Bug#1070702: bookworm-pu: package nano/7.2-1+deb12u1
Hi Jordi,

On Tue, May 07, 2024 at 04:00:15PM +0200, Jordi Mallach wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: n...@packages.debian.org
> Control: affects -1 + src:nano
> User: release.debian@packages.debian.org
> Usertags: pu
>
> As we did in previous Debian releases, this is an update
> for Debian stable's nano package with selected patches from
> the upstream maintainer.
>
> 3 of the patches fix minor security issues, and the other one
> fixes a potential data-loss issue.
>
> Additionally there's a minor update to the default nanorc which
> is a backport from 7.2-2, which was meant to be included in
> Debian 12.0 but freeze came along. It just gets rid of some
> control characters in some commented-out example bindings,
> replacing them with the new style syntax.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> This source update was prompted by Salvatore while discussing one of the
> 3 security issues.

FTR, https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
has now a CVE assigned as well: CVE-2024-5742. No need to redo the upload,
but it would be great to get it accepted for the next point release.

Regards,
Salvatore
Uploading linux (6.8.12-1)
Hi

I would like to upload linux version 6.8.12-1 to unstable, which imports
the last stable version of the 6.8.y series, which is EOL with 6.8.12.
After that a switch to 6.9.y will need to happen.

No packaging changes are included.

Regards,
Salvatore
Uploading linux (6.8.11-1)
Hi

I would like to upload linux version 6.8.11-1 to unstable over the weekend
(importing two stable versions, 6.8.10 and 6.8.11). No other changes are
aimed to be included, but it brings unstable just up to par with the
upstream stable version for the 6.8.y series.

Regards,
Salvatore
Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1
Hi Bastien,

On Sun, May 12, 2024 at 05:47:31PM +, Bastien Roucariès wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: fos...@packages.debian.org
> Control: affects -1 + src:fossil
> User: release.debian@packages.debian.org
> Usertags: pu
>
> this bug was opened by previous arrangement with maintainer.
>
> [ Reason ]
> fossil is affected by a regression due to a security update of apache
> CVE-2024-24795. Backport was chosen
> because upstream does not document all commits needed for fixing the
> regression.

Disclaimer, not SRM so this is not an authoritative answer.

But that means that packaging changes between 1:2.21-1 and the proposed
one are included as well. Are all of those allowed to be done or should
you individually revert some changes? E.g. there is

 * Bump policy
 * Build depend on pkgconfig instead of obsolete pkg-config

and

 * Oops, typo: pkgconf

which might indeed be fine. But it should definitively be checked.

Regards,
Salvatore
Bug#1069891: bookworm-pu: package ansible/7.7.0+dfsg-3+deb12u1
Hi Lee,

(disclaimer, not a member of the release team)

On Fri, May 10, 2024 at 12:15:56PM +0200, Lee Garrett wrote:
> I have just pushed some meta-data updates, and also a change that fixes
> CVE-2023-4237 in this package. See the commit logs here:
>
> https://salsa.debian.org/python-team/packages/ansible/-/commits/debian/bookworm-proposed/

My understanding is that SRM would like to have a debdiff posted to the
list with the changes. I realize the previous one was 10M big, and so
actually might not have made it to the list, and so is not on the radar
of the SRM. Stuff might as well be filtered out of the debdiff if needed,
and explained in the mail.

As your proposed update covers a CVE fix as well, it would be great if it
can make it to the next point release.

Regards,
Salvatore
Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4
Hi,

On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: python-glance-st...@packages.debian.org
> Control: affects -1 + src:python-glance-store
>
> [ Reason ]
> I would like to update python-glance-store/4.1.0-4 to
> python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> (aka: #1063795).

Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was never
in the archive, but that makes sure it sorts before 4.1.1-1).

Regards,
Salvatore
Bug#1069690: bookworm-pu: package libkf5ksieve/4:22.12.3-1+deb12u1
Hi Patrick,

On Mon, Apr 22, 2024 at 09:36:54PM +0200, Patrick Franz wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: delta...@debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> There is a bug in libkf5sieve where the password instead of the
> username is sent when using managesieve and could therefore be
> logged on a server as the login will fail.
>
> [ Impact ]
> Potentially sensitive passwords are logged on a server.
>
> [ Tests ]
> Affected user has successfully tested the patched version.
>
> [ Risks ]
> The patch is trivial (1 line is changed) and it's quite obvious
> that it was a bug in the first place.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> 1-line patch to fix the bug.
> diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3

As it is not yet uploaded for bookworm, you might add the CVE id reference
in the changelog as well: CVE-2023-52723.

p.s.: I think you can take advantage of the improved workflow for this
specific one: if you are sure the package will be accepted as it is from
SRM, you can, along with the proposed update bug filing, already do the
upload as well. (but note, just commenting this with no authority
speaking, as not part of the release team)

Regards,
Salvatore
Uploading linux (6.7.12-1)
Hi

I plan to upload 6.7.12-1 later to unstable. Note, this is a situation
far from ideal and personally I'm not very happy with it. 6.7.12 was the
last version in the 6.7.y release and upstream has long moved already to
6.8.y while EOL'ing 6.7.y. This upload will thus release with a couple of
known unfixed regressions in the 6.7.y series, but is intended as an
intermediary upload only and as preparation for the next 6.8.y upload.
Work in progress for that is already in
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1053

I was pondering to actually cherry-pick known fixes on top (like the
workqueue regressions or the native BHI mitigations), but I concluded it
will be safer and better to just move to a 6.8.y version after that.

Please do raise your voice if you have concerns.

Regards,
Salvatore
Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1
Hi Sebastian,

On Tue, Apr 09, 2024 at 06:18:13PM +0200, Sebastian Andrzej Siewior wrote:
> On 2024-04-07 23:46:28 [+0200], To Adam D. Barratt wrote:
> > On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> > >
> > > Sorry for not getting to this sooner. Is this still the case?
> >
> > So. This happened #1068045 (yapet broke with 1.0 format) due to the
> > update. On the bright side it has been broken in unstable but unnoticed.
> > Looking into it but also sleeping (but making progress).
>
> yapet is fixed in unstable. My understanding is that the maintainer will
> take care of it.

After exposure of the upload in unstable for two days, uploaded now as
well to bookworm. Filed #1068836.

Regards,
Salvatore
Bug#1068836: bookworm-pu: package yapet/2.6-2~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ya...@packages.debian.org, car...@debian.org
Control: affects -1 + src:yapet
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
After the update of openssl/3.0.13-1~deb12u1 in bookworm-pu Sean found
that old 1.0 format databases. While most people should have moved some
time ago to 2.0 format databases, they are still claimed to be supported.
The update of openssl uncovered though a bug in yapet (as well present in
unstable, and fixed as well). Sebastian explained the situation in
https://bugs.debian.org/1068045#94

[ Impact ]
Users using the old 1.0 format could not open their store anymore.

[ Tests ]
Done explicitly with an old 1.0 format database provided by Sean, running
the testsuite, and manual checks with 2.0 format databases.

[ Risks ]
Patches provided by the openssl maintainer. While they are not yet applied
upstream, they tackle the bug in yapet as isolated by the openssl
maintainers.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The two patches drop the EVP_CIPHER_CTX_set_key_length() invocation to
keep compatibility with 1.0 databases and with openssl versions.

Quoting the commit:

|yapet did for blowfish:
|
|| EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherUpdate(ctx, …);
|
|this worked in earlier OpenSSL versions and stopped working in
|openssl-3.0.13. The problem here is that the
|EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version
|returns rightfully an error "Provider routines::no key set" here.
|
|Blowfish does support variable key lengths but the key length has to be
|set first followed by the actual key. Otherwise the blocksize (16) will
|be used.
|
|The correct way to deal with this would be:
|| EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode);
|| EVP_CipherUpdate(ctx, …);
|
|Using now the proper way will break earlier databases because in the
|blowfish case, always the default blocksize / 16 has been used.
|
|In order to keep compatibility with earlier versions of the database and
|openssl remove the EVP_CIPHER_CTX_set_key_length() invocation.

While at it Sebastian fixed the invocation present for the crypt/aes code
as well.

[ Other info ]
None.

Regards,
Salvatore

diff -Nru yapet-2.6/debian/changelog yapet-2.6/debian/changelog --- yapet-2.6/debian/changelog 2022-03-14 14:19:11.0 +0100 +++ yapet-2.6/debian/changelog 2024-04-11 20:40:18.0 +0200 @@ -1,3 +1,16 @@ +yapet (2.6-2~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm + + -- Salvatore Bonaccorso Thu, 11 Apr 2024 20:40:18 +0200 + +yapet (2.6-2) unstable; urgency=medium + + * crypt/blowfish: Remove EVP_CIPHER_CTX_set_key_length() (Closes: #1064724) + * crypt/aes: Remove EVP_CIPHER_CTX_set_key_length() + + -- Salvatore Bonaccorso Mon, 08 Apr 2024 21:32:50 +0200 + yapet (2.6-1) unstable; urgency=medium * New upstream version 2.6 diff -Nru yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch --- yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch 1970-01-01 01:00:00.0 +0100 +++ yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch 2024-04-11 20:40:18.0 +0200
@@ -0,0 +1,41 @@ +From aaa573b14bafcc9a6b46495bd4ffc15b90d35902 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Mon, 8 Apr 2024 18:19:12 +0200 +Subject: [PATCH] crypt/aes: Remove EVP_CIPHER_CTX_set_key_length(). + +The EVP_CIPHER_CTX_set_key_length() in the AES-256-CBC case is pointless +because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the +function does not change the size. + +Remove the EVP_CIPHER_CTX_set_key_length() invocation. + +Signed-off-by: Sebastian Andrzej Siewior +--- + src/libs/crypt/aes256.cc | 11 --- + 1 file changed, 11 deletions(-) + +diff --git a/src/libs/crypt/aes256.cc b/src/libs/crypt/aes256.cc +index 1041b9c57347..e105b1a5bedd 100644 +--- a/src/libs/crypt/aes256.cc b/src/libs/crypt/aes256.cc +@@ -113,17 +113,6 @@ EVP_CIPHER_CTX* Aes256::initializeOrThrow(const SecureArray& ivec, MODE mode) { + throw CipherError{_("Error initializing cipher")}; + } + +-success = EVP_CIPHER_CTX_set_key_length(context, getKey()->keySize()); +-if (success != SSL_SUCCESS) { +-LOG_MESSAGE(std::string{__func__} + ": Error setting key length"); +-destroyContext(context); +-char msg[YAPET::Consts::EXCEPTION_MESSAGE_BUFF
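Review bot: dropping `success = EVP_CIPHER_CTX_set_key_length(context, getKey()->keySize());` together with its `if (success != SSL_SUCCESS)` error path also removes the only check in this hunk that the key yapet derived actually has the cipher's key size: for a fixed-length cipher such as AES-256-CBC that call fails when the requested length differs, whereas after this change EVP_CipherInit_ex will simply read EVP_CIPHER_CTX_key_length(context) bytes from whatever getKey() holds. If keySize() is not validated elsewhere, keep an explicit comparison against EVP_CIPHER_CTX_key_length(context) where the removed call was, so a short key is rejected rather than read past its end. The commit message sentence "because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the function does not change the size" also reads as if a word is missing; stating plainly that AES-256 has a fixed 32-byte key, so the call was a no-op, would document the motivation better.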
Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1
Hi,

Disclaimer, this is not an authoritative answer as I'm not part of the
stable release managers.

On Mon, Apr 08, 2024 at 12:27:50PM +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
>
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
>
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
>
> [ Tests ]
> Upstream's tests continue to pass, and they have also added new tests to
> cover this security issue.
>
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
> Upstream adds a few more if statements to avoid the segmentation
> fault, and thus resolve the security vulnerability.
>
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
>
> Thanks,
> Maytham
> diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300
> +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.0 +0300
> @@ -1,3 +1,13 @@
> +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium

The target distribution should be simply bookworm.

> +
> + * Update Maintainer field
> + * Bump Standards-Version to 4.6.2 (no changes)

This is usually not allowed to do in a stable update.

> + * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> +(Closes: #1059287)
> + * Add Build-Depends-Package to symbols

While this might be sensible, I'm not sure if SRM will accept it.

So you might want to adjust the things above already and seek an ack from
SRM.

Regards,
Salvatore
Bug#1066965: bookworm-pu: package newlib/3.3.0-2
Hi,

On Tue, Apr 02, 2024 at 12:36:53PM +0200, Petter Reinholdtsen wrote:
>
> Btw, what is the timeline for approval or rejection for this security
> upload proposal?

Note that if you are confident that the upload is accepted as is, you
*could* already upload according to the improved workflow. *But* given
the uncertainty whether SRM want you to have the version changed, I would
wait for their ack.

Regards,
Salvatore
Bug#1066965: bookworm-pu: package newlib/3.3.0-2
Hi

[disclaimer, not an authoritative answer as not part of the stable
release managers]

On Sat, Mar 16, 2024 at 09:09:05AM +0100, Petter Reinholdtsen wrote:
>
> Package: release.debian.org
>
> The https://tracker.debian.org/pkg/newlib package got an open
> security problem with malloc and friends in stable and oldstable, see
> https://bugs.debian.org/984446 for the CVE issue. The package
> is orphaned.
>
> I would like to fix the bug at least in stable, and propose the
> following upload. The change is already in the git repo on salsa in the
> debian/bookworm branch. The problem is already fixed in unstable and
> testing with a new version of the upstream code. The fix to stable is
> only the minimal patch to solve the issue.
>
> I propose to use the version number 3.3.0-2, but am open to better
> proposals. The version in testing is 4.4.0.20231231-2.

Usually you would choose 3.3.0-1.3+deb12u1 for this update, but given
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.

>
> Complete proposed patch is below:
>
> diff --git a/debian/changelog b/debian/changelog
> index b3e3ef851..1c8ddc5cb 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +newlib (3.3.0-2) bookworm; urgency=medium
> +
> + * QA upload.
> + * Orphan package to reflect status in Unstable.
> + * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
> +check in malloc and friends.

I would add the bug closer for #984446 as well.

Regards,
Salvatore
Uploading linux (6.7.9-2)
Hi

While I realize there are a lot of changes going on in unstable, I still
would like to upload linux version 6.7.9-2 (yes, no new upstream version)
mitigating the Register File Data Sampling (RFDS) vulnerability
(CVE-2023-28746). This goes along with an intel-microcode update which was
already uploaded to unstable:

https://tracker.debian.org/news/1511674/accepted-intel-microcode-3202403121-source-into-unstable/

 * [x86] Mitigate Register File Data Sampling (RFDS) vulnerability
   (CVE-2023-28746):
   - x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set
   - Documentation/hw-vuln: Add documentation for RFDS
   - x86/rfds: Mitigate Register File Data Sampling (RFDS)
   - KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests

Regards,
Salvatore
Uploading linux (6.7.9-1)
Hi

I would like to upload linux version 6.7.9-1 to unstable soon if possible.
There is the import of 6.7.8 and 6.7.9 from the 6.7.y stable series.

Note that src:linux is not binNMU safe buildable and thus this is (for the
time being) disabled since
https://salsa.debian.org/kernel-team/linux/-/commit/d7ea1ea90ff4901a89fec9065427ed522f2fa2d9

This means that the triggered rebuilds for the time_t transition did fail:
https://buildd.debian.org/status/package.php?p=linux

There is planned to include a bugfix as well on top:

 * [x86] platform/x86: p2sb: On Goldmont only cache P2SB and SPI devfn BAR
   (Closes: #1065320)

Regards,
Salvatore
Uploading linux (6.7.7-1)
Hi

I would like to upload linux version 6.7.7-1 to unstable over the weekend.
The new upload would consist of a new upstream version switching to the
6.7.y series in unstable.

Apart from switching from the 6.6.y to the 6.7.y series there are
additional changes covering:

 * Enable CONFIG_MFD_RK8XX_SPI for RK3588 SoC
   - MFD_RK8XX_SPI as built-in, same behavior as MFD_RK8XX_I2C
 * [armhf] Enable DRM_PANEL_MIPI_DBI as a module for stm32mp157c-lxa-tac-gen2.
 * Backport a patch from v6.8-rc1 to be more verbose about pending deferred
   probes helping debugging of failed boot attempts.
 * [arm64] Make PINCTRL_ROCKCHIP builtin.
 * [x86] drivers/hwmon: Enable SENSORS_HP_WMI as module (Closes: #1064507)
 * [loong64] Build kernel image and udebs for loong64 (Closes: #1053650)

The following were already included in earlier experimental uploads:

 * [riscv64] Add clock, MFD, PCIe PHYs, regulator and RTC drivers to
   kernel-image udeb.
 * [riscv64] Disable CRYPTO_DEV_JH7110, it is broken.
 * Make linux-libc-dev provide all cross packages.
 * Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
   (Closes: #1061521)
 * [arm64] drivers/thermal/qcom: enable QCOM_SPMI_ADC_TM5 as module for
   thermal throttling on the Lenovo ThinkPad X13s.
 * drivers/hwmon: Enable SENSORS_IIO_HWMON as module (Closes: #1057272)
 * Enable bcachefs filesystem support
   - fs/bcachefs: Enable BCACHEFS_FS as module
   - fs/bcachefs: Enable BCACHEFS_QUOTA
   - fs/bcachefs: Enable BCACHEFS_POSIX_ACL
 * media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
 * [riscv64] Enable ARCH_SOPHGO and ARCH_THEAD.
 * [riscv64] Disable ARCH_R9A07G043 as it now depends on NONPORTABLE.
 * [riscv64] Enable PHY_STARFIVE_JH7110_DPHY_RX, PHY_STARFIVE_JH7110_PCIE
   and PHY_STARFIVE_JH7110_USB as modules.
 * [powerpc,ppc64,ppc64el] Drop ipddp from nic-modules.
 * [riscv64] Enable LEDS_PWM and LEDS_PWM_MULTICOLOR as modules.
 * [arm64, armhf] drivers/net/phy: Enable ADIN_PHY as module
   (Closes: #1043354)
 * [arm64] Enable CSI camera stack for i.MX8M SoCs (Closes: #1055442)
 * Enable configs for MT8195 Chromebooks:
   - COMMON_CLK_MT8195 as built-in
   - COMMON_CLK_MT8195_APUSYS, COMMON_CLK_MT8195_AUDSYS,
     COMMON_CLK_MT8195_IMP_IIC_WRAP, COMMON_CLK_MT8195_MFGCFG,
     COMMON_CLK_MT8195_MSDC, COMMON_CLK_MT8195_SCP_ADSP,
     COMMON_CLK_MT8195_VDOSYS, COMMON_CLK_MT8195_VPPSYS,
     COMMON_CLK_MT8195_CAMSYS, COMMON_CLK_MT8195_IMGSYS,
     COMMON_CLK_MT8195_WPESYS, COMMON_CLK_MT8195_VDECSYS,
     COMMON_CLK_MT8195_VENCSYS as modules
   - MFD_MT6360, REGULATOR_MT6315, REGULATOR_MT6359, REGULATOR_CROS_EC,
     MTK_LVTS_THERMAL as modules
   - MTK_ADSP_MBOX, MTK_ADSP_IPC, SND_SOC_SOF_OF, SND_SOC_MT8195,
     SND_SOC_MT8195_MT6359, SND_SOC_SOF_MT8195 as modules
   - SND_SOC_SOF_TOPLEVEL, SND_SOC_SOF_MTK_TOPLEVEL as built-in
   - DRM_MEDIATEK_DP, PHY_MTK_DP, PHY_MTK_PCIE, PHY_MTK_UFS as modules
   - PINCTRL_MT8195, PCIE_MEDIATEK_GEN3, SPMI_MTK_PMIF as built-in
 * [arm64] drivers/rtc: Enable RTC_DRV_RS5C372 as module
 * Revert "Run dh_movetousr also in signed images."
 * Fix config specified CFLAGS on kernel builds. Also drop old definitions
   that have not worked for a long time.
 * Disable ability to do binNMU. The Debian infrastructure is not ready to
   binNMU signed packages. But they instead just break the dependencies
   within this package.
 * Restructure and cleanup complete config:
   - Uses TOML instead of our home-grown INI based format.
   - Don't export a config dump anymore, it is no longer in use.
 * Generate and ship vmlinux.h in linux-headers package.
 * [arm64] Set QCOM_QSEECOM and QCOM_QSEECOM_UEFISECAPP to 'y' in order to
   add support for EFI variables on the Lenovo X13s.
 * [arm64] Support HDMI output on TI SK-AM62. Enable DRM_SII902X and
   DRM_TIDSS as modules.
 * [arm64] udeb: Include sun8i-drm-hdmi module in installer
   (Closes: #1050315)
 * Generate separate package tests for every flavour.
 * Fix stripping of vmlinux binaries. (closes: #1059713)
 * Ignore vmlinux for shlibs. (closes: #1059676)
 * Drop not working selftests. (closes: #1059765)
 * Always build with CROSS_COMPILE set.
 * Run dh_movetousr also in signed images.
 * Fix some remaining cross build problems.
 * Enable MODULE_DECOMPRESS
 * [ppc64] Build PowerNV PCIe hotplug driver as a module
 * [riscv64] udeb: Add efi-modules and xfs-modules.
 * [arm64] Add support for NXP i.MX8M PCIe
   - drivers/phy/freescale: Enable PHY_FSL_IMX8M_PCIE as module

I hope it's not too controversial to make this switch to the 6.7.y series
now.

Regards,
Salvatore
Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5
Hi Andreas,

On Thu, Feb 01, 2024 at 06:35:38AM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2024-01-20 at 15:53 +0100, Andreas Metzler wrote:
> > I would like to fix both CVE-2024-0567 and CVE-2024-0553 via a
> > oldstable-updates since they do not require a DSA.
>
> Please go ahead.

Andreas, did you see the ack from Adam?

FTR, please keep the CVE references now, as we have the incomplete fix in
bullseye for CVE-2023-5981 with the 3.7.1-5+deb11u4.

Regards,
Salvatore
Bug#1063675: bookworm-pu: package nvidia-graphics-drivers/525.147.05-6~deb12u1
Hi Andreas,

On Mon, Feb 12, 2024 at 12:37:44AM +0100, Andreas Beckmann wrote:
> On 11/02/2024 21.36, Salvatore Bonaccorso wrote:
> > If I can add a comment: I (but note I'm not wearing a
> > nvidia-graphics-drivers maintainer hat) would support that, as there
> > are enough people affected by this. This is quite unfortunate and I'm
> > open to hear ideas how we can try to avoid such fallouts.
>
> I was aware of the bug (#1062932) but not of the fact a point release was
> upcoming. Even if I had been aware of the point release I'm not sure if I
> had realized the impact of this bug to make me yell ;-)
> Perhaps once point release dates have been chosen, this could be announced
> to d-d-a@ as well.
> I'm not following debian-release@ ... -ENOTIME
>
> > As you know we are strictly following upstream stable series (and
> > trying our best to keep an eye on as well regression reports upstream,
> > but OOT modules are not explicitly tested, so neither the nvidia ones)
>
> Are autopkgtests being run for proposed-updates? That should have shown the
> issue.

Yes, there are in fact autopkgtests being run, so this should have been
caught (and at least decided what to do, i.e. not release 6.1.76-1, not
ideal, or deal with the nvidia drivers as well during the still allowed
window). But to be very honest: I did miss this regression report on the
overview page. At least according to Paul on IRC the test should have
been run.

> It was unfortunate that this upstream backported change appeared in
> proposed-updates first and in sid only a few days later. And the
> metapackages from linux-signed-amd64 are still depending on the version
> before this change was introduced ... so I only could reproduce the issue
> (and verify fixes) manually. (The module build test done during the package
> build did not use the regressing headers.)

Right, the 6.6.15 upload to unstable had a couple of issues: first failing
to build the arch:all packages, then the linux-signed-amd64 were waiting
to be processed, and once that happened, we have now a FTBFS due to
interaction with a new kmod upload (Filed #1063804). It is not that usual
that otherwise we would have that change in bookworm (queued in
proposed-updates) before we had a similar change in unstable (or
experimental).

> Then I had to spend quite some time verifying that the issue only happened
> on amd64 and since the 460 series (despite ppc64el having even more calls
> to pfn_valid() dating back to the 418 series).

I would like to thank you again for the time you invested here to deal
with that issue!

> Andreas
>
> PS: @Salvatore: Looking forward to see some linux 6.8 packages in
> experimental s.t. I can throw them in my module build chroot to see what
> breaks next :-) Or do you already have some early build available somewhere
> while experimental is still preparing 6.7?

We have to move 6.7.y next to unstable. But I'm not completely sure if we
are there yet, need to ask Bastian Blank about the plan. After that
experimental is freed we can go ahead with 6.8.y for experimental, but
there are yet no packages to test with :(

Regards,
Salvatore
Bug#1063675: bookworm-pu: package nvidia-graphics-drivers/525.147.05-6~deb12u1
Hi Jonathan,

On Sun, Feb 11, 2024 at 12:29:45AM +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
>
> On Sat, Feb 10, 2024 at 11:00:58PM +0100, Andreas Beckmann wrote:
> > [ Reason ]
> > 1) A backported (by upstream) change in Linux 6.1.76 (included in
> > today's point release) broke compilation of the non-free nvidia kernel
> > module. A patched version of the driver is available in sid.
> >
> > 2) In order to simplify future maintenance of the many Nvidia driver
> > packages (also in stable and oldstable) I'm going to remove the
> > distinction between "normal" and "Tesla" drivers (they were at the
> > same version in stable anyway). The Tesla specific bits
> > (src:nvidia-graphics-drivers-tesla) will be merged into
> > src:nvidia-graphics-drivers (that mainly means addition of the ppc64el
> > architecture to these packages, and building some binary packages from
> > src:nvidia-graphics-drivers instead: nvidia-powerd, nvidia-cuda-mps).
> > nvidia-detect has been updated, too, as it no longer needs to
> > distinguish the Tesla variants.
> > There will be one further update to src:nvidia-graphics-drivers-tesla
> > in stable that turns these packages into transitional packages depending
> > on their counterparts from src:nvidia-graphics-drivers. (Separate PU
> > request upcoming.)
> > There will also be a PU request for nvidia-settings, as we need to
> > enable building that on ppc64el. (The src:nvidia-settings-tesla package
> > will then become obsolete.)
> >
> > 3) In order to better integrate the nvidia driver with the system power
> > management, a new package nvidia-suspend-common is being introduced
> > which properly ships and enables some systemd units that were previously
> > only being shipped as examples. These power management changes are an
> > enhancement for the 525 series, but seem to be required in the 535
> > series. (We will have to switch to the 535 LTSB series in stable soon,
> > as 525 has reached EoL. 535 will be supported till mid 2026, so that will
> > be the last driver branch switch for bookworm.)
> > nvidia-suspend-common was already prepared in the previous pu update,
> > but not yet enabled on stable as it hadn't undergone enough testing. As
> > no new issues have popped up on sid, I'm confident to enable this in
> > stable now.
>
> Please go ahead. Is this something we should release early through
> stable-updates, given the breakage is caused by a point release?

If I can add a comment: I (but note I'm not wearing a
nvidia-graphics-drivers maintainer hat) would support that, as there are
enough people affected by this. This is quite unfortunate and I'm open to
hear ideas how we can try to avoid such fallouts.

As you know we are strictly following upstream stable series (and trying
our best to keep an eye on regression reports upstream as well, but OOT
modules are not explicitly tested, so neither the nvidia ones)

Regards,
Salvatore
Bug#1057107: bullseye-pu: package libssh2/1.9.0-2
Hi Nicolas,

On Tue, Feb 06, 2024 at 01:46:04PM -0500, Nicolas Mora wrote:
> Control: tag - moreinfo
>
> Thanks,
>
> Sorry, it seems that I'm not very well aware of the BTS process, according
> to [1] this is how I should untag the bug.
>
> [1] https://www.debian.org/Bugs/server-control

If you provide the moreinfo which was requested, then you can remove the
tag as follows (or with an equivalent control command, e.g. using -1 for
the bug if directly interacting with the bug).

tags 1057107 - moreinfo

Hope this helps, too bad we missed the 11.9 for this upload.

Regards,
Salvatore
Re: Uploading linux (6.6.15-1)
Hi,

On Sat, Feb 03, 2024 at 12:32:08AM +0100, Cyril Brulebois wrote:
> Salvatore Bonaccorso (2024-02-02):
> > One thing is still unresolved, thus additionally to the explicit CC to
> > kibi, as well including debian-boot. We have the armel d-i situation
> > not yet resolved, debian-boot folks, do you have any input on the
> > situation from the thread in
> > https://lists.debian.org/debian-release/2024/01/msg00089.html ?
> > My gut feeling from what was discussed is that nobody will ever use
> > the d-i on armel.
>
> I'm not sure how much time armel will stick around (for existing
> systems), but it looks to me that d-i/armel is no longer relevant.

Thanks for your reply on the d-i side of this. So I suggest we move ahead
with transitioning 6.6.y to testing accordingly.

Thanks a lot!

Regards,
Salvatore
Uploading linux (6.6.15-1)
Hi,

I would like to upload linux version 6.6.15-1 ideally over the weekend to
unstable. The new version imports two versions of the 6.6.y stable series
(which is upstream an LTS) up to 6.6.15. It contains a larger amount of
changes as it consisted of versions released after the merge window
upstream for 6.8. Some CVEs are addressed in this update: CVE-2023-46838,
CVE-2023-50431, CVE-2024-1085 and CVE-2024-1085.

As there is an upcoming point release on the weekend of 10th of February
and as the linux uploads for both bullseye 11.9 and bookworm 12.5 need to
be ready over the weekend, those should get priority in terms of having
the signed packages available (the rest is done). So maybe 6.6.15-1 should
be accepted to be built and then signed packages done only after we have
the linux-signed-{i386,amd64,arm64} for both bullseye-pu and bookworm-pu.

One thing is still unresolved, thus additionally to the explicit CC to
kibi, as well including debian-boot. We have the armel d-i situation not
yet resolved, debian-boot folks, do you have any input on the situation
from the thread in
https://lists.debian.org/debian-release/2024/01/msg00089.html ?
My gut feeling from what was discussed is that nobody will ever use the
d-i on armel.

There are no other packaging changes apart from patch refreshes (and
upstream applied patches) for the rt featureset due to the 6.6.14 and
6.1.15 imports.

Regards,
Salvatore
Uploading linux (6.6.13-1)
I would like to upload linux version 6.6.13-1 later today to unstable. The new version imports two versions of the 6.6.y stable series (though the only commit from 6.6.12 was already included in the last update). The new upstream stable version fixes CVE-2023-6610 and CVE-2023-6915. Note that the armel situation is still unresolved from the https://lists.debian.org/debian-release/2024/01/msg00089.html thread. This will thus still prevent us from going with the 6.6.y series to testing. Regards, Salvatore
Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5
Hi, On Sat, Jan 20, 2024 at 03:53:45PM +0100, Andreas Metzler wrote: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org > Control: affects -1 + src:gnutls28 > > Hello, > > I would like to fix both CVE-2024-0567 and CVE-2024-0553 via an > oldstable-update since they do not require a DSA. Only a small remark about the CVE tracking, no direct need to change anything: CVE-2024-0553 exists because of an incomplete fix of CVE-2024-0553, so technically we have that incomplete fix not yet in any official bullseye release (apart from the bullseye-pu). For the security-tracker I therefore tend to consider CVE-2024-0553 not-affected for bullseye, but then CVE-2023-5981 only fixed in 3.7.1-5+deb11u5 rather than 3.7.1-5+deb11u4. For that I have done the following two commits: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f30f93b036b864eb245daf7dec5f70a824a7fb5c https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd218ec683140739797aa973d354e00b8660e9b Let me know if you disagree and we should revert that to track all 3 CVEs for gnutls28 in bullseye. Regards, Salvatore
Bug#1061177: bullseye-pu: package tar/1.34+dfsg-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: t...@packages.debian.org, Janos Lenart , car...@debian.org Control: affects -1 + src:tar Dear Stable release managers, [ Reason ] tar in bullseye is affected by two issues with assigned CVEs, CVE-2022-48303 and CVE-2023-39804, both of which do not warrant a DSA and have minor impact. [ Impact ] Remain vulnerable to the two CVEs, with DoS potential. [ Tests ] Verified the fixes against the PoCs available for both CVEs. [ Risks ] Should be minor, the fixes are targeted to address the respective issues and taken from the upstream git repository. Both fixes are available in unstable and testing with no regression reports to the best of my knowledge. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The upstream changes fix the boundary checking in the base-256 decoder for CVE-2022-48303 and the handling of extended header prefixes for CVE-2023-39804. [ Other info ] Nothing else. Regards, Salvatore diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog --- tar-1.34+dfsg/debian/changelog 2021-02-17 10:55:26.0 +0100 +++ tar-1.34+dfsg/debian/changelog 2024-01-20 10:59:10.0 +0100 
@@ -1,3 +1,12 @@ +tar (1.34+dfsg-1+deb11u1) bullseye; urgency=medium + + * Non-maintainer upload. + * Fix boundary checking in base-256 decoder (CVE-2022-48303) + * Fix handling of extended header prefixes (CVE-2023-39804) +(Closes: #1058079) + + -- Salvatore Bonaccorso Sat, 20 Jan 2024 10:59:10 +0100 + tar (1.34+dfsg-1) unstable; urgency=medium * New upstream version diff -Nru tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch --- tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 1970-01-01 01:00:00.0 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 2024-01-20 10:59:10.0 +0100 
@@ -0,0 +1,31 @@ +From: Sergey Poznyakoff +Date: Sat, 11 Feb 2023 11:57:39 +0200 +Subject: Fix boundary checking in base-256 decoder +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48303 + +* src/list.c (from_header): Base-256 encoding is at least 2 bytes +long. +--- + src/list.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/list.c b/src/list.c +index 9fafc425a824..86bcfdd1cc30 100644 +--- a/src/list.c b/src/list.c +@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, + where++; + } + } +- else if (*where == '\200' /* positive base-256 */ +- || *where == '\377' /* negative base-256 */) ++ else if (where <= lim - 2 ++ && (*where == '\200' /* positive base-256 */ ++ || *where == '\377' /* negative base-256 */)) + { + /* Parse base-256 output. A nonnegative number N is +represented as (256**DIGS)/2 + N; a negative number -N is +-- +2.43.0 + diff -Nru tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch --- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 1970-01-01 01:00:00.0 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 2024-01-20 10:59:10.0 +0100 
@@ -0,0 +1,62 @@ +From: Sergey Poznyakoff +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 +Bug-Debian: https://bugs.debian.org/1058079 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804 + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc +--- + src/xheader.c | 17 + + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b27cc62..3cd694d1b12a 100644 +--- a/src/xheader.c b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +-if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716
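Review bot: the new guard `where <= lim - 2` in the base-256 branch is expressed as pointer arithmetic on `lim`, which is only well defined when `lim` lies at least two bytes past the start of the field; `lim - where >= 2` states the same requirement (the marker byte plus at least one payload byte) without that assumption and reads the way the patch header phrases it ("Base-256 encoding is at least 2 bytes long"). Otherwise the hunk does exactly what the header says and nothing more, and carries Origin and Bug-Debian-Security references, which is what a stable update wants.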
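Review bot: in `keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0` the index into `keyword` is evaluated first, so an incoming keyword shorter than the table entry is read at offset `kwlen`, past its terminating NUL, before `strncmp` gets the chance to stop at that NUL; swapping the operands, `strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.'`, keeps the fix and removes the over-read. The second change announced in the header, `(xattr_decoder): Use xmalloc/xstrdup instead of alloc`, is not part of the quoted hunk (the debdiff is cut off at its `@@ -1716` line), so it could not be checked here.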
Bug#1061176: bookworm-pu: package tar/1.34+dfsg-1.2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: t...@packages.debian.org, Janos Lenart , car...@debian.org Control: affects -1 + src:tar Dear Stable release managers, [ Reason ] tar in bookworm is affected by two issues with assigned CVEs, CVE-2022-48303 and CVE-2023-39804, both of which do not warrant a DSA and have minor impact. [ Impact ] Remain vulnerable to the two CVEs, with DoS potential. [ Tests ] Verified the fixes against the PoCs available for both CVEs. [ Risks ] Should be minor, the fixes are targeted to address the respective issues and taken from the upstream git repository. Both fixes are available in unstable and testing with no regression reports to the best of my knowledge. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The upstream changes fix the boundary checking in the base-256 decoder for CVE-2022-48303 and the handling of extended header prefixes for CVE-2023-39804. [ Other info ] Nothing else. Regards, Salvatore diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog --- tar-1.34+dfsg/debian/changelog 2023-04-06 16:25:47.0 +0200 +++ tar-1.34+dfsg/debian/changelog 2024-01-20 10:27:07.0 +0100 
@@ -1,3 +1,12 @@ +tar (1.34+dfsg-1.2+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Fix boundary checking in base-256 decoder (CVE-2022-48303) + * Fix handling of extended header prefixes (CVE-2023-39804) +(Closes: #1058079) + + -- Salvatore Bonaccorso Sat, 20 Jan 2024 10:27:07 +0100 + tar (1.34+dfsg-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch --- tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 1970-01-01 01:00:00.0 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 2024-01-20 10:27:07.0 +0100 
@@ -0,0 +1,31 @@ +From: Sergey Poznyakoff +Date: Sat, 11 Feb 2023 11:57:39 +0200 +Subject: Fix boundary checking in base-256 decoder +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48303 + +* src/list.c (from_header): Base-256 encoding is at least 2 bytes +long. +--- + src/list.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/list.c b/src/list.c +index 9fafc425a824..86bcfdd1cc30 100644 +--- a/src/list.c b/src/list.c +@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const *type, + where++; + } + } +- else if (*where == '\200' /* positive base-256 */ +- || *where == '\377' /* negative base-256 */) ++ else if (where <= lim - 2 ++ && (*where == '\200' /* positive base-256 */ ++ || *where == '\377' /* negative base-256 */)) + { + /* Parse base-256 output. A nonnegative number N is +represented as (256**DIGS)/2 + N; a negative number -N is +-- +2.43.0 + diff -Nru tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch --- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 1970-01-01 01:00:00.0 +0100 +++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 2024-01-20 10:27:07.0 +0100 
@@ -0,0 +1,62 @@ +From: Sergey Poznyakoff +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes +Origin: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 +Bug-Debian: https://bugs.debian.org/1058079 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804 + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc +--- + src/xheader.c | 17 + + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b27cc62..3cd694d1b12a 100644 +--- a/src/xheader.c b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +-if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716
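Review bot: this is the same upstream hunk as in the bullseye debdiff of #1061177 and the one remark carries over: `where <= lim - 2` relies on `lim - 2` being a valid pointer, whereas `lim - where >= 2` says "at least two bytes remain" directly and with no precondition on the field width. Nothing else in the hunk goes beyond the description in the patch header.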
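Review bot: as in the bullseye copy of this patch in #1061177, `keyword[kwlen] == '.'` is tested before `strncmp (p->keyword, keyword, kwlen) == 0`, so an incoming keyword shorter than `kwlen` is indexed past its NUL; evaluating the `strncmp` first avoids the over-read without changing what is accepted. The quoted debdiff ends inside this patch at `@@ -1716`, so the `xattr_decoder` allocation change listed in its header is not visible for review.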
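A small Python re-implementation of the two parsing rules these patches fix, added here as an example and not taken from GNU tar or from either of the tar bug reports (#1061177 and this one): `decode_numeric()` decodes a tar numeric header field and applies the "at least two bytes" check before touching a base-256 value, and `locate_prefix_handler()` matches a pax keyword against prefix entries only when the prefix is followed by a dot. The `PREFIX_KEYWORDS` table is a constructed, abbreviated stand-in for tar's `xhdr_tab`, and the sample fields in the `__main__` block are constructed too.

```python
"""Numeric-field decoder and prefix-keyword matcher for tar/pax headers.

Added example for the two tar fixes in this bug; this is not GNU tar's
code, only a Python rendering of the rules the two patch headers describe
(base-256 marker bytes 0x80/0xff need a payload byte; prefix keywords match
only when followed by '.').  PREFIX_KEYWORDS is a constructed, abbreviated
stand-in for tar's xhdr_tab.
"""


def decode_numeric(field: bytes) -> int:
    """Decode one numeric header field (size, mtime, uid, ...).

    Two encodings exist: ASCII octal, possibly preceded by a NUL or by
    spaces and terminated by space or NUL, and GNU base-256, announced by
    a first byte of 0x80 (non-negative) or 0xff (negative).  A base-256
    value is the marker byte plus at least one payload byte, so a marker
    with nothing after it is rejected instead of being decoded by reading
    past the end of the field (the CVE-2022-48303 boundary check).
    """
    n = len(field)
    pos = 0
    # Some old tars emit a leading NUL when the previous field overflowed.
    if pos < n and field[pos] == 0:
        pos += 1
    # Older tars also pad numeric fields with leading spaces.
    while pos < n and field[pos] == 0x20:
        pos += 1
    if pos == n:
        raise ValueError("blank numeric field")
    first = field[pos]
    if first in (0x80, 0xFF):
        if n - pos < 2:
            raise ValueError("base-256 encoding needs at least 2 bytes")
        chunk = field[pos:]
        width = 8 * len(chunk)
        unsigned = int.from_bytes(chunk, "big")
        # Non-negative N is stored as 2**(width-1) + N, negative -N as 2**width - N.
        if first == 0xFF:
            return unsigned - (1 << width)
        return unsigned - (1 << (width - 1))
    digits = bytearray()
    while pos < n and field[pos] not in (0x20, 0x00):
        if not 0x30 <= field[pos] <= 0x37:
            raise ValueError("non-octal byte %#x in numeric field" % field[pos])
        digits.append(field[pos])
        pos += 1
    if not digits:
        raise ValueError("no digits in numeric field")
    return int(bytes(digits), 8)


# Constructed, abbreviated stand-in for the prefix entries of tar's
# extended-header keyword table (the real table also holds plain keywords).
PREFIX_KEYWORDS = ("SCHILY.xattr",)


def locate_prefix_handler(keyword: str):
    """Return the prefix keyword responsible for `keyword`, or None.

    The old rule was a bare prefix comparison, so "SCHILY.xattr" on its own
    or "SCHILY.xattrfoo" selected the xattr handler, which then expected an
    attribute name after the prefix.  The corrected rule only matches when
    the prefix is immediately followed by a '.' (the CVE-2023-39804 fix).
    """
    for prefix in PREFIX_KEYWORDS:
        if keyword.startswith(prefix + "."):
            return prefix
    return None


def xattr_name(keyword: str) -> str:
    """Return the attribute name carried by a SCHILY.xattr.* keyword."""
    prefix = locate_prefix_handler(keyword)
    if prefix is None:
        raise ValueError("not a prefixed keyword: %r" % keyword)
    return keyword[len(prefix) + 1:]


if __name__ == "__main__":
    # Constructed 12-byte size field in base-256 holding the value 5.
    print(decode_numeric(b"\x80" + b"\x00" * 10 + b"\x05"))
    print(decode_numeric(b"0000644\0"))
    print(locate_prefix_handler("SCHILY.xattr.user.comment"))
    try:
        decode_numeric(b"       \x80")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the module prints the decoded values and the rejection of a field that holds only the 0x80 marker byte after its padding; leading NUL or space padding that leaves a single byte is the situation the `where <= lim - 2` check in the patch is about, and `locate_prefix_handler("SCHILY.xattr")` returning `None` is the behaviour change of the second patch.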
Re: Uploading linux (6.6.10-1)
Hi, On Sun, Jan 07, 2024 at 02:14:30PM +0100, Bastian Blank wrote: > On Sun, Jan 07, 2024 at 02:03:32PM +0100, Salvatore Bonaccorso wrote: > > I would like to upload linux version 6.6.10-1 later today to unstable. > > I would like to have 6.6.9 in testing first, but we can also ignore > that. No it's fine, I will wait with the 6.6.10-1 upload until 6.6.9-1 migrates. It should, but I'm unsure about the failing glibc autopkgtest on arm64 (OTOH you have filed #1060202, so if that's as well flaky then we could ignore those and let 6.6.9-1 migrate). Regards, Salvatore
Uploading linux (6.6.10-1)
Hi I would like to upload linux version 6.6.10-1 later today to unstable. The new version imports one more 6.6.y stable series version (6.6.10). The new upstream stable version fixes in particular CVE-2024-0193 (which is already addressed in bookworm-security and bullseye-security). There is one additional commit included (which is already queued for the next stable series) to address #1058887: * wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ (Closes: #1058887) Regards, Salvatore
Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3
Hi, On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org > Control: affects -1 + src:spip > > Hi, > > This issue is similar to #1059289 for oldstable. > > Another upstream release fixed a security (XSS) issue. The last two > updates of this kind didn’t warrant a DSA, so I guess this one will not > warrant one either (security team X-D-CCed in case I’m wrong). To confirm, from security team perspective, this does not warrant a DSA and can be fixed in the upcoming point release. Regards, Salvatore
Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10
Hi, On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org > Control: affects -1 + src:spip > > Another upstream release fixed a security (XSS) issue. The last two > updates of this kind didn’t warrant a DSA, so I guess this one will not > warrant one either (security team X-D-CCed in case I’m wrong). To confirm, from security team perspective, this does not warrant a DSA and can be fixed in the upcoming point release. Regards, Salvatore
Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6
Hi, On Mon, Dec 25, 2023 at 10:35:16AM +0100, Tobias Frost wrote: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: hapr...@packages.debian.org, t...@security.debian.org > Control: affects -1 + src:haproxy > > Hi, > > For ELTS I was fixing haproxy's CVEs CVE-2023-40225 and CVE-2023-45539, > and I would also like to fix those for stable and oldstable. > > CC'ing the security team, in case they want to issue a DSA instead. > > The changes can also be found on the LTS repository: > https://salsa.debian.org/lts-team/packages/haproxy > > [ Tests ] > I've tested the fixes manually, using netcat to inject > problematic http requests and confirm that the patched > version rejects the malicious requests. (using nginx and > also netcat as http server.) > > (Being verbose here to document the tests for later reference ;-)) > > haproxy is listening on port 8080 > > e.g. for CVE-2023-40225: > echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080 > must be rejected with 400 Bad Request > and without the "#" accepted. > > for CVE-2023-45539, nginx is stopped, and netcat listens on port 80: > echo 'GET / HTTP/.1.1 > host: whatever > content-length: > ' | netcat localhost 8080 > > If the request is accepted (and forwarded to the listening netcat), > haproxy is vulnerable. If a "400 Bad request" is thrown, without > netcat receiving something, haproxy is not vulnerable. > > (haproxy is running on port 8080) > > [ Risks ] > Upstream patch, applied cleanly. > > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable > [x] the issue is verified as fixed in unstable > > Debdiff attached. > > I've uploaded the package to o-s-p-u already. Thanks, but I have already worked on the haproxy update for bullseye and bookworm.
SRM, can you please reject the packages from stable-new and oldstable-new so once I release the DSA, that version won't clash versionwise? Regards, Salvatore
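The two netcat probes Tobias describes, turned into a script; this is an added example and not part of the original mail, of the haproxy update or of the LTS repository. It sends a request with `#` in the target and a request with an empty `Content-Length` header (modelled on the one-liners above, with CRLF line endings and `HTTP/1.1` as the version) and reports a probe as rejected only when the front end itself answers 400, because a request that was forwarded shows up either as a backend answer or as silence. `localhost:8080`, the listener in the thread, is the assumed default; `serve_canned()` is test scaffolding that stands in for haproxy so the code can be exercised offline.

```python
"""Probe an HTTP front end with the two malformed requests from the test
notes in this thread: a '#' in the request target and an empty
Content-Length header.

Added example, not part of the original mail or of the haproxy package.
It reproduces the netcat one-liners as a script and checks only whether
the front end itself answers 400.  localhost:8080 (the port used in the
thread) is the assumed default; serve_canned() stands in for haproxy so
the script can be run offline.
"""
import socket
import sys
import threading

# Constructed raw requests modelled on the two echo | netcat probes.
PROBES = {
    "hash_in_target": b"GET /index.nginx-debian.html# HTTP/1.0\r\n\r\n",
    "empty_content_length": (
        b"GET / HTTP/1.1\r\n"
        b"Host: whatever\r\n"
        b"Content-Length: \r\n"
        b"\r\n"
    ),
}


def parse_status(response: bytes):
    """Status code from the first line of an HTTP response, or None when
    nothing parseable came back (empty reply, backend silence, junk)."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def send_raw(host: str, port: int, payload: bytes, timeout: float = 3.0):
    """Send raw bytes on a fresh TCP connection; return the status code or None."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            while b"\r\n\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # forwarded to a silent backend: reported as not rejected
    return parse_status(data)


def assess(statuses: dict) -> dict:
    """A probe counts as rejected only on a 400 from the proxy; a 2xx, a 5xx
    produced after forwarding, or no answer at all means the malformed
    request was let through the front end."""
    return {name: status == 400 for name, status in statuses.items()}


def run_probes(host: str, port: int) -> dict:
    return assess({name: send_raw(host, port, payload) for name, payload in PROBES.items()})


def serve_canned(response: bytes, connections: int = 1) -> int:
    """Listen on an ephemeral 127.0.0.1 port and answer `connections`
    clients with `response`; returns the port.  Offline stand-in for haproxy."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(connections)

    def serve():
        for _ in range(connections):
            conn, _addr = listener.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(response)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    for name, rejected in run_probes(host, port).items():
        print(f"{name}: {'rejected with 400' if rejected else 'NOT rejected'}")
```

Run it as `python3 probe.py localhost 8080` against the proxy under test; the control request without the `#` from the thread is deliberately not included, because a 200 or 503 for it depends on whether a backend is up, while the two probes above must come back as 400 from the proxy regardless of the backend.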
Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1
Hi, On Thu, Dec 21, 2023 at 03:16:22PM -0500, M. Zhou wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: f...@packages.debian.org > Control: affects -1 + src:fish > > > [ Reason ] > > Cherry-pick upstream fix to CVE-2023-49284 > > [ Impact ] > > This is a low severity security issue that affects basically > all historical releases of fish. The upstream created new > releases (i.e. 3.6.2) solely for fixing this bug. > https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/ > So it would be good if we can integrate the fix into stable. > > > [ Tests ] > > The fix is already included in fish/3.6.4-1 (sid). > The rebased patch passed my local sbuild test. > I installed the package in a chroot and tested it. > > [ Risks ] > > low. > > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable > [x] the issue is verified as fixed in unstable > > [ Changes ] > > Only one change. Please refer to the patch header for explanation. > > [ Other info ] > > diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog > --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400 > +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500 > @@ -1,3 +1,9 @@ > +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium > + > + * Cherry-pick upstream fix for CVE-2023-49284. Can you as well add a bug closer for #1057455? Regards, Salvatore
Bug#1057179: Acknowledgement (bookworm-pu: package mariadb-10.6 1:10.11.6-0+deb12u1)
Hi Otto, On Sat, Dec 09, 2023 at 10:58:09PM +0800, Otto Kekäläinen wrote: > Hi Debian security team! > > MariaDB 1:10.11.6-1 entered Trixie only today after being stuck in > pending migration since Nov 28th from unstable. This > 1:10.11.6-0+deb12u1 missed the point update window. > > Are you OK if we proceed with this as a security upload? I do not think we really need that. There is only scarce information on the only CVE fixed, CVE-2023-22084, and the official description seems to require a high privileged attacker. But maybe you could reach out to MariaDB upstream so we can have a better idea on the fixed issue? I would suggest you just upload what you prepared to the proposed-updates queues so it can be exposed to further testing by the release team tooling, and it will be included in the 12.4 point release. That is not even a problem if there will be a later incremental update on it. Regards, Salvatore
Re: Bug#1057843: linux: ext4 data corruption in 6.1.64-1
Hi, On Sat, Dec 09, 2023 at 03:07:37PM +0100, Salvatore Bonaccorso wrote: > Source: linux > Version: 6.1.64-1 > Severity: grave > Tags: upstream > Justification: causes non-serious data loss > X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, > a...@debian.org > > Hi > > I'm filing this for visibility. > > There might be an ext4 data corruption issue with the kernel released > in the 12.3 bookworm point release (which is addressed in 6.1.66 > upstream already). > > The report about the regression and some details: > > https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/ 6.1.66 upstream fixes the issue: # uname -a Linux bookworm-amd64 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-06) x86_64 GNU/Linux # LTP_SINGLE_FS_TYPE=ext4 LTP_DEV_FS_TYPE=ext4 ./preadv03_64 tst_device.c:96: TINFO: Found free device 0 '/dev/loop0' tst_test.c:1690: TINFO: LTP version: 20230929-194-g5c096b2cf tst_test.c:1574: TINFO: Timeout per run is 0h 00m 30s tst_supported_fs_types.c:149: TINFO: WARNING: testing only ext4 tst_supported_fs_types.c:90: TINFO: Kernel supports ext4 tst_supported_fs_types.c:55: TINFO: mkfs.ext4 does exist tst_test.c:1650: TINFO: === Testing on ext4 === tst_test.c:1105: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts='' mke2fs 1.47.0 (5-Feb-2023) tst_test.c:1119: TINFO: Mounting /dev/loop0 to /tmp/LTP_preGGYjTj/mntpoint fstyp=ext4 flags=0 preadv03.c:102: TINFO: Using block size 512 preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 'a' expectedly preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 'a' expectedly preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 'b' expectedly Summary: passed 3 failed 0 broken 0 skipped 0 warnings 0 Regards, Salvatore
Bug#1057843: linux: ext4 data corruption in 6.1.64-1
Source: linux Version: 6.1.64-1 Severity: grave Tags: upstream Justification: causes non-serious data loss X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, a...@debian.org Hi I'm filing this for visibility. There might be an ext4 data corruption issue with the kernel released in the 12.3 bookworm point release (which is addressed in 6.1.66 upstream already). The report about the regression and some details: https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/ Regards, Salvatore
Re: maintainer built binary package in stable release, still (Re: Bug#1054401: bookworm-pu: package nagios-plugins-contrib/42.20230308+deb12u1)
Hi Adam, On Thu, Dec 07, 2023 at 01:56:34PM +, Adam D. Barratt wrote: > On Thu, 2023-12-07 at 12:40 +0100, Paul Gevers wrote: > > Hi, > > > > On 07-12-2023 12:20, Adrian Bunk wrote: > > > On Thu, Dec 07, 2023 at 11:18:42AM +0100, Paul Gevers wrote: > > > > I hope that in several hours, > > > > https://release.debian.org/britney/excuses_s-p-u.html will have > > > > the answer. > > > > > > it should find packages like jtreg6 that are scheduled for the next > > > point release, but it won't find packages like gmp that went into > > > bullseye 2 years ago. > > > > Ack. Indeed it spots: > > cacti, fastdds, freetype, grub-efi-amd64-signed, grub-efi-arm64- > > signed, > > grub-efi-ia32-signed, jtreg6, llvm-toolchain-16, node-babel7, > > node-browserify-sign and slurm-wlm. A bunch of them have arch:all > > binaries. > > Heh at cacti being in the list. :-) > > fwiw the grub-efi-*-signed packages were built on buildds, in the > security archive. They got rejected when they were copied over to ftp- > master, due to the grub2 versus grub-efi-* naming issue that's been > mentioned on debian-release before. In order to get them into stable- > new, I resigned the changes files and re-uploaded them. The packages > themselves are identical to those released via security.d.o (they're > the same files). > > Similarly, the two fastdds uploads were rejected between the security > archive and ftp-master as the buildd keys had expired in the meantime, > so I simply re-signed and re-uploaded them. > > Relatedly, if a binary upload was performed to the security archive > then any binNMUs should likely happen there and then be synced across > to stable, otherwise we're only resolving part of the issue. Hmm technically likely right, but in security we cannot very well handle the binNMUs (only if the source is already present there, otherwise ftp-masters need to inject the sources first). 
This is related to https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull?highlight=%28gen-DSA%29#BinNMUs and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823820 (well more broadly to have source available). Regards, Salvatore
Re: Bug in linux 6.1.64-1 (source) into proposed-updates
Hi, On Tue, Dec 05, 2023 at 06:14:43PM +0100, djw6g6b5...@temp.mailbox.org wrote: > There's a bug in linux-image-amd64 version 6.1.64-1 for bookworm. > The update breaks wlan on a Lenovo T490s. Current versions used to work > fine. I'm unable to submit a bug report. ('Message with no Package: tag > cannot be processed! (linux-image-amd64 (version 6.1.64-1 breaks Wlan > functionality)) > ') > > Can you please pass this info to the maintainers? If any more info is needed > please let me know. Please do file a bug, ideally with reportbug so additional system information is already attached to the initial report. Please also attach kernel logs to that bug report. If you cannot use reportbug, as the above seems to indicate, then make sure to add the pseudo-headers as described in https://www.debian.org/Bugs/Reporting . Hope this helps already, Regards, Salvatore
Bug#1057274: bookworm-pu: package gimp/2.10.34-1+deb12u2
Hi Adrian, On Sat, Dec 02, 2023 at 04:46:22PM +0200, Adrian Bunk wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: Salvatore Bonaccorso > > * Add Conflicts+Replaces: gimp-dds to remove old versions of this > plugin shipped by gimp itself since 2.10.10. (Closes: #1057149) > > gimp-dds is an older version of a plugin already included > in gimp in bookworm, it also has CVE-2023-1 (DSA-5564-1) > unfixed. > > Removal of gimp-dds from bookworm has already been requested > in #1056710, this update additionally removes stale versions > a user might still have installed. Thanks for taking care of it. Regards, Salvatore
Bug#1054421: bookworm-pu: package weborf/0.19
Hi Salvo, On Wed, Nov 29, 2023 at 11:39:40PM +0100, Salvo Tomaselli wrote: > Hello, > > Go ahead with what? > > Do a new debdiff with the fixed version in the changelog? I understand Adam as "please just adjust the version as discussed to 0.19-2.1+deb12u1 and then feel free to upload the package for bookworm". Regards, Salvatore
Uploading linux (6.5.13-1)
Hi, I would like to upload linux version 6.5.13-1 today to unstable. The new version imports new stable series versions up to 6.5.13. A (manual) ABI bump is included. With the upload CVE-2023-6111 is addressed as well. The RT patchset remains disabled and is pending to be enabled with the 6.6.y versions in experimental. After at least one upload of the 6.6.y series to experimental, we *might* move it to unstable, but Bastian has a better overview of whether we will already be able to do that. There are no other packaging changes this time apart from the ABI bump. Regards, Salvatore
Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2
Hi Nicolas, On Mon, Nov 27, 2023 at 08:00:39AM -0500, Nicolas Mora wrote: > Hello, > > Here is a new debdiff for the glewlwyd/2.5.2-2+deb11u2 package, which now > also includes the fix for CVE-2023-49208. > diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog > --- glewlwyd-2.5.2/debian/changelog 2021-12-17 07:51:46.0 -0500 > +++ glewlwyd-2.5.2/debian/changelog 2023-11-24 08:14:30.0 -0500 > @@ -1,3 +1,18 @@ > +glewlwyd (2.5.2-2+deb11u2.1) bullseye; urgency=medium Small remark, the version ideally is set to 2.5.2-2+deb11u3. Regards, Salvatore
Bug#1056711: RM: gimp-dds/3.0.1-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: t...@security.debian.org, Adrian Bunk , car...@debian.org Dear stable release managers, Please remove src:gimp-dds in the next bullseye point release. Its functionality has been integrated into gimp upstream since 2.10.10. Removal is possible: carnil@coccia:~$ dak rm --suite=bullseye -n -R gimp-dds Will remove the following packages from bullseye: gimp-dds |3.0.1-1 | source gimp-dds | 3.0.1-1+b1 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x Maintainer: Debian Games Team --- Reason --- -- Checking reverse dependencies... No dependency problem found. carnil@coccia:~$ For unstable it has been removed this year with #1043520. Additionally a gimp point release update might add a Breaks so the package gets deinstalled as well. Regards, Salvatore
Bug#1056710: RM: gimp-dds/3.0.1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm X-Debbugs-Cc: t...@security.debian.org, b...@debian.org, car...@debian.org Dear stable release managers, Please remove src:gimp-dds in the next bookworm point release. Its functionality has been integrated into gimp upstream since 2.10.10. Removal is possible: carnil@coccia:~$ dak rm --suite=bookworm -n -R gimp-dds Will remove the following packages from bookworm: gimp-dds |3.0.1-3 | source, amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x Maintainer: Debian QA Group --- Reason --- -- Checking reverse dependencies... No dependency problem found. carnil@coccia:~$ For unstable it has been removed this year with #1043520. Additionally a gimp point release update might add a Breaks so the package gets deinstalled as well. Regards, Salvatore
Bug#1055965: bookworm-pu: package network-manager-openconnect/1.2.8-3+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: network-manager-openconn...@packages.debian.org, Florian Echtler , Luca Boccassi , car...@debian.org Control: affects -1 + src:network-manager-openconnect Hi Stable release managers, [ Reason ] In recent cases where institutions updated their Cisco AnyConnect server, connecting with openconnect requires passing an appropriate User-Agent. Cf. for instance https://gitlab.com/openconnect/openconnect/-/issues/544 . The network-manager-openconnect plugin for NetworkManager had no possibility to configure this. As a result, after such updates users using the NetworkManager plugin cannot connect to the VPN servers. [ Impact ] Impossibility to use the NetworkManager plugin for openconnect in situations where the Cisco AnyConnect server has been updated. [ Tests ] I manually tested the plugin in one affected configuration. After the update the GUI field for configuring the User-Agent can be set for the specific configuration. [ Risks ] Patches have been taken from upstream and apply with a minor context tweak to the older version. Luca has reviewed and acked the MR in https://salsa.debian.org/debian/network-manager-openconnect/-/merge_requests/6 [ Checklist ] [x] *all* changes are documented in the d/changelog (the salsa pipeline one is not, but has no user impact) [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Adds support for the mentioned User-Agent field and setting. [ Other info ] Nothing. Regards, Salvatore diff -Nru network-manager-openconnect-1.2.8/debian/changelog network-manager-openconnect-1.2.8/debian/changelog --- network-manager-openconnect-1.2.8/debian/changelog 2022-05-21 15:35:15.0 +0200 +++ network-manager-openconnect-1.2.8/debian/changelog 2023-11-14 15:15:44.0 +0100 
@@ -1,3 +1,14 @@ +network-manager-openconnect (1.2.8-3+deb12u1) bookworm; urgency=medium + + [ Salvatore Bonaccorso ] + * Add User Agent to Openconnect VPN for NetworkManager (Closes: +#1053467) + * Use openconnect_set_useragent() where available + * Add support for GTK4 in user-agent calls + * Add Build-Depends on libgtk-4-bin for gtk4-builder-tool + + -- Luca Boccassi Tue, 14 Nov 2023 14:15:44 + + network-manager-openconnect (1.2.8-3) unstable; urgency=medium * Bump Standards-Version to 4.6.1, no changes diff -Nru network-manager-openconnect-1.2.8/debian/control network-manager-openconnect-1.2.8/debian/control --- network-manager-openconnect-1.2.8/debian/control2022-05-21 15:35:15.0 +0200 +++ network-manager-openconnect-1.2.8/debian/control2023-11-14 15:15:44.0 +0100 @@ -8,6 +8,7 @@ libgcr-3-dev, libglib2.0-dev, libgtk-3-dev, + libgtk-4-bin, libgtk-4-dev, libnm-dev, libnma-dev, diff -Nru network-manager-openconnect-1.2.8/debian/gbp.conf network-manager-openconnect-1.2.8/debian/gbp.conf --- network-manager-openconnect-1.2.8/debian/gbp.conf 2022-03-14 00:08:09.0 +0100 +++ network-manager-openconnect-1.2.8/debian/gbp.conf 2023-11-14 15:15:44.0 +0100 @@ -1,5 +1,6 @@ [DEFAULT] pristine-tar = True +debian-branch = debian/bookworm [import-orig] upstream-vcs-tag = %(version)s diff -Nru network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch --- network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch 1970-01-01 01:00:00.0 +0100 +++ network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch 2023-11-14 15:15:44.0 +0100 
@@ -0,0 +1,302 @@ +From: Debasish Patra +Date: Sat, 29 Aug 2020 17:58:16 -0400 +Subject: Add User Agent to Openconnect VPN for NetworkManager +Origin: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/commit/b5e154c06fd9013a925f85c2aa38d88e4ee53db0 +Bug-Debian: https://bugs.debian.org/1053467 + +--- + auth-dialog/main.c| 3 +- + properties/nm-openconnect-dialog.ui | 73 +-- + properties/nm-openconnect-editor-plugin.c | 5 ++ + properties/nm-openconnect-editor.c| 15 + + shared/nm-service-defines.h | 1 + + 5 files changed, 79 insertions(+), 18 deletions(-) + +diff --git a/auth-dialog/main.c b/auth-dialog/main.c +index 99cab7cd921f..305b568650ba 100644 +--- a/auth-dialog/main.c b/auth-dialog/main.c +@@ -1853,6 +1853,7 @@ static void build_main_dialog(auth_ui_data *ui_data) + + static auth_ui_data *init_ui_data (char *vpn_name, GHashTable *options, GHashTable *secrets
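Review bot: the debian/gbp.conf hunk (`+debian-branch = debian/bookworm`) is not reflected in the changelog hunk, which lists only the four user-agent related items and the libgtk-4-bin Build-Depends; if this is the change the cover letter calls the "salsa pipeline one", a line such as `* Set debian-branch to debian/bookworm in gbp.conf` in the changelog entry would keep the debdiff self-describing for the SRM review and avoid the question.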
Bug#1054455: bullseye-pu: package weborf/0.17-3
Hi Salvo,

On Tue, Oct 24, 2023 at 09:58:30AM +0200, Salvo Tomaselli wrote:
> > This version was already used:
> > https://snapshot.debian.org/package/weborf/0.17-4/
>
> Sorry!
>
> Attaching a new debdiff file with the correct version

Now there is an off-by-one in the distro version :) I believe it should be 0.17-3+deb11u1.

Regards,
Salvatore
Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)
Hi Andreas,

On Wed, Nov 01, 2023 at 12:03:37PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: affects -1 + src:exim4
>
> Hello,
>
> I would like to push another round of cherry-picked upstream fixes to
> bookworm, including the update to 4.96.2 to fix two non-DSA minor
> security issues.
>
> The changes are included in the new upstream (4.97 rc) uploads to sid which
> are present in sid and testing.
>
>
> * Multiple bugfixes from upstream GIT master:
>   + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
>   + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
>     (Upstream bug 2998)
>   + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
>   + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
>     (Upstream bug 3013)
>
> ${run expansion breakage, similar to #1025420.
>
>   + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
>     TLS cert expiry date. Closes: #1043233
>     (Upstream bug 3014)
>
> This is a major hiccup, bordering on RC.
>
>   + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
>
> Another patch for ${run} expansion breakage.
>
>   + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch (Upstream bug 3023)
>   + 76-12-DNS-more-hardening-against-crafted-responses.patch
> * tests/basic: Add isolation-container restriction (needs a running
>   exim daemon).
> * Add ${run } expansion test to tests/basic.
> * Update code to 4.96.2, fixing issues with the proxy protocol
>   (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
>   also includes additional hardening for spf lookups, however CVE-2023-42218

The mentioned CVEs have a typo. I believe this should be CVE-2023-42117 and CVE-2023-42119 (and for completeness about the libspf2 mentioning CVE-2023-42118).

Regards,
Salvatore
Uploading linux (6.5.10-1)
Hi

I would like to upload linux version 6.5.10-1 tomorrow to unstable.

The new upload rebases unstable importing the new stable series versions up to 6.5.10. An ABI bump is included. CVE-2023-46813, CVE-2023-5717 and CVE-2023-46862 are fixed with the new stable import series. The RT patchset remains so far disabled (it is enabled again for the 6.6 based upload to experimental).

There are some other packaging changes apart from the stable imports pending with this upload:

* Disable DEBUG_PREEMPT as it introduces slowdowns up to 20% on certain workloads.

Modified to actually not set DEBUG_PREEMPT, as it is not enabled by default since 6.3-rc1:

* Do not explicitly unset DEBUG_PREEMPT (not enabled by default since 6.3-rc1)

Regards,
Salvatore
Bug#1054446: bookworm-pu: package wolfssl/5.5.4-2+deb12u1
On Mon, Oct 23, 2023 at 10:12:27PM +0200, Bastian Germann wrote: > Am 23.10.23 um 22:02 schrieb Salvatore Bonaccorso: > > > diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog > > > --- wolfssl-5.5.4/debian/changelog2023-02-06 14:41:53.0 > > > + > > > +++ wolfssl-5.5.4/debian/changelog2023-10-23 17:46:16.0 > > > + > > > @@ -1,3 +1,10 @@ > > > +wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium > > > + > > > + * Stable update to address the following vulnerabilities: > > > +- Fix CVE-2023-3724. > > > > Should the changelog entry close as well #1041699? > > I do not mind adding the bug reference but usually, the Security Team's bugs > say that one should not close them but rather edit their fixed values. > And the bug is already closed. I am including the debdiff with the bug > reference and let you choose. I do not read that :), and you can close a bug with multiple versions in the Debian BTS. But anyway, both versions are ok, and I have anyway not a authoritative guidance on the bookworm-pu bug, as not member of the release team. Regards, Salvatore
Bug#1054446: bookworm-pu: package wolfssl/5.5.4-2+deb12u1
Hi Bastian, On Mon, Oct 23, 2023 at 09:48:45PM +0200, Bastian Germann wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-CC: sirkilam...@msn.com > > Hi, > > I am including a fix for wolfssl's CVE-2023-3724. > The vulnerability is tracked by the Security Team in #1041699 and is fixed in > unstable. > Aside from the changelog, this is exactly the same debdiff as provided by > 5.5.4-2.1. > The new patch is taken from upstream as suggested by Jacob Barthelmeh. > > Thanks, > Bastian > diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog > --- wolfssl-5.5.4/debian/changelog2023-02-06 14:41:53.0 + > +++ wolfssl-5.5.4/debian/changelog2023-10-23 17:46:16.0 + > @@ -1,3 +1,10 @@ > +wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium > + > + * Stable update to address the following vulnerabilities: > +- Fix CVE-2023-3724. Should the changelog entry close as well #1041699? Regards, Salvatore
Bug#1054421: bookworm-pu: package weborf/0.19
Hi,

On Mon, Oct 23, 2023 at 07:07:44PM +0200, Salvo "LtWorf" Tomaselli wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
> Control: affects -1 + src:weborf
>
> I have found a denial of service in all versions of weborf.
>
> It is tracked in #1054417 and solved in 1.0 upstream.
> https://github.com/ltworf/weborf/pull/88
>
> The issue is fixed in unstable but remains in stable and oldstable.
>
> [ Reason ]
> The bug has been there undetected for years. The fix is minimal.
>
> [ Impact ]
> The denial of service and extremely unlikely but theoretically possible
> remote execution issue will remain.
>
> The issue exists only if the process has CGI enabled (not the default).
>
> [ Tests ]
>
> There are no automated tests covering the issue.
>
> [ Risks ]
>
> The patch is just 3 lines.
>
> [ Checklist ]
> [*] *all* changes are documented in the d/changelog
> [*] I reviewed all changes and I approve them
> [*] attach debdiff against the package in (old)stable
> [*] the issue is verified as fixed in unstable
>
> [ Changes ]
>
> A patch to remove a memory allocation and copy, where I forgot a +1 in the
> copy.
>
> The resulting code just reuses the same buffer instead of copying, which was
> not needed to begin with.
>
> [ Other info ]
>
> Tracked in CVE-2023-46586

> diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
> --- weborf-0.19/debian/changelog 2022-10-15 12:57:06.0 +0200
> +++ weborf-0.19/debian/changelog 2023-10-23 18:38:21.0 +0200
> @@ -1,3 +1,9 @@ > +weborf (0.19-3) bookworm; urgency=medium > + > + * Backport patch from upstream to fix denial of service (Closes: 1054417) > + > + -- Salvo 'LtWorf' Tomaselli Mon, 23 Oct 2023 > 18:38:21 +0200 The version works because 0.19-3 was never landing in the archive. Normally you would use a +debXuY suffix, in the above case +deb12u1. But I assume SRM will still ack the fix as it is (other package do as well not follow this as strict rule, e.g. src:linux but because its following the stable series). Regards, Salvatore
Uploading linux (6.5.8-1)
Hi

I would like to upload linux version 6.5.8-1 later today to unstable.

The new upload would consist of importing new stable series versions up to 6.5.8. An ABI bump is included. Notably the RT patchset is still disabled as mentioned in the 6.5.6-1 upload announcement. CVE-2023-34324 is fixed with the new stable import series.

There are some other packaging changes apart from the stable imports pending with this upload:

* Bump ABI to 3
* [x86] KVM: SVM: always update the x2avic msr interception (CVE-2023-5090)
* nvmet-tcp: Fix a possible UAF in queue intialization setup (CVE-2023-5178)
* Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (CVE-2023-31083)

Regards,
Salvatore
Uploading linux (6.5.6-1)
Hi

I would like to upload linux version 6.5.6-1 later today to unstable.

The new upload would consist of importing new stable series versions up to 6.5.6. An ABI bump is included. Notably, given that the RT patchset is not updated anymore for the 6.5.y series upstream, this update disables it temporarily. It might be re-enabled for 6.6.y.

With the upload a couple of (known and CVEied) security fixes are addressed: CVE-2023-4921, CVE-2023-5197, CVE-2023-5345, CVE-2023-42754 and CVE-2023-42756. Via upstream changes, #1037142, #1052584 and #1052063 are addressed.

There are some other packaging changes apart from the stable imports pending with this upload:

* Bump ABI to 2
* [rt] Disable RT featureset as not supported in 6.5.y series
* [x86] drivers/watchdog: Enable ADVANTECH_EC_WDT as module (Closes: #1051449)
* [x86] drivers/platform/x86: Enable SYSTEM76_ACPI as module (Closes: #1050996)
* [arm64] Add qrtr to kernel-image udeb, needed by Lenovo Thinkpad X13s.

Regards,
Salvatore
Re: Bug#983912: grub2: consider renaming signed source packages to grub2-signed-*
Hi,

On Sun, Nov 20, 2022 at 09:11:09PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Mar 03, 2021 at 10:52:39AM +0100, Ansgar wrote:
> > Source: grub2
> > Version: 2.04-16
> > Severity: normal
> > X-Debbugs-Cc: ftpmas...@debian.org, debian-release@lists.debian.org
> >
> > grub2 currently uses grub-efi-signed-* as source package names for the
> > Secure Boot signed packages. While releasing the last security update
> > we found a small issue with these names:
> >
> > dak processes source packages in lexicographic order, so it would
> > process grub-efi-signed-* before grub2 when accepting all packages at
> > once from the "embargoed" policy queue. But the grub-efi-signed-*
> > binary packages have Built-Using: grub2; as grub2 is not accepted from
> > embargoed at this point in time, the /binary/ uploads will be rejected
> > in this case. (This problem exists in principle with all Built-Using
> > relations.)
> >
> > We could avoid this particular problem if the source package names of
> > the signed packages sort after grub2, i.e., if they were named
> > grub2-signed-* or grub2-efi-signed-*. With linux this is already the
> > case (src:linux and src:linux-signed-*).
> >
> > (As a minor thing, I think the changelog entry in the signed packages
> > should also use the grub maintainer's name, not ftpmaster@ similar to
> > what src:linux-signed-* has, but that is just cosmetics.)
> >
> > I've Cc'ed debian-release@ as it is already past soft freeze, but I
> > think just renaming the source packages would be unlikely to break
> > anything.
>
> As we were hit by this issue in the last DSA (DSA 5280-1) again,
> should we attempt to have this changed at least for bookworm?

For DSA 5519-1 I fortunately remembered this bug and did install the packages in two steps, first dak new-security-install grub2*.changes, then the grub-efi*.changes.

I still think it would be great if we can do the above mentioned renames, to avoid this problem (or is it maybe realistic that we could tackle the problem itself at dak level?).

Regards,
Salvatore
Re: Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems
Hi Adrian,

Sorry for not replying earlier, busy with preparing the updates.

On Fri, Sep 29, 2023 at 03:41:15AM +0300, Adrian Bunk wrote:
> On Sat, Sep 09, 2023 at 10:15:59AM +0200, Salvatore Bonaccorso wrote:
> >...
> > Note that the last time the problem arose already earlier in
> > experimental and Ben worked around it there with
> > https://salsa.debian.org/kernel-team/linux/-/commit/9dfe6d33a4fd220394228b30cbbfdb3b444d36ec
> > We probably can do that as well here. 60443c88f3a8 ("kallsyms: Improve
> > the performance of kallsyms_lookup_name()") was in fact backported to
> > 6.1.42. So this is the next thing I would try and disable MPTCP and
> > FUNCTION_TRACER.
> >...
>
> Yes, that looks reasonable.

Great thanks, this landed now for the point release updates and in fact we have the armel builds back.

> Additionally, one generic cause of bloat is:
> debian/changelog: * Enable UNICODE. (closes: #985689)
> debian/config/config:CONFIG_UNICODE=y
>
> That's 74 kB uncompressed, and there doesn't seem to be any
> justification for not making it modular. It's not urgent since
> Ben's change handles the immediate problem, but worth changing
> in unstable.

Could you file a bug against src:linux for it, so this might be further addressed in unstable for armel?

Regards,
Salvatore
Bug#1053240: bullseye-pu: package ghostscript/9.53.3~dfsg-7+deb11u6
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscr...@packages.debian.org, car...@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed a manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues which are very targeted.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and, for the second issue, prevent PostScript programs switching to the IJS device after SAFER has been activated (and prevent changes to the IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore

diff -Nru ghostscript-9.53.3~dfsg/debian/changelog ghostscript-9.53.3~dfsg/debian/changelog
--- ghostscript-9.53.3~dfsg/debian/changelog2023-07-02 11:54:08.0 +0200
+++ ghostscript-9.53.3~dfsg/debian/changelog2023-09-29 14:24:57.0 +0200
@@ -1,3 +1,12 @@ +ghostscript (9.53.3~dfsg-7+deb11u6) bullseye; urgency=medium + + * Non-maintainer upload. + * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559) +(Closes: #1043033) + * IJS device - try and secure the IJS server startup (CVE-2023-43115) + + -- Salvatore Bonaccorso Fri, 29 Sep 2023 14:24:57 +0200 + ghostscript (9.53.3~dfsg-7+deb11u5) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch --- ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch 1970-01-01 01:00:00.0 +0100 +++ ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch 2023-09-29 14:24:57.0 +0200 
@@ -0,0 +1,28 @@ +From: Chris Liddell +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f +Bug-Debian: https://bugs.debian.org/1043033 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559 + +Bounds check the buffer, before dereferencing the pointer. +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 7b14d9c712b4..6351fb77ac75 100644 +--- a/base/gdevdevn.c b/base/gdevdevn.c +@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +-if (data != *from || from == end) { ++if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.40.1 + diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch --- ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch 1970-01-01 01:00:00.0 +0100 +++ ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch 2023-09-29 14:24:57.0 +0200 
@@ -0,0 +1,53 @@ +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: IJS device - try and secure the IJS server startup +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115 + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the IJS device +after SAFER has been activated, and prevents changes to the IjsServer +parameter after SAFER has been activated. + +SAFER is activated, unless explicitly disabled, before any user +PostScript is executed which means that the device and the server +invocation can only be configured on the command
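Review bot: in the base/gdevdevn.c hunk the fix depends on short-circuit evaluation, which is worth stating in the changelog or patch description: in the original `if (data != *from || from == end)` the dereference `*from` is evaluated before `from == end` is tested, so once `from` has reached `end` the read already lies one element past the buffer; the replacement `if (from >= end || data != *from)` tests the bound first and never evaluates `*from` for an out-of-range pointer. Using `>=` rather than `==` also covers callers with `step > 1`, where `from += step` can jump past `end` without ever being equal to it, a case a strict equality check would miss.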
Bug#1053239: bookworm-pu: package ghostscript/10.0.0~dfsg-11+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscr...@packages.debian.org, car...@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed a manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues which are very targeted.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and, for the second issue, prevent PostScript programs switching to the IJS device after SAFER has been activated (and prevent changes to the IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore

diff -Nru ghostscript-10.0.0~dfsg/debian/changelog ghostscript-10.0.0~dfsg/debian/changelog
--- ghostscript-10.0.0~dfsg/debian/changelog2023-07-02 10:50:27.0 +0200
+++ ghostscript-10.0.0~dfsg/debian/changelog2023-09-29 14:33:30.0 +0200
@@ -1,3 +1,12 @@ +ghostscript (10.0.0~dfsg-11+deb12u2) bookworm; urgency=medium + + * Non-maintainer upload. + * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559) +(Closes: #1043033) + * IJS device - try and secure the IJS server startup (CVE-2023-43115) + + -- Salvatore Bonaccorso Fri, 29 Sep 2023 14:33:30 +0200 + ghostscript (10.0.0~dfsg-11+deb12u1) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch --- ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch 1970-01-01 01:00:00.0 +0100 +++ ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch 2023-09-29 14:17:17.0 +0200 
@@ -0,0 +1,28 @@ +From: Chris Liddell +Date: Mon, 17 Jul 2023 14:06:37 +0100 +Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f +Bug-Debian: https://bugs.debian.org/1043033 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559 + +Bounds check the buffer, before dereferencing the pointer. +--- + base/gdevdevn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gdevdevn.c b/base/gdevdevn.c +index 7b14d9c712b4..6351fb77ac75 100644 +--- a/base/gdevdevn.c b/base/gdevdevn.c +@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file + byte data = *from; + + from += step; +-if (data != *from || from == end) { ++if (from >= end || data != *from) { + if (data >= 0xc0) + gp_fputc(0xc1, file); + } else { +-- +2.40.1 + diff -Nru ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch --- ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch 1970-01-01 01:00:00.0 +0100 +++ ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch 2023-09-29 14:22:09.0 +0200 
@@ -0,0 +1,58 @@ +From: Ken Sharp +Date: Thu, 24 Aug 2023 15:24:35 +0100 +Subject: IJS device - try and secure the IJS server startup +Origin: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115 + +Bug #707051 ""ijs" device can execute arbitrary commands" + +The problem is that the 'IJS' device needs to start the IJS server, and +that is indeed an arbitrary command line. There is (apparently) no way +to validate it. Indeed, this is covered quite clearly in the comments +at the start of the source: + + * WARNING: The ijs server can be selected on the gs command line + * which is a security risk, since any program can be run. + +Previously this used the awful LockSafetyParams hackery, which we +abandoned some time ago because it simply couldn't be made secure (it +was implemented in PostScript and was therefore vulnerable to PostScript +programs). + +This commit prevents PostScript programs switching to the I
Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Hi Yadd, On Fri, Sep 29, 2023 at 05:37:25PM +0400, Yadd wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org > Control: affects -1 + src:lemonldap-ng > > [ Reason ] > Two new vulnerabilities have been dicovered and fixed in lemonldap-ng: > - an open redirection only when configuration is edited by hand and >doesn't follow OIDC specifications > - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol: >A little-know feature of OIDC allows the OpenID Provider to fetch the >Authorization request parameters itself by indicating a request_uri >parameter. This feature is now restricted to a white list using this >patch > > [ Impact ] > One low and one medium security issue. > > [ Tests ] > Patches includes test updates > > [ Risks ] > Outside of test changes, patches are not so big and the test coverage > provided by upstream is good, so risk is moderate. > > [ Checklist ] > [X] *all* changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in (old)stable > [X] the issue is verified as fixed in unstable > > [ Changes ] > - open redirection patch: just rejects requests with `redirect_uri` if > relying party configuration has no declared redirect URIs. > - SSRF patch: > * add new configuration parameter to list authorized "request_uris" > * change the algorithm that manage request_uri parameter > > Cheers, > Xavier > diff --git a/debian/NEWS b/debian/NEWS > index b8955920b..5295a3cbb 100644 > --- a/debian/NEWS > +++ b/debian/NEWS > @@ -1,3 +1,13 @@ > +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium bookworm? (but that said I guess that can be considered minor if time is tight to get the upload in, but as well disclaimer, not part of the release team) Regards, Salvatore
Bug#1051466: bookworm-pu: package ovn/23.03.1-1~deb12u1
Hi (not a SRM here, but below some comments)

On Fri, Sep 08, 2023 at 01:32:05PM +0200, Frode Nordahl wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org
>
> Dear Release Team,
>
> We would like to upload the latest stable point release of ovn 23.03
> to bookworm-p-u. Stable release branches are maintained upstream with
> the intention of providing bug fixes only and no compatibility
> breakages, and with automated non-trivial CI jobs that also cover
> Debian and Ubuntu.
>
> Debdiff attached. Packaging updated with gbp/salsa config for new
> bookworm stable branch and in-flight patches to fix an issue with
> unnecessary logging breaking one of the tests introduced in the point
> release.

Your debdiff did not make it to the list, I think because of the size.

Two observations:

Can you please close #1043598 in the debian/changelog as well, as the update addresses CVE-2023-3153.

You would need first to make sure the fixes land in unstable, unless you plan to diverge and go to a new upstream version for another branch. But make sure the CVE-2023-3153 / #1043598 fix is included in unstable as well.

Hope this helps,

Regards,
Salvatore
Bug#1052021: bookworm-pu: package nftables/1.0.6-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: nftab...@packages.debian.org, Timo Sigurdsson , Arturo Borrero Gonzalez , car...@debian.org
Control: affects -1 + src:nftables

Dear stable release managers,

[ Reason ]
Timo Sigurdsson reported, after I released DSA 5492-1 for linux, that in his case nftables rules won't be loaded anymore: https://bugs.debian.org/1051592

This was tracked down to a Linux change, 0ebc1064e487 ("netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID"), which is to address CVE-2023-4147, but uncovered an issue with nftables releases before v1.0.7 upstream. nftables is generating incorrect bytecode, which is hit with this new kernel check that rejects adding rules to bound chains. Following https://lore.kernel.org/stable/ZP+bUpxJiFcmTWhy@calendula/ and further discussion on the Linux kernel mailing lists it looks like this has to be addressed in netfilter itself (arguably the change should not break userspace, but see Florian Westphal in the thread).

[ Impact ]
Users which have such rules, running unpatched nftables but having updated the linux kernel to address security fixes (and later to be included in the point release as well), are left without loaded nftables rules.

[ Tests ]
Explicit tests with the rules provided by Timo to verify they correctly get loaded with updated nftables userland and the updated kernel.

[ Risks ]
Pablo Neira Ayuso provided the series of commits required to address the issue. They apply cleanly for the bookworm version.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
See above.
[ Other info ] Unfortunately this will be needed as well for bullseye, but the version of nftables there is substantial older, I have not yet verified how the patches apply, but will need to be asked anyway in a separate bullseye-pu update request. Regards, Salvatore diff -Nru nftables-1.0.6/debian/changelog nftables-1.0.6/debian/changelog --- nftables-1.0.6/debian/changelog 2023-06-20 16:55:52.0 +0200 +++ nftables-1.0.6/debian/changelog 2023-09-16 07:47:15.0 +0200 @@ -1,3 +1,13 @@ +nftables (1.0.6-2+deb12u2) bookworm; urgency=medium + + * [136245a] Fix incorrect bytecode generation hit with new kernel check that +rejects adding rules to bound chains (Closes: #1051592) +- rule: add helper function to expand chain rules intoi commands +- rule: expand standalone chain that contains rules +- src: expand table command before evaluation + + -- Salvatore Bonaccorso Sat, 16 Sep 2023 07:47:15 +0200 + nftables (1.0.6-2+deb12u1) bookworm; urgency=medium * [7edf72e] d/patches: add 0001-debian-bug-1038724.patch (Closes: #1038724) diff -Nru nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch --- nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch 1970-01-01 01:00:00.0 +0100 +++ nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch 2023-09-16 07:47:15.0 +0200 
@@ -0,0 +1,82 @@ +From 4e5b0a64227dde250f94bec45b3fb127d78b7fd2 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 6 Feb 2023 15:28:40 +0100 +Subject: [PATCH 1/3,nft] rule: add helper function to expand chain rules intoi + commands + +[ upstream commit 784597a4ed63b9decb10d74fdb49a1b021e22728 ] + +This patch adds a helper function to expand chain rules into commands. +This comes in preparation for the follow up patch. + +Signed-off-by: Pablo Neira Ayuso +--- + src/rule.c | 39 ++- + 1 file changed, 22 insertions(+), 17 deletions(-) + +diff --git a/src/rule.c b/src/rule.c +index 1402210acd8d..43c6520517ce 100644 +--- a/src/rule.c b/src/rule.c +@@ -1310,13 +1310,31 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc) + cmd->num_attrs++; + } + ++static void nft_cmd_expand_chain(struct chain *chain, struct list_head *new_cmds) ++{ ++ struct rule *rule; ++ struct handle h; ++ struct cmd *new; ++ ++ list_for_each_entry(rule, >rules, list) { ++ memset(, 0, sizeof(h)); ++ handle_merge(, >handle); ++ if (chain->flags & CHAIN_F_BINDING) { ++ rule->handle.chain_id = chain->handle.chain_id; ++ rule->handle.chain.location = chain->location; ++ } ++ new = cmd_alloc(CMD_ADD, CMD_OBJ_RULE, , ++ >location, rule_get(rule)); ++ list_add_tail(>list, new_cmds); ++ } ++} ++ + void nft_cm
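Review bot: the nft_cmd_expand_chain() hunk as shown has lost every `&`-prefixed argument (`list_for_each_entry(rule, >rules, list)`, `memset(, 0, sizeof(h))`, `handle_merge(, >handle)`, `cmd_alloc(CMD_ADD, CMD_OBJ_RULE, , >location, ...)`, `list_add_tail(>list, new_cmds)`), which looks like HTML entity damage in the list archive rather than in the uploaded patch; anyone reviewing from this copy should compare against upstream commit 784597a4ed63 named in the patch header before judging the code. On the logic itself, the helper takes a reference with rule_get(rule) for every CMD_ADD command it creates, so the follow-up patches that call it should be checked to release those references when the expanded commands are freed, otherwise each expanded chain leaks one rule reference per rule.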
Bug#1051937: bullseye-pu: package cairosvg/oldstable-new
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister , car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister, cairosvg suffers from a regression from the original fix upstream for CVE-2023-27586, where embedded images using data URIs no longer work without the unsafe flag. To fix the issue it would only be necessary to disallow loading of external files, but data URIs would be expected to still work. See:

- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for CVE-2023-27586.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using an introduced safe_fetch which fetches the content of a passed url if it's a data URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore

diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog
--- cairosvg-2.5.0/debian/changelog 2023-03-23 20:51:51.0 +0100
+++ cairosvg-2.5.0/debian/changelog 2023-09-06 21:24:37.0 +0200
@@ -1,3 +1,10 @@ +cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium + + * Non-maintainer upload. + * Handle data-URLs in safe mode (Closes: #1050643) + + -- Salvatore Bonaccorso Wed, 06 Sep 2023 21:24:37 +0200 + cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch --- cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 1970-01-01 01:00:00.0 +0100 +++ cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 2023-09-06 21:24:37.0 +0200 
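Review bot: the changelog entry only says "Handle data-URLs in safe mode (Closes: #1050643)"; since this repairs a regression introduced by the CVE-2023-27586 fix in the preceding deb11u1 bullseye-security upload, naming the CVE in the entry (e.g. "Handle data-URLs in safe mode, regression from the CVE-2023-27586 fix (Closes: #1050643)") keeps the security tracker and the point-release notes cross-referenced.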
@@ -0,0 +1,61 @@ +From: Guillaume Ayoub +Date: Tue, 18 Apr 2023 14:51:13 +0200 +Subject: Handle data-URLs in safe mode. +Origin: https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d +Bug: https://github.com/Kozea/CairoSVG/issues/383 +Bug-Debian: https://bugs.debian.org/1050643 + +Fix #383. +--- + cairosvg/parser.py | 5 ++--- + cairosvg/url.py| 11 +++ + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/cairosvg/parser.py b/cairosvg/parser.py +index 61275f0a1073..06a65db5c0e2 100644 +--- a/cairosvg/parser.py b/cairosvg/parser.py +@@ -14,7 +14,7 @@ from defusedxml import ElementTree + from . import css + from .features import match_features + from .helpers import flatten, pop_rotation, rotations +-from .url import fetch, parse_url, read_url ++from .url import fetch, parse_url, read_url, safe_fetch + + # 'display' is actually inherited but handled differently because some markers + # are part of a none-displaying group (see test painting-marker-07-f.svg) +@@ -393,8 +393,7 @@ class Tree(Node): + + # Don’t allow fetching external files unless explicitly asked for + if 'url_fetcher' not in kwargs and not unsafe: +-self.url_fetcher = ( +-lambda *args, **kwargs: b'') ++self.url_fetcher = safe_fetch + + self.xml_tree = tree + root = cssselect2.ElementWrapper.from_xml_root(tree) +diff --git a/cairosvg/url.py b/cairosvg/url.py +index b4a78eaf6645..7b184e6e74d9 100644 +--- a/cairosvg/url.py b/cairosvg/url.py +@@ -84,6 +84,17 @@ def fetch(url, resource_type): + return urlopen(Request(url, headers=HTTP_HEADERS)).read() + + ++def safe_fetch(url, resource_type): ++"""Fetch the content of ``url`` only if it’s a data-URL. ++ ++Otherwise, return an empty SVG. ++ ++""" ++if url and url.startswith('data:'): ++return fetch(url, resource_type) ++return b'' ++ ++ + def parse_url(url, base=None): + """Parse an URL. 
+ +-- +2.40.1 + diff -Nru cairosvg-2.5.0/debian/patches/series cairosvg-2.5.0/debian/patches/series --- cairosvg-2.5.0/debian/patches/series2023-03-23 20:51:07.0 +0100 +++ cairosvg-2.5.0/debian/patches/series2023-09-06 21:23:58.0 +0200 @@ -1,3 +1,4 @@ 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch 0002-Don-t-use-overlapping-groups-for-regular-expressions.patch Don-t-allow-fetching-external-files-unless-explicitl.patch +Handle-data-URLs-in-safe-mode.patch
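Review bot: in the url.py hunk, safe_fetch's docstring says "Otherwise, return an empty SVG" but the function returns `b''`, an empty byte string and not an SVG document; either return a minimal empty SVG or reword the docstring, since a caller reading it may expect parseable output. Two smaller points on the same hunk: the `url.startswith('data:')` test is case-sensitive, so a `DATA:` scheme is refused (that fails closed, which is the right direction, but deserves a comment so it is not "fixed" carelessly later), and a refused external URL is dropped silently, the same invisible failure mode the reporter hit in #1050643; a debug-level log line naming the refused URL would aid diagnosis without changing behaviour.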
Bug#1051936: bookworm-pu: package cairosvg/2.5.2-1.1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister , car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an offlist report from Joe Burmeister, cairosvg suffers from a regression from the original fix upstream for CVE-2023-27586, where embedded images using data URIs no longer work without the unsafe flag. To fix the issue it would only be necessary to disallow loading of external files, but data URIs would be expected to still work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for CVE-2023-27586.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using an introduced safe_fetch which fetches the content of a passed url if it's a data URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore

diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog --- cairosvg-2.5.2/debian/changelog 2023-03-21 22:21:22.0 +0100 +++ cairosvg-2.5.2/debian/changelog 2023-09-06 21:20:16.0 +0200
@@ -1,3 +1,10 @@ +cairosvg (2.5.2-1.1+deb12u1) bookworm; urgency=medium + + * Non-maintainer upload. + * Handle data-URLs in safe mode (Closes: #1050643) + + -- Salvatore Bonaccorso Wed, 06 Sep 2023 21:20:16 +0200 + cairosvg (2.5.2-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch --- cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch 1970-01-01 01:00:00.0 +0100 +++ cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch 2023-09-06 21:20:16.0 +0200 
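Review bot: the changelog entry "Handle data-URLs in safe mode (Closes: #1050643)" does not say that this is a regression fix for the Don-t-allow-fetching-external-files-unless-explicitl.patch that addressed CVE-2023-27586 (visible in the series file below); mentioning the CVE in the entry keeps the bookworm point-release notes and the security tracker cross-referenced.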
@@ -0,0 +1,61 @@ +From: Guillaume Ayoub +Date: Tue, 18 Apr 2023 14:51:13 +0200 +Subject: Handle data-URLs in safe mode. +Origin: https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d +Bug: https://github.com/Kozea/CairoSVG/issues/383 +Bug-Debian: https://bugs.debian.org/1050643 + +Fix #383. +--- + cairosvg/parser.py | 5 ++--- + cairosvg/url.py| 11 +++ + 2 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/cairosvg/parser.py b/cairosvg/parser.py +index 61275f0a1073..06a65db5c0e2 100644 +--- a/cairosvg/parser.py b/cairosvg/parser.py +@@ -14,7 +14,7 @@ from defusedxml import ElementTree + from . import css + from .features import match_features + from .helpers import flatten, pop_rotation, rotations +-from .url import fetch, parse_url, read_url ++from .url import fetch, parse_url, read_url, safe_fetch + + # 'display' is actually inherited but handled differently because some markers + # are part of a none-displaying group (see test painting-marker-07-f.svg) +@@ -393,8 +393,7 @@ class Tree(Node): + + # Don’t allow fetching external files unless explicitly asked for + if 'url_fetcher' not in kwargs and not unsafe: +-self.url_fetcher = ( +-lambda *args, **kwargs: b'') ++self.url_fetcher = safe_fetch + + self.xml_tree = tree + root = cssselect2.ElementWrapper.from_xml_root(tree) +diff --git a/cairosvg/url.py b/cairosvg/url.py +index b4a78eaf6645..7b184e6e74d9 100644 +--- a/cairosvg/url.py b/cairosvg/url.py +@@ -84,6 +84,17 @@ def fetch(url, resource_type): + return urlopen(Request(url, headers=HTTP_HEADERS)).read() + + ++def safe_fetch(url, resource_type): ++"""Fetch the content of ``url`` only if it’s a data-URL. ++ ++Otherwise, return an empty SVG. ++ ++""" ++if url and url.startswith('data:'): ++return fetch(url, resource_type) ++return b'' ++ ++ + def parse_url(url, base=None): + """Parse an URL. 
+ +-- +2.40.1 + diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series --- cairosvg-2.5.2/debian/patches/series2023-03-21 22:20:08.0 +0100 +++ cairosvg-2.5.2/debian/patches/series2023-09-06 21:19:48.0 +0200 @@ -1,2 +1,3 @@ 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch Don-t-allow-fetching-external-files-unless-explicitl.patch +Handle-data-URLs-in-safe-mode.patch
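Review bot: the parser.py hunk swaps the catch-all `lambda *args, **kwargs: b''` for `safe_fetch`, whose signature is the fixed `(url, resource_type)`; that matches the existing fetch signature used by the built-in call sites, but a caller that invoked url_fetcher with extra keyword arguments used to get `b''` back and will now raise TypeError, so it is worth a line in the patch header. On the url.py hunk, the docstring's "return an empty SVG" does not match the `return b''` below it; one of the two should change.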
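As an added example (not CairoSVG's code and not taken from the Debian patch above), here is the fail-closed fetcher shape that both the bullseye and the bookworm cairosvg updates backport: anything that is not a data: URL is refused and yields b'', as the backported safe_fetch does, while the data URL itself is decoded locally with the standard library instead of being handed to urlopen. MAX_DECODED_BYTES, the logging call and the helper names (is_data_url, decode_data_url, is_rejected) are assumptions of this example and are not part of CairoSVG:

```python
"""Fail-closed resource fetcher that resolves data: URLs only.

Added example, not CairoSVG's code. It keeps the url_fetcher(url,
resource_type) calling convention and the "refuse everything external,
return b''" behaviour of the backported safe_fetch, but decodes the data
URL itself (no urlopen), caps the decoded size and logs refusals so that
images silently vanishing from a render can be diagnosed.
"""
import base64
import logging
import re
from urllib.parse import unquote_to_bytes

log = logging.getLogger(__name__)

# Assumed cap for this example; CairoSVG has no such limit on the page.
MAX_DECODED_BYTES = 4 * 1024 * 1024

# RFC 2397 shape: data:[<mediatype>][;base64],<data>
_DATA_URL = re.compile(
    r"^data:(?P<meta>[^,]*?)(?P<b64>;base64)?,(?P<payload>.*)$",
    re.IGNORECASE | re.DOTALL,
)


def is_data_url(url):
    """True if url carries a data: scheme (scheme names are case-insensitive)."""
    return isinstance(url, str) and url[:5].lower() == "data:"


def decode_data_url(url, max_bytes=MAX_DECODED_BYTES):
    """Decode a data: URL into (media_type, payload_bytes).

    Raises ValueError for a malformed data URL or a payload above max_bytes.
    """
    match = _DATA_URL.match(url or "")
    if match is None:
        raise ValueError("not a well-formed data: URL")
    # Media type is everything before the first ';' parameter; RFC 2397
    # says an absent type means text/plain.
    media_type = match.group("meta").split(";", 1)[0].strip().lower() or "text/plain"
    payload = match.group("payload")
    if match.group("b64"):
        # Embedders often wrap base64 across lines: drop whitespace first,
        # then validate=True rejects any other out-of-alphabet character
        # instead of silently discarding it (binascii.Error is a ValueError).
        data = base64.b64decode("".join(payload.split()), validate=True)
    else:
        data = unquote_to_bytes(payload)
    if len(data) > max_bytes:
        raise ValueError(f"decoded payload of {len(data)} bytes exceeds {max_bytes}")
    return media_type, data


def safe_fetch(url, resource_type, max_bytes=MAX_DECODED_BYTES):
    """url_fetcher-style callback: payload bytes for a data: URL, b'' otherwise.

    http, https, file and every other scheme are refused without being
    opened, which is what "safe mode" is meant to guarantee; the data: case
    is the one the regression in #1050643 had lost.
    """
    if not is_data_url(url):
        log.debug("safe mode: refusing to fetch %s resource %r", resource_type, url)
        return b""
    _media_type, data = decode_data_url(url, max_bytes)
    return data


def is_rejected(url, resource_type="image", max_bytes=MAX_DECODED_BYTES):
    """True if safe_fetch raises ValueError for url (malformed or too large)."""
    try:
        safe_fetch(url, resource_type, max_bytes)
    except ValueError:
        return True
    return False
```

A renderer would pass safe_fetch as its url_fetcher. The observable differences from the patch are that a malformed or oversized data URL raises ValueError instead of whatever urlopen would have produced, and that every refused external URL leaves a debug log line behind.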
Uploading linux (6.5.3-1)
Hi

I would like to upload linux version 6.5.3-1 later today to unstable. The new upload would consist of a new upstream version switching to the 6.5.y series in unstable. An ABI bump is included. The new upload fixes CVE-2023-4623 and CVE-2023-25775.

Apart from switching from the 6.4.y to the 6.5.y series there are additional changes covering:

* Enable KFENCE support (not enabled by default) (Closes: #1025845)
* net/xdp: Enable XDP_SOCKETS_DIAG as module (Closes: #1051455)
* udeb: Make MPT modules optional in scsi-modules (fixes FTBFS on s390x) (Closes: #1051249)
* Refresh "radeon, amdgpu: Firmware is required for DRM and KMS on R600 onward"
* Set ABI to 1
* [rt] Update to 6.5.2-rt8
* [arm64] Add reset-rzg2l-usbphy-ctrl to usb-modules udeb in order to enable USB support on Renesas RZ/G2L-SMARC boards.
* [arm64,armhf] drivers/hwspinlock: Enable CONFIG_HWSPINLOCK
* [arm64] Add support for Lenovo ThinkPad X13s: enable as modules SC_DISPCC_8280XP, SC_GCC_8280XP, SC_GPUCC_8280XP, QCOM_SPMI_ADC5, INTERCONNECT_QCOM_OSM_L3, INTERCONNECT_QCOM_SC8280XP, LEDS_QCOM_LPG, QCOM_IPCC, QCOM_FASTRPC, NVMEM_SPMI_SDAM, PHY_QCOM_EDP, PHY_QCOM_QMP_PCIE, PHY_QCOM_USB_SNPS_FEMTO_V2, PINCTRL_SC8280XP, PINCTRL_SC8280XP_LPASS_LPI, PINCTRL_LPASS_LPI, POWER_RESET_QCOM_PON, BATTERY_QCOM_BATTMGR, QCOM_Q6V5_ADSP, QCOM_Q6V5_PAS, QCOM_Q6V5_WCSS, QCOM_SYSMON, QCOM_LLCC, QCOM_OCMEM, QCOM_PMIC_GLINK, QCOM_STATS, QCOM_APR, QCOM_ICC_BWMON, SPI_QCOM_GENI, TYPEC_MUX_GPIO_SBU, QRTR_SMD, SND_SOC_WCD938X_SDW, SND_SOC_LPASS_WSA_MACRO, SND_SOC_LPASS_VA_MACRO, SND_SOC_LPASS_RX_MACRO, SND_SOC_LPASS_TX_MACRO, SND_SOC_QDSP6 (Thanks Steve Capper!)
* [arm64] Add Thinkpad X13s modules to udebs
* drivers/char/hw_random: Change HW_RANDOM from module to built-in (Closes: #1041007)
* drivers/char/tpm: Do not explicitly set HW_RANDOM_TPM
* [arm64, cloud, x86] drivers/char/tpm: Do not explicitly enable TCG_TPM
* [arm*,ppc64*,sparc64,s390x] drivers/char/hw_random: Prevent some HW Random Number Generator drivers from being built-in

And the following already included in experimental uploads up to 6.5.1-1~exp1:

* [riscv64] enable cpufreq support for Starfive JH7110: enable CPUFREQ_DT, MFD_AXP20X_I2C and REGULATOR_AXP20X as modules, and CPUFREQ_DT_PLATDEV as built-in.
* [armel/rpi,armhf,arm64] enable CPUFREQ_DT_PLATDEV as built-in, as it does not get autoloaded as a module (Closes: #1050587)
* Use pytest to test some of the code.
* Re-add /usr/include/drm and /usr/include/scsi to linux-libc-dev; they no longer conflict with other packages. (closes: #1050368)
* Properly split host and build flags. (closes: #1050991)
* [x86] drivers/hwtracing/intel_th: Enable INTEL_TH_ACPI Intel Trace Hub ACPI controller as module (Closes: #1050342)
* [amd64] arch/x86/ras: Enable RAS_CEC (Correctable Errors Collector) (Closes: #1050940)
* [arm64] sound/pci: Enable SND_CMIPCI as a module
* linux-image: bug: Update taint list and use upstream descriptions
* [rt] Refresh "serial: 8250: implement non-BKL console"
* [amd64] mm: Enable MEMORY_HOTPLUG_DEFAULT_ONLINE: Enable Online the newly added memory blocks by default (Closes: #1049901)
* [hppa] Add build-dependency on binutils-dev to get bfd.h and thus allow disassembly of jitted programs in bpftool
* [riscv64] enable CONFIG_ACPI
* [riscv64] improve Starfive JH7110 support: enable CRYPTO_DEV_JH7110, SND_SOC, SND_SOC_STARFIVE and SND_SOC_JH7110_TDM as modules
* [x86] drivers/platform/x86/lenovo-ymc: Enable LENOVO_YMC as module
* [arm64] Improve support for Allwinner H6 and affiliated SoCs (Closes: #1038986)
  - drivers/cpufreq: Enable ARM_ALLWINNER_SUN50I_CPUFREQ_NVMEM as module
  - drivers/iommu: Enable SUN50I_IOMMU
  - drivers/media/rc: Enable IR_SUNXI as module
  - drivers/phy/allwinner: Enable PHY_SUN50I_USB3 as module
  - sound/soc/sunxi: Enable SND_SUN50I_DMIC as module

Regards,
Salvatore
Re: Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems
Hi,

On Sat, Sep 09, 2023 at 11:49:11AM +0300, Adrian Bunk wrote:
> On Sat, Sep 09, 2023 at 10:15:59AM +0200, Salvatore Bonaccorso wrote:
> >...
> > - Release the DSA without armel builds. This is not optimal and for the
> > point release we need to have all builds, but this gives people who
> > still are interested in this architecture to step up and propose a fix
> > for the problem, otherwise then disable the image size check, and then
> > effectively dropping some support.
> >...
> > armel people, can you ideally have a look at it ASAP and comment,
> > please, I would not like to delay the DSA for linux on
> > bookworm-security too much.
>
> Releasing this DSA without armel and sorting out the issue for the point
> release sounds like the best option to me.

FWIW, following Ben's approach for unstable, here is my proposed change for bookworm in the near-term:

https://salsa.debian.org/kernel-team/linux/-/merge_requests/844

I have verified by cross-building that the image size goes down to

Image size 2644124/2729712, using 96.86%. Image fits. Continuing.

which would be sufficient so far. So we can at least include the above for the point release and release the DSA earlier without the armel builds.

Thank you!

Regards,
Salvatore
Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems
Hi all,

We have a problem with the image size of armel builds in bookworm. There is a pending bookworm-security linux update which is currently blocked due to armel FTBFS due to the image size increase:

https://people.debian.org/~carnil/buildd-logs/linux/linux_6.1.52-1_armel-2023-09-07T08:53:41Z.gz

debian/bin/buildcheck.py debian/build/build_armel_none_marvell armel none marvell
Can't read ABI reference. ABI not checked!
Image size 2753652/2729712, using 100.88%. Too large. Refusing to continue.
make[2]: *** [debian/rules.real:169: debian/stamps/build_armel_none_marvell] Error 1
make[2]: Leaving directory '/<>'
make[1]: *** [debian/rules.gen:1615: build-arch_armel_none_marvell_real_image] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:39: build-arch] Error 2
dpkg-buildpackage: error: debian/rules binary-arch subprocess returned exit status 2

In fact we are already too narrow to 100% in any case, but there was a bump between 6.1.41 and 6.1.42 upstream AFAICS:

6.1.52-1 Image size 2751596/2729712, using 100.80%. Too large. Refusing to continue.
6.1.51-1 Image size 2752212/2729712, using 100.82%. Too large. Refusing to continue.
6.1.47-1 Image size 2752676/2729712, using 100.84%. Too large. Refusing to continue.
6.1.45-1 Image size 2751292/2729712, using 100.79%. Too large. Refusing to continue.
6.1.43-1 Image size 2751348/2729712, using 100.79%. Too large. Refusing to continue.
6.1.42-1 Image size 2752924/2729712, using 100.85%. Too large. Refusing to continue.
6.1.41-1 Image size 2701348/2729712, using 98.96%. Image fits. Continuing.
6.1.40-1 Image size 2703956/2729712, using 99.06%. Under 1% space in UNRELEASED. Continuing.
6.1.38-1 Image size 2703076/2729712, using 99.02%. Under 1% space in bookworm. Continuing.

I doubt anybody is sensibly using armel nowadays under bookworm, so my proposed course of action for unblocking the bookworm-security update is either:

- ignore the image size and implicitly drop support for devices which would break due to size constraints; the current upper limit is adjusted for the following:

  # Buffalo Linkstation LS-WSXL/WXL/WVL (from stock kernel): 2729776 - 64 = 2729712

or:

- Release the DSA without armel builds. This is not optimal and for the point release we need to have all builds, but this gives people who still are interested in this architecture to step up and propose a fix for the problem, otherwise then disable the image size check, and then effectively dropping some support.

Attached is the result of the bloat-o-meter script between 6.1.41 and 6.1.42.

I might put myself in a bad spot, but should support for armel have been dropped earlier, and should we do it for trixie following the same done for mipsel?

Note that the last time the problem already arose earlier in experimental and Ben worked around it there with

https://salsa.debian.org/kernel-team/linux/-/commit/9dfe6d33a4fd220394228b30cbbfdb3b444d36ec

We probably can do that as well here. 60443c88f3a8 ("kallsyms: Improve the performance of kallsyms_lookup_name()") was in fact backported to 6.1.42. So this is what I would try next, and disable MPTCP and FUNCTION_TRACER. But the problem with armel will remain.

armel people, can you ideally have a look at it ASAP and comment, please, I would not like to delay the DSA for linux on bookworm-security too much.

Thanks for having a look,

Regards,
Salvatore

add/remove: 7/6 grow/shrink: 50/14 up/down: 3772/-2456 (1316)
Function                               old     new   delta
check_max_stack_depth_subprog            -     720    +720
psi_rtpoll_worker                        -     648    +648
update_triggers                          -     504    +504
kallsyms_lookup_names.constprop          -     264    +264
do_check_common                       9892   10068    +176
__mark_chain_precision                2008    2148    +140
psi_trigger_create                     564     684    +120
dquot_writeback_dquots                 428     548    +120
psi_trigger_destroy                    344     448    +104
psi_schedule_rtpoll_work                 -      88     +88
__check_func_call                      880     968     +88
collect_percpu_times                   368     452     +84
is_callback_calling_function             -      64     +64
list_add                              2208    2256     +48
__inet_hash                            436     484     +48
request_key_and_link                  1404    1448     +44
kvmalloc_array                           -      40     +40
bpf_lru_pop_free                       708     748     +40
list_add_tail                         2268    2304     +36
ip_send_unicast_reply                  784     820     +36
psi_avgs_work                          180     212     +32
bpf_check                            10812   10844     +32
Uploading linux (6.4.13-1)
Hi

I would like to upload linux version 6.4.13-1 later today. It consists of importing as usual the new stable series up to 6.4.13, and includes fixes for the following known CVEs: CVE-2023-20588, CVE-2023-3772, CVE-2023-3773 and CVE-2023-4569. The new upstream imports address as well #1042543 and #1050622. An ABI bump is included for this update.

There are some other packaging changes apart from the stable imports pending with this upload:

* Bump ABI to 4
* [arm64] Enable support for Renesas RZ/G2L-SMARC. Set ARCH_R9A07G044 for SoC support and enable RESET_RZG2L_USBPHY_CTRL as module for USB2. (Closes: #1049346)

Regards,
Salvatore
Uploading linux (6.4.11-1)
Hi

I would like to upload linux version 6.4.11-1 later today. It consists of importing as usual the new stable series 6.4.5 up to 6.4.11 and covers the following known CVEs: CVE-2023-1206, CVE-2023-4004, CVE-2023-4128, CVE-2023-4147, CVE-2023-4155, CVE-2023-4194, CVE-2023-4273, CVE-2023-20588 and CVE-2023-34319. The new upstream version import addresses as well #1042540 and #1039092. An ABI bump is included for this update.

There are some other packaging changes apart from the stable imports pending with this upload:

* [x86] drivers/platform/x86/intel/int3472: Enable INTEL_SKL_INT3472 as module (Closes: #1038385)
* Bump ABI to 3
* [rt] Drop "posix-timers: Ensure timer ID search-loop limit is valid" (applied upstream)
* [rt] Update to 6.4.6-rt8
* [rt] Drop "locking/rtmutex: Fix task->pi_waiters integrity" (applied upstream)

Regards,
Salvatore
Re: linux image for 12.2?
Hi,

On Tue, Aug 08, 2023 at 06:12:56PM +0100, Adam D. Barratt wrote:
> On Tue, 2023-08-08 at 11:53 -0500, Matt Zagrabelny wrote:
> > Greetings Debian Release Team,
> >
> > Thank you for your service to Debian users, it is appreciated!
> >
> > Are there plans to update the linux kernel for the 12.2 point
> > release?
> >
> > I'm hitting a bug that is fixed (commit 3de4d22cc9ac7) in 6.1.43 and
> > am hoping that the next point release will include that kernel.
> >
>
> There's basically always a kernel update in every point release, but
> the specific version and any additional patches included is up to the
> kernel maintainers; adding the -kernel list to CC.

Yes, it is planned to rebase linux to at least 6.1.45 or later for the next bookworm point release.

Regards,
Salvatore
Bug#1043270: bullseye-pu: package autofs/5.1.7-1+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org, Mike Gabriel , car...@debian.org
Control: affects -1 + src:autofs

Dear SRMs,

[ Reason ]
A regression was noticed in autofs from buster to the versions in the upper suites. After changes upstream related to fixing NFS mounts from IPv6, regressions with delaying mounts were noticed when having a dualstacked server, the client though, while being in an IPv6 capable subnet, being equipped only with an IPv4 address (and IPv6 link local addresses).

It was initially reported at https://www.spinics.net/lists/autofs/msg02643.html, tracking down the issue to missing checks for reachability when calculating the proximity.

If an interface doesn't have an address of the family of the target host, or the interface address is the IPv6 link local address, or the target host address is the IPv6 link local address, then don't add it to the list of hosts to probe.

[ Impact ]
Getting noticeable delays in automounts in affected configurations.

[ Tests ]
Manual test with affected configuration and confirming back to upstream (see thread).

[ Risks ]
Upstream provided a patch for the issue which should involve minimal risk to apply back to the affected versions.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
From https://www.spinics.net/lists/autofs/msg02668.html

- use correct reference for IN6 macro call

> While the usage isn't strictly wrong it's also not correct and it
> passes compiler checks but it doesn't match the usage within the
> macro it's passed to.
>
> Change it to match the IN6_* macro definition to reduce the potential
> for confusion.

- dont probe interface that cant send packet

See above in the reason paragraph.

[ Other info ]
For the debdiff: the debdiff is generated against the current version which is in bullseye-proposed-updates, as this was already acked in #1040950. If wanted I can additionally generate the debdiff against 5.1.7-1.

Regards,
Salvatore

diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog --- autofs-5.1.7/debian/changelog 2023-07-10 19:01:17.0 +0200 +++ autofs-5.1.7/debian/changelog 2023-08-08 10:31:29.0 +0200 @@ -1,3 +1,10 @@ +autofs (5.1.7-1+deb11u2) bullseye; urgency=medium + + * use correct reference for IN6 macro call + * dont probe interface that cant send packet (Closes: #1041051) + + -- Salvatore Bonaccorso Tue, 08 Aug 2023 10:31:29 +0200 + autofs (5.1.7-1+deb11u1) bullseye; urgency=medium * debian/patches: diff -Nru autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch --- autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch 1970-01-01 01:00:00.0 +0100 +++ autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch 2023-08-08 10:30:32.0 +0200
@@ -0,0 +1,160 @@ +From: Ian Kent +Date: Thu, 13 Jul 2023 10:44:49 +0800 +Subject: autofs-5.1.8 - dont probe interface that cant send packet +Origin: https://www.spinics.net/lists/autofs/msg02667.html +Bug-Debian: https://bugs.debian.org/1041051 + +When calculating the proximity add checks for basic reachability. + +If an interface doesn't have an address of the family of the target +host, or the interface address is the IPv6 link local address, or +the target host address is the IPv6 link local address then don't +add it to the list of hosts to probe. + +Reported-by: Salvatore Bonaccorso +Tested-by: Salvatore Bonaccorso +Cc: Goldwyn Rodrigues +Cc: Mike Gabriel +Signed-off-by: Ian Kent +--- + CHANGELOG| 1 + + lib/parse_subs.c | 36 +++- + modules/replicated.c | 19 +++ + 3 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/lib/parse_subs.c b/lib/parse_subs.c +index 0ee00d517718..3c95996eaf02 100644 +--- a/lib/parse_subs.c b/lib/parse_subs.c +@@ -218,7 +218,7 @@ unsigned int get_proximity(struct sockaddr *host_addr) + int addr_len; + char buf[MAX_ERR_BUF]; + uint32_t mask, ha, ia, *mask6, *ha6, *ia6; +- int ret; ++ int ret, at_least_one; + + addr = NULL; + addr6 = NULL; +@@ -228,6 +228,7 @@ unsigned int get_proximity(struct sockaddr *host_addr) + ha6 = NULL; + ia6 = NULL; + ha = 0; ++ at_least_one = 0; + + switch (host_addr->sa_family) { + case AF_INET: +@@ -245,6 +246,14 @@ unsigned int get_proximity(struct sockaddr *host_addr) + hst6_addr = (struct in6_addr *) >sin6_addr; + ha6 = _addr->s6_addr32[0]; + addr_len = sizeof(*hst6_addr); ++ ++ /* The link-local address a
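Review bot: the get_proximity() hunks shown here add `at_least_one` to the declaration and zero it next to `ha = 0`, but this copy of the patch breaks off in the middle of the AF_INET6 branch (`/* The link-local address a`), before `at_least_one` is ever set or read and before any of the modules/replicated.c changes listed in the diffstat; the part that actually implements "don't add it to the list of hosts to probe" therefore cannot be reviewed from this message, so please attach the complete debdiff (the Origin: link in the patch header carries the full upstream version). On the visible lines, a one-word comment on what `at_least_one` counts (interfaces with an address in the target's family, presumably) would save the reader from guessing.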
Bug#1043269: bookworm-pu: package autofs/5.1.8-2+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org, Mike Gabriel , car...@debian.org
Control: affects -1 + src:autofs

Dear SRMs,

[ Reason ]
A regression was noticed in autofs from buster to the versions in the upper suites. After changes upstream related to fixing NFS mounts from IPv6, regressions with delaying mounts were noticed when having a dualstacked server, the client though, while being in an IPv6 capable subnet, being equipped only with an IPv4 address (and IPv6 link local addresses).

It was initially reported at https://www.spinics.net/lists/autofs/msg02643.html, tracking down the issue to missing checks for reachability when calculating the proximity.

If an interface doesn't have an address of the family of the target host, or the interface address is the IPv6 link local address, or the target host address is the IPv6 link local address, then don't add it to the list of hosts to probe.

[ Impact ]
Getting noticeable delays in automounts in affected configurations.

[ Tests ]
Manual test with affected configuration and confirming back to upstream (see thread).

[ Risks ]
Upstream provided a patch for the issue which should involve minimal risk to apply back to the affected versions.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
From https://www.spinics.net/lists/autofs/msg02668.html

- use correct reference for IN6 macro call

> While the usage isn't strictly wrong it's also not correct and it
> passes compiler checks but it doesn't match the usage within the
> macro it's passed to.
>
> Change it to match the IN6_* macro definition to reduce the potential
> for confusion.

- dont probe interface that cant send packet

See above in the reason paragraph.

[ Other info ]
None.

Regards,
Salvatore

diff -Nru autofs-5.1.8/debian/changelog autofs-5.1.8/debian/changelog --- autofs-5.1.8/debian/changelog 2023-07-05 11:56:29.0 +0200 +++ autofs-5.1.8/debian/changelog 2023-08-08 10:27:23.0 +0200 @@ -1,3 +1,10 @@ +autofs (5.1.8-2+deb12u2) bookworm; urgency=medium + + * use correct reference for IN6 macro call + * dont probe interface that cant send packet (Closes: #1041051) + + -- Salvatore Bonaccorso Tue, 08 Aug 2023 10:27:23 +0200 + autofs (5.1.8-2+deb12u1) bookworm; urgency=medium * debian/patches: diff -Nru autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch --- autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch 1970-01-01 01:00:00.0 +0100 +++ autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch 2023-08-08 10:25:44.0 +0200
@@ -0,0 +1,160 @@ +From: Ian Kent +Date: Thu, 13 Jul 2023 10:44:49 +0800 +Subject: autofs-5.1.8 - dont probe interface that cant send packet +Origin: https://www.spinics.net/lists/autofs/msg02667.html +Bug-Debian: https://bugs.debian.org/1041051 + +When calculating the proximity add checks for basic reachability. + +If an interface doesn't have an address of the family of the target +host, or the interface address is the IPv6 link local address, or +the target host address is the IPv6 link local address then don't +add it to the list of hosts to probe. + +Reported-by: Salvatore Bonaccorso +Tested-by: Salvatore Bonaccorso +Cc: Goldwyn Rodrigues +Cc: Mike Gabriel +Signed-off-by: Ian Kent +--- + CHANGELOG| 1 + + lib/parse_subs.c | 36 +++- + modules/replicated.c | 19 +++ + 3 files changed, 47 insertions(+), 9 deletions(-) + +diff --git a/lib/parse_subs.c b/lib/parse_subs.c +index 0ee00d517718..3c95996eaf02 100644 +--- a/lib/parse_subs.c b/lib/parse_subs.c +@@ -218,7 +218,7 @@ unsigned int get_proximity(struct sockaddr *host_addr) + int addr_len; + char buf[MAX_ERR_BUF]; + uint32_t mask, ha, ia, *mask6, *ha6, *ia6; +- int ret; ++ int ret, at_least_one; + + addr = NULL; + addr6 = NULL; +@@ -228,6 +228,7 @@ unsigned int get_proximity(struct sockaddr *host_addr) + ha6 = NULL; + ia6 = NULL; + ha = 0; ++ at_least_one = 0; + + switch (host_addr->sa_family) { + case AF_INET: +@@ -245,6 +246,14 @@ unsigned int get_proximity(struct sockaddr *host_addr) + hst6_addr = (struct in6_addr *) >sin6_addr; + ha6 = _addr->s6_addr32[0]; + addr_len = sizeof(*hst6_addr); ++ ++ /* The link-local address always seems to be a problem so ++ * ignore it when trying to work out if the address we have ++ * is reachable. ++ */ ++ if (I
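Review bot: this copy of the patch stops at `if (I`, right after the new comment "The link-local address always seems to be a problem so ignore it", so neither the link-local test itself nor the code that sets and consumes the newly introduced `at_least_one` is visible, and the modules/replicated.c hunks promised by the diffstat (19 lines) are missing entirely; the reviewable part is only the variable declaration and its initialisation to 0. Please attach the full debdiff so the reachability checks described in the cover letter can be checked against the code. One remark on what is visible: the comment says the link-local address "always seems to be a problem", which reads as a workaround note; stating the actual reason (a link-local interface address cannot be used to reach a host on another link) would make the intent reviewable without the mailing-list thread.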
Uploading linux (6.4.4-2)
Hi

I would like to upload linux version 6.4.4-2 later today. The rebase to a later 6.4.y will follow. The update consists of adding the kernel side mitigation for CVE-2023-20593 (Zenbleed) and fixes for CVE-2023-3776 and CVE-2023-3611. No ABI bump is done.

Additionally there is a packaging change as follows:

* [sh4] Add i2c-modules udeb for sh7785lcr flavor

Regards,
Salvatore
Uploading linux (6.4.4-1)
Hi

I would like to upload linux version 6.4.4-1 in the upcoming days to unstable. This is quite unfortunate as I wanted to have the security fixes from 6.3.11-1 for a while now in unstable, but the transition is blocked due to #1040178.

The new upload would consist of a new upstream version switching to the 6.4.y series in unstable. An ABI bump is included. Prominently the new version will finally fix CVE-2023-3269 (StackRot, cf. DSA-5448-1), and as well CVE-2023-31248 and CVE-2023-35001 in nf_tables.

Apart from switching from the 6.3.y to the 6.4.y series there are additional changes covering:

* [riscv64] enable CONFIG_SND_HDA_INTEL as module
* Compile with gcc-13 on all architectures
* [rt] Refresh "serial: 8250: implement non-BKL console"
* kernel/trace: Enable FPROBE
* d/rules.real: Fix CROSS_COMPILE definition for hppa native build (regression in 6.4~rc7-1~exp1)
* Include kbuild package into ABI. (closes: #1040178)
* [powerpc,riscv64,s390x] Enable DEBUG_INFO_BTF.
* [riscv64] Enable devices added in 6.4 for StarFive JH7110 RISC-V SoC: SENSORS_SFCTEMP, MMC_DW, MMC_DW_STARFIVE and STARFIVE_WATCHDOG.
* [hppa] Allow up to 16 CPUs with 32-bit kernel
* [hppa] Build some more fbdev graphic card drivers as modules
* Enable all RTW88 variants (USB + SDIO). (Closes: #1038409)
* [rt] Update to 6.4-rt6
* [x86] drivers/platform/x86/hp: Enable X86_PLATFORM_DRIVERS_HP (Closes: #1038799)
* mm: Enable Multi-Gen LRU implementation (by default) (Closes: #1030617)
* linux-perf: Add libtraceevent-dev to Build-Depends (fixes FTBFS on several architectures)
* linux-image: Define CROSS_COMPILE and CROSS_COMPILE_COMPAT more consistently
* [hppa] linux-headers: Fix toolchain dependencies
* [hppa] Make cross-builds work
* [m68k] Fix invalid .section syntax (fixes FTBFS)
* d/rules.real: Also remove executable bit from dtbo files
* [mips*]: Enable more drivers for boston
* [mips*]: Install dtbs for mipsel and mips64el
* linux-perf: Update build rules and dependencies for change to demangling
* linux-perf: Build C++ code with Debian standard compiler flags

Having 6.3.11-1 in testing would really have been preferred, but I understand people do not want to have #1040178 exposed, so let's try to move ahead with the 6.4.y series.

Ben and Bastian, let me know loudly if you disagree on the plan to upload 6.4.4-1 for unstable.

Regards,
Salvatore
Bug#1040818: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libx...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libxml2

Hi stable release managers,

[ Reason ]
libxml2 in bookworm and older is affected by CVE-2022-2309. The issue does not warrant a DSA, so I prepared an update to be included in the next point release.

[ Impact ]
CVE-2022-2309 remains open for bookworm.

[ Tests ]
None specifically.

[ Risks ]
The two commits are isolated.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The two commits from upstream do reset ctxt->nsNr to 0 in xmlCtxtReset (the original report) and as well in htmlCtxtReset to address the issue in libxml2.

[ Other info ]
None.

Thanks for considering accepting the update as well for bookworm. I'm aiming as well to do the same for bullseye-pu, but this has not been done yet.

Regards,
Salvatore

diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog --- libxml2-2.9.14+dfsg/debian/changelog2023-04-15 16:25:06.0 +0200 +++ libxml2-2.9.14+dfsg/debian/changelog2023-07-10 21:58:07.0 +0200
@@ -1,3 +1,17 @@ +libxml2 (2.9.14+dfsg-1.3~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm + + -- Salvatore Bonaccorso Mon, 10 Jul 2023 21:58:07 +0200 + +libxml2 (2.9.14+dfsg-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * Reset nsNr in xmlCtxtReset (CVE-2022-2309) (Closes: #1039991) + * Also reset nsNr in htmlCtxtReset (CVE-2022-2309) (Closes: #1039991) + + -- Salvatore Bonaccorso Sat, 08 Jul 2023 21:18:29 +0200 + libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch --- libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch 1970-01-01 01:00:00.0 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch 2023-07-10 21:58:07.0 +0200 @@ -0,0 +1,27 @@ +From: Nick Wellnhofer +Date: Thu, 28 Jul 2022 21:35:17 +0200 +Subject: Also reset nsNr in htmlCtxtReset +origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309 +Bug-Debian: https://bugs.debian.org/1039991 + +--- + HTMLparser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 9079fa8aa52d..1520663ba2af 100644 +--- a/HTMLparser.c b/HTMLparser.c +@@ -6743,6 +6743,8 @@ htmlCtxtReset(htmlParserCtxtPtr ctxt) + ctxt->nameNr = 0; + ctxt->name = NULL; + ++ctxt->nsNr = 0; ++ + DICT_FREE(ctxt->version); + ctxt->version = NULL; + DICT_FREE(ctxt->encoding); +-- +2.40.1 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch --- libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 1970-01-01 01:00:00.0 +0100 +++ libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 2023-07-10 21:58:07.0 +0200 
@@ -0,0 +1,27 @@ +From: Nick Wellnhofer +Date: Mon, 18 Jul 2022 20:59:45 +0200 +Subject: Reset nsNr in xmlCtxtReset +origin: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309 +Bug-Debian: https://bugs.debian.org/1039991 + +--- + parser.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/parser.c b/parser.c +index d278638dd6d4..e660b0a7d499 100644 +--- a/parser.c b/parser.c +@@ -14820,6 +14820,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) + ctxt->nameNr = 0; + ctxt->name = NULL; + ++ctxt->nsNr = 0; ++ + DICT_FREE(ctxt->version); + ctxt->version = NULL; + DICT_FREE(ctxt->encoding); +-- +2.40.1 + diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series --- libxml2-2.9.14+dfsg/debian/patches/series 2023-04-15 16:25:06.0 +0200 +++ libxml2-2.9.14+dfsg/debian/patches/series 2023-07-10 21:58:07.0 +0200 @@ -6,3 +6,5 @@ schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch +Reset-nsNr-in-xmlCtxtReset.patch +Also-reset-nsNr-in-htmlCtxtReset.patch
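Review bot: in the 2.9.14+dfsg-1.3 changelog entry both bullets carry (Closes: #1039991); one closer on the last bullet, or a single bullet "Reset nsNr in xmlCtxtReset and htmlCtxtReset (CVE-2022-2309) (Closes: #1039991)", would avoid listing the same bug twice in the generated .changes. The ~deb12u1 entry saying only "Rebuild for bookworm" is fine, since the content is unchanged from -1.3.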
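Review bot: the added `ctxt->nsNr = 0;` in xmlCtxtReset sits directly after `ctxt->nameNr = 0;` / `ctxt->name = NULL;`, which is the right spot: the namespace stack depth is reset together with the element-name stack instead of keeping whatever the previous parse left in it. As with nameNr two lines above, only the counter is reset, which is consistent with how the rest of the function handles its stacks, so no further change is needed in this hunk.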
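Review bot: the HTMLparser.c hunk applies the same two lines at the matching place in htmlCtxtReset (after `ctxt->name = NULL;`, before `DICT_FREE(ctxt->version);`), keeping the HTML and XML reset paths in sync. The upstream dates (18 Jul vs 28 Jul 2022) show this came as a follow-up to the xmlCtxtReset fix, so shipping only the first patch would leave the HTML parser path unfixed; the series hunk correctly adds both.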
Uploading linux (6.3.10-1)
Hi

I would like to upload linux version 6.3.10-1 in the upcoming days to unstable. It consists of importing as usual the new stable series 6.3.8 up to 6.3.10 and covers as well CVE-2023-2156 and CVE-2023-3390. An ABI bump is included for this update.

There are some other packaging changes apart from the stable imports pending with this upload:

* Ignore ABI changes for xfrm_bpf_md_dst (only for use in xfrm subsystem)
* [amd64,arm64] drivers/virtio: Enable VIRTIO_MEM as module (Closes: #1038665)
* Bump ABI to 2
* Add pkg.linux.mintools profile for building minimal userland tools
* d/b/test-patches: Build linux-{kbuild,bootwrapper} packages (Closes: #871216, #1035359)
* [hppa] Allow up to 16 CPUs with 32-bit kernel

Regards,
Salvatore
Bug#1038390: bookworm-pu: package vte2.91/0.70.6-1~deb12u1
Hi Simon,

On Sat, Jun 17, 2023 at 03:22:21PM +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: vte2...@packages.debian.org, debian-b...@lists.debian.org, t...@security.debian.org
> Control: affects -1 + src:vte2.91
>
> [ Reason ]
> Fix an infinite-loop bug processing a particular control sequence.
> (#1037919, LP: #2022019)
>
> [ Impact ]
> If unfixed, the infinite loop could be triggered by a malicious program
> accessed via ssh, telnet or similar protocols and used as a denial of
> service. I asked the security team whether they wanted to do a DSA for
> this and haven't heard back, so I'm assuming the answer is no.

Apologies, we missed replying to your question in #1037919. The point release approach looks indeed fine.

FWIW, do you know if upstream has requested a CVE for it?

Regards,
Salvatore
Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
>
> Dear Release team,
>
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
>
> [ Reason ]
> Grave bug #1036706 has been filed a few days before the release of Bookworm.
> This is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was the fix of this bug, which amounts to cherry-picking one commit of
> upstream, should land in Bookworm during a point release.
>
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this is
> where there might be some hazard.
>
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
>
> [ Risks ]
> Code is very simple, only 2 lines are changed. Upstream has published it
> three weeks ago and it has issued new upstream versions since then.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
>
> Thanks for your help,
>
> Best,
>
> --
> Pierre

> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog > xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog > --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 > 14:24:45.0 +0100 > +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 > 23:19:59.0 +0200 > @@ -1,3 +1,9 @@ > +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium > + > + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm) > + > + -- Pierre Gruet Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore
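Review bot: the changelog bullet "Using a random UUID for the connection" understates what the cherry-pick does; per the [ Changes ] section the UUID replaces the hash of a fixed address in the DB file name, so a wording like "* Use a random UUID instead of a fixed-address hash for the DB file name (CVE-2023-32697) (Closes: #1036706)" would document both the change and the bug it fixes in one line.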
Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4
Hi Joseph,

[disclaimer: not a release team member, but I believe I can give input on the debdiff below]

On Mon, Jun 12, 2023 at 08:19:55PM -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: kanbo...@packages.debian.org, j...@nahmias.net
> Control: affects -1 + src:kanboard
>
> [ Reason ]
> Security updates for kanboard since v1.2.26.
>
> [ Tests ]
> upstream's unit test suite is run at build time and via autopkgtest.
> there are also some other (superficial) autopkgtests.
>
> [ Risks ]
> All listed CVEs have targeted fixes picked from upstream github.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Other info ]
>
> My first stable update, so please advise if I missed anything.
> --Joe

> diff -Nru kanboard-1.2.26+ds/debian/changelog > kanboard-1.2.26+ds/debian/changelog > --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.0 > -0400 > +++ kanboard-1.2.26+ds/debian/changelog 2023-06-07 20:45:40.0 > -0400
> @@ -1,3 +1,24 @@ > +kanboard (1.2.26+ds-4) unstable; urgency=medium > + > + * backport security fixes from kanboard v1.2.30 > + > CVE-2023-33956: Parameter based Indirect Object Referencing leading > + to private file exposure > + > CVE-2023-33968: Missing access control allows user to move and > + duplicate tasks to any project in the software > + > CVE-2023-33969: Stored XSS in the Task External Link Functionality > + > CVE-2023-33970: Missing access control in internal task links feature > +(Closes: #1037167) > + > + -- Joseph Nahmias Wed, 07 Jun 2023 20:45:40 -0400 > + > +kanboard (1.2.26+ds-3) unstable; urgency=medium > + > + * backport fix for CVE-2023-32685 from kanboard v1.2.29 > + > https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv > +Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874) > + > + -- Joseph Nahmias Sun, 28 May 2023 21:42:46 -0400

This seems to be the current debdiff between bookworm and the unstable version. But now that bookworm is released, a package does not migrate anymore from there to stable. What is needed above is to apply the needed patches on top of the 1.2.26+ds-2 version in testing and version it such that it is 1.2.26+ds-2+deb12u1.

The developers-reference has some additional hints:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Hope this helps,

Regards,
Salvatore
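Review bot: the -4 entry lists four CVEs but, unlike the -3 entry (which cites the GHSA advisory and upstream commits 26b6eeb & c9c1872), gives no upstream commit reference per CVE, so a reviewer cannot match each CVE to its backported patch from the changelog alone; add the commit ids or advisory links for CVE-2023-33956/33968/33969/33970, either in the bullets or in the DEP-3 Origin headers of the patches.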
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Hi Nicholas,

On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> Control: block 1033341 by -1
>
> Dear Salvatore and release team,
>
> Salvatore Bonaccorso writes:
>
> > On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> >> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium > >> + > >> + * Fix Org Mode command injection vulnerability CVE-2023-28617 by > >> backporting > >> +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like > >> src:emacs > >> +did (Closes: #1033341). Thanks to Rob Browning's work in that > >> package, > >> +fixing org-mode was trivially easy! > >> + > >> + -- Nicholas D Steeves Sun, 04 Jun 2023 13:26:52 -0400
> >
> > Small remark, for the bullseye pu update please target at 'bullseye'
> > not 'bullseye-security'.
> >
>
> Done. That was actually my first instinct, but I thought the existence
> of a CVE would destine the upload to the -security queue! I was wrong,
> but this is a teaching/learning moment.
>
> Is it as simple as: Use the -security queue when a DSA is needed,
> otherwise use the normal distribution code name and the foo-updates
> queue? No need to explain if it's more complicated and if you're busy.
> (I couldn't find documentation of this in the Dev Ref)

What is as well different for the uploads is to which upload queue you would upload in the end: ftp-master for the proposed-updates via point release, security-master for the security uploads.

There are two good entry points about the uploads for stable:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs

Hope this helps!

Regards,
Salvatore
Uploading linux (6.3.7-1)
Hi,

Happy bookworm release :).

I would like to upload linux version 6.3.7-1 in the upcoming days to unstable. It consists of a new upstream version switching from the 6.1.y series to 6.3.y. An ABI bump is included.

Apart from switching from 6.1.y to 6.3.y there are additional changes covering:

* [arm*] Add symbol information to raspberry pi device trees. This is useful when device tree overlays are used.
* [rt] Update to 6.3.3-rt15
* drivers/ptp: Make PTP_1588_CLOCK builtin (except armel/marvell) (Closes: #1036744)
* [riscv64] rtc: Enable RTC_DRV_DS1307, RTC_DRV_PCF85063 and RTC_DRV_PCF8563 as modules.
* [arm64,armhf] drivers/mailbox: Enable ROCKCHIP_MBOX
* [armhf] drivers/mailbox: Drop OMAP_MBOX_KFIFO_SIZE setting
* drivers/input/joystick: Enable INPUT_JOYSTICK by default (except for s390x and cloud configuration) (Closes: #1035063)
* [arm64] Improve support for rk3328 devices
  - drivers/clk: Enable COMMON_CLK
  - drivers/clk/rockchip: Enable CLK_RK3328
  - drivers/cpuidle[arm]: Enable ARM_PSCI_CPUIDLE_DOMAIN
  - drivers/gpio: Enable GPIO_ROCKCHIP as module
  - drivers/gpio: Enable GPIO_SYSCON as module
  - drivers/pinctrl: Enable PINCTRL_ROCKCHIP as module
  - drivers/power/reset: Enable SYSCON_REBOOT_MODE as module
  - drivers/soc/rockchip: Enable ROCKCHIP_GRF
* [arm64] Improve support for rk3399 devices
  - drivers/clk/rockchip: Enable CLK_RK3399
  - drivers/mmc/core: Enable PWRSEQ_SIMPLE
  - drivers/soc/rockchip: Enable ROCKCHIP_DTPM as module
  - drivers/usb/dwc3: Enable USB_DWC3_OF_SIMPLE as module
* [arm64] Improve support for rk356x devices
  - drivers/clk/rockchip: Enable CLK_RK3568
  - drivers/firmware/arm_scmi: Enable ARM_SCMI_TRANSPORT_SMC
  - drivers/gpu/drm/bridge: Enable DRM_DISPLAY_CONNECTOR as module
  - drivers/misc: Enable SRAM
* net/hsr: Enable PRP/HSR protocols as module (Closes: #1034506)
* drivers/net/wireless/realtek/rtw89: Enable RTW89_8852BE and RTW89_8852CE as modules (Closes: #1035569)
* drivers/tty: Unset LEGACY_TIOCSTI (Closes: #1033095)
* d/rules.real: Fix typo in setup_image target.
* [riscv64] Enable support for hardware added in Linux 6.2 and 6.3 based on the upstream defconfig update: ARCH_R9A07G043, ARCH_RENESAS, ARCH_SUNXI, DMADEVICES, DMA_SUN6I, DRM_SUN4I, HW_RANDOM_JH7110, I2C_MV64XXX, MMC_SUNXI, NOP_USB_XCEIV, NVMEM_SUNXI_SID, PHY_SUN4I_USB, REGULATOR, REGULATOR_FIXED_VOLTAGE, RTC_DRV_SUN6I, SERIAL_SH_SCI, SPI_SUN6I, STMMAC_ETH, SUN50I_IOMMU, SUNXI_WATCHDOG, USB_MUSB_HDRC, USB_MUSB_SUNXI.
* [mips*] Increase RELOCATION_TABLE_SIZE to 0x1d (fixes FTBFS)
* [sh4/sh7785lcr] Modularise drivers to shrink kernel image (fixes FTBFS):
  - ata: Change ATA, SATA_SIL from built-in to modular
  - SCSI: Change SCSI, BLK_DEV_SD from built-in to modular
  - USB: Change USB, USB_EHCI_HCD, USB_R8A66597_HCD,_USB_STORAGE from built-in to modular
  - udeb: Add ata-modules, scsi-core-modules, usb-modules packages
* [armel/marvell]: Disable features to shrink kernel image (fixes FTBFS):
  - security: Disable SECURITY_APPARMOR_EXPORT_BINARY
  - tcp: Disable MPTCP
  - tracing: Disable FUNCTION_TRACER
* linux-kbuild: Fix cross-build regression in objtool in 6.3
* linux-kbuild: Add support for objtool powerpc target
* d/templates: Improve package description for "header" packages
* d/rules.real: Enable limiting of compression threading
* [arm64,armhf] drivers/hwtracing/coresight: Enable components
* Enable MEI options for Intel ARC GPUs as modules (Closes: #1028463)
  - [amd64] drivers/gpu/drm/i915: Enable DRM_I915_PXP
  - [x86] drivers/misc/mei: Enable INTEL_MEI_GSC as module
  - [x86] drivers/misc/mei/pxp: Enable INTEL_MEI_PXP as module
* Enable Intel Trust Domain Extensions - Guest Support (Closes: #1032437)
  - [amd64] arch/x86: Enable INTEL_TDX_GUEST
  - [amd64] drivers/virt/coco/tdx-guest: Enable TDX_GUEST_DRIVER as module
* [amd64] drivers/platform/x86/intel/ifs: Enable Intel In-Field Scan (IFS) INTEL_IFS as module (Closes: #1033061)
* Update for 6.2:
  - libcpupower1: Update symbols file
  - d/patches: Forward and add patches to fix hardening issues
  - d/rules: Let blhc ignore perf tests binaries that are compiled without fortification (by Uwe Kleine-König)
  - [rt] Update to 6.2-rt3
* Update for 6.3:
  - linux-kbuild: Stop building bin2c
* iwlwifi: Enable device tracing
* [arm*] Enable NVMEM_RMEM which is useful (at least) on raspberry pi

Regards,
Salvatore
Bug#1037263: unblock: php8.2/8.2.7-1
Hi,

On Fri, Jun 09, 2023 at 08:06:41PM +0200, Ondřej Surý wrote:
>
>
> > On 9. 6. 2023, at 20:03, Paul Gevers wrote:
> >
> > Hi Ondřej,
> >
> >> On 09-06-2023 18:58, Ondřej Surý wrote:
> >> php8.2 8.2.7-1 is a security release, so it would be pretty
> >> wrong to release bookworm with the old PHP. I am sorry for
> >> the timing, but that's just coincidence.
> >
> > Sorry, but this is really about 1 week too late (we are in the quiet
> > period to prepare for tomorrow). From last weekend on security issues are
> > handled by the security team. Otherwise you can prepare a point release
> > update, but that's handled with different usertags and meta data.
>
> I’ve already reached out to the security team, so I guess we’ll handle
> it there. I didn’t know that bookworm-security has been open now.

Let's close this unblock request; as mentioned already in the mail to team@s.d.o we can go through bookworm-security.

Only thing to be careful about here is the used version, as 8.2.7-1 will go to unstable, for bookworm-security we would have 8.2.7-1~deb12u1 (as this is just a rebuild of the version; if on the other hand the packaging would have diverged and importing a new upstream version on top, then it would have been 8.2.7-0+deb12u1).

Regards,
Salvatore
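Salvatore's point about which version sorts where (and the same rule behind the kanboard remark earlier in this archive, where the 1.2.26+ds-4 in unstable cannot serve as the bookworm update) can be checked with `dpkg --compare-versions`. The following Python reimplementation of that ordering is an added example, not code from the thread or from dpkg; the names `deb_cmp` and `stable_update_fits` are chosen here.

```python
"""Debian version ordering, as used to pick stable-update version numbers.

Added illustration for the thread's versioning points (8.2.7-1~deb12u1 vs
8.2.7-0+deb12u1 for php8.2, 1.2.26+ds-2+deb12u1 vs 1.2.26+ds-4 for
kanboard). Not code from the thread or from dpkg: deb_cmp() re-implements
the ordering that dpkg --compare-versions applies (Debian Policy 5.6.12);
the function names are chosen here.
"""


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run (dpkg's order())."""
    if not c or c.isdigit():
        return 0                 # end of string / digit boundary
    if c.isalpha():
        return ord(c)            # letters sort by code point
    if c == "~":
        return -1                # '~' sorts before anything, even the end
    return ord(c) + 256          # other punctuation sorts after letters


def _verrev_cmp(a: str, b: str) -> int:
    """Compare two fragments (upstream part or Debian revision) dpkg-style.

    Alternates between lexical comparison of non-digit runs (with the
    weights above) and numeric comparison of digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: character by character with dpkg's weights
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros; a longer run is a larger number,
        # for equal length the first differing digit decides
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                          # no hyphen: everything is upstream
        upstream, revision = version, ""
    return epoch, upstream, revision


def deb_cmp(v1: str, v2: str) -> int:
    """<0, 0, >0 as dpkg --compare-versions lt / eq / gt would report."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrev_cmp(u1, u2) or _verrev_cmp(r1, r2)


def stable_update_fits(candidate: str, in_stable: str, in_unstable: str) -> bool:
    """A stable update must sort above what stable has and below what
    unstable has, so it replaces the stable package now and is itself
    superseded again on the next dist-upgrade."""
    return deb_cmp(in_stable, candidate) < 0 and deb_cmp(candidate, in_unstable) < 0


if __name__ == "__main__":
    # php8.2: rebuild of the unstable version -> 1~deb12u1; new upstream on
    # top of diverged packaging -> 0+deb12u1. Both sort below 8.2.7-1.
    for v in ("8.2.7-1~deb12u1", "8.2.7-0+deb12u1"):
        print(v, "< 8.2.7-1:", deb_cmp(v, "8.2.7-1") < 0)
    # kanboard: -4 is what unstable has, so it cannot be the bookworm
    # update; -2+deb12u1 sits between the stable and unstable versions.
    print(stable_update_fits("1.2.26+ds-4", "1.2.26+ds-2", "1.2.26+ds-4"))
    print(stable_update_fits("1.2.26+ds-2+deb12u1", "1.2.26+ds-2", "1.2.26+ds-4"))
```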
Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1
Hi,

On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium > + > + * Fix Org Mode command injection vulnerability CVE-2023-28617 by > backporting > +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs > +did (Closes: #1033341). Thanks to Rob Browning's work in that package, > +fixing org-mode was trivially easy! > + > + -- Nicholas D Steeves Sun, 04 Jun 2023 13:26:52 -0400

Small remark, for the bullseye pu update please target at 'bullseye' not 'bullseye-security'.

Regards,
Salvatore
Bug#1037079: unblock: configobj/5.0.8-2
Hi,

On Sun, Jun 04, 2023 at 09:50:23PM +0200, Sebastian Ramacher wrote:
> retitle 1037079 bookworm-pu: configobj/5.0.8-2
> tags 1037079 bookworm moreinfo
> user release.debian@packages.debian.org
> usertags 1037079 + pu - unblock
> thanks
>
> Hi Stefano
>
> On 2023-06-03 16:28:41 -0400, Stefano Rivera wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: config...@packages.debian.org
> > Control: affects -1 + src:configobj
> >
> > Please unblock package configobj
>
> We have entered the quiet period of bookworm [1]. Please consider
> fixing this issue via bookworm-pu. As this update fixes a security
> issue, please also check with the Security Team in case this update is
> worthy of a DSA.

As it does not warrant a DSA, the first bookworm point release is fine for it.

Regards,
Salvatore
Bug#1035748: marked as done (unblock: modsecurity/3.0.9-1)
Hi Paul,

On Sat, Jun 03, 2023 at 06:12:04AM +, Debian Bug Tracking System wrote:
[...]
> Hi,
>
> On 02-06-2023 22:50, Ervin Hegedüs wrote:
> > And these are the generated lines:
> >
> > https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/parser/Makefile.am#L36-L42
>
> And excluding those, I can now confirm that this looks like a targeted
> upstream fix release.
>
> unblocked.

Thanks for the unblock!

Regards,
Salvatore
Bug#1035748: unblock: modsecurity/3.0.9-1
Hi Paul,

On Thu, Jun 01, 2023 at 09:52:06PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
>
> Hi,
>
> On 28-05-2023 21:30, Alberto Gonzalez Iniesta wrote:
> > 2) The risks on the release quality are almost zero. Only
> > libnginx-mod-http-modsecurity depends on it (being modsecurity a
> > library).
>
> That's not the only part that we mean here. We also mean, how big is the
> risk we introduce new *unknown* issues.
>
> > 4) No idea
>
> Then I don't think so. If your upstream would have a decent stable update
> policy, they wouldn't introduce so many gratuitous changes (e.g. white space
> only).
>
> > 6) Yes
>
> I fail to spot it. Can you please point which version?
>
> > 7) It's too long but mainly because of line numbers being updated in code
> > comments, like:
> > -#line 1459 "seclang-parser.yy"
> > +#line 1461 "seclang-parser.yy"
> > 8) Not that many code changes
>
> Yet there is a huge amount of white space changes and other changes that
> look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> can we do a targeted security upload via security?

The targeted fix should be (Alberto, Ervin, can you confirm?) https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785 .

While it would have been nice to start with modsecurity without (known) security issues open in bookworm, I guess at this point of the release preparation, and soon entering the last week, skip it and the CVE can be fixed in the first bookworm point release.

Regards,
Salvatore

p.s.: The PCRE to PCRE2 switch is one other aspect why it would have been nice to have 3.0.9 in bookworm.
Re: should the Release Notes be updated concerning bookworm security
Hi Paul,

On Mon, May 29, 2023 at 02:36:22PM +0200, Paul Gevers wrote:
> Dear security team,
>
> I know it's a bit late, but are you aware of issues that are worth
> mentioning in the release notes from your point of view?
>
> We have updated the text about golang and rustc in this cycle, chromium got
> a mention about reduced support time wise and I updated the openjdk versions
> and dates. Is that all?
>
> Paul
>
> Current version jumping straight to the security section:
> https://www.debian.org/releases/testing/amd64/release-notes/ch-information.en.html#limited-security-support
> or the source:
> https://salsa.debian.org/ddp-team/release-notes/

Slight rewording for the sections proposed in https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/182 after exchanging with Moritz.

Regards,
Salvatore
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: jquer...@packages.debian.org
> Control: affects -1 + src:jqueryui
>
> [ Reason ]
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
>
> [ Impact ]
> Low security issue
>
> [ Tests ]
> Sadly tests are minimal in this package. Anyway passed
>
> [ Risks ]
> Low risk, patch is trivial
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Don't accept label outside of the root element
>
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog > index 3a6a587..9b1e9cc 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium > + > + * Team upload > + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: > CVE-2022-31160) > + > + -- Yadd Wed, 31 May 2023 15:08:55 +0400

Minor thing, you could as well close #1015982 with the upload.

Regards,
Salvatore
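Review bot: "(Closes: CVE-2022-31160)" in the changelog bullet is not a valid bug closer, since Closes: only acts on Debian bug numbers and a CVE id there closes nothing; write the CVE as plain text and put the bug in the closer, e.g. "* Checkboxradio: Don't re-evaluate text labels as HTML (CVE-2022-31160) (Closes: #1015982)".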
Bug#1036954: RM: matrix-synapse/1.78.0-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: matrix-syna...@packages.debian.org, matrix-syna...@packages.debian.org, t...@security.debian.org, Andrej Shadura , car...@debian.org
Control: affects -1 + src:matrix-synapse

Dear release team,

As discussed with Andrej in #1036806, matrix-synapse will be hard to support during the bookworm release cycle. To avoid shipping it initially with bookworm and then relatively quickly needing to ask for its removal, let's not ship it from the start.

See https://bugs.debian.org/1036806#30

Regards,
Salvatore
Bug#1036801: unblock: curl/7.88.1-10
Hi Samuel,

On Sun, May 28, 2023 at 12:17:21PM +0100, Samuel Henrique wrote:
> Hello Salvatore,
>
> > After a short discussion with Paul, wouldn't that imply though that
> > there is an soname bump needed? Do you know whether upstream has considered
> > this and if/or why not? Is there enough assurance nobody (even outside
> > Debian world) is using that symbol?
>
> Those are all good questions, I should have done a better job at
> explaining this, so let me try doing it now.
>
> sergiodj@ did a lot of work investigating this as well, so most of the
> things I'll be saying here are his findings (although if I say
> anything wrong here, blame it on me).
>
> The "curl_jmpenv" variable declaration was guarded by a "#ifdef
> HAVE_SIGSETJMP", but the variable would only be used on "#ifdef
> USE_ALARM_TIMEOUT".
> For Debian, "HAVE_SIGSETJMP" is true but "USE_ALARM_TIMEOUT" is false,
> this is because we use the threaded resolver.
>
> This means that "curl_jmpenv" was dead code, and double checking for
> mentions of "curl_jmpenv" on codesearch.d.n only returns packages
> which bundle curl, nothing using it.
>
> Considering the variable was exposed, but not used anywhere (in our
> builds with threaded resolver), I don't think there was any possible
> way dependencies could be making use of it in any meaningful way (this
> is talking about things outside of our official repositories now).

Thank you, I believe this is very important information to allow deciding on the unblock. Makes sense now to me, and from the security-tracker point of view I have marked the issue as unimportant (due to the implication of binary packages not being affected from the affected source).

> It doesn't make sense for upstream to bump SONAME because the variable
> can still be exposed depending on the build config, it's just that it
> wasn't supposed to be exposed for threaded resolvers first of all.

Understood, I think.

> The CVE that is being fixed by that change should not affect our
> binaries since we build with the threaded resolver, but I ended up
> making a decision to still apply the patch to safeguard even the
> sources.

Ok. I have updated the security-tracker accordingly, since we have the source fixed, but binary packages not affected.

> > These are just a couple of questions trying to understand what
> > potential questions from release team members may come for your unblock
> > request.
>
> Thank you for reviewing this.

Did not do much, but was sitting together with Paul from the release team to go through some unblock requests fixing CVEs, and curl was yet still on the radar of packages which did not pass.

> > p.s.: note it looks autopkgtest view for curl was still blocking it
> > because cwltool has a flaky test (on armel).
>
> Yeah, curl suffers quite a bit from these since tons of reverse-deps
> use it to fetch resources over the network and that's always flaky
> (not sure if it's the case with cwltool specifically, but I'm used to
> this sort of thing by now).

Ok.

Regards and thanks for your work on curl!
Salvatore
Re: Upcoming OpenSSL release
Hi Sebastian

On Sat, May 27, 2023 at 02:17:54PM +0200, Sebastian Andrzej Siewior wrote:
> Hi,
>
> there is an upcoming OpenSSL release scheduled for next TUE (2023-05-30)
> including one security fix of moderate severity [0].
> For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
> severity which were not yet addressed, the upcoming fix and an
> alternative fix for CVE-2022-4304).
> _Later_ (once time permits) I would open a pu for Bullseye to include
> the final release (1.1.1u) since it only contains fixes.

This sounds good, thanks, and I hope this time we can do the rebase to 1.1.1u in bullseye-pu accordingly. I suggest making sure this is early on the radar of the stable release managers for review, but feel free to ping.

> For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
> open an unblock bug for Bookworm. Looking at the history it contains 169
> commits and only fixes which don't qualify as security issues. (Same for
> the 1.1.1 series but I would prefer to do some testing first and push it
> slowly via pu since it is much further behind (not that I expect
> anything to happen)).
> The Bookworm release is scheduled for the 10th and the announce mail
> claims that the unblock should happen on the 28th (tomorrow) at the
> latest. This will be hard to achieve given that my time machine is
> currently out of operation. This probably means that I need to upload
> to Bookworm-security unless there are exceptions.

If Paul Gevers agrees then I think this is a good plan. If it is too risky for the release managers at this point and they would rather not do it, we have the bookworm-security infrastructure already set up. In the latter case we can have the upload done, have some exposure there, and upload a 3.0.9~deb12u1 released through bookworm-security (if done before the bookworm release, just without DSA advisory).

> Are there other preferences/ suggestions from the release or security
> team?

Release managers (Paul, Sebastian, Graham), I know you are right now busy with the last bits, but if you find time to comment that would be great. Would you be fine to process an unblock request for the security update for openssl rebasing to 3.0.9?

Regards,
Salvatore
Bug#1035748: unblock: modsecurity/3.0.9-1
Hi Alberto,

On Wed, May 24, 2023 at 12:26:33PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
>
> Hi,
>
> On Mon, 08 May 2023 18:16:51 +0200 Alberto Gonzalez Iniesta wrote:
> > A new upstream version of modsecurity fixes a security bug
> > (CVE-2023-28882, #1035083).
> > We also fixed a FTBFS in the meantime (#1034760).
> > Also nginx moved to pcre2, which we also did after the current version
> > in bookworm.
>
> Your message didn't reach our mail list, which typically is a bad sign
> because it means your debdiff is big. New upstream releases are typically
> not what we consider targeted fixes which are all we accept in this phase of
> the release. Please read the FAQ [1] and provide all relevant information
> pointed out there, particularly about upstream's policy on new releases.

Did you see Paul's query? I'm asking since the deadline for unblock requests is tomorrow already.

Regards,
Salvatore
Bug#1036081: pre-unblock: mariadb/1:10.11.3-1
Hi Otto,

On Wed, May 24, 2023 at 05:47:58PM +0200, Paul Gevers wrote:
> Hi Otto,
>
> On 24-05-2023 17:44, Otto Kekäläinen wrote:
> > The CI
> > detected a couple days ago a regression in Piuparts, potentially due
> > to recent adduser 1.133 upload, which I still need to debug and decide
> > what to do on.
>
> You can ignore it. It's known and being worked on.

Any news on the upload for unstable? The deadline for unblock requests is *tomorrow*.

Regards,
Salvatore
Bug#1036801: unblock: curl/7.88.1-10
Hi Samuel,

[not a member of the release team, but was going through some potential unblock requests with CVE fixes]

On Fri, May 26, 2023 at 06:03:13PM +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: c...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
>
> Please unblock package curl
>
> [ Reason ]
> 4 CVE fixes:
>
> * Add new patches to fix CVEs (closes: #1036239):
> - CVE-2023-28319: UAF in SSH sha256 fingerprint check
> - CVE-2023-28320: siglongjmp race condition
> - CVE-2023-28321: IDN wildcard match
> - CVE-2023-28322: more POST-after-PUT confusion
> * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
> CVE-2023-28320
>
> [ Impact ]
> The highest CVE severity from upstream is "Moderate".
>
> [ Tests ]
> Curl has an extensive test suite that's run at build time and on
> autopkgtest, no regressions were detected.
>
> [ Risks ]
> The patches didn't require any changes which would be worrying.
> Regarding the "curl_jmpenv", there's no package on Debian using that.

After a short discussion with Paul, wouldn't that imply though that there is an soname bump needed? Do you know whether upstream has considered this and if/or why not? Is there enough assurance nobody (even outside the Debian world) is using that symbol?

Curl upstream has the following on it: https://curl.se/libcurl/abi.html

These are just a couple of questions trying to understand what potential questions from release team members may come for your unblock request.

Regards,
Salvatore

p.s.: note it looks like the autopkgtest view for curl was still blocking it because cwltool has a flaky test (on armel).
Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3
Hi Gregor,

On Tue, May 23, 2023 at 02:56:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Gregor,
>
> On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: c-a...@packages.debian.org
> > Control: affects -1 + src:c-ares
> >
> > Hello,
> >
> > [ Reason ]
> >
> > yesterday a version 1.19.1 of c-ares was released which fixes four CVEs.
> > The Debian Security team considers two of them relevant for Debian and
> > I'd like to cherry-pick them into the unstable package so that the fixes
> > can migrate to Bookworm.
> >
> > Attached you'll find the debdiff. The changes are also visible in Salsa:
> > https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> >
> > [ Impact ]
> >
> > CVE-2023-31130 has a CVSS score of 4.1
> > CVE-2023-32067 has a CVSS score of 7.5
> >
> > [ Tests ]
> >
> > On the experimental branch I enabled the unit and integration tests:
> > would you consider that commit as acceptable, too?
> > https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> >
> > [ Risks ]
> >
> > The fix for the 0-byte DoS issue seems to be straight-forward.
> > The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> > is covered by the unit tests.
> >
> > Both changes are part of the 1.19.1 release which built and passed
> > tests on experimental (except Hurd):
> > https://buildd.debian.org/status/package.php?p=c-ares=experimental
> >
> > [ Checklist ]
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > unblock c-ares/1.18.1-3
>
> Glad to see you worked on it already. I was on it today to propose a
> NMU, due to the deadline for bookworm approaching quickly, until
> Moritz pointed out to me that you had already filed an unblock
> request pre-approval.
>
> Attached for reference what I did, and so they match. Release team,
> can you accept it as we would like to see as well a bullseye-security
> upload for the same two CVEs and avoid a regression
> bullseye->bookworm?
>
> Leaving open the question on enabling the testsuite.

Since the deadline for unblock requests is approaching quickly I
suggest focusing on the isolated security fixes only. Last possibility
to get packages unblocked is 2023-05-28 12:00 UTC.

Regards,
Salvatore
Bug#1036806: matrix-synapse: not suitable for inclusion in bookworm
Source: matrix-synapse
Version: 1.78.0-1
Severity: serious
Tags: upstream security
X-Debbugs-Cc: Andrej Shadura, debian-release@lists.debian.org, car...@debian.org, Debian Security Team

Hi Andrej,

I believe matrix-synapse is still in the same status as for #982991 back
for the bullseye release, and not suitable to be included in bookworm as
a stable release. As such let's have it removed from bookworm if you
agree.

If this is not correct, we need to have assurance that security fixes
arising during the bookworm cycle can be addressed.

Regards,
Salvatore
Re: Bug#1034824: tomcat9 should not be released with Bookworm
hey all,

I was involved with a discussion on site here in Hamburg with Paul
about it.

On Fri, May 26, 2023 at 10:58:48AM +0200, Moritz Muehlenhoff wrote:
> On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> > First of all trapperkeeper-webserver-jetty9-clojure should add a
> > build-dependency on logback to detect such regressions in advance.
> >
> > #1036250 is mainly a logback problem, not a tomcat problem. I still
> > would like to hear Emmanuel's opinion. We still could revert to
> > libtomcat9-java, if we don't find a solution though.
> >
> > The tomcatjss / dogtag-pki situation is simple too. If there is no way
> > to make the application work with Tomcat 10, then there are three
> > options:
> >
> > 1. Embed Tomcat 9 in your application by creating a standalone jar
> >
> > 2. Continue to use the current Tomcat 9 package as is but make sure
> > that nobody else than dogtag-pki uses it. (Package descriptions should
> > be adjusted, and the binary tomcat9 package should be probably removed
> > too) Nobody should think that we support two major Tomcat versions.
> >
> > In any case the dogtag-pki maintainers must commit to at least three
> > years of security support, web application + Tomcat 9. Otherwise this
> > is pointless.
> >
> > 3. Remove dogtag-pki and tomcatjss from testing and prepare backports
> > as soon as dogtag-pki and Co support Tomcat 10.
>
> Can't we just do the pragmatic fix of updating src:tomcat9 to only ship
> libtomcat9-java and libtomcat9-embed-java? The maintenance burden for
> security updates lies within the server stack, the percentage of issues
> affecting the libtomcat9-java binary packages as used by rdeps will be
> small to none?

This indeed would have been the most desirable and pragmatic approach,
which was looked at, but my (limited!) understanding of the situation
is still that this won't work out as we have dogtag-pki's pki-server
binary package depending on tomcat9-user:

respighi:~$ dak rm --suite=bookworm -n -R -b tomcat9-user
Will remove the following packages from bookworm:

tomcat9-user |   9.0.70-1 | all

Maintainer: Debian Java Maintainers

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
dogtag-pki: pki-server

Dependency problem found.

See the followup on that by Markus in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#45 ; the
answer seems to be, from the answer from Timo Aaltonen, that a switch
to tomcat10-user won't work ...

Thus the proposal to at this stage keep both source packages. Paul made
another way forward in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#98 which now
involves one dependency rollback and documenting in the release notes
and debian-security-support what support level we can expect during the
bookworm cycle for src:tomcat9.

To otherwise drop the tomcat9 and tomcat9-user binary packages it would
be needed to drop dogtag-pki as well.

Does this make sense for you Moritz?

Salvatore
Bug#1036678: unblock: ffmpeg/7:5.1.3-1
Hi release team,

On Wed, May 24, 2023 at 12:46:45PM +0200, Sebastian Ramacher wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package ffmpeg
>
> [ Reason ]
> ffmpeg releases stable updates with security fixes on a regular basis.
> For Debian (old)stable, we publish these updates via DSAs. For bookworm,
> we intend to follow 5.1.x release series. The upload to unstable updates
> ffmpeg to the latest release of this series.

FTR, confirming this will be followed as well for bookworm after the
release, similar to what is already done for bullseye and buster as
explained above by Sebastian.

Regards,
Salvatore
Bug#1036531: unblock: firefox-esr/102.11.0esr-1
Hi Release team,

On Mon, May 22, 2023 at 09:57:13AM +0900, Mike Hommey wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package firefox-esr
>
> [ Reason ]
> Security update for Firefox. The same package has already reached
> bullseye.
>
> [ Impact ]
> See above
>
> [ Tests ]
> Usual smoke tests
>
> [ Risks ]
> See above.
>
> [ Other info ]
> There are no changes to the package debian/ directory other than
> debian/changelog. Everything else is upstream changes for the security
> update.
>
> unblock firefox-esr/102.11.0esr-1

To confirm: As we have 102.11.0esr-1~deb11u1 in bullseye, and this is
exactly what we will do as well for bookworm for DSAs, please do accept
this unblock request. According to grep-excuses there should not be
anything blocking it.

Thanks for your hard work for the release.

Regards,
Salvatore
Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1
Dear release team,

On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: x...@packages.debian.org, t...@security.debian.org,
> m...@daemonizer.de
> Control: affects -1 + src:xen
>
> Please unblock package xen.
>
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
>
> [ Impact ]
> The above mentioned CVEs are not fixed in bookworm.
>
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
>
> [ Risks ]
> There could be upstream changes unrelated to the above mentioned
> security fixes that cause regressions. However upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all tests pass.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, what we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.

I can confirm that this is indeed the strategy for src:xen we would
follow in bookworm as well, like for bullseye already.

Regards,
Salvatore
Bug#1036453: unblock: libvirt/9.0.0-4
Hi Andrea,

On Sun, May 21, 2023 at 12:37:17PM +0200, Andrea Bolognani wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libv...@packages.debian.org
> Control: affects -1 + src:libvirt
>
> Please unblock package libvirt
>
> [ Reason ]
>
> Fix CVE-2023-2700.
>
> [ Impact ]
>
> Fix CVE-2023-2700.
>
> [ Tests ]
>
> I haven't found tests covering this specific functionality. However,
> the change is part of libvirt 9.3.0, which is already in Debian
> experimental as well as other distributions such as Fedora, and to
> the best of my knowledge no issues with it have been reported.
>
> [ Risks ]
>
> The change has already been reviewed and accepted upstream. The
> function being patched hasn't changed between 9.0.0 and 9.3.0, so the
> backport was a clean one. I have reviewed the changes again in the
> context of the Debian package.
>
> [ Checklist ]
>
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> N/A
>
> unblock libvirt/9.0.0-4

I think in this case you can take advantage of
https://release.debian.org/testing/freeze_policy.html#full in "Applying
for an unblock", item 5: as the diff is very small and targeted to add
the missing g_free you could upload already to unstable to avoid the
additional roundtrip (in particular as the hard deadlines are
approaching).

Hope this helps,

Regards,
Salvatore
Bug#1036548: unblock: cups-filters/1.28.17-3
Hi,

On Tue, May 23, 2023 at 03:55:26PM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
> > Please unblock and age package cups-filters
> >
> > [ Reason ]
> > CVE-2023-24805 (RCE due to missing input sanitising)
> >
> > [ Impact ]
> > The user would be vulnerable to remote code execution.
> >
> > [ Tests ]
> > There is no special test for this patch, only a POC that no
> > longer worked after applying the patch.
> >
> > [ Risks ]
> > The patch was provided by upstream and approved by the security team
> > (upload to Bullseye already done).
> >
> > [ Checklist ]
> > [x] all changes are documented in the d/changelog
> > [x] I reviewed all changes and I approve them
> > [x] attach debdiff against the package in testing
> >
> > unblock cups-filters/1.28.17-3
>
> FWIW, it was as well for bullseye released via a DSA. Thorsten, there
> seems to be as well a piuparts regression blocking it, can you have a
> look?

Looking at the log from
https://piuparts.debian.org/sid/fail/cups-browsed_1.28.17-3.log it
looks like this can be ignored, as it is due to the adduser and
piuparts situation.

Regards,
Salvatore
Bug#1036548: unblock: cups-filters/1.28.17-3
Hi,

On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock and age package cups-filters
>
> [ Reason ]
> CVE-2023-24805 (RCE due to missing input sanitising)
>
> [ Impact ]
> The user would be vulnerable to remote code execution.
>
> [ Tests ]
> There is no special test for this patch, only a POC that no
> longer worked after applying the patch.
>
> [ Risks ]
> The patch was provided by upstream and approved by the security team
> (upload to Bullseye already done).
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> unblock cups-filters/1.28.17-3

FWIW, it was as well for bullseye released via a DSA. Thorsten, there
seems to be as well a piuparts regression blocking it, can you have a
look?

Regards,
Salvatore