Bug#1081266: apache2: Reverse proxy via mod_rewrite broken after upgrade to 2.4.62-1~deb12u1

2024-09-10 Thread Bastien Roucariès
control: retitle -1 Regression: Reverse proxy via mod_rewrite broken after 2.4.62

On Tuesday, 10 September 2024, 15:18:48 UTC Salvatore Bonaccorso wrote:
> Hi,
> 
> On Tue, Sep 10, 2024 at 05:07:29PM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Tue, Sep 10, 2024 at 06:59:51AM +, Markus Wollny wrote:
> > > Package: apache2
> > > Version: 2.4.62-1~deb12u1
> > > Severity: important
> > > X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> > > 
> > > Dear Maintainer,
> > > 
> > > After upgrading the apache2 packages, we noticed that our SEO rewriting rules 
> > > in apache2 no longer worked and Tomcat tried to access non-existing file 
> > > paths with URL-encoded question marks.
> > > 
> > > I first noticed that this issue affects Debian 12, but I can confirm 
> > > that it also affects Debian 11, so this happens in oldstable, apache2 
> > > 2.4.62-1~deb11u1, too.
> > > 
> > > To show the issue, you'll want to enable the following mods:
> > > a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm rewrite
> > > 
> > > I have set up a balancer worker in mods-available/proxy_balancer.conf:
> > > 
> > > BalancerMember ajp://localhost:8009 secret=youllneverknow
> > > 
> > > 
> > > I have narrowed the issue down to using a proxy RewriteRule inside a 
> > > Directory block. So to reproduce, set up 
> > > /etc/apache2/sites-available/000-default.conf like this:
> > > 
> > > 
> > > ServerAdmin webmaster@localhost
> > > DocumentRoot /var/www/html
> > > 
> > > ErrorLog ${APACHE_LOG_DIR}/error.log
> > > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > > 
> > > 
> > > DirectoryIndex index.html
> > > RewriteEngine On
> > > RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> > > 
> > > 
> > > 
> > > To illustrate the issue, I have set up a simple /demo/ application in 
> > > Tomcat 10, but the problem is caused by the Apache2 webserver, so this 
> > > part is not relevant here.
> > > 
> > > Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to 
> > > http://127.0.0.1/foo/bar/?someparam will result in the following request 
> > > being proxied to tomcat, as is expected:
> > > GET /demo/index.jsp?rewrite=foo/bar/&someparam
> > > 
> > > After the upgrade to 2.4.62-1~deb12u1, the same request gets mangled:
> > > GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> > > 
> > > You can see that the complete parameter string is added twice now, with 
> > > the leading ? being escaped the first time around, which in turn causes 
> > > the path to be completely messed up, so Tomcat won't be able to find the 
> > > file and returns a 404 status.
> > > 
> > > When turning on debug logging in apache2, one can see that the request 
> > > path is still fine during mod_rewrite processing; it only gets broken 
> > > during mod_proxy processing. The issue does not occur when the 
> > > RewriteRule is placed outside of the Directory block. Unfortunately, this 
> > > is not a viable workaround for us: we really need to be able to use this 
> > > inside <Directory> and we need the full flexibility of mod_rewrite too, 
> > > so we cannot implement the same thing using ProxyPass, either. For now, 
> > > the only resolution is to downgrade the apache2 packages:
> > > 
> > > apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1 apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1 apache2-utils=2.4.61-1~deb12u1
> > > 
> > > After the downgrade, the RewriteRule with the proxy directive is back to 
> > > working as expected. As 2.4.62-1~deb12u1 contains security fixes, it 
> > > feels like having to pin the previous apache2 version is not a good 
> > > solution, but upgrading it is not possible until this is fixed.
> > > 
> > > If I had to guess, this may be caused by the following change:
> > > mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
> > >  "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
> > >  with BalancerMember(s).  PR 69168.  [Yann Ylavic]
> > 
> > Can you double-check whether this is #1079172, as reported upstream in
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ?
> 
> Actually after a quick discussion with Bastien, he pointed out to
> https://bz.apache.org/bugzilla/show_bug.cgi?id=69241 .

Yes, it is another regression of a regression.

It was first introduced by https://github.com/apache/httpd/pull/457

Bastien
> 
> Regards,
> Salvatore
> 



signature.asc
Description: This is a digitally signed message part.
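The report above describes the symptom in words: with QSA, the query string should be appended once, but after the regression the backend sees a percent-encoded `?` inside the path and the query string repeated. The following Python is an added example, not code from the bug report, Apache or the Debian package. It models my reading of the reported RewriteRule plus QSA (pattern matched against the path, original query appended with `&`), and diagnoses a captured backend request line for that signature. The rule, the sample client request and the two backend request lines are taken from the report; the function names and the dict layout are mine.

```python
import re
from urllib.parse import urlsplit

# The RewriteRule from the report, reduced to what matters for the request line:
#   RewriteRule ^/?(.*?)$ balancer://tomcat/demo/index.jsp?rewrite=$1 [P,L,QSA]
# In a <Directory> context mod_rewrite matches the pattern against the path
# only; the QSA flag then appends the client's original query string.
RULE_PATTERN = re.compile(r"^/?(.*?)$")
RULE_TARGET_PATH = "/demo/index.jsp"
RULE_TARGET_QUERY = "rewrite={captured}"


def expected_backend_uri(client_request_uri):
    """Request-URI the backend should receive for a client request-URI.

    This is a model of the rule above (my reading of mod_rewrite + QSA), not
    Apache's own code: substitute the capture into the target, then append the
    original query string with '&' because of QSA.
    """
    parts = urlsplit(client_request_uri)
    match = RULE_PATTERN.match(parts.path)
    query = RULE_TARGET_QUERY.format(captured=match.group(1))
    if parts.query:
        query += "&" + parts.query
    return f"{RULE_TARGET_PATH}?{query}"


def diagnose_backend_request_line(request_line):
    """Check a backend request line ('GET <uri>') for the reported symptom.

    The regression shows up as a percent-encoded '?' (%3F) inside the path
    component, with the whole query string then repeated after a literal '?'.
    Returns a dict so the caller can log the verdict field by field.
    """
    method, _, uri = request_line.strip().partition(" ")
    path, _, query = uri.partition("?")          # split at the first literal '?'
    encoded_qmark_in_path = "%3f" in path.lower()
    # Mangled form: path == "<real path>%3F<query>" and the query repeated verbatim.
    query_duplicated = encoded_qmark_in_path and path.lower().endswith(
        "%3f" + query.lower()
    )
    return {
        "method": method,
        "path": path,
        "query": query,
        "encoded_qmark_in_path": encoded_qmark_in_path,
        "query_duplicated": query_duplicated,
        "ok": not encoded_qmark_in_path,
    }


def backend_matches_rule(client_request_uri, backend_request_line):
    """True when the backend saw exactly what the rule (with QSA) should produce."""
    _, _, uri = backend_request_line.strip().partition(" ")
    return uri == expected_backend_uri(client_request_uri)


# Sample values taken from the bug report; constructed test input, no server needed.
CLIENT_REQUEST = "/foo/bar/?someparam"
BACKEND_BEFORE = "GET /demo/index.jsp?rewrite=foo/bar/&someparam"
BACKEND_AFTER = "GET /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam"

if __name__ == "__main__":
    for label, line in (("2.4.61", BACKEND_BEFORE), ("2.4.62", BACKEND_AFTER)):
        verdict = diagnose_backend_request_line(line)
        state = "OK" if backend_matches_rule(CLIENT_REQUEST, line) else "MANGLED"
        print(f"{label}: {state} path={verdict['path']!r} "
              f"encoded_qmark={verdict['encoded_qmark_in_path']} "
              f"duplicated={verdict['query_duplicated']}")
```

Run against request lines taken from the backend's access log (or from `tcpdump` of the AJP connection), `diagnose_backend_request_line` gives a quick yes/no on whether the proxied request still carries the encoded-`?` signature, which is handy when verifying a fixed apache2 package before lifting a version pin.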


Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
control: tags -1 + upstream

On Friday, 30 August 2024, 12:59:12 UTC Christian Marillat wrote:
> On 30 August 2024 12:45, Bastien Roucariès wrote:
> 
> 
> [...]
> 
> >> >> Yes, as Magick++-7.Q16HDRI isn't the expected name.
> >> >
> >> > Does renaming to  Magick++-7Q16HDRI.pc fix it ?
> >> 
> >> Not at all. meson expects a Magick++.pc
> >
> > Yes but this is shipped by the Q16 package 
> >
> > Does installing libmagick++-dev, which should install the correct default, fix it?
> >
> > If so, the bug lies in meson, which wants the HDRI version.
> 
> No, because upstream doesn't provide a .pc file to search for HDRI libraries.
> 
> "Magick++-7.Q16HDRI" is specific to Debian and can't be used in other
> distributions.
So the bug lies upstream.

Can you open a bug against upstream about your need?

Upstream is overbooked; a patch is welcome. I suppose patching configure.ac is 
the way to go. Use the same name as Debian in this case.

Last time I asked magick it was OK, but it lacked a use case for this.

rouca
> 
> Christian
>  
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
On Friday, 30 August 2024, 12:43:24 UTC Christian Marillat wrote:
> On 30 August 2024 12:39, Bastien Roucariès wrote:
> 
> > On Friday, 30 August 2024, 12:33:31 UTC Christian Marillat wrote:
> >> On 30 August 2024 12:23, Bastien Roucariès wrote:
> >> 
> >> > On Friday, 30 August 2024, 12:12:43 UTC Christian Marillat wrote:
> >> >> On 30 August 2024 09:33, Bastien Roucariès wrote:
> >> >>
> >> >> [...]
> >> >> 
> >> >> > pkgconf with the HDRI name coded in it should work
> >> >> > pkgconf --libs Magick++-7.Q16HDRI
> >> >> 
> >> >> But as I said before, Magick++-7.Q16HDRI isn't a standard pkgconf 
> >> >> name.
> >> >
> >> > What do you mean by a standard name? Does it generate an error?
> >> 
> >> Yes, as Magick++-7.Q16HDRI isn't the expected name.
> >
> > Does renaming to Magick++-7Q16HDRI.pc fix it?
> 
> Not at all. meson expects a Magick++.pc

Yes, but this is shipped by the Q16 package.

Does installing libmagick++-dev, which should install the correct default, fix it?

If so, the bug lies in meson, which wants the HDRI version.


> 
> Christian
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
On Friday, 30 August 2024, 12:33:31 UTC Christian Marillat wrote:
> On 30 August 2024 12:23, Bastien Roucariès wrote:
> 
> > On Friday, 30 August 2024, 12:12:43 UTC Christian Marillat wrote:
> >> On 30 August 2024 09:33, Bastien Roucariès wrote:
> >>
> >> [...]
> >> 
> >> > pkgconf with the HDRI name coded in it should work
> >> > pkgconf --libs Magick++-7.Q16HDRI
> >> 
> >> But as I said before, Magick++-7.Q16HDRI isn't a standard pkgconf name.
> >
> > What do you mean by a standard name? Does it generate an error?
> 
> Yes, as Magick++-7.Q16HDRI isn't the expected name.

Does renaming to Magick++-7Q16HDRI.pc fix it?


> 
> ,
> | Called: `/usr/bin/pkg-config --modversion Magick++` -> 1
> | stderr:
> | Package Magick++ was not found in the pkg-config search path.
> | Perhaps you should add the directory containing `Magick++.pc'
> | to the PKG_CONFIG_PATH environment variable
> | Package 'Magick++', required by 'virtual:world', not found
> | ---
> | CMake binary for host machine is not cached
> | CMake binary missing from cross or native file, or env var undefined.
> | Trying a default CMake fallback at cmake
> | Did not find CMake 'cmake'
> | Found CMake: NO
> | Dependency lookup for Magick++ with method 'cmake' failed: CMake binary for machine host machine not found. Giving up.
> | Run-time dependency magick++ found: NO (tried pkgconfig)
> | 
> | ../meson.build:19:2: ERROR: Dependency "Magick++" not found, tried pkgconfig
> `
> 
> 
> Christian
> 
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
On Friday, 30 August 2024, 12:12:43 UTC Christian Marillat wrote:
> On 30 August 2024 09:33, Bastien Roucariès wrote:
> 
> 
> [...]
> 
> > pkgconf with the HDRI name coded in it should work
> > pkgconf --libs Magick++-7.Q16HDRI
> 
> But as I said before, Magick++-7.Q16HDRI isn't a standard pkgconf name.

What do you mean by a standard name? Does it generate an error?
> 
> > BTW, for slow FPUs HDRI is not a good idea, and I believe the Q16 integer
> > version, except for some exceptions (like astronomy packages), is better
> > suited for Debian.
> 
> Then why do we have HDRI packages?
> 
> For now, we don't have any reverse dependencies for all hdri
> imagemagick 6 packages.
> 
> Maybe a good idea to remove these packages with imagemagick 7.

No, because there are some scientific users for this.

> 
> ,
> | $ apt-cache rdepends libmagick++-6.q16hdri-9t64 libmagickcore-6.q16hdri-7-extra libmagickcore-6.q16hdri-7t64 libmagickwand-6.q16hdri-7t64 
> | libmagick++-6.q16hdri-9t64
> | Reverse Depends:
> |   libmagick++-6.q16hdri-dev
> | libmagickcore-6.q16hdri-7-extra
> | Reverse Depends:
> |   libmagickcore-6.q16hdri-dev
> |   libmagickwand-6.q16hdri-dev
> |   imagemagick-6.q16hdri
> |   libmagickcore-6.q16hdri-7t64
> | libmagickcore-6.q16hdri-7t64
> | Reverse Depends:
> |   libmagickwand-6.q16hdri-7t64
> |   libmagickcore-6.q16hdri-7-extra
> |   libmagickcore-6.q16hdri-dev
> |   libmagickcore-6.q16hdri-7-extra
> |   imagemagick-6.q16hdri
> |   libmagick++-6.q16hdri-9t64
> |   libimage-magick-q16hdri-perl
> | libmagickwand-6.q16hdri-7t64
> | Reverse Depends:
> |   imagemagick-6.q16hdri
> |   libmagickwand-6.q16hdri-dev
> |   libmagickcore-6.q16hdri-7-extra
> |   libmagick++-6.q16hdri-9t64
> `
> 
> Christian
> 
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
On Friday, 30 August 2024, 09:33:29 UTC Bastien Roucariès wrote:
> On Friday, 30 August 2024, 09:26:54 UTC Christian Marillat wrote:
> > On 30 August 2024 08:23, Bastien Roucariès wrote:
> > 
> > > control: tags -1 + moreinfo
> > >
> > > Hi,
> > >
> > > Magick++.pc is the name of the default config that is shipped by the Q16 
> > > version.
> > >
> > > I would like to avoid a conflict with the Q16 package, so for me this will be
> > > won't-fix, unless you could propose a patch for the alternatives system,
> > > but I really dislike builds using the alternatives system.
> > > Then tell me how to build a source with HDRI in Debian using pkgconf?
> 
> pkgconf with the HDRI name coded in it should work
> pkgconf --libs Magick++-7.Q16HDRI
> 
> BTW, for slow FPUs HDRI is not a good idea, and I believe the Q16 integer 
> version, except for some exceptions (like astronomy packages), is better suited for 
> Debian.
> 
> Using the HDRI range for virtual reality seems to me a bad idea performance-wise 
> and real-time-wise.

For arm, for instance, if you want dynamic range a better choice would be Q8HDRI 
using half-size floats.

I planned to create arch-optimized packages, but only after getting imagemagick7 into sid.

Bastien

> Bastien   
>  
> 
> > 
> > Christian
> > 
> 
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
On Friday, 30 August 2024, 09:26:54 UTC Christian Marillat wrote:
> On 30 August 2024 08:23, Bastien Roucariès wrote:
> 
> > control: tags -1 + moreinfo
> >
> > Hi,
> >
> > Magick++.pc is the name of the default config that is shipped by the Q16 
> > version.
> >
> > I would like to avoid a conflict with the Q16 package, so for me this will be
> > won't-fix, unless you could propose a patch for the alternatives system,
> > but I really dislike builds using the alternatives system.
> > Then tell me how to build a source with HDRI in Debian using pkgconf?

pkgconf with the HDRI name coded in it should work
pkgconf --libs Magick++-7.Q16HDRI

BTW, for slow FPUs HDRI is not a good idea, and I believe the Q16 integer version, 
except for some exceptions (like astronomy packages), is better suited for Debian.

Using the HDRI range for virtual reality seems to me a bad idea performance-wise 
and real-time-wise.

Bastien 
 

> 
> Christian
> 





Bug#1079558: HDRI16 is not the default: Magick++.pc

2024-08-30 Thread Bastien Roucariès
control: tags -1 + moreinfo

Hi,

Magick++.pc is the name of the default config that is shipped by the Q16 
version.

I would like to avoid a conflict with the Q16 package, so for me this will be won't-fix, 
unless you could propose a patch for the alternatives system, but I really dislike 
builds using the alternatives system.

Bastien



Bug#1079579: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u4

2024-08-24 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ca...@packages.debian.org
Control: affects -1 + src:cacti
User: release.debian@packages.debian.org
Usertags: pu



[ Reason ]
The previous upload failed debci; I forgot to backport the test.

[ Impact ]
Low, a few lines.

[ Tests ]
Salsa run.

[ Risks ]
The code is trivial.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [C] attach debdiff against the package in (old)stable
  [C] the issue is verified as fixed in unstable

[ Changes ]
- use salsa for testing
diff -Nru cacti-1.2.24+ds1/debian/changelog cacti-1.2.24+ds1/debian/changelog
--- cacti-1.2.24+ds1/debian/changelog	2024-08-11 17:28:54.0 +
+++ cacti-1.2.24+ds1/debian/changelog	2024-08-24 14:04:49.0 +
@@ -1,3 +1,11 @@
+cacti (1.2.24+ds1-1+deb12u4) bookworm; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Add SALSA-CI.
+  * Backport autopkgtest from trixie.
+
+ -- Bastien Roucari??s   Sat, 24 Aug 2024 14:04:49 +
+
 cacti (1.2.24+ds1-1+deb12u3) bookworm; urgency=medium
 
   * Non-maintainer upload by the LTS Security Team.
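Review bot: the new changelog entry does not cover the gbp.conf changes shipped in this same debdiff (the `[import-org]` to `[import-orig]` section rename and the `docs-source` component entries), so the checklist claim that all changes are documented in d/changelog does not hold; add a bullet such as `* debian/gbp.conf: fix import-orig section name and declare the docs-source component`. The `-- Bastien Roucari??s` line also shows mangled UTF-8 in the name and no e-mail address; worth confirming that the changelog in the uploaded package is clean UTF-8 and that this is only an artifact of how the debdiff was mailed.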
diff -Nru cacti-1.2.24+ds1/debian/gbp.conf cacti-1.2.24+ds1/debian/gbp.conf
--- cacti-1.2.24+ds1/debian/gbp.conf	2024-08-11 17:10:05.0 +
+++ cacti-1.2.24+ds1/debian/gbp.conf	2024-08-24 14:04:49.0 +
@@ -4,5 +4,9 @@
 [dch]
 meta = 1
 
-[import-org]
+[import-orig]
 filter = .gitignore
+component = [ 'docs-source' ]
+
+[export-orig]
+component = [ 'docs-source' ]
\ No newline at end of file
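Review bot: the file still ends without a trailing newline (`\ No newline at end of file` after `component = [ 'docs-source' ]`); add one so that later diffs stay clean and tools that read the file line by line behave. The rename of `[import-org]` to `[import-orig]` is a functional fix rather than cosmetic: under the misspelled section name the `filter = .gitignore` setting was never applied by `gbp import-orig`, so it deserves its own mention in the changelog.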
diff -Nru cacti-1.2.24+ds1/debian/salsa-ci.yml cacti-1.2.24+ds1/debian/salsa-ci.yml
--- cacti-1.2.24+ds1/debian/salsa-ci.yml	1970-01-01 00:00:00.0 +
+++ cacti-1.2.24+ds1/debian/salsa-ci.yml	2024-08-24 14:04:49.0 +
@@ -0,0 +1,7 @@
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+  RELEASE: 'bookworm'
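Review bot: both `include:` URLs pull the pipeline definition from the `master` branch of the salsa-ci-team repository, so the CI used to validate a stable update is unpinned and can change underneath the bookworm branch; that is the usual way to consume the shared Salsa pipeline, but a short comment next to `RELEASE: 'bookworm'` saying the value must be updated if the branch is re-targeted would help, since nothing else in this file ties it to the `+deb12u` versioning in the changelog.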
diff -Nru cacti-1.2.24+ds1/debian/tests/check-all-pages cacti-1.2.24+ds1/debian/tests/check-all-pages
--- cacti-1.2.24+ds1/debian/tests/check-all-pages	2024-08-11 17:13:39.0 +
+++ cacti-1.2.24+ds1/debian/tests/check-all-pages	2024-08-24 14:04:49.0 +
@@ -114,6 +114,7 @@
 FILTERED_LOG="$(grep -v \
  -e "AUTH LOGIN: User 'admin' authenticated" \
  -e "AUTH LOGIN FAILED: Local Login Failed for user 'admin' from IP Address '::1'." \
+ -e "AUTOM8 Attempted SQL Injection found in Tree Automation for the field variable." \
  -e "AUTOM8 .PID: .* Network " \
  -e "CMDPHP Not Already Set" \
  -e "CMDPHP SQL Backtrace: " \
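Review bot: the new `-e` entry filters out every occurrence of the AUTOM8 "Attempted SQL Injection found in Tree Automation for the field variable." message, so the test can no longer distinguish the three expected hits seen in the failing debci run from a regression that trips the same check on other input; consider counting the occurrences (and failing when the count changes) instead of discarding them, or at least add a comment next to the entry explaining why the message is expected, presumably as a side effect of the Tree Automation fixes in deb12u3. Minor: like the neighbouring entries the pattern is an unanchored basic regex, so its `.` characters match any byte; quoting them as `\.` would make the filter exact.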




Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3

2024-08-24 Thread Bastien Roucariès
On Saturday, 24 August 2024, 13:35:03 UTC Paul Gevers wrote:
> Hi Bastien,
> 
> On 24-08-2024 15:18, Bastien Roucariès wrote:
> > On Saturday, 24 August 2024, 11:03:38 UTC Paul Gevers wrote:
> >> I'm wondering if you may have hardened cacti and that if fails on that
> >> now. If this is to be expected, the string can be added to the "ignore"
> >> lines. I'm not an SRM, so I wonder how much time you still have. It
> >> might be better to have cacti in bookworm now, albeit with a broken test.
> > 
> > Can we have something like on ELTS, with a special queue that needs dcut 
> > migrate?
> 
> cacti has already been accepted into proposed-updates. The tests are run 
> to inform everyone of issues, to enable actions if needed. It's not nice 
> and trivial (IIUC) but if a package has issues, SRM can choose to skip 
> it when the point release is cut. Alternatively they can ignore the 
> failure and nothing special needs to happen in that case. Is that what 
> you're asking (I'm not sure I understood your question correctly)?

OK, but the LTS and ELTS teams use something better: a private queue that needs a manual 
dcut migrate command, which can be run only after the debci job.

In any case, see salsa here:
https://salsa.debian.org/debian/cacti/-/commit/49fcdcab9bbcbd9d202ed8d09ae2961c46f75fb5/pipelines?ref=bookworm

It seems to me to be a green light.

But if you want I could release ASAP or wait for the next iteration fixing the last 
opened CVE.

Bastien

> Paul
> 





Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3

2024-08-24 Thread Bastien Roucariès
On Saturday, 24 August 2024, 11:03:38 UTC Paul Gevers wrote:
> Hi,
> 
> On 24-08-2024 10:31, Bastien Roucariès wrote:
> > Could you reject it for the time of the investigation?
> 
> I'm wondering if you may have hardened cacti and that if fails on that 
> now. If this is to be expected, the string can be added to the "ignore" 
> lines. I'm not an SRM, so I wonder how much time you still have. It 
> might be better to have cacti in bookworm now, albeit with a broken test.

Can we have something like on ELTS, with a special queue that needs dcut migrate?

Bastien
> 
> Paul
> 
> 104s Unexpected output in /var/log/cacti/cacti.log:
> 104s 2024-08-24 06:02:11 - AUTOM8 Attempted SQL Injection found in Tree 
> Automation for the field variable.
> 104s 2024-08-24 06:02:12 - AUTOM8 Attempted SQL Injection found in Tree 
> Automation for the field variable.
> 104s 2024-08-24 06:02:12 - AUTOM8 Attempted SQL Injection found in Tree 
> Automation for the field variable.
> 





Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3

2024-08-24 Thread Bastien Roucariès
On Saturday, 24 August 2024, 06:04:39 UTC Paul Gevers wrote:
> Hi,
> 
> On 22-08-2024 17:38, Bastien Roucariès wrote:
> > [ Tests ]
> > Automated test and manual test of the application by myself and others, 
> > including users.
> 
> Did you run the autopkgtest? It now fails on the ci.d.n infrastructure 
> on all architectures. (Unfortunately, cacti has a rather large artifacts 
> file, so the logs are rotated a bit aggressive. I've retrigged the amd64 
> job to get new logs.)

Hi

Locally and on salsa, but I may have forgotten something.

Could you reject it for the time of the investigation?

Bastien
> 
> Paul
> 





Bug#1060103: New of imagemagick7

2024-08-23 Thread Bastien Roucariès
Hi,

On Wednesday, 21 August 2024, 12:53:39 UTC Bastien Roucariès wrote:
> On Tuesday, 20 August 2024, 07:37:46 UTC Bastien Roucariès wrote:
> > On Tuesday, 20 August 2024, 07:11:13 UTC Emilio Pozuelo Monfort wrote:
> > > On 28/07/2024 20:56, Bastien Roucariès wrote:
> > > > control: tags -1 - moreinfo
> > > > 
> > > > Hi,
> > > > 
> > > > The last reverse-deps pipeline of libmagick is not really bad:
> > > > https://salsa.debian.org/debian/imagemagick/-/pipelines/708187
> > > > 
> > > > A lot of failures are due to broken packages or packages that do not use pkgconfig.
> > > > 
> > > > I suppose we could go to experimental
> > > 
> > > Yes, uploading to experimental would be the first step, as I said on my 
> > > previous 
> > > email. Then we would need bug reports for packages that fail to build 
> > > against 
> > > imagemagick 7. Make those bugs block this one and use some usertag to 
> > > ease tracking.
> > > If you want this to be done for trixie, we need to move fast.

I have just tested and linked the FTBFS packages to this bug.
> > 
> > OK, will go tonight.
> 
> Just pushed to NEW.
> > > 
> > > Cheers,
> > > Emilio
> > > 
> > 
> > 
> 
> 





Bug#1079465: FTBFS with newer imagemagick7

2024-08-23 Thread Bastien Roucariès
Source: ruby-mojo-magick
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

The full log can be found here:
https://salsa.debian.org/debian/imagemagick/-/jobs/6167776

Thanks

Rouca




Bug#1079455: Moreinfo

2024-08-23 Thread Bastien Roucariès
control: tags -1 + moreinfo

We got information that this upgrade may break some unrelated software.

Could you wait a little bit?

Thanks

Bastien



Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3

2024-08-22 Thread Bastien Roucariès
On Thursday, 22 August 2024, 18:01:02 UTC Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Thu, 2024-08-22 at 15:38 +, Bastien Roucariès wrote:
> > [ Reason ]
> > Security upload, except for CVE-2024-27082, which needs
> > coordination with other packages.
> 
> You appear to have forgotten the debdiff.

Yes, I just resent it.
> 
> Regards,
> 
> Adam
> 

diff -Nru cacti-1.2.24+ds1/debian/changelog cacti-1.2.24+ds1/debian/changelog
--- cacti-1.2.24+ds1/debian/changelog	2024-03-15 09:53:35.0 +
+++ cacti-1.2.24+ds1/debian/changelog	2024-08-11 17:28:54.0 +
@@ -1,3 +1,71 @@
+cacti (1.2.24+ds1-1+deb12u3) unstable; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Fix CVE-2024-25641: RCE vulnerability when importing packages
+An arbitrary file write vulnerability, exploitable through the
+"Package Import" feature, allows authenticated users having
+the "Import Templates" permission to execute arbitrary PHP
+code on the web server (RCE).
+  * Fix CVE-2024-29894: XSS vulnerability when using JavaScript
+based messaging API.
+raise_message_javascript from lib/functions.php now uses purify.js
+to fix CVE-2023-50250 (among others).
+However it still generates the code out of unescaped
+PHP variables $title and $header.
+If those variables contain single quotes, they can be used
+to inject JavaScript code.
+  * Fix CVE-2024-31443. XSS vulnerability when managing data queries
+Some of the data stored in form_save() function in data_queries.php
+is not thoroughly checked and is used to concatenate the
+HTML statement in grow_right_pane_tree() function from lib/html.php,
+finally resulting in XSS.
+  * Fix CVE-2024-31444: XSS vulnerability when reading tree rules with
+Automation API.
+Some of the data stored in automation_tree_rules_form_save() function
+in automation_tree_rules.php is not thoroughly checked and is used
+to concatenate the HTML statement in form_confirm() function from
+lib/html.php , finally resulting in XSS.
+  * Fix CVE-2024-31445: SQL injection vulnerability
+A SQL injection vulnerability in `automation_get_new_graphs_sql`
+function of `api_automation.php` allows authenticated users to exploit
+these SQL injection vulnerabilities to perform privilege escalation
+and remote code execution. In `api_automation.php` line 856, the
+`get_request_var('filter')` is being concatenated into the SQL
+statement without any sanitization. In `api_automation.php` line 717,
+The filter of `'filter'` is `FILTER_DEFAULT`, which means there is no
+filter for it
+  * Fix CVE-2024-31458: SQL injection vulnerability
+Some of the data stored in `form_save()` function in
+`graph_template_inputs.php` is not thoroughly checked and is used to
+concatenate the SQL statement in
+`draw_nontemplated_fields_graph_item()` function from
+`lib/html_form_templates.php` , finally resulting in SQL injection
+  * Fix CVE-2024-31459: Remote code execution
+There is a file inclusion issue in the lib/plugin.php file.
+Combined with SQL injection vulnerabilities, RCE can be implemented.
+  * Fix CVE-2024-31460: SQL code injection
+Some of the data stored in `automation_tree_rules.php` is not
+thoroughly checked and is used to concatenate the SQL statement in
+`create_all_header_nodes()` function from `lib/api_automation.php` ,
+finally resulting in SQL injection. Using SQL based secondary
+injection technology, attackers can modify the contents of the Cacti
+database, and based on the modified content, it may be possible to
+achieve further impact, such as arbitrary file reading, and even
+remote code execution through arbitrary file writing
+  * Fix CVE-2024-34340: type juggling vulnerability
+Cacti calls `compat_password_hash` when users set their
+password. `compat_password_hash` use `password_hash` if there is it,
+else use `md5`. When verifying password, it calls
+`compat_password_verify`. In `compat_password_verify`,
+`password_verify` is called if there is it, else use
+`md5`. `password_verify` and `password_hash` are supported on PHP <
+5.5.0, following PHP manual. The vulnerability is in
+`compat_password_verify`. Md5-hashed user input is compared with
+correct password in database by `$md5 == $hash`. It is a loose
+comparison, not `===`.
+
+ -- Bastien Roucari??s   Sun, 11 Aug 2024 17:28:54 +
+
 cacti (1.2.24+ds1-1+deb12u2) bookworm-security; urgency=high
 
   [Sylvain Beucler]  
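Review bot: the distribution field on the first line reads `unstable` for `cacti (1.2.24+ds1-1+deb12u3)`, but this is a bookworm proposed-update: the previous entry targets `bookworm-security` and a `+deb12u` version belongs to the stable suite, so the line should read `bookworm` before upload. Two smaller points in the CVE-2024-34340 description: `password_verify`/`password_hash` are available on PHP >= 5.5.0, not `< 5.5.0` as written, which is exactly why the `md5` fallback path exists; and the fragment `if there is it` would read better as `if it is available`.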
diff -Nru cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch
--- cacti-1.2.24+ds1/debian/patches/0026-CVE-2024-25641-Merge-pull-request-from-GHSA-7cmj-g5q.patch	1970-0

Bug#1079353: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u3

2024-08-22 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ca...@packages.debian.org
Control: affects -1 + src:cacti
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Security upload, except for CVE-2024-27082, which needs
coordination with other packages.

[ Impact ]
CVEs are not closed, including an RCE.

[ Tests ]
Automated test and manual test of the application by myself and others, 
including users.

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Fix CVE-2024-25641: RCE vulnerability when importing packages
An arbitrary file write vulnerability, exploitable through the
"Package Import" feature, allows authenticated users having
the "Import Templates" permission to execute arbitrary PHP
code on the web server (RCE).
  * Fix CVE-2024-29894: XSS vulnerability when using the JavaScript-based
messaging API.
raise_message_javascript from lib/functions.php now uses purify.js
to fix CVE-2023-50250 (among others).
However, it still generates the code out of the unescaped
PHP variables $title and $header.
If those variables contain single quotes, they can be used
to inject JavaScript code.
  * Fix CVE-2024-31443: XSS vulnerability when managing data queries
Some of the data stored in the form_save() function in data_queries.php
is not thoroughly checked and is used to concatenate the
HTML statement in the grow_right_pane_tree() function from lib/html.php,
finally resulting in XSS.
  * Fix CVE-2024-31444: XSS vulnerability when reading tree rules with the
Automation API.
Some of the data stored in the automation_tree_rules_form_save() function
in automation_tree_rules.php is not thoroughly checked and is used
to concatenate the HTML statement in the form_confirm() function from
lib/html.php, finally resulting in XSS.
  * Fix CVE-2024-31445: SQL injection vulnerability
A SQL injection vulnerability in the `automation_get_new_graphs_sql`
function of `api_automation.php` allows authenticated users to exploit
these SQL injection vulnerabilities to perform privilege escalation
and remote code execution. In `api_automation.php` line 856, the
`get_request_var('filter')` is being concatenated into the SQL
statement without any sanitization. In `api_automation.php` line 717,
the filter of `'filter'` is `FILTER_DEFAULT`, which means there is no
filter for it.
  * Fix CVE-2024-31458: SQL injection vulnerability
Some of the data stored in the `form_save()` function in
`graph_template_inputs.php` is not thoroughly checked and is used to
concatenate the SQL statement in the
`draw_nontemplated_fields_graph_item()` function from
`lib/html_form_templates.php`, finally resulting in SQL injection.
  * Fix CVE-2024-31459: Remote code execution
There is a file inclusion issue in the lib/plugin.php file.
Combined with SQL injection vulnerabilities, RCE can be implemented.
  * Fix CVE-2024-31460: SQL code injection
Some of the data stored in `automation_tree_rules.php` is not
thoroughly checked and is used to concatenate the SQL statement in
the `create_all_header_nodes()` function from `lib/api_automation.php`,
finally resulting in SQL injection. Using SQL-based secondary
injection technology, attackers can modify the contents of the Cacti
database, and based on the modified content, it may be possible to
achieve further impact, such as arbitrary file reading, and even
remote code execution through arbitrary file writing.
  * Fix CVE-2024-34340: type juggling vulnerability
Cacti calls `compat_password_hash` when users set their
password. `compat_password_hash` uses `password_hash` if it is available,
else it uses `md5`. When verifying a password, it calls
`compat_password_verify`. In `compat_password_verify`,
`password_verify` is called if it is available, else `md5` is used.
`password_verify` and `password_hash` are supported on PHP <
5.5.0, following the PHP manual. The vulnerability is in
`compat_password_verify`. The MD5-hashed user input is compared with
the correct password in the database by `$md5 == $hash`. It is a loose
comparison, not `===`.




Bug#1079348: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: converseen
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

The full log can be found here:
https://salsa.debian.org/debian/imagemagick/-/jobs/6158068

rouca



Bug#1079342: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: lebiniou
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

The full log can be found here:
https://salsa.debian.org/debian/imagemagick/-/jobs/6158076

Thanks

Rouca




Bug#1079339: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: pythonmagick
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

Full log could be found here
https://salsa.debian.org/debian/imagemagick/-/jobs/6164324




Bug#1079343: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: jmagick
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

Full log could be found here
https://salsa.debian.org/debian/imagemagick/-/jobs/6158077



Bug#1079337: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: ruby-rmagick
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

Full log could be found here
https://salsa.debian.org/debian/imagemagick/-/jobs/6164327




Bug#1079338: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: rss-glx 
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

Full log could be found here
https://salsa.debian.org/debian/imagemagick/-/jobs/6164326




Bug#1079336: vdr-plugin-skinenigmang: FTBFS with newer imagemagick7

2024-08-22 Thread Bastien Roucariès
Source: vdr-plugin-skinenigmang
Severity: important
Tags: ftbfs
Control: block 1060103 by -1
Control: tag -1 + sid

Dear Maintainer,

Your package FTBFS with newer imagemagick.

Could you help with the transition?

Full log could be found here
https://salsa.debian.org/debian/imagemagick/-/jobs/6164331




Bug#1079335: synfig: FTBFS ffmpeg

2024-08-22 Thread Bastien Roucariès
Source: synfig
Severity: serious
Tags: ftbfs
Justification: ftbfs

Dear Maintainer,

Your package fails to build from source, and the failure seems to be related to ffmpeg.

Tested during the rebuild for imagemagick; the log can be found here:
https://salsa.debian.org/debian/imagemagick/-/jobs/6164328

configure:22159: result: no
configure:22165: checking for ffmpeg/swscale.h
configure:22165: g++ -c -ffile-prefix-
map=/builds/debian/imagemagick/debian/output/synfig-1.5.1+dfsg=. -fstack-
protector-strong -fstack-clash-protection -Wformat -Werror=format-security
-fcf-protection -O2 -DNDEBUG -W -Wall -Wdate-time -D_FORTIFY_SOURCE=2
conftest.cpp >&5
conftest.cpp:82:10: fatal error: ffmpeg/swscale.h: no such file or directory
   82 | #include 
  |  ^~
compilation terminated.
configure:22165: $? = 1
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME "Synfig Core"
| #define PACKAGE_TARNAME "synfig"
| #define PACKAGE_VERSION "1.5.1"
| #define PACKAGE_STRING "Synfig Core 1.5.1"
| #define PACKAGE_BUGREPORT "https://github.com/synfig/synfig/issues";
| #define PACKAGE_URL ""
| #define PACKAGE "synfig"
| #define VERSION "1.5.1"
| #define HAVE_STDIO_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_UNISTD_H 1
| #define STDC_HEADERS 1
| #define HAVE_DLFCN_H 1
| #define LT_OBJDIR ".libs/"
| #define LT_MODULE_EXT ".so"
| #define LT_MODULE_PATH_VAR "LD_LIBRARY_PATH"
| #define LT_DLSEARCH_PATH "/lib:/usr/lib:/usr/lib/x86_64-linux-
gnu/libfakeroot:/usr/local/lib:/usr/local/lib/x86_64-linux-
gnu:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu"
| #define HAVE_LIBDL 1
| #define HAVE_DLERROR 1
| #define HAVE_LIBDLLOADER 1
| #define HAVE_ARGZ_H 1
| #define HAVE_ERROR_T 1
| #define HAVE_ARGZ_ADD 1
| #define HAVE_ARGZ_APPEND 1
| #define HAVE_ARGZ_COUNT 1
| #define HAVE_ARGZ_CREATE_SEP 1
| #define HAVE_ARGZ_INSERT 1
| #define HAVE_ARGZ_NEXT 1
| #define HAVE_ARGZ_STRINGIFY 1
| #define HAVE_WORKING_ARGZ 1
| #define HAVE_PRELOADED_SYMBOLS 1
| #define HAVE_LTDL 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DIRENT_H 1
| #define HAVE_CLOSEDIR 1
| #define HAVE_OPENDIR 1
| #define HAVE_READDIR 1
| #define HAVE_STRLCAT 1
| #define HAVE_STRLCPY 1
| #define LT_LIBEXT "a"
| #define LT_LIBPREFIX "lib"
| #define LT_SCOPE extern
| #define WITH_LIBAVCODEC /**/
| #define HAVE_LIBAVFORMAT_AVFORMAT_H 1
| #define HAVE_LIBSWSCALE_SWSCALE_H 1
| /* end confdefs.h.  */
| #include 
| #ifdef HAVE_STDIO_H
| # include 
| #endif
| #ifdef HAVE_STDLIB_H
| # include 
| #endif
| #ifdef HAVE_STRING_H
| # include 
| #endif
| #ifdef HAVE_INTTYPES_H
| # include 
| #endif
| #ifdef HAVE_STDINT_H
| # include 
| #endif
| #ifdef HAVE_STRINGS_H
| # include 
| #endif
| #ifdef HAVE_SYS_TYPES_H
| # include 
| #endif
| #ifdef HAVE_SYS_STAT_H
| # include 
| #endif
| #ifdef HAVE_UNISTD_H
| # include 
| #endif
| #include 
configure:22165: result: no
configure:22257: checking for freetype2
configure:22261: result: yes
configure:22265: checking FREETYPE_CFLAGS
configure:22268: result: -I/usr/include/freetype2 -I/usr/include/libpng16
configure:22271: checking FREETYPE_LIBS
configure:22274: result: -lfreetype
configure:22499: checking for fontconfig
configure:22503: result: yes
configure:22507: checking FONTCONFIG_CFLAGS
configure:22510: result: -I/usr/include/freetype2 -I/usr/include/libpng16
configure:22513: checking FONTCONFIG_LIBS
configure:22516: result: -lfontconfig -lfreetype



-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.10.4-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled




Bug#1079288: virtuoso-opensource: FTBFS

2024-08-22 Thread Bastien Roucariès
Source: virtuoso-opensource
Severity: serious
Tags: ftbfs sid
Justification: FTBFS

Dear Maintainer,

Your package FTBFS:

Dksesstr.c: In function 'strdev_free_buf':
Dksesstr.c:152:44: warning: unused parameter 'arg' [-Wunused-parameter]
  152 | strdev_free_buf (buffer_elt_t * b, caddr_t arg)
  |^~~
Dksesstr.c: In function 'strdev_write':
Dksesstr.c:282:23: warning: comparison of integer expressions of different
signedness: 'size_t' {aka 'long unsigned int'} and 'int' [-Wsign-compare]
  282 |   if (len == -1)
  |   ^~
Dksesstr.c:359:18: warning: comparison of integer expressions of different
signedness: 'int' and 'long unsigned int' [-Wsign-compare]
  359 |   if (filled == (size_t) - 1)
  |  ^~
Dksesstr.c: In function 'strses_chars_length':
Dksesstr.c:710:41: error: passing argument 2 of 'virt_mbsnrtowcs' from
incompatible pointer type [-Wincompatible-pointer-types]
  710 |   last_len = virt_mbsnrtowcs (NULL, &ptr, ses->dks_out_fill, 0,
&mb);
  | ^~~~
  | |
  | unsigned char **
in file included from ../../libsrc/libutil.h:41,
 from dksesstr.c:29:
../../libsrc/util/utf8funs.h:52:68: note: expected 'const unsigned char **' but
argument is of type 'unsigned char **'
   52 | extern size_t virt_mbsnrtowcs (wchar_t *dst, const unsigned char **src,
size_t nmc, size_t len, virt_mbstate_t *ps);
  |  ~~^~~
dksesstr.c: in function 'strses_write_out':
dksesstr.c:775:18: warning: comparison of integer expressions of different
signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-wsign-compare]
  775 |   if (-1 == readed)
  |  ^~
Dksesstr.c: In function 'strses_skip_wchars':
Dksesstr.c:842:47: warning: unused parameter 'nbytes' [-Wunused-parameter]
  842 | strses_skip_wchars (unsigned char *data, long nbytes, long ofs)
  |  ~^~
Dksesstr.c: In function 'strses_deserialize':
Dksesstr.c:982:51: warning: unused parameter 'macro' [-Wunused-parameter]
  982 | strses_deserialize (dk_session_t * session, dtp_t macro)
  | ~~^
Dksesstr.c: In function 'strses_get_part_1':
Dksesstr.c:1338:34: warning: comparison of integer expressions of different
signedness: 'size_t' {aka 'long unsigned int'} and 'int' [-Wsign-compare]
 1338 |   if (readed == -1)
  |  ^~
Dksesstr.c:1348:26: warning: comparison of integer expressions of different
signedness: 'size_t' {aka 'long unsigned int'} and 'int' [-Wsign-compare]
 1348 |   if (readed == -1)
  |  ^~
Dksesstr.c:1373:51: error: passing argument 2 of 'virt_mbsnrtowcs' from
incompatible pointer type [-Wincompatible-pointer-types]
 1373 |   last_len_chars = virt_mbsnrtowcs (NULL, &ptr,
ses->dks_out_fill, 0, &mb);
  |   ^~~~
  |   |
  |   unsigned char **
../../libsrc/util/utf8funs.h:52:68: note: expected 'const unsigned char **' but
argument is of type 'unsigned char **'
   52 | extern size_t virt_mbsnrtowcs (wchar_t *dst, const unsigned char **src,
size_t nmc, size_t len, virt_mbstate_t *ps);
  |  ~~^~~
dksesstr.c:1374:30: warning: comparison of integer expressions of different
signedness: 'long int' and 'long unsigned int' [-wsign-compare]
 1374 |   if (last_len_chars == (size_t) - 1)
  |  ^~
Dksesstr.c: In function 'read_wides_from_utf8_file':
Dksesstr.c:1461:58: error: passing argument 2 of 'virt_mbsnrtowcs' from
incompatible pointer type [-Wincompatible-pointer-types]
 1461 |   converted = virt_mbsnrtowcs ((wchar_t *) dest, &data_ptr,
readed, nchars, &mb);
  |  ^
  |  |
  |  unsigned char
**
../../libsrc/util/utf8funs.h:52:68: note: expected 'const unsigned char **' but
argument is of type 'unsigned char **'
   52 | extern size_t virt_mbsnrtowcs (wchar_t *dst, const unsigned char **src,
size_t nmc, size_t len, virt_mbstate_t *ps);
  |  ~~^~~
Dksesstr.c: In function 'strses_get_wide_part':
Dksesstr.c:1505:37: error: passing argument 2 of 'virt_mbsnrtowcs' from
incompatible pointer type [-Wincompatible-pointer-types]
 1505 |   if (virt_mbsnrtowcs (buf, &data_ptr,
  | ^

Bug#1079164: devscripts: Files-Excluded version of regexp should be documented and if not pcre Files-Excluded-PCRE should be created

2024-08-22 Thread Bastien Roucariès
Le jeudi 22 août 2024, 02:43:41 UTC Yadd a écrit :
> On 8/22/24 02:06, Bastien Roucariès wrote:
> > Le mercredi 21 août 2024, 11:07:17 UTC Niels Thykier a écrit :
> >> On Tue, 20 Aug 2024 18:50:20 + Bastien Roucariès
> >> wrote:
> >>> Package: devscripts
> >>> Version: 2.23.7
> >>> Severity: minor
> >>>
> >>> Dear Maintainer,
> >>>
> >>> I cannot find the syntax of the regex used by Files-Excluded.
> >>>
> >>> I suppose it is POSIX RE.
> >>>
> >>> It should be documented if that is the case.
> >>>
> >>> If it is not PCRE, would it be possible to add a Files-Excluded-PCRE field?
> >>> It would greatly help to remove all directories except one
> >>> in the case of a JS monorepo.
> >>>
> >>> Rouca
> >>>
> >>
> >> Drive by remark, it uses the DEP-5 `Files` semantics (that is, not a
> >> regex at all). For the use-case you have, I think you want to combine
> >> `Files-Excluded` with `Files-Included`.
> >>
> >> That was what I had for this bug.
> > No, it does not work:
> > - Files-Included is not documented
> > - It does not work with components
> 
> For components, use "Files-Excluded-componentname"

Yes, but Files-Included-componentname does not exist.
> 
> > Files-Included-PCRE per component may be better, I believe.
> >>
> >> Best regards,
> >> Niels
> >>
> >>
> > 
> 





Bug#1079164: devscripts: Files-Excluded version of regexp should be documented and if not pcre Files-Excluded-PCRE should be created

2024-08-21 Thread Bastien Roucariès
Le mercredi 21 août 2024, 11:07:17 UTC Niels Thykier a écrit :
> On Tue, 20 Aug 2024 18:50:20 + Bastien Roucariès
> wrote:
> > Package: devscripts
> > Version: 2.23.7
> > Severity: minor
> > 
> > Dear Maintainer,
> > 
> > I cannot find the syntax of the regex used by Files-Excluded.
> > 
> > I suppose it is POSIX RE.
> > 
> > It should be documented if that is the case.
> > 
> > If it is not PCRE, would it be possible to add a Files-Excluded-PCRE field? It
> > would greatly help to remove all directories except one
> > in the case of a JS monorepo.
> > 
> > Rouca
> > 
> 
> Drive by remark, it uses the DEP-5 `Files` semantics (that is, not a 
> regex at all). For the use-case you have, I think you want to combine 
> `Files-Excluded` with `Files-Included`.
> 
> That was what I had for this bug.
No, it does not work:
- Files-Included is not documented
- It does not work with components

Files-Included-PCRE per component may be better, I believe.
> 
> Best regards,
> Niels
> 
> 





Bug#1060103: New of imagemagick7

2024-08-21 Thread Bastien Roucariès
Le mardi 20 août 2024, 07:37:46 UTC Bastien Roucariès a écrit :
> Le mardi 20 août 2024, 07:11:13 UTC Emilio Pozuelo Monfort a écrit :
> > On 28/07/2024 20:56, Bastien Roucariès wrote:
> > > control: tags -1 - moreinfo
> > > 
> > > Hi,
> > > 
> > > The last reverse-deps pipeline of libmagick is not really bad:
> > > https://salsa.debian.org/debian/imagemagick/-/pipelines/708187
> > > 
> > > A lot of the failures are due to broken packages or packages that do not use pkgconfig.
> > > 
> > > I suppose we could go to experimental
> > 
> > Yes, uploading to experimental would be the first step, as I said on my 
> > previous 
> > email. Then we would need bug reports for packages that fail to build 
> > against 
> > imagemagick 7. Make those bugs block this one and use some usertag to ease 
> > tracking.
> > If you want this to be done for trixie, we need to move fast.
> 
> OK, will go tonight.

Just push to NEWS
> > 
> > Cheers,
> > Emilio
> > 
> 
> 





Bug#1079206: CVE-2024-39884 Regression

2024-08-21 Thread Bastien Roucariès
Package: apache2
Severity: important
Forwarded: https://github.com/apache/httpd/pull/475
Control: tags -1 + bullseye
Control: tags -1 + bookworm
Control: tags -1 + upstream
Control: tags -1 + security

Dear Maintainer,

A tracking bug for a regression https://github.com/apache/httpd/pull/475

Rouca



Bug#1079172: CVE-2024-38474/CVE-2024-38475 Regression

2024-08-20 Thread Bastien Roucariès
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Control: tags -1 + bullseye
Control: tags -1 + bookworm
Control: tags -1 + upstream
Control: Found -1 2.4.61-1~deb11u1

Dear Maintainer,

A tracking bug for a regression

> The SSRF fix in mod_rewrite introduced in r1918561 produces a "403
> Forbidden" response not only when an encoded question mark is introduced
> through a backreference but also when an existing query string appended via
> the QSA flag contains %3F.
> 
> 
> Steps to Reproduce:
> 
> 1) Prepare a webroot with an index.html file.
> 
> 2) Setup a vhost with the following rewrite rules
> 
>(or add them to a .htaccess file):
>   RewriteEngine On
>   RewriteRule ^.*$ index.html?_path=$1 [L,QSA]
> 
> 3) Access /test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar in a web
> browser
> 
> 
> Actual Results:
> 
> The HTTP server produces a "403 Forbidden" response.
> 
> Only when the flag UnsafeAllow3F is added to the RewriteRule are the results
> as expected.
> 
> 
> Expected Results:
> 
> The URL should have been rewritten to /index.html?_path=%2Ftest&foo=bar and
> the contents of index.html should have been delivered to the web browser.
> 
> 
> Additional Information:
> 
> Rewrite rules similar to the one used in step 2 above are common in htaccess
> files delivered with PHP applications. To e.g. prevent issues with
> mod_cache, the original path is passed to the target script via the query
> string and all query string parameters from the original URL are appended
> via QSA flag.
> 
> This issue affects all URLs for these applications which contain a %3F
> somewhere in the query string. This commonly happens e.g. for search forms
> (the user may enter a question mark as part of the search query) and for
> scripts that send an URL in a query string (for example
> ?referer=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar).
> 
> Thanks

Bastien
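The rule and URL quoted in the report above, run through a small model of the two possible orderings of the encoded-question-mark check relative to the QSA append. This is an added example, not Apache httpd code and not from the bug report: it keeps the request path exactly as given (no URL decoding), adds a capture group to the quoted pattern so that `$1` has something to expand, and models nothing else of mod_rewrite. The function names `rewrite` and `demo` and the `check_after_qsa` switch are this example's own.

```python
"""Model of the interaction between the encoded-'?' check and the QSA flag.

Constructed illustration only: the correct ordering inspects the result of
the substitution (where a backreference could have carried an encoded '?')
before the original query string is appended; the regression inspects the
final target, so a %3F that came from the original query string also fails.
"""
import re

ENCODED_QMARK = re.compile(r"%3[fF]")


def apache_subst_to_python(substitution):
    """Turn Apache-style '$1' backreferences into Python's '\\1' form."""
    return re.sub(r"\$(\d+)", r"\\\1", substitution)


def rewrite(request_uri, pattern, substitution, qsa=True, check_after_qsa=False):
    """Apply one RewriteRule and return (status, target).

    status is None when the rule does not match, 403 when the encoded-'?'
    check rejects the result, 200 otherwise.  check_after_qsa=True models the
    regression described in the report.
    """
    path, _, query = request_uri.partition("?")
    m = re.match(pattern, path)
    if m is None:
        return None, request_uri
    target = m.expand(apache_subst_to_python(substitution))

    # Correct ordering: inspect only what the substitution produced, i.e. the
    # part into which a backreference could have carried an encoded '?'.
    if not check_after_qsa and ENCODED_QMARK.search(target):
        return 403, None

    if qsa and query:
        target += ("&" if "?" in target else "?") + query

    # Regression ordering: the appended original query string is inspected too.
    if check_after_qsa and ENCODED_QMARK.search(target):
        return 403, None
    return 200, target


# The quoted rule, with a capture group added so that $1 is defined (assumption).
RULE = (r"^/(.*)$", "index.html?_path=$1")
# The quoted request: a %3F inside the query string, not in the path.
SEARCH_URL = "/test?url=https%3A%2F%2Fexample.com%2F%3Ffoo%3Dbar"


def demo():
    """Return (status with correct ordering, status with regression ordering,
    status when the %3F is carried by the backreference itself)."""
    fixed_ok = rewrite(SEARCH_URL, *RULE)[0]
    regressed = rewrite(SEARCH_URL, *RULE, check_after_qsa=True)[0]
    # A %3F that the backreference itself puts into the target is rejected in
    # both orderings; that is the case the original fix was meant to catch.
    via_backref = rewrite("/a%3Fb", *RULE)[0]
    return fixed_ok, regressed, via_backref


if __name__ == "__main__":
    print(demo())
```

The model makes the point of the report explicit: the QSA-appended query string is the client's own query string, so an encoded `?` there is not a rewrite-introduced one, and a check that looks at the final target cannot tell the two apart.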




Bug#1079171: CVE-2024-38473 Regression [2/2]: error parsing URL //: with space

2024-08-20 Thread Bastien Roucariès
Package: apache2
Version: 2.4.61-1~deb12u1
Severity: important
Forwarded: https://bz.apache.org/bugzilla/show_bug.cgi?id=69203
Control: tags -1 + bullseye
Control: tags -1 + bookworm
Control: tags -1 + upstream

Dear Maintainer,

A tracking bug for a regression


> After the update "http://domain.com/ja/アダプタ/index.php" is encoded to 
> "/path_to_docroot/ja/%E3%82%A2%E3%83%80%E3%83%97%E3%82%BF/index.php" in the 
> filesystem.
>
>Jul 18 09:28:22 server apache2[657291]: [proxy_fcgi:debug] [pid 657291:tid 
>657383] mod_proxy_fcgi.c(123): [client ***] AH01060: set r->filename to 
>proxy:fcgi://user-php82fpm/path_to_docroot/ja/%E3%82%A2%E3%83%80%E3%83%97%E3%82%BF/index.php
>
>We fixed it with a symlink for now, which isn't a good solution.

Thanks

Bastien




Bug#1079164: devscripts: Files-Excluded version of regexp should be documented and if not pcre Files-Excluded-PCRE should be created

2024-08-20 Thread Bastien Roucariès
Package: devscripts
Version: 2.23.7
Severity: minor

Dear Maintainer,

I cannot find the syntax of the regex used by Files-Excluded.

I suppose it is POSIX RE.

It should be documented if that is the case.

If it is not PCRE, would it be possible to add a Files-Excluded-PCRE field? It
would greatly help to remove all directories except one
in the case of a JS monorepo.

Rouca





Bug#1079101: devscripts: new means to get tag from github

2024-08-20 Thread Bastien Roucariès
Package: devscripts
Version: 2.23.7
Severity: minor
Tags: patch

Dear Maintainer,

I found a new, efficient way to get the tarballs when there are more than 100
tags, as in JS packages:

version=4
opts=\
filenamemangle=s%.*/@ANY_VERSION@%@PACKAGE@-$1.tar.gz%,\
downloadurlmangle=s%(api.github.com/repos/[^/]+/[^/]+)/git/refs/%$1/tarball/refs/%g,\
searchmode=plain \
 https://api.github.com/repos/isaacs/node-glob/git/matching-refs/tags/ \
 https://api.github.com/repos/[^/]+/[^/]+/git/refs/tags/@ANY_VERSION@

I suppose this should go into the documentation.

Moreover, we could filter by tags beginning with some string (here v):

version=4
opts=\
filenamemangle=s%.*/@ANY_VERSION@%@PACKAGE@-$1.tar.gz%,\
downloadurlmangle=s%(api.github.com/repos/[^/]+/[^/]+)/git/refs/%$1/tarball/refs/%g,\
searchmode=plain \
 https://api.github.com/repos/isaacs/node-glob/git/matching-refs/tags/v \
 https://api.github.com/repos/[^/]+/[^/]+/git/refs/tags/@ANY_VERSION@

An MR will follow if you agree.

Bastien




Bug#1060103: New of imagemagick7

2024-08-20 Thread Bastien Roucariès
Le mardi 20 août 2024, 07:11:13 UTC Emilio Pozuelo Monfort a écrit :
> On 28/07/2024 20:56, Bastien Roucariès wrote:
> > control: tags -1 - moreinfo
> > 
> > Hi,
> > 
> > The last reverse-deps pipeline of libmagick is not really bad:
> > https://salsa.debian.org/debian/imagemagick/-/pipelines/708187
> > 
> > A lot of the failures are due to broken packages or packages that do not use pkgconfig.
> > 
> > I suppose we could go to experimental
> 
> Yes, uploading to experimental would be the first step, as I said on my 
> previous 
> email. Then we would need bug reports for packages that fail to build against 
> imagemagick 7. Make those bugs block this one and use some usertag to ease 
> tracking.
> If you want this to be done for trixie, we need to move fast.

OK, will go tonight.
> 
> Cheers,
> Emilio
> 





Bug#941627: Take grub-btrfs

2024-08-19 Thread Bastien Roucariès
Le lundi 19 août 2024, 08:00:10 UTC Fabio Fantoni a écrit :
Hi


> Il 27/09/2023 12:04, Bastien Roucariès ha scritto:
> > control: owner -1 !
> > Control: retitle -1 ITP: grub-btrfs -- provides grub entries for btrfs 
> > snapshots (boot environments/restore points)
> > Hi,
> >
> > I need this package for day work (for teaching).
> >
> > The kaisen linux is suitable for me to be imported and sponsored. Kaisen do 
> > you want some sponsoring and comaintain debian side this package ?
> >
> > I only need that dracut is supported and tested.
> >
> > Kaisen could you support dracut ?
> >
> > Bastien
> >
> >
> >
> Hi, is there any news?
> 
> I think grub-btrfs could add to Debian even without waiting for 
> subvolume setting support to be added in the installer, I have seen many 
> howtos for Debian and derivatives, the latest  was 
> https://github.com/orgs/linuxmint/discussions/549, so it seems quite 
> used and wanted, i think it's good to make it easier and faster to use 
> thanks to the package in Debian.

dracut should be supported.

If you want to work on it, I can sponsor you.
Work needed here:
- https://github.com/Antynea/grub-btrfs/issues/314

Long term (for disaster recovery, bash is not nice):
- https://github.com/Antynea/grub-btrfs/issues/300

Note that dracut support is needed due to, for instance, this:
https://github.com/Antynea/grub-btrfs/issues/260

Dracut upstream is responsive
(https://github.com/dracut-ng/dracut-ng), so you could open a bug there.

Bastien


> I give a fast look to https://github.com/kaisenlinux/grub-btrfs, have 
> timeshift support "only" and as default, I think is better have it in 
> specific package like grub-btrfs-timeshift (but on same source) as done 
> by other distro, so as not to hinder support for other backup programs 
> or snapshots with custom scripts.
> 
> 
> 





Bug#1078951: civicrm: include vulnerable sinon without source

2024-08-18 Thread Bastien Roucariès
Source: civicrm
Severity: serious
Tags: security
Justification: security problem
X-Debbugs-Cc: Debian Security Team 

Dear Maintainer,

You include sinon in the installed package and bundle it without source (thus a
serious bug).

This is a duplication of a package, but moreover a security problem (even if minor,
as it is only local and during log reading).

Could you use the packaged node-sinon?

npm audit sinon@1.14.1
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces -
https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

elliptic  2.0.0 - 6.5.6
Elliptic's EDDSA missing signature length check -
https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero -
https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures -
https://github.com/advisories/GHSA-49q7-c7j4-3p7m
fix available via `npm audit fix`
node_modules/elliptic

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers -
https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install mochify@9.1.0, which is a breaking change
node_modules/mochify/node_modules/ws
node_modules/ws
  puppeteer  11.0.0 - 22.11.1
  Depends on vulnerable versions of puppeteer-core
  Depends on vulnerable versions of ws
  node_modules/mochify/node_modules/puppeteer
  node_modules/puppeteer
mochify  >=9.2.0
Depends on vulnerable versions of puppeteer
node_modules/mochify
  puppeteer-core  11.0.0 - 22.11.1
  Depends on vulnerable versions of ws
  node_modules/puppeteer-core

6 vulnerabilities (1 low, 5 high)
*


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.9.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug#1077515: bookworm-pu: package putty/0.78-2+deb12u2

2024-08-17 Thread Bastien Roucariès
Le samedi 17 août 2024, 16:38:10 UTC Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Mon, 2024-07-29 at 15:32 +, Bastien Roucariès wrote:
> > Security fix CVE-2024-31497
Done
> 
> Please go ahead.
> 
> Regards,
> 
> Adam
> 





Bug#1078798: ITP: node-webpack-stream -- Run webpack as a stream

2024-08-16 Thread Bastien Roucariès
Package: wnpp
Severity: wishlist
Owner: Bastien Roucariès 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-webpack-stream
  Version : 7.0.0
  Upstream Contact: https://github.com/shama
* URL : https://github.com/shama/webpack-stream
* License : Expat
  Programming Lang: javascript
  Description : Run webpack as a stream

Run webpack as a NodeJS stream to conveniently integrate with gulp.

This package is a build tool needed for building other tools.

It needs to be packaged in order to avoid circular deps.




Bug#1077999: bullseye-pu: package fusiondirectory/1.3-4+deb11u1

2024-08-14 Thread Bastien Roucariès
Le mercredi 14 août 2024, 19:54:15 UTC Bastien Roucariès a écrit :
Dear Adam,

Debdiff attached.
> Le mercredi 14 août 2024, 19:53:13 UTC Adam D. Barratt a écrit :
> > Control: tags -1 + moreinfo
> > 
> > On Mon, 2024-08-05 at 17:56 +0000, Bastien Roucariès wrote:
> > > CVE-2022-39369
> > > 
> > > [ Impact ]
> > > Service Hostname Discovery Exploitation
> > 
> > diff -Nru fusiondirectory-1.3/debian/#control# 
> > fusiondirectory-1.3/debian/#control#
> > --- fusiondirectory-1.3/debian/#control#1970-01-01 00:00:00.0 
> > +
> > +++ fusiondirectory-1.3/debian/#control#2024-07-11 18:02:29.0 
> > +
> > 
> > Why is this in the debdiff?
> Agreed, will redo
> > 
> > Regards,
> > 
> > Adam
> > 
> 
> 

diff -Nru fusiondirectory-1.3/debian/changelog fusiondirectory-1.3/debian/changelog
--- fusiondirectory-1.3/debian/changelog	2020-12-07 11:25:31.0 +
+++ fusiondirectory-1.3/debian/changelog	2024-07-11 18:02:29.0 +
@@ -1,3 +1,15 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+   * Non-maintainer upload.
+
+   [ Tobias Frost ]
+   * Backport compatibility with php-cas version addressing CVE 2022-39369.
+
+   [ Abhijith PA ]
+   * Fix CVE-2022-36179, CVE-2022-36180.
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 18:02:29 +
+
 fusiondirectory (1.3-4) unstable; urgency=medium
 
   * debian/patches:
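Review bot: the trailer line `-- Bastien Roucari??s   Thu, 11 Jul 2024 18:02:29 +` carries replacement characters in the uploader's name, so the entry was written or exported with a non-UTF-8 locale; regenerate it (for example with `dch` under a UTF-8 locale) before upload, and check the NEWS file, whose trailer shows the same damage. The distribution `bullseye` and version `1.3-4+deb11u1` are consistent with the tightened php-cas dependency later in the debdiff.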
diff -Nru fusiondirectory-1.3/debian/control fusiondirectory-1.3/debian/control
--- fusiondirectory-1.3/debian/control	2020-12-07 11:25:31.0 +
+++ fusiondirectory-1.3/debian/control	2024-07-11 18:02:29.0 +
@@ -35,7 +35,7 @@
  libxml-twig-perl,
  openssl,
  php,
- php-cas,
+ php-cas (>= 1.3.8-1+deb11u1~),
  php-cli,
  php-curl,
  php-fpdf,
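Review bot: `php-cas (>= 1.3.8-1+deb11u1~)` correctly requires the php-cas build that carries the CVE-2022-39369 API change, and the `~` suffix lets backports and binNMUs of that version satisfy it; the changelog entry, however, only says "Backport compatibility" and does not mention that the dependency is tightened, which is worth one line there since it is what forces the coordinated upgrade.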
@@ -56,6 +56,7 @@
 Breaks:
  fusiondirectory-plugin-dashboard (<< 1.0.8.7),
  fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
+ fusiondirectory-schema (<< 1.3-4+deb11u1~)
 Replaces:
  fusiondirectory-plugin-dashboard (<< 1.0.8.7),
  fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
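Review bot: the added `Breaks: fusiondirectory-schema (<< 1.3-4+deb11u1~)` enforces the schema upgrade that the NEWS entry asks for, but only on systems where fusiondirectory-schema is already installed; the missing trailing comma is correct because the entry is last in the list. If the schema package is not a hard dependency, the NEWS text remains the only thing telling administrators without it that the CAS change needs the new schema, so keep that instruction prominent.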
diff -Nru fusiondirectory-1.3/debian/NEWS fusiondirectory-1.3/debian/NEWS
--- fusiondirectory-1.3/debian/NEWS	1970-01-01 00:00:00.0 +
+++ fusiondirectory-1.3/debian/NEWS	2024-07-11 18:02:29.0 +
@@ -0,0 +1,30 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+  If you are using CAS for authentication:
+  To address CVE-2022-39369 in php-cas - the library used for CAS - had
+  to introduce an API breaking change which requires some additional
+  configuration in fusiondirectory.
+
+  The php-cas package introducing the fix for bullseye is version
+  1.3.8-1+deb11u1. After installing the php-cas update, a CAS enabled
+  fusiondirectory installation will no longer work until those steps are
+  done:
+
+  - make sure to install the updated fusiondirectory-schema package for
+bullseye.
+
+  - update the fusiondirectory core schema in LDAP by running
+fusiondirectory-insert-schema -m
+
+  - switch to using the new php-cas API by running
+fusiondirectory-setup --set-config-CasLibraryBool=TRUE
+
+  - set the CAS ClientServiceName to the base URL of the fusiondirectory
+installation, for example:
+fusiondirectory-setup --set-config-CasClientServiceName="https://fusiondirectory.example.org/";
+
+  To troubleshoot php-cas problems, the property CasVerbose can be activated for
+  additional diagnostics:
+fusiondirectory-setup --set-config-CasVerbose=TRUE
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 18:08:39 +
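Review bot: the CasClientServiceName example reads `"https://fusiondirectory.example.org/";`, and the stray semicolon after the closing quote will be copied verbatim by administrators running `fusiondirectory-setup`; drop it. The continuation lines of the bullets (`bullseye.`, `fusiondirectory-insert-schema -m`, the two `fusiondirectory-setup` commands) have lost their indentation relative to the bullet text, which may be a display artefact but should be checked in the file itself, and the `Roucari??s` trailer has the same encoding problem as the changelog entry.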
diff -Nru fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch
--- fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch	1970-01-01 00:00:00.0 +
+++ fusiondirectory-1.3/debian/patches/0010-phpCAS_API_change.patch	2024-07-11 18:02:29.0 +
@@ -0,0 +1,184 @@
+From: FusionDirectory Packagers 
+Date: Thu, 11 Jul 2024 17:52:17 +
+Subject: Backport changes required for newer php-cas API
+
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/299a320a7fe905402aea85b899dbd5a9cab9324c
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/7ded986a5f5aabe2670cd176caeb9d76f8555dca
+Origin: https://github.com/fusiondirectory/fusiondirectory/commit/39019502aa36b211aa283fac3b922c3806c2fef5
+Last-Update: 2023-06-27 
+
+To adress CVE-2022-39369, php-cas needs an API change.
+This patches backports the required upstream changes to the buster version.
+The patch also adds the switch for php-cas verbose mode, for better troubleshooting.
+Last-Update: 2023-06-27 
+---
+ core/contrib/openldap/core-fd-conf.schema  | 21 -
+ core/html/index.php| 49 --
+ core/plugins/config/class_configInLdap.inc 
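Review bot: the description says "backports the required upstream changes to the buster version" while this upload targets bullseye (1.3-4+deb11u1), so the sentence should name the right release; `Last-Update: 2023-06-27` appears twice, and `adress` / `This patches backports` should read `address` / `This patch backports`. The hunk is truncated after the diffstat here, so the body of the backport itself could not be reviewed.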

Bug#1077984: bullseye-pu: package php-cas/1.3.8-1+deb11u1

2024-08-14 Thread Bastien Roucariès
control: tags -1 + pending
Le mercredi 14 août 2024, 19:49:55 UTC Adam D. Barratt a écrit :
> Control: tags -1 + confirmed
> 
> On Mon, 2024-08-05 at 13:16 +, Bastien Roucariès wrote:
> > [ Reason ]
> > CVE-2022-39369
> > 
> > [ Impact ]
> > Service Hostname Discovery Exploitation
> > 
> > The phpCAS library uses HTTP headers to determine the service URL
> > used to validate tickets. This allows an attacker to control the host
> > header and use a valid ticket granted for any authorized service in
> > the same SSO realm (CAS server) to authenticate to the service
> > protected by phpCAS. Depending on the settings of the CAS server
> > service registry in worst case this may be any other service URL (if
> > the allowed URLs are configured to "^(https)://.*") or may be
> > strictly limited to known and authorized services in the same SSO
> > federation if proper URL service validation is applied.
> > 
> > This vulnerability may allow an attacker to gain access to a victim's
> > account on a vulnerable CASified service without victim's knowledge,
> > when the victim visits attacker's website while being logged in to
> > the same CAS server.
> 
> +php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=high
> 
> Both the changelog and NEWS file should use "bullseye" as the
> distribution.
> 
> With that fixed, please go ahead.
Uploaded

Thanks
> 
> Regards,
> 
> Adam
> 
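The CVE-2022-39369 description quoted above comes down to where the CAS client takes its "service" URL from when it asks the CAS server to validate a ticket. This is an added example, not php-cas or FusionDirectory code: `service_url_from_headers`, `service_url_from_config`, `FakeCasServer`, the ticket string and the host names are all constructed for the illustration, and the configured base URL stands in for the CasClientServiceName setting described in the fusiondirectory NEWS entry earlier on this page.

```python
"""Deriving the CAS 'service' URL: header-trusting versus configured.

Constructed example.  A CAS ticket is bound to the service URL it was issued
for; the client must present that same URL to /serviceValidate.  If the client
builds the URL from request headers, the requester decides what URL is
presented, which is the problem the advisory describes.
"""
from urllib.parse import urlsplit, urlunsplit


def service_url_from_headers(headers, path):
    """Vulnerable pattern: builds the service URL from headers the client
    controls (Host, X-Forwarded-Host, X-Forwarded-Proto)."""
    proto = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{proto}://{host}{path}"


def service_url_from_config(base_url, path):
    """Hardened pattern: scheme and host come from fixed configuration (the
    CasClientServiceName setting); only the path is taken from the request."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("the configured service name must be an absolute https URL")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


class FakeCasServer:
    """Stand-in for the CAS server's /serviceValidate endpoint: a ticket is
    accepted only for exactly the service URL it was issued for."""

    def __init__(self):
        self.issued = {}

    def issue(self, ticket, service_url):
        self.issued[ticket] = service_url

    def validate(self, ticket, service_url):
        return self.issued.get(ticket) == service_url


def demo():
    """Replay the advisory's scenario with constructed values.

    A ticket was granted for another service in the same SSO realm and is
    presented to the CASified application together with a forged Host header.
    Returns (accepted when the URL comes from headers,
             accepted when the URL comes from configuration)."""
    cas = FakeCasServer()
    cas.issue("ST-constructed-1", "https://other-app.example.org/login")

    forged = {"Host": "other-app.example.org", "X-Forwarded-Proto": "https"}
    url_from_headers = service_url_from_headers(forged, "/login")
    url_from_config = service_url_from_config(
        "https://fusiondirectory.example.org", "/login")

    return (cas.validate("ST-constructed-1", url_from_headers),
            cas.validate("ST-constructed-1", url_from_config))


if __name__ == "__main__":
    print(demo())
```

With the header-derived URL the foreign ticket validates, because the application asserts whatever service name the request named; with the configured URL the CAS server sees a service the ticket was not issued for and rejects it. That is why the updated package requires the administrator to set CasClientServiceName before CAS login works again.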





Bug#1077999: bullseye-pu: package fusiondirectory/1.3-4+deb11u1

2024-08-14 Thread Bastien Roucariès
On Wednesday 14 August 2024, 19:53:13 UTC, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Mon, 2024-08-05 at 17:56 +, Bastien Roucariès wrote:
> > CVE-2022-39369
> > 
> > [ Impact ]
> > Service Hostname Discovery Exploitation
> 
> diff -Nru fusiondirectory-1.3/debian/#control# 
> fusiondirectory-1.3/debian/#control#
> --- fusiondirectory-1.3/debian/#control#  1970-01-01 00:00:00.0 
> +
> +++ fusiondirectory-1.3/debian/#control#  2024-07-11 18:02:29.0 
> +
> 
> Why is this in the debdiff?
Agreed, will redo
> 
> Regards,
> 
> Adam
> 





Bug#1078705: lintian FTBFS: lintian-overrides/mystery/fields-multi-arch-same-package-has-arch-specific-overrides

2024-08-14 Thread Bastien Roucariès
On Wednesday 14 August 2024, 14:47:30 UTC, Helmut Grohne wrote:
> Source: lintian
> Version: 2.118.0
> Severity: serious
> Tags: ftbfs
> 
> I attempted building lintian in unstable and this is what I got.
> 
> | 
> debian/test-out/eval/checks/debian/lintian-overrides/malformed/missing-colon/generic.t
>   ok
> | # Hints do not match
> | # 
> | # --- 
> debian/test-out/eval/checks/debian/lintian-overrides/mystery/fields-multi-arch-same-package-has-arch-specific-overrides/hints.specified.calibrated
> | # +++ 
> debian/test-out/eval/checks/debian/lintian-overrides/mystery/fields-multi-arch-same-package-has-arch-specific-overrides/hints.actual.parsed
> | # -fields-multi-arch-same-package-has-arch-specific-overrides-nonrel 
> (binary): alien-tag foo 
> [usr/share/lintian/overrides/fields-multi-arch-same-package-has-arch-specific-overrides-nonrel:1]
> | # -fields-multi-arch-same-package-has-arch-specific-overrides (binary): 
> alien-tag foo 
> [usr/share/lintian/overrides/fields-multi-arch-same-package-has-arch-specific-overrides:1]
> | # +
> | # 
> | # Missing tags:
> | #   alien-tag
> | # 
> | #   Failed test 'Lintian passes for 
> fields-multi-arch-same-package-has-arch-specific-overrides'
> | #   at /<>/lib/Test/Lintian/Run.pm line 343.
> | # Looks like you failed 1 test of 1.
> | 
> debian/test-out/eval/checks/debian/lintian-overrides/mystery/fields-multi-arch-same-package-has-arch-specific-overrides/generic.t
>  . 
> | Dubious, test returned 1 (wstat 256, 0x100)
> | Failed 1/1 subtests 
> | 
> debian/test-out/eval/checks/debian/lintian-overrides/mystery/lintian-overrides/generic.t
>  .. ok
> | ...
> | debian/test-out/eval/tracking/generic-dh-make-2008/generic.t 
> .. ok
> | 
> | Test Summary Report
> | ---
> | 
> debian/test-out/eval/checks/debian/lintian-overrides/mystery/fields-multi-arch-same-package-has-arch-specific-overrides/generic.t
>(Wstat: 256 (exited 1) Tests: 1 Failed: 1)
> |   Failed test:  1
> |   Non-zero exit status: 1
> | Files=1491, Tests=63633, 1202 wallclock secs (10.41 usr  6.79 sys + 7425.94 
> cusr 1098.65 csys = 8541.79 CPU)
> | Result: FAIL
> | 
> | The test suite ran for 20 minutes and 4 seconds.
> | 
> | make[1]: *** [debian/rules:29: override_dh_auto_test] Error 1
> | make[1]: Leaving directory '/<>'
> | make: *** [debian/rules:20: binary] Error 2
> | dpkg-buildpackage: error: debian/rules binary subprocess returned exit 
> status 2

Yes, I know, something strange.

Does reverting to the previous commit fix it?

Bastien
> 
> Helmut
> 
> 





Bug#1078505: developers-reference: document corner case of debian version and rational

2024-08-14 Thread Bastien Roucariès
On Wednesday 14 August 2024, 13:42:29 UTC, Santiago Ruano Rincón wrote:
> On 12/08/24 at 00:15, Bastien Roucariès wrote:
> > On Monday 12 August 2024, 00:04:15 UTC, Henrique de Moraes Holschuh wrote:
> > > > salsa. Some user used +deb12u1~1
> > > > but it is not safe against +deb12u1~debu11u1 upgrade for instance. So a 
> > > > suffix
> > > > like ~pre should be used, and should be documented
> > > 
> > > Maybe we could set aside "~~~" for such uses.  ~pre is not going to be 
> > > foolproof.
> > You mean ~+~pre? Because +deb12u1~~~ is before +deb12u1~debu11u1 and we 
> > want to upgrade from deb12u1~debu11u1 to deb12u1~+~pre1 to +deb12u1
> 
> ~+~pre reads like too much. I would prefer something simpler.

~+~ is safe and looks like a smiley throwing up (mnemonic).

Note that, on the contrary,

+~+ will be perfect for user-recompiled packages.

So there is some sense to it.

> 
> The corner(*) case you are describing is: there is a preview package
> available via salsa ci/aptly job or whatever; we want a bullseye user to
> avoid upgrading to that preview package, while still being able to
> upgrade to the actual bookworm package. Please, tell me if that doesn't
> match your thoughts.
> 
> The broader question is how we *should* version an in-development
> package. Myself, I tend to avoid using the final version in the VCS
> until I release, to avoid creating any confusion for anyone looking at
> the repo (or if I make the build artifacts available via aptly). So I
> use gbp dch -S that creates a snapshot debian/changelog with a suffix
> ~N.gbpCOMMIT_ID, but that is not safe for the corner case you describe.
> 
> (*) and this is a very corner case. We are talking about PPA-like
> repositories that only informed users would enable. But let's try to be
> in the safest possible place anyway.
> 
> > > I am *very* happy that ~deb sorts later than ~bpo, as that updates a 
> > > backport to a stable / oldstable / oldoldstable update.  
> > 
> > > But that was sheer luck.  This is not true for ~pre, but would work for 
> > > ~~pre or whatever...
> > 
> > Yes, sheer luck, so +~+pre will do the trick and be safe against +~ck of 
> > javascript
> 
> ~+N... (where N is [0...)) would do the trick?

I prefer to be on the safe side here.
> 





Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS

2024-08-13 Thread Bastien Roucariès
On Tuesday 13 August 2024, 11:54:26 UTC, Herwin Weststrate wrote:
> I've found one possibly breaking change between the current 3.2.1 and
> the proposed 3.2.5: the encoding of binary attributes in JSON. This
> might be a fringe issue.
> 
> I have used this configuration:
> 
> update request {
>   &Class := "0x313233"
> }
> rest
> 
> This is put in the post-auth section of the default site. The Class
> attribute is a binary/octets type attribute, and is added to simplify
> reproduction. The rest module has been configured to work with the file
> `src/modules/rlm_rest/demo.pl` of the FreeRADIUS repository (but we only
> need to look at the request, so just listening with netcat on the
> correct port works too). The body type of the rest module is set to
> JSON.
> 
> With version 3.2.1+dfsg-4+deb12u1 (bookworm stable), the HTTP request
> looks like this:
> 
> "Class":{"type":"octets","value":["0x313233"]}
> 
> Version 3.2.5+dfsg-3~deb12u1 does not add this hex conversion, but
> instead uses the textual representation:
> 
> "Class":{"type":"octets","value":["123"]}
> 
> Non-printable characters are escaped with unicode escaping (I guess
> that's the term?), so "0x01" is transmitted as:
> 
> "Class":{"type":"octets","value":["\u0001"]}
> 
> This change might break things if the REST backend (which is not part of
> freeradius itself) expects the hex strings. Our backend was dumb enough
> to just strip the first two characters of an octets type attribute
> (without checking if they were equal to "0x") and unescape the rest of
> the string, and that breaks pretty hard.
> 
> The change is done in [1] and I'm not sure how to interpret the bug
> report: the second comment say "JSON is not valid", but the JSON string
> in the example is perfectly valid.

I think they said that the type does not correspond to the JSON schema, and I 
agreed with upstream here. Encoding as hex is an error.

JSON5 solves the problem by allowing integers to be encoded as hex, but not strings.

> 
> The change can be reverted by reverting that single line commit linked
> in the bug report (I have tested that one). This does keep the behaviour
> stable for the Debian bookworm users, but it introduces an
> incompatibility with the upstream 3.2.5 version, which can be confusing
> when you're reading documentation for the upstream version.

I think it is more a bug fix that maybe needs a changelog entry and a warning in
the DSA.

> I'm not sure what my advise here would be. Personally, I would love to
> see that change reverted simply because it saves me from some work, but
> that's not really a valid reason. The change is incompatible with the
> current version, but only in very specific setups, so I'm not sure if
> anybody else would be affected.
> 
> [1] https://github.com/FreeRADIUS/freeradius-server/issues/5285
> 
> 




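A REST backend that has to survive the 3.2.1 to 3.2.5 change Herwin describes can decode both forms instead of blindly stripping the first two characters. The following is an added example, not FreeRADIUS code and not the backend from the report; the JSON bodies are constructed from the three request lines quoted above, and the assumption that 3.2.5 maps each byte of an octets value to one code point (so latin-1 recovers the bytes) is marked in the code.

```python
"""Decoding FreeRADIUS 'octets' attributes from rlm_rest JSON bodies across the
3.2.1 -> 3.2.5 encoding change: '0x313233' (hex with prefix) versus '123'
(text, with non-printable bytes sent as \\uXXXX escapes).

Added example, not FreeRADIUS code and not the backend from the bug report.
The sample bodies are constructed from the three values quoted in the report;
that 3.2.5 maps each byte to one code point (so latin-1 recovers the bytes) is
an assumption, noted where it is used.
"""
import json
import re

# '0x' followed by whole bytes of hex: the 3.2.1 representation
HEX_OCTETS = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")


def decode_octets(value: str, hex_prefixed=None) -> bytes:
    """Return the raw bytes behind one 'octets' value.

    hex_prefixed=True  -> sender uses the 3.2.1 '0x..' form, always hex-decode
    hex_prefixed=False -> sender uses the 3.2.5 text form, never hex-decode
    hex_prefixed=None  -> autodetect; a text value that happens to look like
                          '0x3132' is then indistinguishable from hex, so pin
                          the flag when the sending version is known.
    """
    if hex_prefixed is None:
        hex_prefixed = bool(HEX_OCTETS.match(value))
    if hex_prefixed:
        if not HEX_OCTETS.match(value):
            raise ValueError(f"expected 0x-prefixed hex, got {value!r}")
        return bytes.fromhex(value[2:])
    # json.loads has already turned \u0001 into U+0001; assumption: one code
    # point per byte, so latin-1 gives the original bytes back
    try:
        return value.encode("latin-1")
    except UnicodeEncodeError:
        return value.encode("utf-8")  # assumption: fallback for multibyte text


def octets_attributes(body: str, hex_prefixed=None) -> dict:
    """Parse an rlm_rest JSON body and decode every attribute typed 'octets'.

    Returns {attribute name: [bytes, ...]}; other attribute types are skipped.
    """
    out = {}
    for name, attr in json.loads(body).items():
        if attr.get("type") != "octets":
            continue
        out[name] = [decode_octets(v, hex_prefixed) for v in attr["value"]]
    return out


# Constructed bodies, following the three request lines quoted in the report
BODY_3_2_1 = '{"Class":{"type":"octets","value":["0x313233"]}}'
BODY_3_2_5 = '{"Class":{"type":"octets","value":["123"]}}'
BODY_3_2_5_CTRL = '{"Class":{"type":"octets","value":["\\u0001"]}}'

if __name__ == "__main__":
    for body in (BODY_3_2_1, BODY_3_2_5, BODY_3_2_5_CTRL):
        print(body, "->", octets_attributes(body))
```

The autodetect mode is what makes a backend tolerant of a mixed fleet during the point-release rollout; once every server runs the same version, pass `hex_prefixed` explicitly so a Class value that legitimately starts with `0x` is not mis-decoded.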

Bug#1078505: developers-reference: document corner case of debian version and rational

2024-08-13 Thread Bastien Roucariès
On Tuesday 13 August 2024, 03:03:31 UTC, Sean Whitton wrote:
> Hello,
> 
> Policy has a fair bit of this already but it's spread out.
> E.g. take a look at 5.6.12.2.
> 
> Rather than duplicating, it might be helpful to have a discussion in
> dev-ref that is kind of an index to all these relevant bits of Policy.
> 
> 
Yes, I think so, except there is some stuff not in policy:
- javascript and checksum, which are in uscan
- the backport of security releases, which is an interpretation of policy
- the preview release

I believe that policy is like law and devref is some kind of circulaire in a 
civil-law country (https://en.wikipedia.org/wiki/Circulaire), an interpretation 
of a legal text that does not introduce new rules but clarifies the law.

rouca




Bug#1078544: Moreinformation: dead since 2009

2024-08-12 Thread Bastien Roucariès
control: tags -1 + moreinfo

Hi,

The project is included in apache2.

Moreover, the top of the website says:
The project is in maintenance mode (only bugfixes and updates for new language 
APIs). Do not expect quick answers on github issues and/or pull requests (sorry 
for that). A big thanks to all of the users and contributors since 2009.

As co-maintainer of apache2, could you give us a reason to use this?

Bastien



Bug#1078505: developers-reference: document corner case of debian version and rational

2024-08-11 Thread Bastien Roucariès
On Monday 12 August 2024, 00:04:15 UTC, Henrique de Moraes Holschuh wrote:
> > salsa. Some user used +deb12u1~1
> > but it is not safe against +deb12u1~debu11u1 upgrade for instance. So a 
> > suffix
> > like ~pre should be used, and should be documented
> 
> Maybe we could set aside "~~~" for such uses.  ~pre is not going to be 
> foolproof.
You mean ~+~pre? Because +deb12u1~~~ is before +deb12u1~debu11u1 and we want 
to upgrade from deb12u1~debu11u1 to deb12u1~+~pre1 to +deb12u1

> 
> I am *very* happy that ~deb sorts later than ~bpo, as that updates a backport 
> to a stable / oldstable / oldoldstable update.  

> But that was sheer luck.  This is not true for ~pre, but would work for ~~pre 
> or whatever...

Yes, sheer luck, so +~+pre will do the trick and be safe against +~ck of javascript
> 
> 





Bug#1078505: developers-reference: document corner case of debian version and rational

2024-08-11 Thread Bastien Roucariès
Package: developers-reference
Version: 13.8
Severity: important

Dear Maintainer,

Could we have definitive documentation of Debian versioning, including corner
cases:
- the +really scheme should be documented with a better discussion than policy
- the +~ multiple-tarball scheme and the uscan checksum should be documented. I have 
implemented this and I can explain why +~
- the +deb12u1 scheme for security releases should be documented, including the
~deb12u1 in case of backport.
We have in the archive some +deb12u1~debu11u1 backports and it should be documented
somewhere.
- note that we should offer a preview suffix, for instance for testing under
salsa. Some users used +deb12u1~1,
but it is not safe against a +deb12u1~debu11u1 upgrade, for instance. So a suffix
like ~pre should be used, and should be documented

Bastien



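The orderings argued over in the Bug#1078505 messages above (+deb12u1~1 against +deb12u1~debu11u1, the ~~~ and ~+~pre proposals, +~+ for local rebuilds, ~bpo against ~deb) can be checked mechanically. What follows is an added example, not part of the bug report and not dpkg's own code: a Python re-implementation of the dpkg version comparison (Policy 5.6.12: `~` sorts before everything including the end of the string, digits before letters, letters before other characters), run over version strings constructed for the suffix schemes under discussion. The version strings and function names are assumptions made for the illustration.

```python
"""Debian version ordering as performed by dpkg --compare-versions.

Added example, not from the bug thread and not dpkg's own code: a pure Python
re-implementation of the algorithm in Debian Policy 5.6.12, used to check the
suffix schemes discussed in Bug#1078505. THREAD_VERSIONS are constructed.
"""
from functools import cmp_to_key


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of one character inside a non-digit run: '~' sorts before
    everything, even the end of the string (weight 0); letters sort before
    any other character."""
    if c == "" or _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision pair: alternate runs of
    non-digits (character by character via _order) and runs of digits
    (numerically, ignoring leading zeros)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1          # a has more digits in this run: larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version: str):
    """Split '[epoch:]upstream_version[-debian_revision]' into its parts."""
    epoch = 0
    rest = version
    if ":" in rest:
        e, rest = rest.split(":", 1)
        epoch = int(e)
    revision = ""
    if "-" in rest:
        rest, revision = rest.rsplit("-", 1)
    return epoch, rest, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub)
    if r == 0:
        r = _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def sort_versions(versions):
    """Oldest first."""
    return sorted(versions, key=cmp_to_key(compare_versions))


# Constructed versions for the suffix schemes discussed in the thread
THREAD_VERSIONS = [
    "1.0-1+deb12u1",            # bookworm security update
    "1.0-1+deb12u1~debu11u1",   # same fix backported to bullseye
    "1.0-1+deb12u1~1",          # preview suffix some uploaders used
    "1.0-1+deb12u1~~~",         # '~~~' proposal
    "1.0-1+deb12u1~+~pre1",     # '~+~pre' proposal
    "1.0-1+deb12u1+~+local1",   # '+~+' user rebuild
    "1.0-1~bpo11+1",            # backport
    "1.0-1~deb11u1",            # old-style stable update backport
]

if __name__ == "__main__":
    for v in sort_versions(THREAD_VERSIONS):
        print(v)
```

The sorted output shows the point Bastien makes: `~1` and `~~~` both sort below `~debu11u1`, so a bullseye user on the backport would never be offered such a preview, while `~+~pre1` sorts above the backport and below the final `+deb12u1`, and `+~+local1` sorts above `+deb12u1` but below a later `+deb12u2`.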

Bug#1076022: Backport some security settings from upstream 3.2.5 release to mitigate BlastRADIUS

2024-08-09 Thread Bastien Roucariès
On Friday 9 August 2024, 09:29:44 UTC, Bernhard Schmidt wrote:
> 
> >> Another story is bullseye, that one is affected as well but a backport
> >> there is even harder. For now I have marked it as well no-dsa in the
> >> security-tracker, but maybe it should be  with mentioning
> >> that backporting patches is too intrusive?
> > 
> > Regarding the version in bullseye: upstream has kindly shared with me a
> > set of patches. I've pushed them to:
> > https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye.
> > 
> > While they build, I haven't been able to test them (yet). The
> > autopkgtest job fails, but that is related to a bug in Salsa CI and
> > systemd when tmp.mount is masked.
> > 
> > Bernhard, are you able to test them? I do not have any experience with
> > FreeRADIUS, so I could test them, but I would take me some time. Just
> > let me know if help is needed here.
> 
> Cool, unfortunately I'm off to vacation tomorrow and I'm not sure how 
> much I can do before. I'll be back on August 20th.

Ok, not a problem.

> 
> So, if I understood you correctly, the plan is to use Bastien's 
and Santiago's
> backported patches in 
> https://salsa.debian.org/debian/freeradius/-/tree/wip/debian/blastradius/bullseye
>  
> and update the version in bookworm to the current trixie version, both 
> in a point release?

Yes, but time here is short; the last PU is at the end of August.
> I can test drive the bulleye version on one of our production servers 
> after 20th, and I can certainly ask in the higher education group in 
> Germany who can test either locally available .debs or better use 
> -proposed uploads before the point release.

Fine, thanks.

Bookworm backport could go along ASAP. Risk is low here

> Do we have a date for the next point release already?

Last day of August.
> 
> Bernhard
> 





Bug#1076022: Fwd: Autopkgtest fixed + backport

2024-08-08 Thread Bastien Roucariès
Hi,

I have fixed the autopkgtest on bullseye.

I have added a basic test for the client with and without mitigation. It works.

Real testing is needed, and a NEWS file explaining that it is only a band-aid 
and TLS is better.

I plan to backport the trixie version to bookworm, and propose an MR if you 
agree for bookworm.

Bastien




Bug#1078211: bugs.debian.org: add a salsa field like forwarded

2024-08-08 Thread Bastien Roucariès
Package: bugs.debian.org
Severity: wishlist

Dear Maintainer,

Can we have a salsa field, like forwarded, to mark bugs that have for example an
MR implemented?

Ideally an automatic tool would mark the bug as pending when the MR is merged.

Bastien



Bug#929466: Merge request

2024-08-08 Thread Bastien Roucariès
control: tags -1 + patch

Please find the merge request here:
https://salsa.debian.org/debian/freeradius/-/merge_requests/12



Bug#1078160: bullseye-pu: package ocsinventory-server/2.8.1+dfsg1-1+deb11u1

2024-08-07 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: ocsinventory-ser...@packages.debian.org
Control: affects -1 + src:ocsinventory-server
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2022-39369

[ Impact ]
Service Hostname Discovery Exploitation

The phpCAS library uses HTTP headers to determine the service URL used to
validate tickets. This allows an attacker to control the host header and use a
valid ticket granted for any authorized service in the same SSO realm (CAS
server) to authenticate to the service protected by phpCAS.
Depending on the settings of the CAS server service registry in worst case this
may be any other service URL (if the allowed URLs are configured to
"^(https)://.*") or may be strictly limited to known and authorized services in
the same SSO federation if proper URL service validation is applied.

This vulnerability may allow an attacker to gain access to a victim's account
on a vulnerable CASified service without victim's knowledge, when the victim
visits attacker's website while being logged in to the same CAS server.

[ Tests ]
autopkgtest and test

[ Risks ]
Breaks other software during upgrade (needs API change)

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2022-39369 fixes

[ Other info ]
Breaking change documented. I plan to upgrade affected software.
diff -Nru ocsinventory-server-2.8.1+dfsg1/debian/changelog ocsinventory-server-2.8.1+dfsg1/debian/changelog
--- ocsinventory-server-2.8.1+dfsg1/debian/changelog	2021-03-12 06:41:12.0 +
+++ ocsinventory-server-2.8.1+dfsg1/debian/changelog	2024-08-05 14:11:17.0 +
@@ -1,3 +1,17 @@
+ocsinventory-server (2.8.1+dfsg1-1+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+
+  [ Tobias Frost ]
+  * Add patch to support php-cas fixed for CVE 2022 39369:
+The CVE required a API-breaking change in php-cas.
+
+  [ Bastien Roucaries ]
+  * Update version constraint on php-cas to require fixed version.
+  * Fix vendored php-cas
+
+ -- Bastien Roucari??s   Mon, 05 Aug 2024 14:11:17 +
+
 ocsinventory-server (2.8.1+dfsg1-1) unstable; urgency=medium
 
   * Removes reference to an obsolete plugin
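Review bot: the entry under [ Tobias Frost ] writes the identifier as "CVE 2022 39369"; use the canonical form CVE-2022-39369 so that tooling which greps changelogs for CVE ids picks the entry up. The trailer line also shows the maintainer name as "Roucari??s" in the debdiff, so verify that debian/changelog is saved as UTF-8 before upload rather than assuming the archive mangled it.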
diff -Nru ocsinventory-server-2.8.1+dfsg1/debian/control ocsinventory-server-2.8.1+dfsg1/debian/control
--- ocsinventory-server-2.8.1+dfsg1/debian/control	2020-05-14 18:56:54.0 +
+++ ocsinventory-server-2.8.1+dfsg1/debian/control	2024-08-05 14:11:17.0 +
@@ -63,7 +63,7 @@
  libjs-select2.js,
  libphp-phpmailer,
  php,
- php-cas,
+ php-cas (>> 1.3.8-1+deb11u1~),
  php-cli,
  php-gd,
  php-imap,
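Review bot: the relation `php-cas (>> 1.3.8-1+deb11u1~)` combines a strict `>>` with the `~` suffix, while the fusiondirectory update in this same series uses `php-cas (>= 1.3.8-1+deb11u1~)`. Both accept the fixed 1.3.8-1+deb11u1 package (the only version that distinguishes them is the never-built `1.3.8-1+deb11u1~` itself), but the `>= X~` form is the conventional one, so use it here for consistency.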
diff -Nru ocsinventory-server-2.8.1+dfsg1/debian/NEWS ocsinventory-server-2.8.1+dfsg1/debian/NEWS
--- ocsinventory-server-2.8.1+dfsg1/debian/NEWS	1970-01-01 00:00:00.0 +
+++ ocsinventory-server-2.8.1+dfsg1/debian/NEWS	2024-08-05 14:11:17.0 +
@@ -0,0 +1,13 @@
+ocsinventory-server (2.8.1+dfsg1-1+deb11u1) bullseye; urgency=medium
+
+ If you are using CAS for authentification to ocsinventory-reports:
+
+ To mitigate CVE-2022-39369, a vulnerablity in php-cas, the library used to
+ implement the CAS protocol, had to introduce an API breaking change and now
+ requires the baseURL of to-be-authenticated service to be configured.
+
+ For ocsinventory-reports, is configured with the variable
+ $cas_service_base_url in
+ /usr/share/ocsinventory-reports/backend/require/cas.config.php
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 18:31:20 +
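Review bot: spelling and grammar in this NEWS text: "authentification" should be "authentication", "vulnerablity" should be "vulnerability", and "For ocsinventory-reports, is configured with the variable $cas_service_base_url" is missing its subject (suggest "For ocsinventory-reports, the service base URL is configured with the variable $cas_service_base_url in ..."). This file is what apt-listchanges shows administrators during the upgrade, so it is worth fixing before upload.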
diff -Nru ocsinventory-server-2.8.1+dfsg1/debian/patches/0006-Fix-vendored-CVE-2022-39369.patch ocsinventory-server-2.8.1+dfsg1/debian/patches/0006-Fix-vendored-CVE-2022-39369.patch
--- ocsinventory-server-2.8.1+dfsg1/debian/patches/0006-Fix-vendored-CVE-2022-39369.patch	1970-01-01 00:00:00.0 +
+++ ocsinventory-server-2.8.1+dfsg1/debian/patches/0006-Fix-vendored-CVE-2022-39369.patch	2024-08-05 14:11:17.0 +
@@ -0,0 +1,940 @@
+From: Phy 
+Date: Mon, 31 Oct 2022 16:34:25 -0400
+Subject: Fix vendored CVE-2022-39369
+
+Merge pull request from GHSA-8q72-6qq8-xv64
+
+* Add ServerName classes and required service_name constructor argument
+
+This includes a refactoring of moving Client->_getClientUrl() method to a new class.
+
+Unit tests are also added and updated for the new constructor argument.
+
+* Add service_name argument to the static helper class and examples
+
+* Update docs for 1.6.0 release
+
+* Update versions for the 1.6.0 release
+
+* Rename ServerName class to ServiceBaseUrl and add protocol in allowedlist check
+
+* Update docs for the ServiceBaseUrl class and argument change
+
+* Minor typo fixes
+---
+ ocsreports/vendor/jasig/phpcas/source/CAS.php  |  24 +-
+ .../vendor/jasig/phpcas/source/CAS/Client.php  | 
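Review bot: the `From:` line of this DEP-3 header shows no address after the author name (possibly stripped by the archive), and the header carries no `Origin:` or `Bug:` field pointing at GHSA-8q72-6qq8-xv64 or the upstream merge, so a reader cannot tell where this 940-line vendored patch was taken from; add `Origin:` with the upstream commit URL and `Bug:` with the advisory URL.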

Bug#1078157: systemd: Backport pid1: only add a Wants= type dependency on /tmp when PrivateTmp=yes

2024-08-07 Thread Bastien Roucariès
Package: systemd
Version: 247.3-7+deb11u5
Severity: important
Tags: patch upstream jessie stretch buster bullseye
Forwarded: https://github.com/systemd/systemd/commit/b2c7d1bbc2

Dear Maintainer,

Without this commit the autopkgtests on salsa are broken.

See for instance
https://salsa.debian.org/apache-team/apache2/-/jobs/5960590

Could you consider releasing a PU with this patch?

I can do the work.

It breaks your testing infrastructure, particularly for testing daemons, 
particularly security update testing.

Rouca




Bug#1077999: bullseye-pu: package fusiondirectory/1.3-4+deb11u1

2024-08-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fusiondirect...@packages.debian.org
Control: affects -1 + src:fusiondirectory
User: release.debian@packages.debian.org
Usertags: pu
Control: block -1 by 1077984

[ Reason ]
CVE-2022-39369

[ Impact ]
Service Hostname Discovery Exploitation

The phpCAS library uses HTTP headers to determine the service URL used to
validate tickets. This allows an attacker to control the host header and use a
valid ticket granted for any authorized service in the same SSO realm (CAS
server) to authenticate to the service protected by phpCAS.
Depending on the settings of the CAS server service registry in worst case this
may be any other service URL (if the allowed URLs are configured to
"^(https)://.*") or may be strictly limited to known and authorized services in
the same SSO federation if proper URL service validation is applied.

This vulnerability may allow an attacker to gain access to a victim's account
on a vulnerable CASified service without victim's knowledge, when the victim
visits attacker's website while being logged in to the same CAS server.

[ Tests ]
Manual CAS test on application

[ Risks ]
Changes are already ported to buster.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable
diff -Nru fusiondirectory-1.3/debian/changelog fusiondirectory-1.3/debian/changelog
--- fusiondirectory-1.3/debian/changelog	2020-12-07 11:25:31.0 +
+++ fusiondirectory-1.3/debian/changelog	2024-07-11 18:02:29.0 +
@@ -1,3 +1,15 @@
+fusiondirectory (1.3-4+deb11u1) bullseye; urgency=medium
+
+   * Non-maintainer upload.
+
+   [ Tobias Frost ]
+   * Backport compatibility with php-cas version addressing CVE 2022-39369.
+
+   [ Abhijith PA ]
+   * Fix CVE-2022-36179, CVE-2022-36180.
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 18:02:29 +
+
 fusiondirectory (1.3-4) unstable; urgency=medium
 
   * debian/patches:
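Review bot: the new entry indents its bullets with three spaces ("   * Non-maintainer upload.") while the existing 1.3-4 entry below uses two; keep the conventional two-space indentation used by the rest of the file. "CVE 2022-39369" should also be written CVE-2022-39369.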
diff -Nru fusiondirectory-1.3/debian/#control# fusiondirectory-1.3/debian/#control#
--- fusiondirectory-1.3/debian/#control#	1970-01-01 00:00:00.0 +
+++ fusiondirectory-1.3/debian/#control#	2024-07-11 18:02:29.0 +
@@ -0,0 +1,1385 @@
+Source: fusiondirectory
+Section: web
+Priority: optional
+Maintainer: FusionDirectory Packagers 
+Uploaders:
+ Benoit Mortier ,
+ Mike Gabriel ,
+Build-Depends:
+ debhelper-compat (= 13),
+Build-Depends-Indep:
+ po-debconf,
+Standards-Version: 4.5.1
+Homepage: https://www.fusiondirectory.org/
+Vcs-Git: https://salsa.debian.org/debian/fusiondirectory.git
+Vcs-Browser: https://salsa.debian.org/debian/fusiondirectory/
+
+Package: fusiondirectory
+Architecture: all
+Pre-Depends:
+ debconf,
+Depends:
+ apache2 | lighttpd | httpd | nginx,
+ fusiondirectory-smarty3-acl-render (= ${binary:Version}),
+ gettext,
+ javascript-common,
+ libarchive-extract-perl,
+ libcrypt-cbc-perl,
+ libdigest-sha-perl,
+ libfile-copy-recursive-perl,
+ libjs-prototype,
+ libjs-scriptaculous,
+ libnet-ldap-perl,
+ libpath-class-perl,
+ libterm-readkey-perl,
+ libxml-twig-perl,
+ openssl,
+ php,
+ php-cas (>= 1.3.8-1+deb11u1~),
+ php-cli,
+ php-curl,
+ php-fpdf,
+ php-gd,
+ php-imagick,
+ php-imap,
+ php-ldap,
+ php-mbstring,
+ php-xml,
+ schema2ldif (>= 1.3),
+ smarty-gettext (>= 1.1),
+ smarty3,
+ ${misc:Depends},
+Suggests:
+ argonaut-server,
+ fusiondirectory-schema (= ${binary:Version}),
+ slapd,
+Breaks:
+ fusiondirectory-plugin-dashboard (<< 1.0.8.7),
+ fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
+ fusiondirectory-schema (<= 1.3-4+deb11u1~)
+Replaces:
+ fusiondirectory-plugin-dashboard (<< 1.0.8.7),
+ fusiondirectory-plugin-dashboard-schema (<< 1.0.8.7),
+Description: Web Based LDAP Administration Program
+ Provided is access to posix, shadow, samba, proxy, pureftp and
+ kerberos accounts. It is able to manage the postfix/cyrus server
+ combination and can write user adapted sieve scripts.
+ .
+ FusionDirectory is a combination of system-administrator and end-user web
+ interface, designed to handle LDAP based network infrastructures.
+
+Package: fusiondirectory-plugin-alias
+Architecture: all
+Depends:
+ fusiondirectory (= ${binary:Version}),
+ fusiondirectory-plugin-mail (= ${binary:Version}),
+  ${misc:Depends},
+Description: alias plugin for FusionDirectory
+ This plugin is designed to configure mail aliases for postfix.
+ It provide description and expiration Date
+ .
+ FusionDirectory is a combination of system-administrator and end-user web
+ interface, designed to handle LDAP based setups.
+
+Package: fusiondirectory-plugin-alias-schema
+Architecture: all
+Depends:
+ fusiondirectory-plugin-mail-schema (= ${binary:Version}),
+ ${misc:Depends},
+Suggests:
+ slapd,
+Description: LDAP schema for FusionDirectory alias plugin
+ This package includes the LDAP schema needed by the FusionDirectory
+ alias plugin
+ .
+ Fusi
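Review bot: `debian/#control#` is an Emacs auto-save file and must not be part of the upload (Adam's moreinfo reply in this bug asks the same question); remove it from the source tree before regenerating the debdiff. The changes it contains that matter for this update, `php-cas (>= 1.3.8-1+deb11u1~)` in Depends and the `fusiondirectory-schema (<= 1.3-4+deb11u1~)` Breaks, need to be in debian/control itself, which is not visible in the part of the debdiff quoted here.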

Bug#1077984: debdiff

2024-08-05 Thread Bastien Roucariès
The debdiff:
diff -Nru php-cas-1.3.8/debian/changelog php-cas-1.3.8/debian/changelog
--- php-cas-1.3.8/debian/changelog	2019-12-07 20:07:56.0 +
+++ php-cas-1.3.8/debian/changelog	2024-07-11 10:16:11.0 +
@@ -1,3 +1,22 @@
+php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=high
+
+  * Security upload
+  * Fix CVE-2022-39369: The phpCAS library uses HTTP headers
+to determine the service URL used to validate tickets.
+This allows an attacker to control the host header
+and use a valid ticket granted for any authorized service in the same
+SSO realm (CAS server) to authenticate to the service protected by
+phpCAS.  Depending on the settings of the CAS server service registry in
+worst case this may be any other service URL (if the allowed URLs are
+configured to "^(https)://.*") or may be strictly limited to known and
+authorized services in the same SSO federation if proper URL service
+validation is applied.
+The fix for this vulnerabilty requires an API breaking change
+in php-cas and will require that software using the library be updated.
+(Closes: #1023571)
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 10:16:11 +
+
 php-cas (1.3.8-1) unstable; urgency=medium
 
   * Bump debhelper compatibility level to 12
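Review bot: the distribution in the new entry is `bullseye-security`, but this is a bullseye-pu (point release) upload, so it must be `bullseye`, as Adam's review in this bug says; the NEWS entry further down has the same problem. "vulnerabilty" should also be "vulnerability".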
diff -Nru php-cas-1.3.8/debian/control php-cas-1.3.8/debian/control
--- php-cas-1.3.8/debian/control	2019-12-07 20:07:56.0 +
+++ php-cas-1.3.8/debian/control	2024-07-11 10:16:11.0 +
@@ -19,7 +19,10 @@
  ${phppear:Debian-Depends}
 Recommends: ${phppear:Debian-Recommends}
 Suggests: ${phppear:Debian-Suggests}
-Breaks: ${phppear:Debian-Breaks}
+Breaks: ${phppear:Debian-Breaks},
+fusiondirectory (<= 1.3-4+deb11u1~),
+fusiondirectory-schema (<= 1.3-4+deb11u1~),
+ocsinventory-reports (<= 2.8.1+dfsg1-1+deb11u1~)
 Description: Central Authentication Service client library in php
  phpCAS is an authentication library that allows PHP applications to easily
  authenticate users via a Central Authentication Service (CAS) server.
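Review bot: the continuation lines of the Breaks field, `+fusiondirectory (<= 1.3-4+deb11u1~),` and the two below it, show no leading space after the `+` marker, unlike the ` ${phppear:Debian-Depends}` context line above; a control field continuation line must start with a space or dpkg will reject the file, so check that the real file has it (the archive may have eaten it). The `(<= X~)` relations themselves are the right shape: they break every version below X without breaking X.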
diff -Nru php-cas-1.3.8/debian/NEWS php-cas-1.3.8/debian/NEWS
--- php-cas-1.3.8/debian/NEWS	1970-01-01 00:00:00.0 +
+++ php-cas-1.3.8/debian/NEWS	2024-07-11 10:16:11.0 +
@@ -0,0 +1,44 @@
+php-cas (1.3.8-1+deb11u1) bullseye-security; urgency=medium
+
+  * A vulnerability has been found in phpCAS, a Central Authentication
+Service client library in php, which may allow an attacker to gain
+access to a victim's account on a vulnerable CASified service without
+victim's knowledge, when the victim visits attacker's website while
+being logged in to the same CAS server.
+
+The fix for this vulnerabilty requires an API breaking change in php-cas
+and will require that software using the library be updated.
+
+For bullseye, all packages in the Debian repositories which are using
+php-cas have been updated, though additional manual configuration is to
+be expected, as php-cas needs additional site information -- the service
+base URL -- for it to function. The DLAs for the respective packages
+will have additional information, as well as the package's NEWS files.
+
+For 3rd party software using php-cas, please be note that upstream
+provided following instructions how to update this software [1]:
+
+phpCAS now requires an additional service base URL argument when
+constructing the client class. It accepts any argument of:
+
+1. A service base URL string. The service URL discovery will always use
+   this server name (protocol, hostname and port number) without using
+   any external host names.
+2. An array of service base URL strings. The service URL discovery
+   will check against this list before using the auto discovered base URL.
+   If there is no match, the first base URL in the array will be used as
+   the default. This option is helpful if your PHP website is accessible
+   through multiple domains without a canonical name, or through both
+   HTTP and HTTPS.
+3. A class that implements CAS_ServiceBaseUrl_Interface. If you need to
+   customize the base URL discovery behavior, you can pass in a class that
+   implements the interface.
+
+Constructing the client class is usually done with phpCAS::client().
+
+For example, using the first possiblity:
+ phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
+  could become:
+phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context, "https://casified-service.example.org:8080";;);
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 10:17:22 +
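Review bot: this entry also says `bullseye-security` and needs `bullseye`. Text fixes: "vulnerabilty" should be "vulnerability", "please be note" should be "please note", "possiblity" should be "possibility", and the example call ends in `";;);`, which is either a paste artifact or a real typo; the file should read `...:8080");`. The two example calls are also indented differently (one space versus none), which is worth aligning since users read this during the upgrade.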
diff -Nru php-cas-1.3.8/debian/patches/CVE-2022-39369.patch php-cas-1.3.8/debian/patches/CVE-2022-39369.patch
--- php-cas-1.3.8/debian/patches/CVE-2022-39369.patch	1970-01-01 00:00:00.0 +
+++ php-cas-1.3.8/debian/patches/CVE-2022-39369.patch	2024-07-11 10:13:17.0 +
@@ -0,0 +1,967 @@
+Fro

Bug#1077984: bullseye-pu: package php-cas/1.3.8-1+deb11u1

2024-08-05 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: php-...@packages.debian.org
Control: affects -1 + src:php-cas
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
CVE-2022-39369

[ Impact ]
Service Hostname Discovery Exploitation

The phpCAS library uses HTTP headers to determine the service URL used to
validate tickets. This allows an attacker to control the host header and use a
valid ticket granted for any authorized service in the same SSO realm (CAS
server) to authenticate to the service protected by phpCAS.
Depending on the settings of the CAS server service registry in worst case this
may be any other service URL (if the allowed URLs are configured to
"^(https)://.*") or may be strictly limited to known and authorized services in
the same SSO federation if proper URL service validation is applied.

This vulnerability may allow an attacker to gain access to a victim's account
on a vulnerable CASified service without victim's knowledge, when the victim
visits attacker's website while being logged in to the same CAS server.

[ Tests ]
autopkgtest and test

[ Risks ]
May break other software during the upgrade (needs an API change)

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
CVE-2022-39369

[ Other info ]
Breaking change documented. I plan to upgrade affected software.

Bastien
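
The attack path described in this request, as an added example that is not part of the bug report, of phpCAS or of the upstream advisory: a toy CAS server with a service registry and single-use service tickets, next to the two ways a client can derive the service URL it presents for ticket validation. The header-derived variant models the pre-fix behaviour (taking Host / X-Forwarded-Host at face value is an assumption about the old code); the configured variant models the new service base URL parameter of phpCAS::client(). Host names, paths, the user name and the strict registry pattern are made up; the permissive "^(https)://.*" pattern is the one quoted above.

```python
"""Simulated CAS exchange reproducing the CVE-2022-39369 class of bug.

Constructed example: a minimal CAS server with a service registry and
single-use service tickets, plus two ways a CAS client can derive the
service URL it sends along with the ticket for validation.
"""
import re
import secrets

PERMISSIVE_REGISTRY = re.compile(r"^(https)://.*")               # worst case from the report
STRICT_REGISTRY = re.compile(r"^https://target\.example(/.*)?$")  # assumed hardened registry


class CasServer:
    """Issues service tickets (ST) and validates them, as a CAS server does."""

    def __init__(self, registry):
        self.registry = registry
        self.tickets = {}  # ticket -> (user, service URL it was issued for)

    def login(self, user, service):
        """A user with an SSO session is redirected to CAS with ?service=...;
        CAS issues a ticket bound to that exact service URL."""
        if not self.registry.match(service):
            raise PermissionError(f"service not registered: {service}")
        ticket = "ST-" + secrets.token_hex(8)
        self.tickets[ticket] = (user, service)
        return ticket

    def validate(self, ticket, service):
        """/serviceValidate: the ticket is single use and the presented
        service URL must equal the one it was issued for."""
        entry = self.tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


def service_url_from_headers(request):
    """Pre-fix behaviour (assumed): the client rebuilds its own URL from
    request headers, which the sender controls (Host, X-Forwarded-Host)."""
    host = request["headers"].get("X-Forwarded-Host") or request["headers"]["Host"]
    return f"https://{host}{request['path']}"


def service_url_from_config(request, base_url="https://target.example"):
    """Post-fix behaviour: the deployer configures the service base URL
    (the new phpCAS::client() parameter); request headers are ignored."""
    return base_url.rstrip("/") + request["path"]


def handle_login(cas, derive_service_url, request):
    """The CASified target service receiving ?ticket=...: returns the user
    it would open a session for, or None if validation fails."""
    return cas.validate(request["ticket"], derive_service_url(request))


def run_attack(derive_service_url, registry=PERMISSIVE_REGISTRY):
    cas = CasServer(registry)
    # 1. alice is logged in to CAS and visits the attacker's site, which
    #    bounces her to CAS with service=https://attacker.example/login.
    #    CAS issues a ticket for alice bound to that URL and sends it back
    #    to the attacker's site (PermissionError if the registry is strict).
    stolen_ticket = cas.login("alice", "https://attacker.example/login")
    # 2. The attacker presents that ticket to the target service directly,
    #    choosing the Host header so that a header-derived service URL
    #    equals the one the ticket was issued for.
    forged_request = {
        "headers": {"Host": "attacker.example"},
        "path": "/login",
        "ticket": stolen_ticket,
    }
    return handle_login(cas, derive_service_url, forged_request)


def strict_registry_blocks_attack():
    """With a strict registry the attacker cannot even obtain a ticket."""
    try:
        run_attack(service_url_from_headers, STRICT_REGISTRY)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("header-derived service URL:", run_attack(service_url_from_headers))
    print("configured service URL    :", run_attack(service_url_from_config))
    print("strict registry blocks it :", strict_registry_blocks_attack())
```

Running it shows the header-derived client opening a session as alice on the strength of a ticket CAS issued for https://attacker.example/login, the configured client rejecting the same ticket because it presents https://target.example/login, and the strict registry stopping the attack one step earlier because CAS never issues a ticket for the attacker's URL.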



Bug#1076350: May be related

2024-08-02 Thread Bastien Roucariès
Hi

Could this bug be due to libuv?

According to the thread at
https://lists.archlinux.org/pipermail/arch-ports/2018-November/000839.html

Did you try to recompile without --shared-libuv?

Bastien

signature.asc
Description: This is a digitally signed message part.


Bug#1077769: ITP: node-path-scurry -- Fast and cached directory traversal for javascript building tool

2024-08-01 Thread Bastien Roucariès
Package: wnpp
Severity: wishlist
Owner: Bastien Roucariès 
X-Debbugs-Cc: debian-de...@lists.debian.org

 Package name: node-path-scurry
 Version : 1.9.2
 Upstream Contact: https://github.com/isaacs/path-scurry#readme
 URL : https://www.example.org/
 License : BlueOak-1.0.0
 Programming Lang: typescript
 Description : Fast and cached directory traversal for javascript building
tool

Extremely high-performance utility for building tools that read
 the file system, minimizing filesystem and path string munging
 operations to the greatest degree possible, using the cache as long
 as possible.
 .
 The "cache as long as possible" approach means that changes to the
 filesystem may not be reflected in the results of repeated
 PathScurry operations.

This is needed for the typescript compiler tshy, used by some other projects like npm.

Maintained within the JS team.




Bug#1077760: pkg-js-tools: please allow to run a hook before testing

2024-08-01 Thread Bastien Roucariès
Package: pkg-js-tools
Version: 0.15.22
Severity: important

Dear Maintainer,

Could you run a hook like pre-test in tests, that would run something like, for
instance, regenerating certificates?

It would avoid a lot of failures and manual work.

I can work around it using d/rules for the build, but not for the tests.

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.9.10-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages pkg-js-tools depends on:
ii  dh-nodejs 0.15.22
ii  libdpkg-perl  1.22.10
ii  libwww-perl   6.77-1

Versions of packages pkg-js-tools recommends:
ii  apt-file  3.3
ii  devscripts2.23.7
ii  libcache-cache-perl   1.08-3
ii  libprogress-any-output-termprogressbarcolor-perl  0.249-1
ii  node-semver   7.6.1+~7.5.8-1
ii  nodejs20.15.0+dfsg-1
ii  npm   9.2.0~ds1-3

Versions of packages pkg-js-tools suggests:
ii  autodep8  0.28+nmu1
ii  git-buildpackage  0.9.34
ii  lintian   2.117.0

-- no debconf information



Bug#1077584: bullseye-pu: package putty/0.74-1+deb11u2

2024-07-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: pu...@packages.debian.org
Control: affects -1 + src:putty
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Security fix CVE-2024-31497

[ Impact ]
Vulnerable biased nonce generation is still here.

[ Tests ]
The full crypto test suite, which tests CVE-2024-31497 in particular, is run

[ Risks ]
Low, reviewed by the maintainer

Approved by Colin

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

putty (0.74-1+deb11u2) bullseye; urgency=medium

  * Non-maintainer upload.
  * Cherry-pick from upstream:
    - Refactor the ssh_hash vtable.
    - Add an extra HMAC constructor function.
    - Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
      to recover a user's NIST P-521 secret key via a quick attack in
      approximately 60 signatures. In other words, an adversary
      may already have enough signature information to compromise a victim's
      private key, even if there is no further use of vulnerable PuTTY
      versions.


diff -Nru putty-0.74/debian/changelog putty-0.74/debian/changelog
--- putty-0.74/debian/changelog	2023-12-22 17:36:21.0 +
+++ putty-0.74/debian/changelog	2024-07-16 10:13:59.0 +
@@ -1,3 +1,18 @@
+putty (0.74-1+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick from upstream:
+- Refactor the ssh_hash vtable.
+- Add an extra HMAC constructor function.
+- Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
+to recover a user's NIST P-521 secret key via a quick attack in
+approximately 60 signatures. In other words, an adversary
+may already have enough signature information to compromise a victim's
+private key, even if there is no further use of vulnerable PuTTY
+versions.
+
+ -- Bastien Roucari??s   Tue, 16 Jul 2024 10:13:59 +
+
 putty (0.74-1+deb11u1) bullseye-security; urgency=medium
 
   * Cherry-pick from upstream:
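Review bot: the [ Tests ] section of this request says the full crypto test suite is run, but the new deb11u2 entry and the rest of the debdiff contain no build-time test hook, unlike the bookworm upload 0.78-2+deb12u2 on this page, which adds "Run test/cryptsuite.py during build" together with a python3 build-dependency. Either carry the same d/rules and d/control change here with its changelog line, or say in [ Tests ] that the suite was run by hand outside the package build, so the entry matches what the package actually does.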
diff -Nru putty-0.74/debian/.git-dpm putty-0.74/debian/.git-dpm
--- putty-0.74/debian/.git-dpm	2023-12-21 16:54:36.0 +
+++ putty-0.74/debian/.git-dpm	2024-07-16 10:13:59.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-a24da4ff8e3a0d9f2b4adf9d092358f41df18432
-a24da4ff8e3a0d9f2b4adf9d092358f41df18432
+3b973f00dd0076ae305a0b5e7ddab9b811a833dd
+3b973f00dd0076ae305a0b5e7ddab9b811a833dd
 4bd8df1aca313a0da36e559bd4a4d0cf0bc2eaa8
 4bd8df1aca313a0da36e559bd4a4d0cf0bc2eaa8
 putty_0.74.orig.tar.gz
diff -Nru putty-0.74/debian/.gitignore putty-0.74/debian/.gitignore
--- putty-0.74/debian/.gitignore	2023-12-21 16:54:36.0 +
+++ putty-0.74/debian/.gitignore	1970-01-01 00:00:00.0 +
@@ -1,7 +0,0 @@
-/*.debhelper*
-/*.substvars
-/files
-/pterm
-/putty
-/putty-doc
-/putty-tools
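Review bot: deleting debian/.gitignore (the -/*.debhelper* ... -/putty-tools hunk) is repository housekeeping with no bearing on CVE-2024-31497; a stable update should be limited to the fix, so drop this file change from the debdiff or at least account for it in d/changelog. The .git-dpm pointer update is expected when patches are added with git-dpm and needs no entry.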
diff -Nru putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch
--- putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch	1970-01-01 00:00:00.0 +
+++ putty-0.74/debian/patches/0006-Refactor-the-ssh_hash-vtable.-NFC.patch	2024-07-16 10:13:59.0 +
@@ -0,0 +1,691 @@
+From 9f15a5795bf67d90aad97a394c4b1a93a56d4cba Mon Sep 17 00:00:00 2001
+From: Simon Tatham 
+Date: Sun, 15 Dec 2019 09:30:10 +
+Subject: Refactor the ssh_hash vtable. (NFC)
+
+Refactor the ssh_hash vtable. (NFC)
+
+The idea is to arrange that an ssh_hash object can be reused without
+having to free it and allocate a new one. So the 'final' method has
+been replaced with 'digest', which does everything except the trailing
+free; and there's also a new pair of methods 'reset' and 'copyfrom'
+which overwrite the state of a hash with either the starting state or
+a copy of another state. Meanwhile, the 'new' allocator function has
+stopped performing 'reset' as a side effect; now it _just_ does the
+administrative stuff (allocation, setting up vtables), and returns an
+object which isn't yet ready to receive any actual data, expecting
+that the caller will either reset it or copy another hash state into
+it.
+
+In particular, that means that the SHA-384 / SHA-512 pair no longer
+need separate 'new' methods, because only the 'reset' part has to
+change between them.
+
+This commit makes no change to the user-facing API of wrapper
+functions in ssh.h, except to add new functions which nothing yet
+calls. The user-facing ssh_hash_new() calls the new and reset methods
+in succession, and the copy and final methods still exist to do
+new+copy and digest+free.
+
+origin: backport, https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=156762fc0246c4ff587c72eed7010552f9c1e5bb
+---
+ ssh.h  |  26 ++
+ sshmd5.c   |  26 +++---
+ sshsh256.c | 100 +++
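Review bot: this patch is a 691-line refactor marked NFC and dated December 2019, which is a lot to carry into oldstable as a prerequisite; the header should state why the CVE-2024-31497 fix cannot be applied without it (presumably the "Add an extra HMAC constructor function" patch that follows depends on the new hash vtable), so that a later reviewer does not mistake it for an optional cleanup. The origin: line pointing at upstream commit 156762fc is good; keep it, and say explicitly that the crypto test suite run in [ Tests ] covers the refactored hash objects.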

Bug#1077557: Most changelog items missing in 2.117.1 changelog entry (Re: lintian_2.117.1_source.changes ACCEPTED into unstable)

2024-07-29 Thread Bastien Roucariès
Le lundi 29 juillet 2024, 23:40:28 UTC Axel Beckert a écrit :
> Package: lintian
> Version: 2.117.1
> Severity: serious
> 
> Hi Bastien,
> 
> Debian FTP Masters wrote:
> > Date: Sat, 27 Jul 2024 21:39:04 +
> > Source: lintian
> > Architecture: source
> > Version: 2.117.1
> > Distribution: unstable
> > Urgency: medium
> > Maintainer: Debian Lintian Maintainers 
> > Changed-By: Bastien Roucariès 
> > Closes: 1077112
> > Changes:
> >  lintian (2.117.1) unstable; urgency=medium
> >  .
> >[ Axel Beckert ]
> >* Retroactively mention #1033894 in previous changelog entry.
> >  .
> >[ Otto Kekäläinen ]
> >* Declare compliance with Debian Policy 4.7.0
> >* Salsa-CI: Run both current and new Lintian to
> >  ensure full compatibility
> >  .
> >[ Bastien Roucariès ]
> >* Avoid an error with recent dpkg tools
> >* Workarround failure with recent gcc
> >* invalid-versioned-provides could not be anymore tested
> >  due to dpkg-dev change
> >* rebuild against dh-elpa >=2.1.5 (Closes: #1077112)
> > Checksums-Sha1: […]
> 
> Thanks a lot for stepping in and daring to do a Lintian release!
> 
> Unfortunately a few things went rather bad and I wanted to fix
> this up quickly:
> 
> * No tag change summary (private/generate-tag-summary not run)
> 
> * Most changelog entries and closed bug numbers missing. (gbp dch not
>   run or went weirdly bad?) IMHO this makes this version of Lintian
>   unfit for release, hence the RC severity. Also to avoid that this
>   version to migrates to testing.
>   
> * Wrong version number. There are quite some new tags in this release,
>   hence a feature additions, which requires the minor version to be
>   bumped (i.e. to 2.118.0) according to Semantic Versioning (which
>   Lintian tries to follow for a while now): https://semver.org/
> 
> * The last git commits included in the upload are not pushed to the
>   git repository on Salsa.

Will fix and add a checklist to CONTRIBUTING.md

Thanks

Bastien

> 
> Especially because of the last issue, currently nobody can continue
> working on Lintian and fix the other things mentioned. So please push
> your work as soon as possible, so that we can fix the remaining issues
> with the 2.117.1.
> 
> This is what I would retroactively add to the 2.117.1 changelog entry
> (based on current git with the current changelog entries from the
> upload manually fiddled in) and then just tagging an 2.118.0 release
> to get things back on track:
> 
> +  * Summary of tag changes:
> ++ Added:
> +  - gir-package-name-does-not-match
> +  - package-installs-deprecated-python2-path
> +  - systemd-alternatives
> +  - systemd-diversion
> +  - uses-deprecated-python-stdlib
> ++ Removed:
> +      - uses-python-distutils
> 
>[ Axel Beckert ]
>* Retroactively mention #1033894 in previous changelog entry.
> +  * data/changes-file/known-dists: Add trixie and forky
> +  * Refresh data (fonts and debhelper add-ons and commands)
> +  * Refresh data (add-ons, commands, fonts)
> 
>[ Bastien Roucariès ]
> +  * Avoid an error with recent dpkg tools
> +  * Workarround failure with recent gcc
> +  * invalid-versioned-provides could not be anymore tested due to
> +dpkg-dev change
>* rebuild against dh-elpa >=2.1.5 (Closes: #1077112)
> 
> +  [ Simon McVittie ]
> +  * gobject-introspection | dh-sequence-gir implements dh --with=gir
> +(Closes: #964290, #1063709)
> +  * gir: Also look for GIR XML in /usr/lib/${DEB_HOST_MULTIARCH}/gir-1.0
> +  * t/recipes/checks/desktop/gnome/gir: Install multiarch files correctly
> +  * t: Assert that desktop/gnome/gir checks are done on multiarch locations
> +  * t: Exercise the good (no warnings) case for multiarch desktop/gnome/gir
> +  * tags: Describe preferred Provides for typelib-package-name-does-not-match
> +  * tags: Mention the multiarch directory for public GIR XML
> +  * tags: Say how to add Depends/Provides for gir-missing-typelib-dependency
> +  * t: Catch up with best practices for GIR XML packaging
> +  * desktop/gnome/gir: Check for GIR XML canonical naming
> +  * data: Add nogir as a known build-profile
> +
> +  [ Louis-Philippe Véronneau ]
> +  * missing-prerequisite-for-pyproject-backend: add support for whey
> +  * Modify checks for the python3-pdm-pep517 -> python3-pdm-backend rename.
> +  * New tag: uses-deprecated-python-stdlib
> +  * New tag: package-installs-deprecated-python2-path (Closes: #1033294)
> +  * Refactor 'python-module-in-wrong-location' check
> +
> +  [ Nilesh Patra ]
> +  * Obsolete

Bug#1077515: bookworm-pu: package putty/0.78-2+deb12u2

2024-07-29 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pu...@packages.debian.org
Control: affects -1 + src:putty
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Security fix CVE-2024-31497

[ Impact ]
Vulnerable biased nonce generation is still here.

[ Tests ]
The full crypto test suite, which tests CVE-2024-31497 in particular, is run

[ Risks ]
Low, reviewed by the maintainer

Approved by Colin

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
  * Non-maintainer upload.
  * Cherry-pick from upstream:
    - Add an extra HMAC constructor function
    - Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
      to recover a user's NIST P-521 secret key via a quick attack in
      approximately 60 signatures. In other words, an adversary
      may already have enough signature information to compromise a victim's
      private key, even if there is no further use of vulnerable PuTTY
      versions.
  * Run test/cryptsuite.py during build.
diff -Nru putty-0.78/debian/changelog putty-0.78/debian/changelog
--- putty-0.78/debian/changelog	2023-12-18 19:13:57.0 +
+++ putty-0.78/debian/changelog	2024-07-16 10:44:03.0 +
@@ -1,3 +1,18 @@
+putty (0.78-2+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-pick from upstream:
+- Add an extra HMAC constructor function
+- Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
+  to recover a user's NIST P-521 secret key via a quick attack in
+  approximately 60 signatures. In other words, an adversary
+  may already have enough signature information to compromise a victim's
+  private key, even if there is no further use of vulnerable PuTTY
+  versions.
+  * Run test/cryptsuite.py during build.
+
+ -- Bastien Roucari??s   Tue, 16 Jul 2024 10:44:03 +
+
 putty (0.78-2+deb12u1) bookworm-security; urgency=medium
 
   * CVE-2023-48795: Cherry-pick from upstream:
diff -Nru putty-0.78/debian/control putty-0.78/debian/control
--- putty-0.78/debian/control	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/control	2024-07-16 10:44:03.0 +
@@ -8,6 +8,7 @@
debhelper-compat (= 13),
dh-exec,
dpkg-dev (>= 1.15.7~),
+   python3 ,
 Build-Depends-Arch: imagemagick,
 libgtk-3-dev,
 libx11-dev,
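Review bot: the added Build-Depends entry reads "python3 ," with a space before the comma, which is what a stripped build-profile qualifier such as <!nocheck> would leave behind; check the real d/control. python3 is needed only to run test/cryptsuite.py, so it should be qualified with <!nocheck>, and the d/rules call that runs the suite should honour DEB_BUILD_OPTIONS=nocheck, otherwise nocheck builds gain a new dependency for nothing.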
diff -Nru putty-0.78/debian/.git-dpm putty-0.78/debian/.git-dpm
--- putty-0.78/debian/.git-dpm	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/.git-dpm	2024-07-16 10:44:03.0 +
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
 e517b33826b38389d4d45a859603a635bd3cf55b
 e517b33826b38389d4d45a859603a635bd3cf55b
 putty_0.78.orig.tar.gz
diff -Nru putty-0.78/debian/.gitignore putty-0.78/debian/.gitignore
--- putty-0.78/debian/.gitignore	2023-12-18 19:13:47.0 +
+++ putty-0.78/debian/.gitignore	1970-01-01 00:00:00.0 +
@@ -1,9 +0,0 @@
-/*.debhelper*
-/*.substvars
-/build
-/files
-/pterm
-/putty
-/putty-doc
-/putty-tools
-/version.but.save
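Review bot: same remark as for the bullseye debdiff on this page: the debian/.gitignore deletion is housekeeping unrelated to CVE-2024-31497 and should not ride along in a stable update.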
diff -Nru putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch
--- putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch	1970-01-01 00:00:00.0 +
+++ putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch	2024-07-16 10:44:03.0 +
@@ -0,0 +1,108 @@
+From 5a6f12336d7ddfb0322898cba3cde010341e945c Mon Sep 17 00:00:00 2001
+From: Simon Tatham 
+Date: Mon, 1 Apr 2024 07:45:21 +0100
+Subject: Add an extra HMAC constructor function.
+
+Add an extra HMAC constructor function.
+
+This takes a plain ssh_hashalg, and constructs the most natural kind
+of HMAC wrapper around it, taking its key length and output length
+to be the hash's output length. In other words, it converts SHA-foo
+into exactly the thing usually called HMAC-SHA-foo.
+
+It does it by constructing a new ssh2_macalg vtable, and including it
+in the same memory allocation as the actual hash object. That's the
+first time in PuTTY I've done it this way.
+
+Nothing yet uses this, but a new piece of code is about to.
+
+origin: backport, https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=dea3ddca0537299ebfe907dd4c883fe65bfb4035
+---
+ crypto/hmac.c | 45 +++--
+ ssh.h |  5 +
+ 2 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index adeccd29..fa70c8e6 100644
+--- a/crypto/hmac.c
 b/crypto/hmac.c
+@@ -18,9 
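
The bias behind CVE-2024-31497, as an added example serving both PuTTY requests on this page (bullseye 0.74-1+deb11u2 and bookworm 0.78-2+deb12u2); it is not PuTTY's code and not part of either debdiff. old_style_nonce models the flawed scheme the changelog describes, a 512-bit hash of the private key and message hash reduced modulo the 521-bit order of P-521 (the exact input layout is an assumption; what matters is that a 512-bit value can never fill 521 bits, so the top 9 nonce bits are always zero). rfc6979_nonce is a straight implementation of RFC 6979 section 3.2 with HMAC-SHA-512, the kind of deterministic derivation that produces full-width nonces. The lattice step that recovers the key from about 60 biased signatures is not implemented; the example only exhibits the bias it relies on. P521_N is the standard group order; the private key and messages are made up.

```python
"""Nonce bias of the CVE-2024-31497 class, shown on NIST P-521.

Constructed example: old_style_nonce models the pre-fix construction
(512-bit hash reduced mod a 521-bit order); rfc6979_nonce implements
RFC 6979 HMAC_DRBG nonce derivation with SHA-512.
"""
import hashlib
import hmac

# Group order n of NIST P-521 (521 bits).
P521_N = int(
    "01FF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF" "FFFFFFFF"
    "FFFFFFFF" "FFFFFFFA" "51868783" "BF2F966B" "7FCC0148" "F709A5D0"
    "3BB5C9B8" "899C47AE" "BB6FB71E" "91386409", 16)

# Made-up private key for the demonstration.
DEMO_PRIV = int.from_bytes(hashlib.sha512(b"constructed demo key").digest(), "big") % P521_N


def old_style_nonce(priv, msg_hash, q=P521_N):
    """Model of the flawed scheme: SHA-512(priv || H(m)) mod q.
    Because 2**512 < q for P-521 the reduction never triggers, so the
    result has at most 512 significant bits: the top 9 bits are zero."""
    rlen = (q.bit_length() + 7) // 8
    digest = hashlib.sha512(priv.to_bytes(rlen, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % q


def rfc6979_nonce(priv, msg_hash, q=P521_N, hashfunc=hashlib.sha512):
    """RFC 6979 section 3.2: HMAC_DRBG seeded with int2octets(priv) ||
    bits2octets(H(m)), generating candidates until one lies in [1, q-1]."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size

    def bits2int(b):
        v = int.from_bytes(b, "big")
        blen = len(b) * 8
        return v >> (blen - qlen) if blen > qlen else v

    def int2octets(x):
        return x.to_bytes(rlen, "big")

    def mac(key, data):
        return hmac.new(key, data, hashfunc).digest()

    seed = int2octets(priv) + int2octets(bits2int(msg_hash) % q)
    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = mac(k, v + b"\x00" + seed)
    v = mac(k, v)
    k = mac(k, v + b"\x01" + seed)
    v = mac(k, v)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = mac(k, v)
            t += v
        cand = bits2int(t)
        if 1 <= cand < q:
            return cand
        k = mac(k, v + b"\x00")
        v = mac(k, v)


def max_nonce_bits(nonce_fn, priv, count=200):
    """Largest nonce bit length observed over `count` signatures of
    distinct (constructed) messages: 512 for the flawed scheme, 521 for
    a full-width one."""
    return max(
        nonce_fn(priv, hashlib.sha512(b"constructed message %d" % i).digest()).bit_length()
        for i in range(count))


if __name__ == "__main__":
    print("old style, max nonce bits:", max_nonce_bits(old_style_nonce, DEMO_PRIV))
    print("RFC 6979,  max nonce bits:", max_nonce_bits(rfc6979_nonce, DEMO_PRIV))
```

Nine known-zero bits per nonce is exactly the kind of partial information a hidden-number-problem lattice attack consumes, which is why a few dozen signatures suffice and why rotating to a new key, not just upgrading, is the remediation the changelog text alludes to.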

Bug#1060103: New of imagemagick7

2024-07-28 Thread Bastien Roucariès
control: tags -1 - moreinfo

Hi,

The last reverse-deps pipeline of libmagick is not really bad:
https://salsa.debian.org/debian/imagemagick/-/pipelines/708187

A lot of the failures are due to broken packages or packages that do not use pkgconfig.

I suppose we could go to experimental.

Bastien



Bug#1076817: ocsinventory: php-cas does not work

2024-07-23 Thread Bastien Roucariès
Source: ocsinventory
Version: 2.8.1+dfsg1-1
Severity: important
Tags: patch bullseye

Dear Maintainer,

php-cas support was broken in bullseye.

It needs
(1)
https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/f8a667f9f19b285799ec6a25a28240165b039dfb
(2)
https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/3693fb9f9aea1a6ff9df4e7fd0125a88147c98c2




Bug#1076562: forcemerge

2024-07-18 Thread Bastien Roucariès
control: forcemerge 1076158 -1 





Bug#1076562: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u4

2024-07-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.

[ Impact ]

  * The CVEs are still open / not fixed


[ Tests ]

Manual test of CVE-2023-34151, automatic of CVE-2023-1289.
Cross checked by santiago

[ Risks ]

Risks are low; cross-check done by santiago.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[Other changes]

Updated d/changelog for old, already-fixed CVEs. Investigated status with carnil.
diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-17 15:31:24.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 16:52:37.0 +
@@ -1,3 +1,12 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
+  * Fix CVE-2021-20313: Fix a divide by zero
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 16:52:37 +
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium
 
   * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
@@ -33,7 +42,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
 
@@ -57,8 +66,11 @@
   * Fix CVE-2022-28463: Buffer overflow in cin coder.
   * Fix CVE-2022-32545: Value outside the range of unsigned char
 (Closes: #1016442)
+  * Fix CVE-2021-40211: Division by zero in function ReadEnhMetaFile
+of coders/emf.c.
   * Fix CVE-2022-32546: Value outside the range of representable
-values of type 'unsigned long' at coders/pcl.c,
+values of type 'unsigned long' at coders/pcl.c
+  * Fix CVE-2022-32547: fix a misaligned address access.
   * Use Salsa CI
 
  -- Bastien Roucari??s   Fri, 29 Dec 2023 11:18:56 +
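Review bot: besides the new deb11u4 entry, this hunk rewrites the already-published deb11u3 entry (adding "Fix also CVE-2022-3213", the CVE-2021-40211 lines and CVE-2022-32547). Editing a released entry is easy to miss in review and confuses anyone diffing changelogs against the archive; the usual form is a line in the new entry such as "Retroactively mention CVE-2022-3213, CVE-2021-40211 and CVE-2022-32547 as fixed in 1.3+deb11u3", which is also what [ Other info ] describes.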
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 16:46:06.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Tue Jun 25 18:15:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	2024-07-11 16:46:06.0 +
@@ -0,0 +1,166 @@
+From: Cristy 
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: CVE-2021-20312/CVE-2021-20313 possible divide by zero + clear
+ buffers
+
+---
+ coders/thumbnail.c  |  3 ++-
+ magick/cipher.c | 12 ++--
+ magick/colorspace.c | 16 
+ magick/memory.c | 21 -
+ magick/signature.c  |  2 +-
+ 5 files changed, 33 insertions(+), 21 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index f456faa..3833341 100644
+--- a/coders/thumbnail.c
 b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+   break;
+ q++;
+   }
+-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
++  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
++  (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
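Review bot: the rewritten bounds check correctly avoids forming the out-of-range pointer q+length, but because it tests q > end rather than q >= end, the pair q == end with length == 0 still passes and reaches BlobToImage() with an empty blob; rejecting length == 0 up front would make that failure mode explicit. If length is unsigned, the comparison with the pointer difference also mixes signedness; it is safe here because q <= end has just been established, but a cast would keep -Wsign-compare quiet.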
+diff --git a/magick/cipher.c b/magick/cipher.c
+index a6d90fc..e7b5a81 100644
+--- a/magick/cipher.c
 b/magick/cipher.c
+@@ -485,8 +485,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+ Reset registers.
+   */
+   alpha=0;
+-  (void) memset(key,0,sizeof(key));
+-  (void) memset(text
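Review bot: the hunk is cut off right after the two removed memset() calls that clear the key and text buffers at the end of EncipherAESBlock, so the replacement is not visible here. The reason to replace them is that a plain memset() on a buffer that is never read again is a dead store the compiler may legally drop, leaving the AES key material on the stack; whatever replaces it must be a zeroing primitive the optimizer cannot elide. Worth confirming in the full patch before accepting.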

Bug#1076158: bullseye-pu: package imagemagick/8:6.9.11.60+dfsg-1.3+deb11u4

2024-07-11 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu



[ Reason ]
  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.
  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
  * Fix CVE-2021-20313: Fix a divide by zero


[ Impact ]
The CVEs are still open

[ Tests ]
Automatic test for CVE-2023-1289; the other tests were done manually with libasan

[ Risks ]

Low; review of changes and testing cross-checked with santiago

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-17 15:31:24.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 16:52:37.0 +
@@ -1,3 +1,12 @@
+imagemagick (8:6.9.11.60+dfsg-1.3+deb11u4) bullseye; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+  * Fix CVE-2021-20312: Fix a divide by zero (Closes: #1013282)
+  * Fix CVE-2021-20313: Fix a divide by zero
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 16:52:37 +
+
 imagemagick (8:6.9.11.60+dfsg-1.3+deb11u3) bullseye-security; urgency=medium
 
   * Fix CVE-2021-3610 heap buffer overflow vulnerability in TIFF coder
@@ -33,7 +42,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
 
@@ -57,8 +66,11 @@
   * Fix CVE-2022-28463: Buffer overflow in cin coder.
   * Fix CVE-2022-32545: Value outside the range of unsigned char
 (Closes: #1016442)
+  * Fix CVE-2021-40211: Division by zero in function ReadEnhMetaFile
+of coders/emf.c.
   * Fix CVE-2022-32546: Value outside the range of representable
-values of type 'unsigned long' at coders/pcl.c,
+values of type 'unsigned long' at coders/pcl.c
+  * Fix CVE-2022-32547: fix a misaligned address access.
   * Use Salsa CI
 
  -- Bastien Roucari??s   Fri, 29 Dec 2023 11:18:56 +
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 16:46:06.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Tue Jun 25 18:15:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0068-CVE-2021-20312-CVE-2021-20313-possible-divide-by-zer.patch	2024-07-11 16:46:06.0 +
@@ -0,0 +1,166 @@
+From: Cristy 
+Date: Thu, 25 Feb 2021 17:03:18 -0500
+Subject: CVE-2021-20312/CVE-2021-20313 possible divide by zero + clear
+ buffers
+
+---
+ coders/thumbnail.c  |  3 ++-
+ magick/cipher.c | 12 ++--
+ magick/colorspace.c | 16 
+ magick/memory.c | 21 -
+ magick/signature.c  |  2 +-
+ 5 files changed, 33 insertions(+), 21 deletions(-)
+
+diff --git a/coders/thumbnail.c b/coders/thumbnail.c
+index f456faa..3833341 100644
+--- a/coders/thumbnail.c
 b/coders/thumbnail.c
+@@ -198,7 +198,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
+   break;
+ q++;
+   }
+-  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
++  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
++  (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
+ ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
+   thumbnail_image=BlobToImage(image_info,q,length,&image->exception);
+   if (thumbnail_image == (Image *) NULL)
+diff --git a/magick/cipher.c b/magick/cipher.c
+index a6d90fc..e7b5a81 100644
+--- a/magick/cipher.c
 b/magick/cipher.c
+@@ -485,8 +485,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
+ Reset registers.
+   */
+   alpha=0;
+-  (void) memset(key,0,sizeof(key));
+-  (void) memse

Bug#1076156: bookworm-pu: package imagemagick/8:6.9.11.60+dfsg-1.6+deb12u2

2024-07-11 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: imagemag...@packages.debian.org
Control: affects -1 + src:imagemagick
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
  * Fix variation of CVE-2023-1289 found by testing.

[ Impact ]

  * The CVEs are still open / not fixed


[ Tests ]

Manual test of CVE-2023-34151, automatic of CVE-2023-1289.


[ Risks ]

Risks are low; cross-check done by santiago.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

diff -Nru imagemagick-6.9.11.60+dfsg/debian/changelog imagemagick-6.9.11.60+dfsg/debian/changelog
--- imagemagick-6.9.11.60+dfsg/debian/changelog	2024-02-12 20:15:47.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/changelog	2024-07-11 10:48:47.0 +
@@ -1,3 +1,10 @@
+imagemagick (8:6.9.11.60+dfsg-1.6+deb12u2) bookworm; urgency=medium
+
+  * CVE-2023-34151 fix was incomplete (Closes: #1070340)
+  * Fix variation of CVE-2023-1289 found by testing.
+
+ -- Bastien Roucari??s   Thu, 11 Jul 2024 10:48:47 +
+
 imagemagick (8:6.9.11.60+dfsg-1.6+deb12u1) bookworm-security; urgency=high
 
   * Acknowledge NMU
@@ -34,7 +41,7 @@
 was found in coders/tiff.c in ImageMagick. This issue
 may allow a local attacker to trick the user into opening
 a specially crafted file, resulting in an application crash
-and denial of service.
+and denial of service. Fix also CVE-2022-3213.
   * Fix CVE-2023-5341: A heap use-after-free flaw was found in
 coders/bmp.c
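Review bot: this hunk also edits the released deb12u1 entry to append "Fix also CVE-2022-3213"; as in the bullseye debdiff, record that retroactively in the new deb12u2 entry instead of rewriting the old one, so the archive's copy of the deb12u1 entry and the source still agree.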
 
diff -Nru imagemagick-6.9.11.60+dfsg/debian/control imagemagick-6.9.11.60+dfsg/debian/control
--- imagemagick-6.9.11.60+dfsg/debian/control	2024-02-12 19:54:48.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/control	2024-07-11 10:48:47.0 +
@@ -1,4 +1,4 @@
-# Autogenerated Mon Jul 27 10:33:31 CEST 2020 from make -f debian/rules update_pkg
+# Autogenerated Mon Jun 24 16:27:31 UTC 2024 from make -f debian/rules update_pkg
 Source: imagemagick
 Section: graphics
 Priority: optional
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0066-CVE-2023-34151-properly-cast-double-to-size_t.patch	2024-07-11 10:48:47.0 +
@@ -0,0 +1,29 @@
+From: Cristy 
+Date: Tue, 23 Apr 2024 18:19:24 -0400
+Subject: CVE-2023-34151: properly cast double to size_t
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/6341
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070340
+
+forgot to cast double to unsigned int
+
+origin: https://github.com/ImageMagick/ImageMagick6/commit/be15ac962dea19536be1009d157639030fc42be9.patch
+---
+ coders/mvg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/coders/mvg.c b/coders/mvg.c
+index 2d503e1..d8e793e 100644
+--- a/coders/mvg.c
 b/coders/mvg.c
+@@ -191,8 +191,8 @@ static Image *ReadMVGImage(const ImageInfo *image_info,ExceptionInfo *exception)
+ 96.0;
+   draw_info->affine.sy=image->y_resolution == 0.0 ? 1.0 : image->y_resolution/
+ 96.0;
+-  image->columns=(size_t) (draw_info->affine.sx*image->columns);
+-  image->rows=(size_t) (draw_info->affine.sy*image->rows);
++  image->columns=CastDoubleToUnsigned(draw_info->affine.sx*image->columns);
++  image->rows=CastDoubleToUnsigned(draw_info->affine.sy*image->rows);
+   status=SetImageExtent(image,image->columns,image->rows);
+   if (status == MagickFalse)
+ {
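Review bot: the numbering inverts the dependency between these two patches: this hunk makes coders/mvg.c call CastDoubleToUnsigned(), yet 0067, whose own header says it is the prerequisite and which is the only one of the pair touching a header file (magick/image-private.h), is applied after it in the series. The finished tree builds, but the intermediate state after 0066 alone presumably does not, which hurts bisecting and stepping through `quilt push` one patch at a time; renumber so the prerequisite comes first, or fold the helper into this patch. The header line "forgot to cast double to unsigned int" also describes what are size_t fields here; adjust the wording.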
diff -Nru imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch
--- imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch	1970-01-01 00:00:00.0 +
+++ imagemagick-6.9.11.60+dfsg/debian/patches/0067-CVE-2023-34151.patch	2024-07-11 10:48:47.0 +
@@ -0,0 +1,72 @@
+From: Cristy 
+Date: Mon, 21 Feb 2022 11:55:23 -0500
+Subject: CVE-2023-34151
+
+This is a prerequist for fixing it
+
+magick produces incorrect result possibly due to overflow
+
+bug: https://github.com/ImageMagick/ImageMagick/issues/4870
+origin: https://github.com/ImageMagick/ImageMagick6/commit/8b7b17c8fef72dab479e6ca676676d8c5e395dd6
+---
+ coders/txt.c   | 24 
+ magick/image-private.h | 11 +++
+ 2 files changed, 23 insertions(+), 12 deletions(-)
+
+diff --git a/coders/txt.c b/coders/txt.c
+index 0e5c794..bca071f 100644
+--- a/coders/txt.c
 b/coders/txt.c
+@@ -573,18 +573,18 @@ static Image *ReadTXTImage(const ImageInfo *image_info,ExceptionInfo *exception)
+

Bug#1075759: isa-support: please add armv8 + crc support package

2024-07-05 Thread Bastien Roucariès
Le jeudi 4 juillet 2024, 12:51:01 UTC Luca Boccassi a écrit :
Hi,

> Source: isa-support
> Severity: wishlist
> X-Debbugs-Cc: pkg-dpdk-de...@lists.alioth.debian.org
> 
> Dear Maintainer(s),
> 
> For src:dpdk we would like to depend on a higher arm64 baseline, which
> includes the crc extension. Would it be possible to add a new package
> that matches it?
> 
> For reference, we compile with: -march=armv8-a+crc

I would really prefer to add an arch level like armv8.1-a if possible.

Does some processor exist with crc but without ‘+lse’ or ‘+rdma’?

Next question: how can I detect it?

rouca
> 
> https://gcc.gnu.org/onlinedocs/gcc/AArch64-Options.html
> 
> Thank you!
> 
> 



signature.asc
Description: This is a digitally signed message part.


Bug#1074391: More information

2024-06-29 Thread Bastien Roucariès
control: severity -1 important
control: retitle -1 should be split between arch and arch:all 

Thanks to Yadd, this is partially solved.

However, this package should be split between arch and arch:all parts.

Bastien

> On 6/28/24 01:04, Bastien Roucariès wrote:
> > Hi,
> > 
> > I get this backtrace (yadd could you get a glimpse)
> > 
> > Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'esbuild' imported from 
> > assemblyscript/assemblyscript/scripts/build.js
> > Did you mean to import 
> > "file:///usr/lib/x86_64-linux-gnu/nodejs/esbuild/lib/main.js"?
> >  at packageResolve (node:internal/modules/esm/resolve:854:9)
> >  at moduleResolve (node:internal/modules/esm/resolve:927:18)
> >  at defaultResolve (node:internal/modules/esm/resolve:1157:11)
> >  at ModuleLoader.defaultResolve 
> > (node:internal/modules/esm/loader:383:12)
> >  at ModuleLoader.resolve (node:internal/modules/esm/loader:352:25)
> >  at ModuleLoader.getModuleJob (node:internal/modules/esm/loader:227:38)
> >  at ModuleWrap. (node:internal/modules/esm/module_job:87:39)
> >  at link (node:internal/modules/esm/module_job:86:36) {
> >code: 'ERR_MODULE_NOT_FOUND'
> > 
> > In any case, maybe this package could be split between arch/not arch parts
> 
> Hi,
> 
> maybe a `pkgjs-ln esbuild` could fix this
> 





Bug#1074391: More information

2024-06-27 Thread Bastien Roucariès
Hi,

I get this backtrace (yadd could you get a glimpse)

Error [ERR_MODULE_NOT_FOUND]: Cannot find package 'esbuild' imported from 
assemblyscript/assemblyscript/scripts/build.js
Did you mean to import 
"file:///usr/lib/x86_64-linux-gnu/nodejs/esbuild/lib/main.js"?
at packageResolve (node:internal/modules/esm/resolve:854:9)
at moduleResolve (node:internal/modules/esm/resolve:927:18)
at defaultResolve (node:internal/modules/esm/resolve:1157:11)
at ModuleLoader.defaultResolve (node:internal/modules/esm/loader:383:12)
at ModuleLoader.resolve (node:internal/modules/esm/loader:352:25)
at ModuleLoader.getModuleJob (node:internal/modules/esm/loader:227:38)
at ModuleWrap. (node:internal/modules/esm/module_job:87:39)
at link (node:internal/modules/esm/module_job:86:36) {
  code: 'ERR_MODULE_NOT_FOUND'

In any case, maybe this package could be split between arch/not arch parts.

Bastien



Bug#1074391: esbuild: build esbuild main.js

2024-06-27 Thread Bastien Roucariès
Package: esbuild
Version: 0.20.2-1
Severity: serious
Justification: could not be imported from node

Dear Maintainer,

Could you build the node package esbuild?

Without it the package is broken from node's point of view, hence a serious bug.

I can help here

Bastien





Bug#1074369: luakit: please use sensible-utils

2024-06-27 Thread Bastien Roucariès
Source: luakit
Severity: wishlist
Tags: patch

Dear Maintainer,

Could you please merge
https://salsa.debian.org/debian/luakit/-/merge_requests/3

Thanks

Bastien




Bug#1074366: x-terminal-emulator depends

2024-06-27 Thread Bastien Roucariès
Package: debian-policy
Version: 4.7.0.0
Severity: wishlist

Dear Maintainer,

Could you document the depends for x-terminal-emulator?

I suppose it is xterm | x-terminal-emulator?

Bastien





Bug#1074360: debian-policy: document sensible-terminal

2024-06-27 Thread Bastien Roucariès
Package: debian-policy
Version: 4.7.0.0
Severity: wishlist

Dear Maintainer,

sensible-utils will carry in trixie sensible-terminal.

It will allow a user to customize the terminal to be used, like sensible-editor does.

Could you document it in policy?

Thanks

Bastien


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.8.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

debian-policy depends on no packages.

Versions of packages debian-policy recommends:
ii  libjs-jquery 3.6.1+dfsg+~3.5.14-1
ii  libjs-sphinxdoc  7.2.6-9
ii  sphinx-rtd-theme-common  2.0.0+dfsg-1

Versions of packages debian-policy suggests:
pn  doc-base  

-- no debconf information



Bug#1070340: Bug CVE-2023-34151: Please add this doc here

2024-06-22 Thread Bastien Roucariès
Hi,

Could you post as plain text the document you put in a Google doc, and the
image used, as attached documents?

It will help others to reproduce.

Thanks

rouca



Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-17 Thread Bastien Roucariès
Le dimanche 16 juin 2024, 20:15:33 UTC Adam D. Barratt a écrit :
Hi

I am sorry, I forgot to enable the NUL reject by default for bullseye (only for
bullseye).

I will upload ASAP

Bastien
> On Sun, 2024-06-16 at 20:09 +0000, Bastien Roucariès wrote:
> > Le dimanche 16 juin 2024, 20:08:42 UTC Adam D. Barratt a écrit :
> > > On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote:
> > > >  "slightly non-conformant" really good justification for a pop-up
> > > > news item on upgrades? I don't recall the other MTAs doing this.
> > > > 
> > > > It's up to you, either way please go ahead.
> > > 
> > > As with the bookworm upload, the NEWS file won't work as designed:
> > > 
> > > +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS
> > 
> > I have uploaded should I reupload ?
> 
> If you want the NEWS file to actually be displayed to users, yes. :-)
> 
> A deb11u2 / deb12u2 that simply renames the file appropriately would be
> fine in each case.
> 
> Regards,
> 
> Adam
> 





Bug#1073529: bookworm-pu: package pymongo/3.11.0-1+deb11u1

2024-06-16 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: pymo...@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-5629

[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a Server to raise an exception which may contain
arbitrary application memory

[ Tests ]
Test suite of package

[ Risks ]
code is near trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2024-5629: An out-of-bounds read in the
'bson' module allowed deserialization of malformed BSON
 * Use correct salsa CI


[ Other info ]
QA upload, the package is orphaned.
diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/changelog	2024-06-16 17:42:49.0 +
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb11u1) bullseye; urgency=medium
+
+  * QA upload
+  * Fix CVE-2024-5629: An out-of-bounds read in the
+'bson' module allowed deserialization of malformed BSON
+provided by a Server to raise an exception which may
+contain arbitrary application memory
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 17:42:49 +
+
 pymongo (3.11.0-1) unstable; urgency=medium
 
   [ Federico Ceratto ]
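Review bot: the cover letter's [Changes] lists "Use correct salsa CI" and this debdiff rewrites debian/gitlab-ci.yml, but the changelog entry in this hunk mentions only the QA upload and the CVE, so the checklist item "*all* changes are documented in the d/changelog" is not met; add a bullet such as "* Switch debian/gitlab-ci.yml to the salsa-ci pipeline".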
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/control	2024-06-16 17:42:49.0 +
@@ -1,7 +1,7 @@
 Source: pymongo
 Section: python
 Priority: optional
-Maintainer: Federico Ceratto 
+Maintainer: Debian QA Group  
 Build-Depends: debhelper-compat (= 13),
  dh-python,
  python3-all-dev,
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/gitlab-ci.yml	2024-06-16 17:42:49.0 +
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-  artifacts:
-paths:
-- "*.deb"
-expire_in: 1 day
-  script:
-- gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'bullseye'
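Review bot: both `include:` lines fetch `raw/master` of the salsa-ci pipeline repository, so the CI definition is an unpinned external input and a run can change behaviour with no change to this package; that is the usual salsa-ci setup and acceptable for CI-only use, but it is worth a short comment in the file, and `RELEASE: 'bullseye'` is what makes the pipeline build against the right suite, so keep it.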
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	1970-01-01 00:00:00.0 +
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	2024-06-16 17:42:49.0 +
@@ -0,0 +1,51 @@
+From: Shane Harvey 
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +--
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
 b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ uint32_t c_w_s_size;
+ uint32_t code_size;
+ uint32_t scope_size;
++uint32_t len;
+ PyObject* code;
+ PyObject* scope;
+ PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ memcpy(&code_size, buffer + *position, 4);
+ code_size = BSON_UINT32_FROM_LE(code_size);
+ /* code_w_scope length + code length + code + scope length */
+-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++len = 4 + 4 + code_size + 4;
++if (!code_size || max < code_size || max < len || len < code_size) {
+ goto invalid;
+ }
+ *position += 4;
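Review bot: the added `len < code_size` test is a sound uint32 wraparound guard, since adding 12 to code_size can only wrap to a value smaller than code_size, but nothing in the hunk says that is its purpose and the comment above it still describes only the sum; add something like `/* len wrapped: code_size + 12 overflowed uint32_t */` so a later cleanup does not drop it. Assuming max is unsigned as the comparisons suggest, `max < code_size` is now implied by `max < len` together with `len < code_size` and could be dropped for clarity, or kept as belt and braces with a comment. The hunk for the scope_size check is cut off below, so it cannot be reviewed here.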
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ 
+ memcpy(&scope_size, buffer + *position, 4);
+ scope_size = BSON_UINT32_FROM_LE(scope_size);
+-if (

Bug#1073524: bookworm-pu: package pymongo/3.11.0-1+deb12u1

2024-06-16 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pymo...@packages.debian.org
Control: affects -1 + src:pymongo
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
CVE-2024-5629

[ Impact ]
An out-of-bounds read in the 'bson' module allows deserialization
of malformed BSON provided by a Server to raise an exception which may contain
arbitrary application memory

[ Tests ]
Test suite of package

[ Risks ]
code is near trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2024-5629: An out-of-bounds read in the
'bson' module allowed deserialization of malformed BSON
provided by a Server to raise an exception which may
contain arbitrary application memory
 * Use correct salsa CI


[ Other info ]
QA upload, the package is orphaned.
diff -Nru pymongo-3.11.0/debian/changelog pymongo-3.11.0/debian/changelog
--- pymongo-3.11.0/debian/changelog	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/changelog	2024-06-16 17:42:49.0 +
@@ -1,3 +1,13 @@
+pymongo (3.11.0-1+deb12u1) bookworm; urgency=medium
+
+  * QA upload
+  * Fix CVE-2024-5629: An out-of-bounds read in the
+'bson' module allowed deserialization of malformed BSON
+provided by a Server to raise an exception which may
+contain arbitrary application memory
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 17:42:49 +
+
 pymongo (3.11.0-1) unstable; urgency=medium
 
   [ Federico Ceratto ]
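Review bot: the "Use correct salsa CI" change to debian/gitlab-ci.yml that is part of this debdiff is absent from this changelog entry, while the cover letter's checklist claims all changes are documented in d/changelog; add a bullet for it. Apart from the distribution name this entry is the same as the bullseye one, so keep the two in sync when adding it.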
diff -Nru pymongo-3.11.0/debian/control pymongo-3.11.0/debian/control
--- pymongo-3.11.0/debian/control	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/control	2024-06-16 17:42:49.0 +
@@ -1,7 +1,7 @@
 Source: pymongo
 Section: python
 Priority: optional
-Maintainer: Federico Ceratto 
+Maintainer: Debian QA Group  
 Build-Depends: debhelper-compat (= 13),
  dh-python,
  python3-all-dev,
diff -Nru pymongo-3.11.0/debian/gitlab-ci.yml pymongo-3.11.0/debian/gitlab-ci.yml
--- pymongo-3.11.0/debian/gitlab-ci.yml	2020-10-17 21:23:41.0 +
+++ pymongo-3.11.0/debian/gitlab-ci.yml	2024-06-16 17:42:49.0 +
@@ -1,9 +1,7 @@
-image: registry.salsa.debian.org/salsa-ci-team/ci-image-git-buildpackage:latest
+---
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
-build:
-  artifacts:
-paths:
-- "*.deb"
-expire_in: 1 day
-  script:
-- gitlab-ci-git-buildpackage-all
+variables:
+  RELEASE: 'bookworm'
diff -Nru pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch
--- pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	1970-01-01 00:00:00.0 +
+++ pymongo-3.11.0/debian/patches/0002-CVE-2024-5629-PYTHON-4305-Fix-bson-size-check.patch	2024-06-16 17:42:49.0 +
@@ -0,0 +1,51 @@
+From: Shane Harvey 
+Date: Wed, 27 Mar 2024 13:16:55 -0700
+Subject: CVE-2024-5629 PYTHON-4305 Fix bson size check
+
+An out-of-bounds read in the 'bson' module allows deserialization
+of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
+
+bug: https://jira.mongodb.org/browse/PYTHON-4305
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-5629
+origin: https://patch-diff.githubusercontent.com/raw/mongodb/mongo-python-driver/pull/1564.patch
+---
+ bson/_cbsonmodule.c | 11 +--
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
+index f457f96..02d9105 100644
+--- a/bson/_cbsonmodule.c
 b/bson/_cbsonmodule.c
+@@ -2334,6 +2334,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ uint32_t c_w_s_size;
+ uint32_t code_size;
+ uint32_t scope_size;
++uint32_t len;
+ PyObject* code;
+ PyObject* scope;
+ PyObject* code_type;
+@@ -2353,7 +2354,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ memcpy(&code_size, buffer + *position, 4);
+ code_size = BSON_UINT32_FROM_LE(code_size);
+ /* code_w_scope length + code length + code + scope length */
+-if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
++len = 4 + 4 + code_size + 4;
++if (!code_size || max < code_size || max < len || len < code_size) {
+ goto invalid;
+ }
+ *position += 4;
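Review bot: the comment `/* code_w_scope length + code length + code + scope length */` now sits above the computation of `len`, but nothing says that `len < code_size` exists to catch 32-bit wraparound of `4 + 4 + code_size + 4`; a reader maintaining this later may "simplify" it away, so add a comment stating that. As far as shown, this patch file is byte-identical to the bullseye copy, which is the right way to carry the same fix in two suites; keep it that way when refreshing either one.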
+@@ -2371,12 +2373,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
+ 
+ memcpy(&scope_size, bu

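As an added example serving both pymongo requests above (the bullseye and the bookworm one), and not pymongo's code nor part of the patch or the cover letters: the shape of the check the CVE-2024-5629 fix is about, written as a bounds-checked parser for one BSON code_w_scope element (int32 total size, string code as int32 length plus bytes plus NUL, then a scope document). Every length read from the input is validated against the bytes that remain before it is used to index the buffer, and Python integers do not wrap, so the uint32 overflow the patch guards against cannot occur. The sample values, the helper names and the malformed inputs are constructed; the visible hunk is cut off before the scope_size check, so nothing here claims to reproduce the exact input behind PYTHON-4305.

```python
import struct

EMPTY_DOC = b"\x05\x00\x00\x00\x00"   # smallest valid BSON document (constructed)
MIN_CODE_W_SCOPE = 4 + 4 + 1 + len(EMPTY_DOC)   # total, code len, NUL, empty scope


def parse_code_w_scope(buf: bytes, pos: int, end: int):
    """Parse the code_w_scope value starting at buf[pos]; `end` is the exclusive
    bound of the enclosing document. Returns (code, scope_bytes, next_pos) or
    raises ValueError, and never reads past `end`."""
    remaining = end - pos
    if remaining < MIN_CODE_W_SCOPE:
        raise ValueError("truncated code_w_scope")
    total = struct.unpack_from("<i", buf, pos)[0]
    if total < MIN_CODE_W_SCOPE or total > remaining:
        raise ValueError(f"element size {total} does not fit in {remaining} bytes")
    code_len = struct.unpack_from("<i", buf, pos + 4)[0]
    # The code string (NUL included) must leave room for at least an empty scope.
    if code_len < 1 or code_len > total - 8 - len(EMPTY_DOC):
        raise ValueError(f"code length {code_len} exceeds element size {total}")
    code_start = pos + 8
    code = buf[code_start:code_start + code_len]
    if code[-1:] != b"\x00":
        raise ValueError("code string is not NUL terminated")
    scope_start = code_start + code_len
    scope_len = struct.unpack_from("<i", buf, scope_start)[0]
    # total pins the scope document length exactly; anything else is malformed.
    if scope_len != total - 8 - code_len:
        raise ValueError("scope length disagrees with element size")
    scope = buf[scope_start:scope_start + scope_len]
    if scope[-1:] != b"\x00":
        raise ValueError("scope document is not NUL terminated")
    return code[:-1].decode("utf-8"), scope, pos + total


def build_code_w_scope(code: str, scope_doc: bytes = EMPTY_DOC) -> bytes:
    """Encode a well-formed code_w_scope value (used here to build test input)."""
    c = code.encode("utf-8") + b"\x00"
    body = struct.pack("<i", len(c)) + c + scope_doc
    return struct.pack("<i", 4 + len(body)) + body


def with_code_len(buf: bytes, claimed: int) -> bytes:
    """Copy of buf whose code length field claims `claimed` bytes: the kind of
    malformed value a hostile server could send."""
    out = bytearray(buf)
    struct.pack_into("<i", out, 4, claimed)
    return bytes(out)


def is_well_formed(buf: bytes) -> bool:
    """True if buf is exactly one valid code_w_scope value."""
    try:
        _, _, nxt = parse_code_w_scope(buf, 0, len(buf))
        return nxt == len(buf)
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_code_w_scope("return 1;")
    print(parse_code_w_scope(good, 0, len(good)))
    print(is_well_formed(with_code_len(good, 0x7FFFFFFF)))   # False: length past the buffer
```

The parser rejects a length that is negative, zero, larger than the element, or inconsistent with the total, before any slice is taken; that is the property the C check in the patch is restoring, independently of how the driver reports the error.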
Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-16 Thread Bastien Roucariès
Le dimanche 16 juin 2024, 20:08:42 UTC Adam D. Barratt a écrit :
> On Sat, 2024-06-15 at 19:43 +0100, Jonathan Wiltshire wrote:
> >  "slightly non-conformant" really good justification for a pop-up
> > news item on upgrades? I don't recall the other MTAs doing this.
> > 
> > It's up to you, either way please go ahead.
> 
> As with the bookworm upload, the NEWS file won't work as designed:
> 
> +W: incorrect-packaging-filename debian/NEWS.Debian -> debian/NEWS

I have uploaded; should I re-upload?

Bastien
> 
> Regards,
> 
> Adam
> 





Bug#1068888: bookworm-pu: package zookeeper/3.8.0-11+deb12u2

2024-06-16 Thread Bastien Roucariès
control: tag -1 - moreinfo
Le samedi 15 juin 2024, 22:49:24 UTC Jonathan Wiltshire a écrit :
Hi,

Thanks for the review


> Control: tag -1 moreinfo
> 
> Hi,
> 
> On Fri, Apr 12, 2024 at 10:18:02PM +, Bastien Roucariès wrote:
> > diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
> > --- zookeeper-3.8.0/debian/changelog2023-10-29 07:57:11.0 
> > +
> > +++ zookeeper-3.8.0/debian/changelog2024-03-25 08:30:56.0 
> > +
> > @@ -1,3 +1,22 @@
> > +zookeeper (3.8.0-11+deb12u2) bookworm-security; urgency=medium
> 
> Target should be bookworm.*

Done
> 
> 
> > diff -Nru 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >  
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> > --- 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >   1970-01-01 00:00:00.0 +
> > +++ 
> > zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> >   2024-03-25 08:30:56.0 +
> > @@ -0,0 +1,1223 @@
> 
> 
> This patch confuses me. It seems to contain a whole series of nested
> patches? How do they get applied to the source package?

???

I do not understand; see patch 0027 attached, it is a simple patch...

> 
> 
> > diff -Nru zookeeper-3.8.0/debian/patches/series 
> > zookeeper-3.8.0/debian/patches/series
> > --- zookeeper-3.8.0/debian/patches/series   2023-10-29 07:57:11.0 
> > +
> > +++ zookeeper-3.8.0/debian/patches/series   2024-03-25 08:30:56.0 
> > +
> > @@ -1,19 +1,10 @@
> > -#01-add-jtoaster-to-zooinspector.patch
> > -#02-patch-build-system.patch
> >  03-disable-cygwin-detection.patch
> >  05-ZOOKEEPER-770.patch
> >  06-ftbfs-gcc-4.7.patch
> >  07-remove-non-reproducible-manifest-entries.patch
> > -#08-reproducible-javadoc.patch
> >  10-cppunit-pkg-config.patch
> >  11-disable-minikdc-tests.patch
> >  12-add-yetus-annotations.patch
> > -#13-disable-netty-connection-factory.patch
> > -#14-ftbfs-with-gcc-8.patch
> > -#15-javadoc-doclet.patch
> > -#16-ZOOKEEPER-1392.patch
> > -#17-gcc9-ftbfs-925869.patch
> > -#18-java17-compatibility.patch
> >  19-add_missing-plugins-versions.patch
> >  20-no-Timeout-in-tests.patch
> >  21-use-ValueSource-with-ints.patch
> > @@ -33,3 +24,4 @@
> >  35-flaky-test.patch
> >  36-JUnitPlatform-deprecation.patch
> >  CVE-2023-44981.patch
> > +0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
> 
> Presumably these dropped patches get integrated into the nested set in
> 0027? Or are they actually dropped?

They are dropped because they were disabled, but I have re-added them to series as
disabled patches; thanks, it is clearer now.

Bastien
> 
> 
> 
> 
> 

diff -Nru zookeeper-3.8.0/debian/changelog zookeeper-3.8.0/debian/changelog
--- zookeeper-3.8.0/debian/changelog	2023-10-29 07:57:11.0 +
+++ zookeeper-3.8.0/debian/changelog	2024-06-16 10:40:07.0 +
@@ -1,3 +1,22 @@
+zookeeper (3.8.0-11+deb12u2) bookworm; urgency=medium
+
+  * Team upload
+  * Bug fix: CVE-2024-23944 (Closes: #1066947):
+An information disclosure in persistent watchers handling was found in
+Apache ZooKeeper due to missing ACL check.  It allows an attacker to
+monitor child znodes by attaching a persistent watcher (addWatch
+command) to a parent which the attacker has already access
+to. ZooKeeper server doesn't do ACL check when the persistent watcher
+is triggered and as a consequence, the full path of znodes that a
+watch event gets triggered upon is exposed to the owner of the
+watcher. It's important to note that only the path is exposed by this
+vulnerability, not the data of znode, but since znode path can contain
+sensitive information like user name or login ID, this issue is
+potentially critical.
+  * Add salsa CI
+
+ -- Bastien Roucari??s   Sun, 16 Jun 2024 10:40:07 +
+
 zookeeper (3.8.0-11+deb12u1) bookworm-security; urgency=medium
 
   * Team upload:
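Review bot: "Add salsa CI" is a non-security change bundled into a CVE update, and the debdiff is cut off after the patch header so that part cannot be reviewed here; if it is only a new CI definition file, say so in the bullet (e.g. "Add debian/salsa-ci.yml, no effect on the built package") so the release team can see it does not change what is shipped.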
diff -Nru zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch
--- zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	1970-01-01 00:00:00.0 +
+++ zookeeper-3.8.0/debian/patches/0027-CVE-2024-23944-ZOOKEEPER-4799-Refactor-ACL-check-in-.patch	2024-06-16 10:40:07.0 +
@@ -0,0 +1,1223 @@
+From: Andor Molnar 
+Date: Tue, 28 Nov 2023 21:25:00 +

Bug#1073290: systemd: Please breaks against dracut-core << 102-2~

2024-06-16 Thread Bastien Roucariès
Package: systemd
Severity: serious
Tags: patch
Justification: Breaks unrelated package
Control: affects -1 dracut-core

Dear Maintainer,

Following #1071182 could you add to systemd a breaks: dracut-core << 102-2~

The change is simple so I added the patch tag; please remove it if needed.

Bastien





Bug#1073231: bullseye-pu: package sendmail/8.15.2-22+deb11u1

2024-06-14 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
Fix CVE-2023-51765 (SMTP smuggling)

[ Impact ]
SMTP smuggling

[ Tests ]
Manual test using virtual machine

[ Risks ]
Low

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * QA upload
 * Fix CVE-2023-51765 (Closes: #1059386):
   sendmail allowed SMTP smuggling in certain configurations.
   Remote attackers can use a published exploitation
   technique to inject e-mail messages with a spoofed
   MAIL FROM address, allowing bypass of an SPF protection
   mechanism. This occurs because sendmail supports
   . but some other popular e-mail servers
   do not. This is resolved with 'o' in srv_features.
 * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
   includes a NUL byte
 * By default enable rejecting mail that includes a NUL byte.
   Set confREJECT_NUL to 'true' by default.
   Users can disable it by setting confREJECT_NUL to false.
   (Closes: #1070190). Closes a variant of CVE-2023-51765
   aka SMTP smuggling.
diff -Nru sendmail-8.15.2/debian/changelog sendmail-8.15.2/debian/changelog
--- sendmail-8.15.2/debian/changelog	2021-03-16 15:04:16.0 +
+++ sendmail-8.15.2/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.15.2-22+deb11u1) bullseye-security; urgency=medium
+
+  * QA-upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.15.2-22) unstable; urgency=medium
 
   * QA upload.
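Review bot: the distribution field reads `bullseye-security`, but this is an oldstable-proposed-updates request, so it should be `bullseye` (the same correction was asked for on the zookeeper upload in this thread). The two NUL bullets overlap: "Enable _FFR_REJECT_NUL_BYTE" and "By default enable rejecting mail that include NUL byte" describe one feature and its default and would read better merged, with "include" corrected to "includes".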
diff -Nru sendmail-8.15.2/debian/configure.ac sendmail-8.15.2/debian/configure.ac
--- sendmail-8.15.2/debian/configure.ac	2021-03-16 15:04:16.0 +
+++ sendmail-8.15.2/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -468,6 +468,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=0";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.16"; then
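Review bot: the new `-D_FFR_REJECT_NUL_BYTE` line is placed directly under `-D_FFR_QUEUE_SCHED_DBG`, which carries a `# %% TESTING` marker, with no comment of its own, so a later reader may take it for another testing-only flag; add a trailing comment naming the bug and CVE it is for (e.g. `# #1070190, CVE-2023-51765 variant`) so the flag is not cleaned up by mistake.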
diff -Nru sendmail-8.15.2/debian/NEWS.Debian sendmail-8.15.2/debian/NEWS.Debian
--- sendmail-8.15.2/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.15.2/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.18.1-3) unstable; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
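Review bot: the entry header says `sendmail (8.18.1-3) unstable`, but this upload is 8.15.2-22+deb11u1 for bullseye, so the NEWS item will be attributed to a version that bullseye users never install; use the version of this upload. As noted earlier in this thread, the file has to be `debian/NEWS`, not `debian/NEWS.Debian`, for dh_installchangelogs to ship it (lintian: incorrect-packaging-filename). Spelling: "smurgling", "combinaison", "unfortunatly", "slighly"; and "some combinaison of ." has lost the sequence it refers to, so spell out which line-ending combination is meant.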
diff -Nru sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch
--- sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch	1970-01-01 00:00:00.0 +
+++ sendmail-8.15.2/debian/patches/0024-CVE-2023-51765.patch	2024-05-13 18:44:56.0 +
@@ -0,0 +1,1242 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Thu, 15 Feb 2024 07:59:27 +
+Subject: CVE-2023-51765
+
+sendmail allowed SMTP smuggling in certain configurations.
+
+Remote attackers can use a published exploitation technique
+to inject e-mail messages with a spoofed MAIL FROM address,
+allowing bypass of an SPF protection mechanism.
+
+This occurs because sendmail supports . but some other popular
+e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features.
+---
+ RELEASE_NOTES   |  24 -
+ libsm/lowercase.c   | 168 +
+ sendmail/collect.c  | 204 ++

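As an added example serving both sendmail requests in this thread (the bullseye one above and the bookworm one further down), and not code from sendmail or from the bug reports: a small Python model of why an end-of-data marker that two MTAs interpret differently lets one DATA stream be split into two messages, which is the mechanism CVE-2023-51765 describes. The marker constants, the addresses and the session bytes are constructed; the reject_nul switch only models the effect of refusing a body that contains a NUL byte and does not reproduce sendmail's collect.c logic.

```python
# Added example, not from the bug report or from sendmail: a minimal model of
# two receivers that disagree on where DATA ends, fed the same byte stream.

STRICT_EOD = b"\r\n.\r\n"   # RFC 5321 end of DATA: a line holding only "." after CRLF
LENIENT_EOD = b"\n.\r\n"    # also ends DATA after a bare LF (assumed lenient receiver)


def deliver(session: bytes, eod: bytes, reject_nul: bool = False):
    """Model of the receiving side after the greeting: CRLF-terminated lines are
    commands until DATA, then everything up to `eod` is the message body, after
    which command mode resumes. Returns the (mail_from, body) pairs accepted.
    With reject_nul=True a body containing a NUL byte is dropped."""
    deliveries = []
    mail_from = None
    pos = 0
    while pos < len(session):
        nl = session.find(b"\r\n", pos)
        if nl < 0:
            break                                   # incomplete command line
        line = session[pos:nl]
        pos = nl + 2
        if line.upper().startswith(b"MAIL FROM:"):
            mail_from = line[len(b"MAIL FROM:"):].strip().strip(b"<>")
        elif line.upper() == b"DATA":
            end = session.find(eod, pos)
            if end < 0:
                break                               # DATA never terminated
            body = session[pos:end].rstrip(b"\r\n")
            pos = end + len(eod)
            if reject_nul and b"\x00" in body:
                continue                            # refused, not delivered
            deliveries.append((mail_from, body))
    return deliveries


# Constructed attacker session sent to an outbound relay that uses STRICT_EOD.
# "hello\n.\r\n" is not an end-of-data for the relay, so the whole payload is
# relayed as one message; a receiver using LENIENT_EOD ends the first message
# there and executes the lines that follow as fresh SMTP commands.
SMUGGLING_SESSION = (
    b"MAIL FROM:<attacker@example.net>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"From: attacker@example.net\r\nSubject: legit\r\n\r\nhello\n.\r\n"
    b"MAIL FROM:<ceo@example.com>\r\n"
    b"RCPT TO:<victim@example.com>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.com\r\nSubject: urgent\r\n\r\npay the invoice\r\n"
    b"\r\n.\r\n"
)


def senders_seen(session: bytes, eod: bytes):
    """Envelope senders a receiver using `eod` would accept from the session."""
    return [sender for sender, _ in deliver(session, eod)]


if __name__ == "__main__":
    print("strict relay sees  :", senders_seen(SMUGGLING_SESSION, STRICT_EOD))
    print("lenient server sees:", senders_seen(SMUGGLING_SESSION, LENIENT_EOD))
```

The strict relay delivers one message from attacker@example.net whose body happens to contain SMTP commands as text; the lenient receiver delivers two, the second with the spoofed envelope sender that SPF on the relay never checked. Making the inbound server strict about the marker, or refusing bodies the strict side would not have relayed, closes the gap.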
Bug#1060103: transition: imagemagick7

2024-06-02 Thread Bastien Roucariès
Le dimanche 2 juin 2024, 11:17:33 UTC Sebastian Ramacher a écrit :
> On 2024-02-02 17:21:43 +0000, Bastien Roucariès wrote:
> > Le vendredi 2 février 2024, 16:53:10 UTC Sebastian Ramacher a écrit :
> > > Control: tags -1 moreinfo
> > > 
> > > Hi Bastien
> > > 
> > > On 2024-01-05 22:35:44 +, Bastien Roucariès wrote:
> > > > Package: release.debian.org
> > > > Severity: important
> > > > User: release.debian@packages.debian.org
> > > > Usertags: transition
> > > > X-Debbugs-CC: ftpmas...@debian.org
> > > > 
> > > > Imagemagick will need a new major bump
> > > > 
> > > > I achieved to get imagemagick 7 build for experimental (it is only on 
> > > > salsa not
> > > > uploaded yet).
> > > > 
> > > > Every package include a version in the package name (except legacy 
> > > > package name
> > > > and perl*) so I plan to do some step by step migration, because it is 
> > > > mainly
> > > > coinstallable with imagemagick 6.
> > > 
> > > Why does this migration require co-instabillity with the old version?
> > > This makes the transition overly complicated. Do you expect major
> > > changes required in reverse dependencies of imagemagick's shared
> > > library?
> > 
> > The problem is not the library but the command line interface that may need 
> > change.
> > 
> > Librarry will break (I think here about php module that will need a 
> > update), but it is treatable.
> > 
> > convert6 is not fully compatible with convert7
> > 
> > convert6 will be co installable with convert7 in order to test, and convert 
> > will be provided by alternative system.
> 
> If they are not fully compatible, then alternatives are not an option.

They are 95% compatible

> How many packages are we talking about? Have bugs been filed for
> packages thar are not compatible with convert7?

The problem is a chicken-and-egg problem. If you cannot test, then you cannot 
report bugs.
At least both should be in experimental for running a full archive rebuild.

Note also that imagemagick6 is supported upstream only until 2027... So we 
should migrate to 7.

That is why I think my way is a good way.

SUSE and Red Hat transitioned, see 
https://fedoraproject.org/wiki/Changes/ImageMagick7

The discussion points to at least these being broken on Red Hat:
* autotrace - plan to notify upstream
* dvdauthor - point to GraphicsMagick or IM6, plan to notify upstream
* q - dead upstream, planned to point to IM6
* vdr-skinnopacity - current upstream dead, plan to notify new upstream
* vdr-tvguide - plan to notify upstream

We could also drop imagemagick6 and use graphicsmagick if needed, but it 
introduces other problems.

Thanks

Bastien
> 
> Cheers
> 





Bug#1071449: bookworm-pu: package sendmail/8.17.1.9-2+deb12u1

2024-05-19 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: sendm...@packages.debian.org
Control: affects -1 + src:sendmail
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
sendmail was affected by CVE-2023-51765

[ Impact ]
Close CVE-2023-51765 and reject mail containing NUL

[ Tests ]
CVE-2023-51765 fix was tested manually and cross checked

[ Risks ]
Code is complex and rejecting NUL is slightly RFC non-conformant

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Fix CVE-2023-51765 (Closes: #1059386):
sendmail allowed SMTP smuggling in certain configurations.
Remote attackers can use a published exploitation
technique to inject e-mail messages with a spoofed
MAIL FROM address, allowing bypass of an SPF protection
mechanism. This occurs because sendmail supports
. but some other popular e-mail servers
do not. This is resolved with 'o' in srv_features.
  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
includes a NUL byte
  * By default enable rejecting mail that includes a NUL byte.
Set confREJECT_NUL to 'true' by default.
Users can disable it by setting confREJECT_NUL to 'false'.
(Closes: #1070190). Closes a variant of CVE-2023-51765
aka SMTP smuggling.


[ Other info ]
No regression bugs in sid/trixie since at least two weeks
diff -Nru sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in
--- sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/cf/ostype/debian.m4.in	2024-05-13 18:44:56.0 +
@@ -65,6 +65,9 @@
 dnl #
 define(`confDEF_USER_ID', `mail:mail')dnl
 dnl #
+ifelse(eval(index(sm_ffr, `-D_FFR_REJECT_NUL_BYTE') >= 0), `1',dnl
+`define(`confREJECT_NUL',`true')')dnl
+dnl #
 dnl #-
 dnl # mailer paths and options
 dnl #-
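Review bot: because the `confREJECT_NUL` default is set here in the OSTYPE file, the opt-out promised in NEWS only works when `define(`confREJECT_NUL', `false')` in sendmail.mc comes after the `OSTYPE(`debian')` line; state that ordering in the user-facing text. Also cover the other branch in testing: when `-D_FFR_REJECT_NUL_BYTE` is absent, `index()` returns -1, nothing is defined and the generated `O RejectNUL` line must stay commented.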
diff -Nru sendmail-8.17.1.9/debian/changelog sendmail-8.17.1.9/debian/changelog
--- sendmail-8.17.1.9/debian/changelog	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/changelog	2024-05-13 18:44:56.0 +
@@ -1,3 +1,24 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high
+
+  * QA upload
+  * Fix CVE-2023-51765 (Closes: #1059386):
+sendmail allowed SMTP smuggling in certain configurations.
+Remote attackers can use a published exploitation
+technique to inject e-mail messages with a spoofed
+MAIL FROM address, allowing bypass of an SPF protection
+mechanism. This occurs because sendmail supports
+. but some other popular e-mail servers
+do not. This is resolved with 'o' in srv_features.
+  * Enable _FFR_REJECT_NUL_BYTE for rejecting mail that
+include NUL byte
+  * By default enable rejecting mail that include NUL byte.
+set confREJECT_NUL to 'true' by default .
+User could disable by setting confREJECT_NUL to false.
+(Closes: #1070190). Close a variant of CVE-2023-51765
+aka SMTP smuggling.
+
+ -- Bastien Roucari??s   Mon, 13 May 2024 18:44:56 +
+
 sendmail (8.17.1.9-2) unstable; urgency=medium
 
   * QA upload.
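Review bot: the distribution on `+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=high` does not match this bookworm-pu request; an upload through proposed-updates targets `bookworm`. The line `+. but some other popular e-mail servers` reads as a bare `.` where the end-of-data sequence should be named, so check that the angle-bracket sequence survives in the actual changelog rather than being eaten as markup.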
diff -Nru sendmail-8.17.1.9/debian/configure.ac sendmail-8.17.1.9/debian/configure.ac
--- sendmail-8.17.1.9/debian/configure.ac	2023-01-11 22:26:28.0 +
+++ sendmail-8.17.1.9/debian/configure.ac	2024-05-13 18:44:56.0 +
@@ -466,6 +466,7 @@
 sm_envdef="$sm_envdef -DHASFLOCK=1";
 sm_libsm_envdef="$sm_libsm_envdef -DHAVE_NANOSLEEP=1";
 sm_ffr="$sm_ffr -D_FFR_QUEUE_SCHED_DBG"; # %% TESTING 
+sm_ffr="$sm_ffr -D_FFR_REJECT_NUL_BYTE";
 #
 # version specific setup
 if test "$sm_version_major" = "8.17"; then
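Review bot: `_FFR_*` macros are upstream's experimental, off-by-default compile switches, and the `confREJECT_NUL` default added to debian.m4.in is guarded on exactly this flag, so a rebuild that drops `-D_FFR_REJECT_NUL_BYTE` silently loses the NUL rejection; note the flag in README.Debian so the dependency between the two changes is visible.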
diff -Nru sendmail-8.17.1.9/debian/NEWS.Debian sendmail-8.17.1.9/debian/NEWS.Debian
--- sendmail-8.17.1.9/debian/NEWS.Debian	1970-01-01 00:00:00.0 +
+++ sendmail-8.17.1.9/debian/NEWS.Debian	2024-05-13 18:44:56.0 +
@@ -0,0 +1,19 @@
+sendmail (8.17.1.9-2+deb12u1) bookworm-security; urgency=medium
+
+  Sendmail was affected by SMTP smurgling (CVE-2023-51765).
+  Remote attackers can use a published exploitation technique
+  to inject e-mail messages with a spoofed MAIL FROM address,
+  allowing bypass of an SPF protection mechanism.
+  This occurs because sendmail supports some combinaison of
+  .
+  .
+  This particular injection vulnerability has been closed,
+  unfortunatly full closure need to reject mail that
+  contain NUL.
+  .
+  This is slighly non conformant with RFC and could
+  be opt-out by setting confREJECT_NUL to 'false'
+  in sendmail.mc file.
+
+ -- Bastien Roucari??s   Sun, 12 May 2024 19:38:09 +
+
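Review bot: this text is what users see on upgrade and it carries several spelling errors ('smurgling' for smuggling, 'combinaison', 'unfortunatly', 'slighly', 'could be opt-out' for 'can be opted out of'); the sentence `+  This occurs because sendmail supports some combinaison of` is followed only by `.`, so the line-ending sequences it should name are missing as shown; and `urgency=medium` here disagrees with `urgency=high` in d/changelog. Also say where the `confREJECT_NUL` opt-out has to go in sendmail.mc (after the OSTYPE line, since debian.m4.in sets the default).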
diff -Nru sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch sendmail-8.17.1.9/debian/patches/0024-CVE-2023-51765.patch

Bug#1071417: bullseye-pu: package fossil/2.15.2-1+deb11u1

2024-05-18 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by prior arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all the commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Cherry-picked and backported fix

[ Other info ]
None
diff -Nru fossil-2.15.2/debian/changelog fossil-2.15.2/debian/changelog
--- fossil-2.15.2/debian/changelog	2021-06-15 09:55:20.0 +
+++ fossil-2.15.2/debian/changelog	2024-05-14 21:29:39.0 +
@@ -1,3 +1,13 @@
+fossil (1:2.15.2-1+deb11u1) bullseye; urgency=medium
+
+  * Non maintainer fix with acknowlegment by maintainer.
+  * Cherry-pick fix f4ffefe708793b03 for CVE-2024-24795 and add
+"Breaks: apache2 (<< 2.4.59-1~)" to stage fix; see
+https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+(closes: #1070069)
+
+ -- Bastien Roucari??s   Tue, 14 May 2024 21:29:39 +
+
 fossil (1:2.15.2-1) unstable; urgency=high
 
   * New upstream version, announcement (expurgated) says:
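Review bot: the entry says `"Breaks: apache2 (<< 2.4.59-1~)"` but the control hunk in this debdiff adds Breaks on both `apache2` and `apache2-bin`; list both so the changelog matches the change. Minor: 'acknowlegment' should be 'acknowledgement'.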
diff -Nru fossil-2.15.2/debian/control fossil-2.15.2/debian/control
--- fossil-2.15.2/debian/control	2021-04-07 08:12:51.0 +
+++ fossil-2.15.2/debian/control	2024-05-14 21:29:39.0 +
@@ -22,6 +22,7 @@
 Architecture: any
 Multi-Arch: foreign
 Depends: libtcl8.6 | libtcl, ${misc:Depends}, ${shlibs:Depends}
+Breaks: apache2 (<< 2.4.59-1~), apache2-bin (<< 2.4.59-1~)
 Suggests: gnupg | gnupg2
 Description: DSCM with built-in wiki, http interface and server, tickets database
  Fossil is an easy-to-use Distributed Source Control Management system
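Review bot: this Breaks direction only stops the fixed fossil from being installed next to an apache2 older than 2.4.59; it does nothing when apache2 is upgraded to 2.4.59 (the version whose CGI replies lack the Content-Length field this patch copes with) while an unfixed fossil stays installed, which is the breakage #1070069 reports. That path needs the matching `Breaks: fossil (<< 1:2.15.2-1+deb11u1)` on the apache2 side; the thread says apache2 will follow, so reference that here.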
diff -Nru fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch
--- fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	1970-01-01 00:00:00.0 +
+++ fossil-2.15.2/debian/patches/0002-Deal-with-the-missing-Content-Length-field.patch	2024-05-14 21:29:39.0 +
@@ -0,0 +1,361 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= 
+Date: Tue, 14 May 2024 21:23:16 +
+Subject: Deal with the missing Content-Length field
+
+fix regression of CVE-2024-24795
+
+bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=68905
+origin: https://fossil-scm.org/home/vpatch?from=9c40ddbcd182f264&to=a8e33fb161f45b65
+---
+ src/cgi.c   | 43 -
+ src/clone.c | 14 +++-
+ src/http.c  | 71 +
+ src/main.c  | 14 ++--
+ src/xfer.c  |  1 +
+ 5 files changed, 121 insertions(+), 22 deletions(-)
+
+diff --git a/src/cgi.c b/src/cgi.c
+index d47575b..aade0fb 100644
+--- a/src/cgi.c
 b/src/cgi.c
+@@ -1034,7 +1034,7 @@ void cgi_trace(const char *z){
+ }
+ 
+ /* Forward declaration */
+-static NORETURN void malformed_request(const char *zMsg);
++static NORETURN void malformed_request(const char *zMsg, ...);
+ 
+ /*
+ ** Initialize the query parameter database.  Information is pulled from
+@@ -1080,6 +1080,7 @@ void cgi_init(void){
+   const char *zRequestUri = cgi_parameter("REQUEST_URI",0);
+   const char *zScriptName = cgi_parameter("SCRIPT_NAME",0);
+   const char *zPathInfo = cgi_parameter("PATH_INFO",0);
++  const char *zContentLength = 0;
+ #ifdef _WIN32
+   const char *zServerSoftware = cgi_parameter("SERVER_SOFTWARE",0);
+ #endif
+@@ -1186,7 +1187,15 @@ void cgi_init(void){
+ g.zIpAddr = fossil_strdup(z);
+   }
+ 
+-  len = atoi(PD("CONTENT_LENGTH", "0"));
++  zContentLength = P("CONTENT_LENGTH");
++  if( zContentLength==0 ){
++len = 0;
++if( sqlite3_stricmp(PD("REQUEST_METHOD",""),"POST")==0 ){
++  malformed_request("missing CONTENT_LENGTH on a POST method");
++}
++  }else{
++len = atoi(zContentLength);
++  }
+   zType = P("CONTENT_TYPE");
+   zSemi = zType ? strchr(zType, ';') : 0;
+   if( zSemi ){
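Review bot: `++    len = atoi(zContentLength);` still accepts a negative or non-numeric value from a header the client controls ("-1" becomes -1, "abc" becomes 0) and only the missing-on-POST case is rejected; parse with strtol (or sqlite3's integer parser), reject anything that is not a non-negative decimal, and apply an upper bound before `len` is used to size a read.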
+@@ -1593,11 +1602,22 @@ void cgi_vprintf(const char *zFormat, va_list ap){
+ /*
+ ** Send a reply indicating that the HTTP request was malformed
+ */
+-static NORETURN void malformed_request(const char *zMsg){
+-  cgi_set_status(501, "Not Implemented");
+-  cgi_printf(
+-"Bad Request: %s\n", zMsg
+-  );
++static NORETURN void malformed_request(const char *zMsg, ...){
++  va_list ap;
++  char *z;
++  va_start(ap, zMsg);
++  z = vmprintf(zMsg, ap);
++  va_end(ap);
++  cgi_set_status(400, "Bad Request");
++  zContentType = "text/plain";
++  if( g.zReqType
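Review bot: `malformed_request` now takes a printf-style format, so every caller must pass a string literal as zMsg and never text derived from the request, or `vmprintf` will interpret `%` sequences in it; the one visible call, `malformed_request("missing CONTENT_LENGTH on a POST method")`, is fine. The `z` buffer is not freed in the lines shown, acceptable only because the function is NORETURN. The hunk is cut off after `++  if( g.zReqType`, so the rest cannot be reviewed here.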

Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1

2024-05-12 Thread Bastien Roucariès
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: fos...@packages.debian.org
Control: affects -1 + src:fossil
User: release.debian@packages.debian.org
Usertags: pu

This bug was opened by prior arrangement with the maintainer.

[ Reason ]
fossil is affected by a regression due to a security update of apache
(CVE-2024-24795). A backport was chosen
because upstream does not document all the commits needed for fixing the regression.

[ Impact ]
Fossil is broken, at least the server part

[ Tests ]
Full upstream test suite

[ Risks ]
Broken fossil

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Backport from sid. There is no incompatibility and this is an upstream maintenance
and fix-only version.

[ Other info ]
I have not attached the debdiff since the fix is a backport from sid.
Attached is the debdiff against sid instead
diff -Nru fossil-2.24/debian/changelog fossil-2.24/debian/changelog
--- fossil-2.24/debian/changelog	2024-04-30 14:32:05.0 +
+++ fossil-2.24/debian/changelog	2024-05-07 19:26:27.0 +
@@ -1,3 +1,10 @@
+fossil (1:2.24-6~deb12u1) bookworm; urgency=medium
+
+  * Non maintainer upload with acknowledgement by maintainer
+  * Backport to bookworm
+
+ -- Bastien Roucari??s   Tue, 07 May 2024 19:26:27 +
+
 fossil (1:2.24-6) unstable; urgency=medium
 
   * Add "Breaks: apache2-bin (<< 2.4.59-1~)" per #1070069 discussion.
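Review bot: the version in `+fossil (1:2.24-6~deb12u1) bookworm; urgency=medium` does not match the bug title (`fossil/2.24-5~deb11u1`, which carries a bullseye-style suffix for a bookworm request); fix whichever is wrong. The entry also names no bug and no CVE, while the reason for the backport is the CVE-2024-24795 regression (#1070069); add `(Closes: ...)` so the tracker links the upload to it.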




Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-09 Thread Bastien Roucariès
On Saturday 4 May 2024, 12:40:25 UTC Andreas Beckmann wrote:
> On 04/05/2024 13.02, Andreas Beckmann wrote:
> >> I have patched sendmail in order to enable the O RejectNUL=True directive,
> >> but I have not managed to enable it by default.
> 
> >> Andreas, could you take a glimpse at how to make RejectNUL the default?
> 
> Second attempt. Completely untested. This should work for both fresh 
> installations and upgrades (as long as *.cf gets regenerated).
> 
> Could you try that? And especially that the opt-out instructions are 
> working?
> 
> Short explanation of the changes:
> - Patch upstream proto.m4 to unconditionally emit 'O RejectNUL' with a
>default of 'false'. As long as confREJECT_NUL is not defined (also the
>default), this will be commented, so safe if built without
>_FFR_REJECT_NUL_BYTE
> - In debian.m4 define confREJECT_NUL to 'true' if sendmail was built
>with _FFR_REJECT_NUL_BYTE, so it is enabled by default on Debian
> - If sendmail.mc undefines confREJECT_NUL (or defines it to 'false'),
>RejectNUL will be disabled again.
> 
> If that works on sid, it should be trivially backportable to 
> (old)*stable. There should be NEWS about that change.

Test validated and pushed to git.

Lack only the NEWS entry.

Due to the complexity of this issue, as an outsider do you have an idea how to
explain it to a simple user?

Bastien
> 
> Andreas
> 





Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-05-06 Thread Bastien Roucariès
On Monday 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.
> 
> Cheers,
> 
> --Barak.
> 
Thanks for your work, do you think a full backport of fossil is worthwhile for
stable?

Bastien




Bug#1070190: sendmail-bin: CVE-2023-51765 SMTP smuggling with NUL followup

2024-05-01 Thread Bastien Roucariès
Package: sendmail-bin
Severity: important
Tags: security help
Forwarded: https://marc.info/?l=oss-security&m=171447187004229&w=2

Dear Maintainer,

CVE-2023-51765 is not fully fixed, at least for forwarding bad mail.

We must reject mail including NUL as a stop-gap measure.

I have patched sendmail in order to enable the O RejectNUL=True directive,
but I have not managed to enable it by default.

It will need a NEWS.Debian entry I suppose.

Andreas, could you take a glimpse at how to make RejectNUL the default?

Bastien

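The mechanism behind CVE-2023-51765 as described in the bookworm-pu request above and in this follow-up, as an added Python model that is not sendmail's or Debian's code. A strict receiver ends DATA only at the RFC 5321 sequence CRLF.CRLF; a lenient one also stops at a bare-LF variant, and when a relay passes such a variant through unchanged, the lenient receiver sees a second envelope with a sender it never SPF-checked. The exact set of non-canonical terminators pre-fix sendmail accepted is not spelled out on the page, so `LENIENT_END` is an assumption, the two message streams are constructed, and `reject_nul` stands in for the RejectNUL option the update turns on.

```python
import re

# RFC 5321 end-of-data sequence: a line holding a single dot, CRLF-delimited.
CANONICAL_END = b"\r\n.\r\n"

# A lenient receiver also ends DATA when either line break is a bare LF.
# Which variants pre-fix sendmail accepted is not on this page; this
# pattern is a constructed assumption for the demonstration.
LENIENT_END = re.compile(rb"\r?\n\.\r?\n")

# Constructed sample: one DATA payload as relayed by an outbound server that
# passes <LF>.<CR><LF> through unchanged. A receiver that treats that
# sequence as end-of-data sees a second envelope with a spoofed sender.
SMUGGLED = (
    b"From: alice@example.com\r\n"
    b"To: bob@victim.example\r\n"
    b"\r\n"
    b"Hi Bob, see the attachment.\r\n"
    b"\n.\r\n"                                   # <LF>.<CR><LF>, not canonical
    b"MAIL FROM:<ceo@victim.example>\r\n"        # smuggled second envelope
    b"RCPT TO:<bob@victim.example>\r\n"
    b"DATA\r\n"
    b"From: ceo@victim.example\r\n"
    b"\r\n"
    b"Wire the money today.\r\n"
    b"\r\n.\r\n"                                 # canonical terminator
)

# Constructed sample with a NUL byte inside the body.
WITH_NUL = b"From: alice@example.com\r\n\r\nbody\x00text\r\n\r\n.\r\n"


def split_data(stream: bytes, lenient: bool) -> list[bytes]:
    """Return the payloads a receiver cuts out of one raw DATA stream.

    A strict receiver only recognises CANONICAL_END; a lenient one also
    stops at the bare-LF variants, which is what splits SMUGGLED in two.
    """
    if lenient:
        parts = LENIENT_END.split(stream)
    else:
        parts = stream.split(CANONICAL_END)
    return [p for p in parts if p]   # drop the empty tail after the final dot


def contains_nul(stream: bytes) -> bool:
    """A NUL inside message data lets C string handling see a shorter line
    than a byte-exact parser does; the stop gap refuses such mail outright."""
    return b"\x00" in stream


def accept_data(stream: bytes, lenient: bool = False,
                reject_nul: bool = True) -> list[bytes]:
    """Model of a receiver's DATA handling: reject_nul mirrors RejectNUL,
    lenient=False mirrors accepting only the canonical terminator."""
    if reject_nul and contains_nul(stream):
        raise ValueError("NUL byte in message data; rejected")
    return split_data(stream, lenient)


def is_rejected(stream: bytes, **kw) -> bool:
    try:
        accept_data(stream, **kw)
    except ValueError:
        return True
    return False


def smuggled_envelopes(stream: bytes, lenient: bool) -> list[bytes]:
    """MAIL FROM addresses that open any payload after the first one, i.e.
    envelopes the receiver would accept without a fresh SPF check of the
    host that really connected."""
    out = []
    for payload in split_data(stream, lenient)[1:]:
        m = re.match(rb"MAIL FROM:<([^>]*)>", payload)
        if m:
            out.append(m.group(1))
    return out


if __name__ == "__main__":
    print("strict  :", len(accept_data(SMUGGLED)), "message(s)")
    print("lenient :", len(accept_data(SMUGGLED, lenient=True)), "message(s),",
          "smuggled sender(s):", smuggled_envelopes(SMUGGLED, lenient=True))
    print("NUL mail rejected:", is_rejected(WITH_NUL))
```

Run stand-alone it shows one message for the strict receiver, two for the lenient one with `ceo@victim.example` as the smuggled sender, and the NUL-bearing message refused; passing `reject_nul=False` shows the same NUL message going through as one message, which is the behaviour the Debian default change removes.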


Bug#1070155: bullseye-pu: package wpa/2.9.0-21+deb11u1

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bullseye
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite run fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE

Bastien

diff -Nru wpa-2.9.0/debian/changelog wpa-2.9.0/debian/changelog
--- wpa-2.9.0/debian/changelog	2021-02-25 21:19:14.0 +
+++ wpa-2.9.0/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.9.0-21+deb11u1) bullseye; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.9.0-21) unstable; urgency=high
 
   * Fix typos in the package descriptions.
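Review bot: the entry omits two user-visible effects stated in the patch description carried in this same debdiff: the new `phase1="phase2_auth=..."` option and the fact that requiring Phase 2 disables TLS session resumption; both belong in a NEWS.Debian entry that names the `phase2_auth=0` opt-out for deployments that break. Also `Non-maintainer upload on behalf of the Security Team` sits oddly on a proposed-updates upload; say which team acknowledged it.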
diff -Nru wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.9.0/debian/patches/0033-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:45:18.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (defau

Bug#1070151: bookworm-pu: package wpa/2:2.10-12

2024-04-30 Thread Bastien Roucariès
Package: release.debian.org
Severity: important
Tags: bookworm
X-Debbugs-Cc: w...@packages.debian.org
Control: affects -1 + src:wpa
User: release.debian@packages.debian.org
Usertags: pu
tags: security


[ Reason ]
CVE-2023-52160 security bug

[ Impact ]
security bug is present

[ Tests ]
Test suite run fine

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

[ Other info ]
Buster is fixed, so upgrading reintroduces the CVE

Bastien

diff -Nru wpa-2.10/debian/changelog wpa-2.10/debian/changelog
--- wpa-2.10/debian/changelog	2023-02-24 13:01:35.0 +
+++ wpa-2.10/debian/changelog	2024-04-30 22:45:18.0 +
@@ -1,3 +1,19 @@
+wpa (2:2.10-12+deb12u1) bookworm; urgency=high
+
+  * Non-maintainer upload on behalf of the Security Team.
+  * Fix CVE-2023-52160 (Closes: #1064061):
+The implementation of PEAP in wpa_supplicant allows
+authentication bypass. For a successful attack,
+wpa_supplicant must be configured to not verify
+the network's TLS certificate during Phase 1
+authentication, and an eap_peap_decrypt vulnerability
+can then be abused to skip Phase 2 authentication.
+The attack vector is sending an EAP-TLV Success packet
+instead of starting Phase 2. This allows an adversary
+to impersonate Enterprise Wi-Fi networks.
+
+ -- Bastien Roucari??s   Tue, 30 Apr 2024 22:45:18 +
+
 wpa (2:2.10-12) unstable; urgency=medium
 
   * Prevent hostapd units from being started if there???s
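Review bot: same gap as the bullseye entry: nothing tells users about the new `phase1="phase2_auth=..."` option or that TLS session resumption is now disabled when Phase 2 is required, both of which the patch description in this debdiff states; add a NEWS.Debian entry with the `phase2_auth=0` opt-out.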
diff -Nru wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch
--- wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	1970-01-01 00:00:00.0 +
+++ wpa-2.10/debian/patches/0013-CVE-2023-52160-PEAP-client-Update-Phase-2-authentica.patch	2024-04-30 22:42:02.0 +
@@ -0,0 +1,211 @@
+From: Jouni Malinen 
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: CVE-2023-52160 PEAP client: Update Phase 2 authentication
+ requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used
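The misconfiguration that makes CVE-2023-52160 exploitable, as both wpa pu requests above describe it, is a PEAP network with no `ca_cert` and a client that lets the server skip Phase 2. The following is an added configuration lint written for this page, not wpa_supplicant's own code: it parses `network={...}` blocks and flags that state. The sample config is constructed; the `phase2_auth` values 0 and 1 are taken from the patch description in the debdiff (the page is cut off where it states the default); `ca_path`, `domain_match`, `domain_suffix_match` and `subject_match` are standard wpa_supplicant options not discussed on the page, included here as an assumption-labelled hardening check.

```python
import re

# Constructed wpa_supplicant.conf: the weak network (no ca_cert, Phase 2 not
# required) next to a hardened one.
SAMPLE_CONF = """
network={
    ssid="corp-wifi-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase1="phase2_auth=0"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase1="phase2_auth=1"
    phase2="auth=MSCHAPV2"
}
"""


def parse_networks(text: str) -> list[dict]:
    """Parse network={...} blocks into dicts; quoted values are unquoted."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def phase1_options(net: dict) -> dict:
    """phase1 is a space-separated list of key=value items."""
    opts = {}
    for item in net.get("phase1", "").split():
        key, _, value = item.partition("=")
        if key:
            opts[key] = value
    return opts


def audit_peap(net: dict) -> list[str]:
    """Findings for one PEAP network; an empty list means nothing flagged.

    A client without this patch behaves as if phase2_auth=0 whatever the
    config says, so on such clients the ca_cert finding is the one that
    decides whether an impersonating server succeeds.
    """
    findings = []
    if net.get("eap", "").upper() != "PEAP":
        return findings
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert: the server certificate is not validated "
                        "in Phase 1, so any RADIUS server is trusted")
    elif not (net.get("domain_match") or net.get("domain_suffix_match")
              or net.get("subject_match")):
        # Assumption beyond the page: standard options that pin the server
        # name, so a certificate merely issued by the CA is not enough.
        findings.append("ca_cert set but no domain_match/domain_suffix_match: "
                        "any certificate issued by that CA is accepted")
    if phase1_options(net).get("phase2_auth") == "0":
        findings.append("phase2_auth=0: the server is allowed to skip Phase 2 "
                        "(inner) authentication")
    return findings


def audit_conf(text: str) -> list[tuple[str, list[str]]]:
    """(ssid, findings) for every network block in a config text."""
    return [(net.get("ssid", "?"), audit_peap(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(ssid, "->", findings or "ok")
```

On the sample the legacy block gets two findings (missing `ca_cert`, `phase2_auth=0`) and the hardened block none; point it at a real `/etc/wpa_supplicant/wpa_supplicant.conf` to find the networks the patched default will start refusing and the ones an unpatched client can still be tricked on.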

Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday 30 April 2024, 14:56:07 UTC Barak A. Pearlmutter wrote:
> I've uploaded a package with this fixed to unstable, 1:2.24-5, and
> it's been autobuilt and pushed out. Seems to work okay, and can be
> co-installed with apache2/sid.
> 
> Just uploaded 1:2.24-6 that adds Breaks: apache2-bin per your recent message.
> 
> Honestly, I'm not confident in my ability to properly back-port
> security-related patches to old versions of fossil. It's a big
> network-facing program with a large number of moving parts and a
> substantial attack surface, all written in C. It uses its own sqlite3
> copy when the shared library in Debian isn't a high enough version or
> doesn't have the right options enabled (currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)
> All this means it would be super easy for me to miss some issue and
> introduce a vulnerability if I try to back-port a security patch,
> particularly without myself deeply understanding the security issue.
> 
> Stable has 1:2.21-1.
> 
> I just made a debian-bookworm-proposed-updates branch rooted there and
> tried to cherry-pick the fix,
> https://fossil-scm.org/home/info/f4ffefe708793b03 but it does not
> apply cleanly. Obviously I can do it manually though, however there
> have been changes in the neighborhood.
> 
> Also, are you *sure* I shouldn't also be applying
> https://fossil-scm.org/home/info/71919ad1b542832c to the fixed
> versions? Because I'm not! I'd be most comfortable if upstream simply
> made a proper release with this fixed (which I bet they'd do upon
> request), and I uploaded that with the appropriate "Breaks:
> apache2-bin (<<...)", and did the (trivial) backport of that package
> to bookworm and bullseye, with the "breaks:" modified to the
> appropriate version.

I agree with you, maybe a full backport is better for bookworm; see the changes here
(lines with * are interesting commits to backport)

Yadd, do you have a piece of advice?

Bastien

2024-04-22

* 16:29  cgi.md: be less specific about the Apache version in which the Content-Length change happened because a new forum post reports that it happens at least as far back as 2.4.41. ...

2024-04-21

  18:51  Merge the update to zLib-1.3.1. ...
  18:46  Improvements to comments in graph.c. No changes to actual code. ...
* 16:20  Fix parsing of the argument to the "Connection:" header of HTTP reply messages to deal with unusual arguments added by Apache mod_cgi. See forum thread ca6fc85c80f4704f. ...
* 15:37  Simplify parsing of the Connection: header in HTTP replies. ...
* 06:15  Only accept commas as separators for multiple values in "Connection:" HTTP headers, and ignore any white space surrounding (but not embedded into) values. The previous method would fall for (fictional) HTTP header values containing spaces, like "Connection: don't close", and recognize a value of "close". ...

2024-04-20

  21:58  In /chat preview mode, apply the click handlers to pikchrs in the preview. ...
* 14:42  Fix parsing of "Connection:" HTTP headers with multiple values. ...

2024-04-19

  16:08  Fix a minor problem in graph layout for timelines that made use of the offset-merge-riser enhancement. Problem originally seen on the bottom node of /timeline?p=6da255034b30b4b4&bt=47362306a7dd7c6f. ...
* 13:11  More change-log enhancements: More details about the work-around for the Apache mod_cgi breakage, and put that work-around first on the change log since it seems to be important to people. ...
  12:59  Formatting enhancements to the change log for the upcoming 2.24 release. ...

2024-04-18

  17:14  Update the built-in SQLite to the latest pre-release of version 3.46.0, including the bug fix for the use of VALUES-as-coroutine with an OUTER JOIN. ...
  17:00  Typo fix and add specific Apache version number to the notes about the Content-Length change. ...

2024-04-17

  17:59  Change log updates. ...
* 15:30  Edit [18d76fff]: Edit check-in comment. ...
* 14:02  Output a warning if a client sync or clone gets back a keep-alive HTTP reply that lacks a content-length header. ...
* 13:27  Only process HTTP replies that lack a Content-Length header if the connection is set to be closed. Suggested by https://bz.apache.org/bugzilla/show_bug.cgi?id=68905. ...
* 13:21  Update the change log in order to mention the Apache mod_cgi/Content-Length fix. ...
* 13:14  Update Apache mod_cgi/Content-Length documentation. ...
* 12:58  Fix the HTTP-reply parser so that it is able to deal with replies that lack a Content-Length header field. This resolves the issue reported by forum post 12ac403fd29cfc89. Also in this merge: (1) Add the --xverbose option to "fossil clone". (2) Improved error messages when web

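The starred timeline entries above describe two client-side parsing rules (accept a reply without Content-Length only when the server announced `Connection: close`; split `Connection:` on commas only, so "don't close" is not read as "close") and, in the bullseye debdiff earlier in this thread, the server-side rule that a POST without CONTENT_LENGTH is a malformed request. The following Python is an added model of those rules written for this page, not fossil's C code from src/http.c or src/cgi.c. The four replies and the CGI environments are constructed; the strict decimal check on lengths goes beyond what the text shows and is labelled as such in the comments.

```python
import re


def connection_tokens(value: str) -> list[str]:
    """Split a Connection: header on commas only. Whitespace around a token
    is dropped, whitespace inside it is kept, so "don't close" is one token
    and is not mistaken for "close"."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def connection_tokens_naive(value: str) -> list[str]:
    """The pre-fix behaviour the change log describes: any whitespace or
    comma separates values, so "don't close" yields a spurious "close"."""
    return [tok.lower() for tok in re.split(r"[\s,]+", value) if tok]


def parse_reply(raw: bytes) -> tuple[dict, bytes]:
    """Split an HTTP/1.x reply into a {lower-name: value} map and the raw
    bytes that follow the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers, body


def reply_body(raw: bytes) -> bytes:
    """Body of a reply, or ValueError when its end is not delimited.

    With Content-Length the body is exactly that many bytes. Without it the
    body is only delimited when the server announced Connection: close, so
    end of stream marks the end; a keep-alive reply without a length is
    refused rather than guessed at.
    """
    headers, body = parse_reply(raw)
    cl = headers.get("content-length")
    if cl is not None:
        if not re.fullmatch(r"[0-9]+", cl):      # stricter than atoi (assumption)
            raise ValueError("bad Content-Length: %r" % cl)
        n = int(cl)
        if n > len(body):
            raise ValueError("short read: %d of %d bytes" % (len(body), n))
        return body[:n]
    if "close" in connection_tokens(headers.get("connection", "")):
        return body
    raise ValueError("keep-alive reply without Content-Length")


def cgi_content_length(environ: dict) -> int:
    """Server side of the same gap: CONTENT_LENGTH may be absent. Absent on a
    POST is a malformed request; absent otherwise means no body; present
    means a non-negative decimal (stricter than atoi, which turns "-1" or
    "abc" into a number silently; that strictness is an assumption here)."""
    value = environ.get("CONTENT_LENGTH")
    if value is None:
        if environ.get("REQUEST_METHOD", "").upper() == "POST":
            raise ValueError("missing CONTENT_LENGTH on a POST method")
        return 0
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError("bad CONTENT_LENGTH: %r" % value)
    return int(value)


def body_or_error(raw: bytes):
    try:
        return reply_body(raw)
    except ValueError as exc:
        return str(exc)


def cgi_length_or_error(environ: dict):
    try:
        return cgi_content_length(environ)
    except ValueError as exc:
        return str(exc)


# Constructed replies. The first is the shape a CGI reply takes once the
# web server no longer adds Content-Length but does close the connection.
REPLY_CLOSE = (b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
               b"Content-Type: application/octet-stream\r\n\r\nPAYLOAD")
REPLY_KEEPALIVE_NO_LEN = (b"HTTP/1.1 200 OK\r\nConnection: Keep-Alive, Upgrade\r\n"
                          b"Content-Type: application/octet-stream\r\n\r\nPAYLOAD")
REPLY_DONT_CLOSE = b"HTTP/1.1 200 OK\r\nConnection: don't close\r\n\r\nPAYLOAD"
REPLY_WITH_LEN = b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nPAYLOAD"

if __name__ == "__main__":
    for name, raw in [("close", REPLY_CLOSE), ("keep-alive", REPLY_KEEPALIVE_NO_LEN),
                      ("don't close", REPLY_DONT_CLOSE), ("with length", REPLY_WITH_LEN)]:
        print(name, "->", body_or_error(raw))
    print("POST without length ->", cgi_length_or_error({"REQUEST_METHOD": "POST"}))
```

The point the fossil fix turns on is the third reply: a tokenizer that splits on whitespace would find "close" in "don't close" and read the body to end of stream on a connection the server intends to keep open, which hangs the client; splitting on commas only leaves that reply correctly refused.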
Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-04-30 Thread Bastien Roucariès
On Tuesday 30 April 2024, 14:56:07 UTC Barak A. Pearlmutter wrote:
> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0 
> (2022-02-22), it was necessary to compile with this option in order to 
> include the JSON SQL functions in the build. However, beginning with SQLite 
> version 3.38.0, those functions are included by default. Use the 
> -DSQLITE_OMIT_JSON option to omit them. 

If so, you could drop this embedded code copy for bookworm (if the release team
is ok) and sid

BTW I have just opened a bug and added some comments on the embedded code copy

Bastien




Bug#1070126: fossil: Do not use embded sqlite

2024-04-30 Thread Bastien Roucariès
Source: fossil
Severity: important

Dear Maintainer,

> currently Debian sqlite3 is
> compiled without SQLITE_ENABLE_JSON1 so the internal version is used.)

On this problem, could you cross-check?
>SQLITE_ENABLE_JSON1
>
>This compile-time option is a no-op. Prior to SQLite version 3.38.0
(2022-02-22), it was necessary to compile with this option in order to include
the JSON SQL functions in the build. However, beginning with SQLite version
3.38.0, those functions are included by default. Use the -DSQLITE_OMIT_JSON
option to omit them.

If so, you could drop this embedded code copy for bookworm (if the release team
is ok) and sid

Bastien




Bug#1069063: distro-info: Please support distro-info --alias=trixie -r

2024-04-30 Thread Bastien Roucariès
On Tuesday 30 April 2024, 15:24:11 UTC Benjamin Drung wrote:
> Hi,
> 
> On Mon, 2024-04-15 at 18:58 +, Bastien Roucariès wrote:
> > Package: distro-info
> > Version: 1.7
> > Severity: minor
> > 
> > Dear Maintainer,
> > 
> > distro-info --alias=trixie -r is misleading: it returns trixie instead of
> > 13...
> > 
> > Maybe a feature but should be documented
> > 
> > I work around it in my script in two steps:
> > distro-info --$(distro-info --alias=trixie) -r
> 
> --alias was not developed to be combined with -c/-r/-f. So either
> distro-info should reject this parameter combination or change the
> behaviour to what you wanted to do.
> 
> 
Yes, that is the bug, with additionally a documentation bug.

Bastien




Bug#1070120: postfix: can't send mail due to obsolete /var/spool/postfix/etc/resolv.conf on new network

2024-04-30 Thread Bastien Roucariès
On Tuesday 30 April 2024, 14:52:46 UTC Vincent Lefevre wrote:
Hi,

> Control: tags -1 security
> 
> On 2024-04-30 16:33:14 +0200, Vincent Lefevre wrote:
> > If I try to restart postfix, I get:
> > 
> > postfix/postfix-script: warning: /var/spool/postfix/etc/resolv.conf and 
> > /etc/resolv.conf differ

A solution may be to bind-mount /etc/resolv.conf read-only onto
/var/spool/postfix/etc/resolv.conf

Bastien
> 
> BTW, note that this is a security issue, because with wifi,
> the DNS server often corresponds to the local router (e.g.
> 10.3.0.1), and it may happen that the obsolete IP address
> may correspond to some random machine on the network, which
> could act as a malicious DNS server.
> 
> > Indeed, /var/spool/postfix/etc/resolv.conf contains obsolete data.
> > 
> > I had to do "cp /etc/resolv.conf /var/spool/postfix/etc/resolv.conf".
> 
> I don't know how the update should be done. I suppose that
> /etc/network/if-up.d/postfix is pointless in case of wifi as
> it says "Called when a new interface comes up", but for wifi,
> this is the same interface, only a new network.
> 
> And I don't understand why restarting postfix did not update
> the file.
> 
> BTW, even ethernet connections may be affected in case of
> network reconfiguration.
> 
> 





Bug#1070069: fossil: CVE-2024-24795 unreleated breakage

2024-04-30 Thread Bastien Roucariès
On Monday 29 April 2024, 18:40:39 UTC Barak A. Pearlmutter wrote:
> Bastien,
> 
> Okay, got it. Thanks for letting me know.
> 
> I can cherry-pick that fossil commit, but you know the right magic for
> a versioned apache2 breakage and how to deal with proposed-updates.
> So I think it would make sense for you to do all of this in a
> coordinated fashion?
> If that's okay with you, please feel free to just do a regular upload
> if you want, or an NMU, as you please.
> I will push your changes into the debian fossil branch, unless you'd
> like write access to my fossil packaging repo
>  https://people.debian.org/~bap/fossil.fsl
> which I'd be happy to set up.

Hi

I give up on the fossil patches (I am not fluent in fossil)

The bookworm version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)
The bullseye version will need:
- to add the patch
- Breaks against apache2-bin (<< 2.4.59-1~)

We have done a full backport of apache due to several bugs

BTW I suppose that the sid version should, for extra safety, break against
apache2-bin (<< 2.4.59-1~) instead of apache2

You should begin and apache2 will follow ASAP

Bastien

For buster I will prod you when done,
> 
> Cheers,
> 
> --Barak.
> 




