Re: ruby-mini-magick
Hello Brian,

On 25 Sep 2019 16:42:39, Brian May wrote:
> Hello All,
>
> I just noticed I can't build ruby-mini-magick in Jessie,
> required for a security update.
>
> expected no Exception, got # -quiet -ping /tmp/mini_magick20190925-3686-3v99mo.psd") failed:
> {:status_code=>1, :output=>""}> with backtrace:
>
> Problem seems to be that the identify command, from
> imagemagick fails when supplied a *.psd file:
>
> # identify /tmp/tigerpsdfmt.psd ; echo $?
> 1
>
> This same command with the same file works on stretch.
>
> Any ideas?

Whilst I recently claimed ruby-mini-magick from the list, I did a little research on the same. Here are my findings:

I guess the original version of ruby-mini-magick and the imagemagick in Jessie were working fine together. However, something messed up in imagemagick later on (not yet sure what it was).

Following the upstream commits from 2014, 2015, and 2016, I found out that they removed PSD tests and the usage of TIFF in these commits [1][2] (just after the release of the version in Jessie) because imagemagick stopped supporting it by default from 6.9.0. However, the version of imagemagick in Jessie is 6.8.9.9-5+deb8u17. So I guess that should work, but given the additional "deb8u17", I suspect something changed there which fails ruby-mini-magick's test.

Furthermore, PSD is a proprietary piece of software and that test doesn't really help us in checking anything important either. Neither do TIFFs (from specs). Thus, I don't think we actually need that here and it can be safely disabled/patched because of the above reasons.

Looking forward to your suggestions and opinions. I'd be happy to complete this and upload the same if it's fine by everyone.

Best,
Utkarsh

---
[1]: https://github.com/minimagick/minimagick/commit/254ab7b06cfeb520918381fea6efe37b2a955ce7#diff-3bb5ea059ab3c1c6dbccd241014d50b2
[2]: https://github.com/minimagick/minimagick/commit/310dd98a32520fb4cadbdb5527bd776489d34b3c#diff-2d76fb5dce3205e175fbd79837d203c5
[SECURITY] [DLA 1943-1] jackson-databind security update
Package: jackson-databind
Version: 2.4.2-2+deb8u9
CVE ID : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943
Debian Bug : 940498 941530

More deserialization flaws were discovered in jackson-databind relating to the classes com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource, commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an unauthenticated user to perform remote code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version 2.4.2-2+deb8u9.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted jackson-databind 2.4.2-2+deb8u9 (source all) into oldoldstable
Format: 1.8
Date: Wed, 02 Oct 2019 21:36:21 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
     Deserialization flaws were discovered in jackson-databind relating to
     com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
     commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
     unauthenticated user to perform remote code execution. The issue was
     resolved by extending the blacklist and blocking more classes from
     polymorphic deserialization.
Checksums-Sha1:
 a006955a518980e131a1d9a5d8063e833df23e10 2691 jackson-databind_2.4.2-2+deb8u9.dsc
 7fceb674852fbd91daec6f878e409eeb8f617474 12036 jackson-databind_2.4.2-2+deb8u9.debian.tar.xz
 84974bde19f0edfecd5b5351b20e71c32b784b6b 987756 libjackson2-databind-java_2.4.2-2+deb8u9_all.deb
 fa0f054ee5e220c95d232d3e2e435312bc4c6ab0 4743850 libjackson2-databind-java-doc_2.4.2-2+deb8u9_all.deb
Checksums-Sha256:
 f7a05cc38f9ee4d9778e8c7aa4d7cbeb1824387849bea588f1f62625110170fe 2691 jackson-databind_2.4.2-2+deb8u9.dsc
 f5b9374cf02b2c19411275cbad2f669271e1eeed10eea868df133554e92c07e1 12036 jackson-databind_2.4.2-2+deb8u9.debian.tar.xz
 43af9463c6b0bcf20d2944bf088a3b9b609c0f2f80d82d6a140e66100914289d 987756 libjackson2-databind-java_2.4.2-2+deb8u9_all.deb
 64311ce46e1e5e9e068a5e685d68f55863b475bd83d141a6d9cfb1c698d592cd 4743850 libjackson2-databind-java-doc_2.4.2-2+deb8u9_all.deb
Files:
 4ffc12233765570d3d2ca979fd86bd1f 2691 java optional jackson-databind_2.4.2-2+deb8u9.dsc
 92fddfbe7726055ec0a2c0ce66943762 12036 java optional jackson-databind_2.4.2-2+deb8u9.debian.tar.xz
 e0c42e490609be5e452effc14e29098b 987756 java optional libjackson2-databind-java_2.4.2-2+deb8u9_all.deb
 753cc52f350a7f18edcf258987e1a12e 4743850 doc optional libjackson2-databind-java-doc_2.4.2-2+deb8u9_all.deb
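The advisory and the changelog entry above both say the Jessie fix works by extending a blacklist of classes that polymorphic deserialization refuses to instantiate. The Java example below is added here and is not code from the Debian package, from Jackson, or from either message. It shows the configuration that makes such a blacklist necessary (global default typing, where the JSON carries the class name to instantiate) beside an allow-list configuration built with BasicPolymorphicTypeValidator, which exists in Jackson 2.10 and later, not in the 2.4.2 series shipped in Jessie. The Event classes, the JSON strings and the class names in them are constructed for the example.

```java
// Added example: allow-listed polymorphic deserialization in Jackson 2.10+.
// Not part of DLA 1943-1 or the jackson-databind Debian package.
// Event, LoginEvent, LogoutEvent and the JSON strings are constructed here.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDeserialization {

    // Hypothetical application types. Only these may be instantiated from a
    // type id carried in untrusted JSON.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }
    public static class LogoutEvent implements Event { public String user; }

    // Default typing with As.WRAPPER_ARRAY (Jackson's default) serialises a
    // value as ["<class name>", {...}], so the class name is attacker
    // controlled whenever the JSON is. Class is in the default package here.
    static final String APP_TYPE_JSON =
        "[\"SafePolymorphicDeserialization$LoginEvent\",{\"user\":\"alice\"}]";
    // A type id naming any class outside the allow-list; HashMap merely
    // stands in for "not an Event".
    static final String FOREIGN_TYPE_JSON = "[\"java.util.HashMap\",{}]";

    // Weak setting: enableDefaultTyping() accepts any class name that is not
    // on Jackson's built-in blacklist (SubTypeValidator). That blacklist is
    // what the Jessie update extends, and it has to be extended again for
    // every newly discovered gadget class.
    @SuppressWarnings("deprecation")
    public static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Corrected setting: the validator permits only classes assignable to
    // Event. Any other type id fails closed (InvalidTypeIdException, a
    // JsonMappingException) before the class is instantiated, so an unknown
    // gadget is blocked without a blacklist entry.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Event.class)
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Describes the outcome so both mappers can be compared on the same input.
    public static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted " + value.getClass().getName();
        } catch (JsonMappingException e) {
            return "rejected: " + e.getOriginalMessage();
        } catch (java.io.IOException e) {
            return "parse error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ObjectMapper hardened = hardenedMapper();
        System.out.println("hardened, app type:     " + tryRead(hardened, APP_TYPE_JSON));
        System.out.println("hardened, foreign type: " + tryRead(hardened, FOREIGN_TYPE_JSON));
        ObjectMapper legacy = legacyMapper();
        System.out.println("legacy, foreign type:   " + tryRead(legacy, FOREIGN_TYPE_JSON));
    }
}
```

The hardened mapper accepts the LoginEvent payload and rejects the HashMap one; the legacy mapper accepts both, because HashMap is harmless and so not on any blacklist. The difference is the point: a blacklist only grows after each new gadget is found, while an allow-list keyed on the application's own base type needs no update when one is.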
Re: ClamAV update in jessie
Hi Holger,

> > This work has already been done for stretch, so we should be able to
> > backport it to jessie. Still, I'm going to spend quite some time on it...
>
> what does 'some time' mean? in general, this seems reasonable to me.

The debdiffs are fairly simple, and the versions are close. Probably six hours altogether, but this is a rough estimation.

FTR, the transition in stretch was tracked as #924278[0].

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924278

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: ClamAV update in jessie
On Wed, Oct 02, 2019 at 07:16:10PM +0200, Hugo Lefeuvre wrote:
> This work has already been done for stretch, so we should be able to
> backport it to jessie. Still, I'm going to spend quite some time on it...

what does 'some time' mean? in general, this seems reasonable to me.

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
ClamAV update in jessie
Hi,

I've spent a couple of hours working on ClamAV since yesterday. I have backported Sebastian Andrzej Siewior's work to jessie, and tested it. Fine so far, this fixes a couple of issues including the Zip bomb ones.

Problem: we're backporting 0.101.4 to jessie. This implies an ABI bump and unless I am mistaken requires uploads for a few reverse dependencies:

- python-pyclamav
- havp
- dansguardian
- libc-icap-mod-virus-scan

This work has already been done for stretch, so we should be able to backport it to jessie. Still, I'm going to spend quite some time on it...

I'd like to know what you think about this, and if you can think of any alternative/less time consuming solution. (cherry picking changes does not seem reasonable to me)

regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Mike,

On Wed, Oct 02, 2019 at 02:01:25PM +, Mike Gabriel wrote:
> On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
> > I see you reverted affectation for CVE-2019-13376.
> >
> > CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> > registered just yesterday to clarify that we've been missing this earlier
> > fix (AFAICS unsuccessfully ;)).
> >
> > CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> > thought was related (phpbb's SECURITY-231), which is a different
> > "vulnerability" (with quotes, as it just disables a feature by default,
> > which is expected to be re-enabled for CVE-2019-13376 to apply, as
> > mentioned in the write-up: "in the ACP, go to General > Avatar settings
> > and enable remote avatars").
> >
> > Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> > SECURITY-231 doesn't have a CVE assigned.
>
> Are you 100% sure on this?

That's what I conclude by reading the write-up and the code (and requesting the new CVE). I didn't exploit the vulnerability.

If you wish to fix SECURITY-231 though you could request a CVE and fix it independently.

> Let me collect my todos for this, then:
>
> * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog
> entry(?)

The changelog entry looks OK.

> * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376
> needs to be re-added to DLA-1942-1(?)

I did so yesterday.

> * the dla-announcement needs to be re-done / replied to, and it needs to be
> declared that CVE-2019-13376 is in fact already fixed by +deb8u4
> * furthermore, I referenced CVE-2019-13776 in the announcement,
> rather than CVE-2019-13376 (typo, g...)
>
> Correct?

That sounds right.

> Thanks for spotting this!

NP, I was just doing FrontDesk :)

Cheers!
Sylvain
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Sylvain,

On Di 01 Okt 2019 13:32:25 CEST, Sylvain Beucler wrote:
> Hi Gabriel,
>
> I see you reverted affectation for CVE-2019-13376.
>
> CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I
> registered just yesterday to clarify that we've been missing this earlier
> fix (AFAICS unsuccessfully ;)).
>
> CVE-2019-13376 applies to 3.2.7 which already has the fix that you
> thought was related (phpbb's SECURITY-231), which is a different
> "vulnerability" (with quotes, as it just disables a feature by default,
> which is expected to be re-enabled for CVE-2019-13376 to apply, as
> mentioned in the write-up: "in the ACP, go to General > Avatar settings
> and enable remote avatars").
>
> Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993.
> SECURITY-231 doesn't have a CVE assigned.
>
> Cheers!
> Sylvain

Are you 100% sure on this?

Let me collect my todos for this, then:

* Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog entry(?)
* security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376 needs to be re-added to DLA-1942-1(?)
* the dla-announcement needs to be re-done / replied to, and it needs to be declared that CVE-2019-13376 is in fact already fixed by +deb8u4
* furthermore, I referenced CVE-2019-13776 in the announcement, rather than CVE-2019-13376 (typo, g...)

Correct?

Thanks for spotting this!

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Introduction
Hi Utkarsh,

On Wed, Oct 02, 2019 at 06:35:29AM +0530, Utkarsh Gupta wrote:
> Hey, I joined back in July as a trainee and now a part of the LTS team
> since this October, and all this while I forgot to introduce myself, so
> here it goes.. I am 19 y/o Debian Maintainer (opening a NM process for
> DM -> DD this weekend :)). Being a part of the Ruby, JS, Golang, Perl,
> and the Python team, I mostly help in maintaining GitLab, Rails, Ruby,
> et al. The other libraries/applications that I maintain are available on
> my DDPO[1]. Besides Debian, [...]
> Apart from open source, [...]

still very impressive (to read again, even though I knew most of it)!

> Excited to be a part of the team :D
> Best,
> Utkarsh

excited to have you among us! Welcome to the team!

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
September LTS Report
Hi,

Here is my LTS report for September 2019.

I was allocated 23.75h. Unfortunately I did not manage to spend any of them. Last month was very busy on the personal side, and I had to temporarily pause my Debian involvement. Everything should be back to normal now, and I expect to be able to spend these hours in October.

regards,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: Introduction
Hi Utkarsh,

> Apart from open source, my interests lie in Parsers, Compilers,
> and Computer Architecture. Though I haven't gotten much there,
> but I hope I soon will (still figuring out how to go about it).

Ah, I immediately think of my university days and the "Dragon Book"…

Welcome to the team. :)

Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-