[CLSA-2024:1734028058] Fix CVE(s): CVE-2024-11003, CVE-2024-48990, CVE-2024-48991, CVE-2024-48992

Type:

security

Severity:

Moderate

Release date:

2024-12-12 18:27:43 UTC

Description:

   * SECURITY UPDATE: Prevent running the Python interpreter with an
     attacker-controlled PYTHONPATH environment variable
     - debian/patches/CVE-2024-48990-CVE-2024-48991.patch: do not set
       PYTHONPATH environment variable to prevent a LPE and prevent
       race condition on /proc/$PID/exec evaluation
     - CVE-2024-48990
     - CVE-2024-48991
   * SECURITY UPDATE: Prevent running the Ruby interpreter with an
     attacker-controlled RUBYLIB environment variable
     - debian/patches/CVE-2024-48992.patch: do not set RUBYLIB environment
       variable to prevent a LPE
     - CVE-2024-48992
   * SECURITY UPDATE: Prevent running the Ruby interpreter with an
     attacker-controlled RUBYLIB environment variable
     - debian/patches/CVE-2024-11003.patch, debian/control: drop usage of
       Module::ScanDeps to prevent LPE
     - CVE-2024-11003

Updated packages:

needrestart_2.6-1+tuxcare.els1_all.deb
sha:3e0857f8f1a0f57d6460d11c5f04be5a08ac32bd

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.