Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
Hi, First: Could somebody perhaps enlighten me why all these issues show up as unimportant in [2] but up to medium in the separate pages (e.g. [3]) begin quotation from Michael Gilbert (in jnk14-84e...@gated-at.bofh.it): On Mon, Sep 24, 2012 at 4:27 AM, Arne Wichmann wrote: begin quotation from Michael Gilbert (in jmfpp-2t...@gated-at.bofh.it): On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: Ok, I just created one more fixed version of python2.6 for my own use. Whoever is interested can find it at [1] for the time being. If anybody has comments or improvements I am also interested. Would you mind attaching a debdiff so we can see what you did? If your changes look reasonable, I may be willing to work with you to sponsor a stable-proposed update: http://www.debian.org/releases/proposed-updates Attached. Thanks for your work on this. There are a couple easily correctable issues. One is that the debdiff is backwards. Second, its better to Hopefully not this time. use cve numbers to name the patches rather than commit ids. Third, Done. the distribution should be stable-proposed-updates rather than stable, Not done. See other referenced mail. and there should only be one new entry in the changelog, and the version should be +squeeze1. Done. Finally, there are some other unfixed python2.6 issues. Would you mind taking a look at those? It would be good to include them all in a new update: http://security-tracker.debian.org/tracker/source-package/python2.6 CVE-2011-4940 is unimportant. CVE-2012-0876 is fixed (tracker updated). I do not feel comfortable including a solution to CVE-2012-1150, what I have seen looks quite intusive to me and the impact seems minor. If you think I should try [4] tell me and I will do so. A similar argument goes for CVE-2011-1015 - as already mentioned in [5]. I added CVE-2012-0845. The debdiff is attached. The packages can be found here: [6] begin quotation from Adam D. Barratt (in jno4g-2l...@gated-at.bofh.it): On Mon, 2012-09-24 at 12:39 -0400, Michael Gilbert wrote: the distribution should be stable-proposed-updates rather than stable, stable's fine. (As would be proposed-updates and squeeze.) Ok. [2] http://security-tracker.debian.org/tracker/source-package/python2.6 [3] http://security-tracker.debian.org/tracker/CVE-2012-0876 [4] http://bugs.python.org/file24563/hash-patch-3.1-gb-03.patch [5] http://security-tracker.debian.org/tracker/CVE-2011-1015 [6] http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1.diff.gz http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1.dsc http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.build http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.changes http://www.saar.de/~aw/debian/python2.6_2.6.6-8+squeeze1_amd64.deb http://www.saar.de/~aw/debian/python2.6-dbg_2.6.6-8+squeeze1_amd64.deb http://www.saar.de/~aw/debian/python2.6-dev_2.6.6-8+squeeze1_amd64.deb http://www.saar.de/~aw/debian/python2.6-doc_2.6.6-8+squeeze1_all.deb http://www.saar.de/~aw/debian/python2.6-examples_2.6.6-8+squeeze1_all.deb http://www.saar.de/~aw/debian/python2.6-minimal_2.6.6-8+squeeze1_amd64.deb http://www.saar.de/~aw/debian/idle-python2.6_2.6.6-8+squeeze1_all.deb http://www.saar.de/~aw/debian/libpython2.6_2.6.6-8+squeeze1_amd64.deb cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) diff -u python2.6-2.6.6/debian/changelog python2.6-2.6.6/debian/changelog --- python2.6-2.6.6/debian/changelog +++ python2.6-2.6.6/debian/changelog @@ -1,3 +1,12 @@ +python2.6 (2.6.6-8+squeeze1) stable; urgency=low + + * Non-maintainer upload. + * CVE-2011-1521. Closes: #628455 + * CVE-2011-3389. Closes: #684511 + * CVE-2012-0845. + + -- Arne Wichmann a...@linux.de Mon, 01 Oct 2012 14:38:46 +0200 + python2.6 (2.6.6-8) unstable; urgency=low * Disable the profiled builds on m68k and sparc. Closes: #606091. diff -u python2.6-2.6.6/debian/patches/series.in python2.6-2.6.6/debian/patches/series.in --- python2.6-2.6.6/debian/patches/series.in +++ python2.6-2.6.6/debian/patches/series.in @@ -62,0 +63,3 @@ +CVE-2011-3389.diff +CVE-2011-1521.diff +CVE-2012-0845.diff only in patch2: unchanged: --- python2.6-2.6.6.orig/.pbuilderrc +++ python2.6-2.6.6/.pbuilderrc @@ -0,0 +1,163 @@ +# Idea stolen at https://wiki.ubuntu.com/PbuilderHowto +# Enhanced to support experimental, backports and oldstable. +# Does not build with non-free by default anymore. + +unset CCACHEDIR + +# DIST NONFREE ARCH CUSTOM should be added to env_keep in your sudoers config. +OLDSTABLE=lenny +OLDSTABLE_ARCHIVED=false +STABLE=squeeze +TESTING=wheezy +UNSTABLE=sid + +# Codenames for Debian suites according to their alias. Update these when +# needed.
