The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5638 advisory.

    -----BEGIN PGP SIGNED MESSAGE-----     Hash: SHA512

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5638-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     March 10, 2024                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : libuv1     CVE ID         : CVE-2024-24806     Debian Bug     : 1063484

    It was discovered that the uv_getaddrinfo() function in libuv, an     asynchronous event notification library, incorrectly truncated certain     hostnames, which may result in bypass of security measures on internal     APIs or SSRF attacks.

    For the oldstable distribution (bullseye), this problem has been fixed     in version 1.40.0-2+deb11u1.

    For the stable distribution (bookworm), this problem has been fixed in     version 1.44.2-1+deb12u1.

    We recommend that you upgrade your libuv1 packages.

    For the detailed security status of libuv1 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libuv1

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmXtrrFfFIAAAAAALgAo     aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2     NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND     z0TOBw//UDY7qqzhavYjzvVxQ6ka9PGfBLJcRXhMjpwH5JxR6T0KOqCQkasoXCxm     NTSzczr0zrtU4Hdtv6tb/E5QfemTpdEfMOtuuKxhQ3jrQNjnqtfDD5ouomrckxMc     PtB3SsJ0e1BV97ORDEqrym39VQTIaVgxdZwXU5/mcqaboZx8uxv8XjaDURhAU1eY     z5PDno6bTg/zL7bSSugTnxSPHwokv4FICxaG8rR6y6drbI7hndsx+LL+sXs426O8     xDzro+deanl3i9kdXxQujhTxJA+7vUTeaCl8rLFs7kOyNxDbCVADYc+Cc0h8Z0xn     v/xNDYkIMprGcUx2QgW9mwfDgKGxDVtltPwb6oIBsKzrYBF/gVUqM5aym3VquS8n     +lL7+uA0ZHKMxeQRrCtHCIoDUAhjVarQPqbxIX92tftSIRHU7e8Qfmyo7PdbPs9U     C4zUUwIwQ6UtRR8OWIKE8IFa+BRxL2/3KCDjDvpK60VUfanRqdF7zcvifFQMw9mq     J/s/IIY6Unhvk9/6QSKrNiaLnFBOVBZ4E4A5OU6W1KAKvixlH8bmv0XCgrlDr2fx     /7+Xn8wNA86qPAd9/t6DAVzyjdlis+P6LYzAfrAguWQQS0xkDW+5OQqV3wyKvK1m     9PRJK4vfmiX5kw+VclGbJM4ToaKOLbSlns/QNhHuRw2RDem0/+s=     =ai3N
    -----END PGP SIGNATURE-----



Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dsa-5638 : libuv1 - security update

high Nessus Plugin ID 191783

Version 1.1

Version 1.0

Version 1.1 Jan 24, 2025, 9:25 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202501242125
Version 1.0 Mar 10, 2024, 10:44 PM New Plugin Feed: 202403102244