Source: texlive-bin
Version: 2022.20220321.62855-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for texlive-bin.

CVE-2023-32668[0]:
| LuaTeX before 1.17.0 allows a document (compiled with the default
| settings) to make arbitrary network requests. This occurs because full
| access to the socket library is permitted by default, as stated in the
| documentation. This also affects TeX Live before 2023 r66984 and
| MiKTeX before 23.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32668
    https://www.cve.org/CVERecord?id=CVE-2023-32668
[1] https://tug.org/pipermail/tex-live/2023-May/049188.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore