[SECURITY] [DSA 4012-1] libav security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4012-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libav
CVE ID         : CVE-2015-8365 CVE-2017-7208 CVE-2017-7862 CVE-2017-9992

Several security issues have been corrected in multiple demuxers and
decoders of the libav multimedia library. A full list of the changes is
available at
https://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v11.11

For the oldstable distribution (jessie), these problems have been fixed
in version 6:11.11-1~deb8u1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAln3s6kACgkQEMKTtsN8
TjYW1xAAniTp/ZM/AozpOY7dvDyjiKC16VdMpThlx2nsYoloCGpq1RIga/J4lPQR
lFI/twDVnP/bIhOmeZkiywTdxrcAZcoqxtyU97C1NOTzR7n+SySZVcrkqBlcnwK6
j0bv0EEtrAq1ATgKphTQkNwrL9fcGEYS3TQs6Fr+i+Xh2M9t/29neD+GNS32VB+7
np1CUPR2s6gTvzj8kHS/0LiM8J/JfXVQ6Xc4EMEMjQcz6jChL9clWaA5DQewQN/w
aPPBw6rG9buJwGNmd4YTBzG0oWLJiTj51tpyZeY5oamJrNYfyZW0GXze26Zjo4kj
23l8LDQkr/MROrRaDW7QcLEkv6RFfAbxqa8d2s/4CIZEW/k+6A4MRkSf9o5tFaxi
F6G/kHg1Yu7lgPems7rNIePHU3ROi3uQzgDADgWlLjXbxbaybcViyA1fGvho1QEl
nl3dLH9vnrfVfAOJhYLRR2cQVDZAPVtAsvmeZj+9dN7iNLCMeTdljPr6c+gTOLJg
2vXk6H/QaYFgAclB6hQLDmjZ6HMl445S85SPWdTxCTzt+K2tw55mnV9QTqoRvjDF
dCeeeIPbAiKI/s/SKC75iMLk2gZ3UbuaZPsaS0caw0XVHH1pLmjpYBUCw2JWAMQk
S4l/K4/tjdFG7nHQKBgn+GP/JCzKAigaNUzG6PzxAQ/w75GruTM=
=HxFN
-----END PGP SIGNATURE-----
Re: HTTPS enabled Debian Security repository
Hi there

On 30/10/17 12:24, Russell Coker wrote:
> I agree. There's little downside nowadays. Squid doesn't work
> particularly well caching APT repositories nowadays (strange timeouts
> and hangs during downloads) so the caching benefit of non-SSL has
> mostly gone away.

I have no problems with Squid caching apt repositories. Squid can be made
to act as a man in the middle, caching HTTPS, but this is incompatible
with DANE.

Regards,
Rob
[SECURITY] [DSA 4011-1] quagga security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4011-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
October 30, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : quagga
CVE ID         : CVE-2017-16227
Debian Bug     : 879474

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

For the oldstable distribution (jessie), this problem has been fixed
in version 0.99.23.1-1+deb8u4.

For the stable distribution (stretch), this problem has been fixed in
version 1.1.1-3+deb9u1.

We recommend that you upgrade your quagga packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAln3hTFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0T8YA//dSQ0B+YeZ9Za852evhaIDQe0VmCy/q8ilGzvIRSdl3gAWm3WcG7RNnc1
J6iXtBrR6TzaXLC82vQpOLUjHrlwZdiyQqyA5hMUP+tNnP9jnU8eNYgDEgr86DkR
ICV/cTPV0ZYXus68zXlElQGcnMny3DXD3nR7u1BlF7bYUB7r6xTUS2qvxV423XeZ
Gor7LJhmBuIykmJcQuMIR6CUNsXSHa7ZB7ebREG7ltF6oPMRpwD4ekZN70RskAAA
HXO29RR3Fio+oN36sT8gVsG1WSaKioPttQ+EmeoIy2UhoP92DQNw7YXhZzz94XE4
cTcTgLd5vCjNNwVU+I/zo1tAx54MJZRyPWcLtKnQ+/Q6Cw3FDQNWaBNKPI8FxnHu
gZKotp8sJa+Om3cZirxLDTY+dA/1cJ6frJTMpqKovGJ0pOh7SikPXqdu5VfcBwA8
howsGEHxK+8IC30lYUIK85Qe9byZC0gQPok51hR1+jBJO4zFqeMRkNjw9TKPqoA9
RBGumvS0jR/rBJWaSjpfj2idTqzNYsK11lgfrD+ZvnWQuQniWGHhtwrp0JHRop8u
IAcpJWxVYqO0+CJiez4Gj35XBVaYx5f5vZ6nYYxUwIzwuBOpgdeNx/Xs5axsWohT
eyq4GwigItHnBb/Hw9R8Mxx78PnHNoC8kWOS1iXRtPMAZuokLtM=
=EjLm
-----END PGP SIGNATURE-----
Re: HTTPS enabled Debian Security repository
On Monday, 30 October 2017 8:57:00 AM AEDT Hans-Christoph Steiner wrote:
> > The one from 2016 is harder to exploit: I asked on #-apt back then and
> > the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> > on a memory starved i386 system.
>
> That hit rate is enough to build malware around...

25% hit rate is enough to be worth exploiting, but 1.3G of extra data
greatly reduces the incidence. The small i386 systems tend not to have
fast enough networking that 1.3G of data could be downloaded without
notice.

> Don't get me wrong, I agree that HTTPS is very overcomplicated and
> terrible in a lot of ways. But the days of plain HTTP/TCP are over.
> All connections need to be moving towards encryption. Even with HTTPS'
> faults, we are better off using it than plain HTTP.

I agree. There's little downside nowadays. Squid doesn't work
particularly well caching APT repositories nowadays (strange timeouts
and hangs during downloads) so the caching benefit of non-SSL has
mostly gone away.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
Re: HTTPS enabled Debian Security repository
Ansgar Burchardt:
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven. There was a bug in apt where Debian devices could be
>>> exploited by feeding them crafted InRelease files:
>>>
>>> https://www.debian.org/security/2016/dsa-3733
>>
>> This was the *one* bug of this sort in the entire lifetime of apt thus
>> far, AFAIK.
>
> No, there was also
>   https://security-tracker.debian.org/tracker/CVE-2013-1051
> which I found. That one was fairly easy to exploit (concatenate
> manipulated Release with wrong "-----BEGIN PGP SIGNATURE-----" markers
> and correctly signed InRelease; gpg would verify the signature at the
> end, but apt would use the unsigned, manipulated Release from the
> beginning)
>
> Similar bugs were present in several other places in Debian's
> infrastructure as well.
>
> The one from 2016 is harder to exploit: I asked on #-apt back then and
> the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> on a memory starved i386 system.

That hit rate is enough to build malware around...

>>> If HTTPS was used, that would mean exploiting that would require
>>
>> One of the dozens of zero-days already found in the TLS stack we had to
>> run like crazy to patch ?
>
> That is still valid of course, though I'm not sure if GnuPG or TLS
> libraries get wider testing...
>
> Ansgar

Don't get me wrong, I agree that HTTPS is very overcomplicated and
terrible in a lot of ways. But the days of plain HTTP/TCP are over.
All connections need to be moving towards encryption. Even with HTTPS'
faults, we are better off using it than plain HTTP.

.hc
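The CVE-2013-1051 shape Ansgar describes above (a manipulated, unsigned Release glued in front of a correctly signed InRelease, with bogus signature markers in between) comes down to one mistake: the code that extracts the payload and the code that verifies the signature disagree about where the signed text ends. The following is an added example, not code from apt or from anyone in this thread. It contrasts a naive extractor, which takes everything before the first line that looks like a signature marker, with a strict parser that accepts only a single well-formed clearsign block. The armor line names are the standard OpenPGP ones; the file contents, the placeholder signature armor and the "marker with a trailing x" forgery are constructed for the demonstration, and nothing here checks cryptography.

```python
"""Naive vs. strict parsing of an OpenPGP clearsigned file (InRelease style).

Added example, not apt's code. The signature armor in the samples is a
constructed placeholder: the point is structural. The bytes you consume must
be exactly the bytes the verifier checked, so a file that is not one single
well-formed clearsign block is rejected before anything is consumed.
"""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def _unescape(line: str) -> str:
    # Clearsign dash-escapes body lines that start with "-" as "- -...".
    return line[2:] if line.startswith("- ") else line


def naive_payload(text: str) -> str:
    """The broken approach: everything between the Hash: header and the first
    line that merely looks like a signature marker (loose prefix match)."""
    lines = text.split("\n")
    start = lines.index("") + 1
    end = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP SIGNATURE"))
    return "\n".join(_unescape(l) for l in lines[start:end])


def strict_payload(text: str) -> str:
    """Accept exactly: clearsign header, Hash: lines, blank line, body, one
    signature block, nothing after. Raise ValueError on anything else."""
    lines = text.split("\n")
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("file must start with the clearsign header")
    i = 1
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash: "):
            raise ValueError(f"unexpected armor header: {lines[i]!r}")
        i += 1
    if i == len(lines):
        raise ValueError("no blank line after armor headers")
    i += 1
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        if lines[i].startswith("-----"):
            # A genuine body line starting with "-" would be dash-escaped, so an
            # unescaped armor-looking line is a forged marker or a spliced block.
            raise ValueError(f"unescaped armor line inside signed text: {lines[i]!r}")
        body.append(_unescape(lines[i]))
        i += 1
    if i == len(lines):
        raise ValueError("signed text is not followed by a signature")
    i += 1
    while i < len(lines) and lines[i] != END_SIG:
        if lines[i].startswith("-----"):
            raise ValueError(f"unexpected armor line inside signature: {lines[i]!r}")
        i += 1
    if i == len(lines):
        raise ValueError("signature block is not terminated")
    if any(l.strip() for l in lines[i + 1:]):
        raise ValueError("data after END PGP SIGNATURE")
    return "\n".join(body)


def is_well_formed(text: str) -> bool:
    try:
        strict_payload(text)
        return True
    except ValueError:
        return False


# Constructed samples; hashes and armor bodies are placeholders, not real data.
GENUINE_INRELEASE = "\n".join([
    BEGIN_MSG, "Hash: SHA512", "",
    "Origin: Debian", "Suite: stable", "SHA256:",
    " 0000000000000000 1234 main/binary-amd64/Packages",
    BEGIN_SIG, "", "placeholderSignatureArmor==", "=abcd", END_SIG, "",
])

# Attacker's prefix: manipulated index with "markers" that are not the exact
# armor lines, followed by the genuine, correctly signed file.
FORGED_PREFIX = "\n".join([
    BEGIN_MSG, "Hash: SHA512", "",
    "Origin: Debian", "Suite: stable", "SHA256:",
    " ffffffffffffffff 4321 main/binary-amd64/Packages",
    BEGIN_SIG + "x", "", "bogus", END_SIG + "x", "",
])
SPLICED_INRELEASE = FORGED_PREFIX + GENUINE_INRELEASE

if __name__ == "__main__":
    print("naive, genuine :", naive_payload(GENUINE_INRELEASE).splitlines()[3])
    print("naive, spliced :", naive_payload(SPLICED_INRELEASE).splitlines()[3])
    print("strict, spliced:", is_well_formed(SPLICED_INRELEASE))
```

On the spliced file the naive extractor returns the attacker's `ffff...` hash line while the strict parser rejects the file outright. The more robust pattern, rather than re-parsing the armor yourself, is to let the verifier emit the text it actually checked (gpgv's `--output` option) and consume only that.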
[SECURITY] [DSA 4010-1] git-annex security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4010-1                   secur...@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 30, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git-annex
CVE ID         : CVE-2017-12976
Debian Bug     : 873088

It was discovered that git-annex, a tool to manage files with git
without checking their contents in, did not correctly handle
maliciously constructed ssh:// URLs. This allowed an attacker to run an
arbitrary shell command.

For the oldstable distribution (jessie), this problem has been fixed
in version 5.20141125+deb8u1.

For the stable distribution (stretch), this problem has been fixed in
version 6.20170101-1+deb9u1.

We recommend that you upgrade your git-annex packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAln21ToACgkQEL6Jg/PV
nWRtQAf9Ei+h60JxNnNzcD+Ymrw79U0YMEGLmvuBwDLVoChsHj9XYhMvW/AWCNhf
G6zMjmhwNH33vY8XPfaOnTdZiKKY7sIdOqCFT0besXrxIutJqj9qv61A33s9XSXs
KAvtCkI6IywY+Gwo7BYaohA2gIIvopLfW9ssc/ZwGMnNE5ahFX6jPFhZz4oL9Luj
9Y6HzJobJihAlVtaPki5wNwZcz2WshIp3yV6+0nsUpxDpomVimEWbcCkf2LdmP4p
PsftHwRjMLNHZk4M1ZCF4EYi4rQh/P1ECxl45puuiOqI2kBIzxO/QJviTK2y3Rj0
+NLx8qR+fb/sKKLbgfKvQs0QSRkIpw==
=VejX
-----END PGP SIGNATURE-----