Change in libcrypt1 prevents upgrades from Buster to Bookworm
Hello! Are LTS folks aware of the change in libcrypt1 where it was split out of libc into a separate package? Perl needs /lib/x86_64-linux-gnu/libcrypt.so.1 to run, and when it gets removed Perl immediately stops working, and thus no dpkg command will proceed anymore [1]. As it breaks dpkg, it affects, to my understanding, *all* upgrades from Stretch to Bookworm, and some upgrades from Bullseye to Bookworm too [2] on packages I maintain.

This makes LTS kind of moot, as systems that want to stay on LTS and "skip" at least one release can no longer do so.

What is your take here? If the issue is not fixed, then at least LTS should document it well for LTS users?

- Otto
(I am not on the list, please use reply-to-all)

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993755
[2] https://salsa.debian.org/mariadb-team/galera-4/-/pipelines/300049
Re: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO
Hi,

Thanks for your answer, and also thanks for the information about the wrong Apache configuration. I have tested both solutions you explained here and both work well. If I apply the change in the Apache configuration (as explained in the official documentation about "/"), my app works well. If I just apply your Debian patch, the app works well too.

So we will wait for the Debian patch for the oldest installations, and I can now create a fix for the Tracim project for the wrong usage of "/" in the apache2 configuration.

Thanks a lot for your solution :) :) :)

Best regards.

Philippe
Sys Admin
Algoo

On 2021-10-09 18:04, Sylvain Beucler wrote:
> Hi,
>
> On 05/10/2021 18:41, Sylvain Beucler wrote:
>> forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616
>
> The Apache developers say there's an incorrect configuration in the first place. For example,
>
>   ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/
>
> should be
>
>   ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081
>
> following the warning about slashes in the documentation:
> http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
>
> However, they are currently considering an additional patch to restore the previous (less strict) behavior.
>
> Philippe, Josef, I prepared a build with the new patch, so you can test early:
> https://people.debian.org/~beuc/lts/uwsgi/
> https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb
>
> I'm interested in your feedback.
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Sat, Oct 09, 2021 at 10:33:47AM +0200, Sylvain Beucler wrote:
> This would be the ELTS (not LTS) repo at
> https://salsa.debian.org/freexian-team/extended-lts/security-tracker/.
>
> See the ELTS README at gitlab.com:freexian-lts/extended-lts
[...]
> See
> https://wiki.debian.org/LTS/Development#Prepare_an_update_for_the_website

Thanks, Sylvain! :)

(and sorry for having been busy with other stuff. I shall reply timely again now.)

--
cheers,
Holger

holger@(debian|reproducible-builds|layer-acht).org
OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

Today, over 800 women will have died due to preventable pregnancy and birth complications, over 130 due to femicide.
https://www.who.int/news-room/fact-sheets/detail/maternal-mortality
https://en.wikipedia.org/wiki/Femicide#Worldwide
Re: [SECURITY] [DLA 2777-1] tiff security update
Hi,

On 04/10/2021 01:20, Utkarsh Gupta wrote:
> Hello LTS team,
>
> Apparently, I've sent the following mail thrice to the -announce
> list but it doesn't seem to be going through. Could somebody
> please send the below announcement from my end? TIA! \o/
>
> The website update has already been pushed long back.

Done.

Cheers!
Sylvain Beucler
Debian LTS Team
[SECURITY] [DLA 2777-1] tiff security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2777-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
October 03, 2021                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : tiff
Version        : 4.0.8-2+deb9u7
CVE ID         : CVE-2020-19131 CVE-2020-19144

Two security issues were found in TIFF, a widely used format for storing image data, as follows:

CVE-2020-19131

    Buffer overflow in LibTiff allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".

CVE-2020-19144

    Buffer overflow in LibTiff allows attackers to cause a denial of service via the "_TIFFmemcpy" function in the component "tif_unix.c".

For Debian 9 stretch, these problems have been fixed in version 4.0.8-2+deb9u7.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
[SECURITY] [DLA 2779-1] mediawiki security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2779-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
October 09, 2021                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : mediawiki
Version        : 1:1.27.7-1~deb9u10
CVE ID         : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799

Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service and certain unintended API access.

For Debian 9 stretch, these problems have been fixed in version 1:1.27.7-1~deb9u10.

We recommend that you upgrade your mediawiki packages.

For the detailed security status of mediawiki please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at:
https://wiki.debian.org/LTS
Accepted mediawiki 1:1.27.7-1~deb9u10 (source) into oldoldstable
Format: 1.8
Date: Sat, 09 Oct 2021 16:59:52 +0200
Source: mediawiki
Architecture: source
Version: 1:1.27.7-1~deb9u10
Distribution: stretch-security
Urgency: high
Maintainer: Kunal Mehta
Changed-By: Markus Koschany
Changes:
 mediawiki (1:1.27.7-1~deb9u10) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-35197: In MediaWiki bots have certain unintended API
     access. When a bot account has a "sitewide block" applied, it is able
     to still "purge" pages through the MediaWiki Action API (which a
     "sitewide block" should have prevented).
   * Fix CVE-2021-41798: XSS vulnerability in Special:Search.
   * Fix CVE-2021-41799: ApiQueryBacklinks can cause a full table scan.
Checksums-Sha1:
 10942a3655fab750feac47aba9c5e4bea1d83961 2186 mediawiki_1.27.7-1~deb9u10.dsc
 e3dd06a407b7c2955336b28d5202739022990589 83524 mediawiki_1.27.7-1~deb9u10.debian.tar.xz
 7e231f18363dc22ef3022c73c1244a48c954f284 5670 mediawiki_1.27.7-1~deb9u10_source.buildinfo
Checksums-Sha256:
 6f1b4811226da6ec3eb63b10af41b31bd5a99912001aad318f133a5b9e028fd2 2186 mediawiki_1.27.7-1~deb9u10.dsc
 6320e0585ed0fac72dab96cbc42eaf7aa4ebcb35dc56bbbaefb710bc4241ca60 83524 mediawiki_1.27.7-1~deb9u10.debian.tar.xz
 73c2e9b66c23c2d2bd72a07763683ac70548a8472e4871a536d6ebdad857bfcd 5670 mediawiki_1.27.7-1~deb9u10_source.buildinfo
Files:
 232f63a89904a103209edb8ae68388ec 2186 web optional mediawiki_1.27.7-1~deb9u10.dsc
 7ee6969dadfce646b67756d970ff9c11 83524 web optional mediawiki_1.27.7-1~deb9u10.debian.tar.xz
 a3c3d863f912d5b7b4e0828cfea65582 5670 web optional mediawiki_1.27.7-1~deb9u10_source.buildinfo
Re: libapache2-mod-proxy-uwsgi - CVE-2021-36160 regression, altered PATH_INFO
Hi,

On 05/10/2021 18:41, Sylvain Beucler wrote:
> forwarded 995368 https://bz.apache.org/bugzilla/show_bug.cgi?id=65616

The Apache developers say there's an incorrect configuration in the first place. For example,

  ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/

should be

  ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081

following the warning about slashes in the documentation:
http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass

However, they are currently considering an additional patch to restore the previous (less strict) behavior.

Philippe, Josef, I prepared a build with the new patch, so you can test early:
https://people.debian.org/~beuc/lts/uwsgi/
https://people.debian.org/~beuc/lts/uwsgi/libapache2-mod-proxy-uwsgi_2.0.14+20161117-3+deb9u5_amd64.deb

I'm interested in your feedback.

Cheers!
Sylvain Beucler
Debian LTS Team
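The slash mismatch Sylvain points at, shown as a complete virtual host. This is an added illustration and not part of the thread, the Debian package or the Apache documentation; the `^/ui` match and the `127.0.0.1:8081` backend are taken from the message above, while the ServerName, the uWSGI application itself and the `/uwsgi-bin/` prefix in the second block are assumptions for the example.

```apache
# Added example: one mod_proxy_uwsgi vhost with the weak and the corrected
# ProxyPassMatch forms side by side. Assumes a uWSGI application listening
# on 127.0.0.1:8081 (from the thread); ServerName is a placeholder.
<VirtualHost *:80>
    ServerName app.example.invalid

    # Weak form from the thread: the match pattern has no trailing slash,
    # the backend URL does. The mod_proxy documentation for ProxyPass warns
    # that both sides must agree (either both end in "/" or neither does),
    # otherwise the path passed to the backend gains or loses a slash. The
    # stricter path handling that came with the CVE-2021-36160 fix made
    # this mismatch visible as an altered PATH_INFO.
    #ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081/

    # Corrected form recommended by the Apache developers: no trailing
    # slash on either side.
    ProxyPassMatch ^/ui uwsgi://127.0.0.1:8081

    # The other consistent variant, for a plain (non-regex) mapping: a
    # trailing slash on both the path and the backend URL. The /uwsgi-bin/
    # prefix is an assumption for this example.
    ProxyPass /uwsgi-bin/ uwsgi://127.0.0.1:8081/
</VirtualHost>
```

After changing the directive, reload httpd and request a path under `/ui` while logging `PATH_INFO` on the uWSGI side; the value the application sees should be identical before and after installing the patched `libapache2-mod-proxy-uwsgi`, which is the regression the thread is about.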