Re: Long term improvement to Debian's security and LTS

2015-10-31 Thread Raphael Hertzog
Hi,

On Fri, 30 Oct 2015, Guido Günther wrote:
> Should we apply the attached patch to templates/lts-update-planned.txt
> then?

Yes, we should.

> Salvatore suggested to move to a newer version of nss in all suites (and
> keeping it that way). This plus adding some autopkgtests would be
> something I'd be happy to work on since backporting nss patches is a
> major effort at the moment given the version skew.

Given that Red Hat did that, I think it would make sense for us to
investigate it too, yes.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



[SECURITY] [DLA 338-1] xscreensaver security update

2015-10-31 Thread Chris Lamb

Package: xscreensaver
Version: 5.11-1+deb6u11
CVE ID : CVE-2015-8025
Debian Bug : 802914

xscreensaver, a screensaver daemon and frontend for X11, was vulnerable
to crashing when hot-swapping monitors.

For Debian 6 Squeeze, this issue has been fixed in xscreensaver version
5.11-1+deb6u11.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-






Accepted xscreensaver 5.11-1+deb6u11 (source amd64) into squeeze-lts

2015-10-31 Thread Chris Lamb

Format: 1.8
Date: Sat, 31 Oct 2015 19:28:04 +
Source: xscreensaver
Binary: xscreensaver xscreensaver-data xscreensaver-data-extra xscreensaver-gl xscreensaver-gl-extra xscreensaver-screensaver-webcollage xscreensaver-screensaver-bsod
Architecture: source amd64
Version: 5.11-1+deb6u11
Distribution: squeeze-lts
Urgency: high
Maintainer: Jose Luis Rivas 
Changed-By: Chris Lamb 
Description: 
 xscreensaver - Automatic screensaver for X
 xscreensaver-data - data files to be shared among screensaver frontends
 xscreensaver-data-extra - data files to be shared among screensaver frontends
 xscreensaver-gl - GL(Mesa) screen hacks for xscreensaver
 xscreensaver-gl-extra - GL(Mesa) screen hacks for xscreensaver
 xscreensaver-screensaver-bsod - BSOD hack from XScreenSaver
 xscreensaver-screensaver-webcollage - Webcollage hack from XScreenSaver
Closes: 802914
Changes: 
 xscreensaver (5.11-1+deb6u11) squeeze-lts; urgency=high
 .
   * CVE-2015-8025: Fix crash when hot-swapping monitors while locked.
     (Closes: #802914)




Re: data/CVE/list color

2015-10-31 Thread Guido Günther
Hi,
On Sat, Aug 15, 2015 at 12:17:44PM +0200, Moritz Mühlenhoff wrote:
> On Wed, Aug 12, 2015 at 06:23:25PM +0200, Guido Günther wrote:
> > Hi,
> > I wanted some color in debian/CVE/list so I hacked up some very simple 
> > highlighting
> > for emacs:
> > 
> > 
> > https://git.sigxcpu.org/cgit/emacs-tools/commit/?id=200d437c93536d911da85e080188fc68a5221122
> > 
> > I do wonder if there is something else around already and I just did not
> > spot it?
> 
> I'm adding debian-security-tracker@ldo to CC, since not everyone reads 
> debian-lts.
> 
> Nice! I had toyed around with a minor mode for emacs some years ago (to easily
> create NOT-FOR-US entries, but never actually started to use it since I ran into
> some underdocumented elisp areas.. I'll check where I put that code and will
> try to integrate that again.
> 
> > If not, should we add this to the secure-testing repo?
> 
> Please do. Maybe we can merge it into debian-el at a later point.

For what it's worth I've also added some basic indentation:

https://git.sigxcpu.org/cgit/emacs-tools/commit/?id=4796b34454d6b3b29a479ef073328b70a0c0568b

so that hitting tab indents CVE-* to column 0 and everything to column 8.

I'm not much of an emacs hacker so improvements are certainly
welcome. I'll add this to conf/cvelist.el as well if there are no
objections.

Cheers,
 -- Guido



Re: Long term improvement to Debian's security and LTS

2015-10-31 Thread Raphael Hertzog
On Fri, 30 Oct 2015, Moritz Muehlenhoff wrote:
> > > - improving the security infrastructure
> 
> That has certainly the best net positive from my point of view.

From my point of view too. But I'm not sure I would put the same
emphasis as you on dak related work.

I would possibly suggest to work on the security tracker:
- have stats about security updates on all packages so that we can
  easily identify which packages should be targeted in any pro-active
  security work
- have stats on the delay between issues appearing in our radar and having
  the issue fixed
- have stats on the number of open issues in each Debian release
- https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=security-tracker;dist=unstable

The general workflow of the security teams can possibly be improved with
better tools.

Also when Holger worked on the security tracker, he mentioned more than once
that it would possibly benefit from a clean rewrite.

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796095 and
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796784 are bugs
> which would make our lives easier.
> 
> Also the orig tarball handling is quite a nuisance (no bug for
> that, but outlined here:
> https://wiki.debian.org/DebianSecurity/AdvisoryCreation/dak-bugs
> 
> I'm not sure whether that can be sped up by submitting patches
> from the LTS team or rather be reaching out whether FTP masters
> can work on that on a paid basis.

I don't know. I just fear that this could cause issues within the
ftpmasters team if someone of the team gets paid to work on dak.

On the other hand, Thorsten Alteholz is ftp assistant and is a member of
the paid LTS contributors.

> > > - adding DEP-8 tests to packages with regular security updates
> 
> Or rather have the proper infrastructure integrated into the
> security workflow so that the tests are automatically executed
> and test results are sent around (compared to the previous status).

That would be nice but that kind of infrastructure gets interesting
when you have DEP-8 tests so I think it makes sense to contribute
some DEP-8 test suite to some packages with regular security updates.

Also this is not going to be easy:
- the test infrastructure needs to have access to unreleased packages
  waiting in the security queue (possibly the embargoed one)
- we decided that the LTS team would not use any "queue" in front of the
  repository, so that would be problematic to filter packages with failing
  tests...

Thus I wonder if it doesn't make sense to have such a service working as
an external gateway: you upload the package to the test service, the
package gets tested and if it's OK it's uploaded to the target repository,
otherwise it's withheld.

> > > - work on security features targeting stretch packages
> 
> That's all fairly well covered since people rather like to work
> on new things rather than maintaining the old. E.g. rootless x
> is already implemented in stretch. There are some worthwhile tasks
> in terms of upstream work, but that's not in the scope of some
> unused LTS hours.

While I mostly agree with this, there are things which are not
very well covered: we lack good apparmor profiles for many
(server) applications for example.

> > > - work on stretch to make sure it can be supported over 5 years
> > >   (trying to identify packages which are too old/unsupported)
> 
> That's also more or less covered I think. Release team is usually
> very supportive to these kinds of request. Most of the problems
> we have are mindset problems at various upstreams.

When I wrote this, I thought in particular of many Java packages
which have new upstream versions which are supported but where we keep
around old versions for various reasons (including because they are
build-depends of other packages).

Filing bugs requesting new upstream versions and having at least a
documented trace of why we lag behind on such packages would be useful.

In the end, introducing a way for each maintainer to document how long
upstream supports each version would be useful. This could be a new
feature of the package tracker.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/