[SECURITY] [DLA 1729-1] wireshark security update
Package        : wireshark
Version        : 1.12.1+g01b65bf-4+deb8u18
CVE ID         : CVE-2017-9344 CVE-2017-9349 CVE-2019-9209

Several vulnerabilities have been found in wireshark, a network traffic analyzer.

CVE-2019-9209

    Prevent a crash of the ASN.1 BER and related dissectors by avoiding a buffer overflow associated with excessive digits in time values.

CVE-2017-9349

    Fix an infinite loop in the DICOM dissector by validating a length value.

CVE-2017-9344

    Avoid a divide by zero by validating an interval value in the Bluetooth L2CAP dissector.

For Debian 8 "Jessie", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u18.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
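The three fixes above share one discipline: a size taken from the packet is checked before it drives a copy, a loop or a division. The C below is an added illustration of the first two classes of check and is not Wireshark's dissector code; the 16-byte time buffer, the 4-byte-tag/4-byte-length element layout and the function names are assumptions made for the example. The divide-by-zero fix (CVE-2017-9344) is the same discipline applied to a divisor: test the packet-supplied interval for zero before using it.

```c
/*
 * Added example: bounds checks of the kind the wireshark fixes in DLA 1729-1
 * add. Illustrative code, not Wireshark's dissectors; the buffer size, the
 * element layout and the function names are assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TIME_BUF_SIZE 16   /* assumed fixed buffer: YYYYMMDDhhmmss plus a NUL */

/*
 * Copy the leading ASCII digits of a BER UTCTime/GeneralizedTime value into a
 * fixed buffer. A crafted value carrying more digits than the buffer holds is
 * the condition behind CVE-2019-9209; the bound check turns it into an error
 * instead of a write past the end of `out`. Returns the digit count, or -1
 * when the digits do not fit.
 */
int ber_time_digits(const uint8_t *val, size_t len, char out[TIME_BUF_SIZE])
{
    size_t n = 0;
    for (size_t i = 0; i < len && val[i] >= '0' && val[i] <= '9'; i++) {
        if (n + 1 >= TIME_BUF_SIZE)     /* keep room for the terminating NUL */
            return -1;
        out[n++] = (char)val[i];
    }
    out[n] = '\0';
    return (int)n;
}

/*
 * Walk DICOM-style explicit-length elements: a 4-byte tag, a 4-byte
 * little-endian value length, then the value. The length comes from the
 * packet, so it is checked against the bytes that remain before the offset
 * is advanced; an unchecked length can point past the buffer or wrap the
 * offset so the loop never terminates (the bug class of CVE-2017-9349).
 * Returns the number of elements, or -1 for malformed input.
 */
int dicom_count_elements(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                  /* truncated element header */
        uint32_t vl = (uint32_t)buf[off + 4]
                    | (uint32_t)buf[off + 5] << 8
                    | (uint32_t)buf[off + 6] << 16
                    | (uint32_t)buf[off + 7] << 24;
        if (vl > len - off - 8)
            return -1;                  /* value length exceeds remaining bytes */
        off += 8 + vl;                  /* every iteration advances by at least 8 */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed samples: a well-formed time, an oversized digit run, and
       a DICOM-style element whose length field claims 4 GiB of value. */
    char t[TIME_BUF_SIZE];
    printf("time ok:    %d\n", ber_time_digits((const uint8_t *)"20190325190302Z", 15, t));
    printf("time long:  %d\n", ber_time_digits((const uint8_t *)"2019032519030200000000000000", 28, t));
    uint8_t bad[] = { 0x08, 0x00, 0x05, 0x00, 0xff, 0xff, 0xff, 0xff, 'A', 'B' };
    printf("dicom bad:  %d\n", dicom_count_elements(bad, sizeof bad));
    return 0;
}
```

The oversized time value is reported as an error rather than silently truncated, and the element walk refuses a length it cannot satisfy instead of trusting it; both are what the advisory's "validating a length value" amounts to at the code level.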
Accepted wireshark 1.12.1+g01b65bf-4+deb8u18 (source amd64 all) into oldstable
Format: 1.8
Date: Mon, 25 Mar 2019 19:03:02 +0100
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt tshark wireshark-dev wireshark-dbg wireshark-doc libwireshark5 libwsutil4 libwsutil-dev libwireshark-data libwireshark-dev libwiretap4 libwiretap-dev
Architecture: source amd64 all
Version: 1.12.1+g01b65bf-4+deb8u18
Distribution: jessie-security
Urgency: medium
Maintainer: Balint Reczey
Changed-By: Thorsten Alteholz
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark5 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap4 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil4 - network packet dissection utilities library -- shared library
 tshark     - network traffic analyzer - console version
 wireshark  - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-qt - network traffic analyzer - Qt version
Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u18) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-9209
     Preventing the crash of the ASN.1 BER and related dissectors by avoiding
     a buffer overflow associated with excessive digits in time values.
   * CVE-2017-9349
     Fixing an infinite loop in the DICOM dissector by validating a length value.
   * CVE-2017-9344
     Avoid a divide by zero, by validating an interval value in the Bluetooth
     L2CAP dissector.
Checksums-Sha1:
 813c88640657fde977df77b96850347057e54459 3505 wireshark_1.12.1+g01b65bf-4+deb8u18.dsc
 407f0a5f28c4ea34b0ea2b5a43e1da7632e357a9 25091052 wireshark_1.12.1+g01b65bf.orig.tar.xz
 b6b18863af84a4531605f7b9df1a7f6d913505aa 202824 wireshark_1.12.1+g01b65bf-4+deb8u18.debian.tar.xz
 fd734766828b9f93933e0ae2d7b3842c6b4044ca 183150 wireshark-common_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 c4e9818f9ed5ff5babb176f444e32ec655384ae4 790812 wireshark_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 6d93a640ed8fcce4c0e6d8a4403f8d1acb213be7 1067090 wireshark-qt_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 2b2bd2abd4676bb6fea464a7ae3943b2747d759c 164000 tshark_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 487530fb2dc83a3cd8be0af22a3ac958a9e41c82 147042 wireshark-dev_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 c84ec90c0652815166848800fe1589a75bebe2b4 38776940 wireshark-dbg_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 c73dd8a214712d5f2f8def649ab79790eb9aa5c7 3872706 wireshark-doc_1.12.1+g01b65bf-4+deb8u18_all.deb
 43108698b79134b0e962cf30d23b82d2bb68dc15 11261306 libwireshark5_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 64dab4de93a0eaa08581ca118e2d51953cd8341e 96884 libwsutil4_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 4082415649739a5ebfa47447fa956dd0ae9a2881 73716 libwsutil-dev_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 08bbb24047c3a1085457a76f5778e41ae642a185 838778 libwireshark-data_1.12.1+g01b65bf-4+deb8u18_all.deb
 1b07b9b9a9a27621aff9c3a25958940ef3354c7a 769620 libwireshark-dev_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 d48b7b4360b0fe1ab0895f13551ffe5ec7f658c9 189326 libwiretap4_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 e320a51be7557f47d5bfd9081b26d50eb8521bb3 80910 libwiretap-dev_1.12.1+g01b65bf-4+deb8u18_amd64.deb
Checksums-Sha256:
 42030891e3e672503a67890da69a84233d8b313a9810ab083084341e8abb144c 3505 wireshark_1.12.1+g01b65bf-4+deb8u18.dsc
 5244081064ba37780804983724e09263440866587f33f2a525a684b6d393d4cf 25091052 wireshark_1.12.1+g01b65bf.orig.tar.xz
 e2322b97f69a50e4d07ae190fc678d43985f6fddca55acf29ac8c51bde4dfeb0 202824 wireshark_1.12.1+g01b65bf-4+deb8u18.debian.tar.xz
 c129991fa96c35a6249dd2cd801c6e604f02be2db819f9e0fa50c705cdc3786b 183150 wireshark-common_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 bd09a0024876eac9edce47aaead43583734da6f075f3c7aa23923589dcfb6e85 790812 wireshark_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 707009b6d59da9d6903ba0ca15efd560a1292dfdd39554c48a6f6ebb3d876573 1067090 wireshark-qt_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 0c634d2603b22c86b3bde07784abf9abf4b16b4e2806789e559a6ed1a52859f8 164000 tshark_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 bff0619a53874689850ad3b8d488530a0aeda6dc49973783e693bb60f687e684 147042 wireshark-dev_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 1ff0586f3cd3216214c5344b5f0247ba541cf62d821f729b7ca7f9a12a6445ba 38776940 wireshark-dbg_1.12.1+g01b65bf-4+deb8u18_amd64.deb
 5c4f944e4ae9186982c8cad718a9659ced3e924d23b74bc4cdb3550639bb178e 3872706 wireshark-doc_1.12.1+g01b65bf-4+deb8u18_all.deb
 e67119f086889e171272275b484771af90c048e49278e9689d543524526b6043 11261306 libwireshark5_1.12.1+g01b65bf-4+deb8u18_amd64.deb
Re: firmware-nonfree update
On Tue, 2019-03-05 at 22:00 +, Ben Hutchings wrote:
> On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
[...]
> > (It may be unlikely for old suites to have users with new hardware, however it's
> > possible and users that don't have it will be unaffected by the new firmware, so
> > it wouldn't hurt to ship it.)
> >
> > My branch is for jessie but I can prepare it for stretch too if you think that's
> > worth it.
>
> The current jessie-security version of firmware-nonfree is really a
> backport from stretch. So I would prefer it if you update the stretch
> branch first and then merge that to jessie-security.

I've merged your changes to stretch, uploaded to stretch, and then merged stretch to jessie-security. Let me know if you want to do the upload to jessie-security or if I should do it.

Ben.

-- 
Ben Hutchings
I'm not a reverse psychological virus. Please don't copy me into your signature.

signature.asc
Description: This is a digitally signed message part
Re: ghostscript testing
On 25/03/2019 16:11, Sylvain Beucler wrote:
> Hi,
>
> I prepared an update for ghostscript.
> https://people.debian.org/~beuc/lts/ghostscript/
>
> Even if we recently rebased to the latest upstream in jessie, the
> upstream patches did not apply cleanly and I did my best to replicate
> the changes.
> Note: we ship a 9.26*a* version which upstream does not provide publicly
> AFAICS (plus it was dfsg-modified), but the conflicts are due to
> upstream's master branch.
>
> Upstream seems to keep their test suite private. The documentation
> references a "smoke.ps" file that was removed years ago, and even then it
> depended on PS files that I cannot locate.
> https://www.ghostscript.com/doc/9.26/Release.htm#Testing
>
> Is there a known test suite for ghostscript?
> (or maybe we should just wait for some 9.26

[hit a shortcut by accident]

(or maybe we should just wait for some 9.26b and backport it?)

Cheers!
Sylvain
ghostscript testing
Hi,

I prepared an update for ghostscript.
https://people.debian.org/~beuc/lts/ghostscript/

Even if we recently rebased to the latest upstream in jessie, the upstream patches did not apply cleanly and I did my best to replicate the changes.
Note: we ship a 9.26*a* version which upstream does not provide publicly AFAICS (plus it was dfsg-modified), but the conflicts are due to upstream's master branch.

Upstream seems to keep their test suite private. The documentation references a "smoke.ps" file that was removed years ago, and even then it depended on PS files that I cannot locate.
https://www.ghostscript.com/doc/9.26/Release.htm#Testing

Is there a known test suite for ghostscript?
(or maybe we should just wait for some 9.26

Cheers!
Sylvain
[SECURITY] [DLA 1728-1] openssh security update
Package        : openssh
Version        : 1:6.7p1-5+deb8u8
CVE ID         : CVE-2018-20685 CVE-2019-6109 CVE-2019-6111
Debian Bug     : 793412 919101 923486

Multiple scp client vulnerabilities have been discovered in OpenSSH, the premier connectivity tool for secure remote shell login and secure file transfer.

CVE-2018-20685

    In scp.c, the scp client allowed remote SSH servers to bypass intended access restrictions via a filename of "." or an empty filename. The impact was modifying the permissions of the target directory on the client side.

CVE-2019-6109

    Due to missing character encoding in the progress display, a malicious server (or man-in-the-middle attacker) was able to employ crafted object names to manipulate the client output, e.g. by using ANSI control codes to hide additional files being transferred. This affected refresh_progress_meter() in progressmeter.c.

CVE-2019-6111

    Because the scp implementation is derived from the 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performed cursory validation of the object name returned (only directory traversal attacks were prevented). A malicious scp server (or man-in-the-middle attacker) was able to overwrite arbitrary files in the scp client target directory. If a recursive operation (-r) was performed, the server was able to manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

For Debian 8 "Jessie", these problems have been fixed in version 1:6.7p1-5+deb8u8.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net

signature.asc
Description: PGP signature
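The three CVEs above are all failures to treat a server-chosen filename as untrusted input on the client side. The C below is an added example of the sink-side checks that close them, modelled on the fixes the advisory describes but not copied from OpenSSH: the function names, the use of the user's own request as the fnmatch(3) pattern, and the backslash-octal escape format are this example's own choices.

```c
/*
 * Added example: the sink-side checks an scp client should apply to every
 * filename a server sends. Modelled on the fixes listed in DLA 1728-1, not
 * copied from OpenSSH; the function names and the octal escape format are
 * this example's own choices.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/*
 * Accept a server-supplied name only if it cannot re-target the destination
 * directory (CVE-2018-20685), cannot traverse into another path, and matches
 * what the user actually asked for (CVE-2019-6111). `request` is the name or
 * glob from the user's command line, e.g. "*.log" or "report.txt"; a plain
 * name is a glob without metacharacters, so fnmatch(3) covers both cases.
 * Returns 1 to accept the name, 0 to reject it.
 */
int scp_sink_name_ok(const char *name, const char *request)
{
    if (name == NULL || request == NULL || name[0] == '\0')
        return 0;                       /* empty name would act on "." */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;                       /* chmod/chown of the directory itself */
    if (strchr(name, '/') != NULL)
        return 0;                       /* path component: directory traversal */
    if (fnmatch(request, name, 0) != 0)
        return 0;                       /* not something the user requested */
    return 1;
}

/*
 * Escape control bytes in a name before it is shown in the progress meter,
 * so an ANSI sequence in a server-chosen name cannot rewrite the terminal
 * and hide other transfers (CVE-2019-6109). Bytes below 0x20 and 0x7f are
 * written as a backslash plus three octal digits; everything else is copied.
 * Returns the length written, or -1 if `out` is too small.
 */
int scp_sanitize_name(const char *name, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (outsz - n < 5)          /* "\ooo" plus the terminating NUL */
                return -1;
            n += (size_t)snprintf(out + n, outsz - n, "\\%03o", (unsigned)*p);
        } else {
            if (outsz - n < 2)
                return -1;
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if sanitizing `name` produces exactly `expected`, else 0. */
int scp_sanitized_equals(const char *name, const char *expected)
{
    char buf[256];
    return scp_sanitize_name(name, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: the user ran `scp host:'*.txt' .` and the server
       answers with one legitimate name and three that a patched client rejects. */
    const char *request = "*.txt";
    const char *sent[] = { "notes.txt", ".ssh/authorized_keys", ".", "\x1b[2Kauthorized_keys" };
    char shown[256];
    for (size_t i = 0; i < sizeof sent / sizeof sent[0]; i++) {
        scp_sanitize_name(sent[i], shown, sizeof shown);
        printf("%-28s %s\n", shown, scp_sink_name_ok(sent[i], request) ? "accept" : "reject");
    }
    return 0;
}
```

Note that the glob check is what makes the -r case safe: a server answering a request for `*.txt` with `authorized_keys` is refused even though the name contains no slash, and the escaped display name guarantees that whatever was sent is visible to the user as sent.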
Accepted openssh 1:6.7p1-5+deb8u8 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 01 Feb 2019 00:45:09 +0100
Source: openssh
Binary: openssh-client openssh-server openssh-sftp-server ssh ssh-krb5 ssh-askpass-gnome openssh-client-udeb openssh-server-udeb
Architecture: source amd64 all
Version: 1:6.7p1-5+deb8u8
Distribution: jessie-security
Urgency: medium
Maintainer: Debian OpenSSH Maintainers
Changed-By: Mike Gabriel
Description:
 openssh-client - secure shell (SSH) client, for secure access to remote machines
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell (SSH) server, for secure access from remote machines
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 openssh-sftp-server - secure shell (SSH) sftp server module, for SFTP access from remot
 ssh        - secure shell client and server (metapackage)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Changes:
 openssh (1:6.7p1-5+deb8u8) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-20685: Disallow empty incoming filename or ones that refer to the
     current directory; based on report/patch from Harry Sintonen.
   * CVE-2019-6109: Sanitize scp filenames via snmprintf. To do this we move
     the progressmeter formatting outside of signal handler context and have
     the atomicio callback called for EINTR, too.
   * CVE-2019-6111: Check in scp client that filenames sent during
     remote->local directory copies satisfy the wildcard specified by the user.
Checksums-Sha1:
 936ab1d04a214e1d78bccc2f44c5cf430f80ceb2 2752 openssh_6.7p1-5+deb8u8.dsc
 e41871be91b667a8affdfe42dd482ad5ff1cb04a 177024 openssh_6.7p1-5+deb8u8.debian.tar.xz
 62d90e7cf4549e2e75c6cbd3e13f9800aa0f7da6 695954 openssh-client_6.7p1-5+deb8u8_amd64.deb
 d417d9ec76403f2941c740ab72bf780938aadb30 328780 openssh-server_6.7p1-5+deb8u8_amd64.deb
 284b8ca4541d40b224705786a88a8541fb131186 38062 openssh-sftp-server_6.7p1-5+deb8u8_amd64.deb
 b20b98321a39c92fbcc3c57966b4f6596a759004 121092 ssh_6.7p1-5+deb8u8_all.deb
 da6cdf00f757ef32f0f90da362e42c639bec6671 120628 ssh-krb5_6.7p1-5+deb8u8_all.deb
 f4865729ffe558001b1b3f1223fafb9f50c53e36 128654 ssh-askpass-gnome_6.7p1-5+deb8u8_amd64.deb
 49b968beca3a6fdeb168247ec617a914f052b9ee 262036 openssh-client-udeb_6.7p1-5+deb8u8_amd64.udeb
 8013734c5d4090c51b7e1387c4d8cd0905e0f4a1 282566 openssh-server-udeb_6.7p1-5+deb8u8_amd64.udeb
Checksums-Sha256:
 c5f97a39da07b386f11cd0da09d6ca9915f6c33b62dab6b86abfa33499cd7f17 2752 openssh_6.7p1-5+deb8u8.dsc
 64a4d6fb4dd402bc95a23c3e3422ba177e3d59b294249fd80009b7d28f9810b0 177024 openssh_6.7p1-5+deb8u8.debian.tar.xz
 50bf902cc680fd1442556325e47d892f24621d7f0c4baf826f298d737a1e8030 695954 openssh-client_6.7p1-5+deb8u8_amd64.deb
 985012d5c9957265f8ff7a798ded28108019fa6abf571fa4be140523fba6ffde 328780 openssh-server_6.7p1-5+deb8u8_amd64.deb
 52c36b2492e6fbd8948340943064f58619572000ee93193a35bd547541f100e4 38062 openssh-sftp-server_6.7p1-5+deb8u8_amd64.deb
 809fb28102aac5ded2cb6740cf36c5449c3f0c42f5c469265fc2ea8dc3ddc1bd 121092 ssh_6.7p1-5+deb8u8_all.deb
 647245073a22c66f9e82e08e5cdcf8449357dabb312435633ff55f4652e3d921 120628 ssh-krb5_6.7p1-5+deb8u8_all.deb
 41e459d51671ee94c45d4dc7094b627aa11cce197993d6fcb16368c63f2d87ae 128654 ssh-askpass-gnome_6.7p1-5+deb8u8_amd64.deb
 d33b40b679dcf36397e326e46566a1e4b7b3edf1d13d6634c6ef44bde652ad85 262036 openssh-client-udeb_6.7p1-5+deb8u8_amd64.udeb
 8694b9ca999ee9f86768d43e71dd35741d62ccd5eb6575ce0b8b580b2f90cc4c 282566 openssh-server-udeb_6.7p1-5+deb8u8_amd64.udeb
Files:
 91ef5456d83e691c05728718566e20b8 2752 net standard openssh_6.7p1-5+deb8u8.dsc
 70a980feabd0efb3f0f0684f2e79390a 177024 net standard openssh_6.7p1-5+deb8u8.debian.tar.xz
 716470ea992234058424c5c6d929eb1e 695954 net standard openssh-client_6.7p1-5+deb8u8_amd64.deb
 e5060c3022a0439be5ef81594fd48c3a 328780 net optional openssh-server_6.7p1-5+deb8u8_amd64.deb
 4cba32e87e90db608324f939a005 38062 net optional openssh-sftp-server_6.7p1-5+deb8u8_amd64.deb
 23ac53ac4d2f818c06fd0888a06cb0c0 121092 net extra ssh_6.7p1-5+deb8u8_all.deb
 673528d9de9ebbd5151502a00707fa40 120628 oldlibs extra ssh-krb5_6.7p1-5+deb8u8_all.deb
 2b49818fc605d1b065adbb64ff541bb7 128654 gnome optional ssh-askpass-gnome_6.7p1-5+deb8u8_amd64.deb
 5d11d68fe297ce2acdd72747760c4fd6 262036 debian-installer optional openssh-client-udeb_6.7p1-5+deb8u8_amd64.udeb
 9ea2567f9482431dff2a32f13edbb033 282566 debian-installer optional openssh-server-udeb_6.7p1-5+deb8u8_amd64.udeb
[SECURITY] [DLA 1726-1] bash security update
Package        : bash
Version        : 4.3-11+deb8u2
CVE ID         : CVE-2016-9401 CVE-2019-9924

Two issues have been fixed in bash, the GNU Bourne-Again Shell:

CVE-2016-9401

    The popd builtin segfaulted when called with negative out-of-range offsets.

CVE-2019-9924

    Sylvain Beucler discovered that it was possible to call commands that contained a slash when in restricted mode (rbash) by adding them to the BASH_CMDS array.

For Debian 8 "Jessie", these problems have been fixed in version 4.3-11+deb8u2.

We recommend that you upgrade your bash packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS