2022/02, FLOSS activity

LTS Link to heading

DLA-2907-1 apache2_2.4.25-3+deb9u12
- CVE-2021-44790: A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.
- CVE-2021-44224: When operating as a forward proxy, Apache was depending on the setup suspectable to denial of service or Server Side Request forgery.
DLA-2919-1 python2.7_2.7.13-2+deb9u6
- CVE-2021-4189: A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. The flaw lies in how the FTP client trusts the host from PASV response by default. An attacker could use this flaw to setup a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This could lead to FTP client scanning ports which otherwise would not have been possible. . Instead of using the returned address, ftplib now uses the IP address we’re already connected to. For the rare user who wants an old behavior, set a trust_server_pasv_ipv4_address attribute on your ftplib.FTP instance to True.
- CVE-2021-3177: Python has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input.
DLA-2929-1 ujson_1.35-1+deb9u1
- CVE-2021-45958: stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for example, use a large amount of indentation.

Several packages are in a pipeline and fixes will be released soon.

Though I invested some time to backport the fix for CVE-2020-8492, it decided not to apply it. Tests are failing and backporting python3->python2 was too destructive and too risky.
Participated the Debian LTS Jitsi-meeting.
FD-role:
- Triaged:
  - expat
  - freecad
  - asterisk
  - ring
  - mariadb-10.1 (some discussion on mailing list)
  - cyrus-sasl2
  - kcron
  - wireshark