Wheezy update of python-bottle?

2016-12-17 Thread Markus Koschany
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of python-bottle:
https://security-tracker.debian.org/tracker/CVE-2016-9964

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of python-bottle updates
for the LTS releases.

Thank you very much.

Markus Koschany,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: unrealize mechanism in 9pfs

2016-12-17 Thread Guido Günther
On Sat, Dec 17, 2016 at 10:29:57AM +0100, Hugo Lefeuvre wrote:
> Hi,
> 
> I'm currently finishing my upload for qemu, and a question is
> remaining concerning the fix of CVE-2016-99{14,15,16}[0,1,2].
> 
> It is clear to me that the 9pfs proxy/handle backend drivers may
> issue a memory leakage when unrealized (ctx->private not deallocated

We don't have virtfs-proxy-helper in wheezy so I think we don't need to
support the "proxy" case.

As for "handle" did you check that it works in Wheezy including unplug?
If so please let me know and we can have a closer look.

I've only used "local" so far which does not seem to be affected by the
CVEs.
Cheers,
 -- Guido

> for example). Thus, if they can be unrealized, we will need to
> implement a cleanup mechanism, as proposed in the upstream patch[3,4].
> 
> In recent versions following the QOM model, the unrealize operation
> is implemented in 9p.c. It is not the case in the wheezy version,
> for which I can't find any function performing unrealize operations[5]
> (the current unrealize function got implemented in this commit[6]).
> 
> So, I am having trouble defining whether it is possible to unrealize the
> 9pfs device in the wheezy version, and if yes, which method (if there's
> one) is handling it.
> 
> Does anybody have an idea?
> 
> Cheers,
>  Hugo
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9914
> [1] https://security-tracker.debian.org/tracker/CVE-2016-9915
> [2] https://security-tracker.debian.org/tracker/CVE-2016-9916
> [3] http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30
> [4] http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68
> [5] For the record, the equivalent in wheezy of the modern realize function is
> virtio_9p_init in virtio-9p-device.c.
> [6] http://git.qemu.org/?p=qemu.git;a=commit;h=6cecf093735f2e5af7d0e29d957350320044e354
> 
> -- 
>  Hugo Lefeuvre (hle)|www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




unrealize mechanism in 9pfs

2016-12-17 Thread Hugo Lefeuvre
Hi,

I'm currently finishing my upload for qemu, and a question is
remaining concerning the fix of CVE-2016-99{14,15,16}[0,1,2].

It is clear to me that the 9pfs proxy/handle backend drivers may
issue a memory leakage when unrealized (ctx->private not deallocated
for example). Thus, if they can be unrealized, we will need to
implement a cleanup mechanism, as proposed in the upstream patch[3,4].

In recent versions following the QOM model, the unrealize operation
is implemented in 9p.c. It is not the case in the wheezy version,
for which I can't find any function performing unrealize operations[5]
(the current unrealize function got implemented in this commit[6]).

So, I am having trouble defining whether it is possible to unrealize the
9pfs device in the wheezy version, and if yes, which method (if there's
one) is handling it.

Does anybody have an idea?

Cheers,
 Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2016-9914
[1] https://security-tracker.debian.org/tracker/CVE-2016-9915
[2] https://security-tracker.debian.org/tracker/CVE-2016-9916
[3] http://git.qemu.org/?p=qemu.git;a=commit;h=971f406b77a6eb84e0ad27dcc416b663765aee30
[4] http://git.qemu.org/?p=qemu.git;a=commit;h=898ae90a44551d25b8e956fd87372d303c82fe68
[5] For the record, the equivalent in wheezy of the modern realize function is
virtio_9p_init in virtio-9p-device.c.
[6] http://git.qemu.org/?p=qemu.git;a=commit;h=6cecf093735f2e5af7d0e29d957350320044e354

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
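The leak Hugo describes above (a backend's ctx->private that nothing frees when the device is unrealized) and the shape of the upstream remedy (a cleanup hook in the backend's operations table that the device's unrealize path calls) can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not QEMU's code and not the Wheezy patch: FsContext, FileOperations, HandlePrivate, V9fsDevice, v9fs_realize, v9fs_unrealize and the tracking allocator are all simplified, hypothetical stand-ins, and "/srv/export" is a constructed value. It plugs and unplugs the device repeatedly with and without the cleanup hook and counts the private blocks left behind, which is the check a reviewer would want before deciding whether a given tree needs the cleanup mechanism at all.

```c
#include <stdlib.h>
#include <string.h>

/* Miniature leak tracker (constructed for this example): every backend
 * allocation goes through it so a test can count what unrealize left behind. */
#define MAX_TRACKED 16
static void *tracked[MAX_TRACKED];

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!tracked[i]) { tracked[i] = calloc(1, n); return tracked[i]; }
    }
    return NULL;                       /* table full: treat as allocation failure */
}

static void tracked_free(void *p) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tracked[i] == p) { free(p); tracked[i] = NULL; return; }
    }
}

int tracked_live(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) n += tracked[i] != NULL;
    return n;
}

/* Detector teardown only; the device model never calls this. */
static void tracked_release_all(void) {
    for (int i = 0; i < MAX_TRACKED; i++) { free(tracked[i]); tracked[i] = NULL; }
}

/* Simplified model of a 9p backend: hypothetical names, not QEMU's structures. */
typedef struct FsContext FsContext;
typedef struct FileOperations {
    int (*init)(FsContext *ctx);
    void (*cleanup)(FsContext *ctx);   /* the hook the fix adds; NULL before it */
} FileOperations;

struct FsContext {
    const FileOperations *ops;
    void *private;                     /* backend-private state, e.g. for "handle" */
};

typedef struct HandlePrivate { int mountfd; char export_path[64]; } HandlePrivate;

static int handle_init(FsContext *ctx) {
    HandlePrivate *p = tracked_alloc(sizeof *p);
    if (!p) return -1;
    p->mountfd = -1;
    strncpy(p->export_path, "/srv/export", sizeof p->export_path - 1); /* constructed */
    ctx->private = p;
    return 0;
}

static void handle_cleanup(FsContext *ctx) {
    tracked_free(ctx->private);        /* release what init allocated */
    ctx->private = NULL;
}

static const FileOperations handle_ops_before = { handle_init, NULL };            /* leaks */
static const FileOperations handle_ops_after  = { handle_init, handle_cleanup };  /* fixed */

typedef struct V9fsDevice { FsContext ctx; int realized; } V9fsDevice;

static int v9fs_realize(V9fsDevice *dev, const FileOperations *ops) {
    dev->ctx.ops = ops;
    dev->ctx.private = NULL;
    if (ops->init(&dev->ctx) < 0) return -1;
    dev->realized = 1;
    return 0;
}

/* Unrealize can only free backend state if the driver exposes a cleanup hook;
 * without one, ctx->private becomes unreachable once the device is gone. */
static void v9fs_unrealize(V9fsDevice *dev) {
    if (!dev->realized) return;
    if (dev->ctx.ops->cleanup) dev->ctx.ops->cleanup(&dev->ctx);
    dev->realized = 0;
}

/* Plug and unplug the device `cycles` times and return how many private blocks
 * were still live afterwards; the tracker then frees them so the check itself
 * leaves nothing behind. Returns -1 if an init fails. */
int leaked_private_blocks(int use_fixed_ops, int cycles) {
    const FileOperations *ops = use_fixed_ops ? &handle_ops_after : &handle_ops_before;
    tracked_release_all();
    for (int i = 0; i < cycles; i++) {
        V9fsDevice dev;
        memset(&dev, 0, sizeof dev);
        if (v9fs_realize(&dev, ops) < 0) { tracked_release_all(); return -1; }
        v9fs_unrealize(&dev);
    }
    int live = tracked_live();
    tracked_release_all();
    return live;
}
```

With the pre-fix operations table every plug/unplug cycle strands one HandlePrivate block; with the cleanup hook wired into unrealize the count stays at zero however many cycles run. In a tree where no unrealize path exists at all (the question raised for Wheezy), the private block is never released either, but neither is it reachable through a hot-unplug sequence, which is why confirming whether unplug works on that version comes before deciding on a cleanup backport.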

