Wheezy update of openssh?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of openssh:
https://security-tracker.debian.org/tracker/CVE-2016-6515

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Guido Günther, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Re: find-work script no longer working on stable
> ola@tigereye:~/git/debian-lts$ ./find-work
> Traceback (most recent call last):
>   File "./find-work", line 3, in
>     import requests
>

I think I'm missing some bit of your traceback/testcase here?

> 8056874b90d35883fd3a1747b911d935367edda3

Guessing from this, I think you had locale issues. This is orthogonal to stable/unstable but rather an invalid/missing/whatever LANG setting. For example, under sid if I unset LANG:

    $ LANG= ./find-work
    [..]
      File "./find-work", line 66, in
        dla_needed[package]['more'],
    UnicodeEncodeError: 'ascii' codec can't encode character '\xe1' in position 13: ordinal not in range(128)

> Or can we in some other way make it work also on Debian stable?

I've fixed the above issue in 19dab98. No need to jump to reverting stuff..

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Re: [SECURITY] [DLA 588-1] mongodb security update
On Mon, 2016-08-08 at 11:52 +0200, Ola Lundqvist wrote:
> Package: mongodb
> Version: 2.0.6-1+deb7u1
> CVE ID : CVE-2016-6494
> Debian Bug : 832908, 833087
>
> Two security related problems have been found in the mongodb
> package, related to logging.
>
> CVE-2016-6494
>     World-readable .dbshell history file
>
> TEMP-0833087-C5410D
>     Bruteforcable challenge responses in unprotected logfile
[...]

This temporary ID is not stable and shouldn't be used in a DLA or DSA. The Debian bug number, which you already included, is more useful.

Ben.

--
Ben Hutchings
Beware of bugs in the above code; I have only proved it correct, not tried it. - Donald Knuth
find-work script no longer working on stable
Hi Chris

First thanks for improving find-work. The additions have been good, except for one thing. I have Debian stable on my workstation and the latest find-work update makes it spit out the following:

    ola@tigereye:~/git/debian-lts$ ./find-work
    Traceback (most recent call last):
      File "./find-work", line 3, in
        import requests

Actually it works as late as

    ola@tigereye:~/git/debian-lts$ git checkout 6ab3667026232e67701345c6f8f44b84fe8e5a9a
    ...
    ola@tigereye:~/git/debian-lts$ ./find-work
    The following packages are used by our customers (by order of decreasing importance, more hours means more important):
     * openssl (20 hours/month)
    ...

My conclusion is that it is the following commit that makes it go wrong.
8056874b90d35883fd3a1747b911d935367edda3

Is that change important? Can we reverse this change? I can do that if you like. Or can we in some other way make it work also on Debian stable?

Thanks in advance

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 ---------------------------------------------------------------
Security check of libical
Hi libical developers, libical maintainer and LTS team

As part of the Debian Long Term Security team I have started to look into a few possible security related vulnerabilities. More details are available here:
https://security-tracker.debian.org/tracker/source-package/libical

My problem is that each CVE refers to a bugzilla bug id and they are not public:

CVE-2016-5827 https://bugzilla.mozilla.org/show_bug.cgi?id=1281043
CVE-2016-5826 https://bugzilla.mozilla.org/show_bug.cgi?id=1281041
CVE-2016-5825 https://bugzilla.mozilla.org/show_bug.cgi?id=1280832
CVE-2016-5824 https://bugzilla.mozilla.org/show_bug.cgi?id=1275400
CVE-2016-5823 reserved, do you know anything about it?

My questions to you are whether any of you know who I should contact about these bugs? Or if I can get access to them? (my login is o...@inguza.com) Or who I should contact for requesting access.

Whether you know of any other security issues in libical (wheezy is using revision 0.48)

Thanks a lot in advance!

// Ola
Re: Security update of ntp
Hi Kurt

Thanks a lot for a quick and good answer. Will mark it as unaffected in wheezy too then.

Best regards

// Ola

On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx wrote:
> On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> > Hi Kurt
> >
> > As a member of the LTS team I have started to look into a ntp security
> > update of CVE-2016-4953 mentioned here:
> > https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I see that you have prepared security updates for Debian wheezy in the past
> > so I would like to check with you if you want to do it this time too, or if
> > you'd like me to do that for you.
> >
> > Or alternatively that you know it is a non-issue already.
> >
> > I can see the following comment about jessie in the security tracker:
> > [jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979
> > wasn't backported)
> >
> > But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> > so I guess it is affected, or?
> >
> > I have not looked into the details yet as I want to check with you first
> > whether you know about this already (I guess you do).
>
> First, the situation for wheezy and jessie should be identical.
> They have the same upstream source and should have the same
> patches for all security issues.
>
> The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
> and so we're not affected by what the upstream patch broke.
>
>
> Kurt
>
Re: Security update of ntp
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
>
> As a member of the LTS team I have started to look into a ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
>
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
>
> Or alternatively that you know it is a non-issue already.
>
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
>
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
>
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical. They have the same upstream source and should have the same patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix, and so we're not affected by what the upstream patch broke.


Kurt
Security update of ntp
Hi Kurt

As a member of the LTS team I have started to look into a ntp security update of CVE-2016-4953 mentioned here:
https://security-tracker.debian.org/tracker/source-package/ntp

I see that you have prepared security updates for Debian wheezy in the past so I would like to check with you if you want to do it this time too, or if you'd like me to do that for you.

Or alternatively that you know it is a non-issue already.

I can see the following comment about jessie in the security tracker:
[jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported)

But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version so I guess it is affected, or?

I have not looked into the details yet as I want to check with you first whether you know about this already (I guess you do).

Best regards

// Ola
Re: Security update of nettle
Hi all

I have now prepared a build of nettle for wheezy, based on the patch that Magnus prepared for me (thanks a lot for that!).

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/nettle/nettle.debdiff

You can find the prepared packages here:
http://apt.inguza.net/wheezy-security/nettle/

I have done basic regression testing by installing lsh-server (and lsh-client) and normal operations seem to be working fine. I chose lsh as it is the only application in wheezy that I know is using nettle.

I have not tried to reproduce the potential side-channel issue as that one is rather hard to trigger. If anyone knows about a tool for that, please let me know.

I will upload a corrected version of nettle in four days (that is on Thursday) unless anyone objects of course.

Best regards

// Ola

On Sun, Aug 7, 2016 at 10:16 PM, Ola Lundqvist wrote:
> Hi Andreas
>
> It looks like you have managed without the context. I'm sorry that I was a
> little too brief.
>
> First thank you a lot for confirming that gnutls do not use nettle in
> wheezy. This is very good to know as I can safely patch nettle without
> considering gnutls usage of nettle. Thanks! It saves me the burden of
> patching and coordinating several uploads.
>
> The follow up patches that are needed are to modify gnutls (as long as it
> is using nettle).
>
> This (below) is what I have understood from Niels Möller. He is the source
> of my knowledge so please be in contact with him about the details.
>
> The correction in nettle is to use mpz_powm_sec instead of mpz_powm. The
> problem is that mpz_powm_sec will crash if the modulo argument is an even
> number. So a check is needed to ensure that or else we have a denial of
> service problem.
> You can see the detailed correction here:
> https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
>
> Nettle have added such checks in the *_key_prepare functions, see here:
> https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
> https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
> https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9
>
> I think this merge commit may be of help:
> https://git.lysator.liu.se/nettle/nettle/commit/b721591c051ce9e2304033dd19564f089775df17
>
> The issue is that gnutls do not use (or do not check the return code)
> these prepare functions so there is therefore nothing that prevent the
> service from crashing in case an invalid signature is provided. The attack
> would for example be possible on some service provider having a common web
> server for multiple clients where the client can add their own
> certificate/key. In such case the whole server will go down instead of just
> this client.
>
> So a check is needed in gnutls to check that the modulo is not even. This
> can be done either by using the prepare functions (and check the return
> code) or by checking it explicitly.
>
> Was this enough context?
>
> // Ola
>
> On Sun, Aug 7, 2016 at 8:04 AM, Andreas Metzler wrote:
>
>> On 2016-08-07 Ola Lundqvist wrote:
>> > On Sat, Aug 6, 2016 at 8:40 PM, Niels Möller wrote:
>> >> Ola Lundqvist writes:
>> >>> Magnus, Niels and I have been discussing the nettle update due to
>> >>> https://security-tracker.debian.org/tracker/CVE-2016-6489
>>
>> >> Please note that some coordination with gnutls may be needed, to avoid
>> >> a denial-of-service problem involving invalid private keys.
>>
>> >>> I suggest something like this: "Protect against potential timing
>> >>> attacks against exponentiation operations as described in
>> >>> CVE-2016-6489 RSA code is vulnerable to cache sharing related
>> >>> attacks."
>>
>> >> I'd suggest the more general "side-channel attacks" over "timing
>> >> attacks".
>>
>> > I do not think coordination with gnutls is needed. I can not see that
>> > gnutls depend on nettle in wheezy.
>> > I can see that it can potentially do that, but I do not think it do.
>>
>> > There are no dependencies declared on nettle library and from unstable
>> > changelog it looks like this build dependency was first added in gnutls28.
>> > Wheezy has gnutls28.
>>
>> > I may be wrong however.
>>
>> > Or can it be so that nettle is built in statically and that a build
>> > dependency is not needed as some other package has a build dependency so we
>> > get it indirectly?
>>
>> > I'm including the gnutls maintainers to get their opinion.
>>
>> Hello Ola,
>>
>> I think I am missing a little bit context, according to the security
>> tracker the issue applies to practically all versions of, from oldstable
>> up to and including unstable but the discussion seems to focus on LTS.
>>
>> You are right regarding wheezy/oldstable. It shipped gnutls 2.12.x built
>> against libgcrypt instead of nettle, there should not be a
[SECURITY] [DLA 589-1] mupdf security update
Package: mupdf
Version: 0.9-2+deb7u3
CVE ID : CVE-2016-6525
Debian Bug : 833417

A flaw was discovered in the pdf_load_mesh_params() function allowing out-of-bounds write access to memory locations. With carefully crafted input, that could trigger a heap overflow, resulting in application crash or possibly having other unspecified impact.

For Debian 7 "Wheezy", these problems have been fixed in version 0.9-2+deb7u3.

We recommend that you upgrade your mupdf packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted mupdf 0.9-2+deb7u3 (source amd64) into oldstable
Format: 1.8
Date: Sat, 06 Aug 2016 16:13:05 +0200
Source: mupdf
Binary: libmupdf-dev mupdf mupdf-tools
Architecture: source amd64
Version: 0.9-2+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Kan-Ru Chen
Changed-By: Jonas Meurer
Description:
 libmupdf-dev - development files for the MuPDF viewer
 mupdf      - lightweight PDF viewer
 mupdf-tools - command line tools for the MuPDF viewer
Changes:
 mupdf (0.9-2+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Backport fix for CVE-2016-6525: heap overflow in pdf_load_mesh_params()
     from upstream git commit 39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e.
Accepted mongodb 1:2.0.6-1+deb7u1 (source amd64) into oldstable
Format: 1.8
Date: Mon, 01 Aug 2016 21:10:47 +
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source amd64
Version: 1:2.0.6-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Antonin Kral
Changed-By: Ola Lundqvist
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908
Changes:
 mongodb (1:2.0.6-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Long Term Security Team.
   * Make sure dbshell log file is not readable by others
     CVE-2016-6494 (Closes: #832908).
Re: Wheezy update of twisted?
Hi,

Just a quick comment on:

On Mon, Aug 08, 2016 at 06:29:30PM +1000, Brian May wrote:
> I am inclined to say that no version of twisted, by itself, has this
> vulnerability. However like I said earlier it is possible that
> applications that use twisted have this vulnerability.

Looking at the upstream ticket https://twistedmatrix.com/trac/ticket/8623 I suspect that Twisted 16.3.1 will have something to help mitigating the issue in application that use twisted.

For Jessie, we do not plan to release any DSA related to this for src:twisted. Don't know if you want to follow that on LTS side.

Regards,
Salvatore
Re: Wheezy update of python-django?
Hi,

On Mon, Aug 08, 2016 at 05:59:36PM +1000, Brian May wrote:
> Brian May writes:
>
> > Attached is my latest debdiff patch, only includes changes to debian/*.
>
> I just uploaded this to wheezy-security. Not 100% certain my upload will
> get accepted yet, my first attempt failed due to timeout error.

    python-django_1.4.22-1.dsc has incorrect md5 checksum; deleting it.
    python-django_1.4.22.orig.tar.gz has incorrect size; deleting it

You need to either reupload the dsc and orig.tar.gz as long as the other files are still kept in the upload directory, or alternatively remove the upload from the SecurityUploadQueue on security-master with dcut, resign the changes and then reupload. (Those mails are not sent to the uploader; the signature is not yet verified at that stage).

Regards,
Salvatore
Re: Wheezy update of twisted?
Free Ekanayaka writes:

> I had a quick look at the code too (both in wheezy and jessie), but I
> couldn't find the offending bits. Perhaps it'd be good to put together a
> small web server and see what happens when you pass the 'Proxy'
> header.

So I created the following code:

=== cut ===
from twisted.internet import reactor
from twisted.web.server import Site
from twisted.web.resource import Resource
import time
import os


class ClockPage(Resource):
    isLeaf = True

    def render_GET(self, request):
        # Dump the process environment on every request so that any
        # HTTP_PROXY derived from the request headers would show up.
        print(os.environ)
        return "%s" % (time.ctime(),)


resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8880, factory)
reactor.run()
=== cut ===

Then I attempted to run from wheezy. In particular, I used the following command:

    curl -H "Proxy: http://meow/" http://localhost:8880/

I inspected the console output, but could not find any references to meow or HTTP_PROXY:

    {'TERM': 'xterm-256color', 'SHELL': '/bin/bash', 'SCHROOT_UID': '1000',
     'SCHROOT_COMMAND': '-bash', 'SHLVL': '1', 'OLDPWD': '/root',
     'SCHROOT_CHROOT_NAME': 'wheezy-amd64-default',
     'PWD': '/home/brian/tree/debian/debian-lts/wheezy/twisted/test',
     'SCHROOT_SESSION_ID': 'wheezy-amd64-default-76337752-1661-47c2-b322-f2a73ff7314b',
     'SCHROOT_USER': 'brian', 'USER': 'root', 'HOME': '/root', 'SCHROOT_GID': '1000',
     'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
     'LOGNAME': 'root', 'SCHROOT_GROUP': 'brian',
     'SCHROOT_ALIAS_NAME': 'wheezy-amd64-default', '_': '/usr/bin/python'}

I get similar results when testing on stretch. It looks like sid is the same version 16.3.0-1.

I am inclined to say that no version of twisted, by itself, has this vulnerability. However like I said earlier it is possible that applications that use twisted have this vulnerability.
--
Brian May
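The "Proxy" header discussed in this thread only becomes a problem once something maps request headers into HTTP_* environment variables the CGI way, which a plain twisted Resource does not do. The following is an added example (mine, not code from the thread or from twisted) that builds a WSGI environ the CGI way from a constructed request, shows the header surfacing as HTTP_PROXY, and applies a middleware that removes it; all function names are hypothetical.

```python
"""Added example, not from the thread: how a client-supplied "Proxy:" header
turns into HTTP_PROXY in a CGI-style (WSGI) environ, and a middleware that
drops it before the application can pass it on to an HTTP client library."""
from wsgiref.util import setup_testing_defaults


def cgi_meta_var(header_name):
    """RFC 3875 / PEP 3333 rule for request headers: 'Proxy' -> 'HTTP_PROXY',
    'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def environ_from_headers(headers):
    """Build a WSGI environ the way a CGI-style container does: every request
    header becomes an HTTP_* key. A plain twisted Resource, as used in the
    test above, never performs this step, so os.environ there stays clean."""
    environ = {}
    setup_testing_defaults(environ)  # minimal valid WSGI keys, nothing proxy-related
    for name, value in headers:
        environ[cgi_meta_var(name)] = value
    return environ


def proxy_report_app(environ, start_response):
    """Sample application: reports the proxy value it would hand to an HTTP
    client library that honours HTTP_PROXY from its environment."""
    proxy = environ.get("HTTP_PROXY", "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [proxy.encode()]


def strip_proxy_middleware(app):
    """Mitigation: delete the client-controlled key before the application
    runs. Deleting (rather than blanking) it means a library that falls back
    to the lowercase http_proxy setting sees no value at all from the request."""
    def wrapped(environ, start_response):
        environ.pop("HTTP_PROXY", None)
        return app(environ, start_response)
    return wrapped


def run_app(app, headers):
    """Drive a WSGI app with constructed request headers; returns (status, body)."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ_from_headers(headers), start_response))
    return captured["status"], body.decode()


# Constructed request, matching: curl -H "Proxy: http://meow/" http://localhost:8880/
SAMPLE_HEADERS = [("Host", "localhost:8880"), ("Proxy", "http://meow/")]

if __name__ == "__main__":
    print("unprotected:", run_app(proxy_report_app, SAMPLE_HEADERS))
    print("protected:  ", run_app(strip_proxy_middleware(proxy_report_app), SAMPLE_HEADERS))
```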
Re: Security update of firefox-esr for Wheezy
On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> > Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> > purpose is to enable build of other packages?
>
> That would make sense.
>
> I'll see if I can take a look at this.

The problematic part is likely libstdc++. I would expect the new gcc to assume that you have the corresponding libstdc++. Mike once told that Firefox has special code to avoid the increased dependency but that might not be the case of other packages that we might want to build with a newer gcc.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/