- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3957-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                 Salvatore Bonaccorso
November 19, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : needrestart
Version        : 3.5-4+deb11u4
CVE ID         : CVE-2024-11003 CVE-2024-48990 CVE-2024-48991 CVE-2024-48992

The Qualys Threat Research Unit discovered several local privilege
escalation vulnerabilities in needrestart, a utility to check which
daemons need to be restarted after library upgrades. A local attacker
can execute arbitrary code as root by tricking needrestart into running
the Python interpreter with an attacker-controlled PYTHONPATH
environment variable (CVE-2024-48990) or running the Ruby interpreter
with an attacker-controlled RUBYLIB environment variable
(CVE-2024-48992).  Additionally a local attacker can trick needrestart
into running a fake Python interpreter (CVE-2024-48991) or cause
needrestart to call the Perl module Module::ScanDeps with
attacker-controlled files (CVE-2024-11003).

Details can be found in the Qualys advisory at
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

For Debian 11 bullseye, these problems have been fixed in version
3.5-4+deb11u4.

We recommend that you upgrade your needrestart packages.

For the detailed security status of needrestart please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/needrestart

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS