During the month of September 2024 and on behalf of Freexian, I worked on the
following:
dovecot
-------
Uploaded 1:2.3.13+dfsg1-2+deb11u2 and issued DLA-3860-1.
https://lists.debian.org/msgid-search/?m=ZtXJLVoFWoqM2VoV@debian.org
* CVE-2024-23184: Having a large number of address headers (From, To, Cc, Bcc,
etc.) could become excessively CPU intensive.
* CVE-2024-23185: Very large headers can cause resource exhaustion when
parsing a message.
Also, uploaded 1:2.3.4.1-5+deb10u8 resp. 1:2.2.27-3+deb9u8 to buster resp.
stretch ELTS, and issued ELA-1175-1.
(The uploads were done and DLA/ELA released in September, but backporting and
testing was actually done during August.)
nbconvert
---------
Uploaded 5.6.1-3+deb11u1 and issued DLA-3863-1.
https://lists.debian.org/msgid-search/?m=ZtYKF64X1RdaHAPS@debian.org
* CVE-2021-32862: When using nbconvert to generate an HTML version of
a user-controllable notebook, it is possible to inject arbitrary
HTML which may lead to cross-site scripting (XSS) vulnerabilities if
these HTML notebooks are served by a web server without tight
Content-Security-Policy (e.g., nbviewer).
gnutls28
--------
Uploaded 3.7.1-5+deb11u6 and issued DLA-3875-1.
https://lists.debian.org/msgid-search/?m=ZtjoBHYXqnR7lQtn@debian.org
* CVE-2024-28834 (Minerva attack): side-channel in the deterministic
ECDSA.
* CVE-2024-28835: certtool(1) crash when verifying a certificate chain
with more than 16 certificates.
* Memory leak in src/serv.c:listener_free() when a connected client
disappears.
* Segfault in lib/tls13/early_data.c:_gnutls13_recv_end_of_early_data().
* Potential segfault in lib/tls13/finished.c:_gnutls13_recv_finished().
expat
-----
Uploaded 2.2.10-2+deb11u6 and issued DLA-3893-1.
https://lists.debian.org/msgid-search/?m=ZuuCHntvIiW9c2Y4@debian.org
* CVE-2023-52425: Denial of Service (resource consumption) when
parsing a large token for which multiple buffer fills are needed.
* CVE-2024-45490: xmlparse.c does not reject a negative length for
XML_ParseBuffer(), which may cause memory corruption or code
execution.
* CVE-2024-45491: Integer overflow for nDefaultAtts on 32-bit
platforms.
* CVE-2024-45492: Integer overflow for m_groupSize on 32-bit
platforms.
* Run upstream test suite at build time.
Also, uploaded 2.2.6-2+deb10u8 resp. 2.2.0-2+deb9u9 resp. 2.1.0-6+deb8u12
to buster resp. stretch resp. jessie ELTS with fixes for CVE-2024-4549[0-2],
and issued ELA-1190-1.
opensc
------
Worked on fixes for:
* CVE-2021-34193 (stack overflow)
* CVE-2021-42778 (heap double free)
* CVE-2021-42779 (heap use after free)
* CVE-2021-42780 (use after return)
* CVE-2021-42781 (heap buffer overflow)
* CVE-2021-42782 (stack buffer overflow)
* CVE-2023-2977 (buffer overrun)
* CVE-2023-5992 (encryption padding removal is not side-channel resistant)
* CVE-2023-40660 (potential PIN bypass)
But did not upload yet.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.