Package: osslsigncode
Version: 2.1-1
Severity: grave
Tags: security
X-Debbugs-Cc: secur...@debian.org, deb...@rocketjump.eu, Debian Security Team <t...@security.debian.org>

It was reported through IRC that the current stable version of osslsigncode contains an unpatched security vulnerability:

https://github.com/mtrojnar/osslsigncode/releases/tag/2.3

Unfortunately, upstream has not assigned a CVE, and a quick glance at the closed bug reports didn't reveal any further details.

Regards,
Lee

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (990, 'testing-security'), (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-8-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages osslsigncode depends on:
ii  libc6     2.36-9
ii  libcurl4  7.88.1-9
ii  libssl3   3.0.8-1

osslsigncode recommends no packages.

osslsigncode suggests no packages.