Re: Array IBM x3100 M4

2022-05-23 Thread Georgi Naplatanov
On 5/17/22 18:22, OLCESE, Marcelo Oscar.- wrote:
> Good afternoon people!!
> 
>  
> 
> I am trying to install Debian 11 on an IBM System x3100 M4 2582AC1
> server and the array is not being recognized.
> 
> I'm looking at IBM but it only has Red Hat and SUSE.
> 
> Does anyone have a driver, or has anyone been able to install it on that
> computer?
> 


Hi Marcelo,

what RAID level do you want to use and how many disks do you want to put
in RAID?

If you want to use RAID 1 (mirroring) with 2 disks then you can disable
RAID mode in the SATA controller and you can configure software RAID 1
in Debian installer.

For questions like this you can ask on the Debian users' mailing list:
debian-u...@lists.debian.org

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-25 Thread Georgi Naplatanov
On 3/25/22 19:19, Leandro Cunha wrote:
> Hi,
> 
> On Fri, Mar 25, 2022 at 4:19 AM Georgi Naplatanov  wrote:
>>
>> On 3/25/22 03:24, Leandro Cunha wrote:
>>> Hi,
>>>
>>> On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov  wrote:
>>>>
>>>> On 3/23/22 22:43, Leandro Cunha wrote:
>>>>> Hi,
>>>>>
>>>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov  wrote:
>>>>>>
>>>>>> On 3/23/22 18:35, piorunz wrote:
>>>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
>>>>>>>
>>>>>>>> Please, take into consideration what is in the link and you can
>>>>>>>> consult through
>>>>>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
>>>>>>>
>>>>>>> Leandro,
>>>>>>> I've been on this website before I posted with spectre-meltdown-checker
>>>>>>> results. I have vulnerable status just like author of this topic. I am
>>>>>>> on intel-microcode 3.20210608.2, and by the look of it, this bug
>>>>>>> supposed to be fixed in:
>>>>>>>
>>>>>>> "intel-microcode: Some microcode updates to partially adress
>>>>>>> CVE-2017-5715 included in 3.20171215.1
>>>>>>> Further updates in 3.20180312.1"
>>>>>>>
>>>>>>> So my version of microcode is 3-4 years newer than that.
>>>>>>>
>>>>>>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
>>>>>>> information, or something else entirely?
>>>>>>>
>>>>>>
>>>>>> I want to mention that on the same computer with kernel Debian 5.10.92-2
>>>>>>
>>>>>> spectre-meltdown-checker
>>>>>>
>>>>>> reports that the system is not vulnerable to CVE-2017-5715
>>>>>>
>>>>>> Kind regards
>>>>>> Georgi
>>>>>>
>>>>>
>>>>> This script is reporting an already patched CVE as vulnerable.
>>>>
>>>>
>>>> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
>>>> What is the evidence that vulnerability is still fixed?
>>>>
>>>>
>>>> Kind regards
>>>> Georgi
>>>>
>>>
>>> When replying to your email I was aware of the script issue that was 
>>> reporting
>>> several already resolved CVEs as unresolved. As Salvatore sent the issue 
>>> link.
>>> But it seems to me that this problem was solved 7 days ago, it would be
>>> interesting if there was an update or a backport to stable.
>>>
>>
>> Hi Leandro,
>>
>> I also think that an update would be nice.
>>
>> Kind regards
>> Georgi
>>
> 
> I applied a patch from upstream and repackaged it from unstable.
> And this CVE is displayed as resolved.
> 

Thank you, Leandro!

I guess that the patch will appear in Debian stable (11.4), right?

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-25 Thread Georgi Naplatanov
On 3/25/22 03:24, Leandro Cunha wrote:
> Hi,
> 
> On Wed, Mar 23, 2022 at 6:18 PM Georgi Naplatanov  wrote:
>>
>> On 3/23/22 22:43, Leandro Cunha wrote:
>>> Hi,
>>>
>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov  wrote:
>>>>
>>>> On 3/23/22 18:35, piorunz wrote:
>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
>>>>>
>>>>>> Please, take into consideration what is in the link and you can
>>>>>> consult through
>>>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
>>>>>
>>>>> Leandro,
>>>>> I've been on this website before I posted with spectre-meltdown-checker
>>>>> results. I have vulnerable status just like author of this topic. I am
>>>>> on intel-microcode 3.20210608.2, and by the look of it, this bug
>>>>> supposed to be fixed in:
>>>>>
>>>>> "intel-microcode: Some microcode updates to partially adress
>>>>> CVE-2017-5715 included in 3.20171215.1
>>>>> Further updates in 3.20180312.1"
>>>>>
>>>>> So my version of microcode is 3-4 years newer than that.
>>>>>
>>>>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
>>>>> information, or something else entirely?
>>>>>
>>>>
>>>> I want to mention that on the same computer with kernel Debian 5.10.92-2
>>>>
>>>> spectre-meltdown-checker
>>>>
>>>> reports that the system is not vulnerable to CVE-2017-5715
>>>>
>>>> Kind regards
>>>> Georgi
>>>>
>>>
>>> This script is reporting an already patched CVE as vulnerable.
>>
>>
>> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
>> What is the evidence that vulnerability is still fixed?
>>
>>
>> Kind regards
>> Georgi
>>
> 
> When replying to your email I was aware of the script issue that was reporting
> several already resolved CVEs as unresolved. As Salvatore sent the issue link.
> But it seems to me that this problem was solved 7 days ago, it would be
> interesting if there was an update or a backport to stable.
> 

Hi Leandro,

I also think that an update would be nice.

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-24 Thread Georgi Naplatanov
On 3/23/22 23:36, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Mar 23, 2022 at 11:17:41PM +0200, Georgi Naplatanov wrote:
>> On 3/23/22 22:43, Leandro Cunha wrote:
>>> Hi,
>>>
>>> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov  wrote:
>>>>
>>>> On 3/23/22 18:35, piorunz wrote:
>>>>> On 23/03/2022 15:41, Leandro Cunha wrote:
>>>>>
>>>>>> Please, take into consideration what is in the link and you can
>>>>>> consult through
>>>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
>>>>>
>>>>> Leandro,
>>>>> I've been on this website before I posted with spectre-meltdown-checker
>>>>> results. I have vulnerable status just like author of this topic. I am
>>>>> on intel-microcode 3.20210608.2, and by the look of it, this bug
>>>>> supposed to be fixed in:
>>>>>
>>>>> "intel-microcode: Some microcode updates to partially adress
>>>>> CVE-2017-5715 included in 3.20171215.1
>>>>> Further updates in 3.20180312.1"
>>>>>
>>>>> So my version of microcode is 3-4 years newer than that.
>>>>>
>>>>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
>>>>> information, or something else entirely?
>>>>>
>>>>
>>>> I want to mention that on the same computer with kernel Debian 5.10.92-2
>>>>
>>>> spectre-meltdown-checker
>>>>
>>>> reports that the system is not vulnerable to CVE-2017-5715
>>>>
>>>> Kind regards
>>>> Georgi
>>>>
>>>
>>> This script is reporting an already patched CVE as vulnerable.
>>
>>
>> Are you sure this behavior on 5.10.103-1 is not some kind of regression?
>> What is the evidence that vulnerability is still fixed?
> 
> See: https://github.com/speed47/spectre-meltdown-checker/issues/420
> 
> (Background of this is
> https://www.vusec.net/projects/bhi-spectre-bhb/).
> 

Thank you, Salvatore,

for the links and clarification.

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-23 Thread Georgi Naplatanov
On 3/23/22 22:43, Leandro Cunha wrote:
> Hi,
> 
> On Wed, Mar 23, 2022 at 2:33 PM Georgi Naplatanov  wrote:
>>
>> On 3/23/22 18:35, piorunz wrote:
>>> On 23/03/2022 15:41, Leandro Cunha wrote:
>>>
>>>> Please, take into consideration what is in the link and you can
>>>> consult through
>>>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
>>>
>>> Leandro,
>>> I've been on this website before I posted with spectre-meltdown-checker
>>> results. I have vulnerable status just like author of this topic. I am
>>> on intel-microcode 3.20210608.2, and by the look of it, this bug
>>> supposed to be fixed in:
>>>
>>> "intel-microcode: Some microcode updates to partially adress
>>> CVE-2017-5715 included in 3.20171215.1
>>> Further updates in 3.20180312.1"
>>>
>>> So my version of microcode is 3-4 years newer than that.
>>>
>>> Is it microcode problem, or spectre-meltdown-checker displaying wrong
>>> information, or something else entirely?
>>>
>>
>> I want to mention that on the same computer with kernel Debian 5.10.92-2
>>
>> spectre-meltdown-checker
>>
>> reports that the system is not vulnerable to CVE-2017-5715
>>
>> Kind regards
>> Georgi
>>
> 
> This script is reporting an already patched CVE as vulnerable.


Are you sure this behavior on 5.10.103-1 is not some kind of regression?
What is the evidence that the vulnerability is still fixed?


Kind regards
Georgi



Re: CVE-2017-5715

2022-03-23 Thread Georgi Naplatanov
On 3/23/22 18:35, piorunz wrote:
> On 23/03/2022 15:41, Leandro Cunha wrote:
> 
>> Please, take into consideration what is in the link and you can
>> consult through
>> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
> 
> Leandro,
> I've been on this website before I posted with spectre-meltdown-checker
> results. I have vulnerable status just like author of this topic. I am
> on intel-microcode 3.20210608.2, and by the look of it, this bug
> supposed to be fixed in:
> 
> "intel-microcode: Some microcode updates to partially adress
> CVE-2017-5715 included in 3.20171215.1
> Further updates in 3.20180312.1"
> 
> So my version of microcode is 3-4 years newer than that.
> 
> Is it microcode problem, or spectre-meltdown-checker displaying wrong
> information, or something else entirely?
> 

I want to mention that on the same computer with kernel Debian 5.10.92-2

spectre-meltdown-checker

reports that the system is not vulnerable to CVE-2017-5715

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-23 Thread Georgi Naplatanov



On 3/23/22 17:41, Leandro Cunha wrote:
> Hi,
> 
> On Wed, Mar 23, 2022 at 11:47 AM Georgi Naplatanov  wrote:
>>
>> On 3/23/22 15:58, piorunz wrote:
>>> On 12/03/2022 09:48, Georgi Naplatanov wrote:
>>>
>>>> spectre-meltdown-checker script reports that my system is vulnerable to
>>>> CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
>>>>
>>>> Is this normal?
>>>>
>>>> In the past all checks from spectre-meltdown-checker were green (my
>>>> system was not vulnerable).
>>>
>>> Is your vulnerability  shown as follows?
>>>
>>> CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
>>> * Mitigated according to the /sys interface:  YES  (Mitigation:
>>> Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
>>> * Mitigation 1
>>>   * Kernel is compiled with IBRS support:  YES
>>> * IBRS enabled and active:  YES  (for firmware code only)
>>>   * Kernel is compiled with IBPB support:  YES
>>> * IBPB enabled and active:  YES
>>> * Mitigation 2
>>>   * Kernel has branch predictor hardening (arm):  NO
>>>   * Kernel compiled with retpoline option:  YES
>>>   * Kernel supports RSB filling:  YES
>>>> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is
>>> needed to mitigate the vulnerability)
>>>
>>
>> Yes, it seems the same but to avoid possible confusion/mistake I'm
>> pasting the output below:
>>
>>
>> CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
>> * Mitigated according to the /sys interface:  YES  (Mitigation:
>> Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
>> * Mitigation 1
>>   * Kernel is compiled with IBRS support:  YES
>> * IBRS enabled and active:  YES  (for firmware code only)
>>   * Kernel is compiled with IBPB support:  YES
>> * IBPB enabled and active:  YES
>> * Mitigation 2
>>   * Kernel has branch predictor hardening (arm):  NO
>>   * Kernel compiled with retpoline option:  YES
>>   * Kernel supports RSB filling:  YES
>>> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is
>> needed to mitigate the vulnerability)
>>
> 
> Please, take into consideration what is in the link and you can consult 
> through
> it about CVE: https://security-tracker.debian.org/tracker/CVE-2017-5715
> 

Hey Leandro,

I'm using kernel 5.10.103-1

and intel-microcode 3.20210608.2

but spectre-meltdown-checker reports that my system is vulnerable.

Could you clarify what you meant?

Kind regards
Georgi



Re: CVE-2017-5715

2022-03-23 Thread Georgi Naplatanov
On 3/23/22 15:58, piorunz wrote:
> On 12/03/2022 09:48, Georgi Naplatanov wrote:
> 
>> spectre-meltdown-checker script reports that my system is vulnerable to
>> CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
>>
>> Is this normal?
>>
>> In the past all checks from spectre-meltdown-checker were green (my
>> system was not vulnerable).
> 
> Is your vulnerability  shown as follows?
> 
> CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
> * Mitigated according to the /sys interface:  YES  (Mitigation:
> Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
> * Mitigation 1
>   * Kernel is compiled with IBRS support:  YES
>     * IBRS enabled and active:  YES  (for firmware code only)
>   * Kernel is compiled with IBPB support:  YES
>     * IBPB enabled and active:  YES
> * Mitigation 2
>   * Kernel has branch predictor hardening (arm):  NO
>   * Kernel compiled with retpoline option:  YES
>   * Kernel supports RSB filling:  YES
>> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is
> needed to mitigate the vulnerability)
> 

Yes, it seems the same but to avoid possible confusion/mistake I'm
pasting the output below:


CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation:
Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
* IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES
* IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
  * Kernel supports RSB filling:  YES
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is
needed to mitigate the vulnerability)
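
A way to cross-check the two lines of the output above that disagree (the "/sys interface" line and the STATUS line), as an added example that is not part of the original message or of spectre-meltdown-checker. The sysfs path is the kernel's standard one; the function names, and the choice not to count IBRS_FW ("for firmware code only") as IBRS, are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: compare the kernel's own Spectre v2 (CVE-2017-5715) report
# with the verdict printed by a checker script.

SYSFS_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# The "/sys interface" line as quoted in the thread (kernel 5.10.103-1).
SAMPLE='Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'

# sysfs_state LINE -> not-affected | mitigated | vulnerable | unknown
sysfs_state() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# has_field LINE REGEX -> true if one comma-separated field of LINE starts
# with REGEX (case-insensitive) and is not reported as "disabled".
has_field() {
    printf '%s\n' "$1" | sed 's/^Mitigation: *//' | tr ',' '\n' |
        sed 's/^ *//' | grep -vi 'disabled$' | grep -qiE "^($2)"
}

# rule_met LINE -> true if LINE satisfies the rule as worded in the STATUS
# line: "IBRS+IBPB or retpoline+IBPB+RSB filling".
# Assumption: IBRS_FW does not count as IBRS, hence the [^_] in the pattern.
rule_met() {
    if has_field "$1" '(enhanced )?ibrs($|[^_])' && has_field "$1" 'ibpb'; then
        return 0
    fi
    has_field "$1" 'retpoline' && has_field "$1" 'ibpb' &&
        has_field "$1" 'rsb filling'
}

# cross_check LINE VERDICT -> agree | disagree | review
#   VERDICT is the checker's STATUS word(s): VULNERABLE or NOT VULNERABLE.
#   "disagree" means kernel and checker contradict each other;
#   "review" means the inputs do not settle it either way.
cross_check() {
    state=$(sysfs_state "$1")
    case "$2" in
        VULNERABLE)
            case "$state" in
                vulnerable)   echo agree ;;
                not-affected) echo disagree ;;
                mitigated)
                    if rule_met "$1"; then echo disagree; else echo review; fi ;;
                *)            echo review ;;
            esac ;;
        "NOT VULNERABLE")
            case "$state" in
                mitigated|not-affected) echo agree ;;
                vulnerable)             echo disagree ;;
                *)                      echo review ;;
            esac ;;
        *) echo review ;;
    esac
}

# Use the live sysfs value when available, otherwise the line from the thread.
line=$(cat "$SYSFS_FILE" 2>/dev/null || true)
[ -n "$line" ] || line=$SAMPLE
echo "kernel reports : $line"
echo "kernel state   : $(sysfs_state "$line")"
echo "vs. VULNERABLE : $(cross_check "$line" VULNERABLE)"
```

A "disagree" result only says that the two sources contradict each other; which one is wrong still has to be settled from the kernel and checker changelogs.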



CVE-2017-5715

2022-03-12 Thread Georgi Naplatanov
Hi,

I use Debian stable with kernel

5.10.103-1 (2022-03-07)

but

spectre-meltdown-checker script reports that my system is vulnerable to
CVE-2017-5715. My CPU is Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz

Is this normal?

In the past all checks from spectre-meltdown-checker were green (my
system was not vulnerable).

Kind regards
Georgi



Re: deb.debian.org vs security.debian.org

2021-08-19 Thread Georgi Naplatanov
On 8/19/21 09:25, Daniel Lewart wrote:
> Debian Security,
> 
> Is there a preferred sources.list URI for the Debian security
> repository between:
>   * http://deb.debian.org/debian-security
>   * http://security.debian.org/debian-security
> 
> I asked in debian-devel and received two replies:
>   * https://lists.debian.org/debian-devel/2021/08/msg00166.html
>   * https://lists.debian.org/debian-devel/2021/08/msg00167.html
>   * https://lists.debian.org/debian-devel/2021/08/msg00172.html
> but no consensus.
> 

I have no opinion but found this

https://wiki.debian.org/SourcesList

Kind regards
Georgi



Re: Is chromium updated?

2020-11-09 Thread Georgi Naplatanov
Hi Georgi Guninski,

what is your opinion, what should Linux users use for their daily work?
Firefox is becoming buggier and buggier, and the Chromium project doesn't
provide binaries for any OS.

Kind regards
Georgi

On 11/8/20 7:50 PM, Georgi Guninski wrote:
> https://www.theregister.com/2020/11/04/google_chrome_critical_updates/
> 
> Wed 4 Nov 2020
> If you're an update laggard, buck up: Chrome zero-days are being
> exploited in the wild
> 
> Desktop and Android versions both at risk
> 
> On Sat, Oct 17, 2020 at 9:31 PM  wrote:
>>
>> Hi,
>>
>> 17 oct. 2020 à 14:28 de ggunin...@gmail.com:
>>
>>> On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3
>>>
>>> From Arch advisory on 2020-10-10:
>>> The package chromium before version 86.0.4240.75-1 is vulnerable to
>>> multiple issues including arbitrary code execution, access restriction
>>> bypass, information disclosure and insufficient validation.
>>> https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html
>>>
>>> Is Debian's chromium vulnerable now?
>>>
>> I would say yes for the time being indeed: 
>> https://security-tracker.debian.org/tracker/source-package/chromium
>> See "vulnerable" in 2nd column for CVE-2020-15967 to CVE-2020-15992 + 
>> CVE-2020-6557
>>
>> Best regards,
>> l0f4r0
>>
> 



Re: [SECURITY] [DSA 4774-1] linux security update

2020-10-20 Thread Georgi Naplatanov
On 10/19/20 3:12 PM, Salvatore Bonaccorso wrote:
> -
> Debian Security Advisory DSA-4774-1   secur...@debian.org
> https://www.debian.org/security/ Salvatore Bonaccorso
> October 19, 2020  https://www.debian.org/security/faq
> -
> 
> Package: linux
> CVE ID : CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643
>  CVE-2020-25645
> Debian Bug : 908712
> 
> Several vulnerabilities have been discovered in the Linux kernel that
> may lead to the execution of arbitrary code, privilege escalation,
> denial of service or information leaks.
> 
> CVE-2020-12351
> 
> Andy Nguyen discovered a flaw in the Bluetooth implementation in the
> way L2CAP packets with A2MP CID are handled. A remote attacker in
> short distance knowing the victim's Bluetooth device address can
> send a malicious l2cap packet and cause a denial of service or
> possibly arbitrary code execution with kernel privileges.
> 
> CVE-2020-12352
> 
> Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack
> memory is not properly initialised when handling certain AMP
> packets. A remote attacker in short distance knowing the victim's
> Bluetooth device address address can retrieve kernel stack
> information.
> 
> CVE-2020-25211
> 
> A flaw was discovered in netfilter subsystem. A local attacker
> able to inject conntrack Netlink configuration can cause a denial
> of service.
> 
> CVE-2020-25643
> 
> ChenNan Of Chaitin Security Research Lab discovered a flaw in the
> hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr()
> function may lead to memory corruption and information disclosure.
> 
> CVE-2020-25645
> 
> A flaw was discovered in the interface driver for GENEVE
> encapsulated traffic when combined with IPsec. If IPsec is
> configured to encrypt traffic for the specific UDP port used by the
> GENEVE tunnel, tunneled data isn't correctly routed over the
> encrypted link and sent unencrypted instead.
> 
> For the stable distribution (buster), these problems have been fixed in
> version 4.19.152-1. The vulnerabilities are fixed by rebasing to the new
> stable upstream version 4.19.152 which includes additional bugfixes.
> 
> We recommend that you upgrade your linux packages.
> 
> For the detailed security status of linux please refer to its security
> tracker page at:
> https://security-tracker.debian.org/tracker/linux
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-annou...@lists.debian.org
>

Hi Debian Linux kernel maintainers.

The last Linux kernel security update came with a newer patch-level
version, which in Linux is actually a minor version. This way of updating
works better for my needs.

Thank you very much.

Kind regards
Georgi



Re: [SECURITY] [DSA 3359-1] virtualbox security update

2015-09-14 Thread Georgi Naplatanov
On 09/13/2015 10:47 PM, Moritz Muehlenhoff wrote:
> -
> Debian Security Advisory DSA-3359-1   secur...@debian.org
> https://www.debian.org/security/   Moritz Muehlenhoff
> September 13, 2015   https://www.debian.org/security/faq
> -
> 
> Package: virtualbox
> CVE ID : CVE-2015-2594
> 
> This update fixes an unspecified security issue in VirtualBox related to
> guests using bridged networking via WiFi. Oracle no longer provides
> information on specific security vulnerabilities in VirtualBox. To still
> support users of the already released Debian releases we've decided to
> update these to the respective 4.1.40 and 4.3.30 bugfix releases. 
> 
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 4.1.40-dfsg-1+deb7u1.
> 
> For the stable distribution (jessie), this problem has been fixed in
> version 4.3.30-dfsg-1+deb8u1.
> 
> For the testing distribution (stretch), this problem has been fixed
> in version 4.3.30-dfsg-1.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 4.3.30-dfsg-1.
> 
> We recommend that you upgrade your virtualbox packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-annou...@lists.debian.org

Dear maintainer(s),
virtualbox-guest-additions-iso package version is 4.3.18. Are you going
to update the package to version 4.3.30?

Kind regards
Georgi



Re: [SECURITY] [DSA 3080-1] openjdk-7 security update

2014-11-29 Thread Georgi Naplatanov


On 11/29/2014 02:43 PM, Moritz Muehlenhoff wrote:
> -
> Debian Security Advisory DSA-3080-1   secur...@debian.org
> http://www.debian.org/security/   Moritz Muehlenhoff
> November 29, 2014   http://www.debian.org/security/faq
> -
> 
> Package: openjdk-7
> CVE ID : CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 CVE-2014-6511
>  CVE-2014-6512 CVE-2014-6517 CVE-2014-6519 CVE-2014-6531 CVE-2014-6558
> 
> Several vulnerabilities have been discovered in OpenJDK, an
> implementation of the Oracle Java platform, resulting in the
> execution of arbitrary code, information disclosure or denial of
> service.
> 
> For the stable distribution (wheezy), these problems have been
> fixed in version 7u71-2.5.3-2~deb7u1.
> 
> For the upcoming stable distribution (jessie), these problems have
> been fixed in version 7u71-2.5.3-1.
> 
> For the unstable distribution (sid), these problems have been fixed
> in version 7u71-2.5.3-1.
> 
> We recommend that you upgrade your openjdk-7 packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
> 
> Mailing list: debian-security-annou...@lists.debian.org
> 

The update is still not available for Wheezy.
Is there any problem?

Kind regards
Georgi


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5479c631.5060...@oles.biz



Re: [SECURITY] [DSA 3080-1] openjdk-7 security update

2014-11-29 Thread Georgi Naplatanov
On 11/29/2014 03:12 PM, Georgi Naplatanov wrote:
 
 
> On 11/29/2014 02:43 PM, Moritz Muehlenhoff wrote:
>> -
>> Debian Security Advisory DSA-3080-1   secur...@debian.org
>> http://www.debian.org/security/   Moritz Muehlenhoff
>> November 29, 2014   http://www.debian.org/security/faq
>> -
>>
>> Package: openjdk-7
>> CVE ID : CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 CVE-2014-6511
>>  CVE-2014-6512 CVE-2014-6517 CVE-2014-6519 CVE-2014-6531 CVE-2014-6558
>>
>> Several vulnerabilities have been discovered in OpenJDK, an
>> implementation of the Oracle Java platform, resulting in the
>> execution of arbitrary code, information disclosure or denial of
>> service.
>>
>> For the stable distribution (wheezy), these problems have been
>> fixed in version 7u71-2.5.3-2~deb7u1.
>>
>> For the upcoming stable distribution (jessie), these problems have
>> been fixed in version 7u71-2.5.3-1.
>>
>> For the unstable distribution (sid), these problems have been fixed
>> in version 7u71-2.5.3-1.
>>
>> We recommend that you upgrade your openjdk-7 packages.
>>
>> Further information about Debian Security Advisories, how to apply
>> these updates to your system and frequently asked questions can be
>> found at: https://www.debian.org/security/
>>
>> Mailing list: debian-security-annou...@lists.debian.org
>>
> 
> The update is still not available for Wheezy.
> Is there any problem?

I've just installed the update.
Thanks.

Kind regards
Georgi


Archive: https://lists.debian.org/5479c865.2070...@oles.biz



Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Georgi Naplatanov
On 05/31/2014 10:27 AM, Michael Gilbert wrote:
> -
> Debian Security Advisory DSA-2939-1   secur...@debian.org
> http://www.debian.org/security/   Michael Gilbert
> May 31, 2014   http://www.debian.org/security/faq
> -
> 
> Package: chromium-browser
> CVE ID : CVE-2014-1743 CVE-2014-1744 CVE-2014-1745 CVE-2014-1746 CVE-2014-1747
>  CVE-2014-1748 CVE-2014-1749 CVE-2014-3152
> 
> Several vulnerabilities were discovered in the chromium web
> browser.
> 
> CVE-2014-1743
> 
> cloudfuzzer discovered a use-after-free issue in the Blink/Webkit
> document object model implementation.
> 
> CVE-2014-1744
> 
> Aaron Staple discovered an integer overflow issue in audio input
> handling.
> 
> CVE-2014-1745
> 
> Atte Kettunen discovered a use-after-free issue in the
> Blink/Webkit scalable vector graphics implementation.
> 
> CVE-2014-1746
> 
> Holger Fuhrmannek discovered an out-of-bounds read issue in the
> URL protocol implementation for handling media.
> 
> CVE-2014-1747
> 
> packagesu discovered a cross-site scripting issue involving
> malformed MHTML files.
> 
> CVE-2014-1748
> 
> Jordan Milne discovered a user interface spoofing issue.
> 
> CVE-2014-1749
> 
> The Google Chrome development team discovered and fixed multiple
> issues with potential security impact.
> 
> CVE-2014-3152
> 
> An integer underflow issue was discovered in the v8 javascript
> library.
> 
> For the stable distribution (wheezy), these problems have been
> fixed in version 35.0.1916.114-1~deb7u2.
> 
> For the testing distribution (jessie), these problems will be fixed
> soon.
> 
> For the unstable distribution (sid), these problems have been fixed
> in version 35.0.1916.114-1.
> 
> We recommend that you upgrade your chromium-browser packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-annou...@lists.debian.org
> 

When I choose the About Chromium menu item it says:

Version 35.0.1916.114 Built on Debian 7.1, running on Debian 7.5 (270117)

Is it true that the package for AMD64 is built on Debian 7.1?
If yes, is using this package secure?

Best regards
Georgi


Archive: https://lists.debian.org/5389a078.6050...@oles.biz



Re: [SECURITY] [DSA 2939-1] chromium-browser security update

2014-05-31 Thread Georgi Naplatanov
On 05/31/2014 05:25 PM, Michael Gilbert wrote:
> On Sat, May 31, 2014 at 5:27 AM, Georgi Naplatanov wrote:
>> When I choose the About Chromium menu item it says:
>>
>> Version 35.0.1916.114 Built on Debian 7.1, running on Debian 7.5 (270117)
>>
>> Is it true that the package for AMD64 is built on Debian 7.1?
>> If yes, is using this package secure?
> 
> Yes, that is correct.  The reason you're seeing that is that the amd64
> package was built on one of the wheezy security build daemon chroots,
> which apparently has not been updated in a while.
> 
> It's not really a problem since only library headers are used at build
> time, and those don't change over the lifetime of the stable release.
> As long as the system libraries chromium links against on your machine
> are up to date, there is no issue at all.
> 
> It could be nice if the stable buildds were kept more up to date.
> I've CC'd am...@buildd.debian.org to get their opinion on that.
> 
> Best wishes,
> Mike

Thank you Mike for the explanation.

Best regards
Georgi


Archive: https://lists.debian.org/5389f297.7090...@oles.biz



Re: Testing needed: openjdk7 update for stable-security

2013-07-12 Thread Georgi Naplatanov

On 07/12/2013 06:21 AM, Paul Wise wrote:

> It is more likely that people who are using OpenJDK on Debian wheezy
> aren't reading this list or are reading this list but not often enough
> to have responded in the last three days.

It's exactly what I thought and I wonder why Moritz has not CCed
debian-u...@lists.debian.org.

Anyway I'm going to test OpenJDK 7u25 with Eclipse 4.2.2 this weekend. 
I'm not sure that it will be valuable, but that is what I use daily. I 
have been happy with OpenJDK 7 from stable so far.


Best regards
Georgi


Archive: http://lists.debian.org/51dfa9a1.8020...@oles.biz