[SECURITY] [DLA 2680-1] nginx security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2680-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Markus Koschany
June 07, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nginx
Version        : 1.10.3-1+deb9u7
CVE ID         : CVE-2017-20005

Jamie Landeg-Jones and Manfred Paul discovered a buffer overflow vulnerability in NGINX, a small, powerful, scalable web/proxy server. NGINX has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.

For Debian 9 stretch, this problem has been fixed in version 1.10.3-1+deb9u7.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
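As an added illustration of the year-width assumption behind the bug class the advisory describes (this is not nginx's code: the "dd-Mon-yyyy hh:mm" column layout, its buffer size and the function names are constructed for this example), the C program below measures how long an unchecked date column would become for a given mtime, beside a formatter that rejects years outside four digits and bounds its write:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Added illustration of the bug class named in the advisory above. It is
 * not nginx's code: the "dd-Mon-yyyy hh:mm" column layout, its width and
 * the function names are constructed for this example. A directory listing
 * writes each file's modification time into a fixed-width column, and the
 * column (and any buffer sized from it) assumes the year has exactly four
 * digits. A timestamp that decodes to a five-digit year, including a
 * pre-1970 mtime that a faulty conversion turns into a far-future year,
 * needs more room than that.
 */
#define DATE_WIDTH 17                 /* strlen("07-Jun-2021 21:02") */
#define DATE_BUF   (DATE_WIDTH + 1)   /* plus the terminating NUL */

static const char *const month_name[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Break mtime down as UTC. gmtime() is standard C; its result is copied
 * out immediately so the caller does not keep the shared static buffer. */
static int to_utc(time_t mtime, struct tm *out)
{
    struct tm *p = gmtime(&mtime);
    if (p == NULL)
        return -1;
    *out = *p;
    return 0;
}

/*
 * Length that an unchecked "%02d-%s-%d %02d:%02d" formatter would emit.
 * snprintf(NULL, 0, ...) measures without writing, so this shows when a
 * DATE_BUF-sized buffer would have been overrun, without overrunning one.
 * Returns -1 if the time cannot be broken down.
 */
int unchecked_date_length(time_t mtime)
{
    struct tm tm;
    if (to_utc(mtime, &tm) != 0)
        return -1;
    return snprintf(NULL, 0, "%02d-%s-%d %02d:%02d",
                    tm.tm_mday, month_name[tm.tm_mon], tm.tm_year + 1900,
                    tm.tm_hour, tm.tm_min);
}

/*
 * Hardened formatter: rejects years that do not fit a four-digit column
 * and never writes past out_len. Returns 0 on success, -1 otherwise; on
 * failure out[] is left as an empty string.
 */
int format_mtime(time_t mtime, char *out, size_t out_len)
{
    struct tm tm;
    int year, n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (to_utc(mtime, &tm) != 0)
        return -1;

    year = tm.tm_year + 1900;
    if (year < 0 || year > 9999)          /* %04d then gives exactly 4 digits */
        return -1;

    n = snprintf(out, out_len, "%02d-%s-%04d %02d:%02d",
                 tm.tm_mday, month_name[tm.tm_mon], year,
                 tm.tm_hour, tm.tm_min);
    if (n < 0 || (size_t)n >= out_len) {  /* output would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience check: does the hardened formatter produce exactly `expected`? */
int formats_as(time_t mtime, const char *expected)
{
    char buf[DATE_BUF];
    return format_mtime(mtime, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample mtimes: the epoch, one second before it (a 1969
     * date), and the first second of year 10000. */
    const time_t samples[] = { 0, -1, (time_t)253402300800LL };
    char buf[DATE_BUF];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = unchecked_date_length(samples[i]);
        int rc  = format_mtime(samples[i], buf, sizeof buf);
        printf("mtime=%lld unchecked length=%d fits DATE_BUF=%s hardened=%s\n",
               (long long)samples[i], len,
               (len >= 0 && len < DATE_BUF) ? "yes" : "no",
               rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

With a correct calendar conversion a 1969 mtime simply formats as a four-digit year; the advisory's point is that a faulty conversion can turn such a date into a far-future year, which is the case the length measurement flags. The range check belongs before the write, not after it: once a fixed column has been overrun, truncating the result no longer helps.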
Accepted nginx 1.10.3-1+deb9u7 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 07 Jun 2021 21:02:34 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers
Changed-By: Markus Koschany
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-full - nginx web/proxy server (standard version)
 nginx-light - nginx web/proxy server (basic version)
Changes:
 nginx (1.10.3-1+deb9u7) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2017-20005:
     NGINX has a buffer overflow for years that exceed four digits, as
     demonstrated by a file with a modification date in 1969 that causes an
     integer overflow (or a false modification date far in the future), when
     encountered by the autoindex module.
Checksums-Sha1:
 c4a1be57445bedc50441e405ca089fafb6b3a9ca 4383 nginx_1.10.3-1+deb9u7.dsc
 8ba08b57b10b7fb7a96bf89ff8f2929f31d2994e 852708 nginx_1.10.3-1+deb9u7.debian.tar.xz
 bb07f14201c0f99d5f15579613572984f601d0b9 23014 nginx_1.10.3-1+deb9u7_amd64.buildinfo
Checksums-Sha256:
 2c139e6829665905fe6d244ba68d7fa971142716ea6693e2f09a6911eca67664 4383 nginx_1.10.3-1+deb9u7.dsc
 2aad2914bcdcb0d2821edbd81a10d813ff93d01674f5048e83a1e7d49292f473 852708 nginx_1.10.3-1+deb9u7.debian.tar.xz
 6bcd624fbb850845a35c714caddb0f5c2b692f3ff28f3a71fd44a8b6584f8890 23014 nginx_1.10.3-1+deb9u7_amd64.buildinfo
Files:
 ba793e608b76969ad6de1d97bd923833 4383 httpd optional nginx_1.10.3-1+deb9u7.dsc
 90d2ee925fb3b6c38a6e30329754cc90 852708 httpd optional nginx_1.10.3-1+deb9u7.debian.tar.xz
 0a2a76e60b8c83d71fe478ec8294205c 23014 httpd optional nginx_1.10.3-1+deb9u7_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmC+fDBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkfmMP/04hvDMJcwY6WWSrvhXyp7CbN7Ho/uNKukhn
Yc+FmWZDVp0onqANaYeczWCXZexjmo84Ts1Lr8BGbfvavK0M+/lYErtpPQQfPkl7
rkeKksATBQ8JImI6Ta5clQU+u5pE0Z5Jig/XOa44z3PVsXDAdz3IH+1FDXcI3pMM
6mNx9E+1Wo+CFR5hrPaGEOLmWe/goMWqLYs8Yr+NFOTKdrP6qFWhnvRYI5tsL3nl
MDMSYEz81MN2b+9OL0YnmlYylA06pJZ88QnkCL/7rYDOlNNf8sCQLl1SiYxi4gvR
KCZQAj63wlBihLva8cxGim4h6xBLKkm/hmYKDTymUxYDCrFO0Iq/3wNvd/I4noGF
9h83b9h4zFMzDtKnhftCGzzRJKgbONrlLWlES8Gv9h6dWLshUHq5XWx8Q/emZYgm
dAb0UgVeQV/fihztLYxcjYL4dSZb8mwtTJqpQQv9LuTsTkaj6zTqo6GYyxj5ZOO+
Z3VJ1G2m4xnF0I1A1k6ZsqjxPvrXsAsxSmVxszqeB9fg1ZnA2j/AyBfg8DFC0kmb
dpWtY/snEzYe2AImSxvH5kOND7LXk/FvTZjTeQJ4aXh1LpaRNXuT3YF+vY8EHpUf
vHqzWdgqM72BqK6JoNcO/pd7eX9wl5AU1dFz6bYkMpnO5kZZga6dPLxUr0W0vhEL
uVPTVeP9
=7KmD
-----END PGP SIGNATURE-----
(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
moining,

today two packages were unclaimed for LTS:

- ceph (Emilio)
- thunderbird (Emilio)

and two for ELTS:

- ceph (Emilio)
- openjdk-7 (Emilio)

Nobody claimed 4 packages or more.

Two DLAs have been reserved and haven't been published yet:

- DLA 2678-1 (06 Jun 2021) (ruby-nokogiri)
- DLA 2676-1 (05 Jun 2021) (python-django)

Nice, no one claimed 4 packages or more.

Have a good week!

--
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
[SECURITY] [DLA 2679-1] thunderbird security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2679-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                  Emilio Pozuelo Monfort
June 07, 2021                                 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : thunderbird
Version        : 1:78.11.0-1~deb9u1
CVE ID         : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In addition, two security issues were addressed in the OpenPGP support.

For Debian 9 stretch, these problems have been fixed in version 1:78.11.0-1~deb9u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmC94iwACgkQnUbEiOQ2
gwLfGg//bdym2Z7tUoSC/JX0bqGlj4zB+nJaUzD0BgewQ0ZkWXyxKnGBSUsv5GwZ
atpgFatar6LgGDvlZp5dCFEivJGVWJDETSGBDxxYaFFG4lVHYe8kNMjN8dyWnw+E
X1B9VXG92VIiPkcCM4AU8xJlBki895T8AYWbXEmVt4kzKhPxWohzetL+F34jyV1y
CRHmMjxy7spxzSiZ13s5mjTAq4JE2qVIyzdZyBT9kuDDGaXGN/Ntq+fRPlEvo3kY
00eG7zrLvmoqM09hxEgzDoUbOVaWt0IQI2CpdeAn0c2V/eljMBnrJpCmluQtX2jc
5mnzdz9sSWidYGp1yPYMDld+cQiGtQgMnFmjSQeWNyVIxFCM/PkA4VJbJTI4+a/G
aXZby2CAD8/iqDJ7JwyGCfvRDR8cHKluMfQON0EzXIHUS1gaaVYeUtxREzRFcIKy
Z9fyW3a8tWRsAFta7fkB1eXH/vY6An0C3xzpDFXTWi6L4vkCbL3LNcuvNxOPUQm8
yDsX8r5GWV4Ewbr8o47HVwr1G8LygQRS4faRAaX+zh6RNME/e+O48jXw9PAlq0yb
bob2O1gJFuzwoL+NY+vKxhC+3g+Sd8GNxTCu9k6ZZyIXb2iLdBdNHKDSzrepzNfe
M7X6aN2XY6pb6NSVWWse+JUeXMJS/u4EofYVCJOCzYtVYTS3rIw=
=QZuX
-----END PGP SIGNATURE-----
Accepted thunderbird 1:78.11.0-1~deb9u1 (source) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Jun 2021 21:51:27 +0200
Source: thunderbird
Architecture: source
Version: 1:78.11.0-1~deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Carsten Schoenert
Changed-By: Emilio Pozuelo Monfort
Changes:
 thunderbird (1:78.11.0-1~deb9u1) stretch-security; urgency=medium
 .
   * Backport to stretch.
Checksums-Sha1:
 951ecd21f846b4e7511e2e4b23214c90c9c63c07 19430 thunderbird_78.11.0-1~deb9u1.dsc
 9797e3168a679e134ee6bf3c7d181e4b05be4128 714616 thunderbird_78.11.0-1~deb9u1.debian.tar.xz
 5432b849cabf555c3e1b7cea52e9c5f487289fb3 7704 thunderbird_78.11.0-1~deb9u1_source.buildinfo
Checksums-Sha256:
 aa30f269d4f6783c95e50d148eecc3ab97b75f15795e4141f94bcedfa9c92764 19430 thunderbird_78.11.0-1~deb9u1.dsc
 c627d2cff2831d818d101142732e8d6188611db1414ec903618f21388d990c38 714616 thunderbird_78.11.0-1~deb9u1.debian.tar.xz
 5355b176549d76a8b1564130bfe404648a1ba928dbdcab2151a7189597e28116 7704 thunderbird_78.11.0-1~deb9u1_source.buildinfo
Files:
 2e0c742269d0c6d06d6c735215414075 19430 mail optional thunderbird_78.11.0-1~deb9u1.dsc
 d1850172d49b1d5ddbdc3a5cd688cbbb 714616 mail optional thunderbird_78.11.0-1~deb9u1.debian.tar.xz
 7cd19fd8673c8df148599b6811279b5f 7704 mail optional thunderbird_78.11.0-1~deb9u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmC9yOMACgkQnUbEiOQ2
gwJlUBAAxG4lt2QYDMRgqNCqh9ZoECOzrqUn7J+YCAA+j8/B1fIaA5Thuu9Vo2wD
uSDlsZu41kpJZlrfRf27YZawbcUtE7bqA6WnFVUN3Gh99PBfQfk16UVIHwpX2Kzc
iBxngWD7dTCZikEM7qn+UqCBmx4mfhe+bE+GsiUHpx98ot3IwMU6VrSxBsxlwYuE
D62h5vb7PQmoar4SD4qjVn/nNS5XekZfH5wYRFK2JabfbfkbPGsI/mlloOGgYJvq
RXKTdK77yTtHjMWEdckNpKlDdQAQKaOCFFbEkeu3xy4E2CizD+VNGjB1gwOOXLbl
nm2/hrAwbABU2BoeXnNtNrAz1WKf68yfaXKZxcsIixonSIxDF3EjuW/ZK01wlfnZ
5wQbaErKNU5WBo1fdxO1zcDfxyfJuCcb55zNfRwUnRPBRWW2hL+vfd4mlNr6ntkK
+hrLuS2HFATR1/yCSiMZ+9Slc32KAXVRag7OGYtHWMvxNkktbuvWlXQBAEbdE75h
TM5jjQNfHc6m8J3a43wyc4Jp6LSEFvH+HVaV3Z+tU8wkot0flunjZ09aQ78jP1pR
qKQ8QgCY8tm+IfNRSDqyFhV15ISNARi+s+ipccp3X0JBSUgPMtVCaSzQL2AVKvX8
KCRlEhyEHw0PM4kkjRvMgapFSLocP5CccaasnoSXmQSR2nkczgs=
=UnfR
-----END PGP SIGNATURE-----
Re: libxstream-java blacklist EOL?
On 02/06/2021 14:24, Markus Koschany wrote:
> Hi Emilio,
>
> On Wednesday, 02.06.2021, 12:26 +0200, Emilio Pozuelo Monfort wrote:
>> I think it is time we declare the block list unsupported, asking users to
>> switch to the allow list. Thoughts?
>
> I believe it is sensible to switch to the whitelist by default after we
> have tested the reverse-dependencies. This is quite similar to
> jackson-databind.

Ack. I added this to [de]la-needed. Indeed some testing and/or code inspection on the rdeps will be needed.

Cheers,
Emilio
Re: [SECURITY] [DLA 2677-1] libwebp security update
On Sun, Jun 06, 2021 at 08:38:17PM +0200, Anton Gladky wrote:
> Multiple security issues have been discovered in libwebp

I always liked the idea of putting what a package really is used for / does in the security advisories. Something like:

  Lossy compression of digital photographic images support library.