During the month of November 2023 and on behalf of Freexian, I worked on the following:
opensc
------

Uploaded 0.19.0-1+deb10u3 and issued DLA-3668-1
https://lists.debian.org/msgid-search/?m=zwpsqzcsk_2as...@debian.org

 * CVE-2023-40660: Potential PIN bypass. The bypass was removed and
   explicit logout for most of the card drivers backported in order to
   prevent leaving unattended logged-in tokens.
 * CVE-2023-40661: Various security-related oss-fuzz issues, such as
   stack or heap buffer overflow.
 * Triage CVE-2023-4535.
 * Given many upstream commits did not apply cleanly, and touch several
   drivers for card readers I don't have access to, I spent some time
   testing the build against virtual card readers.

cryptojs
--------

Uploaded 3.1.2+dfsg-2+deb10u1 and issued DLA-3669-1
https://lists.debian.org/msgid-search/?m=zwtl8rkvosqzp...@debian.org

 * CVE-2023-46233: Weak default PBKDF2 settings. Default settings are
   now changed to use SHA256 with 250k iterations, in accordance with
   OWASP's current recommendations and newer Debian suites.

mediawiki
---------

Uploaded 1:1.31.16-1+deb10u7 and issued DLA-3671-1
https://lists.debian.org/msgid-search/?m=zwxtc1xr4p2y-...@debian.org

 * CVE-2023-45362: diff-multi-sameuser ("X intermediate revisions by
   the same user not shown") ignores username suppression, which can
   lead to information leak. Backporting the fix for 1.31 involved
   backporting multiple methods and functions from newer releases, as
   well as namespace tweaks for the revision store and records.
 * CVE-2023-3550 and CVE-2023-45363 are included in the DLA but were
   worked on during October. However, proper testing for these was done
   during November.
 * Spent some time trying to write a custom patch for CVE-2023-45360
   (upstream extends $wgRawHtmlMessages for all supported branches;
   however that was added in 1.32), only to later realize that sysops
   can edit sitewide JS already, so that CVE is moot for <1.32. Ended
   up reverting the fix and marking the CVE <no-dsa>.

horizon
-------

Uploaded 3:14.0.2-3+deb10u3 and issued DLA-3678-1
https://lists.debian.org/msgid-search/?m=zwkt0l4-ocq_y...@debian.org

 * CVE-2022-45582: Open Redirect vulnerability in Horizon Web Dashboard
   via the 'success_url' parameter.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!

-- 
Guilhem.