Bug#1082053: RUSTSEC-2023-0086

Source: rust-lexical-core
Version: 0.7.6-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

https://rustsec.org/advisories/RUSTSEC-2023-0086.html
https://github.com/Alexhuszagh/rust-lexical/issues/102
https://github.com/Alexhuszagh/rust-lexical/issues/101
https://github.com/Alexhuszagh/rust-lexical/issues/104
https://github.com/Alexhuszagh/rust-lexical/issues/95
https://github.com/Alexhuszagh/rust-lexical/issues/126

Cheers,
Moritz

Bug#1080080: RM: aiorwlock -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aiorwl...@packages.debian.org
Control: affects -1 + src:aiorwlock
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aiorwlock. It FTBFSes since three years and the last maintainer upload was in 2019.

Cheers,
Moritz

Bug#1079993: RM: evqueue-core -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: evqueue-c...@packages.debian.org
Control: affects -1 + src:evqueue-core
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove evqueue-core. It's RC-buggy since over five years and the last maintainer upload was in 2018.

Cheers,
Moritz

Bug#1079992: RM: aiocoap -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aioc...@packages.debian.org
Control: affects -1 + src:aiocoap
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aiocoap. It FTBFSes since over two years and the last maintainer upload was in 2019.

Cheers,
Moritz

Bug#1079991: RM: aws-shell -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: aws-sh...@packages.debian.org
Control: affects -1 + src:aws-shell
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove aws-shell. It's RC-buggy and dropped from testing since 4.5 years and the last maintainer upload was in 2018.

Cheers,
Moritz

Bug#1079990: RM: fonts-alegreya-sans -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: fonts-alegreya-s...@packages.debian.org
Control: affects -1 + src:fonts-alegreya-sans
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove fonts-alegreya-sans. There was only ever a single upload back in 2019 and the package is RC-buggy since 5.5 years. It missed the last two stable releases.

Cheers,
Moritz

Bug#1079989: RM: python-arrayfire -- RoQA; blocks removal of arrayfire

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: python-arrayf...@packages.debian.org
Control: affects -1 + src:python-arrayfire
User: ftp.debian@packages.debian.org
Usertags: remove

src:arrayfire is RC-buggy and has a pending RM bug. This package contains the Python bindings and needs to be removed alongside.

Cheers,
Moritz

Bug#1079988: RM: arrayfire -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: arrayf...@packages.debian.org
Control: affects -1 + src:arrayfire
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove arrayfire. The last upload was in 2016 and it's dropped from testing due to RC bugs since 2018 (e.g. FTBFSes since GCC 8 became the default...). The RM bug for python-arrayfire needs to be processed first.

Cheers,
Moritz

Bug#1079695: RM: xmms2-scrobbler -- RoQA; broken, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: xmms2-scrobb...@packages.debian.org
Control: affects -1 + src:xmms2-scrobbler
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove xmms2-scrobbler. It's broken since last.fm changed their site in 2015 (!) (#798099) and the last maintainer upload was in 2013.

Cheers,
Moritz

Bug#1079694: RM: jajuk -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ja...@packages.debian.org
Control: affects -1 + src:jajuk
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove jajuk. The last upload happened in 2017 and it's RC-buggy/removed from testing for over five years now.

Cheers,
Moritz

Bug#1079690: RM: perl-doc-html -- RoQA; unmaintained, outdated

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: perl-doc-h...@packages.debian.org
Control: affects -1 + src:perl-doc-html
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove perl-doc-html. It contains outdated docs, has been dropped from testing since 2018 and is orphaned without an adopter since 2018.

Cheers,
Moritz

Bug#1079657: RM: fakeroot-ng -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: fakeroot...@packages.debian.org
Control: affects -1 + src:fakeroot-ng
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove fakeroot-ng. It FTBFSes since over two years without any reaction and the last maintainer upload (who's also upstream) was over a decade ago.

Cheers,
Moritz

Bug#1079656: RM: haskell98-tutorial -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: haskell98-tutor...@packages.debian.org
Control: affects -1 + src:haskell98-tutorial
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove haskell98-tutorial. It's RC-buggy since 2021 and up for adoption without any takers since 2014.

Cheers,
Moritz

Bug#1079647: RM: libneo4j-client -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: libneo4j-cli...@packages.debian.org
Control: affects -1 + src:libneo4j-client
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove libneo4j-client. It's RC-buggy since 2021 when GCC 11 became the default and the last maintainer upload was in 2017.

Cheers,
Moritz

Bug#1079645: RM: ifscheme -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ifsch...@packages.debian.org
Control: affects -1 + src:ifscheme
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ifscheme. It's broken since at least 2021 (#981637) and orphaned without an adopter since 2020.

Cheers,
Moritz

Bug#1079643: RM: tldjs -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: tl...@packages.debian.org
Control: affects -1 + src:tldjs
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove tldjs. It's RC-buggy since 2021, missed the last two stable releases and the last maintainer upload was in 2018.

Cheers,
Moritz

Bug#1079640: RM: binutils64 -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove binutils64. It's RC-buggy (and thus never made it into a stable release) since April 2021 without any maintainer reaction and there were no further uploads after the initial ones in 2020.

Cheers,
Moritz

Bug#1079639: RM: bdfproxy -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bdfpr...@packages.debian.org
Control: affects -1 + src:bdfproxy
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove bdfproxy. It's RC-buggy since 1.5 years and never made it into any stable release. The last maintainer upload was in 2018.

Cheers,
Moritz

Bug#1079638: RM: beanbag -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bean...@packages.debian.org
Control: affects -1 + src:beanbag
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove beanbag. It FTBFSes since 2020 and the last maintainer upload happened in 2015.

Cheers,
Moritz

Bug#1079637: RM: qiskit-aer -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: qiskit-...@packages.debian.org
Control: affects -1 + src:qiskit-aer
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove qiskit-aer. There are multiple RC bugs, the last maintainer upload was in 2021 and it has been dropped from testing for 1.5 years now (and never made it to a stable release).

Cheers,
Moritz

Bug#1079636: RM: myhdl -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: my...@packages.debian.org
Control: affects -1 + src:myhdl
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove myhdl. The last upload was in 2019 and it's RC-buggy and dropped from testing for over three years (and missed the last two stable releases for that).

Cheers,
Moritz

Bug#1079453: RM: itop -- RoQA; unmaintained, broken

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: i...@packages.debian.org
Control: affects -1 + src:itop
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove itop. The last maintainer upload was in 2008 and the package is broken since 2018 (and dropped from testing since 2021).

Cheers,
Moritz

Bug#1079452: RM: obs-ptz -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: obs-...@packages.debian.org
Control: affects -1 + src:obs-ptz
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove obs-ptz. There was only ever a single upload and the package FTBFSes since October 2022 without any maintainer reaction.

Cheers,
Moritz

Bug#1079451: RM: pdfrw -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pd...@packages.debian.org
Control: affects -1 + src:pdfrw
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pdfrw. The last maintainer upload was in 2018 and it's broken since Python 3.7 became the default and thus dropped from testing since over four years.

Cheers,
Moritz

Bug#1079449: RM: literki -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: lite...@packages.debian.org
Control: affects -1 + src:literki
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove literki. The last maintainer upload happened in 2010 and the package has multiple open RC bugs and hasn't been part of testing for over six years.

Cheers,
Moritz

Bug#1079448: RM: lilyterm -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: lilyt...@packages.debian.org
Control: affects -1 + src:lilyterm
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove lilyterm. The last upload happened in 2017 and the package is RC-buggy since 2020.

Cheers,
Moritz

Bug#1079447: RM: ricochet-im -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ricochet...@packages.debian.org
Control: affects -1 + src:ricochet-im
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ricochet-im. The last upload happened 5.5 years ago and the package is RC-buggy since 2021.

Cheers,
Moritz

Bug#1079445: RM: pstack -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pst...@packages.debian.org
Control: affects -1 + src:pstack
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pstack. The last upload was in 2011 and it's RC-buggy since 4.5 years.

Cheers,
Moritz

Bug#1079444: RM: pxe-kexec -- RoQA; unmaintained, FTBFS

Package: ftp.debian.org
Severity: normal
Tags: ftbfs
X-Debbugs-Cc: pxe-ke...@packages.debian.org
Control: affects -1 + src:pxe-kexec
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pxe-kexec. The last upload was in 2012 and it FTBFSes due to missing compat with GCC 11 since 2021.

Cheers,
Moritz

Bug#1079372: RM: watson -- RoQA; unmaintained, FTBFS

Package: ftp.debian.org
Severity: normal
Tags: ftbfs
X-Debbugs-Cc: wat...@packages.debian.org
Control: affects -1 + src:watson
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove watson. The last maintainer upload was in 2019 and the package FTBFSes since 2021.

Cheers,
Moritz

Bug#1079371: RM: drmips -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: drm...@packages.debian.org
Control: affects -1 + src:drmips
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove drmips. The last maintainer upload was in 2016 and the package FTBFSes since four years.

Cheers,
Moritz

Bug#1079370: RM: effcee -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: eff...@packages.debian.org
Control: affects -1 + src:effcee
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove effcee. There was only ever a single upload and the package FTBFSes since three years.

Cheers,
Moritz

Bug#1079351: RM: rdup -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: r...@packages.debian.org
Control: affects -1 + src:rdup
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove rdup. It's RC-buggy since 2019 and dropped from testing since then. The last maintainer upload was in 2017.

Cheers,
Moritz

Bug#1079349: RM: pafy -- RoQA; Broken, unmaintained, alternatives exist

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: p...@packages.debian.org
Control: affects -1 + src:pafy
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove pafy. It's broken since two years and already missed Bookworm for that. The last maintainer upload was in 2016.

Cheers,
Moritz

Bug#1079322: RM: origami -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: orig...@packages.debian.org
Control: affects -1 + src:origami
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove origami. It's broken since 4.5 years (953144) and thus missed the last two stable releases. The last maintainer upload was in 2011.

Cheers,
Moritz

Bug#1079321: RM: privbind -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: privb...@packages.debian.org
Control: affects -1 + src:privbind
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove privbind. The last maintainer upload was in 2010 and it is RC-buggy since 2021 (and thus missed Bookworm already).

Cheers,
Moritz

Bug#1079318: RM: mahimahi -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mahim...@packages.debian.org
Control: affects -1 + src:mahimahi
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove mahimahi. The last maintainer upload was in 2017 and it FTBFSes since 3.5 years (and thus missed Bookworm already).

Cheers,
Moritz

Bug#1079314: RM: ignore-me -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ignore...@packages.debian.org
Control: affects -1 + src:ignore-me
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ignore-me. There was only ever a single upload in 2018 and the package FTBFSes since 6.5 years.

Cheers,
Moritz

Bug#1079315: RM: bwctl -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: bw...@packages.debian.org
Control: affects -1 + src:bwctl
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove bwctl. The last maintainer upload was in 2015 and it FTBFSes since 2021 (and thus missed Bookworm already).

Cheers,
Moritz

Bug#1079311: RM: gli -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gli
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove gli. The last upload was in 2017 and it FTBFSes since 6.5 years. There are no reverse dependencies.

Cheers,
Moritz

Bug#1079309: RM: lsdb -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: l...@packages.debian.org
Control: affects -1 + src:lsdb
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove lsdb. It's RC-buggy since 2020 and missed Bookworm already. The last maintainer upload was in 2007 and it has been put out for adoption without any reply in 2012 (#654945).

Cheers,
Moritz

Bug#1079308: RM: picprog -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: picp...@packages.debian.org
Control: affects -1 + src:picprog
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove picprog. It's RC-buggy since 2019 and thus missed the last two stable releases (since Linux 5.5 entered Debian). It's orphaned without an adopter since 2017.

Cheers,
Moritz

Bug#1079306: RM: openmx -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ope...@packages.debian.org
Control: affects -1 + src:openmx
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove openmx. It FTBFSes since GCC 10 was made the default in 2020 and thus missed the last two stable releases and it's orphaned without an adopter since 2019.

Cheers,
Moritz

Bug#1079303: RM: navi2ch -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: navi...@packages.debian.org
Control: affects -1 + src:navi2ch
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove navi2ch. There was only ever a single upload in 2012 and the package is RC-buggy since 2020 and thus missed the two last stable releases.

Cheers,
Moritz

Bug#1079304: RM: mxt-app -- RoQA; RC-buggy, unmaintained

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mxt-...@packages.debian.org
Control: affects -1 + src:mxt-app
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove mxt-app. It FTBFSes without any maintainer reaction since 4.5 years and thus missed the last two stable releases.

Cheers,
Moritz

Bug#1079294: RM: termtris -- RoQA; unmaintained, RC-buggy, not in any stable release

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: termt...@packages.debian.org
Control: affects -1 + src:termtris
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove termtris. It's unmaintained (there was only ever a single upload in 2019) and it's RC-buggy since 2020 (and thus never made it in any stable release).

Cheers,
Moritz

Bug#1079290: RM: twofish -- RoQA; unmaintained, dead upstream, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: twof...@packages.debian.org
Control: affects -1 + src:twofish
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove twofish. It's RC-buggy since 2021 and already missed Bookworm due to that. Upstream is dead and there are no reverse deps.

Cheers,
Moritz

Bug#1079289: RM: xjig -- RoQA; Unmaintained, RC-buggy, dead upstream

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: x...@packages.debian.org
Control: affects -1 + src:xjig
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove xjig. It's dead upstream, unmaintained (last maintainer upload in 2013) and RC-buggy due to netpbm changes. It already missed Bookworm for that and is dropped from testing for over two years.

Cheers,
Moritz

Bug#1079287: RM: gems -- RoQA; unmaintained, RC-buggy, dead upstream

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: g...@packages.debian.org
Control: affects -1 + src:gems
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove gems. It's unmaintained (last upload 13 years ago), it's RC-buggy since 2021 and missed the last stable release.

Cheers,
Moritz

Bug#1079286: RM: snort -- RoQA; unmaintained, RC-buggy

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: sn...@packages.debian.org
Control: affects -1 + src:snort
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove snort. It's unmaintained (last upload three years ago), it missed two stable releases and there are plenty of open security issues. In addition snort 2 is EOLed since three years (1019230) and thus incompatible with rules updates. There are also plenty of other open RC bugs (#1064328, #1068036, #56) and it includes non-free code (#1067951).

Cheers,
Moritz

Bug#1079285: RM: enigmail -- RoQA; obsolete

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: enigm...@packages.debian.org
Control: affects -1 + src:enigmail
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove enigmail. Thunderbird now has native GPG support and the package was only needed in old releases to support migrations (which are now all complete).

Cheers,
Moritz

Bug#1074275: Depends on gpac

Source: ogmrip
Version: 1.0.1-4
Severity: serious

gpac is unsupportable and thus orphaned and not in stable. It should be removed, but ogmrip depends on it. From a quick glance ogmrip also supports mencoder, so possibly that dependency could simply get removed?

Cheers,
Moritz

Bug#1074276: Depends on gpac

Source: ccextractor
Version: 0.94+ds1-3
Severity: serious

gpac is unsupportable, thus orphaned and not in Bookworm. It should be removed, but ccextractor build depends on it. From a quick glance it also has some build flags for ffmpeg, so maybe that's an alternative?

Cheers,
Moritz

Bug#1074225: RM: watchcatd -- RoQA; dead upstream, obsolete

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: watchc...@packages.debian.org
Control: affects -1 + src:watchcatd
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove watchcatd. It's dead upstream and generally obsolete; such process supervision is built into systemd natively.

Bug#1073968: RM: sleepd -- RoQA; unmaintained, dead upstream

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: sle...@packages.debian.org
Control: affects -1 + src:sleepd
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove sleepd. Upstream development has stopped a long time ago, and it's orphaned for a decade without an adopter.

Cheers,
Moritz

Bug#1073235: bookworm-pu: package bluez/5.66-1+deb12u2

On Mon, Jun 17, 2024 at 06:18:40PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Fri, 2024-06-14 at 23:25 +0200, Moritz Muehlenhoff wrote:
> > Attached debdiff fixes three minor security issues. The update
> > has been tested on a Bookworm system. debdiff below.
>
> Please go ahead.

Uploaded, thanks.

Cheers,
Moritz

Bug#1072366: libndp: CVE-2024-5564

On Fri, Jun 14, 2024 at 07:30:46AM +0200, Florian Ernst wrote:
> On Thu, Jun 13, 2024 at 08:17:41PM +0200, Moritz Muehlenhoff wrote:
> > Thanks, these look good! Please upload to security-master, I'll take care
> > of the DSA over the weekend.
>
> Thanks for verifying, thus just uploaded to security-master. And thanks
> in advance for taking care of the DSA.

DSA has been released, thanks!

Cheers,
Moritz

Bug#1073277: RM: ramond -- RoQA; unmaintained, dead upstream, unused

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: ram...@packages.debian.org
Control: affects -1 + src:ramond
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove ramond. It's dead upstream, the last maintainer upload was in 2012 without a new adopter and it's basically non-existent in popcon.

Cheers,
Moritz

Bug#1073235: bookworm-pu: package bluez/5.66-1+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: bl...@packages.debian.org, iwama...@debian.org Control: affects -1 + src:bluez User: release.debian@packages.debian.org Usertags: pu Attached debdiff fixes three minor security issues. The update has been tested on a Bookworm system. debdiff below. Cheers, Moritz diff -Nru bluez-5.66/debian/changelog bluez-5.66/debian/changelog --- bluez-5.66/debian/changelog 2023-12-10 17:57:24.0 +0100 +++ bluez-5.66/debian/changelog 2024-06-12 23:13:32.0 +0200 @@ -1,3 +1,10 @@ +bluez (5.66-1+deb12u2) bookworm; urgency=medium + + * CVE-2023-27349 + * CVE-2023-50229 / CVE-2023-50230 + + -- Moritz Mühlenhoff Wed, 12 Jun 2024 23:13:32 +0200 + bluez (5.66-1+deb12u1) bookworm-security; urgency=high * Non-maintainer upload by the Security Team. diff -Nru bluez-5.66/debian/patches/CVE-2023-27349.patch bluez-5.66/debian/patches/CVE-2023-27349.patch --- bluez-5.66/debian/patches/CVE-2023-27349.patch 1970-01-01 01:00:00.0 +0100 +++ bluez-5.66/debian/patches/CVE-2023-27349.patch 2024-06-12 16:27:04.0 +0200 
@@ -0,0 +1,42 @@ +From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Wed, 22 Mar 2023 11:34:24 -0700 +Subject: avrcp: Fix crash while handling unsupported events + +The following crash can be observed if the remote peer send and +unsupported event: + +ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11 + at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0 + WRITE of size 1 at 0x60b000148f11 thread T0 + #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907 + #1 0x559644536c22 in control_response profiles/audio/avctp.c:939 + #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108 + #3 0x7fbcb3e51c43 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43) + #4 0x7fbcb3ea66c7 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7) + #5 0x7fbcb3e512b2 in g_main_loop_run (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2) + #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66 + #7 0x559644755606 in mainloop_run_with_signal src/shared/mainloop-notify.c:188 + #8 0x5596445bb963 in main src/main.c:1289 + #9 0x7fbcb3bafd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392 + #11 0x5596444e8224 in _start (/usr/local/libexec/bluetooth/bluetoothd+0xf0224) +--- + profiles/audio/avrcp.c | 6 ++ + 1 file changed, 6 insertions(+) + +--- bluez-5.66.orig/profiles/audio/avrcp.c bluez-5.66/profiles/audio/avrcp.c +@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struc + case AVRCP_EVENT_UIDS_CHANGED: + avrcp_uids_changed(session, pdu); + break; ++ default: ++ if (event > AVRCP_EVENT_LAST) { ++ warn("Unsupported event: %u", event); ++ return FALSE; ++ } ++ break; + } + + session->registered_events |= (1 << event); diff -Nru bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch --- 
bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch 1970-01-01 01:00:00.0 +0100 +++ bluez-5.66/debian/patches/CVE-2023-50229_CVE-2023-50230.patch 2024-06-12 16:28:23.0 +0200 @@ -0,0 +1,61 @@ +From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001 +From: Luiz Augusto von Dentz +Date: Tue, 19 Sep 2023 12:14:01 -0700 +Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length + +Primary/Secundary Counters are supposed to be 16 bytes values, if the +server has implemented them incorrectly it may lead to the following +crash: + += +==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address +0x60701878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328 + + READ of size 48 at 0x60701878 thread T0 + #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 + #1 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 + #2 0x7f95a1575ba6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 + #3 0x564df69c77a0 in read_version obexd/client/pbap.c:288 + #4 0x564df69c77a0 in read_return_apparam obexd/client/pbap.c:352 + #5 0x564df69c77a0 in phonebook_size_callback obexd/client/pbap.c:374 + #6 0x564df69bea3c in session_terminate_transfer obexd/client/session.c:921 + #7 0x564df69d56b0 in get_xfer_progres
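Review bot: in the avrcp_handle_event hunk of CVE-2023-27349.patch, the new default arm only rejects values strictly greater than AVRCP_EVENT_LAST; any in-range value that no case label handles still hits `break;` and reaches the unchanged context line `session->registered_events |= (1 << event);`. It is worth confirming that every value up to and including AVRCP_EVENT_LAST has a case label, and otherwise returning FALSE for those unhandled values too; moving the bound check ahead of the switch, where `event` is first used as a shift count, would also make the guard easier to audit than burying it in the default arm. The second patch file, CVE-2023-50229_CVE-2023-50230.patch, is cut off on this page after the sanitizer backtrace, so its change to obexd/client/pbap.c cannot be reviewed from what is shown here.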
Bug#1072366: libndp: CVE-2024-5564

Hi Florian,

> Please give those packages an additional check, and feel free to just
> upload them when they indeed meet your requirements, or briefly ping me
> back for me to upload them / possibly apply further changes, whatever
> suits you best.

Thanks, these look good! Please upload to security-master, I'll take care of the DSA over the weekend.

Cheers,
Moritz

Bug#1073012: Automatically rewrite incoming entries from some CNAs as NFUs

Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil. We can do this by extending the "automatic update" job to automatically annotate CVEs assigned by a given CNA as NFU entries.

As an example, all CVEs coming from the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and review would still happen on the committed entries). Same for many commercial software vendors, e.g. for a company like SAP, which has no ties to FLOSS, everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP" without human interaction.

We should only extend this on a case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also maintain mysql, Java and virtualbox, so they need manual review still.

Cheers,
Moritz

Bug#1072366: libndp: CVE-2024-5564

Hi Florian,

On Mon, Jun 10, 2024 at 08:41:27AM +0200, Florian Ernst wrote:
> Dear Security Team,
>
> On Sat, Jun 01, 2024 at 04:57:53PM +0200, Salvatore Bonaccorso wrote:
> > [...]
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-5564
> > https://www.cve.org/CVERecord?id=CVE-2024-5564
>
> An updated package containing upstream's fix has just been uploaded and
> is waiting to be processed for unstable.
>
> Upstream's fix:
> https://github.com/jpirko/libndp/commit/05e4ba7b0d126eea4c04387dcf40596059ee24af
> (as referenced from https://github.com/jpirko/libndp/issues/26 and
> already seen by carnil)
> Debian change:
> https://salsa.debian.org/debian/libndp/-/commit/a6136d60ef278c1aebee32f805ff473f0ee6ef99
>
> The corresponding Debian change applies cleanly on bookworm / stable
> (naturally, as until today bookworm and sid both had libndp 1.8-1) and
> also on bullseye / oldstable and buster / oldoldstable (both having
> libndp 1.6-1).
>
> I could prepare packages targeting (old)stable, if so desired. Or would
> it be easier for you if you just take over from here?

It would be great if you could prepare updates for bullseye-security and bookworm-security [1]. Please use 1.6-1+deb11u1 and 1.8-1+deb12u1 as the respective version numbers. security.debian.org also has autopkgtests set up, so we should get some good coverage by reverse deps.

Cheers,
Moritz

[1] https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

Bug#1072720: libglib2.0-0: Following fix #1070745, typing `A keys doesn't type an À anymore

On Sun, Jun 09, 2024 at 06:23:00PM +0100, Simon McVittie wrote:
> On Sun, 09 Jun 2024 at 17:23:27 +0200, gru...@laposte.net wrote:
> > Please note that ^e gives ê correctly but `A doesn't
>
> Security team:
>
> Based on this information, I don't think this is a regression caused by
> the GLib security update, or in fact anything to do with GLib: it seems
> that ibus is "mostly" working, and the GLib regression resulted in ibus
> not working at all.

Ack, thanks for the detailed followup.

Cheers,
Moritz

Bug#1072527: Mark libreswan as EOLed in Bullseye

Source: debian-security-support
Version: 1:13+2024.05.15
Severity: wishlist
X-Debbugs-Cc: d...@fifthhorseman.net

Security support for libreswan in Bullseye is EOLed; the recent security fixes for CVE-2023-38710 are too intrusive/risky to backport (also see https://github.com/libreswan/libreswan/issues/1233).

Cheers,
Moritz

Bug#1072124: gnome-shell: CVE-2024-36472

On Tue, May 28, 2024 at 05:33:32PM -0400, Jeremy Bícha wrote:
> Control: forwarded -1 https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
>
> On Tue, May 28, 2024 at 5:24 PM Moritz Mühlenhoff wrote:
> > CVE-2024-36472[0]:
> > | In GNOME Shell through 45.7, a portal helper can be launched
> > | automatically (without user confirmation) based on network responses
> > | provided by an adversary (e.g., an adversary who controls the local
> > | Wi-Fi network), and subsequently loads untrusted JavaScript code,
> > | which may lead to resource consumption or other impacts depending on
> > | the JavaScript code's behavior.
>
> The initial GNOME issue was closed already (the CVE was requested by
> someone who is not a GNOME developer). But GNOME Shell may change the
> workflow for the captive portal helper so we can leave this bug open,
> pointing to the new issue that was opened upstream.

Yeah, they never filed a bug for the botched CVE assignment; this is the bug reference explicitly for the followup actionable filed by Michael Catanzaro.

Cheers,
Moritz

Bug#1071628: python-pymysql: CVE-2024-36039
On Tue, May 28, 2024 at 09:06:51AM +0200, Thomas Goirand wrote:
> On 5/22/24 17:08, Moritz Mühlenhoff wrote:
> > The following vulnerability was published for python-pymysql.
> >
> > We should also fix this in a DSA, could you prepare debdiffs for
> > bookworm-security and bullseye-security?
> >
> > CVE-2024-36039[0]:
> > | PyMySQL through 1.1.0 allows SQL injection if used with untrusted
> > | JSON input because keys are not escaped by escape_dict.
> >
> > https://github.com/advisories/GHSA-v9hf-5j83-6xpp
> > https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
> > (v1.1.1)
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-36039
> > https://www.cve.org/CVERecord?id=CVE-2024-36039
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> Please find attached to this message, the fixes I would like to upload to
> bullseye and bookworm. Please allow these uploads.
>
> Note that I have uploaded latest upstream version 1.1.1-1 to unstable, that
> includes the patch in these debdiffs.

Thanks! These look fine, please build both with -sa and upload to
security-master.

Cheers,
Moritz
Bug#1071746: clojure: CVE-2024-22871
On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for clojure.
> >
> > CVE-2024-22871[0]:
> > | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an
> > | attacker to cause a denial of service (DoS) via the
> > | clojure.core$partial$fn__5920 function.
> >
> > https://github.com/advisories/GHSA-vr64-r9qj-h27f
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-22871
> > https://www.cve.org/CVERecord?id=CVE-2024-22871
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> Thanks for the report. Maybe I'm reading this wrong, but the Debian archive
> has clojure 1.10 (oldstable) and 1.11 (stable and up).
>
> The CVE seems to apply only from 1.12.0-alpha5 to 1.20. Can you confirm why
> we are affected by this CVE?

The CVE descriptions are often bogus, see the upstream advisory I listed:

| The affected Clojure classes (Cycle, Repeat, Iterate) exist in Clojure
| 1.7.0-1.11.1, 1.12.0-alpha1-1.12.0-alpha8.

Cheers,
Moritz
Bug#1053004: CVE-2019-10784 and CVE-2023-40619
On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> Hi everyone,
>
> On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff wrote:
> >
> > On Wed, Mar 06, 2024 at 06:39:01AM -0300, Leandro Cunha wrote:
> > > Hi Christoph Berg,
> > >
> > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg wrote:
> > > >
> > > > Re: Leandro Cunha
> > > > > The
> > > > > next job would be to make it available through backports and I would
> > > > > choose to remove this package from stable. But I would only leave
> > > > > bookworm backports due to other bugs found (these CVEs too) and fixed
> > > > > in 7.14.7.
> > > > > I have to search about the status of backports to oldstable. But I'm
> > > > > also studying the possibility of working with patches for these two
> > > > > versions.
> > > >
> > > > Why would you want to remove it from stable? In closed environments,
> > > > CVEs are often not a problem.
> > > >
> > > > Christoph
> > >
> > > In addition to the CVEs, phppgadmin which is present in stable does
> > > not connect to PostgreSQL 15 and 16 without a patch I inserted in
> > > 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> > > or opening another important bug (I am aware that the bug must have a
> > > severity greater than important)[3] for the stable and submission of
> > > new bug to the release team for approval. That way it would be
> > > released in a future release a version with this issue fixed (if
> > > approved). But CVE-2023-40619 is treated with critical severity and
> > > CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> > > LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> > > (oldoldstable) and the openSUSE team also handled both CVEs in
> > > Leap[5][6].
> > > Removing this package in stable will not leave users without them and
> > > we can release it in backports.
> > > I can treat this as a job of ensuring the quality of what is
> > > distributed by Debian.
> >
> > Agreed, if the package is actually broken with the version of PostgreSQL
> > in stable and if there's no sensible backport for the open security issues,
> > then let's rather remove it by the next point release.
> >
> > Cheers,
> > Moritz
>
> It's the best thing to do, the package with the necessary corrections
> is already present in bookworm-backports and the user just needs to
> run apt install -t bookworm-backports phppgadmin[1][2][3] with
> sponsorship of Christoph Berg (thank you for that) and thanks also to
> the Debian Security Team.

Ack, will you do the removal request? You can do that with "reportbug
release.debian.org" and then selecting the "rm stable/testing removal
requests" option.

Cheers,
Moritz
Bug#1071127: Mark slurm-wlm as EOLed in Bullseye
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: gennaro.ol...@gmail.com

Security support for slurm-wlm in Bullseye is EOLed, the recent changes were
too intrusive to meaningfully backport.
Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1
On Wed, May 01, 2024 at 06:29:29PM +0100, Adam D. Barratt wrote:
> On Wed, 2024-05-01 at 13:02 +0200, Moritz Muehlenhoff wrote:
> > Please remove salt in the next Bullseye point release.
> > It was already removed from unstable for being unsupportable
> > and unmaintained (https://bugs.debian.org/1069654).
> >
> > There are two related packages which need to be removed
> > alongside, since salt-common depends on them (but which
> > have no other dependencies outside of salt):
> >
> > pytest-salt-factories 0.93.0-1
> > pytest-testinfra 6.1.0-1
>
> I'm not doubting whether at least the former should be removed, but
> "salt-common depends on them" isn't a reason to remove things in
> itself. A relationship in the opposite direction certainly would be
> (i.e. "they depend on salt-common").

It's actually build dependencies, both pytest-salt-factories and
pytest-testinfra build depend on salt-common.

Cheers,
Moritz
Bug#1070176: Mark pdns-recursor as EOLed in Bullseye
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: z...@debian.org

Please mark pdns-recursor as EOL/no longer covered by security support in
Bullseye. These packages can still be used for select use cases (internal
resolver within a company network), but 4.4 is lagging too much behind to be
supportable as a general purpose resolver.

Cheers,
Moritz
Bug#1070175: RM: salt/3002.6+dfsg1-4+deb11u1
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:salt
User: release.debian@packages.debian.org
Usertags: rm

Please remove salt in the next Bullseye point release.
It was already removed from unstable for being unsupportable
and unmaintained (https://bugs.debian.org/1069654).

There are two related packages which need to be removed
alongside, since salt-common depends on them (but which
have no other dependencies outside of salt):

pytest-salt-factories 0.93.0-1
pytest-testinfra 6.1.0-1

Cheers,
Moritz
Bug#1069762: pdns-recursor: CVE-2024-25583 - 4.8.8 for stable
On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> Hi Moritz,
>
> could we once again use the upstream release for stable?
> debdiff 4.8.7-1 -> 4.8.8-1 is attached.

Ack. Following the 4.8 releases has served us well. debdiff looks fine,
please build with -sa and upload to security-master.

Cheers,
Moritz
Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120
On Sun, Apr 21, 2024 at 07:35:43PM +0000, Victor Seva wrote:
> Hi,
>
>
> I've just uploaded sngrep 1.8.1-1 to sid and prepared 1.6.0-1+deb12u1 for
> bookworm-security [0].
>
> Attached debdiff file.
>
> Waiting for your reply,
> Victor
>
> [0]
> https://salsa.debian.org/pkg-voip-team/sngrep/-/tags/debian%2F1.6.0-1+deb12u1

Hi Victor,

diff looks fine, but I don't believe this really needs a DSA; it's a rather
obscure attack vector. I think addressing this via the next Bookworm point
release is perfectly fine, what do you think?

Procedure is outlined at
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Cheers,
Moritz
Bug#1064183: libapache2-mod-auth-openidc: CVE-2024-24814
On Thu, Apr 18, 2024 at 02:40:41PM +0200, Moritz Schlarb wrote:
> Dear Salvatore,
>
> I've prepared, built, tested and uploaded fixed versions for bullseye
> (2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).
>
> Would you like to issue a DSA for them or is it enough that they are
> included in the next stable point release?

Hi Moritz,

I think it's sufficient if we only fix these via the next point release(s),
thanks!

Cheers,
Moritz
Bug#1068451: bookworm-pu: package libtommath/1.2.0-6+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libtomm...@packages.debian.org
Control: affects -1 + src:libtommath

Addresses CVE-2023-36328, debdiff below. Acked by Dominique before.

Cheers,
Moritz

diff -Nru libtommath-1.2.0/debian/changelog libtommath-1.2.0/debian/changelog --- libtommath-1.2.0/debian/changelog 2021-02-07 11:58:15.0 +0100 +++ libtommath-1.2.0/debian/changelog 2024-04-04 22:20:38.0 +0200 @@ -1,3 +1,9 @@ +libtommath (1.2.0-6+deb12u1) bookworm; urgency=medium + + * CVE-2023-36328 (Closes: #1051100) + + -- Moritz Mühlenhoff Thu, 04 Apr 2024 22:20:38 +0200 + libtommath (1.2.0-6) unstable; urgency=medium [ Helmut Grohne ] diff -Nru libtommath-1.2.0/debian/patches/CVE-2023-36328.patch libtommath-1.2.0/debian/patches/CVE-2023-36328.patch --- libtommath-1.2.0/debian/patches/CVE-2023-36328.patch1970-01-01 01:00:00.0 +0100 +++ libtommath-1.2.0/debian/patches/CVE-2023-36328.patch2024-04-04 22:20:38.0 +0200
@@ -0,0 +1,121 @@ +From beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 Mon Sep 17 00:00:00 2001 +From: czurnieden +Date: Tue, 9 May 2023 17:17:12 +0200 +Subject: [PATCH] Fix possible integer overflow + +--- + bn_mp_2expt.c| 4 + bn_mp_grow.c | 4 + bn_mp_init_size.c| 5 + + bn_mp_mul_2d.c | 4 + bn_s_mp_mul_digs.c | 4 + bn_s_mp_mul_digs_fast.c | 4 + bn_s_mp_mul_high_digs.c | 4 + bn_s_mp_mul_high_digs_fast.c | 4 + 8 files changed, 33 insertions(+) + +--- libtommath-1.2.0.orig/bn_mp_2expt.c libtommath-1.2.0/bn_mp_2expt.c +@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) + { +mp_errerr; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ +/* zero a as per default */ +mp_zero(a); + +--- libtommath-1.2.0.orig/bn_mp_grow.c libtommath-1.2.0/bn_mp_grow.c +@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) +int i; +mp_digit *tmp; + ++ if (size < 0) { ++ return MP_VAL; ++ } ++ +/* if the alloc size is smaller alloc more ram */ +if (a->alloc < size) { + /* reallocate the array a->dp +--- libtommath-1.2.0.orig/bn_mp_init_size.c libtommath-1.2.0/bn_mp_init_size.c +@@ -6,6 +6,11 @@ + /* init an mp_init for a given size */ + mp_err mp_init_size(mp_int *a, int size) + { ++ ++ if (size < 0) { ++ return MP_VAL; ++ } ++ +size = MP_MAX(MP_MIN_PREC, size); + +/* alloc mem */ +--- libtommath-1.2.0.orig/bn_mp_mul_2d.c libtommath-1.2.0/bn_mp_mul_2d.c +@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, +mp_digit d; +mp_err err; + ++ if (b < 0) { ++ return MP_VAL; ++ } ++ +/* copy */ +if (a != c) { + if ((err = mp_copy(a, c)) != MP_OKAY) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_digs.c libtommath-1.2.0/bn_s_mp_mul_digs.c +@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co +mp_word r; +mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* can we use the fast multiplier? 
*/ +if ((digs < MP_WARRAY) && +(MP_MIN(a->used, b->used) < MP_MAXFAST)) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_digs_fast.c libtommath-1.2.0/bn_s_mp_mul_digs_fast.c +@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int * +mp_digit W[MP_WARRAY]; +mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* grow the destination as required */ +if (c->alloc < digs) { + if ((err = mp_grow(c, digs)) != MP_OKAY) { +--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs.c libtommath-1.2.0/bn_s_mp_mul_high_digs.c +@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int * +mp_word r; +mp_digit tmpx, *tmpt, *tmpy; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* can we use the fast multiplier? */ +if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) +&& ((a->used + b->used + 1) < MP_WARRAY) +--- libtommath-1.2.0.orig/bn_s_mp_mul_high_digs_fast.c libtommath-1.2.0/bn_s_mp_mul_high_digs_fast.c +@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_ +mp_digit W[MP_WARRAY]; +mp_word _W; + ++ if (digs < 0) { ++ return MP_VAL; ++ } ++ +/* grow the destination as required */ +pa = a->used + b->used; +if (c->alloc < pa) { diff -Nru libtommath-1.2.0/debian/patches/series libtommath-1.2.0/debian/patches/series --- libtommath-1.2.0/debian/patches/series 2021-02-07 11:58:15.0 +0100 +++ libtommath-1.2.0/debian/patches/series 2024-04-04 22:20:38.0 +0200 @@ -2,3 +2,4 @@ remove-undefined-macro fix-shift-count-overflow-on-x32 use-utc-timezone +CVE-2023-36328.patch
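Review bot: the debian/changelog hunk records only the identifier ("* CVE-2023-36328 (Closes: #1051100)"); a one-line statement of what changed would help users reading the changelog, for example "* CVE-2023-36328: reject negative sizes and shift counts to prevent a possible integer overflow (Closes: #1051100)", which is what the upstream subject line "Fix possible integer overflow" describes.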
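Review bot: the new debian/patches/CVE-2023-36328.patch carries only the git-format From/Date/Subject header and no DEP-3 metadata; adding "Origin: upstream, beba892bc0d4e4ded4d667ab1d2a94f4d75109a9" and "Bug-Debian: https://bugs.debian.org/1051100" (both values already appear in this debdiff) would make later rebases and the security tracker cross-check easier.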
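Review bot: the bn_mp_grow.c hunk (like its seven sibling hunks) only rejects a negative `size` with MP_VAL and imposes no upper bound; since the subject line is "Fix possible integer overflow", confirm that a very large positive `size` reaching `if (a->alloc < size)` cannot still overflow in the reallocation arithmetic that follows (not visible in the hunk), or state in the patch description why callers cannot supply one.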
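Review bot: the bn_mp_init_size.c hunk inserts a stray blank line between the opening brace and the new `if (size < 0)` check, unlike the other hunks; drop it for consistency. It also changes behaviour for negative sizes: previously `size = MP_MAX(MP_MIN_PREC, size);` clamped them silently, now mp_init_size() fails with MP_VAL, so callers that pass computed sizes and ignore the return value should be checked.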
Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
> On 4/4/24 22:51, Moritz Mühlenhoff wrote:
> > Source: apache2
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for apache2.
> >
> > CVE-2024-27316[0]:
> > https://www.kb.cert.org/vuls/id/421644
> > https://www.openwall.com/lists/oss-security/2024/04/04/4
> >
> > CVE-2024-24795[1]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/5
> >
> > CVE-2023-38709[2]:
> > https://www.openwall.com/lists/oss-security/2024/04/04/3
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2024-27316
> > https://www.cve.org/CVERecord?id=CVE-2024-27316
> > [1] https://security-tracker.debian.org/tracker/CVE-2024-24795
> > https://www.cve.org/CVERecord?id=CVE-2024-24795
> > [2] https://security-tracker.debian.org/tracker/CVE-2023-38709
> > https://www.cve.org/CVERecord?id=CVE-2023-38709
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Hi,
>
> I'm ready to push 2.4.59 into bookworm-security. Note that this includes a
> test-framework update

Target distribution needs to be bookworm-security, with that please upload.
Can you also prepare the equivalent change for bullseye-security?

The uploads can already happen, but let's keep the update unreleased until
next week, then we can look for regressions reported in unstable (and check
with Ondrej if we received reports based on his repo)

Cheers,
Moritz
Bug#1056156: varnish: CVE-2023-44487: VSV00013 Varnish HTTP/2 Rapid Reset Attack
On Thu, Apr 04, 2024 at 05:54:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Marco,
>
> [CC'ing security team]
>
> On Mon, Apr 01, 2024 at 04:25:05PM +0200, Marco d'Itri wrote:
> > Control: found -1 5.0.0-1
> > Control: fixed -1 7.4.2
> >
> > On Nov 17, Salvatore Bonaccorso wrote:
> >
> > > CVE-2023-44487[0]:
> > > | The HTTP/2 protocol allows a denial of service (server resource
> > > | consumption) because request cancellation can reset many streams
> > > | quickly, as exploited in the wild in August through October 2023.
> > Fixing this issue would require backporting a significant amount of
> > new features in varnish and I do not believe that it would be practical.
> >
> > I am inclined to downgrade this bug because:
> > - this is just a DoS attack
> > - it only concerns people using hitch for TLS termination instead of
> > a full web server like nginx or haproxy
> >
> > nginx in stable is also vulnerable, BTW.
>
> While I do agree (and it was filed with this severity), the bug
> severity would not be RC, varnish currently seems to lack active
> maintainership.

Ok, fair enough. We'll mark CVE-2023-44487 (and also
https://varnish-cache.org/security/VSV00014.html) as no-dsa for
bookworm/bullseye.

> As such an RC bug keeps it out of testing until someone steps up for a
> commitment maintaining varnish.

The reason here isn't really a commitment, but a lack of a suitable LTS
branch for stable/oldstable. We wouldn't be in this position if Debian were
following the official 6.0 LTS branch. That ship has now sailed but when
upstream announces a new 7.x LTS at some point we need to use that for
stable/oldstable, the current model isn't working.

Cheers,
Moritz
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
Hi Adrian,

> >...
> > > debdiffs contain only changes to debian/
> >
> > The bookworm/bullseye debdiffs look good, please upload to
> > security-master, thanks!
>
> both are now uploaded.

DSA has been released, thanks!

> > Note that both need -sa, but dak needs some special attention when
> > uploading to security-master. You'll need to wait for the ACCEPTED mail
> > before you can upload the next one.
>
> Done, but I am not sure this was necessary in this case since these are
> different upstream tarballs gtkwave_3.3.118.orig.tar.gz and
> gtkwave_3.3.104+really3.3.118.orig.tar.gz
>
> (The contents also differ since as mentioned one is the GTK 2+3
> upstream tarball and the other one is the GTK 1+2 upstream tarball.)

You're correct indeed.

Cheers,
Moritz
Bug#1032670: allegro4.4: CVE-2021-36489
On Thu, Mar 21, 2024 at 09:33:51PM +0100, Andreas Rönnquist wrote:
> On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff wrote:
> > Source: allegro4.4
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for allegro4.4.
> >
> > CVE-2021-36489[0]:
> > | Buffer Overflow vulnerability in Allegro through 5.2.6 allows
> > | attackers to cause a denial of service via crafted PCX/TGA/BMP files
> > | to allegro_image addon.
> >
> > https://github.com/liballeg/allegro5/issues/1251
> > https://github.com/liballeg/allegro5/pull/1253
> >
> > These fixes landed in Allegro 5.2.8.0:
> > https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
> > (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
> > (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
> > (5.2.8.0)
> > https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
> > (5.2.8.0)
> >
> > In allegro 4.4, code is in src/[pcx|tga].c instead
> >
>
> Hey
>
> I just tried to reproduce this now on the version of Allegro 4.4 in
> Debian, and using the crash file as mentioned in
> https://github.com/liballeg/allegro5/issues/1251
>
> I cannot reproduce the crash on 4.4.
>
> Can you still reproduce the crash on allegro4.4 from the debian package?
>
> For me when running './ex_bitmap crash' I get a dialog "Error reading
> bitmap file 'crash'", but no crash of the program

I never tried to reproduce these, but reproducibility of a given PoC made
against a current version not working with an older version doesn't mean the
old version isn't affected. From a quick glance the equivalent of the checks
added in 5 are also needed in 4.4, e.g. rle_tga_read8() lacks a check for w
overstepping c.

Given that all these image files are typically read from a trusted
location/source shipped by a given game it's not a big deal, but I'd suggest
to keep the bug open until 4.4 has been fully phased out or the fixes
backported.

Cheers,
Moritz
Bug#1064517: texlive-bin: CVE-2024-25262
On Fri, Feb 23, 2024 at 10:13:53PM +0100, Hilmar Preuße wrote:
> On 23.02.24 16:31, Moritz Mühlenhoff wrote:
>
> Hello Moritz,
>
> > The following vulnerability was published for texlive-bin.
> >
> > CVE-2024-25262[0]:
> > | texlive-bin commit c515e was discovered to contain heap buffer
> > | overflow via the function ttfLoadHDMX:ttfdump. This vulnerability
> > | allows attackers to cause a Denial of Service (DoS) via supplying a
> > | crafted TTF file.
> >
>
> I'll upload tl-bin -9 soon. Do we need a fix in Debian stable too?

It's rather harmless, I don't believe we need a DSA. If you make an update
for a forthcoming point release to fix other bugs it's worth piggybacking
this, though.

Cheers,
Moritz
Bug#1060016: packagekit: CVE-2024-0217
On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
> I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
> having the bug... But then again, on another page it said that the
> respective patch only lowered the impact...
> I remember merging that patch, and it was a pretty good robustness
> improvement, we didn't talk about any use-after-free issue there
> though (so it's not obvious why this changes anything either).
>
> Let's see if we get a reply from the CVE reporter!

Sounds good. If there's no further information provided I'll mark the entry
as non actionable in the Debian security tracker and deassociate it from
https://security-tracker.debian.org/tracker/source-package/packagekit

Cheers,
Moritz
Bug#1060016: packagekit: CVE-2024-0217
On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> The CVE page lists that commit as "patch" now, and given that emitting
> a finished transaction as finished multiple times could indeed cause
> issues (and use-after-free issues potentially as well), I am inclined
> to think that that's indeed the issue here and that the patch fixes
> it.

Ok.

> That would mean though that all PK versions starting from and
> including 1.2.7 are not vulnerable... But the CVE tells otherwise.
> Very odd.

But https://www.cve.org/CVERecord?id=CVE-2024-0217 only states "unaffected
at 1.2.7", which seems to be based on the git tag of the referenced commit?

Cheers,
Moritz
Bug#1063736: snort removal from bullseye (Re: Bug#1063736: RM: snort -- RoQA; security issues, unmaintained)
On Mon, Feb 12, 2024 at 06:16:48PM +0000, Jonathan Wiltshire wrote:
> On Mon, Feb 12, 2024 at 09:24:47AM +0000, Holger Levsen wrote:
> > hi,
> >
> > On Sun, Feb 11, 2024 at 09:44:18PM +0000, Jonathan Wiltshire wrote:
> > > Requested by security team. Not in stable or testing.
> >
> > once this has happened we should communicate this to our users via
> > debian-security-upload to bullseye.
>
> Looping in security in case security support should be withdrawn earlier.
> (The removal won't happen until the next and final point release.)

That's fine, all current bugs are addressed in bullseye, except a minor
logrotate issue.

Cheers,
Moritz
Bug#1063534: [Debian-iot-maintainers] Bug#1063534: libjwt: CVE-2024-25189
On Fri, Feb 09, 2024 at 04:40:31PM +0100, Thorsten Alteholz wrote:
> Hi Moritz,
>
> thanks for the bug. Upstream knows about the issue and already fixed it [1]
> + [2].

Thanks. I think the real world impact is pretty negligible, it's enough to
land a fix for the next release, but not for released suites.

Cheers,
Moritz
Bug#1061543: indent: CVE-2024-0911
On Fri, Jan 26, 2024 at 08:48:47PM +0100, Santiago Vila wrote:
> severity 1061543 important
> found 1061543 2.2.12-1
> found 1061543 2.2.12-4+deb12u2
> thanks
>
> On 26/1/24 at 8:52, Moritz Mühlenhoff wrote:
> > Source: indent
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: normal
> > Tags: security
> >
> > Hi,
> >
> > This was assigned CVE-2024-0911:
> > https://lists.gnu.org/archive/html/bug-indent/2024-01/msg1.html
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> [...]
>
> Thanks for the report.
>
> I've just applied the (code part of the) patch for unstable.
>
> Can you confirm that proposed-updates is good enough to fix this in stable?
> (i.e. no DSA, like other recent previous indent CVEs).

Confirmed :-)

Cheers,
Moritz
Bug#1061572: bullseye-pu: package unadf/0.7.11a-4+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: un...@packages.debian.org
Control: affects -1 + src:unadf

Addresses two no-dsa security issues, same fix already rolled out for
Bookworm. Debdiff below.

Cheers,
Moritz

diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog --- unadf-0.7.11a/debian/changelog 2016-09-24 17:43:06.0 +0200 +++ unadf-0.7.11a/debian/changelog 2023-11-24 16:39:48.0 +0100 @@ -1,3 +1,9 @@ +unadf (0.7.11a-4+deb11u1) bullseye; urgency=medium + + * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248) + + -- Moritz Mühlenhoff Fri, 24 Nov 2023 18:34:16 +0100 + unadf (0.7.11a-4) unstable; urgency=high * Orphan package with security issues. diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 --- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12441970-01-01 01:00:00.0 +0100 +++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-12442023-11-24 16:38:37.0 +0100
@@ -0,0 +1,146 @@ +Description: Fix unsafe extraction by using mkdir() instead of shell command + This commit fixes following vulnerabilities: + + - CVE-2016-1243: stack buffer overflow caused by blindly trusting on +pathname lengths of archived files + +Stack allocated buffer sysbuf was filled with sprintf() without any +bounds checking in extracTree() function. + + - CVE-2016-1244: execution of unsanitized input + +Shell command used for creating directory paths was constructed by +concatenating names of archived files to the end of the command +string. + + So, if the user was tricked to extract a specially crafted .adf file, + the attacker was able to execute arbitrary code with privileges of the + user. + + This commit fixes both issues by + +1) replacing mkdir shell commands with mkdir() function calls +2) removing redundant sysbuf buffer + +Author: Tuomas Räsänen +Last-Update: 2016-09-20 +-- +--- a/Demo/unadf.c b/Demo/unadf.c +@@ -24,6 +24,8 @@ + + #define UNADF_VERSION "1.0" + ++#include ++#include + + #include + #include +@@ -31,17 +33,15 @@ + + #include "adflib.h" + +-/* The portable way used to create a directory is to call the MKDIR command via the +- * system() function. +- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory ++/* The portable way used to create a directory is to call mkdir() ++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001 ++ * and POSIX.1-2008 + */ + + /* the portable way to check if a directory 'dir1' already exists i'm using is to + * do fopen('dir1','rb'). 
NULL is returned if 'dir1' doesn't exists yet, an handle instead + */ + +-#define MKDIR "mkdir" +- + #ifdef WIN32 + #define DIRSEP '\\' + #else +@@ -51,6 +51,13 @@ + #define EXTBUFL 1024*8 + + ++static void mkdirOrLogErr(const char *const path) ++{ ++ if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO)) ++ fprintf(stderr, "mkdir: cannot create directory '%s': %s\n", ++ path, strerror(errno)); ++} ++ + void help() + { + puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d extractdir]"); +@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str + { + struct Entry* entry; + char *buf; +-char sysbuf[200]; + + while(tree) { + entry = (struct Entry*)tree->content; +@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str + buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1); + if (!buf) return; + sprintf(buf,"%s%c%s",path,DIRSEP,entry->name); +-sprintf(sysbuf,"%s %s",MKDIR,buf); + if (!qflag) printf("x - %s%c\n",buf,DIRSEP); ++if (!pflag) mkdirOrLogErr(buf); + } + else { +-sprintf(sysbuf,"%s %s",MKDIR,entry->name); + if (!qflag) printf("x - %s%c\n",entry->name,DIRSEP); ++if (!pflag) mkdirOrLogErr(entry->name); + } + +-if (!pflag) system(sysbuf); +- + if (tree->subdir!=NULL) { + if (adfChangeDir(vol,entry->name)==RC_OK) { + if (buf!=NULL) +@@ -301,21 +305,20 @@ void processFile(struct Volume *vol, cha + extractFile(vol, name, path, extbuf, pflag, qflag); + } + else { +-/* the all-in-one string : to call system(), to find the filename, the convert dir sep char ... */ +-bigstr=(char*)malloc(strlen(MKDIR)+1+strlen(path)+1+strlen(name)+1); ++bigstr=(char*)malloc(strlen(path)+1+strlen(name)+1); + if (!bigstr) { fprintf(stderr,"processFile : malloc"); return; } + + /* to build to extract path */ + if (strlen(path)>0) { +-sprintf(bigstr,"%s %s%c%s",MKDIR,path,DIRSEP,name); +-cdstr = bigstr+strlen(MKDIR)+1+str
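Review bot: the two added `#include` lines in the first Demo/unadf.c hunk show no header name in this rendering (the angle-bracketed names were most likely dropped on extraction); before upload, check that the patch file itself names the headers providing mkdir() and the S_IRWX* mode bits and errno/strerror() (sys/stat.h and errno.h on POSIX), otherwise the new mkdirOrLogErr() fails to compile or builds against implicit declarations.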
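Review bot: mkdirOrLogErr() in the hunk after `#define EXTBUFL` logs every mkdir() failure, including EEXIST, so extracting into a tree whose directories already exist prints "mkdir: cannot create directory" for each of them; the replaced `system(sysbuf)` call did the same, but since the helper is new it would be cleaner to test `errno != EEXIST` before logging, or to document the noise. The mode S_IRWXU | S_IRWXG | S_IRWXO relies entirely on the process umask, matching mkdir(1) default behaviour; a comment saying so would avoid a later "0777" review question.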
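Review bot: in the extractTree hunk the archive-supplied `entry->name` is passed to mkdirOrLogErr() (and concatenated into `buf`) without validation; moving from system() to mkdir() removes the shell interpretation (CVE-2016-1244), but a name containing DIRSEP or ".." would still create directories outside the extraction directory. That is outside the scope this patch claims, so either note it as a known limitation in the patch description or reject such names in a follow-up.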
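Review bot: the processFile hunk is cut off in this debdiff excerpt after `cdstr = bigstr+strlen(MKDIR)+1+str`, so the remainder cannot be reviewed here; since the earlier hunk removes `#define MKDIR`, the full debdiff needs to show that every remaining reference to MKDIR and every system() call in Demo/unadf.c is replaced, otherwise the build fails (or a shell-command path survives).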
Bug#1060861: RUSTSEC-2023-0078
On Mon, Jan 15, 2024 at 09:10:57PM +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Mon, Jan 15, 2024 at 08:49:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: rust-tracing
> > Version: 0.1.37-1
> > Severity: important
> > Tags: security
> > X-Debbugs-Cc: Debian Security Team
> >
> > https://rustsec.org/advisories/RUSTSEC-2023-0078.html
> > https://github.com/tokio-rs/tracing/pull/2765
> > Fixed by:
> > https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
> > (tracing-0.1.40)
>
> Please double-check but I think no Debian released version was ever
> affected. The issue is fixed in 0.1.40 already upstream, with the
> above commit (backed by
> https://rustsec.org/advisories/RUSTSEC-2023-0078.html). The issue on
> the other hand is introduced in
> https://github.com/tokio-rs/tracing/commit/3a65354837a0f176178e15787fc700dd6fa11a92
> which is first in 0.1.38.
>
> In unstable we ever had only 0.1.37-1, then moved to 0.1.40-1.

That's in fact true! Still let's update to the latest release anyway.

Cheers,
Moritz
Bug#1060861: RUSTSEC-2023-0078
Source: rust-tracing
Version: 0.1.37-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

https://rustsec.org/advisories/RUSTSEC-2023-0078.html
https://github.com/tokio-rs/tracing/pull/2765
Fixed by:
https://github.com/tokio-rs/tracing/commit/20a1762b3fd5f1fafead198fd18e469c68683721
(tracing-0.1.40)
Bug#1060407: Multiple security issues
Source: gtkwave
Version: 3.3.116-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team

A very thorough security audit of gtkwave unveiled a total of 82 security issues in gtkwave, all fixed in 3.3.118:

CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004 CVE-2023-35057 CVE-2023-35128
CVE-2023-35702 CVE-2023-35703 CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961 CVE-2023-35962 CVE-2023-35963
CVE-2023-35964 CVE-2023-35969 CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746 CVE-2023-36747 CVE-2023-36861
CVE-2023-36864 CVE-2023-36915 CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442 CVE-2023-37443 CVE-2023-37444
CVE-2023-37445 CVE-2023-37446 CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921 CVE-2023-37922 CVE-2023-37923
CVE-2023-38583 CVE-2023-38618 CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650 CVE-2023-38651 CVE-2023-38652
CVE-2023-38653 CVE-2023-38657 CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275 CVE-2023-39316 CVE-2023-39317
CVE-2023-39413 CVE-2023-39414 CVE-2023-39443 CVE-2023-39444

Let's first fix unstable and then we can simply build 3.3.118 for stable-security and oldstable-security as well.

Full details in these advisories from TALOS:
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1777
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1783
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1785
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1786
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1789
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1790
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1791
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1792
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1793
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1797
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1798
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1803
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1804
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1805
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1806
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1807
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1810
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1811
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1812
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1813
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1814
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1815
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1816
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1817
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1818
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1819
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1820
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1821
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1822
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1823
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1824
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1826
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1827

Cheers,
Moritz
Bug#1059426: bookworm-pu: package haproxy/2.6.12-1+deb12u1
On Mon, Dec 25, 2023 at 10:32:41AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: hapr...@packages.debian.org
> X-Debbugs-Cc: t...@security.debian.org
> Control: affects -1 + src:haproxy
>
> Hi,
>
> For ELTS I was fixing haproxy's CVEs CVE-2023-40225 and CVE-2023-45539,
> and I would also like to fix those for stable and oldstable.

Please don't just go ahead and prepare updates for bullseye/bookworm without prior coordination. haproxy is listed in data/dsa-needed.txt with Salvatore working on it (and in fact updates are already uploaded/built on security-master).

Cheers,
Moritz
Bug#1039990: [Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
On Fri, Dec 22, 2023 at 05:47:20PM +0100, Jérémy Lal wrote:
> On Thu, Dec 21, 2023 at 23:30, Jérémy Lal wrote:
> >
> >
> > On Thu, Dec 21, 2023 at 20:34, Moritz Mühlenhoff wrote:
> >
> >> On Thu, Dec 21, 2023 at 11:29:12AM +0100, Jérémy Lal wrote:
> >> > On Thu, Dec 21, 2023 at 10:54, Moritz Muehlenhoff wrote:
> >> >
> >> > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> >> > > > Hi,
> >> > > >
> >> > > > [CC'ing node-undici uploader]
> >> > >
> >> >
> >> > [CC-ing the good email address for node-undici uploader]
> >> >
> >> > Attached is a debdiff for a node-undici update (which backports what has
> >> > been done in testing).
> >>
> >> Looks good to me, please build with -sa (since it's the first upload
> >> to bookworm-security) and upload to security-master.
> >
> > Note that nodejs 18.19.0 doesn't need this node-undici version to be built,
> > only typescript consumers need it (when rebuilding packages in bookworm,
> > or when simply using a typescript compiler in bookworm).

Ack!

> nodejs (18.19.0+dfsg-6~deb11u1) is ready and built with -sa.

The bookworm branch looks good, but the version is wrong: Bookworm was the 12th Debian release, so this should be 18.19.0+dfsg-6~deb12u1 instead. With that change, please upload to security-master.

Cheers,
Moritz
Bug#1059259: lwip: CVE-2023-49287
On Fri, Dec 22, 2023 at 10:28:42AM +0100, Samuel Thibault wrote:
> Control: severity -1 wishlist
>
> Hello,
>
> Moritz Mühlenhoff, on Fri, Dec 22, 2023 at 10:03:28 +0100, wrote:
> > CVE-2023-49287[0]:
> > | TinyDir is a lightweight C directory and file reader. Buffer
> > | overflows in the `tinydir_file_open()` function. This vulnerability
> > | has been patched in version 1.2.6.
> >
> > https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
> > https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
> > https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
> >
> > falcosecurity-libs embeds a copy of tinydir, if it's not used to
> > open files from potentially untrusted paths, feel free to downgrade.
>
> The tinydir_file_open function is not used at all indeed.
> (and we don't ship the only lwip app that includes tinydir.h anyway)

Thanks, I'll make a note in the Debian security, then let's just close the bug, I'd say; no need to keep it open for a random change not affecting the Debian build.

Cheers,
Moritz
Bug#1039990: [Pkg-javascript-devel] Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> [CC'ing node-undici uploader]
>
> > >> Ack, let's do that. Could you prepare bookworm-security updates
> > >> based on 18.17.0 (after it has landed in unstable)?
> >
> > nodejs 18.19.0 has landed in testing.
> > It rebuilds fine in bookworm, and test-suite-during-build passes on amd64.
> >
> > It also requires "node-undici", precisely for that change:
> >
> > node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
> >
> >   * Build and publish undici-types, needed by new @types/node
> >
> > Is there a way to deal with this?
>
> Then I guess we need this as a pre-requisite upload to bookworm as well.
>
> Maybe Moritz has a better idea, but one option is to propose this
> update regularly as bookworm-pu and once it's in proposed-updates ask
> DSA to make the security chroots pick up updates from
> proposed-updates as well if we plan to release nodejs via a DSA (or otherwise
> via bookworm-pu as well).
>
> One other alternative is to make a non-security upload for
> node-undici containing that change to the security archive, which the
> nodejs update can pick.

I think we can handle it similarly to what we recently did when OpenJDK bumped its requirement for jtreg: when we have a suitable update for node-undici we upload it to security-master and the security buildds will be able to use it to build the new nodejs. And then it simply gets released along with the nodejs update.

Cheers,
Moritz
Bug#1059054: nss: CVE-2023-6135
On Wed, Dec 20, 2023 at 11:43:11AM +0900, Mike Hommey wrote:
> Version: 2:3.95-1
>
> On Tue, Dec 19, 2023 at 10:21:27PM +0100, Moritz Mühlenhoff wrote:
> > Source: nss
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for nss.
> >
> > CVE-2023-6135[0]:
> > | Multiple NSS NIST curves were susceptible to a side-channel attack
> > | known as "Minerva". This attack could potentially allow an attacker
> > | to recover the private key. This vulnerability affects Firefox <
> > | 121.
> >
> > The bug linked from
> > https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
> > is restricted, do you happen to have a commit reference for NSS itself?
>
> It was fixed via https://bugzilla.mozilla.org/show_bug.cgi?id=1861728
> and https://bugzilla.mozilla.org/show_bug.cgi?id=1863605, apparently, in
> a version that was released last month.

Thanks!

Cheers,
Moritz
Bug#1057755: Qt WebEngine Security Support In Stable
On Fri, Dec 15, 2023 at 10:39:04AM +0200, Adrian Bunk wrote:
> > That is a good point. However, I consider full coverage of security support
> > for stable to be an improvement over the current situation. Explicitly
> > stating that security support is not shipped for oldstable does not do any
> > more harm to users than what we currently do by explicitly stating that
> > security support is not shipped for either stable or oldstable.
>
> From a policy point of view, the duration of security support is a
> Debian-wide policy and not a per-package policy.
>
> From a user point of view, an organization/company running Debian on
> their user/employee desktops would not schedule upgrades to a new
> stable on release day - 1 year of migration time is really necessary.

We already set some tighter deadlines; Chromium security support will also end six months after the release of the next stable release. But I agree with the general sentiment that this is too much work to directly commit to full security support. A first step would be to initially commit to rebasing to the latest LTS release in every point release. That would already be an improvement.

Cheers,
Moritz
Bug#1058624: CVE-2023-5616: if sshd is enabled but socket-activated, control-center will say it's disabled
Hi Simon,

> Unless the security team have reasons to want this to be treated as
> urgent, I would suggest that instead of rushing to apply Ubuntu's
> solution, we should see what happens upstream, and then follow that in
> Debian when the dust has settled.

Agreed, this isn't an issue we need to rush a fix for.

Cheers,
Moritz
Bug#1057418: Mark consul as EOLed in Bullseye
Source: debian-security-support
Version: 1:13+2023.09.27
Severity: wishlist

Hashicorp changed the license of Consul and MPLed patches are only provided until Dec 31. As such, it has been removed from unstable and needs to be EOLed for bullseye (removal from bullseye isn't simple, it would require source uploads to packages like Prometheus currently building with Consul support).
Bug#1057343: Processed: Re: Bug#1057315: tiles: CVE-2023-49735
On Mon, Dec 04, 2023 at 09:13:41AM +, Holger Levsen wrote:
> Hi Salvatore,
>
> thanks for your continuous work on Debian security!
>
> On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote:
> > > clone -1 -2 -3
> > Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> > Bug 1057315 cloned as bugs 1057342-1057343
> > > retitle -2 tiles: Add README.Debian.security to document support status
> > > reassign -3 src:debian-security-support
> > > retitle -3 Mark tiles as only supported for building applications shipped
> > > in Debian
>
> ack & this starts when? with 3.0.7-4 in buster? or 20231204? or?

The note to EOL libspring-java is only in Bookworm, so this is only needed for Bookworm as well. For Buster, Spring is marked as EOLed, so it should probably just use the same; I'll let someone from Debian LTS chime in.

Cheers,
Moritz
Bug#1057315: tiles: CVE-2023-49735
Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> The project is dead-upstream TTBOMK, so not sure if/what we can do at
> all for this issue. Removal seems not possible as per:
>
> carnil@respighi:~$ dak rm --suite=unstable -n -R tiles
> Will remove the following packages from unstable:
>
>      libtiles-java |    3.0.7-5 | all
>  libtiles-java-doc |    3.0.7-5 | all
>              tiles |    3.0.7-5 | source
>
> Maintainer: Debian Java Maintainers
>
> --- Reason ---
>
> --
>
> Checking reverse dependencies...
> # Broken Build-Depends:
> libspring-java: libtiles-java (>= 3.0)
>
> Dependency problem found.
>
> carnil@respighi:~$
>
> But maybe we can set it as "no-dsa", is it only used as build
> dependency for libspring-java and not sensible outside?

Spring is already marked as unsupported, so we can simply extend that.

Cheers,
Moritz