Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Hi Adam,

On Do 07 Feb 2019 06:59:25 CET, Adam D. Barratt wrote:

> On Wed, 2019-02-06 at 23:03 +, Mike Gabriel wrote:
> > Maybe you can help... I just uploaded freerdp, BUT...
> >
> > the src:pkg contains an unwanted file: the .debdiff between +deb9u2
> > and +deb9u3.
>
> It does? I may possibly just not have had enough coffee, but: where?
>
> https://release.debian.org/proposed-updates/stable_diffs/freerdp_1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3.debdiff
> is the automatically generated source debdiff based on your upload.

Ah, interesting. After uploading I found the .debdiff in the sources folder that I sent to this bug in the first place. So, I assumed that it ended up in the just uploaded Debian source package. It is obviously not in the uploaded src:pkg as your .debdiff URL shows. So, all seems to be well.

> > If you have means to reject it still, please do. Otherwise, we need
> > to live with it.
>
> We can reject packages from stable-new (the holding queue in front of
> p-u). That's fine, I'd just like to confirm that it's really needed in
> this case.

No, it's not needed. It can go into p-u.

Thanks for feedback! Excuse my unnecessary panic attack. ;-)

light+love
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
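The worry in the message above (did a stray .debdiff end up in the uploaded source package?) can be settled without waiting for the release team's auto-generated debdiff: the .dsc lists every file that belongs to the source package. The script below is an added example, not code from this bug thread or from the freerdp packaging. It parses the Files: field of a .dsc and flags anything that is not a normal source-package component. The .dsc text is constructed for the example (the version string matches the upload discussed here, the checksums and sizes are invented, and the .debdiff line is included on purpose to show a hit); on a real upload, `dcmd ls` from devscripts on the .dsc or .changes gives the same file list.

```python
"""Added example, not code from this bug thread or from the freerdp
packaging: parse the Files: field of a Debian .dsc and flag entries that
are not a normal source-package component (e.g. a stray .debdiff).

The .dsc below is constructed for the example; the checksums and sizes
are invented and the .debdiff line is deliberately included."""
import re

SAMPLE_DSC = """\
Format: 3.0 (quilt)
Source: freerdp
Version: 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Files:
 00000000000000000000000000000000 1 freerdp_1.1.0~git20140921.1.440916e+dfsg1.orig.tar.gz
 00000000000000000000000000000000 2 freerdp_1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3.debian.tar.xz
 00000000000000000000000000000000 3 freerdp_1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3.debdiff
"""

# Components a 1.0 or 3.0 (quilt) source package may legitimately carry:
# the upstream tarball (optionally split into components, optionally with
# a detached .asc signature), the Debian tarball, or the old-style .diff.gz.
ALLOWED = re.compile(
    r"\.(orig(-[a-z0-9-]+)?\.tar\.(gz|bz2|xz)(\.asc)?"
    r"|debian\.tar\.(gz|bz2|xz)"
    r"|diff\.gz)$"
)


def dsc_files(dsc_text):
    """Return the filenames listed in the .dsc's Files: field.

    A .dsc is a deb822 control file: continuation lines of a multi-line
    field start with a single space, each carrying "md5sum size name"."""
    names = []
    in_files = False
    for line in dsc_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            if not line.startswith(" "):
                break  # next field reached; the Files: field is over
            parts = line.split()
            if len(parts) == 3:
                names.append(parts[2])
    return names


def stray_files(dsc_text):
    """Filenames in Files: that are not a recognised source component."""
    return [name for name in dsc_files(dsc_text) if not ALLOWED.search(name)]


if __name__ == "__main__":
    for name in stray_files(SAMPLE_DSC):
        print("unexpected file declared in .dsc:", name)
```

The check deliberately whitelists rather than blacklists: anything outside the handful of component names dpkg-source produces is reported, so a misplaced debdiff, a leftover build log or an editor backup file all show up the same way.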
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
On Wed, 2019-02-06 at 23:03 +, Mike Gabriel wrote:
> Maybe you can help... I just uploaded freerdp, BUT...
>
> the src:pkg contains an unwanted file: the .debdiff between +deb9u2
> and +deb9u3.

It does? I may possibly just not have had enough coffee, but: where?

https://release.debian.org/proposed-updates/stable_diffs/freerdp_1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3.debdiff
is the automatically generated source debdiff based on your upload.

> If you have means to reject it still, please do. Otherwise, we need
> to live with it.

We can reject packages from stable-new (the holding queue in front of p-u). That's fine, I'd just like to confirm that it's really needed in this case.

Regards,

Adam
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Hi Adam,

maybe some help from your side is needed...

On Mo 04 Feb 2019 22:24:16 CET, Adam D. Barratt wrote:

> Control: tags -1 + confirmed
>
> Hi,
>
> On Thu, 2019-01-31 at 22:14 +, Mike Gabriel wrote:
> > HI Adam,
> >
> > On Do 31 Jan 2019 21:28:43 CET, Adam D. Barratt wrote:
> >
> > > On Fri, 2019-01-11 at 15:26 +0100, Mike Gabriel wrote:
> > > > Please review the attached .debdiff (for stretch) and give your
> > > > go for uploading to stretch.
> > > [...]
> > > * debian/control:
> > > + B-D on libssh1.0-dev (instead of libssh-dev).
> >
> > It's libssh1.0-dev for stretch and nothing needs to be changed.
>
> Well, no. As you go on to say yourself below, it's libss*l*1.0-dev
>
> > > This change doesn't appear to have actually been included. (Which
> > > is just as well, as there is no such package in Debian.)
> >
> > Yeah, I guess I mixed those up in the changelog. The
> > debian/jessie/updates branch needs a switch-back [1] from
> > libssl1.0-dev to libssl-dev whereas the debian/stretch/updates
> > branch does not need a change here.
>
> [...]
>
> > > > I will also publish a blog post that will appear on Planet Debian
> > > > that links to built binaries that users may be able to test.
> > >
> > > Has there been much take-up / feedback there?
> >
> > Over the last 8 days my webserver has registered 18 downloads of
> > freerdp-x11 (either for jessie or for stretch). Without any
> > positive feedback given (which I requested explicitly).
>
> That's unfortunate. Let's hope it simply means that people couldn't be
> bothered to provide feedback.
>
> Please go ahead.
>
> Regards,
>
> Adam

Maybe you can help... I just uploaded freerdp, BUT...

the src:pkg contains an unwanted file: the .debdiff between +deb9u2 and +deb9u3.

If you have means to reject it still, please do. Otherwise, we need to live with it.

I also pinged #debian-ftp on IRC. Maybe someone is on it and this mail is obsolete.
Thanks+Greets,
Mike
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Control: tags -1 + confirmed

Hi,

On Thu, 2019-01-31 at 22:14 +, Mike Gabriel wrote:
> HI Adam,
>
> On Do 31 Jan 2019 21:28:43 CET, Adam D. Barratt wrote:
>
> > On Fri, 2019-01-11 at 15:26 +0100, Mike Gabriel wrote:
> > > Please review the attached .debdiff (for stretch) and give your
> > > go for uploading to stretch.
> > [...]
> > * debian/control:
> > + B-D on libssh1.0-dev (instead of libssh-dev).
>
> It's libssh1.0-dev for stretch and nothing needs to be changed.

Well, no. As you go on to say yourself below, it's libss*l*1.0-dev

> > This change doesn't appear to have actually been included. (Which
> > is just as well, as there is no such package in Debian.)
>
> Yeah, I guess I mixed those up in the changelog. The
> debian/jessie/updates branch needs a switch-back [1] from
> libssl1.0-dev to libssl-dev whereas the debian/stretch/updates
> branch does not need a change here.

[...]

> > > I will also publish a blog post that will appear on Planet Debian
> > > that links to built binaries that users may be able to test.
> >
> > Has there been much take-up / feedback there?
>
> Over the last 8 days my webserver has registered 18 downloads of
> freerdp-x11 (either for jessie or for stretch). Without any
> positive feedback given (which I requested explicitly).

That's unfortunate. Let's hope it simply means that people couldn't be bothered to provide feedback.

Please go ahead.

Regards,

Adam
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
HI Adam,

On Do 31 Jan 2019 21:28:43 CET, Adam D. Barratt wrote:

> On Fri, 2019-01-11 at 15:26 +0100, Mike Gabriel wrote:
> > Please review the attached .debdiff (for stretch) and give your go
> > for uploading to stretch.
>
> + Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP v3
>   and RDP proto v6 support. This allows users to connect to recently
>   (since March 2018) update Microsoft RDP servers again.
>   Thanks to Bernhard Miklautz and Martin Fleisz for helping out ith
>   backporting this patch. Much appreciated!
>
> s/recently.*update//
> s/helping out ith/helping out with/

Thanks! Will fix that.

> * debian/control:
>   + B-D on libssh1.0-dev (instead of libssh-dev).

It's libssh1.0-dev for stretch and nothing needs to be changed.

> This change doesn't appear to have actually been included. (Which is
> just as well, as there is no such package in Debian.)

Yeah, I guess I mixed those up in the changelog. The debian/jessie/updates branch needs a switch-back [1] from libssl1.0-dev to libssl-dev whereas the debian/stretch/updates branch does not need a change here. Glad that you spotted this.

> > After that, I will upload the same version (slightly backported to
> > jessie) to jessie-security.
> >
> > I will also publish a blog post that will appear on Planet Debian
> > that links to built binaries that users may be able to test.
>
> Has there been much take-up / feedback there?

Over the last 8 days my webserver has registered 18 downloads of freerdp-x11 (either for jessie or for stretch). Without any positive feedback given (which I requested explicitly). Unfortunately, log files on that machine use the default logrotate rules for Apache2.

I have been using the patched version from my notebook (I downgraded from freerdp2 to freerdp1.1). And in fact, I forgot that I actually downgraded it. It simply worked with all kinds of recent RDP servers (Win 2016 server, Win 2012 server mainly). The patch author Bernhard Miklautz tested against Win7, Win10 and WinXP.
I just did a quick test with the stretch version against an xRDP server.

Mike

[1] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/commit/c598db8583e5a0cc8c38ac55f680cd501b1fe892
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
On Fri, 2019-01-11 at 15:26 +0100, Mike Gabriel wrote:
> Please review the attached .debdiff (for stretch) and give your go
> for uploading to stretch.

+ Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP v3
  and RDP proto v6 support. This allows users to connect to recently
  (since March 2018) update Microsoft RDP servers again.
  Thanks to Bernhard Miklautz and Martin Fleisz for helping out ith
  backporting this patch. Much appreciated!

s/recently.*update//
s/helping out ith/helping out with/

* debian/control:
  + B-D on libssh1.0-dev (instead of libssh-dev).

This change doesn't appear to have actually been included. (Which is just as well, as there is no such package in Debian.)

> After that, I will upload the same version (slightly backported to
> jessie) to jessie-security.
>
> I will also publish a blog post that will appear on Planet Debian
> that links to built binaries that users may be able to test.

Has there been much take-up / feedback there?

Regards,

Adam
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Dear release team,

please review...

On Thu, 20 Dec 2018 13:06:05 +0100 Mike Gabriel wrote:
> Dear Debian stretch Release Team,
>
> in Debian LTS, we are currently discussing a complex update of the
> freerdp (v1.1) package. The current status is this:
>
> * since March 2018 freerdp in stretch (and jessie) (Git
>   snapshot of never released v1.1) is unusable against
>   latest Windows servers.
>   All Windows OS versions switched to RDP proto version 6
>   (plus CredSSP version 3) and the freerdp versions in Debian
>   jessie/stretch do not support that.
> * for people using Debian stretch, the only viable work-around
>   is using freerdp2 from stretch-backports.
> * people using Debian jessie LTS don't have any options (except
>   for upgrading to stretch and using freerdp2 from stretch-bpo).
> * currently, we know of four unfixed CVE issues in freerdp (v1.1)
>   (that are fixed in buster's freerdp2).
>
> With my Debian LTS contributor hat on, I have started working on the open
> freerdp CVE issues (which luckily appeared in a Ubuntu security update,
> so not much work on this side) _and_ ...
>
> ... I have started backporting the required patches (at least these:
> [1,2,3]) to get RDP proto version 6 working in Debian jessie's freerdp
> v1.1 version.
>
> This complete endeavour for LTS only makes sense if the stable release
> team is open to accepting such a complex change to Debian stretch, too.
>
> While working on these patches, I regularly get feedback from FreeRDP
> upstream developer Bernhard Miklautz.
>
> The Git version [4] of the proposed upload is not yet ready. After
> feedback from Bernhard, I will have to backport various WinPR API calls
> that are used around the RDP proto v6 implementation. So this whole thing
> is still work in progress.
>
> The reason for this mail is: if the stable release team declines this
> update, then we will not bring it to Debian jessie LTS either.
>
> Please give me a beacon signal (mainly a "yes, go ahead", or a "no, no
> way!").
>
> Please let me know, if you need more info to consider.
>
> Cheers,
> Mike
>
> [1] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0010_add-support-for-credssp-version-3.patch
> [2] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0011_add-support-for-proto-version-6.patch
> [3] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0012-fix-nla-don-t-use-server-version.patch
> [4] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/tree/debian/stretch/updates

Over the X-mas holidays, Bernhard Miklautz and Martin Fleisz from FreeRDP upstream worked hard on getting FreeRDP v1.1 (jessie + stretch) working again with latest Microsoft Windows RDP Servers. They used the above referenced patches as a starting point and came up with a working solution. Special credits, in fact, go to Bernhard Miklautz.

Please review the attached .debdiff (for stretch) and give your go for uploading to stretch.

After that, I will upload the same version (slightly backported to jessie) to jessie-security.

I will also publish a blog post that will appear on Planet Debian that links to built binaries that users may be able to test.

Thanks+Greets,
Mike

diff -Nru freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog
--- freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog 2017-08-12 21:26:43.0 +0200
+++ freerdp-1.1.0~git20140921.1.440916e+dfsg1/debian/changelog 2019-01-10 16:07:19.0 +0100
@@ -1,3 +1,28 @@ +freerdp (1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3) stretch; urgency=medium + + * debian/patches: Add security patches. +- CVE-2018-8786.patch: The count variable in update_read_bitmap() needs to + be UINT32 (not UINT16). +- CVE-2018-8787.patch: In gdi_Bitmap_Decompress, check for invalid bpp, + width and height before decompressing. + CVE-2018-8788.patch: In NSC encode/decode functions, catch data flawed in + various ways and bail out with failure. + CVE-2018-8789.patch: In ntlm_read_message_fields_buffer, check buffer + offset vs. Stream_Length and bail out if not appropriate. +- Thanks to Alex Murray for backporting them to FreeRDP 1.1. + * debian/patches: ++ Add 0010_add-support-for-credssp-v3-and-rdpproto-v6.patch. Add CredSSP v3 + and RDP proto v6 support. This allows users to connect to recently + (since March 2018) update Microsoft RDP servers again. + Thanks to Bernhard Miklautz and Martin Fleisz for helping out with + backporting this patch. Much appreciated! + * debian/control: ++ B-D on libssh1.0-dev (instead of libssh-dev). ++ Update Vcs-*: URLs. + * debian/lib{freerdp-core1.1,winpr-sspi0.1}.symbols: Update symbols. + + -- Mike Gabriel Thu, 10 Jan 2019 16:07:19 +0100 + freerdp
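Review bot: the debian/control entry "+ B-D on libssh1.0-dev (instead of libssh-dev)." describes a change that is not present anywhere in the visible diff (only debian/changelog is touched), and the package name is wrong: as the thread establishes, the build-dependency in question is libssl1.0-dev, which is what stretch already builds against, so the entry should be dropped from the stretch changelog rather than shipped describing a change that did not happen. In the same hunk the security-patch list loses its "-" item marker on the CVE-2018-8788 and CVE-2018-8789 lines ("+ CVE-2018-8788.patch: ..." against "+- CVE-2018-8786.patch: ..."), so those two read as continuation text of the CVE-2018-8787 item; and the 0010 patch entry should drop "recently (since March 2018) update" and read "helping out with", as already requested in the review. Since the symbols files for libfreerdp-core1.1 and libwinpr-sspi0.1 change and the earlier mail mentions backporting WinPR API calls, the changelog should say whether the symbols update is additions only (no removed or changed symbols), which is what a stable-update reviewer needs to know and cannot tell from this hunk.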
Bug#916912: [pre-approval] stretch-pu: package freerdp/1.1.0~git20140921.1.440916e+dfsg1-13+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear Debian stretch Release Team,

in Debian LTS, we are currently discussing a complex update of the freerdp (v1.1) package. The current status is this:

* since March 2018 freerdp in stretch (and jessie) (Git
  snapshot of never released v1.1) is unusable against
  latest Windows servers.
  All Windows OS versions switched to RDP proto version 6
  (plus CredSSP version 3) and the freerdp versions in Debian
  jessie/stretch do not support that.
* for people using Debian stretch, the only viable work-around
  is using freerdp2 from stretch-backports.
* people using Debian jessie LTS don't have any options (except
  for upgrading to stretch and using freerdp2 from stretch-bpo).
* currently, we know of four unfixed CVE issues in freerdp (v1.1)
  (that are fixed in buster's freerdp2).

With my Debian LTS contributor hat on, I have started working on the open freerdp CVE issues (which luckily appeared in a Ubuntu security update, so not much work on this side) _and_ ...

... I have started backporting the required patches (at least these: [1,2,3]) to get RDP proto version 6 working in Debian jessie's freerdp v1.1 version.

This complete endeavour for LTS only makes sense if the stable release team is open to accepting such a complex change to Debian stretch, too.

While working on these patches, I regularly get feedback from FreeRDP upstream developer Bernhard Miklautz.

The Git version [4] of the proposed upload is not yet ready. After feedback from Bernhard, I will have to backport various WinPR API calls that are used around the RDP proto v6 implementation. So this whole thing is still work in progress.

The reason for this mail is: if the stable release team declines this update, then we will not bring it to Debian jessie LTS either.

Please give me a beacon signal (mainly a "yes, go ahead", or a "no, no way!").

Please let me know, if you need more info to consider.
Cheers,
Mike

[1] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0010_add-support-for-credssp-version-3.patch
[2] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0011_add-support-for-proto-version-6.patch
[3] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/blob/debian/stretch/updates/debian/patches/0012-fix-nla-don-t-use-server-version.patch
[4] https://salsa.debian.org/debian-remote-team/freerdp-1.1-legacy/tree/debian/stretch/updates

-- System Information:
Debian Release: 9.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)