On 24/10/2022 at 20:41, Clément Hermann wrote:
- CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h>
affects Bullseye, but that might be an acceptable risk? The issue is
that CSP can only be turned on or off, not configured to allow js etc,
so it is only useful for static websites. I believe that's the most
common usage of a website with onionshare, and it's arguably a missing
feature more than a vulnerability /per se/.
- CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
fix should be easy to backport, at a glance:
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
- CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85>
doesn't affect 2.2 I think, it must have been a mistake from mig5. I
just asked for confirmation. I do hope so since it's a bad one.
Sadly, upstream corrected this and confirms it affects 2.2 [0], and it has
been tested and reproduced on Bullseye. We do need to fix it. Upstream has a
few suggestions, but I guess our choices are either uploading 2.5 to
stable, if that's possible. python-stem at least will need to be updated
as well, from 1.8.0 to 1.8.1 which luckily is bugfix only.
- CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>
seems like a one-line patch:
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
- CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
seems like it should be worked around with the CVE-2022-21690
<https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?
I'd welcome input on those.
Of course if we choose to update onionshare to 2.5 in stable, we fix
those as well.
[0]
https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350
Cheers,
--
nodens