMcqZh0dt31S4jNLlzk5BqAjeEgkn/SJYFI5bhItHLnDsglJAsQHdFpRX2DObMZmmfRRVjFGSxa8aTO/mMpPzyg2IxQwt08XZlj5diO25Gtvdt8W17MCQ3W+Y7bEQ==5Fzr-----END PGP SIGNATURE-----

Debian Security Advisory 5545-1

Debian Linux Security Advisory 5544-1 - Damien Diederen discovered that SASL quorum peer authentication within Zookeeper, a service for maintaining configuration information, was insufficiently enforced in some configurations.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5544-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 31, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : zookeeperCVE ID         : CVE-2023-44981Damien Diederen discovered that SASL quorum peer authentication withinZookeeper, a service for maintaining configuration information, wasinsufficiently enforced in some configurations.For the oldstable distribution (bullseye), this problem has been fixedin version 3.4.13-6+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 3.8.0-11+deb12u1.We recommend that you upgrade your zookeeper packages.For the detailed security status of zookeeper please refer toits security tracker page at:https://security-tracker.debian.org/tracker/zookeeperFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVBUggACgkQEMKTtsN8TjaJAQ//RJ2xwJfLXiLajonTRcY6uhLmMT65GCkzbaVs+WExii/Ip1RWLTh4LScQG/OkOQGEs4OhlxSEBzkQJTSuEvY42AU4aBBSjollcA7HmlXZIJCabuZ69CWWOBJW4Ad57iIi1orRhVjt7Yyd2puZlDeKisnwmPB4kJeYUPGxIWFe8FXnHfrUEUs3xexugjJoMNXQ1xLEjtg8pRCbgDtxZEeuV0Bycbcd/TZj5m8j9UcwXRcA+IX7usHQXYH8fCFTfl+GtWE2/5sOnsVpSK5/u6l2FabvkdswzcehShNAAdamj1i4SCF/p3yGSgw1FoW7Lsz7rPXRBzlo8x4iAa9X4ykqHByowt3H4GwJcOS66E2+7AUhrZFRzTDq0npC9/xQ0orwWwMd1jRBKTWob2H/FMyjcZnRB+eeT1fERTHPQWXAuFkqDzh5YOMevWgx/YP8nfEAAiVWtLiJ45VhUJcjyM9lqoGL9d3YoUVHVmsFu8UI3W0WsM7eQaz18Ql2FQ315O7eFhK2VY7NTwlKgsFdA3pMtR3oYPXgsUHJVhZJHT7wT/ZJsd5CEVSo/wwks14xoVC/vOmhOaUBoPI2wvqzF85tJ1DNhnN3qSq79cLO2e3I4/XJwApAUarELzcOe5J/T7PxF2YyCzmUvdGoOZimzaYMtt+xRIoplqXcrSOJW2X5BGA==f4nP-----END PGP SIGNATURE-----

Debian Security Advisory 5544-1

Debian Linux Security Advisory 5543-1 - Two security issues have been discovered in the Open VMware Tools, which could result in privilege escalation.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5543-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
October 31, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : open-vm-tools  
CVE ID         : CVE-2023-34058 CVE-2023-34059

Two security issues have been discovered in the Open VMware Tools, which  
could result in privilege escalation.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2:11.2.5-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 2:12.2.0-1+deb12u2.

We recommend that you upgrade your open-vm-tools packages.

For the detailed security status of open-vm-tools please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/open-vm-tools

