Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Sven Hartge

On 27.05.21 15:51, Utkarsh Gupta wrote:

> On Thu, May 27, 2021 at 4:22 PM Sven Hartge  wrote:
>>> I'll ultimately leave it up to whoever is on LTS frontdesk duty this
>>> week, but I suspect we will do the same too. Happy to do the actual
>>> upload if FD believes the vulnerability does warrant an update, mind
>>> you. (Thanks either way, of course.)
>>
>> Absolutely fair.
>
> Thanks for preparing the upload. But since you admit that the severity
> is "very very low", I'd rather postpone this so we can roll out this
> fix with the next one (whenever that'd be). Warranting a DLA for this
> alone wouldn't benefit a lot, if I get everything right. Do you think
> it makes sense? Let me know if you're okay with this.


I am absolutely fine with this. Most people using radsecproxy by now
will be using the 1.8.2 package on Buster anyway.

>> For bullseye I have pushed a new version to mentors.debian.net, awaiting
>> upload by a sponsor, in the hope of getting this in before the release.
>
> I've sponsored your upload to unstable. For it to reach bullseye,
> please also file an unblock request, if you haven't already. :)

Thank you for sponsoring the upload. I will file the unblock request
later this evening.


Regards,
Sven.





Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Utkarsh Gupta
Hello Sven, Chris,

On Thu, May 27, 2021 at 4:22 PM Sven Hartge  wrote:
> > I'll ultimately leave it up to whoever is on LTS frontdesk duty this
> > week, but I suspect we will do the same too. Happy to do the actual
> > upload if FD believes the vulnerability does warrant an update, mind
> > you. (Thanks either way, of course.)
>
> Absolutely fair.

Thanks for preparing the upload. But since you admit that the severity
is "very very low", I'd rather postpone this so we can roll out this
fix with the next one (whenever that'd be). Warranting a DLA for this
alone wouldn't benefit a lot, if I get everything right. Do you think
it makes sense? Let me know if you're okay with this.

Just in case you (or Chris) think that it's something worth doing an
LTS upload and releasing a DLA, then by all means go ahead! \o/

> For bullseye I have pushed a new version to mentors.debian.net, awaiting
> upload by a sponsor, in the hope of getting this in before the release.

I've sponsored your upload to unstable. For it to reach bullseye,
please also file an unblock request, if you haven't already. :)


- u



Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Sven Hartge

On 27.05.21 12:08, Chris Lamb wrote:

> I'll ultimately leave it up to whoever is on LTS frontdesk duty this
> week, but I suspect we will do the same too. Happy to do the actual
> upload if FD believes the vulnerability does warrant an update, mind
> you. (Thanks either way, of course.)

Absolutely fair.

For bullseye I have pushed a new version to mentors.debian.net, awaiting
upload by a sponsor, in the hope of getting this in before the release.


Regards,
Sven.





Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Chris Lamb
Hi Sven,

> > Thanks for preparing a package and, at a quick glance, I would be
> > happy to upload it. Just to 100% check though:  you are not in a
> > position to upload it, create and publish a DLA, update the website,
> > etc.? (Just avoiding duplicate work.)

> No, I am just a sponsored uploader, not a DD or DM.
>
> As for the security issue: two example scripts were vulnerable but those
> are not installed into any bin-directory in Debian and only shipped in
> the examples/ directory in the documentation.

Ah indeed -- I saw just after I sent my previous email. In that
case, I think this will almost certainly be marked by the [non-LTS]
Security Team to the effect that it does not justify an update.

I'll ultimately leave it up to whoever is on LTS frontdesk duty this
week, but I suspect we will do the same too. Happy to do the actual
upload if FD believes the vulnerability does warrant an update, mind
you. (Thanks either way, of course.)


Best wishes,

--
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Sven Hartge

On 27.05.21 11:18, Chris Lamb wrote:

> Hi Sven,
>
>> there is a (very) minor security flaw in the radsecproxy package.
>>
>> I have prepared updated packages, available via
>> https://mentors.debian.net/debian/pool/main/r/radsecproxy/radsecproxy_1.6.8-1+deb9u1.dsc
>> for you.
>
> Thanks for preparing a package and, at a quick glance, I would be
> happy to upload it. Just to 100% check though:  you are not in a
> position to upload it, create and publish a DLA, update the website,
> etc.? (Just avoiding duplicate work.)

Hello Chris,

No, I am just a sponsored uploader, not a DD or DM.

As for the security issue: two example scripts were vulnerable but those
are not installed into any bin-directory in Debian and only shipped in
the examples/ directory in the documentation.

So the severity is very very low.

Regards,
Sven.





Re: CVE-2021-32642 in radsecproxy

2021-05-27 Thread Chris Lamb
Hi Sven,

> there is a (very) minor security flaw in the radsecproxy package.
>
> I have prepared updated packages, available via
> https://mentors.debian.net/debian/pool/main/r/radsecproxy/radsecproxy_1.6.8-1+deb9u1.dsc
> for you.

Thanks for preparing a package and, at a quick glance, I would be
happy to upload it. Just to 100% check though:  you are not in a
position to upload it, create and publish a DLA, update the website,
etc.? (Just avoiding duplicate work.)


Regards,

--
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org  chris-lamb.co.uk
   `-



Re: CVE-2021-30130 php-phpseclib and phpseclib

2021-05-27 Thread Abhijith PA
Hi Ola,

On 26/05/21 01:45 PM, Ola Lundqvist wrote:
>Hi fellow LTS contributors
> 
>I have checked this CVE and my conclusions are as follows.
>The CVE actually cover five different problems. I guess CVEs should not
>do that, but it did anyway.
> 
>Quote from upstream:
> 
>Two were vulnerabilities in v3.0 involving the new
>RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
> 
>Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1
>mode (which again, doesn't exist in 2.0)
> 
>One was a bug in v1.0, v2.0 and v3.0.
> 
>The bug refers to "We have also found incompatibility issue in
>phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature
>verification suffering from rejecting valid signatures whose encoded
>message uses implicit hash algorithm's NULL parameter."
> 
>My conclusion is that one bug can be fixed. But I do not think it is a
>security problem. The problem is that some signatures fail valid
>signatures, if they are encoded in a special way.
> 
>What I have done is to mark the CVE as not-affected with a note about
>this.
> 
>Let me know if you think my analysis is correct.

I've gone through those comments and fixes. Since the valid-signature
failing bug in v1 and v2 is not a security issue, I think marking
CVE-2021-30130 as not-affected is the way to go. Sorry for holding the
package.

--abhijith 
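The interoperability bug quoted above (a strict PKCS#1 v1.5 verifier rejecting valid signatures whose DigestInfo carries the hash algorithm's parameter implicitly, i.e. omits the NULL) is easy to see in a small verifier. The following is an added example written for this page; it is not phpseclib's code and does not reproduce how phpseclib implements its strict mode. It assumes Python 3.8+ (for `pow(e, -1, phi)`), generates a throwaway 512-bit RSA key purely for demonstration, and uses a constructed test message. The two DigestInfo prefixes are the SHA-256 encodings from RFC 8017 section 9.2, with and without the explicit NULL parameter; the RFC asks verifiers to accept both.

```python
"""Added example (not phpseclib's code): PKCS#1 v1.5 verification that accepts
both DER encodings of the SHA-256 DigestInfo, next to a "strict" verifier that
knows only the explicit-NULL form and so rejects valid signatures.
Assumes Python 3.8+; the 512-bit key below is demo-only and far too small."""
import hashlib
import hmac
import random

# SHA-256 DigestInfo prefixes (RFC 8017 9.2, note 1): AlgorithmIdentifier
# parameters as explicit NULL (05 00) or absent. Both are valid encodings.
DIGESTINFO_SHA256_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
DIGESTINFO_SHA256_ABSENT = bytes.fromhex("302f300b06096086480165030402010420")

RNG = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; demo-quality key generation only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits=512, e=65537):
    """Return (n, e, d) for a throwaway key (assumption: demo use only)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p == q or n.bit_length() != bits or phi % e == 0:
            continue
        return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(digest_info, k):
    """EM = 00 || 01 || PS (>= 8 bytes of FF) || 00 || T (RFC 8017 9.2)."""
    ps_len = k - len(digest_info) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info


def sign_sha256(message, n, d, explicit_null=True):
    """Sign with either DigestInfo encoding; both are legitimate."""
    k = (n.bit_length() + 7) // 8
    prefix = DIGESTINFO_SHA256_NULL if explicit_null else DIGESTINFO_SHA256_ABSENT
    em = emsa_pkcs1_v15_encode(prefix + hashlib.sha256(message).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify_sha256(message, signature, n, e, strict=False):
    """strict=True accepts only the explicit-NULL DigestInfo (the bug);
    strict=False accepts both (what RFC 8017 asks for). Either way T is
    compared over the entire remainder of EM, so no trailing garbage is
    tolerated, which is what keeps Bleichenbacher-style forgeries out."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # PS >= 8 bytes of FF
        return False
    t = em[sep + 1:]
    h = hashlib.sha256(message).digest()
    accepted = [DIGESTINFO_SHA256_NULL + h]
    if not strict:
        accepted.append(DIGESTINFO_SHA256_ABSENT + h)
    return any(hmac.compare_digest(t, x) for x in accepted)


def demo():
    """Run both verifiers over both valid encodings and a wrong message."""
    n, e, d = generate_key()
    msg = b"constructed test message"  # constructed sample input
    sig_null = sign_sha256(msg, n, d, explicit_null=True)
    sig_absent = sign_sha256(msg, n, d, explicit_null=False)
    return {
        "strict_accepts_null": verify_sha256(msg, sig_null, n, e, strict=True),
        "strict_accepts_absent": verify_sha256(msg, sig_absent, n, e, strict=True),
        "lenient_accepts_null": verify_sha256(msg, sig_null, n, e),
        "lenient_accepts_absent": verify_sha256(msg, sig_absent, n, e),
        "lenient_rejects_wrong_msg": not verify_sha256(b"other", sig_null, n, e),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Running `demo()` shows the strict verifier rejecting the absent-parameter signature while the lenient one accepts both; the wrong-message case shows that accepting two templates does not loosen the check, because the recovered T must still match one of them byte for byte to the end of EM.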



CVE-2021-32642 in radsecproxy

2021-05-27 Thread Sven Hartge
Hi LTS Team,

there is a (very) minor security flaw in the radsecproxy package.

I have prepared updated packages, available via
https://mentors.debian.net/debian/pool/main/r/radsecproxy/radsecproxy_1.6.8-1+deb9u1.dsc
for you.

Thanks for your continued and valued work!

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.