Wheezy update of curl?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of curl:
https://security-tracker.debian.org/tracker/CVE-2016-9586

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of curl updates for the LTS releases.

Thank you very much.

Ola Lundqvist, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Accepted qemu-kvm 1.1.2+dfsg-6+deb7u19 (source amd64) into oldstable
Format: 1.8
Date: Tue, 13 Dec 2016 10:19:22 +0200
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u19
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev
Changed-By: Hugo Lefeuvre
Description:
 kvm          - dummy transitional package from kvm to qemu-kvm
 qemu-kvm     - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 847951 847960
Changes:
 qemu-kvm (1.1.2+dfsg-6+deb7u19) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-9921, CVE-2016-9922: display: cirrus_vga: a divide by zero in
     cirrus_do_copy (Closes: #847960)
   * CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer
     (Closes: #847951)
[SECURITY] [DLA 763-1] squid3 security update
Package        : squid3
Version        : 3.1.20-2.2+deb7u7
CVE ID         : CVE-2016-10002
Debian Bug     : 848493

Saulius Lapinskas from Lithuanian State Social Insurance Fund Board discovered that Squid3, a fully featured web proxy cache, does not properly process responses to If-None-Modified HTTP conditional requests, leading to client-specific Cookie data being leaked to other clients. A remote attacker can take advantage of this flaw to discover private and sensitive information about another client's browsing session.

For Debian 7 "Wheezy", these problems have been fixed in version 3.1.20-2.2+deb7u7.

We recommend that you upgrade your squid3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
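The practical question a DLA like this raises on a fleet of Wheezy hosts is whether the installed squid3 is already at or above 3.1.20-2.2+deb7u7. As an added example (not part of the advisory and not Debian's own tooling), the following re-implements dpkg's version-ordering rules in Python so that an inventory script can make that decision without shelling out to `dpkg --compare-versions`; the function names are my own, and the "deb7u6" sample version is constructed, not a real Wheezy build.

```python
import re
from itertools import zip_longest


def _order(c):
    # dpkg ordering for non-digit characters: '~' sorts before even the end of
    # the string, letters sort by ASCII, every other character sorts after letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    # Alternate non-digit runs (compared char by char) and digit runs
    # (compared numerically) until both strings are exhausted.
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    # [epoch:]upstream_version[-debian_revision]; the revision follows the last hyphen.
    epoch, _, rest = version.rpartition(":")
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch or "0"), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2 (dpkg rules)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(installed, fixed):
    """True when the installed version is at least the version an advisory names as fixed."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # Constructed sample: a host on a hypothetical deb7u6 build vs. the DLA's fixed version.
    print(is_fixed("3.1.20-2.2+deb7u6", "3.1.20-2.2+deb7u7"))  # False
    print(is_fixed("3.1.20-2.2+deb7u7", "3.1.20-2.2+deb7u7"))  # True
```

Feed it the output of `dpkg-query -W -f '${Version}' squid3` on each host to get a fleet-wide fixed/not-fixed list for this DLA.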
Accepted qemu 1.1.2+dfsg-6+deb7u19 (source all amd64) into oldstable
Format: 1.8
Date: Tue, 13 Dec 2016 10:19:22 +0200
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils
Architecture: source all amd64
Version: 1.1.2+dfsg-6+deb7u19
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian QEMU Team
Changed-By: Hugo Lefeuvre
Description:
 qemu             - fast processor emulator
 qemu-keymaps     - QEMU keyboard maps
 qemu-system      - QEMU full system emulation binaries
 qemu-user        - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils       - QEMU utilities
Closes: 847951 847960
Changes:
 qemu (1.1.2+dfsg-6+deb7u19) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2016-9921, CVE-2016-9922: display: cirrus_vga: a divide by zero in
     cirrus_do_copy (Closes: #847960)
   * CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer
     (Closes: #847951)
Re: unrealize mechanism in 9pfs
Hi Guido,

Thank you for your investigations. I've marked CVE-2016-9914/15/16 as no-dsa and will upload my patches for the two remaining issues.

Cheers,
Hugo

-- 
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
Re: Call for advice regarding curl CVE-2016-9586
Hi Ola,

On Fri, Dec 23, 2016 at 11:54:11PM +0100, Ola Lundqvist wrote:
> Hi
>
> I have looked into CVE-2016-9586 affecting curl.
> What I'm trying to figure out is whether it is worth the effort to fix
> it or not.
>
> More info here:
> https://curl.haxx.se/docs/adv_20161221A.html
>
> 1) There are no known exploits -> minor issue (?)

This can change at any time.

> 2) The functions have been documented as deprecated for a long time
> 3) The problem only occurs on applications without proper input
> sanitizing (and using curl_mprintf) so one could even argue that this
> is not really a fault in curl at all.
>
> Due to this I could argue that it would mean a no-dsa tag.
>
> However the patch is quite simple so maybe it would be worth fixing anyway.
> Also it is for a library and we do not really know how libraries are
> used.

The curl_mvprintf functions seem to invoke dprintf_formatf so it would be
time consuming to check if anything in Debian is affected. Given the
simplicity of the patch I'd rather fix it than not.

Cheers,
 -- Guido

>
> So what do you think?