Accepted wpa 2.3-1+deb8u8 (source amd64) into oldoldstable

2019-07-31 Thread Mike Gabriel

Format: 1.8
Date: Wed, 31 Jul 2019 22:44:37 +0200
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 2.3-1+deb8u8
Distribution: jessie-security
Urgency: medium
Maintainer: Debian wpasupplicant Maintainers
Changed-By: Mike Gabriel
Description:
 hostapd- IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
 wpagui - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Closes: 927463
Changes:
 wpa (2.3-1+deb8u8) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
 .
   * CVE-2019-9495: only partial mitigation feasible for this wpa version
 + 2019-2/0001-OpenSSL-Use-constant-time-operations-for-private-big.patch
 + FIXME: too invasive to backport (or for someone with more time+expertise):
   [2019-2/0002-Add-helper-functions-for-constant-time-operations.patch]
   [2019-2/0003-OpenSSL-Use-constant-time-selection-for-crypto_bignu.patch]
   [2019-2/0004-EAP-pwd-Use-constant-time-and-memory-access-for-find.patch]
 + For more details, see https://w1.fi/security/2019-2/.
 .
   * Upstream cherry-picks:
 + Pick 2019-4/0001-Add-crypto_ec_point_cmp.patch, required for applying
   2019-4/0012-EAP-pwd-server-Detect-reflection-attacks.patch
   [2019-4/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch]
 .
   * CVE-2019-9498 (partial):
 + 2019-4/0011-EAP-pwd-server-Verify-received-scalar-and-element.patch
   * CVE-2019-9497:
 + 2019-4/0012-EAP-pwd-server-Detect-reflection-attacks.patch
   * CVE-2019-9499 (partial):
 + 2019-4/0013-EAP-pwd-client-Verify-received-scalar-and-element.patch
   * CVE-2019-9498 + CVE-2019-9499 (FIXME):
 + too invasive to backport (or for someone with more time+expertise):
   [2019-4/0014-EAP-pwd-Check-element-x-y-coordinates-explicitly.patch]
 .
   * CVE-2019-11555 (Closes: #927463):
 + 2019-5/0001-EAP-pwd-server-Fix-reassembly-buffer-handling.patch
 + 2019-5/0003-EAP-pwd-peer-Fix-reassembly-buffer-handling.patch
 .
   * debian/rules: Forcefully enable compilation of the ECC code
 (NEED_ECC=y).



[SECURITY] [DLA 1867-1] wpa security update

2019-07-31 Thread Mike Gabriel
Package: wpa
Version: 2.3-1+deb8u8
CVE ID : CVE-2019-9495 CVE-2019-9497 CVE-2019-9498 CVE-2019-9499 
 CVE-2019-11555
Debian Bug : 927463


Several vulnerabilities were discovered in WPA supplicant / hostapd. Some
of them could only be partially mitigated; please read below for details.

CVE-2019-9495

Cache-based side-channel attack against the EAP-pwd implementation:
an attacker able to run unprivileged code on the target machine
(for example JavaScript code in a browser on a smartphone) during the
handshake could deduce enough information to recover the password
with a dictionary attack.

This issue has been only very partially mitigated, by reducing
measurable timing differences during private key operations. More
work is required to mitigate this vulnerability fully.

CVE-2019-9497

Reflection attack against the EAP-pwd server implementation: a lack of
validation of the received scalar and element values in the
EAP-pwd-Commit messages could have allowed an attacker to complete the
EAP-pwd authentication exchange without knowing the password. This did
not enable the attacker to derive the session key, complete the
following key exchange, or access the network.

CVE-2019-9498

EAP-pwd server missing commit validation for scalar/element: hostapd
didn't validate values received in the EAP-pwd-Commit message, so an
attacker could have used a specially crafted commit message to
manipulate the exchange in order for hostapd to derive a session key
from a limited set of possible values. This could have resulted in an
attacker being able to complete authentication and gain access to the
network.

This issue could only partially be mitigated.

CVE-2019-9499

EAP-pwd peer missing commit validation for scalar/element:
wpa_supplicant didn't validate values received in the EAP-pwd-Commit
message, so an attacker could have used a specially crafted commit
message to manipulate the exchange in order for wpa_supplicant to
derive a session key from a limited set of possible values. This
could have resulted in an attacker being able to complete
authentication and operate as a rogue AP.

This issue could only partially be mitigated.
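The scalar/element validation and the reflection check that the fixes for CVE-2019-9497, CVE-2019-9498 and CVE-2019-9499 add to EAP-pwd-Commit handling, written here as an added Python example (it is not wpa's code and simplifies the real C implementation). It runs on a constructed toy curve (y^2 = x^3 + 2x + 2 over F_17, 19 points, generator (5, 1)) so that it executes offline; the group order, the "own" commit values and the reason strings are constructed for the illustration.

```python
# Added illustration, not wpa's code: the EAP-pwd-Commit checks the fixes add,
# run over a constructed toy curve so the whole thing executes offline.
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (19 points), generator G = (5, 1).
P, A, B, G, INF = 17, 2, 2, (5, 1), None   # INF stands for the point at infinity

def on_curve(pt):
    """x and y within [0, p-1] and the curve equation holds; INF is rejected."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x ** 3 - A * x - B) % P == 0

def add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                # p1 == -p2
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    r = INF
    while k:
        if k & 1:
            r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def order(pt):
    n, q = pt, 1
    while n is not INF:
        n, q = add(n, pt), q + 1
    return q

Q = order(G)   # subgroup order; a valid scalar lies in [1, Q-1]

def validate_commit(peer_scalar, peer_element, own_scalar, own_element):
    """Accept or reject a received (scalar, element) pair; returns (ok, reason)."""
    if not 1 <= peer_scalar <= Q - 1:             # CVE-2019-9498/9499: scalar range
        return False, "scalar out of range"
    if not on_curve(peer_element):                # in-range x/y, on curve, not INF
        return False, "element is not a valid curve point"
    if (peer_scalar, peer_element) == (own_scalar, own_element):
        return False, "reflected commit"          # CVE-2019-9497: our own commit echoed
    return True, "ok"
```

A commit that fails any check is rejected before it reaches the key derivation, which is the point of the upstream patches; only a commit with an in-range scalar and a genuine, non-reflected point is accepted.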

CVE-2019-11555

The EAP-pwd implementation didn't properly validate the fragmentation
reassembly state when receiving an unexpected fragment. This could
have led to a process crash due to a NULL pointer dereference.

An attacker in radio range of a station or access point with EAP-pwd
support could crash the relevant process (wpa_supplicant or hostapd),
resulting in a denial of service.
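The reassembly-state check behind CVE-2019-11555, as an added Python example (not wpa's code): a continuation fragment that arrives while no message is in flight is dropped instead of being appended to a buffer that does not exist. The header flag layout follows RFC 5931; the MAX_TOTAL cap and the result tuples are constructed for this illustration.

```python
# Added illustration, not wpa's code: a defensive EAP-pwd fragment reassembler.
# Header byte layout per RFC 5931: L (0x80) = Total-Length field follows,
# M (0x40) = more fragments follow, low 6 bits = PWD-Exch (2 = Commit).
L_BIT, M_BIT, MAX_TOTAL = 0x80, 0x40, 4096    # MAX_TOTAL is a constructed cap

class Reassembler:
    def __init__(self):
        self.reset()
    def reset(self):
        self.buf, self.total, self.exch = None, 0, None   # buf None: nothing in flight
    def drop(self, reason):
        self.reset()                                      # discard partial state
        return ("drop", reason, None)
    def feed(self, pkt):
        """Consume one EAP-pwd payload (header byte + data). Returns
        ("complete", exch, bytes), ("more", None, None) or ("drop", reason, None)."""
        if not pkt:
            return self.drop("empty packet")
        flags, exch, body = pkt[0], pkt[0] & 0x3F, pkt[1:]
        if flags & L_BIT:                          # first fragment: Total-Length present
            if self.buf is not None:
                return self.drop("new message while reassembly in progress")
            if len(body) < 2:
                return self.drop("truncated Total-Length")
            self.total, body = int.from_bytes(body[:2], "big"), body[2:]
            if not 0 < self.total <= MAX_TOTAL:
                return self.drop("Total-Length out of bounds")
            self.buf, self.exch = bytearray(), exch
        elif self.buf is None:
            if flags & M_BIT:                      # the CVE-2019-11555 shape: a continuation
                return self.drop("fragment without a started message")  # with no buffer
            return ("complete", exch, bytes(body)) # ordinary unfragmented message
        elif exch != self.exch:
            return self.drop("PWD-Exch changed mid-message")
        self.buf += body
        if len(self.buf) > self.total:
            return self.drop("data exceeds Total-Length")
        if flags & M_BIT:
            return ("more", None, None)
        if len(self.buf) != self.total:
            return self.drop("final fragment leaves message short")
        result = ("complete", self.exch, bytes(self.buf))
        self.reset()
        return result
```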

For Debian 8 "Jessie", these problems have been fixed in version
2.3-1+deb8u8.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net





[SECURITY] [DLA 1866-1] glib2.0 security update

2019-07-31 Thread Mike Gabriel
Package: glib2.0
Version: 2.42.1-1+deb8u2
CVE ID : CVE-2018-16428 CVE-2018-16429 CVE-2019-13012
Debian Bug : 931234


Various minor issues have been addressed in the GLib library. GLib is a
useful general-purpose C library used by projects such as GTK+, GIMP,
and GNOME.

CVE-2018-16428

In GNOME GLib, g_markup_parse_context_end_parse() in gmarkup.c
had a NULL pointer dereference.

CVE-2018-16429

GNOME GLib had an out-of-bounds read vulnerability in
g_markup_parse_context_parse() in gmarkup.c, related to utf8_str().

CVE-2019-13012

The keyfile settings backend in GNOME GLib (aka glib2.0) before
created directories using g_file_make_directory_with_parents
(kfsb->dir, NULL, NULL) and files using g_file_replace_contents
(kfsb->file, contents, length, NULL, FALSE,
G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently,
it did not properly restrict directory (and file) permissions.
Instead, for directories, 0777 permissions were used; for files,
default file permissions were used. This issue is similar to
CVE-2019-12450.

For Debian 8 "Jessie", these problems have been fixed in version
2.42.1-1+deb8u2.

We recommend that you upgrade your glib2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted glib2.0 2.42.1-1+deb8u2 (source all amd64) into oldoldstable

2019-07-31 Thread Mike Gabriel

Format: 1.8
Date: Tue, 30 Jul 2019 21:33:27 +0200
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-tests libglib2.0-udeb libglib2.0-bin 
libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam 
libglib2.0-0-refdbg
Architecture: source all amd64
Version: 2.42.1-1+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Debian GNOME Maintainers
Changed-By: Mike Gabriel
Description:
 libgio-fam - GLib Input, Output and Streaming Library (fam module)
 libglib2.0-0 - GLib library of C routines
 libglib2.0-0-dbg - Debugging symbols for the GLib libraries
 libglib2.0-0-refdbg - GLib library of C routines - refdbg library
 libglib2.0-bin - Programs for the GLib library
 libglib2.0-data - Common files for GLib library
 libglib2.0-dev - Development files for the GLib library
 libglib2.0-doc - Documentation files for the GLib library
 libglib2.0-tests - GLib library of C routines - installed tests
 libglib2.0-udeb - GLib library of C routines - minimal runtime (udeb)
Closes: 931234
Changes:
 glib2.0 (2.42.1-1+deb8u2) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2018-16428: gmarkup: Fix crash in error handling path for closing
 elements.
   * CVE-2018-16429: gmarkup: Fix unvalidated UTF-8 read in markup parsing
 error paths.
   * CVE-2019-13012: keyfile settings: Use tighter permissions. (Closes:
 #931234).

Re: firefox-esr 60.8.0esr-1 still missing for jessie

2019-07-31 Thread Sylvain Beucler
Hi,

(taking upon myself to answer since nobody else did)

On 29/07/2019 20:12, Hoshi Hoshimoto wrote:

> firefox-esr 60.8.0esr-1 is still missing for jessie-security.
>
> Is there a special reason behind this, or is this just an oversight?
>
> Thanks for looking into this.
>
> References:
> https://www.debian.org/security/2019/dsa-4479
> https://security-tracker.debian.org/tracker/source-package/firefox-esr

Emilio volunteered to fix it ~1 week ago:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

There should be some progress by next week (otherwise another LTS member
will take care of it).

Cheers!
Sylvain Beucler - Debian LTS Team


