Re: Update of OpenVSwitch in Stretch

2021-02-15 Thread Thorsten Alteholz

Hi everybody,

On Mon, 15 Feb 2021, Thorsten Alteholz wrote:
> your suggestion sounds good. If nobody objects, I would upload version
> 2.6.10.


the new version is available at:
 https://people.debian.org/~alteholz/packages/to-be-tested/openvswitch-2.6.10/

Maybe somebody is able to test the package before I upload it. At least 
the test suite ran successfully ...


  Thorsten



Re: Update of OpenVSwitch in Stretch

2021-02-15 Thread Chris Lamb
Hi Thomas,

> There's been some serious security issues in OVS recently. My
> recommendation to the LTS team would be to simply upgrade to the latest
> point release for the given distribution. For example, Stretch has
> 2.6.2~pre+git20161223-3. I would advise upgrading to 2.6.10. Anything
> older than Stretch doesn't have any upstream support.

This is a good idea. My only concern, of course, is regarding
regressions — the diff between the two upstream tarballs in question
is 156MB, although from a quick glance this is admittedly mostly test
and autotools related changes.

Can you vouch for upstream making sensible/reasonable decisions
between these minor releases? That would be necessary for a
hypothetical 2.6.11 too.


Regards,

--
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-

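To check a claim like the one above (that a very large tarball-to-tarball diff is mostly test and autotools churn rather than shipped code), here is an added Python example, not Debian or Open vSwitch tooling, that hashes every regular file in two release tarballs and buckets the differences by area. The category rules and the two tiny tarballs are constructed for illustration and do not reflect the real OVS tree; the top-level `pkg-x.y.z/` directory is stripped so the two versions compare path for path.

```python
"""Added example: bucket the difference between two release tarballs by
area so a reviewer can see how much of a big diff is test or build-system
churn.  Categories and sample archives are illustrative, not OVS's layout."""
import hashlib
import io
import posixpath
import tarfile

# Assumed: files autotools regenerates on every release.  Adjust per project.
BUILD_SYSTEM_NAMES = {"configure", "Makefile.in", "aclocal.m4", "config.h.in",
                      "compile", "depcomp", "missing", "install-sh", "ltmain.sh"}


def classify(path: str) -> str:
    """Map a path inside the tarball to one of: tests, build-system, source."""
    if "tests" in path.split("/"):
        return "tests"
    if posixpath.basename(path) in BUILD_SYSTEM_NAMES or path.endswith(".m4"):
        return "build-system"
    return "source"


def digest_members(data: bytes) -> dict:
    """Map member path (top-level directory stripped) to (sha256, size)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            if not m.isfile():
                continue
            path = m.name.split("/", 1)[1] if "/" in m.name else m.name
            digest = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
            out[path] = (digest, m.size)
    return out


def triage(old: bytes, new: bytes) -> dict:
    """Compare two tarballs; return {category: {added, removed, changed, bytes}}.
    'bytes' is the size of the files involved (new size for added/changed)."""
    a, b = digest_members(old), digest_members(new)
    report = {}
    for path in sorted(set(a) | set(b)):
        if path not in a:
            kind, size = "added", b[path][1]
        elif path not in b:
            kind, size = "removed", a[path][1]
        elif a[path][0] != b[path][0]:
            kind, size = "changed", b[path][1]
        else:
            continue  # identical content, not part of the diff
        cat = report.setdefault(
            classify(path), {"added": [], "removed": [], "changed": [], "bytes": 0})
        cat[kind].append(path)
        cat["bytes"] += size
    return report


def make_tar(prefix: str, files: dict) -> bytes:
    """Build an in-memory tarball of constructed sample files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            ti = tarfile.TarInfo(prefix + "/" + name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample releases: a regenerated configure dwarfs the code change.
OLD = make_tar("pkg-2.6.2", {
    "configure": b"old configure\n",
    "lib/flow.c": b"int flow(void) { return 1; }\n",
    "lib/util.c": b"/* unchanged */\n",
    "lib/old.c": b"removed in new\n",
    "tests/flow.at": b"old test\n",
})
NEW = make_tar("pkg-2.6.10", {
    "configure": b"new configure\n" * 50,
    "Makefile.in": b"generated\n",
    "lib/flow.c": b"int flow(void) { return 2; }\n",
    "lib/util.c": b"/* unchanged */\n",
    "lib/new.c": b"added\n",
    "tests/flow.at": b"new test\n",
    "tests/new.at": b"another\n",
})

if __name__ == "__main__":
    for category, info in triage(OLD, NEW).items():
        print("%-13s %6d bytes  +%d -%d ~%d" % (
            category, info["bytes"], len(info["added"]),
            len(info["removed"]), len(info["changed"])))
```

Run against two real upstream tarballs by reading them into bytes; the "source" bucket is the part that actually needs review for regressions, and anything left in it after the test and build-system buckets are set aside is the diff the reviewer has to read.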


Update of OpenVSwitch in Stretch

2021-02-15 Thread Thomas Goirand
Hi,

There's been some serious security issues in OVS recently. My
recommendation to the LTS team would be to simply upgrade to the latest
point release for the given distribution. For example, Stretch has
2.6.2~pre+git20161223-3. I would advise upgrading to 2.6.10. Anything
older than Stretch doesn't have any upstream support. Your thoughts? Can
anyone from the team do it?

Cheers,

Thomas Goirand (zigo)



[SECURITY] [DLA 2559-1] busybox security update

2021-02-15 Thread Markus Koschany
-
Debian LTS Advisory DLA-2559-1debian-...@lists.debian.org
https://www.debian.org/lts/security/  Markus Koschany
February 15, 2021 https://wiki.debian.org/LTS
-

Package: busybox
Version: 1:1.22.0-19+deb9u1
CVE ID : CVE-2011-5325 CVE-2015-9261 CVE-2016-2147 CVE-2016-2148 
 CVE-2017-15873 CVE-2017-16544 CVE-2018-1000517
Debian Bug : 902724 882258 879732 818497 818499 803097 802702

Busybox, utility programs for small and embedded systems, was affected
by several security vulnerabilities. The Common Vulnerabilities and
Exposures project identifies the following issues.

CVE-2011-5325

A path traversal vulnerability was found in Busybox implementation
of tar. tar will extract a symlink that points outside of the
current working directory and then follow that symlink when
extracting other files. This allows for a directory traversal
attack when extracting untrusted tarballs.

CVE-2013-1813

When device node or symlink in /dev should be created inside
2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate
directories are created with incorrect permissions.

CVE-2014-4607

The lzo1x_decompress_safe function handles a "literal run" in three
places; each is subject to an integer overflow when processing zero
bytes. This exposes the code that copies literals to memory
corruption.

CVE-2014-9645

The add_probe function in modutils/modprobe.c in BusyBox allows
local users to bypass intended restrictions on loading kernel
modules via a / (slash) character in a module name, as demonstrated
by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none
/" command.

CVE-2016-2147

Integer overflow in the DHCP client (udhcpc) in BusyBox allows
remote attackers to cause a denial of service (crash) via a
malformed RFC1035-encoded domain name, which triggers an
out-of-bounds heap write.

CVE-2016-2148

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox
allows remote attackers to have unspecified impact via vectors
involving OPTION_6RD parsing.

CVE-2017-15873

The get_next_block function in
archival/libarchive/decompress_bunzip2.c in BusyBox has an Integer
Overflow that may lead to a write access violation.

CVE-2017-16544

In the add_match function in libbb/lineedit.c in BusyBox, the tab
autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing
any escape sequence in the terminal. This could potentially result
in code execution, arbitrary file writes, or other attacks.

CVE-2018-1000517

Busybox wget contains a heap-based buffer overflow. This attack
appears to be exploitable via network connectivity.

CVE-2015-9261

Unzipping a specially crafted zip file results in the computation of
an invalid pointer and a crash reading an invalid address.

For Debian 9 stretch, these problems have been fixed in version
1:1.22.0-19+deb9u1.

We recommend that you upgrade your busybox packages.

For the detailed security status of busybox please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/busybox

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



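The symlink-then-write pattern behind CVE-2011-5325 above can be caught before anything touches the filesystem by resolving each member's path through the symlinks the archive has already asked for, rather than trusting the member name as written. The following is an added example in Python, not BusyBox code; the destination path and the sample archive are constructed for illustration.

```python
"""Added example (not BusyBox code): audit a tar archive for members that
would land outside the extraction directory when an extractor creates
symlinks as it goes, the pattern behind CVE-2011-5325."""
import io
import posixpath
import tarfile


def _inside(path: str, root: str) -> bool:
    """True if the normalized absolute path is root or lies below it."""
    return posixpath.commonpath([path, root]) == root


def audit_tar(data: bytes, dest: str = "/srv/extract") -> dict:
    """Return {'ok': [names], 'rejected': {name: reason}} for extraction into dest.

    Symlinks are remembered as they are seen, so a later member whose path
    passes through a symlink is judged by where it would really be written."""
    dest = posixpath.normpath(dest)
    links = {}                          # resolved symlink path -> target path
    verdict = {"ok": [], "rejected": {}}

    def resolve(name):
        """Return (resolved_path, None) or (None, reason)."""
        cur = dest
        for part in posixpath.normpath(name).split("/"):
            if part in ("", "."):
                continue
            if part == "..":
                return None, "'..' component in %s" % name
            cur = posixpath.join(cur, part)
            hops = 0
            while cur in links:             # follow links this archive created
                hops += 1
                if hops > 32:
                    return None, "symlink loop under %s" % name
                via, cur = posixpath.relpath(cur, dest), links[cur]
                if not _inside(cur, dest):
                    return None, "resolves through symlink %s to %s" % (via, cur)
        return cur, None

    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tf:
        for m in tf:
            if m.name.startswith("/"):
                verdict["rejected"][m.name] = "absolute member name"
                continue
            target, reason = resolve(m.name)
            if target is None:
                verdict["rejected"][m.name] = reason
                continue
            if m.issym():
                # Remember the link even when rejecting it: any later member
                # routed through it is part of the same attack.
                link_target = posixpath.normpath(
                    posixpath.join(posixpath.dirname(target), m.linkname))
                links[target] = link_target
                if not _inside(link_target, dest):
                    verdict["rejected"][m.name] = "symlink to %s outside %s" % (
                        link_target, dest)
                    continue
            elif m.islnk():
                # Hard link names are archive-relative, so resolve like a member.
                link_target, reason = resolve(m.linkname)
                if link_target is None:
                    verdict["rejected"][m.name] = "hard link: " + reason
                    continue
            verdict["ok"].append(m.name)
    return verdict


def _add_file(tf, name, data):
    ti = tarfile.TarInfo(name)
    ti.size = len(data)
    tf.addfile(ti, io.BytesIO(data))


def _add_symlink(tf, name, linkname):
    ti = tarfile.TarInfo(name)
    ti.type = tarfile.SYMTYPE
    ti.linkname = linkname
    tf.addfile(ti)


def build_sample_tar() -> bytes:
    """Constructed sample archive: three hostile members plus benign ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        _add_file(tf, "/tmp/abs", b"absolute name\n")         # rejected
        _add_symlink(tf, "cfg", "../../etc")                   # rejected: leaves dest
        _add_file(tf, "cfg/passwd", b"root::0:0::/:/bin/sh\n")  # rejected: via cfg -> /etc
        _add_file(tf, "docs/readme", b"hello\n")              # ok
        _add_symlink(tf, "lib", "docs")                        # ok: stays inside dest
        _add_file(tf, "lib/notes", b"via in-tree symlink\n")  # ok: docs/notes
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in audit_tar(build_sample_tar())["rejected"].items():
        print("REJECT %-12s %s" % (name, why))
```

The point of remembering rejected symlinks is that the archive, not the filesystem, is the adversary: `cfg/passwd` looks harmless on its own and only becomes a write to `/etc/passwd` because of the member before it, so the audit must be stateful across members. In-tree symlinks such as `lib -> docs` are still allowed, which is what distinguishes this check from simply refusing every symlink.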

Accepted busybox 1:1.22.0-19+deb9u1 (source amd64 all) into oldstable

2021-02-15 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 15 Feb 2021 11:42:15 +0100
Source: busybox
Binary: busybox busybox-static busybox-udeb busybox-syslogd udhcpc udhcpd
Architecture: source amd64 all
Version: 1:1.22.0-19+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Install System Team 
Changed-By: Markus Koschany 
Description:
 busybox - Tiny utilities for small and embedded systems
 busybox-static - Standalone rescue shell with tons of builtin utilities
 busybox-syslogd - Provides syslogd and klogd using busybox
 busybox-udeb - Tiny utilities for the debian-installer (udeb)
 udhcpc - Provides the busybox DHCP client implementation
 udhcpd - Provides the busybox DHCP server implementation
Changes:
 busybox (1:1.22.0-19+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2011-5325:
 A path traversal vulnerability was found in Busybox implementation of tar.
 tar will extract a symlink that points outside of the current working
 directory and then follow that symlink when extracting other files. This
 allows for a directory traversal attack when extracting untrusted tarballs.
   * Fix CVE-2014-9645:
 The add_probe function in modutils/modprobe.c in BusyBox allows local users
 to bypass intended restrictions on loading kernel modules via a / (slash)
 character in a module name, as demonstrated by an "ifconfig /usbserial up"
 command or a "mount -t /snd_pcm none /" command.
   * Fix CVE-2016-2147:
 Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote
 attackers to cause a denial of service (crash) via a malformed
 RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
   * Fix CVE-2016-2148:
 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows
 remote attackers to have unspecified impact via vectors involving
 OPTION_6RD parsing.
   * Fix CVE-2017-15873:
 The get_next_block function in archival/libarchive/decompress_bunzip2.c in
 BusyBox has an Integer Overflow that may lead to a write access violation.
   * Fix CVE-2017-16544:
 In the add_match function in libbb/lineedit.c in BusyBox, the tab
 autocomplete feature of the shell, used to get a list of filenames in a
 directory, does not sanitize filenames and results in executing any escape
 sequence in the terminal. This could potentially result in code execution,
 arbitrary file writes, or other attacks.
   * Fix CVE-2018-1000517:
 BusyBox project BusyBox wget contains a Buffer Overflow vulnerability in
 Busybox wget that can result in heap buffer overflow. This attack appears to
 be exploitable via network connectivity.
   * CVE-2015-9261:
 Unzipping a specially crafted zip file results in a computation of an
 invalid pointer and a crash reading an invalid address.
Checksums-Sha1:
 9118f0049604a07729841fb131850df18b9d5b7c 2449 busybox_1.22.0-19+deb9u1.dsc
 486fb55c3efa71148fe07895fd713ea3a5ae343a 2218120 busybox_1.22.0.orig.tar.bz2
 1c62cee71e7605133fa5aa6ab599d2c470ec89a9 65068 busybox_1.22.0-19+deb9u1.debian.tar.xz
 a2d42c905224eff64d93d13d88b4e8d1efdddb05 1383120 busybox-dbgsym_1.22.0-19+deb9u1_amd64.deb
 7a2006ee63de423f59aaa79682e2b23d0098c849 1576320 busybox-static-dbgsym_1.22.0-19+deb9u1_amd64.deb
 ea80f5ac7f6789d09d77f46b98b6dd8dd6483664 856002 busybox-static_1.22.0-19+deb9u1_amd64.deb
 f30799f129ac20d4b9b445d85d06190bed143fc0 25048 busybox-syslogd_1.22.0-19+deb9u1_all.deb
 6c89e849239f05a67be0e5c68122e9cf457e61e3 181078 busybox-udeb_1.22.0-19+deb9u1_amd64.udeb
 cbfa93eaf0a29a8589d820b01d15dfc59bdbab3a 8057 busybox_1.22.0-19+deb9u1_amd64.buildinfo
 50c8170e04bdac9b26737dd22506f9f1f64834e8 405652 busybox_1.22.0-19+deb9u1_amd64.deb
 c32f4f186751ac29ebebcbbde2f0e385ed72ebd2 23226 udhcpc_1.22.0-19+deb9u1_amd64.deb
 1bedc4a605ce6b9a32db044db737331228d3c127 25986 udhcpd_1.22.0-19+deb9u1_amd64.deb
Checksums-Sha256:
 3d5564a85e98d0ebc890ea55b0054a43d8b6a75c9054486617336b60bb1c520f 2449 busybox_1.22.0-19+deb9u1.dsc
 92f00cd391b7d5fa2215c8450abe2ba15f9d16c226e8855fb21b6c9a5b723a53 2218120 busybox_1.22.0.orig.tar.bz2
 89d983213df30b2f9828bb751f35776767bd19d9cfedf86b90349ae680a5217e 65068 busybox_1.22.0-19+deb9u1.debian.tar.xz
 87f0d9420628e22deed0b405658d81b86f6a2d6521aaf96eb692237f215039a5 1383120 busybox-dbgsym_1.22.0-19+deb9u1_amd64.deb
 bebcc144c8e131e16b44ee4d120ee1498a814f42068da5680693831e38c569de 1576320 busybox-static-dbgsym_1.22.0-19+deb9u1_amd64.deb
 dd131cce144e1441889931385bf9689b654809710860a8cc2d7501d9037ae165 856002 busybox-static_1.22.0-19+deb9u1_amd64.deb
 749c3945bd7a3b9e8deb51f4d6e1c562515b862e8fd84a0c806f367afff93e45 25048 busybox-syslogd_1.22.0-19+deb9u1_all.deb
 1497c105aac7827fa0166b28c434ab463fea35c1dd87866c5ce2f0c75303eec5 181078 busybox-udeb_1.22.0-19+deb9u1_amd64.udeb
 39cfcd0561f38b8be65fa3151e2278af7d2655bec1be6b19914cd63fe3d9eb72 8057 

(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-02-15 Thread Holger Levsen
hi,

today packages were unclaimed for

LTS:
- ansible (Markus Koschany)

ELTS:
- openjpeg2 (Roberto C. Sánchez)

Then, Thorsten Alteholz probably claimed too many packages: 
- golang-github-appc-cni
- libebml
- openvswitch
- subversion
- wpa

And three DLAs have been reserved but not yet published:
- DLA 2557-1 (12 Feb 2021) (linux-4.19)
- DLA 2552-1 (09 Feb 2021) (connman)
- DLA 2551-1 (09 Feb 2021) (slirp)

Have a great week!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

