
Debian LTS report for April 2024



During the month of April 2024 and on behalf of Freexian, I worked on the
following:

gnutls28
--------

Triaged CVE-2024-28834 and -28835.

util-linux
----------

Uploaded 2.33.1-0.1+deb10u1 and issued DLA-3782-1.
https://lists.debian.org/msgid-search/?m=ZhJ4LNfSe0Rh2R2Z@debian.org

  * CVE-2021-37600: Potential integer overflow in ipcutils.c.
  * CVE-2024-28085: Escape sequence injection in wall(1), which could
    lead to information disclosure or account takeover.
  * Prerequisite for the CVE-2024-28085 fix: Backport upstream changes
    to use fputs_careful() in order to handle UTF-8 characters.

mediawiki
---------

Uploaded 1:1.31.16-1+deb10u8 and issued DLA-3796-1.
https://lists.debian.org/msgid-search/?m=Zi0t9aYJrTlnLXK1@debian.org

  * CVE-2023-51704: group-.*-member messages were not properly escaped
    in Special:log/rights.
  * CVE-2024-PENDING: Special:MovePage did not limit nor truncate
    the list of subpages, which could lead to denial of service when
    trying to move pages with thousands of subpages.

nghttp2
-------

Uploaded 1.36.0-2+deb10u3 and issued DLA-3804-1.
https://lists.debian.org/msgid-search/?m=ZjFitmq-hyJDZXSG@debian.org

  * CVE-2024-28182: An implementation using the nghttp2 library will
    continue to receive CONTINUATION frames, and will not callback to
    the application to allow visibility into this information before it
    resets the stream, resulting in Denial of Service.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
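
The class of bug behind CVE-2024-28085 above is untrusted text reaching a terminal with raw control and escape bytes, while the prerequisite fputs_careful() change is about still letting valid UTF-8 through. The following is an added example of such an output filter in C; it is not code from this report or from util-linux, and sanitize_for_terminal() and utf8_seq_len() are assumed names for a simplified design.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s (n bytes available), or 0 if it is
 * malformed, overlong, a surrogate, or a C1 control (U+0080..U+009F), which some
 * terminals also treat as an escape introducer. */
static size_t utf8_seq_len(const unsigned char *s, size_t n) {
    size_t len; uint32_t cp;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF) { len = 2; cp = s[0] & 0x1F; }
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { len = 3; cp = s[0] & 0x0F; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { len = 4; cp = s[0] & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if ((len == 3 && cp < 0x800) || (len == 4 && (cp < 0x10000 || cp > 0x10FFFF))) return 0;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || (cp >= 0x80 && cp <= 0x9F)) return 0;
    return len;
}

/* Copy in to out so that it is safe to print on a terminal (hypothetical helper,
 * simplified from the idea behind fputs_careful()): ASCII controls other than \n
 * and \t become caret notation (ESC -> ^[, DEL -> ^?), bytes outside valid UTF-8
 * become \xNN, valid UTF-8 passes through. Returns bytes written excluding the
 * NUL; output is truncated at a character boundary if outsz is too small. */
size_t sanitize_for_terminal(const char *in, char *out, size_t outsz) {
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), pos = 0; char tmp[8];
    if (outsz == 0) return 0;
    for (size_t i = 0; i < n; ) {
        size_t len = utf8_seq_len(s + i, n - i), tlen;
        if (len == 1 && (s[i] == '\n' || s[i] == '\t' || (s[i] >= 0x20 && s[i] < 0x7F))) {
            tmp[0] = (char)s[i]; tlen = 1;                 /* printable ASCII */
        } else if (len == 1) {                             /* ASCII control */
            tmp[0] = '^'; tmp[1] = (char)(s[i] == 0x7F ? '?' : s[i] + 0x40); tlen = 2;
        } else if (len == 0) {                             /* not valid UTF-8 */
            tlen = (size_t)snprintf(tmp, sizeof tmp, "\\x%02X", (unsigned)s[i]); len = 1;
        } else {                                           /* multibyte char */
            memcpy(tmp, s + i, len); tlen = len;
        }
        if (pos + tlen >= outsz) break;                    /* keep room for NUL */
        memcpy(out + pos, tmp, tlen); pos += tlen; i += len;
    }
    out[pos] = '\0'; return pos;
}
```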
