Re: libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Hi Ola,

On Mon, Apr 09, 2018 at 08:59:32PM +0200, Ola Lundqvist wrote:
> Hi all
>
> I found another issue that looks very similar. It is
> https://security-tracker.debian.org/tracker/CVE-2018-6594
>
> Should we treat it the same way, marking it as ignored?

I guess you mean CVE-2018-6829? If so this has already been marked
unimportant with an explanation why we think so in the notes.

Regards,
Salvatore
libgcrypt11 same issue? Was: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Hi all

I found another issue that looks very similar. It is
https://security-tracker.debian.org/tracker/CVE-2018-6594

Should we treat it the same way, marking it as ignored?

Best regards

// Ola

On 9 April 2018 at 07:26, Salvatore Bonaccorso wrote:
> Hi Brian,
>
> On Fri, Apr 06, 2018 at 07:06:30PM +1000, Brian May wrote:
> > Ola Lundqvist writes:
> >
> > > This is what I think we should do.
> > >
> > > 1) Send a new DLA telling that the fix is only partial and not complete and
> > > in addition that elgamal encryption is not supported by the library and
> > > should not be used.
> > >
> > > 2) Mark the CVE as no-dsa/ignored in the security database.
> >
> > If so, do we update the DLA 1283-1 to remove the fixed status? I assume
> > we just have to update the entry in security-tracker/data/DLA/list?
>
> Yes, if that is what you want to do, to remove the fixed status, just
> remove the CVE entry from the DLA-1283-1 block in data/DLA/list.
>
> At the same time remove as well the cross-reference to DLA-1283-1 in
> data/CVE/list, which OTOH otherwise will be dropped on next automatic
> run.
>
> Regards,
> Salvatore

-- 
--- Inguza Technology AB --- MSc in Information Technology ---
o...@inguza.com        Folkebogatan 26
o...@debian.org        654 68 KARLSTAD
http://inguza.com/     Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
[SECURITY] [DLA 1343-1] ming security update
Package: ming
Version: 0.4.4-1.1+deb7u8
CVE ID : CVE-2018-6358 CVE-2018-7867 CVE-2018-7868 CVE-2018-7870 CVE-2018-7871 CVE-2018-7872 CVE-2018-7875 CVE-2018-9165

Multiple vulnerabilities have been discovered in Ming:

CVE-2018-6358

    Heap-based buffer overflow vulnerability in the printDefineFont2 function (util/listfdb.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7867

    Heap-based buffer overflow vulnerability in the getString function (util/decompile.c) during a RegisterNumber sprintf. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7868

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7870

    Invalid memory address dereference in the getString function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7871

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7872

    Invalid memory address dereference in the getName function (util/decompile.c) for CONSTANT16 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

CVE-2018-7875

    Heap-based buffer over-read vulnerability in the getName function (util/decompile.c) for CONSTANT8 data. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.
CVE-2018-9165

    The pushdup function (util/decompile.c) performs a shallow copy of String elements (instead of a deep copy), allowing simultaneous change of multiple elements of the stack, which indirectly makes the library vulnerable to a NULL pointer dereference in getName (util/decompile.c). Remote attackers might leverage this vulnerability to cause a denial of service via a crafted swf file.

For Debian 7 "Wheezy", these problems have been fixed in version 0.4.4-1.1+deb7u8.

We recommend that you upgrade your ming packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1342-1] ldap-account-manager security update
Package: ldap-account-manager
Version: 3.7-2+deb7u1
CVE ID : CVE-2018-8763

Michal Kedzior found two vulnerabilities in LDAP Account Manager, a web front-end for LDAP directories.

CVE-2018-8763

    The found Reflected Cross Site Scripting (XSS) vulnerability might allow an attacker to execute JavaScript code in the browser of the victim or to redirect her to a malicious website if the victim clicks on a specially crafted link.

For Debian 7 "Wheezy", these problems have been fixed in version 3.7-2+deb7u1.

We recommend that you upgrade your ldap-account-manager packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted ldap-account-manager 3.7-2+deb7u1 (source all) into oldoldstable
Format: 1.8
Date: Wed, 04 Apr 2018 17:46:49 +1000
Source: ldap-account-manager
Binary: ldap-account-manager ldap-account-manager-lamdaemon
Architecture: source all
Version: 3.7-2+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Roland Gruber
Changed-By: Brian May
Description:
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
 ldap-account-manager-lamdaemon - Quota and home directory management for LDAP Account Manager
Changes:
 ldap-account-manager (3.7-2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-8763: XSS attacks via untrusted parameters.
[SECURITY] [DLA 1283-2] python-crypto security update
Package: python-crypto
Version: 2.6-4+deb7u8

This is an update to DLA-1283-1. In DLA-1283-1 it is claimed that the issue described in CVE-2018-6594 is fixed. It turns out that the fix is partial and upstream has decided not to fix the issue as it would break compatibility and that ElGamal encryption was not intended to work on its own.

The recommendation is still to upgrade python-crypto packages. In addition please take into account that the fix is not complete. If you have an application using python-crypto that implements ElGamal encryption, you should consider changing to some other encryption method.

There will be no further update to python-crypto for this specific CVE. A fix would break compatibility, the problem has been ignored by the regular Debian Security team due to its minor nature and in addition to that we are close to the end of life of the Wheezy security support.

CVE-2018-6594

    python-crypto generated weak ElGamal key parameters, which allowed attackers to obtain sensitive information by reading ciphertext data (i.e., it did not have semantic security in face of a ciphertext-only attack).

We recommend that you upgrade your python-crypto packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS