[SECURITY] [DLA 1600-1] libarchive security update
Package: libarchive
Version: 3.1.2-11+deb8u4
CVE ID : CVE-2015-8915 CVE-2016-8687 CVE-2016-8688 CVE-2016-8689
         CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-5601
         CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503
Debian Bug : 853278 875960 875974 875966 874539 840934 840935 861609
             859456 861609 784213

Multiple security vulnerabilities were found in libarchive, a multi-format
archive and compression library. Heap-based buffer over-reads, NULL pointer
dereferences and out-of-bounds reads allow remote attackers to cause a
denial-of-service (application crash) via specially crafted archive files.

For Debian 8 "Jessie", these problems have been fixed in version
3.1.2-11+deb8u4.

We recommend that you upgrade your libarchive packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Accepted libarchive 3.1.2-11+deb8u4 (source amd64) into oldstable
Format: 1.8
Date: Thu, 29 Nov 2018 18:31:17 +0100
Source: libarchive
Binary: libarchive-dev libarchive13 bsdtar bsdcpio
Architecture: source amd64
Version: 3.1.2-11+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Debian Libarchive Maintainers
Changed-By: Markus Koschany
Description:
 bsdcpio    - Implementation of the 'cpio' program from FreeBSD
 bsdtar     - Implementation of the 'tar' program from FreeBSD
 libarchive-dev - Multi-format archive and compression library (development files)
 libarchive13 - Multi-format archive and compression library (shared library)
Changes:
 libarchive (3.1.2-11+deb8u4) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix the following security vulnerabilities:
     CVE-2015-8915, CVE-2016-10209, CVE-2016-10349, CVE-2016-10350,
     CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2017-14166,
     CVE-2017-14501, CVE-2017-14502, CVE-2017-14503, CVE-2017-5601.
     Multiple security vulnerabilities were found in libarchive, a multi-format
     archive and compression library. Heap-based buffer over-reads, NULL pointer
     dereferences and out-of-bounds reads allow remote attackers to cause a
     denial-of-service (application crash) via specially crafted archive files.
Re: Xen 4.4 updates vs. Xen Stretch backport
On 2018-11-28 22:44:52, Moritz Muehlenhoff wrote:
> On Wed, Nov 28, 2018 at 12:59:11PM +0100, Peter Dreuw wrote:
>> Hi out there,
>> Another option would be backporting the Xen
>> 4.8.4+xsa273+shim4.10.1+xsa273-1+deb9u10 (and following) package from
>> Stretch to Jessie.
>
> What would be the point? If you migrate to a complete new Xen release,
> then you can just as well migrate to stretch (which will also have
> proven, compatible matching versions of libvirt/Linux/qemu/ etc.
>
> If some of the Spectre mitigations can't be backported, make a detailed
> writeup of what people are missing in 4.4 and let them handle it
> based on that data (update to stretch or stick with 4.4/jessie); there's
> still plenty of legitimate use cases which can be run in a secure
> manner with 4.4 (internal VMs with trusted users etc).

I agree. It's not like Spectre is trivial to exploit either, so the
tradeoff might be acceptable for some users.

Xen upgrades are usually fairly smooth, but considering the dom0 is most
likely *only* running Xen, upgrading to stretch is probably equivalent to
upgrading to a Xen backported from stretch. So while I usually am a
proponent of aggressive backports, I think that, in this case, we would
actually be doing a disservice to our users by forcibly backporting a
version from stretch. :)

Peter, are there non-speculative vulnerabilities remaining we could look
at? Otherwise I would just publish a DLA saying we simply stop supporting
that aspect of Xen...

A.

-- 
The future is already here – it's just not very evenly distributed.
- William Gibson
Accepted qemu 1:2.1+dfsg-12+deb8u8 (source amd64) into oldstable
Format: 1.8
Date: Mon, 26 Nov 2018 11:22:21 +0100
Source: qemu
Binary: qemu qemu-system qemu-system-common qemu-system-misc qemu-system-arm qemu-system-mips qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-static qemu-user-binfmt qemu-utils qemu-guest-agent qemu-kvm
Architecture: source amd64
Version: 1:2.1+dfsg-12+deb8u8
Distribution: jessie-security
Urgency: medium
Maintainer: Debian QEMU Team
Changed-By: Santiago Ruano Rincón
Description:
 qemu       - fast processor emulator
 qemu-guest-agent - Guest-side qemu-system agent
 qemu-kvm   - QEMU Full virtualization on x86 hardware
 qemu-system - QEMU full system emulation binaries
 qemu-system-arm - QEMU full system emulation binaries (arm)
 qemu-system-common - QEMU full system emulation binaries (common files)
 qemu-system-mips - QEMU full system emulation binaries (mips)
 qemu-system-misc - QEMU full system emulation binaries (miscellaneous)
 qemu-system-ppc - QEMU full system emulation binaries (ppc)
 qemu-system-sparc - QEMU full system emulation binaries (sparc)
 qemu-system-x86 - QEMU full system emulation binaries (x86)
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-binfmt - QEMU user mode binfmt registration for qemu-user
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Closes: 815008 815009 815680 817181 817182 817183 821038 821061 821062 822344 824856 825210 825614 825615 825616 826152 827024 827026 832621 834902 834905 834944 836502 837174 837316 837339 838147 838850 839834 839835 840340 840341 841950 841955 842455 866674 910431 911468 911469
Changes:
 qemu (1:2.1+dfsg-12+deb8u8) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix the following issues:
   * CVE-2016-2391: multiple eof_timers in ohci usb leads to null pointer
     dereference. Reported by Zuozhi Fzz (Closes: #815009)
   * CVE-2016-2392: usb: null pointer dereference in remote NDIS control
     message handling. Reported by Qinghao Tang (Closes: #815008)
   * CVE-2016-2538: usb: integer overflow in remote NDIS control message
     handling. Reported by Qinghao Tang (Closes: #815680)
   * CVE-2016-2841: net: ne2000: infinite loop in ne2000_receive.
     Reported by Yang Hongke (Closes: #817181)
   * CVE-2016-2857: net: out of bounds read in net_checksum_calculate.
     Reported by Liu Ling (Closes: #817182)
   * CVE-2016-2858: rng-random: arbitrary stack based allocation leading to
     corruption. (Closes: #817183)
   * CVE-2016-4001: net: buffer overflow in stellaris_enet emulator.
     Reported by Oleksandr Bazhaniuk (Closes: #821038)
   * CVE-2016-4002: net: buffer overflow in MIPSnet emulator.
     Reported by Oleksandr Bazhaniuk. (Closes: #821061)
   * CVE-2016-4020: i386: leakage of stack memory to guest in kvmvapic.c.
     Reported by Donghai Zdh. (Closes: #821062)
   * CVE-2016-4037: usb: Infinite loop vulnerability in usb_ehci using siTD
     process. Reported by 杜少博. (Closes: #822344)
   * CVE-2016-4439: 53C9X Fast SCSI Controller (FSC) support does not
     properly check command buffer length. (Closes: #824856)
   * CVE-2016-4441: 53C9X Fast SCSI Controller (FSC) support in QEMU does not
     properly check DMA length. (Closes: #824856)
   * CVE-2016-4453: incorrect handling of the VMWare VGA module, that may be
     used to cause QEMU to crash. Reported by Li Qiang.
   * CVE-2016-4454: incorrect handling of the VMWare VGA module, that may be
     used to obtain host sensitive information or cause QEMU to crash.
   * CVE-2016-4952: scsi: pvscsi: out-of-bounds access issue.
     Reported by Li Qiang. (Closes: #825210)
   * CVE-2016-5105: scsi: megasas: stack information leakage while reading
     configuration. Reported by Li Qiang. (Closes: #825614)
   * CVE-2016-5106: scsi: megasas: out-of-bounds write while setting
     controller properties. Reported by Li Qiang. (Closes: #825615)
   * CVE-2016-5107: scsi: megasas: out-of-bounds read in
     megasas_lookup_frame() function. Reported by Li Qiang. (Closes: #825616)
   * CVE-2016-5238: scsi: esp: OOB write when using non-DMA mode in get_cmd.
     Reported by Li Qiang. (Closes: #826152)
   * CVE-2016-5337: scsi: megasas: information leakage in
     megasas_ctrl_get_info. Reported by Li Qiang. (Closes: #827026)
   * CVE-2016-5338: scsi: out-of-bounds read/write access while processing
     ESP_FIFO. Reported by Li Qiang. (Closes: #827024)
   * CVE-2016-6351: scsi: esp: oob write access while reading ESP command.
     Reported by Li Qiang. (Closes: #832621)
   * CVE-2016-6834: infinite loop during packet fragmentation.
     Reported by Li Qiang. (Closes: #834905)
   * CVE-2016-6836: Information leak in vmxnet3_complete_packet.
     Reported by Li Qiang. (Closes: #834944)
   * CVE-2016-6888: vmxnet: integer