Re: NodeJS Security

2016-06-15 Thread Salvatore Bonaccorso
Hi Sven,

On Wed, Jun 15, 2016 at 02:08:17PM +, Sven Buesing wrote:
> Dear Debian Security-Team,
> 
> Are you going to address the following issues in nodejs for jessie
> (CVE-2016-2107, CVE-2016-2105, CVE-2016-0705, CVE-2016-0702)? For more
> information see below.

I'm afraid that nodejs and libv8-3.14 related packages are not
supported security-wise. See the explanation in the release
notes at
https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8

Regards,
Salvatore



Call for testing: regression update for samba security update (DSA-3548-1)

2016-06-02 Thread Salvatore Bonaccorso
Hi

The last Samba security update issued as DSA-3548-1 introduced several
upstream regressions, which are addressed in this update.

Before we release the packages we would like to call for additional
testing. The packages can be found on

  https://people.debian.org/~carnil/tmp/samba/jessie

(amd64 builds only; no apt repository available).

If you find new problems introduced by updating to these packages from
the ones which are currently on the security archive
(2:4.2.10+dfsg-0+deb8u2), please report the problem directly to
t...@security.debian.org .

Regards,
Salvatore, on behalf of the Debian security team




Call for testing: upcoming libxml2 security update

2016-05-28 Thread Salvatore Bonaccorso
Hi

The upcoming libxml2 security update is a little bigger than usual,
so we want to expose the package a bit for additional testing. If
you find a problem introduced by updating to these packages, please
report the problem directly to t...@security.debian.org .

The packages can be found at:

https://people.debian.org/~carnil/tmp/libxml2/jessie/

(amd64 builds only)

While preparing the jessie-security update, the commits were
backported as well for libxml2 in wheezy. If you are using them, please
test the packages at

https://people.debian.org/~carnil/tmp/libxml2/wheezy/

(amd64 builds only)

Regards,
Salvatore




Re: Update tracker for CVE-2012-1620

2016-05-07 Thread Salvatore Bonaccorso
Hi Ilias,

On Sat, May 07, 2016 at 12:54:47PM +0300, Ilias Tsitsimpis wrote:
> Could someone update the security tracker for suckless-tools?
> CVE-2012-1620 has been fixed since version suckless-tools/39-1.
> The corresponding Debian Bug is #667796.

Thanks. I have updated the tracker information.

Regards,
Salvatore



Call for testing: upcoming samba security update

2016-04-12 Thread Salvatore Bonaccorso
Hi

The upcoming Samba update is bigger than usual since for Jessie an
update is needed to 4.2. We want to expose the package a bit more for
additional testing. Please test the packages found on

https://people.debian.org/~carnil/tmp/samba/

(no apt repository available for these test packages at this time)

If you find a problem introduced by updating to these packages, please
report the problem directly to t...@security.debian.org, including
abart...@samba.org and sath...@debian.org.

The update is planned to be released as soon as tomorrow, 2016-04-13.

Regards,
Salvatore, on behalf of the Debian security team




Re: tracking security issues without CVEs

2016-03-06 Thread Salvatore Bonaccorso
Hi Brian, hi Paul,

On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> > Just wondering if there is some other way we can track security issues
> > for when CVEs are not available.
> > 
> > Thinking of imagemagick here, it has a lot of security issues, and
> > requests for CVEs are not getting any responses.
> 
> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).
> 
> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues.  The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.

Just one comment which I forgot to address in the previous mail,
regarding the OVE identifiers. The question about the CVE assignments
was just re-raised yesterday on oss-security. The whole might look
promising indeed. But I think as well that it is right now too early to
start adopting these for not yet assigned issues. Instead, follow the
current discussion on oss-security and let's see if across
distributions there is going to be some consensus/approach for this
issue.

For the record, the thread starts at

http://www.openwall.com/lists/oss-security/2016/03/04/4

where Kurt Seifried from Red Hat raised the concern.

Regards,
Salvatore



Re: tracking security issues without CVEs

2016-03-06 Thread Salvatore Bonaccorso
Hi,

On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
> 
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.

Creating individual bugs in the Debian BTS, including more details
like fixing commits would be a great start, since we use either CVEs
or references to the Debian BTS in DSAs (and DLAs). Furthermore the
security-tracker handles both (you can actually search items there via
either CVE id, bug number or package name).

The original CVE request at
http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
fully optimal, since it just pasted a collection of items. Adding
references to fixing commits would have helped to get CVEs assigned to
issues.  The original request at least makes it really hard to
identify the issues and make sure the CVEs are assigned correctly.

Regards,
Salvatore



Re: squid3: CVE-2016-2569 CVE-2016-2570 CVE-2016-2571

2016-02-26 Thread Salvatore Bonaccorso
Hi Amos,

On Sat, Feb 27, 2016 at 07:20:57AM +1300, Amos Jeffries wrote:
> Hi,
>   FYI the "squid" (version 2.7.*) source packages still hanging around
> in squeeze and wheezy are not affected by these.

Thanks. I will update the tracker information.

Regards,
Salvatore



Re: [SECURITY] [DSA 3482-1] libreoffice security update

2016-02-17 Thread Salvatore Bonaccorso
Hi Rene,

On Wed, Feb 17, 2016 at 11:40:17PM +0100, Rene Engelhard wrote:
> On Wed, Feb 17, 2016 at 07:29:59PM +, Sebastien Delafond wrote:
> > For the testing (stretch) and unstable (sid) distributions, these
> > problems have been fixed in version 1:5.1.1~rc1-1.
> 
> Actually, as I said (and as said upstream, it's fixed in 5.0.5 release), it's
> fixed since 5.0.5 rc1, so the version in stretch is already unaffected
> (it contains 1:5.0.5~rc2-1)

Thanks for the correction. I have updated the security-tracker
information to reflect that.

Regards,
Salvatore



Re: stalin: CVE-2015-8697: Insecure use of temporary files

2016-01-20 Thread Salvatore Bonaccorso
Hi Rob,

On Wed, Jan 20, 2016 at 05:41:56AM -0600, Rob Browning wrote:
> Rob Browning  writes:
> 
> > I believe the package is scheduled to be removed next week, and I'm
> > still waiting on a discussion with upstream about a (non-trivial) patch
> > I wrote to attempt to address the problem.
> >
> > So I wanted to ask for an opinion about the claim here that it might be
> > reasonable to lower the severity:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808730#20
> >
> > Thanks
> 
> I just wanted to ping you, since today's the removal deadline.

Yes, I think we can downgrade the severity for it to important, since
the attack vector is mitigated by the symlink restrictions being enabled.

Regards,
Salvatore




Re: [SECURITY] [DSA 3448-1] linux security update

2016-01-19 Thread Salvatore Bonaccorso
Hi,

On Wed, Jan 20, 2016 at 10:42:04AM +0800, Bjoern Nyjorden wrote:
> Thanks Holger & Ben,
> 
> Most appreciated.  So, just to confirm; my take away on this is:
> 
>  * 1. "Wheezy" Linux kernels are NOT AFFECTED.
> 
>  * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
> 
> If I have understood correctly?

For the most important CVE,
https://security-tracker.debian.org/tracker/CVE-2016-0728 this is
right. The issue was introduced in upstream commit
3a50597de8635cd05133bd12c95681c82fe7b878 which is in kernels v3.8-rc1
onwards. The Wheezy kernel is not affected; Wheezy and Jessie backports are
vulnerable but being fixed.

You can get the full picture for Wheezy and Jessie status by starting
from https://security-tracker.debian.org/tracker/DSA-3448-1 and
following the CVE references for details. The other issues which
affect Wheezy as well will be fixed for Wheezy in a later DSA.

(yes, the security-tracker does not track backports).

Hope this helps,

Regards,
Salvatore



Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file

2016-01-12 Thread Salvatore Bonaccorso
Hi,

On Tue, Jan 12, 2016 at 01:38:51PM +, Dominic Hargreaves wrote:
> Control: tags -1 - security
> Control: found -1 4.46-1
> 
> On Tue, Jan 12, 2016 at 12:54:19PM +, Chris Boot wrote:
> > Control: tag -1 security
> > 
> > On 12/01/16 12:28, Chris Boot wrote:
> > [snip]
> > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> > > 
> > > Dear Maintainer,
> > > 
> > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > happens due to CGI::Session::Driver::file complaining about taint.
> > 
> > I'm bringing this bug to the attention of the security team, as it has
> > only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a
> > stable security regression.
> 
> Indeed, this is unfortunate - confirmed that this is trivially
> reproducible. It is misleading to call this a security bug in itself,
> so I am removing that tag.
> 
> I am happy to prepare an updated package with the patch in from the RT
> ticket, though it would be good to get some second opinions on the
> correctness of that patch. I guess that should be released as a DSA
> update, given (as you point out) it's a regression indirectly introduced
> by the DSA. Another alternative would be the jessie point release, which
> for which the freeze date is later this week.
> 
> I'm puzzled about why this wasn't spotted as an issue for wheezy, which
> doesn't have the perl taint bug, and does suffer from this problem: we
> should fix that there too, probably in the next point release.

My gut feeling about this: since the issue was already present before,
was uncovered indirectly by the perl DSA, and currently affects twiki (not
packaged in Debian), I would tend to ask the SRM to have the fix for
libcgi-session-perl scheduled via the next Jessie point release
rather than a DSA.

Do you feel strongly about having the fix earlier via a DSA?

Thanks for bringing that to our attention!

Regards,
Salvatore



Call for testing: libxml2 update

2015-12-20 Thread Salvatore Bonaccorso
Hi

The upcoming libxml2 security update is a little bigger than usual,
so we want to expose the package a bit for additional testing. If
you find a problem introduced by updating to these packages, please
report the problem directly to t...@security.debian.org .

The packages can be found at:

wheezy: https://people.debian.org/~carnil/tmp/libxml2/wheezy/
jessie: https://people.debian.org/~carnil/tmp/libxml2/jessie/

(amd64 builds only).

Regards,
Salvatore




Re: Cannot retrieve updates from security repos

2015-12-17 Thread Salvatore Bonaccorso
Hi,

On Thu, Dec 17, 2015 at 11:40:47PM +0200, Pavlos K. Ponos wrote:
> Hello everyone,
> 
> First of all, apologies in advance if this mailing list is not the correct
> one :)
> 
> While I was trying to do my usual updates in my Jessie installation, I took
> the following message:
> 
> Err http://security.debian.org/ jessie/updates/main linux-libc-dev amd64
> 3.16.7-ckt20-1+deb8u1
>   404  Not Found [IP: 133.242.99.74 80]
> E: Failed to fetch 
> http://security.debian.org/pool/updates/main/l/linux/linux-libc-dev_3.16.7-ckt20-1+deb8u1_amd64.deb
> 404  Not Found [IP: 133.242.99.74 80]
> 
> Do you have any idea what this is or how I should fix it? Is this a problem
> with the security repositories? I tried several times, the outcome was the same.

There is an ongoing process to issue a DSA for linux indeed.

But there is a problem with the security mirrors right now.

Regards,
Salvatore



Bug#805079: security-tracker: External check for CVEs from Red Hat not working anymore

2015-11-14 Thread Salvatore Bonaccorso
Package: security-tracker
Severity: normal
Owner: car...@debian.org

Currently the external check for CVEs found on Red Hat but not in the
security-tracker is not working anymore due to changes on Red Hat's
site listing the CVEs.

Working on trying to find an alternative method.

Regards,
Salvatore



Re: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-10 Thread Salvatore Bonaccorso
Hi David,

On Tue, Nov 10, 2015 at 08:59:04AM +0100, Thijs Kinkhorst wrote:
> Hi David,
> 
> On Mon, November 9, 2015 23:25, David McDonald wrote:
> > Hi Salvatore,
> >
> > Your e-mail below states:
> >
> > "For the stable distribution (jessie), this problem has been fixed in
> > version 6.0-16+deb8u2" (Note bene the last digit)
> >
> > However, https://www.debian.org/security/2015/dsa-3386 states:
> >
> > "For the stable distribution (jessie), these problems have been fixed in
> > version 6.0-16+deb8u1"
> 
> The website is updated periodically so it can take a short while before it
> reflects the update that was sent out in the email.

Just an additional note on the version numbers: 6.0-16+deb8u1 was
the version which fixed the security issues with CVEs. 6.0-16+deb8u2 is
an additional update which fixes a regression when extracting 0-byte
files. So what the webpage reflects is the version where the security
issues were fixed.

Hope this helps!

Regards,
Salvatore



Re: [SECURITY] [DSA 3386-2] unzip regression update

2015-11-10 Thread Salvatore Bonaccorso
Hi Dave,

On Tue, Nov 10, 2015 at 09:54:19PM +, David McDonald wrote:
> Thank you Salvatore & Thijs for your responses.
> 
> I appreciate and understand your advice.
> 
> My specific interest in the matter arose after receiving the alert.
> I prepared to install the update that was listed in the e-mail and
> found that the latest I could obtain (using apt-get) was the earlier
> version. I investigated further to ensure the system was
> appropriately up-to-date. Fortunately the web site confirmed that
> the version I had obtained with apt-get addressed the particular
> issue identified in the alert.
> 
> It did, however leave me with some niggling doubts - as the
> difference might be interpreted as an indication of error or
> omission. (Your e-mail has, of course, dispelled such doubts).
> 
> So, though perhaps this has been considered previously, in the
> interests of improving Debian may I suggest that it might be better
> to delay the e-mail until the web page is updated (or, better yet,
> "push" the update of the web page)?

Updating in a timely manner will probably not work with the current
infrastructure unless the specific website can be updated on demand
(instead of at the regular triggered interval). But it is important to us
that delivered updates and debian-security-announce mail are closely
followed.

As you said above that you actually didn't receive the update
immediately via apt-get upgrade after the mail announcement: I have sent
out the advisory just after the package got installed into the
archive, but I have heard from the Debian system administrators that
two security mirrors were not updated and were only fixed later. So
maybe you got hit by this issue.

If you check it now, you have unzip 6.0-16+deb8u2 available via apt,
right?

Regards,
Salvatore



Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-03 Thread Salvatore Bonaccorso
Hi Ansgar,

On Tue, Nov 03, 2015 at 08:30:56AM +0100, Ansgar Burchardt wrote:
> Hi,
> 
> Salvatore Bonaccorso <car...@debian.org> writes:
> > On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> >> Daniel Reichelt <deb...@nachtgeist.net> (2015-11-03):
> >> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> >> >
> >> > Is this an error or am I missing something?
> >
> > The problem seems to be the following: the upload was done only
> > including the arch:all packages, but the changes file was named
> > _amd64.changes.
> 
> That was indeed the problem. For uploads to policy queues, we keep the
> .changes around and, as dak uses the uploader-provided name and doesn't
> rename them, uploads are rejected if they reuse an already used name.
> 
> > I guess re-uploading the amd64 builds with a renamed changes file
> > might work in this case?
> 
> dak needs to forget that it has seen the file. Which means either
> resigning it or ftp-master telling dak to do so. I just did the latter
> and moved the upload back to the processing queue.

Thanks!

Regards,
Salvatore



Re: [SECURITY] [DSA 3355-2] libvdpau regression update

2015-11-02 Thread Salvatore Bonaccorso
Hi,

Adding FTP masters to the loop, since they might help best in this
case.

On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> Hi,
> 
> Daniel Reichelt  (2015-11-03):
> > Hi *
> > 
> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> > 
> > Is this an error or am I missing something?

The problem seems to be the following: the upload was done only
including the arch:all packages, but the changes file was named
_amd64.changes.

At least from the processing of the _amd64.changes I have:

libvdpau_0.8-3+deb8u2_amd64.changes uploaded successfully to 
ftp.upload.debian.org
along with the files:
  libvdpau_0.8-3+deb8u2.dsc
  libvdpau_0.8-3+deb8u2.debian.tar.xz
  libvdpau-doc_0.8-3+deb8u2_all.deb

I guess re-uploading the amd64 builds with a renamed changes file
might work in this case?

Regards,
Salvatore



Re: Embedded code copy in passwordsafe

2015-10-18 Thread Salvatore Bonaccorso
Hi Bill,

On Tue, Oct 13, 2015 at 06:46:02PM -0400, Bill Blough wrote:
> 
> Hi!
> 
> The passwordsafe package (still in NEW) contains an embedded copy of pugixml
> (src:pugixml).  
> 
> The version of pugixml included in passwordsafe uses a different compile-time
> configuration than the packaged version.  I have requested that an additional
> version of the pugixml package be created with the altered configuration [1].
> Once that occurs, I will be able to remove the embedded copy and instead use
> the packaged version.
> 
> Note: I am not subscribed, so please CC me on any replies.

Thanks for the notice. I added a corresponding entry for passwordsafe
in our embedded-code-copies file to document this for now.

Regards,
Salvatore



Re: Missing package in Debian Security Tracker site

2015-10-13 Thread Salvatore Bonaccorso
Hi

On Tue, Oct 13, 2015 at 05:08:39PM +0800, Xiaoguang Bai wrote:
> Hi,
> 
> For DSA-3348-1, the information in following 2 sources does not match. The
> security tracker site does not show the fixed package/version for wheezy.
> 
> https://lists.debian.org/debian-security-announce/2015/msg00247.html
> https://security-tracker.debian.org/tracker/DSA-3348-1
> 
> 
> Actually, I have noticed quite a few of differences between the DSA mailing
> list and this tracker site. Should they match each other? May I know what
> might be the reason if they are different?

This is sort of a current limitation of the security-tracker when you
have non-overlapping fixing versions. The free text form explains that
only two CVEs affect wheezy. If you then check the CVEs explicitly,
say CVE-2015-5165:

https://security-tracker.debian.org/CVE-2015-5165

this has the correct information (which cannot be displayed correctly
on the DSA-3348-1 overview page regarding the versions).

Regards,
Salvatore



Re: Correction to CVE-2015-3330 information

2015-06-01 Thread Salvatore Bonaccorso
Hi Will,

On Mon, Jun 01, 2015 at 02:31:15PM -0600, Will Aoki wrote:
> https://security-tracker.debian.org/tracker/CVE-2015-3330 shows
> everything but squeeze-lts as vulnerable. There are two corrections I
> suggest:
> 
> - As I understand it, wheezy isn't affected unless someone has upgraded
>   Apache to 2.4.
> 
> - This problem was fixed in 5.6.7+dfsg-1, the version currently in
>   jessie. The changelog only mentions PHP bugs #68486 and #69218 because
>   a CVE number hadn't been issued yet.

Thanks for your update. I have marked the fixed version. I have, though,
not changed the information for wheezy due to the source being
affected.

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150601210447.GA27055@eldamar.local



Re: [SECURITY] [DSA 3269-1] postgresql-9.* security update

2015-05-28 Thread Salvatore Bonaccorso
Hi,

On Thu, May 28, 2015 at 12:50:43PM +0200, ma...@wk3.org wrote:
> Hi,
> 
> it seems this upgrade introduced some issues regarding symlinks.
> 
> It's very easy to mitigate, but I guess less stressful if you know about it
> in advance:
> 
> https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

Just as additional information: we plan to release a regression
update when the final fix for this issue is clear and packages are
ready.

Regards,
Salvatore


Archive: https://lists.debian.org/20150529051315.GB18006@eldamar.local



Re: upgrading soler.d.o

2015-05-28 Thread Salvatore Bonaccorso
Hi.

On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> > On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote:
> > > On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote:
> > > 
> > > > It was updated already and did afterwards some testing. Looks fine so far.
> > > 
> > > The PTS is now failing to download this URL:
> > > 
> > > https://security-tracker.debian.org/tracker/data/pts/1
> > 
> > FTR, after restarting the security-tracker daemon it works again.
> > Temporary problem only? Let's keep an eye on it!

There seems to be a memory leak; the tracker was again unresponsive
and I needed to kill the tracker process and restart the daemon. It is
nicely visible as well in the munin graphs for the security-tracker
host.

Have not done any further investigation.

Regards,
Salvatore


Archive: https://lists.debian.org/20150528083319.ga12...@lorien.valinor.li



Re: upgrading soler.d.o

2015-05-28 Thread Salvatore Bonaccorso
Hi all,

On Thu, May 28, 2015 at 10:33:19AM +0200, Salvatore Bonaccorso wrote:
> Hi.
> 
> > On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > > 
> > > On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote:
> > > > On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote:
> > > > 
> > > > > It was updated already and did afterwards some testing. Looks fine so
> > > > > far.
> > > > 
> > > > The PTS is now failing to download this URL:
> > > > 
> > > > https://security-tracker.debian.org/tracker/data/pts/1
> > > 
> > > FTR, after restarting the security-tracker daemon it works again.
> > > Temporary problem only? Let's keep an eye on it!
> > 
> > There seems to be a memory leak, the tracker was again unresponsive
> > and needed to kill the tracker process and restart the daemon. It is
> > nicely visible as well in the munin graphs for the security-tracker
> > host.
> > 
> > Have not done any further investigation.

If one tries to access the JSON format URL, this triggers the issue.

Regards,
Salvatore


Archive: https://lists.debian.org/20150528125646.ga23...@lorien.valinor.li



Re: upgrading soler.d.o

2015-05-27 Thread Salvatore Bonaccorso
Hi Florian,

On Wed, May 27, 2015 at 10:08:12PM +0200, Florian Weimer wrote:
> * Peter Palfrader:
> 
> > we'd like to upgrade soler.d.o jessie shortly.
> 
> > Any objections?  Should we just do it and let you pick up the pieces, if
> > any, or would you rather stop by in #debian-admin on IRC to coordinate?
> 
> If you do it closer to the weekend, I'll probably be around to pick up
> the pieces.

It was updated already and did afterwards some testing. Looks fine so
far.

Regards,
Salvatore


Archive: https://lists.debian.org/20150527201657.GA9666@eldamar.local



Call for testing: libapache-mod-jk fixing CVE-2014-8111

2015-05-26 Thread Salvatore Bonaccorso
Hi

Markus Koschany prepared updated packages for libapache-mod-jk for
wheezy-security and jessie-security. If you run libapache-mod-jk in
production, testing of the prepared packages would be very welcome. If
you find a problem introduced by updating to these packages, please
report the problem directly to t...@security.debian.org and Markus
Koschany a...@gambaru.de . The packages can be found at:

wheezy: https://people.debian.org/~carnil/tmp/libapache-mod-jk/wheezy/
jessie: https://people.debian.org/~carnil/tmp/libapache-mod-jk/jessie/

(amd64 builds only).

Regards,
Salvatore




Re: Sub-release information on per-source-package page

2015-05-25 Thread Salvatore Bonaccorso
Hi Florian,

On Mon, May 25, 2015 at 05:57:20PM +0200, Salvatore Bonaccorso wrote:
> Hi Florian,
> 
> > On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote:
> > > * Florian Weimer:
> > > 
> > > > Salvatore pointed me to the long-standing bug which causes the
> > > > per-source-package pages such as
> > > > 
> > > > https://security-tracker.debian.org/tracker/source-package/dnsmasq
> > > > 
> > > > not to display fixes which have not yet migrated to the master archive
> > > > (i.e. are currently fixed in the security archive only).
> > > > 
> > > > If I manage to fix this, would it be important to preserve the
> > > > “squeeze (lts)”, “wheezy (security)” etc. columns, or do you only need
> > > > the information if squeeze, wheezy and the other releases are fixed
> > > > somewhere?
> > > 
> > > I have removed the sub-release information.  The issue which led to
> > > completely vanishing bugs has been fixed, and the open/resolved
> > > distinction now disregards the unfixed master archive if there is a
> > > fix in security/tls.
> > > 
> > > This is visible here:
> > > 
> > >   https://security-tracker.debian.org/tracker/source-package/dnsmasq
> > > 
> > > (CVE-2015-3294 was missing.)
> > > 
> > > Or here:
> > > 
> > >   https://security-tracker.debian.org/tracker/source-package/bind9
> > > 
> > > (Some long-fixed issues were listed as open, presumably due to lack of
> > > migration into a point release.)
> > 
> > Nice! Thanks for taking the time, investigating the issue and fixing
> > it. And with the new yellow status for no-dsa it looks really great.

One small addition: since we now consider "fixed somewhere in
$codename" as fixed in $codename, would it be possible to reflect this
as well in the header section of e.g.
https://security-tracker.debian.org/tracker/CVE-2015-3294 ?

But please keep the detail view below in the section "Vulnerable and
fixed packages".

Regards and thanks again,
Salvatore


Archive: https://lists.debian.org/20150525160123.GA23653@eldamar.local



Re: Sub-release information on per-source-package page

2015-05-25 Thread Salvatore Bonaccorso
Hi Florian,

On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote:
> * Florian Weimer:
> 
> > Salvatore pointed me to the long-standing bug which causes the
> > per-source-package pages such as
> > 
> > https://security-tracker.debian.org/tracker/source-package/dnsmasq
> > 
> > not to display fixes which have not yet migrated to the master archive
> > (i.e. are currently fixed in the security archive only).
> > 
> > If I manage to fix this, would it be important to preserve the
> > “squeeze (lts)”, “wheezy (security)” etc. columns, or do you only need
> > the information if squeeze, wheezy and the other releases are fixed
> > somewhere?
> 
> I have removed the sub-release information.  The issue which led to
> completely vanishing bugs has been fixed, and the open/resolved
> distinction now disregards the unfixed master archive if there is a
> fix in security/tls.
> 
> This is visible here:
> 
>   https://security-tracker.debian.org/tracker/source-package/dnsmasq
> 
> (CVE-2015-3294 was missing.)
> 
> Or here:
> 
>   https://security-tracker.debian.org/tracker/source-package/bind9
> 
> (Some long-fixed issues were listed as open, presumably due to lack of
> migration into a point release.)

Nice! Thanks for taking the time, investigating the issue and fixing
it. And with the new yellow status for no-dsa it looks really great.

Thank you!

Regards,
Salvatore


Archive: https://lists.debian.org/20150525155720.GA23434@eldamar.local



Re: External check

2015-05-19 Thread Salvatore Bonaccorso
Hi,

On Tue, May 19, 2015 at 05:49:44AM +, Raphael Geissert wrote:
 CVE-2015-8146: missing from list
 CVE-2015-8147: missing from list

These two seem wrong both in the Debian bug #784773 subject and as
consequence in the Red Hat bugzilla. They should be CVE-2014-8146 and
CVE-2014-8147 afaics.

Contacted Martin Prpic from Red Hat about it and retitled #784773.

Regards,
Salvatore


Archive: https://lists.debian.org/20150519062913.GA16717@eldamar.local



Re: [SECURITY] [DSA 3258-1] quassel security update

2015-05-13 Thread Salvatore Bonaccorso
Hi,

On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote:
 On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote:
 
  As far as I can tell from
 
  https://security-tracker.debian.org/tracker/CVE-2013-4422
 
  wheezy wasn't affected by the original CVE since the version of QT
  there is < 4.8.5. Is that correct? If so, what's the right way to mark this
  fact in the security-tracker data?
 
 Add something like the third line here to data/CVE/list:
 
 CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)
   - quassel 0.9.1-1
   [wheezy] - quassel <not-affected> (Vulnerable code not present)

<not-affected> (Vulnerable code not present) would not be correct,
since the issue appears if one uses qt4 with the backported fix
https://bugreports.qt-project.org/browse/QTBUG-30076 . But it can be
marked as unimportant, saying that (for now) the binary packages are
unaffected since in Debian QTBUG-30076 is not backported to wheezy.

Or just leave it that way; the notes make clear when the issue
applies to the binary packages as well.

Regards,
Salvatore


Archive: https://lists.debian.org/20150513165007.GA27892@eldamar.local



Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-08 Thread Salvatore Bonaccorso
Hi all,

FTR/for documentation: I as well reverted a change to
bin/add-dsa-needed.sh since it otherwise looked as well at
oldoldstable and generated wrong suggestions for addition to
dsa-needed.txt. (r34131)

Reference is added as well in
https://wiki.debian.org/SuitesAndReposExtension#secure-testing

Regards,
Salvatore


Archive: https://lists.debian.org/20150508171117.GA20123@eldamar.local



Bug#783491: security-tracker: document what needs to be done on releases and other archive changes

2015-05-04 Thread Salvatore Bonaccorso
Hi

I think two more changes were actually needed to get the testing
status view show the correct information: r34072 and 34073.

https://security-tracker.debian.org/tracker/status/release/testing

should look better now.

Regards,
Salvatore


Archive: https://lists.debian.org/20150505044932.GA6316@eldamar.local



Re: Embedded code copy in flightcrew

2015-03-02 Thread Salvatore Bonaccorso
Hi Mattia,

On Sun, Mar 01, 2015 at 07:42:49PM +0100, Mattia Rizzolo wrote:
 Hi!
 The flightcrew package, recently accepted by the ftp folks, contains a patched
 copy of zipios.
 Look at
 https://sources.debian.net/src/flightcrew/0.7.2%2Bdfsg-1/src/zipios/changes_made.txt/
 for more info.
 
 Thanks for your work!

Thank you for this heads up, I have added this to our embedded-copies
file.

Regards,
Salvatore


Archive: https://lists.debian.org/20150303061447.ga12...@lorien.valinor.li



Bug#761859: security-tracker json deployed

2015-02-27 Thread Salvatore Bonaccorso
Hi Paul,

On Fri, Feb 27, 2015 at 07:31:10AM +0800, Paul Wise wrote:
 On Thu, 2015-02-26 at 17:41 +0100, Holger Levsen wrote:
  On Thursday, 26 February 2015, Paul Wise wrote:
   I noticed the description fields are truncated, is that intentional?
  
  that's all that is stored in the db...
 
 Are you sure? By way of example, take a look at CVE-2012-0833, the
 description listed on the web page is much longer than in the JSON.
 
 https://security-tracker.debian.org/tracker/CVE-2012-0833

See https://bugs.debian.org/761859#185 . The data/CVE/list file
itself also contains only the truncated one (which is fine in
this case).

Regards,
Salvatore


Archive: https://lists.debian.org/20150227083558.ga24...@lorien.valinor.li



Bug#777456: security-tracker: DSA-2978-2 vs. tracker

2015-02-08 Thread Salvatore Bonaccorso
Hi Francesco, 

On Sun, Feb 08, 2015 at 12:35:56PM +0100, Francesco Poli (wintermute) wrote:
 Package: security-tracker
 Severity: normal
 
 Hello again,
 there seems to be a typo in the tracker page for CVE-2014-3660 [1]:
 it states that the vulnerability is fixed in jessie by
 libxml2/2.9.1+dfsg1-5 , while DSA-2978-2 [2] says that the fixed
 version is 2.9.1+dfsg1-4 ...

The situation for the update in DSA-2978-2 is actually a bit
complicated.

DSA-2978-1: Fixed CVE-2014-0191:
 - wheezy: 2.8.0+dfsg1-7+wheezy1
 - jessie: 2.9.1+dfsg1-4
 - unstable: 2.9.1+dfsg1-4

A regression in functionality was found, so updates were released for it.

DSA-3057-1: Fixed CVE-2014-3660:
 - wheezy: 2.8.0+dfsg1-7+wheezy2
 - jessie unfixed
 - unstable: 2.9.2+dfsg1-1

libxml2 could not migrate to jessie in this version, so the fix for
CVE-2014-3660 never reached jessie.

After that, regressions in functionality were addressed with the DSA
you are mentioning. For jessie to fix the issue in CVE-2014-3660 a
pre-approval for an upload to t-p-u was opened in
https://bugs.debian.org/776748 so the version fixing CVE-2014-3660
will be correct as libxml2/2.9.1+dfsg1-5 once the package is accepted.
The entry in the tracker was only added a bit prematurely, as the
package was not yet accepted by the release team.

So I would say (unless I have now missed something) all the versions in
the tracker are correct (apart from the fact that we should have delayed
adding 2.9.1+dfsg1-5, since it is not yet approved), and the advisory
text itself was a bit complicated to write up to reflect all this
correctly.

So I would tend to close this bug right away, or wait until
2.9.1+dfsg1-5 is accepted into jessie via t-p-u, but unfortunately the
advisory text
https://lists.debian.org/debian-security-announce/2015/msg00039.html
in the list archives is now out this way.

Regards,
Salvatore


Archive: https://lists.debian.org/20150208125836.GA27762@eldamar.local



Call for testing: c-icap security update

2014-12-10 Thread Salvatore Bonaccorso
Hi

There is an upcoming update for c-icap for wheezy-security. If you run
a c-icap setup, testing of the prepared packages would be very
welcome. If you find a problem introduced by updating to these
packages, please report the problem directly to
t...@security.debian.org . The packages can be found at
https://people.debian.org/~carnil/tmp/c-icap/

Regards,
Salvatore




Bug#771121: security-tracker: often returns 502 Proxy Error

2014-11-26 Thread Salvatore Bonaccorso
Hi Francesco,

On Wed, Nov 26, 2014 at 11:56:26PM +0100, Francesco Poli (wintermute) wrote:
 Am I the only one who experiences such issues?
 I was hoping to see the problem fixed, but no joy yet...

Just to confirm: you are not the only one, I'm seeing the same from
time to time in the last couple of weeks. :(

Regards,
Salvatore


Archive: https://lists.debian.org/20141127063536.ga1...@lorien.valinor.li



Bug#764091: security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages

2014-10-05 Thread Salvatore Bonaccorso
Package: security-tracker
Severity: normal

Hi


After the changes in #761889, when a CVE affects multiple source
packages, the "vulnerable and fixed packages" table sorts only by
release.

So now for example CVE-2014-0207 shows:


Source Package  Release                      Version            Status
file (PTS)      squeeze (security), squeeze  5.04-5+squeeze5    vulnerable
php5 (PTS)      squeeze (security), squeeze  5.3.3-7+squeeze19  vulnerable
file (PTS)      squeeze (lts)                5.04-5+squeeze7    fixed
php5 (PTS)      squeeze (lts)                5.3.3-7+squeeze22  fixed
file (PTS)      wheezy                       5.11-2+deb7u3      vulnerable
php5 (PTS)      wheezy                       5.4.4-14+deb7u11   vulnerable
file (PTS)      wheezy (security)            5.11-2+deb7u5      fixed
php5 (PTS)      wheezy (security)            5.4.4-14+deb7u14   fixed
file (PTS)      jessie, sid                  1:5.19-2           fixed
php5 (PTS)      jessie, sid                  5.6.0+dfsg-16      fixed

Please have the table first group again by source package and then
within this table sort by release, like:

Source Package  Release                      Version            Status
file (PTS)      squeeze, squeeze (security)  5.04-5+squeeze5    vulnerable
                squeeze (lts)                5.04-5+squeeze7    fixed
                wheezy                       5.11-2+deb7u3      vulnerable
                wheezy (security)            5.11-2+deb7u5      fixed
                jessie, sid                  1:5.19-2           fixed
php5 (PTS)      squeeze, squeeze (security)  5.3.3-7+squeeze19  vulnerable
                squeeze (lts)                5.3.3-7+squeeze21  fixed
                wheezy                       5.4.4-14+deb7u11   vulnerable
                wheezy (security)            5.4.4-14+deb7u14   fixed
                jessie, sid                  5.6.0+dfsg-1       fixed

Regards,
Salvatore


Archive: https://lists.debian.org/20141005120320.28091.34337.reportbug@eldamar.local



Re: [SECURITY] [DSA 3032-1] bash security update

2014-09-25 Thread Salvatore Bonaccorso
Hi Jens,

On Thu, Sep 25, 2014 at 10:05:28AM +0200, Rabe, Jens wrote:
 is there a chance to get the bash-update for squeeze (6.0)?

Note that regular security support for squeeze has ended. You will
need to use squeeze-lts to still receive updates; more details are
in [1].

 [1] https://wiki.debian.org/LTS
 [2] https://lists.debian.org/debian-lts-announce/2014/09/msg00016.html

Regards,
Salvatore


Archive: https://lists.debian.org/20140925091008.ga23...@lorien.valinor.li



Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt

2014-09-24 Thread Salvatore Bonaccorso
Hi all,

On Wed, Sep 24, 2014 at 02:37:00PM +0200, Holger Levsen wrote:
[...]
  Then the separate text files could go away, and we can just use
  no-dsa in the CVE list to keep those pages up to date.
 
 you mean those dsa-needed.txt and dla-needed.txt files?

We could. But right now we also use the (dla|dsa)-needed.txt lists to
have an assignment of who is working on which DSA/DLA.

Regards,
Salvatore


Archive: https://lists.debian.org/20140924124251.ga31...@lorien.valinor.li



Re: Switching the tracker to git

2014-09-15 Thread Salvatore Bonaccorso
Hi

I forgot about two more points: one is that the sectracker user is
subscribed to the commits mailing lists, and the commit messages
trigger updates of the tracker.

The other thing: the svn checkout is also used for
http://security-team.debian.org, but this should be a simple case.

I will add all items to be considered - and which come to my mind -
for a svn to git migration into

org/TODO

Please add there further todos!

Hope that helps anybody who wants to volunteer for that.

Regards,
Salvatore


Archive: https://lists.debian.org/20140915110031.ga32...@lorien.valinor.li



Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger,

On Mon, Sep 15, 2014 at 02:32:54PM +0200, Holger Levsen wrote:
  On Saturday, 13 September 2014, Salvatore Bonaccorso wrote:
  I had a look at this patch. It can only address isolated URLs in the
  notes this way. We usually use this in other ways, one example is that
  was Florian mentioned in the first message:
   - https://security-tracker.debian.org/tracker/CVE-2014-3122
 
 right, thanks for this example. I'll wrap regexes around my head til it 
 matches - or so :-)

Hmm, would something wrapped around the following work?
Considering there might be more than one matching group in each line,
the example holds only for the simplest case again :(

cut-cut-cut-cut-cut-cut-
import re
# A note line as it appears in data/CVE/list: free text around the URL.
string = "Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)"
# The named group "url" captures the first http(s) URL up to the next whitespace.
print(re.search(r"(?P<url>https?://[^\s]+)", string).group("url"))
cut-cut-cut-cut-cut-cut-

  Thanks for also looking into this one!
 
 my pleasure, thank you all very much for many years of working on all these 
 security issues! I can now slightly better appreciate what huge task you're 
 working on!

Thanks Holger!

Regards,
Salvatore


Archive: https://lists.debian.org/20140915125654.ga22...@lorien.valinor.li



Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger,

On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote:
 Hi,
 
  On Monday, 15 September 2014, Salvatore Bonaccorso wrote:
  Hmm, would something wrapping around of the following work?
 
 sounds like a good start...
 
  Considering there might be more than one matching group in each line,
  so the example holds only for a simplest case again :(
 
 are there really examples with two urls in one line?

We have, e.g.

https://security-tracker.debian.org/tracker/CVE-2011-2825

But if that will not work, I think we can work around it and split these
lines when we encounter them. If we can find a working solution, that
would clearly be better :)

Regards,
Salvatore


Archive: https://lists.debian.org/20140915160529.GA7462@eldamar.local



Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger,

On Mon, Sep 15, 2014 at 06:05:29PM +0200, Salvatore Bonaccorso wrote:
 Hi Holger,
 
 On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote:
  Hi,
  
   On Monday, 15 September 2014, Salvatore Bonaccorso wrote:
   Hmm, would something wrapping around of the following work?
  
  sounds like a good start...
  
   Considering there might be more than one matching group in each line,
   so the example holds only for a simplest case again :(
  
  are there really examples with two urls in one line?
 
 We have, e.g.
 
 https://security-tracker.debian.org/tracker/CVE-2011-2825
 
 But if that will not work, I think we can workaround and split these
 lines when we encounter them. If we can find a working solution then
 better clearly :)

We only have a handful of those, so: if you find a solution to catch
these as well, good. Otherwise we will need to work around it. Do you
have an idea to catch these as well?

Please commit this change, I will activate it on the security-tracker.

Regards,
Salvatore


Archive: https://lists.debian.org/20140915162538.GA9439@eldamar.local



Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)

2014-09-15 Thread Salvatore Bonaccorso
Hi Holger,

On Mon, Sep 15, 2014 at 01:47:57AM +0200, Holger Levsen wrote:
 Hi Salvatore,
 
  On Saturday, 13 September 2014, Salvatore Bonaccorso wrote:
  I tested the patch in my local instance. 
 
 yeah, it's clearly the wrong patch, I attached, sorry.
 
  libspring-java as by now, might change in future, shows right now:
  This should be ordered (and for future releases):
  
  Bug   | wheezy | jessie | sid| Description
 
 the instance here does so, and it also orders them within releases by '', 
 'security', 'lts' :)
 
 And that's the patch posted for #742382, which I've attached for clarity.

Yep, my comment was that the wrongly attached patch does not
solve the problem, and the tabular view would still be the old one.

 Regarding the patch I accidently send to this bug:
 
  I tested the patch in my local instance. It does sort now the CVEs in
  descending order, which was not what I meant. We had so far the oldest
  CVEs on top which this patch would changes.
 
 I think this should still be done, newer stuff is usually more interesting (so
 here) and should thus be displayed on top. The reasoning because it has been
 like this since always is not so convincing.

Not necessarily, that would be my point which I want to highlight. If
you have the older CVE -- still unresolved -- on top, this will draw
your attention to them. One will hopefully fix the newly found
ones anyway, maybe referenced to you via a bugreport in the BTS, and looking
at the security-tracker will redirect you also to older ones which
were not addressed.

Anyway, we seem to be the only two people involved in this arguing ;-) I
don't have time/energy to further defend my point of view. So if you
think it really would help working on the tracker to invert the CVE
ordering, then please go ahead!

p.s.: I'm for example really happy to see the improvements you
  implemented regarding the URL linking in TODO and NOTE! They
  really will help on working on the tracker IMHO. Thanks!

Regards,
Salvatore


Archive: https://lists.debian.org/20140915164632.GA10368@eldamar.local



Re: RFC: Invert ordering of issues in source package view: newest should be up

2014-09-15 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 15, 2014 at 02:24:34PM +0200, Holger Levsen wrote:
 Hi Salvatore,
 
  On Saturday, 13 September 2014, Salvatore Bonaccorso wrote:
   This changes the ordering in the 'Security announcements' section,
  ordering it by release date of the DSA/DLA, right? So for example
  file will show with your patch:
  
  DSA / DLA  Description
  DLA-50-1   file - security update
  DSA-3021-1 file - security update
  DLA-27-1   file - security update
  [...]
  
  This looks like a good change to do, so ack at least from my side to
  do so.
 
 Ok, I've pushed this one now to svn, so that we can focus on the less
 straightforward ones. Also, as someone said, reverting is easy, even with svn ;)

I just have activated this change on security-tracker, see e.g.
https://security-tracker.debian.org/tracker/source-package/bind9.

Regards,
Salvatore


Archive: https://lists.debian.org/20140915180338.GA19299@eldamar.local



Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-15 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 15, 2014 at 07:59:53PM +0200, Holger Levsen wrote:
 Hi Salvatore,
 
  On Monday, 15 September 2014, Salvatore Bonaccorso wrote:
   https://security-tracker.debian.org/tracker/CVE-2011-2825
 
 hmpf, that works for 1 out of 3, the other 2 are detected as one :/
  
  We only have a handfull of those, so: If you find a solution to catch
  also these then good. Otherwise we will need to workaround. Do you
  have an idea to catch also these?
 
 not yet...
  
  Please commit this change, I will activate it on the security-tracker.
 
 ...but I will commit now and then will see if I find the cause why
 CVE-2011-2825 isn't displayed properly :)

Activated that change (not closing the bug, as there is still one part
to be addressed possibly).

Thanks for your work,

Regards,
Salvatore


Archive: https://lists.debian.org/20140915181233.GA19840@eldamar.local



Bug#742382: Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)

2014-09-15 Thread Salvatore Bonaccorso
Hi,

On Mon, Sep 15, 2014 at 11:40:59PM +0200, Holger Levsen wrote:
 Hi,
 
  On Saturday, 13 September 2014, Salvatore Bonaccorso wrote:
   I have your patch running on my test instance and it looks good so far!
   (But having done only some basic tests).
 
 I'd like to push this one next, as this really makes a difference, whether 
 security+lts are considered, or not ;-) 
 
 Any objections? Works fine and looks fine to me...

I was hoping to see some other feedback/tests on that. But it worked
for me as well in my test instance.

Please go ahead with the commit!

Regards,
Salvatore


Archive: https://lists.debian.org/20140916045702.ga31...@lorien.valinor.li



Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2014-09-13 Thread Salvatore Bonaccorso
Control: tags -1 - pending

Hi Holger,

On Fri, Sep 12, 2014 at 12:19:06PM +0200, Holger Levsen wrote:
 attached is a patch to lib/python/web_support.py which turns the notes (used 
 in CVEs) into hyperlinks - if they start with http(s)://
 
 Please tell me whether it's ok to commit this.

I had a look at this patch. It can only address isolated URLs in the
notes this way. We usually use this in other ways; one example is the
one Florian mentioned in the first message:

Note: see https://

which should turn into

see <a href='http://www.example.com/info.html'><code>http://www.example.com/info.html</code></a>

Other examples where we use the free form extensively are when we
document which commits introduced a given problem, where it was fixed, etc.

I'm adding also the corresponding note, as this might change when
looking next time into it:

 - https://security-tracker.debian.org/tracker/CVE-2014-3620

NOTE: http://curl.haxx.se/docs/adv_20140910B.html
NOTE: Introduced by https://github.com/bagder/curl/commit/85b9dc8023

 - https://security-tracker.debian.org/tracker/CVE-2014-3145

NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8
NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67


 - https://security-tracker.debian.org/tracker/CVE-2014-3122

NOTE: Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233
NOTE: Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)

The last one is particularly interesting as it contains normal text
before, and after, a reference which should be turned into a link.

There is one other problematic example with the patch, where we have
notes starting with http(s), but adding explanations/further text
afterwards:

 - https://security-tracker.debian.org/tracker/CVE-2014-6387

NOTE: http://www.mantisbt.org/bugs/view.php?id=17640
NOTE: http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
NOTE: http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)

So we would need something more complicated here: isolating first the
URLs in the text and converting that part, but keeping the surrounding
text.

Thanks for also looking into this one!

Regards,
Salvatore


Archive: https://lists.debian.org/20140913062217.GA12503@eldamar.local
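The linkification discussed in this bug (the regex sketch earlier in the thread and the note shapes listed above) can be done without losing the surrounding text. The following is an added example in Python 3, not the patch to lib/python/web_support.py under discussion: it isolates every URL in a note line, gives trailing sentence punctuation back to the text, splits URLs written back to back, and HTML-escapes both the text and the URL so a note can never inject markup into the web view. The function names are assumptions.

```python
import html
import re

# One http(s) URL inside free-form note text.  The tempered group stops at
# whitespace, at characters that would break the HTML, and at the start of
# another URL, so two URLs written back to back are still matched separately.
_URL_RE = re.compile(r"https?://(?:(?!https?://)[^\s<>\"'])+")

# Characters that, at the very end of a match, are far more likely to be the
# sentence's punctuation than part of the URL ("... fixed by http://x/y.").
_TRAILING = ".,;:!?)"


def split_note(note):
    """Split one NOTE/TODO line into [("text", s), ("url", s), ...] pieces."""
    pieces = []
    pos = 0
    for m in _URL_RE.finditer(note):
        url = m.group(0)
        end = m.end()
        # Give trailing punctuation back to the text, except a ')' that closes
        # a '(' inside the URL itself (wiki-style links).
        while url[-1] in _TRAILING:
            if url[-1] == ")" and url.count("(") >= url.count(")"):
                break
            url = url[:-1]
            end -= 1
        if m.start() > pos:
            pieces.append(("text", note[pos:m.start()]))
        pieces.append(("url", url))
        pos = end
    if pos < len(note):
        pieces.append(("text", note[pos:]))
    return pieces


def linkify_note(note):
    """Render a note line as HTML: URLs become <a href='URL'><code>URL</code></a>;
    everything, the URL included, is escaped so note text cannot inject markup."""
    out = []
    for kind, s in split_note(note):
        if kind == "url":
            q = html.escape(s, quote=True)
            out.append("<a href='%s'><code>%s</code></a>" % (q, q))
        else:
            out.append(html.escape(s, quote=False))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample lines in the shape of the NOTE entries quoted above.
    for line in (
        "Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)",
        "http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)",
        "see http://a.example/x,http://b.example/y.",
    ):
        print(linkify_note(line))
```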



Bug#742382: Display oldstable/stable security and oldstable-lts repositories in tabular view. (Closes: #742382)

2014-09-13 Thread Salvatore Bonaccorso
Hi Holger,

On Sat, Sep 13, 2014 at 01:51:52AM +0200, Holger Levsen wrote:
 Hi,
 
 commit b22f1ba0cd9499e716f7b729f546a98bd4950dda
 Author: Holger Levsen hol...@layer-acht.org
 Date:   Sat Sep 13 01:47:11 2014 +0200
 
 Display oldstable/stable security and oldstable-lts repositories
 in tabular view. (Closes: #742382)

I have your patch running on my test instance and it looks good so far!
(But having done only some basic tests).

Regards,
Salvatore


Archive: https://lists.debian.org/20140913155619.GA25028@eldamar.local



Re: small misc fixes

2014-09-12 Thread Salvatore Bonaccorso
Hi Holger,

On Fri, Sep 12, 2014 at 03:14:57PM +0200, Holger Levsen wrote:
 Hi,
 
  On Friday, 12 September 2014, Holger Levsen wrote:
  attached are three small no brainer fixes I'd like to apply, please confirm
 
 thanks to Thijs, this diff even got smaller and better, see attached.
 
 I've verified that the code still works nicely.
 
 May I commit? (And test git-svn committing... *lalala*)

Thanks for posting the diff. I have activated the changes for the
security-tracker, so they are live now.

Regards,
Salvatore


Archive: https://lists.debian.org/20140912150026.GA24295@eldamar.local



Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)

2014-09-12 Thread Salvatore Bonaccorso
Control: tags -1 - pending

Hi,

On Sat, Sep 13, 2014 at 01:32:38AM +0200, Holger Levsen wrote:
 Hi,
 
 commit baa7d44e460efe2b24e7b029633701cd29986d0d
 Author: Holger Levsen hol...@layer-acht.org
 Date:   Sat Sep 13 01:23:35 2014 +0200
 
 Sort releases correctly in tabular view. (Closes: #742855)

I tested the patch in my local instance. It now sorts the CVEs in
descending order, which was not what I meant. We had so far the oldest
CVEs on top, which this patch would change.

My change request however was about something else: in the tabular
view, from left to right, it should be sorted by releases and not
have a mix.

libspring-java (as of now; this might change in future) shows right now:

Bug           | jessie     | sid        | wheezy     | Description
---
CVE-2014-0225 | fixed      | fixed      | vulnerable | Information disclosure via SSRF
CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal
---

This should be ordered (and for future releases):

Bug           | wheezy     | jessie     | sid        | Description
---
CVE-2014-0225 | vulnerable | fixed      | fixed      | Information disclosure via SSRF
CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal
---

So (squeeze) => wheezy => jessie => sid, and for future releases
then (squeeze) => wheezy => jessie => X => sid in the columns (and
keep the ordering from oldest to newest CVE).

Thanks for looking into this!

Regards,
Salvatore


Archive: https://lists.debian.org/20140913035812.GA32080@eldamar.local



Re: RFC: Invert ordering of issues in source package view: newest should be up

2014-09-12 Thread Salvatore Bonaccorso
Hi Holger,

On Sat, Sep 13, 2014 at 01:35:06AM +0200, Holger Levsen wrote:
 Hi,
 
 I think this is clearly a bugfix ;-) Please comment.
 
 Both open and resolved issues will be inverse sorted, so that newest CVEs
 will be on top of the list.
 
 cheers,
   Holger
 
 commit dd7b75472e00cea9759eb6554decf26c6fe8eb11
 Author: Holger Levsen hol...@layer-acht.org
 Date:   Sat Sep 13 01:28:00 2014 +0200
 
 Invert ordering of issues in source package view: newest should be up.
 
 diff --git a/lib/python/security_db.py b/lib/python/security_db.py
 index 8580d5b..b15924e 100644
 --- a/lib/python/security_db.py
 +++ b/lib/python/security_db.py
 @@ -1690,7 +1690,8 @@ class DB:
  FROM bugs, package_notes as p
  WHERE p.bug_name = bugs.name
  AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%')
 -AND p.package = ?, (package,))
 +AND p.package = ?
 +ORDER BY bugs.release_date DESC, (package,))
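Review bot: the `ORDER BY bugs.release_date DESC` added in the two `+` lines has no secondary key, so advisories sharing a release date (a DSA and a DLA for the same package published on the same day) come back in whatever order the database happens to choose, and the listing can change between runs; a tie-breaker such as `ORDER BY bugs.release_date DESC, bugs.name DESC` would make it stable. The commit message ("Invert ordering of issues in source package view") also promises more than this hunk delivers, since only the DSA/DLA announcements query is touched here and the open/resolved CVE ordering described in the cover text is not; the message should name the query it changes.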

This changes the ordering in the 'Security announcements' section,
ordering it by release date of the DSA/DLA, right? So for example
file will show with your patch:

DSA / DLA  Description
DLA-50-1   file - security update
DSA-3021-1 file - security update
DLA-27-1   file - security update
[...]

This looks like a good change to do, so ack at least from my side to
do so.

But above you mention to invert also the open and resolved CVEs by
descending order? Why do you like to do that?

Regards,
Salvatore


Archive: https://lists.debian.org/20140913045201.GA1701@eldamar.local



Re: fixing four bugs, let's start with a Makefile.diff

2014-09-11 Thread Salvatore Bonaccorso
Hi,

On Fri, Sep 12, 2014 at 01:04:01AM +0200, Holger Levsen wrote:
[...]
 So, may I commit this Makefile? :) (Further cleanup seems useful but I have
 no idea how the targets are called by cron...)

The documentation for the setup on soler is in doc/soler.txt. I
can check this weekend if all the information there is still up to
date unless somebody else beats me to it.

As you only extend the Makefile with an additional target, I think this
is fine to be committed already without breaking the setup on soler.

Regards,
Salvatore


Archive: https://lists.debian.org/20140912051130.gb7...@lorien.valinor.li



Bug#761061: tracker doesnt show closed issues as done

2014-09-10 Thread Salvatore Bonaccorso
Hi,

On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote:
 package: security-tracker
 severity: important
 x-debbugs-cc: debian-...@lists.debian.org
 
 Hi,
 
 the tracker doesn't show issues which are only closed in the security or lts
 subreleases as closed, as for example can be seen on
 https://security-tracker.debian.org/tracker/source-package/file
 
 eg https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both
 wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file
 lists it as open.

 (There pages like https://security-tracker.debian.org/tracker/CVE-2014-3478 
 also are less clean, but at least they contain the right info visibly, just a 
 bit scrambled.)
 
 I believe the bug is in getBugsForSourcePackage() in 
 lib/python/security_db.py 
 but I couldn't yet wrap my head around it properly to fix it. 
 
 There seem to be several functions (in security_db.py) which only deal with 
 the releases (sid, jessie, wheezy, squeeze) but not the subreleases 
 (security, 
 lts).

The tabular view clearly would need some improvement to make clear
where the fix already is, e.g. in wheezy-security but not yet in wheezy.
I'll try to explain. The version tracked on the individual CVE pages is
*correct* from the following point of view: a fix is in wheezy-security
already, but not yet accepted into the wheezy suite. This happens when
the release team accepts an upload through security, which gets
uploaded to wheezy-proposed-updates-NEW to be integrated into an
upcoming point release[*]. From the stable point of view it is not
enough to have the fix only on wheezy-security for it to count as
available in stable -- it also needs to be included in a wheezy point
release.

Thus for example taking CVE-2014-3478 we have:

squeeze, squeeze (security)   5.04-5+squeeze5   vulnerable
squeeze (lts)                 5.04-5+squeeze6   fixed
wheezy                        5.11-2+deb7u3     vulnerable
wheezy (security)             5.11-2+deb7u4     fixed
jessie, sid                   1:5.19-2          fixed

One issue is: with -lts this will never happen, since packages will
never be integrated into squeeze, as there will be no point releases
including the -lts fixes in squeeze.

 [*] An example where this currently does not happen is openjdk-7.

Regards,
Salvatore





Call for testing: gnupg update

2014-09-03 Thread Salvatore Bonaccorso
Hi,

The upcoming gnupg update introduces import functions that apply a
constraining filter to imported keys, making it possible to ensure that
the keys fetched from the keyserver are in fact those selected by the
user beforehand. The initial patch introduced regressions which were
fixed upstream.

Please test the packages from
https://people.debian.org/~carnil/tmp/gnupg-pre-dsa/

If you find further regressions regarding those fixes please report
the problem directly to th...@debian.org and car...@debian.org

Regards,
Salvatore




Bug#759727: patches for including LTS into security-tracker.d.o

2014-08-31 Thread Salvatore Bonaccorso
Hi Holger, hi Florian,

On Sun, Aug 31, 2014 at 02:37:34PM -0700, Holger Levsen wrote:
> Hi,
>
> On Sunday, 31 August 2014, Florian Weimer wrote:
> > You mean, with TEMP-%?
>
> yeah, that's what I meant...
> >
> > It's currently not possible to address TEMP- vulnerabilities reliably,
> > so they cannot occur as copy targets.
>
> ah!

I reopened this bug and reverted the commits. The bin/update cronjob
breaks the cross-references and adds empty {}.

I tried to quick-fix this by adding the DLA part in bin/updatelist,
but this made the cross-reference list explode.

Regards,
Salvatore





Re: [SECURITY] [DSA 2992-1] linux security update

2014-07-29 Thread Salvatore Bonaccorso
Hello Romain,

On Tue, Jul 29, 2014 at 10:00:25AM +0200, Romain Francoise wrote:
> The advisory text should perhaps mention that 3.2.60-1+deb7u3 includes
> 3.2.60-1+deb7u2, which reverts two commits from previous updates that
> caused networking regressions.

Yes indeed, I should have mentioned that.

The update reverts patches which introduced regressions, one
introduced in 3.2.57 (Revert "net: ip, ipv6: handle gso skbs in
forwarding path") and one in 3.2.60 (Revert "net: ipv4: ip_forward:
fix inverted local_df test", which also closes Debian Bug #754173).

Regards,
Salvatore





Re: CVE-2014-3477 fixed in dbus/1.6.8-1+deb7u2

2014-06-12 Thread Salvatore Bonaccorso
Hi Simon,

On Thu, Jun 12, 2014 at 08:15:24PM +0100, Simon McVittie wrote:
> In case the mention of the CVE ID in debian/changelog is not enough for
> someone to update the security tracker: CVE-2014-3477 is fixed in
> dbus/1.6.8-1+deb7u2, which was just accepted into proposed-updates.
>
> It was also fixed in dbus/1.8.4-1 for testing/unstable.
>
> If this change is desired in squeeze-lts (it's only a local denial of
> service and there was no DSA, so perhaps not), the upstream dbus-1.2
> branch on freedesktop.org has a commit with some trivial merge conflicts
> (whitespace) resolved. I don't intend to upload to squeeze-lts myself.

Just to confirm the security-tracker information: unstable is already
marked as fixed. For wheezy it is on the next-point-update list, which
will be merged when the next Wheezy point release is released.

Thanks for notifying!

Regards,
Salvatore





Re: [SECURITY] [DSA 2945-1] chkrootkit security update

2014-06-03 Thread Salvatore Bonaccorso
Hi,

On Wed, Jun 04, 2014 at 01:08:44AM +0200, Luigi Bianca wrote:
> What about oldstable? My system says 0.49-4 but apt-get doesn't find
> anything to update. Thanks in advance.

Security support for oldstable ended at the end of the month, but
squeeze-lts is available.

See

https://lists.debian.org/debian-security-announce/2014/msg00119.html

Updates for squeeze-lts for chkrootkit are also being prepared,
AFAIK.

Hope that helps,

Regards,
Salvatore





Re: [SECURITY] [DSA 2911-1] icedove security update

2014-04-28 Thread Salvatore Bonaccorso
Hi,

On Thu, Apr 24, 2014 at 11:36:49AM -0400, charlie derr wrote:
> On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote:
> > This indeed seems to be a typo in DSA-2911-1. The fixed version
> > for the unstable distribution for the given CVEs is
> > icedove/24.4.0-1.
> >
> > For reference see also [1].
> >
> > [1] https://security-tracker.debian.org/tracker/DSA-2911-1
> >
> > Hope that helps,
> >
> > Regards, Salvatore
>
>
> Thank you very much, that does help some, but still doesn't really
> completely explain the mystery to me.
>
> In searching through my /var/log/apt/history files, I see that my
> current version of icedove (24.4.0-1) was installed on 2014-03-26
>
> Was all of this really patched in the sid version of the icedove
> package a full month before the official announcement of these
> vulnerabilities?  This timing is confusing to me (though I suppose
> there may be a reasonable explanation for it).
>
> Any further information that might help me understand would be very
> welcome.

Apologies for the late reply. Yes, it is true, the sid version was
uploaded not long after the thunderbird 24.4 release, which happened
on 2014-03-18. The corresponding issues are listed in [1].

 [1] https://www.mozilla.org/security/announce/

Note: The official announcement of these vulnerabilities in
thunderbird was at [1], so already in March. DSA-2911-1 fixes these
issues for icedove in wheezy (additionally, if already known, it
also mentions the fixed version for testing and sid).

Hope this clarifies your questions a bit,

Salvatore





Re: [SECURITY] [DSA 2911-1] icedove security update

2014-04-24 Thread Salvatore Bonaccorso
Hi,

On Thu, Apr 24, 2014 at 10:05:08AM -0400, charlie derr wrote:
> On 04/22/2014 11:25 AM, Moritz Muehlenhoff wrote:
> > -------------------------------------------------------------------------
> > Debian Security Advisory DSA-2911-1                   secur...@debian.org
> > http://www.debian.org/security/                        Moritz Muehlenhoff
> > April 22, 2014                        http://www.debian.org/security/faq
> > -------------------------------------------------------------------------
>
> snippage
>
> > For the unstable distribution (sid), these problems have been fixed
> > in version 24.4.0esr-1.
>
> I've been checking ever since I saw this announcement and I still
> don't see a sign of this version in the sid repos yet (I'm not pasting
> in my apt-get update, but I obviously did that immediately prior):
>
>
> root@yap:~# apt-get install icedove
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> icedove is already the newest version.
> 0 upgraded, 0 newly installed, 0 to remove and 1459 not upgraded.
>
> root@yap:~# dpkg -l icedove
> ii  icedove        24.4.0-1
>
> Does anyone have any more information about the delay?  Or possibly
> I'm wrong about my own assumption(s)/understanding here.
>
> thanks so much in advance for any clues,

This indeed seems to be a typo in DSA-2911-1. The fixed version for
the unstable distribution for the given CVEs is icedove/24.4.0-1.

For reference see also [1].

 [1] https://security-tracker.debian.org/tracker/DSA-2911-1

Hope that helps,

Regards,
Salvatore





Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?

2014-04-08 Thread Salvatore Bonaccorso
Hi Fredrik,

On Tue, Apr 08, 2014 at 04:01:37PM +, Fredrik Jonson wrote:
> Hi,
>
> After upgrading the packages in DSA 2896-2 (openssl security update),
> the second version, 1.0.1e-2+deb7u6, that detects services to restart, I
> noted that the postinst script didn't suggest that I should restart
> apache2.
>
> As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and
> could be affected by CVE-2014-0160. Correct?
>
> I note that the postinst script in libssl1.0.0 searches for the virtual
> package apache2-common which is not installed on my servers.
>
> Is this a bug in the postinst script, or is apache2 not affected, or is
> it a user error to not have the virtual package installed?
>
> BTW, thanks to all involved in Debian's rapid response to this CVE!

Yes, this is unfortunately a bug in that part of the libssl1.0.0
postinst! apache2 is also affected and should be restarted after the
openssl update.

Salvatore
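The postinst approach discussed above looks services up by package name, so anything it does not know about (here apache2) is missed. Below is an added example, not Debian's postinst code, of the complementary check an administrator can run after such an update: scan /proc/<pid>/maps for OpenSSL objects that have been replaced on disk but are still mapped by a running process. The library file names and the sample maps content are constructed assumptions.

```python
# Added example, not the libssl1.0.0 postinst: instead of guessing services by
# package name, ask the kernel which processes still map a replaced OpenSSL
# library (the old file stays mapped and is listed with a "(deleted)" suffix).
import os
import re

# Assumption: the shared objects are named libssl.so.* / libcrypto.so.*
STALE_SSL_RE = re.compile(r"/lib(ssl|crypto)\.so\.[0-9.]+ \(deleted\)$")


def stale_ssl_mappings(maps_text):
    """Deleted libssl/libcrypto files still mapped, from /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        # address perms offset dev inode [pathname]; pathname may contain spaces
        fields = line.split(None, 5)
        if len(fields) == 6 and STALE_SSL_RE.search(fields[5]):
            found.add(fields[5][: -len(" (deleted)")])
    return sorted(found)


def processes_needing_restart(proc_root="/proc"):
    """(pid, comm, stale paths) for every readable process still using the old library."""
    hits = []
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return hits   # no procfs here (e.g. not Linux); nothing to report
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                stale = stale_ssl_mappings(f.read())
            if stale:
                with open(os.path.join(proc_root, entry, "comm")) as f:
                    hits.append((int(entry), f.read().strip(), stale))
        except OSError:
            continue   # process exited, or maps not readable for this user
    return hits


# Constructed sample of what an apache2 worker's maps could look like after the
# libssl1.0.0 upgrade: the old objects are unlinked but still mapped.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1d200000-7f3a1d25a000 r-xp 00000000 08:01 131206 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1d25a000-7f3a1d459000 ---p 0005a000 08:01 131206 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1d600000-7f3a1d7a0000 r-xp 00000000 08:01 131180 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1e000000-7f3a1e1b8000 r-xp 00000000 08:01 262401 /lib/x86_64-linux-gnu/libc-2.13.so
"""

if __name__ == "__main__":
    for pid, comm, paths in processes_needing_restart():
        print(pid, comm, ", ".join(paths))
```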




Bug#742855: security-tracker: tabular view should always be by release order

2014-03-28 Thread Salvatore Bonaccorso
Package: security-tracker
Severity: normal

Hi

Unfortunately the tabular view is not always ordered by release. For
example [1] shows in the tabular view:

+---------------+--------+-------+------------+------------------------------------------------+
| Bug           | jessie | sid   | wheezy     | Description                                    |
+---------------+--------+-------+------------+------------------------------------------------+
| CVE-2014-0054 | fixed  | fixed | vulnerable |                                                |
| CVE-2014-1904 | fixed  | fixed | vulnerable | Cross-site scripting (XSS) vulnerability in .. |
+---------------+--------+-------+------------+------------------------------------------------+

but this should preferably always be in release order.

 [1] https://security-tracker.debian.org/tracker/source-package/libspring-java

Regards,
Salvatore





Bug#742096: security-tracker: CVE table not shown in Open unimportant issues section

2014-03-19 Thread Salvatore Bonaccorso
Package: security-tracker
Severity: wishlist

Hi,

Paul Wise pointed out on IRC that the new CVE table view is shown in
the Open issues section, but not in the Open unimportant issues section.

Opening a bug to track the status/fix for that part too.

Regards,
Salvatore





Re: [SECURITY] [DSA 2867-1] otrs2 security update

2014-02-24 Thread Salvatore Bonaccorso
Hi,

On Sun, Feb 23, 2014 at 08:42:01PM +, Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2867-1                   secur...@debian.org
> http://www.debian.org/security/                      Salvatore Bonaccorso
> February 23, 2014                     http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : otrs2
> Vulnerability  : several
> CVE ID         : CVE-2014-1471 CVE-2014-1694
>
> Several vulnerabilities were discovered in otrs2, the Open Ticket
> Request System. The Common Vulnerabilities and Exposures project
> identifies the following problems:
>
> CVE-2014-1471
>
> Norihiro Tanaka reported missing challenge token checks. An attacker
> that managed to take over the session of a logged in customer could
> create tickets and/or send follow-ups to existing tickets due to
> these missing checks.
>
> CVE-2014-1694
>
> Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
> valid customer or agent login could inject SQL code through the
> ticket search URL.

This should be:

CVE-2014-1694

Norihiro Tanaka reported missing challenge token checks. An attacker
that managed to take over the session of a logged in customer could
create tickets and/or send follow-ups to existing tickets due to
these missing checks.

CVE-2014-1471

Karsten Nielsen from Vasgard GmbH discovered that an attacker with a
valid customer or agent login could inject SQL code through the
ticket search URL.

Apologies for not having spotted that earlier. I have committed the
changes for the website so that they will be correct on the next update.

Regards,
Salvatore




Re: [SECURITY] [DSA 2858-1] iceweasel security update

2014-02-15 Thread Salvatore Bonaccorso
Hi Christoph,

On Wed, Feb 12, 2014 at 10:07:47PM +0100, Christoph Biedl wrote:
> Hello Debian security,
>
> Moritz Muehlenhoff wrote...
>
> > Package: iceweasel
> (...)
> > This update updates Iceweasel to the ESR24 series of Firefox.
>
> Unfortunately, this upgrade broke the xul-ext-certificatepatrol
> package (src:certificatepatrol) in stable due to
> Breaks: ... iceweasel (= 19.0+) there. There's already an updated
> package in stable-proposed-updates[0]. Since the next point release is
> several weeks away, this leaves stable users in an unpleasant
> situation of xul-ext-certificatepatrol being unavailable (or not
> upgrading iceweasel).
>
> So, could you consider releasing an upgraded src:certificatepatrol
> shortly to rectify that situation? A debdiff is linked in that
> document, let me know if you need more information.

Btw, this has been pushed through wheezy-updates[1].

 [1] https://lists.debian.org/debian-stable-announce/2014/02/msg2.html

Regards,
Salvatore





Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package

2014-02-08 Thread Salvatore Bonaccorso
Hi Antonio,

On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> It would be nice if someone familiar with the codebase could write up
> instructions on how to do that.

Actually, we are working on this now at the Security Team meeting.
Basically, if you want to set up a test instance of the security
tracker, it is a matter of three steps:

make update-packages
make all
make serve

But Luciano is working on adding a section for this to the
documentation.

Regards,
Salvatore





Testers for typo3-src security update (in particular squeeze packages)

2013-12-29 Thread Salvatore Bonaccorso
Hi

Christian Welzel, maintainer of typo3-src, prepared backports for
security issues in typo3-src. Some testing of the squeeze packages in
particular would be welcome before releasing these packages.

Packages are uploaded at [1].

If you find a regression/problem explicitly caused by an update of
these packages please send your feedback directly to
car...@debian.org.

 [1] http://people.debian.org/~carnil/typo3-src/

Regards,
Salvatore




Re: cmrekey.adv ?

2013-11-16 Thread Salvatore Bonaccorso
Hi Yanosz,

On Sat, Nov 16, 2013 at 10:32:27AM +0100, Jan Lühr wrote:
> Hello folks,
>
> short one: Is Debian GNU/Linux affected by
> http://www.openssh.com/txt/gcmrekey.adv ?

See: https://security-tracker.debian.org/tracker/CVE-2013-4548 . In
short, oldstable and stable were not affected; for testing and
unstable, fixed packages have also been uploaded.

Regards,
Salvatore





Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package

2013-10-23 Thread Salvatore Bonaccorso
Package: security-tracker
Severity: wishlist

Hi

At the last DebConf Antonio Terceiro brought up the following idea for an
additional view for a source package in the security-tracker. I'm
opening the bug report so we don't forget about it.

It would be nice to have, for a given source package, a report/view
listing in a table each CVE (open in at least one suite), with columns
marking whether it is fixed in the given suite.

srpkg:

+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE           | oldstable | oldstable-security | stable  | stable-security | testing | unstable |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE-1234-5678 | unfixed   | 1.2-3+squeeze1     | unfixed | 1.3-4+deb7u1    | unfixed | 1.5      |
| CVE-5678-1234 | unfixed   | unfixed            | unfixed | unfixed         | unfixed | unfixed  |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+

In principle it should look like an aggregated view of each CVE page,
for a queried source package.

Regards,
Salvatore





Automatic CVE updates cronjob problem?

2013-09-06 Thread Salvatore Bonaccorso
Hi

[Cc'ing Joey directly as I don't know if you are subscribed to the
list, let me know if I should drop]

I noticed that since the 2nd of September the automatic update of the
CVE list is not done anymore for the security-tracker. Joey, do you
know if there is some problem with your cronjob running that?

I have done a manual one (see revision r23567) and indeed there were
updates which are usually done by the cronjob.

Regards,
Salvatore





Re: Linking security tracker with exploit-db ?

2013-09-01 Thread Salvatore Bonaccorso
Hi all,

On Thu, Mar 21, 2013 at 11:53:33PM +0200, Henri Salo wrote:
> On Thu, Mar 21, 2013 at 10:38:47PM +0100, Raphael Hertzog wrote:
> > (I'm not subscribed to debian-security-tracker@lists.debian.org, please
> > keep me in CC)
> >
> > Hello,
> >
> > while discussing with someone at Offensive Security, I learned that
> > there's a mapping between CVE numbers and exploits registered in
> > http://www.exploit-db.com/.
> >
> > I was thinking that it could be interesting to know whether exploits
> > are available and as such that it could be interesting to link CVE to the
> > corresponding exploits within the Debian security-tracker.
> >
> > I believe that everything required is already available online,
> > albeit only on webpages and would thus require some heavy web
> > scraping.
> >
> > Thus if you want to pursue this idea, I can put you in contact with the
> > relevant person at Offensive Security. They might be willing to publish
> > this mapping in a more convenient way (possibly as part of the CSV file
> > in http://www.exploit-db.com/archive.tar.bz2 or something similar).
> >
> > I thought that I would throw this idea out there because I find it interesting
> > but I just don't have the time and the desire to implement it.
> >
> > Cheers,
> > --
> > Raphaël Hertzog ◈ Debian Developer
> >
> > Get the Debian Administrator's Handbook:
> > → http://debian-handbook.info/get/
>
> Good idea. I have been thinking the same about OSVDB. If a security team member
> approves I could try to implement this. OSVDB also links to exploit-db.com in
> some items.

FYI, this was activated by Florian some days ago on the security
tracker instance.

Regards,
Salvatore





Bug#717103: security-tracker: DSA-2722-1 vs. tracker

2013-07-16 Thread Salvatore Bonaccorso
Hi Francesco,

On Tue, Jul 16, 2013 at 10:38:46PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hi,
> DSA-2722-1 [1] says that many vulnerabilities have been fixed for
> sid in openjdk-7/7u25-2.3.10-1 .
>
> The tracker seems to agree for all the vulnerabilities but CVE-2013-2454,
> which is claimed to be still present in sid [2].
> Is that an oversight?

Updated the tracker for openjdk-7. Moritz, do you know if this is also
fixed in openjdk-6 (the recent changelog does not mention CVE-2013-2454)?

Regards,
Salvatore





security-tracker problems after alioth update

2013-06-12 Thread Salvatore Bonaccorso
Hi

After the alioth update there are still some problems for the
security-tracker. The website right now does not get updated anymore
automatically.

What I have done on vasks.d.o side:

 - /home/groups/secure-testing/repo relocated from
   svn://svn.debian.org/secure-testing to
   svn://anonscm.debian.org/secure-testing

 - post-commit hook: changed to use now
   /usr/share/subversion/hook-scripts/commit-email.pl (changed path)

The docs also still refer to svn://svn.debian.org/secure-testing, and
soler/tracker will also need some adjustments (and relocating the
checkouts).

I have not done the last ones. Florian, can you have a look at the
tracker part?

Regards,
Salvatore





Re: CVE-2012-5083 does not affect openjdk

2013-04-30 Thread Salvatore Bonaccorso
Hi Steven

On Tue, Apr 30, 2013 at 07:21:29PM +0100, Steven Chamberlain wrote:
> Bug #690774 was closed (as invalid), and the remaining CVEs from the
> Oracle Java October 2012 updates have been marked as invalid, except
> for CVE-2012-5083, which is still open in the security tracker.
>
> I don't think it was obvious at the time, but I agree now that this
> (and some of the other CVEs) affected the Oracle Fusion Middleware
> and not OpenJDK.  This is vaguely implied in the description of:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3202
>
> Please could this CVE be closed like the others?

Have updated it.

Regards,
Salvatore





Re: [SECURITY] [DSA 2593-1] moin security update

2012-12-30 Thread Salvatore Bonaccorso
Hi

On Sat, Dec 29, 2012 at 09:31:42PM +0100, Moritz Muehlenhoff wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-2593-1                   secur...@debian.org
> http://www.debian.org/security/                        Moritz Muehlenhoff
> December 29, 2012                     http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : moin
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : not available yet

This was announced yesterday, but it looks like moin 1.9.3-1+squeeze4
is not yet present in the security repository.

Is this already known?

Regards,
Salvatore




Re: Information on a Postfix log analyzer

2012-12-01 Thread Salvatore Bonaccorso
Hi Stefano

[ I'm first telling him in Italian that this is an English-speaking list
and that I'm trying to translate ]

This is an English-language list. If you have questions in Italian, you
could contact the debian-italian list[1].

 [1]: https://lists.debian.org/debian-italian/

I will now try to translate your question.

On Tue, Nov 27, 2012 at 11:53:00AM +0100, Zattara Stefano wrote:
> Good morning to the whole list,
> I'd like to ask you for advice about a log analyzer for postfix.
> I have already had a look at pflogsum and at various similar interfaces in
> python.
> What I would be interested in is being able to reconstruct the life of
> an email
> from its arrival to its delivery, or its rejection for some reason
> ( arrival-postfix-antispam-filters-delivery )
>
> Does anyone have any tips for me on this?

He is asking the following: Stefano needs advice regarding a log
analyzer for postfix. He already looked at pflogsum and various
similar tools written in python. But he is interested in
reconstructing the 'life' of an email, from receipt up to the point
of delivery, or rejection for some reason (so receiving - postfix -
antispam - filters - delivery).

He asks if someone can give him hints in some direction.

Cheers,
Salvatore




