During the month of December 2023 and on behalf of Freexian, I worked on the
following:

ncurses
-------

Uploaded 6.1+20181013-2+deb10u5 and issued DLA-3682-1
https://lists.debian.org/msgid-search/?m=zwznc9mam3buc...@debian.org

  * CVE-2021-39537: The tic(1) utility was susceptible to a
    heap overflow on crafted input due to improper bounds checking.
  * CVE-2023-29491: Local users could trigger security-relevant memory
    corruption via a crafted terminfo database file.
    ncurses now further restricts programs running with elevated
    privileges (setuid/setgid programs).  This change aligns ncurses'
    behavior in buster-security with that of bullseye's latest point
    release (6.2+20201114-2+deb11u2).

roundcube
---------

Uploaded 1.3.17+dfsg.1-1~deb10u5 and issued DLA-3683-1
https://lists.debian.org/msgid-search/?m=zw5naj2p259dw...@debian.org

  * CVE-2023-47272: cross-site scripting (XSS) vulnerability via a
    Content-Type or Content-Disposition header (used for attachment
    preview or download).
    1.3.x is no longer supported upstream and the code has changed quite a
    lot in 1.4.x, so I ended up backporting the entire download_headers()
    function.

spip
----

Uploaded 3.2.4-1+deb10u12 and issued DLA-3691-1
https://lists.debian.org/msgid-search/?m=zx-pl_ux-td7j...@debian.org

Backported upstream security fixes from 4.1.10 and 4.1.11.  No CVEs have
been assigned for these vulnerabilities yet.

tinyxml
-------

Uploaded 2.6.2-4+deb10u2 and issued DLA-3701-1
https://lists.debian.org/msgid-search/?m=zzckmin1i4fhc...@debian.org

  * CVE-2023-34194: Reachable assertion (and application exit) via a
    crafted XML document with a '\0' located after whitespace.
    tinyxml has been abandoned upstream so I wrote the patch myself.
    Fortunately in this case the fix turned out to be simple.
  * After looking at the researchers' report, I concluded that other
    CVEs (CVE-2023-40462 and CVE-2023-40458) were duplicates for another
    product *using* tinyxml.

Also, uploaded 2.6.2-6.1 to sid after consultation with the maintainer,
and submitted the patch to the Security Team for bullseye and bookworm
which have the same upstream version 2.6.2.

libspreadsheet-parseexcel-perl
------------------------------

Uploaded 0.6500-1+deb10u1 and issued DLA-3702-1
https://lists.debian.org/msgid-search/?m=zzc_sl-wtc5dy...@debian.org

  * CVE-2023-7101: Improper sanitation of directives in dynamically
    evaluated code could lead to the execution of arbitrary code by using
    specially crafted Number format strings within XLS and XLSX files.

xerces-c
--------

Uploaded 3.2.2+debian-1+deb10u2 and issued DLA-3704-1
https://lists.debian.org/msgid-search/?m=zzfqal46y-a9u...@debian.org

  * CVE-2023-37536: Integer overflow via crafted .xsd files,
    which can lead to out-of-bounds access.
  * While reviewing the upstream history I discovered that
    CVE-2018-1311 was recently fixed upstream in 3.2.5, so I replaced the
    previous mitigation patch (which introduced a memory leak) with that
    upstream-vetted fix.

Also, uploaded 3.2.4+debian-1.1 to sid after consultation with the
maintainer, and submitted a debdiff (targeting bullseye) to the Security
Team with the aforementioned fixes.

php-guzzlehttp-psr7
-------------------

Uploaded 1.4.2-0.1+deb10u2 and issued DLA-3705-1
https://lists.debian.org/msgid-search/?m=zzhwp6bkkp5nf...@debian.org

  * CVE-2023-29197: Improper header parsing which may lead to
    information disclosure or authorization bypass via crafted requests.
    (This is a follow-up to CVE-2022-24775 where the fix was incomplete.)
    Ended up backporting assertHeader() and its call sites, which had been
    omitted in 1.4.2-0.1+deb10u1.

Thanks to the sponsors for financing the above, and to Freexian for
coordinating!
-- 
Guilhem.