Accepted linux-4.9 4.9.189-3+deb9u1~deb8u1 (all source) into oldoldstable
Format: 1.8
Date: Mon, 30 Sep 2019 15:49:24 +0100
Binary: linux-doc-4.9 linux-headers-4.9.0-0.bpo.11-common linux-headers-4.9.0-0.bpo.11-common-rt linux-manual-4.9 linux-source-4.9 linux-support-4.9.0-0.bpo.11
Source: linux-4.9
Architecture: all source
Version: 4.9.189-3+deb9u1~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 linux-doc-4.9 - Linux kernel specific documentation for version 4.9
 linux-headers-4.9.0-0.bpo.11-common - Common header files for Linux 4.9.0-0.bpo.11
 linux-headers-4.9.0-0.bpo.11-common-rt - Common header files for Linux 4.9.0-0.bpo.11-rt
 linux-manual-4.9 - Linux kernel API manual pages for version 4.9
 linux-source-4.9 - Linux kernel source for version 4.9 with Debian patches
 linux-support-4.9.0-0.bpo.11 - Support files for Linux 4.9
Changes:
 linux-4.9 (4.9.189-3+deb9u1~deb8u1) jessie-security; urgency=medium
 .
   * Backport to jessie; no further changes required
 .
 linux (4.9.189-3+deb9u1) stretch-security; urgency=high
 .
   * vhost: make sure log_num < in_num (CVE-2019-14835)
   * ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
   * ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term (CVE-2019-15118)
   * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
   * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
Accepted phpbb3 3.0.12-5+deb8u4 (source all) into oldoldstable
Format: 1.8
Date: Tue, 01 Oct 2019 00:58:32 +0200
Source: phpbb3
Binary: phpbb3 phpbb3-l10n
Architecture: source all
Version: 3.0.12-5+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: phpBB packaging team
Changed-By: Mike Gabriel
Description:
 phpbb3 - full-featured, skinnable non-threaded web forum
 phpbb3-l10n - additional language files for phpBB
Changes:
 phpbb3 (3.0.12-5+deb8u4) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-13376, CVE-2019-16993: includes/acp/acp_bbcodes.php: Check
     form key in acp_bbcodes, and check form key no matter if submit is
     set. CVE-2019-13376 has been a regression of the fix for
     CVE-2019-16993.
[SECURITY] [DLA 1942-1] phpbb3 security update
Package: phpbb3
Version: 3.0.12-5+deb8u4
CVE ID : CVE-2019-16993

In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them.

The description in this DLA does not match what has been documented in the changelog.Debian.gz of this package version. After the upload of phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet been fixed. The correct fix for CVE-2019-13776 has been identified and will be shipped in a soon-to-come follow-up security release of phpbb3.

For Debian 8 "Jessie", these problems have been fixed in version 3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 1941-1] netty security update
Package: netty
Version: 1:3.2.6.Final-2+deb8u1
CVE ID : CVE-2019-16869

Netty mishandled whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which led to HTTP request smuggling.

For Debian 8 "Jessie", this problem has been fixed in version 1:3.2.6.Final-2+deb8u1.

We recommend that you upgrade your netty packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
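The rule the netty fix refers to (RFC 7230 section 3.2.4: a server must reject a header line with whitespace between the field-name and the colon, not trim it) applied in a small strict header parser, as an added example that is not Netty's code or part of the advisory; the header blocks it parses are constructed.

```python
"""Strict HTTP/1.1 header-field parsing per RFC 7230 section 3.2.4.

Added example, not Netty's code.  A parser that silently trims the
space in "Transfer-Encoding : chunked" and one that does not will
disagree about which headers a message carries; RFC 7230 removes the
ambiguity by requiring the line to be rejected outright.
"""
import re

# token = 1*tchar (RFC 7230 section 3.2.6); no whitespace of any kind.
TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadHeader(ValueError):
    """A header line that RFC 7230 says a server MUST reject."""


def parse_header_line(line):
    """Split one header line into (lowercased name, value), strictly."""
    if ":" not in line:
        raise BadHeader("no colon in header line: %r" % line)
    name, value = line.split(":", 1)
    # Whitespace between field-name and colon is a protocol error,
    # never something to clean up.
    if name != name.rstrip(" \t"):
        raise BadHeader("whitespace before colon: %r" % name)
    # Anything that is not a token (including a line that starts with
    # whitespace, i.e. obs-fold) is rejected as well.
    if not TCHAR_RE.match(name):
        raise BadHeader("invalid field-name: %r" % name)
    # Optional whitespace (OWS) around the field-value is legitimate.
    return name.lower(), value.strip(" \t")


def parse_headers(block):
    """Parse a CRLF-delimited header block (bytes) into a dict.

    Raises BadHeader on the first offending line, so a caller never
    acts on a partially parsed, ambiguous message.
    """
    headers = {}
    for line in block.decode("ascii").split("\r\n"):
        if line:
            name, value = parse_header_line(line)
            headers[name] = value
    return headers


def check_headers(block):
    """Return (True, headers) if accepted, else (False, reason)."""
    try:
        return True, parse_headers(block)
    except BadHeader as exc:
        return False, str(exc)


# Constructed sample inputs, not captured traffic.
GOOD = b"Host: example.test\r\nTransfer-Encoding:\tchunked \r\n"
BAD = b"Host: example.test\r\nTransfer-Encoding : chunked\r\n"

if __name__ == "__main__":
    print(check_headers(GOOD))
    print(check_headers(BAD))
```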
Accepted netty 1:3.2.6.Final-2+deb8u1 (source all) into oldoldstable
Format: 1.8
Date: Fri, 27 Sep 2019 15:13:36 +0200
Source: netty
Binary: libnetty-java
Architecture: source all
Version: 1:3.2.6.Final-2+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Chris Grzegorczyk
Changed-By: Mike Gabriel
Description:
 libnetty-java - Java NIO client/server socket framework
Changes:
 netty (1:3.2.6.Final-2+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-16869: Correctly handle whitespaces in HTTP header names as
     defined by RFC7230#section-3.2.4.
   * debian/control:
     + Drop 'DM-Upload-Allowed: yes' field. Not supported in jessie anymore.
       (The netty src:pkg never got updated during the jessie release cycle).
   * debian/build.xml:
     + Enable deprecations. Fixes FTBFS against OpenJDK in Debian jessie LTS.
[SECURITY] [DLA 1900-2] apache2 regression update
Package: apache2
Version: 2.4.10-10+deb8u16
CVE ID : CVE-2019-10092
Debian Bug : 941202

The update of apache2 released as DLA-1900-1 contained an incomplete fix for CVE-2019-10092, a limited cross-site scripting issue affecting the mod_proxy error page. The old patch instead introduced a new CSRF protection, which also caused a regression: an inability to dynamically change the status of members in the balancer via the balancer-manager. This update reverts that change and provides the correct upstream patch to address CVE-2019-10092.

For Debian 8 "Jessie", this problem has been fixed in version 2.4.10-10+deb8u16.

We recommend that you upgrade your apache2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1939-1] poppler security update
Package: poppler
Version: 0.26.5-2+deb8u11
CVE ID : CVE-2018-20650 CVE-2018-21009 CVE-2019-12493

Several issues in poppler, a PDF rendering library, have been fixed.

CVE-2018-20650

    A missing check for the dict data type could lead to a denial of service.

CVE-2018-21009

    An integer overflow might happen in Parser::makeStream.

CVE-2019-12493

    A stack-based buffer over-read by a crafted PDF file might happen in PostScriptFunction::transform because some functions mishandle tint transformation.

For Debian 8 "Jessie", these problems have been fixed in version 0.26.5-2+deb8u11.

We recommend that you upgrade your poppler packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted poppler 0.26.5-2+deb8u11 (source amd64 all) into oldoldstable
Format: 1.8
Date: Thu, 26 Sep 2019 19:13:02 +0200
Source: poppler
Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev libpoppler-qt5-1 libpoppler-qt5-dev libpoppler-cpp0 libpoppler-cpp-dev poppler-utils poppler-dbg
Architecture: source amd64 all
Version: 0.26.5-2+deb8u11
Distribution: jessie-security
Urgency: medium
Maintainer: Loic Minier
Changed-By: Thorsten Alteholz
Description:
 gir1.2-poppler-0.18 - GObject introspection data for poppler-glib
 libpoppler-cpp-dev - PDF rendering library -- development files (CPP interface)
 libpoppler-cpp0 - PDF rendering library (CPP shared library)
 libpoppler-dev - PDF rendering library -- development files
 libpoppler-glib-dev - PDF rendering library -- development files (GLib interface)
 libpoppler-glib-doc - PDF rendering library -- documentation for the GLib interface
 libpoppler-glib8 - PDF rendering library (GLib-based shared library)
 libpoppler-private-dev - PDF rendering library -- private development files
 libpoppler-qt4-4 - PDF rendering library (Qt 4 based shared library)
 libpoppler-qt4-dev - PDF rendering library -- development files (Qt 4 interface)
 libpoppler-qt5-1 - PDF rendering library (Qt 5 based shared library)
 libpoppler-qt5-dev - PDF rendering library -- development files (Qt 5 interface)
 libpoppler46 - PDF rendering library
 poppler-dbg - PDF rendering library -- debugging symbols
 poppler-utils - PDF utilities (based on Poppler)
Changes:
 poppler (0.26.5-2+deb8u11) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2019-12493
     stack-based buffer over-read because GfxSeparationColorSpace and
     GfxDeviceNColorSpace mishandle tint transform functions
   * CVE-2018-21009
     integer overflow in Parser::makeStream in Parser.cc
   * CVE-2018-20650
     denial of service due to the lack of a check for the dict data type
Re: CVE-2019-16935/python*
Hi

jython and pypy-lib added now. Also marked it as ignored for LTS.

Best regards

// Ola

On Mon, 30 Sep 2019 at 12:48, Sylvain Beucler wrote:
> Hi,
>
> On 28/09/2019 22:36, Ola Lundqvist wrote:
> > I have looked a little into CVE-2019-16935. My conclusion is that the
> > package is vulnerable but I could not really judge its severity. I have
> > a question though. If we find that we should correct it, shouldn't we
> > correct also jython and pypy-lib in that case?
> >
> > The problem is in DocXMLRPCServer.py and that file exists also in the
> > other two packages. Or should we assume there will be a different CVE
> > for those packages?
> >
> > https://packages.debian.org/search?searchon=contents=DocXMLRPCServer.py=exactfilename=oldstable=any
> >
>
> I would reference python and pypy-lib in data/CVE/list, indeed.
> Do you want to do that?
>
> As for the severity, from what I read this is a reflected XSS, that is
> also hypothetical as this would affect an unknown third-party app making
> use of DocXMLRPCServer and setting the server title from untrusted input.
> So low IMHO.
>
> Cheers!
> Sylvain
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ---
| o...@inguza.como...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
 ---
Re: Training process
Hi Sylvain,

On Mon, Sep 30, 2019 at 01:13:45PM +0200, Sylvain Beucler wrote:
> First, welcome to Utkarsh Gupta in the team :)

thanks and indeed! Welcome as an LTS contributor, Utkarsh!

> From what I understand there was a training during July and August,
> resulting in active status this month.

yes, done by me (and a bit from Raphael), done in private.

> I saw zero traces of this training besides a passing anonymous
> mention in Raphael's reports.

I expect a welcome with the full name in the upcoming report for
September. :)

> Possibly we can clarify this a lil' bit? Or did I miss an information
> source?

see above.

> This would also help welcome new members, I myself remember a solid
> silence when I joined (while I explicitly introduced my application at
> debian-lts@l.d.o).

I was traveling the last two days and the little LTS time I had I used
for reviewing & sponsoring Utkarsh's uploads, discussing with him and
sending his DLAs. TBH it also didn't occur to me to introduce him here,
but you are right. I'm just a bit unsure where to remark this, so that
we will remember in future, templates/new-candidacy.txt doesn't feel
right. Suggestions?

-- 
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Training process
Hi,

First, welcome to Utkarsh Gupta in the team :)

From what I understand there was a training during July and August,
resulting in active status this month.

I saw zero traces of this training besides a passing anonymous
mention in Raphael's reports.

Possibly we can clarify this a lil' bit? Or did I miss an information
source?

This would also help welcome new members, I myself remember a solid
silence when I joined (while I explicitly introduced my application at
debian-lts@l.d.o).

Cheers!
Sylvain
Re: CVE-2019-16935/python*
Hi,

On 28/09/2019 22:36, Ola Lundqvist wrote:
> I have looked a little into CVE-2019-16935. My conclusion is that the
> package is vulnerable but I could not really judge its severity. I have
> a question though. If we find that we should correct it, shouldn't we
> correct also jython and pypy-lib in that case?
>
> The problem is in DocXMLRPCServer.py and that file exists also in the
> other two packages. Or should we assume there will be a different CVE
> for those packages?
>
> https://packages.debian.org/search?searchon=contents=DocXMLRPCServer.py=exactfilename=oldstable=any
>

I would reference python and pypy-lib in data/CVE/list, indeed.
Do you want to do that?

As for the severity, from what I read this is a reflected XSS, that is
also hypothetical as this would affect an unknown third-party app making
use of DocXMLRPCServer and setting the server title from untrusted input.
So low IMHO.

Cheers!
Sylvain
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity
hi,

today I unclaimed no packages for neither LTS nor eLTS. Yay!

-- 
tschau,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
[SECURITY] [DLA 1938-1] file-roller security update
Package: file-roller
Version: 3.14.1-1+deb8u1
CVE ID : CVE-2019-16680

An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.

For Debian 8 "Jessie", this problem has been fixed in version 3.14.1-1+deb8u1.

We recommend that you upgrade your file-roller packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
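The member-path check that closes this class of traversal, as an added example that is not file-roller's code: every archive member name is resolved against the destination directory and rejected unless it stays underneath it. It uses Python's tarfile module and a constructed in-memory archive containing the same kind of "./../" member the advisory describes.

```python
"""Reject tar member names that escape the extraction directory.

Added example, not file-roller's code.  The archive built below is
constructed in memory; nothing is written to disk.
"""
import io
import os
import tarfile


def resolve_member(dest, name):
    """Return where member `name` would land under dest, or None if it escapes.

    realpath() normalises "./../x" to a sibling of dest, leaves an absolute
    name pointing outside dest, and follows any symlink already present
    under dest, so all three escape routes fail the single commonpath() test.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def classify_members(archive_bytes, dest):
    """Split an archive's member names into (safe, rejected) lists."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if resolve_member(dest, member.name) is None:
                rejected.append(member.name)
            else:
                safe.append(member.name)
    return safe, rejected


def build_sample_archive():
    """Constructed archive: two benign names and one "./../" traversal."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("notes.txt", "./sub/readme.txt", "./../escape.txt"):
            info = tarfile.TarInfo(name)
            data = b"sample\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = classify_members(build_sample_archive(), "/tmp/unpack")
    print("safe:", safe)
    print("rejected:", rejected)
```

Python 3.12 and later ship an equivalent check as tarfile's "data" extraction filter; the function above makes the same decision explicit so it can be applied before any member is written.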