Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-09 Thread Salvatore Bonaccorso
Hi Ola,

On Mon, Apr 09, 2018 at 08:59:32PM +0200, Ola Lundqvist wrote:
> Hi all
> 
> I found another issue that looks very similar. It is
> https://security-tracker.debian.org/tracker/CVE-2018-6594
> 
> Should we treat it the same way, marking it as ignored?

I guess you mean CVE-2018-6829?

If so this has already been marked unimportant with an explanation why
we think so in the notes.

Regards,
Salvatore



libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update

2018-04-09 Thread Ola Lundqvist
Hi all

I found another issue that looks very similar. It is
https://security-tracker.debian.org/tracker/CVE-2018-6594

Should we treat it the same way, marking it as ignored?

Best regards

// Ola

On 9 April 2018 at 07:26, Salvatore Bonaccorso wrote:

> Hi Brian,
>
> On Fri, Apr 06, 2018 at 07:06:30PM +1000, Brian May wrote:
> > Ola Lundqvist writes:
> >
> > > This is what I think we should do.
> > >
> > > 1) Send a new DLA telling that the fix is only partial and not
> > > complete and in addition that elgamal encryption is not supported by
> > > the library and should not be used.
> > >
> > > 2) Mark the CVE as no-dsa/ignored in the security database.
> >
> > If so, do we update the DLA 1283-1 to remove the fixed status? I assume
> > we just have to update the entry in security-tracker/data/DLA/list?
>
> Yes, if that is what you want to do, to remove the fixed status, just
> remove the CVE entry from the DLA-1283-1 block in data/DLA/list.
>
> At the same time remove as well the cross-reference to DLA-1283-1 in
> data/CVE/list, which otherwise will be dropped on the next automatic
> run.
>
> Regards,
> Salvatore
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com      Folkebogatan 26              \
|  o...@debian.org      654 68 KARLSTAD              |
|  http://inguza.com/   Mobile: +46 (0)70-332 1551   |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


[SECURITY] [DLA 1343-1] ming security update

2018-04-09 Thread Hugo Lefeuvre
Package: ming
Version: 0.4.4-1.1+deb7u8
CVE ID : CVE-2018-6358 CVE-2018-7867 CVE-2018-7868 CVE-2018-7870 CVE-2018-7871 CVE-2018-7872 CVE-2018-7875 CVE-2018-9165

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-6358

Heap-based buffer overflow vulnerability in the printDefineFont2 function
(util/listfdb.c). Remote attackers might leverage this vulnerability to
cause a denial of service via a crafted swf file.

CVE-2018-7867

Heap-based buffer overflow vulnerability in the getString function
(util/decompile.c) during a RegisterNumber sprintf. Remote attackers might
leverage this vulnerability to cause a denial of service via a crafted swf
file.

CVE-2018-7868

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7870

Invalid memory address dereference in the getString function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7871

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7872

Invalid memory address dereference in the getName function
(util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7875

Heap-based buffer over-read vulnerability in the getName function
(util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this
vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-9165

The pushdup function (util/decompile.c) performs shallow copy of String
elements (instead of deep copy), allowing simultaneous change of multiple
elements of the stack, which indirectly makes the library vulnerable to a
NULL pointer dereference in getName (util/decompile.c). Remote attackers
might leverage this vulnerability to cause a denial of service via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version
0.4.4-1.1+deb7u8.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 1342-1] ldap-account-manager security update

2018-04-09 Thread Brian May
Package: ldap-account-manager
Version: 3.7-2+deb7u1
CVE ID : CVE-2018-8763

Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web
front-end for LDAP directories.

CVE-2018-8763

The found Reflected Cross Site Scripting (XSS) vulnerability might
allow an attacker to execute JavaScript code in the browser of the
victim or to redirect her to a malicious website if the victim clicks
on a specially crafted link.

For Debian 7 "Wheezy", these problems have been fixed in version
3.7-2+deb7u1.

We recommend that you upgrade your ldap-account-manager packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted ldap-account-manager 3.7-2+deb7u1 (source all) into oldoldstable

2018-04-09 Thread Brian May
Format: 1.8
Date: Wed, 04 Apr 2018 17:46:49 +1000
Source: ldap-account-manager
Binary: ldap-account-manager ldap-account-manager-lamdaemon
Architecture: source all
Version: 3.7-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Gruber 
Changed-By: Brian May 
Description:
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
 ldap-account-manager-lamdaemon - Quota and home directory management for LDAP Account Manager
Changes:
 ldap-account-manager (3.7-2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-8763: XSS attacks via untrusted parameters.
Checksums-Sha1:
 7d2b81cd5621c5c2d0330d0a0c7e57e58ae8ffaa 1920 ldap-account-manager_3.7-2+deb7u1.dsc
 0b9201a09b67ca8a80107be15061253763716e5a 9157357 ldap-account-manager_3.7.orig.tar.gz
 a1b5ffecc8c5bb66f038a182147b890fa5f9de4b 26366 ldap-account-manager_3.7-2+deb7u1.debian.tar.gz
 b73fb14673b8457674adc8d4810d77cbfc7fdd8f 9106286 ldap-account-manager_3.7-2+deb7u1_all.deb
 2d56646ff0b7dc151a8c7f3bbe887ae7c448aec7 4932946 ldap-account-manager-lamdaemon_3.7-2+deb7u1_all.deb
Checksums-Sha256:
 aa240db3445b85dd083fa0a58f36fe83e09449b0061ceebd07059d46e7255538 1920 ldap-account-manager_3.7-2+deb7u1.dsc
 75aa09ed390c13a7ad3a1a53964f48847afae4d4697f611cfd71b51e1b0f71d3 9157357 ldap-account-manager_3.7.orig.tar.gz
 bf3eb1c84abdce7ce09678205ca747ac826157ec76844d423c90ab7b3ff2369a 26366 ldap-account-manager_3.7-2+deb7u1.debian.tar.gz
 33e40f485bb276e12c80480968ca80a69697ff90b6ddbea40ea1a1784dddb348 9106286 ldap-account-manager_3.7-2+deb7u1_all.deb
 f899cb0077d3e08757eff41fb49182622090e99233df8476e64dc65021c59e5c 4932946 ldap-account-manager-lamdaemon_3.7-2+deb7u1_all.deb
Files:
 1f6e1aef17410e4741ea395fab6d501e 1920 web extra ldap-account-manager_3.7-2+deb7u1.dsc
 75504a4131632a20d5551649f5da4a0e 9157357 web extra ldap-account-manager_3.7.orig.tar.gz
 ba619b80cb7aa9926d83083d24a135d6 26366 web extra ldap-account-manager_3.7-2+deb7u1.debian.tar.gz
 9a90fa989ae1525799f667fa42ee92b9 9106286 web extra ldap-account-manager_3.7-2+deb7u1_all.deb
 85e71438a754bc359a200d22183f85f1 4932946 web extra ldap-account-manager-lamdaemon_3.7-2+deb7u1_all.deb




[SECURITY] [DLA 1283-2] python-crypto security update

2018-04-09 Thread Brian May
Package: python-crypto
Version: 2.6-4+deb7u8
This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue
described in CVE-2018-6594 is fixed. It turns out that the fix is partial and
upstream has decided not to fix the issue as it would break compatibility and
that ElGamal encryption was not intended to work on its own.

The recommendation is still to upgrade python-crypto packages. In addition,
please take into account that the fix is not complete. If you have an
application using python-crypto that implements ElGamal encryption, you should
consider changing to some other encryption method.

There will be no further update to python-crypto for this specific CVE. A fix
would break compatibility, the problem has been ignored by the regular Debian
Security team due to its minor nature, and in addition to that we are close to
the end of life of the Wheezy security support.

CVE-2018-6594:

python-crypto generated weak ElGamal key parameters, which allowed attackers to
obtain sensitive information by reading ciphertext data (i.e., it did not have
semantic security in face of a ciphertext-only attack).

We recommend that you upgrade your python-crypto packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
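The advisory says CVE-2018-6594 is about "weak ElGamal key parameters" and a lack of "semantic security in face of a ciphertext-only attack". The following Python is an added illustration, not part of the advisory and not python-crypto's code: it implements textbook ElGamal over Z_p^* on a constructed toy prime, shows that a passive observer can read the Legendre symbol of every raw plaintext from the ciphertext alone, and provides the parameter check (safe prime, generator of the quadratic-residue subgroup) plus the quadratic-residue message encoding that together remove that observable. The prime 1019, the generators 2 and 4, and all function names are constructed for this example.

```python
"""Added example (not python-crypto code): why textbook ElGamal over Z_p^*
is not semantically secure, and which parameter and encoding checks close
the Legendre-symbol leak. Toy parameters only; far too small for real use."""
import random


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion: 1, -1 or 0."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def is_prime(n):
    """Trial division; adequate for the small constructed parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_elgamal_group(p, g):
    """Findings for a textbook ElGamal group (p, g). For semantic security
    (under DDH) p must be a safe prime 2q+1 and g must generate the order-q
    subgroup of quadratic residues; plaintexts then also have to be encoded as
    quadratic residues (see encode_qr)."""
    findings = []
    if not is_prime(p):
        return ["p is not prime"]
    if not is_prime((p - 1) // 2):
        findings.append("p is not a safe prime: q = (p-1)/2 is composite")
    g %= p
    if g in (0, 1, p - 1):
        findings.append("g has order 1 or 2")
    elif legendre(g, p) == -1:
        findings.append("g is a quadratic non-residue (order p-1), not a "
                        "generator of the quadratic-residue subgroup")
    return findings


def keygen(p, g, rng):
    x = rng.randrange(1, p - 1)          # private exponent
    return x, pow(g, x, p)               # (x, public key y)


def encrypt(p, g, y, m, rng):
    k = rng.randrange(1, p - 1)          # per-message ephemeral exponent
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p, x, c1, c2):
    return (c2 * pow(pow(c1, x, p), p - 2, p)) % p


def observer_plaintext_symbol(p, y, c1, c2):
    """What anyone seeing (y, c1, c2) can compute without x:
    (c2/p) = (m/p)(y^k/p). If g is a non-residue, (c1/p) = (-1)^k gives the
    parity of k and (y^k/p) = (y/p)^k; if g is a residue, y^k is a residue."""
    k_odd = legendre(c1, p) == -1
    yk_symbol = legendre(y, p) if k_odd else 1
    return legendre(c2, p) * yk_symbol


def encode_qr(m, p):
    """Map 1 <= m <= (p-1)/2 into the residue subgroup. For p = 3 mod 4 exactly
    one of m and p-m is a quadratic residue."""
    return m if legendre(m, p) == 1 else p - m


def decode_qr(c, p):
    return c if c <= (p - 1) // 2 else p - c


def leak_count(p, g, seed=7):
    """Encrypt every raw plaintext 1..p-1 and count how often the observer's
    formula equals the true (m/p). A result of p-1 means the leak is total."""
    rng = random.Random(seed)
    x, y = keygen(p, g, rng)
    hits = 0
    for m in range(1, p):
        c1, c2 = encrypt(p, g, y, m, rng)
        assert decrypt(p, x, c1, c2) == m
        hits += observer_plaintext_symbol(p, y, c1, c2) == legendre(m, p)
    return hits


def c2_symbols(p, g, seed=7):
    """Set of (c2/p) values seen when plaintexts are QR-encoded under (p, g).
    With g of order q this is {1}: the observable carries no plaintext bits."""
    rng = random.Random(seed)
    x, y = keygen(p, g, rng)
    seen = set()
    for m in range(1, (p - 1) // 2 + 1):
        c1, c2 = encrypt(p, g, y, encode_qr(m, p), rng)
        assert decode_qr(decrypt(p, x, c1, c2), p) == m
        seen.add(legendre(c2, p))
    return seen


P = 1019      # constructed toy safe prime: 1019 = 2*509 + 1
G_WEAK = 2    # non-residue mod 1019 (1019 = 3 mod 8), so order p-1 = 1018
G_SAFE = 4    # 2^2 is a residue and generates the order-509 subgroup

if __name__ == "__main__":
    print(check_elgamal_group(P, G_WEAK))   # one finding about g
    print(check_elgamal_group(P, G_SAFE))   # []
    print(leak_count(P, G_WEAK), "of", P - 1, "plaintext symbols exposed")
    print(c2_symbols(P, G_SAFE))            # {1}
```

Two points the run makes concrete. First, `leak_count` is p-1 for both generators: the Legendre symbol of a raw plaintext is exposed whatever g is, so checking the generator alone (the kind of partial fix the advisory describes) does not buy semantic security. Second, only the combination of a generator of the order-q subgroup and plaintexts encoded into that subgroup makes (c2/p) constant, which is why a reviewer should check both the key parameters and how the application maps messages into the group.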