Bug#931376: debian-security-support: mention nodejs is not for untrusted content

2019-07-03 Thread Holger Levsen
package: debian-security-support
x-debbugs-cc: debian-lts@lists.debian.org

On Wed, Jul 03, 2019 at 02:59:39PM +0200, Sylvain Beucler wrote:
> I just discovered this while triaging node-fstream:
> https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8
> https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8
> 
> "Unfortunately, this means that libv8-3.14, nodejs, and the associated
> node-* package ecosystem should not currently be used with untrusted
> content, such as unsanitized data from the Internet.
> In addition, these packages will not receive any security updates during
> the lifetime of the Jessie release."

ouch.

> I'm surprised that `grep -ir node` doesn't find any match in the
> 'debian-security-support' repo.
> Did I miss something or is it something we should do?

see above & thanks! :)


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: Reference nodejs in debian-security-support?

2019-07-03 Thread Markus Koschany
Hello,

Am 03.07.19 um 14:59 schrieb Sylvain Beucler:
[...]
> I'm surprised that `grep -ir node` doesn't find any match in the
> 'debian-security-support' repo.
> Did I miss something or is it something we should do?

I think we should add nodejs to security-support-ended.deb8. This would
make it more clear that those packages cannot receive proper security
support and should not be used with untrusted data.

Regards,

Markus





Re: Request for help/comments: sqlite3

2019-07-03 Thread Salvatore Bonaccorso
Hi Jonas,

On Wed, Jul 03, 2019 at 02:48:51PM +0200, Jonas Meurer wrote:
> Hi Ola,
> 
> thanks for your response!
> 
> Ola Lundqvist:
> > I have now looked into this problem to see if I can out something.
> > 
> > What I have done is to backtrack whether the code is ever executed by
> > sqlite and I cannot find that it can be.
> > 
> > rtreenode function is registered using sqlite3_create_function
> > in sqlite3_rtree_init. But I cannot find that the sqlite4_rtree_init
> > function to be called from anywhere.
> > 
> > Based on this I think we can rather safely say that the function is not
> > used in Debian and hence the package is not affected.
> 
> Ok, great. So given that others didn't comment (yet) and we both agree
> on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.
> 
> Let's wait for Security Team's opinion. My recommendation for them would
> be to do the same, given that backporting the fix for CVE-2019-8457 to
> the sqlite3 version in Stretch will be as complex as it is for Jessie.

Ack we will look into it.

> > I think we usually
> > mark it as ignored with a description. An alternative is to mark it as
> > not-affected but I'm not sure whether that should be done in this case
> > since the vulnerability is there, just not triggered. Someone else can
> > maybe help out with that decision.
> 
> Marking it as 'non-affected' would be wrong as the package *is*
> affected. It's just that we consider it a minor vulnerability that we
> ignore for Jessie given that backporting a proper fix would mean very
> invasive code changes.
> 
> @Security Team: do you have a suggestion how to mark cases like this one
> in data/CVE/list? The best probably would be to have a 'no-dla' flag, right?

No there is no additional flag needed for that. Use no-dsa or if you
want to make a stronger annotation that LTS team does not want to
further look at the CVE. See
https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory.

Regards,
Salvatore



[SECURITY] [DLA 1843-1] pdns security update

2019-07-03 Thread Jonas Meurer

Package: pdns
Version: 3.4.1-4+deb8u10
CVE ID : CVE-2019-10162 CVE-2019-10163


Two vulnerabilities have been discovered in pdns, an authoritative DNS
server which may result in denial of service via malformed zone records
and excessive NOTIFY packets in a master/slave setup.

CVE-2019-10162

An issue has been found in PowerDNS Authoritative Server allowing
an authorized user to cause the server to exit by inserting a
crafted record in a MASTER type zone under their control. The issue
is due to the fact that the Authoritative Server will exit when it
runs into a parsing error while looking up the NS/A/ records it
is about to use for an outgoing notify.

CVE-2019-10163

An issue has been found in PowerDNS Authoritative Server allowing
a remote, authorized master server to cause a high CPU load or even
prevent any further updates to any slave zone by sending a large
number of NOTIFY messages. Note that only servers configured as
slaves are affected by this issue.

For Debian 8 "Jessie", these problems have been fixed in version
3.4.1-4+deb8u10.

We recommend that you upgrade your pdns packages.

