During the month of April 2024 and on behalf of Freexian, I worked on the following:

gnutls28
--------

Triaged CVE-2024-28834 and -28835.

util-linux
----------

Uploaded 2.33.1-0.1+deb10u1 and issued DLA-3782-1.
https://lists.debian.org/msgid-search/?m=ZhJ4LNfSe0Rh2R2Z@debian.org

 * CVE-2021-37600: Potential integer overflow in ipcutils.c.
 * CVE-2024-28085: Escape sequence injection in wall(1), which could lead to information disclosure or account takeover.
 * Prerequisite for the CVE-2024-28085 fix: Backport upstream changes to use fputs_careful() in order to handle UTF-8 characters.

mediawiki
---------

Uploaded 1:1.31.16-1+deb10u8 and issued DLA-3796-1.
https://lists.debian.org/msgid-search/?m=Zi0t9aYJrTlnLXK1@debian.org

 * CVE-2023-51704: group-.*-member messages were not properly escaped in Special:log/rights.
 * CVE-2024-PENDING: Special:MovePage did not limit nor truncate the list of subpages, which could lead to denial of service when trying to move pages with thousands of subpages.

nghttp2
-------

Uploaded 1.36.0-2+deb10u3 and issued DLA-3804-1.
https://lists.debian.org/msgid-search/?m=ZjFitmq-hyJDZXSG@debian.org

 * CVE-2024-28182: An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in Denial of Service.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

--
Guilhem.
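As an added illustration of the "careful output" idea behind the CVE-2024-28085 fix (this is example code written for this page, not util-linux's fputs_careful() nor anything from the report; the function names and the \xNN escape format are assumptions), a C routine that copies a message into a buffer so that well-formed UTF-8 passes through while control bytes and malformed sequences are rendered visibly instead of being interpreted by the terminal:

```c
#include <stdio.h>
#include <string.h>

/* Returns the length (2..4) of a structurally well-formed multi-byte
 * UTF-8 sequence starting at p, or 0 if p does not start one. C1
 * controls (U+0080..U+009F, encoded C2 80..C2 9F) are reported as 0
 * so they get escaped, since some terminals still act on them. */
static int utf8_seq_len(const unsigned char *p, size_t n) {
    size_t len;
    if (p[0] >= 0xC2 && p[0] <= 0xDF) len = 2;
    else if (p[0] >= 0xE0 && p[0] <= 0xEF) len = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) len = 4;
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;   /* bad continuation byte */
    if (len == 2 && p[0] == 0xC2 && p[1] < 0xA0) return 0;
    return (int)len;
}

/* Hypothetical careful copy: printable ASCII, newline, tab and
 * well-formed UTF-8 pass through; every other byte (ESC, DEL, other
 * C0/C1 controls, malformed UTF-8) becomes a visible \xNN escape.
 * Returns bytes written (excluding NUL), or -1 if out is too small. */
int careful_copy(const char *in, char *out, size_t outsz) {
    const unsigned char *p = (const unsigned char *)in;
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n;) {
        int len = utf8_seq_len(p + i, n - i);
        if (len > 0) {
            if (o + len >= outsz) return -1;
            memcpy(out + o, p + i, len);
            o += len; i += len;
        } else if (p[i] == '\n' || p[i] == '\t' || (p[i] >= 0x20 && p[i] < 0x7F)) {
            if (o + 1 >= outsz) return -1;
            out[o++] = p[i++];
        } else {
            if (o + 4 >= outsz) return -1;
            snprintf(out + o, 5, "\\x%02X", p[i++]);
            o += 4;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Check helper: 1 if careful_copy(in) yields exactly `expect`. */
int careful_matches(const char *in, const char *expect) {
    char buf[128];
    return careful_copy(in, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}
```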