Re: Jessie update of ansible (minor security issues)?

2019-09-04 Thread Holger Levsen
On Wed, Sep 04, 2019 at 02:07:39PM -0400, Roberto C. Sánchez wrote:
> In any event, I have moved my work onto that branch and have already
> some commits locally.  Would you like for me to push my commits (one per
> CVE) as I go so that you can look them over?  Or would you prefer that I
> push all the changes together once all my work is complete?

create a branch jessie-proposed (or whatever) and push it now?


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-09-04 Thread Moritz Mühlenhoff
On Thu, Aug 29, 2019 at 09:36:39AM +0200, Moritz Mühlenhoff wrote:
> Adding the radare2 uploaders to CC.
> 
> On Fri, Aug 16, 2019 at 11:23:05PM +0200, Markus Koschany wrote:
> > >> +  NOTE: 20190816: Affected by CVE-2019-14745. Vulnerable code is in
> > >> +  NOTE: libr/core/bin.c. Many no-dsa issues in Jessie and Stretch. 
> > >> Should we
> > >> +  NOTE: continue the current approach, update to a newer upstream 
> > >> version or mark
> > >> +  NOTE: radare2 as unsupported? Also note that there is a r2-pwnDebian 
> > >> challenge...
> > >> +  NOTE: https://bananamafia.dev/post/r2-pwndebian/ (apo)
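Review bot: the NOTE leaves three open questions (continue the per-CVE approach, update to a newer upstream, or mark unsupported) without recording a decision; once the thread settles, the entry should be updated to state the outcome so dla-needed.txt does not carry an unresolved question, and the "Many no-dsa issues" remark would be more useful if it listed the CVE ids it refers to.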
> > > 
> > > I'd be in favor of marking radare2 as unsupported, probably even for stable,
> > > but definitely for oldstable and older.
> > > 
> > > I'd be happy to do these changes in src:debian-security-tracker and
> > > uploading this to sid.
> > 
> > +1
> > 
> > I just noticed that we are not consistent with fixing CVE in radare2 and
> > I would also be in favor of marking it as unsupported. Another option
> > would be to package always the latest upstream release and backport that
> > to stable and oldstable but it seems we already lag behind a few
> > versions in unstable, so I'd rather choose the first option.
> 
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it from stable releases (and retroactively
> drop it from Buster/Stretch in the forthcoming point releases)?

Hilko/Sebastian,
as the last uploaders, what do you think? How should we proceed wrt radare in
oldstable/stable?

Cheers,
 Moritz



Re: Jessie update of ansible (minor security issues)?

2019-09-04 Thread Roberto C . Sánchez
On Sat, Aug 31, 2019 at 04:22:38PM +0200, Lee Garrett wrote:
> 
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie
> git branch you can make releases from which I can give you access to. If
> you need any help feel free to help. I currently don't have capacity to
> commit to maintaining LTS, too, as IRL tends to come in between. :)
> 
Lee,

I took a look yesterday and I saw that the ansible project in Salsa has
1000+ maintainers, which I think is every DD.  I cloned it and found the
jessie branch with Chris Lamb's security update from last year as the
most recent changelog entry on that branch.  That matches with what is
in the archive.

In any event, I have moved my work onto that branch and have already
some commits locally.  Would you like for me to push my commits (one per
CVE) as I go so that you can look them over?  Or would you prefer that I
push all the changes together once all my work is complete?

Regards,

-Roberto

-- 
Roberto C. Sánchez



qemu status

2019-09-04 Thread Sylvain Beucler
Hi Gabriel, hi all :)

We have a prepared QEMU update from 3 months ago that needs attention:
https://packages.sunweavers.net/debian/pool/main/q/qemu/

It fixes:
CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126

Since then we got:
CVE-2019-14378 CVE-2019-13164 CVE-2019-12068 CVE-2019-12067
and possibly CVE-2018-19665 to reconsider.

I can take the time to setup a physical box and provide more testing /
more patching.
Before doing so, I thought I'd first check:
what are your plans for this month regarding this update? :)

Cheers!
Sylvain



[SECURITY] [DLA 1909-1] freetype security update

2019-09-04 Thread Sylvain Beucler

Package: freetype
Version: 2.5.2-3+deb8u4
CVE ID : CVE-2015-9381 CVE-2015-9382 CVE-2015-9383


Several newly-referenced issues have been fixed in the FreeType 2 font
engine.

CVE-2015-9381

  heap-based buffer over-read in T1_Get_Private_Dict in
  type1/t1parse.c

CVE-2015-9382

  buffer over-read in skip_comment in psaux/psobjs.c because
  ps_parser_skip_PS_token is mishandled in an FT_New_Memory_Face
  operation

CVE-2015-9383

  a heap-based buffer over-read in tt_cmap14_validate in
  sfnt/ttcmap.c

For Debian 8 "Jessie", these problems have been fixed in version
2.5.2-3+deb8u4.

We recommend that you upgrade your freetype packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted freetype 2.5.2-3+deb8u4 (source amd64) into oldoldstable

2019-09-04 Thread Sylvain Beucler

Format: 1.8
Date: Wed, 04 Sep 2019 11:48:40 +0200
Source: freetype
Binary: libfreetype6 libfreetype6-dev freetype2-demos libfreetype6-udeb
Architecture: source amd64
Version: 2.5.2-3+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Steve Langasek 
Changed-By: Sylvain Beucler 
Description:
 freetype2-demos - FreeType 2 demonstration programs
 libfreetype6 - FreeType 2 font engine, shared library files
 libfreetype6-dev - FreeType 2 font engine, development files
 libfreetype6-udeb - FreeType 2 font engine for the debian-installer (udeb)
Changes:
 freetype (2.5.2-3+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2015-9381: FreeType before 2.6.1 has a heap-based buffer
 over-read in T1_Get_Private_Dict in type1/t1parse.c.
   * CVE-2015-9382: FreeType before 2.6.1 has a buffer over-read in
 skip_comment in psaux/psobjs.c because ps_parser_skip_PS_token is
 mishandled in an FT_New_Memory_Face operation.
   * CVE-2015-9383: FreeType before 2.6.2 has a heap-based buffer
 over-read in tt_cmap14_validate in sfnt/ttcmap.c.
   * Remove spurious quilt .pc/ directory from debian diff
 (introduced in 2.5.2-2)
Checksums-Sha1:
Checksums-Sha256:
Files:
Package-Type: udeb
