Salvatore Bonaccorso:
Hi

[Adding CC to security-team alias]

On Mon, Mar 01, 2021 at 08:31:54AM +0000, Chris Knadle wrote:
Salvatore Bonaccorso:
Source: mumble
Version: 1.3.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/mumble-voip/mumble/pull/4733
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for mumble.

CVE-2021-27229[0]:
| Mumble before 1.3.4 allows remote code execution if a victim navigates
| to a crafted URL on a server list and clicks on the Open Webpage text.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27229
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
[1] https://github.com/mumble-voip/mumble/pull/4733
[2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648

Please adjust the affected versions in the BTS as needed.

I've reviewed the upstream git repo; there are 2 patches that are security
related -- the other is for an OCB2 XEXStarAttack on encryption, both of
which comprise the majority of the bugfix release of mumble 1.3.4. It seems
to me that the best way to proceed is to upload mumble 1.3.4 as the other
changes are incidental, and I hope that this will be acceptable during the
soft freeze.

Yes, a new upstream version might still be possible in the soft-freeze,
so if that's the most sensible solution then I would go for that.

https://release.debian.org/bullseye/freeze_policy.html

For buster, btw, we marked it as no-dsa, so if you can schedule a fix via a
point release this would be great.

Yep, I'm working on this for fixing CVE-2021-27229 for Buster. It looks like the commit ([2], above) can apply as a patch for 1.3.0~git20190125.440b173+dfsg-2 so this looks straightforward as far as I can tell.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
