Wheezy update of curl?

2016-12-25 Thread Ola Lundqvist
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of curl:
https://security-tracker.debian.org/tracker/CVE-2016-9586

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, that's not a problem; we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your
answer, and then the LTS Team will take care of curl updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Accepted qemu-kvm 1.1.2+dfsg-6+deb7u19 (source amd64) into oldstable

2016-12-25 Thread Hugo Lefeuvre

Format: 1.8
Date: Tue, 13 Dec 2016 10:19:22 +0200
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u19
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev 
Changed-By: Hugo Lefeuvre 
Description: 
 kvm - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 847951 847960
Changes: 
 qemu-kvm (1.1.2+dfsg-6+deb7u19) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-9921, CVE-2016-9922: display: cirrus_vga: a divide by zero in cirrus_do_copy (Closes: #847960)
   * CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (Closes: #847951)




[SECURITY] [DLA 763-1] squid3 security update

2016-12-25 Thread Markus Koschany

Package: squid3
Version: 3.1.20-2.2+deb7u7
CVE ID: CVE-2016-10002
Debian Bug: 848493

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board
discovered that Squid3, a fully featured web proxy cache, does not
properly process responses to If-None-Modified HTTP conditional
requests, leading to client-specific Cookie data being leaked to other
clients. A remote attacker can take advantage of this flaw to discover
private and sensitive information about another client's browsing
session.

For Debian 7 "Wheezy", these problems have been fixed in version
3.1.20-2.2+deb7u7.

We recommend that you upgrade your squid3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted qemu 1.1.2+dfsg-6+deb7u19 (source all amd64) into oldstable

2016-12-25 Thread Hugo Lefeuvre

Format: 1.8
Date: Tue, 13 Dec 2016 10:19:22 +0200
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils
Architecture: source all amd64
Version: 1.1.2+dfsg-6+deb7u19
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian QEMU Team 
Changed-By: Hugo Lefeuvre 
Description: 
 qemu   - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 847951 847960
Changes: 
 qemu (1.1.2+dfsg-6+deb7u19) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-9921, CVE-2016-9922: display: cirrus_vga: a divide by zero in cirrus_do_copy (Closes: #847960)
   * CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (Closes: #847951)




Re: unrealize mechanism in 9pfs

2016-12-25 Thread Hugo Lefeuvre
Hi Guido,

Thank you for your investigations.

I've marked CVE-2016-9914/15/16 as no-dsa and will upload my patches for
the two remaining issues.

Cheers,
 Hugo

-- 
 Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Re: Call for advice regarding curl CVE-2016-9586

2016-12-25 Thread Guido Günther
Hi Ola,
On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote:
> Hi
> 
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
> 
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
> 
> 1) There are no known exploits -> minor issue (?)

This can change at any time.

> 2) The functions have been documented as deprecated for a long time
> 3) The problem only occurs in applications without proper input
> sanitizing (and using curl_mprintf), so one could even argue that this
> is not really a fault in curl at all.
>
> Due to this I could argue that it would mean a no-dsa tag.
> 
> However the patch is quite simple so maybe it would be worth fixing anyway.
> Also it is for a library and we do not really know how libraries are
> used.

The curl_mvprintf functions seem to invoke dprintf_formatf, so it would
be time consuming to check if anything in Debian is affected. Given the
simplicity of the patch I'd rather fix it than not.

Cheers,
 -- Guido

> 
> So what do you think?