Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
> I don't think it's explicitly documented; I inferred it from these > rules: > > 1. Corrections should be sent to the same recipients as the original > incorrect information. > 2. All messages sent to debian-lts-announce about package updates > should be numbered DLAs. > 3. DLAs that are related to prior DLAs should use the same first part > and an incremented second part. Sounds reasonable. Thanks! regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
On Sat, 2019-07-27 at 18:30 -0300, Hugo Lefeuvre wrote: > Hi Ben, > > > > > For Debian 8 "Jessie", these problems have been fixed in version > > > > 1.2.12-5+deb9u2. > > > > > > Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2. > > > > The proper way to make such a correction is to issue a -2 advisory with > > the correct information and a note about what changed. > > Thanks, I wasn't aware of this. I can't find any information about it in > our documentation, did I miss something? > > (just in case: this is not a regression, just a typo in the advisory) I don't think it's explicitly documented; I inferred it from these rules: 1. Corrections should be sent to the same recipients as the original incorrect information. 2. All messages sent to debian-lts-announce about package updates should be numbered DLAs. 3. DLAs that are related to prior DLAs should use the same first part and an incremented second part. Ben. -- Ben Hutchings If at first you don't succeed, you're doing about average. signature.asc Description: This is a digitally signed message part
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
Hi Ben, > > > For Debian 8 "Jessie", these problems have been fixed in version > > > 1.2.12-5+deb9u2. > > > > Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2. > > The proper way to make such a correction is to issue a -2 advisory with > the correct information and a note about what changed. Thanks, I wasn't aware of this. I can't find any information about it in our documentation, did I miss something? (just in case: this is not a regression, just a typo in the advisory) regards, Hugo -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
On Sat, 2019-07-27 at 16:04 -0300, Hugo Lefeuvre wrote: > On Sat, Jul 27, 2019 at 03:30:14PM -0300, Hugo Lefeuvre wrote: > > Package: sdl-image1.2 > > Version: 1.2.12-5+deb9u2 > > CVE ID : CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635 > > CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 > > CVE-2019-12219 > > CVE-2019-12220 CVE-2019-12221 CVE-2019-1 > > > > [...] > > > > For Debian 8 "Jessie", these problems have been fixed in version > > 1.2.12-5+deb9u2. > > Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2. The proper way to make such a correction is to issue a -2 advisory with the correct information and a note about what changed. Ben. -- Ben Hutchings Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway. signature.asc Description: This is a digitally signed message part
Re: [SECURITY] [DLA 1865-1] sdl-image1.2 security update
On Sat, Jul 27, 2019 at 03:30:14PM -0300, Hugo Lefeuvre wrote: > Package: sdl-image1.2 > Version: 1.2.12-5+deb9u2 > CVE ID : CVE-2018-3977 CVE-2019-5051 CVE-2019-5052 CVE-2019-7635 > CVE-2019-12216 CVE-2019-12217 CVE-2019-12218 CVE-2019-12219 > CVE-2019-12220 CVE-2019-12221 CVE-2019-1 > > [...] > > For Debian 8 "Jessie", these problems have been fixed in version > 1.2.12-5+deb9u2. Typo: version number is 1.2.12-5+deb8u2, not 1.2.12-5+deb9u2. -- Hugo Lefeuvre (hle)|www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C signature.asc Description: PGP signature
On tomcat FTBFS.
Hi,
I don't think the link you gave on commit [fe932dd39d] is the reason for
FTBFS. I tried building on a VM that matches the certificate date and it
was successful. I also tried disabling all ssl related tests and was fine.
While doing these all I found TestSendFile test is the culprit. In
CVE-2017-5647 security patch a good amount of changes is applied for
SendFile*.java and *Nio2*.java. These are mostly about conditions on how
long the socket of sendfile keep active and to take away from it. But I
couldn't see any those change in its test file. Please take a look on
the attached patch. :)
--abhijith
From: Markus Koschany
Date: Sat, 15 Apr 2017 17:25:03 +0200
Subject: CVE-2017-5647
Bug-Debian: https://bugs.debian.org/860068
Origin: http://svn.apache.org/r1788999
---
java/org/apache/coyote/AbstractProtocol.java | 7 +-
.../apache/coyote/http11/Http11AprProcessor.java | 38 +++
.../apache/coyote/http11/Http11Nio2Processor.java | 11 +++-
.../apache/coyote/http11/Http11NioProcessor.java | 26 ++--
java/org/apache/tomcat/util/net/AprEndpoint.java | 49 +-
java/org/apache/tomcat/util/net/Nio2Endpoint.java | 25 ---
java/org/apache/tomcat/util/net/NioEndpoint.java | 76 --
.../tomcat/util/net/SendfileKeepAliveState.java| 39 +++
java/org/apache/tomcat/util/net/SendfileState.java | 37 +++
9 files changed, 222 insertions(+), 86 deletions(-)
create mode 100644 java/org/apache/tomcat/util/net/SendfileKeepAliveState.java
create mode 100644 java/org/apache/tomcat/util/net/SendfileState.java
diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
index 9886cef..cabfbf6 100644
--- a/java/org/apache/coyote/AbstractProtocol.java
+++ b/java/org/apache/coyote/AbstractProtocol.java
@@ -710,10 +710,9 @@ public abstract class AbstractProtocol implements ProtocolHandler,
release(wrapper, processor, false, true);
} else if (state == SocketState.SENDFILE) {
// Sendfile in progress. If it fails, the socket will be
-// closed. If it works, the socket will be re-added to the
-// poller
-connections.remove(socket);
-release(wrapper, processor, false, false);
+// closed. If it works, the socket either be added to the
+// poller (or equivalent) to await more data or processed
+// if there are any pipe-lined requests remaining.
} else if (state == SocketState.UPGRADED) {
// Don't add sockets back to the poller if this was a
// non-blocking write otherwise the poller may trigger
diff --git a/java/org/apache/coyote/http11/Http11AprProcessor.java b/java/org/apache/coyote/http11/Http11AprProcessor.java
index e4ecd1a..a08da6f 100644
--- a/java/org/apache/coyote/http11/Http11AprProcessor.java
+++ b/java/org/apache/coyote/http11/Http11AprProcessor.java
@@ -37,6 +37,7 @@ import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState;
import org.apache.tomcat.util.net.AprEndpoint;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SendfileKeepAliveState;
import org.apache.tomcat.util.net.SocketStatus;
import org.apache.tomcat.util.net.SocketWrapper;
@@ -197,22 +198,31 @@ public class Http11AprProcessor extends AbstractHttp11Processor {
// Do sendfile as needed: add socket to sendfile and end
if (sendfileData != null && !getErrorState().isError()) {
sendfileData.socket = socketWrapper.getSocket().longValue();
-sendfileData.keepAlive = keepAlive;
-if (!((AprEndpoint)endpoint).getSendfile().add(sendfileData)) {
-// Didn't send all of the data to sendfile.
-if (sendfileData.socket == 0) {
-// The socket is no longer set. Something went wrong.
-// Close the connection. Too late to set status code.
-if (log.isDebugEnabled()) {
-log.debug(sm.getString(
-"http11processor.sendfile.error"));
-}
-setErrorState(ErrorState.CLOSE_NOW, null);
+if (keepAlive) {
+if (getInputBuffer().available() == 0) {
+sendfileData.keepAliveState = SendfileKeepAliveState.OPEN;
} else {
-// The sendfile Poller will add the socket to the main
-// Poller once sendfile processing is complete
-sendfileInProgress = true;
+sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED;
+}
+} else {
+sendfileData.keepAliveState = SendfileKeepAliveState.NONE;
+}
Accepted sdl-image1.2 1.2.12-5+deb8u2 (source amd64) into oldoldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 23 Jul 2019 11:25:46 -0300 Source: sdl-image1.2 Binary: libsdl-image1.2 libsdl-image1.2-dbg libsdl-image1.2-dev Architecture: source amd64 Version: 1.2.12-5+deb8u2 Distribution: jessie-security Urgency: high Maintainer: Debian SDL packages maintainers Changed-By: Hugo Lefeuvre Description: libsdl-image1.2 - Image loading library for Simple DirectMedia Layer 1.2, libraries libsdl-image1.2-dbg - Image loading library for Simple DirectMedia Layer 1.2, debugging libsdl-image1.2-dev - Image loading library for Simple DirectMedia Layer 1.2, developme Changes: sdl-image1.2 (1.2.12-5+deb8u2) jessie-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c). * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c. * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c). * CVE-2019-12216, CVE-2019-12217, CVE-2019-12218, CVE-2019-12219, CVE-2019-12220, CVE-2019-12221, CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c). Checksums-Sha1: 64c0b251f14ff968c20d4b414dbfae44a755ea54 2191 sdl-image1.2_1.2.12-5+deb8u2.dsc 16c2eb46407b2d62f331615ad2344a73047019eb 12092 sdl-image1.2_1.2.12-5+deb8u2.debian.tar.xz bd8f6cf15bf65fd99b885907bffd819d2114e3ef 35766 libsdl-image1.2_1.2.12-5+deb8u2_amd64.deb 885a01cf23f3313b360776abce8988277c9d42df 59356 libsdl-image1.2-dbg_1.2.12-5+deb8u2_amd64.deb 706ac0f952ca277a77d2b23c043767e20a3cbbc2 39408 libsdl-image1.2-dev_1.2.12-5+deb8u2_amd64.deb Checksums-Sha256: 56f61ea8c58ec9e1623fe475cef73fb568c51bfd93a2796951745b1e9cbeed4a 2191 sdl-image1.2_1.2.12-5+deb8u2.dsc 92c1f60825de3e1b4bc995194e978278ae5d5be7abfa90b7744d084d0a91b07e 12092 sdl-image1.2_1.2.12-5+deb8u2.debian.tar.xz 218e75b016f40e9b1ac2f07884dd7c241d61b79ceee266b5edf68013988c03c1 35766 libsdl-image1.2_1.2.12-5+deb8u2_amd64.deb 7e45efc451a1d097f04bc1e6dc0860ec456c7d6d8386c779519d3705a415a9a0 59356 libsdl-image1.2-dbg_1.2.12-5+deb8u2_amd64.deb b720e53ae4bb20f764bb4e103cf9e076d81bdc7560cc7ac3aad313a25a2aa1a0 39408 libsdl-image1.2-dev_1.2.12-5+deb8u2_amd64.deb Files: a795e8a8fc167201eb1d4b02a6328764 2191 libs optional sdl-image1.2_1.2.12-5+deb8u2.dsc cf01e819e2728dd16bfd00ad68360869 12092 libs optional sdl-image1.2_1.2.12-5+deb8u2.debian.tar.xz 175c70c32e36f8ea8de8a9900ae03e0b 35766 libs optional libsdl-image1.2_1.2.12-5+deb8u2_amd64.deb 032f8af76ec1612e695e70aab24f507d 59356 debug extra libsdl-image1.2-dbg_1.2.12-5+deb8u2_amd64.deb e8770377d76e3c0c71b175d2af3eb698 39408 libdevel optional libsdl-image1.2-dev_1.2.12-5+deb8u2_amd64.deb -BEGIN PGP SIGNATURE- iQHDBAEBCgAtFiEEeDb9QWtkMa2LX4zREeMFjl5EGkIFAl08idsPHGhsZUBkZWJp YW4ub3JnAAoJEBHjBY5eRBpCltYL/06Kgppx3r94smQbX240pQJiP57jSkEclrD3 Kt4gejiKJLSOJc2ijfdPqQIODLaNnN/9RVOL8iTfAWxkGc7lZGg71HZZyXOLNNi/ Jg92tFRaWckJ3uqktPvy96xnKU8cuXAw2jckThmVn6kHPuCilpJNRzaDkL6fSMvn PRFRlctyARnKoyYA4ZHXrUWNUE/LLShD3WoY4oWcDUbqo5uOCqu3YnSSM864A7dJ 976b3xEUYhd+LEgnvvSpIqkI7v/ip/QejNizF76y5fBX3/9TB+nMDQY78BSv5hQj 9RZtcxFE0Q3kjM3Y25SH30pcVeZlDg5IyFwwMeuw3aOC2cHf6ig5SSBzCXKLvl6K NjPl7xclJUp1qfvY2N9r2K/ppiDSFXQwHMFcGcFhCeWypWv15Z4cgQ77IkMzZNeb g/tS0g5UVdJwgPt+Kxq6TUEswMCkNHJIGLFbDobYxIFUz29BVBA4565glhosakAC jLnYmnlAJ4E0c88LNdsieyYpRbcqHg== =Da/0 -END PGP SIGNATURE-
Re: MariaDB uploaders: Please use Salsa and Salsa-CI
Hi, On 25/07/2019 22:03, Otto Kekäläinen wrote: > Hello Emilio and anybody else who might at some point upload MariaDB > to jessie-security or stretch-security! > > Please use as the starting point the latest version in the MariaDB > team Salsa repos > - mariadb-10.0 branch 'jessie' > - mariadb-10.1 branch 'stretch' (from 2020 onwards LTS) > > I have prepared there Gitlab-CI automation that does not affect the > package itself in any way, but does help quite a bit in ensuring that > whatever you upload is well tested and unlikely to cause regressions. > > Do not just checkout the latest version in Jessie or Stretch, but work > using the repository instead. Also, please push to the branch when you > are done. I am happy to include LTS maintainers in the mariadb-team so > you can use the official repository. (Emilio is already there.) > > Repo and example of pipeline: > - https://salsa.debian.org/mariadb-team/mariadb-10.0/pipelines > - https://salsa.debian.org/mariadb-team/mariadb-10.1/pipelines > > Slides on my talk on MariaDB packaging and Salsa-CI/Gitlab-CI use in > case you are interested in the longer story: > https://www.slideshare.net/ottokekalainen/how-mariadb-packaging-uses-salsaci-to-ensure-smooth-upgrades-and-avoid-regressions > > > - Otto > > PS. I've done this all assuming the security uploads in this case do > allow changes to the debian/gitlab-ci.yml file since it does not cause > functional changes to the package itself and is perfectly safe. Thanks for improving security by providing easier testing :) I referenced your e-mail at: https://wiki.debian.org/LTS/TestSuites Cheers! Sylvain
