During the month of November 2024 and on behalf of Freexian, I worked on the
following:
opensc
------
Kept backporting more fixes for known vulnerabilities, notably
CVE-2023-5992, CVE-2023-40660 and CVE-2023-40661, but didn't upload yet
as more security issues need to be fixed first. Work is ongoing for the
remaining CVEs.
lemonldap-ng
------------
Uploaded 2.0.11+ds-4+deb11u6 and issued DLA-3979-1.
https://lists.debian.org/msgid-search/?m=Z0uB0kuEuSJ9FZLf@debian.org
* CVE-2024-48933: XSS vulnerability in the login page when
‘userControl’ has been set to a non-default value that allows
special HTML characters.
* CVE-2024-52946: Improper check during session refresh that allows
an authenticated user to raise their authentication level under a
specific "Adaptative authentication rule".
* CVE-2024-52947: XSS vulnerability in the upgrade session
confirmation page (upgradeSession).
Also released ELA-1263-1, fixing CVE-2024-48933 and CVE-2024-52947 (the
buster version is immune to the third issue, as the Adaptative
Authentication plugin was introduced later).
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.