Re: Request for testing - symfony
On Mon, Mar 04, 2019 at 07:07:30PM +0100, Sylvain Beucler wrote:
>
> I haven't touched Symfony in a while, but I can contribute a few bits:
>
> - The symfony installer is not packaged in Debian
>   https://github.com/symfony/symfony-installer
>   I tried to run an old version from git but couldn't find the appropriate
>   tag matching symfony 2.3.21 (which the Symfony installers depends on (sic))
>   This makes me wonder if the Symfony Framework is used in Debian, or if
>   only some of its sub-packages are useful.
>   Alternatively one could use composer which is not in oldstable (composer
>   create-project symfony/framework-standard-edition ).
>
> - The closest I could get to a test environment is:
>   curl -LsS https://symfony.com/installer -o /usr/local/bin/symfony
>   apt install php5-mysql
>   symfony new myproject 2.3.22 # .21 N/A - we'll ditch this one anyway
>   cd myproject/
>   mv vendor/symfony/symfony/src/Symfony vendor/symfony/symfony/src/Symfony.bak
>   ln -s /usr/share/php/Symfony vendor/symfony/symfony/src/
>   # edit IP in web/app_dev.php
>   rm -rf app/bootstrap.php.cache
>   vendor/sensio/distribution-bundle/Sensio/Bundle/DistributionBundle/Resources/bin/build_bootstrap.php
>   php app/console server:run 0.0.0.0:8000
>
> This gives access to a default application and its web control panel.
>
> Not sure if you need people to test for regressions or for the security
> fix (or both) :)
>
> Hope this helps,
> Sylvain
>

This was very helpful. I was convinced that there had to be some way to get to a working app with just the components in the Debian packages. I will try to perform some testing and will report back if I still need additional help.

That said, if anyone out there is able to test, either positive or negative reports would be very helpful.

Regards,

-Roberto

-- 
Roberto C. Sánchez
[SECURITY] [DLA 1704-1] nss security update
Package: nss
Version: 2:3.26-1+debu8u4
CVE ID : CVE-2018-12404 CVE-2018-18508
Debian Bug : 921614

Vulnerabilities have been discovered in nss, the Mozilla Network Security Service library.

CVE-2018-12404

    Cache side-channel variant of the Bleichenbacher attack

CVE-2018-18508

    NULL pointer dereference in several CMS functions resulting in a denial of service

For Debian 8 "Jessie", these problems have been fixed in version 2:3.26-1+debu8u4.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted nss 2:3.26-1+debu8u4 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Mar 2019 09:46:23 -0500
Source: nss
Binary: libnss3 libnss3-1d libnss3-tools libnss3-dev libnss3-dbg
Architecture: source amd64
Version: 2:3.26-1+debu8u4
Distribution: jessie-security
Urgency: high
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Roberto C. Sanchez
Description:
 libnss3    - Network Security Service libraries
 libnss3-1d - Network Security Service libraries - transitional package
 libnss3-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Closes: 921614
Changes:
 nss (2:3.26-1+debu8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Update nss/tests/libpkix/certs/PayPalEE.cert to work-around the fact that
     the former certificate has expired. The new certificate expiry is
     2020-08-18. Also update the expected OID through (adds
     debian/patches/replace_expired_paypal_cert.patch).
   * Add patches to fix two security issues:
     - CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack
     - CVE-2018-18508: NULL pointer dereference in several CMS functions
       resulting in a denial of service
     (Closes: #921614)
Checksums-Sha1:
 04a35fbbeba2da3cc19e2e5787b053e7bbd816a0 2252 nss_3.26-1+debu8u4.dsc
 a2908b09692480b25927615ea567070dd040e9b5 36516 nss_3.26-1+debu8u4.debian.tar.xz
 38a821654b8d662c0a787dbe2b39fcdd5f704178 1160636 libnss3_3.26-1+debu8u4_amd64.deb
 259eb66326c01a35dc4bc56451c4676f5ca33d3a 18606 libnss3-1d_3.26-1+debu8u4_amd64.deb
 9e4c23f0bf21458d1fd13a530174b03b7d1b6ce5 784658 libnss3-tools_3.26-1+debu8u4_amd64.deb
 67ba8c68d3d40d34983158b8ceb2f35efe13d884 233490 libnss3-dev_3.26-1+debu8u4_amd64.deb
 aeb67012202beac7d5e3e9eb23f5f68e8ca3ea51 8198252 libnss3-dbg_3.26-1+debu8u4_amd64.deb
Checksums-Sha256:
 8219df0d9c4eeda2086cedbbd09dc391bd0f427afe4ef1a2cc8b7895dffc6c7b 2252 nss_3.26-1+debu8u4.dsc
 38df123c4be5903700abcbd34e3f290dc343e0821a2049a86346b359da783667 36516 nss_3.26-1+debu8u4.debian.tar.xz
 13b834f9fc105ac011d15aaa4d8f8415fee85d78d1f56b17069bd449d98b5a94 1160636 libnss3_3.26-1+debu8u4_amd64.deb
 a3d38175122ac27070d3d0816ffd99bbb21fd7b2a394e01097910b866f06052f 18606 libnss3-1d_3.26-1+debu8u4_amd64.deb
 e6c4eccf1cf0c0387f937706b398f0b18d69140bbd0791e88775e44c07d7990e 784658 libnss3-tools_3.26-1+debu8u4_amd64.deb
 f5394992c92a753770becc1ba14427734ff0f9daf9083362280cb2da014acefb 233490 libnss3-dev_3.26-1+debu8u4_amd64.deb
 b41efc1ca3039120a53d8ee14e566d6ffe1492db8ed01618f386f50495c7f412 8198252 libnss3-dbg_3.26-1+debu8u4_amd64.deb
Files:
 580f2e8cfbbf628600ee822c2291983d 2252 libs optional nss_3.26-1+debu8u4.dsc
 9fe34325c29f3b2bb8a5652251f200be 36516 libs optional nss_3.26-1+debu8u4.debian.tar.xz
 7ef73741ba6c814d2ead6abd10f3a835 1160636 libs optional libnss3_3.26-1+debu8u4_amd64.deb
 728d2f1278ec36768ede1a6dc3258322 18606 oldlibs extra libnss3-1d_3.26-1+debu8u4_amd64.deb
 938e552db331cdeb25d237e74c5b2d2c 784658 admin optional libnss3-tools_3.26-1+debu8u4_amd64.deb
 bdb0fbc2dbaae49dcbc52b9595fe6e07 233490 libdevel optional libnss3-dev_3.26-1+debu8u4_amd64.deb
 e2d37088fe00d0d50f056c7cc724c8c5 8198252 debug extra libnss3-dbg_3.26-1+debu8u4_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAlx95F4ACgkQLNd4Xt2n
sg9p7g/+LXpJtrVZW+2gIAtFqBT5ZOpFp3smLffvdqKp/PQpyr2TX62MrcbkOG7q
e8TYe6H+I1a7VtL9Jen1ZN8bYPXUC2t9A6vI6x5BYmN7Ka/xsK2ZtXQuqrHVN4DS
jL/bNqFtaqXUc9g7+kcLd2x3h6FCzmdcFdhN6lseTXM5vPEmECiINuTvd6MQbNcd
tSVv6dt7qtBDkShzmy7yrfvz48X7sj0us3PwCwUFg1t54HY7UBWZ+JZyOVQLZEft
y2oiODPysXPBLNaE9nvIXOlZlyJ8NxItnLLs/AyAdqB6G43jQ4Q2xVomQZWyFhzd
HtSlLSzvb5hwueApeLLfPJL2SQKGclj82BNMw8ZGVTOA7hUTzwpNWBjQLYOdVJx1
XXK1U1FkXLl0c6ObtJZ+iEzes/eF9gsPySjX/3GqUZqBdvWAblFjXssB6k+9z5hA
2CppwbCChNwg53IvG6a46HTYwB5FOfvEVEdfzWdsD5KlIfmfCPOy3zeq2mpzXopa
hupXBjJIm0bP7p/Vwy81Rf64Fj2k+TyuOreRNto1O+dQRnjofEZzX7ON/+HQDs92
J+u/ad/hIKUbqK9o6lWSyEeRzczKF6G1PwLiW7cIflfRw18sRT0GrUhSXV6DA48N
c9eV6ChVu0ED4PEUUBd1dZJ1LWFkrxWXVUpecnvLTuSPhRP6W6I=
=ff1n
-----END PGP SIGNATURE-----
Re: Request for testing - symfony
Hi,

On 02/03/2019 18:46, Roberto C. Sánchez wrote:
> I have prepared an update to symfony (version 2.3.21+dfsg-4+deb8u4)
> which is in need of testing. I intend to upload in one week's time if I do
> not receive any reports of problems. Read on for details if you are in
> a position to help with testing these packages.
>
> I attempted to test the changes myself (I am familiar with PHP) but it
> turns out that Symfony is an entirely different sort of matter. In
> particular, the Debian package itself contains no documentation about
> how to set up even a basic Symfony app and all of the online
> documentation is geared toward the upstream preferred installation
> method which, among other things, requires downloading an installer
> script and ends up creating a symfony executable binary.
>
> In any event, my attempts at testing have so far been unable to overcome
> these obstacles and I fear that continuing to try to figure this out for
> myself will only result in lots of wasted time and effort.
>
> To that end, I am requesting that anyone out there using Symfony on
> jessie and familiar with it please consider installing this upload
> candidate and report any issues encountered.
>
> Note that upstream has a very robust unit test suite and I made sure to
> include any new or updated unit tests with each upstream commit that I
> backported.
>
> The packages may be downloaded here: https://people.debian.org/~roberto/
>
> symfony (2.3.21+dfsg-4+deb8u4) jessie-security; urgency=high
>
>   * Non-maintainer upload by the LTS Team.
>   * Cherry-pick upstream commit to fix unit test regression caused by PHP
>     5.6.27 (specifically, the fix for PHP bug 72972)
>   * Fix additional unit test failures resulting from dates too far in the past
>   * Cherry-pick upstream commits to fix security issues
>     + Fix CVE-2017-16652: [Security] Validate redirect targets using the
>       session cookie domain
>     + Fix CVE-2017-16654: prevent bundle readers from breaking out of paths
>     + Fix CVE-2018-11385: Adding session strategy to ALL listeners to avoid
>       *any* possible fixation
>     + Fix CVE-2018-11408: [SecurityBundle] Fail if security.http_utils cannot
>       be configured
>     + Fix CVE-2018-14773: [HttpFoundation] Remove support for legacy and risky
>       HTTP headers
>     + Fix CVE-2018-19789: [Form] Filter file uploads out of regular form types
>     + Fix CVE-2018-19790: [Security\Http] detect bad redirect targets using
>       backslashes
>
>  -- Roberto C. Sanchez  Fri, 01 Mar 2019 09:20:42 -0500

I haven't touched Symfony in a while, but I can contribute a few bits:

- The symfony installer is not packaged in Debian
  https://github.com/symfony/symfony-installer
  I tried to run an old version from git but couldn't find the appropriate
  tag matching symfony 2.3.21 (which the Symfony installers depends on (sic))
  This makes me wonder if the Symfony Framework is used in Debian, or if
  only some of its sub-packages are useful.
  Alternatively one could use composer which is not in oldstable (composer
  create-project symfony/framework-standard-edition ).

- The closest I could get to a test environment is:
  curl -LsS https://symfony.com/installer -o /usr/local/bin/symfony
  apt install php5-mysql
  symfony new myproject 2.3.22 # .21 N/A - we'll ditch this one anyway
  cd myproject/
  mv vendor/symfony/symfony/src/Symfony vendor/symfony/symfony/src/Symfony.bak
  ln -s /usr/share/php/Symfony vendor/symfony/symfony/src/
  # edit IP in web/app_dev.php
  rm -rf app/bootstrap.php.cache
  vendor/sensio/distribution-bundle/Sensio/Bundle/DistributionBundle/Resources/bin/build_bootstrap.php
  php app/console server:run 0.0.0.0:8000

This gives access to a default application and its web control panel.

Not sure if you need people to test for regressions or for the security fix (or both) :)

Hope this helps,
Sylvain
Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)
Hi,

On 04/03/2019 16:55, Markus Koschany wrote:
> On 04.03.19 at 16:33, Sylvain Beucler wrote:
> [...]
>> I see this as a strong signal that we should not attempt to backport the
>> fix, and go with a (minor).
>>
>> Alternatively we could upgrade nettle (libnettle4->libnettle6) which
>> doesn't break gnutls28's test suite, though it's likely to introduce
>> other issues (e.g. #789119).
>>
>> Thoughts?
> I also worked on nettle/gnutls26 for Wheezy. There are too many changes
> and just backporting rsa_sec_decrypt in nettle would be an incomplete
> fix for CVE-2018-16869 because they introduced more hardening against
> those side-channel attacks in other functions. An upgrade of nettle
> would require a rebuild of all reverse-dependencies and that is probably
> too intrusive.

Thanks for your input Markus.

Instead of upgrading I was thinking of providing libnettle6 /in addition to/ libnettle4, but that still sounds like more trouble than it solves.

Cheers!
Sylvain
Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869)
On 04.03.19 at 16:33, Sylvain Beucler wrote:
[...]
> I see this as a strong signal that we should not attempt to backport the
> fix, and go with a (minor).
>
> Alternatively we could upgrade nettle (libnettle4->libnettle6) which
> doesn't break gnutls28's test suite, though it's likely to introduce
> other issues (e.g. #789119).
>
> Thoughts?
>
> Cheers!
> Sylvain
>

I also worked on nettle/gnutls26 for Wheezy. There are too many changes and just backporting rsa_sec_decrypt in nettle would be an incomplete fix for CVE-2018-16869 because they introduced more hardening against those side-channel attacks in other functions. An upgrade of nettle would require a rebuild of all reverse-dependencies and that is probably too intrusive.

Regards,

Markus
gnutls/nettle (CVE-2018-16868/CVE-2018-16869)
Hi,

I'm working on CVE-2018-16868/CVE-2018-16869, a side-channel attack that affects gnutls and nettle, disclosed 2018-12, tagged low/local.

Unlike what I read in data/CVE/list, I understand that the nettle fix is not just a new function - it's a rewrite of the RSA functions, complemented by a new 'rsa_sec_decrypt' function.
https://lists.lysator.liu.se/pipermail/nettle-bugs/2018/007363.html
Consequently the diff is large, and based on a new major version (conflicts, missing files).

I note that the patch was written by RedHat (Simo Sorce), and that gnutls is also maintained by a RedHat employee (Nikos Mavrogiannopoulos).
Despite this, RHEL (all releases) issued a "Will not fix" for both:
https://access.redhat.com/security/cve/cve-2018-16869
https://access.redhat.com/security/cve/cve-2018-16868
It's not in EPEL either after 3 months:
https://bugzilla.redhat.com/show_bug.cgi?id=1654930
https://bugzilla.redhat.com/show_bug.cgi?id=1654929
https://apps.fedoraproject.org/packages/nettle
https://apps.fedoraproject.org/packages/gnutls

I see this as a strong signal that we should not attempt to backport the fix, and go with a (minor).

Alternatively we could upgrade nettle (libnettle4->libnettle6) which doesn't break gnutls28's test suite, though it's likely to introduce other issues (e.g. #789119).

Thoughts?

Cheers!
Sylvain
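The nettle fix discussed in this thread (CVE-2018-16869, the rsa_sec_decrypt rewrite) and the nss fix in DLA 1704-1 above (CVE-2018-12404, "cache side-channel variant of the Bleichenbacher attack") address the same weak spot: an RSA PKCS#1 v1.5 decryption whose padding check behaves differently depending on where the padding turns out to be malformed, which hands an observer a padding oracle. The Python below is an added illustration of the hardening pattern; it is not code from this thread, from nettle, from nss or from Debian. It puts a naive early-return unpadder next to a branch-free one that, like nettle's rsa_sec_decrypt, takes the expected message length up front and always yields a buffer of that length. The 32-byte block size, the sample message and the function names are constructed for the example, and Python gives no real constant-time guarantee; what the block shows is the structure a C implementation follows.

```python
"""Added example, not code from the debian-lts thread, nettle, nss or Debian:
the hardening pattern behind "secure" PKCS#1 v1.5 (type 2) decryption.

A Bleichenbacher-style oracle only needs to tell "padding OK" from "padding
bad". The naive unpadder returns early at the first malformed byte, so its
running time and cache footprint depend on where the padding failed. The
constant-time variant takes the expected message length up front, inspects
every byte of the block with bitwise arithmetic, and always produces a buffer
of that length. Python itself does not guarantee constant time; the point is
the branch-free structure, which is what matters when written in C.
"""
import os


def ct_eq_byte(a: int, b: int) -> int:
    """1 if a == b else 0, for 0 <= a, b <= 255, without a data-dependent branch."""
    return (((a ^ b) - 1) >> 8) & 1


def unpad_naive(em: bytes, msg_len: int):
    """Straightforward unpadding with early returns (the leaky shape)."""
    if em[0] != 0x00 or em[1] != 0x02:       # exits here on a bad header ...
        return None
    try:
        sep = em.index(b"\x00", 2)            # first 0x00 after the header
    except ValueError:                        # ... here if no separator ...
        return None
    if sep < 10:                              # ... here on a short padding ...
        return None
    msg = em[sep + 1:]
    if len(msg) != msg_len:                   # ... and here on a length mismatch
        return None
    return msg


def unpad_ct(em: bytes, msg_len: int):
    """Unpad with control flow independent of the block's contents.

    Returns (ok, out). `out` is always `msg_len` bytes: the recovered message
    when ok, otherwise fresh random bytes (the substitution RFC 5246 7.4.7.1
    prescribes for a TLS server's premaster secret on decryption failure).
    """
    k = len(em)
    # This check depends only on public sizes, never on the block's bytes.
    if msg_len > k - 11:
        raise ValueError("message length leaves fewer than 8 padding bytes")
    sep = k - msg_len - 1                     # where the 0x00 separator must sit

    bad = 0
    bad |= 1 - ct_eq_byte(em[0], 0x00)        # leading zero byte
    bad |= 1 - ct_eq_byte(em[1], 0x02)        # block type 2
    for i in range(2, sep):                   # padding string must be non-zero
        bad |= ct_eq_byte(em[i], 0x00)
    bad |= 1 - ct_eq_byte(em[sep], 0x00)      # separator at the expected place
    ok = 1 - bad

    keep = -ok & 0xFF                         # 0xFF when ok, 0x00 when bad
    drop = keep ^ 0xFF
    fallback = os.urandom(msg_len)            # constructed stand-in output
    out = bytes((em[sep + 1 + i] & keep) | (fallback[i] & drop)
                for i in range(msg_len))
    return bool(ok), out


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build a valid type-2 block; k is the modulus size in bytes (test helper)."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for block size")
    ps = bytearray()
    while len(ps) < ps_len:                   # padding bytes must be non-zero
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


if __name__ == "__main__":
    # Constructed sample: a 32-byte block (toy size; real RSA blocks are 256+).
    em = pad_pkcs1_v15(b"premaster-secret", 32)
    print(unpad_naive(em, 16), unpad_ct(em, 16))
    broken = b"\x00\x01" + em[2:]             # wrong block type
    print(unpad_naive(broken, 16), unpad_ct(broken, 16))
```

The property to look for is that unpad_ct touches every byte of em and leaves through the same path no matter which check failed, so the caller has nothing to distinguish the failure cases by, and on failure it hands back random bytes rather than nothing, which is what a TLS server is told to do with the premaster secret. Markus's point in this thread still applies: fixing the unpadding alone is not enough if the surrounding modular exponentiation and conversion routines leak, which is why the upstream change is a rewrite rather than a single new function.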
Re: Jessie update of drupal7?
Hi Chris!

Chris Lamb said [Mon, Mar 04, 2019 at 03:22:35AM -0500]:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Jessie version of drupal7:
> https://security-tracker.debian.org/tracker/source-package/drupal7
>
> Would you like to take care of this yourself?

I would like to do it, of course. However, I know it is not going to happen ☹ I am really time-strapped as it is, and for the several last sets of updates, I have not done it. I know, it is usually just a matter of setting up a proper build environment with pre-Stretch installations - but I'll leave it to somebody else. The patches are thankfully quite non-invasive, and I expect the patch I took from Git and prepared for Stretch will be easily applied to prior releases (at least for Jessie).

FWIW - When I started taking care of Drupal7, I took over maintenance from Luigi. I never removed him as an uploader, but I think it's safe to assume he will also yield and let you take the work.

Thanks a *lot* to everybody involved for your work in LTS!
Re: recent DLAs not yet on www.debian.org
On Monday 04 March 2019 03:55 PM, Holger Levsen wrote:
> hi,
>
> the following recent DLAs are missing on www.debian.org currently:
..
> Feb 20 Abhijith PA [DLA 1685-1] drupal7 security update
..

pushed. Waiting for changes to take place.

--abhijith
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Hi.

On Monday 25 February 2019 05:39 PM, Holger Levsen wrote:
> hi,
>
> I've just unclaimed some packages where the last documented activity on
> these packages was more than two weeks ago:
..
> libraw (Abhijith PA)
..

Last month was quite busy with life. I see that libraw is claimed by Thorsten Alteholz. Thorsten, if you need any help let me know.

--abhijith.
Re: recent DLAs not yet on www.debian.org
On 04.03.19 at 13:35, Holger Levsen wrote:
> On Mon, Mar 04, 2019 at 01:22:27PM +0100, Markus Koschany wrote:
>> but I don't really
>> think that this is an efficient way. I doubt this is the workflow of the
>> security team.
>
> the most efficient way is surely if you were to apply to become a member
> of webmaster-team on salsa, so you can push yourself.

I have done the same as Hugo now and submitted several merge requests and asked for team membership. Steve just granted those permissions. Thanks!

> that said, (DLA) merge requests are usually merged very quickly by
> either some "real" webmaster-team members and then I also check those
> merge requests daily (and merge them if needed).
>
> I'm not sure how DSAs end up in webwml.git, indeed the commits are not
> coming from the people releasing the DSAs. If someone wants to work on
> improving the tooling/automatisation this is surely welcome.
>
> For now, I've made LTS/Development#Publishing_updates_on_the_website
> more obvious.

We should aim to make this fully automatic soon. The parse-dla.pl script works nicely when I just download the email from https://lists.debian.org/debian-lts-announce/, so I guess with a few more lines of code this could be a cron job. However I will rather take a look at how the DSAs are published again first, because this all feels like reinventing the wheel at the moment.
Re: recent DLAs not yet on www.debian.org
On Mon, Mar 04, 2019 at 01:22:27PM +0100, Markus Koschany wrote:
>
>
> On 04.03.19 at 13:13, Holger Levsen wrote:
>> Hi Markus,
>>
>> On Mon, Mar 04, 2019 at 01:06:07PM +0100, Markus Koschany wrote:
>>>> the following recent DLAs are missing on www.debian.org currently:
>>> I can't push to the webmaster-team repository.
>>> GitLab: You are not allowed to push code to this project.
>>
>> did you read the URL I linked?
>>
>> if yes, any ideas how to make it more obvious what to do?
>>
>> if not, please do.
>
> Holger, I did read
>
> https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website
>
> but I have no permission to push to
>
> https://salsa.debian.org/webmaster-team/webwml
>
> Someone has to grant all of us write permissions.
>
> If you want to create merge requests, then it should be mentioned but I don't
> really think that this is an efficient way. I doubt this is the workflow of the
> security team.

I've just granted you access to webmaster-team...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"Managing a volunteer open source project is a lot like herding kittens,
except the kittens randomly appear and disappear because they have day
jobs." -- Matt Mackall
Re: recent DLAs not yet on www.debian.org
On Mon, Mar 04, 2019 at 01:22:27PM +0100, Markus Koschany wrote:
> Holger, I did read
> https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website

I expected that...

> but I have no permission to push to
> https://salsa.debian.org/webmaster-team/webwml
> Someone has to grant all of us write permissions.
> If you want to create merge requests, then it should be mentioned

it is mentioned. though evidently, not visible enough.

> but I don't really
> think that this is an efficient way. I doubt this is the workflow of the
> security team.

the most efficient way is surely if you were to apply to become a member of webmaster-team on salsa, so you can push yourself.

that said, (DLA) merge requests are usually merged very quickly by either some "real" webmaster-team members and then I also check those merge requests daily (and merge them if needed).

I'm not sure how DSAs end up in webwml.git, indeed the commits are not coming from the people releasing the DSAs. If someone wants to work on improving the tooling/automatisation this is surely welcome.

For now, I've made LTS/Development#Publishing_updates_on_the_website more obvious.

-- 
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: recent DLAs not yet on www.debian.org
> Holger, I did read
>
> https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website
>
> but I have no permission to push to
>
> https://salsa.debian.org/webmaster-team/webwml
>
> Someone has to grant all of us write permissions.
>
> If you want to create merge requests, then it should be mentioned but I don't
> really think that this is an efficient way. I doubt this is the workflow of the
> security team.

I have asked for commit rights and got them right away :)

https://salsa.debian.org/webmaster-team/webwml/merge_requests/62

-- 
Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: recent DLAs not yet on www.debian.org
On 04.03.19 at 13:13, Holger Levsen wrote:
> Hi Markus,
>
> On Mon, Mar 04, 2019 at 01:06:07PM +0100, Markus Koschany wrote:
>>> the following recent DLAs are missing on www.debian.org currently:
>> I can't push to the webmaster-team repository.
>> GitLab: You are not allowed to push code to this project.
>
> did you read the URL I linked?
>
> if yes, any ideas how to make it more obvious what to do?
>
> if not, please do.

Holger, I did read

https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website

but I have no permission to push to

https://salsa.debian.org/webmaster-team/webwml

Someone has to grant all of us write permissions.

If you want to create merge requests, then it should be mentioned but I don't really think that this is an efficient way. I doubt this is the workflow of the security team.
[SECURITY] [DLA 1703-1] jackson-databind security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: jackson-databind
Version: 2.4.2-2+deb8u5
CVE ID : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
         CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
         CVE-2018-19361 CVE-2018-19362

Several deserialization flaws were discovered in jackson-databind, a fast and powerful JSON library for Java, which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version 2.4.2-2+deb8u5.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlx9Fl9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRF4RAAkTCnHYNQr68Eh8EpRuha6rB2p/s2CF6RKFsaBMJL8wxm/HeNkdpVwtp9
Hns38nmiSdUAwUba7hKNGyj+v59+Je8VOWAPdPmSQJb3xLKNZdSUNL1y2fCtpkxS
XJiiGXG9KaDxRoZNQiStujE7lP8yte9myudoc0NZ9f/JpqczyJo0NruLSY/rNGIw
QXnprMpfSioKMj7+cgL0KVUNImpDtKRiqVq62NetV+Gc32CG+d2u0R/2hbfu20d+
gwh4/QooNk0Q4O2c7anNuoMc+jMyyai1f1tZftJqWaKHKE+33CJJssf5ITLeCj0U
QeJ9fR6kkpHyHsxhQRQYx/ch5gj5d6BEyxmljanrkIw1SU+oy9R+SQBysBs6n2bt
wfdL+ykvMjPIIjfqks3jTRhy1xPX9jEp7wFe/XbD8GHqXlLMgmH3lhp2vHiN1S3w
yyRE+CNh6RViq4KvA4T0yjnHbrnu2F/yO1PPAdsaGqg6tDx9fGtqhlGFaCFyWUs+
f+Ee2akIE5K68e6OBPKBfepOa4Z0lCkFgxZic2TzUIt8meWDhdiDxC2f7KYmyPbE
B7UDz7aHh0+Q1p78iiEfK/XU8P9ivSLsWp3nqr7Al1KobD4LHt3DTQ3mTM8FgL57
HMp7BNaCUoPiIb3otWXpE4fxPrHjahm9545JIfvxKoUyHXch+vY=
=NoXV
-----END PGP SIGNATURE-----
Re: recent DLAs not yet on www.debian.org
Hi Markus,

On Mon, Mar 04, 2019 at 01:06:07PM +0100, Markus Koschany wrote:
>> the following recent DLAs are missing on www.debian.org currently:
> I can't push to the webmaster-team repository.
> GitLab: You are not allowed to push code to this project.

did you read the URL I linked?

if yes, any ideas how to make it more obvious what to do?

if not, please do.

-- 
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: recent DLAs not yet on www.debian.org
Hi,

On 04.03.19 at 11:25, Holger Levsen wrote:
> hi,
>
> the following recent DLAs are missing on www.debian.org currently:

I can't push to the webmaster-team repository.

GitLab: You are not allowed to push code to this project.
Accepted jackson-databind 2.4.2-2+deb8u5 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Mar 2019 10:30:09 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.4.2-2+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
     CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
     CVE-2018-19361 and CVE-2018-19362.
     Several deserialization flaws were discovered in jackson-databind which
     could allow an unauthenticated user to perform code execution. The issue
     was resolved by extending the blacklist and blocking more classes from
     polymorphic deserialization.
Checksums-Sha1:
 0acda95edd6e755b3ecfc55d234adfeae5b97a2b 2691 jackson-databind_2.4.2-2+deb8u5.dsc
 f87ceb854ad19508eb4b9d97a369cd7023b51221 10316 jackson-databind_2.4.2-2+deb8u5.debian.tar.xz
 7e90a56108dbb4333832d58e0b7b0f20d4e961f4 986992 libjackson2-databind-java_2.4.2-2+deb8u5_all.deb
 9c47545c07e3f45f3a0bc899b8b0d7532460a7d8 4748130 libjackson2-databind-java-doc_2.4.2-2+deb8u5_all.deb
Checksums-Sha256:
 8238342f554d307d52bf50a2e39d4d777855ed7d1f5b2758dc83d68c9cfe72f3 2691 jackson-databind_2.4.2-2+deb8u5.dsc
 8d2f7dd7f5facfea25cc4b2a80fdbdb1a413b2bbf8c7000e167a034e0a0a12fc 10316 jackson-databind_2.4.2-2+deb8u5.debian.tar.xz
 09a3d7a7cb9848d60cbc7a08f330921ff5d1dcc99f26333b3db84b6b537cb2b5 986992 libjackson2-databind-java_2.4.2-2+deb8u5_all.deb
 8bf0ecf5437626db9c0ec4307d969e063195f4f009f08d58631b7bb0d37a4226 4748130 libjackson2-databind-java-doc_2.4.2-2+deb8u5_all.deb
Files:
 f786b0bc50a0c3c86b553658d8365ab3 2691 java optional jackson-databind_2.4.2-2+deb8u5.dsc
 7d213399d23387f21b70569e0a78a405 10316 java optional jackson-databind_2.4.2-2+deb8u5.debian.tar.xz
 d6e5cd84ac5e09b7de2f3e60c965667c 986992 java optional libjackson2-databind-java_2.4.2-2+deb8u5_all.deb
 49aa611b4073fd93c48059028338f1ba 4748130 doc optional libjackson2-databind-java-doc_2.4.2-2+deb8u5_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlx9Bc1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hkz0gQAIKLwh29sBqkkuDgDoCiPhy5YgkD4zjm4BDZ
tvDSCWBuTQCzBE5IEECeb5VdOsfMPpnOhrZdqI/oHtvALirXhAzm257y6gAtCgCI
K4ceILf1acFXR+jpqIMnY0jdj96mHTzCGbTgLF6wRcDz+OP1HF+swJpZS2ihk058
DD2tJ9FZxcvqY9ovP9D5vKKOeyZqtaeSqwLJ/vPPrLP8y/0oWSbEAzhmBNE+pKdo
ebJwtlMpLoHnNuRhw7rL/104IaLf0dAZulljbcmJT7QqqXLi8BUXG36JS5v22kHm
gpJYRceM6QtiNkoC4BxRrHxuFt2cm77Tpx12H1vjntGBR7L2btREQe/Ll9y2FPda
gg3xYzZ6fKdi1QHHo7eONDcL4xq/qi+CF5FsMm8uhkrSqk9fjI6EJt9+hftdgtRS
fWzmeUVS84yBOdHQTUwmH6Fp89jOJyJC5GwkvcAQznTl/Z0HhWoIh3/3GVVLLjRo
s6VKwQ0Jw0SDJ80J5ThOYuVTdJmfDO3pXyXLKmlMSBly0GlBAJhl/9Xf4YLd7Xe1
a6/Bxnxo+9V0CCQU+OUI6Hq5UqClqEgYFRC8SykGMWy+eblHUYfH9gYlg1Qv7L7i
RnE5HL11osgAGCTOIqmG0yoE30qRff8Nuda4oPG6SyBbxIRIfdW0gV14vL+SdD1o
Xv/nCz5U
=Zx9c
-----END PGP SIGNATURE-----
recent DLAs not yet on www.debian.org
hi,

the following recent DLAs are missing on www.debian.org currently:

Mar 02 Markus Koschany       [DLA 1702-1] advancecomp security update
Mar 01 Markus Koschany       [DLA 1701-1] openssl security update
Mar 01 Markus Koschany       [DLA 1696-1] ceph security update
Feb 28 Thorsten Alteholz     [DLA 1697-1] bind9 security update
Feb 27 Thorsten Alteholz     [DLA 1693-1] gpac security update
Feb 26 Thorsten Alteholz     [DLA 1691-1] exiv2 security update
Feb 25 Thorsten Alteholz     [DLA 1689-1] elfutils security update
Feb 25 Bastian Blank         [DLA 1688-1] waagent update
Feb 20 Abhijith PA           [DLA 1685-1] drupal7 security update
Feb 19 Emilio Pozuelo Monfo  [DLA 1684-1] systemd security update
Feb 19 Emilio Pozuelo Monfo  [DLA 1683-1] rdesktop security update
Feb 18 Thorsten Alteholz     [DLA 1682-1] uriparser security update

It would be really great if they could be added, following the instructions on https://wiki.debian.org/LTS/Development#Publishing_updates_on_the_website

If you are a paid contributor, this is paid work too, and expected to be done as part of releasing DLAs.

Besides these, we also have 25 older DLAs missing on www.d.o which someone will need to clean up eventually. I'd just be glad if that backlog wouldn't grow further.

And should the instructions not be clear/complete enough, we need to fix those.

-- 
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Hi,

today there were no packages with more than 2 weeks of inactivity, yay!

-- 
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
LTS report for February 2019
Hours worked: 8 hours

Work done:

DLA-1687-1 sox
  CVE-2014-8145

DLA-1698-1 file
  CVE-2019-8905 CVE-2019-8907
  As part of this also marked that the vulnerable code for CVE-2019-8904 and CVE-2019-8906 was added after the versions in jessie and stretch.

DLA-1699-1 ldb
  CVE-2019-3824

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
Jessie update of systemd?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of systemd:
https://security-tracker.debian.org/tracker/source-package/systemd

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and then the LTS Team will take care of systemd updates for the LTS releases.

Thank you very much.

Chris Lamb, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org - chris-lamb.co.uk
       `-
Jessie update of drupal7?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of drupal7:
https://security-tracker.debian.org/tracker/source-package/drupal7

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and then the LTS Team will take care of drupal7 updates for the LTS releases.

Thank you very much.

Chris Lamb, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org - chris-lamb.co.uk
       `-