Salvatore Bonaccorso:
Source: mumble
Version: 1.3.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/mumble-voip/mumble/pull/4733
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for mumble.

CVE-2021-27229[0]:
| Mumble before 1.3.4 allows remote code execution if a victim navigates
| to a crafted URL on a server list and clicks on the Open Webpage text.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27229
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
[1] https://github.com/mumble-voip/mumble/pull/4733
[2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648

Please adjust the affected versions in the BTS as needed.
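A defensive check of the kind this issue calls for, added here as an illustration and not taken from the Mumble fix or the Debian packaging: before an "Open Webpage" action forwards a server-list URL to the system URL handler, accept only http/https URLs that name a host, and reject anything else (other schemes, drive-letter paths, scheme-less strings, embedded whitespace). The function name and the sample server entries are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# The only schemes an "open web page" action should ever pass to an external handler.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def safe_webpage_url(raw: Optional[str]) -> Optional[str]:
    """Return a cleaned URL if it is safe to open as a web page, otherwise None."""
    if raw is None:
        return None
    candidate = raw.strip()
    # Control characters and embedded whitespace never belong in a URL that is
    # about to be handed to another program; refuse rather than try to repair.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:
        # e.g. malformed IPv6 literal such as "http://[::1"
        return None
    # urlsplit lowercases the scheme, so "HTTPS://..." is handled; a Windows
    # path like "C:\\x" parses with scheme "c" and is rejected here as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return None
    # A web URL must name a host; "http://" and "http:" alone are refused.
    if not parts.netloc or not parts.hostname:
        return None
    return parts.geturl()


if __name__ == "__main__":
    # Constructed server-list entries: (server name, advertised web page URL)
    server_list = [
        ("Public server", "https://example.com/rules"),
        ("Odd entry", "file:///etc/passwd"),
        ("Local path", "C:\\Windows\\notepad.exe"),
        ("No scheme", "www.example.com"),
    ]
    for name, url in server_list:
        verdict = safe_webpage_url(url)
        print(f"{name:14s} -> {'open ' + verdict if verdict else 'refuse'}")
```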

I've reviewed the upstream git repo; there are 2 patches that are security related -- the other is for an OCB2 XEXStarAttack on encryption, both of which comprise the majority of the bugfix release of mumble 1.3.4. It seems to me that the best way to proceed is to upload mumble 1.3.4 as the other changes are incidental, and I hope that this will be acceptable during the soft freeze.

   -- Chris

--
Chris Knadle
chris.kna...@coredump.us
