[SECURITY] [DLA 1933-1] ruby-nokogiri security update

2019-09-25 Thread Brian May

Package: ruby-nokogiri
Version: 1.6.3.1+ds-1+deb8u1
CVE ID : CVE-2019-5477

A command injection vulnerability in Nokogiri allows commands to be executed in
a subprocess by Ruby's `Kernel.open` method.

For Debian 8 "Jessie", this problem has been fixed in version
1.6.3.1+ds-1+deb8u1.

We recommend that you upgrade your ruby-nokogiri packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
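For the defensive side of CVE-2019-5477, an added example that is not Nokogiri's or Debian's code: a review aid that flags bare `open(` calls in Ruby source, and a file reader that goes through `File.open` so a caller-supplied path can never start a subprocess. `BARE_OPEN`, `flag_bare_open`, `read_local_file` and the sample source are all constructed here.

```ruby
require "tempfile"

# Added example for CVE-2019-5477, not Nokogiri's or Debian's code.
# Ruby's Kernel#open treats an argument beginning with "|" as a command to
# run in a subprocess, so handing it a caller-supplied path is a command
# injection sink. File.open has no such mode: it only opens files.

# Matches a bare `open(` or `Kernel.open(`. Qualified calls such as
# File.open( and identifiers such as reopen( or open_file( do not match.
BARE_OPEN = /(?<![\w.:])(?:Kernel\.)?open\s*\(/

# Returns [[line_number, line], ...] for each non-comment line of Ruby
# source that calls bare open. A review aid, not a parser: it will not see
# calls split across lines or made through `send`.
def flag_bare_open(source)
  source.each_line.with_index(1)
        .reject { |line, _| line.lstrip.start_with?("#") }
        .select { |line, _| line.match?(BARE_OPEN) }
        .map { |line, n| [n, line.strip] }
end

# Hardened replacement for `open(path).read`: refuses pipe-style arguments
# outright and reads through File.open, which cannot spawn anything.
def read_local_file(path)
  raise ArgumentError, "refusing pipe-style path #{path.inspect}" if path.start_with?("|")
  File.open(path, "rb", &:read)
end

# Constructed sample (not real Nokogiri source) showing which calls are flagged.
SAMPLE_SOURCE = <<~RUBY
  def load_file(path)
    File.open(path, "rb") { |f| f.read }  # safe: qualified call
    # open(path) inside a comment is ignored
    open(path).read                       # flagged
    Kernel.open(path) { |io| io.read }    # flagged
    IO.read(path)                         # safe
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  flag_bare_open(SAMPLE_SOURCE).each { |n, line| puts "line #{n}: #{line}" }
  Tempfile.create("dla1933") do |f|
    f.write("hello")
    f.flush
    puts read_local_file(f.path)
  end
  begin
    read_local_file("|true")
  rescue ArgumentError => e
    puts e.message
  end
end
```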



Accepted ruby-nokogiri 1.6.3.1+ds-1+deb8u1 (source amd64) into oldoldstable

2019-09-25 Thread Brian May

Format: 1.8
Date: Tue, 24 Sep 2019 17:22:04 +1000
Source: ruby-nokogiri
Binary: ruby-nokogiri
Architecture: source amd64
Version: 1.6.3.1+ds-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers 

Changed-By: Brian May 
Description:
 ruby-nokogiri - HTML, XML, SAX, and Reader parser for Ruby
Changes:
 ruby-nokogiri (1.6.3.1+ds-1+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2019-5477: Command injection vulnerability in Nokogiri
 allows commands to be executed in a subprocess by Ruby's
 `Kernel.open` method.



[SECURITY] [DLA 1932-1] openssl security update

2019-09-25 Thread Markus Koschany

Package: openssl
Version: 1.0.1t-1+deb8u12
CVE ID : CVE-2019-1547 CVE-2019-1563

Two security vulnerabilities were found in OpenSSL, the Secure Sockets
Layer toolkit.

CVE-2019-1547

Normally in OpenSSL EC groups always have a co-factor present and
this is used in side channel resistant code paths. However, in some
cases, it is possible to construct a group using explicit parameters
(instead of using a named curve). In those cases it is possible that
such a group does not have the cofactor present. This can occur even
where all the parameters match a known named curve. If such a curve
is used then OpenSSL falls back to non-side channel resistant code
paths which may result in full key recovery during an ECDSA
signature operation. In order to be vulnerable an attacker
would have to have the ability to time the creation of a large
number of signatures where explicit parameters with no co-factor
present are in use by an application using libcrypto. For the
avoidance of doubt libssl is not vulnerable because explicit
parameters are never used.

CVE-2019-1563

In situations where an attacker receives automated notification of
the success or failure of a decryption attempt an attacker, after
sending a very large number of messages to be decrypted, can recover
a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted
message that was encrypted with the public RSA key, using a
Bleichenbacher padding oracle attack. Applications are not affected
if they use a certificate together with the private RSA key to the
CMS_decrypt or PKCS7_decrypt functions to select the correct
recipient info to decrypt.

For Debian 8 "Jessie", these problems have been fixed in version
1.0.1t-1+deb8u12.

We recommend that you upgrade your openssl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
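An added example for the CVE-2019-1547 description above, written against Ruby's OpenSSL binding and not OpenSSL's or Debian's code: it encodes one curve both as a named curve and as explicit parameters, shows how to tell the two forms apart (and whether the optional cofactor is present) from the DER itself, and applies the conservative policy of accepting only named curves. `describe_ec_params`, `acceptable_ec_params?` and `prime256v1_encodings` are names chosen here.

```ruby
require "openssl"

# Added example, not OpenSSL's or Debian's code. An EC parameter blob either
# names a curve by OID or spells the curve out with explicit parameters; in
# the explicit form the cofactor is OPTIONAL, which is the case the advisory
# describes. Reading the DER directly shows which form an application was handed.

# ECPKParameters ::= CHOICE {
#   namedCurve   OBJECT IDENTIFIER,
#   ecParameters SEQUENCE { version, fieldID, curve, base, order, cofactor OPTIONAL },
#   implicitlyCA NULL }
def describe_ec_params(der)
  node = OpenSSL::ASN1.decode(der)
  case node
  when OpenSSL::ASN1::ObjectId
    { form: :named, curve: node.sn, cofactor_present: true }
  when OpenSSL::ASN1::Sequence
    # Five mandatory fields; a sixth element can only be the cofactor.
    { form: :explicit, cofactor_present: node.value.length >= 6 }
  else
    { form: :other, cofactor_present: false }
  end
end

# Policy an application using libcrypto can apply before loading parameters:
# accept named curves only, so the explicit-parameter path is never entered.
def acceptable_ec_params?(der)
  describe_ec_params(der)[:form] == :named
end

# The same curve encoded both ways (constructed here for the demonstration).
def prime256v1_encodings
  group = OpenSSL::PKey::EC::Group.new("prime256v1")
  group.asn1_flag = OpenSSL::PKey::EC::NAMED_CURVE
  named = group.to_der
  group.asn1_flag = OpenSSL::PKey::EC::EXPLICIT_CURVE
  explicit = group.to_der
  [named, explicit]
end

if __FILE__ == $PROGRAM_NAME
  prime256v1_encodings.each do |der|
    info = describe_ec_params(der)
    verdict = acceptable_ec_params?(der) ? "accept" : "reject"
    puts "#{der.bytesize} bytes: #{info.inspect} -> #{verdict}"
  end
end
```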



Accepted openssl 1.0.1t-1+deb8u12 (source all amd64) into oldoldstable

2019-09-25 Thread Markus Koschany

Format: 1.8
Date: Wed, 25 Sep 2019 19:47:32 +0200
Source: openssl
Binary: openssl libssl1.0.0 libcrypto1.0.0-udeb libssl-dev libssl-doc 
libssl1.0.0-dbg
Architecture: source all amd64
Version: 1.0.1t-1+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: Debian OpenSSL Team 
Changed-By: Markus Koschany 
Description:
 libcrypto1.0.0-udeb - Secure Sockets Layer toolkit - libcrypto udeb (udeb)
 libssl-dev - Secure Sockets Layer toolkit - development files
 libssl-doc - Secure Sockets Layer toolkit - development documentation
 libssl1.0.0 - Secure Sockets Layer toolkit - shared libraries
 libssl1.0.0-dbg - Secure Sockets Layer toolkit - debug information
 openssl - Secure Sockets Layer toolkit - cryptographic utility
Changes:
 openssl (1.0.1t-1+deb8u12) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-1547:
 Normally in OpenSSL EC groups always have a co-factor present and this is
 used in side channel resistant code paths. However, in some cases, it is
 possible to construct a group using explicit parameters (instead of using a
 named curve). In those cases it is possible that such a group does not have
 the cofactor present. This can occur even where all the parameters match a
 known named curve. If such a curve is used then OpenSSL falls back to
 non-side channel resistant code paths which may result in full key recovery
 during an ECDSA signature operation. In order to be vulnerable an attacker
 would have to have the ability to time the creation of a large number of
 signatures where explicit parameters with no co-factor present are in use
 by an application using libcrypto. For the avoidance of doubt libssl is not
 vulnerable because explicit parameters are never used.
   * Fix CVE-2019-1563:
 In situations where an attacker receives automated notification of the
 success or failure of a decryption attempt an attacker, after sending a
 very large number of messages to be decrypted, can recover a CMS/PKCS7
 transported encryption key or decrypt any RSA encrypted message that was
 encrypted with the public RSA key, using a Bleichenbacher padding oracle
 attack. Applications are not affected if they use a certificate together
 with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
 select the correct recipient info to decrypt.
Package-Type: udeb



Re: [SECURITY] [DLA 1931-1] libgcrypt20 security update

2019-09-25 Thread Salvatore Bonaccorso
Hi Chris,

On Wed, Sep 25, 2019 at 02:27:43PM +0100, Chris Lamb wrote:
> Hi Salvatore,
> 
> 
> > > For Debian 8 "Jessie", this issue has been fixed in libgcrypt20 version
> > > 1.6.3-2+deb8u6.
> […]
> > Just a heads-up in case not seen yet: For all (but the amd64 upload)
> > it looks there were FTBFS:
> 
> Thanks for the explicit notice. I addressed this in libgcrypt20 
> 1.6.3-2+deb8u7.

Thanks!

Regards,
Salvatore



Accepted libgcrypt20 1.6.3-2+deb8u7 (source all amd64) into oldoldstable

2019-09-25 Thread Chris Lamb

Format: 1.8
Date: Wed, 25 Sep 2019 14:18:36 +0100
Source: libgcrypt20
Binary: libgcrypt20-doc libgcrypt20-dev libgcrypt20-dbg libgcrypt20 
libgcrypt20-udeb libgcrypt11-dev
Architecture: source all amd64
Version: 1.6.3-2+deb8u7
Distribution: jessie-security
Urgency: high
Maintainer: Debian GnuTLS Maintainers 
Changed-By: Chris Lamb 
Description:
 libgcrypt11-dev - transitional libgcrypt11-dev package
 libgcrypt20 - LGPL Crypto library - runtime library
 libgcrypt20-dbg - LGPL Crypto library - debugger files
 libgcrypt20-dev - LGPL Crypto library - development files
 libgcrypt20-doc - LGPL Crypto library - documentation
 libgcrypt20-udeb - LGPL Crypto library - runtime library (udeb)
Changes:
 libgcrypt20 (1.6.3-2+deb8u7) jessie-security; urgency=high
 .
   * Update patch to CVE-2019-13627 (mitigation against an ECDSA timing attack)
 to avoid FTBFS.




Re: [SECURITY] [DLA 1931-1] libgcrypt20 security update

2019-09-25 Thread Chris Lamb
Hi Salvatore,


> > For Debian 8 "Jessie", this issue has been fixed in libgcrypt20 version
> > 1.6.3-2+deb8u6.
[…]
> Just a heads-up in case not seen yet: For all (but the amd64 upload)
> it looks there were FTBFS:

Thanks for the explicit notice. I addressed this in libgcrypt20 1.6.3-2+deb8u7.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Re: Xen 4.4 updates vs. Xen Stretch backport

2019-09-25 Thread Bastian Blank
Hi Holger

On Wed, Dec 19, 2018 at 03:33:43PM +, Holger Levsen wrote:
> How are the Xen 4.4 fixes coming along?

In the meantime I was informed by Peter that finishing anything like a
usable backport is not feasible in a useful time frame.

I updated the security tracker now and marked all the problems related
and depending on it as ignored.

Regards,
Bastian

-- 
You!  What PLANET is this!
-- McCoy, "The City on the Edge of Forever", stardate 3134.0



[SECURITY] [DLA 1930-1] linux security update

2019-09-25 Thread Ben Hutchings
Package: linux
Version: 3.16.74-1
CVE ID : CVE-2016-10905 CVE-2018-20976 CVE-2018-21008 CVE-2019-0136 
 CVE-2019-9506 CVE-2019-14814 CVE-2019-14815 CVE-2019-14816 
 CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 
 CVE-2019-15211 CVE-2019-15212 CVE-2019-15215 CVE-2019-15218 
 CVE-2019-15219 CVE-2019-15220 CVE-2019-15221 CVE-2019-15292 
 CVE-2019-15807 CVE-2019-15917 CVE-2019-15926

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2016-10905

A race condition was discovered in the GFS2 file-system
implementation, which could lead to a use-after-free.  On a system
using GFS2, a local attacker could use this for denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2018-20976

It was discovered that the XFS file-system implementation did not
correctly handle some mount failure conditions, which could lead
to a use-after-free.  The security impact of this is unclear.

CVE-2018-21008

It was discovered that the rsi wifi driver did not correctly
handle some failure conditions, which could lead to a use-after-
free.  The security impact of this is unclear.

CVE-2019-0136

It was discovered that the wifi soft-MAC implementation (mac80211)
did not properly authenticate Tunneled Direct Link Setup (TDLS)
messages.  A nearby attacker could use this for denial of service
(loss of wifi connectivity).

CVE-2019-9506

Daniele Antonioli, Nils Ole Tippenhauer, and Kasper Rasmussen
discovered a weakness in the Bluetooth pairing protocols, dubbed
the "KNOB attack".  An attacker that is nearby during pairing
could use this to weaken the encryption used between the paired
devices, and then to eavesdrop on and/or spoof communication
between them.

This update mitigates the attack by requiring a minimum encryption
key length of 56 bits.

CVE-2019-14814, CVE-2019-14815, CVE-2019-14816

Multiple bugs were discovered in the mwifiex wifi driver, which
could lead to heap buffer overflows.  A local user permitted to
configure a device handled by this driver could probably use this
for privilege escalation.

CVE-2019-14821

Matt Delco reported a race condition in KVM's coalesced MMIO
facility, which could lead to out-of-bounds access in the kernel.
A local attacker permitted to access /dev/kvm could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.

CVE-2019-14835

Peter Pi of Tencent Blade Team discovered a missing bounds check
in vhost_net, the network back-end driver for KVM hosts, leading
to a buffer overflow when the host begins live migration of a VM.
An attacker in control of a VM could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation on the host.

CVE-2019-15117

Hui Peng and Mathias Payer reported a missing bounds check in the
usb-audio driver's descriptor parsing code, leading to a buffer
over-read.  An attacker able to add USB devices could possibly use
this to cause a denial of service (crash).

CVE-2019-15118

Hui Peng and Mathias Payer reported unbounded recursion in the
usb-audio driver's descriptor parsing code, leading to a stack
overflow.  An attacker able to add USB devices could use this to
cause a denial of service (memory corruption or crash) or possibly
for privilege escalation.

CVE-2019-15211

The syzkaller tool found a bug in the radio-raremono driver that
could lead to a use-after-free.  An attacker able to add and
remove USB devices could use this to cause a denial of service
(memory corruption or crash) or possibly for privilege escalation.

CVE-2019-15212

The syzkaller tool found that the rio500 driver does not work
correctly if more than one device is bound to it.  An attacker
able to add USB devices could use this to cause a denial of
service (memory corruption or crash) or possibly for privilege
escalation.

CVE-2019-15215

The syzkaller tool found a bug in the cpia2_usb driver that leads
to a use-after-free.  An attacker able to add and remove USB
devices could use this to cause a denial of service (memory
corruption or crash) or possibly for privilege escalation.

CVE-2019-15218

The syzkaller tool found that the smsusb driver did not validate
that USB devices have the expected endpoints, potentially leading
to a null pointer dereference.  An attacker able to add USB
devices could use this to cause a denial of service (BUG/oops).

CVE-2019-15219

The syzkaller tool found that a device initialisation error in the
sisusbvga driver could lead to a null pointer dereference.  An
attacker 

ruby-mini-magick

2019-09-25 Thread Brian May
Hello All,

I just noticed I can't build ruby-mini-magick in Jessie, required for a
security update.

expected no Exception, got #1, :output=>""}> with backtrace:

Problem seems to be that the identify command, from imagemagick fails
when supplied a *.psd file:

# identify /tmp/tigerpsdfmt.psd ; echo $?
1

This same command with the same file works on stretch.

Any ideas?

Regards
-- 
Brian May 
https://linuxpenguins.xyz/brian/