There are 2 open security issues in bullseye.
2 issues left for the package maintainer to handle:
- CVE-2022-45063:
(needs triaging)
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
- CVE-2023-40359:
(needs triaging)
xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature.
You can find information about how to handle these issues in the security team's documentation.