[SECURITY] [DLA 810-1] libarchive security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : libarchive
Version        : 3.0.4-3+wheezy5+deb7u1
CVE ID         : CVE-2017-5601
Debian Bug     : #853278

It was discovered that there was a heap buffer overflow in libarchive, a
multi-format archive and compression library.

For Debian 7 "Wheezy", this issue has been fixed in libarchive version
3.0.4-3+wheezy5+deb7u1.

We recommend that you upgrade your libarchive packages.

Regards,

- -- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAliQQIYACgkQHpU+J9Qx
HlhWBBAArVcNIQgBYFQR6A6+zk37Z6q4pslH2JiaRW4Ol2ySH6H7LS6UiU4Rpvgo
QH8/fXujvt1/242Fx2W8cjv4L8HnE4GVszLML6bMiyWhLVZ9TLRMmlTyvBk6xdy8
fpJTeC3rCEzTvID5KsIciJhDIssGnlgyGBTyxqFE03hmtO5aWn9cPxs0aFY8dTXa
aH+CWaG3M4efMxKFNJWiSY8R8jayUHoUaBCNeKeP7fR8Q9qROQX+tFaV14el24C0
W2MQgBH3E8sCXYMbLvnCDFWq0bAKkF/1KUGXnfYBTbft6G9s/BD7s1hQ3a1ZhGDY
RRwNgj9Ss+zR1znBfNvm3l9331Vgwdnt4ihNvbiAzgqDY1SrdkzGvqts5w1T2cDQ
R0uy3VozWbUEjjTEVSwDhEtSNpZF52Nv2EHNbSg8b3r/Lgcsl2oUHUZ0IKJgjeP0
CveFujs5kN+W/DfBpwXTKvLV6UrjwsQ87p02OOCep9Hiw+CheGeugR+JZNpB1uCV
Z9R+6nhxBOE25ZP66Yt5axjjgsZmD+k+z527KJD6+Z8UEQM4wOQ1B5VRcNdSlfbD
R6j/cPKJH9IgDScdk9MGx8jDNAdf/RfM+g4At+aGgCTl0oweFtP89uW8ebOmB0+y
Cf+29NWULOuMeye9y2zXj7u+D6O7242mp5P48eDKEVzJqCCKJo8=
=9PcV
-----END PGP SIGNATURE-----
Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable
On 27/01/17 22:18, Ola Lundqvist wrote:
> Hi Emilio
>
> I saw that you have uploaded a new openjdk-7 package. Was that
> package supposed to fix the current issues reported for openjdk-7, or
> was it a correction for an earlier version?

It doesn't fix the latest round of CVEs.

> I'm asking because:
> 1) I have not seen the DLA. It seems to have gone missing.

afaics it's there:
https://lists.debian.org/debian-lts-announce/2017/01/msg00037.html

> 2) I would like to know whether I should (re-)add the openjdk-7
> package to dla-needed.txt or not.

I did that. Still waiting for upstream to release the update.

Cheers,
Emilio
Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable
On 30/01/17 22:19, Ola Lundqvist wrote:
> Hi
>
> Will you send the DLA or do you want me to do that?

Adding Romain to Cc.

