Zabbix, Linux kernel, Python, Libsoup2.4 updates for Debian

Debian GNU/Linux has released several important security updates for its various distributions, specifically addressing vulnerabilities in Zabbix, the Linux kernel, Python, and Libsoup2.4. These updates are essential for users of Debian 9 (Jessie), 10 (Buster), 11 (Bullseye), and 12 (Bookworm).

Key Updates:

1. Zabbix (ELA-1409-1):
- Versions affected are 1:2.2.23+dfsg-0+deb8u10 (Jessie) and 1:4.0.4+dfsg-1+deb10u6 (Buster).
- Addresses several vulnerabilities tracked by CVE identifiers, including risks of XSS, code execution, information disclosure, and denial of service.
- Specific CVEs of concern include:
  - CVE-2024-22114: Unauthorized access to host statistics.
  - CVE-2024-22116: Code execution via script execution functionality by users with limited permissions.
  - CVE-2024-22122: AT command injection in SMS configuration, potentially allowing remote command execution.
  - CVE-2024-45700: Denial of service vulnerability through resource exhaustion.

2. Linux Kernel (DSA 5907-1):
- Addresses multiple vulnerabilities, including privilege escalation and denial of service.
- The issues have been fixed in version 6.1.135-1 for the stable release (Bookworm).

3. Python (ELA-1410-1):
- Vulnerability in Python 3.7.3-2+deb10u10 (Buster) related to improper Unicode encoding in email headers (CVE-2025-1795).

4. Libsoup2.4 (DLA 4140-1):
- Version 2.72.0-2+deb11u2 (Bullseye) addresses numerous vulnerabilities, including buffer over-reads and null pointer dereferences that could lead to crashes or memory corruption.

Recommendations:
- Users of Debian are strongly advised to update their systems to mitigate the risks posed by these vulnerabilities.
- For detailed security status and guidance on applying these updates, users can refer to the Debian security tracker and related advisories.

Conclusion:
The recent updates demonstrate Debian's commitment to maintaining security across its distributions. Users should remain proactive in applying updates and monitoring for any new vulnerabilities that may arise in the future.

Debian GNU/Linux has issued multiple security updates, which include Zabbix, Linux kernel, Python, and Libsoup2.4:

Debian GNU/Linux 9 (Jessie) and 10 (Buster) Extended LTS:
ELA-1409-1 zabbix security update

Debian GNU/Linux 10 (Buster):
ELA-1410-1 python3.7 security update

Debian GNU/Linux 11 (Bullseye):
[DLA 4140-1] libsoup2.4 security update

Debian GNU/Linux 12 (Bookworm):
[DSA 5907-1] linux security update

Zabbix, Linux kernel, Python, Libsoup2.4 updates for Debian @ Linux Compatible