During the month of September 2023 and on behalf of Freexian, I worked on the
following:

php7.3
------

Uploaded 7.3.31-1~deb10u5 and issued DLA-3555-1
https://lists.debian.org/msgid-search/?m=ZPeXM9JokfktZEnq@debian.org

  * CVE-2023-3823: Security issue with external entity loading in XML
    without enabling it.
  * CVE-2023-3824: Buffer overflow and overread in phar_dir_read().

libssh2
-------

Uploaded 1.8.0-2.1+deb10u1 and issued DLA-3559-1
https://lists.debian.org/msgid-search/?m=ZPsEuJsKGuNcItKM@debian.org

  * CVE-2019-17498: Integer overflow in a bounds check.  Backported the
    patch from SUSE, which includes the struct string_buf overhaul.
  * CVE-2019-13115: Integer overflow vulnerability in kex.c's
    kex_method_diffie_hellman_group_exchange_sha256_key_exchange()
    function.  One could at first think that the issue was fixed in
    SUSE's patch for CVE-2019-17498 since it embeds the bound check, but
    it's not the case; backported _libssh2_get_bignum_bytes() and
    kex_method_diffie_hellman_group_exchange_*_key_exchange() for proper
    bound checking in _libssh2_check_length().
  * CVE-2020-22218: Out of bounds memory access.

libraw
------

Uploaded 0.19.2-2+deb10u4 and issued DLA-3560-1
https://lists.debian.org/msgid-search/?m=ZP3QgQFN5E7M0DcO@debian.org

  * CVE-2020-22628: Buffer Overflow vulnerability in LibRaw::stretch().

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u3 and issued DLA-3577-1
https://lists.debian.org/msgid-search/?m=ZQ15LNmgs-TF4G9V@debian.org

  * CVE-2023-43770: Cross-site scripting vulnerability via malicious link
    references in plain/text messages.

python-git
----------

Uploaded 2.1.11-1+deb10u2 and issued DLA-3589-1
https://lists.debian.org/msgid-search/?m=ZRcSJLJPF4h6-q-5@debian.org

  * CVE-2023-41040: Blind local file inclusion.  Backported upstream
    patch and added python2 compatibility.

python-reportlab
----------------

Uploaded 3.5.13-1+deb10u2 and issued DLA-3590-1
https://lists.debian.org/msgid-search/?m=ZRcsLN499VTLqk_K@debian.org

  * CVE-2019-19450: Code injection in paraparser.py allows code execution.
  * CVE-2020-28463: Server-side Request Forgery (SSRF) via <img> tags.

pandoc
------

2.9.2.1-1+deb11u1 and 2.17.1.1-2~deb12u1 were respectively confirmed and
uploaded to bullseye- and bookworm-pu.  See DLA-3507-1 for details
https://lists.debian.org/msgid-search/?m=ZMAeCNO5W6pxB%2BDr@debian.org

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

-- 
Guilhem.
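The libssh2 entries above describe two integer overflows in bounds checks, fixed by moving to a remaining-bytes check (the page names _libssh2_check_length() as where the proper check now lives). The following is an added illustration of that bug class and its fix, written for this page; it is not libssh2's code, not part of the report, and the struct cursor, check_unsafe(), check_safe(), read_string() and the constructed packet bytes are all assumptions made for the example. The only thing it takes from the report is the idea: compare an untrusted length against the space left, never against an offset-plus-length sum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed read cursor over a byte buffer (an illustration of the
 * pattern, not libssh2's struct string_buf).  Invariant: off <= len. */
struct cursor {
    const unsigned char *data;
    size_t len;   /* total bytes in data */
    size_t off;   /* bytes already consumed */
};

/* Overflow-prone bounds check.  off + want wraps when want is large
 * (e.g. a length field taken from the peer), so the sum compares smaller
 * than len and the check passes.  Unsigned wraparound is well defined in
 * C, which is exactly why this fails silently. */
int check_unsafe(const struct cursor *c, size_t want)
{
    return (c->off + want <= c->len) ? 1 : 0;
}

/* Safe bounds check: compare want against the remaining space.  The
 * subtraction cannot underflow because off <= len is enforced first. */
int check_safe(const struct cursor *c, size_t want)
{
    if (c->off > c->len)          /* cursor invariant violated */
        return 0;
    return (want <= c->len - c->off) ? 1 : 0;
}

/* Length-prefixed string reader using the safe check: a 4-byte big-endian
 * length followed by that many bytes.  Returns 1 and sets *out/*out_len
 * on success, 0 if the buffer cannot hold the claimed length. */
int read_string(struct cursor *c, const unsigned char **out, size_t *out_len)
{
    if (!check_safe(c, 4))
        return 0;
    const unsigned char *p = c->data + c->off;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    c->off += 4;
    if (!check_safe(c, n))
        return 0;
    *out = c->data + c->off;
    *out_len = n;
    c->off += n;
    return 1;
}

/* Reproduces the wraparound: with a 16-byte buffer and off = 8,
 * want = SIZE_MAX - 7 makes off + want wrap to 0, so the unsafe check
 * accepts a read of almost the whole address space.  Returns 1 when the
 * unsafe check accepts and the safe check rejects. */
int demo_wraparound(void)
{
    unsigned char buf[16] = {0};
    struct cursor c = { buf, sizeof buf, 8 };
    size_t want = SIZE_MAX - 7;   /* 8 + want == 0 after wraparound */
    return check_unsafe(&c, want) && !check_safe(&c, want);
}

/* Constructed packet: the string "abc" followed by a string claiming
 * 0xFFFFFFFF bytes that the buffer cannot hold.  Returns 1 when the first
 * string parses with length 3 and the second is rejected as truncated. */
int demo_packet(void)
{
    unsigned char pkt[] = { 0,0,0,3, 'a','b','c', 0xff,0xff,0xff,0xff, 'x' };
    struct cursor c = { pkt, sizeof pkt, 0 };
    const unsigned char *s = NULL;
    size_t n = 0;
    int first = read_string(&c, &s, &n);
    int second = read_string(&c, &s, &n);
    return first && n == 3 && !second;
}

int main(void)
{
    printf("wraparound reproduced, fix holds: %d\n", demo_wraparound());
    printf("truncated packet rejected:        %d\n", demo_packet());
    return 0;
}
```

The point to carry over when reviewing a backport like the one described above is that the check has to be the remaining-bytes form everywhere a wire length is consumed; fixing it in one helper does not help callers that still do their own offset-plus-length arithmetic, which is the situation the report describes for CVE-2019-13115.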