Re: Wheezy update of icu?

[Guido Günther]

On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> > 
> > So, you've identified the upstream fix for CVE-2016-6293 and why does
> > that not get commited to the security tracker?
> > 
> > That really sucks. LTS development almost fully relies on the
> > security tracker, so why don't you submit generic vulnerability information
> > you come across?
> > 
> I was not aware that I needed to do that.  It is not documented anywhere
> in the LTS workflow [0] or in the security tracker itself [1].
> 
> Please let me know how I go about adding this to the security tracker
> and I will.

If you find useful information on e.g. howto reproduce the bug or about
the proper upstream fix use

   NOTE:

See e.g. this entry from the top of the current data/CVE/list:


CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting 
descriptor rings]
- qemu 
- qemu-kvm 
NOTE: Upstream patch: 
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2

Cheers,
 -- Guido

Re: Wheezy update of icu?

[Roberto C . Sánchez]

On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> 
> So, you've identified the upstream fix for CVE-2016-6293 and why does
> that not get commited to the security tracker?
> 
> That really sucks. LTS development almost fully relies on the
> security tracker, so why don't you submit generic vulnerability information
> you come across?
> 
I was not aware that I needed to do that.  It is not documented anywhere
in the LTS workflow [0] or in the security tracker itself [1].

Please let me know how I go about adding this to the security tracker
and I will.

Regards,

-Roberto

[0] https://wiki.debian.org/LTS/Development
[1] https://security-tracker.debian.org/tracker/

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

curl security update for Wheezy LTS

[Bálint Réczey]

Hi,

I have prepared an update for curl in Wheezy.

Please see the diff to previous version attached.

Changes:
 curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-7141: Incorrect reuse of client certificates

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

The build-time tests did not show any regression and the fix is very
simple thus I believe it can be used without reproducing the actual
issue. I'm not aware of any available exploit.

Cheers,
Balint


diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog
--- curl-7.26.0/debian/changelog	2016-08-04 13:40:13.0 +0200
+++ curl-7.26.0/debian/changelog	2016-09-07 20:31:51.0 +0200
@@ -1,3 +1,10 @@
+curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-7141: Incorrect reuse of client certificates
+
+ -- Balint Reczey   Wed, 07 Sep 2016 20:28:07 +0200
+
 curl (7.26.0-1+wheezy14) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
diff -Nru curl-7.26.0/debian/patches/CVE-2016-7141.patch curl-7.26.0/debian/patches/CVE-2016-7141.patch
--- curl-7.26.0/debian/patches/CVE-2016-7141.patch	1970-01-01 01:00:00.0 +0100
+++ curl-7.26.0/debian/patches/CVE-2016-7141.patch	2016-09-07 20:27:28.0 +0200
@@ -0,0 +1,37 @@
+From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka 
+Date: Mon, 22 Aug 2016 10:24:35 +0200
+Subject: [PATCH] nss: refuse previously loaded certificate from file
+
+... when we are not asked to use a certificate from file
+
+Origin: upstream
+Reviewed-by: Balint Reczey 
+
+--- a/lib/nss.c
 b/lib/nss.c
+@@ -779,10 +779,10 @@
+   struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
+   struct SessionHandle *data = connssl->data;
+   const char *nickname = connssl->client_nickname;
++  static const char pem_slotname[] = "PEM Token #1";
+ 
+   if(connssl->obj_clicert) {
+ /* use the cert/key provided by PEM reader */
+-static const char pem_slotname[] = "PEM Token #1";
+ SECItem cert_der = { 0, NULL, 0 };
+ void *proto_win = SSL_RevealPinArg(sock);
+ 
+@@ -839,6 +839,12 @@
+   if(NULL == nickname)
+ nickname = "[unknown]";
+ 
++  if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) {
++failf(data, "NSS: refusing previously loaded certificate from file: %s",
++  nickname);
++return SECFailure;
++  }
++
+   if(NULL == *pRetKey) {
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
+ return SECFailure;
diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series
--- curl-7.26.0/debian/patches/series	2016-08-04 13:40:13.0 +0200
+++ curl-7.26.0/debian/patches/series	2016-09-07 20:22:24.0 +0200
@@ -22,6 +22,7 @@
 22_CVE-2015-3148-2.patch
 CVE-2016-5419.patch
 CVE-2016-5420.patch
+CVE-2016-7141.patch
 # Add new patches before the ones below this line
 
 90_gnutls.patch

Re: Wheezy update of icu?

[Moritz Muehlenhoff]

On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote:
> > 
> > I have not found however the proposed fix on the list thus I did not
> > know if you used the upstream fix.
> > 
> > I think it would be a good idea to send the patch to the list before the
> > final upload.
> > 
> Good point.  I have attached the patch to this email.  I intend to
> upload tonight or tomorrow (the last few days have been quite busy and I
> am playing catch up).
>
> Description: fix for null termination in uloc_acceptLanguageFromHTTP
> Origin: upstream, http://bugs.icu-project.org/trac/changeset/39109

So, you've identified the upstream fix for CVE-2016-6293 and why does
that not get commited to the security tracker?

That really sucks. LTS development almost fully relies on the
security tracker, so why don't you submit generic vulnerability information
you come across?

Cheers,
Moritz

Re: Wheezy update of libtomcrypt?

[Jonas Meurer]

Am 07.09.2016 um 13:23 schrieb Bálint Réczey:
>>> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take 
>>> your
>>> answer as covering all future security updates for releases in LTS period
>>> thus we won't contact you for each CVE.
>>
>> It's great idea to have maintainers actually "opt out" of future mails
>> regarding LTS.
>>
>> Do we keep a list of packages where we don't want to contact maintainers
>> since they don't want to work on LTS updates? Ideally this would be
>> parsed by contact-maintainers.
> 
> I have updated the contact-maintainers template and added an initial list in
> data/packages/lts-do-not-call .
> 
> If the format is OK, we can also update the contact-maintainers script.

Awesome, thanks a lot for implementing this!

Cheers,
 jonas





signature.asc
Description: OpenPGP digital signature

Re: Wheezy update of inspircd?

[Ben Hutchings]

On Tue, 2016-09-06 at 22:28 -0400, Antoine Beaupré wrote:
> I am a bit surprised to see this - are ircd packages sponsored now?
> There's a similar issue in Charybdis and I deliberately marked it as
> unsupported in LTS because, AFAIK, no customer expressed the need to
> support those yet.

If Freexian customers don't use it then it's low priority for those of
us paid through Freexian.  But that doesn't mean it should be marked
unsupported by the LTS team.

> I'd be glad to see if we can update charybdis in Wheezy as well, but to
> be honest, i think people running IRCs on wheezy are really looking for
> trouble, both in the case of charybdis and inspircd. I think they should
> be marked as unsupported, because they are not supported upstream.
> 
> I had an interesting conversation with the inspircd maintainers
> recently, over IRC: they are basically saying that 2.0.5 is full of
> security holes, and they do not bother with issuing CVEs, so it's really
> hard to tell what version if affected by what.

This, on the other hand, is a good reason to make it explicitly
unsupported (or, if some LTS users really do want it, to move to a
supportable upstream version).

Ben.

> It's only because I requested those CVEs that this issue propped up on
> Debian's radar at all, btw...
> 
> A.
-- 
Ben Hutchings
For every action, there is an equal and opposite criticism. - Harrison


signature.asc
Description: This is a digitally signed message part

Re: testing asterisk for Wheezy LTS

[Thorsten Alteholz]

Hi Balint,

On Wed, 7 Sep 2016, Bálint Réczey wrote:

Are you still working on the remaining CVE-s?


yes, I am still working on them.

  Thorsten

Re: Wheezy update of libtomcrypt?

[Guido Günther]

Hi,

Thanks for having a look!

On Wed, Sep 07, 2016 at 01:23:49PM +0200, Bálint Réczey wrote:
> Hi,
> 
> 2016-09-07 8:00 GMT+02:00 Guido Günther :
> > Hi Bálint,
> > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote:
> >> Hi Michael,
> >>
> >> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg :
> >> > Thanks for your work on LTS.
> >> >
> >> > Time does not permit me to do any of this work myself.
> >> >
> >> > Please go ahead and make any changes as you see fit, there’s no need for 
> >> > my
> >> > review.
> >>
> >> Thank you for your quick answer.
> >>
> >> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take 
> >> your
> >> answer as covering all future security updates for releases in LTS period
> >> thus we won't contact you for each CVE.
> >
> > It's great idea to have maintainers actually "opt out" of future mails
> > regarding LTS.
> >
> > Do we keep a list of packages where we don't want to contact maintainers
> > since they don't want to work on LTS updates? Ideally this would be
> > parsed by contact-maintainers.
> 
> I have updated the contact-maintainers template and added an initial list in
> data/packages/lts-do-not-call .
> 
> If the format is OK, we can also update the contact-maintainers script.

Looks o.k. to me. Since we have the tools that read that file and the
file in the same repo we can switch to more complex format at any later
point if necessary.

Cheers,
 -- Guido

Re: Wheezy update of libtomcrypt?

[Bálint Réczey]

Hi,

2016-09-07 8:00 GMT+02:00 Guido Günther :
> Hi Bálint,
> On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote:
>> Hi Michael,
>>
>> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg :
>> > Thanks for your work on LTS.
>> >
>> > Time does not permit me to do any of this work myself.
>> >
>> > Please go ahead and make any changes as you see fit, there’s no need for my
>> > review.
>>
>> Thank you for your quick answer.
>>
>> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take 
>> your
>> answer as covering all future security updates for releases in LTS period
>> thus we won't contact you for each CVE.
>
> It's great idea to have maintainers actually "opt out" of future mails
> regarding LTS.
>
> Do we keep a list of packages where we don't want to contact maintainers
> since they don't want to work on LTS updates? Ideally this would be
> parsed by contact-maintainers.

I have updated the contact-maintainers template and added an initial list in
data/packages/lts-do-not-call .

