[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

Salvatore Bonaccorso carnil at debian.org
Sat Oct 22 14:01:38 BST 2022


Hi Clément,

On Sat, Oct 22, 2022 at 02:50:53PM +0200, Clément Hermann wrote:
> Hi Salvatore,
> 
> Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :
> > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> > > [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> > > [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> > > [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> > > [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> > > [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> > > [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> > > [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> > > [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> > > [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> > > [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> >  From the reported list CVE-2021-41867 and CVE-2021-41868 were
> > addressed in 2.4 upstream. But the other seem yet unfixed in 2.5, even
> > though likely as well those who contain "has been patched in 2.5". I
> > have not found any indication that this there is really the case.
> > 
> > Any more insights OTOH from you on those?
> According to onionshare 2.5 release notes [1], and to the vulnerabilities
> list on the github project [2], I'd say they were fixed.
> All vulnerabilities are marked as affecting <2.4 since 2.5 release, and for
> instance for the username impersonation, it's been specified in the release
> notes that the security have been tightened on this front.
> 
> That said, I didn't check the code for every vuln individually, and I
> definitely could ask upstream for clarification/confirmation if you think
> it's necessary.

Thanks for the quick reply! (much appreciated). I think it would be
good to get a confirmation from upstream and if possible to have
those advisories updates. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
while mentioning "affected versions < 2.4" the patched version remains
"none". this might be that the < 2.4 just reflects the point in time
when the advisory was filled. OTOH you have arguments with the v2.5
release information that they might all be fixed.

To be on safe side, explicitly confirming by upstream would be great.

Regards,
Salvatore



More information about the Pkg-privacy-maintainers mailing list