Bug#982904: mumble: CVE-2021-27229
Hi Chris,

On Sun, May 02, 2021 at 01:18:58PM +, Chris Knadle wrote:
> Salvatore Bonaccorso:
> > Hi Chris,
> >
> > On Sat, May 01, 2021 at 05:52:04PM +, Chris Knadle wrote:
> > > Salvatore Bonaccorso:
> [...]
> > > Yes I submitted release.debian.org bug #987859 last night and did the upload (and was "accepted"), which I think fits almost all of the criteria in the link above except that I did a "source only" upload rather than upload a built package; hopefully a source-only upload is acceptable here -- if it's not let me know.
> >
> > Yes definitively, in the meantime source-only uploads are possible (and would encourage so) to do as well for stable (buster, and buster-security) uploads.
>
> Last question on this: for non-dsa security uploads, is it better to target "buster" or "buster-security"? In my upload I targeted "buster" but I still have some confusion as to whether buster-security would be "better".

The target distribution would be 'buster' in case of an upload as you prepared it now for the point release and uploading to the main archive. Only when you would upload to the security archive host the target distribution would be buster-security.

Hope this helps!

Regards,
Salvatore
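The stable-update procedure pieced together across this thread (carry the upstream commit over as a patch, a changelog entry that targets "buster" and names the CVE, a source-only build, upload to the main archive where it waits in proposed-updates NEW next to the release.debian.org bug) as one script. This is an added example, not Chris's actual upload and not part of the thread: the +deb10u1 version string, the patch file name, the maintainer in the constructed changelogs and the "ftp-master" dput target are assumptions. The `check_changelog` function at the end runs without Debian tooling and is the pre-upload check a practitioner would want: it rejects an entry that targets the wrong distribution, lacks the buster version suffix, or fails to mention the CVE id the security tracker will look for.

```shell
#!/bin/sh
# Added example (not from the bug thread): backport an upstream fix into a
# buster package as a source-only stable update, then sanity-check the
# changelog before uploading. Assumed values: the +deb10u1 version, the
# patch file name, the dput target "ftp-master" and the sample maintainer.
set -eu

CVE="CVE-2021-27229"
UPSTREAM_COMMIT="e59ee87abe249f345908c7d568f6879d16bfd648"   # commit [2] from the bug report
NEW_VERSION="1.3.0~git20190125.440b173+dfsg-2+deb10u1"       # assumed: buster updates use +deb10uN
TARGET_DIST="buster"   # main-archive upload; only an upload to the security archive uses buster-security

# Not invoked below: needs git, quilt, devscripts and dpkg-dev, plus a
# release.debian.org bug filed with reportbug for the release managers.
prepare_stable_update() {
    upstream_repo="$1"; pkgdir="$2"
    # 1. Export the upstream commit as a quilt patch and register it.
    (cd "$upstream_repo" && git format-patch -1 --stdout "$UPSTREAM_COMMIT") \
        > "$pkgdir/debian/patches/$CVE.patch"
    echo "$CVE.patch" >> "$pkgdir/debian/patches/series"
    cd "$pkgdir"
    quilt push -a
    # 2. Changelog entry targeting buster and naming the CVE id.
    dch -v "$NEW_VERSION" -D "$TARGET_DIST" \
        "Backport upstream fix for $CVE (remote code execution via crafted server-list URL)."
    # 3. Source-only build and upload to the main archive; it lands in
    #    proposed-updates NEW for a stable release manager to review.
    dpkg-buildpackage -S -sa
    dput ftp-master "../mumble_${NEW_VERSION}_source.changes"
}

# Pre-upload check on the first changelog stanza only (later stanzas may
# mention the CVE for other reasons). Returns 0 when the entry is acceptable.
check_changelog() {
    changelog="$1"
    header=$(head -n 1 "$changelog")
    version=$(printf '%s\n' "$header" | sed -n 's/^[^ ]* (\([^)]*\)) .*/\1/p')
    dist=$(printf '%s\n' "$header" | sed -n 's/^[^ ]* ([^)]*) \([^;]*\);.*/\1/p')
    [ "$dist" = "$TARGET_DIST" ] || { echo "bad distribution '$dist': main-archive stable uploads target $TARGET_DIST"; return 1; }
    case "$version" in
        *+deb10u[0-9]*) ;;
        *) echo "version '$version' lacks the buster +deb10uN suffix"; return 1 ;;
    esac
    sed -n '1,/^ -- /p' "$changelog" | grep -q "$CVE" \
        || { echo "changelog entry does not mention $CVE"; return 1; }
    echo "ok: $version -> $dist, mentions $CVE"
}

# Constructed sample changelogs for the demo; not real package history.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium

  * Backport upstream fix for CVE-2021-27229 (remote code execution
    via crafted server-list URL). Closes: #982904

 -- Example Maintainer <maint@example.org>  Sat, 01 May 2021 12:00:00 +0000

mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium

  * Older entry that mentions CVE-2021-27229 only in passing.

 -- Example Maintainer <maint@example.org>  Fri, 25 Jan 2019 12:00:00 +0000
EOF
cat > "$tmp/bad" <<'EOF'
mumble (1.3.0~git20190125.440b173+dfsg-3) unstable; urgency=medium

  * Fix remote code execution via server list URL.

 -- Example Maintainer <maint@example.org>  Sat, 01 May 2021 12:00:00 +0000
EOF

check_changelog "$tmp/good"
check_changelog "$tmp/bad" || echo "rejected as expected"
```

The distribution check is deliberately an equality test against "buster": an entry targeting "buster-security" is rejected here because, as the thread settles, that value is only right when uploading to the security archive host, whereas a point-release update goes to the main archive with "buster".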
Bug#982904: mumble: CVE-2021-27229
Salvatore Bonaccorso:
> Hi Chris,
>
> On Sat, May 01, 2021 at 05:52:04PM +, Chris Knadle wrote:
> > Salvatore Bonaccorso:
> [...]
> > Yes I submitted release.debian.org bug #987859 last night and did the upload (and was "accepted"), which I think fits almost all of the criteria in the link above except that I did a "source only" upload rather than upload a built package; hopefully a source-only upload is acceptable here -- if it's not let me know.
>
> Yes definitively, in the meantime source-only uploads are possible (and would encourage so) to do as well for stable (buster, and buster-security) uploads.

Last question on this: for non-dsa security uploads, is it better to target "buster" or "buster-security"? In my upload I targeted "buster" but I still have some confusion as to whether buster-security would be "better".

Thanks
-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Salvatore Bonaccorso:
> Hi Chris,
>
> On Sat, May 01, 2021 at 05:52:04PM +, Chris Knadle wrote:
> > Salvatore Bonaccorso:
> [...]
> > Yes I submitted release.debian.org bug #987859 last night and did the upload (and was "accepted"), which I think fits almost all of the criteria in the link above except that I did a "source only" upload rather than upload a built package; hopefully a source-only upload is acceptable here -- if it's not let me know.
>
> Yes definitively, in the meantime source-only uploads are possible (and would encourage so) to do as well for stable (buster, and buster-security) uploads.

I hoped as much, I've gotten into the habit of doing source-only uploads for everything ... the one exception I think might still exist is the very *first* upload of a new package (last I knew) requiring to be a built package rather than source-only. I forget at the moment if Debian updated that (like Ubuntu).

-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Hi Chris,

On Sat, May 01, 2021 at 05:52:04PM +, Chris Knadle wrote:
> Salvatore Bonaccorso:
> > Hi Chris,
> >
> > On Fri, Apr 30, 2021 at 08:12:54PM +, Chris Knadle wrote:
> > > Salvatore Bonaccorso:
> [...]
> > > So now re-reading it, it seems the upload should target "buster" and the upload I ship should likely be to the "proposed-updates-new" queue. Probably? Somehow I find the wording a little difficult to be certain in its parsing. If this is correct please let me know.
> >
> > That is correct, and then once it hits the NEW queue, a stable release manager will decide if the upload should be accepted into the proposed-updates section. It should be accompanied with a respective release.debian.org bug report accordingly as mentioned in the above reference. Note there is as well this "improved" workflow: https://lists.debian.org/debian-devel-announce/2019/08/msg0.html .
>
> Yes I submitted release.debian.org bug #987859 last night and did the upload (and was "accepted"), which I think fits almost all of the criteria in the link above except that I did a "source only" upload rather than upload a built package; hopefully a source-only upload is acceptable here -- if it's not let me know.

Yes definitively, in the meantime source-only uploads are possible (and would encourage so) to do as well for stable (buster, and buster-security) uploads.

Regards,
Salvatore
Bug#982904: mumble: CVE-2021-27229
Salvatore Bonaccorso:
> Hi Chris,
>
> On Fri, Apr 30, 2021 at 08:12:54PM +, Chris Knadle wrote:
> > Salvatore Bonaccorso:
> [...]
> > So now re-reading it, it seems the upload should target "buster" and the upload I ship should likely be to the "proposed-updates-new" queue. Probably? Somehow I find the wording a little difficult to be certain in its parsing. If this is correct please let me know.
>
> That is correct, and then once it hits the NEW queue, a stable release manager will decide if the upload should be accepted into the proposed-updates section. It should be accompanied with a respective release.debian.org bug report accordingly as mentioned in the above reference. Note there is as well this "improved" workflow: https://lists.debian.org/debian-devel-announce/2019/08/msg0.html .

Yes I submitted release.debian.org bug #987859 last night and did the upload (and was "accepted"), which I think fits almost all of the criteria in the link above except that I did a "source only" upload rather than upload a built package; hopefully a source-only upload is acceptable here -- if it's not let me know.

Thanks
-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Hi Chris,

On Fri, Apr 30, 2021 at 09:09:10PM +, Chris Knadle wrote:
> Note: for the three messages recently sent (Benedikt, Salvatore, Chris/me) that have recently been sent, none went to #982904 because the bug had been archived. I've unarchived the bug since fixing it for Buster is still pending.

Ah right, thanks for spotting this and unarchiving the bug again.

Regards,
Salvatore
Bug#982904: mumble: CVE-2021-27229
Hi Chris,

On Fri, Apr 30, 2021 at 08:12:54PM +, Chris Knadle wrote:
> Salvatore Bonaccorso:
> > Hi Benedikt,
> >
> > On Thu, Apr 29, 2021 at 10:48:56AM +0200, Benedikt Tuchen wrote:
> > > Hello
> > >
> > > Is this bug still observed?
> > >
> > > We would be very happy to see this problem solved for Buster as well.
> >
> > That would be great. From a security team perspective this is marked as no-dsa, this means we think that it will not warrant a dedicated DSA, but fixing the issue in buster would be possible via one of the upcoming point releases.
>
> I also want to fix this but got lost in the documentation when I was last doing the work. When I read the documentation in the Debian Developer's Reference about how to do an upload to Stable, it wasn't immediately clear to me which release to target and which upload queue to send the package to.
>
> https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#upload-stable
>
> So now re-reading it, it seems the upload should target "buster" and the upload I ship should likely be to the "proposed-updates-new" queue. Probably? Somehow I find the wording a little difficult to be certain in its parsing. If this is correct please let me know.

That is correct, and then once it hits the NEW queue, a stable release manager will decide if the upload should be accepted into the proposed-updates section. It should be accompanied with a respective release.debian.org bug report accordingly as mentioned in the above reference. Note there is as well this "improved" workflow: https://lists.debian.org/debian-devel-announce/2019/08/msg0.html .

Regards,
Salvatore
Bug#982904: mumble: CVE-2021-27229
Note: for the three messages recently sent (Benedikt, Salvatore, Chris/me) that have recently been sent, none went to #982904 because the bug had been archived. I've unarchived the bug since fixing it for Buster is still pending.

-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Salvatore Bonaccorso:
> Hi
>
> [Adding CC to security-team alias]
>
> On Mon, Mar 01, 2021 at 08:31:54AM +, Chris Knadle wrote:
> > Salvatore Bonaccorso:
> > > Source: mumble
> > > Version: 1.3.3-1
> > > Severity: grave
> > > Tags: security upstream
> > > Justification: user security hole
> > > Forwarded: https://github.com/mumble-voip/mumble/pull/4733
> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for mumble.
> > >
> > > CVE-2021-27229[0]:
> > > | Mumble before 1.3.4 allows remote code execution if a victim navigates
> > > | to a crafted URL on a server list and clicks on the Open Webpage text.
> > >
> > > If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2021-27229
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
> > > [1] https://github.com/mumble-voip/mumble/pull/4733
> > > [2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
> > >
> > > Please adjust the affected versions in the BTS as needed.
> >
> > I've reviewed the upstream git repo; there are 2 patches that are security related -- the other is for an OCB2 XEXStarAttack on encryption, both of which comprise the majority of the bugfix release of mumble 1.3.4. It seems to me that the best way to proceed is to upload mumble 1.3.4 as the other changes are incidental, and I hope that this will be acceptable during the soft freeze.
>
> Yes, a new upstream version might still be possible in the soft-freeze, so if that's the most sensible solution then I would go for that.
>
> https://release.debian.org/bullseye/freeze_policy.html
>
> For buster btw we marked it no-dsa, so if you can schedule a fix via a point release this would be great.

Yep, I'm working on this for fixing CVE-2021-27229 for Buster. It looks like the commit ([2], above) can apply as a patch for 1.3.0~git20190125.440b173+dfsg-2 so this looks straightforward as far as I can tell.

-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Hi

[Adding CC to security-team alias]

On Mon, Mar 01, 2021 at 08:31:54AM +, Chris Knadle wrote:
> Salvatore Bonaccorso:
> > Source: mumble
> > Version: 1.3.3-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/mumble-voip/mumble/pull/4733
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> > Hi,
> >
> > The following vulnerability was published for mumble.
> >
> > CVE-2021-27229[0]:
> > | Mumble before 1.3.4 allows remote code execution if a victim navigates
> > | to a crafted URL on a server list and clicks on the Open Webpage text.
> >
> > If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2021-27229
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
> > [1] https://github.com/mumble-voip/mumble/pull/4733
> > [2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
> >
> > Please adjust the affected versions in the BTS as needed.
>
> I've reviewed the upstream git repo; there are 2 patches that are security related -- the other is for an OCB2 XEXStarAttack on encryption, both of which comprise the majority of the bugfix release of mumble 1.3.4. It seems to me that the best way to proceed is to upload mumble 1.3.4 as the other changes are incidental, and I hope that this will be acceptable during the soft freeze.

Yes, a new upstream version might still be possible in the soft-freeze, so if that's the most sensible solution then I would go for that.

https://release.debian.org/bullseye/freeze_policy.html

For buster btw we marked it no-dsa, so if you can schedule a fix via a point release this would be great.

Regards,
Salvatore
Bug#982904: mumble: CVE-2021-27229
Salvatore Bonaccorso:
> Source: mumble
> Version: 1.3.3-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/mumble-voip/mumble/pull/4733
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Hi,
>
> The following vulnerability was published for mumble.
>
> CVE-2021-27229[0]:
> | Mumble before 1.3.4 allows remote code execution if a victim navigates
> | to a crafted URL on a server list and clicks on the Open Webpage text.
>
> If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-27229
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
> [1] https://github.com/mumble-voip/mumble/pull/4733
> [2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
>
> Please adjust the affected versions in the BTS as needed.

I've reviewed the upstream git repo; there are 2 patches that are security related -- the other is for an OCB2 XEXStarAttack on encryption, both of which comprise the majority of the bugfix release of mumble 1.3.4. It seems to me that the best way to proceed is to upload mumble 1.3.4 as the other changes are incidental, and I hope that this will be acceptable during the soft freeze.

-- Chris

--
Chris Knadle
chris.kna...@coredump.us
Bug#982904: mumble: CVE-2021-27229
Source: mumble
Version: 1.3.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/mumble-voip/mumble/pull/4733
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for mumble.

CVE-2021-27229[0]:
| Mumble before 1.3.4 allows remote code execution if a victim navigates
| to a crafted URL on a server list and clicks on the Open Webpage text.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
[1] https://github.com/mumble-voip/mumble/pull/4733
[2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore