[SECURITY] [DLA 3758-1] tiff security update

2024-03-11 Thread Abhijith PA
-
Debian LTS Advisory DLA-3758-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
March 11, 2024    https://wiki.debian.org/LTS
-

Package: tiff
Version: 4.1.0+git191117-2~deb10u9
CVE ID : CVE-2023-3576 CVE-2023-52356

Two vulnerabilities were discovered in tiff, the Tag Image File Format
library.

CVE-2023-3576

A memory leak was found in libtiff's tiffcrop utility. An attacker who
can pass a crafted TIFF image file to tiffcrop can trigger the leak,
causing the application to crash and resulting in a denial of service.

CVE-2023-52356

A segmentation fault (SEGV) was found in libtiff that can be triggered
by passing a crafted TIFF file to the TIFFReadRGBATileExt() API. A
remote attacker can use this to cause a heap buffer overflow, leading
to a denial of service.

For Debian 10 buster, these problems have been fixed in version
4.1.0+git191117-2~deb10u9.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3733-1] rear security update

2024-02-03 Thread Abhijith PA
-
Debian LTS Advisory DLA-3733-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
February 03, 2024    https://wiki.debian.org/LTS
-

Package: rear
Version: 2.4+dfsg-1+deb10u1
CVE ID : CVE-2024-23301

rear is a disaster recovery and system migration framework. It was
discovered that rear creates a world-readable initrd when GRUB_RESCUE=y
is set. This allows local attackers to read system secrets that are
otherwise readable only by root.
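As an added example, not rear's own code, here is an audit for rescue initrd images that are already on disk. The advisory only says that the initrd is created world-readable when GRUB_RESCUE=y is set; the directory layout, the file names (rear-initrd.cgz, rear-kernel) and the assumption that images created before the fix keep their old permissions are all assumptions made for this example. The demo runs on a constructed temporary tree.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not rear's code. Returns [[path, "0644"], ...] for regular
# files under dir whose basename matches pattern and whose mode grants read
# access to the group or to others; an initrd that carries root-only secrets
# should be 0600.
def exposed_initrds(dir, pattern: /initrd/i)
  findings = []
  Dir.glob(File.join(dir, '**', '*')).sort.each do |path|
    next unless File.file?(path) && File.basename(path).match?(pattern)
    mode = File.stat(path).mode & 0o777
    findings << [path, format('%04o', mode)] if (mode & 0o044) != 0
  end
  findings
end

# Remediation for images already present. Assumption (not stated by the
# advisory): the fixed package changes how new images are created and does not
# revisit files written earlier, so those need tightening by hand.
def lock_down!(findings)
  findings.each { |path, _mode| File.chmod(0o600, path) }
  findings.map(&:first)
end

# Self-contained run on a constructed temporary tree; the file names are
# placeholders, not rear's documented output names.
def demo
  Dir.mktmpdir('rear-audit') do |dir|
    boot = File.join(dir, 'boot')
    FileUtils.mkdir_p(boot)
    exposed     = File.join(boot, 'rear-initrd.cgz')
    private_img = File.join(boot, 'rear-initrd-ok.cgz')
    kernel      = File.join(boot, 'rear-kernel')
    [exposed, private_img, kernel].each { |f| File.write(f, 'demo') }
    File.chmod(0o644, exposed)      # what the unfixed rear produced
    File.chmod(0o600, private_img)  # owner-only, as it should be
    File.chmod(0o644, kernel)       # not an initrd; a kernel image is not secret
    before = exposed_initrds(dir)
    fixed  = lock_down!(before)
    [before.map { |p, _| File.basename(p) }, fixed.size, exposed_initrds(dir)]
  end
end
```

Point exposed_initrds at wherever your rear configuration writes the GRUB rescue image and review the list before calling lock_down!, since the check matches on file name only.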

For Debian 10 buster, this problem has been fixed in version
2.4+dfsg-1+deb10u1.

We recommend that you upgrade your rear packages.

For the detailed security status of rear please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rear

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3712-1] kodi security update

2024-01-22 Thread Abhijith PA
-
Debian LTS Advisory DLA-3712-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
January 17, 2024    https://wiki.debian.org/LTS
-

Package: kodi
Version: 2:17.6+dfsg1-4+deb10u1
CVE ID : CVE-2017-5982 CVE-2021-42917 CVE-2023-23082 CVE-2023-30207

Multiple vulnerabilities have been discovered in Kodi, a media player
and entertainment hub.

CVE-2017-5982

A directory traversal vulnerability in Kodi allows remote attackers to
read arbitrary files via a %2E%2E%252e (encoded dot-dot-slash) sequence
in the image path.
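As an added example (not Kodi's code, and not a reproduction of how Kodi handles image:// paths), the following shows why decoding a path once before looking for ".." is not enough against a double-encoded sequence, and a safer way to resolve an image name under a base directory. The base directory and file names are made up for the demonstration.

```ruby
# Added example, not Kodi's code.

# One layer of percent-decoding: "%2e" -> ".", but "%252e" -> "%2e".
def percent_decode(s)
  s.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(s.encoding)
end

# Decode until nothing changes, bounded so "%2525...25" cannot spin forever.
def decode_fully(s, max_rounds: 8)
  max_rounds.times do
    decoded = percent_decode(s)
    return decoded if decoded == s
    s = decoded
  end
  raise ArgumentError, 'too many layers of percent-encoding'
end

# The flawed pattern: decode once, then look for "..". A double-encoded
# "%252e%252e%252f" still reads "%2e%2e%2f" at this point and passes.
def naive_allowed?(encoded_path)
  !percent_decode(encoded_path).include?('..')
end

# Hardened: decode to a fixed point, canonicalise, and keep only paths that
# remain inside base. Returns the absolute path, or nil if rejected.
def resolve_inside(base, encoded_path)
  decoded = decode_fully(encoded_path)
  # NUL bytes and "~" (home-directory expansion) have no place in an image name.
  return nil if decoded.include?("\0") || decoded.start_with?('~')
  root = File.expand_path(base)
  candidate = File.expand_path(decoded, root)
  candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
end
```

The prefix check compares against root plus a separator so that a sibling directory such as /var/lib/kodi/thumbs-old is not accepted as being inside /var/lib/kodi/thumbs.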

CVE-2021-42917

A buffer overflow in Kodi allows attackers to cause a denial of service
because of an improper length of values passed to istream.

CVE-2023-23082

A heap buffer overflow in Kodi allows attackers to cause a denial of
service because of an improper length of the value passed to the offset
argument.

CVE-2023-30207

A divide-by-zero issue in Kodi allows attackers to cause a denial of
service via a crafted MP3 file.

For Debian 10 buster, these problems have been fixed in version
2:17.6+dfsg1-4+deb10u1.

We recommend that you upgrade your kodi packages.

For the detailed security status of kodi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/kodi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 3582-1] ghostscript security update

2023-09-25 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3582-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
September 25, 2023    https://wiki.debian.org/LTS
- -

Package: ghostscript
Version: 9.27~dfsg-2+deb10u9
CVE ID : CVE-2020-21710 CVE-2020-21890

Vulnerabilities were found in ghostscript, an interpreter for the
PostScript language and for PDF, which allow remote attackers to cause
a denial of service.

CVE-2020-21710

A divide by zero caused by a custom resolution that is too low.

CVE-2020-21890

A buffer overflow in the clj_media_size function.

For Debian 10 buster, these problems have been fixed in version
9.27~dfsg-2+deb10u9.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[no subject]

2023-05-17 Thread Abhijith PA
Hello Anton,


>From 5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab Mon Sep 17 00:00:00 2001
From: Anton Gladky 
Date: Tue, 16 May 2023 22:39:34 +0200
Subject: [PATCH] LTS: add libpcap to dla-needed.txt

---
 data/dla-needed.txt | 4 
 1 file changed, 4 insertions(+)

diff --git a/data/dla-needed.txt b/data/dla-needed.txt
index af27234348..4dc0051201 100644
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -63,6 +63,10 @@ libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
 --
+libpcap
+  NOTE: 20230516: Programming language: C.
+  NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
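Review bot: the libpcap entry added here records only the language and VCS NOTE lines and nothing about why the package needs LTS work, whereas the adjacent libfastjson entry carries a NOTE on its CVE status; since the reply to this patch could not find an open CVE for libpcap, add a NOTE line naming the CVE or bug that motivated the entry (or hold the entry until there is one) so the next person taking it from dla-needed.txt knows what to fix.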


I couldn't find any open CVE for libpcap. Any other issues?


--abhijith



[SECURITY] [DLA 3279-1] trafficserver security update

2023-01-23 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3279-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
January 23, 2023    https://wiki.debian.org/LTS
- -

Package: trafficserver
Version: 8.0.2+ds-1+deb10u7
CVE ID : CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 
 CVE-2022-31780

Multiple vulnerabilities were found in trafficserver, a caching proxy 
server.

CVE-2021-37150

An improper input validation vulnerability in the header parsing of
Apache Traffic Server allows an attacker to request secure resources.

CVE-2022-25763

An improper input validation vulnerability in the HTTP/2 request
validation of Apache Traffic Server allows an attacker to perform
request smuggling or cache poisoning attacks.

CVE-2022-28129

An improper input validation vulnerability in the HTTP/1.1 header
parsing of Apache Traffic Server allows an attacker to send invalid
headers.

CVE-2022-31780

Improper Input Validation vulnerability in HTTP/2 frame handling 
of Apache Traffic Server allows an attacker to smuggle requests.

For Debian 10 buster, these problems have been fixed in version
8.0.2+ds-1+deb10u7.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-14 Thread Abhijith PA
Hey,

On 14/11/22 01:56 PM, Sylvain Beucler wrote:
> Hi!
> 
> On 12/11/2022 22:31, Otto Kekäläinen wrote:
> > I was wondering how common is it for DDs to use Salsa-CI while doing
> > quality assurance prior to Bullseye and Buster uploads?
> 
> I personally tend to run initial builds and dep-8 tests locally, because
> when they fail, I have to re-run them manually to properly debug and fix the
> failures anyway.
> (not to mention additional manual tests)

Same for me.

> Also I do my LTS (security) work in a VM without access to my Debian
> credentials (gpg, ssh) so I can e.g. run various vulnerability PoCs and
> exploits with a reasonable peace of mind; which makes it inconvenient to
> push to Salsa.

I have a custom live image (with tools to share the clipboard from the
host, etc.) that I run on QEMU (via libvirt commands) for testing PoCs,
exploits and the final build.

--abhijith



Re: Asterisk: request for testing

2022-10-24 Thread Abhijith PA
Hello,

On 18/10/22 11:05 PM, Markus Koschany wrote:
> Hi,

..
 
> I would appreciate it if actual users of Asterisk tested the update 
> and left some feedback on this list. You can find prebuilt amd64 
> binary packages and the sources at

Earlier my Jessie Asterisk builds were tested by Bastian Triller 
 who is a user. Try contacting this 
person.


--abhijith  



[SECURITY] [DLA 3151-1] squid security update

2022-10-12 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3151-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
October 13, 2022    https://wiki.debian.org/LTS
- -

Package: squid
Version: 4.6-1+deb10u8
CVE ID : CVE-2022-41317 CVE-2022-41318

Multiple vulnerabilities were discovered in squid, a web proxy cache.

CVE-2022-41317

Due to inconsistent handling of internal URIs Squid is
vulnerable to Exposure of Sensitive Information about clients
using the proxy.

CVE-2022-41318

Due to an incorrect integer overflow protection Squid SSPI and
SMB authentication helpers are vulnerable to a Buffer Overflow
attack.

For Debian 10 buster, these problems have been fixed in version
4.6-1+deb10u8.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/squid

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3093-2] rails regression update

2022-09-15 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3093-2    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
September 15, 2022    https://wiki.debian.org/LTS
- -

Package: rails
Version: 2:5.2.2.1+dfsg-1+deb10u5

The security update announced as DLA 3093-1, which included a fix for
CVE-2022-32224, caused a regression due to an incompatibility with
ruby 2.5. That fix has been dropped. Updated rails packages are now
available.

For Debian 10 buster, this problem has been fixed in version
2:5.2.2.1+dfsg-1+deb10u5.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-13 Thread Abhijith PA
Hey,

On 12/09/22 04:08 PM, Utkarsh Gupta wrote:
> Hi Abhijith,
> 
> On Sat, Sep 10, 2022 at 11:31 PM Abhijith PA  wrote:
> > > Please don't upload yet. We either upload what I have or just rollback
> > > the fix for CVE-2022-32224. Wait for the further decision or let me
> > > handle that - whatever works for you. :D
> >
> > Should I rollback CVE-2022-32224 for now. And once we test your patch
> > and upstream's on branch 5.2.x (if they produce), we can upload then.
> 
> Yes, that'd make sense. I'll start a separate thread for
> CVE-2022-32224. Roll back for now so there's no regression at least.

I've disabled the patch for CVE-2022-32224. Also tested against redmine.
Looks good to me. Can you give it a smoke test? I will upload to the
archive.

https://people.debian.org/~abhijith/upload/fix_rails/


--abhijith



Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-09 Thread Abhijith PA
Hello Raphael,

On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> Hello Abhijith and the LTS team,
> 
> in Kali we have applied the last ruby-active* security updates and this
> broke the web API part of autopkgtest.kali.org.

Can you share how the autopkgtest.kali.org service is set up and how
it is running? I am using https://ci.debian.net/doc/file.HACKING.html
to reproduce this. What is your rack server like, and do you also run
any proxy server?

 
> Specifically line 51 in
> /usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb
> makes a call to YAML.safe_load() with parameters that the YAML implementation 
> in ruby 2.5 in stretch
> does not support.
> 
> We have this error in our logs:
> 
> App 7518 output: 2022-09-07 07:55:07 - ArgumentError - unknown keywords: 
> permitted_classes, aliases:

Even though I understand it now, I just can't reproduce it with a
local debci setup. Is this only triggered on a certain action?


--abhijith



Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-08 Thread Abhijith PA
Hello.

On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> Hello Abhijith and the LTS team,
> 
> in Kali we have applied the last ruby-active* security updates and this
> broke the web API part of autopkgtest.kali.org.

Ok, I am on it. 



Re: [SECURITY] [DLA 3093-1] rails security update

2022-09-05 Thread Abhijith PA


[[resending with a different mail address due to a couple of MTA rejections]]

On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
> 
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> > 
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA  wrote:
> > > CVE-2022-32224
> > >
> > > When serialized columns that use YAML (the default) are
> > > deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> > > in to Ruby objects. If an attacker can manipulate data in the
> > > database (via means like SQL injection), then it may be possible
> > > for the attacker to escalate to an RCE.
> > >
> > > For Debian 10 buster, these problems have been fixed in version
> > > 2:5.2.2.1+dfsg-1+deb10u4.
> > 
> > I am afraid that CVE-2022-32224 brings in a bad regression for users,
> > esp because of the newly added yaml_column_permitted_classes array -
> > mostly because it didn't have an explicit entry for "Symbol". It's
> > still being investigated and fixed but this regression is known.
> > 6.1.6.1, which is a security upload (to unstable) also brings in a
> > regression. I was waiting for the results of the unstable upload to
> > decide whether to backport this for LTS/ETLS but since you have
> > uploaded it already, I wonder if you checked for this? Did you
> > reverse-build the affected components? Did you try this update with
> > some application?
> 
> I relied on https://wiki.debian.org/LTS/TestSuites/rails, and pulled
> a couple of random rails apps from the Internet to run with my build.
> It was OK for me. Sure, I will look at this more.
>  
> > I have an unverified fix but I need to inject this in unstable first
> > to be actually able to tell if that works for other releases or not.
> 
> ACK
> 
> > That said, I'm going to take care of rails for Bullseye (since you
> > haven't yet - which was supposed to happen first. :))
> 
> I saw someone working on rails in ruby-team. 
> https://lists.debian.org/debian-ruby/2022/08/msg00071.html
> Assumed there will also be an upload for buster.
 ^^ Oops, bullseye
  



[SECURITY] [DLA 3099-1] qemu security update

2022-09-04 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3099-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
September 05, 2022    https://wiki.debian.org/LTS
- -

Package: qemu
Version: 1:3.1+dfsg-8+deb10u9
CVE ID : CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 
 CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 
 CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 
 CVE-2020-29443 CVE-2020-35504 CVE-2020-35505 CVE-2021-3392 
 CVE-2021-3416 CVE-2021-3507 CVE-2021-3527 CVE-2021-3582 
 CVE-2021-3607 CVE-2021-3608 CVE-2021-3682 CVE-2021-3713 
 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 
 CVE-2021-20181 CVE-2021-20196 CVE-2021-20203 CVE-2021-20221 
 CVE-2021-20257 CVE-2022-26354 CVE-2022-35414

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service or the execution
of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u9.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Fwd: qemu_3.1+dfsg-8+deb10u9_amd64.changes REJECTED

2022-09-03 Thread Abhijith PA
On 03/09/22 03:41 PM, Ansgar wrote:
> Abhijith PA writes:
> > My recent upload to security-master for buster security got
> > rejected because the glib2.0 (= 2.58.3-2+deb10u3) package is not
> > available in the security archive. Can you please manually copy this
> > package to the security archive?
> 
> Done.

Thanks.



[SECURITY] [DLA 3093-1] rails security update

2022-09-03 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3093-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
September 03, 2022    https://wiki.debian.org/LTS
- -

Package: rails
Version: 2:5.2.2.1+dfsg-1+deb10u4
CVE ID : CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2
 CVE-2022-32224

The following vulnerabilities have been discovered in rails, a Ruby
based MVC framework for web development.

CVE-2022-21831

A code injection vulnerability exists in Active Storage that could
allow an attacker to execute code via image_processing arguments.

CVE-2022-22577

An XSS vulnerability in Action Pack could allow an attacker to bypass
CSP for non-HTML-like responses.

CVE-2022-23633

Action Pack is a framework for handling and responding to web 
requests. Under certain circumstances response bodies will not be 
closed. In the event a response is *not* notified of a `close`, 
`ActionDispatch::Executor` will not know to reset thread local 
state for the next request. This can lead to data being leaked to 
subsequent requests.

CVE-2022-2

An XSS vulnerability in Action View tag helpers could allow an
attacker to inject content if able to control input into specific
attributes.

CVE-2022-32224

When serialized columns that use YAML (the default) are deserialized,
Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects.
If an attacker can manipulate data in the database (for example via SQL
injection), then it may be possible for the attacker to escalate to
remote code execution.
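As an added example (not code from Rails or from this package), the following contrasts the pre-fix behaviour described above with a restricted loader, and also shows the regression discussed in the DLA 3093-2 thread: once only listed classes may be instantiated, a permitted_classes list without Symbol rejects ordinary rows that store symbols. The Gadget class and the YAML documents are constructed for the demonstration; the keyword arguments used (permitted_classes, aliases) are the ones the thread reports Psych in ruby 2.5 does not accept.

```ruby
require 'yaml'

# Added example, not Rails' code.

# Stand-in for any class present in the application; the attacker only
# needs a class whose instantiation or later use does something useful.
class Gadget
  attr_accessor :cmd
end

# Constructed: what an attacker who can write to the column (e.g. via SQL
# injection) stores. The tag makes the unsafe loader instantiate Gadget.
GADGET_YAML = "--- !ruby/object:Gadget\ncmd: id\n".freeze
# Constructed: what an ordinary application row commonly looks like.
SYMBOL_YAML = "--- :draft\n".freeze

# Pre-fix behaviour: the unsafe loader resolves any !ruby/object tag.
def legacy_deserialize(yaml)
  # Psych >= 4 names the unsafe loader unsafe_load; in Psych 3 (as in
  # ruby 2.5) plain load is already the unsafe one.
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(yaml) : Psych.load(yaml)
end

# Post-fix behaviour: only listed classes may be instantiated and aliases
# are refused. Every class an application legitimately serializes, Symbol
# included, must appear in permitted_classes or its rows fail to load.
def safe_deserialize(yaml, permitted_classes: [])
  Psych.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
end

# Returns :ok or the exception class, so the failure mode is visible.
def safe_outcome(yaml, permitted_classes: [])
  safe_deserialize(yaml, permitted_classes: permitted_classes)
  :ok
rescue Psych::DisallowedClass => e
  e.class
end
```

Psych::DisallowedClass on a row that was written by the application itself is the signature of the regression: the loader is now correct, but the permitted list is incomplete for that application's data.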

For Debian 10 buster, these problems have been fixed in version
2:5.2.2.1+dfsg-1+deb10u4.

We recommend that you upgrade your rails packages.

For the detailed security status of rails please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rails

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Fwd: qemu_3.1+dfsg-8+deb10u9_amd64.changes REJECTED

2022-09-03 Thread Abhijith PA
Hello FTP masters,

My recent upload to security-master for buster security got rejected
because the glib2.0 (= 2.58.3-2+deb10u3) package is not available in
the security archive. Can you please manually copy this package to the
security archive?

refs:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823820
https://lists.debian.org/debian-lts/2020/02/msg00088.html

--abhijith


- Forwarded message from Debian FTP Masters 
 -

> Date: Sat, 03 Sep 2022 05:02:17 +
> From: Debian FTP Masters 
> To: d...@security.debian.org, abhij...@debian.org
> Subject: qemu_3.1+dfsg-8+deb10u9_amd64.changes REJECTED
> 
> 
> qemu-user-static_3.1+dfsg-8+deb10u9_amd64.deb: Built-Using refers to 
> non-existing source package glib2.0 (= 2.58.3-2+deb10u3)
> 
> 
> 
> 
> ===
> 
> Please feel free to respond to this email if you don't understand why
> your files were rejected, or if you upload new files which address our
> concerns.
> 

- End forwarded message -



[SECURITY] [DLA 3091-1] sofia-sip security update

2022-09-01 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3091-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
September 02, 2022    https://wiki.debian.org/LTS
- -

Package: sofia-sip
Version: 1.12.11+20110422.1-2.1+deb10u1
CVE ID : CVE-2022-31001 CVE-2022-31002 CVE-2022-31003

The following vulnerabilities have been discovered in sofia-sip, a SIP
user-agent library.

CVE-2022-31001

   An attacker can send a message with a malicious SDP body to
   FreeSWITCH, which makes `n` larger, triggers an out-of-bounds access
   and may cause a crash.
   
CVE-2022-31002

   An attacker can send a message with a malicious SDP body to
   FreeSWITCH, which may cause a crash. This crash is triggered by a
   URL ending with %.

CVE-2022-31003

   When parsing each line of an SDP message, `rest = record + 2` can
   access memory past the terminating `\0` and cause an out-of-bounds
   write. An attacker can send a message with a malicious SDP body to
   FreeSWITCH, causing a crash or more serious consequences, such as
   remote code execution.

For Debian 10 buster, these problems have been fixed in version
1.12.11+20110422.1-2.1+deb10u1.

We recommend that you upgrade your sofia-sip packages.

For the detailed security status of sofia-sip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/sofia-sip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3083-1] puma security update

2022-08-27 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3083-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
August 28, 2022    https://wiki.debian.org/LTS
- -

Package: puma
Version: 3.12.0-2+deb10u3
CVE ID : CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 
 CVE-2022-24790

Multiple security issues have been found in puma, a web server for 
ruby/rack applications.

CVE-2021-29509

Keep-alive connections can cause a denial of service in puma.

CVE-2021-41136

puma behind a proxy that forwards HTTP header values containing the LF
character could allow HTTP request smuggling. A client could smuggle a
request through the proxy, causing the proxy to send a response back
to another, unknown client.

CVE-2022-23634

puma may not always call `close` on the response body. Rails, 
prior to version `7.0.2.2`, depended on the response body being 
closed in order for its `CurrentAttributes` implementation to work 
correctly. The combination of these two behaviors (Puma not 
closing the body + Rails' Executor implementation) causes 
information leakage.

CVE-2022-24790

When using Puma behind a proxy that does not properly validate that
the incoming HTTP request matches the RFC 7230 standard, Puma and the
front-end proxy may disagree on where a request starts and ends. This
allows requests to be smuggled via the front-end proxy to Puma.
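As an added example (not code from puma or from Apache Traffic Server), here is a strict HTTP/1.1 request-head validator covering the disagreements behind CVE-2021-41136 and CVE-2022-24790 above and the trafficserver header-parsing and request-smuggling issues (CVE-2022-28129, CVE-2022-25763) earlier on this page. Each rejection is a point in RFC 7230 where a lenient front end and a strict back end can read different message boundaries. All requests in the block and its checks are constructed.

```ruby
# Added example, not code from puma or Apache Traffic Server.

class SmugglingRisk < StandardError; end

# RFC 7230 "token": field names may contain only these characters.
HTTP_TOKEN = /\A[!#%&'*+\-.^_`|~$0-9A-Za-z]+\z/

# Parses the request head and decides how the body is framed. Returns a hash
# with :method, :target, :headers (lower-cased names), :framing and :body;
# raises SmugglingRisk instead of guessing whenever the framing is ambiguous.
def parse_request_head(raw)
  head, body = raw.split("\r\n\r\n", 2)
  raise SmugglingRisk, 'request head not terminated by CRLF CRLF' if body.nil?

  lines = head.split("\r\n")
  request_line = lines.shift.to_s
  m = request_line.match(%r{\A([A-Z]+) (\S+) HTTP/1\.[01]\z})
  raise SmugglingRisk, "malformed request line #{request_line.inspect}" unless m

  headers = {}
  lines.each do |line|
    # A bare LF or CR inside a field (the CVE-2021-41136 trigger) is a line
    # terminator to some parsers and ordinary data to others: refuse it.
    raise SmugglingRisk, 'bare CR or LF inside a header field' if line.match?(/[\r\n]/)
    # Obsolete line folding is another point of disagreement; RFC 7230 says reject.
    raise SmugglingRisk, 'obsolete line folding' if line.start_with?(' ', "\t")
    name, value = line.split(':', 2)
    raise SmugglingRisk, "header line without a colon #{line.inspect}" if value.nil?
    # Whitespace between the field name and the colon must be rejected (RFC 7230 3.2.4).
    raise SmugglingRisk, "invalid field name #{name.inspect}" unless name.match?(HTTP_TOKEN)
    key = name.downcase
    # Two framing headers with the same name: reject rather than pick first or last.
    if %w[content-length transfer-encoding].include?(key) && headers.key?(key)
      raise SmugglingRisk, "duplicate #{key} header"
    end
    headers[key] = value.strip
  end

  cl = headers['content-length']
  te = headers['transfer-encoding']
  framing =
    if cl && te
      # RFC 7230 3.3.3: both present is the CL.TE / TE.CL smuggling primitive.
      raise SmugglingRisk, 'both Content-Length and Transfer-Encoding present'
    elsif te
      # Only a final "chunked" coding gives a determinable message length.
      codings = te.split(',').map { |c| c.strip.downcase }
      raise SmugglingRisk, "unsupported Transfer-Encoding #{te.inspect}" unless codings.last == 'chunked'
      [:chunked]
    elsif cl
      # Digits only: "+5", "5 5", "0x5" and negative values are all rejected.
      raise SmugglingRisk, "invalid Content-Length #{cl.inspect}" unless cl.match?(/\A\d+\z/)
      [:content_length, cl.to_i]
    else
      [:none]
    end

  { method: m[1], target: m[2], headers: headers, framing: framing, body: body }
end

# Convenience for audits: nil when the request is acceptable, otherwise the reason.
def smuggling_risk(raw)
  parse_request_head(raw)
  nil
rescue SmugglingRisk => e
  e.message
end
```

The useful property is that both ends of a proxy chain reject the same inputs; a proxy that normalises or silently drops one of the conflicting headers instead of rejecting the request is exactly the setup the puma advisory warns about.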

For Debian 10 buster, these problems have been fixed in version
3.12.0-2+deb10u3.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 3081-1] open-vm-tools security update

2022-08-25 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3081-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
August 25, 2022    https://wiki.debian.org/LTS
- -

Package: open-vm-tools
Version: 2:10.3.10-1+deb10u3
CVE ID : CVE-2022-31676

open-vm-tools contains a local privilege escalation vulnerability. A
malicious actor with local non-administrative access to the guest OS
can escalate privileges to root in the virtual machine.

For Debian 10 buster, this problem has been fixed in version
2:10.3.10-1+deb10u3.

We recommend that you upgrade your open-vm-tools packages.

For the detailed security status of open-vm-tools please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/open-vm-tools

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



LTS report for June 2022 - Abhijith

2022-07-02 Thread Abhijith PA

Hello.

During the month of June I worked on following packages:

 * qemu
 - Fixed 32 postponed CVEs for buster[1]. Planning the upcoming
   release once all available reproducers have been run.
 - Locate missing upstream patches.

 * libmatio
 - Backported 13 CVEs from the work of Sébastien Villemot in
   buster to stretch[2]. Unfortunately I couldn't fix 6
   failing tests before stretch's EOL.


Regards
Abhijith PA

[1] - 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc
[2] - https://people.debian.org/~abhijith/upload/patches/



Re: Taking from backports - icingaweb2

2022-06-06 Thread Abhijith PA
On 03/06/22 04:45 PM, Utkarsh Gupta wrote:
> Hi Abhijith,

...

> So ideally since the package is in the -backports pocket, I don't
> think it'd be a problem but do make sure that you at least test the
> package so it doesn't introduce any regressions or anything. Hope that
> helps.

Thank you. I've prepared the update. Will test and upload shortly. 

--abhijith



LTS report for May 2022 - Abhijith

2022-06-02 Thread Abhijith PA

Hello.

During the month of May I worked on following packages for LTS:

 * asterisk
 - Marked 8 CVEs as not-affected (related to pjproject)
 - CVE-2022-26651 postponed for next upload.

 * pjproject
 - CVE-2022-24786 not-affected
 - DLA-3036-1

 * icingaweb2
 - Continued work from last month
 - v2.6[1]

 * libmatio
 - Total of 28 CVEs
 - Working on CVE-2019-9026 to CVE-2019-9038

 Misc:

 * Ring
 - No updates from upstream regarding [2]

Regards
Abhijith PA

[1] - 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.6.2-3~bpo9+1+deb9u1.dsc
[2] - 
https://alioth-lists.debian.net/pipermail/pkg-voip-maintainers/2022-May/036419.html



Taking from backports - icingaweb2

2022-06-02 Thread Abhijith PA
Hello,


Package icingaweb2 (2.4) in stretch has around 9 open CVEs. Most of
them are fixed in upstream v2.6. There aren't isolated patches available
for CVE-2018-18246 to CVE-2018-18250.

The changes from 2.4 to 2.6 are pretty large and not very descriptive
to comb through and cherry-pick. I have pinged the upstream security
team for help; unfortunately they couldn't single out the patches. So I
was wondering whether it's OK to upload v2.6 from stretch-backports to
-security and fix the remaining CVEs on top of that.


PS: It's not a priority package for us.

--abhijith  





[SECURITY] [DLA 3036-1] pjproject security update

2022-05-31 Thread Abhijith PA

- -
Debian LTS Advisory DLA-3036-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
May 31, 2022    https://wiki.debian.org/LTS
- -

Package: pjproject
Version: 2.5.5~dfsg-6+deb9u5
CVE ID : CVE-2022-24763 CVE-2022-24792 CVE-2022-24793

Multiple security issues were discovered in pjproject, a free and
open source multimedia communication library.

CVE-2022-24763

A denial-of-service vulnerability affects PJSIP users who use PJSIP's
XML parsing in their applications.

CVE-2022-24792

A denial-of-service vulnerability affects applications on 32-bit
systems that play or read invalid WAV files. It occurs when reading
WAV file data chunks whose length does not fit in a 31-bit integer.
It does not affect 64-bit applications and should not affect
applications that only play trusted WAV files.

CVE-2022-24793

A buffer overflow vulnerability affects applications that use PJSIP
DNS resolution. It does not affect PJSIP users who use an external
resolver.

For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u5.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2996-1] mruby security update

2022-05-06 Thread Abhijith PA

- -
Debian LTS Advisory DLA-2996-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Abhijith PA
May 06, 2022    https://wiki.debian.org/LTS
- -

Package: mruby
Version: 1.2.0+20161228+git30d5424a-1+deb9u1
CVE ID : CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 
 CVE-2018-14337 CVE-2020-15866

Multiple security issues were discovered in mruby, a lightweight 
implementation of the Ruby language.

CVE-2017-9527

A heap-based use-after-free vulnerability allows attackers to cause 
a denial of service or possibly have unspecified other impact via 
a crafted .rb file.

CVE-2018-10191

An integer overflow exists when handling OP_GETUPVAR in the 
presence of deep scope nesting, resulting in a use-after-free. An 
attacker that can cause Ruby code to be run can use this to 
possibly execute arbitrary code.

CVE-2018-11743

An uninitialized pointer allows attackers to cause a denial of 
service or possibly have unspecified other impact.

CVE-2018-12249

There is a NULL pointer dereference in mrb_class_real because 
"class BasicObject" is not properly supported in class.c.

CVE-2018-14337

A signed integer overflow, possibly leading to out-of-bounds 
memory access, because the mrb_str_resize function in string.c does 
not check for a negative length.

CVE-2020-15866

A heap-based buffer overflow in the mrb_yield_with_class function 
in vm.c because of incorrect VM stack handling.

For Debian 9 stretch, these problems have been fixed in version
1.2.0+20161228+git30d5424a-1+deb9u1.

We recommend that you upgrade your mruby packages.

For the detailed security status of mruby please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mruby

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



LTS report for April 2022 - Abhijith

2022-05-02 Thread Abhijith PA
Hello.

During the month of April I worked on following packages for LTS:

 * mitmproxy
 - Total of 3 CVEs
 - Due to a lot of code refactoring, marked 2 CVEs as ignored.

 * mruby
 - Total of 18 CVEs
 - Fixed 5 CVEs. Marked 5 as not affected for stretch
 - Again, due to a lot of code refactoring, the rest of the CVEs
   are no-DSA
 - https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc
 
 * icingaweb2
 - 10 CVEs
 - Fixed 3 CVEs. Marked 2 as not-affected for stretch
 - Asked upstream for more details and fixes for old 
   vulnerabilities.
 - https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc


Regards
Abhijith
  




LTS report for March 2022 - Abhijith

2022-04-03 Thread Abhijith PA
Hello.

During the month of March I worked on following packages for LTS:

 * asterisk
 - Total of 22 CVEs
 - Fixed 6 CVEs, 5 CVEs as no-DSA (intrusive to backport)
 - The rest of the CVEs are pjproject ones not affecting stretch
 - [DLA-2969-1]

 * pjproject
 - Almost all work completed in last month
 - Fixed 2 more CVEs
 - [DLA 2962-1] [DLA 2962-2]

 * ring
 - Work completed in last month
 - Fixed 2 more CVEs
 - The package in stretch is faulty. Working on that
 - latest build[1]

 Regards
 Abhijith

 [1] - https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc



[SECURITY] [DLA 2969-1] asterisk security update

2022-04-02 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2969-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
April 03, 2022https://wiki.debian.org/LTS
- -

Package: asterisk
Version: 1:13.14.1~dfsg-2+deb9u6
CVE ID : CVE-2019-13161 CVE-2019-18610 CVE-2019-18790 CVE-2019-18976 
 CVE-2020-28242 

Multiple security issues were discovered in asterisk, an Open Source 
Private Branch Exchange (PBX). 

CVE-2019-13161

A pointer dereference in chan_sip while handling SDP negotiation 
allows an attacker to crash Asterisk.

CVE-2019-18610

A remote authenticated Asterisk Manager Interface (AMI) user 
without system authorization could use a specially crafted 
Originate AMI request to execute arbitrary system commands.

CVE-2019-18790

A SIP request can be sent to Asterisk that can change a SIP peer's 
IP address. A REGISTER does not need to occur, and calls can be 
hijacked as a result. The only thing that needs to be known is the 
peer's name; authentication details such as passwords do not need 
to be known. This vulnerability is only exploitable when the nat 
option is set to the default, or auto_force_rport.

CVE-2019-18976

A NULL pointer dereference and crash will occur when Asterisk 
receives a re-invite initiating T.38 faxing and has a port of 0 
and no c line in the SDP.

CVE-2020-28242

If Asterisk is challenged on an outbound INVITE and the nonce is 
changed in each response, Asterisk will continually send INVITEs 
in a loop. This causes Asterisk to consume more and more memory 
since the transaction will never terminate (even if the call is 
hung up), ultimately leading to a restart or shutdown of Asterisk.

For Debian 9 stretch, these problems have been fixed in version
1:13.14.1~dfsg-2+deb9u6.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
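
The INVITE loop from CVE-2020-28242 above, modelled as an added example in C that is not Asterisk's code and does not reproduce its actual patch: a UAC whose only rule is "the nonce changed, so re-send with fresh credentials" never terminates against a server that changes the nonce on every challenge, while a policy that bounds re-authentication (here: one retry unless the challenge marks the old nonce stale, and a hard cap of MAX_AUTH_RETRIES) lets the transaction end so its memory can be released. The hostile server, the type and function names and the retry limit are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 32
#define MAX_AUTH_RETRIES 2     /* assumed cap: the first re-send plus one more */

/* What a UAC extracts from a 401/407 digest challenge. */
typedef struct {
    char nonce[NONCE_LEN];
    int  stale;                /* stale=true: nonce expired, credentials were fine */
} digest_challenge;

/* Per-INVITE client transaction state. */
typedef struct {
    char last_nonce[NONCE_LEN];
    int  auth_attempts;        /* re-sends carrying credentials so far */
    int  invites_sent;
} uac_txn;

/* Constructed hostile server: never accepts, and hands out a fresh nonce on
 * every response. 'stale' is the flag it puts in the challenge. */
static void hostile_challenge(int round, int stale, digest_challenge *out)
{
    snprintf(out->nonce, sizeof out->nonce, "nonce-%d", round);
    out->stale = stale;
}

static void remember_nonce(uac_txn *t, const digest_challenge *c)
{
    strncpy(t->last_nonce, c->nonce, NONCE_LEN - 1);
    t->last_nonce[NONCE_LEN - 1] = '\0';
    t->auth_attempts++;
}

/* Vulnerable policy: a changed nonce always triggers another authenticated
 * INVITE, with no upper bound. Returns 1 if the UAC would re-send. */
int vulnerable_should_resend(uac_txn *t, const digest_challenge *c)
{
    if (strcmp(t->last_nonce, c->nonce) == 0) return 0;
    remember_nonce(t, c);
    return 1;
}

/* Hardened policy: a changed nonce justifies at most one retry unless the
 * server marked the old nonce stale, and never more than MAX_AUTH_RETRIES.
 * Once this returns 0 the transaction terminates and its memory is freed. */
int hardened_should_resend(uac_txn *t, const digest_challenge *c)
{
    if (t->auth_attempts >= MAX_AUTH_RETRIES) return 0;
    if (t->auth_attempts >= 1 && !c->stale) return 0;   /* wrong credentials */
    if (strcmp(t->last_nonce, c->nonce) == 0) return 0;
    remember_nonce(t, c);
    return 1;
}

/* Drive one outbound INVITE against the hostile server. Returns how many
 * INVITEs were sent before the UAC gave up, or -1 if it would still be
 * re-sending after 'cap' challenges (the loop the advisory describes). */
int run_invite(int (*policy)(uac_txn *, const digest_challenge *),
               int server_stale, int cap)
{
    uac_txn t;
    memset(&t, 0, sizeof t);
    t.invites_sent = 1;                     /* the initial INVITE */
    for (int round = 0; round < cap; round++) {
        digest_challenge c;
        hostile_challenge(round, server_stale, &c);
        if (!policy(&t, &c)) return t.invites_sent;
        t.invites_sent++;
    }
    return -1;
}

int main(void)
{
    printf("vulnerable policy: %d\n", run_invite(vulnerable_should_resend, 0, 10000));
    printf("hardened, stale=0: %d\n", run_invite(hardened_should_resend, 0, 10000));
    printf("hardened, stale=1: %d\n", run_invite(hardened_should_resend, 1, 10000));
    return 0;
}
```

The vulnerable policy never returns from the loop (reported as -1 after the cap), which is the unbounded transaction the advisory describes; the hardened one sends two INVITEs when the server does not claim a stale nonce and three when it does, then stops.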



[SECURITY] [DLA 2962-2] pjproject regression update

2022-03-31 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2962-2debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
March 31, 2022https://wiki.debian.org/LTS
- -

Package: pjproject
Version: 2.5.5~dfsg-6+deb9u4
CVE ID : CVE-2022-23608 

The security update announced as DLA 2962-1 has a regression due to 
a mistake in the backported CVE-2022-23608 patch. Updated packages of 
pjproject are now available.

For Debian 9 stretch, this problem has been fixed in version
2.5.5~dfsg-6+deb9u4.

We recommend that you upgrade your pjproject packages.

For the detailed security status of pjproject please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pjproject

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: [SECURITY] [DLA 2962-1] pjproject security update

2022-03-31 Thread Abhijith PA
On 30/03/22 12:05 PM, Bastian Triller wrote:
> Hello,
> 
> we upgraded to 2.5.5~dfsg-6+deb9u3 and we're seeing crashes in
> Asterisk. It seems the patch for CVE-2022-23608 is faulty. In your
> patch, the hash table key is assigned twice in hunk #2 but not in hunk
> #4.
> Please see attached patch CVE-2022-23608_fixed.patch.


Thank you for the regression report. I am taking a look.


--abhijith



[SECURITY] [DLA 2962-1] pjproject security update

2022-03-28 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2962-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
March 28, 2022https://wiki.debian.org/LTS
- -

Package: pjproject
Version: 2.5.5~dfsg-6+deb9u3
CVE ID : CVE-2021-32686 CVE-2021-37706 CVE-2021-41141 CVE-2021-43299 
 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 
 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 
 CVE-2022-23608 CVE-2022-24754 CVE-2022-24764

Multiple security issues were discovered in pjproject, a free and 
open source multimedia communication library.

CVE-2021-32686

Two issues: a race condition between callback and destroy, due to 
the accepted socket having no group lock, and the SSL socket 
parent/listener getting destroyed during handshake. Both cause a 
crash, resulting in a denial of service.

CVE-2021-37706

When an incoming STUN message contains an ERROR-CODE attribute, the 
header length is not checked before performing a subtraction 
operation, potentially resulting in an integer underflow. 
This issue affects all users that use STUN. A malicious actor 
located within the victim's network may forge and send a specially 
crafted UDP (STUN) message that could remotely execute arbitrary 
code on the victim's machine.

CVE-2021-41141

In various parts of PJSIP, when an error/failure occurs, the 
function returns without releasing the currently held locks. This 
could result in a system deadlock, which causes a denial of service 
for the users.

CVE-2021-43299

Stack overflow in PJSUA API when calling pjsua_player_create. An 
attacker-controlled 'filename' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43300

Stack overflow in PJSUA API when calling pjsua_recorder_create. An 
attacker-controlled 'filename' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43301

Stack overflow in PJSUA API when calling pjsua_playlist_create. An 
attacker-controlled 'file_names' argument may cause a buffer 
overflow since it is copied to a fixed-size stack buffer without 
any size validation.

CVE-2021-43302

Read out-of-bounds in PJSUA API when calling 
pjsua_recorder_create. An attacker-controlled 'filename' argument 
may cause an out-of-bounds read when the filename is shorter than 
4 characters.

CVE-2021-43303

Buffer overflow in PJSUA API when calling pjsua_call_dump. An 
attacker-controlled 'buffer' argument may cause a buffer overflow, 
since supplying an output buffer smaller than 128 characters may 
overflow the output buffer, regardless of the 'maxlen' argument 
supplied

CVE-2021-43804

An incoming RTCP BYE message contains a reason's length, this 
declared length is not checked against the actual received packet 
size, potentially resulting in an out-of-bound read access. A 
malicious actor can send a RTCP BYE message with an invalid reason 
length

CVE-2021-43845

If an incoming RTCP XR message contains a block, the data field is 
not checked against the received packet size, potentially resulting 
in an out-of-bound read access.

CVE-2022-21722

It is possible that certain incoming RTP/RTCP packets can 
potentially cause out-of-bound read access. This issue affects 
all users that use PJMEDIA and accept incoming RTP/RTCP.

CVE-2022-21723

Parsing an incoming SIP message that contains a malformed 
multipart can potentially cause out-of-bound read access. This 
issue affects all PJSIP users that accept SIP multipart.

CVE-2022-23608

When in a dialog set (or forking) scenario, a hash key shared by 
multiple UAC dialogs can potentially be prematurely freed when one 
of the dialogs is destroyed. The issue may cause a dialog set to 
be registered in the hash table multiple times (with different 
hash keys), leading to undefined behavior such as dialog list 
collision, which eventually leads to an endless loop.

CVE-2022-24754

There is a stack-buffer overflow vulnerability which only impacts 
PJSIP users who accept hashed digest credentials (credentials with 
data_type `PJSIP_CRED_DATA_DIGEST`).

CVE-2022-24764

A stack buffer overflow vulnerability that affects PJSUA2 users 
or users that call the API `pjmedia_sdp_print()`, 
`pjmedia_sdp_media_print()`.

For Debian 9 stretch, these problems have been fixed in version
2.5.5~dfsg-6+deb9u3.

We recommend that you upgrade your
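
The RTCP BYE length check from CVE-2021-43804 above, as an added example in C that is not pjproject's code: a parser for the BYE packet (RFC 3550 section 6.6) that validates the header's 16-bit length field against the bytes actually received, the SSRC list against that length, and the one-byte declared reason length against what remains of the packet, which is the check whose absence the advisory describes. The two packets are constructed, not captured, and the names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RTCP_PT_BYE   203
#define RTCP_MAX_SSRC 31          /* the source count is a 5-bit field */

typedef struct {
    unsigned ssrc_count;
    uint32_t ssrc[RTCP_MAX_SSRC];
    unsigned reason_len;          /* bytes of reason really present */
    char     reason[256];         /* NUL-terminated copy; declared len is 8-bit */
} rtcp_bye;

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse an RTCP BYE packet from 'len' received bytes. Returns 0 on success,
 * -1 if any declared length exceeds what was actually received. */
int rtcp_bye_parse(const uint8_t *pkt, size_t len, rtcp_bye *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4) return -1;                            /* common header */
    if ((pkt[0] >> 6) != 2) return -1;                 /* RTP version 2 */
    if (pkt[1] != RTCP_PT_BYE) return -1;

    unsigned sc = pkt[0] & 0x1f;
    /* 16-bit length field: packet size in 32-bit words minus one. */
    size_t declared = ((size_t)(((unsigned)pkt[2] << 8) | pkt[3]) + 1) * 4;
    if (declared > len) return -1;                     /* header overclaims */

    size_t pos = 4;
    if (pos + (size_t)sc * 4 > declared) return -1;    /* SSRC list overclaims */
    for (unsigned i = 0; i < sc; i++, pos += 4)
        out->ssrc[i] = rd32be(pkt + pos);
    out->ssrc_count = sc;

    if (pos == declared) return 0;                     /* optional reason absent */

    unsigned rlen = pkt[pos++];                         /* declared reason length */
    if (rlen > declared - pos) return -1;               /* the CVE-2021-43804 check */
    memcpy(out->reason, pkt + pos, rlen);
    out->reason[rlen] = '\0';
    out->reason_len = rlen;
    return 0;
}

/* Constructed packets. Both are V=2, SC=1, PT=203, length=2 (12 bytes),
 * SSRC 0x11223344, then the reason. The first declares a 3-byte reason "bye";
 * the second declares 200 bytes while only 3 follow, the overclaim at issue. */
const uint8_t bye_ok[12]        = { 0x81, 203, 0x00, 0x02,
                                    0x11, 0x22, 0x33, 0x44,
                                    0x03, 'b', 'y', 'e' };
const uint8_t bye_overclaim[12] = { 0x81, 203, 0x00, 0x02,
                                    0x11, 0x22, 0x33, 0x44,
                                    0xC8, 'b', 'y', 'e' };

/* Result helpers: reason length on success or -1; first SSRC or 0. */
int bye_reason_len(const uint8_t *pkt, size_t len)
{
    rtcp_bye b;
    return rtcp_bye_parse(pkt, len, &b) == 0 ? (int)b.reason_len : -1;
}

uint32_t bye_first_ssrc(const uint8_t *pkt, size_t len)
{
    rtcp_bye b;
    if (rtcp_bye_parse(pkt, len, &b) != 0 || b.ssrc_count == 0) return 0;
    return b.ssrc[0];
}

int main(void)
{
    printf("ok packet:        reason_len=%d ssrc=0x%08x\n",
           bye_reason_len(bye_ok, sizeof bye_ok),
           (unsigned)bye_first_ssrc(bye_ok, sizeof bye_ok));
    printf("overclaim packet: reason_len=%d\n",
           bye_reason_len(bye_overclaim, sizeof bye_overclaim));
    printf("truncated ok packet (8 of 12 bytes): %d\n", bye_reason_len(bye_ok, 8));
    return 0;
}
```

Without the `rlen > declared - pos` test the memcpy would read 197 bytes past the end of the 12-byte datagram, which is the out-of-bounds read the advisory describes; the same discipline (every length taken from the wire is compared with the bytes received before it is used) is what the RTCP XR entry, CVE-2021-43845, calls for.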

LTS report for February 2022 - Abhijith PA

2022-03-02 Thread Abhijith PA

Hello.

During the month of February I worked on following packages for LTS:

* pjproject: Fixed 13 CVEs. Currently testing[1].

* ring: Same 13 CVEs. Under testing[2]

* asterisk: There were 22 open CVEs including the above same 11 CVEs.
  Started working on remaining no-DSA/pending fixes. 


Regards
Abhijith PA

[1] - 
https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc
[2] - 
https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc




LTS report for January 2022 - Abhijith PA

2022-01-29 Thread Abhijith PA

Hello,

For January I had 5 hours remaining from last month. I spent all of them on:

 * libraw: There were 28 open CVEs. Marked 6 among those as not-affected.
   Fixed 22 CVEs, tested and uploaded [DLA 2903-1]


Regards
Abhijith

[DLA 2903-1] - 
https://lists.debian.org/debian-lts-announce/2022/01/msg00031.html





[SECURITY] [DLA 2903-1] libraw security update

2022-01-29 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2903-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
January 29, 2022  https://wiki.debian.org/LTS
- -

Package: libraw
Version: 0.17.2-6+deb9u2
CVE ID : CVE-2017-13735 CVE-2017-14265 CVE-2017-14348 
 CVE-2017-14608 CVE-2017-16909 CVE-2017-16910 
 CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 
 CVE-2018-5804 CVE-2018-5805 CVE-2018-5806 
 CVE-2018-5807 CVE-2018-5808 CVE-2018-5810 
 CVE-2018-5811 CVE-2018-5812 CVE-2018-5813 
 CVE-2018-5815 CVE-2018-5817 CVE-2018-5818 
 CVE-2018-5819 CVE-2018-20363 CVE-2018-20364 
 CVE-2018-20365 

Several vulnerabilities have been discovered in libraw that
may lead to the execution of arbitrary code, denial of service, or 
information leaks.

CVE-2017-13735

There is a floating point exception in the kodak_radc_load_raw 
function. It will lead to a remote denial of service attack.

CVE-2017-14265

A Stack-based Buffer Overflow was discovered in xtrans_interpolate 
method. It could allow a remote denial of service or code 
execution attack.

CVE-2017-14348

There is a heap-based buffer overflow in the 
processCanonCameraInfo function.

CVE-2017-14608

An out of bounds read flaw related to kodak_65000_load_raw has 
been reported in libraw. An attacker could possibly exploit this 
flaw to disclose potentially sensitive memory or cause an 
application crash.

CVE-2017-16909

An error related to the "LibRaw::panasonic_load_raw()" function 
can be exploited to cause a heap-based buffer overflow and 
subsequently cause a crash via a specially crafted TIFF image.

CVE-2017-16910

An error within the "LibRaw::xtrans_interpolate()" function can be 
exploited to cause an invalid read memory access and subsequently 
a Denial of Service condition.

CVE-2018-5800

An off-by-one error within the "LibRaw::kodak_ycbcr_load_raw()" 
function can be exploited to cause a heap-based buffer overflow 
and subsequently cause a crash.

CVE-2018-5801

An error within the "LibRaw::unpack()" function can be exploited 
to trigger a NULL pointer dereference.

CVE-2018-5802

An error within the "kodak_radc_load_raw()" function can be 
exploited to cause an out-of-bounds read memory access and 
subsequently cause a crash.

CVE-2018-5804

A type confusion error within the "identify()" function can be 
exploited to trigger a division by zero.

CVE-2018-5805

A boundary error within the "quicktake_100_load_raw()" function 
can be exploited to cause a stack-based buffer overflow and 
subsequently cause a crash.

CVE-2018-5806

An error within the "leaf_hdr_load_raw()" function 
can be exploited to trigger a NULL pointer dereference.

CVE-2018-5807

An error within the "samsung_load_raw()" function 
can be exploited to cause an out-of-bounds read memory access and 
subsequently cause a crash.

CVE-2018-5808

An error within the "find_green()" function can be exploited to 
cause a stack-based buffer overflow and subsequently execute 
arbitrary code.

CVE-2018-5810

An error within the "rollei_load_raw()" function can be exploited 
to cause a heap-based buffer overflow and subsequently cause a 
crash.

CVE-2018-5811

An error within the "nikon_coolscan_load_raw()" function 
can be exploited to cause an out-of-bounds read memory access and 
subsequently cause a crash.

CVE-2018-5812

An error within the "nikon_coolscan_load_raw()" function can be 
exploited to trigger a NULL pointer dereference.

CVE-2018-5813

An error within the "parse_minolta()" function can be exploited to 
trigger an infinite loop via a specially crafted file.

CVE-2018-5815

An integer overflow error within the "parse_qt()" function can be 
exploited to trigger an infinite loop via a specially crafted 
Apple QuickTime file.

CVE-2018-5817

A type confusion error within the "unpacked_load_raw()" function 
can be exploited to trigger an infinite loop.

CVE-2018-5818

An error within the "parse_rollei()" function can be exploited to 
trigger an infinite loop.

CVE-2018-5819

An error within the "parse_sinar_ia()" function can be exploited to exhaust 
available CPU resources.

CVE-2

LTS report for Dec 2021 - Abhijith PA

2022-01-10 Thread Abhijith PA
Hello,

In December I was assigned 08 hours to work on Debian LTS by Freexian 
SARL. I spent only 3 hours on package libraw's[1] open CVEs. I will 
carry the rest of the hours to next month.

--abhijith

[1] - https://security-tracker.debian.org/tracker/source-package/libraw



LTS report for August 2021 - Abhijith PA

2021-09-10 Thread Abhijith PA
August was my 42nd month as a Debian LTS paid contributor. I had 19h 
(both assigned and carried over from last month). I could only spend 
4h and gave back rest to the pool.

 * pywps: Fixed CVE-2021-39371 and converted a test from pytest to 
   unittest related to this CVE. Released DLA 2754-1[1]
   
 * smarty3: Prepared an update for reported regression #989141[2].


 ELTS

 * ckeditor: 5 CVEs including postponed ones. Available patches have 
   been backported.


 Regards
 Abhijith PA

 [1] - https://lists.debian.org/debian-lts-announce/2021/09/msg1.html
 [2] - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989141



[SECURITY] [DLA 2754-1] pywps security update

2021-09-04 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2754-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
September 04, 2021https://wiki.debian.org/LTS
- -

Package: pywps
Version: 4.0.0-3+deb9u1
CVE ID : CVE-2021-39371

An XML external entity (XXE) injection in pywps allows an attacker to 
view files on the application server filesystem by assigning a path 
to the entity. 

For Debian 9 stretch, this problem has been fixed in version
4.0.0-3+deb9u1.

We recommend that you upgrade your pywps packages.

For the detailed security status of pywps please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pywps

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



LTS report for July 2021 - Abhijith PA

2021-08-10 Thread Abhijith PA
July was my 41st month as a Debian LTS paid contributor. I was
assigned 10 hours. I was only able to spend 5h and will carry the 
remaining to next month.

 * rabbitmq-server: Released 3.6.6-1+deb9u2[1] for fixing a 
   regression.
   
 * runc: Investigated on CVE-2021-30465. Marked as no-dsa
 
 * pjproject: Backporting fix for CVE-2021-32686.
 
 
 Regards
 Abhijith PA
   




[SECURITY] [DLA 2710-2] rabbitmq-server regression update

2021-07-25 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2710-2debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
July 25, 2021 https://wiki.debian.org/LTS
- -

Package: rabbitmq-server
Version: 3.6.6-1+deb9u2

It was discovered that the previous upload of the package 
rabbitmq-server, versioned 3.6.6-1+deb9u1, introduced a regression in 
the function fmt_strip_tags. Big thanks to Christoph Haas for 
reporting the issue and for testing the update.

For Debian 9 stretch, this problem has been fixed in version
3.6.6-1+deb9u2.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2710-1] rabbitmq-server security update

2021-07-19 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2710-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
July 19, 2021 https://wiki.debian.org/LTS
- -

Package: rabbitmq-server
Version: 3.6.6-1+deb9u1
CVE ID : CVE-2017-4965 CVE-2017-4966 CVE-2017-4967 CVE-2019-11281 
 CVE-2019-11287 CVE-2021-22116

Several vulnerabilities were discovered in rabbitmq-server, a 
message broker.

CVE-2017-4965

Several forms in the RabbitMQ management UI are vulnerable to XSS 
attacks.

CVE-2017-4966

RabbitMQ management UI stores signed-in user credentials in a 
browser's local storage without expiration, making it possible to 
retrieve them using a chained attack

CVE-2017-4967

Several forms in the RabbitMQ management UI are vulnerable to XSS 
attacks.

CVE-2019-11281

The virtual host limits page and the federation management UI do 
not properly sanitize user input. A remote authenticated 
malicious user with administrative access could craft a cross site 
scripting attack that would gain access to virtual hosts and 
policy management information.

CVE-2019-11287

The "X-Reason" HTTP Header can be leveraged to insert a malicious 
Erlang format string that will expand and consume the heap, 
resulting in the server crashing.

CVE-2021-22116

A denial of service due to improper input validation in the AMQP 
1.0 client connection endpoint. A malicious user can exploit the 
vulnerability by sending malicious AMQP messages to the target 
RabbitMQ instance.

For Debian 9 stretch, these problems have been fixed in version
3.6.6-1+deb9u1.

We recommend that you upgrade your rabbitmq-server packages.

For the detailed security status of rabbitmq-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/rabbitmq-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



LTS report for June 2021 - Abhijith PA

2021-07-10 Thread Abhijith PA
June was my 40th month as a Debian LTS paid contributor. I was
assigned 14 hours plus 7h from last month. I have spent 18h and will 
carry the rest to next month:

 * 1 week of frontdesk:  From 14-06 to 20-06.[1]

 * python-urllib3: There were 4 CVEs. CVE-2018-20060 CVE-2019-11236 
   CVE-2019-11324 CVE-2020-26137. Fixed, tested and uploaded [DLA 
   2686-1][2]

 * rabbitmq-server. There were 9 issues. Fished out commits 
   related to old issues from upstream repo. Marked CVE-2019-11291 
   CVE-2021-32718 CVE-2021-32719 as not-affected. Fixed CVE-2017-4965
   CVE-2017-4966 CVE-2017-4967 CVE-2019-11281 CVE-2019-11287 
   CVE-2021-22116. currently on last minute testing. Debdiff[3]

 * runc: Investigating on CVE-2019-16884 CVE-2019-19921 CVE-2021-30465


Regards
Abhijith

[1] - https://salsa.debian.org/users/abhijith/activity
[2] - https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
[3] - https://people.debian.org/~abhijith/upload/rabbitmq-server_deb9u1.debdiff
   
   



Re: ieee-data: are you interested in fixing a non-security related issue?

2021-06-20 Thread Abhijith PA
Hi,

On 06/06/21 07:59 PM, Utkarsh Gupta wrote:
> Hi Samuel,
> 
> On Sun, Jun 6, 2021 at 6:39 PM Samuel Henrique  wrote:
> > I wasn't very clear in the pu request; the ieee-data package ships 2
> > things; the data from ieee and a script to update that data. This
> > issue fully breaks the script's functionality but the original data
> > shipped still "works" fine (though outdated and now without an easy
> > way to update it).
> >
> > [...]
> >
> > So I wouldn't say it's a critical issue, as the user can always
> > manually update the data, but it might be worth it considering the
> > cost/impact of fixing it (as the impact/blast radius is well
> > contained) and there were at least 3 people interested on it (who
> > interacted with the bug reports).

> Thanks, that helps a lot in understanding the issue.
> 
> I'll leave this to Emilio to decide and if he acks, I can issue the
> update & publish the DLA.

(I am on FD this week)

I don't see any problem in fixing those broken URLs and uploading. No 
need of a DLA, I guess. Please also update the homepage link (broken in 
sid too) in the control file as well.


--abhijith



[SECURITY] [DLA 2686-1] python-urllib3 security update

2021-06-15 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2686-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
June 15, 2021 https://wiki.debian.org/LTS
- -

Package: python-urllib3
Version: 1.19.1-1+deb9u1
CVE ID : CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137

Several vulnerabilities were discovered in python-urllib3, an HTTP 
client for Python. 

CVE-2018-20060

Urllib3 does not remove the Authorization HTTP header when 
following a cross-origin redirect (i.e., a redirect that differs 
in host, port, or scheme). This can allow for credentials in the 
Authorization header to be exposed to unintended hosts or 
transmitted in cleartext.

CVE-2019-11236

CRLF injection is possible if the attacker controls the request 
parameter.

CVE-2019-11324

Urllib3 mishandles certain cases where the desired set of CA 
certificates is different from the OS store of CA certificates, 
which results in SSL connections succeeding in situations where a 
verification failure is the correct outcome. This is related to 
use of the ssl_context, ca_certs, or ca_certs_dir argument.

CVE-2020-26137

Urllib3 allows CRLF injection if the attacker controls the HTTP 
request method, as demonstrated by inserting CR and LF control 
characters in the first argument of putrequest().

For Debian 9 stretch, these problems have been fixed in version
1.19.1-1+deb9u1.

We recommend that you upgrade your python-urllib3 packages.

For the detailed security status of python-urllib3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-urllib3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
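
The two classes of bug in the urllib3 advisory above, CVE-2018-20060 and the CRLF issues CVE-2019-11236/CVE-2020-26137, as an added example in C that is not urllib3's code and not its fix: one function decides whether the Authorization header has to be dropped before a redirect is followed by comparing scheme, host and effective port of the two URLs, and another rejects a request method that is not a clean RFC 7230 token, which is what keeps CR and LF off the request line. The function and type names are hypothetical and the URLs in the usage are made up.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The part of a URL that defines "same origin" for a redirect. */
typedef struct {
    char scheme[8];
    char host[256];
    int  port;          /* explicit port, or the scheme default */
} origin;

/* Parse "scheme://host[:port][/...]" into an origin, filling in the default
 * port for http/https. Returns 0 on success, -1 on anything it cannot parse. */
int parse_origin(const char *url, origin *o)
{
    const char *p = strstr(url, "://");
    if (!p || p == url || (size_t)(p - url) >= sizeof o->scheme) return -1;
    memcpy(o->scheme, url, (size_t)(p - url));
    o->scheme[p - url] = '\0';
    for (char *s = o->scheme; *s; s++) *s = (char)tolower((unsigned char)*s);

    p += 3;
    size_t hl = strcspn(p, ":/?#");
    if (hl == 0 || hl >= sizeof o->host) return -1;
    memcpy(o->host, p, hl);
    o->host[hl] = '\0';
    for (char *s = o->host; *s; s++) *s = (char)tolower((unsigned char)*s);

    p += hl;
    if (*p == ':') {
        char *end;
        long port = strtol(p + 1, &end, 10);
        if (end == p + 1 || port <= 0 || port > 65535) return -1;
        o->port = (int)port;
    } else if (strcmp(o->scheme, "https") == 0) {
        o->port = 443;
    } else if (strcmp(o->scheme, "http") == 0) {
        o->port = 80;
    } else {
        return -1;
    }
    return 0;
}

/* CVE-2018-20060: Authorization must not follow a redirect to a different
 * scheme, host or port. Returns 1 if the header has to be dropped; a URL that
 * cannot be parsed fails closed (drop). */
int must_strip_authorization(const char *from_url, const char *to_url)
{
    origin a, b;
    if (parse_origin(from_url, &a) != 0 || parse_origin(to_url, &b) != 0) return 1;
    return strcmp(a.scheme, b.scheme) != 0 ||
           strcmp(a.host, b.host) != 0 ||
           a.port != b.port;
}

/* CVE-2019-11236 / CVE-2020-26137: a value that ends up on the request line
 * must not carry CR, LF or any other control character, or an attacker who
 * controls it can end the line and inject headers. HTTP methods are RFC 7230
 * tokens, so everything outside tchar is rejected. Returns 1 if acceptable. */
int is_valid_method(const char *method)
{
    static const char tchar_punct[] = "!#$%&'*+-.^_`|~";
    if (method == NULL || *method == '\0') return 0;
    for (const unsigned char *c = (const unsigned char *)method; *c; c++) {
        if (*c > 0x7f) return 0;
        if (!isalnum(*c) && strchr(tchar_punct, *c) == NULL) return 0;
    }
    return 1;
}

int main(void)
{
    printf("same origin, new path:   strip=%d\n",
           must_strip_authorization("https://api.example.com/v1", "https://api.example.com/v2"));
    printf("https -> http downgrade: strip=%d\n",
           must_strip_authorization("https://api.example.com/v1", "http://api.example.com/v1"));
    printf("explicit default port:   strip=%d\n",
           must_strip_authorization("https://api.example.com:443/v1", "https://api.example.com/v1"));
    printf("GET valid=%d, injected=%d\n", is_valid_method("GET"),
           is_valid_method("GET /x HTTP/1.1\r\nX-Injected: 1\r\n"));
    return 0;
}
```

Note that the origin comparison treats an explicit `:443` on an https URL as the same origin as the bare host, while a change of scheme alone (https to http) is enough to drop the header: that downgrade is the cleartext exposure the CVE-2018-20060 entry mentions. The token check is deliberately strict rather than a CR/LF blacklist, so a tab, NUL or non-ASCII byte in an attacker-controlled method is refused as well.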



LTS report for May 2021 - Abhijith PA

2021-06-10 Thread Abhijith PA
May was my 39th month as a Debian LTS paid contributor. I was
assigned 14 hours and I spent only 7h and will be carrying the rest to
next month. 

 * samba: Continued work from last month. Backported the rest: 
   CVE-2019-14902 CVE-2019-14907 CVE-2021-20254. Added a couple of 
   autopkgtests from unstable. Tested and uploaded[1].

 * squid3: Investigated and tested on ubuntu[2] and Beuc patches[3]. 
   Will upload soon.

Misc:

 * mqtt-client: Uploaded 1.14-1+deb10u1[4] to proposed-updates.

 Regards
 Abhijith PA

 [1] - https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html
 [2] - https://launchpad.net/ubuntu/+source/squid3/3.5.27-1ubuntu1.11
 [3] - https://www.beuc.net/tmp/debian-elts/squid3/
 [4] - 
https://release.debian.org/proposed-updates/buster_diffs/mqtt-client_1.14-1+deb10u1.debdiff
   



[SECURITY] [DLA 2668-1] samba security update

2021-05-29 Thread Abhijith PA
- -
Debian LTS Advisory DLA-2668-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
May 29, 2021  https://wiki.debian.org/LTS
- -

Package: samba
Version: 2:4.5.16+dfsg-1+deb9u4
CVE ID : CVE-2019-10218 CVE-2019-14833 CVE-2019-14847 CVE-2019-14861 
 CVE-2019-14870 CVE-2019-14902 CVE-2019-14907 CVE-2021-20254
Debian Bug : 946786 

Several vulnerabilities were discovered in Samba, an SMB/CIFS file, 
print, and login server for Unix.


CVE-2019-10218

A flaw was found in the samba client, where a malicious server can 
supply a pathname to the client with separators. This could allow 
the client to access files and folders outside of the SMB network 
pathnames. An attacker could use this vulnerability to create 
files outside of the current working directory using the 
privileges of the client user.

CVE-2019-14833

A flaw was found in Samba, in the way it handles a user password 
change or a new password for a samba user. The Samba Active 
Directory Domain Controller can be configured to use a custom 
script to check for password complexity. This configuration can 
fail to verify password complexity when non-ASCII characters are 
used in the password, which could lead to weak passwords being set 
for samba users, making it vulnerable to dictionary attacks.

CVE-2019-14847

A flaw was found in samba where an attacker can crash AD DC LDAP 
server via dirsync resulting in denial of service. Privilege 
escalation is not possible with this issue.

CVE-2019-14861

Samba has an issue, where the (poorly named) dnsserver RPC pipe 
provides administrative facilities to modify DNS records and 
zones. Samba, when acting as an AD DC, stores DNS records in LDAP. 
In AD, the default permissions on the DNS partition allow creation 
of new records by authenticated users. This is used for example to 
allow machines to self-register in DNS. If a DNS record was 
created that case-insensitively matched the name of the zone, the 
ldb_qsort() and dns_name_compare() routines could be confused into 
reading memory prior to the list of DNS entries when responding to 
DnssrvEnumRecords() or DnssrvEnumRecords2() and so following 
invalid memory as a pointer.

CVE-2019-14870

Samba has an issue, where the S4U (MS-SFU) Kerberos delegation 
model includes a feature allowing for a subset of clients to be 
opted out of constrained delegation in any way, either S4U2Self or 
regular Kerberos authentication, by forcing all tickets for these 
clients to be non-forwardable. In AD this is implemented by a user 
attribute delegation_not_allowed (aka not-delegated), which 
translates to disallow-forwardable. However the Samba AD DC does 
not do that for S4U2Self and does set the forwardable flag even if 
the impersonated client has the not-delegated flag set.

CVE-2019-14902

There is an issue in samba, where the removal of the right to 
create or modify a subtree would not automatically be taken away 
on all domain controllers.

CVE-2019-14907

Samba has an issue where, if it is set with "log level = 3" (or 
above), the string obtained from the client, after a failed 
character conversion, is printed. Such strings can be provided 
during the NTLMSSP authentication exchange. In the Samba AD DC in 
particular, this may cause a long-lived process (such as the RPC 
server) to terminate. (In the file server case, the most likely 
target, smbd, operates as process-per-client and so a crash there is 
harmless).

CVE-2021-20254

A flaw was found in samba. The Samba smbd file server must map 
Windows group identities (SIDs) into unix group ids (gids). The 
code that performs this had a flaw that could allow it to read 
data beyond the end of the array in the case where a negative 
cache entry had been added to the mapping cache. This could cause 
the calling code to return those values into the process token 
that stores the group membership for a user. The highest threat 
from this vulnerability is to data confidentiality and integrity.

For Debian 9 stretch, these problems have been fixed in version
2:4.5.16+dfsg-1+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
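CVE-2019-10218 above is a client-side trust problem: a directory entry name that the server returns gets joined onto a local path, and a name carrying separators walks out of the download directory. The check below is an added example in Python, not Samba's code (Samba is C, and its own fix rejects entry names containing separators). It treats every server-supplied name as hostile until it is proven to be a single plain path component, and then independently checks that the resolved target stays under the download directory. `SAMPLE_SERVER_NAMES` is a constructed list of the kinds of names a client may see.

```python
import os

# Constructed sample of directory entry names as a server could return them
# during a recursive download; only the first two are legitimate.
SAMPLE_SERVER_NAMES = [
    "report.txt",
    "data.bin",
    "..",
    "../../etc/passwd",
    "sub/notes.md",
    "sub\\notes.md",
    "/etc/passwd",
    "",
]

SEPARATORS = ("/", "\\")


def is_safe_entry_name(name):
    """A server-supplied entry name must be one plain path component:
    non-empty, not '.' or '..', no NUL and no path separator of either
    convention (SMB servers may speak Windows-style names)."""
    if not name or name in (".", ".."):
        return False
    if "\x00" in name:
        return False
    return not any(sep in name for sep in SEPARATORS)


def local_target(base_dir, name):
    """Return the absolute local path where `name` may be written, or raise
    ValueError. The containment check is deliberately independent of the
    name check so that a gap in one does not defeat the other."""
    if not is_safe_entry_name(name):
        raise ValueError("rejected server-supplied name: %r" % name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("escapes download dir: %r" % name)
    return target


def triage(base_dir, names):
    """Split names into (accepted local targets, rejected names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(local_target(base_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage("downloads", SAMPLE_SERVER_NAMES)
    for path in ok:
        print("would write", path)
    for name in bad:
        print("rejected   ", repr(name))
```

The second check matters even when the first looks complete: a name check is a denylist of characters, while `realpath` plus `commonpath` asserts the property the client actually cares about, that the file lands inside the directory the user chose.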

Re: CVE-2021-30130 php-phpseclib and phpseclib

2021-05-27 Thread Abhijith PA
Hi Ola,

On 26/05/21 01:45 PM, Ola Lundqvist wrote:
>Hi fellow LTS contributors
> 
>I have checked this CVE and my conclusions are as follows.
>The CVE actually cover five different problems. I guess CVEs should not
>do that, but it did anyway.
> 
>Quote from upstream:
> 
>Two were vulnerabilities in v3.0 involving the new
>RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
> 
>Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1
>mode (which again, doesn't exist in 2.0)
> 
>One was a bug in v1.0, v2.0 and v3.0.
> 
>The bug refers to "We have also found incompatibility issue in
>phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature
>verification suffering from rejecting valid signatures whose encoded
>message uses implicit hash algorithm's NULL parameter."
> 
>My conclusion is that one bug can be fixed. But I do not think it is a
>security problem. The problem is that some signatures fail valid
>signatures, if they are encoded in a special way.
> 
>What I have done is to mark the CVE as not-affected with a note about
>this.
> 
>Let me know if you think my analysis is correct.

I've gone through those comments and fixes. Since the valid-signature 
failing bug in v1 and v2 is not a security issue, I think marking 
CVE-2021-30130 as not-affected is the way to go. Sorry for holding up the 
package.

--abhijith 



Re: Upgrade problems from LTS -> LTS+1

2021-05-17 Thread Abhijith PA
On 17/05/21 04:54 PM, Utkarsh Gupta wrote:
> Hello,
> 
> On Mon, May 17, 2021 at 3:08 PM Ola Lundqvist  wrote:
> > mqtt-client: 1.14-1+deb9u1 newer than 1.14-1
> 
> Abhijith, can you please take care of this? You need a -pu update
> prepared for this.

Okay, I will take care of this. The issue is there is no DSA in buster, so 
I guess this will be in the next point release.


--abhijith



Re: LTS report for April 2021 - Abhijith PA

2021-05-09 Thread Abhijith PA
On 10/05/21 12:34 AM, Abhijith PA wrote:
> March was my 38th month as a Debian LTS paid contributor.
  ^

 Oops, April.


 



LTS report for April 2021 - Abhijith PA

2021-05-09 Thread Abhijith PA
March was my 38th month as a Debian LTS paid contributor. I was
assigned 14 hours and I spent all of them for the following:

 * mediawiki: There were 8 CVEs reported. CVE-2021-20270 
   CVE-2021-27291 CVE-2021-30152 CVE-2021-30154 CVE-2021-30155 
   CVE-2021-30157 CVE-2021-30158 CVE-2021-30159. Marked CVE-2021-30154 
   CVE-2021-30157 as not-affected and fixed rest. Uploaded and 
   released [DLA 2648-1][1], [DLA 2648-2][2] regression update.

 * smarty3: Fixed a regression and uploaded [DLA 2618-2][3]. Thanks to 
   Benjamin Renard for finding it.

 * samba: There were 9 CVEs including the no-dsa tagged ones. 
   So far backported CVE-2019-10218 CVE-2019-14833 CVE-2019-14847 
   CVE-2019-14861 CVE-2019-14870. Continuing work on remaining fixes.
   Build available[4] for testing.


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2021/05/msg3.html
[2] - https://lists.debian.org/debian-lts-announce/2021/05/msg6.html
[3] - https://lists.debian.org/debian-lts-announce/2021/04/msg00014.html
[4] - https://people.debian.org/~abhijith/upload/vda/samba_4.5.16+dfsg-1+deb9u4.dsc



[SECURITY] [DLA 2648-2] mediawiki regression update

2021-05-06 Thread Abhijith PA
-
Debian LTS Advisory DLA-2648-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
May 07, 2021                                  https://wiki.debian.org/LTS
-

Package: mediawiki
Version: 1:1.27.7-1~deb9u9
CVE ID : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 
 CVE-2021-30155 CVE-2021-30158 CVE-2021-30159
Debian Bug : 985574 984664 

The patch from the latest upstream release to address CVE-2021-30152 was 
not portable to the stretch-security version, causing MediaWiki APIs to 
fail. This update includes a patch from the upstream REL_31 release which 
fixes the issue.

For Debian 9 stretch, this problem has been fixed in version
1:1.27.7-1~deb9u9.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2648-1] mediawiki security update

2021-05-04 Thread Abhijith PA
-
Debian LTS Advisory DLA-2648-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
May 05, 2021                                  https://wiki.debian.org/LTS
-

Package: mediawiki
Version: 1:1.27.7-1~deb9u8
CVE ID : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 
 CVE-2021-30155 CVE-2021-30158 CVE-2021-30159
Debian Bug : 985574 984664

Several vulnerabilities were discovered in mediawiki, a wiki 
website engine for collaborative work.

CVE-2021-20270

An infinite loop in SMLLexer in Pygments, used by mediawiki as 
one of its lexers, may lead to denial of service when performing 
syntax highlighting of a Standard ML (SML) source file, as 
demonstrated by input that only contains the "exception" keyword.

CVE-2021-27291

Pygments, the lexer library used by mediawiki, relies heavily on regular 
expressions. Some of the regular expressions have exponential or 
cubic worst-case complexity and are vulnerable to ReDoS. By 
crafting malicious input, an attacker can cause a denial of service.

CVE-2021-30152

An issue was discovered in MediaWiki. When using the MediaWiki 
API to "protect" a page, a user is currently able to protect to a 
higher level than they currently have permissions for.

CVE-2021-30155

An issue was discovered in MediaWiki. ContentModelChange 
does not check if a user has correct permissions to create and set 
the content model of a nonexistent page.

CVE-2021-30158

An issue was discovered in MediaWiki. Blocked users are unable to 
use Special:ResetTokens. This has security relevance because a 
blocked user might have accidentally shared a token, or might know 
that a token has been compromised, and yet is not able to block 
any potential future use of the token by an unauthorized party.

CVE-2021-30159

An issue was discovered in MediaWiki. Users can bypass intended 
restrictions on deleting pages in certain "fast double move" 
situations. MovePage::isValidMoveTarget() uses FOR UPDATE, but 
it's only called if Title::getArticleID() returns non-zero with no 
special flags. Next, MovePage::moveToInternal() will delete the 
page if getArticleID(READ_LATEST) is non-zero. Therefore, if the 
page is missing in the replica DB, isValidMove() will return true, 
and then moveToInternal() will unconditionally delete the page if 
it can be found in the master.

For Debian 9 stretch, these problems have been fixed in version
1:1.27.7-1~deb9u8.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2618-2] smarty3 regression update

2021-04-16 Thread Abhijith PA
-
Debian LTS Advisory DLA-2618-2                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
April 16, 2021                                https://wiki.debian.org/LTS
-

Package: smarty3
Version: 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u3
CVE ID : CVE-2018-13982 CVE-2021-26119 CVE-2021-26120
Debian Bug : 986691

The update of smarty3 released as DLA-2618-1 induced a regression due 
to a syntax error in sysplugins/smarty_security.php.  

For Debian 9 stretch, this problem has been fixed in version
3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u3.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



LTS report for March 2021 - Abhijith PA

2021-04-07 Thread Abhijith PA
March was my 37th month as a Debian LTS paid contributor. I was 
assigned 9 hours and I spent all of them for the following:

* smarty3: Backported patches for CVE-2018-13982, CVE-2021-26119, 
  CVE-2021-26120, CVE-2018-16831. Tested and uploaded. [DLA 2618-1][1]
  
* privoxy: Released [DLA 2587-1][2] and webpage announcements 
  for privoxy_3.0.26-3+deb9u2 uploaded by Roland Rosenfeld.  

* gsoap: There are 5 CVEs remaining. Combing through the upstream 
  source for patches. Pinged upstream dev for help.

* ruby-activerecord-session-store: Marked CVE-2019-25025 as ignored[3]


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2021/04/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2021/03/msg9.html
[3] - https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6228ca3b86631280837cb1601bb368e316fc4307



[SECURITY] [DLA 2618-1] smarty3 security update

2021-04-05 Thread Abhijith PA
-
Debian LTS Advisory DLA-2618-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
April 05, 2021                                https://wiki.debian.org/LTS
-

Package: smarty3
Version: 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u2
CVE ID : CVE-2018-13982 CVE-2021-26119 CVE-2021-26120

Several vulnerabilities were discovered in smarty3, a template engine 
for PHP.

CVE-2018-13982

Path traversal vulnerability due to insufficient sanitization of 
code in Smarty templates. This allows attackers controlling the 
Smarty template to bypass the trusted directory security 
restriction and read arbitrary files.

CVE-2021-26119

Allows a sandbox escape because $smarty.template_object can be 
accessed in sandbox mode.

CVE-2021-26120

Allows code injection via an unexpected function 
name after a {function name= substring.

For Debian 9 stretch, these problems have been fixed in version
3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u2.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/smarty3

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-09 Thread Abhijith PA
On 09/03/21 10:47 AM, Roland Rosenfeld wrote:
> Hi Abhijith!
> 
> On Di, 09 Mär 2021, Abhijith PA wrote:
> 
> > Roland, thanks again for the patch. I can see that last LTS update
> > (3.0.26-3+deb9u1) done by you. Hope you can upload this time as
> > well. If not, let me know. I am happy to help. Once uploaded to
> > archive I will take care of DLA and announcements.
> 
> Thanks for your support.
> 
> I just uploaded privoxy_3.0.26-3+deb9u2_source.changes to
> security-master.
> 
> Once it is installed, it would be great if you could do DLA etc.

DLA 2587-1. This is done. Thanks

--abhijith



[SECURITY] [DLA 2587-1] privoxy security update

2021-03-09 Thread Abhijith PA
-
Debian LTS Advisory DLA-2587-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
March 09, 2021                                https://wiki.debian.org/LTS
-

Package: privoxy
Version: 3.0.26-3+deb9u2
CVE ID : CVE-2021-20272 CVE-2021-20273 CVE-2021-20275 
 CVE-2021-20276

Multiple vulnerabilities were discovered in privoxy, a web proxy with 
advanced filtering capabilities.

CVE-2021-20272

An assertion failure could be triggered with a crafted CGI 
request leading to server crash.

CVE-2021-20273

A crash can occur via a crafted CGI request if Privoxy is toggled 
off.

CVE-2021-20275

 An invalid read of size two may occur in 
 chunked_body_is_complete() leading to denial of service.

CVE-2021-20276

Invalid memory access with an invalid pattern passed to 
pcre_compile() may lead to denial of service.

For Debian 9 stretch, these problems have been fixed in version
3.0.26-3+deb9u2.

We recommend that you upgrade your privoxy packages.

For the detailed security status of privoxy please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/privoxy

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: privoxy stretch package 3.0.26-3+deb9u2 prepared

2021-03-08 Thread Abhijith PA
Hello

On 08/03/21 05:16 PM, Sylvain Beucler wrote:
> Hi!
> 
> Thanks for preparing a LTS fix for privoxy.
> 
> For reference, our full procedure is documented at:
> https://wiki.debian.org/LTS/Development
> 
> To answer your points:
> 
> - The debdiff looks good to me
> 
> - Salvatore updated the CVE-2021-20274 status accordingly
> 
> - 'minor issue' means there is not immediate urgency, so the buster/stable
> fixes may be delayed to a point release.
> LTS does not have a point release system so an LTS upload sounds good.
> 
> - Abhijith (in Cc:) announced his intention to work on the package yesterday
> [1], you probably can coordinate with him for the next steps, in particular
> who will take care of sending the e-mail and website announcements.
> [1] 
> https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/dla-needed.txt

Roland, thanks again for the patch. I can see that the last LTS update 
(3.0.26-3+deb9u1) was done by you. Hope you can upload this time as well. 
If not, let me know. I am happy to help. Once uploaded to the archive I 
will take care of DLA and announcements.

--abhijith 



LTS report for February 2021 - Abhijith PA

2021-03-08 Thread Abhijith PA

February was my 36th month as a Debian LTS paid contributor. I had a 
total of 19h (assigned and carried from last month). I spent all of 
them for the following;

 * python-pysaml2: Fixed CVE-2017-1000433, CVE-2021-21239. Marked 
   CVE-2021-21238 as ignored[1]. Kept other issues as they are due to 
   invasive changes. DLA 2577-1[2].

 * spip: Fixed TEMP-000-803658[3]. Backported all related patches 
   from buster. DLA 2579-1[4].

 * mqtt-client: Included mqtt-client in CVE-2019-0222. Fixed and 
   released DLA 2582-1[5]

 * activemq: Fixed CVE-2017-15709 CVE-2018-11775 CVE-2019-0222 
   CVE-2021-26117. Thanks to Markus for testing the build.
   DLA 2583-1[6]

 * libcaca: Fixed CVE-2021-3410. Tested against PoC[7]. DLA 2584-1[8]

 * jackson-dataformat-cbor: Marked CVE-2020-28491 as no-dsa, though 
   fixes are backported and tests are adjusted. Patch[9]
   
 * 01/03 - 07/03, 1 week of front desk duty.


 Regards
 Abhijith PA

 [1] - https://security-tracker.debian.org/tracker/CVE-2021-21238
 [2] - https://lists.debian.org/debian-lts-announce/2021/02/msg00038.html
 [3] - https://security-tracker.debian.org/tracker/TEMP-000-803658
 [4] - https://lists.debian.org/debian-lts-announce/2021/03/msg1.html
 [5] - https://lists.debian.org/debian-lts-announce/2021/03/msg4.html
 [6] - https://lists.debian.org/debian-lts-announce/2021/03/msg5.html
 [7] - https://bugzilla.redhat.com/attachment.cgi?id=1756895
 [8] - https://lists.debian.org/debian-lts-announce/2021/03/msg6.html
 [9] - https://people.debian.org/~abhijith/CVE-2020-28491.txt



[SECURITY] [DLA 2584-1] libcaca security update

2021-03-06 Thread Abhijith PA
-
Debian LTS Advisory DLA-2584-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
March 07, 2021                                https://wiki.debian.org/LTS
-

Package: libcaca
Version: 0.99.beta19-2.1~deb9u2
CVE ID : CVE-2021-3410
Debian Bug : 983684

A buffer overflow issue in the caca_resize function in 
libcaca/caca/canvas.c may lead to local execution of arbitrary code in 
the user context.

For Debian 9 stretch, this problem has been fixed in version
0.99.beta19-2.1~deb9u2.

We recommend that you upgrade your libcaca packages.

For the detailed security status of libcaca please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libcaca

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2583-1] activemq security update

2021-03-05 Thread Abhijith PA
-
Debian LTS Advisory DLA-2583-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
March 05, 2021                                https://wiki.debian.org/LTS
-

Package: activemq
Version: 5.14.3-3+deb9u2
CVE ID : CVE-2017-15709 CVE-2018-11775 CVE-2019-0222 
 CVE-2021-26117
Debian Bug : 890352 908950 982590

Multiple security issues were discovered in activemq, a message 
broker built around Java Message Service.

CVE-2017-15709

When using the OpenWire protocol in activemq, it was found that 
certain system details (such as the OS and kernel version) are 
exposed as plain text.

CVE-2018-11775

TLS hostname verification when using the Apache ActiveMQ Client 
was missing which could make the client vulnerable to a MITM 
attack between a Java application using the ActiveMQ client and 
the ActiveMQ server. This is now enabled by default.

CVE-2019-0222

Unmarshalling a corrupt MQTT frame can lead to a broker Out of Memory 
exception, making it unresponsive.

CVE-2021-26117

The optional ActiveMQ LDAP login module can be configured to use
anonymous access to the LDAP server. The anonymous context is used 
to verify a valid user's password in error, resulting in no check 
on the password.

For Debian 9 stretch, these problems have been fixed in version
5.14.3-3+deb9u2.

We recommend that you upgrade your activemq packages.

For the detailed security status of activemq please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/activemq

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
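The sentence in CVE-2021-26117 about the anonymous context being "used to verify a valid user's password" is clearer as code. The Python model below is an added example, not ActiveMQ's Java login module: `ToyLdapServer` is a constructed stand-in for a directory, `login_vulnerable` reuses the anonymous context from the user search as if it proved the password, and `login_fixed` binds as the user's own DN with the supplied password. The fixed version also refuses empty passwords, because a bind that supplies a DN and an empty password is an "unauthenticated" bind that LDAP servers answer as anonymous (RFC 4513, section 5.1.2), which would silently reintroduce the same no-check outcome.

```python
class InvalidCredentials(Exception):
    """Raised by the toy server for a bind with a wrong password."""


class LdapContext:
    """A connection after a bind; bound_as is None for anonymous."""

    def __init__(self, server, bound_as):
        self.server = server
        self.bound_as = bound_as

    def search_user_dn(self, uid):
        """Look a user up by uid and return its DN (or None)."""
        for dn, entry in self.server.entries.items():
            if entry["uid"] == uid:
                return dn
        return None


class ToyLdapServer:
    """Constructed stand-in for a directory: DN -> {uid, password}."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn=None, password=None):
        if dn is None:
            return LdapContext(self, bound_as=None)      # anonymous bind
        if password == "":
            # RFC 4513 section 5.1.2: DN plus empty password is an
            # "unauthenticated" bind, which servers answer as anonymous.
            return LdapContext(self, bound_as=None)
        entry = self.entries.get(dn)
        if entry is None or entry["password"] != password:
            raise InvalidCredentials(dn)
        return LdapContext(self, bound_as=dn)


def login_vulnerable(server, uid, password):
    """Flawed flow: the anonymous context used for the user search is
    reused as if it verified the password, so the password is never
    presented to the directory at all."""
    ctx = server.bind()
    dn = ctx.search_user_dn(uid)
    if dn is None:
        return False
    # Bug: "verification" is the existing anonymous context, not a bind
    # as `dn` with `password`.
    verified = ctx
    return verified is not None


def login_fixed(server, uid, password):
    """Search anonymously, then bind as the user's own DN with the
    supplied password; empty passwords are refused up front so the
    unauthenticated-bind rule cannot stand in for a real check."""
    if not password:
        return False
    dn = server.bind().search_user_dn(uid)
    if dn is None:
        return False
    try:
        user_ctx = server.bind(dn, password)
    except InvalidCredentials:
        return False
    return user_ctx.bound_as == dn


# Constructed directory content.
DIRECTORY = ToyLdapServer({
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice",
                                             "password": "correct-horse"},
})

if __name__ == "__main__":
    print("vulnerable, wrong password:", login_vulnerable(DIRECTORY, "alice", "nope"))
    print("fixed, wrong password:     ", login_fixed(DIRECTORY, "alice", "nope"))
    print("fixed, right password:     ", login_fixed(DIRECTORY, "alice", "correct-horse"))
```

The test of any LDAP-backed login is that the only context trusted as proof of identity is one obtained by binding with the user's own DN and a non-empty password; a context that was opened anonymously, or by a service account, can locate the user but says nothing about the credential being checked.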



[SECURITY] [DLA 2582-1] mqtt-client security update

2021-03-05 Thread Abhijith PA
-
Debian LTS Advisory DLA-2582-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
March 05, 2021                                https://wiki.debian.org/LTS
-

Package: mqtt-client
Version: 1.14-1+deb9u1
CVE ID : CVE-2019-0222
Debian Bug : 925964

A vulnerability was discovered in mqtt-client where unmarshalling a 
corrupt MQTT frame can lead to a broker Out of Memory exception, making 
it unresponsive.

For Debian 9 stretch, this problem has been fixed in version
1.14-1+deb9u1.

We recommend that you upgrade your mqtt-client packages.

For the detailed security status of mqtt-client please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mqtt-client

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2579-1] spip security update

2021-03-02 Thread Abhijith PA
-
Debian LTS Advisory DLA-2579-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
March 02, 2021                                https://wiki.debian.org/LTS
-

Package: spip
Version: 3.1.4-4~deb9u4+deb9u1

It was discovered that SPIP, a website engine for publishing, would
allow a malicious user to perform cross-site scripting attacks, access
sensitive information, or execute arbitrary code.

For Debian 9 stretch, this problem has been fixed in version
3.1.4-4~deb9u4+deb9u1.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/spip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2577-1] python-pysaml2 security update

2021-02-25 Thread Abhijith PA
-
Debian LTS Advisory DLA-2577-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
February 26, 2021                             https://wiki.debian.org/LTS
-

Package: python-pysaml2
Version: 3.0.0-5+deb9u2
CVE ID : CVE-2017-1000433 CVE-2021-21239
Debian Bug : 886423 CVE-2021-21239

Several issues have been found in python-pysaml2, a pure python 
implementation of SAML Version 2 Standard.

CVE-2017-1000433

 pysaml2 accepts any password when run with python optimizations 
 enabled. This allows attackers to log in as any user without 
 knowing their password.

CVE-2021-21239

 pysaml2 has an improper verification of cryptographic signature
 vulnerability. Users of pysaml2 that use the default
 CryptoBackendXmlSec1 backend and need to verify signed SAML
 documents are impacted. PySAML2 does not ensure that a signed
 SAML document is correctly signed. The default
 CryptoBackendXmlSec1 backend is using the xmlsec1 binary to
 verify the signature of signed SAML documents, but by default
 xmlsec1 accepts any type of key found within the given document.
 xmlsec1 needs to be configured explicitly to use only _x509
 certificates_ for the verification process of the SAML document signature.

For Debian 9 stretch, these problems have been fixed in version
3.0.0-5+deb9u2.

We recommend that you upgrade your python-pysaml2 packages.

For the detailed security status of python-pysaml2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/python-pysaml2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
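The whole of CVE-2021-21239 is a question of which key the verifier uses: the one the document carries in its KeyInfo, or the one the verifier was configured to trust. The Python below is an added illustration, not pysaml2 or xmlsec1 code. It uses textbook RSA over Mersenne primes as a deliberately toy signature scheme (tiny keys, no padding; not for real use), a dict standing in for a signed SAML assertion, and one verifier per policy. The key material and assertion bodies are constructed for the example.

```python
import hashlib


def toy_keypair(p, q, e=65537):
    """Textbook RSA keypair from two primes (toy; needs Python 3.8+ for
    the modular inverse). Returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(n, message):
    """SHA-256 of the message reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def toy_sign(private_key, message):
    n, d = private_key
    return pow(_digest(n, message), d, n)


def toy_verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(n, message)


def make_signed_doc(body, private_key, public_key):
    """A signed document that, like a SAML assertion with <ds:KeyInfo>,
    carries the public key it claims to be signed with."""
    return {"body": body,
            "key_info": public_key,
            "signature": toy_sign(private_key, body)}


def verify_with_embedded_key(doc):
    """The flawed default: whatever key the document carries is used to
    check the signature, so the document vouches for itself."""
    return toy_verify(doc["key_info"], doc["body"], doc["signature"])


def verify_with_trusted_key(doc, trusted_key):
    """The fix: key_info is ignored; only the key the verifier already
    holds (the IdP certificate, in SAML terms) can validate a signature."""
    return toy_verify(trusted_key, doc["body"], doc["signature"])


# Constructed keys: the identity provider's key and a second key the
# service provider has never been told about.
IDP_PUB, IDP_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)

GENUINE = make_signed_doc(b"<Assertion>uid=alice</Assertion>", IDP_PRIV, IDP_PUB)
UNTRUSTED = make_signed_doc(b"<Assertion>uid=admin</Assertion>", OTHER_PRIV, OTHER_PUB)

if __name__ == "__main__":
    for name, doc in (("genuine", GENUINE), ("untrusted-key", UNTRUSTED)):
        print(name,
              "embedded-key verifier:", verify_with_embedded_key(doc),
              "trusted-key verifier:", verify_with_trusted_key(doc, IDP_PUB))
```

Both verifiers accept the genuine assertion; only the trusted-key verifier rejects the one signed with a key it has never seen, which is exactly the property the advisory describes as missing. The practical equivalent is the fix the advisory names: configure xmlsec1 with the IdP's x509 certificate as the only allowed verification key rather than letting it pick one up from the document.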



LTS report for January 2021 - Abhijith PA

2021-02-09 Thread Abhijith PA
January was my 35th month as a Debian LTS paid contributor. I had a 
total of 28h. I've spent only 9h and carrying remaining hours to next 
month.

 * spice-vdagent: Fixed CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 
   CVE-2020-25652 CVE-2020-25653, tested and uploaded[1]. Also 
   preparing build for Buster. Thanks to Liang Guo for testing the 
   builds.
   
 * f2fs-tools: Marked open issues CVE-2020-6108 CVE-2020-6107 
   CVE-2020-6106 CVE-2020-6105 CVE-2020-6104 CVE-2020-6070 as no-dsa.

 * python-pysaml2: Working on CVE-2021-21239 CVE-2021-21238 
   CVE-2017-1000433. Brian May backported the patches for the first 
   two CVEs.


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html



[SECURITY] [DLA 2524-1] spice-vdagent security update

2021-01-13 Thread Abhijith PA
-
Debian LTS Advisory DLA-2524-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/          Abhijith PA
January 13, 2021                              https://wiki.debian.org/LTS
-

Package: spice-vdagent
Version: 0.17.0-1+deb9u1
CVE ID : CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 
 CVE-2020-25653
Debian Bug : 883238 973769

Several vulnerabilities were discovered in spice-vdagent, a SPICE 
guest agent for enhancing SPICE integration and experience.

CVE-2017-15108

spice-vdagent does not properly escape the save directory before 
passing it to the shell, allowing a local attacker with access to the
session the agent runs in to inject arbitrary commands to be
executed.

CVE-2020-25650

A flaw was found in the way the spice-vdagentd daemon handled file 
transfers from the host system to the virtual machine. Any 
unprivileged local guest user with access to the UNIX domain 
socket path `/run/spice-vdagentd/spice-vdagent-sock` could use 
this flaw to perform a memory denial of service for spice-vdagentd 
or even other processes in the VM system. The highest threat from 
this vulnerability is to system availability. This flaw affects 
spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

A flaw was found in the SPICE file transfer protocol. File data 
from the host system can end up in full or in parts in the client 
connection of an illegitimate local user in the VM system. Active 
file transfers from other users could also be interrupted, 
resulting in a denial of service. The highest threat from this 
vulnerability is to data confidentiality as well as system 
availability.

CVE-2020-25652

A flaw was found in the spice-vdagentd daemon, where it did not 
properly handle client connections that can be established via the 
UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. 
Any unprivileged local guest user could use this flaw to prevent 
legitimate agents from connecting to the spice-vdagentd daemon, 
resulting in a denial of service. The highest threat from this 
vulnerability is to system availability. 

CVE-2020-25653

A race condition vulnerability was found in the way the 
spice-vdagentd daemon handled new client connections. This flaw 
may allow an unprivileged local guest user to become the active 
agent for spice-vdagentd, possibly resulting in a denial of 
service or information leakage from the host. The highest threat 
from this vulnerability is to data confidentiality as well as 
system availability.

For Debian 9 stretch, these problems have been fixed in version
0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/spice-vdagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




LTS report for December 2020 - Abhijith PA

2021-01-07 Thread Abhijith PA
December was my 34th month as a Debian LTS paid contributor. I had a
total of 14 hours. I've spent only 7 hours and am carrying the remaining
hours to next month.

 * spip: Fixed CVE-2020-28984, tested and uploaded[1].

 * opendmarc: Researching on the remaining CVEs

 * python-autobahn: Marked CVE-2020-35678 as ignored [2]

 * spice-vdagent: Preparing fix. Corresponding with old maintainer.


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/12/msg00036.html
[2] - 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f352926176d82f2800f2594f3a189137eda0a33f.diff




LTS report for November 2020 - Abhijith PA

2020-12-06 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

November was my 33rd month as a Debian LTS paid contributor. I had a
total of 12 hours. I've spent all of them on the following:

  * 1 week of LTS front desk

  * lxml: Fixed CVE-2018-19787 CVE-2020-27783, tested and uploaded[1]

  * spice-vdagent: Working on open CVEs. Only CVE-2020-25650 is partially
backported. Asked the maintainer for help, who also agreed.

  * salt: Fixed CVE-2020-16846 CVE-2020-17490 CVE-2020-25592, tested and
uploaded[2].

- Created new page LTS/TestSuites/salt[3] and documented running tests.


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/11/msg00044.html
[2] - https://lists.debian.org/debian-lts-announce/2020/12/msg7.html
[3] - https://wiki.debian.org/LTS/TestSuites/salt
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2480-1] salt security update

2020-12-04 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2480-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
December 04, 2020 https://wiki.debian.org/LTS
-

Package: salt
Version: 2016.11.2+ds-1+deb9u6
CVE ID : CVE-2020-16846 CVE-2020-17490 CVE-2020-25592

Several vulnerabilities were discovered in salt.

CVE-2020-16846

An unauthenticated user with network access to the Salt API can use
shell injections to run code on the Salt-API using the SSH client.

CVE-2020-17490

When using the functions create_ca, create_csr, and
create_self_signed_cert in the tls execution module, it would not
ensure the key was created with the correct permissions.

CVE-2020-25592

Properly validate eauth credentials and tokens along with their Access
Control Lists (ACLs). Prior to this change, eauth was not properly
validated when calling Salt SSH via the salt-api. Any value for "eauth"
or "token" would allow a user to bypass authentication and make calls
to Salt SSH.

For Debian 9 stretch, these problems have been fixed in version
2016.11.2+ds-1+deb9u6.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/salt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2467-1] lxml security update

2020-11-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2467-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
November 26, 2020 https://wiki.debian.org/LTS
-

Package: lxml
Version: 3.7.1-1+deb9u1
CVE ID : CVE-2018-19787 CVE-2020-27783


CVE-2018-19787

It was discovered that there was an XSS injection vulnerability in
the LXML HTML/XSS manipulation library for Python.

CVE-2020-27783

javascript escaping through the  and 

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-11-18 Thread Abhijith PA
Hello Brian,

On 17/11/20 2:14 am, Brian May wrote:
> Abhijith PA  writes:
> 
>> I generated the DLA for jupyter-notebook just before upload. But the upload was
>> rejected due to `Built-Using refers to non-existing source package`. I have
>> pinged the ftp masters a couple of times to manually move the needed packages to
>> security-master. If any ftp masters are here, please help.
> 
> I have a similar issue. I opened up a bug report:
> 
> https://bugs.debian.org/974877
> 
> I suggest you do the same. At least with the bug report there is a
> formal public record of the pending request.

Thanks for the suggestion. I filed a bug report (#974954) two days ago.

Also, my issue is cleared and jupyter-notebook is *accepted*. I hope
golang-github-ncw-rclone-dev is cleared too.

--abhijith



[SECURITY] [DLA 2432-1] jupyter-notebook security update

2020-11-18 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2432-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
November 19, 2020 https://wiki.debian.org/LTS
-

Package: jupyter-notebook
Version: 4.2.3-4+deb9u1
CVE ID : CVE-2018-8768 CVE-2018-19351 CVE-2018-21030
Debian Bug : 893436 917409

Several vulnerabilities have been discovered in jupyter-notebook.

CVE-2018-8768

A maliciously forged notebook file can bypass sanitization to execute
Javascript in the notebook context. Specifically, invalid HTML is
'fixed' by jQuery after sanitization, making it dangerous.

CVE-2018-19351

jupyter-notebook allows XSS via an untrusted notebook because nbconvert
responses are considered to have the same origin as the notebook server.

CVE-2018-21030

jupyter-notebook does not use a CSP header to treat served files as
belonging to a separate origin. Thus, for example, an XSS payload can
be placed in an SVG document.

For Debian 9 stretch, these problems have been fixed in version
4.2.3-4+deb9u1.

We recommend that you upgrade your jupyter-notebook packages.

For the detailed security status of jupyter-notebook please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jupyter-notebook

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-11-16 Thread Abhijith PA
Hi,

On 16/11/20 5:06 pm, Emilio Pozuelo Monfort wrote:
> Hi,
...
> fwiw the jupyter-notebook DLA is not in -announce either, so it's not just
> missing in the website.

I generated the DLA for jupyter-notebook just before upload. But the upload was
rejected due to `Built-Using refers to non-existing source package`. I have
pinged the ftp masters a couple of times to manually move the needed packages to
security-master. If any ftp masters are here, please help.

--abhijith



Re: Time to remove cacti from dla-needed?

2020-11-07 Thread Abhijith PA
Hey,

On 06/11/20 11:03 am, Utkarsh Gupta wrote:
> Hi Abhijith,
> 
> If I am parsing your note for cacti in dla-needed correctly, does it
> make sense to remove the package from dla-needed file altogether
> (since all remaining issues are no-dsa and can be fixed with the next
> upload)?

Yes, it can be removed.

--



LTS report for October 2020 - Abhijith PA

2020-11-04 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

October was my 32nd month as a Debian LTS paid contributor. I had a
total of 16 hours (14h assigned and 2h from last month). I've spent all of
them for the following,


 * Front-desk duty from 05-10 to 11-10

 * tinymce: Marked CVE-2019-1010091, CVE-2020-12648 as ignored. Unable
   to reproduce. Marked CVE-2020-17480 as no-dsa.

 * phpmyadmin: Uploaded the package prepared by William Desportes and
   released DLA[1].

 * junit4: Fixed CVE-2020-15250, tested and uploaded[2].

 * jupyter-notebook: There were 6 CVEs. Marked CVE-2018-19352 as not-
   affected[3]. Marked CVE-2019-10255, CVE-2019-9644 as no-dsa[4]. Fixed
   CVE-2018-19351 CVE-2018-21030 CVE-2018-8768. Upload stuck due to
   #823820[5]



Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/10/msg00024.html
[2] - https://lists.debian.org/debian-lts-announce/2020/11/msg3.html
[3] -
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1166b5e0
[4] -
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1166b5e0
[5] - https://bugs.debian.org/823820




-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2426-1] junit4 security update

2020-11-01 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2426-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
November 01, 2020 https://wiki.debian.org/LTS
-

Package: junit4
Version: 4.12-4+deb9u1
CVE ID : CVE-2020-15250
Debian Bug : 972231

In junit4 the test rule TemporaryFolder contains a local information
disclosure vulnerability. On Unix-like systems, the system's temporary
directory is shared between all users on that system. Because of this,
when files and directories are written into this directory they are, by
default, readable by other users on that same system. This vulnerability
does not allow other users to overwrite the contents of these directories
or files. This is purely an information disclosure vulnerability. This
vulnerability impacts you if the JUnit tests write sensitive information,
like API keys or passwords, into the temporary folder, and the JUnit
tests execute in an environment where the OS has other untrusted users.

For Debian 9 stretch, this problem has been fixed in version
4.12-4+deb9u1.

We recommend that you upgrade your junit4 packages.

For the detailed security status of junit4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/junit4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: phpMyAdmin upload for stretch

2020-10-25 Thread Abhijith PA
Hi,

On 23/10/20 9:24 pm, Abhijith PA wrote:
> Hi,
> 
> On 23/10/20 8:20 pm, Utkarsh Gupta wrote:
>> Hi Abhijith,
>>
>> William, both upstream and downstream maintainer, CCed here, has
>> prepared an upload for stretch.
>> cf: 
>> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u2.dsc
>>
>> I generally sponsor all his upload and he asked me to do this as well.
>> But since you have this claimed in dla-needed.txt, I'd want to know
>> how would you like to proceed here?
> 
> Thanks for pointing it out. I will take care of the upload.


I've uploaded and released DLA as well.

--abhijith





[SECURITY] [DLA 2413-1] phpmyadmin security update

2020-10-25 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2413-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
October 25, 2020  https://wiki.debian.org/LTS
-

Package: phpmyadmin
Version: 4.6.6-4+deb9u2
CVE ID : CVE-2019-19617 CVE-2020-26934 CVE-2020-26935
Debian Bug : 971999 972000

Several vulnerabilities were found in the phpmyadmin package.

CVE-2019-19617

phpMyAdmin does not escape certain Git information, related to
libraries/classes/Display/GitRevision.php and
libraries/classes/Footer.php.

CVE-2020-26934

A vulnerability was discovered where an attacker can cause an XSS
attack through the transformation feature.

If an attacker sends a crafted link to the victim with the malicious
JavaScript, when the victim clicks on the link, the JavaScript will run
and complete the instructions made by the attacker.

CVE-2020-26935

An SQL injection vulnerability was discovered in how phpMyAdmin
processes SQL statements in the search feature. An attacker could use
this flaw to inject malicious SQL in to a query.

For Debian 9 stretch, these problems have been fixed in version
4.6.6-4+deb9u2.

We recommend that you upgrade your phpmyadmin packages.

For the detailed security status of phpmyadmin please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/phpmyadmin

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: phpMyAdmin upload for stretch

2020-10-23 Thread Abhijith PA
Hi,

On 23/10/20 8:20 pm, Utkarsh Gupta wrote:
> Hi Abhijith,
> 
> William, both upstream and downstream maintainer, CCed here, has
> prepared an upload for stretch.
> cf: 
> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u2.dsc
> 
> I generally sponsor all his upload and he asked me to do this as well.
> But since you have this claimed in dla-needed.txt, I'd want to know
> how would you like to proceed here?

Thanks for pointing it out. I will take care of the upload.

--a



Re: Question regarding security issues in LTS/Extended LTS packages

2020-10-22 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi Antoine,

On 19/10/20 6:50 pm, Antoine Cervoise wrote:
> Hi,
>
>
> I'm not familiar with how to report security issues regarding
> packages under LTS/Extended LTS support. I've reported this issue on
> poppler-utils (included in poppler package, listed here:
>
> https://deb.freexian.com/extended-lts/docs/supported-packages/) few
> months ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942391.
>
> Is this security issue supported by Extended LTS program?

ELTS has a separate contact point.

> If I found other security issues (such as this one
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944979 which is not
> supported by Extended LTS),

If you found security issues in jessie that are unsupported by ELTS, it is
very unlikely anyone will fix them.

> shall I report the issue on the Debian bug
> tracker or send it here (or both)?

You can send it here or lts-secur...@debian.org (private alias) for
reporting security issues in stretch.



--abhijith
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



LTS report for September 2020 - Abhijith PA

2020-10-07 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

September was my 31st month as a Debian LTS paid contributor. I had a
total of 14 hours. I spent 12h and I am carrying rest to next month.

 * qemu: Continued work from last month. Uploaded and released DLA[1]

 * inspircd: Fixed CVE-2019-20917, CVE-2020-25269, tested and released
   DLA[2]

 * snmptt: Fixed CVE-2020-24361, tested and released DLA[3]

 * puma: There were 4 CVEs. After review, CVE-2020-5249 changed from
   no-dsa to not-affected. The backport is intrusive for CVE-2020-5247,
   so it is kept as no-dsa. Fixed CVE-2020-11076, CVE-2020-11077, tested
   and uploaded[4].

 * Attended #debian-lts irc meeting.

Regards
Abhijith PA


[1] - https://lists.debian.org/debian-lts-announce/2020/09/msg00013.html
[2] - https://lists.debian.org/debian-lts-announce/2020/09/msg00015.html
[3] - https://lists.debian.org/debian-lts-announce/2020/10/msg6.html
[4] - https://lists.debian.org/debian-lts-announce/2020/10/msg9.html
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2398-1] puma security update

2020-10-07 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2398-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
October 07, 2020  https://wiki.debian.org/LTS
-

Package: puma
Version: 3.6.0-1+deb9u1
CVE ID : CVE-2020-11076 CVE-2020-11077

Several security vulnerabilities have been discovered in puma, a highly
concurrent HTTP server for Ruby/Rack applications.

CVE-2020-11076

By using an invalid transfer-encoding header, an attacker could smuggle
an HTTP response.

CVE-2020-11077

A client could smuggle a request through a proxy, causing the proxy to
send a response back to another unknown client. If the proxy uses
persistent connections and the client adds another request in via HTTP
pipelining, the proxy may mistake it as the first request's body. Puma,
however, would see it as two requests, and when processing the second
request, send back a response that the proxy does not expect. If the
proxy has reused the persistent connection to Puma to send another
request for a different client, the second response from the first
client will be sent to the second client.

For Debian 9 stretch, this problem has been fixed in version
3.6.0-1+deb9u1.

We recommend that you upgrade your puma packages.

For the detailed security status of puma please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/puma

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-
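The desync both puma CVEs depend on is easiest to see in the framing rules themselves: a proxy and a backend that disagree about where one request ends. As an added example (not from the advisory and not Puma's own code), here is a strict HTTP/1.1 request-framing check in Ruby that refuses every ambiguous request instead of guessing; all sample requests and header values are constructed.

```ruby
# Added example, not code from the advisory or from Puma itself: a strict
# HTTP/1.1 request-framing check. Request smuggling (CVE-2020-11076,
# CVE-2020-11077) needs two hops that disagree about where one request ends;
# rejecting every ambiguous framing leaves nothing to disagree about.
# All sample requests below are constructed for this example.

# Split the head of one request (up to the blank line) into its request line
# and a Hash of lowercased header name => Array of values (headers may repeat).
def parse_head(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    if value.nil? || name.strip.empty?
      raise ArgumentError, "malformed header line: #{line.inspect}"
    end
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers]
end

# Decide how the body is delimited, following RFC 7230 section 3.3.3, and
# refuse anything ambiguous. Returns :chunked, an Integer body length, or :reject.
def framing_decision(raw)
  _request_line, headers = parse_head(raw)
  te = headers['transfer-encoding']
  cl = headers['content-length']

  unless te.empty?
    # Transfer-Encoding together with Content-Length is the classic desync
    # vector (one hop honours TE, the other CL). Reject rather than "prefer TE",
    # so no upstream hop can read the message differently.
    return :reject unless cl.empty?
    codings = te.flat_map { |v| v.split(',') }.map { |c| c.strip.downcase }
    # Only a single, final "chunked" coding is acceptable. Anything else is an
    # invalid Transfer-Encoding for a request; a lenient parser that silently
    # falls back to another framing here is what makes smuggling possible.
    return codings == ['chunked'] ? :chunked : :reject
  end

  return 0 if cl.empty?
  # Repeated Content-Length values must agree, and must be a plain decimal.
  return :reject unless cl.uniq.size == 1 && cl.first.match?(/\A\d+\z/)
  cl.first.to_i
end

# Classify a batch of raw requests (for instance replayed from a capture) so
# rejected ones can be counted or logged by a front proxy or a test suite.
def triage(requests)
  requests.to_h { |name, raw| [name, framing_decision(raw)] }
end

# Constructed sample requests: two well-formed ones and three that a strict
# implementation must refuse.
SAMPLES = {
  plain:     "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
             "Content-Length: 5\r\n\r\nhello",
  chunked:   "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
             "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
  te_and_cl: "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
             "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
  bad_te:    "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
             "Transfer-Encoding: gzip\r\n\r\n0\r\n\r\n",
  dup_cl:    "POST /upload HTTP/1.1\r\nHost: app.example\r\n" \
             "Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLES).each { |name, decision| puts "#{name}: #{decision}" }
end
```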



[SECURITY] [DLA 2393-1] snmptt security update

2020-10-02 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2393-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
October 01, 2020  https://wiki.debian.org/LTS
-

Package: snmptt
Version: 1.4-1+deb9u1
CVE ID : CVE-2020-24361

It was found that SNMP Trap Translator does not drop privileges as
configured and does not properly escape shell commands in certain
functions. A remote attacker, by sending a malicious crafted SNMP trap,
could possibly execute arbitrary shell code with the privileges of the
process or cause a Denial of Service condition.

For Debian 9 stretch, this problem has been fixed in version
1.4-1+deb9u1.

We recommend that you upgrade your snmptt packages.

For the detailed security status of snmptt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/snmptt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2375-1] inspircd security update

2020-09-19 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2375-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
September 19, 2020https://wiki.debian.org/LTS
-

Package: inspircd
Version: 2.0.23-2+deb9u1
CVE ID : CVE-2019-20917 CVE-2020-25269

Two security issues were discovered in the modules of the InspIRCd IRC
daemon, which could result in denial of service.

CVE-2019-20917

The mysql module before v3.3.0 contains a null pointer dereference when
built against mariadb-connector-c. When combined with the sqlauth or
sqloper modules this vulnerability can be used to remotely crash an
InspIRCd server by any user able to connect to a server.

CVE-2020-25269

The pgsql module contains a use after free vulnerability. When combined
with the sqlauth or sqloper modules this vulnerability can be used to
remotely crash an InspIRCd server by any user able to connect to a
server.

For Debian 9 stretch, these problems have been fixed in version
2.0.23-2+deb9u1.

We recommend that you upgrade your inspircd packages.

For the detailed security status of inspircd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/inspircd

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2373-1] qemu security update

2020-09-13 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2373-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
September 13, 2020https://wiki.debian.org/LTS
-

Package: qemu
Version: 1:2.8+dfsg-6+deb9u11
CVE ID : CVE-2020-1711 CVE-2020-13253 CVE-2020-14364 CVE-2020-16092
Debian Bug : 968947 961297 949731

The following security issues have been found in qemu, which could
potentially result in DoS and execution of arbitrary code.

CVE-2020-1711

An out-of-bounds heap buffer access flaw was found in the way the iSCSI
Block driver in QEMU handled a response coming from an iSCSI server
while checking the status of a Logical Address Block (LBA) in an
iscsi_co_block_status() routine. A remote user could use this flaw to
crash the QEMU process, resulting in a denial of service or potential
execution of arbitrary code with privileges of the QEMU process on the
host.

CVE-2020-13253

An out-of-bounds read access issue was found in the SD Memory Card
emulator of QEMU. It occurs while performing block write commands
via sdhci_write(), if a guest user has sent 'address' which is OOB of
's->wp_groups'. A guest user/process may use this flaw to crash the
QEMU process resulting in DoS.

CVE-2020-14364

An out-of-bounds read/write access issue was found in the USB emulator
of QEMU. It occurs while processing USB packets from a guest, when
'USBDevice->setup_len' exceeds the USBDevice->data_buf[4096], in
do_token_{in,out} routines.


CVE-2020-16092

An assertion failure can occur in the network packet processing. This
issue affects the e1000e and vmxnet3 network devices. A malicious guest
user/process could use this flaw to abort the QEMU process on the host,
resulting in a denial of service condition in
net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c.

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u11.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



LTS report for August 2020 - Abhijith PA

2020-09-09 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

August was my 30th month as a Debian LTS paid contributor. I had a total of
10 hours. I spent all of them for the following:

 * ark: Fixed CVE-2020-24654 and CVE-2020-16116 partially (though the GUI
   works, the CLI still escapes path traversal archives). Reported to the
   upstream developer.

 * qemu: Fixed CVE-2020-13253, CVE-2020-14364, CVE-2020-16092,
   CVE-2020-1711. After a couple more smoke tests, the package will be
   uploaded[1]. Marked CVE-2020-15859, CVE-2020-17380 as postponed.


Regards
Abhijith PA

[1] - https://people.debian.org/~abhijith/upload/qemu/qemu_deb9u11.debdiff

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



LTS report for July 2020 - Abhijith PA

2020-08-09 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

July was my 29th month as a Debian LTS paid contributor. I had a total of
18 hours which includes assigned and carried hours from last month. I
spent all of them for the following:

 * libphp-phpmailer: Fixed CVE-2020-13625, tested and uploaded[1]

 * ruby-kramdown: Fixed CVE-2020-14001, tested and uploaded[2]

 * ark: Working on CVE-2020-16116. The upstream codebase has been refactored
   a lot through GSoC-like programs.

 * cacti: Prepared a minimal patch[3] that solves CVE-2020-13230
   partially.

 * xrdp: Fixed CVE-2020-4044, tested and uploaded[4]

 * 2 weeks of frontdesk duty (from 27-07 to 09-08). Most of my triage work
   can be seen in my salsa activity[5].


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/08/msg4.html
[2] - https://lists.debian.org/debian-lts-announce/2020/08/msg00014.html
[3] - https://people.debian.org/~abhijith/upload/CVE-2020-13230.patch
[4] - https://lists.debian.org/debian-lts-announce/2020/08/msg00015.html
[5] - https://salsa.debian.org/users/abhijith/activity
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2319-1] xrdp security update

2020-08-09 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

-
Debian LTS Advisory DLA-2319-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
August 09, 2020   https://wiki.debian.org/LTS
-

Package: xrdp
Version: 0.9.1-9+deb9u4
CVE ID : CVE-2020-4044
Debian Bug : 964573

The xrdp-sesman service in xrdp can be crashed by connecting over port 3350
and supplying a malicious payload. Once the xrdp-sesman process is dead,
an unprivileged attacker on the server could then proceed to start their
own imposter sesman service listening on port 3350. This will allow them
to capture any user credentials that are submitted to XRDP and approve or
reject arbitrary login credentials. For xorgxrdp sessions in particular,
this allows an unauthorized user to hijack an existing session. This is a
buffer overflow attack, so there may be a risk of arbitrary code
execution as well.

For Debian 9 stretch, this problem has been fixed in version
0.9.1-9+deb9u4.

We recommend that you upgrade your xrdp packages.

For the detailed security status of xrdp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xrdp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2316-1] ruby-kramdown security update

2020-08-08 Thread Abhijith PA

- -
Debian LTS Advisory DLA-2316-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
August 08, 2020   https://wiki.debian.org/LTS
- -

Package: ruby-kramdown
Version: 1.12.0-1+deb9u1
CVE ID : CVE-2020-14001
Debian Bug : 965305

ruby-kramdown processes the template option inside Kramdown documents by
default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such
as a string that begins with template="string://<%= `). NOTE: kramdown is
used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

For Debian 9 stretch, this problem has been fixed in version
1.12.0-1+deb9u1.

We recommend that you upgrade your ruby-kramdown packages.

For the detailed security status of ruby-kramdown please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ruby-kramdown

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2306-1] libphp-phpmailer security update

2020-08-01 Thread Abhijith PA

- -
Debian LTS Advisory DLA-2306-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Abhijith PA
August 01, 2020   https://wiki.debian.org/LTS
- -

Package: libphp-phpmailer
Version: 5.2.14+dfsg-2.3+deb9u2
CVE ID : CVE-2020-13625
Debian Bug : 962827

It was discovered that there was an escaping issue in
libphp-phpmailer, an email generation utility class for the PHP
programming language.

The `Content-Type` and `Content-Disposition` headers could have
permitted file attachments that bypassed attachment filters which
match on filename extensions.

For Debian 9 stretch, this problem has been fixed in version
5.2.14+dfsg-2.3+deb9u2.

We recommend that you upgrade your libphp-phpmailer packages.

For the detailed security status of libphp-phpmailer please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libphp-phpmailer

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: DLA template and user signatures

2020-07-07 Thread Abhijith PA
Hi,

On 07/07/20 4:52 pm, Chris Lamb wrote:
> Hi Emilio,
> 
>> The header. It looks like a bit too much for the DLA to me,
> 
> Not quite sure what you mean by this. I am assuming you mean something
> along the lines of it being "too intense for a DLA" but if so I don't
> understand what the concern is here. Isn't each of these a potentially-
> important security release?

I think what Emilio meant, or what I assumed and replied to on IRC, is
having something like this at the top of every DLA:

- --
Debian LTS Advisory X   @debian.org
https://www.debian.org/  X
July 06, 2020  https://www.debian.org//faq
- --



LTS report for June 2020 - Abhijith PA

2020-07-04 Thread Abhijith PA

June was my 28th month as a Debian LTS paid contributor. I was
assigned 14 hours. I was only able to spend 8h. The rest will be given
back to the pool.

 * libupnp: Backported CVE-2020-13848. Uploaded and issued
   dla[1]

 * sqlite3: Marked CVE-2020-13631 as no-dsa. Marked CVE-2020-13871 and
   CVE-2020-13632 as not-affected

 * perl: Backported patches of CVE-2020-10543, CVE-2020-10878,
   CVE-2020-12723 and passed on to Emilio for uploading to Jessie ELTS.

 * wpa: Backported patches of CVE-2020-12695 and passed on to Utkarsh
   for ELTS.

 * cacti: Initially worked on CVE-2020-13231 for jessie. Will be
   updating on stretch.


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/06/msg6.html



LTS report for May 2020 - Abhijith PA

2020-06-08 Thread Abhijith PA

May was my 27th month as a Debian LTS paid contributor. I was
assigned 14 hours plus 4 hours from last month, a total of 18 hours. I
spent all of them on the following:

 * Salt: Backported CVE-2020-11651, CVE-2020-11652. Uploaded and issued
   dla[1]

 * Cacti: Backported CVE-2020-13231. Working on a patch for
   CVE-2020-13230.

 * sqlite3: Backported CVE-2020-13434. Uploaded and issued dla[2]. Also
   new CVEs piled up. Among that CVE-2020-13630 marked as not-affected.
   Working on rest of the issues.

 * python-httplib2: Backported CVE-2020-11078. Uploaded and issued
   dla[3]

 * 2 weeks of lts-frontdesk from 25-05 to 07-06. Most of my triage work
   can be seen in salsa activity[4]


Regards
Abhijith PA

[1] - https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
[2] - https://lists.debian.org/debian-lts-announce/2020/05/msg00024.html
[3] - https://lists.debian.org/debian-lts-announce/2020/06/msg0.html
[4] - https://salsa.debian.org/users/abhijith/activity



[SECURITY] [DLA 2238-1] libupnp security update

2020-06-08 Thread Abhijith PA

Package: libupnp
Version: 1.6.19+git20141001-1+deb8u2
CVE ID : CVE-2020-13848
Debian Bug : 962282


libupnp, the portable SDK for UPnP Devices, allows remote attackers to
cause a denial of service (crash) via a crafted SSDP message due to a
NULL pointer dereference in the functions FindServiceControlURLPath
and FindServiceEventURLPath in genlib/service_table/service_table.c.
This crash can be triggered by sending a malformed SUBSCRIBE or
UNSUBSCRIBE request using any of the attached files.

For Debian 8 "Jessie", this problem has been fixed in version
1.6.19+git20141001-1+deb8u2.

We recommend that you upgrade your libupnp packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-06-05 Thread Abhijith PA



On 05/06/20 6:39 pm, Sylvain Beucler wrote:
> Hi,
> 
> On 05/06/2020 15:03, Abhijith PA wrote:
>> On 20/02/20 11:14 pm, Holger Levsen wrote:
>>> On Thu, Feb 20, 2020 at 06:08:52PM +0100, Emilio Pozuelo Monfort wrote:
>>>> So we should add it to security-support-ended for those releases, and
>>>> let it be supported in buster.
>>>
>>> done in 
>>> https://salsa.debian.org/debian/debian-security-support/commit/c9b3de34947bc13cad9f18a53d0fb7b512bff0e1
>>
>> Shouldn't there be a follow-up announcement on the debian-lts-announce
>> mailing list?
> 
> I don't think so because it's been documented in the release notes since
> the beginning:
> https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8

Thank you for sharing this.


--abhijith



Re: Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2020-06-05 Thread Abhijith PA
Hi,

On 20/02/20 11:14 pm, Holger Levsen wrote:
> On Thu, Feb 20, 2020 at 06:08:52PM +0100, Emilio Pozuelo Monfort wrote:
>> So we should add it to security-support-ended for those releases, and
>> let it be supported in buster.
> 
> done in 
> https://salsa.debian.org/debian/debian-security-support/commit/c9b3de34947bc13cad9f18a53d0fb7b512bff0e1


Shouldn't there be a follow-up announcement on the debian-lts-announce
mailing list?


--abhijith



[SECURITY] [DLA 2232-1] python-httplib2 security update

2020-06-01 Thread Abhijith PA

Package: python-httplib2
Version: 0.9+dfsg-2+deb8u1
CVE ID : CVE-2020-11078


In httplib2, an attacker controlling an unescaped part of the URI passed
to `httplib2.Http.request()` could change the request headers and body
and send additional hidden requests to the same server. This
vulnerability affects software that builds the URI for httplib2 by string
concatenation, as opposed to proper URI building with urllib and
escaping.
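The two URI-building patterns the advisory contrasts, as an added example
that is not part of the advisory or of httplib2 itself: plain string
concatenation beside percent-encoded construction with urllib, plus a check
a caller can run before handing any URI to an HTTP client. The sample
segment, the function names and `example.com` are constructed for this
illustration.

```python
import re
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample of an attacker-controlled URI segment (the "unescaped
# part of the URI"). It carries CR LF pairs, which, if spliced raw into the
# request target, would terminate the request line and start new headers.
TAINTED_SEGMENT = "report\r\nX-Injected: 1\r\n\r\nGET /other HTTP/1.1"


def build_uri_unsafe(base, segment):
    """The pattern the advisory warns about: plain string concatenation.
    Whatever is in `segment` ends up verbatim in the request target."""
    return base + "/" + segment


def build_uri_escaped(base, segment, query=None):
    """The pattern the advisory recommends: percent-encode the path segment
    (safe="" also encodes '/') and build the query string with urlencode."""
    uri = base.rstrip("/") + "/" + quote(segment, safe="")
    if query:
        uri += "?" + urlencode(query)
    return uri


# Raw ASCII control characters (CR, LF, NUL, ...) never belong in a URI.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def uri_is_clean(uri):
    """Defensive check before calling an HTTP client: reject any URI that
    still contains raw control characters or lacks a scheme and host.
    The regex runs on the raw string on purpose: urlsplit() itself
    silently strips CR/LF, which would hide the problem."""
    parts = urlsplit(uri)
    return (not _CTL.search(uri)
            and parts.scheme in ("http", "https")
            and bool(parts.netloc))


if __name__ == "__main__":
    for build in (build_uri_unsafe, build_uri_escaped):
        uri = build("http://example.com", TAINTED_SEGMENT)
        print(build.__name__, "->", "clean" if uri_is_clean(uri) else "REJECTED")
```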

For Debian 8 "Jessie", this problem has been fixed in version
0.9+dfsg-2+deb8u1.

We recommend that you upgrade your python-httplib2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2223-1] salt security update

2020-05-29 Thread Abhijith PA

Package: salt
Version: 2014.1.13+ds-3+deb8u1
CVE ID : CVE-2020-11651 CVE-2020-11652
Debian Bug : 959684


Several vulnerabilities were discovered in package salt, a
configuration management and infrastructure automation software.

CVE-2020-11651

The salt-master process ClearFuncs class does not properly validate
method calls. This allows a remote user to access some methods
without authentication. These methods can be used to retrieve user
tokens from the salt master and/or run arbitrary commands on salt
minions.

CVE-2020-11652

The salt-master process ClearFuncs class allows access to some
methods that improperly sanitize paths. These methods allow
arbitrary directory access to authenticated users.
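The class of defect in CVE-2020-11652 is a path check that lets a caller
reach outside the directory a method is supposed to serve. The following
is an added example of a containment check of the kind such methods need;
it is generic illustration code, not salt's own fix. The fixture
directory, file names and the function names are constructed for the
example.

```python
import tempfile
from pathlib import Path


def resolve_within(base_dir, user_path):
    """Return the absolute path of user_path under base_dir, or None when the
    request would escape base_dir. Rejects absolute paths outright, and
    resolves symlinks and '..' before comparing, so that a link pointing
    outside the root is caught as well as a lexical traversal."""
    if Path(user_path).is_absolute():
        return None
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


def demo():
    """Constructed fixture: a 'files' root with one legitimate file, a secret
    outside the root, and a symlink inside the root that points at the
    secret. Returns, per request, whether the check allows it."""
    root = Path(tempfile.mkdtemp())
    files = root / "files"
    files.mkdir()
    (files / "ok.txt").write_text("fine")
    (root / "secret.txt").write_text("not for clients")
    (files / "escape").symlink_to(root / "secret.txt")
    requests = ["ok.txt", "../secret.txt", "/etc/hosts", "escape"]
    return {r: resolve_within(files, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r:20} {'allowed' if allowed else 'rejected'}")
```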

For Debian 8 "Jessie", these problems have been fixed in version
2014.1.13+ds-3+deb8u1.

We recommend that you upgrade your salt packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 2221-1] sqlite3

2020-05-26 Thread Abhijith PA

Package: sqlite3
Version: 3.8.7.1-1+deb8u6
CVE ID : CVE-2020-13434



An integer overflow vulnerability was found in the
sqlite3_str_vappendf function of the src/printf.c file of sqlite3 from
version 3.8.3.

For Debian 8 "Jessie", this problem has been fixed in version
3.8.7.1-1+deb8u6.

We recommend that you upgrade your sqlite3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


