During the month of January 2024 and on behalf of Freexian, I worked on the following:
php-phpseclib
-------------

Uploaded 2.0.30-2~deb10u2 and issued DLA-3718-1
https://lists.debian.org/msgid-search/?m=zbhgvxygvemfp...@debian.org

 * CVE-2023-48795: Terrapin attack

phpseclib
---------

Uploaded 1.0.19-3~deb10u2 and issued DLA-3719-1
https://lists.debian.org/msgid-search/?m=zbhgxnppbffqp...@debian.org

 * CVE-2023-48795: Terrapin attack

libspreadsheet-parsexlsx-perl
-----------------------------

Uploaded 0.27-2+deb10u1 and issued DLA-3723-1
https://lists.debian.org/msgid-search/?m=zbvpetjbe-uyu...@debian.org

 * CVE-2024-22368: Out-of-memory condition during parsing of a crafted XLSX document.
 * CVE-2024-23525: XXE attacks due to missing 'no_xxe' option of XML::Twig.

dropbear
--------

Turns out the version shipped in buster isn't vulnerable to CVE-2023-48795 (Terrapin) as neither ChaCha20-Poly1305 nor *-EtM are supported. But the versions shipped in both bullseye and bookworm were vulnerable and I uploaded 2020.81-3+deb11u1 resp. 2022.83-1+deb12u1 via (o)s-pu.

For bullseye, I also mitigated CVE-2021-36369 by backporting the addition of -oDisableTrivialAuth=yes.

tinyxml
-------

Uploaded 2.6.2-4+deb11u2 resp. 2.6.2-6+deb12u1 via (o)s-pu. (The fix for buster-security was done last month with DLA-3701-1.)

 * CVE-2023-34194: Reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

xerces-c
--------

Uploaded 3.2.3+debian-3+deb11u1 via os-pu. (The fix for buster-security was done last month with DLA-3704-1.)

 * CVE-2023-37536: Integer overflow via crafted .xsd files, which can lead to out-of-bounds access.
 * Replace RedHat's mitigation patch for CVE-2018-1311 (which introduced a memory leak) with the upstream-vetted change.

gnutls28
--------

Backported CVE-2024-0553 (side-channel leakage in RSA-PSK ciphersuites, which stems from an incomplete resolution of CVE-2023-5981) and investigated whether CVE-2024-0567 (assertion failure on cycle of cross-signed signatures of multiple CA) applies to buster, but haven't uploaded the fix yet.

Thanks to the sponsors for financing the above, and to Freexian for coordinating!

-- 
Guilhem.