Re: Firefox insecure because of missing extensions
Hi,

On 06/05/2019 23:33, Sylvain Beucler wrote:
> On 06/05/2019 15:47, Hideki Yamane wrote:
>> On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote:
>>> Package: firefox-esr
>>> Version: 60.6.1esr-1~deb8u1
>> It was already done in unstable and stable-proposed-updates, and
>> reporter asks about oldstable, so CC:ed to lts mailing list.
>>
>> LTS maintainers, could you build it for oldstable, please?
> I'm rebuilding the new version with the previous oldstable changes.
> (any estimated time for parallel build 4CPU/SSD?)
>
> If the build succeeds and if I can install extensions again, I'll upload
> to LTS.

https://lists.debian.org/debian-lts-announce/2019/05/msg9.html

Packages should be building now :)

Cheers!
Sylvain
[SECURITY] [DLA 1780-1] firefox-esr new upstream version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : firefox-esr
Version        : 60.6.2esr-1~deb8u1
Debian Bug     : 928415 928449 928509

Firefox 60.6.2 ESR repairs a certificate chain issue that caused
extensions to be disabled in the past few days. More information, and
details of known remaining issues, can be found at
https://www.mozilla.org/firefox/60.6.2/releasenotes/ and
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Installing this update will re-enable any extensions that were disabled
due to this issue. Extensions installed from Debian packages were not
affected.

For Debian 8 "Jessie", this problem has been fixed in version
60.6.2esr-1~deb8u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlzQ0nYACgkQj/HLbo2J
BZ+OOQgArZOatJ05dmqz4yPmaNgdAlyscgTQNwW4IhWq+eGB1Pyn5MgbDTSpcS8t
+6+P13uV5cwsaSrJj3u/kZyIdM5i9GHkfm8l2jxmtDnoXnrgMbyhmJi9ZUqOGPG/
XeRM11aox63ZN9G0auxPvV8i0kxSofOdTS3z7KF0il1NLC3lApSXos07wqcL48Ie
acupvV3WKGAcoElpIw9Q5VGzrOIbvVnontSuIWWpSsTcJYMPleULpoXuiH1v/L5U
Iosv3wnV0CWX6D9P9pS9RnQ5+Tsyywz2LHj9msPrUDikG92G9ptmWYA0L0/akz0M
/X9Ur50z38q48cfYZ/1Ffqu/sbJTOw==
=X1Uv
-----END PGP SIGNATURE-----
Accepted firefox-esr 60.6.2esr-1~deb8u1 (source amd64 all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 6 May 2019 21:52:00 +0200
Source: firefox-esr
Binary: firefox-esr iceweasel firefox-esr-dbg iceweasel-dbg firefox-esr-l10n-all iceweasel-l10n-all firefox-esr-l10n-ach iceweasel-l10n-ach firefox-esr-l10n-af iceweasel-l10n-af firefox-esr-l10n-an iceweasel-l10n-an firefox-esr-l10n-ar iceweasel-l10n-ar firefox-esr-l10n-as iceweasel-l10n-as firefox-esr-l10n-ast iceweasel-l10n-ast firefox-esr-l10n-az iceweasel-l10n-az firefox-esr-l10n-be iceweasel-l10n-be firefox-esr-l10n-bg iceweasel-l10n-bg firefox-esr-l10n-bn-bd iceweasel-l10n-bn-bd firefox-esr-l10n-bn-in iceweasel-l10n-bn-in firefox-esr-l10n-br iceweasel-l10n-br firefox-esr-l10n-bs iceweasel-l10n-bs firefox-esr-l10n-ca iceweasel-l10n-ca firefox-esr-l10n-cak iceweasel-l10n-cak firefox-esr-l10n-cs iceweasel-l10n-cs firefox-esr-l10n-cy iceweasel-l10n-cy firefox-esr-l10n-da iceweasel-l10n-da firefox-esr-l10n-de iceweasel-l10n-de firefox-esr-l10n-dsb iceweasel-l10n-dsb firefox-esr-l10n-el iceweasel-l10n-el firefox-esr-l10n-en-gb iceweasel-l10n-en-gb firefox-esr-l10n-en-za iceweasel-l10n-en-za firefox-esr-l10n-eo iceweasel-l10n-eo firefox-esr-l10n-es-ar iceweasel-l10n-es-ar firefox-esr-l10n-es-cl iceweasel-l10n-es-cl firefox-esr-l10n-es-es iceweasel-l10n-es-es firefox-esr-l10n-es-mx iceweasel-l10n-es-mx firefox-esr-l10n-et iceweasel-l10n-et firefox-esr-l10n-eu iceweasel-l10n-eu firefox-esr-l10n-fa iceweasel-l10n-fa firefox-esr-l10n-ff iceweasel-l10n-ff firefox-esr-l10n-fi iceweasel-l10n-fi firefox-esr-l10n-fr iceweasel-l10n-fr firefox-esr-l10n-fy-nl iceweasel-l10n-fy-nl firefox-esr-l10n-ga-ie iceweasel-l10n-ga-ie firefox-esr-l10n-gd iceweasel-l10n-gd firefox-esr-l10n-gl iceweasel-l10n-gl firefox-esr-l10n-gn iceweasel-l10n-gn firefox-esr-l10n-gu-in iceweasel-l10n-gu-in firefox-esr-l10n-he iceweasel-l10n-he firefox-esr-l10n-hi-in iceweasel-l10n-hi-in firefox-esr-l10n-hr iceweasel-l10n-hr firefox-esr-l10n-hsb iceweasel-l10n-hsb firefox-esr-l10n-hu iceweasel-l10n-hu firefox-esr-l10n-hy-am iceweasel-l10n-hy-am firefox-esr-l10n-ia iceweasel-l10n-ia firefox-esr-l10n-id iceweasel-l10n-id firefox-esr-l10n-is iceweasel-l10n-is firefox-esr-l10n-it iceweasel-l10n-it firefox-esr-l10n-ja iceweasel-l10n-ja firefox-esr-l10n-ka iceweasel-l10n-ka firefox-esr-l10n-kab iceweasel-l10n-kab firefox-esr-l10n-kk iceweasel-l10n-kk firefox-esr-l10n-km iceweasel-l10n-km firefox-esr-l10n-kn iceweasel-l10n-kn firefox-esr-l10n-ko iceweasel-l10n-ko firefox-esr-l10n-lij iceweasel-l10n-lij firefox-esr-l10n-lt iceweasel-l10n-lt firefox-esr-l10n-lv iceweasel-l10n-lv firefox-esr-l10n-mai iceweasel-l10n-mai firefox-esr-l10n-mk iceweasel-l10n-mk firefox-esr-l10n-ml iceweasel-l10n-ml firefox-esr-l10n-mr iceweasel-l10n-mr firefox-esr-l10n-ms iceweasel-l10n-ms firefox-esr-l10n-my iceweasel-l10n-my firefox-esr-l10n-nb-no iceweasel-l10n-nb-no firefox-esr-l10n-ne-np iceweasel-l10n-ne-np firefox-esr-l10n-nl iceweasel-l10n-nl firefox-esr-l10n-nn-no iceweasel-l10n-nn-no firefox-esr-l10n-oc iceweasel-l10n-oc firefox-esr-l10n-or iceweasel-l10n-or firefox-esr-l10n-pa-in iceweasel-l10n-pa-in firefox-esr-l10n-pl iceweasel-l10n-pl firefox-esr-l10n-pt-br iceweasel-l10n-pt-br firefox-esr-l10n-pt-pt iceweasel-l10n-pt-pt firefox-esr-l10n-rm iceweasel-l10n-rm firefox-esr-l10n-ro iceweasel-l10n-ro firefox-esr-l10n-ru iceweasel-l10n-ru firefox-esr-l10n-si iceweasel-l10n-si firefox-esr-l10n-sk iceweasel-l10n-sk firefox-esr-l10n-sl iceweasel-l10n-sl firefox-esr-l10n-son iceweasel-l10n-son firefox-esr-l10n-sq iceweasel-l10n-sq firefox-esr-l10n-sr iceweasel-l10n-sr firefox-esr-l10n-sv-se iceweasel-l10n-sv-se firefox-esr-l10n-ta iceweasel-l10n-ta firefox-esr-l10n-te iceweasel-l10n-te firefox-esr-l10n-th iceweasel-l10n-th firefox-esr-l10n-tr iceweasel-l10n-tr firefox-esr-l10n-uk iceweasel-l10n-uk firefox-esr-l10n-ur iceweasel-l10n-ur firefox-esr-l10n-uz iceweasel-l10n-uz firefox-esr-l10n-vi iceweasel-l10n-vi firefox-esr-l10n-xh iceweasel-l10n-xh firefox-esr-l10n-zh-cn iceweasel-l10n-zh-cn firefox-esr-l10n-zh-tw iceweasel-l10n-zh-tw
Architecture: source amd64 all
Version: 60.6.2esr-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Sylvain Beucler
Description:
 firefox-esr - Mozilla Firefox web browser - Extended Support Release (ESR)
 firefox-esr-dbg - Debugging symbols for Firefox ESR
 firefox-esr-l10n-ach - Acoli language package for Firefox ESR
 firefox-esr-l10n-af - Afrikaans language package for Firefox ESR
 firefox-esr-l10n-all - All language packages for Firefox ESR (meta)
 firefox-esr-l10n-an - Aragonese language package for Firefox ESR
 firefox-esr-l10n-ar - Arabic language package for Firefox ESR
 firefox-esr-l10n-as - Assamese language package for Firefox ESR
 firefox-esr-l10n-ast - Asturian language package for Firefox ESR
 firefox-esr-l10n-az - Azerbaijani language package for Firefox ESR
 firefox-esr-l10n-be -
Re: Firefox insecure because of missing extensions
Hi,

On 06/05/2019 15:47, Hideki Yamane wrote:
> On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote:
>> Package: firefox-esr
>> Version: 60.6.1esr-1~deb8u1
> It was already done in unstable and stable-proposed-updates, and
> reporter asks about oldstable, so CC:ed to lts mailing list.
>
> LTS maintainers, could you build it for oldstable, please?

I'm rebuilding the new version with the previous oldstable changes.
(any estimated time for parallel build 4CPU/SSD?)

If the build succeeds and if I can install extensions again, I'll upload
to LTS.

Cheers!
Sylvain
[SECURITY] [DLA 1779-1] 389-ds-base security update
Package        : 389-ds-base
Version        : 1.3.3.5-4+deb8u6
CVE ID         : CVE-2019-3883
Debian Bug     : 927939

In 389-ds-base up to version 1.4.1.2, requests were handled by worker
threads. Each socket had been waited for by the worker for at most
'ioblocktimeout' seconds. However, this timeout applied only to
un-encrypted requests. Connections using SSL/TLS were not taking this
timeout into account during reads, and may have hung longer. An
unauthenticated attacker could have repeatedly created hanging LDAP
requests to hang all the workers, resulting in a Denial of Service.

For Debian 8 "Jessie", this problem has been fixed in version
1.3.3.5-4+deb8u6.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 1778-1] symfony security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : symfony
Version        : 2.3.21+dfsg-4+deb8u5
CVE ID         : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-10913

Several security vulnerabilities have been discovered in symfony, a PHP
web application framework. Numerous symfony components are affected:
Framework Bundle, Dependency Injection, Security, HttpFoundation

CVE-2019-10909

    Validation messages were not escaped when using the form theme of
    the PHP templating engine which, when validation messages may
    contain user input, could result in an XSS.

    For further information, see the upstream advisory at
    https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

CVE-2019-10910

    Service IDs derived from unfiltered user input could result in the
    execution of any arbitrary code, resulting in possible remote code
    execution.

    For further information, see the upstream advisory at
    https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

CVE-2019-10911

    This fixes situations where part of an expiry time in a cookie
    could be considered part of the username, or part of the username
    could be considered part of the expiry time. An attacker could
    modify the remember me cookie and authenticate as a different user.
    This attack is only possible if remember me functionality is
    enabled and the two users share a password hash or the password
    hashes (e.g. UserInterface::getPassword()) are null for all users
    (which is valid if passwords are checked by an external system,
    e.g. an SSO).

    For further information, see the upstream advisory at
    https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

CVE-2019-10913

    HTTP methods, from either the HTTP method itself or using the
    X-Http-Method-Override header were previously returned as the
    method in question without validation being done on the string,
    meaning that they could be used in dangerous contexts when left
    unescaped.

    For further information, see the upstream advisory at
    https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides

For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u5.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --
Jonas Meurer
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlzQh9UACgkQUmLn/0kQ
Sf7pWxAAtYjN2qxy1HVoLYS/tG8C4I5BH5E5n2unqrkC+5djku4tg9RZf/3IpbJ6
iDQI/qWNUzbq3NvMISmPF0PnAFG+MzMgQrQZxBAZof81ZglD8c258+oESZBSJC9r
iQThGUJEKcPtMDD/2tory83Q+KtlYr8gvEZj3kOKTDw+W8ThGQ+ErfNnFBhWTnNm
iOWquQTl490155bCAn7Phaw+0MB+K8mJqSWTF8UNsyLHMiDFLTdtygzKnurjgoOW
YNbNrHbAxMd58R6i5GrtNpUnWohsF/q6fgywhN6Mxt3+ojwtsf6YKVK7pahXo/kD
uGmhf/BOl2PvIOFixWSQ9ZuYrLaS+yHt2LChvj6comPjRVelQvOomCq02DGK9gcV
NgWsro+HOTuO3KxY8AeQvIDpoMEpy5G5uiuoUt9bJxs4Dp+rics4unLWm1Q5BobE
kwBcfZ+t8llkZj0P0RyjWMKn1gP6mvGQWd+0vxVYqxfLoBF0HxQcY2+EZgigb1hR
LvXd2UFQDY3auZu6SlyahV6d66cYQoGUiMDEV7aUdmeOZcpwO8O8hFpZzmdzSXRm
2XC+OH4vR9nEHE604s8yxqEv5v6LUPAboE3FP4djSKDdXC1TXS4ls0cKKeSPQYLK
S1VmpAWlUb0AGJVP+7Krui3Fpx76HrNVFpx1MSEz+3MVcfcvFoM=
=C1Jm
-----END PGP SIGNATURE-----
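The CVE-2019-10911 entry above describes a field-boundary problem: the values protected by the remember-me hash were concatenated with nothing between them, so a digit could be moved from the expiry time into the username (or back) without changing the hashed bytes. The following is an added example written for this page, not Symfony code and not the exact Symfony cookie layout: `SECRET`, `PASSWORD_HASH`, the `alice1`/`alice` pair and all function names are constructed. The empty `PASSWORD_HASH` stands for the "password hashes are null for all users" precondition the advisory mentions, and `separated_hash` shows the shape of the fix (a delimiter the fields are not allowed to contain).

```python
"""Domain separation in an authenticated cookie (CVE-2019-10911 pattern).

Added example, not Symfony code: the fields covered by a remember-me hash
are concatenated before hashing. Without a delimiter, "alice1" followed by
expiry 5000000000 is byte-for-byte the same input as "alice" followed by
15000000000, so re-splitting a valid cookie's fields keeps the hash valid.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed; stands in for the app secret
PASSWORD_HASH = ""                    # the 'null password hash' precondition


def unseparated_hash(username: str, expires: int, password_hash: str) -> str:
    """Vulnerable shape: fields run together, so their boundary is ambiguous."""
    msg = f"{username}{expires}{password_hash}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def separated_hash(username: str, expires: int, password_hash: str) -> str:
    """Fixed shape: a delimiter the fields may not contain pins the boundary."""
    if ":" in username:
        raise ValueError("username must not contain the field separator")
    msg = f"{username}:{expires}:{password_hash}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_cookie(username: str, expires: int, hash_fn) -> str:
    """Cookie value carrying the fields in the clear plus their MAC."""
    return f"{username}:{expires}:{hash_fn(username, expires, PASSWORD_HASH)}"


def verify_cookie(cookie: str, hash_fn):
    """Return the authenticated username, or None if the MAC does not match."""
    username, expires, digest = cookie.split(":", 2)
    expected = hash_fn(username, int(expires), PASSWORD_HASH)
    return username if hmac.compare_digest(digest, expected) else None


def boundary_shift_check(hash_fn):
    """Issue a cookie for 'alice1', move one digit across the field boundary,
    and report which username the server then accepts (None = rejected)."""
    legit = build_cookie("alice1", 5000000000, hash_fn)
    digest = legit.rsplit(":", 1)[1]
    shifted = f"alice:15000000000:{digest}"
    return verify_cookie(shifted, hash_fn)


if __name__ == "__main__":
    print(boundary_shift_check(unseparated_hash))  # alice (accepted: ambiguous boundary)
    print(boundary_shift_check(separated_hash))    # None (rejected)
```

The same lesson applies to any MAC or signature over several variable-length fields: either delimit with a character the fields cannot contain, or length-prefix each field, so that the byte string being authenticated has exactly one parse.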
Accepted 389-ds-base 1.3.3.5-4+deb8u6 (source all amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 May 2019 18:42:39 +0200
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-libs-dbg 389-ds-base-dev 389-ds-base 389-ds-base-dbg
Architecture: source all amd64
Version: 1.3.3.5-4+deb8u6
Distribution: jessie-security
Urgency: medium
Maintainer: Debian 389ds Team
Changed-By: Mike Gabriel
Description:
 389-ds - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dbg - 389 Directory Server suite - server debugging symbols
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
 389-ds-base-libs-dbg - 389 Directory Server suite - library debugging symbols
Closes: 927939
Changes:
 389-ds-base (1.3.3.5-4+deb8u6) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-3883: Before reading from a secure socket, the LDAP consumer
     now polls the socket for a read. The socket is polled (with a 0.1s
     timeout) until read is possible or sum of poll timeout is greater than
     ioblocktimeout. (Closes: #927939).
Checksums-Sha1:
 011767f02382d4e1a0b2cad6cfc39056ccec5840 2651 389-ds-base_1.3.3.5-4+deb8u6.dsc
 bb43dc34bde87175c169cccb9981999f263c0c03 3273753 389-ds-base_1.3.3.5.orig.tar.bz2
 c00a4d1a7299256b034ee0cfe03244f75c9642b7 38716 389-ds-base_1.3.3.5-4+deb8u6.debian.tar.xz
 9d4e252729aafc8e6d25f4ce94f6cf5a58290938 16676 389-ds_1.3.3.5-4+deb8u6_all.deb
 f1c2fd9d8930473ab61488211e5b2171947425be 387980 389-ds-base-libs_1.3.3.5-4+deb8u6_amd64.deb
 270f8f9dee8116d5635c00f11de289902fc770e0 1283512 389-ds-base-libs-dbg_1.3.3.5-4+deb8u6_amd64.deb
 fc2ee3bead573910ae2949f9a7bbb464bbbca146 70026 389-ds-base-dev_1.3.3.5-4+deb8u6_amd64.deb
 71966d1d8417415cc405839bec6bee1c5b58a18a 1458794 389-ds-base_1.3.3.5-4+deb8u6_amd64.deb
 4ffb5bb4f4b3eec666d7ec4cf0ce05cc546b7637 4183064 389-ds-base-dbg_1.3.3.5-4+deb8u6_amd64.deb
Checksums-Sha256:
 fcc106cf2267fcdf6a06d3d90a43c751fcca7384da42e8140899f7be46eb31b3 2651 389-ds-base_1.3.3.5-4+deb8u6.dsc
 85f69e65909f7a8286717290f699e61be89c6534e926bcb5b4a6644f950e8827 3273753 389-ds-base_1.3.3.5.orig.tar.bz2
 5560e2211e0170d5734c34ab0d2a7b02d1b03ebc5c718d8e270b7ba4145b9ee8 38716 389-ds-base_1.3.3.5-4+deb8u6.debian.tar.xz
 861945d1eda1ca28c5d3167dd40388c41fbc6b5054e0387b54b07b53f4953069 16676 389-ds_1.3.3.5-4+deb8u6_all.deb
 b233d08cbe4bec53408f32ea4285c92b502f947a33dda79ffa9bccad62fdfb96 387980 389-ds-base-libs_1.3.3.5-4+deb8u6_amd64.deb
 76b2f2ab3ba43e2d2e29e57ee58b30c29b9759beb92760d092c9a266d82f3da1 1283512 389-ds-base-libs-dbg_1.3.3.5-4+deb8u6_amd64.deb
 3821f5f086d2a25a4176903ce2831c560741c33e47aa9e5fae25b048d5cb9230 70026 389-ds-base-dev_1.3.3.5-4+deb8u6_amd64.deb
 4f1024603763ae7eeb3c2705a0dee0d54577b4cf847394cf82e3edb6d75c988e 1458794 389-ds-base_1.3.3.5-4+deb8u6_amd64.deb
 6854aab6e7f74ea4ed050bd8bfec3705267017ed3ccd142d8b3e2e714209d862 4183064 389-ds-base-dbg_1.3.3.5-4+deb8u6_amd64.deb
Files:
 72a74eaad20fe776eeb2db123c264490 2651 net optional 389-ds-base_1.3.3.5-4+deb8u6.dsc
 84869d46184039fce976b858e663232e 3273753 net optional 389-ds-base_1.3.3.5.orig.tar.bz2
 ee64c7283148e558bcd6acb9750770ef 38716 net optional 389-ds-base_1.3.3.5-4+deb8u6.debian.tar.xz
 9cc22916c35ce031845c96a17a2d2105 16676 net optional 389-ds_1.3.3.5-4+deb8u6_all.deb
 85253669c742fa3d93766106eb2d015c 387980 libs optional 389-ds-base-libs_1.3.3.5-4+deb8u6_amd64.deb
 75acebdfd673ba60a9a9fba2caf5310e 1283512 debug extra 389-ds-base-libs-dbg_1.3.3.5-4+deb8u6_amd64.deb
 aecb72feb45c801b1a754d61b8581ffe 70026 libdevel optional 389-ds-base-dev_1.3.3.5-4+deb8u6_amd64.deb
 52920e0f422ad39d8a53e9ecab3e3296 1458794 net optional 389-ds-base_1.3.3.5-4+deb8u6_amd64.deb
 45ca90300d3a72f7dae3a139aea5d07c 4183064 debug extra 389-ds-base-dbg_1.3.3.5-4+deb8u6_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAlzQc08VHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxHWIQAIc34pStgID6EbPWJF7V8nrz2GMF
IxlOaKxWXlV8Ay+dqYSvobwRDVtwvKyU+4/dBrStbTbdpjnqjJukg8Eao80wZVju
fYwH0iJO7LHmI78NNCSjx9UOjUjprDLkqUYo7Cmz33uNCowMVGjhCx8fgBSnoZ7x
RdXmPx9D7rnrD9dEqbVQqrp/3XRlOXyLH5nHkUQYW9VpNNCO8PGRkj4Uv6URH40r
fNd/s8ygSgpwcCXZBLUgRc3VuPBWDBNERBDrSODJg34EA4tdlh4D1j4rwEr7oc8n
m6w3R/1fPmeYvooEMRYcJwkiYWH6Bt1VyYu1jvk6P7e5OTEpKpRJXvq+npG+XtWs
wqzv3TAEaZjUsf8KTGl0fSjKuXn0K58ENj8+BuqbIBS9nSJGtfOg/4B/iJrfj0VW
xB+A1ZTm+39gWOAs67/heBi54LMQpKoc6hdtZQwKpd4b3BfwOe3ztcplo3KYdfDv
ieZk47ropIoLPc3cBuHqYkqh6N7qhebKU+HkkAyYmdz6HDFR/f1JipVAaY96A8L3
6fMJSXvUOYLetLm8dYj9HRc4CYqStz7Yzv1glatCdcx3otclL2D56f7Phbs2ZKSD
KsXVYgkWGpr6p6vETbzgdhihrOXbuHLtIhVuGm8HQcL73sZFNguqaKwuhnhl/vlb
cwivlAMw1Vc5WcLZ
=KfMh
-----END PGP SIGNATURE-----
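The DLA 1779-1 text above describes the defect (the 'ioblocktimeout' bound was applied to plaintext reads but not to TLS reads, so a client that connected and then went silent could pin a worker thread indefinitely), and the changelog in this upload describes the remedy: poll the socket 0.1 s at a time and give up once the summed poll time exceeds 'ioblocktimeout', only then calling the read. The following is an added example for this page, not 389-ds-base code: `recv_with_ioblocktimeout`, `IOBlockTimeout` and the two demo functions are constructed names, a plain `socket.socketpair()` stands in for the TLS connection (the TLS layer is not reproduced), and the 0.1 s poll interval and the summed-timeout rule are taken from the changelog.

```python
"""Bounded socket read, modelled on the CVE-2019-3883 fix in 389-ds-base.

Added example (not 389-ds-base code): the changelog says the fixed server
polls the socket 0.1 s at a time until it is readable or the summed poll
time exceeds 'ioblocktimeout', and only then performs the TLS read. The
helper below applies the same discipline to a plain socket pair so that it
runs offline; the TLS layer itself is not reproduced.
"""
import select
import socket
import threading


class IOBlockTimeout(Exception):
    """No data became readable within ioblocktimeout seconds."""


def recv_with_ioblocktimeout(sock, ioblocktimeout, poll_interval=0.1, bufsize=4096):
    """Return data from sock, or raise IOBlockTimeout.

    A blocking TLS read waits as long as the peer keeps the connection
    half-open, which is what let one client tie up a worker thread.
    Polling the descriptor first keeps every wait bounded.
    """
    waited = 0.0
    while True:
        readable, _, _ = select.select([sock], [], [], poll_interval)
        if readable:
            # Only now would the real server call the TLS read; here a plain recv.
            return sock.recv(bufsize)
        waited += poll_interval
        # Mirrors the changelog: give up once the summed poll time passes the limit.
        if waited > ioblocktimeout:
            raise IOBlockTimeout(
                f"no data after {waited:.1f}s (ioblocktimeout={ioblocktimeout}s)")


def silent_peer_demo(ioblocktimeout=0.3):
    """A peer that connects and never sends: the worker must give up."""
    server_side, client_side = socket.socketpair()
    try:
        recv_with_ioblocktimeout(server_side, ioblocktimeout)
    except IOBlockTimeout:
        return "timed out"
    finally:
        server_side.close()
        client_side.close()
    return "unexpected data"


def slow_peer_demo(payload=b"constructed LDAP request", delay=0.15):
    """A peer that sends after a short pause: the worker waits, then reads."""
    server_side, client_side = socket.socketpair()
    sender = threading.Timer(delay, client_side.sendall, args=(payload,))
    try:
        sender.start()
        return recv_with_ioblocktimeout(server_side, ioblocktimeout=1.0)
    finally:
        sender.join()
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    print(silent_peer_demo())   # timed out
    print(slow_peer_demo())     # b'constructed LDAP request'
```

In a real server the check sits inside each worker, so a silent peer costs at most 'ioblocktimeout' seconds of one thread rather than the thread itself; the same polling discipline is what makes a per-connection timeout meaningful when the read call belongs to a TLS library rather than to the socket layer.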
Accepted symfony 2.3.21+dfsg-4+deb8u5 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 May 2019 18:33:45 +0200
Source: symfony
Binary: php-symfony-browser-kit php-symfony-class-loader php-symfony-classloader php-symfony-config php-symfony-console php-symfony-css-selector php-symfony-debug php-symfony-dependency-injection php-symfony-dom-crawler php-symfony-event-dispatcher php-symfony-eventdispatcher php-symfony-filesystem php-symfony-finder php-symfony-form php-symfony-http-foundation php-symfony-http-kernel php-symfony-intl php-symfony-locale php-symfony-options-resolver php-symfony-process php-symfony-property-access php-symfony-routing php-symfony-security php-symfony-serializer php-symfony-stopwatch php-symfony-templating php-symfony-translation php-symfony-validator php-symfony-yaml php-symfony-doctrine-bridge php-symfony-monolog-bridge php-symfony-propel1-bridge php-symfony-proxy-manager-bridge php-symfony-swiftmailer-bridge php-symfony-twig-bridge php-symfony-framework-bundle php-symfony-security-bundle php-symfony-twig-bundle php-symfony-web-profiler-bundle
Architecture: source all
Version: 2.3.21+dfsg-4+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: Jonas Meurer
Description:
 php-symfony-browser-kit - simulate the behavior of a web browser
 php-symfony-class-loader - load PHP classes automatically
 php-symfony-classloader - transitional dummy package
 php-symfony-config - load configurations from different data sources
 php-symfony-console - run tasks from the command line
 php-symfony-css-selector - convert CSS selectors to XPath expressions
 php-symfony-debug - tools to make debugging of PHP code easier
 php-symfony-dependency-injection - standardize and centralize construction of objects
 php-symfony-doctrine-bridge - integration for Doctrine with Symfony Components
 php-symfony-dom-crawler - ease DOM navigation for HTML and XML documents
 php-symfony-event-dispatcher - dispatch events and listen to them
 php-symfony-eventdispatcher - transitional dummy package
 php-symfony-filesystem - basic filesystem utilities
 php-symfony-finder - find files and directories
 php-symfony-form - create HTML forms and process request data
 php-symfony-framework-bundle - basic, robust and flexible MVC framework
 php-symfony-http-foundation - object-oriented layer for the HTTP specification
 php-symfony-http-kernel - building blocks for flexible and fast HTTP-based frameworks
 php-symfony-intl - limited replacement layer for the PHP extension intl
 php-symfony-locale - deprecated replacement layer for the PHP extension intl
 php-symfony-monolog-bridge - integration for Monolog with Symfony Components
 php-symfony-options-resolver - configure objects with option arrays
 php-symfony-process - execute commands in sub-processes
 php-symfony-propel1-bridge - integration for Propel with Symfony Components
 php-symfony-property-access - read from and write to an object or array
 php-symfony-proxy-manager-bridge - integration for ProxyManager with Symfony Components
 php-symfony-routing - associate a request with code that generates a response
 php-symfony-security - infrastructure for sophisticated authorization systems
 php-symfony-security-bundle - configurable security system for the Symfony framework
 php-symfony-serializer - convert PHP objects into specific formats and vice versa
 php-symfony-stopwatch - profile PHP code
 php-symfony-swiftmailer-bridge - integration for Swift Mailer with Symfony Components
 php-symfony-templating - tools needed to build a template system
 php-symfony-translation - tools to internationalize an application
 php-symfony-twig-bridge - integration for Twig with Symfony Components
 php-symfony-twig-bundle - configurable integration of Twig with the Symfony framework
 php-symfony-validator - tools to validate classes
 php-symfony-web-profiler-bundle - collect requests information for analysis and debugging
 php-symfony-yaml - convert YAML to PHP arrays and the other way around
Changes:
 symfony (2.3.21+dfsg-4+deb8u5) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * Cherry-pick upstream commits to fix security issues
     + Fix CVE-2019-10909: Escape validation messages in the PHP templating engine
     + Fix CVE-2019-10910: Check service IDs are valid
     + Fix CVE-2019-10911: Add a separator in the remember me cookie hash
     + Fix CVE-2019-10913: Reject invalid HTTP method overrides
Checksums-Sha1:
 647de6b760c20321bf84ab8a9b5cfe3f4d3a3847 5244 symfony_2.3.21+dfsg-4+deb8u5.dsc
 aebc500e74465ab1ae4d0d02c73d11d4cebc239c 57484 symfony_2.3.21+dfsg-4+deb8u5.debian.tar.xz
 9c3e6e2831d957cc635d6ea15290fbe339b73ef6 21760 php-symfony-browser-kit_2.3.21+dfsg-4+deb8u5_all.deb
 767da5e09463f46217c3f7033e967434fcc7d287 22110 php-symfony-class-loader_2.3.21+dfsg-4+deb8u5_all.deb
 7414ae56d3f108981802671489a54345455d92fe 39648
Re: Firefox insecure because of missing extensions
Hi,

On Mon, 6 May 2019 15:04:09 +0200 Karsten wrote:
> Package: firefox-esr
> Version: 60.6.1esr-1~deb8u1

It was already done in unstable and stable-proposed-updates, and
reporter asks about oldstable, so CC:ed to lts mailing list.

LTS maintainers, could you build it for oldstable, please?

> When there is no fix for the used Firefox-Version, then a new browser
> solution is needed for Debian.

No, you can migrate to Debian9 at least...

--
Regards,

Hideki Yamane henrich @ debian.org/iijmio-mail.jp
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity
hi,

I've done this again, today I unclaimed:

- no packages. Yay! :)

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
[SECURITY] [DLA 1777-1] jquery security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : jquery
Version        : 1.7.2+dfsg-3.2+deb8u6
CVE ID         : CVE-2019-11358

jQuery mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution. If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native
Object.prototype.

For additional information, please refer to the upstream advisory at
https://www.drupal.org/sa-core-2019-006 .

For Debian 8 "Jessie", this problem has been fixed in version
1.7.2+dfsg-3.2+deb8u6.

We recommend that you upgrade your jquery packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlzP4J8ACgkQKpJZkldk
Svpt1g/+MYT8NDzUW5U62FYWxdCAJ3LdG59tacSZ0TS1JR1erFbI4HGs/SzqgmmJ
ZV1cR2hehh2f40UypfX840NqigWNGPsTkOKMGjZL8q/aggkq4BPbPJcUnZ4+9Vrx
/PLjSG8Pyu1gYeANtbiQZ3OzOXnBJLU6R43zmlOJ6A7nYhkPnCVZ4g5+Siwcj1Tj
FeLHTZhLgQfNl+19Cvt9vJe/w2UZLEX0RwLZYC3XWNPgiXG3LF+0oleKARTp/iwz
vJ4E/wKICMWVFTsrqNfOI6lKbyeyAveFPs0AHcayoWoEbp2ZKwL9iwlKt5nk3doB
QedkRH540+jfSPX/P8ruCtrTPD0z3gM6xF6iyYPdWo4DkhVl/VwqtxB/ng1KFmML
QH6rZ+hVAcYE/lbh3RzH5cj3DSQgqNj932792Mq1f9J0kCOh0pcDtma5hiNVX97R
Zz1aRQ74+49HhVMxCgc12wTNSrSBVV1BncfnHb1eHwwJQgvdQKneuV8PMQrcuVQm
KILkKQjw9MlRX+B9DwzWUUwCMYu8MKznAe0O78QcoKiUWFk8wV7QbjM0Vw1P6elw
nxcILgEgmHKs+y2A9w0CTUcvValL9qu7RNjzbP1NOoHqYoIFMDVQT3CJySyLsIZH
vogQEdiSeAXpoHVhD7ZPVXOFL+uCO/ObCkimSuajBitPNUGmwy0=
=rRg7
-----END PGP SIGNATURE-----
Accepted jquery 1.7.2+dfsg-3.2+deb8u6 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 May 2019 17:38:43 +1000
Source: jquery
Binary: libjs-jquery
Architecture: source all
Version: 1.7.2+dfsg-3.2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Javascript Maintainers
Changed-By: Brian May
Description:
 libjs-jquery - JavaScript library for dynamic web applications
Changes:
 jquery (1.7.2+dfsg-3.2+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2019-11358, jQuery.extend could be used to pollute the native
     Object.prototype.
   * Fix problem calling uglify during build.
Checksums-Sha1:
 f707e6c867b557f3f084fa065a841b55483c1c98 2028 jquery_1.7.2+dfsg-3.2+deb8u6.dsc
 1c17c0b49b4a37af469fb63a5c56cfdf919f769e 147053 jquery_1.7.2+dfsg.orig.tar.gz
 925162f0b4d5142686ab3337e032107b95747bec 6348 jquery_1.7.2+dfsg-3.2+deb8u6.debian.tar.xz
 b99e4ae85e281aa98f3f3033d2e4eb3f09c8c084 98168 libjs-jquery_1.7.2+dfsg-3.2+deb8u6_all.deb
Checksums-Sha256:
 ebb8947e539092493b9684146bdf9456689acc179f76717e7d3417e5e804c5db 2028 jquery_1.7.2+dfsg-3.2+deb8u6.dsc
 43384d8c975c723a3b7d6f46e7ff1518d161760e0781a37675eeda1a05a503fe 147053 jquery_1.7.2+dfsg.orig.tar.gz
 007b6eb38a4787c74173840b1dec1e86cd50494398b8fda50208b83718508ab3 6348 jquery_1.7.2+dfsg-3.2+deb8u6.debian.tar.xz
 87e0097abedb97b75f693b42c677571c4e72905539efd79009b58d43b258f20d 98168 libjs-jquery_1.7.2+dfsg-3.2+deb8u6_all.deb
Files:
 e10b2e5493fb8c5d141ce9db4326aa83 2028 web optional jquery_1.7.2+dfsg-3.2+deb8u6.dsc
 c75b2e33e0d769bedfea8f4e7ca45d4c 147053 web optional jquery_1.7.2+dfsg.orig.tar.gz
 f3c2c7799a07dfdbaff7f8756ec10e3b 6348 web optional jquery_1.7.2+dfsg-3.2+deb8u6.debian.tar.xz
 9a2fefa81227d3d5258b98e7f241a407 98168 web optional libjs-jquery_1.7.2+dfsg-3.2+deb8u6_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlzP3dQACgkQKpJZkldk
Svo9+g//XJnVzcsLLFWEmVdlfgL61I+DtzpAlnt/eGPDJrNET7ytptBihM6hEQH1
fr4H/Xuo/AJq3sXq4aaIXv41MCzKVeRKUQ68SdfQ94Y9vpRE+D60P4OHX4td8jvB
a18k2JOELKXhOZcQ65cPhy5oYB8YSZWMRTpspyyp/EfA2PY8bdOgXi5HqYYPtNG3
NzgMcpIQKVRyhWNahLQ1/gpPwoQn5jcFxn+Zm70th9PwIXWs2aV+3Wsv++NgraYM
jS2+6SQVpne7MezTo6aULlTCr6EsN176BMmAggDXM3mAKC9DFRDq9BepAweaxAs6
8G/J1RG17peeXlAHQHEwj/IiOpUwsPY/Yywl6XGeN0KBc7cQcUhW48J9Sg8dkLAv
1CDpfSAyS5yUK3/LZxYIl4t08xZ/3238p4KQVlcfNhVznPfPC2mw/qxtOVUwHWRD
VnMLG/ZD94dktxePJvTF9mcWcB13yyeHkPXS9mYs7XwkHQckgzgnie/HZb9uE15t
sHYi7iDo8aQtRnEX3IyrO8qIpShaaCwQljrOysuCwzgdMzWRO2ktfE9KZG/ur0Tx
U15+r8lOhfijqHGr/he8ERSMY61pOhIr+cMuJ6aAsIpLj1xowjS/uCTlmaa9rVSK
DcUW01xHqOuDM9aIK9ahiHMIPiTQsj9gjXwApzaV5TeQmXUv72g=
=1omx
-----END PGP SIGNATURE-----