Re: [SECURITY] [DLA 1942-2] phpbb3 regression update

2019-10-07 Thread howard

Please discontinue sending [SECURITY] [XXX --] items. Thank you!

On 10/7/19 12:23 AM, Mike Gabriel wrote:

> This is a follow-up to DLA-1942-1.
>
> There was some confusion about the correct
> fix for CVE-2019-13776.
>
> The correct announcement for this DLA should have been:
>
> Package: phpbb3
> Version: 3.0.12-5+deb8u4
> CVE ID : CVE-2019-13776 CVE-2019-16993
>
> CVE-2019-16993
>
>    In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
>    CSRF token on the BBCode page in the Administration Control Panel. An
>    actual CSRF attack was possible if an attacker also managed to retrieve
>    the session id of a reauthenticated administrator prior to targeting
>    them.
>
> CVE-2019-13776
>
>    phpBB allowed the stealing of an Administration Control Panel session id
>    by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking
>    lead to stored XSS.
>
> For Debian 8 "Jessie", these problems have been fixed in version
> 3.0.12-5+deb8u4.
>
> We recommend that you upgrade your phpbb3 packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS




Re: libsdl2 patches cause regressions in Jessie

2019-10-07 Thread Hugo Lefeuvre
> This looks like a regression, indeed. I will provide a regression update
> as soon as possible.

Looks like I'm actually not the one who issued this update.  Abhijith: do
you want to handle this, or should I proceed with a fix tomorrow?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Re: libsdl2 patches cause regressions in Jessie

2019-10-07 Thread Hugo Lefeuvre
Hi,

> If my understanding is correct, some patches in libsdl2
> (2.0.2+dfsg1-6+deb8u1) as applied in Jessie cause issues because they were
> intended for libsdl1.2, not libsdl2.
> The patch for CVE-2019-7637 causes regressions (more info here
> ), the commit here
>  fixes the CVE.
> The patch for CVEs CVE-2019-7635, CVE-2019-7638 and CVE-2019-7636 has
> unreachable code. The commit here
>  fixes CVE-2019-7635 and the
> commit here  fixes CVEs
> CVE-2019-7638 and CVE-2019-7636.

This looks like a regression, indeed. I will provide a regression update
as soon as possible.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




libsdl2 patches cause regressions in Jessie

2019-10-07 Thread Avital Ostromich
Hello,

If my understanding is correct, some patches in libsdl2
(2.0.2+dfsg1-6+deb8u1) as applied in Jessie cause issues because they were
intended for libsdl1.2, not libsdl2.
The patch for CVE-2019-7637 causes regressions (more info here
), the commit here
 fixes the CVE.
The patch for CVEs CVE-2019-7635, CVE-2019-7638 and CVE-2019-7636 has
unreachable code. The commit here
 fixes CVE-2019-7635 and the
commit here  fixes CVEs
CVE-2019-7638 and CVE-2019-7636.

Thanks,
Avital


Re: [SECURITY] [DLA 1942-1] phpbb3 security update

2019-10-07 Thread Mike Gabriel
Hi Holger,

On Monday, 7 October 2019, Holger Levsen wrote:
> Hi Mike,
> 
> On Sun, Oct 06, 2019 at 10:14:23PM +, Mike Gabriel wrote:
> > I tried another time, like described by Ben (a new DLA-1942-2), but the mail
> > still has not arrived on the list.
> 
> I've now sent it for you. (mutt -H $file is what I've used for that.)

Thanks!
 
> > I will be afk for the next couple of days, so I will not be able to look
> > into this again after my VAC (I am sorry)!
> 
> enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
> when you're back.

I had already done that and Carsten already merged my MR.

Thanks,
Mike

-- 
Sent from my Fairphone2 (powered by Sailfish OS).

[SECURITY] [DLA 1948-1] ruby-mini-magick security update

2019-10-07 Thread Abhijith PA
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: ruby-mini-magick
Version: 3.8.1-1+deb8u1
CVE ID : CVE-2019-13574
Debian Bug : 931932


In lib/mini_magick/image.rb in ruby-mini-magick, a fetched remote
image filename could cause remote command execution because Image.open
input is directly passed to Kernel#open, which accepts a '|' character
followed by a command.

For Debian 8 "Jessie", this problem has been fixed in version
3.8.1-1+deb8u1.

We recommend that you upgrade your ruby-mini-magick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl2bHiYACgkQhj1N8u2c
KO9suw//QH6KVmBZ2JpUUEWpvscKkGdKwf7/HClsm819enQ2gC9ntVwzArSVNtHO
QW0lTlPU+akocop3qqZPS1YJsCmHECLT2soGdtAitUTpPleU7lVNdvcCrHznYybl
2dnQTINRoRlN0GWwjtez/HqdmfOUnIRDjcax7FzvnagCHn/ivh36uZWvffDRMqIK
wnS0Oks3LMYmgfQIADKrn3hpS5vin24PbhZawjxLocFfixpt6gOoba4GxKTBgwGh
tVKgYB7xiOpDdaUOQs8jtrG96xhRcPFE+BfSwVxh3dnmdMDCSvGgRRf7w1Hs0BfC
RLZcGip7XsMaUJf1z9i8RS/hLxo+eOJ619e+R6oUE1F/aJrfAKQn9oAmtLjbHz6Z
PeXeSHA7Md8Z+6aupjAUrPzIGXxPGxatVZCl/oPxOPwoeusKHXmyLJwH2GQBmKcW
wVg5eLfUV7O2s7d3286dQEW1KexeBMAvf79XrysoxCHCGqfoRSUjcJefufJgWhp+
M+un4ZKfWFWZmV9FiIgNQD2M8ygAD+VkzBLDRyAK8njVmMZmfPnKwAoDsIrSPRpd
5VXEo355OWDTrJVF+liVogere0Xf8w/TzdrF/hXL7A67TL2L7bahhKoU9lFHUL5X
7II6KtzI7MiBAmwF3ykvgcQYfWkyPX1F4kc3kYBTz23ASV33O+w=
=HnaL
-----END PGP SIGNATURE-----
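The DLA above describes the bug class behind CVE-2019-13574 in one sentence: a string meant to be a filename reaches Kernel#open, and Kernel#open treats a leading `|` as "run the rest as a shell command and give me its stdout". The following is an added example, not code from the advisory, from the ruby-mini-magick project, or from the Debian patch. It shows the vulnerable pattern next to a hardened replacement; the names `vulnerable_read`, `safe_read` and `make_sample_png`, and the temporary PNG-signature file it constructs as input, are this example's own assumptions and are not mini_magick's API.

```ruby
# Added example, not code from ruby-mini-magick or the Debian patch.
# Shows why passing an attacker-controlled "filename" to Kernel#open is
# command execution, and one hardened replacement. The names below
# (vulnerable_read, safe_read, make_sample_png) are this example's own.
require "tempfile"
require "uri"

# Pre-fix pattern: Kernel#open is Ruby's do-everything opener. If the string
# starts with "|", it is not a path at all; Ruby forks a shell, runs the rest
# as a command (IO.popen semantics) and returns the command's stdout.
def vulnerable_read(path)
  open(path, "rb") { |io| io.read }
end

# Hardened replacement:
#  * refuse anything starting with "|" so it can never reach a pipe-aware API;
#  * use File.open for local paths, which never interprets "|";
#  * only an explicit http(s) URL goes to open-uri, which speaks HTTP and
#    does not shell out (network fetches are not exercised in this example).
def safe_read(path_or_url)
  s = path_or_url.to_s
  raise ArgumentError, "pipe-prefixed input rejected: #{s.inspect}" if s.start_with?("|")

  uri = begin
    URI.parse(s)
  rescue URI::InvalidURIError
    nil
  end

  if uri && %w[http https].include?(uri.scheme)
    require "open-uri"
    uri.open("rb") { |io| io.read }
  else
    File.open(s, "rb") { |f| f.read }
  end
end

# Constructed sample input: a temp file holding only the 8-byte PNG signature,
# standing in for an avatar image on disk. Returns [path, tempfile]; the
# caller is responsible for tempfile.close! when done.
PNG_MAGIC = "\x89PNG\r\n\x1a\n".b

def make_sample_png
  t = Tempfile.new(["avatar", ".png"])
  t.binmode
  t.write(PNG_MAGIC)
  t.flush
  [t.path, t]
end

if __FILE__ == $PROGRAM_NAME
  path, tmp = make_sample_png
  puts "local file via File.open:   #{safe_read(path).bytesize} bytes"
  puts "local file via Kernel#open: #{vulnerable_read(path).bytesize} bytes"
  # The "filename" below is really a command; Kernel#open runs it.
  puts "pipe via Kernel#open:       #{vulnerable_read('|echo pwned').inspect}"
  begin
    safe_read("|echo pwned")
  rescue ArgumentError => e
    puts "pipe via safe_read:         rejected (#{e.message})"
  end
  tmp.close!
end
```

The check on the leading `|` is a belt-and-braces guard; the real fix is never handing untrusted strings to Kernel#open (or to IO.read, IO.foreach and friends, which share the same pipe behaviour) in the first place. Whether a string is a local path or a remote URL should be decided by the caller, and each case should go to an API that can only do that one thing.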



Accepted ruby-mini-magick 3.8.1-1+deb8u1 (source all) into oldoldstable

2019-10-07 Thread Utkarsh Gupta
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Sep 2019 22:56:54 +0530
Source: ruby-mini-magick
Binary: ruby-mini-magick
Architecture: source all
Version: 3.8.1-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Utkarsh Gupta 
Description:
 ruby-mini-magick - wrapper for ImageMagick with a small memory footprint
Closes: 931932
Changes:
 ruby-mini-magick (3.8.1-1+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Add patch to not allow remote shell execution.
 (Closes: #931932) (Fixes: CVE-2019-13574)
   * Add patch to remove PSD and disable TIFF from tests.
Checksums-Sha1:
 f63f8a5540f32700ac72da950f1d905e17b82fb9 2236 ruby-mini-magick_3.8.1-1+deb8u1.dsc
 1b4aca841e3d19779964b538c6d70ef64a420d25 219340 ruby-mini-magick_3.8.1.orig.tar.gz
 5a71843d1d93bc88482c6a0e7123278443cff311 6948 ruby-mini-magick_3.8.1-1+deb8u1.debian.tar.xz
 8c0c9f7895f73079039d9c7dbf4f8961ea23759b 14842 ruby-mini-magick_3.8.1-1+deb8u1_all.deb
Checksums-Sha256:
 ea54afb595edfccb27d5349d25c730e36812251ce4e499c4cc58a5a7c5ac620a 2236 ruby-mini-magick_3.8.1-1+deb8u1.dsc
 2c44e5d8a8d4cd1dbef15a1f67517c03d16081f916eb8612e35ebd942b4d6e1e 219340 ruby-mini-magick_3.8.1.orig.tar.gz
 bb12c0d01bdf23be003e62496daf7df70b7312eba79f7acd0dc0145670d2e44b 6948 ruby-mini-magick_3.8.1-1+deb8u1.debian.tar.xz
 28927ae989397b3d48fbd3cfd217195e6b442a8abf5eb909737b6b4601d31c05 14842 ruby-mini-magick_3.8.1-1+deb8u1_all.deb
Files:
 a7b296087b85d1d5699cecd4f2df7fe5 2236 ruby optional ruby-mini-magick_3.8.1-1+deb8u1.dsc
 14cc8c3dde8fa20cc4a79ebc2bd263bf 219340 ruby optional ruby-mini-magick_3.8.1.orig.tar.gz
 d15d821db3ed1fe89bad3f7bf6649837 6948 ruby optional ruby-mini-magick_3.8.1-1+deb8u1.debian.tar.xz
 ac9dfa96a1b572d8ec30da3cea58f83b 14842 ruby optional ruby-mini-magick_3.8.1-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAl2bDnEUHGFiaGlqaXRo
QGRlYmlhbi5vcmcACgkQhj1N8u2cKO93qQ//RUX8kfrtMeAmujSx7JTp8OZfMyDV
Gkp1f8Q8fmJixhsWW0Q7bliXfzbAqo3uEjdmWtMWEwlt+N1HxiDhCQSgxEK9zuzO
89i9BcvYfEVrWnCm+TLr1SboGwk5zgN70Uc6QAkJmEQ9M24r0TBwOqR19dJctvEI
LV7QmmeAzNv/5LZo+28rqEec7YLQZlV2TKKYIx3AZ8UoDrIteAsMhfICzyi/8uGQ
imtQGLTMquKS0iQPyW0dc0EMO5B0hwV4hVA8swkTCxmOjNkSkyrKX8CSqKLOgf5n
ZtkaEoKhsSNIfLJ1mKuedgGfVJtbukSKYDQxbYsUmanThV6WwVIUTqPkxcarK8Jz
xShCXykslvrmCgtle4t+GC7Uk+Q+9zdAAbqEZwHHTeXQmYO5CYZFgkrSjmQnIfms
7ls+HG01PiuJkYY8MIvAV//ONqYP4goGl5kPBovmDB/b+wTKcsHKhBLLG3Q9GGqr
KcPyNKJh0tm4Plw+uNV2D1e7v67f0d2OYvR++6KiVtFhxKdFIPCriyBXTNgUf4B8
UEPXtEYrSF8CsFy+P3qSJs+5OiQGUs4btDLVJCZ47lyF0+H+zjGdaOCajDdkcHTI
Wz6iFwaI5AqsziO3Lj5V4LmpHDanEfo605SjwW738cAeuRpUU+o4s/5qv306duqi
gcACELfZK/3+8bY=
=oeXS
-----END PGP SIGNATURE-----



Re: [SECURITY] [DLA 1942-1] phpbb3 security update

2019-10-07 Thread Holger Levsen
Hi Mike,

On Sun, Oct 06, 2019 at 10:14:23PM +, Mike Gabriel wrote:
> I tried another time, like described by Ben (a new DLA-1942-2), but the mail
> still has not arrived on the list.

I've now sent it for you. (mutt -H $file is what I've used for that.)

> I will be afk for the next couple of days, so I will not be able to look
> into this again after my VAC (I am sorry)!

enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
when you're back.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C





[SECURITY] [DLA 1942-2] phpbb3 regression update

2019-10-07 Thread Mike Gabriel
This is a follow-up to DLA-1942-1.

There was some confusion about the correct
fix for CVE-2019-13776.

The correct announcement for this DLA should have been:

Package: phpbb3
Version: 3.0.12-5+deb8u4
CVE ID : CVE-2019-13776 CVE-2019-16993

CVE-2019-16993

   In phpBB, includes/acp/acp_bbcodes.php had improper verification of a
   CSRF token on the BBCode page in the Administration Control Panel. An
   actual CSRF attack was possible if an attacker also managed to retrieve
   the session id of a reauthenticated administrator prior to targeting
   them.

CVE-2019-13776

   phpBB allowed the stealing of an Administration Control Panel session id
   by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking
   lead to stored XSS.

For Debian 8 "Jessie", these problems have been fixed in version
3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-10-07 Thread Holger Levsen
hi,

today I unclaimed for LTS:

-xtrlock (Chris Lamb)

and nothing for eLTS.


-- 
tschau,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

