[SECURITY] [DLA 1786-1] qt4-x11 security update

2019-05-13 Thread Mike Gabriel
Package: qt4-x11
Version: 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2
CVE ID : CVE-2018-15518 CVE-2018-19869 CVE-2018-19870 CVE-2018-19871 
 CVE-2018-19873
Debian Bug : #923003


Multiple issues have been addressed in Qt4.

CVE-2018-15518

A double-free or memory corruption could occur during parsing of a
specially crafted illegal XML document.

CVE-2018-19869

A malformed SVG image could cause a segmentation fault in
qsvghandler.cpp.

CVE-2018-19870

A malformed GIF image might have caused a NULL pointer dereference in 
QGifHandler resulting in a segmentation fault.

CVE-2018-19871

There was an uncontrolled resource consumption in QTgaFile.

CVE-2018-19873

QBmpHandler had a buffer overflow via BMP data.

For Debian 8 "Jessie", these problems have been fixed in version
4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2.

We recommend that you upgrade your qt4-x11 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net



signature.asc
Description: PGP signature


Re: openjdk-7 status

2019-05-13 Thread Ola Lundqvist
Great!

Sent from a phone

On Mon 13 May 2019 22:52 Emilio Pozuelo Monfort wrote:

> On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> > It was not clear to me at the time of upload if it was addressed in
> 7u221. It
> > was not mentioned in the upstream announcement. I asked upstream for
> > clarification on its status, it may be that that CVE is Oracle specific
> and
> > doesn't affect OpenJDK. Though I haven't received a reply yet. But let's
> wait
> > for their answer.
>
> Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a
> vulnerability in a proprietary 2D component only present in Oracle Java. I
> updated the tracker accordingly.
>
> Cheers,
> Emilio
>
>


Re: openjdk-7 status

2019-05-13 Thread Emilio Pozuelo Monfort
On 13/05/2019 12:09, Emilio Pozuelo Monfort wrote:
> It was not clear to me at the time of upload if it was addressed in 7u221. It
> was not mentioned in the upstream announcement. I asked upstream for
> clarification on its status, it may be that that CVE is Oracle specific and
> doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
> for their answer.

Upstream confirmed that CVE-2019-2697 doesn't affect OpenJDK as it's a
vulnerability in a proprietary 2D component only present in Oracle Java. I
updated the tracker accordingly.

Cheers,
Emilio



Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi,

AFAICS dns-root-data has no reverse-dependency in Jessie (I ran the
script in a more recent box and got confused).
Does it make sense to update it after all?

bind9 ships 3 keys in /etc/bind/bind.keys with the comment "Servers
which were already using the old key (19036) should roll seamlessly to
this new one via RFC 5011 rollover" - hmm, so isn't this working as
intended?

unbound doesn't seem to ship any key (I only see the old 19036 in
testdata/ in the source package).
However it populated /var/lib/unbound/root.key with 20326 on install.

Cheers!
Sylvain

On 13/05/2019 20:45, Ondřej Surý wrote:
> Hi Sylvain,
>
> I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
> so maybe same procedure will be needed for bind9 package.
>
> Could you perhaps also check unbound?
>
> This is the most probable cause of the weird traffic with old key that DNS
> Root Operators see at root servers.
>
> Just make sure it contains only the new DNSKEY (2017) and not both.
>
> Thanks,
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org
>
>> On 14 May 2019, at 01:38, Sylvain Beucler  wrote:
>>
>> Hi,
>>
>> On 13/05/2019 05:43, Ondřej Surý wrote:
>>> could you please update dns-root-data package in Jessie LTS to latest 
>>> version from Unstable/Stretch?
>> I'll backport it following dkg's stretch update.
>>
>> Besides setting up a bind9, anything we should test?
>>
>> Cheers!
>> Sylvain
>>

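An added example (not from the thread, and not BIND's or unbound's own tooling) that does the check Ondřej asks for above: it reads a trust-anchor file, recomputes the key tag of every DNSKEY in it from the key bytes using the RFC 4034 Appendix B algorithm rather than trusting any "id = ..." comment, and reports whether only the current root KSK (tag 20326), only the retired one (19036), or both are configured. Assumptions: /etc/bind/bind.keys uses the BIND managed-keys syntax with the base64 key in quotes (possibly wrapped across lines), and /var/lib/unbound/root.key uses unbound's autotrust zone-file style line with a trailing ";{id = ...}" comment; the two paths and the two key tags are the ones named in Sylvain's and Ondřej's messages. The sample inputs embedded in the block are constructed with tiny placeholder public keys, so their key tags (2063 and 37993) are not the real root key tags.

```python
"""Added example: list the DNSKEY key tags present in a DNSSEC trust-anchor
file and report whether the retired root KSK, the current one, or both are
configured. Handles the BIND managed-keys syntax (/etc/bind/bind.keys) and
the unbound autotrust syntax (/var/lib/unbound/root.key)."""
import base64
import re
import struct
import sys

# One DNSKEY RDATA: "flags protocol algorithm public-key". The public key is
# either quoted and possibly wrapped over several lines (BIND) or bare base64
# ending at a ';' comment or end of line (unbound / zone-file syntax).
# Flags 256 = ZSK, 257 = KSK, 385 = KSK with the REVOKE bit set (RFC 5011).
_DNSKEY_RE = re.compile(
    r'\b(25[67]|385)\s+(3)\s+(\d{1,3})\s+("?)([A-Za-z0-9+/=\s]+?)\4\s*(?:;|$)',
    re.MULTILINE,
)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 uses a different key tag computation")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd offsets add the byte, even add byte<<8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def extract_dnskeys(text):
    """Return [(flags, algorithm, key_tag), ...] for every DNSKEY found in text.
    The tag is recomputed from the key material; comments are never trusted."""
    found = []
    for m in _DNSKEY_RE.finditer(text):
        flags, proto, alg = int(m.group(1)), int(m.group(2)), int(m.group(3))
        pubkey = base64.b64decode(re.sub(r"\s+", "", m.group(5)), validate=True)
        found.append((flags, alg, key_tag(flags, proto, alg, pubkey)))
    return found


def classify_anchors(tags, current, retired):
    """'current-only' is the state asked for in the thread; 'both' and
    'retired-only' are the states to fix; 'none' means no anchor matched."""
    present = set(tags)
    if current in present and retired in present:
        return "both"
    if current in present:
        return "current-only"
    if retired in present:
        return "retired-only"
    return "none"


# Key tags of the root KSKs named in the thread (KSK-2010 and KSK-2017).
ROOT_KSK_2010 = 19036
ROOT_KSK_2017 = 20326


def audit_file(path, current=ROOT_KSK_2017, retired=ROOT_KSK_2010):
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    tags = [t for _, _, t in extract_dnskeys(text)]
    return tags, classify_anchors(tags, current, retired)


# Constructed sample inputs in the two file formats. The public keys are tiny
# placeholders, not real root keys, so their tags are 2063 and 37993 rather
# than 19036 / 20326; any check on them must pass those tags explicitly.
SAMPLE_BIND_KEYS = '''managed-keys {
        # placeholder key A (constructed)
        "." initial-key 257 3 8 "AQID
                BA==";
        # placeholder key B (constructed)
        "." initial-key 257 3 8 "ECAwQFA=";
};
'''

SAMPLE_UNBOUND_ROOT_KEY = '''; autotrust trust anchor file (constructed sample)
;;id: . 1
.\t86400\tIN\tDNSKEY\t257 3 8 ECAwQFA= ;{id = 37993 (ksk), size = 40b}
'''

if __name__ == "__main__":
    paths = sys.argv[1:] or ["/etc/bind/bind.keys", "/var/lib/unbound/root.key"]
    for path in paths:
        try:
            tags, state = audit_file(path)
        except OSError as exc:
            print(f"{path}: {exc}")
            continue
        print(f"{path}: key tags {tags} -> {state}")
```

Run it with no arguments to audit both default paths, or pass file paths explicitly; "both" and "retired-only" are the states the thread says to correct, and a file that yields "none" with a non-empty tag list has a key that is neither root KSK and deserves a look.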


Re: dns-root-data in Jessie LTS

2019-05-13 Thread Ondřej Surý
Hi Sylvain,

I am actually not sure whether BIND 9 in Jessie already uses dns-root-data,
so maybe same procedure will be needed for bind9 package.

Could you perhaps also check unbound?

This is the most probable cause of the weird traffic with old key that DNS Root
Operators see at root servers.

Just make sure it contains only the new DNSKEY (2017) and not both.

Thanks,
Ondrej
--
Ondřej Surý
ond...@isc.org

> On 14 May 2019, at 01:38, Sylvain Beucler  wrote:
> 
> Hi,
> 
> On 13/05/2019 05:43, Ondřej Surý wrote:
>> could you please update dns-root-data package in Jessie LTS to latest 
>> version from Unstable/Stretch?
> 
> I'll backport it following dkg's stretch update.
> 
> Besides setting up a bind9, anything we should test?
> 
> Cheers!
> Sylvain
> 



Re: dns-root-data in Jessie LTS

2019-05-13 Thread Sylvain Beucler
Hi,

On 13/05/2019 05:43, Ondřej Surý wrote:
> could you please update dns-root-data package in Jessie LTS to latest version 
> from Unstable/Stretch?

I'll backport it following dkg's stretch update.

Besides setting up a bind9, anything we should test?

Cheers!
Sylvain



Re: openjdk-7 status

2019-05-13 Thread Emilio Pozuelo Monfort
On 13/05/2019 10:55, Sylvain wrote:
> Thanks Ola.
> 
> Emilio, can you confirm your latest upload also addresses CVE-2019-2697?
> 
> Its MITRE page points to:
> https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
> "Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"
> 
> which also references CVE-2019-2698, which DLA-1782-1 addressed.
> So it is likely that this is an oversight in data/CVE/list, as the
> upload was a new upstream version (i.e. not cherry-picking).

It was not clear to me at the time of upload if it was addressed in 7u221. It
was not mentioned in the upstream announcement. I asked upstream for
clarification on its status, it may be that that CVE is Oracle specific and
doesn't affect OpenJDK. Though I haven't received a reply yet. But let's wait
for their answer.

Emilio

> 
> Cheers!
> Sylvain
> 
> On 13/05/2019 17:00, Ola Lundqvist wrote:
>> Hi Sylvain
>>
>> It was meant to consider CVE-2019-2697.
>> I do not know anything about re-consider this CVE as nothing has been
>> noted to that CVE that it has been ignored or should be treated in
>> some other way.
>>
>> // Ola 
>>
>> On Mon, 13 May 2019 at 10:57, Sylvain Beucler wrote:
>>
>> Hi,
>>
>> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
>> serious enough".
>> However it was re-added the day after DLA-1782-1 and there's no
>> new CVE
>> since.
>>
>> Was it an oversight, or was it meant to reconsider
>> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
>> addressed by that DLA?
>>
>> Cheers!
>> Sylvain
>>
>>
>>
>> -- 
>>  --- Inguza Technology AB --- MSc in Information Technology 
>> |  o...@inguza.com                  o...@debian.org             |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>>  ---
>>
> 



Re: openjdk-7 status

2019-05-13 Thread Sylvain
Thanks Ola.

Emilio, can you confirm your latest upload also addresses CVE-2019-2697?

Its MITRE page points to:
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
"Mateusz Jurczyk of Google Project Zero: CVE-2019-2697, CVE-2019-2698"

which also references CVE-2019-2698, which DLA-1782-1 addressed.
So it is likely that this is an oversight in data/CVE/list, as the
upload was a new upstream version (i.e. not cherry-picking).

Cheers!
Sylvain

On 13/05/2019 17:00, Ola Lundqvist wrote:
> Hi Sylvain
>
> It was meant to consider CVE-2019-2697.
> I do not know anything about re-consider this CVE as nothing has been
> noted to that CVE that it has been ignored or should be treated in
> some other way.
>
> // Ola 
>
> On Mon, 13 May 2019 at 10:57, Sylvain Beucler wrote:
>
> Hi,
>
> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
> serious enough".
> However it was re-added the day after DLA-1782-1 and there's no
> new CVE
> since.
>
> Was it an oversight, or was it meant to reconsider
> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
> addressed by that DLA?
>
> Cheers!
> Sylvain
>
>
>
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology 
> |  o...@inguza.com                  o...@debian.org             |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
>  ---
>


Re: openjdk-7 status

2019-05-13 Thread Ola Lundqvist
Hi Sylvain

It was meant to consider CVE-2019-2697.
I do not know anything about re-consider this CVE as nothing has been noted
to that CVE that it has been ignored or should be treated in some other way.

// Ola

On Mon, 13 May 2019 at 10:57, Sylvain Beucler  wrote:

> Hi,
>
> openjdk-7 is back in dla-needed.txt with the commit message "Sounds
> serious enough".
> However it was re-added the day after DLA-1782-1 and there's no new CVE
> since.
>
> Was it an oversight, or was it meant to reconsider
> https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
> addressed by that DLA?
>
> Cheers!
> Sylvain
>
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.com                  o...@debian.org             |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---


[SECURITY] [DLA 1784-1] postgresql-9.4 new minor release

2019-05-13 Thread Christoph Berg
Package: postgresql-9.4
Version: 9.4.22-0+deb8u1

The PostgreSQL project has released a new minor release of the 9.4
branch.

For Debian 8 "Jessie", this has been uploaded as version
9.4.22-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.

Note that the end of life of the 9.4 branch is scheduled for February
2020. Please consider upgrading to a newer major release before that
point.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: PGP signature


openjdk-7 status

2019-05-13 Thread Sylvain Beucler
Hi,

openjdk-7 is back in dla-needed.txt with the commit message "Sounds
serious enough".
However it was re-added the day after DLA-1782-1 and there's no new CVE
since.

Was it an oversight, or was it meant to reconsider
https://security-tracker.debian.org/tracker/CVE-2019-2697 which wasn't
addressed by that DLA?

Cheers!
Sylvain



(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-05-13 Thread Holger Levsen
hi,

I've done this again, today I unclaimed:

- no packages for LTS.
- apache2 for eLTS (from Markus Koschany).


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: Bug#928660: hyperv-daemons matching linux-image-4.9-amd64 in jessie-security are missing

2019-05-13 Thread Christoph Martin


Am 12.05.19 um 23:58 schrieb Ben Hutchings:
> On Sun, 2019-05-12 at 22:35 +0200, Ola Lundqvist wrote:
>> Hi fellow LTS contributors
>>
>> How do we normally handle this. Do we add the package to dla-
>> needed.txt or?
> 
> See my answer to the bug report.  The "missing" binary package is
> intentional in this case, and no action needs to be taken.
> 

We should think about changing the packaging for hyperv-daemons, usbip
and maybe linux-cpupower to have the kernel version in its name and
having a meta-package hyperv-daemons like it is done for linux-perf etc.

Christoph



signature.asc
Description: OpenPGP digital signature