Accepted wireshark 1.12.1+g01b65bf-4+deb8u6~deb7u7 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 17 Mar 2017 01:17:24 +0100
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt tshark wireshark-dev wireshark-dbg wireshark-doc libwireshark5 libwsutil4 libwsutil-dev libwireshark-data libwireshark-dev libwiretap4 libwiretap-dev
Architecture: source amd64 all
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u7
Distribution: wheezy-security
Urgency: medium
Maintainer: Balint Reczey <bal...@balintreczey.hu>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark5 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap4 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil4 - network packet dissection utilities library -- shared library
 tshark - network traffic analyzer - console version
 wireshark - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-qt - network traffic analyzer - Qt version
Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u7) wheezy-security; urgency=medium
 .
   * security fixes from Wireshark 2.0.10:
     - The ASTERIX dissector could go into an infinite loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint. (CVE-2017-5596)
     - The DHCPv6 dissector could go into a large loop. Discovered by Antti Levomäki and Christian Jalio, Forcepoint. (CVE-2017-5597)
   * security fixes from Wireshark 2.0.11:
     - The NetScaler file parser could enter an infinite loop (CVE-2017-6467)
     - The NetScaler file parser could crash (CVE-2017-6468)
     - The LDSS dissector could crash (CVE-2017-6469)
     - The IAX2 dissector could enter an infinite loop (CVE-2017-6470)
     - The WSP dissector could enter an infinite loop (CVE-2017-6471)
     - The K12 file parser could crash (CVE-2017-6473)
     - The NetScaler file parser could enter an infinite loop (CVE-2017-6474)
   * security fixes from Wireshark 2.2.5:
     - The RTMPT dissector could enter an infinite loop (CVE-2017-6472)
[SECURITY] [DLA 858-1] wireshark security update
Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u7
CVE ID : CVE-2017-5596 CVE-2017-5597 CVE-2017-6467 CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471 CVE-2017-6472 CVE-2017-6473 CVE-2017-6474

It was discovered that Wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for ASTERIX, DHCPv6, LDSS, IAX2, WSP and RTMPT and the NetScaler and K12 file parsers, that could lead to various crashes, denial-of-service, or execution of arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u7.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: LTS report for February
Corrected the month in the subject.

2017-03-05 22:11 GMT+01:00 Balint Reczey <bal...@balintreczey.hu>:
> This month I was allocated 13 hours and carried over 1.25 hours from January.
>
> I used 13 hours in which I worked on the following:
>
> * [DLA 824-1] libevent security update
>   Fixed wheezy and also adopted the package and fixed jessie and unstable
> * [DLA 838-1] shadow security update
> * [DLA 844-1] libquicktime security update
>   Prepared fix for upstream and also fixed jessie and unstable
> * updated gen-DLA/gen-DSA script to parse CVEs, bugs, package name and version from .changes file to make DSA/DLA preparation less error-prone and more automated.
> * tested libreoffice's CVE-2017-3157 fix multiple ways, but it seems to be missing some parts thus the final fix will be released in March
>
> Cheers,
> Balint
LTS report for January
This month I was allocated 13 hours and carried over 1.25 hours from January.

I used 13 hours in which I worked on the following:

* [DLA 824-1] libevent security update
  Fixed wheezy and also adopted the package and fixed jessie and unstable
* [DLA 838-1] shadow security update
* [DLA 844-1] libquicktime security update
  Prepared fix for upstream and also fixed jessie and unstable
* updated gen-DLA/gen-DSA script to parse CVEs, bugs, package name and version from .changes file to make DSA/DLA preparation less error-prone and more automated.
* tested libreoffice's CVE-2017-3157 fix multiple ways, but it seems to be missing some parts thus the final fix will be released in March

Cheers,
Balint
[SECURITY] [DLA 844-1] libquicktime security update
Package: libquicktime
Version: 2:1.2.4-3+deb7u1
CVE ID : CVE-2016-2399
Debian Bug : 855099

Marco 'nemux' Romano discovered that an integer overflow in the quicktime_read_pascal function in libquicktime 1.2.4 and earlier allows remote attackers to cause a denial of service or possibly have other unspecified impact via a crafted hdlr MP4 atom.

For Debian 7 "Wheezy", these problems have been fixed in version 2:1.2.4-3+deb7u1.

We recommend that you upgrade your libquicktime packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted libquicktime 2:1.2.4-3+deb7u1 (source all amd64) into oldstable
Format: 1.8
Date: Mon, 27 Feb 2017 23:39:00 +0100
Source: libquicktime
Binary: libquicktime2 libquicktime-dev libquicktime-doc quicktime-utils quicktime-x11utils
Architecture: source all amd64
Version: 2:1.2.4-3+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libquicktime-dev - library for reading and writing Quicktime files (development)
 libquicktime-doc - library for reading and writing Quicktime files (documentation)
 libquicktime2 - library for reading and writing Quicktime files
 quicktime-utils - library for reading and writing Quicktime files (utilities)
 quicktime-x11utils - library for reading and writing Quicktime files (x11 utilities)
Closes: 855099
Changes:
 libquicktime (2:1.2.4-3+deb7u1) wheezy-security; urgency=medium
 .
   * Team Upload
   * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399) (Closes: #855099)
[SECURITY] [DLA 838-1] shadow security update
Package: shadow
Version: 4.1.5.1-1+deb7u1
CVE ID : CVE-2017-2616
Debian Bug : 855943

Tobias Stoeckmann discovered that su does not properly handle clearing a child PID. A local attacker can take advantage of this flaw to send SIGKILL to other processes with root privileges, resulting in denial of service.

For Debian 7 "Wheezy", these problems have been fixed in version 4.1.5.1-1+deb7u1.

We recommend that you upgrade your shadow packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 819-2] mysql-5.5 version number correction
Package: mysql-5.5
Version: 5.5.54-0+deb7u2
CVE ID :
Debian Bug : #854713

This is a correction of DLA 819-1, which mentioned that mysql-5.5 5.5.47-0+deb7u2 was corrected. The corrected package version was 5.5.54-0+deb7u2. For completeness the text from DLA 819-1 is available below with only the version information corrected. No other changes.

It has been found that the C client library for MySQL (libmysqlclient.so) has a use-after-free vulnerability which can cause a crash of applications using that MySQL client.

For Debian 7 "Wheezy", these problems have been fixed in version 5.5.54-0+deb7u2.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
LTS report for January
This month I was allocated 12.75 hours and carried over 2.5 hours from December.

I used 14 hours in which I worked on the following:

* [DLA 799-1] ming security update
  Last month I prepared several fixes, which have been accepted since then. This month I uploaded the package with some additional testing and hardening enabled during the build.
* CVE-2016-9877
  Triaged this for wheezy and, while finding wheezy not affected, prepared a patch for Jessie which has been attached to the tracking bug.
* Patched ratt to work on wheezy, enabling automatic test-rebuilding of reverse dependencies of changed packages. This would help avoid regressions with less manual labor.
* [DLA 804-1] libgd2 security update
* [DLA 808-1] ruby-archive-tar-minitar security update
* [DLA 819-1] mysql-5.5 security update

Cheers,
Balint
[SECURITY] [DLA 819-1] mysql-5.5 security update
Package: mysql-5.5
Version: 5.5.47-0+deb7u2
CVE ID :
Debian Bug : #854713

It has been found that the C client library for MySQL (libmysqlclient.so) has a use-after-free vulnerability which can cause a crash of applications using that MySQL client.

For Debian 7 "Wheezy", these problems have been fixed in version 5.5.47-0+deb7u2.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u8 (source amd64) into oldstable
Format: 1.8
Date: Sun, 29 Jan 2017 01:50:54 +0100
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source amd64
Version: 2.0.36~rc1~dfsg-6.1+deb7u8
Distribution: wheezy-security
Urgency: high
Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Changes:
 libgd2 (2.0.36~rc1~dfsg-6.1+deb7u8) wheezy-security; urgency=high
 .
   * LTS Team Upload.
   * CVE-2016-9317: Check for image size overflow in gdImageCreate()
   * CVE-2016-10168: Fix signed integer overflow in gd_io.c
   * CVE-2016-10167: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
[SECURITY] [DLA 804-1] libgd2 security update
Package: libgd2
Version: 2.0.36~rc1~dfsg-6.1+deb7u8
CVE ID : CVE-2016-9317 CVE-2016-10167 CVE-2016-10168

Multiple security issues have been found in the GD Graphics Library. They may lead to the execution of arbitrary code or cause an application crash.

CVE-2016-9317

    Signed integer overflow in gd_io.c

CVE-2016-10167

    Improper handling of missing image data can cause a crash

CVE-2016-10168

    GD2 stores the number of horizontal and vertical chunks as words (i.e. 2 byte unsigned). These values are multiplied and assigned to an int when reading the image, which can cause integer overflows.

For Debian 7 "Wheezy", these problems have been fixed in version 2.0.36~rc1~dfsg-6.1+deb7u8.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted ming 1:0.4.4-1.1+deb7u1 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 13 Jan 2017 17:25:31 +0100
Source: ming
Binary: libming1 libming-dev ming-fonts-dejavu ming-fonts-opensymbol libswf-perl libming-util python-ming php5-ming
Architecture: source amd64 all
Version: 1:0.4.4-1.1+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Stuart R. Anderson <ander...@netsweng.com>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libming-dev - Library to generate SWF (Flash) Files (development files)
 libming-util - Library to generate SWF (Flash) Files - Utilities
 libming1 - Library to generate SWF (Flash) Files
 libswf-perl - Ming (SWF) module for Perl
 ming-fonts-dejavu - Ming format DejaVue Fonts
 ming-fonts-opensymbol - Ming format Opensymbol Fonts
 php5-ming - Ming module for php5
 python-ming - Ming (SWF) module for Python
Closes: 843928
Changes:
 ming (1:0.4.4-1.1+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload
   * Fix security vulnerabilities (Closes: #843928):
     - listswf: heap-based buffer overflow in parseSWF_RGBA (parser.c) (CVE-2016-9831)
     - listswf: heap-based buffer overflow in parseSWF_DEFINEFONT (parser.c) (CVE-2016-9829)
     - listswf: NULL pointer dereference in dumpBuffer (read.c) (CVE-2016-9828)
     - listswf: heap-based buffer overflow in _iprintf (outputtxt.c) (CVE-2016-9827)
     - left shift in listmp3.c (CVE-2016-9266)
     - divide-by-zero in printMP3Headers (listmp3.c) (CVE-2016-9265)
     - global-buffer-overflow in printMP3Headers (listmp3.c) (CVE-2016-9264)
   * Enable tests during build
   * Enable all hardening build flags
   * Build-depend on dpkg-dev (>= 1.16.1~), it is needed for hardening flags
LTS report for December
This month I was allocated 13.5 hours. I used 11 hours in which I worked on the following:

* [DLA 755-1] dcmtk security update
  I also tested the fix on Jessie, and the patch I prepared was also used to update dcmtk in jessie-security.
* [DLA 758-1] libgd2 security update
* [DLA 767-1] curl security update
  It turned out that the vulnerable part was also buggy in a different way, which needed test adjustments. Now the code is safe, just buggy. :-)
* Prepared several patches for ming vulnerabilities because upstream development seems to be stalled. I'll publish those soon.

Cheers,
Balint
Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u7 (source amd64) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 22 Dec 2016 03:53:42 +0100 Source: libgd2 Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm Architecture: source amd64 Version: 2.0.36~rc1~dfsg-6.1+deb7u7 Distribution: wheezy-security Urgency: medium Maintainer: GD team <pkg-gd-de...@lists.alioth.debian.org> Changed-By: Balint Reczey <bal...@balintreczey.hu> Description: libgd-tools - GD command line tools and example code libgd2-noxpm - GD Graphics Library version 2 (without XPM support) libgd2-noxpm-dev - GD Graphics Library version 2 (development version) libgd2-xpm - GD Graphics Library version 2 libgd2-xpm-dev - GD Graphics Library version 2 (development version) Closes: 849038 Changes: libgd2 (2.0.36~rc1~dfsg-6.1+deb7u7) wheezy-security; urgency=medium . * LTS Team upload. * Fix imagefilltoborder stackoverflow (CVE-2016-9933) (Closes: #849038) Checksums-Sha1: ea96044760e8abf5c1e1529324e4a7446a1dad80 2411 libgd2_2.0.36~rc1~dfsg-6.1+deb7u7.dsc e93c43f3c2283c6fe09793ac06a4a106374e0cb3 761899 libgd2_2.0.36~rc1~dfsg.orig.tar.gz e326efff9a997e1961075b80eeb74febc8987aea 31473 libgd2_2.0.36~rc1~dfsg-6.1+deb7u7.debian.tar.gz 45f59c5328692fef13bf4f84264dc64849bf5bfd 168612 libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u7_amd64.deb 742d3813c239fec0316f423be3e14417d5e89869 373910 libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u7_amd64.deb 4abfb9088a6244866a7ffc127c26810b6b5ba46e 371456 libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u7_amd64.deb 59a060359fbe7355d7e3bebfb67e9f2d09fc8f99 234308 libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u7_amd64.deb 6401250f331d2a619bcffb45d89f23a134ab21a8 231826 libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u7_amd64.deb Checksums-Sha256: 8a713b46e263d734a442f0f20c2bce926b6077c4aa04c74527d385c8f7767de7 2411 libgd2_2.0.36~rc1~dfsg-6.1+deb7u7.dsc 919df21310ad4a8b6155df01411138110589cc6c50b1bc414dc62aebb0a7f41a 761899 libgd2_2.0.36~rc1~dfsg.orig.tar.gz 60c92e71912dc919dfccddc2e262484fd82659e563454d14175c8267d5a67e59 31473 
[SECURITY] [DLA 755-1] dcmtk security update
Package: dcmtk
Version: 3.6.0-12+deb7u1
CVE ID : CVE-2015-8979
Debian Bug : 848830

At several places in the code a wrong length of ACSE data structures received over the network can cause overflows or underflows when processing those data structures. Related checks have been added at various places in order to prevent such (possible) attacks.

Thanks to Kevin Basista for the report.

The bug will indeed affect all DCMTK-based server applications that accept incoming DICOM network connections that are using the dcmtk-3.6.0 and earlier versions. (From: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5384.php)

For Debian 7 "Wheezy", these problems have been fixed in version 3.6.0-12+deb7u1.

We recommend that you upgrade your dcmtk packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted dcmtk 3.6.0-12+deb7u1 (source all amd64) into oldstable
Format: 1.8
Date: Mon, 19 Dec 2016 20:41:08 +0100
Source: dcmtk
Binary: dcmtk libdcmtk2 libdcmtk2-dev dcmtk-www dcmtk-doc
Architecture: source all amd64
Version: 3.6.0-12+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 dcmtk - OFFIS DICOM toolkit command line utilities
 dcmtk-doc - OFFIS DICOM toolkit documentation
 dcmtk-www - OFFIS DICOM toolkit worklist www server application
 libdcmtk2 - OFFIS DICOM toolkit runtime libraries
 libdcmtk2-dev - OFFIS DICOM toolkit development libraries and headers
Closes: 848830
Changes:
 dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
   * Enable tests for the fix
Re: [Debian-med-packaging] Wheezy update of dcmtk?
On 12/19/2016 03:58 PM, Bálint Réczey wrote:
> Hi,
>
> 2016-12-19 9:10 GMT+01:00 Sébastien Jodogne <s.jodo...@gmail.com>:
>> Dear all,
>>
>>> On Sun, Dec 18, 2016 at 10:47:05PM +0100, Markus Koschany wrote:
>>>> Hello dear maintainer(s),
>>>>
>>>> the Debian LTS team would like to fix the security issues which are
>>>> currently open in the Wheezy version of dcmtk:
>>>> https://security-tracker.debian.org/tracker/CVE-2015-8979
>>>>
>>>> Would you like to take care of this yourself?
>>>
>>> I personally feel not capable to do so and Mathieu left the team - so I
>>> would be astonished (but definitely happy!) if he would step in for this
>>> task. If you do not receive a positive response from Gert I doubt that
>>> anybody else from the team would take over.
>>
>>
>> I personally consider this issue as severe, as any DCMTK 3.6.0-based DICOM
>> SCP (server) is affected (including the well-known Horos/OsiriX viewer).
>>
>> Orthanc was also affected by this problem. Orthanc 1.2.0 was released last
>> week in order to fix this vulnerability in its static builds (notably for
>> Windows and OS X). The patch we applied can be found at the following
>> location:
>> https://bitbucket.org/sjodogne/orthanc/src/eb363ec95d863989abf5a59174ff3164c2831f2e/Resources/Patches/dcmtk-3.6.0-dulparse-vulnerability.patch?at=default=file-view-default
>>
>> As this patch is very simple (six lines of code), it should be easy to
>> backport it to the DCMTK Debian package.
>>
>> Unfortunately, I do not know how to fix such issues in Wheezy, and I am
>> currently under heavy pressure wrt. the Orthanc upstream project... maybe
>> someone could do this backporting job?
>
> I'll do it in a few hours.
> I have also claimed the package in dla-needed.txt.

Thank you for the additional info and the potential patch.

I have prepared the update for Wheezy based on the upstream patch instead to diverge less from upstream in case we have to patch the code further.
The error reporting is also more verbose and accurate. Please see the diff to previous version attached.

Changes:
 dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830)
   * Enable tests for the fix

I plan uploading the package today around 22:00 UTC.
The binary packages for amd64 are also available for testing here:
deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint

diff -Nru dcmtk-3.6.0/debian/changelog dcmtk-3.6.0/debian/changelog --- dcmtk-3.6.0/debian/changelog 2012-12-20 13:22:26.0 +0100 +++ dcmtk-3.6.0/debian/changelog 2016-12-20 03:23:36.0 +0100 @@ -1,3 +1,11 @@ +dcmtk (3.6.0-12+deb7u1) wheezy-security; urgency=medium + + * LTS Team upload. + * Fix remote stack buffer overflow (CVE-2015-8979) (Closes: #848830) + * Enable tests for the fix + + -- Balint Reczey <bal...@balintreczey.hu> Mon, 19 Dec 2016 20:41:08 +0100 + dcmtk (3.6.0-12) unstable; urgency=low [ Andrey Rahmatullin ] diff -Nru dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch --- dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch 1970-01-01 01:00:00.0 +0100 +++ dcmtk-3.6.0/debian/patches/0001-Fixed-possible-underflows-and-overflows.patch 2016-12-20 16:47:41.0 +0100 
@@ -0,0 +1,977 @@ +From 5475a01c74bdf6258eccd4238e5df42eaca8ba58 Mon Sep 17 00:00:00 2001 +From: Michael Onken <on...@open-connections.de> +Date: Mon, 14 Dec 2015 21:50:43 +0100 +Subject: [PATCH] Fixed possible underflows and overflows. + +At several places in the code a wrong length of ACSE data structures received +over the network can cause overflows or underflows when processing those +data structures. Related checks have been added at various places in order +to prevent such (possible) attacks. + +Thanks to Kevin Basista for the report. + +Conflicts: + dcmnet/libsrc/dulparse.cc + ofstd/tests/tests.cc + ofstd/tests/tofstd.cc + +Cutting safeAdd() to not pull in many new files by Balint Reczey. +--- + dcmnet/libsrc/dulparse.cc | 93 +-- + ofstd/include/dcmtk/ofstd/ofstd.h | 27 +- + ofstd/include/dcmtk/ofstd/oftest.h | 519 + ofstd/tests/Makefile.in | 15 +- + ofstd/tests/taddsub.cc | 47 + ofstd/tests/tests-new-framework.exp | 1 + + ofstd/tests/tests.cc| 28 ++ + 7 files changed, 705 insertions(+), 25 deletions(-) + create mode 100644 ofstd/include/dcmtk/ofstd/oftest.h + create mode 100644 ofstd/tests/taddsub.cc + create mode 100644 ofstd/tests/tests-new-fr
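Review bot: the header of 0001-Fixed-possible-underflows-and-overflows.patch says safeAdd() was cut "to not pull in many new files", yet the diffstat in the same hunk still lists three created files (ofstd/include/dcmtk/ofstd/oftest.h at 519 lines, ofstd/tests/taddsub.cc and ofstd/tests/tests-new-framework.exp) and a total of 705 insertions; either regenerate the diffstat after the trimming so it matches what the backport actually carries, or extend the note to say which new files were kept and why the test framework header is still required for the taddsub.cc test that the "Enable tests for the fix" changelog entry refers to.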
Accepted akonadi 1.7.2-3+deb7u1 (source amd64 all) into oldstable
Format: 1.8
Date: Thu, 17 Nov 2016 16:09:04 +0100
Source: akonadi
Binary: akonadi-server libakonadiprotocolinternals1 libakonadi-dev akonadi-backend-mysql akonadi-backend-postgresql akonadi-backend-sqlite akonadi-dbg
Architecture: source amd64 all
Version: 1.7.2-3+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-...@lists.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 akonadi-backend-mysql - MySQL storage backend for Akonadi
 akonadi-backend-postgresql - PostgreSQL storage backend for Akonadi
 akonadi-backend-sqlite - SQLite storage backend for Akonadi
 akonadi-dbg - debugging symbols for the Akonadi PIM storage service
 akonadi-server - Akonadi PIM storage service
 libakonadi-dev - development files for the Akonadi PIM storage service
 libakonadiprotocolinternals1 - libraries for the Akonadi PIM storage service
Closes: 843534
Changes:
 akonadi (1.7.2-3+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Add patch from kubuntu: kubuntu_disable_secure_file_priv_check.diff
     - fix compatibility with stricter defaults in mysql security update.
     (Closes: 843534)
     Thanks to fld for the report and Marc Deslauriers for the patch.
[SECURITY] [DLA 707-1] sudo security update
Package: sudo
Version: 1.8.5p2-1+nmu3+deb7u2
CVE ID : CVE-2016-7032 CVE-2016-7076
Debian Bug : 842507

It was discovered that the sudo noexec restriction could have been bypassed if an application run via sudo executed the system(), popen() or wordexp() C library functions with a user-supplied argument. A local user permitted to run such an application via sudo with the noexec restriction could possibly use this flaw to execute arbitrary commands with elevated privileges.

CVE-2016-7032
    noexec bypass via system() and popen()

CVE-2016-7076
    noexec bypass via wordexp()

For Debian 7 "Wheezy", these problems have been fixed in version 1.8.5p2-1+nmu3+deb7u2.

We recommend that you upgrade your sudo packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
LTS Report for October
September was my 5th month as a debian-lts contributor. I was allocated 13 hours in addition to the 4.5 hours not used in the previous month. I used 7 hours in which I worked on the following:

* Was responsible for LTS frontdesk for two weeks triaging several security issues and following up everything needing attention. In the second week of my LTS frontdesk we (LTS Team) agreed to not locking packages for too long with the person at frontdesk having the responsibility of ensuring that people holding locks make progress or unlock their packages. I have not enforced this since I already observed people uploading or unlocking packages and also having the first week of this practice as a grace period seemed to be a good idea.

* Prepared [DLA 694-1] libwmf security update also updating the package in unstable and jessie. I performed the actual uploads in November.

Cheers,
Balint
[SECURITY] [DLA 694-1] libwmf security update
Package: libwmf
Version: 0.2.8.4-10.3+deb7u2
CVE ID : CVE-2016-9011
Debian Bug : 842090

Agostino Sarubbo from Gentoo discovered a flaw in libwmf's Windows Metafile Format (WMF) parser which caused the allocation of an excessive amount of memory, potentially leading to a crash.

For Debian 7 "Wheezy", these problems have been fixed in version 0.2.8.4-10.3+deb7u2.

We recommend that you upgrade your libwmf packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted libwmf 0.2.8.4-10.3+deb7u2 (source amd64 all) into oldstable
Format: 1.8
Date: Wed, 02 Nov 2016 13:49:51 +0100
Source: libwmf
Binary: libwmf0.2-7 libwmf-bin libwmf-dev libwmf-doc
Architecture: source amd64 all
Version: 0.2.8.4-10.3+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Loïc Minier <l...@debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libwmf-bin - Windows metafile conversion tools
 libwmf-dev - Windows metafile conversion development
 libwmf-doc - Windows metafile documentation
 libwmf0.2-7 - Windows metafile conversion library
Closes: 842090
Changes:
 libwmf (0.2.8.4-10.3+deb7u2) wheezy-security; urgency=medium
 .
   * LTS Team upload.
   * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090)
Wheezy update of tar?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of tar:
https://security-tracker.debian.org/tracker/CVE-2016-6321

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of tar updates for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.)

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of bash?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of bash:
https://security-tracker.debian.org/tracker/CVE-2016-7543

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of bash updates for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.)

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of libdbd-mysql-perl?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libdbd-mysql-perl:
https://security-tracker.debian.org/tracker/CVE-2016-1246

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libdbd-mysql-perl updates for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.)

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
LTS report for September
September was my fourth month as a debian-lts contributor. I was allocated 12.25 hours in addition to the 7.25 hours not used in the previous month. I used 15 hours in which I worked on the following:

* Was responsible for LTS frontdesk for the first time triaging several security issues which I'm not listing here.

* Implemented database for packages whose maintainers let the LTS Team handle the LTS updates without contacting them and made bin/contact-maintainers script respect that.

* [DLA 616-1] curl security update (CVE-2016-7141)

* [DLA 632-1] wireshark security update (5 CVE-s)

* [DLA 636-1] firefox-esr security update (12 CVE-s)

* [DLA 636-2] firefox-esr regression update
  - The security upgrade broke the build on arm* which I corrected in this one. I also had a transient issue causing the armel build to fail, but only on the official buildd.

* [DLA 643-1] chicken security update

Cheers,
Balint
[SECURITY] [DLA 636-2] firefox-esr regression update
Package: firefox-esr
Version: 45.4.0esr-1~deb7u2

The update of firefox-esr to 45.4.0esr-1~deb7u1 caused build failure on armel and armhf architectures.

For Debian 7 "Wheezy", these problems have been fixed in version 45.4.0esr-1~deb7u2.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 643-1] chicken security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: chicken
Version: 4.7.0-1+deb7u1
CVE ID : CVE-2016-6830 CVE-2016-6831

Multiple vulnerabilities have been found in the CHICKEN Scheme compiler:

CVE-2016-6830
    Buffer overrun in CHICKEN Scheme's "process-execute" and "process-spawn" procedures from the posix unit

CVE-2016-6831
    Memory leak in CHICKEN Scheme's process-execute and process-spawn procedures

For Debian 7 "Wheezy", these problems have been fixed in version 4.7.0-1+deb7u1.

We recommend that you upgrade your chicken packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX7pmBAAoJEPZk0la0aRp94LAP/i8dZ62I/fM/MnbJVjyhyWEb e2FmsHO6CFYP5KaR/hXQv8oKpssTlabLAQzJcbgN9RJbqZ7SpWmaFBXINIWxsCEB qJeCG8bLQs8qrKP/9JYbQxsr4TMvq31yk5i0AFTkELTcKdWi+ORa+1+5mmzBCh7g azlaONXKxTtKDzQ6hk4Cb8tihbJVZQ2S/8BHVn+EcSlUJBOe05lonuT8Nb/rCSer dQ3ZRtgqyVUd7hqR8eZu7Nms+2cxcjjSGfBPM3FnT0uajY9piwBD3lJtH99a7t96 zf/b3sFEvIkNie4I0otharywzcrXZU22MjVw6DT3PJxFdUDbfvsMLH+D0ezBdS28 DFTQ53tsLoby/LW7IEj8y18fYVZ276N0UCtDCbquv7HQa3JE8DbAZUDojlNu1WNI Fe/r8LW1v4ddA64VOg3aqxKDxZjLq7yv3aLxOf/QejSmP7EOxmrIcZ0q0SkAhaGt S0liJcAACY7RLxd2VCbWHPd75tNkbuQ8oYLEsGKeuXhgrpEyhV2C1zEvixaY5hom +Vp16GZROhT8PpsR/YB6wo0UQ55YWhOW4AzMYk5sZwpJrKDfjISPl+48RQUjq4Xc XUAru0HNx866VbzhTpuhur3XluaaHwUrll4m817xatRs9vcrl7KuIjPRGSeuYsPa Jlf08vQEUMEN6+eXQ/1f =9BJF
-----END PGP SIGNATURE-----
Accepted chicken 4.7.0-1+deb7u1 (source amd64) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 28 Sep 2016 13:26:52 +0200 Source: chicken Binary: chicken-bin libchicken6 libchicken-dev Architecture: source amd64 Version: 4.7.0-1+deb7u1 Distribution: wheezy-security Urgency: medium Maintainer: Davide Puricelli (evo) <e...@debian.org> Changed-By: Balint Reczey <bal...@balintreczey.hu> Description: chicken-bin - Practical and portable Scheme system - compiler libchicken-dev - Practical and portable Scheme system - development libchicken6 - Practical and portable Scheme system - runtime Changes: chicken (4.7.0-1+deb7u1) wheezy-security; urgency=medium . * LTS Team upload * Don't overflow statically allocated arrays in process-execute (CVE-2016-6830) * Stop leaking memory in process-execute when the process arguments or environment variables are not strings (CVE-2016-6831) Checksums-Sha1: 05215e1edcb8bf03769a66d7a532246324b1464c 1853 chicken_4.7.0-1+deb7u1.dsc a5de10ac27b756d2f60a03f0799ef444becfb675 3390484 chicken_4.7.0.orig.tar.gz ce960ac285d379329e3045e0e31a9f81c5be0779 103642 chicken_4.7.0-1+deb7u1.debian.tar.gz 094d7d5d2fc9a79bfe54649ccdc697990fb1a164 1339222 chicken-bin_4.7.0-1+deb7u1_amd64.deb 8333a775b922529c80a52b57f6f87a23c74f952f 1306336 libchicken6_4.7.0-1+deb7u1_amd64.deb 098d3ba07f4e7682484b22ece1aa496d2ede5fc9 1621134 libchicken-dev_4.7.0-1+deb7u1_amd64.deb Checksums-Sha256: 62bc5a4eef255e3d3a0f9ce39039d0f1fc9d760c288022fe3fce17e9be33921f 1853 chicken_4.7.0-1+deb7u1.dsc e1719fa404e73bc95023d54e0d09688329f7da2f217734d27dc6487baf163300 3390484 chicken_4.7.0.orig.tar.gz 739ba0aaf0e43fe4d2f89a9e400036bce2275ea63d3d68a9408931bd1cb4373b 103642 chicken_4.7.0-1+deb7u1.debian.tar.gz a55b3a726f713b50708734e4d2cff2f585e365787da3fabb83aac1169eeaf995 1339222 chicken-bin_4.7.0-1+deb7u1_amd64.deb dcb270492295053df5d30abe3e866bdedbc10858dc211e152b787335d8338ab9 1306336 libchicken6_4.7.0-1+deb7u1_amd64.deb d0ceb51a60a7da0b6a1ae639171660d237729ba7b01dd5e721448a6021e7ed8e 1621134 
libchicken-dev_4.7.0-1+deb7u1_amd64.deb Files: ac4808d262bf0b6bd2eb96e01e59fe61 1853 interpreters optional chicken_4.7.0-1+deb7u1.dsc 69ee35a78c52b37b84178ffd93d324e9 3390484 interpreters optional chicken_4.7.0.orig.tar.gz 72cb0e6d375fc06a69b7acaaedd69e68 103642 interpreters optional chicken_4.7.0-1+deb7u1.debian.tar.gz 263c852c41f6b1c7a110eabf0aa5e166 1339222 lisp optional chicken-bin_4.7.0-1+deb7u1_amd64.deb 498759f51c6caa8c99be30b4d49827c7 1306336 libs optional libchicken6_4.7.0-1+deb7u1_amd64.deb 8ef5cddf123e714251a23a87fe66c7db 1621134 libdevel optional libchicken-dev_4.7.0-1+deb7u1_amd64.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJX7oSTAAoJEPZk0la0aRp9VgMP/3hO0dXtD9yQFxkK1d5AjT4q oXvxMdgrNHamAxk14OrpUgh0DuhqaZNegBIicVhwn/o2OSFAOcuFT96/zDdzLo6P NbJYG8EUCUTfX96KoDfpMmiIHnyM4gvvGi6g5Hh8XkeWDGsbPeatV7VcwqJxBjo4 B9BbtaANk1JfD1y7I88Zip/AILVxCmr5eUgpYhBTU2HJOQ0EFtP2H1I2sVQPaGhp GvrGmeEgcEGJlWca7HG+CNkd+J1gf8qzM9ImGsOfPnnNY8M93UAKaLuLH1EWwifZ CjR3p3Lhfmo3Dv8XpxPWDmKjHIC/HOAoH5H2LEi0+CTpti2O/v/k96MyklR25Bnr vuc9gSHzCBtK57WAuVBtkLcBEcRA3NiowtXA2jYawVFisnd5dfYJSmoENOLY4Wtt VyhQh8FIh44duLrJCW9TBmv0opqXd2+hdikbv8GYogubouFMXEctZvCmbw0HNNxd BUpzCfNdw3bT056T8AuzUBhftl8vYohHQ7d6w9JWJSugp5g80J2PX9lZT/2XPLUO zlIT5aJ9FsySwCkj9WA++ui8bqhQ1K63zt8XW3oIgpCzUVCxxkqlavn4r8sHH/+L navTEWbuxy3lj9GO56KpYXZAySWDvn37fEs7/NS7m/3d398VCe6md4SNOa0AeKLd RiA7cJFAefved3cuFqrn =WbeD -END PGP SIGNATURE-
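The "Accepted ... into oldstable" messages on this page carry SHA-1, SHA-256 and MD5 digests for every artifact of the upload. Before trusting a .deb pulled from a mirror, or from a test area such as the people.debian.org PPA mentioned further down, a practitioner checks it against the strongest digest in a .changes file whose PGP signature has already been verified with gpg. The following is an added example, not Debian's own dscverify or debsign tooling: a parser for the RFC822-style .changes fields and a verifier that prefers Checksums-Sha256 over Checksums-Sha1 over the MD5 column of Files. The .changes fragment and the artifact bytes are constructed for the example (the real hashes above are not reused), and the signature check is assumed to have happened beforehand.

```python
"""Verify upload artifacts against the checksum fields of a .changes file.

Added example, not Debian's dscverify/debsign. The .changes text and the
artifact bytes below are constructed for the example; the signature on a
real .changes is assumed to have been verified with gpg beforehand.
"""
import hashlib

# Constructed stand-in artifact and a matching .changes fragment.
SAMPLE_NAME = "chicken-bin_4.7.0-1+deb7u1_amd64.deb"
SAMPLE_DEB = b"constructed stand-in for a .deb; not the real package bytes\n"
SAMPLE_CHANGES = (
    "Format: 1.8\n"
    "Source: chicken\n"
    "Version: 4.7.0-1+deb7u1\n"
    "Distribution: wheezy-security\n"
    "Checksums-Sha1:\n"
    f" {hashlib.sha1(SAMPLE_DEB).hexdigest()} {len(SAMPLE_DEB)} {SAMPLE_NAME}\n"
    "Checksums-Sha256:\n"
    f" {hashlib.sha256(SAMPLE_DEB).hexdigest()} {len(SAMPLE_DEB)} {SAMPLE_NAME}\n"
    "Files:\n"
    f" {hashlib.md5(SAMPLE_DEB).hexdigest()} {len(SAMPLE_DEB)} lisp optional {SAMPLE_NAME}\n"
)

# Strongest digest first; Files only carries MD5 and is a last resort.
_CHECKSUM_FIELDS = (
    ("Checksums-Sha256", "sha256", 3),
    ("Checksums-Sha1", "sha1", 3),
    ("Files", "md5", 5),
)


def parse_changes(text):
    """Parse RFC822-style fields into {name: [lines]}; a line starting with
    whitespace continues the previous field (as in Checksums-* and Files)."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            name, sep, value = raw.partition(":")
            if not sep:
                raise ValueError(f"unparseable line: {raw!r}")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def expected_digests(fields):
    """{filename: (algorithm, hexdigest, size)} from the strongest field present."""
    for field, algo, ncols in _CHECKSUM_FIELDS:
        entries = fields.get(field)
        if not entries:
            continue
        expected = {}
        for line in entries:
            parts = line.split()
            if len(parts) != ncols:
                raise ValueError(f"malformed {field} entry: {line!r}")
            # Files rows are "md5 size section priority name"; the name is last.
            expected[parts[-1]] = (algo, parts[0].lower(), int(parts[1]))
        return expected
    raise ValueError("no checksum field in .changes")


def verify_artifacts(changes_text, artifacts):
    """artifacts: {filename: bytes}. Returns {filename: 'ok' or a reason}.
    Size is checked before hashing so a truncated download is reported as such."""
    report = {}
    for name, (algo, digest, size) in expected_digests(parse_changes(changes_text)).items():
        data = artifacts.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != size:
            report[name] = f"size mismatch ({len(data)} != {size})"
        elif hashlib.new(algo, data).hexdigest() != digest:
            report[name] = f"{algo} mismatch"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    print(verify_artifacts(SAMPLE_CHANGES, {SAMPLE_NAME: SAMPLE_DEB}))
    print(verify_artifacts(SAMPLE_CHANGES, {SAMPLE_NAME: SAMPLE_DEB + b"\n"}))
```

A mailing-list archive flattens the .changes onto a few long lines, so feed the parser the original file (or the clearsigned text as fetched from the archive with gpg --decrypt), not a copy pasted from a web page.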
[SECURITY] [DLA 636-1] firefox-esr security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: firefox-esr
Version: 45.4.0esr-1~deb7u1
CVE ID : CVE-2016-5250 CVE-2016-5257 CVE-2016-5261 CVE-2016-5270 CVE-2016-5272 CVE-2016-5274 CVE-2016-5276 CVE-2016-5277 CVE-2016-5278 CVE-2016-5280 CVE-2016-5281 CVE-2016-5284

Multiple security issues have been found in the Mozilla Firefox web browser: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or information disclosure.

For Debian 7 "Wheezy", these problems have been fixed in version 45.4.0esr-1~deb7u1.

We recommend that you upgrade your firefox-esr packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJX6mCEAAoJEPZk0la0aRp9YSQP/iyTFaCmKBS37LK+IiQAvsQk jlf508vMQn6cBxO45/yazbHFN9pc5gUe7dxdvHnHMLmaEUoMlHOYUI3BA1XNwjG8 opbhfsltLEdm7pkqNw+qb+rQbjYTCgLMkehiyzjGcfc1q25ai4UsW4fR74KI4IhH psnl5JtP+QGKYcKM6+sgF57SGaf5qKjxw45aEbIrrK/ChmP1Ii8g2eBJ5+iE41u7 B9uY5AEpQ1nRb4TTAhLTykDSRWylPU1Pjvgh9TNlNkbwRm9EqUp/cDZj8Dm+8eXh flRFC19G+v2azHnfFkw3W32kjOR0IgOYoFPYwOenRp7WtIOWk+SZZGuqUUpDlwId Q+IwvFfmOR3Jp7QBcWt1XEQJtCHmyb713hhKJ9sV1mON+thDBrKvhPklh5cu3K7n 2RNEaSXmK0ISi52OqfLY+oX99vL8IyklPi4pIx0NdSSPFwfSjgtdYBBef1d9Utfz +WM+nASjfFOE9BiIvxacRj0DrFuQDGHSHXHWwKZ4qWW+goF9skGbz9OIhk2V76lM egsHA8W3qJaYHmqfSF2BQ/qD2bdoUT53JW79C41xXJmjyejy1snHUkzLBy7qafxQ jz/RlTurjWOdS/V1RBedKgYAsdX/yq1Cdpa//OhRdQ7nTrNh9D2N199MRluSQbop QSuI/CoQoHtKEjdwiUDa =MPZw
-----END PGP SIGNATURE-----
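Every advisory on this page names a "fixed in" version and leaves it to the reader to decide whether an installed package is at or above it. That comparison is not lexical: `~` sorts before anything, including the end of the string, which is why a wheezy rebuild such as 1.12.1+g01b65bf-4+deb8u6~deb7u7 sorts below the jessie version 1.12.1+g01b65bf-4+deb8u6 it was built from, and why 45.4.0esr-1~deb7u1 sorts below 45.4.0esr-1~deb8u1. The following is an added example, not dpkg's code: a Python reimplementation of the dpkg version-ordering rules (epoch, then upstream, then Debian revision, each compared as alternating non-digit and digit runs), exercised on the version strings from this page. On a Debian host `dpkg --compare-versions A ge B` is the authoritative check; this is for auditing inventories offline.

```python
"""Debian version ordering (epoch:upstream-revision), reimplemented in Python.

Added example; follows Debian Policy 5.6.12 / dpkg's verrevcmp() ordering
but is not dpkg code. The version strings used below come from this page.
"""


def _order(c):
    """Weight of one character in a non-digit run:
    '~' < end-of-string < letters < other punctuation (dpkg's order())."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two fragments (upstream or revision) as alternating runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with the weights above.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: compared numerically, so 10 > 9 and 007 == 7.
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or "0"), int(b[sj:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_version(version):
    """'1:1.6.17-1.2+deb7u1' -> (1, '1.6.17', '1.2+deb7u1').
    Epoch defaults to 0; the revision is whatever follows the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' at all: the whole string is the upstream part
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed, fixed_in):
    """True when the installed version is at or above the advisory's fix."""
    return compare_versions(installed, fixed_in) >= 0


if __name__ == "__main__":
    # (installed, fixed-in) pairs taken from the advisories on this page.
    checks = [
        ("1.12.1+g01b65bf-4+deb8u6~deb7u3", "1.12.1+g01b65bf-4+deb8u6~deb7u4"),
        ("1.12.1+g01b65bf-4+deb8u6~deb7u7", "1.12.1+g01b65bf-4+deb8u6"),
        ("45.4.0esr-1~deb7u2", "45.4.0esr-1~deb7u1"),
        ("1:1.6.17-1.2+deb7u1", "1:1.6.17-1.2"),
    ]
    for installed, fixed_in in checks:
        print(f"{installed:36} vs {fixed_in:36} -> fixed={is_fixed(installed, fixed_in)}")
```

The epoch handling matters for libupnp: its versions carry a "1:" epoch, and a string comparison that drops it would rank 1:1.6.17 below an epoch-less 1.6.18.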
Re: Wheezy update of firefox-esr?
Hi, On 09/24/2016 12:51 AM, Mike Hommey wrote: > On Fri, Sep 23, 2016 at 07:57:45PM +0200, Bálint Réczey wrote: >> Hi, >> >> 2016-09-20 23:43 GMT+02:00 Chris Lamb <la...@debian.org>: >>> Hello dear maintainer(s), >>> >>> the Debian LTS team would like to fix the security issues which are >>> currently open in the Wheezy version of firefox-esr: >>> https://security-tracker.debian.org/tracker/source-package/firefox-esr >>> >>> Would you like to take care of this yourself? >>> >>> If yes, please follow the workflow we have defined here: >>> https://wiki.debian.org/LTS/Development >>> >>> If that workflow is a burden to you, feel free to just prepare an >>> updated source package and send it to debian-lts@lists.debian.org >>> (via a debdiff, or with an URL pointing to the source package, >>> or even with a pointer to your packaging repository), and the members >>> of the LTS team will take care of the rest. Indicate clearly whether you >>> have tested the updated package or not. >>> >>> If you don't want to take care of this update, it's not a problem, we >>> will do our best with your package. Just let us know whether you would >>> like to review and/or test the updated package before it gets released. >>> >>> You can also opt-out from receiving future similar emails in your >>> answer and then the LTS Team will take care of firefox-esr updates >>> for the LTS releases. (In case we don't get any answer for months, >>> we may also take it as an opt-out, too.) >> >> I think Mike would like the LTS Team to prepare the future updates: >> >> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote: >>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote: >>>> Hello Mike, >>>> >>>> Thank you for preparing the security update of firefox-esr. I have just >>>> sent a security announcement for your update in Wheezy to the >>>> debian-lts-announce mailing list. 
If you want to take care of this next >>>> time, please follow our guidelines which we have outlined at [1]. If >>>> this is a burden for you, no problem, we will do our best and take care >>>> of the rest. In this case we would like to ask you to send a short >>>> reminder to debian-lts, so that we can prepare the announcement in a >>>> timely manner. >>> >>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about >>> that. That these updates go through the same security-master doesn't >>> help making it obvious they are different. >>> >>> Anyways, I'd rather not have more work to do, so if can send >>> announcements, that works for me. Or you can deal with the backport >>> from back to back. >> ... >> >> I have added firefox-esr to lts-do-not-call and started preparing the update. > > Thanks. I have prepared the update. Please see the diff to jessie-security's version attached. Changes: firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium . [ Mike Hommey ] * New upstream release. * Fixes for mfsa2016-86, also known as: CVE-2016-5270, CVE-2016-5272, CVE-2016-5276, CVE-2016-5274, CVE-2016-5277, CVE-2016-5278, CVE-2016-5280, CVE-2016-5281, CVE-2016-5284, CVE-2016-5250, CVE-2016-5261, CVE-2016-5257. . * debian/control*, debian/rules: Compile with GCC 5 on testing/unstable on arm* because of crashes when building with GCC 6. (FTBFS) * debian/rules: Build with -fno-schedule-insns2 and -fno-delete-null-pointer-checks with GCC >= 6 because it miscompiles Firefox. Closes: #836533. . * config/gcc-stl-wrapper.template.h, memory/mozalloc/throw_gcc.h: Don't include mozalloc.h from the cstdlib wrapper. bz#1245076, bz#1259537. Closes: #822715. * build/gyp.mozbuild: Disable libyuv assembly on mips64. (FTBFS) The binary packages for amd64 are also available for testing here: deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/ I ran browser benchmarks to stress test the package and also visited a few sites manually. 
I plan uploading the package around 21:00 UTC. Cheers, Balint diff -Nru firefox-esr-45.4.0esr/debian/changelog firefox-esr-45.4.0esr/debian/changelog --- firefox-esr-45.4.0esr/debian/changelog 2016-09-21 00:29:05.0 +0200 +++ firefox-esr-45.4.0esr/debian/changelog 2016-09-24 01:09:02.00000 +0200 @@ -1,5 +1,6 @@ -firefox-esr (45.4.0esr-1~deb8u1) stable-security; urgency=medium +firefox-esr (45.4.0esr-1~deb7u1) wheezy-security; urgency=medium + [ Mike Hommey ] * New upstream release. * Fixes for mfsa2016-86, al
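Review bot: the hunk rewrites the existing 45.4.0esr-1~deb8u1 stable-security changelog header in place as 45.4.0esr-1~deb7u1 wheezy-security instead of stacking a new entry on top; that is the usual pattern for a rebuild of the jessie package, and ~deb7u1 sorts below ~deb8u1 under dpkg --compare-versions, so the wheezy-to-jessie upgrade path is preserved. The "[ Mike Hommey ]" attribution header it adds only makes sense if a second, differently attributed block for the wheezy-specific changes follows it; the diff as quoted here stops mid-line at "* Fixes for mfsa2016-86, al", so that block, and whether the trailing signature line of the entry was updated to the new uploader and date, can only be checked in the full debdiff.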
Accepted wireshark 1.12.1+g01b65bf-4+deb8u6~deb7u4 (source amd64 all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 20 Sep 2016 18:05:16 +0200
Source: wireshark
Binary: wireshark-common wireshark wireshark-qt tshark wireshark-dev wireshark-dbg wireshark-doc libwireshark5 libwsutil4 libwsutil-dev libwireshark-data libwireshark-dev libwiretap4 libwiretap-dev
Architecture: source amd64 all
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u4
Distribution: wheezy-security
Urgency: medium
Maintainer: Balint Reczey <bal...@balintreczey.hu>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark5 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap4 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil4 - network packet dissection utilities library -- shared library
 tshark     - network traffic analyzer - console version
 wireshark  - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
 wireshark-qt - network traffic analyzer - Qt version
Changes:
 wireshark (1.12.1+g01b65bf-4+deb8u6~deb7u4) wheezy-security; urgency=medium
 .
* security fixes from Wireshark 2.0.6: - The H.225 dissector could crash (CVE-2016-7176) - The Catapult DCT2000 dissector could crash (CVE-2016-7177) - The UMTS FP dissector could crash (CVE-2016-7178) - The Catapult DCT2000 dissector could crash (CVE-2016-7179) - The IPMI trace dissector could crash (CVE-2016-7180) Checksums-Sha1: 4a53dcb082ac0ba04a4981ded4535928c609a53e 3187 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4.dsc 40906efef9e90432e6dfa3ed832bda3e78cd80b2 190947 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4.debian.tar.gz 812c4bbc8cd1e73e126bdfa9e88103a196e10498 211050 wireshark-common_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 5f34127fa2f6d5bb14f3604700cf7e47f3dbad54 1006004 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb ab1e6ae301d6132642a22f642eea2305a85067f8 1253824 wireshark-qt_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 88a6394ef5451afccd7051d8dd06419cbef89dba 182346 tshark_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 158d7a89fab2221bed4a9cc2d4dcdae6e4f782a6 161714 wireshark-dev_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 66e42171bab277c34949e707ab476ad9039fc0ee 42265782 wireshark-dbg_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb bd8e0a1cbe2b9e797e80957560772d3f1d084c6d 4267348 wireshark-doc_1.12.1+g01b65bf-4+deb8u6~deb7u4_all.deb a333fcb59c7cd813e037f014cbd7d5f694f2e1aa 15997092 libwireshark5_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 59cde5bcc835c0f8bd70569e6ba59738819ed4aa 107468 libwsutil4_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 044d088ce4aada6361d888196c1713187dc34ed2 78610 libwsutil-dev_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb bb3426f29e33473512b74e760c05da5105b7cb41 1148098 libwireshark-data_1.12.1+g01b65bf-4+deb8u6~deb7u4_all.deb 295c99f65cbd988c860113d9a3240d13d92d4bf3 1034118 libwireshark-dev_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb f2af6fee05d50330701f7091f147904191597e9d 216180 libwiretap4_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb dfbe3e266dc8bff6772dcd8c919dda67b7249b80 88562 libwiretap-dev_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 
Checksums-Sha256: 6c57b3abfe1fce33f5933553cfcd1cd6048ec3532ad921b4f165911dcb0202ed 3187 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4.dsc 659860155d5ba0ce2abf33887ee3c181bbb59f31fdf67c73f24c579ffb78731d 190947 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4.debian.tar.gz 2a810930e692fea6ea979a299e1fe13489f71ea4c0491206a7d6216148da2faa 211050 wireshark-common_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 19f8faa3560199c2671e48139171f7ebc519d47f36e1a631f71638b7dc231770 1006004 wireshark_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb af20c22f964b0f7bb111d5ee1ae7663efc0edcef9bf84dea5a798dc7baa438b5 1253824 wireshark-qt_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 1fad85bbd1c2efb6b04f414a3dffd8e4d34d24567132f7654f2f6a0d4f231db4 182346 tshark_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb fa6ce250011224b7f63504bf9e689a44b7e29637058e27748272c0418cf225fa 161714 wireshark-dev_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb c82bc2722adcd3dcf5772cf52bdca3d40428cfe3d53472354a9fd03f87d878c9 42265782 wireshark-dbg_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 47ac80398820cef2325743d26e090a0ed4aa83fc388ae3ff2cc511eeba2938b9 4267348 wireshark-doc_1.12.1+g01b65bf-4+deb8u6~deb7u4_all.deb b14b08734c00d45ae27f7f36be4042f18b37507a89e5405da72f0cfce6429ae1 15997092 libwireshark5_1.12.1+g01b65bf-4+deb8u6~deb7u4_amd64.deb 29659c6a6e5237b9bec11381f99d90c9313c41b889d96ad697d00cbcdd54589b 107468 libwsutil4_1.12.
Wheezy update of libphp-adodb?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libphp-adodb:
https://security-tracker.debian.org/tracker/CVE-2016-4855
https://security-tracker.debian.org/tracker/TEMP-000-B85664

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libphp-adodb updates for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.)

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of libarchive?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of libarchive:
https://security-tracker.debian.org/tracker/CVE-2016-7166

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libarchive updates for the LTS releases. (In case we don't get any answer for months, we may also take it as an opt-out, too.)

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Wheezy update of inspircd?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of inspircd:
https://security-tracker.debian.org/tracker/CVE-2016-7142

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Balint Reczey, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
LTS report for August
August 2016 was my third month as a debian-lts contributor. I was allocated 14.75 hours in addition to the 2 hours not used in the previous month. I used 9.5 hours in which I worked on the following:

* DLA 581-1 libreoffice security update (CVE-2016-1513)
* DLA 595-1 wireshark security update (9 CVE-s)
* DLA 597-1 libupnp security update (CVE-2016-6255) - did some further checking and also checked reverse dependencies
* DLA 605-1 eog security update (CVE-2016-6855) - also prepared fix for Jessie in the packaging repo

I also share Brian's observation that the backlog shrank to a very low level and the lack of actionable outstanding issues made me carry 7.25 hours to September.

Cheers,
Balint
[SECURITY] [DLA 605-1] eog security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: eog
Version: 3.4.2-1+build1+deb7u1
CVE ID : CVE-2016-6855

It was discovered that Eye of GNOME incorrectly handled certain invalid UTF-8 strings. If a user were tricked into opening a specially-crafted image, a remote attacker could use this issue to cause Eye of GNOME to crash, resulting in a denial of service, or possibly execute arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version 3.4.2-1+build1+deb7u1.

We recommend that you upgrade your eog packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXw2FOAAoJEPZk0la0aRp9cSQP/ArTK06dS78tcIsfcWiRWMJd 49HvUS4NW8HBckflneygrBHFouyPrcqSjAf4dWy3qsD6NViTkqzNRijd3/cRkU4U OUTdew/hTE+7zBsqHlFF+MfQRAV2bIzoWAIqPhFGCOK9YzVPQbgeGgfl/TbszvxC MypImPLBAeXDksO8tc6ykYI36AxVF48lIK9QVBGxjcDFNjEGtk+9kqwhbB2TznZc AI7fBAxTFI+AnVJbVPLKlkHwYd6icHFZNHxJdLy4E1ofQjNV/iUnG5bhl5VbpTgL b8qod70ftBjZtm/ivzrLJkujDp5/jNso9LNSOACk7VWsjr4xkOCtn3OWZ2fjpuKi /hM1M2QUkyHE6j2bdxmKi4gEthkxW9/AqkJr1zwWNx7JoNCqKqBLc/r5BS6KPTXs BIDQVz8nKVMOsW3s8baXUOnYROyxQY4YgTBYPTFf8isANZU7aa4vN8IGUgwf7T/Z 8ftJWh7dIUit0dObHBr7LXSdSl1LycGBgTtIWQx2JlTd7FV4rrMCwylzbfrQQZwG 2QNcVh6Qt3/6sO9nImyP6ubo5If2y2+ATK7nqmtYISn9niPVXrYN8LnsCXMx/Nva Gobr6aKNupYdW+1qmGb/n1o1wY/pj40PUuAQoBl4clpKsR1zwS/yPyATLwzIMrFq aswMAZmUsXLb8NZkrnzH =j4g/
-----END PGP SIGNATURE-----
Re: Security check of libical
Hi Allen, On 08/24/2016 05:38 PM, Allen Winter wrote: > I already responded to a similar question in July > see http://lists.infradead.org/pipermail/libical-devel/2016-July/000726.html > > I do have access to those bug reports. > I do not have time to work on this at the moment. > > I'd be happy if you'd investigate. maybe I get you access somehow. > Can you tell me your account name at bugzilla.mozilla.org? Ola already provided his account name below. ;-) Can I please get access, too? My account name is bal...@balintreczey.hu. It can be useful if at least two people from the team can look at the issue. > > On Monday, August 08, 2016 07:38:31 PM Ola Lundqvist wrote: >> Hi libical developers, libical maintainer and LTS team >> >> As part of the Debian Long Term Security team I have started to look >> into a few possible security related vulnerabilities. >> More details are available here: >> https://security-tracker.debian.org/tracker/source-package/libical >> >> My problem is that each CVE refers to a bugzilla bug id and they are not >> public >> CVE-2016-5827 https://bugzilla.mozilla.org/show_bug.cgi?id=1281043 >> CVE-2016-5826 https://bugzilla.mozilla.org/show_bug.cgi?id=1281041 >> CVE-2016-5825 https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 >> CVE-2016-5824 https://bugzilla.mozilla.org/show_bug.cgi?id=1275400 >> CVE-2016-5823 reserved, do you know anything about it? >> >> My question to you are whether any of you know who I should contact >> about these bugs? >> Or if I can get access to them? (my login is o...@inguza.com) ^^^ Cheers, Balint >> Or who I should contact for requesting access. >> Whether you know of any other security issues in libical (wheezy is >> using revision 0.48) >> >> Thanks a lot in advance! >> >> >> // Ola >> >> >
Accepted libupnp 1:1.6.17-1.2+deb7u1 (source amd64 all) into oldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Jul 2016 19:01:31 +0200
Source: libupnp
Binary: libupnp6 libupnp6-dev libupnp-dev libupnp6-dbg libupnp6-doc
Architecture: source amd64 all
Version: 1:1.6.17-1.2+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Nick Leverton <n...@leverton.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libupnp-dev - Portable SDK for UPnP Devices (development files)
 libupnp6   - Portable SDK for UPnP Devices, version 1.6 (shared libraries)
 libupnp6-dbg - debugging symbols for libupnp6
 libupnp6-dev - Portable SDK for UPnP Devices, version 1.6 (development files)
 libupnp6-doc - Documentation for the Portable SDK for UPnP Devices, version 1.6
Closes: 831857
Changes:
 libupnp (1:1.6.17-1.2+deb7u1) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team
   * Don't allow unhandled POSTs to write to the filesystem by
     default (Closes: #831857) (CVE-2016-6255)
     Thanks to Matthew Garrett for the patch.
Checksums-Sha1: 1cc29862a1a4d4e50f80e17293d1973ee9084878 1991 libupnp_1.6.17-1.2+deb7u1.dsc 179e0c1337915d45ea8c04c1fa86257c9dfc5924 1187499 libupnp_1.6.17.orig.tar.bz2 368021b19d7ab0dc1d2c28c2e101a5b3bde70d89 28030 libupnp_1.6.17-1.2+deb7u1.debian.tar.gz c389f677bc295821224c83936b8483f78a721f4f 181510 libupnp6_1.6.17-1.2+deb7u1_amd64.deb ec824d0767a1b3c5563eb1d3e0a7a6191f39170d 263208 libupnp6-dev_1.6.17-1.2+deb7u1_amd64.deb 8c165cca7f1293d32732d23d2af131f5be569fae 43234 libupnp-dev_1.6.17-1.2+deb7u1_all.deb 58c03d78d3e92c51f953c4ff4b953aec0bada793 393430 libupnp6-dbg_1.6.17-1.2+deb7u1_amd64.deb f9d9732b6fc38a3032e152d6ef953c8d2bb63461 13699546 libupnp6-doc_1.6.17-1.2+deb7u1_all.deb Checksums-Sha256: 97cb39eae55502bfd8468d7188cfa046c879b7186f4595b0d8d3e58e52797cf5 1991 libupnp_1.6.17-1.2+deb7u1.dsc a2e0d9a9f1a7b678bcdbef7610adec895a6c8cb8f9670d5e1fc963cf51cdd219 1187499 libupnp_1.6.17.orig.tar.bz2 d5188a7265f70089014c01464238c86bab43eda9419a07d3b80fc284bbd97419 28030 libupnp_1.6.17-1.2+deb7u1.debian.tar.gz a019b5d29a6de9936c90a800eab56a7d0f728a28706dc0c039c320fe7f1a2033 181510 libupnp6_1.6.17-1.2+deb7u1_amd64.deb 88f4db2e2c8ee0c435e48299e5c8045bf0f3c04ed60ace19dca477fd55f4de1a 263208 libupnp6-dev_1.6.17-1.2+deb7u1_amd64.deb a2e617fd7c54a9857f6ac7da83453841b67f4212ab23c14730aa222d61a11a70 43234 libupnp-dev_1.6.17-1.2+deb7u1_all.deb ecbc6208eb032d3491fd638a5a008b38d6abf640134a55dec2ee450e5902a146 393430 libupnp6-dbg_1.6.17-1.2+deb7u1_amd64.deb 288d30f61cd2f4e85b426d82bf1091d75ee1adf1f5b9d6d14dd5678d78167399 13699546 libupnp6-doc_1.6.17-1.2+deb7u1_all.deb Files: 130c7093f49303eca5ea85c1876cb301 1991 net extra libupnp_1.6.17-1.2+deb7u1.dsc efbf0d470ce7157bc0e6ca836e246de5 1187499 net extra libupnp_1.6.17.orig.tar.bz2 fd4b854533a9bdb437e4ba3c824b10c6 28030 net extra libupnp_1.6.17-1.2+deb7u1.debian.tar.gz 9413a271d54952e81fd9b40800d6d4ea 181510 libs extra libupnp6_1.6.17-1.2+deb7u1_amd64.deb d5285af366427dd0c1c953af3d6ebf1e 263208 libdevel extra 
libupnp6-dev_1.6.17-1.2+deb7u1_amd64.deb c2d3a4989c0297ef07b72e8fe89f53dd 43234 libdevel extra libupnp-dev_1.6.17-1.2+deb7u1_all.deb ee7f6d21ec74e4e95028439c8bc7ac8f 393430 debug extra libupnp6-dbg_1.6.17-1.2+deb7u1_amd64.deb 2ce9bd6e88b680d33a098405dbefa1b6 13699546 doc extra libupnp6-doc_1.6.17-1.2+deb7u1_all.deb -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCAAGBQJXtPjiAAoJEPZk0la0aRp9lBUP/1ofQ0XuCFBMJoiLggX8P81E DaYyj3kdAyZJzcUkq+RSLlJOaJwQBoRp7Atc7cybBqk9oAROraoKfp5SqIdGWGY0 Kbmz3I9MA5QPa+ewJPZFklqJH1G2XB9NxjEGy0SOvXGx6VOrl5s8K6z5hmQRHe53 KWPb65ZBrZ/6XOl6vnsZGwyF++VEvLPFFdyknnHetLk1ah4q9JfI5yXGaliyfNB9 SVZWCknyu6ILEkyB01a4ENRXYStQg6DczA+XDg0Vkz8BCupW2hwTeeA6ZoFILbQT BSe+7Q9xqJNwqt/3zFaE0KjIUr5gvOr1N2771x6e58Xg9T9rZy5MUn2zRv7btxXk nd4hZxcZbgQnkJSNOx4jEWIQSnwspaTcAGGhjYsa6+vewKzceCToepSuxWSENgCi vkoJVHeQ+lpV2K8PDE3520e/COOVShu/1i1h04MeZlfWs0xTUQT6B+nuevrT7O7S ewE+Op/i2eeaJqYOgfRQeH1+Jhwqyn3MA9Puz+5HMc4J4LeX9H7H/uv4hOtkM2Cf 1akyNUXBIa4nGRIKMJJ3TOcIT9CofcbILOHL/dWeI3rwynkwyXs7Kmvwv6VjitUO QvqYYvInQ9tcX7mPqmqrtBA4x7XJZslpeFpDX0N/qvhwdPHlcvm4+Qv2nJ1GHO2R herCls1+zdnqQu4ysCxi =37zH -END PGP SIGNATURE-
[SECURITY] [DLA 595-1] wireshark security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u3
CVE ID : CVE-2016-6504 CVE-2016-6505 CVE-2016-6506 CVE-2016-6507 CVE-2016-6508 CVE-2016-6509 CVE-2016-6510 CVE-2016-6511

Multiple vulnerabilities were discovered in the dissectors for NDS, PacketBB, WSP, MMSE, RLC, LDSS and OpenFlow, which could result in denial of service or the execution of arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u3.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXsddkAAoJEPZk0la0aRp9yUEQALcZFndaOAASfOg3zs3Uy22U yz8DWvOefoHy9cxOXW3sP7/gYY3xm5ojqzAxehSDty93OP5dOZQBTvPap/G/0g8n qdaRQC/D3i+AtMNBeOicu49UQC20FOW4w7xEGLVbHUGIP/OejeSG1nDPwPe9B6kb 5LFHf8O1vEUN2MEqKchj1TegdDDXCLMNGslg1/fShqCoP3wv07iFFONyFhCzOLo4 tkrQX0+pOJb29PRNnOic9cnROSi4hX0whcVrOWlfeJ+pK946+aJod/8fg4K9bJep BjIi8lSbAaISg+/T7HqZPDCyRVx9VTSnQa6CNd7Eflbpkxddp6LzxEVM9u09keIx 7sePt/r+9gkw5qLdXK9yNQJiLOnEZQqsd+78acfp31XffA0nygAdsxx6oX7FE0jM cExi4DTOACsaQ1inM1ygpIzIbAr4x7loxFspRH3mQuY8cwG0bG/uuBtv8IgXilZ+ kaL1q8bU9EA3xSC9+sfPzQFMdSZ9G+tAaM7bU1aGyYvPv7rSD+EtrWIlvbSzPHJT 4T54+mM3k6YnS+MZRIdcV1xLzgT7Y2wZlYg7Jp8nhz2qL6CROl6O/mSbp48NqlO3 umpw+D+NeGFC/+sygU0osOZVgyXdjdDlp3N+eUcp1koKjqtTv9MKy76Ifv/yu0+h tj7lmdh4ybkOBhQZO5LK =IOJq
-----END PGP SIGNATURE-----
[SECURITY] [DLA 591-1] libreoffice security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: libreoffice
Version: 3.5.4+dfsg2-0+deb7u8
CVE ID : CVE-2016-1513

An OpenDocument Presentation .ODP or Presentation Template .OTP file can contain invalid presentation elements that lead to memory corruption when the document is loaded in LibreOffice Impress. The defect may cause the document to appear as corrupted and LibreOffice may crash in a recovery-stuck mode requiring manual intervention. A crafted exploitation of the defect can allow an attacker to cause denial of service (memory corruption and application crash) and possible execution of arbitrary code.

For Debian 7 "Wheezy", this problem has been fixed in version 3.5.4+dfsg2-0+deb7u8.

We recommend that you upgrade your libreoffice packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXqbyXAAoJEPZk0la0aRp9UWcP/Al22F5NbfIONEjvWxGl1LgG zRhIGsINBTrl/1PVyZ87L/KMPbUxev4KNazLoiKjYoqlxlb8GOUCf6n+azpMH+bl IrLenoUrUncaf/dQyg/ftGbsgofPbAgmRP0Fw4GNcMR6PTzuaCZ12OVoDbGTO/Jo YwHOERGS/p1s0oqPzFsag5WQx+/41eFgj44kQCQGPhCpbTwDDoO7aeOp6wlV7y4S Dr3ObfCaHREtEBUJWBmgUqpggoYlKjfSmh3Lp+QCD1OLiP+kjAmrUyilhtWnp32E q8Pg20wNFH5t9SFQI4E4LOnIvnyVZglH/FjpDjpSs5ljuqKw798MAEmKAa/btbbG YjDS3vKSTARpza072uYmfK7UNVQctKzB29e69DRTlVQLZLv6/Ada1/u/E1qDez/p 6/5uu0t/FX0ewXrksCPgVLNUq1HzNyobXbs+dMFFcYKMeONfLpbK8OC2k4IcRexK /ZNjx6Z0SNwq9Q/1iiAljvgORx/PLPjTBfx/zAQelSC0kIFSxdEw2rQVvH6QnGU7 RSCMsc6/ewWVweRHckEf3YB12agxvECmDof3XMkq1rhsYlffim+yZjkmm4FjfIWF kM5WCZVDUHYTpxY2rQfvFmijnEvckwTNvgaClio98imOD1B4hy1TUxhwv5Ti2kJb dec6ZMtwjvS7nlJA/8ZC =qvnG
-----END PGP SIGNATURE-----
Re: Wheezy update of libupnp?
On 07/26/2016 10:51 PM, Bálint Réczey wrote:
> Hi Nick,
>
> 2016-07-19 15:35 GMT+02:00 Nick Leverton <n...@leverton.org>:
>> On Tue, Jul 19, 2016 at 08:54:18AM +0200, Chris Lamb wrote:
>>> Hello dear maintainer(s),
>>>
>>> the Debian LTS team would like to fix the security issues which are
>>> currently open in the Wheezy version of libupnp:
>>> https://security-tracker.debian.org/tracker/TEMP-000-867096
>>>
>>> Would you like to take care of this yourself?
>>
>> Hi,
>>
>> Thanks very much for the headsup on this. I've a bit to do for Squeeze
>> at the moment and would really appreciate any help your team can provide
>> on LTS. If I do get enough time though I'll check in on your task
>> tracker as suggested.
>
> I will prepare a fix for Wheezy tomorrow.

It took some more time but I also reported the problem upstream in their public bug tracker:
https://sourceforge.net/p/pupnp/bugs/132/

Please see the attached patch which I will upload in a few days if upstream does not react.

The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Cheers,
Balint

diff -Nru libupnp-1.6.17/debian/changelog libupnp-1.6.17/debian/changelog --- libupnp-1.6.17/debian/changelog 2013-02-01 21:56:14.0 +0100 +++ libupnp-1.6.17/debian/changelog 2016-07-27 19:05:24.0 +0200
@@ -1,3 +1,12 @@ +libupnp (1:1.6.17-1.2+deb7u1) wheezy-security; urgency=medium + + * Non-maintainer upload by the LTS Team + * Don't allow unhandled POSTs to write to the filesystem by +default (Closes: #831857) (CVE-2016-6255) +Thanks to Matthew Garrett for the patch. + + -- Balint Reczey <bal...@balintreczey.hu> Wed, 27 Jul 2016 19:01:31 +0200 + libupnp (1:1.6.17-1.2) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch --- libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch 1970-01-01 01:00:00.0 +0100 +++ libupnp-1.6.17/debian/patches/0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch 2016-07-27 19:01:19.0 +0200 
@@ -0,0 +1,59 @@ +From be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd Mon Sep 17 00:00:00 2001 +From: Matthew Garrett <mj...@srcf.ucam.org> +Date: Tue, 23 Feb 2016 13:53:20 -0800 +Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by + default + +If there's no registered handler for a POST request, the default behaviour +is to write it to the filesystem. Several million deployed devices appear +to have this behaviour, making it possible to (at least) store arbitrary +data on them. Add a configure option that enables this behaviour, and change +the default to just drop POSTs that aren't directly handled. +--- + configure.ac | 4 + upnp/inc/upnpconfig.h.in | 5 + + upnp/src/genlib/net/http/webserver.c | 4 + 3 files changed, 13 insertions(+) + +--- a/configure.ac b/configure.ac +@@ -452,6 +452,10 @@ + AC_DEFINE(UPNP_ENABLE_BLOCKING_TCP_CONNECTIONS, 1, [see upnpconfig.h]) + fi + ++RT_BOOL_ARG_ENABLE([postwrite], [no], [write to the filesystem on otherwise unhandled POST requests]) ++if test "x$enable_postwrite" = xyes ; then ++AC_DEFINE(UPNP_ENABLE_POST_WRITE, 1, [see upnpconfig.h]) ++fi + + RT_BOOL_ARG_ENABLE([samples], [yes], [compilation of upnp/sample/ code]) + +--- a/upnp/inc/upnpconfig.h.in b/upnp/inc/upnpconfig.h.in +@@ -131,5 +131,10 @@ + * header (i.e. configure --enable-unspecified_server) */ + #undef UPNP_ENABLE_UNSPECIFIED_SERVER + ++/** Defined to 1 if the library has been compiled to support filesystem writes on POST ++ * (i.e. 
configure --enable-postwrite) */ ++#undef UPNP_ENABLE_POST_WRITE ++ ++ + #endif /* UPNP_CONFIG_H */ + +--- a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c +@@ -1354,9 +1354,13 @@ + if (Fp == NULL) + return HTTP_INTERNAL_SERVER_ERROR; + } else { ++#ifdef UPNP_ENABLE_POST_WRITE + Fp = fopen(filename, "wb"); + if (Fp == NULL) + return HTTP_UNAUTHORIZED; ++#else ++ return HTTP_NOT_FOUND; ++#endif + } + parser->position = POS_ENTITY; + do { diff -Nru libupnp-1.6.17/debian/patches/series libupnp-1.6.17/debian/patches/series --- libupnp-1.6.17/debian/patches/series 2013-02-01 18:36:23.0 +0100 +++ libupnp-1.6.17/debian/patches/series 2016-07-27 19:00:56.0 +0200 @@ -4,3 +4,4 @@ 12-debian-always-debug.patch 18-url-upnpstrings.patch 0001-Security-fix-for-CERT-issue-VU-922681.branch-1.6.patch +0002-Don-t-allow-unhandled-POSTs-to-write-to-the-filesyst.patch
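Review bot: the changelog entry names the new default but not its user-visible effect; since nothing in this debdiff passes the new --enable-postwrite configure switch, the Debian build gets the patch's default, in which a POST without a registered handler is answered with HTTP_NOT_FOUND instead of being stored on disk, so a line such as "Unhandled POST requests are now rejected with 404 instead of being written to the filesystem" would tell users of devices or applications that depended on the old behaviour what changed.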
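Review bot: in the upnpconfig.h.in section of the 0002 patch there are two consecutive empty `+` lines after `#undef UPNP_ENABLE_POST_WRITE`, where the neighbouring entries are separated by one; drop one. In the webserver.c section the `#else` branch returns HTTP_NOT_FOUND for an unhandled POST, while the `#ifdef UPNP_ENABLE_POST_WRITE` branch keeps returning HTTP_UNAUTHORIZED when `fopen(filename, "wb")` fails; a one-line comment on the `#else` stating that unhandled POSTs are refused on purpose would stop a later reader from "fixing" it back to the write, and it is the `[no]` default in `RT_BOOL_ARG_ENABLE([postwrite], [no], ...)` that makes the refusal the default, which matches the subject line.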
Accepted libreoffice 1:3.5.4+dfsg2-0+deb7u7 (source amd64 all) into oldstable
Format: 1.8
Date: Sat, 30 Jul 2016 12:58:14 +0200
Source: libreoffice
Binary: libreoffice libreoffice-l10n-za libreoffice-l10n-in libreoffice-core libreoffice-common libreoffice-java-common libreoffice-writer libreoffice-calc libreoffice-impress libreoffice-draw libreoffice-math libreoffice-base-core libreoffice-base libreoffice-style-crystal libreoffice-style-oxygen libreoffice-style-tango libreoffice-style-hicontrast libreoffice-style-galaxy libreoffice-gtk libreoffice-gtk3 libreoffice-gnome libreoffice-emailmerge python-uno python3-uno libreoffice-officebean libreoffice-filter-mobiledev openoffice.org-dtd-officedocument1.0 libreoffice-script-provider-python libreoffice-script-provider-bsh libreoffice-script-provider-js libreoffice-l10n-af libreoffice-l10n-ar libreoffice-l10n-as libreoffice-l10n-ast libreoffice-l10n-be libreoffice-l10n-bg libreoffice-l10n-bn libreoffice-l10n-br libreoffice-l10n-bs libreoffice-l10n-ca libreoffice-l10n-cs libreoffice-l10n-cy libreoffice-l10n-da libreoffice-l10n-de libreoffice-l10n-dz libreoffice-l10n-el libreoffice-l10n-en-gb libreoffice-l10n-en-za libreoffice-l10n-eo libreoffice-l10n-es libreoffice-l10n-et libreoffice-l10n-eu libreoffice-l10n-fa libreoffice-l10n-fi libreoffice-l10n-fr libreoffice-l10n-ga libreoffice-l10n-gl libreoffice-l10n-gu libreoffice-l10n-he libreoffice-l10n-hi libreoffice-l10n-hr libreoffice-l10n-hu libreoffice-l10n-id libreoffice-l10n-is libreoffice-l10n-it libreoffice-l10n-ja libreoffice-l10n-ka libreoffice-l10n-km libreoffice-l10n-ko libreoffice-l10n-ku libreoffice-l10n-lt libreoffice-l10n-lv libreoffice-l10n-mk libreoffice-l10n-mn libreoffice-l10n-ml libreoffice-l10n-mr libreoffice-l10n-nb libreoffice-l10n-ne libreoffice-l10n-nl libreoffice-l10n-nn libreoffice-l10n-nr libreoffice-l10n-nso libreoffice-l10n-oc libreoffice-l10n-om libreoffice-l10n-or libreoffice-l10n-pa-in libreoffice-l10n-pl libreoffice-l10n-pt libreoffice-l10n-pt-br libreoffice-l10n-ro libreoffice-l10n-ru libreoffice-l10n-rw libreoffice-l10n-si libreoffice-l10n-sk libreoffice-l10n-sl libreoffice-l10n-sr libreoffice-l10n-ss libreoffice-l10n-st libreoffice-l10n-sv libreoffice-l10n-ta libreoffice-l10n-te libreoffice-l10n-tg libreoffice-l10n-th libreoffice-l10n-tn libreoffice-l10n-tr libreoffice-l10n-ts libreoffice-l10n-ug libreoffice-l10n-uk libreoffice-l10n-uz libreoffice-l10n-ve libreoffice-l10n-vi libreoffice-l10n-xh libreoffice-l10n-zh-cn libreoffice-l10n-zh-tw libreoffice-l10n-zu libreoffice-help-en-us libreoffice-help-ca libreoffice-help-cs libreoffice-help-da libreoffice-help-de libreoffice-help-dz libreoffice-help-el libreoffice-help-en-gb libreoffice-help-es libreoffice-help-et libreoffice-help-eu libreoffice-help-fi libreoffice-help-fr libreoffice-help-gl libreoffice-help-hi libreoffice-help-hu libreoffice-help-it libreoffice-help-ja libreoffice-help-km libreoffice-help-ko libreoffice-help-nl libreoffice-help-om libreoffice-help-pl libreoffice-help-pt libreoffice-help-pt-br libreoffice-help-ru libreoffice-help-sk libreoffice-help-sl libreoffice-help-sv libreoffice-help-zh-cn libreoffice-help-zh-tw uno-libs3 uno-libs3-dbg ure ure-dbg libreoffice-gcj libreoffice-ogltrans libreoffice-wiki-publisher libreoffice-report-builder libreoffice-report-builder-bin libreoffice-presentation-minimizer libreoffice-presenter-console libreoffice-pdfimport fonts-opensymbol ttf-opensymbol libreoffice-dbg libreoffice-dev libreoffice-dev-doc libreoffice-kde libreoffice-sdbc-postgresql libreoffice-mysql-connector libreoffice-evolution libreoffice-filter-binfilter
Architecture: source amd64 all
Version: 1:3.5.4+dfsg2-0+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian LibreOffice Maintainers <debian-openoff...@lists.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 fonts-opensymbol - OpenSymbol TrueType font
 libreoffice - office productivity suite
 libreoffice-base - office productivity suite -- database
 libreoffice-base-core - office productivity suite -- shared library
 libreoffice-calc - office productivity suite -- spreadsheet
 libreoffice-common - office productivity suite -- arch-independent files
 libreoffice-core - office productivity suite -- arch-dependent files
 libreoffice-dbg - office productivity suite -- debug symbols
 libreoffice-dev - office productivity suite -- SDK
 libreoffice-dev-doc - office productivity suite -- SDK documentation
 libreoffice-draw - office productivity suite -- drawing
 libreoffice-emailmerge - office productivity suite -- email mail merge
 libreoffice-evolution - office productivity suite -- Evolution addressbook support
 libreoffice-filter-binfilter - office productivity suite -- legacy filters (e.g. StarOffice 5.2)
 libreoffice-filter-mobiledev - office productivity suite -- mobile devices filters
 libreoffice-gcj - office productivity suite -- Java libraries for GIJ
 libreoffice-gn
[SECURITY] [REGRESSION] [DLA -] graphite2 regression update
Package: graphite2
Version: 1.3.6-1~deb7u2

The previous upload of graphite2 (on 2016-04-26) included a .shlib file which did not match the shipped shared libraries preventing packages build-depending on graphite2 libraries to build.

For Debian 7 "Wheezy", these problems have been fixed in version 1.3.6-1~deb7u2.

We recommend that you upgrade your graphite2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted graphite2 1.3.6-1~deb7u2 (source amd64 all) into oldstable
Format: 1.8
Date: Fri, 29 Jul 2016 19:29:22 +0200
Source: graphite2
Binary: libgraphite2-2.0.0 libgraphite2-dev libgraphite2-2.0.0-dbg libgraphite2-doc
Architecture: source amd64 all
Version: 1.3.6-1~deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian LibreOffice Maintainers <debian-openoff...@lists.debian.org>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libgraphite2-2.0.0 - Font rendering engine for Complex Scripts -- library
 libgraphite2-2.0.0-dbg - Debug symbols for libgraphite2
 libgraphite2-dev - Development files for libgraphite2
 libgraphite2-doc - Documentation for libgraphite2
Changes:
 graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium
 .
   * LTS Team upload
   * Fix .shlibs file to let reverse dependencies build
Checksums-Sha1:
 7f6ff213c06b7134c499b1578a134e5473f91304 2160 graphite2_1.3.6-1~deb7u2.dsc
 052ed2e3653f7a026bf9ff63ca42683ce0bcefb4 3881106 graphite2_1.3.6.orig.tar.gz
 6fc15d66057612e8472fbb8293c07665055bf421 10826 graphite2_1.3.6-1~deb7u2.debian.tar.gz
 efa10b7589a2c663c3328838f2f44a8353ef8465 86320 libgraphite2-2.0.0_1.3.6-1~deb7u2_amd64.deb
 10c8b65dde3b20a6cac88a74b3bfc5515a465a3a 22968 libgraphite2-dev_1.3.6-1~deb7u2_amd64.deb
 f4bde4e1aa99cf140434a85f47201700af13ac4a 679656 libgraphite2-2.0.0-dbg_1.3.6-1~deb7u2_amd64.deb
 28deea08ca9c491e0cbfc3c08c6b81dc624e536d 610238 libgraphite2-doc_1.3.6-1~deb7u2_all.deb
Checksums-Sha256:
 d45923609a55b4b50e575fcaa4fac25eeec8bef3a7bc14698df11ea6ae2b5f6f 2160 graphite2_1.3.6-1~deb7u2.dsc
 475e7657ac606ed8805518031729c1273cf7d9d422169ac6f7882e01d832af75 3881106 graphite2_1.3.6.orig.tar.gz
 e2133cd295171fcc1e2dfc39cb7cf269dec2d50e853ca398c1a7e7438d7a1292 10826 graphite2_1.3.6-1~deb7u2.debian.tar.gz
 ee56267a7a348cb4d5ce3a561866612f4083e0d56b957fb26d1c529d0177efa5 86320 libgraphite2-2.0.0_1.3.6-1~deb7u2_amd64.deb
 0ee228b9a2c8911d7c16122f4d7e18bbff10aa9ce6c4bdb57b099a0923d7998b 22968 libgraphite2-dev_1.3.6-1~deb7u2_amd64.deb
 8754dfb22abe2147f147d14e442ea98b8e8e51f87745494732f9a233cb0817f4 679656 libgraphite2-2.0.0-dbg_1.3.6-1~deb7u2_amd64.deb
 56dd841fcf0b6deeddeac7a55ab917d4f0bac74302d2df80a8c0564282dbe333 610238 libgraphite2-doc_1.3.6-1~deb7u2_all.deb
Files:
 697f2f845b92fea32dff3059cdc13ecb 2160 libs optional graphite2_1.3.6-1~deb7u2.dsc
 12eb607e0f458febe348ae69b832b300 3881106 libs optional graphite2_1.3.6.orig.tar.gz
 7ef2e4d94688826ac85ad488bc99c7d8 10826 libs optional graphite2_1.3.6-1~deb7u2.debian.tar.gz
 f8807a49d8337a212697ebfbf9505db4 86320 libs optional libgraphite2-2.0.0_1.3.6-1~deb7u2_amd64.deb
 cc8db4a1233cdf95369df351baf87a5d 22968 libdevel optional libgraphite2-dev_1.3.6-1~deb7u2_amd64.deb
 ab7da889cb09d248607a1a6df3fa3483 679656 debug extra libgraphite2-2.0.0-dbg_1.3.6-1~deb7u2_amd64.deb
 1c4d39e24b88b56a98326027e0cc398b 610238 doc optional libgraphite2-doc_1.3.6-1~deb7u2_all.deb
Re: Wheezy update of libreoffice?
Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
>
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so
>> yet.
>> After it is tested feel free to upload it.
>
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing libreoffice but the attached patch for graphite2 solves that. A binary build was needed anyway since wheezy-security does not accept source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can still parse a valid RTF [1]. Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan uploading both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog --- graphite2-1.3.6/debian/changelog 2016-03-09 12:12:34.0 +0100 +++ graphite2-1.3.6/debian/changelog 2016-07-29 19:30:16.0 +0200 @@ -1,3 +1,10 @@ +graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium + + * LTS Team upload + * Fix .shlibs file to let reverse depenencies build + + -- Balint Reczey <bal...@balintreczey.hu> Fri, 29 Jul 2016 19:29:22 +0200 + graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high * rebuild for oldstable-security diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs --- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-03-09 12:09:32.0 +0100 +++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs 2016-07-30 00:38:31.0 +0200
@@ -1 +1 @@ -libgraphite2 3 libgraphite2-2.0.0 +libgraphite2 2.0.0 libgraphite2-2.0.0 (>= 1.3.6-1~) diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog --- libreoffice-3.5.4+dfsg2/debian/changelog 2016-02-11 18:15:51.0 +0100 +++ libreoffice-3.5.4+dfsg2/debian/changelog 2016-07-30 12:58:16.0 +0200 @@ -1,3 +1,17 @@ +libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high + + [ Rene Engelhard ] + * merge from Ubuntu: +- SECURITY UPDATE: Denial of service and possible arbitrary code execution + via a crafted RTF file + + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free + + CVE-2016-4324 + + [ Balint Reczey ] + * depend on libgraphite2-dev version which has working shlibs file + + -- Balint Reczey <bal...@balintreczey.hu> Sat, 30 Jul 2016 12:58:14 +0200 + libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control --- libreoffice-3.5.4+dfsg2/debian/control 2013-05-29 23:22:11.0 +0200 +++ libreoffice-3.5.4+dfsg2/debian/control 2016-07-30 12:52:29.0 +0200 
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian LibreOffice Maintainers <debian-openoff...@lists.debian.org> Uploaders: Rene Engelhard <r...@debian.org> -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec
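Review bot: "depenencies" in the graphite2 changelog entry ("Fix .shlibs file to let reverse depenencies build") should read "dependencies"; the entry is copied verbatim into the .changes file and the binary packages' changelog, so it is worth fixing before the upload.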
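Review bot: the libreoffice changelog entry credits debian/patches/rtf-use-after-free.diff for CVE-2016-4324, but the part of the debdiff visible here shows only debian/changelog and debian/control; confirm that the patch file and its debian/patches/series line are part of the upload, and consider noting the Debian bug number or upstream reference for the use-after-free next to the CVE so the security tracker entry can be matched against it.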
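Review bot: only the `-` side of the Build-Depends line in the debian/control hunk survives in this excerpt, so the new lower bound on libgraphite2-dev cannot be checked here; the changelog entry says libreoffice now depends on "libgraphite2-dev version which has working shlibs file", so the `+` line should require at least 1.3.6-1~deb7u2 (the graphite2 upload in the same mail) rather than the existing `libgraphite2-dev (>= 0.9.3)`, otherwise a build against the older deb7u1 -dev package reproduces the FTBFS described above.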
[SECURITY] [DLA 570-1] kde4libs security update
Package: kde4libs
Version: 4:4.8.4-4+deb7u2
CVE ID : CVE-2016-6232
Debian Bug : 832620

It was possible to trick kde4libs's KArchiveDirectory::copyTo() function to extract files to arbitrary system locations from a specially prepared tar file outside of the extraction folder.

For Debian 7 "Wheezy", these problems have been fixed in version 4:4.8.4-4+deb7u2.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
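The kde4libs issue above is the archive path-traversal class: an entry whose name, or whose link target, resolves outside the directory the caller chose for extraction. The following is an added example and not kde4libs or KArchive code; it is a standard-library Python check that classifies the members of a tar archive before anything is written, rejecting absolute names, `..` escapes, device nodes, and symlinks or hard links whose targets leave the destination. The function names, the destination path `/tmp/extract-demo` and the archive it builds in memory are all constructed for this demonstration.

```python
import io
import os
import tarfile


def is_within(base: str, path: str) -> bool:
    """True when `path` (already passed through realpath) is `base` or lies beneath it."""
    return path == base or path.startswith(base + os.sep)


def member_escape_reason(member: tarfile.TarInfo, dest_real: str):
    """Return None if the member may be written under dest_real, else a reason string.

    dest_real must already be the realpath of the destination so that a destination
    that is itself a symlink (e.g. /tmp on some systems) compares consistently.
    """
    if os.path.isabs(member.name):
        return "absolute member name"
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if not is_within(dest_real, target):
        return "member path escapes destination"
    if member.issym():
        # A symlink target is interpreted relative to the link's own directory.
        if os.path.isabs(member.linkname):
            return "absolute symlink target"
        link_target = os.path.realpath(
            os.path.join(os.path.dirname(target), member.linkname))
        if not is_within(dest_real, link_target):
            return "symlink target escapes destination"
    elif member.islnk():
        # A hard link target is a path relative to the archive root.
        link_target = os.path.realpath(os.path.join(dest_real, member.linkname))
        if not is_within(dest_real, link_target):
            return "hard link target escapes destination"
    elif member.isdev():
        return "device node"
    return None


def classify_members(archive: bytes, dest: str):
    """Split an archive's members into (allowed names, {rejected name: reason})."""
    dest_real = os.path.realpath(dest)
    allowed, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            reason = member_escape_reason(member, dest_real)
            if reason is None:
                allowed.append(member.name)
            else:
                rejected[member.name] = reason
    return allowed, rejected


def build_demo_archive() -> bytes:
    """Constructed sample archive (not from the advisory): benign entries mixed with escaping ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_symlink(name, linkname):
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)

        add_file("docs/readme.txt", b"hello\n")           # ordinary file, allowed
        add_symlink("docs/latest", "readme.txt")          # symlink that stays inside
        add_file("../../tmp/escaped.txt", b"outside\n")   # classic '..' escape
        add_file("/etc/evil.conf", b"absolute\n")         # absolute member name
        add_symlink("link-out", "../../")                 # symlink pointing above dest
    return buf.getvalue()


if __name__ == "__main__":
    allowed, rejected = classify_members(build_demo_archive(), "/tmp/extract-demo")
    print("allowed:", allowed)
    for name, reason in rejected.items():
        print("rejected:", name, "->", reason)
```

Run the classification first and extract only the allowed members, in archive order; because an accepted symlink always resolves inside the destination, a later member written through it still lands inside the destination. The realpath calls make the comparison lexical for paths that do not exist yet and follow symlinks for components that already do, which is what lets the check catch an entry that escapes through an existing link on disk as well as through `..` in the name.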
[SECURITY] [DLA 566-1] cakephp security update
Package: cakephp
Version: 1.3.15-1+deb7u1
Debian Bug : 832283

CakePHP, an open-source web application framework for PHP, was vulnerable to SSRF (Server Side Request Forgery) attacks. Remote attacker can utilize it for at least DoS (Denial of Service) attacks, if the target application accepts XML as an input. It is caused by insecure design of Cake's Xml class.

For Debian 7 "Wheezy", these problems have been fixed in version 1.3.15-1+deb7u1.

We recommend that you upgrade your cakephp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Wheezy update of ruby-eventmachine?
Hi All,

On 06/28/2016 01:59 PM, Bálint Réczey wrote:
> Hi Christian,
>
> 2016-06-28 7:27 GMT+02:00 Christian Hofstaedtler <z...@debian.org>:
>> Hi,
>>
>> * Bálint Réczey <bal...@balintreczey.hu> [160628 00:28]:
>>> Dear Ruby and LTS Maintainers,
>>>
>>> I plan updating the ruby-eventmachine package in Wheezy LTS to
>>> fix the following security issue:
>>> https://security-tracker.debian.org/tracker/TEMP-0678512-2E167C
>>>
>>> Please see the diff to previous version attached.
>
> Thanks! I also tried the new test without fixing the issue in the code
> and it crashes nicely.
>
>>
>> Only gave this a quick glance, but LGTM.
>>
>>> I plan updating Jessie's version through jessie-proposed-updates, since
>>> the issue is marked as no-DSA.
>>
>> This can probably still go through debian-security?
>
> I'll ask them, showing the proposed diff.

I asked, but there is no clear new decision regarding handling the issue in Jessie.

>
>> Also, given there's no ruby1.8 in jessie, the diff will be a lot
>> smaller I guess.
>
> IMO the difference is very small and I'd rather add the few macros for 1.8
> than breaking the source package's compatibility with the update.
>
> I have pushed my changes to the packaging repository in two new branches here:
> https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-eventmachine.git

While reading all the bug reports related to the crash I noticed that the fix introduced a memory leak which is fixed in successive commits. I have added them to the update growing it significantly, but at least we don't introduce a regression with the fix.

Please see the diff attached and also in the git repository as separate commits.

Cheers,
Balint

diff -Nru ruby-eventmachine-0.12.10/debian/changelog ruby-eventmachine-0.12.10/debian/changelog --- ruby-eventmachine-0.12.10/debian/changelog 2012-06-20 16:21:30.0 +0200 +++ ruby-eventmachine-0.12.10/debian/changelog 2016-06-29 22:53:09.0 +0200
@@ -1,3 +1,14 @@ +ruby-eventmachine (0.12.10-3+deb7u1) wheezy-security; urgency=medium + + * Fix remotely triggerable crash due to FD handling +(Closes: #678512, #696015) + * Add net-tools to build dependencies to let tests run + * Run all tests in tests/ directory + * Skip tests requiring network connection + * Fix memory leak caused when fixing crash + + -- Balint Reczey <bal...@balintreczey.hu> Wed, 29 Jun 2016 21:21:12 +0200 + ruby-eventmachine (0.12.10-3) unstable; urgency=low * Add myself to uploaders. diff -Nru ruby-eventmachine-0.12.10/debian/control ruby-eventmachine-0.12.10/debian/control --- ruby-eventmachine-0.12.10/debian/control 2012-06-20 16:21:30.0 +0200 +++ ruby-eventmachine-0.12.10/debian/control 2016-06-29 22:53:09.0 +0200 @@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org> Uploaders: Daigo Moriwaki <da...@debian.org>, Ryan Niebur <ryanrya...@gmail.com>, Laurent Arnoud <laur...@spkdev.net>, Paul van Tilburg <pau...@debian.org>, Per Andersson <avtob...@gmail.com> -Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.7~) +Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.7~), net-tools Standards-Version: 3.9.3 Homepage: http://rubyeventmachine.com/ Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-eventmachine.git diff -Nru ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch --- ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch 2016-06-29 22:53:09.0 +0200 
@@ -0,0 +1,158 @@ +From bd881bb291b30bf9de71d6ab45caa69f25707577 Mon Sep 17 00:00:00 2001 +From: Patrick Reynolds <patrick.reyno...@github.com> +Date: Tue, 11 Mar 2014 16:01:25 -0500 +Subject: [PATCH 2/4] use ruby select api with expandable fd sets + +Conflicts: + ext/em.cpp + ext/em.h +--- + ext/em.cpp | 30 +++--- + ext/em.h | 10 +- + tests/test_many_fds.rb | 22 ++ + 3 files changed, 42 insertions(+), 20 deletions(-) + create mode 100644 tests/test_many_fds.rb + +--- a/ext/em.cpp b/ext/em.cpp +@@ -774,9 +774,9 @@ + SelectData_t::SelectData_t() + { + maxsocket = 0; +- FD_ZERO (); +- FD_ZERO (); +- FD_ZERO (); ++ rb_fd_init (); ++ rb_fd_init (); ++ rb_fd_init (); + } + + +@@ -789,7 +789,7 @@ + static VALUE _SelectDataSelect (void *v) + { + SelectData_t *sd = (SelectData_t*)v; +- sd->nSockets = select (sd->maxsocket+1, &(sd-&
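Review bot: in the em.cpp constructor hunk the three `FD_ZERO` calls become `rb_fd_init`, which allocates storage for each rb_fdset_t, but the matching `rb_fd_term` calls in the SelectData_t destructor are not in the part of the patch shown here (the excerpt ends inside `_SelectDataSelect`), and the cover letter itself says the original upstream fix leaked memory until later commits; make sure a destructor hunk or a follow-up patch in this series frees the sets, otherwise every pass through the event loop leaks. Two smaller points: the arguments of the `FD_ZERO ()` and `rb_fd_init ()` calls are missing in this rendering (the line ending in `&(sd-&` shows where the text was cut), so the file should be compared against upstream commit bd881bb before applying, and the `Conflicts: ext/em.cpp ext/em.h` lines left over from the cherry-pick belong below the `---` separator rather than in the commit message that ends up in the patch header.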
[SECURITY] [DLA 497-1] wireshark security update
Package: wireshark
Version: 1.12.1+g01b65bf-4+deb8u6~deb7u1
CVE ID : CVE-2012-6052 CVE-2012-6053 CVE-2012-6054 CVE-2012-6055 CVE-2012-6056 CVE-2012-6057 CVE-2012-6058 CVE-2012-6059 CVE-2012-6060 CVE-2012-6061 CVE-2012-6062 CVE-2013-1572 CVE-2013-1573 CVE-2013-1574 CVE-2013-1575 CVE-2013-1576 CVE-2013-1577 CVE-2013-1578 CVE-2013-1579 CVE-2013-1580 CVE-2013-1581 CVE-2013-2476 CVE-2013-2479 CVE-2013-2482 CVE-2013-2485 CVE-2013-2486 CVE-2013-2487 CVE-2013-4079 CVE-2013-4080 CVE-2013-4927 CVE-2013-4929 CVE-2013-4931 CVE-2013-5719 CVE-2013-5721 CVE-2013-6339 CVE-2013-7112 CVE-2015-6243 CVE-2015-6246 CVE-2015-6248 CVE-2016-4006 CVE-2016-4079 CVE-2016-4080 CVE-2016-4081 CVE-2016-4082 CVE-2016-4085

Multiple vulnerabilities were discovered in the dissectors/parsers for PKTC, IAX2, GSM CBCH and NCP which could result in denial of service. This update also fixes many older less important issues by updating the package to the version found in Debian 8 also known as Jessie.

For Debian 7 "Wheezy", these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u6~deb7u1.

We recommend that you upgrade your wireshark packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Wireshark in wheezy-lts
Hi All,

2016-05-23 12:36 GMT+02:00 Steffen Möller <steffen_moel...@gmx.de>:
> Hi all,
>
> On 23/05/16 11:23, Markus Koschany wrote:
>> On 21.05.2016 at 16:31, Balint Reczey wrote:
>>> Dear LTS Team,
>>>
>>> I would like to suggest (and volunteer for) back-porting
>>> jessie-security's wireshark version to wheezy-lts.
>>
>> FYI, Steffen Moeller is also currently working on a security update for
>> wireshark (dla-needed.txt). Maybe you might want to coordinate your
>> efforts with Steffen.

We started the conversation privately but I proposed bringing the question to the list since switching to a different upstream version is not just the minimal fix which is usually preferred.

> and I very much accept that the expertise is with Balint, here.
> Please use me whenever I could be helpful and otherwise I just
> step back.

Thank you, I think with back-porting Jessie's version we get much better results with less work. If you don't mind I reassign the DLA to me then.

>
> We had agreed on me re-uploading (as a volunteer)
> version 2.0.3 of wireshark to wheezy-backports-sloppy. I do
> so today if you do not prefer otherwise.

As I confirmed earlier I'm perfectly OK with the upload.

Cheers,
Balint
Wireshark in wheezy-lts
Dear LTS Team,

I would like to suggest (and volunteer for) back-porting jessie-security's wireshark version to wheezy-lts.

1.8.x security issues are not tracked by upstream and it most probably contains many unpublished vulnerabilities. Jessie's 1.12.x will be supported by upstream till the next release around July this year and I plan back-porting all important security fixes during jessie's support period like I did with other Wireshark versions supported by Debian but not supported by upstream. I manage lts-* branches [1] at upstream for the security fixes applied in Debian.

Switching to jessie's wireshark breaks netexpect [2], but it has only a few users and it is absent from testing due to being broken in unstable.

Cheers,
Balint

Disclaimer: I'm also in the upstream development team.

[1] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=heads
[2] https://packages.qa.debian.org/n/netexpect.html
Accepted wireshark 1.8.2-5wheezy15~deb6u1 (source all amd64) into squeeze-lts, squeeze-lts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Apr 2015 16:08:00 +0200
Source: wireshark
Binary: wireshark-common wireshark tshark wireshark-dev wireshark-dbg wireshark-doc libwireshark2 libwsutil2 libwsutil-dev libwireshark-data libwireshark-dev libwiretap2 libwiretap-dev
Architecture: source all amd64
Version: 1.8.2-5wheezy15~deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Balint Reczey <bal...@balintreczey.hu>
Changed-By: Balint Reczey <bal...@balintreczey.hu>
Description:
 libwireshark-data - network packet dissection library -- data files
 libwireshark-dev - network packet dissection library -- development files
 libwireshark2 - network packet dissection library -- shared library
 libwiretap-dev - network packet capture library -- development files
 libwiretap2 - network packet capture library -- shared library
 libwsutil-dev - network packet dissection utilities library -- shared library
 libwsutil2 - network packet dissection utilities library -- shared library
 tshark     - network traffic analyzer - console version
 wireshark  - network traffic analyzer - GTK+ version
 wireshark-common - network traffic analyzer - common files
 wireshark-dbg - network traffic analyzer - debug symbols
 wireshark-dev - network traffic analyzer - development tools
 wireshark-doc - network traffic analyzer - documentation
Closes: 68746 179309 314833 419710 454621 539287 570132 582298 585370 591563 593214 593875 594390 594738 594780 596108 598498 608990 621801 626145 627146 630951 634671 635116 647082 649350 653938 661759 666058 678585 680056 689972 704561 709167 711918 769410 776135 780372
Changes:
 wireshark (1.8.2-5wheezy15~deb6u1) squeeze-lts; urgency=high
 .
   * Rebuild for Squeeze LTS
 .
 wireshark (1.8.2-5wheezy15) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.12.4 (Closes: #780372):
     - The WCP dissector could crash (CVE-2015-2188)
     - The pcapng file parser could crash (CVE-2015-2189)
     - The TNEF dissector could go into an infinite loop.
       Discovered by Vlad Tsyrklevich. (CVE-2015-2191)
 .
 wireshark (1.8.2-5wheezy14) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.10.12 (Closes: #776135):
     - The DEC DNA Routing Protocol dissector could crash (CVE-2015-0562)
     - Wireshark could crash while decrypting TLS/SSL sessions.
       Discovered by Noam Rathaus. (CVE-2015-0564)
 .
 wireshark (1.8.2-5wheezy13) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.10.11 (Closes: #769410):
     - SigComp UDVM buffer overflow (CVE-2014-8710)
     - AMQP crash (CVE-2014-8711)
     - NCP crashes (CVE-2014-8712, CVE-2014-8713)
     - TN5250 infinite loops (CVE-2014-8714)
 .
 wireshark (1.8.2-5wheezy12) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.10.9:
     - RTP dissector crash (CVE-2014-6422)
     - MEGACO dissector infinite loop (CVE-2014-6423)
     - Netflow dissector crash (CVE-2014-6424)
     - RTSP dissector crash (CVE-2014-6427)
     - SES dissector crash (CVE-2014-6428)
     - Sniffer file parser crash. (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432)
 .
 wireshark (1.8.2-5wheezy11) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.10.9:
     - The Catapult DCT2000 and IrDA dissectors could underrun a buffer (CVE-2014-5161, CVE-2014-5162)
     - The GSM Management dissector could crash (CVE-2014-5163)
     - The RLC dissector could crash (CVE-2014-5164)
     - The ASN.1 BER dissector could crash (CVE-2014-5165)
 .
 wireshark (1.8.2-5wheezy10) wheezy-security; urgency=low
 .
   * security fixes from Wireshark 1.8.13:
     - The NFS dissector could crash. Discovered by Moshe Kaplan (CVE-2014-2281)
     - The RLC dissector could crash. (CVE-2014-2283)
     - The MPEG file parser could overflow a buffer. Discovered by Wesley Neelen. (CVE-2014-2299)
 .
 wireshark (1.8.2-5wheezy9) wheezy-security; urgency=high
 .
   * security fixes from (not yet released) Wireshark 1.8.13:
     - The BSSGP dissector could crash. Discovered by Laurent Butti. (CVE-2013-7113)
       The exploit provided for CVE-2013-7113 does not crash 1.8.2-5wheezy8 and earlier versions,
       but a modified exploit could. The fix is back-ported from Wireshark's 1.8.x branch.
 .
 wireshark (1.8.2-5wheezy8) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.8.12:
     - The NTLMSSP v2 dissector could crash. Discovered by Garming Sam. (CVE-2013-7114)
 .
 wireshark (1.8.2-5wheezy7) wheezy-security; urgency=high
 .
   * security fixes from Wireshark 1.8.11:
     - The IEEE 802.15.4 dissector could crash. (CVE-2013-6336)
     - The NBAP dissector could crash. Discovered by Laurent Butti. (CVE-2013-6337)
     - The SIP dissector could crash. (CVE-2013-6338)
     - The TCP dissector could crash. (CVE-2013-6340)
 .
 wireshark (1.8.2-5wheezy6) wheezy-security; urgency=high
Please add me to the secure-testing project

I would like to prepare the wireshark DLA.

Cheers,
Balint

--
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53f48213.4010...@balintreczey.hu