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
On Mon, Oct 1, 2012 at 12:34 PM, Arne Wichmann wrote: Hi, First: Could somebody perhaps enlighten me why all these issues show up as unimportant in [2] but up to medium in the separate pages (e.g. [3]) That seems to be a tracker bug (possibly involving [squeeze],etc release-specific tags). If all releases have fixed versions, it should be considered a fixed issue, but it wasn't. However, for that specific case, I've just checked and the issue is not fixed in 2.6.6-8, so I reverted that change. I'll take a look at the rest in the next couple days. Best wishes, Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANTw=MOyDPjdkqrGLzeTPNfuwWLy=pMX6hL4W0dc=rbud8h...@mail.gmail.com
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
begin quotation from Michael Gilbert (in jmfpp-2t...@gated-at.bofh.it): On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: Ok, I just created one more fixed version of python2.6 for my own use. Whoever is interested can find it at [1] for the time being. If anybody has comments or improvements I am also interested. Would you mind attaching a debdiff so we can see what you did? If your changes look reasonable, I may be willing to work with you to sponsor a stable-proposed update: http://www.debian.org/releases/proposed-updates Attached. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) reverted: --- python2.6-2.6.6/.pbuilderrc +++ python2.6-2.6.6.orig/.pbuilderrc @@ -1,163 +0,0 @@ -# Idea stolen at https://wiki.ubuntu.com/PbuilderHowto -# Enhanced to support experimental, backports and oldstable. -# Does not build with non-free by default anymore. - -unset CCACHEDIR - -# DIST NONFREE ARCH CUSTOM should be added to env_keep in your sudoers config. -OLDSTABLE=lenny -OLDSTABLE_ARCHIVED=false -STABLE=squeeze -TESTING=wheezy -UNSTABLE=sid - -# Codenames for Debian suites according to their alias. Update these when -# needed. -UNSTABLE_CODENAME=unstable -TESTING_CODENAME=testing -STABLE_CODENAME=stable -OLDSTABLE_CODENAME=oldstable - - -# List of Debian suites. -DEBIAN_SUITES=($UNSTABLE_CODENAME $TESTING_CODENAME $STABLE_CODENAME $OLDSTABLE_CODENAME -$UNSTABLE $TESTING $STABLE $OLDSTABLE experimental) - -# List of Ubuntu suites. Update these when needed. -UBUNTU_SUITES=(jaunty intrepid hardy gutsy lucid maverick) - -# Mirrors to use. Update these to your preferred mirror. -DEBIAN_MIRROR=ftp2.de.debian.org -UBUNTU_MIRROR=debian.netcologne.de - -# Use Cowbuilder -PDEBUILD_PBUILDER=cowbuilder - -# Optionally use the changelog of a package to determine the suite to use if -# none set. -if [ -z ${DIST} ] [ -r debian/changelog ]; then -DIST=$(dpkg-parsechangelog | awk '/^Distribution: / {print $2}') -fi - -# Optionally set a default distribution if none is used. Note that you can set -# your own default (i.e. ${DIST:=unstable}). -: ${DIST:=stable} - -# Optionally change Debian codenames in $DIST to their aliases. -case $DIST in -$UNSTABLE_CODENAME|UNRELEASED) -DIST=$UNSTABLE -;; - $TESTING_CODENAME|$TESTING_CODENAME-proposed-updates|$TESTING_CODENAME-security) -DIST=$TESTING -;; - $STABLE_CODENAME|$STABLE_CODENAME-proposed-updates|$STABLE_CODENAME-security) -DIST=$STABLE -;; - $OLDSTABLE_CODENAME|$OLDSTABLE_CODENAME-proposed-updates|$OLDSTABLE_CODENAME-security) -DIST=$OLDSTABLE -esac - -# Optionally set the architecture to the host architecture if none set. Note -# that you can set your own default (i.e. ${ARCH:=i386}). -: ${ARCH:=$(dpkg --print-architecture)} - -DEBOOTSTRAPOPTS=( -'--variant=buildd' -) - - -NAME=$DIST -if [ -n ${ARCH} ]; then -NAME=$NAME-$ARCH -DEBOOTSTRAPOPTS=(--arch $ARCH ${DEBOOTSTRAPOPTS[@]}) -fi -if [ -n ${NONFREE} ]; then -NAME=$NAME-nonfree -fi - -#CUSTOM allows to create chroots per customer, or for whatever you need it -if [ -n ${CUSTOM} ]; then -NAME=$NAME-$CUSTOM -fi - -BASETGZ=/var/cache/pbuilder/$NAME-base.tgz -BASEPATH=/var/cache/pbuilder/$NAME-base.cow -BUILDRESULT=/tmp/ -BUILDPLACE=/var/cache/pbuilder/build/ - -if $(echo ${DEBIAN_SUITES[@]} | grep -q ${DIST%-backports}); then -COMPONENTS=main -if [ -n ${NONFREE} ]; then -COMPONENTS=$COMPONENTS contrib non-free -fi -DEBOOTSTRAPOPTS=( -'--keyring' '/usr/share/keyrings/debian-archive-keyring.gpg' -${DEBOOTSTRAPOPTS[@]} -) - -case $DIST in -$OLDSTABLE) -if [ $OLDSTABLE_ARCHIVED = true ]; then -MIRRORSITE=http://archive.debian.org/debian/; -else -MIRRORSITE=http://$DEBIAN_MIRROR/debian/; -fi -;; -experimental) -if [ -z $OTHERMIRROR ]; then -OTHERMIRROR=deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS -else -OTHERMIRROR=deb http://$DEBIAN_MIRROR/debian experimental $COMPONENTS | ${OTHERMIRROR} -fi -;; -*-backports) -if [ -z $OTHERMIRROR ]; then -OTHERMIRROR=deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS -else -OTHERMIRROR=deb http://debian.netcologne.de/debian-backports/ $DIST $COMPONENTS | ${OTHERMIRROR} -fi -EXTRAPACKAGES=$EXTRAPACKAGES debian-backports-keyring -;; -esac - -elif $(echo ${UBUNTU_SUITES[@]} | grep -q ${DIST%-backports}); then -# Ubuntu configuration -MIRRORSITE=http://$UBUNTU_MIRROR/ubuntu/; -COMPONENTS=main universe -if [ -n ${NONFREE} ]; then
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
On Mon, Sep 24, 2012 at 4:27 AM, Arne Wichmann wrote: begin quotation from Michael Gilbert (in jmfpp-2t...@gated-at.bofh.it): On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: Ok, I just created one more fixed version of python2.6 for my own use. Whoever is interested can find it at [1] for the time being. If anybody has comments or improvements I am also interested. Would you mind attaching a debdiff so we can see what you did? If your changes look reasonable, I may be willing to work with you to sponsor a stable-proposed update: http://www.debian.org/releases/proposed-updates Attached. Thanks for your work on this. There are a couple easily correctable issues. One is that the debdiff is backwards. Second, its better to use cve numbers to name the patches rather than commit ids. Third, the distribution should be stable-proposed-updates rather than stable, and there should only be one new entry in the changelog, and the version should be +squeeze1. Finally, there are some other unfixed python2.6 issues. Would you mind taking a look at those? It would be good to include them all in a new update: http://security-tracker.debian.org/tracker/source-package/python2.6 Thanks again! Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANTw=MMmOqRrK-g9gmLndxmxXxkYO3zwaDCis_hSvo2=n77...@mail.gmail.com
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
On Mon, 2012-09-24 at 12:39 -0400, Michael Gilbert wrote: the distribution should be stable-proposed-updates rather than stable, stable's fine. (As would be proposed-updates and squeeze.) Regards, Adam -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/1348520749.6724.17.ca...@jacala.jungle.funky-badger.org
CVE-2011-1521 and CVE-2011-3389 - fixed packet
Ok, I just created one more fixed version of python2.6 for my own use. Whoever is interested can find it at [1] for the time being. If anybody has comments or improvements I am also interested. [1] http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw2.dsc http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw2.diff.gz http://www.saar.de/~aw/debian/python2.6-dbg_2.6.6-8.aw2_amd64.deb http://www.saar.de/~aw/debian/python2.6-dev_2.6.6-8.aw2_amd64.deb http://www.saar.de/~aw/debian/python2.6-doc_2.6.6-8.aw2_all.deb http://www.saar.de/~aw/debian/python2.6-examples_2.6.6-8.aw2_all.deb http://www.saar.de/~aw/debian/python2.6-minimal_2.6.6-8.aw2_amd64.deb http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw2_amd64.deb http://www.saar.de/~aw/debian/idle-python2.6_2.6.6-8.aw2_all.deb http://www.saar.de/~aw/debian/libpython2.6_2.6.6-8.aw2_amd64.deb http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw2_amd64.build http://www.saar.de/~aw/debian/python2.6_2.6.6-8.aw2_amd64.changes cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (a...@linux.de) signature.asc Description: Digital signature
Re: CVE-2011-1521 and CVE-2011-3389 - fixed packet
On Fri, Sep 21, 2012 at 11:40 AM, Arne Wichmann wrote: Ok, I just created one more fixed version of python2.6 for my own use. Whoever is interested can find it at [1] for the time being. If anybody has comments or improvements I am also interested. Would you mind attaching a debdiff so we can see what you did? If your changes look reasonable, I may be willing to work with you to sponsor a stable-proposed update: http://www.debian.org/releases/proposed-updates Best wishes, Mike -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CANTw=MPSr5+TBwG=xaxpgk0vbiw93va4_7enoev_wzbmxwg...@mail.gmail.com