Bug#893828: nmu: unintended ruby dependencies

2018-03-22 Thread Sven Joachim
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

Some packages built from the libprelude and redland-bindings sources
have gained spurious dependencies on ruby due to #892131.  They should
be rebuilt with gem2deb 0.38.1, which on some architectures is not yet
available.


nmu libprelude_4.1.0-4 . ANY . unstable . -m "Rebuild with fixed gem2deb (see #892131)."
dw libprelude_4.1.0-4 . ANY . -m 'gem2deb (>= 0.38.1)'

nmu redland-bindings_1.0.17.1+dfsg-1.3 . ANY -alpha -hppa -hurd-i386 -kfreebsd-amd64 -kfreebsd-i386 -mipsel -powerpcspe . unstable . -m "Rebuild with fixed gem2deb (see #892131)."
dw redland-bindings_1.0.17.1+dfsg-1.3 . ANY . -m 'gem2deb (>= 0.38.1)'



Bug#890791: stretch-pu: package dpkg/1.18.25

2018-03-22 Thread Manuel A. Fernandez Montecelo
Hi,

2018-03-20 7:33 GMT+01:00 Karsten Merker :
> On Wed, Feb 28, 2018 at 06:45:49PM +, Adam D. Barratt wrote:
>>
>> We've been discussing this amongst the SRMs and are quite wary of a
>> dpkg update this close to the p-u freeze. We appreciate that the
>> changes individually seem self-contained but would like to have an
>> update of such a key package able to be tested more than is feasible in
>> the time available.
>> [...]
>> We understand that this is inconvenient for the riscv porters, so are
>> exploring whether it would be possible to have the dak support made
>> available via p-u after the upcoming point release.
>
> Hello,
>
> I wanted to kindly ask whether there are any news on this topic
> and whether there is anything that the RISC-V porters can do
> to help.

I pinged Guillem today, basically he's waiting for an ack of the
.debdiff before uploading to proposed-updates.


Cheers.
-- 
Manuel A. Fernandez Montecelo 



Bug#893804: Bug#893668: adminer: CVE-2018-7667

2018-03-22 Thread Chris Lamb
Hi Sébastien,

> Salvatore is mostly away till the end of the week, but he marked those
> no-dsa on the 21st, so I guess that would go toward s-p-u instead.

Thanks! I did not spot you had done that before my ping, so apologies
for that. I've filed bugs against release.debian.org as #893803 and
#893804 respectively.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#893804: jessie-pu: package adminer/3.3.3-1+deb8u1

2018-03-22 Thread Chris Lamb
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

Please consider adminer (3.3.3-1+deb8u1) for jessie:
  
  adminer (3.3.3-1+deb8u1) jessie; urgency=high
  
* CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
  to arbitrary systems and ports which could bypass external firewalls to
  identify internal hosts and/or perform port scanning of other servers.
  (Closes: #893668)


The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
commit 05a84a7afd8c8e059f9e08a9502417fa5f79e63d
Author: Chris Lamb 
Date:   Thu Mar 22 10:56:21 2018 -0400

CVE-2018-7667

diff --git a/debian/changelog b/debian/changelog
index 9e044c6..d878f1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+adminer (3.3.3-1+deb8u1) jessie; urgency=high
+
+  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+to arbitrary systems and ports which coul bypass external firewalls to
+identify internal hosts and/or perform port scanning of other servers.
+(Closes: #893668)
+
+ -- Chris Lamb   Tue, 20 Mar 2018 22:40:06 -0400
+
 adminer (3.3.3-1) unstable; urgency=low
 
   * Initial release (Closes: #658861)  
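Review bot: typo in the new changelog entry, "coul" on the second line of the bullet should read "could"; the entry is uploaded verbatim, so fix it before the upload. The bug reference (Closes: #893668) and the CVE id are otherwise correct.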
diff --git a/debian/patches/CVE-2018-7667.patch 
b/debian/patches/CVE-2018-7667.patch
new file mode 100644
index 000..1d445a2
--- /dev/null
+++ b/debian/patches/CVE-2018-7667.patch
@@ -0,0 +1,13 @@
+--- pkg-adminer.orig/adminer/include/auth.inc.php
 pkg-adminer/adminer/include/auth.inc.php
+@@ -90,6 +90,10 @@ if (isset($_GET["username"])) {
+   page_footer("auth");
+   exit;
+   }
++  list($host, $port) = explode(":", SERVER, 2);
++  if (is_numeric($port) && $port < 1024) {
++  auth_error('Connecting to privileged ports is not allowed.');
++  }
+   $connection = connect();
+ }
+ if (is_string($connection) || !$adminer->login($_GET["username"], 
get_session("pwds"))) {
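Review bot: the new patch file has no DEP-3 header (Description, Origin, Bug-Debian), so nothing in the patch itself says where the check comes from or that it is the fix for #893668 / CVE-2018-7667; please add one above the `---` line. Two points on the added lines: `list($host, $port) = explode(":", SERVER, 2);` leaves `$port` unset, with an undefined-offset notice, whenever SERVER contains no colon, so guarding with a count or `isset` check would be cleaner; and the guard only refuses ports below 1024, which the patch description should state explicitly so that the scope of the changelog's claim is clear.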
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e4d99c3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-7667.patch


Bug#893803: stretch-pu: package adminer/4.2.5-3+deb9u1

2018-03-22 Thread Chris Lamb
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear stable release manager,

Please consider adminer (4.2.5-3+deb9u1) for stretch:
  
  adminer (4.2.5-3+deb9u1) stretch; urgency=high
  
* CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
  to arbitrary systems and ports which could bypass external firewalls to
  identify internal hosts and/or perform port scanning of other servers.
  (Closes: #893668)


The full diff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
commit f195f52274eef1cbea6c268c2b236bd299b7592c
Author: Chris Lamb 
Date:   Thu Mar 22 11:04:48 2018 -0400

CVE-2018-7667

diff --git a/debian/changelog b/debian/changelog
index 47403b2..8445861 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+adminer (4.2.5-3+deb9u1) stretch; urgency=high
+
+  * CVE-2018-7667: Adminer allowed unauthenticated connections to be initiated
+to arbitrary systems and ports which coul bypass external firewalls to
+identify internal hosts and/or perform port scanning of other servers.
+(Closes: #893668)
+
+ -- Chris Lamb   Tue, 20 Mar 2018 22:40:06 -0400
+
 adminer (4.2.5-3) unstable; urgency=medium
 
   * Move mysql-server to default-mysql-server due to
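Review bot: the word "coul" in the bullet should be "could"; the same wording appears in the jessie changelog entry earlier in this digest, so correct both before uploading.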
diff --git a/debian/patches/CVE-2018-7667.patch 
b/debian/patches/CVE-2018-7667.patch
new file mode 100644
index 000..1d445a2
--- /dev/null
+++ b/debian/patches/CVE-2018-7667.patch
@@ -0,0 +1,13 @@
+--- pkg-adminer.orig/adminer/include/auth.inc.php
 pkg-adminer/adminer/include/auth.inc.php
+@@ -90,6 +90,10 @@ if (isset($_GET["username"])) {
+   page_footer("auth");
+   exit;
+   }
++  list($host, $port) = explode(":", SERVER, 2);
++  if (is_numeric($port) && $port < 1024) {
++  auth_error('Connecting to privileged ports is not allowed.');
++  }
+   $connection = connect();
+ }
+ if (is_string($connection) || !$adminer->login($_GET["username"], 
get_session("pwds"))) {
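Review bot: this patch file is the same blob as the jessie one (index 1d445a2) and likewise carries no DEP-3 header; since 4.2.5 is a different upstream release from 3.3.3, record in the header which upstream change or bug it is derived from (Origin/Bug-Debian) and confirm that the `@@ -90,6 +90,10 @@` context applies cleanly to the 4.2.5 auth.inc.php rather than being carried over from the jessie build.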
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e4d99c3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-7667.patch


Processed: retitle 893765 to transition: ruby2.3 removal

2018-03-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 893765 transition: ruby2.3 removal
Bug #893765 [release.debian.org] transition: ruby2.3
Changed Bug title to 'transition: ruby2.3 removal' from 'transition: ruby2.3'.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
893765: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893765
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems