python3-onionshare-2.6-4.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13635 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python3-onionshare-2.6-4.1 on GA media These are all security issues fixed in the python3-onionshare-2.6-4.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13635 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13635 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-19960/ SUSE CVE CVE-2018-19960 page https://www.suse.com/security/cve/CVE-2021-41867/ SUSE CVE CVE-2021-41867 page https://www.suse.com/security/cve/CVE-2021-41868/ SUSE CVE CVE-2021-41868 page https://www.suse.com/security/cve/CVE-2022-21688/ SUSE CVE CVE-2022-21688 page https://www.suse.com/security/cve/CVE-2022-21690/ SUSE CVE CVE-2022-21690 page https://www.suse.com/security/cve/CVE-2022-21691/ SUSE CVE CVE-2022-21691 page https://www.suse.com/security/cve/CVE-2022-21692/ SUSE CVE CVE-2022-21692 page https://www.suse.com/security/cve/CVE-2022-21693/ SUSE CVE CVE-2022-21693 page https://www.suse.com/security/cve/CVE-2022-21694/ SUSE CVE CVE-2022-21694 page https://www.suse.com/security/cve/CVE-2022-21695/ SUSE CVE CVE-2022-21695 page https://www.suse.com/security/cve/CVE-2022-21696/ SUSE CVE CVE-2022-21696 page openSUSE Tumbleweed python3-onionshare-2.6-4.1 python3-onionshare-2.6-4.1 as a component of openSUSE Tumbleweed The debug_mode function in web/web.py in OnionShare through 1.3.1, when --debug is enabled, uses the /tmp/onionshare_server.log pathname for logging, which might allow local users to overwrite files or obtain sensitive information by using this pathname. CVE-2018-19960 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19960.html CVE-2018-19960 https://bugzilla.suse.com/1120205 SUSE Bug 1120205 An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature. CVE-2021-41867 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41867.html CVE-2021-41867 https://bugzilla.suse.com/1191311 SUSE Bug 1191311 OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality. CVE-2021-41868 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-41868.html CVE-2021-41868 https://bugzilla.suse.com/1191312 SUSE Bug 1191312 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. Affected versions of the desktop application were found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB memory consumption and this can be triggered multiple times. To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required. An adversary with knowledge of the Onion service address in public mode or with authentication in private mode can perform a Denial of Service attack, which quickly results in out-of-memory for the server. This requires the desktop application with rendered history, therefore the impact is only elevated. This issue has been patched in version 2.5. CVE-2022-21688 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21688.html CVE-2022-21688 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions The path parameter of the requested URL is not sanitized before being passed to the QT frontend. This path is used in all components for displaying the server access history. This leads to a rendered HTML4 Subset (QT RichText editor) in the Onionshare frontend. CVE-2022-21690 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21690.html CVE-2022-21690 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom. CVE-2022-21691 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21691.html CVE-2022-21691 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions anyone with access to the chat environment can write messages disguised as another chat participant. CVE-2022-21692 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21692.html CVE-2022-21692 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions an adversary with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. This could lead to the leaking of sensitive data. Due to the automatic exclusion of hidden folders, the impact is reduced. This can be mitigated by usage of the flatpak release. CVE-2022-21693 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21693.html CVE-2022-21693 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. The website mode of the onionshare allows to use a hardened CSP, which will block any scripts and external resources. It is not possible to configure this CSP for individual pages and therefore the security enhancement cannot be used for websites using javascript or external resources like fonts or images. CVE-2022-21694 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21694.html CVE-2022-21694 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions authenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants. This issue has been resolved in version 2.5. CVE-2022-21695 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21695.html CVE-2022-21695 https://bugzilla.suse.com/1194866 SUSE Bug 1194866 OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions it is possible to change the username to that of another chat participant with an additional space character at the end of the name string. An adversary with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username. CVE-2022-21696 openSUSE Tumbleweed:python3-onionshare-2.6-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-21696.html CVE-2022-21696 https://bugzilla.suse.com/1194866 SUSE Bug 1194866