During the month of January 2024 and on behalf of Freexian, I worked on the
following:
php-phpseclib
-------------
Uploaded 2.0.30-2~deb10u2 and issued DLA-3718-1
https://lists.debian.org/msgid-search/?m=ZbHGvxYgVeMFpij0@debian.org
* CVE-2023-48795: Terrapin attack
phpseclib
---------
Uploaded 1.0.19-3~deb10u2 and issued DLA-3719-1
https://lists.debian.org/msgid-search/?m=ZbHGxnppbFFQPaCI@debian.org
* CVE-2023-48795: Terrapin attack
libspreadsheet-parsexlsx-perl
-----------------------------
Uploaded 0.27-2+deb10u1 and issued DLA-3723-1
https://lists.debian.org/msgid-search/?m=ZbVpEtjbe-uYutQz@debian.org
* CVE-2024-22368: Out-of-memory condition during parsing of a crafted
XLSX document.
* CVE-2024-23525: XXE attacks due to missing ‘no_xxe’ option of
XML::Twig.
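As an added illustration of the `no_xxe` point above (example code written for this page, not taken from the report or from the Spreadsheet::ParseXLSX package), the following script parses a constructed XML document that declares an external entity, once with XML::Twig's `no_xxe` option and once with a benign document, and shows the hardened parser rejecting the external entity instead of resolving it. It assumes XML::Twig is installed and exposes the `no_xxe` constructor option.

```perl
#!/usr/bin/perl
# Added example, not part of the original report: demonstrates the
# XML::Twig no_xxe option that the CVE-2024-23525 entry refers to.
use strict;
use warnings;
use XML::Twig;

# Constructed sample: a document whose internal DTD subset declares an
# external entity and then references it from element content.
my $with_external_entity = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE sheet [
  <!ENTITY ext SYSTEM "file:///etc/hostname">
]>
<sheet><cell>&ext;</cell></sheet>
XML

# Constructed sample: the same structure without any external entity.
my $benign = <<'XML';
<?xml version="1.0"?>
<sheet><cell>hello</cell></sheet>
XML

# Parse $xml with XML::Twig and the given constructor options.
# Returns (1, text of the first <cell>) on success or (0, error) on failure.
sub parse_cell {
    my ($xml, %opts) = @_;
    my $twig = XML::Twig->new(%opts);
    my $ok = eval { $twig->parse($xml); 1 };
    return (0, "$@") unless $ok;
    my $cell = $twig->root->first_child('cell');
    return (1, defined $cell ? $cell->text : '');
}

# Hardened configuration: no_xxe => 1 makes the parser die as soon as an
# external entity would be resolved, so the file reference is never followed.
my ($ok_bad, $out_bad) = parse_cell($with_external_entity, no_xxe => 1);
printf "external-entity document with no_xxe: %s\n",
    $ok_bad ? "PARSED (unexpected): $out_bad" : "rejected: $out_bad";

# The same option does not interfere with ordinary documents.
my ($ok_good, $out_good) = parse_cell($benign, no_xxe => 1);
printf "benign document with no_xxe: %s\n",
    $ok_good ? "parsed, cell text '$out_good'" : "rejected: $out_good";
```

Without `no_xxe`, XML::Twig inherits XML::Parser's default behaviour of fetching external entities, which is what turns a crafted spreadsheet into a file-read primitive; passing `no_xxe => 1` wherever an application-controlled XML document is parsed is the relevant hardening, and the error raised on the first document above is the expected outcome, not a bug.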
dropbear
--------
Turns out the version shipped in buster isn't vulnerable to
CVE-2023-48795 (Terrapin) as neither ChaCha20-Poly1305 nor *-EtM are
supported. But the versions shipped in both bullseye and bookworm were
vulnerable and I uploaded 2020.81-3+deb11u1 resp. 2022.83-1+deb12u1 via
(o)s-pu.
For bullseye, I also mitigated CVE-2021-36369 by backporting the
addition of -oDisableTrivialAuth=yes.
tinyxml
-------
Uploaded 2.6.2-4+deb11u2 resp. 2.6.2-6+deb12u1 via (o)s-pu. (The fix
for buster-security was done last month with DLA-3701-1)
* CVE-2023-34194: Reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
xerces-c
--------
Uploaded 3.2.3+debian-3+deb11u1 via os-pu. (The fix for buster-security
was done last month with DLA-3704-1.)
* CVE-2023-37536: Integer overflow via crafted .xsd files,
which can lead to out-of-bounds access.
* Replace RedHat's mitigation patch for CVE-2018-1311 (which
introduced a memory leak) with the upstream-vetted change.
gnutls28
--------
Backported CVE-2024-0553 (side-channel leakage in RSA-PSK ciphersuites,
which stems from an incomplete resolution of CVE-2023-5981) and
investigated whether CVE-2024-0567 (assertion failure on a cycle of
cross-signed signatures of multiple CAs) applies to buster, but haven't
uploaded the fix yet.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.