Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Eduardo M KALINOWSKI
On 15/09/2020 10:44, Greg Wooledge wrote:
> Another choice would be to run Debian stable, but don't install Debian's
> version of nginx.  Use upstream's releases, compile them yourself, and
> update them yourself whenever you need to (for security reasons or
> otherwise).

If one chooses to do so, it might be better to fetch the debian source
package of the newer version and create a .deb out of it. At least the
benefits of the debian packaging are retained.

(In other words, you create your own backport.)

But if the versions of libraries required for building the newer version
are not available in stable, the process becomes much more difficult.
(But so, probably, would building from the upstream source.)


-- 
I enjoy the time that we spend together.

Eduardo M KALINOWSKI
edua...@kalinowski.com.br
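
The self-backport Eduardo describes, as an added example in shell; this is not code from the thread or from Debian. It assumes Debian 10 (buster) with devscripts and build-essential installed, takes the newer source from the next suite (bullseye), and uses nginx only as a placeholder package name; the version numbers in the comments are illustrative assumptions, not claims about what bullseye ships. By default it prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not code from the thread: build your own backport of a
# newer Debian source package on stable. Assumed (not stated in the
# thread): Debian 10 with devscripts and build-essential installed, and
# the newer source taken from bullseye. With DRY_RUN=1 (the default)
# every step is printed instead of executed, so the plan can be reviewed
# offline; run with DRY_RUN=0 as root to do it for real.
set -eu
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# backport PKG SUITE: fetch PKG's source from SUITE, build it against
# stable's libraries, install the result.
backport() {
    pkg=$1
    from=$2
    # Source only: a deb-src line pulls no binaries from the newer suite,
    # so the rest of the system stays on stable.
    run sh -c "printf 'deb-src http://deb.debian.org/debian $from main\n' > /etc/apt/sources.list.d/$from-src.list"
    run apt-get update
    run apt-get source "$pkg/$from"
    run cd "$pkg"-*/
    # Build-dependencies are resolved from stable only. This is where the
    # caveat from the thread bites: if the newer package needs libraries
    # stable lacks, apt fails here and dpkg-checkbuilddeps names them.
    run apt-get build-dep ./
    run dpkg-checkbuilddeps
    # dch --bpo appends ~bpo10+1 to the version, so (hypothetical numbers)
    # 1.18.0-6 becomes 1.18.0-6~bpo10+1: higher than buster's own
    # 1.14.2-2+deb10u3, lower than 1.18.0-6 itself, so an official
    # backport or the next stable release replaces it on upgrade.
    run dch --bpo "Local rebuild for buster; no Debian security support."
    run dpkg-buildpackage -us -uc -b
    # debi installs the binaries listed in the ../*.changes file just built.
    run debi --with-depends
}

backport "${1:-nginx}" "${2:-bullseye}"
```

Run it as `DRY_RUN=0 sh backport.sh nginx bullseye` as root once the printed plan looks right. Two things the thread implies and the script can only flag: `apt-get build-dep` resolves against stable alone, so the run stops where the newer package's build-dependencies exceed what buster provides, and the resulting package is outside Debian's security support, so the rebuild has to be repeated by you on every relevant upstream or Debian release.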



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Eduardo M KALINOWSKI
On 15/09/2020 10:38, Klaus Singvogel wrote:
> No: no new version.
> 
> If you're unhappy with that, think about these choices:
> 
> - install upcoming Debian 11 (Testing, Bullseye) and live with the changes
>   of packages and possible errors in the system. Release date unknown.
> 
> - install Debian Sid (Unstable) and live with many more changes

You can also check if there is a newer version in backports (there
doesn't seem to be), and you can request one (but it will depend on some
volunteer's effort to create it, so no guarantees).

But note that there is no official security support for backports. A
newer version may also get backported, but it might take a while, or it
might not happen.


-- 
We gave you an atomic bomb, what do you want, mermaids?
-- I. I. Rabi to the Atomic Energy Commission

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 03:38:33PM +0200, Klaus Singvogel wrote:
> No: no new version.
> 
> If you're unhappy with that, think about these choices:
> 
> - install upcoming Debian 11 (Testing, Bullseye) and live with the changes
>   of packages and possible errors in the system. Release date unknown.
> 
> - install Debian Sid (Unstable) and live with many more changes
> 
> - if both are not fulfilling your needs, think about a different
>   distribution: LFS (Linux from Scratch), or Yocto, or a commercial one.

Another choice would be to run Debian stable, but don't install Debian's
version of nginx.  Use upstream's releases, compile them yourself, and
update them yourself whenever you need to (for security reasons or
otherwise).

Personally I'd prefer to let the Debian security team do all that work
for me, but the OP seems to value large numbers for their own sake.



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Hi Revanth,

Suryadevara, Revanth wrote:
> Hi Klaus,
> 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

As others said, and I explained already: no.

Debian 10's version of a package will never change. No new features, no
loss of features, no new syntax of configurations, no other changes.

> 2.  Please provide some kind of confirmation on CVE-2020-11879
>   If Vulnerability was already addressed, please point me to some article 
> which confirms the same.
>   If not addressed, please confirm on when can we expect 3.35.91 or 
> greater version to be available in Debian 10?

No: no new version.

If you're unhappy with that, think about these choices:

- install upcoming Debian 11 (Testing, Bullseye) and live with the changes
  of packages and possible errors in the system. Release date unknown.

- install Debian Sid (Unstable) and live with many more changes

- if both are not fulfilling your needs, think about a different
  distribution: LFS (Linux from Scratch), or Yocto, or a commercial one.

  But beware of the security updates. AFAIK both LFS and Yocto need
  your effort to keep your machine(s) secure.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Dan Ritter
Suryadevara, Revanth wrote: 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

No, never.

Debian creates stable releases. That means that, unless there is
a compelling reason, no new major versions are packaged.
Instead, security patches are applied as necessary.

When Debian 11 is released, most likely in 2021, there will be a new
major version of nginx.

You want to subscribe to the debian-security-announce list, and
at least look at the archives of debian-security.

You should read through the Debian Handbook, too. 
https://debian-handbook.info/

-dsr-



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread tomas
On Tue, Sep 15, 2020 at 12:23:11PM +, Suryadevara, Revanth wrote:
> Hi Klaus,
> 
> Just needed to re-confirm couple of things here
> 
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

Debian doesn't change package versions in its stable release
(with exceptions; see Greg's post in this thread).

That's the meaning of "stable". Debian 10, aka Buster, is
the current stable version [1]. So the answer is "most
probably not".

> 2.  Please provide some kind of confirmation on CVE-2020-11879
>   If Vulnerability was already addressed, please point me to some article 
> which confirms the same.
>   If not addressed, please confirm on when can we expect 3.35.91 or 
> greater version to be available in Debian 10?

Well, you can do that yourself. Enter "CVE-2020-11879 site:debian.org"
into your favourite Internet search engine (which hopefully isn't
Google, but I digress), and you'll be led to [2]. Follow the links
from there, and you'll get lots of information :-)

Cheers

[1] https://www.debian.org/releases/index.html
[2] https://security-tracker.debian.org/tracker/CVE-2020-11879

 - t




Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 12:23:11PM +, Suryadevara, Revanth wrote:
> 1. I understand that the NGINX version shipped by default is secured and will 
> be updated with patches should there be some security issues. But my question 
> is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available 
> in Debian 10, soon ? If yes, when ?

No.

Please read .



RE: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Suryadevara, Revanth
Hi Klaus,

Just needed to re-confirm couple of things here

1. I understand that the NGINX version shipped by default is secured and will 
be updated with patches should there be some security issues. But my question 
is, Can we expect the latest version of NGINX(i.e. v1.18.x) to be available in 
Debian 10, soon ? If yes, when ?

2.  Please provide some kind of confirmation on CVE-2020-11879
If Vulnerability was already addressed, please point me to some article 
which confirms the same.
If not addressed, please confirm on when can we expect 3.35.91 or 
greater version to be available in Debian 10?

Thanks,
Revanth.

-Original Message-
From: Klaus Singvogel  
Sent: 15 September 2020 15:10
To: Suryadevara, Revanth 
Cc: debian-user@lists.debian.org
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Hi Revanth,

as you might have found out now, the Debian Security team is backporting 
security patches to older versions of OpenSource software, and Debian 10 isn't 
insecure.

The advantage of backporting is that you don't have to adapt config files to 
the latest syntax on an update, nor introduce incompatible libraries to your 
system on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when the 
package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for the excellent job they did 
in the past and will do in the future. Thank you.

Regarding the missing CVE-2020-11879 for GNOME Evolution: I don't have the 
proof, but I think this points to the fact that the shipped version isn't 
affected.

Best regards,
Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, According 
> to nginx download page, (http://nginx.org/en/download.html)
> Nginx 1.14.x is no longer supported and will not be getting regular patches. 
> So, if any security Vulnerabilities arise then system would be at high risk 
> as the vendor no longer provide updates.
> 
> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID 
> isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -Original Message-
> From: Klaus Singvogel 
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth 
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME 
> Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> > v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be 
> > available in Debian 10 ?
> 
> Which security bugs do you think are not fixed in the Debian 10 version of
> Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?
> 
> https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog
> 
> https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog
> 
> Please name the CVE identifiers which you believe Debian 10 is affected
> by.
> 
> Thanks in advance.
> 
> Best regards,
>   Klaus.
> --
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Greg Wooledge
On Tue, Sep 15, 2020 at 09:13:04AM +, Suryadevara, Revanth wrote:
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html) Nginx 
> 1.14.x is no longer supported and will not be getting regular patches. So, if 
> any security Vulnerabilities arise then system would be at high risk as the 
> vendor no longer provide updates.

The Debian security team backports patches to fix security issues
whenever possible.

*If* in the future a vulnerability is discovered which cannot easily be
fixed by a patch backported from a future version of nginx, then the
security team *may* opt to use a newer upstream version of nginx in
the stable release.  There is some precedent for this with other packages
such as samba and bind9.



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Hi Revanth,

as you might have found out now, the Debian Security team is backporting
security patches to older versions of OpenSource software, and Debian 10
isn't insecure.

The advantage of backporting is that you don't have to adapt config files
to the latest syntax on an update, nor introduce incompatible libraries to
your system on update.

So, don't worry about the older versions of software regarding security.
They are getting regular patches by the Debian Security team, even when
the package maintainer doesn't support this version anymore.

I want to thank here the Debian Security team for the excellent job they
did in the past and will do in the future. Thank you.

Regarding the missing CVE-2020-11879 for GNOME Evolution: I don't have the
proof, but I think this points to the fact that the shipped version isn't
affected.

Best regards,
Klaus.

Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html) Nginx 
> 1.14.x is no longer supported and will not be getting regular patches. So, if 
> any security Vulnerabilities arise then system would be at high risk as the 
> vendor no longer provide updates.
> 
> 2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID 
> isn't present in the links which you've shared.
> 
> Thanks,
> Revanth.
> 
> -Original Message-
> From: Klaus Singvogel  
> Sent: 15 September 2020 13:32
> To: Suryadevara, Revanth 
> Cc: debian-user@lists.debian.org
> Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution
> 
> Suryadevara, Revanth wrote:
> > 
> > We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> > v3.30.5-1.1 installed along with other packages.
> > 
> [...]
> > When can we expect latest versions of Nginx and GNOME Evolution to be 
> > available in Debian 10 ?
> 
> Which security bugs do you think are not fixed in the Debian 10 version of
> Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?
> 
> https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog
> 
> https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog
> 
> Please name the CVE identifiers which you believe Debian 10 is affected
> by.
> 
> Thanks in advance.
> 
> Best regards,
>   Klaus.
> -- 
> Klaus Singvogel
> GnuPG-Key-ID: 1024R/5068792D  1994-06-27

-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Reco
Hi.

Please do not top post.

On Tue, Sep 15, 2020 at 09:13:04AM +, Suryadevara, Revanth wrote:
> Hi Klaus,
>   
> 1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
> According to nginx download page, (http://nginx.org/en/download.html)
> Nginx 1.14.x is no longer supported and will not be getting regular
> patches. So, if any security Vulnerabilities arise then system would
> be at high risk as the vendor no longer provide updates.

No known CVE = no problem. Unless of course you just happen to know a
private zero-day.
And, as the version of nginx shows, they've fixed some CVEs in the past,
thrice for the duration of buster.


> 2.) Pertaining to GNOME Evolution , the CVE-ID is  CVE-2020-11879 .
> This ID isn't present in the links which you've shared.

Buster's evolution is vulnerable indeed - [1]. Security impact is low,
so it's hardly a surprise it is not fixed yet.

Reco

[1] https://security-tracker.debian.org/tracker/source-package/evolution



RE: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Suryadevara, Revanth
Hi Klaus,

1.) Pertaining to Nginx there is no CVE-ID, main concern is, 
According to nginx download page, (http://nginx.org/en/download.html) Nginx 
1.14.x is no longer supported and will not be getting regular patches. So, if 
any security Vulnerabilities arise then system would be at high risk as the 
vendor no longer provide updates.

2.) Pertaining to GNOME Evolution, the CVE-ID is CVE-2020-11879. This ID 
isn't present in the links which you've shared.

Thanks,
Revanth.

-Original Message-
From: Klaus Singvogel  
Sent: 15 September 2020 13:32
To: Suryadevara, Revanth 
Cc: debian-user@lists.debian.org
Subject: Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

Suryadevara, Revanth wrote:
> 
> We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> v3.30.5-1.1 installed along with other packages.
> 
[...]
> When can we expect latest versions of Nginx and GNOME Evolution to be 
> available in Debian 10 ?

Which security bugs do you think are not fixed in the Debian 10 version of
Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?


https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog


https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog

Please name the CVE identifiers which you believe Debian 10 is affected by.

Thanks in advance.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27



Re: Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Klaus Singvogel
Suryadevara, Revanth wrote:
> 
> We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
> v3.30.5-1.1 installed along with other packages.
> 
[...]
> When can we expect latest versions of Nginx and GNOME Evolution to be 
> available in Debian 10 ?

Which security bugs do you think are not fixed in the Debian 10 version of
Nginx v1.14.2 or GNOME Evolution v3.30.5-1.1?


https://metadata.ftp-master.debian.org/changelogs//main/n/nginx/nginx_1.14.2-2+deb10u3_changelog


https://metadata.ftp-master.debian.org/changelogs//main/e/evolution/evolution_3.30.5-1.1_changelog

Please name the CVE identifiers which you believe Debian 10 is affected by.

Thanks in advance.

Best regards,
Klaus.
-- 
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D  1994-06-27
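
The check the thread keeps pointing at (Klaus's changelog links, tomas's security-tracker search, Reco's reading of the +deb10u3 suffix), as an added example in shell; this is not code from the thread or from Debian. It decides from a package's Debian changelog and version string whether a CVE is already fixed, which is what a version-only scanner misses when it compares 1.14.2 against upstream's current release. In real use feed it `apt-get changelog nginx` output or the metadata.ftp-master.debian.org changelog URL above; the changelog embedded here is constructed for offline use, and its CVE ids are placeholders rather than real nginx advisories.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: answer "is this
# CVE fixed in the stable package?" from the package's Debian changelog
# and version string instead of from the upstream version number. The
# changelog below is CONSTRUCTED for offline use; its CVE ids are
# placeholders and the dates and maintainer are made up.

SAMPLE_CHANGELOG='nginx (1.14.2-2+deb10u3) buster-security; urgency=medium

  * Fix CVE-2019-0001 (placeholder id): example security fix.

 -- Example Maintainer <maint@example.org>  Mon, 17 Aug 2020 10:00:00 +0200

nginx (1.14.2-2+deb10u2) buster-security; urgency=medium

  * CVE-2019-0002, CVE-2019-0003, CVE-2019-0004 (placeholder ids):
    example denial-of-service fixes.

 -- Example Maintainer <maint@example.org>  Thu, 22 Aug 2019 10:00:00 +0200

nginx (1.14.2-2) unstable; urgency=medium

  * Initial upload.

 -- Example Maintainer <maint@example.org>  Mon, 10 Dec 2018 10:00:00 +0100
'

# Every CVE id the changelog mentions, one per line, sorted and unique.
changelog_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 when the changelog mentions the CVE as a whole token, 1 otherwise.
# Absence does not mean "unfixed": the shipped version may not be affected
# at all, which is what the security tracker page for the CVE records.
changelog_fixes() {
    printf '%s\n' "$1" | grep -qE "(^|[^0-9])$2([^0-9]|$)"
}

# The version carried by the changelog's newest (first) entry.
changelog_version() {
    printf '%s\n' "$1" | sed -nE '1s/^[^ ]+ \(([^)]+)\).*/\1/p'
}

# The stable-update counter from a Debian version such as 1.14.2-2+deb10u3
# ("3": three uploads on top of what buster released with); "0" when the
# +debNNuM suffix is absent.
stable_update_count() {
    n=$(printf '%s\n' "$1" | sed -nE 's/.*\+deb[0-9]+u([0-9]+).*/\1/p')
    printf '%s\n' "${n:-0}"
}

ver=$(changelog_version "$SAMPLE_CHANGELOG")
printf 'changelog version: %s (%s stable updates)\n' \
    "$ver" "$(stable_update_count "$ver")"
printf 'CVEs closed in the changelog:\n'
changelog_cves "$SAMPLE_CHANGELOG"
for cve in CVE-2019-0002 CVE-2020-11879; do
    if changelog_fixes "$SAMPLE_CHANGELOG" "$cve"; then
        printf '%s: fixed in this package\n' "$cve"
    else
        printf '%s: not in the changelog, check %s\n' "$cve" \
            "https://security-tracker.debian.org/tracker/$cve"
    fi
done
```

Two reading notes: the `+deb10uN` suffix only counts stable uploads, so pair it with the changelog text (or the tracker) before concluding anything about a particular CVE; and when the changelog is silent, as it is for CVE-2020-11879 in the sample, the tracker's per-CVE page is the authority on whether the buster version is affected, unfixed or simply not vulnerable. To see whether buster-backports already carries a newer version, `apt-cache policy nginx` lists every candidate version apt knows about.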



Security Vulnerabilities with Nginx v1.14.2 and GNOME Evolution

2020-09-15 Thread Suryadevara, Revanth
Hi,

We have a system running on Debian 10 with Nginx v1.14.2, GNOME Evolution 
v3.30.5-1.1 installed along with other packages.


  1.  Security Vulnerability with Nginx v1.14.2:

THREAT:
According to nginx download page, (http://nginx.org/en/download.html) Nginx 
1.14.x is no longer supported and will not be getting regular patches

IMPACT:
The system is at high risk of being exposed to security vulnerabilities because 
the vendor no longer provides updates.

SOLUTION:
Upgrading to latest version of NGINX would resolve this Vulnerability.



  2.  Security Vulnerability with GNOME Evolution v3.30.5-1.1:

THREAT:
Gnome Evolution is prone to an information disclosure vulnerability: using the 
proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other 
source of mailto links) can make Evolution attach local files or directories 
to a composed email message without showing a warning to the user, as 
demonstrated by an attach=. value.
Affected Version:
GNOME Evolution before 3.35.91

IMPACT:
Successful exploitation of this issue will lead to information disclosure.

SOLUTION:
Upgrading to 3.35.91 or to the latest version of GNOME Evolution 
(http://www.gnome.org/projects/evolution/) would resolve this Vulnerability.


When can we expect latest versions of Nginx and GNOME Evolution to be available 
in Debian 10 ?


Thanks,
Revanth.