Re: squeeze update of librsvg?

2016-01-17 Thread Salvatore Bonaccorso
Hi Santiago,

Sorry for the late reply.

On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
> 
> On 30/12/15 at 01:49, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
> 
> Regarding Squeeze, and AFAICS, while the fix for CVE-2015-7557 is simple,
> the one for CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e. 
> https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> 
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that it is no-dsa. What do you think? What's the security team position
> about it?

I have marked one issue as no-dsa for wheezy and jessie
(CVE-2015-7557). Regarding CVE-2015-7558, I'm not sure here. But if the
fix is too intrusive to backport we can mark it as  (Too
intrusive to backport).

Regards,
Salvatore



Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Mike Gabriel

Hi Ben, hi all,

On Sun, 17 Jan 2016 23:42:19 CET, Ben Hutchings wrote:

> On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> > Hi Mike,
> > 
> > I have the exact same problem on my server. I simply upgraded from
> > 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> > Given the patch you attached, this is very strange. But after
> > downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> > So there seems to be indeed a (critical) issue with 4.1.1-P1-
> > 15+squeeze9, as it basically breaks the DHCP server.
> 
> I can't see anything wrong with the patch, so I wonder whether there
> was something wrong with the build environment.


The package has been source-built on Debian jessie (debuild -uc -us  
-S) and then binary-built with sbuild in a squeeze-lts (not squeeze)  
chroot.


I have checked my build log again. It seems that the CFLAGS specified  
in debian/rules do not get exported properly to the build environment  
and thus are not used at build time:


""" (from +squeeze9 build log)
[...]
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes  -I.. -DLOCALSTATEDIR='"/var"'
-g -O2  -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF  
.deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c

[...]
"""

When adding "export CFLAGS" at the end of the CFLAGS declarations in  
debian/rules, I get this:


""" (from upcoming +squeeze10 build log)
[...]
make[1]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes  -I.. -DLOCALSTATEDIR='"/var"'  
-DLDAP_DEPRECATED   -Wall -g -O2  
-D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"'  
-D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"'  
-D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM  -MT  
dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o  
`test -f 'dhcpd.c' || echo './'`dhcpd.c

[...]
"""

I wonder why this has been working in the first place.


> Additionally, the patch is *not* being applied to isc-dhcp-server.  It is
> only applied when building isc-dhcp-server-ldap (see the commands for
> the build-stamp target).  It needs to be moved further up the patch
> series.


Oh wow... Thanks for spotting this. I am currently preparing a
+squeeze10 revision upload, but I'd really like to get the dhcpd.conf
issue sorted out and addressed with next upload first.



I will upload +squeeze10 with attached .debdiff later today.

Any feedback on the provided .debdiff is welcome.

Thanks+Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
diff -u isc-dhcp-4.1.1-P1/debian/rules isc-dhcp-4.1.1-P1/debian/rules
--- isc-dhcp-4.1.1-P1/debian/rules
+++ isc-dhcp-4.1.1-P1/debian/rules
@@ -37,6 +37,8 @@
 CFLAGS += -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"'
 CFLAGS += -DNOMINUM
 
+export CFLAGS
+
 patched-ldap/build-stamp:
dh_testdir
 
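Review bot: `+export CFLAGS` puts the whole CFLAGS value into the environment of every recipe in debian/rules, so upstream's configure takes it in place of its own default; the two build logs quoted in the mail show `-Werror -fno-strict-aliasing` on the +squeeze9 compile line but gone from the +squeeze10 one. If those flags are wanted, append them in debian/rules (e.g. `CFLAGS += -fno-strict-aliasing`) or confirm that dropping them is intended, since `-fno-strict-aliasing` affects code generation, not only warnings.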
diff -u isc-dhcp-4.1.1-P1/debian/changelog isc-dhcp-4.1.1-P1/debian/changelog
--- isc-dhcp-4.1.1-P1/debian/changelog
+++ isc-dhcp-4.1.1-P1/debian/changelog
@@ -1,3 +1,16 @@
+isc-dhcp (4.1.1-P1-15+squeeze10) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team (regression fix).
+  * debian/patches:
++ Move CVE-2015-8605.dpatch further up in the patch series. Assure that
+  the patch is applied to the non-LDAP build variant. Thanks to Ben
+  Hutchings for spotting this.
+  * debian/rules:
++ Export CFLAGS before build. Make sure that our Debianic path definitions
+  end-up in the binary builds of isc-dhcp-server*.
+
+ -- Mike Gabriel   Mon, 18 Jan 2016 05:19:44 +0100
+
 isc-dhcp (4.1.1-P1-15+squeeze9) squeeze-lts; urgency=medium
 
   * Non-maintainer upload by the Debian LTS Team.
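Review bot: wording nits in the new changelog entry: "Debianic path definitions end-up" reads awkwardly ("Debian path definitions end up"), and the debian/rules item would be more useful if it named the user-visible regression being fixed (the dhcpd.conf path issue reported against +squeeze9 in this thread), so the entry can be found later; a reference to the list thread or a bug number, if one exists, would help too.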
diff -u isc-dhcp-4.1.1-P1/debian/patches/00list 
isc-dhcp-4.1.1-P1/debian/patches/00list
--- isc-dhcp-4.1.1-P1/debian/patches/00list
+++ isc-dhcp-4.1.1-P1/debian/patches/00list
@@ -17,6 +17,7 @@
 security-20110810
 CVE-2012-3571_CVE-2012-3954
 CVE-2011-4539_CVE-2012-3955
+CVE-2015-8605
 
 # must be applied before the LDAP stuff
 no-libcrypto
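Review bot: placing `+CVE-2015-8605` before `no-libcrypto` and the LDAP patches means the whole remainder of the series, including `dhcp-4.1.0-ldap-code`, is now applied on top of it; the mail reports it was previously applied only through patched-ldap/build-stamp, so the combined series should be test-applied for both the plain and the LDAP build before upload. A short comment above the line, in the style of the existing `# must be applied before the LDAP stuff`, would record why it has to stay up here.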
@@ -26,6 +27,4 @@
 dhcp-4.1.0-ldap-code
 
-CVE-2015-8605
-
 # fix build when gcc option -Werror is used
 drop_unused_vars_from_ldap-c.dpatch
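Review bot: the `-CVE-2015-8605` removal here pairs with the addition in the previous hunk, so the patch is moved rather than duplicated, which is the right fix for the plain isc-dhcp-server build; nothing else in the list changes order. Worth confirming that the patched-ldap/build-stamp commands in debian/rules do not still apply CVE-2015-8605 by name a second time, since the changelog only mentions the series order moving.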


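A regression check that can be run over a build log, added here as an example and not part of the mail or of the isc-dhcp packaging: it scans every compiler invocation for the -D_PATH_* defines that debian/rules is supposed to inject and reports the ones that are missing or carry another value, which is exactly the difference between the two log excerpts above. The sample log lines are constructed from those excerpts (paths shortened, lines unwrapped), and the set of required macros is assumed from the flags visible in the +squeeze10 log.

```python
import re

# Constructed sample log lines modelled on the two build-log excerpts quoted
# in the mail (+squeeze9: no Debian path defines; +squeeze10: with them).
# Directory paths are shortened; these are not the real, complete logs.
SQUEEZE9_LOG = """\
Making all in server
make[2]: Entering directory `/build/isc-dhcp/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -g -O2 -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF .deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c
"""
SQUEEZE10_LOG = """\
make[1]: Entering directory `/build/isc-dhcp/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -DLDAP_DEPRECATED -Wall -g -O2 -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -MT dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o `test -f 'dhcpd.c' || echo './'`dhcpd.c
"""

# Assumed set: the -D macros debian/rules adds to CFLAGS, with the values a
# correct (+squeeze10-style) compile line shows.
REQUIRED_DEFINES = {
    "_PATH_DHCPD_CONF": '"/etc/dhcp/dhcpd.conf"',
    "_PATH_DHCLIENT_CONF": '"/etc/dhcp/dhclient.conf"',
    "_PATH_DHCLIENT_SCRIPT": '"/sbin/dhclient-script"',
}

COMPILER_RE = re.compile(r"^\s*(?:\S*/)?(?:gcc|cc|clang)\b")
# -Dmacro, -Dmacro=value, -Dmacro='value' (shell quoting as in the log)
DEFINE_RE = re.compile(r"-D(\w+)(?:='([^']*)'|=(\S+))?")
OUTPUT_RE = re.compile(r"(?<!\S)-o\s+(\S+)")

def defines_in(compile_line):
    """Map macro name -> value ('' if none) for every -D on one compiler line."""
    found = {}
    for macro, quoted, bare in DEFINE_RE.findall(compile_line):
        found[macro] = quoted or bare
    return found

def missing_defines(log_text, required=REQUIRED_DEFINES):
    """Scan a build log; return [(object_file, [problem, ...])] for every compiler
    invocation that lacks a required macro or defines it with another value.
    An empty list means every compile line carries the expected defines."""
    problems = []
    for line in log_text.splitlines():
        if not COMPILER_RE.match(line):
            continue
        got = defines_in(line)
        bad = []
        for macro, want in required.items():
            if macro not in got:
                bad.append(f"{macro} not defined")
            elif got[macro] != want:
                bad.append(f"{macro}={got[macro]} (want {want})")
        if bad:
            obj = OUTPUT_RE.search(line)
            problems.append((obj.group(1) if obj else line[:40], bad))
    return problems
```

Running `missing_defines` over the +squeeze9 sample flags `dhcpd.o` with all three macros undefined, while the +squeeze10 sample comes back clean.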


Accepted srtp 1.4.4~dfsg-6+deb6u2 (source all i386) into squeeze-lts

2016-01-17 Thread Thorsten Alteholz

Format: 1.8
Date: Sun, 17 Jan 2015 22:03:02 +0100
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source all i386
Version: 1.4.4~dfsg-6+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Jonas Smedegaard 
Changed-By: Thorsten Alteholz 
Description: 
 libsrtp0   - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs  - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Changes: 
 srtp (1.4.4~dfsg-6+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * CVE-2015-6360
 Patch against denial of service via crafted RTP header.




Re: Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Ben Hutchings
On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> Hi Mike,
> 
> I have the exact same problem on my server. I simply upgraded from
> 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> Given the patch you attached, this is very strange. But after
> downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> So there seems to be indeed a (critical) issue with 4.1.1-P1-
> 15+squeeze9, as it basically breaks the DHCP server.

I can't see anything wrong with the patch, so I wonder whether there
was something wrong with the build environment.

Additionally, the patch is *not* being applied to isc-dhcp-server.  It is
only applied when building isc-dhcp-server-ldap (see the commands for
the build-stamp target).  It needs to be moved further up the patch
series.

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers




Re: Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Olivier Dousse
Hi Mike,

I have the exact same problem on my server. I simply upgraded from 
4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
Given the patch you attached, this is very strange. But after downgrading back 
to 4.1.1-P1-15+squeeze8, everything was fine again. So there seems to be indeed 
a (critical) issue with 4.1.1-P1-15+squeeze9, as it basically breaks the DHCP 
server.

Cheers,
Olivier