Re: Wheezy update of libsys-syslog-perl?

2016-08-03 Thread Jonas Meurer
Dear LTS team,

On 03.08.2016 at 01:15, Jonas Meurer wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libsys-syslog-perl:
> https://security-tracker.debian.org/tracker/CVE-2016-1238
> [...]
>
> PPS: Dominic Hargreaves of the pkg-perl team already uploaded a fixed
> libsys-syslog-perl 0.33 to jessie-security. The fix is simple and can be
> overtaken for 0.29 in wheezy. I have already prepared packages. So if
> you don't object, I could do the upload.

Please find the changes file and debdiff for libsys-syslog-perl
0.29-1+deb7u1 attached to this mail. This is going to be my first upload
on behalf of the LTS team, so a quick review by more experienced team
members would be awesome.

The patch itself is pretty straightforward and already applied to
libsys-syslog-perl in Jessie, so I don't expect any problems. Still, a
review would be appreciated, especially regarding things to consider
when uploading to wheezy-security.

I certainly tested the upgrade and basic functionality of the built package
in a Wheezy LTS VM.

Cheers,
 jonas

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 03 Aug 2016 01:47:54 +0200
Source: libsys-syslog-perl
Binary: libsys-syslog-perl
Architecture: source amd64
Version: 0.29-1+deb7u1
Distribution: wheezy-stable
Urgency: high
Maintainer: Debian Perl Group 
Changed-By: Jonas Meurer 
Description:
 libsys-syslog-perl - Perl interface to the UNIX syslog(3) calls
Changes:
 libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-1238: unsafe module load path flaw.
Checksums-Sha1:
 82ae6f5af77a187e3e517cdec289333f4297b85e 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 7b51fca449de2e0cd210d9af2621367cfc91a515 79657 libsys-syslog-perl_0.29.orig.tar.gz
 568e24519496797f0b19827c711010b7d8cc1b15 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 a7edf1f24f7bfa949f953c7756bc9ea1bd52e416 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Checksums-Sha256:
 612690f1b7e03a25ef72a8b10f1a535351b501acd1f0e29f728d1424e8bc91c7 2265 libsys-syslog-perl_0.29-1+deb7u1.dsc
 121f3cf22de99cb714bb9257fb9a3427c51d375d11d3552437305691075bb6a9 79657 libsys-syslog-perl_0.29.orig.tar.gz
 5a8475fc1aa4df0f49ecc59ce5ac1e6aba47c1cc7d5c08a7e82e2af6e25b8277 5115 libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 c2f121f5d7dbf70abbb08e66a0991c43f009fff16627c6f1a5ee1b8c238b5e70 43780 libsys-syslog-perl_0.29-1+deb7u1_amd64.deb
Files:
 bd833b71e12b7605a79e61aad09d464b 2265 perl optional libsys-syslog-perl_0.29-1+deb7u1.dsc
 4c7aeb0a05e8dde2ab05a0b3be19d72c 79657 perl optional libsys-syslog-perl_0.29.orig.tar.gz
 cc88d1e630688cf11a6287fb0c850b57 5115 perl optional libsys-syslog-perl_0.29-1+deb7u1.debian.tar.gz
 da434337206d36ef799b45bcd10ff51d 43780 perl optional libsys-syslog-perl_0.29-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
diff -Nru libsys-syslog-perl-0.29/debian/changelog libsys-syslog-perl-0.29/debian/changelog
--- libsys-syslog-perl-0.29/debian/changelog	2011-04-19 19:36:38.0 +0200
+++ libsys-syslog-perl-0.29/debian/changelog	2016-08-03 01:47:54.0 +0200
@@ -1,3 +1,10 @@
+libsys-syslog-perl (0.29-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-1238: unsafe module load path flaw.
+
+ -- Jonas Meurer   Wed, 03 Aug 2016 01:47:54 +0200
+
 libsys-syslog-perl (0.29-1) unstable; urgency=low
 
   [ Jonathan Yu ]
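Review bot: the new changelog entry targets `wheezy-security`, while the .changes header earlier in this mail says `Distribution: wheezy-stable`; worth confirming that the upload target and the changelog agree before pushing to security-master. The entry itself is fine for a CVE fix; since the mail says the patch is taken over from Dominic Hargreaves' jessie-security upload, a short note to that effect in the `* Fix CVE-2016-1238` bullet would make the origin of the fix visible to anyone reading the changelog later.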
diff -Nru libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch
--- libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch	1970-01-01 01:00:00.0 +0100
+++ libsys-syslog-perl-0.29/debian/patches/CVE-2016-1238.patch	2016-08-03 01:41:36.0 +0200
@@ -0,0 +1,22 @@
+From: Jonas Meurer  (taken over from Dominic Hargreaves )
+Date: Wed, 03 Aug 2016 01:41:25 +0200
+Subject: [PATCH] Remove . from @INC when loading modules dynamically
+ [CVE-2016-1238]
+
+---
+ Syslog.pm | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Syslog.pm b/Syslog.pm
+index a68f817..d972134 100644
+--- a/Syslog.pm
 b/Syslog.pm
+@@ -859,6 +859,8 @@ sub sile
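Review bot: the inner diff is cut off right at its hunk header `+@@ -859,6 +859,8 @@ sub sile`, and the `+++ b/Syslog.pm` file line above it has lost its leading markers, so the two inserted lines that actually drop `.` from `@INC` are not visible in this mail and cannot be checked here; please resend the full debdiff or reference the jessie-security patch it was taken from. The DEP-3 header also carries only `From:`, `Date:` and `Subject:`; an `Origin:` line naming the jessie-security upload and a reference to https://security-tracker.debian.org/tracker/CVE-2016-1238 (already cited in the mail) would document where the fix comes from for future LTS work.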

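As an added illustration of the hardening the patch subject describes (dropping `.` from `@INC` before a module is loaded dynamically, the CVE-2016-1238 class of bug), here is a small Perl script of my own. It is not the Debian patch and not Sys::Syslog's code; the helper names `strip_cwd_from_inc`, `safe_require` and `inc_has_cwd` are my own choices, and the module names passed in the demo are just examples.

```perl
#!/usr/bin/perl
# Added example, not taken from the Debian patch or from Sys::Syslog.
# Shows the defensive pattern: never let a dynamic module load search the
# current working directory. Helper names below are my own.
use strict;
use warnings;

# Return a copy of a load path with the current directory entry removed.
# Older perls (before 5.26) put a literal '.' at the end of @INC, so a
# require/use of an optional module could pick up a same-named .pm file
# dropped into whatever directory the process happens to run in.
sub strip_cwd_from_inc {
    my @inc = @_;
    return grep { defined($_) && $_ ne '.' } @inc;
}

# Load an optional module without consulting the current working directory.
# 'local' scopes the change to this call, so the rest of the program keeps
# its normal @INC; returns 1 on success, 0 if the module is not installed.
sub safe_require {
    my ($module) = @_;
    local @INC = strip_cwd_from_inc(@INC);
    (my $file = "$module.pm") =~ s{::}{/}g;   # Foo::Bar -> Foo/Bar.pm
    my $ok = eval { require $file; 1 };
    return $ok ? 1 : 0;
}

# Quick check for operators: does this interpreter still have '.' in @INC?
sub inc_has_cwd {
    return (grep { $_ eq '.' } @INC) ? 1 : 0;
}

# Unsafe counterpart, kept only to show the difference: it searches @INC
# unchanged, so on an affected perl it also looks in the current directory.
sub unsafe_require {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    return $ok ? 1 : 0;
}

if (!caller) {
    printf "current directory in \@INC: %s\n", inc_has_cwd() ? 'yes' : 'no';
    # Socket is a core module, so this succeeds from any directory.
    printf "Socket loaded safely: %s\n", safe_require('Socket') ? 'yes' : 'no';
    # A module that is not installed fails cleanly instead of being picked
    # up from the working directory.
    printf "Nonexistent::Module loaded safely: %s\n",
        safe_require('Nonexistent::Module') ? 'yes' : 'no';
}
```

Run it with `perl` from any directory; on a perl that still carries `.` in `@INC` the first line prints `yes`, which is exactly the condition the LTS patch guards against inside Sys::Syslog. The important design point is the `local @INC` assignment: it fixes the search path only for the duration of the dynamic load, which is what a library can do without changing the environment of the program that embeds it, whereas removing `.` globally is a decision for the interpreter or the calling application.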
Re: Wheezy update of libsys-syslog-perl?

2016-08-03 Thread Markus Koschany
Hello Jonas,

On 03.08.2016 18:18, Jonas Meurer wrote:
[...]
> Please find changes file and debdiff for libsys-syslog-perl
> 0.29-1+deb7u1 attached to this mail. This is going to be my first upload
> on behalf of the LTS team, so a quick review by more experienced team
> members would be awesome.
[...]

The patch looks good to me. However, I would suggest not publishing the
signed changes file because everyone could use it to upload the package now.

Regards,

Markus

Re: Wheezy update of libsys-syslog-perl?

2016-08-03 Thread Chris Lamb
> The patch looks good to me

Same here.


Regards,

-- 
Chris Lamb
chris-lamb.co.uk / @lolamby



Re: Wheezy update of libsys-syslog-perl?

2016-08-03 Thread Jonas Meurer
On 03.08.2016 at 18:47, Markus Koschany wrote:
> On 03.08.2016 18:18, Jonas Meurer wrote:
> [...]
>> Please find changes file and debdiff for libsys-syslog-perl
>> 0.29-1+deb7u1 attached to this mail. This is going to be my first upload
>> on behalf of the LTS team, so a quick review by more experienced team
>> members would be awesome.
> [...]
> 
> The patch looks good to me. However, I would suggest not publishing the
> signed changes file because everyone could use it to upload the package now.

Thanks Markus and Chris for the review. I just uploaded the package to
security-master and claimed a DLA ID for it.

And indeed, publishing signed changes files is not very smart. Sorry for
doing so, I've learned my lesson ;)

Cheers,
 jonas
