[SECURITY] [DLA 3796-1] mediawiki security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3796-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
April 27, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.31.16-1+deb10u8
CVE ID         : CVE-2023-51704

Security vulnerabilities were found in mediawiki, a website engine for collaborative work, that could lead to information disclosure, privilege escalation, or denial of service.

CVE-2023-51704

    group-.*-member messages were not properly escaped on Special:log/rights.

CVE-2024-PENDING

    It was discovered that Special:MovePage did not limit nor truncate the list of subpages, which could lead to denial of service when. (The CVE ID for this issue has not been assigned yet.)

For Debian 10 buster, this problem has been fixed in version 1:1.31.16-1+deb10u8.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3782-1] util-linux security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3782-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
April 07, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : util-linux
Version        : 2.33.1-0.1+deb10u1
CVE ID         : CVE-2021-37600 CVE-2024-28085
Debian Bug     : 826596 991619 1067849

CVE-2024-28085

    Skyler Ferrante discovered that the wall(1) utility found in util-linux, a collection of system utilities for Linux, does not filter escape sequences from command line arguments. This allows unprivileged local users to put arbitrary text on other users' terminals if mesg is set to ‘y’ and the wall executable is setgid, which could lead to information disclosure. With this update the wall executable is no longer installed setgid tty.

CVE-2021-37600

    Kihong Heo found an integer overflow which can potentially lead to a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this issue is unexploitable in GNU C Library environments, and possibly in all realistic environments.

For Debian 10 buster, these problems have been fixed in version 2.33.1-0.1+deb10u1.

We recommend that you upgrade your util-linux packages.

For the detailed security status of util-linux please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/util-linux

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
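The defensive counterpart of the wall(1) issue above, as an added example that is not code from util-linux or from the advisory: a filter that strips terminal escape sequences and control characters from a message before it is written to another user's terminal. It handles CSI, the BEL/ST-terminated string commands (OSC, DCS, APC, PM), two-byte escapes and the UTF-8 encoded C1 range; that is a practical subset, not a full ECMA-48 parser, and the function names and sample message are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src to dst (capacity dstsz; always NUL-terminated), dropping ANSI
 * escape sequences and control characters other than newline and tab.
 * Bytes >= 0x80 are passed through as UTF-8, except the UTF-8 encoding of
 * the C1 control range (C2 80..C2 9F), which is dropped as well.
 * Returns the number of bytes written, not counting the NUL. */
size_t sanitize_for_tty(const char *src, char *dst, size_t dstsz)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t o = 0;

    if (dstsz == 0)
        return 0;
    while (*p) {
        unsigned char c = *p;
        if (c == 0x1b) {                      /* ESC: drop the whole sequence */
            p++;
            if (*p == '[') {                  /* CSI: ESC [ params, final byte 0x40..0x7e */
                p++;
                while (*p && (*p < 0x40 || *p > 0x7e))
                    p++;
                if (*p)
                    p++;
            } else if (*p == ']' || *p == 'P' || *p == '_' || *p == '^') {
                p++;                          /* OSC/DCS/APC/PM: ends with BEL or ESC \ */
                while (*p) {
                    if (*p == 0x07) { p++; break; }
                    if (*p == 0x1b && p[1] == '\\') { p += 2; break; }
                    p++;
                }
            } else if (*p) {
                p++;                          /* two-byte escape, e.g. ESC c (reset) */
            }
            continue;
        }
        if (c == 0xc2 && p[1] >= 0x80 && p[1] <= 0x9f) {
            p += 2;                           /* UTF-8 encoded C1 control (e.g. CSI 0x9b) */
            continue;
        }
        if ((c < 0x20 && c != '\n' && c != '\t') || c == 0x7f) {
            p++;                              /* other C0 control or DEL */
            continue;
        }
        if (o + 1 >= dstsz)
            break;                            /* out of room: truncate, keep the NUL */
        dst[o++] = (char)c;
        p++;
    }
    dst[o] = '\0';
    return o;
}

/* Convenience wrapper returning a static buffer (used by main and by tests). */
const char *sanitized(const char *src)
{
    static char buf[256];
    sanitize_for_tty(src, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed message: text plus a colour change and a window-title OSC. */
    const char *msg = "deploy done \x1b[32mOK\x1b[0m\x1b]0;not a title\x07" "\n";
    printf("%s", sanitized(msg));             /* prints: deploy done OK */
    return 0;
}
```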
Debian LTS report for March 2024
During the month of March 2024 and on behalf of Freexian, I worked on the following:

phpseclib
---------

  Uploaded 1.0.19-3~deb10u3 and issued DLA-3749-1.
  https://lists.debian.org/msgid-search/?m=zeck08zg6y-jz...@debian.org

  * CVE-2024-27354: An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service.
  * CVE-2024-27355: When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service.

php-phpseclib
-------------

  Uploaded 2.0.30-2~deb10u3 and issued DLA-3750-1.
  https://lists.debian.org/msgid-search/?m=zeck396hzvnxm...@debian.org

  * CVE-2024-27354: An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service.
  * CVE-2024-27355: When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service.

dask.distributed
----------------

  Ended up triaging the package after further testing and bisecting. (CVE-2021-42343 was unreproducible with <2.0 and likely introduced in 2.0.0.)

spip
----

  Uploaded 3.2.4-1+deb10u13 and issued DLA-3761-1.
  https://lists.debian.org/msgid-search/?m=zfrhisygvwitl...@debian.org

  * CVE-2023-52322: XSS vulnerability because input from _request() is not sanitized.

nodejs
------

  Uploaded 10.24.0~dfsg-1~deb10u4 and issued DLA-3776-1.
  https://lists.debian.org/msgid-search/?m=zgnrglwvgme2a...@debian.org

  * CVE-2023-30590: Documentation change for generateKeys() API function to align on the actual behavior, that is, only generate a private key if none has been set yet.
  * CVE-2023-46809: Marvin Attack vulnerability in the privateDecrypt() API of the crypto library. This is a timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding. The fix disables RSA_PKCS1_PADDING and includes a security revert flag that can be used to restore support (and the vulnerability).
  * CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli decoding.
  * Also backport upstream commit a1121b456c (unit tests for CVE-2022-32212).
  * Fix DNS unit tests which caused FTBFS in some build environments.

libvirt
-------

  Uploaded 5.0.0-4+deb10u2 and issued DLA-3778-1.
  https://lists.debian.org/msgid-search/?m=zgqmnnznsz4ap...@debian.org
  (The upload was done on April 1st but all backport and testing work was done in March.)

  * CVE-2020-10703: NULL pointer dereference in the libvirt API that is responsible for fetching a storage pool based on its target path.
  * CVE-2020-12430: Memory leak in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests.
  * CVE-2020-25637: Double free memory issue in the libvirt API that is responsible for requesting information about network interfaces of a running QEMU domain.
  * CVE-2021-3631: SELinux MCS may be accessed by another machine.
  * CVE-2021-3667: Improper locking in the virStoragePoolLookupByTargetPath API.
  * CVE-2021-3975: Use-after-free vulnerability. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock.
  * CVE-2021-4147: Deadlock and crash in libxl driver.
  * CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters.
  * CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus() function.
  * CVE-2024-2494: Missing check for negative array lengths in RPC server de-serialization routines.
  * CVE-2024-2496: NULL pointer dereference in the udevConnectListAllInterfaces() function.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
[SECURITY] [DLA 3778-1] libvirt security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3778-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
April 01, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libvirt
Version        : 5.0.0-4+deb10u2
CVE ID         : CVE-2020-10703 CVE-2020-12430 CVE-2020-25637 CVE-2021-3631
                 CVE-2021-3667 CVE-2021-3975 CVE-2021-4147 CVE-2022-0897
                 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496
Debian Bug     : 959447 971555 990709 991594 1002535 1009075 1066058 1067461

Multiple vulnerabilities were found in libvirt, a C toolkit to interact with the virtualization capabilities of Linux, which could lead to denial of service or information disclosure.

CVE-2020-10703

    A NULL pointer dereference was found in the libvirt API that is responsible for fetching a storage pool based on its target path. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD. Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service.

CVE-2020-12430

    A memory leak was found in the virDomainListGetStats libvirt API that is responsible for retrieving domain statistics when managing QEMU guests. This flaw allows unprivileged users with a read-only connection to cause a memory leak in the domstats command, resulting in a potential denial of service.

CVE-2020-25637

    A double free memory issue was found in the libvirt API that is responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-3631

    An issue was found in the generation of SELinux MCS category pairs for VMs' dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out of sVirt confinement.

CVE-2021-3667

    An improper locking issue was found in the virStoragePoolLookupByTargetPath API. It occurs in the storagePoolLookupByTargetPath function where a locked virStoragePoolObj object is not properly released on ACL permission failure. Clients connecting to the read-write socket with limited ACL permissions could use this flaw to acquire the lock and prevent other users from accessing storage pool/volume APIs, resulting in a denial of service condition.

CVE-2021-3975

    A use-after-free issue was found in libvirt in qemuProcessHandleMonitorEOF(), where the qemuMonitorUnregister() function is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2021-4147

    Jim Fehlig discovered that a malicious guest using the libxl driver could cause libvirtd on the host to deadlock or crash when continuously rebooting itself.

CVE-2022-0897

    A flaw was found in the libvirt nwfilter driver. The virNWFilterObjListNumOfNWFilters method failed to acquire the driver->nwfilters mutex before iterating over virNWFilterObj instances. There was no protection to stop another thread from concurrently modifying the driver->nwfilters object. This flaw allows a malicious, unprivileged user to exploit this issue via libvirt's API virConnectNumOfNWFilters to crash the network filter management daemon (libvirtd/virtnwfilterd).

CVE-2024-1441

    An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client to perform a denial of service attack by causing the libvirt daemon to crash.

CVE-2024-2494

    The ALT Linux Team discovered that the RPC server deserialization code allocates memory for arrays before the non-negative length check is performed by the C API entry points. Passing a negative length therefore results in a crash due to the negative length being treated as a huge positive number. This flaw
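The ordering problem behind CVE-2024-2494, shown the right way round as an added example (my own code, not libvirt's RPC or XDR layer): a decoder for a length-prefixed array that rejects a negative length, a length over a protocol cap, and a length the buffer cannot hold, all before any allocation happens. The wire layout, `MAX_ARRAY_LEN`, the function names and the sample messages are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound on array length; a real decoder derives it from
 * the protocol's maximum message size. */
#define MAX_ARRAY_LEN 16384u

static uint32_t rd_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode "<int32 length><length x uint32>" (XDR-style, big-endian) from buf.
 * Every check runs BEFORE the allocation: the sign bit of the length field,
 * the protocol cap, and whether the buffer can even hold that many items.
 * Returns 0 and hands back a calloc'd array, or a negative errno value. */
int decode_u32_array(const uint8_t *buf, size_t buflen,
                     uint32_t **out, size_t *outn)
{
    *out = NULL;
    *outn = 0;
    if (buflen < 4)
        return -EINVAL;
    uint32_t raw = rd_u32(buf);
    /* The wire field is a signed int. With the sign bit set it is negative;
     * converting it to size_t first would request a ~4 GiB allocation. */
    if (raw & 0x80000000u)
        return -EINVAL;
    size_t n = raw;
    if (n > MAX_ARRAY_LEN)
        return -E2BIG;
    if (n > (buflen - 4) / 4)                 /* more elements than bytes */
        return -EINVAL;
    if (n == 0)
        return 0;
    uint32_t *arr = calloc(n, sizeof *arr);
    if (arr == NULL)
        return -ENOMEM;
    for (size_t i = 0; i < n; i++)
        arr[i] = rd_u32(buf + 4 + 4 * i);
    *out = arr;
    *outn = n;
    return 0;
}

/* Decode, sum the elements and free the array; returns the decoder status.
 * Exists so callers and tests can check results without managing memory. */
int decode_and_sum(const uint8_t *buf, size_t buflen, size_t *n, uint64_t *sum)
{
    uint32_t *arr;
    int rc = decode_u32_array(buf, buflen, &arr, n);
    *sum = 0;
    if (rc == 0) {
        for (size_t i = 0; i < *n; i++)
            *sum += arr[i];
        free(arr);
    }
    return rc;
}

/* Constructed sample messages. */
const uint8_t MSG_OK[]    = { 0, 0, 0, 2,  1, 2, 3, 4,  0, 0, 0, 5 }; /* len 2: 0x01020304, 5 */
const uint8_t MSG_NEG[]   = { 0xff, 0xff, 0xff, 0xff };             /* len -1 */
const uint8_t MSG_SHORT[] = { 0, 0, 0x03, 0xe8,  0, 0, 0, 1 };       /* len 1000, one item present */

int main(void)
{
    size_t n;
    uint64_t sum;
    printf("ok:    rc=%d n=%zu sum=%llu\n",
           decode_and_sum(MSG_OK, sizeof MSG_OK, &n, &sum), n, (unsigned long long)sum);
    printf("neg:   rc=%d\n", decode_and_sum(MSG_NEG, sizeof MSG_NEG, &n, &sum));
    printf("short: rc=%d\n", decode_and_sum(MSG_SHORT, sizeof MSG_SHORT, &n, &sum));
    return 0;
}
```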
[SECURITY] [DLA 3776-1] nodejs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3776-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
March 26, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nodejs
Version        : 10.24.0~dfsg-1~deb10u4
CVE ID         : CVE-2023-30590 CVE-2023-46809 CVE-2024-22025
Debian Bug     : 1039990 1064055

Vulnerabilities have been found in Node.js, which could lead to denial of service or information disclosure.

CVE-2023-30590

    Ben Smyth reported an inconsistency between the implementation and the documented design of the generateKeys() API function, which only generates missing (or outdated) keys, that is, it only generates a private key if none has been set yet. The documented behavior has been updated to reflect the current implementation.

CVE-2023-46809

    It was discovered that Node.js was vulnerable to the Marvin Attack, allowing a covert timing side-channel during PKCS#1 v1.5 padding error handling. An attacker could remotely exploit the vulnerability to decrypt captured RSA ciphertexts or forge signatures, especially in scenarios involving API endpoints processing JSON Web Encryption messages. The fix disables RSA_PKCS1_PADDING for crypto.privateDecrypt(), and includes a security revert flag that can be used to restore support (and the vulnerability).

CVE-2024-22025

    It was discovered that Node.js was vulnerable to Denial of Service by resource exhaustion in fetch() brotli decoding.

For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u4.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3761-1] spip security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3761-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
March 15, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : spip
Version        : 3.2.4-1+deb10u13
CVE ID         : CVE-2023-52322
Debian Bug     : 1059331

Hatim Chabik discovered a cross-site scripting (XSS) vulnerability in spip, a content management system, which can lead to privilege escalation or information disclosure.

For Debian 10 buster, this problem has been fixed in version 3.2.4-1+deb10u13.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/spip

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3750-1] php-phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3750-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
March 05, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php-phpseclib
Version        : 2.0.30-2~deb10u3
CVE ID         : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in php-phpseclib, a PHP library for arbitrary-precision integer arithmetic, which could lead to Denial of Service.

CVE-2024-27354

    An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an `isPrime` primality check). This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

    When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version 2.0.30-2~deb10u3.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3749-1] phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3749-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
March 05, 2024                        https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : phpseclib
Version        : 1.0.19-3~deb10u3
CVE ID         : CVE-2024-27354 CVE-2024-27355

Security issues were discovered in phpseclib, a PHP library for arbitrary-precision integer arithmetic, which could lead to Denial of Service.

CVE-2024-27354

    An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an `isPrime` primality check). This issue was introduced when attempting to fix CVE-2023-27560.

CVE-2024-27355

    When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for `decodeOID`).

For Debian 10 buster, these problems have been fixed in version 1.0.19-3~deb10u3.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for February 2024
During the month of February 2024 and on behalf of Freexian, I worked on the following:

gnutls28
--------

  Uploaded 3.6.7-4+deb10u12 and issued DLA-3740-1
  https://lists.debian.org/msgid-search/?m=zdxck-hkepfc8...@debian.org

  * CVE-2024-0553: Timing side-channel attack in the RSA-PSK key exchange.

nodejs
------

  * Backported upstream fix for CVE-2024-22025 (DoS by resource exhaustion in fetch() brotli decoding) and fixed the upstream test suite.
  * Started working on a fix for CVE-2023-46809 (Marvin Attack, timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) but this is still work in progress.

dask.distributed
----------------

  * Fix failing DEP-8 tests for buster.
  * Started working on a fix for CVE-2021-42343 but didn't upload yet.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
[SECURITY] [DLA 3740-1] gnutls28 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3740-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
February 26, 2024                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : gnutls28
Version        : 3.6.7-4+deb10u12
CVE ID         : CVE-2024-0553
Debian Bug     : 1061046

Hubert Kario discovered that GnuTLS, a portable library which implements the Transport Layer Security and Datagram Transport Layer Security protocols, was vulnerable to a timing side-channel attack in the RSA-PSK key exchange, which could lead to leakage of sensitive data. The issue stems from an incomplete resolution for CVE-2023-5981. This vulnerability is also known as GNUTLS-SA-2024-01-14.

For Debian 10 buster, this problem has been fixed in version 3.6.7-4+deb10u12.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for January 2024
During the month of January 2024 and on behalf of Freexian, I worked on the following:

php-phpseclib
-------------

  Uploaded 2.0.30-2~deb10u2 and issued DLA-3718-1
  https://lists.debian.org/msgid-search/?m=zbhgvxygvemfp...@debian.org

  * CVE-2023-48795: Terrapin attack

phpseclib
---------

  Uploaded 1.0.19-3~deb10u2 and issued DLA-3719-1
  https://lists.debian.org/msgid-search/?m=zbhgxnppbffqp...@debian.org

  * CVE-2023-48795: Terrapin attack

libspreadsheet-parsexlsx-perl
-----------------------------

  Uploaded 0.27-2+deb10u1 and issued DLA-3723-1
  https://lists.debian.org/msgid-search/?m=zbvpetjbe-uyu...@debian.org

  * CVE-2024-22368: Out-of-memory condition during parsing of a crafted XLSX document.
  * CVE-2024-23525: XXE attacks due to missing ‘no_xxe’ option of XML::Twig.

dropbear
--------

  Turns out the version shipped in buster isn't vulnerable to CVE-2023-48795 (Terrapin) as neither ChaCha20-Poly1305 nor *-EtM are supported. But the versions shipped in both bullseye and bookworm were vulnerable and I uploaded 2020.81-3+deb11u1 resp. 2022.83-1+deb12u1 via (o)s-pu. For bullseye, I also mitigated CVE-2021-36369 by backporting the addition of -oDisableTrivialAuth=yes.

tinyxml
-------

  Uploaded 2.6.2-4+deb11u2 resp. 2.6.2-6+deb12u1 via (o)s-pu. (The fix for buster-security was done last month with DLA-3701-1)

  * CVE-2023-34194: Reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

xerces-c
--------

  Uploaded 3.2.3+debian-3+deb11u1 via os-pu. (The fix for buster-security was done last month with DLA-3704-1.)

  * CVE-2023-37536: Integer overflow via crafted .xsd files, which can lead to out-of-bounds access.
  * Replace RedHat's mitigation patch for CVE-2018-1311 (which introduced a memory leak) with the upstream-vetted change.

gnutls28
--------

  Backported CVE-2024-0553 (side-channel leakage in RSA-PSK ciphersuites, which stems from an incomplete resolution for CVE-2023-5981) and investigated whether CVE-2024-0567 (assertion failure on cycle of cross-signed signatures of multiple CA) applies to buster, but haven't uploaded the fix yet.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
[SECURITY] [DLA 3723-1] libspreadsheet-parsexlsx-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3723-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
January 27, 2024                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libspreadsheet-parsexlsx-perl
Version        : 0.27-2+deb10u1
CVE ID         : CVE-2024-22368 CVE-2024-23525
Debian Bug     : 1061098

Security vulnerabilities were found in libspreadsheet-parsexlsx-perl, a Perl module to parse XLSX files, which could lead to denial of service or server-side request forgery via crafted input.

CVE-2024-22368

    Le Dinh Hai discovered that the memoize implementation allows an attacker to allocate an arbitrary memory size, which could lead to denial of service via memory exhaustion.

CVE-2024-23525

    An Pham discovered an XML external entity (XXE) vulnerability via crafted input, which could lead to denial of service or server-side request forgery.

For Debian 10 buster, these problems have been fixed in version 0.27-2+deb10u1.

We recommend that you upgrade your libspreadsheet-parsexlsx-perl packages.

For the detailed security status of libspreadsheet-parsexlsx-perl please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libspreadsheet-parsexlsx-perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3719-1] phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3719-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
January 25, 2024                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : phpseclib
Version        : 1.0.19-3~deb10u2
CVE ID         : CVE-2023-48795

It was discovered that phpseclib, a PHP library for arbitrary-precision integer arithmetic, was vulnerable to the so-called Terrapin Attack.

The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC).

For Debian 10 buster, this problem has been fixed in version 1.0.19-3~deb10u2.

We recommend that you upgrade your phpseclib packages.

For the detailed security status of phpseclib please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/phpseclib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3718-1] php-phpseclib security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3718-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
January 25, 2024                      https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php-phpseclib
Version        : 2.0.30-2~deb10u2
CVE ID         : CVE-2023-48795

It was discovered that php-phpseclib, a PHP library for arbitrary-precision integer arithmetic, was vulnerable to the so-called Terrapin Attack.

The SSH transport protocol with certain OpenSSH extensions allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC).

For Debian 10 buster, this problem has been fixed in version 2.0.30-2~deb10u2.

We recommend that you upgrade your php-phpseclib packages.

For the detailed security status of php-phpseclib please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-phpseclib

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for December 2023
During the month of December 2023 and on behalf of Freexian, I worked on the following:

ncurses
-------

  Uploaded 6.1+20181013-2+deb10u5 and issued DLA-3682-1
  https://lists.debian.org/msgid-search/?m=zwznc9mam3buc...@debian.org

  * CVE-2021-39537: The tic(1) utility was susceptible to a heap overflow on crafted input due to improper bounds checking.
  * CVE-2023-29491: Local users could trigger security-relevant memory corruption via a crafted terminfo database file. ncurses now further restricts programs running with elevated privileges (setuid/setgid programs). This change aligns ncurses' behavior in buster-security with that of Bullseye's latest point release (6.2+20201114-2+deb11u2).

roundcube
---------

  Uploaded 1.3.17+dfsg.1-1~deb10u5 and issued DLA-3683-1
  https://lists.debian.org/msgid-search/?m=zw5naj2p259dw...@debian.org

  * CVE-2023-47272: cross-site scripting (XSS) vulnerability via a Content-Type or Content-Disposition header (used for attachment preview or download). 1.3.x is no longer supported upstream and the code has changed quite a lot in 1.4.x, so I ended up backporting the entire download_headers() function.

spip
----

  Uploaded 3.2.4-1+deb10u12 and issued DLA-3691-1
  https://lists.debian.org/msgid-search/?m=zx-pl_ux-td7j...@debian.org

  Backported upstream security fixes from 4.1.10 and 4.1.11. No CVEs have been assigned for these vulnerabilities yet.

tinyxml
-------

  Uploaded 2.6.2-4+deb10u2 and issued DLA-3701-1
  https://lists.debian.org/msgid-search/?m=zzckmin1i4fhc...@debian.org

  * CVE-2023-34194: Reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace. tinyxml has been abandoned upstream so I wrote the patch myself. Fortunately in this case the fix turned out to be simple.
  * After looking at the researchers' report, I concluded that other CVEs (CVE-2023-40462 and CVE-2023-40458) were duplicates for another product *using* tinyxml.

  Also, uploaded 2.6.2-6.1 to sid after consultation with the maintainer, and submitted the patch to the Security Team for bullseye and bookworm which have the same upstream version 2.6.2.

libspreadsheet-parseexcel-perl
------------------------------

  Uploaded 0.6500-1+deb10u1 and issued DLA-3702-1
  https://lists.debian.org/msgid-search/?m=zzc_sl-wtc5dy...@debian.org

  * CVE-2023-7101: Improper sanitation of directives in dynamically evaluated code could lead to the execution of arbitrary code by using specially crafted Number format strings within XLS and XLSX files.

xerces-c
--------

  Uploaded 3.2.2+debian-1+deb10u2 and issued DLA-3704-1
  https://lists.debian.org/msgid-search/?m=zzfqal46y-a9u...@debian.org

  * CVE-2023-37536: Integer overflow via crafted .xsd files, which can lead to out-of-bounds access.
  * While reviewing the upstream history I discovered that CVE-2018-1311 was recently fixed upstream in 3.2.5, so replaced the previous mitigation patch (which introduced a memory leak) with that upstream vetted fix.

  Also, uploaded 3.2.4+debian-1.1 to sid after consultation with the maintainer, and submitted a debdiff (targeting bullseye) to the Security Team with the aforementioned fixes.

php-guzzlehttp-psr7
-------------------

  Uploaded 1.4.2-0.1+deb10u2 and issued DLA-3705-1
  https://lists.debian.org/msgid-search/?m=zzhwp6bkkp5nf...@debian.org

  * CVE-2023-29197: Improper header parsing which may lead to information disclosure or authorization bypass via crafted requests. (This is a follow-up to CVE-2022-24775 where the fix was incomplete.) Ended up backporting assertHeader() and its call sites, which had been omitted in 1.4.2-0.1+deb10u1.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.
[SECURITY] [DLA 3705-1] php-guzzlehttp-psr7 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3705-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
December 31, 2023                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : php-guzzlehttp-psr7
Version        : 1.4.2-0.1+deb10u2
CVE ID         : CVE-2023-29197
Debian Bug     : 1034581

It was discovered that php-guzzlehttp-psr7, a PSR-7 message implementation, performed improper header parsing, which may lead to information disclosure or authorization bypass. An attacker could sneak a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete.

For Debian 10 buster, these problems have been fixed in version 1.4.2-0.1+deb10u2.

We recommend that you upgrade your php-guzzlehttp-psr7 packages.

For the detailed security status of php-guzzlehttp-psr7 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-guzzlehttp-psr7

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
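The check the advisory above describes as missing, as an added example (my own code, not guzzle's assertHeader()): a header-name validator restricted to RFC 7230 token characters, and a header-value validator that refuses CR, LF and other control bytes. A bare \n is refused on its own, not only \r\n, for exactly the reason the advisory gives: a receiver that treats \n\n as the end of the header block would otherwise see injected headers. The function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 7230 tchar: the only bytes allowed in a header field name. */
static bool is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))
        return true;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/* A name is valid only if it is a non-empty run of tchars; that excludes
 * whitespace, ':' and every control byte, so "X-Evil\nInjected" fails. */
bool header_name_ok(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (!is_tchar(*p))
            return false;
    return true;
}

/* A value may contain visible bytes, spaces and tabs, and high bytes
 * (obs-text). CR, LF and NUL are refused outright; a lone LF counts too,
 * since "\n\n" terminates the header block on many servers. Other C0
 * controls and DEL are refused as well, and obs-fold is not accepted. */
bool header_value_ok(const char *value, size_t len)
{
    if (value == NULL)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '\r' || c == '\n' || c == '\0')
            return false;
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return false;
    }
    return true;
}

/* Validate one name/value pair before it is serialised into a request. */
bool header_ok(const char *name, const char *value)
{
    return header_name_ok(name) && value != NULL && header_value_ok(value, strlen(value));
}
```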
[SECURITY] [DLA 3704-1] xerces-c security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3704-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
December 31, 2023                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : xerces-c
Version        : 3.2.2+debian-1+deb10u2
CVE ID         : CVE-2018-1311 CVE-2023-37536
Debian Bug     : 947431

Even Rouault discovered that xerces-c, a validating XML parser library for C++, was vulnerable to integer overflow via crafted .xsd files, which can lead to out-of-bounds access.

In addition, this version replaces RedHat's patch for CVE-2018-1311 (which contained a memory leak) with the upstream fix from v3.2.5.

For Debian 10 buster, these problems have been fixed in version 3.2.2+debian-1+deb10u2.

We recommend that you upgrade your xerces-c packages.

For the detailed security status of xerces-c please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/xerces-c

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3702-1] libspreadsheet-parseexcel-perl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3702-1        debian-...@lists.debian.org
https://www.debian.org/lts/security/  Guilhem Moulin
December 31, 2023                     https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libspreadsheet-parseexcel-perl
Version        : 0.6500-1+deb10u1
CVE ID         : CVE-2023-7101
Debian Bug     : 1059450

Le Dinh Hai discovered that libspreadsheet-parseexcel-perl, a Perl module allowing information extraction from Excel spreadsheets, improperly sanitizes directives in dynamically evaluated code. Attackers can exploit this vulnerability by using specially crafted Number format strings within XLS and XLSX files, triggering the execution of arbitrary code during the parsing process.

For Debian 10 buster, this problem has been fixed in version 0.6500-1+deb10u1.

We recommend that you upgrade your libspreadsheet-parseexcel-perl packages.

For the detailed security status of libspreadsheet-parseexcel-perl please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libspreadsheet-parseexcel-perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3701-1] tinyxml security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3701-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 31, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : tinyxml
Version        : 2.6.2-4+deb10u2
CVE ID         : CVE-2023-34194 CVE-2023-40462
Debian Bug     : 1059315

A reachable assertion issue has been discovered in tinyxml, a C++ XML parsing library, which could lead to denial of service via a crafted XML document with a '\0' located after whitespace.

For Debian 10 buster, these problems have been fixed in version 2.6.2-4+deb10u2.

We recommend that you upgrade your tinyxml packages.

For the detailed security status of tinyxml please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tinyxml

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3691-1] spip security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3691-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 18, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : spip
Version        : 3.2.4-1+deb10u12

Multiple security issues were discovered in SPIP, a content management system, which could lead to denial of service or information disclosure.

For Debian 10 buster, this problem has been fixed in version 3.2.4-1+deb10u12.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/spip

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3683-1] roundcube security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3683-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 05, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : roundcube
Version        : 1.3.17+dfsg.1-1~deb10u5
CVE ID         : CVE-2023-47272
Debian Bug     : 1055421

Rene Rehme discovered a cross-site scripting (XSS) vulnerability in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which could allow a remote attacker to load arbitrary JavaScript code from attachment preview/download via crafted Content-Type and/or Content-Disposition values.

For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u5.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3682-1] ncurses security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3682-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 03, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ncurses
Version        : 6.1+20181013-2+deb10u5
CVE ID         : CVE-2021-39537 CVE-2023-29491
Debian Bug     : 1034372

Issues were found in ncurses, a collection of shared libraries for terminal handling, which could lead to denial of service.

CVE-2021-39537

    It has been discovered that the tic(1) utility is susceptible to a heap overflow on crafted input due to improper bounds checking.

CVE-2023-29491

    Jonathan Bar Or, Michael Pearse and Emanuele Cozzi have discovered that when ncurses is used by a setuid application, a local user can trigger security-relevant memory corruption via malformed data in a terminfo database file found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variables.

    In order to mitigate this issue, ncurses now further restricts programs running with elevated privileges (setuid/setgid programs). Programs run by the superuser remain able to load custom terminfo entries. This change aligns ncurses' behavior in buster-security with that of Debian Bullseye's latest point release (6.2+20201114-2+deb11u2).

For Debian 10 buster, these problems have been fixed in version 6.1+20181013-2+deb10u5.

We recommend that you upgrade your ncurses packages.

For the detailed security status of ncurses please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ncurses

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
Re: [SECURITY] [DLA 3676-1] horizon security update
On Thu, 30 Nov 2023 at 19:47:42 -0500, Roberto C. Sánchez wrote:
> Yes, I would recommend two things.

Done, thanks Roberto!

--
Guilhem.
Re: [SECURITY] [DLA 3676-1] horizon security update - INCORRECT DLA ID
On Thu, 30 Nov 2023 at 23:59:28 +0100, Guilhem Moulin wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3676-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Guilhem Moulin
> November 30, 2023                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------

The DLA reference ID in this announcement was incorrect. The correct reference ID is DLA-3678-1. A new announcement has been sent under the correct reference ID [0].

Apologies for the inconvenience.

--
Guilhem.

[0] The correct announcement can be found under msgid=, or online at
    https://lists.debian.org/msgid-search/zwkvn7wyzjvz2...@debian.org .
[SECURITY] [DLA 3678-1] horizon security update - CORRECTED ANNOUNCEMENT
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3678-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 30, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : horizon
Version        : 3:14.0.2-3+deb10u3
CVE ID         : CVE-2022-45582

[ NB: The original message sent included the wrong DLA reference ID. This message corrects the reference ID in the subject line. Everything else about the content of the former message, including the CVE identified as fixed and the version of the package in which it is fixed, remains the same. ]

Phan Nguyên Long discovered an Open Redirect vulnerability in horizon, a web application to control an OpenStack cloud, which could lead to phishing.

For Debian 10 buster, this problem has been fixed in version 3:14.0.2-3+deb10u3.

We recommend that you upgrade your horizon packages.

For the detailed security status of horizon please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/horizon

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
Debian LTS report for November 2023
During the month of November 2023 and on behalf of Freexian, I worked on the following:

opensc
------

Uploaded 0.19.0-1+deb10u3 and issued DLA-3668-1
https://lists.debian.org/msgid-search/?m=zwpsqzcsk_2as...@debian.org

 * CVE-2023-40660: Potential PIN bypass. The bypass was removed and explicit logout for most of the card drivers backported in order to prevent leaving unattended logged-in tokens.
 * CVE-2023-40661: Various security-related oss-fuzz issues, such as stack or heap buffer overflow.
 * Triage CVE-2023-4535.
 * Given many upstream commits did not apply cleanly, and touch several drivers for card readers I don't have access to, I spent some time testing the build against virtual card readers.

cryptojs
--------

Uploaded 3.1.2+dfsg-2+deb10u1 and issued DLA-3669-1
https://lists.debian.org/msgid-search/?m=zwtl8rkvosqzp...@debian.org

 * CVE-2023-46233: Weak default PBKDF2 settings. Default settings are now changed to use SHA256 with 250k iterations, in accordance with OWASP's current recommendations and newer Debian suites.

mediawiki
---------

Uploaded 1:1.31.16-1+deb10u7 and issued DLA-3671-1
https://lists.debian.org/msgid-search/?m=zwxtc1xr4p2y-...@debian.org

 * CVE-2023-45362: diff-multi-sameuser (“X intermediate revisions by the same user not shown”) ignores username suppression, which can lead to information leak. Backporting the fix for 1.31 involved backporting multiple methods and functions from newer releases, as well as namespace tweaks for the revision store and records.
 * CVE-2023-3550 and CVE-2023-45363 are included in the DLA but were worked on during October. However, proper testing for these was done during November.
 * Spent some time trying to write a custom patch for CVE-2023-45360 (upstream extends $wgRawHtmlMessages for all supported branches, however that was added in 1.32), only to later realize that sysops can edit sitewide JS already, so that CVE is moot for <1.32. Ended up reverting the fix and marking the CVE .

horizon
-------

Uploaded 3:14.0.2-3+deb10u3 and issued DLA-3678-1
https://lists.debian.org/msgid-search/?m=zwkt0l4-ocq_y...@debian.org

 * CVE-2022-45582: Open Redirect vulnerability in Horizon Web Dashboard via the ‘success_url’ parameter.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.
Re: [SECURITY] [DLA 3676-1] horizon security update
On Thu, 30 Nov 2023 at 23:59:28 +0100, Guilhem Moulin wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3676-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Guilhem Moulin
> November 30, 2023                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------

Crap, that should have been DLA-3678-1… Should I resend a new mail with the correct ID?

--
Guilhem.
[SECURITY] [DLA 3676-1] horizon security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3676-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 30, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : horizon
Version        : 3:14.0.2-3+deb10u3
CVE ID         : CVE-2022-45582

Phan Nguyên Long discovered an Open Redirect vulnerability in horizon, a web application to control an OpenStack cloud, which could lead to phishing.

For Debian 10 buster, this problem has been fixed in version 3:14.0.2-3+deb10u3.

We recommend that you upgrade your horizon packages.

For the detailed security status of horizon please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/horizon

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3671-1] mediawiki security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3671-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 28, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.31.16-1+deb10u7
CVE ID         : CVE-2023-3550 CVE-2023-45362 CVE-2023-45363

Multiple vulnerabilities were found in mediawiki, a website engine for collaborative work, that could lead to information disclosure, privilege escalation, or denial of service.

CVE-2023-3550

    Carlos Bello reported a stored cross-site scripting (XSS) vulnerability when uploading a crafted XML file to Special:Upload, which can lead to privilege escalation. (However, .xml file uploads are not allowed in the default configuration.)

CVE-2023-45362

    Tobias Frei discovered that diff-multi-sameuser (“X intermediate revisions by the same user not shown”) ignores username suppression, which can lead to information leak.

CVE-2023-45363

    It was discovered that querying pages redirected to other variants with `redirects` and `converttitles` parameters set would cause a denial of service (unbounded loop and RequestTimeoutException).

For Debian 10 buster, these problems have been fixed in version 1:1.31.16-1+deb10u7.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3669-1] cryptojs security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3669-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 27, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : cryptojs
Version        : 3.1.2+dfsg-2+deb10u1
CVE ID         : CVE-2023-46233
Debian Bug     : 1055525

Thomas Neil James Shadwell reported that cryptojs, a collection of cryptographic algorithms implemented in JavaScript, had default PBKDF2 settings 1000 times weaker than when specified back in 1993, and 1.3M times weaker than OWASP's current recommendations. The default settings are now changed to use SHA256 with 250k iterations.

For Debian 10 buster, this problem has been fixed in version 3.1.2+dfsg-2+deb10u1.

We recommend that you upgrade your cryptojs packages.

For the detailed security status of cryptojs please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/cryptojs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3668-1] opensc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3668-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
November 27, 2023                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : opensc
Version        : 0.19.0-1+deb10u3
CVE ID         : CVE-2023-40660 CVE-2023-40661
Debian Bug     : 1055521 1055522

Vulnerabilities were found in opensc, a set of libraries and utilities to access smart cards, which could lead to application crash or PIN bypass.

CVE-2023-40660

    When the token/card was plugged into the computer and authenticated from one process, it could be used to provide cryptographic operations from a different process when the PIN is empty (zero-length) and the token can track the login status using some of its internals. This is dangerous for OS logon/screen unlock and for small tokens that are plugged permanently into the computer. The bypass was removed and explicit logout implemented for most of the card drivers to prevent leaving unattended logged-in tokens.

CVE-2023-40661

    This advisory summarizes automatically reported issues from dynamic analyzer reports in pkcs15-init that are security relevant.

    * stack buffer overflow in sc_pkcs15_get_lastupdate() in pkcs15init;
    * heap buffer overflow in setcos_create_key() in pkcs15init;
    * heap buffer overflow in cosm_new_file() in pkcs15init;
    * stack buffer overflow in cflex_delete_file() in pkcs15init;
    * heap buffer overflow in sc_hsm_write_ef() in pkcs15init;
    * stack buffer overflow while parsing pkcs15 profile files;
    * stack buffer overflow in muscle driver in pkcs15init; and
    * stack buffer overflow in cardos driver in pkcs15init.

    All of these require physical access to the computer at the time the user or administrator would be enrolling the cards (generating keys and loading certificates, or other card/token management operations). The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs, so they are considered high-complexity and low-severity.

    This issue is not exploitable just by using a PKCS#11 module as done in most of the end-user deployments.

For Debian 10 buster, these problems have been fixed in version 0.19.0-1+deb10u3.

We recommend that you upgrade your opensc packages.

For the detailed security status of opensc please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/opensc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
Re: MediaWiki on buster
Hi,

On Sat, 18 Nov 2023 at 03:39:33 -0500, Chris Frey wrote:
> I noticed that MediaWiki has suffered from the following CVE's for
> a while:
>
> CVE-2023-45363
> CVE-2023-45362
> CVE-2023-45360
>
> Is the work-in-progress available via git somewhere?

Fixed CVE-2023-3550 and -45363, and am working on backports for -45362 and -45360.

--
Guilhem.
Debian LTS report for October 2023
During the month of October 2023 and on behalf of Freexian, I worked on the following:

python-urllib3
--------------

Uploaded 1.24.1-1+deb10u1 and issued DLA-3610-1
https://lists.debian.org/msgid-search/?m=zsknlpfmnhu4q...@debian.org

 * CVE-2018-25091: The fix for CVE-2018-20060 did not cover non-titlecase request headers; for instance ‘authorization’ request headers were not removed during cross-origin redirects. I discovered that the buster version was vulnerable to this issue while backporting the upstream fix for CVE-2023-43804, and requested a CVE ID for it.
 * CVE-2019-11236: Header injection vulnerability via CR/LF character injections.
 * CVE-2019-11324: System CA certificates were loaded into the SSLContext by default in addition to any manually-specified CA certificates.
 * CVE-2020-26137: CRLF injection vulnerability via putrequest().
 * CVE-2023-43804: Cookie request headers weren't stripped during cross-origin redirects.
 * Fix upstream tests so they work with buster's older pytest. (These tests are neither run at build time nor via autopkgtests though.)

inetutils
---------

Uploaded 2:1.9.4-7+deb10u3 and issued DLA-3611-1
https://lists.debian.org/msgid-search/?m=zskpoz03b-fjt...@debian.org

 * CVE-2019-0053: Insufficient environment variable validation in the telnet client. Fix incomplete patch for this vulnerability, which unlike specified 2:1.9.4-7+deb10u2 was still vulnerable to.
 * CVE-2023-40303: Unchecked return values for set*uid().

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u4 and issued DLA-3630-1
https://lists.debian.org/msgid-search/?m=ztg8mxxunj7fi...@debian.org

 * CVE-2023-5631: Stored XSS via an HTML e-mail with a crafted SVG document.

mediawiki
---------

Work in progress; did not upload yet, but worked on fixing the following issues:

 * CVE-2023-3550: Namespaces used in XML files are not properly validated.
 * CVE-2023-45363: Denial of Service when querying pages redirected to other variants with redirects and ‘converttitles’ set.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.
[SECURITY] [DLA 3630-1] roundcube security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3630-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 24, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : roundcube
Version        : 1.3.17+dfsg.1-1~deb10u4
CVE ID         : CVE-2023-5631
Debian Bug     : 1054079

Denys Klymenko discovered a cross-site scripting (XSS) vulnerability in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which could allow a remote attacker to load arbitrary JavaScript code via a malicious text/html e-mail message with a crafted SVG document.

For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u4.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3611-1] inetutils security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3611-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 08, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : inetutils
Version        : 2:1.9.4-7+deb10u3
CVE ID         : CVE-2019-0053 CVE-2023-40303
Debian Bug     : 945861 1049365

Security issues were discovered in inetutils, a collection of GNU network utilities, which could lead to privilege escalation or potentially execution of arbitrary code.

CVE-2019-0053

    Thorsten Alteholz discovered that CVE-2019-0053 was patched incorrectly in inetutils 2:1.9.4-7+deb10u3. The original vulnerability remained: inetutils' telnet client doesn't sufficiently validate environment variables, which can lead to stack-based buffer overflows. (This issue is limited to local exploitation from restricted shells.)

CVE-2023-40303

    Jeffrey Bencteux discovered that several setuid(), setgid(), seteuid() and setguid() return values were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code, which may lead to privilege escalation.

For Debian 10 buster, these problems have been fixed in version 2:1.9.4-7+deb10u3.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3610-1] python-urllib3 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3610-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
October 08, 2023                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-urllib3
Version        : 1.24.1-1+deb10u1
CVE ID         : CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804
Debian Bug     : 927172 927412 1053626

Security vulnerabilities were found in python-urllib3, an HTTP library with thread-safe connection pooling for Python, which could lead to information disclosure or authorization bypass.

CVE-2019-11236

    Hanno Böck discovered that an attacker controlling the request parameter can inject headers by injecting CR/LF characters. The issue is similar to CPython's CVE-2019-9740.

CVE-2019-11324

    Christian Heimes discovered that when verifying HTTPS connections upon passing an SSLContext to urllib3, system CA certificates are loaded into the SSLContext by default in addition to any manually-specified CA certificates. This causes TLS handshakes that should fail given only the manually specified certs to succeed based on system CA certs.

CVE-2020-26137

    It was discovered that CRLF injection was possible if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). The issue is similar to urllib's CVE-2020-26116.

CVE-2023-43804

    It was discovered that the Cookie request header isn't stripped during cross-origin redirects. It is therefore possible for a user specifying a Cookie header to unknowingly leak information via HTTP redirects to a different origin (unless the user disables redirects explicitly). The issue is similar to CVE-2018-20060, but for the Cookie request header rather than Authorization.

    Moreover, “authorization” request headers were not removed when redirecting cross-site. Per RFC 7230 sec. 3.2, header fields are to be treated case-insensitively.

For Debian 10 buster, these problems have been fixed in version 1.24.1-1+deb10u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
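The cross-origin redirect issue above (CVE-2023-43804, and the case-sensitivity gap noted for “authorization”) comes down to two checks a client has to get right: deciding whether the redirect target is a different origin, and matching credential-bearing header names case-insensitively. The following is an added illustration, not urllib3's own code; the URLs and header values are constructed, and the first function deliberately reproduces the incomplete, titlecase-only match so the leak is visible next to the fixed version.

```python
"""Added example (not urllib3 code): dropping credential-bearing request
headers on cross-origin redirects, comparing an incomplete case-sensitive
match with a case-insensitive one (RFC 7230 sec. 3.2)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Headers that must never be forwarded to a different origin.
SENSITIVE_HEADERS = ("Authorization", "Cookie")


def origin(url):
    """Return the (scheme, host, port) triple, filling in the default port
    so 'https://h/' and 'https://h:443/' compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(from_url, to_url):
    """True when any of scheme, host or port differs between the two URLs."""
    return origin(from_url) != origin(to_url)


def strip_titlecase_only(headers, from_url, to_url):
    """Incomplete fix: only the exact spellings in SENSITIVE_HEADERS are
    removed, so 'authorization' or 'COOKIE' still follow the redirect.
    This reproduces the gap described in the advisory."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k not in SENSITIVE_HEADERS}


def strip_case_insensitive(headers, from_url, to_url):
    """Hardened version: header field names are case-insensitive, so the
    comparison is done on the lower-cased name."""
    if not is_cross_origin(from_url, to_url):
        return dict(headers)
    blocked = {name.lower() for name in SENSITIVE_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in blocked}


# Constructed sample: a client that sent credentials to one host and is
# redirected to another. The token and cookie values are placeholders.
SAMPLE_HEADERS = {
    "authorization": "Bearer constructed-token",
    "COOKIE": "session=constructed",
    "Accept": "application/json",
}
FROM_URL = "https://app.example/login"
TO_URL = "https://cdn.example/landing"


if __name__ == "__main__":
    print("cross-origin:", is_cross_origin(FROM_URL, TO_URL))
    print("titlecase-only keeps:", strip_titlecase_only(SAMPLE_HEADERS, FROM_URL, TO_URL))
    print("case-insensitive keeps:", strip_case_insensitive(SAMPLE_HEADERS, FROM_URL, TO_URL))
```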
Debian LTS report for September 2023
During the month of September 2023 and on behalf of Freexian, I worked on the following:

php7.3
------

Uploaded 7.3.31-1~deb10u5 and issued DLA-3555-1
https://lists.debian.org/msgid-search/?m=zpexm9jokfktz...@debian.org

 * CVE-2023-3823: Security issue with external entity loading in XML without enabling it.
 * CVE-2023-3824: Buffer overflow and overread in phar_dir_read().

libssh2
-------

Uploaded 1.8.0-2.1+deb10u1 and issued DLA-3559-1
https://lists.debian.org/msgid-search/?m=zpseujskgunci...@debian.org

 * CVE-2019-17498: Integer overflow in a bounds check. Backported the patch from SUSE, which includes the struct string_buf overhaul.
 * CVE-2019-13115: Integer overflow vulnerability in kex.c's kex_method_diffie_hellman_group_exchange_sha256_key_exchange() function. One could at first think that the issue was fixed in SUSE's patch for CVE-2019-17498 since it embeds the bound check, but it's not the case; backported _libssh2_get_bignum_bytes() and kex_method_diffie_hellman_group_exchange_*_key_exchange() for proper bound checking in _libssh2_check_length().
 * CVE-2020-22218: Out of bounds memory access.

libraw
------

Uploaded 0.19.2-2+deb10u4 and issued DLA-3560-1
https://lists.debian.org/msgid-search/?m=zp3qgqfn5e7m0...@debian.org

 * CVE-2020-22628: Buffer Overflow vulnerability in LibRaw::stretch().

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u3 and issued DLA-3577-1
https://lists.debian.org/msgid-search/?m=zq15lnmgs-tf4...@debian.org

 * CVE-2023-43770: Cross-site scripting vulnerability via malicious link references in plain/text messages.

python-git
----------

Uploaded 2.1.11-1+deb10u2 and issued DLA-3589-1
https://lists.debian.org/msgid-search/?m=zrcsjljpf4h6-...@debian.org

 * CVE-2023-41040: Blind local file inclusion. Backported upstream patch and added python2 compatibility.

python-reportlab
----------------

Uploaded 3.5.13-1+deb10u2 and issued DLA-3590-1
https://lists.debian.org/msgid-search/?m=zrcsln499vtlq...@debian.org

 * CVE-2019-19450: Code injection in paraparser.py allows code execution.
 * CVE-2020-28463: Server-side Request Forgery (SSRF) via tags.

pandoc
------

2.9.2.1-1+deb11u1 and 2.17.1.1-2~deb12u1 were respectively confirmed and uploaded to bullseye- and bookworm-pu. See DLA-3507-1 for details
https://lists.debian.org/msgid-search/?m=zmaecno5w6pxb%2...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.
[SECURITY] [DLA 3590-1] python-reportlab security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3590-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 29, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-reportlab
Version        : 3.5.13-1+deb10u2
CVE ID         : CVE-2019-19450 CVE-2020-28463

Security issues were discovered in python-reportlab, a Python library for generating PDFs and graphics, which could lead to remote code execution or authorization bypass.

CVE-2019-19450

    Ravi Prakash Giri discovered a remote code execution vulnerability via crafted XML document where ‘

For the detailed security status of python-reportlab please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-reportlab

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3589-1] python-git security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3589-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 29, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : python-git
Version        : 2.1.11-1+deb10u2
CVE ID         : CVE-2023-41040

Santos Gallegos discovered a blind local file inclusion in python-git, a Python library to interact with Git repositories, which could lead to denial of service or potentially information disclosure. In order to resolve some git references, python-git reads files from the ".git" directory but, due to an improper location check, an attacker can pass a file located outside this directory, thereby making python-git read an arbitrary file on the system. It remains unclear whether the attacker can gain access to the actual file content, but denial of service can be achieved by passing a large or infinite file such as /dev/random.

For Debian 10 buster, this problem has been fixed in version 2.1.11-1+deb10u2.

We recommend that you upgrade your python-git packages.

For the detailed security status of python-git please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/python-git

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
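The "improper location check" in the python-git advisory is the classic path-containment problem: a reference name is joined onto the .git directory and opened without confirming that the resulting path still lies inside it, so an absolute name or one with ".." components escapes. The following is an added example and not python-git's own code; it builds a throwaway repository layout with constructed contents, resolves the ref path with realpath before a commonpath check, and caps the read size so an endless file such as /dev/random cannot stall the reader.

```python
"""Added example (not python-git code): only read a Git reference file
when it really lives inside the repository's .git directory, and bound the
read so an oversized or endless file cannot hang the caller."""
import os
import tempfile


class RefOutsideGitDir(ValueError):
    """Raised when a ref name resolves to a path outside the .git directory."""


def resolve_ref_path(git_dir, ref_name):
    """Map a ref name such as 'refs/heads/main' to a file under git_dir.

    os.path.join discards git_dir entirely when ref_name is absolute, and
    '..' or symlinks can step out of it; realpath collapses both before the
    containment check, which uses commonpath rather than a string prefix so
    that '/repo/.gitx' is not mistaken for '/repo/.git'."""
    git_root = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(git_root, ref_name))
    if os.path.commonpath([git_root, candidate]) != git_root:
        raise RefOutsideGitDir(ref_name)
    return candidate


def is_inside_git_dir(git_dir, ref_name):
    """Boolean wrapper around resolve_ref_path for callers that only want
    an accept/reject answer."""
    try:
        resolve_ref_path(git_dir, ref_name)
    except RefOutsideGitDir:
        return False
    return True


def read_ref(git_dir, ref_name, max_bytes=4096):
    """Read and return the ref file's content, rejecting files larger than
    max_bytes so a huge or infinite file yields an error, not a hang."""
    path = resolve_ref_path(git_dir, ref_name)
    with open(path, "rb") as fh:
        data = fh.read(max_bytes + 1)  # one extra byte detects overflow
    if len(data) > max_bytes:
        raise ValueError("ref file too large: %s" % ref_name)
    return data.strip().decode("ascii")


def make_sample_repo():
    """Constructed layout: a .git with one ref and a file next to it that a
    ref name must not be able to reach. The object id is a placeholder."""
    tmp = tempfile.mkdtemp()
    git_dir = os.path.join(tmp, ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
        fh.write("0123456789abcdef0123456789abcdef01234567\n")
    with open(os.path.join(tmp, "outside.txt"), "w") as fh:
        fh.write("not a ref\n")
    return git_dir


if __name__ == "__main__":
    repo = make_sample_repo()
    print("main ->", read_ref(repo, "refs/heads/main"))
    for name in ("../outside.txt", "/dev/random", "refs/../../outside.txt"):
        print(name, "accepted" if is_inside_git_dir(repo, name) else "rejected")
```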
[SECURITY] [DLA 3577-1] roundcube security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3577-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 22, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : roundcube
Version        : 1.3.17+dfsg.1-1~deb10u3
CVE ID         : CVE-2023-43770
Debian Bug     : 1052059

Niraj Shivtarka discovered a cross-site scripting (XSS) vulnerability in Roundcube, a skinnable AJAX based webmail solution for IMAP servers, which could lead to information disclosure via malicious link references in plain/text messages.

For Debian 10 buster, this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u3.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/roundcube

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3560-1] libraw security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3560-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 10, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libraw
Version        : 0.19.2-2+deb10u4
CVE ID         : CVE-2020-22628

A Buffer Overflow vulnerability was found in the LibRaw::stretch() function, which could lead to denial of service or information disclosure when parsing a malicious CRW file.

For Debian 10 buster, this problem has been fixed in version 0.19.2-2+deb10u4.

We recommend that you upgrade your libraw packages.

For the detailed security status of libraw please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libraw

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3559-1] libssh2 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3559-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
September 08, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libssh2
Version        : 1.8.0-2.1+deb10u1
CVE ID         : CVE-2019-13115 CVE-2019-17498 CVE-2020-22218
Debian Bug     : 932329 943562

Vulnerabilities were found in libssh2, a client-side C library implementing the SSH2 protocol, which could lead to denial of service or remote information disclosure.

CVE-2019-13115

    Kevin Backhouse discovered an integer overflow vulnerability in kex.c's kex_method_diffie_hellman_group_exchange_sha256_key_exchange() function, which could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises an SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVE-2019-17498

    Kevin Backhouse discovered that the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, thereby enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A malicious SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.

CVE-2020-22218

    An issue was discovered in function _libssh2_packet_add(), which could allow attackers to access out of bounds memory.

For Debian 10 buster, these problems have been fixed in version 1.8.0-2.1+deb10u1.

We recommend that you upgrade your libssh2 packages.

For the detailed security status of libssh2 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libssh2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 3555-1] php7.3 security update
Debian LTS Advisory DLA-3555-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
September 05, 2023    https://wiki.debian.org/LTS

Package : php7.3
Version : 7.3.31-1~deb10u5
CVE ID  : CVE-2023-3823 CVE-2023-3824

Security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure, denial of service or potentially remote code execution.

CVE-2023-3823

    Various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded. This state is assumed to be unchanged unless the user explicitly changes it by calling the appropriate function. Joas Schilling and Baptista Katapi discovered that, since the state is process-global, other modules — such as ImageMagick — may also use this library within the same process and change that global state for their internal purposes, and leave it in a state where external entity loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.

CVE-2023-3824

    Niels Dossche discovered that when loading a Phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.

For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u5.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for August 2023
During the month of August 2023 and on behalf of Freexian, I worked on the following:

* DLA-3515-1 for cjose=0.6.1+dfsg1-1+deb10u1 [CVE-2023-37464]
  https://lists.debian.org/msgid-search/?m=zmzs4jlh%2bwykb...@debian.org
* DLA-3551-1 for otrs2=6.0.16-2+deb10u1 [CVE-2019-11358, CVE-2019-12248, CVE-2019-12497, CVE-2019-12746, CVE-2019-13458, CVE-2019-16375, CVE-2019-18179, CVE-2019-18180, CVE-2020-1765, CVE-2020-1766, CVE-2020-1767, CVE-2020-1769, CVE-2020-1770, CVE-2020-1771, CVE-2020-1772, CVE-2020-1773, CVE-2020-1774, CVE-2020-1776, CVE-2020-11022, CVE-2020-11023, CVE-2021-21252, CVE-2021-21439, CVE-2021-21440, CVE-2021-21441, CVE-2021-21443, CVE-2021-36091, CVE-2021-36100, CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-4427 and CVE-2023-38060]
  https://lists.debian.org/msgid-search/?m=ZO/cyvbrobj6%2b...@debian.org
* nodejs: Triage CVE-2023-30581, CVE-2023-30588, CVE-2023-30589, CVE-2023-32002, CVE-2023-32006 and CVE-2023-32559. Fix CVE-2023-30590 in git but defer the upload to a later point (that CVE alone doesn't warrant a DLA).

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3551-1] otrs2 security update
Debian LTS Advisory DLA-3551-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
August 31, 2023    https://wiki.debian.org/LTS

Package    : otrs2
Version    : 6.0.16-2+deb10u1
CVE ID     : CVE-2019-11358 CVE-2019-12248 CVE-2019-12497 CVE-2019-12746 CVE-2019-13458 CVE-2019-16375 CVE-2019-18179 CVE-2019-18180 CVE-2020-1765 CVE-2020-1766 CVE-2020-1767 CVE-2020-1769 CVE-2020-1770 CVE-2020-1771 CVE-2020-1772 CVE-2020-1773 CVE-2020-1774 CVE-2020-1776 CVE-2020-11022 CVE-2020-11023 CVE-2021-21252 CVE-2021-21439 CVE-2021-21440 CVE-2021-21441 CVE-2021-21443 CVE-2021-36091 CVE-2021-36100 CVE-2021-41182 CVE-2021-41183 CVE-2021-41184 CVE-2022-4427 CVE-2023-38060
Debian Bug : 945251 959448 980891 989992 991593

Multiple vulnerabilities were found in otrs2, the Open-Source Ticket Request System, which could lead to impersonation, denial of service, information disclosure, or execution of arbitrary code.

CVE-2019-11358

    A Prototype Pollution vulnerability was discovered in OTRS' embedded jQuery 3.2.1 copy, which could allow sending drafted messages as the wrong agent. This vulnerability is also known as OSA-2020-05.

CVE-2019-12248

    Matthias Terlinde discovered that when an attacker sends a malicious email to an OTRS system and a logged in agent user later quotes it, the email could cause the browser to load external image resources. A new configuration setting ‘Ticket::Frontend::BlockLoadingRemoteContent’ has been added as part of the fix. It controls whether external content should be loaded, and it is disabled by default. This vulnerability is also known as OSA-2019-08.

CVE-2019-12497

    Jens Meister discovered that in the customer or external frontend, personal information of agents, like name and mail address in external notes, could be disclosed. A new configuration setting ‘Ticket::Frontend::CustomerTicketZoom###DisplayNoteFrom’ has been added as part of the fix. It controls whether agent information should be displayed in the external note sender field, or be substituted with a different generic name. Another option named ‘Ticket::Frontend::CustomerTicketZoom###DefaultAgentName’ can then be used to define the generic agent name used in the latter case. By default, the previous behavior is preserved, in which agent information is divulged in the external note From field, for the sake of backwards compatibility. This vulnerability is also known as OSA-2019-09.

CVE-2019-12746

    A user logged into OTRS as an agent might unknowingly disclose their session ID by sharing the link of an embedded ticket article with third parties. This identifier can then potentially be abused in order to impersonate the agent user. This vulnerability is also known as OSA-2019-10.

CVE-2019-13458

    An attacker who is logged into OTRS as an agent user with appropriate permissions can leverage OTRS tags in templates in order to disclose hashed user passwords. This vulnerability is also known as OSA-2019-12.

CVE-2019-16375

    An attacker who is logged into OTRS as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious JavaScript code as an article body. This malicious code is executed when an agent composes an answer to the original article. This vulnerability is also known as OSA-2019-13.

CVE-2019-18179

    An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents which are in a queue where the attacker doesn't have permissions. This vulnerability is also known as OSA-2019-14.

CVE-2019-18180

    OTRS can be put into an endless loop by providing filenames with overly long extensions. This applies to the PostMaster (sending in email) and also upload (attaching files to mails, for example). This vulnerability is also known as OSA-2019-15.

CVE-2020-1765

    Sebastian Renker and Jonas Becker discovered an improper control of parameters, which allows the spoofing of the From fields in several screens, namely AgentTicketCompose, AgentTicketForward, AgentTicketBounce and AgentTicketEmailOutbound. This vulnerability is also known as OSA-2020-01.

CVE-2020-1766

    Anton Astaf'ev discovered that due to improper handling of uploaded images, it is possible — in very unlikely and rare conditions — to force the agent's browser to execute malicious JavaScript from a specially crafted SVG file rendered as an inline jpg file. This vulnerability is also known as OSA-2020-02.

CVE-2020
[SECURITY] [DLA 3515-1] cjose security update
Debian LTS Advisory DLA-3515-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
August 04, 2023    https://wiki.debian.org/LTS

Package    : cjose
Version    : 0.6.1+dfsg1-1+deb10u1
CVE ID     : CVE-2023-37464
Debian Bug : 1041423

An incorrect Authentication Tag length usage was discovered in cjose, a C library implementing the Javascript Object Signing and Encryption (JOSE) standard, which could lead to integrity compromise. The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag as provided in the JSON Web Encryption (JWE) object, while the specification says that a fixed length of 16 octets must be applied. This could allow an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly.

For Debian 10 buster, this problem has been fixed in version 0.6.1+dfsg1-1+deb10u1.

We recommend that you upgrade your cjose packages.

For the detailed security status of cjose please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cjose

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
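The tag-length check the advisory describes, as an added example that is not cjose's code: a JWE compact serialization is parsed and the Authentication Tag length is taken from the `enc` algorithm (16 octets for the AES-GCM variants per RFC 7518) rather than from the object. The token builder and all byte values are constructed for the demonstration and are not cryptographically valid.

```python
# Added example, not cjose's code: reject a JWE whose Authentication Tag
# does not have the length fixed by the algorithm, before any decryption.
# RFC 7518 section 5.3 fixes the tag for A128GCM/A192GCM/A256GCM at 128 bits
# (16 octets) and the IV at 96 bits, so both are constants of the algorithm
# and must never be read from the object (the CVE-2023-37464 mistake).
import base64
import json

GCM_TAG_LEN = 16  # octets, RFC 7518 section 5.3
GCM_IV_LEN = 12   # octets, RFC 7518 section 5.3
GCM_ENCS = ("A128GCM", "A192GCM", "A256GCM")


def b64url_decode(text: str) -> bytes:
    raw = text.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_compact_jwe(token: str) -> dict:
    """Split the five-part compact serialization; nothing is verified here."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have exactly 5 parts")
    hdr, ek, iv, ct, tag = parts
    return {
        "header": json.loads(b64url_decode(hdr)),
        "aad": hdr.encode("ascii"),  # AAD is the protected header as transmitted
        "encrypted_key": b64url_decode(ek),
        "iv": b64url_decode(iv),
        "ciphertext": b64url_decode(ct),
        "tag": b64url_decode(tag),
    }


def tag_len_from_object(jwe: dict) -> int:
    """The behaviour the advisory describes: trust whatever length arrived.
    A decryptor fed this value verifies only len(tag) octets, so a 1-octet
    tag turns a 2^-128 forgery chance into 2^-8."""
    return len(jwe["tag"])


def tag_len_from_algorithm(jwe: dict) -> int:
    """Fixed behaviour: the length is dictated by 'enc'; a mismatch is
    rejected before the key or ciphertext is touched."""
    enc = jwe["header"].get("enc")
    if enc not in GCM_ENCS:
        raise ValueError(f"unsupported enc {enc!r}")
    if len(jwe["iv"]) != GCM_IV_LEN:
        raise ValueError(f"IV must be {GCM_IV_LEN} octets, got {len(jwe['iv'])}")
    if len(jwe["tag"]) != GCM_TAG_LEN:
        raise ValueError(f"tag must be {GCM_TAG_LEN} octets, got {len(jwe['tag'])}")
    return GCM_TAG_LEN


def make_token(enc: str, tag: bytes) -> str:
    """Constructed test token: direct key agreement (empty encrypted key),
    dummy IV and ciphertext, caller-supplied tag bytes."""
    header = b64url_encode(json.dumps({"alg": "dir", "enc": enc}).encode())
    return ".".join([header, "", b64url_encode(b"\x00" * GCM_IV_LEN),
                     b64url_encode(b"\x11" * 32), b64url_encode(tag)])


def accepts_tag_length(token: str, check) -> bool:
    """True if `check` lets the token through to decryption."""
    try:
        check(parse_compact_jwe(token))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = make_token("A256GCM", b"\x22" * 16)
    truncated = make_token("A256GCM", b"\x22")
    print("16-octet tag, fixed check:", accepts_tag_length(good, tag_len_from_algorithm))
    print("1-octet tag, object-derived length:", accepts_tag_length(truncated, tag_len_from_object))
    print("1-octet tag, fixed check:", accepts_tag_length(truncated, tag_len_from_algorithm))
```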
Debian LTS report for July 2023
During the month of July 2023 and on behalf of Freexian, I worked on the following:

* DLA-3488-1 for node-tough-cookie=2.3.4+dfsg-1+deb10u1 [CVE-2023-26136]
  https://lists.debian.org/msgid-search/?m=zkxrmnkoiqoif...@debian.org
* DLA-3493-1 for symfony=3.4.22+dfsg-2+deb10u2 [CVE-2021-21424, CVE-2022-24894 and CVE-2022-24895]
  https://lists.debian.org/msgid-search/?m=zk3jf8mjqvymd...@debian.org
* DLA-3496-1 for lemonldap-ng=2.0.2+ds-7+deb10u9 [CVE-2023-28862 and fix incorrect backport for CVE-2021-20874]
  https://lists.debian.org/msgid-search/?m=zlemv3qczpjl9...@debian.org
* DLA-3499-1 for libapache2-mod-auth-openidc=2.3.10.2-1+deb10u3 [CVE-2021-39191 and CVE-2022-23527]
  https://lists.debian.org/msgid-search/?m=zlcxcsyvnie6p...@debian.org
* DLA-3507-1 for pandoc=2.2.1-3+deb10u1 [CVE-2023-35936 and CVE-2023-38745, plus responsible disclosure for the latter]
  https://lists.debian.org/msgid-search/?m=zmaecno5w6pxb%2...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3507-1] pandoc security update
Debian LTS Advisory DLA-3507-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
July 25, 2023    https://wiki.debian.org/LTS

Package    : pandoc
Version    : 2.2.1-3+deb10u1
CVE ID     : CVE-2023-35936 CVE-2023-38745
Debian Bug : 1041976

Arbitrary file write vulnerabilities were discovered in pandoc, a Haskell library and CLI tool for converting from one markup format to another. These vulnerabilities can be triggered by providing a specially crafted image element in the input when generating files using the `--extract-media` option or outputting to PDF format, and allow an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc).

CVE-2023-35936

    Entroy C discovered that by appending percent-encoded directory components to the end of a malicious data: URI, an attacker could trick pandoc into creating or overwriting arbitrary files on the system.

CVE-2023-38745

    I discovered that the upstream fix for CVE-2023-35936 was incomplete, namely that the vulnerability remained when encoding '%' characters as '%25'.

For Debian 10 buster, these problems have been fixed in version 2.2.1-3+deb10u1.

We recommend that you upgrade your pandoc packages.

For the detailed security status of pandoc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pandoc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3499-1] libapache2-mod-auth-openidc security update
Debian LTS Advisory DLA-3499-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
July 19, 2023    https://wiki.debian.org/LTS

Package    : libapache2-mod-auth-openidc
Version    : 2.3.10.2-1+deb10u3
CVE ID     : CVE-2021-39191 CVE-2022-23527
Debian Bug : 993648 1026444

Open Redirect vulnerabilities were found in libapache2-mod-auth-openidc, an OpenID Connect Relying Party implementation for Apache, which could lead to information disclosure via phishing attacks.

CVE-2021-39191

    The 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the target_link_uri parameter.

CVE-2022-23527

    When providing a logout parameter to the redirect URI, mod_auth_openidc failed to properly check for URLs starting with "/\t", leading to an open redirect.

For Debian 10 buster, these problems have been fixed in version 2.3.10.2-1+deb10u3.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3496-1] lemonldap-ng security update
Debian LTS Advisory DLA-3496-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
July 14, 2023    https://wiki.debian.org/LTS

Package : lemonldap-ng
Version : 2.0.2+ds-7+deb10u9
CVE ID  : CVE-2023-28862

Issues were discovered in Lemonldap::NG, an OpenID-Connect, CAS and SAML compatible Web-SSO system, which could lead to impersonation of users with second factor authentication.

Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an AuthBasic session.

Using the AuthBasic handler is now refused for users with a second factor. Admins who are *absolutely sure* that such accounts should be able to use AuthBasic handlers (which are password only) can append `and not $ENV{AuthBasic}` to the 2FA activation rules.

For Debian 10 buster, these problems have been fixed in version 2.0.2+ds-7+deb10u9.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3493-1] symfony security update
Debian LTS Advisory DLA-3493-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
July 11, 2023    https://wiki.debian.org/LTS

Package : symfony
Version : 3.4.22+dfsg-2+deb10u2
CVE ID  : CVE-2021-21424 CVE-2022-24894 CVE-2022-24895

Multiple security vulnerabilities were found in symfony, a PHP framework for web and console applications and a set of reusable PHP components, which could lead to information disclosure or impersonation.

CVE-2021-21424

    James Isaac, Mathias Brodala and Laurent Minguet discovered that it was possible to enumerate users without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing the time elapsed when authenticating an existing user and authenticating a non-existing user. A 403 is now returned whether the user exists or not, both when a user cannot switch to a user and when the user does not exist.

CVE-2022-24894

    Soner Sayakci discovered that when the Symfony HTTP cache system is enabled, the response header might be stored with a `Set-Cookie` header and returned to some other clients, thereby allowing an attacker to retrieve the victim's session. The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application.

CVE-2022-24895

    Marco Squarcina discovered that CSRF tokens aren't cleared upon login, which could enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation.

For Debian 10 buster, these problems have been fixed in version 3.4.22+dfsg-2+deb10u2.

We recommend that you upgrade your symfony packages.

For the detailed security status of symfony please refer to its security tracker page at: https://security-tracker.debian.org/tracker/symfony

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3488-1] node-tough-cookie security update
Debian LTS Advisory DLA-3488-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
July 10, 2023    https://wiki.debian.org/LTS

Package : node-tough-cookie
Version : 2.3.4+dfsg-1+deb10u1
CVE ID  : CVE-2023-26136

Kokorin Vsevolod discovered a Prototype Pollution vulnerability in node-tough-cookie, an RFC6265 Cookies and Cookie Jar library for node.js. The issue is due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode.

For Debian 10 buster, this problem has been fixed in version 2.3.4+dfsg-1+deb10u1.

We recommend that you upgrade your node-tough-cookie packages.

For the detailed security status of node-tough-cookie please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-tough-cookie

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for June 2023
During the month of June 2023 and on behalf of Freexian, I worked on the following:

* DLA-3442-1 for nbconvert=5.4-2+deb10u1 [CVE-2021-32862: GHSL-2021-1013 to -1028]
  https://lists.debian.org/msgid-search/?m=zhteirpktw6wr...@debian.org
* DLA-3458-1 for php7.3=7.3.31-1~deb10u4 [CVE-2023-3247]
  https://lists.debian.org/msgid-search/?m=zjedyafkomsgp...@debian.org
* DLA-3460-1 for python-mechanize=1:0.2.5-3+deb10u1 [CVE-2021-32837]
  https://lists.debian.org/msgid-search/?m=zjg1ykrw4kyn9...@debian.org
* DLA-3463-1 for opensc=0.19.0-1+deb10u2 [CVE-2019-6502, CVE-2021-42779, CVE-2021-42780, CVE-2021-42781, CVE-2021-42782 and CVE-2023-2977]
  https://lists.debian.org/msgid-search/?m=ZJI9/b4xxwuwn...@debian.org
* DLA-3469-1 for lua5.3=5.3.3-1.1+deb10u1 [CVE-2019-6706 and CVE-2020-24370]
  https://lists.debian.org/msgid-search/?m=zjtqrum3nm%2bcvj%...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3469-1] lua5.3 security update
Debian LTS Advisory DLA-3469-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
June 23, 2023    https://wiki.debian.org/LTS

Package    : lua5.3
Version    : 5.3.3-1.1+deb10u1
CVE ID     : CVE-2019-6706 CVE-2020-24370
Debian Bug : 920321 988734

Issues were found in lua5.3, a powerful, light-weight programming language designed for extending applications, which may result in denial of service.

CVE-2019-6706

    Fady Osman discovered a heap use-after-free vulnerability in lua_upvaluejoin() in lapi.c, which might result in denial of service upon calling debug.upvaluejoin() with specific arguments.

CVE-2020-24370

    Yongheng Chen discovered a negation overflow and segmentation fault issue in getlocal() and setlocal(), as demonstrated by getlocal(3,2^31).

For Debian 10 buster, these problems have been fixed in version 5.3.3-1.1+deb10u1.

We recommend that you upgrade your lua5.3 packages.

For the detailed security status of lua5.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lua5.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3463-1] opensc security update
Debian LTS Advisory DLA-3463-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
June 21, 2023    https://wiki.debian.org/LTS

Package    : opensc
Version    : 0.19.0-1+deb10u2
CVE ID     : CVE-2019-6502 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782 CVE-2023-2977
Debian Bug : 1037021

Multiple vulnerabilities were found in opensc, a set of libraries and utilities to access smart cards, which could lead to application crash or information leak.

CVE-2019-6502

    Dhiraj Mishra discovered a minor memory leak in the eidenv(1) CLI utility on an error case.

CVE-2021-42779

    A heap use-after-free vulnerability was discovered in sc_file_valid().

CVE-2021-42780

    A use-after-return vulnerability was discovered in insert_pin(), which could potentially crash programs using the library.

CVE-2021-42781

    Multiple heap buffer overflow vulnerabilities were discovered in pkcs15-oberthur.c, which could potentially crash programs using the library.

CVE-2021-42782

    Multiple stack buffer overflow vulnerabilities were discovered in various places, which could potentially crash programs using the library.

CVE-2023-2977

    A buffer overrun vulnerability was discovered in pkcs15 cardos_have_verifyrc_package(), which could lead to crash or information leak via a smart card package with a malicious ASN1 context.

For Debian 10 buster, these problems have been fixed in version 0.19.0-1+deb10u2.

We recommend that you upgrade your opensc packages.

For the detailed security status of opensc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/opensc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3460-1] python-mechanize security update
Debian LTS Advisory DLA-3460-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
June 20, 2023    https://wiki.debian.org/LTS

Package : python-mechanize
Version : 1:0.2.5-3+deb10u1
CVE ID  : CVE-2021-32837

Erik Krogh Kristensen and Rasmus Petersen from the GitHub Security Lab discovered a ReDoS (Regular Expression Denial of Service) vulnerability in python-mechanize, a library to automate interaction with websites modeled after the Perl module WWW::Mechanize, which could lead to Denial of Service when parsing a malformed authentication header.

For Debian 10 buster, this problem has been fixed in version 1:0.2.5-3+deb10u1.

We recommend that you upgrade your python-mechanize packages.

For the detailed security status of python-mechanize please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-mechanize

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3458-1] php7.3 security update
Debian LTS Advisory DLA-3458-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
June 20, 2023    https://wiki.debian.org/LTS

Package : php7.3
Version : 7.3.31-1~deb10u4
CVE ID  : CVE-2023-3247

Niels Dossche and Tim Düsterhus discovered that PHP's implementation of the SOAP HTTP Digest authentication did not check for failures, which may result in a stack information leak. Furthermore, the code used an insufficient number of random bytes.

For Debian 10 buster, this problem has been fixed in version 7.3.31-1~deb10u4.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3442-1] nbconvert security update
Debian LTS Advisory DLA-3442-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
June 03, 2023    https://wiki.debian.org/LTS

Package : nbconvert
Version : 5.4-2+deb10u1
CVE ID  : CVE-2021-32862

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert, a tool and library used to convert notebooks to various other formats via Jinja templates. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server without a tight Content-Security-Policy (e.g., nbviewer).

* GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
* GHSL-2021-1014: XSS in notebook.metadata.title;
* GHSL-2021-1015: XSS in notebook.metadata.widgets;
* GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
* GHSL-2021-1017: XSS in output data text/html cells;
* GHSL-2021-1018: XSS in output data image/svg+xml cells;
* GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
* GHSL-2021-1020: XSS in output data text/markdown cells;
* GHSL-2021-1021: XSS in output data application/javascript cells;
* GHSL-2021-1022: XSS in output.metadata.filenames image/png and image/jpeg;
* GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
* GHSL-2021-1024: XSS in output.metadata.width/height image/png and image/jpeg;
* GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+json cells;
* GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+json cells;
* GHSL-2021-1027: XSS in raw cells; and
* GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021, and -1028, are actually design decisions where text/html, text/markdown, application/JavaScript and markdown cells should allow for arbitrary JavaScript code execution. These vulnerabilities are therefore left open by default, but users can now opt out and strip down all JavaScript elements via a new HTMLExporter option `sanitize_html`.

For Debian 10 buster, this problem has been fixed in version 5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nbconvert

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for May 2023
During the month of May 2023 and on behalf of Freexian, I worked on the following:

* DLA-3424-1 for python-ipaddress=1.0.17-1+deb10u1 CVE-2020-14422
  https://lists.debian.org/msgid-search/?m=zglark8btpj4t...@debian.org
* DLA-3425-1 for sqlparse=0.2.4-1+deb10u1 CVE-2023-30608
  https://lists.debian.org/msgid-search/?m=zgnqjcg1ezp24...@debian.org
* DLA-3433-1 for libraw=0.19.2-2+deb10u3 CVE-2021-32142 and CVE-2023-1729
  https://lists.debian.org/msgid-search/?m=zhfjviz2o2hod...@debian.org
* DLA-3435-1 for rainloop=1.12.1-2+deb10u1 CVE-2019-13389 and CVE-2022-29360
  https://lists.debian.org/msgid-search/?m=zhkiwzezsjmpm...@debian.org
* DLA-3436-1 for sssd=1.16.3-3.2+deb10u1 CVE-2018-16838, CVE-2019-3811, CVE-2021-3621 and CVE-2022-4254
  https://lists.debian.org/msgid-search/?m=zhssgdjfo6rbn...@debian.org
* DLA-3436-2 for sssd=1.16.3-3.2+deb10u2
  https://lists.debian.org/msgid-search/?m=zhdysuwr6ufre...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3436-2] sssd regression update
Debian LTS Advisory DLA-3436-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 31, 2023    https://wiki.debian.org/LTS

Package : sssd
Version : 1.16.3-3.2+deb10u2

sssd 1.16.3-3.2+deb10u1 (DLA 3436-1) had a broken upgrade path from version 1.16.3-3.2. One could upgrade sssd-common to 1.16.3-3.2+deb10u1 while leaving libsss-certmap0 at 1.16.3-3.2; the version mismatch broke SSSD as the fix for CVE-2022-4254 introduces new symbols which are used in sssd-common's sssd_pam.

For Debian 10 buster, this problem has been fixed in version 1.16.3-3.2+deb10u2. This version differs from 1.16.3-3.2+deb10u1 only in package metadata. (Bumping the minimum version for libsss-certmap0 in sssd-common's Depends: field ensures a safe upgrade path.)

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3436-1] sssd security update
Debian LTS Advisory DLA-3436-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 29, 2023    https://wiki.debian.org/LTS

Package    : sssd
Version    : 1.16.3-3.2+deb10u1
CVE ID     : CVE-2018-16838 CVE-2019-3811 CVE-2021-3621 CVE-2022-4254
Debian Bug : 919051 931432 992710

Multiple vulnerabilities were found in sssd, a set of daemons to manage access to remote directories and authentication mechanisms, which could lead to privilege escalation.

CVE-2018-16838

    It was discovered that when the Group Policy Objects (GPO) are not readable by SSSD due to too strict permission settings on the server side, SSSD allows all authenticated users to login instead of denying access. A new boolean setting ‘ad_gpo_ignore_unreadable’ (defaulting to False) is introduced for environments where attributes in the groupPolicyContainer are not readable and changing the permissions on the GPO objects is not possible or desirable. See sssd-ad(5).

CVE-2019-3811

    It was discovered that if a user was configured with no home directory set, then sssd(8) returns ‘/’ (i.e., the root directory) instead of the empty string (meaning no home directory). This could impact services that restrict the user's filesystem access to within their home directory through chroot() or similar.

CVE-2021-3621

    It was discovered that the sssctl(8) command was vulnerable to shell command injection via the ‘logs-fetch’ and ‘cache-expire’ subcommands. This flaw could allow an attacker to trick the root user into running a specially crafted sssctl(8) command, such as via sudo, in order to gain root privileges.

CVE-2022-4254

    It was discovered that libsss_certmap failed to sanitize certificate data used in LDAP filters. PKINIT enables a client to authenticate to the KDC using an X.509 certificate and the corresponding private key, rather than a passphrase or keytab. Mapping rules are used in order to map the certificate presented during a PKINIT authentication request to the corresponding principal. However the mapping filter was found to be vulnerable to LDAP filter injection. As the search result can be influenced by values in the certificate, which may be attacker controlled, this flaw could allow an attacker to gain control of the admin account, leading to full domain takeover.

For Debian 10 buster, these problems have been fixed in version 1.16.3-3.2+deb10u1.

We recommend that you upgrade your sssd packages.

For the detailed security status of sssd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sssd

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
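The filter-injection class behind CVE-2022-4254, as an added example that is not SSSD's or libsss_certmap's code: a certificate-derived value is placed into an LDAP search filter once verbatim and once with RFC 4515 escaping, and a small leaf-assertion counter shows how the unescaped value rewrites the query. The filter template and the `x-certSubject` attribute are constructed for illustration and are not the certmap rule syntax.

```python
# Added example, not SSSD's code: escaping certificate data before it is
# interpolated into an LDAP search filter (RFC 4515), beside the unescaped
# form that lets '(' ')' '*' from the certificate become filter syntax.
# TEMPLATE and the attribute name are constructed, not SSSD's mapping rules.
TEMPLATE = "(&(objectClass=person)(x-certSubject={subject}))"

# RFC 4515 section 3: NUL, '(', ')', '*' and '\' must be escaped as \XX;
# non-ASCII characters are escaped octet by octet as UTF-8.
_SPECIAL = {0x00, 0x28, 0x29, 0x2A, 0x5C}


def ldap_escape(value: str) -> str:
    out = []
    for byte in value.encode("utf-8"):
        if byte in _SPECIAL or byte > 0x7F:
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter_unescaped(subject: str) -> str:
    """The bug class: the certificate value is pasted in verbatim."""
    return TEMPLATE.replace("{subject}", subject)


def build_filter_escaped(subject: str) -> str:
    """Fixed form: every value from the certificate is escaped first."""
    return TEMPLATE.replace("{subject}", ldap_escape(subject))


def assertion_count(ldap_filter: str) -> int:
    """Count the leaf '(attr=value)' assertions a filter parser would see.
    The template has exactly two; any extra one came from the value."""
    count = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!":
            count += 1
    return count


if __name__ == "__main__":
    # Constructed subject values: one ordinary, one carrying filter metacharacters.
    for subject in ("CN=alice,OU=Staff,DC=example,DC=com", "CN=alice)(uid=*"):
        for builder in (build_filter_unescaped, build_filter_escaped):
            f = builder(subject)
            print(f"{builder.__name__:24} assertions={assertion_count(f)}  {f}")
```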
[SECURITY] [DLA 3435-1] rainloop security update
Debian LTS Advisory DLA-3435-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 28, 2023    https://wiki.debian.org/LTS

Package        : rainloop
Version        : 1.12.1-2+deb10u1
CVE ID         : CVE-2019-13389 CVE-2022-29360
Debian Bug     : 1004548

Cross-site scripting (XSS) vulnerabilities were found in rainloop, a web-based email client, which could lead to information disclosure including passphrase leak.

CVE-2019-13389

    It was discovered that RainLoop Webmail lacked XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header.

CVE-2022-29360

    Simon Scannell discovered that RainLoop's Email Viewer allows XSS via a crafted text/html email message.

For Debian 10 buster, these problems have been fixed in version 1.12.1-2+deb10u1.

We recommend that you upgrade your rainloop packages.

For the detailed security status of rainloop please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rainloop

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3433-1] libraw security update
Debian LTS Advisory DLA-3433-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 27, 2023    https://wiki.debian.org/LTS

Package        : libraw
Version        : 0.19.2-2+deb10u3
CVE ID         : CVE-2021-32142 CVE-2023-1729
Debian Bug     : 1031790 1036281

Buffer overflow vulnerabilities were found in libraw, a raw image decoder library, which could lead to application crash or privilege escalation.

CVE-2021-32142

    A buffer overflow vulnerability was found in LibRaw_buffer_datastream::gets(char*, int), which could lead to privilege escalation or application crash.

CVE-2023-1729

    A heap-buffer-overflow was found in raw2image_ex(int), which may lead to application crash by a maliciously crafted input file.

For Debian 10 buster, these problems have been fixed in version 0.19.2-2+deb10u3.

We recommend that you upgrade your libraw packages.

For the detailed security status of libraw please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libraw

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3425-1] sqlparse security update
Debian LTS Advisory DLA-3425-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 16, 2023    https://wiki.debian.org/LTS

Package        : sqlparse
Version        : 0.2.4-1+deb10u1
CVE ID         : CVE-2023-30608
Debian Bug     : 1034615

Erik Krogh Kristensen discovered that sqlparse, a non-validating SQL parser, contained a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

For Debian 10 buster, this problem has been fixed in version 0.2.4-1+deb10u1.

We recommend that you upgrade your sqlparse packages.

For the detailed security status of sqlparse please refer to its security tracker page at: https://security-tracker.debian.org/tracker/sqlparse

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3424-1] python-ipaddress security update
Debian LTS Advisory DLA-3424-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 16, 2023    https://wiki.debian.org/LTS

Package        : python-ipaddress
Version        : 1.0.17-1+deb10u1
CVE ID         : CVE-2020-14422

Martin Wennberg discovered that python-ipaddress, a backport of Python 3's ipaddress module, improperly computed hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects. The attacker can then cause many dictionary entries to be created.

For Debian 10 buster, this problem has been fixed in version 1.0.17-1+deb10u1.

We recommend that you upgrade your python-ipaddress packages.

For the detailed security status of python-ipaddress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/python-ipaddress

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for April 2023
During the month of April 2023 and on behalf of Freexian, I worked on the following:

* DLA-3410-1 for openvswitch=2.10.7+ds1-0+deb10u4
  CVE-2023-1668
  https://lists.debian.org/msgid-search/?m=ze8ep8fiq5ztl...@debian.org

* Triage WordPress' outstanding CVEs and conclude no DLA is warranted at this time.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3410-1] openvswitch security update
Debian LTS Advisory DLA-3410-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
May 01, 2023    https://wiki.debian.org/LTS

Package        : openvswitch
Version        : 2.10.7+ds1-0+deb10u4
CVE ID         : CVE-2023-1668
Debian Bug     : 1034042

David Marchand discovered that Open vSwitch, a multilayer, software-based, Ethernet virtual switch, was vulnerable to crafted IP packets with ip proto set to 0, potentially causing a denial of service. Triggering the vulnerability requires an attacker to send a crafted IP packet with protocol field set to 0 and the flow rules to contain 'set' actions on other fields in the IP protocol header. The resulting flows will omit required actions, and fail to mask the IP protocol field, resulting in a large bucket which captures all IP packets.

For Debian 10 buster, this problem has been fixed in version 2.10.7+ds1-0+deb10u4.

We recommend that you upgrade your openvswitch packages.

For the detailed security status of openvswitch please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openvswitch

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for March 2023
During the month of March 2023 and on behalf of Freexian, I worked on the following:

* DLA-3347-2 for spip=3.2.4-1+deb10u11
  [Regression update for DLA-3347-1]
  https://lists.debian.org/msgid-search/?m=zaj85ko1lavxw...@debian.org

* DLA-3363-1 for pcre2=10.32-5+deb10u1
  CVE-2019-20454, CVE-2022-1586 and CVE-2022-1587
  https://lists.debian.org/msgid-search/?m=zbkah9bvesqzn...@debian.org

* [WIP] Wordpress triaging

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3363-1] pcre2 security update
Debian LTS Advisory DLA-3363-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
March 16, 2023    https://wiki.debian.org/LTS

Package        : pcre2
Version        : 10.32-5+deb10u1
CVE ID         : CVE-2019-20454 CVE-2022-1586 CVE-2022-1587
Debian Bug     : 1011954

Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl Compatible Regular Expression library, which could result in information disclosure or denial of service.

CVE-2019-20454

    Out-of-bounds read when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode.

CVE-2022-1586

    Out-of-bounds read involving unicode property matching in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

CVE-2022-1587

    Out-of-bounds read affecting recursions in JIT-compiled regular expressions caused by duplicate data transfers.

This upload also fixes a subject buffer overread in JIT when UTF is disabled and \X or \R has a greater than 1 fixed quantifier. This issue was found by Yunho Kim.

For Debian 10 buster, these problems have been fixed in version 10.32-5+deb10u1.

We recommend that you upgrade your pcre2 packages.

For the detailed security status of pcre2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/pcre2

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3347-2] spip regression update
Debian LTS Advisory DLA-3347-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
March 03, 2023    https://wiki.debian.org/LTS

Package        : spip
Version        : 3.2.4-1+deb10u11

It was discovered that the fix for CVE-2023-27372 broke (de)activation of plugins with dependencies.

For Debian 10 buster, this problem has been fixed in version 3.2.4-1+deb10u11.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to its security tracker page at: https://security-tracker.debian.org/tracker/spip

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Debian LTS report for February 2023
During the month of February 2023 and on behalf of Freexian, I worked on the following:

* DLA-3336-1 for node-url-parse=1.2.0-2+deb10u2
  CVE-2021-3664, CVE-2021-27515, CVE-2022-0512, CVE-2022-0639, CVE-2022-0686 and CVE-2022-0691
  https://lists.debian.org/msgid-search/?m=Y/a5cbemzr3li...@debian.org

* DLA-3344-1 for nodejs=10.24.0~dfsg-1~deb10u3
  CVE-2022-43548 and CVE-2023-23920
  https://lists.debian.org/msgid-search/?m=Y/qzlst0te1eq...@debian.org

* DLA-3345-1 for php7.3=7.3.31-1~deb10u3
  CVE-2022-31631, CVE-2023-0567, CVE-2023-0568 and CVE-2023-0662
  https://lists.debian.org/msgid-search/?m=Y/vwcggwy7trj...@debian.org

* DLA-3347-1 for spip=3.2.4-1+deb10u10
  CVE-2023-24258 and CVE-2023-27372 (DLA sent before the CVE IDs were assigned)
  https://lists.debian.org/msgid-search/?m=Y/0ow1d5ll7vp...@debian.org

* DLA-3348-1 for syslog-ng=3.19.1-5+deb10u1
  CVE-2022-38725
  https://lists.debian.org/msgid-search/?m=Y/6o8zqo9zx8e...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3348-1] syslog-ng security update
Debian LTS Advisory DLA-3348-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
March 01, 2023    https://wiki.debian.org/LTS

Package        : syslog-ng
Version        : 3.19.1-5+deb10u1
CVE ID         : CVE-2022-38725

It was discovered that syslog-ng, a system logging daemon, had integer overflow and buffer out-of-bounds issues, which could allow a remote attacker to cause Denial of Service via crafted syslog input.

For Debian 10 buster, this problem has been fixed in version 3.19.1-5+deb10u1.

We recommend that you upgrade your syslog-ng packages.

For the detailed security status of syslog-ng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/syslog-ng

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3347-1] spip security update
Debian LTS Advisory DLA-3347-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
February 27, 2023    https://wiki.debian.org/LTS

Package        : spip
Version        : 3.2.4-1+deb10u10

It was discovered that SPIP, a content management system, was vulnerable to SQL injection, remote code execution, and authorization bypass vulnerabilities.

For Debian 10 buster, this problem has been fixed in version 3.2.4-1+deb10u10.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to its security tracker page at: https://security-tracker.debian.org/tracker/spip

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3345-1] php7.3 security update
Debian LTS Advisory DLA-3345-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
February 26, 2023    https://wiki.debian.org/LTS

Package        : php7.3
Version        : 7.3.31-1~deb10u3
CVE ID         : CVE-2022-31631 CVE-2023-0567 CVE-2023-0568 CVE-2023-0662
Debian Bug     : 1031368

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or incorrect validation of BCrypt hashes.

CVE-2022-31631

    Due to an uncaught integer overflow, `PDO::quote()` of PDO_SQLite may return an improperly quoted string. The exact details likely depend on the implementation of `sqlite3_snprintf()`, but with some versions it is possible to force the function to return a single apostrophe, if the function is called on user supplied input without any length restrictions in place.

CVE-2023-0567

    Tim Düsterhus discovered that malformed BCrypt hashes that include a `$` within their salt part trigger a buffer overread and may erroneously validate any password as valid. (`password_verify()` always returns `true` with such inputs.)

CVE-2023-0568

    1-byte array overrun when appending slash to paths during path resolution.

CVE-2023-0662

    Jakob Ackermann discovered a Denial of Service vulnerability when parsing multipart request body: the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging.

For Debian 10 buster, these problems have been fixed in version 7.3.31-1~deb10u3.

We recommend that you upgrade your php7.3 packages.

For the detailed security status of php7.3 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php7.3

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3344-1] nodejs security update
Debian LTS Advisory DLA-3344-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
February 26, 2023    https://wiki.debian.org/LTS

Package        : nodejs
Version        : 10.24.0~dfsg-1~deb10u3
CVE ID         : CVE-2022-43548 CVE-2023-23920
Debian Bug     : 1023518 1031834

Vulnerabilities have been found in Node.js, which could result in DNS rebinding or arbitrary code execution.

CVE-2022-43548

    The Node.js rebinding protector for `--inspect` still allows invalid IP addresses, specifically in octal format, which browsers such as Firefox attempt to resolve via DNS. When combined with an active `--inspect` session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code.

CVE-2023-23920

    Ben Noordhuis reported that Node.js would search and potentially load ICU data when running with elevated privileges. Node.js now builds with `ICU_NO_USER_DATA_OVERRIDE` to avoid this.

For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u3.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nodejs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3336-1] node-url-parse security update
Debian LTS Advisory DLA-3336-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
February 23, 2023    https://wiki.debian.org/LTS

Package        : node-url-parse
Version        : 1.2.0-2+deb10u2
CVE ID         : CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639 CVE-2022-0686 CVE-2022-0691
Debian Bug     : 985110 991577

Multiple vulnerabilities were found in node-types-url-parse, a Node.js module used to parse URLs, which may result in authorization bypass or redirection to untrusted sites.

CVE-2021-3664

    url-parse mishandles certain uses of a single (back)slash such as https:\ & https:/ and interprets the URI as a relative path. Browsers accept a single backslash after the protocol, and treat it as a normal slash, while url-parse sees it as a relative path. Depending on library usage, this may result in allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

CVE-2021-27515

    Using backslash in the protocol is valid in the browser, while url-parse thinks it's a relative path. An application that validates a URL using url-parse might pass a malicious link.

CVE-2022-0512

    Incorrect handling of username and password can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.

CVE-2022-0639

    Incorrect conversion of `@` characters in protocol in the `href` field can lead to failure to properly identify the hostname, which in turn could result in authorization bypass.

CVE-2022-0686

    Rohan Sharma reported that url-parse is unable to find the correct hostname when no port number is provided in the URL, such as in `http://example.com:`. This could in turn result in SSRF attacks, open redirects or any other vulnerability which depends on the `hostname` field of the parsed URL.

CVE-2022-0691

    url-parse is unable to find the correct hostname when the URL contains a backspace `\b` character. This tricks the parser into interpreting the URL as a relative path, bypassing all hostname checks. It can also lead to false positives in `extractProtocol()`.

For Debian 10 buster, these problems have been fixed in version 1.2.0-2+deb10u2.

We recommend that you upgrade your node-url-parse packages.

For the detailed security status of node-url-parse please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-url-parse

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
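Each of the url-parse issues above comes down to the library's idea of the hostname differing from the browser's. The following is an added example, not code from the advisory or the url-parse project: a hostname allow-list check built on Node's WHATWG-compliant global `URL` class (which resolves `https:\`, `https:/`, an empty port and embedded credentials the way browsers do), with a control-character pre-check so a stray backspace never reaches the parser. The host names in it are constructed placeholders.

```javascript
// Added example (not from the advisory or the url-parse project): an outbound
// URL allow-list check. It relies on the WHATWG URL parser built into Node so
// that the hostname it decides on is the one a browser would connect to.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']); // constructed

function checkOutboundUrl(input, allowedHosts = ALLOWED_HOSTS) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'URL must be a string' };
  }
  // Defence in depth: refuse any C0 control character (including the backspace
  // \b from CVE-2022-0691) up front instead of trusting the parser to do it.
  if (/[\u0000-\u001f\u007f]/.test(input)) {
    return { ok: false, reason: 'control character in URL' };
  }
  let url;
  try {
    // WHATWG parsing: for http(s), "https:\\host" and "https:/host" both
    // yield hostname "host", and "http://host:" (empty port) yields "host".
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  // Credentials in the authority part (the CVE-2022-0512 / CVE-2022-0639
  // territory) are never legitimate for an outbound fetch here: reject them
  // rather than trying to work out which part was meant as the host.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  // url.hostname is already lower-cased and IDNA-normalised by the parser,
  // so the allow list can be compared literally.
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host not on allow list: ${url.hostname}` };
  }
  return { ok: true, hostname: url.hostname, href: url.href };
}

// Run the input shapes named in the advisory through the check; returns
// [input, verdict] pairs so the outcome can be inspected programmatically.
function demo() {
  const samples = [
    'https://example.com/api',            // ordinary, allowed
    'https:\\\\example.com/api',          // "https:\\": browser host is example.com
    'https:/example.com/api',             // single slash: same
    'http://example.com:',                // empty port (CVE-2022-0686)
    'http://example.com@other.example',   // "example.com" is a username here
    'http://exam\bple.com',               // backspace inside the host
  ];
  return samples.map((s) => [JSON.stringify(s), checkOutboundUrl(s)]);
}

for (const [input, verdict] of demo()) {
  console.log(input, verdict);
}
```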
Debian LTS report for January 2023
During the month of January 2023 and on behalf of Freexian, I worked on the following:

* DLA-3270-1: net-snmp 5.7.3+dfsg-5+deb10u4
  CVE-2022-44793 and CVE-2022-44792
  https://lists.debian.org/msgid-search/Y8Nreff/4mms8...@debian.org

* DLA-3271-1: node-minimatch 3.0.4-3+deb10u1
  CVE-2022-3517
  https://lists.debian.org/msgid-search/y8qa+jo13podb...@debian.org

* DLA-3284-1: libapache-session-ldap-perl 0.4-1+deb10u1
  CVE-2020-36658 (filed that one and triaged it as it was needed for LemonLDAP::NG in some configurations for its CVE-2020-16093 fix)
  https://lists.debian.org/msgid-search/y9uqaz+ipzomj...@debian.org

* DLA-3285-1: libapache-session-browseable-perl 1.3.0-1+deb10u1
  CVE-2020-36659 (filed that one and triaged it as it was needed for LemonLDAP::NG in some configurations for its CVE-2020-16093 fix)
  https://lists.debian.org/msgid-search/y9uqf5z4nlvkr...@debian.org

* DLA-3287-1: lemonldap-ng 2.0.2+ds-7+deb10u8
  CVE-2020-16093 and CVE-2022-37186
  https://lists.debian.org/msgid-search/y9vbkneclvewf...@debian.org

* DLA-3289-1: dojo 1.14.2+dfsg1-1+deb10u3
  CVE-2020-4051 and CVE-2021-23450
  https://lists.debian.org/msgid-search/Y9ZMomJAkSfQWW/0...@debian.org

* DLA-3291-1: node-object-path 0.11.4-2+deb10u2
  CVE-2021-23434 and CVE-2021-3805
  https://lists.debian.org/msgid-search/y9aco2albhu2m...@debian.org

* DLA-3299-1: node-qs 6.5.2-1+deb10u1
  CVE-2022-24999
  https://lists.debian.org/msgid-search/Y9g+J/xmu6qw4...@debian.org

Thanks to the sponsors for financing this work, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3299-1] node-qs security update
Debian LTS Advisory DLA-3299-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 30, 2023    https://wiki.debian.org/LTS

Package        : node-qs
Version        : 6.5.2-1+deb10u1
CVE ID         : CVE-2022-24999

Nathanael Braun and Johan Brissaud discovered a prototype poisoning vulnerability in node-qs, a Node.js module to parse and stringify query strings. node-qs 6.5.x before 6.5.3 allows for instance the creation of array-like objects by setting an Array in the `__proto__` property; the resulting Objects inherit the `Array` prototype, thereby exposing native Array functions.

For Debian 10 buster, this problem has been fixed in version 6.5.2-1+deb10u1.

We recommend that you upgrade your node-qs packages.

For the detailed security status of node-qs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-qs

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3291-1] node-object-path security update
Debian LTS Advisory DLA-3291-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 29, 2023    https://wiki.debian.org/LTS

Package        : node-object-path
Version        : 0.11.4-2+deb10u2
CVE ID         : CVE-2021-3805 CVE-2021-23434

It was discovered that node-object-path, a Node.js module to access deep object properties using dot-separated paths, was vulnerable to prototype pollution.

CVE-2021-3805

    Prototype pollution vulnerability in the `del()`, `empty()`, `push()` and `insert()` functions when using the "inherited props" mode (e.g. when a new `object-path` instance is created with the `includeInheritedProps` option set to `true` or when using the `withInheritedProps` default instance).

CVE-2021-23434

    A type confusion vulnerability can lead to a bypass of the CVE-2020-15256 fix when the path components used in the path parameter are arrays, because the === operator always returns false when the type of the operands is different.

For Debian 10 buster, these problems have been fixed in version 0.11.4-2+deb10u2.

We recommend that you upgrade your node-object-path packages.

For the detailed security status of node-object-path please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-object-path

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
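The node-qs advisory (DLA-3299-1) and the node-object-path advisory (DLA-3291-1) above describe two ways a deep-property setter ends up writing to the prototype chain: a `__proto__` key reaching the traversal, and a path component that is an array rather than a string slipping past a strict-equality check. The following is an added example, not code from either project: a dotted/array path setter and deleter that coerces every component to a string before checking it, only follows own properties, and never creates containers that inherit from `Object.prototype`, plus a small bracket-notation query-string parser built on top of it. Function names and the sample query strings are constructed for the example.

```javascript
// Added example (not code from node-qs or node-object-path): hardened deep
// property access, as a defensive counterpart to the two advisories.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Normalise a path ('a.b.c' or ['a', 'b', 'c']) to an array of plain strings.
// Every component is coerced with String() *before* it is compared, because
// ['__proto__'] === '__proto__' is false (CVE-2021-23434) and a naive check
// would let the array form through. Object-typed components are rejected.
function normalizePath(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  if (parts.length === 0) throw new TypeError('empty path');
  return parts.map((part) => {
    if (part === null || typeof part === 'object' || typeof part === 'function') {
      throw new TypeError('path components must be strings or numbers');
    }
    const key = String(part);
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to traverse "${key}"`);
    return key;
  });
}

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const isObj = (v) => v !== null && typeof v === 'object';

function safeSet(target, path, value) {
  const parts = normalizePath(path);
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Only descend into *own* object properties. Inherited ones (what the
    // "inherited props" mode of CVE-2021-3805 followed) are never traversed;
    // a missing container is created with a null prototype so there is
    // nothing on it to pollute.
    if (!hasOwn(node, key) || !isObj(node[key])) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Counterpart of object-path's del(): removes only an own data property.
function safeDel(target, path) {
  const parts = normalizePath(path);
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (!hasOwn(node, key) || !isObj(node[key])) return false;
    node = node[key];
  }
  const last = parts[parts.length - 1];
  if (!hasOwn(node, last)) return false;
  delete node[last];
  return true;
}

// Minimal qs-style parser: 'a[b][c]=1&d=2' -> { a: { b: { c: '1' } }, d: '2' }.
// A key such as __proto__[0]=x is rejected by normalizePath instead of
// producing an object whose prototype is an Array (CVE-2022-24999). The
// result itself has a null prototype. An empty bracket pair '[]' maps to the
// key '' rather than to array-push semantics; that is a simplification.
function parseQuery(qs) {
  const result = Object.create(null);
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    // 'a[b][c]' -> ['a', 'b', 'c']
    const parts = decode(rawKey).replace(/\]/g, '').split('[');
    safeSet(result, parts, decode(rawVal));
  }
  return result;
}

// Constructed sample input.
console.log(JSON.stringify(parseQuery('user=alice&prefs[theme]=dark')));
```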
[SECURITY] [DLA 3289-1] dojo security update
Debian LTS Advisory DLA-3289-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 28, 2023    https://wiki.debian.org/LTS

Package        : dojo
Version        : 1.14.2+dfsg1-1+deb10u3
CVE ID         : CVE-2020-4051 CVE-2021-23450
Debian Bug     : 97 1014785

Two vulnerabilities were found in dojo, a modular JavaScript toolkit, that could result in information disclosure.

CVE-2020-4051

    The Dijit Editor's LinkDialog plugin of dojo 1.14.0 to 1.14.7 is vulnerable to cross-site scripting (XSS) attacks.

CVE-2021-23450

    Prototype pollution vulnerability via the setObject() function.

For Debian 10 buster, these problems have been fixed in version 1.14.2+dfsg1-1+deb10u3.

We recommend that you upgrade your dojo packages.

For the detailed security status of dojo please refer to its security tracker page at: https://security-tracker.debian.org/tracker/dojo

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3287-1] lemonldap-ng security update
Debian LTS Advisory DLA-3287-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 28, 2023    https://wiki.debian.org/LTS

Package        : lemonldap-ng
Version        : 2.0.2+ds-7+deb10u8
CVE ID         : CVE-2020-16093 CVE-2022-37186

Two vulnerabilities were found in lemonldap-ng, an OpenID-Connect, CAS and SAML compatible Web-SSO system, that could result in information disclosure or impersonation.

CVE-2020-16093

    Maxime Besson discovered that LemonLDAP::NG before 2.0.9 did not check validity of the X.509 certificate by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. This update changes the default behavior to require X.509 validation against the distribution bundle /etc/ssl/certs/ca-certificates.crt. Previous behavior can be reverted by running `/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set ldapVerify none`.

    If a session backend is set to Apache::Session::LDAP or Apache::Session::Browseable::LDAP, then the complete fix involves upgrading the corresponding Apache::Session module (libapache-session-ldap-perl resp. libapache-session-browseable-perl) to 0.4-1+deb10u1 (or ≥0.5) resp. 1.3.0-1+deb10u1 (or ≥1.3.8). See related advisories DLA-3284-1 and DLA-3285-1 for details.

CVE-2022-37186

    Mickael Bride discovered that under certain conditions the session remained valid on handlers after being destroyed on portal.

For Debian 10 buster, these problems have been fixed in version 2.0.2+ds-7+deb10u8.

We recommend that you upgrade your lemonldap-ng packages.

For the detailed security status of lemonldap-ng please refer to its security tracker page at: https://security-tracker.debian.org/tracker/lemonldap-ng

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3285-1] libapache-session-browseable-perl security update
Debian LTS Advisory DLA-3285-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 28, 2023    https://wiki.debian.org/LTS

Package        : libapache-session-browseable-perl
Version        : 1.3.0-1+deb10u1
CVE ID         : CVE-2020-36659

In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. This update changes the default behavior to require X.509 validation against the distribution bundle /etc/ssl/certs/ca-certificates.crt. Previous behavior can be reverted by setting `ldapVerify => "none"` when initializing the Apache::Session::Browseable::LDAP object.

NOTE: this update is a prerequisite for LemonLDAP::NG's CVE-2020-16093 fix when its session backend is set to Apache::Session::Browseable::LDAP.

For Debian 10 buster, this problem has been fixed in version 1.3.0-1+deb10u1.

We recommend that you upgrade your libapache-session-browseable-perl packages.

For the detailed security status of libapache-session-browseable-perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache-session-browseable-perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3284-1] libapache-session-ldap-perl security update
Debian LTS Advisory DLA-3284-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 28, 2023    https://wiki.debian.org/LTS

Package        : libapache-session-ldap-perl
Version        : 0.4-1+deb10u1
CVE ID         : CVE-2020-36658

In Apache::Session::LDAP before 0.5, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. This update changes the default behavior to require X.509 validation against the distribution bundle /etc/ssl/certs/ca-certificates.crt. Previous behavior can be reverted by setting `ldapVerify => "none"` when initializing the Apache::Session::LDAP object.

NOTE: this update is a prerequisite for LemonLDAP::NG's CVE-2020-16093 fix when its session backend is set to Apache::Session::LDAP.

For Debian 10 buster, this problem has been fixed in version 0.4-1+deb10u1.

We recommend that you upgrade your libapache-session-ldap-perl packages.

For the detailed security status of libapache-session-ldap-perl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libapache-session-ldap-perl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3271-1] node-minimatch security update
Debian LTS Advisory DLA-3271-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 15, 2023    https://wiki.debian.org/LTS

Package        : node-minimatch
Version        : 3.0.4-3+deb10u1
CVE ID         : CVE-2022-3517

A Regular Expression Denial of Service (ReDoS) vulnerability was found in node-minimatch, a Node.js module used to convert glob expressions into RegExp objects, which could result in Denial of Service when calling the `braceExpand()` function with specific arguments.

For Debian 10 buster, this problem has been fixed in version 3.0.4-3+deb10u1.

We recommend that you upgrade your node-minimatch packages.

For the detailed security status of node-minimatch please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-minimatch

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 3270-1] net-snmp security update
Debian LTS Advisory DLA-3270-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Guilhem Moulin
January 15, 2023    https://wiki.debian.org/LTS

Package        : net-snmp
Version        : 5.7.3+dfsg-5+deb10u4
CVE ID         : CVE-2022-44792 CVE-2022-44793
Debian Bug     : 1024020

menglong2234 discovered NULL pointer exceptions in net-snmp, a suite of Simple Network Management Protocol applications, which could result in denial of service.

CVE-2022-44792

    A remote attacker (with write access) could trigger a NULL dereference while handling ipDefaultTTL via a crafted UDP packet.

CVE-2022-44793

    A remote attacker (with write access) could trigger a NULL dereference while handling ipv6IpForwarding via a crafted UDP packet.

For Debian 10 buster, these problems have been fixed in version 5.7.3+dfsg-5+deb10u4.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/net-snmp

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
LTS report for December 2022
Hi,

During the month of December 2022 and on behalf of Freexian, I worked on the following:

* DLA-3221-1, node-cached-path-relative (prototype pollution)
  https://lists.debian.org/msgid-search/y40yr8jdg8vmg...@debian.org

* DLA-3222-1, node-fetch (information leak)
  https://lists.debian.org/msgid-search/y4051d6z8ubq8...@debian.org

* DLA-3235-1, node-eventsource (information leak)
  https://lists.debian.org/msgid-search/y5xkdbpcbi9nq...@debian.org

* DLA 3237-1, node-tar (cache poisoning)
  https://lists.debian.org/msgid-search/y5c3modyc8ikj...@debian.org

* DLA 3252-1, cacti (RCE, information disclosure, authentication bypass)
  https://lists.debian.org/msgid-search/y7aabrsu1xbds...@debian.org

* DLA 3258-1, node-loader-utils (prototype pollution)
  https://lists.debian.org/msgid-search/Y7BiOJVHrQkW/o...@debian.org

* DLA 3260-1, node-xmldom (incomplete validation)
  https://lists.debian.org/msgid-search/y7g8qm4fn8hhg...@debian.org
  [That one was uploaded and the DLA published on Jan 1, but all the work was done the day before so I'm adding it here.]

Thanks to the sponsors for financing this, and to Freexian for coordinating!

-- Guilhem.
[SECURITY] [DLA 3260-1] node-xmldom security update
- Debian LTS Advisory DLA-3260-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin January 01, 2023 https://wiki.debian.org/LTS - Package: node-xmldom Version: 0.1.27+ds-1+deb10u2 CVE ID : CVE-2021-21366 CVE-2022-39353 Debian Bug : 1024736 It was discovered that node-xmldom, a standard XML DOM (Level2 CORE) implementation in pure JavaScript, processed ill-formed XML, which may result in bugs and security holes in downstream applications. CVE-2021-21366 xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. CVE-2022-39353 Mark Gollnick discovered that xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting or throwing any error. This breaks the assumption that there is only a single root node in the tree, and may open security holes such as CVE-2022-39299 in downstream applications. For Debian 10 buster, these problems have been fixed in version 0.1.27+ds-1+deb10u2. We recommend that you upgrade your node-xmldom packages. For the detailed security status of node-xmldom please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-xmldom Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3258-1] node-loader-utils security update
- Debian LTS Advisory DLA-3258-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 31, 2022 https://wiki.debian.org/LTS - Package: node-loader-utils Version: 1.1.0-2+deb10u1 CVE ID : CVE-2022-37601 Supraja Baskar discovered a prototype pollution vulnerability in node-loader-utils, a Node.js module for webpack loaders. For Debian 10 buster, this problem has been fixed in version 1.1.0-2+deb10u1. We recommend that you upgrade your node-loader-utils packages. For the detailed security status of node-loader-utils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-loader-utils Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3252-1] cacti security update
- Debian LTS Advisory DLA-3252-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 31, 2022 https://wiki.debian.org/LTS - Package: cacti Version: 1.2.2+ds1-2+deb10u5 CVE ID : CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730 CVE-2022-46169 Debian Bug : 951832 1008693 1025648 Multiple security vulnerabilities were discovered in cacti, a web interface for graphing of monitoring systems, which may result in information disclosure, authentication bypass, or remote code execution. CVE-2020-8813 Askar discovered that an authenticated guest user with the graph real-time privilege could execute arbitrary code on a server running Cacti, via shell meta-characters in a cookie. CVE-2020-23226 Jing Chen discovered multiple Cross-Site Scripting (XSS) vulnerabilities in several pages, which can lead to information disclosure. CVE-2020-25706 joelister discovered a Cross-Site Scripting (XSS) vulnerability in templates_import.php, which can lead to information disclosure. CVE-2022-0730 It has been discovered that Cacti authentication can be bypassed when LDAP anonymous binding is enabled. CVE-2022-46169 Stefan Schiller discovered a command injection vulnerability, allowing an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected (which is likely the case on a production instance) for any monitored device. For Debian 10 buster, these problems have been fixed in version 1.2.2+ds1-2+deb10u5. We recommend that you upgrade your cacti packages. For the detailed security status of cacti please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cacti Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3237-1] node-tar security update
- Debian LTS Advisory DLA-3237-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 12, 2022 https://wiki.debian.org/LTS - Package: node-tar Version: 4.4.6+ds1-3+deb10u2 CVE ID : CVE-2021-37701 CVE-2021-37712 Debian Bug : 993981 Cache poisoning vulnerabilities were found in node-tar, a Node.js module used to read and write portable tar archives, which may result in arbitrary file creation or overwrite. CVE-2021-37701 It was discovered that node-tar performed insufficient symlink protection, thereby making directory cache vulnerable to poisoning using symbolic links. Upon extracting an archive containing a directory 'foo/bar' followed with a symbolic link 'foo\\bar' to an arbitrary location, node-tar would extract arbitrary files into the symlink target, thus allowing arbitrary file creation and overwrite. Moreover, on case-insensitive filesystems, a similar issue occurred with a directory 'FOO' followed with a symbolic link 'foo'. CVE-2021-37712 Similar to CVE-2021-37701, a specially crafted tar archive containing two directories and a symlink with names containing unicode values that normalized to the same value, would bypass node-tar's symlink checks on directories, thus allowing arbitrary file creation and overwrite. For Debian 10 buster, these problems have been fixed in version 4.4.6+ds1-3+deb10u2. We recommend that you upgrade your node-tar packages. For the detailed security status of node-tar please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-tar Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3235-1] node-eventsource security update
- Debian LTS Advisory DLA-3235-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 11, 2022 https://wiki.debian.org/LTS - Package: node-eventsource Version: 0.2.1-1+deb10u1 CVE ID : CVE-2022-1650 Timothee Desurmont discovered an information leak vulnerability in node-eventsource, a W3C compliant EventSource client for Node.js: the module was not honoring the same-origin policy and upon following a redirect would leak cookies to the target URL. For Debian 10 buster, this problem has been fixed in version 0.2.1-1+deb10u1. We recommend that you upgrade your node-eventsource packages. For the detailed security status of node-eventsource please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-eventsource Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3222-1] node-fetch security update
- Debian LTS Advisory DLA-3222-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 05, 2022 https://wiki.debian.org/LTS - Package: node-fetch Version: 1.7.3-1+deb10u1 CVE ID : CVE-2022-0235 ranjit-git discovered an information leak vulnerability in node-fetch, a Node.js module exposing a window.fetch compatible API on the Node.js runtime: the module was not honoring the same-origin policy and upon following a redirect would leak cookies to the target URL. For Debian 10 buster, this problem has been fixed in version 1.7.3-1+deb10u1. We recommend that you upgrade your node-fetch packages. For the detailed security status of node-fetch please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-fetch Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3221-1] node-cached-path-relative security update
- Debian LTS Advisory DLA-3221-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin December 05, 2022 https://wiki.debian.org/LTS - Package: node-cached-path-relative Version: 1.0.1-2+deb10u1 CVE ID : CVE-2018-16472 CVE-2021-23518 Debian Bug : #1004338 Cristian-Alexandru Staicu discovered a prototype pollution vulnerability in node-cached-path-relative, a Node.js module used to cache (memoize) the result of path.relative. CVE-2018-16472 An attacker controlling both the path and the cached value can mount a prototype pollution attack and thus overwrite arbitrary properties on Object.prototype, which may result in denial of service. CVE-2021-23518 The fix for CVE-2018-16472 was incomplete and other prototype pollution vulnerabilities were found in the meantime, resulting in a new CVE. For Debian 10 buster, these problems have been fixed in version 1.0.1-2+deb10u1. We recommend that you upgrade your node-cached-path-relative packages. For the detailed security status of node-cached-path-relative please refer to its security tracker page at: https://security-tracker.debian.org/tracker/node-cached-path-relative Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3206-1] heimdal security update
- Debian LTS Advisory DLA-3206-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin November 26, 2022 https://wiki.debian.org/LTS - Package: heimdal Version: 7.5.0+dfsg-3+deb10u1 CVE ID : CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640 Debian Bug : 946786 996586 1024187 Multiple security vulnerabilities were discovered in heimdal, an implementation of the Kerberos 5 authentication protocol, which may result in denial of service, information disclosure, or remote code execution. CVE-2019-14870 Isaac Boukris reported that the Heimdal KDC before 7.7.1 does not apply delegation_not_allowed (aka not-delegated) user attributes for S4U2Self. Instead the forwardable flag is set even if the impersonated client has the not-delegated flag set. CVE-2021-3671 Joseph Sutton discovered that the Heimdal KDC before 7.7.1 does not check for a missing sname in a TGS-REQ (Ticket Granting Server Request) before dereferencing it. An authenticated user could use this flaw to crash the KDC. CVE-2021-44758 It was discovered that Heimdal is prone to a NULL dereference in acceptors when the initial SPNEGO token has no acceptable mechanisms, which may result in denial of service for a server application that uses the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). CVE-2022-3437 Evgeny Legerov reported that the DES and Triple-DES decryption routines in the Heimdal GSSAPI library before 7.7.1 were prone to buffer overflow on malloc() allocated memory when presented with a maliciously small packet. In addition, the Triple-DES and RC4 (arcfour) decryption routines were not constant-time, which could potentially leak secret key material when using these ciphers. CVE-2022-41916 It was discovered that Heimdal's PKI certificate validation library before 7.7.1 can under some circumstances perform an out-of-bounds memory access when normalizing Unicode, which may result in denial of service. CVE-2022-42898 Greg Hudson discovered an integer multiplication overflow in the Privilege Attribute Certificate (PAC) parsing routine, which may result in denial of service for Heimdal KDCs and possibly Heimdal servers (e.g., via GSS-API) on 32-bit systems. CVE-2022-44640 Douglas Bagnall and the Heimdal maintainers independently discovered that Heimdal's ASN.1 compiler before 7.7.1 generates code that allows specially crafted DER encodings of CHOICEs to invoke the wrong free() function on the decoded structure upon decode error, which may result in remote code execution in the Heimdal KDC and possibly the Kerberos client, the X.509 library, and other components as well. For Debian 10 buster, these problems have been fixed in version 7.5.0+dfsg-3+deb10u1. We recommend that you upgrade your heimdal packages. For the detailed security status of heimdal please refer to its security tracker page at: https://security-tracker.debian.org/tracker/heimdal Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
[SECURITY] [DLA 3205-1] inetutils security update
- Debian LTS Advisory DLA-3205-1debian-...@lists.debian.org https://www.debian.org/lts/security/ Guilhem Moulin November 25, 2022 https://wiki.debian.org/LTS - Package: inetutils Version: 2:1.9.4-7+deb10u2 CVE ID : CVE-2019-0053 CVE-2021-40491 CVE-2022-39028 Debian Bug : 945861 956084 993476 Several security vulnerabilities were discovered in inetutils, a collection of common network programs. CVE-2019-0053 inetutils' telnet client doesn't sufficiently validate environment variables, which can lead to stack-based buffer overflows. This issue is limited to local exploitation from restricted shells. CVE-2021-40491 inetutils' ftp client before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. A malicious server can exploit this flaw to reach services in the client's private network. (This is similar to curl's CVE-2020-8284.) CVE-2022-39028 inetutils' telnet server through 2.3 has a NULL pointer dereference which a client can trigger by sending 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. For Debian 10 buster, these problems have been fixed in version 2:1.9.4-7+deb10u2. We recommend that you upgrade your inetutils packages. For the detailed security status of inetutils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/inetutils Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS signature.asc Description: PGP signature
Re: roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
Hi Sylvain! On Wed, 12 Jan 2022 at 15:48:51 +0100, Sylvain Beucler wrote: > On 12/01/2022 14:15, Guilhem Moulin wrote: >> In a recent post roundcube webmail upstream has announced the following >> security fix for #1003027. >> >> CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML >> messages with malicious CSS content. >> >> (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and >> 1.3 are affected too and the same fix applies cleanly. buster- and >> bullseye-security are no longer affected.) >> >> Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload >> if you'd like but would appreciate if you could take care of the DLA :-) > > Thanks for the update. Go ahead and upload to stretch-security, and I'll > publish the DLA accordingly :) Uploaded to security-master, thank you! > (out of curiosity, was there an issue with keeping the > "$this->config['charset']" bit from the original patch?) Ah yeah, forgot to mention that bit :-) There was no issue as far as I could tell. I don't have a strong opinion either way, but given htmlspecialchars()'s optional 3rd argument was added for 1.4-beta in https://github.com/roundcube/roundcubemail/commit/73ea8f94d01a87c3b9e83c96d1b795ca27151f16 I decided to drop it for stretch- and buster-security uploads. Cheers, -- Guilhem. signature.asc Description: PGP signature
roundcube: CVE-2021-46144: XSS vulnerability via HTML messages with malicious CSS content
Dear LTS Team, In a recent post roundcube webmail upstream has announced the following security fix for #1003027. CVE-2021-46144: Cross-site scripting (XSS) vulnerability via HTML messages with malicious CSS content. (Upstream only released fixes for 1.4 and 1.5 LTS branches, but 1.2 and 1.3 are affected too and the same fix applies cleanly. buster- and bullseye-security are no longer affected.) Debdiff against 1.2.3+dfsg.1-4+deb9u9 tested and attached. I can upload if you'd like but would appreciate if you could take care of the DLA :-) Thanks! Cheers, -- Guilhem. diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1 changelog|7 +++ patches/CVE-2021-46144.patch | 21 + patches/series |1 + 3 files changed, 29 insertions(+) diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog --- roundcube-1.2.3+dfsg.1/debian/changelog 2021-12-06 11:51:48.0 +0100 +++ roundcube-1.2.3+dfsg.1/debian/changelog 2022-01-12 12:56:32.0 +0100 @@ -1,3 +1,10 @@ +roundcube (1.2.3+dfsg.1-4+deb9u10) stretch-security; urgency=high + + * Backport fix for CVE-2021-46144: Fix cross-site scripting (XSS) via HTML +messages with malicious CSS content. (Closes: #1003027) + + -- Guilhem Moulin Wed, 12 Jan 2022 12:56:32 +0100 + roundcube (1.2.3+dfsg.1-4+deb9u9) stretch-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch --- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 1970-01-01 01:00:00.0 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2021-46144.patch 2022-01-12 12:56:32.0 +0100 
@@ -0,0 +1,21 @@ +commit b2400a4b592e3094b6c84e6000d512f99ae0eed8 +Author: Aleksander Machniak +Date: Wed Dec 29 19:02:43 2021 +0100 + +Security: Fix cross-site scripting (XSS) via HTML messages with malicious CSS content + +--- + program/lib/Roundcube/rcube_washtml.php |2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +@@ -304,7 +304,7 @@ class rcube_washtml + if (preg_match('/^([a-z:]*url)\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $value, $match)) { + if ($url = $this->wash_uri($match[2])) { + $result .= ' ' . $attr->nodeName . '="' . $match[1] . '(' . htmlspecialchars($url, ENT_QUOTES) . ')' +- . substr($val, strlen($match[0])) . '"'; ++ . htmlspecialchars(substr($val, strlen($match[0])), ENT_QUOTES) . '"'; + continue; + } + } diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/series roundcube-1.2.3+dfsg.1/debian/patches/series --- roundcube-1.2.3+dfsg.1/debian/patches/series2021-12-06 11:51:48.0 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/series2022-01-12 12:56:32.0 +0100 @@ -25,3 +25,4 @@ CVE-2020-35730.patch CVE-2021-44025.patch CVE-2021-44026.patch +CVE-2021-46144.patch signature.asc Description: PGP signature
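Review bot: the hunk in program/lib/Roundcube/rcube_washtml.php is shipped under the header of upstream commit b2400a4b592e3094b6c84e6000d512f99ae0eed8 but is not identical to it, since the third (charset) argument to htmlspecialchars() was dropped for the 1.2 branch; please record that deviation in the patch header (for example a `Comment:` line next to the `commit`/`Author:` block) so the next backport against rcube_washtml.php does not assume the hunk is verbatim. The escaping itself looks right: the washed URL was already escaped, the remainder of the CSS value now is too, and `$match[1]` needs no escaping because the regex restricts it to `[a-z:]*url`. One thing to double-check while here: the preg_match() runs on `$value` while the tail is taken from `$val`; that split is inherited from upstream, but it is worth confirming the 1.2 code keeps the two in sync at this point, otherwise the escaped tail could come from a different string than the one that was matched.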
Re: roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages
On Mon, 28 Dec 2020 at 12:10:46 +0530, Utkarsh Gupta wrote: > On Mon, Dec 28, 2020 at 8:28 AM Guilhem Moulin wrote: >> Debdiff tested and attached. I can upload if you'd like but would >> appreciate if you could take care of the DLA :-) > > Yes, please. I can take care of the DLA. Please feel free to upload to > stretch-security. Thank you Utkarsh, uploaded! -- Guilhem. signature.asc Description: PGP signature
roundcube: CVE-2020-35730: XSS vulnerability via malicious HTML or plaintext messages
Dear LTS team, In a recent post roundcube webmail upstream has announced the following security fix for #978491: Cross-site scripting (XSS) via HTML or Plain text messages with malicious content (CVE-2020-35730) — responsible disclosure from Alex Birnberg Debdiff tested and attached. I can upload if you'd like but would appreciate if you could take care of the DLA :-) Thanks! Cheers, -- Guilhem. diffstat for roundcube-1.2.3+dfsg.1 roundcube-1.2.3+dfsg.1 changelog|8 patches/CVE-2020-35730.patch | 77 +++ patches/series |1 3 files changed, 86 insertions(+) diff -Nru roundcube-1.2.3+dfsg.1/debian/changelog roundcube-1.2.3+dfsg.1/debian/changelog --- roundcube-1.2.3+dfsg.1/debian/changelog 2020-08-11 18:38:40.0 +0200 +++ roundcube-1.2.3+dfsg.1/debian/changelog 2020-12-28 03:25:57.0 +0100 @@ -1,3 +1,11 @@ +roundcube (1.2.3+dfsg.1-4+deb9u8) stretch-security; urgency=high + + * Backport security fix for CVE-2020-35730: Cross-site scripting (XSS) +Cross-site scripting (XSS) vulnerability via HTML or Plain text messages +with malicious content svg/namespace. (Closes: #978491) + + -- Guilhem Moulin Mon, 28 Dec 2020 03:25:57 +0100 + roundcube (1.2.3+dfsg.1-4+deb9u7) stretch-security; urgency=high * Backport security fix for CVE-2020-16145: Cross-site scripting (XSS) diff -Nru roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch --- roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch 1970-01-01 01:00:00.0 +0100 +++ roundcube-1.2.3+dfsg.1/debian/patches/CVE-2020-35730.patch 2020-12-28 03:25:57.0 +0100 
@@ -0,0 +1,77 @@ +commit 47e4d44f62ea16f923761d57f1773a66d51afad4 +Author: Aleksander Machniak +Date: Sun Dec 27 18:27:42 2020 +0100 + +Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730] + +Credits to Alex Birnberg + +diff --git a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php +index 284d58547..d4ec20f23 100644 +--- a/program/lib/Roundcube/rcube_string_replacer.php b/program/lib/Roundcube/rcube_string_replacer.php +@@ -24,7 +24,7 @@ + */ + class rcube_string_replacer + { +-public static $pattern = '/##str_replacement_(\d+)##/'; ++public $pattern; + public $mailto_pattern; + public $link_pattern; + public $linkref_index; +@@ -39,6 +39,10 @@ class rcube_string_replacer + + function __construct($options = array()) + { ++// Create hard-to-guess replacement string ++$uniq_ident= sprintf('%010d%010d', mt_rand(), mt_rand()); ++$this->pattern = '/##' . $uniq_ident . '##(\d+)##/'; ++ + // Simplified domain expression for UTF8 characters handling + // Support unicode/punycode in top-level domain part + $utf_domain = '[^?&@"\'\\/()<>\s\r\t\n]+\\.?([^\\x00-\\x2f\\x3b-\\x40\\x5b-\\x60\\x7b-\\x7f]{2,}|xn--[a-zA-Z0-9]{2,})'; +@@ -49,7 +53,7 @@ class rcube_string_replacer + $link_prefix = "([\w]+:\/\/|{$this->noword}[Ww][Ww][Ww]\.|^[Ww][Ww][Ww]\.)"; + + $this->options = $options; +-$this->linkref_index = '/\[([^\]#]+)\](:?\s*##str_replacement_(\d+)##)/'; ++$this->linkref_index = '/\[([^\]#]+)\](:?\s*' . substr($this->pattern, 1, -1) . ')/'; + $this->linkref_pattern = '/\[([^\]#]+)\]/'; + $this->link_pattern= "/$link_prefix($utf_domain([$url1]*[$url2]+)*)/"; + $this->mailto_pattern = "/(" +@@ -78,7 +82,7 @@ class rcube_string_replacer + */ + public function get_replacement($i) + { +-return '##str_replacement_' . $i . 
'##'; ++return str_replace('(\d+)', $i, substr($this->pattern, 1, -1)); + } + + /** +@@ -121,7 +125,7 @@ class rcube_string_replacer + public function linkref_addindex($matches) + { + $key = $matches[1]; +-$this->linkrefs[$key] = $this->urls[$matches[3]]; ++$this->linkrefs[$key] = isset($this->urls[$matches[3]]) ? $this->urls[$matches[3]] : null; + + return $this->get_replacement($this->add('['.$key.']')) . $matches[2]; + } +@@ -166,7 +170,7 @@ class rcube_string_replacer + */ + public function replace_callback($matches) + { +-return $this->values[$matches[1]]; ++return isset($this->values[$matches[1]]) ? $this->values[$matches[1]] : null; + } + + /** +@@ -193,7 +197,7 @@ class rcube_string_replacer + */ + public function resolve($str) + { +-return preg_replace_callback(self::$pattern, array($this, 'replace_callback'), $str); ++return preg_replace_callback($this->pattern, array($this, 'replace_callback'), $str); + } + + /** diff -
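Review bot: the first hunk in program/lib/Roundcube/rcube_string_replacer.php turns `public static $pattern` into the instance property `public $pattern`, so any code that still reads `rcube_string_replacer::$pattern` statically will fatal at runtime; the debdiff shown here is cut off after this file, so please grep the rest of the 1.2 tree (plugins included) for the static access before uploading. The per-object token from `sprintf('%010d%010d', mt_rand(), mt_rand())` is what closes the hole, because a message can no longer contain a literal `##str_replacement_N##` that resolve() would expand into an arbitrary earlier value; mt_rand() is not a cryptographic generator, so if the token ever has to resist an attacker who can observe previous outputs, `random_bytes()` would be the safer source. The `isset()` guards in linkref_addindex() and replace_callback() now return null for an index that was never registered, which preg_replace_callback() turns into an empty string, so an unknown placeholder is silently dropped rather than echoed back; that is the safe direction, but it deserves a sentence in the changelog. Also, the debian/changelog entry repeats "Cross-site scripting (XSS)" twice and reads "with malicious content svg/namespace"; trim it to one phrase before upload.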
Re: roundcube: CVE-2020-16145: XSS vulnerability via HTML messages with malicious SVG or math content
Hi Roberto, On Tue, 11 Aug 2020 at 14:57:15 -0400, Roberto C. Sánchez wrote: >>> Dear security team, Should have been LTS team of course, bad templating from my side :-P >> I'll take care of it shortly. >> > I have uploaded the updated, published the DLA to the mailing list and > submitted a Salsa MR for the advisory update on the website. Many thanks for this! -- Guilhem. signature.asc Description: PGP signature