Re: qemu status
Hi,

I have an updated package at: https://www.beuc.net/tmp/debian-lts/qemu/

The package appears globally stable with KVM and Xen.

I found 1 regression: connecting to qemu's VNC server crashes the process. This means there's probably an issue among CVE-2017-15124's 10 patches :/ (on a positive note the memory exhaustion issue is definitely fixed ;))

I'm interested in backport details about this?

Cheers!
Sylvain
[SECURITY] [DLA 1918-1] libonig security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libonig
Version        : 5.9.5-3.2+deb8u3
CVE ID         : CVE-2019-16163
Debian Bug     : 939988

The Oniguruma regular expressions library, notably used in PHP mbstring, is vulnerable to stack exhaustion. A crafted regular expression can crash the process.

For Debian 8 "Jessie", this problem has been fixed in version 5.9.5-3.2+deb8u3.

We recommend that you upgrade your libonig packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl16EwoACgkQj/HLbo2J
BZ+eJgf+OU8NBd0fwtVEmF2UgU66npBCYlsoO62ZVFXg3NuDo37+c5VKaw8JLxA5
q4/TageYMoBPDOAxb3aMaizPPW3Tcon4eFHaZ1rV6l/4rWTB7jp8ru+BwsdObIoz
TIq4zGXlsYmMTC3S+u8UH1rsYkAANB5q5+Vy85BKuG8HOyxwassxgjmgW1quGfJ/
u8XB6unxSp/SzqZxH5+UFBu2dssP4o1GyNAZjcpf9naTiriyMk/AO1RU+tucRHMo
6USE5gNzFhoCiSQZRzjff2cYqd/88w/AsKq8G2gV1rAs1A0qcXSemFxA9iwD9q4A
39zRUUYSqosIBnv5aeOykQ2YQBVvnA==
=oiDK
-----END PGP SIGNATURE-----
Accepted libonig 5.9.5-3.2+deb8u3 (source amd64) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 11 Sep 2019 15:30:09 +0200
Source: libonig
Binary: libonig2 libonig2-dbg libonig-dev
Architecture: source amd64
Version: 5.9.5-3.2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Jörg Frings-Fürst
Changed-By: Sylvain Beucler
Description:
 libonig-dev - Development files for libonig2
 libonig2   - Oniguruma regular expressions library
 libonig2-dbg - Debugging symbols for libonig2
Changes:
 libonig (5.9.5-3.2+deb8u3) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport recursion monitoring (with a fixed limit to avoid changing
     the API; higher limit exhausts the default stack size)
   * Fix CVE-2019-16163: Oniguruma before 6.9.3 allows Stack Exhaustion
     in regcomp.c because of recursion in regparse.c.
Checksums-Sha1:
 a6c9820bd35f4e59c91585b64c312067dc391df7 1559 libonig_5.9.5-3.2+deb8u3.dsc
 c988f0f21d5d32510210a4dcb2deb86e70465443 10636 libonig_5.9.5-3.2+deb8u3.debian.tar.xz
 5aa359feda7a2008218058dbddc0cf74f3fa3c8e 117756 libonig2_5.9.5-3.2+deb8u3_amd64.deb
 6552842ae347b3b589a32987c0fb680ef57e4b6f 201112 libonig2-dbg_5.9.5-3.2+deb8u3_amd64.deb
 c4f52811d7a91dcefb0d7e0705722fde2efb9027 79628 libonig-dev_5.9.5-3.2+deb8u3_amd64.deb
Checksums-Sha256:
 6d86b3a5524f08262e68e9a6fe6c8e601427b4303e53880d7a78142214e1f1f2 1559 libonig_5.9.5-3.2+deb8u3.dsc
 088289008e7f63d6eb5e347277f75d04b5e6825bcf3cbb4cc758c45beb5fbd85 10636 libonig_5.9.5-3.2+deb8u3.debian.tar.xz
 7e82d5b089d123dfb1eff699b9e8cca8dd41ff9665906f00cf9b38a4afada2c0 117756 libonig2_5.9.5-3.2+deb8u3_amd64.deb
 8f2e792e5194aacba6f964c0b2beb7c4367f0b5224ec9b4ce6771b84d23d647f 201112 libonig2-dbg_5.9.5-3.2+deb8u3_amd64.deb
 4ef1d29d6173271dd0b31d9971ea78f6c602785eb88e0451d3f722c5507e78fc 79628 libonig-dev_5.9.5-3.2+deb8u3_amd64.deb
Files:
 1b84a8b079991bfca75df4159a06103d 1559 libs extra libonig_5.9.5-3.2+deb8u3.dsc
 d98726e472bee8d4992cf0c993a2e8a0 10636 libs extra libonig_5.9.5-3.2+deb8u3.debian.tar.xz
 d087b8813af79582c42af9a3444ea9cb 117756 libs optional libonig2_5.9.5-3.2+deb8u3_amd64.deb
 d3469c4643b1c963d72838e7ccb36acc 201112 debug extra libonig2-dbg_5.9.5-3.2+deb8u3_amd64.deb
 1865c23fb2a7c3d707485685190bc94e 79628 libdevel optional libonig-dev_5.9.5-3.2+deb8u3_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl16Df8ACgkQj/HLbo2J
BZ+bRwgAp//oHoNQVwM9RZ9YNqyzm2BWw+JPwb1CrRQFBMFz49AjEP/TgVHLe1r8
HR5+lZQSHp6KX+ga0dAMA+Tzv3/LHZ3qr4MgeFDToOBmMzo+KaSGeMBEnBiS1YiO
3QbVuFuk9JLPjZ1Ku9JAaSxQ2bHJyVJRcE6ZTn5wHHq9dErejW3aH+LIHxDOfzHW
WanflHqDDQUoivS/k1HVda+JmhW9yJEBoQFDXfWIEMUAFJdDnymteWCN2n9wBFWN
cpsnyb8TXQgflUI+MWLM9NDP2Nm2QgcSg1vJFZ58J+HtBaw7zReneIUQJylFWWs6
DMWhmSgW5r9aa/hdNrC5qaivMChRJw==
=zQ5X
-----END PGP SIGNATURE-----
Re: since update 1.3.3.5-4+deb8u5 php ldap authentication failure
Hi Mike, hi Hugo,

Am 11.09.19 um 14:04 schrieb Mike Gabriel:
> Hi Hugo,
>
> sorry for the late reply on this urgent matter.
>
> On So 08 Sep 2019 10:46:26 CEST, Hugo Lefeuvre wrote:
>
>> Sorry for the very late answer. For some reason, it looks like the LTS
>> team was not aware of this bug...
>>
>> I am the one who provided these updates. This issue must have slipped
>> through my LDAP tests. I will investigate this as soon as possible and
>> provide a fix consequently.
>>
>> Mike, you did the latest 389-ds-base update. Did you notice anything
>> wrong during your tests?
>
> For uploading 1.3.3.5-4+deb8u6, I unfortunately did not do much smoke
> testing regarding the LDAP query stuff (the patch was about indefinite
> SSL connection hangs).
>
> Let me know, if you need help looking into this (due to e.g. time
> constraints or what not on your side).

As with version 1.3.5.17-2 everything worked fine, we didn't investigate further... So I can only report that we didn't encounter any errors with all the versions shipped in Debian 9.

Regards
Jan