Bug#890860: stretch-pu: package ruby-redis-store/1.1.6-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared a patch for Debian bug #882034 (CVE-2017-1000248) by adapting the upstream patch from https://github.com/redis-store/redis-store/pull/290 (which should be applied after https://github.com/redis-store/redis-store/commit/bcd1c28cf10ff18b4352cdacbe04113af3fec68d, not present in version 1.1.6).

Please find attached the debdiff for the version in Stretch. It is the same as the change for 1.1.6-2 which went to unstable (without the additional packaging change). It was proposed by the security team to fix it with a Stretch update instead of a security upload.

Thanks,
Cédric

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog index d28f11f..83455a6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +ruby-redis-store (1.1.6-1+deb9u1) stretch; urgency=high + + * Team upload + * Add upstream patch to fix CVE-2017-1000248, allowing unsafe objects to be +loaded from redis (Closes: #882034) + + -- Cédric BoutillierFri, 01 Dec 2017 17:22:29 +0100 + ruby-redis-store (1.1.6-1) unstable; urgency=medium * Upstream update diff --git a/debian/patches/CVE-2017-1000248.patch b/debian/patches/CVE-2017-1000248.patch new file mode 100644 index 000..44c91de --- /dev/null +++ b/debian/patches/CVE-2017-1000248.patch 
@@ -0,0 +1,551 @@ +Description: Replace marshalling with pluggable serializers +Author: Tom Scott +Bug: https://github.com/redis-store/redis-store/issues/289 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882034 +Applied-Upstream: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e +Origin: upstream +Last-Update: Tue, 15 Aug 2017 11:07:07 -0400 + +This is in response to a vulnerability warning we received on Friday, +August 11th, 2017. While most users will not be affected by this +change, we recommend that developers of new applications use a different +serializer other than `Marshal`. This, along with the removal of the +`:marshalling` option, will enforce "sane defaults" in terms of securely +serializing/de-serializing data. + +- Add `:serializer` option and deprecate `:marshalling`. Although you + will still be able to enable/disable serialization with Marshal using + `:marshalling` in the 1.x series, this will be removed by 2.0. + +- Rename `Redis::Store::Marshalling` to `Redis::Store::Serialization` to + reflect its new purpose. 
+ +Fixes #289 +--- + lib/redis-store.rb | 12 --- + lib/redis/store.rb | 28 +-- + lib/redis/store/factory.rb | 9 - + lib/redis/store/namespace.rb | 4 +-- + .../store/{marshalling.rb => serialization.rb} | 6 ++-- + test/redis/store/factory_test.rb | 40 -- + test/redis/store/namespace_test.rb | 4 +-- + .../{marshalling_test.rb => serialization_test.rb} | 4 +-- + 8 files changed, 80 insertions(+), 27 deletions(-) + rename lib/redis/store/{marshalling.rb => serialization.rb} (90%) + rename test/redis/store/{marshalling_test.rb => serialization_test.rb} (98%) + +--- a/lib/redis-store.rb b/lib/redis-store.rb +@@ -1,12 +1 @@ +-require 'redis' + require 'redis/store' +-require 'redis/store/factory' +-require 'redis/distributed_store' +-require 'redis/store/namespace' +-require 'redis/store/marshalling' +-require 'redis/store/version' +- +-class Redis +- class Store < self +- end +-end +--- a/lib/redis/store.rb b/lib/redis/store.rb +@@ -1,3 +1,9 @@ ++require 'redis' ++require 'redis/store/factory' ++require 'redis/distributed_store' ++require 'redis/store/namespace' ++require 'redis/store/serialization' ++require 'redis/store/version' + require 'redis/store/ttl' + require 'redis/store/interface' + +@@ -7,6 +13,24 @@ + + def initialize(options = { }) + super ++ ++ unless options[:marshalling].nil? ++puts %( ++ DEPRECATED: You are passing the :marshalling option, which has been ++ replaced with `serializer: Marshal` to support pluggable serialization ++ backends. To disable serialization (much like disabling marshalling), ++ pass `serializer: nil` in your configuration. ++ ++ The :marshalling option will be removed for redis-store 2.0. ++) ++ end ++ ++ @serializer = options.key?(:serializer) ?
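Review bot: The changelog entry in the debian/changelog hunk is ambiguous and its trailer looks malformed. "Add upstream patch to fix CVE-2017-1000248, allowing unsafe objects to be loaded from redis" reads as if the fix is what allows unsafe objects to be loaded; "fix CVE-2017-1000248 (unsafe objects could be loaded from redis through Marshal)" states the bug instead. The trailer `-- Cédric BoutillierFri, 01 Dec 2017 17:22:29 +0100` is missing the maintainer address and the two spaces that dpkg-parsechangelog requires before the date (`-- Cédric Boutillier <address>  Fri, 01 Dec 2017 17:22:29 +0100`); if the archive merely stripped the address on display this is fine, but it is worth checking the uploaded debdiff, since a malformed trailer fails the build.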
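Review bot: For a stable update, the renames listed in the CVE-2017-1000248.patch diffstat (`lib/redis/store/{marshalling.rb => serialization.rb}` and, per the description, `Redis::Store::Marshalling` becoming `Redis::Store::Serialization`), together with the removal of `require 'redis/store/marshalling'` from lib/redis-store.rb, change the public API of a package already shipped in Stretch; any reverse dependency that references the old constant or requires the old file breaks after the point release. Consider keeping a compatibility shim in the stretch upload (a `lib/redis/store/marshalling.rb` that requires the new file and defines `Marshalling = Serialization` inside `Redis::Store`), or note in the changelog that the reverse dependencies in stretch were checked for those names.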
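Review bot: In the lib/redis/store.rb hunk the deprecation notice is emitted with `puts`, so it lands on the application's stdout every time a `Redis::Store` is created with `:marshalling` set; `warn` (stderr) is the usual choice for library deprecations and keeps the notice out of program output. The hunk is cut off in this digest right after `@serializer = options.key?(:serializer) ?`, so the fallback cannot be reviewed here: since the description promises that `:marshalling` still enables or disables Marshal in the 1.x series, verify that `marshalling: false` maps to `serializer: nil` and that the default when neither option is given is unchanged, because a behaviour change in a stable update would need a changelog entry. Note also that, as the description itself says, only applications that pass a serializer other than Marshal stop deserialising redis data with Marshal; a short NEWS or changelog line saying that the safer behaviour is opt-in would help stretch users decide whether they are still exposed.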
Bug#871937: The director's contacts - that is your client
Good day,

I would like to inform you about this year's change regarding the updated database of all Lithuanian companies as of mid-January 2018. All legal entities in the database are active, actually conducting business, and have employees. The data comes from Sodra and the Centre of Registers. The database also lists turnover, employee salaries, number of employees, number of vehicles and many other data, which you will see in the sample. The data can be filtered by activity, city and other fields.

This database is worth having for every company. I will give the reasons:

1) The contacts in the database are those of directors and other responsible persons, so there is a high probability of finding new clients, partners and suppliers when you communicate directly with directors and commercial managers.

2) Competitor analysis and selecting suppliers according to the criteria you need; you can filter by company size, and the database shows how much companies owe to Sodra.

3) It is easy, fast and convenient to work with this database; e-mail addresses can be imported into e-mail sending programs or the systems from which you send e-mails. You can also import mobile phone numbers into SMS sending programs.

Select from the "List of activities" the activities you need. (The list is attached to this letter as an Excel file.) Write which activities you have selected and we will send a sample and an offer with the terms for purchasing the company database.

Regards,
Tadas Giedraitis
Tel. no. +37067881041

Veiklos.xlsx
Description: Binary data
Bug#873102: [release.debian.org] transition: imagemagick
On Fri, Feb 16, 2018 at 3:02 PM, Emilio Pozuelo Monfort wrote:
> Control: tags -1 confirmed

Done waiting from your side

> On 16/02/18 14:30, roucaries bastien wrote:
>> On Wed, Oct 25, 2017 at 2:02 PM, roucaries bastien wrote:
>>> On Sat, Oct 21, 2017 at 6:26 PM, Emilio Pozuelo Monfort wrote:
>>>> Control: retitle -1 transition: imagemagick
>>>> Control: severity -1 normal
>>>>
>>>> On 24/08/17 17:21, Bastien ROUCARIÈS wrote:
>>>>> Package: release.debian.org
>>>>> Severity: important
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have just landed an imagemagick version in experimental that breaks the ABI.
>>>>> The previous ABI used double_t, which is not ABI stable...
>>>>>
>>>>> Could we get a transition of libmagickcore, libmagickwand and libmagick++?
>>>>>
>>>>> I rebuilt the reverse deps a few weeks ago (waiting for ftpmaster) and it was fine.
>>>>>
>>>>> I will fix the problems ASAP.
>>>>
>>>> What problems?
>>>>
>>>> FWIW this can't start until imagemagick builds on all release architectures:
>>>> https://buildd.debian.org/status/package.php?p=imagemagick=experimental
>>>
>>> Smells like a compiler bug :S
>>
>> Fixed, could you please go for the transition? Due to the huge backlog of security problems, the sooner the better.
>
> Go ahead.
>
> Emilio
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
Hi Adam & other release managers,

Adam D. Barratt:
> Any news on this?

Yes: the main blocker (in src:linux) was fixed a few weeks ago, so it's now feasible to make progress on the src:apparmor side. The next steps are tracked on #879585, which I've kept up to date.

> We're likely to be looking at freezing p-u for the next point
> release in a couple of weeks time.

I've been following the Stretch 9.4 scheduling thread with this in mind. My current plan is to prepare an updated stable p-u around February 24-25.

Thanks for the ping! :)

Cheers,
--
intrigeri
Bug#882697: stretch-pu: package apparmor/2.11.0-3+deb9u1
On 2018-01-07 11:23, intrigeri wrote:
> Control: tag -1 + moreinfo
>
> The issue in Linux 4.14 with feature set pinning vs. mount operations has not been fixed yet, so the 2.11.0-3+deb9u1 package that was accepted in the proposed-updates stable queue is not currently suitable for Stretch ⇒ dear release team, feel free to reject or delete it if it helps you ensure it does not land in the next point release.
>
> Also, after some discussion with Fabian the proposed change was re-implemented slightly differently in testing/sid; I want to do the same for the Stretch proposed update ⇒ tagging "moreinfo".

Any news on this?

We're likely to be looking at freezing p-u for the next point release in a couple of weeks' time.

Regards,

Adam
Processed: mbedtls transition blockers
Processing commands for cont...@bugs.debian.org:

> # for charybdis
> block 890448 by 890411
Bug #890448 [release.debian.org] transition: mbedtls
890448 was not blocked by any bugs.
890448 was not blocking any bugs.
Added blocking bug(s) of 890448: 890411
> # for neko
> block 890448 by 888095
Bug #890448 [release.debian.org] transition: mbedtls
890448 was blocked by: 890411
890448 was not blocking any bugs.
Added blocking bug(s) of 890448: 888095
> affects 888095 src:neko
Bug #888095 [src:mariadb-connector-c] mariadb-connector-c: ships libmariadb3 version 3.0.3-1, which is lower than the one in mariadb-10.[23]
Added indication that 888095 affects src:neko
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
888095: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888095
890448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#890740: marked as done (nmu: proftpd-mod-case_0.7-1)
Your message dated Mon, 19 Feb 2018 09:15:45 +0100
with message-id <9d97c8f7-a722-d89a-5d29-f441784ba...@debian.org>
and subject line Re: Bug#890740: nmu: proftpd-mod-case_0.7-1
has caused the Debian Bug report #890740,
regarding nmu: proftpd-mod-case_0.7-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
890740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890740
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: binnmu

The following packages have unmet dependencies:
 proftpd-mod-case : Depends: proftpd-abi-1.3.5d but it is not installable

nmu proftpd-mod-case_0.7-1 . ANY . unstable . -m "Rebuild with proftpd-abi-1.3.5e"
--- End Message ---
--- Begin Message ---
On 18/02/18 11:00, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: binnmu
>
> The following packages have unmet dependencies:
>  proftpd-mod-case : Depends: proftpd-abi-1.3.5d but it is not installable
>
>
> nmu proftpd-mod-case_0.7-1 . ANY . unstable . -m "Rebuild with
> proftpd-abi-1.3.5e"

Scheduled.

Emilio
--- End Message ---