Accepted postgresql-common 165+deb8u4 (source all) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 12 Nov 2019 15:00:36 +0100
Source: postgresql-common
Binary: postgresql-common postgresql-client-common postgresql-server-dev-all postgresql postgresql-client postgresql-doc postgresql-contrib
Architecture: source all
Version: 165+deb8u4
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PostgreSQL Maintainers
Changed-By: Christoph Berg
Description:
 postgresql - object-relational SQL database (supported version)
 postgresql-client - front-end programs for PostgreSQL (supported version)
 postgresql-client-common - manager for multiple PostgreSQL client versions
 postgresql-common - PostgreSQL database-cluster manager
 postgresql-contrib - additional facilities for PostgreSQL (supported version)
 postgresql-doc - documentation for the PostgreSQL database management system
 postgresql-server-dev-all - extension build tool for multiple PostgreSQL versions
Changes:
 postgresql-common (165+deb8u4) jessie-security; urgency=medium
 .
   * pg_ctlcluster: Drop privileges before creating socket and stats temp
     directories outside /var/run/postgresql. The default configuration is
     not affected by this change. Users with directories on volatile
     storage (tmpfs) in other locations have to make sure the parent
     directory is writable for the cluster owner.
     (CVE-2019-3466, discovered by Rich Mirch)
Checksums-Sha1:
 18d306504e8e2e1e81df6c70e1abb118d720aafa 2258 postgresql-common_165+deb8u4.dsc
 03456d99687d6249f91632dd5f3fc66f5e447e24 188076 postgresql-common_165+deb8u4.tar.xz
 17881c62e650f94885b2a7f25b1d5c6623291e6d 59662 postgresql-server-dev-all_165+deb8u4_all.deb
 5cb7005c305d87efc90955a5cc0bf1f802dbfd95 52542 postgresql_9.4+165+deb8u4_all.deb
 86abecd39252d8b3cbba6d862e9d8eba878d2fed 52558 postgresql-client_9.4+165+deb8u4_all.deb
 4cfc97d96794883726674386ff99571261189d15 52548 postgresql-doc_9.4+165+deb8u4_all.deb
 72fc0215d41b9bfa03c1b4e9b3e345946ac8a085 52550 postgresql-contrib_9.4+165+deb8u4_all.deb
 b19c73b0a52f4a6c2207f1ec66a4eaa1cacb034a 203376 postgresql-common_165+deb8u4_all.deb
 19e6585f148d471218bc153516e14dc871fc081e 74150 postgresql-client-common_165+deb8u4_all.deb
Checksums-Sha256:
 c6c75b4a18da81d2f005b1fa3b8f2a6aa7ecbb055f1e2cfbaff6c199bf0c641f 2258 postgresql-common_165+deb8u4.dsc
 e2611144e23b16557832a693b86ac58455302cfe5d7a7a9689b9317a46a1d8ea 188076 postgresql-common_165+deb8u4.tar.xz
 983dc2c7bc84ffe2203743fe3129cf218caa2c233583d369751ebd84efa39790 59662 postgresql-server-dev-all_165+deb8u4_all.deb
 bf718e3b9cb785e20bcbeed48202a9fab0678b9ab71e247eff44cb52cbc6822c 52542 postgresql_9.4+165+deb8u4_all.deb
 9132af8803d50a810aab3d64ed652852683f0e91f2f3fa47a23c18f110442f96 52558 postgresql-client_9.4+165+deb8u4_all.deb
 3e3c93c601e24847aef5013a08b83c1ccf9ab0c3f11ddcaebc4bb5733404758b 52548 postgresql-doc_9.4+165+deb8u4_all.deb
 0f101e257ed9bdea23087b1bf052517d720832df1817b54c5d6d881da71b29a7 52550 postgresql-contrib_9.4+165+deb8u4_all.deb
 7be98e0c773d67ccf24a88a9220c6f13d0e6c3ba3c1371a9814e5be2453ad240 203376 postgresql-common_165+deb8u4_all.deb
 83f7e3194641b73952deccfbbd5ec71e494c62afd6834ce0190938608616f5ac 74150 postgresql-client-common_165+deb8u4_all.deb
Files:
 490312b34b3cd92efccee16e8eac78f1 2258 database optional postgresql-common_165+deb8u4.dsc
 3656a032cc44bb13d32ad2d75e70224c 188076 database optional postgresql-common_165+deb8u4.tar.xz
 cbd4fb6f9bccf5b7de80c81a85d3f5f7 59662 database optional postgresql-server-dev-all_165+deb8u4_all.deb
 8a1ecfce5c5828d1d3e995c516406227 52542 database optional postgresql_9.4+165+deb8u4_all.deb
 0d1df9898b500d3bfc9a5c84a9c2535c 52558 database optional postgresql-client_9.4+165+deb8u4_all.deb
 617542c942b567726ecf9254e277ab7c 52548 doc optional postgresql-doc_9.4+165+deb8u4_all.deb
 b401fdcc561c6b1f09b72dfde3d8e2c2 52550 database optional postgresql-contrib_9.4+165+deb8u4_all.deb
 ff747d0fd110a9e13c7a51e99f8dae01 203376 database optional postgresql-common_165+deb8u4_all.deb
 f0c50e4eaeab0ecd5f5605689548a36c 74150 database optional postgresql-client-common_165+deb8u4_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXEj+YVf0kXlZcIfGTFprqxLSp64FAl3NTd8ACgkQTFprqxLS
p65zjw/+K/ciI65POdkBwVMurNVhbXaK11rTZU13hbEw/TH1JtW9YACkT3G8iHM8
3l+AXy461WJmwtru5gsF5v8LqEss7G3Jj44uMGBWeyk1yCgCD0UvuQZMeqvJEpn7
1kzfyJ63xMlSZbR+7Luc5aVryPS6hudALJDVVrIWyoZp3zp2emT8fdDpgIQce1cR
WuodAhTfKKZT0MwrjphvXAHuDvT8fbdMeXWhwm4Jih9zG7ShFMr7G4MzOfcOeoMO
o+gtGEXeIFXSC7PzbMdZILXraiRV3qi4ItD8NIuk5S2cSMI1WEbXeqsiJQcS0HL2
+/zfiuokyktGhyuVtwrrGjsQHD/YrvX6Ob+7OsIYQ5u5dtzKnH403yqcaAkiVCyX
nh7CzgAMVYkrbByw36zTJC2mo8DHy+Xe7huwG9QipyBYoNzt1hiALGZjJTMDfxC9
XCFtiapslRdqG6VUwi0mjvuFSF1TsTKT/zTLOwMNYwdqF78VTrZUGm9qgTzPlCTW
NdLKukre5T1XyivF6sbkSinJ4jTHXbat6V4U+KKkf/oS/Oouy+DrEOD1iF7xA4mt
2ssOPDpM/1M7C7GKT4gCHySwCJmXMF4x2pu/5DgIgPo/lATXulisURf5BFJTjZZt
ElVZR1/8a+EYAxViB1LrHqaTB7H2zpsT7aEhGIUZRhBJDTswq+Q=
=YdXX
-----END PGP SIGNATURE-----
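The changelog entry above states the fix in one sentence: create the socket and stats temp directories as the cluster owner, not as root. The following is an added illustration of that pattern and is not the pg_ctlcluster code (which is Perl) nor the Debian patch. It places a naive root-side "ensure directory exists" helper next to one that drops to the owner before touching the path and refuses anything that is not a plain directory, then runs both against a planted symlink. The uids, directory names and the scenario are constructed for the demo; the privilege drop only happens when the caller really is root, so the demo also runs unprivileged.

```python
import os
import stat
import tempfile


class UnsafePath(Exception):
    """Raised when the path to create is a symlink or otherwise not a plain directory."""


def ensure_dir_naive(path, mode=0o775):
    """The pattern the fix removes: run as root, accept whatever is already at `path`.

    os.makedirs(..., exist_ok=True) is satisfied by a symlink pointing at a directory,
    and os.chmod follows that symlink, so the mode lands on the link's target.
    """
    os.makedirs(path, mode=mode, exist_ok=True)
    os.chmod(path, mode)


def _mkdir_nofollow(path, mode):
    """Create exactly one directory level and verify it, never following a link."""
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass
    st = os.lstat(path)                       # inspect the entry itself, not its target
    if stat.S_ISLNK(st.st_mode):
        raise UnsafePath(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafePath(f"{path} is not a directory")
    # Apply the mode through an O_NOFOLLOW|O_DIRECTORY descriptor, not through the name.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def ensure_dir_as_owner(path, uid, gid, mode=0o775):
    """Create `path` with the privileges of uid:gid (the cluster owner).

    When running as root the work happens in a forked child that drops to uid:gid
    first, so a symlink planted by that user can only lead somewhere the user could
    already write. Unprivileged callers simply do the work inline.
    """
    if os.geteuid() != 0:
        _mkdir_nofollow(path, mode)
        return True
    pid = os.fork()
    if pid == 0:                              # child: drop privileges, then mkdir
        try:
            os.setgroups([gid])
            os.setgid(gid)
            os.setuid(uid)
            _mkdir_nofollow(path, mode)
            os._exit(0)
        except Exception:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    if os.WEXITSTATUS(status) != 0:
        raise UnsafePath(path)
    return True


def demo_symlink_attack():
    """Constructed scenario: the 'cluster owner' plants a symlink where the stats temp
    directory is expected. Returns what each helper did to the link's target."""
    root = tempfile.mkdtemp(prefix="pgdemo-")
    victim = os.path.join(root, "victim")     # stands in for a directory the user must not control
    os.mkdir(victim, 0o700)
    planted = os.path.join(root, "pg_stat_tmp")
    os.symlink(victim, planted)

    ensure_dir_naive(planted)                 # silently chmods the victim through the link
    naive_victim_mode = stat.S_IMODE(os.lstat(victim).st_mode)

    try:
        ensure_dir_as_owner(planted, os.getuid(), os.getgid())
        safe_result = "created"
    except UnsafePath:
        safe_result = "refused"

    fresh = os.path.join(root, "pg_stat_tmp_ok")
    ensure_dir_as_owner(fresh, os.getuid(), os.getgid())
    return {
        "naive_victim_mode": naive_victim_mode,   # 0o775: the target's mode was rewritten
        "safe_result": safe_result,               # "refused"
        "fresh_is_real_dir": os.path.isdir(fresh) and not os.path.islink(fresh),
    }


if __name__ == "__main__":
    print(demo_symlink_attack())
```

The point the changelog makes is the fork/setuid part: once the mkdir runs as the cluster owner, the worst a planted symlink can do is what that user could already do. The lstat and O_NOFOLLOW checks are belt-and-braces on top of that and also protect the unprivileged path.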
Re: Drop support for libqb?
On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > We usually mark affected CVE as in data/CVE/list and just
> > add the package to security-support-ended.deb8 in
> > debian-security-support. We then upload new versions of the package
> > periodically and announce it via DLA. I believe now is a good time to do it.
> Thanks for the information. I will start working on it today.

As any DD can commit to debian-security-support.git and also can upload
that package, just make sure to call it a team upload in d/changelog to
appease lintian and possibly other tools.

And then it would be ideal to upload the package to unstable and then
file a SRM bug to update the package in stretch, in addition to
uploading to jessie. (Probably this should also result in a DLA, not
100% sure though. Thoughts & comments definitely welcome.)

I believe it's fine if the version constraints (package version in
unstable higher than testing higher than stable higher than oldstable)
are temporarily not met, but I also believe it's important that they are
in the long run & most of the time.

If doing all this work is too much or tedious to you, please shout and I
will be happy to finish this. Please just do at least the initial
change in git to security-support-ended.deb8.

Thanks!

-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Drop support for libqb?
On Thu, Nov 14, 2019 at 01:31:27PM -0500, Roberto C. Sánchez wrote:
> On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
> > On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > > We usually mark affected CVE as in data/CVE/list and just
> > > > add the package to security-support-ended.deb8 in
> > > > debian-security-support. We then upload new versions of the package
> > > > periodically and announce it via DLA. I believe now is a good time to
> > > > do it.
> > > Thanks for the information. I will start working on it today.
> > 
> > As any DD can commit to debian-security-support.git and also can upload
> > that package, just make sure to call it a team upload in d/changelog to
> > appease lintian and possibly other tools.
> > 
> I had not yet seen this message so I already submitted a MR. Should I
> close that and make a direct commit?
> 
> > And then it would be ideal to upload the package to unstable and then
> > file a SRM bug to update the package in stretch, in addition to
> > uploading to jessie. (Probably this should also result in a DLA, not
> > 100% sure though. Thoughts & comments definitely welcome.)
> > 
> Looking at the previous updates, a DLA seems appropriate. I am in the
> process of drafting the text.
> 
> > I believe it's fine if the version constraints (package version in
> > unstable higher than testing higher than stable higher than oldstable)
> > are temporarily not met, but I also believe it's important that they are
> > in the long run & most of the time.
> > 
> > If doing all this work is too much or tedious to you, please shout and I
> > will be happy to finish this. Please just do at least the initial
> > change in git to security-support-ended.deb8.
> > 
> If I close the MR and commit directly, is it then a simple matter of
> build and upload to unstable? That is, no other special steps are
> required?
> 
Some additional follow-up:

- Can I go ahead and mark the CVE in question as in data/CVE/list even
  before the update to debian-security-support is complete?
- Any feedback on this proposed DLA text?

Package: debian-security-support
Version: 2019.11.15~deb8u1

debian-security-support, the Debian security support coverage checker,
has been updated in jessie.

This marks the end of life of the libqb package in jessie. A recently
reported vulnerability against libqb which allows users to overwrite
arbitrary files via a symlink attack cannot be adequately addressed in
libqb in jessie. Upstream no longer supports this version and no
packages in jessie depend upon libqb, thus making it a leaf package.

We recommend that if your systems or applications depend upon the libqb
package provided from the Debian archive that you upgrade your systems
to a more recent Debian release or find an alternate and up to date
source of libqb packages.

Regards,

-Roberto

-- 
Roberto C. Sánchez
Re: (E)LTS report for October
On Tue, Nov 12, 2019 at 11:03:17AM +0100, Sylvain Beucler wrote:
> I believe it's a matter of magnitude: the doc's example is about a 10%
> excess, while this was about a ~200% excess.

this, exactly.

> Coordination allows to average the workload and reactivity, for instance
> by adding more people to a task, reassigning the task, reconsidering the
> task's scope, etc.

also.

-- 
cheers,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Drop support for libqb?
On Thu, Nov 14, 2019 at 05:19:03PM +, Holger Levsen wrote:
> On Wed, Nov 13, 2019 at 08:24:55AM -0500, Roberto C. Sánchez wrote:
> > > We usually mark affected CVE as in data/CVE/list and just
> > > add the package to security-support-ended.deb8 in
> > > debian-security-support. We then upload new versions of the package
> > > periodically and announce it via DLA. I believe now is a good time to do
> > > it.
> > Thanks for the information. I will start working on it today.
> 
> As any DD can commit to debian-security-support.git and also can upload
> that package, just make sure to call it a team upload in d/changelog to
> appease lintian and possibly other tools.
> 
I had not yet seen this message so I already submitted a MR. Should I
close that and make a direct commit?

> And then it would be ideal to upload the package to unstable and then
> file a SRM bug to update the package in stretch, in addition to
> uploading to jessie. (Probably this should also result in a DLA, not
> 100% sure though. Thoughts & comments definitely welcome.)
> 
Looking at the previous updates, a DLA seems appropriate. I am in the
process of drafting the text.

> I believe it's fine if the version constraints (package version in
> unstable higher than testing higher than stable higher than oldstable)
> are temporarily not met, but I also believe it's important that they are
> in the long run & most of the time.
> 
> If doing all this work is too much or tedious to you, please shout and I
> will be happy to finish this. Please just do at least the initial
> change in git to security-support-ended.deb8.
> 
If I close the MR and commit directly, is it then a simple matter of
build and upload to unstable? That is, no other special steps are
required?

Regards,

-Roberto

-- 
Roberto C. Sánchez
automatically strip no-dsa tags by gen-DLA
In an attempt to complete this TODO item from the wiki:

automatically strip no-dsa tags by gen-DLA
https://wiki.debian.org/LTS/TODO#automatically_strip_no-dsa_tags_by_gen-DLA

This is my very early attempt to modify the CVE parser so that it can
write the results back to the CVE file again. Meaning we can make
deliberate modifications to the data before doing so.

https://salsa.debian.org/snippets/354

Unfortunately, in making the required changes, it is no longer compatible
with the previous API, as we need to keep track of all the data in such a
way that any modifications are reversible. Which is why I copied the files
completely rather than trying to edit in place. The original parser makes
certain changes that are not reversible and can produce slightly different
results (e.g. different ordering of values, different white-space, etc).

Currently it produces a file with the following differences (see diff
below); the first two changes are due to two tab characters being replaced
by spaces (not sure it matters enough to try and fix this...) and the last
was due to deliberate filtering (line 273). The filtering is currently hard
coded; this should be called somehow by gen-DLA.

Any comments or suggestions?

=== cut === --- data/CVE/list 2019-11-12 16:54:16.835792742 +1100 +++ a 2019-11-15 16:51:09.043817845 +1100 @@ -354371,7 +354371,7 @@ NOT-FOR-US: Trend Micro Anti-Rootkit Common Module CVE-2007-0855 (Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR an ...) - rar 1:3.7b1-1 (high; bug #410582) - [sarge] - rar (Non-free) + [sarge] - rar (Non-free) [etch] - rar (Non-free) - unrar-nonfree 1:3.7.3-1 (high; bug #410580) [sarge] - unrar-nonfree 1:3.5.2-0.2 
@@ -359261,7 +359261,7 @@ NOT-FOR-US: BytesFall Explorer (bfExplorer) CVE-2006-5718 (Cross-site scripting (XSS) vulnerability in error.php in phpMyAdmin 2. ...) - phpmyadmin 4:2.9.0.3-1 (low; bug #396638) - [sarge] - phpmyadmin (Vulnerable code not present) + [sarge] - phpmyadmin (Vulnerable code not present) CVE-2006-5717 (Multiple cross-site scripting (XSS) vulnerabilities in Zend Google Dat ...) NOT-FOR-US: Zend Google Data Client Library (ZendGData) CVE-2006-5716 (Directory traversal vulnerability in aff_news.php in FreeNews 2.1 allo ...) @@ -376628,7 +376628,6 @@ NOT-FOR-US: Sun Java System Directory Server CVE-2005-3268 (yiff server (yiff-server) 2.14.2 on Debian GNU/Linux runs as root and ...) - yiff 2.14.2-8 (bug #334616; low) - [sarge] - yiff (Only a minor privacy leak) CVE-2005-3267 (Integer overflow in Skype client before 1.4.x.84 on Windows, before 1. ...) NOT-FOR-US: Skype CVE-2005-3266 === cut === -- Brian May
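Review bot: the first two hunks (the `[sarge] - rar (Non-free)` line under CVE-2007-0855 and the `[sarge] - phpmyadmin (Vulnerable code not present)` line under CVE-2006-5718) are whitespace-only changes, a tab re-emitted as spaces, which shows the writer is re-indenting annotation lines on output instead of preserving what it read. For a round-trip tool whose value is that the resulting diff contains only deliberate edits, keep each input line verbatim (leading whitespace included) and re-serialise only the lines the filter actually changed; otherwise every run will touch old tab-indented entries and bury the real change in noise.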
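Review bot: the third hunk removes the whole `[sarge] - yiff (Only a minor privacy leak)` line under CVE-2005-3268, reason text included, yet the visible line shows only a release, a package and a free-text reason, with no explicit tag on it. If the hard-coded filter (the message points at line 273 of the snippet) matches on release and package rather than on a no-dsa marker, it will also delete not-affected and similar annotations for that release. Match on the tag and on the specific release gen-DLA is issuing for, return how many lines were dropped so a no-op is visible, and say in the snippet which annotation kinds are meant to go.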
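As an added illustration of the round-trip problem the message describes, and not the code in the linked snippet nor the security tracker's own parser, here is a minimal line-preserving reader and writer for the data/CVE/list layout in Python. It keeps every input line byte-for-byte (tabs and all) and removes only the one annotation a gen-DLA-style call asks for. The layout assumptions are the ones visible in the diff above: an entry starts with an unindented `CVE-YYYY-NNNN` line, its annotations are the indented lines that follow, and release annotations read `[release] - package ...`; the no-dsa marker is assumed to be a literal `<no-dsa>` tag on such a line. The sample entries, CVE ids and package name are constructed placeholders.

```python
import re

# An entry starts with an unindented CVE id; indented lines after it belong to that entry.
CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s|$)")
# Release annotation: "[jessie] - pkg <no-dsa> (reason)" or "[jessie] - pkg 1.2-3".
# Indentation is matched but never rewritten, which is what keeps the round trip exact.
RELEASE_LINE = re.compile(
    r"^[ \t]+\[(?P<release>[^\]]+)\][ \t]+-[ \t]+(?P<package>\S+)(?P<rest>.*)$"
)


def parse(text):
    """Split the list into entries, keeping each raw line (with its newline) untouched."""
    entries = [{"cve": None, "lines": []}]      # index 0 holds anything before the first CVE
    for raw in text.splitlines(keepends=True):
        m = CVE_HEADER.match(raw)
        if m:
            entries.append({"cve": m.group(1), "lines": [raw]})
        else:
            entries[-1]["lines"].append(raw)
    return entries


def render(entries):
    """Inverse of parse(): untouched entries come back identical, tabs included."""
    return "".join(line for entry in entries for line in entry["lines"])


def strip_no_dsa(entries, cve, release, package):
    """Remove the '[release] - package <no-dsa> ...' line from one CVE entry.

    Only that line goes; other releases, other packages and NOTE lines stay.
    Returns the number of lines removed so a caller can notice a no-op.
    """
    removed = 0
    for entry in entries:
        if entry["cve"] != cve:
            continue
        kept = []
        for raw in entry["lines"]:
            m = RELEASE_LINE.match(raw)
            if (m and m.group("release") == release
                    and m.group("package") == package
                    and "<no-dsa>" in m.group("rest")):
                removed += 1
                continue
            kept.append(raw)
        entry["lines"] = kept
    return removed


# Constructed sample in the list's layout; the CVE ids and package are placeholders, not real ones.
SAMPLE = (
    "CVE-2019-0002 (constructed entry, not a real CVE)\n"
    "\tNOT-FOR-US: Example Vendor Product\n"
    "CVE-2019-0001 (constructed entry, not a real CVE)\n"
    "\t- examplepkg 1.2-3 (low)\n"
    "\t[jessie] - examplepkg <no-dsa> (Minor issue)\n"
    "\t[stretch] - examplepkg <no-dsa> (Minor issue)\n"
    "\t[wheezy] - examplepkg <not-affected> (Vulnerable code not present)\n"
    "\tNOTE: tabs\tand  double  spaces must survive the round trip\n"
    "CVE-2019-0000\n"
    "\tRESERVED\n"
)


def demo():
    """Round-trip the sample unchanged, then strip the jessie no-dsa tag as gen-DLA would."""
    entries = parse(SAMPLE)
    unchanged = render(entries)
    removed = strip_no_dsa(entries, "CVE-2019-0001", "jessie", "examplepkg")
    return unchanged, removed, render(entries)


if __name__ == "__main__":
    before, removed, after = demo()
    print("round-trip exact:", before == SAMPLE, "removed:", removed)
    print(after, end="")
```

Storing raw lines and deleting rather than re-serialising is the whole trick: the diff of the written file against the original then contains exactly the lines the filter dropped, and nothing about tabs versus spaces or value ordering. Anything more structured (parsing the version, bug number or reason into fields) should live alongside the raw line, not replace it.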
Accepted ghostscript 9.26a~dfsg-0+deb8u6 (source all amd64) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Nov 2019 19:06:21 -0500
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.26a~dfsg-0+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team
Changed-By: Roberto C. Sanchez
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev - interpreter for the PostScript language and for PDF - Development
 libgs9 - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.26a~dfsg-0+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Backport changes from stretch:
     + remove .forceput from /.charkeys (CVE-2019-14869)
Checksums-Sha1:
 045556d411b15eebf1be57e67be6ef99ee739206 2885 ghostscript_9.26a~dfsg-0+deb8u6.dsc
 1889594772a0f17b3ae5546665e899f1df61cb28 123568 ghostscript_9.26a~dfsg-0+deb8u6.debian.tar.xz
 45e1617b71dd5ef5d2f355642a5e894d7b197a38 3486852 ghostscript-doc_9.26a~dfsg-0+deb8u6_all.deb
 057cfc400b83c734bea7c612efc49f548e569824 5144034 libgs9-common_9.26a~dfsg-0+deb8u6_all.deb
 2823eb8638f131695143888df0a59a2869768ca5 99130 ghostscript_9.26a~dfsg-0+deb8u6_amd64.deb
 83e77acc0787022df1bf0a0055b40e1f6a0cb823 94226 ghostscript-x_9.26a~dfsg-0+deb8u6_amd64.deb
 8fb87521db1d78be8b81130eccdee25e15b06d45 2211958 libgs9_9.26a~dfsg-0+deb8u6_amd64.deb
 cfc444ef538050eda00e16c4ebae43f52b2dcd89 76460 libgs-dev_9.26a~dfsg-0+deb8u6_amd64.deb
 37ff03baece4e2a168f4fd7f5c157cf0122a617e 5758818 ghostscript-dbg_9.26a~dfsg-0+deb8u6_amd64.deb
Checksums-Sha256:
 612ae8e2d8d177df18a199c2294498e123aeaf3f9700cb7933fccdc944655ea0 2885 ghostscript_9.26a~dfsg-0+deb8u6.dsc
 cdccead4be0c727271968aaffca79598839ffe96d09cdd8a7dabfde2235faa4d 123568 ghostscript_9.26a~dfsg-0+deb8u6.debian.tar.xz
 a5a50cfece44c0b6cdc86faeeb6f749d6ee29bc4b9d9395badc5c17a03140f3d 3486852 ghostscript-doc_9.26a~dfsg-0+deb8u6_all.deb
 2c45add9f2458cf2f930b01992619d5ece041f0e6718eb1fe1e4f9268a5ada6e 5144034 libgs9-common_9.26a~dfsg-0+deb8u6_all.deb
 133bbcbd5f5371eda6b09cdb23164dbb1ae4d0669f1c7d0c973ae15f7068ecd6 99130 ghostscript_9.26a~dfsg-0+deb8u6_amd64.deb
 9cfd593d05f93f46719fc8856ac702c777e963718b99e54c638b736c281bd232 94226 ghostscript-x_9.26a~dfsg-0+deb8u6_amd64.deb
 9fe9ab679bd42ec66bfd2743056ec8746f7d4eb57bdc210abc12b4e8034ec7a4 2211958 libgs9_9.26a~dfsg-0+deb8u6_amd64.deb
 3acc6f48103ff55a284bd8fcebce6e7b7ba436ea146458eb55d11dadc7efc305 76460 libgs-dev_9.26a~dfsg-0+deb8u6_amd64.deb
 369ad3bf23169f08b1162f3531108dd4321254da55a530c61408157e8d7a5029 5758818 ghostscript-dbg_9.26a~dfsg-0+deb8u6_amd64.deb
Files:
 3154afa5c41585d29ae14058c1fa915a 2885 text optional ghostscript_9.26a~dfsg-0+deb8u6.dsc
 f327b7ec1b49b54be676efb9ad6ef67f 123568 text optional ghostscript_9.26a~dfsg-0+deb8u6.debian.tar.xz
 5df5103ed77bfd0af44de5a86c404ce3 3486852 doc optional ghostscript-doc_9.26a~dfsg-0+deb8u6_all.deb
 20b0c43ddc0c634161a180671a7acf1e 5144034 libs optional libgs9-common_9.26a~dfsg-0+deb8u6_all.deb
 9cd3846ccb0d592896af6cbde8fbe1a4 99130 text optional ghostscript_9.26a~dfsg-0+deb8u6_amd64.deb
 6dd56d366dd0a0120e97dac6f4b1b4d0 94226 text optional ghostscript-x_9.26a~dfsg-0+deb8u6_amd64.deb
 f3e14ab234c84eb617d06c9a38bf4fdb 2211958 libs optional libgs9_9.26a~dfsg-0+deb8u6_amd64.deb
 2698dd42f6ab9c96db8ff82c6b46d994 76460 libdevel optional libgs-dev_9.26a~dfsg-0+deb8u6_amd64.deb
 f97566729bd27fd6491be613875a1b4a 5758818 debug extra ghostscript-dbg_9.26a~dfsg-0+deb8u6_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEz9ERzDttUsU/BH8iLNd4Xt2nsg8FAl3N+usACgkQLNd4Xt2n
sg9gVxAAhtynxPDh29Fgg31c65VLRpoH9WDk7mB4Bvojx+h7OgnhU+/DzFelEtOe
5AxBolPj+XudQgzW6ArUrAq1VPcoZZFiBqX9H82Fr/SdW6uxpeunr3l6otrq/o2L
MLdZpXjQP/007ONM0na/ASd44quCt2VJyrgPyylRCCR8CvWmkq+Bw4VQd2MaJyjT
Jk/DpMcg+3B/POsohd3FXyst46PxvBFR3/sY8jOkagwQTCXnfPdQ2MPsz+8X10XS
rXsciMA3SpoiTauyNCjXuiVRlfBb64lyz2udJKnH194uWq1Pl+ceRtxaWQxeRx0a
UOZ8fEhngO204hd/fTuoEM6MVFPAp8fQ8IEjLfaknKi5zCIWI8mQnGutBbkV2i9W
2qpLor79uVbw9XzcQHrYQhjzuipmx1+5cO4d5DiZDfBpgpKIRydHQdC8ur/Cd/yT
/neoVu6XjQtaH7hU8d8YcKfPKnvaWgoRU3S5pb6jSjIJeDmRNRlGKoZl2LwRkZOk
IXybS/9PeKeK6y3TrPnbDsZohgcoOlveOnjD2qobx2RegMqf+MsTCHMWXo67pQjN
Suo8Pbi4UWnrSKK90o1ai+B6V4gGqgKFOAArAlGioRYfCXypCo3IekiSToxk+Ph+
woSKrC9tbAF57HPLnEjP1UT3d/TuqFmBctNwTcQTLzwh3ybujHg=
=dS9i
-----END PGP SIGNATURE-----
[SECURITY] [DLA 1992-1] ghostscript security update
Package        : ghostscript
Version        : 9.26a~dfsg-0+deb8u6
CVE ID         : CVE-2019-14869

Manfred Paul and Lukas Schauer reported that the .charkeys procedure in
Ghostscript, the GPL PostScript/PDF interpreter, does not properly
restrict privileged calls, which could result in bypass of file system
restrictions of the dSAFER sandbox.

For Debian 8 "Jessie", this problem has been fixed in version
9.26a~dfsg-0+deb8u6.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS