Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU
On 18/10/17 20:46, Salvatore Bonaccorso wrote:
> Hi lars,
>
> On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
>> Hi,
>>
>> 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
>> Attached are debdiff files for Wheezy and Jessie (source is also pushed to
>> https://anonscm.debian.org/cgit/pkg-mysql/mysql-5.5.git)
>> As before, we unfortunately don't have a DD in our team that can sponsor the
>> upload, so we need assistance with that.
>
> I will look into it for jessie-security then.
>
>> I'm not sure if the security team still handles Debian8, or if the lts team
>> does now?
>
> Yes, Debian 8 Jessie is still handled by the security team.

And I will take care of Debian 7 (wheezy). Thanks for preparing the update!

Cheers,
Emilio
Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU
On 10/19/2017 10:09 AM, Emilio Pozuelo Monfort wrote:
> On 18/10/17 20:46, Salvatore Bonaccorso wrote:
>> Hi lars,
>>
>> On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
>>> Hi,
>>>
>>> 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
>>> Attached are debdiff files for Wheezy and Jessie (source is also pushed to
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__anonscm.debian.org_cgit_pkg-2Dmysql_mysql-2D5.5.git=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg=00T7TUZCwXkig-wYCf-35nC5VNSQmjNOsNq0TOBoXBs=MPjTux6yCV6-5Si_VECXoTwgZxgsyNIHfNSpH1nq2ws= )
>>> As before, we unfortunately don't have a DD in our team that can sponsor the
>>> upload, so we need assistance with that.
>>
>> I will look into it for jessie-security then.
>>
>>> I'm not sure if the security team still handles Debian8, or if the lts team
>>> does now?
>>
>> Yes, Debian 8 Jessie is still handled by the security team.
>
> And I will take care of Debian 7 (wheezy). Thanks for preparing the update!
>
> Cheers,
> Emilio

Thanks for the help to both of you! :)

--
Lars
Accepted graphicsmagick 1.3.16-1.1+deb7u11 (source amd64 all) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Oct 2017 15:21:09 +1100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1+deb7u11
Distribution: wheezy-security
Urgency: medium
Maintainer: Daniel Kobras
Changed-By: Brian May
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Changes:
 graphicsmagick (1.3.16-1.1+deb7u11) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * Fix CVE-2017-13737: Fix incorrect rounding up, resulting in scrambling
     the heap beyond the allocation.
   * Fix CVE-2017-15277: Leaves the palette uninitialized when processing a
     GIF file that has neither a global nor local palette.
Checksums-Sha1:
 e38403a754e6c72c5a60d56311c8e4b59984b891 2686 graphicsmagick_1.3.16-1.1+deb7u11.dsc
 f2ec0392d7a7d5cbe0d5bdff2931edbacedd73e9 8736761 graphicsmagick_1.3.16.orig.tar.gz
 2cf0d92987daa130d0bf6bd67fa005fabf218f4c 198789 graphicsmagick_1.3.16-1.1+deb7u11.debian.tar.gz
 8db1c1e9941dfe0c203579566df726ca01a068d4 1034682 graphicsmagick_1.3.16-1.1+deb7u11_amd64.deb
 37c58fe151af9916f18ca7295a6015addf4dc1c3 1324076 libgraphicsmagick3_1.3.16-1.1+deb7u11_amd64.deb
 6e4e89f6fb5094877761084f62aa19862983fc05 1822954 libgraphicsmagick1-dev_1.3.16-1.1+deb7u11_amd64.deb
 d7aef8a9c2ef57f482c908f5af983e0a6c66e82d 154776 libgraphicsmagick++3_1.3.16-1.1+deb7u11_amd64.deb
 778357b9c3a906b994b52183db21a0790eac6dd6 410996 libgraphicsmagick++1-dev_1.3.16-1.1+deb7u11_amd64.deb
 53966320d168dfacbaf445d84352b685561bab0e 83554 libgraphics-magick-perl_1.3.16-1.1+deb7u11_amd64.deb
 457518bad849a4d455fc1a8bddf5201619f35fd1 3270250 graphicsmagick-dbg_1.3.16-1.1+deb7u11_amd64.deb
 54cc089e0723987e71892d64062a7820fa2b8712 18778 graphicsmagick-imagemagick-compat_1.3.16-1.1+deb7u11_all.deb
 953118221c1a4ef0e57676f846adbd4eb9885c8d 22334 graphicsmagick-libmagick-dev-compat_1.3.16-1.1+deb7u11_all.deb
Checksums-Sha256:
 f32013c5988d3d28156d61ba99230a2aa3b1c8298695628267eb38e07ba5bdae 2686 graphicsmagick_1.3.16-1.1+deb7u11.dsc
 ae2229370926dea6c2423cc1adaf551d33f38102677332294439365aaac1514b 8736761 graphicsmagick_1.3.16.orig.tar.gz
 5c90d520e1aee2aeffee295ff2bc988d54de2d88825a08362d0995b1a8ded7cf 198789 graphicsmagick_1.3.16-1.1+deb7u11.debian.tar.gz
 b3a2eeecd801abe551f5868bf4c8f2389d914e5d3139217752ce95d6ee5d396b 1034682 graphicsmagick_1.3.16-1.1+deb7u11_amd64.deb
 882ead6f5c372406a8baf842619d2b8759795cea5f419ec95d22a3fb255e8ef4 1324076 libgraphicsmagick3_1.3.16-1.1+deb7u11_amd64.deb
 20721f6e92182f86ff781fcbbbd94263cf82f16cc98a0d50fb8403139251f04d 1822954 libgraphicsmagick1-dev_1.3.16-1.1+deb7u11_amd64.deb
 ac9755f23e2a118f23149b613e248d65c500fc95dd7714029bf391e2c36ade3b 154776 libgraphicsmagick++3_1.3.16-1.1+deb7u11_amd64.deb
 6fda5fcea2ea3dd8eb8f4ee0077d886a8d068ee62b7e153c93909f31eb0bcdf5 410996 libgraphicsmagick++1-dev_1.3.16-1.1+deb7u11_amd64.deb
 2a6287d7d6a230d11c0d1a424c74ebcb440a3926068513e0899e8a6f5ba0 83554 libgraphics-magick-perl_1.3.16-1.1+deb7u11_amd64.deb
 7e7075af7f010a08d9c4c92b28f709f060cf0a05693a304b314d7eb4463a9d4d 3270250 graphicsmagick-dbg_1.3.16-1.1+deb7u11_amd64.deb
 750dcaf5099a918cc4038ae09313c5a81ecef140913609f0053a8d56a687de3d 18778 graphicsmagick-imagemagick-compat_1.3.16-1.1+deb7u11_all.deb
 948e108a36d581a212b1e36c4f8e1515abf1b317af23a1d4b612d59c1880c096 22334 graphicsmagick-libmagick-dev-compat_1.3.16-1.1+deb7u11_all.deb
Files:
 9de53e09dd572da154209026534cd59e 2686 graphics optional graphicsmagick_1.3.16-1.1+deb7u11.dsc
 66a4b9c7af6165b5d293fed6ebe04e36 8736761 graphics optional graphicsmagick_1.3.16.orig.tar.gz
 1355904ccc3bd7c245804853034c66fc 198789 graphics optional graphicsmagick_1.3.16-1.1+deb7u11.debian.tar.gz
 b6984546b4581c64646ff189b9c2c3f4 1034682 graphics optional graphicsmagick_1.3.16-1.1+deb7u11_amd64.deb
 d998d588a799d50da020d2457bfef06e 1324076 libs optional libgraphicsmagick3_1.3.16-1.1+deb7u11_amd64.deb
 65fffd7cb6bd537e3435872b8d9e1277 1822954 libdevel optional
[SECURITY] [DLA 1140-1] graphicsmagick security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : graphicsmagick
Version        : 1.3.16-1.1+deb7u11
CVE ID         : CVE-2017-13737 CVE-2017-15277

Immediately after the previous update to graphicsmagick, two more
security issues were identified. These updates are included here.

CVE-2017-13737

    Incorrect rounding up resulted in scrambling the heap beyond the
    allocation.

CVE-2017-15277

    Left the palette uninitialized when processing a GIF file that has
    neither a global nor local palette.

