[SECURITY] [DLA 3819-1] fossil security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3819-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
May 25, 2024 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : fossil
Version : 1:2.8-1+deb10u1
CVE ID : CVE-2024-24795
Debian Bug : 1070069
Fossil was broken by fixes of CVE-2024-24795 for apache2 package,
and needed an update.
As part of the security fix, the Apache webserver
mod_cgi module has stopped relaying the Content-Length field
of the HTTP reply header from the CGI programs back to the client
in cases where the connection is to be closed and the client
is able to read until end-of-file.
Fossil was fixed by reading the whole input,
re-allocating the input buffer to fit as more input is received,
instead of trusting the CONTENT_LENGTH variable.
For Debian 10 buster, this problem has been fixed in version
1:2.8-1+deb10u1.
We recommend that you upgrade your fossil packages.
For the detailed security status of fossil please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/fossil
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmZRzGQACgkQADoaLapB
CF843g/5ATCi2HdJXx6CL49jMLG0q7UmnwkktLMukiKnnF7khnEnTALqnF6XMwau
an47cEOoQUJ8nYRAVq/OjisAG6S3ymPMn5xBqaI21OmcJ2Zk//27LEorYnYD/nod
5huA57QMQ1oQtgHh2rf5JvgzIakEfGbWBQZ6QFl31AeBOEkoCCvi1IjJxmKG1UEh
SLliCW41hgY5R34rQwDisnuwnVdgn94kpaB3xhbwGxUIJEH+MMFcYzUsZijHoe4a
rhApY1w9vAO4MGiPxM8s1wGevRRzRl83h5ZQ9/nAAHUk5kyj4RAVZXswPj6KfXqh
0AYgY5yokQ+JyHNOVEjNtzBZN3KMLHJNnASO8HZtE5ZLW4I/QQbzo3PiuXoNtS3d
rOcEOLAlAbYZhdKZaVISyOrWOb2rL8QmrykLoY97bPOjH4nMduTs8FdgncCFBDAl
qopO6g/80ezLNyjF3Ajg2k92MXn+s7n/4kv1poSiXO//To4VFv0tJ8eaHIXfZLxF
75AoDk3iFHi823pDarFsk9ICxxMEbUgp42DRIDxUARhRJ4zP3ivE2oVtKVwQ9PfS
CbfZNBq86sDzmrtR5qg1KuKfH/tqxuu4/4Lr1QhMNQxABdW6xXuSn25aufCH9mmM
j2dTLSOTn26fUzAaEE2W8PV6WlqPXwuQkDmnyHfg0ztS5XzMbGQ=
=/hiX
-----END PGP SIGNATURE-----
Reply to: