sqlalchemy security fix available for testing

2019-03-12 Thread Sylvain Beucler
Hi,

I made a fix for sqlalchemy available for testing (CVE-2019-7164/7548):
https://people.debian.org/~beuc/lts/sqlalchemy/

Upstream author Mike Bayer warns that this might break applications,
hence if you depend on sqlalchemy you are encouraged to test:
https://gerrit.sqlalchemy.org/#/c/sqlalchemy/sqlalchemy/+/1165/

I'll update it if upstream does more fine-tuning.
I plan to push it next week unless users/testers report breakage.

Cheers!
Sylvain



Accepted waagent 2.2.18-3~deb8u2 (source all) into oldstable

2019-03-12 Thread Bastian Blank
Format: 1.8
Date: Tue, 12 Mar 2019 09:42:39 +0100
Source: waagent
Binary: waagent
Architecture: source all
Version: 2.2.18-3~deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Bastian Blank 
Changed-By: Bastian Blank 
Description:
 waagent - Windows Azure Linux Agent
Changes:
 waagent (2.2.18-3~deb8u2) jessie-security; urgency=high
 .
   * Set proper access rights on swap file. CVE-2019-0804




Re: rdflib / CVE-2019-7653

2019-03-12 Thread Chris Lamb
Hi Brian,

> "Use easy_install provided scripts instead of our custom scripts."
> 
> Any better?

Somewhat, although I believe truly helpful changelog entries typically
have both the "what" and "why" component, of which yours is currently
missing the latter.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Re: ikiwiki / CVE-2019-9187

2019-03-12 Thread Brian May
Brian May  writes:

> Oh wait, this is a debian native package. Means I will probably have to
> patch the files directly, not rely on debian/patches. So was only
> working before because I was testing with patches applied.
>
> Curiously I am getting a test failure when testing without my patches.

Attached is the latest patch, now taking into account this is a Debian
native package without any patches applied.
-- 
Brian May 
diff -Nru ikiwiki-3.20141016.4/CHANGELOG ikiwiki-3.20141016.4+deb8u1/CHANGELOG
--- ikiwiki-3.20141016.4/CHANGELOG	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/CHANGELOG	2019-03-07 17:35:55.0 +1100
@@ -1,3 +1,10 @@
+ikiwiki (3.20141016.4+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-9187: Fix server-side request forgery via aggregate plugin.
+
+ -- Brian May   Thu, 07 Mar 2019 17:35:55 +1100
+
 ikiwiki (3.20141016.4) jessie-security; urgency=high
 
   * Reference CVE-2016-4561 in 3.20141016.3 changelog
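Review bot: this entry is a byte-for-byte copy of the one added to debian/changelog in the next hunk, so the two files must be kept identical (same version string, same date) on every revision of this patch; if the package's top-level CHANGELOG is generated from or linked to debian/changelog at build time, the edit here is redundant and only debian/changelog needs changing.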
diff -Nru ikiwiki-3.20141016.4/debian/changelog ikiwiki-3.20141016.4+deb8u1/debian/changelog
--- ikiwiki-3.20141016.4/debian/changelog	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/debian/changelog	2019-03-07 17:35:55.0 +1100
@@ -1,3 +1,10 @@
+ikiwiki (3.20141016.4+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-9187: Fix server-side request forgery via aggregate plugin.
+
+ -- Brian May   Thu, 07 Mar 2019 17:35:55 +1100
+
 ikiwiki (3.20141016.4) jessie-security; urgency=high
 
   * Reference CVE-2016-4561 in 3.20141016.3 changelog
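Review bot: the changelog line names only the aggregate plugin, yet the visible hunks also add liblwpx-paranoidagent-perl to debian/control and change the blogspam, openid and pinger plugin documentation; widen the entry so users see the full scope, for example "* CVE-2019-9187: Fix server-side request forgery by preferring LWPx::ParanoidAgent over plain LWP in the aggregate, blogspam, openid and pinger plugins; add liblwpx-paranoidagent-perl to the package relations."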
diff -Nru ikiwiki-3.20141016.4/debian/control ikiwiki-3.20141016.4+deb8u1/debian/control
--- ikiwiki-3.20141016.4/debian/control	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/debian/control	2019-03-07 17:35:55.0 +1100
@@ -17,7 +17,8 @@
   libnet-openid-consumer-perl,
   libxml-feed-perl,
   libxml-parser-perl,
-  libxml-twig-perl
+  libxml-twig-perl,
+  liblwpx-paranoidagent-perl,
 Maintainer: Simon McVittie 
 Uploaders: Josh Triplett 
 Standards-Version: 3.9.5
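Review bot: the new "liblwpx-paranoidagent-perl," line leaves a trailing comma at the end of the relationship list (dpkg tolerates it, but the surrounding entries do not use one) and is appended out of the alphabetical order the list otherwise follows (it belongs before libnet-openid-consumer-perl); the field name is outside the hunk context, so also confirm this is the Recommends/Depends field that installs see and not Build-Depends, since the docs in this same patch describe the module as "strongly recommended" rather than required.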
diff -Nru ikiwiki-3.20141016.4/doc/plugins/aggregate.mdwn ikiwiki-3.20141016.4+deb8u1/doc/plugins/aggregate.mdwn
--- ikiwiki-3.20141016.4/doc/plugins/aggregate.mdwn	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/doc/plugins/aggregate.mdwn	2019-03-07 17:35:55.0 +1100
@@ -11,6 +11,10 @@
 one. Either the [[htmltidy]] or [[htmlbalance]] plugin is suggested, since
 feeds can easily contain html problems, some of which these plugins can fix.
 
+Installing the [[!cpan LWPx::ParanoidAgent]] Perl module is strongly
+recommended. The [[!cpan LWP]] module can also be used, but is susceptible
+to server-side request forgery.
+
 ## triggering aggregation
 
 You will need to run ikiwiki periodically from a cron job, passing it the
diff -Nru ikiwiki-3.20141016.4/doc/plugins/blogspam.mdwn ikiwiki-3.20141016.4+deb8u1/doc/plugins/blogspam.mdwn
--- ikiwiki-3.20141016.4/doc/plugins/blogspam.mdwn	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/doc/plugins/blogspam.mdwn	2019-03-07 17:35:55.0 +1100
@@ -11,6 +11,8 @@
 go to your Preferences page, and click the "Comment Moderation" button.
 
 The plugin requires the [[!cpan JSON]] perl module.
+The [[!cpan LWPx::ParanoidAgent]] Perl module is recommended,
+although this plugin can also fall back to [[!cpan LWP]].
 
 You can control how content is tested via the `blogspam_options` setting.
 The list of options is [here](http://blogspam.net/api/testComment.html#options).
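Review bot: the wording here differs from the aggregate.mdwn and openid.mdwn hunks, which call LWPx::ParanoidAgent "strongly recommended" and state that the LWP fallback "is susceptible to server-side request forgery"; this hunk says only "recommended" and omits the caveat, so align it, e.g. "The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended. The [[!cpan LWP]] module can also be used, but is susceptible to server-side request forgery."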
diff -Nru ikiwiki-3.20141016.4/doc/plugins/openid.mdwn ikiwiki-3.20141016.4+deb8u1/doc/plugins/openid.mdwn
--- ikiwiki-3.20141016.4/doc/plugins/openid.mdwn	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/doc/plugins/openid.mdwn	2019-03-07 17:35:55.0 +1100
@@ -7,8 +7,11 @@
 The plugin needs the [[!cpan Net::OpenID::Consumer]] perl module.
 Version 1.x is needed in order for OpenID v2 to work.
 
-The [[!cpan LWPx::ParanoidAgent]] perl module is used if available, for
-added security. Finally, the [[!cpan Crypt::SSLeay]] perl module is needed
+The [[!cpan LWPx::ParanoidAgent]] Perl module is strongly recommended.
+The [[!cpan LWP]] module can also be used, but is susceptible to
+server-side request forgery.
+
+The [[!cpan Crypt::SSLeay]] Perl module is needed
 to support users entering "https" OpenID urls.
 
 This plugin is enabled by default, but can be turned off if you want to
diff -Nru ikiwiki-3.20141016.4/doc/plugins/pinger.mdwn ikiwiki-3.20141016.4+deb8u1/doc/plugins/pinger.mdwn
--- ikiwiki-3.20141016.4/doc/plugins/pinger.mdwn	2017-01-12 05:18:52.0 +1100
+++ ikiwiki-3.20141016.4+deb8u1/doc/plugins/pinger.mdwn	2019-03-07 17:35:55.0 +1100
@@ -10,9 +10,11 @@
 To configure what URLs to ping, use the [[ikiwiki/directive/ping]]
 [[ikiwiki/directive]].
 
-The [[!cpan LWP]] perl module is used for pinging. Or the [[!cpan

Re: rdflib / CVE-2019-7653

2019-03-12 Thread Brian May
Chris Lamb  writes:

>> > Hmm, I'm still seeing "reversed" bits in the chunk that don't make
>> > immediate sense to me. Perhaps we just need a more-detailed changelog
>> > entry (rather than an explanation reply on this list) however. (For
>> > example "debian/scripts/rdfs2dot"...?)
>> 
>> What parts seem confusing to you? We are deleting our custom scripts and
>> using the autogenerated scripts.
>
> It is not immediately and 100% clear from reading the changelog
> entry (ie. from our user's point of view) why one is doing this. :)

"Use easy_install provided scripts instead of our custom scripts."

Any better? Or should I also go into more details as to how our custom
scripts caused problems in the first place?
-- 
Brian May