Re: squeeze update of librsvg?
Hi Santiago,

Sorry for the late reply.

On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
>
> On 30/12/15 at 01:49, Ben Hutchings wrote:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
>
> Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e.
> https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
>
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that is no-dsa. What do you think? What's the security team position
> about it?

I have marked one issue as no-dsa for wheezy and jessie (CVE-2015-7557).

Regarding CVE-2015-7558, not sure here. But if the fix is too intrusive to
backport we can mark it as (Too intrusive to backport).

Regards,
Salvatore
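Added example (not librsvg's code and not from anyone in this thread): a small Python model of the cyclic-reference check the message above describes. The `RefResolver` class, its `acquire`/`release` methods and the three SVG documents are constructed for illustration; the commit referenced in the thread is not reproduced here. What it shows is the defensive idea behind an acquire-node style guard: a renderer that follows `<use>` references keeps track of which nodes are currently being rendered, so a reference chain that loops back on itself is rejected with a clear error instead of being followed without bound.

```python
"""Cycle-safe resolution of SVG <use href="#id"> references (added example;
assumed, simplified design, not librsvg's implementation)."""
import xml.etree.ElementTree as ET

SVG = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SHAPES = {SVG + "rect", SVG + "circle", SVG + "path"}


class ReferenceCycleError(ValueError):
    """Raised when a chain of <use> references loops back on itself."""

    def __init__(self, chain):
        super().__init__("cyclic reference: " + " -> ".join(chain))
        self.chain = list(chain)


class RefResolver:
    """Walks an SVG tree and follows <use> references with an acquire/release
    guard: a node may not be acquired again while it is still being rendered."""

    def __init__(self, svg_text):
        self.root = ET.fromstring(svg_text)
        self.by_id = {el.get("id"): el for el in self.root.iter() if el.get("id")}
        self._in_use = []          # ids of nodes currently on the render stack

    def acquire(self, href):
        """Look up '#id'. Returns None for a dangling reference; raises
        ReferenceCycleError if the target is already being rendered."""
        if not href.startswith("#"):
            return None
        target = href[1:]
        if target in self._in_use:
            raise ReferenceCycleError(self._in_use + [target])
        node = self.by_id.get(target)
        if node is not None:
            self._in_use.append(target)
        return node

    def release(self, node):
        """Undo acquire() once the referenced subtree has been rendered."""
        assert self._in_use and self._in_use[-1] == node.get("id")
        self._in_use.pop()

    def count_shapes(self, el=None):
        """Stand-in for rendering: count the primitive shapes that get drawn."""
        if el is None:
            el = self.root
        if el.tag == SVG + "defs":
            return 0               # definitions are drawn only through <use>
        if el.tag == SVG + "use":
            target = self.acquire(el.get(XLINK_HREF) or el.get("href") or "")
            if target is None:
                return 0           # nothing to draw for a missing target
            try:
                return self.count_shapes(target)
            finally:
                self.release(target)
        total = 1 if el.tag in SHAPES else 0
        for child in el:
            total += self.count_shapes(child)
        return total


def shape_count(svg_text):
    """Number of primitive shapes a renderer would draw for this document."""
    return RefResolver(svg_text).count_shapes()


def cycle_chain(svg_text):
    """Id chain of the first reference cycle found, or None if there is none."""
    try:
        RefResolver(svg_text).count_shapes()
    except ReferenceCycleError as err:
        return " -> ".join(err.chain)
    return None


# Constructed sample documents.
NS = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
GOOD_SVG = f"""<svg {NS}>
  <defs>
    <g id="wheel"><circle r="5"/><circle r="2"/></g>
    <g id="cart"><rect width="10" height="4"/>
      <use xlink:href="#wheel"/><use xlink:href="#wheel"/></g>
  </defs>
  <use xlink:href="#cart"/>
  <use xlink:href="#cart"/>
  <use xlink:href="#missing"/>
</svg>"""
CYCLIC_SVG = f"""<svg {NS}>
  <defs>
    <g id="a"><rect width="1" height="1"/><use xlink:href="#b"/></g>
    <g id="b"><use xlink:href="#a"/></g>
  </defs>
  <use xlink:href="#a"/>
</svg>"""
SELF_SVG = f'<svg {NS}><use id="loop" xlink:href="#loop"/></svg>'

if __name__ == "__main__":
    print("good document draws", shape_count(GOOD_SVG), "shapes")
    for doc in (CYCLIC_SVG, SELF_SVG):
        print("cycle:", cycle_chain(doc))
```

Reusing the same definition several times (the two `#wheel` and two `#cart` references) is legitimate and passes, because each reference is released before the next one is acquired; only a reference that is reached while its target is still on the stack is a cycle.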
Re: isc-dhcp-server in squeeze-lst broken after update
Hi Ben, hi all,

On So 17 Jan 2016 23:42:19 CET, Ben Hutchings wrote:

> On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> > Hi Mike,
> >
> > I have the exact same problem on my server. I simply upgraded from
> > 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> > Given the patch you attached, this is very strange. But after
> > downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> > So there seems to be indeed a (critical) issue with 4.1.1-P1-
> > 15+squeeze9, as it basically breaks the DHCP server.
>
> I can't see anything wrong with the patch, so I wonder whether there
> was something wrong with the build environment.

The package has been source-built on Debian jessie (debuild -uc -us -S)
and then binary-built with sbuild in a squeeze-lts (not squeeze) chroot.

I have checked my build log again. It seems that the CFLAGS specified in
debian/rules do not get exported properly to the build environment and
thus are not used at build time:

"""
(from +squeeze9 build log)
[...]
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -g -O2 -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF .deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c
[...]
"""

When adding "export CFLAGS" at the end of the CFLAGS declarations in
debian/rules, I get this:

"""
(from upcoming +squeeze10 build log)
[...]
make[1]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -DLDAP_DEPRECATED -Wall -g -O2 -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -MT dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o `test -f 'dhcpd.c' || echo './'`dhcpd.c
[...]
"""

I wonder why this has been working in the first place.

> Additionally, the patch is *not* being applied to isc-dhcp-server.
> It is only applied when building isc-dhcp-server-ldap (see the
> commands for the build-stamp target). It needs to be moved further up
> the patch series.

Oh wow... Thanks for spotting this.

I am currently preparing a +squeeze10 revision upload, but I'd really
like to get the dhcpd.conf issue sorted out and addressed with next
upload first.

I will upload +squeeze10 with attached .debdiff later today. Any
feedback on the provided .debdiff is welcome.

Thanks+Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

diff -u isc-dhcp-4.1.1-P1/debian/rules isc-dhcp-4.1.1-P1/debian/rules --- isc-dhcp-4.1.1-P1/debian/rules +++ isc-dhcp-4.1.1-P1/debian/rules @@ -37,6 +37,8 @@ CFLAGS += -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' CFLAGS += -DNOMINUM +export CFLAGS + patched-ldap/build-stamp: dh_testdir diff -u isc-dhcp-4.1.1-P1/debian/changelog isc-dhcp-4.1.1-P1/debian/changelog --- isc-dhcp-4.1.1-P1/debian/changelog +++ isc-dhcp-4.1.1-P1/debian/changelog
@@ -1,3 +1,16 @@ +isc-dhcp (4.1.1-P1-15+squeeze10) squeeze-lts; urgency=medium + + * Non-maintainer upload by the Debian LTS Team (regression fix). + * debian/patches: ++ Move CVE-2015-8605.dpatch further up in the patch series. Assure that + the patch is applied to the non-LDAP build variant. Thanks to Ben + Hutchings for spotting this. + * debian/rules: ++ Export CFLAGS before build. Make sure that our Debianic path definitions + end-up in the binary builds of isc-dhcp-server*. + + -- Mike GabrielMon, 18 Jan 2016 05:19:44 +0100 + isc-dhcp (4.1.1-P1-15+squeeze9) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. diff -u isc-dhcp-4.1.1-P1/debian/patches/00list isc-dhcp-4.1.1-P1/debian/patches/00list --- isc-dhcp-4.1.1-P1/debian/patches/00list +++ isc-dhcp-4.1.1-P1/debian/patches/00list @@ -17,6 +17,7 @@ security-20110810 CVE-2012-3571_CVE-2012-3954 CVE-2011-4539_CVE-2012-3955 +CVE-2015-8605 # must be applied before the LDAP stuff no-libcrypto @@ -26,6 +27,4 @@ dhcp-4.1.0-ldap-code -CVE-2015-8605 - # fix build when gcc option -Werror is used drop_unused_vars_from_ldap-c.dpatch pgpxdtRDldEiP.pgp Description: Digitale PGP-Signatur
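Review bot: in the debian/rules hunk (`+export CFLAGS`), exporting the variable puts it into the environment of every child process of make, including upstream's configure, and the two build logs quoted above show the side effect: the +squeeze10 compile line gains the `-D_PATH_*` and `-DNOMINUM` definitions but no longer carries the `-Werror -fno-strict-aliasing` that the +squeeze9 build had. Please confirm that dropping `-fno-strict-aliasing` is intended (it changes how the optimiser may treat code that relies on type punning), or append it to the CFLAGS set in debian/rules so that the exported value keeps it.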
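Review bot: in the debian/changelog hunk, the trailer `-- Mike GabrielMon, 18 Jan 2016 05:19:44 +0100` runs the maintainer name straight into the date with no `<email>` between them; if that is not merely the list archive's rendering, the entry will not parse as a valid changelog trailer and the build will fail before any of the other changes take effect. Minor wording: `end-up` should read `end up`.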
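Review bot: in the first debian/patches/00list hunk, the comment `# must be applied before the LDAP stuff` records the rule but not the reason; per the thread, entries placed after the LDAP patches are only applied when building isc-dhcp-server-ldap, so a later contributor who does not know this could move `CVE-2015-8605` back down and silently reintroduce the regression. Suggest stating that in the comment, e.g. `# patches after the LDAP entries are applied only to the -ldap build; keep security fixes above them`.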
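Review bot: for the second 00list hunk (the removal of `-CVE-2015-8605` after `dhcp-4.1.0-ldap-code`), the fix now lives in exactly one place, which is right; since the +squeeze9 upload shipped without the fix in the non-LDAP binary, it would be worth checking the +squeeze10 build log of the plain isc-dhcp-server variant for the line where CVE-2015-8605 is applied before uploading, rather than relying on the patch order alone.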
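Added example (not part of the thread and not from the isc-dhcp packaging): a Python checker for the situation Mike debugged by reading the build log, i.e. verifying that the `-D` definitions set in debian/rules actually reach every compiler invocation. The two sample logs are constructed from the compile lines quoted in the message above; the required macro names and expected values are the ones that appear in that message and in the debian/rules hunk, and the function names are assumptions. Running such a check over the full build log would have flagged the +squeeze9 build before upload.

```python
"""Verify that required -D definitions reached the compiler (added example)."""
import re
import shlex

# Expected -D macros and values (from the debian/rules excerpt in the thread);
# None means "present with any value".
REQUIRED_DEFINES = {
    "_PATH_DHCPD_CONF": '"/etc/dhcp/dhcpd.conf"',
    "_PATH_DHCLIENT_CONF": '"/etc/dhcp/dhclient.conf"',
    "_PATH_DHCLIENT_SCRIPT": '"/sbin/dhclient-script"',
    "NOMINUM": None,
}

# Lines that invoke a C compiler (optionally path- or triplet-prefixed).
COMPILER_RE = re.compile(
    r"^\s*(?:\S*/)?(?:[\w.-]+-)?(?:gcc|cc|g\+\+|clang)(?:-[\d.]+)?\s")

# Constructed sample logs: one compile line each, copied from the +squeeze9
# and +squeeze10 build-log excerpts quoted in the message above.
LOG_SQUEEZE9 = """\
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -g -O2 -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF .deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c
"""
LOG_SQUEEZE10 = """\
make[1]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='"/var"' -DLDAP_DEPRECATED -Wall -g -O2 -D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"' -D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"' -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM -MT dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o `test -f 'dhcpd.c' || echo './'`dhcpd.c
"""


def split_args(line):
    """Shell-split one log line; returns None if its quoting is unbalanced."""
    try:
        return shlex.split(line)
    except ValueError:
        return None


def defines_in(argv):
    """Map macro name -> value for every -D option on a compile command."""
    defs = {}
    for tok in argv:
        if tok.startswith("-D") and len(tok) > 2:
            name, _, value = tok[2:].partition("=")
            defs[name] = value if value else "1"   # bare -DFOO means FOO=1
    return defs


def object_of(argv):
    """Name of the object file produced (the argument after -o)."""
    if "-o" in argv:
        i = argv.index("-o")
        if i + 1 < len(argv):
            return argv[i + 1]
    return argv[-1]


def missing_defines(log_text, required=REQUIRED_DEFINES):
    """Return {object: [problems]} for every compile line that lacks a required
    macro or defines it with an unexpected value. {} means all flags arrived."""
    problems = {}
    for line in log_text.splitlines():
        if not COMPILER_RE.match(line) or " -c " not in line:
            continue
        argv = split_args(line)
        if argv is None:
            continue
        defs = defines_in(argv)
        bad = []
        for name, expected in required.items():
            if name not in defs:
                bad.append(name)
            elif expected is not None and defs[name] != expected:
                bad.append(f"{name}={defs[name]}")
        if bad:
            problems[object_of(argv)] = bad
    return problems


if __name__ == "__main__":
    for label, log in (("+squeeze9", LOG_SQUEEZE9), ("+squeeze10", LOG_SQUEEZE10)):
        print(label, missing_defines(log) or "all required defines present")
```

Pointing `missing_defines` at a complete sbuild log (one call per log) gives a per-object list of what did not arrive; a wrong value is reported as `NAME=actual`, so a definition that is present but points at the wrong path is caught as well as one that is absent.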
Accepted srtp 1.4.4~dfsg-6+deb6u2 (source all i386) into squeeze-lts
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 17 Jan 2015 22:03:02 +0100
Source: srtp
Binary: libsrtp0-dev libsrtp0 srtp-docs srtp-utils
Architecture: source all i386
Version: 1.4.4~dfsg-6+deb6u2
Distribution: squeeze-lts
Urgency: high
Maintainer: Jonas Smedegaard
Changed-By: Thorsten Alteholz
Description:
 libsrtp0 - Secure RTP (SRTP) and UST Reference Implementations - shared libr
 libsrtp0-dev - Secure RTP (SRTP) and UST Reference Implementations - development
 srtp-docs - Secure RTP (SRTP) and UST Reference Implementations - documentati
 srtp-utils - Secure RTP (SRTP) and UST Reference Implementations - utilities
Changes:
 srtp (1.4.4~dfsg-6+deb6u2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * CVE-2015-6360
     Patch against denial of service via crafted RTP header.
Checksums-Sha1:
 390d89f0be75a24732cf58b741b3dff6f1d259da 2140 srtp_1.4.4~dfsg-6+deb6u2.dsc
 fdc0db5be8102ab061dc7aba1c59062904e6871f 241720 srtp_1.4.4~dfsg.orig.tar.gz
 a4bf3e29ce514e5ecbf7799e2d980ebe57608d4e 33329 srtp_1.4.4~dfsg-6+deb6u2.debian.tar.gz
 e146fe13278ae2c1c21e20d2cec17c1fa9c46524 224742 srtp-docs_1.4.4~dfsg-6+deb6u2_all.deb
 bcaafc94ec8d6c997f2958e8386a53017026e287 84478 libsrtp0-dev_1.4.4~dfsg-6+deb6u2_i386.deb
 5b3f80bee4b43b93b7a8bee28a3ad6586eaa2804 49930 libsrtp0_1.4.4~dfsg-6+deb6u2_i386.deb
 898a7221f9a1450d15b937039479eff4e7f4f5cd 174412 srtp-utils_1.4.4~dfsg-6+deb6u2_i386.deb
Checksums-Sha256:
 db47b0be0c11f145c0a38cbf5242ab9b01444941593256eb6570c4ef22fbbd06 2140 srtp_1.4.4~dfsg-6+deb6u2.dsc
 57581a5cd1fe6918497588c24745b257e197be6beffb1314705a62c4d5760166 241720 srtp_1.4.4~dfsg.orig.tar.gz
 a32bb113e54f6692972b976058a1584afdd1e1b981e8da6bc80f4d5b99bc1834 33329 srtp_1.4.4~dfsg-6+deb6u2.debian.tar.gz
 5cc049abc4872e59736e155dd936e54314b2310a0e9ac90700dc3ad8ba07172d 224742 srtp-docs_1.4.4~dfsg-6+deb6u2_all.deb
 e1bed54c965d7c29fc4c8fe3b16359f93127ad21ac1883befefdd8227fa2c8bf 84478 libsrtp0-dev_1.4.4~dfsg-6+deb6u2_i386.deb
 891521a4bbf21fc30d2f4b802a87e1c828939f68384cefdd5c312f301aee2662 49930 libsrtp0_1.4.4~dfsg-6+deb6u2_i386.deb
 18ab472f261518e30f70e117f4b40105ed9b6996d0e84f27cf8a7468de1dd620 174412 srtp-utils_1.4.4~dfsg-6+deb6u2_i386.deb
Files:
 af94c46ecb2e337ac67808b9902ddcad 2140 libs optional srtp_1.4.4~dfsg-6+deb6u2.dsc
 d3326fe2e129e94e29462ab60acae390 241720 libs optional srtp_1.4.4~dfsg.orig.tar.gz
 d7fca726621405f0dcefc1df8d4fa534 33329 libs optional srtp_1.4.4~dfsg-6+deb6u2.debian.tar.gz
 21f72e9e114b6fd701dfd30bf40dc79a 224742 doc optional srtp-docs_1.4.4~dfsg-6+deb6u2_all.deb
 2b5594ad69716c54c8bbb07f901707f6 84478 libdevel optional libsrtp0-dev_1.4.4~dfsg-6+deb6u2_i386.deb
 cda870a7bdc669880524208486732ec9 49930 libs optional libsrtp0_1.4.4~dfsg-6+deb6u2_i386.deb
 4b42fc5fad6e0db19a4ddf3f812ba67d 174412 libs optional srtp-utils_1.4.4~dfsg-6+deb6u2_i386.deb

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQJ8BAEBCgBmBQJWnA8AXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHeogP/jDxl+X6nu0f47+/H32f/v15
RKQaG3EeSGO+Y4JAS4RQwhWd7qAjkUh5+FfJJ+gGDkwbwSuWT/jYLiBi1Drt9VqI
wtax8rOFZ2YzsCR0h0d1aDMefQU37Qu5tDg1pYtGl7H3CLEyQOEaiWK2yhBimIwY
UR5unulW6qmIzxOtmSVNCz4R5kW5ZfmkGE3kp3msdrxltjv261ioyYzw/OrvUQPY
8Kd7kigK2WzNuClYeFrs4WkBsT9zoC2qx1Z9V0o3hZupY6w5CgVH3XiOLuz+jiTH
huQlro/8XE59VNC4Y4s40idZ3Q+ZnQnQxwx8AMkerQh27orPCBvGzAstfjftxgP4
Coiqe+sa6h80k5dvgb7Tp7o8NktlxcJsin63MOYCVeDOrzbUZVSCcmErVbnlkgtg
U25MHzBGP5bI9V5dzEeHj3XTRF07NL7c4pdQWhH/GMj7FdoJP7cuA9hg2+bx1dn6
2REfB3XYYBbBCdyr/r4+9lE8adpCz4uFAemxhWavXh3w/Em6bmWbIoe7Iy4KcOd2
kPH/bc0p3qQ3SPiOymx3VyQ3/EKCIdqwi1lkCnlefTp92J1IPBPHj67MG/3gycyy
ILWnfsuQY+n6/FztTmcZPhqLSMfS3sV0cNr07emK6c2LGOg2cKo9YRuId7BdKh38
fBeEkq7iHM7zKx6JKn1/
=rmfB
-END PGP SIGNATURE-
Re: Re: isc-dhcp-server in squeeze-lst broken after update
On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> Hi Mike,
>
> I have the exact same problem on my server. I simply upgraded from
> 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> Given the patch you attached, this is very strange. But after
> downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> So there seems to be indeed a (critical) issue with 4.1.1-P1-
> 15+squeeze9, as it basically breaks the DHCP server.

I can't see anything wrong with the patch, so I wonder whether there was
something wrong with the build environment.

Additionally, the patch is *not* being applied to isc-dhcp-server. It is
only applied when building isc-dhcp-server-ldap (see the commands for
the build-stamp target). It needs to be moved further up the patch
series.

Ben.

--
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers
Re: Re: isc-dhcp-server in squeeze-lst broken after update
Hi Mike,

I have the exact same problem on my server. I simply upgraded from
4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
Given the patch you attached, this is very strange. But after
downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
So there seems to be indeed a (critical) issue with 4.1.1-P1-15+squeeze9,
as it basically breaks the DHCP server.

Cheers,

Olivier