(E)LTS report for April 2021
hi,

in April 2021 I spent 10h managing (E)LTS contributors:

- dispatch work hours for LTS and ELTS
- prepare the monthly Freexian blog post published on raphaelhertzog.com
- participate in the monthly team meeting on jitsi
- mail and irc communication, incl.
- semi-automatic unclaim packages
- too many claimed packages
- missing DLAs on www.d.o
- onboarding Lynoure, explaining my work
- onboarding Lee
- front desk workflows

--
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: bind9 security update
Hi Anton,

On Wed, May 5, 2021 at 12:51 AM Anton Gladky wrote:
> I have added autopkgtest to the stretch-version of bind9 [1].
> And the pipelines passed [2].

Perfect, it matches what I have here.

Thanks, I'll add them with the next update.

- u
[SECURITY] [DLA 2650-1] exim4 security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2650-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
May 05, 2021                                  https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : exim4
Version        : 4.89-2+deb9u8
CVE ID         : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28011
                 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014 CVE-2020-28015
                 CVE-2020-28017 CVE-2020-28019 CVE-2020-28020 CVE-2020-28021
                 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025
                 CVE-2020-28026

The Qualys Research Labs reported several vulnerabilities in Exim, a mail
transport agent, which could result in local privilege escalation and
remote code execution. Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt

For Debian 9 stretch, these problems have been fixed in version
4.89-2+deb9u8.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/exim4

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
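The only action the advisory asks of an administrator is to get every stretch host to 4.89-2+deb9u8 or later. Deciding "or later" correctly needs dpkg's version ordering, not a string or float comparison: `deb9u10` sorts after `deb9u8`, a `~` build sorts before the release it is named after, and an epoch overrides everything that follows it. The following is an added example, not part of the DLA and not Debian's or dpkg's code: an independent Python re-implementation of dpkg's ordering rules, applied to a constructed inventory of host-to-version mappings (all versions other than the fixed one are hypothetical, chosen to exercise those rules). On a Debian host `dpkg --compare-versions` is the authoritative implementation; this is for checking an inventory export somewhere dpkg is not installed.

```python
"""Check exim4 versions from an inventory against the DLA-2650-1 fix.

Added example: an independent re-implementation of dpkg's version ordering
(epoch, upstream version, Debian revision). Not dpkg's own code.
"""
from typing import Dict, List, Tuple

FIXED_STRETCH = "4.89-2+deb9u8"  # fixed version named in DLA-2650-1

# Constructed inventory (host -> reported exim4 version). Every version
# except the fixed one is hypothetical and only there to exercise a rule.
INVENTORY: Dict[str, str] = {
    "mx1": "4.89-2+deb9u7",         # one update behind: vulnerable
    "mx2": "4.89-2+deb9u8",         # exactly the fixed version
    "mx3": "4.89-2+deb9u10",        # later update: 10 > 8 numerically
    "mx4": "4.89-2+deb9u8~bpo9+1",  # '~' build sorts BEFORE deb9u8
    "mx5": "1:4.80-7",              # epoch 1 wins over any epoch-0 version
}


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit comparison step."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end-of-string
    return ord(c) + 256      # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Runs of non-digit characters are compared by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Runs of digits are compared numerically (leading zeros ignored).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a has more digits left, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:              # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare(v1: str, v2: str) -> int:
    """Negative if v1 < v2, zero if equal, positive if v1 > v2."""
    e1, u1, r1 = parse(v1)
    e2, u2, r2 = parse(v2)
    if e1 != e2:
        return e1 - e2
    c = _verrevcmp(u1, u2)
    if c != 0:
        return c
    return _verrevcmp(r1, r2)


def is_fixed(installed: str, fixed: str = FIXED_STRETCH) -> bool:
    """True when the installed version is the fixed one or sorts after it."""
    return compare(installed, fixed) >= 0


def vulnerable_hosts(inventory: Dict[str, str], fixed: str = FIXED_STRETCH) -> List[str]:
    """Hosts whose reported version still sorts below the fixed version."""
    return sorted(h for h, v in inventory.items() if not is_fixed(v, fixed))


if __name__ == "__main__":
    for host in vulnerable_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} is below {FIXED_STRETCH}")
```

To populate a real inventory, collect `dpkg-query -W -f='${Version}\n' exim4-base` from each stretch host (exim4-base is one of the binaries listed in the accepted upload). The comparison is only meaningful within one suite: a buster host reporting a 4.92-based version sorts above 4.89-2+deb9u8 but says nothing about whether it carries the 21nails fixes; for that, consult the security tracker page the advisory links.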
Accepted exim4 4.89-2+deb9u8 (source amd64 all) into oldstable
Format: 1.8
Date: Tue, 04 May 2021 11:03:02 +0200
Source: exim4
Binary: exim4-base exim4-config exim4-daemon-light exim4 exim4-daemon-heavy eximon4 exim4-dbg exim4-daemon-light-dbg exim4-daemon-heavy-dbg exim4-dev
Architecture: source amd64 all
Version: 4.89-2+deb9u8
Distribution: stretch-security
Urgency: high
Maintainer: Exim4 Maintainers
Changed-By: Thorsten Alteholz
Description:
 exim4      - metapackage to ease Exim MTA (v4) installation
 exim4-base - support files for all Exim MTA (v4) packages
 exim4-config - configuration for the Exim MTA (v4)
 exim4-daemon-heavy - Exim MTA (v4) daemon with extended features, including exiscan-ac
 exim4-daemon-heavy-dbg - debugging symbols for the Exim MTA "heavy" daemon
 exim4-daemon-light - lightweight Exim MTA (v4) daemon
 exim4-daemon-light-dbg - debugging symbols for the Exim MTA "light" daemon
 exim4-dbg  - debugging symbols for the Exim MTA (utilities)
 exim4-dev  - header files for the Exim MTA (v4) packages
 eximon4    - monitor application for the Exim MTA (v4) (X11 interface)
Changes:
 exim4 (4.89-2+deb9u8) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Fix several security vulnerabilities reported by Qualys and add related
     robustness improvements. (Originally fixed in upstream release 4.94.3
     and in upstream GIT branch exim-4.92.3+fixes.) (Special thanks to Heiko)
     + CVE-2020-28007: Link attack in Exim's log directory
     + CVE-2020-28008: Assorted attacks in Exim's spool directory
     + CVE-2020-28009: Integer overflow in get_stdinput()
     + CVE-2020-28011: Heap buffer overflow in queue_run()
     + CVE-2020-28012: Missing close-on-exec flag for privileged pipe
     + CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
     + CVE-2020-28014, CVE-2021-27216: Arbitrary PID file creation,
       clobbering, and deletion.
     + CVE-2020-28015 and CVE-2020-28021: New-line injection into spool
       header file.
     + CVE-2020-28017: Integer overflow in receive_add_recipient()
     + CVE-2020-28019: Failure to reset function pointer after BDAT error
     + CVE-2020-28020: More checks on header line length during reception
     + CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
     + CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
     + CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
     + CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()
     + CVE-2020-28026: Line truncation and injection in spool_read_header()
Checksums-Sha1:
 19359cd5cb64ec5108d56bab4959a1da709c1194 2977 exim4_4.89-2+deb9u8.dsc
 75c4008100f313dfca73a1050e8ca59c7ee1dcf4 1686652 exim4_4.89.orig.tar.xz
 6dbd309a990d5542eba98622d06c60c47d083305 470624 exim4_4.89-2+deb9u8.debian.tar.xz
 4f0a702d7168bdcc2a0a1dcbb4ee429737d5 1094310 exim4-base_4.89-2+deb9u8_amd64.deb
 296c123fc768ee0fd5ee1751fe69bb67e21f9e17 377496 exim4-config_4.89-2+deb9u8_all.deb
 6dcfc2fa2171e6038ea0fafa19ffb49bd579b7ca 2090454 exim4-daemon-heavy-dbg_4.89-2+deb9u8_amd64.deb
 4eda00db9a3fe2f3c30ef1a466270f22ddd4075d 596778 exim4-daemon-heavy_4.89-2+deb9u8_amd64.deb
 7b2742b5b306559a8cc01846f7653d144aa7cb75 1795492 exim4-daemon-light-dbg_4.89-2+deb9u8_amd64.deb
 c3aa118475baea466bb7c53a37d3adfa6c0b401d 545892 exim4-daemon-light_4.89-2+deb9u8_amd64.deb
 3118ccd83b8162031533b1d576793dc7a1df15df 618496 exim4-dbg_4.89-2+deb9u8_amd64.deb
 186e812313b2832df07954bbc9502b3eeb48f5be 99780 exim4-dev_4.89-2+deb9u8_amd64.deb
 5046ab8f38b61aa8c1cf30305ae9fac9eccb19f4 7868 exim4_4.89-2+deb9u8_all.deb
 5486e07609053e4072e197e24633602b6136c26f 11509 exim4_4.89-2+deb9u8_amd64.buildinfo
 754c024dfba3e250410612c31986a1fabe6b4d2c 130216 eximon4_4.89-2+deb9u8_amd64.deb
Checksums-Sha256:
 c30fd2bed49dcd00b5bdbf3e57ea42467e2a13606464bf20b750dca34ea4f3d4 2977 exim4_4.89-2+deb9u8.dsc
 0c490a1ca97bbb22d6079d2896de19af48ac3af109ea5f307dbc6b49c66e9626 1686652 exim4_4.89.orig.tar.xz
 61f4f8d494d3d937cd1f741598c860936a62d325c7686be40b0e4ef30c23f3ca 470624 exim4_4.89-2+deb9u8.debian.tar.xz
 d959f0819ac4a17e71df51adfca8e007fda3c613a73bbc7fffdcffa7282eca66 1094310 exim4-base_4.89-2+deb9u8_amd64.deb
 b8f8d706e96918e8bf0621219da70334f4fd47624ce572b2fdb7f52e00a49967 377496 exim4-config_4.89-2+deb9u8_all.deb
 9693029b739b3248db2fd14a45f27484bb684726e6c6c08248b20a45d5093614 2090454 exim4-daemon-heavy-dbg_4.89-2+deb9u8_amd64.deb
 b0a18d895f64401dbba0d5d3c00f0e2bc8c539c5ac2376af94fc955b5ee41b7c 596778 exim4-daemon-heavy_4.89-2+deb9u8_amd64.deb
 f2a35d9441d2ac934cd5414aabfbe19c3f4a8acf87140eaddf06e558551c4924 1795492 exim4-daemon-light-dbg_4.89-2+deb9u8_amd64.deb
 bccc83d8b9df4e52b68bad3df02d6bb67078196f17e7e6d23170f0846aa65d90 545892 exim4-daemon-light_4.89-2+deb9u8_amd64.deb
 06d77709a0dcad836fba556453cc0d5580957b6b776894f5ca5049c8ec9fea6c 618496 exim4-dbg_4.89-2+deb9u8_amd64.deb
 1c8c2ffaf03670ab03a49b498d1328b025a2556de4bf7ec44c5298543ea65eb1 99780