Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts

2016-01-04 Thread Paul Gevers
Hi Chris,

On 04-01-16 13:20, Chris Lamb wrote:
>  cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high
>  .
>    * Correct yet another regression in patch for CVE-2015-8369, introduced in
>      0.8.7g-1+squeeze9+deb6u12. Thanks to Marcel Meckel
>      (Closes: #809260, #807599)

Apart from your weird continuation of the squeeze version numbers ;),
thanks a lot for the cacti updates in lts.

Would you mind sharing your fix for CVE-2015-8377 also with the rest of
the world, i.e. add a patch to the cacti bug tracker (be it in bug 2652¹
if it really is the same, or in a new bug if bug 2652 is not the same
and not fixed by your patch)? To be honest, I would have expected you
would have shared your fix somewhere, e.g. also in a regular bug against
cacti such that the (old)stable releases could more easily see/use the
patch.

The patch looks extremely simple. Could you help me by telling how you
tested the patch?

Paul

¹ http://bugs.cacti.net/view.php?id=2652





[SECURITY] [DLA 374-3] cacti regression update

2016-01-04 Thread Chris Lamb

Package: cacti
Version: 0.8.7g-1+squeeze9+deb6u13
CVE ID : CVE-2015-8369
Debian Bug : 807599

It was discovered that there was a regression in the patch intended to fix
CVE-2015-8369 in the recent upload of cacti 0.8.7g-1+squeeze9+deb6u12.

For Debian 6 Squeeze, this issue has been fixed in cacti version
0.8.7g-1+squeeze9+deb6u13.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts

2016-01-04 Thread Chris Lamb
> Apart from your weird continuation of the squeeze version numbers ;),
> thanks a lot for the cacti updates in lts.

Well, once I started for this particular cacti version, I can hardly 
obstinately backtrack :)

> To be honest, I would have expected you would have shared your fix somewhere, 
> e.g. also in a regular bug against cacti such that the (old)stable releases 
> could more easily see/use the patch.

I will happily add it to your bug tracker as requested. I did not proactively
send it upstream as it was simple and based on work that was already being
distributed; I made the assumption that you would either not care or you had
seen exactly what I had done.

Will do so in future though, noted.


Best,

-- 
Chris Lamb
chris-lamb.co.uk / @lolamby



[SECURITY] [DLA 380-1] libvncserver security update

2016-01-04 Thread Mike Gabriel
Package: libvncserver
Version: 0.9.7-2+deb6u2


An issue has been discovered and resolved by the libvncserver upstream
developer Karl Runge addressing thread-safety in libvncserver when
libvncserver is used for handling multiple VNC connections [1].

Unfortunately, it is not trivially feasible (because of ABI breakage) to
backport the related patch to libvncserver 0.9.7 as shipped in Debian
squeeze(-lts).

However, the thread-safety patch discussed resolved a related issue of
memory corruption caused by freeing global variables without nullifying
them when reusing them in another "thread", especially occurring when
libvncserver is used for handling multiple VNC connections.

The described issue has been resolved with this version of libvncserver
and users of VNC are recommended to upgrade to this version of the
package.

[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net



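The failure mode the advisory describes, a global that is freed and then reused for the next connection without the pointer being cleared, as an added C illustration that is not libvncserver's code and uses constructed names: the unsafe teardown beside the hardened one, plus a driver showing that the hardened form frees each allocation exactly once however often teardown is repeated.

```c
#include <stdlib.h>
#include <string.h>
/* Added illustration, not libvncserver code: a process-wide buffer torn down
 * after one connection and set up again for the next, the "freed global
 * reused by another thread" pattern the advisory describes. Names are constructed. */
static char *g_conn_buf = NULL;   /* the shared global resource */
static int g_free_calls = 0;      /* instrumentation: how often free() ran */

/* The pattern the advisory calls out: free but leave the pointer in place, so
 * a second teardown, or the next connection, acts on freed memory. For
 * comparison only; the checks below never call it. */
void conn_teardown_unsafe(void) { free(g_conn_buf); g_free_calls++; }

/* Hardened form: free once, then null the pointer, so a repeated teardown is
 * a no-op and any later use sees NULL instead of a dangling pointer. */
void conn_teardown_safe(void)
{
    if (g_conn_buf != NULL) {
        free(g_conn_buf);
        g_free_calls++;
    }
    g_conn_buf = NULL;
}

/* Prepare the global for a new connection; tearing down first makes this safe
 * whatever state the previous connection left. Returns 0 on success. */
int conn_setup(size_t len)
{
    conn_teardown_safe();
    g_conn_buf = malloc(len);
    if (g_conn_buf == NULL)
        return -1;
    memset(g_conn_buf, 0, len);
    return 0;
}

int conn_is_released(void) { return g_conn_buf == NULL; }

/* Two connections back to back with a double teardown in between. Returns the
 * number of free() calls made: 2, one per allocation, never more. */
int run_two_connections(void)
{
    g_free_calls = 0;
    if (conn_setup(64) != 0) return -1;
    conn_teardown_safe();
    conn_teardown_safe();         /* no-op: not a double free */
    if (conn_setup(128) != 0) return -1;
    conn_teardown_safe();
    return g_free_calls;
}
```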


Re: Accepted linux-2.6 2.6.32-48squeeze18 (all source) into squeeze-lts

2016-01-04 Thread Ben Hutchings
On Mon, 2016-01-04 at 08:32 +0100, Jan Ingvoldstad wrote:
> On 01/02/2016 06:06 PM, Ben Hutchings wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > Format: 1.8
> > Date: Sat, 02 Jan 2016 03:31:10 +
> > Source: linux-2.6
> 
> We're getting a warning about invalid signature for this update:
> 
> BADSIG 8B48AD6246925553
> 
> This occasionally seems to happen shortly after a package has been 
> uploaded, but it's now been two days, and that's a bit unusual.
> 
> We're using http.debian.net as our package source, so I don't know which 
> specific mirror, if it's specific, but it is reproducible.

What tool is showing that error, and which file is it validating -
Release.gpg or the .dsc file?

Which version of debian-archive-keyring is installed on that system?

Ben.

-- 
Ben Hutchings
Lowery's Law:
 If it jams, force it. If it breaks, it needed replacing anyway.



Re: squeeze update of tiff?

2016-01-04 Thread Mike Gabriel

Hi László, hi Ondřej,

On Thu 31 Dec 2015 19:01:33 CET, László Böszörményi (GCS) wrote:

> On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý  wrote:
>> I have a git mirror[1] (git cvsimport) of upstream CVS and right now
>> it's a tad bit confusing which patches are relevant to those CVEs.
>
> I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities
> that don't have an id. However CVE-2015-8668 is not yet fixed by
> upstream as I see.
>
>> I will have more time cherry-picking the patches next week, so if
>> somebody starts the work (even for unstable), I really won't mind. In
>> fact it would be much appreciated.
>
> I'm going to finish my investigations tomorrow even if my employer
> counts on me from 6am. Will do the upload and other fixes can come in
> later as upstream commit those.
>
>> Also feel free to prepare Debian LTS update, I will share relevant
>> patches, but we'll have to prepare security update for jessie and wheezy
>> (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS
>> yourself.
>
> I can do the Wheezy + Jessie updates as well. But I've accepted
> Raphaël's advice not to do LTS security work so I follow Ondřej here:
> you can do the Squeeze LTS update yourself.


I (with my LTS team hat on) just signed up for looking at fixing tiff
in squeeze-lts.

@László: once you finished your research tomorrow, could you send a
short summary with your findings (or even upload a new package version
to unstable)?


Thanks+Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

