Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Michael Biebl
Am 03.10.2016 um 12:11 schrieb Michael Biebl:
> Am 03.10.2016 um 08:22 schrieb Wolfgang Karall:
>> Hello Michael,
>>
>> On 16-10-02 22:36:00, Michael Biebl wrote:
>>> The news about systemd crashing when getting a zero sized message
>>> on the notification socket made the rounds recently.  While v215 is
>>> not directly affected by this crash (the code to access messages of
>>> length=0 was added in v219)
>> [..]
>>> I would propose to fix this in stable via regular stable update but
>>> would appreciate if the debian-security team would comment on this.
>>> If they would prefer a security upload I'm happy to do that as well.
>>
>> https://security-tracker.debian.org/tracker/CVE-2016-7796 says all but
>> the version in sid are vulnerable to CVE-2016-7796 and reading
> 
> No, sid is not vulnerable. It has been fixed in 231-9
> 
>> https://github.com/systemd/systemd/issues/4234#issuecomment-250441246
>>
>> this sounds still rather serious, so a security upload would be
>> appreciated.
>>
> 
> This bug is *not* about CVE-2016-7796 and as I wrote, stable is not
> affected by the crash.
> 
> Are you a member of the security team? I've never seen your name before
> so I'm a bit confused as I explicitly asked for input from the security
> team.

It was pointed out that I used the wrong list and that
debian-security@l.d.o is not actually the correct list to contact the
debian security team. So apologies for that.

I've added t...@security.debian.org now and will drop
debian-security@lists.debian.org on further replies.

Dear security team, I'd appreciate your input on bug #839607

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Michael Biebl
Am 03.10.2016 um 12:11 schrieb Michael Biebl:
> Am 03.10.2016 um 08:22 schrieb Wolfgang Karall:
>> Hello Michael,
>>
>> On 16-10-02 22:36:00, Michael Biebl wrote:
>>> The news about systemd crashing when getting a zero sized message
>>> on the notification socket made the rounds recently.  While v215 is
>>> not directly affected by this crash (the code to access messages of
>>> length=0 was added in v219)
>> [..]
>>> I would propose to fix this in stable via regular stable update but
>>> would appreciate if the debian-security team would comment on this.
>>> If they would prefer a security upload I'm happy to do that as well.
>>
>> https://security-tracker.debian.org/tracker/CVE-2016-7796 says all but
>> the version in sid are vulnerable to CVE-2016-7796 and reading
> 
> No, sid is not vulnerable. It has been fixed in 231-9
> 
>> https://github.com/systemd/systemd/issues/4234#issuecomment-250441246
>>
>> this sounds still rather serious, so a security upload would be
>> appreciated.
>>

Fwiw, we discussed this issue briefly within the pkg-systemd team. While
a local DoS, which we consider the issue in stable to be, is not great,
it's not like local users can't DoS the system via other means just as
easily, like say fork bombs.

Why would you consider this particular issue to be "rather serious"?


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Michael Biebl
Am 03.10.2016 um 08:22 schrieb Wolfgang Karall:
> Hello Michael,
> 
> On 16-10-02 22:36:00, Michael Biebl wrote:
>> The news about systemd crashing when getting a zero sized message
>> on the notification socket made the rounds recently.  While v215 is
>> not directly affected by this crash (the code to access messages of
>> length=0 was added in v219)
> [..]
>> I would propose to fix this in stable via regular stable update but
>> would appreciate if the debian-security team would comment on this.
>> If they would prefer a security upload I'm happy to do that as well.
> 
> https://security-tracker.debian.org/tracker/CVE-2016-7796 says all but
> the version in sid are vulnerable to CVE-2016-7796 and reading

No, sid is not vulnerable. It has been fixed in 231-9

> https://github.com/systemd/systemd/issues/4234#issuecomment-250441246
> 
> this sounds still rather serious, so a security upload would be
> appreciated.
> 

This bug is *not* about CVE-2016-7796 and as I wrote, stable is not
affected by the crash.

Are you a member of the security team? I've never seen your name before
so I'm a bit confused as I explicitly asked for input from the security
team.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Robustify manager_dispatch_notify_fd()

2016-10-02 Thread Michael Biebl
Control: fixed -1 231-9

Am 02.10.2016 um 22:36 schrieb Michael Biebl:
> Package: systemd
> Version: 215-17+deb8u5
> Severity: important
> User: pkg-systemd-maintain...@lists.alioth.debian.org
> Usertags: jessie-backport
> 
> The news about systemd crashing when getting a zero sized message on the
> notification socket made the rounds recently.
> While v215 is not directly affected by this crash (the code to access
> messages of length=0 was added in v21), the version in unstable still

was added in v219, not v21

> gets confused when it receives such a message and basically disables
> the notification system. This is bad, because services relying on the
> notification system, e.g. using the watchdog functionality, are getting
> killed.
> 
> The relevant upstream issue is
> https://github.com/systemd/systemd/pull/4240
> 
> 231-9 in unstable already contains this fix.

Marking accordingly

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-02 Thread Michael Biebl
Package: systemd
Version: 215-17+deb8u5
Severity: important
User: pkg-systemd-maintain...@lists.alioth.debian.org
Usertags: jessie-backport

The news about systemd crashing when getting a zero sized message on the
notification socket made the rounds recently.
While v215 is not directly affected by this crash (the code to access
messages of length=0 was added in v21), the version in unstable still
gets confused when it receives such a message and basically disables
the notification system. This is bad, because services relying on the
notification system, e.g. using the watchdog functionality, are getting
killed.

The relevant upstream issue is
https://github.com/systemd/systemd/pull/4240

231-9 in unstable already contains this fix.

I would propose to fix this in stable via regular stable update but
would appreciate if the debian-security team would comment on this.
If they would prefer a security upload I'm happy to do that as well.


Regards,
Michael



-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4+b1
ii  libaudit1       1:2.6.7-1
ii  libblkid1       2.28.2-1
ii  libc6           2.24-3
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.3-1
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0-3
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28.2-1
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     231-9
ii  mount           2.28.2-1
ii  util-linux      2.28.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.10-1
ii  libpam-systemd  231-9

Versions of packages systemd suggests:
ii  policykit-1        0.105-16
ii  systemd-container  231-9
pn  systemd-ui

Versions of packages systemd is related to:
ii  udev  231-9

-- no debconf information
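The failure mode this bug is about, as an added example that is not systemd's code and not from this thread: a minimal dispatch function for a SOCK_DGRAM notification socket that treats a zero-length datagram as an empty message to ignore, rather than as end-of-file or an error, so the handler keeps watching the fd and later READY=1 / WATCHDOG=1 messages are still processed. All names here (dispatch_notify_fd, notify_state, the notify_result values) are this example's own, and the demo uses a socketpair in place of a real $NOTIFY_SOCKET.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Outcome of one read on the notification socket (example's own names). */
enum notify_result {
    NOTIFY_IGNORED = 0,   /* zero-length or truncated datagram: drop, keep fd */
    NOTIFY_MESSAGE = 1,   /* a message was received and parsed */
    NOTIFY_RETRY   = 2,   /* transient error (EAGAIN/EINTR): keep the fd */
    NOTIFY_FATAL   = 3    /* unrecoverable error: caller may stop watching */
};

/* Per-service state updated by notification messages (example's own). */
struct notify_state {
    int ready;
    int watchdog_pings;
    char status[64];
};

/* Parse a "KEY=VALUE\n..." notification payload. Only READY, WATCHDOG and
 * STATUS are understood here; unknown keys are skipped. A zero-length
 * buffer simply yields no keys. */
static void parse_notify_message(const char *buf, size_t n, struct notify_state *st) {
    size_t i = 0;
    while (i < n) {
        size_t j = i;
        while (j < n && buf[j] != '\n') j++;
        size_t len = j - i;
        if (len == 7 && memcmp(buf + i, "READY=1", 7) == 0) {
            st->ready = 1;
        } else if (len == 10 && memcmp(buf + i, "WATCHDOG=1", 10) == 0) {
            st->watchdog_pings++;
        } else if (len > 7 && memcmp(buf + i, "STATUS=", 7) == 0) {
            size_t vlen = len - 7;
            if (vlen >= sizeof(st->status)) vlen = sizeof(st->status) - 1;
            memcpy(st->status, buf + i + 7, vlen);
            st->status[vlen] = '\0';
        }
        i = j + 1;
    }
}

/* One dispatch of the notification fd. Key point: on a datagram socket a
 * return of 0 from recvmsg() is an empty datagram, not end-of-file, so it
 * must never be treated as a reason to stop watching the fd. */
enum notify_result dispatch_notify_fd(int fd, struct notify_state *st) {
    char buf[4096];
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof(buf) - 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    ssize_t n = recvmsg(fd, &msg, MSG_DONTWAIT);
    if (n < 0) {
        if (errno == EAGAIN || errno == EINTR) return NOTIFY_RETRY;
        return NOTIFY_FATAL;
    }
    if (n == 0) return NOTIFY_IGNORED;                 /* empty datagram */
    if (msg.msg_flags & MSG_TRUNC) return NOTIFY_IGNORED; /* oversized: drop */
    buf[n] = '\0';
    parse_notify_message(buf, (size_t)n, st);
    return NOTIFY_MESSAGE;
}

/* Self-contained demo: sv[0] plays the service, sv[1] the manager. The
 * service first sends a constructed zero-length datagram, then a real
 * message; a robust manager ignores the first and still handles the second.
 * Returns 0 when every dispatch produced the expected result. */
int demo_zero_length_then_ready(struct notify_state *st) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    memset(st, 0, sizeof(*st));
    if (send(sv[0], "", 0, 0) < 0) { close(sv[0]); close(sv[1]); return -1; }
    enum notify_result r1 = dispatch_notify_fd(sv[1], st);
    const char *m = "READY=1\nWATCHDOG=1\nSTATUS=serving\n";
    if (send(sv[0], m, strlen(m), 0) < 0) { close(sv[0]); close(sv[1]); return -1; }
    enum notify_result r2 = dispatch_notify_fd(sv[1], st);
    enum notify_result r3 = dispatch_notify_fd(sv[1], st); /* queue now empty */
    close(sv[0]);
    close(sv[1]);
    return (r1 == NOTIFY_IGNORED && r2 == NOTIFY_MESSAGE && r3 == NOTIFY_RETRY) ? 0 : 1;
}

int main(void) {
    struct notify_state st;
    int rc = demo_zero_length_then_ready(&st);
    printf("demo rc=%d ready=%d watchdog_pings=%d status=%s\n",
           rc, st.ready, st.watchdog_pings, st.status);
    return rc;
}
```

The distinction the code relies on is that a zero return from recvmsg() only means end-of-file on stream sockets; on SOCK_DGRAM it is a legitimate (if useless) message, so the only sensible reactions are to ignore it or, at most, log it, never to disable the handler.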



Re: [SECURITY] [DSA 3337-1] gdk-pixbuf security update

2015-08-21 Thread Michael Biebl
Hi Moritz,

Am 18.08.2015 um 15:37 schrieb Moritz Muehlenhoff:
> -
> Debian Security Advisory DSA-3337-1   secur...@debian.org
> https://www.debian.org/security/   Moritz Muehlenhoff
> August 18, 2015   https://www.debian.org/security/faq
> -
> 
> Package: gdk-pixbuf
> CVE ID : CVE-2015-4491
> 
> Gustavo Grieco discovered a heap overflow in the processing of BMP images
> which may result in the execution of arbitrary code if a malformed image
> is opened.
> 
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 2.26.1-1+deb7u1.
> 
> For the stable distribution (jessie), this problem has been fixed in
> version 2.31.1-2+deb8u2.

Thanks for taking care of this.
From a cursory glance, the patch in 2.31.1-2+deb8u2 seems to be
incomplete and is missing the follow-up commit [1].

I'll update the package in unstable. Would be great if you can handle
the stable upload.

Regards,
Michael


[1]
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Bug#614785: Found too in oldstable/lenny?

2011-02-24 Thread Michael Biebl
Am 24.02.2011 15:48, schrieb Alexander Kurtz:
> So, the code which introduced this vulnerability (CVE-2011-1002[1]) was
> actually added[2] when fixing another vulnerability (CVE-2010-2244[3]).
> As a consequence, lenny IS indeed vulnerable and needs to be fixed too.

Correct.

I uploaded a fixed lenny package to oldstable-security 30min ago.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: Bug#614785: Found too in oldstable/lenny?

2011-02-24 Thread Michael Biebl
Am 24.02.2011 15:52, schrieb Michael Biebl:
> Am 24.02.2011 15:48, schrieb Alexander Kurtz:
>> So, the code which introduced this vulnerability (CVE-2011-1002[1]) was
>> actually added[2] when fixing another vulnerability (CVE-2010-2244[3]).
>> As a consequence, lenny IS indeed vulnerable and needs to be fixed too.
> 
> Correct.
> 
> I uploaded a fixed lenny package to oldstable-security 30min ago.

But you are right, the security tracker should be updated


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Re: [Pkg-utopia-maintainers] Bug#501443: CVE-2008-0595: possible DoS in dbus

2008-10-20 Thread Michael Biebl

Quoting Michael Gilbert <[EMAIL PROTECTED]>:

> retitle 501443 dbus: CVE-2008-3834, possible DoS
> thank you
>
> hello, now that ubuntu has released fixes for this issue [1], can we
> hope to see the same action from debian soon?

Hi Michael,

thanks for the detailed bug report and apologies for the late reply.  
I'll prepare a new release in the next few days and will also try to  
get this fix into lenny.


Cheers,
Michael

