Re: ghostscript testing
Hi,

On 26.03.19 at 15:55, Sylvain Beucler wrote:
[...]
> Markus, I read in the archives that you backported fixes in earlier
> security uploads - any other tip? :)

I did all the testing myself by setting up a Jessie environment and then I tested with the POCs and the command line tools to spot any regressions. I could reproduce all issues, so at one point I was confident the problem at hand was solved. Without an extensive test suite or a reproducer this is quite challenging. Since we made the decision to follow new upstream releases, we just have to make sure that reverse-dependencies keep working. So I would do some smoke testing and verify that the reported problem is fixed.

Regards,

Markus
Re: jessie-updates gone
On 26.03.19 at 15:27, Matus UHLAR - fantomas wrote:
>> On Tue, 26 Mar 2019, Jakob Hirsch wrote:
>>> so I noticed this morning that jessie-updates is gone from the mirrors.
>>> After some research, I found that this was kind of announced in
>>> https://lists.debian.org/debian-devel-announce/2019/03/msg6.html.
>>> Question is now, what should I put in my sources.list? I used
>>> https://wiki.debian.org/LTS/Using#Using_Debian_Long_Term_Support_.28LTS.29
>>>
>>> as the authoritative source, but this is obviously outdated now.
>>>
>>> So, am I ok by just using these two?
>
> On 26.03.19 11:37, Alexander Wirt wrote:
>> It's deprecated and unsupported for some time now, please stop using it.
>
> It was working since jessie was released, so anyone using jessie will
> apparently have it in sources.list.
>
> I believe one of LTS goals was to continue without need for changing
> sources.list.

[...]

I believe Alexander confused jessie-backports with jessie-updates. I agree that this change should have been better communicated on the list beforehand. Please be assured that neither jessie-updates nor jessie-proposed are needed anymore and can be safely removed.

Regards,

Markus
Re: jessie-updates gone
Hi,

On 26.03.19 at 20:59, Pierre Fourès wrote:
[...]
> I've got the same understanding of the situation and suspect I'm
> missing nothing as all updates are supposed to be included in the main
> repository of revision 8.11. Nonetheless, I would truly appreciate
> some clear feedback on it that all is fine without jessie-updates
> (and/or get it back).

You only need the following lines in your sources.list. The -proposed and -updates repositories are not used in LTS. We publish all our updates via jessie-security.

deb http://deb.debian.org/debian/ jessie main contrib non-free
deb-src http://deb.debian.org/debian/ jessie main contrib non-free

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

Regards,

Markus
Re: jessie-updates gone
On Tue, 26 Mar 2019 at 15:27, Matus UHLAR - fantomas wrote:
> It was working since jessie was released, so anyone using jessie will
> apparently have it in sources.list.
>
> I believe one of LTS goals was to continue without need for changing
> sources.list.

As being still active (as part of the LTS effort), I would also have expected jessie to work without fiddling with the sources.list. Even if proposed as an empty repository, this would be nice to have jessie-updates/ on the mirrors. I guess this could save many hours around the globe of sysadmins wondering what has happened to their instances and/or install process and if it's ok or not to have lost jessie-updates.

> I also believe that after last point release all stuff was moved to main
> archive, so jessie-updates was supposed to be empty.

I've got the same understanding of the situation and suspect I'm missing nothing as all updates are supposed to be included in the main repository of revision 8.11. Nonetheless, I would truly appreciate some clear feedback on it that all is fine without jessie-updates (and/or get it back).
Re: firmware-nonfree update
On Tue, 2019-03-26 at 17:51 +0100, Emilio Pozuelo Monfort wrote:
> On 25/03/2019 18:20, Ben Hutchings wrote:
> > On Tue, 2019-03-05 at 22:00 +, Ben Hutchings wrote:
> > > On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
> > [...]
> > > > (It may be unlikely for old suites to have users with new hardware, however it's
> > > > possible and users that don't have it will be unaffected by the new firmware, so
> > > > it wouldn't hurt to ship it.)
> > > >
> > > > My branch is for jessie but I can prepare it for stretch too if you think that's
> > > > worth it.
> > >
> > > The current jessie-security version of firmware-nonfree is really a
> > > backport from stretch. So I would prefer it if you update the stretch
> > > branch first and then merge that to jessie-security.
> >
> > I've merged your changes to stretch, uploaded to stretch, and then
> > merged stretch to jessie-security. Let me know if you want to do the
> > upload to jessie-security or if I should do it.
>
> I don't mind either way. We should use -4~deb8u2 rather than -5~deb8u1 so that
> we don't (temporarily) have a higher version in jessie than stretch until the
> point release.

I disagree. An upgrade should not undo security fixes, if we can avoid it.

Ben.

-- 
Ben Hutchings
Beware of bugs in the above code; I have only proved it correct, not tried it. - Donald Knuth
Re: firmware-nonfree update
On 25/03/2019 18:20, Ben Hutchings wrote:
> On Tue, 2019-03-05 at 22:00 +, Ben Hutchings wrote:
>> On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
> [...]
>>> (It may be unlikely for old suites to have users with new hardware, however it's
>>> possible and users that don't have it will be unaffected by the new firmware, so
>>> it wouldn't hurt to ship it.)
>>>
>>> My branch is for jessie but I can prepare it for stretch too if you think that's
>>> worth it.
>>
>> The current jessie-security version of firmware-nonfree is really a
>> backport from stretch. So I would prefer it if you update the stretch
>> branch first and then merge that to jessie-security.
>
> I've merged your changes to stretch, uploaded to stretch, and then
> merged stretch to jessie-security. Let me know if you want to do the
> upload to jessie-security or if I should do it.

I don't mind either way. We should use -4~deb8u2 rather than -5~deb8u1 so that we don't (temporarily) have a higher version in jessie than stretch until the point release.

Emilio
(E)LTS report for February
Hi,

(late report, sorry for the delay)

During the month of February, I spent 20.5 hours working on LTS on the following tasks:

- testing new install media
- CVE triaging
- coturn security update
- ghostscript security update
- firefox-esr security update
- thunderbird security update
- reviewed and discussed gsoap ABI break
- started with firmware-nonfree update
- rdesktop security update
- systemd security update

I also spent 12h on ELTS:

- mysql-5.5 status review
- repository improvements
- systemd security update

Cheers,
Emilio
Re: ghostscript testing
Hi,

On 25/03/2019 16:13, Sylvain Beucler wrote:
> On 25/03/2019 16:11, Sylvain Beucler wrote:
>> Hi,
>>
>> I prepared an update for ghostscript.
>> https://people.debian.org/~beuc/lts/ghostscript/
>>
>> Even if we recently rebased to the latest upstream in jessie, the
>> upstream patches did not apply cleanly and I did my best to replicate
>> the changes.
>> Note: we ship a 9.26*a* version which upstream does not provide publicly
>> AFAICS (plus it was dfsg-modified), but the conflicts are due to
>> upstream's master branch.
>>
>> Upstream seems to keep their test suite private. The documentation
>> references a "smoke.ps" file that was removed years ago, and even then it
>> depended on PS files that I cannot locate.
>> https://www.ghostscript.com/doc/9.26/Release.htm#Testing
>>
>> Is there a known test suite for ghostscript?
>> (or maybe we should just wait for some 9.26
> [hit a shortcut by accident]
>
> (or maybe we should just wait for some 9.26b and backport it?)

Emilio kindly provided some info in private. Debian Security intends to ship 9.27 when it comes out, so I'll probably follow suit, given my limited understanding of PostScript and the lack of test suite.

Emilio got the info privately as the previous uploader. In the spirit of our continued transparency I would recommend to make recaps such as this one on the list, because browsing archives is usually informative and time-saving :)

The previous ghostscript upload also benefited from private real-life testing on a cluster that was since then upgraded to squeeze, so ghostscript testing remains an open issue. Another argument in favor of going with 9.27.

Markus, I read in the archives that you backported fixes in earlier security uploads - any other tip? :)

Cheers!
Sylvain
Re: jessie-updates gone
On Tue, 26 Mar 2019, Jakob Hirsch wrote:
> so I noticed this morning that jessie-updates is gone from the mirrors.
> After some research, I found that this was kind of announced in
> https://lists.debian.org/debian-devel-announce/2019/03/msg6.html.
> Question is now, what should I put in my sources.list? I used
> https://wiki.debian.org/LTS/Using#Using_Debian_Long_Term_Support_.28LTS.29
> as the authoritative source, but this is obviously outdated now.
>
> So, am I ok by just using these two?

On 26.03.19 11:37, Alexander Wirt wrote:
> It's deprecated and unsupported for some time now, please stop using it.

It was working since jessie was released, so anyone using jessie will apparently have it in sources.list.

I believe one of LTS goals was to continue without need for changing sources.list.

I also believe that after last point release all stuff was moved to main archive, so jessie-updates was supposed to be empty.

I did comment it out on all jessie machines:

"sed -i -e '/jessie-updates/s/^#*/#/' /etc/apt/sources.list"

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
[SECURITY] [DLA 1730-1] libssh2 security update
Package: libssh2
Version: 1.4.3-4.1+deb8u2
CVE ID : CVE-2019-3855 CVE-2019-3856 CVE-2019-3857 CVE-2019-3858 CVE-2019-3859 CVE-2019-3860 CVE-2019-3861 CVE-2019-3862 CVE-2019-3863
Debian Bug : 924965

Several vulnerabilities have recently been discovered in libssh2, a client-side C library implementing the SSH2 protocol.

CVE-2019-3855

    An integer overflow flaw which could have led to an out of bounds write was discovered in libssh2 in the way packets were read from the server. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3856

    An integer overflow flaw, which could have led to an out of bounds write, was discovered in libssh2 in the way keyboard prompt requests were parsed. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3857

    An integer overflow flaw which could have led to an out of bounds write was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal were parsed. A remote attacker who compromised an SSH server could have been able to execute code on the client system when a user connected to the server.

CVE-2019-3858

    An out of bounds read flaw was discovered in libssh2 when a specially crafted SFTP packet was received from the server. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3859

    An out of bounds read flaw was discovered in libssh2's _libssh2_packet_require and _libssh2_packet_requirev functions. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3860

    An out of bounds read flaw was discovered in libssh2 in the way SFTP packets with empty payloads were parsed. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3861

    An out of bounds read flaw was discovered in libssh2 in the way SSH packets with a padding length value greater than the packet length were parsed. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3862

    An out of bounds read flaw was discovered in libssh2 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload were parsed. A remote attacker who compromised an SSH server could have been able to cause a Denial of Service or read data in the client memory.

CVE-2019-3863

    A server could have sent multiple keyboard interactive response messages whose total length was greater than unsigned char max characters. This value was used as an index to copy memory, causing an out of bounds memory write error.

For Debian 8 "Jessie", these problems have been fixed in version 1.4.3-4.1+deb8u2.

We recommend that you upgrade your libssh2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
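The advisory's CVE-2019-3855 (packet length bounds) and CVE-2019-3861 (padding_length larger than packet_length) are both failures to validate peer-supplied lengths before doing arithmetic on them. The parser below is an added illustration written for this page, not libssh2's code: it frames an RFC 4253 binary packet and rejects each of those cases before any subtraction can underflow. The 35000-byte limit, the function and constant names, and the sample packets are assumptions and constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 4253 section 6.1 requires handling packets of up to 35000 bytes; anything
 * larger is treated as malformed here (an assumed limit, not libssh2's own). */
#define SSH_MAX_PACKET_LEN 35000u
#define SSH_MIN_PADDING    4u

enum ssh_parse_result {
    SSH_OK = 0,
    SSH_ERR_TRUNCATED,        /* buffer shorter than the header claims */
    SSH_ERR_PACKET_TOO_BIG,   /* packet_length above SSH_MAX_PACKET_LEN */
    SSH_ERR_PACKET_TOO_SMALL, /* cannot hold padding_length byte, type byte and padding */
    SSH_ERR_BAD_PADDING       /* padding_length would make the payload length underflow */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one decrypted packet (MAC already stripped) from buf[0..len). Every
 * length field comes from the peer and is validated before it enters any
 * arithmetic, so a hostile server cannot drive the payload length negative. */
enum ssh_parse_result ssh_parse_packet(const uint8_t *buf, size_t len,
                                       const uint8_t **payload, size_t *payload_len)
{
    if (len < 5)
        return SSH_ERR_TRUNCATED;
    uint32_t packet_length = be32(buf); /* covers padding_length byte, payload, padding */
    uint8_t padding_length = buf[4];
    if (packet_length > SSH_MAX_PACKET_LEN)
        return SSH_ERR_PACKET_TOO_BIG;
    if (packet_length < 1u + 1u + SSH_MIN_PADDING)
        return SSH_ERR_PACKET_TOO_SMALL;
    /* The sanity check behind the CVE-2019-3861 fix: reject before computing
     * packet_length - padding_length - 1; the payload must keep its type byte. */
    if (padding_length < SSH_MIN_PADDING ||
        (uint32_t)padding_length + 1u >= packet_length)
        return SSH_ERR_BAD_PADDING;
    if ((size_t)packet_length + 4u > len)
        return SSH_ERR_TRUNCATED;
    *payload = buf + 5;
    *payload_len = packet_length - padding_length - 1u;
    return SSH_OK;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t sample_good[16] = {
    0x00, 0x00, 0x00, 0x0c, 0x06,           /* packet_length 12, padding_length 6 */
    0x14, 0x01, 0x02, 0x03, 0x04,           /* 5-byte payload, type 0x14 (KEXINIT) */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };   /* 6 bytes of random padding (zeroed here) */
const uint8_t sample_bad_padding[16] = {
    0x00, 0x00, 0x00, 0x0c, 0xc8,           /* padding_length 200 > packet_length 12 */
    0x14, 0x01, 0x02, 0x03, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
const uint8_t sample_huge[5] = { 0xff, 0xff, 0xff, 0xff, 0x04 };

/* Convenience wrapper: payload length on success, negated error code otherwise. */
long parse_sample(const uint8_t *buf, size_t len)
{
    const uint8_t *p; size_t n;
    enum ssh_parse_result r = ssh_parse_packet(buf, len, &p, &n);
    return r == SSH_OK ? (long)n : -(long)r;
}
```

Passing `sample_good` with a shorter `len` than its header claims exercises the truncation path the same way a short read from the socket would.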
Accepted libssh2 1.4.3-4.1+deb8u2 (source amd64) into oldstable
Format: 1.8
Date: Mon, 25 Mar 2019 15:10:21 +0100
Source: libssh2
Binary: libssh2-1 libssh2-1-dev libssh2-1-dbg
Architecture: source amd64
Version: 1.4.3-4.1+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Mikhail Gusarov
Changed-By: Mike Gabriel
Description:
 libssh2-1 - SSH2 client-side library
 libssh2-1-dbg - SSH2 client-side library (debug package)
 libssh2-1-dev - SSH2 client-side library (development headers)
Closes: 924965
Changes:
 libssh2 (1.4.3-4.1+deb8u2) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team. (Closes: #924965).
   * CVE-2019-3855: Do packet length bounds check in _libssh2_transport_read() (src/transport.c).
   * CVE-2019-3856, CVE-2019-3863: Bounds checks in userauth_keyboard_interactive() (src/userauth.c).
   * CVE-2019-3857: Fix possible out zero byte/incorrect bounds allocation in _libssh2_packet_add() (src/packet.c).
   * CVE-2019-3858: Prevent zero-byte allocation in sftp_packet_read() which could lead to an out-of-bounds read.
   * CVE-2019-3859: Response length check in session_startup() (src/transport.c), and bounds checks in various functions (src/kex.c, src/channel.c).
   * CVE-2019-3860: Add a required_size parameter to sftp_packet_require et. al. to require callers of these functions to handle packets that are too short.
   * CVE-2019-3861: Sanitize padding_length - _libssh2_transport_read(). This prevents an underflow resulting in a potential out-of-bounds read if a server sends a too-large padding_length, possibly with malicious intent.
   * CVE-2019-3862: Additional length checks to prevent out-of-bounds reads and writes in _libssh2_packet_add().
Re: Re: jessie-updates gone
Hi Jakob,

I just stumbled on the same issue. I reported it on debian-user@ instead, in the thread [1]. I also found afterward that it was kind of announced on debian-devel-announce@ but I would not have thought to look there either. But as you said, this is a low traffic list, so I subscribed to it.

I'm also concerned by the impact of not having jessie-updates/ anymore. Are the updates reintegrated somewhere? Is it a null-sum reorganisation? On a separate thread [2], Bernie Elbourn reported a lot of pending upgrades since the removal of jessie-updates/. I thus wonder if it really works as expected just to remove the jessie-updates/ entry from our /etc/apt/sources.list? Could somebody confirm or infirm it?

Regards,
Pierre.

[1] : https://lists.debian.org/debian-user/2019/03/msg00765.html
[2] : https://lists.debian.org/debian-user/2019/03/msg00775.html

PS: I hadn't yet subscribed to the debian-lts@ list before expecting to answer this thread, so I have no mail to reply to. I hope the mailto link will work accordingly. My apologies in case it doesn't.
Re: jessie-updates gone
On 2019-03-26 11:37, Alexander Wirt wrote:
>> so I noticed this morning that jessie-updates is gone from the mirrors.
> It's deprecated and unsupported for some time now, please stop using it.

You mean jessie-updates, right? So I will happily remove it from my sources.list. So using just the remaining two lines is ok then?

Thanks for your quick reaction, I see that the wiki is already updated, too.

I wonder what's the best way to notice such things earlier... AFAICS, it was not on debian-announce. There was a (vague) announcement on debian-devel-announce, but the list has a little too much organizational stuff (for me at least), traffic is low though.
Re: jessie-updates gone
On Tue, 26 Mar 2019, Jakob Hirsch wrote:
> Hi,
>
> so I noticed this morning that jessie-updates is gone from the mirrors.
> After some research, I found that this was kind of announced in
> https://lists.debian.org/debian-devel-announce/2019/03/msg6.html.
> Question is now, what should I put in my sources.list? I used
> https://wiki.debian.org/LTS/Using#Using_Debian_Long_Term_Support_.28LTS.29
> as the authoritative source, but this is obviously outdated now.
>
> So, am I ok by just using these two?

It's deprecated and unsupported for some time now, please stop using it.

Alex
jessie-updates gone
Hi,

so I noticed this morning that jessie-updates is gone from the mirrors. After some research, I found that this was kind of announced in https://lists.debian.org/debian-devel-announce/2019/03/msg6.html. Question is now, what should I put in my sources.list? I used https://wiki.debian.org/LTS/Using#Using_Debian_Long_Term_Support_.28LTS.29 as the authoritative source, but this is obviously outdated now.

So, am I ok by just using these two?

deb http://deb.debian.org/debian/ jessie main contrib non-free
deb http://security.debian.org/ jessie/updates main contrib non-free

TIA
Jakob