During the month of September 2023 and on behalf of Freexian, I worked on the
following:
php7.3
------
Uploaded 7.3.31-1~deb10u5 and issued DLA-3555-1
https://lists.debian.org/msgid-search/?m=ZPeXM9JokfktZEnq@debian.org
* CVE-2023-3823: Security issue with external entity loading in XML
without enabling it.
* CVE-2023-3824: Buffer overflow and overread in phar_dir_read().
libssh2
-------
Uploaded 1.8.0-2.1+deb10u1 and issued DLA-3559-1
https://lists.debian.org/msgid-search/?m=ZPsEuJsKGuNcItKM@debian.org
* CVE-2019-17498: Integer overflow in a bounds check. Backported the
patch from SUSE, which includes the struct string_buf overhaul.
* CVE-2019-13115: Integer overflow vulnerability in kex.c's
kex_method_diffie_hellman_group_exchange_sha256_key_exchange()
function.
One could at first think that the issue was fixed by SUSE's patch
for CVE-2019-17498, since it embeds the bounds check, but that is not
the case; backported _libssh2_get_bignum_bytes() and
kex_method_diffie_hellman_group_exchange_*_key_exchange() for proper
bounds checking in _libssh2_check_length().
* CVE-2020-22218: Out of bounds memory access.
libraw
------
Uploaded 0.19.2-2+deb10u4 and issued DLA-3560-1
https://lists.debian.org/msgid-search/?m=ZP3QgQFN5E7M0DcO@debian.org
* CVE-2020-22628: Buffer Overflow vulnerability in LibRaw::stretch().
roundcube
---------
Uploaded 1.3.17+dfsg.1-1~deb10u3 and issued DLA-3577-1
https://lists.debian.org/msgid-search/?m=ZQ15LNmgs-TF4G9V@debian.org
* CVE-2023-43770: Cross-site scripting vulnerability via malicious
link references in plain/text messages.
python-git
----------
Uploaded 2.1.11-1+deb10u2 and issued DLA-3589-1
https://lists.debian.org/msgid-search/?m=ZRcSJLJPF4h6-q-5@debian.org
* CVE-2023-41040: Blind local file inclusion. Backported upstream
patch and added python2 compatibility.
python-reportlab
----------------
Uploaded 3.5.13-1+deb10u2 and issued DLA-3590-1
https://lists.debian.org/msgid-search/?m=ZRcsLN499VTLqk_K@debian.org
* CVE-2019-19450: Code injection in paraparser.py allows code execution.
* CVE-2020-28463: Server-side Request Forgery (SSRF) via <img> tags.
pandoc
------
2.9.2.1-1+deb11u1 was confirmed for bullseye-pu and 2.17.1.1-2~deb12u1
was uploaded to bookworm-pu. See DLA-3507-1 for details:
https://lists.debian.org/msgid-search/?m=ZMAeCNO5W6pxB%2BDr@debian.org
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.