During the month of November 2023 and on behalf of Freexian, I worked on the
following:
opensc
------
Uploaded 0.19.0-1+deb10u3 and issued DLA-3668-1
https://lists.debian.org/msgid-search/?m=ZWPsQzCsK_2asD6e@debian.org
* CVE-2023-40660: Potential PIN bypass. The bypass was removed and
explicit logout for most of the card drivers backported in order to
prevent leaving unattended logged-in tokens.
* CVE-2023-40661: Various security-related oss-fuzz issues, such as
stack or heap buffer overflow.
* Triage CVE-2023-4535.
* Given many upstream commits did not apply cleanly, and touched several
drivers for card readers I don't have access to, I spent some time
testing the build against virtual card readers.
cryptojs
--------
Uploaded 3.1.2+dfsg-2+deb10u1 and issued DLA-3669-1
https://lists.debian.org/msgid-search/?m=ZWTl8rKvoSqzPtfd@debian.org
* CVE-2023-46233: Weak default PBKDF2 settings. Default settings are
now changed to use SHA256 with 250k iterations, in accordance with
OWASP's current recommendations and newer Debian suites.
mediawiki
---------
Uploaded 1:1.31.16-1+deb10u7 and issued DLA-3671-1
https://lists.debian.org/msgid-search/?m=ZWXTC1Xr4p2y-EBj@debian.org
* CVE-2023-45362: diff-multi-sameuser (“X intermediate
revisions by the same user not shown”) ignores username suppression,
which can lead to information leak.
Backporting the fix for 1.31 involved backporting multiple methods
and functions from newer releases, as well as namespace tweaks for
the revision store and records.
* CVE-2023-3550 and CVE-2023-45363 are included in the DLA but were
worked on during October. However proper testing for these was done
during November.
* Spent some time trying to write a custom patch for CVE-2023-45360
(upstream extends $wgRawHtmlMessages for all supported branches;
however, that was added in 1.32), only to later realize that sysops
can edit sitewide JS already, so that CVE is moot for <1.32. Ended up
reverting the fix and marking the CVE <no-dsa>.
horizon
-------
Uploaded 3:14.0.2-3+deb10u3 and issued DLA-3678-1
https://lists.debian.org/msgid-search/?m=ZWkT0L4-ocq_yWSr@debian.org
* CVE-2022-45582: Open Redirect vulnerability in Horizon Web Dashboard
via the ‘success_url’ parameter.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.