Processed: reassign 872058 to src:linux, forcibly merging 869511 872058
Processing commands for cont...@bugs.debian.org:

> reassign 872058 src:linux
Bug #872058 {Done: Ben Hutchings } [linux-headers-4.11.0-2-all] linux-headers-4.11.0-2-all: impossible to install due to version incompatibility with common header package
Bug reassigned from package 'linux-headers-4.11.0-2-all' to 'src:linux'.
No longer marked as found in versions linux/4.11.11-1.
No longer marked as fixed in versions 4.12.6-1.
> forcemerge 869511 872058
Bug #869511 {Done: Ben Hutchings } [src:linux] linux: binNMU-unsafe dependency on linux-headers-*-common
Bug #869670 {Done: Ben Hutchings } [src:linux] Depends: linux-headers-4.11.0-2-common ... but it is not going to be installed
Bug #869824 {Done: Ben Hutchings } [src:linux] missing package
Bug #870132 {Done: Ben Hutchings } [src:linux] linux-headers-amd64 broken, can't install
Bug #870298 {Done: Ben Hutchings } [src:linux] 4.11.0-2-amd64 headers cannot be installed
Bug #872058 {Done: Ben Hutchings } [src:linux] linux-headers-4.11.0-2-all: impossible to install due to version incompatibility with common header package
865614 was blocked by: 869511 870298 869824 870132 869670 867257
865614 was not blocking any bugs.
Added blocking bug(s) of 865614: 872058
866389 was blocked by: 869602 826471 866317 869383 869139 865033 869576 866934 826502 865034 826505 865477 866315 869583 827640 866944 869670 865020 869579 869824 870132 866978 826497 869418 865045 867213 870298 809352 867514 826473 867046 865898 865380 869504 869578 869436 867984 865893 869580 865482 865224 869357 869511 826489 867210 869433 865888
866389 was not blocking any bugs.
Added blocking bug(s) of 866389: 872058
Marked as fixed in versions linux/4.12.6-1.
The source linux and version 4.11.11-1+b1 do not appear to match any binary packages
Marked as found in versions linux/4.11.11-1+b1 and linux/4.11.11-1.
Added tag(s) newcomer.
Bug #869670 {Done: Ben Hutchings } [src:linux] Depends: linux-headers-4.11.0-2-common ... but it is not going to be installed
Bug #869824 {Done: Ben Hutchings } [src:linux] missing package
Bug #870132 {Done: Ben Hutchings } [src:linux] linux-headers-amd64 broken, can't install
Bug #870298 {Done: Ben Hutchings } [src:linux] 4.11.0-2-amd64 headers cannot be installed
Merged 869511 869670 869824 870132 870298 872058
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
865614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865614
866389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866389
869511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869511
869670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869670
869824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869824
870132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870132
870298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870298
872058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872058
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi.

I'd like to get some security updates that were not serious enough for a DSA into jessie. The security team encouraged me to make this request, so they are in the loop, but have not reviewed the diff or the specific set of CVEs fixed.

Diff produced with git diff dgit/dgit/jessie debian after looking at git diff --numstat dgit/dgit/jessie to make sure that all the changes outside of debian were because of new applied patches. Also confirmed that dgit quilt-fixup shows no changes between the produced source package and my tree.

I've confirmed this builds, but have not reviewed the diffs line-by-line (although all these changes are shipping in stretch or sid now) and have not finished my testing. I'll do both of those things before uploading.

diff --git a/debian/changelog b/debian/changelog index d90f21581b..6aa052a1c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high + + * CVE-2017-11368: Remote authenticated attackers can crash the KDC, +Closes: #869260 + * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes: +#832572 + * fix for CVE-2016-3119: remote DOS with ldap for authenticated +attackers, Closes: #819468 + * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557 + + -- Sam Hartman Sun, 13 Aug 2017 18:02:34 -0400 + krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch new file mode 100644 index 00..f1f5ff13a8 --- /dev/null +++ b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
@@ -0,0 +1,37 @@ +From: Greg Hudson +Date: Mon, 14 Mar 2016 17:26:34 -0400 +X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 f7e4ca67d86a5a5b280b859072bbc5015a2ddd27 +Subject: Fix LDAP null deref on empty arg [CVE-2016-3119] + +In the LDAP KDB module's process_db_args(), strtok_r() may return NULL +if there is an empty string in the db_args array. Check for this case +and avoid dereferencing a null pointer. + +CVE-2016-3119: + +In MIT krb5 1.6 and later, an authenticated attacker with permission +to modify a principal entry can cause kadmind to dereference a null +pointer by supplying an empty DB argument to the modify_principal +command, if kadmind is configured to use the LDAP KDB module. + +CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND + +(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99) + +ticket: 8383 +version_fixed: 1.14.2 + +(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c) + +--- + +--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch + if (db_args) { + for (i=0; db_args[i]; ++i) { + arg = strtok_r(db_args[i], "=", &arg_val); ++arg = (arg != NULL) ? arg : ""; + if (strcmp(arg, TKTPOLICY_ARG) == 0) { + dptr = &xargs->tktpolicydn; + } else { diff --git a/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch new file mode 100644 index 00..4b63bd8ee0 --- /dev/null +++ b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch 
@@ -0,0 +1,51 @@ +From: Greg Hudson +Date: Tue, 19 Jul 2016 11:00:28 -0400 +X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 862d5e532d03db566ee2955f69e008a253d39dec +Subject: Fix S4U2Self KDC crash when anon is restricted + +In validate_as_request(), when enforcing restrict_anonymous_to_tgt, +use client.princ instead of request->client; the latter is NULL when +validating S4U2Self requests. + +CVE-2016-3120: + +In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc +to dereference a null pointer if the restrict_anonymous_to_tgt option +is set to true, by making an S4U2Self request. + + CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C + +(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7) + +ticket: 8458 +version_fixed: 1.14.3 + +(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a) + +--- + +--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c krb5-1.12.1+dfsg/src/kdc/kdc_util.c +@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act + return(KDC_ERR_MUST_USE_USER2USER); + } + +-if (check_anon(kdc_active_realm, request->client, request->server) != 0) { ++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { + *status = "ANONYMOUS NOT ALLOWED"; + return(KDC_ERR_POLICY); + } +--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py krb5-1.12.1+dfsg/src/tests/t_pkinit.py +@@ -81,6 +81
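Review bot: the changelog entry for CVE-2016-3120 has a stray double comma (", , Closes:") and the four bullets mix three styles ("CVE-...: description", "fix for CVE-...", "Prevent ... (CVE-...)"); since these lines are what the security tracker and users read, use one form throughout, for example "Fix CVE-2016-3120: KDC crash on restrict_anon_to_tgt (Closes: #832572)". Note also that the diff as quoted in this message only reaches the patches for CVE-2016-3119 and CVE-2016-3120 before it is cut off, so the patch files the changelog lists for CVE-2017-11368 and CVE-2015-2694 could not be reviewed here.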
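Review bot: the fix in process_db_args() maps a NULL return from strtok_r() to "" so that an empty db_args[i] flows into the strcmp() chain instead of dereferencing NULL; that is only a complete fix if the branch handling an unrecognised argument name returns an error rather than silently skipping the entry, and the visible context ends at "} else {" without showing that branch, so confirm it in the 1.12.1 tree. The patch carries no regression test for the empty-argument case (it is cherry-picked without one), so a modify_principal with an empty DB argument against the LDAP KDB module belongs in the jessie testing mentioned in the message. As a style point, the generated file name fix-ldap-null-deref-on-empty-arg-cve-201.patch truncates the CVE id to "cve-201"; naming it with the full CVE-2016-3119 keeps the patch series self-describing.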
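Review bot: in validate_as_request() the call now passes client.princ instead of request->client to check_anon(), on the strength of the commit message's statement that request->client is NULL while validating S4U2Self requests; the hunk does not show where client is populated, so confirm in the 1.12.1 tree that client.princ is set on every path that reaches this check, since the 1.14 code this was cherry-picked from may not match 1.12.1 here. The second CVSSv2 line in the patch header carries a stray leading space. The t_pkinit.py hunk is cut off in the message ("@@ -81,6 +81"), so the accompanying test change cannot be reviewed from this diff.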
Bug#866335: Python3.6 blocker: automake
control: block -1 by 872052
control: affects 872052 src:imagemagick

Hi,

I have found why pythonmagick fails: automake is at fault. automake does not support python3.6... I have made a patch and I plan to NMU ASAP if you are ok.
Processed: Python3.6 blocker: automake
Processing control commands:

> block -1 by 872052
Bug #866335 [release.debian.org] transition: python3-defaults
866335 was blocked by: 866575
866335 was not blocking any bugs.
Added blocking bug(s) of 866335: 872052
> affects 872052 src:imagemagick
Bug #872052 [automake] [automake] Lack of python3.6 support
Added indication that 872052 affects src:imagemagick

--
866335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866335
872052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
NEW changes in stable-new
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mips.changes ACCEPT
NEW changes in stable-new
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mips64el.changes ACCEPT
Bug#869836: Info received (Bug#869836: stretch-pu: package nvidia-graphics-drivers/375.82-1~deb9u1)
Hi,

Also tested on a third machine w/ a GeForce GTX 760 and KDE and kernel 4.9 AMD64 and it works well too.

Thanks

2017-08-13 16:51 GMT+02:00 Debian Bug Tracking System :
> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
> Debian Release Team
>
> If you wish to submit further information on this problem, please
> send it to 869...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 869836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869836
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
NEW changes in stable-new
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mipsel.changes ACCEPT
Bug#872023: transition: nodejs
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Transition from nodejs 4 to nodejs 6, with module ABI change from version 46 to version 48.
All nodejs C++ addons (build-depending on nodejs-dev) must be rebuilt.

Also Julien Puydt rebuilt all node modules packages against nodejs 6 to check for failures and report them:
- node-chai #868319 fixed upstream
- node-argparse #868294 might be fixed upstream
- node-evp-bytestokey fails and is deprecated. #868298

Also I'm using nodejs 6 from experimental for some time now, and I don't see breakage.

Ben file:

title = "nodejs";
is_affected = .build-depends ~ /nodejs-dev/;
is_good = .depends ~ /nodejs-abi-48/;
is_bad = .depends ~ /nodejs-abi-46/;

Regards,
Jérémy

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
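As an added illustration of what the Ben file in the request expresses (example code written for this page, not the release team's ben tool and not part of the transition request): a small Python evaluator that parses the four rule lines, applies is_affected to Sources stanzas (Build-Depends) and is_good/is_bad to Packages stanzas (Depends), and classifies each affected source package. The stanzas, the package names in them, and the aggregation rule (a source is "good" when every binary built from it matches is_good, "bad" when any binary matches is_bad, "unknown" otherwise) are assumptions of this example, constructed to resemble archive data.

```python
"""Evaluate ben-style transition rules over Debian Sources/Packages stanzas.

Added example for the nodejs transition request; not the release team's
ben tool.  The stanzas below are constructed sample data, not archive
contents.  Only the four rule lines in BEN_FILE come from the request.
"""
import re

# Rule lines from the transition request.  is_affected is evaluated
# against source stanzas, is_good/is_bad against binary stanzas.
BEN_FILE = """
title = "nodejs";
is_affected = .build-depends ~ /nodejs-dev/;
is_good = .depends ~ /nodejs-abi-48/;
is_bad = .depends ~ /nodejs-abi-46/;
"""

# Constructed Sources stanzas (hypothetical package names).
SOURCES = """\
Package: node-addon-old
Binary: node-addon-old
Build-Depends: debhelper (>= 10), nodejs-dev, node-gyp

Package: node-addon-new
Binary: node-addon-new
Build-Depends: debhelper (>= 10), nodejs-dev, node-gyp

Package: node-pure-js
Binary: node-pure-js
Build-Depends: debhelper (>= 10), nodejs
"""

# Constructed Packages stanzas: one addon still linked against the old
# ABI, one rebuilt against the new ABI, one pure-JS module.
PACKAGES = """\
Package: node-addon-old
Source: node-addon-old
Depends: nodejs-abi-46, libc6 (>= 2.14)

Package: node-addon-new
Source: node-addon-new
Depends: nodejs-abi-48, libc6 (>= 2.14)

Package: node-pure-js
Source: node-pure-js
Depends: nodejs
"""

# name = .field ~ /regex/;
_RULE_RE = re.compile(r'^\s*(\w+)\s*=\s*\.([\w-]+)\s*~\s*/(.*)/\s*;\s*$')


def parse_ben(text):
    """Return {rule_name: (lower-case field name, compiled regex)}."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules[m.group(1)] = (m.group(2).lower(), re.compile(m.group(3)))
    return rules


def parse_stanzas(text):
    """Split RFC822-style control data into a list of {field: value} dicts."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip().lower()] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def matches(rule, stanza):
    """True if the rule's regex is found in the stanza's field (missing field = '')."""
    field, rx = rule
    return rx.search(stanza.get(field, "")) is not None


def evaluate(ben_text, sources_text, packages_text):
    """Classify every affected source as 'good', 'bad' or 'unknown'.

    Aggregation over a source's binaries is this example's own convention:
    all binaries match is_good -> good; any binary matches is_bad -> bad.
    """
    rules = parse_ben(ben_text)
    sources = parse_stanzas(sources_text)
    binaries = parse_stanzas(packages_text)
    affected = {s["package"] for s in sources if matches(rules["is_affected"], s)}
    result = {}
    for src in sorted(affected):
        # A binary without a Source field comes from the source of the same name;
        # a Source field may carry a version in parentheses, which we drop.
        bins = [b for b in binaries
                if b.get("source", b["package"]).split()[0] == src]
        if bins and all(matches(rules["is_good"], b) for b in bins):
            result[src] = "good"
        elif any(matches(rules["is_bad"], b) for b in bins):
            result[src] = "bad"
        else:
            result[src] = "unknown"
    return result


if __name__ == "__main__":
    for src, state in evaluate(BEN_FILE, SOURCES, PACKAGES).items():
        print(f"{src}: {state}")
```

Running it on the constructed data reports node-addon-old as bad and node-addon-new as good; node-pure-js is not listed at all because its Build-Depends does not match /nodejs-dev/, which is exactly why a pure-JavaScript module needs no rebuild for this transition.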
Bug#869836: stretch-pu: package nvidia-graphics-drivers/375.82-1~deb9u1
On Sat, 12 Aug 2017 12:41:20 -0400 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + pending
>
> On Wed, 2017-08-09 at 17:17 +0200, Andreas Beckmann wrote:
> > On Tue, 08 Aug 2017 16:12:47 -0400 "Adam D. Barratt"
> > wrote:
> > > Please go ahead, and we'll hope it looks sane after that. :-p
> >
> > Uploaded, with the attached diff (from svn, excluding the blobs).
>
> Flagged for acceptance.
>
> Regards,
>
> Adam
>

Hi Adam,

Just to confirm the fix does work fine for me, no regression seen.

Hardware used:
Intel Core i7 4790
32 GB RAM
NVidia GeForce GTX 1070
Debian Stretch AMD64 w/ 4.9 kernel (i.e. not bpo)

Environment: KDE

Games tested:
Civilization VI (benchmark only)
Shadow of Mordor (benchmark only)
Sudden Strike 4
Wargame Red Dragon

Also tested on a GeForce GTX 970 (just boot test) w/o issue.
Bug#868284: stretch-pu: package suricata/3.2.1-1
On 8 August 2017 at 17:39, Adam D. Barratt wrote:
>
> Thanks. Please go ahead, with the tweaks from the earlier discussion -
> i.e. 3.2.1-1+deb9u1, with a changelog distribution of "stretch".
>

Uploaded, thanks.
NEW changes in stable-new
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_armhf.changes ACCEPT
NEW changes in stable-new
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_armel.changes ACCEPT