Re: [SECURITY] [DLA 3436-1] sssd security update

2023-05-30 Thread Bastian Blank
On Mon, May 29, 2023 at 03:43:53PM +0200, Guilhem Moulin wrote:
> Package: sssd
> Version: 1.16.3-3.2+deb10u1
> CVE ID : CVE-2018-16838 CVE-2019-3811 CVE-2021-3621 CVE-2022-4254
> Debian Bug : 919051 931432 992710

This update is broken.  libsss-certmap.so.0 was changed in an
incompatible way (new symbols):

| +SSS_CERTMAP_0.2 {
| +global:
| +sss_certmap_expand_mapping_rule; 
| +} SSS_CERTMAP_0.1;

But no proper dependency exists to pull in the new library:

| $ apt rdepends libsss-certmap0 
| libsss-certmap0
| Reverse Depends:
|   Depends: libsss-certmap-dev (= 1.16.3-3.2+deb10u1)
|   Depends: sssd-common

This breaks of course with the "smallest step possible" upgrade mode of
unattended-upgrades.

Bastian

-- 
Where there's no emotion, there's no motive for violence.
-- Spock, "Dagger of the Mind", stardate 2715.1
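A check for the failure mode described in this mail, added here as an example (it is not sssd's or Debian's own tooling): it reads a version-script diff in the form quoted above and the Depends fields of the library's reverse dependencies, and flags every reverse dependency that would be allowed to upgrade ahead of the library. The Depends lines are a constructed sample in the format `dpkg-query -W -f='${Package}\t${Depends}\n'` prints; the package names and versions are taken from the mail.

```python
"""Flag a shared-library ABI extension that no versioned dependency protects.

If a new binary is built against a new version node (SSS_CERTMAP_0.2) but its
package only says "Depends: libsss-certmap0" with no minimum version, a
partial upgrade (e.g. unattended-upgrades' smallest-step mode) can install
the new sssd-common against the old .so, and ld.so then refuses to start
the program with "version `SSS_CERTMAP_0.2' not found".
"""
import re

# Constructed: the version-script diff quoted in the mail.
SYMBOLS_DIFF = """\
+SSS_CERTMAP_0.2 {
+global:
+sss_certmap_expand_mapping_rule;
+} SSS_CERTMAP_0.1;
"""

# Constructed: Depends fields of the reverse dependencies of libsss-certmap0,
# as `dpkg-query -W -f='${Package}\t${Depends}\n' <pkg>` prints them.
# libsss-certmap-dev carries a strict (=) constraint; sssd-common reproduces
# the unversioned dependency the mail complains about.
DEPENDS_LINES = """\
libsss-certmap-dev\tlibsss-certmap0 (= 1.16.3-3.2+deb10u1), libc6-dev
sssd-common\tlibsss-certmap0, libc6 (>= 2.28), libsss-idmap0 (>= 1.16.0)
"""

NEW_VERSION_NODE = re.compile(r"^\+(\S+)\s*\{", re.MULTILINE)
NEW_SYMBOL = re.compile(r"^\+([A-Za-z_]\w*);", re.MULTILINE)
DEP_ATOM = re.compile(r"([A-Za-z0-9][A-Za-z0-9.+-]*)(?:\s*\(([^)]*)\))?")


def added_version_nodes(diff):
    """Version nodes (e.g. SSS_CERTMAP_0.2) introduced by a version-script diff."""
    return NEW_VERSION_NODE.findall(diff)


def added_symbols(diff):
    """Symbols that the diff adds to the library's exported interface."""
    return NEW_SYMBOL.findall(diff)


def parse_depends(field):
    """Split a Depends field into {package: constraint-or-None}.

    Alternatives ('a | b') are kept as separate entries; only the presence
    and kind of the version constraint matters for this check.
    """
    deps = {}
    for clause in field.split(","):
        for alt in clause.split("|"):
            alt = alt.strip()
            if not alt:
                continue
            m = DEP_ATOM.match(alt)
            deps[m.group(1)] = m.group(2).strip() if m.group(2) else None
    return deps


def unprotected_rdepends(lib, depends_lines):
    """Reverse dependencies of `lib` that may be upgraded without upgrading `lib`.

    A lower bound (>=, >>) or an exact (=) constraint forces apt to pull the
    new library in; anything else leaves the partial-upgrade window open.
    """
    weak = []
    for line in depends_lines.splitlines():
        pkg, _, field = line.partition("\t")
        constraint = parse_depends(field).get(lib, None)
        if lib in parse_depends(field) and not (
            constraint and constraint.startswith((">=", ">>", "="))
        ):
            weak.append(pkg)
    return weak


def report(lib, diff, depends_lines):
    """Packages at risk: only meaningful when the diff really extends the ABI."""
    if not added_version_nodes(diff):
        return []  # no new version node, old binaries keep working
    return unprotected_rdepends(lib, depends_lines)


if __name__ == "__main__":
    for pkg in report("libsss-certmap0", SYMBOLS_DIFF, DEPENDS_LINES):
        print(f"{pkg}: Depends on libsss-certmap0 without a minimum version")
```

The fix the mail implies is a `Depends: libsss-certmap0 (>= 1.16.3-3.2+deb10u1)` on sssd-common, which `dpkg-shlibdeps` generates automatically when the library's symbols file records the new minimum version.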



[SECURITY] [DLA 3326-1] isc-dhcp update

2023-02-20 Thread Bastian Blank
-----------------------------------------------------------------------
Debian LTS Advisory DLA-3326-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Bastian Blank
February 20, 2023                             https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package: isc-dhcp
Version: 4.4.1-2+deb10u3
Debian Bug : 1022969

Under not completely understood conditions, dhclient completely removes
IPv6 addresses from use and is unable to restore them.

For Debian 10 buster, this problem has been fixed in version
4.4.1-2+deb10u3.

We recommend that you upgrade your isc-dhcp packages.

For the detailed security status of isc-dhcp please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/isc-dhcp

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: Closing of buster-backports?

2022-09-07 Thread Bastian Blank
On Wed, Sep 07, 2022 at 09:32:15AM -0700, Noah Meyerhans wrote:
> Is there a plan to continue offering new kernels for buster LTS?

Yes, the same as with the older ones.  It just is broken right now.

Bastian

-- 
Lots of people drink from the wrong bottle sometimes.
-- Edith Keeler, "The City on the Edge of Forever",
   stardate unknown



Re: Update a fork for DLA publishing

2020-06-30 Thread Bastian Blank
On Tue, Jun 30, 2020 at 12:03:47PM +0200, Ola Lundqvist wrote:
> Does anyone know how to rebase the fork? Or is my way the way to do it?

git remote add upstream $url (once)
git fetch upstream
git checkout -b new-branch upstream/master
git push --set-upstream origin new-branch

> Not to rebase is not the best option, since the webmasters asked me to
> rebase last time.

No idea what you mean with "rebase"?  You base your MR off new branches
each time.

Bastian

-- 
Pain is a thing of the mind.  The mind can be controlled.
-- Spock, "Operation -- Annihilate!" stardate 3287.2



Re: Xen update request and status

2020-03-02 Thread Bastian Blank
Hi Roberto

On Sat, Feb 22, 2020 at 09:14:10AM -0500, Roberto C. Sánchez wrote:
> Is it then Credativ's intent to continue maintenance of Xen 4.4?  If so,
> could you provide some information on when we might expect the next
> update?  If not, I would like to request that you begin the process of
> declaring Xen in Debian LTS jessie as end-of-life [*].

Together with the LTS team we have decided to end support for Xen in
Jessie.  We will begin the process of declaring it as end-of-life
shortly.  Due to the required communication it took a bit longer to
decide what can be done about Xen.

Also there are no plans to support Xen for a possible Jessie ELTS.

Regards,
Bastian Blank

-- 
Oh, that sound of male ego.  You travel halfway across the galaxy and
it's still the same song.
-- Eve McHuron, "Mudd's Women", stardate 1330.1



Re: Xen update request and status

2020-02-24 Thread Bastian Blank
Hi Robert

On Sat, Feb 22, 2020 at 09:14:10AM -0500, Roberto C. Sánchez wrote:
> Is it then Credativ's intent to continue maintenance of Xen 4.4?  If so,
> could you provide some information on when we might expect the next
> update?  If not, I would like to request that you begin the process of
> declaring Xen in Debian LTS jessie as end-of-life [*].

Thanks for asking.  I will come back to you with more information, after
we agreed on a plan for the way forward.

Regards,
Bastian

-- 
There are always alternatives.
-- Spock, "The Galileo Seven", stardate 2822.3



[SECURITY] [DLA 2101-1] libemail-address-list-perl security update

2020-02-12 Thread Bastian Blank
Package: libemail-address-list-perl
Version: 0.05-1+deb8u1
CVE ID : CVE-2018-18898


A denial of service via an algorithmic complexity attack on email address
parsing has been identified in libemail-address-list-perl.

For Debian 8 "Jessie", this problem has been fixed in version
0.05-1+deb8u1.

We recommend that you upgrade your libemail-address-list-perl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted xen 4.4.4lts5-0+deb8u1 (source all) into oldoldstable

2019-10-08 Thread Bastian Blank

Format: 1.8
Date: Tue, 08 Oct 2019 13:46:44 +0200
Source: xen
Binary: libxen-4.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common 
xen-utils-4.4 xen-hypervisor-4.4-amd64 xen-system-amd64 
xen-hypervisor-4.4-arm64 xen-system-arm64 xen-hypervisor-4.4-armhf 
xen-system-armhf
Architecture: source all
Version: 4.4.4lts5-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Xen Team 
Changed-By: Bastian Blank 
Description:
 libxen-4.4 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-hypervisor-4.4-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.4-arm64 - Xen Hypervisor on ARM64
 xen-hypervisor-4.4-armhf - Xen Hypervisor on ARMHF
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-arm64 - Xen System on ARM64 (meta-package)
 xen-system-armhf - Xen System on ARMHF (meta-package)
 xen-utils-4.4 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore command line utilities for Xen
Changes:
 xen (4.4.4lts5-0+deb8u1) jessie-security; urgency=medium
 .
   * Various security fixes:
 - XSA-275 (CVE-2018-19961 CVE-2018-19962)
 - XSA-280 (CVE-2018-19966)
 - XSA-285
 - XSA-287
 - XSA-288



[SECURITY] [DLA 1949-1] xen security update

2019-10-08 Thread Bastian Blank
Package: xen
Version: 4.4.4lts5-0+deb8u1
CVE ID : CVE-2018-19961 CVE-2018-19962 CVE-2018-19966
XSA ID : XSA-275 XSA-280 XSA-285 XSA-287 XSA-288

Multiple vulnerabilities have been discovered in the Xen hypervisor, which
could result in denial of service, information leaks or privilege
escalation.

For Debian 8 "Jessie", these problems have been fixed in version
4.4.4lts5-0+deb8u1.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Re: Xen 4.4 updates vs. Xen Stretch backport

2019-09-25 Thread Bastian Blank
Hi Holger

On Wed, Dec 19, 2018 at 03:33:43PM +, Holger Levsen wrote:
> How are the Xen 4.4 fixes coming along?

In the meantime I was informed by Peter that finishing anything like a
usable backport is not feasible in a useful time frame.

I updated the security tracker now and marked all the problems related
and depending on it as ignored.

Regards,
Bastian

-- 
You!  What PLANET is this!
-- McCoy, "The City on the Edge of Forever", stardate 3134.0



[SECURITY] [DLA 1709-1] waagent security update

2019-03-13 Thread Bastian Blank
Package: waagent
Version: 2.2.18-3~deb8u2
CVE ID : CVE-2019-0804

Francis McBratney discovered that the Windows Azure Linux Agent created
swap files with world-readable permissions, resulting in information
disclosure.

For Debian 8 "Jessie", this problem has been fixed in version
2.2.18-3~deb8u2.

We recommend that you upgrade your waagent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
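The bug class in this advisory, shown as an added example (not waagent's own code): a swap file holds pages of arbitrary process memory, so it must never be readable by other users, not even for the instant between creation and a later chmod. The insecure creator below reproduces the world-readable pattern (umask-dependent mode), the hardened one creates the file exclusively with mode 0600 and verifies the result, and audit_swapfile() reports what the DLA describes; demo() runs all of it in a throw-away directory (the swap file contents are zero-filled rather than handed to mkswap).

```python
"""Create a swap file without a world-readable window, and audit existing ones."""
import os
import stat
import tempfile

CHUNK = b"\0" * 65536


def create_swapfile_vulnerable(path, size):
    """The pattern the advisory warns about: the file gets 0666 & ~umask.

    With the usual umask of 022 that is 0644, i.e. world-readable.  The umask
    is pinned here only so the outcome is reproducible; real code inherits it.
    """
    old_umask = os.umask(0o022)
    try:
        with open(path, "wb") as f:
            f.truncate(size)
    finally:
        os.umask(old_umask)
    return stat.S_IMODE(os.stat(path).st_mode)


def create_swapfile(path, size):
    """Hardened: exclusive create with owner-only mode, verified after the fact.

    O_EXCL refuses to follow a pre-existing file or symlink at `path`, and the
    explicit fchmod makes the mode independent of the process umask.  The
    file is filled rather than sparse because swapon rejects files with holes.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        remaining = size
        while remaining > 0:
            remaining -= os.write(fd, CHUNK[:min(remaining, len(CHUNK))])
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other bits set: {oct(mode)}")
    finally:
        os.close(fd)
    return mode


def audit_swapfile(path):
    """Findings for an existing swap file; an empty list means the mode is fine."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable")
    return findings


def demo(size=1 << 16):
    """Run both creators in a temporary directory and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "swapfile.insecure")
        good = os.path.join(d, "swapfile")
        return {
            "insecure_mode": create_swapfile_vulnerable(bad, size),
            "insecure_findings": audit_swapfile(bad),
            "hardened_mode": create_swapfile(good, size),
            "hardened_findings": audit_swapfile(good),
            "hardened_size": os.path.getsize(good),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if 'mode' in key else value}")
```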




Accepted waagent 2.2.18-3~deb8u2 (source all) into oldstable

2019-03-12 Thread Bastian Blank

Format: 1.8
Date: Tue, 12 Mar 2019 09:42:39 +0100
Source: waagent
Binary: waagent
Architecture: source all
Version: 2.2.18-3~deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Bastian Blank 
Changed-By: Bastian Blank 
Description:
 waagent - Windows Azure Linux Agent
Changes:
 waagent (2.2.18-3~deb8u2) jessie-security; urgency=high
 .
   * Set proper access rights on swap file.
 CVE-2019-0804



[SECURITY] [DLA 1688-1] waagent update

2019-02-25 Thread Bastian Blank
Package: waagent
Version: 2.2.18-3~deb8u1

A newer version of waagent is needed for several features of the Azure
platform.

For Debian 8 "Jessie", this problem has been fixed in version
2.2.18-3~deb8u1.

We recommend that you upgrade your waagent packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted waagent 2.2.18-3~deb8u1 (source all) into oldstable

2019-02-21 Thread Bastian Blank

Format: 1.8
Date: Thu, 21 Feb 2019 15:21:56 +0100
Source: waagent
Binary: waagent
Architecture: source all
Version: 2.2.18-3~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Bastian Blank 
Changed-By: Bastian Blank 
Description:
 waagent - Windows Azure Linux Agent
Changes:
 waagent (2.2.18-3~deb8u1) jessie-security; urgency=medium
 .
   * Upload to jessie-security.



[SECURITY] [DLA 1493-1] xen security update

2018-09-06 Thread Bastian Blank
Package: xen
Version: 4.4.4lts1-0+deb8u1
CVE ID : CVE-2016-4963 CVE-2017-14431

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, information leaks or privilege
escalation.

For Debian 8 "Jessie", these problems have been fixed in version
4.4.4lts1-0+deb8u1.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS





Accepted xen 4.4.4lts1-0+deb8u1 (source all) into oldstable

2018-09-05 Thread Bastian Blank

Format: 1.8
Date: Fri, 31 Aug 2018 16:37:46 +0200
Source: xen
Binary: libxen-4.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common 
xen-utils-4.4 xen-hypervisor-4.4-amd64 xen-system-amd64 
xen-hypervisor-4.4-arm64 xen-system-arm64 xen-hypervisor-4.4-armhf 
xen-system-armhf
Architecture: source all
Version: 4.4.4lts1-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Xen Team 
Changed-By: Bastian Blank 
Description:
 libxen-4.4 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-hypervisor-4.4-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.4-arm64 - Xen Hypervisor on ARM64
 xen-hypervisor-4.4-armhf - Xen Hypervisor on ARMHF
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-arm64 - Xen System on ARM64 (meta-package)
 xen-system-armhf - Xen System on ARMHF (meta-package)
 xen-utils-4.4 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore command line utilities for Xen
Changes:
 xen (4.4.4lts1-0+deb8u1) jessie-security; urgency=medium
 .
   [ Felix Geyer ]
   * Lastest snapshot of the upstream 4.4 branch (6bf0560), fixing:
 - XSA-206
 - XSA-207 / CVE-2017-14431
 - XSA-178 / CVE-2016-4963



[SECURITY] [DLA 1003-1] unrar-nonfree security update

2017-06-27 Thread Bastian Blank
Package: unrar-nonfree
Version: 1:4.1.4-1+deb7u2
CVE ID : CVE-2012-6706
Debian Bug : #865461

It was reported that unrar fixed a VMSF_DELTA memory corruption issue in
their latest version unrarsrc-5.5.5.tar.gz. This problem was reported to
Sophos AV in 2012 but never reached upstream rar.

For Debian 7 "Wheezy", these problems have been fixed in version
1:4.1.4-1+deb7u2.

We recommend that you upgrade your unrar-nonfree packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




[SECURITY] [DLA 720-1] xen security update

2016-11-24 Thread Bastian Blank
Package: xen
Version: 4.1.6.lts1-4
CVE ID : CVE-2016-9379 CVE-2016-9380 CVE-2016-9381 CVE-2016-9382 
 CVE-2016-9383 CVE-2016-9386

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2016-9379, CVE-2016-9380 (XSA-198)

pygrub, the boot loader emulator, fails to quote (or sanity check)
its results when reporting them to its caller.  A malicious guest
administrator can obtain the contents of sensitive host files.

CVE-2016-9381 (XSA-197)

The compiler can emit optimizations in qemu which can lead to double
fetch vulnerabilities.  Malicious administrators can exploit this
vulnerability to take over the qemu process, elevating its privilege
to that of the qemu process. 

CVE-2016-9382 (XSA-192)

LDTR, just like TR, is purely a protected mode facility.  Hence even
when switching to a VM86 mode task, LDTR loading needs to follow
protected mode semantics.  A malicious unprivileged guest process
can crash or escalate its privilege to that of the guest operating
system.

CVE-2016-9383 (XSA-195)

When Xen needs to emulate some instruction, to efficiently handle
the emulation, the memory address and register operand are
recalculated internally to Xen.  In this process, the high bits of
an intermediate expression were discarded, leading to both the
memory location and the register operand being wrong.  A malicious
guest can modify arbitrary memory.

CVE-2016-9386 (XSA-191)

The Xen x86 emulator erroneously failed to consider the unusability
of segments when performing memory accesses.  An unprivileged guest
user program may be able to elevate its privilege to that of the
guest operating system.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-4.  For Debian 8 "Jessie", these problems will be fixed shortly.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS




Accepted xen 4.1.6.lts1-4 (source all amd64) into oldstable

2016-11-22 Thread Bastian Blank

Format: 1.8
Date: Mon, 21 Nov 2016 14:55:52 +
Source: xen
Binary: xen-docs-4.1 libxen-4.1 libxenstore3.0 libxen-dev xenstore-utils 
libxen-ocaml libxen-ocaml-dev xen-utils-common xen-utils-4.1 
xen-hypervisor-4.1-amd64 xen-system-amd64 xen-hypervisor-4.1-i386 
xen-system-i386
Architecture: source all amd64
Version: 4.1.6.lts1-4
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Xen Team <pkg-xen-de...@lists.alioth.debian.org>
Changed-By: Bastian Blank <wa...@debian.org>
Description: 
 libxen-4.1 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxen-ocaml - OCaml libraries for controlling Xen
 libxen-ocaml-dev - OCaml libraries for controlling Xen (devel package)
 libxenstore3.0 - Xenstore communications library for Xen
 xen-docs-4.1 - Documentation for Xen
 xen-hypervisor-4.1-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.1-i386 - Xen Hypervisor on i386
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-i386 - Xen System on i386 (meta-package)
 xen-utils-4.1 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore utilities for Xen
Changes: 
 xen (4.1.6.lts1-4) wheezy-security; urgency=medium
 .
   [ Bastian Blank ]
   * Various security fixes.
 - CVE-2016-9386 (XSA-191)
 - CVE-2016-9382 (XSA-192)
 - CVE-2016-9383 (XSA-195)
 - CVE-2016-9381 (XSA-197)
 - CVE-2016-9379, CVE-2016-9380 (XSA-198)

Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-29 Thread Bastian Blank
Hi Guido

On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> * the complete removal of tools/ioemu-qemu-xen - guess this was unused
>   anyway since quite some time, right?

I have no idea and found not one reference to that folder.

> * there are some XSA related patches in debian/patches. Will these move
>   into
>   https://github.com/credativ/xen-lts/
>   eventually?

I think I forgot to delete some.  The rest most likely won't as it is
either qemu or libxl.

> If Brian has no objections feel free to upload, Please let me know once
> done so I can then release the DLA (in case you don't want to handle it
> yourself).

I have no idea how to do that yet.  So feel free.

Regards,
Bastian

-- 
I have never understood the female capacity to avoid a direct answer to
any question.
-- Spock, "This Side of Paradise", stardate 3417.3



Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-28 Thread Bastian Blank
Hi Hyacinthe

On Wed, Jul 27, 2016 at 05:41:47PM +0200, Hyacinthe Cartiaux wrote:
> I've tested in PV mode under wheezy x86_64:

Thanks for the tests.

Regards,
Bastian

-- 
Each kiss is as the first.
-- Miramanee, Kirk's wife, "The Paradise Syndrome",
   stardate 4842.6



Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-26 Thread Bastian Blank
Hi Guido

I fixed the problem with i386.  Turns out it was a way too large shift.

Fixed sources:
https://korte.credativ.com/~bbl/xen/xen_4.1.6.lts1~f5a8dc19-1.dsc

On Mon, Jul 25, 2016 at 06:57:13PM +0200, Guido Günther wrote:
> Can you give us an idea what you tested and what would be needed to
> get this in a DLA ready state? Will you perform the remaining tests
> so we can upload the package and release the DSA?

I tested on AMD hardware the following combinations:
- x86-32 hypervisor, i386 system
- x86-64 hypervisor, i386 system
- x86-64 hypervisor, amd64 system

I tested a minimal PV domain with the following config:
| name="test"
| kernel="/boot/vmlinuz-3.2.0-4-amd64"
| ramdisk="/boot/initrd.img-3.2.0-4-amd64"
| on_crash="preserve"

I tested HVM with a full debian 7 system.

I tested migration (non-live and live) with itself:
| # xen migrate --live test localhost

I'm missing any test on Intel hardware.  If this works I'll make a
release.

Regards,
Bastian

-- 
One does not thank logic.
-- Sarek, "Journey to Babel", stardate 3842.4



Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-21 Thread Bastian Blank
Hi Raphael, Brian

On Fri, Jul 15, 2016 at 02:59:00PM +0200, Bastian Blank wrote:
> > So I would suggest that you go for this and provide some Xen tree free
> > of known security issues, then Brian (or someone else) can build test
> > packages and we can ask some users to test the update.
> All security problems affecting the hypervisor itself are fixed in here:

Did you get the chance to look at this source?

Regards,
Bastian

-- 
Insults are effective only where emotion is present.
-- Spock, "Who Mourns for Adonais?"  stardate 3468.1



Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-11 Thread Bastian Blank
On Wed, Jun 22, 2016 at 08:23:10AM +1000, Brian May wrote:
> Just wondering if you included this in version 4.1.6.1-1+deb7u2 by any
> chance?

The provided patches are incomplete, remove previous security fixes and
do not compile.

I'm currently backporting a larger bunch of the locking changes, so we
get a recursive mm_lock.

Regards,
Bastian

-- 
There are some things worth dying for.
-- Kirk, "Errand of Mercy", stardate 3201.7