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmVBVQYACgkQEMKTtsN8  
TjYsrg/9F9eIADdIEeqnR+hc0Dc9YE6yK49aTbADMw3CBAARSRKHtcDsWjqcnRON  
hvzZapmYQ64g7Cxp5/8eD+NnL/69zf+hYV171QJVJ62gfnY0jISZ2hsvqDFWkZK2  
D3CxX+8OVrwAJClFgE7BztjkWE8xl7KkpdD4EsbODZeFbGRvq5/fMrfltfZ+iik6  
5RcHLXWtWVPQ5B/HPkL02D6iMleB3USl9r92EhM94dGVpziW37a/mPlsm/MjWFVp  
XXXEXSGX23t33A8iihBLJxroPNLcTG5KKl725zocg4VSmxuzUOX1DbtSNWP+jKfb  
SrB+a3F6Y2VWN1R2F1sv0zEjpsJmkFysIMa7NN1ngPM+L8F/A7aD8HPgjmYObAmj  
UQdSTm/C4Zl7XqyHR13i3uJI9XPa4lys7B8RwY6MOJIDOy3UMiFhRlw/G9m0WNLF  
JLlsbQPr5so/WqKln7bDaMBJLdRyMv1o8yR+5hSBqwu1rnsIBv8EDWwiIAmBYmzw  
MOkNdi+N3gaK+5q5pwQM5rJmN4/pWNzb0kWOH8Is/ZuYIAie1mjYFUngG0Ef49b/  
Hsq5Se4cShDvl/WZDYWuyyy4azbjI00ukWXbj81/c7jw0lwzosthtV0piEJO2oQh  
3ymplyXXtPQedQ1nwgOHBx4eb3dSsYRAj71Blbf9BLD8UdndywA=  
=VMwp  
-----END PGP SIGNATURE-----

Debian Security Advisory 5543-1

SchedMD Slurm 23.02.x before 23.02.6 and 22.05.x before 22.05.10 allows filesystem race conditions for gaining ownership of a file, overwriting a file, or deleting files.

**SchedMD Slurm Security Response Process**

SchedMD takes security seriously. We follow a coordinated disclosure process which is outlined below.

While we strongly encourage discoverers to report potential security issues to us and follow our disclosure process, we will respect their wishes and work with them in cases where their preferred process may vary.

**Past Security Disclosures****Contact:**

security@schedmd.com

If required, please contact us for GPG keys.

**Scope:**

This process covers the Slurm workload manager itself. Issues with closely related components — such as MUNGE or third-party SPANK plugins — may be raised with us and we will work with the reporter to identify the appropriate contacts and coordinate disclosure.

**Slurm Vulnerability Disclosure Process:**

1.  Problem identification and triage.
    1.  The issue is identified, and the code base reviewed for similar and related issues.
    2.  Potential mitigations and related configuration options identified.
    3.  Fix is developed and tested internally.
    4.  A CVE number is requested, identifying the original problem reporter. Details are not released until the end of the embargo period.
2.  Pre-advisory embargo period and SchedMD customer notification
    1.  Pre-advisory announcement is made to the private SchedMD customer mailing list, and any mitigations and patches are made available upon further request.
    2.  Customers requesting fixes and further details on the issue are required to adhere to the embargo period, and not disclose the issue outside of their operational staff and management.
    3.  If maintenance outages are required and require notification of system users, we request that customers do not identify the specific issue that is leading to that maintenance outage.
    4.  Any fixes prepared in response will not be applied to the main SchedMD/slurm Git distribution until the embargo period has expired.
    5.  SchedMD may, at its discretion, notify external Slurm package maintainers (e.g., Debian, EPEL, FreeBSD) during this embargo period that a security fix will be published on the established end of the embargo period. Such notification will not include specifics of the issue, only that a security issue will be leading to the publication of new releases.
    6.  In most circumstances, the embargo expiration will be set for two weeks after customer notification.
    7.  If, in SchedMD’s opinion, details of the issue have been made publically available, the embargo period may end earlier than the scheduled date.
3.  Advisory public release:
    1.  Public release is generally made in conjunction with publication of the next maintenance release of all supported branches. (Currently, this is the major releases made within the past 18 months, which corresponds to the last two major releases.)
    2.  Notification is made to the slurm-announce and slurm-users lists of the immediate availability of the fixed releases, alongside disclosure of the security issue they address.
    3.  All vulnerable releases will be removed from public download on SchedMD's website.

CVE-2023-41914: Security Policy | SchedMD

Debian Linux Security Advisory 5542-1 - Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5542-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
October 30, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : request-tracker4  
CVE ID         : CVE-2023-41259 CVE-2023-41260  
Debian Bug     : 1054516

Multiple vulnerabilities have been discovered in Request Tracker, an  
extensible trouble-ticket tracking system.

