During the month of November 2024 and on behalf of Freexian, I worked on the
following:

opensc
------

Kept backporting more fixes for known vulnerabilities, notably
CVE-2023-5992, CVE-2023-40660 and CVE-2023-40661, but didn't upload yet
as more security issues need to be fixed first.  Work is ongoing for the
remaining CVEs.

lemonldap-ng
------------

Uploaded 2.0.11+ds-4+deb11u6 and issued DLA-3979-1.
https://lists.debian.org/msgid-search/[email protected]

  * CVE-2024-48933: XSS vulnerability in the login page when
    ‘userControl’ has been set to a non-default value that allows
    special HTML characters.
  * CVE-2024-52946: Improper Check during session refresh which allows
    an authenticated user to raise their authentication level under
    specific "Adaptative authentication rule".
  * CVE-2024-52947: XSS vulnerability in the upgrade session
    confirmation page (upgradeSession)

Also, released ELA-1263-1 fixing CVE-2024-48933 and CVE-2024-52947 (the
buster version is immune to the 3rd issue as the Adaptative Authentication
Plugin was introduced later).

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
