[SECURITY] [DLA 1761-1] ghostscript security update

2019-04-23 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: ghostscript
Version: 9.26a~dfsg-0+deb8u2
CVE ID : CVE-2019-3835 CVE-2019-3838
Debian Bug : 925256 925257

Cedric Buissart discovered two vulnerabilities in Ghostscript, the GPL
PostScript/PDF interpreter, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For Debian 8 "Jessie", these problems have been fixed in version
9.26a~dfsg-0+deb8u2.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
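A defender's check for this advisory, added here and not part of the DLA: compare an installed ghostscript version string against the fixed version 9.26a~dfsg-0+deb8u2 using a Python port of dpkg's version ordering, so that the `~dfsg` suffix and the `+deb8u2` revision are compared the way `dpkg --compare-versions` would. The port, the `is_fixed` helper and the sample version strings other than the advisory's own are this example's, not Debian's code.

```python
# Added example, not part of the advisory: decide whether an installed
# ghostscript version is at or above the fix named in DLA 1761-1, using a
# Python port of dpkg's version ordering (Debian Policy 5.6.12). The rule that
# matters here is the tilde: "~" sorts before anything, even the end of the
# string, so 9.26a~dfsg is OLDER than 9.26a and 1.0~rc1 is OLDER than 1.0.
import re
from itertools import zip_longest

DLA_1761_1_FIXED = "9.26a~dfsg-0+deb8u2"  # taken from the advisory text

def _order(c):
    """dpkg character weight: end-of-run 0, '~' -1, letters ASCII, else ASCII+256."""
    if c == "":
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings: <0, 0 or >0."""
    # dpkg alternates: a non-digit run compared character-wise via _order(),
    # then a digit run compared numerically, until both strings are exhausted.
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    for x, y in zip(_split(a), _split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

def is_fixed(installed, fixed=DLA_1761_1_FIXED):
    """True when the installed ghostscript version carries the DLA 1761-1 fix."""
    return compare_versions(installed, fixed) >= 0
```

Feed `is_fixed` the output of `dpkg-query -W -f='${Version}' ghostscript`; note that a package with an epoch (for example a locally built `1:` version) compares as newer regardless of the upstream number, which is why the epoch is checked first.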



Re: debhelper and friends for LTS

2019-04-23 Thread Adrian Bunk
On Tue, Apr 23, 2019 at 12:46:54PM +0200, Ondřej Surý wrote:
> Hey,
> 
> the jessie-backports removal itself is a logical step and it’s good that it 
> was done.
> 
> That said, it complicates things a lot when backporting packages to Jessie. 
> Usually, it’s fine to just pull $random extra library to the extra 
> repository, but debhelper and friends is a different beast, as it often 
> requires upgrades in steps, or pulling some extra packages or dropping them, 
> etc.

The packages are still available after the removal:
  deb [check-valid-until=no] http://archive.debian.org/debian jessie-backports main

> This is now especially painful with the differences between debhelper compat 
> 9/10 and 11/12 as those changes require reverting lots of tiny bits in the 
> source packages as more and more gets converted to v12.
>
> I don’t have a good solution for this, but keeping the debhelper and friends 
> (dpkg-dev, dh_) in an extra suite would be very much helpful for people 
> like me backporting bigger stacks to Jessie. I provide PHP (5.6, 7.0 and up), 
> apache2, nginx, ... and it’s very painful from time to time.
>...

AFAIK debhelper >= 11 was never in jessie-backports-sloppy.

And the requirement to backport packages like cmake or meson from buster 
would make it *very* painful for anyone trying to backport debhelper 12 
to jessie.

> Cheers,
> Ondrej

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed



Accepted ghostscript 9.26a~dfsg-0+deb8u2 (source all amd64) into oldstable

2019-04-23 Thread Sylvain Beucler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 23 Apr 2019 12:15:13 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common 
libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.26a~dfsg-0+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team 
Changed-By: Sylvain Beucler 
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug 
symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - 
Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 
support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common 
file
Closes: 925256 925257
Changes:
 ghostscript (9.26a~dfsg-0+deb8u2) jessie-security; urgency=high
 .
   [Sylvain Beucler]
   * Non-maintainer upload by the LTS team.
   * Backport 9.26a~dfsg-0+deb9u2 to jessie.
 .
   [Salvatore Bonaccorso]
   * Have gs_cet.ps run from gs_init.ps
   * Undef /odef in gs_init.ps
   * Restrict superexec and remove it from internals and gs_cet.ps
 (CVE-2019-3835) (Closes: #925256)
   * Obliterate "superexec". We don't need it, nor do any known apps
 (CVE-2019-3835) (Closes: #925256)
   * Make a transient proc executeonly (in DefineResource) (CVE-2019-3838)
 (Closes: #925257)
   * an extra transient proc needs executeonly'ed (CVE-2019-3838)
 (Closes: #925257)




debhelper and friends for LTS

2019-04-23 Thread Ondřej Surý
Hey,

the jessie-backports removal itself is a logical step and it’s good that it was 
done.

That said, it complicates things a lot when backporting packages to Jessie. 
Usually, it’s fine to just pull $random extra library to the extra repository, 
but debhelper and friends is a different beast, as it often requires upgrades 
in steps, or pulling some extra packages or dropping them, etc.

This is now especially painful with the differences between debhelper compat 
9/10 and 11/12 as those changes require reverting lots of tiny bits in the 
source packages as more and more gets converted to v12.

I don’t have a good solution for this, but keeping the debhelper and friends 
(dpkg-dev, dh_) in an extra suite would be very much helpful for people 
like me backporting bigger stacks to Jessie. I provide PHP (5.6, 7.0 and up), 
apache2, nginx, ... and it’s very painful from time to time.

(As a side remark, I would love to see Debian to settle on one way of 
maintaining packages, as packages in SVN or even without any SCM are also 
pain...)

Cheers,
Ondrej
--
Ondřej Surý 


Re: Re: Removal of Wheezy and Jessie (except LTS) from mirrors

2019-04-23 Thread Ben Hutchings
[Redirecting to debian-lts list, for real]

On Tue, 2019-04-23 at 08:54 +, Michael Firth wrote:
> Hi,
> 
> It would be useful if there were information somewhere on the
> following for Debian Jessie LTS architectures:
> 
> 
>   1.  What should we be using as our source.list file?

The same as before, minus jessie-backports if you used that.

>   2.  Which of the jessie repositories that existed until mid-March
> have now gone? (from a release that is supposed to still have some
> support for another year)

None of them.  jessie-updates was mistakenly removed and has now been
restored as an empty suite.

>   3.  What happens / happened to packages where the latest version
> was in those repositories? (in particular packages that were from the
> "deb http://deb.debian.org/debian/ jessie-updates main" line or
> equivalent on other mirrors)

There weren't any newer versions in jessie-updates.

> It does seem a little unfair to EOL and delete repositories from a
> release that is supposed to be LTS with virtually no notice it was
> happening.
> 
> And just saying "we're removing this stuff", without giving any
> guidance on what LTS users should / need to do is rather unhelpful.

I think the intent was that you would not need to do anything, so that
no guidance was needed.  Obviously that didn't quite work out as the
removal of jessie-updates resulted in error messages.  In future, the
-updates suite will not be removed until end of LTS.

As for jessie-backports, the removal was announced in July 2018.

Ben.

> OK, I am a little late to pick up on this, but I'm sure there are
> other people still running some Jessie systems who only run update
> commands on them every month or so.
-- 
Ben Hutchings
Horngren's Observation:
  Among economists, the real world is often a special case.






Re: change in LTS procedures: publish DLAs on www.debian.org

2019-04-23 Thread Sylvain Beucler
How about following the earlier instructions?

/!\ We recommend you request membership to the salsa webmaster-team group.

:)

- Sylvain

On 22/04/2019 19:33, Ola Lundqvist wrote:
> Great. Now I think I can follow the instructions. :-)
>
> On Mon, 22 Apr 2019 at 15:34, Holger Levsen  > wrote:
>
> On Mon, Apr 22, 2019 at 12:54:45PM +, Holger Levsen wrote:
> > On Mon, Apr 22, 2019 at 02:41:27PM +0200, Ola Lundqvist wrote:
> > > Thank you. I think I have successfully made a merge request now.
> > indeed you have. thank you, will merge in a bit.
>
> in the meantime someone else did the merge. :) I clarified
> https://wiki.debian.org/LTS/Development#Prepare_an_update_for_the_website
> further, review welcome.
>
>
> -- 
> tschau,
>         Holger
>
> 
> ---
>                holger@(debian|reproducible-builds|layer-acht).org
>        PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856
> 069A AA1C
>
>
>
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology 
> |  o...@inguza.com                  
>   o...@debian.org             |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---
>