Re: libxstream-java blacklist EOL?

2021-06-28 Thread Sylvain Beucler
Hi,

On Fri, Jun 18, 2021 at 06:35:11PM +0200, Sylvain Beucler wrote:
> On 07/06/2021 09:40, Emilio Pozuelo Monfort wrote:
> > On 02/06/2021 14:24, Markus Koschany wrote:
> > > Am Mittwoch, den 02.06.2021, 12:26 +0200 schrieb Emilio Pozuelo Monfort:
> > > >   I think it is time
> > > > we declare the block list unsupported, asking users to switch to
> > > > the allow
> > > > list.
> > > > 
> > > > Thoughts?
> > > 
> > > I believe it is sensible to switch to the whitelist by default after
> > > we have
> > > tested the reverse-dependencies. This is quite similar to
> > > jackson-databind.
> > 
> > Ack. I added this to [de]la-needed. Indeed some testing and/or code
> > inspection on the rdeps will be needed.
> 
> (I'm checking the libxstream-java currently in dla-needed.txt.)
> 
> The black->white list switch is planned for the unreleased XStream 1.4.18,
> or possibly 1.5.0.
> https://x-stream.github.io/security.html#explicit
> 
> This may require changes in the reverse dependencies that didn't happen yet
> in their respective upstream versions.
> 
> I think it would be safer to wait and check how these upstream projects
> handle the change, rather than branching our own solutions to this
> incompatible change, and just fix CVE-2021-29505 explicitly meanwhile (given
> it can trigger RCE).
> 
> What do you think?
> 
> 
> 
> Note: I also started checking the stretch reverse dependencies:
> 
> None of the rdeps seem to set a policy
> (addPermission/addType*/denyPermission/denyType*).
> 
> Direct rdeps are:
> groovy: not vulnerable (serialize-only)
> jajuk: possibly vulnerable
> jakarta-jmeter: possibly vulnerable
> jodconverter: possibly vulnerable
> jsap: possibly vulnerable
> maven-war-plugin: possibly vulnerable
> natbraille: not vulnerable (no direct use)
> powermock: possibly vulnerable
> tiles-autotag: possibly vulnerable
> uima-as: not vulnerable (no direct use)
> 
> I don't think there are indirect uses involving more reverse-dependencies
> (would have probably been the case for the Groovy programming language, but
> fortunately its use of xstream is limited).
> 
> I plan to further check which ones would break with a white list.

Follow-up: all would fail, since they all serialize app-specific classes.

The (strict) default white-list can be simulated by calling
  XStream.setupDefaultSecurity(xstream);
This blocks all app-specific classes.

Each package would need a patch with a series of:
  XStream.setupDefaultSecurity(xstream);
  xstream.allowTypes(new Class[] {AppSpecific.class, ...});
for each use of XStream, and annoyingly there are a few indirect-use
cases (powermock, jajuk, jakarta) where the expected classes are not
directly known.

Let's revisit this when there's a released XStream with the default
whitelist, and upstream reactions, as detailed above.

Meanwhile, should we update buster's black list?

Cheers!
Sylvain
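The setupDefaultSecurity/allowTypes pattern from the message above, as an added, self-contained example (not code from the thread or from any of the reverse dependencies listed). It assumes an XStream 1.4.10 to 1.4.17 jar on the classpath (the range in which the static setupDefaultSecurity call exists and the constructor still installs the deny-list), uses DomDriver so that no XPP3 jar is needed, and the Settings class is a hypothetical stand-in for the app-specific types the rdeps serialize. It shows the breakage Sylvain describes (the strict default refuses the app's own class) and the fix (the same default plus an explicit allowTypes).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class XStreamAllowListDemo {

    // Hypothetical application class (not from any of the packages above),
    // standing in for the app-specific types they serialize.
    public static class Settings {
        String theme = "dark";
        int fontSize = 12;
    }

    // The patch pattern from the message: reset to the strict default
    // allow-list, then add exactly the application's own types.
    static XStream hardened(Class<?>... appTypes) {
        // DomDriver uses the JDK's own XML parser, so no XPP3 jar is needed.
        XStream xstream = new XStream(new DomDriver());
        // 1.4.10..1.4.17: replaces the deny-list with an allow-list holding only
        // JDK basics (String, primitives, collections, ...); app classes are out.
        XStream.setupDefaultSecurity(xstream);
        // Re-admit the application's own classes, and nothing else.
        xstream.allowTypes(appTypes);
        return xstream;
    }

    public static void main(String[] args) {
        // Producing the document is unaffected by the allow-list (compare
        // groovy above: serialize-only, hence not vulnerable).
        XStream writer = new XStream(new DomDriver());
        String xml = writer.toXML(new Settings());
        System.out.println(xml);

        // Strict default allow-list alone: the app's own class is refused,
        // which is the breakage every rdep would see.
        XStream strict = hardened();
        try {
            strict.fromXML(xml);
            System.out.println("unexpected: Settings was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("strict instance refused: " + e.getMessage());
        }

        // Same allow-list plus the app type: the round-trip works again.
        XStream allowed = hardened(Settings.class);
        Settings s = (Settings) allowed.fromXML(xml);
        System.out.println("allow-listed instance accepted: theme=" + s.theme
            + ", fontSize=" + s.fontSize);
    }
}
```

For the indirect cases where the concrete classes are not known up front, xstream.allowTypesByWildcard(new String[] {"org.example.**"}) is the coarser alternative: it admits a whole package tree while still keeping JDK gadget classes out. Once upstream ships the allow-list default, the setupDefaultSecurity call becomes redundant but harmless; the allowTypes call is what each package will still need.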



[SECURITY] [DLA 2695-1] klibc security update

2021-06-28 Thread Ben Hutchings
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2695-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Ben Hutchings
June 28, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: klibc
Version: 2.0.4-9+deb9u1
CVE ID : CVE-2021-31870 CVE-2021-31871 CVE-2021-31872 CVE-2021-31873
Debian Bug : 989505

Several vulnerabilities have been discovered in klibc.  Depending on
how klibc is used, these could lead to the execution of arbitrary
code, privilege escalation, or denial of service.

Thanks to Microsoft Vulnerability Research for reporting the heap bugs
and going some of the way to identifying the cpio bugs.

CVE-2021-31870

Multiplication in the calloc() function may result in an integer
overflow and a subsequent heap buffer overflow.

CVE-2021-31871

An integer overflow in the cpio command may result in a NULL
pointer dereference.

CVE-2021-31872

Multiple possible integer overflows in the cpio command on 32-bit
systems may result in a buffer overflow or other security impact.

CVE-2021-31873

Additions in malloc() function may result in integer overflow and
subsequent heap buffer overflow.

For Debian 9 stretch, these problems have been fixed in version
2.0.4-9+deb9u1.

We recommend that you upgrade your klibc packages.

For the detailed security status of klibc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/klibc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams




Accepted klibc 2.0.4-9+deb9u1 (source) into oldstable

2021-06-28 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 28 Jun 2021 16:24:37 +0200
Source: klibc
Binary: libklibc-dev libklibc klibc-utils
Architecture: source
Version: 2.0.4-9+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: maximilian attems 
Changed-By: Ben Hutchings 
Description:
 klibc-utils - small utilities built with klibc for early boot
 libklibc   - minimal libc subset for use with initramfs
 libklibc-dev - kernel headers used during the build of klibc
Closes: 989505
Changes:
 klibc (2.0.4-9+deb9u1) stretch-security; urgency=high
 .
   * Never clean files in quilt status directory
   * debian/rules: Use $(MAKE) for recursive make
   * debian/rules: Change override_dh_auto_test rule to actually run tests
   * Apply security fixes from 2.0.9 (Closes: #989505):
 - malloc: Set errno on failure
 - malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
 - calloc: Fail if multiplication overflows (CVE-2021-31870)
 - cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
 - cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)
Checksums-Sha1:
 e5b35f36cf0a1549ecaac62133db0b8d3a610e2e 2066 klibc_2.0.4-9+deb9u1.dsc
 250be6a2f365601fcbe86004673e6b6508984fe6 623576 klibc_2.0.4.orig.tar.gz
 179d7b3c65f2bab4d34dfca313d5fa19227c5360 31636 klibc_2.0.4-9+deb9u1.debian.tar.xz
 b22f83550e549daf02472f62a5b088280830951f 5657 klibc_2.0.4-9+deb9u1_source.buildinfo
Checksums-Sha256:
 885339596012e5bc06b5bc1e1a3154c12b2473a9cf5e18a86161f78dc31b279d 2066 klibc_2.0.4-9+deb9u1.dsc
 8c083b259ba3cf52f9ef0c82bfee84ea5ac1c8b60e4b25366970051e1e8771fa 623576 klibc_2.0.4.orig.tar.gz
 10ce60738c066a584eaa8964bd84783cc08242a0ded7a629884cada0d6e53720 31636 klibc_2.0.4-9+deb9u1.debian.tar.xz
 4ab233c9b36d26f62af8438be97894b4879ba058eaf908525a6f55148eff5d99 5657 klibc_2.0.4-9+deb9u1_source.buildinfo
Files:
 8ea1ca51d0d2541e60c7d990257a0d1f 2066 libs optional klibc_2.0.4-9+deb9u1.dsc
 fbe1af284a2a22c39e9daa5dd65f9133 623576 libs optional klibc_2.0.4.orig.tar.gz
 03e6e1eee0c9177d32935a816e839a04 31636 libs optional klibc_2.0.4-9+deb9u1.debian.tar.xz
 3f24ac16b96d0c62aff8f2a77388dc78 5657 libs optional klibc_2.0.4-9+deb9u1_source.buildinfo

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



[SECURITY] [DLA 2693-1] xmlbeans security update

2021-06-28 Thread Markus Koschany
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2693-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
June 28, 2021                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: xmlbeans
Version: 2.6.0+dfsg-1+deb9u1
CVE ID : CVE-2021-23926

The XML parsers used by XMLBeans did not set the properties needed to protect
the user from malicious XML input. Vulnerabilities include the possibility for
XML Entity Expansion attacks which could lead to a denial-of-service. This
update implements sensible defaults for the XML parsers to prevent these kind
of attacks.

For Debian 9 stretch, this problem has been fixed in version
2.6.0+dfsg-1+deb9u1.

We recommend that you upgrade your xmlbeans packages.

For the detailed security status of xmlbeans please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xmlbeans

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
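The kind of parser settings the advisory refers to, as an added example (this is plain JAXP, not XMLBeans' own fix): a DocumentBuilder with the JDK defaults beside one with the defensive features enabled, both run over a constructed, scaled-down entity-expansion document. It assumes the JDK's built-in Xerces parser, which understands the Apache and SAX feature URIs used here; the "lolz" document is a deliberately small instance of the billion-laughs pattern (10^3 expansions, under the JDK's default 64000-expansion cap, so the permissive parser really does expand it).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class EntityExpansionDemo {

    // Constructed sample: a three-level entity-expansion document. Each level
    // references the previous one ten times, so &lol3; expands to 1000 copies
    // of "lol" (3000 characters) from roughly 300 bytes of input.
    static final String LAUGHS =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE lolz [\n" +
        " <!ENTITY lol \"lol\">\n" +
        " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n" +
        " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n" +
        " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n" +
        "]>\n" +
        "<lolz>&lol3;</lolz>\n";

    // JAXP defaults: the DTD is processed and internal entities are expanded.
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Defensive settings: refuse any DOCTYPE (which rules out both entity
    // expansion and external-entity tricks at once), switch external
    // entities off as belt-and-braces, and enable the secure-processing
    // limits. Feature URIs are the Xerces/SAX ones the JDK parser accepts.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the length of the root element's text,
    // i.e. how much the entity references were expanded into.
    static int parsedTextLength(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        int inputBytes = LAUGHS.getBytes(StandardCharsets.UTF_8).length;
        System.out.println("input size: " + inputBytes + " bytes");

        // Permissive parser: the text grows to 3000 characters. A few more
        // nesting levels and the same shape of document exhausts memory.
        System.out.println("permissive parser expanded to: "
            + parsedTextLength(permissiveBuilder(), LAUGHS) + " chars");

        // Hardened parser: the DOCTYPE is rejected before any expansion.
        try {
            parsedTextLength(hardenedBuilder(), LAUGHS);
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE outright is the simplest setting when the application never needs a DTD; where a DTD is required, the two external-entity features plus FEATURE_SECURE_PROCESSING (which enforces the expansion and size limits) are the fallback.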




Accepted xmlbeans 2.6.0+dfsg-1+deb9u1 (source) into oldstable

2021-06-28 Thread Debian FTP Masters
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 28 Jun 2021 14:26:03 +0200
Source: xmlbeans
Binary: libxmlbeans-java xmlbeans
Architecture: source
Version: 2.6.0+dfsg-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 
Changed-By: Markus Koschany 
Description:
 libxmlbeans-java - Java library for accessing XML by binding it to Java types
 xmlbeans   - Java library for accessing XML by binding it to Java types - tool
Changes:
 xmlbeans (2.6.0+dfsg-1+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-23926:
 The XML parsers used by XMLBeans did not set the properties needed to
 protect the user from malicious XML input. Vulnerabilities include
 possibilities for XML Entity Expansion attacks.
   * Compile for source/target 1.5 in order to fix a compilation failure.
Checksums-Sha1:
 a68223f462865bdff1f08c0230d368d878c6d5b1 2331 xmlbeans_2.6.0+dfsg-1+deb9u1.dsc
 9eb1fc0964768ae6313500fb314b1a30602ae71a 2063766 xmlbeans_2.6.0+dfsg.orig.tar.gz
 9714bd085f9eec106c246270847b9b01babbdeff 14768 xmlbeans_2.6.0+dfsg-1+deb9u1.debian.tar.xz
 f21b0f14e6a06d48efdf35af28b3171bbe1f9cda 11889 xmlbeans_2.6.0+dfsg-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 7fef0beaa5fe8fca83d85eed01661ab1670e930a78bee1efa0dbb7e113c2104b 2331 xmlbeans_2.6.0+dfsg-1+deb9u1.dsc
 f758b2fad0249719e9859696866a1c6cc6c0fc9ee6f74532d1078f68c6d0265a 2063766 xmlbeans_2.6.0+dfsg.orig.tar.gz
 364a0cbe19cf212ba8f711edf497ca30e21c6212bbb35ae81e74134e93be7bec 14768 xmlbeans_2.6.0+dfsg-1+deb9u1.debian.tar.xz
 73d6f766a791642212dbb11a3edc30b21b77472049c3b46e27b11d4d6aa317d3 11889 xmlbeans_2.6.0+dfsg-1+deb9u1_amd64.buildinfo
Files:
 d6eff6eea7b7cb8e8394edcb2d9cda5f 2331 java optional xmlbeans_2.6.0+dfsg-1+deb9u1.dsc
 f8a42472f251b0468b181814b3d1b317 2063766 java optional xmlbeans_2.6.0+dfsg.orig.tar.gz
 0b274074ceb0b80582f953d0e96034de 14768 java optional xmlbeans_2.6.0+dfsg-1+deb9u1.debian.tar.xz
 38468032a2a5e715fb8567e823374b02 11889 java optional xmlbeans_2.6.0+dfsg-1+deb9u1_amd64.buildinfo

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Re: A few delays delay

2021-06-28 Thread Ola Lundqvist
Thank you

On Mon, 28 Jun 2021 at 14:22, Holger Levsen wrote:

> Hi Ola,
>
> On Mon, Jun 28, 2021 at 02:11:23PM +0200, Ola Lundqvist wrote:
> > Due to a thunderstorm I have no proper workstation. I have ordered a new
> > one that I hope will arrive in a few days. Hopefully the SSD has survived.
> > If not it will take some days to restore it.
>
> ouch & good luck!
>
>
> --
> cheers,
> Holger
>
>  ⢀⣴⠾⠻⢶⣦⠀
>  ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
>  ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
>  ⠈⠳⣄
>


Re: A few delays delay

2021-06-28 Thread Holger Levsen
Hi Ola,

On Mon, Jun 28, 2021 at 02:11:23PM +0200, Ola Lundqvist wrote:
> Due to a thunderstorm I have no proper workstation. I have ordered a new
> one that I hope will arrive in a few days. Hopefully the SSD has survived.
> If not it will take some days to restore it.

ouch & good luck!


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄




A few delays delay

2021-06-28 Thread Ola Lundqvist
Hi

Due to a thunderstorm I have no proper workstation. I have ordered a new
one that I hope will arrive in a few days. Hopefully the SSD has survived.
If not it will take some days to restore it.

/ Ola


(semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2021-06-28 Thread Holger Levsen
moining,

today four packages were unclaimed for LTS:
- apache2 (Emilio)
- htmldoc (Utkarsh Gupta)
- nettle (Emilio)
- runc (Abhijith PA)

and four for ELTS:
- apache2 (Emilio)
- htmldoc (Utkarsh Gupta)
- nettle (Emilio)
- openjdk-7 (Emilio)

Then, no one claimed 4 packages or more.

Five DLAs have been reserved and haven't been published yet:
- DLA 2694-1 (28 Jun 2021) (tiff)
- DLA 2693-1 (28 Jun 2021) (xmlbeans)
- DLA 2692-1 (27 Jun 2021) (bluez)
- DLA 2691-1 (25 Jun 2021) (libgcrypt20)
- DLA 2684-1 (10 Jun 2021) (lasso)

Nice, no one claimed 4 packages or more.

Have a good week!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

