<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Hi,<br>
<br>
    <div class="moz-cite-prefix">On 23/10/2022 at 18:27, Clément Hermann
      wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a118aedd-5788-87a9-736c-06b945d1a441@nodens.org">Hi,
<br>
<br>
      On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:
<br>
<br>
<blockquote type="cite">Thanks for the quick reply! (much
appreciated). I think it would be
<br>
good to get a confirmation from upstream and if possible to have
<br>
        those advisories updated. E.g.
<br>
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v">https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v</a>
<br>
        while mentioning "affected versions &lt; 2.4" the patched
        version remains
        <br>
        "none". This might be that the &lt; 2.4 just reflects the point
        in time
        <br>
        when the advisory was filed. OTOH you have arguments with the
v2.5
<br>
release information that they might all be fixed.
<br>
<br>
        To be on the safe side, explicit confirmation by upstream would be
great.
<br>
</blockquote>
<br>
Agreed. And asked upstream:
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/issues/1633">https://github.com/onionshare/onionshare/issues/1633</a>.
<br>
</blockquote>
<br>
Upstream replied quickly (yay!) and confirms the known issues are
fixed in 2.5.<br>
<br>
Also, the detail of the vulnerable/patched versions has been
updated. Quoting from the upstream issue:<br>
<blockquote type="cite">
      <p dir="auto">Only affected &gt;= 2.3 - &lt; 2.5: <a
title="CVE-2021-41867" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-6rvj-pw9w-jcvc/hovercard"
href="https://github.com/advisories/GHSA-6rvj-pw9w-jcvc">CVE-2021-41867</a>,
<a title="CVE-2022-21691" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-w9m4-7w72-r766/hovercard"
href="https://github.com/advisories/GHSA-w9m4-7w72-r766">CVE-2022-21691</a>,
<a title="CVE-2022-21695" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-99p8-9p2c-49j4/hovercard"
href="https://github.com/advisories/GHSA-99p8-9p2c-49j4">CVE-2022-21695</a>,
<a title="CVE-2022-21696" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-68vr-8f46-vc9f/hovercard"
href="https://github.com/advisories/GHSA-68vr-8f46-vc9f">CVE-2022-21696</a><br>
        Only affected &gt;= 2.2 - &lt; 2.5: <a title="CVE-2022-21694"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-h29c-wcm8-883h/hovercard"
href="https://github.com/advisories/GHSA-h29c-wcm8-883h">CVE-2022-21694</a><br>
        Only affected &gt;=2.0 - &lt; 2.5: <a title="CVE-2022-21689"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-jh82-c5jw-pxpc/hovercard"
href="https://github.com/advisories/GHSA-jh82-c5jw-pxpc">CVE-2022-21689</a><br>
        Only affected &gt;=2.0 - &lt; 2.4: <a title="CVE-2021-41868"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-7g47-xxff-9p85/hovercard"
href="https://github.com/advisories/GHSA-7g47-xxff-9p85">CVE-2021-41868</a>
(Receive mode bug, fixed by changing the authentication from
HTTP auth to using Client Auth in Tor itself)<br>
        All versions &lt; 2.5: <a title="CVE-2022-21690"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq">CVE-2022-21690</a>,
and possibly depending on the Qt version, <a
title="CVE-2022-21688" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-x7wr-283h-5h2v/hovercard"
href="https://github.com/advisories/GHSA-x7wr-283h-5h2v">CVE-2022-21688</a></p>
<p dir="auto"><a title="GHSA-jgm9-xpfj-4fq6"
href="https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6">GHSA-jgm9-xpfj-4fq6</a>
is a complicated one, as a <a
href="https://github.com/onionshare/onionshare/pull/1474"
data-hovercard-type="pull_request"
data-hovercard-url="/onionshare/onionshare/pull/1474/hovercard">fix</a>
we reduced the scope of access for Flatpak but you could argue
that on 'native' Debian the whole file system, or at least the
parts accessible to the user running OnionShare, is available
not even in read-only mode. I'm not sure there's really a 'fix'
for the deb package.</p>
</blockquote>
The advisories on
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/security/advisories">https://github.com/onionshare/onionshare/security/advisories</a> have
been updated to reflect this.<br>
<br>
<pre class="moz-signature" cols="72">--
nodens</pre>
</body>
</html>