
Debian LTS report for November 2024



During the month of November 2024 and on behalf of Freexian, I worked on the
following:

opensc
------

Kept backporting more fixes for known vulnerabilities, notably
CVE-2023-5992, CVE-2023-40660 and CVE-2023-40661, but didn't upload yet
as more security issues need to be fixed first.  Work is ongoing for the
remaining CVEs.

lemonldap-ng
------------

Uploaded 2.0.11+ds-4+deb11u6 and issued DLA-3979-1.
https://lists.debian.org/msgid-search/?m=Z0uB0kuEuSJ9FZLf@debian.org

  * CVE-2024-48933: XSS vulnerability in the login page when
    ‘userControl’ has been set to a non-default value that allows
    special HTML characters.
  * CVE-2024-52946: Improper Check during session refresh which allows
    an authenticated user to raise their authentication level under
    specific "Adaptative authentication rule".
  * CVE-2024-52947: XSS vulnerability in the upgrade session
    confirmation page (upgradeSession).

Also released ELA-1263-1 fixing CVE-2024-48933 and CVE-2024-52947 (the
buster version is immune to the 3rd issue as the Adaptative Authentication
plugin was introduced later).

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.
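The CVE-2024-48933 entry above describes a login-page XSS that only appears once an administrator relaxes the userControl regex enough to let HTML metacharacters through. The following is an added illustration of that condition, written for this page; it is not LemonLDAP::NG code and does not reproduce the project's templates. It models the pattern generically: a login form that reflects the submitted login, gated by a userControl regex, first without and then with output escaping. The default pattern `^[\w.\-@]+$`, the relaxed pattern `^.+$`, the function names and the payload are all assumptions made for the example.

```python
import html
import re

# Constructed model, not LemonLDAP::NG code. The "default" pattern below is an
# assumption standing in for a conservative userControl value; the "relaxed"
# one is an example of an administrator-chosen value that admits HTML
# metacharacters, which is the precondition described for CVE-2024-48933.
DEFAULT_USER_CONTROL = r"^[\w.\-@]+$"
RELAXED_USER_CONTROL = r"^.+$"

# Characters that matter for HTML injection in element or attribute context.
HTML_METACHARS = '<>"\'&'


def user_allowed(user: str, user_control: str) -> bool:
    """True if the submitted login satisfies the userControl regex."""
    return re.fullmatch(user_control, user) is not None


def render_login(user: str, user_control: str, escape: bool) -> str:
    """Render a minimal login page that pre-fills the previously submitted login.

    escape=False models reflection of the raw value (vulnerable);
    escape=True models proper HTML-attribute encoding (hardened).
    The userControl regex is applied first, exactly as an input filter would be.
    """
    if not user_allowed(user, user_control):
        # Rejected logins are never echoed back; the filter alone protects
        # the page only as long as the regex excludes HTML metacharacters.
        return '<form><input name="user" value=""><p>Bad login</p></form>'
    shown = html.escape(user, quote=True) if escape else user
    return f'<form><input name="user" value="{shown}"><p>Bad password</p></form>'


def accepted_html_chars(user_control: str) -> str:
    """Audit helper: which HTML metacharacters does a userControl regex let through?

    Each character is probed inside an otherwise ordinary login so that
    anchoring and quantifiers in the regex are exercised realistically.
    An empty result means the regex cannot be used to smuggle markup.
    """
    return "".join(c for c in HTML_METACHARS if user_allowed(f"jdoe{c}x", user_control))


def contains_raw_markup(page: str, payload: str) -> bool:
    """True if the attacker-controlled payload landed in the page unencoded."""
    return payload in page


# Constructed attacker input: breaks out of the value="..." attribute.
PAYLOAD = '"><script>alert(1)</script>'

if __name__ == "__main__":
    for name, pattern in (("default", DEFAULT_USER_CONTROL), ("relaxed", RELAXED_USER_CONTROL)):
        print(f"{name}: accepted HTML metacharacters = {accepted_html_chars(pattern)!r}")
        for escape in (False, True):
            page = render_login(PAYLOAD, pattern, escape)
            print(f"  escape={escape}: raw markup reflected = {contains_raw_markup(page, PAYLOAD)}")
```

The audit helper is the practical check: run it against the userControl value actually configured, and a non-empty result means the deployment depends on output encoding rather than on the input filter. Only the escaped rendering is safe under both patterns, which is why the fix belongs at the output side rather than in the regex.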


