Bug#945122: buster-pu: package cyrus-imapd/3.0.8-6+deb10u2

2019-11-19 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP
request. This is a minor vulnerability since authentication is already
vulnerable when using a non-SSL connection. However, this little patch
fixes the problem.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 8023011..b011c8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+  * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard   Tue, 19 Nov 2019 22:21:32 +0100
+
 cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
 
   * Add patch to fix data loss on upgrade from versions ≤ 3.0.0
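Review bot: `(Closes: CVE-2019-18928)` in the new changelog entry uses the Closes: keyword, which dpkg only parses for Debian bug numbers (`#nnnnnn`); for a security fix with no BTS bug the conventional form is `* Fix privilege escalation on HTTP request (CVE-2019-18928)`, which keeps the CVE greppable without suggesting a bug will be closed. The rest of the entry is fine: urgency=high suits a security update and the version string matches the bug title.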
diff --git a/debian/patches/CVE-2019-18928.patch 
b/debian/patches/CVE-2019-18928.patch
new file mode 100644
index 000..41bbad8
--- /dev/null
+++ b/debian/patches/CVE-2019-18928.patch
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison 
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
 b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+ txn->auth_chal.scheme = NULL;
+ }
+ 
++/* Drop auth credentials, if not a backend in a Murder */
++else if (!config_mupdate_server || 
!config_getstring(IMAPOPT_PROXYSERVERS)) {
++syslog(LOG_DEBUG, "drop auth creds");
++
++free(httpd_userid);
++httpd_userid = NULL;
++
++free(httpd_extrafolder);
++httpd_extrafolder = NULL;
++
++free(httpd_extradomain);
++httpd_extradomain = NULL;
++
++if (httpd_authstate) {
++auth_freestate(httpd_authstate);
++httpd_authstate = NULL;
++}
++}
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+  (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
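Review bot: the new `else if` branch is inserted ahead of the existing `/* Perform proxy authorization, if necessary */` branch in the same if/else chain, so on a host where `config_mupdate_server` is unset or `proxyservers` is empty the proxy-authorization path (the `Authorize-As` header check) is no longer reachable. That is consistent with the Description ("Only allow reuse of auth creds on a persistent connection against a backend server in a Murder"), but it is a second behaviour change and deserves a sentence in the Description so that the dropped proxy-authorization path on non-Murder hosts is documented rather than implied. Separately, as pasted here the `+++ b/imap/httpd.c` header line has lost its prefix (it appears as ` b/imap/httpd.c`) and the `else if (!config_mupdate_server ||` line is split across two lines; if that is the content of the patch file rather than mail wrapping, `quilt push` will refuse it, so confirm that `quilt push -a` succeeds and the package builds from the uploaded source.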
diff --git a/debian/patches/series b/debian/patches/series
index e9631e4..c66f980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@
 0023-fix-memory-leak-on-ldap-failure.patch
 CVE-2019-11356.patch
 0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch


NEW changes in stable-new

2019-11-19 Thread Debian FTP Masters
Processing changes file: dpdk_18.11.2-2+deb10u2_source.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_all.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_amd64.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_arm64.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_armhf.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_i386.changes
  ACCEPT
Processing changes file: dpdk_18.11.2-2+deb10u2_ppc64el.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_sourceonly.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_all.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_amd64.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_arm64.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_armel.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_armhf.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_i386.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_mips.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_mips64el.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_mipsel.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_ppc64el.changes
  ACCEPT
Processing changes file: ghostscript_9.27~dfsg-2+deb10u3_s390x.changes
  ACCEPT
Processing changes file: intel-microcode_3.20191112.1~deb10u1_multi.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_source.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_all.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_amd64.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_arm64.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_armel.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_armhf.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_i386.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_mips.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_mips64el.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_mipsel.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_ppc64el.changes
  ACCEPT
Processing changes file: linux_4.19.67-2+deb10u2_s390x.changes
  ACCEPT
Processing changes file: linux-signed-amd64_4.19.67+2+deb10u2_source.changes
  ACCEPT
Processing changes file: linux-signed-amd64_4.19.67+2+deb10u2_amd64.changes
  ACCEPT
Processing changes file: linux-signed-arm64_4.19.67+2+deb10u2_source.changes
  ACCEPT
Processing changes file: linux-signed-arm64_4.19.67+2+deb10u2_arm64.changes
  ACCEPT
Processing changes file: linux-signed-i386_4.19.67+2+deb10u2_source.changes
  ACCEPT
Processing changes file: linux-signed-i386_4.19.67+2+deb10u2_i386.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_sourceonly.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_all.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_amd64.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_arm64.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_armel.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_armhf.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_i386.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_mips.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_mips64el.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_mipsel.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: mosquitto_1.5.7-1+deb10u1_s390x.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_amd64.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_arm64.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_armel.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_armhf.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_i386.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_mips.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_mips64el.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_mipsel.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_ppc64el.changes
  ACCEPT
Processing changes file: openjdk-11_11.0.5+10-1~deb10u1_s390x.changes
  ACCEPT
Processing changes file: postgresql-common_200+deb10u3_source.changes
  ACCEPT
Processing changes file: postgresql-common_200+deb10u3_all.changes
  ACCEPT
Processing changes file: qemu_3.1+dfsg-8+deb10u3_sourceonly.changes
  ACCEPT
Processing changes file: qemu_3.1+dfsg-8+deb10u3_all.changes
  ACCEPT
Processing changes file: qemu_3.1+dfsg-8+deb10u3_amd64.changes
  ACCEPT

Bug#942106: python3.8 / pandas py2removal

2019-11-19 Thread Rebecca N. Palmer
The binNMUs (to add python3.8 support) of pandas and statsmodels failed.
I think this will make them work (but haven't tried it):


- Apply the (existing) #943418 fix to python-xlrd.
- Build matplotlib, pandas and statsmodels in that order.  (ben can't 
work this out because the declared dependencies are circular, but I 
think the actual strict test dependencies only go that way.)




Bug#945113: transition: hwloc

2019-11-19 Thread Samuel Thibault
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Hello,

Version 2 of hwloc introduces a soname bump. It also introduces
incompatible API changes, but with the latest upload of openmpi, I could
check that all packages that build with and actually use libhwloc-dev (a
dozen) now build fine with hwloc 2 (available in experimental). I'm thus
requesting a transition slot for hwloc 2.

Samuel

Ben file:

title = "hwloc";
is_affected = .depends ~ "libhwloc5" | .depends ~ "libhwloc15";
is_good = .depends ~ "libhwloc15";
is_bad = .depends ~ "libhwloc5";


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-debug'), (500, 
'oldstable-proposed-updates-debug'), (500, 'oldstable-proposed-updates'), (500, 
'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Processed: Re: Bug#944227: breaks

2019-11-19 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 - moreinfo + confirmed
Bug #944227 [release.debian.org] transition: prompt-toolkit
Removed tag(s) moreinfo.
Bug #944227 [release.debian.org] transition: prompt-toolkit
Added tag(s) confirmed.

-- 
944227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944227
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#944227: breaks

2019-11-19 Thread Graham Inggs
Control: tags -1 - moreinfo + confirmed

On Tue, 19 Nov 2019 at 13:48, Gordon Ball  wrote:
> I've added Breaks to the package in git:
>
> aws-shell (<= 0.2.1) [1]
> mycli (<< 1.19)
> pgcli (<< 2)
> python3-ipython (<< 7)
> python3-jupyter-console (<< 6)
> python3-softlayer (<< 5.8)
>
> [1] No upstream version which fixes this, but I assume adding an
> unversioned Breaks: is a bad idea.
>
> I think that having heard from sagemath, pgcli and mycli, the only
> outstanding blockers are aws-shell (#944542) and possibly
> mlbstreamer (#944545).
>
> For my part (ipython, jupyter-console) I'm waiting for python-backcall
> and ipython-py2 to go through NEW before ipython can be upgraded.

Great!  Please go ahead.



Bug#943992: transition: qscintilla2, soname 13 -> 15

2019-11-19 Thread Graham Inggs

Hi

On 2019/11/19 12:39, Dmitry Shachnev wrote:
> qscintilla2 is now built and installed on all release architectures.

Thanks for the quick fix of the mips64el symbols!

> You can schedule binNMUs.

Done a few hours ago.

Regards
Graham



Bug#944227: breaks

2019-11-19 Thread Gordon Ball
I've added Breaks to the package in git:

aws-shell (<= 0.2.1) [1]
mycli (<< 1.19)
pgcli (<< 2)
python3-ipython (<< 7)
python3-jupyter-console (<< 6)
python3-softlayer (<< 5.8)

[1] No upstream version which fixes this, but I assume adding an
unversioned Breaks: is a bad idea.

I think that having heard from sagemath, pgcli and mycli, the only
outstanding blockers are aws-shell (#944542) and possibly
mlbstreamer (#944545).

For my part (ipython, jupyter-console) I'm waiting for python-backcall
and ipython-py2 to go through NEW before ipython can be upgraded.



Bug#943992: transition: qscintilla2, soname 13 -> 15

2019-11-19 Thread Dmitry Shachnev
Hi all,

On Fri, Nov 15, 2019 at 01:50:19PM +0200, Graham Inggs wrote:
> On 2019/11/14 19:40, Lisandro Damián Nicanor Pérez Meyer wrote:
> > I have just uploaded the fix... and now it FTBFS because it got tangled
> > with the python3.8 transition :S
> >
> > So in order to get qscintilla2 going we need to wait for sip, then pyqt5
> > and then qscintilla2.
>
> Noted, thanks.  I'll give back qscintilla2 after pyqt5.

qscintilla2 is now built and installed on all release architectures.

You can schedule binNMUs.

--
Dmitry Shachnev




Processed: block 945014 with 945066

2019-11-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> block 945014 with 945066
Bug #945014 [enigmail] enigmail removed after installing thunderbird 
68.2.2-1~deb10u1
Bug #945033 [enigmail] enigmail in Buster uninstallable due to thunderbird 
1:68.2.2-1~deb10u1
945014 was not blocked by any bugs.
945014 was not blocking any bugs.
Added blocking bug(s) of 945014: 945066
945033 was not blocked by any bugs.
945033 was not blocking any bugs.
Added blocking bug(s) of 945033: 945066
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
945014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945014
945033: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945033
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#945066: buster-pu: package enigmail/2:2.1.3+ds1-4~deb10u1

2019-11-19 Thread Daniel Kahn Gillmor
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
Control: affects -1 enigmail
Control: blocks 945014 with -1

thunderbird 68 is now in buster-new and in security.debian.org.

sadly, the enigmail upstream versions are closely tied to the
thunderbird versions.  (enigmail 2.0.x works with TB 60, but 2.1.x works
with TB 68)  See https://bugs.debian.org/945014 for more details.

I'm proposing to upgrade the version of enigmail in buster to match the
new version of thunderbird.

You can see the proposed changes on the debian/buster git branch at
https://salsa.debian.org/debian/enigmail.git.

Because this is a major change to the version of enigmail, the
compressed debdiff is 1.4MiB, which i think is pushing it to include in
this message.

You can generate the debdiff yourself with this command:

git clone https://salsa.debian.org/debian/enigmail.git
cd enigmail
git diff --src-prefix=enigmail-2.0.12+ds1-1~deb10u1/ \
    --dst-prefix=enigmail-2.1.3+ds1-4~deb10u1/ \
    debian/2%2.0.12+ds1-1_deb10u1..debian/2%2.1.3+ds1-4_deb10u1

and i include the diffstat here:

 .eslintrc.js   |   25 +-
 .gitignore |   15 +-
 .gitlab-ci.yml |8 +-
 .jsbeautifyrc  |   41 +-
 Makefile   |   10 +-
 config.guess   | 1534 -
 config.sub | 1788 ---
 config/autoconf.mk.in  |   16 +-
 configure.ac   |7 +-
 debian/changelog   |   74 +
 debian/clean   |7 +-
 debian/compat  |1 -
 debian/control |   21 +-
 debian/copyright   |   69 +-
 debian/enigmail.links  |1 +
 debian/gbp.conf|2 +
 .../0001-avoid-eslint-during-buildtest.patch   |6 +-
 ...-auto-download-of-pEpEngine-Closes-891882.patch |6 +-
 .../0003-avoid-OpenPGP.js-when-building.patch  |  511 ++-
 .../0004-copy-enums.armor-from-OpenPGP.js.patch|   31 +-
 ... 0005-add-more-logging-to-autocrypt-test.patch} |   13 +-
 ...5-avoid-OpenPGP.js-during-key-file-import.patch |   82 -
 ...of-OpenPGP.js-for-generating-minimal-keys.patch |  178 --
 ...se-of-extra-file-descriptors-and-test-th.patch} |   34 +-
 ...do-symmetric-encryption-decryption-with-.patch} |4 +-
 ...nstead-of-openpgp.js-for-symmetric-encryp.patch |  326 ++
 ...ndividual-tests-in-key-test-with-withTes.patch} |   15 +-
 ...0010-Avoid-errors-on-validKeyserversExist.patch |   26 +
 ...nstead-of-openpgp.js-for-symmetric-encryp.patch |  208 --
 debian/patches/0011-drop-unnecessary-tests.patch   |   37 +
 ...ldlist.py-to-unix-style-line-endings-no-f.patch |   98 +
 ...0013-use-py2to3-2.7-to-convert-to-python3.patch |  315 ++
 .../0014-fix-shebang-lines-to-use-python3.patch|   29 +
 ...-rest-of-the-build-infrastructure-to-pyth.patch |   59 +
 .../patches/0016-always-return-a-struct_time.patch |   30 +
 ...ats-objects-as-Unicode-by-default-no-need.patch |   88 +
 .../0017-avoid-cmp-in-favor-of-__lt__.patch|   30 +
 ...9-Avoid-weird-Preprocessor.py-misbehavior.patch |   26 +
 debian/patches/series  |   22 +-
 debian/rules   |   13 +-
 debian/run-tests   |9 +-
 debian/tests/control   |   14 +-
 debian/tests/no-test.js|2 +
 debian/tests/tbird-sqlite  |   13 +-
 debian/tests/tbird-sqlite.js   |   10 +-
 debian/tests/unit-tests|5 +-
 include/postbox.h  |1 +
 include/tbird.h|1 +
 ipc/modules/Makefile   |   37 +-
 ipc/modules/enigmailprocess_common.jsm |   48 +-
 ipc/modules/enigmailprocess_main.jsm   |   18 +-
 ipc/modules/enigmailprocess_shared.js  |7 +-
 ipc/modules/enigmailprocess_shared_win.js  |   13 +-
 ipc/modules/enigmailprocess_unix.jsm   |  194 +-
 ipc/modules/enigmailprocess_win.jsm|   27 +-
 ipc/modules/enigmailprocess_worker_common.js   |  186 +-
 ipc/modules/enigmailprocess_worker_unix.js |6 +-
 ipc/modules/enigmailprocess_worker_win.js  |   51 +-
 ipc/modules/subprocess.jsm |   92 +-
 ipc/tests/Makefile |2 +-
 ipc/tests/main.js  |   11 +-
 ipc/tests/subprocess-test.js   |   14 +-
 

Processed (with 1 error): buster-pu: package enigmail/2:2.1.3+ds1-4~deb10u1

2019-11-19 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 enigmail
Bug #945066 [release.debian.org] buster-pu: package 
enigmail/2:2.1.3+ds1-4~deb10u1
Added indication that 945066 affects enigmail
> blocks 945014 with -1
Unknown command or malformed arguments to command.


-- 
945066: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945066
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems