Bug#1053292: bookworm-pu: package amd64-microcode/3.20230808.1.1~deb12u1

2023-09-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bookworm, a
separate one will be filed for Bullseye.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie; these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 +++---
 debian/NEWS|   15 +
 debian/changelog   |   37 +
 6 files changed, 88 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next Debian release.

-- 
  Henrique Holschuh

diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
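
Review bot: the added NOTE makes late loading on Genoa (Model=0x11) and Bergamo (Model=0xa0) depend on either AGESA >= 1.0.0.8 or a kernel carrying a32b0f0db3f3, and warns of one spurious NMI per physical core that will show up in kernel logs. The cover letter's [ Risks ] only says the related kernel updates are "already available"; the debian/NEWS entry (listed in the diffstat but not shown here) should name that kernel requirement and mention the expected NMI message, otherwise users of these two models will report the logged NMIs as a regression of this update.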
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V
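
Review bot: this hunk shows only the removed signature lines; the replacement `+` lines are missing from the debdiff as posted, so the new detached signature cannot be compared here. Since microcode_amd_fam19h.bin itself changes as an opaque binary, the one check that matters is that the new .asc verifies with the key the README commit message names (Key ID F328AE73, fingerprint FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73); the cover letter should state that this verification was done.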

Bug#1053290: bullseye-pu: package amd64-microcode/3.20230808.1.1~deb11u1

2023-09-30 Thread Henrique de Moraes Holschuh
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]

As requested by the security team, I would like to bring the microcode
update level for AMD64 processors in Bullseye and Bookworm to match what
we have in Sid and Trixie.  This is the bug report for Bullseye, a
separate one will be filed for Bookworm.

This fixes:
CVE-2023-20569 "AMD Inception" on AMD Zen4 processors

There are no relevant issues reported on this microcode update,
considering the version of amd64-microcode already available as security
updates for bookworm and bullseye.

[ Impact ]

If this update is not approved, owners of some Zen4 processors will
depend on UEFI updates to be protected against CVE-2023-20569.

[ Tests ]

There were no bug reports from users of Debian sid or Trixie; these
packages have been tested there since 2023-08-10 (sid), 2023-08-12
(trixie).

[ Risks ]

Unknown, but not believed to be any different from other AMD microcode
updates.

Linux kernel updates related to these microcode update fixes are already
available in Bookworm and Bullseye.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

As per the debdiff, only documentation changes, package documentation
changes, and the binary blob change from upstream.

Diffstat:
 README |   15 +
 amd-ucode/README   |   13 +++
 amd-ucode/microcode_amd_fam19h.bin |binary
 amd-ucode/microcode_amd_fam19h.bin.asc |   16 ++---
 debian/NEWS|   15 +
 debian/changelog   |   38 +
 6 files changed, 89 insertions(+), 8 deletions(-)

[ Other info ]

The package version with "~" is needed to guarantee smooth updates to
the next Debian release.

-- 
  Henrique Holschuh
diff --git a/README b/README
index cd7c30b..798d2e7 100644
--- a/README
+++ b/README
@@ -8,6 +8,21 @@ the newest of either amd-ucode or amd-sev.
 
 latest commits in this release:
 
+commit f2eb058afc57348cde66852272d6bf11da1eef8f
+Author: John Allen 
+Date:   Tue Aug 8 19:02:39 2023 +
+
+linux-firmware: Update AMD cpu microcode
+
+* Update AMD cpu microcode for processor family 19h
+
+Key Name= AMD Microcode Signing Key (for signing microcode container files only)
+Key ID  = F328AE73
+Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+
+Signed-off-by: John Allen 
+Signed-off-by: Josh Boyer 
+
 commit 0bc3126c9cfa0b8c761483215c25382f831a7c6f
 Author: John Allen 
 Date:   Wed Jul 19 19:17:57 2023 +
diff --git a/amd-ucode/README b/amd-ucode/README
index 1d39da3..fac1152 100644
--- a/amd-ucode/README
+++ b/amd-ucode/README
@@ -37,6 +37,19 @@ Microcode patches in microcode_amd_fam17h.bin:
   Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126e Length=3200 bytes
 
 Microcode patches in microcode_amd_fam19h.bin:
+  Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a10113e Length=5568 bytes
+  Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d1 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a001079 Length=5568 bytes
   Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001234 Length=5568 bytes
+  Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes
+
+NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0),
+either AGESA version >= 1.0.0.8 OR a kernel with the following commit is
+required:
+a32b0f0db3f3 ("x86/microcode/AMD: Load late on both threads too")
+
+When late loading the patches for Genoa or Bergamo, there may be one spurious
+NMI observed per physical core. These NMIs are benign and don't cause any
+functional issue but will result in kernel messages being logged.
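
Review bot: for the bullseye upload specifically, the NOTE's alternative "a kernel with the following commit is required: a32b0f0db3f3" needs checking against the bullseye kernel rather than the bookworm one; the cover letter's [ Risks ] says kernel updates are available in both suites, but a sentence confirming that the bullseye kernel carries this commit (or that AGESA >= 1.0.0.8 is the intended path for Genoa/Bergamo owners on bullseye) would make the claim reviewable.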
diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin
index 50470c3..02a5d05 100644
Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ
diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc
index a32b4d6..8cff901 100644
--- a/amd-ucode/microcode_amd_fam19h.bin.asc
+++ b/amd-ucode/microcode_amd_fam19h.bin.asc
@@ -1,11 +1,11 @@
 -BEGIN PGP SIGNATURE-
 
-iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmS3F00ACgkQ5L5TOfMo
-rnNEhQgAizSV8IFpvaYNytaJKLA4uevrZneGPV4czjCXnnj1yHpfQmCTyZQnoLnx
-7gyzf7K5271zO51FBQ5z2Nm48a3XPUhMbQLNP4BZdekLiA3bRpMtSyHct6zD0ULm
-xaFaOQ7MR1tGADhlon1bDvtnOuixUhwrZhEIlR9MzQAzERKDMOAVTbxn9ZhMfYiT
-LhA791Blyyi+6Z9uh7BpaA8l8uvoxt+uuvlBTjQMR3ER/TEjgcsoy+XhhK4QKS0V

NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: glibc_2.36-9+deb12u2_mipsel-buildd.changes
  ACCEPT



Processed: Re: Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053219 [release.debian.org] bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Added tag(s) confirmed.

-- 
1053219: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053219
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:37 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection only when configuration is edited by hand and
>    doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>    A little-known feature of OIDC allows the OpenID Provider to fetch the
>    Authorization request parameters itself by indicating a request_uri
>    parameter. This feature is now restricted to a white list using this
>    patch
> 

--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium

As Salvatore pointed out, the suite is wrong in the header.

+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the

s/little-know//

Please go ahead.

Regards,

Adam



Bug#1053189: bookworm-pu: package foot/1.13.1-2+deb12u1

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 08:35 +0200, Birger Schacht wrote:
> The terminal emulator foot contains a vulnerability. The issue is
> that, if an XTGETTCAP escape sequence printed to the terminal
> contains newline characters, foot will echo the newline characters
> back into the PTY as part of the "invalid capability" response.
> (XTGETTCAP strings are supposed to be hex-encoded, so it's not valid
> for them to contain newline characters.) 
> 

Please go ahead.

Regards,

Adam
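
A validator for the XTGETTCAP query format described in the quoted report, as an added example that is not foot's code: `parse_xtgettcap` accepts only strictly hex-encoded, `;`-separated capability names; `xtgettcap_reply_naive` models the flaw the report describes (the raw query text is echoed in the `DCS 0 + r` reply, so a newline in the query reaches the PTY); and `xtgettcap_reply` only ever emits re-encoded hex. The DCS/ST framing and the `1+r`/`0+r` reply forms follow xterm's XTGETTCAP documentation; the capability table and the function names are constructed for this example.

```python
"""Validating XTGETTCAP queries before answering them (added example)."""
import binascii
import re

DCS = "\x1bP"   # Device Control String introducer
ST = "\x1b\\"   # String Terminator
# A valid item is one or more hex byte pairs and nothing else.
_HEX = re.compile(r"\A(?:[0-9A-Fa-f]{2})+\Z")

# Constructed terminfo subset: capability name -> value the terminal reports.
CAPABILITIES = {"Co": "256", "TN": "xterm-256color"}


def parse_xtgettcap(pt: str):
    """Decode the Pt part of DCS + q Pt ST (';'-separated hex-encoded names).

    Returns the list of decoded names, or None if any item is not strictly
    hex (a newline, ESC or any other byte makes the whole query invalid).
    """
    names = []
    for item in pt.split(";"):
        if not _HEX.match(item):
            return None
        names.append(binascii.unhexlify(item).decode("ascii", "replace"))
    return names


def _ok_reply(names, caps):
    body = ";".join(n.encode().hex() + "=" + caps[n].encode().hex() for n in names)
    return DCS + "1+r" + body + ST


def xtgettcap_reply_naive(pt: str, caps=CAPABILITIES) -> str:
    """Flawed (models the reported bug): an invalid or unknown query is echoed
    back verbatim inside the DCS 0 + r reply, so query bytes reach the PTY."""
    names = parse_xtgettcap(pt)
    if names is None or any(n not in caps for n in names):
        return DCS + "0+r" + pt + ST
    return _ok_reply(names, caps)


def xtgettcap_reply(pt: str, caps=CAPABILITIES) -> str:
    """Hardened: the reply carries only names that passed the hex check, and
    those are re-encoded rather than copied; a malformed query gets an
    empty Pt, so no byte of the input is ever written back to the PTY."""
    names = parse_xtgettcap(pt)
    if names is None:
        return DCS + "0+r" + ST
    unknown = [n for n in names if n not in caps]
    if unknown:
        return DCS + "0+r" + ";".join(n.encode().hex() for n in unknown) + ST
    return _ok_reply(names, caps)
```

The property worth testing is that no byte of an invalid query appears in the reply; the hardened version guarantees it by re-encoding whatever it echoes, rather than by trying to filter specific control characters out of the input.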



Processed: Re: Bug#1053189: bookworm-pu: package foot/1.13.1-2+deb12u1

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053189 [release.debian.org] bookworm-pu: package foot/1.13.1-2+deb12u1
Added tag(s) confirmed.

-- 
1053189: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053189
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053220 [release.debian.org] bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5
Added tag(s) confirmed.

-- 
1053220: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053220
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-09-29 at 17:45 +0400, Yadd wrote:
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection due to incorrect escape handling
>  - an open redirection only when configuration is edited by hand and
>    doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>    A little-known feature of OIDC allows the OpenID Provider to fetch the
>    Authorization request parameters itself by indicating a request_uri
>    parameter. This feature is now restricted to a white list using this
>    patch
> 

Please go ahead.

Regards,

Adam
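
The `request_uri` allow-list that both lemonldap-ng updates above (bookworm and bullseye) describe for CVE-2023-44469, as an added example that is not LemonLDAP::NG's code: `request_uri_allowed` compares a normalised (scheme, host, path) against a constructed allow-list, and `resolve_authorization_request` refuses to fetch anything that is not on it, which is what turns the "OP fetches whatever URL the client names" feature from an SSRF primitive into a bounded one. The allow-list shape, the function names and the injected `fetch` callable are this example's assumptions, not the package's configuration format.

```python
"""Allow-list check for the OIDC request_uri parameter (added example)."""
from posixpath import normpath
from urllib.parse import urlsplit

# Constructed allow-list: (scheme, host, path prefix) the OP may fetch from.
# This is the example's own shape, not LemonLDAP::NG's configuration.
ALLOWED_REQUEST_URIS = [
    ("https", "rp.example.org", "/oidc/requests/"),
]


def request_uri_allowed(uri: str, allowlist=ALLOWED_REQUEST_URIS) -> bool:
    """True only if uri matches an allow-list entry after normalisation."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.username is not None or parts.password is not None:
        return False               # "allowed-host@real-host" tricks
    if port not in (None, 443):
        return False               # only the default HTTPS port
    host = (parts.hostname or "").lower()
    path = normpath(parts.path or "/")   # collapse "/../" before the prefix test
    for scheme, allowed_host, prefix in allowlist:
        if parts.scheme == scheme and host == allowed_host and path.startswith(prefix):
            return True
    return False


def resolve_authorization_request(params: dict, fetch, allowlist=ALLOWED_REQUEST_URIS) -> dict:
    """Merge parameters from a request object into the query parameters, but
    fetch the request object only from an allow-listed location.

    `fetch` is injected so the example runs offline; in a real OP it would be
    the HTTP client that retrieves and parses the request object.
    """
    merged = dict(params)
    uri = params.get("request_uri")
    if uri is None:
        return merged
    if not request_uri_allowed(uri, allowlist):
        raise PermissionError(f"request_uri rejected by allow-list: {uri}")
    # This example lets request-object values override the query values.
    merged.update(fetch(uri))
    return merged


def demo():
    """Run one allowed and one rejected request; returns what a test can check."""
    calls = []

    def fake_fetch(uri):            # stands in for the HTTP client; no network
        calls.append(uri)
        return {"scope": "openid", "redirect_uri": "https://rp.example.org/cb"}

    base = {"client_id": "rp", "response_type": "code"}
    allowed = resolve_authorization_request(
        dict(base, request_uri="https://rp.example.org/oidc/requests/abc123"), fake_fetch)
    try:
        resolve_authorization_request(
            dict(base, request_uri="http://intranet.internal/admin"), fake_fetch)
        blocked = False
    except PermissionError:
        blocked = True
    return allowed, blocked, calls
```

The fetch is attempted only after the check passes, so the rejected request never produces an outbound connection; that ordering, not the exact list contents, is the part to preserve when adapting the check.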



Processed: Re: Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1053270 [release.debian.org] bullseye-pu: package curl/7.74.0-1.3+deb11u9
Added tag(s) confirmed.

-- 
1053270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Adam D. Barratt
Control: tags -1 confirmed

On Sat, 2023-09-30 at 20:46 +0800, Carlos Henrique Lima Melara wrote:
> Vulnerabilities were discovered and reported to Curl upstream [1][2]
> with the
> following CVE IDs:
> 
> - CVE-2023-28321
> - CVE-2023-28322
> 

Please go ahead.

Regards,

Adam



Bug#1052467: marked as done (transition: svt-av1)

2023-09-30 Thread Debian Bug Tracking System
Your message dated Sat, 30 Sep 2023 18:22:22 +0200
with message-id 
and subject line Re: Bug#1052467: transition: svt-av1
has caused the Debian Bug report #1052467,
regarding transition: svt-av1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1052467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052467
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Dear Release Team,

Please schedule a transition slot for svt-av1.

The auto-generated ben tracker looks good:
https://release.debian.org/transitions/html/auto-svt-av1.html

All reverse deps (ffmpeg, libavif and libheif) build fine with the new version
in experimental.

Thanks,
Dylan
--- End Message ---
--- Begin Message ---
On 2023-09-23 15:19:42 +0200, Dylan Aïssi wrote:
> Le ven. 22 sept. 2023 à 21:25, Sebastian Ramacher
>  a écrit :
> >
> > Please go ahead.
> >
> 
> Thanks, uploaded.

The old binaries got removed from testing. Closing.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Bug#1053272: bookworm-pu: package rmlint/2.9.0-2.5~deb12u1

2023-09-30 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Julian Gilbey , Carlos Maddela 


This adds the #1040940 fix to the #1040939 upload for an unrelated
issue that is already included for the next point release.

#1040940 happens with python3.11/sid but not with python3.11/bookworm,
but it is unclear which python3.11 change caused it or whether this
might at some point get backported as part of a security fix to
python3.11/bookworm. The fix is an obvious off-by-one fix.

Regarding the versioning:

My debdiff is against the already approved #1040939,
but I am changing the versioning from 2.9.0-2.3+deb12u*
to 2.9.0-2.5~deb12u1 for two reasons:
1. it documents that this is a backport of a version, and
2. people won't see the same changes twice in apt-listchanges

These are not very strong reasons; I wouldn't have made such a change
had 2.9.0-2.3+deb12u1 already been released.
diffstat for rmlint-2.9.0 rmlint-2.9.0

 changelog                                                               |   19 ++-
 patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch |   26 ++
 patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch  |    9 ---
 patches/series                                                          |    1 
 4 files changed, 46 insertions(+), 9 deletions(-)

diff -Nru rmlint-2.9.0/debian/changelog rmlint-2.9.0/debian/changelog
--- rmlint-2.9.0/debian/changelog   2023-07-12 18:18:40.0 +0300
+++ rmlint-2.9.0/debian/changelog   2023-09-30 15:52:45.0 +0300
@@ -1,10 +1,25 @@
-rmlint (2.9.0-2.3+deb12u1) bookworm; urgency=medium
+rmlint (2.9.0-2.5~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm.
+
+ -- Adrian Bunk   Sat, 30 Sep 2023 15:52:45 +0300
+
+rmlint (2.9.0-2.5) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add upstream fix for GUI startup failure with recent python3.11.
+(Closes: #1040940)
+
+ -- Adrian Bunk   Sat, 05 Aug 2023 17:16:05 +0300
+
+rmlint (2.9.0-2.4) unstable; urgency=medium
 
   * Non-maintainer upload.
   * Fix error in other packages caused by invalid python package version
 number (cherry-picking upstream patch; closes: #1040179)
 
- -- Julian Gilbey   Wed, 12 Jul 2023 16:18:40 +0100
+ -- Julian Gilbey   Wed, 05 Jul 2023 09:31:46 +0100
 
 rmlint (2.9.0-2.3) unstable; urgency=medium
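
Review bot: besides inserting the two new stanzas, the hunk rewrites the trailer of the existing 2.9.0-2.4 entry from ` -- Julian Gilbey   Wed, 12 Jul 2023 16:18:40 +0100` to ` -- Julian Gilbey   Wed, 05 Jul 2023 09:31:46 +0100` and drops the 2.9.0-2.3+deb12u1 stanza outright. Both are expected if the file is now taken verbatim from the unstable changelog and the +deb12u1 version was never released (as the cover letter says), but the cover letter only mentions the version rename; one sentence saying the -2.4 stanza is copied from unstable would save a reviewer hunting for a substantive change behind the changed date.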
 
diff -Nru 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
--- 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 1970-01-01 02:00:00.0 +0200
+++ 
rmlint-2.9.0/debian/patches/0001-cmdline-do-not-write-NUL-byte-to-GUI-bootstrap-scrip.patch
 2023-08-05 17:13:47.0 +0300
@@ -0,0 +1,26 @@
+From e811a34bdf81f0f5366b07077432f8ab9c776ddd Mon Sep 17 00:00:00 2001
+From: Cebtenzzre 
+Date: Wed, 2 Aug 2023 21:29:15 -0400
+Subject: cmdline: do not write NUL byte to GUI bootstrap script
+
+Fixes #628
+---
+ lib/cmdline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/cmdline.c b/lib/cmdline.c
+index d5b1338c..07ba104a 100644
+--- a/lib/cmdline.c
 b/lib/cmdline.c
+@@ -176,7 +176,7 @@ static void rm_cmd_start_gui(int argc, const char **argv) {
+ return;
+ }
+ 
+-if(write(bootstrap_fd, RM_PY_BOOTSTRAP, sizeof(RM_PY_BOOTSTRAP)) < 0) {
++if(write(bootstrap_fd, RM_PY_BOOTSTRAP, strlen(RM_PY_BOOTSTRAP)) < 0) {
+ rm_log_warning_line("Could not bootstrap gui: Unable to write to 
tempfile: %s",
+ g_strerror(errno));
+ return;
+-- 
+2.30.2
+
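
Review bot: the one-line fix is right: `sizeof(RM_PY_BOOTSTRAP)` counts the string literal's terminating NUL, so the old `write()` appended a stray zero byte to the bootstrap script, which the cover letter says breaks GUI startup with the newer python3.11; `strlen()` writes exactly the text. The surrounding check `< 0` still accepts a short write, though, which would leave a truncated script and report success, so comparing the return value against `strlen(RM_PY_BOOTSTRAP)` (or looping until everything is written) would complete the fix. Worth confirming lib/cmdline.c already includes `<string.h>`, since the hunk adds no include.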
diff -Nru 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
--- 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
  2023-07-12 18:18:40.0 +0300
+++ 
rmlint-2.9.0/debian/patches/0001-fix-link-error-on-compilers-with-fno-common-enabled.patch
  2023-07-05 11:31:46.0 +0300
@@ -10,11 +10,9 @@
  lib/config.h.in | 62 ++---
  1 file changed, 33 insertions(+), 29 deletions(-)
 
-diff --git a/lib/config.h.in b/lib/config.h.in
-index 44d7e5d9..d9fdeabd 100644
 --- a/lib/config.h.in
 +++ b/lib/config.h.in
-@@ -121,9 +121,13 @@
+@@ -123,9 +123,13 @@
  #  define N_(String) gettext_noop (String)
  #endif
  
@@ -30,7 +28,7 @@
  
  typedef guint64 RmOff;
  
-@@ -150,33 +154,33 @@ typedef guint64 RmOff;
+@@ -152,33 +156,33 @@
  
  ///
  
@@ -91,6 +89,3 @@
  
  /* Domain for reporting errors. Needed by GOptions */
  #define RM_ERROR_QUARK (g_quark_from_static_string("rmlint"))
--- 
-2.20.1
-
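
Review bot: this refresh changes no code in the patch: it drops the `diff --git`/`index` header lines and the `-- 2.20.1` git trailer and shifts the two `@@` offsets by two lines (121 to 123, 150 to 152). Harmless, but since the new cmdline.c patch touches a different file the offset shift is not explained by anything in this debdiff, so a line in the cover letter saying the patch was re-refreshed from the 2.9.0-2.5 source would stop reviewers looking for a hidden change.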
diff -Nru rmlint-2.9.0/debian/patches/series rmlint-2.9.0/debian/patches/series
--- 

Bug#1053271: bullseye-pu: package cpio/2.13+dfsg-7.1~deb11u1

2023-09-30 Thread Adrian Bunk
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@security.debian.org, Anibal Monsalve Salazar 


This updates the cpio package in bullseye to the package
in bookworm/trixie/sid (same upstream version).

The first 3 post-bullseye uploads are CVE-2021-38185 plus
regression fixes for this change.

The 2.13+dfsg-7.1 changes are one documentation change and two
changes that look desirable (even though they alone might not have
warranted a stable update):
  * Suggest libarchive-dev (Closes: #662718).
  * d/copyright: Convert to machine-readable format.
  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).

There are no bugs in the BTS indicating that any regressions have been
caused by any of these changes during the year since they were uploaded
to bookworm/sid.
diffstat for cpio-2.13+dfsg cpio-2.13+dfsg

 changelog|   39 
 control  |2 
 copyright|   51 -
 patches/992045-CVE-2021-38185-rewrite-dynamic-string-support |  454 +++
 patches/992098-regression-of-orig-fix-for-CVE-2021-38185 |   36 
 patches/992192-Fix-dynamic-string-reallocations.patch|   80 +
 patches/Wrong-CRC-with-ASCII-CRC-for-large-files.patch   |   34 
 patches/series   |4 
 8 files changed, 685 insertions(+), 15 deletions(-)

diff -Nru cpio-2.13+dfsg/debian/changelog cpio-2.13+dfsg/debian/changelog
--- cpio-2.13+dfsg/debian/changelog 2020-09-17 14:16:18.0 +0300
+++ cpio-2.13+dfsg/debian/changelog 2023-09-30 15:18:55.0 +0300
@@ -1,3 +1,42 @@
+cpio (2.13+dfsg-7.1~deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bullseye.
+
+ -- Adrian Bunk   Sat, 30 Sep 2023 15:18:55 +0300
+
+cpio (2.13+dfsg-7.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Suggest libarchive-dev (Closes: #662718).
+  * d/copyright: Convert to machine-readable format.
+  * Fix CRC with new ASCII format when file > 2GB (Closes: #962188).
+
+ -- Bastian Germann   Wed, 14 Sep 2022 21:45:55 +0200
+
+cpio (2.13+dfsg-7) unstable; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Fix dynamic string reallocations (Closes: #992192)
+
+ -- Anibal Monsalve Salazar   Sun, 22 Aug 2021 15:21:53 
+1000
+
+cpio (2.13+dfsg-6) unstable; urgency=high
+
+  * Fix regression of original fix for CVE-2021-38185
+Add patch 992098-regression-of-orig-fix-for-CVE-2021-38185 
+Closes: #992098
+
+ -- Anibal Monsalve Salazar   Fri, 13 Aug 2021 13:06:27 
+1000
+
+cpio (2.13+dfsg-5) unstable; urgency=medium
+
+  * Fix CVE-2021-38185
+Add patch 992045-CVE-2021-38185-rewrite-dynamic-string-support
+Closes: #992045
+
+ -- Anibal Monsalve Salazar   Wed, 11 Aug 2021 01:18:33 
+1000
+
 cpio (2.13+dfsg-4) unstable; urgency=medium
 
   * Source only upload to enable migration.
diff -Nru cpio-2.13+dfsg/debian/control cpio-2.13+dfsg/debian/control
--- cpio-2.13+dfsg/debian/control   2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/control   2022-09-14 22:45:55.0 +0300
@@ -17,7 +17,7 @@
 Replaces: cpio-mt
 Conflicts: mt-st (<< 0.6), cpio-mt
 Multi-Arch: foreign
-Suggests: libarchive1
+Suggests: libarchive-dev
 Description: GNU cpio -- a program to manage archives of files
  GNU cpio is a tool for creating and extracting archives, or copying
  files from one place to another.  It handles a number of cpio formats
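
Review bot: replacing `Suggests: libarchive1` is right, since that is an obsolete binary package name that no longer resolves to anything. Suggesting a `-dev` package from an end-user tool is unusual, and the changelog line `* Suggest libarchive-dev (Closes: #662718).` gives no rationale; even though the cover letter says this matches what is already in bookworm/sid, a short justification (why `-dev` rather than a runtime package) would help the stable review.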
diff -Nru cpio-2.13+dfsg/debian/copyright cpio-2.13+dfsg/debian/copyright
--- cpio-2.13+dfsg/debian/copyright 2020-02-01 15:11:00.0 +0200
+++ cpio-2.13+dfsg/debian/copyright 2022-09-14 22:45:55.0 +0300
@@ -1,16 +1,39 @@
-This is the Debian GNU/Linux prepackaged version of GNU cpio
-(including mt).
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This is the Debian GNU/Linux prepackaged version of GNU cpio
+ (including mt).
+ .
+ This package was put together by Clint Adams .
+Source: ftp://ftp.gnu.org/gnu/cpio
 
-This package was put together by Clint Adams ,
-from sources obtained from ftp://ftp.gnu.org:/gnu/cpio
+Files: *
+Copyright: (C) 1984-2019 Free Software Foundation, Inc.
+License: GPL-3+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3, or (at your option)
+ any later version.
+Comment:
+ The text of the GPL version 3 can be found on Debian systems in
+ /usr/share/common-licenses/GPL-3.
 
-GNU cpio is Copyright (C) 1990, 1991, 1992, 2001, 2003, 2004, 2005,
-2006, 2007 Free Software Foundation, Inc.
-
-This program is free software; you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation; 
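
Review bot: the hunk is cut off in the middle of the old GPL boilerplate, so the remainder of the DEP-5 conversion is not reviewable here. In the visible part, `Source: ftp://ftp.gnu.org/gnu/cpio` carries over the old FTP URL (an https URL to the same location would be more useful today), and `Copyright: (C) 1984-2019 Free Software Foundation, Inc.` with `License: GPL-3+` for `Files: *` replaces the explicit year list; that is fine provided upstream's COPYING indeed says version 3 or later, which the cover letter could state since it is a copyright change riding on a stable update.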

Bug#1053270: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Carlos Henrique Lima Melara
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: c...@packages.debian.org, charlesmel...@riseup.net
Control: affects -1 + src:curl

[ Reason ]
Vulnerabilities were discovered and reported to Curl upstream [1][2] with the
following CVE IDs:

- CVE-2023-28321
- CVE-2023-28322

The description of the CVE-2023-28321 is:

> An improper certificate validation vulnerability exists in curl
>  listed as "Subject Alternative Name" in TLS server certificates. curl
> can be built to use its own name matching function for TLS rather than
> one provided by a TLS library. This private wildcard matching function
> would match IDN (International Domain Name) hosts incorrectly and
> could as a result accept patterns that otherwise should mismatch. IDN
> hostnames are converted to puny code before used for certificate
> checks. Puny coded names always start with `xn--` and should not be
> allowed to pattern match, but the wildcard check in curl could still
> check for `x*`, which would match even though the IDN name most likely
> contained nothing even resembling an `x`.

And the description of the CVE-2023-28322 is:

> An information disclosure vulnerability exists in curl  doing HTTP(S) transfers, libcurl might erroneously use the read
> callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when
> the `CURLOPT_POSTFIELDS` option has been set, if the same handle
> previously was used to issue a `PUT` request which used that callback.
> This flaw may surprise the application and cause it to misbehave and
> either send off the wrong data or use memory after free or similar in
> the second transfer. The problem exists in the logic for a reused
> handle when it is (expected to be) changed from a PUT to a POST.

This proposed update is meant to fix those vulnerabilities.

[ Impact ]
As the vulnerabilities are present in bullseye's curl code, they can be
exploited by malicious actors.

[ Tests ]
Automatic tests were executed (from the curl test suite) during build
time. Everything passed after the changes were introduced.

I also conducted a test to see if the CVE-2023-28321 was fixed. In order
to do so, I've followed the report's reproduction steps [3] and tested in a
bullseye container. The default bullseye curl version is vulnerable, but
this new one is not. Unfortunately the PoC of CVE-2023-28322 was crafted
using a newer version of libcurl, so I wasn't able to validate the fix
of the backported patch.

Also, note the fix for CVE-2023-28321 comes from CentOS and is already
available there.

[ Risks ]
The changes weren't big because the delta between bullseye's version and
current upstream is not that large (true for CVE-2023-28322). Differences
do exist, though, so I did a backport of the patch (obviously there is a
chance of introducing bugs here, but we are using the tests to spot them).

Also, the fix for CVE-2023-28321 is new code based on the fix applied in curl
8.1.0 done by a Red Hat engineer. So, new bugs could have been
introduced.

I reviewed this fix and samueloph reviewed everything (both fixes and
packaging).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Here is a list of the commits applied to this pu release:

commit a1190a634dcca9a85f8217c71b1073825885a16e
Author: Carlos Henrique Lima Melara 
Date:   Sun Sep 10 15:29:53 2023 +0530

Finalize changelog for 7.74.0-1.3+deb11u9 bullseye upload

commit 39155aa17df39693c2f21ef5dbb0ddf11568256f
Author: Carlos Henrique Lima Melara 
Date:   Fri Sep 8 19:00:25 2023 +0530

d/p/CVE-2023-28322.patch: backport patch

commit 156409a45db1c739edece8fd3b3d4d78d09c82ae
Author: Carlos Henrique Lima Melara 
Date:   Sun Aug 13 11:01:11 2023 -0300

Import 2 new patches fixing CVES

One comes from upstream and another from CentOS.

CVE-2023-28321
CVE-2023-28322

[ Other info ]
Links:

[1] https://security-tracker.debian.org/tracker/CVE-2023-28321
[2] https://security-tracker.debian.org/tracker/CVE-2023-28322
[3] https://hackerone.com/reports/1950627

Cheers,
Charles
diff -Nru curl-7.74.0/debian/changelog curl-7.74.0/debian/changelog
--- curl-7.74.0/debian/changelog2023-04-03 03:34:17.0 +0800
+++ curl-7.74.0/debian/changelog2023-09-10 17:49:20.0 +0800
@@ -1,3 +1,14 @@
+curl (7.74.0-1.3+deb11u9) bullseye; urgency=medium
+
+  * Team upload.
+  * Import 2 new patches to fix CVES:
+- CVE-2023-28321: IDN wildcard match may lead to Improper Cerificate
+  Validation.
+- CVE-2023-28322: more POST-after-PUT confusion.
+  * debian/patches/CVE-2023-28322.patch: backport patch.
+
+ -- Carlos Henrique Lima Melara   Sun, 10 Sep 2023 
15:19:20 +0530
+
 curl (7.74.0-1.3+deb11u8) bullseye; urgency=medium
 
   * Backport upstream patches to fix 5 CVEs:
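
Review bot: typo in the new stanza: `- CVE-2023-28321: IDN wildcard match may lead to Improper Cerificate` should read "Improper Certificate Validation". Worth fixing before upload, since changelog text is what users see in apt-listchanges and what the security tracker links to.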
diff -Nru 
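
The wildcard-matching flaw in the CVE-2023-28321 description above, as an added example that is not curl's code: `wildcard_match_naive` is modelled on the behaviour the CVE text describes (the `xn--` guard is applied to the pattern only, and a partial wildcard such as `x*` is accepted), `wildcard_match_hardened` applies the checks that close the gap (the wildcard must be the entire leftmost label, at least two fixed labels must follow, and a punycode hostname label is never pattern-matched), and `san_matches` runs either matcher over a constructed SAN list. The function names and sample names are this example's own.

```python
"""Wildcard matching of certificate dNSName entries against a hostname
(added example modelled on the CVE-2023-28321 description, not curl's code)."""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is the same name.
    return name.lower().rstrip(".")


def wildcard_match_naive(pattern: str, hostname: str) -> bool:
    """Flawed matcher: partial wildcards are accepted and the IDN guard looks
    at the pattern, so "x*.example.com" matches "xn--....example.com"."""
    p, h = _normalize(pattern), _normalize(hostname)
    star = p.find("*")
    if star < 0:
        return p == h
    label_end = p.find(".")
    # Guards: at least two dots, wildcard inside the first label, and the
    # *pattern* is not punycode. The hostname is never inspected for xn--.
    wildcard_enabled = (
        label_end >= 0
        and p.find(".", label_end + 1) >= 0
        and not p.startswith("xn--")
        and star < label_end
    )
    if not wildcard_enabled:
        return p == h
    h_label_end = h.find(".")
    if h_label_end < 0 or p[label_end:] != h[h_label_end:]:
        return False
    if h_label_end < label_end:
        return False  # the wildcard must match at least one character
    prefix, suffix = p[:star], p[star + 1:label_end]
    first = h[:h_label_end]
    return first.startswith(prefix) and first.endswith(suffix)


def wildcard_match_hardened(pattern: str, hostname: str) -> bool:
    """Only a whole-label leftmost wildcard ("*.example.com"), with at least
    two fixed labels after it, and never against a punycode (xn--) label."""
    p, h = _normalize(pattern), _normalize(hostname)
    if "*" not in p:
        return p == h
    if not p.startswith("*.") or "*" in p[2:]:
        return False  # "x*" and embedded wildcards are not patterns at all
    if p.count(".") < 2:
        return False  # "*.com" would be far too wide
    first, dot, rest = h.partition(".")
    if not dot or not first:
        return False
    if first.startswith("xn--"):
        return False  # IDN A-label: no wildcard matching, exact names only
    return rest == p[2:]  # the wildcard covers exactly one label


def san_matches(san_dns_names, hostname, matcher=wildcard_match_hardened) -> bool:
    """True if any dNSName entry from a certificate's SAN list matches."""
    return any(matcher(name, hostname) for name in san_dns_names)
```

Feeding both matchers the same constructed SAN list (`["api.example.com", "*.example.com"]`) against a punycode hostname shows the difference: the naive matcher accepts it via the wildcard entry, the hardened one requires an exact dNSName for any `xn--` label.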

Processed: bullseye-pu: package curl/7.74.0-1.3+deb11u9

2023-09-30 Thread Debian Bug Tracking System
Processing control commands:

> affects -1 + src:curl
Bug #1053270 [release.debian.org] bullseye-pu: package curl/7.74.0-1.3+deb11u9
Added indication that 1053270 affects src:curl

-- 
1053270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: linux_6.1.55-1_mips64el-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: linux_6.1.55-1_mipsel-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: glibc_2.36-9+deb12u2_armhf-buildd.changes
  ACCEPT



NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: curl_7.88.1-10+deb12u3_mipsel-buildd.changes
  ACCEPT



Bug#1052445: marked as done (transition: libpqxx)

2023-09-30 Thread Debian Bug Tracking System
Your message dated Sat, 30 Sep 2023 08:16:06 +0200
with message-id 
and subject line Re: Bug#1052445: Uploaded to sid
has caused the Debian Bug report #1052445,
regarding transition: libpqxx
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1052445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052445
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpqxx
Version: 6.4.5-2
Severity: normal
X-Debbugs-Cc: teusjanne...@gmail.com, team+postgre...@tracker.debian.org

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Release Team,

Package libpqxx has a new update from upstream in experimental.

Checked sqlsmith and osm2pgrouting source packages, which seem to be unaffected.

Ben information:
Affected: .depends ~ /\b(libpqxx\-7\.8|libpqxx\-6\.4)\b/
Good: .depends ~ /\b(libpqxx\-7\.8)\b/
Bad: .depends ~ /\b(libpqxx\-6\.4)\b/

Request scheduled binNMU for libpqxx into sid.

Thank you.


- - -- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-12-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_NL.UTF-8, LC_CTYPE=en_NL.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



--- End Message ---
--- Begin Message ---
On 2023-09-24 12:38:01 +0200, Teus Benschop wrote:
> Thank you, Sebastian, for the go-ahead.
> 
> The upload to sid was done, and things build well there.

The old binaries got removed from testing.

Cheers
-- 
Sebastian Ramacher
--- End Message ---


Processed: closing 1053151

2023-09-30 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> # block removed
> close 1053151
Bug #1053151 [release.debian.org] unblock: apt/2.7.6
Marked Bug as done
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1053151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053151
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



NEW changes in stable-new

2023-09-30 Thread Debian FTP Masters
Processing changes file: glibc_2.36-9+deb12u2_armel-buildd.changes
  ACCEPT