Re: MySQL 5.5 EOL before Debian 8 LTS ends
On 2018-12-27 18:51, Lars Tangvald wrote:
> Upgrading to 5.6 would be less risky than MariaDB 10.1, but it's a similar sort of risk.

I don't know what the risk with switching to MariaDB 10.1 would be, but as a general principle, MariaDB lags behind (the already annoyingly delayed) Oracle security patches often days, sometimes weeks.

Based on our experience with a few thousand databases, though, upgrading from 5.5 to 5.6 is as good as invisible for DB users and software using MySQL. A few users noticed the differences between MySQL 5.5 and MariaDB 10.0 (5.6-based); nearly no-one noticed the upgrade from MariaDB 10.0 to 10.3.

It would be very welcome if upgrade scripts in Debian would substitute configuration options correctly, with the usual dselect option list of "compare, keep current, install package maintainer's" versions.

The risk mostly lies in software relying on the removed features listed in the URL you linked (https://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html#mysql-nutshell-removals).

As a side note, anyone using MySQL WorkBench with MariaDB 10.x or MySQL 5.5 will probably be very annoyed about the version warnings. I expect the current issues with 5.6 compatibility alerts to be fixed. :)

--
Cheers,
Jan
[SECURITY] [DLA 1591-2] libphp-phpmailer regression update
Package        : libphp-phpmailer
Version        : 5.2.9+dfsg-2+deb8u5
CVE ID         : CVE-2018-19296

A possible regression was found in the recent security update for libphp-phpmailer, announced as DLA 1591-1. During backporting, a variable from a much later version was accidentally introduced into a conditional statement. Thanks to Salvatore Bonaccorso (carnil) for reporting this.

For Debian 8 "Jessie", this problem has been fixed in version 5.2.9+dfsg-2+deb8u5.

We recommend that you upgrade your libphp-phpmailer packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Tomas,

On Mon, Dec 24, 2018 at 08:47:55PM +, Tomas Bortoli wrote:
> Hi Robert,
>
> Your patch seems not to be definitive against CVE-2018-19518.
> This because checking for spaces won't be enough if an attacker uses some
> "bash trick" to get a space...
> In fact you can get a space by not typing it, with something like this:
>
> a=`date`;echo${a:3:1}asd
>
> Will print "asd".. it gets the space from a substring of "a".
>

I tried this along with a few different variants and none of them produced the vulnerability described in the CVE. I am confident that an actual space is required in order to exploit the vulnerability.

On Tue, Dec 25, 2018 at 07:12:38PM +, Tomas Bortoli wrote:
> Hi Roberto,
>
> On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> > There are two command templates involved in this section of code:
> > rshcommand and sshcommand. The two for loops each operate on a
> > different command template.
>
> Ah ahn.. I missed that single byte difference, thanks.
>
> > Yes, the description could certainly use more detail. That said, I did
> > include this in my original post:
> >
> > I also wondered whether it was possible to cause the vulnerability
> > without a space in the hostname (somewhat related to the first
> > question). In any event, I concluded that the question of whether
> > something is a valid hostname might be a bit complex to tackle and
> > despite numerous attempts I was not able to exploit the
> > vulnerability without the space between the host name and the
> > command switch '-'.
> >
> > I suppose it would be possible to apply the approach of counting tokens
> > to the host variable to ensure that it only contains a single token.
> > However, I do not think that is any better or worse than the approach I
> > came up with.
> >
>
> What about "shell escaping" the host name? Not sure about escaping the
> other parameters too..but that shouldn't harm.
> It should be the best security practice against command injection, AFAIK.
>

You have lost me here. First, I am not certain what you mean by "shell escaping" in this context. Second, would this be something that is done when the configuration is read or when the rsh/ssh command is to be executed? Third, is the shell escaping you describe possible without introducing additional library dependencies?

Without knowing for certain what you mean, I would think that shell escaping (like URL encoding/decoding, for instance) would best be handled by a purpose-built library. However, if there is a way to accomplish what you describe without such an additional component, I would be interested to know.

Regards,

-Roberto

--
Roberto C. Sánchez
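The two mitigations discussed in this thread, a single-token host-name check and a dependency-free shell-quoting routine, as an added C example that is not uw-imap's code (the function names are hypothetical, and the sample host strings are constructed). The check goes beyond looking for a space: it rejects any character that is not legal in a host name, including tabs and newlines, and a label that starts with '-', so the value can never be read as a command switch.

```c
/* Added example, not uw-imap's code. Two defensive approaches to a host
 * name that is interpolated into an rsh/ssh command line:
 *  - host_is_single_token(): accept only one plain RFC 1123 host-name token;
 *  - shell_single_quote():   wrap an arbitrary string so /bin/sh treats it
 *                            as exactly one literal word, without any library.
 * Function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if host is a single host-name token: letters, digits, '.', '-',
 * at most 253 characters, no empty label, no label starting or ending in
 * '-'. Any whitespace (space, tab, newline) fails the character test, so the
 * check does not depend on spotting a space character specifically. */
int host_is_single_token(const char *host)
{
    size_t len = strlen(host), label_len = 0;
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            /* a label must be non-empty and must not end in '-' */
            if (label_len == 0 || host[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-'))
            return 0;
        if (c == '-' && label_len == 0)   /* label (and host) can't start with '-' */
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* final label must be non-empty and must not end in '-' */
    return label_len > 0 && host[len - 1] != '-';
}

/* Return a newly allocated copy of s wrapped in single quotes, with each
 * embedded single quote rewritten as '\'' (close, escaped quote, reopen).
 * Inside single quotes POSIX sh performs no expansion at all, so the result
 * is always one word. Caller frees the result; NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), quotes = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            quotes++;
    char *out = malloc(n + 2 + quotes * 3 + 1);   /* each ' grows by 3 bytes */
    if (!out)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else              *p++ = s[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Helper for checking: quote s and compare with the expected word. */
int quotes_to(const char *s, const char *expected)
{
    char *q = shell_single_quote(s);
    int ok = q != NULL && strcmp(q, expected) == 0;
    free(q);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: a plain host, extra words after a space,
     * a value that is itself a switch, a tab instead of a space, a quote. */
    const char *samples[] = { "imap.example.org", "imap.example.org -x", "-x",
                              "host\tname", "it's" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        char *q = shell_single_quote(samples[i]);
        printf("%-22s token=%d quoted=%s\n", samples[i],
               host_is_single_token(samples[i]), q ? q : "(alloc failed)");
        free(q);
    }
    return 0;
}
```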
Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)
On 2018-12-27 14:16:22, Holger Levsen wrote:
> Hi Abhijith, Antoine,
>
> I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude
> linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last
> NOTE entries were more than 3 weeks ago. However Abhijith wrote here:
>
> On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote:
>> I am currently working on pdns[1] and pdns-recursor's[2] security issues
>> and which are marked as no-DSA, postponed. Last month I picked it up as
>> I had some time remaining. Upstream patch is available for the remaining
>> issues(CVE-2018-10851, CVE-2018-14644). Both patches contain C++11
>> specific code and I was only able to port CVE-2018-14644. In
>> CVE-2018-10851 I used 'boost' library's smart pointers to deal with the
>> default C++11 smart pointers, but I am not quite there. I was wondering
>> whether anyone here can _help_ me with it. I don't want to spend anymore
>
> Abhijith, thanks for this update! Just please also update the notes for
> these packages in data/dla-needed.txt.
>
> Antoine, this is an example where automatic unclaim might be problematic,
> as it would have unclaimed pdns/pdns-recursor which is not ideal. (For
> now, just meant as a data point.)

I'm not sure it would be that problematic. I think Abhijith could (should?) have posted a note in dla-needed.txt summarizing this situation or adding a pointer to the above email. The idea, anyways, is that worst case the issue gets unclaimed and reclaimed by someone else. In the above case, Abhijith specifically identified that as a *desirable* outcome, so I'm not sure it's really a problem.

Personally, I believe the general case of unexpected unclaims will be the package will be unclaimed and *not* claimed by anyone else. At least that's my experience of unclaiming "hard" packages that I couldn't finish within a month.

A.

--
Non qui parum habet, sed qui plus cupit, pauper est.
It is not the man who has too little, but the man who craves more, that is poor.
                        - Lucius Annaeus Seneca (65 AD)
Re: MySQL 5.5 EOL before Debian 8 LTS ends
Hi,

On 19.12.2018 17:01, Holger Levsen wrote:
> Hi Emilio,
>
> thanks for bringing up this issue on the LTS list.
>
> On Mon, Dec 17, 2018 at 10:49:57AM +0100, Emilio Pozuelo Monfort wrote:
>> MySQL 5.5 should be EOL this month if nothing has changed, although I
>> don't see an announcement on [1] yet. Maybe it will be published next
>> month when the next CPU (critical patch update) is released. Norvald, do
>> you know if 5.5 is effectively EOL already? Or will it receive another
>> update next month?
>
> [Norvald replied, saying that 5.5.62 in October was the last 5.5 release.]

Right. 5.5.62 was the final 5.5 release.

>> Also note that mariadb 10.0 is EOL in three months[2].
>
> I think this rules out mariadb 10.0 as a sensible upgrade path here.
> (Also, switching from mysql to mariadb in an LTS security upload???)
>
>> I don't think it makes much sense to upload mysql-5.6, since stretch has
>> no mysql at all. Since users will have to migrate to MariaDB anyway (or
>> to externally provided MySQL packages if they so choose), they can do so
>> now.
>
> following that logic they could also upgrade to Stretch now... :)
>
>> For mariadb 10.0, we may be able to backport important security fixes,
>> or we could backport 10.1 which will be supported upstream until October
>> 2020. I would lean towards one of those last two options.
>
> I think I'm rather *leaning* towards mysql-5.6 or declaring mysql-5.5
> unsupported/EOL in jessie, but that's really leaning, nothing more. (And
> then I believe mysql-5.6 in jessie isn't simple/feasible either, so... :/
>
> Other comments/suggestions?

Upgrading to 5.6 would be less risky than MariaDB 10.1, but it's a similar sort of risk.

Building: Since both 5.5 and 5.6 have libmysqlclient18 I don't expect many issues, but 5.6 and 5.5 "leaked" symbols, so even internal symbols were published. Third-party packages using internal symbols in 5.5 may fail to build with 5.6.

User experience: 5.5 and 5.6 will be very similar for most users (particularly, init scripts in third-party packages shouldn't be impacted), but anyone still using jessie and 5.5 may have pretty strict stability requirements. There's a summary of changes here: https://dev.mysql.com/doc/refman/5.6/en/mysql-nutshell.html

--
Lars
Accepted libphp-phpmailer 5.2.9+dfsg-2+deb8u5 (source all) into oldstable
Format: 1.8
Date: Thu, 27 Dec 2018 09:46:16 +0530
Source: libphp-phpmailer
Binary: libphp-phpmailer
Architecture: source all
Version: 5.2.9+dfsg-2+deb8u5
Distribution: jessie-security
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers
Changed-By: Abhijith PA
Description:
 libphp-phpmailer - full featured email transfer class for PHP
Changes:
 libphp-phpmailer (5.2.9+dfsg-2+deb8u5) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * Possible regression update for CVE-2018-19296.patch: Removing accidentally
     added DKIM_private_string, which was introduced only from 5.2.17
Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)
Hi Abhijith,

On Thu, Dec 27, 2018 at 09:01:32PM +0530, Abhijith PA wrote:
> > Abhijith, thanks for this update! Just please also update the notes for
> > these packages in data/dla-needed.txt.
> I will.

Thank you.

> >> time in it as it is not so popular one and it has no-DSA postponed
> >> priority.
> > pdnsd is used by our sponsors so we should support it as best as we can.
> pdnsd is a different package.

thanks for correcting me. Then adopting 'no-DSA' is probably ok.

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Re: limits of automatic unclaiming (Re: pdns/pdns-recursor)
Hi, Holger..

On Thursday 27 December 2018 07:46 PM, Holger Levsen wrote:
> Hi Abhijith, Antoine,
>
> I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude
> linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last
> NOTE entries were more than 3 weeks ago. However Abhijith wrote here:
>
> On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote:
>> I am currently working on pdns[1] and pdns-recursor's[2] security issues
>> and which are marked as no-DSA, postponed. Last month I picked it up as
>> I had some time remaining. Upstream patch is available for the remaining
>> issues(CVE-2018-10851, CVE-2018-14644). Both patches contain C++11
>> specific code and I was only able to port CVE-2018-14644. In
>> CVE-2018-10851 I used 'boost' library's smart pointers to deal with the
>> default C++11 smart pointers, but I am not quite there. I was wondering
>> whether anyone here can _help_ me with it. I don't want to spend anymore
>
> Abhijith, thanks for this update! Just please also update the notes for
> these packages in data/dla-needed.txt.

I will.

> Antoine, this is an example where automatic unclaim might be problematic,
> as it would have unclaimed pdns/pdns-recursor which is not ideal. (For
> now, just meant as a data point.)
>
>> time in it as it is not so popular one and it has no-DSA postponed
>> priority.
>
> pdnsd is used by our sponsors so we should support it as best as we can.

pdnsd is a different package.

--a
[SECURITY] [DLA 1620-1] ghostscript security update
Package        : ghostscript
Version        : 9.06~dfsg-2+deb8u13
CVE ID         : CVE-2018-19134 CVE-2018-19478

Some vulnerabilities were discovered in ghostscript, an interpreter for the PostScript language and for PDF.

CVE-2018-19134

    The setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type.

CVE-2018-19478

    Attempting to open a carefully crafted PDF file results in long-running computation. A sufficiently bad page tree can lead to us taking significant amounts of time when checking the tree for recursion.

For Debian 8 "Jessie", these problems have been fixed in version 9.06~dfsg-2+deb8u13.

We recommend that you upgrade your ghostscript packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
limits of automatic unclaiming (Re: pdns/pdns-recursor)
Hi Abhijith, Antoine,

I just ran "./bin/review-update-needed --lts --unclaim 1814400 --exclude linux linux-4.9" today and it unclaimed pdns/pdns-recursor as the last NOTE entries were more than 3 weeks ago. However Abhijith wrote here:

On Sat, Dec 22, 2018 at 01:02:06PM +0530, Abhijith PA wrote:
> I am currently working on pdns[1] and pdns-recursor's[2] security issues
> and which are marked as no-DSA, postponed. Last month I picked it up as
> I had some time remaining. Upstream patch is available for the remaining
> issues(CVE-2018-10851, CVE-2018-14644). Both patches contain C++11
> specific code and I was only able to port CVE-2018-14644. In
> CVE-2018-10851 I used 'boost' library's smart pointers to deal with the
> default C++11 smart pointers, but I am not quite there. I was wondering
> whether anyone here can _help_ me with it. I don't want to spend anymore

Abhijith, thanks for this update! Just please also update the notes for these packages in data/dla-needed.txt.

Antoine, this is an example where automatic unclaim might be problematic, as it would have unclaimed pdns/pdns-recursor which is not ideal. (For now, just meant as a data point.)

> time in it as it is not so popular one and it has no-DSA postponed
> priority.

pdnsd is used by our sponsors so we should support it as best as we can.

--
cheers,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Accepted ghostscript 9.06~dfsg-2+deb8u13 (source all amd64) into oldstable
Format: 1.8
Date: Thu, 27 Dec 2018 13:26:27 +
Source: ghostscript
Binary: ghostscript ghostscript-x ghostscript-doc libgs9 libgs9-common libgs-dev ghostscript-dbg
Architecture: source all amd64
Version: 9.06~dfsg-2+deb8u13
Distribution: jessie-security
Urgency: high
Maintainer: Debian Printing Team
Changed-By: Lucas Kanashiro
Description:
 ghostscript - interpreter for the PostScript language and for PDF
 ghostscript-dbg - interpreter for the PostScript language and for PDF - Debug symbo
 ghostscript-doc - interpreter for the PostScript language and for PDF - Documentati
 ghostscript-x - interpreter for the PostScript language and for PDF - X11 support
 libgs-dev  - interpreter for the PostScript language and for PDF - Development
 libgs9     - interpreter for the PostScript language and for PDF - Library
 libgs9-common - interpreter for the PostScript language and for PDF - common file
Changes:
 ghostscript (9.06~dfsg-2+deb8u13) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * Fix CVE-2018-19134: the setpattern operator did not properly validate
     certain types. A specially crafted PostScript document could exploit this
     to crash Ghostscript or, possibly, execute arbitrary code in the context
     of the Ghostscript process. This is a type confusion issue because of
     failure to check whether the Implementation of a pattern dictionary was a
     structure type.
   * Fix CVE-2018-19478: Attempting to open a carefully crafted PDF file
     results in long-running computation.
[SECURITY] [DLA 1619-1] graphicsmagick security update
Package        : graphicsmagick
Version        : 1.3.20-3+deb8u5
CVE ID         : CVE-2018-20184 CVE-2018-20185 CVE-2018-20189
Debian Bug     : 916752 916719 916721

Multiple vulnerabilities have been found in GraphicsMagick, the image processing system.

CVE-2018-20184

    The WriteTGAImage function (tga.c) is affected by a heap-based buffer overflow. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

CVE-2018-20185

    The ReadBMPImage function (bmp.c) is affected by a heap-based buffer over-read. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

CVE-2018-20189

    The ReadDIBImage function (coders/dib.c) is affected by an assertion error. Remote attackers might leverage this vulnerability to cause a denial of service via a crafted image file.

For Debian 8 "Jessie", these problems have been fixed in version 1.3.20-3+deb8u5.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted graphicsmagick 1.3.20-3+deb8u5 (source amd64 all) into oldstable
Format: 1.8
Date: Wed, 26 Dec 2018 09:51:39 +0100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.20-3+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS)
Changed-By: Hugo Lefeuvre
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 916719 916721 916752
Changes:
 graphicsmagick (1.3.20-3+deb8u5) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-20184: heap-based buffer overflow in the WriteTGAImage function
     (tga.c) (closes: #916721).
   * CVE-2018-20185: heap-based buffer over-read in the ReadBMPImage function
     (bmp.c) (closes: #916719).
   * CVE-2018-20189: assertion failure in ReadDIBImage (coders/dib.c)
     (closes: #916752).