Bug#893828: nmu: unintended ruby dependencies
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Some packages built from the libprelude and redland-bindings sources have gained spurious dependencies on ruby due to #892131. They should be rebuilt with gem2deb 0.38.1, which on some architectures is not yet available.

nmu libprelude_4.1.0-4 . ANY . unstable . -m "Rebuild with fixed gem2deb (see #892131)."
dw libprelude_4.1.0-4 . ANY . -m 'gem2deb (>= 0.38.1)'
nmu redland-bindings_1.0.17.1+dfsg-1.3 . ANY -alpha -hppa -hurd-i386 -kfreebsd-amd64 -kfreebsd-i386 -mipsel -powerpcspe . unstable . -m "Rebuild with fixed gem2deb (see #892131)."
dw redland-bindings_1.0.17.1+dfsg-1.3 . ANY . -m 'gem2deb (>= 0.38.1)'
Bug#890791: stretch-pu: package dpkg/1.18.25
Hi,

2018-03-20 7:33 GMT+01:00 Karsten Merker:
> On Wed, Feb 28, 2018 at 06:45:49PM +, Adam D. Barratt wrote:
>>
>> We've been discussing this amongst the SRMs and are quite wary of a
>> dpkg update this close to the p-u freeze. We appreciate that the
>> changes individually seem self-contained but would like to have an
>> update of such a key package able to be tested more than is feasible in
>> the time available.
>> [...]
>> We understand that this is inconvenient for the riscv porters, so are
>> exploring whether it would be possible to have the dak support made
>> available via p-u after the upcoming point release.
>
> Hello,
>
> I wanted to kindly ask whether there are any news on this topic
> and whether there is anything that the RISC-V porters can do
> to help.

I pinged Guillem today, basically he's waiting for an ack of the .debdiff before uploading to proposed-updates.

Cheers.
--
Manuel A. Fernandez Montecelo
Bug#893804: Bug#893668: adminer: CVE-2018-7667
Hi Sébastien,

> Salvatore is mostly away till the end of the week, but he marked those
> no-dsa on the 21st, so I guess that would go toward s-p-u instead.

Thanks! I did not spot you had done that before my ping, so apologies for that. I've filed bugs against release.debian.org as #893803 and #893804 respectfully.

Regards,
--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu Dear stable release manager, Please consider adminer (3.3.3-1+deb8u1) for jessie: adminer (3.3.3-1+deb8u1) jessie; urgency=high * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated to arbitrary systems and ports which coul bypass external firewalls to identify internal hosts and/or perform port scanning of other servers. (Closes: #893668) The full diff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- commit 05a84a7afd8c8e059f9e08a9502417fa5f79e63d Author: Chris LambDate: Thu Mar 22 10:56:21 2018 -0400 CVE-2018-7667 diff --git a/debian/changelog b/debian/changelog index 9e044c6..d878f1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +adminer (3.3.3-1+deb8u1) jessie; urgency=high + + * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated +to arbitrary systems and ports which coul bypass external firewalls to +identify internal hosts and/or perform port scanning of other servers. +(Closes: #893668) + + -- Chris Lamb Tue, 20 Mar 2018 22:40:06 -0400 + adminer (3.3.3-1) unstable; urgency=low * Initial release (Closes: #658861) diff --git a/debian/patches/CVE-2018-7667.patch b/debian/patches/CVE-2018-7667.patch new file mode 100644 index 000..1d445a2 --- /dev/null +++ b/debian/patches/CVE-2018-7667.patch @@ -0,0 +1,13 @@ +--- pkg-adminer.orig/adminer/include/auth.inc.php pkg-adminer/adminer/include/auth.inc.php +@@ -90,6 +90,10 @@ if (isset($_GET["username"])) { + page_footer("auth"); + exit; + } ++ list($host, $port) = explode(":", SERVER, 2); ++ if (is_numeric($port) && $port < 1024) { ++ auth_error('Connecting to privileged ports is not allowed.'); ++ } + $connection = connect(); + } + if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) { 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e4d99c3 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2018-7667.patch
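Review bot: the new check in auth.inc.php only fires when SERVER contains a colon and the text after the first colon is numeric, so `list($host, $port) = explode(":", SERVER, 2)` leaves $port unset (with a PHP undefined-offset notice) for a bare hostname, and for an unbracketed IPv6 literal such as `::1:3306` the split lands on the first colon and $port is non-numeric; in both cases `auth_error(...)` is skipped and execution falls through to `connect()`. Consider a bracket-aware parse that yields exactly one numeric port or fails closed, and decide explicitly what a missing port means instead of relying on is_numeric() returning false. Also, the new debian/patches/CVE-2018-7667.patch carries no DEP-3 header (Description, Origin, Bug), which a CVE fix in debian/patches normally has.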
Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1
Package: release.debian.org Severity: normal Tags: stretch User: release.debian@packages.debian.org Usertags: pu Dear stable release manager, Please consider adminer (4.2.5-3+deb9u1) for stretch: adminer (4.2.5-3+deb9u1) stretch; urgency=high * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated to arbitrary systems and ports which coul bypass external firewalls to identify internal hosts and/or perform port scanning of other servers. (Closes: #893668) The full diff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- commit f195f52274eef1cbea6c268c2b236bd299b7592c Author: Chris LambDate: Thu Mar 22 11:04:48 2018 -0400 CVE-2018-7667 diff --git a/debian/changelog b/debian/changelog index 47403b2..8445861 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +adminer (4.2.5-3+deb9u1) stretch; urgency=high + + * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated +to arbitrary systems and ports which coul bypass external firewalls to +identify internal hosts and/or perform port scanning of other servers. +(Closes: #893668) + + -- Chris Lamb Tue, 20 Mar 2018 22:40:06 -0400 + adminer (4.2.5-3) unstable; urgency=medium * Move mysql-server to default-mysql-server due to diff --git a/debian/patches/CVE-2018-7667.patch b/debian/patches/CVE-2018-7667.patch new file mode 100644 index 000..1d445a2 --- /dev/null +++ b/debian/patches/CVE-2018-7667.patch @@ -0,0 +1,13 @@ +--- pkg-adminer.orig/adminer/include/auth.inc.php pkg-adminer/adminer/include/auth.inc.php +@@ -90,6 +90,10 @@ if (isset($_GET["username"])) { + page_footer("auth"); + exit; + } ++ list($host, $port) = explode(":", SERVER, 2); ++ if (is_numeric($port) && $port < 1024) { ++ auth_error('Connecting to privileged ports is not allowed.'); ++ } + $connection = connect(); + } + if (is_string($connection) || !$adminer->login($_GET["username"], get_session("pwds"))) { 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e4d99c3 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2018-7667.patch
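Review bot: this is the same hunk as the jessie upload, so the same gaps apply: `list($host, $port) = explode(":", SERVER, 2)` yields an unset $port (PHP notice) when SERVER has no colon and a non-numeric $port for an unbracketed IPv6 literal, and either way `is_numeric($port)` is false, the `auth_error('Connecting to privileged ports is not allowed.')` branch is skipped and `$connection = connect()` runs. Parsing the address into host and port with a pattern that fails closed on anything other than one numeric port would make the guard hold for all inputs. The patch file also lacks a DEP-3 header (Description, Origin, Bug) documenting the fix.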
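The changelog entries in both uploads above describe Adminer accepting a user-supplied host:port for the database connection, and the patch's remedy is a single under-1024 port check. As an added example that is not Adminer's code and not part of either upload, the following PHP (7.1 or later, plain built-ins only) shows a stricter target validator for such a login form: it parses host:port and bracketed IPv6 literals, requires an explicit numeric port, applies the same privileged-port rule, and additionally rejects hosts outside an operator-configured allowlist. The allowlist, the function names and the sample addresses are assumptions for illustration, not anything the page specifies.

```php
<?php
// Added example (not Adminer's code): a stricter "host:port" validator
// for a database-login form. Hypothetical names throughout; the allowlist
// and sample addresses are constructed for this illustration.

/**
 * Split "host:port" or "[v6addr]:port" into [host, port], or return null
 * when the string does not contain exactly one well-formed port.
 */
function split_host_port(string $server): ?array
{
    // Bracketed IPv6 literal, e.g. "[::1]:3306"
    if (preg_match('/^\[([0-9a-fA-F:.]+)\]:(\d{1,5})$/', $server, $m)) {
        return [$m[1], (int)$m[2]];
    }
    // Hostname or IPv4, e.g. "db.example.internal:3306"
    if (preg_match('/^([A-Za-z0-9.-]+):(\d{1,5})$/', $server, $m)) {
        return [$m[1], (int)$m[2]];
    }
    // No port, extra colons, or an unbracketed IPv6 literal: fail closed.
    return null;
}

/**
 * Return null when the target is acceptable, otherwise a short reason.
 * $allowed_hosts is the operator-configured allowlist (hypothetical).
 */
function check_db_target(string $server, array $allowed_hosts): ?string
{
    $parts = split_host_port($server);
    if ($parts === null) {
        return 'Malformed server address; use host:port or [ipv6]:port.';
    }
    [$host, $port] = $parts;
    if ($port < 1 || $port > 65535) {
        return 'Port out of range.';
    }
    // Same rule as the Debian patch, but now reached for every input shape.
    if ($port < 1024) {
        return 'Connecting to privileged ports is not allowed.';
    }
    $allowed = array_map('strtolower', $allowed_hosts);
    if (!in_array(strtolower($host), $allowed, true)) {
        return 'Host is not in the allowlist.';
    }
    return null;
}

// Constructed sample inputs, as an operator-side self-check.
$allowed = ['db.example.internal', '::1'];
foreach ([
    'db.example.internal:3306',  // accepted
    '[::1]:5432',                // accepted (bracketed IPv6)
    'db.example.internal',       // rejected: no explicit port
    '::1:3306',                  // rejected: unbracketed IPv6 is ambiguous
    'db.example.internal:22',    // rejected: privileged port
    'other.host:3306',           // rejected: not allowlisted
] as $candidate) {
    $reason = check_db_target($candidate, $allowed);
    printf("%-28s %s\n", $candidate, $reason ?? 'OK');
}
```

The validator fails closed: anything that does not parse into one host and one numeric port is refused before any port comparison, which is the property the single-line check in the patch does not have. The allowlist goes beyond the page's fix; an operator who cannot enumerate database hosts can drop that step and keep the parsing and port rules.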
Processed: retitle 893765 to transition: ruby2.3 removal
Processing commands for cont...@bugs.debian.org:

> retitle 893765 transition: ruby2.3 removal
Bug #893765 [release.debian.org] transition: ruby2.3
Changed Bug title to 'transition: ruby2.3 removal' from 'transition: ruby2.3'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
893765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems