Hi Salvatore actually upstream marked both CVEs as fixed in 2.6.4: TEMP-1139716-6892B6 TEMP-1139717-36B614
I uploaded 2.6.4 to unstable, so at least sid and testing will be fixed. Unfortunately the diff between 2.6.3 and 2.6.4 is quite big :( So I'm currently investigating the source, if I can extract the patches to fix the CVEs. Thanks for all your work! Regards, hefee -- On Donnerstag, 11. Juni 2026 20:48 Salvatore Bonaccorso wrote: > Source: onionshare > Version: 2.6.3-3 > Severity: important > Tags: security upstream > X-Debbugs-Cc: [email protected], Debian Security Team > <[email protected]> > > Hi > > From > https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5 > -22mf > > OnionShare CLI/Desktop 2.6.3 can follow symbolic links inside a > > selected Share or Website directory and serve the symlink target > > rather than limiting access to files physically contained in the > > selected directory. If a user shares a directory that contains > > attacker-supplied or otherwise untrusted symlinks, a remote recipient > > with access to the OnionShare service can read arbitrary local files > > readable by the OnionShare process that the symlink points to. > > > > This affects the shipped onionshare-cli Python package and the desktop > > application because both call the same onionshare_cli.web > > file-indexing and streaming code. > > Regards, > Salvatore > > _______________________________________________ > Pkg-privacy-maintainers mailing list > [email protected] > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-privacy-maintai > ners
signature.asc
Description: This is a digitally signed message part.

