Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-29 Thread Bastian Blank
Hi Guido

On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> * the complete removal of tools/ioemu-qemu-xen - guess this was unused
>   anyway for quite some time, right?

I have no idea and found not one reference to that folder.

> * there are some XSA related patches in debian/patches. Will these move
>   into
>   https://github.com/credativ/xen-lts/
>   eventually?

I think I forgot to delete some.  The rest most likely won't as it is
either qemu or libxl.

> If Brian has no objections feel free to upload. Please let me know once
> done so I can then release the DLA (in case you don't want to handle it
> yourself).

I have no idea how to do that yet.  So feel free.

Regards,
Bastian

-- 
I have never understood the female capacity to avoid a direct answer to
any question.
-- Spock, "This Side of Paradise", stardate 3417.3



Re: Wheezy update of collectd?

2016-07-29 Thread Lucas Kanashiro


On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> On 07/28/2016 05:02 PM, Sebastian Harl wrote:
>> Thanks. I updated dla-needed.
>>
>> The fixed packages are ready for upload now. Please find the full
>> debdiff (source and binary) attached to this email. Note that the
>> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
>> package provided by iptables (which is a dependency already).
>> Apparently, there was some change after the original wheezy upload
>> that's causing this to now show up.
>>
>> Similar, the new dependency on zlib1g shouldn't make a difference
>> either. The package has priority=required. Not sure why it's now showing
>> up in the dependencies but didn't previously.
>>
>> I'll wait for your "Go" to actually upload the package.
> Sure, until tomorrow I'll try to test it and give you a feedback.
>

LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
chroot and it worked well. I used the package a little bit and it seems good.
I did not try to exploit the vulnerabilities.

Cheers.

-- 
Lucas Kanashiro
8ED6 C3F8 BAC9 DB7F C130  A870 F823 A272 9883 C97C






Re: Wheezy update of lighttpd?

2016-07-29 Thread Krzysztof Krzyżaniak



On Thu, 28 Jul 2016 at 22:36, Thorsten Alteholz wrote:

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of lighttpd:
https://u2049412.ct.sendgrid.net/wf/click?upn=d8cswn-2BnEH-2B7WbzLTEgT0MwTDeeKLsGDNIFV8KJZfrObNDv7NlR2TXTQRF-2FT59yQyGoM1zhUfPWEKNxawFq6-2F7DsjV1i7zi2r-2BYSkImPAEc-3D_GA3tWWLb1-2FLi-2BYT1t27j3D5iLcxG3FSys-2FMcFbz-2BegpSqSKuj8M9170MXC5pAVPT5LLoF76nSlQ6lUKohx2EQ9dGKoq5YdK-2FRMMmo32VylONnGswjmO-2B65yC2LEgsdtcltg0roJSRyXo-2Fg3BY9mkkR8798bTFLuWyurQAISRE4mhXtdgwP-2FFLgf6UVIu564S90ixPSPyncgZ-2BPkwTrLOEOfMLknauzOIMgzTs-2FBuy2s-3D

Would you like to take care of this yourself?


I don't have any Wheezy of my own. I would need to install it on some 
VM; I think I could maybe do this over the weekend. So if you have 
someone else to do it faster, feel free to do it.


 eloy


Re: Wheezy update of collectd?

2016-07-29 Thread Sebastian Harl
On Fri, Jul 29, 2016 at 09:43:39AM -0300, Lucas Kanashiro wrote:
> On 07/28/2016 05:55 PM, Lucas Kanashiro wrote:
> > On 07/28/2016 05:02 PM, Sebastian Harl wrote:
> >> Thanks. I updated dla-needed.
> >>
> >> The fixed packages are ready for upload now. Please find the full
> >> debdiff (source and binary) attached to this email. Note that the
> >> (seemingly) added dependency on libxtables7 is a no-op. It's a virtual
> >> package provided by iptables (which is a dependency already).
> >> Apparently, there was some change after the original wheezy upload
> >> that's causing this to now show up.
> >>
> >> Similar, the new dependency on zlib1g shouldn't make a difference
> >> either. The package has priority=required. Not sure why it's now showing
> >> up in the dependencies but didn't previously.
> >>
> >> I'll wait for your "Go" to actually upload the package.
> > Sure, until tomorrow I'll try to test it and give you a feedback.
> >
> 
> LGTM, I rebuilt the package and tested the upgrade in a clean wheezy
> chroot and it worked well. I used the package a little bit and it seems good.
> I did not try to exploit the vulnerabilities.

Cheers! Uploaded to security-master.

Sebastian

-- 
Sebastian "tokkee" Harl +++ GnuPG-ID: 0x2F1FFCC7 +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin





Accepted xmlrpc-epi 0.54.2-1+deb7u1 (source amd64) into oldstable

2016-07-29 Thread Thorsten Alteholz

Format: 1.8
Date: Fri, 29 Jul 2016 19:03:02 +0200
Source: xmlrpc-epi
Binary: libxmlrpc-epi-dev libxmlrpc-epi0 libxmlrpc-epi0-dbg
Architecture: source amd64
Version: 0.54.2-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Robin Cornelius 
Changed-By: Thorsten Alteholz 
Description: 
 libxmlrpc-epi-dev - Development files for libxmlrpc-epi0, a XML-RPC request library
 libxmlrpc-epi0 - XML-RPC request serialisation/deserialisation library
 libxmlrpc-epi0-dbg - Debug symbols for libxmlrpc-epi0, a XML-RPC request library
Changes: 
 xmlrpc-epi (0.54.2-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Wheezy LTS Team.
   * CVE-2016-6296.patch
     Integer signedness error in the simplestring_addn function in
     simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP
     before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows
     remote attackers to cause a denial of service (heap-based buffer
     overflow) or possibly have unspecified other impact via a long
     first argument to the PHP xmlrpc_encode_request function.
Checksums-Sha1: 
 4b5c737cf745cb796b54c70561bbadb2eed5ef2e 2202 xmlrpc-epi_0.54.2-1+deb7u1.dsc
 256a790a6e2a61dc8cd6f99b7fb9c61543e3a3aa 526416 xmlrpc-epi_0.54.2.orig.tar.gz
 b25afc8d4b4840c7f7d92b1afcbee8a8c4abb013 6940 xmlrpc-epi_0.54.2-1+deb7u1.diff.gz
 7af3a3ce544275b58cd5e906ddf4cd51a732ef77 54920 libxmlrpc-epi-dev_0.54.2-1+deb7u1_amd64.deb
 bc4ba308f0f5f123fd71244c0a572a4d3fa2142b 40990 libxmlrpc-epi0_0.54.2-1+deb7u1_amd64.deb
 8ba21bb768ad37932371ebb8b568cc78350fb41b 81962 libxmlrpc-epi0-dbg_0.54.2-1+deb7u1_amd64.deb
Checksums-Sha256: 
 bc4e4e3399b18408dccab073967545afd16c5ab7e348d6c5436bb537adf5ccda 2202 xmlrpc-epi_0.54.2-1+deb7u1.dsc
 397b60f39b51a339a2e505da1b9721a31c3e073aaac6c565de240f4e5356cf13 526416 xmlrpc-epi_0.54.2.orig.tar.gz
 6585af6b3a774240dbad18b55f21cb7eb5c44cdcd03a423139c0943d90f355ee 6940 xmlrpc-epi_0.54.2-1+deb7u1.diff.gz
 abc5cf3e674ff4527d4055044f0799150fff8cb0beebb4f982c4ee44c074f560 54920 libxmlrpc-epi-dev_0.54.2-1+deb7u1_amd64.deb
 bcdbfe121eb7e1339589fdb206ba3731af42a4e70afa1fbf9febbb192c30b552 40990 libxmlrpc-epi0_0.54.2-1+deb7u1_amd64.deb
 88f1450e702517de8a8c962454b7970b596dd95a260def79bfd89c499506a7e9 81962 libxmlrpc-epi0-dbg_0.54.2-1+deb7u1_amd64.deb
Files: 
 2ce6a68a14d734f2ae77743bd4db759d 2202 libs extra xmlrpc-epi_0.54.2-1+deb7u1.dsc
 ea69b51ce4dbdb1a7223e287a4a96a49 526416 libs extra xmlrpc-epi_0.54.2.orig.tar.gz
 b26fd4eb0a170e1ecea3f235a3cef8b4 6940 libs extra xmlrpc-epi_0.54.2-1+deb7u1.diff.gz
 2ad3c86cba6c256616e6827d863c469e 54920 libdevel extra libxmlrpc-epi-dev_0.54.2-1+deb7u1_amd64.deb
 f899980f614ca812fcd4bed729997f43 40990 libs extra libxmlrpc-epi0_0.54.2-1+deb7u1_amd64.deb
 118e6a11bf110b2a50be0bea66418c31 81962 debug extra libxmlrpc-epi0-dbg_0.54.2-1+deb7u1_amd64.deb

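The changelog entry above describes an integer signedness error in a string-append routine: a length that arrives as a signed int defeats the "do I need more room?" test and the copy that follows runs past the heap block. The C program below is an added illustration of that bug class and of the hardened form; it is not xmlrpc-epi's simplestring.c, and the `sstr` type, `vuln_needs_grow` and `safe_addn` are hypothetical names chosen for the demonstration. The vulnerable check is reduced to a pure predicate so it can be run without performing the bad write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string, shaped like the one the CVE text describes. */
typedef struct {
    char  *str;
    size_t len;   /* bytes in use, excluding the NUL terminator */
    size_t size;  /* bytes allocated */
} sstr;

/*
 * The vulnerable pattern, reduced to the growth test so it can be exercised
 * safely. add_len is a signed int: a caller length above INT_MAX arrives here
 * as a negative number, the sum len + add_len + 1 comes out no larger than
 * len, the test answers "no", and the memcpy that follows in the real pattern
 * copies (size_t)add_len bytes, i.e. gigabytes, past the end of the block.
 */
static bool vuln_needs_grow(size_t len, size_t size, int add_len)
{
    return len + add_len + 1 > size;   /* add_len is converted to size_t */
}

/*
 * Hardened append: unsigned length, wrap-around checks on every addition,
 * and a boolean result so the caller can refuse oversized input instead of
 * silently corrupting the heap.
 */
static bool safe_addn(sstr *t, const char *src, size_t add_len)
{
    if (t == NULL || src == NULL)
        return false;
    if (t->len >= SIZE_MAX - 1 || add_len > SIZE_MAX - t->len - 1)
        return false;                       /* len + add_len + 1 would wrap */
    size_t need = t->len + add_len + 1;
    if (need > t->size) {
        size_t newsize = t->size ? t->size : 64;
        while (newsize < need) {
            if (newsize > SIZE_MAX / 2)
                return false;               /* doubling would wrap */
            newsize *= 2;
        }
        char *p = realloc(t->str, newsize);
        if (p == NULL)
            return false;
        t->str  = p;
        t->size = newsize;
    }
    memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = '\0';
    return true;
}

int main(void)
{
    /* -1 stands in for a 4 GiB length that was narrowed to int. */
    printf("vulnerable check asks for growth: %s\n",
           vuln_needs_grow(5, 64, -1) ? "yes" : "no (bug)");

    sstr s = { NULL, 0, 0 };
    safe_addn(&s, "hello", 5);
    safe_addn(&s, " world", 6);
    printf("safe append: \"%s\" (len %zu, size %zu)\n", s.str, s.len, s.size);
    printf("oversized append rejected: %s\n",
           safe_addn(&s, "x", SIZE_MAX - 1) ? "no" : "yes");
    free(s.str);
    return 0;
}
```

The point of `safe_addn` is not the doubling strategy but the two checks before any arithmetic is trusted: the length is unsigned, and every addition is tested against SIZE_MAX before it is performed. A caller that is handed the length as an int (as the PHP binding in the CVE text was) must reject negative values before it ever reaches a routine like this.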



Accepted collectd 5.1.0-3+deb7u1 (source amd64 all) into oldstable

2016-07-29 Thread Sebastian Harl

Format: 1.8
Date: Thu, 28 Jul 2016 20:52:12 +0200
Source: collectd
Binary: collectd-core collectd collectd-utils collectd-dbg collectd-dev libcollectdclient-dev libcollectdclient0
Architecture: source amd64 all
Version: 5.1.0-3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Sebastian Harl 
Changed-By: Sebastian Harl 
Description:
 collectd   - statistics collection and monitoring daemon
 collectd-core - statistics collection and monitoring daemon (core system)
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
 collectd-utils - statistics collection and monitoring daemon (utilities)
 libcollectdclient-dev - client library for collectd's control interface (development files)
 libcollectdclient0 - client library for collectd's control interface
Closes: 832507 832577
Changes:
 collectd (5.1.0-3+deb7u1) wheezy-security; urgency=high
 .
   * debian/patches/CVE-2016-6254.dpatch: Fix heap overflow in the network
     plugin. Emilien Gaspar has identified a heap overflow in parse_packet(),
     the function used by the network plugin to parse incoming network packets.
     Thanks to Florian Forster for reporting the bug in Debian.
     (Closes: #832507, CVE-2016-6254)
   * debian/patches/bts832577-gcry-control.dpatch: Fix improper usage of
     gcry_control. A team of security researchers at Columbia University and
     the University of Virginia discovered that GCrypt's gcry_control is
     sometimes called without checking its return value for an error. This may
     cause the program to be initialized without the desired, secure settings.
     (Closes: #832577)
Checksums-Sha1:
 64747c23eae5eb7bc8f35db2cc239f041311d055 3303 collectd_5.1.0-3+deb7u1.dsc
 55f17b17a10710641a9bf4e8c5332cef661cafcd 1630323 collectd_5.1.0.orig.tar.gz
 9d6b74cf6787c65de447b87f755bdd9db90efdb3 71842 collectd_5.1.0-3+deb7u1.diff.gz
 8b927cb22580623f421f3a955b03dd00d2451934 920374 collectd-core_5.1.0-3+deb7u1_amd64.deb
 18b84f4911ac99f466c978e30a2bfa29654079ec 76722 collectd_5.1.0-3+deb7u1_amd64.deb
 3b6c299b1c15bc03ddeb2b4ffb73530b541c3a46 88328 collectd-utils_5.1.0-3+deb7u1_amd64.deb
 3275cd70e383366031c6f3635784e8be195482d0 1348782 collectd-dbg_5.1.0-3+deb7u1_amd64.deb
 863208f7ff2c5946991b0ab7dddcd47c4464fb2b 71308 libcollectdclient-dev_5.1.0-3+deb7u1_amd64.deb
 0676fefeb907e5e30daf0612e0f0e8b4d8c37b96 78338 libcollectdclient0_5.1.0-3+deb7u1_amd64.deb
 2bc4a45c6a9486e873e74edfde4226f9b2bea3ce 114422 collectd-dev_5.1.0-3+deb7u1_all.deb
Checksums-Sha256:
 7635d9a3981b78dde6a9e58e99836ba45166434f41bac2f7875a7e3309de1b31 3303 collectd_5.1.0-3+deb7u1.dsc
 8e06c03c5467f3021565570fc86c931a43579aa6dad25ca5999d66850cd19927 1630323 collectd_5.1.0.orig.tar.gz
 dc924d44e65302e17512cbca3361cf4c3a1ff41431a25ab19711e0b6cda4dca2 71842 collectd_5.1.0-3+deb7u1.diff.gz
 f031ec20e79100b9feae404df31a9848e1afd6b83be3bd47e73a58c14997484f 920374 collectd-core_5.1.0-3+deb7u1_amd64.deb
 5bea8af8dc991d7e23f374ae44b7ada1e61cd6a1a5cbf7006f13e29d508f4c8b 76722 collectd_5.1.0-3+deb7u1_amd64.deb
 ca032e55d0cf251fe554ae835aac57150b5c7aec8d42daba6497463499b077d5 88328 collectd-utils_5.1.0-3+deb7u1_amd64.deb
 a1fdb6926a408d381bc2c8894980ba693fb13596ec0e639819225a0067018479 1348782 collectd-dbg_5.1.0-3+deb7u1_amd64.deb
 c627d6682efe4e8ce92c25a025e97ca95a097938132c6459e6663d126f4690ec 71308 libcollectdclient-dev_5.1.0-3+deb7u1_amd64.deb
 af08e5e13b013bee5c54e7b6e7ca44f98a188b34dde663f62d31459eb350a259 78338 libcollectdclient0_5.1.0-3+deb7u1_amd64.deb
 4cfc3ca2e6d40af92e11d01041c1a3e9c9f3fda35b5163c066d2144f20fc1b0c 114422 collectd-dev_5.1.0-3+deb7u1_all.deb
Files:
 ec071b3432a457be7aa92ddb40f19c45 3303 utils optional collectd_5.1.0-3+deb7u1.dsc
 adc58a0d448a359ecf737da9398898c6 1630323 utils optional collectd_5.1.0.orig.tar.gz
 ab73adf73860a69a8364df763cc12f74 71842 utils optional collectd_5.1.0-3+deb7u1.diff.gz
 528422ef617cf31a6574bd5e45078416 920374 utils optional collectd-core_5.1.0-3+deb7u1_amd64.deb
 b47a4d2cef9e24eb4f4cff095a1e06ed 76722 utils optional collectd_5.1.0-3+deb7u1_amd64.deb
 b7581b8b7fdb55310b6347b37b3cb1af 88328 utils optional collectd-utils_5.1.0-3+deb7u1_amd64.deb
 57a731459c918d1f50cec11c5eaec64a 1348782 debug extra collectd-dbg_5.1.0-3+deb7u1_amd64.deb
 90eebe78d6a2121ee0e4d74a70827e6c 71308 libdevel optional libcollectdclient-dev_5.1.0-3+deb7u1_amd64.deb
 2cce4f4bed850b8083686d30de1707bf 78338 libs optional libcollectdclient0_5.1.0-3+deb7u1_amd64.deb
 0f0da4202c516238a9f02a669e4f51ef 114422 utils optional collectd-dev_5.1.0-3+deb7u1_all.deb

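The first changelog entry above names a heap overflow in parse_packet(), the routine that walks the parts of an incoming collectd network packet. The C program below is an added example, not collectd's own code, of how a length-prefixed part parser of that kind should bound every length before a single payload byte is copied. It assumes the part layout of the collectd binary protocol (a 16-bit big-endian type, a 16-bit big-endian length that counts the 4-byte header itself, then the payload); the type codes 0x0000 for host and 0x0002 for plugin are taken from memory and should be treated as assumed, and the sample datagram, `next_part`, `parse_packet` and `vuln_payload_len` are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PART_HDR    4     /* 16-bit type + 16-bit length, both big-endian */
#define MAX_PAYLOAD 256   /* upper bound we are willing to copy per part */

/* Assumed type codes for the two parts used in the sample below. */
#define TYPE_HOST   0x0000
#define TYPE_PLUGIN 0x0002

typedef struct {
    uint16_t type;
    size_t   payload_len;
    char     payload[MAX_PAYLOAD + 1];   /* copied out, NUL-terminated */
} part_t;

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * The unsafe arithmetic in isolation: if the length field is trusted to be at
 * least PART_HDR, "length - PART_HDR" is computed in int, goes negative for a
 * length of 0..3 and, once used as a size_t copy length, becomes enormous.
 */
static size_t vuln_payload_len(uint16_t length)
{
    return (size_t)(length - PART_HDR);
}

/*
 * Parse one part from buf. Returns the number of bytes consumed, or 0 when the
 * part is malformed. Every bound is checked before any byte of payload moves.
 */
static size_t next_part(const uint8_t *buf, size_t remaining, part_t *out)
{
    if (remaining < PART_HDR)
        return 0;                               /* no room for a header */
    uint16_t length = be16(buf + 2);
    if (length < PART_HDR)
        return 0;                               /* would wrap, see above */
    if (length > remaining)
        return 0;                               /* would read past datagram */
    size_t plen = (size_t)length - PART_HDR;
    if (plen > MAX_PAYLOAD)
        return 0;                               /* would overflow out->payload */
    out->type        = be16(buf);
    out->payload_len = plen;
    memcpy(out->payload, buf + PART_HDR, plen);
    out->payload[plen] = '\0';
    return length;
}

/*
 * Walk all parts of a datagram. Stops at the first malformed part; *ok tells
 * the caller whether the whole buffer was consumed cleanly, which is the
 * signal to discard the packet rather than act on a partial parse.
 */
static size_t parse_packet(const uint8_t *buf, size_t size,
                           part_t *parts, size_t max_parts, bool *ok)
{
    size_t n = 0;
    while (size > 0 && n < max_parts) {
        size_t used = next_part(buf, size, &parts[n]);
        if (used == 0) {
            *ok = false;
            return n;
        }
        buf  += used;
        size -= used;
        n++;
    }
    *ok = (size == 0);
    return n;
}

/* Constructed sample datagram: a host part, a plugin part, then a part whose
 * length field (2) is smaller than its own header. */
static const uint8_t sample_bad[] = {
    0x00, 0x00, 0x00, 0x10, 'h','o','s','t','.','e','x','a','m','p','l','e',
    0x00, 0x02, 0x00, 0x07, 'c','p','u',
    0x00, 0x05, 0x00, 0x02
};

int main(void)
{
    part_t parts[8];
    bool ok;
    size_t n = parse_packet(sample_bad, sizeof sample_bad, parts, 8, &ok);
    printf("parsed %zu part(s), packet %s\n", n, ok ? "clean" : "rejected");
    for (size_t i = 0; i < n; i++)
        printf("  type 0x%04x: \"%s\"\n", parts[i].type, parts[i].payload);
    printf("naive payload length for length field 2: %zu\n",
           vuln_payload_len(2));
    return 0;
}
```

Three separate checks are needed, and dropping any one of them reopens a hole: the header must fit in what remains, the length must be at least the header size (otherwise the payload size wraps), and the length must not exceed what remains (otherwise the copy reads past the datagram). The second changelog entry, an unchecked gcry_control() return value, is the same discipline applied to a library call: `next_part` and `parse_packet` report failure through their return value and `*ok` precisely so that a caller cannot proceed on a half-parsed packet.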

[SECURITY] [DLA 570-1] kde4libs security update

2016-07-29 Thread Balint Reczey

Package: kde4libs
Version: 4:4.8.4-4+deb7u2
CVE ID : CVE-2016-6232
Debian Bug : 832620


A specially prepared tar file could trick kde4libs's KArchiveDirectory::copyTo()
function into extracting files outside of the extraction folder, to arbitrary
locations on the system.

For Debian 7 "Wheezy", this problem has been fixed in version
4:4.8.4-4+deb7u2.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
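The advisory above concerns an archive entry whose name resolves outside the extraction directory. As an added example (not kde4libs' KArchiveDirectory::copyTo(), whose internals the advisory does not show), here is a C routine that normalises an entry name component by component and refuses anything that would land outside the destination; `safe_extract_path`, the destination `/tmp/extract` and the sample entry names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/*
 * Normalise an archive entry name and join it to dest. Returns false when the
 * entry would land outside dest: absolute names, or a ".." that climbs above
 * the top of the archive. "." and empty components are dropped and "a/.."
 * collapses. dest is trusted as given (absolute, no trailing slash) and is
 * never walked itself.
 */
static bool safe_extract_path(const char *dest, const char *entry,
                              char *out, size_t outlen)
{
    if (dest == NULL || entry == NULL || entry[0] == '/')
        return false;
    const char *comp[MAX_DEPTH];
    size_t      clen[MAX_DEPTH];
    size_t      depth = 0;
    const char *p = entry;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t n = slash ? (size_t)(slash - p) : strlen(p);
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* "" or ".": no-op */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;          /* would climb out of dest */
            depth--;
        } else {
            if (depth == MAX_DEPTH)
                return false;
            comp[depth] = p;
            clen[depth] = n;
            depth++;
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    if (depth == 0)
        return false;                  /* resolves to dest itself: nothing to write */
    size_t pos = strlen(dest);
    if (pos >= outlen)
        return false;
    memcpy(out, dest, pos);
    for (size_t i = 0; i < depth; i++) {
        if (pos + 1 + clen[i] + 1 > outlen)   /* '/' + component + NUL */
            return false;
        out[pos++] = '/';
        memcpy(out + pos, comp[i], clen[i]);
        pos += clen[i];
    }
    out[pos] = '\0';
    return true;
}

int main(void)
{
    /* Constructed entry names, including the traversal shapes an attacker tries. */
    const char *entries[] = {
        "docs/readme.txt", "./a/../b", "../../etc/passwd", "/etc/passwd", "a/../../x"
    };
    char out[256];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        bool ok = safe_extract_path("/tmp/extract", entries[i], out, sizeof out);
        printf("%-20s -> %s\n", entries[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

A lexical check like this is necessary but not sufficient: if an earlier entry in the same archive created a symlink inside the destination that points elsewhere, a later entry written through that link still escapes. A real extractor must also refuse to follow symlinks when it opens the target (for example by opening relative to a directory descriptor with O_NOFOLLOW) or reject symlink entries outright, and it must apply the same rule to hard links.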



Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-29 Thread Holger Levsen
Hi,

while I'm glad that the xen upload will finally happen soon…

On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> > If Brian has no objections feel free to upload. Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > yourself).
> I have no idea how to do that yet.  So feel free.
 
It's documented really well. I'd be quite disappointed if we'd delegate
this to credativ and you don't manage to do the uploads yourself…


-- 
cheers,
Holger




Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-29 Thread Holger Levsen
On Fri, Jul 29, 2016 at 10:56:28PM +, Holger Levsen wrote:
> while I'm glad that the xen upload will finally happen soon…

oh, the joys of catching up on mails and reading not all mail before
replying… in other words: thanks for the upload, Waldi! (+sorry for
assuming the worst.)


-- 
cheers,
Holger




Re: CVE-2016-2313 fix wrong

2016-07-29 Thread Emilio Pozuelo Monfort
On 28/07/16 14:59, Matus UHLAR - fantomas wrote:
>> On 28/07/16 13:35, Matus UHLAR - fantomas wrote:
>>> i believe the fix for CVE-2016-2313 in
>>> CVE-2016-2313-authentication-bypass.patch is invalid.
> 
> On 28.07.16 14:26, Emilio Pozuelo Monfort wrote:
>> Thanks for the report. I'll look at it later today.
> 
> I have posted cacti bug http://bugs.cacti.net/view.php?id=2697
> and attached patch
> http://bugs.cacti.net/file_download.php?file_id=1229=bug
> 
> that should fix the issue. The patch is to be applied to "fixed" version
> in debian

The patch looks sensible to me, but I'd like to give upstream a few days to 
comment.

BTW you may want to send a pull request at https://github.com/Cacti/cacti

Cheers,
Emilio