Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote: > > > > So, you've identified the upstream fix for CVE-2016-6293 and why does > > that not get commited to the security tracker? > > > > That really sucks. LTS development almost fully relies on the > > security tracker, so why don't you submit generic vulnerability information > > you come across? > > > I was not aware that I needed to do that. It is not documented anywhere > in the LTS workflow [0] or in the security tracker itself [1]. > > Please let me know how I go about adding this to the security tracker > and I will. If you find useful information on e.g. howto reproduce the bug or about the proper upstream fix use NOTE: See e.g. this entry from the top of the current data/CVE/list: CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings] - qemu - qemu-kvm NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462 NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2 Cheers, -- Guido
Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote: > > So, you've identified the upstream fix for CVE-2016-6293 and why does > that not get commited to the security tracker? > > That really sucks. LTS development almost fully relies on the > security tracker, so why don't you submit generic vulnerability information > you come across? > I was not aware that I needed to do that. It is not documented anywhere in the LTS workflow [0] or in the security tracker itself [1]. Please let me know how I go about adding this to the security tracker and I will. Regards, -Roberto [0] https://wiki.debian.org/LTS/Development [1] https://security-tracker.debian.org/tracker/ -- Roberto C. Sánchez http://people.connexer.com/~roberto http://www.connexer.com
curl security update for Wheezy LTS
Hi, I have prepared an update for curl in Wheezy. Please see the diff to previous version attached. Changes: curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium . * Non-maintainer upload by the LTS team. * Fix CVE-2016-7141: Incorrect reuse of client certificates The binary packages for amd64 are also available for testing here: https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/ The build-time tests did not show any regression and the fix is very simple thus I believe it can be used without reproducing the actual issue. I'm not aware of any available exploit. Cheers, Balint diff -Nru curl-7.26.0/debian/changelog curl-7.26.0/debian/changelog --- curl-7.26.0/debian/changelog 2016-08-04 13:40:13.0 +0200 +++ curl-7.26.0/debian/changelog 2016-09-07 20:31:51.0 +0200 @@ -1,3 +1,10 @@ +curl (7.26.0-1+wheezy15) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS team. + * Fix CVE-2016-7141: Incorrect reuse of client certificates + + -- Balint ReczeyWed, 07 Sep 2016 20:28:07 +0200 + curl (7.26.0-1+wheezy14) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru curl-7.26.0/debian/patches/CVE-2016-7141.patch curl-7.26.0/debian/patches/CVE-2016-7141.patch --- curl-7.26.0/debian/patches/CVE-2016-7141.patch 1970-01-01 01:00:00.0 +0100 +++ curl-7.26.0/debian/patches/CVE-2016-7141.patch 2016-09-07 20:27:28.0 +0200 @@ -0,0 +1,37 @@ +From 7700fcba64bf5806de28f6c1c7da3b4f0b38567d Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 22 Aug 2016 10:24:35 +0200 +Subject: [PATCH] nss: refuse previously loaded certificate from file + +... when we are not asked to use a certificate from file + +Origin: upstream +Reviewed-by: Balint Reczey + +--- a/lib/nss.c b/lib/nss.c +@@ -779,10 +779,10 @@ + struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg; + struct SessionHandle *data = connssl->data; + const char *nickname = connssl->client_nickname; ++ static const char pem_slotname[] = "PEM Token #1"; + + if(connssl->obj_clicert) { + /* use the cert/key provided by PEM reader */ +-static const char pem_slotname[] = "PEM Token #1"; + SECItem cert_der = { 0, NULL, 0 }; + void *proto_win = SSL_RevealPinArg(sock); + +@@ -839,6 +839,12 @@ + if(NULL == nickname) + nickname = "[unknown]"; + ++ if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) { ++failf(data, "NSS: refusing previously loaded certificate from file: %s", ++ nickname); ++return SECFailure; ++ } ++ + if(NULL == *pRetKey) { + failf(data, "NSS: private key not found for certificate: %s", nickname); + return SECFailure; diff -Nru curl-7.26.0/debian/patches/series curl-7.26.0/debian/patches/series --- curl-7.26.0/debian/patches/series 2016-08-04 13:40:13.0 +0200 +++ curl-7.26.0/debian/patches/series 2016-09-07 20:22:24.0 +0200 @@ -22,6 +22,7 @@ 22_CVE-2015-3148-2.patch CVE-2016-5419.patch CVE-2016-5420.patch +CVE-2016-7141.patch # Add new patches before the ones below this line 90_gnutls.patch
Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 08:25:36AM -0400, Roberto C. Sánchez wrote: > On Wed, Sep 07, 2016 at 11:07:16AM +0200, Bálint Réczey wrote: > > > > I have not found however the proposed fix on the list thus I did not > > know if you used the upstream fix. > > > > I think it would be a good idea to send the patch to the list before the > > final upload. > > > Good point. I have attached the patch to this email. I intend to > upload tonight or tomorrow (the last few days have been quite busy and I > am playing catch up). > > Description: fix for null termination in uloc_acceptLanguageFromHTTP > Origin: upstream, http://bugs.icu-project.org/trac/changeset/39109 So, you've identified the upstream fix for CVE-2016-6293 and why does that not get commited to the security tracker? That really sucks. LTS development almost fully relies on the security tracker, so why don't you submit generic vulnerability information you come across? Cheers, Moritz
Re: Wheezy update of libtomcrypt?