Cheers,
Emilio

> // Ola
>
> On 30 January 2017 at 19:40, Romain Francoise wrote:
> > Format: 1.8
> > Date: Sun, 29 Jan 2017 22:17:21 +0100
> > Source: tcpdump
> > Binary: tcpdump
> > Architecture: amd64 source
> > Version: 4.9.0-1~deb7u1
> > Distribution: wheezy-security
> > Urgency: high
> > Maintainer: Romain Francoise
> > Changed-By: Romain Francoise
> > Description:
> >  tcpdump    - command-line network traffic analyzer
> > Changes:
> >  tcpdump (4.9.0-1~deb7u1) wheezy-security; urgency=high
> >  .
> >    * Backport to wheezy.
> >    * Disable the pppoes_id test, and reset B-D on libpcap-dev to what it
> >      was in wheezy.
> > Checksums-Sha1:
> >  f9d5b9e50181e205fa1b713bf906cc9aaa311ddd 1952 tcpdump_4.9.0-1~deb7u1.dsc
> >  c241ea71d658ea46edc1bb0a0867ab7cda59973a 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
> >  90de03d602d41e824dd5073bffb510af74a5974c 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> > Checksums-Sha256:
> >  f8d328894bf0e23c28d153a8ea10975579bdbc7ccb25e566d42fb8d071dec076 1952 tcpdump_4.9.0-1~deb7u1.dsc
> >  cfde49ea7cc7250571a76e1451cfe85d4adc80a86dbb1251720845b81f973253 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
> >  11ec542ca49d79755637b41413205cb7158c01e4dd4f2bab9209b7aa439378f0 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> > Files:
> >  9e84eb9b5b63d542cd072b1c607706b8 1952 net optional tcpdump_4.9.0-1~deb7u1.dsc
> >  ea4321a8ad585e590ee8f85db8c8dd9c 12776 net optional tcpdump_4.9.0-1~deb7u1.debian.tar.xz
> >  1d2032e577c6aa2c9c6e375a04c4f1f5 484900 net optional tcpdump_4.9.0-1~deb7u1_amd64.deb
[SECURITY] [DLA 809-1] tcpdump security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : tcpdump
Version        : 4.9.0-1~deb7u1
CVE ID         : CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925
                 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929
                 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933
                 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937
                 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973
                 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984
                 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993
                 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203
                 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342
                 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485
                 CVE-2017-5486

Multiple vulnerabilities have been discovered in tcpdump, a command-line
network traffic analyzer. These vulnerabilities might result in denial of
service or the execution of arbitrary code.

CVE-2016-7922  Buffer overflow in parser.
CVE-2016-7923  Buffer overflow in parser.
CVE-2016-7924  Buffer overflow in parser.
CVE-2016-7925  Buffer overflow in parser.
CVE-2016-7926  Buffer overflow in parser.
CVE-2016-7927  Buffer overflow in parser.
CVE-2016-7928  Buffer overflow in parser.
CVE-2016-7929  Buffer overflow in parser.
CVE-2016-7930  Buffer overflow in parser.
CVE-2016-7931  Buffer overflow in parser.
CVE-2016-7932  Buffer overflow in parser.
CVE-2016-7933  Buffer overflow in parser.
CVE-2016-7934  Buffer overflow in parser.
CVE-2016-7935  Buffer overflow in parser.
CVE-2016-7936  Buffer overflow in parser.
CVE-2016-7937  Buffer overflow in parser.
CVE-2016-7938  Buffer overflow in parser.
CVE-2016-7939  Buffer overflow in parser.
CVE-2016-7940  Buffer overflow in parser.
CVE-2016-7973  Buffer overflow in parser.
CVE-2016-7974  Buffer overflow in parser.
CVE-2016-7975  Buffer overflow in parser.
CVE-2016-7983  Buffer overflow in parser.
CVE-2016-7984  Buffer overflow in parser.
CVE-2016-7985  Buffer overflow in parser.
CVE-2016-7986  Buffer overflow in parser.
CVE-2016-7992  Buffer overflow in parser.
CVE-2016-7993  Buffer overflow in parser.
CVE-2016-8574  Buffer overflow in parser.
CVE-2016-8575  Buffer overflow in parser.
CVE-2017-5202  Buffer overflow in parser.
CVE-2017-5203  Buffer overflow in parser.
CVE-2017-5204  Buffer overflow in parser.
CVE-2017-5205  Buffer overflow in parser.
CVE-2017-5341  Buffer overflow in parser.
CVE-2017-5342  Buffer overflow in parser.
CVE-2017-5482  Buffer overflow in parser.
CVE-2017-5483  Buffer overflow in parser.
CVE-2017-5484  Buffer overflow in parser.
CVE-2017-5485  Buffer overflow in parser.
CVE-2017-5486  Buffer overflow in parser.

For Debian 7 "Wheezy", these problems have been fixed in version
4.9.0-1~deb7u1.

