[SECURITY] [DLA 815-1] ntfs-3g security update

2017-02-02 Thread Emilio Pozuelo Monfort

Package: ntfs-3g
Version: 1:2012.1.15AR.5-2.1+deb7u3
CVE ID : CVE-2017-0358

Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write
NTFS driver for FUSE, does not scrub the environment before executing
modprobe with elevated privileges. A local user can take advantage of
this flaw for local root privilege escalation.

For Debian 7 "Wheezy", these problems have been fixed in version
1:2012.1.15AR.5-2.1+deb7u3.

We recommend that you upgrade your ntfs-3g packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
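
The flaw class in this advisory is a privileged program launching a helper with whatever environment its unprivileged caller supplied. As an added example (not code from ntfs-3g or from the Debian patch), the C program below contrasts the inherited-environment call with one that hands the helper a fixed environment; `run_helper`, `CLEAN_ENV` and the variable `DEMO_HELPER_OPTIONS` are constructed for illustration, and `/bin/sh` stands in for the helper.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed, minimal environment handed to the helper; nothing is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run argv[0] (absolute path) and return its exit status, or -1 on failure.
 * scrub != 0: the child sees only CLEAN_ENV.
 * scrub == 0: the child inherits the caller's environment (the flawed pattern). */
int run_helper(char *const argv[], int scrub)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, scrub ? CLEAN_ENV : environ);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Returns 1 if the helper could see the caller-set variable, 0 if not. */
int helper_sees_caller_env(int scrub)
{
    /* Constructed variable standing in for any option the helper honours. */
    setenv("DEMO_HELPER_OPTIONS", "set-by-unprivileged-caller", 1);
    char *const argv[] = { "/bin/sh", "-c",
                           "test -n \"$DEMO_HELPER_OPTIONS\"", NULL };
    int rc = run_helper(argv, scrub);
    return rc < 0 ? -1 : rc == 0;
}

int main(void)
{
    printf("inherited env: helper sees variable = %d\n", helper_sees_caller_env(0));
    printf("scrubbed env:  helper sees variable = %d\n", helper_sees_caller_env(1));
    return 0;
}
```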



Wheezy update of libphp-phpmailer?

2017-02-02 Thread Guido Günther
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of libphp-phpmailer:
https://security-tracker.debian.org/tracker/source-package/libphp-phpmailer

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of libphp-phpmailer updates
for the LTS releases.

Thank you very much.

Guido Günther,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



LTS Report for January 2017

2017-02-02 Thread Roberto C. Sánchez
For January I spent 12.5 hours as follows:

* php5: multiple issues
  - CVE-2016-7125, CVE-2016-9137, CVE-2016-9138: researched and
    documented non-applicable or already fixed issues
  - CVE-2016-3141: picked up Raphaël's work in progress and based on his
    notes integrated/backported an additional patch, verified fix, and
    ensured unit test passed
  - CVE-2016-3142, CVE-2016-4342, CVE-2016-9934, CVE-2016-9935,
    CVE-2016-10158: integrated/backported upstream fixes, verified
    fixes, and ensured unit tests passed

Regards,

-Roberto

-- 
Roberto C. Sánchez



Accepted ntfs-3g 1:2012.1.15AR.5-2.1+deb7u3 (source amd64 all) into oldstable

2017-02-02 Thread Emilio Pozuelo Monfort

Format: 1.8
Date: Wed, 01 Feb 2017 19:51:36 +0100
Source: ntfs-3g
Binary: ntfs-3g ntfs-3g-dbg ntfs-3g-dev ntfs-3g-udeb ntfsprogs
Architecture: source amd64 all
Version: 1:2012.1.15AR.5-2.1+deb7u3
Distribution: wheezy-security
Urgency: medium
Maintainer: Daniel Baumann 
Changed-By: Emilio Pozuelo Monfort 
Description: 
 ntfs-3g    - read/write NTFS driver for FUSE
 ntfs-3g-dbg - read/write NTFS driver for FUSE (debug)
 ntfs-3g-dev - read/write NTFS driver for FUSE (development)
 ntfs-3g-udeb - read/write NTFS driver for FUSE (udeb)
 ntfsprogs  - read/write NTFS driver for FUSE (transitional package)
Changes: 
 ntfs-3g (1:2012.1.15AR.5-2.1+deb7u3) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2017-0358: modprobe influence vulnerability via environment variables.
Package-Type: udeb