CVE-2023-41259

    Tom Wolters reported that Request Tracker is vulnerable to accepting  
    unvalidated RT email headers in incoming email and the mail-gateway  
    REST interface.

CVE-2023-41260

    Tom Wolters reported that Request Tracker is vulnerable to  
    information leakage via response messages returned from requests  
    sent via the mail-gateway REST interface.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 4.4.4+dfsg-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 4.4.6+dfsg-1.1+deb12u1.

We recommend that you upgrade your request-tracker4 packages.

For the detailed security status of request-tracker4 please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/request-tracker4

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVAFIhfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Rh2xAAiVD21hoYb0v/KZ2tvBYCzLPn5Gt8TGtIAkjfK2Ld11tP+T4T4Y5+rqvd  
pt19lHHpq7Sv8KintaRXBZvDbFCNd1M9oBjXPf0Cf/Rc3IP8LOKuHA+53wt6mP+q  
mN589zah9CCjN91qhP+S6viaybIunB8G5qnWXcrkwk/nTAlqtkq9wtMohLfipKEm  
TYwFFwAeFJhcSnQNN1EmMX4jOY4abE5RmrMPUAHsfLlxXrPqZ8orRYfCh7DZIAnk  
jeastNtbpOpZbrbPNXAdl4iiGgE2kZc6IiE7siFZYhGhNL1NN3cQh1lG5eRpynZ9  
q+UvUlbDM2HE5RZi8ZIdcvysEW3YZR3Tghdcb/cQJxtXKn1auXwmlo/Jf30M9gii  
kneMxP7SRrhmdFHsWrOlFg8B0TDiOMNs43Q7O80DFzv/e73GZFyawkklc9X1zMj/  
LvN+Z2oqcfsiy7XYi88++RK8Q/M9Cs8Y4Hsct9xwGW2qtV7/quLHpJ3NHmuqC8bg  
AJdVxva33Of5YkZ4e/hygtu8yttlq5ZGnsxHStAC8IziCL/rUQdRRCIoLVjnQTMQ  
s8A+yYtJJaprCmDvHJU4pSlSMxMjqYHFR8AIO+AMsTUgKyuNzwlTpczE0KtlmB6X  
F5P0NExyVQE3kWvZzVVqj44M/MiysmNDHuH8qJjdjmm/hFvllaw=tItS  
-----END PGP SIGNATURE-----

Debian Security Advisory 5542-1

Debian Linux Security Advisory 5541-1 - Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5541-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
October 30, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : request-tracker5  
CVE ID         : CVE-2023-41259 CVE-2023-41260 CVE-2023-45024  
Debian Bug     : 1054517

Multiple vulnerabilities have been discovered in Request Tracker, an  
extensible trouble-ticket tracking system.

CVE-2023-41259

    Tom Wolters reported that Request Tracker is vulnerable to accepting  
    unvalidated RT email headers in incoming email and the mail-gateway  
    REST interface.

CVE-2023-41260

    Tom Wolters reported that Request Tracker is vulnerable to  
    information leakage via response messages returned from requests  
    sent via the mail-gateway REST interface.

CVE-2023-45024

    It was reported that Request Tracker is vulnerable to information  
    leakage via transaction searches made by authenticated users in the  
    transaction query builder.

For the stable distribution (bookworm), these problems have been fixed in  
version 5.0.3+dfsg-3~deb12u2.

We recommend that you upgrade your request-tracker5 packages.

