Your message dated Mon, 13 Jul 2026 08:32:07 +0000
with message-id <[email protected]>
and subject line Bug#1139717: fixed in onionshare 2.6.3-1+deb13u2
has caused the Debian Bug report #1139717,
regarding onionshare: OnionShare follows symlinks in shared directories,
allowing unintended disclosure of local files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139717: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139717
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: onionshare
Version: 2.6.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi
>From
>https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5-22mf
> OnionShare CLI/Desktop 2.6.3 can follow symbolic links inside a
> selected Share or Website directory and serve the symlink target
> rather than limiting access to files physically contained in the
> selected directory. If a user shares a directory that contains
> attacker-supplied or otherwise untrusted symlinks, a remote recipient
> with access to the OnionShare service can read arbitrary local files
> readable by the OnionShare process that the symlink points to.
>
> This affects the shipped onionshare-cli Python package and the desktop
> application because both call the same onionshare_cli.web
> file-indexing and streaming code.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: onionshare
Source-Version: 2.6.3-1+deb13u2
Done: Sandro Knauß <[email protected]>
We believe that the bug you reported is fixed in the latest version of
onionshare, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Knauß <[email protected]> (supplier of updated onionshare package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 11 Jul 2026 19:28:08 +0200
Source: onionshare
Architecture: source
Version: 2.6.3-1+deb13u2
Distribution: trixie
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers
<[email protected]>
Changed-By: Sandro Knauß <[email protected]>
Closes: 1139716 1139717
Changes:
onionshare (2.6.3-1+deb13u2) trixie; urgency=medium
.
* Use CVE identifiers.
.
onionshare (2.6.3-1+deb13u1) trixie; urgency=medium
.
* Update debian branch in gbp.conf.
* Fixes CVE-2026-54707. (Closes: #1139716)
Backport upstream patches from 2.6.4:
- a090e97193efc91fbeac9dace7793ea568b83cf5
- e4ed559908b55cf41b993ed3d02052911025785b
- 1d76494f5d819adc4c69f08f3842d564a425aa89
* Fixes CVE-2026-54706. (Closes: #1139717)
Backport upstream patches from 2.6.4:
- 48f31cfac077fcc9c04c67c2a6dbf87d956f5eec
- 96827bdd0580bd34b921a7b269198f65434178d8
- d0697fa3d05a193138c6052422c313612301d98a
Checksums-Sha1:
e7866becb12d3c4fca66b70a1b2744882abd01a1 3241 onionshare_2.6.3-1+deb13u2.dsc
dddb51d8f667cc28622131595a38d8d4c9c969ff 121712
onionshare_2.6.3-1+deb13u2.debian.tar.xz
d40a18caea8fb69d61f6538ccb52d8672c693db5 10832192
onionshare_2.6.3-1+deb13u2.git.tar.xz
0abc8c7574b1ed77b4129e45af50b427ff85cebc 17548
onionshare_2.6.3-1+deb13u2_source.buildinfo
Checksums-Sha256:
88a5b5bfc7b19c0ae85a19ec156af5cca3e3802196216a922cb99fa6b6696ff6 3241
onionshare_2.6.3-1+deb13u2.dsc
6fe50d63f049c10f7a5874af9346302db3af128da822339fba103008e18058c5 121712
onionshare_2.6.3-1+deb13u2.debian.tar.xz
92b80705616150932a5a5a1e8a4fc991358398f55ca86d16935e1d7ef8a27fd6 10832192
onionshare_2.6.3-1+deb13u2.git.tar.xz
ed642983d113f73ca55aae8f233aa3962cdf382c7681c350699d64171f8a9402 17548
onionshare_2.6.3-1+deb13u2_source.buildinfo
Files:
f0fa9d51a467d7de6db08cdfbe010a76 3241 net optional
onionshare_2.6.3-1+deb13u2.dsc
a63c0ab206e7b014cf0a6ecfbb94f1a4 121712 net optional
onionshare_2.6.3-1+deb13u2.debian.tar.xz
bcab60499f38ff3a02c62a60a73904ff 10832192 net optional
onionshare_2.6.3-1+deb13u2.git.tar.xz
2c87bf381f402e4903c610aeec450a45 17548 net optional
onionshare_2.6.3-1+deb13u2_source.buildinfo
Git-Tag-Info: tag=d34ecd1b56643732ed52dd8d619c8b2ae051af85
fp=39ec11a02016b72926491a06e3adb00850605636
Git-Tag-Tagger: Sandro Knauß <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmpSfg4ACgkQYG0ITkaD
wHnvqA//eZbBhYPWa0SUnZOLNlqmVConFVawrjM+ORbc5lcLn5wsg66es6yedrh7
3hg5MYymQqll7WJTmKHOx3e3ysXQfIWoT0L0VxP6SC5VF+hFsEze/7BKs8juxI+X
RMlCpbBiRknpy0841FgC0UIpLd8gHcrATk862O8ijDUMkRkQ/jlfaNHH+oVXMWRY
tWrYZpD1Nz5Olgo+Huwusgj5iwUX0drQ5z7jFHHMnF2/MGeuvXhZzHa5zmKrN0Ir
j5iG/AoApkwF6/31u7aYSikcO/oUPwinnMVtrmFD1pVBUYHQXVgbNbfMVnfA40MT
Wn5xXBFMfqFmCDNYr4oJObPUkrSIwuV3Rk86BpRpGaj3XUubsvoMOKHR+Y9GPsvL
gNIP7KnsjyYQIanenhoSk+CecgJrf+gGDx0BF3lFg7ppzkZUqCN3MGjA50Zfbj57
uDb/JYyVPZU5OJCr5KH/0oh+EcUZ7UzC5ezoYBoVvnTmZtytoj/4Mfp1csf2UxQE
pAqGB8dVeL9hmYKGB8zFvkZqL533+1iEihfhcxDL8xLElJTf0zKufeTWqWYpZpOt
KlNY7Lva1qSDex6dXkGTMmTcauPaRPxxvgItBKdpjFAxo9JZRN2geTnUwGTn9Pey
zGW169zN0SrlD4znORCfm6eiVv/VVn2/XVJ3++8b2+e6lJ2kRhs=
=WN5x
-----END PGP SIGNATURE-----
pgpY4LzEqXs3y.pgp
Description: PGP signature
--- End Message ---