Re: NodeJS Security
Hi Sven,

On Wed, Jun 15, 2016 at 02:08:17PM +, Sven Buesing wrote:
> Dear Debian Security-Team,
>
> Are you going to address the following issues in nodejs for jessie
> (CVE-2016-2107, CVE-2016-2105, CVE-2016-0705, CVE-2016-0702)? For more
> information see below.

I'm afraid nodejs and libv8-3.14 related packages are not supported security-wise. See the explanation in the release notes at https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#libv8

Regards,
Salvatore
Call for testing: regression update for samba security update (DSA-3548-1)
Hi

The last Samba security update issued as DSA-3548-1 introduced several upstream regressions, which are addressed in this update. Before we release the packages we would like to call for additional testing.

The packages can be found on https://people.debian.org/~carnil/tmp/samba/jessie (amd64 builds only; no apt repository available).

If you find new problems introduced by updating to these packages from the ones which are currently on the security archive (2:4.2.10+dfsg-0+deb8u2), please report the problem directly to t...@security.debian.org .

Regards,
Salvatore, on behalf of the Debian security team

signature.asc Description: PGP signature
Call for testing: upcoming libxml2 security update
Hi

The upcoming libxml2 security update is a little bigger than usual, thus we want to expose the package a bit for additional testing. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org .

The packages can be found at:

https://people.debian.org/~carnil/tmp/libxml2/jessie/ (amd64 builds only)

While preparing the jessie-security update, the commits were backported as well for libxml2 in wheezy. If you are using them please test the packages at

https://people.debian.org/~carnil/tmp/libxml2/wheezy/ (amd64 builds only)

Regards,
Salvatore
Re: Update tracker for CVE-2012-1620
Hi Ilias,

On Sat, May 07, 2016 at 12:54:47PM +0300, Ilias Tsitsimpis wrote:
> Could someone update the security tracker for suckless-tools?
> CVE-2012-1620 has been fixed since version suckless-tools/39-1.
> The corresponding Debian Bug is #667796.

Thanks. I have updated the tracker information.

Regards,
Salvatore
Call for testing: upcoming samba security update
Hi

The upcoming Samba update is bigger than usual since for Jessie an update to 4.2 is needed. We want to expose the package a bit more for additional testing.

Please test the packages found on https://people.debian.org/~carnil/tmp/samba/ (no apt repository available for these test packages at this time).

If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org, including abart...@samba.org and sath...@debian.org.

The update is planned to be released tomorrow, 2016-04-13.

Regards,
Salvatore, on behalf of the Debian security team
Re: tracking security issues without CVEs
Hi Brian, hi Paul,

On Sun, Mar 06, 2016 at 04:59:43PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> > Just wondering if there is some other way we can track security issues
> > for when CVEs are not available.
> >
> > Thinking of imagemagick here, it has a lot of security issues, and
> > requests for CVEs are not getting any responses.
>
> Creating individual bugs in the Debian BTS, including more details
> like fixing commits would be a great start, since we use either CVEs
> or references to the Debian BTS in DSAs (and DLAs). Furthermore the
> security-tracker handles both (you can actually search items there via
> either CVE id, bug number or package name).
>
> The original CVE request at
> http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not
> fully optimal, since it just pasted a collection of items. Adding
> references to fixing commits would have helped to get CVEs assigned to
> issues. The original request at least makes it really hard to
> identify the issues and make sure the CVEs are assigned correctly.

Just one comment which I forgot to address in the previous mail, regarding the OVE identifiers. The question about the CVE assignments was just re-raised yesterday on oss-security. The whole might look promising indeed. But I think as well that it is right now too early to start adopting these for not yet assigned issues. Instead follow the current discussion on oss-security and let's see if across distributions there is going to be some consensus/approach for this issue.

For the record, the thread starts at http://www.openwall.com/lists/oss-security/2016/03/04/4 where Kurt Seifried from Red Hat raised the concern.

Regards,
Salvatore
Re: tracking security issues without CVEs
Hi,

On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
> Just wondering if there is some other way we can track security issues
> for when CVEs are not available.
>
> Thinking of imagemagick here, it has a lot of security issues, and
> requests for CVEs are not getting any responses.

Creating individual bugs in the Debian BTS, including more details like fixing commits would be a great start, since we use either CVEs or references to the Debian BTS in DSAs (and DLAs). Furthermore the security-tracker handles both (you can actually search items there via either CVE id, bug number or package name).

The original CVE request at http://www.openwall.com/lists/oss-security/2014/12/24/1 was IMHO not fully optimal, since it just pasted a collection of items. Adding references to fixing commits would have helped to get CVEs assigned to issues. The original request at least makes it really hard to identify the issues and make sure the CVEs are assigned correctly.

Regards,
Salvatore
Re: squid3: CVE-2016-2569 CVE-2016-2570 CVE-2016-2571
Hi Amos,

On Sat, Feb 27, 2016 at 07:20:57AM +1300, Amos Jeffries wrote:
> Hi,
> FYI the "squid" (version 2.7.*) source packages still hanging around
> in squeeze and wheezy are not affected by these.

Thanks. I will update the tracker information.

Regards,
Salvatore
Re: [SECURITY] [DSA 3482-1] libreoffice security update
Hi Rene,

On Wed, Feb 17, 2016 at 11:40:17PM +0100, Rene Engelhard wrote:
> On Wed, Feb 17, 2016 at 07:29:59PM +, Sebastien Delafond wrote:
> > For the testing (stretch) and unstable (sid) distributions, these
> > problems have been fixed in version 1:5.1.1~rc1-1.
>
> Actually, as I said (and as said upstream, it's fixed in 5.0.5 release), it's
> fixed since 5.0.5 rc1, so the version in stretch is already unaffected
> (it contains 1:5.0.5~rc2-1)

Thanks for the correction. I have updated the security-tracker information to reflect that.

Regards,
Salvatore
Re: stalin: CVE-2015-8697: Insecure use of temporary files
Hi Rob,

On Wed, Jan 20, 2016 at 05:41:56AM -0600, Rob Browning wrote:
> Rob Browning writes:
>
> > I believe the package is scheduled to be removed next week, and I'm
> > still waiting on a discussion with upstream about a (non-trivial) patch
> > I wrote to attempt to address the problem.
> >
> > So I wanted to ask for an opinion about the claim here that it might be
> > reasonable to lower the severity:
> >
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808730#20
> >
> > Thanks
>
> I just wanted to ping you, since today's the removal deadline.

Yes, I think we can downgrade the severity for it to important, since the attack vector is mitigated by the symlink restrictions enabled.

Regards,
Salvatore
Re: [SECURITY] [DSA 3448-1] linux security update
Hi,

On Wed, Jan 20, 2016 at 10:42:04AM +0800, Bjoern Nyjorden wrote:
> Thanks Holger & Ben,
>
> Most appreciated. So, just to confirm; my take away on this is:
>
> * 1. "Wheezy" Linux kernels are NOT AFFECTED.
>
> * 2. "Wheezy" & "Jessie" BACKPORTS Linux kernels are VULNERABLE.
>
> If I have understood correctly?

For the most important CVE, https://security-tracker.debian.org/tracker/CVE-2016-0728 this is right. The issue was introduced in upstream commit 3a50597de8635cd05133bd12c95681c82fe7b878 which is in kernels v3.8-rc1 onwards. The Wheezy kernel is not affected, Wheezy and Jessie backports are vulnerable but being fixed.

You can get the full picture for Wheezy and Jessie status by starting from https://security-tracker.debian.org/tracker/DSA-3448-1 and following the CVE references for details. The other issues which affect Wheezy as well will be fixed for Wheezy in a later DSA. (Yes, the security-tracker does not track backports.)

Hope this helps,

Regards,
Salvatore
Re: Bug#810799: libcgi-session-perl: Perl DSA-3441-1 exposes taint bug in CGI::Session::Driver::file
Hi,

On Tue, Jan 12, 2016 at 01:38:51PM +, Dominic Hargreaves wrote:
> Control: tags -1 - security
> Control: found -1 4.46-1
>
> On Tue, Jan 12, 2016 at 12:54:19PM +, Chris Boot wrote:
> > Control: tag -1 security
> >
> > On 12/01/16 12:28, Chris Boot wrote:
> > [snip]
> > > Forwarded: https://rt.cpan.org/Public/Bug/Display.html?id=80346
> > >
> > > Dear Maintainer,
> > >
> > > With Perl upgraded from 5.20.2-3+deb8u1 to 5.20.2-3+deb8u2, our
> > > installation of TWiki (http://twiki.org/) no longer functions. This
> > > happens due to CGI::Session::Driver::file complaining about taint.
> >
> > I'm bringing this bug to the attention of the security team, as it has
> > only come to light since the Jessie DSA of Perl (DSA-3441-1), so it's a
> > stable security regression.
>
> Indeed, this is unfortunate - confirmed that this is trivially
> reproducible. It is misleading to call this a security bug in itself,
> so I am removing that tag.
>
> I am happy to prepare an updated package with the patch in from the RT
> ticket, though it would be good to get some second opinions on the
> correctness of that patch. I guess that should be released as a DSA
> update, given (as you point out) it's a regression indirectly introduced
> by the DSA. Another alternative would be the jessie point release, for
> which the freeze date is later this week.
>
> I'm puzzled about why this wasn't spotted as an issue for wheezy, which
> doesn't have the perl taint bug, and does suffer from this problem: we
> should fix that there too, probably in the next point release.

My gut feeling about this: since the issue was already present before, uncovered indirectly by the perl DSA, and currently affects twiki (not packaged in Debian), I would tend to ask the SRM to have the fix for libcgi-session-perl scheduled via the next Jessie point release rather than a DSA. Do you feel strongly about having the fix earlier via a DSA?

Thanks for bringing that to our attention!

Regards,
Salvatore
Call for testing: libxml2 update
Hi

The upcoming libxml2 security update is a little bigger than usual, thus we want to expose the package a bit for additional testing. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org .

The packages can be found at:

wheezy: https://people.debian.org/~carnil/tmp/libxml2/wheezy/
jessie: https://people.debian.org/~carnil/tmp/libxml2/jessie/

(amd64 builds only).

Regards,
Salvatore
Re: Cannot retrieve updates from security repos
Hi,

On Thu, Dec 17, 2015 at 11:40:47PM +0200, Pavlos K. Ponos wrote:
> Hello everyone,
>
> First of all, apologies in advance if this mailing list is not the correct
> one :)
>
> While I was trying to do my usual updates in my Jessie installation, I took
> the following message:
>
> Err http://security.debian.org/ jessie/updates/main linux-libc-dev amd64
> 3.16.7-ckt20-1+deb8u1
> 404 Not Found [IP: 133.242.99.74 80]
> E: Failed to fetch
> http://security.debian.org/pool/updates/main/l/linux/linux-libc-dev_3.16.7-ckt20-1+deb8u1_amd64.deb
> 404 Not Found [IP: 133.242.99.74 80]
>
> Do you have any idea what this is or how I should fix it? Is this a problem
> with the security repositories? I tried several times, outcome was the same.

There is an ongoing process to issue a DSA for linux indeed. But there is a problem with the security mirrors right now.

Regards,
Salvatore
Bug#805079: security-tracker: External check for CVEs from Red Hat not working anymore
Package: security-tracker
Severity: normal
Owner: car...@debian.org

Currently the external check for CVEs found on Red Hat but not in the security-tracker is not working anymore due to changes on Red Hat's site listing the CVEs. Working on trying to find an alternative method.

Regards,
Salvatore
Re: [SECURITY] [DSA 3386-2] unzip regression update
Hi David,

On Tue, Nov 10, 2015 at 08:59:04AM +0100, Thijs Kinkhorst wrote:
> Hi David,
>
> On Mon, November 9, 2015 23:25, David McDonald wrote:
> > Hi Salvatore,
> >
> > Your e-mail below states:
> >
> > "For the stable distribution (jessie), this problem has been fixed in
> > version 6.0-16+deb8u2" (Nota bene the last digit)
> >
> > However, https://www.debian.org/security/2015/dsa-3386 states:
> >
> > "For the stable distribution (jessie), these problems have been fixed in
> > version 6.0-16+deb8u1"
>
> The website is updated periodically so it can take a short while before it
> reflects the update that was sent out in the email.

Just an additional note on the version numbers: 6.0-16+deb8u1 was the version which fixed the security issues with CVEs. 6.0-16+deb8u2 is an additional update which fixes a regression when extracting 0-byte files. So what the webpage reflects is the version where the security issues were fixed.

Hope this helps!

Regards,
Salvatore
Re: [SECURITY] [DSA 3386-2] unzip regression update
Hi Dave,

On Tue, Nov 10, 2015 at 09:54:19PM +, David McDonald wrote:
> Thank you Salvatore & Thijs for your responses.
>
> I appreciate and understand your advice.
>
> My specific interest in the matter arose after receiving the alert.
> I prepared to install the update that was listed in the e-mail and
> found that the latest I could obtain (using apt-get) was the earlier
> version. I investigated further to ensure the system was
> appropriately up-to-date. Fortunately the web site confirmed that
> the version I had obtained with apt-get addressed the particular
> issue identified in the alert.
>
> It did, however, leave me with some niggling doubts - as the
> difference might be interpreted as an indication of error or
> omission. (Your e-mail has, of course, dispelled such doubts).
>
> So, though perhaps this has been considered previously, in the
> interests of improving Debian may I suggest that it might be better
> to delay the e-mail until the web page is updated (or, better yet,
> "push" the update of the web page)?

Updating in a timely manner will probably not work with the current infrastructure unless the specific website can be updated on demand (instead of at the regular triggered interval). But it is important to us that delivered updates and debian-security-announce mails are closely followed.

As you said above that you actually didn't receive the update immediately via apt-get upgrade after the mail announce: I have sent out the advisory just after the package got installed into the archive, but I have heard from the Debian system administrators that two security-mirrors were not updated and were only fixed later. So maybe you got hit by this issue. If you check it now, you have unzip 6.0-16+deb8u2 available via apt, right?

Regards,
Salvatore
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi Ansgar,

On Tue, Nov 03, 2015 at 08:30:56AM +0100, Ansgar Burchardt wrote:
> Hi,
>
> Salvatore Bonaccorso <car...@debian.org> writes:
> > On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> >> Daniel Reichelt <deb...@nachtgeist.net> (2015-11-03):
> >> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> >> >
> >> > Is this an error or am I missing something?
> >
> > The problem seems to be the following: the upload was done only
> > including the arch:all packages, but the changes file was named
> > _amd64.changes.
>
> That was indeed the problem. For uploads to policy queues, we keep the
> .changes around and, as dak uses the uploader-provided name and doesn't
> rename them, uploads are rejected if they reuse an already used name.
>
> > I guess reuploading the amd64 builds with a renamed changes file
> > might work in this case?
>
> dak needs to forget that it has seen the file. Which means either
> resigning it or ftp-master telling dak to do so. I just did the latter
> and moved the upload back to the processing queue.

Thanks!

Regards,
Salvatore
Re: [SECURITY] [DSA 3355-2] libvdpau regression update
Hi,

Adding FTP masters to the loop, since they might help best in this case.

On Tue, Nov 03, 2015 at 01:08:36AM +0100, Cyril Brulebois wrote:
> Hi,
>
> Daniel Reichelt (2015-11-03):
> > Hi *
> >
> > the amd64 build for 0.8-3+deb8u2 seems to be missing from [1].
> >
> > Is this an error or am I missing something?

The problem seems to be the following: the upload was done only including the arch:all packages, but the changes file was named _amd64.changes. At least from the processing of the _amd64.changes I have:

libvdpau_0.8-3+deb8u2_amd64.changes uploaded successfully to ftp.upload.debian.org
along with the files:
  libvdpau_0.8-3+deb8u2.dsc
  libvdpau_0.8-3+deb8u2.debian.tar.xz
  libvdpau-doc_0.8-3+deb8u2_all.deb

I guess reuploading the amd64 builds with a renamed changes file might work in this case?

Regards,
Salvatore
Re: Embedded code copy in passwordsafe
Hi Bill,

On Tue, Oct 13, 2015 at 06:46:02PM -0400, Bill Blough wrote:
>
> Hi!
>
> The passwordsafe package (still in NEW) contains an embedded copy of pugixml
> (src:pugixml).
>
> The version of pugixml included in passwordsafe uses a different compile-time
> configuration than the packaged version. I have requested that an additional
> version of the pugixml package be created with the altered configuration [1].
> Once that occurs, I will be able to remove the embedded copy and instead use
> the packaged version.
>
> Note: I am not subscribed, so please CC me on any replies.

Thanks for the notice. I added a corresponding entry for passwordsafe in our embedded-code-copies file to document this for now.

Regards,
Salvatore
Re: Missing package in Debian Security Tracker site
Hi

On Tue, Oct 13, 2015 at 05:08:39PM +0800, Xiaoguang Bai wrote:
> Hi,
>
> For DSA-3348-1, the information in the following 2 sources does not match. The
> security tracker site does not show the fixed package/version for wheezy.
>
> https://lists.debian.org/debian-security-announce/2015/msg00247.html
> https://security-tracker.debian.org/tracker/DSA-3348-1
>
>
> Actually, I have noticed quite a few differences between the DSA mailing
> list and this tracker site. Should they match each other? May I know what
> might be the reason if they are different?

This is sort of a current limitation of the security-tracker when you have non-overlapping fixing versions. The free text form explains that only two CVEs affect wheezy. If you then check the CVEs explicitly, say CVE-2015-5165: https://security-tracker.debian.org/CVE-2015-5165 this has the correct information (which cannot be displayed correctly on the DSA-3348-1 overview page regarding the versions).

Regards,
Salvatore
Re: Correction to CVE-2015-3330 information
Hi Will,

On Mon, Jun 01, 2015 at 02:31:15PM -0600, Will Aoki wrote:
> https://security-tracker.debian.org/tracker/CVE-2015-3330 shows everything
> but squeeze-lts as vulnerable. There are two corrections I suggest:
>
> - As I understand it, wheezy isn't affected unless someone has upgraded
>   Apache to 2.4.
>
> - This problem was fixed in 5.6.7+dfsg-1, the version currently in jessie.
>   The changelog only mentions PHP bugs #68486 and #69218 because a CVE
>   number hadn't been issued yet.

Thanks for your update. I have marked the fixed version. I have though not changed the information for wheezy due to the source being affected.

Regards,
Salvatore

-- 
To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150601210447.GA27055@eldamar.local
Re: [SECURITY] [DSA 3269-1] postgresql-9.* security update
Hi,

On Thu, May 28, 2015 at 12:50:43PM +0200, ma...@wk3.org wrote:
> Hi,
>
> it seems this upgrade introduced some issues regarding symlinks. It's very
> easy to mitigate, but I guess less stressful if you know about it in advance:
>
> https://wiki.postgresql.org/wiki/May_2015_Fsync_Permissions_Bug

Just for additional information: we plan to release a regression update when the final fix for this issue is clear and packages are ready.

Regards,
Salvatore

Archive: https://lists.debian.org/20150529051315.GB18006@eldamar.local
Re: upgrading soler.d.o
Hi.

On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote:
> > On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote:
> > > It was updated already and I did some testing afterwards. Looks fine so far.
> >
> > The PTS is now failing to download this URL:
> >
> > https://security-tracker.debian.org/tracker/data/pts/1
>
> FTR, after restarting the security-tracker daemon it works again.
> Temporary problem only? Let's keep an eye on it!

There seems to be a memory leak, the tracker was again unresponsive and I needed to kill the tracker process and restart the daemon. It is nicely visible as well in the munin graphs for the security-tracker host. Have not done any further investigation.

Regards,
Salvatore

Archive: https://lists.debian.org/20150528083319.ga12...@lorien.valinor.li
Re: upgrading soler.d.o
Hi all,

On Thu, May 28, 2015 at 10:33:19AM +0200, Salvatore Bonaccorso wrote:
> Hi.
>
> On Thu, May 28, 2015 at 06:34:44AM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > On Thu, May 28, 2015 at 11:39:34AM +0800, Paul Wise wrote:
> > > On Wed, 2015-05-27 at 22:16 +0200, Salvatore Bonaccorso wrote:
> > > > It was updated already and I did some testing afterwards. Looks fine so far.
> > >
> > > The PTS is now failing to download this URL:
> > >
> > > https://security-tracker.debian.org/tracker/data/pts/1
> >
> > FTR, after restarting the security-tracker daemon it works again.
> > Temporary problem only? Let's keep an eye on it!
>
> There seems to be a memory leak, the tracker was again unresponsive and I
> needed to kill the tracker process and restart the daemon. It is nicely
> visible as well in the munin graphs for the security-tracker host. Have not
> done any further investigation.

If one tries to access the JSON format URL this triggers the issue.

Regards,
Salvatore

Archive: https://lists.debian.org/20150528125646.ga23...@lorien.valinor.li
Re: upgrading soler.d.o
Hi Florian,

On Wed, May 27, 2015 at 10:08:12PM +0200, Florian Weimer wrote:
> * Peter Palfrader:
>
> > we'd like to upgrade soler.d.o to jessie shortly. Any objections?
> > Should we just do it and let you pick up the pieces, if any, or would
> > you rather stop by in #debian-admin on IRC to coordinate?
>
> If you do it closer to the weekend, I'll probably be around to pick up
> the pieces.

It was updated already and I did some testing afterwards. Looks fine so far.

Regards,
Salvatore

Archive: https://lists.debian.org/20150527201657.GA9666@eldamar.local
Call for testing: libapache-mod-jk fixing CVE-2014-8111
Hi

Markus Koschany prepared updated packages for libapache-mod-jk for wheezy-security and jessie-security. If you run libapache-mod-jk in production, testing of the prepared packages would be very welcome.

If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org and Markus Koschany a...@gambaru.de .

The packages can be found at:

wheezy: https://people.debian.org/~carnil/tmp/libapache-mod-jk/wheezy/
jessie: https://people.debian.org/~carnil/tmp/libapache-mod-jk/jessie/

(amd64 builds only).

Regards,
Salvatore
Re: Sub-release information on per-source-package page
Hi Florian,

On Mon, May 25, 2015 at 05:57:20PM +0200, Salvatore Bonaccorso wrote:
> Hi Florian,
>
> On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote:
> > * Florian Weimer:
> >
> > > Salvatore pointed me to the long-standing bug which causes the
> > > per-source-package pages such as
> > > https://security-tracker.debian.org/tracker/source-package/dnsmasq
> > > not to display fixes which have not yet migrated to the master archive
> > > (i.e. are currently fixed in the security archive only).
> > >
> > > If I manage to fix this, would it be important to preserve the
> > > “squeeze (lts)”, “wheezy (security)” etc. columns, or do you only need
> > > the information if squeeze, wheezy and the other releases are fixed
> > > somewhere?
> >
> > I have removed the sub-release information. The issue which led to
> > completely vanishing bugs has been fixed, and the open/resolved
> > distinction now disregards the unfixed master archive if there is a fix
> > in security/tls.
> >
> > This is visible here:
> >
> > https://security-tracker.debian.org/tracker/source-package/dnsmasq
> >
> > (CVE-2015-3294 was missing.)
> >
> > Or here:
> >
> > https://security-tracker.debian.org/tracker/source-package/bind9
> >
> > (Some long-fixed issues were listed as open, presumably due to lack of
> > migration into a point release.)
>
> Nice! Thanks for taking the time, investigating the issue and fixing it.
> And with the new yellow status for no-dsa it looks really great.

One small addition: since we now consider "fixed somewhere in codename" as fixed in $codename, would it be possible to reflect this as well in the header section of e.g. https://security-tracker.debian.org/tracker/CVE-2015-3294 ? But please keep the detail view below in the section "Vulnerable and fixed packages".

Regards and thanks again,
Salvatore

Archive: https://lists.debian.org/20150525160123.GA23653@eldamar.local
Re: Sub-release information on per-source-package page
Hi Florian,

On Mon, May 25, 2015 at 05:52:00PM +0200, Florian Weimer wrote:
> * Florian Weimer:
>
> > Salvatore pointed me to the long-standing bug which causes the
> > per-source-package pages such as
> > https://security-tracker.debian.org/tracker/source-package/dnsmasq
> > not to display fixes which have not yet migrated to the master archive
> > (i.e. are currently fixed in the security archive only).
> >
> > If I manage to fix this, would it be important to preserve the
> > “squeeze (lts)”, “wheezy (security)” etc. columns, or do you only need
> > the information if squeeze, wheezy and the other releases are fixed
> > somewhere?
>
> I have removed the sub-release information. The issue which led to
> completely vanishing bugs has been fixed, and the open/resolved
> distinction now disregards the unfixed master archive if there is a fix
> in security/tls.
>
> This is visible here:
>
> https://security-tracker.debian.org/tracker/source-package/dnsmasq
>
> (CVE-2015-3294 was missing.)
>
> Or here:
>
> https://security-tracker.debian.org/tracker/source-package/bind9
>
> (Some long-fixed issues were listed as open, presumably due to lack of
> migration into a point release.)

Nice! Thanks for taking the time, investigating the issue and fixing it. And with the new yellow status for no-dsa it looks really great.

Thank you!

Regards,
Salvatore

Archive: https://lists.debian.org/20150525155720.GA23434@eldamar.local
Re: External check
Hi,

On Tue, May 19, 2015 at 05:49:44AM +, Raphael Geissert wrote:
> CVE-2015-8146: missing from list
> CVE-2015-8147: missing from list

These two seem wrong both in the Debian bug #784773 subject and, as a consequence, in the Red Hat bugzilla. They should be CVE-2014-8146 and CVE-2014-8147 afaics. Contacted Martin Prpic from Red Hat about it and retitled #784773.

Regards,
Salvatore

Archive: https://lists.debian.org/20150519062913.GA16717@eldamar.local
Re: [SECURITY] [DSA 3258-1] quassel security update
Hi,

On Wed, May 13, 2015 at 07:43:47PM +0800, Paul Wise wrote:
> On Wed, May 13, 2015 at 5:26 PM, Dominic Hargreaves wrote:
> > As far as I can tell from
> > https://security-tracker.debian.org/tracker/CVE-2013-4422 wheezy wasn't
> > affected by the original CVE since the version of QT there is 4.8.5. Is
> > that correct? If so, what's the right way to mark this fact in the
> > security-tracker data?
>
> Add something like the third line here to data/CVE/list:
>
> CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)
> 	- quassel 0.9.1-1
> 	[wheezy] - quassel <not-affected> (Vulnerable code not present)

<not-affected> (Vulnerable code not present) would not be correct, since the issue appears if one would use qt4 with the backported fix https://bugreports.qt-project.org/browse/QTBUG-30076 . But it can be marked as unimportant, saying that (for now) the binary packages are unaffected since in Debian QTBUG-30076 is not backported to wheezy. Or just leave it that way, the notes make clear when the issue applies to the binary packages as well.

Regards,
Salvatore

Archive: https://lists.debian.org/20150513165007.GA27892@eldamar.local
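The data/CVE/list entry discussed in the message above, parsed and resolved per release, as an added example that is not code from the security-tracker project: the angle-bracket status tags follow the tracker's file format, the dpkg version ordering is re-implemented here from the Debian Policy algorithm rather than taken from the tracker, and the per-release quassel versions fed in are constructed sample values, not archive data.

```python
"""Resolve per-release status from a Debian security-tracker data/CVE/list entry.

Added example (not security-tracker code). It shows why the release-specific
line "[wheezy] - quassel <not-affected>" makes wheezy resolve as not affected
even though its quassel version sorts before the fixing version 0.9.1-1.
"""
import re
from itertools import zip_longest
from typing import Dict, Tuple

# Constructed sample entry in data/CVE/list format (tab-indented sub-lines).
SAMPLE_ENTRY = """\
CVE-2013-4422 (SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 ...)
\t- quassel 0.9.1-1
\t[wheezy] - quassel <not-affected> (Vulnerable code not present)
\tNOTE: constructed note line for the example
"""

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?: \((.*)\))?$")
# "[release] - package version-or-<tag> (optional reason)"
PKG_RE = re.compile(r"^\s+(?:\[(\w+)\] )?- (\S+) (\S+)(?: \((.*)\))?$")


def parse_entry(text: str) -> dict:
    """Split one entry into id, description, NOTE lines and package lines.

    Each package line becomes (release or None, package, version-or-<tag>, reason).
    """
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a CVE header line: %r" % lines[0])
    entry = {"id": m.group(1), "description": m.group(2), "notes": [], "packages": []}
    for line in lines[1:]:
        if line.strip().startswith("NOTE:"):
            entry["notes"].append(line.strip()[len("NOTE:"):].strip())
            continue
        pm = PKG_RE.match(line)
        if pm:
            entry["packages"].append(pm.groups())
    return entry


def _order(c: str) -> int:
    """dpkg character ordering: '~' before end-of-string, letters before others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment the way dpkg does (-1, 0, 1)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into its three parts (defaults 0 and '')."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a <, ==, > b under Debian version ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def release_status(entry: dict, package: str, release: str, installed: str) -> str:
    """Return 'not-affected', 'fixed', 'vulnerable', 'unknown' or a raw tag.

    A '[release] - package ...' line overrides the global '- package ...' line;
    the caller supplies the release's package version (the tracker reads it
    from the archive, which this example does not do).
    """
    override = global_line = None
    for rel, pkg, ver, _reason in entry["packages"]:
        if pkg != package:
            continue
        if rel == release:
            override = ver
        elif rel is None:
            global_line = ver
    ver = override if override is not None else global_line
    if ver is None:
        return "unknown"
    if ver.startswith("<"):
        tag = ver.strip("<>")
        return {"not-affected": "not-affected", "unfixed": "vulnerable"}.get(tag, tag)
    return "fixed" if compare_versions(installed, ver) >= 0 else "vulnerable"


def demo() -> Dict[str, str]:
    """Resolve the sample entry against constructed per-release quassel versions."""
    entry = parse_entry(SAMPLE_ENTRY)
    sample_versions = {"squeeze": "0.7.3-1", "wheezy": "0.8.0-2.1", "jessie": "0.10.0-2.3"}
    return {rel: release_status(entry, "quassel", rel, v) for rel, v in sample_versions.items()}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(rel, status)
```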
Bug#783491: security-tracker: document what needs to be done on releases and other archive changes
Hi all,

FTR/for documentation: I as well reverted a change to bin/add-dsa-needed.sh since it otherwise looked as well at oldoldstable and generated wrong suggestions for addition to dsa-needed.txt. (r34131)

Reference is added as well in https://wiki.debian.org/SuitesAndReposExtension#secure-testing

Regards,
Salvatore

Archive: https://lists.debian.org/20150508171117.GA20123@eldamar.local
Bug#783491: security-tracker: document what needs to be done on releases and other archive changes
Hi

I think two more changes were actually needed to get the testing status view to show the correct information: r34072 and r34073.

https://security-tracker.debian.org/tracker/status/release/testing should look better now.

Regards,
Salvatore

Archive: https://lists.debian.org/20150505044932.GA6316@eldamar.local
Re: Embedded code copy in flightcrew
Hi Mattia,

On Sun, Mar 01, 2015 at 07:42:49PM +0100, Mattia Rizzolo wrote:
> Hi!
>
> The flightcrew package, recently accepted by the ftp folks, contains a patched copy of zipios. Look at https://sources.debian.net/src/flightcrew/0.7.2%2Bdfsg-1/src/zipios/changes_made.txt/ for more info.
>
> Thanks for your work!

Thank you for this heads up, I have added this to our embedded-copies file.

Regards,
Salvatore

Archive: https://lists.debian.org/20150303061447.ga12...@lorien.valinor.li
Bug#761859: security-tracker json deployed
Hi Paul,

On Fri, Feb 27, 2015 at 07:31:10AM +0800, Paul Wise wrote:
> On Thu, 2015-02-26 at 17:41 +0100, Holger Levsen wrote:
> > On Donnerstag, 26. Februar 2015, Paul Wise wrote:
> > > I noticed the description fields are truncated, is that intentional?
> >
> > that's all that is stored in the db...
>
> Are you sure? By way of example, take a look at CVE-2012-0833, the description listed on the web page is much longer than in the JSON.
>
> https://security-tracker.debian.org/tracker/CVE-2012-0833

See https://bugs.debian.org/761859#185 . In the data/CVE/list file itself, it also only contains the truncated one (which is fine in this case).

Regards,
Salvatore

Archive: https://lists.debian.org/20150227083558.ga24...@lorien.valinor.li
Bug#777456: security-tracker: DSA-2978-2 vs. tracker
Hi Francesco,

On Sun, Feb 08, 2015 at 12:35:56PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hello again, there seems to be a typo in the tracker page for CVE-2014-3660 [1]: it states that the vulnerability is fixed in jessie by libxml2/2.9.1+dfsg1-5 , while DSA-2978-2 [2] says that the fixed version is 2.9.1+dfsg1-4 ...

The situation for the update in DSA-2978-2 is actually a bit complicated.

DSA-2978-1: Fixed CVE-2014-0191:
 - wheezy: 2.8.0+dfsg1-7+wheezy1
 - jessie: 2.9.1+dfsg1-4
 - unstable: 2.9.1+dfsg1-4

A regression in functionality was found, so releasing updates for it.

DSA-3057-1: Fixed CVE-2014-3660:
 - wheezy: 2.8.0+dfsg1-7+wheezy2
 - jessie: unfixed
 - unstable: 2.9.2+dfsg1-1

libxml2 could not migrate to jessie in this version, so the fix for CVE-2014-3660 never reached jessie. After that, regressions in functionality were addressed with the DSA you are mentioning.

For jessie to fix the issue in CVE-2014-3660 a pre-approval for an upload to t-p-u was opened in https://bugs.debian.org/776748 so the version fixing CVE-2014-3660 will be correct as libxml2/2.9.1+dfsg1-5 once the package is accepted. The entry in the tracker was only added a bit prematurely, as the package was not yet accepted by the release team.

So I would say (unless I now missed something) all the versions in the tracker are correct (apart from that we should have delayed adding 2.9.1+dfsg1-5, since it is not yet approved), and the advisory text itself was a bit complicated to write up to reflect all this correctly.

So I would tend to close this bug right away, or wait until 2.9.1+dfsg1-5 is accepted into jessie via t-p-u, but unfortunately the advisory text https://lists.debian.org/debian-security-announce/2015/msg00039.html in the list archives is now out this way.

Regards,
Salvatore

Archive: https://lists.debian.org/20150208125836.GA27762@eldamar.local
Call for testing: c-icap security update
Hi

There is an upcoming update for c-icap for wheezy-security. If you run a c-icap setup, testing of the prepared packages would be very welcome. If you find a problem introduced by updating to these packages, please report the problem directly to t...@security.debian.org .

The packages can be found at https://people.debian.org/~carnil/tmp/c-icap/

Regards,
Salvatore
Bug#771121: security-tracker: often returns 502 Proxy Error
Hi Francesco,

On Wed, Nov 26, 2014 at 11:56:26PM +0100, Francesco Poli (wintermute) wrote:
> Am I the only one who experiences such issues? I was hoping to see the problem fixed, but no joy yet...

Just to confirm: you are not the only one, I'm seeing the same from time to time in the last couple of weeks. :(

Regards,
Salvatore

Archive: https://lists.debian.org/20141127063536.ga1...@lorien.valinor.li
Bug#764091: security-tracker: CVE overview does not sort group anymore by Source Package when one CVE affects multiple source packages
Package: security-tracker
Severity: normal

Hi

After the changes in #761889, when a CVE affects multiple source packages the table of vulnerable and fixed packages sorts only by release. So now for example CVE-2014-0207 shows:

Source Package   Release                       Version             Status
file (PTS)       squeeze (security), squeeze   5.04-5+squeeze5     vulnerable
php5 (PTS)       squeeze (security), squeeze   5.3.3-7+squeeze19   vulnerable
file (PTS)       squeeze (lts)                 5.04-5+squeeze7     fixed
php5 (PTS)       squeeze (lts)                 5.3.3-7+squeeze22   fixed
file (PTS)       wheezy                        5.11-2+deb7u3       vulnerable
php5 (PTS)       wheezy                        5.4.4-14+deb7u11    vulnerable
file (PTS)       wheezy (security)             5.11-2+deb7u5       fixed
php5 (PTS)       wheezy (security)             5.4.4-14+deb7u14    fixed
file (PTS)       jessie, sid                   1:5.19-2            fixed
php5 (PTS)       jessie, sid                   5.6.0+dfsg-16       fixed

Please have the table first group again by source package and then, within this table, sort by release, like:

Source Package   Release                       Version             Status
file (PTS)       squeeze, squeeze (security)   5.04-5+squeeze5     vulnerable
                 squeeze (lts)                 5.04-5+squeeze7     fixed
                 wheezy                        5.11-2+deb7u3       vulnerable
                 wheezy (security)             5.11-2+deb7u5       fixed
                 jessie, sid                   1:5.19-2            fixed
php5 (PTS)       squeeze, squeeze (security)   5.3.3-7+squeeze19   vulnerable
                 squeeze (lts)                 5.3.3-7+squeeze21   fixed
                 wheezy                        5.4.4-14+deb7u11    vulnerable
                 wheezy (security)             5.4.4-14+deb7u14    fixed
                 jessie, sid                   5.6.0+dfsg-1        fixed

Regards,
Salvatore

Archive: https://lists.debian.org/20141005120320.28091.34337.reportbug@eldamar.local
Re: [SECURITY] [DSA 3032-1] bash security update
Hi Jens,

On Thu, Sep 25, 2014 at 10:05:28AM +0200, Rabe, Jens wrote:
> is there a chance to get the bash-update for squeeze (6.0)?

Note that regular security support for squeeze has ended. You will need to use squeeze-lts to still receive updates, more details are in [1].

[1] https://wiki.debian.org/LTS
[2] https://lists.debian.org/debian-lts-announce/2014/09/msg00016.html

Regards,
Salvatore

Archive: https://lists.debian.org/20140925091008.ga23...@lorien.valinor.li
Re: Guidance on no-dsa and adding entries to dsa/dla-needed.txt
Hi all,

On Wed, Sep 24, 2014 at 02:37:00PM +0200, Holger Levsen wrote:
> [...]
> > Then the separate text files could go away, and we can just use no-dsa in the CVE list to keep those pages up to date.
>
> you mean those dsa-needed.txt and dla-needed.txt files?

We could. But right now we also use the (dla|dsa)-needed.txt lists to have an assignment of who is working on what DSA/DLA.

Regards,
Salvatore

Archive: https://lists.debian.org/20140924124251.ga31...@lorien.valinor.li
Re: Switching the tracker to git
Hi

I forgot about two more points: One is that the sectracker user is subscribed to the commits mailing lists, and the commit messages trigger updates of the tracker. The other thing, the svn checkout is also used for http://security-team.debian.org, but this should be a simple case.

I will add all items to be considered - and which come to my mind - for a svn to git migration into org/TODO

Please add there further todos! Hope that helps anybody who wants to volunteer for that.

Regards,
Salvatore

Archive: https://lists.debian.org/20140915110031.ga32...@lorien.valinor.li
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Hi Holger,

On Mon, Sep 15, 2014 at 02:32:54PM +0200, Holger Levsen wrote:
> On Samstag, 13. September 2014, Salvatore Bonaccorso wrote:
> > I had a look at this patch. It can only address isolated URLs in the notes this way. We usually use this in other ways, one example is the one Florian mentioned in the first message:
> > - https://security-tracker.debian.org/tracker/CVE-2014-3122
>
> right, thanks for this example. I'll wrap regexes around my head til it matches - or so :-)

Hmm, would something wrapping around the following work? Considering there might be more than one matching group in each line, so the example holds only for the simplest case again :(

cut-cut-cut-cut-cut-cut-
import re

# one NOTE line as found in data/CVE/list
string = "Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)"

# named group "url": an http(s) URL running up to the next whitespace
print(re.search(r"(?P<url>https?://[^\s]+)", string).group("url"))
cut-cut-cut-cut-cut-cut-

> > Thanks for also looking into this one!
>
> my pleasure, thank you all very much for many years of working on all these security issues! I can now slightly better appreciate what huge task you're working on!

Thanks Holger!

Regards,
Salvatore

Archive: https://lists.debian.org/20140915125654.ga22...@lorien.valinor.li
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Hi Holger,

On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote:
> Hi,
>
> On Montag, 15. September 2014, Salvatore Bonaccorso wrote:
> > Hmm, would something wrapping around the following work?
>
> sounds like a good start...
>
> > Considering there might be more than one matching group in each line, so the example holds only for the simplest case again :(
>
> are there really examples with two urls in one line?

We have, e.g. https://security-tracker.debian.org/tracker/CVE-2011-2825

But if that will not work, I think we can work around it and split these lines when we encounter them. If we can find a working solution, then clearly better :)

Regards,
Salvatore

Archive: https://lists.debian.org/20140915160529.GA7462@eldamar.local
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Hi Holger,

On Mon, Sep 15, 2014 at 06:05:29PM +0200, Salvatore Bonaccorso wrote:
> Hi Holger,
>
> On Mon, Sep 15, 2014 at 03:30:05PM +0200, Holger Levsen wrote:
> > Hi,
> >
> > On Montag, 15. September 2014, Salvatore Bonaccorso wrote:
> > > Hmm, would something wrapping around the following work?
> >
> > sounds like a good start...
> >
> > > Considering there might be more than one matching group in each line, so the example holds only for the simplest case again :(
> >
> > are there really examples with two urls in one line?
>
> We have, e.g. https://security-tracker.debian.org/tracker/CVE-2011-2825
>
> But if that will not work, I think we can work around it and split these lines when we encounter them. If we can find a working solution, then clearly better :)

We only have a handful of those, so: If you find a solution to catch also these then good. Otherwise we will need to work around it. Do you have an idea to catch also these?

Please commit this change, I will activate it on the security-tracker.

Regards,
Salvatore

Archive: https://lists.debian.org/20140915162538.GA9439@eldamar.local
Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)
Hi Holger,

On Mon, Sep 15, 2014 at 01:47:57AM +0200, Holger Levsen wrote:
> Hi Salvatore,
>
> On Samstag, 13. September 2014, Salvatore Bonaccorso wrote:
> > I tested the patch in my local instance.
>
> yeah, it's clearly the wrong patch I attached, sorry.
>
> > libspring-java as by now, might change in future, shows right now: This should be ordered (and for future releases): Bug | wheezy | jessie | sid | Description
>
> the instance here does so, and it also orders them within releases by '', 'security', 'lts' :) And that's the patch posted for #742382, which I've attached for clarity.

Yep, my comment was about the wrongly attached patch: it does not solve the problem, and the tabular view would still be the old one.

> Regarding the patch I accidentally sent to this bug:
> > I tested the patch in my local instance. It does sort now the CVEs in descending order, which was not what I meant. We had so far the oldest CVEs on top, which this patch would change.
>
> I think this should still be done, newer stuff is usually more interesting (so here) and should thus be displayed on top. The reasoning "because it has been like this since always" is not so convincing.

Not necessarily, that would be my point which I want to highlight. If you have the older CVE -- still unresolved -- on top, this will draw your attention to them. One will hopefully fix the newly found ones anyway, maybe referenced to you via a bugreport in the BTS, and looking at the security-tracker it will redirect you also to older ones which were not addressed.

Anyway, we seem the only two people involved in this arguing ;-) I don't have time/energy to further defend my point of view. So if you think it really would help working on the tracker to invert the CVE ordering, then please go ahead!

p.s.: I'm for example really happy to see the improvements you implemented regarding the URL linking in TODO and NOTE! They really will help on working on the tracker IMHO. Thanks!

Regards,
Salvatore

Archive: https://lists.debian.org/20140915164632.GA10368@eldamar.local
Re: RFC: Invert ordering of issues in source package view: newest should be up
Hi,

On Mon, Sep 15, 2014 at 02:24:34PM +0200, Holger Levsen wrote:
> Hi Salvatore,
>
> On Samstag, 13. September 2014, Salvatore Bonaccorso wrote:
> > This changes the ordering in the 'Security announcements' section, ordering it by release date of the DSA/DLA, right? So for example file will show with your patch:
> >
> > DSA / DLA     Description
> > DLA-50-1      file - security update
> > DSA-3021-1    file - security update
> > DLA-27-1      file - security update
> > [...]
> >
> > This looks like a good change to do, so ack at least from my side to do so.
>
> Ok, I've pushed this one now to svn, so that we can focus on the less straightforward ones. Also, as someone said, reverting is easy, even with svn ;)

I just have activated this change on security-tracker, see e.g. https://security-tracker.debian.org/tracker/source-package/bind9.

Regards,
Salvatore

Archive: https://lists.debian.org/20140915180338.GA19299@eldamar.local
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Hi,

On Mon, Sep 15, 2014 at 07:59:53PM +0200, Holger Levsen wrote:
> Hi Salvatore,
>
> On Montag, 15. September 2014, Salvatore Bonaccorso wrote:
> > https://security-tracker.debian.org/tracker/CVE-2011-2825
>
> hmpf, that works for 1 out of 3, the other 2 are detected as one :/
>
> > We only have a handful of those, so: If you find a solution to catch also these then good. Otherwise we will need to work around it. Do you have an idea to catch also these?
>
> not yet...
>
> > Please commit this change, I will activate it on the security-tracker.
>
> ...but I will commit now and then will see if I find the cause why CVE-2011-2825 isn't displayed properly :)

Activated that change (not closing the bug, as there is still one part to be addressed possibly).

Thanks for your work,
Regards,
Salvatore

Archive: https://lists.debian.org/20140915181233.GA19840@eldamar.local
Bug#742382: Display oldstable/stable security and olstable-lts repositories in tabular view. (Closes: #742382)
Hi,

On Mon, Sep 15, 2014 at 11:40:59PM +0200, Holger Levsen wrote:
> Hi,
>
> On Samstag, 13. September 2014, Salvatore Bonaccorso wrote:
> > I have your patch running on my testinstance and looks good so far! (But having done only some basic tests).
>
> I'd like to push this one next, as this really makes a difference, whether security+lts are considered, or not ;-) Any objections?

Works fine and looks fine to me... I was hoping to see some other feedback/tests on that. But it worked for me as well in my testinstance. Please go ahead with the commit!

Regards,
Salvatore

Archive: https://lists.debian.org/20140916045702.ga31...@lorien.valinor.li
Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view
Control: tags -1 - pending

Hi Holger,

On Fri, Sep 12, 2014 at 12:19:06PM +0200, Holger Levsen wrote:
> attached is a patch to lib/python/web_support.py which turns the notes (used in CVEs) into hyperlinks - if they start with http(s)://
>
> Please tell me whether it's ok to commit this.

I had a look at this patch. It can only address isolated URLs in the notes this way. We usually use this in other ways, one example is the one Florian mentioned in the first message:

Note: see https://

which should turn into

see <a href='http://www.example.com/info.html'><code>http://www.example.com/info.html</code></a>

Other examples where we use the free form extensively are when we document which commits introduced a given problem, where it was fixed, etc. I'm adding also the corresponding note, as this might change when looking next time into it:

- https://security-tracker.debian.org/tracker/CVE-2014-3620
  NOTE: http://curl.haxx.se/docs/adv_20140910B.html
  NOTE: Introduced by https://github.com/bagder/curl/commit/85b9dc8023
- https://security-tracker.debian.org/tracker/CVE-2014-3145
  NOTE: Upstream fix https://git.kernel.org/linus/05ab8f2647e4221cbdb3856dd7d32bd5407316b3
  NOTE: Introduced by https://git.kernel.org/linus/4738c1db1593687713869fa69e733eebc7b0d6d8
  NOTE: https://git.kernel.org/linus/d214c7537bbf2f247991fb65b3420b0b3d712c67
- https://security-tracker.debian.org/tracker/CVE-2014-3122
  NOTE: Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233
  NOTE: Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)

The last one is particularly interesting as it contains normal text before, and after, a reference which should be turned into a link.

There is one other problematic example with the patch, where we have notes starting with http(s), but adding explanations/further text afterwards:

- https://security-tracker.debian.org/tracker/CVE-2014-6387
  NOTE: http://www.mantisbt.org/bugs/view.php?id=17640
  NOTE: http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)
  NOTE: http://github.com/mantisbt/mantisbt/commit/fc02c46ee (master branch)

So we would need something more complicated here, isolating first the urls in the text and converting that part, but keeping the surrounding ones.

Thanks for also looking into this one!

Regards,
Salvatore

Archive: https://lists.debian.org/20140913062217.GA12503@eldamar.local
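As an added example of the approach sketched in the last paragraph (code written for this page, not Holger's patch to lib/python/web_support.py and not the tracker's own code), the function below isolates every URL in a free-form NOTE line with re.finditer, turns each one into a link and keeps the surrounding text as escaped prose. That covers the cases collected in this thread: text before and after a reference, the "(1.2.x branch)" style suffixes, and the several-URLs-per-line case of CVE-2011-2825 discussed later. The sample notes are copied from the entries quoted in this mail; the trailing-punctuation rule, the exact character class and the <a><code> markup are assumptions of this example.

```python
# Added example, not code from the security-tracker or from Holger's patch.
# It generalises the re.search() one-liner discussed in this thread.
import html
import re

# A URL runs until whitespace or a character that cannot appear unescaped.
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Characters that are usually prose punctuation when they end a pasted URL.
TRAILING = ".,;:!?)"


def _trim(url):
    """Drop trailing punctuation, but keep a ')' that closes a '(' inside the URL."""
    while url and url[-1] in TRAILING:
        if url[-1] == ")" and url.count("(") >= url.count(")"):
            break
        url = url[:-1]
    return url


def find_urls(note):
    """Return every URL in a free-form NOTE line, in order of appearance."""
    return [_trim(m.group(0)) for m in URL_RE.finditer(note)]


def linkify(note):
    """Render a NOTE line as HTML: surrounding text is escaped and kept,
    each URL becomes <a href="..."><code>...</code></a>."""
    out, pos = [], 0
    for m in URL_RE.finditer(note):
        url = _trim(m.group(0))
        out.append(html.escape(note[pos:m.start()]))
        out.append('<a href="%s"><code>%s</code></a>' % (html.escape(url), html.escape(url)))
        pos = m.start() + len(url)   # resume right after the trimmed URL
    out.append(html.escape(note[pos:]))
    return "".join(out)


# Constructed sample: NOTE lines quoted in this thread.
SAMPLE_NOTES = [
    "Introduced by https://git.kernel.org/linus/b291f000393f5a0b679012b39d79fbc85c018233",
    "Fixed by https://git.kernel.org/linus/57e68e9cd65b4b8eb4045a1e0d0746458502554c (v3.15-rc1)",
    "http://github.com/mantisbt/mantisbt/commit/215968fa8 (1.2.x branch)",
]

if __name__ == "__main__":
    for note in SAMPLE_NOTES:
        print(linkify(note))
```

Escaping the prose and the URL separately is what keeps a note containing `<`, `&` or a stray `"` from breaking the page; the trimming rule is a heuristic and only needs to be right for the handful of notes the tracker actually carries.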
Bug#742382: Display oldstable/stable security and olstable-lts repositories in tabular view. (Closes: #742382)
Hi Holger,

On Sat, Sep 13, 2014 at 01:51:52AM +0200, Holger Levsen wrote:
> Hi,
>
> commit b22f1ba0cd9499e716f7b729f546a98bd4950dda
> Author: Holger Levsen <hol...@layer-acht.org>
> Date:   Sat Sep 13 01:47:11 2014 +0200
>
>     Display oldstable/stable security and olstable-lts repositories in tabular view. (Closes: #742382)

I have your patch running on my testinstance and looks good so far! (But having done only some basic tests).

Regards,
Salvatore

Archive: https://lists.debian.org/20140913155619.GA25028@eldamar.local
Re: small misc fixes
Hi Holger,

On Fri, Sep 12, 2014 at 03:14:57PM +0200, Holger Levsen wrote:
> Hi,
>
> On Freitag, 12. September 2014, Holger Levsen wrote:
> > attached are three small no brainer fixes I'd like to apply, please confirm
>
> thanks to Thijs, this diff even got smaller and better, see attached. I've verified that the code still works nicely. May I commit? (And test git-svn committing... *lalala*)

Thanks for posting the diff. I have activated the changes for the security-tracker, so they are live now.

Regards,
Salvatore

Archive: https://lists.debian.org/20140912150026.GA24295@eldamar.local
Bug#742855: Sort releases correctly in tabular view. (Closes: #742855)
Control: tags -1 - pending

Hi,

On Sat, Sep 13, 2014 at 01:32:38AM +0200, Holger Levsen wrote:
> Hi,
>
> commit baa7d44e460efe2b24e7b029633701cd29986d0d
> Author: Holger Levsen <hol...@layer-acht.org>
> Date:   Sat Sep 13 01:23:35 2014 +0200
>
>     Sort releases correctly in tabular view. (Closes: #742855)

I tested the patch in my local instance. It does sort now the CVEs in descending order, which was not what I meant. We had so far the oldest CVEs on top, which this patch would change.

My change request however was about something else: In the tabular view, from left to right, it should be sorted by releases and not having a mix.

libspring-java as by now, might change in future, shows right now:

Bug           | jessie     | sid        | wheezy     | Description
---
CVE-2014-0225 | fixed      | fixed      | vulnerable | Information disclosure via SSRF
CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal
---

This should be ordered (and for future releases):

Bug           | wheezy     | jessie     | sid        | Description
---
CVE-2014-0225 | vulnerable | fixed      | fixed      | Information disclosure via SSRF
CVE-2014-3578 | vulnerable | vulnerable | vulnerable | Spring framework directory traversal
---

So (squeeze) => wheezy => jessie => sid, and for future releases then (squeeze) => wheezy => jessie => X => sid in the columns (and keep the ordering from oldest to newest CVE).

Thanks for looking into this!

Regards,
Salvatore

Archive: https://lists.debian.org/20140913035812.GA32080@eldamar.local
Re: RFC: Invert ordering of issues in source package view: newest should be up
Hi Holger,

On Sat, Sep 13, 2014 at 01:35:06AM +0200, Holger Levsen wrote:
> Hi,
>
> I think this is clearly a bugfix ;-) Please comment. Both open and resolved issues will be inverse sorted, so that newest CVEs will be on top of the list.
>
> cheers,
> Holger
>
> commit dd7b75472e00cea9759eb6554decf26c6fe8eb11
> Author: Holger Levsen <hol...@layer-acht.org>
> Date:   Sat Sep 13 01:28:00 2014 +0200
>
>     Invert ordering of issues in source package view: newest should be up.
>
> diff --git a/lib/python/security_db.py b/lib/python/security_db.py
> index 8580d5b..b15924e 100644
> --- a/lib/python/security_db.py
> +++ b/lib/python/security_db.py
> @@ -1690,7 +1690,8 @@ class DB:
>  FROM bugs, package_notes as p
>  WHERE p.bug_name = bugs.name
>  AND ( bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%')
> -AND p.package = ?, (package,))
> +AND p.package = ?
> +ORDER BY bugs.release_date DESC, (package,))

This changes the ordering in the 'Security announcements' section, ordering it by release date of the DSA/DLA, right? So for example file will show with your patch:

DSA / DLA     Description
DLA-50-1      file - security update
DSA-3021-1    file - security update
DLA-27-1      file - security update
[...]

This looks like a good change to do, so ack at least from my side to do so.

But above you mention to invert also the open and resolved CVEs by descending order? Why do you like to do that?

Regards,
Salvatore

Archive: https://lists.debian.org/20140913045201.GA1701@eldamar.local
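Review bot: the commit message claims both open and resolved issues are inverse-sorted, but the only hunk touches the query restricted to `bugs.name LIKE 'DSA-%' OR bugs.name LIKE 'DLA-%'`, i.e. the advisory list shown under "Security announcements"; either narrow the message to that list or include the ordering change for the open/resolved issue queries in the same commit. Also, `ORDER BY bugs.release_date DESC` on its own leaves advisories released on the same day in an unspecified order, so add a deterministic tie-breaker, e.g. `ORDER BY bugs.release_date DESC, bugs.name DESC`.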
Re: fixing four bugs, let's start with a Makefile.diff
Hi,

On Fri, Sep 12, 2014 at 01:04:01AM +0200, Holger Levsen wrote:
> [...]
> So, may I commit this Makefile? :) (Further cleanup seems useful but I have no idea how the targets are called by cron...)

The documentation for the setup on soler is in doc/soler.txt. I can check this weekend if all the information there is still up to date unless somebody else beats me to it. As you only extend Makefile with an additional target I think this is fine to be committed already without breaking the setup on soler.

Regards,
Salvatore

Archive: https://lists.debian.org/20140912051130.gb7...@lorien.valinor.li
Bug#761061: tracker doesnt show closed issues as done
Hi,

On Wed, Sep 10, 2014 at 02:06:01PM +0200, Holger Levsen wrote:
> package: security-tracker
> severity: important
> x-debbugs-cc: debian-...@lists.debian.org
>
> Hi,
>
> the tracker doesn't show issues which are only closed in the security or lts subreleases as closed, as for example can be seen on https://security-tracker.debian.org/tracker/source-package/file
>
> eg https://security-tracker.debian.org/tracker/CVE-2014-3478 is closed in both wheezy-security as well as squeeze-lts, yet the /tracker/source-package/file lists it as open.
>
> (The pages like https://security-tracker.debian.org/tracker/CVE-2014-3478 also are less clean, but at least they contain the right info visibly, just a bit scrambled.)
>
> I believe the bug is in getBugsForSourcePackage() in lib/python/security_db.py but I couldn't yet wrap my head around it properly to fix it. There seem to be several functions (in security_db.py) which only deal with the releases (sid, jessie, wheezy, squeeze) but not the subreleases (security, lts).
>
> The tabular view clearly would need some improvement and making clear where the fix is already, e.g. wheezy-security but not yet wheezy.

I try to explain. The version tracked on the individual CVE pages is *correct* from the following point of view: A fix is in wheezy-security already, but not yet accepted into the wheezy suite. This happens when the release team accepts an upload through security, which gets uploaded to wheezy-proposed-updates-NEW to be integrated into an upcoming point release[*]. It is not enough from the stable point of view for having the fix available in stable to have it only on wheezy-security -- it also needs to be included into a wheezy point release.

Thus for example taking CVE-2014-3478 we have:

squeeze, squeeze (security)   5.04-5+squeeze5   vulnerable
squeeze (lts)                 5.04-5+squeeze6   fixed
wheezy                        5.11-2+deb7u3     vulnerable
wheezy (security)             5.11-2+deb7u4     fixed
jessie, sid                   1:5.19-2          fixed

One issue is: with -lts it will never happen that packages are integrated into squeeze, as there will be no point releases including the -lts fixes into squeeze.

[*] An example where this currently does not happen is openjdk-7.

Regards,
Salvatore

Archive: https://lists.debian.org/20140910150143.GA8592@eldamar.local
Call for testing: gnupg update
Hi,

The upcoming gnupg update introduces import functions that apply a constraining filter to imported keys, allowing one to ensure that the keys fetched from the keyserver are in fact those selected by the user beforehand. The initial patch introduced regressions which were fixed upstream.

Please test the packages from https://people.debian.org/~carnil/tmp/gnupg-pre-dsa/

If you find further regressions regarding those fixes please report the problem directly to th...@debian.org and car...@debian.org

Regards,
Salvatore
Bug#759727: patches for including LTS into security-tracker.d.o
Hi Holger, hi Florian,

On Sun, Aug 31, 2014 at 02:37:34PM -0700, Holger Levsen wrote:
> Hi,
>
> On Sonntag, 31. August 2014, Florian Weimer wrote:
> > You mean, with TEMP-%?
>
> yeah, that's what I meant...
>
> > It's currently not possible to address TEMP- vulnerabilities reliably, so they cannot occur as copy targets.
>
> ah!

I reopened this bug and reverted the commits. The bin/update cronjob is breaking the cross-references, adds empty {}. I tried to quick-fix this by adding the DLA part in bin/updatelist, but this made the cross-reference list explode.

Regards,
Salvatore

Archive: https://lists.debian.org/20140901051024.ga14...@lorien.valinor.li
Re: [SECURITY] [DSA 2992-1] linux security update
Hello Romain,

On Tue, Jul 29, 2014 at 10:00:25AM +0200, Romain Francoise wrote:
> The advisory text should perhaps mention that 3.2.60-1+deb7u3 includes 3.2.60-1+deb7u2, which reverts two commits from previous updates that caused networking regressions.

Yes indeed, I should have mentioned that. The update reverts patches which introduced regressions, one introduced in 3.2.57 ("Revert net: ip, ipv6: handle gso skbs in forwarding path") and one in 3.2.60 ("Revert net: ipv4: ip_forward: fix inverted local_df test", which also closes Debian Bug #754173).

Regards,
Salvatore

Archive: https://lists.debian.org/20140729084652.ga24...@lorien.valinor.li
Re: CVE-2014-3477 fixed in dbus/1.6.8-1+deb7u2
Hi Simon,

On Thu, Jun 12, 2014 at 08:15:24PM +0100, Simon McVittie wrote:
> In case the mention of the CVE ID in debian/changelog is not enough for someone to update the security tracker: CVE-2014-3477 is fixed in dbus/1.6.8-1+deb7u2, which was just accepted into proposed-updates. It was also fixed in dbus/1.8.4-1 for testing/unstable.
>
> If this change is desired in squeeze-lts (it's only a local denial of service and there was no DSA, so perhaps not), the upstream dbus-1.2 branch on freedesktop.org has a commit with some trivial merge conflicts (whitespace) resolved. I don't intend to upload to squeeze-lts myself.

Just to confirm the security-tracker information: unstable already marked as fixed. For wheezy it is on the next-point-update list, which will be merged when the next Wheezy point release is released.

Thanks for notifying!

Regards,
Salvatore

Archive: https://lists.debian.org/20140612213437.GA4659@eldamar.local
Re: [SECURITY] [DSA 2945-1] chkrootkit security update
Hi,

On Wed, Jun 04, 2014 at 01:08:44AM +0200, Luigi Bianca wrote:
> What about oldstable? My system says 0.49-4 but apt-get doesn't find anything to update. Thanks in advance.

Security support for oldstable ended at the end of the month, but there is squeeze-lts available. See https://lists.debian.org/debian-security-announce/2014/msg00119.html

Updates for squeeze-lts for chkrootkit are also being prepared, AFAIK.

Hope that helps,

Regards,
Salvatore

Archive: https://lists.debian.org/20140604045351.gb...@lorien.valinor.li
Re: [SECURITY] [DSA 2911-1] icedove security update
Hi,

On Thu, Apr 24, 2014 at 11:36:49AM -0400, charlie derr wrote:
> On 04/24/2014 11:21 AM, Salvatore Bonaccorso wrote:
>> This indeed seems to be a typo in DSA-2911-1. The fixed version for the unstable distribution for the given CVEs is icedove/24.4.0-1. For reference see also [1].
>>
>> [1] https://security-tracker.debian.org/tracker/DSA-2911-1
>>
>> Hope that helps,
>> Regards,
>> Salvatore
>
> Thank you very much, that does help some, but still doesn't really completely explain the mystery to me. In searching through my /var/log/apt/history files, I see that my current version of icedove (24.4.0-1) was installed on 2014-03-26. Was all of this really patched in the sid version of the icedove package a full month before the official announcement of these vulnerabilities? This timing is confusing to me (though I suppose there may be a reasonable explanation for it). Any further information that might help me understand would be very welcome.

Apologies for the late reply. Yes, it is true: the sid version was uploaded not long after the Thunderbird 24.4 release, which happened on 2014-03-18. The corresponding issues are listed in [1].

[1] https://www.mozilla.org/security/announce/

Note: the official announcement of these vulnerabilities in Thunderbird was at [1], so already in March. DSA-2911-1 fixes these issues for icedove in wheezy (additionally, if already known, it also mentions the fixed version for testing and sid).

Hope this clarifies your questions a bit,
Salvatore

Archive: https://lists.debian.org/20140428061733.ga6...@lorien.valinor.li
Re: [SECURITY] [DSA 2911-1] icedove security update
Hi,

On Thu, Apr 24, 2014 at 10:05:08AM -0400, charlie derr wrote:
> On 04/22/2014 11:25 AM, Moritz Muehlenhoff wrote:
>> - Debian Security Advisory DSA-2911-1      secur...@debian.org
>> http://www.debian.org/security/             Moritz Muehlenhoff
>> April 22, 2014                  http://www.debian.org/security/faq
>> - snippage -
>> For the unstable distribution (sid), these problems have been fixed in version 24.4.0esr-1.
>
> I've been checking ever since I saw this announcement and I still don't see a sign of this version in the sid repos yet (I'm not pasting in my apt-get update, but I obviously did that immediately prior):
>
> root@yap:~# apt-get install icedove
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> icedove is already the newest version.
> 0 upgraded, 0 newly installed, 0 to remove and 1459 not upgraded.
> root@yap:~# dpkg -l icedove
> ii  icedove  24.4.0-1
>
> Does anyone have any more information about the delay? Or possibly I'm wrong about my own assumption(s)/understanding here. Thanks so much in advance for any clues,

This indeed seems to be a typo in DSA-2911-1. The fixed version for the unstable distribution for the given CVEs is icedove/24.4.0-1. For reference see also [1].

[1] https://security-tracker.debian.org/tracker/DSA-2911-1

Hope that helps,

Regards,
Salvatore

Archive: https://lists.debian.org/20140424152132.GA2695@eldamar.local
Re: DSA 2896-2 openssl - Apache 2 not detected as service to restart by postinst?
Hi Fredrik,

On Tue, Apr 08, 2014 at 04:01:37PM +, Fredrik Jonson wrote:
> Hi,
>
> After upgrading the packages in DSA 2896-2 (openssl security update), the second version, 1.0.1e-2+deb7u6, that detects services to restart, I noted that the postinst script didn't suggest that I should restart apache2. As far as I can tell apache2 (apache2.2-bin) depends on libssl1.0.0 and could be affected by CVE-2014-0160. Correct?
>
> I note that the postinst script in libssl1.0.0 searches for the virtual package apache2-common which is not installed on my servers. Is this a bug in the postinst script, or is apache2 not affected, or is it a user error to not have the virtual package installed?
>
> BTW, thanks to all involved in Debian's rapid response to this CVE!

Yes, this is unfortunately a bug in that part of the libssl1.0.0 postinst! apache2 is also affected and should be restarted after the openssl update.

Salvatore
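The postinst in the thread decided what to restart by looking for package names (the virtual package apache2-common), which is how apache2 was missed. An added example, not part of the thread and not the postinst's own code, shows a package-independent check: after the library file is replaced, processes that loaded the old copy keep it mapped and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The maps sample is constructed.

```python
"""Find processes that still map a replaced shared library such as libssl.

Added example; not the libssl1.0.0 postinst. Instead of guessing from
package names, ask the kernel: a mapping of a file that was replaced on
disk is shown with a "(deleted)" marker in /proc/<pid>/maps, and any
process holding one still runs the old, vulnerable code until restarted.
"""
import os
from typing import Dict, List

DELETED = " (deleted)"


def soname_stem(path: str) -> str:
    """'/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0' -> 'libssl'."""
    return os.path.basename(path).split(".so")[0]


def stale_libs(maps_text: str, lib_name: str = "libssl") -> List[str]:
    """Paths of lib_name mappings flagged (deleted) in one maps file.

    A maps line is: start-end perms offset dev inode [path [(deleted)]];
    splitting on whitespace at most five times keeps the path whole.
    """
    found: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue  # anonymous mapping, or the file on disk is current
        path = fields[5][: -len(DELETED)]
        if soname_stem(path) == lib_name and path not in found:
            found.append(path)
    return found


def scan_proc(proc_root: str = "/proc", lib_name: str = "libssl") -> Dict[int, List[str]]:
    """Map pid -> stale lib_name paths for every readable process."""
    hits: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_libs(fh.read(), lib_name)
        except OSError:
            continue  # process exited, or maps not readable (run as root)
        if libs:
            hits[int(entry)] = libs
    return hits


# Constructed sample of /proc/<pid>/maps for a daemon that loaded
# libssl/libcrypto before the OpenSSL package was upgraded.
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c1c3000 r-xp 00000000 fd:01 131090   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c1c3000-7f1a2c3c3000 ---p 001c3000 fd:01 131090   /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c400000-7f1a2c5b0000 r-xp 00000000 fd:01 131077   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a2c700000-7f1a2c7ec000 r-xp 00000000 fd:01 262170   /lib/x86_64-linux-gnu/libc-2.13.so
7ffd3b9f0000-7ffd3ba11000 rw-p 00000000 00:00 0        [stack]
"""

if __name__ == "__main__":
    print("sample:", stale_libs(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):
        print(f"pid {pid} still maps {', '.join(libs)}; restart it")
```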
Bug#742855: security-tracker: tabular view should always be by release order
Package: security-tracker
Severity: normal

Hi

Unfortunately the tabular view is not always ordered by release. For example [1] shows in the tabular view:

+---------------+--------+-------+------------+------------------------------------------------+
| Bug           | jessie | sid   | wheezy     | Description                                    |
+---------------+--------+-------+------------+------------------------------------------------+
| CVE-2014-0054 | fixed  | fixed | vulnerable |                                                |
| CVE-2014-1904 | fixed  | fixed | vulnerable | Cross-site scripting (XSS) vulnerability in .. |
+---------------+--------+-------+------------+------------------------------------------------+

but this should preferably always be in the order of the releases.

[1] https://security-tracker.debian.org/tracker/source-package/libspring-java

Regards,
Salvatore

Archive: https://lists.debian.org/20140328061053.17682.69566.report...@lorien.valinor.li
Bug#742096: security-tracker: CVE table not shown in Open unimportant issues section
Package: security-tracker
Severity: wishlist

Hi,

Paul Wise pointed out on IRC that the new CVE table view is shown in the Open issues section, but not in the Open unimportant issues section. Opening a bug to track status/fix for that part as well.

Regards,
Salvatore

Archive: https://lists.debian.org/20140319071519.15729.51817.report...@lorien.valinor.li
Re: [SECURITY] [DSA 2867-1] otrs2 security update
Hi,

On Sun, Feb 23, 2014 at 08:42:01PM +, Salvatore Bonaccorso wrote:
> - Debian Security Advisory DSA-2867-1      secur...@debian.org
> http://www.debian.org/security/             Salvatore Bonaccorso
> February 23, 2014               http://www.debian.org/security/faq
>
> Package: otrs2
> Vulnerability : several
> CVE ID : CVE-2014-1471 CVE-2014-1694
>
> Several vulnerabilities were discovered in otrs2, the Open Ticket Request System. The Common Vulnerabilities and Exposures project identifies the following problems:
>
> CVE-2014-1471
>     Norihiro Tanaka reported missing challenge token checks. An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to these missing checks.
>
> CVE-2014-1694
>     Karsten Nielsen from Vasgard GmbH discovered that an attacker with a valid customer or agent login could inject SQL code through the ticket search URL.

This should be:

CVE-2014-1694
    Norihiro Tanaka reported missing challenge token checks. An attacker that managed to take over the session of a logged in customer could create tickets and/or send follow-ups to existing tickets due to these missing checks.

CVE-2014-1471
    Karsten Nielsen from Vasgard GmbH discovered that an attacker with a valid customer or agent login could inject SQL code through the ticket search URL.

Apologies for not having spotted that earlier. I have committed the changes for the websites so that they will be correct on the next update.

Regards,
Salvatore
Re: [SECURITY] [DSA 2858-1] iceweasel security update
Hi Christoph,

On Wed, Feb 12, 2014 at 10:07:47PM +0100, Christoph Biedl wrote:
> Hello Debian security,
>
> Moritz Muehlenhoff wrote...
>> Package: iceweasel
>> (...)
>> This update updates Iceweasel to the ESR24 series of Firefox.
>
> Unfortunately, this upgrade broke the xul-ext-certificatepatrol package (src:certificatepatrol) in stable due to Breaks: ... iceweasel (= 19.0+) there. There's already an updated package in stable-proposed-updates[0]. Since the next point release is several weeks away, this leaves stable users in an unpleasant situation of xul-ext-certificatepatrol being unavailable (or not upgrading iceweasel).
>
> So, could you consider releasing an upgraded src:certificatepatrol shortly to rectify that situation? A debdiff is linked in that document, let me know if you need more information.

Btw, this has been pushed through wheezy-updates[1].

[1] https://lists.debian.org/debian-stable-announce/2014/02/msg2.html

Regards,
Salvatore

Archive: http://lists.debian.org/20140215220208.GA1088@eldamar.local
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Hi Antonio,

On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> It would be nice if someone familiar with the codebase could write up instructions on how to do that.

Actually, at the Security Team meeting we are working on this now. Mainly, if you want to set up a test instance of the security tracker, it is a matter of doing these three steps:

  make update-packages
  make all
  make serve

But Luciano is working on adding a section for this to the documentation.

Regards,
Salvatore

Archive: http://lists.debian.org/20140208103127.GA23612@eldamar.local
Testers for typo3-src security update (in particular squeeze packages)
Hi,

Christian Welzel, maintainer of typo3-src, prepared backports for security issues in typo3-src. Some testing of the squeeze packages in particular would be welcome before releasing these packages.

Packages are uploaded at [1]. If you find a regression/problem explicitly caused by an update of these packages, please send your feedback directly to car...@debian.org.

[1] http://people.debian.org/~carnil/typo3-src/

Regards,
Salvatore
Re: cmrekey.adv ?
Hi Yanosz,

On Sat, Nov 16, 2013 at 10:32:27AM +0100, Jan Lühr wrote:
> Hello folks,
>
> short one: Is Debian GNU/Linux affected by http://www.openssh.com/txt/gcmrekey.adv ?

See: https://security-tracker.debian.org/tracker/CVE-2013-4548 . In short, oldstable and stable were not affected; for testing and unstable, fixed packages are also uploaded.

Regards,
Salvatore

Archive: http://lists.debian.org/20131116095709.GA18199@eldamar.local
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Package: security-tracker
Severity: wishlist

Hi

At the last DebConf Antonio Terceiro brought up the following idea for an additional view for a source package in the security-tracker. I'm opening the bug report so as not to forget about it.

It would be nice to have, for a given source package, a report/view listing in a table each CVE (open in at least one suite), with columns marking whether it is fixed in the given suite.

srcpkg:

+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE           | oldstable | oldstable-security | stable  | stable-security | testing | unstable |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+
| CVE-1234-5678 | unfixed   | 1.2-3+squeeze1     | unfixed | 1.3-4+deb7u1    | unfixed | 1.5      |
| CVE-5678-1234 | unfixed   | unfixed            | unfixed | unfixed         | unfixed | unfixed  |
+---------------+-----------+--------------------+---------+-----------------+---------+----------+

In principle it should look like an aggregated view of each CVE page, for a queried source package.

Regards,
Salvatore

Archive: http://lists.debian.org/20131024043615.3084.25242.report...@lorien.valinor.li
Automatic CVE updates cronjob problem?
Hi

[Cc'ing Joey directly as I don't know if you are subscribed to the list, let me know if I should drop]

I noticed that since the 2nd of September the automatic update of the CVE list is not done anymore for the security-tracker. Joey, do you know if there is some problem with your cronjob running that?

I have done a manual one (see revision r23567) and indeed there were updates which are usually updated by the cronjob.

Regards,
Salvatore

Archive: http://lists.debian.org/20130907034518.GA7085@eldamar.local
Re: Linking security tracker with exploit-db ?
Hi all,

On Thu, Mar 21, 2013 at 11:53:33PM +0200, Henri Salo wrote:
> On Thu, Mar 21, 2013 at 10:38:47PM +0100, Raphael Hertzog wrote:
>> (I'm not subscribed to debian-security-tracker@lists.debian.org, please keep me in CC)
>>
>> Hello,
>>
>> while discussing with someone at Offensive Security, I learned that there's a mapping between CVE numbers and exploits registered in http://www.exploit-db.com/. I was thinking that it could be interesting to know whether exploits are available and as such that it could be interesting to link CVE to the corresponding exploits within the Debian security-tracker.
>>
>> I believe that everything required is already available online, albeit only on webpages and would thus require some heavy web scraping. Thus if you want to pursue this idea, I can put you in contact with the relevant person at Offensive Security. They might be willing to publish this mapping in a more convenient way (possibly as part of the CSV file in http://www.exploit-db.com/archive.tar.bz2 or something similar).
>>
>> I thought that I would throw this idea away because I find it interesting but I just don't have the time and the desire to implement it.
>>
>> Cheers,
>> --
>> Raphaël Hertzog ◈ Debian Developer
>> Get the Debian Administrator's Handbook: → http://debian-handbook.info/get/
>
> Good idea. I have been thinking the same about OSVDB. If a security team member approves I could try to implement this. OSVDB also links to exploit-db.com in some items.

FYI, this was activated by Florian some days ago on the instance for the security tracker.

Regards,
Salvatore

Archive: http://lists.debian.org/20130901190844.GA19459@eldamar.local
Bug#717103: security-tracker: DSA-2722-1 vs. tracker
Hi Francesco,

On Tue, Jul 16, 2013 at 10:38:46PM +0200, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
>
> Hi,
> DSA-2722-1 [1] says that many vulnerabilities have been fixed for sid in openjdk-7/7u25-2.3.10-1 . The tracker seems to agree for all the vulnerabilities but CVE-2013-2454, which is claimed to be still present in sid [2]. Is that an oversight?

Updated the tracker for openjdk-7. Moritz, do you know if this is also fixed in openjdk-6? (The recent changelog does not mention CVE-2013-2454.)

Regards,
Salvatore

Archive: http://lists.debian.org/20130717053544.GA17999@elende
security-tracker problems after alioth update
Hi

After the alioth update there are still some problems for the security-tracker. The website right now does not get updated automatically anymore. What I have done on the vasks.d.o side:

- /home/groups/secure-testing/repo relocated from svn://svn.debian.org/secure-testing to svn://anonscm.debian.org/secure-testing
- post-commit hook: changed to now use /usr/share/subversion/hook-scripts/commit-email.pl (changed path)

There are also the docs referring to svn://svn.debian.org/secure-testing, and on soler/tracker some adjustments will also be needed (and relocating the checkouts). I have not done the last ones. Florian, can you have a look at the tracker part?

Regards,
Salvatore

Archive: http://lists.debian.org/20130612183135.GA13630@eldamar.local
Re: CVE-2012-5083 does not affect openjdk
Hi Steven

On Tue, Apr 30, 2013 at 07:21:29PM +0100, Steven Chamberlain wrote:
> Bug #690774 was closed (as invalid), and the remaining CVEs from the Oracle Java October 2012 updates have been marked as invalid, except for CVE-2012-5083, which is still open in the security tracker.
>
> I don't think it was obvious at the time, but I agree now that this (and some of the other CVEs) affected the Oracle Fusion Middleware and not OpenJDK. This is vaguely implied in the description of: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3202
>
> Please could this CVE be closed like the others?

Have updated it.

Regards,
Salvatore

Archive: http://lists.debian.org/20130501055147.GA8052@elende
Re: [SECURITY] [DSA 2593-1] moin security update
Hi

On Sat, Dec 29, 2012 at 09:31:42PM +0100, Moritz Muehlenhoff wrote:
> - Debian Security Advisory DSA-2593-1      secur...@debian.org
> http://www.debian.org/security/             Moritz Muehlenhoff
> December 29, 2012               http://www.debian.org/security/faq
>
> Package: moin
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE ID : not available yet

This was announced yesterday, but it looks like moin 1.9.3-1+squeeze4 is not yet present in the security repository. Is this already known?

Regards,
Salvatore
Re: Informazioni Log Analyzer Postfix
Ciao Stefano

[ I'm first telling him in Italian that this is an English-speaking list and that I'm trying to translate ]

This is an English-language list. If you have questions in Italian you could contact the debian-italian list [1].

[1]: https://lists.debian.org/debian-italian/

I'll now try to translate your question.

On Tue, Nov 27, 2012 at 11:53:00AM +0100, Zattara Stefano wrote:
> Good morning to the whole list,
>
> I'd like some advice regarding a log analyzer for postfix. I have already had a look at pflogsum and at various similar interfaces in python.
>
> What I'd be interested in is being able to reconstruct the life of a mail from arrival to delivery, or to discard for some reason (arrival-postfix-antispam-filters-delivery).
>
> Does anyone have any tips to give me on this?

He is asking the following:

Stefano needs advice regarding a log analyzer for postfix. He already looked at pflogsum and various similar tools written in python. But he is interested in reconstructing the 'life' of an email, from receiving up to the point of delivery, or rejecting for some reason (so receiving - postfix - antispam - filters - delivery). He asks if someone can give him hints in some direction.

Ciao,
Salvatore

Archive: http://lists.debian.org/20121201084821.GA12488@elende
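One way to reconstruct a mail's path from Postfix logs, as an added example that is not part of the thread and not pflogsumm or any tool the poster looked at: group lines by queue ID and follow the "queued as" hand-over that a content filter (antispam) re-injection leaves in the log. The log lines below are constructed.

```python
"""Reconstruct the life of one mail from Postfix logs (added example; not
part of the thread and not pflogsumm). Postfix logs each step under the
mail's queue ID; when a content filter re-injects the mail, the delivery
line says "queued as <new ID>", which chains the two IDs together and
yields the path arrival -> postfix -> antispam/filters -> delivery.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<daemon>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$"
)
REQUEUED_RE = re.compile(r"queued as ([0-9A-F]{6,})")
STATUS_RE = re.compile(r"status=(\w+)")
Event = Tuple[str, str, str]  # (timestamp, daemon, message text)


def parse_log(text: str) -> Dict[str, List[Event]]:
    """Group queue-ID-bearing lines by queue ID, keeping log order."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in text.splitlines():
        # NOQUEUE rejects and warnings carry no queue ID and are skipped
        if m := LOG_RE.match(line):
            events[m["qid"]].append((m["ts"], m["daemon"], m["msg"]))
    return events


def entry_queue_id(events: Dict[str, List[Event]], message_id: str):
    """Queue ID under which the mail first arrived (not a re-injected copy)."""
    reinjected = {m.group(1) for evs in events.values()
                  for _, _, msg in evs for m in REQUEUED_RE.finditer(msg)}
    for qid, evs in events.items():
        if qid not in reinjected and any(
                f"message-id={message_id}" in msg for _, _, msg in evs):
            return qid
    return None


def trace(events: Dict[str, List[Event]], qid: str) -> List[Event]:
    """All events for a mail, following each 'queued as' hand-over."""
    trail: List[Event] = []
    seen = set()
    while qid and qid not in seen:  # 'seen' guards against a looping log
        seen.add(qid)
        next_qid = None
        for ev in events.get(qid, []):
            trail.append(ev)
            if m := REQUEUED_RE.search(ev[2]):
                next_qid = m.group(1)
        qid = next_qid
    return trail


def final_status(trail: List[Event]) -> str:
    """Outcome of the last delivery attempt: sent, bounced, deferred, ..."""
    for _, _, msg in reversed(trail):
        if m := STATUS_RE.search(msg):
            return m.group(1)
    return "unknown"


# Constructed log: one mail accepted, handed to a filter on port 10024,
# re-injected and delivered locally; a second one bounced by the filter.
SAMPLE_LOG = """\
Nov 27 10:15:01 mx1 postfix/smtpd[1234]: 3A1B2C3D4E: client=mail.example.net[192.0.2.10]
Nov 27 10:15:01 mx1 postfix/cleanup[1240]: 3A1B2C3D4E: message-id=<abc@example.net>
Nov 27 10:15:01 mx1 postfix/qmgr[1100]: 3A1B2C3D4E: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Nov 27 10:15:02 mx1 postfix/smtp[1250]: 3A1B2C3D4E: to=<bob@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.5/0.01/0.02/0.7, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5F6E7D8C9B)
Nov 27 10:15:02 mx1 postfix/smtpd[1260]: 5F6E7D8C9B: client=localhost[127.0.0.1]
Nov 27 10:15:02 mx1 postfix/cleanup[1240]: 5F6E7D8C9B: message-id=<abc@example.net>
Nov 27 10:15:03 mx1 postfix/local[1270]: 5F6E7D8C9B: to=<bob@example.org>, relay=local, delay=0.3, delays=0.1/0.01/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Nov 27 10:20:01 mx1 postfix/smtp[1250]: 1122AABBCC: to=<bob@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.9, delays=0.2/0/0.01/0.7, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 Spam message rejected)
"""
```

Run `trace(parse_log(open("/var/log/mail.log").read()), entry_queue_id(...))` on a real log to get the same per-daemon trail for any message-id.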