Bug#696306: freeciv: CVE-2012-5645

2013-01-01 Thread Moritz Muehlenhoff
On Wed, Dec 19, 2012 at 01:38:30PM +0200, Marko Lindqvist wrote:
> On 19 December 2012 09:02, Moritz Muehlenhoff  wrote:
> > Package: freeciv
> > Severity: important
> > Tags: security
> >
> > Hi,
> > please see http://aluigi.altervista.org/adv/freecivet-adv.txt
> 
>  That's two issues...
> 
> > Bug: http://gna.org/bugs/?20003
> 
>  ... reported in one freeciv ticket.
> 
>  That CVE is a bit unfortunate in that it (currently) has a description
> containing both parts, but the fix provided is only one part. I think it's
> quite likely that they will assign a new CVE for the other half to sort
> this out.
> 
> > Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670
> 
>  Patch from stable S2_3 branch (where 2.3.x releases come from):
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21672
> 
>  And the other fix not listed in CVE: trunk:
> http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21701 /
> S2_3: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21703

FTR, the additional issue has been assigned CVE-2012-6083:
http://www.openwall.com/lists/oss-security/2012/12/31/2

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#694808: libv8: CVE-2012-5120 CVE-2012-5128

2013-01-02 Thread Moritz Muehlenhoff
On Sun, Dec 16, 2012 at 11:08:34PM +0100, Jérémy Lal wrote:
> On 16/12/2012 23:00, Allison Randal wrote:
> > The details on these two CVE's are 403 for me:
> > 
> > CVE-2012-5120
> > https://code.google.com/p/chromium/issues/detail?id=150729
> > 
> > CVE-2012-5128
> > https://code.google.com/p/chromium/issues/detail?id=157124
> > 
> > So presumably they're still embargoed and only accessible to certain
> > members of pkg-javascript.
> 
> Yes, they are.
> I asked Chris (cc-ed to Giuseppe) for access to those.

Did you get a reply?

Cheers,
Moritz





Bug#697375: rpm: CVE-2012-6088

2013-01-04 Thread Moritz Muehlenhoff
Package: rpm
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-6088:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43e7424bc8bf95f5e031446ecb6b08381e8

Cheers,
Moritz





Bug#697580: connman: CVE-2012-6459

2013-01-06 Thread Moritz Muehlenhoff
Package: connman
Severity: grave
Tags: security

Please check, whether the version/configuration in Debian is affected:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6459
https://bugs.tizen.org/jira/browse/TIVI-211
http://git.kernel.org/?p=network/connman/connman.git;a=commit;h=01126286f96856aab6b0de171830f4e8e842e1da

Cheers,
Moritz





Bug#697582: qt4-x11: CVE-2012-6093

2013-01-07 Thread Moritz Muehlenhoff
Package: qt4-x11
Severity: important
Tags: security

Please see http://seclists.org/oss-sec/2013/q1/21

Cheers,
Moritz





Bug#697543: Missing man page for cups-files.conf

2013-01-07 Thread Moritz Muehlenhoff
On Mon, Jan 07, 2013 at 09:55:15AM +0100, Didier 'OdyX' Raboud wrote:
> On Monday, 7 January 2013 09:00:07, Didier 'OdyX' Raboud wrote:
> > But the manpage is definitely missing and the patch is quite trivial
> > (attached). Security Team: would such a security upload be acceptable?
> 
> Also, translating cups-files.conf's man is almost trivial with the existing 
> po4a infrastructure. Would the attached patch be acceptable as well?
> 
> That said, given that both fixes (adding the manpage and its translations) 
> have no security implication, shouldn't these fixes go to stable-updates 
> instead? Another possibility would be to ship the english manpage as soon as 
> possible in debian-security and enhance the fix with translations later on 
> through stable-updates? WDYT?

I think fixing this through a stable point update is sufficient.

Cheers,
Moritz





Bug#697584: cups: CVE-2012-6094

2013-01-07 Thread Moritz Muehlenhoff
Package: cups
Severity: important
Tags: security

I'm not sure if this affects Cups in Debian:
http://www.openwall.com/lists/oss-security/2013/01/04/1

Stable isn't affected in any case, since systemd isn't present yet.

Cheers,
Moritz

-- System Information:
Debian Release: 5.0.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash





Bug#695097: sleuthkit: Fails to spot files named with a single dot on FAT filesystems

2012-12-04 Thread Moritz Muehlenhoff
Package: sleuthkit
Severity: normal

I don't consider this a vulnerability, but it was assigned a CVE and should
be fixed up nonetheless: http://seclists.org/oss-sec/2012/q4/384

Cheers,
Moritz





Bug#695138: dovecot: CVE-2012-5620

2012-12-04 Thread Moritz Muehlenhoff
Package: dovecot
Severity: grave
Tags: security
Justification: user security hole

This entry from 
http://www.dovecot.org/list/dovecot-news/2012-November/000235.html
was assigned CVE-2012-5620:

>  imap: Fixed crash when SEARCH contained multiple KEYWORD parameters.

Fix:
http://hg.dovecot.org/dovecot-2.1/rev/0306792cc843

The posting on oss-security claims 1.2 doesn't contain the affected code:
http://seclists.org/oss-sec/2012/q4/395

However, mail_search_keywords_merge() also exists in 1.2.15 from Squeeze, so
this needs further investigation or clarification from upstream.

Cheers,
Moritz





Bug#695139: bogofilter-common: CVE-2012-5468

2012-12-04 Thread Moritz Muehlenhoff
Package: bogofilter-common
Severity: grave
Tags: security
Justification: user security hole

Please see http://bogofilter.sourceforge.net/security/bogofilter-SA-2012-01
for details.

Patch:
http://bogofilter.svn.sourceforge.net/viewvc/bogofilter/trunk/bogofilter/src/iconvert.c?view=patch&r1=6973&r2=6972&pathrev=6973

Please upload an isolated fix to unstable and ask the release managers for
an unblock.

Cheers,
Moritz





Bug#695138: dovecot: CVE-2012-5620

2012-12-04 Thread Moritz Muehlenhoff
On Tue, Dec 04, 2012 at 05:59:37PM +0200, Timo Sirainen wrote:
> Not a security hole. A user can crash his/her own session. As bad as issuing 
> a LOGOUT command. Completely pointless CVE.

Thanks for the clarification, I'll followup on the oss-security mailing
list to get the ID rejected.

Cheers,
Moritz





Bug#692773: unblock: vlc/2.0.4-1

2012-12-04 Thread Moritz Muehlenhoff
On Mon, Nov 26, 2012 at 12:47:51AM +0100, Julien Cristau wrote:
> On Thu, Nov  8, 2012 at 18:44:42 +0100, Benjamin Drung wrote:
> 
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package vlc
> > 
> > The 2.0.4 release is a bug-fix only release of upstream 2.0.x branch.
> > It fixes a lot of bugs, of which only a few were reported against
> > Debian/Ubuntu.
> > The 2.0.4 release adds support for Opus besides the bug fixes. I enabled
> > the sftp access and Opus codec plugin, because Opus is standardized and
> > should be supported out-of-the box.
> > 
> - The diff was so big it never made it to the mailing list.
> - A freeze is not the time to be enabling new features.  Standardized or
>   not.

The isolated security fix can be found here:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=47d4631ac62900484fac206abdfc33a2920b07bf

Cheers,
Moritz





Bug#694999: cityhash: CVE-2012-6051

2012-12-04 Thread Moritz Muehlenhoff
On Mon, Dec 03, 2012 at 12:00:18PM +0100, Alessandro Ghedini wrote:
> forwarded 694999 http://code.google.com/p/cityhash/issues/detail?id=10
> kthxbye
> 
> On Mon, Dec 03, 2012 at 08:22:47AM +0100, Moritz Muehlenhoff wrote:
> > Package: cityhash
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Hi,
> 
> Hi,
> 
> > please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6051
> > 
> > I'm not sure if/when this was fixed upstream, so better contact upstream.
> 
> I opened a ticket upstream but it doesn't appear to be fixed. It's not clear
> if Debian is affected though: the CVE was published 6 days after the 1.1.0
> release which partially reworked the hashing algorithms, but Debian currently
> has only the one-year-old 1.0.3 version (the sid version was reverted to 1.0.3
> yesterday), which may not be affected.
> 
> Though, if 1.0.3 is affected and if 1.1.0 is the fix (or if the fix is based
> on it) I don't think it would be suitable for a wheezy upload, since the
> reworked algorithms are not retrocompatible (see #694916).

Given that there are no rdeps in Wheezy and cityhash hasn't been part of a 
release it would make more sense to start with the reworked 1.1.0 version?
Even if it's late in the freeze.

Cheers,
Moritz





Bug#695192: bind9: CVE-2012-5688

2012-12-05 Thread Moritz Muehlenhoff
Package: bind9
Severity: grave
Tags: security
Justification: user security hole

Please see https://kb.isc.org/article/AA-00828

Stable is not affected. This needs to be fixed through testing-proposed-updates,
since the testing and unstable packages have diverged and won't be updated that
late in the freeze.

Cheers,
Moritz





Bug#695237: unblock: gimp/2.8.2-2

2012-12-05 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock gimp 2.8.2-2. It fixes CVE-2012-5576

Cheers,
Moritz

unblock gimp/2.8.2-2

-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#695248: mesa: CVE-2012-5129

2012-12-05 Thread Moritz Muehlenhoff
Package: mesa
Severity: grave
Tags: security
Justification: user security hole

This issue affects mesa:
http://googlechromereleases.blogspot.de/2012/11/stable-update-for-chrome-os_30.html

Proposed patch:
http://www.mail-archive.com/mesa-dev@lists.freedesktop.org/msg29015.html

I don't see the vulnerable code in Squeeze, so I marked it not-affected in the
Security Tracker.

Cheers,
Moritz





Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat6
Severity: grave
Tags: security
Justification: user security hole

More Tomcat security issues have been disclosed:
http://tomcat.apache.org/security-6.html

The page contains links to the upstream fixes.

BTW, is there a specific reason why both tomcat6 and tomcat7 are present in
Wheezy? This will duplicate all efforts for security updates in Wheezy.

Cheers,
Moritz





Bug#695251: tomcat7: CVE-2012-4431 CVE-2012-4534 CVE-2012-3546

2012-12-05 Thread Moritz Muehlenhoff
Package: tomcat7
Severity: grave
Tags: security
Justification: user security hole

New security issues in Tomcat have been disclosed:
http://tomcat.apache.org/security-7.html

The page contains links to upstream fixes.

Cheers,
Moritz





Bug#695250: tomcat6: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546

2012-12-07 Thread Moritz Muehlenhoff
On Thu, Dec 06, 2012 at 10:23:17PM -0800, tony mancill wrote:
> On 12/05/2012 11:43 PM, Moritz Muehlenhoff wrote:
> > Package: tomcat6
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > More Tomcat security issues have been disclosed:
> > http://tomcat.apache.org/security-6.html
> > 
> > The page contains links to the upstream fixes.
> > 
> > BTW, is there a specific reason why both tomcat6 and tomcat7 are present in
> > Wheezy? This will duplicate all efforts for security updates in Wheezy.
> 
> Hi Moritz,
> 
> I have an updated package that includes the patches for these 3 CVEs and
> am doing some smoke-testing now.  But before I upload, I have a question
> about what is permissible to include in the upload.  I'd like to rename
> the patches that were included in the 6.0.35-5+nmu1 upload so they
> follow the same naming convention as the other patches in the package
> and include the origin patch header.  (As you point out, after all,
> we'll be supporting this package for a long time to come.)  Also, I'd
> like to "quilt refresh" the patches in the package, as they're getting a
> bit fuzzy.  So, no substantive or real packaging changes, but the
> interdiff will be a bit larger.  Is that okay, or should I upload with
> only the new patches for the CVEs applied?

Release managers are busy enough already, so please keep it as minimal
as possible.
 
> Regarding tomcat6 and tomcat7, although they are certainly related, they
> implement different versions of the servlet and JSP specifications [1],
> and there are still a number of organizations running applications
> developed for/tested on tomcat6 in production.  There is a migration
> guide for going from 6.x to 7.x that must be taken into consideration [2].
> 
> But specifically for Debian, there are still a number of packages in
> wheezy that depend explicitly on tomcat6 and/or libservlet2.5-java.
> According to popcon, tomcat6 is about 5x more popular than tomcat7, and
> libservlet2.5 is quite popular indeed [3,4].

Ok, but tomcat6 should be removed for jessie, then.

Cheers,
Moritz





Bug#695789: CVE-2012-2253

2012-12-12 Thread Moritz Muehlenhoff
Package: mahara
Severity: grave
Tags: security

Hi,
CVE-2012-2253 needs to be fixed in Wheezy:

https://mahara.org/interaction/forum/topic.php?id=5076

Cheers,
Moritz





Bug#693112: glusterfs: CVE-2012-4417: Upstream patch available

2012-12-12 Thread Moritz Muehlenhoff
On Thu, Nov 22, 2012 at 10:06:58AM +0100, Patrick Matthäi wrote:
> On 21.11.2012 18:37, Jakob Bohm wrote:
>> control: tags -1 + fixed-upstream + upstream
>>
>> FYI:
>>
>> An upstream patch for this has been available since 2012-10-18 (33
>> days ago).  This was reported in the upstream bugzilla on 2012-11-15
>> (6 days ago).
>
> Yes there is a patch available for 3.3.x in git, but it is not easily
> backportable to 3.2.7.
>
>>
>> You may wish to look at the possibility of fixing this for wheezy, if
>> the patch is not too disruptive.
>
> @John and Louis:
> Could you push the mills, so that this also will be fixed for 3.2.7? I
> just need the diff :_)

What's the status? Is a patch for 3.2 available?

Cheers,
Moritz





Bug#694693: tiff: CVE-2012-5581

2012-12-12 Thread Moritz Muehlenhoff
On Thu, Nov 29, 2012 at 09:46:41AM -0500, Jay Berkenbilt wrote:
> Moritz Muehlenhoff  wrote:
> 
> >
> > Hi Jay,
> > another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
> > The Red Hat bug contains the necessary details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=867235
> 
> Looking at the bugzilla issue, it's not completely clear to me whether
> this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
> for the 3.x versions and the 4.x versions.  I'll see what I can do about
> finding time very soon to address this.  I'm a little concerned about
> Tom Lane's comment about a behavioral change:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6
> 
> I'll look at it a little before blindly taking the diff.

I'm attaching the Ubuntu patch for 12.04 (based on 3.9.5-2)

Cheers,
Moritz
Author: Frank Warmerdam  
Description: * libtiff/tif_dir.c, tif_print.c : Remove FIELD_CUSTOM handling
  for PAGENUMBER, HALFTONEHINTS, and YCBCRSUBSAMPLING.  Implement DOTRANGE
  differently. This is to avoid using special TIFFGetField/TIFFSetField rules
  for these fields in non-image directories (like EXIF).

Back-ported patch from upstream CVS by Huzaifa S. Sidhpurwala of Red Hat
Security Response Team.

https://bugzilla.redhat.com/show_bug.cgi?id=867235
https://bugzilla.redhat.com/attachment.cgi?id=640578

Index: tiff-3.9.5/libtiff/tif_dir.c
===
--- tiff-3.9.5.orig/libtiff/tif_dir.c	2010-07-08 09:17:59.0 -0700
+++ tiff-3.9.5/libtiff/tif_dir.c	2012-11-30 17:36:11.0 -0800
@@ -493,94 +493,90 @@
 		status = 0;
 		goto end;
 		}
+   if (fip->field_tag == TIFFTAG_DOTRANGE 
+   && strcmp(fip->field_name,"DotRange") == 0) {
+   /* TODO: This is an evil exception and should not have been
+  handled this way ... likely best if we move it into
+  the directory structure with an explicit field in 
+  libtiff 4.1 and assign it a FIELD_ value */
+   uint16 v[2];
+   v[0] = (uint16)va_arg(ap, int);
+   v[1] = (uint16)va_arg(ap, int);
+   _TIFFmemcpy(tv->value, &v, 4);
+   }
+
+   else if (fip->field_passcount
+ || fip->field_writecount == TIFF_VARIABLE
+ || fip->field_writecount == TIFF_VARIABLE2
+ || fip->field_writecount == TIFF_SPP
+ || tv->count > 1) {
 
-		if ((fip->field_passcount
-		|| fip->field_writecount == TIFF_VARIABLE
-		|| fip->field_writecount == TIFF_VARIABLE2
-		|| fip->field_writecount == TIFF_SPP
-		|| tv->count > 1)
-		&& fip->field_tag != TIFFTAG_PAGENUMBER
-		&& fip->field_tag != TIFFTAG_HALFTONEHINTS
-		&& fip->field_tag != TIFFTAG_YCBCRSUBSAMPLING
-		&& fip->field_tag != TIFFTAG_DOTRANGE) {
 _TIFFmemcpy(tv->value, va_arg(ap, void *),
 tv->count * tv_size);
 		} else {
-		/*
-		 * XXX: The following loop required to handle
-		 * TIFFTAG_PAGENUMBER, TIFFTAG_HALFTONEHINTS,
-		 * TIFFTAG_YCBCRSUBSAMPLING and TIFFTAG_DOTRANGE tags.
-		 * These tags are actually arrays and should be passed as
-		 * array pointers to TIFFSetField() function, but actually
-		 * passed as a list of separate values. This behaviour
-		 * must be changed in the future!
-		 */
-		int i;
+assert( tv->count == 1 );
 		char *val = (char *)tv->value;
-
-		for (i = 0; i < tv->count; i++, val += tv_size) {
-			switch (fip->field_type) {
-case TIFF_BYTE:
-case TIFF_UNDEFINED:
-{
-	uint8 v = (uint8)va_arg(ap, int);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-case TIFF_SBYTE:
-{
-	int8 v = (int8)va_arg(ap, int);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-case TIFF_SHORT:
-{
-	uint16 v = (uint16)va_arg(ap, int);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-case TIFF_SSHORT:
-{
-	int16 v = (int16)va_arg(ap, int);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-case TIFF_LONG:
-case TIFF_IFD:
-{
-	uint32 v = va_arg(ap, uint32);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-case TIFF_SLONG:
-{
-	int32 v = va_arg(ap, int32);
-	_TIFFmemcpy(val, &v, tv_size);
-}
-break;
-	
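Review bot: the new TIFFTAG_DOTRANGE branch copies a hard-coded 4 bytes into tv->value (`_TIFFmemcpy(tv->value, &v, 4);`) without checking that the buffer was sized for two uint16 values; the allocation of tv->value is outside this hunk, so the branch should at least use `sizeof(v)` and assert `tv->count * tv_size >= sizeof(v)` (or `tv->count == 2`) so the copy can never exceed a smaller allocation. Two smaller points in the else branch: `assert( tv->count == 1 );` now precedes the `char *val = (char *)tv->value;` declaration, which is a declaration after a statement (not valid C89) and, being an assert, disappears under NDEBUG, leaving the `tv->count > 1` condition of the new else-if as the only check in release builds; and the added lines use space indentation where the surrounding code uses tabs. The hunk header announces 94 old/90 new lines but the diff is cut off after the TIFF_SLONG case, so the remainder of the switch removal could not be reviewed here.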

Bug#694808: libv8: CVE-2012-5120 CVE-2012-5128

2012-12-12 Thread Moritz Muehlenhoff
On Fri, Nov 30, 2012 at 03:56:49PM +0100, Moritz Muehlenhoff wrote:
> Package: libv8
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see 
> http://googlechromereleases.blogspot.de/2012/11/stable-channel-release-and-beta-channel.html

What's the status?
 
Cheers,
Moritz





Bug#695192: bind9: CVE-2012-5688

2012-12-12 Thread Moritz Muehlenhoff
On Wed, Dec 05, 2012 at 05:25:36AM -0700, LaMont Jones wrote:
> On Wed, Dec 05, 2012 at 09:31:00AM +0100, Moritz Muehlenhoff wrote:
> > Package: bind9
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > Please see https://kb.isc.org/article/AA-00828
> > Stable is not affected. This needs to be fixed through testing-proposed-updates,
> > since the testing and unstable packages have diverged and won't be updated that
> > late in the freeze.
> 
> I've been holding unstable at 9.8 in the hope that it might make it into
> testing.  ISC has quit supporting 9.8.1, I'd like to as well.
> 
> I'll look into the backport soon, if the security team doesn't beat me to it.

LaMont, can you upload a version targeted at testing-proposed-updates based on
1:9.8.1.dfsg.P1-4.4 ?

Cheers,
Moritz





Bug#695830: nova: CVE-2012-5625

2012-12-12 Thread Moritz Muehlenhoff
Package: nova
Severity: grave
Tags: security
Justification: user security hole

Please see http://seclists.org/oss-sec/2012/q4/435

Cheers,
Moritz





Bug#695832: apt: CVE-2012-0961

2012-12-12 Thread Moritz Muehlenhoff
Package: apt
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-0961:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/975199

Stable is not affected, the logging is done as 0600 there.

Cheers,
Moritz





Bug#695156: Qt QML XmlHttpRequest insecure redirection

2012-12-14 Thread Moritz Muehlenhoff
On Tue, Dec 04, 2012 at 07:04:51PM +0100, Thijs Kinkhorst wrote:
> Package: qt4-x11
> Severity: serious
> Tags: security patch
> 
> Hi,
> 
> A security advisory has been posted by Qt regarding XmlHttpRequest
> insecure redirection:
> http://lists.qt-project.org/pipermail/announce/2012-November/14.html
> A patch is available in their advisory.
> 
> This is CVE-2012-5624.

AFAICS stable is not affected. QT maintainers, please double-check.

Cheers,
Moritz





Bug#695830: [Openstack-devel] Bug#695830: nova: CVE-2012-5625

2012-12-14 Thread Moritz Muehlenhoff
On Thu, Dec 13, 2012 at 04:34:38PM +0800, Thomas Goirand wrote:
> On 12/13/2012 03:37 PM, Moritz Muehlenhoff wrote:
> > Package: nova
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see http://seclists.org/oss-sec/2012/q4/435
> > 
> > Cheers,
> > Moritz
> 
> Hi Moritz,
> 
> Thanks for opening this bug entry! I do appreciate (a lot) your
> commitment to the security in Debian and tracking all issues.
> 
> However, this CVE is present only in Openstack Folsom, as described in
> the Affects: field of this link. Debian Wheezy/SID has Openstack Essex.
> Therefore, Debian isn't affected by this problem, and I'm closing this bug.
> 
> Also, I am receiving security alerts for Openstack directly from the
> release manager (eg: ttx), and most of the time, one week in advance, if
> the bug/security-fix can be embargoed. You can assume I am aware of it
> (though reminding me is a good idea).
> 
> Note that I'm about to upload Folsom in Experimental (it's ready on
> Alioth, I'm only waiting for FTP masters to approve openstack-pkg-tools
> which all packages now build-depends on).

Thanks! I don't use OpenStack and I have no idea what these codenames mean. 

If you're notified of an OpenStack issue in the future, which doesn't affect
the Debian version, please ping me on IRC or send a mail to 
t...@security.debian.org so that we can update the Debian Security Tracker.

Cheers,
Moritz





Bug#696306: freeciv: CVE-2012-5645

2012-12-18 Thread Moritz Muehlenhoff
Package: freeciv
Severity: important
Tags: security

Hi,
please see http://aluigi.altervista.org/adv/freecivet-adv.txt

Bug: http://gna.org/bugs/?20003

Fix: http://svn.gna.org/viewcvs/freeciv?view=revision&revision=21670

Please make an isolated upload with the security fix to unstable and
ask the release managers for an unblock by filing a bug against
release.debian.org

Cheers,
Moritz





Bug#696424: sanlock: CVE-2012-5638

2012-12-20 Thread Moritz Muehlenhoff
Package: sanlock
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5638

Cheers,
Moritz





Bug#689345: unblock: moodle/2.2.3.dfsg-2.3

2012-10-01 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package moodle

It fixes multiple security issues.

unblock moodle/2.2.3.dfsg-2.3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#689344: unblock: gnugk/2:3.0.2-3

2012-10-01 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnugk

It fixes CVE-2012-3534.

unblock gnugk/2:3.0.2-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-02 Thread Moritz Muehlenhoff
Package: opencryptoki
Severity: grave
Tags: security
Justification: user security hole

Please see the thread starting at 
http://www.openwall.com/lists/oss-security/2012/09/07/2
for details.

Cheers,
Moritz





Bug#689422: libxslt: Three security issues

2012-10-02 Thread Moritz Muehlenhoff
Package: libxslt
Severity: grave
Tags: security patch
Justification: user security hole

The chrome developers found three security issues in libxslt:

CVE-2012-2893:
http://googlechromereleases.blogspot.de/2012/09/stable-channel-update_25.html

Patch:
http://git.gnome.org/browse/libxslt/commit/?id=54977ed7966847e305a2008cb18892df26eeb065


CVE-2012-2870:
http://googlechromereleases.blogspot.in/2012/08/stable-channel-update_30.html

Patches:
http://git.gnome.org/browse/libxslt/commit/libxslt/pattern.c?id=8566ab4a10158d195adb5f1f61afe1ee8bfebd12
http://git.gnome.org/browse/libxslt/commit/libxslt/functions.c?id=4da0f7e207f14a03daad4663865c285eb27f93e9
http://git.gnome.org/browse/libxslt/commit/libexslt/functions.c?id=24653072221e76d2f1f06aa71225229b532f8946
http://git.gnome.org/browse/libxslt/commit/?id=1564b30e994602a95863d9716be83612580a2fed


CVE-2012-2871:
http://googlechromereleases.blogspot.in/2012/08/stable-channel-update_30.html

Patch:
http://git.gnome.org/browse/libxslt/commit/?id=937ba2a3eb42d288f53c8adc211bd1122869f0bf


Can you please also prepare packages for stable-security?

Cheers,
Moritz





Bug#689423: eglibc: CVE-2012-4424: stack overflow in strcoll()

2012-10-02 Thread Moritz Muehlenhoff
Package: eglibc
Severity: important
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4424

There's no fix upstream yet: 
http://sourceware.org/bugzilla/show_bug.cgi?id=14547
http://sourceware.org/bugzilla/show_bug.cgi?id=14552

Cheers,
Moritz





Bug#689599: eucalyptus: CVE-2012-4063 CVE-2012-4064 CVE-2012-4065

2012-10-04 Thread Moritz Muehlenhoff
Package: eucalyptus
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.eucalyptus.com/eucalyptus-cloud/security/esa-06
http://www.eucalyptus.com/eucalyptus-cloud/security/esa-05
http://www.eucalyptus.com/eucalyptus-cloud/security/esa-07

Cheers,
Moritz





Bug#685741: unblock: qpid-cpp/0.16-7

2012-10-04 Thread Moritz Muehlenhoff
On Wed, Sep 19, 2012 at 08:45:27AM +0100, Adam D. Barratt wrote:
> On 19.09.2012 08:23, Cajus Pollmeier wrote:
>> On Tuesday, 18 September 2012, 18:54:47, you wrote:
>>> On Mon, Sep 10, 2012 at 02:20:54PM +0200, Mehdi Dogguy wrote:
>>> > Unfortunately, even if we can unblock qpid-cpp/0.16-7 for migration, it
>>> > will be blocked by redhat-cluster which doesn't seem ready (which in
>>> > turn, is also blocked by gfs2-utils). I think the best way forward would
>>> > be to prepare an upload targeting testing-proposed-updates.
>>>
>>> Cajus, can you prepare a testing-proposed-updates upload with the fix
>>> from qpid-cpp/0.16-7?
> [...]
>> hmm - do I need to upload a new version for unstable in this case, too? The
>> docs say something about: the version for testing-proposed-updates needs to be
>> above the one in testing (check) and under the one in unstable (buzzer).
>
> Where's the issue?  There's a multitude of available versions that
> fulfil that criterion - 0.16-6+deb7u1, for instance.

Cajus, what's the status?

Cheers,
Moritz





Bug#689663: RM: gksu-polkit/0.0.3-1

2012-10-04 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Please remove gksu-polkit 0.0.3-1 from testing. No followup for #684489
in 1.5 months, and apparently this was also ignored upstream
(the Debian maintainer is also upstream).

Cheers,
Moritz





Bug#689664: Multiple security issues

2012-10-04 Thread Moritz Muehlenhoff
Package: letodms
Version: 3.3.4+dfsg-1
Severity: grave
Tags: security

3.3.7+dfsg-1 and 3.3.9+dfsg-1 fixed several security issues. These issues
are still unfixed in Wheezy. Either 3.3.9 needs to be accepted into
Wheezy or the security fixes need to be backported to 3.3.4.

Cheers,
Moritz





Bug#689945: ruby1.8: CVE-2012-4481

2012-10-08 Thread Moritz Muehlenhoff
Package: ruby1.8
Severity: grave
Tags: security
Justification: user security hole

Please see http://seclists.org/oss-sec/2012/q4/22 for details.

Cheers,
Moritz





Bug#689972: wireshark: CVE-2012-5237 CVE-2012-5238 CVE-2012-5240

2012-10-08 Thread Moritz Muehlenhoff
Package: wireshark
Severity: grave
Tags: security
Justification: user security hole

Please see
http://www.wireshark.org/security/wnpa-sec-2012-26.html
http://www.wireshark.org/security/wnpa-sec-2012-27.html
http://www.wireshark.org/security/wnpa-sec-2012-29.html

Stable should not be affected, but please double-check.

Since 1.8.3 changes more than just the security fixes, please
cherrypick only the security-related fixes into an upload
targeted at unstable and ask for an unblock.

Cheers,
Moritz





Bug#690073: unblock: gunicorn/0.14.5-3

2012-10-09 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock gunicorn 0.14.5-3

It fixes a security issue (no bug and no CVE yet)

Cheers,
Moritz

unblock gunicorn/0.14.5-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#690074: unblock: wpa/1.0-3

2012-10-09 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock wpa 1.0-3 . It fixes CVE-2012-4445.

I saw on IRC that it's currently held back due to its udeb, but
let's file a bug to keep it on the radar.

Cheers,
Moritz

unblock wpa/1.0-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#690075: unblock: dnsmasq/2.63-4

2012-10-09 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package dnsmasq

It fixes CVE-2012-3411

unblock dnsmasq/2.63-4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#672880: CVE-2012-2132: does not indicate whether or not an SSL certificate is valid

2012-10-09 Thread Moritz Muehlenhoff
reassign 672880 midori
severity 672880 normal
thanks

On Fri, Sep 07, 2012 at 01:47:54PM +0200, Josselin Mouette wrote:
> On Thursday, 6 September 2012 at 18:05 +0200, Moritz Muehlenhoff wrote:
> > On Mon, May 14, 2012 at 03:29:05PM +0300, Henri Salo wrote:
> > > Package: libsoup2.4-1
> > > Version: 2.30.2-1+squeeze1
> > > Severity: important
> > > Tags: security
> > > 
> > > References:
> > > https://bugzilla.novell.com/show_bug.cgi?id=758431
> > > https://bugzilla.redhat.com/show_bug.cgi?id=817692
> > > 
> > > This needs verification. Please ask if you need my help.
> > 
> > What's the status?
> 
> Epiphany in squeeze is not affected.  It displays correctly the validity
> status of a certificate, using the root authority in ca-certificates.
> 
> From the comments in the upstream report, Midori might be affected
> though.

I agree this is rather a bug in Midori than in libsoup. Reassigning.

I'm lowering the severity since Midori isn't covered by security support
anyway (being webkit-based).

Cheers,
Moritz





Bug#688151: fwknop: Multiple security issues

2012-10-09 Thread Moritz Muehlenhoff
On Fri, Sep 21, 2012 at 01:00:18PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Sep 20, 2012 at 08:41:26AM +0200, Franck Joncourt wrote:
> > Hi Luciano,
> >
> > On 19/09/2012 22:40, Luciano Bello wrote:[...]
> >
> >> The new fwknop fixes many security problems:
> >> http://seclists.org/oss-sec/2012/q3/509
> >>
> >> It's fixed in 2.0.3. The link include the patches too.
> >
> > I have upgraded my working copy with the latest 2.0.3 but I was working 
> > on the perl binding, so I did not upload it by now.
> >
> > I am going to upload it to fix these issues.
> 
> Since testing is frozen it's better to apply the isolated security fixes
> in a 2.0.0rc2-2+deb7u1 upload to testing-proposed-updates to ensure these
> are fixed in Wheezy.

Franck, 
this is still unfixed in Debian Wheezy since testing is frozen.
 
Cheers,
Moritz





Bug#688956: dracut: CVE-2012-4453: creates non-world readable initramfs images

2012-10-09 Thread Moritz Muehlenhoff
On Thu, Sep 27, 2012 at 01:41:22PM +0200, Thomas Lange wrote:
> > On Thu, 27 Sep 2012 14:32:46 +0300, Henri Salo  said:
> 
> > I haven't verified Debian packages are affected. If you want me to do
> > it send me an email :)
> That would be great, because currently I'm very busy.

Debian is affected. Please fix this in unstable with an upload with
urgency=medium and request an unblock by filing a bug against release.debian.org

Cheers,
Moritz





Bug#690151: claws-mail: CVE-2012-4507

2012-10-10 Thread Moritz Muehlenhoff
Package: claws-mail
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=862578 for
details and a patch.

Since we're in freeze, please upload a minimal fix to unstable
and request an unblock.

Cheers,
Moritz





Bug#193061: Please provide free game data for LGeneral

2012-10-12 Thread Moritz Muehlenhoff
On Thu, Oct 11, 2012 at 05:07:04PM +0200, Markus Koschany wrote:
> Hi everyone,
> 
> i intend to adopt LGeneral and would like to maintain it as part of the
> Debian Games Team. 

Nice!

> I'm also cc'ing Moritz and Drew because you seemed
> to be interested in LGeneral in the past and to let you know what i've found
> out about the "replacement" files.
>
> It's technically possible to substitute the game data of Panzer General
> with the files provided at lgames.sourceforge.net. That wouldn't create
> the most beautiful game on earth though. Again the main issue is about
> finding the original creators and to obtain a free license from them. At
> the moment these files don't provide any kind of copyright information.
> 
> I've created a wiki page for LGeneral where i collect links to potential
> free game data for LGeneral.
> 
> http://wiki.debian.org/Games/LGeneral
> 
> One of my ideas is to use files from
> http://kukgen.tripod.com/ and create WW1 scenarios provided i can use
> them with a free license. That's work in progress. I also try to
> reintroduce a new version of LGeneral with lgc-pg.
> 
> You can find more information at this thread. 

Sorry, no time for that.
 
> https://lists.debian.org/debian-devel-games/2012/10/msg00035.html

Another option besides reviving lgc-pg is to integrate support for lgeneral into
game-data-packager.

Cheers,
Moritz





Bug#688847: libav: multiple CVEs in ffmpeg/libav

2012-10-15 Thread Moritz Muehlenhoff
On Sun, Oct 14, 2012 at 05:00:54PM -0400, Reinhard Tartler wrote:
> On Wed, Sep 26, 2012 at 4:22 AM, Yves-Alexis Perez  wrote:
> > Source: libav
> > Severity: grave
> > Justification: user security hole
> >
> > Hi,
> >
> > it seems that a huge pile of CVE were allocated for ffmpeg/libav
> 
> short status update:
> 
> Most/all of the CVEs have now been backported upstream. Before
> releasing 0.8.4, I need to review the list to ensure that nothing was
> forgotten. You can help with this by reviewing the list here:
> 
> http://git.libav.org/?p=libav.git;a=shortlog;h=refs/heads/release/0.8

Hi Reinhard,
I double-checked the list and the following CVE IDs fixed in the ffmpeg
0.11 release are not yet present in the 0.8 git branch (some are ffmpeg-specific
I suppose):

CVE-2012-2774, 59a4b73531428d2f420b4dad545172c8483ced0f
CVE-2012-2782, 9a57a37b7041581c10629c8241260a5d7bfbc1e7
CVE-2012-2783, d85b3c4fff4c4b255232fcc01edbd57f19d60998
CVE-2012-2785, 326f7a68bbd429c63fd2f19f4050658982b5b081
   d462949974668ffb013467d12dc4934b9106fe19
CVE-2012-2790, 2837d8dc276760db1821b81df3f794a90bfa56e6
CVE-2012-2791, 0846719dd11ab3f7a7caee13e7af71f71d913389
CVE-2012-2792, d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
CVE-2012-2795, a0abefb0af64a311b15141062c77dd577ba590a3
   2a7063de547b1d8fb1cef523469390fb59fb2c50
   b3a43515827f3d22a881c33b87384f01c86786fd
CVE-2012-2796, 5e59a77cec804a9b44c60ea22c17beba6453ef23
CVE-2012-2797, cca9528524c7a4b91451f4322bd50849af5d057e
CVE-2012-2799, 64bd7f8e4db1742e86c5ed02bd530688b74063e3
CVE-2012-2803, 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
CVE-2012-2804, 4a80ebe491609e04110a1dd540a0ca79d3be3d04

None of these are merged into 0.5.x, has the code diverged so much?

Cheers,
Moritz





Bug#690556: condor: CVE-2012-4462

2012-10-15 Thread Moritz Muehlenhoff
Package: condor
Severity: grave
Tags: security patch
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4462 for
details and a patch.

Cheers,
Moritz





Bug#690670: ruby1.9.1: CVE-2012-4522

2012-10-16 Thread Moritz Muehlenhoff
Package: ruby1.9.1
Severity: grave
Tags: security
Justification: user security hole

Please see 
http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/

The advisory doesn't mention Ruby 1.8, can you please double-check whether it
is affected?

Cheers,
Moritz





Bug#690672: librdmacm: CVE-2012-4516

2012-10-16 Thread Moritz Muehlenhoff
Package: librdmacm
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4516 for
details and a patch.

Cheers,
Moritz





Bug#690675: libsocialweb: CVE-2012-4511

2012-10-16 Thread Moritz Muehlenhoff
Package: libsocialweb
Severity: important
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=863206 for
details.

Cheers,
Moritz





Bug#690672: librdmacm: CVE-2012-4516

2012-10-17 Thread Moritz Muehlenhoff
On Tue, Oct 16, 2012 at 09:47:54AM -0700, Roland Dreier wrote:
> The first vulnerable version in Debian is 1.0.14.  Upstream introduced
> ACM support (where the vulnerability exists) in version 1.0.12, so
> Debian's 1.0.10 is not vulnerable.

Thanks, I'll mark Squeeze as not affected in the Debian Security Tracker.

Cheers,
Moritz 





Bug#690774: openjdk-6: Multiple security issues from October patch update

2012-10-17 Thread Moritz Muehlenhoff
Package: openjdk-6
Severity: grave
Tags: security
Justification: user security hole

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html





Bug#690775: openjdk-7: Multiple security issues from October patch update

2012-10-17 Thread Moritz Muehlenhoff
Package: openjdk-7
Severity: grave
Tags: security
Justification: user security hole 

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html





Bug#690777: virtualbox: CVE-2012-3221

2012-10-17 Thread Moritz Muehlenhoff
Package: virtualbox
Severity: grave
Tags: security
Justification: user security hole

Oracle fixed an unspecified security issue in their latest Patch Update:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

CVE#:                          CVE-2012-3221
Component:                     Oracle VM Virtual Box
Protocol:                      None
Sub-component:                 VirtualBox Core
Remote Exploit without Auth.?: No
CVSS Base Score:               2.1
Access Vector:                 Local
Access Complexity:             Low
Authentication:                None
Confidentiality:               None
Integrity:                     None
Availability:                  Partial+
Supported Versions Affected:   3.2, 4.0, 4.1

Please get in touch with upstream and ask them for a fix.

Cheers,
Moritz





Bug#690778: mysql-5.5: New security issues from October Patch Update

2012-10-17 Thread Moritz Muehlenhoff
Package: mysql-5.5
Severity: grave
Tags: security
Justification: user security hole

Due to the usual lack of transparency we'll again have to update to a new upstream
release in Wheezy and stable...

http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Also, it's amazing how they managed to not fix CVE-2012-4414...

Cheers,
Moritz





Bug#690795: unblock: icedove/10.0.9-1

2012-10-17 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock icedove 10.0.9-1

It fixes multiple security issues

Cheers,
Moritz

unblock icedove/10.0.9-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#690795: unblock: icedove/10.0.9-1

2012-10-18 Thread Moritz Muehlenhoff
On Thu, Oct 18, 2012 at 08:08:11PM +0100, Adam D. Barratt wrote:
> On Thu, 2012-10-18 at 08:38 +0200, Guido Günther wrote:
> > I'm not sure whether there is active _upstream_ security support for
> > lightning but I guess that's not different from some other packages.
> > 
> > One of the reasons to build iceowl-extension from icedove instead of
> > iceowl was to get all the fixes that go into that source tree for free
> > including security ones (which might not be the case for standalone
> > iceowl) and to have in sync versions of those two. So the situation is
> > certainly better than in squeeze. I'm also happy to backport security
> > issues for iceowl-extension (knowledge permitting).
> 
> Thanks for the explanation. I'm happy enough with that as long as Moritz
> is.

Yes, sure.

Cheers,
Moritz





Bug#690774: closing as invalid

2012-10-18 Thread Moritz Muehlenhoff
On Thu, Oct 18, 2012 at 11:50:21AM +0200, Matthias Klose wrote:
> the references point to Oracle products, not OpenJDK. 

If there were proper security references for openjdk I would
post them, but openjdk and Oracle Java obviously have a common code
base. 

> Another helpful report
> from the Debian security team, like keeping long fixed security issues open 
> [1].
> [1] http://security-tracker.debian.org/tracker/source-package/openjdk-6

There's currently a technical problem with the Tracker not updating from
the database.

If you find additional entries that need fixing, follow the procedure listed here:
http://security-tracker.debian.org/tracker/data/report





Bug#690891: RM: xlockmore -- RoQA; buggy, unmaintained, security bugs

2012-10-18 Thread Moritz Muehlenhoff
Package: ftp.debian.org
Severity: normal

Hi,
please remove xlockmore. It's not part of oldstable/stable/testing
and has been RC-buggy since 2008.

Cheers,
Moritz





Bug#690924: mcrypt: CVE-2012-4527

2012-10-18 Thread Moritz Muehlenhoff
Package: mcrypt
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4527

Cheers,
Moritz





Bug#690986: CVE-2012-5363 CVE-2012-5365

2012-10-19 Thread Moritz Muehlenhoff
Package: kfreebsd-8
Severity: important
Tags: security

Two security issues were found in the kfreebsd network stack:

http://www.openwall.com/lists/oss-security/2012/10/10/8

Issue #1 was assigned CVE-2012-5363
Issue #2 was assigned CVE-2012-5365

Cheers,
Moritz





Bug#691145: python-django: CVE-2012-4520

2012-10-21 Thread Moritz Muehlenhoff
Package: python-django
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://www.djangoproject.com/weblog/2012/oct/17/security/

Cheers,
Moritz





Bug#691146: modsecurity-apache: CVE-2012-4528

2012-10-22 Thread Moritz Muehlenhoff
Package: modsecurity-apache
Severity: grave
Tags: security patch
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4528

Cheers,
Moritz





Bug#691184: unblock: cups-pk-helper/0.2.3-2

2012-10-22 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock cups-pk-helper 0.2.3-2

It fixes CVE-2012-4510

cheers,
Moritz

unblock cups-pk-helper/0.2.3-2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#691186: unblock: icecast2/2.3.2-9+deb7u2

2012-10-22 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Ok to upload to t-p-u with the attached debdiff?

This fixes CVE-2011-4612 / #652663

unblock icecast2/2.3.2-9+deb7u2

Cheers,
Moritz
diff -Nru icecast2-2.3.2/debian/changelog icecast2-2.3.2/debian/changelog
--- icecast2-2.3.2/debian/changelog	2012-09-14 00:55:08.0 +0200
+++ icecast2-2.3.2/debian/changelog	2012-10-22 20:40:33.0 +0200
@@ -1,3 +1,9 @@
+icecast2 (2.3.2-9+deb7u2) wheezy; urgency=low
+
+  * CVE-2011-4612 (Closes: #652663)
+
+ -- Moritz Muehlenhoff   Sun, 21 Oct 2012 18:32:47 +0200
+
 icecast2 (2.3.2-9+deb7u1) wheezy; urgency=low
 
   * Team upload.
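Review bot: the changelog entry `+  * CVE-2011-4612 (Closes: #652663)` gives only the identifier; for a t-p-u upload the release team reads the changelog before the debdiff, so say what the change does and which patch carries it, e.g. `* Add 1004_CVE-2011-4612.patch: log request paths through a new %H conversion in the logger (CVE-2011-4612, Closes: #652663)`.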
diff -Nru icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch
--- icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch	1970-01-01 01:00:00.0 +0100
+++ icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch	2012-10-22 20:43:21.0 +0200
@@ -0,0 +1,227 @@
+diff -aur icecast2-2.3.2.orig/src/format_mp3.c icecast2-2.3.2/src/format_mp3.c
+--- icecast2-2.3.2.orig/src/format_mp3.c	2007-10-19 05:02:35.0 +0200
 icecast2-2.3.2/src/format_mp3.c	2012-10-22 20:37:31.0 +0200
+@@ -595,7 +595,7 @@
+ memcpy (meta->data, source_mp3->build_metadata,
+ source_mp3->build_metadata_len);
+ 
+-DEBUG1("shoutcast metadata %.4080s", meta->data+1);
++	DEBUG2("shoutcast metadata %.*s", 4080, meta->data+1);
+ if (strncmp (meta->data+1, "StreamTitle=", 12) == 0)
+ {
+ filter_shoutcast_metadata (source, source_mp3->build_metadata,
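Review bot: the replacement `DEBUG2("shoutcast metadata %.*s", 4080, meta->data+1)` only works if the custom formatter added in log.c parses the `*` precision; the part of `__vsnprintf` visible below stops at a TODO that still lists `%.4080s` as unhandled, so confirm that `%.*s` is implemented there before relying on it, otherwise the extra 4080 argument is consumed by the wrong conversion and the metadata is logged incorrectly. The new line is also indented with a tab while the context lines around it are not.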
+diff -aur icecast2-2.3.2.orig/src/fserve.c icecast2-2.3.2/src/fserve.c
+--- icecast2-2.3.2.orig/src/fserve.c	2008-04-29 06:32:10.0 +0200
 icecast2-2.3.2/src/fserve.c	2012-10-22 20:37:31.0 +0200
+@@ -397,7 +397,7 @@
+ FILE *file;
+ 
+ fullpath = util_get_path_from_normalised_uri (path);
+-INFO2 ("checking for file %s (%s)", path, fullpath);
++INFO2 ("checking for file %H (%H)", path, fullpath);
+ 
+ if (strcmp (util_get_extension (fullpath), "m3u") == 0)
+ m3u_requested = 1;
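Review bot: `%H` is not a standard printf conversion, so changing `INFO2 ("checking for file %s (%s)", path, fullpath)` to `%H (%H)` is only safe if INFO2 and the other log macros hand the format string to the new `__vsnprintf` in log.c and are not declared with a printf format attribute; otherwise -Wformat warns on every call and any fallback to the libc vsnprintf prints the literal `%H` instead of the path. The patch header should state which macros now accept `%H`.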
+@@ -411,7 +411,7 @@
+ /* the m3u can be generated, but send an m3u file if available */
+ if (m3u_requested == 0 && xspf_requested == 0)
+ {
+-WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno));
++WARN2 ("req for file \"%H\" %s", fullpath, strerror (errno));
+ client_send_404 (httpclient, "The file you requested could not be found");
+ free (fullpath);
+ return -1;
+@@ -482,7 +482,7 @@
+ config = config_get_config();
+ if (config->fileserve == 0)
+ {
+-DEBUG1 ("on demand file \"%s\" refused", fullpath);
++DEBUG1 ("on demand file \"%H\" refused", fullpath);
+ client_send_404 (httpclient, "The file you requested could not be found");
+ config_release_config();
+ free (fullpath);
+@@ -493,7 +493,7 @@
+ if (S_ISREG (file_buf.st_mode) == 0)
+ {
+ client_send_404 (httpclient, "The file you requested could not be found");
+-WARN1 ("found requested file but there is no handler for it: %s", fullpath);
++WARN1 ("found requested file but there is no handler for it: %H", fullpath);
+ free (fullpath);
+ return -1;
+ }
+@@ -501,7 +501,7 @@
+ file = fopen (fullpath, "rb");
+ if (file == NULL)
+ {
+-WARN1 ("Problem accessing file \"%s\"", fullpath);
++WARN1 ("Problem accessing file \"%H\"", fullpath);
+ client_send_404 (httpclient, "File not readable");
+ free (fullpath);
+ return -1;
+diff -aur icecast2-2.3.2.orig/src/log/log.c icecast2-2.3.2/src/log/log.c
+--- icecast2-2.3.2.orig/src/log/log.c	2008-01-24 04:10:20.0 +0100
 icecast2-2.3.2/src/log/log.c	2012-10-22 20:37:31.0 +0200
+@@ -420,11 +420,132 @@
+ _unlock_logger ();
+ }
+ 
++static void __vsnprintf(char *str, size_t size, const char *format, va_list ap) {
++int in_block = 0;
++int block_size = 0;
++int block_len;
++const char * arg;
++char buf[80];
++
++for (; *format && size; format++)
++{
++if ( !in_block )
++{
++if ( *format == '%' ) {
++in_block = 1;
++block_size = 0;
++block_len  = 0;
++}
++else
++{
++*(str++) = *format;
++size--;
++}
++}
++else
++{
++// TODO: %l*[sdupi] as well as %.4080s 
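Review bot: the copy loop in `__vsnprintf` writes `*(str++) = *format; size--;` until `size` reaches 0, and the loop condition `*format && size` then exits with no byte reserved for the terminating NUL, so a format longer than `size - 1` characters leaves `str` unterminated unless the remainder of the function (not shown here) handles it; loop while `size > 1` and write `*str = '\0'` after the loop, as vsnprintf does. `block_len` is declared without an initialiser and `buf[80]` is a fixed scratch buffer, so the conversion handling that follows the TODO needs to bound its writes into `buf` and its reads of `arg`.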

Bug#691262: unblock: revelation/0.4.13-1.2

2012-10-23 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock revelation 0.4.13-1.2. It fixes CVE-2012-3818.

Cheers,
Moritz

unblock revelation/0.4.13-1.2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#689003: unblock: bacula/5.2.6+dfsg-5

2012-10-24 Thread Moritz Muehlenhoff
On Wed, Oct 10, 2012 at 12:42:42AM +0400, Alexander Golovko wrote:

> Upstream recommends not using hardening for bacula, so we have 71
> lintian warnings about this fact. In the git master branch these warnings were
> hidden by adding lintian-overrides. This is a cosmetic change and should
> not be present in the next upload intended for wheezy?

Cosmetic changes should be avoided during the freeze, yes.

> What is the best way to prepare the package without the rejected changes?
> Should I upload a new package into sid and reopen the bugs with rejected
> fixes, or should I upload it directly (but how?) into wheezy?

Use 5.2.6+dfsg-2+deb7u1 as the version number and upload as described
here: http://www.debian.org/doc/manuals/developers-reference/pkgs.html#t-p-u

Cheers,
Moritz





Bug#691728: phpmyadmin: CVE-2012-5339 CVE-2012-5368

2012-10-29 Thread Moritz Muehlenhoff
Package: phpmyadmin
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see 
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php

Cheers,
Moritz





Bug#688125: [Pkg-xen-devel] Bug#688125: Bug#688125: Bug#688125: marked as done (xen: CVE-2012-2625)

2012-10-29 Thread Moritz Muehlenhoff
reopen 688125
retitle 688125 CVE-2012-2625 / CVE-2012-4544
thanks

On Sun, Oct 07, 2012 at 06:07:31PM +0200, Bastian Blank wrote:
> On Fri, Sep 21, 2012 at 02:23:13PM +0200, Bastian Blank wrote:
> > The referenced bug marked with CVE-2012-2625 speaks about the pv loader
> > for bzip2 and lzma kernels. This loader is implemented in libxenctrl and
> > the hypervisor for dom0. I see no mitigation in this code against large
> > decompressed files. Plus there is an integer overflow.
> > 
> > 60f09d1ab1fe fixes reading too large files from guest filesystems using
> > pygrub.
> 
> I received no further information. Please reopen _after_ you have figured
> out which one this is and this information has been published in the CVE
> list.

Please see http://lists.xen.org/archives/html/xen-devel/2012-10/msg02015.html
for clarification

Cheers,
Moritz





Bug#691791: unblock: libav/6:0.8.4-1

2012-10-29 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libav. It fixes multiple security issues:

CVE-2012-2772
CVE-2012-2775
CVE-2012-2776
CVE-2012-2777
CVE-2012-2779
CVE-2012-2784
CVE-2012-2786
CVE-2012-2787
CVE-2012-2788
CVE-2012-2789
CVE-2012-2790
CVE-2012-2793
CVE-2012-2794
CVE-2012-2796
CVE-2012-2798
CVE-2012-2800
CVE-2012-2801
CVE-2012-2802

We also used to ship the libav/ffmpeg micro releases in stable-security
for Squeeze.

unblock libav/6:0.8.4-1





Bug#691792: unblock: chromium-browser/22.0.1229.94~r161065-3

2012-10-29 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package chromium-browser

It fixes multiple security issues.

In Wheezy Chromium will be updated by shipping the current upstream
releases in stable-security.

Cheers,
Moritz


unblock chromium-browser/22.0.1229.94~r161065-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#691793: FTBFS on kfreebsd-*

2012-10-29 Thread Moritz Muehlenhoff
Package: ruby1.8
Version: 1.8.7.358-5
Severity: serious

Hi,

ruby1.8 FTBFSes on kfreebsd-*, see
https://buildd.debian.org/status/package.php?p=ruby1.8

Cheers,
Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ruby1.8 depends on:
ii  libc6   2.13-35
ii  libruby1.8  1.8.7.358-4

ruby1.8 recommends no packages.

Versions of packages ruby1.8 suggests:
pn  ri1.8 
pn  ruby1.8-examples  





Bug#691882: unblock: python-django/1.4.2-1

2012-10-30 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,
please unblock python-django 1.4.2-1. It fixes
CVE-2012-4520

Cheers,
Moritz

unblock python-django/1.4.2-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#691881: unblock: icedove/10.0.10-1

2012-10-30 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock icedove 10.0.10-1. It fixes multiple security issues.

unblock icedove/10.0.10-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#659301: problem

2012-10-30 Thread Moritz Muehlenhoff
On Sun, Feb 26, 2012 at 12:43:52PM +0400, Pavel Baranov wrote:
> Package: icedove
> Version: 3.0.11-1+squeeze7
> Severity: normal
> 
> Hello!
> 
> After upgrading the Debian system to version 6.0.4, icedove writes:
> /usr/lib/icedove/icedove-bin: symbol lookup error:
> /usr/lib/icedove/components/libimgicon.so: undefined symbol:
> NS_Get_ServiceManager
> 
> after removing libimgicon.so it writes:
> /usr/lib/icedove/icedove-bin: symbol lookup error:
> /usr/lib/icedove/components/libmailcomps.so: undefined symbol:
> NS_CStringContainerInit
> 
> After removing libimgicon.so and libmailcomps.so it runs.
> 
> I am using Debian 6.0.4, kernel linux-image-2.6.32-5-686,
> icedove-3.0.11-1+squeeze7, icedove-l10n-ru-3.0.10-1

Does this still occur with Squeeze 6.0.6?

Cheers,
Moritz





Bug#691883: Multiple security issues

2012-10-30 Thread Moritz Muehlenhoff
Package: mahara
Severity: grave
Tags: security

Hi,
The following security issues need to be fixed in mahara. Remember
we're in freeze, so please only upload minimal security fixes:

CVE-2012-2247:
https://mahara.org/interaction/forum/topic.php?id=4938
https://bugs.launchpad.net/mahara/+bug/1061980

CVE-2012-2246:
https://mahara.org/interaction/forum/topic.php?id=493
https://bugs.launchpad.net/mahara/+bug/1057240

CVE-2012-2244:
https://mahara.org/interaction/forum/topic.php?id=4936
https://bugs.launchpad.net/mahara/+bug/1057238

CVE-2012-2243
https://mahara.org/interaction/forum/topic.php?id=4937
https://bugs.launchpad.net/mahara/+bug/1055232
https://bugs.launchpad.net/mahara/+bug/1063480

Cheers,
Moritz





Bug#659994: [regression] icedove: symbol lookup error: [...]/libdbusservice.so: undefined symbol: NS_Alloc

2012-10-30 Thread Moritz Muehlenhoff
On Fri, Feb 24, 2012 at 01:55:54PM +0100, Ansgar Burchardt wrote:
> Hi,
>
> Am 21.02.2012 19:46, schrieb Christoph Goehre:
>> On Mi, Feb 15, 2012 at 05:34:45 +0100, Ansgar Burchardt wrote:
>>> since the last security update for icedove, the program does not
>>> start on several computers here.  Instead the following error
>>> message is displayed:
>>>
>>> /usr/lib/icedove/icedove-bin: symbol lookup error:
>>> /usr/lib/icedove/components/libdbusservice.so: undefined symbol:
>>> NS_Alloc
>>
>> I could reproduce it, but I need to move my .icedove profile away. If I
>> downgrade to libc6 version 2.11.2-10, everything is working fine. So
>> here my steps to reproduce:
>>
>> 1) add
>>
>>   deb http://snapshot.debian.org/archive/debian/20111215/ squeeze main
>>
>> to /etc/apt/sources.list and run 'apt-get update'
>>
>> 2) install older libc6
>>
>> apt-get install libc-bin=2.11.2-10 libc-dev-bin=2.11.2-10 libc6=2.11.2-10 
>> libc6-dev=2.11.2-10 libc6-i386=2.11.2-10 locales=2.11.2-10
>>
>> 3) rerun Icedove
>
> Same here: icedove starts with the older version of libc6, but not with  
> version 2.11.3-3.  The same is true when also downgrading icedove to  
> 3.0.11-1+squeeze6 (works with old libc6, not with newer libc6).
>
> I can also upgrade libc6 to 2.11.3-3 and icedove continues working, but  
> if I also change the version of icedove (by either upgrading or  
> downgrading), icedove again refuses to start.  So this seems to be  
> something triggered by running icedove after an update.

Does this still occur with Squeeze 6.0.6?

Cheers,
Moritz





Bug#671483: icedove: crashes on startup with failed assertion

2012-10-30 Thread Moritz Muehlenhoff
On Fri, May 04, 2012 at 02:04:59PM +0100, Tim Chadburn wrote:
> Package: icedove
> Version: 3.0.11-1+squeeze9
> Severity: grave
> Justification: renders package unusable
> 
> I've had icedove working fine for ages, up to and including the last version
> (3.0.11-1+squeeze8), but the latest version (3.0.11-1+squeeze9) breaks it. 
> When
> icedove is started, the icedove window appears for about a second, and then,
> while the status bar at the bottom says "Looking for folders...", Icedove
> crashes with the following terminal output:
> 
> icedove-bin: gconv.c:75: __gconv: Assertion `outbuf != ((void *)0) && *outbuf
> != ((void *)0)' failed.
> /usr/lib/icedove/run-mozilla.sh: line 131:  4455 Aborted
> "$prog" ${1+"$@"}

Does this still occur with Squeeze 6.0.6?

Cheers,
Moritz





Bug#682019: icedove: Please package thunderbird 14. The bug fix list is impressive.

2012-10-30 Thread Moritz Muehlenhoff
severity 682019 wishlist
thanks

On Wed, Jul 18, 2012 at 09:28:37PM +0200, valette wrote:
> Package: icedove
> Version: 11.0-1
> Severity: wishlist
> 
> Thunderbird is now lagging 3 versions behind.

Wheezy will ship icedove based on the ESR 10.x branch to allow keeping
the same security patches for iceweasel, iceape and icedove.

Cheers,
Moritz





Bug#689417: opencryptoki: CVE-2012-4454 CVE-2012-4455

2012-10-30 Thread Moritz Muehlenhoff
On Sun, Oct 21, 2012 at 10:57:38PM +0200, Arthur de Jong wrote:
> On Tue, 2012-10-02 at 14:37 +0200, Moritz Muehlenhoff wrote:
> > Please see the thread starting at
> > http://www.openwall.com/lists/oss-security/2012/09/07/2
> > for details.
> 
> I've had a quick look at this bug to see if it can be fixed in Debian.
> There are four patches referenced in the thread (I haven't verified if
> there are more patches required):
> 
> - 
> http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=b7fcb3eb0319183348f1f4fb90ede4edd6487c30
>   32 files changed, 182 insertions(+), 1166 deletions(-)
>   This change is huge and mainly seems to be equivalent to setting
>   SPINXPL as defined and ensuring SYSVSEM isn't. There are however a few
>   other changes in there which may be due to the removal of the
>   compatibility code.
>   This patch doesn't apply cleanly to 2.3.1 in Debian but I've managed
>   to manually fix it (attached is a version if anyone is interested).
> - 
> http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=58345488c9351d9be9a4be27c8b407c2706a33a9
>   31 files changed, 2975 insertions(+), 280 deletions(-)
>   Lots of changes in the tests but it also seems to contain some
>   cleanups related to the previous change, a change from lock_shm() to
>   XProcLock(), some moving of locks to /var/lock and a few other
>   changes.
> - 
> http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=8a63b3b17d34718d0f8c7525f93b5eb3c623076a
>   23 files changed, 449 insertions(+), 99 deletions(-)
>   Includes a FAQ typo fix and the introduction of a lot of new code.
> - 
> http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=commitdiff;h=5667edb52cd27b7e512f48f823b4bcc6b872ab15
>   1 files changed, 3 insertions(+), 3 deletions(-)
>   Very small change in the Makefile which creates the lock directory.
>   Should not be relevant for Debian because subdirectories of /var/lock
>   should be created on the fly.
> 
> The changes are huge and can probably not be easily backported to
> Debian's 2.3.1. A few other options come to mind:
> - see if upstream can provide patches for 2.3.1
> - see if the necessary fixes can be made some other way
> - upgrade to upstream 2.4.2
> - remove from wheezy
> (the only reverse dependency for opencryptoki seems to be tpm-tools)
> 
> Anyway, I don't think I can do much more for this bug because I'm afraid
> it will take a little more time than I have available at the moment. I
> was having a look and I thought I would just add my notes to the bug log.
> 
> Good luck with this bug! ;)

Removing opencryptoki from Wheezy seems best to me. We shouldn't keep
outdated crypto toolkits without an active maintainer in the archive.

CCing Pierre, the tpm-tools maintainer, to see whether tpm-tools
is usable without opencryptoki or whether he's interested in adopting
it himself.

Cheers,
Moritz





Bug#690672: librdmacm: CVE-2012-4516

2012-10-30 Thread Moritz Muehlenhoff
On Thu, Oct 18, 2012 at 08:14:08PM +0100, Adam D. Barratt wrote:
> On Wed, 2012-10-17 at 13:33 -0700, Roland Dreier wrote:
> > > Whilst this has now been fixed in unstable, it was via the upload of a
> >  > new upstream which adds over 2000 lines of new code (and doesn't even
> >  > directly include the security fix) and with a debhelper compat bump
> >  > thrown in on the packaging side.
> [...]
> > I can easily prepare a 1.0.15-2 package that has just the CVE fix in it
> > relative to what's in wheezy, but is there anywhere I can upload it to
> > so that it gets into wheezy?
> 
> Yes, t-p-u. :-) (i.e. testing-proposed-updates).
> 
> A version of "1.0.15-1+deb7u1" would be more conventional here, in order
> to indicate that the upload was made out of sequence and specifically
> targeted at wheezy rather than unstable. 1.0.15-2 would work, assuming
> it's never been used for any upload to Debian.
> 
> Please prepare the upload, using "wheezy" as the distribution in the
> changelog and attach the debdiff to a release.debian.org unblock bug -
> reportbug will create a correctly usertagged bug - indicating in the
> body of the report that it's intended for t-p-u. We'll check the debdiff
> and assuming everything is okay you can then upload to ftp-master as
> usual.

Roland,
can you please post the debdiff?

Cheers,
Moritz 





Bug#691900: gwt: CVE-2012-4563

2012-10-30 Thread Moritz Muehlenhoff
Package: gwt
Severity: grave
Tags: security
Justification: user security hole

Please see 
https://developers.google.com/web-toolkit/release-notes#Release_Notes_2_4_0
under "Security vulnerability in GWT 2.4".

This was assigned CVE-2012-4563

Cheers,
Moritz





Bug#617409: brasero: Brasero corrupts all blank CD-R when burning

2012-10-31 Thread Moritz Muehlenhoff
On Sat, Oct 20, 2012 at 10:27:54AM +0200, Thomas Schmitt wrote:
> Hi,
> 
> a Brasero flaw was found in the course of Debian bug 688229.
> It would provide an explanation for the problems which are
> described here. Especially it is involved when burning directly
> to optical media and not involved when writing ISO filesystems
> to hard disk.
> 
> The problem was introduced in October 2012 by
>   
> http://git.gnome.org/browse/brasero/commit/?id=1b8397ee252df2d554682ca2d694d5937fbf6e39
> 
> A patch is provided by
>   
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=124;filename=0001-Libburnia-plugin-Fix-while-loop-in-brasero_libisofs_.patch;att=1;bug=688229
> 
> 
> Have a nice day :)

intrigeri, since you could reproduce the problem, could you test whether this
patch fixes the problem for you?

Cheers,
Moritz





Bug#691451: lgeneral: ships non-free files in contrib

2012-10-31 Thread Moritz Muehlenhoff
On Fri, Oct 26, 2012 at 03:15:31PM +0200, Markus Koschany wrote:
> tags 691451 patch
> thanks
> 
> My new package is available at mentors.debian.net
> 
> http://mentors.debian.net/package/lgeneral
> 
> and in Git at
> 
> http://git.debian.org/pkg-games/lgeneral.git
> 
> Please see also bug #690683.

Hi Markus,
I will review and upload your package in the next weeks (I won't have time
before, so if anyone wants to do it earlier, please go ahead).

The changes needed to fix lgeneral are massive and not suitable for inclusion
in Wheezy at this point. Do you agree with removal from Wheezy for now?
Once lgeneral is fixed in sid, we can provide an updated package in
wheezy-backports.

Cheers,
Moritz





Bug#691984: RM: lgeneral/1.1.1-5

2012-10-31 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Please remove lgeneral from testing. A DFSG-clean and up-to-date
version will be provided in unstable and delivered through 
wheezy-backports.

See 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691451#22

Cheers,
Moritz


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash





Bug#687923: bacula: CVE-2012-4430

2012-09-17 Thread Moritz Muehlenhoff
Package: bacula
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2012-4430:
https://secunia.com/advisories/50535/

Upstream fix:
http://www.bacula.org/git/cgit.cgi/bacula/commit/?id=67debcecd3d530c429e817e1d778e79dcd1db905

Cheers,
Moritz





Bug#687924: moodle: Multiple security issues

2012-09-17 Thread Moritz Muehlenhoff
Package: moodle
Severity: grave
Tags: security
Justification: user security hole

Please see http://moodle.org/security/ for details:

MSA-12-0055: Web service access token issue
MSA-12-0054: Course reset permission issue
MSA-12-0053: Blog file access issue
MSA-12-0052: Course topics permission issue
MSA-12-0051: File upload size constraint issue

Cheers,
Moritz





Bug#685741: unblock: qpid-cpp/0.16-7

2012-09-18 Thread Moritz Muehlenhoff
On Mon, Sep 10, 2012 at 02:20:54PM +0200, Mehdi Dogguy wrote:

> Unfortunately, even if we can unblock qpid-cpp/0.16-7 for migration, it  
> will be blocked by redhat-cluster which doesn't seem ready (which in  
> turn, is also blocked by gfs2-utils). I think the best way forward would  
> be to prepare an upload targeting testing-proposed-updates.

Cajus, can you prepare a testing-proposed-updates upload with the fix
from qpid-cpp/0.16-7?

Cheers,
Moritz





Bug#688071: RM: squidclamav/6.4-1

2012-09-18 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

- No reaction to RC security bug #685398 for a month
- Last upload a year ago, not in stable

Cheers,
Moritz





Bug#688123: owncloud: CVE-2012-4753

2012-09-19 Thread Moritz Muehlenhoff
Package: owncloud
Severity: grave
Tags: security
Justification: user security hole

Hi,
CVE-2012-4753 is still unfixed in Wheezy:
http://www.openwall.com/lists/oss-security/2012/09/05/17

It's not clear which CSRF issues were fixed in 4.0.5, so please
contact upstream to identify the specific fixes and introduce
them in another tpu upload.

Cheers,
Moritz





Bug#685397: gimp: CVE-2012-3403

2012-09-19 Thread Moritz Muehlenhoff
On Fri, Sep 14, 2012 at 05:23:42PM +0200, Moritz Muehlenhoff wrote:
> Hi Ari,
> 
> On Mon, Aug 20, 2012 at 03:16:50PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Aug 20, 2012 at 03:04:13PM +0200, Moritz Muehlenhoff wrote:
> > > Package: gimp
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for 
> > > details
> > > and patches.
> > 
> > And another issue:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3481
> 
> While this is fixed in sid, it's still open in Wheezy, since testing is frozen.
> 
> You need to either ask for an unblock (likely not welcome at this point of
> the freeze) or prepare an upload for testing-proposed-updates with the
> security fixes only.

The interdiff between 2.8.0 and 2.8.2 is too big and introduces an ABI change.

Proposed patch for tpu attached.
 
Cheers,
Moritz
diff -Naur gimp-2.8.0.orig/debian/changelog gimp-2.8.0/debian/changelog
--- gimp-2.8.0.orig/debian/changelog	2012-05-13 10:28:49.0 +0200
+++ gimp-2.8.0/debian/changelog	2012-09-19 17:27:25.782920744 +0200
@@ -1,3 +1,10 @@
+gimp (2.8.0-2+deb7u1) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2012-3403 and CVE-2012-3481 (Closes: #685397)
+
+ -- Moritz Mühlenhoff   Wed, 19 Sep 2012 17:25:47 +0200
+
 gimp (2.8.0-2) unstable; urgency=low
 
   [ Jordi Mallach ]
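Review bot: the changelog entry says it fixes both CVE-2012-3403 and CVE-2012-3481, but the only new file visible in this debdiff is debian/patches/02_CVE-2012-3403.patch; neither a patch for CVE-2012-3481 nor the debian/patches/series change that enables the new patches appears here, so please confirm both are part of the upload before the release team reviews it.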
diff -Naur gimp-2.8.0.orig/debian/patches/02_CVE-2012-3403.patch gimp-2.8.0/debian/patches/02_CVE-2012-3403.patch
--- gimp-2.8.0.orig/debian/patches/02_CVE-2012-3403.patch	1970-01-01 01:00:00.0 +0100
+++ gimp-2.8.0/debian/patches/02_CVE-2012-3403.patch	2012-09-19 17:24:54.014913400 +0200
@@ -0,0 +1,459 @@
+diff -Naur gimp-2.8.0.orig/plug-ins/common/file-cel.c gimp-2.8.0/plug-ins/common/file-cel.c
+--- gimp-2.8.0.orig/plug-ins/common/file-cel.c	2012-03-12 20:18:10.0 +0100
 gimp-2.8.0/plug-ins/common/file-cel.c	2012-09-19 17:15:19.878886191 +0200
+@@ -44,8 +44,10 @@
+gint *nreturn_vals,
+GimpParam   **return_vals);
+ 
+-static gint  load_palette   (FILE *fp,
+- gucharpalette[]);
++static gint  load_palette   (const gchar  *file,
++ FILE *fp,
++ gucharpalette[],
++ GError  **error);
+ static gint32load_image (const gchar  *file,
+  const gchar  *brief,
+  GError  **error);
+@@ -55,7 +57,8 @@
+  gint32layer,
+  GError  **error);
+ static void  palette_dialog (const gchar  *title);
+-static gboolean  need_palette   (const gchar  *file);
++static gboolean  need_palette   (const gchar  *file,
++ GError  **error);
+ 
+ 
+ /* Globals... */
+@@ -150,6 +153,7 @@
+   gint32 image;
+   GimpExportReturn   export = GIMP_EXPORT_CANCEL;
+   GError*error  = NULL;
++  gint   needs_palette = 0;
+ 
+   run_mode = param[0].data.d_int32;
+ 
+@@ -187,20 +191,32 @@
+   else if (run_mode == GIMP_RUN_INTERACTIVE)
+ {
+   /* Let user choose KCF palette (cancel ignores) */
+-  if (need_palette (param[1].data.d_string))
+-palette_dialog (_("Load KISS Palette"));
++  needs_palette = need_palette (param[1].data.d_string, &error);
+ 
+-  gimp_set_data (SAVE_PROC, palette_file, data_length);
+-}
++  if (! error)
++{
++  if (needs_palette)
++palette_dialog (_("Load KISS Palette"));
+ 
+-  image = load_image (param[1].data.d_string, param[2].data.d_string,
+-  &error);
++  gimp_set_data (SAVE_PROC, palette_file, data_length);
++}
++}
+ 
+-  if (image != -1)
++  if (! error)
+ {
+-  *nreturn_vals = 2;
+-  values[1].type = GIMP_PDB_IMAGE;
+-  values[1].data.d_image = image;
++  image = load_image (param[1].data.d_string, param[2].data.d_string,
++  &error);
++
++  if (image != -1)
++{
++  *nreturn_vals = 2;
++  values[1].type = GIMP_PDB_IMAGE;
++  values[1].data.d_image = image;
++}
++  else
++{
++  status = GIMP_PDB_EXECUTION_ERROR;
++}
+ }
+   else
+ {
+@@ -263,18 +279,33 @@
+ 
+ /* Peek into the file to determine whether we need a palette */
+ static gboolean
+-need_palette (const gchar *file)
++need_palette (cons
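Review bot: the nested patch's `+++ gimp-2.8.0/plug-ins/common/file-cel.c` header line has lost its leading `+` in this copy, so the debdiff as posted would not apply cleanly; please re-send the debdiff as a proper attachment. On the logic side, the `else` at the end of the `run()` hunk now pairs with the new `if (! error)` guard instead of with `if (image != -1)`, and its body is outside the hunk, so please confirm it still sets `status` to GIMP_PDB_EXECUTION_ERROR for the `need_palette()` failure path (the inner `else` after `load_image()` already does for the load failure). The attachment is also cut off at `need_palette (cons`, so the new bodies of `load_palette()` and `need_palette()`, where the bounds checks for CVE-2012-3403 must live, cannot be reviewed from this copy.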

Bug#688125: xen: CVE-2012-2625

2012-09-19 Thread Moritz Muehlenhoff
Package: xen
Severity: important
Tags: security
Justification: user security hole

Hi,
This issue is still unfixed in Wheezy:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2625

Patch:
http://xenbits.xensource.com/hg/xen-unstable.hg/rev/60f09d1ab1fe

Cheers,
Moritz





Bug#688210: condor: Multiple security issues

2012-09-20 Thread Moritz Muehlenhoff
Package: condor
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493

Cheers,
Moritz





Bug#686867: jruby: CVE-2011-4838

2012-09-20 Thread Moritz Muehlenhoff
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:
> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
> >  It's my mistake to use a static version for the symlink... sorry for the mess.
> >  And a bit of confusion about versioning, so I prepared a fix as below.
> >  If it seems to be okay, I'll upload to unstable.
> 
> Hello Hideki,
> 
> Thank you for the quick response.  The 2nd patch you supplied looks good
> to me.
> 
> Also, I determined that I can build the jruby package successfully
> against the nailgun package in wheezy, which I think might be preferable
> anyway since this is a security bug that is being targeted for wheezy
> (right?).  The dependency on nailgun is a build-dep only, meaning that
> it doesn't appear in the jruby Depends, and jruby is an architecture
> "any" package.
> 
> Moritz, for this bug with respect to wheezy, would you prefer that an
> updated package be uploaded to unstable + an unblock request, or would
> this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works),
so getting this via unstable (urgency=medium) and an unblock request is the
way to go forward.

Cheers,
Moritz





Bug#687485: mysql-5.5: CVE-2012-4414

2012-09-20 Thread Moritz Muehlenhoff
On Wed, Sep 19, 2012 at 07:07:23PM +0100, Nicholas Bamber wrote:
> I am looking at this bug. However the patch involves 45 files. 17 of
> these are test files. From what I have seen so far they do not apply
> cleanly. Presumably they are meant for 5.5.27 rather than 5.5.24. I have
> yet to form a judgement on quite how intractable adapting the patch is
> going to be.

Due to the non-transparent nature of mysql security updates we will need to
follow the 5.5.x releases for stable-security anyway. As such I don't see
a reason not to upload 5.5.27 during the freeze as well.

Cheers,
Moritz





Bug#688210: condor: Multiple security issues

2012-09-21 Thread Moritz Muehlenhoff
On Thu, Sep 20, 2012 at 01:55:52PM -0500, Jaime Frey wrote:
> The commits were made on the V7_6-branch, then merged into the V7_8-branch. 
> We had to manually resolve conflicts during the merge, as the affected code 
> had been modified during the 7.7.x series. Thus, there's no commit that can 
> be cleanly cherry-picked. I can provide patch files that will apply cleanly.
> 
> We should certainly get Condor 7.8.4 into Unstable. It only contains bug 
> fixes. I would prefer it if we could get it into Debian Testing as well, but 
> I thought we were too far into the freeze for that.

During the freeze it's preferred to upload a 7.8.2~dfsg.1-1+deb7u1 version to unstable,
which only contains the isolated security fixes. This version can then be unblocked
by the Debian release managers (by filing a bug against release.debian.org).

Cheers,
Moritz




