Bug#890860: stretch-pu: package ruby-redis-store/1.1.6-1

2018-02-19 Thread Cédric Boutillier
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu


Hi,

I have prepared a patch for Debian bug #882034 (CVE-2017-1000248) by
adapting the upstream patch from

https://github.com/redis-store/redis-store/pull/290

(which should be applied after
https://github.com/redis-store/redis-store/commit/bcd1c28cf10ff18b4352cdacbe04113af3fec68d,
not present in the version 1.1.6)

Please find attached the debdiff for the version in Stretch.
It is the same as the change for 1.1.6-2 which went to unstable (without
the additional packaging change).

It was proposed by the security team to fix it with a Stretch update
instead of a security upload.

Thanks

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index d28f11f..83455a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-redis-store (1.1.6-1+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add upstream patch to fix CVE-2017-1000248, allowing unsafe objects to be
+loaded from redis (Closes: #882034)
+
+ -- Cédric Boutillier   Fri, 01 Dec 2017 17:22:29 +0100
+
 ruby-redis-store (1.1.6-1) unstable; urgency=medium
 
   * Upstream update
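Review bot: the changelog line "Add upstream patch to fix CVE-2017-1000248" undersells what was done: the cover mail says upstream PR #290 was adapted because it depends on a commit that is not in 1.1.6, so wording such as "Backport upstream patch (PR #290) to fix CVE-2017-1000248" would tell the next person touching the package that debian/patches/CVE-2017-1000248.patch is not identical to upstream. The trailing clause "allowing unsafe objects to be loaded from redis" also reads as if the fix allows it; "which allowed unsafe objects to be loaded from redis" says what is meant.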
diff --git a/debian/patches/CVE-2017-1000248.patch 
b/debian/patches/CVE-2017-1000248.patch
new file mode 100644
index 000..44c91de
--- /dev/null
+++ b/debian/patches/CVE-2017-1000248.patch
@@ -0,0 +1,551 @@
+Description: Replace marshalling with pluggable serializers
+Author: Tom Scott 
+Bug: https://github.com/redis-store/redis-store/issues/289
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882034
+Applied-Upstream: 
https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
+Origin: upstream
+Last-Update: Tue, 15 Aug 2017 11:07:07 -0400
+
+This is in response to a vulnerability warning we received on Friday,
+August 11th, 2017. While most users will not be affected by this
+change, we recommend that developers of new applications use a different
+serializer other than `Marshal`. This, along with the removal of the
+`:marshalling` option, will enforce "sane defaults" in terms of securely
+serializing/de-serializing data.
+
+- Add `:serializer` option and deprecate `:marshalling`. Although you
+  will still be able to enable/disable serialization with Marshal using
+  `:marshalling` in the 1.x series, this will be removed by 2.0.
+
+- Rename `Redis::Store::Marshalling` to `Redis::Store::Serialization` to
+  reflect its new purpose.
+
+Fixes #289
+---
+ lib/redis-store.rb | 12 ---
+ lib/redis/store.rb | 28 +--
+ lib/redis/store/factory.rb |  9 -
+ lib/redis/store/namespace.rb   |  4 +--
+ .../store/{marshalling.rb => serialization.rb} |  6 ++--
+ test/redis/store/factory_test.rb   | 40 --
+ test/redis/store/namespace_test.rb |  4 +--
+ .../{marshalling_test.rb => serialization_test.rb} |  4 +--
+ 8 files changed, 80 insertions(+), 27 deletions(-)
+ rename lib/redis/store/{marshalling.rb => serialization.rb} (90%)
+ rename test/redis/store/{marshalling_test.rb => serialization_test.rb} (98%)
+
+--- a/lib/redis-store.rb
 b/lib/redis-store.rb
+@@ -1,12 +1 @@
+-require 'redis'
+ require 'redis/store'
+-require 'redis/store/factory'
+-require 'redis/distributed_store'
+-require 'redis/store/namespace'
+-require 'redis/store/marshalling'
+-require 'redis/store/version'
+-
+-class Redis
+-  class Store < self
+-  end
+-end
+--- a/lib/redis/store.rb
 b/lib/redis/store.rb
+@@ -1,3 +1,9 @@
++require 'redis'
++require 'redis/store/factory'
++require 'redis/distributed_store'
++require 'redis/store/namespace'
++require 'redis/store/serialization'
++require 'redis/store/version'
+ require 'redis/store/ttl'
+ require 'redis/store/interface'
+ 
+@@ -7,6 +13,24 @@
+ 
+ def initialize(options = { })
+   super
++
++  unless options[:marshalling].nil?
++puts %(
++  DEPRECATED: You are passing the :marshalling option, which has been
++  replaced with `serializer: Marshal` to support pluggable 
serialization
++  backends. To disable serialization (much like disabling 
marshalling),
++  pass `serializer: nil` in your configuration.
++
++  The :marshalling option will be removed for redis-store 2.0.
++)
++  end
++
++  @serializer = options.key?(:serializer) ? 
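Review bot: the deprecation notice added in Redis::Store#initialize (the `puts %(` block in lib/redis/store.rb) goes to stdout; for a library, `warn` (stderr) is the usual channel so the text is not mixed into application output or swallowed by whatever reads stdout, and it is worth checking that the message is not printed on every Redis::Store instantiation in an app that builds many connections. The `unless options[:marshalling].nil?` guard also means a caller passing `marshalling: false` gets the notice while one passing nothing does not, which matches the stated intent (the option itself is deprecated, not only its true value). The move of the require list from lib/redis-store.rb into lib/redis/store.rb and the rename of `redis/store/marshalling` to `redis/store/serialization` match the patch description.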

Bug#871937: Director contacts - that is your customer

2018-02-19 Thread Gautas pranešimas
Good day,


I want to inform you about this year's change regarding the updated database of
all Lithuanian companies as of mid-January 2018.
All legal entities listed in the database are active, actually carrying out
business and having employees on staff. Data according to Sodra and the Centre of Registers.
 
The database also lists turnover, employee salaries, number of employees,
number of vehicles and many other data, which you will see in the sample.
 
The data can be filtered by activities, cities and other fields.
 
 
This database is worth having for every company. Here are the reasons:
 
1) The database provides the contacts of directors and other responsible persons;
there is a high probability that you will find new customers, partners and suppliers
when you communicate directly with directors and commercial managers.
 
2) Analysis of competitors, selection of suppliers according to the criteria you
need; you can filter by company size, and the database indicates how much companies
owe to Sodra.
 
3) Working with this database is easy, fast and convenient; you can import the
e-mail addresses into the e-mail sending programs or systems from which you send
your e-mails.
You can also import mobile phone numbers into SMS sending programs.
 
 
Choose the activities you need from the "List of Activities".
( The list is attached to this e-mail as an Excel file )
 
Write to us which activities you selected
and we will send a sample and an offer with the terms for purchasing the company database



Regards,
Tadas Giedraitis
Tel. no. +37067881041


Veiklos.xlsx
Description: Binary data



Bug#873102: [release.debian.org] transition: imagemagick

2018-02-19 Thread roucaries bastien
On Fri, Feb 16, 2018 at 3:02 PM, Emilio Pozuelo Monfort
 wrote:
> Control: tags -1 confirmed

Done waiting from your side
>
> On 16/02/18 14:30, roucaries bastien wrote:
>> On Wed, Oct 25, 2017 at 2:02 PM, roucaries bastien
>>  wrote:
>>> On Sat, Oct 21, 2017 at 6:26 PM, Emilio Pozuelo Monfort
>>>  wrote:
>>>> Control: retitle -1 transition: imagemagick
>>>> Control: severity -1 normal
>>>>
>>>> On 24/08/17 17:21, Bastien ROUCARIÈS wrote:
>>>>> Package: release.debian.org
>>>>> Severity: important
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have just landed an imagemagick version in experimental, that breaks the
>>>>> ABI.
>>>>> Previous ABI used double_t that is not ABI stable...
>>>>>
>>>>> Could we get a transition of libmagickcore, libmagickwand and libmagick++
>>>>>
>>>>> I have rebuilt reverse deps a few weeks ago (waiting for ftpmaster) and
>>>>> it
>>>>> was fine.
>>>>>
>>>>> I will fix ASAP the problems.
>>>>
>>>> What problems?
>>>>
>>>> FWIW this can't start until imagemagick builds on all release
>>>> architectures:
>>>>
>>>> https://buildd.debian.org/status/package.php?p=imagemagick=experimental
>>>
>>> Smell like a compiler bug :S
>>
>> Fixed, could you please go for transition. Due to the huge backlog of
>> security problems the sooner the better
>
> Go ahead.
>
> Emilio



Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2018-02-19 Thread intrigeri
Hi Adam & other release managers,

Adam D. Barratt:
> Any news on this?

Yes: the main blocker (in src:linux) has been fixed a few weeks ago
so it's now feasible to make progress on the src:apparmor side.
The next steps are tracked on #879585 that I've kept up-to-date.

> We're likely to be looking at freezing p-u for the next point
> release in a couple of weeks time.

I've been following the Stretch 9.4 scheduling thread with this in
mind. My current plan is to prepare an updated stable p-u around
February 24-25.

Thanks for the ping! :)

Cheers,
-- 
intrigeri



Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1

2018-02-19 Thread Adam D. Barratt

On 2018-01-07 11:23, intrigeri wrote:

> Control: tag -1 + moreinfo
>
> The issue in Linux 4.14 with feature set pinning vs. mount operations
> was not fixed yet so the 2.11.0-3+deb9u1 package that was accepted in
> the proposed-updates stable queue is not suitable for Stretch
> currently ⇒ dear release team, feel free to reject or delete it if it
> helps you ensure it does not land in the next point release.
>
> Also, after some discussion with Fabian the proposed change was
> re-implemented slightly differently in testing/sid; I want to do the
> same for the Stretch proposed update ⇒ tagging "moreinfo".


Any news on this? We're likely to be looking at freezing p-u for the 
next point release in a couple of weeks time.


Regards,

Adam



Processed: mbedtls transition blockers

2018-02-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # for charybdis
> block 890448 by 890411
Bug #890448 [release.debian.org] transition: mbedtls
890448 was not blocked by any bugs.
890448 was not blocking any bugs.
Added blocking bug(s) of 890448: 890411
> # for neko
> block 890448 by 888095
Bug #890448 [release.debian.org] transition: mbedtls
890448 was blocked by: 890411
890448 was not blocking any bugs.
Added blocking bug(s) of 890448: 888095
> affects 888095 src:neko
Bug #888095 [src:mariadb-connector-c] mariadb-connector-c: ships libmariadb3 
version 3.0.3-1, which is lower than the one in mariadb-10.[23]
Added indication that 888095 affects src:neko
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
888095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888095
890448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#890740: marked as done (nmu: proftpd-mod-case_0.7-1)

2018-02-19 Thread Debian Bug Tracking System
Your message dated Mon, 19 Feb 2018 09:15:45 +0100
with message-id <9d97c8f7-a722-d89a-5d29-f441784ba...@debian.org>
and subject line Re: Bug#890740: nmu: proftpd-mod-case_0.7-1
has caused the Debian Bug report #890740,
regarding nmu: proftpd-mod-case_0.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

The following packages have unmet dependencies:
 proftpd-mod-case : Depends: proftpd-abi-1.3.5d but it is not installable


nmu proftpd-mod-case_0.7-1 . ANY . unstable . -m "Rebuild with 
proftpd-abi-1.3.5e"
--- End Message ---
--- Begin Message ---
On 18/02/18 11:00, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
> 
> The following packages have unmet dependencies:
>  proftpd-mod-case : Depends: proftpd-abi-1.3.5d but it is not installable
> 
> 
> nmu proftpd-mod-case_0.7-1 . ANY . unstable . -m "Rebuild with 
> proftpd-abi-1.3.5e"

Scheduled.

Emilio--- End Message ---