For the detailed security status of pdns please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pdns

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


-- 
Jonas Meurer




Accepted pdns 3.4.1-4+deb8u10 (source amd64) into oldstable

2019-07-03 Thread Jonas Meurer

Format: 1.8
Date: Wed, 03 Jul 2019 14:20:41 +0200
Source: pdns
Binary: pdns-server pdns-server-dbg pdns-backend-pipe pdns-backend-ldap 
pdns-backend-geo pdns-backend-mysql pdns-backend-pgsql pdns-backend-sqlite3 
pdns-backend-lua pdns-backend-lmdb pdns-backend-remote pdns-backend-mydns
Architecture: source amd64
Version: 3.4.1-4+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Debian PowerDNS Maintainers 

Changed-By: Jonas Meurer 
Description:
 pdns-backend-geo - geo backend for PowerDNS
 pdns-backend-ldap - LDAP backend for PowerDNS
 pdns-backend-lmdb - lmdb backend for PowerDNS
 pdns-backend-lua - Lua backend for PowerDNS
 pdns-backend-mydns - MyDNS compatibility backend for PowerDNS
 pdns-backend-mysql - generic MySQL backend for PowerDNS
 pdns-backend-pgsql - generic PostgreSQL backend for PowerDNS
 pdns-backend-pipe - pipe/coprocess backend for PowerDNS
 pdns-backend-remote - remote backend for PowerDNS
 pdns-backend-sqlite3 - sqlite 3 backend for PowerDNS
 pdns-server - extremely powerful and versatile nameserver
 pdns-server-dbg - debugging symbols for PowerDNS
Changes:
 pdns (3.4.1-4+deb8u10) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2019-10162: Fix denial of service via crafted zone records
   * CVE-2019-10163: Fix denial of service via NOTIFY packets

Reference nodejs in debian-security-support?

2019-07-03 Thread Sylvain Beucler
Hi,

I just discovered this while triaging node-fstream:
https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html#libv8
https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#libv8

"Unfortunately, this means that libv8-3.14, nodejs, and the associated
node-* package ecosystem should not currently be used with untrusted
content, such as unsanitized data from the Internet.
In addition, these packages will not receive any security updates during
the lifetime of the Jessie release."

I'm surprised that `grep -ir node` doesn't find any match in the
'debian-security-support' repo.
Did I miss something or is it something we should do?

Cheers!
Sylvain



Re: Request for help/comments: sqlite3

2019-07-03 Thread Jonas Meurer
Hi Ola,

thanks for your response!

Ola Lundqvist:
> I have now looked into this problem to see if I can out something.
> 
> What I have done is to backtrack whether the code is ever executed by
> sqlite and I cannot find that it can be.
> 
> rtreenode function is registered using sqlite3_create_function
> in sqlite3_rtree_init. But I cannot find that the sqlite4_rtree_init
> function to be called from anywhere.
> 
> Based on this I think we can rather safely say that the function is not
> used in Debian and hence the package is not affected.

Ok, great. So given that others didn't comment (yet) and we both agree
on ignoring CVE-2019-8457 for Jessie LTS, we should do so, at least for now.

Let's wait for Security Team's opinion. My recommendation for them would
be to do the same, given that backporting the fix for CVE-2019-8457 to
the sqlite3 version in Stretch will be as complex as it is for Jessie.

> I think we usually
> mark it as ignored with a description. An alternative is to mark it as
> not-affected but I'm not sure whether that should be done in this case
> since the vulnerability is there, just not triggered. Someone else can
> maybe help out with that decision.

Marking it as 'non-affected' would be wrong as the package *is*
affected. It's just that we consider it a minor vulnerability that we
ignore for Jessie given that backporting a proper fix would mean very
invasive code changes.

@Security Team: do you have a suggestion how to mark cases like this one
in data/CVE/list? The best probably would be to have a 'no-dla' flag, right?

> In addition to that I think we can rather safely mark it as ignored (at
> least postponed) since it should be seen as a minor issue. Such debug
> functions should not be used in live applications and hence the problem is
> not that big. SQL permissions in sqlite are not really something you give
> access to any user, at least that is my interpretation of its general use.
> 
> I hope this helps a little.

It helped a lot, thanks.

This leaves CVE-2019-5827 for sqlite3. As written in data/dla-needed,
the fix presumably is to migrate to 64-bit memory allocators for
integers in order to prevent possible integer overflows. There's been *a
lot* of those migrations between Jessie and latest unstable version. If
we want to properly fix CVE-2019-5827, we probably have to backport a
large portion of them.

Cheers
 jonas



