ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731

Debian Bug report logs - #992817


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 23 Aug 2021 20:15:02 UTC

Severity: grave

Tags: security, upstream

Found in versions ledgersmb/1.6.9+ds-2, ledgersmb/1.6.9+ds-1

Fixed in versions ledgersmb/1.6.9+ds-1+deb10u2, ledgersmb/1.6.9+ds-2+deb11u2, ledgersmb/1.6.9+ds-2.1

Done: Mattia Rizzolo <mattia@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, LedgerSMB Core Team <devel@lists.ledgersmb.org>:
Bug#992817; Package src:ledgersmb. (Mon, 23 Aug 2021 20:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, LedgerSMB Core Team <devel@lists.ledgersmb.org>. (Mon, 23 Aug 2021 20:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ledgersmb: CVE-2021-3693 CVE-2021-3694 CVE-2021-3731
Date: Mon, 23 Aug 2021 22:11:59 +0200
Source: ledgersmb
Version: 1.6.9+ds-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.6.9+ds-1
Control: fixed -1 1.6.9+ds-1+deb10u2
Control: fixed -1 1.6.9+ds-2+deb11u2

Hi,

The following vulnerabilities were published for ledgersmb.

CVE-2021-3693[0]:
| LedgerSMB does not check the origin of HTML fragments merged into the
| browser's DOM. By sending a specially crafted URL to an authenticated
| user, this flaw can be abused for remote code execution and
| information disclosure.


CVE-2021-3694[1]:
| LedgerSMB does not sufficiently HTML-encode error messages sent to the
| browser. By sending a specially crafted URL to an authenticated user,
| this flaw can be abused for remote code execution and information
| disclosure.


CVE-2021-3731[2]:
| LedgerSMB does not sufficiently guard against being wrapped by other
| sites, making it vulnerable to 'clickjacking'. This allows an attacker
| to trick a targeted user to execute unintended actions.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3693
[1] https://security-tracker.debian.org/tracker/CVE-2021-3694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3694
[2] https://security-tracker.debian.org/tracker/CVE-2021-3731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3731

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
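The three CVE descriptions above each name a web-application defect class without showing it. The block below is an added example in JavaScript, written for this page; it is not LedgerSMB code and not the fix shipped in the Debian packages. It shows, in order, an origin check before merging a fetched HTML fragment (the CVE-2021-3693 pattern), an HTML-encoded error renderer beside the raw interpolation it replaces (CVE-2021-3694), and a check of a response's headers for framing protection (CVE-2021-3731). The origin `https://ledgersmb.example`, the function names, and the sample inputs are all assumptions constructed for the example.

```javascript
// Added example (not LedgerSMB code): the three patterns behind the CVEs above.
// APP_ORIGIN is an assumed deployment origin, not anything the report states.
const APP_ORIGIN = 'https://ledgersmb.example';

// CVE-2021-3693 pattern: before merging a fetched HTML fragment into the DOM,
// require that its URL resolves to the application's own origin. Relative
// paths resolve against APP_ORIGIN; protocol-relative, cross-site, javascript:
// and data: URLs all fail (the last two carry the opaque origin "null").
function isSameOriginFragment(fragmentUrl, appOrigin = APP_ORIGIN) {
  let target;
  try {
    target = new URL(fragmentUrl, appOrigin);
  } catch {
    return false; // unparseable URL: refuse rather than guess
  }
  return target.origin === new URL(appOrigin).origin;
}

// CVE-2021-3694 pattern: error text derived from the request must be
// HTML-encoded before it is placed in markup. Encode the five characters
// that can change the parser's state in text and attribute contexts.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: request-controlled text interpolated raw into markup.
function renderErrorVulnerable(message) {
  return `<div class="error">${message}</div>`;
}

// Hardened shape: same template, encoded value.
function renderErrorSafe(message) {
  return `<div class="error">${htmlEncode(message)}</div>`;
}

// CVE-2021-3731 pattern: a response is protected against framing when it
// carries X-Frame-Options DENY/SAMEORIGIN or a Content-Security-Policy with a
// frame-ancestors directive. Header names are matched case-insensitively.
// The obsolete ALLOW-FROM form is not counted: current browsers ignore it.
function framingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  const xfoOk = xfo === 'DENY' || xfo === 'SAMEORIGIN';

  const csp = lower['content-security-policy'] || '';
  const frameAncestors = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  const cspOk = frameAncestors !== undefined;

  return {
    xfoOk,
    cspOk,
    frameAncestors: frameAncestors || null,
    protected: xfoOk || cspOk,
  };
}

// Constructed sample inputs: a crafted fragment URL an attacker might hand to
// a logged-in user, a crafted error string, and two response header sets.
function demo() {
  const crafted = 'https://attacker.example/fragment.html';
  const errorText = '<img src=x onerror=alert(document.cookie)>';
  return {
    craftedAccepted: isSameOriginFragment(crafted),
    vulnerableMarkup: renderErrorVulnerable(errorText),
    safeMarkup: renderErrorSafe(errorText),
    unprotected: framingProtection({ 'Content-Type': 'text/html' }).protected,
    hardened: framingProtection({
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    }).protected,
  };
}

console.log(demo());
```

The origin check compares `URL.origin` rather than string prefixes, so `https://ledgersmb.example.attacker.example` and `http://ledgersmb.example` both fail. The header check treats a CSP `frame-ancestors` directive as sufficient on its own, which is the modern control; `X-Frame-Options` remains useful for older clients, and shipping both is the usual choice.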



Marked as found in versions ledgersmb/1.6.9+ds-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 23 Aug 2021 20:15:04 GMT) (full text, mbox, link).


Marked as fixed in versions ledgersmb/1.6.9+ds-1+deb10u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 23 Aug 2021 20:15:04 GMT) (full text, mbox, link).


Marked as fixed in versions ledgersmb/1.6.9+ds-2+deb11u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 23 Aug 2021 20:15:05 GMT) (full text, mbox, link).


Reply sent to Mattia Rizzolo <mattia@debian.org>:
You have taken responsibility. (Wed, 01 Sep 2021 18:51:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 01 Sep 2021 18:51:03 GMT) (full text, mbox, link).


Message #16 received at 992817-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992817-close@bugs.debian.org
Subject: Bug#992817: fixed in ledgersmb 1.6.9+ds-2.1
Date: Wed, 01 Sep 2021 18:48:50 +0000
Source: ledgersmb
Source-Version: 1.6.9+ds-2.1
Done: Mattia Rizzolo <mattia@debian.org>

We believe that the bug you reported is fixed in the latest version of
ledgersmb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992817@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mattia@debian.org> (supplier of updated ledgersmb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Sep 2021 20:19:24 +0200
Source: ledgersmb
Architecture: source
Version: 1.6.9+ds-2.1
Distribution: unstable
Urgency: medium
Maintainer: LedgerSMB Core Team <devel@lists.ledgersmb.org>
Changed-By: Mattia Rizzolo <mattia@debian.org>
Closes: 992817
Changes:
 ledgersmb (1.6.9+ds-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Upload the last security fixes also to unstable.  Closes: #992817
 .
 ledgersmb (1.6.9+ds-2+deb11u3) bullseye-security; urgency=medium
 .
   * Fix a regression in the display of some search results
 .
 ledgersmb (1.6.9+ds-2+deb11u2) bullseye-security; urgency=medium
 .
   * Fix CVE-2021-3731, thanks to Erik Huelsmann
 .
 ledgersmb (1.6.9+ds-2+deb11u1) bullseye-security; urgency=medium
 .
   * Fix CVE-2021-3693 and CVE-2021-3694, thanks to Erik Huelsmann
Checksums-Sha1:
 c5db18d0af429290e9258e4af13ba6fabd97a507 3241 ledgersmb_1.6.9+ds-2.1.dsc
 afaad1d50b746bed816647acc2e1bdc83af853e9 38380 ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 11ff32e100ac28c47c1c13500d7cba52af5b8836 15237 ledgersmb_1.6.9+ds-2.1_amd64.buildinfo
Checksums-Sha256:
 3af1270aee67be5af8298c51cfe4c2d475306e661d87ece2cd1c00d568186992 3241 ledgersmb_1.6.9+ds-2.1.dsc
 91f28e5c0f6b6fca1c1555d7083ffbc8883b61b245c4db790e9c44fccf86aa67 38380 ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 d6f9f0b64da3b8619cd1250eeda8b9ae557909c70cfd3534956080d292ccbc49 15237 ledgersmb_1.6.9+ds-2.1_amd64.buildinfo
Files:
 c4debdee8daeb6412314ab946e6e6722 3241 web optional ledgersmb_1.6.9+ds-2.1.dsc
 90c9f6cab8c0e97ba8b536e5981c766c 38380 web optional ledgersmb_1.6.9+ds-2.1.debian.tar.xz
 0aeaaf798b7b50314283466628240b51 15237 web optional ledgersmb_1.6.9+ds-2.1_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Sep 2 16:20:23 2021; Machine Name: bembo
