During the month of December 2024 and on behalf of Freexian, I worked on the
following:
php7.4, php7.3, php7.0 and php5
-------------------------------
Uploaded php7.4=7.4.33-1+deb11u7 and issued DLA-3986-1.
https://lists.debian.org/msgid-search/?m=Z1WxNL0Vw0ES6Y0Y@debian.org
* CVE-2024-8929: Partial content leak of the heap through heap buffer
over-read in mysqlnd.
* CVE-2024-8932: Out-of-bound write in ldap_escape().
* CVE-2024-11233: Single byte overread with convert.quoted-printable-decode
filter.
* CVE-2024-11234: Configuring a proxy in a stream context might allow for
CRLF injection in URIs.
* CVE-2024-11236: Out-of-bound writes in the firebird and dblib quoters
due to integer overflow.
* GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data()
processing in CLI SAPI Interface.
Uploaded php7.3=7.3.31-1~deb10u9 (buster) and issued ELA-1277-1 for the
same issues.
https://www.freexian.com/lts/extended/updates/ela-1277-1-php7.3/
Uploaded php7.0=7.0.33-0+deb9u20 (stretch) and issued ELA-1278-1 for the
same issues.
https://www.freexian.com/lts/extended/updates/ela-1278-1-php7.0/
Uploaded php5=5.6.40+dfsg-0+deb8u22 (jessie) and issued ELA-1279-1 for
the same issues, plus a fix for a segfault on close() after
free_result() with mysqlnd.
https://www.freexian.com/lts/extended/updates/ela-1279-1-php5/
Most of my ELTS time was spent on backporting and testing the fix for
CVE-2024-8929 to older suites, especially jessie's php5. The code of
the mysqlnd extension has changed quite a bit since then.
python-urllib3
--------------
Uploaded 1.26.5-1~exp1+deb11u1 and issued DLA-3998-1.
https://lists.debian.org/msgid-search/?m=Z2bpYcAwl98INS5H@debian.org
* CVE-2023-43804: Cookie request header isn't stripped during
cross-origin redirects.
* CVE-2023-45803: Request body not stripped after redirect from 303
status changes request method to GET.
* CVE-2024-37891: Proxy-Authorization request header isn't stripped
during cross-origin redirects.
* Bugfix (#1089507): Use system 'six' module in urllib3.util.ssltransport.
Also, prepare 1.26.12-1+deb12u1 for bookworm fixing these same issues and
file spu bug #1091087 to that effect.
sqlparse
--------
Uploaded 0.4.1-1+deb11u1 and issued DLA-4000-1.
https://lists.debian.org/msgid-search/?m=Z2cMmfc3Zl5jkh9T@debian.org
* CVE-2021-32839: StripComments filter contains a regular expression
that is vulnerable to ReDOS.
* CVE-2023-30608: Parser contains a regular expression that is
vulnerable to ReDOS.
* CVE-2024-4340: Parsing of heavily nested list leads to Denial of
Service.
Also, prepare 0.4.2-1+deb12u1 for bookworm fixing these same issues and
file spu bug #1091547 to that effect.
opensc
------
Uploaded 0.21.0-1+deb11u1 and issued DLA-4004-1.
https://lists.debian.org/msgid-search/?m=Z2_9i71EqSjqkXd-@debian.org
* CVE-2021-34193: Stack overflow vulnerability in OpenSC smart card
middleware via crafted responses to APDUs.
* CVE-2021-42778: Heap double free issue in sc_pkcs15_free_tokeninfo().
* CVE-2021-42779: Heap use after free issue in sc_file_valid().
* CVE-2021-42780: Use after return issue in insert_pin().
* CVE-2021-42781: Heap buffer overflow in pkcs15-oberthur.c.
* CVE-2021-42782: Multiple stack buffer overflow issues.
* CVE-2023-2977: Buffer overrun vulnerability in pkcs15's
cardos_have_verifyrc_package().
* CVE-2023-5992: Side-channel leaks while stripping encryption PKCS#1.5
padding in OpenSC.
* CVE-2023-40660: Potential PIN bypass with empty PIN.
* CVE-2023-40661: Multiple memory vulnerabilities in pkcs15-init.
* CVE-2024-1454: Memory use after free in AuthentIC driver when updating
token info.
* CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating
key.
* CVE-2024-45615: Usage of uninitialized values in libopensc and
pkcs15init.
* CVE-2024-45616: Uninitialized values after incorrect check or usage of
APDU response values in libopensc.
* CVE-2024-45617: Uninitialized values after incorrect or missing
checking return values of functions in libopensc.
* CVE-2024-45618: Uninitialized values after incorrect or missing
checking return values of functions in pkcs15init.
* CVE-2024-45619: Incorrect handling of the length of buffers or files in
libopensc.
* CVE-2024-45620: Incorrect handling of the length of buffers or files in
pkcs15init.
Also, prepare 0.23.0-0.3+deb12u2 for bookworm fixing the 9 open no-dsa
vulnerabilities (CVE-2023-5992, CVE-2024-1454, -8443 and -45615 to
-45620) and file spu bug #1091207 to that effect.
Also, prepare 0.25.1-2.1 for unstable fixing the 7 open no-dsa
vulnerabilities (CVE-2024-8443 and -45615 to -45620). The NMU has since
been uploaded by the maintainer.
Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
--
Guilhem.