[SECURITY] [DSA 3910-1] knot security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3910-1                   secur...@debian.org
https://www.debian.org/security/                       Yves-Alexis Perez
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : knot
CVE ID         : CVE-2017-11104
Debian Bug     : 865678

Clément Berthaux from Synaktiv discovered a signature forgery
vulnerability in knot, an authoritative-only DNS server. This
vulnerability allows an attacker to bypass TSIG authentication by
sending crafted DNS packets to a server.

For the oldstable distribution (jessie), this problem has been fixed
in version 1.6.0-1+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 2.4.0-3+deb9u1.

For the testing (buster) and unstable (sid) distributions, this problem
will be fixed in a later update.

We recommend that you upgrade your knot packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAllpF4IACgkQbdtT8qZ1
wKXLNAgApLZt8aZMFy2KgjAJUh439M6i3UjxJ/Hm/iSFhc0we+JM69RfT6juAc1h
AMVlFh4Ifc+G7QpfBSZJzSS8ihpP5FxUmG9Lcad9OT2mVrHLIaT7ZLLElQEQsK2u
/wSNF86CLSSfffLSYObFLZl9JGMZVSJUvIu3K/s6vbnf0lfAJ+vn6UQv+SR4VdgM
Wlnl+LTEnqy03XMpAuW49IMAXKYpwjngCbBS+l/YjzPDE6NoHAffs9MmGWLtZxdp
e1okJX5vhWQFdslhy5PKz2m9QHSfe72/g+mx9aPtWYwr2KuaqlpwkwB4GQ5gmMvg
IwWF4TVLIquKjxo9IdqqxWxe8jhdvQ==
=lkd8
-----END PGP SIGNATURE-----
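The advisory says only that crafted packets bypass TSIG authentication. As an added example (not Knot DNS code, and not a reproduction of the Knot-specific flaw, which the advisory does not describe), the block below computes a TSIG MAC the way RFC 8945 specifies it and shows the verification checks a server must make in order: key name, algorithm, full-length MAC, time window, then a constant-time comparison. Beside the correct verifier sits `verify_weak`, a representative forgery pattern that compares only as many MAC octets as the sender supplied, so an empty MAC is accepted. The key, key name and query are constructed for the demo; the TSIG RR itself is passed as already-parsed fields rather than decoded from the wire.

```python
"""TSIG (RFC 8945) MAC computation and verification, added example."""
import hmac
import struct
import time

# TSIG algorithm name -> (hashlib name, digest length in octets), RFC 8945 section 6.
ALGORITHMS = {
    "hmac-sha1.": ("sha1", 20),
    "hmac-sha256.": ("sha256", 32),
    "hmac-sha512.": ("sha512", 64),
}

# Constructed demo key and key name; real TSIG keys are random shared secrets.
DEMO_KEY = bytes(range(32))
DEMO_KEY_NAME = "xfer-key."


def encode_name(name):
    """Uncompressed, lowercased wire-format DNS name (TSIG canonical form)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, msg_id=0x1234, qtype=252):
    """Minimal DNS message: 12-octet header plus one question (default AXFR)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)            # CLASS ANY, TTL 0
            + encode_name(algorithm)
            + struct.pack("!Q", time_signed)[2:]    # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def compute_mac(key, message, tsig):
    """HMAC over the message (as it was before the TSIG RR was added)
    followed by the TSIG variables."""
    hash_name, _ = ALGORITHMS[tsig["algorithm"]]
    data = message + tsig_variables(tsig["key_name"], tsig["algorithm"],
                                    tsig["time_signed"], tsig["fudge"])
    return hmac.new(key, data, hash_name).digest()


def sign(key, message, key_name, algorithm="hmac-sha256.", now=None, fudge=300):
    """Return the TSIG RDATA fields a signer would attach to the message."""
    tsig = {"key_name": key_name, "algorithm": algorithm,
            "time_signed": int(time.time() if now is None else now),
            "fudge": fudge, "mac": b""}
    tsig["mac"] = compute_mac(key, message, tsig)
    return tsig


def verify_weak(key, message, tsig):
    """Forgeable: compares only as many MAC octets as the sender supplied,
    so an empty or one-octet MAC passes. Shown for contrast only."""
    expected = compute_mac(key, message, tsig)
    return hmac.compare_digest(expected[:len(tsig["mac"])], tsig["mac"])


def verify(key, message, tsig, key_name, now=None):
    """Correct verifier: key name, algorithm, full-length MAC, time window,
    then a constant-time comparison of the whole MAC."""
    if encode_name(tsig["key_name"]) != encode_name(key_name):
        return False                      # BADKEY
    if tsig["algorithm"] not in ALGORITHMS:
        return False                      # BADKEY (unsupported algorithm)
    if len(tsig["mac"]) != ALGORITHMS[tsig["algorithm"]][1]:
        return False                      # truncated or oversized MAC: reject
    now = int(time.time() if now is None else now)
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False                      # BADTIME
    return hmac.compare_digest(compute_mac(key, message, tsig), tsig["mac"])


if __name__ == "__main__":
    query = build_query("example.com.")
    signed = sign(DEMO_KEY, query, DEMO_KEY_NAME)
    forged = dict(signed, mac=b"")
    print("genuine accepted:", verify(DEMO_KEY, query, signed, DEMO_KEY_NAME))
    print("empty MAC, weak check:", verify_weak(DEMO_KEY, query, forged))
    print("empty MAC, correct check:", verify(DEMO_KEY, query, forged, DEMO_KEY_NAME))
```

RFC 8945 does permit a signer to truncate the MAC, but only to at least half the digest length and never below 10 octets, and only where the server's policy allows it; the strict equal-length check above is the safe default, and any relaxation must still reject MACs shorter than those bounds before comparing anything.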
[SECURITY] [DSA 3911-1] evince security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3911-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evince
CVE ID         : CVE-2017-183

Felix Wilhelm discovered that the Evince document viewer made insecure
use of tar when opening tar comic book archives (CBT). Opening a
malicious CBT archive could result in the execution of arbitrary code.

This update disables the CBT format entirely.

For the oldstable distribution (jessie), this problem has been fixed
in version 3.14.1-2+deb8u2.

For the stable distribution (stretch), this problem has been fixed in
version 3.22.1-3+deb9u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.22.1-4.

We recommend that you upgrade your evince packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAllpGgYACgkQEMKTtsN8
TjYrxQ//Z1jnIyHsSlPYjzVcV80U1wp8Yciow3XyBTF32aSEae9S2aEj8Bc0rvbv
vkjU0H1BM1aodNLD6YnexyOx4Zc3wu7btTHQWE19Re7BLuaNMlZs5egbBPhsaBcA
c+Cp8xF2Heslx5anY45QudPLShYun+xvfZ5KLH403O1l2ywEhglhwcNPaKZEoh7Q
avEEGHF+0rvrT6y72J/NtgSg5AEpla/jDujycdBPfkaIPGb8eYIs/dLYAQQof7Ai
64kuOzRrHHJsGpcw7pQTf/VN2wsGgV24fgQwefzTnPeQtcbffHWZy1HvutsesHBE
3IaAzOIM+Pz7rB1mBer22MMn4X/6WWFtR1RHa16pXs4mUWZW8+Wq+o1xlC56saHT
9KUVq0ByrJ7impVR7dMK3b7fQnPmQAikEyJ/GjjPdw98GzVx4r4ef0HdLC/es3Sa
53PeVpiYUxr/MFx0vw/QXQgNxA/E5Hv73UwlWB65JZdaW5pvDrbODsZvpNd2m9XZ
5pQrJNHH7VY1jTgru9SJYEeU3rJe2AOe1MET67ly9QPNP7TZFjUXfdN0h74qazxA
vzIiRd8sdoJFsBHaH0uf1J10iM4XbXXIwZCRH5wDlNCLfmOQ/AmAjKdmSSJotltZ
ye/BbcWMTOQPWnEtOc4ubu6NjdMr6aS8V0hEBPCbdyNfIBrzc6c=
=U0Uc
-----END PGP SIGNATURE-----
Re: [SECURITY] [DSA 3909-1] samba security update
On Fri, 2017-07-14 at 16:19 +0200, Sven Hartge wrote:
> On 14.07.2017 14:25, Yves-Alexis Perez wrote:
>
> > For the oldstable distribution (jessie), this problem has been fixed
> > in version 2:4.2.14+dfsg-0+deb8u7.
>
> Is this just me or has the update for Jessie x86_64 been built in an
> unclean environment or from the wrong sources?
>
> For me the binary packages have dependencies unfulfillable in Jessie:

Yes, this was spotted earlier this afternoon and rebuilds for amd64 are
in progress.

Regards,

Adam
Re: [SECURITY] [DSA 3909-1] samba security update
On 14.07.2017 16:19, Sven Hartge wrote:
> For me the binary packages have dependencies unfulfillable in Jessie:
>
> The following packages have unmet dependencies:
>  samba-common-bin : Depends: libncurses5 (>= 6) but 5.9+20140913-1+b1 is
>                     to be installed
>                     Depends: libreadline7 (>= 6.0) but it is not installable
>                     Depends: libtinfo5 (>= 6) but 5.9+20140913-1+b1 is
>                     to be installed
>                     Depends: samba-libs (= 2:4.2.14+dfsg-0+deb8u7) but
>                     2:4.2.14+dfsg-0+deb8u6 is to be installed

Same here. Thanks for jumping in and reporting this, I wasn't sure if I
hadn't just messed up my apt-pinning...

> The 32bit i386 packages on the other hand are fine, probably because they
> were built by a buildd.

On an i386 VM the upgrade ran fine here as well.

Cheers
Daniel
Re: samba4 package didn't bundle Heimdal
Hi Andrew,

On Thu, Jul 13, 2017 at 09:17:57PM +1200, Andrew Bartlett wrote:
> https://security-tracker.debian.org/tracker/CVE-2017-11103
>
> Back when samba4 (which has been eviscerated to a client) was a
> package, it linked against the system heimdal.
>
> You can see this because it depends on heimdal.
>
> https://packages.debian.org/wheezy/libsamba-credentials0
>
> Additionally, the link to the heimdal code has always been dynamic, not
> static, it just changed from dynamic to the system libs to dynamic to
> the vendored lib embedded in our tree with the Samba 4.2 packages.

Thanks for having a look! I just double checked and indeed the build
logs have:

[..snip..]
Checking for program krb5-config.heimdal : /usr/bin/krb5-config.heimdal
...
Selected system Heimdal build
[..snip..]

There is some stuff compiled from heimdal ...

[ 147/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 148/2938] Compiling source4/heimdal_build/version.c
[ 149/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 150/2938] Compiling source4/heimdal_build/version.c
[ 151/2938] Compiling source4/heimdal/lib/asn1/main.c
[ 152/2938] Compiling source4/heimdal/lib/asn1/gen.c
[ 153/2938] Compiling source4/heimdal/lib/asn1/gen_copy.c
[ 154/2938] Compiling source4/heimdal/lib/asn1/gen_decode.c
[ 155/2938] Compiling source4/heimdal/lib/asn1/gen_encode.c
[ 156/2938] Compiling source4/heimdal/lib/asn1/gen_free.c
[ 157/2938] Compiling source4/heimdal/lib/asn1/gen_glue.c
[ 158/2938] Compiling source4/heimdal/lib/asn1/gen_length.c
[ 159/2938] Compiling source4/heimdal/lib/asn1/gen_seq.c
[ 160/2938] Compiling source4/heimdal/lib/asn1/gen_template.c
[ 161/2938] Compiling source4/heimdal/lib/asn1/hash.c
[ 162/2938] Compiling source4/heimdal/lib/asn1/symbol.c
[ 163/2938] Compiling source4/heimdal/lib/asn1/asn1parse.c
[ 164/2938] Compiling source4/heimdal/lib/asn1/lex.c

... but none of the affected code so I've marked samba4 as not affected.

Thanks a lot!
-- 
Guido
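The triage above was done by reading the build log by eye: the system Heimdal was selected, and the only in-tree Heimdal sources compiled were the asn1 compiler and version stamps, not the Kerberos client library. As an added example (not Samba's build system or anything from the thread), the block below does the same classification over waf-style build-log lines. The sample log is constructed from the lines quoted above; the vendored-tree prefix `source4/heimdal/` and the choice of `lib/krb5/` as the subtree that matters are assumptions, the latter because the Heimdal fix for CVE-2017-11103 lives in the krb5 client library's ticket extraction code. `source4/heimdal_build/` is Samba's own build glue and is deliberately not counted as vendored Heimdal.

```python
"""Classify which vendored Heimdal sources a Samba build actually compiled."""
import re

COMPILE_RE = re.compile(r"^\[\s*\d+/\d+\]\s+Compiling\s+(\S+)")
SYSTEM_MARKER = "Selected system Heimdal build"
VENDORED_PREFIX = "source4/heimdal/"   # assumption: Samba's in-tree Heimdal copy
AFFECTED_SUBTREES = ("lib/krb5/",)     # assumption: where the CVE-2017-11103 fix lives

# Constructed sample, assembled from the log lines quoted in the thread.
SAMPLE_LOG = """\
Checking for program krb5-config.heimdal : /usr/bin/krb5-config.heimdal
Selected system Heimdal build
[ 147/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 148/2938] Compiling source4/heimdal_build/version.c
[ 151/2938] Compiling source4/heimdal/lib/asn1/main.c
[ 152/2938] Compiling source4/heimdal/lib/asn1/gen.c
[ 200/2938] Compiling source3/smbd/server.c
"""


def compiled_sources(log_text):
    """Every path the log shows being compiled, in order."""
    paths = []
    for line in log_text.splitlines():
        match = COMPILE_RE.match(line)
        if match:
            paths.append(match.group(1))
    return paths


def triage(log_text):
    """Summarise the vendored-Heimdal footprint of one build log.

    vendored_subtrees lists the lib/<component>/ directories compiled from
    the in-tree copy; affected_files lists those under AFFECTED_SUBTREES,
    which is the evidence that the vulnerable library itself was built."""
    vendored = sorted(
        path[len(VENDORED_PREFIX):]
        for path in compiled_sources(log_text)
        if path.startswith(VENDORED_PREFIX)
    )
    subtrees = sorted({
        "/".join(rel.split("/")[:2]) + "/"
        for rel in vendored
        if rel.count("/") >= 2
    })
    affected = [rel for rel in vendored if rel.startswith(AFFECTED_SUBTREES)]
    return {
        "system_heimdal": SYSTEM_MARKER in log_text,
        "vendored_subtrees": subtrees,
        "affected_files": affected,
        "vendored_library_built": bool(affected),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The check is only as good as the log: a package that links the system library at configure time but also compiles `lib/krb5/` from the tree would show up as `vendored_library_built`, and that is exactly the case that needs a second look at what the final binaries link against.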
Re: [SECURITY] [DSA 3909-1] samba security update
On 14.07.2017 14:25, Yves-Alexis Perez wrote:
> For the oldstable distribution (jessie), this problem has been fixed
> in version 2:4.2.14+dfsg-0+deb8u7.

Is this just me or has the update for Jessie x86_64 been built in an
unclean environment or from the wrong sources?

For me the binary packages have dependencies unfulfillable in Jessie:

The following packages have unmet dependencies:
 samba-common-bin : Depends: libncurses5 (>= 6) but 5.9+20140913-1+b1 is
                    to be installed
                    Depends: libreadline7 (>= 6.0) but it is not installable
                    Depends: libtinfo5 (>= 6) but 5.9+20140913-1+b1 is
                    to be installed
                    Depends: samba-libs (= 2:4.2.14+dfsg-0+deb8u7) but
                    2:4.2.14+dfsg-0+deb8u6 is to be installed

The 32bit i386 packages on the other hand are fine, probably because they
were built by a buildd.

Regards,
Sven.
[SECURITY] [DSA 3909-1] samba security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3909-1                   secur...@debian.org
https://www.debian.org/security/                       Yves-Alexis Perez
July 14, 2017                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2017-11103
Debian Bug     : 868209

Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual
authentication bypass vulnerability in samba, the SMB/CIFS file, print,
and login server.

Also known as Orpheus' Lyre, this vulnerability is located in Samba
Kerberos Key Distribution Center (KDC-REP) component and could be used
by an attacker on the network path to impersonate a server.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/) and on the Samba project website
(https://www.samba.org/samba/security/CVE-2017-11103.html)

For the oldstable distribution (jessie), this problem has been fixed
in version 2:4.2.14+dfsg-0+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.8+dfsg-2+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2:4.6.5+dfsg-4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.6.5+dfsg-4.

We recommend that you upgrade your samba packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEl0WwInMjgf6efq/1bdtT8qZ1wKUFAllotnEACgkQbdtT8qZ1
wKUelggAmbHEA545HOANov7vXy0CWTjdzg+JXoWwqnAZi7ucyFZ5fdqeiVEL5kl0
+mM2R6DebZhmu6xFJf+PZv6VGKx0KmN1XeJCQxz2x72omKUlyOddnptebeyvpLz3
Pp0nzQqeq70aFF46Cbh3w+9kRAQoaOG2kBmjvPwL+ZkpJlYCy5nPfC35K4lG5QSv
pXSqV6S2oD95+j8RReZ0v3DeI4tpbuAvCMtNaSOPmDoBxoVBNuMk7xmLTZuTLlaJ
f/cFDQC0Ykx6cmV2SxN49Eo2pnMCz2uT9Iv/7kEzJ1C4mI7vUNgAq/XwMjeAPx7h
SOae2x1DVIWPewpJa0pLO7iaOmNiZQ==
=2zvn
-----END PGP SIGNATURE-----
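The advisory names the KDC-REP handling and the impersonation impact but not the mechanism. Per the Orpheus' Lyre write-up it links to, the client-side bug in Heimdal's ticket extraction was taking the service principal from the Ticket, whose name travels in the clear and can be rewritten by anyone on the path, instead of from the KDC-REP's encrypted part, which only the KDC and the client can produce or read. The block below is an added example (not Samba or Heimdal code) that models that distinction: a toy HMAC-tagged "encrypted part" standing in for real Kerberos encryption, an honest KDC reply, a man-in-the-middle that rewrites the Ticket's plaintext name, and the vulnerable versus fixed extraction routines. Principal names, realm, keys and the nonce are all constructed for the demo.

```python
"""Which KDC-REP field names the service? Vulnerable vs fixed extraction."""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class Ticket:
    sname: str        # service principal name, in the clear on the wire
    srealm: str
    enc_part: bytes   # encrypted under the service's key; opaque to the client


@dataclass
class KDCRep:
    cname: str
    ticket: Ticket
    enc_part: bytes   # EncKDCRepPart, protected by a key the client shares with the KDC


@dataclass
class Creds:
    server: str       # the name these credentials will be filed under and used for
    session_key: bytes


def seal(key, fields):
    """Toy stand-in for Kerberos encryption: JSON body prefixed with an HMAC tag.
    Only integrity matters for this demo, so the body is not actually hidden."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key, blob):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("encrypted part failed integrity check")
    return json.loads(body)


def kdc_reply(client_key, sname, srealm, session_key, nonce):
    """What an honest KDC sends: a Ticket and the matching authenticated part."""
    enc = seal(client_key, {"sname": sname, "srealm": srealm,
                            "key": session_key.hex(), "nonce": nonce})
    return KDCRep("alice", Ticket(sname, srealm, b"opaque-to-client"), enc)


def mitm_swap_ticket(rep, sname, srealm):
    """A man in the middle can rewrite the Ticket's plaintext name freely;
    the KDC-authenticated enc_part is beyond its reach."""
    return KDCRep(rep.cname, Ticket(sname, srealm, rep.ticket.enc_part), rep.enc_part)


def extract_ticket_vulnerable(client_key, rep, nonce):
    """Orpheus' Lyre pattern: the server identity is read from the Ticket."""
    enc = unseal(client_key, rep.enc_part)
    if enc["nonce"] != nonce:
        raise ValueError("nonce mismatch")
    server = rep.ticket.sname + "@" + rep.ticket.srealm   # unauthenticated field
    return Creds(server, bytes.fromhex(enc["key"]))


def extract_ticket_fixed(client_key, rep, nonce):
    """Fix: the identity comes from the authenticated part, and the Ticket's
    plaintext name must agree with it before anything is cached."""
    enc = unseal(client_key, rep.enc_part)
    if enc["nonce"] != nonce:
        raise ValueError("nonce mismatch")
    if (rep.ticket.sname, rep.ticket.srealm) != (enc["sname"], enc["srealm"]):
        raise ValueError("ticket name does not match the KDC-authenticated name")
    server = enc["sname"] + "@" + enc["srealm"]
    return Creds(server, bytes.fromhex(enc["key"]))


if __name__ == "__main__":
    client_key = b"\x01" * 32                                  # constructed
    honest = kdc_reply(client_key, "host/attacker.example.com", "EXAMPLE.COM",
                       b"\x22" * 16, nonce=42)
    swapped = mitm_swap_ticket(honest, "host/fileserver.example.com", "EXAMPLE.COM")
    print("vulnerable client files creds under:",
          extract_ticket_vulnerable(client_key, swapped, 42).server)
    try:
        extract_ticket_fixed(client_key, swapped, 42)
    except ValueError as err:
        print("fixed client rejects:", err)
```

The point the test makes is the dangerous combination: the vulnerable client ends up holding credentials labelled for `host/fileserver.example.com` whose session key was issued for the attacker's own service, which is the material a man in the middle needs to complete mutual authentication as the file server. The general rule is the same anywhere a protocol carries both an authenticated and an unauthenticated copy of an identity: bind every decision to the authenticated copy and treat a disagreement as an attack, not as a hint.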