
Debian alert DLA-3819-1 (fossil)

From:  rouca@debian.org
To:  <debian-lts-announce@lists.debian.org>
Subject:  [SECURITY] [DLA 3819-1] fossil security update
Date:  Sat, 25 May 2024 11:32:53 +0000
Message-ID:  <f2b025227b10e0a4a84fa4c03875dabf.rouca@debian.org>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3819-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
May 25, 2024                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : fossil
Version        : 1:2.8-1+deb10u1
CVE ID         : CVE-2024-24795
Debian Bug     : 1070069

Fossil was broken by the fixes for CVE-2024-24795 in the apache2 package,
and needed an update.

As part of the security fix, the Apache webserver mod_cgi module has
stopped relaying the Content-Length field of the HTTP reply header from
the CGI programs back to the client in cases where the connection is to
be closed and the client is able to read until end-of-file.

Fossil was fixed by reading the whole input, re-allocating the input
buffer to fit as more input is received, instead of trusting the
CONTENT_LENGTH variable.

For Debian 10 buster, this problem has been fixed in version
1:2.8-1+deb10u1.

We recommend that you upgrade your fossil packages.

For the detailed security status of fossil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fossil

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

