Accepted libdatetime-timezone-perl 1:1.58-1+2017c (source all) into oldoldstable
Format: 1.8
Date: Tue, 31 Oct 2017 18:49:10 +0100
Source: libdatetime-timezone-perl
Binary: libdatetime-timezone-perl
Architecture: source all
Version: 1:1.58-1+2017c
Distribution: wheezy-security
Urgency: medium
Maintainer: Debian Perl Group
Changed-By: Emilio Pozuelo Monfort
Description:
 libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl
Changes:
 libdatetime-timezone-perl (1:1.58-1+2017c) wheezy-security; urgency=medium
 .
   * Update to Olson database version 2017c.
Accepted tzdata 2017c-0+deb7u1 (source all) into oldoldstable
Format: 1.8
Date: Tue, 31 Oct 2017 18:08:50 +0100
Source: tzdata
Binary: tzdata tzdata-java
Architecture: source all
Version: 2017c-0+deb7u1
Distribution: wheezy-security
Urgency: medium
Maintainer: GNU Libc Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
 tzdata     - time zone and daylight-saving time data
 tzdata-java - time zone and daylight-saving time data for use by java runtimes
Changes:
 tzdata (2017c-0+deb7u1) wheezy-security; urgency=medium
 .
   * New upstream version, affecting the following timestamps:
     - Northern Cyprus resumed EU rules starting 2017-10-29.
     - Namibia will switch from +01 with DST to +02 all year, affecting UT
       offsets starting 2018-04-01.
     - Sudan will switch from +03 to +02 on 2017-11-01.
     - Tonga will not observe DST on 2017-11-05.
     - Turks & Caicos will switch from -04 all year to -05 with US DST,
       affecting UT offset starting 2018-11-04.
[SECURITY] [DLA 1155-1] tzdata new upstream version
Package: tzdata
Version: 2017c-0+deb7u1

This update includes the changes in tzdata 2017b. Notable changes are:

- Northern Cyprus resumed EU rules starting 2017-10-29.
- Namibia will switch from +01 with DST to +02 all year, affecting UT offsets starting 2018-04-01.
- Sudan will switch from +03 to +02 on 2017-11-01.
- Tonga will not observe DST on 2017-11-05.
- Turks & Caicos will switch from -04 all year to -05 with US DST, affecting UT offset starting 2018-11-04.

For Debian 7 "Wheezy", these problems have been fixed in version 2017c-0+deb7u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1154-1] graphicsmagick security update
Package: graphicsmagick
Version: 1.3.16-1.1+deb7u12
CVE ID: CVE-2017-14103 CVE-2017-14314 CVE-2017-14504 CVE-2017-14733 CVE-2017-14994 CVE-2017-14997 CVE-2017-15930
Debian Bug: 87

Multiple vulnerabilities were found in graphicsmagick.

CVE-2017-14103

    The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in GraphicsMagick 1.3.26 do not properly manage image pointers after certain error conditions, which allows remote attackers to conduct use-after-free attacks via a crafted file, related to a ReadMNGImage out-of-order CloseBlob call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-11403.

CVE-2017-14314

    Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file.

CVE-2017-14504

    ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure the correct number of colors for the XV 332 format, leading to a NULL Pointer Dereference.

CVE-2017-14733

    ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE headers that specify too few colors, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.

CVE-2017-14994

    ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted DICOM image, related to the ability of DCM_ReadNonNativeImages to yield an image list with zero frames.

CVE-2017-14997

    GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c.

CVE-2017-15930

    In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer.

For Debian 7 "Wheezy", CVE-2017-15930 has been fixed in version 1.3.16-1.1+deb7u12. The other security issues were fixed in 1.3.16-1.1+deb7u10 on 10 Oct 2017 in DLA-1130-1, but that announcement was never sent out, so this advisory also contains the notice about those vulnerabilities.

We recommend that you upgrade your graphicsmagick packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: missing DLAs
> The mailing list web archives are being rebuilt, according to
> #debian-lists.
>
> So even though you don't see your message in the web interface, it may
> have actually gone through, SMTP-wise.
>
> Mine (DLA-1150-1, wpa) did, in any case.

Oh, you're right, the web archive is now displaying them. I should really subscribe to -announce.

Thanks!

cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 15:45:31, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> I'll take care of it then. Should I just reuse the old DLA id? or
>> simply mention the old DLA id in the announcement? Or mention all the
>> CVEs fixed in the old DLA in the new DLA?
>>
>> Not actually sure how to merge this. :)
>
> You prepare your DLA like usual but then you also document the CVE
> fixed by the old DLA in the mail sent to debian-lts-announce. But when
> you generate your template with bin/gen-DLA you only pass the newly fixed
> CVE (to not fix the same CVE twice in data/DLA/list).

Excellent, this will come out this afternoon once the package is accepted.

A.

--
A genius is someone who discovers that the stone that falls and the moon that doesn't fall represent one and the same phenomenon.
                        - Ernesto Sabato
Re: missing DLAs
On 2017-10-31 17:40:30, Hugo Lefeuvre wrote:
> Hi,
>
>> In my case, I also previously had issues because I added a new signing
>> subkey that took some time to propagate across Debian's infrastructure.
>>
>> The main issue is we have currently no way of noticing when a number is
>> skipped. It would be nice to automate this stuff somehow, yet I can't
>> quite think of how... Maybe by adding (signed) DLA files themselves into
>> security tracker and have *that* send out the announcements?
>
> Hum, I think something is still going wrong here. The last DLA I sent
> (1152-1) didn't reach debian-lts-announce, and it may also be the case
> of 1150-1 and 1151-1 (both uploaded today, though).
>
> Raphaël, Antoine, did you already publish your DLAs?

The mailing list web archives are being rebuilt, according to #debian-lists.

So even though you don't see your message in the web interface, it may have actually gone through, SMTP-wise.

Mine (DLA-1150-1, wpa) did, in any case.

A.

--
They pour a poor honey over their rotten words and talk to you of scarcity
And on your hunger, on your friends, they sharpen their appetite
                        - Richard Desjardins, La maison est ouverte
Re: missing DLAs
Hi,

> In my case, I also previously had issues because I added a new signing
> subkey that took some time to propagate across Debian's infrastructure.
>
> The main issue is we have currently no way of noticing when a number is
> skipped. It would be nice to automate this stuff somehow, yet I can't
> quite think of how... Maybe by adding (signed) DLA files themselves into
> security tracker and have *that* send out the announcements?

Hum, I think something is still going wrong here. The last DLA I sent (1152-1) didn't reach debian-lts-announce, and it may also be the case of 1150-1 and 1151-1 (both uploaded today, though).

Raphaël, Antoine, did you already publish your DLAs?

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
[SECURITY] [DLA 1151-1] wordpress security update
Package: wordpress
Version: 3.6.1+dfsg-1~deb7u17
CVE ID: CVE-2016-9263 CVE-2017-14718 CVE-2017-14719 CVE-2017-14720 CVE-2017-14721 CVE-2017-14722 CVE-2017-14723 CVE-2017-14725 CVE-2017-14990
Debian Bug: 876274 877629

Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2016-9263

    When domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. This issue was resolved by completely removing flashmediaelement.swf.

CVE-2017-14718

    WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL.

CVE-2017-14719

    WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.

CVE-2017-14720

    WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name.

CVE-2017-14721

    WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name.

CVE-2017-14722

    WordPress allowed a Directory Traversal attack in the Customizer component via a crafted theme filename.

CVE-2017-14723

    WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

CVE-2017-14725

    WordPress was susceptible to an open redirect attack in wp-admin/user-edit.php.

CVE-2017-14990

    WordPress stores cleartext wp_signups.activation_key values (but stores the analogous wp_users.user_activation_key values as hashes), which might make it easier for remote attackers to hijack unactivated user accounts by leveraging database read access (such as access gained through an unspecified SQL injection vulnerability).

For Debian 7 "Wheezy", these problems have been fixed in version 3.6.1+dfsg-1~deb7u17.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 1152-1] quagga security update
Package: quagga
Version: quagga_0.99.22.4-1+wheezy3+deb7u2
CVE ID: CVE-2017-16227
Debian Bug: 879474

It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity.

For Debian 7 "Wheezy", these problems have been fixed in version quagga_0.99.22.4-1+wheezy3+deb7u2.

We recommend that you upgrade your quagga packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
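The length calculation the advisory refers to, shown in an added example that is neither Quagga's code nor part of the advisory: a path of more than 255 ASNs must be split into several AS_SEQUENCE segments (RFC 4271), the AS_PATH attribute length has to cover every segment header, and once the value exceeds 255 bytes the two-byte Extended Length form is required; the decoder rejects an attribute whose declared length disagrees with its segments, which is how a peer ends up treating such an UPDATE as malformed. The sample paths are constructed.

```python
import math
import struct

# Constants from RFC 4271 (path attribute header and AS_PATH encoding).
AS_SEQUENCE = 2          # segment type: ordered list of ASNs
ATTR_AS_PATH = 2         # path attribute type code for AS_PATH
FLAG_TRANSITIVE = 0x40   # AS_PATH is a well-known transitive attribute
FLAG_EXT_LEN = 0x10      # attribute length field is two bytes, not one
MAX_SEG_ASNS = 255       # one-byte segment count caps a segment at 255 ASNs


def attribute_value_length(asns, asn_size=4):
    """Byte length of the AS_PATH value: a 2-byte header per segment plus the ASNs.

    Counting a single header for a path that spills into a second segment
    is the kind of miscalculation that produces a malformed UPDATE.
    """
    segments = math.ceil(len(asns) / MAX_SEG_ASNS)
    return 2 * segments + len(asns) * asn_size


def encode_as_path(asns, asn_size=4):
    """Build a complete AS_PATH attribute: flags, type code, length, value."""
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt = ">H" if asn_size == 2 else ">I"
    value = bytearray()
    for start in range(0, len(asns), MAX_SEG_ASNS):
        chunk = asns[start:start + MAX_SEG_ASNS]
        value += struct.pack(">BB", AS_SEQUENCE, len(chunk))
        for asn in chunk:
            value += struct.pack(fmt, asn)
    assert len(value) == attribute_value_length(asns, asn_size)
    flags = FLAG_TRANSITIVE
    if len(value) > 255:
        # The one-byte length cannot express this value: use Extended Length.
        flags |= FLAG_EXT_LEN
        header = struct.pack(">BBH", flags, ATTR_AS_PATH, len(value))
    else:
        header = struct.pack(">BBB", flags, ATTR_AS_PATH, len(value))
    return bytes(header + value)


def decode_as_path(attr, asn_size=4):
    """Parse an AS_PATH attribute into (asns, segment_count).

    Raises ValueError when the declared length and the segments disagree,
    i.e. when the attribute is malformed.
    """
    if len(attr) < 3:
        raise ValueError("truncated attribute header")
    flags, type_code = attr[0], attr[1]
    if type_code != ATTR_AS_PATH:
        raise ValueError(f"type code {type_code} is not AS_PATH")
    if flags & FLAG_EXT_LEN:
        if len(attr) < 4:
            raise ValueError("truncated extended length field")
        declared, value = struct.unpack(">H", attr[2:4])[0], attr[4:]
    else:
        declared, value = attr[2], attr[3:]
    if len(value) != declared:
        raise ValueError(f"declared {declared} value bytes, got {len(value)}")
    fmt = ">H" if asn_size == 2 else ">I"
    asns, segments, pos = [], 0, 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type != AS_SEQUENCE:  # AS_SET and confederation segments are out of scope here
            raise ValueError(f"unsupported segment type {seg_type}")
        end = pos + count * asn_size
        if end > len(value):
            raise ValueError(f"segment of {count} ASNs runs past the attribute")
        asns.extend(struct.unpack_from(fmt, value, off)[0] for off in range(pos, end, asn_size))
        pos, segments = end, segments + 1
    return asns, segments


def is_well_formed(attr, asn_size=4):
    """True when the attribute parses cleanly, False when it is malformed."""
    try:
        decode_as_path(attr, asn_size)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    long_path = list(range(64512, 64512 + 300))   # constructed: needs two segments
    attr = encode_as_path(long_path)
    print(len(attr), decode_as_path(attr)[1])      # 1208 bytes, 2 segments
```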
[SECURITY] [DLA 1150-1] wpa security update
Package: wpa
Version: 1.0-3+deb7u5
CVE ID: CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088

A vulnerability was found in how WPA code can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. Those issues are commonly known under the "KRACK" appellation.

According to US-CERT, "the impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others."

CVE-2017-13077

    Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.

CVE-2017-13078

    Reinstallation of the group key (GTK) in the 4-way handshake.

CVE-2017-13079

    Reinstallation of the integrity group key (IGTK) in the 4-way handshake.

CVE-2017-13080

    Reinstallation of the group key (GTK) in the group key handshake.

CVE-2017-13081

    Reinstallation of the integrity group key (IGTK) in the group key handshake.

CVE-2017-13082

    Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.

CVE-2017-13084

    Reinstallation of the STK key in the PeerKey handshake.

CVE-2017-13086

    Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.

CVE-2017-13087

    Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

CVE-2017-13088

    Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

For Debian 7 "Wheezy", these problems have been fixed in version 1.0-3+deb7u5.

Note that the latter two vulnerabilities (CVE-2017-13087 and CVE-2017-13088) were mistakenly marked as fixed in the changelog, whereas they simply did not apply to the 1.0 version of the WPA source code, which doesn't implement WNM sleep mode responses.

We recommend that you upgrade your wpa packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
>
> Not actually sure how to merge this. :)

You prepare your DLA like usual but then you also document the CVE fixed by the old DLA in the mail sent to debian-lts-announce. But when you generate your template with bin/gen-DLA you only pass the newly fixed CVE (to not fix the same CVE twice in data/DLA/list).

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Accepted quagga 0.99.22.4-1+wheezy3+deb7u2 (source amd64 all) into oldoldstable
Format: 1.8
Date: Mon, 30 Oct 2017 16:57:40 +0100
Source: quagga
Binary: quagga quagga-dbg quagga-doc
Architecture: source amd64 all
Version: 0.99.22.4-1+wheezy3+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Christian Hammers
Changed-By: Hugo Lefeuvre
Description:
 quagga     - BGP/OSPF/RIP routing daemon
 quagga-dbg - BGP/OSPF/RIP routing daemon (debug symbols)
 quagga-doc - documentation files for quagga
Closes: 879474
Changes:
 quagga (0.99.22.4-1+wheezy3+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2017-16227: BGP session termination due to rather long AS paths in
     update messages (Closes: #879474).
Accepted wordpress 3.6.1+dfsg-1~deb7u17 (source all) into oldoldstable
Format: 1.8
Date: Tue, 31 Oct 2017 15:13:56 +0100
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.6.1+dfsg-1~deb7u17
Distribution: wheezy-security
Urgency: high
Maintainer: Giuseppe Iuculano
Changed-By: Markus Koschany
Description:
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Changes:
 wordpress (3.6.1+dfsg-1~deb7u17) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Backport security fixes from 4.8.2.
   * CVE-2016-9263: When domain-based flashmediaelement.swf sandboxing is not
     used, allows remote attackers to conduct cross-domain Flash injection
     (XSF) attacks by leveraging code contained within the
     wp-includes/js/mediaelement/flashmediaelement.swf file. This issue was
     resolved by completely removing flashmediaelement.swf.
   * CVE-2017-14718: WordPress was susceptible to a Cross-Site Scripting
     attack in the link modal via a javascript: or data: URL.
   * CVE-2017-14719: WordPress was vulnerable to a directory traversal attack
     during unzip operations in the ZipArchive and PclZip components.
   * CVE-2017-14720: WordPress allowed a Cross-Site scripting attack in the
     template list view via a crafted template name.
   * CVE-2017-14721: WordPress allowed Cross-Site scripting in the plugin
     editor via a crafted plugin name.
   * CVE-2017-14722: WordPress allowed a Directory Traversal attack in the
     Customizer component via a crafted theme filename.
   * CVE-2017-14723: WordPress mishandled % characters and additional
     placeholder values in $wpdb->prepare, and thus did not properly address
     the possibility of plugins and themes enabling SQL injection attacks.
   * CVE-2017-14725: WordPress was susceptible to an open redirect attack in
     wp-admin/user-edit.php.
   * CVE-2017-14990: WordPress stores cleartext wp_signups.activation_key
     values (but stores the analogous wp_users.user_activation_key values as
     hashes), which might make it easier for remote attackers to hijack
     unactivated user accounts by leveraging database read access (such as
     access gained through an unspecified SQL injection vulnerability).
Re: Version number for the next quagga update
Hi Markus, Chris,

> I think using 0.99.22.4-1+wheezy4 would have been correct in this case
> but I would continue with 0.99.22.4-1+wheezy3+deb7u2 now. In the light
> of our proposed change to reportbug it makes even sense to append
> +deb7u1 because this is the string we are looking for when we want to
> determine whether someone reports a regression because of a security
> update.

Thanks, I have opted for 0.99.22.4-1+wheezy3+deb7u2.

Cheers,
Hugo

--
Hugo Lefeuvre (hle) | www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA
Accepted wpa 1.0-3+deb7u5 (source amd64) into oldoldstable
Format: 1.8
Date: Mon, 23 Oct 2017 17:09:19 -0400
Source: wpa
Binary: hostapd wpagui wpasupplicant wpasupplicant-udeb
Architecture: source amd64
Version: 1.0-3+deb7u5
Distribution: wheezy-security
Urgency: high
Maintainer: Debian/Ubuntu wpasupplicant Maintainers
Changed-By: Antoine Beaupré
Description:
 hostapd    - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authentica
 wpagui     - graphical user interface for wpa_supplicant
 wpasupplicant - client support for WPA and WPA2 (IEEE 802.11i)
 wpasupplicant-udeb - Client support for WPA and WPA2 (IEEE 802.11i) (udeb)
Changes:
 wpa (1.0-3+deb7u5) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Fix multiple issues in WPA protocol, branded as the "KRACK" vulnerability
     (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
     CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087,
     CVE-2017-13088)
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 14:13:13, Raphael Hertzog wrote:
> On Tue, 31 Oct 2017, Antoine Beaupré wrote:
>> > Please send it again and add a small sentence explaining that you are sending an
>> > old advisory that never made it to the list... IOW if you expect
>> > confusion, add an explanation to clear it up.
>>
>> I will be looking at a GM update later today - should I merge that
>> announcement in?
>
> That also works, sure.

I'll take care of it then. Should I just reuse the old DLA id, or simply
mention the old DLA id in the announcement? Or mention all the CVEs fixed
in the old DLA in the new DLA? Not actually sure how to merge this. :)

A.

-- 
If you have come here to help me, you are wasting our time.
But if you have come because your liberation is bound up with
mine, then let us work together.
                        - Aboriginal activists group, Queensland, 1970s
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you are sending an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
>
> I will be looking at a GM update later today - should I merge that
> announcement in?

That also works, sure.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
On 2017-10-31 11:56:31, Raphael Hertzog wrote:
> Hi,
>
> On Sat, 28 Oct 2017, Brian May wrote:
>> I didn't realize until after I uploaded the newer version associated
>> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
>> DLA-1140-1.
>>
>> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
>> didn't. I am concerned that if I send DLA-1130-1 now that DLA-1140-1 has
>> been published, it would cause confusion.
>
> Please send it again and add a small sentence explaining that you are sending an
> old advisory that never made it to the list... IOW if you expect
> confusion, add an explanation to clear it up.

I will be looking at a GM update later today - should I merge that
announcement in?

> But not sending the announcement is not a good option IMO. FWIW checking that
> the announcement went through is part of my routine for each DLA.

Agreed. What I do is keep the DLA template in my secure-testing SVN checkout
after I have sent it, and leave it there until I have verified it shows up in
the archives. (Or that I received it, but my email client (notmuch) strangely
makes that quite difficult, as it deduplicates multiple messages with the same
message ID, so I can't really tell if I actually received my own messages!
That will fortunately be fixed in the 0.26 release though... )

A.

-- 
There is no limit, sacred or otherwise, to man's action in the universe.
Since our origins we have had the choice: to be blinded by the truth or to
sew our eyelids shut.
                        - [no one is innocent]
Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable
Hi,

On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
>
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned that if I send DLA-1130-1 now that DLA-1140-1 has
> been published, it would cause confusion.

Please send it again and add a small sentence explaining that you are sending
an old advisory that never made it to the list... IOW if you expect confusion,
add an explanation to clear it up.

But not sending the announcement is not a good option IMO. FWIW checking that
the announcement went through is part of my routine for each DLA.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Wheezy update of icedove?
Hello Guido and Moritz,

On 30.10.2017 at 09:29, Moritz Mühlenhoff wrote:
> On Mon, Oct 30, 2017 at 08:06:27AM +0100, Guido Günther wrote:
>> I've seen preparation mails for Stretch and Jessie. Is there anything
>> missing that I can help with?

I guess we are done with the things that are possible now; jessie and stretch
are on the way. Upstream was discussing releasing a version 52.4.1 due to some
bugs that weren't fixed in time for 52.4.0, but due to a lack of personal
resources there has been no progress until today. And I don't expect this
planned version will still happen. Right now upstream again has build issues
for the next beta version 57.0b1 ... but that's a bit OT here.

> The stretch version is in NEW due to the rename and needs FTP master
> processing. jessie is ready.

Sounds good so far. :) The git tree on Alioth is up to date for both branches.

-- 
Regards
Carsten Schoenert

signature.asc: OpenPGP digital signature