For Debian 7 "Wheezy", these problems have been fixed in version
1.3.16-1.1+deb7u11.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE1jZRJqkttWDGJ6ztF4RXf4EfbqwFAlnoUN0ACgkQF4RXf4Ef
bqzi7w//T94/9/tOVGfD02s6XyQdsHkv3CK4xSUs6mfJjSRzbH1tXT1rGacVI3K2
XFmIOiDkonv2QQIgA0e4TupkAwi9auFc/TWBku2W0f0Dm9JGPvPIcpYC8LlSVR4Z
anJoYvWFwX2s56c3w54Op2prCcJ0st0tcLyYQLHspNzTVjtSfRA5k3BCkJn2c+vm
udGDyIKvrEkTRp14y/Ct4fjbED8pDDxltrftmnXS+VB0+5/xrbvbWp2jQ3b9NnI+
vBJ2HeSVQRFlWmiWUZy4Jlb8hQ84cNxfsGz8+4qy0MH51zVew9ox62mG5BqZJQz9
Izt2Cd+/MNEnIjWgFwySMk2eiHOwSvCrpH5caXS8OaX+fPKS4hj50yhpxMz4rQDO
UnDpvpSJcpuUj47SY/YRoDeIbUtk/0OvkgyAEkaXFMvV67bdX+g0L+50IHFKKgOy
dmgJUQcE6jPmlLBNS9NJdp4J0+vjF+4ZDNKyTNZwZLSYlWCHP/vwhUBph1hgTUdu
ew5JJVgBcIcXnk31GSulM0PrmMfUa2QVxDvdTyOIQ0LHcD1kuDwyxbbCFJbaSIO/
KZsVanexNpXGIA8EP7xYDf0B6kILCrTYCpi49ETNXlkEADKLZHRqdP6vByFgKT0R
hLo+ej9GwSFKzt1LfIEo2eJMaYm2AAj/IAOONX2f7D5cA4NGcP0=
=y8/A
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1138-1] nss security update
Package        : nss
Version        : 2:3.26-1+debu7u5
CVE ID         : CVE-2017-7805

Martin Thomson discovered that nss, the Mozilla Network Security Service
library, is prone to a use-after-free vulnerability in the TLS 1.2
implementation when handshake hashes are generated. A remote attacker
can take advantage of this flaw to cause an application using the nss
library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.

For Debian 7 "Wheezy", these problems have been fixed in version
2:3.26-1+debu7u5.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Accepted mysql-5.5 5.5.58-0+deb7u1 (source all amd64) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 17 Oct 2017 10:24:21 +0200
Source: mysql-5.5
Binary: libmysqlclient18 libmysqld-pic libmysqld-dev libmysqlclient-dev mysql-common mysql-client-5.5 mysql-server-core-5.5 mysql-server-5.5 mysql-server mysql-client mysql-testsuite-5.5 mysql-source-5.5
Architecture: source all amd64
Version: 5.5.58-0+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Debian MySQL Maintainers
Changed-By: Lars Tangvald
Description:
 libmysqlclient-dev - MySQL database development files
 libmysqlclient18 - MySQL database client library
 libmysqld-dev - MySQL embedded database development files
 libmysqld-pic - PIC version of MySQL embedded server development files
 mysql-client - MySQL database client (metapackage depending on the latest versio
 mysql-client-5.5 - MySQL database client binaries
 mysql-common - MySQL database common files, e.g. /etc/mysql/my.cnf
 mysql-server - MySQL database server (metapackage depending on the latest versio
 mysql-server-5.5 - MySQL database server binaries and system database setup
 mysql-server-core-5.5 - MySQL database server binaries
 mysql-source-5.5 - MySQL source
 mysql-testsuite-5.5 - MySQL testsuite
Closes: 878402
Changes:
 mysql-5.5 (5.5.58-0+deb7u1) wheezy-security; urgency=high
 .
   * Imported upstream version 5.5.58 to fix security issues:
     - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
     - CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
     (Closes: #878402)
Checksums-Sha1:
 268126f535519957479a405d842bbb5ea253350e 2971 mysql-5.5_5.5.58-0+deb7u1.dsc
 37be5e6203e4c5c1b3095d714cc9800b11df 21045852 mysql-5.5_5.5.58.orig.tar.gz
 7c04e500040f0402bf79f72c26d7e4b0ee992c55 380206 mysql-5.5_5.5.58-0+deb7u1.debian.tar.gz
 545a04624e3b6683eda26cbeeca726c8bdbb49a5 78412 mysql-common_5.5.58-0+deb7u1_all.deb
 9bd6d240ccad6527f0f1cac104d2e7c42dc58fb8 76634 mysql-server_5.5.58-0+deb7u1_all.deb
 2f4aae8c6f3aaf75649f01b9143dfd722579b086 76518 mysql-client_5.5.58-0+deb7u1_all.deb
 20aff132bbd7de733b467bc9f07cdb2598c52d5b 685190 libmysqlclient18_5.5.58-0+deb7u1_amd64.deb
 59067bb6e837fcb357d826dae55ffef4e9e85f71 3179956 libmysqld-pic_5.5.58-0+deb7u1_amd64.deb
 a95419ba1b4e8bd2474fb8f79649f19265849f61 3177954 libmysqld-dev_5.5.58-0+deb7u1_amd64.deb
 3d10157e61c5f8187daa63bd5ec7891547d0e2ef 953722 libmysqlclient-dev_5.5.58-0+deb7u1_amd64.deb
 9f31c9d032854b55b25acae3eb338e61167552ff 1774094 mysql-client-5.5_5.5.58-0+deb7u1_amd64.deb
 510f289769efee1d7e0461bff3360dccde5331a0 3994208 mysql-server-core-5.5_5.5.58-0+deb7u1_amd64.deb
 e9c3df50826670ca388fa5b6936cef1a6716d4cf 1961466 mysql-server-5.5_5.5.58-0+deb7u1_amd64.deb
 6d792ada90b64378c7822aa623a229613630f774 4350324 mysql-testsuite-5.5_5.5.58-0+deb7u1_amd64.deb
 573219339c6378071ec0819595a5b5bc1a947e27 22863342 mysql-source-5.5_5.5.58-0+deb7u1_amd64.deb
Checksums-Sha256:
 4ddcebf2f910a550d70ad7f9b9b3e4ff0f7a6e24e887c7f2d50c19aef94f5146 2971 mysql-5.5_5.5.58-0+deb7u1.dsc
 9b6912faf261555c8975db24a987f63f36aaa28052a301e85538346ace0009b9 21045852 mysql-5.5_5.5.58.orig.tar.gz
 53f2817258530052c5c8b6edd66efa846fa2cd231170c54522c8e635d7907437 380206 mysql-5.5_5.5.58-0+deb7u1.debian.tar.gz
 98d6ea06b83cc738ad60204b46b189780191393a6deeb87985768ecb63cda5bc 78412 mysql-common_5.5.58-0+deb7u1_all.deb
 69bced10203880b1875c51dabdd9e7b5a28767952bd48d0561d5ed25c08d8487 76634 mysql-server_5.5.58-0+deb7u1_all.deb
 b3fb1a3e091ab798c89b3da715d33f3083652e43d94f2a433f764cf05dacfddc 76518 mysql-client_5.5.58-0+deb7u1_all.deb
 d51776b174f4d5080de16dd2c1e5dc3b6ed997e35dbea61b11c779e8594ab4cc 685190 libmysqlclient18_5.5.58-0+deb7u1_amd64.deb
 56a7d19eeb30bdde51300c8347b8e2d70836d3bfa31dae6c8af594404aec6a7b 3179956 libmysqld-pic_5.5.58-0+deb7u1_amd64.deb
 c311b6b679e155f1bc406cd23d4842ed839230f6e40218f5ec853c2c9e4df420 3177954 libmysqld-dev_5.5.58-0+deb7u1_amd64.deb
 62975349eb90cc2aa32e491fb86b8456a692c542abca913e23e89bebc97d2121 953722 libmysqlclient-dev_5.5.58-0+deb7u1_amd64.deb
 c346c9d33e02ab686ca659f5b83cb416faf8ef83763e143b7f6f0e609582879e 1774094 mysql-client-5.5_5.5.58-0+deb7u1_amd64.deb
 8e2c1071d8dcae6e6140192dfab4ac4a5e07247c560f525b47b96695036ce21c 3994208 mysql-server-core-5.5_5.5.58-0+deb7u1_amd64.deb
 ef35d88e8f2b30559543f3eccbfe38575c700dfd1d2229070eceb3e1c71f22a9 1961466 mysql-server-5.5_5.5.58-0+deb7u1_amd64.deb
 f294842353871a624ff2644eb8e9e1d5357ff96bc462ff2597c5d1803157ac37 4350324 mysql-testsuite-5.5_5.5.58-0+deb7u1_amd64.deb
 72099f676041490203236dfc9b5d147ae4de4ffdfe9356f7c3f4620b2f08089d 22863342 mysql-source-5.5_5.5.58-0+deb7u1_amd64.deb
Files:
 1b8650432cf95c8759f8a1cd79792d48 2971 database optional mysql-5.5_5.5.58-0+deb7u1.dsc
 615d82fb528c8c91048685abaf67ed50 21045852 database optional mysql-5.5_5.5.58.orig.tar.gz
 9b1929b5e8d1393d9512cb6f8cbc6be2 380206 database optional
[SECURITY] [DLA 1141-1] mysql-5.5 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : mysql-5.5
Version        : 5.5.58-0+deb7u1
CVE ID         : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
Debian Bug     : 878402

