[SECURITY] [DLA 1826-1] glib2.0 security update

2019-06-18 Thread Sylvain Beucler
Package: glib2.0 Version: 2.42.1-1+deb8u1 CVE ID: CVE-2019-12450 Debian Bug: 929753 It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default

Accepted glib2.0 2.42.1-1+deb8u1 (source all amd64) into oldstable

2019-06-18 Thread Sylvain Beucler
Format: 1.8 Date: Tue, 18 Jun 2019 21:27:05 +0200 Source: glib2.0 Binary: libglib2.0-0 libglib2.0-tests libglib2.0-udeb libglib2.0-bin libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam libglib2.0-0-refdbg Architecture:

Re: libqb / CVE-2019-12779

2019-06-18 Thread Markus Koschany
Hello, On 18.06.19 at 10:05, Brian May wrote: > The upstream patch patches "c->description" which is not used in > Jessie. OK, so probably not vulnerable. [...] I requested feedback from upstream about CVE-2019-12779 before. https://github.com/ClusterLabs/libqb/issues/338 It seems they do

[SECURITY] [DLA 1825-1] kdepim security update

2019-06-18 Thread Sylvain Beucler
Package: kdepim Version: 4:4.14.1-1+deb8u2 CVE ID: CVE-2019-10732 Debian Bug: 926996 A reply-based decryption oracle was found in kdepim, which provides the KMail e-mail client. An attacker in possession of S/MIME or

Accepted kdepim 4:4.14.1-1+deb8u2 (source all amd64) into oldstable

2019-06-18 Thread Sylvain Beucler
Format: 1.8 Date: Tue, 18 Jun 2019 10:55:26 +0200 Source: kdepim Binary: kdepim kdepim-mobile akregator kaddressbook kaddressbook-mobile kalarm kdepim-kresources storageservicemanager kleopatra kmail kmail-mobile knode knotes notes-mobile

[SECURITY] [DLA 1824-1] linux-4.9 security update

2019-06-18 Thread Ben Hutchings
Package: linux-4.9 Version: 4.9.168-1+deb9u3~deb8u1 CVE ID : CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503 CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479 CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833

Re: libqb / CVE-2019-12779

2019-06-18 Thread Chris Lamb
Hi Brian, > libqb > NOTE: 20190616: Upstream patch does not apply at all, but it appears that > > NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or > NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby) NB. "appears that" — it was a rather cursory glance

libqb / CVE-2019-12779

2019-06-18 Thread Brian May
The upstream patch patches "c->description" which is not used in Jessie. OK, so probably not vulnerable. Looking at data/dla-needed.txt: libqb NOTE: 20190616: Upstream patch does not apply at all, but it appears that NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or