Debian dla-4513 : gvfs - security update

medium Nessus Plugin ID 304178

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4513 advisory.

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4513-1 [email protected]
https://www.debian.org/lts/security/ Andreas Henriksson
March 28, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : gvfs
Version : 1.46.2-2+deb11u1
CVE ID : CVE-2026-28295 CVE-2026-28296
Debian Bug : 1129285 1129286

Codean Labs found that gvfs, a virtual filesystem implementation, was affected by multiple vulnerabilities, including an FTP bounce attack, which could allow probing of open ports on the client's network, and improper CRLF validation, which could allow an attacker to inject arbitrary FTP commands.

CVE-2026-28295

A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

CVE-2026-28296

A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
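The two client-side checks the advisory implies, shown as an added example and not gvfs code: a PASV reply is only honoured when the announced address matches the control connection's peer (closing the bounce described under CVE-2026-28295), and a path is refused before it is spliced into a command if it contains CR or LF (the CVE-2026-28296 condition). Function names and the `control_peer` parameter are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Parse an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
 * Returns 1 and fills host/port on success, 0 on malformed input. */
int parse_pasv(const char *reply, char *host, size_t hostlen, unsigned *port)
{
    const char *p = strchr(reply, '(');
    unsigned h1, h2, h3, h4, p1, p2;
    if (!p || sscanf(p, "(%u,%u,%u,%u,%u,%u)", &h1, &h2, &h3, &h4, &p1, &p2) != 6)
        return 0;
    if (h1 > 255 || h2 > 255 || h3 > 255 || h4 > 255 || p1 > 255 || p2 > 255)
        return 0;
    snprintf(host, hostlen, "%u.%u.%u.%u", h1, h2, h3, h4);
    *port = p1 * 256 + p2;
    return 1;
}

/* Bounce mitigation: accept a data endpoint only on the same address the
 * control connection is already talking to (control_peer is supplied by
 * the caller, e.g. from getpeername() on the control socket). */
int pasv_target_allowed(const char *reply, const char *control_peer)
{
    char host[16];
    unsigned port;
    if (!parse_pasv(reply, host, sizeof host, &port) || port == 0)
        return 0;
    return strcmp(host, control_peer) == 0;
}

/* CRLF mitigation: a path about to be placed on an FTP command line must
 * not contain a carriage return or line feed, which would end the command. */
int ftp_path_is_safe(const char *path)
{
    for (; *path; path++)
        if (*path == '\r' || *path == '\n')
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample replies: the first matches the control peer, the
     * second points the client at a different host on an internal port. */
    printf("same host: %d\n", pasv_target_allowed("227 Entering Passive Mode (192,0,2,10,4,1)", "192.0.2.10"));
    printf("other host: %d\n", pasv_target_allowed("227 Entering Passive Mode (10,0,0,5,0,22)", "192.0.2.10"));
    printf("crlf path: %d\n", ftp_path_is_safe("pub/x\r\nDELE notes.txt"));
    return 0;
}
```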

For Debian 11 bullseye, these problems have been fixed in version 1.46.2-2+deb11u1.

We recommend that you upgrade your gvfs packages.

For the detailed security status of gvfs please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gvfs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the gvfs packages.

See Also

https://security-tracker.debian.org/tracker/source-package/gvfs

https://security-tracker.debian.org/tracker/CVE-2026-28295

https://security-tracker.debian.org/tracker/CVE-2026-28296

https://packages.debian.org/source/bullseye/gvfs

Plugin Details

Severity: Medium

ID: 304178

File Name: debian_DLA-4513.nasl

Version: 1.2

Type: local

Agent: unix

Published: 3/28/2026

Updated: 3/30/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-28296

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:gvfs-backends, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:gvfs-common, p-cpe:/a:debian:debian_linux:gvfs-libs, p-cpe:/a:debian:debian_linux:gvfs-daemons, p-cpe:/a:debian:debian_linux:gvfs-bin, p-cpe:/a:debian:debian_linux:gvfs, p-cpe:/a:debian:debian_linux:gvfs-fuse

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 3/28/2026

Vulnerability Publication Date: 2/26/2026

Reference Information

CVE: CVE-2026-28295, CVE-2026-28296