[SECURITY] [DLA 815-1] ntfs-3g security update
Package        : ntfs-3g
Version        : 1:2012.1.15AR.5-2.1+deb7u3
CVE ID         : CVE-2017-0358

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
1:2012.1.15AR.5-2.1+deb7u3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
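The flaw class named in the advisory above, shown as an added example that is not part of the advisory and is not the NTFS-3G patch: a privileged program that spawns a helper should pass it a fixed environment instead of the caller's. The function names, the variable DEMO_HELPER_OPTS and the use of /bin/sh as a stand-in helper are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the helper: nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/*
 * Run a helper by absolute path (hypothetical wrapper, not NTFS-3G code).
 * scrub != 0: the child receives only CLEAN_ENV.
 * scrub == 0: the child inherits the caller's environment, which is the
 *             unsafe pattern when the caller runs with elevated privileges.
 * Returns the helper's exit status, or -1 on error.
 */
int run_helper(const char *abs_path, char *const argv[], int scrub)
{
    extern char **environ;
    pid_t pid;
    int status;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* never resolve the helper via PATH */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, scrub ? CLEAN_ENV : environ);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed check: does a variable set by the caller reach the helper? 1 = yes. */
int variable_reaches_helper(int scrub)
{
    char *const argv[] = { "sh", "-c", "test -n \"$DEMO_HELPER_OPTS\"", NULL };

    setenv("DEMO_HELPER_OPTS", "constructed-value", 1);
    return run_helper("/bin/sh", argv, scrub) == 0;
}
```
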
Wheezy update of libphp-phpmailer?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libphp-phpmailer:
https://security-tracker.debian.org/tracker/source-package/libphp-phpmailer

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of libphp-phpmailer updates
for the LTS releases.

Thank you very much.

Guido Günther,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
LTS Report for January 2017
For January I spent 12.5 hours as follows:

* php5: multiple issues
  - CVE-2016-7125, CVE-2016-9137, CVE-2016-9138: researched and
    documented non-applicable or already fixed issues
  - CVE-2016-3141: picked up Raphaël's work in progress and based on
    his notes integrated/backported an additional patch, verified fix,
    and ensured unit test passed
  - CVE-2016-3142, CVE-2016-4342, CVE-2016-9934, CVE-2016-9935,
    CVE-2016-10158: integrated/backported upstream fixes, verified
    fixes, and ensured unit tests passed

Regards,

-Roberto

--
Roberto C. Sánchez
Accepted ntfs-3g 1:2012.1.15AR.5-2.1+deb7u3 (source amd64 all) into oldstable
Format: 1.8
Date: Wed, 01 Feb 2017 19:51:36 +0100
Source: ntfs-3g
Binary: ntfs-3g ntfs-3g-dbg ntfs-3g-dev ntfs-3g-udeb ntfsprogs
Architecture: source amd64 all
Version: 1:2012.1.15AR.5-2.1+deb7u3
Distribution: wheezy-security
Urgency: medium
Maintainer: Daniel Baumann
Changed-By: Emilio Pozuelo Monfort
Description:
 ntfs-3g      - read/write NTFS driver for FUSE
 ntfs-3g-dbg  - read/write NTFS driver for FUSE (debug)
 ntfs-3g-dev  - read/write NTFS driver for FUSE (development)
 ntfs-3g-udeb - read/write NTFS driver for FUSE (udeb)
 ntfsprogs    - read/write NTFS driver for FUSE (transitional package)
Changes:
 ntfs-3g (1:2012.1.15AR.5-2.1+deb7u3) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2017-0358: modprobe influence vulnerability via environment
     variables.