Wheezy update of wget?

2018-05-08 Thread Ola Lundqvist
Hi Noël

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of wget:
https://security-tracker.debian.org/tracker/source-package/wget

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of wget updates
for the LTS releases.

Thank you very much.

Ola Lundqvist,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: Wheezy update of firebird2.5?

2018-05-08 Thread Damyan Ivanov
-=| Brian May, 08.05.2018 17:19:56 +1000 |=-
> Damyan Ivanov  writes:
> > The only fix upstream has is to disable UDFs in firebird.conf -- 
> > https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
> >  
> > (probably needs adaptation for firebird2.5, but you get the idea).
> 
> The patch appears to apply fine without dramas. Attached is the debdiff
> from the previous LTS release.
> 
> Just compiling it now, but don't expect any problems.
> 
> Damyan,
> 
> Assuming I have write access to the firebird2.5 repository, do you have
> any objections if I push my changes (including the previous LTS release)
> to the wheezy branch in the git repository?

Sure!

I have added you to https://salsa.debian.org/firebird-team/firebird2.5 
so feel free to push your work. Thanks!


-- Damyan
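The fix discussed in this thread is a single configuration change: the commented-out default `#UdfAccess = Restrict UDF` in firebird.conf becomes an active `UdfAccess = None`. The following is an added example, not code from the thread or from the Debian firebird packaging, of a small audit script an administrator could run over a deployed firebird.conf to confirm UDF loading is actually disabled. It assumes the firebird.conf format is one `Key = Value` per line with `#` introducing comments, and it treats a commented-out `UdfAccess` line as documenting the built-in default, which is how the shipped file presents it. The two sample configurations are constructed to mirror the before and after states of the patch.

```python
"""Audit a firebird.conf for the effective UdfAccess setting.

Added example (not part of the mailing-list thread or the Debian package).
Assumption: firebird.conf holds one `Key = Value` per line and `#` starts a
comment; a commented-out `#UdfAccess = ...` line documents the default that
applies when no active line overrides it.
"""
import re
from typing import Tuple

# Matches an active `Key = Value` line and, via the optional '#', a
# commented-out one such as `#UdfAccess = Restrict UDF`.
_LINE = re.compile(
    r'^\s*(?P<comment>#)?\s*(?P<key>[A-Za-z]+)\s*=\s*(?P<value>.*?)\s*$'
)

# Constructed sample: the relevant region of the unpatched Wheezy file.
WHEEZY_DEFAULT_CONF = """\
#
# Type: string (special format)
#
#UdfAccess = Restrict UDF
"""

# Constructed sample: the same region after the CVE-2017-11509 patch.
PATCHED_CONF = """\
#
# Type: string (special format)
#
# Debian maintainer note: UDFs can be used for remote code execution as the
# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
# (CVE-2017-11509)
UdfAccess = None
"""


def effective_udf_access(conf_text: str) -> Tuple[str, str]:
    """Return (value, source); source is 'active', 'default' or 'unknown'.

    The last active UdfAccess line wins.  If no active line exists, the last
    commented-out UdfAccess line is reported as the documented default.
    """
    active = None
    commented = None
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group('key').lower() != 'udfaccess':
            continue
        if m.group('comment'):
            commented = m.group('value')
        else:
            active = m.group('value')
    if active is not None:
        return active, 'active'
    if commented is not None:
        return commented, 'default'
    return '', 'unknown'


def udfs_disabled(conf_text: str) -> bool:
    """True only when an active line explicitly sets UdfAccess = None.

    A commented-out default or a 'Restrict <dir>' value still permits UDF
    loading, so only an explicit, active 'None' counts as disabled.
    """
    value, source = effective_udf_access(conf_text)
    return source == 'active' and value.strip().lower() == 'none'


if __name__ == '__main__':
    for label, text in (('wheezy default', WHEEZY_DEFAULT_CONF),
                        ('patched', PATCHED_CONF)):
        value, source = effective_udf_access(text)
        print(f'{label}: UdfAccess={value!r} ({source}); '
              f'UDFs disabled: {udfs_disabled(text)}')
```

Pointing the script at a real file (`effective_udf_access(open('/etc/firebird/2.5/firebird.conf').read())`, path being an assumption) tells you whether the installed configuration, including any local edits made after the package update, still has UDFs switched off; a `Restrict` value only limits the directories UDF libraries may be loaded from.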



Re: Wheezy update of firebird2.5?

2018-05-08 Thread Brian May
Damyan Ivanov  writes:

> -=| Antoine Beaupré, 17.04.2018 12:59:26 -0400 |=-
>> I don't quite know where to go from here. I was somewhat hoping that
>> Wheezy would be magically not vulnerable to this issue, but obviously,
>> there's something wrong here that should probably be fixed.
>
> The only fix upstream has is to disable UDFs in firebird.conf -- 
> https://salsa.debian.org/firebird-team/firebird3.0/blob/master/debian/patches/deb/cve-2017-11509.patch
>  
> (probably needs adaptation for firebird2.5, but you get the idea).

The patch appears to apply fine without dramas. Attached is the debdiff
from the previous LTS release.

Just compiling it now, but don't expect any problems.

Damyan,

Assuming I have write access to the firebird2.5 repository, do you have
any objections if I push my changes (including the previous LTS release)
to the wheezy branch in the git repository?

Regards
-- 
Brian May 

diff -Nru firebird2.5-2.5.2.26540.ds4/debian/changelog firebird2.5-2.5.2.26540.ds4/debian/changelog
--- firebird2.5-2.5.2.26540.ds4/debian/changelog	2017-03-30 06:01:20.0 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/changelog	2018-05-07 17:39:32.0 +1000
@@ -1,3 +1,13 @@
+firebird2.5 (2.5.2.26540.ds4-1~deb7u4) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Disable UDFs in firebird.conf due to a remote authenticated code execution
+vilnerability
+https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+http://tracker.firebirdsql.org/browse/CORE-5518
+
+ -- Brian May   Mon, 07 May 2018 17:39:32 +1000
+
 firebird2.5 (2.5.2.26540.ds4-1~deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS Security Team.
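Review bot: two things in the new changelog stanza need fixing before upload: the distribution is `UNRELEASED` and must become `wheezy-security` for the DLA upload, and `vilnerability` in the bullet is a typo for `vulnerability`. Minor: the previous stanza says "LTS Security Team" where this one says "LTS Team"; either is fine, but keeping them consistent helps.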
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/gbp.conf firebird2.5-2.5.2.26540.ds4/debian/gbp.conf
--- firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2013-07-23 08:21:41.0 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/gbp.conf	2018-05-07 17:39:32.0 +1000
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch=master
+debian-branch=wheezy
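Review bot: the `debian-branch=wheezy` change is a packaging-repository setting rather than part of the security fix; it is harmless in the source package, but a one-line changelog mention would account for the full diff from deb7u3.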
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch
--- firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	1970-01-01 10:00:00.0 +1000
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/CVE-2017-11509.patch	2018-05-07 17:39:32.0 +1000
@@ -0,0 +1,23 @@
+Description: disable UDFs in firebird.conf
+ UDFs can be used for remote code execution. see
+ https://www.tenable.com/security/research/tra-2017-36 (CVE-2017-11509)
+ http://tracker.firebirdsql.org/browse/CORE-5518
+Author: Damyan Ivanov 
+Forwarded: no, because upstream doesn't consider this to be a problem
+
+Index: firebird2.5/builds/install/misc/firebird.conf.in
+===
+--- firebird2.5.orig/builds/install/misc/firebird.conf.in
 firebird2.5/builds/install/misc/firebird.conf.in
+@@ -137,7 +137,10 @@
+ #
+ # Type: string (special format)
+ #
+-#UdfAccess = Restrict UDF
++# Debian maintainer note: UDFs can be used for remote code execution as the
++# 'firebird' user. See https://www.tenable.com/security/research/tra-2017-36
++# (CVE-2017-11509)
++UdfAccess = None
+ 
+ 
+ # 
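Review bot: the embedded quilt patch's `+++` header line (the one reading `firebird2.5/builds/install/misc/firebird.conf.in`) lacks the leading `+` that every other added line in this hunk carries, so confirm the attached debdiff was not mangled in transit before applying it. On substance, replacing the commented-out default `#UdfAccess = Restrict UDF` with an active `UdfAccess = None` turns off UDF loading for every existing deployment, not only new installs, so databases that depend on UDF libraries will stop working after the update; a NEWS.Debian entry explaining the change and how an administrator can deliberately re-enable restricted UDF access would be appropriate. The DEP-3 header could also carry the upstream ticket (CORE-5518) in a `Bug:` field rather than only in the free-text description.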
diff -Nru firebird2.5-2.5.2.26540.ds4/debian/patches/series firebird2.5-2.5.2.26540.ds4/debian/patches/series
--- firebird2.5-2.5.2.26540.ds4/debian/patches/series	2017-03-30 02:09:54.0 +1100
+++ firebird2.5-2.5.2.26540.ds4/debian/patches/series	2018-05-07 17:39:32.0 +1000
@@ -19,3 +19,4 @@
 out/crash-create-db-restricted.patch
 upstream/r60322-remote-crash.patch
 CVE-2017-6369.patch
+CVE-2017-11509.patch