Re: OpenSSL for wheezy

2016-09-23 Thread Kurt Roeckx
On Fri, Sep 23, 2016 at 09:43:03PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Sep 23, 2016 at 09:38:10PM +0200, Kurt Roeckx wrote:
> > So I would like to just upload the 1.0.1u version to
> > wheezy-security.  If nobody complains that is what I will do.
> 
> Then the version number in jessie would be lower than in wheezy,
> breaking updates.

It would be the version from jessie with a different number ...


Kurt



Re: Wheezy update for qemu ?

2016-09-23 Thread Guido Günther
Hi Hugo,
On Fri, Sep 23, 2016 at 11:08:20AM +0200, Hugo Lefeuvre wrote:
> Hi,
> 
> I've had a look at the latest security issues for qemu, and it's quite
> unclear to me that qemu is affected by CVE-2016-7466 in wheezy. The affected
> source code seems to be absent, and the issue looks hard to reproduce.

The Wheezy version lacks usb_xhci_exit completely. Isn't that a much
bigger leak? Did you try to unplug/replug xhci and see if it leaks?

> Concerning CVE-2016-7170, an upstream approved patch has been released,
> and it may apply with some adaptations on the wheezy version. Should I
> prepare a qemu update only for this little patch?

I always feel more comfortable with these things fixed than unfixed.
Cheers,
 -- Guido

> 
> Otherwise, I'd like to mark it as non-dsa.
> 
> Regards,
>  Hugo
> 
> -- 
>  Hugo Lefeuvre (hle)|www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




Wheezy update for qemu ?

2016-09-23 Thread Hugo Lefeuvre
Hi,

I've had a look at the latest security issues for qemu, and it's quite
unclear to me that qemu is affected by CVE-2016-7466 in wheezy. The affected
source code seems to be absent, and the issue looks hard to reproduce.

Concerning CVE-2016-7170, an upstream approved patch has been released,
and it may apply with some adaptations on the wheezy version. Should I
prepare a qemu update only for this little patch? 

Otherwise, I'd like to mark it as non-dsa.

Regards,
 Hugo

-- 
 Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E




[SECURITY] [DLA 634-1] dropbear security update

2016-09-23 Thread Chris Lamb
Package: dropbear
Version: 2012.55-1.3+deb7u1
CVE IDs: CVE-2016-7406 CVE-2016-7407

It was discovered that there were two issues in dropbear, a lightweight SSH2
server and client:

 - CVE-2016-7406: Potential issues in exit message formatting.
 - CVE-2016-7407: Overflows when parsing OpenSSH's ASN.1 key format.

For Debian 7 "Wheezy", this issue has been fixed in dropbear version
2012.55-1.3+deb7u1.

We recommend that you upgrade your dropbear packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




OpenSSL for wheezy

2016-09-23 Thread Kurt Roeckx
Hi,

The version in wheezy-security is currently 1.0.1e-2+deb7u21.
Recently I've changed the jessie version from 1.0.1k to 1.0.1t
without any problem.

Supporting the 1.0.1e now requires a great deal of extra work
because the patches just don't apply.  If it's not because of the
reformatting of the code, it's because various other bugs in the
same code got fixed over the years.

So I would like to just upload the 1.0.1u version to
wheezy-security.  If nobody complains that is what I will do.


Kurt



Re: OpenSSL for wheezy

2016-09-23 Thread Moritz Mühlenhoff
On Fri, Sep 23, 2016 at 09:38:10PM +0200, Kurt Roeckx wrote:
> So I would like to just upload the 1.0.1u version to
> wheezy-security.  If nobody complains that is what I will do.

Then the version number in jessie would be lower than in wheezy,
breaking updates.

Cheers,
Moritz
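The ordering problem Moritz raises, as an added example that is not taken from the thread: a Python re-implementation of dpkg's version comparison (the Debian Policy algorithm behind `dpkg --compare-versions`), used to check whether a candidate wheezy version still sorts below jessie's. The jessie version 1.0.1t-1+deb8u4 and the candidate wheezy versions 1.0.1u-1+deb7u1 and 1.0.1t-1+deb7u1 are constructed for illustration; only 1.0.1e-2+deb7u21 comes from the thread.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg's weight for a non-digit character: '~' sorts before everything,
    # even the end of the string; letters sort before other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Split into alternating (non-digit, digit) runs, e.g. "1.0.1e" ->
    # ("",1) (".",0) (".",1) ("e",0), each made sortable; the trailing 0
    # in the character tuple is what makes "~" sort below an empty run.
    key = []
    for letters, digits in re.findall(r"(\D*)(\d*)", part):
        if letters or digits:
            key.append((tuple(map(_order, letters)) + (0,), int(digits or 0)))
    return key

def _cmp(x, y):
    for kx, ky in zip_longest(_key(x), _key(y), fillvalue=((0,), 0)):
        if kx != ky:
            return -1 if kx < ky else 1
    return 0

def _split(v):
    # [epoch:]upstream_version[-debian_revision]
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, matching 'dpkg --compare-versions a lt/eq/gt b'."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp(ua, ub) or _cmp(ra, rb)
    return (r > 0) - (r < 0)

if __name__ == "__main__":
    # Constructed versions: only 1.0.1e-2+deb7u21 comes from the thread.
    jessie = "1.0.1t-1+deb8u4"
    for wheezy in ("1.0.1e-2+deb7u21", "1.0.1u-1+deb7u1", "1.0.1t-1+deb7u1"):
        # False means a wheezy-to-jessie upgrade would keep the wheezy package.
        print(wheezy, "sorts below", jessie, ":", compare_versions(wheezy, jessie) < 0)
```

A 1.0.1u-based wheezy version sorts above the constructed jessie one, which is the broken upgrade path; reusing jessie's upstream part with a +deb7uN revision keeps the ordering intact.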



Re: Wheezy update of firefox-esr?

2016-09-23 Thread Bálint Réczey
Hi,

2016-09-20 23:43 GMT+02:00 Chris Lamb :
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of firefox-esr:
> https://security-tracker.debian.org/tracker/source-package/firefox-esr
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of firefox-esr updates
> for the LTS releases. (In case we don't get any answer for months,
> we may also take it as an opt-out, too.)

I think Mike would like the LTS Team to prepare the future updates:

On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
> > Hello Mike,
> >
> > Thank you for preparing the security update of firefox-esr. I have just
> > sent a security announcement for your update in Wheezy to the
> > debian-lts-announce mailing list. If you want to take care of this next
> > time, please follow our guidelines which we have outlined at [1]. If
> > this is a burden for you, no problem, we will do our best and take care
> > of the rest. In this case we would like to ask you to send a short
> > reminder to debian-lts, so that we can prepare the announcement in a
> > timely manner.
>
> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
> that. That these updates go through the same security-master doesn't
> help making it obvious they are different.
>
> Anyways, I'd rather not have more work to do, so if you can send
> announcements, that works for me. Or you can deal with the backport
> from back to back.
...

I have added firefox-esr to lts-do-not-call and started preparing the update.

Cheers,
Balint