Re: Drop support for libqb?
On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
>
> And then it would be ideal to upload the package to unstable and then
> file a SRM bug to update the package in stretch, in addition to
> uploading to jessie. (Probably this should also result in a DLA, not
> 100% sure though. Thoughts & comments definitely welcome.)
>
Hi Holger,

I am hesitant to file the bugs with the SRMs and to do the jessie upload.

I merged the 2019.11.15 tag into the jessie and stretch branches. I also
created a new buster branch from that tag. The buster update goes from
2019.06.13..2019.11.15_deb10u1, the stretch update from
debian/2019.02.01_deb9u1..2019.11.15_deb9u1 and the jessie update from
debian/2019.02.01_deb8u1..2019.11.15_deb8u1.

The git diffs look sane. However, after building each of the packages and
checking the debdiffs (against source packages downloaded with debsnap),
the stretch and jessie packages I built seem to be inducing many more
changes than those revealed by git diff.

Before I go ahead with pushing changes to salsa, uploading to jessie,
releasing a DLA, and filing bugs requesting approval to upload to buster
and stretch, I'd like to make sure that I have gone about all of this in
the right way.

What is the best way to facilitate this? Should I fork
debian-security-support and push my proposed changes there for you to
review? Should I post source packages and debdiffs for review?

Let me know how I should proceed.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: Drop support for libqb?
On Fri, Nov 15, 2019 at 08:42:59PM +, Holger Levsen wrote:
> On Thu, Nov 14, 2019 at 01:51:46PM -0500, Roberto C. Sánchez wrote:
> > > I had not yet seen this message so I already submitted a MR. Should I
> > > close that and make a direct commit?
>
> I believe you did this now, but in any case: yes, please.
>
Yes, that is done.

> > - Any feedback on this proposed DLA text?
>
> a.) very cool!
>
> > Package: debian-security-support
> > Version: 2019.11.15~deb8u1
> >
> >
> > debian-security-support, the Debian security support coverage checker,
> > has been updated in jessie.
> >
> > This marks the end of life of the libqb package in jessie. A recently
> > reported vulnerability against libqb which allows users to overwrite
> > arbitrary files via a symlink attack cannot be adequately addressed in
> > libqb in jessie. Upstream no longer supports this version and no
> > packages in jessie depend upon libqb, thus making it a leaf package.
>
> b.) I would drop the 'thus making it a leaf package.' half-sentence as
> it conveys no relevant information.
>
I have updated my draft. When I upload to jessie a bit later on tonight I
will release the DLA with the updated wording.

> & thanks again for taking care of the d-s-s upload!
>
My pleasure.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: automatically strip no-dsa tags by gen-DLA
On Fri, Nov 15, 2019 at 05:15:14PM +1100, Brian May wrote:
> In an attempt to complete this TODO item from the wiki:
> https://wiki.debian.org/LTS/TODO#automatically_strip_no-dsa_tags_by_gen-DLA
[...]
> Any comments or suggestions?

nice work & many thanks for searching for work also in the LTS TODO! (&

-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Drop support for libqb?
On Thu, Nov 14, 2019 at 01:51:46PM -0500, Roberto C. Sánchez wrote:
> > I had not yet seen this message so I already submitted a MR. Should I
> > close that and make a direct commit?

I believe you did this now, but in any case: yes, please.

> - Any feedback on this proposed DLA text?

a.) very cool!

> Package: debian-security-support
> Version: 2019.11.15~deb8u1
>
>
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
>
> This marks the end of life of the libqb package in jessie. A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie. Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.

b.) I would drop the 'thus making it a leaf package.' half-sentence as
it conveys no relevant information.

& thanks again for taking care of the d-s-s upload!

-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
[SECURITY] [DLA-1994-1] postgresql-common security update
Package: postgresql-common
Version: 165+deb8u4
CVE ID : CVE-2019-3466

Rich Mirch discovered that the pg_ctlcluster script didn't drop privileges
when creating socket/statistics temporary directories, which could result
in local privilege escalation.

For the oldoldstable distribution (jessie), this problem has been fixed in
version 165+deb8u4.

We recommend that you upgrade your postgresql-common packages.

For the detailed security status of postgresql-common please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/postgresql-common
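The advisory's point is that a privileged wrapper must not create per-service runtime directories while still holding its own privileges. The following is an added example written for this archive page, not code from postgresql-common or pg_ctlcluster: it creates a service's runtime directory only inside a forked child that has already switched to the service account, and then checks the result with lstat(). The `service_uid`/`service_gid` parameters, the `pg_stat_tmp` directory name and the scratch location under /tmp are this example's own assumptions.

```c
// Added example (not from postgresql-common): create a service directory
// only after dropping privileges, then verify ownership and mode.
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create `path` as service_uid:service_gid in a child process.
 * Returns 0 on success, or the child's non-zero exit code.
 * mkdir() never follows a symlink and fails with EEXIST when anything
 * already sits at `path`, so a pre-planted entry cannot redirect it; doing
 * the mkdir as the service account means it can only succeed where that
 * account could write anyway. */
int make_service_dir(const char *path, uid_t service_uid, gid_t service_gid, mode_t mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        /* Child: supplementary groups first (root only), then gid, then uid. */
        if (geteuid() == 0 && setgroups(0, NULL) != 0)
            _exit(2);
        if (setgid(service_gid) != 0 || setuid(service_uid) != 0)
            _exit(3);
        /* If the target account is not root, regaining root must now fail. */
        if (service_uid != 0 && setuid(0) == 0)
            _exit(4);
        if (mkdir(path, mode) != 0)
            _exit(5);                      /* EEXIST lands here */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return 1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

/* Return 1 if `path` is a real directory (not a symlink) owned by `owner`
 * with no group/other permission bits, 0 otherwise. */
int verify_service_dir(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == owner && (st.st_mode & 077) == 0;
}

/* Run the procedure in a scratch directory using the caller's own
 * account as the "service" account.  Encodes (first create, verified,
 * second create) as first*100 + verified*10 + second. */
int demo(void)
{
    char tmpl[] = "/tmp/svcdir-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(tmpl) == NULL)
        return -1;
    char path[64];
    snprintf(path, sizeof path, "%s/pg_stat_tmp", tmpl);
    int first = make_service_dir(path, getuid(), getgid(), 0700);
    int ok = verify_service_dir(path, getuid());
    int second = make_service_dir(path, getuid(), getgid(), 0700);
    rmdir(path);
    rmdir(tmpl);
    return first * 100 + ok * 10 + second;
}

int main(void)
{
    printf("result code: %d (expect 15: created, verified, second attempt refused)\n", demo());
    return 0;
}
```

Run as an unprivileged user the child's setgid/setuid calls are no-ops that succeed; run as root they perform the actual drop. The second call returns 5 because mkdir() refuses the existing path, which is the behaviour that keeps a pre-existing file or symlink from being followed.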
Captain Mafia international 0007
Sent from my Huawei phone
[SECURITY] [DLA 1993-1] mesa security update
Package: mesa
Version: 10.3.2-1+deb8u2
CVE ID : CVE-2019-5068
Debian Bug : 944298

Tim Brown discovered a shared memory permissions vulnerability in the Mesa
3D graphics library. Some Mesa X11 drivers use shared-memory XImages to
implement back buffers for improved performance, but Mesa creates shared
memory regions with permission mode 0777. An attacker can access the shared
memory without any specific permissions.

For Debian 8 "Jessie", this problem has been fixed in version
10.3.2-1+deb8u2.

We recommend that you upgrade your mesa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS
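To make the advisory's "permission mode 0777" concrete, here is an added example written for this page (it is not Mesa code and not part of the advisory): it creates a System V shared memory segment with a given mode, reads the effective mode back with shmctl(IPC_STAT), and reports whether the segment is reachable by unrelated users. The segment size and the helper names are this example's own choices.

```c
// Added example (not Mesa code): world-accessible vs owner-only SysV shared
// memory, with the effective mode read back for verification.
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Create a private segment with the requested permission bits.
 * Returns the segment id, or -1 on failure.  Unlike open(), shmget()
 * does not apply the umask, so whatever bits are passed here are the
 * bits every other process on the host will see. */
static int create_segment(int mode)
{
    return shmget(IPC_PRIVATE, 4096, IPC_CREAT | (mode & 0777));
}

/* Read the permission bits of an existing segment, or -1 on error. */
static int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) != 0)
        return -1;
    return ds.shm_perm.mode & 0777;
}

/* 1 if any "other" bit is set, i.e. any local user may attach the segment. */
static int world_accessible(int mode)
{
    return (mode & (S_IROTH | S_IWOTH | S_IXOTH)) != 0;
}

/* Create, inspect and remove a segment; return 1 if it was world-accessible,
 * 0 if not, -1 if the IPC calls failed. */
int check_mode(int mode)
{
    int id = create_segment(mode);
    if (id < 0)
        return -1;
    int observed = segment_mode(id);
    shmctl(id, IPC_RMID, NULL);       /* mark for removal; nobody is attached */
    if (observed < 0)
        return -1;
    return world_accessible(observed);
}

int main(void)
{
    /* The advisory's pattern versus an owner-only segment. */
    printf("mode 0777 world-accessible: %d\n", check_mode(0777));
    printf("mode 0600 world-accessible: %d\n", check_mode(0600));
    return 0;
}
```

The same segment_mode()/world_accessible() pair can be applied to the ids listed by `ipcs -m` to audit what is already present on a host; a segment holding a back buffer should report 0 here.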
Accepted mesa 10.3.2-1+deb8u2 (source amd64) into oldoldstable
Format: 1.8
Date: Thu, 14 Nov 2019 17:49:36 +0100
Source: mesa
Binary: libgl1-mesa-swx11 libgl1-mesa-swx11-dbg libgl1-mesa-swx11-i686 libgl1-mesa-swx11-dev libxatracker2 libxatracker2-dbg libxatracker-dev libgbm1 libgbm1-dbg libgbm-dev libegl1-mesa libegl1-mesa-dbg libegl1-mesa-dev libegl1-mesa-drivers libegl1-mesa-drivers-dbg libwayland-egl1-mesa libwayland-egl1-mesa-dbg libopenvg1-mesa libopenvg1-mesa-dbg libopenvg1-mesa-dev libgles1-mesa libgles1-mesa-dbg libgles1-mesa-dev libgles2-mesa libgles2-mesa-dbg libgles2-mesa-dev libglapi-mesa libglapi-mesa-dbg libgl1-mesa-glx libgl1-mesa-glx-dbg libgl1-mesa-dri libgl1-mesa-dri-dbg libgl1-mesa-dev mesa-common-dev libosmesa6 libosmesa6-dev mesa-vdpau-drivers mesa-vdpau-drivers-dbg mesa-opencl-icd mesa-opencl-icd-dbg
Architecture: source amd64
Version: 10.3.2-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian X Strike Force
Changed-By: Sylvain Beucler
Description:
 libegl1-mesa - free implementation of the EGL API -- runtime
 libegl1-mesa-dbg - free implementation of the EGL API -- debugging symbols
 libegl1-mesa-dev - free implementation of the EGL API -- development files
 libegl1-mesa-drivers - free implementation of the EGL API -- hardware drivers
 libegl1-mesa-drivers-dbg - free implementation of the EGL API -- driver debugging symbols
 libgbm-dev - generic buffer management API -- development files
 libgbm1 - generic buffer management API -- runtime
 libgbm1-dbg - generic buffer management API -- debugging symbols
 libgl1-mesa-dev - free implementation of the OpenGL API -- GLX development files
 libgl1-mesa-dri - free implementation of the OpenGL API -- DRI modules
 libgl1-mesa-dri-dbg - Debugging symbols for the Mesa DRI modules
 libgl1-mesa-glx - free implementation of the OpenGL API -- GLX runtime
 libgl1-mesa-glx-dbg - Debugging symbols for the Mesa GLX runtime
 libgl1-mesa-swx11 - free implementation of the OpenGL API -- runtime
 libgl1-mesa-swx11-dbg - free implementation of the OpenGL API -- debugging symbols
 libgl1-mesa-swx11-dev - free implementation of the OpenGL API -- development files
 libgl1-mesa-swx11-i686 - Mesa OpenGL runtime [i686 optimized]
 libglapi-mesa - free implementation of the GL API -- shared library
 libglapi-mesa-dbg - free implementation of the GL API -- debugging symbols
 libgles1-mesa - free implementation of the OpenGL|ES 1.x API -- runtime
 libgles1-mesa-dbg - free implementation of the OpenGL|ES 1.x API -- debugging symbols
 libgles1-mesa-dev - free implementation of the OpenGL|ES 1.x API -- development files
 libgles2-mesa - free implementation of the OpenGL|ES 2.x API -- runtime
 libgles2-mesa-dbg - free implementation of the OpenGL|ES 2.x API -- debugging symbols
 libgles2-mesa-dev - free implementation of the OpenGL|ES 2.x API -- development files
 libopenvg1-mesa - free implementation of the OpenVG API -- runtime
 libopenvg1-mesa-dbg - free implementation of the OpenVG API -- debugging symbols
 libopenvg1-mesa-dev - free implementation of the OpenVG API -- development files
 libosmesa6 - Mesa Off-screen rendering extension
 libosmesa6-dev - Mesa Off-screen rendering extension -- development files
 libwayland-egl1-mesa - implementation of the Wayland EGL platform -- runtime
 libwayland-egl1-mesa-dbg - implementation of the Wayland EGL platform -- debugging symbols
 libxatracker-dev - X acceleration library -- development files
 libxatracker2 - X acceleration library -- runtime
 libxatracker2-dbg - X acceleration library -- debugging symbols
 mesa-common-dev - Developer documentation for Mesa
 mesa-opencl-icd - free implementation of the OpenCL API -- ICD runtime
 mesa-opencl-icd-dbg - free implementation of the OpenCL API -- debugging symbols
 mesa-vdpau-drivers - Mesa VDPAU video acceleration drivers
 mesa-vdpau-drivers-dbg - Debugging symbols for the Mesa VDPAU video acceleration drivers
Changes:
 mesa (10.3.2-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * CVE-2019-5068: an exploitable shared memory permissions vulnerability
     exists in the functionality of X11 Mesa 3D Graphics Library 19.1.2.
     An attacker can access the shared memory without any specific
     permissions to trigger this vulnerability.
   * Drop extra .dir-locals.el files (fixes
     patch-system-but-direct-changes-in-diff).
Checksums-Sha1:
 b1380b08d29c7f1f877c64bb8807857304afb88f 5130 mesa_10.3.2-1+deb8u2.dsc
 a642d1fe460b4f5e4e650c71d07f4f0f511f8ba0 9649735 mesa_10.3.2.orig.tar.gz
 8d318b6fe7f6bda361bf89ea8172740138fc37d8 82561 mesa_10.3.2-1+deb8u2.diff.gz
 587a2362e18f17578c519ebc588933ef71063b9c 1217364 libgl1-mesa-swx11_10.3.2-1+deb8u2_amd64.deb
 e79c22120f21780f812c31e5ceeb6f0e1f9c3d0e 8207474 libgl1-mesa-swx11-dbg_10.3.2-1+deb8u2_amd64.deb
 d8d9357e5d4be41e17a6ddaaacd495902e54a6cb 1401798 libgl1-mesa-swx11-dev_10.3.2-1+deb8u2_amd64.deb
 30a6675679e20b5f11da303e077af1d6c76cf8c5 960402
Re: Drop support for libqb?
On Fri, Nov 15, 2019 at 02:56:31PM +0100, Emilio Pozuelo Monfort wrote:
> On 14/11/2019 19:51, Roberto C. Sánchez wrote:
> >
> > - Any feedback on this proposed DLA text?
> >
> > Package: debian-security-support
> > Version: 2019.11.15~deb8u1
> >
> >
> > debian-security-support, the Debian security support coverage checker,
> > has been updated in jessie.
> >
> > This marks the end of life of the libqb package in jessie. A recently
> > reported vulnerability against libqb which allows users to overwrite
> > arbitrary files via a symlink attack cannot be adequately addressed in
> > libqb in jessie. Upstream no longer supports this version and no
> > packages in jessie depend upon libqb, thus making it a leaf package.
> >
> > We recommend that if your systems or applications depend upon the libqb
> > package provided from the Debian archive that you upgrade your systems
> > to a more recent Debian release or find an alternate and up to date
> > source of libqb packages.
>
> Looks fine to me. I have also noticed that we didn't get a
> debian-security-support update for the mysql-5.5 EOL, so if you can add a
> paragraph about it in the announcement (the changes to the
> debian-security-support were already there) that'd be great. Something such
> as:
>
> In addition to that, MySQL 5.5 is no longer supported as upstream ended its
> support and we are unable to backport fixes from newer versions due to the
> lack of patch details. Options are to switch to MariaDB 10.0 in jessie or to
> a newer version in more recent Debian releases.
>
I'll definitely add that.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: Drop support for libqb?
On 14/11/2019 19:51, Roberto C. Sánchez wrote:
> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
>> On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
>>> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
>>>>> We usually mark affected CVE as in data/CVE/list and just
>>>>> add the package to security-support-ended.deb8 in
>>>>> debian-security-support. We then upload new versions of the package
>>>>> periodically and announce it via DLA. I believe now is a good time to do
>>>>> it.
>>>>
>>>> Thanks for the information. I will start working on it today.
>>>
>>> As any DD can commit to debian-security-support.git and also can upload
>>> that package, just make sure to call it a team upload in d/changelog to
>>> appease lintian and possibly other tools.
>>>
>> I had not yet seen this message so I already submitted a MR. Should I
>> close that and make a direct commit?
>>
>>> And then it would be ideal to upload the package to unstable and then
>>> file a SRM bug to update the package in stretch, in addition to
>>> uploading to jessie. (Probably this should also result in a DLA, not
>>> 100% sure though. Thoughts & comments definitely welcome.)
>>>
>>
>> Looking at the previous updates, a DLA seems appropriate. I am in the
>> process of drafting the text.
>>
>>> I believe it's fine if the version constraints (package version in
>>> unstable higher than testing higher than stable higher than oldstable)
>>> are temporarily not met, but I also believe it's important that they are
>>> in the long run & most of the time.
>>>
>>> If doing all this work is too much or tedious to you, please shout and I
>>> will be happy to finish this. Please just do at least the initial
>>> change in git to security-support-ended.deb8.
>>>
>> If I close the MR and commit directly, is it then a simple matter of
>> build and upload to unstable? That is, no other special steps are
>> required?
>>
> Some additional follow-up:
>
> - Can I go ahead and mark the CVE in question as in
> data/CVE/list even before the update to debian-security-support is
> complete?

Yeah that should be alright.

> - Any feedback on this proposed DLA text?
>
> Package: debian-security-support
> Version: 2019.11.15~deb8u1
>
>
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
>
> This marks the end of life of the libqb package in jessie. A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie. Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.
>
> We recommend that if your systems or applications depend upon the libqb
> package provided from the Debian archive that you upgrade your systems
> to a more recent Debian release or find an alternate and up to date
> source of libqb packages.

Looks fine to me. I have also noticed that we didn't get a
debian-security-support update for the mysql-5.5 EOL, so if you can add a
paragraph about it in the announcement (the changes to the
debian-security-support were already there) that'd be great. Something such
as:

In addition to that, MySQL 5.5 is no longer supported as upstream ended its
support and we are unable to backport fixes from newer versions due to the
lack of patch details. Options are to switch to MariaDB 10.0 in jessie or to
a newer version in more recent Debian releases.
Re: Drop support for libqb?
Hi

I think the text looks good. Not exactly as previous updates but since it is
the only change I think it is better to change the default template in the
way you did it.

Best regards

// Ola

On Thu, 14 Nov 2019 at 19:52, Roberto C. Sánchez wrote:
> On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
> > On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
> > > On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > > > We usually mark affected CVE as in data/CVE/list and just
> > > > > add the package to security-support-ended.deb8 in
> > > > > debian-security-support. We then upload new versions of the package
> > > > > periodically and announce it via DLA. I believe now is a good time
> > > > > to do it.
> > > >
> > > > Thanks for the information. I will start working on it today.
> > >
> > > As any DD can commit to debian-security-support.git and also can upload
> > > that package, just make sure to call it a team upload in d/changelog to
> > > appease lintian and possibly other tools.
> > >
> > I had not yet seen this message so I already submitted a MR. Should I
> > close that and make a direct commit?
> >
> > > And then it would be ideal to upload the package to unstable and then
> > > file a SRM bug to update the package in stretch, in addition to
> > > uploading to jessie. (Probably this should also result in a DLA, not
> > > 100% sure though. Thoughts & comments definitely welcome.)
> > >
> >
> > Looking at the previous updates, a DLA seems appropriate. I am in the
> > process of drafting the text.
> >
> > > I believe it's fine if the version constraints (package version in
> > > unstable higher than testing higher than stable higher than oldstable)
> > > are temporarily not met, but I also believe it's important that they are
> > > in the long run & most of the time.
> > >
> > > If doing all this work is too much or tedious to you, please shout and I
> > > will be happy to finish this. Please just do at least the initial
> > > change in git to security-support-ended.deb8.
> > >
> > If I close the MR and commit directly, is it then a simple matter of
> > build and upload to unstable? That is, no other special steps are
> > required?
> >
> Some additional follow-up:
>
> - Can I go ahead and mark the CVE in question as in
> data/CVE/list even before the update to debian-security-support is
> complete?
> - Any feedback on this proposed DLA text?
>
> Package: debian-security-support
> Version: 2019.11.15~deb8u1
>
>
> debian-security-support, the Debian security support coverage checker,
> has been updated in jessie.
>
> This marks the end of life of the libqb package in jessie. A recently
> reported vulnerability against libqb which allows users to overwrite
> arbitrary files via a symlink attack cannot be adequately addressed in
> libqb in jessie. Upstream no longer supports this version and no
> packages in jessie depend upon libqb, thus making it a leaf package.
>
> We recommend that if your systems or applications depend upon the libqb
> package provided from the Debian archive that you upgrade your systems
> to a more recent Debian release or find an alternate and up to date
> source of libqb packages.
>
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
>

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------