We recommend that you upgrade your tcpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 --- Ola Lundqvist ---------------------------------------------
/  o...@debian.org                     GPG fingerprint          \
|  o...@inguza.com                     22F2 32C6 B1E0 F4BF 2B26  |
|  http://inguza.com/                  0A6A 5E90 DCFA 9426 876F  /
 ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJYj7kVAAoJEF6Q3PqUJodv760P/iglBWp9kHkBlTtX3CqZDulq
MbOU9fZxjqXeDgo3WIyRd1OCRMoWjIr0NqkYfa/XTqIQTIBSqY4U0yeKe2B90Xeg
ZJzVxd8hiY0VZ1e4InlaXObGZWvRUX7kGZ3/zRDTr0CTSvNPG4Mv64+Y/Wrj4Ts9
NnyQmWyiG66571EOYeh+nTL7UVXo3U4HWp9/UJL0b0MmxwbON370qETBcNQvoKmx
V1SVWAFsVgtIXHLToSMGGlA0IDhBrvaONOUpwUzzihOTpjJm1Zci7LKRJZc/Sb85
07819v4qTNaONA5q58SBu/rEaI+kufKYBKAhcDfb1iIJ5PUCD8hNafIQSFsTALWX
71gXAGPPA95932PSLfMknudifuOfemsVXqv41M9807Gf0dz4JbLkWUfg8UZIc+EB
p+vOWwUqUpXPAD0PmeSxKZkIh+cqKTbODWqYnR0pLIHL1/wzZKsQAmQQgD1RHTMA
iloV+4WMBD/bvqR6HSDu+VGSfeIwNZXLxoiTTWL6XoEvv8SpUeNfPxuv6rfAoFeE
MgMvOQxu+ae7GVvdVFH5uPNQpCp1YQd3tEnMIpAU0a6NYNDCI9E1rAQOYgpHlTjD
lipSE2iF/iMn3AFUpekxw5IL8Qeps1rUe7vsDvOxDtlrTmDtrgu1BBoP1YmbIJ3N
Z3+wp0QwMaYEJukmbwHI
=/Lay
-----END PGP SIGNATURE-----
Re: Accepted tcpdump 4.9.0-1~deb7u1 (amd64 source) into oldstable
Hi

Will you send the DLA or do you want me to do that?

// Ola

On 30 January 2017 at 19:40, Romain Francoise wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Sun, 29 Jan 2017 22:17:21 +0100
> Source: tcpdump
> Binary: tcpdump
> Architecture: amd64 source
> Version: 4.9.0-1~deb7u1
> Distribution: wheezy-security
> Urgency: high
> Maintainer: Romain Francoise
> Changed-By: Romain Francoise
> Description:
>  tcpdump    - command-line network traffic analyzer
> Changes:
>  tcpdump (4.9.0-1~deb7u1) wheezy-security; urgency=high
>  .
>    * Backport to wheezy.
>    * Disable the pppoes_id test, and reset B-D on libpcap-dev to what it
>      was in wheezy.
> Checksums-Sha1:
>  f9d5b9e50181e205fa1b713bf906cc9aaa311ddd 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  c241ea71d658ea46edc1bb0a0867ab7cda59973a 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  90de03d602d41e824dd5073bffb510af74a5974c 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Checksums-Sha256:
>  f8d328894bf0e23c28d153a8ea10975579bdbc7ccb25e566d42fb8d071dec076 1952 tcpdump_4.9.0-1~deb7u1.dsc
>  cfde49ea7cc7250571a76e1451cfe85d4adc80a86dbb1251720845b81f973253 12776 tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  11ec542ca49d79755637b41413205cb7158c01e4dd4f2bab9209b7aa439378f0 484900 tcpdump_4.9.0-1~deb7u1_amd64.deb
> Files:
>  9e84eb9b5b63d542cd072b1c607706b8 1952 net optional tcpdump_4.9.0-1~deb7u1.dsc
>  ea4321a8ad585e590ee8f85db8c8dd9c 12776 net optional tcpdump_4.9.0-1~deb7u1.debian.tar.xz
>  1d2032e577c6aa2c9c6e375a04c4f1f5 484900 net optional tcpdump_4.9.0-1~deb7u1_amd64.deb
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCAAdFiEEvjSXQsqYfs1+d+QtrRX0NfBfli0FAliPhkUACgkQrRX0NfBf
> li0acRAAkIF5gYBNVEej0OUl5XzQiq5TNtXGFJlHmSPPG+pOg9Pv6PaNSWSWMRTv
> Ml+L43VDJrZuwBGalbLbw47zJPmvpU9TUBJ6vxn3VPHOiOZpmRo5VvYD2LO8WJps
> BYCKHMY47zTNlwn7edKKOOx+CTHPiLUdGVd/EON5Y0OP9EWUzyWkXJR7dXyM1ABu
> z1OU12upCU3ZIYHtzfzhPWrg764NNAIGGKBAcnV6fDPqu+wc1BtjEUBBrEAC1D/y
> t45DRBZ/3L/oXlJE7I9SrloNxz2a8P5lkITriXo7FPoF/NTnfzIdo9M1Mp/EI/lY
> XHxNx8Vy9EmtULP7gngfNuwOnP3lsH+vQj2BIpDKCuuXSA+gwD58d3HvITpyyqeF
> mC7Pci0zwMleRaYbluLHrudgdYG0sJasZDYZvxToslxD8s/iy72vLQTUuKCsZcWA
> TVFywbRJjRIKEkieeEfRK/q9XiH3nfHzPOQEru3cDNmZ+pICaESbRuJki97Ax+Br
> zA8gtIWwfO2eZmPAB15qW/7sz1z32yJdOA3RDhI/uNZL/pz+Bbe3yPkGtUfDzXS9
> z87gjEZMtpPFSV/GEl6/rkwIJeHs4m/9JmDqFojnisw8jxzsi/EQnmX39e8d/TbJ
> NSLYwaBQ+Oll7daD2miI53Nh9tQwvD/tyw9Mn9tNKCyoiEACAhM=
> =pY0x
> -----END PGP SIGNATURE-----

