Re: Wheezy update of tor?

2016-10-18 Thread Peter Palfrader
On Tue, 18 Oct 2016, Chris Lamb wrote:

> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of tor:
> https://security-tracker.debian.org/tracker/source-package/tor
> 
> Would you like to take care of this yourself?

It's already in progress.

-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                           |   `-    https://www.debian.org/



Accepted quagga 0.99.22.4-1+wheezy3+deb7u1 (source amd64 all) into oldstable

2016-10-18 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 18 Oct 2016 14:02:41 +0200
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1+wheezy3+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Christian Hammers 
Changed-By: Chris Lamb 
Description: 
 quagga - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 841162
Changes: 
 quagga (0.99.22.4-1+wheezy3+deb7u1) wheezy-security; urgency=high
 .
   * CVE-2016-1245: Fix stack overrun in IPv6 RA receive code. The buffer size
 specified when receiving mixed up two constants that have different values.
 (Closes: #841162)
Checksums-Sha1: 
 debbe4e4d83f185eccfc28b620f19b71545bb45f 2149 
quagga_0.99.22.4-1+wheezy3+deb7u1.dsc
 73019bf915ff4fe7cd497f11579c05f35fe09df5 2352406 quagga_0.99.22.4.orig.tar.gz
 430472e673a5e73c024492cefb8063104cb344c3 43452 
quagga_0.99.22.4-1+wheezy3+deb7u1.debian.tar.gz
 58d7551e33028f7abb93856c6c2af6ea226e16f3 1726330 
quagga_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 0889c73f08ae6ddc62fda9c550d3f172ec0aae7f 2529024 
quagga-dbg_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 77e1f60010496a85587dfe6871e1e41b7788f374 656708 
quagga-doc_0.99.22.4-1+wheezy3+deb7u1_all.deb
Checksums-Sha256: 
 e9914529084fe139be15e783a5e62c6f27cc2dc56ac81c3f5fec9797c3bc05b9 2149 
quagga_0.99.22.4-1+wheezy3+deb7u1.dsc
 cbe48d5cc57bbaa07cfd8362ba598447dc94aa866ddc5794e57172709d36ba79 2352406 
quagga_0.99.22.4.orig.tar.gz
 4507f90d7ff8a56f6e4a229d1585828c24c6711bb16a106ba10464a3ed2027e5 43452 
quagga_0.99.22.4-1+wheezy3+deb7u1.debian.tar.gz
 6ffe7432ecbad1db31ee424b13f3b50b7055208042a1e5f96e07fa51e167cc42 1726330 
quagga_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 baa2d2f4179768a40746a6853bef729281647312fc60e27d715fdf34578bbce0 2529024 
quagga-dbg_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 b26ad5b2860ab6560c8af1f80b540227d22ac5ba8071c53bb5113aad45993ee5 656708 
quagga-doc_0.99.22.4-1+wheezy3+deb7u1_all.deb
Files: 
 8272e06550efbf8871fa246b29c3e45e 2149 net optional 
quagga_0.99.22.4-1+wheezy3+deb7u1.dsc
 27ef98abb1820bae19eb71f631a10853 2352406 net optional 
quagga_0.99.22.4.orig.tar.gz
 bc6d25eaff7a8f9b410c3592c18f51a0 43452 net optional 
quagga_0.99.22.4-1+wheezy3+deb7u1.debian.tar.gz
 6368948725b6262dc5e7a9ae52201f03 1726330 net optional 
quagga_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 d640ea48007eabd0d93f9f2819f4d9dc 2529024 debug extra 
quagga-dbg_0.99.22.4-1+wheezy3+deb7u1_amd64.deb
 bb987789f87e4b20a249785ff578ed9b 656708 net optional 
quagga-doc_0.99.22.4-1+wheezy3+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



[SECURITY] [DLA 662-1] quagga security update

2016-10-18 Thread Chris Lamb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: quagga
Version: 0.99.22.4-1+wheezy3+deb7u1
CVE ID : CVE-2016-1245
Debian Bug : 841162

It was discovered that there was a stack overrun in the IPv6 RA receive code in
quagga, a BGP/OSPF/RIP routing daemon.

The buffer size specified when receiving mixed up two constants that have
different values.

For Debian 7 "Wheezy", this issue has been fixed in quagga version
0.99.22.4-1+wheezy3+deb7u1.

We recommend that you upgrade your quagga packages.


Regards,

- -- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Accepted libxrender 1:0.9.7-1+deb7u3 (source amd64) into oldstable

2016-10-18 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Oct 2016 15:17:15 +0200
Source: libxrender
Binary: libxrender1 libxrender1-udeb libxrender1-dbg libxrender-dev
Architecture: source amd64
Version: 1:0.9.7-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Debian X Strike Force 
Changed-By: Markus Koschany 
Description: 
 libxrender-dev - X Rendering Extension client library (development files)
 libxrender1 - X Rendering Extension client library
 libxrender1-dbg - X Rendering Extension client library (unstripped)
 libxrender1-udeb - X Rendering Extension client library (udeb)
Changes: 
 libxrender (1:0.9.7-1+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2016-7949 and CVE-2016-7950.
 Tobias Stoeckmann from the OpenBSD project has discovered a number of
 issues in the way various X client libraries handle the responses they
 receive from servers. Insufficient validation of data from the X server
 could cause out of boundary memory writes in the libXrender library
 potentially allowing the user to escalate their privileges.
Checksums-Sha1: 
 1763ac6f4340415faa47cb8870d638369c14870c 2295 libxrender_0.9.7-1+deb7u3.dsc
 a52523ae5fe92bdfd3712d8c2858200737a0fbee 21235 
libxrender_0.9.7-1+deb7u3.diff.gz
 ea64bebffbeb64f50518c11e004d4a4f3775281c 33466 
libxrender1_0.9.7-1+deb7u3_amd64.deb
 88fda2fbbf5aca1dd27ce5a4132f2e5f60a05897 15030 
libxrender1-udeb_0.9.7-1+deb7u3_amd64.udeb
 40b2df049c6dbbba898b59e9913c84a071a3977f 137806 
libxrender1-dbg_0.9.7-1+deb7u3_amd64.deb
 f28bb4b8007d9e3a84e203e7e2c4d7a9afb81a43 42140 
libxrender-dev_0.9.7-1+deb7u3_amd64.deb
Checksums-Sha256: 
 ebd70ff531bd0c38a99265638fe0121f33f4f3d3d822643269352b5bbf88beee 2295 
libxrender_0.9.7-1+deb7u3.dsc
 35bc64e73c2024639ad25a0f1cc41ad2d80af7be1219eec059a2809c4ad767c2 21235 
libxrender_0.9.7-1+deb7u3.diff.gz
 e863feeb034a437462cb3dea0f122fb5e94f4e049c5911161c76bd51f8683aed 33466 
libxrender1_0.9.7-1+deb7u3_amd64.deb
 c8394afd01bdc4d9e9000f6e44556c8a562144eb13b9981eb53a100ff3dadfb8 15030 
libxrender1-udeb_0.9.7-1+deb7u3_amd64.udeb
 00bb6b060abd0bada423f787153e35d0181d0c626e213e2cce621352f04f8c66 137806 
libxrender1-dbg_0.9.7-1+deb7u3_amd64.deb
 56c7a04e50e6b24a8a1283010277d79f30d6e0eae3b4a0a948a96d83c717394b 42140 
libxrender-dev_0.9.7-1+deb7u3_amd64.deb
Files: 
 c6e02770f3f806eeb6ca1082e1451b70 2295 x11 optional 
libxrender_0.9.7-1+deb7u3.dsc
 6eadb84cfad7945334abb4803a00cd66 21235 x11 optional 
libxrender_0.9.7-1+deb7u3.diff.gz
 eea0174ee6fb9a653d30b45bc5d644b4 33466 libs optional 
libxrender1_0.9.7-1+deb7u3_amd64.deb
 37e225676138343e7b8b4cee1e375d0c 15030 debian-installer optional 
libxrender1-udeb_0.9.7-1+deb7u3_amd64.udeb
 d50ee4eee9bd2e0476d37140f9289738 137806 debug extra 
libxrender1-dbg_0.9.7-1+deb7u3_amd64.deb
 e486fc54e665a9d806267a195a7a6e0e 42140 libdevel optional 
libxrender-dev_0.9.7-1+deb7u3_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



[SECURITY] [DLA 664-1] libxrender security update

2016-10-18 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: libxrender
Version: 1:0.9.7-1+deb7u3
CVE ID : CVE-2016-7949 CVE-2016-7950
Debian Bug : 840443


Tobias Stoeckmann from the OpenBSD project has discovered a number of
issues in the way various X client libraries handle the responses they
receive from servers. Insufficient validation of data from the X server
could cause out of boundary memory writes in the libXrender library
potentially allowing the user to escalate their privileges.

For Debian 7 "Wheezy", these problems have been fixed in version
1:0.9.7-1+deb7u3.

We recommend that you upgrade your libxrender packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



Accepted libgd2 2.0.36~rc1~dfsg-6.1+deb7u6 (source amd64) into oldstable

2016-10-18 Thread Thorsten Alteholz
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 18 Oct 2016 19:07:47 +0200
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source amd64
Version: 2.0.36~rc1~dfsg-6.1+deb7u6
Distribution: wheezy-security
Urgency: high
Maintainer: GD team 
Changed-By: Thorsten Alteholz 
Description:
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Changes:
 libgd2 (2.0.36~rc1~dfsg-6.1+deb7u6) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Wheezy LTS Team.
   * CVE-2016-6911
 invalid read in gdImageCreateFromTiffPtr()
 (most of the code is not present in the Wheezy version)
   * CVE-2016-8670:
 Stack Buffer Overflow in GD dynamicGetbuf
Checksums-Sha1:
 5e7306d644fa56d5e3c422dc38442592bb492e42 2551 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.dsc
 e93c43f3c2283c6fe09793ac06a4a106374e0cb3 761899 
libgd2_2.0.36~rc1~dfsg.orig.tar.gz
 0b925811dfa46e4b54661d2a3b9fa72f72adf9ec 31074 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.debian.tar.gz
 8d80319743585436a06dd2542d42f819cbfaad2a 169970 
libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 b25276a86b01a91d542c0b778c79f3e69c814854 374274 
libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 7016dee89c1416d84ad4acf4c8a0da655fc589ea 371652 
libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 8399c2317e52f40d591cacaf830dc5d159590a3a 233234 
libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 f12f2201fafef85d36eafbc6228df5019f4f4a2b 230828 
libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
Checksums-Sha256:
 0895065d0333108dee189117081dde3e1439694ceb185766bc74fa8e5c5c59ad 2551 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.dsc
 919df21310ad4a8b6155df01411138110589cc6c50b1bc414dc62aebb0a7f41a 761899 
libgd2_2.0.36~rc1~dfsg.orig.tar.gz
 4c334a7735132dd098246ede795b5386ac95068c7233e6430a03737b510b0444 31074 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.debian.tar.gz
 3d8e753b60e7a0fd2f4155c27778b0bdebc16dac41d36876b1c206945343e37b 169970 
libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 0845c99e6438e4382ac7ddf5eee5cac7694fbfa9424d21924f29e9e091c52627 374274 
libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 fc09ded71ba1014c37979b8f3d4cc9ea6304f00fab7539d20323ed759d7eeb79 371652 
libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 a949a1e113ed7e4ce4dd211256e2c08792e7b0732e05bb9ca7c9d58fc1cd7252 233234 
libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 6419cae5372caf61f425909134fce8791a1e3c2a6c366f2938c5fefba3183935 230828 
libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
Files:
 41ea4b127778e98e82209ca195bd2f39 2551 graphics optional 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.dsc
 0f4d2fa45627af0e87fcb74f653b66dd 761899 graphics optional 
libgd2_2.0.36~rc1~dfsg.orig.tar.gz
 76463b46ca2215e7d7ccde484bb32b26 31074 graphics optional 
libgd2_2.0.36~rc1~dfsg-6.1+deb7u6.debian.tar.gz
 cee74acf87afc7a6190d1eff36e70b8b 169970 graphics optional 
libgd-tools_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 2ea674f85a314b960256a02ed51fb664 374274 libdevel optional 
libgd2-xpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 f9f166cba549942ed4c04ddac26d4ecd 371652 libdevel optional 
libgd2-noxpm-dev_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 f391a757610b3ce78be83ca1603f49ae 233234 libs optional 
libgd2-xpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb
 71d88ed468451553f5c0e81349b87a93 230828 libs optional 
libgd2-noxpm_2.0.36~rc1~dfsg-6.1+deb7u6_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



[SECURITY] [DLA 663-1] tor security update

2016-10-18 Thread Peter Palfrader
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package: tor
Version: 0.2.4.27-2

It has been discovered that Tor treats the contents of some buffer
chunks as if they were a NUL-terminated string.  This issue could
enable a remote attacker to crash a Tor client, hidden service, relay,
or authority.  This update aims to defend against this general
class of security bugs.

For Debian 7 "Wheezy", this problem has been fixed in version 0.2.4.27-2.

For the stable distribution (jessie), this problem has been fixed in
version 0.2.5.12-3, for unstable (sid) with version 0.2.8.9-1, and for
experimental with 0.2.9.4-alpha-1.

Additionally, for wheezy this updates the set of authority directory servers
to the one from Tor 0.2.8.7, released in August 2016.

We recommend that you upgrade your tor packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJYBj5YAAoJEIYCyCA4cjMfJlgIAKioP6EPic795VGJQAZmpUTy
qYxGwMpimRfdOvIAEGxJ9nZhEhFnc9JiHSfi5iSYXMaXU0AqIuYHPFAn3dxfIbJZ
dIGlTYgx4XtAuh6q9OYJ3HkUA7jE6BBhLxdVdI/Qkm5cfLCbXhpJLGJx9UF0NDNA
ZagIyTBHNtxt+iX3gO1CU1r2BI1IS/UrJD+o0/VeS9qaVaFlZ1nPiQ2XFwbigD1a
NOeIUEIou3hbpjZ7UPKnERplA4rCV42872zLJNAkpbqqjdsohxuTfkWEL9Cu72DO
9E9VBMnAubHLN3jY/DbVvsCl+NgT4ALm+0dkK2mL6fbNX3ihbPZQ/59mnKE2QpM=
=Xe2n
-----END PGP SIGNATURE-----



[SECURITY] [DLA 665-1] libgd2 security update

2016-10-18 Thread Thorsten Alteholz

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: libgd2
Version: 2.0.36~rc1~dfsg-6.1+deb7u6
CVE ID : CVE-2016-6911 CVE-2016-8670

CVE-2016-6911
 invalid read in gdImageCreateFromTiffPtr()
 (most of the code is not present in the Wheezy version)

CVE-2016-8670:
 Stack Buffer Overflow in GD dynamicGetbuf

For Debian 7 "Wheezy", these problems have been fixed in version
2.0.36~rc1~dfsg-6.1+deb7u6.

We recommend that you upgrade your libgd2 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJYBoahXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHSqkQAISpL4C2gRsIh2CK2dQ9uGcp
e8UgX0OygQN2Hbd7hzj0DQ2uMhAjFukNKpDkPFM0LWm8XKjqm3THyA7Mdax5Ktqw
nxTQmMP7K54ghguJ53O3BXVkIk8xV/a7tLvhvc4mzOI4rIbFbLfGDd8fY1h3ClSJ
VYiv7VPgNs7+5NSEmt8NQvODiyIsmPh7Z2pH8M4pQJtCjishuZdyganMw96DwlTx
JPa0z1KIbcuLJgE9tZR3Is0XClYWdrY0C0D2cWriuFOf/UYhWuprwXc2HSzZuRQe
Ma0gf1a/ypv9xudA+9cz6DR3nWAGWys1WOUk3DCZ289kW6LfPOKRiov/aJqCoeJj
wEK87wXISdwkySFjwU/tS3n9Y/46Jcq0hHR0/1hK/o6TAwbTlRCYXrbAe0zZtuGq
GScrznNMBx1Ogy+wFf0dOEDyCAwLEdIcwXQj8sJHryG4AD+RoZTYU/O5Fk4UoPE9
FPDEdk/HccUx8Y4oqo7HhnHRxtGMafFt0dwW85iD4kw7AGBghPkIXgT1/9wjqk6q
IKdcT5UTjLJCZ6e4m6/Zmve5AWkBwg86CXV4vF+5nTwWcIbmbxANM6B7tK1N+LvP
Q/IJ4dAho9N6fefpgRRMfLCEypOkvOWWPnSYzJqQb8WeztVi98AHcj3/WBxQKnLE
zCBrPFU+uWLUoKBEKi26
=ZipH
-----END PGP SIGNATURE-----



Wheezy update of guile-2.0?

2016-10-18 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of guile-2.0:
https://security-tracker.debian.org/tracker/source-package/guile-2.0

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of guile-2.0 updates
for the LTS releases. (In case we don't get any answer for months,
we may also take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Wheezy update of guile-2.0?

2016-10-18 Thread Rob Browning
Chris Lamb  writes:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of guile-2.0:
> https://security-tracker.debian.org/tracker/source-package/guile-2.0
>
> Would you like to take care of this yourself?

Hah, funny you should ask.  I worked on a release for the security team
last weekend (nearly ready), but they decided I should redirect to
jessie, but I hadn't had a chance to file the relevant bug/request yet.

Backporting the two upstream patches was relatively straightforward.

> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development

I should be able to work on it again this weekend if not sooner.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Accepted guile-2.0 2.0.5+1-3+deb7u2 (source amd64 all) into oldstable

2016-10-18 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Oct 2016 00:28:05 +0200
Source: guile-2.0
Binary: guile-2.0 guile-2.0-dev guile-2.0-doc guile-2.0-libs
Architecture: source amd64 all
Version: 2.0.5+1-3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Rob Browning 
Changed-By: Markus Koschany 
Description: 
 guile-2.0  - GNU extension language and Scheme interpreter
 guile-2.0-dev - Development files for Guile 2.0
 guile-2.0-doc - Documentation for Guile 2.0
 guile-2.0-libs - Core Guile libraries
Changes: 
 guile-2.0 (2.0.5+1-3+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Disable the test suite on armel and armhf to prevent a segmentation fault.
Checksums-Sha1: 
 20131c42b821163cdf4e3ac6e8dcebbe0aa79078 2206 guile-2.0_2.0.5+1-3+deb7u2.dsc
 8de4a79a59cf419065f4e179395d8c9c12a1b0a8 19563 
guile-2.0_2.0.5+1-3+deb7u2.debian.tar.gz
 08eb2923e5c8c1488cb643c90e03159053e4d846 16298 
guile-2.0_2.0.5+1-3+deb7u2_amd64.deb
 8823d97b12d1346394c922c41504fc6d670b634b 1012064 
guile-2.0-dev_2.0.5+1-3+deb7u2_amd64.deb
 133a9db8f271ed71c3e5a13c518b8155e7798e81 797562 
guile-2.0-doc_2.0.5+1-3+deb7u2_all.deb
 ad9d0a44a41fe9446768a07a59ab499f40738d87 2854362 
guile-2.0-libs_2.0.5+1-3+deb7u2_amd64.deb
Checksums-Sha256: 
 547373723201a1d26e4ec07ecd2f9666118251a304e06c18bdd9ca2e15b55935 2206 
guile-2.0_2.0.5+1-3+deb7u2.dsc
 27ec26066647be4197bee314b0962f68857c3b03d65c584f4a3fb661da92 19563 
guile-2.0_2.0.5+1-3+deb7u2.debian.tar.gz
 80b55c1f607656f205fea1df784e44f2834acbc8f184801f71b3025ab1d7e244 16298 
guile-2.0_2.0.5+1-3+deb7u2_amd64.deb
 c9ad356e2e54c300781ef482fa452cee2aaf36379e3a97fa174068cfc8ea4a22 1012064 
guile-2.0-dev_2.0.5+1-3+deb7u2_amd64.deb
 ce40dad1cd70c8eb2803d84be444cd920ee2a28480e5d2320d7cfab78e7c1f2e 797562 
guile-2.0-doc_2.0.5+1-3+deb7u2_all.deb
 5833d43f34e2ce7475a89c1062250607b264eb40aacc282576de13891011b863 2854362 
guile-2.0-libs_2.0.5+1-3+deb7u2_amd64.deb
Files: 
 d4bcf2bf74b9b696593111e5392c4c4a 2206 interpreters optional 
guile-2.0_2.0.5+1-3+deb7u2.dsc
 b093c7399a1fb7baa92b75784b6587c1 19563 interpreters optional 
guile-2.0_2.0.5+1-3+deb7u2.debian.tar.gz
 822250ddf2ea8a7e5645db3882d927a5 16298 lisp optional 
guile-2.0_2.0.5+1-3+deb7u2_amd64.deb
 d5d083e4ea54e953da1a4a3ffd455cb6 1012064 lisp optional 
guile-2.0-dev_2.0.5+1-3+deb7u2_amd64.deb
 00bb912b02128ad68f7259ecc4bb1160 797562 doc optional 
guile-2.0-doc_2.0.5+1-3+deb7u2_all.deb
 b777b56f43ed091a7c1fc15f96f14b1e 2854362 lisp optional 
guile-2.0-libs_2.0.5+1-3+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



[SECURITY] [DLA 666-1] guile-2.0 security update

2016-10-18 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package: guile-2.0
Version: 2.0.5+1-3+deb7u1
CVE ID : CVE-2016-8605 CVE-2016-8606
Debian Bug : 840555 840556


Several vulnerabilities were discovered in GNU Guile, an
implementation of the Scheme programming language. The Common
Vulnerabilities and Exposures project identifies the following issues.

CVE-2016-8605:
The mkdir procedure of GNU Guile temporarily changed the process'
umask to zero. During that time window, in a multithreaded
application, other threads could end up creating files with
insecure permissions.

CVE-2016-8606:
GNU Guile provides a "REPL server" which is a command prompt that
developers can connect to for live coding and debugging purposes.
The REPL server is started by the '--listen' command-line option
or equivalent API.

It was reported that the REPL server is vulnerable to the HTTP
inter-protocol attack.

This constitutes a remote code execution vulnerability for
developers running a REPL server that listens on a loopback device
or private network. Applications that do not run a REPL server, as
is usually the case, are unaffected.


For Debian 7 "Wheezy", these problems have been fixed in version
2.0.5+1-3+deb7u1.

We recommend that you upgrade your guile-2.0 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
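The umask race described under CVE-2016-8605, as an added example that is not part of this advisory or of Guile's own code: `racy_mkdir` reproduces the pattern the advisory describes, clearing the process umask so that the requested mode is applied exactly, while a second thread creates a file inside that window and ends up with world-writable permissions; `safe_mkdir` reaches the same directory mode without touching the shared umask, by creating the directory (which the umask may tighten) and then widening it with chmod(), so the intermediate state fails closed. The function names and the mkdir-then-chmod approach are this example's own choices, not a description of the upstream fix; it assumes a POSIX system.

```python
import os
import stat
import tempfile
import threading

# Added example (not Guile's code): the racy pattern named in CVE-2016-8605
# beside one that never touches the process-wide umask. Names are hypothetical.


def racy_mkdir(path, mode, during_window=None):
    """Create PATH with exactly MODE by clearing the umask around mkdir().

    The umask belongs to the whole process, so any file created by another
    thread while it is zero gets the full mode that thread asked for.
    DURING_WINDOW is a hook that stands in for such a thread.
    """
    saved = os.umask(0)
    try:
        os.mkdir(path, mode)
        if during_window is not None:
            during_window()
    finally:
        os.umask(saved)


def safe_mkdir(path, mode):
    """Create PATH with exactly MODE without modifying the umask.

    mkdir() applies the umask, so the directory starts out at least as
    restrictive as MODE; chmod() then widens it to MODE. The intermediate
    state fails closed, and no other thread's file creation is affected.
    """
    os.mkdir(path, mode)
    os.chmod(path, mode)


def create_file(path):
    """Create PATH asking for 0666; the umask decides what it really gets."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)


def perm_bits(path):
    """Permission bits of PATH (rwx only), as an int such as 0o644."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o777


def demonstrate(umask=0o022, mode=0o775):
    """Run both patterns under UMASK and return the resulting permission bits.

    MODE is chosen so that UMASK would strip bits from it (0o775 under
    0o022), which is exactly the case where clearing the umask looks tempting.
    """
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as base:
            racy_dir = os.path.join(base, "racy")
            safe_dir = os.path.join(base, "safe")
            bystander_racy = os.path.join(base, "bystander-racy.txt")
            bystander_safe = os.path.join(base, "bystander-safe.txt")

            def other_thread_creates_file():
                # A real second thread, sharing the process umask.
                t = threading.Thread(target=create_file, args=(bystander_racy,))
                t.start()
                t.join()

            racy_mkdir(racy_dir, mode, during_window=other_thread_creates_file)
            safe_mkdir(safe_dir, mode)
            create_file(bystander_safe)  # same bystander, no umask window

            return {
                "racy_dir": perm_bits(racy_dir),
                "safe_dir": perm_bits(safe_dir),
                "file_created_during_racy_window": perm_bits(bystander_racy),
                "file_created_beside_safe_mkdir": perm_bits(bystander_safe),
                # os.umask() returns the previous value; setting it to UMASK
                # again confirms both patterns left it where it started.
                "umask_afterwards": os.umask(umask),
            }
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for name, bits in demonstrate().items():
        print(f"{name:34s} {bits:04o}")
```

Both directories end up with the requested 0775, but the file created by the bystander thread during the racy window is 0666 (world-writable) whereas the one created beside `safe_mkdir` under the same 022 umask is 0644. Note that chmod() on the freshly created directory only ever widens a directory that started out more restrictive, which is the property that makes the second pattern safe to use from multithreaded code.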