During the month of March 2024 and on behalf of Freexian, I worked on the
following:
phpseclib
---------
Uploaded 1.0.19-3~deb10u3 and issued DLA-3749-1.
https://lists.debian.org/msgid-search/?m=Zeck08zg6Y-jZez3@debian.org
* CVE-2024-27354: An attacker can construct a malformed certificate
containing an extremely large prime to cause a denial of service.
* CVE-2024-27355: When processing the ASN.1 object identifier of a
certificate, a sub identifier may be provided that leads to a denial of
service.
php-phpseclib
-------------
Uploaded 2.0.30-2~deb10u3 and issued DLA-3750-1.
https://lists.debian.org/msgid-search/?m=Zeck396hzVNXM2dk@debian.org
* CVE-2024-27354: An attacker can construct a malformed certificate
containing an extremely large prime to cause a denial of service.
* CVE-2024-27355: When processing the ASN.1 object identifier of a
certificate, a sub identifier may be provided that leads to a denial of
service.
dask.distributed
----------------
Ended up triaging the package after further testing and bisecting.
(CVE-2021-42343 was unreproducible with <2.0 and likely introduced in 2.0.0.)
spip
----
Uploaded 3.2.4-1+deb10u13 and issued DLA-3761-1.
https://lists.debian.org/msgid-search/?m=ZfRhIsyGvWItLJHR@debian.org
* CVE-2023-52322: XSS vulnerability because input from _request() is
not sanitized.
nodejs
------
Uploaded 10.24.0~dfsg-1~deb10u4 and issued DLA-3776-1.
https://lists.debian.org/msgid-search/?m=ZgNrGlwvgme2aZr3@debian.org
* CVE-2023-30590: Documentation change for the generateKeys() API function to
align with the actual behavior, that is, only generate a private key if none has
been set yet.
* CVE-2023-46809: Marvin Attack vulnerability in the privateDecrypt() API of
the crypto library. This is a timing variant of the Bleichenbacher attack
against PKCS#1 v1.5 padding. The fix disables RSA_PKCS1_PADDING and includes
a security revert flag that can be used to restore support (and the
vulnerability).
* CVE-2024-22025: Denial of Service by resource exhaustion in fetch() brotli
decoding.
* Also backport upstream commit a1121b456c (unit tests for CVE-2022-32212).
* Fix DNS unit tests which caused FTBFS in some build environments.
libvirt
-------
Uploaded 5.0.0-4+deb10u2 and issued DLA-3778-1.
https://lists.debian.org/msgid-search/?m=ZgqmNnznSz4aPHUm@debian.org
(The upload was done on April 1st but all backport and testing work was done in
March.)
* CVE-2020-10703: NULL pointer dereference in the libvirt API that is
responsible for fetching a storage pool based on its target path.
* CVE-2020-12430: Memory leak in the virDomainListGetStats libvirt API
that is responsible for retrieving domain statistics when managing QEMU
guests.
* CVE-2020-25637: Double free memory issue in the libvirt API that is
responsible for requesting information about network interfaces of a running
QEMU domain.
* CVE-2021-3631: SELinux MCS may be accessed by another machine.
* CVE-2021-3667: Improper locking in the virStoragePoolLookupByTargetPath
API.
* CVE-2021-3975: Use-after-free vulnerability. The qemuMonitorUnregister()
function in qemuProcessHandleMonitorEOF is called using multiple threads
without being adequately protected by a monitor lock.
* CVE-2021-4147: Deadlock and crash in libxl driver.
* CVE-2022-0897: Missing locking in nwfilterConnectNumOfNWFilters.
* CVE-2024-1441: Off-by-one error in the udevListInterfacesByStatus() function.
* CVE-2024-2494: Missing check for negative array lengths in RPC server
de-serialization routines.
* CVE-2024-2496: NULL pointer dereference in the udevConnectListAllInterfaces()
function.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.