Accepted elfutils 0.159-4.2+deb8u1 (source amd64) into oldstable

2019-02-25 Thread Thorsten Alteholz

Format: 1.8
Date: Mon, 25 Jan 2018 19:03:02 +0100
Source: elfutils
Binary: elfutils libelf1 libelf-dev libdw-dev libdw1 libasm1 libasm-dev
Architecture: source amd64
Version: 0.159-4.2+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Kurt Roeckx 
Changed-By: Thorsten Alteholz 
Description:
 elfutils   - collection of utilities to handle ELF objects
 libasm-dev - libasm development libraries and header files
 libasm1    - library with a programmable assembler interface
 libdw-dev  - libdw1 development libraries and header files
 libdw1     - library that provides access to the DWARF debug information
 libelf-dev - libelf1 development libraries and header files
 libelf1    - library to read and write ELF files
Changes:
 elfutils (0.159-4.2+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-7665
 Due to a heap-buffer-overflow problem in function elf32_xlatetom(),
 a crafted ELF input can cause segmentation faults.
   * CVE-2019-7150
 Add sanity check for partial core file dynamic data read.
   * CVE-2019-7149
 Due to a heap-buffer-overflow problem in function read_srclines(),
 a crafted ELF input can cause segmentation faults.
   * CVE-2018-18521
 By using a crafted ELF file containing a zero sh_entsize, a
 divide-by-zero vulnerability could allow remote attackers to
 cause a denial of service (application crash).
   * CVE-2018-18520
 By fuzzing, an Invalid Address Dereference problem in function elf_end
 has been found.
   * CVE-2018-18310
 By fuzzing, an Invalid Address Read problem in eu-stack has been found.
   * CVE-2018-16062
 By using an AddressSanitizer, a heap-buffer-overflow has been found.
   * CVE-2017-7613
 By using fuzzing, it was found that an allocation failure was not
 handled properly.
   * CVE-2017-7612
 By using a crafted ELF file containing an invalid sh_entsize,
 remote attackers could cause a denial of service (application crash).
   * CVE-2017-7611
 By using a crafted ELF file, remote attackers could cause a denial
 of service (application crash).
   * CVE-2017-7610
 By using a crafted ELF file, remote attackers could cause a denial
 of service (application crash).
   * CVE-2017-7608
 By fuzzing, a heap-based buffer overflow has been detected.
Checksums-Sha1:
 93e11c9cf1a9e7ff2564ae812a14dc68714c36ae 2460 elfutils_0.159-4.2+deb8u1.dsc
 4ff214cdb95a10b03cf413f3d018393a838f98fc 5469000 elfutils_0.159.orig.tar.bz2
 f3213fdf8c524ebd4d0ec335804dea9df097dd0c 54752 elfutils_0.159-4.2+deb8u1.debian.tar.xz
 505c85572f227f8244c8cdd19e0cc9f02a608ddc 274896 elfutils_0.159-4.2+deb8u1_amd64.deb
 c90c4c62b8780dfc9850449eadf7d04a40bc6d1f 160044 libelf1_0.159-4.2+deb8u1_amd64.deb
 6fe42e1cd5817214da621234e03243e55dc57289 59328 libelf-dev_0.159-4.2+deb8u1_amd64.deb
 6096d6c99025e822f5cee0414e3ec5d8345f0fb7 152224 libdw-dev_0.159-4.2+deb8u1_amd64.deb
 08c6962981a328db021df9f114af4a7d48fa01f6 191148 libdw1_0.159-4.2+deb8u1_amd64.deb
 521890676723acd15bd762b900605b3693888139 26564 libasm1_0.159-4.2+deb8u1_amd64.deb
 ba442ecd7627f5d8dd44ae818d97e6024ec7eef1 28522 libasm-dev_0.159-4.2+deb8u1_amd64.deb
Checksums-Sha256:
 86450e04f505b6494f37c3feb7e49dfd45b1e41cab1feb8fd2e076289ab331cf 2460 elfutils_0.159-4.2+deb8u1.dsc
 fffaad1ba0c4ac5c8cee56dc195746e1f1e7197ba3eba7052ad5a3635ac1242e 5469000 elfutils_0.159.orig.tar.bz2
 afa398db92ca15a2561edb75196a83dda66acc48fb4e1b52259e2312306a 54752 elfutils_0.159-4.2+deb8u1.debian.tar.xz
 1653b554eda07bdcdc9a8b87bf3021efdc01b990ae8f271cc6d28c6e96361919 274896 elfutils_0.159-4.2+deb8u1_amd64.deb
 876b1ba0cac1f74a93c52967cb6e2b7d073b8f830ed7f591e99f7e0f769edd56 160044 libelf1_0.159-4.2+deb8u1_amd64.deb
 935ef605ebe135e7d5f597a8959233f81a8f45759404231870e69de71bb479b3 59328 libelf-dev_0.159-4.2+deb8u1_amd64.deb
 9d5d50c6b0559f3a7f698158e99eb90bf80c24602f05879b319e44aa6289c7c1 152224 libdw-dev_0.159-4.2+deb8u1_amd64.deb
 bebf676408d5a77ac7c515dbb80e49b27c53ee34cb8bb6df39b631063902691d 191148 libdw1_0.159-4.2+deb8u1_amd64.deb
 a03010a3cffcab42869d8fd3f8b384693940c3e21cd0bec53da12ba683e3c690 26564 libasm1_0.159-4.2+deb8u1_amd64.deb
 cf71a23800366db33e302f012d02c77a44b8902fb19e8e4ad9435a5a9a11bd89 28522 libasm-dev_0.159-4.2+deb8u1_amd64.deb
Files:
 b56c771a056f7defaf8256856160f609 2460 libs optional elfutils_0.159-4.2+deb8u1.dsc
 1f45a18231c782ccd0966059e2e42ea9 5469000 libs optional elfutils_0.159.orig.tar.bz2
 bb973234c8384c7e89b50b665cf8a02c 54752 libs optional elfutils_0.159-4.2+deb8u1.debian.tar.xz
 92a159b1300e7ff373c3a4a2c6e1e84a 274896 utils optional elfutils_0.159-4.2+deb8u1_amd64.deb
 977185d681ee395d798506ba78802fc9 160044 libs optional libelf1_0.159-4.2+deb8u1_amd64.deb
 cfd84d1795cefdbf8b359d35ee8cfd39 59328 libdevel optional libelf-dev_0.159-4.2+deb8u1_amd64.deb
 3b2af85149bbdc7a33a5e4c61bcb9c47 152224 libdevel optional 

[SECURITY] [DLA 1689-1] elfutils security update

2019-02-25 Thread Thorsten Alteholz


Package: elfutils
Version: 0.159-4.2+deb8u1
CVE ID : CVE-2017-7608 CVE-2017-7610 CVE-2017-7611 CVE-2017-7612
 CVE-2017-7613 CVE-2018-16062 CVE-2018-18310 CVE-2018-18520
 CVE-2018-18521 CVE-2019-7149 CVE-2019-7150 CVE-2019-7665


Several issues in elfutils, a collection of utilities to handle ELF 
objects, have been found either by fuzzing or by using an 
AddressSanitizer.


CVE-2019-7665
 Due to a heap-buffer-overflow problem in function elf32_xlatetom(),
 a crafted ELF input can cause segmentation faults.

CVE-2019-7150
 Add sanity check for partial core file dynamic data read.

CVE-2019-7149
 Due to a heap-buffer-overflow problem in function read_srclines(),
 a crafted ELF input can cause segmentation faults.

CVE-2018-18521
 By using a crafted ELF file containing a zero sh_entsize, a
 divide-by-zero vulnerability could allow remote attackers to
 cause a denial of service (application crash).

CVE-2018-18520
 By fuzzing, an Invalid Address Dereference problem in function elf_end
 has been found.

CVE-2018-18310
 By fuzzing, an Invalid Address Read problem in eu-stack has been
 found.

CVE-2018-16062
 By using an AddressSanitizer, a heap-buffer-overflow has been found.

CVE-2017-7613
 By using fuzzing, it was found that an allocation failure was not
 handled properly.

CVE-2017-7612
 By using a crafted ELF file containing an invalid sh_entsize,
 remote attackers could cause a denial of service (application crash).

CVE-2017-7611
 By using a crafted ELF file, remote attackers could cause a denial
 of service (application crash).

CVE-2017-7610
 By using a crafted ELF file, remote attackers could cause a denial
 of service (application crash).

CVE-2017-7608
 By fuzzing, a heap-based buffer overflow has been detected.


For Debian 8 "Jessie", these problems have been fixed in version
0.159-4.2+deb8u1.

We recommend that you upgrade your elfutils packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

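The two sh_entsize entries in the advisory above (CVE-2018-18521 and CVE-2017-7612) are instances of one pattern: a table section's entry count is derived from sh_size / sh_entsize, so a zero or wrong divisor in a crafted section header is enough to crash the reader, and an offset or size past the end of the file turns the following loop into an out-of-bounds read. The program below is an added example written for this page; it is neither elfutils code nor the patches this update ships. It decodes one ELF64 section header from raw little-endian bytes and applies the checks a hardened reader makes before dividing. The struct, function and constant names are my own; the section-type numbers and the fixed entry sizes (24 bytes for Elf64_Sym and Elf64_Rela, 16 for Elf64_Rel and Elf64_Dyn) are the ones the ELF64 ABI defines. The sample headers are constructed in the code, not taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Section types whose contents are fixed-size entry tables (ELF spec values). */
#define SHT_SYMTAB  2
#define SHT_RELA    4
#define SHT_DYNAMIC 6
#define SHT_REL     9
#define SHT_DYNSYM  11

#define ELF64_SHDR_SIZE 64   /* on-disk size of one Elf64_Shdr */

/* Local mirror of Elf64_Shdr (field order and widths as in <elf.h>); our own name. */
typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} shdr64;

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const unsigned char *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i)); }
static void wr64(unsigned char *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (unsigned char)(v >> (8 * i)); }

/* Decode one little-endian Elf64_Shdr from raw bytes. Returns 0 when the
 * buffer is too short: a truncated header is the first thing to reject. */
int parse_shdr64(const unsigned char *buf, size_t len, shdr64 *out) {
    if (buf == NULL || out == NULL || len < ELF64_SHDR_SIZE) return 0;
    out->sh_name = rd32(buf);            out->sh_type = rd32(buf + 4);
    out->sh_flags = rd64(buf + 8);       out->sh_addr = rd64(buf + 16);
    out->sh_offset = rd64(buf + 24);     out->sh_size = rd64(buf + 32);
    out->sh_link = rd32(buf + 40);       out->sh_info = rd32(buf + 44);
    out->sh_addralign = rd64(buf + 48);  out->sh_entsize = rd64(buf + 56);
    return 1;
}

/* Entry size the ELF64 ABI fixes for each table section type; 0 = not a table. */
static uint64_t expected_entsize(uint32_t type) {
    switch (type) {
    case SHT_SYMTAB: case SHT_DYNSYM: case SHT_RELA: return 24; /* Elf64_Sym, Elf64_Rela */
    case SHT_REL:    case SHT_DYNAMIC:               return 16; /* Elf64_Rel, Elf64_Dyn  */
    default: return 0;
    }
}

/* Number of entries in a table section, or -1 if the header must be rejected.
 * A bare `sh_size / sh_entsize` is what a crafted header turns into a crash:
 * a zero divisor raises SIGFPE, a wrong divisor yields a count that walks the
 * table out of bounds, and an offset/size past EOF reads outside the mapping. */
int64_t shdr_entry_count(const shdr64 *sh, uint64_t file_size) {
    uint64_t want = expected_entsize(sh->sh_type);
    if (want == 0) return -1;                          /* not a table: never divide   */
    if (sh->sh_entsize == 0) return -1;                /* zero sh_entsize             */
    if (sh->sh_entsize != want) return -1;             /* invalid sh_entsize          */
    if (sh->sh_size % sh->sh_entsize != 0) return -1;  /* truncated last entry        */
    /* overflow-safe bounds check: offset + size must lie within the file */
    if (sh->sh_offset > file_size || sh->sh_size > file_size - sh->sh_offset) return -1;
    uint64_t n = sh->sh_size / sh->sh_entsize;
    return n > (uint64_t)INT64_MAX ? -1 : (int64_t)n;
}

/* Build a constructed little-endian section header for demonstration. */
void make_shdr64(unsigned char *buf, uint32_t type, uint64_t offset, uint64_t size, uint64_t entsize) {
    memset(buf, 0, ELF64_SHDR_SIZE);
    wr32(buf + 4, type);
    wr64(buf + 24, offset);
    wr64(buf + 32, size);
    wr64(buf + 56, entsize);
}

/* Round trip: encode a header, decode it from bytes, validate it. -1 = rejected. */
int64_t check_header(uint32_t type, uint64_t offset, uint64_t size, uint64_t entsize, uint64_t file_size) {
    unsigned char raw[ELF64_SHDR_SIZE];
    shdr64 sh;
    make_shdr64(raw, type, offset, size, entsize);
    if (!parse_shdr64(raw, sizeof raw, &sh)) return -1;
    return shdr_entry_count(&sh, file_size);
}

int main(void) {
    /* well-formed .symtab: 3 entries of 24 bytes inside a 4 KiB file */
    printf("valid symtab      -> %lld entries\n", (long long)check_header(SHT_SYMTAB, 0x100, 72, 24, 0x1000));
    /* constructed header with sh_entsize == 0, the divide-by-zero case */
    printf("zero sh_entsize   -> %lld (rejected)\n", (long long)check_header(SHT_SYMTAB, 0x100, 72, 0, 0x1000));
    /* constructed header whose table runs past the end of the file */
    printf("table past EOF    -> %lld (rejected)\n", (long long)check_header(SHT_REL, 0xff0, 32, 16, 0x1000));
    return 0;
}
```

The validation runs before any division or table walk, which is the ordering that matters: once sh_entsize has been used as a divisor or as a stride, a later check cannot undo the fault or the out-of-bounds read.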



Experimenting with phpmyadmin's testsuite

2019-02-25 Thread Sylvain Beucler
Hi,

Since phpmyadmin is a regular guest here, I checked how its repository
testsuite performs.
(I didn't find prior work in that area on the list.)

Lots of errors/incomplete/skipped even with the upstream source, lots of
deprecation warnings.
The unit tests quickly halt on Debian's patched codebase due to
removing bundled libraries and getFilePath()/CVE-2016-6621.

The Selenium tests can be run from the upstream phpmyadmin source while
targeting a Debian install.
The testsuite recommends compiling and installing PECL runkit for
additional tests, but it makes it crash/halt.
It is not entirely stable; here are 2 full runs on +deb8u4:
Tests: 2192, Assertions: 4800, Failures: 4, Errors: 120, Incomplete: 9,
Skipped: 93.
Tests: 2192, Assertions: 4798, Failures: 4, Errors: 122, Incomplete: 8,
Skipped: 93.
(most of the Errors are actually "PHPUnit_Framework_Assert::assertTag is
deprecated")

That's still an indicator on whether an update significantly broke
something :)


Install instructions:

-

apt install phpunit-selenium ant php5-gd php5-gmp
mkdir -p /usr/share/selenium/
# using the latest selenium 2.x (didn't try 3.x)
wget -c http://selenium-release.storage.googleapis.com/2.53/selenium-server-standalone-2.53.1.jar \
 -O /usr/share/selenium/selenium-server.jar

# Needs old Firefox 58 (not 60) otherwise Selenium can't install its extension
wget http://ftp.fr.debian.org/debian/pool/main/f/firefox-esr/firefox-esr_52.8.1esr-1~deb8u1_amd64.deb
wget http://ftp.fr.debian.org/debian/pool/main/f/firefox-esr/firefox-esr-l10n-fr_52.8.1esr-1~deb8u1_all.deb
apt install libjsoncpp0
dpkg -i *.deb

# In a graphical session (possibly disable the screen saver):
java -jar /usr/share/selenium/selenium-server.jar

-

# additional selenium tests (headers) require runkit
# well, drop that - actually that makes the non-selenium testsuite crash...
wget http://pecl.php.net/get/runkit-1.0.4.tgz
apt install php5-dev
tar xzf runkit-1.0.4.tgz
cd runkit-1.0.4/
# see README
phpize
./configure
make
make test
make install
cat <<EOF > /etc/php5/mods-available/runkit.ini
extension=runkit.so
runkit.internal_override=1
EOF
#php5enmod runkit

-

git clone https://github.com/phpmyadmin/phpmyadmin/
cd phpmyadmin/
git checkout RELEASE_4_2_12
# Note: build.xml => phpunit --configuration phpunit.xml.dist => test/bootstrap-dist.php
# edit test/bootstrap-dist.php and set:
#    'TESTSUITE_PASSWORD' => 'mysql_root_password',
#    'TESTSUITE_SELENIUM_HOST' => '127.0.0.1',

ant

You should see browser windows popping in and out.
Takes ~10 min per run.

Cheers!
Sylvain



Re: change in LTS procedures: publish DLAs on www.debian.org

2019-02-25 Thread Chris Lamb
Holger Levsen wrote:

> Last and least, 31 DLAs are still missing on www.d.o, 25 of them are
> from 2014, but the following 6 are pretty recent and I would very much
> appreciate if those who did those DLAs could add them to webwml.git as
> well:

If it helps, here is the same list but with names:

  [DLA 1682-1] uriparser security update — Thorsten Alteholz
  [DLA 1683-1] rdesktop security update — Emilio Pozuelo Monfort
  [DLA 1684-1] systemd security update — Emilio Pozuelo Monfort
  [DLA 1685-1] drupal7 security update — Abhijith PA
  [DLA 1687-1] sox security update — Adrian Bunk
  [DLA 1688-1] waagent update — Bastian Blank



Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



change in LTS procedures: publish DLAs on www.debian.org

2019-02-25 Thread Holger Levsen
Hi,

as hopefully most of you will have noted, DLAs are now being published
on https://www.debian.org/lts/security/ (and as such some of them have
already been translated in various languages)!

As such, *you* are now also responsible for publishing DLAs on the
website, which is outlined in
https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website

The method described there assumes one cannot push directly, in which
case I (or someone else) will merge the DLA into webwml.git. However, I
would very much prefer if many of you could request commit access
and push directly themselves.

Last and least, 31 DLAs are still missing on www.d.o, 25 of them are
from 2014, but the following 6 are pretty recent and I would very much
appreciate if those who did those DLAs could add them to webwml.git as
well:

   DLA 1688-1
   DLA 1687-1
   DLA 1685-1
   DLA 1684-1
   DLA 1683-1
   DLA 1682-1

Thank you!


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

Our civilization is being sacrificed for the opportunity of a very small number
of people to continue making enormous amounts of money...  It is the sufferings
of the many  which pay  for the luxuries  of the few...  You say  you love your
children  above all else,  and yet  you are stealing  their future  in front of 
their very eyes...




(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-02-25 Thread Holger Levsen
hi,

I've just unclaimed some packages where the last documented activity on
these packages was more than two weeks ago:

libav (Mike Gabriel)
libraw (Abhijith PA)
openssh (Mike Gabriel)
symfony (Roberto C. Sánchez)
uw-imap (Roberto C. Sánchez)

If you intend to continue working on them, please just reclaim them and
update the note.

Thanks.


-- 
tschau,
Holger





[SECURITY] [DLA 1688-1] waagent update

2019-02-25 Thread Bastian Blank
Package: waagent
Version: 2.2.18-3~deb8u1

A newer version of waagent is needed for several features of the Azure
platform.

For Debian 8 "Jessie", this problem has been fixed in version
2.2.18-3~deb8u1.

We recommend that you upgrade your waagent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