For the detailed security status of request-tracker5 please refer to its  
security tracker page at:  
https://security-tracker.debian.org/tracker/request-tracker5

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmVAExFfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0Rb4w/+L1YcgCKoOMVBlwGlYnlEYZivThfDm1S/hwRwThqZtuDn0PPHw/Skl9Tp  
z2D7KjB0OEV3bixDCrYowOe4sUpxt8nAmHu0+LM9yik5ZbUh/GkX1gFQhleTA6l1  
Oa6PHuukFr31qwIvFse2D1MHyeKTgmWvDN8/l+mL1QB3oQ52Yh82fIBgky1x4tJl  
NZZKE6GVIyptnUUMYGa3QHK2oGW6RV41htB4aNl3boPrmpIXfw5dS86ZoMi1Tx2Q  
ww8tvsexwpWhXkGk8DTxgd+gTd0UKQixn+bRm50nuiFx5HZxTieg9ma6wbX4psPA  
43r9H4lOxC5K3s/WIvfwexm0057O87BZSa1HvQE/6iGZ/ehQlP1WPxRADxAqdSGD  
5G7JonHfSpVWQMa7u6qOZj6A/rWojWq3LN9I7t/SBdxIAYuV6mkLnWK+eYQz3oxQ  
cR2ob/ymdNrT2Nfafs2WKFpZNDx8pLFl9NVjNEoHrklTfPhZFlDXcPtm0+pk7M73  
lfYdMP+3xHVELuL0wckMuoSoddHHv0LmwgXXY+6YVISrQ970YEnxV23Y4dBvI7dY  
31TnGKjZ6MwWnqO3kwOlTLj/Zb+fnIfsQwRway9Q0vNa6c2NR0ONASaMtVfS3MsJ  
jeNKFbuRweOsj9JO3eceDevpS68kBEi1ev071LNhh/oP7KTwRDw=DPKi  
-----END PGP SIGNATURE-----

Debian Security Advisory 5541-1

Debian Linux Security Advisory 5540-1 - Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This problem is also known as Rapid Reset Attack.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5540-1                   security@debian.org  
https://www.debian.org/security/                          Markus Koschany  
October 30, 2023                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : jetty9  
CVE ID         : CVE-2023-36478 CVE-2023-44487

Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a  
Java based web server and servlet engine. The HTTP/2 protocol implementation  
did not sufficiently verify if HPACK header values exceed their size limit.  
Furthermore the HTTP/2 protocol allowed a denial of service (server resource  
consumption) because request cancellation can reset many streams quickly. This  
problem is also known as Rapid Reset Attack.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 9.4.50-4+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 9.4.50-4+deb12u2.

We recommend that you upgrade your jetty9 packages.

For the detailed security status of jetty9 please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/jetty9

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVABttfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD  
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7  
UeTJ2g/9E8TKXU1Mko9WhumkvRQNsYxAM43L/gmYMRm4JEqhqpjHHZECJIOAVyxs  
uN0uE13T+JckplIAhfdsZgbmDDNjASyFWv9OfOdf2h4Y9ZhoXP22MXI2MjKb9MSH  
KfmPtX4S95UyF/Ty0kK17W63p4EvtNlcgRokx5yFpUF/rN72GXVx25W6WQ1pSHrJ  
ESJMqOr8d3Wn5/4yaPEunQrvPa4WkQSTv8nHAIxIenP3wiNuK2tZWN6GCAdbirQp  
MWt282W/ueGcRDq8UJB2tWkxqx8CNnqeIeh0LpaSZRbaf62DChtyj+5OnYyhwBTk  
1mhwuveCFtNzRQyHRBrOrVWRAG43ktSyEYG90Il9iDchQROi0sJkQFVB0TXG6FnC  
hIFBcPw9VW5+7I+4gxexhpguq/SXZV9V9QH+jSeEBOgdKY/qX0farjElmhgFLRuS  
/weJAqnc9C6w4BB7gnE9ow4nbGqKqMEj1yoO8itMhCWBCaEIia0INpao7pfpf/9r  
KekLFoi6Gux0gqVMhhBw3latxW9zth93tNEeuuGb+kP/TDreBVkZnqrYVbtj49Wv  
IMX77Q8OB/TDQ8K5cEq05wcq59TIkAaVKGrP3sXsjbt4umbkjhbp8Oxv+chMOgPQ  
E8ThC0Q+lbZ4nth0vw2R93ObMfzlxZN2YJUqKf3aw/yAKd8YIys=CO/+  
-----END PGP SIGNATURE-----

Tag

#debian