Several issues have been discovered in the MySQL database server. The
vulnerabilities are addressed by upgrading MySQL to the new upstream
version 5.5.58, which includes additional changes, such as performance
improvements, bug fixes, new features, and possibly incompatible changes.
Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update
advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For Debian 7 "Wheezy", these problems have been fixed in version
5.5.58-0+deb7u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlno69wACgkQnUbEiOQ2
gwKJMA//QPdVWVkIOXZLUf5MuQQp71mOOxxngbP8QVxYT8413BcCvKDHzjWu3Je8
djn7T5CzDElAuE8txb6TOZouDt5w85ZQR9vYdtlSOLcrKtNHtP5Xi+8WiI5GA82U
9qKWKgZXmQR8hHQ/cpkO3KHMTUx6TMK0TbEBv6GvO/bTnkvfed2FIjBlOYpq+Uey
6DuX7ng5MDQ9GnGuWxcxpSh0U/VtsnSFvb0vp05h9TksxMix49NFz2u6+5ktIem+
jwqoEHrXg/NUCkKQAgFzeSxAKf1K+PsiKQot0QGENRP1u7mHWAdgK7OBr85O3luQ
61uShxwReFKBFcm8NEUdHsL8w4wFJklZrG8odNJoYfbmV7pw0Cp7jI60PzL5d3da
blmz344lBAe2cNse2i+epq8v1g8gRL3vwMwSb4sLlol04HgcXd+0XTVmKruee+Qy
qRJfvD4E8HqbSeM/Nv0D0yUocSJGcge9/pV8P0J5Z3Q1pg+yZbWkHtSnXdJ1K24W
kQ6bjhXwd1YOe4g1VEbc69NsMHkffgYbkfGvu40/8WXEgv4ZsIp6rDkc+Pjkblv/
4nEbrqQnYUzfSNeCQbEImMUmY6Mh5FfygyXk1AYzJERGVC7rDjX6PwhaE2s9uMV+
H132WsSkHgsNT78G4WF7bpCiJLqQPLypU9BK8QveC7xgKYXH8dI=
=nw/y
-----END PGP SIGNATURE-----
Re: [debian-mysql] Bug#878402: Bug#878402: Security fixes from the October 2017 CPU
Hi Lars,

On Thu, Oct 19, 2017 at 10:23:15AM +0200, Lars Tangvald wrote:
> 
> 
> On 10/19/2017 10:09 AM, Emilio Pozuelo Monfort wrote:
> > On 18/10/17 20:46, Salvatore Bonaccorso wrote:
> > > Hi lars,
> > > 
> > > On Wed, Oct 18, 2017 at 03:51:26PM +0200, Lars Tangvald wrote:
> > > > Hi,
> > > > 
> > > > 5.5.58 packages for Debian 7 and 8 are built, and pass the test suite.
> > > > Attached are debdiff files for Wheezy and Jessie (source is also pushed
> > > > to
> > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__anonscm.debian.org_cgit_pkg-2Dmysql_mysql-2D5.5.git=DwICaQ=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10=HPjEzLhETPj8fl9HCxxISaaV3f5tXDpGXDR3R2IELxg=00T7TUZCwXkig-wYCf-35nC5VNSQmjNOsNq0TOBoXBs=MPjTux6yCV6-5Si_VECXoTwgZxgsyNIHfNSpH1nq2ws=
> > > > )
> > > > As before, we unfortunately don't have a DD in our team that can
> > > > sponsor the
> > > > upload, so we need assistance with that.
> > > I will look into it for jessie-security then.
> > > 
> > > > I'm not sure if the security team still handles Debian8, or if the lts
> > > > team
> > > > does now?
> > > Yes, Debian 8 Jessie is still handled by the security team.
> > And I will take care of Debian 7 (wheezy). Thanks for preparing the update!
> > 
> > Cheers,
> > Emilio
> Thanks for the help to both of you! :)

FTR, I just released DSA-4002-1 for mysql-5.5 in jessie-security. Thanks
for preparing the import.

Regards,
Salvatore