Hi Clément,

On Sat, Oct 22, 2022 at 02:50:53PM +0200, Clément Hermann wrote:
> Hi Salvatore,
>
> On 22/10/2022 at 13:49, Salvatore Bonaccorso wrote:
> >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> > > [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> > > [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> > > [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> > > [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> > > [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> > > [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> > > [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> > > [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> > > [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> > > [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> >
> > From the reported list, CVE-2021-41867 and CVE-2021-41868 were
> > addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
> > though likely as well those which contain "has been patched in 2.5". I
> > have not found any indication that this is really the case.
> >
> > Any more insights OTOH from you on those?
>
> According to the onionshare 2.5 release notes [1], and to the vulnerabilities
> list on the github project [2], I'd say they were fixed.
> All vulnerabilities are marked as affecting <2.4 since the 2.5 release, and for
> instance for the username impersonation, it's been specified in the release
> notes that security has been tightened on this front.
>
> That said, I didn't check the code for every vuln individually, and I
> definitely could ask upstream for clarification/confirmation if you think
> it's necessary.

Thanks for the quick reply! (much appreciated).

I think it would be good to get a confirmation from upstream and, if
possible, to have those advisories updated. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
while mentioning "affected versions < 2.4", the patched version remains
"none". This might be because the "< 2.4" just reflects the point in time
when the advisory was filed. OTOH you have arguments with the v2.5 release
information that they might all be fixed. To be on the safe side, explicit
confirmation by upstream would be great.

Regards,
Salvatore