Bug#697936: [htcondor-debian] Bug#697936: condor: CVE-2012-5390: possible privilege escalation

2013-01-11 Thread Jaime Frey
On Jan 11, 2013, at 8:45 AM, Salvatore Bonaccorso car...@debian.org wrote:

> Hi
>
> I have submitted this as grave severity, but could you double check if
> this is actually a problem for condor in Debian?
>
> [1]: http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html
>
> Regards,
> Salvatore


This security vulnerability only affects Condor's standard universe, which is 
disabled in the Debian package. Thus, the Debian package of Condor is 
unaffected.

Thanks and regards,
Jaime Frey
UW-Madison HTCondor Project


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#690556: [condor-debian] Bug#690556: condor: CVE-2012-4462

2012-10-15 Thread Jaime Frey
On Oct 15, 2012, at 9:01 AM, Moritz Muehlenhoff j...@inutil.org wrote:

> Package: condor
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4462 for
> details and a patch.


This bug only affects the Aviary contrib module, which isn't built in the 
Debian condor package. 

Thanks and regards,
Jaime Frey
UW-Madison Condor Team





Bug#688210: [condor-debian] Bug#688210: condor: Multiple security issues

2012-09-20 Thread Jaime Frey
On Sep 20, 2012, at 5:50 AM, Moritz Muehlenhoff j...@inutil.org wrote:

> Package: condor
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493


These security issues have been fixed in the just-released Condor 7.8.4.

Michael, here are the commit hashes in the Condor git repo for the fixes:
CVE-2012-3490: 94e84ce4
CVE-2012-3491: 1fff5d40
CVE-2012-3492: 1db67805
CVE-2012-3493: d2f33972

For Debian testing, I believe we want to create a new Condor 7.8.2 package with 
just these changes. Can you prepare that? I can offer whatever assistance you 
require.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team





Bug#688210: condor: Multiple security issues

2012-09-20 Thread Jaime Frey
On Sep 20, 2012, at 1:46 PM, Michael Hanke m...@debian.org wrote:

> On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> > These security issues have been fixed in the just-released Condor 7.8.4.
> >
> > Michael, here are the commit hashes in the Condor git repo for the fixes:
> > CVE-2012-3491: 1fff5d40
> > CVE-2012-3493: d2f33972
>
> These two do not apply cleanly against 7.8.2:
>
> Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
> patching file src/condor_schedd.V6/schedd.cpp
> Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
> Hunk #2 FAILED at 10251.
> 1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
> patching file src/condor_schedd.V6/scheduler.h
> Hunk #1 FAILED at 291.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
> Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply (enforce with -f)
>
>
> Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
> patching file src/condor_startd.V6/command.cpp
> Hunk #1 succeeded at 624 (offset 79 lines).
> patching file src/condor_startd.V6/command.h
> Hunk #1 FAILED at 83.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
> patching file src/condor_startd.V6/startd_main.cpp
> Hunk #1 succeeded at 267 (offset -6 lines).
> Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply (enforce with -f)
>
>
> Before I dig deeper, could you please confirm that cherry-picking the
> four commits alone will fully address the security vulnerabilities? If
> that is the case, it seems that at least one more commit is missing.
>
> Looking into the 7.8 branch in the condor repo, it seems that quite a
> bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
> stable maintenance branch) whether it wouldn't be a better idea to aim
> for an upload of 7.8.4 as a whole. Is there something in it that is not
> a bugfix of some kind?


The commits were made on the V7_6-branch, then merged into the V7_8-branch. We 
had to manually resolve conflicts during the merge, as the affected code had 
been modified during the 7.7.x series. Thus, there's no commit that can be 
cleanly cherry-picked. I can provide patch files that will apply cleanly.

We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. 
I would prefer it if we could get it into Debian Testing as well, but I thought 
we were too far into the freeze for that.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team

