Re: Tools for testing LTS updates
On 2017-01-24 08:37:05, Guido Günther wrote:
> I'm using a qemu VM bootstrapped via
>
>   http://honk.sigxcpu.org/con/Preseeding_Debian_virtual_machines_with_virt_install.html
>
> Note that there's also autopkgtest-virt-qemu but since it doesn't use
> libvirt I'd have to handle it differently so I'm using the above.

Cool, that's great.

I discovered this project recently, from another DD (smcv):

  https://github.com/smcv/vectis

Really interesting and promising...

In any case, it seems to me this should be documented *somewhere*. The
LTS/Development page in the wiki may be a good place, but I wonder if
that shouldn't be more "upstream" in the docs pages...

Any ideas?

-- 
Property is a trap: what we believe we own owns us.
 - Alphonse Karr
Re: [Secure-testing-commits] r48631 - in data: . CVE
Hi Emilio,

2017-01-31 22:23 GMT+01:00 Bálint Réczey:
> Hi Emilio,
>
> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort :
>> Hi Balint,
>>
>> On 31/01/17 21:46, Balint Reczey wrote:
>>> Log:
>>> wavpack's issues don't affect wheezy
>>>
>>> The first part of the upstream patch is not needed since the
>>> code is very different and not vulnerable.
>>> The second part applies, but does not make any difference when
>>> trying the exploits. Tested with valgrind on Wheezy.
>>
>> These issues were found with address sanitizer, so I don't think checking
>> with valgrind is enough (it's not the same).
>>
>> May be worth checking with asan (it should be available in wheezy's llvm
>> 3.1).
>
> I was able to reproduce the heap issues on sid with valgrind but I
> give llvm a try, too.

Llvm 3.1 supports ASAN, but I could not find clang in the llvm-3.1
packages. What am I missing? :-)

Cheers,
Balint
Re: Wheezy update of mysql-5.5?
Hi,

I have prepared a patch for the issue, I'm just waiting for the CVE
assignment till tomorrow (2 Feb) with the upload.

Cheers,
Balint

2017-01-28 22:03 GMT+01:00 Ola Lundqvist:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of mysql-5.5:
> https://security-tracker.debian.org/tracker/source-package/mysql-5.5
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of mysql-5.5 updates
> for the LTS releases.
>
> Thank you very much.
>
> Ola Lundqvist,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>

From 5b4cc37b12751e3a5ec4a30e61cafef9ff3563a7 Mon Sep 17 00:00:00 2001
From: Balint Reczey Date: Mon, 30 Jan 2017 19:32:04 +0100 Subject: [PATCH 1/2] Fix use after free bug in mysql_prune_stmt_list() --- ...x_use_after_free_in_mysql_prune_stmt_list.patch | 142 + debian/patches/series | 1 + 2 files changed, 143 insertions(+) create mode 100644 debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch diff --git a/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch b/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch new file mode 100644 index 000..23bff1a --- /dev/null +++ b/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch 
@@ -0,0 +1,142 @@ +From 1037977895aa4a145de16719df0a2375c71bbf26 Mon Sep 17 00:00:00 2001 +From: Nisha Gopalakrishnan +Date: Mon, 21 Jul 2014 21:21:15 +0530 +Subject: [PATCH] BUG#17512527: LIST HANDLING INCORRECT IN + MYSQL_PRUNE_STMT_LIST() + +Analysis: +- +Invalid memory access maybe observed when using prepared statements if: +a) The mysql client connection is lost after statement preparation + is complete and +b) There is at least one statement which is in initialized state but + not prepared yet. + +When the client detects a closed connection, it calls end_server() +to shutdown the connection. As part of the clean up, the +mysql_prune_stmt_list() removes the statements which has transitioned +beyond the initialized state and retains only the statements which +are in a initialized state. During this processing, the initialized +statements are moved from 'mysql->stmts' to a temporary 'pruned_list'. +When moving the first 'INIT_DONE' element to the pruned_list, +'element->next' is set to NULL. Hence the rest of the list is never +traversed and the statements which have transitioned beyond the +initialized state are never invalidated. + +When the mysql_stmt_close() is called for the statement which is not +invalidated; the statements list is updated in order to remove the +statement. This would end up accessing freed memory(freed by the +mysql_stmt_close() for a previous statement in the list). + +Fix: +--- +mysql_prune_stmt_list() called list_add() incorrectly to create a +temporary list. The use case of list_add() is to add a single +element to the front of the doubly linked list. +mysql_prune_stmt_list() called list_add() by passing an entire +list as the 'element'. + +mysql_prune_stmt_list() now uses list_delete() to remove the +statement which has transitioned beyond the initialized phase. +Thus the statement list would contain only elements where the +the state of the statement is initialized. 
+ +Note: Run the test with valgrind-mysqltest and leak-check=full +option to see the invalid memory access. + +Back-ported to MySQL 5.5 branch by Balint Reczey + +Conflicts: + sql-common/client.c + tests/mysql_client_test.c +--- + sql-common/client.c | 11 +++ + tests/mysql_client_test.c | 41 + + 2 files changed, 48 insertions(+), 4 deletions(-) + +diff --git a/sql-common/client.c b/sql-common/client.c +index cd9b6a7..be60cc1 100644 +--- a/sql-common/client.c b/sql-common/client.c +@@ -3790,12 +3790,15
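Review bot: the embedded upstream patch keeps the upstream From:/Subject: lines but carries no DEP-3 Origin: or Bug-Debian: field, so the tracker cannot link this backport to its source; add an Origin: line naming upstream commit 1037977895aa4a145de16719df0a2375c71bbf26 (and a Bug line if a Debian bug exists). The diffstat shows tests/mysql_client_test.c gaining the regression test (41 lines); confirm that mysql_client_test is actually executed in the wheezy build, otherwise the valgrind-mysqltest remark in the header is the only evidence that the backport fails before and passes after.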
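The list-handling bug the commit message above describes, as an added example written for this page (not MySQL's code; the list helpers, the statement struct and their names are hypothetical stand-ins that keep only the semantics the message spells out: list_add pushes one element to the front of a doubly linked list, list_delete unlinks one element). It runs the pre-fix and post-fix prune shapes over the same constructed list so the truncated traversal is visible.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the client's list and statement objects. */
typedef struct list_node {
    struct list_node *prev, *next;
    void *data;
} list_node;

enum stmt_state { STMT_INIT_DONE, STMT_PREPARED };

typedef struct {
    enum stmt_state state;
    int connection_valid;   /* 1 while the statement still points at the connection */
} client_stmt;

/* Push ONE element at the front; returns the new root. Overwrites
 * element->prev/next, so element must not be part of a list being walked. */
static list_node *list_add(list_node *root, list_node *element)
{
    if (root) {
        if (root->prev)
            root->prev->next = element;
        element->prev = root->prev;
        root->prev = element;
    } else {
        element->prev = NULL;
    }
    element->next = root;
    return element;
}

/* Unlink element; returns the (possibly new) root. */
static list_node *list_delete(list_node *root, list_node *element)
{
    if (element->prev)
        element->prev->next = element->next;
    else
        root = element->next;
    if (element->next)
        element->next->prev = element->prev;
    return root;
}

/* Pre-fix shape: builds a second list with list_add while still walking the
 * first. The first INIT_DONE element gets next = pruned (NULL on that call),
 * the walk ends there, and later PREPARED statements keep a dangling pointer. */
static int prune_buggy(list_node **stmts)
{
    list_node *element = *stmts, *pruned = NULL;
    int invalidated = 0;

    for (; element; element = element->next) {
        client_stmt *s = element->data;
        if (s->state != STMT_INIT_DONE) {
            s->connection_valid = 0;
            invalidated++;
        } else {
            pruned = list_add(pruned, element);   /* BUG: truncates the walk */
        }
    }
    *stmts = pruned;
    return invalidated;
}

/* Post-fix shape: remember the successor, then unlink in place. */
static int prune_fixed(list_node **stmts)
{
    list_node *element = *stmts, *next;
    int invalidated = 0;

    for (; element; element = next) {
        client_stmt *s = element->data;
        next = element->next;
        if (s->state != STMT_INIT_DONE) {
            s->connection_valid = 0;
            invalidated++;
            *stmts = list_delete(*stmts, element);
        }
    }
    return invalidated;
}

/* Constructed fixture (PREPARED, INIT_DONE, PREPARED, INIT_DONE): run a prune,
 * return how many PREPARED statements still think the connection is alive
 * (0 is correct) and, via *remaining, how many nodes are left in the list. */
static int run_prune(int (*prune)(list_node **), size_t *remaining)
{
    static const enum stmt_state states[4] =
        { STMT_PREPARED, STMT_INIT_DONE, STMT_PREPARED, STMT_INIT_DONE };
    client_stmt stmts[4];
    list_node nodes[4], *root = NULL, *p;
    size_t i, len = 0;
    int stale = 0;

    for (i = 4; i-- > 0; ) {               /* push from the back to keep order */
        stmts[i].state = states[i];
        stmts[i].connection_valid = 1;
        nodes[i].data = &stmts[i];
        root = list_add(root, &nodes[i]);
    }
    prune(&root);
    for (p = root; p; p = p->next)
        len++;
    for (i = 0; i < 4; i++)
        if (stmts[i].state == STMT_PREPARED && stmts[i].connection_valid)
            stale++;
    if (remaining)
        *remaining = len;
    return stale;
}

static int stale_after_buggy(void) { return run_prune(prune_buggy, NULL); }
static int stale_after_fixed(void) { return run_prune(prune_fixed, NULL); }
static size_t left_after_buggy(void) { size_t n; run_prune(prune_buggy, &n); return n; }
static size_t left_after_fixed(void) { size_t n; run_prune(prune_fixed, &n); return n; }

int main(void)
{
    printf("buggy: %d stale, %zu left\n", stale_after_buggy(), left_after_buggy());
    printf("fixed: %d stale, %zu left\n", stale_after_fixed(), left_after_fixed());
    return 0;
}
```

With the buggy prune the second PREPARED statement is never reached, so it keeps its pointer to the dead connection and a later close on it walks freed memory, which is exactly the use-after-free the commit message describes; the fixed prune leaves only the two INIT_DONE nodes linked.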
Re: openssl wheezy update
On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
> Hi Kurt,
>
> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have
> done some smoke testing on it and it seems fine, but I haven't been able to
> verify the three fixes as I can't find exploits for them (there is mention of
> one for CVE-2016-8610 in [1] but I can't find the actual file).
>
> Do you have any suggestion for how to verify / test the update?
>
> Do you want to upload this or should I take care of it?

Feel free to upload this. The upstream version in jessie and wheezy, so
the patches should just apply.

I only have a test for the 32 bit crashes. It would require to get the
fuzzers working in the 1.0.1 version, which should be that hard.

The other would be a cache timing attack, and I really have no good way
to test that.

I suggest you just upload it.

Kurt
Re: Wheezy update of xrdp?
Hi Dominik,

2016-12-23 12:08 GMT+01:00 Dominik George:
> Hi Chris,
>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of xrdp:
>> https://security-tracker.debian.org/tracker/source-package/xrdp
>>
>> Would you like to take care of this yourself?
>
> I will use this as a chance to retreat from Christmas celebrations at
> some point this weekend ;).

Do you still plan to fix the issue?

Cheers,
Balint

>
> -nik
>
> --
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
>
> Dominik George · Hundeshagenstr. 26 · 53225 Bonn
> Mobile: +49-1520-1981389 · https://www.dominik-george.de/
>
> Teckids e.V. · FrOSCon e.V.
> Fellowship of the FSFE · Piratenpartei Deutschland
> Opencaching Deutschland e.V. · Debian Maintainer
>
> LPIC-3 Linux Enterprise Professional (Security)
LTS report for January
Hi,

This month I was allocated 12.75h (plus 2.5h carried from last month). I
spent this time doing the following:

- DLA 684-2: libx11 regression update
- DLA 784-1: gcc-mozilla new package
- DLA 800-1: firefox-esr security update
- DLA 801-1: libxpm security update
- DLA 802-1: openjdk-7 security update
- DLA 803-1: lcms2 security update
- DLA 811-1: libplist security update
- DLA 812-1: ikiwiki security update
- prepared and tested openssl update
- reviewed pending graphicsmagick update

Cheers,
Emilio
openssl wheezy update
Hi Kurt,

I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have
done some smoke testing on it and it seems fine, but I haven't been able to
verify the three fixes as I can't find exploits for them (there is mention of
one for CVE-2016-8610 in [1] but I can't find the actual file).

Do you have any suggestion for how to verify / test the update?

Do you want to upload this or should I take care of it?

Test packages at https://people.debian.org/~pochu/lts/openssl/ in case someone
can give them a try.

Thanks,
Emilio

[1] http://www.openwall.com/lists/oss-security/2016/10/24/3

diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog --- openssl-1.0.1t/debian/changelog 2016-09-25 11:19:14.0 +0200 +++ openssl-1.0.1t/debian/changelog 2017-01-31 22:04:44.0 +0100 @@ -1,3 +1,13 @@ +openssl (1.0.1t-1+deb7u2) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS team. + * Backport changes from 1.0.1t-1+deb8u6: + * Fix CVE-2016-8610 + * Fix CVE-2017-3731 + * Fix CVE-2016-7056 + + -- Emilio Pozuelo MonfortTue, 31 Jan 2017 22:04:44 +0100 + openssl (1.0.1t-1+deb7u1) wheezy-security; urgency=medium * New upstream version, based on the version in jessie. diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-7056.patch openssl-1.0.1t/debian/patches/CVE-2016-7056.patch --- openssl-1.0.1t/debian/patches/CVE-2016-7056.patch 1970-01-01 01:00:00.0 +0100 +++ openssl-1.0.1t/debian/patches/CVE-2016-7056.patch 2017-01-31 22:03:37.0 +0100
@@ -0,0 +1,12 @@ +--- a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c +@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + if (!BN_add(k, k, order)) + goto err; + ++BN_set_flags(k, BN_FLG_CONSTTIME); ++ + /* compute r the x-coordinate of generator * k */ + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); + diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-8610.patch openssl-1.0.1t/debian/patches/CVE-2016-8610.patch --- openssl-1.0.1t/debian/patches/CVE-2016-8610.patch 1970-01-01 01:00:00.0 +0100 +++ openssl-1.0.1t/debian/patches/CVE-2016-8610.patch 2017-01-31 22:03:37.0 +0100 
@@ -0,0 +1,128 @@ +Subject: CVE-2016-8610 + +This is a combination of commit 22646a075e75991b4e8f5d67171e45a6aead5b48 and +f1185392189641014dca94f3fe7834bccb5f4c16 + +index 7e3a7b480e..cb74d467bb 100644 +Index: openssl-1.0.1t/ssl/s3_pkt.c +=== +--- openssl-1.0.1t.orig/ssl/s3_pkt.c openssl-1.0.1t/ssl/s3_pkt.c +@@ -1057,6 +1057,13 @@ int ssl3_read_bytes(SSL *s, int type, un + return (ret); + } + ++/* ++ * Reset the count of consecutive warning alerts if we've got a non-empty ++ * record that isn't an alert. ++ */ ++if (rr->type != SSL3_RT_ALERT && rr->length != 0) ++s->cert->alert_count = 0; ++ + /* we now have a packet which can be read and processed */ + + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, +@@ -1271,6 +1278,14 @@ int ssl3_read_bytes(SSL *s, int type, un + + if (alert_level == SSL3_AL_WARNING) { + s->s3->warn_alert = alert_descr; ++ ++s->cert->alert_count++; ++if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) { ++al = SSL_AD_UNEXPECTED_MESSAGE; ++SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS); ++goto f_err; ++} ++ + if (alert_descr == SSL_AD_CLOSE_NOTIFY) { + s->shutdown |= SSL_RECEIVED_SHUTDOWN; + return (0); +@@ -1406,16 +1421,13 @@ int ssl3_read_bytes(SSL *s, int type, un + + switch (rr->type) { + default: +-#ifndef OPENSSL_NO_TLS + /* +- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give +- * an unexpected message alert. ++ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but ++ * TLS 1.2 says you MUST send an unexpected message alert. We use the ++ * TLS 1.2 behaviour for all protocol versions to prevent issues where ++ * no progress is being made and the peer continually sends unrecognised ++ * record types, using up resources processing them. 
+ */ +-if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) { +-rr->length = 0; +-goto start; +-} +-#endif + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); + goto f_err; +Index: openssl-1.0.1t/ssl/d1_pkt.c +=== +--- openssl-1.0.1t.orig/ssl/d1_pkt.c openssl-1.0.1t/ssl/d1_pkt.c +@@ -924,6 +924,13 @@ int dtls1_read_bytes(SSL *s, int type, u
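Review bot: in the CVE-2016-7056 hunk (ecs_ossl.c, ecdsa_sign_setup), the consumer of BN_FLG_CONSTTIME that matters is not the EC_POINT_mul the flag is placed in front of but the later modular inversion of k, where BN_mod_inverse only takes its branch-free path when the flag is set on its input. Setting it here is fine provided the very same BIGNUM k reaches BN_mod_inverse in the 1.0.1t tree (a copy made with BN_copy would not carry the flag); the 12-line hunk does not show that code, so it should be checked before upload. The patch file also has no DEP-3 header at all (no Origin:, Description: or Bug:), unlike CVE-2016-8610.patch; add the upstream commit reference.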
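Review bot: the first s3_pkt.c hunk (ssl3_read_bytes, around line 1057) references `s->cert->alert_count`, and the second uses `MAX_WARN_ALERT_COUNT`; neither exists in stock 1.0.1t, so the new CERT field and the #define in ssl/ssl_locl.h must be among the remaining hunks of this 128-line patch or the build fails. Keeping the counter in the private CERT struct rather than in s->s3, whose SSL3_STATE layout is public, is presumably what keeps the ABI unchanged for this update; that reasoning deserves a sentence in the patch header.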
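Review bot: in the second s3_pkt.c hunk (around line 1278) the counter is incremented for every warning alert, close_notify included, and the limit test is an exact equality, which works only because the `goto f_err` path ends the connection and the first hunk resets the counter on any non-empty non-alert record; if the backport ever diverges from that pairing (for example the reset hunk being dropped for conflicts), the equality should become `>=`. The d1_pkt.c counterpart is cut off after its @@ -924 header in this mail, so the DTLS side of the change could not be reviewed here.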
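Review bot: the third s3_pkt.c hunk (around line 1421) is a behavioural change beyond the DoS fix: unknown record types in TLS 1.0/1.1, and in SSLv3 now that the OPENSSL_NO_TLS guard is gone with the block, abort with a fatal unexpected_message alert instead of being skipped. That matches upstream, but it can surface as an interop regression with peers that emit unrecognised record types, so it belongs in the DLA text or the changelog entry, which currently only says "Fix CVE-2016-8610".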
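The two s3_pkt.c hunks above are the whole CVE-2016-8610 mitigation: a per-connection count of consecutive warning alerts, reset by any non-empty record that is not an alert, and a fatal unexpected_message once it reaches MAX_WARN_ALERT_COUNT. As an added example written for this page (not OpenSSL code), here is that logic on top of a minimal TLS record parser fed constructed byte streams, so the behaviour can be checked without a live peer or the missing exploit file. The record builder, the names and the limit of 5 (upstream's value for MAX_WARN_ALERT_COUNT as far as I recall) are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RT_ALERT         21
#define RT_APPDATA       23
#define AL_WARNING       1
#define AD_CLOSE_NOTIFY  0
#define AD_USER_CANCELED 90
/* Assumed limit; upstream's MAX_WARN_ALERT_COUNT is 5 as far as I recall. */
#define MAX_WARN_ALERTS  5

enum rr { RR_OK = 0, RR_CLOSED, RR_TOO_MANY_WARN_ALERTS, RR_BAD_RECORD };

typedef struct {
    unsigned alert_count;    /* consecutive warning alerts (s->cert->alert_count) */
    unsigned records_seen;
} conn_state;

/* Parse one record at buf[*pos] (type, version, length, body) and apply
 * the two hunks' rules. */
static enum rr read_record(conn_state *st, const uint8_t *buf, size_t len, size_t *pos)
{
    const uint8_t *p = buf + *pos;
    uint16_t rlen;

    if (*pos + 5 > len)
        return RR_BAD_RECORD;
    rlen = (uint16_t)((p[3] << 8) | p[4]);
    if (*pos + 5 + rlen > len)
        return RR_BAD_RECORD;
    *pos += 5 + rlen;
    st->records_seen++;

    /* First hunk: a non-empty record that is not an alert resets the count. */
    if (p[0] != RT_ALERT && rlen != 0)
        st->alert_count = 0;
    if (p[0] != RT_ALERT)
        return RR_OK;

    if (rlen != 2)
        return RR_BAD_RECORD;
    if (p[5] != AL_WARNING)
        return RR_CLOSED;                   /* fatal alert ends the connection */
    /* Second hunk: count warnings and fail once the limit is reached. */
    if (++st->alert_count == MAX_WARN_ALERTS)
        return RR_TOO_MANY_WARN_ALERTS;     /* real code sends unexpected_message */
    return p[6] == AD_CLOSE_NOTIFY ? RR_CLOSED : RR_OK;
}

/* Feed a whole stream; stop at the first non-OK result. */
static enum rr run_stream(conn_state *st, const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    enum rr r = RR_OK;
    memset(st, 0, sizeof *st);
    while (pos < len && (r = read_record(st, buf, len, &pos)) == RR_OK)
        ;
    return r;
}

/* Record builder for the constructed streams (TLS 1.0 version bytes). */
static size_t put_record(uint8_t *out, uint8_t type, const uint8_t *body, uint16_t blen)
{
    out[0] = type; out[1] = 3; out[2] = 1;
    out[3] = (uint8_t)(blen >> 8); out[4] = (uint8_t)blen;
    memcpy(out + 5, body, blen);
    return 5 + blen;
}

static size_t put_warnings(uint8_t *out, unsigned n)
{
    static const uint8_t warn[2] = { AL_WARNING, AD_USER_CANCELED };
    size_t off = 0;
    unsigned i;
    for (i = 0; i < n && i < 32; i++)      /* cap keeps the 256-byte buffers safe */
        off += put_record(out + off, RT_ALERT, warn, 2);
    return off;
}

/* Scenario A: n back-to-back warning alerts, the CVE-2016-8610 pattern. */
static enum rr flood_result(unsigned n)
{
    uint8_t buf[256];
    conn_state st;
    return run_stream(&st, buf, put_warnings(buf, n));
}

/* How many records the reader processed before giving up on scenario A. */
static unsigned records_before_abort(unsigned n)
{
    uint8_t buf[256];
    conn_state st;
    run_stream(&st, buf, put_warnings(buf, n));
    return st.records_seen;
}

/* Scenario B: 4 warnings, one application-data record, 4 more warnings.
 * The reset keeps this from being mistaken for a flood. */
static enum rr interleaved_result(void)
{
    static const uint8_t app[1] = { 'x' };
    uint8_t buf[256];
    conn_state st;
    size_t len = put_warnings(buf, 4);
    len += put_record(buf + len, RT_APPDATA, app, 1);
    len += put_warnings(buf + len, 4);
    return run_stream(&st, buf, len);
}

int main(void)
{
    printf("4 warnings: %d, 5 warnings: %d, 100 warnings: stopped after %u records\n",
           flood_result(4), flood_result(5), records_before_abort(100));
    printf("4 + appdata + 4: %d\n", interleaved_result());
    return 0;
}
```

Before the fix the reader would loop through all 100 alert records (and any number the peer cares to send); with the counter it stops at the fifth. A real test against the patched library would send the same byte stream to an s_server over a socket and expect the connection to close.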
Re: graphicsmagick update
On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote:
> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> > I'd say it makes sense to release a regression update.
> >
> > BTW I'm not sure about this change, which is not mentioned in your
> > changelog entry:
> >
> > --- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200
> > +++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.0 +0100
> > @@ -36,7 +36,7 @@
> > CFLAGS = -Wall -g -fno-strict-aliasing
> > LDFLAGS =
> >
> > -include /usr/share/hardening-includes/hardening.make
> > +-include /usr/share/hardening-includes/hardening.make
> > CFLAGS += $(HARDENING_CFLAGS)
> > LDFLAGS += $(HARDENING_LDFLAGS)
>
> This is to silence failure to include the file in later versions of
> hardening-includes (from stretch and later) that would prevent pdebuild,
> git-buildpackage and other tools from firing the build from sid or
> stretch.
>
> I still build the package inside a woody chroot, of course, this is just
> to trigger the build.
>
> But maybe there's another way to fix this that I don't know?
>
> Are you people all still running wheezy or jessie? ;)

You can run with '-nc' to avoid pbuilder invoking clean outside of the
chroot.
 -- Guido

> A.
>
> --
> Choose a job you love and you will never have to work a day in your
> life.
> - Confucius
Re: [Secure-testing-commits] r48631 - in data: . CVE
Hi Emilio,

2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort:
> Hi Balint,
>
> On 31/01/17 21:46, Balint Reczey wrote:
>> Log:
>> wavpack's issues don't affect wheezy
>>
>> The first part of the upstream patch is not needed since the
>> code is very different and not vulnerable.
>> The second part applies, but does not make any difference when
>> trying the exploits. Tested with valgrind on Wheezy.
>
> These issues were found with address sanitizer, so I don't think checking with
> valgrind is enough (it's not the same).
>
> May be worth checking with asan (it should be available in wheezy's llvm 3.1).

I was able to reproduce the heap issues on sid with valgrind but I
give llvm a try, too.

Cheers,
Balint
Re: [Secure-testing-commits] r48631 - in data: . CVE
Hi Balint,

On 31/01/17 21:46, Balint Reczey wrote:
> Log:
> wavpack's issues don't affect wheezy
>
> The first part of the upstream patch is not needed since the
> code is very different and not vulnerable.
> The second part applies, but does not make any difference when
> trying the exploits. Tested with valgrind on Wheezy.

These issues were found with address sanitizer, so I don't think checking with
valgrind is enough (it's not the same).

May be worth checking with asan (it should be available in wheezy's llvm 3.1).

Cheers,
Emilio
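The point that ASan and valgrind are not interchangeable, as an added example written for this page (it has nothing to do with wavpack's code): a stack-buffer overrun that ASan's stack redzones report as stack-buffer-overflow but that memcheck does not flag, because memcheck tracks addressability of heap blocks and treats the whole stack frame as addressable. Memcheck does catch heap overruns, which is why the heap issues reproduced on sid; the class of bug decides which tool sees it. The function names and FIELD_MAX are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* assumed size of the fixed field buffer */

/* Vulnerable: unbounded copy into a stack array. Input longer than
 * FIELD_MAX-1 bytes writes past 'field'. Built with -fsanitize=address the
 * write lands in a stack redzone and is reported; under valgrind memcheck
 * the write itself is silent, because the bytes after 'field' are still
 * addressable stack memory as far as memcheck is concerned. */
static size_t copy_field_vulnerable(const char *src)
{
    char field[FIELD_MAX];
    strcpy(field, src);
    return strlen(field);
}

/* Hardened: bounded copy that refuses input that would not fit. Returns 0
 * on success, -1 if src plus its NUL does not fit in dst_len bytes. */
static int copy_field_hardened(const char *src, char *dst, size_t dst_len)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same FIELD_MAX buffer as the vulnerable path, hardened copy. */
static int field_fits(const char *src)
{
    char field[FIELD_MAX];
    return copy_field_hardened(src, field, sizeof field);
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : "short";
    printf("hardened: %s\n", field_fits(in) == 0 ? "ok" : "rejected");
    /* Only reached with an explicit argument: a long one overflows here. */
    if (argc > 1)
        printf("vulnerable copied %zu bytes\n", copy_field_vulnerable(in));
    return 0;
}
```

To see the difference, build it twice and feed 40 bytes: `clang -g -fsanitize=address demo.c -o demo-asan && ./demo-asan "$(head -c 40 /dev/zero | tr '\0' A)"` aborts with a stack-buffer-overflow report, while `gcc -g -O0 demo.c -o demo && valgrind ./demo "$(head -c 40 /dev/zero | tr '\0' A)"` runs to completion with no invalid write reported (use -O0 without -D_FORTIFY_SOURCE, or glibc's fortified strcpy aborts before valgrind gets a say).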
Re: graphicsmagick update
On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> I'd say it makes sense to release a regression update.
>
> BTW I'm not sure about this change, which is not mentioned in your changelog
> entry:
>
> --- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200
> +++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.0 +0100
> @@ -36,7 +36,7 @@
> CFLAGS = -Wall -g -fno-strict-aliasing
> LDFLAGS =
>
> -include /usr/share/hardening-includes/hardening.make
> +-include /usr/share/hardening-includes/hardening.make
> CFLAGS += $(HARDENING_CFLAGS)
> LDFLAGS += $(HARDENING_LDFLAGS)

This is to silence failure to include the file in later versions of
hardening-includes (from stretch and later) that would prevent pdebuild,
git-buildpackage and other tools from firing the build from sid or
stretch.

I still build the package inside a woody chroot, of course, this is just
to trigger the build.

But maybe there's another way to fix this that I don't know?

Are you people all still running wheezy or jessie? ;)

A.

-- 
Choose a job you love and you will never have to work a day in your
life.
 - Confucius
Re: graphicsmagick update
On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
>
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
>
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new height/width "magick
> resource limit" management, which was introduced in [January
> 2015][2]. The [patch][2] is rather intrusive and I don't think is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> others.
>
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
>
> I have built a package for amd64 in the [usual location][3] and attached
> the debdiff for the debu6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
>
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
> it?

I'd say it makes sense to release a regression update.

BTW I'm not sure about this change, which is not mentioned in your changelog
entry:

--- graphicsmagick-1.3.16/debian/rules 2016-09-20 23:52:26.0 +0200
+++ graphicsmagick-1.3.16/debian/rules 2017-01-16 19:22:54.0 +0100
@@ -36,7 +36,7 @@
CFLAGS = -Wall -g -fno-strict-aliasing
LDFLAGS =

-include /usr/share/hardening-includes/hardening.make
+-include /usr/share/hardening-includes/hardening.make
CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)

Cheers,
Emilio
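Review bot: turning `include` into `-include` makes a missing hardening.make succeed silently, so on any builder without hardening-includes HARDENING_CFLAGS and HARDENING_LDFLAGS expand to empty and the package is built without the hardening flags and without any error. For the intended wheezy chroot build this is harmless, but the change is absent from the changelog entry and should be listed there; if it stays, fail the build when $(HARDENING_CFLAGS) is empty (or keep the hard `include` and avoid running clean outside the chroot) so a silently unhardened build cannot reach an upload.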
[SECURITY] [DLA 812-1] ikiwiki security update
Package: ikiwiki
Version: 3.20120629.2+deb7u2
CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356

Several vulnerabilities have been found in ikiwiki, a wiki compiler:

CVE-2016-9646

    Commit metadata forgery

CVE-2016-10026

    Authorization bypass when reverting changes

CVE-2017-0356

    Authentication bypass via repeated parameters

For Debian 7 "Wheezy", these problems have been fixed in version
3.20120629.2+deb7u2.

We recommend that you upgrade your ikiwiki packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 811-1] libplist security update
Package: libplist
Version: 1.8-1+deb7u1
CVE ID : CVE-2017-5209 CVE-2017-5545
Debian Bug : 851196 852385

The following vulnerabilities have been fixed in libplist:

CVE-2017-5209

    Out of bounds read when parsing specially crafted Apple plist file

CVE-2017-5545

    Heap buffer overflow via crafted Apple plist file

For Debian 7 "Wheezy", these problems have been fixed in version
1.8-1+deb7u1.

We recommend that you upgrade your libplist packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Accepted ikiwiki 3.20120629.2+deb7u2 (source all) into oldstable
Format: 1.8
Date: Tue, 31 Jan 2017 19:00:50 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 3.20120629.2+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Simon McVittie
Changed-By: Emilio Pozuelo Monfort
Description:
 ikiwiki    - a wiki compiler
Closes: 682237 835612
Changes:
 ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
 .
   [ Simon McVittie ]
   * Security: force CGI::FormBuilder->field to scalar context where
     necessary, avoiding unintended function argument injection analogous
     to CVE-2014-1572.
     - passwordauth: prevent authentication bypass via multiple name
       parameters (CVE-2017-0356, OVE-20170111-0001)
     - passwordauth: prevent userinfo forgery via repeated email parameter
       (also CVE-2017-0356)
     - comments, editpage: prevent commit metadata forgery
       (CVE-2016-9646, OVE-20161226-0001)
     - CGI, attachment, comments, editpage, notifyemail, passwordauth, po,
       rename: harden against similar issues that are not believed to be
       exploitable
   * t/passwordauth.t: new automated test for CVE-2017-0356
   * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
     bugs, including one minor security vulnerability:
     - Security: try revert operations before approving them. Previously,
       automatic rename detection could result in a revert writing outside
       the wiki srcdir or altering a file that the reverting user should
       not be able to alter, an authorization bypass. (CVE-2016-10026
       represents the original vulnerability.) The incomplete fix released
       in 3.20161219 was not effective for git versions prior to 2.8.0rc0.
       (CVE-2016-9645 represents that incomplete solution. Debian stable
       was never vulnerable to this one.)
     - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
       file or directory" seen in the initial fixes for those security
       issues
     - If no committer identity is known, set it to "IkiWiki " in
       .git/config. This resolves commit errors in versions of git that
       require a non-trivial committer identity.
     - Use git log --no-renames to generate recentchanges, fixing the git
       test-case with git 2.9 (Closes: #835612)
     - Don't issue a warning if the rcsinfo CGI parameter is undefined
     - Do not fail to commit changes with a recent git version and an
       anonymous committer
     - Do not fail on filenames starting with a dash (patch from Florian
       Wagner)
     - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
   * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
     for using the CGI with git, including tests for CVE-2016-10026
     - Build-depend on libipc-run-perl for better build-time test coverage
   * Backport tests' installed-test (autopkgtest) support from 3.20160121,
     adjusted for compatibility with the older pkg-perl-autopkgtest in
     jessie
     - d/control: add enough build-dependencies to run all tests, except
       for non-git VCSs
   * Split CFLAGS into words when building wrapper, fixing build-time test
     failure. Closes: #682237 (patch from Joey Hess, backported from
     3.20120630)
   * In the CGI wrapper, incorporate $config{ENV} into the environment
     before executing Perl code, so that PERL5LIB can point to a
     non-system-wide installation of IkiWiki. Some build-time tests rely
     on this, in particular t/git-cgi.t. (patch from Lafayette Chamber
     Singers Webmaster, backported from 3.20140916)
 .
   [ Emilio Pozuelo Monfort ]
   * Upload to wheezy-security.
Checksums-Sha1:
 3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc
 6b12392969ff8ea2f5a5f34ee0afc093d5753c86 2853725 ikiwiki_3.20120629.2+deb7u2.tar.gz
 27f858b57736b3658fb5595dc2ce12129dc6ede8 1802612 ikiwiki_3.20120629.2+deb7u2_all.deb
Checksums-Sha256:
 20a1ed49d27581a84a6fe05eaac93767e219d8070aca581fceb37aa42054f9a5 2095 ikiwiki_3.20120629.2+deb7u2.dsc
 b28409b2ed8f1da4daf40e5b803b96ae4e760d2f68b4754b3da27700b92278f5 2853725 ikiwiki_3.20120629.2+deb7u2.tar.gz
 b845aa8800e70774bca7423f37e1618ef62756979322b67e8f98ffee9d6b501a 1802612 ikiwiki_3.20120629.2+deb7u2_all.deb
Files:
 013df2bd139b40eb321d768a7fec77df 2095 web optional ikiwiki_3.20120629.2+deb7u2.dsc
 3bcf594c3c94cf491a23e4de78a9ba0d 2853725 web optional ikiwiki_3.20120629.2+deb7u2.tar.gz
 625f5aa8475f0031da89840788f9a6c4 1802612 web optional ikiwiki_3.20120629.2+deb7u2_all.deb
Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable
Ok, thanks.

// Ola

On 31 January 2017 at 00:35, Emilio Pozuelo Monfort wrote:
> On 27/01/17 22:18, Ola Lundqvist wrote:
>> Hi Emilio
>>
>> I saw that you have uploaded a new openjdk-7 package. Was that
>> package supposed to fix the current issues reported for openjdk-7 or
>> was that corrections for earlier version?
>
> It doesn't fix the latest round of CVEs.
>
>> I'm asking because:
>> 1) I have not seen the DLA. It seems to have gone missing.
>
> afaics it's there:
>
> https://lists.debian.org/debian-lts-announce/2017/01/msg00037.html
>
>> 2) I would like to know whether I should (re-)add the openjdk-7
>> package to dla-needed.txt or not.
>
> I did that. Still waiting for upstream to release the update.
>
> Cheers,
> Emilio

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                    654 68 KARLSTAD            |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 ---------------------------------------------------------------