Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1700aad1 by Markus Koschany at 2023-07-25T19:26:29+02:00 Claim openimageio in dla-needed.txt - - - - - 6eaf8f4b by Markus Koschany at 2023-07-25T19:29:33+02:00 Remove sabnzbdplus from dla-needed.txt - - - - - aa1f07ca by Markus Koschany at 2023-07-25T19:30:36+02:00 CVE-2023-34237,sabnzbdplus: Buster is no-dsa In Buster the vulnerable code is in the external_script function in sabnzbd/newsunpack.py. It is possible to manipulate the parameters argument and execute random programs with the privileges of the sabnzbd process provided sabnzbd is accessible via the web interface and no username and password were set. Upstream's idea is to modify the parameters only via environment variables which would reduce the attack surface. We could also just disable passing parameters to the external script but this could cause a regression for some use cases. However, since there is a simple workaround available, setting a username and a password and/or not making sabnzbd accessible via the web interface, we can mark this as a minor issue and don't need to issue a DLA. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5539,6 +5539,7 @@ CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A desi - sabnzbdplus 4.0.2+dfsg-1 (bug #1038949) [bookworm] - sabnzbdplus <no-dsa> (Minor issue) [bullseye] - sabnzbdplus <no-dsa> (Minor issue) + [buster] - sabnzbdplus <no-dsa> (Minor issue; simple workaround exists) NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc (4.0.2RC2) NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 (4.0.2RC2) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r ===================================== data/dla-needed.txt ===================================== 
@@ -95,7 +95,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openimageio +openimageio (Markus Koschany) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk) -- @@ -152,9 +152,6 @@ ruby-rails-html-sanitizer NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh) -- -sabnzbdplus (Markus Koschany) - NOTE: 20230618: Added by Front-Desk (opal) --- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a98dd2aab243f1cbe249ac01f93236495fdb0284...aa1f07caf408682ca75bda191d6d8872eaabc665 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a98dd2aab243f1cbe249ac01f93236495fdb0284...aa1f07caf408682ca75bda191d6d8872eaabc665 You're receiving this email because of your account on salsa.debian.org.
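Review bot: In the data/CVE/list hunk, the added `[buster] - sabnzbdplus <no-dsa> (Minor issue; simple workaround exists)` line records that a workaround exists but not what it is; the mitigation (set a username and password on the web interface and/or do not expose sabnzbd via the web interface) lives only in the commit message. Suggest adding a NOTE line under the entry in the tracker's existing `NOTE:` style so the buster rationale is self-contained and readable alongside the three upstream commit/advisory NOTE lines already present.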
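Review bot: In the `@@ -95,7 +95,7 @@` hunk of data/dla-needed.txt, the openimageio line changes from `openimageio` to `openimageio (Markus Koschany)` but no dated NOTE records the claim, whereas the surrounding entries keep a `NOTE: YYYYMMDD: ...` history (`NOTE: 20230406: Re-added due to regressions (apo)`, `NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk)`). Suggest adding a `NOTE: 20230725:` line stating that the package has been claimed, so the handover from the earlier backporting work noted by gladk is traceable in the file itself.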
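Review bot: In the `@@ -152,9 +152,6 @@` hunk, removing the sabnzbdplus entry is consistent with the `[buster] ... <no-dsa>` marking added in data/CVE/list, and the three deleted lines (`sabnzbdplus (Markus Koschany)`, its `NOTE: 20230618: Added by Front-Desk (opal)` line, and the trailing `--` separator) leave the ruby-rails-html-sanitizer and salt entries separated by exactly one `--` line, so the file layout stays intact. No change needed.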
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits