
Debian LTS report for October 2023



During the month of October 2023 and on behalf of Freexian, I worked on the
following:

python-urllib3
--------------

Uploaded 1.24.1-1+deb10u1 and issued DLA-3610-1
https://lists.debian.org/msgid-search/?m=ZSKNLPFmNHU4Qi9D@debian.org

  * CVE-2018-25091: The fix for CVE-2018-20060 did not cover
    non-titlecase request headers; for instance ‘authorization’ request
    headers were not removed during cross-origin redirects.
    I discovered that the buster version was vulnerable to this issue
    while backporting the upstream for CVE-2023-43804, and requested a
    CVE ID for it.
  * CVE-2019-11236: Header injection vulnerability via CR/LF character
    injections.
  * CVE-2019-11324: System CA certificates were loaded into the
    SSLContext by default in addition to any manually-specified CA
    certificates.
  * CVE-2020-26137: CRLF injection vulnerability via putrequest().
  * CVE-2023-43804: Cookie request headers weren't stripped during
    cross-origin redirects.
  * Fix upstream tests so they work with buster's older pytest.  (These
    tests are neither run at build time nor via autopkgtests though.)

inetutils
---------

Uploaded 2:1.9.4-7+deb10u3 and issued DLA-3611-1
https://lists.debian.org/msgid-search/?m=ZSKPoz03b-FjtpzL@debian.org

  * CVE-2019-0053: Insufficient environment variable validation in the
    telnet client.
    Fix the incomplete patch for this vulnerability; contrary to what was
    stated, 2:1.9.4-7+deb10u2 was still vulnerable to it.
  * CVE-2023-40303: Unchecked return values for set*uid().

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u4 and issued DLA-3630-1
https://lists.debian.org/msgid-search/?m=ZTg8MxxUnj7FiEav@debian.org

  * CVE-2023-5631: Stored XSS via an HTML e-mail with a crafted
    SVG document.

mediawiki
---------

Work in progress; did not upload yet, but worked on fixing the following
issues:

  * CVE-2023-3550: Namespaces used in XML files are not properly
    validated.
  * CVE-2023-45363: Denial of Service when querying pages redirected to
    other variants with redirects and ‘converttitles’ set.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
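As an added illustration of the redirect header-stripping gaps behind CVE-2018-25091 and CVE-2023-43804 (example code written for this page, not the report's or urllib3's own implementation): an exact-match, titlecase-only check lets a lowercase "authorization" header and the Cookie header follow a redirect to another origin, while a case-insensitive check over the full set of credential-bearing headers does not. The function names, the header sets and the sample request are assumptions constructed for the example.

```python
"""Illustrative re-implementation of cross-origin redirect header stripping,
the bug class behind CVE-2018-20060, CVE-2018-25091 and CVE-2023-43804 in
urllib3. Example code for this page, not urllib3's own implementation;
function names and header sets are assumptions."""
from urllib.parse import urlsplit

# Default ports so "https://host" and "https://host:443" count as one origin.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def strip_headers_titlecase_only(headers, from_url, to_url):
    """The incomplete fix (assumed shape of the CVE-2018-20060 fix): on a
    cross-origin redirect, drop only a header spelled exactly
    'Authorization'. Two gaps: a lowercase 'authorization' header is kept
    (CVE-2018-25091), and 'Cookie' is never considered (CVE-2023-43804)."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name != "Authorization"}


# Credential-bearing headers that must not follow a redirect to another origin.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def strip_headers_hardened(headers, from_url, to_url):
    """Hardened form: compare header names case-insensitively (HTTP header
    names are case-insensitive) and cover Cookie as well as Authorization."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() not in SENSITIVE_HEADERS}


# Constructed sample: a client sent a lowercase 'authorization' header plus a
# Cookie, and the server answered with a redirect to a different host.
SAMPLE_HEADERS = {
    "authorization": "Bearer constructed-token",
    "Cookie": "session=constructed",
    "User-Agent": "example-client/1.0",
}
ORIGINAL_URL = "https://api.example/login"
REDIRECT_URL = "https://attacker.example/collect"


def leaked_headers(strip_fn):
    """Names of sensitive headers that strip_fn would still send to the
    redirect target, i.e. the credentials the other origin would receive."""
    kept = strip_fn(SAMPLE_HEADERS, ORIGINAL_URL, REDIRECT_URL)
    return sorted(name for name in kept if name.lower() in SENSITIVE_HEADERS)


if __name__ == "__main__":
    print("incomplete fix leaks:", leaked_headers(strip_headers_titlecase_only))
    print("hardened fix leaks:  ", leaked_headers(strip_headers_hardened))
```

Same-origin redirects (same scheme, host and port, with default ports filled in) keep all headers in both variants; only the cross-origin case differs. In real urllib3 the equivalent logic is driven by the Retry class's remove_headers_on_redirect setting rather than functions like these.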
