Re: April report

2017-04-25 Thread Brian May
On 2017-04-26 12:03, Antoine Beaupré wrote:

> For the record, I haven't *quite* figured out how to extract the data
> from my own Kodi instance at home, running 16.1 from backports. The /vfs
> trick doesn't work, nor the /image/image trick from the advisory - but
> god knows what's possible at this point...

Will reply to the easy part for now: 

I found it very difficult to work out the exact URLs too. Eventually I
found strace, and found it helped a lot by showing me the filename it
was trying to open. Although these are relative to the CWD of the kodi
process. IIRC "strace -eopen -p" worked.

Re: April report

2017-04-25 Thread Antoine Beaupré
On 2017-04-20 08:08:50, Brian May wrote:
> Antoine Beaupré  writes:
>
>> On 2017-04-19 19:05:36, Brian May wrote:
>>
>> [...]
>>
>>> As I have run out of hours this month, if anybody else wants to take
>>> over either of these, please let me know and I will provide more
>>> details.
>>
>> I'd take a look at the XBMC thing...
>
> The webserver is in xbmc/network/WebServer.cpp, see AnswerToConnection()
>
> Case (a), URL prefixed with "/vfs", we return the result of
> CreateFileDownloadResponse().  The first 5 characters are removed - so
> if "/vfs/" prefixed it strips the entire prefix - but curiously doesn't
> check the 5th character. So /vfss would also get stripped. (what happens
> if we pass only 4 characters???  "/vfs"?)

Hmm... I am not sure, but it seems to me it takes the "right" part of
the string, starting from the "fifth" character, so whatever comes after
the "fourth" character, i.e. after "/vfs". In my tests:

http://localhost:8080/vfs/etc/passwd

returns /etc/passwd... So just clean passthrough.

> Case (b), any other static file (not ending with /), we fall down to
> CreateFileDownloadResponse() also. In this case I believe the first
> character of the URL is always '/'.

Yeah, that's pretty much what I see as well, but I'm not sure how it
works out in the end - those all give 404s:

http://localhost:8080/temp/xbmc.log
http://localhost:8080/.xbmc/temp/xbmc.log
http://localhost:8080/etc/passwd

So I'm not sure that's such a good vector.

> I don't see any sanity checking of the URL, at any stage.

Clearly, that's something that never crossed the author's mind.

Even the configured username/password protection is bypassed here, which
just boggles my mind. At *least* that should work...

> CreateFileDownloadResponse is in the same file. It opens a CFile to the
> URL, reads it, and sends it.

boom. :)

> CFile stuff is in xbmc/filesystem/File.cpp. CFile in turn passes
> everything to CFileFactory:
>
> CFileFactory::CreateLoader(url), which is in
> xbmc/filesystem/FileFactory.cpp

I just love reading the XBMC source code... Next is a URL factory? :p

> The URL is parsed with CURL. xbmc/URL.cpp

And here I was assuming this was cURL. Silly me. Would have given even
amusing consequences though.

> For case (a) protocol used in the exploit is "special" - this comes from
> the untrusted user supplied URL - now stripped of /vfs/ - and can be
> anything.  As such we use CFileSpecialProtocol. (or any other possible
> protocol). For case (b) (starting with '/') protocol is empty and uses
> CFileHD (not to be confused with CFile which we already used).
>
> Case (a) CFileSpecialProtocol just reads the file, and same with case
> (b) CFileHD just reads the file.
>
> ./xbmc/filesystem/FileSpecialProtocol.cpp
> ./xbmc/filesystem/FileHD.cpp
>
>
> Somewhere for case (a) there must be decoding of the special characters
> in the URL. I am not sure where this decoding takes place. In my scan of
> the source code I think I missed it. Might need to attach a debugger and
> double check what I have said, plus see where the decoding happens.

Maybe this is in CUtil::ValidatePath(), called early in URL::Parse()?

> I am speculating CURL might be the best place to strip "../" sequences
> from the file name, however this really depends on where the above
> decoding takes place.

Problem is "../" doesn't matter at this point - the user can just send
arbitrary absolute paths and kodi just happily gobbles it up. First step
is to make paths relative...

The other problem is that we use that generic CURL interface which is
used internally to refer to media files and whatnot. It seems like
handling path sanitization there could break unrelated things. We need
to fix things upstream, before we pass paths into CURL, in the webserver
directly.

I would sanitize paths there. Maybe through a helper function in
Util.cpp, since there are already path sanitization functions there...

But then *how* do you sanitize this? In the original advisory, Kodi uses
this interface to load thumbnails, _using an absolute path_! If we make
this relative without fixing the caller, we just break thumbnails, and
therefore a significant feature of the web interface (you know,
images).

I may be wrong here, but it seems to me we not only need to fix those
paths to be relative and without path escapes (after entities parsing,
mind you), but we also need to fix *all* possible callers.

This is one nasty horrible bug, if you ask me.

For the record, I haven't *quite* figured out how to extract the data
from my own Kodi instance at home, running 16.1 from backports. The /vfs
trick doesn't work, nor the /image/image trick from the advisory - but
god knows what's possible at this point...

I'll rest my case for tonight and sleep on this one, hopefully, some
brilliant idea will come up tomorrow.

A.

-- 
Quidquid latine dictum sit, altum sonatur.
Whatever is said in Latin sounds profound.
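
The path-confining check the thread is asking for, as an added example that is not Kodi's code: a simplified resolver for a "/vfs/" endpoint that decodes once, then rejects the prefix, traversal and absolute-path cases described above, and only ever returns a path below an assumed document root (it does not model Kodi's special:// protocol or its thumbnail callers).

```cpp
// Added example (not Kodi's code): a confined resolver for a "/vfs/"-style
// file-serving endpoint, doing the checks the thread says are missing.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Percent-decode a URL path once. Returns false on a malformed escape.
static bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2])))
            return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Map a request URL onto a file below `root` (an assumed document root).
// Returns "" when the request is rejected.
//  1. the prefix must be exactly "/vfs/" ("/vfss..." and a bare "/vfs" fail)
//  2. decode BEFORE checking, so "%2e%2e" is seen as ".."
//  3. reject "..", ".", empty segments (so "//etc" cannot go absolute) and NULs
//  4. the result is root + a relative path; the client can never name an
//     absolute path such as /etc/passwd
std::string resolveVfsPath(const std::string& url, const std::string& root) {
    const std::string prefix = "/vfs/";
    if (url.compare(0, prefix.size(), prefix) != 0) return "";
    std::string rest = url.substr(prefix.size());
    size_t q = rest.find('?');          // drop any query string before decoding
    if (q != std::string::npos) rest.erase(q);
    std::string decoded;
    if (!percentDecode(rest, decoded)) return "";
    if (decoded.find('\0') != std::string::npos) return "";
    std::vector<std::string> segments;
    std::string seg;
    for (size_t i = 0; i <= decoded.size(); ++i) {
        bool end = (i == decoded.size());
        if (end || decoded[i] == '/' || decoded[i] == '\\') {
            if (seg.empty() || seg == "." || seg == "..") return "";
            segments.push_back(seg);
            seg.clear();
        } else {
            seg += decoded[i];
        }
    }
    std::string path = root;
    for (const std::string& s : segments) path += "/" + s;
    return path;
}

int main() {
    // Constructed sample requests, including the ones quoted in the thread.
    const char* urls[] = {"/vfs/thumbs/a.jpg", "/vfs/etc/passwd", "/vfss/etc/passwd",
                          "/vfs/../etc/passwd", "/vfs/%2e%2e/etc/passwd"};
    for (const char* u : urls) {
        std::string p = resolveVfsPath(u, "/srv/kodi/www");
        std::cout << u << " -> " << (p.empty() ? "REJECTED" : p) << "\n";
    }
    return 0;
}
```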



[SECURITY] [DLA 917-1] rtmpdump security update

2017-04-25 Thread Emilio Pozuelo Monfort

Package: rtmpdump
Version: 2.4+20111222.git4e06e21-1+deb7u1
CVE ID : CVE-2015-8270 CVE-2015-8271 CVE-2015-8272

Several vulnerabilities were found in rtmpdump and the librtmp
library.

CVE-2015-8270

A bug in AMF3ReadString in librtmp can cause a denial of service via
application crash to librtmp users that talk to a malicious server.

CVE-2015-8271

The AMF3_Decode function in librtmp doesn't properly validate its
input, which can lead to arbitrary code execution when talking
to a malicious attacker.

CVE-2015-8272

A bug in rtmpsrv can lead to a crash when talking to a malicious
client.

For Debian 7 "Wheezy", these problems have been fixed in version
2.4+20111222.git4e06e21-1+deb7u1.

We recommend that you upgrade your rtmpdump packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted rtmpdump 2.4+20111222.git4e06e21-1+deb7u1 (source amd64) into oldstable

2017-04-25 Thread Emilio Pozuelo Monfort

Format: 1.8
Date: Tue, 25 Apr 2017 23:08:29 +0200
Source: rtmpdump
Binary: rtmpdump librtmp0 librtmp-dev
Architecture: source amd64
Version: 2.4+20111222.git4e06e21-1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers 

Changed-By: Emilio Pozuelo Monfort 
Description: 
 librtmp-dev - toolkit for RTMP streams (development files)
 librtmp0   - toolkit for RTMP streams (shared library)
 rtmpdump   - small dumper for media content streamed over the RTMP protocol
Changes: 
 rtmpdump (2.4+20111222.git4e06e21-1+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2015-8270-AMF3ReadString-crash.patch:
 - Fix DoS by application crash.
   * CVE-2015-8271-AMF3_Decode-arbitrary-code-execution-1.patch,
 CVE-2015-8271-AMF3_Decode-arbitrary-code-execution-2.patch:
 - Fix possible arbitrary code execution by sending malicious data to an
   rtmpdump client.
   * CVE-2015-8272-dumpAMF-crash.patch:
 - Fix DoS in rtmpsrv.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 




Accepted mysql-5.5 5.5.55-0+deb7u1 (source all amd64) into oldstable

2017-04-25 Thread Lars Tangvald

Format: 1.8
Date: Wed, 19 Apr 2017 07:05:34 +0200
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev 
mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 
mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.55-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian MySQL Maintainers 
Changed-By: Lars Tangvald 
Description: 
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest 
versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest 
versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 854713 860544
Changes: 
 mysql-5.5 (5.5.55-0+deb7u1) wheezy-security; urgency=high
 .
   * Imported upstream version 5.5.55 to fix security issues:
 - http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
 - CVE-2017-3302 CVE-2017-3305 CVE-2017-3308 CVE-2017-3309
 - CVE-2017-3329 CVE-2017-3453 CVE-2017-3456 CVE-2017-3461
 - CVE-2017-3462 CVE-2017-3463 CVE-2017-3464 CVE-2017-3600
 (Closes: #860544)
 (Closes: #854713)
   * d/patches: refreshed 62_disable_tests.patch
   * d/patches: dropped fix_test_events_2.patch. Issue fixed upstream
   * d/patches: dropped fix use after free patch. Issue fixed upstream
Checksums-Sha1: 
Checksums-Sha256: 

[SECURITY] [DLA 916-1] mysql-5.5 security update

2017-04-25 Thread Emilio Pozuelo Monfort

Package: mysql-5.5
Version: 5.5.55-0+deb7u1
CVE ID : CVE-2016-5483 CVE-2017-3302 CVE-2017-3305 CVE-2017-3308
 CVE-2017-3309 CVE-2017-3329 CVE-2017-3453 CVE-2017-3456
 CVE-2017-3461 CVE-2017-3462 CVE-2017-3463 CVE-2017-3464
 CVE-2017-3600
Debian Bug : 854713 860544

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.55, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible
changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical
Patch Update advisory for further details:

 https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html
 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.55-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[SECURITY] [DLA 915-1] botan1.10 security update

2017-04-25 Thread Thorsten Alteholz


Package: botan1.10
Version: 1.10.5-1+deb7u3
CVE ID : CVE-2017-2801
Debian Bug : 860072
A bug in X509 DN string comparisons could result in out of bound reads.
This could result in information leakage, denial of service, or
potentially incorrect certificate validation results.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10.5-1+deb7u3.

We recommend that you upgrade your botan1.10 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: Wheezy update of gnutls26?

2017-04-25 Thread Antoine Beaupré
On 2017-04-25 18:57:44, Andreas Metzler wrote:
> On 2017-04-24 Antoine Beaupré  wrote:
>> On 2017-04-19 21:37:30, Ola Lundqvist wrote:
>>> The Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of gnutls26:
>>> https://security-tracker.debian.org/tracker/CVE-2017-5337
>>> https://security-tracker.debian.org/tracker/CVE-2017-5336
>>> https://security-tracker.debian.org/tracker/CVE-2017-5335
>>> https://security-tracker.debian.org/tracker/CVE-2017-7869
>>>  (The last one is a minor issue but an easy fix so it is probably
>>>   worth fixing anyway).
>
>> Actually, all 4 of those are minor issues, in my opinion. They have been
>> marked "no-dsa" by the Debian security team, and upstream said:
>
>> Recommendation: The support of OpenPGP certificates in GnuTLS is
>> considered obsolete. As such, it is not recommended to use OpenPGP
>> certificates with GnuTLS. To address the issues found upgrade to
>> GnuTLS 3.5.10 or later versions.
>
>> Indeed, two weeks ago, OpenPGP support was completely disabled upstream
>> for newer GnuTLS releases.
> [...]
>> So after a long reflection (I've looked at those CVEs a few times already),
>> I have marked the 4 CVEs as "no-dsa".
>
>> Feel free to say so if you are actually using those extensions and want
>> us to take a look again.
>
>> To the GnuTLS maintainers: of course, if you want to produce an update
>> for wheezy (and, for that matter, jessie), we'd be happy to assist you.
>
> Hello,
> Just for completeness' sake: Although they are marked no-dsa, we intend
> to fix them for stable.
>
> Regarding LTS I would rather not touch GnuTLS 2.x anymore. If this box
> was opened it probably would make sense to upgrade to 2.12.24.

Agreed!

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
 - H. G. Wells



Re: Wheezy update of gnutls26?

2017-04-25 Thread Andreas Metzler
On 2017-04-24 Antoine Beaupré  wrote:
> On 2017-04-19 21:37:30, Ola Lundqvist wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of gnutls26:
>> https://security-tracker.debian.org/tracker/CVE-2017-5337
>> https://security-tracker.debian.org/tracker/CVE-2017-5336
>> https://security-tracker.debian.org/tracker/CVE-2017-5335
>> https://security-tracker.debian.org/tracker/CVE-2017-7869
>>  (The last one is a minor issue but an easy fix so it is probably
>>   worth fixing anyway).

> Actually, all 4 of those are minor issues, in my opinion. They have been
> marked "no-dsa" by the Debian security team, and upstream said:

> Recommendation: The support of OpenPGP certificates in GnuTLS is
> considered obsolete. As such, it is not recommended to use OpenPGP
> certificates with GnuTLS. To address the issues found upgrade to
> GnuTLS 3.5.10 or later versions.

> Indeed, two weeks ago, OpenPGP support was completely disabled upstream
> for newer GnuTLS releases.
[...]
> So after a long reflection (I've looked at those CVEs a few times already),
> I have marked the 4 CVEs as "no-dsa".

> Feel free to say so if you are actually using those extensions and want
> us to take a look again.

> To the GnuTLS maintainers: of course, if you want to produce an update
> for wheezy (and, for that matter, jessie), we'd be happy to assist you.

Hello,
Just for completeness' sake: Although they are marked no-dsa, we intend
to fix them for stable.

Regarding LTS I would rather not touch GnuTLS 2.x anymore. If this box
was opened it probably would make sense to upgrade to 2.12.24.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: testing Mysql 5.5.55 for LTS

2017-04-25 Thread Salvatore Bonaccorso
Hi Emilio,

On Tue, Apr 25, 2017 at 01:30:39PM +0200, Emilio Pozuelo Monfort wrote:
> On 25/04/17 13:26, Ola Lundqvist wrote:
> > Hi
> > 
> > Just for my understanding what is the reason for waiting for the jessie 
> > upload?
> 
> Not having a higher version in wheezy than in jessie.

I'm planning to release the jessie version tonight, although it has
only been basically tested (but OTOH the upstream testsuite is extensive and
was tested by upstream).

Regards,
Salvatore



Re: testing Mysql 5.5.55 for LTS

2017-04-25 Thread Ola Lundqvist
Hi

Just for my understanding what is the reason for waiting for the jessie
upload?

/ Ola

Sent from a phone

Den 24 apr 2017 13:46 skrev "Emilio Pozuelo Monfort" :

> On 24/04/17 07:41, Lars Tangvald wrote:
> > Hi,
> >
> > The debian/wheezy branch should now be updated.
>
> Thanks Lars. Test packages for amd64 are available at
>
> https://people.debian.org/~pochu/lts/mysql/
>
> I did some smoke testing, but we have to wait for the jessie update, so if
> someone wants to give this some more testing that'd be nice.
>
> Thanks,
> Emilio
>
>


Re: testing Mysql 5.5.55 for LTS

2017-04-25 Thread Emilio Pozuelo Monfort
On 25/04/17 13:26, Ola Lundqvist wrote:
> Hi
> 
> Just for my understanding what is the reason for waiting for the jessie 
> upload?

Not having a higher version in wheezy than in jessie.

Emilio