Wheezy update of openssh?

2016-08-08 Thread Guido Günther
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of openssh:
https://security-tracker.debian.org/tracker/CVE-2016-6515

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Guido Günther,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: find-work script no longer working on stable

2016-08-08 Thread Chris Lamb
> ola@tigereye:~/git/debian-lts$ ./find-work
> Traceback (most recent call last):
>   File "./find-work", line 3, in 
> import requests
> 

I think I'm missing some bit of your traceback/testcase here?

> 8056874b90d35883fd3a1747b911d935367edda3

Guessing from this, I think you had locale issues. This is orthogonal
to stable/unstable but rather an invalid/missing/whatever LANG setting.

For example, under sid if I unset LANG:

$ LANG= ./find-work
[..]
  File "./find-work", line 66, in 
dla_needed[package]['more'],
UnicodeEncodeError: 'ascii' codec can't encode character '\xe1' in position 13: ordinal not in range(128)

> Or can we in some other way make it work also on Debian stable?

I've fixed the above issue in 19dab98. No need to jump to reverting
stuff..


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [SECURITY] [DLA 588-1] mongodb security update

2016-08-08 Thread Ben Hutchings
On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> Package: mongodb
> Version: 2.0.6-1+deb7u1
> CVE ID : CVE-2016-6494
> Debian Bug : 832908, 833087
> 
> Two security related problems have been found in the mongodb
> package, related to logging.
> 
> CVE-2016-6494
>   World-readable .dbshell history file
> 
> TEMP-0833087-C5410D
>   Bruteforcable challenge responses in unprotected logfile
[...]

This temporary ID is not stable and shouldn't be used in a DLA or DSA.
The Debian bug number, which you already included, is more useful.

Ben.

-- 
Ben Hutchings
Beware of bugs in the above code;
I have only proved it correct, not tried it. - Donald Knuth




find-work script no longer working on stable

2016-08-08 Thread Ola Lundqvist
Hi Chris

First thanks for improving find-work. The additions have been good,
except for one thing.

I have Debian stable on my workstation and the latest find-work update
makes it spit out the following:
ola@tigereye:~/git/debian-lts$ ./find-work
Traceback (most recent call last):
  File "./find-work", line 3, in 
import requests

Actually it works as late as
ola@tigereye:~/git/debian-lts$ git checkout
6ab3667026232e67701345c6f8f44b84fe8e5a9a
...
ola@tigereye:~/git/debian-lts$ ./find-work
The following packages are used by our customers (by order of
decreasing importance, more hours means more important):
* openssl (20 hours/month)
...

My conclusion is that it is the following commit that makes it go wrong.

8056874b90d35883fd3a1747b911d935367edda3

Is that change important?
Can we reverse this change? I can do that if you like.
Or can we in some other way make it work also on Debian stable?

Thanks in advance

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---



Security check of libical

2016-08-08 Thread Ola Lundqvist
Hi libical developers, libical maintainer and LTS team

As part of the Debian Long Term Security team I have started to look
into a few possible security related vulnerabilities.
More details are available here:
https://security-tracker.debian.org/tracker/source-package/libical

My problem is that each CVE refers to a bugzilla bug id and they are not public:
CVE-2016-5827 https://bugzilla.mozilla.org/show_bug.cgi?id=1281043
CVE-2016-5826 https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
CVE-2016-5825 https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
CVE-2016-5824 https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
CVE-2016-5823 reserved, do you know anything about it?

My question to you is whether any of you know who I should contact
about these bugs?
Or if I can get access to them? (my login is o...@inguza.com)
Or who I should contact for requesting access.
Whether you know of any other security issues in libical (wheezy is
using revision 0.48)

Thanks a lot in advance!


// Ola




Re: Security update of ntp

2016-08-08 Thread Ola Lundqvist
Hi Kurt

Thanks a lot for a quick and good answer. Will mark it as unaffected in
wheezy too then.

Best regards

// Ola

On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx  wrote:

> On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> > Hi Kurt
> >
> > As a member of the LTS team I have started to look into a ntp security
> > update of CVE-2016-4953 mentioned here:
> > https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I see that you have prepared security updates for Debian wheezy in the past
> > so I would like to check with you if you want to do it this time too, or if
> > you'd like me to do that for you.
> >
> > Or alternatively that you know it is a non-issue already.
> >
> > I can see the following comment about jessie in the security tracker:
> > [jessie] - ntp  (Fix for CVE-2016-1547 or CVE-2015-7979
> > wasn't backported)
> >
> > But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> > so I guess it is affected, or?
> >
> > I have not looked into the details yet as I want to check with you first
> > whether you know about this already (I guess you do).
>
> First, the situation for wheezy and jessie should be identical.
> They have the same upstream source and should have the same
> patches for all security issues.
>
> The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
> and so we're not affected by what the upstream patch broke.
>
>
> Kurt
>
>




Re: Security update of ntp

2016-08-08 Thread Kurt Roeckx
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
> 
> As a member of the LTS team I have started to look into a ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
> 
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
> 
> Or alternatively that you know it is a non-issue already.
> 
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp  (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
> 
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
> 
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical.
They have the same upstream source and should have the same
patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
and so we're not affected by what the upstream patch broke.


Kurt



Security update of ntp

2016-08-08 Thread Ola Lundqvist
Hi Kurt

As a member of the LTS team I have started to look into a ntp security
update of CVE-2016-4953 mentioned here:
https://security-tracker.debian.org/tracker/source-package/ntp

I see that you have prepared security updates for Debian wheezy in the past
so I would like to check with you if you want to do it this time too, or if
you'd like me to do that for you.

Or alternatively that you know it is a non-issue already.

I can see the following comment about jessie in the security tracker:
[jessie] - ntp  (Fix for CVE-2016-1547 or CVE-2015-7979
wasn't backported)

But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
so I guess it is affected, or?

I have not looked into the details yet as I want to check with you first
whether you know about this already (I guess you do).

Best regards

// Ola



Re: Security update of nettle

2016-08-08 Thread Ola Lundqvist
Hi all

I have now prepared a build of nettle for wheezy, based on the patch that
Magnus prepared for me (thanks a lot for that!). You can find the debdiff
here:
http://apt.inguza.net/wheezy-security/nettle/nettle.debdiff

You can find the prepared packages here:
http://apt.inguza.net/wheezy-security/nettle/

I have done basic regression testing by installing lsh-server (and
lsh-client) and normal operations seem to be working fine. I chose lsh as
it is the only application in wheezy that I know is using nettle.

I have not tried to reproduce the potential side-channel issue as that one
is rather hard to trigger. If anyone knows about a tool for that, please let
me know.

I will upload a corrected version of nettle in four days (that is on
Thursday) unless anyone objects of course.

Best regards

// Ola


On Sun, Aug 7, 2016 at 10:16 PM, Ola Lundqvist  wrote:

> Hi Andreas
>
> It looks like you have managed without the context. I'm sorry that I was a
> little too brief.
>
> First thank you a lot for confirming that gnutls does not use nettle in
> wheezy. This is very good to know as I can safely patch nettle without
> considering gnutls usage of nettle. Thanks! It saves me the burden of
> patching and coordinating several uploads.
>
> The follow up patches that are needed are to modify gnutls (as long as it
> is using nettle).
>
> This (below) is what I have understood from Niels Möller. He is the source
> of my knowledge so please be in contact with him about the details.
>
> The correction in nettle is to use mpz_powm_sec instead of mpz_powm. The
> problem is that mpz_powm_sec will crash if the modulo argument is an even
> number. So a check is needed to ensure that or else we have a denial of
> service problem.
> You can see the detailed correction here:
> https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
>
> Nettle has added such checks in the *_key_prepare functions, see here:
> https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
> https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
> https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9
>
> I think this merge commit may be of help:
> https://git.lysator.liu.se/nettle/nettle/commit/b721591c051ce9e2304033dd19564f089775df17
>
> The issue is that gnutls does not use (or does not check the return code of)
> these prepare functions so there is therefore nothing that prevents the
> service from crashing in case an invalid signature is provided. The attack
> would for example be possible on some service provider having a common web
> server for multiple clients where the client can add their own
> certificate/key. In such case the whole server will go down instead of just
> this client.
>
> So a check is needed in gnutls to check that the modulo is not even. This
> can be done either by using the prepare functions (and checking the return
> code) or by checking it explicitly.
>
> Was this enough context?
>
> // Ola
>
> On Sun, Aug 7, 2016 at 8:04 AM, Andreas Metzler  wrote:
>
>> On 2016-08-07 Ola Lundqvist  wrote:
>> > On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller  wrote:
>> >> Ola Lundqvist  writes:
>> >>> Magnus, Niels and I have been discussing the nettle update due to
>> >>> https://security-tracker.debian.org/tracker/CVE-2016-6489
>>
>> >> Please note that some coordination with gnutls may be needed, to avoid
>> >> a denial-of-service problem involving invalid private keys.
>>
>> >>> I suggest something like this: "Protect against potential timing
>> >>> attacks against exponentiation operations as described in
>> >>> CVE-2016-6489 RSA code is vulnerable to cache sharing related
>> >>> attacks."
>>
>> >> I'd suggest the more general "side-channel attacks" over "timing
>> >> attacks".
>>
>> > I do not think coordination with gnutls is needed. I can not see that
>> > gnutls depends on nettle in wheezy.
>> > I can see that it can potentially do that, but I do not think it does.
>>
>> > There are no dependencies declared on nettle library and from unstable
>> > changelog it looks like this build dependency was first added in gnutls28.
>> > Wheezy has gnutls28.
>>
>> > I may be wrong however.
>>
>> > Or can it be so that nettle is built in statically and that a build
>> > dependency is not needed as some other package has a build dependency so we
>> > get it indirectly?
>>
>> > I'm including the gnutls maintainers to get their opinion.
>>
>>
>> Hello Ola,
>>
>> I think I am missing a little bit context, according to the security
>> tracker the issue applies to practically all versions of, from oldstable
>> up to and including unstable but the discussion seems to focus on LTS.
>>
>> You are right regarding wheezy/oldstable. It shipped gnutls 2.12.x built
>> against libgcrypt instead of nettle, there should not be a 
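The nettle/gnutls interaction described in this thread (mpz_powm_sec aborting on an even modulus, the *_key_prepare checks that reject such keys, and callers that must check the prepare result) can be modelled in a few lines. The following is an added example written for this page, not nettle's or gnutls's code: the function names mirror nettle's but the bodies are a simplified model, the toy RSA key (p = 61, q = 53) is constructed, and Python's pow() is used as a stand-in for the GMP routine, with the precondition check added in front of it because pow() itself accepts even moduli.

```python
# Added example (not nettle's or gnutls's code): a Python model of the
# precondition that makes the nettle change risky and of the key-prepare
# check that protects against it. Function names and the toy key are
# constructed for illustration; nettle's real prepare functions do more.


def powm_sec_precondition_ok(exp, mod):
    """GMP's mpz_powm_sec requires exp > 0 and an odd modulus. The real
    function aborts the process otherwise, which is the denial of service
    the thread discusses."""
    return exp > 0 and mod > 0 and mod % 2 == 1


def powm_sec_checked(base, exp, mod):
    """Stand-in for mpz_powm_sec: refuse, rather than abort, on inputs the
    real function cannot handle. (pow() itself accepts even moduli; the
    check in front of it is what is being modelled.)"""
    if not powm_sec_precondition_ok(exp, mod):
        raise ValueError("mpz_powm_sec precondition violated: need exp > 0 and an odd modulus")
    return pow(base, exp, mod)


def rsa_public_key_prepare(n, e):
    """Model of nettle's rsa_public_key_prepare: True only if the key can be
    used with the constant-time exponentiation. An even modulus is never a
    valid RSA modulus, so it is rejected here instead of crashing later."""
    return bool(n > 0 and n % 2 == 1 and e > 0)


def verify_raw_signature(n, e, signature, expected):
    """Caller-side pattern the thread asks of gnutls: check the prepare
    result and fail closed, so an invalid key taken from an untrusted
    certificate cannot take the whole server down."""
    if not rsa_public_key_prepare(n, e):
        return False
    return powm_sec_checked(signature, e, n) == expected


if __name__ == "__main__":
    # Constructed toy key: p = 61, q = 53, n = 3233, e = 17, d = 2753.
    n, e, d = 3233, 17, 2753
    msg = 65
    sig = pow(msg, d, n)  # "signing" with the private exponent
    print(verify_raw_signature(n, e, sig, msg))      # True
    print(verify_raw_signature(n + 1, e, sig, msg))  # False: even modulus rejected
```

The point of the two layers is that the library-level check (rsa_public_key_prepare) only helps if every caller looks at its return value; an application that skips it and feeds an attacker-supplied even modulus straight into the exponentiation gets the crash the thread warns about.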

[SECURITY] [DLA 589-1] mupdf security update

2016-08-08 Thread Jonas Meurer
Package: mupdf
Version: 0.9-2+deb7u3
CVE ID : CVE-2016-6525
Debian Bug : 833417

A flaw was discovered in the pdf_load_mesh_params() function allowing
out-of-bounds write access to memory locations. With carefully crafted
input, that could trigger a heap overflow, resulting in application
crash or possibly having other unspecified impact.

For Debian 7 "Wheezy", these problems have been fixed in version
0.9-2+deb7u3.

We recommend that you upgrade your mupdf packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted mupdf 0.9-2+deb7u3 (source amd64) into oldstable

2016-08-08 Thread Jonas Meurer
Format: 1.8
Date: Sat, 06 Aug 2016 16:13:05 +0200
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 0.9-2+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Kan-Ru Chen 
Changed-By: Jonas Meurer 
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf  - lightweight PDF viewer
 mupdf-tools - commmand line tools for the MuPDF viewer
Changes:
 mupdf (0.9-2+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Backport fix for CVE-2016-6525: heap overflow in pdf_load_mesh_params()
 from upstream git commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e.
Checksums-Sha1:
 00a3da26d54b2f811591f2806e50394cfad176f1 2026 mupdf_0.9-2+deb7u3.dsc
 8e18de98f1119ec6b5bdcbd1fc22e0dd55d7f95c 12151 mupdf_0.9-2+deb7u3.debian.tar.gz
 4a943ba68767d69d7f7013241b6956744d12180f 3227706 libmupdf-dev_0.9-2+deb7u3_amd64.deb
 53387e9fbb81d69f56fadbaa04dda8596d748c1b 3149678 mupdf_0.9-2+deb7u3_amd64.deb
 9b0ebb688e0ac156fd6edf06e1c02a27175b229d 3426616 mupdf-tools_0.9-2+deb7u3_amd64.deb
Checksums-Sha256:
 49b878fd815033f84dc7bdc6623e54397676d39e5d00651527ccd10524e7d741 2026 mupdf_0.9-2+deb7u3.dsc
 ed18fdf83966d33f56c02191b6a044fb2c329e6b5b927b61138619b80614cceb 12151 mupdf_0.9-2+deb7u3.debian.tar.gz
 e40327b9ee30d29881f31fcb24977870696368f182ca3806b28713a68c613e7d 3227706 libmupdf-dev_0.9-2+deb7u3_amd64.deb
 8fa8c48065ea342f6c101c4eb617100cbd151b471d9edfbcf3f2c1f9846a3543 3149678 mupdf_0.9-2+deb7u3_amd64.deb
 edfefdc4da9ade359a5b91f30d6af4c18469460f33997ec878762da719c6 3426616 mupdf-tools_0.9-2+deb7u3_amd64.deb
Files:
 5de12d83f68b9001da680d7dab5ec07b 2026 text optional mupdf_0.9-2+deb7u3.dsc
 7c4cdf495719525c726a9b5aa95952f7 12151 text optional mupdf_0.9-2+deb7u3.debian.tar.gz
 e95b7ad999ae873f840da543e827449c 3227706 libdevel optional libmupdf-dev_0.9-2+deb7u3_amd64.deb
 6c4966ccb8a7d0d0684152b02a49cc5c 3149678 text optional mupdf_0.9-2+deb7u3_amd64.deb
 7a00d16944c4f86ce48eba367e9d01fb 3426616 text optional mupdf-tools_0.9-2+deb7u3_amd64.deb




Accepted mongodb 1:2.0.6-1+deb7u1 (source amd64) into oldstable

2016-08-08 Thread Ola Lundqvist
Format: 1.8
Date: Mon, 01 Aug 2016 21:10:47 +
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source amd64
Version: 1:2.0.6-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Antonin Kral 
Changed-By: Ola Lundqvist 
Description: 
 mongodb- object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908
Changes: 
 mongodb (1:2.0.6-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Long Term Security Team.
   * Make sure dbshell log file is not readable by others
 CVE-2016-6494 (Closes: #832908).
Checksums-Sha1:
 ccb5ac86f8e07280c685af50503c58846d5558ee 2271 mongodb_2.0.6-1+deb7u1.dsc
 0e276274e32c589117635f3d6df0ff0d64a62ae0 2836857 mongodb_2.0.6.orig.tar.gz
 88fe57d1e2af14e07f9772c0e24bb2a9297dfe44 25491 mongodb_2.0.6-1+deb7u1.debian.tar.gz
 293636245eb5674d3aeea0092b9ce311ed9339af 10578 mongodb_2.0.6-1+deb7u1_amd64.deb
 56985ce94fa33b8c70f8eeea7c11c26c965272a8 4310042 mongodb-server_2.0.6-1+deb7u1_amd64.deb
 a3e89a91eb0e418c024e2bea80376f476002dd66 16794736 mongodb-clients_2.0.6-1+deb7u1_amd64.deb
 c84b47caf847a905c20ea43dec019927ca8973ed 1908304 mongodb-dev_2.0.6-1+deb7u1_amd64.deb
Checksums-Sha256:
 c75d964ccf4da8f4724f11fb54ad0e851ccf1beeb18c85a4a4c6cfe7fef9c99b 2271 mongodb_2.0.6-1+deb7u1.dsc
 201133a810c908140ea00f84c8257a96cdd6bb84fa0c0a33e42e478628666c3f 2836857 mongodb_2.0.6.orig.tar.gz
 4c74755f23bb6f3f7694b298068862fb4c21c254d96c8242f7c93a5a3355a0d2 25491 mongodb_2.0.6-1+deb7u1.debian.tar.gz
 a89f3471515bddeae293d4201f46d9c26cf0ea6bfa12bbbe78e71175570ba349 10578 mongodb_2.0.6-1+deb7u1_amd64.deb
 513aa5034a8cc46ccfce62a1e66bac60cb58aa3cbd2fa7397bc29c42a1145c87 4310042 mongodb-server_2.0.6-1+deb7u1_amd64.deb
 f2322c0e1e7ec2b00aa7235e8b4c67288e8b33fb429bfdd5e1fc03230aebfa34 16794736 mongodb-clients_2.0.6-1+deb7u1_amd64.deb
 f03cb8430c69c0503636453a4022a5aac877a709f8245aac096cc7649bcd9e94 1908304 mongodb-dev_2.0.6-1+deb7u1_amd64.deb
Files:
 e97bb661442c335c3b4464633ef1acb3 2271 database optional mongodb_2.0.6-1+deb7u1.dsc
 111521f1b6b3379b4dd5fbc1e8f038cf 2836857 database optional mongodb_2.0.6.orig.tar.gz
 218dc5bb1cb93996d3274e405f4e4e59 25491 database optional mongodb_2.0.6-1+deb7u1.debian.tar.gz
 10d9e75108d52074798c8c2be86d5d93 10578 database optional mongodb_2.0.6-1+deb7u1_amd64.deb
 7dfd6d5fa21e44c5d4039e7fda31ff71 4310042 database optional mongodb-server_2.0.6-1+deb7u1_amd64.deb
 5a221611b6f0e091470126c191c9726c 16794736 database optional mongodb-clients_2.0.6-1+deb7u1_amd64.deb
 b989a7a8f64028b14be804452c7098b8 1908304 libdevel optional mongodb-dev_2.0.6-1+deb7u1_amd64.deb




Re: Wheezy update of twisted?

2016-08-08 Thread Salvatore Bonaccorso
Hi,

Just a quick comment on:

On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.

Looking at the upstream ticket
https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted
16.3.1 will have something to help mitigate the issue in applications
that use twisted.

For Jessie, we do not plan to release any DSA related to this for
src:twisted. Don't know if you want to follow that on LTS side.

Regards,
Salvatore



Re: Wheezy update of python-django?

2016-08-08 Thread Salvatore Bonaccorso
Hi,

On Mon, Aug 08, 2016 at 05:59:36PM +1000, Brian May wrote:
> Brian May  writes:
> 
> > Attached is my latest debdiff patch, only includes changes to debian/*.
> 
> I just uploaded this to wheezy-security. Not 100% certain my upload will
> get accepted yet, my first attempt failed due to timeout error.

python-django_1.4.22-1.dsc has incorrect md5 checksum; deleting it.
python-django_1.4.22.orig.tar.gz has incorrect size; deleting it

You need to either reupload the dsc and orig.tar.gz as long as the other
files are still kept in the upload directory, or alternatively remove
the upload from the SecurityUploadQueue on security-master with dcut,
resign the changes and then reupload.

(Those mails are not sent to the uploader; the signature is not yet
verified at that stage).

Regards,
Salvatore
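The two rejection messages quoted above (incorrect checksum, incorrect size) are exactly what a pre-upload consistency check catches: every file named in the .changes file's Files / Checksums-* stanzas must exist with the listed size and digest. The following is an added example, not code from the Debian archive software or from anyone in this thread. It parses those stanzas and verifies the files on disk; the demo builds a constructed two-file "upload" in a temporary directory (file names, contents and the .changes fragment are all made up) and then reproduces a truncated orig tarball and a tampered .dsc.

```python
# Added example (not the Debian archive software's code): verify that the
# files of an upload match the sizes and digests listed in its .changes
# file before uploading. The demo uses a constructed upload in a temp dir.
import hashlib
import os
import tempfile


def parse_checksum_stanza(changes_text, field):
    """Return {filename: (digest, size)} for one multi-line field such as
    'Files' (md5) or 'Checksums-Sha256'. Each continuation line starts with
    a space: '<digest> <size> [section priority] <filename>'."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if not in_field:
            continue
        if not line.startswith(" "):
            break  # next field reached
        parts = line.split()
        entries[parts[-1]] = (parts[0], int(parts[1]))
    return entries


def verify_upload(changes_text, directory):
    """Check every listed file against each digest stanza. Returns a list
    of problems worded like the archive's own rejections; an empty list
    means the files are consistent with the .changes."""
    stanzas = (("Files", "md5"), ("Checksums-Sha1", "sha1"), ("Checksums-Sha256", "sha256"))
    problems = []
    for field, algo in stanzas:
        for name, (digest, size) in parse_checksum_stanza(changes_text, field).items():
            path = os.path.join(directory, name)
            if not os.path.isfile(path):
                problems.append(f"{name}: missing")
                continue
            actual_size = os.path.getsize(path)
            if actual_size != size:
                problems.append(f"{name}: incorrect size ({actual_size} != {size})")
                continue
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                h.update(fh.read())
            if h.hexdigest() != digest:
                problems.append(f"{name}: incorrect {algo} checksum")
    return list(dict.fromkeys(problems))  # drop duplicates, keep order


def run_demo():
    """Constructed upload: two files with known content and a matching
    .changes fragment, then a truncated orig tarball and a tampered .dsc."""
    directory = tempfile.mkdtemp()
    content = b"hello"  # constructed sample content, not a real package
    names = ("demo_1.0-1.dsc", "demo_1.0.orig.tar.gz")
    for name in names:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    md5 = hashlib.md5(content).hexdigest()
    sha256 = hashlib.sha256(content).hexdigest()
    changes = "Format: 1.8\nSource: demo\nChecksums-Sha256:\n"
    changes += "".join(f" {sha256} {len(content)} {n}\n" for n in names)
    changes += "Files:\n"
    changes += "".join(f" {md5} {len(content)} misc optional {n}\n" for n in names)
    results = {"clean": verify_upload(changes, directory)}
    with open(os.path.join(directory, names[1]), "wb") as fh:
        fh.write(content[:-1])  # truncated transfer: size mismatch
    results["truncated"] = verify_upload(changes, directory)
    with open(os.path.join(directory, names[0]), "wb") as fh:
        fh.write(b"jello")  # same size, different content: digest mismatch
    results["tampered"] = verify_upload(changes, directory)
    return results


if __name__ == "__main__":
    for label, problems in run_demo().items():
        print(label, problems or "ok")
```

Size is compared before the digest because it is the cheaper check and is what a truncated upload trips first, which matches the order in which the queue daemon reported the two files above.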



Re: Wheezy update of twisted?

2016-08-08 Thread Brian May
Free Ekanayaka  writes:

> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.

So I created the following code:

=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os


class ClockPage(Resource):
    isLeaf = True

    def render_GET(self, request):
        # Dump the process environment on every request, so any HTTP_PROXY
        # derived from the request headers would show up here
        print(os.environ)
        return "%s" % (time.ctime(),)

resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
reactor.run()
=== cut ===

Then I attempted to run from wheezy. In particular, I used the following
command:

curl -H "Proxy: http://meow/" http://localhost:8880/

I inspected the console output, but could not find any references to
meow or HTTP_PROXY:

{'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000', 
'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root', 
'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default', 'PWD': 
'/home/brian/tree/debian/debian-lts/wheezy/twisted/test', 'SCHROOT_SESSION_ID': 
'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b', 'SCHROOT_USER': 
'brian', 'USER': 'root', 'HOME': '/root', 'SCHROOT_GID': '1000', 'PATH': 
'/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'LOGNAME': 
'root', 'SCHROOT_GROUP': 'brian', 'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default', 
'_': '/usr/bin/python'}

I get similar results when testing on stretch. It looks like sid is the
same version 16.3.0-1.

I am inclined to say that no version of twisted, by itself, has this
vulnerability. However like I said earlier it is possible that
applications that use twisted have this vulnerability.
-- 
Brian May 
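Brian's test shows a plain Twisted Site leaving os.environ alone, which is consistent with his conclusion that the problem sits in applications (and gateways) rather than in twisted itself. What those applications do is the CGI-style mapping of request headers into environment variables, where a client's Proxy header becomes HTTP_PROXY. The following is an added example, not code from Twisted, the thread or any Debian package: it models that mapping, a hardened variant that filters the colliding header, and a simplified model of how a proxy-honouring client reads the environment. The header names and values, the block list and the outbound_proxy_for lookup are constructed for illustration and do not reproduce any particular library's exact behaviour.

```python
# Added example (not Twisted's or the thread's code): model of the
# CGI/WSGI header-to-environment mapping that lets a client-sent "Proxy"
# header collide with HTTP_PROXY, and the filter that prevents it.

# Request headers whose CGI form (HTTP_<NAME>) collides with environment
# variables that HTTP client libraries read as configuration.
BLOCKED_REQUEST_HEADERS = {"proxy"}


def cgi_meta_variable(header_name):
    """RFC 3875 style meta-variable name: 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_environ_from_headers(headers, base_env=None):
    """Naive gateway behaviour: every request header becomes HTTP_<NAME>.
    A request carrying 'Proxy: http://meow/' yields HTTP_PROXY=http://meow/,
    which is the collision the thread is chasing."""
    env = dict(base_env or {})
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def safe_cgi_environ_from_headers(headers, base_env=None):
    """Hardened gateway: drop headers whose meta-variable would shadow
    client-library configuration before building the environment."""
    kept = [(n, v) for n, v in headers if n.lower() not in BLOCKED_REQUEST_HEADERS]
    return cgi_environ_from_headers(kept, base_env)


def outbound_proxy_for(env):
    """Simplified, constructed model of a proxy-honouring HTTP client: any
    case variant of http_proxy in the environment selects the proxy for
    outbound requests made while handling this request."""
    for key in ("http_proxy", "HTTP_PROXY"):
        if env.get(key):
            return env[key]
    return None


if __name__ == "__main__":
    # Constructed request headers, mirroring the curl invocation in the thread.
    headers = [("Host", "localhost:8880"), ("Proxy", "http://meow/")]
    naive = cgi_environ_from_headers(headers)
    safe = safe_cgi_environ_from_headers(headers)
    print("naive gateway proxy:", outbound_proxy_for(naive))  # http://meow/
    print("safe gateway proxy:", outbound_proxy_for(safe))    # None
```

Filtering at the gateway is the mitigation that does not depend on every downstream library being fixed; the per-library fix is to ignore HTTP_PROXY whenever the process is running as a CGI script, and both are worth having.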



Re: Security update of firefox-esr for Wheezy

2016-08-08 Thread Raphael Hertzog
On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> > Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> > purpose is to enable build of other packages?
> 
> That would make sense.
> 
> I'll see if I can take a look at this.

The problematic part is likely libstdc++. I would expect the new gcc to
assume that you have the corresponding libstdc++.

Mike once told that Firefox has special code to avoid the increased
dependency but that might not be the case of other packages that we might
want to build with a newer gcc.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/