Bug#1025647: buster-pu: package libapache2-mod-auth-mellon/0.14.2-1+deb10u1

2022-12-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I propose this upload to buster to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.

The changes are already in sid and bookworm for a longer time, and in
bullseye for the first part.


Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/changelog 
libapache2-mod-auth-mellon-0.14.2/debian/changelog
--- libapache2-mod-auth-mellon-0.14.2/debian/changelog  2019-03-22 
12:10:11.0 +
+++ libapache2-mod-auth-mellon-0.14.2/debian/changelog  2022-12-06 
15:39:13.0 +
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.14.2-1+deb10u1) buster; urgency=high
+
+  * Upload to fix security issues:
+- Open redirect in logout endpoint (CVE-2019-13038 CVE-2021-3639)
+
+ -- Thijs Kinkhorst   Tue, 06 Dec 2022 15:39:13 +
+
 libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
 
   * New upstream security release. (closes: #925197)
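Review bot: the changelog bullet files both CVEs under "Open redirect in logout endpoint", but the CVE-2019-13038.patch header in this same debdiff gives `/mellon/login?ReturnTo=...` as the reported vector, and the fix lands in am_validate_redirect_url, which serves login and logout alike. Suggest "Open redirect via ReturnTo in login/logout endpoints (CVE-2019-13038, CVE-2021-3639)", with the two ids comma-separated so each is findable on its own.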
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch 
libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch   
1970-01-01 00:00:00.0 +
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2019-13038.patch   
2022-12-06 15:36:36.0 +
@@ -0,0 +1,29 @@
+From a52645391d08739a6a96df21e2506d3e57b888dc Mon Sep 17 00:00:00 2001
+From: Valentin 
+Date: Fri, 6 Sep 2019 13:30:36 +0300
+Subject: [PATCH] Fix open redirect CVE-2019-13038
+
+Resolves:
+https://github.com/latchset/mod_auth_mellon/issues/2
+
+The original reported redirect attack was:
+https://application.com/mellon/login?ReturnTo=http:www.malicious.com
+---
+ auth_mellon_util.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index fd442f9..e53a98f 100644
+--- a/auth_mellon_util.c
 b/auth_mellon_util.c
+@@ -116,6 +116,10 @@ int am_validate_redirect_url(request_rec *r, const char 
*url)
+ 
+ /* Sanity check of the scheme of the domain. We only allow http and 
https. */
+ if (uri.scheme) {
++/* http and https schemes without hostname are invalid. */
++if (!uri.hostname) {
++return HTTP_BAD_REQUEST;
++}
+ if (strcasecmp(uri.scheme, "http")
+ && strcasecmp(uri.scheme, "https")) {
+ AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r,
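Review bot: the new `if (!uri.hostname) { return HTTP_BAD_REQUEST; }` rejects silently, whereas the scheme check immediately below it logs through AM_LOG_RERROR before rejecting; an operator chasing refused ReturnTo values will see the scheme failures in the error log but not these. Suggest mirroring the existing block, e.g. `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "Redirect URL \"%s\" has a scheme but no hostname", url);` before the return. Keeping the check inside `if (uri.scheme)` is right: a scheme-less relative path legitimately has no hostname and must still pass.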
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch 
libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch
1970-01-01 00:00:00.0 +
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/CVE-2021-3639.patch
2022-12-06 15:38:26.0 +
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito 
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
 b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+ 
++if (url == NULL) {
++return HTTP_BAD_REQUEST;
++}
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+ 
++if (strstr(url, "///") == url) {
++AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++  "URL starts with '///'");
++return HTTP_BAD_REQUEST;
++}
++
+ return OK;
+ }
+ 
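Review bot: `strstr(url, "///") == url` walks the whole string to find the first match and then tests that it sat at offset 0; `strncmp(url, "///", 3) == 0` states the prefix test directly and stops after three bytes. Separately, the third argument of AM_LOG_RERROR is the apr_status_t slot (the scheme check in CVE-2019-13038.patch passes 0 there); passing HTTP_BAD_REQUEST makes APR append the errno text for value 400 to the log line, which is noise. Suggest `AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, 0, r, "Redirect URL starts with '///'");` and returning HTTP_BAD_REQUEST as now.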
diff -Nru libapache2-mod-auth-mellon-0.14.2/debian/patches/series 
libapache2-mod-auth-mellon-0.14.2/debian/patches/series
--- libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2018-01-06 
12:58:18.0 +
+++ libapache2-mod-auth-mellon-0.14.2/debian/patches/series 2022-12-06 
15:39:01.0 +
@@ -0,0 +1,2 @@
+CVE-2019-13038.patch
+CVE-2021-3639.patch
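The three ReturnTo vectors quoted on this page (a scheme without a hostname from the CVE-2019-13038 patch, a `///` prefix from the CVE-2021-3639 patch, and backslashes from the 0.14.2 NEWS entry for CVE-2019-3877 further down) all target the same redirect-URL validation. As an added example that is not mod_auth_mellon's code, here is a stand-alone C validator that folds those checks together. `validate_redirect_url`, `url_chars_ok` and the `allowed_host` parameter are this example's own names (the parameter stands in for the request host that mod_auth_mellon compares against), and refusing userinfo (`@` in the authority) is an extra check beyond what the patches add.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not mod_auth_mellon code.  Combines the checks described by
 * the open-redirect fixes on this page:
 *   - NULL and control characters refused (am_check_url, CVE-2021-3639 patch)
 *   - "///" prefix refused (CVE-2021-3639)
 *   - backslashes refused (CVE-2019-3877, 0.14.2 NEWS)
 *   - scheme must be http/https with a non-empty hostname (CVE-2019-13038)
 * allowed_host is an assumption standing in for the request's own host.
 * Returns 1 when url is acceptable as a ReturnTo target, 0 otherwise. */

static int url_chars_ok(const char *url)
{
    const unsigned char *p;

    if (url == NULL)
        return 0;                      /* NULL guard, as in the CVE-2021-3639 patch */
    for (p = (const unsigned char *)url; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return 0;                  /* control characters, as in am_check_url */
        if (*p == '\\')
            return 0;                  /* browsers rewrite '\' to '/', CVE-2019-3877 */
    }
    if (strncmp(url, "///", 3) == 0)
        return 0;                      /* empty-host network path, CVE-2021-3639 */
    return 1;
}

int validate_redirect_url(const char *url, const char *allowed_host)
{
    const char *sep, *authority;
    size_t scheme_len, authority_len, host_len;

    if (!url_chars_ok(url))
        return 0;

    /* A site-relative path ("/foo") stays on this site; "//host/foo" is
     * protocol-relative and would leave it, so it is refused. */
    if (url[0] == '/')
        return url[1] != '/';

    /* "http:www.malicious.com" parses as scheme "http" with no hostname;
     * requiring "://" is the stand-alone equivalent of the uri.hostname check. */
    sep = strstr(url, "://");
    if (sep == NULL)
        return 0;
    scheme_len = (size_t)(sep - url);
    if (!((scheme_len == 4 && strncasecmp(url, "http", 4) == 0) ||
          (scheme_len == 5 && strncasecmp(url, "https", 5) == 0)))
        return 0;                      /* only http and https, as in am_validate_redirect_url */

    authority = sep + 3;
    authority_len = strcspn(authority, "/?#");
    if (authority_len == 0)
        return 0;                      /* "http:///x": scheme present, hostname empty */
    if (memchr(authority, '@', authority_len) != NULL)
        return 0;                      /* userinfo ("trusted@evil") refused; this check is
                                          an addition beyond the page's patches */
    host_len = strcspn(authority, ":/?#");   /* stop at an optional ":port" */
    if (allowed_host != NULL &&
        (strlen(allowed_host) != host_len ||
         strncasecmp(authority, allowed_host, host_len) != 0))
        return 0;                      /* absolute URL must point at our own host */
    return 1;
}

int main(void)
{
    /* Constructed inputs: the three vectors quoted in this thread plus one valid target. */
    static const char *const samples[] = {
        "http:www.malicious.com",                   /* CVE-2019-13038 */
        "///fishing-site.example.com/logout.html",  /* CVE-2021-3639 */
        "https:\\\\malicious.example.org/",         /* CVE-2019-3877, %5c%5c decoded */
        "https://sp.example.org/mellon/logout",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               validate_redirect_url(samples[i], "sp.example.org") ? "allow" : "reject");
    return 0;
}
```

Compile with `cc -std=c99 -o redirect_check redirect_check.c` (file name assumed) and run it; the first three samples print reject and the last prints allow. The validator is deliberately stricter than a generic URL parser (no protocol-relative `//host` targets, no userinfo, host compared case-insensitively against one expected value) because a post-login or post-logout redirect only ever needs to reach the site's own pages.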


Bug#1025646: bullseye-pu: package libapache2-mod-auth-mellon/0.17.0-1+deb11u1

2022-12-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I propose this upload to bullseye to fix a relatively minor security issue
(open redirect) in libapache2-mod-auth-mellon.

The changes are already in sid and bookworm for a longer time.


Cheers,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/changelog 
libapache2-mod-auth-mellon-0.17.0/debian/changelog
--- libapache2-mod-auth-mellon-0.17.0/debian/changelog  2020-09-08 
12:56:41.0 +0200
+++ libapache2-mod-auth-mellon-0.17.0/debian/changelog  2022-12-06 
20:12:37.0 +0100
@@ -1,3 +1,10 @@
+libapache2-mod-auth-mellon (0.17.0-1+deb11u1) bullseye; urgency=medium
+
+  * Upload to fix security issue:
+- Open redirect in logout endpoint (CVE-2021-3639)
+
+ -- Thijs Kinkhorst   Tue, 06 Dec 2022 20:12:37 +0100
+
 libapache2-mod-auth-mellon (0.17.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch 
libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
1970-01-01 01:00:00.0 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/CVE-2021-3639.patch
2022-12-06 20:12:37.0 +0100
@@ -0,0 +1,44 @@
+From 42a11261b9dad2e48d70bdff7c53dd57a12db6f5 Mon Sep 17 00:00:00 2001
+From: AIMOTO Norihito 
+Date: Tue, 6 Jul 2021 22:57:24 +0200
+Subject: [PATCH] Prevent redirect to URLs that begin with '///'
+
+Visiting a logout URL like this:
+
https://rp.example.co.jp/mellon/logout?ReturnTo=///fishing-site.example.com/logout.html
+would have redirected the user to fishing-site.example.com
+
+With the patch, this URL would be rejected.
+
+Fixes: CVE-2021-3639
+---
+ auth_mellon_util.c | 10 ++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/auth_mellon_util.c b/auth_mellon_util.c
+index 2f8c9c3..6a686db 100644
+--- a/auth_mellon_util.c
 b/auth_mellon_util.c
+@@ -927,6 +927,10 @@ int am_check_url(request_rec *r, const char *url)
+ {
+ const char *i;
+ 
++if (url == NULL) {
++return HTTP_BAD_REQUEST;
++}
++
+ for (i = url; *i; i++) {
+ if (*i >= 0 && *i < ' ') {
+ /* Deny all control-characters. */
+@@ -943,6 +947,12 @@ int am_check_url(request_rec *r, const char *url)
+ }
+ }
+ 
++if (strstr(url, "///") == url) {
++AM_LOG_RERROR(APLOG_MARK, APLOG_ERR, HTTP_BAD_REQUEST, r,
++  "URL starts with '///'");
++return HTTP_BAD_REQUEST;
++}
++
+ return OK;
+ }
+ 
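Review bot: this file is byte-identical to the buster copy of CVE-2021-3639.patch, including the `index 2f8c9c3..6a686db` line and the `@@ -927,6 +927,10 @@` / `@@ -943,6 +947,12 @@` offsets, yet one targets 0.14.2 (with CVE-2019-13038.patch applied first) and the other 0.17.0, so the recorded pre-image cannot be right for both. quilt ignores the index line, so the practical effect is at most an offset or fuzz warning at build time; a `quilt push` followed by `quilt refresh` against 0.17.0 would record the real line numbers for this branch.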
diff -Nru libapache2-mod-auth-mellon-0.17.0/debian/patches/series 
libapache2-mod-auth-mellon-0.17.0/debian/patches/series
--- libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2020-01-27 
14:32:39.0 +0100
+++ libapache2-mod-auth-mellon-0.17.0/debian/patches/series 2022-12-06 
20:12:37.0 +0100
@@ -0,0 +1 @@
+CVE-2021-3639.patch


Bug#946841: buster-pu: package simplesamlphp/1.16.3-1+deb10u2

2019-12-16 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

The simpleSAMLphp package in buster suffers from an incompatibility with
PHP 7.3 (also shipped in buster) that can be fixed with a one character
change.

The bug report is at https://bugs.debian.org/944820

This was missed during the release cycle because the already existing
and working simplesamlphp package was not fully re-tested when PHP 7.3
was introduced into buster.

Please see attached debdiff for a proposed fix for buster.


Thanks,
Thijs
diff -Nru simplesamlphp-1.16.3/debian/changelog 
simplesamlphp-1.16.3/debian/changelog
--- simplesamlphp-1.16.3/debian/changelog   2019-11-03 06:46:13.0 
+0100
+++ simplesamlphp-1.16.3/debian/changelog   2019-12-16 14:15:00.0 
+0100
@@ -1,3 +1,9 @@
+simplesamlphp (1.16.3-1+deb10u2) buster; urgency=medium
+
+  * Fix incompatibility with PHP 7.3 (closes: #944820).
+
+ -- Thijs Kinkhorst   Mon, 16 Dec 2019 14:15:00 +0100
+
 simplesamlphp (1.16.3-1+deb10u1) buster-security; urgency=high
 
   * Fix security issue CVE-2019-3465.
diff -Nru simplesamlphp-1.16.3/debian/patches/fix-xmlseclibs-php73.patch 
simplesamlphp-1.16.3/debian/patches/fix-xmlseclibs-php73.patch
--- simplesamlphp-1.16.3/debian/patches/fix-xmlseclibs-php73.patch  
1970-01-01 01:00:00.0 +0100
+++ simplesamlphp-1.16.3/debian/patches/fix-xmlseclibs-php73.patch  
2019-12-16 14:15:00.0 +0100
@@ -0,0 +1,24 @@
+From: Stefan Winter 
+Date: Thu, 18 Oct 2018 07:24:07 +0200
+Subject: [PATCH] make regex PCRE2 compliant
+
+PHP7.3 makes a hard switch from PCRE to PCRE2, where the hyphen needs to be 
escaped. I've tested and confirmed that with PHP 7.3rc3
+- the code as was before this PR breaks with a PHP error about unable to 
compile the regex
+- the code with this one-character PR applied works just fine
+---
+ src/Utils/XPath.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Utils/XPath.php b/src/Utils/XPath.php
+index 11e51fb..8cdc48e 100644
+--- a/vendor/robrichards/xmlseclibs/src/Utils/XPath.php
 b/vendor/robrichards/xmlseclibs/src/Utils/XPath.php
+@@ -7,7 +7,7 @@ class XPath
+ const ALPHANUMERIC = '\w\d';
+ const NUMERIC = '\d';
+ const LETTERS = '\w';
+-const EXTENDED_ALPHANUMERIC = '\w\d\s-_:\.';
++const EXTENDED_ALPHANUMERIC = '\w\d\s\-_:\.';
+ 
+ const SINGLE_QUOTE = '\'';
+ const DOUBLE_QUOTE = '"';
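Review bot: the `diff --git a/src/Utils/XPath.php b/src/Utils/XPath.php` header names a different path from the `---`/`+++` lines under it (`vendor/robrichards/xmlseclibs/src/Utils/XPath.php`); quilt and patch take the path from the `---`/`+++` pair, so it applies, but the stale git header misleads anyone reading the patch and is worth dropping or aligning. On the change itself: inside a character class PCRE2 reads `\s-_` as a range whose lower bound is a shorthand class and refuses to compile it, where PCRE1 silently took the hyphen literally; escaping it as `\s\-_` is the minimal fix, and moving the hyphen to the end of the class (`\w\d\s_:\.-`) is the other common spelling.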
diff -Nru simplesamlphp-1.16.3/debian/patches/series 
simplesamlphp-1.16.3/debian/patches/series
--- simplesamlphp-1.16.3/debian/patches/series  2019-11-03 06:44:18.0 
+0100
+++ simplesamlphp-1.16.3/debian/patches/series  2019-12-16 14:15:00.0 
+0100
@@ -1,2 +1,3 @@
 debian_config.patch
 CVE-2019-3465.patch
+fix-xmlseclibs-php73.patch


Bug#940477: stretch-pu: package tmpreaper/1.6.13+nmu1+deb9u2

2019-09-16 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

tmpreaper will clean up PrivateTmp dirs of processes that systemd
started, leading to those services periodically crashing (and it's
usually hard to diagnose that tmpreaper was the culprit here).

This update adds those dirs to tmpreaper's whitelist.

Kind regards,
Thijs

-- System Information:
Debian Release: 9.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), 
LANGUAGE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
diff -Nru tmpreaper-1.6.13+nmu1+deb9u1/ChangeLog 
tmpreaper-1.6.13+nmu1+deb9u2/ChangeLog
--- tmpreaper-1.6.13+nmu1+deb9u1/ChangeLog  2019-01-05 16:25:06.0 
+0100
+++ tmpreaper-1.6.13+nmu1+deb9u2/ChangeLog  2019-09-16 09:39:51.0 
+0200
@@ -1,3 +1,11 @@
+tmpreaper (1.6.13+nmu1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload with maintainer approval.
+  * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent
+breaking systemd services that have PrivateTmp=true (closes: #881725).
+
+ -- Thijs Kinkhorst   Mon, 16 Sep 2019 09:39:51 +0200
+
 tmpreaper (1.6.13+nmu1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru tmpreaper-1.6.13+nmu1+deb9u1/debian/changelog 
tmpreaper-1.6.13+nmu1+deb9u2/debian/changelog
--- tmpreaper-1.6.13+nmu1+deb9u1/debian/changelog   2019-01-05 
16:25:06.0 +0100
+++ tmpreaper-1.6.13+nmu1+deb9u2/debian/changelog   2019-09-16 
09:39:51.0 +0200
@@ -1,3 +1,11 @@
+tmpreaper (1.6.13+nmu1+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload with maintainer approval.
+  * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent
+breaking systemd services that have PrivateTmp=true (closes: #881725).
+
+ -- Thijs Kinkhorst   Mon, 16 Sep 2019 09:39:51 +0200
+
 tmpreaper (1.6.13+nmu1+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru tmpreaper-1.6.13+nmu1+deb9u1/debian/cron.daily 
tmpreaper-1.6.13+nmu1+deb9u2/debian/cron.daily
--- tmpreaper-1.6.13+nmu1+deb9u1/debian/cron.daily  2008-05-19 
19:10:16.0 +0200
+++ tmpreaper-1.6.13+nmu1+deb9u2/debian/cron.daily  2019-09-16 
09:39:51.0 +0200
@@ -105,5 +105,6 @@
   --protect '/tmp/lost+found' \
   --protect '/tmp/journal.dat' \
   --protect '/tmp/quota.{user,group}' \
+  --protect '/tmp/systemd-private*/*' \
   `for i in $TMPREAPER_PROTECT_EXTRA; do echo --protect "$i"; done` \
   $TMPREAPER_DIRS
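Review bot: debian/cron.daily is shipped as the conffile /etc/cron.daily/tmpreaper, so this one-line change raises a dpkg conffile prompt on upgrade for every admin who has edited the file locally (for instance to add their own `--protect` lines); that is acceptable for a stable update that stops services crashing, but the changelog could say so. Admins who already added the same pattern through TMPREAPER_PROTECT_EXTRA end up with a harmless duplicate `--protect`. The pattern is passed in single quotes, so tmpreaper rather than the shell matches the glob, which is what the existing `--protect '/tmp/quota.{user,group}'` line relies on too.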


Bug#940476: buster-pu: package tmpreaper/1.6.14+deb10u1

2019-09-16 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

tmpreaper will clean up PrivateTmp dirs of processes that systemd
started, leading to those services periodically crashing (and it's
usually hard to diagnose that tmpreaper was the culprit here).

This update adds those dirs to tmpreaper's whitelist.


The problem has existed for a longer time but seems aggravated since
buster, likely because more services have started to use PrivateTmp.


Kind regards,
Thijs

-- System Information:
Debian Release: 9.11
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8), 
LANGUAGE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)
diff -Nru tmpreaper-1.6.14/ChangeLog tmpreaper-1.6.14+deb10u1/ChangeLog
--- tmpreaper-1.6.14/ChangeLog  2019-01-11 13:27:15.0 +0100
+++ tmpreaper-1.6.14+deb10u1/ChangeLog  2019-09-16 09:15:24.0 +0200
@@ -1,3 +1,11 @@
+tmpreaper (1.6.14+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload with maintainer approval.
+  * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent
+breaking systemd services that have PrivateTmp=true (closes: #881725).
+
+ -- Thijs Kinkhorst   Mon, 16 Sep 2019 07:15:24 +
+
 tmpreaper (1.6.14) unstable; urgency=medium
 
   * Upload to unstable to fix the race condition described in CVE-2019-3461:
diff -Nru tmpreaper-1.6.14/debian/changelog 
tmpreaper-1.6.14+deb10u1/debian/changelog
--- tmpreaper-1.6.14/debian/changelog   2019-01-11 13:27:15.0 +0100
+++ tmpreaper-1.6.14+deb10u1/debian/changelog   2019-09-16 09:15:24.0 
+0200
@@ -1,3 +1,11 @@
+tmpreaper (1.6.14+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload with maintainer approval.
+  * Add `--protect '/tmp/systemd-private*/*'` to cron job to prevent
+breaking systemd services that have PrivateTmp=true (closes: #881725).
+
+ -- Thijs Kinkhorst   Mon, 16 Sep 2019 07:15:24 +
+
 tmpreaper (1.6.14) unstable; urgency=medium
 
   * Upload to unstable to fix the race condition described in CVE-2019-3461:
diff -Nru tmpreaper-1.6.14/debian/cron.daily 
tmpreaper-1.6.14+deb10u1/debian/cron.daily
--- tmpreaper-1.6.14/debian/cron.daily  2008-05-19 19:10:16.0 +0200
+++ tmpreaper-1.6.14+deb10u1/debian/cron.daily  2019-09-16 09:15:24.0 
+0200
@@ -105,5 +105,6 @@
   --protect '/tmp/lost+found' \
   --protect '/tmp/journal.dat' \
   --protect '/tmp/quota.{user,group}' \
+  --protect '/tmp/systemd-private*/*' \
   `for i in $TMPREAPER_PROTECT_EXTRA; do echo --protect "$i"; done` \
   $TMPREAPER_DIRS


Bug#925345: unblock: libapache2-mod-auth-mellon/0.14.2-1

2019-03-24 Thread Thijs Kinkhorst
On Sat, March 23, 2019 16:56, Jonathan Wiltshire wrote:
> On Sat, Mar 23, 2019 at 03:00:06PM +0100, Thijs Kinkhorst wrote:
>> Please unblock package libapache2-mod-auth-mellon
>>
>> The upload contains fixes for two security issues, it is a new
>> upstream that only contains these fixes.
>
> Unblocked; thanks.

Thanks, can you also age it? I assumed that "urgency=high" would do this,
but apparently it does not.


Cheers,
Thijs



Bug#925345: unblock: libapache2-mod-auth-mellon/0.14.2-1

2019-03-23 Thread Thijs Kinkhorst
11 @@
+libapache2-mod-auth-mellon (0.14.2-1) unstable; urgency=high
+
+  * New upstream security release. (closes: #925197)
+- Auth bypass when used with reverse proxy [CVE-2019-3878]
+- Open redirect vulnerability in logout [CVE-2019-3877]
+
+ -- Thijs Kinkhorst   Fri, 22 Mar 2019 12:10:11 +
+
 libapache2-mod-auth-mellon (0.14.1-1) unstable; urgency=medium
 
   [ Thijs Kinkhorst ]
diff -Nru libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 
libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c
--- libapache2-mod-auth-mellon-0.14.1/mod_auth_mellon.c 2018-01-18 
17:32:59.0 +
+++ libapache2-mod-auth-mellon-0.14.2/mod_auth_mellon.c 2019-03-20 
07:29:50.0 +
@@ -207,6 +207,12 @@
 
 static void register_hooks(apr_pool_t *p)
 {
+/* Our handler needs to run before mod_proxy so that it can properly
+ * return ECP AuthnRequest messages when running as a reverse proxy.
+ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
+ */
+static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
+
 ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
 ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
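Review bot: `run_handler_before` is declared at the top of register_hooks but only consumed by the `ap_hook_handler` call in the next hunk, where the existing block comment already explains why the handler must run early; declaring it directly above that call keeps the fix and its rationale together. The name also reads as "handlers to run before", while the array actually lists modules that must run after am_handler (it is passed as ap_hook_handler's successor list); a name such as `am_handler_successors` or a one-line comment saying so would remove the ambiguity.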
@@ -222,7 +228,7 @@
  * Therefore this hook must run before any handler that may check
  * r->handler and decide that it is the only handler for this URL.
  */
-ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
+ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
 
 #ifdef ENABLE_DIAGNOSTICS
 ap_hook_open_logs(am_diag_log_init,NULL,NULL,APR_HOOK_MIDDLE);
diff -Nru libapache2-mod-auth-mellon-0.14.1/NEWS 
libapache2-mod-auth-mellon-0.14.2/NEWS
--- libapache2-mod-auth-mellon-0.14.1/NEWS  2019-02-11 07:26:04.0 
+
+++ libapache2-mod-auth-mellon-0.14.2/NEWS  2019-03-21 13:58:27.0 
+
@@ -1,3 +1,48 @@
+Version 0.14.2
+---
+
+Security fixes:
+
+* [CVE-2019-3878] Authentication bypass when Apache is used as a
+  reverse proxy
+
+  If Apache is configured as a reverse proxy with mod_auth_mellon for
+  authentication, the authentication can be bypassed by adding SAML
+  2.0 ECP headers to the request.
+
+  This vulnerability affects mod_auth_mellon 0.11.0 and newer.
+
+  This vulnerability is due to both mod_auth_mellon and mod_proxy
+  registering as handlers for the requests, with the same
+  priority. When mod_auth_mellon handles the request first, it will
+  trigger a ECP authentication request. If mod_proxy handles it first,
+  it will forward it to the backend server.
+
+  Which module handles it first depends on the order modules are
+  loaded by Apache.
+
+  This vulnerability is fixes by specifically registering that the
+  mod_auth_mellon handler should run before mod_proxy.
+
+  Thanks to Jakub Hrozek and John Dennis at RedHat for fixing this
+  vulnerability.
+
+* [CVE-2019-3877] Redirect URL validation bypass
+
+  Version 0.14.1 and older of mod_auth_mellon allows the redirect URL
+  validation to be bypassed by specifying an URL with backslashes
+  instead of forward slashes. Browsers silently convert backslashes to
+  forward slashes, which allows an attacker to bypass the redirect URL
+  validation by using `%5c` in the ReturnTo-parameter. E.g.:
+
+
https://sp.example.org/mellon/logout?ReturnTo=https:%5c%5cmalicious.example.org/
+
+  This version fixes that issue by rejecting all URLs with
+  backslashes.
+
+  Thanks to Eric Chamberland for discovering this vulnerability.
+
+
 Version 0.14.1
 ---
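Review bot: typos in the new NEWS text: "trigger a ECP authentication request" should read "an ECP", "This vulnerability is fixes by" should read "is fixed by", and "specifying an URL" should read "a URL"; the company name is conventionally spelled "Red Hat". The example URL given for CVE-2019-3877 (`https:%5c%5cmalicious.example.org/`) is exactly the form the text says is now rejected, which is a useful regression input for the package's test suite if one exists.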
 


Bug#867461: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?

2018-01-12 Thread Thijs Kinkhorst
On Fri, January 12, 2018 10:24, Raphael Hertzog wrote:
> Hi,
>
> On Tue, 09 Jan 2018, Brian May wrote:
>> Raphael Hertzog  writes:
>>
>> > I think this mail went through the cracks as we haven't received a
>> reply
>> > from you so far. Can you let us know the status and whether we can
>> help to
>> > get the wheezy update out ?
>>
>> Hello Debian-LTS team:
>>
>> As we are lacking any response (yet) from Michael Shuler, I am wondering
>> if we should go ahead and upload the wheezy version anyway?
>
> Yes, please. I saw reports of failures on IRC due to missing CA
> certificates.

As co-maintainer of ca-certificates you have my ok for this change in
wheezy, indeed a good idea.


Cheers,
Thijs



Bug#875765: stretch-pu: package mailman/1:2.1.23-1+deb9u1

2017-09-14 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

It was discovered that the SpamAssassin integration in Mailman (a Debian
specific piece of code) does not work in stretch. This is not enabled by
default but used often, and broke existing Mailman setups.

Attached patch rectifies the problem as confirmed by several users in
the bug reports. It is also in unstable and testing for a week without
reports of problems.

So please accept this stable update to fix this functionality.


Thanks,
Thijs
diff -Nru mailman-2.1.23/debian/changelog mailman-2.1.23/debian/changelog
--- mailman-2.1.23/debian/changelog 2016-09-13 18:01:59.0 +0200
+++ mailman-2.1.23/debian/changelog 2017-09-14 12:23:04.0 +0200
@@ -1,3 +1,10 @@
+mailman (1:2.1.23-1+deb9u1) stretch; urgency=medium
+
+  * Fixed broken dependencies in SpamAssassin.py (Closes: #838288).   
+Thanks Stephen Rothwell for the patch.
+
+ -- Thijs Kinkhorst <th...@debian.org>  Thu, 14 Sep 2017 12:23:04 +0200
+
 mailman (1:2.1.23-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru mailman-2.1.23/debian/contrib/SpamAssassin.py 
mailman-2.1.23/debian/contrib/SpamAssassin.py
--- mailman-2.1.23/debian/contrib/SpamAssassin.py   2016-09-13 
18:01:59.0 +0200
+++ mailman-2.1.23/debian/contrib/SpamAssassin.py   2017-09-14 
09:49:35.0 +0200
@@ -28,7 +28,6 @@
 from Mailman import Errors
 from Mailman.Logging.Syslog import syslog
 from Mailman.Handlers import Hold
-from Mailman.Handlers.Moderate import matches_p
 
 SPAMD_HOST= getattr(mm_cfg, 'SPAMASSASSIN_HOST', '')
 DISCARD_SCORE = getattr(mm_cfg, 'SPAMASSASSIN_DISCARD_SCORE', 10)
@@ -78,7 +77,7 @@
 if MEMBER_BONUS != 0:
 for sender in msg.get_senders():
 if mlist.isMember(sender) or \
-   matches_p(sender, mlist.accept_these_nonmembers, 
mlist.internal_name()):
+   mlist.GetPattern(sender, mlist.accept_these_nonmembers, 
at_list='accept_these_nonmembers'):
 score -= MEMBER_BONUS
 break
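Review bot: `mlist.GetPattern(...)` returns the matching pattern (or None) rather than the boolean that `matches_p` returned, so the replacement works only because the result is used for its truthiness; a short comment at this call would stop a later `== True` tidy-up from breaking it. It is also worth confirming that the `at_list='accept_these_nonmembers'` keyword matches the GetPattern signature in the 2.1.23 MailList class shipped in stretch, since the diff here cannot show that.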
 


Bug#857712: unblock: libapache2-mod-auth-mellon/0.12.0-2

2017-03-14 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package libapache2-mod-auth-mellon.

It fixes two security issues:
- Fix a denial of service attack in the logout handler.
- Fix a cross-site session transfer vulnerability
  [CVE-2017-6807].

unblock libapache2-mod-auth-mellon/0.12.0-2

Thanks,
Thijs
diff -Nru libapache2-mod-auth-mellon-0.12.0/debian/changelog 
libapache2-mod-auth-mellon-0.12.0/debian/changelog
--- libapache2-mod-auth-mellon-0.12.0/debian/changelog  2016-03-09 
10:14:01.0 +
+++ libapache2-mod-auth-mellon-0.12.0/debian/changelog  2017-03-13 
13:06:19.0 +
@@ -1,3 +1,11 @@
+libapache2-mod-auth-mellon (0.12.0-2) unstable; urgency=high
+
+  * Backport upstream patches for security issues:
+- Fix a denial of service attack in the logout handler.
+- Fix a cross-site session transfer vulnerability [CVE-2017-6807]. 
+
+ -- Thijs Kinkhorst <th...@debian.org>  Mon, 13 Mar 2017 13:06:19 +
+
 libapache2-mod-auth-mellon (0.12.0-1) unstable; urgency=high
 
   * New upstream release.
diff -Nru 
libapache2-mod-auth-mellon-0.12.0/debian/patches/01_logout_segfault.patch 
libapache2-mod-auth-mellon-0.12.0/debian/patches/01_logout_segfault.patch
--- libapache2-mod-auth-mellon-0.12.0/debian/patches/01_logout_segfault.patch   
1970-01-01 00:00:00.0 +
+++ libapache2-mod-auth-mellon-0.12.0/debian/patches/01_logout_segfault.patch   
2017-03-13 13:06:19.0 +
@@ -0,0 +1,39 @@
+From 6bdda9170a8f1757dabc5b109958657417728018 Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.mor...@uninett.no>
+Date: Tue, 24 May 2016 10:29:38 +0200
+Subject: [PATCH] Fix segmentation fault when receiving badly formed logout
+ message.
+
+If the logout message is badly formed, we won't get the entityID in
+`logout->parent.remote_providerID`. If we call `apr_hash_get()` with a
+null pointer, it will cause a segmentation fault.
+
+Add a check to validate that the entityID is correctly set.
+---
+ auth_mellon_handler.c | 6 --
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index ffc7ff7..748ec45 100644
+--- a/auth_mellon_handler.c
 b/auth_mellon_handler.c
+@@ -678,7 +678,8 @@ static int am_handle_logout_request(request_rec *r,
+ /* Process the logout message. Ignore missing signature. */
+ res = lasso_logout_process_request_msg(logout, msg);
+ #ifdef HAVE_lasso_profile_set_signature_verify_hint
+-if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
++if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND &&
++   logout->parent.remote_providerID != NULL) {
+ if (apr_hash_get(cfg->do_not_verify_logout_signature,
+  logout->parent.remote_providerID,
+  APR_HASH_KEY_STRING)) {
+@@ -787,7 +788,8 @@ static int am_handle_logout_response(request_rec *r, 
LassoLogout *logout)
+ 
+ res = lasso_logout_process_response_msg(logout, r->args);
+ #ifdef HAVE_lasso_profile_set_signature_verify_hint
+-if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND) {
++if(res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND &&
++   logout->parent.remote_providerID != NULL) {
+ if (apr_hash_get(cfg->do_not_verify_logout_signature,
+  logout->parent.remote_providerID,
+  APR_HASH_KEY_STRING)) {
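Review bot: the same three-clause condition (`res != 0 && res != LASSO_DS_ERROR_SIGNATURE_NOT_FOUND && logout->parent.remote_providerID != NULL`) is now duplicated in am_handle_logout_request and am_handle_logout_response; a small static helper (e.g. `am_logout_signature_skippable(cfg, logout, res)`, name assumed) would keep the NULL guard from drifting between the two. Note also that the guard only covers the `#ifdef HAVE_lasso_profile_set_signature_verify_hint` branch; if `remote_providerID` is dereferenced anywhere else on the badly-formed-message path, that site still needs the same check.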
diff -Nru 
libapache2-mod-auth-mellon-0.12.0/debian/patches/02_session_transfer_vulnerability_CVE-2017-6807.patch
 
libapache2-mod-auth-mellon-0.12.0/debian/patches/02_session_transfer_vulnerability_CVE-2017-6807.patch
--- 
libapache2-mod-auth-mellon-0.12.0/debian/patches/02_session_transfer_vulnerability_CVE-2017-6807.patch
  1970-01-01 00:00:00.0 +
+++ 
libapache2-mod-auth-mellon-0.12.0/debian/patches/02_session_transfer_vulnerability_CVE-2017-6807.patch
  2017-03-13 13:06:19.0 +
@@ -0,0 +1,218 @@
+From 7af21c53da7bb1de024274ee6da30bc22316a079 Mon Sep 17 00:00:00 2001
+From: Olav Morken <olav.mor...@uninett.no>
+Date: Mon, 13 Mar 2017 09:55:48 +0100
+Subject: [PATCH] Fix Cross-Site Session Transfer vulnerability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+mod_auth_mellon did not verify that the site the session was created
+for was the same site as the site the user accessed. This allows an
+attacker with access to one web site on a server to use the same
+session to get access to a different site running on the same server.
+
+This patch fixes this vulnerability by storing the cookie parameters
+used when creating the session in the session, and verifying those
+parameters when the session is loaded.
+
+Thanks to François Kooman for reporting this vulnerability.
+
+This vulnerability has been assigned CVE-2017-6807.
+---
+ NEWS   

Re: embedding openssl source in sslcan

2017-01-02 Thread Thijs Kinkhorst
On Fri, December 23, 2016 18:53, Moritz Mühlenhoff wrote:
> Sebastian Andrzej Siewior  schrieb:
>
> Please use t...@security.debian.org if you want to reach the security
> team, not debian-security@ldo.
>
>> tl;dr: Has anyone a problem if sslscan embeds openssl 1.0.2 in its
>> source?
>
> That's for post-stretch, right? Right now it can simply link against
> the 1.0.2 copy,
>
> Seems fine to me for that use case, and it won't need any security
> updates to the embedded openssl copy for all practical purposes anyway.

I agree, the risk for this use case is quite low, and having tools like
sslscan readily available in Debian is greatly beneficial for security.


Cheers,
Thijs



Bug#784670: jessie-pu: package pound/2.6-6+deb8u1

2015-05-07 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update pound in jessie to fix the ability to disable ssl client
renegotiation (#765649). The same patch has been uploaded to sid a few days ago.
Wheezy and earlier are not affected by this specific issue.

After this patch is applied I can get an A score at SSLlabs with pound.


Cheers,
Thijs

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru pound-2.6/debian/changelog pound-2.6/debian/changelog
--- pound-2.6/debian/changelog	2014-10-19 23:49:01.0 +
+++ pound-2.6/debian/changelog	2015-05-07 16:30:55.0 +
@@ -1,3 +1,11 @@
+pound (2.6-6+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload by the security team with maintainer approval.
+  * Add missing part of anti_beast patch to fix disabling of client
+renegotiation. (Closes: #765649)
+
+ -- Thijs Kinkhorst th...@debian.org  Tue, 05 May 2015 13:27:06 +
+
 pound (2.6-6) unstable; urgency=low
 
   * Add options to disable SSLv2 and SSLv3.
diff -Nru pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch
--- pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	1970-01-01 00:00:00.0 +
+++ pound-2.6/debian/patches/0008-disable_client_initiated_renegotiation.patch	2015-05-07 16:30:22.0 +
@@ -0,0 +1,120 @@
+Added the missing parts that makes the option SSLAllowClientRenegotiation
+work as advertised, allowing client initiated renegotiation to be turned off.
+This patch is a compliment to the changes introduced in the 0001-anti_beast.patch, 
+which was missing the changes to http.c as seen in the original patch from 
+Joe Gooch mrwiz...@k12system.com at:
+http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers.patch
+
+--- a/http.c
 b/http.c
+@@ -273,6 +273,11 @@
+ 
+ static int  err_to = -1;
+ 
++typedef struct {
++int timeout;
++RENEG_STATE *reneg_state;
++} BIO_ARG;
++
+ /*
+  * Time-out for client read/gets
+  * the SSL manual says not to do it, but it works well enough anyway...
+@@ -280,6 +285,7 @@
+ static long
+ bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
+ {
++BIO_ARG *bio_arg;
+ struct pollfd   p;
+ int to, p_res, p_err;
+ 
+@@ -287,11 +293,22 @@
+ return ret;
+ 
+ /* a time-out already occured */
+-if((to = *((int *)BIO_get_callback_arg(bio)) * 1000)  0) {
++if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
++if((to = bio_arg-timeout * 1000)  0) {
+ errno = ETIMEDOUT;
+ return -1;
+ }
+ 
++/* Renegotiations */
++if (bio_arg-reneg_state != NULL  *bio_arg-reneg_state == RENEG_ABORT) {
++logmsg(LOG_NOTICE, REJECTING renegotiated session);
++errno = ECONNABORTED;
++return -1;
++}
++
++//logmsg(LOG_NOTICE, TO %d, to);
++if (to == 0) return ret;
++
+ for(;;) {
+ memset(p, 0, sizeof(p));
+ BIO_get_fd(bio, p.fd);
+@@ -326,7 +343,7 @@
+ return -1;
+ case 0:
+ /* timeout - mark the BIO as unusable for the future */
+-BIO_set_callback_arg(bio, (char *)err_to);
++bio_arg-timeout = err_to;
+ #ifdef  EBUG
+ logmsg(LOG_WARNING, (%lx) CALLBACK timeout poll after %d secs: %s,
+ pthread_self(), to / 1000, strerror(p_err));
+@@ -531,6 +548,15 @@
+ struct linger   l;
+ double  start_req, end_req;
+ 
++RENEG_STATE reneg_state;
++BIO_ARG ba1, ba2;
++
++reneg_state = RENEG_INIT;
++ba1.reneg_state =  reneg_state;
++ba2.reneg_state = reneg_state;
++ba1.timeout = 0;
++ba2.timeout = 0;
++
+ from_host = ((thr_arg *)arg)-from_host;
+ memcpy(from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
+ from_host.ai_addr = (struct sockaddr *)from_host_addr;
+@@ -539,6 +565,8 @@
+ free(((thr_arg *)arg)-from_host.ai_addr);
+ free(arg);
+ 
++if(lstn-allow_client_reneg) reneg_state = RENEG_ALLOW;
++
+ n = 1;
+ setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)n, sizeof(n));
+ l.l_onoff = 1;
+@@ -562,10 +590,10 @@
+ close(sock);
+ return;
+ }
+-if(lstn-to  0) {
+-BIO_set_callback_arg(cl, (char *)lstn-to);
+-BIO_set_callback(cl, bio_callback);
+-}
++
++ba1.timeout = lstn-to;
++BIO_set_callback_arg(cl, (char *)ba1);
++BIO_set_callback(cl, bio_callback);
+ 
+ if(lstn-ctx != NULL) {
+ if((ssl = SSL_new(lstn-ctx-ctx)) == NULL) {
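Review bot: dropping the `if(lstn->to > 0)` guard means bio_callback is now installed on every client BIO, so the renegotiation check runs even when no timeout is configured; the `if (to == 0) return ret;` added inside the callback is what preserves the old no-timeout behaviour, and that dependency deserves a comment at this call site. Note also that `ba1`, `ba2` and `reneg_state` are stack variables of the thread function, so the BIO must not outlive it, and `ba2` is initialised but nothing in the visible hunks attaches it to a BIO; the final hunk (`+@@ -574,6 +602,7`) is cut off, so the backend side cannot be reviewed from this message.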
+@@ -574,6 +602,7

Bug#782565: unblock: commons-httpclient/3.1-11

2015-04-14 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package commons-httpclient.

It fixes security issue CVE-2014-3577.

unblock commons-httpclient/3.1-11


Cheers,
Thijs
diff -Nru commons-httpclient-3.1/debian/ant.properties commons-httpclient-3.1/debian/ant.properties
--- commons-httpclient-3.1/debian/ant.properties	2011-08-30 09:42:03.0 +
+++ commons-httpclient-3.1/debian/ant.properties	2015-04-13 16:15:49.0 +
@@ -1,5 +1,5 @@
 # JSSE stub classes required for build
 lib.dir=/usr/share/java
 #jsse.jar=/usr/share/java/jsse.jar
-ant.build.javac.source=1.4
-ant.build.javac.target=1.4
+ant.build.javac.source=1.5
+ant.build.javac.target=1.5
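Review bot: the jump of `ant.build.javac.source`/`target` from 1.4 to 1.5 is explained only in the changelog entry; a comment next to the two properties saying that CVE-2014-3577.patch needs it (the `javax.naming.ldap.LdapName`/`Rdn` imports it adds are Java 5 APIs) would save the next maintainer from rediscovering why the build level was raised.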
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog	2012-12-06 13:41:48.0 +
+++ commons-httpclient-3.1/debian/changelog	2015-04-13 16:15:49.0 +
@@ -1,3 +1,20 @@
+commons-httpclient (3.1-11) unstable; urgency=high
+
+  * Team upload.
+  * Add CVE-2014-3577.patch. (Closes: #758086)
+It was found that the fix for CVE-2012-6153 was incomplete: the code added
+to check that the server hostname matches the domain name in a subject's
+Common Name (CN) field in X.509 certificates was flawed. A
+man-in-the-middle attacker could use this flaw to spoof an SSL server using
+a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
+intended to address the incomplete patch for CVE-2012-5783. The issue is
+now completely resolved by applying this patch and the
+06_fix_CVE-2012-5783.patch.
+  * Change java.source and java.target ant properties to 1.5, otherwise
+commons-httpclient will not compile with this patch.
+
+ -- Markus Koschany a...@gambaru.de  Mon, 23 Mar 2015 22:57:54 +0100
+
 commons-httpclient (3.1-10.2) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch
--- commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch	1970-01-01 00:00:00.0 +
+++ commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch	2015-04-13 16:15:49.0 +
@@ -0,0 +1,110 @@
+From: Markus Koschany a...@gambaru.de
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java | 57 ++
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
 b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ 		return dots;
+ 	}
+ 
+-	private static String getCN(X509Certificate cert) {
+-// Note:  toString() seems to do a better job than getName()
+-//
+-// For example, getName() gives me this:
+-// 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-//
+-// whereas toString() gives me this:
+-// 

Bug#782147: unblock: mediawiki/1:1.19.20+dfsg-2.3

2015-04-08 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mediawiki.

The only change is an addition of an upstream patch for this release branch
which fixes a number of security issues.

unblock mediawiki/1:1.19.20+dfsg-2.3

Thanks,
Thijs
diff -Nru mediawiki-1.19.20+dfsg/debian/changelog mediawiki-1.19.20+dfsg/debian/changelog
--- mediawiki-1.19.20+dfsg/debian/changelog	2014-12-21 12:11:10.0 +
+++ mediawiki-1.19.20+dfsg/debian/changelog	2015-04-06 16:55:57.0 +
@@ -1,3 +1,21 @@
+mediawiki (1:1.19.20+dfsg-2.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add patch fixing several security issues:
+- (bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that
+   contain XML entities, to prevent various DoS attacks.
+- (bug T88310) SECURITY: Always expand xml entities when checking
+  SVG's.
+- (bug T73394) SECURITY: Escape  in Html::expandAttributes to
+  prevent XSS.
+- (bug T85855) SECURITY: Don't execute another user's CSS or JS
+  on preview.
+- (bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues
+  fixed in SVG filtering to prevent XSS and protect viewer's
+  privacy.
+
+ -- Thijs Kinkhorst th...@debian.org  Mon, 06 Apr 2015 16:53:54 +
+
 mediawiki (1:1.19.20+dfsg-2.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch
--- mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch	1970-01-01 00:00:00.0 +
+++ mediawiki-1.19.20+dfsg/debian/patches/security_1.19.24.patch	2015-04-06 17:03:41.0 +
@@ -0,0 +1,636 @@
+From: Mediawiki
+Subject: Fix security issues as fixed in upstream security fix release 1.19.24:
+(bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
+(bug T88310) SECURITY: Always expand xml entities when checking SVG's.
+(bug T73394) SECURITY: Escape  in Html::expandAttributes to prevent XSS.
+(bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
+(bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
+Origin: upstream, https://lists.wikimedia.org/pipermail/mediawiki-announce/2015-March/000175.html
+
+diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/EditPage.php mediawiki-1.19.24/includes/EditPage.php
+--- mediawiki-1.19.23/includes/EditPage.php	2015-03-31 13:24:03.0 +
 mediawiki-1.19.24/includes/EditPage.php	2015-03-31 13:23:38.0 +
+@@ -1988,14 +1988,19 @@
+ if ( $this-isWrongCaseCssJsPage ) {
+ 	$wgOut-wrapWikiMsg( div class='error' id='mw-userinvalidcssjstitle'\n$1\n/div, array( 'userinvalidcssjstitle', $this-mTitle-getSkinFromCssJsSubpage() ) );
+ }
++if ( $this-getTitle()-isSubpageOf( $wgUser-getUserPage() ) ) {
+ if ( $this-formtype !== 'preview' ) {
+-	if ( $this-isCssSubpage )
++		if ( $this-isCssSubpage ) {
+ 		$wgOut-wrapWikiMsg( div id='mw-usercssyoucanpreview'\n$1\n/div, array( 'usercssyoucanpreview' ) );
+-	if ( $this-isJsSubpage )
++		}
++
++		if ( $this-isJsSubpage ) {
+ 		$wgOut-wrapWikiMsg( div id='mw-userjsyoucanpreview'\n$1\n/div, array( 'userjsyoucanpreview' ) );
+ }
+ 			}
+ 		}
++			}
++		}
+ 
+ 		if ( $this-mTitle-getNamespace() != NS_MEDIAWIKI  $this-mTitle-isProtected( 'edit' ) ) {
+ 			# Is the title semi-protected?
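Review bot: the brace structure of this hunk is hard to verify from the diff: the new `if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {` is inserted at the same indentation as the line it wraps, and the block is closed by two bare `}` lines added at the end while the inner `isCssSubpage`/`isJsSubpage` conditionals also gain braces. Re-indenting the enclosed lines in the same change would make the nesting readable and let a reviewer confirm the `isJsSubpage` message is still inside the `!== 'preview'` check. Functionally this hunk only hides the "you can preview" hint when the edited page is not a subpage of the current user's own user page; the refusal to execute another user's CSS/JS on preview (T85855) must live in a part of the 636-line patch not shown here.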
+diff -Nruw -x '*~' -x '.js*' -x '.git*' -x '*.xcf' -x '#*#' -x '.#*' -x '.rubocop*' -x .travis.yml -x package.json -x messages -x Gemfile -x '*.png' -x '*.jpg' -x '*.xcf' -x '*.gif' -x '*.svg' -x '*.tiff' -x '*.zip' -x '*.xmp' mediawiki-1.19.23/includes/Html.php mediawiki-1.19.24/includes/Html.php
+--- mediawiki-1.19.23/includes/Html.php	2015-03-31 13:24:03.0 +
 mediawiki-1.19.24/includes/Html.php	2015-03-31 13:23:38.0 +
+@@ -525,17 +525,20 @@
+ 			} else {
+ # Apparently we need to entity-encode \n, \r, \t, although the
+ # spec doesn't mention that.  Since we're doing strtr() anyway,
+-# and we don't need  escaped here, we may as well not call
+-# htmlspecialchars().
++# we may as well not call htmlspecialchars().
+ # @todo FIXME: Verify that we actually need to
+ # escape \n\r\t here, and explain why, exactly.
+ #
+ # We could call Sanitizer::encodeAttribute() for this, but we
+ # don't because we're stubborn and like our marginal savings on
+ # byte size from not having to encode unnecessary quotes.
++# The only difference between this transform and the one by
++# Sanitizer::encodeAttribute() is '' is only

Bug#782146: unblock: mailman/1:2.1.18-2

2015-04-08 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package mailman.

The diff is a security fix for CVE-2015-2775.

unblock mailman/1:2.1.18-2


Thanks,
Thijs
diff -Nru mailman-2.1.18/debian/changelog mailman-2.1.18/debian/changelog
--- mailman-2.1.18/debian/changelog	2014-07-10 18:01:59.0 +
+++ mailman-2.1.18/debian/changelog	2015-04-06 15:37:32.0 +
@@ -1,3 +1,13 @@
+mailman (1:2.1.18-2) unstable; urgency=high
+
+  * Fix security issue: path traversal through local_part.
+Affects installations which use an Exim or Postfix transport
+instead of fixed aliases; attacker needs to be able to place
+files on the local filesystem.
+(CVE-2015-2775, Closes: 781626)
+
+ -- Thijs Kinkhorst th...@debian.org  Mon, 06 Apr 2015 15:36:15 +
+
 mailman (1:2.1.18-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru mailman-2.1.18/debian/config mailman-2.1.18/debian/config
--- mailman-2.1.18/debian/config	2012-06-16 09:50:23.0 +
+++ mailman-2.1.18/debian/config	2015-04-06 15:30:32.0 +
@@ -1,5 +1,5 @@
 #! /bin/sh -e
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/config $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/config $
 # $Id: config 693 2011-10-08 15:30:38Z thijs $
 
 . /usr/share/debconf/confmodule
diff -Nru mailman-2.1.18/debian/control mailman-2.1.18/debian/control
--- mailman-2.1.18/debian/control	2014-07-10 18:19:25.0 +
+++ mailman-2.1.18/debian/control	2015-04-06 15:30:32.0 +
@@ -4,7 +4,6 @@
 Maintainer: Mailman for Debian pkg-mailman-hack...@lists.alioth.debian.org
 Uploaders: Lionel Elie Mamane lmam...@debian.org,
  Thijs Kinkhorst th...@debian.org,
- Thorsten Glaser t...@mirbsd.de,
  Hector Garcia hec...@debian.org
 Build-Depends: debhelper (= 7), autoconf, python-dev (= 2.6.6-3~), gettext, python-dnspython
 Standards-Version: 3.9.5
diff -Nru mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch
--- mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	1970-01-01 00:00:00.0 +
+++ mailman-2.1.18/debian/patches/92_CVE-2015-2775.patch	2015-04-06 15:44:18.0 +
@@ -0,0 +1,34 @@
+From: Mark Sapiro m...@msapiro.net
+Subject: Fix path traversal through local_part (CVE-2015-2775)
+Origin: upstream, https://launchpadlibrarian.net/201407944/p
+Bug: https://bugs.launchpad.net/mailman/+bug/1437145
+Bug-Debian: http://bugs.debian.org/781626
+
+diff -ur mailman-2.1.18.orig/Mailman/Defaults.py.in mailman-2.1.18/Mailman/Defaults.py.in
+--- mailman-2.1.18.orig/Mailman/Defaults.py.in	2014-05-03 17:37:22.0 +
 mailman-2.1.18/Mailman/Defaults.py.in	2015-04-06 15:43:20.0 +
+@@ -138,7 +138,7 @@
+ 
+ # A Python regular expression character class which defines the characters
+ # allowed in list names.  Lists cannot be created with names containing any
+-# character that doesn't match this class.
++# character that doesn't match this class.  Do not include '/' in this list.
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9]'
+ 
+ 
+diff -ur mailman-2.1.18.orig/Mailman/Utils.py mailman-2.1.18/Mailman/Utils.py
+--- mailman-2.1.18.orig/Mailman/Utils.py	2014-05-03 17:37:22.0 +
 mailman-2.1.18/Mailman/Utils.py	2015-04-06 15:43:20.0 +
+@@ -99,6 +99,12 @@
+ #
+ # The former two are for 2.1alpha3 and beyond, while the latter two are
+ # for all earlier versions.
++#
++# But first ensure the list name doesn't contain a path traversal
++# attack.
++if len(re.sub(mm_cfg.ACCEPTABLE_LISTNAME_CHARACTERS, '', listname))  0:
++syslog('mischief', 'Hostile listname: %s', listname)
++return False
+ basepath = Site.get_listpath(listname)
+ for ext in ('.pck', '.pck.last', '.db', '.db.last'):
+ dbfile = os.path.join(basepath, 'config' + ext)
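Review bot: the new guard depends entirely on `ACCEPTABLE_LISTNAME_CHARACTERS`, which is site-configurable through mm_cfg, and the only thing stopping a site from reintroducing the traversal is the comment added in Defaults.py.in ("Do not include '/' in this list"); an explicit, non-configurable rejection of `os.sep` (and `os.altsep`) in `listname` next to this `re.sub` check would not rely on that. Also, because '.' is inside the default class, a name made only of dots such as `..` passes the filter and reaches `Site.get_listpath`; confirm that cannot resolve to a `config.pck` outside the lists directory, or require at least one alphanumeric character in the name.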
diff -Nru mailman-2.1.18/debian/patches/series mailman-2.1.18/debian/patches/series
--- mailman-2.1.18/debian/patches/series	2014-07-10 17:59:41.0 +
+++ mailman-2.1.18/debian/patches/series	2015-04-06 15:36:11.0 +
@@ -10,3 +10,4 @@
 79_archiver_slash.patch
 90_gettext_errors.patch
 91_utf8.patch
+92_CVE-2015-2775.patch
diff -Nru mailman-2.1.18/debian/postinst mailman-2.1.18/debian/postinst
--- mailman-2.1.18/debian/postinst	2012-06-16 09:50:23.0 +
+++ mailman-2.1.18/debian/postinst	2015-04-06 15:30:32.0 +
@@ -7,7 +7,7 @@
 # Other modifications 2004-2007 by other maintainers of the Debian package:
 #  Lionel Elie Mamane, Thijs Kinkhorst, Riccardo Setti, Matej Vela, Hector Garcia, László Böszörményi, Bernd S. Brentrup, ...
 #
-# $URL: svn+ssh://svn.debian.org/svn/svn/pkg-mailman/trunk/debian/postinst $
+# $URL: svn+ssh://svn.debian.org/svn/pkg-mailman/trunk/debian/postinst $
 # $Id: postinst 693 2011-10-08 15:30:38Z thijs $
 #
 . /usr/share/debconf/confmodule
diff -Nru

Bug#776325: wheezy-pu: package pound/2.6-2+deb7u1

2015-02-02 Thread Thijs Kinkhorst
Hi Antonio,

On Mon, February 2, 2015 15:34, Antonio Terceiro wrote:
> ping :)

As a heads up, we're currently preparing a upload for stable-security
where this patch will most likely be included.

Thijs


-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/fab621ab30eb2a53179abfe8c887fc6f.squir...@aphrodite.kinkhorst.nl



Bug#776204: unblock: python-django/1.7.1-1.1

2015-01-25 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package python-django.

It fixes several security issues.

The NMU seems to add a stray .orig in the source package; but I reckon
that is harmless and should not block fixing the security issues.

unblock python-django/1.7.1-1.1

Thanks,
Thijs
diff -Nru python-django-1.7.1/debian/changelog python-django-1.7.1/debian/changelog
--- python-django-1.7.1/debian/changelog	2014-10-27 16:57:12.0 +0100
+++ python-django-1.7.1/debian/changelog	2015-01-17 00:22:26.0 +0100
@@ -1,3 +1,18 @@
+python-django (1.7.1-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-0219 - WSGI header spoofing via underscore/dash
+conflation
+  * Fix CVE-2015-0220 - Mitigated possible XSS attack via
+user-supplied redirect URLs.
+  * Fix CVE-2015-0221 - Denial-of-service attack against
+django.views.static.serve
+  * Fix CVE-2015-0222 - Database denial-of-service with 
+ModelMultipleChoiceField
+(Closes: #775375)
+
+ -- Neil Williams codeh...@debian.org  Fri, 16 Jan 2015 23:05:55 +
+
 python-django (1.7.1-1) unstable; urgency=medium
 
   [ Raphaël Hertzog ]
diff -Nru python-django-1.7.1/debian/patches/header-underscore.diff python-django-1.7.1/debian/patches/header-underscore.diff
--- python-django-1.7.1/debian/patches/header-underscore.diff	1970-01-01 01:00:00.0 +0100
+++ python-django-1.7.1/debian/patches/header-underscore.diff	2015-01-17 00:10:56.0 +0100
@@ -0,0 +1,128 @@
+Description: WSGI header spoofing via underscore/dash conflation
+ This issue has been assigned the CVE identifier CVE-2015-0219.
+ [PATCH] [1.7.x] Stripped headers containing underscores to prevent
+ spoofing in WSGI environ.
+ .
+ Thanks to Jedediah Smith for the report.
+ .
+---
+
+Author: Neil Williams codeh...@debian.org
+Bug-Debian: https://bugs.debian.org/775375
+Origin: upstream, https://github.com/django/django/commit/41b4bc73ee0da7b2e09f4af47fc1fd21144c710f.patch
+
+--- python-django-1.7.1.orig/django/core/servers/basehttp.py
 python-django-1.7.1/django/core/servers/basehttp.py
+@@ -155,6 +155,17 @@ class WSGIRequestHandler(simple_server.W
+ 
+ sys.stderr.write(msg)
+ 
++def get_environ(self):
++# Strip all headers with underscores in the name before constructing
++# the WSGI environ. This prevents header-spoofing based on ambiguity
++# between underscores and dashes both normalized to underscores in WSGI
++# env vars. Nginx and Apache 2.4+ both do this as well.
++for k, v in self.headers.items():
++if '_' in k:
++del self.headers[k]
++
++return super(WSGIRequestHandler, self).get_environ()
++
+ 
+ def run(addr, port, wsgi_handler, ipv6=False, threading=False):
+ server_address = (addr, port)
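Review bot: `del self.headers[k]` inside `for k, v in self.headers.items()` mutates the mapping being iterated; this is only safe if `items()` returns a fresh list on both the Python 2 (mimetools) and Python 3 (email.message) header classes Django 1.7 runs on, so either a comment stating that or iterating over `list(self.headers.keys())` would make the intent robust, and `v` is unused in the loop. Since the strip lives in `get_environ` of the development server only, the docs warning in the next hunk correctly tells deployers that their production front-end must do the same.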
+--- python-django-1.7.1.orig/docs/howto/auth-remote-user.txt
 python-django-1.7.1/docs/howto/auth-remote-user.txt
+@@ -64,6 +64,22 @@ If your authentication mechanism uses a
+ class CustomHeaderMiddleware(RemoteUserMiddleware):
+ header = 'HTTP_AUTHUSER'
+ 
++.. warning::
++
++Be very careful if using a ``RemoteUserMiddleware`` subclass with a custom
++HTTP header. You must be sure that your front-end web server always sets or
++strips that header based on the appropriate authentication checks, never
++permitting an end-user to submit a fake (or spoofed) header value. Since
++the HTTP headers ``X-Auth-User`` and ``X-Auth_User`` (for example) both
++normalize to the ``HTTP_X_AUTH_USER`` key in ``request.META``, you must
++also check that your web server doesn't allow a spoofed header using
++underscores in place of dashes.
++
++This warning doesn't apply to ``RemoteUserMiddleware`` in its default
++configuration with ``header = 'REMOTE_USER'``, since a key that doesn't
++start with ``HTTP_`` in ``request.META`` can only be set by your WSGI
++server, not directly from an HTTP request header.
++
+ If you need more control, you can create your own authentication backend
+ that inherits from :class:`~django.contrib.auth.backends.RemoteUserBackend` and
+ override one or more of its attributes and methods.
+--- /dev/null
 python-django-1.7.1/tests/servers/test_basehttp.py
+@@ -0,0 +1,67 @@
++import sys
++
++from django.core.servers.basehttp import WSGIRequestHandler
++from django.test import TestCase
++from django.utils.six import BytesIO, StringIO
++
++
++class Stub(object):
++def __init__(self, **kwargs):
++self.__dict__.update(kwargs)
++
++
++class WSGIRequestHandlerTestCase(TestCase):
++
++def test_strips_underscore_headers(self):
++WSGIRequestHandler ignores headers containing underscores.
++
++This follows the lead of nginx and Apache 2.4, and is to avoid
++ambiguity between dashes and underscores in mapping to WSGI environ,
++which can have security 

Bug#776200: unblock: websvn/2.3.3-1.2

2015-01-25 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package websvn.

It fixes a security issue.

unblock websvn/2.3.3-1.2


Thanks,
Thijs
diff -Nru websvn-2.3.3/debian/changelog websvn-2.3.3/debian/changelog
--- websvn-2.3.3/debian/changelog	2012-04-17 17:32:27.0 +
+++ websvn-2.3.3/debian/changelog	2015-01-24 12:42:37.0 +
@@ -1,3 +1,11 @@
+websvn (2.3.3-1.2) unstable; urgency=high
+
+  * Non-maintainer upload by the security team.
+  * Disable download of in-repository symlinks to prevent arbitrary
+file access (CVE-2013-6892, Closes: #775682).
+
+ -- Thijs Kinkhorst th...@debian.org  Sat, 24 Jan 2015 12:31:44 +
+
 websvn (2.3.3-1.1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch
--- websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	1970-01-01 00:00:00.0 +
+++ websvn-2.3.3/debian/patches/13_security_CVE-2013-6892.patch	2015-01-24 12:41:10.0 +
@@ -0,0 +1,39 @@
+Arbitrary files with a known path can be accessed in websvn by committing a
+symlink to a repository and then downloading the file (using the download
+link).
+
+Author: Thijs Kinkhorst th...@debian.org
+
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775682
+
+diff -ur oud/dl.php nieuw/dl.php
+--- oud/dl.php	2015-01-18 16:03:30.688791512 +0100
 nieuw/dl.php	2015-01-18 16:27:00.950897749 +0100
+@@ -137,6 +137,18 @@
+ 		exit(0);
+ 	}
+ 
++	// For security reasons, disallow direct downloads of filenames that
++	// are a symlink, since they may be a symlink to anywhere (/etc/passwd)
++	// Deciding whether the symlink is relative and legal within the
++	// repository would be nice but seems to error prone at this moment.
++	if ( is_link($tempDir.DIRECTORY_SEPARATOR.$archiveName) ) {
++		header('HTTP/1.x 500 Internal Server Error', true, 500);
++		error_log('to be downloaded file is symlink, aborting: '.$archiveName);
++		print 'Download of symlinks disallowed: '.xml_entities($archiveName).'.';
++		removeDirectory($tempDir);
++		exit(0);
++	}
++
+ 	// Set timestamp of exported directory (and subdirectories) to timestamp of
+ 	// the revision so every archive of a given revision has the same timestamp.
+ 	$revDate = $logEntry-date;
+@@ -180,7 +192,7 @@
+ 		$downloadMimeType = 'application/x-zip';
+ 		$downloadArchive .= '.zip';
+ 		// Create zip file
+-		$cmd = $config-zip.' -r '.quote($downloadArchive).' '.quote($archiveName);
++		$cmd = $config-zip.' --symlinks -r '.quote($downloadArchive).' '.quote($archiveName);
+ 		execCommand($cmd, $retcode);
+ 		if ($retcode != 0) {
+ 			error_log('Unable to call zip command: '.$cmd);
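Review bot: answering a request the application deliberately refuses with `HTTP/1.x 500 Internal Server Error` is misleading for operators reading logs; a 403 describes the situation and is easier to alert on. Escaping `$archiveName` with `xml_entities` for the message is right. The `--symlinks` flag is only added to the zip command in this hunk, so symlinks inside an exported directory are stored rather than followed for zip archives; check that the other archive format branches of dl.php (not in this hunk) get the same treatment, since the `is_link` check above only covers the top-level `$archiveName`. Minor: "seems to error prone" in the new comment should read "seems too error prone".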
diff -Nru websvn-2.3.3/debian/patches/series websvn-2.3.3/debian/patches/series
--- websvn-2.3.3/debian/patches/series	2011-06-11 15:01:59.0 +
+++ websvn-2.3.3/debian/patches/series	2015-01-24 12:41:27.0 +
@@ -1,3 +1,4 @@
+13_security_CVE-2013-6892.patch
 21_fix_conf_file.patch
 22_use_global_geshi.patch
 25_readme_multiviews


Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
Hi ftpmaster,

Op maandag 12 januari 2015 19:18:28 schreef Adam D. Barratt:
> On Mon, 2015-01-12 at 19:15 +0100, Thijs Kinkhorst wrote:
>> This is not something we do very routinely, so I'd like to confirm: if
>> these binNMU's are triggered for stable-security, do they still end up
>> in the security-master queue so they can be released in a coordinated
>> way?
>
> I think so, but it's not something I've any experience with for the
> security archive either; might be worth confirming with ftp-master?

Can you confirm: when triggering binNMU's for the security archive, do these 
end up in the embargoed queue so they can be released at a given moment by 
new-security-install, or are they installed immediately?


Thanks,
Thijs




Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
On Mon, January 12, 2015 20:18, Ansgar Burchardt wrote:
> Hi,
>
> Thijs Kinkhorst th...@debian.org writes:
>> Op maandag 12 januari 2015 19:18:28 schreef Adam D. Barratt:
>>> On Mon, 2015-01-12 at 19:15 +0100, Thijs Kinkhorst wrote:
>>>> This is not something we do very routinely, so I'd like to confirm: if
>>>> these binNMU's are triggered for stable-security, do they still end up
>>>> in the security-master queue so they can be released in a coordinated
>>>> way?
>>>
>>> I think so, but it's not something I've any experience with for the
>>> security archive either; might be worth confirming with ftp-master?
>>
>> Can you confirm: when triggering binNMU's for the security archive, do
>> these end up in the embargoed queue so they can be released at a given
>> moment by new-security-install, or are they installed immediately?
>
> They should[1] end up in the policy queue as long as no package with the
> same version number has been accepted yet (which can happen with binNMU
> version skew between architectures). In the latter case, you just have
> to make sure there are no ACCEPT(ED) comments for the uploads.
>
> Note that the archive requires the source package to already be in the
> target suite (or a base suite in case of overlays like p-u or
> experimental). In particular this means you cannot schedule binNMUs for
> the security archive for source packages not present there.

Thanks for the explanation. I'll add it to our documentation.

Stephen: the last sentence makes it clear that we'll need a sourceful
upload to security-master. Can you arrange for that?


Cheers,
Thijs


Archive: https://lists.debian.org/f2525ff7050416f67d40b7d80921b807.squir...@aphrodite.kinkhorst.nl



Bug#775165: nmu: binutils-mingw-w64_2 (wheezy-security, wheezy-p-u)

2015-01-12 Thread Thijs Kinkhorst
Op maandag 12 januari 2015 08:15:39 schreef Adam D. Barratt:
> On Mon, 2015-01-12 at 06:47 +0100, Stephen Kitt wrote:
>> binutils was recently updated in wheezy-security and wheezy-p-u to fix
>> a number of security issues identified in DSA-3123-1; of these, a
>> number concern binutils-mingw-w64 as well, so it would be great if it
>> could be rebuilt in those suites... (It will pick up the patches from
>> binutils-source.)
>
> We won't schedule binNMUs in -security for packages that DSAs haven't
> been issued for, at least not without the security team's request /
> agreement - it's just going to confuse everyone.

This is not something we do very routinely, so I'd like to confirm: if these 
binNMU's are triggered for stable-security, do they still end up in the 
security-master queue so they can be released in a coordinated way?

I think if so we can then send a -2 DSA announcing the availability of these 
packages (-2 because we 'normally' announce any such to-be-rebuilt packages in 
the same DSA -1 as the base package).


Cheers,
Thijs




Bug#773782: unblock: znc/1.4-2

2014-12-23 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package znc.

The upload adds an upstream patch that allows to disable SSL
protocols, and disables SSLv2 and SSLv3.

unblock znc/1.4-2

Thanks,
Thijs


Archive: https://lists.debian.org/20141223093202.3886.66717.report...@tetraquark.soleus.nu



Bug#772124: unblock: simplesamlphp/1.13.1-2

2014-12-05 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package simplesamlphp. This version adds a single patch
to address extreme memory consumption when processing large XML files.
This has become a significant real world problem because recently many
federations have been publishing more entities to e.g. the eduGAIN feed.
(Debian bug #772121)

The patch is from upstream and has been tested for a few years already
at different sites, and part of upstream release 1.13.2 released a month
ago with many relieved user reports and no bugs found.

unblock simplesamlphp/1.13.1-2

Thanks,
Thijs
diff -Nru simplesamlphp-1.13.1/debian/changelog simplesamlphp-1.13.1/debian/changelog
--- simplesamlphp-1.13.1/debian/changelog	2014-10-27 19:23:50.0 +
+++ simplesamlphp-1.13.1/debian/changelog	2014-12-05 10:14:08.0 +
@@ -1,3 +1,11 @@
+simplesamlphp (1.13.1-2) unstable; urgency=medium
+
+  * Add xmlc14n.patch fixing extreme resource consumption when processing
+large metadata files (closes: #772121).
+See: https://simplesamlphp.org/metaprocessing 
+
+ -- Thijs Kinkhorst th...@debian.org  Fri, 05 Dec 2014 10:13:00 +
+
 simplesamlphp (1.13.1-1) unstable; urgency=medium
 
   * New upstream bugfix release.
diff -Nru simplesamlphp-1.13.1/debian/patches/series simplesamlphp-1.13.1/debian/patches/series
--- simplesamlphp-1.13.1/debian/patches/series	2014-08-18 09:11:23.0 +
+++ simplesamlphp-1.13.1/debian/patches/series	2014-12-05 10:12:56.0 +
@@ -1 +1,2 @@
 debian_config.patch
+xmlc14n.patch
diff -Nru simplesamlphp-1.13.1/debian/patches/xmlc14n.patch simplesamlphp-1.13.1/debian/patches/xmlc14n.patch
--- simplesamlphp-1.13.1/debian/patches/xmlc14n.patch	1970-01-01 00:00:00.0 +
+++ simplesamlphp-1.13.1/debian/patches/xmlc14n.patch	2014-12-05 10:12:47.0 +
@@ -0,0 +1,24 @@
+Subject: Add a workaround to canonicalization to address performance
+ problems in PHP = 5.2.
+ https://bugs.php.net/bug.php?id=53655
+ https://simplesamlphp.org/metaprocessing
+Origin: upstream release 1.13.2 
+Bug-Debian: http://bugs.debian.org/772121
+
+diff --git a/xmlseclibs.php b/xmlseclibs.php
+index 76a14e3..5fc561e 100644
+--- a/vendor/robrichards/xmlseclibs/xmlseclibs.php
 b/vendor/robrichards/xmlseclibs/xmlseclibs.php
+@@ -792,7 +792,11 @@ private function canonicalizeData($node, $canonicalmethod, $arXPath=NULL, $prefi
+ }
+ return C14NGeneral($node, $exclusive, $withComments);
+ }
+-return $node-C14N($exclusive, $withComments, $arXPath, $prefixList);
++$element = $node;
++if ($node instanceof DOMNode  $node-ownerDocument !== NULL  $node-isSameNode($node-ownerDocument-documentElement)) {
++$element = $node-ownerDocument;
++}
++return $element-C14N($exclusive, $withComments, $arXPath, $prefixList);
+ }
+ 
+ public function canonicalizeSignedInfo() {
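Review bot: the `diff --git a/xmlseclibs.php b/xmlseclibs.php` header names a top-level file while the `---`/`+++` lines below it point at `vendor/robrichards/xmlseclibs/xmlseclibs.php`; quilt only reads the latter, but the header should be corrected so the patch is self-consistent. On the logic, canonicalising `$node->ownerDocument` instead of the document element is only output-equivalent when there are no comments or processing instructions outside the root element or when `$withComments` is false; since `canonicalizeData` is also reached from `canonicalizeSignedInfo`, a comment stating that assumption (and why it holds for the metadata case the patch targets) would help the next person who touches this workaround.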


Bug#770799: RM: cyassl/2.9.4+dfsg-3 (ROST; NPOASR, security, no r-deps)

2014-11-24 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

Please remove cyassl from jessie. The library has a number of open security
issues affecting the version in jessie, but has no packages actually depending
on it.

While security team encourages packaging of cyassl separately to reduce
embedded code copies, for jessie this has not yet been achieved so we're
better off not shipping this library.


Thanks,
Thijs


Archive: https://lists.debian.org/20141124073542.23731.68627.report...@tetraquark.soleus.nu



Bug#770611: unblock: gnutls28/3.3.8-5

2014-11-22 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package gnutls28. The only change is a patch from upstream
to disable the obsolete protocol SSLv3. OpenSSL in jessie also has SSLv3
disabled.

unblock gnutls28/3.3.8-5


Thanks,
Thijs
diff -Nru gnutls28-3.3.8/debian/changelog gnutls28-3.3.8/debian/changelog
--- gnutls28-3.3.8/debian/changelog	2014-11-12 19:31:53.0 +0100
+++ gnutls28-3.3.8/debian/changelog	2014-11-20 19:25:24.0 +0100
@@ -1,3 +1,10 @@
+gnutls28 (3.3.8-5) unstable; urgency=medium
+
+  * Remove SSL 3.0 from default priorities list.
+Closes: #769904
+
+ -- Andreas Metzler ametz...@debian.org  Thu, 20 Nov 2014 19:25:20 +0100
+
 gnutls28 (3.3.8-4) unstable; urgency=high
 
   * Drop 31_fallback_to_RUSAGE_SELF.diff.
diff -Nru gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff
--- gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	1970-01-01 01:00:00.0 +0100
+++ gnutls28-3.3.8/debian/patches/40_no_more_ssl3.diff	2014-11-20 19:20:46.0 +0100
@@ -0,0 +1,64 @@
+Description: Remove SSL 3.0 from default priorities list.
+ .
+ This cherry-picks 0e75ac18627f8e92a2186cc7769df4851415ae4f (code change)
+ and ee83078f806d5ca6eccdbfd84371179589a37570 (doc update) from upstream
+ master branch.
+ .
+ Requested by Debian security for consistency with OpenSSL in jessie.
+Author: Nikos Mavrogiannopoulos n...@redhat.com
+Origin: upstream
+Bug-Debian: https://bugs.debian.org/769904
+Last-Update: 2014-11-19
+
+--- gnutls28-3.3.10.orig/doc/cha-gtls-app.texi
 gnutls28-3.3.10/doc/cha-gtls-app.texi
+@@ -992,7 +992,7 @@ algorithms to be enabled.
+ @end float
+ 
+ Unless the initial keyword is NONE the defaults (in preference
+-order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0, SSL3.0; for
++order) are for TLS protocols TLS 1.2, TLS1.1, TLS1.0; for
+ compression NULL; for certificate types X.509.
+ In key exchange algorithms when in NORMAL or SECURE levels the
+ perfect forward secrecy algorithms take precedence of the other
+@@ -1054,8 +1054,8 @@ GCM ciphers only). All algorithms from N
+ COMP-NULL, COMP-DEFLATE. Catch all is COMP-ALL.
+ 
+ @item TLS versions @tab
+-VERS-SSL3.0, VERS-TLS1.0, VERS-TLS1.1,
+-VERS-TLS1.2, VERS-DTLS1.2, VERS-DTLS1.0. 
++VERS-TLS1.0, VERS-TLS1.1, VERS-TLS1.2,
++VERS-DTLS1.0, VERS-DTLS1.2. 
+ Catch all is VERS-TLS-ALL and VERS-DTLS-ALL.
+ 
+ @item Signature algorithms @tab
+@@ -1199,8 +1199,8 @@ Specifying RSA with AES-128-CBC:
+ Specifying the defaults except ARCFOUR-128:
+ NORMAL:-ARCFOUR-128
+ 
+-Enabling the 128-bit secure ciphers, while disabling SSL 3.0 and enabling compression:
+-SECURE128:-VERS-SSL3.0:+COMP-DEFLATE
++Enabling the 128-bit secure ciphers, while disabling TLS 1.0 and enabling compression:
++SECURE128:-VERS-TLS1.0:+COMP-DEFLATE
+ 
+ Enabling the 128-bit and 192-bit secure ciphers, while disabling all TLS versions 
+ except TLS 1.2:
+@@ -1593,7 +1593,7 @@ options that are known to cause compatib
+ NORMAL:%COMPAT
+ @end verbatim
+ 
+-For broken peers that do not tolerate TLS version numbers over TLS 1.0
++For very old broken peers that do not tolerate TLS version numbers over TLS 1.0
+ another priority string is:
+ @verbatim
+ NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
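Review bot: the example kept at the end of this hunk, `NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT`, still explicitly re-enables SSL 3.0, which this very patch removes from the defaults; the doc should say that using it undoes that removal and is only for a known, specific peer, or the example should drop `+VERS-SSL3.0` and mention the keyword separately.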
+--- gnutls28-3.3.10.orig/lib/gnutls_priority.c
 gnutls28-3.3.10/lib/gnutls_priority.c
+@@ -273,7 +273,6 @@ static const int protocol_priority[] = {
+ 	GNUTLS_TLS1_2,
+ 	GNUTLS_TLS1_1,
+ 	GNUTLS_TLS1_0,
+-	GNUTLS_SSL3,
+ 	GNUTLS_DTLS1_2,
+ 	GNUTLS_DTLS1_0,
+ 	0
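Review bot: only `protocol_priority` loses `GNUTLS_SSL3` here, and the file headers name `gnutls28-3.3.10.orig/` although the package is 3.3.8, so it is worth confirming with `quilt push` that the cherry-pick applies at the same offsets in 3.3.8 and that no other preset table in gnutls_priority.c still lists `GNUTLS_SSL3`; otherwise the default would be clean while a keyword-selected preset still offers SSL 3.0.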
diff -Nru gnutls28-3.3.8/debian/patches/series gnutls28-3.3.8/debian/patches/series
--- gnutls28-3.3.8/debian/patches/series	2014-11-12 19:16:31.0 +0100
+++ gnutls28-3.3.8/debian/patches/series	2014-11-20 19:20:49.0 +0100
@@ -5,3 +5,4 @@
 36_less_refresh-rnd-state.diff
 37_X9.63_sanity_check.diff
 38_testforsanitycheck.diff
+40_no_more_ssl3.diff


Re: Bug#769781: polarssl: disable SSLv3 also in jessie

2014-11-18 Thread Thijs Kinkhorst
Hi Roland,

On Mon, November 17, 2014 10:02, Roland Stigge wrote:
 On 11/16/2014 01:17 PM, Thijs Kinkhorst wrote:
 Sorry, I have to change my request because I've now seen that the new
 upstream release of polarssl also fixes some other security issues.

 Will you be contacting the release team for an unblock request?

 Yes, I also got the note from Moritz that polarssl 1.3.9 fixes 2 further
 CVEs. Therefore, I'm requesting an unblock request for polarssl 1.3.9-2
 to jessie (formally attaching the diff and diffstat).

Thanks, but the release team has made it explicit that you need to file a
bug against release.debian.org with the unblock request (e.g. by using
reportbug release.debian.org and choosing 'unblock').


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/60cf500f4cc022523819b95f8038c140.squir...@aphrodite.kinkhorst.nl



Bug#769583: unblock: bind9/ 9.9.5 with patch or 9.9.6?

2014-11-17 Thread Thijs Kinkhorst
On Sun, November 16, 2014 17:01, Daniel Pocock wrote:
 On 16 November 2014 16:58:47 CET, Jonathan Wiltshire j...@debian.org
Did you get any responses from elsewhere to this?

 Not yet, I'll follow up after the weekend.  If no response, I'm happy to
 NMU the one line fix to copy the missing header into the dev package,
 please advise if that would be OK for the release team.

From the security team side I don't think we see a strong case to move to
9.9.6 at this point...


Thijs


-- 
Archive: 
https://lists.debian.org/c47d3ccc860407573832ddefcf05cfa1.squir...@aphrodite.kinkhorst.nl



Bug#769279: Bug#769046: inn2: Allow for better TLS configurability

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 12:55, Marco d'Itri wrote:
 Can I merge this for jessie?

I'd strongly prefer if we could indeed merge this for jessie.

 INN, at the moment, supports TLS connections to nnrpd, but does not
 allow any configuration besides the certificate and key.

 +=item Itlsprotocols
 +
 +The list of TLS protocol versions to support. Valid protocols are
 +BSSLv2, BSSLv3, BTLSv1, BTLSv1.1 and BTLSv1.2. The default
 +value is B[ SSLv3 TLSv1 TLSv1.1 TLSv1.2 ].

Can you remove SSLv3 from the default list?

You could consider to leave out SSLv2 from the possibilities.

 +=item Itlscompression
 +
 +Whether to enable or disable TLS compression support (boolean). The
 +default is true.

Can we default this to false?


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/e5c25d376e8b320619f815bcb934f4fe.squir...@aphrodite.kinkhorst.nl



Bug#769279: Bug#769046: inn2: Allow for better TLS configurability

2014-11-12 Thread Thijs Kinkhorst
On Wed, November 12, 2014 14:29, Marco d'Itri wrote:
 On Nov 12, Thijs Kinkhorst th...@debian.org wrote:

 Can you remove SSLv3 from the default list?
 I do not know the implications wrt clients support.
 Christian, did you do any tests?

  +=item Itlscompression
  +Whether to enable or disable TLS compression support (boolean). The
  +default is true.
 Can we default this to false?
 This is not really useful because CRIME cannot be exploited over NNTP.

Indeed. So that's not really necessary then.


Thijs


-- 
Archive: 
https://lists.debian.org/57e8635742a2dde3b9122e11d2b50aa3.squir...@aphrodite.kinkhorst.nl



Bug#769164: unblock: file/1:5.20-2

2014-11-11 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package file.

 * Fixes a security issue, urgency set to high
 * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
   Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
   Closes: #768806

unblock file/1:5.20-2


Thanks,
Thijs
diff -Nru file-5.20/debian/changelog file-5.20/debian/changelog
--- file-5.20/debian/changelog	2014-10-19 15:07:48.0 +0200
+++ file-5.20/debian/changelog	2014-11-09 17:53:20.0 +0100
@@ -1,3 +1,12 @@
+file (1:5.20-2) unstable; urgency=high
+
+  * Fixes a security issue, urgency set to high
+  * Cherry-pick upstream commit FILE5_20-5-g39c7ac1:
+Fix note bounds reading, Francisco Alonso / Red Hat (CVE-2014-3710).
+Closes: #768806
+
+ -- Christoph Biedl debian.a...@manchmal.in-ulm.de  Sun, 09 Nov 2014 14:46:05 +0100
+
 file (1:5.20-1) unstable; urgency=low
 
   * New upstream version 5.20. Addresses:
diff -Nru file-5.20/debian/patches/CVE-2014-3710.patch file-5.20/debian/patches/CVE-2014-3710.patch
--- file-5.20/debian/patches/CVE-2014-3710.patch	1970-01-01 01:00:00.0 +0100
+++ file-5.20/debian/patches/CVE-2014-3710.patch	2014-11-09 15:20:57.0 +0100
@@ -0,0 +1,24 @@
+Subject: Fix note bounds reading, Francisco Alonso / Red Hat
+ID: CVE-2014-3710
+Author: Christos Zoulas chris...@zoulas.com
+Date: Fri Oct 17 15:49:00 2014 +
+Origin:
+commit 39c7ac1106be844a5296d3eb5971946cc09ffda0
+Last-Update: 2014-11-09
+
+--- a/src/readelf.c
 b/src/readelf.c
+@@ -477,6 +477,13 @@
+ 	uint32_t namesz, descsz;
+ 	unsigned char *nbuf = CAST(unsigned char *, vbuf);
+ 
++	if (xnh_sizeof + offset  size) {
++		/*
++		 * We're out of note headers.
++		 */
++		return xnh_sizeof + offset;
++	}
++
+ 	(void)memcpy(xnh_addr, nbuf[offset], xnh_sizeof);
+ 	offset += xnh_sizeof;
+ 
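Review bot: the new guard `if (xnh_sizeof + offset  size)` has lost its operator in the hunk as shown here (upstream commit 39c7ac1 uses `>`); with `>`, a header that ends exactly at `size` is still read in full, which is correct. Because `offset` comes from the caller, writing the guard as `offset > size || size - offset < xnh_sizeof` would also rule out wrap-around in the addition, and the caller loop (outside this hunk) must treat the returned `xnh_sizeof + offset` as a stop condition rather than re-entering with an offset past `size`.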
diff -Nru file-5.20/debian/patches/series file-5.20/debian/patches/series
--- file-5.20/debian/patches/series	2014-10-19 12:06:17.0 +0200
+++ file-5.20/debian/patches/series	2014-11-09 15:14:12.0 +0100
@@ -9,3 +9,4 @@
 0010-mdadm.patch
 0011-btrfs.patch
 0012-lxt.patch
+CVE-2014-3710.patch
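
The patch above guards a single note header. What follows is an added example, not code from file(1) or from the Debian package, of how a practitioner would walk an ELF note segment so that the header, the name and the descriptor are each checked against the buffer size before being read, which is the class of bug CVE-2014-3710 belongs to. It assumes 32-bit little-endian header fields and 4-byte padding (ELF32 and ELF64 notes share that 12-byte header layout); the two-note sample buffer is constructed inline and is not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not file(1)'s readelf.c.  Assumptions: 32-bit little-endian
 * header fields (namesz, descsz, type) and 4-byte padding after the name and
 * the descriptor.  ELF32 and ELF64 share this 12-byte header. */
#define NOTE_HDR_SIZE 12u

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

static size_t align4(size_t n) { return (n + 3u) & ~(size_t)3u; }

/* Parse the note at `offset`.  Returns the offset of the next note, or 0 if
 * the header, the name or the descriptor would extend past `size`.  The
 * header is checked before it is read (the CVE-2014-3710 point), and every
 * check is phrased as `size - offset < needed`, so nothing can wrap around. */
size_t parse_note(const unsigned char *buf, size_t size, size_t offset,
                  char *name_out, size_t name_cap, uint32_t *type_out)
{
    if (offset > size || size - offset < NOTE_HDR_SIZE)
        return 0;                               /* out of note headers */
    uint32_t namesz = rd32le(buf + offset);
    uint32_t descsz = rd32le(buf + offset + 4);
    uint32_t type   = rd32le(buf + offset + 8);
    offset += NOTE_HDR_SIZE;

    /* namesz is checked before align4() so a huge value never reaches it. */
    if (size - offset < namesz || size - offset < align4(namesz))
        return 0;                               /* name does not fit */
    if (name_out != NULL && name_cap > 0) {
        size_t n = namesz < name_cap - 1 ? namesz : name_cap - 1;
        memcpy(name_out, buf + offset, n);      /* truncating copy, always NUL-terminated */
        name_out[n] = '\0';
    }
    offset += align4(namesz);

    if (size - offset < descsz || size - offset < align4(descsz))
        return 0;                               /* descriptor does not fit */
    offset += align4(descsz);

    if (type_out != NULL)
        *type_out = type;
    return offset;
}

/* Number of complete notes in buf; stops at the first one that would
 * read past `size` instead of reading past it. */
size_t count_notes(const unsigned char *buf, size_t size)
{
    size_t count = 0, off = 0, next;
    while ((next = parse_note(buf, size, off, NULL, 0, NULL)) != 0) {
        off = next;
        count++;
    }
    return count;
}

/* Append one note; `name` is NUL-terminated and stored including its NUL. */
static size_t put_note(unsigned char *buf, size_t len, const char *name,
                       uint32_t type, const unsigned char *desc, uint32_t descsz)
{
    uint32_t namesz = (uint32_t)strlen(name) + 1;
    wr32le(buf + len, namesz); wr32le(buf + len + 4, descsz); wr32le(buf + len + 8, type);
    len += NOTE_HDR_SIZE;
    memset(buf + len, 0, align4(namesz)); memcpy(buf + len, name, namesz);
    len += align4(namesz);
    memset(buf + len, 0, align4(descsz)); memcpy(buf + len, desc, descsz);
    return len + align4(descsz);
}

/* Constructed sample: a 16-byte build-id style note (32 bytes on disk)
 * followed by a short second note (24 bytes).  Returns the length; *out
 * points at a static buffer. */
static size_t sample(unsigned char **out)
{
    static unsigned char buf[128];
    static const unsigned char build_id[16] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4,
                                                5, 6, 7, 8, 9, 10, 11, 12 };
    static const unsigned char abi[4] = { 0, 0, 0, 0 };
    size_t len = put_note(buf, 0, "GNU", 3, build_id, sizeof build_id);
    len = put_note(buf, len, "Linux", 1, abi, sizeof abi);
    *out = buf;
    return len;                                 /* 56 bytes */
}

/* Notes found after dropping `truncate_by` bytes from the end of the sample. */
size_t sample_count(size_t truncate_by)
{
    unsigned char *b;
    size_t n = sample(&b);
    return truncate_by > n ? 0 : count_notes(b, n - truncate_by);
}

/* 1 if the first sample note parses as name "GNU", type 3, ending at byte 32. */
int sample_first_note_ok(void)
{
    unsigned char *b; char name[16]; uint32_t type = 0;
    size_t n = sample(&b);
    return parse_note(b, n, 0, name, sizeof name, &type) == 32 &&
           strcmp(name, "GNU") == 0 && type == 3;
}

/* 1 if a header claiming namesz = 0xffffffff is rejected rather than wrapped. */
int huge_namesz_rejected(void)
{
    unsigned char hdr[NOTE_HDR_SIZE];
    wr32le(hdr, 0xffffffffu); wr32le(hdr + 4, 0); wr32le(hdr + 8, 0);
    return parse_note(hdr, sizeof hdr, 0, NULL, 0, NULL) == 0;
}

int main(void)
{
    unsigned char *b;
    size_t n = sample(&b);
    printf("%zu notes in %zu bytes, %zu after truncating 20 bytes\n",
           count_notes(b, n), n, count_notes(b, n - 20));
    return 0;
}
```

Truncating the sample anywhere inside the second note makes `parse_note` return 0 for that note instead of reading past the end of the buffer; the 20-byte truncation leaves only 4 bytes of the second header, which is exactly the "out of note headers" case the file(1) fix addresses.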


Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-10 Thread Thijs Kinkhorst
On Sat, November 8, 2014 22:25, intrigeri wrote:
 I doubt it would add much value, but Jonathan's point was about
 getting enough information to assess severity, so perhaps you could
 tell the release team what severity you _would_ set for each of these
 bugs in the Debian BTS, if they were reported there?

These are the issues fixed in this release.
https://github.com/simplesamlphp/simplesamlphp/issues/97 - normal
https://github.com/simplesamlphp/simplesamlphp/issues/99 - important
https://github.com/simplesamlphp/simplesamlphp/issues/104 - important
https://github.com/simplesamlphp/simplesamlphp/issues/109 - minor
https://github.com/simplesamlphp/simplesamlphp/issues/114 - normal
https://github.com/simplesamlphp/simplesamlphp/issues/117 - minor


Thanks,
Thijs


-- 
Archive: 
https://lists.debian.org/46ac6ca8b9a10d7ec2cd17efe3cdc73d.squir...@aphrodite.kinkhorst.nl



Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-07 Thread Thijs Kinkhorst
On Fri, November 7, 2014 12:52, Jonathan Wiltshire wrote:
 On 2014-11-07 07:30, Thijs Kinkhorst wrote:
 This is an upstream release limited to strictly bugfixes.

 Are there corresponding Debian bugs so we can assess severity please?

These are the issues fixed in this release.
https://github.com/simplesamlphp/simplesamlphp/issues/97
https://github.com/simplesamlphp/simplesamlphp/issues/99
https://github.com/simplesamlphp/simplesamlphp/issues/104
https://github.com/simplesamlphp/simplesamlphp/issues/109
https://github.com/simplesamlphp/simplesamlphp/issues/114
https://github.com/simplesamlphp/simplesamlphp/issues/117

Does it add much value to re-file them in the Debian BTS?


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/4052ddb9e746da2e91fa3904ff0eaa14.squir...@aphrodite.kinkhorst.nl



Bug#768403: unblock: ttytter/2.1.0+1-1

2014-11-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package ttytter/2.1.0+1-1.

This update fixes two important or serious bugs: connections to the
OAuth API are now made over SSL by default (#736446, #760815) and a spurious
warning in the main display is addressed (#756960).

unblock ttytter/2.1.0+1-1

Thanks,
Thijs
diff -Nru ttytter-2.1.0/2.1.00.txt ttytter-2.1.0+1/2.1.00.txt
--- ttytter-2.1.0/2.1.00.txt	2012-12-28 00:56:55.0 +0100
+++ ttytter-2.1.0+1/2.1.00.txt	2014-01-15 06:20:47.0 +0100
@@ -634,6 +634,7 @@
 # default command line options
 
 $anonymous ||= 0;
+$ssl ||= 1;
 die(** -anonymous is no longer supported with Twitter (you must use -apibase also)\n)
 	if ($anonymous  !length($apibase));
 undef $user if ($anonymous);
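Review bot: `$ssl ||= 1;` only supplies a default, so a configuration that already sets `$ssl` to 0 keeps talking to the OAuth API in cleartext after this upgrade; since the changelog advertises SSL by default, a NEWS or changelog note that an explicit `ssl=0` still wins would save users from a false sense of safety. The `die(...)` line that follows also shows `$anonymous  !length($apibase)` without its `&&`, apparently lost in transit rather than in the source.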
@@ -4241,15 +4242,15 @@
 		# choose the MOST restrictive and normalize that.
 
 			$rate_limit_left = min(
-0+$rate_limit_ref-{'resources'}-{'statuses'}-{'/statuses/home_timeline'}-{'remaining'},
+0+$rate_limit_ref-{'resources'}-{'statuses'}-{'\\/statuses\\/home_timeline'}-{'remaining'},
 min(
-0+$rate_limit_ref-{'resources'}-{'statuses'}-{'/statuses/mentions_timeline'}-{'remaining'},
-0+$rate_limit_ref-{'resources'}-{'search'}-{'/search/tweets'}-{'remaining'}));
+0+$rate_limit_ref-{'resources'}-{'statuses'}-{'\\/statuses\\/mentions_timeline'}-{'remaining'},
+0+$rate_limit_ref-{'resources'}-{'search'}-{'\\/search\\/tweets'}-{'remaining'}));
 			$rate_limit_rate = min(
-0+$rate_limit_ref-{'resources'}-{'statuses'}-{'/statuses/home_timeline'}-{'limit'},
+0+$rate_limit_ref-{'resources'}-{'statuses'}-{'\\/statuses\\/home_timeline'}-{'limit'},
 min(
-0+$rate_limit_ref-{'resources'}-{'statuses'}-{'/statuses/mentions_timeline'}-{'limit'},
-0+$rate_limit_ref-{'resources'}-{'search'}-{'/search/tweets'}-{'limit'}));
+0+$rate_limit_ref-{'resources'}-{'statuses'}-{'\\/statuses\\/mentions_timeline'}-{'limit'},
+0+$rate_limit_ref-{'resources'}-{'search'}-{'\\/search\\/tweets'}-{'limit'}));
 			if ($rate_limit_left  3  $rate_limit_rate) {
 $estring = 
 *** warning: API rate limit imminent;
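Review bot: the lookup keys now carry literal backslash-escaped slashes (`'\\/statuses\\/home_timeline'`), which presupposes that ttytter's own JSON handling keeps the `\/` escape inside hash keys; if a key does not match, `0+undef` silently yields 0 for both `$rate_limit_left` and `$rate_limit_rate`, and the condition on `$rate_limit_left` and `$rate_limit_rate` just below then never fires, so the rate-limit warning would be switched off rather than reported. A `defined` check on the looked-up values with a diagnostic would make the next key change visible.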
diff -Nru ttytter-2.1.0/debian/changelog ttytter-2.1.0+1/debian/changelog
--- ttytter-2.1.0/debian/changelog	2014-11-07 08:32:09.0 +0100
+++ ttytter-2.1.0+1/debian/changelog	2014-11-07 08:32:10.0 +0100
@@ -1,3 +1,11 @@
+ttytter (2.1.0+1-1) unstable; urgency=medium
+
+  * New upstream pseudorelease.
+- Accesses OAuth API over SSL by default (Closes: #736446, #760815).
+- Addresses rate limit warning (Closes: #756960).
+
+ -- Thijs Kinkhorst th...@debian.org  Thu, 30 Oct 2014 22:36:58 +0100
+
 ttytter (2.1.0-1) unstable; urgency=low
 
   * New upstream release (closes: #684335).
diff -Nru ttytter-2.1.0/debian/control ttytter-2.1.0+1/debian/control
--- ttytter-2.1.0/debian/control	2014-11-07 08:32:09.0 +0100
+++ ttytter-2.1.0+1/debian/control	2014-11-07 08:32:10.0 +0100
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Thijs Kinkhorst th...@debian.org
 Build-Depends: debhelper (= 9)
-Standards-Version: 3.9.3
+Standards-Version: 3.9.6
 Homepage: http://www.floodgap.com/software/ttytter/
 Vcs-Svn: https://svn.kinkhorst.nl/svn/debian/ttytter/trunk/
 Vcs-Browser: https://aphrodite.kinkhorst.nl/wsvn/debian/ttytter/


Bug#768402: unblock: simplesamlphp/1.13.1-1

2014-11-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package simplesamlphp/1.13.1-1

This is an upstream release limited to strictly bugfixes.

Attached debdiff shows the changes with autogenerated files removed;
the original debdiff is much larger because the upstream tarball
contains some .svn dirs with changed contents. These dirs are not
present in the binary package, and will be removed in the next
upstream release.

unblock simplesamlphp/1.13.1-1


Thanks,
Thijs
diff -Nru simplesamlphp-1.13.0/debian/changelog simplesamlphp-1.13.1/debian/changelog
--- simplesamlphp-1.13.0/debian/changelog	2014-09-25 20:27:30.0 +0200
+++ simplesamlphp-1.13.1/debian/changelog	2014-10-27 20:23:50.0 +0100
@@ -1,3 +1,9 @@
+simplesamlphp (1.13.1-1) unstable; urgency=medium
+
+  * New upstream bugfix release.
+
+ -- Thijs Kinkhorst th...@debian.org  Mon, 27 Oct 2014 19:23:35 +
+
 simplesamlphp (1.13.0-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru simplesamlphp-1.13.0/debian/control simplesamlphp-1.13.1/debian/control
--- simplesamlphp-1.13.0/debian/control	2014-08-18 11:11:23.0 +0200
+++ simplesamlphp-1.13.1/debian/control	2014-10-27 20:24:41.0 +0100
@@ -7,7 +7,7 @@
 Homepage: http://simplesamlphp.org/
 Vcs-Git: git://git.assembla.com/confusa_packaging
 Vcs-Browser: http://www.assembla.com/code/confusa_packaging/git/nodes
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
 
 Package: simplesamlphp
 Architecture: all 
diff -Nru simplesamlphp-1.13.0/debian/lintian-overrides simplesamlphp-1.13.1/debian/lintian-overrides
--- simplesamlphp-1.13.0/debian/lintian-overrides	2014-08-18 11:11:23.0 +0200
+++ simplesamlphp-1.13.1/debian/lintian-overrides	2014-10-27 20:25:30.0 +0100
@@ -1,3 +1,2 @@
 simplesamlphp: non-standard-dir-perm var/lib/simplesamlphp/data/ 0730 != 0755
 simplesamlphp: non-standard-dir-perm var/log/simplesamlphp/ 0730 != 0755
-simplesamlphp: package-contains-empty-directory usr/share/simplesamlphp/modules/openid/hooks/
diff -Nru simplesamlphp-1.13.0/debian/rules simplesamlphp-1.13.1/debian/rules
--- simplesamlphp-1.13.0/debian/rules	2014-09-25 20:36:29.0 +0200
+++ simplesamlphp-1.13.1/debian/rules	2014-10-27 20:28:46.0 +0100
@@ -25,7 +25,7 @@
 	   debian/simplesamlphp/usr/share/simplesamlphp/vendor/simplesamlphp/saml2/LICENSE \
 	   debian/simplesamlphp/usr/share/simplesamlphp/vendor/robrichards/xmlseclibs/LICENSE
 	find . -type f -executable -not -path '*/bin/*' | xargs chmod -x
-	find . -type d -name \.svn | xargs rm -r
+	find . -type d -name \.svn | xargs -r rm -r
 	dh_fixperms
 	chgrp www-data debian/simplesamlphp/var/lib/simplesamlphp/data \
 		debian/simplesamlphp/var/log/simplesamlphp
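Review bot: `xargs -r` correctly stops `rm -r` from running with no arguments when `find` matches nothing, which is what broke without it; on the same line, `find . -type d -name .svn -print0 | xargs -r0 rm -r` would also keep it safe for paths containing whitespace, and `find . -type d -name .svn -exec rm -r {} +` needs neither flag.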
diff -Nru simplesamlphp-1.13.0/docs/simplesamlphp-changelog.txt simplesamlphp-1.13.1/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.13.0/docs/simplesamlphp-changelog.txt	2014-09-25 14:25:08.0 +0200
+++ simplesamlphp-1.13.1/docs/simplesamlphp-changelog.txt	2014-10-27 16:28:10.0 +0100
@@ -6,6 +6,16 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.13.1
+
+Released 2014-10-27
+
+  * Solved an issue with empty fields in metadata to cause SimpleSAMLphp to fail with a translation error. Issues #97 and #114.
+  * Added Basque language to the list of known languages. Issue #117.
+  * Optimized the execution of redirections by removing an additional, unnecessary function call.
+  * Solved an issue that caused SimpleSAMLphp to fail when the RelayState parameter was empty or missing on an IdP-initiated authentication. Issues #99 and # 104.
+  * Fixed a certificate check for SubjectConfirmations with Holder of Key methods.
+
 ## Version 1.13
 
 Released 2014-09-25.
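Review bot: nit, "Issues #99 and # 104" has a stray space before 104; this is upstream changelog text, so only worth fixing if the file is patched anyway.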
diff -Nru simplesamlphp-1.13.0/lib/SimpleSAML/Configuration.php simplesamlphp-1.13.1/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.13.0/lib/SimpleSAML/Configuration.php	2014-09-25 14:25:08.0 +0200
+++ simplesamlphp-1.13.1/lib/SimpleSAML/Configuration.php	2014-10-27 16:28:10.0 +0100
@@ -289,7 +289,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.13.0';
+		return '1.13.1';
 	}
 
 
diff -Nru simplesamlphp-1.13.0/lib/SimpleSAML/Metadata/SAMLParser.php simplesamlphp-1.13.1/lib/SimpleSAML/Metadata/SAMLParser.php
--- simplesamlphp-1.13.0/lib/SimpleSAML/Metadata/SAMLParser.php	2014-09-25 14:25:08.0 +0200
+++ simplesamlphp-1.13.1/lib/SimpleSAML/Metadata/SAMLParser.php	2014-10-27 16:28:10.0 +0100
@@ -636,7 +636,7 @@
 		$this-addExtensions($ret, $spd);
 
 		// prioritize mdui:DisplayName as the name if available
-		if (isset($ret['UIInfo'])  isset($ret['UIInfo']['DisplayName'])) {
+		if (!empty($ret['UIInfo']['DisplayName'])) {
 			$ret['name'] = $ret['UIInfo']['DisplayName'];
 		}
 
@@ -705,7 +705,7 @@
 		$this-addExtensions($ret, $idp

Re: binNMUs for dpkg-buildflags / -fstack-protector-strong

2014-10-06 Thread Thijs Kinkhorst
On Tue, September 23, 2014 22:36, Moritz Mühlenhoff wrote:
 On Sat, Sep 20, 2014 at 02:18:34PM +0200, Julien Cristau wrote:
 On Sat, Sep 20, 2014 at 12:53:54 +0200, Moritz Muehlenhoff wrote:

  On Sat, Sep 20, 2014 at 10:45:00AM +0200, Julien Cristau wrote:
   On Wed, Sep 17, 2014 at 22:29:10 +0200, Moritz Muehlenhoff wrote:
  
Hi release team,
dpkg-buildflags was switched to the strong stack protector on
the 10th of August. Many security-sensitive packages have already
been uploaded to unstable since then and I'm tracking which are
missing.
   
For the remaining ones I'd like to request binNMUs. Is that
ok with and when's the best time? Probably not to early before
the freeze since some maintainer uploads will follow anyway,
but also not to close to the freeze. Maybe mid-October?

 ATM I only have a list of source packages, see below. I can whip up a
 script to generate versions over the weekend, but since these packages
 haven't seen an upload since August 10th, there's probably little
 overhead if one or two would be built twice.

I'm not sure if this went through already, but it may be useful to include
those packages that build-depend on hardening-wrapper or
hardening-includes in your set, since that now also has the stronger
hardening configuration.


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/e88c20a0d98f31973517f0fba018ad2a.squir...@aphrodite.kinkhorst.nl



Bug#753310: opu: ia32-libs/20140630 ia32-libs-gtk/20140630

2014-07-08 Thread Thijs Kinkhorst
On Tuesday, 8 July 2014 20:52:08, Adam D. Barratt wrote:
 Unfortunately, something appears to have gone wrong with the
 ia32-libs-gtk upload and I've flagged that one for rejection.
 Specifically, the entire debdiff is:

Right, what went wrong is that there are 0 updates for ia32-libs-gtk since the 
last release and in my workflow I didn't expect that and created a borked 
update. Sorry for that - with the ia32-libs upload accepted we're done.


Thijs




Bug#753310: opu: ia32-libs/20140630 ia32-libs-gtk/20140630

2014-06-30 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: opu

Hi RT,

In preparation for the upcoming Squeeze point release I've prepared updated
versions of ia32-libs and ia32-libs-gtk, as usual. The changelogs are below.
Is it ok to upload?

Cheers,
Thijs


ia32-libs (20140630) squeeze-proposed-updates; urgency=low

  * Packages updated

  [ cups (1.4.4-7+squeeze4) oldstable-security; urgency=high ]

  * Backport security fix from cups-filters 1.0.47:
pdftoopvp: SECURITY FIX for CVE-2013-6474, CVE-2013-6475, and
CVE-2013-6476: Introduction of gmallocn and gmallocn3 to protect against
arbitrary code execution with the privileges of the lp user via
malicious PDF files. Also restrict the directory from where OPVP drivers
can get loaded (#741333)

  [ curl (7.21.0-2.1+squeeze8) squeeze-security; urgency=medium ]

  * Fix multiple security issues (#742728):
- Fix connection re-use when using different log-in credentials
  as per CVE-2014-0138
  http://curl.haxx.se/docs/adv_20140326A.html
- Reject IP address wildcard matches as per CVE-2014-0139
  http://curl.haxx.se/docs/adv_20140326B.html
  * Set urgency=high accordingly

  [ gnutls26 (2.8.6-1+squeeze3) oldstable-security; urgency=high ]

  * 22_gnutls-2.8.5-cve-2014-0092.patch by Nikos Mavrogiannopoulos: Fix
certificate validation issue. CVE-2014-0092

 -- Thijs Kinkhorst th...@debian.org  Mon, 30 Jun 2014 13:45:39 +0200

ia32-libs-gtk (20140630) squeeze-proposed-updates; urgency=low

  * Packages updated

  [ pixman (0.16.4-1+deb6u1) squeeze-security; urgency=high ]

  * pixman_trapezoid_valid(): Fix underflow when bottom is close to MIN_INT
Addresses CVE-2013-6425

 -- Thijs Kinkhorst th...@debian.org  Fri, 31 Jan 2014 11:18:31 +0100


-- 
Archive: 
https://lists.debian.org/20140630115614.22231.16001.reportbug@localhost.localdomain



Bug#733564: pu: apache2 with ECDHE support

2014-06-16 Thread Thijs Kinkhorst
On Mon, June 16, 2014 00:06, Adam D. Barratt wrote:
 Control: tags -1 + pending

 On Sun, 2014-05-25 at 17:55 +0200, Stefan Fritsch wrote:
 I have just uploaded apache2_2.2.22-13+deb7u2:

 Flagged for acceptance; sorry for the delay.

 apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium

   * Backport support for SSL ECC keys and ECDH ciphers.

 For anyone following the bug log, testing of the above change before the
 point release would be much appreciated.

Running this version successfully on two machines, but maybe more
interesting: we've been running a build of the same upstream patch on top
of deb7u1 on about a hundred machines since a few months.


Thijs


-- 
Archive: 
https://lists.debian.org/04210b4bf6a0beedc8048d7b781f3dc4.squir...@aphrodite.kinkhorst.nl



Bug#736494: About #736494

2014-04-18 Thread Thijs Kinkhorst
On Fri, April 18, 2014 17:46, Adam D. Barratt wrote:
 On 2014-04-16 16:18, William Dauchy wrote:
 On Apr16 11:06, Adam D. Barratt wrote:
 On a related note, it would be appreciated if comments such as
 cleanup
 series were more verbose in future, as it appears to have involved
 removing
 enabled patches (which ones hopes have been replaced by newer patches)
 as
 well as those which were already disabled.

 I will be more verbose on those; it was commented patches in series,
 so
 not used; this modification has also been made in unstable.

 Thanks.

 Just a gentle reminder, the window for getting an upload in to the 7.5
 point release closes over the weekend.

Thanks for the reminder. It should have been uploaded less than an hour ago.


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/b274b3caf50e6f06e1af1c78e0a3f4d0.squir...@aphrodite.kinkhorst.nl



Bug#736494: About #736494

2014-04-16 Thread Thijs Kinkhorst
Hi Adam,

On Sun, April 13, 2014 14:39, Adam D. Barratt wrote:
 On Sun, 2014-04-13 at 13:58 +0200, William Dauchy wrote:
 Is there someone available to validate this package? Lots of present
 fixes are more than needed to have a usable version of php in
 production.

 Such comments really aren't that helpful. It's entirely possible to
 have a usable version of php in production using the current package
 in wheezy, or it wouldn't have made it in to wheezy in the first place
 and no-one would have been using it on stable systems for the past year.
 (That's not to say that some people aren't adversely affected by issues
 in the current package, but that's far from your claim that it's
 generally unusable.)

 I realise you've put a lot of effort in to the patch, and that's
 obviously appreciated, but a diff for stable of the size

  46 files changed, 4303 insertions(+), 372 deletions(-)

 where most of the diff appears to be actual changes (as opposed to
 translations, or autogenerated files) is non-trivial to review,
 particularly when people are already short on time. :(

I fully understand the lack of manpower. But also, obviously the update
fixes significant bugs and has seen lots of real world testing, probably
more than many of the other packages proposed for a stable update.

Is there a model or approach you can suggest that would work for the SRMs?

Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/aa74801f21a98566c5da9dfabe5cf027.squir...@aphrodite.kinkhorst.nl



Bug#742329: use softer colours for architecture qualification page

2014-03-22 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: minor
Tags: patch

Attached patch uses softer colours which are easier on the eye for
the architecture qualification page.
From 3932bb06d69557a5d05efbf50459d9b7b9b5cccf Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst th...@debian.org
Date: Sat, 22 Mar 2014 14:39:18 +0100
Subject: [PATCH] Use less hard colours to reduce eyebleedage.

---
 www/jessie/arch_qualify.py |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/jessie/arch_qualify.py b/www/jessie/arch_qualify.py
index 0e56ead..9ffa0ee 100644
--- a/www/jessie/arch_qualify.py
+++ b/www/jessie/arch_qualify.py
@@ -18,9 +18,9 @@ from collections import OrderedDict
 
 ### formatting helpers
 
-def FAIL(value): return (red,value)
-def WARN(value): return (yellow,value)
-def PASS(value): return (lime,value)
+def FAIL(value): return (#e87272,value)
+def WARN(value): return (#ccff66,value)
+def PASS(value): return (#60e760,value)
 
 def c_truth(value):
 if value == True or value == yes:
@@ -152,7 +152,7 @@ def dump_table(info,waivers):
 
 w = waivers.get(arch,{}).get(c,None)
 if w:
-col=cyan
+col=#00
 contents += ' a href=%s(w)/a' % (w)
 
 if col==red:
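Review bot: `if col==red:` at the end of this hunk still compares against the old colour name while `FAIL()` now returns `#e87272`, so `candidacy_at_risk[arch]` is never set and the at-risk summary silently goes empty; compare against whatever `FAIL()` returns, or better, have FAIL/WARN/PASS return a status token and map it to a colour only in `dump_table`.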
-- 
1.7.10.4



Bug#742329: use softer colours for architecture qualification page

2014-03-22 Thread Thijs Kinkhorst
On Sat, March 22, 2014 16:28, Julien Cristau wrote:
 looks like that if col==red is now broken?

Indeed, see fixed patch attached.

Thijs
From 8f84a1be4a9c49782ea8f736ef315508591e1608 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst th...@debian.org
Date: Sat, 22 Mar 2014 16:47:16 +0100
Subject: [PATCH] Use less hard colours to reduce eyebleedage.

---
 www/jessie/arch_qualify.py |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/www/jessie/arch_qualify.py b/www/jessie/arch_qualify.py
index 0e56ead..f872f3c 100644
--- a/www/jessie/arch_qualify.py
+++ b/www/jessie/arch_qualify.py
@@ -18,9 +18,9 @@ from collections import OrderedDict
 
 ### formatting helpers
 
-def FAIL(value): return (red,value)
-def WARN(value): return (yellow,value)
-def PASS(value): return (lime,value)
+def FAIL(value): return (#e87272,value)
+def WARN(value): return (#ccff66,value)
+def PASS(value): return (#60e760,value)
 
 def c_truth(value):
 if value == True or value == yes:
@@ -152,10 +152,10 @@ def dump_table(info,waivers):
 
 w = waivers.get(arch,{}).get(c,None)
 if w:
-col=cyan
+col=#00
 contents += ' a href=%s(w)/a' % (w)
 
-if col==red:
+if col==#e87272:
 candidacy_at_risk[arch]=True
 
 print 'td style=background-color:%s%s/td' % (col,contents)
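Review bot: the comparison now matches the hex literal, but the same string is written in two places (`FAIL()` and `if col==#e87272:`), so the next colour tweak can reintroduce the bug Julien spotted; a module-level constant used by both, or a status token carried alongside the colour, would remove the duplication.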
-- 
1.7.10.4


Bug#736494: Please consider to prioritize this update

2014-02-25 Thread Thijs Kinkhorst
Hi Clement,

On Tue, February 25, 2014 07:32, Clement Wong wrote:
 Our web servers has been using a self patched version for a long time
 because of the sybase regression from deb7u3, and this is a big problem
 for us in terms of security, we don’t have the manpower to keep our php up
 to date.

You can really help this process by taking the packages as included in
this bug log and verify that they (a) indeed solve the problem for you and
(b) do not cause other regressions, and report that back to the bug.


Cheers,
Thijs


-- 
Archive: 
https://lists.debian.org/abcda6e0eaf5a3aa1fa9849d626a793e.squir...@aphrodite.kinkhorst.nl



Re: PHP security upload not included in 6.0.9

2014-02-17 Thread Thijs Kinkhorst
Hi Lior,

On Mon, February 17, 2014 09:45, Lior Kaplan wrote:
 1. First time I encounter this problem, any idea where can I see the
 buildd
 logs for these security uploads to see
 why haven't they built fine.

The security team receives those. I'll forward them to you for this case.

 2. I see there are only a few of similar cases, would be nice to have them
 caught and generate some notification
 - finding out only when a fix doesn't go into a stable update sounds
 expensive to me (project benefit wise).

In general terms, the security team monitors what builds fail and tries to
involve the respective porters and maintainers; it seems in this case that
wasn't (yet) done. I would expect the buildd admins to also actively
monitor what fails on their archs but I'm not sure that actually happens
for all archs.


Cheers,
Thijs


Archive: http://lists.debian.org/9d47579c117b833d7e671cad7fed4228.squir...@aphrodite.kinkhorst.nl



Bug#737201: pu: package ia32-libs/20140131, ia32-libs-gtk/20140131

2014-01-31 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: pu

Hi,

As customary I'd like to update ia32-libs and ia32-libs-gtk for the upcoming
Squeeze point update. Attached are what the diffs look like.


cheers,
Thijs
diff -Nru ia32-libs-20131011/debian/changelog ia32-libs-20140131/debian/changelog
--- ia32-libs-20131011/debian/changelog	2013-10-11 09:50:18.0 +0200
+++ ia32-libs-20140131/debian/changelog	2014-01-31 10:54:27.0 +0100
@@ -1,3 +1,46 @@
+ia32-libs (20140131) squeeze-proposed-updates; urgency=low
+
+  * Packages updated
+
+  [ curl (7.21.0-2.1+squeeze7) squeeze-security; urgency=high ]
+
+  * Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015
+http://curl.haxx.se/docs/adv_20140129.html
+  * Set urgency=high accordingly
+
+  [ curl (7.21.0-2.1+squeeze6) oldstable-security; urgency=low ]
+
+  * Disable host verification too when using the --insecure option
+(#729965)
+
+  [ curl (7.21.0-2.1+squeeze5) oldstable-security; urgency=high ]
+
+  * Fix OpenSSL checking of a certificate CN or SAN name field when the
+digital signature verification is turned off as per CVE-2013-4545
+http://curl.haxx.se/docs/adv_20131115.html
+  * Set urgency=high accordingly
+
+  [ libxml2 (2.7.8.dfsg-2+squeeze8) oldstable-security; urgency=high ]
+
+  * Non-maintainer upload by the Security Team.
+  * Fix cve-2013-2877: out-of-bounds read when handling documents that end
+abruptly.
+
+  [ nspr (4.8.6-1+squeeze1) squeeze-security; urgency=high ]
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2013-5607: integer overflow on 64 bit systems
+
+  [ nss (3.12.8-1+squeeze7) squeeze-security; urgency=high ]
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2013-5605.patch.
+CVE-2013-5605: Null_Cipher() does not respect maxOutputLen; allowing
+remote attackers to cause a denial of service or possibly have
+unspecified other impact via invalid handshake packets.
+
+ -- Thijs Kinkhorst th...@debian.org  Fri, 31 Jan 2014 09:19:46 +0100
+
 ia32-libs (20131011) squeeze-proposed-updates; urgency=low
 
   * Packages updated
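Review bot: the libxml2 entry writes the identifier in lowercase (`cve-2013-2877`) while every other entry in this changelog uses the `CVE-` form; normalise it to `CVE-2013-2877` so the entry reads consistently and is found by anything that searches changelogs for CVE identifiers.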
diff -Nru ia32-libs-20131011/debian/copyright ia32-libs-20140131/debian/copyright
--- ia32-libs-20131011/debian/copyright	2013-10-11 09:43:20.0 +0200
+++ ia32-libs-20140131/debian/copyright	2014-01-31 09:23:51.0 +0100
@@ -843,7 +843,7 @@
 
 
 ---
-Copyright for ./curl_7.21.0-2.1+squeeze4.dsc
+Copyright for ./curl_7.21.0-2.1+squeeze7.dsc
 This package was debianized by Domenico Andreoli ca...@debian.org on
 Fri, 17 Nov 2000 16:10:37 +0100
 
@@ -8666,7 +8666,7 @@
dealings in this Software without prior written authorization from Digital
Equipment Corporation.
 ---
-Copyright for ./libxml2_2.7.8.dfsg-2+squeeze7.dsc
+Copyright for ./libxml2_2.7.8.dfsg-2+squeeze8.dsc
 This package was debianized by Vincent Renardias vinc...@waw.com on
 Sat, 26 Sep 1998 16:50:54 +0200
 
@@ -9685,7 +9685,7 @@
 
 Translation:  You can do whatever you want with this software!
 ---
-Copyright for ./nspr_4.8.6-1.dsc
+Copyright for ./nspr_4.8.6-1+squeeze1.dsc
 This package was debianized by Mike Hommey gland...@debian.org on
 Sun, 25 Mar 2007 12:17:27 +0200.
 
@@ -10276,7 +10276,7 @@
   may use your version of this file under either the NPL or the
   [___] License.
 ---
-Copyright for ./nss_3.12.8-1+squeeze6.dsc
+Copyright for ./nss_3.12.8-1+squeeze7.dsc
 This package was debianized by Mike Hommey gland...@debian.org on
 Sun, 25 Mar 2007 19:36:42 +0200.
 
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libcurl3_7.21.0-2.1+squeeze4_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libcurl3_7.21.0-2.1+squeeze4_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libcurl3_7.21.0-2.1+squeeze7_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libcurl3_7.21.0-2.1+squeeze7_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libnspr4-0d_4.8.6-1+squeeze1_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libnspr4-0d_4.8.6-1+squeeze1_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libnspr4-0d_4.8.6-1_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libnspr4-0d_4.8.6-1_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libnss3-1d_3.12.8-1+squeeze6_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libnss3-1d_3.12.8-1+squeeze6_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libnss3-1d_3.12.8-1+squeeze7_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs/libnss3-1d_3.12.8-1+squeeze7_i386.deb differ
Binary files /tmp/4k5hzuEsof/ia32-libs-20131011/pkgs/libxml2-dev_2.7.8.dfsg-2+squeeze7_i386.deb and /tmp/_8Usvk17_P/ia32-libs-20140131/pkgs

Re: Bits from the Release Team: Architecture health check

2014-01-30 Thread Thijs Kinkhorst
On Thu, January 30, 2014 00:03, Niels Thykier wrote:
 On 2014-01-29 23:24, Steven Chamberlain wrote:
 What exactly does the 'scope of the port' mean?  Suites of packages,
 tasksel tasks, desktop environments?  Particular use cases (server,
 laptop, desktop)?  Or something else?
 So, at this point, I think that you get to choose an initial draft for
 the scope of the port.  Of course, I don't expect you to list some
 18k+ source packages, so defining it as something like Desktop
 environments except GNOME plus tasksel task X, Y and Z.
   Alternatively, you may want to define it as the set of packages you
 won't support (e.g. KDE, all webservers (except apache2 with PHP5),
 etc.)
   In fact, it is probably best for you if you combine the two
 approaches.  But anyhow, you get to serve the ball on this one.  Just
 remember, we will probably ask why did you choose this set? (or maybe
 even what would it take for you to also support Y?)

I believe that it's also important that the definition is uncomplicated
enough so our users can quickly understand what and what not to expect
from this port, perhaps with a little abstraction.


Thijs


Archive: http://lists.debian.org/a1eb8f128b0ff547b86a15fc53f23ebb.squir...@aphrodite.kinkhorst.nl



Bug#726013: opu: package ia32-libs/20131011

2013-10-11 Thread Thijs Kinkhorst
Package: release.debian.org
Tags: squeeze
User: release.debian@packages.debian.org
Usertags: opu

Hi,

A final check of ia32-libs against current repositories shows us one
additional updated package to be included for the point release. See
attached debdiff. Can I upload this?

For ia32-libs-gtk no updates are needed.

Cheers,
Thijs
diff -Nru ia32-libs-20130924/debian/changelog ia32-libs-20131011/debian/changelog
--- ia32-libs-20130924/debian/changelog	2013-09-24 08:21:12.0 +0200
+++ ia32-libs-20131011/debian/changelog	2013-10-11 09:50:18.0 +0200
@@ -1,3 +1,21 @@
+ia32-libs (20131011) squeeze-proposed-updates; urgency=low
+
+  * Packages updated
+
+  [ nas (1.9.2-4squeeze1) oldstable-security; urgency=high ]
+
+  * Fixes for various long-standing security issues found by Hamid
+Zamani m...@hamidx9.ir. #720287
++ Validate the port offset of nasd to fix a potential buffer overflow
+  (CVE-2013-4256)
++ Use better string functions to guard against heap overflows
+  (CVE-2013-4257)
++ Sanity-check the TCP_DEVICE environment variable for safety.
+  * Fix string handling in aulog.c:osLogMsg() to fix missing format string
+in call to syslog() (CVE-2013-4258).
+
+ -- Thijs Kinkhorst th...@debian.org  Fri, 11 Oct 2013 09:40:55 +0200
+
 ia32-libs (20130924) squeeze-proposed-updates; urgency=low
 
   * Packages updated
diff -Nru ia32-libs-20130924/debian/copyright ia32-libs-20131011/debian/copyright
--- ia32-libs-20130924/debian/copyright	2013-09-24 08:20:24.0 +0200
+++ ia32-libs-20131011/debian/copyright	2013-10-11 09:43:20.0 +0200
@@ -9643,7 +9643,7 @@
 be found in the file ROAD_TO_LGPL that is part of mpg123's source distribution.
 It is located in the 'doc' subdirectory.
 ---
-Copyright for ./nas_1.9.2-4.dsc
+Copyright for ./nas_1.9.2-4squeeze1.dsc
 This is the Debian GNU/Linux prepackaged version of NAS, the Network
 Audio System.  The Network Audio System was written by Jim Fulton,
 Greg Renda, and Dave Lemke at Network Computing Devices, Inc. and is
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924/pkgs/libaudio-dev_1.9.2-4_i386.deb and /tmp/6G6mfOzNF3/ia32-libs-20131011/pkgs/libaudio-dev_1.9.2-4_i386.deb differ
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924/pkgs/libaudio-dev_1.9.2-4squeeze1_i386.deb and /tmp/6G6mfOzNF3/ia32-libs-20131011/pkgs/libaudio-dev_1.9.2-4squeeze1_i386.deb differ
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924/pkgs/libaudio2_1.9.2-4_i386.deb and /tmp/6G6mfOzNF3/ia32-libs-20131011/pkgs/libaudio2_1.9.2-4_i386.deb differ
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924/pkgs/libaudio2_1.9.2-4squeeze1_i386.deb and /tmp/6G6mfOzNF3/ia32-libs-20131011/pkgs/libaudio2_1.9.2-4squeeze1_i386.deb differ
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924/srcs/nas_1.9.2-4.diff.gz and /tmp/6G6mfOzNF3/ia32-libs-20131011/srcs/nas_1.9.2-4.diff.gz differ
diff -Nru ia32-libs-20130924/srcs/nas_1.9.2-4.dsc ia32-libs-20131011/srcs/nas_1.9.2-4.dsc
--- ia32-libs-20130924/srcs/nas_1.9.2-4.dsc	2010-11-14 19:17:08.0 +0100
+++ ia32-libs-20131011/srcs/nas_1.9.2-4.dsc	1970-01-01 01:00:00.0 +0100
@@ -1,38 +0,0 @@
--BEGIN PGP SIGNED MESSAGE-
-Hash: SHA256
-
-Format: 1.0
-Source: nas
-Binary: libaudio2, nas, libaudio-dev, nas-bin, nas-doc
-Architecture: any
-Version: 1.9.2-4
-Maintainer: Steve McIntyre 93...@debian.org
-Standards-Version: 3.8.2.0
-Build-Depends: autotools-dev, libxp-dev, libxau-dev, libsm-dev, libice-dev, libx11-dev, libxt-dev, libxaw7-dev, xutils-dev, bison, flex, file, po-debconf
-Checksums-Sha1: 
- b1d439c87eef89838ad463c140d0b9ca0f823f5e 1484369 nas_1.9.2.orig.tar.gz
- 592daa599dbfd173eb727138bc8e91f1c9b15a2d 40208 nas_1.9.2-4.diff.gz
-Checksums-Sha256: 
- 722d4f567f61e89e735277a0c1d3cfed98842160e3349bf956b1db525eacd2d3 1484369 nas_1.9.2.orig.tar.gz
- 6c2332c2bf8fa823b36396d49d9b596ef460c286d536e8f027e98778fca376d7 40208 nas_1.9.2-4.diff.gz
-Files: 
- ed7864f55b384452167959022cfb403b 1484369 nas_1.9.2.orig.tar.gz
- 9006a8591c9698f8d182071dbb191133 40208 nas_1.9.2-4.diff.gz
-
--BEGIN PGP SIGNATURE-
-Version: GnuPG v1.4.10 (GNU/Linux)
-
-iQIcBAEBCAAGBQJM4CQlAAoJEFh5eVc0QmhOVxMP/2oLdNPl5ajEJQxADHZtIc0f
-/2jMVYpAMThRH/+CDL5K553+ym86zefkqyeGnHlC0dpfabJCJFx3jbd5+ULuiIIE
-sIdf/3sk+oDV9Q7J2dA3/hU8wzjdRnBAuiROC0KIlv42vE7+LnkOthgKcZFFjFLf
-Zst/QrsZQUD/fi8c+p69pDCC6zOHZFj+aMk/HaHyQLhaKZzJHZ8yKqnGsoQExWoS
-9y0RKeAZ9FB8Oe0NIBURzi4R758yxJMGcJXq/GQ+Ob2hWQXwkZ1fnHJefzR1CvjK
-Jxol0g4LPzkBEcMPVZxR0T/tyQcDB/1msZwrsnR0lx4OUKuU/waqVrylzUR3yvLh
-eLDSDUY34HPebk3en5Livcpyr7O3o+8cvoDd/fQ7wv9Sc7uQ1A1pkd+JzoDDLt8j
-/JV9CeV5iHgrfnFHto6V/sgao9+fswsJskH8xPdAi8CtphmZWAOpUKVIql/CmE5z
-u2lwL+Sppj6O7oPPxPiqQYok+8uWc/PLbGzaeZtln/KelZK+/RsXstzgy/40Dh/S
-OYwJsU4purOLjpcjJOVQwrgWHZBH40+jIIQH44tnDfpAy66I3kH1C/ZX5f/a3sHR
-N96Dn2M8Y6/3lRYfTC1MZd8NshTKzbhujuXB5C37BhhMCvT8c4Hqkia4yqVUtAgf
-kV5bbv/jbR59arrWs0Pz
-=mBNS
--END PGP SIGNATURE-
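Review bot: this hunk deletes the old nas_1.9.2-4.dsc together with its checksums and signature, but the replacement nas_1.9.2-4squeeze1.dsc that the copyright change and the changelog entry refer to is not visible in the attached portion; please confirm that the new signed .dsc, with Checksums-Sha256 matching the squeeze1 source, is present under srcs/ so the embedded source stays verifiable.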
Binary files /tmp/lMHKt0Fl1d/ia32-libs-20130924

Bug#723641: pu: package xen/4.1.4-5

2013-10-04 Thread Thijs Kinkhorst
On Wed, October 2, 2013 19:21, Bastian Blank wrote:
 On Tue, Oct 01, 2013 at 04:58:43PM +0200, Thijs Kinkhorst wrote:
 On Mon, September 30, 2013 18:52, Bastian Blank wrote:
  I don't think this will work.  The current security process ignores
  any communication that is otherwise part of the NMU process.  As long
 as
  the security team does not have some policy to communicate first and
 do
  later, especially if the maintainer is already in the loop or, worse,
  did it herself, I see not why this should work now.
 I think you're confusing miscommunication that happened, with a policy
 of
 not communicating.

 Why are there no NMU diffs in the BTS as mandated by the developers
 reference?  Why do people prefer doing stuff themself instead of
 communicating?

 Something went wrong in the past, I don't know why, but there's
 definitely
 no process to ignore communication that should happen when working with
 other people's uploads.

 It happened with different people, I remember three.  This is called a
 pattern.  Patterns lead to informal policies.

Alright. I cannot easily verify the specific cases, but I think we can
resolve that at least from now on, there's no intention nor informal
policy to not communicate with people that are preparing uploads. And I
think we could find many of your DD-colleagues that communication indeed
happened around the uploads they proposed.

  My main problem are the missing mails on uploads.  If the ftp-masters
  refuses to accept a patch---did they?---you have to do it by human
  relay.
 We definitely do this by human relay. We missed one, there.

 The person explicitly handling this case missed it also.

It's a pity and shouldn't have happened. I will not say that communication
will always be perfect and that no issues will be dropped. I hope all
parties involved will remember the human factor, and that if they perceive
a communication problem they proactively enquire, they ping the other
party, even if the ball is not strictly 'in their court', to ensure it
doesn't run out of hand. I think we can expect that from all contributors
in our project.

 All in all, I recognise that mistakes have been made but I do not think
 that they are 'a policy' by the team. I'm confident that it's possible
 to
 work together in a way that works for both parties. Why not just give it
 a
 fresh new chance?

 Why do you ignore what I wrote in my original mail?  These were the
 three points:

I thought I'd addressed it, but here we go.

 | - Fix dak to send mails, at least to the uploader and signer.

 Should be a small patch to dak.  Did no one try it or was it rejected?
 If it was rejected, why was CTTE not involved?  It is even listed as a
 bug somewhere.

I don't know all the history of this request, but have asked ftp-master
what they would think of it, so we get a fresh idea of where we stand.

 | - Push NMU-diffs to the BTS.

 This is a long-standing point.  And I never got an answer why this is
 not done.

I'll discuss it in the team. Of course, the information is always
available from the archive, so it's there now, but I agree that a NMU diff
in the BTS makes things slightly easier on the maintainer. I left it out
initially because I thought we were discussing issues where the maintainer
was already involved, and in such issues, NMU diffs were not so relevant.
I'll let you know the outcome of this.


Cheers,
Thijs


Archive: http://lists.debian.org/c6f733eecbcfa0eb42798f43b3b5c7a4.squir...@aphrodite.kinkhorst.nl



Bug#723641: pu: package xen/4.1.4-5

2013-10-01 Thread Thijs Kinkhorst
On Mon, September 30, 2013 18:52, Bastian Blank wrote:
 On Mon, Sep 30, 2013 at 04:38:24PM +0200, Thijs Kinkhorst wrote:
 Thanks. I've read them. My conclusion is that there are two problems:
 1/ On a previous upload, someone from the security team added extra
 changes without coordination or reporting them back.
 2/ It took long to process the upload and there was no feedback on
 problems.
 Agreed?

 No.  These are symptoms, not problems.  The main problem is
 _communication_.

 On the first point, although I don't know exactly what changes were
 added
 by whom, I fully agree that if such is the case that's not good and
 understand that it's annoying to you. I'm sure that we can agree that
 this was a mistake and that this should not happen again.

 I don't think this will work.  The current security process ignores
 any communication that is otherwise part of the NMU process.  As long as
 the security team does not have some policy to communicate first and do
 later, especially if the maintainer is already in the loop or, worse,
 did it herself, I see not why this should work now.

I think you're confusing miscommunication that happened, with a policy of
not communicating. There is no such policy and we communicate a lot with
maintainers that already work on the package on a daily basis. As with all
communication, this is never perfect and some side may accidentally make a
mistake.

Something went wrong in the past, I don't know why, but there's definitely
no process to ignore communication that should happen when working with
other people's uploads. Of course there's a bit more complication when
there's an embargoed issue, or when the issue is so critical that
immediate action is unavoidable, but for regular, unembargoed issues,
where the maintainer is already involved, we should not do anything to
change their package without consulting them.

 The second point is indeed unfortunate, reading back it seems related to
 two different problems with DAK.

 My main problem are the missing mails on uploads.  If the ftp-masters
 refuses to accept a patch---did they?---you have to do it by human
 relay.

We definitely do this by human relay. We missed one, there.

 Given the limitations of tools and manpower and the large number of
 issues
 that we need to deal with, the process will probably never be perfect.

 If you lack manpower, why don't I remember any calls for help like the
 ftp-team or ctte did?

We have in fact on several occasions done so, and are adding new members
to the team from time to time; the source mostly being people that start
to work on the security tracker. We do try to make this starting point as
easy as possible. The influx of people that actually stick around for
longer is not very high. But we could probably indeed call for help more
often, you're right.

(The call for adding someone to the tech ctte does not seem to have had
any measurable effect to date, despite it being done over a year ago, so
I'm not sure that's a good example of how to call for help.)

All in all, I recognise that mistakes have been made but I do not think
that they are 'a policy' by the team. I'm confident that it's possible to
work together in a way that works for both parties. Why not just give it a
fresh new chance?


Cheers,
Thijs


Archive: http://lists.debian.org/f8e4d82e307c13a88f6f24f22f3d8d75.squir...@aphrodite.kinkhorst.nl



Bug#723641: pu: package xen/4.1.4-5

2013-09-30 Thread Thijs Kinkhorst
On Mon, September 23, 2013 10:47, Bastian Blank wrote:
 On Mon, Sep 23, 2013 at 09:47:32AM +0200, Thijs Kinkhorst wrote:
 Do you have a message ID for me? I'd rather try to see what the problems
 with the wheezy-security route are and how we can resolve them, rather
 than try to work around them via pu.

 20130512113628.GA16136@elende
 20130512200941.ga10...@waldi.eu.org

Thanks. I've read them. My conclusion is that there are two problems:

1/ On a previous upload, someone from the security team added extra
changes without coordination or reporting them back.
2/ It took long to process the upload and there was no feedback on problems.

Agreed?

On the first point, although I don't know exactly what changes were added
by whom, I fully agree that if such is the case that's not good and
understand that it's annoying to you. I'm sure that we can agree that
this was a mistake and that this should not happen again.

The second point is indeed unfortunate, reading back it seems related to
two different problems with DAK. I have no ready-made solution for this.
The DAK instance we use is not run by us so we cannot influence the
shortcomings it has, we'll just have to work with them the best we can and
hope for the hard work of ftpmaster to solve issues when they pop up. I'm
sure we can do better with keeping you posted about any delay, and I hope
you would ping us (on irc for example) if you expected a response but it's
not there yet.

Given the limitations of tools and manpower and the large number of issues
that we need to deal with, the process will probably never be perfect. But
I hope that when a bump arises we can just talk directly on irc to avoid
misunderstandings and frustration. Do you think we could just try to
start anew? In the end it benefits our users most if Xen updates would
come through the security channel.


Cheers,
Thijs


Archive: http://lists.debian.org/6367f639a63007fb478955437c644c71.squir...@aphrodite.kinkhorst.nl



Bug#723641: pu: package xen/4.1.4-5

2013-09-23 Thread Thijs Kinkhorst
On Sun, September 22, 2013 23:34, Bastian Blank wrote:
 On Sun, Sep 22, 2013 at 09:58:54PM +0100, Adam D. Barratt wrote:
 On Wed, 2013-09-18 at 14:06 +0200, Bastian Blank wrote:
  There are several CVE pending for Xen, plus some embargoed ones.  This
  fixes all publicly ones that have fixes.
 Could we have a debdiff, rather than just the changelog please?

 If you insist. But don't cry that it is large.

 Have the
 security team confirmed that they don't plan to issue DSAs for these
 issues?

 I made it clear that no uploads to -security will come from me.  And
 most of these CVEs are open for four or five months.

Do you have a message ID for me? I'd rather try to see what the problems
with the wheezy-security route are and how we can resolve them, rather
than try to work around them via pu.


Cheers,
Thijs


Archive: http://lists.debian.org/4dc3baf150d8edc4d9b25a599be5083c.squir...@aphrodite.kinkhorst.nl



Bug#718050: RM: jclicmoodle/0.1.0.11-1 -- not useful without Moodle

2013-07-28 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: rm

Hi,

Please remove jclicmoodle from wheezy.

It's only useful with Moodle, which isn't in wheezy. The package missed a
dependency on moodle so wasn't removed together with moodle; I've already
filed a bug about that.

Thanks,
Thijs


Archive: http://lists.debian.org/20130728080253.4605.42142.reportbug@localhost.localdomain



Bug#711223: pu: package dpkg-ruby/0.3.6+nmu2

2013-06-05 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
Tags: squeeze
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to propose an update to dpkg-ruby in Squeeze because of a bug that
prevents upgrades to wheezy if apt-listbugs is installed: #585448.

Filehandles weren't closed so apt-listbugs crashes on particularly large
upgrade paths. The patch is from the maintainer who applied it in a
release which is in wheezy and above, but this is too late for someone
upgrading from squeeze hence this opu-update. I've confirmed that my
updated package solves the problem.

Such an update has been requested in the bug log since Jan 2012, with a
few pings after that, but no maintainer response yet, so I think the NMU
is justified.


Cheers,
Thijs
diff -Nru dpkg-ruby-0.3.6+nmu1/debian/changelog dpkg-ruby-0.3.6+nmu2/debian/changelog
--- dpkg-ruby-0.3.6+nmu1/debian/changelog	2010-08-26 17:44:03.0 +0200
+++ dpkg-ruby-0.3.6+nmu2/debian/changelog	2013-06-05 18:12:51.0 +0200
@@ -1,3 +1,11 @@
+dpkg-ruby (0.3.6+nmu2) squeeze; urgency=low
+
+  * Non-maintainer upload.
+  * Apply maintainer patch to close files once they're parsed,
+preventing trouble on dist-upgrades to wheezy (Closes: #585448).
+
+ -- Thijs Kinkhorst th...@debian.org  Wed, 05 Jun 2013 18:11:23 +0200
+
 dpkg-ruby (0.3.6+nmu1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru dpkg-ruby-0.3.6+nmu1/lib/debian.rb dpkg-ruby-0.3.6+nmu2/lib/debian.rb
--- dpkg-ruby-0.3.6+nmu1/lib/debian.rb	2010-08-26 17:25:15.0 +0200
+++ dpkg-ruby-0.3.6+nmu2/lib/debian.rb	2013-06-05 18:11:20.0 +0200
@@ -115,7 +115,10 @@
 
 def deb?(debfile)
   begin
-	Debian::Ar.new(debfile).open(debian-binary).read == DEBFORMAT_VERSION
+f = Debian::Ar.new(debfile)
+res = (f.open(debian-binary).read == DEBFORMAT_VERSION)
+f.close
+return res
   rescue NameError, Debian::ArError
 	false
   end
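Review bot: `f.close` is skipped when `f.open(debian-binary)` raises, and the `rescue NameError, Debian::ArError` below then returns false with the archive still open, so the handle leak this patch is meant to fix survives on the error path; move the close into an `ensure` clause (`ensure f.close if f`) so the handle is released whether or not the read succeeds.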
@@ -568,6 +571,7 @@
 	  @data.push(line.chomp)
 	}
   }
+  @artab.close
   freeze
 end
 def control= (c); @control = c; end
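Review bot: `@artab.close` only runs when the parsing block completes normally; an exception raised while iterating over the archive leaves the handle open, which is the same leak pattern as in the previous hunk, so wrap the block in `begin ... ensure @artab.close end` rather than closing after it.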


Bug#706488: Aw: Re: Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-02 Thread Thijs Kinkhorst
On Thu, May 2, 2013 09:25, Steffen Möller wrote:
 I have talked back to my pkg-boinc mates and, well, feelings are mixed.
 The remaining source to this TV report and some prominent discussions
 about it I found at
 http://www.rechenkraft.net/phpBB/viewtopic.php?f=12&t=12717&start=12
 And while I think that no real damage is done (and the package could
 hence just remain as it is),  I also think that it might be unfortunate
 for Debian to ship any code with known vulnerabilities.

Isn't it possible to fix these vulnerabilities through a DSA or in the
first point release? Or alternatively remove the binary package in the
first point release?


Cheers,
Thijs


Archive: http://lists.debian.org/8e007904d4f88e20ee669e8e824c7336.squir...@aphrodite.kinkhorst.nl



Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-01 Thread Thijs Kinkhorst
Hi Steffen,

On Tue, April 30, 2013 22:07, Steffen Moeller wrote:
 The PHP code shipping with the BOINC Server Maker package was not updated
 for a long time because of the freeze coinciding with the general overhaul
 of the BOINC package structure.  An important security update was missed.

 The package does not impose any security risk upon installation.
 And every regular BOINC server maintainer needed to manually update
 their installation.

Do you have a reference to more information on this security issue (bug
report, upstream info, ..)?


thanks,
Thijs


Archive: http://lists.debian.org/a4d74a0adda1af55a3ed9a46d223f081.squir...@aphrodite.kinkhorst.nl



Bug#706488: RM: boinc-server-maker/7.0.27

2013-05-01 Thread Thijs Kinkhorst
On Wed, May 1, 2013 12:17, Alyssa Milburn wrote:
 These missed server issues were presumably what's now CVE-2013-2018:

 http://article.gmane.org/gmane.comp.security.oss.general/10083

Thanks, noted.


Thijs


Archive: http://lists.debian.org/2703629283f91c611de96e59e1831b3c.squir...@aphrodite.kinkhorst.nl



Re: Security fix for jquery-jplayer 2.1.0-1

2013-04-27 Thread Thijs Kinkhorst
Hi Pau,

On Sat, April 27, 2013 01:31, Pau Garcia i Quiles wrote:
 Wheezy contains my package jquery-jplayer 2.1.0-1, which is affected by a
 few security issues which have been recently fixed upstream. One of the
 issues is CVE-2013-1942. Two other issues, although important, did not get
 a CVE number.

 I have backported the patches and created jquery-jplayer 2.1.0-2. Debdiff
 is attached.

 Is it OK to upload this to the archive?

Although I'm not in the release team, I'm sure the following changes are
unacceptable at this point:

 * Convert to source format 3.0 (quilt) to apply the patches that carry the
   fixes
 * Update standards to 3.9.4.0 (no changes needed)

Can you prepare an upload without these (where you just apply the patches
in the old-style 1.0 way)?


Thanks,
Thijs


Archive: http://lists.debian.org/cb5e856619f39ae20344bfd365a1944a.squir...@aphrodite.kinkhorst.nl



Bug#706192: unblock: phpmyadmin/4:3.4.11.1-2

2013-04-25 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package phpmyadmin.

This is a security update. The issues fixed are not present in squeeze.

unblock phpmyadmin/4:3.4.11.1-2


Thanks,
Thijs


Archive: http://lists.debian.org/20130426053012.4354.84797.reportbug@localhost.localdomain



Bug#704530: RM: semanticscuttle/0.98.4+dfsg-1

2013-04-02 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

Please remove semanticscuttle from wheezy.

The problems are detailed in RC bug #659390. My last message details that
I had to conquer three different problems to get to an error-free home
screen. Even if we fix all three, the presence of the problems indicates
that this package didn't receive adequate testing to be releasable at
this point.

In the bug log, the maintainer has already agreed with removal from
wheezy as a course of action. It has never been in a stable release.


Cheers,
Thijs


Archive: http://lists.debian.org/20130402152139.6424.23909.reportbug@localhost.localdomain



Bug#704297: unblock: dput/0.9.6.3+nmu2

2013-03-31 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package dput.

This is an update to 0.9.6.3+nmu1 which tries to prevent uploads to the wrong
archive. The changes in nmu1 were correct at the time of going to press, but
recently the backports archive was integrated into the main archive and this
change now works against us for bpo.

unblock dput/0.9.6.3+nmu2


Thanks,
Thijs

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru dput-0.9.6.3+nmu1/debian/changelog dput-0.9.6.3+nmu2/debian/changelog
--- dput-0.9.6.3+nmu1/debian/changelog	2012-10-14 17:22:48.0 +0200
+++ dput-0.9.6.3+nmu2/debian/changelog	2013-03-31 13:12:35.0 +0200
@@ -1,3 +1,11 @@
+dput (0.9.6.3+nmu2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Update dput.cf to deal with backports.org being integrated into
+the main archive (Closes: #704228).
+
+ -- Thijs Kinkhorst th...@debian.org  Sun, 31 Mar 2013 13:09:54 +0200
+
 dput (0.9.6.3+nmu1) unstable; urgency=low
 
   * Non-maintainer upload.
diff -Nru dput-0.9.6.3+nmu1/dput.cf dput-0.9.6.3+nmu2/dput.cf
--- dput-0.9.6.3+nmu1/dput.cf	2012-10-14 14:54:17.0 +0200
+++ dput-0.9.6.3+nmu2/dput.cf	2013-03-31 13:11:49.0 +0200
@@ -25,7 +25,7 @@
 method			= ftp
 # Please, upload your package to the proper archive
 # http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-upload
-allowed_distributions	= (?!UNRELEASED|.*-security|.*-backports)
+allowed_distributions	= (?!UNRELEASED|.*-security)
 
 # http://lists.debian.org/debian-project/2009/05/msg00036.html
 [ftp-eu]
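Review bot: the negative lookahead still refuses every `*-security` distribution, so the guard against pushing a security upload to ftp-master is unchanged by this hunk; only `.*-backports` leaves the pattern, which is exactly what the changelog asks for now that backports live in the main archive. Because the identical `allowed_distributions` line is edited in three stanzas in this file, consider moving it into the `[DEFAULT]` section so the next archive reorganisation needs one edit rather than three.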
@@ -36,7 +36,7 @@
 allow_dcut		= 1
 # Please, upload your package to the proper archive
 # http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-upload
-allowed_distributions	= (?!UNRELEASED|.*-security|.*-backports)
+allowed_distributions	= (?!UNRELEASED|.*-security)
 
 # http://lists.debian.org/debian-devel-announce/2008/09/msg7.html
 [ssh-upload]
@@ -48,7 +48,7 @@
 allow_dcut		= 1
 # Please, upload your package to the proper archive
 # http://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security-upload
-allowed_distributions	= (?!UNRELEASED|.*-security|.*-backports)
+allowed_distributions	= (?!UNRELEASED|.*-security)
 
 # And if you want to override one of the defaults, add it here.
 # For example, comment out the next line
@@ -81,13 +81,6 @@
 incoming		= /pub/Incoming/upload
 login			= anonymous
 
-[backports]
-fqdn			= backports-master.debian.org
-method			= ftp
-incoming		= /pub/UploadQueue/
-login			= anonymous
-allow_dcut		= 1
-
 [ubuntu]
 fqdn			= upload.ubuntu.com
 method			= ftp
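Review bot: dropping the `[backports]` stanza turns `dput backports foo.changes` into a hard "unknown host" failure for anyone with that habit or that host name in a script. That is the safe failure mode now that backports-master.debian.org is no longer the target, but the changelog entry at the top only says dput.cf was updated; state that the `backports` host is gone (or add a NEWS entry) so the error is recognisable as intentional rather than as a broken config.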

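The `allowed_distributions` regex above is what stops a .changes file with the wrong `Distribution:` field from going to a host that should not receive it. The following is an added example, not dput's own code and not part of this message; it assumes that dput evaluates the pattern with Python's `re.match()` against the `Distribution:` value of the .changes file (an assumption about dput internals, not shown here) and compares the old and new patterns on a few suite names, including one that contains both `-backports` and `-security`:

```python
import re

# The two patterns from the dput.cf diff above (the rest of this file is an
# added illustration, not dput's code).
OLD_ALLOWED = r"(?!UNRELEASED|.*-security|.*-backports)"
NEW_ALLOWED = r"(?!UNRELEASED|.*-security)"


def upload_allowed(pattern: str, distribution: str) -> bool:
    """Mimic the check: a negative lookahead at the start of the string.

    Assumption: dput applies allowed_distributions with re.match(), so the
    pattern is anchored at the beginning of the Distribution value.  The
    alternatives inside the lookahead are not anchored at the end, so
    'wheezy-security' and 'UNRELEASED-anything' are both refused.
    """
    return re.match(pattern, distribution) is not None


def distribution_from_changes(changes_text: str) -> str:
    """Pull the Distribution: field out of a .changes file body."""
    for line in changes_text.splitlines():
        if line.startswith("Distribution:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Distribution: field in .changes")


def would_accept(changes_text: str, pattern: str) -> bool:
    """Would a host configured with `pattern` take this .changes file?"""
    return upload_allowed(pattern, distribution_from_changes(changes_text))


def compare_patterns(distributions):
    """Return {suite: (old_verdict, new_verdict)} to see what the change opened up."""
    return {d: (upload_allowed(OLD_ALLOWED, d), upload_allowed(NEW_ALLOWED, d))
            for d in distributions}


# Constructed .changes fragment for the example (not a real upload).
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Binary: example
Architecture: source all
Version: 1.0-1~bpo60+1
Distribution: squeeze-backports
"""

if __name__ == "__main__":
    suites = ["unstable", "squeeze-backports", "wheezy-security",
              "UNRELEASED", "squeeze-backports-security"]
    for suite, (old, new) in compare_patterns(suites).items():
        print(f"{suite:28} old={old!s:5} new={new}")
    print("sample .changes accepted by new config:",
          would_accept(SAMPLE_CHANGES, NEW_ALLOWED))
```

The last suite name in the list is the interesting one: after the change a backports upload is accepted by ftp-master, but anything ending in `-security` is still refused, which is the mistake that actually bites people (an upload meant for security-master landing on ftp-master).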

Re: Bug#703290: davical: possible code insertion or XSS

2013-03-19 Thread Thijs Kinkhorst
On Tue, March 19, 2013 01:37, Christoph Anton Mitterer wrote:
 severity 703290 important
 stop

 On Tue, 2013-03-19 at 10:20 +1300, Andrew McMillan wrote:
 Is there any way to do an XSS exploit in 12 characters?  If not, then I
 don't think this is 'grave'.
 Unless someone from the security or release team complains I've set the
 severity to important.

Agreed that it's not grave until we have a concrete vulnerability at hand.
The code could/should definitely be more robust, but there's not yet an
acute issue.


Cheers,
Thijs





Re: Bug#703290: davical: possible code insertion or XSS

2013-03-19 Thread Thijs Kinkhorst
severity 703294 important
thanks

On Tue, March 19, 2013 11:20, Jonathan Wiltshire wrote:
 Agreed that it's not grave until we have a concrete vulnerability at
 hand.
 The code could/should definitely be more robust, but there's not yet
 an acute issue.

 Is it fair to apply this line of reasoning to #703294 also?

Indeed.

Thijs





Bug#703125: tpu: wireshark/1.8.2-5wheezy1

2013-03-16 Thread Thijs Kinkhorst
On Sat, March 16, 2013 00:02, Balint Reczey wrote:
 I would like to upload wireshark/1.8.2-5wheezy1 to
 testing-proposed-updates to fix open security issues in wheezy.

This request can be postponed, as we're going to try to handle this
through wheezy-security as a first guinea pig. If this works as expected,
I'll close this request.


Cheers,
Thijs





Bug#687583: RM: altos/wheezy

2013-03-06 Thread Thijs Kinkhorst
package release.debian.org
user release.debian@packages.debian.org
usertag 687583 + rm - unblock
retitle 687583 RM: altos/1.0.3
thanks

Hi Release Managers,

Please remove altos from testing as per maintainer comment in #676739.


Cheers,
Thijs


signature.asc
Description: This is a digitally signed message part.


Bug#702412: pre-approval unblock: postfix

2013-03-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

I've been looking into Postfix RC bug #700719. In short, my proposal is to
fix the maintainer field and then unblock the package. Please see my message
in the bug log for details.

If LaMont is not currently available to make the upload to sid to fix the
maintainer field, I'll gladly NMU this.

Please let me know if you think is this a viable solution.


Cheers,
Thijs





Bug#702412: pre-approval unblock: postfix

2013-03-06 Thread Thijs Kinkhorst
Op woensdag 6 maart 2013 10:16:18 schreef Adam D. Barratt:
 It looks like the maintainer field is already fixed in sid, in 
 2.10.0-1; that is a number of upstream releases more recent than the 
 current wheezy package, however.
 
 Your last message in #700719 indicates that your inclination towards an 
 unblock was based on the assumption that the package involved would be 
 2.9.6; is that correct? Even after filtering the diff down quite a lot 
 to remove documentation changes etc. we still appear to be left with a 
 diff of  217 files changed, 5476 insertions(+), 1476 deletions(-) 
 which isn't that bad but not ideal at this point.

Right, since I posted my proposal a new upstream has indeed been uploaded to 
sid on Monday, making the migration impossible. I do not advocate migrating 
2.10.0. I was convinced that migration should be possible precisely because it 
was an upstream bugfix, not a new major release.

I'd like to reword my proposal then to uploading 2.9.6-1, as it was in sid, to 
tpu. Only changes would be a new version number (2.9.6-1+wheezy1?) and fixed 
maintainer. My filtered diff of that, as attached to #700719, amounts to:

 22 files changed, 155 insertions(+), 38 deletions(-)


Cheers,
Thijs




Re: openjdk maintenance for wheezy and squeeze

2013-03-03 Thread Thijs Kinkhorst
Op donderdag 28 februari 2013 21:35:09 schreef Moritz Mühlenhoff:
 So we should proceed with providing backports for openjdk in the future.
 
 If Matthias keeps the Debian/Ubuntu packaging in a state that it's easily
 buildable on squeeze/wheezy for ojdk6 and for wheezy on ojdk7 I think
 we should be able to handle Java updates resource-wise.

So it seems we are in agreement that it's not feasible to remove OpenJDK-6 
from Wheezy, and there's the expectation that it can be supported in a 
relatively acceptable way.

Perhaps the RT can tag #675495 wheezy-ignore (and retitle). I'm pretty sure we 
don't want OpenJDK-6 in Jessie.


Cheers,
Thijs




Bug#701833: unblock: pigz/2.2.4-2

2013-02-27 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi RT,

Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).

The maintainer also added hardening flags. This may be on the border of
acceptable/unacceptable for an unblock. Please let me know either way.

If unacceptable I propose that I make an upload to wheezy-security as a
guinea pig(z) for the setup, as according to my information it should
now be operational.

unblock pigz/2.2.4-2


Thanks,
Thijs





Bug#701610: unblock: pktstat/1.8.5-3 + urgency bump

2013-02-25 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock and bump the urgency of package pktstat.

It fixes security issue CVE-2013-0350; #701211: left over debug code caused
both a temp file race and information leak.

unblock pktstat/1.8.5-3
age-days 2 pktstat/1.8.5-3

Thanks,
Thijs



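The bug class named above (a debug dump to a predictable temp file, giving both a symlink race and an information leak) is easy to reproduce. The following is an added illustration, not pktstat's code and not part of this message; the file names and the exact shape of the leftover debug code are assumptions, since the page only gives the one-line summary. It stages an attacker's symlink at the predictable path, then runs the unsafe pattern and two fixes against it:

```python
import errno
import os
import stat
import tempfile

# Added illustration of the CVE-2013-0350 bug class; nothing here is
# pktstat's code, and the path "pktstat.debug" is a constructed stand-in.


def unsafe_debug_dump(path: str, data: bytes) -> None:
    """Debug code left in: fixed path, create-or-truncate, default umask.

    If an attacker pre-creates `path` as a symlink, the write follows it and
    clobbers the target; if the file is created fresh it is 0644 under the
    usual umask, so other local users can read the dumped data.
    """
    with open(path, "wb") as f:
        f.write(data)


def exclusive_debug_dump(path: str, data: bytes) -> bool:
    """Same fixed path, but refuse to follow or reuse anything pre-existing.

    O_CREAT|O_EXCL fails with EEXIST if the name exists at all, including a
    symlink, regardless of where it points.  Returns False when refused.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as e:
        if e.errno == errno.EEXIST:  # somebody planted a file or symlink there
            return False
        raise
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return True


def mkstemp_debug_dump(directory: str, data: bytes) -> str:
    """Preferred fix: unpredictable name, O_CREAT|O_EXCL, mode 0600."""
    fd, path = tempfile.mkstemp(prefix="debug-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except BaseException:
        os.unlink(path)
        raise
    return path


def demonstrate_race(workdir: str) -> dict:
    """Stage the attacker's symlink, then run each variant against it."""
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("original contents\n")
    planted = os.path.join(workdir, "pktstat.debug")  # the predictable name
    os.symlink(victim, planted)

    unsafe_debug_dump(planted, b"captured packets\n")
    with open(victim, "rb") as f:
        clobbered = f.read() == b"captured packets\n"

    refused = not exclusive_debug_dump(planted, b"captured packets\n")

    safe_path = mkstemp_debug_dump(workdir, b"captured packets\n")
    mode = stat.S_IMODE(os.stat(safe_path).st_mode)

    return {"unsafe_clobbered_victim": clobbered,
            "exclusive_open_refused": refused,
            "mkstemp_mode": mode}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demonstrate_race(d))
```

Run as root the first variant is a local privilege escalation primitive (write attacker-chosen bytes into any file); run as an ordinary user it is still the information leak the bug report describes, because the captured data ends up in a world-readable file under /tmp.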


Bug#701476: unblock: nagios-nrpe/2.13-2

2013-02-24 Thread Thijs Kinkhorst
On Sat, February 23, 2013 17:55, Niels Thykier wrote:
 Control: reopen -1

 On 2013-02-23 17:45, Alexander Wirt wrote:
 Thijs Kinkhorst schrieb am Saturday, den 23. February 2013:

 Package: release.debian.org
 Severity: normal
 User: release.debian@packages.debian.org
 Usertags: unblock

 Dear release team,

 Please unblock package nagios-nrpe.

 The update is documentation only. It's done to address #547092: SSL support
 is fundamentally broken in NRPE, which cannot be fixed easily (breaking
 the protocol and hence compatibility with non-Debian nrpe hosts).

 The update changes the documentation to warn against using the option. This
 downgrades the bug to an important functionality problem, but not RC since
 NRPE is usable securely without SSL in many cases.

 unblock nagios-nrpe/2.13-2
 Hold on please :). We agreed on IRC earlier that morning to wait for the
 coming security update.

 Thanks
 Alex



 Alright, un-unblocked.

Can you clarify? Having another security update coming doesn't preclude
the current package from migrating, does it?


Cheers,
Thijs





Bug#700806: unblock: openconnect/3.20-3 (Fixes CVE-2012-6128)

2013-02-24 Thread Thijs Kinkhorst
 As mentioned in #700805, this line introduces a memory leak if realloc
 fails for any reason.

Upstream has committed a fix for the issue but also concluded that this 
causing real world trouble is not very probable.

So either the patch needs to be applied to openconnect or the package needs to 
be unblocked as-is. Both are valid options in my opinion.


Cheers,
Thijs




Bug#701476: unblock: nagios-nrpe/2.13-2

2013-02-23 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package nagios-nrpe.

The update is documentation only. It's done to address #547092: SSL support
is fundamentally broken in NRPE, which cannot be fixed easily (breaking
the protocol and hence compatibility with non-Debian nrpe hosts).

The update changes the documentation to warn against using the option. This
downgrades the bug to an important functionality problem, but not RC since
NRPE is usable securely without SSL in many cases.

unblock nagios-nrpe/2.13-2


Thanks,
Thijs





Re: ia32-libs-* updates (was: Re: 6.0.7 planning)

2013-02-16 Thread Thijs Kinkhorst
Op vrijdag 15 februari 2013 17:58:23 schreef Adam D. Barratt:
 On Mon, 2013-02-11 at 10:41 +0100, Thijs Kinkhorst wrote:
[ cups (1.4.4-7+squeeze2) stable-security; urgency=high ] 
 
 Our sanity check grumbled about this one, as p-u has +squeeze3; is that
 intentional? I can't remember what we've done in such situations
 previously.

First of all, let's make it clear that this isn't a blocker for accepting the 
current packages right now: they are an improvement over what's currently in 
squeeze also without the squeeze3 update, and this one fix pertains to a man 
page which is not relevant to ia32-libs.

The issue of adding proposed-updates as a source for building ia32-libs was 
discussed last year on this mailinglist. The SRM by way of Philipp seemed to 
suggest that it was not desirable. I'm not decided anyway and left the final 
decision to the SRM, which to my knowledge wasn't yet followed up on:
http://lists.debian.org/debian-release/2011/12/msg00399.html

So the status quo remains. When SRM indicates that they'd like to add p-u to 
ia32-libs sources, then I'll gladly do that.


Cheers,
Thijs




Re: 6.0.7 planning

2013-02-11 Thread Thijs Kinkhorst
On Sun, February 10, 2013 17:25, Adam D. Barratt wrote:
 We're somewhat overdue with the next Squeeze point release (6.0.7) and
 it'd be good to get it done before the wheezy release, so that we can
 pull in some upgrade fixes.

Attached are the proposed updates to ia32-libs and ia32-libs-core at the
time of writing. There are no updated packages in ia32-libs-gtk. I will
upload a variant of this (modulo packages updated in the meantime) not
long after the date has been set.


Cheers,
Thijs





Re: 6.0.7 planning

2013-02-11 Thread Thijs Kinkhorst
On Mon, February 11, 2013 10:40, Thijs Kinkhorst wrote:
 On Sun, February 10, 2013 17:25, Adam D. Barratt wrote:
 We're somewhat overdue with the next Squeeze point release (6.0.7) and
 it'd be good to get it done before the wheezy release, so that we can
 pull in some upgrade fixes.

 Attached are

Classic.


Thijs

ia32-libs (20130211) stable; urgency=low

  * Packages updated

  [ cups (1.4.4-7+squeeze2) stable-security; urgency=high ]

  * Backport upstream configuration files split:
- Add split-configuration-files-STR4223.dpatch
- Install the new cups-files.conf
Fixes: CVE-2012-5519 (#692791)
  * Make cupsd.conf a non-conffile, as it is managed by cups itself.
- On new installs, set it up from cupsd.conf.default.
- On upgrades, move it away in preinst and move it back in postinst.
- On aborted upgrades, move the file back in place.
- On purge, delete it too.
  * Document changes in cups.NEWS.

  [ libexif (0.6.19-1+squeeze1) stable-security; urgency=high ]

  * Non-maintainer upload by the Security Team.
  * Cherry pick changes for CVE-2012-2814, CVE-2012-2840, CVE-2012-2813,
CVE-2012-2812, CVE-2012-2841, CVE-2012-2836, CVE-2012-2837.
(backport patches for fix-CVE-2012-2814, fix-CVE-2012-2836,
 fix-CVE-2012-2837)

  [ libxml2 (2.7.8.dfsg-2+squeeze6) stable-security; urgency=high ]

  [ Daniel Veillard ]
  * Fix potential out of bound access
CVE-2012-5134, #694521.

  [ libxslt (1.1.26-6+squeeze2) stable-security; urgency=high ]

  * Patch to fix three CVEs (#689422):
- CVE-2012-2870 by Daniel Veillard and Chris Evans
- CVE-2012-2871 by Daniel Veillard
- CVE-2012-2893 by Chris Evans

  [ libxslt (1.1.26-6+squeeze1) stable; urgency=low ]

  [ Daniel Veillard ]
  * Fix generate-id() to not expose object addresses
CVE-2011-1202, #617413.

  [ Abhishek Arya ]
  * Fix some case of pattern parsing errors
CVE-2011-3970, #660650.

  [ Chris Evans ]
  * [PATCH] Fix crash with unexpected DTD nodes in XSLT.
CVE-2012-2825, #679283.

  [ nss (3.12.8-1+squeeze6) stable-security; urgency=low ]

  * Explicitly distrust two intermediate CA certificates mis-issued by
TURKTRUST.

  [ tiff (3.9.4-5+squeeze8) stable-security; urgency=high ]

  * Add fix for CVE-2012-5581, reimplementing DOTRANGE handling to make it
safer.  Thanks to Red Hat security team for backporting the fix.

  [ tiff (3.9.4-5+squeeze7) stable-security; urgency=high ]

  * Add fix for CVE-2012-4564, a heap-buffer overflow.  Thanks Adrian La
Duca for doing all the work to prepare this upload.  (#692345)

  [ tiff (3.9.4-5+squeeze6) stable-security; urgency=high ]

  * Add fix for CVE-2012-4447, a buffer overrun.  (#688944)
  * CVE-2012-2088 was actually included in previous version but not listed
in the change log.

  [ tiff (3.9.4-5+squeeze5) stable-security; urgency=high ]

  * Added several additional security patches taken from the Ubuntu Natty
(11.04) tiff package.  (#678140)

CVE-2010-2482
CVE-2010-2595
CVE-2010-2597
CVE-2010-2630
CVE-2010-4665
CVE-2012-2113
CVE-2012-3401

 -- Thijs Kinkhorst th...@debian.org  Mon, 11 Feb 2013 09:43:13 +0100

ia32-libs-core (20130211) stable; urgency=low

  * Packages updated

  [ bzip2 (1.0.5-6+squeeze1) stable; urgency=low ]

  * Non-maintainer upload by the Security Team
  * Fix CVE-2011-4089, thanks to vladz (#632862)

  [ eglibc (2.11.3-4) stable; urgency=low ]

  * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake.  
#637239.
  * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
upstream to fix FORTIFY_SOURCE format string protection bypass.  
#660611.
  * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation
(CVE-2011-4609).  #671478.

  [ eglibc (2.11.3-3) stable; urgency=low ]

  * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
(CVE-2009-5029).  #650790.
  * patches/any/submitted-resolv-first-query-failure.diff: new patch to fix
resolving issues with broken servers returning NOTIMP or FORMERR to 
queries.  #658171.
  * local/manpages/gai.conf.5: update from latest RedHat version.  
#659504.

  [ eglibc (2.11.3-2) stable; urgency=low ]

  * Add patches/arm/cvs-tls-unallocated.diff and
patches/mips/cvs-tls-unallocated.diff to fix FTBFS on armel, mips
and mipsel.

  [ eglibc (2.11.3-1) stable; urgency=low ]

  * Update from stable upstream version, and update from the upstream
stable branch:
- fix wrong memmove/bcopy optimization with gcc-4.6.  #619963.
- fix an integer overflow in fnmatch() (CVE-2011-1659).  #626370.
- fix spurious warning in bswap_16() with -Wconversion.  #561249.
- fix auxiliary cache file creation.  #588218.
- fix memory corruption in fnmatch() that can lead to code execution
  (CVE-2011-1071).  #615120
- fix strchr() on x86-64 CPU with SSE4.2.  #635885
  * Update patches:
- patches/locale/locale-print-LANGUAGE.diff
- patches/hppa

Re: Please wheezy-ignore #695716

2013-01-18 Thread Thijs Kinkhorst
On Thu, January 17, 2013 23:50, Neil Williams wrote:
 On Thu, 17 Jan 2013 19:51:13 +
 Robert Lemmen rober...@semistable.com wrote:

 #695716 is a GFDL-bug, upstream has relicensed their docs and released a
 new version 0.6.7, I have updated the package and uploaded to unstable.

 ... which won't get into testing.

In the past it has been deemed acceptable that such licencing problems are
considered solved when upstream clearly declared a licence change, even if
updated licencing statements in the sources files have not yet permeated
into all supported releases.

I can therefore imagine that an upload to tpu which updates
debian/copyright to state the new licence of the documentation would be
enough to solve the administrative problem that this is, and doesn't
require to split source packages.

This is under the assumption that the existing documentation has actually
been relicenced, of course it would be different if the documentation has
been replaced with completely different documentation to solve the licence
issue. But as far as I understand this is not the case.


Cheers,
Thijs





Bug#692911: unblock: ca-certificates/20121114

2013-01-02 Thread Thijs Kinkhorst
retitle 692911 unblock: ca-certificates/20121114
thanks

Hi,

ca-certificates/20121114 has been uploaded in the meantime which addresses
both the wish for documentation expressed in this bug log above and fixes
RC bug #537051. It has been in unstable for over 30 days now without new
issues reported. Please

unblock ca-certificates/20121114


thanks,
Thijs





Re: [r...@cpan.org: CVE-2012-5195: heap buffer overrun with perl + glibc]

2012-12-09 Thread Thijs Kinkhorst
On Sun, December 9, 2012 16:10, Salvatore Bonaccorso wrote:
 On Sun, December 9, 2012 13:11, Salvatore Bonaccorso wrote:
  Thank you Dominic for keeping updated. Security team, attached is the
  proposed debdiff for the libcgi-pm-perl part.

 Yes, please upload this to security master.

 I did a grave mistake and the upload landed on ftp-master. Shortly
 after I noticed my mistake I tried to cancel but it was too late, and
 it's now on stable-new.

 I'm sorry that this happened, I'm normally checking my uploads really
 well.

 I hope that I can sort this out soon.

I'm CC'ing the stable release managers, who can reject the upload after
which you can retry.


Cheers,
Thijs





let's remove flightgear/simgear from testing

2012-11-30 Thread Thijs Kinkhorst
Hi,

I propose that we remove the flightgear, simgear and probably associated 
packages fgfs-base and fgrun from wheezy, because they have RC bugs and there 
seems to be no concrete indication that this will be resolved anytime soon. 
This is based on the following observations.

Security issues have been reported against the packages (#669024, #669025) on 
16 April which have not seen any maintainer response since. Adding patches to 
the bugs over three weeks ago hasn't changed that either.

The current package versions in unstable are of a different branch than those 
in testing, and fail to build for months, without observable maintainer 
reaction (#690005).

Add to that that the packages currently in wheezy are NMUs of up to three 
iterations, and I conclude that it may be better to not release them with 
wheezy.


Cheers,
Thijs




Bug#691308: unblock: libgnomecanvas/2.30.3-1.2

2012-10-24 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package libgnomecanvas.

The net change is marking libgnomecanvas-common M-A: foreign,
which adds to the Multi-Arch release goal. 

unblock libgnomecanvas/2.30.3-1.2


Thanks,
Thijs
diff -Nru libgnomecanvas-2.30.3/debian/changelog libgnomecanvas-2.30.3/debian/changelog
--- libgnomecanvas-2.30.3/debian/changelog	2011-07-30 17:24:07.0 +0200
+++ libgnomecanvas-2.30.3/debian/changelog	2012-10-14 19:41:21.0 +0200
@@ -1,3 +1,20 @@
+libgnomecanvas (2.30.3-1.2) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Revert conversion to Multi-Arch: same done in 2.30.3-1.1.
+This needs to be done coordinated with changes to libglade2.
+  * Keep the Multi-Arch: foreign change for libgnomecanvas-common.
+
+ -- Thijs Kinkhorst th...@debian.org  Sun, 14 Oct 2012 17:39:04 +
+
+libgnomecanvas (2.30.3-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Convert package to Multiarch by applying patches from
+Adam Stokes and Steve Langasek (closes: #650777).
+
+ -- Thijs Kinkhorst th...@debian.org  Sun, 14 Oct 2012 11:10:26 +
+
 libgnomecanvas (2.30.3-1) unstable; urgency=low
 
   [ Josselin Mouette ]
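Review bot: the line "Keep the Multi-Arch: foreign change for libgnomecanvas-common" names a binary package that does not exist in this source; the control hunks below add the field to `libgnomecanvas2-common`. Fix the changelog to the real package name so the archive's changelog and the control file agree.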
diff -Nru libgnomecanvas-2.30.3/debian/control libgnomecanvas-2.30.3/debian/control
--- libgnomecanvas-2.30.3/debian/control	2011-07-30 17:30:21.0 +0200
+++ libgnomecanvas-2.30.3/debian/control	2012-10-14 19:42:37.0 +0200
@@ -56,6 +56,7 @@
 
 Package: libgnomecanvas2-common
 Architecture: all
+Multi-Arch: foreign
 Section: x11
 Depends: ${misc:Depends}
 Description: powerful object-oriented display engine - common files
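Review bot: `Multi-Arch: foreign` on an `Architecture: all` package that only ships common data files is the right marking, and the same line is added to control.in in the next hunk so the field survives a regeneration of control from control.in. Nothing else to flag here.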
diff -Nru libgnomecanvas-2.30.3/debian/control.in libgnomecanvas-2.30.3/debian/control.in
--- libgnomecanvas-2.30.3/debian/control.in	2011-07-30 17:15:45.0 +0200
+++ libgnomecanvas-2.30.3/debian/control.in	2012-10-14 19:42:31.0 +0200
@@ -51,6 +51,7 @@
 
 Package: libgnomecanvas2-common
 Architecture: all
+Multi-Arch: foreign
 Section: x11
 Depends: ${misc:Depends}
 Description: powerful object-oriented display engine - common files


Bug#690957: unblock: ia32-libs/1:0.3

2012-10-19 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I believe we should consider to have ia32-libs and friends migrate to
testing. In my perception the status is as follows.

All blocking bugs against ia32-libs have been closed. I have installed
and upgraded the package on a number of wheezy systems without trouble;
also tested it with some 3rd party apps and this yielded no problems.

A few blocking bugs against ia32-libs-gtk currently remain. The few
remaining packages this concerns have been downgraded to Recommends.
As I understood on IRC, the release team is reluctant to have library
packages converted to M-A: same at this point in the release, which is
understandable. We can therefore assume that the few remaining ones
are not going to be fixed in the short term. The package does install
and upgrade fine on various wheezy environments. We do not know if
and which external packages still depend on these few libraries.

My proposal is to go ahead with the migration of ia32-libs*. It's
unlikely that the few remains of ia32-libs-gtk will be fixed in the
short term. This is so far as I can see now a potential minor regression
for libraries in the lesser-used ia32-libs-gtk package of which it's
unknown if some 3rd party app still uses them. Migrating the packages
now allows for people to find out in time if there's still something
that may break.

I think the benefits of not including monolithic ia32-libs in wheezy
far outweigh the potential small regression. Of course, the remaining
packages can still be converted later if so desired.


Cheers,
Thijs





Bug#690074: wpa will not migrate, upload to tpu?

2012-10-13 Thread Thijs Kinkhorst
Hi,

wpa has been updated in unstable for CVE-2012-4445, and subsequently
unblocked. However it picked up an enhanced dependency on pcsc-lite in
unstable and hence cannot migrate.

One solution could be to unblock pcsc-lite, but the feasibility of this I
leave up to the release team.

The other solution is an upload to tpu; I've just taken all changes from
unstable since they were already unblocked and hence deemed acceptable for
wheezy. See attached debdiff. If this is the preferred solution, let me
know so I can actually upload.


Cheers,
Thijs

diff -Nru wpa-1.0/debian/changelog wpa-1.0/debian/changelog
--- wpa-1.0/debian/changelog	2012-05-13 20:39:47.0 +
+++ wpa-1.0/debian/changelog	2012-10-13 14:58:25.0 +
@@ -1,3 +1,19 @@
+wpa (1.0-2+wheezy1) testing-proposed-updates; urgency=high
+
+  * Non-maintainer upload.
+  * Rebuild for wheezy.
+
+  [ Stefan Lippers-Hollmann ]
+  * ship forgotten README-P2P.
+  * revert to GNU readline for wpa_cli, instead of using the internal readline
+implementation added in wpa 1~. Prefer libreadline-gplv2-dev, because libnl
+is GPL-2 (only) - switching back to the internal readline implementation is
+targeted for wheezy+1 (Closes: #677993, #678077).
+  * Fix DoS via specially crafted EAP-TLS messages with longer message
+length than TLS data length (CVE-2012-4445, DSA 2557-1, Closes: #689990).
+
+ -- Thijs Kinkhorst th...@debian.org  Sat, 13 Oct 2012 14:48:08 +
+
 wpa (1.0-2) unstable; urgency=low
 
   * Really enable hardened build flags, thanks Simon Ruderich
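Review bot: "Rebuild for wheezy" undersells what this upload is. Per the cover mail it carries the readline switch and the CVE-2012-4445 fix from unstable into a testing-proposed-updates version, and a plain rebuild would not change build-dependencies or configs. Suggest something like "* Upload to testing-proposed-updates with the changes from unstable (see #690074)." so that the tpu entry explains itself.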
diff -Nru wpa-1.0/debian/config/wpasupplicant/kfreebsd wpa-1.0/debian/config/wpasupplicant/kfreebsd
--- wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-04-13 23:13:49.0 +
+++ wpa-1.0/debian/config/wpasupplicant/kfreebsd	2012-10-08 16:32:27.0 +
@@ -238,11 +238,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
diff -Nru wpa-1.0/debian/config/wpasupplicant/linux wpa-1.0/debian/config/wpasupplicant/linux
--- wpa-1.0/debian/config/wpasupplicant/linux	2012-04-13 23:13:49.0 +
+++ wpa-1.0/debian/config/wpasupplicant/linux	2012-10-08 16:32:27.0 +
@@ -237,11 +237,11 @@
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
-#CONFIG_READLINE=y
+CONFIG_READLINE=y
 
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
-CONFIG_WPA_CLI_EDIT=y
+#CONFIG_WPA_CLI_EDIT=y
 
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
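Review bot: the kfreebsd config above gets the identical flip, so wpa_cli's line editing behaves the same on both kernels. The comment directly above `CONFIG_READLINE=y` warns that linking readline changes the licensing of the resulting binary; the changelog answers that by picking libreadline-gplv2-dev because libnl is GPL-2 only, so consider recording that reasoning in debian/copyright rather than only in the changelog, where it is easily lost.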
diff -Nru wpa-1.0/debian/control wpa-1.0/debian/control
--- wpa-1.0/debian/control	2012-04-14 00:57:03.0 +
+++ wpa-1.0/debian/control	2012-06-21 22:42:59.0 +
@@ -16,6 +16,7 @@
  libnl-genl-3-dev (= 3.2.3-2~) [linux-any],
  libpcap-dev [kfreebsd-any],
  libbsd-dev [kfreebsd-any],
+ libreadline-gplv2-dev,
  pkg-config,
  qt4-qmake,
  docbook-to-man,
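Review bot: the new `libreadline-gplv2-dev` build-dependency is not arch-qualified while its neighbours are; that is consistent with both the linux and kfreebsd configs enabling `CONFIG_READLINE`, so no change needed, just noting it was checked.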
diff -Nru wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch
--- wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	1970-01-01 00:00:00.0 +
+++ wpa-1.0/debian/patches/EAP-TLS-server_fix-TLS-Message-length-validation.patch	2012-10-08 15:34:24.0 +
@@ -0,0 +1,43 @@
+From: Jouni Malinen j...@w1.fi
+Date: Sun, 7 Oct 2012 17:06:29 + (+0300)
+Subject: EAP-TLS server: Fix TLS Message Length validation
+X-Git-Url: http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=commitdiff_plain;h=586c446e0ff42ae00315b014924ec669023bd8de
+
+EAP-TLS server: Fix TLS Message Length validation
+
+EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
+Message Length value properly and could end up trying to store more
+information into the message buffer than the allocated size if the first
+fragment is longer than the indicated size. This could result in hostapd
+process terminating in wpabuf length validation. Fix this by rejecting
+messages that have invalid TLS Message Length value.
+
+This would affect cases that use the internal EAP authentication server
+in hostapd either directly with IEEE 802.1X or when using hostapd as a
+RADIUS authentication server and when receiving

Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-10-13 Thread Thijs Kinkhorst
On Thu, October 11, 2012 10:07, Thijs Kinkhorst wrote:
> On Wed, October 10, 2012 22:43, Adam D. Barratt wrote:
>> On Thu, 2012-08-30 at 22:13 +0100, Adam D. Barratt wrote:
>>> On Mon, 2012-08-27 at 23:00 -0400, David Prévot wrote:
>>>> Can someone from the release team please confirm that you would
>>>> consider unblocking such an upload of gnupg, knowing that a udeb is
>>>> involved too?
>>>
>>> After a chat with KiBi the proposed changes shouldn't have any effect on
>>> the content / behaviour of the udeb, so please go ahead.
>>
>> Ping?
>
> There was some confusion about who would actually make the upload, but
> this has been cleared up and I will do so this week.

Uploaded now.


Thijs


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/3968ab0fbee802fd1e0d1aa7eee058aa.squir...@aphrodite.kinkhorst.nl



Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-10-11 Thread Thijs Kinkhorst
On Wed, October 10, 2012 22:43, Adam D. Barratt wrote:
> On Thu, 2012-08-30 at 22:13 +0100, Adam D. Barratt wrote:
>> On Mon, 2012-08-27 at 23:00 -0400, David Prévot wrote:
>>> Can someone from the release team please confirm that you would
>>> consider unblocking such an upload of gnupg, knowing that a udeb is
>>> involved too?
>>
>> After a chat with KiBi the proposed changes shouldn't have any effect on
>> the content / behaviour of the udeb, so please go ahead.
>
> Ping?

There was some confusion about who would actually make the upload, but
this has been cleared up and I will do so this week.


Cheers,
Thijs


Archive: http://lists.debian.org/f0375553c0c3dc8b71cd20b3b17a2ad6.squir...@aphrodite.kinkhorst.nl



Bug#689292: unblock: tinyproxy/1.8.3-3 (security issue)

2012-10-01 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package tinyproxy. It fixes a denial of service.

unblock tinyproxy/1.8.3-3


Thanks,
Thijs


Archive: http://lists.debian.org/20121001073932.4172.31338.report...@incagijs.uvt.nl



Re: Squeeze point release (6.0.6)

2012-09-28 Thread Thijs Kinkhorst
On Fri, September 28, 2012 07:04, Adam D. Barratt wrote:
> Is adding the epoch any more involved than just changing the version
> number, from a packaging point of view?  If not, then doing that today
> would indeed be one way out of the issue, depending on your opinion of
> doing so, with your maintainer hat on.

Well, my maintenance has mostly been limited to making the stable uploads,
and that was actually my reason for joining the team in the first place.

However, I'm going to take this action. I think the suggestion of the
epoch in unstable was a good one anyway, and in any case we'll have more
time to sort out the situation in unstable - we don't have that time for
the point release now, so resolving this takes precedence for me.

> Apologies for not spotting the problem before accepting the
> packages. :-(

It's a pity none of the people involved spotted it, including myself, but
that's done now.


Cheers,
Thijs


Archive: http://lists.debian.org/0e9b7460da47fc09401b7129f3adf21e.squir...@aphrodite.kinkhorst.nl



Re: Squeeze point release (6.0.6)

2012-09-27 Thread Thijs Kinkhorst
On Thu, September 27, 2012 20:52, Adam D. Barratt wrote:
> On Wed, 2012-09-26 at 12:53 +0200, Thijs Kinkhorst wrote:
>> On Wed, September 26, 2012 11:02, Philipp Kern wrote:
>>> On Wed, Sep 26, 2012 at 09:17:53AM +0200, Thijs Kinkhorst wrote:
>>>> OK, so we need to update ia32-libs again, now that all changes are in.
>>> [...]
>>> ok, please upload as soon as possible (i.e. today).
>>
>> Thanks - uploaded.
>
> Unfortunately, this leaves us with a bit of an issue, given the
> imminence of a point release; namely:
>
>  ia32-libs |   20120102 |stable | source, amd64, ia64
>  ia32-libs |   20120102 |   testing | source, amd64, ia64
>  ia32-libs |   20120701 |  unstable | source, amd64
>  ia32-libs |   20120926 | proposed-updates | source, amd64, ia64
>
> As far as I can see, the choices we have are:
>
> a) prop-up the packages from p-u to testing (meh) and unstable (bad)
> during the point release
> b) exclude ia32-libs from the point release (not ideal)
> c) get a newer (well, higher versioned) ia32-libs package in to unstable
> - on both amd64 _and_ ia64 - before Saturday morning.
>
> Longer term, stable updates probably want a different version scheme...

Right... this worked in the past but fails now there's been some action on
ia32-libs in sid. I can upload a new version (20120102+squeeze1 I
propose), do you need to reject the current upload first?


Cheers,
Thijs


Archive: http://lists.debian.org/91c3f2ce8dc1872426501e486de473b4.squir...@aphrodite.kinkhorst.nl



Re: Squeeze point release (6.0.6)

2012-09-27 Thread Thijs Kinkhorst
On Thu, September 27, 2012 22:38, Adam D. Barratt wrote:
> On Thu, 2012-09-27 at 22:10 +0200, Thijs Kinkhorst wrote:
>> On Thu, September 27, 2012 20:52, Adam D. Barratt wrote:
>>> a) prop-up the packages from p-u to testing (meh) and unstable (bad)
>>> during the point release
>>> b) exclude ia32-libs from the point release (not ideal)
>>> c) get a newer (well, higher versioned) ia32-libs package in to unstable
>>> - on both amd64 _and_ ia64 - before Saturday morning.
>>>
>>> Longer term, stable updates probably want a different version scheme...
>>
>> Right... this worked in the past but fails now there's been some action
>> on ia32-libs in sid. I can upload a new version (20120102+squeeze1 I
>> propose), do you need to reject the current upload first?
>
> It's already in proposed-updates, so out of our hands to do anything
> about it; we can't reject it and a new upload to p-u would need a higher
> version than what's currently there. :-(

Let me know when I can do something.

FWIW, there has already been a proposal to epoch the sid version of
ia32-libs for different reasons (#688915), so perhaps the route to accept
this version in squeeze and wheezy may be viable.


Cheers,
Thijs


Archive: http://lists.debian.org/b5e1c16d4b7972926a5c6cb8e062cddd.squir...@aphrodite.kinkhorst.nl



Re: Squeeze point release (6.0.6)

2012-09-26 Thread Thijs Kinkhorst
On Mon, September 17, 2012 15:58, Philipp Kern wrote:
> ok, given the replies, let's settle on this:
>
> On Fri, Sep 07, 2012 at 09:43:03PM +0200, Philipp Kern wrote:
>> * Sep 29/30: ok from RT side

OK, so we need to update ia32-libs again, now that all changes are in.
The other two ia32-libs-* do not require an update in this release.

Attached is the proposed changelog entry. Let me know when I can upload.


Cheers,
Thijs



Re: Squeeze point release (6.0.6)

2012-09-26 Thread Thijs Kinkhorst
On Wed, September 26, 2012 11:02, Philipp Kern wrote:
> Hi,
>
> On Wed, Sep 26, 2012 at 09:17:53AM +0200, Thijs Kinkhorst wrote:
>> OK, so we need to update ia32-libs again, now that all changes are in.
>> The other two ia32-libs-* do not require an update in this release.
>>
>> Attached is the proposed changelog entry. Let me know when I can upload.
>
> ok, please upload as soon as possible (i.e. today).

Thanks - uploaded.


Cheers,
Thijs



Archive: http://lists.debian.org/5e348fbaa972dbe939a850e9acd2ac34.squir...@aphrodite.kinkhorst.nl



Bug#686344: unblock: simplesamlphp/1.9.2-1

2012-08-31 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

Please unblock package simplesamlphp. It's a security-update only release
that further tightens the screws on the security issue addressed in 1.9.1,
after further discussion with the scientists who discovered the issue.

The debdiff is very simple.

Please
unblock simplesamlphp/1.9.2-1


Thanks,
Thijs
diff -Nru simplesamlphp-1.9.1/debian/changelog simplesamlphp-1.9.2/debian/changelog
--- simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.0 +0200
+++ simplesamlphp-1.9.2/debian/changelog	2012-08-29 17:45:36.0 +0200
@@ -1,3 +1,11 @@
+simplesamlphp (1.9.2-1) unstable; urgency=medium
+
+  * New upstream security release:
+Fix possible issue in PKCS 1.5 encryption when a key is
+correctly decrypted but its length is not the one expected.
+
+ -- Thijs Kinkhorst th...@debian.org  Wed, 29 Aug 2012 15:43:31 +
+
 simplesamlphp (1.9.1-1) unstable; urgency=medium
 
   * New upstream security release:
diff -Nru simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.0 +0200
+++ simplesamlphp-1.9.2/docs/simplesamlphp-changelog.txt	2012-08-29 10:19:20.0 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.2
+
+Released 2012-08-29
+
+  * Fix related to the security issue addressed in version 1.9.1.
+
 ## Version 1.9.1
 
 Released 2012-08-02.
diff -Nru simplesamlphp-1.9.1/lib/SAML2/Utils.php simplesamlphp-1.9.2/lib/SAML2/Utils.php
--- simplesamlphp-1.9.1/lib/SAML2/Utils.php	2012-08-02 08:25:23.0 +0200
+++ simplesamlphp-1.9.2/lib/SAML2/Utils.php	2012-08-29 10:19:12.0 +0200
@@ -393,6 +393,10 @@
 
 			try {
 $key = $encKey-decryptKey($symmetricKeyInfo);
+if (strlen($key) != $keySize) {
+	throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' .
+		var_export($symmetricKey-type, TRUE));
+}
 			} catch (Exception $e) {
 /* We failed to decrypt this key. Log it, and substitute a random key. */
 SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e-getMessage());
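Review bot: the new length check relies on `$keySize`, which is not set anywhere in this hunk; confirm it is derived from the declared encryption algorithm before this point, otherwise the comparison is against an undefined value. Throwing inside the same try block is the right shape: a wrong-length key then takes the same path as a failed decryption (logged and replaced by a random key), so the sender sees no distinguishable error. Cosmetic: the message concatenates `strlen($key) * 8 . 'bits'` without a space before `bits`.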
diff -Nru simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php
--- simplesamlphp-1.9.1/lib/SimpleSAML/Configuration.php	2012-08-02 08:28:37.0 +0200
+++ simplesamlphp-1.9.2/lib/SimpleSAML/Configuration.php	2012-08-29 11:16:57.0 +0200
@@ -5,7 +5,7 @@
  *
  * @author Andreas Aakre Solberg, UNINETT AS. andreas.solb...@uninett.no
  * @package simpleSAMLphp
- * @version $Id: Configuration.php 3136 2012-08-02 06:28:37Z olavmrk $
+ * @version $Id: Configuration.php 3152 2012-08-29 09:16:57Z jaim...@gmail.com $
  */
 class SimpleSAML_Configuration {
 
@@ -295,7 +295,7 @@
 	 * @return string
 	 */
 	public function getVersion() {
-		return '1.9.1';
+		return '1.9.2';
 	}
 
 


Bug#685960: unblock: gnupg/1.4.12-5 (pre-approval)

2012-08-27 Thread Thijs Kinkhorst
On Mon, August 27, 2012 03:38, David Prévot wrote:
> Attached the current (from the gnupg package repository) debdiff,
> excluding the translation, since it contains other pending changes that
> may not be in line with the current freeze policy (so the release team
> may point what changes could be acceptable or not).

The changes for enable-minimal I consider, as gnupg's maintainer, not
suitable for upload during the freeze. I can back them out if an upload for
the other changes is desired.


Thijs


Archive: http://lists.debian.org/7fe8f9d2ac65f3e8a33168b31a0b1540.squir...@wm.kinkhorst.nl



Bug#683299: please unblock: open-vm-tools/2:8.8.0+2012.05.21-724730-4

2012-08-14 Thread Thijs Kinkhorst
Hi,

As it seems, Daniel has uploaded a version of open-vm-tools that reverts
the contentious changes. This version has been in unstable for 11 days now
and no bugs have been reported since.

Can you please review and unblock?


thanks,
Thijs


Archive: http://lists.debian.org/05c281194a064c399a9c905fb1c30f65.squir...@wm.kinkhorst.nl



Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)

2012-08-14 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock


Hi,

Please unblock package phpmyadmin: it fixes two cross site scripting issues
and nothing else. The diff to db_structure.js may be a bit hard to read, but
it adds escapeHTML() calls to two parameters.

unblock phpmyadmin/4:3.4.11.1-1


Thanks,
Thijs
diff -Nru phpmyadmin-3.4.11/ChangeLog phpmyadmin-3.4.11.1/ChangeLog
--- phpmyadmin-3.4.11/ChangeLog	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/ChangeLog	2012-08-12 13:38:18.0 +
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ==
 
+3.4.11.1 (2012-08-12)
+- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
+
 3.4.11.0 (2012-04-14)
 - bug #3486970 [import] Exception on XML import
 - bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in navigation
diff -Nru phpmyadmin-3.4.11/Documentation.html phpmyadmin-3.4.11.1/Documentation.html
--- phpmyadmin-3.4.11/Documentation.html	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/Documentation.html	2012-08-12 13:38:18.0 +
@@ -9,7 +9,7 @@
 
 
 
-
+phpMyAdmin 3.4.11.1 - Documentation
 
 
 
@@ -17,7 +17,7 @@
 
 
 phpMyAdmin
-3.4.11
+3.4.11.1
 Documentation
 
 
diff -Nru phpmyadmin-3.4.11/Documentation.txt phpmyadmin-3.4.11.1/Documentation.txt
--- phpmyadmin-3.4.11/Documentation.txt	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/Documentation.txt	2012-08-12 13:38:18.0 +
@@ -1,4 +1,4 @@
-phpMyAdmin 3.4.11 Documentation
+phpMyAdmin 3.4.11.1 Documentation
 
   * Top
   * Requirements
diff -Nru phpmyadmin-3.4.11/README phpmyadmin-3.4.11.1/README
--- phpmyadmin-3.4.11/README	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/README	2012-08-12 13:38:18.0 +
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===
 
-Version 3.4.11
+Version 3.4.11.1
 
 A set of PHP-scripts to manage MySQL over the web.
 
diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11
--- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11	1970-01-01 00:00:00.0 +
@@ -1 +0,0 @@
-Sat Apr 14 11:41:12 UTC 2012
diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1
--- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1	1970-01-01 00:00:00.0 +
+++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1	2012-08-12 13:38:18.0 +
@@ -0,0 +1 @@
+Sun Aug 12 13:37:09 UTC 2012
diff -Nru phpmyadmin-3.4.11/debian/changelog phpmyadmin-3.4.11.1/debian/changelog
--- phpmyadmin-3.4.11/debian/changelog	2012-04-18 10:28:38.0 +
+++ phpmyadmin-3.4.11.1/debian/changelog	2012-08-13 13:25:51.0 +
@@ -1,3 +1,10 @@
+phpmyadmin (4:3.4.11.1-1) unstable; urgency=high
+
+  * New upstream security release.
+- Fixes cross site scripting [PMASA-2012-4].
+
+ -- Thijs Kinkhorst <th...@debian.org>  Mon, 13 Aug 2012 13:24:09 +
+
 phpmyadmin (4:3.4.11-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru phpmyadmin-3.4.11/js/db_structure.js phpmyadmin-3.4.11.1/js/db_structure.js
--- phpmyadmin-3.4.11/js/db_structure.js	2012-04-14 11:42:20.0 +
+++ phpmyadmin-3.4.11.1/js/db_structure.js	2012-08-12 13:38:18.0 +
@@ -1,6 +1,6 @@
 function PMA_adjustTotals(a){var b=a.closest("tr");a=b.find(".tbl_rows");var d=b.find(".tbl_size");b=parseInt(a.text());a.text("0");d.text("-");if(!isNaN(b)){$total_rows_td=$("#tbl_summary_row").find(".tbl_rows");a=parseInt($total_rows_td.text());isNaN(a)||$total_rows_td.text(a-b)}a=$("#tbl_summary_row").find(".tbl_size");a.text(a.text().replace(/^/,"~"))}
-$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a="TRUNCATE "+b.parents("tr").children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+
-" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a="DROP TABLE "+d.children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.succes
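Review bot: this hunk replaces minified single-line JavaScript, so the two escapeHTML() calls the changelog promises cannot be verified by eye; please attach the diff against the unminified source, or quote the two changed expressions, so the XSS fix can be reviewed rather than taken on trust.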

Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-08 Thread Thijs Kinkhorst
On Wed, August 8, 2012 01:15, Cyril Brulebois wrote:
> Thijs Kinkhorst th...@debian.org (07/08/2012):
>> On Tue, August 7, 2012 01:44, Cyril Brulebois wrote:
>>> while I have only glanced at it, that doesn't look bad at all,
>>> please go ahead and ping us once it's accepted.
>>
>> It has now been accepted.
>
> Thanks. Now that I have a little more time, finally looking at it for
> real.
>
> OK for doc changes, and $Id$ noise (…).
>
> I think I can see what the key dance part of the patch does, too.
>
> That is totally obscure to me though:
> - if (!$newDoc-loadXML($xml)) {
> + if (!@$newDoc-loadXML($xml)) {
>
> What does that do? Fix a bug, silence a language warning, or anything
> else?

It silences a language warning: if the loadXML call fails the interpreter
would output a warning, but this is handled more gracefully already by
throwing an exception straight below it.


Cheers,
Thijs


Archive: http://lists.debian.org/e75e1af8cecc6cce627ab3648049a038.squir...@wm.kinkhorst.nl



Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-07 Thread Thijs Kinkhorst
On Tue, August 7, 2012 01:44, Cyril Brulebois wrote:
> Hello Thijs,
>
> Thijs Kinkhorst th...@debian.org (06/08/2012):
>> I would like to upload simplesamlphp/1.9.1-1: an upstream security
>> release that only fixes a security issue and adds some minor
>> documentation fixes.  The debdiff is attached.
>
> while I have only glanced at it, that doesn't look bad at all, please go
> ahead and ping us once it's accepted.

It has now been accepted.

Thanks,
Thijs


Archive: http://lists.debian.org/97da1a091aa535a797733fb5ba23c748.squir...@wm.kinkhorst.nl



Bug#684045: pre-approval simplesamlphp/1.9.1-1

2012-08-06 Thread Thijs Kinkhorst
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

I would like to upload simplesamlphp/1.9.1-1: an upstream security release
that only fixes a security issue and adds some minor documentation fixes.
The debdiff is attached.

The security issue is described here:
http://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15/

Please let me know if I can upload this to unstable so it will end up in
wheezy.


thanks,
Thijs

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
diff -Nru simplesamlphp-1.9.0/debian/changelog simplesamlphp-1.9.1/debian/changelog
--- simplesamlphp-1.9.0/debian/changelog	2012-06-13 12:38:24.0 +0200
+++ simplesamlphp-1.9.1/debian/changelog	2012-08-06 14:58:01.0 +0200
@@ -1,3 +1,10 @@
+simplesamlphp (1.9.1-1) unstable; urgency=medium
+
+  * New upstream security release:
+Fix for an attack against PKCS 1.5 in XML encryption.
+
+ -- Thijs Kinkhorst th...@debian.org  Mon, 06 Aug 2012 12:57:02 +
+
 simplesamlphp (1.9.0-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-changelog.txt	2012-06-13 08:30:49.0 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-changelog.txt	2012-08-02 08:25:33.0 +0200
@@ -6,6 +6,12 @@
 This document lists the changes between versions of simpleSAMLphp.
 See the upgrade notes for specific information about upgrading.
 
+## Version 1.9.1
+
+Released 2012-08-02.
+
+  * Fix for a new attack against PKCS 1.5 in XML encryption.
+
 ## Version 1.9
 
 Released 2012-06-13.
@@ -170,6 +176,7 @@
   * Allow ISO8601 durations with subsecond precision.
   * Add support for parsing and serializing the lt;mdrpi:PublicationInfo metadata extension.
   * Ignore cacheDuration when validating metadata.
+  * Add support for the Holder-of-Key profile, on both the [SP](./simplesamlphp-hok-sp) and [IdP](./simplesamlphp-hok-idp).
   * Better error handling when receiving a SAML 2.0 artifact from an unknown entity.
   * Fix parsing of lt;md:AssertionIDRequestService metadata elements.
   * IdP: Do not always trigger reauthentication when the authentication request contains a IdPList-element.
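Review bot: this hunk inserts a Holder-of-Key changelog line into an earlier release's section and links to ./simplesamlphp-hok-sp and ./simplesamlphp-hok-idp, but no such documents appear elsewhere in this debdiff; confirm those pages already ship in 1.9.0 so the links do not dangle, and that this is a backfilled changelog entry rather than a feature backport during the freeze.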
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-reference-idp-hosted.txt	2012-04-12 14:40:08.0 +0200
+++ simplesamlphp-1.9.1/docs/simplesamlphp-reference-idp-hosted.txt	2012-06-18 14:01:46.0 +0200
@@ -293,6 +293,16 @@
 metadata overrides the one configured in the IdP metadata.
 
 
+Metadata extensions
+---
+
+SimpleSAMLphp supports generating metadata with the MDUI and EntityAttributes metadata extensions.
+See the documentation for those extensions for more details:
+
+  * [MDUI extension](./simplesamlphp-metadata-extensions-ui)
+  * [EntityAttributes](./simplesamlphp-metadata-extensions-attributes)
+
+
 Examples
 
 
diff -Nru simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt
--- simplesamlphp-1.9.0/docs/simplesamlphp-ukaccess.txt	2011-01-12 15:25:46.0 +0100
+++ simplesamlphp-1.9.1/docs/simplesamlphp-ukaccess.txt	2012-06-28 10:40:27.0 +0200
@@ -7,7 +7,7 @@
 	http://daringfireball.net/projects/markdown/syntax
 --
 
-  * Version: `$Id: simplesamlphp-ukaccess.txt 2711 2011-01-12 14:25:46Z olavmrk $`
+  * Version: `$Id: simplesamlphp-ukaccess.txt 3127 2012-06-28 08:40:27Z olavmrk $`
 
 !-- {{TOC}} --
 
@@ -26,7 +26,7 @@
   * [Service Provider QuickStart](simplesamlphp-sp)
   * [Configuration Reference](./saml:sp)
 
-### Enablig a certificate for your Service Provider
+### Enabling a certificate for your Service Provider
 
 UK Access Federation and InCommon probably requires that you enable a certificate for your SP. Other federations do not always require that you do.
 
@@ -51,7 +51,7 @@
 Consuming Federation Metadata
 -
 
-In order to enable the functionality to automatically download and parse metadata from a remtote URL, enable the `metarefresh` and `cron` modules:
+In order to enable the functionality to automatically download and parse metadata from a remote URL, enable the `metarefresh` and `cron` modules:
 
 	touch modules/metarefresh/enable
 	cp modules/metarefresh/config-templates/*.php config/
@@ -86,7 +86,7 @@
 		),
 	);
 
-The example above is from **UK Acces Federation**. If you instead would like to get metadata from **InCommon**, use the following URL and fingerprint:
+The example above is from **UK Access

please unblock open-vm-tools (rc bugfix)

2012-07-28 Thread Thijs Kinkhorst
Hi,

open-vm-tools/2:8.8.0+2012.05.21-724730-3 was uploaded to fix an RC bug in the 
package (#679886). It has now aged for 11 days without problems discovered.

It must be noted that wheezy now contains -1. -2 was uploaded before the 
freeze and got an automatic unblock already. Its changes have been in unstable 
for a month and I'm using -3 on a wheezy machine for weeks to full 
satisfaction.

Please consider unblocking.

thanks,
Thijs




Re: [php-maint] php5 testing transition

2012-05-07 Thread Thijs Kinkhorst
On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote:
> On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
>> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>>> For some reason I had it in my head that 5.4.2 was the upstream
>>>> version with the fixed fix rather than the not-quite fixed fix.
>>>
>>> I think this is the case (e.g. 5.4.2 is the fixed version).
>>
>> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
>> 5.4.2 being incomplete.
>
> PHP 5.4.2 does not fix the issue.

PHP upstream has now announced new releases for tomorrow, which also fix
another security issue:
http://www.php.net/archive/2012.php#id2012-05-06-1

It would be great if we could get that into unstable swiftly and then
start the migration process.


Cheers,
Thijs


Archive: http://lists.debian.org/6b01636198eb33c3c8d20d0f2c991aed.squir...@wm.kinkhorst.nl



Re: [php-maint] php5 testing transition

2012-05-06 Thread Thijs Kinkhorst
On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>> For some reason I had it in my head that 5.4.2 was the upstream
>>> version with the fixed fix rather than the not-quite fixed fix.
>>
>> I think this is the case (e.g. 5.4.2 is the fixed version).
>
> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
> 5.4.2 being incomplete.

PHP 5.4.2 does not fix the issue. Please see:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html
https://twitter.com/i0n1c/status/198158078913417216


Cheers,
Thijs


Archive: http://lists.debian.org/140e14cc0e250ad700a98fc1ed3fd3cb.squir...@wm.kinkhorst.nl


