Re: Analysis of issue for phpmyadmin and request for comment on XSS issues
On Sun, 2016-06-26 at 23:47 +0200, Ola Lundqvist wrote:
> Hi LTS team
>
> I have done some analysis of the issues for phpmyadmin.
>
> It would be good to know what your opinion about XSS issues for admin
> software like phpmyadmin is. I do not see how that can be very important. I
> mean you know the URL and do not really use external links for accessing it.
> Or does anyone have another opinion?
[...]

So long as Javascript is enabled, there are many ways for a rogue site to
generate HTTP requests to another site, and to obscure where a link really
leads. Not many DBAs are going to turn Javascript off *and* check every link
target before following it.

However, I think XSS issues are generally treated as not meriting a DSA/DLA
by themselves.

Ben.

-- 
Ben Hutchings
Humour is the best antidote to reality.
Accepted java-common 0.47+deb7u2 (source all amd64) into oldstable
Format: 1.8
Date: Sun, 26 Jun 2016 20:40:32 +0200
Source: java-common
Binary: java-common default-jre default-jre-headless default-jdk default-jdk-doc gcj-native-helper
Architecture: source all amd64
Version: 0.47+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Mailing List
Changed-By: Markus Koschany
Description:
 default-jdk - Standard Java or Java compatible Development Kit
 default-jdk-doc - Standard Java or Java compatible Development Kit (documentation)
 default-jre - Standard Java or Java compatible Runtime
 default-jre-headless - Standard Java or Java compatible Runtime (headless)
 gcj-native-helper - Standard helper tools for creating gcj native packages
 java-common - Base of all Java packages
Changes:
 java-common (0.47+deb7u2) wheezy-security; urgency=high
 .
   * Team upload.
   * Switch default Java environment from OpenJDK 6 to OpenJDK 7 in Wheezy LTS.
Accepted tomcat7 7.0.28-4+deb7u5 (source all) into oldstable
Format: 1.8
Date: Sun, 26 Jun 2016 19:23:57 +0200
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.28-4+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Changes:
 tomcat7 (7.0.28-4+deb7u5) wheezy-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2016-3092.
     A denial of service vulnerability was identified in Commons FileUpload
     that occurred when the length of the multipart boundary was just below
     the size of the buffer (4096 bytes) used to read the uploaded file. This
     caused the file upload process to take several orders of magnitude longer
     than if the boundary was the typical tens of bytes long. Tomcat's
     internal fork of Commons File Upload is also affected.
Accepted libcommons-fileupload-java 1.2.2-1+deb7u3 (source all) into oldstable
Format: 1.8
Date: Sun, 26 Jun 2016 17:41:55 +0200
Source: libcommons-fileupload-java
Binary: libcommons-fileupload-java libcommons-fileupload-java-doc
Architecture: source all
Version: 1.2.2-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libcommons-fileupload-java - File upload capability to your servlets and web applications
 libcommons-fileupload-java-doc - Javadoc API documentation for Commons FileUploads
Changes:
 libcommons-fileupload-java (1.2.2-1+deb7u3) wheezy-security; urgency=high
 .
   * Team upload
   * Fix CVE-2016-3092:
     A denial of service vulnerability was identified in Commons FileUpload
     that occurred when the length of the multipart boundary was just below
     the size of the buffer (4096 bytes) used to read the uploaded file. This
     caused the file upload process to take several orders of magnitude longer
     than if the boundary was the typical tens of bytes long.
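A defensive check for the input class behind CVE-2016-3092, as described in the tomcat7 and libcommons-fileupload-java changelogs above. This is an added example and not Debian's, Tomcat's or Commons FileUpload's code: a servlet filter that rejects multipart requests whose boundary parameter is empty or longer than the 70 characters RFC 2046 allows, before any upload parser reads the body, so a boundary of nearly 4096 bytes never reaches the read buffer. It assumes the Servlet 3.0 API (the libservlet3.0-java package in these uploads); the class name MultipartBoundaryFilter and the decision to enforce the RFC limit are this example's own choices, not part of the Debian fix.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Tomcat or Commons FileUpload): refuses
 * multipart requests whose boundary is outside the RFC 2046 length range
 * before any upload parser has to scan the body with it.
 */
public class MultipartBoundaryFilter implements Filter {
    /** RFC 2046 section 5.1.1: a boundary is 1 to 70 characters long. */
    static final int MAX_BOUNDARY_LENGTH = 70;

    /**
     * Returns the boundary parameter of a Content-Type value, or null when
     * the request is not multipart or carries no boundary. Handles both the
     * quoted (boundary="...") and the unquoted form.
     */
    static String extractBoundary(String contentType) {
        if (contentType == null) return null;
        if (!contentType.toLowerCase(Locale.ROOT).startsWith("multipart/")) return null;
        for (String param : contentType.split(";")) {
            String p = param.trim();
            if (p.toLowerCase(Locale.ROOT).startsWith("boundary=")) {
                String value = p.substring("boundary=".length()).trim();
                if (value.length() >= 2 && value.startsWith("\"") && value.endsWith("\"")) {
                    value = value.substring(1, value.length() - 1);
                }
                return value;
            }
        }
        return null;
    }

    /** True when the request is not multipart, or is multipart with a sane boundary. */
    static boolean boundaryIsSane(String contentType) {
        String boundary = extractBoundary(contentType);
        if (boundary == null) return true;   // nothing multipart to check here
        return !boundary.isEmpty() && boundary.length() <= MAX_BOUNDARY_LENGTH;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            String contentType = ((HttpServletRequest) req).getContentType();
            if (!boundaryIsSane(contentType)) {
                // Reject before the body is handed to any multipart parser.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "multipart boundary missing or too long");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Register it in web.xml ahead of the upload servlets; it complements the updated packages rather than replacing them, since the fixed library still has to cope with boundaries the filter does not see.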
Re: claiming tiff
On 26/06/16 16:10, Bálint Réczey wrote:
> Added that information in dla-needed.txt.

Thanks. I added links to each CVE in data/CVE/list but forgot to add a note to
dla-needed.

> In that case I don't claim them yet. Let's see how upstream responds.

OK.

Cheers,
Emilio
Re: claiming tiff
Hi Emilio,

2016-06-26 9:58 GMT+02:00 Emilio Pozuelo Monfort:
> On 26/06/16 02:19, Bálint Réczey wrote:
>> Hi,
>>
>> There are newly discovered vulnerabilities in tiff [1].
>>
>> If no one objects I plan looking into them and working with the
>> maintainer(s) to get them fixed in Wheezy LTS and in newer
>> releases.
>
> I looked at this yesterday. These CVEs aren't fixed upstream yet. I forwarded
> all the new CVEs (and some old ones) to upstream yesterday, so hopefully that
> will change.

Added that information in dla-needed.txt.

In that case I don't claim them yet. Let's see how upstream responds.

Thanks!

Cheers,
Balint
Re: cacti LTS
Hi Emilio

[By the way, I read debian-lts, so no need to mail me directly, dropped your
To: as well].

On 26-06-16 10:40, Emilio Pozuelo Monfort wrote:
>> I believe CVE-2016-2313 should be included in this fix.
>
> Certainly! I have backported the fix and included in this new debdiff.

Looks good to me (but I haven't tested).

> Unfortunately I'm not sure how to trigger the bug.

For one thing, you have to change the authentication scheme (maybe remove the
template, not sure if one is included by default), and log into cacti with a
valid http user (but non-existing cacti user).

> Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
> be useful to do some basic testing after an update.

It was for the last point that I mentioned it. As cacti before the current
stretch package didn't run out-of-the-box, it would require additional logic to
even work on a CI framework (such as making sure that the admin password is the
same as the cacti/www-data password and actually configuring the cacti pages).
But if cacti works on your VM, it should be simple to run the test (usually
takes several minutes though).

My intention is to add tests for all the CVEs that I fix as well, but as you
can see in the test, I wasn't successful with CVE-2016-3659; however, a check
for CVE-2016-3172 is in.

Paul
Re: testing php5 for Wheezy LTS
Hi,

I installed some packages [1] and smoke tested with owncloud, no problems so
far. I used the webclient, davdroid on android and a windows owncloud client
to test.

HTH
Stefan

[1]
libapache2-mod-php5_5.4.45-0+deb7u4_i386.deb
php-pear_5.4.45-0+deb7u4_all.deb
php5_5.4.45-0+deb7u4_all.deb
php5-cgi_5.4.45-0+deb7u4_i386.deb
php5-cli_5.4.45-0+deb7u4_i386.deb
php5-common_5.4.45-0+deb7u4_i386.deb
php5-curl_5.4.45-0+deb7u4_i386.deb
php5-gd_5.4.45-0+deb7u4_i386.deb
php5-intl_5.4.45-0+deb7u4_i386.deb
php5-ldap_5.4.45-0+deb7u4_i386.deb
php5-mcrypt_5.4.45-0+deb7u4_i386.deb
php5-mysql_5.4.45-0+deb7u4_i386.deb
php5-pgsql_5.4.45-0+deb7u4_i386.deb
php5-sqlite_5.4.45-0+deb7u4_i386.deb

On Sat, Jun 25, 2016 at 03:49:13PM +0200, Thorsten Alteholz wrote:
> Hi,
>
> it is this time of the month again, so I uploaded version
> 5.4.45-0+deb7u4 of php5 to:
> https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/
> https://people.debian.org/~alteholz/packages/wheezy-lts/php5/i386/
>
> Please give it a try and tell me about any problems you met.
>
> Thanks!
>  Thorsten
>
>
> * CVE-2016-5093.patch
>   Absence of null character causes unexpected zend_string length and
>   leaks heap memory. The test script uses locale_get_primary_language
>   to reach get_icu_value_internal but there are some other functions
>   that also trigger this issue:
>   locale_canonicalize, locale_filter_matches,
>   locale_lookup, locale_parse
> * CVE-2016-5094.patch
>   don't create strings with lengths outside int range
> * CVE-2016-5095.patch
>   similar to CVE-2016-5094
>   don't create strings with lengths outside int range
> * CVE-2016-5096.patch
>   int/size_t confusion in fread
> * CVE-TEMP-bug-70661.patch
>   bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
> * CVE-TEMP-bug-70728.patch
>   bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
> * CVE-TEMP-bug-70741.patch
>   bug70741: Session WDDX Packet Deserialization Type Confusion
>   Vulnerability
> * CVE-TEMP-bug-70480-raw.patch
>   bug70480: php_url_parse_ex() buffer overflow read
>
> -- 
> BOFH excuse #382: Someone was smoking in the computer room and set off the halon systems.
Re: cacti LTS
On 26/06/16 09:23, Paul Gevers wrote:
> Hi Emilio
>
> On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>>> Just in case somebody starts working on it, I'd like to review proposed
>>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>>> in Debian and a check if the fix by a contributor in the upstream bug
>>> report is causing other damage. The third CVE has a trivial patch.
>>
>> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
>> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
>> know if we are vulnerable or not, maybe we are and the attack needs some
>> changes. In any case, I think the fix is very safe, sanitizing parenthesis,
>> so I think we can just ship it. What do you think? Please see the attached
>> debdiff.
>
> The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
> apply.
>
> The issue with CVE-2016-2313 has been resolved upstream, the
> sledgehammer has been replaced by an appropriate hammer for the size of
> the nail:
> https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52
>
> I believe CVE-2016-2313 should be included in this fix.

Certainly! I have backported the fix and included in this new debdiff.
Unfortunately I'm not sure how to trigger the bug.

> Please be advised that since my previous e-mail, I actually created a
> brute force regression test for cacti, see
> http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
be useful to do some basic testing after an update.

Cheers,
Emilio

diff -Nru cacti-0.8.8a+dfsg/debian/changelog cacti-0.8.8a+dfsg/debian/changelog --- cacti-0.8.8a+dfsg/debian/changelog 2016-02-24 21:00:15.0 +0100 +++ cacti-0.8.8a+dfsg/debian/changelog 2016-06-26 10:18:07.0 +0200
@@ -1,3 +1,15 @@ +cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=medium + + * Non-maintainer upload. + * debian/patches/CVE-2016-3172-sql-injection.patch: ++ CVE-2016-3172: Fix sql injection in tree.php. + * debian/patches/CVE-2016-3659-sql-injection.patch: ++ CVE-2016-3659: Fix sql injection in graph_view.php. + * debian/patches/CVE-2016-2313-authentication-bypass.patch: ++ CVE-2016-2313: Fix authentication bypass. + + -- Emilio Pozuelo MonfortSun, 26 Jun 2016 10:18:04 +0200 + cacti (0.8.8a+dfsg-5+deb7u8) wheezy-security; urgency=high * CVE-2015-8377: Fix SQL Injection vulnerability in graphs_new.php diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch 1970-01-01 01:00:00.0 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-2313-authentication-bypass.patch 2016-06-26 10:16:50.0 +0200 
@@ -0,0 +1,23 @@ +Backport fix for CVE-2016-2313. + +This is http://svn.cacti.net/viewvc?view=rev=7770 +and https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52 + +Bug: http://bugs.cacti.net/view.php?id=2656 + +--- a/auth_login.php b/auth_login.php +@@ -86,6 +86,13 @@ + /* Locate user in database */ + $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2"); + ++ if (!$user && read_config_option('user_template') == '0') { ++ cacti_log("ERROR: User '" . $username . "' authenticated by Web Server, but a Template User is not defined in Cacti. Exiting.", false, 'AUTH'); ++ $username = htmlspecialchars($username); ++ auth_display_custom_error_message("$username authenticated by Web Server, but a Template User is not defined in Cacti."); ++ exit; ++ } ++ + break; + case "3": + /* LDAP Auth */ diff -Nru cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch --- cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 1970-01-01 01:00:00.0 +0100 +++ cacti-0.8.8a+dfsg/debian/patches/CVE-2016-3172-sql-injection.patch 2016-06-25 21:57:13.0 +0200 @@ -0,0 +1,10 @@ +--- a/tree.php 2016/05/08 15:10:45 7804 a/tree.php 2016/05/08 15:35:30 7805 +@@ -153,6 +153,7 @@ + /* = input validation = */ + input_validate_input_number(get_request_var("id")); + input_validate_input_number(get_request_var("tree_id")); ++ input_validate_input_number(get_request_var("parent_id")); + /* */ + + if (!empty($_GET["id"])) { diff -Nru
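Review bot: in the debian/changelog hunk, the new deb7u9 entry is marked urgency=medium while the deb7u8 wheezy-security entry right below it in the same hunk uses urgency=high; security uploads are normally high, so consider `cacti (0.8.8a+dfsg-5+deb7u9) wheezy-security; urgency=high`. Minor style point in the same hunk: the three new bullets write "sql injection" where the deb7u8 entry writes "SQL Injection"; pick one spelling.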
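Review bot: in the auth_login.php hunk of the CVE-2016-2313 patch, the new guard `if (!$user && read_config_option('user_template') == '0')` only fires when the option is exactly the string '0'; if read_config_option can return an empty or unset value when no template user has ever been configured, the guard is skipped and the old behaviour remains, so confirm what the option holds in that state (the upstream commit cited in the patch header is the place to check) or widen the test to an empty() check. The header carries the svn and GitHub URLs and a Bug: line, but no DEP-3 `Description:` or `Origin:` fields; adding them keeps the patch consistent with the tools that read those tags.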
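Review bot: the tree.php hunk of the CVE-2016-3172 patch has a malformed file header, `--- a/tree.php 2016/05/08 15:10:45 7804 a/tree.php 2016/05/08 15:35:30 7805`, with no `+++` marker before the second path, which quilt or patch may refuse to apply; check that the patch as shipped has a proper `+++ b/tree.php` line. Unlike the CVE-2016-2313 patch, this one has no header at all (no description, origin or bug reference), so add a DEP-3 header naming the upstream revision (7805, going by the timestamp line). The one-line change itself, validating parent_id as a number alongside the existing id and tree_id checks, looks right.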
Re: claiming tiff
On 26/06/16 02:19, Bálint Réczey wrote:
> Hi,
>
> There are newly discovered vulnerabilities in tiff [1].
>
> If no one objects I plan looking into them and working with the
> maintainer(s) to get them fixed in Wheezy LTS and in newer
> releases.

I looked at this yesterday. These CVEs aren't fixed upstream yet. I forwarded
all the new CVEs (and some old ones) to upstream yesterday, so hopefully that
will change.

Cheers,
Emilio
Re: cacti LTS
Hi Emilio

On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>> Just in case somebody starts working on it, I'd like to review proposed
>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>> in Debian and a check if the fix by a contributor in the upstream bug
>> report is causing other damage. The third CVE has a trivial patch.
>
> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
> know if we are vulnerable or not, maybe we are and the attack needs some
> changes. In any case, I think the fix is very safe, sanitizing parenthesis,
> so I think we can just ship it. What do you think? Please see the attached
> debdiff.

The patch for CVE-2016-3659 is accepted by upstream, so should be OK to
apply.

The issue with CVE-2016-2313 has been resolved upstream, the
sledgehammer has been replaced by an appropriate hammer for the size of
the nail:
https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52

I believe CVE-2016-2313 should be included in this fix.

Please be advised that since my previous e-mail, I actually created a
brute force regression test for cacti, see
http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Paul