Re: Gaps in security coverage?
On Wed, Nov 7, 2018 at 6:28 AM Moritz Mühlenhoff wrote:

> E.g. your specific example of busybox/CVE-2011-5325 is fixed in the
> upcoming stretch point release.

I noticed that this isn't reflected in the security tracker website but
it is in data/next-point-update.txt. If anyone wants to get involved in
enhancing the security tracker this would probably be an ideal place to
start.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Gaps in security coverage?
John Goerzen schrieb:

Hi John,

> So I recently started running debsecan on one of my boxes.

debsecan hasn't seen any feature work for about a decade and is far too
noisy, to the point of being useless these days.

> It's a fairly barebones server install, uses unattended-upgrades and is
> fully up-to-date. I expected a clean bill of health, but didn't get
> that. I got pages and pages and pages of output. Some of it (especially
> kernel related) I believe may be false positives, but not all. Some of
> it simply isn't patched yet.

No distro backports everything, that would be outright insane :-) As such
there's no clean bill of health. We look at everything and if it's
important enough it gets fixed via security.debian.org and if not, via
point releases or not at all (there are plenty of cases where the
tradeoff of changing stable clearly balances towards not fixing stuff!)

E.g. your specific example of busybox/CVE-2011-5325 is fixed in the
upcoming stretch point release.

> Marked fixed in jessie

After introducing a regression
(https://packages.qa.debian.org/b/busybox/news/20180803T045026Z.html),
which is a good example of the balance I mentioned above.

> 2) If so, what kinds of volunteering would be appreciated?

Sure! If you tell us what languages you feel comfortable backporting
security fixes in, I'm sure we can find you some tasks to work on. Best
to reply to the team alias (t...@security.debian.org) and we can pick it
up from there.

Thanks,
Moritz
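Moritz's split above (fixed via security.debian.org, via a point release, or not at all) and Paul's note further up that a queued point-release fix lives in data/next-point-update.txt rather than on the tracker website both come down to reading the tracker's per-suite status for each CVE debsecan prints. The Python below is an added example, not code from the thread, from debsecan or from the security tracker: it buckets debsecan-style findings by that status so the "pages and pages" collapse into a handful of categories. The tracker JSON field names (status, repositories, fixed_version, nodsa, nodsa_reason) are assumed from the tracker's export format, the debsecan line format is assumed to start with the CVE ID and source package, and every value in the embedded sample apart from the busybox/CVE-2011-5325 pair named in the thread is a placeholder.

```python
"""Bucket debsecan-style findings by Debian security tracker status.

Added example, not part of the thread, of debsecan or of the tracker.
Field names follow the tracker's JSON export as I understand it; all
sample values except the package/CVE named in the thread are placeholders.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of
# https://security-tracker.debian.org/tracker/data/json
# (source package -> CVE -> "releases" -> suite). Versions, urgency and
# the no-DSA note are placeholders, not the real busybox data.
SAMPLE_TRACKER_JSON = """
{
  "busybox": {
    "CVE-2011-5325": {
      "description": "placeholder description",
      "scope": "local",
      "releases": {
        "jessie": {
          "status": "resolved",
          "fixed_version": "1.0-1+deb8u1",
          "repositories": {"jessie": "1.0-1", "jessie-security": "1.0-1+deb8u1"},
          "urgency": "low"
        },
        "stretch": {
          "status": "open",
          "nodsa": "placeholder note: fix queued for the next point release",
          "nodsa_reason": "postponed",
          "repositories": {"stretch": "1.1-1", "stretch-security": "1.1-1"},
          "urgency": "low"
        }
      }
    }
  }
}
"""

# Constructed debsecan-style output. Only the first two fields (CVE ID and
# source package) are relied on; the parenthesised flags are assumed format.
SAMPLE_DEBSECAN = "CVE-2011-5325 busybox (low urgency)\n"


def load_tracker(raw: str) -> dict:
    """Parse the tracker JSON export (a string) into a dict."""
    return json.loads(raw)


def parse_debsecan(output: str) -> List[Tuple[str, str]]:
    """Return (cve, package) pairs from one-finding-per-line output."""
    pairs = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("CVE-"):
            pairs.append((parts[0], parts[1]))
    return pairs


def classify(tracker: dict, package: str, cve: str, suite: str) -> Tuple[str, str]:
    """Map one finding to (bucket, detail) for the given suite.

    Buckets: resolved (detail: repository carrying the fix and version),
    open (detail: nodsa_reason, or "no-dsa"/"open"), not-listed (tracker
    lists no entry for this suite) and unknown (no record at all).
    """
    entry = tracker.get(package, {}).get(cve)
    if entry is None:
        return ("unknown", "")
    rel = entry.get("releases", {}).get(suite)
    if rel is None:
        return ("not-listed", "")
    status = rel.get("status")
    if status == "resolved":
        fixed = rel.get("fixed_version", "")
        repos = rel.get("repositories", {})
        # Heuristic: if the -security repository carries exactly the fixing
        # version the fix shipped as a DSA, otherwise it came through the
        # suite itself (point release or initial upload). No Debian version
        # ordering is attempted here.
        via = "security" if repos.get(suite + "-security") == fixed else suite
        return ("resolved", f"{via}:{fixed}")
    if status == "open":
        reason = rel.get("nodsa_reason") or ("no-dsa" if rel.get("nodsa") else "open")
        return ("open", reason)
    return (status or "undetermined", "")


def summarize(tracker: dict, findings, suite: str) -> Dict[str, List[str]]:
    """Group findings by bucket. Only plain 'open' still needs a decision;
    the other buckets explain why debsecan keeps listing the CVE."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for cve, package in findings:
        bucket, detail = classify(tracker, package, cve, suite)
        key = f"{bucket}:{detail}" if detail else bucket
        buckets[key].append(f"{cve} {package}")
    return dict(buckets)


if __name__ == "__main__":
    data = load_tracker(SAMPLE_TRACKER_JSON)
    for s in ("jessie", "stretch", "buster"):
        print(s, summarize(data, parse_debsecan(SAMPLE_DEBSECAN), s))
```

Against a live system you would feed it `debsecan` output and the export fetched from https://security-tracker.debian.org/tracker/data/json instead of the embedded strings. Note the limitation Paul points out: a fix that is merely queued for the next point release still shows as open in that export, so data/next-point-update.txt in the tracker repository has to be consulted separately.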
Re: Call for testing: Testers needed for ghostscript update
On 06/11/2018 16:16, Salvatore Bonaccorso wrote:

> We plan to rebase ghostscript via stretch-security to 9.25 plus cherry
> picked security fixes which happened after that release.
>
> Packages are at https://people.debian.org/~carnil/tmp/ghostscript/

I'm using Buster, but I have downloaded

  ghostscript_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_amd64.deb
  libgs9_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_amd64.deb
  libgs9-common_9.25~dfsg-0+deb9u1~1.gbpb6a7bd_all.deb

and installed them.

  $ ghostscript a.pdf
  GPL Ghostscript 9.25 (2018-09-13)
  Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
  This software comes with NO WARRANTY: see the file PUBLIC for details.
  Processing pages 1 through 1.
  Page 1
  Loading NimbusSans-Regular font from /usr/share/ghostscript/9.25/Resource/Font/NimbusSans-Regular... 4451500 2921389 6492968 5150597 3 done.
  Loading NimbusSans-Bold font from /usr/share/ghostscript/9.25/Resource/Font/NimbusSans-Bold... 4517612 3103754 6513168 5168226 3 done.
  >>showpage, press <return> to continue<<
  XIO:  fatal IO error 0 (Success) on X server ":0"
        after 120 requests (120 known processed) with 0 events remaining.

  $ gs Linux-Voice-Issue-001.pdf
  GPL Ghostscript 9.25 (2018-09-13)
  Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
  This software comes with NO WARRANTY: see the file PUBLIC for details.
  Processing pages 1 through 116.
  Page 1
  >>showpage, press <return> to continue<<
  XIO:  fatal IO error 0 (Success) on X server ":0"
        after 1244 requests (1244 known processed) with 0 events remaining.

This one is a multi-page PDF and it shows only the first.

I have opened gimp and exported a drawing as PDF; I try to open it and I
see the drawing.

  $ gs /tmp/1/Senzanome.pdf
  GPL Ghostscript 9.25 (2018-09-13)
  Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
  This software comes with NO WARRANTY: see the file PUBLIC for details.
  Processing pages 1 through 1.
  Page 1
  >>showpage, press <return> to continue<<
  XIO:  fatal IO error 2 (No such file or directory) on X server ":0"
        after 84 requests (84 known processed) with 0 events remaining.

I have converted the drawing to ps

  $ pdftops Senzanome.pdf
  $ gs Senzanome.ps
  GPL Ghostscript 9.25 (2018-09-13)
  Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
  This software comes with NO WARRANTY: see the file PUBLIC for details.
  >>showpage, press <return> to continue<<
  XIO:  fatal IO error 2 (No such file or directory) on X server ":0"
        after 84 requests (84 known processed) with 0 events remaining.

I see the correct image in the PDF; I don't know what these 2 fatal IO
errors I get are. I have checked and I get the same fatal IO error with
the gs present in Buster.

Let me know if you want me to make more tests and what type of tests.

Ciao
Davide
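The XIO lines in Davide's report are Xlib's error text, i.e. they come from Ghostscript's default x11 display device closing its window, not from the PDF or the updated gs binary. A tester who wants to exercise the stretch-security packages without an X server can render to a file device instead and check the page count. The script below is an added example, not from the thread or from the Debian package: it writes a constructed two-page PostScript file, renders it with the png16m device in batch mode, and prints how many page images were produced. It assumes only that `gs` is in PATH; the output directory and resolution are arbitrary choices.

```sh
#!/bin/sh
# Added example: headless smoke test for a Ghostscript build. Not part of
# the thread or of the Debian package. Assumes `gs` in PATH; the PostScript
# input is constructed below so no real PDF is needed.

# Argument list for a non-interactive raster render, one argument per line.
# -dBATCH/-dNOPAUSE suppress the ">>showpage, press <return> to continue<<"
# prompt; -sDEVICE=png16m writes files instead of opening an X window.
# $1 = input file, $2 = output directory.
gs_render_args() {
    printf '%s\n' -q -dBATCH -dNOPAUSE -sDEVICE=png16m -r36 \
        "-sOutputFile=$2/page-%03d.png" "$1"
}

# Write a constructed two-page PostScript document to $1.
write_sample_ps() {
    cat > "$1" <<'PS_END'
%!PS-Adobe-3.0
%%Pages: 2
%%Page: 1 1
/Helvetica findfont 24 scalefont setfont
72 720 moveto (page one) show
showpage
%%Page: 2 2
/Helvetica findfont 24 scalefont setfont
72 720 moveto (page two) show
showpage
%%EOF
PS_END
}

# Render $1 into directory $2 and print the number of page images written.
# Returns non-zero if gs itself fails, so a crash in the update is caught
# rather than hidden behind a display-device error.
gs_render_pages() {
    mkdir -p "$2"
    # shellcheck disable=SC2046  # args contain no whitespace by construction
    gs $(gs_render_args "$1" "$2") </dev/null || return 1
    ls "$2"/page-*.png 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: prints the page count (2 for the sample) when gs exists.
if command -v gs >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    write_sample_ps "$tmp/sample.ps"
    gs_render_pages "$tmp/sample.ps" "$tmp/out"
fi
```

Point `gs_render_pages` at a real multi-page PDF to check that every page renders with the candidate packages; a count lower than the page count reported by "Processing pages 1 through N" is then a real finding rather than an X11 artifact.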
Re: Gaps in security coverage?
On 06/11/2018 02:34, Paul Wise wrote:

> On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:
>
>> So I recently started running debsecan on one of my boxes. It's a
>> fairly barebones server install, uses unattended-upgrades and is fully
>> up-to-date. I expected a clean bill of health, but didn't get that. I
>> got pages and pages and pages of output. Some of it (especially kernel
>> related) I believe may be false positives, but not all. Some of it
>> simply isn't patched yet.
>
> That has been the normal state of things since I started running
> debsecan many many years ago.

I'm not a security expert, but:

* security bugs are found daily
* security bugs are also found by people that don't work on the project,
  and upstream can consider these bugs in different ways: lower security
  bug; no security bug; no bug at all; ...
* software without security bugs (or with fewer) is not intrinsically
  more secure than software with a lot of security bugs... the first one
  may simply not have been checked for security bugs...
* a security bug in software that you are using can also not impact you;
  that depends on how you use that software and on the system/network on
  which it is installed
* ...

Ciao
Davide
Re: Bug#905332: debdiff
Hi Ferenc,

On Tue, Nov 06, 2018 at 05:12:12PM +0100, Ferenc Wágner wrote:
> "Adam D. Barratt" writes:
>
>> On 2018-11-06 14:43, wf...@niif.hu wrote:
>>
>>> Dear Security Team, please consider yourselves notified and please
>>
>> debian-security@lists.debian.org is *not* a contact point for the
>> Security Team, it's a public discussion list.
>
> Ah, thanks, Adam (https://security-team.debian.org/contact.html is
> pretty confusing in its current state). I sent a pointer to
> t...@security.debian.org.

For reference: https://www.debian.org/security/faq#contact

The above is an attempt to try to centralize documentation and for now
still consists of our notes on what we want to write up. I just added a
note to the site.

Regards,
Salvatore
Re: Bug#905332: debdiff
"Adam D. Barratt" writes:

> On 2018-11-06 14:43, wf...@niif.hu wrote:
>
>> Dear Security Team, please consider yourselves notified and please
>
> debian-security@lists.debian.org is *not* a contact point for the
> Security Team, it's a public discussion list.

Ah, thanks, Adam (https://security-team.debian.org/contact.html is pretty
confusing in its current state). I sent a pointer to
t...@security.debian.org.

-- 
Regards,
Feri
Re: Bug#905332: debdiff
On 2018-11-06 14:43, wf...@niif.hu wrote:

> Dear Security Team, please consider yourselves notified and please

debian-security@lists.debian.org is *not* a contact point for the
Security Team, it's a public discussion list.

Regards,
Adam
Call for testing: Testers needed for ghostscript update
Hi

We plan to rebase ghostscript via stretch-security to 9.25 plus cherry
picked security fixes which happened after that release. Tests so far
were limited, and thus we need a certain amount of further external
testing before we can release an update.

Packages are at https://people.debian.org/~carnil/tmp/ghostscript/

Please reply with both positive and negative test feedback directly to
me and/or including t...@security.debian.org.

Regards,
Salvatore
Re: Bug#905332: debdiff
wagner.fer...@kifu.gov.hu (Ferenc Wágner) writes:

> Christian Fischer writes:
>
>> On Fri, 03 Aug 2018 14:42:16 +0200 wf...@niif.hu (Ferenc Wágner) wrote:
>>
>>> Unfortunately the CVE hasn't arrived yet; I'll forward it to you once
>>> it does. My acknowledgement mail is of subject "CVE Request 548000 for
>>> CVE ID Request" from cve-requ...@mitre.org (just for the record).
>>
>> have you received a CVE for this issue yet? Tried to look around in
>> various sources but wasn't able to identify a published CVE for this
>> issue yet.
>
> I haven't received a CVE for this issue, unfortunately. My original
> request was deflected by Mitre saying that the Apache Software
> Foundation should issue this CVE. However, the Apache webpage states
> that they issue IDs for undisclosed vulnerabilities only. My three
> followup mails asking for clarification remained unanswered by Mitre.
>
> To add more bad news, according to http://santuario.apache.org/ the just
> released 2.0.2 fixes a very similar bug, which might mean another DoS; I
> couldn't investigate yet. But if it does, we'll need yet another CVE
> for that. I'm sending out some queries.

Shibboleth upstream confirmed that it's basically more of the same issue:
https://alioth-lists.debian.net/pipermail/pkg-shibboleth-devel/2018-November/005382.html

"I would suggest you just attach this to the same CVE as before and
update it to reflect the versions involved."

Dear Security Team, please consider yourselves notified and please advise
how we should track/handle this. I'm looking into backporting the fix to
the stable version 1.7.3-4+deb9u1.

-- 
Regards,
Feri
Re: Gaps in security coverage?
On Tue, Nov 06, 2018 at 07:08:20PM +0800, Paul Wise wrote:
> Bug#908678: security-tracker - Breaks salsa.d.o

thank you.

-- 
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: Gaps in security coverage?
On Tue, Nov 6, 2018 at 7:01 PM Holger Levsen wrote:

> is there a bug or wiki page describing the issues/requirements for that
> and what has been tried / the status?

Woops, I should have included that in the mail:

Bug#908678: security-tracker - Breaks salsa.d.o
https://bugs.debian.org/908678

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: Gaps in security coverage?
On Tue, Nov 06, 2018 at 02:42:59PM +0800, Paul Wise wrote:
> Also, a much more important task is restructuring the git repo so that
> it doesn't cause responsiveness and resource usage issues with salsa.

is there a bug or wiki page describing the issues/requirements for that
and what has been tried / the status?

(I just cloned the tracker yesterday and could see the problem 'live'..)

-- 
cheers,
	Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C