[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Clément Hermann
clement.hermann at nodens.org
Sat Oct 22 13:50:53 BST 2022
Hi Salvatore,
On 22/10/2022 at 13:49, Salvatore Bonaccorso wrote:
>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
>> [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
>> [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
>> [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
>> [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
>> [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
>> [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
>> [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
>> [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
>> [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
>> [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> From the reported list CVE-2021-41867 and CVE-2021-41868 were
> addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
> though likely as well those who contain "has been patched in 2.5". I
> have not found any indication that this is really the case.
>
> Any more insights OTOH from you on those?
According to onionshare 2.5 release notes [1], and to the
vulnerabilities list on the github project [2], I'd say they were fixed.
All vulnerabilities are marked as affecting <2.4 since the 2.5 release, and
for instance for the username impersonation, it's been specified in the
release notes that the security has been tightened on this front.
That said, I didn't check the code for every vuln individually, and I
definitely could ask upstream for clarification/confirmation if you
think it's necessary.
[1] https://github.com/onionshare/onionshare/releases/tag/v2.5
[2] https://github.com/onionshare/onionshare/security/advisories
Cheers,
--
nodens