During the month of September 2023 and on behalf of Freexian, I worked on the following:
php7.3
------

Uploaded 7.3.31-1~deb10u5 and issued DLA-3555-1
https://lists.debian.org/msgid-search/?m=zpexm9jokfktz...@debian.org

* CVE-2023-3823: Security issue with external entity loading in XML without enabling it.
* CVE-2023-3824: Buffer overflow and overread in phar_dir_read().

libssh2
-------

Uploaded 1.8.0-2.1+deb10u1 and issued DLA-3559-1
https://lists.debian.org/msgid-search/?m=zpseujskgunci...@debian.org

* CVE-2019-17498: Integer overflow in a bounds check. Backported the patch from SUSE, which includes the struct string_buf overhaul.
* CVE-2019-13115: Integer overflow vulnerability in kex.c's kex_method_diffie_hellman_group_exchange_sha256_key_exchange() function. One could at first think that the issue was fixed in SUSE's patch for CVE-2019-17498 since it embeds the bound check, but that is not the case; backported _libssh2_get_bignum_bytes() and kex_method_diffie_hellman_group_exchange_*_key_exchange() for proper bound checking in _libssh2_check_length().
* CVE-2020-22218: Out-of-bounds memory access.

libraw
------

Uploaded 0.19.2-2+deb10u4 and issued DLA-3560-1
https://lists.debian.org/msgid-search/?m=zp3qgqfn5e7m0...@debian.org

* CVE-2020-22628: Buffer overflow vulnerability in LibRaw::stretch().

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u3 and issued DLA-3577-1
https://lists.debian.org/msgid-search/?m=zq15lnmgs-tf4...@debian.org

* CVE-2023-43770: Cross-site scripting vulnerability via malicious link references in plain/text messages.

python-git
----------

Uploaded 2.1.11-1+deb10u2 and issued DLA-3589-1
https://lists.debian.org/msgid-search/?m=zrcsjljpf4h6-...@debian.org

* CVE-2023-41040: Blind local file inclusion. Backported upstream patch and added python2 compatibility.

python-reportlab
----------------

Uploaded 3.5.13-1+deb10u2 and issued DLA-3590-1
https://lists.debian.org/msgid-search/?m=zrcsln499vtlq...@debian.org

* CVE-2019-19450: Code injection in paraparser.py allows code execution.
* CVE-2020-28463: Server-side Request Forgery (SSRF) via <img> tags.

pandoc
------

2.9.2.1-1+deb11u1 and 2.17.1.1-2~deb12u1 were respectively confirmed and uploaded to bullseye- and bookworm-pu. See DLA-3507-1 for details:
https://lists.debian.org/msgid-search/?m=zmaecno5w6pxb%2...@debian.org

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.