Am 07.09.2016 um 13:23 schrieb Bálint Réczey: >>> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take >>> your >>> answer as covering all future security updates for releases in LTS period >>> thus we won't contact you for each CVE. >> >> It's great idea to have maintainers actually "opt out" of future mails >> regarding LTS. >> >> Do we keep a list of packages where we don't want to contact maintainers >> since they don't want to work on LTS updates? Ideally this would be >> parsed by contact-maintainers. > > I have updated the contact-maintainers template and added an initial list in > data/packages/lts-do-not-call . > > If the format is OK, we can also update the contact-maintainers script. Awesome, thanks a lot for implementing this! Cheers, jonas signature.asc Description: OpenPGP digital signature
Re: Wheezy update of inspircd?
On Tue, 2016-09-06 at 22:28 -0400, Antoine Beaupré wrote: > I am a bit surprised to see this - are ircd packages sponsored now? > There's a similar issue in Charybdis and I deliberately marked it as > unsupported in LTS because, AFAIK, no customer expressed the need to > support those yet. If Freexian customers don't use it then it's low priority for those of us paid through Freexian. But that doesn't mean it should be marked unsupported by the LTS team. > I'd be glad to see if we can update charybdis in Wheezy as well, but to > be honest, i think people running IRCs on wheezy are really looking for > trouble, both in the case of charybdis and inspircd. I think they should > be marked as unsupported, because they are not supported upstream. > > I had an interesting conversation with the inspircd maintainers > recently, over IRC: they are basically saying that 2.0.5 is full of > security holes, and they do not bother with issuing CVEs, so it's really > hard to tell what version if affected by what. This, on the other hand, is a good reason to make it explicitly unsupported (or, if some LTS users really do want it, to move to a supportable upstream version). Ben. > It's only because I requested those CVEs that this issue propped up on > Debian's radar at all, btw... > > A. -- Ben Hutchings For every action, there is an equal and opposite criticism. - Harrison signature.asc Description: This is a digitally signed message part
Re: testing asterisk for Wheezy LTS
Hi Balint, On Wed, 7 Sep 2016, Bálint Réczey wrote: Are you still working on the remaining CVE-s? yes, I am still working on them. Thorsten
Re: Wheezy update of libtomcrypt?
Hi, Thanks for having a look! On Wed, Sep 07, 2016 at 01:23:49PM +0200, Bálint Réczey wrote: > Hi, > > 2016-09-07 8:00 GMT+02:00 Guido Günther: > > Hi Bálint, > > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > >> Hi Michael, > >> > >> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg : > >> > Thanks for your work on LTS. > >> > > >> > Time does not permit me to do any of this work myself. > >> > > >> > Please go ahead and make any changes as you see fit, there’s no need for > >> > my > >> > review. > >> > >> Thank you for your quick answer. > >> > >> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take > >> your > >> answer as covering all future security updates for releases in LTS period > >> thus we won't contact you for each CVE. > > > > It's great idea to have maintainers actually "opt out" of future mails > > regarding LTS. > > > > Do we keep a list of packages where we don't want to contact maintainers > > since they don't want to work on LTS updates? Ideally this would be > > parsed by contact-maintainers. > > I have updated the contact-maintainers template and added an initial list in > data/packages/lts-do-not-call . > > If the format is OK, we can also update the contact-maintainers script. Looks o.k. to me. Since we have the tools that read that file and the file in the same repo we can switch to more complex format at any later point if necessary. Cheers, -- Guido
Re: Wheezy update of libtomcrypt?
Hi, 2016-09-07 8:00 GMT+02:00 Guido Günther: > Hi Bálint, > On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: >> Hi Michael, >> >> 2016-09-04 17:51 GMT+02:00 Michael Stapelberg : >> > Thanks for your work on LTS. >> > >> > Time does not permit me to do any of this work myself. >> > >> > Please go ahead and make any changes as you see fit, there’s no need for my >> > review. >> >> Thank you for your quick answer. >> >> I (on behalf of the LTS Team since I'm responsible for frontdesk now) take >> your >> answer as covering all future security updates for releases in LTS period >> thus we won't contact you for each CVE. > > It's great idea to have maintainers actually "opt out" of future mails > regarding LTS. > > Do we keep a list of packages where we don't want to contact maintainers > since they don't want to work on LTS updates? Ideally this would be > parsed by contact-maintainers. I have updated the contact-maintainers template and added an initial list in data/packages/lts-do-not-call . If the format is OK, we can also update the contact-maintainers script. Cheers, Balint
Re: Wheezy update of icu?
Hi Roberto, 2016-09-07 4:06 GMT+02:00 Roberto C. Sánchez: > Hi Balint, > > On Wed, Sep 07, 2016 at 03:12:46AM +0200, Bálint Réczey wrote: >> Hi Roberto, >> >> I think there is no need wait more (wearing my frontdesk hat). >> There are fixes in upstream's repository: >> http://bugs.icu-project.org/trac/log/icu/trunk/source/common/uloc.cpp >> > I actually sent my August report yesterday where I mentioned that this > is nearly complete :-) Yes, I saw that and it is great. :-) > > I just have to build the package, sign it, and then publish the DLA. I > should be able to get to it in the next day or so. I have not found however the proposed fix on the list thus I did not know if you used the upstream fix. I think it would be a good idea to send the patch to the list before the final upload. Cheers, Balint
Re: Wheezy update of roundcube
Hi If you are sure CVE-2016-4068 is mitigated then we should be able to mark it as fixed. But you need to be sure. :-) // Ola On Tue, Sep 6, 2016 at 6:13 PM, Raphael Hertzogwrote: > Hi Markus, > > On Wed, 20 Jul 2016, Markus Koschany wrote: >> Feel free to work on everything you like. Fixing CVE-2014-9587 together >> with CVE-2016-4069 isn't strictly required but you could probably reuse >> some of your work if you try to tackle these issue. In any case the >> whole CSRF complex requires much more work IMO and unless you are >> already familiar with Roundcube and PHP it might not be the right >> package to start with. It's up to you. > > It was indeed a non-trivial amount of work... but the attached patch > fixes CVE-2016-4069 according to my tests (i.e. downloads requests > without _token do fail). > > On thursday I will see if I can deal with CVE-2014-9587 as well. > > Then there's https://security-tracker.debian.org/tracker/CVE-2016-4068 > you left it open but it's mitigated since one cannot view SVG files. > There is a patch available now > (https://github.com/roundcube/roundcubemail/commit/a1fdb205f824dee7fd42dda739f207abc85ce158) > but I'm not sure it's worth the effort of the backport. Because > backporting this patch would also require backporting the real > fix for https://security-tracker.debian.org/tracker/CVE-2015-8864 > which is also rather involved. > > Thus I'm tempted to just mark the CVE-2016-4068 as fixed with your DLA-537-1. > > What do you think? > > I just spent 5 hours just for the attached patch... > > Cheers, > -- > Raphaël Hertzog ◈ Debian Developer > > Support Debian LTS: http://www.freexian.com/services/debian-lts.html > Learn to master Debian: http://debian-handbook.info/get/ -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---
Re: testing php5 for Wheezy LTS
On 08/31/2016 08:37 PM, Thorsten Alteholz wrote: Hi everybody, I uploaded version 5.4.45-0+deb7u4 of php5 to: https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/ Please give it a try and tell me about any problems you met. As requested by Jan, besides the CVEs I also added patches for bug#70436 and bug#72681. I've tested it on a couple of servers, and find no obvious problems. -- Cheers, Jan
Re: Wheezy update of inspircd?
Hi The LTS team also tries to fix security holes in all packages. Not only the ones explicitly expressed a need for by the customers. The ones expressed a need for always have a higher priority. However if it is like you write that 2.0.5 is full of security holes and nobody have expressed a need, maybe we should mark it as unsupported instead. // Ola On Wed, Sep 7, 2016 at 4:28 AM, Antoine Beaupréwrote: > I am a bit surprised to see this - are ircd packages sponsored now? > There's a similar issue in Charybdis and I deliberately marked it as > unsupported in LTS because, AFAIK, no customer expressed the need to > support those yet. > > I'd be glad to see if we can update charybdis in Wheezy as well, but to > be honest, i think people running IRCs on wheezy are really looking for > trouble, both in the case of charybdis and inspircd. I think they should > be marked as unsupported, because they are not supported upstream. > > I had an interesting conversation with the inspircd maintainers > recently, over IRC: they are basically saying that 2.0.5 is full of > security holes, and they do not bother with issuing CVEs, so it's really > hard to tell what version if affected by what. > > It's only because I requested those CVEs that this issue propped up on > Debian's radar at all, btw... > > A. > -- > Le pouvoir n'est pas à conquérir, il est à détruire > - Jean-François Brient, de la servitude moderne > -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---
Re: Wheezy update of libtomcrypt?
Hi Bálint, On Wed, Sep 07, 2016 at 12:21:28AM +0200, Bálint Réczey wrote: > Hi Michael, > > 2016-09-04 17:51 GMT+02:00 Michael Stapelberg: > > Thanks for your work on LTS. > > > > Time does not permit me to do any of this work myself. > > > > Please go ahead and make any changes as you see fit, there’s no need for my > > review. > > Thank you for your quick answer. > > I (on behalf of the LTS Team since I'm responsible for frontdesk now) take > your > answer as covering all future security updates for releases in LTS period > thus we won't contact you for each CVE. It's great idea to have maintainers actually "opt out" of future mails regarding LTS. Do we keep a list of packages where we don't want to contact maintainers since they don't want to work on LTS updates? Ideally this would be parsed by contact-maintainers. Cheers, -- Guido