Hi Clément,

> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
> suggestions, but I guess our choices are either uploading 2.5 to stable, if
> that's possible. python-stem at least will need to be updated as well, from
> 1.8.0 to 1.8.1 which luckily is bugfix only.
With the upstream confirmation about affected states I had a look at the remaining issues affecting Bullseye:

CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h) is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for Bullseye.

CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v) is just a stopgap, the actual issue is in QT and I'll reach out to upstream for more information when this was fixed in QT so that it can be backported to Bullseye's QT packages.

This leaves:
https://security-tracker.debian.org/tracker/CVE-2022-21690
https://security-tracker.debian.org/tracker/CVE-2022-21689
https://security-tracker.debian.org/tracker/CVE-2021-41868

I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge case and invasive to fix.

This leaves CVE-2022-21690 and CVE-2022-21689, which have isolated patches which could be backported?

Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689 and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up to).

What do you think?

Cheers,
Moritz