Re: qemu status

2019-09-09 Thread Mike Gabriel

Hi Sylvain,

On Mo 09 Sep 2019 21:37:31 CEST, Sylvain Beucler wrote:

> I can make myself available on Friday 10AM, that sounds good.

Good. Stencilled into my calendar now.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





[SECURITY] [DLA 1914-1] icedtea-web security update

2019-09-09 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: icedtea-web
Version: 1.5.3-1+deb8u1
CVE ID : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
Debian Bug : 934319

Several security vulnerabilities were found in icedtea-web, an
implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

    It was found that in icedtea-web executable code could be injected
    in a JAR file without compromising the signature verification. An
    attacker could use this flaw to inject code in a trusted JAR. The
    code would be executed inside the sandbox.

CVE-2019-10182

    It was found that icedtea-web did not properly sanitize paths from
    elements in JNLP files. An attacker could trick a victim
    into running a specially crafted application and use this flaw to
    upload arbitrary files to arbitrary locations in the context of the
    user.

CVE-2019-10185

    It was found that icedtea-web was vulnerable to a zip-slip attack
    during auto-extraction of a JAR file. An attacker could use this
    flaw to write files to arbitrary locations. This could also be used
    to replace the main running application and, possibly, break out of
    the sandbox.

For Debian 8 "Jessie", these problems have been fixed in version
1.5.3-1+deb8u1.

We recommend that you upgrade your icedtea-web packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl12q/1fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS/2Q//ZQBvQ7mrxB077LEbIivjIU72+wuY/wd1VPtS3usD6e0GbyZJQPHCwm0X
qri94JLolCBh/MZelSd5gt4LjWCF5mFy6dUnYfbxQ2u5kMf4ylfbCjc6eJsaDQDV
FmvkWrALyjDtwF8kqTKcZQOfw/5j0oXGhgFO2oysrNuNt2AgwUEaaqqQ9A6JpVN3
ie9MVgoLRzGu0o+aqbZ9x6hkYhU5XIjwrxF5kFHiwFTU8xKuFymwqm0DZiwJgVLA
96t2DzWkWyMykUpUpcB6b4Z4OTPudfxlASnhFiM0KugMQ3absfJIpdeIt5tzgm24
duYEdP9/SulYkM7PHv/335zAI0nezeO3RMaJ9d+/410jNFKkDZdVIR7Wn89dgZeU
r5H0PQq6nah5WPn+vlU/DZLKO+InrPftjxIxDRxGg2Tw9Hp4TGPBWF6UwZzuiPhS
nmZ1Th+V7UPUFopzdYw3P6ydGYZcr7GniSa3LCmEvlmKgxK+iKn3S6JVjq8mSROu
L8D9QzDdvQ6osQQJRE0b3QYA+MvAyEOFRmYhlzIg3XqSJOrr2c51O6c4XjMWI3Lk
EIeOXvtRWcJX0X6KS5KdVd4688oiYCvZ7M8Lzbd+Si/5jpYCqNPBxxCSMiG8ggSY
2Bu9QmEvAS7sNguuuZKIZ9p/VPAP7VAyTFJcMv0urBhxF6Ke6Co=
=2qp1
-----END PGP SIGNATURE-----



Re: qemu status

2019-09-09 Thread Sylvain Beucler
Hi!

On Mon, Sep 09, 2019 at 06:35:37PM +, Mike Gabriel wrote:
> On  Mo 09 Sep 2019 11:23:59 CEST, Sylvain Beucler wrote:
> > On 04/09/2019 15:41, Sylvain Beucler wrote:
> > > We have a prepared QEMU update from 3 months ago that needs attention:
> > > https://packages.sunweavers.net/debian/pool/main/q/qemu/
> > > 
> > > It fixes:
> > > CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126
> > > 
> > > Since then we got:
> > > CVE-2019-14378 CVE-2019-13164 CVE-2019-12068 CVE-2019-12067
> > > and possibly CVE-2018-19665 to reconsider.
> > > 
> > > I can take the time to set up a physical box and provide more testing /
> > > more patching.
> > > Before doing so, I thought I'd first check:
> > > what are your plans for this month regarding this update? :)
> > Ping?
> 
> Thanks for pinging. And: sorry, I did not get any work on this done on
> Saturday.
> 
> Did you get any testing work done on this already? If not, I'd suggest to
> meet on IRC on Friday this week, after 10am (CEST) and get to work on this
> together. Is that a plan? Let me know, if you are available then.

No extensive testing yet.  I set up a physical Jessie machine (an
AMD/svm, btw) and started triaging the pending issues.

I plan to integrate more issues and prepare some tests (e.g. LVM so as
to test partition disk images and possibly install an old ProxMox).

I can make myself available on Friday 10AM, that sounds good.

Cheers!
Sylvain



Accepted icedtea-web 1.5.3-1+deb8u1 (source amd64 all) into oldoldstable

2019-09-09 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Sep 2019 20:26:24 +0200
Source: icedtea-web
Binary: icedtea-netx icedtea-plugin icedtea-netx-common icedtea-7-plugin
Architecture: source amd64 all
Version: 1.5.3-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: OpenJDK Team 
Changed-By: Markus Koschany 
Description:
 icedtea-7-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 icedtea-netx - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-netx-common - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-plugin - web browser plugin to execute Java applets (dependency package)
Changes:
 icedtea-web (1.5.3-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-10181:
 It was found that in icedtea-web executable code could be injected in a JAR
 file without compromising the signature verification. An attacker could use
 this flaw to inject code in a trusted JAR. The code would be executed
 inside the sandbox.
   * Fix CVE-2019-10182:
 It was found that icedtea-web did not properly sanitize paths from 
 elements in JNLP files. An attacker could trick a victim into running a
 specially crafted application and use this flaw to upload arbitrary files
 to arbitrary locations in the context of the user.
   * Fix CVE-2019-10185:
 It was found that icedtea-web was vulnerable to a zip-slip attack during
 auto-extraction of a JAR file. An attacker could use this flaw to write
 files to arbitrary locations. This could also be used to replace the main
 running application and, possibly, break out of the sandbox.
Checksums-Sha1:
 e26a157737e25c70c6acc4d553c17f24b7f0f3e5 2736 icedtea-web_1.5.3-1+deb8u1.dsc
 4b8f157fd5090fd862a549e1c1fbb82f9a6f12b4 1593900 icedtea-web_1.5.3.orig.tar.gz
 5d55012a734871fe73eec096485bca19759b759c 20488 icedtea-web_1.5.3-1+deb8u1.debian.tar.xz
 f64163c4870df940ac3e6a882c36f76dac734470 25438 icedtea-netx_1.5.3-1+deb8u1_amd64.deb
 5c145b7e7a3dbc922e2ee62e033915bf85e6bddc 200516 icedtea-7-plugin_1.5.3-1+deb8u1_amd64.deb
 4f0d9952c37db5e35534380b9c4d1d77e5165049 1131930 icedtea-netx-common_1.5.3-1+deb8u1_all.deb
 4dabc37fe4247eca48eabad7696955f48e825355 9076 icedtea-plugin_1.5.3-1+deb8u1_all.deb
Checksums-Sha256:
 53c1d9469b4d6d73f8f88cb94509eb44b77aceca57e85e68f4b2d0328c6d5973 2736 icedtea-web_1.5.3-1+deb8u1.dsc
 9b4b4477711930cb1d40bde752b17492fe8462a9c0cbd89bfe2c361b64d466b9 1593900 icedtea-web_1.5.3.orig.tar.gz
 8b8b170dd6e50179818cf3edbb442dea3d844a7d1c3efe7f053650c5ee4e00cb 20488 icedtea-web_1.5.3-1+deb8u1.debian.tar.xz
 3210874fc7e57ec217b549e37528042d8e62559c445e72eb7efa1e0b8f021c5f 25438 icedtea-netx_1.5.3-1+deb8u1_amd64.deb
 53467b9f1e673ac82a84289530136ede466aa428565ebb457d0859720970b4bd 200516 icedtea-7-plugin_1.5.3-1+deb8u1_amd64.deb
 bf9df6009cbe0bf6d37bbf3d3f5933d98a457629fe74364e2765cf126dc573be 1131930 icedtea-netx-common_1.5.3-1+deb8u1_all.deb
 432e8841658e5a5d0e1e3a4fd56f8c0d7f0645cafc6ad659e51c4586174c3d6b 9076 icedtea-plugin_1.5.3-1+deb8u1_all.deb
Files:
 d3fef072c30c4db2f58d80f0ebb14e82 2736 java extra icedtea-web_1.5.3-1+deb8u1.dsc
 72d288739968732a4efa0e0664391fde 1593900 java extra icedtea-web_1.5.3.orig.tar.gz
 600e9be96246b8b6c63ec07c325abf14 20488 java extra icedtea-web_1.5.3-1+deb8u1.debian.tar.xz
 7434962c82802ef3ef60e35dfd682121 25438 java extra icedtea-netx_1.5.3-1+deb8u1_amd64.deb
 7ced8ab4ef0a892e0188e8148454f476 200516 web extra icedtea-7-plugin_1.5.3-1+deb8u1_amd64.deb
 a26bff474cacf7aaa75eb274c1e0732c 1131930 java extra icedtea-netx-common_1.5.3-1+deb8u1_all.deb
 48781c9d312148bf9d09dcf8bd0f515e 9076 web extra icedtea-plugin_1.5.3-1+deb8u1_all.deb


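The CVE-2019-10185 and CVE-2019-10182 descriptions in the DLA above and in this changelog both come down to one missing check: a path taken from an attacker-controlled archive or JNLP file was used without confirming it stays inside the intended directory. The following is an added example, not code from icedtea-web, the DLA or Debian; it is written in Python rather than the project's Java so that it runs stand-alone, and the function names (`safe_extract`, `resolve_entry_target`, `entry_is_contained`) and the two in-memory JARs are this example's own constructed fixtures. It shows a zip-slip-resistant extractor: every entry name is resolved against the destination and rejected if it escapes, and the whole archive is validated before a single byte is written.

```python
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """An archive entry whose name would place it outside the destination."""


def resolve_entry_target(dest_dir: Path, entry_name: str) -> Path:
    """Map a zip/JAR entry name onto a path under dest_dir, or raise.

    Containment is decided on the fully resolved path ('..' collapsed,
    symlinks followed), not by string comparison, so '..' segments, absolute
    names and paths that merely share a prefix with dest_dir are all rejected.
    """
    dest_root = dest_dir.resolve()
    name = PurePosixPath(entry_name)          # zip entry names are '/'-separated
    if name.is_absolute() or not name.parts:
        raise UnsafeArchiveEntry(f"absolute or empty entry name: {entry_name!r}")
    candidate = dest_root.joinpath(*name.parts).resolve()
    try:
        candidate.relative_to(dest_root)      # ValueError when candidate is outside
    except ValueError:
        raise UnsafeArchiveEntry(f"entry escapes destination: {entry_name!r}") from None
    return candidate


def entry_is_contained(dest_dir: str, entry_name: str) -> bool:
    """Boolean form of the check above, handy for tests and for triaging archives."""
    try:
        resolve_entry_target(Path(dest_dir), entry_name)
    except UnsafeArchiveEntry:
        return False
    return True


def safe_extract(archive_bytes: bytes, dest_dir: Path) -> list[str]:
    """Extract a zip/JAR held in memory into dest_dir.

    All entries are validated before anything is written, so a hostile entry
    late in the archive cannot leave a half-extracted tree behind. Returns the
    names of the entries written as files.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Pass 1: validate every entry (raises on the first unsafe one).
        targets = [(info, resolve_entry_target(dest_dir, info.filename))
                   for info in zf.infolist()]
        # Pass 2: only now touch the filesystem.
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry name: content} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples for this example, not real icedtea-web artefacts.
BENIGN_JAR = build_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe",
})
# Second entry name climbs two directories above the extraction root.
ZIP_SLIP_JAR = build_archive({
    "com/example/App.class": b"\xca\xfe\xba\xbe",
    "../../outside.txt": b"would land outside the extraction directory\n",
})


def demo() -> dict[str, object]:
    """Extract both samples into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = safe_extract(BENIGN_JAR, Path(tmp) / "benign")
        hostile_dest = Path(tmp) / "hostile"
        try:
            safe_extract(ZIP_SLIP_JAR, hostile_dest)
            hostile = "extracted"
        except UnsafeArchiveEntry as exc:
            hostile = f"rejected: {exc}"
        # Validation precedes writing, so the hostile destination was never created.
        nothing_written = not hostile_dest.exists()
    return {"benign": benign, "hostile": hostile, "nothing_written": nothing_written}


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extract` already strips `..` components, which is why the example extracts by hand: the point is the explicit containment check, which is what a Java `ZipInputStream`/`JarFile` loop lacks unless the application adds it. The same `resolve`-then-`relative_to` comparison applies to any path taken from an untrusted JNLP element before it is used as a write location.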


Re: qemu status

2019-09-09 Thread Mike Gabriel

Hi Sylvain,

On Mo 09 Sep 2019 11:23:59 CEST, Sylvain Beucler wrote:

> On 04/09/2019 15:41, Sylvain Beucler wrote:
>
> > Hi Mike, hi all :)
> >
> > We have a prepared QEMU update from 3 months ago that needs attention:
> > https://packages.sunweavers.net/debian/pool/main/q/qemu/
> >
> > It fixes:
> > CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126
> >
> > Since then we got:
> > CVE-2019-14378 CVE-2019-13164 CVE-2019-12068 CVE-2019-12067
> > and possibly CVE-2018-19665 to reconsider.
> >
> > I can take the time to set up a physical box and provide more testing /
> > more patching.
> > Before doing so, I thought I'd first check:
> > what are your plans for this month regarding this update? :)
> >
> > Cheers!
> > Sylvain
>
> Ping?

Thanks for pinging. And: sorry, I did not get any work on this done on
Saturday.

Did you get any testing work done on this already? If not, I'd suggest
to meet on IRC on Friday this week, after 10am (CEST) and get to work
on this together. Is that a plan? Let me know, if you are available
then.


Thanks,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-09-09 Thread Holger Levsen
hi,

today I unclaimed:

for LTS:
-clamav (Hugo Lefeuvre)
-dnsmasq (Mike Gabriel)
-hdf5 (Hugo Lefeuvre)
-ruby-mini-magick (Thorsten Alteholz)
-tika (Hugo Lefeuvre)

and nothing for eLTS.

Please update those notes (with a date).


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C




Accepted ghostscript 9.26a~dfsg-0+deb8u5 (source all amd64) into oldoldstable

2019-09-09 Thread Emilio Pozuelo Monfort
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 09 Sep 2019 11:33:35 +0200
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.26a~dfsg-0+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Printing Team 
Changed-By: Emilio Pozuelo Monfort 
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.26a~dfsg-0+deb8u5) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Backport changes from stretch:
   * make .forceput inaccessible (CVE-2019-14811, CVE-2019-14812,
 CVE-2019-14813)
   * Issue an error message if an ExtGstate is not found
   * PDF interpreter - review .forceput security (CVE-2019-14817)
Checksums-Sha1:
 a8c54027cfa81226ad834e162fe485ef67935f8c 2885 ghostscript_9.26a~dfsg-0+deb8u5.dsc
 3bc2fd605063bfd1dcd481b54a81159cb1f33a7e 17614652 ghostscript_9.26a~dfsg.orig.tar.xz
 010010987724fc0cd4705550890a23ba38167367 123416 ghostscript_9.26a~dfsg-0+deb8u5.debian.tar.xz
 99d0b4c247bb902192148581d80a2ee0de8884c7 3484314 ghostscript-doc_9.26a~dfsg-0+deb8u5_all.deb
 b4f386c5d4e7a767084e8640091b3f6dd4c1d23c 5145004 libgs9-common_9.26a~dfsg-0+deb8u5_all.deb
 67042ed670cc0acf78dcf5bb95d5a8b5e2c479da 98862 ghostscript_9.26a~dfsg-0+deb8u5_amd64.deb
 a895513e485ce586590a067cecab8f2ba9543a13 94292 ghostscript-x_9.26a~dfsg-0+deb8u5_amd64.deb
 9981c16c12cdd40efc1a434978af756d06501307 2210760 libgs9_9.26a~dfsg-0+deb8u5_amd64.deb
 a478656f1c1d0995a8630c9abe73a27488bdb308 76488 libgs-dev_9.26a~dfsg-0+deb8u5_amd64.deb
 94d6cd13877c98865ab13cf5e3eb5d77429c90dc 5761550 ghostscript-dbg_9.26a~dfsg-0+deb8u5_amd64.deb
Checksums-Sha256:
 199f2f40002019b97a05919405b20c586d9c1ab480ad0566e070212dd3c865d7 2885 ghostscript_9.26a~dfsg-0+deb8u5.dsc
 1c3647c42a3f894df22a7a12473f60ff4be38c38ed97232ecfab9b7f3a4fc8f4 17614652 ghostscript_9.26a~dfsg.orig.tar.xz
 39cbad7dfeefc6636608ed8a799e4e2b2a5ec51bb1de9b46039a187dd12753d0 123416 ghostscript_9.26a~dfsg-0+deb8u5.debian.tar.xz
 06a2f54ac1131d638dda8527f892d0a8e420f527cca01d197744e0b515e466d3 3484314 ghostscript-doc_9.26a~dfsg-0+deb8u5_all.deb
 e87b87e79d62886ad4a1aba9ff0b7e2d7422b423d32998c5ee0e61e888e1a798 5145004 libgs9-common_9.26a~dfsg-0+deb8u5_all.deb
 ca00a223324198a4ca8580f70a214d7782b9b512bcd34b41579827572c2eceb6 98862 ghostscript_9.26a~dfsg-0+deb8u5_amd64.deb
 6769223341bae39ce6374dd0621116891bfccb5473725ec1045f5452af59710f 94292 ghostscript-x_9.26a~dfsg-0+deb8u5_amd64.deb
 f46d9b8fcdc238712aa9443c18e3d002c34a0fadf568523a95e9dd9c94978396 2210760 libgs9_9.26a~dfsg-0+deb8u5_amd64.deb
 0112613777f2cfd2472d90d03c491976fde9069f76f41344f1a8e612198bdf4b 76488 libgs-dev_9.26a~dfsg-0+deb8u5_amd64.deb
 e55128df006c7d437a7305f8912b970151e59484002a388ab75f357aa8acdb03 5761550 ghostscript-dbg_9.26a~dfsg-0+deb8u5_amd64.deb
Files:
 f781f39c2890b49fd366e259edde 2885 text optional ghostscript_9.26a~dfsg-0+deb8u5.dsc
 93cc537385e51eee94b96102616e338a 17614652 text optional ghostscript_9.26a~dfsg.orig.tar.xz
 d627c0dba58103bcc56d478292bde74f 123416 text optional ghostscript_9.26a~dfsg-0+deb8u5.debian.tar.xz
 032f1f41e9026bb4577e3c8de2583c9f 3484314 doc optional ghostscript-doc_9.26a~dfsg-0+deb8u5_all.deb
 310fd1ef8f5d8f03616e98fc383821db 5145004 libs optional libgs9-common_9.26a~dfsg-0+deb8u5_all.deb
 b32f22afeecd6227934325a8521abe3d 98862 text optional ghostscript_9.26a~dfsg-0+deb8u5_amd64.deb
 e76763c2d7670541cd70b48b2b02d0ca 94292 text optional ghostscript-x_9.26a~dfsg-0+deb8u5_amd64.deb
 aa2ed5bdefe9d8aa3440511c3d551756 2210760 libs optional libgs9_9.26a~dfsg-0+deb8u5_amd64.deb
 3886e2762ca1551b206621808eac9950 76488 libdevel optional libgs-dev_9.26a~dfsg-0+deb8u5_amd64.deb
 2c38c890d6d85602bdeb905de900338e 5761550 debug extra ghostscript-dbg_9.26a~dfsg-0+deb8u5_amd64.deb

Re: qemu status

2019-09-09 Thread Sylvain Beucler
Ping?

- Sylvain

On 04/09/2019 15:41, Sylvain Beucler wrote:
> Hi Mike, hi all :)
>
> We have a prepared QEMU update from 3 months ago that needs attention:
> https://packages.sunweavers.net/debian/pool/main/q/qemu/
>
> It fixes:
> CVE-2017-9375 CVE-2019-12155 CVE-2017-15124 CVE-2016-5403 CVE-2016-5126
>
> Since then we got:
> CVE-2019-14378 CVE-2019-13164 CVE-2019-12068 CVE-2019-12067
> and possibly CVE-2018-19665 to reconsider.
>
> I can take the time to set up a physical box and provide more testing /
> more patching.
> Before doing so, I thought I'd first check:
> what are your plans for this month regarding this update? :)
>
> Cheers!
> Sylvain
>