Re: Tools for testing LTS updates

2017-01-31 Thread Antoine Beaupré
On 2017-01-24 08:37:05, Guido Günther wrote:
> I'm using a qemu VM bootstrapped via
>
> 
> http://honk.sigxcpu.org/con/Preseeding_Debian_virtual_machines_with_virt_install.html
>
> Note that there's also autopkgtest-virt-qemu but since it doesn't use
> libvirt I'd have to handle it differently so I'm using the above.

Cool, that's great.

I discovered this project recently, from another DD (smcv):

https://github.com/smcv/vectis

Really interesting and promising...

In any case, it seems to me this should be documented *somewhere*. The
LTS/Development page in the wiki may be a good place, but I wonder if
that shouldn't be more "upstream" in the docs pages...

Any ideas?

-- 
Property is a trap: what we believe we possess possesses us.
- Alphonse Karr



Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Bálint Réczey
Hi Emilio,

2017-01-31 22:23 GMT+01:00 Bálint Réczey :
> Hi Emilio,
>
> 2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort :
>> Hi Balint,
>>
>> On 31/01/17 21:46, Balint Reczey wrote:
>>> Log:
>>> wavpack's issues don't affect wheezy
>>>
>>> The first part of the upstream patch is not needed since the
>>> code is very different and not vulnerable.
>>> The second part applies, but does not make any difference when
>>> trying the exploits. Tested with valgrind on Wheezy.
>>
>> These issues were found with address sanitizer, so I don't think checking 
>> with
>> valgrind is enough (it's not the same).
>>
>> May be worth checking with asan (it should be available in wheezy's llvm 
>> 3.1).
>
> I was able to reproduce the heap issues on sid with valgrind but I
> give llvm a try, too.

Llvm 3.1 supports ASAN, but I could not find clang in the llvm-3.1 packages.
What am I missing? :-)

Cheers,
Balint



Re: Wheezy update of mysql-5.5?

2017-01-31 Thread Bálint Réczey
Hi,

I have prepared a patch for the issue, I'm just waiting for the CVE
assignment till tomorrow (2 Feb) with the upload.

Cheers,
Balint

2017-01-28 22:03 GMT+01:00 Ola Lundqvist :
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of mysql-5.5:
> https://security-tracker.debian.org/tracker/source-package/mysql-5.5
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of mysql-5.5 updates
> for the LTS releases.
>
> Thank you very much.
>
> Ola Lundqvist,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
From 5b4cc37b12751e3a5ec4a30e61cafef9ff3563a7 Mon Sep 17 00:00:00 2001
From: Balint Reczey 
Date: Mon, 30 Jan 2017 19:32:04 +0100
Subject: [PATCH 1/2] Fix use after free bug in mysql_prune_stmt_list()

---
 ...x_use_after_free_in_mysql_prune_stmt_list.patch | 142 +
 debian/patches/series  |   1 +
 2 files changed, 143 insertions(+)
 create mode 100644 debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch

diff --git a/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch b/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch
new file mode 100644
index 000..23bff1a
--- /dev/null
+++ b/debian/patches/fix_use_after_free_in_mysql_prune_stmt_list.patch
@@ -0,0 +1,142 @@
+From 1037977895aa4a145de16719df0a2375c71bbf26 Mon Sep 17 00:00:00 2001
+From: Nisha Gopalakrishnan 
+Date: Mon, 21 Jul 2014 21:21:15 +0530
+Subject: [PATCH] BUG#17512527: LIST HANDLING INCORRECT IN
+ MYSQL_PRUNE_STMT_LIST()
+
+Analysis:
+-
+Invalid memory access maybe observed when using prepared statements if:
+a) The mysql client connection is lost after statement preparation
+   is complete and
+b) There is at least one statement which is in initialized state but
+   not prepared yet.
+
+When the client detects a closed connection, it calls end_server()
+to shutdown the connection. As part of the clean up, the
+mysql_prune_stmt_list() removes the statements which has transitioned
+beyond the initialized state and retains only the statements which
+are in a initialized state. During this processing, the initialized
+statements are moved from 'mysql->stmts' to a temporary 'pruned_list'.
+When moving the first 'INIT_DONE' element to the pruned_list,
+'element->next' is set to NULL. Hence the rest of the list is never
+traversed and the statements which have transitioned beyond the
+initialized state are never invalidated.
+
+When the mysql_stmt_close() is called for the statement which is not
+invalidated; the statements list is updated in order to remove the
+statement. This would end up accessing freed memory(freed by the
+mysql_stmt_close() for a previous statement in the list).
+
+Fix:
+---
+mysql_prune_stmt_list() called list_add() incorrectly to create a
+temporary list. The use case of list_add() is to add a single
+element to the front of the doubly linked list.
+mysql_prune_stmt_list() called list_add() by passing an entire
+list as the 'element'.
+
+mysql_prune_stmt_list() now uses list_delete() to remove the
+statement which has transitioned beyond the initialized phase.
+Thus the statement list would contain only elements where the
+the state of the statement is initialized.
+
+Note: Run the test with valgrind-mysqltest and leak-check=full
+option to see the invalid memory access.
+
+Back-ported to MySQL 5.5 branch by Balint Reczey
+
+Conflicts:
+	sql-common/client.c
+	tests/mysql_client_test.c
+---
+ sql-common/client.c   | 11 +++
+ tests/mysql_client_test.c | 41 +
+ 2 files changed, 48 insertions(+), 4 deletions(-)
+
+diff --git a/sql-common/client.c b/sql-common/client.c
+index cd9b6a7..be60cc1 100644
+--- a/sql-common/client.c
 b/sql-common/client.c
+@@ -3790,12 +3790,15 
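Review bot: the hunk stops at `+@@ -3790,12 +3790,15`, so none of the 11 lines changed in sql-common/client.c or the 41 lines added to tests/mysql_client_test.c are visible here and the backport itself cannot be reviewed from this message; the upstream commit id 1037977895aa4a145de16719df0a2375c71bbf26 in the header is what to diff the result against. Two things to check before upload: the `+++ b/sql-common/client.c` header reached the list as ` b/sql-common/client.c` with its `+++` marker lost (probably mangled in transit, but confirm that `quilt push` still applies the file), and the patch header carries no CVE id or Bug-Debian reference, so add the CVE once it is assigned (the cover mail expects the assignment on 2 Feb).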

Re: openssl wheezy update

2017-01-31 Thread Kurt Roeckx
On Tue, Jan 31, 2017 at 11:13:55PM +0100, Emilio Pozuelo Monfort wrote:
> Hi Kurt,
> 
> I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I 
> have
> done some smoke testing on it and it seems fine, but I haven't been able to
> verify the three fixes as I can't find exploits for them (there is mention of
> one for CVE-2016-8610 in [1] but I can't find the actual file).
> 
> Do you have any suggestion for how to verify / test the update?
> 
> Do you want to upload this or should I take care of it?

Feel free to upload this.

The upstream version in jessie and wheezy, so the patches should
just apply.

I only have a test for the 32 bit crashes. It would require getting
the fuzzers working in the 1.0.1 version, which should be that
hard.

The other would be a cache timing attack, and I really have no
good way to test that.

I suggest you just upload it.


Kurt



Re: Wheezy update of xrdp?

2017-01-31 Thread Bálint Réczey
Hi Dominik,

2016-12-23 12:08 GMT+01:00 Dominik George :
> Hi Chris,
>
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of xrdp:
>> https://security-tracker.debian.org/tracker/source-package/xrdp
>>
>> Would you like to take care of this yourself?
>
> I will use this as a chance to retreat from Christmas celebrations at
> some point this weekend ;).

Do you still plan on fixing the issue?

Cheers,
Balint

>
> -nik
>
> --
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
>
> Dominik George · Hundeshagenstr. 26 · 53225 Bonn
> Mobile: +49-1520-1981389 · https://www.dominik-george.de/
>
> Teckids e.V. · FrOSCon e.V.
> Fellowship of the FSFE · Piratenpartei Deutschland
> Opencaching Deutschland e.V. · Debian Maintainer
>
> LPIC-3 Linux Enterprise Professional (Security)



LTS report for January

2017-01-31 Thread Emilio Pozuelo Monfort
Hi,

This month I was allocated 12.75h (plus 2.5h carried from last month). I spent
this time doing the following:

- DLA 684-2: libx11 regression update
- DLA 784-1: gcc-mozilla new package
- DLA 800-1: firefox-esr security update
- DLA 801-1: libxpm security update
- DLA 802-1: openjdk-7 security update
- DLA 803-1: lcms2 security update
- DLA 811-1: libplist security update
- DLA 812-1: ikiwiki security update
- prepared and tested openssl update
- reviewed pending graphicsmagick update

Cheers,
Emilio



openssl wheezy update

2017-01-31 Thread Emilio Pozuelo Monfort
Hi Kurt,

I have prepared an update of openssl for wheezy based on 1.0.1t-1+deb8u6. I have
done some smoke testing on it and it seems fine, but I haven't been able to
verify the three fixes as I can't find exploits for them (there is mention of
one for CVE-2016-8610 in [1] but I can't find the actual file).

Do you have any suggestion for how to verify / test the update?

Do you want to upload this or should I take care of it?

Test packages at https://people.debian.org/~pochu/lts/openssl/ in case someone
can give them a try.

Thanks,
Emilio

[1] http://www.openwall.com/lists/oss-security/2016/10/24/3
diff -Nru openssl-1.0.1t/debian/changelog openssl-1.0.1t/debian/changelog
--- openssl-1.0.1t/debian/changelog 2016-09-25 11:19:14.0 +0200
+++ openssl-1.0.1t/debian/changelog 2017-01-31 22:04:44.0 +0100
@@ -1,3 +1,13 @@
+openssl (1.0.1t-1+deb7u2) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Backport changes from 1.0.1t-1+deb8u6:
+  * Fix CVE-2016-8610
+  * Fix CVE-2017-3731
+  * Fix CVE-2016-7056
+
+ -- Emilio Pozuelo Monfort   Tue, 31 Jan 2017 22:04:44 +0100
+
 openssl (1.0.1t-1+deb7u1) wheezy-security; urgency=medium
 
   * New upstream version, based on the version in jessie.
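Review bot: the three `* Fix CVE-...` entries sit at the same level as `* Backport changes from 1.0.1t-1+deb8u6:`, so the trailing colon on that line introduces nothing; either indent them as sub-items (`    - Fix CVE-2016-8610` and so on) so the changelog shows they are the backported fixes, or drop the colon. Everything else in the entry (distribution wheezy-security, version 1.0.1t-1+deb7u2, NMU note) reads as expected for an LTS upload.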
diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-7056.patch 
openssl-1.0.1t/debian/patches/CVE-2016-7056.patch
--- openssl-1.0.1t/debian/patches/CVE-2016-7056.patch   1970-01-01 
01:00:00.0 +0100
+++ openssl-1.0.1t/debian/patches/CVE-2016-7056.patch   2017-01-31 
22:03:37.0 +0100
@@ -0,0 +1,12 @@
+--- a/crypto/ecdsa/ecs_ossl.c
 b/crypto/ecdsa/ecs_ossl.c
+@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, 
BIGNUM **kinvp,
+ if (!BN_add(k, k, order))
+ goto err;
+
++BN_set_flags(k, BN_FLG_CONSTTIME);
++
+ /* compute r the x-coordinate of generator * k */
+ if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
+
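Review bot: this patch file has no DEP-3 header, it opens directly with `--- a/crypto/ecdsa/ecs_ossl.c`; add at least `Subject: CVE-2016-7056` and the upstream commit reference, as CVE-2016-8610.patch in the same debdiff does, so the origin of the backport is recorded in the package. The change itself, `BN_set_flags(k, BN_FLG_CONSTTIME)` placed right after the `if (!BN_add(k, k, order))` check and before `EC_POINT_mul`, is the constant-time fix, and since it is a timing issue rather than a crash there is no exploit to run against it: the regression check is that the package's own signing tests still pass (ECDSA signatures must still verify). As with the other files, the `+++` header line arrived as ` b/crypto/ecdsa/ecs_ossl.c` without its marker, so confirm the file still applies with `quilt push`.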
diff -Nru openssl-1.0.1t/debian/patches/CVE-2016-8610.patch 
openssl-1.0.1t/debian/patches/CVE-2016-8610.patch
--- openssl-1.0.1t/debian/patches/CVE-2016-8610.patch   1970-01-01 
01:00:00.0 +0100
+++ openssl-1.0.1t/debian/patches/CVE-2016-8610.patch   2017-01-31 
22:03:37.0 +0100
@@ -0,0 +1,128 @@
+Subject: CVE-2016-8610
+
+This is a combination of commit 22646a075e75991b4e8f5d67171e45a6aead5b48 and
+f1185392189641014dca94f3fe7834bccb5f4c16
+
+index 7e3a7b480e..cb74d467bb 100644
+Index: openssl-1.0.1t/ssl/s3_pkt.c
+===
+--- openssl-1.0.1t.orig/ssl/s3_pkt.c
 openssl-1.0.1t/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+ return (ret);
+ }
+ 
++/*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++s->cert->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+ 
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@ int ssl3_read_bytes(SSL *s, int type, un
+ 
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++s->cert->alert_count++;
++if (s->cert->alert_count == MAX_WARN_ALERT_COUNT) {
++al = SSL_AD_UNEXPECTED_MESSAGE;
++SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++goto f_err;
++}
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+@@ -1406,16 +1421,13 @@ int ssl3_read_bytes(SSL *s, int type, un
+ 
+ switch (rr->type) {
+ default:
+-#ifndef OPENSSL_NO_TLS
+ /*
+- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
+- * an unexpected message alert.
++ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, 
but
++ * TLS 1.2 says you MUST send an unexpected message alert. We use the
++ * TLS 1.2 behaviour for all protocol versions to prevent issues where
++ * no progress is being made and the peer continually sends 
unrecognised
++ * record types, using up resources processing them.
+  */
+-if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
+-rr->length = 0;
+-goto start;
+-}
+-#endif
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
+ goto f_err;
+Index: openssl-1.0.1t/ssl/d1_pkt.c
+===
+--- openssl-1.0.1t.orig/ssl/d1_pkt.c
 openssl-1.0.1t/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@ int dtls1_read_bytes(SSL *s, int type, u
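Review bot: the new code relies on three definitions that are not among the lines visible here: `MAX_WARN_ALERT_COUNT`, the `alert_count` member of `s->cert`, and the `SSL_R_TOO_MANY_WARN_ALERTS` reason code with its error-string entry; the patch file is cut off inside the d1_pkt.c hunk (`+@@ -924,6 +924,13 @@`), so confirm the remaining lines add those to the 1.0.1t header and error table, otherwise the build fails. The third s3_pkt.c hunk is also a behaviour change, not just a limit: by removing the `#ifndef OPENSSL_NO_TLS` block, unknown record types now trigger `SSL_AD_UNEXPECTED_MESSAGE` for TLS 1.0 and 1.1 as well, which is the part most likely to surface as a regression with unusual peers, so the smoke testing should include a TLS 1.0 client. The `Index:` lines are followed by `===` rather than the full separator quilt writes; harmless for patch(1), but worth a look if applying fails.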

Re: graphicsmagick update

2017-01-31 Thread Guido Günther
On Tue, Jan 31, 2017 at 04:07:19PM -0500, Antoine Beaupré wrote:
> On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> > I'd say it makes sense to release a regression update.
> >
> > BTW I'm not sure about this change, which is not mentioned in your 
> > changelog entry:
> >
> > --- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
> > +++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
> > @@ -36,7 +36,7 @@
> >  CFLAGS = -Wall -g -fno-strict-aliasing
> >  LDFLAGS =
> >
> > -include /usr/share/hardening-includes/hardening.make
> > +-include /usr/share/hardening-includes/hardening.make
> >  CFLAGS += $(HARDENING_CFLAGS)
> >  LDFLAGS += $(HARDENING_LDFLAGS)
> 
> This is to silence failure to include the file in later versions of
> hardening-includes (from stretch and later) that would prevent pdebuild,
> git-buildpackage and other tools from firing the build from sid or
> stretch.
> 
> I still build the package inside a woody chroot, of course, this is just
> to trigger the build.
> 
> But maybe there's another way to fix this that I don't know?
> 
> Are you people all still running wheezy or jessie? ;)

You can run with '-nc' to avoid pbuilder invoking clean outside of the
chroot.
 -- Guido

> 
> A.
> 
> -- 
> Choose a job you love and you will never have to work a day in your
> life.
>  - Confucius
> 



Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Bálint Réczey
Hi Emilio,

2017-01-31 22:14 GMT+01:00 Emilio Pozuelo Monfort :
> Hi Balint,
>
> On 31/01/17 21:46, Balint Reczey wrote:
>> Log:
>> wavpack's issues don't affect wheezy
>>
>> The first part of the upstream patch is not needed since the
>> code is very different and not vulnerable.
>> The second part applies, but does not make any difference when
>> trying the exploits. Tested with valgrind on Wheezy.
>
> These issues were found with address sanitizer, so I don't think checking with
> valgrind is enough (it's not the same).
>
> May be worth checking with asan (it should be available in wheezy's llvm 3.1).

I was able to reproduce the heap issues on sid with valgrind but I
give llvm a try, too.

Cheers,
Balint



Re: [Secure-testing-commits] r48631 - in data: . CVE

2017-01-31 Thread Emilio Pozuelo Monfort
Hi Balint,

On 31/01/17 21:46, Balint Reczey wrote:
> Log:
> wavpack's issues don't affect wheezy
> 
> The first part of the upstream patch is not needed since the
> code is very different and not vulnerable.
> The second part applies, but does not make any difference when
> trying the exploits. Tested with valgrind on Wheezy.

These issues were found with address sanitizer, so I don't think checking with
valgrind is enough (it's not the same).

May be worth checking with asan (it should be available in wheezy's llvm 3.1).

Cheers,
Emilio



Re: graphicsmagick update

2017-01-31 Thread Antoine Beaupré
On 2017-01-31 21:42:41, Emilio Pozuelo Monfort wrote:
> I'd say it makes sense to release a regression update.
>
> BTW I'm not sure about this change, which is not mentioned in your changelog 
> entry:
>
> --- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
> +++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
> @@ -36,7 +36,7 @@
>  CFLAGS = -Wall -g -fno-strict-aliasing
>  LDFLAGS =
>
> -include /usr/share/hardening-includes/hardening.make
> +-include /usr/share/hardening-includes/hardening.make
>  CFLAGS += $(HARDENING_CFLAGS)
>  LDFLAGS += $(HARDENING_LDFLAGS)

This is to silence failure to include the file in later versions of
hardening-includes (from stretch and later) that would prevent pdebuild,
git-buildpackage and other tools from firing the build from sid or
stretch.

I still build the package inside a woody chroot, of course, this is just
to trigger the build.

But maybe there's another way to fix this that I don't know?

Are you people all still running wheezy or jessie? ;)

A.

-- 
Choose a job you love and you will never have to work a day in your
life.
 - Confucius
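The `include` to `-include` change discussed above has a side effect: when hardening.make is absent, GNU make silently continues and the hardening variables are empty. As an added example, not taken from the graphicsmagick package or from any of the posters, here is a debian/rules fragment that keeps the optional include so `clean` can still be run from a stretch/sid host, but makes the build target refuse to continue when HARDENING_CFLAGS came back empty. The `build` and `clean` recipes are placeholders for the real ones; the include path is the one from the quoted diff.

```makefile
#!/usr/bin/make -f
# Added example (hypothetical debian/rules fragment): tolerate a missing
# hardening.make for targets that tools run outside the chroot, but never
# build a package without the hardening flags.

CFLAGS = -Wall -g -fno-strict-aliasing
LDFLAGS =

# `-include` (leading dash) makes GNU make ignore a missing file instead of
# aborting, so parsing this file succeeds on a host without the
# hardening-includes package. The price: HARDENING_CFLAGS and
# HARDENING_LDFLAGS are then simply empty, with no error.
-include /usr/share/hardening-includes/hardening.make
CFLAGS += $(HARDENING_CFLAGS)
LDFLAGS += $(HARDENING_LDFLAGS)

# Fail loudly before building: the build must only run inside the wheezy
# chroot, where the include exists. An empty HARDENING_CFLAGS means the
# include was skipped and the result would be an unhardened package.
check-hardening:
	@if [ -z "$(strip $(HARDENING_CFLAGS))" ]; then \
		echo "hardening.make not found: HARDENING_CFLAGS is empty, refusing to build" >&2; \
		exit 1; \
	fi

build: check-hardening
	$(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)"   # placeholder for the real build steps

# clean does not need the hardening flags, so it works on either host.
clean:
	dh_clean   # placeholder for the real clean steps

.PHONY: build check-hardening clean
```

Run from a host without hardening-includes, `debian/rules clean` succeeds while `debian/rules build` exits with the error message, which is the behaviour a security upload should have; inside the wheezy chroot the include is found and the check passes.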



Re: graphicsmagick update

2017-01-31 Thread Emilio Pozuelo Monfort
On 16/01/17 20:48, Antoine Beaupré wrote:
> Hi,
> 
> I've looked at updating the graphicsmagick (GM) update to fix the issues
> outlined in a [recent discussion][1]. The fix to CVE-2016-5240.patch is
> trivial. I can also confirm the current GM version in wheezy-security
> segfaults with the POC.
> 
> I've had difficulties fixing the pending CVE-2016-9830 in wheezy,
> however. The patch depends on the fairly new height/width "magick
> resource limit" management, which was introduced in [January
> 2015][2]. The [patch][2] is rather intrusive and I don't think is a good
> candidate for wheezy, especially because it probably breaks ABI
> compatibility. Attached is my best shot at porting the patch for
> CVE-2016-9830, which fails to comply, but may be useful for jessie or
> others.
> 
> So I don't see any choice but to mark that issue as no-dsa. The impact
> of the patch is more of a DOS (memory exhaustion, from what I can tell)
> than code execution, so I think it doesn't warrant major code changes.
> 
> I have built a package for amd64 in the [usual location][3] and attached
> the debdiff for the debu6 update. I confirm the patch here fixes
> CVE-2016-5240 properly.
> 
> I am not sure I should upload this directly now considering it's such a
> small fix, but given that it crashes with the bad data, maybe it's worth
> it?

I'd say it makes sense to release a regression update.

BTW I'm not sure about this change, which is not mentioned in your changelog 
entry:

--- graphicsmagick-1.3.16/debian/rules  2016-09-20 23:52:26.0 +0200
+++ graphicsmagick-1.3.16/debian/rules  2017-01-16 19:22:54.0 +0100
@@ -36,7 +36,7 @@
 CFLAGS = -Wall -g -fno-strict-aliasing
 LDFLAGS =

-include /usr/share/hardening-includes/hardening.make
+-include /usr/share/hardening-includes/hardening.make
 CFLAGS += $(HARDENING_CFLAGS)
 LDFLAGS += $(HARDENING_LDFLAGS)
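Review bot: changing `include` to `-include` makes GNU make silently skip a missing /usr/share/hardening-includes/hardening.make, after which `$(HARDENING_CFLAGS)` and `$(HARDENING_LDFLAGS)` expand to nothing and the package builds without hardening and without any error, which is a risky default for a security update and is not mentioned in the changelog. If the goal is only to let `clean` run outside the wheezy chroot, prefer keeping the hard `include` and invoking pbuilder with `-nc`, or add a check in the build target that `$(HARDENING_CFLAGS)` is non-empty; either way the change should be recorded in the changelog entry.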


Cheers,
Emilio



[SECURITY] [DLA 812-1] ikiwiki security update

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: ikiwiki
Version: 3.20120629.2+deb7u2
CVE ID : CVE-2016-9646 CVE-2016-10026 CVE-2017-0356

Several vulnerabilities have been found in ikiwiki, a wiki compiler:

CVE-2016-9646

Commit metadata forgery

CVE-2016-10026

Authorization bypass when reverting changes

CVE-2017-0356

Authentication bypass via repeated parameters

For Debian 7 "Wheezy", these problems have been fixed in version
3.20120629.2+deb7u2.

We recommend that you upgrade your ikiwiki packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAliQ834ACgkQnUbEiOQ2
gwIoeRAAxEo7VM/VfbH88o89gI42UpqnpC7m4/p83bpPP3WTbW5KwBemJ8IRfn/i
QesVtU0f8qJFtNeouTqDQTKb23g28PZGfAfNTinYb0jOJRouk8PS/D17YSxal4LL
scfb9X8GgScDQ+vZ/QyfvFa4f7Xwbz0Uo4btiUtw8v1WrcbmRjuV1ISWRu3sGzmJ
CTzVGa0Y8Rq0yGgDBzw+jzF0DAKEXVBx1Ccmr6fTkM6x6EbVK5phdSo4Fe1uZGc+
2s6nfTrseKP89n8TlXkcTKXGoOrGz8aZ9NBENEf9BxGzXLFcVmGJ0m6iDdQ6zUwl
n/guav6cYB0ElFMtfGOJyf/A01pesWMAggvzb0mg79L/acWNhZjP6f3GbCJr+xkt
xZPz+GBEsytyAkJ2RowyDd/aZlhy23DAFwf1BaKmayYxnWeuaymF5uY7zvEvRlBc
RB53CKMnfivdfR2b/i7GuICEeDQy0sG73GggWdFvHPAkX1p4c3SimNHqlg2xXvWO
tJk3eNJGeUG5kkbNDYOxbn5vZazkKvRGbtHJ6Xbd6tnE5HWtAU1IUiRHNbIsLNwc
vrs5SUE1AOFjo9mOgUrEu+pPnwUDeIso+j+OT7slRfIzTdVmRqNCL6vuwoMvbFMX
SCjeKj/H6QRthAw+hfex2+pw30dMXYkR3ACDc0krs1lDNowILs0=
=0A0c
-----END PGP SIGNATURE-----



[SECURITY] [DLA 811-1] libplist security update

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libplist
Version: 1.8-1+deb7u1
CVE ID : CVE-2017-5209 CVE-2017-5545
Debian Bug : 851196 852385

The following vulnerabilities have been fixed in libplist:

CVE-2017-5209

Out of bounds read when parsing specially crafted Apple plist file

CVE-2017-5545

Heap buffer overflow via crafted Apple plist file

For Debian 7 "Wheezy", these problems have been fixed in version
1.8-1+deb7u1.

We recommend that you upgrade your libplist packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Accepted ikiwiki 3.20120629.2+deb7u2 (source all) into oldstable

2017-01-31 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 31 Jan 2017 19:00:50 +0100
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 3.20120629.2+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Simon McVittie 
Changed-By: Emilio Pozuelo Monfort 
Description: 
 ikiwiki- a wiki compiler
Closes: 682237 835612
Changes: 
 ikiwiki (3.20120629.2+deb7u2) wheezy-security; urgency=medium
 .
   [ Simon McVittie ]
   * Security: force CGI::FormBuilder->field to scalar context where
 necessary, avoiding unintended function argument injection
 analogous to CVE-2014-1572.
 - passwordauth: prevent authentication bypass via multiple name
   parameters (CVE-2017-0356, OVE-20170111-0001)
 - passwordauth: prevent userinfo forgery via repeated email
   parameter (also CVE-2017-0356)
 - comments, editpage: prevent commit metadata forgery
   (CVE-2016-9646, OVE-20161226-0001)
 - CGI, attachment, comments, editpage, notifyemail, passwordauth,
   po, rename: harden against similar issues that are not believed
   to be exploitable
   * t/passwordauth.t: new automated test for CVE-2017-0356
   * Backport IkiWiki::Plugin::git from 3.20170110 to fix the following
 bugs, including one minor security vulnerability:
 - Security: try revert operations before approving them. Previously,
   automatic rename detection could result in a revert writing outside
   the wiki srcdir or altering a file that the reverting user should not
   be able to alter, an authorization bypass.
   (CVE-2016-10026 represents the original vulnerability.)
   The incomplete fix released in 3.20161219 was not effective for git
   versions prior to 2.8.0rc0.
   (CVE-2016-9645 represents that incomplete solution. Debian stable
   was never vulnerable to this one.)
 - Fix the warnings "cannot chdir to .../ikiwiki-temp-working: No such
   file or directory" seen in the initial fixes for those security issues
 - If no committer identity is known, set it to
   "IkiWiki " in .git/config. This resolves commit errors
   in versions of git that require a non-trivial committer identity.
 - Use git log --no-renames to generate recentchanges, fixing the git
   test-case with git 2.9 (Closes: #835612)
 - Don't issue a warning if the rcsinfo CGI parameter is undefined
 - Do not fail to commit changes with a recent git version
   and an anonymous committer
 - Do not fail on filenames starting with a dash
   (patch from Florian Wagner)
 - Don't add a redundant "--" and run "git rev-list ... -- -- ..."
   * Backport t/git-cgi.t from 3.20170110 to have automated test coverage
 for using the CGI with git, including tests for CVE-2016-10026
  - Build-depend on libipc-run-perl for better build-time test coverage
   * Backport tests' installed-test (autopkgtest) support from 3.20160121,
 adjusted for compatibility with the older pkg-perl-autopkgtest in jessie
 - d/control: add enough build-dependencies to run all tests, except for
   non-git VCSs
   * Split CFLAGS into words when building wrapper, fixing build-time test
 failure. Closes: #682237 (patch from Joey Hess, backported from
 3.20120630)
   * In the CGI wrapper, incorporate $config{ENV} into the environment
 before executing Perl code, so that PERL5LIB can point to a
 non-system-wide installation of IkiWiki. Some build-time tests rely
 on this, in particular t/git-cgi.t.
 (patch from Lafayette Chamber Singers Webmaster, backported from
 3.20140916)
 .
   [ Emilio Pozuelo Monfort ]
   * Upload to wheezy-security.
Checksums-Sha1: 
 3a9e3121597b333b76aee80d244f76475b7591b3 2095 ikiwiki_3.20120629.2+deb7u2.dsc
 6b12392969ff8ea2f5a5f34ee0afc093d5753c86 2853725 
ikiwiki_3.20120629.2+deb7u2.tar.gz
 27f858b57736b3658fb5595dc2ce12129dc6ede8 1802612 
ikiwiki_3.20120629.2+deb7u2_all.deb
Checksums-Sha256: 
 20a1ed49d27581a84a6fe05eaac93767e219d8070aca581fceb37aa42054f9a5 2095 
ikiwiki_3.20120629.2+deb7u2.dsc
 b28409b2ed8f1da4daf40e5b803b96ae4e760d2f68b4754b3da27700b92278f5 2853725 
ikiwiki_3.20120629.2+deb7u2.tar.gz
 b845aa8800e70774bca7423f37e1618ef62756979322b67e8f98ffee9d6b501a 1802612 
ikiwiki_3.20120629.2+deb7u2_all.deb
Files: 
 013df2bd139b40eb321d768a7fec77df 2095 web optional 
ikiwiki_3.20120629.2+deb7u2.dsc
 3bcf594c3c94cf491a23e4de78a9ba0d 2853725 web optional 
ikiwiki_3.20120629.2+deb7u2.tar.gz
 625f5aa8475f0031da89840788f9a6c4 1802612 web optional 
ikiwiki_3.20120629.2+deb7u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAliQ2BEACgkQnUbEiOQ2
gwI/5hAAh6GWmjMkIvo1QOzKcuufqZKgeW3FIuzuXtSWfyl/PIm/9N8vapMflo2p
Rd9rzLo5GdczwxZwq9qVIeNj47HC3JhmxKq8AhCFWFvDaGuQIzZDNbRZIb9M6ZZ+
I2ODtz0aO56YsXZ5aGsAQrfOh3x6FkgCXJJVrMGKmBtQxeWzew5B6gIXberMgz90
sYKrglDiYGKwMbgpgfXumHCIJfOaO5RrXZIA40uVLX73TjYwNqvWVUgXualBkmOu

Re: Accepted openjdk-7 7u121-2.6.8-1~deb7u1 (source all amd64) into oldstable

2017-01-31 Thread Ola Lundqvist
Ok, thanks.

// Ola

On 31 January 2017 at 00:35, Emilio Pozuelo Monfort  wrote:
> On 27/01/17 22:18, Ola Lundqvist wrote:
>> Hi Emilio
>>
>> I saw that you have uploaded a new openjdk-7 package. Were that
>> package supposed to fix the current issues reported for openjdk-7 or
>> was that corrections for earlier version?
>
> It doesn't fix the latest round of CVEs.
>
>> I'm asking because:
>> 1) I have not seen the DLA. It seems to have gone missing.
>
> afaics it's there:
>
> https://lists.debian.org/debian-lts-announce/2017/01/msg00037.html
>
>> 2) I would like to know whether I should (re-)add the openjdk-7
>> package to dla-needed.txt or not.
>
> I did that. Still waiting for upstream to release the update.
>
> Cheers,
> Emilio



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---