Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2019-03-09 Thread Adam D. Barratt
On Fri, 2018-11-09 at 06:55 +0100, Salvatore Bonaccorso wrote:
> Hi Ludovico,
> 
> On Sat, Feb 10, 2018 at 10:25:47AM +0100, Julien Cristau wrote:
> > Control: tag -1 confirmed
> > 
> > On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:
> > 
> > > I would like to submit to your consideration an update to ntopng in
> > > stretch.
> > > 
> > > The main bug that triggered this upload is #856048, which causes the
> > > user management and preferences section of the web interface to
> > > be unusable.
> > > 
> > > The fix is already in version 2.4+dfsg1-4 in unstable.
> > > 
> > > There are three additional important issues from 2.4+dfsg1-4 that I
> > > think it would make sense to include:
> > > - #859653 which causes ntopng to crash if the mysql backend is selected.
> > >   This change only affects mysql users. On the other side it is an
> > >   obvious usage-after-free and out-of-bound memory access issues.
> > > - #866721 and #866719, which are security-related issues. Do you want
> > >   me to reach out to the security team about these first? Do we need to
> > >   treat the whole update as a security one instead, or split it?
> > > 
> > 
> > Assuming this has been properly tested in a stretch environment, please
> > go ahead and upload.
> 
> Friendly ping ;-)

Re-ping.

If nothing happens within a couple of weeks then I plan on closing this
bug.

Regards,

Adam



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2018-11-08 Thread Salvatore Bonaccorso
Hi Ludovico,

On Sat, Feb 10, 2018 at 10:25:47AM +0100, Julien Cristau wrote:
> Control: tag -1 confirmed
> 
> On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:
> 
> > I would like to submit to your consideration an update to ntopng in
> > stretch.
> > 
> > The main bug that triggered this upload is #856048, which causes the
> > user management and preferences section of the web interface to
> > > be unusable.
> > 
> > The fix is already in version 2.4+dfsg1-4 in unstable.
> > 
> > There are three additional important issues from 2.4+dfsg1-4 that I
> > think it would make sense to include:
> > - #859653 which causes ntopng to crash if the mysql backend is selected.
> >   This change only affects mysql users. On the other side it is an
> > >   obvious usage-after-free and out-of-bound memory access issues.
> > > - #866721 and #866719, which are security-related issues. Do you want
> >   me to reach out to the security team about these first? Do we need to
> >   treat the whole update as a security one instead, or split it?
> > 
> Assuming this has been properly tested in a stretch environment, please
> go ahead and upload.

Friendly ping ;-)

Regards,
Salvatore



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2018-02-10 Thread Julien Cristau
Control: tag -1 confirmed

On Mon, Dec 25, 2017 at 21:26:58 +0100, Ludovico Cavedon wrote:

> I would like to submit to your consideration an update to ntopng in
> stretch.
> 
> The main bug that triggered this upload is #856048, which causes the
> user management and preferences section of the web interface to
> > be unusable.
> 
> The fix is already in version 2.4+dfsg1-4 in unstable.
> 
> There are three additional important issues from 2.4+dfsg1-4 that I
> think it would make sense to include:
> - #859653 which causes ntopng to crash if the mysql backend is selected.
>   This change only affects mysql users. On the other side it is an
>   obvious usage-after-free and out-of-bound memory access issues.
> - #866721 and #866719, which are security-related issues. Do you want
>   me to reach out to the security team about these first? Do we need to
>   treat the whole update as a security one instead, or split it?
> 
Assuming this has been properly tested in a stretch environment, please
go ahead and upload.

Cheers,
Julien



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2017-12-27 Thread Salvatore Bonaccorso
Hi,

On Wed, Dec 27, 2017 at 02:21:14PM +, Ludovico Cavedon wrote:
> Hi Moritz,
> 
> On Tue, Dec 26, 2017 at 12:18 PM Moritz Mühlenhoff wrote:
> 
> > On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> > > - #866721 and #866719, which are security-related issues. Do you want
> > >   me to reach out to the security team about these first?
> >
> > Those are marked no-dsa for quite a while, so not needed
> >
> 
> Of course, sorry for missing that.
> 
> I tried to search/read but I am not completely sure of what the next step
> is: should I wait for feedback based on the attached debdiff, or should I
> upload to pu first?

Always wait first for an ack of the SRMs before doing an update to pu.

This avoids turnarounds in case SRM are not happy yet with the debdiff,
and packages would be rejected from pu-NEW.

Regards and hope this helps,
Salvatore



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2017-12-27 Thread Ludovico Cavedon
Hi Moritz,

On Tue, Dec 26, 2017 at 12:18 PM Moritz Mühlenhoff wrote:

> On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> > - #866721 and #866719, which are security-related issues. Do you want
> >   me to reach out to the security team about these first?
>
> Those are marked no-dsa for quite a while, so not needed
>

Of course, sorry for missing that.

I tried to search/read but I am not completely sure of what the next step
is: should I wait for feedback based on the attached debdiff, or should I
upload to pu first?

Thank you,
Ludovico


Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2017-12-26 Thread Moritz Mühlenhoff
On Mon, Dec 25, 2017 at 09:26:58PM +0100, Ludovico Cavedon wrote:
> - #866721 and #866719, which are security-related issues. Do you want
>   me to reach out to the security team about these first? 

Those are marked no-dsa for quite a while, so not needed.

Cheers,
Moritz



Bug#885183: stretch-pu: package ntopng/2.4+dfsg1-3+deb9u1

2017-12-25 Thread Ludovico Cavedon
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I would like to submit to your consideration an update to ntopng in
stretch.

The main bug that triggered this upload is #856048, which causes the
user management and preferences section of the web interface to
be unusable.

The fix is already in version 2.4+dfsg1-4 in unstable.

There are three additional important issues from 2.4+dfsg1-4 that I
think it would make sense to include:
- #859653 which causes ntopng to crash if the mysql backend is selected.
  This change only affects mysql users. On the other side it is an
  obvious usage-after-free and out-of-bound memory access issues.
- #866721 and #866719, which are security-related issues. Do you want
  me to reach out to the security team about these first? Do we need to
  treat the whole update as a security one instead, or split it?

debdiff attached.

Thank you,
Ludovico


-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-updates'), (500, 
'testing'), (500, 'stable'), (470, 'unstable'), (460, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ntopng-2.4+dfsg1/debian/changelog ntopng-2.4+dfsg1/debian/changelog
--- ntopng-2.4+dfsg1/debian/changelog   2017-02-04 04:43:00.0 +0100
+++ ntopng-2.4+dfsg1/debian/changelog   2017-12-24 21:18:54.0 +0100
@@ -1,8 +1,22 @@
-ntopng (2.4+dfsg1-3) unstable; urgency=high
+ntopng (2.4+dfsg1-3+deb9u1) stretch; urgency=medium
+
+  * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the
+'Missing CSRF parameter' error (Closes: #856048).
+  * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng
+(Closes: #866721, CVE-2017-7458).
+  * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs
+(Closes: #866719, CVE-2017-7459).
+  * Add Avoid-access-after-free.patch and
+Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks
+to Bernhard Übelacker, Closes: #859653).
+
+ -- Ludovico Cavedon   Sun, 24 Dec 2017 21:18:54 +0100
+
+ntopng (2.4+dfsg1-3) unstable; urgency=medium
 
   * Import upstream patches fixing CVE-2017-5473. (Closes: #852109)
 
- -- Ludovico Cavedon   Fri, 03 Feb 2017 19:43:00 -0800
+ -- Ludovico Cavedon   Sun, 24 Dec 2017 21:14:54 +0100
 
 ntopng (2.4+dfsg1-2) unstable; urgency=high
 
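Review bot: the lower part of this changelog hunk rewrites the already-released 2.4+dfsg1-3 entry rather than leaving it untouched: its header changes from urgency=high to urgency=medium, and its trailer date changes from "Fri, 03 Feb 2017 19:43:00 -0800" to "Sun, 24 Dec 2017 21:14:54 +0100". A stable update should only add the new 2.4+dfsg1-3+deb9u1 stanza on top, so please restore the old header and trailer lines so that the diff against the stretch changelog consists of added lines only. Separately, the new stanza closes two CVE bugs and a use-after-free, yet is set to urgency=medium while the entry it replaces was high; it is worth stating in the request whether that choice is deliberate.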
diff -Nru ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch 
ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch
--- ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch   
1970-01-01 01:00:00.0 +0100
+++ ntopng-2.4+dfsg1/debian/patches/Avoid-access-after-free.patch   
2017-12-24 21:17:07.0 +0100
@@ -0,0 +1,48 @@
+Description: Avoid access after free
+Author: Bernhard Übelacker 
+Bug-Debian: https://bugs.debian.org/859653
+Applied-Upstream: yes
+
+Found while investigating for https://bugs.debian.org/859653
+
+==10143== Invalid read of size 8
+==10143==at 0x616E301: mysql_num_rows (client.c:4561)
+==10143==by 0x11C1AD: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:593)
+==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==by 0x1187D3: main (main.cpp:117)
+==10143==  Address 0x144527a8 is 8 bytes inside a block of size 208 free'd
+==10143==at 0x4C2CDDB: free (vg_replace_malloc.c:530)
+==10143==by 0x11C1A5: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:592)
+==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==by 0x1187D3: main (main.cpp:117)
+==10143==  Block was alloc'd at
+==10143==at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
+==10143==by 0x61A7D95: my_malloc (my_malloc.c:101)
+==10143==by 0x616C1D5: mysql_store_result (client.c:4094)
+==10143==by 0x11C190: MySQLDB::exec_sql_query(st_mysql*, char*, bool, 
bool, bool) (MySQLDB.cpp:589)
+==10143==by 0x11CF4F: MySQLDB::MySQLDB(NetworkInterface*) (MySQLDB.cpp:295)
+==10143==by 0x13F5EF: NetworkInterface::NetworkInterface(char const*) 
(NetworkInterface.cpp:133)
+==10143==by 0x122041: Prefs::add_default_interfaces() (Prefs.cpp:1059)
+==10143==by 0x1187D3: