Re: Security update of openssh for wheezy

2016-07-30 Thread Adrian Zaugg

Is the security breach also present in openssh of wheezy-backports
(openssh-server 1:6.6p1-4~bpo70+1, I guess yes because 1.6.0 and 1.6.7
are affected)?

Is wheezy-backports in general supported or not by the LTS Team?

Thank you for your quick answer!

Regards, Adrian.

On 26.07.16 23:24, Ola Lundqvist wrote:
> Hi OpenSSH Maintainers and LTS team
> 
> I have prepared a security update of openssh for wheezy.
> 
> For more information about the issue solved see here:
> https://security-tracker.debian.org/tracker/CVE-2016-6210
> I have applied the same patch as in sid and it applied fine, except that
> I had to change a call to a clear memory function to a loop instead.
> This function is not available in wheezy.
> 
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/openssh/CVE-2016-6210.debdiff
> 
> You can also find the packages that I intend to upload here:
> http://apt.inguza.net/wheezy-security/openssh/
> 
> I have regression tested and I could login still, and use the client too.
> I could not reproduce the problem good enough to tell for sure that they
> are solved. However they should be solved just as good as in sid and jessie.
> 
> If no-one objects I will upload this package in four days, that is on
> Saturday.
> 
> Best regards
> 
> // Ola



lovely

2016-07-30 Thread Leslie S Satenstein
Hey! 

Have you  seen something as lovely  as that stuff? I swear you  haven't, just 
take a look here 

Pardon my monkey thumbs, Leslie S Satenstein


[SECURITY] [DLA 578-1] openssh security update

2016-07-30 Thread Ola Lundqvist

Package: openssh
Version: 6.0p1-4+deb7u5
CVE ID : CVE-2016-6210

A user enumeration problem was reported in the OpenSSH secure shell
client and server.

CVE-2016-6210

  User enumeration via covert timing channel


For Debian 7 "Wheezy", this problem has been fixed in version
6.0p1-4+deb7u5.

We recommend that you upgrade your openssh packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 - Ola Lundqvist ---
/  o...@debian.org Folkebogatan 26  \
|  o...@inguza.com  654 68 KARLSTAD  |
|  http://inguza.com/  +46 (0)70-332 1551   |
\  gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26  0A6A 5E90 DCFA 9426 876F /
 ---
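The advisory names the flaw only as "user enumeration via covert timing channel". The pattern behind that class of bug, as an added example that is not from the DLA, from OpenSSH or from Ola's debdiff: a login check that rejects unknown usernames before doing any password hashing answers measurably faster than one that rejects a wrong password for an existing account, so the response time leaks whether the account exists. The hardened form below always performs one derivation with the same algorithm and cost, against dummy credentials when the user is unknown. The user table, the PBKDF2 parameters and the `WorkMeter` counter are constructed for this example; the counter stands in for wall-clock timing so the difference between the two paths can be checked deterministically.

```python
"""Added example (not from the DLA or from OpenSSH): the authentication
pattern behind a user-enumeration timing channel and its hardened form."""
import hashlib
import hmac
import os

# Constructed sample account store: username -> (salt, PBKDF2 digest).
# A real service would load this from its user database.
PBKDF2_ROUNDS = 20_000


def derive(password: str, salt: bytes) -> bytes:
    """Password hashing as the real accounts use it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


_SALT_ALICE = b"\x00" * 16  # fixed salt so the example is deterministic
USERS = {"alice": (_SALT_ALICE, derive("correct horse", _SALT_ALICE))}

# Dummy credentials used for unknown usernames: same algorithm, same cost.
# Generated once per process so the value is unpredictable but stable.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive(os.urandom(16).hex(), _DUMMY_SALT)


class WorkMeter:
    """Counts expensive derivations so the two code paths can be compared
    without relying on noisy wall-clock measurements."""

    def __init__(self) -> None:
        self.derivations = 0


def verify_leaky(username: str, password: str, meter: WorkMeter) -> bool:
    """Vulnerable pattern: unknown users are rejected before any hashing,
    so a rejection for a nonexistent account returns faster than a
    rejection for an existing one (the covert timing channel)."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    meter.derivations += 1
    return hmac.compare_digest(derive(password, salt), expected)


def verify_hardened(username: str, password: str, meter: WorkMeter) -> bool:
    """Hardened pattern: always perform exactly one derivation with the
    same algorithm and cost, against dummy credentials when the user does
    not exist, and only then fold the existence check into the result."""
    record = USERS.get(username)
    exists = record is not None
    salt, expected = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    meter.derivations += 1
    matched = hmac.compare_digest(derive(password, salt), expected)
    return matched and exists


def hashing_work(verify, username: str, password: str) -> int:
    """Return how many derivations `verify` performed for one attempt."""
    meter = WorkMeter()
    verify(username, password, meter)
    return meter.derivations


if __name__ == "__main__":
    for name in ("alice", "nobody"):
        print(name, "leaky:", hashing_work(verify_leaky, name, "x"),
              "hardened:", hashing_work(verify_hardened, name, "x"))
```

The point of the dummy path is that it must cost the same as the real one: CVE-2016-6210 arose in sshd precisely because the fake work for unknown users used a different hash (Blowfish) than the SHA-256/SHA-512 hashes of real accounts, so with a very long password the two paths diverged in time again. When auditing a login handler, check that the unknown-user branch runs the same algorithm with the same parameters, not merely that it runs something.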



Re: Wheezy update of libreoffice?

2016-07-30 Thread Guido Günther
Hi,

Just a random comment:

On Sat, Jul 30, 2016 at 09:45:51PM +0200, Balint Reczey wrote:
>  Priority: optional
>  Maintainer: Debian LibreOffice Maintainers 
> 
>  Uploaders: Rene Engelhard 
> -Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) 
> [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, 
> libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), 
> libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], 
> gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa 
> kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa 
> kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), 
> g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, 
> libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 
> 1.1.1-9), libservlet2.5-java, libbase-java [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libsac-java [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libxml-java (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], libflute-java 
> (>= 1.1.6) [!hppa !kfreebsd-amd64 !kfreebsd-i386], 
> libpentaho-reporting-flow-engine-java (>= 0.9.4) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], liblayout-java (>= 0.2.10) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libloader-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libformula-java (>= 1.1.7) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], librepository-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libfonts-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libserializer-java (>= 1.1.6) [!hppa !kfreebsd-amd64 
> !kfreebsd-i386], libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, 
> javahelper (>= 0.37~), libnss3-dev (>= 3.12.3), dmake (>= 1:4.11), 
> libhunspell-dev (>= 1.1.5-2), libhyphen-dev (>= 2.4), libstlport4.6-dev (>= 
> 4.6.2-3) [i386], libboost-dev (>= 1.38), libmdds-dev (>= 0.5.0), 
> libvigraimpex-dev, libsampleicc-dev, libicc-utils-dev, libwpd-dev (>= 0.9.0), 
> libmythes-dev (>= 2:1.2), libwps-dev (>= 0.2.0), libwpg-dev (>= 0.2.0), 
> libvisio-dev, libcmis-dev, libicu-dev (>= 4.0), libcairo2-dev, kdelibs5-dev 
> (>= 4:4.3.4), libqt4-dev (>= 4:4.8), libmysqlclient-dev, libmysqlcppconn-dev 
> (>= 1.1.0~r791), libgtk2.0-dev (>= 2.10), libgtk-3-dev (>= 3.2~), 
> libebook1.2-dev, libpq-dev (>= 9.0~), libxrandr-dev, liblucene2-java (>= 
> 2.3.2), libhsqldb-java (>> 1.8.0.10), bsh (>= 2.0b4), liblpsolve55-dev (>= 
> 5.5.0.13-5+b1), lp-solve (>= 5.5.0.13-5+b1), libsuitesparse-dev (>= 1:3.4.0), 
> libdbus-glib-1-dev (>= 0.70), libgstreamer-plugins-base0.10-dev, 
> libneon27-gnutls-dev, librdf0-dev (>= 1.0.8), libglib2.0-dev (>= 2.15.0), 
> libgconf2-dev, liborbit2-dev, gettext, make (>= 3.81-8.2), libldap2-dev
> +Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | 
> flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, 
> libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], 
> zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, 
> libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, 
> xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, 
> libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips 
> mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], 
> libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), 
> libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 
> 1.3.6-1~deb7u2) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), 
> libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 
> 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, 
> libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 
> 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 
> 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips 
> mipsel powerpc 
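Review bot: the only substantive change visible in this quoted Build-Depends hunk is the libgraphite2-dev constraint moving from (>= 0.9.3) to (>= 1.3.6-1~deb7u2), which pins the build to the security rebuild that carries the corrected shlibs file; the changelog entry should name that version explicitly rather than describing it. The quoted line is also mail-wrapped and cut off at "powerpc", so it cannot be applied or fully checked from this copy; the attached debdiff is the one to review.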

Re: Wheezy update of libreoffice?

2016-07-30 Thread Balint Reczey
Hi Rene,

On 07/28/2016 08:36 PM, Rene Engelhard wrote:
> Hi,
> 
> On Thu, Jul 28, 2016 at 07:12:16PM +0200, Bálint Réczey wrote:
>> Thank you for preparing the patch.
>> I'm building it right now and would like to test it if you have not done so 
>> yet.
>> After it is tested feel free to upload it.
> 
> Then it's best you mergechanges and upload after testing, I only built the
> source package, I didn't build it, so if you have a build...

It took some time to get it built due to libgraphite2-dev FTBFS-ing
libreoffice but the attached patch for graphite2 solves that.

A binary build was needed anyway since wheezy-security does not accept
source-only uploads AFAIK.

The fix for the vulnerability works and the fixed libreoffice can
still parse a valid RTF [1].

Please see the final proposed patch for libreoffice attached, too.

The binary packages for amd64 will also be available for testing here
when the upload is finished:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

I plan to upload both fixed packages tomorrow.

Cheers,
Balint

[1] http://thewalter.net/stef/software/rtfx/sample.rtf

diff -Nru graphite2-1.3.6/debian/changelog graphite2-1.3.6/debian/changelog
--- graphite2-1.3.6/debian/changelog	2016-03-09 12:12:34.0 +0100
+++ graphite2-1.3.6/debian/changelog	2016-07-29 19:30:16.0 +0200
@@ -1,3 +1,10 @@
+graphite2 (1.3.6-1~deb7u2) oldstable-security; urgency=medium
+
+  * LTS Team upload
+  * Fix .shlibs file to let reverse depenencies build
+
+ -- Balint Reczey   Fri, 29 Jul 2016 19:29:22 +0200
+
 graphite2 (1.3.6-1~deb7u1) oldstable-security; urgency=high
 
   * rebuild for oldstable-security 
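Review bot: "depenencies" in the new changelog entry should read "dependencies". It would also help future readers to record which reverse dependency failed to build (libreoffice, per the cover mail), since the shlibs change itself gives no hint why it was needed.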
diff -Nru graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs
--- graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-03-09 12:09:32.0 +0100
+++ graphite2-1.3.6/debian/libgraphite2-2.0.0.shlibs	2016-07-30 00:38:31.0 +0200
@@ -1 +1 @@
-libgraphite2	3	libgraphite2-2.0.0
+libgraphite2	2.0.0	libgraphite2-2.0.0 (>= 1.3.6-1~)
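Review bot: the second field of a shlibs entry is the SONAME version that dpkg-shlibdeps matches against the installed library, so changing it from 3 to 2.0.0 is only correct if the shared object this build installs is really libgraphite2.so.2.0.0; if the installed file is libgraphite2.so.3, the new entry will silently produce no dependency and the old one was right. Please confirm against the package's file list before upload. The added (>= 1.3.6-1~) constraint is fine and matches the version the libreoffice changelog relies on.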
diff -Nru libreoffice-3.5.4+dfsg2/debian/changelog libreoffice-3.5.4+dfsg2/debian/changelog
--- libreoffice-3.5.4+dfsg2/debian/changelog	2016-02-11 18:15:51.0 +0100
+++ libreoffice-3.5.4+dfsg2/debian/changelog	2016-07-30 12:58:16.0 +0200
@@ -1,3 +1,17 @@
+libreoffice (1:3.5.4+dfsg2-0+deb7u7) wheezy-security; urgency=high
+
+  [ Rene Engelhard ]
+  * merge from Ubuntu:
+- SECURITY UPDATE: Denial of service and possible arbitrary code execution
+  via a crafted RTF file
+  + debian/patches/rtf-use-after-free.diff: Prevent rtf use-after-free
+  + CVE-2016-4324
+
+  [ Balint Reczey ]
+  * depend on libgraphite2-dev version which has working shlibs file
+
+ -- Balint Reczey   Sat, 30 Jul 2016 12:58:14 +0200
+
 libreoffice (1:3.5.4+dfsg2-0+deb7u6) wheezy-security; urgency=high
 
   * debian/patches/V-1lp8t84lh4.diff: fix "LibreOffice Writer Lotus Word Pro
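Review bot: the entry "depend on libgraphite2-dev version which has working shlibs file" should state the version it depends on (1.3.6-1~deb7u2, per the graphite2 changelog above), so the coupling between the two uploads is recorded where someone bisecting a later FTBFS will look. Also note this entry uses wheezy-security while the graphite2 entry uses oldstable-security; both resolve to the same suite, but using one name across the pair avoids confusion.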
diff -Nru libreoffice-3.5.4+dfsg2/debian/control libreoffice-3.5.4+dfsg2/debian/control
--- libreoffice-3.5.4+dfsg2/debian/control	2013-05-29 23:22:11.0 +0200
+++ libreoffice-3.5.4+dfsg2/debian/control	2016-07-30 12:52:29.0 +0200
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Debian LibreOffice Maintainers 
 Uploaders: Rene Engelhard 
-Build-Depends: dpkg-dev (>= 1.16.1), lsb-release, bzip2, bison, flex | flex-old, libxaw7-dev, unzip, zip, autoconf, automake, sharutils, pkg-config, libfontconfig1-dev, libc0.1 (>= 2.10.2-7) [kfreebsd-i386 kfreebsd-amd64], zlib1g-dev, libfreetype6-dev, libx11-dev, libsm-dev, libxt-dev, libxext-dev, libxtst-dev, libice-dev, libcups2-dev, libarchive-zip-perl, fastjar, xsltproc, libxkbfile-dev, libxinerama-dev, x11proto-render-dev, libxml-parser-perl, gperf, po-debconf, bc, wget | curl, gcc-4.4 [mips mipsel], g++-4.4 [mips mipsel], libgl1-mesa-dev [!armel !mips !mipsel], libglu1-mesa-dev [!armel !mips !mipsel], libpoppler-dev (>= 0.8.0), libpoppler-private-dev, libpoppler-cpp-dev, libgraphite2-dev (>= 0.9.3) [!alpha !armel !sparc], libexttextcat-dev (>= 3.1.1), libjpeg-dev, libxml2-dev, libxslt1-dev, libexpat1-dev, unixodbc-dev (>= 2.2.11), libsane-dev, libxrender-dev, libpng12-dev, libssl-dev, librsvg2-dev, libdb-dev, python (>= 2.6.6-3+squeeze4), python-dev (>= 2.6), python3-dev (>= 3.2), debhelper (>= 7.2.3~), libcppunit-dev (>= 1.12), gdb, junit4 (>= 4.8.2-2), openjdk-6-jdk (>= 6b23~pre8-2) [alpha amd64 armel armhf i386 mips mipsel powerpc powerpcspe ppc64 s390 s390x sparc], openjdk-7-jdk [ia64], gcj-jdk [hppa kfreebsd-i386 kfreebsd-amd64], gcj-native-helper [hppa kfreebsd-amd64 kfreebsd-i386], libgcj-common (>= 1:4.4.1) [hppa kfreebsd-amd64 kfreebsd-i386], ant (>= 1.7.0), ant-optional (>= 1.7.0), g++-mingw-w64-i686 [i386 amd64], libcommons-codec-java, libcommons-httpclient-java, libcommons-lang-java, libcommons-logging-java (>= 1.1.1-9), libservlet2.5-java, 
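Review bot: this hunk is cut off after the removed Build-Depends line; the replacement +Build-Depends: line and the remaining context promised by the @@ -3,7 +3,7 @@ header are not visible, so the intended dependency change (presumably the libgraphite2-dev bump named in the changelog) cannot be verified from this mail. The complete control diff should accompany the upload request.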

Re: xen_4.1.6.1-1+deb7u2.dsc

2016-07-30 Thread Guido Günther
On Fri, Jul 29, 2016 at 01:26:22PM +0200, Bastian Blank wrote:
> Hi Guido
> 
> On Fri, Jul 29, 2016 at 01:13:33PM +0200, Guido Günther wrote:
> > * the complete removal of tools/ioemu-qemu-xen - guess this was unused
> >   anyway since quite some time, right?
> 
> I have no idea and found not one reference to that folder.
> 
> > * there are some XSA related patches in debian/patches. Will these move
> >   into
> >   https://github.com/credativ/xen-lts/
> >   eventually?
> 
> I think I forgot to delete some.  The rest most likely won't as it is
> either qemu or libxl.
> 
> > If Brian has no objections feel free to upload. Please let me know once
> > done so I can then release the DLA (in case you don't want to handle it
> > yourself).
> 
> I have no idea how to do that yet.  So feel free.

Thanks for uploading! I've put out the DSA and marked XSA-166 as fixed
in the tracker (since it has no CVE assigned). The tracker lists these

CVE-2016-5403   virtio: unbounded memory allocation on host via guest leading to DoS
CVE-2016-5242   The p2m_teardown function in arch/arm/p2m.c in Xen 4.4.x through 4.6.x ...
CVE-2016-4963   The libxl device-handling in Xen through 4.6.x allows local guest OS ...
CVE-2016-4962   The libxl device-handling in Xen 4.6.x and earlier allows local OS ...

as affecting Wheezy. I've marked CVE-2016-5242 as not-affected since we
don't have ARM xen in wheezy. What about the other ones?

Cheers,
 -- Guido



Accepted icedove 1:45.2.0-2~deb7u1 (source amd64 all) into oldstable

2016-07-30 Thread Guido Günther

Format: 1.8
Date: Fri, 29 Jul 2016 16:58:24 +0200
Source: icedove
Binary: icedove icedove-dev icedove-dbg iceowl-extension 
calendar-google-provider icedove-l10n-all icedove-l10n-ar icedove-l10n-ast 
icedove-l10n-be icedove-l10n-bg icedove-l10n-bn-bd icedove-l10n-br 
icedove-l10n-ca icedove-l10n-cs icedove-l10n-da icedove-l10n-de icedove-l10n-el 
icedove-l10n-en-gb icedove-l10n-es-ar icedove-l10n-es-es icedove-l10n-et 
icedove-l10n-eu icedove-l10n-fi icedove-l10n-fr icedove-l10n-fy-nl 
icedove-l10n-ga-ie icedove-l10n-gd icedove-l10n-gl icedove-l10n-he 
icedove-l10n-hr icedove-l10n-hu icedove-l10n-hy-am icedove-l10n-id 
icedove-l10n-is icedove-l10n-it icedove-l10n-ja icedove-l10n-ko icedove-l10n-lt 
icedove-l10n-nb-no icedove-l10n-nl icedove-l10n-nn-no icedove-l10n-pa-in 
icedove-l10n-pl icedove-l10n-pt-br icedove-l10n-pt-pt icedove-l10n-rm 
icedove-l10n-ro icedove-l10n-ru icedove-l10n-si icedove-l10n-sk icedove-l10n-sl 
icedove-l10n-sq icedove-l10n-sr icedove-l10n-sv-se icedove-l10n-ta-lk 
icedove-l10n-tr icedove-l10n-uk icedove-l10n-vi
 icedove-l10n-zh-cn icedove-l10n-zh-tw iceowl-l10n-ar iceowl-l10n-be 
iceowl-l10n-bg iceowl-l10n-bn-bd iceowl-l10n-br iceowl-l10n-ca iceowl-l10n-cs 
iceowl-l10n-cy iceowl-l10n-da iceowl-l10n-de iceowl-l10n-el iceowl-l10n-es-ar 
iceowl-l10n-es-es iceowl-l10n-en-gb iceowl-l10n-et iceowl-l10n-eu 
iceowl-l10n-fi iceowl-l10n-fr iceowl-l10n-fy-nl iceowl-l10n-ga-ie 
iceowl-l10n-gd iceowl-l10n-gl iceowl-l10n-he iceowl-l10n-hr iceowl-l10n-hu 
iceowl-l10n-hy-am iceowl-l10n-id iceowl-l10n-is iceowl-l10n-it iceowl-l10n-ja 
iceowl-l10n-ko iceowl-l10n-lt iceowl-l10n-nb-no iceowl-l10n-nl 
iceowl-l10n-nn-no iceowl-l10n-pa-in iceowl-l10n-pl iceowl-l10n-pt-br 
iceowl-l10n-pt-pt iceowl-l10n-rm iceowl-l10n-ro iceowl-l10n-ru iceowl-l10n-si 
iceowl-l10n-sk iceowl-l10n-sl iceowl-l10n-sr iceowl-l10n-sq iceowl-l10n-sv-se 
iceowl-l10n-ta-lk iceowl-l10n-tr iceowl-l10n-uk iceowl-l10n-vi iceowl-l10n-zh-cn
 iceowl-l10n-zh-tw
Architecture: source amd64 all
Version: 1:45.2.0-2~deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: Christoph Goehre 
Changed-By: Guido Günther 
Description: 
 calendar-google-provider - Google Calendar support for lightning- and 
iceowl-extension
 icedove- mail/news client with RSS and integrated spam filter support
 icedove-dbg - Debug Symbols for Icedove
 icedove-dev - Development files for Icedove
 icedove-l10n-all - All language packages for Icedove (meta)
 icedove-l10n-ar - Arabic language package for Icedove
 icedove-l10n-ast - Asturian language package for Icedove
 icedove-l10n-be - Belarusian language package for Icedove
 icedove-l10n-bg - Bulgarian language package for Icedove
 icedove-l10n-bn-bd - Bengali language package for Icedove
 icedove-l10n-br - Breton language package for Icedove
 icedove-l10n-ca - Catalan/Valencian language package for Icedove
 icedove-l10n-cs - Czech language package for Icedove
 icedove-l10n-da - Danish language package for Icedove
 icedove-l10n-de - German language package for Icedove
 icedove-l10n-el - Greek language package for Icedove
 icedove-l10n-en-gb - English (Great Britain) language package for Icedove
 icedove-l10n-es-ar - Spanish (Argentina) language package for Icedove
 icedove-l10n-es-es - Spanish (Spain) language package for Icedove
 icedove-l10n-et - Estonian language package for Icedove
 icedove-l10n-eu - Basque language package for Icedove
 icedove-l10n-fi - Finnish language package for Icedove
 icedove-l10n-fr - French language package for Icedove
 icedove-l10n-fy-nl - Frisian language package for Icedove
 icedove-l10n-ga-ie - Irish (Ireland) language package for Icedove
 icedove-l10n-gd - Gaelic (Scottish) language package for Icedove
 icedove-l10n-gl - Galician language package for Icedove
 icedove-l10n-he - Hebrew language package for Icedove
 icedove-l10n-hr - Croatian language package for Icedove
 icedove-l10n-hu - Hungarian language package for Icedove
 icedove-l10n-hy-am - Armenian language package for Icedove
 icedove-l10n-id - Indonesian language package for Icedove
 icedove-l10n-is - Icelandic language package for Icedove
 icedove-l10n-it - Italian language package for Icedove
 icedove-l10n-ja - Japanese language package for Icedove
 icedove-l10n-ko - Korean language package for Icedove
 icedove-l10n-lt - Lithuanian language package for Icedove
 icedove-l10n-nb-no - Bokmaal (Norway) language package for Icedove
 icedove-l10n-nl - Dutch language package for Icedove
 icedove-l10n-nn-no - Nynorsk (Norway) language package for Icedove
 icedove-l10n-pa-in - Punjabi (India) language package for Icedove
 icedove-l10n-pl - Polish language package for Icedove
 icedove-l10n-pt-br - Portuguese (Brazil) language package for Icedove
 icedove-l10n-pt-pt - Portuguese (Portugal) language package for Icedove
 icedove-l10n-rm - Romansh language package for Icedove
 icedove-l10n-ro - Romania language package for Icedove
 

Accepted qemu-kvm 1.1.2+dfsg-6+deb7u14 (source amd64) into oldstable

2016-07-30 Thread Guido Günther

Format: 1.8
Date: Fri, 29 Jul 2016 16:32:58 +0200
Source: qemu-kvm
Binary: qemu-kvm qemu-kvm-dbg kvm
Architecture: source amd64
Version: 1.1.2+dfsg-6+deb7u14
Distribution: wheezy-security
Urgency: medium
Maintainer: Michael Tokarev 
Changed-By: Guido Günther 
Description: 
 kvm- dummy transitional package from kvm to qemu-kvm
 qemu-kvm   - Full virtualization on x86 hardware
 qemu-kvm-dbg - Debugging info for qemu-kvm
Closes: 832767
Changes: 
 qemu-kvm (1.1.2+dfsg-6+deb7u14) wheezy-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2016-5403: virtio: error out if guest exceeds virtqueue size
 (Closes: #832767)
   * CVE-2016-4439, CVE-2016-6351, CVE-2016-6351: several issue in the 53C9X
 Fast SCSI Controller
   * CVE-2016-4020: The patch_instruction function in hw/i386/kvmvapic.c in
 QEMU does not initialize the imm32 variable, which allows local guest OS
 administrators to obtain sensitive information from host stack memory by
 accessing the Task Priority Register (TPR).
   * CVE-2016-2857: The net_checksum_calculate function in net/checksum.c in
 QEMU allows local guest OS users to cause a denial of service
 (out-of-bounds heap read and crash) via the payload length in a crafted
 packet.
   * CVE-2015-5239: Integer overflow in vnc_client_read() and
 protocol_client_msg()
Checksums-Sha1: 
 55b5958cb052410320b76c49f23c94efcc202b38 2471 qemu-kvm_1.1.2+dfsg-6+deb7u14.dsc
 345ad82cfe41c4b584ba36e45918cbaeef6f3c64 128457 
qemu-kvm_1.1.2+dfsg-6+deb7u14.debian.tar.gz
 4b158fc59b8b4d85775bb96f10dee1ea52670ec8 1682278 
qemu-kvm_1.1.2+dfsg-6+deb7u14_amd64.deb
 2927e1fa1b5ea80452efb73d121b90ba677cd15d 5277662 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u14_amd64.deb
 97534db21940cd4fafee2d435a1476f2ce591c10 25672 
kvm_1.1.2+dfsg-6+deb7u14_amd64.deb
Checksums-Sha256: 
 89d567c61df07c96fca17da857b7ca9a9dfd36eea3212eda253e4c12585473fa 2471 
qemu-kvm_1.1.2+dfsg-6+deb7u14.dsc
 141ce80a6d54ff7e953ed21e96f5ff16bbdbabc2df963f356109518ffde1b0c0 128457 
qemu-kvm_1.1.2+dfsg-6+deb7u14.debian.tar.gz
 57385cb443185ac77f30c03bbde0fa61653f02c70bf4a7f948a907ac9e9de705 1682278 
qemu-kvm_1.1.2+dfsg-6+deb7u14_amd64.deb
 f82507c84dd249fbe37b74747ca053fa8c2e11401b6d445d63b308e13dbac60b 5277662 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u14_amd64.deb
 89995f0a705bfad97faa3ae84e6f6ae27c1116dfb0fa965182ac489cdaf72eeb 25672 
kvm_1.1.2+dfsg-6+deb7u14_amd64.deb
Files: 
 0a1505ffa5ac686918c1872c6619d44c 2471 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u14.dsc
 54d90987d263bdad22934387dd2a3531 128457 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u14.debian.tar.gz
 12ebd25d808efcc780f857aa887cee3b 1682278 misc optional 
qemu-kvm_1.1.2+dfsg-6+deb7u14_amd64.deb
 84f0ec9e483810a5936040302046ecb3 5277662 debug extra 
qemu-kvm-dbg_1.1.2+dfsg-6+deb7u14_amd64.deb
 510b68dcccf03cb26ffd0861b0c2a604 25672 oldlibs extra 
kvm_1.1.2+dfsg-6+deb7u14_amd64.deb




Re: Wheezy update of twisted?

2016-07-30 Thread Free Ekanayaka
Hello,

I'm going on vacation shortly, and likely won't have time to address the
bug timely enough. So unless Matthias has cycles to work on it, I'd say yes
go ahead please. Thanks

Free

On 28 July 2016 at 22:37, Thorsten Alteholz  wrote:

> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of twisted:
> https://security-tracker.debian.org/tracker/CVE-2016-1000111
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Thorsten Alteholz,
>   on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
>
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
>
>


[SECURITY] [DLA 571-1] xen security update

2016-07-30 Thread Guido Günther

Package: xen
Version: 4.1.6.lts1-1
CVE ID : CVE-2014-3672 CVE-2016-3158 CVE-2016-3159 CVE-2016-3710 
 CVE-2016-3712 CVE-2016-3960 CVE-2016-4480 CVE-2016-6258
Debian Bug : 

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2014-3672 (XSA-180)

Andrew Sorensen discovered that an HVM domain can exhaust the host's
disk space by filling up the log file.

CVE-2016-3158, CVE-2016-3159 (XSA-172)

Jan Beulich from SUSE discovered that Xen does not properly handle
writes to the hardware FSW.ES bit when running on AMD64 processors.
A malicious domain can take advantage of this flaw to obtain address
space usage and timing information about another domain, at a
fairly low rate.

CVE-2016-3710 (XSA-179)

Wei Xiao and Qinghao Tang of 360.cn Inc discovered an out-of-bounds
read and write flaw in the QEMU VGA module. A privileged guest user
could use this flaw to execute arbitrary code on the host with the
privileges of the hosting QEMU process.

CVE-2016-3712 (XSA-179)

Zuozhi Fzz of Alibaba Inc discovered potential integer overflow
or out-of-bounds read access issues in the QEMU VGA module. A
privileged guest user could use this flaw to mount a denial of
service (QEMU process crash).

CVE-2016-3960 (XSA-173)

Ling Liu and Yihan Lian of the Cloud Security Team, Qihoo 360
discovered an integer overflow in the x86 shadow pagetable code. An
HVM guest using shadow pagetables can cause the host to crash. A PV
guest using shadow pagetables (i.e. being migrated) with PV
superpages enabled (which is not the default) can crash the host, or
corrupt hypervisor memory, potentially leading to privilege
escalation.

CVE-2016-4480 (XSA-176)

Jan Beulich discovered that incorrect page table handling could
result in privilege escalation inside a Xen guest instance.

CVE-2016-6258 (XSA-182)

Jérémie Boutoille discovered that incorrect pagetable handling in
PV instances could result in guest to host privilege escalation.

Additionally, this Xen Security Advisory without a CVE was fixed:

XSA-166

Konrad Rzeszutek Wilk and Jan Beulich discovered that ioreq handling
is possibly susceptible to a multiple read issue.

For Debian 7 "Wheezy", these problems have been fixed in version
4.1.6.lts1-1.

We recommend that you upgrade your xen packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS