Re: phpmyadmin / CVE-2018-19968
Sorry, somehow stuffed up the subject line. Meant to reference CVE-2018-19968.

-- 
Brian May
phpmyadmin / CVE-2016-5739.patch
Ok, so as far as I can tell, looking at the version in wheezy, the problem is that we load source files like so (there are two occurrences in the code that I can see, both very similar):

    include_once $include_file;

Where include_file comes from:

    $file = $mime_map[$meta->name]['transformation'];
    $include_file = 'libraries/plugins/transformations/' . $file;

The problem being $mime_map is loaded from the database, and considered untrusted. I think this is the source here:

    PMA_getMIME($this->__get('db'), $this->__get('table'))

I don't fully understand this function yet, but I think it is safe to say it generates filenames based on untrusted data from the database.

I am not sure what an attacker can do with include_once, but my guess is that if you try to load a file that doesn't have a "

https://docs.phpmyadmin.net/en/qa_4_2/transformations.html

I am wondering how important it is that we continue to support transformations? I suspect not many users of phpmyadmin 4.2.12 would actually use or want them... If so the easiest fix may be to remove these lines.

-- 
Brian May
https://linuxpenguins.xyz/brian/
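The pattern Brian describes above, an include path assembled from a column that is read back out of the database, is worth seeing next to a loader that treats that column as a lookup key rather than as a path. The following is an added illustration written for this page; it is not phpMyAdmin's code and not part of the message. The directory constant, the function names and the sample plugin name Text_Plain_Dateformat.class.php are assumptions for the example, and the sample inputs are constructed.

```php
<?php
// Added illustration, not phpMyAdmin's code. The directory, function names
// and sample plugin name below are assumptions made for this example.

const TRANSFORMATIONS_DIR = __DIR__ . '/libraries/plugins/transformations';

// The risky shape from the message: $file is whatever the mime_map table
// holds, so whoever can write that table chooses what gets include_once'd.
// Kept here for comparison only; it is never called.
function loadTransformationUnsafe(string $file): void
{
    $include_file = TRANSFORMATIONS_DIR . '/' . $file;
    include_once $include_file;
}

// Hardened shape: enumerate the plugin files that actually exist on disk
// and accept the database value only if it names one of them exactly.
function transformationAllowlist(): array
{
    $allowed = [];
    foreach (glob(TRANSFORMATIONS_DIR . '/*.class.php') ?: [] as $path) {
        $allowed[basename($path)] = $path;
    }
    return $allowed;
}

function loadTransformationSafe(string $file): bool
{
    // Step 1: the value must be a bare plugin file name. This rejects
    // directory separators, parent references, NUL bytes and wrappers.
    if (!preg_match('/\A[A-Za-z0-9_]+\.class\.php\z/', $file)) {
        error_log('refused transformation plugin name: ' . bin2hex($file));
        return false;
    }

    // Step 2: the name must match a file we enumerated ourselves.
    $allowed = transformationAllowlist();
    if (!isset($allowed[$file])) {
        error_log("unknown transformation plugin: $file");
        return false;
    }

    // Step 3: belt and braces; the resolved path must sit inside the
    // plugin directory even after symlinks are followed.
    $real = realpath($allowed[$file]);
    $base = realpath(TRANSFORMATIONS_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log("transformation plugin resolved outside plugin dir: $file");
        return false;
    }

    include_once $real;
    return true;
}

// Constructed sample values, as the mime_map column might hold them.
// On a checkout where the plugin directory exists, the first one loads;
// run stand-alone (no such directory) all three are refused.
$samples = [
    "Text_Plain_Dateformat.class.php",   // plausible plugin file name (assumed)
    "../../config.inc.php",              // traversal shape, rejected at step 1
    "Text_Plain_Dateformat.class.php\0", // trailing NUL byte, rejected at step 1
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", addcslashes($s, "\0"),
        loadTransformationSafe($s) ? 'loaded' : 'refused');
}
```

The point of enumerating the directory first is that the database value never reaches the filesystem as a path at all: it is compared against basenames the application already knows, and the realpath containment check only guards against a stray symlink inside the plugin directory. Removing transformation support altogether, as the message suggests, has the same effect with less code.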
[SECURITY] [DLA 1610-1] sleuthkit security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sleuthkit
Version        : 4.1.3-4+deb8u1
CVE ID         : CVE-2018-19497
Debian Bug     : 914796

It was discovered that the Sleuth Kit (TSK) through version 4.6.4 is affected by a buffer over-read vulnerability. The tsk_getu16 call in hfs_dir_open_meta_cb (tsk/fs/hfs_dent.c) does not properly check boundaries. This vulnerability might be leveraged by remote attackers using crafted filesystem images to cause denial of service or any other unspecified behavior.

For Debian 8 "Jessie", this problem has been fixed in version 4.1.3-4+deb8u1.

We recommend that you upgrade your sleuthkit packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlwYIGkACgkQZYVUZx9w
0DRpSwf+I4o9JXqFz2AztMjg3Xe8tgWY8D804Bj2a4eZ5xZxcr4FzN2MirHxPnBV
HiZ29H8DHuMv1NhXl5jTHZt5rANOkAzz3XavJyFIVKMRL6Wz8uMORSwt9QJS2Omm
4OGnbRtibknfMm76UAQ8lCo9bxLTKvdPJEhFizgK1fwRQJSLiAmnSOKkN1u6VFeB
iflsMqX9DRwk7q4qBOfZomxY42HEApNdJ6S6bXM9qbBIDbM6w85EZ0tFE2qcjVOO
7A1DqNN1TjkNNtAQh5AbRNXlhh+BPrQI9QUnz1pxySCQcB+KVp33YiQ4lDN31Hgs
83VluIZwlKqd1hEjYT5thby+rrutZQ==
=vCVP
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1609-1] libapache-mod-jk security update
Package        : libapache-mod-jk
Version        : 1.2.46-0+deb8u1
CVE ID         : CVE-2018-11759

A vulnerability has been discovered in libapache-mod-jk, the Apache 2 connector for the Tomcat Java servlet engine. The libapache-mod-jk connector is susceptible to information disclosure and privilege escalation because of a mishandling of URL normalization.

The nature of the fix required that libapache-mod-jk in Debian 8 "Jessie" be updated to the latest upstream release. For reference, the upstream changes associated with each release version are documented here:

http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

For Debian 8 "Jessie", this problem has been fixed in version 1.2.46-0+deb8u1.

We recommend that you upgrade your libapache-mod-jk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

signature.asc
Description: PGP signature
Accepted libapache-mod-jk 1:1.2.46-0+deb8u1 (source amd64 all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Nov 2018 01:39:48 -0500
Source: libapache-mod-jk
Binary: libapache2-mod-jk libapache-mod-jk-doc
Architecture: source amd64 all
Version: 1:1.2.46-0+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Roberto C. Sanchez
Description:
 libapache-mod-jk-doc - Documentation of libapache2-mod-jk package
 libapache2-mod-jk - Apache 2 connector for the Tomcat Java servlet engine
Changes:
 libapache-mod-jk (1:1.2.46-0+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * New upstream version 1.2.46
     + CVE-2018-11759: fix information disclosure and privilege escalation
   * debian/patches/0004-corrupted-worker-activation-status.patch: dropped
     + the change was included in upstream release 1.2.38
   * debian/patches/CVE-2014-8111.patch: dropped
     + the change was included in upstream release 1.2.41
Checksums-Sha1:
 1b02cbe36ff4e79cb01e93977dd3ff7cc050733e 2208 libapache-mod-jk_1.2.46-0+deb8u1.dsc
 a18c3a8a218d11ea220e6f8a9ae3cdd89dd96e1e 3252837 libapache-mod-jk_1.2.46.orig.tar.gz
 856b15f182f309e51a1966d5dcb76e222cb8ab51 9248 libapache-mod-jk_1.2.46-0+deb8u1.debian.tar.xz
 fa6a7882d4ae5cf80c786c6779f33fc1b113df11 163942 libapache2-mod-jk_1.2.46-0+deb8u1_amd64.deb
 592245312b2683ddeffe0524158f9f72fa757033 180264 libapache-mod-jk-doc_1.2.46-0+deb8u1_all.deb
Checksums-Sha256:
 c988bcae74e563f18d841acbc00381ec1886d7cfb082f94dba4298de992d786e 2208 libapache-mod-jk_1.2.46-0+deb8u1.dsc
 7e1d520e1d1dacd042087ae52be7aae47a093b93cf26931827724aa8ab66cbe9 3252837 libapache-mod-jk_1.2.46.orig.tar.gz
 740372834a23624890c6695ca02805da86f96ace99c3729e7a80d2a768f915c9 9248 libapache-mod-jk_1.2.46-0+deb8u1.debian.tar.xz
 4f193275f0ef35a8e9f1e0d0a6c33c52bec09f122858a1e84977733e36b3438d 163942 libapache2-mod-jk_1.2.46-0+deb8u1_amd64.deb
 898c5f5f5ef17c681ec1dc358aa55679017ca1c73dd3a7de8bd5c84f1c4b29da 180264 libapache-mod-jk-doc_1.2.46-0+deb8u1_all.deb
Files:
 bea3ab3b5794fdeb7aa0619bf5b93050 2208 httpd optional libapache-mod-jk_1.2.46-0+deb8u1.dsc
 2f48f513a7bc0790c5473ac0f9cb6d3c 3252837 httpd optional libapache-mod-jk_1.2.46.orig.tar.gz
 c3342ff8dc5f494ee511f954dc173bfd 9248 httpd optional libapache-mod-jk_1.2.46-0+deb8u1.debian.tar.xz
 32b44107b1b6042f3fd4d3f4e56d57a3 163942 httpd optional libapache2-mod-jk_1.2.46-0+deb8u1_amd64.deb
 4de047c649fdac58cc2b3c6eff27332d 180264 doc optional libapache-mod-jk-doc_1.2.46-0+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAlwYFMAACgkQLNd4Xt2n
sg/hTBAAhDHp6f3Lt73fQmTApj9abi14xq1Pmc31v2uM7id0uknB7H2a29oZ3yai
44YSNnYl2dQMmh8pTqlvhUemNQ9cohQV21BHu/uvF2+VQs1e1kSNj5V6YbfOTYiM
jPU5HEswzJPFA7TFLS9j1C4tUJSkFPLJReNXT9wY2qbAGo1xgedHtxKNa7+w1ALe
n4mv6595ULGxjFX9cYki/rwqGQoqcoQ5ygO90zAaW/RoF6XN5kNXYHPYsmdviyJJ
ukotDqEpBLn4Hv5HBYXW5fvf7zLCHpEWTLowLLpuyVeb2w5tvi0sK8XOI9P6vCqn
nOOGbqW0yDbvmHnNGlRrWoXStkEEPGsm5RJBmh80qS8xBPWVvwVp6cVQOp/+ATCN
tJ3UcB4GL0Hi7erAM8vkrGGkNAkTkgjkqIxDaKNVtS3aEmafOF17DJYE0h2t7TLN
80P+ZSAITG9W24SSTSv/XZOzme8gqt6nD6/yaEq53W7p69PYOsY4zT2HAn7uLId7
KXm9IDvxluxVN34DAc9A9v5fesW9DH5PU2q5d4otRfBPiGr1R36GhgY4k/416O89
E7Ob3Nn26mMv6ZfiqvNvCxaZ1Q/P9P//mT+1ChUzFTamxazqZBkuoR6EbezqJnm5
rVc+brx/fADlLE9KAN9FaRLWyf/p3b9IhUQW5RFBlaq7Kt3gDhs=
=82St
-----END PGP SIGNATURE-----
Re: MySQL 5.5 EOL before Debian 8 LTS ends
On Mon, 17 Dec 2018 10:49:57 +0100 Emilio Pozuelo Monfort wrote:
> MySQL 5.5 should be EOL this month if nothing has changed, although I
> don't see an announcement on [1] yet. Maybe it will be published next
> month when the next CPU (critical patch update) is released. Norvald,
> do you know if 5.5 is effectively EOL already? Or will it receive
> another update next month?

It will not. The plan is to stop on 5.5.62 (released in October).

Best regards,
Norvald
Accepted sleuthkit 4.1.3-4+deb8u1 (source amd64) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 17 Dec 2018 15:50:45 +0100
Source: sleuthkit
Binary: sleuthkit libtsk10 libtsk-dev
Architecture: source amd64
Version: 4.1.3-4+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Forensics
Changed-By: Hugo Lefeuvre
Description:
 libtsk-dev - library for forensics analysis (development files)
 libtsk10 - library for forensics analysis on volume and filesystem data
 sleuthkit - tools for forensics analysis on volume and filesystem data
Closes: 914796
Changes:
 sleuthkit (4.1.3-4+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-19497: OOB read in hfs_dir_open_meta_cb (tsk/fs/hfs_dent.c)
     (closes: #914796).
Checksums-Sha1:
 9851e57e2b64707c13f7c4c3917cf279a6752ad3 1911 sleuthkit_4.1.3-4+deb8u1.dsc
 9350bb59bb5fbe41d6e29a8d0494460b937749ef 7952733 sleuthkit_4.1.3.orig.tar.gz
 65924383354039ef5dd84fbc8e902d47db968343 29172 sleuthkit_4.1.3-4+deb8u1.debian.tar.xz
 bd3f0ce02dc31f8faf7995599188c4a9b25b5d63 243352 sleuthkit_4.1.3-4+deb8u1_amd64.deb
 18968645d8e7ec2c0d8e70ef5e08eab0fd9030e6 298816 libtsk10_4.1.3-4+deb8u1_amd64.deb
 722587147e3433c68f07cc4199e2197469ff1da9 368194 libtsk-dev_4.1.3-4+deb8u1_amd64.deb
Checksums-Sha256:
 9d9db4d845e7f33867ef039ec71af68337820afc90694422d45e849dfc032d02 1911 sleuthkit_4.1.3-4+deb8u1.dsc
 67f9d2a31a8884d58698d6122fc1a1bfa9bf238582bde2b49228ec9b899f0327 7952733 sleuthkit_4.1.3.orig.tar.gz
 ac59ac4ff50f43c1df6143deee25d5e10eab0c1aa94acf20983b0da4f546a108 29172 sleuthkit_4.1.3-4+deb8u1.debian.tar.xz
 3fa4d58fd17b8b1a79326269898815148c7ac4afa085b42c6e176713b93186d4 243352 sleuthkit_4.1.3-4+deb8u1_amd64.deb
 322628e9e98da58ea418dae28054eef8869611315cd0b79ec1bcceaaf2574b2c 298816 libtsk10_4.1.3-4+deb8u1_amd64.deb
 5326313a117be9965a8ccb67f1356e0997baae0262e2537a8970f98970947ce4 368194 libtsk-dev_4.1.3-4+deb8u1_amd64.deb
Files:
 63f0e61fd28d8351858af276c77ef7bb 1911 admin optional sleuthkit_4.1.3-4+deb8u1.dsc
 139a12f06952d8a40bbe07884994cf5d 7952733 admin optional sleuthkit_4.1.3.orig.tar.gz
 c72ab23bf04c9008f2a44cc68aa44263 29172 admin optional sleuthkit_4.1.3-4+deb8u1.debian.tar.xz
 e25fd586f3237e8c996e84832b60c9d2 243352 admin optional sleuthkit_4.1.3-4+deb8u1_amd64.deb
 deca33dfaf83c0f313c73d1c2a01d023 298816 libs optional libtsk10_4.1.3-4+deb8u1_amd64.deb
 dc8417d18d05beb7ba44ca7d037a1811 368194 libdevel optional libtsk-dev_4.1.3-4+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEUFZhdgIWqBhwqCvuZYVUZx9w0DQFAlwXvYIACgkQZYVUZx9w
0DQREgf+OXWK9hT+6b+DmVLlEncZJYF1HMsfZ/R2qckF7CN7nrw8bEtx/hjIoEgj
qJXG4CjEoObREG5+7frBRoyAcvenSizRpWlFB0u1fzH54pHqZ8Bd7M6lDdLnjhe5
Z0QOCUWIgYpWucxGaSHHwEcSeozOhBMy06RHLVwaHYonrHhM6llC48sCy8jKoLBw
9dy9mApqec24BfC01D4qXxpZ1zLp3DD1n76whxFRJYjeSABNK7Fm+0pELJKgiVz2
ZHhn2FbvQxSDvaZny85mA24GsQQBh08qs9IppVvcWo/KVyCGzLLnzjSSRQ+EyaqC
riEdAxYDgMOMoZ6hfImc/t67dtZVEw==
=qkna
-----END PGP SIGNATURE-----
Re: Possible patch-backport problem for libphp-phpmailer (DLA-1591-1)
On 12/12/2018 04:56, Abhijith PA wrote:
> Hi.
>
> On Tuesday 11 December 2018 12:59 PM, Chris Lamb wrote:
>> Hi Salvatore.
>>
>>> While preparing an update for libphp-phpmailer I noticed in the
>>> patch/diff for DLA-1591-1 for libphp-phpmailer the following:
>>
>> Thanks for flagging. I will try and take a look at this over the next
>> few days but I am pretty-solidly at a Reproducible Builds conference
>> so if someone can jump in, please do so.
>
> I will look in to it.

I have added this to dla-needed.txt so that it doesn't get forgotten.

Cheers,
Emilio
Re: MySQL 5.5 EOL before Debian 8 LTS ends
Hi,

On 22/05/2018 07:10, Lars Tangvald wrote:
>
>
> On 05/21/2018 03:22 PM, Matus UHLAR - fantomas wrote:
> On 22.01.2018 at 13:42, Lars Tangvald wrote:
> First off, thanks for handling the 5.5.59 update for Wheezy. I had the
> security announcement date mixed up so picked it up too late, sorry.
>
> MySQL 5.5 is expected to be EOL in December (it was first released
> December 15, 2010, and we have 8 year security support), while Jessie
> LTS is until April 2020
> How are such cases handled? Will the source package be removed, or is it
> possible to have it upgraded to a more recent version?
>>
>>> On 22/01/18 16:35, Markus Koschany wrote:
> These are both possible options but given the significance of MySQL we
> would rather prefer to upgrade to a supported release provided this is
> viable for Jessie.
>>
> If an upgrade is possible, while we did a successful transition in
> Ubuntu from 5.5 to 5.7, there were significant changes from 5.6 to 5.7,
> requiring small changes to a lot of third-party packages as well as to
> the default server behavior, so 5.6 (which is supported until 2021)
> would be a better option.
>> I also think it makes sense to take a smaller step and upgrade from 5.5
>> to 5.6. Are there any known issues with 5.6 or can you share any
>> information about expected regressions with reverse-dependencies?
>>
>> On 19.05.18 20:41, Emilio Pozuelo Monfort wrote:
>>> jessie ships mysql-5.5 and mariadb-10.0. Given that stretch no longer ships
>>> mysql but only mariadb, we could just let mysql-5.5 go end of life, mark it
>>> as unsupported (or drop the server part), and keep supporting mariadb-10.0.
>>> Users will need to move to mariadb at some point anyway. The only problem is
>>> that mariadb-10.0 goes EOL on March 2019. mariadb-10.1 is EOL on October 2020,
>>> so if we decided to provide that in jessie that would be enough.
>>
>> There are packages in jessie that depend on mysql (or libmysql), not on
>> mariadb.
>>
>> IMHO If it's possible to migrate to mysql-5.6 and later from mysql-5.6 to
>> stretch, it would be a better alternative than deprecate it.
>>
> If we can agree on this, I can work on updating the packaging (we did have 5.6
> in sid at one point, but would need to check that it didn't have any big
> changes).
>
> Otto: MariaDB 10.1 supports migration from MySQL 5.6, right? This would be
> important for users later upgrading to Stretch.

MySQL 5.5 should be EOL this month if nothing has changed, although I don't see an announcement on [1] yet. Maybe it will be published next month when the next CPU (critical patch update) is released. Norvald, do you know if 5.5 is effectively EOL already? Or will it receive another update next month?

Also note that mariadb 10.0 is EOL in three months[2].

I don't think it makes much sense to upload mysql-5.6, since stretch has no mysql at all. Since users will have to migrate to MariaDB anyway (or to externally provided MySQL packages if they so choose), they can do so now.

For mariadb 10.0, we may be able to backport important security fixes, or we could backport 10.1 which will be supported upstream until October 2020. I would lean towards one of those last two options.

Cheers,
Emilio

[1] https://www.mysql.com/support/eol-notice.html
[2] https://mariadb.org/about/maintenance-policy/