Hi [Adding CC to security-team alias]
On Mon, Mar 01, 2021 at 08:31:54AM +0000, Chris Knadle wrote:
> Salvatore Bonaccorso:
> > Source: mumble
> > Version: 1.3.3-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/mumble-voip/mumble/pull/4733
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for mumble.
> >
> > CVE-2021-27229[0]:
> > | Mumble before 1.3.4 allows remote code execution if a victim navigates
> > | to a crafted URL on a server list and clicks on the Open Webpage text.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-27229
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
> > [1] https://github.com/mumble-voip/mumble/pull/4733
> > [2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I've reviewed the upstream git repo; there are 2 patches that are security
> related -- the other is for an OCB2 XEXStarAttack on encryption, both of
> which comprise the majority of the bugfix release of mumble 1.3.4. It seems
> to me that the best way to proceed is to upload mumble 1.3.4 as the other
> changes are incidental, and I hope that this will be acceptable during the
> soft freeze.

Yes, a new upstream version might still be possible in the soft-freeze, so if
that's the most sensible solution then I would go for that.

https://release.debian.org/bullseye/freeze_policy.html

For buster btw we marked it no-dsa, so if you can schedule a fix via a point
release this would be great.

Regards,
Salvatore
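As an added example, not taken from the bug report, from Mumble, or from the upstream fix linked above: the CVE text describes a server-supplied link being handed to the desktop "open web page" handler, and the generic defence for that class of bug is to allow-list the URL scheme (and reject control characters) before the string ever reaches the OS opener. The function names and the sample server-list URLs below are assumptions constructed for this page.

```cpp
// Illustrative scheme allow-list for links taken from an untrusted server list.
// Added example for this page; not Mumble's code and not the CVE-2021-27229 patch.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Returns the lower-cased URL scheme, or "" if the string has no syntactically
// valid scheme (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":").
std::string urlScheme(const std::string& url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) {
        return "";  // leading space, digit or control char: not a scheme
    }
    std::string scheme;
    for (char c : url) {
        if (c == ':') {
            return scheme;
        }
        unsigned char uc = static_cast<unsigned char>(c);
        if (std::isalnum(uc) || c == '+' || c == '-' || c == '.') {
            scheme.push_back(static_cast<char>(std::tolower(uc)));
        } else {
            return "";  // invalid character before the first ':'
        }
    }
    return "";  // no ':' at all, so no scheme
}

// True only for URLs that an "Open Webpage" action should pass to the OS.
// Everything else (file:, javascript:, custom handlers, malformed input) is refused.
bool isSafeWebUrl(const std::string& url) {
    static const std::vector<std::string> allowed = {"http", "https"};
    const std::string scheme = urlScheme(url);
    if (scheme.empty()) {
        return false;
    }
    if (std::find(allowed.begin(), allowed.end(), scheme) == allowed.end()) {
        return false;
    }
    // Control characters can smuggle extra arguments into the handler that
    // finally opens the link, so refuse them even inside an http(s) URL.
    for (char c : url) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (uc < 0x20 || uc == 0x7f) {
            return false;
        }
    }
    return true;
}

// Constructed sample entries of the kind a malicious server could advertise.
struct Sample {
    const char* url;
    bool expected;
};

static const Sample kSamples[] = {
    {"https://mumble.info/", true},
    {"HTTP://example.org/", true},          // scheme comparison is case-insensitive
    {"file:///etc/passwd", false},
    {"javascript:alert(1)", false},
    {"ftp://example.org/pub", false},       // not on the allow-list
    {" https://example.org/", false},       // leading whitespace
    {"https://example.org/\n", false},      // embedded control character
    {"no-scheme-here", false},
};

int main() {
    for (const Sample& s : kSamples) {
        bool ok = isSafeWebUrl(s.url);
        std::printf("%-28s -> %s%s\n", s.url, ok ? "open" : "refuse",
                    ok == s.expected ? "" : "  (UNEXPECTED)");
    }
    return 0;
}
```

The check is deliberately strict: it does not try to normalise or "clean" a rejected URL, because a link that fails the allow-list from an untrusted server is simply not worth opening.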