Re: CVE-2023-33460, ruby-yajl affected?

2023-07-05 Thread Anton Gladky
Thanks all for the discussion.
@Tobias, thanks for marking the CVE in the list.

Best regards

Anton


On Wed, 5 Jul 2023 at 17:56, Tobias Frost wrote:

> On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> > On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > > Hello,
> > >
> > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > > is affected. There is no direct dependency on yajl, where the
> vulnerability
> > > was detected.
> > ruby-yajl includes an old version of yajl, 1.01.12.
> >
> > The vuln code was introduced by
> https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
> in version 2.1.0 in 2010
>
> This matches my investigation, however, a small correction: this commit is
> already part of version 2.0.0.
>
> I've added note in data/CVE/list accordingly.
>
> --
> Cheers,
> tobi
>
>


CVE-2023-33460, ruby-yajl affected?

2023-07-04 Thread Anton Gladky
Hello,

I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
is affected. There is no direct dependency on yajl, where the vulnerability
was detected.

Should ruby-yajl be unmarked as affected by this CVE?

Thank you

Anton


Re: c-ares, CVE-2023-31147, CVE-2023-31124

2023-06-23 Thread Anton Gladky
Thank you all for your replies!

@Moritz, could you please create an issue with the possible proposal
of how it should look?

Best regards

Anton

On Fri, 23 Jun 2023 at 20:49, Ola Lundqvist wrote:
>
> Hi Anton, all
>
> Well, even if there are some systems affected, I must say that if
> someone has removed urandom the behavior described is expected. I
> mean, /dev/urandom is there for a reason. And yes, there are better
> functions than rand(), but I can hardly see this as a vulnerability. Or
> well, it is, but it is the kind of vulnerability you get when you remove the
> device that provides randomness in the system.
>
> I would have marked them as "minor issue".
>
> Cheers
>
> // Ola
>
>
> On Fri, 23 Jun 2023 at 06:49, Anton Gladky  wrote:
> >
> > Hi,
> >
> > two CVEs might be irrelevant for Debian systems. Can they be
> > tagged as "unaffected"? Or we have some systems, where
> > /dev/urandom is not existing?
> >
> > Thanks
> >
> > Anton
> >
>
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology 
> |  o...@inguza.com   o...@debian.org   |
> |  http://inguza.com/Mobile: +46 (0)70-332 1551 |
>  ---
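The rand() fallback discussed in this thread, as an added example that is not c-ares's code: a DNS query-ID generator that reads /dev/urandom when it can be opened and otherwise seeds a libc PRNG from time and pid, next to the attacker's side, which brute-forces that seed from two observed IDs and predicts every later one. That CVE-2023-31147 is about query IDs produced this way is my reading of the advisory, not something the thread states; the seed construction, the pid 4242 and the timestamp are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Query-ID source: /dev/urandom when available, else a libc PRNG seeded from
 * low-entropy values.  The fallback mirrors the pattern the CVE describes;
 * it is a sketch, not c-ares's implementation. */
struct idgen {
    FILE *urandom;       /* NULL when the strong source is unavailable */
    unsigned int seed;   /* rand_r() state, used only by the fallback */
};

/* Fallback path, kept separate so the attacker model can replay it. */
static uint16_t weak_next_id(unsigned int *seed)
{
    return (uint16_t)(rand_r(seed) & 0xffff);
}

/* Returns 1 when /dev/urandom is in use, 0 when the fallback is. */
int idgen_open(struct idgen *g)
{
    memset(g, 0, sizeof *g);
    g->urandom = fopen("/dev/urandom", "rb");
    if (g->urandom)
        return 1;
    /* constructed low-entropy seed: time XOR pid */
    g->seed = (unsigned int)time(NULL) ^ (unsigned int)getpid();
    return 0;
}

void idgen_close(struct idgen *g)
{
    if (g->urandom)
        fclose(g->urandom);
    g->urandom = NULL;
}

uint16_t idgen_next(struct idgen *g)
{
    uint16_t id;
    if (g->urandom && fread(&id, sizeof id, 1, g->urandom) == 1)
        return id;
    return weak_next_id(&g->seed);
}

/* Attacker side: given IDs observed from a fallback generator and the
 * hypothesis seed = t ^ pid with t in [t_lo, t_hi], recover the seed.
 * Returns 1 and stores it in *found on success. */
int recover_seed(const uint16_t *seen, size_t n, unsigned int pid,
                 time_t t_lo, time_t t_hi, unsigned int *found)
{
    for (time_t t = t_lo; t <= t_hi; t++) {
        unsigned int s = (unsigned int)t ^ pid;
        unsigned int trial = s;
        size_t i;
        for (i = 0; i < n && weak_next_id(&trial) == seen[i]; i++)
            ;
        if (i == n) {
            *found = s;
            return 1;
        }
    }
    return 0;
}

/* Victim emits four IDs from a fallback generator seeded with a constructed
 * time and pid; the attacker sees only the first two plus an hour-wide
 * window for the time.  Returns 1 if IDs 3 and 4 are predicted correctly. */
int demo_predict_fallback(void)
{
    const unsigned int pid = 4242;            /* constructed */
    const time_t victim_time = 1688040000;    /* constructed */
    unsigned int victim_seed = (unsigned int)victim_time ^ pid;
    uint16_t ids[4];
    for (int i = 0; i < 4; i++)
        ids[i] = weak_next_id(&victim_seed);

    unsigned int guess;
    if (!recover_seed(ids, 2, pid, victim_time - 1800, victim_time + 1800, &guess))
        return 0;
    weak_next_id(&guess);                     /* replay the two observed IDs */
    weak_next_id(&guess);
    return weak_next_id(&guess) == ids[2] && weak_next_id(&guess) == ids[3];
}

/* Strong path check: 1 if two /dev/urandom-backed generators disagree on
 * 8 IDs, -1 if /dev/urandom cannot be opened on this system. */
int demo_strong_differs(void)
{
    struct idgen a, b;
    int strong = idgen_open(&a) & idgen_open(&b);
    int same = 1;
    if (strong)
        for (int i = 0; i < 8; i++)
            if (idgen_next(&a) != idgen_next(&b))
                same = 0;
    idgen_close(&a);
    idgen_close(&b);
    return strong ? !same : -1;
}

int main(void)
{
    printf("fallback IDs predicted from two observations: %s\n",
           demo_predict_fallback() ? "yes" : "no");
    printf("strong source check: %d\n", demo_strong_differs());
    return 0;
}
```

The brute force only has to cover the seed space an operator left behind: a timestamp within an hour and a pid is a few million rand_r() calls, which is why "minor issue" depends entirely on whether /dev/urandom can actually be missing on the host.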



c-ares, CVE-2023-31147, CVE-2023-31124

2023-06-22 Thread Anton Gladky
Hi,

two CVEs might be irrelevant for Debian systems. Can they be
tagged as "unaffected"? Or we have some systems, where
/dev/urandom is not existing?

Thanks

Anton



Bug#987283: Fixed

2023-05-29 Thread Anton Gladky
MR is merged

https://salsa.debian.org/security-tracker-team/security-tracker/-/merge_requests/114

Anton



amd64-microcode_3.20181128.1+deb9u1 pre-approval request, CVE-2017-5715

2020-03-12 Thread Anton Gladky
Dear security team,

I have prepared an update for amd64-microcode for Debian Stretch, which
fixes CVE-2017-5715. Please see the attached debdiff.

This is the newer upstream release, which fixes CVE-2017-5715.

Also, I want to ask anybody to test this package on hardware with an
AMD processor to escape regressions. The pre-built package is available
here [1]. But it looks like this version is working for Ubuntu already [2].

Please let me know whether I may proceed with the upload.

[1] https://people.debian.org/~gladk/amd64-microcode_stretch/
[2] https://bugs.launchpad.net/ubuntu/+source/amd64-microcode/+bug/1853614

Thanks,

Anton
diff -Nru amd64-microcode-3.20160316.3/debian/changelog 
amd64-microcode-3.20181128.1+deb9u1/debian/changelog
--- amd64-microcode-3.20160316.3/debian/changelog   2016-11-30 
02:54:53.0 +0100
+++ amd64-microcode-3.20181128.1+deb9u1/debian/changelog2020-03-12 
20:29:09.0 +0100
@@ -1,3 +1,72 @@
+amd64-microcode (3.20181128.1+deb9u1) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * New upstream release.
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+(since version 3.20180515.1).
+
+ -- Anton Gladky   Thu, 12 Mar 2020 20:29:09 +0100
+
+amd64-microcode (3.20181128.1) unstable; urgency=medium
+
+  * New microcode update packages from AMD upstream:
++ New Microcodes:
+  sig 0x00800f82, patch id 0x0800820b, 2018-06-20
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh   Sat, 15 Dec 2018 18:42:12 
-0200
+
+amd64-microcode (3.20180524.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
++ Re-added Microcodes:
+  sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * This update avoids regressing sig 0x610f01 processors on systems with
+outdated firmware by adding back exactly the same microcode patch that was
+present before [for these processors].  It does not implement Spectre-v2
+mitigation for these processors.
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh   Fri, 25 May 2018 15:38:22 
-0300
+
+amd64-microcode (3.20180515.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
++ New Microcodes:
+  sig 0x00800f12, patch id 0x08001227, 2018-02-09
++ Updated Microcodes:
+  sig 0x00600f12, patch id 0x0600063e, 2018-02-07
+  sig 0x00600f20, patch id 0x06000852, 2018-02-06
++ Removed Microcodes:
+  sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
+plus other unspecified fixes/updates.
+  * README, debian/copyright: update for new release
+
+ -- Henrique de Moraes Holschuh   Sat, 19 May 2018 13:51:06 
-0300
+
+amd64-microcode (3.20171205.2) unstable; urgency=medium
+
+  * debian/control: update Vcs-* fields for salsa.debian.org
+
+ -- Henrique de Moraes Holschuh   Fri, 04 May 2018 07:51:40 
-0300
+
+amd64-microcode (3.20171205.1) unstable; urgency=high
+
+  * New microcode updates (closes: #886382):
+sig 0x00800f12, patch id 0x08001213, 2017-12-05
+Thanks to SuSE for distributing these ahead of AMD's official release!
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+  * README: describe source for faml17h microcode update
+  * Upload to unstable to match IBPB microcode support on Intel in Debian
+unstable.
+  * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a
+backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf
+"x86/microcode/AMD: Add support for fam17h microcode loading") otherwise
+it will not be applied to the processor.
+
+ -- Henrique de Moraes Holschuh   Mon, 08 Jan 2018 12:19:57 
-0200
+
 amd64-microcode (3.20160316.3) unstable; urgency=medium
 
   * initramfs: Make the early initramfs reproducible (closes: #845194)
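Review bot: The new +deb9u1 entry says "Add IBPB support for family 17h AMD processors (CVE-2017-5715) (since version 3.20180515.1)", but within this same hunk it is the 3.20171205.1 entry that adds family 17h IBPB support, while 3.20180515.1 adds the Spectre v2 microcode for the family 15h signatures 0x00600f12 and 0x00600f20 and removes 0x00610f01; either cite 3.20171205.1 or list the changed signatures instead of a version. The 3.20171205.1 entry also warns that the fam17h update "requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111" or it is silently not applied; the stretch entry should state the stretch kernel version this corresponds to so testers know when a missing revision bump is expected. Lastly, "Non-maintainer upload by the Security Team" sits oddly in a mail asking the Security Team for pre-approval; if this is an NMU by someone outside the team, say so.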
diff -Nru amd64-microcode-3.20160316.3/debian/control 
amd64-microcode-3.20181128.1+deb9u1/debian/control
--- amd64-microcode-3.20160316.3/debian/control 2016-11-30 02:53:04.0 
+0100
+++ amd64-microcode-3.20181128.1+deb9u1/debian/control  2018-12-15 
03:43:55.0 +0100
@@ -5,8 +5,8 @@
 Uploaders: Giacomo Catenazzi 
 Build-Depends: debhelper (>= 9)
 Standards-Version: 3.9.8
-Vcs-Git: git://git.debian.org/users/hmh/amd64-microcode.git
-Vcs-Browser: http://git.debian.org/?p=users/hmh/amd64-microcode.git
+Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode
 XS-Autobuild: yes
 
 Package: amd64-microcode
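Review bot: The Vcs-Git/Vcs-Browser change to salsa.debian.org is unrelated to CVE-2017-5715 and is only here because the stretch update is a rebase onto 3.20181128.1; that is acceptable for a new-upstream-version security update, but the fields point at a personal repository (salsa.debian.org/hmh/amd64-microcode) rather than wherever the +deb9u1 packaging is kept, so a reader following them will not find the stretch source. Either accept that or point them at the branch the deb9u1 upload is made from.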
diff -Nru amd64-microcode-3.20160316.3/debian/copyright 
amd64-microcode-3.20181128.1+deb9u1/debian/copyright
--- amd64-microcode-3.20160316.3/debian/copyright   2016-11-30 
02:53:04.0 +0100
+++ amd64-microcode-3.20181128.1+deb9u1/debian/copyright2018-12-15 
03:43:55.0 +0100
@@ -2,8 +2,9 @@
 Sun Jun 10 10:54:36 BRT 2012
 
 It was downloaded from http://www.amd6
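A check for testers of this package, added here and not part of amd64-microcode: parse text in /proc/cpuinfo format, derive the CPUID signature from the family/model/stepping values the kernel prints, and compare the reported microcode revision against the patch ids listed in the changelog of the debdiff above. The table holds only the four signatures visible there; the `ibpb` flag name is what newer kernels print and may be absent on an older kernel even when the microcode is applied, so it is reported rather than required. The two cpuinfo excerpts are constructed, not captured from real hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Patch level per CPUID signature, copied from the changelog in the debdiff
 * above; signatures not listed there are reported as unknown. */
static const struct { uint32_t sig, patch; } shipped[] = {
    { 0x00800f12, 0x08001227 }, { 0x00800f82, 0x0800820b },
    { 0x00600f12, 0x0600063e }, { 0x00600f20, 0x06000852 },
};

enum verdict { MC_OK, MC_OUTDATED, MC_UNKNOWN_SIG, MC_NOT_AMD, MC_PARSE_ERROR };
struct cpu_status { uint32_t sig, rev, wanted; int ibpb; };

/* CPUID signature from the already-extended family/model/stepping values
 * the kernel prints: family >= 0xf is encoded as base 0xf plus extension. */
uint32_t amd_signature(unsigned family, unsigned model, unsigned stepping)
{
    unsigned base = family >= 0xf ? 0xf : family;
    unsigned ext = family >= 0xf ? family - 0xf : 0;
    return (ext << 20) | ((model >> 4) << 16) | (base << 8)
         | ((model & 0xf) << 4) | (stepping & 0xf);
}

/* Value of a "key<ws>: value" line for an exact key, else NULL (so "model"
 * does not match "model name"). */
static const char *field(const char *line, const char *key)
{
    size_t k = strlen(key);
    if (strncmp(line, key, k) != 0) return NULL;
    const char *p = line + k;
    while (*p == ' ' || *p == '\t') p++;
    if (*p++ != ':') return NULL;
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Whole-word search in the space-separated flags list. */
static int has_flag(const char *flags, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = flags; (p = strstr(p, name)) != NULL; p += n)
        if ((p == flags || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0'))
            return 1;
    return 0;
}

/* Parse the first processor block of /proc/cpuinfo-format text and compare
 * its microcode revision with the level shipped for its signature. */
enum verdict check_cpuinfo(const char *text, struct cpu_status *st)
{
    struct cpu_status s = { 0, 0, 0, 0 };
    unsigned fms[3] = { 0, 0, 0 };          /* family, model, stepping */
    int have = 0, amd = 0;
    char line[512];
    const char *p = text, *v;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        if (n == 0) break;                  /* blank line ends the first block */
        size_t c = n < sizeof line ? n : sizeof line - 1;
        memcpy(line, p, c);
        line[c] = '\0';
        if ((v = field(line, "vendor_id")))       amd = strcmp(v, "AuthenticAMD") == 0;
        else if ((v = field(line, "cpu family"))) { fms[0] = strtoul(v, NULL, 10); have |= 1; }
        else if ((v = field(line, "model")))      { fms[1] = strtoul(v, NULL, 10); have |= 2; }
        else if ((v = field(line, "stepping")))   { fms[2] = strtoul(v, NULL, 10); have |= 4; }
        else if ((v = field(line, "microcode")))  { s.rev = strtoul(v, NULL, 0); have |= 8; }
        else if ((v = field(line, "flags")))      s.ibpb = has_flag(v, "ibpb");
        p += n + (nl ? 1 : 0);
    }
    s.sig = amd_signature(fms[0], fms[1], fms[2]);
    for (size_t i = 0; i < sizeof shipped / sizeof shipped[0]; i++)
        if (shipped[i].sig == s.sig) s.wanted = shipped[i].patch;
    if (st) *st = s;
    if (!amd) return MC_NOT_AMD;
    if (have != 15) return MC_PARSE_ERROR;
    if (!s.wanted) return MC_UNKNOWN_SIG;
    return s.rev >= s.wanted ? MC_OK : MC_OUTDATED;
}

/* Constructed /proc/cpuinfo excerpts, not captured from real hardware. */
const char SAMPLE_OK[] =
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 1\n"
    "model name\t: AMD EPYC (constructed)\nstepping\t: 2\nmicrocode\t: 0x8001227\n"
    "flags\t\t: fpu vme sse2 ibpb stibp\n\nprocessor\t: 1\n";
const char SAMPLE_OLD[] =
    "processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 1\n"
    "model name\t: AMD EPYC (constructed)\nstepping\t: 2\nmicrocode\t: 0x8001213\n"
    "flags\t\t: fpu vme sse2\n\nprocessor\t: 1\n";

int main(void)
{
    static char buf[65536];
    FILE *f = fopen("/proc/cpuinfo", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    struct cpu_status st;
    enum verdict v = check_cpuinfo(n ? buf : SAMPLE_OLD, &st);
    printf("sig 0x%08x rev 0x%08x wanted 0x%08x ibpb=%d verdict=%d\n",
           st.sig, st.rev, st.wanted, st.ibpb, (int)v);
    return 0;
}
```

Run it on the test machine after installing the package and rebooting (or after the early initramfs has loaded the update); verdict 1 (MC_OUTDATED) with the kernel warning from the 3.20171205.1 entry in mind means the revision was not applied, and verdict 2 means the CPU is a signature this package does not carry a patch for, which is not a regression.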