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
Re: possible regression in tiff4/libtiff3 update (deb7u1)
On Fri, 27 Jan 2017, Matthias Geerdsen wrote:
> > The full upload is available:
> > $ dget https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u3_amd64.changes
>
> I took your patched libtiff4 and tested several images and compression
> schemes using ImageMagick and GraphicsMagick in a wheezy chroot without
> any problems. I have not encountered any unexpected error messages or
> any corrupted images.

Ok, thanks for the tests. I uploaded the fixed version.

> > If we are satisfied by this fix, then we should do something similar on
> > source package tiff 4.x (which provides libtiff5 4.x).

I'll take care of this later this week if no one beats me to it.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Anyone having more information about the tcpdump security CVEs?
On Mon, Jan 30, 2017 at 07:34:59PM +0100, Romain Francoise wrote:
> On Sun, Jan 29, 2017 at 05:14:33PM +0100, Romain Francoise wrote:
> > Ok, I will prepare the package and upload it next week.
>
> Done! I didn't include the upstream tarball as I already uploaded it to
> jessie-security and IIUC it's the same archive, but I'm not absolutely
> certain this is right--if the upload gets rejected, I will reupload.

It is correct. The upstream tarball can only be uploaded to security-master once.

Cheers,
-- 
Guido
Re: Anyone having more information about the tcpdump security CVEs?
On Sun, Jan 29, 2017 at 05:14:33PM +0100, Romain Francoise wrote:
> Ok, I will prepare the package and upload it next week.

Done! I didn't include the upstream tarball as I already uploaded it to
jessie-security and IIUC it's the same archive, but I'm not absolutely
certain this is right--if the upload gets rejected, I will reupload.

-- 
Romain Francoise
http://people.debian.org/~rfrancoise/
[SECURITY] [DLA 610-2] tiff3 regression update
Package        : tiff3
Version        : 3.9.6-11+deb7u3
Debian Bug     : 852610

Versions 3.9.6-11+deb7u1 and 3.9.6-11+deb7u2 introduced changes that
resulted in libtiff writing out invalid TIFF files when the compression
scheme in use relies on codec-specific TIFF tags embedded in the image.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u3.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
[SECURITY] [DLA 807-1] imagemagick security update
Package        : imagemagick
Version        : 8:6.7.7.10-5+deb7u11
CVE ID         : CVE-2016-10144 CVE-2016-10145 CVE-2016-10146 CVE-2017-5506
                 CVE-2017-5507 CVE-2017-5508 CVE-2017-5510 CVE-2017-5511
Debian Bug     : #851485, #851483, #851380, #851383, #851382, #851381,
                 #851376, #851374

Numerous vulnerabilities were discovered in ImageMagick, an image
manipulation program. Issues include memory leaks, out-of-bounds reads
and missing checks.

This update also includes an update of the fix for CVE-2016-8677, which
was incomplete in the previous version.

For Debian 7 "Wheezy", these problems have been fixed in version
8:6.7.7.10-5+deb7u11.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS