CVE-2018-17144 also affects groestlcoin << 2.16.3

2018-09-26 Thread Jonas Smedegaard
Hi,

Bitcoin << 0.16.3 is affected by CVE-2018-17144.

Groestlcoin is derived from Bitcoin with major version bumped.  They 
just issued a new version 2.16.3 with the following in its release 
notes:

> A denial-of-service vulnerability (CVE-2018-17144) exploitable by 
> miners has been discovered in Groestlcoin Core versions 2.13.3 up to 
> 2.16.0. It is recommended to upgrade any of the vulnerable versions to 
> 2.16.3 as soon as possible.

Here's the related news entry: 
https://www.groestlcoin.org/24-sep-2018-release/#Groestlcoin_Core_v2163__Please_Update_ASAP_139


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#837056: ruby-babel-source: contains embedded code copies of Javascript libraries babel and core-js

2016-09-08 Thread Jonas Smedegaard
Package: ruby-babel-source
Version: 5.8.35-1
Severity: important


Hi,

Great that you have packaged ruby-babel-source.

Unfortunately, in its current form this package ships Javascript
libraries babel and core-js¹.

¹ Polyfills merged with Regenerator and called "babel-polyfill":



Instead, a) those libraries should be packaged separately, tracking
their own upstream sources  and
, b) babel-polyfill should be
packaged separately (either build-depending on Regenerator or created
some way), and c) this package should symlink those libraries and depend
on those other packages.

See Debian Policy § 4.13 for more info.


 - Jonas




Bug#836577: python-chartkick: contains embedded code copy of Javascript library Chartkick.js

2016-09-04 Thread Jonas Smedegaard
Source: python-chartkick
Version: 0.5.0-1
Severity: important


This package ships Javascript library Chartkick.js.

Instead, that library should be packaged separately, tracking its own
upstream source , and this
package should symlink that library and depend on that other package.

See Debian Policy § 4.13 for more info.

 - Jonas




squeak-vm embeds libjpeg and libpcre (currently unused)

2016-09-03 Thread Jonas Smedegaard
Hi,

Here is some (additional) info on embedded code copies in squeak-vm:

libjpeg:
 squeak-vm (unused since 1:4.4.7.2357-1.1 - bug#634240)

PCRE:
 squeak-vm (unused since 1:4.4.7.2357-1.1 - bug#634240)


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




embedded code copies in ruby packages

2016-09-03 Thread Jonas Smedegaard
Hi,

The wiki page https://wiki.debian.org/EmbeddedCodeCopies encourages 
reporting here when spotting embedded code copies in Debian packages:

jquery-iframe-transport
  * ruby-remotipart (bug#835512)

Leaflet
  * ruby-leaflet-rails (bug#835508)

Select2:
  * ruby-select2-rails (bug#835510)


  * ruby-rails-assets-diaspora-jsxc (bug#835519)


Related is bug#835517 against lintian about what seems a common pattern.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




embedded code copies of libsrtp

2015-07-29 Thread Jonas Smedegaard
Hi,

https://anonscm.debian.org/viewvc/secure-testing/data/embedded-code-copies?view=co
seems outdated regarding libsrtp.

Bug#770659 indicates that chromium now uses the shared copy.

These source packages include a copy of libsrtp but currently link 
against the shared copy: asterisk chromium-browser gst-plugins-bad1.0 
kopete opal pjproject resiprocate

These source packages include a copy of libsrtp and potentially use it 
(i.e. don't currently link against the separately shipped package): 
icedove iceweasel qutecom wine-gecko-2.21 wine-gecko-2.24 sflphone


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

