Shadow and PostgreSQL updates for Debian

Debian GNU/Linux has released security updates for two packages, shadow (Bullseye LTS) and PostgreSQL 11 (Buster Extended LTS). The shadow update fixes a password left in memory after a failed confirmation and a control-character injection through chfn; the PostgreSQL update fixes an escaping flaw in libpq that can lead to SQL injection.
Security Updates Overview
1. Debian GNU/Linux 10 (Buster) Extended LTS:
- Update: ELA-1398-1 for PostgreSQL 11
- Fixed Version: 11.22-0+deb10u5
2. Debian GNU/Linux 11 (Bullseye) LTS:
- Update: DLA 4130-1 for Shadow
- Fixed Version: 1:4.8.1-1+deb11u1
Shadow Security Update (DLA 4130-1)
- Release Date: April 18, 2025
- CVE Identifiers: CVE-2023-4641, CVE-2023-29383
- Summary:
- CVE-2023-4641: the password-changing tools in the shadow suite ask for a new password twice. When the second entry does not match the first, the mismatch path failed to clear the buffer holding the first entry, so the candidate password remained in process memory and could be recovered by an attacker with enough access to read that memory.
- CVE-2023-29383: fields passed to the SUID program `chfn` (used to change the GECOS information such as full name and phone numbers) were not filtered for control characters. A newline cannot be used to add an account, because the newline itself is rejected, but terminal control sequences in such a field can make `/etc/passwd` display misleadingly when an administrator inspects it.
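The two defensive patterns these CVEs concern, as an added example in C that is not shadow's own code and is modelled only on the descriptions above: `confirm_new_password()` wipes both typed entries on every exit path, including the mismatch path, and `gecos_field_is_valid()` rejects control characters and field separators in a chfn-supplied value. The buffer sizes, the exact field rules and the self-check functions are assumptions of this example, not shadow's.

```c
/* Added example, not shadow's code: the CVE-2023-4641 and CVE-2023-29383
 * patterns modelled on the advisory descriptions only. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PASS_MAX_LEN 256   /* assumed buffer size for this example */

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop
 * the stores as dead writes (the same intent as explicit_bzero()). */
static void secure_wipe(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len-- > 0)
        *p++ = 0;
}

/* 1 if every byte of buf is zero; used to verify that a wipe happened. */
int buffer_is_clear(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* CVE-2023-4641 pattern. first/second are the two typed entries (in the
 * real tool they come from the terminal; here the caller supplies them).
 * Both input buffers are wiped on every exit path, including the mismatch
 * path that the vulnerable code left uncleared. Returns 0 and copies the
 * accepted password into out on a match, -1 on mismatch. */
int confirm_new_password(char *first, size_t firstlen,
                         char *second, size_t secondlen,
                         char *out, size_t outlen)
{
    int rc = -1;
    if (outlen > 0 && strncmp(first, second, firstlen) == 0) {
        strncpy(out, first, outlen - 1);
        out[outlen - 1] = '\0';
        rc = 0;
    }
    secure_wipe(first, firstlen);    /* runs on the mismatch path too */
    secure_wipe(second, secondlen);
    return rc;
}

/* CVE-2023-29383 pattern: a chfn-supplied field may not contain control
 * characters (newline, carriage return, escape, ...) or the separators ':'
 * and ',' that give /etc/passwd and its GECOS field their structure. */
int gecos_field_is_valid(const char *field)
{
    for (const unsigned char *p = (const unsigned char *)field; *p != '\0'; p++)
        if (iscntrl(*p) || *p == ':' || *p == ',')
            return 0;
    return 1;
}

/* Self-checks with constructed entries, so the behaviour can be verified
 * without a terminal. Each returns 1 when the expected outcome holds. */
int mismatch_path_clears_entries(void)
{
    char first[PASS_MAX_LEN]  = "correct horse battery";
    char second[PASS_MAX_LEN] = "correct horse batery";
    char out[PASS_MAX_LEN] = {0};
    int rc = confirm_new_password(first, sizeof first, second, sizeof second,
                                  out, sizeof out);
    return rc == -1 && out[0] == '\0'
        && buffer_is_clear(first, sizeof first)
        && buffer_is_clear(second, sizeof second);
}

int match_path_accepts_and_clears(void)
{
    char first[PASS_MAX_LEN]  = "correct horse battery";
    char second[PASS_MAX_LEN] = "correct horse battery";
    char out[PASS_MAX_LEN] = {0};
    int rc = confirm_new_password(first, sizeof first, second, sizeof second,
                                  out, sizeof out);
    return rc == 0 && strcmp(out, "correct horse battery") == 0
        && buffer_is_clear(first, sizeof first)
        && buffer_is_clear(second, sizeof second);
}
```

The wipe goes after the comparison rather than inside the success branch so that adding a new early return later cannot reintroduce the leak; the field check works on unsigned bytes so that non-ASCII names pass while every C0 control byte and DEL are rejected.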
Action Recommended: Upgrade the binary packages built from the shadow source (login, passwd and uidmap) to 1:4.8.1-1+deb11u1 or later; `dpkg -l login passwd` shows the installed version. More details about the security status of Shadow can be found on the [Debian Security Tracker page](https://security-tracker.debian.org/tracker/shadow).
PostgreSQL Security Update (ELA-1398-1)
- CVE Identifier: CVE-2025-1094
- Overview:
- The libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() and PQescapeStringConn() did not properly neutralise quoting syntax: they took a character's length from its lead byte without verifying that the following bytes formed a valid multibyte sequence, so an invalid lead byte placed before a quote could swallow the quote and leave it unescaped. SQL injection results when an application uses the escaped result to build input for psql, the interactive terminal, which splits statements and interprets backslash meta-commands on the client side. The same class of issue affects the PostgreSQL command-line utilities when client_encoding is BIG5 and server_encoding is EUC_TW or MULE_INTERNAL.
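A simplified model of that defect class, as an added example in C; it is not libpq's code and does not use libpq. `escape_literal_unchecked()` takes each character's length from its UTF-8 lead byte and copies that many bytes verbatim, which is enough to reproduce the quote-swallowing behaviour, while `escape_literal_checked()` verifies each sequence and refuses invalid input instead of guessing. The attack string, the `has_unescaped_quote()` detector and the self-check functions are constructed for this example.

```c
/* Added example, not libpq's code: a byte-oriented literal escaper shown
 * with the defect class behind CVE-2025-1094, then hardened. */
#include <stddef.h>
#include <string.h>

/* Sequence length implied by a UTF-8 lead byte; 0 for a byte that cannot
 * start a character (stray continuation byte or 0xF8..0xFF). */
static size_t utf8_len_from_lead(unsigned char c)
{
    if (c < 0x80)           return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Defective pattern: trust the lead byte and copy that many bytes verbatim.
 * A lone lead byte followed by a quote makes the quote "part of a
 * character", so it is copied without being doubled. Returns the number of
 * bytes written; to must hold at least 2*len+1 bytes. */
size_t escape_literal_unchecked(char *to, const char *from, size_t len)
{
    const unsigned char *src = (const unsigned char *)from;
    char *dst = to;
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_len_from_lead(src[i]);
        if (n == 0)      n = 1;        /* copy junk bytes one at a time */
        if (n > len - i) n = len - i;  /* never read past the input */
        if (n == 1 && src[i] == '\'')
            *dst++ = '\'';             /* quotes are doubled only here */
        memcpy(dst, src + i, n);
        dst += n;
        i += n;
    }
    *dst = '\0';
    return (size_t)(dst - to);
}

/* Hardened: verify that every sequence is complete and that each trailing
 * byte is a continuation byte (10xxxxxx) before copying it, and refuse the
 * whole input otherwise. Structural check only; overlong forms and
 * surrogates would need a full validator. Returns 0 and sets *written on
 * success, -1 on invalid input (nothing usable is written). */
int escape_literal_checked(char *to, const char *from, size_t len,
                           size_t *written)
{
    const unsigned char *src = (const unsigned char *)from;
    char *dst = to;
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_len_from_lead(src[i]);
        if (n == 0 || n > len - i)
            return -1;
        for (size_t k = 1; k < n; k++)
            if ((src[i + k] & 0xC0) != 0x80)
                return -1;             /* a quote byte fails this test */
        if (n == 1 && src[i] == '\'')
            *dst++ = '\'';
        memcpy(dst, src + i, n);
        dst += n;
        i += n;
    }
    *dst = '\0';
    *written = (size_t)(dst - to);
    return 0;
}

/* Detector: 1 if the escaped bytes contain a quote that is not part of a
 * doubled pair, i.e. a quote psql would read as ending the literal. */
int has_unescaped_quote(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (s[i] != '\'')
            continue;
        if (i + 1 < n && s[i + 1] == '\'') { i++; continue; }
        return 1;
    }
    return 0;
}

/* Self-checks over constructed input, not real traffic. */
int demo_truncated_lead_byte_bypasses_escaping(void)
{
    const char attack[] = "\xc0' OR 1=1 --";   /* constructed attack string */
    char buf[2 * sizeof attack + 1];
    size_t w;
    size_t n = escape_literal_unchecked(buf, attack, sizeof attack - 1);
    int leaked  = has_unescaped_quote(buf, n);
    int refused = escape_literal_checked(buf, attack, sizeof attack - 1, &w) == -1;
    return leaked && refused;
}

int demo_valid_input_is_escaped(void)
{
    const char name[] = "caf\xc3\xa9 O'Reilly";  /* valid UTF-8 with a quote */
    char buf[2 * sizeof name + 1];
    size_t w;
    if (escape_literal_checked(buf, name, sizeof name - 1, &w) != 0)
        return 0;
    return !has_unescaped_quote(buf, w)
        && strcmp(buf, "caf\xc3\xa9 O''Reilly") == 0;
}
```

The important design choice is in the hardened version's failure mode: it reports an error rather than producing a best-effort string, because any output for an input it cannot parse would have to guess where the quote boundaries are, which is exactly the guess the attacker controls.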
Further Actions: Users of PostgreSQL 11 on Buster should upgrade to 11.22-0+deb10u5 or later. Because the flaw is in the client library and psql rather than the server, the fix matters for libpq5, libpq-dev and postgresql-client-11 (all built from the postgresql-11 source on Buster) as much as for postgresql-11, and long-running applications linked against libpq must be restarted to pick up the new library. Applications that feed escaped strings into psql, or that accept untrusted input in an encoding other than the connection's, are the ones most exposed.
Conclusion
Both updates are important for maintaining the security and integrity of Debian systems. Users should prioritise these upgrades and consult the provided links for detailed guidance on applying updates and understanding the vulnerabilities further. For more information on Debian LTS security advisories, users can visit the [Debian Wiki](https://wiki.debian.org/LTS).