If the format is OK, we can also update the contact-maintainers script.

Cheers,
Balint

Re: Wheezy update of icu?

[Bálint Réczey]

Hi Roberto,

2016-09-07 4:06 GMT+02:00 Roberto C. Sánchez :
> Hi Balint,
>
> On Wed, Sep 07, 2016 at 03:12:46AM +0200, Bálint Réczey wrote:
>> Hi Roberto,
>>
>> I think there is no need wait more (wearing my frontdesk hat).
>> There are fixes in upstream's repository:
>> http://bugs.icu-project.org/trac/log/icu/trunk/source/common/uloc.cpp
>>
> I actually sent my August report yesterday where I mentioned that this
> is nearly complete :-)

Yes, I saw that and it is great. :-)

>
> I just have to build the package, sign it, and then publish the DLA.  I
> should be able to get to it in the next day or so.

I have not found however the proposed fix on the list thus I did not
know if you used the upstream fix.

I think it would be a good idea to send the patch to the list before the
final upload.

Cheers,
Balint

Re: Wheezy update of roundcube

[Ola Lundqvist]

Hi

If you are sure CVE-2016-4068 is mitigated then we should be able to
mark it as fixed.
But you need to be sure. :-)

// Ola

On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzog  wrote:
> Hi Markus,
>
> On Wed, 20 Jul 2016, Markus Koschany wrote:
>> Feel free to work on everything you like. Fixing CVE-2014-9587 together
>> with CVE-2016-4069 isn't strictly required but you could probably reuse
>> some of your work if you try to tackle these issue. In any case the
>> whole CSRF complex requires much more work IMO and unless you are
>> already familiar with Roundcube and PHP it might not be the right
>> package to start with. It's up to you.
>
> It was indeed a non-trivial amount of work... but the attached patch
> fixes CVE-2016-4069 according to my tests (i.e. downloads requests
> without _token do fail).
>
> On thursday I will see if I can deal with CVE-2014-9587 as well.
>
> Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068
> you left it open but it's mitigated since one cannot view SVG files.
> There is a patch available now
> (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158)
> but I'm not sure it's worth the effort of the backport. Because
> backporting this patch would also require backporting the real
> fix for https://security-tracker.debian.org/tracker/CVE-2015-8864
> which is also rather involved.
>
> Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1.
>
> What do you think?
>
> I just spent 5 hours just for the attached patch...
>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---

Re: testing php5 for Wheezy LTS

[Jan Ingvoldstad]

On 08/31/2016 08:37 PM, Thorsten Alteholz wrote:

Hi everybody,

I uploaded version 5.4.45-0+deb7u4 of php5 to:
 https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/

Please give it a try and tell me about any problems you met. As
requested by Jan, besides the CVEs I also added patches for bug#70436
and bug#72681.


I've tested it on a couple of servers, and find no obvious problems.
--
Cheers,
Jan

Re: Wheezy update of inspircd?

[Ola Lundqvist]

Hi

The LTS team also tries to fix security holes in all packages. Not
only the ones explicitly expressed a need for by the customers. The
ones expressed a need for always have a higher priority.

However if it is like you write that 2.0.5 is full of security holes
and nobody have expressed a need, maybe we should mark it as
unsupported instead.

// Ola

On Wed, Sep 7, 2016 at 4:28 AM, Antoine Beaupré  wrote:
> I am a bit surprised to see this - are ircd packages sponsored now?
> There's a similar issue in Charybdis and I deliberately marked it as
> unsupported in LTS because, AFAIK, no customer expressed the need to
> support those yet.
>
> I'd be glad to see if we can update charybdis in Wheezy as well, but to
> be honest, i think people running IRCs on wheezy are really looking for
> trouble, both in the case of charybdis and inspircd. I think they should
> be marked as unsupported, because they are not supported upstream.
>
> I had an interesting conversation with the inspircd maintainers
> recently, over IRC: they are basically saying that 2.0.5 is full of
> security holes, and they do not bother with issuing CVEs, so it's really
> hard to tell what version if affected by what.
>
> It's only because I requested those CVEs that this issue propped up on
> Debian's radar at all, btw...
>
> A.
> --
> Le pouvoir n'est pas à conquérir, il est à détruire
> - Jean-François Brient, de la servitude moderne
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---

Re: Wheezy update of libtomcrypt?

[Guido Günther]

Hi Bálint,
On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote:
> Hi Michael,
> 
> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg :
> > Thanks for your work on LTS.
> >
> > Time does not permit me to do any of this work myself.
> >
> > Please go ahead and make any changes as you see fit, there’s no need for my
> > review.
> 
> Thank you for your quick answer.
> 
> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take 
> your
> answer as covering all future security updates for releases in LTS period
> thus we won't contact you for each CVE.

It's great idea to have maintainers actually "opt out" of future mails
regarding LTS.

Do we keep a list of packages where we don't want to contact maintainers
since they don't want to work on LTS updates? Ideally this would be
parsed by contact-maintainers.

Cheers,
 -- Guido