[SECURITY] [DLA 1693-1] gpac security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: gpac
Version: 0.5.0+svn5324~dfsg1-1+deb8u2
CVE ID : CVE-2018-7752 CVE-2018-20760 CVE-2018-20761 CVE-2018-20762 CVE-2018-20763

Several issues have been found by different authors in gpac, an Open Source
multimedia framework for research and academic purposes. The issues are
basically all buffer overflows in different functions all over the package.

For Debian 8 "Jessie", these problems have been fixed in version
0.5.0+svn5324~dfsg1-1+deb8u2.

We recommend that you upgrade your gpac packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAlx25aBfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEcORw/+KGWD/LH/EI2E6i4pskaY6KL02sliyugh7fZCdacffwLKpk/n9qAsvF1s
qdxFwLB180hXfK/rqMMjo8EJYSLyWM+RaubfWZJbngXWSEJlxs18tAL5hgAQps9f
IfKLzF/Xt4WOse9kpQARREC+ClQlkN8uSyCyyCvLAqTPAclxIP7C+MPg0vbg2iAl
dVHl/VCxYYVwWhW+lzSOCFk5E83s50te2fEuxYUlqN3pfkEiRqGSaJg3IIgRwyPY
dZUHpRDSEgsc1eQUcmjq41pJ0sis7LSSwtPpGOHjZ5X8YdcFkdaEwGpS8SoUdaZV
Da6jrFaGkGy6HRYuAe9q9uEuzA21zUOWrx4ix+U8OecJfdZISQRpyToZ0M6kWvrE
0zYSwVbY8Pe4g/5nws4UcAy6WYlLx8fggUGVV7/6/AUom3svntgpWkCNSjYLZcHW
FgFh2BiWcXDq7KTYwe3xDdbrWxemWtZXM2duJWZ88pPqEChtnJWJ0aoD8VKZkmYF
B7otDsycLPWNAMbKGC0AnmxGwEN6/lUB80ycsgIfltpnljw8FvundqjgyoYZ72T9
9sRveYu0Kf1Lidq9x8YNK6P5xwv5kW1XQiiIpfJeEe6oZFjTDDQjMYLRgEyOfglV
WMy2yPM2WZTSr3XNVO4bl2mi7++5v+59zGQGpevkrOvzrzKoE6Q=
=cckW
-----END PGP SIGNATURE-----
Re: [SECURITY] [DLA 1692-1] phpmyadmin security update
Thank you, thanks.

On Wed, 27 Feb 2019 14:58, Sylvain Beucler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Package: phpmyadmin
> Version: 4:4.2.12-2+deb8u5
> CVE ID : CVE-2019-6799
> Debian Bug : 920823
>
> An information leak issue was discovered in phpMyAdmin. An attacker
> can read any file on the server that the web server's user can
> access. This is related to the mysql.allow_local_infile PHP
> configuration. When the AllowArbitraryServer configuration setting is
> set to false (default), the attacker needs a local MySQL account. When
> set to true, the attacker can exploit this with the use of a rogue
> MySQL server.
>
> For Debian 8 "Jessie", this problem has been fixed in version
> 4:4.2.12-2+deb8u5.
>
> We recommend that you upgrade your phpmyadmin packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
> -----BEGIN PGP SIGNATURE-----
>
> iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlx2ll4ACgkQj/HLbo2J
> BZ9uwwgAioP4kzTcsHE2yIA4ZdW96aszHsyv8vqReg+ir4MtRodhRvlA/tAszdz2
> ov0DThc43uUEGBYCASpUYY8r5lD8EeCLLKkrZwanW4zvNF7m4few4JwfvZoWIMRw
> PeB1mnkSF7dg0qPC+4OLRuaYgfyMeLSDIVJbmNlFfUYxK/0t1XvqTBUpPupgjPnv
> uZw8OJzhjdaq5R/FaCR+gs5fD9f3CNy4lKPoGv0MVOCqaMW/2/AqvIEMTkjbNDmp
> hzQfS/n8k5FPkfev8KfBaWBDn+y78FbZZQ81oqwzK5bRyyU2PMa8SnJldJgITOo7
> oq2uNscdwfJnhTpIvbPfxKCrSFJ5kQ==
> =CJqr
> -----END PGP SIGNATURE-----
Re: MySQL 5.5 EOL before Debian 8 LTS ends
> Thinking about this some more, maybe we could attempt this, backporting security
> fixes from MariaDB 10.1 or forward-porting them from MariaDB 5.5 (still
> supported until April 2020). That way we don't force any 10.0 -> 10.1 migration
> on our users (though MySQL 5.5 users will still have to migrate). This will be
> more work than backporting new upstream releases, but if we limit ourselves to
> security fixes and possibly some minor stability fixes, it may be feasible.

I am experimenting at
https://salsa.debian.org/mariadb-team/mariadb-10.1/commits/jessie if
it is feasible to get 10.1 running on Jessie at all.

The good news is that it at least builds without any modifications.

The bad news is that mariadb-common depends on mysql-common (>= 5.6.25)
to ensure /usr/share/mysql-common/configure-symlinks is available.
Having an identical mariadb-10.1 package in Jessie and Stretch would
decrease the maintenance burden, but Jessie would also need an updated
mysql-common package introduced.
Re: MySQL 5.5 EOL before Debian 8 LTS ends
Hi Otto,

On Wed, Feb 27, 2019 at 04:32:24PM +0200, Otto Kekäläinen wrote:
> > Thinking about this some more, maybe we could attempt this, backporting security
> > fixes from MariaDB 10.1 or forward-porting them from MariaDB 5.5 (still
> > supported until April 2020). That way we don't force any 10.0 -> 10.1 migration
> > on our users (though MySQL 5.5 users will still have to migrate). This will be
> > more work than backporting new upstream releases, but if we limit ourselves to
> > security fixes and possibly some minor stability fixes, it may be feasible.
>
> I am experimenting at
> https://salsa.debian.org/mariadb-team/mariadb-10.1/commits/jessie if
> it is feasible to get 10.1 running on Jessie at all.

nice.

> The good news is that it at least builds without any modifications.

*g*

> The bad news is that mariadb-common depends on mysql-common (>=
> 5.6.25) to ensure /usr/share/mysql-common/configure-symlinks is
> available. Having an identical mariadb-10.1 package in Jessie and
> Stretch would decrease the maintenance burden, but Jessie would also
> need an updated mysql-common package introduced.

adding a new package, if sensible, is something which can be done. and
it seems sensible here.

--
bye,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: phpmyadmin: CVE-2019-6799: PMASA-2019-1
Uploaded to jessie-security.
[SECURITY] [DLA 1692-1] phpmyadmin security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: phpmyadmin
Version: 4:4.2.12-2+deb8u5
CVE ID : CVE-2019-6799
Debian Bug : 920823

An information leak issue was discovered in phpMyAdmin. An attacker
can read any file on the server that the web server's user can
access. This is related to the mysql.allow_local_infile PHP
configuration. When the AllowArbitraryServer configuration setting is
set to false (default), the attacker needs a local MySQL account. When
set to true, the attacker can exploit this with the use of a rogue
MySQL server.

For Debian 8 "Jessie", this problem has been fixed in version
4:4.2.12-2+deb8u5.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlx2ll4ACgkQj/HLbo2J
BZ9uwwgAioP4kzTcsHE2yIA4ZdW96aszHsyv8vqReg+ir4MtRodhRvlA/tAszdz2
ov0DThc43uUEGBYCASpUYY8r5lD8EeCLLKkrZwanW4zvNF7m4few4JwfvZoWIMRw
PeB1mnkSF7dg0qPC+4OLRuaYgfyMeLSDIVJbmNlFfUYxK/0t1XvqTBUpPupgjPnv
uZw8OJzhjdaq5R/FaCR+gs5fD9f3CNy4lKPoGv0MVOCqaMW/2/AqvIEMTkjbNDmp
hzQfS/n8k5FPkfev8KfBaWBDn+y78FbZZQ81oqwzK5bRyyU2PMa8SnJldJgITOo7
oq2uNscdwfJnhTpIvbPfxKCrSFJ5kQ==
=CJqr
-----END PGP SIGNATURE-----
Accepted phpmyadmin 4:4.2.12-2+deb8u5 (source all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Feb 2019 13:09:09 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:4.2.12-2+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Thijs Kinkhorst
Changed-By: Sylvain Beucler
Description:
 phpmyadmin - MySQL web administration tool
Changes:
 phpmyadmin (4:4.2.12-2+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * Fix CVE-2019-6799: information leak (arbitrary file read) using SQL queries.
Checksums-Sha1:
 351659176393e08582f3c2b5a8e48c7410715051 1622 phpmyadmin_4.2.12-2+deb8u5.dsc
 7e010bd059192c3aab5ed634f0c5faf080762621 71740 phpmyadmin_4.2.12-2+deb8u5.debian.tar.xz
 191b89b3e0e88091d96ae26de42f201df4e497c8 3862686 phpmyadmin_4.2.12-2+deb8u5_all.deb
Checksums-Sha256:
 030b3a93e6c6fda6bc3a39e8738c652006d1abdd98a24aac8da7e00d44f463cc 1622 phpmyadmin_4.2.12-2+deb8u5.dsc
 4b12244e03ffb3608530281cabc4a3a9a2e45e60069fe6251eeb7124d4d95407 71740 phpmyadmin_4.2.12-2+deb8u5.debian.tar.xz
 d6fc73b3a9a345a7903a9bba4aab2edd15470f31bd31802b4822eac48e5a68d1 3862686 phpmyadmin_4.2.12-2+deb8u5_all.deb
Files:
 6335f57542db9b145be8f8b785df6a8e 1622 web extra phpmyadmin_4.2.12-2+deb8u5.dsc
 3e0d95e1e39abd5203f461f23d8c75af 71740 web extra phpmyadmin_4.2.12-2+deb8u5.debian.tar.xz
 949caa174e321a5fcc09198cd22b4c3e 3862686 web extra phpmyadmin_4.2.12-2+deb8u5_all.deb
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlx2jRwACgkQj/HLbo2J
BZ9n6ggAtIz/SzWFw8h1Soct+eMrUgavg3fOHTWL2rQy1o31G9+PSsIfhww0yu6u
7O1KI582EJRkSdsCwp7MoMQ4Or7Bw/yheJsBW0nrA+tJ+STdwYS56epLzFuLljDa
KY8J8HzwztYsOevZXRB5ansDClStxOG4qtWYBcje1tseLKqSoESPyN4llv9iB0P0
j+U+K3lwZeyKy6FLvAgbXLq5feagUkf6jWCkwl1hcYrm/umXCe7DQ3hdSSKhgRQG
nIyx+gXCH1rFpDNgGhDGDFqrCl0eTwq9YO9cucOag2yQI7K4ocAdw1mMpOtyEqzH
JxNtq3EWaO/x+g9EgnGrouI8dlneJA==
=1LTz
-----END PGP SIGNATURE-----
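The Checksums-Sha256 stanza in an upload notice like the one above is what lets a downstream consumer confirm that the .dsc, .debian.tar.xz and .deb they fetched are the files the uploader signed. As an added example (not Debian tooling and not code from any message in this thread), the following Python parses that stanza and verifies files against it. The stanza text is copied from the notice; the file it hashes is constructed locally, so its digest is computed here rather than taken from the page.

```python
"""Parse the Checksums-Sha256 field of a Debian .changes file and verify
files against it.  Added example, not Debian's own code.  CHANGES_TEXT is
copied from the phpmyadmin 4:4.2.12-2+deb8u5 upload notice; the file
checked in demo() is constructed here, so its hash is computed locally."""
import hashlib
import os
import tempfile

# Stanza copied from the upload notice (values as printed on the page).
CHANGES_TEXT = """\
Checksums-Sha256:
 030b3a93e6c6fda6bc3a39e8738c652006d1abdd98a24aac8da7e00d44f463cc 1622 phpmyadmin_4.2.12-2+deb8u5.dsc
 4b12244e03ffb3608530281cabc4a3a9a2e45e60069fe6251eeb7124d4d95407 71740 phpmyadmin_4.2.12-2+deb8u5.debian.tar.xz
 d6fc73b3a9a345a7903a9bba4aab2edd15470f31bd31802b4822eac48e5a68d1 3862686 phpmyadmin_4.2.12-2+deb8u5_all.deb
Files:
 6335f57542db9b145be8f8b785df6a8e 1622 web extra phpmyadmin_4.2.12-2+deb8u5.dsc
"""


def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one multi-line field.

    In the .changes format a multi-line field's continuation lines start
    with a single space; the field ends at the next non-indented line."""
    entries = {}
    in_field = False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_field = line.rstrip() == field + ":"
            continue
        if in_field:
            digest, size, name = line.split()
            entries[name] = (digest.lower(), int(size))
    return entries


def verify_file(path, expected_digest, expected_size):
    """Check size first (cheap), then the SHA-256 digest, hashing in chunks
    so large .deb files do not have to fit in memory.  Returns (ok, reason)."""
    size = os.path.getsize(path)
    if size != expected_size:
        return False, f"size {size} != {expected_size}"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    actual = h.hexdigest()
    if actual != expected_digest:
        return False, f"sha256 {actual} != {expected_digest}"
    return True, "ok"


def verify_directory(changes_text, directory):
    """Verify every file listed in the stanza.  A file that is absent is
    reported as a failure rather than silently skipped."""
    results = {}
    for name, (digest, size) in parse_checksums(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = (False, "missing")
        else:
            results[name] = verify_file(path, digest, size)
    return results


def demo():
    """Construct a file, verify it, tamper with it, verify again, and show
    that files listed in the stanza but not downloaded are flagged."""
    payload = b"constructed sample payload, not a real .dsc\n"  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.dsc")
        with open(path, "wb") as f:
            f.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        good_ok, _ = verify_file(path, good, len(payload))
        with open(path, "ab") as f:
            f.write(b"x")  # append one byte: size check now fails
        bad_ok, reason = verify_file(path, good, len(payload))
        missing = verify_directory(CHANGES_TEXT, d)
    return {
        "good": good_ok,
        "tampered": bad_ok,
        "reason": reason,
        "all_missing": all(r == (False, "missing") for r in missing.values()),
    }


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(CHANGES_TEXT).items():
        print(f"{name}: {size} bytes, sha256 {digest}")
    print(demo())
```

Checking the size before hashing is a deliberate ordering: a truncated or padded download is rejected without reading it fully, and the digest comparison only runs on files of the right length. The stanza parser is the same one needed for Checksums-Sha1, so `parse_checksums(text, "Checksums-Sha1")` works unchanged.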