
Debian LTS report for May 2024



During the month of May 2024 and on behalf of Freexian, I worked on the
following:

php7.3
------

Uploaded 7.3.31-1~deb10u6 and issued DLA-3810-1.
https://lists.debian.org/msgid-search/?m=Zjq5oR0VQPtNg09m@debian.org

  * CVE-2024-2756: Due to an incomplete fix to CVE-2022-31629, network
    and same-site attackers can set a standard insecure cookie in the
    victim's browser which is treated as a __Host- or __Secure- cookie
    by PHP applications.
  * CVE-2024-3096: If a password stored with password_hash starts with a
    null byte (\x00), testing a blank string as the password via
    password_verify() will incorrectly return true.

python-idna
-----------

Uploaded 2.6-1+deb10u1 and issued DLA-3811-1.
https://lists.debian.org/msgid-search/?m=ZjuwwznA9sjMNLyL@debian.org

  * CVE-2024-3651: A specially crafted argument to the idna.encode()
    function could consume significant resources, which may lead to a
    denial-of-service.

Also, uploaded a deferred NMU to sid for the above, and prepared debdiffs
for bullseye- and bookworm-proposed-updates.

less
----

Uploaded 487-0.1+deb10u1 and issued DLA-3823-1.
https://lists.debian.org/msgid-search/?m=ZlTkDIGFmCwHf8sT@debian.org

  * CVE-2022-48624: LESSCLOSE handling does not quote
    shell metacharacters.
  * CVE-2024-32487: Filenames containing a newline character
    could result in arbitrary command execution during input
    preprocessor invocation.

nodejs
------

WIP for CVE-2024-27983

roundcube
---------

Prepared fixes for 2 security issues for which no CVE has been assigned
yet (upload pending in the meantime).
https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
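As an added illustration of the CVE-2024-3096 failure mode described above (example code, not from the report, from Debian's package or from PHP's own fix), a defensive wrapper for a PHP 7.3 application that refuses to call password_verify() on a stored value that cannot be a genuine password_hash() output, plus a helper to audit stored hashes for corruption; the function names and the `$users` array are constructed for this example.

```php
<?php
// Added example (not from the report). Application-side mitigation: never
// hand password_verify() a stored value that is not a well-formed
// password_hash() output. A stored hash beginning with "\x00" is corrupt,
// and on an unpatched PHP it verifies a blank password (CVE-2024-3096).

function is_well_formed_password_hash(string $stored): bool
{
    // Genuine password_hash() output is a crypt()-style string
    // ("$2y$...", "$argon2i$...", "$argon2id$...") with no NUL bytes.
    if ($stored === '' || strpos($stored, "\0") !== false) {
        return false;
    }
    return preg_match('/^\$(2y|argon2id?)\$/', $stored) === 1;
}

function safe_password_verify(string $password, string $stored): bool
{
    // Refuse blank passwords outright and refuse malformed hashes, so the
    // vulnerable comparison path in password_verify() is never reached.
    if ($password === '' || !is_well_formed_password_hash($stored)) {
        return false;
    }
    return password_verify($password, $stored);
}

// Audit helper: returns the usernames whose stored hash is malformed, so
// those accounts can be forced through a password reset.
function find_malformed_hashes(array $users): array
{
    $bad = [];
    foreach ($users as $name => $stored) {
        if (!is_well_formed_password_hash($stored)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Constructed sample data: one valid bcrypt hash, one entry corrupted
// with a leading NUL byte as in the CVE description.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_BCRYPT),
    'bob'   => "\x00" . password_hash('battery staple', PASSWORD_BCRYPT),
];

var_dump(safe_password_verify('', $users['bob']));
var_dump(safe_password_verify('correct horse', $users['alice']));
var_dump(find_malformed_hashes($users));
```

The wrapper is a belt-and-braces measure for applications that cannot upgrade immediately; the DLA-3810-1 update fixes password_verify() itself.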
