Re: tiff / CVE-2018-18661

2018-11-12 Thread Brian May
Ola Lundqvist  writes:

> Interesting. I wonder what the fix does differently in this case. It is a
> little worrying that it exits with a zero return code, but maybe not major.
> On the other hand, if we cannot reproduce the problem maybe it is not worth
> patching... Hmm.

I tried to reproduce this in a stretch chroot using version
4.0.9-1. This version should be vulnerable; it is the version mentioned
in the upstream bug report:

http://bugzilla.maptools.org/show_bug.cgi?id=2819

Still can't reproduce:

(stretch-amd64-default)root@silverfish:/tmp/brian/tmpog1hq_fw/build/amd64# tiff2bw /tmp/poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
TIFFWriteDirectoryTagData: IO error writing tag data.

From upstream bug report:

$ ./tiff2bw poc /dev/null
TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
Segmentation fault

I might have missed something; however, I can't see any sign of any
Debian specific changes in 4.0.9-1 either.
-- 
Brian May 
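The question raised in this thread is whether a run that prints warnings and returns to the prompt is really a non-crash, or whether a crash was missed. The harness below, an added example that is not tiff2bw's or libtiff's code, runs a command on an input once and classifies the outcome by how the process ended: a normal exit (with its code), a timeout, or death by a signal such as SIGSEGV, which is the only outcome that corresponds to the "Segmentation fault" in the upstream report. The three constructed cases stand in for the PoC so it runs without the file; against the real reproduction it would be called as run_triage(["tiff2bw", "/tmp/poc", "/dev/null"]) (paths as used in the thread, not verified here).

```python
"""Triage one run of a program: did it exit normally, fail, or die by signal?

Added example, not code from the page or from libtiff. Works on any POSIX
Python; the sample CASES are constructed stand-ins, not the real PoC.
"""
import signal
import subprocess
import sys


def run_triage(argv, timeout=30):
    """Run argv once and report how it ended.

    Returns one of:
      ("exit", code)      the program returned normally with that exit code
      ("signal", name)    it was killed by a signal, e.g. ("signal", "SIGSEGV")
      ("timeout", secs)   it ran past the timeout and was killed
      ("missing", prog)   the program could not be found
    """
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", timeout)
    except FileNotFoundError:
        return ("missing", argv[0])
    rc = proc.returncode
    if rc < 0:
        # subprocess encodes death-by-signal as -signum. In a shell the same
        # event shows up as $? = 128 + signum (139 for SIGSEGV), not 0.
        return ("signal", signal.Signals(-rc).name)
    return ("exit", rc)


def is_crash(result):
    """Only a signal death counts as the crash the bug report describes;
    a warning on stderr followed by exit status 0 does not."""
    return result[0] == "signal"


# Constructed stand-ins for the three outcomes a reproduction attempt can have:
# a child that segfaults, one that warns on stderr but exits 0 (what the thread
# observed), and one that exits non-zero.
CASES = {
    "segfault": [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"],
    "warn-exit-0": [sys.executable, "-c",
                    "import sys; sys.stderr.write('LZWDecode: Not enough data\\n'); sys.exit(0)"],
    "error-exit": [sys.executable, "-c", "raise SystemExit(2)"],
}


def triage_cases(cases=CASES):
    """Run every case and map its name to the run_triage result."""
    return {name: run_triage(argv) for name, argv in cases.items()}


if __name__ == "__main__":
    for name, result in triage_cases().items():
        print(f"{name:12} -> {result}  crash={is_crash(result)}")
```

The point of checking the signal rather than the output is that libtiff's own warning lines say nothing about how the process ended; a run that ends with ("exit", 0) is exactly the "exited normally" case gdb reported, while a real reproduction of the upstream crash ends with ("signal", "SIGSEGV").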



[SECURITY] [DLA 1573-1] firmware-nonfree security update

2018-11-12 Thread Ben Hutchings
Package: firmware-nonfree
Version: 20161130-4~deb8u1
CVE ID : CVE-2016-0801 CVE-2017-0561 CVE-2017-9417 CVE-2017-13077 
 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081
Debian Bug : 620066 724970 769633 774914 790061 793544 793874 795303
 800090 800440 800820 801514 802970 803920 808792 816350
 823402 823637 826996 832925 833355 833876 838038 838476
 838858 841092 842762 854695 854907 856853 862458 869639
 907320

Several vulnerabilities have been discovered in the firmware for
Broadcom BCM43xx wifi chips that may lead to a privilege escalation
or loss of confidentiality.

CVE-2016-0801

Broadgate Team discovered flaws in packet processing in the
Broadcom wifi firmware and proprietary drivers that could lead to
remote code execution.  However, this vulnerability is not
believed to affect the drivers used in Debian.

CVE-2017-0561

Gal Beniamini of Project Zero discovered a flaw in the TDLS
implementation in Broadcom wifi firmware.  This could be exploited
by an attacker on the same WPA2 network to execute code on the
wifi microcontroller.

CVE-2017-9417 / #869639

Nitay Artenstein of Exodus Intelligence discovered a flaw in the
WMM implementation in Broadcom wifi firmware.  This could be
exploited by a nearby attacker to execute code on the wifi
microcontroller.

CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
CVE-2017-13081

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven
discovered multiple vulnerabilities in the WPA protocol used for
authentication in wireless networks, dubbed "KRACK".

An attacker exploiting the vulnerabilities could force the
vulnerable system to reuse cryptographic session keys, enabling a
range of cryptographic attacks against the ciphers used in WPA1
and WPA2.

These vulnerabilities are only being fixed for certain Broadcom
wifi chips, and might still be present in firmware for other wifi
hardware.

For Debian 8 "Jessie", these problems have been fixed in version
20161130-4~deb8u1.  This version also adds new firmware and packages
for use with Linux 4.9, and re-adds firmware-{adi,ralink} as
transitional packages.

We recommend that you upgrade your firmware-nonfree packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams




Re: tiff / CVE-2018-18661

2018-11-12 Thread Ola Lundqvist
Hi Brian

Interesting. I wonder what the fix does differently in this case. It is a
little worrying that it exits with a zero return code, but maybe not major.
On the other hand, if we cannot reproduce the problem maybe it is not worth
patching... Hmm.

// Ola

On Mon, 12 Nov 2018 at 07:24, Brian May  wrote:

> Ola Lundqvist  writes:
>
> > Hi Brian
> >
> > To me it looks like you have been able to reproduce the problem. You
> > clearly get different results with and without the patch indicating
> > that you have in fact triggered the problem. I do not see that you
> > have run the program using a debugger, so are you sure that you did
> > not end up in a crash?
>
> Looks like it is exiting normally to me:
>
> (jessie-amd64-default)root@silverfish:/tmp/brian/tmph6ow42nt/build/amd64#
> gdb tiff2bw
> GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
> Copyright (C) 2014 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
> Type "show configuration" for configuration details.
> For bug reporting instructions, please see:
> .
> Find the GDB manual and other documentation resources online at:
> .
> For help, type "help".
> Type "apropos word" to search for commands related to "word"...
> Reading symbols from tiff2bw...(no debugging symbols found)...done.
> (gdb) set args /tmp/poc /dev/null
> (gdb) r
> Starting program: /usr/bin/tiff2bw /tmp/poc /dev/null
> TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
> LZWDecode: Not enough data at scanline 0 (short 6442004472 bytes).
> TIFFWriteDirectoryTagData: IO error writing tag data.
> [Inferior 1 (process 31103) exited normally]
> (gdb)
> --
> Brian May 
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


[SECURITY] [DLA 1574-1] imagemagick security update

2018-11-12 Thread Thorsten Alteholz

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Package: imagemagick
Version: 8:6.8.9.9-5+deb8u15
CVE ID : CVE-2018-18025


CVE-2018-18025
 Fix for heap-based buffer over-read which can result in a denial of
 service via a crafted file.


For Debian 8 "Jessie", this problem has been fixed in version
8:6.8.9.9-5+deb8u15.

We recommend that you upgrade your imagemagick packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAlvp4YpfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEck7A/9GSxlT3782QgFpYi6NlvFbKIJfulkCHs6Y3Q/P1ViwZl6b/EM7eBxYUhS
z0Tb5OLlb8gSJxEOH7Z+AL4/rC5Epyn8CaDC8v9zofeSW1inrUsmRsZcXQ/k0N3T
pDSlcA9WUGaQ1fMWC/OqMdDXIMLeZncTMjp1awYHaP6trXNb/JM+nvEFPQalkErI
6syzKpGXLmHIEmjQ6TmwxZ0r2AAqEDyU4bPlgxjWh5lB3VfE11li3XRdJE1GFQjZ
+ruFSom67w2aWhXPS72A8HH/2CfUhgJHpJkmsCU1YTOiWdwVmqGnxb6HjXI3mwO3
u8QpRXjLkleILI/FN1+1lJaHFV4efI5GaJZ8BpCCP45r4mVBxhQVJ4sPSshChAk1
KO2g5Xve0ZJLlMMIZPEsXKYMDhge6LFM/RHPxxB7mQB0Eztv4srneQfNQ+s5sZRd
TTy9qPzh08y+cyUtG+M2EjZ9rsNQeBLaEQV25I3MOZ9N2lCD4jJJC/yMChlTdCiN
BFgd5bfP26zTtipwOuEj4fdDn1B9EEilSNiHs/GIJsnIE5ynDu/5dCtJe4SJiibc
lLYAHacdvG71iQXSwvJiDp4kNHL0tQo9PLezozGLBpCED4f3Py6Jckl+EN/8nNEy
5kVeXRWv+illUij4PCH+5IS8jvQJjXnrgGqObzOksca9UgB00yk=
=f4SY
-END PGP SIGNATURE-



Re: the way to enigmail: gnupg 2.1 backport considerations

2018-11-12 Thread Alexander Wirt
On Mon, 12 Nov 2018, Antoine Beaupré wrote:

> Hi,
> 
> So I've been looking at Enigmail again, after a long journey helping
> people in stable getting that stuff fixed. It's pretty obvious there's
> no way to upload that without first doing a GnuPG 2.1 backport into
> jessie.
> 
> That, it turns out, requires *four* more source package
> backports. Fortunately for us, *all* of those are already in
> jessie-backports. They would, unfortunately, probably need to be
> uploaded straight into jessie-security, however, if only for
> consistency's sake.
Not only for consistency, jessie-backports is closed and will (hopefully) get
archived soon. 

Alex
 



the way to enigmail: gnupg 2.1 backport considerations

2018-11-12 Thread Antoine Beaupré
Hi,

So I've been looking at Enigmail again, after a long journey helping
people in stable getting that stuff fixed. It's pretty obvious there's
no way to upload that without first doing a GnuPG 2.1 backport into
jessie.

That, it turns out, requires *four* more source package
backports. Fortunately for us, *all* of those are already in
jessie-backports. They would, unfortunately, probably need to be
uploaded straight into jessie-security, however, if only for
consistency's sake.

That would mean, however, a more or less forced update on the following
libraries in jessie:

 * libassuan (part of GPG, 2.1 -> 2.4)
 * libgcrypt20 (part of GnuTLS, 1.6 -> 1.7)
 * libgpg-error (GPG, 1.17 -> 1.26)
 * npth (GPG, 1.0 -> 1.3)

How should we handle this? I haven't looked at each backport in detail
to see if ABI changes are significant, but the version numbers seem to
indicate they are not (for what that's worth of course).

That said, with minor changes (to keep "gpg" pointing at the legacy 1.4
version, most notably), I've got a GPG 2.1 backport ready for jessie, at
the usual location:

https://people.debian.org/~anarcat/debian/jessie-lts/

I would very much welcome testing of this. There are still some clunky
things in there, for example critical lintian warnings I need to fix. I
haven't even tried to install the thing yet, but I figured I would
share my work early and get feedback before going on a wild goose chase
after the dependencies.

Any feedback appreciated.

Thanks,

A.

-- 
For once you have tasted flight,
You will walk the earth with your eyes turned skyward;
For there you have been,
And there you long to return.
- Leonardo da Vinci



Accepted xen 4.4.4lts4-0+deb8u1 (source all amd64) into oldstable

2018-11-12 Thread Felix Geyer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 12 Nov 2018 12:22:32 +0100
Source: xen
Binary: libxen-4.4 libxenstore3.0 libxen-dev xenstore-utils xen-utils-common 
xen-utils-4.4 xen-hypervisor-4.4-amd64 xen-system-amd64 
xen-hypervisor-4.4-arm64 xen-system-arm64 xen-hypervisor-4.4-armhf 
xen-system-armhf
Architecture: source all amd64
Version: 4.4.4lts4-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Xen Team 
Changed-By: Felix Geyer 
Description:
 libxen-4.4 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-hypervisor-4.4-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.4-arm64 - Xen Hypervisor on ARM64
 xen-hypervisor-4.4-armhf - Xen Hypervisor on ARMHF
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-arm64 - Xen System on ARM64 (meta-package)
 xen-system-armhf - Xen System on ARMHF (meta-package)
 xen-utils-4.4 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore command line utilities for Xen
Changes:
 xen (4.4.4lts4-0+deb8u1) jessie-security; urgency=medium
 .
   * Various security fixes:
 - XSA-252 (CVE-2018-7540)
 - XSA-255 (CVE-2018-7541)
 - XSA-260 (CVE-2018-8897)
 - XSA-264 (CVE-2018-12891)
 - XSA-265 (CVE-2018-12893)
 - XSA-268 (CVE-2018-15469)
 - XSA-272 (CVE-2018-15470)
 - XSA-282
Checksums-Sha1:
 f7614cd3942bafe79e6f3d6f6e922c0e00e12f44 3016 xen_4.4.4lts4-0+deb8u1.dsc
 b182f370650a629604ed056e0a3cfff4e4ec0398 5459798 xen_4.4.4lts4.orig.tar.gz
 5f51c319abf7b22bf8cae7a9b7d90e70538d0e9d 50212 xen_4.4.4lts4-0+deb8u1.debian.tar.xz
 b12de64fc862d1ab815147a5f0926b04d6b69de1 123128 xen-utils-common_4.4.4lts4-0+deb8u1_all.deb
 3532908c743ad0dcf5e8fef8aa57770b049c1477 1694110 xen-hypervisor-4.4-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 3f149c21f94b37ebce441a16d81405dbb654c79d 21840 xen-system-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 a9f618c928e3ac752813c026dcf2ce4ecf3cc0b7 32720 libxenstore3.0_4.4.4lts4-0+deb8u1_amd64.deb
 de6fc34acc3230e5f544f361837e6c253d982bbe 298644 libxen-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 171775b75a1b5f634500c7969458aa7367c6dd31 480412 libxen-dev_4.4.4lts4-0+deb8u1_amd64.deb
 41b7b49b1aa5f8461bf184cef9044cfc4dfee9f9 398748 xen-utils-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 c2c25d6a101cb39e469fb0c86a02bf22e1f2ee6c 28338 xenstore-utils_4.4.4lts4-0+deb8u1_amd64.deb
Checksums-Sha256:
 1ba4ed79956aaaeee8a9bd0508145b31651d4390c2673f1c1521ccd7247151d6 3016 xen_4.4.4lts4-0+deb8u1.dsc
 7feac123634351df9ed63785e5cc22767a5551c9fd0e0558eae2fa8156c6c97d 5459798 xen_4.4.4lts4.orig.tar.gz
 28378d657feac134af03faefba93bc5af5adf18b38d492e5e2c9f2d9e53adfde 50212 xen_4.4.4lts4-0+deb8u1.debian.tar.xz
 228f6425ef2947034833979a35b82cbbdf10731ec23d4c7318c773acf2a5b366 123128 xen-utils-common_4.4.4lts4-0+deb8u1_all.deb
 795511178783762a72019cf4ba8dece1fa81bd5498f02c61b5bf104fb192ac4b 1694110 xen-hypervisor-4.4-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 1210b83d34b4bceb34e0f1773308538b320a0c2827c51aa9fb5fa5e22b00a3b8 21840 xen-system-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 af8e5c28c4c98cb2f30a1de5da6b9a7299428db1ad303f4a4be9fca71a7ceda8 32720 libxenstore3.0_4.4.4lts4-0+deb8u1_amd64.deb
 edef88c725a48b5a31fe9e1f84f082dea9d1b2f9be26619e2201c1a7ffa061e3 298644 libxen-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 8396a554cd6f76dacbdf10d484837d0e2f746db591fd2c234729d9ceaafcf53a 480412 libxen-dev_4.4.4lts4-0+deb8u1_amd64.deb
 59d000d15518ea9900a487e03bcb9a256253427d997a18200e32fe68312b5a7f 398748 xen-utils-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 b09eb471bb988605e83769124aebffc7e56aa841b16017714458d9c994ed5a98 28338 xenstore-utils_4.4.4lts4-0+deb8u1_amd64.deb
Files:
 aaf0561a62b931f8af87435012cf7bee 3016 kernel optional xen_4.4.4lts4-0+deb8u1.dsc
 f08a0786dd2246edd72a3af16c42306d 5459798 kernel optional xen_4.4.4lts4.orig.tar.gz
 80cf8559f31ec619cb5395a6fc9c1d84 50212 kernel optional xen_4.4.4lts4-0+deb8u1.debian.tar.xz
 355598be52d2c95410ec9f621fecc9da 123128 kernel optional xen-utils-common_4.4.4lts4-0+deb8u1_all.deb
 b7291244557550451e532a094978a0ff 1694110 kernel optional xen-hypervisor-4.4-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 07dabcfc4d5ba7b1f94984f01e47c0a0 21840 kernel optional xen-system-amd64_4.4.4lts4-0+deb8u1_amd64.deb
 6c684468a061a3f5fb5e60ad1ec31324 32720 libs optional libxenstore3.0_4.4.4lts4-0+deb8u1_amd64.deb
 2c0aee782d28f313a53b006c31e675fb 298644 libs optional libxen-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 08891ca4878e49af04fc271ce7bdcfd1 480412 libdevel optional libxen-dev_4.4.4lts4-0+deb8u1_amd64.deb
 9ae1214821aee68d875a354ed4f66d25 398748 kernel optional xen-utils-4.4_4.4.4lts4-0+deb8u1_amd64.deb
 8bc7b5bc189a01c50e67c8c49c12b9ca 28338 admin optional xenstore-utils_4.4.4lts4-0+deb8u1_amd64.deb


[SECURITY] [DLA 1576-1] ansible security update

2018-11-12 Thread Chris Lamb
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: ansible
Version: 1.7.2+dfsg-2+deb8u1
CVE ID : CVE-2018-16837
Debian Bug : #912297

It was discovered that there was a potential SSH passphrase disclosure
vulnerability in the ansible configuration management system.

The "User" module leaked data that was passed as a parameter to the
ssh-keygen(1) utility, thus revealing any credentials in cleartext form
in the global process list.

For Debian 8 "Jessie", this issue has been fixed in ansible version
1.7.2+dfsg-2+deb8u1.

We recommend that you upgrade your ansible packages.


Regards,

- -- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

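The advisory's point is that anything placed in a child process's argument vector is readable by every local user through the process list. The example below, added here and not Ansible's code (it does not reproduce the actual ssh-keygen invocation the advisory refers to), launches a hypothetical stand-in tool two ways: with the passphrase on the command line, and with the passphrase written to its stdin over a pipe. While the child is still running, the parent reads /proc/<pid>/cmdline, which is the same data `ps` shows to any user, and checks whether the passphrase is in it. It assumes Linux procfs, with a `ps -o args=` fallback elsewhere; the passphrase is a constructed sample.

```python
"""Show why a secret in argv is visible to every local user, and the stdin
alternative that is not.

Added example, not code from the page or from Ansible. The child program is a
hypothetical stand-in for a tool such as ssh-keygen. Linux procfs assumed.
"""
import subprocess
import sys

# Constructed sample passphrase, not a real credential.
SAMPLE_PASSPHRASE = "hunter2-constructed-sample"

# Hypothetical stand-in tool: takes its passphrase from argv if one is given,
# otherwise from the first line of stdin; then waits for one more line so the
# parent can inspect it while it is still running.
CHILD_SOURCE = r"""
import sys
pw = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip("\n")
sys.stdin.readline()  # block until the parent releases us
print(len(pw))
"""


def visible_cmdline(pid):
    """The argument vector of a running process as any local user sees it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
    except FileNotFoundError:
        # Non-Linux fallback: ps exposes the same information.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True).stdout
        return out.split()


def run_tool(passphrase, via_stdin):
    """Launch the stand-in tool, snapshot its public cmdline, then let it finish.

    Returns (leaked, argv): leaked is True when the passphrase shows up in the
    process list; argv is what the process list exposed.
    """
    argv = [sys.executable, "-c", CHILD_SOURCE]
    if not via_stdin:
        argv.append(passphrase)  # the pattern CVE-2018-16837 is about
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    try:
        if via_stdin:
            proc.stdin.write(passphrase + "\n")  # over a pipe, never in argv
            proc.stdin.flush()
        exposed = visible_cmdline(proc.pid)
        leaked = any(passphrase in arg for arg in exposed)
    finally:
        proc.stdin.write("\n")  # release the child
        proc.stdin.close()
        proc.wait(timeout=10)
    return leaked, exposed


if __name__ == "__main__":
    for via_stdin in (False, True):
        leaked, _ = run_tool(SAMPLE_PASSPHRASE, via_stdin)
        mode = "stdin" if via_stdin else "argv"
        print(f"{mode:5}: passphrase visible in process list = {leaked}")
```

The same check is a cheap audit for any wrapper that shells out with a secret: run it, read the child's cmdline before it exits, and fail the build if the secret is there. Passing secrets over stdin, a file descriptor or a mode-0600 file avoids the exposure; environment variables are only marginally better, since /proc/<pid>/environ is readable by the same user and by root.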



Re: updates on the gnupg/enigmail/thunderbird/firefox situation

2018-11-12 Thread Emilio Pozuelo Monfort
On 11/11/2018 23:18, Antoine Beaupré wrote:
> On 2018-11-11 23:03:07, Emilio Pozuelo Monfort wrote:
>> On 11/11/2018 15:47, Antoine Beaupré wrote:
>>> On 2018-11-11 13:21:05, Emilio Pozuelo Monfort wrote:
 Hi Antoine,

 On 09/11/2018 20:37, Antoine Beaupré wrote:
> On 2018-11-05 16:26:44, Emilio Pozuelo Monfort wrote:
>> Hi,
>>
>> On 30/10/2018 16:46, Antoine Beaupré wrote:
>>> Which brings us to Thunderbird (and Firefox) themselves. The last I
>>> heard of this is that LLVM was NEW in jessie. I wrote Emilio to see if
>>> he needed help on that last week, but haven't got a response. Hopefully
>>> all that work will come to fruition synchronously in a grand fanfare
>>> of uploads all working out perfectly in the end. :)
>>
>> Sorry if I missed your mail. Anyway, here's an update:
>>
>> LLVM (and the necessary deps) were accepted. Unfortunately I ran into some
>> trouble while bootstrapping rustc and cargo. I tried some different ways and
>> finally fixed the first one (bootstrap using upstream binaries). I am uploading
>> the packages now and will follow up with firefox/thunderbird if all goes well.
>
> Just so I see how fast I should be moving on Enigmail, when do you plan
> on uploading Thunderbird?

 The update is ready, and the blocker was an update to stretch, which has already
 happened. So I believe we are ready, and this could happen anytime now.

 However since we don't have a working enigmail, should we delay the update until
 we do? Given the security issues in thunderbird and the fact that the new
 version has a Breaks on the old enigmail, I would say that we can go ahead with
 thunderbird, and enigmail can be fixed asynchronously. However if the update is
 not too far ahead, we could also delay this a bit longer.

 Thoughts?
>>>
>>> I think we could manage a resolution with Enigmail soon enough, and
>>> considering how fast those updates were deployed on stretch, I don't
>>> know if we have a reasonable excuse to delay those in jessie.
>>
>> Just to be clear, with 'those' are you referring to thunderbird, i.e. saying
>> that we should release the update now, and update enigmail asynchronously? That
>> is what I think you meant, but perhaps you were referring to enigmail instead,
>> maybe suggesting that we shouldn't delay the enigmail updates, i.e. we should
>> block the thunderbird update until the enigmail changes are ready.
>>
>> Maybe I'm just being too dense, but if you could clarify which one you meant,
>> I'd appreciate it.
> 
> Sorry for being unclear - I meant that the Thunderbird and Firefox
> updates were deployed quickly, without waiting for Enigmail to be
> ready. So we should do the same with Jessie (upload FF and TB before
> Enigmail) especially since we had a long ways to prepare ourselves and
> indeed have a plan already.

Ack, pushed the new thunderbird now. Let me know if you need any help with the
enigmail / gpg updates.

Cheers,
Emilio



[SECURITY] [DLA 1575-1] thunderbird security update

2018-11-12 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Package: thunderbird
Version: 1:60.3.0-1~deb8u1
CVE ID : CVE-2017-16541 CVE-2018-5156 CVE-2018-5187 CVE-2018-12361
 CVE-2018-12367 CVE-2018-12371 CVE-2018-12376 CVE-2018-12377
 CVE-2018-12378 CVE-2018-12379 CVE-2018-12383 CVE-2018-12385
 CVE-2018-12389 CVE-2018-12390 CVE-2018-12392 CVE-2018-12393

Multiple security issues have been found in Thunderbird: Multiple memory
safety errors and use-after-frees may lead to the execution of arbitrary
code or denial of service.

Debian follows the Thunderbird upstream releases. Support for the 52.x
series has ended, so starting with this update we're now following the
60.x releases.

Between 52.x and 60.x, Thunderbird has undergone significant internal
updates, which makes it incompatible with a number of extensions. For
more information please refer to
https://support.mozilla.org/en-US/kb/new-thunderbird-60

For Debian 8 "Jessie", these problems have been fixed in version
1:60.3.0-1~deb8u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



Accepted thunderbird 1:60.3.0-1~deb8u1 (source amd64 all) into oldstable, oldstable

2018-11-12 Thread Emilio Pozuelo Monfort
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 06 Nov 2018 18:50:50 +0100
Source: thunderbird
Binary: thunderbird thunderbird-dbg lightning calendar-google-provider 
thunderbird-l10n-all thunderbird-l10n-ar thunderbird-l10n-ast 
thunderbird-l10n-be thunderbird-l10n-bg thunderbird-l10n-br thunderbird-l10n-ca 
thunderbird-l10n-cs thunderbird-l10n-cy thunderbird-l10n-da thunderbird-l10n-de 
thunderbird-l10n-dsb thunderbird-l10n-el thunderbird-l10n-en-gb 
thunderbird-l10n-es-ar thunderbird-l10n-es-es thunderbird-l10n-et 
thunderbird-l10n-eu thunderbird-l10n-fi thunderbird-l10n-fr 
thunderbird-l10n-fy-nl thunderbird-l10n-ga-ie thunderbird-l10n-gd 
thunderbird-l10n-gl thunderbird-l10n-he thunderbird-l10n-hr 
thunderbird-l10n-hsb thunderbird-l10n-hu thunderbird-l10n-hy-am 
thunderbird-l10n-id thunderbird-l10n-is thunderbird-l10n-it thunderbird-l10n-ja 
thunderbird-l10n-kab thunderbird-l10n-kk thunderbird-l10n-ko 
thunderbird-l10n-lt thunderbird-l10n-ms thunderbird-l10n-nb-no 
thunderbird-l10n-nl thunderbird-l10n-nn-no thunderbird-l10n-pl 
thunderbird-l10n-pt-br thunderbird-l10n-pt-pt
 thunderbird-l10n-rm thunderbird-l10n-ro thunderbird-l10n-ru 
thunderbird-l10n-si thunderbird-l10n-sk thunderbird-l10n-sl thunderbird-l10n-sq 
thunderbird-l10n-sr thunderbird-l10n-sv-se thunderbird-l10n-tr 
thunderbird-l10n-uk thunderbird-l10n-vi thunderbird-l10n-zh-cn 
thunderbird-l10n-zh-tw lightning-l10n-ar lightning-l10n-ast lightning-l10n-be 
lightning-l10n-bg lightning-l10n-br lightning-l10n-ca lightning-l10n-cs 
lightning-l10n-cy lightning-l10n-da lightning-l10n-de lightning-l10n-dsb 
lightning-l10n-el lightning-l10n-es-ar lightning-l10n-es-es 
lightning-l10n-en-gb lightning-l10n-et lightning-l10n-eu lightning-l10n-fi 
lightning-l10n-fr lightning-l10n-fy-nl lightning-l10n-ga-ie lightning-l10n-gd 
lightning-l10n-gl lightning-l10n-he lightning-l10n-hr lightning-l10n-hsb 
lightning-l10n-hu lightning-l10n-hy-am lightning-l10n-id lightning-l10n-is 
lightning-l10n-it lightning-l10n-ja lightning-l10n-kab lightning-l10n-kk 
lightning-l10n-ko lightning-l10n-ms lightning-l10n-lt
 lightning-l10n-nb-no lightning-l10n-nl lightning-l10n-nn-no lightning-l10n-pl 
lightning-l10n-pt-br lightning-l10n-pt-pt lightning-l10n-rm lightning-l10n-ro 
lightning-l10n-ru lightning-l10n-si lightning-l10n-sk lightning-l10n-sl 
lightning-l10n-sr lightning-l10n-sq lightning-l10n-sv-se lightning-l10n-tr 
lightning-l10n-uk lightning-l10n-vi lightning-l10n-zh-cn lightning-l10n-zh-tw 
icedove icedove-dbg iceowl-extension icedove-l10n-all icedove-l10n-ar 
icedove-l10n-ast icedove-l10n-be icedove-l10n-bg icedove-l10n-br 
icedove-l10n-ca icedove-l10n-cs icedove-l10n-da icedove-l10n-de 
icedove-l10n-dsb icedove-l10n-el icedove-l10n-en-gb icedove-l10n-es-ar 
icedove-l10n-es-es icedove-l10n-et icedove-l10n-eu icedove-l10n-fi 
icedove-l10n-fr icedove-l10n-fy-nl icedove-l10n-ga-ie icedove-l10n-gd 
icedove-l10n-gl icedove-l10n-he icedove-l10n-hr icedove-l10n-hsb 
icedove-l10n-hu icedove-l10n-hy-am icedove-l10n-id icedove-l10n-is 
icedove-l10n-it icedove-l10n-ja icedove-l10n-kab
 icedove-l10n-ko icedove-l10n-lt icedove-l10n-nb-no icedove-l10n-nl 
icedove-l10n-nn-no icedove-l10n-pl icedove-l10n-pt-br icedove-l10n-pt-pt 
icedove-l10n-rm icedove-l10n-ro icedove-l10n-ru icedove-l10n-si icedove-l10n-sk 
icedove-l10n-sl icedove-l10n-sq icedove-l10n-sr icedove-l10n-sv-se 
icedove-l10n-tr icedove-l10n-uk icedove-l10n-vi icedove-l10n-zh-cn 
icedove-l10n-zh-tw iceowl-l10n-ar iceowl-l10n-ast iceowl-l10n-be iceowl-l10n-bg 
iceowl-l10n-br iceowl-l10n-ca iceowl-l10n-cs iceowl-l10n-cy iceowl-l10n-da 
iceowl-l10n-de iceowl-l10n-dsb iceowl-l10n-el iceowl-l10n-en-gb 
iceowl-l10n-es-ar iceowl-l10n-es-es iceowl-l10n-et iceowl-l10n-eu 
iceowl-l10n-fi iceowl-l10n-fr iceowl-l10n-fy-nl iceowl-l10n-ga-ie 
iceowl-l10n-gd iceowl-l10n-gl iceowl-l10n-he iceowl-l10n-hr iceowl-l10n-hsb 
iceowl-l10n-hu iceowl-l10n-hy-am iceowl-l10n-id iceowl-l10n-is iceowl-l10n-it 
iceowl-l10n-ja iceowl-l10n-kab iceowl-l10n-ko iceowl-l10n-lt iceowl-l10n-nb-no 
iceowl-l10n-nl iceowl-l10n-nn-no
 iceowl-l10n-pl iceowl-l10n-pt-br iceowl-l10n-pt-pt iceowl-l10n-rm 
iceowl-l10n-ro iceowl-l10n-ru iceowl-l10n-si iceowl-l10n-sk iceowl-l10n-sl 
iceowl-l10n-sq iceowl-l10n-sr iceowl-l10n-sv-se iceowl-l10n-tr iceowl-l10n-uk 
iceowl-l10n-vi iceowl-l10n-zh-cn
 iceowl-l10n-zh-tw
Architecture: source amd64 all
Version: 1:60.3.0-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Carsten Schoenert 
Changed-By: Emilio Pozuelo Monfort 
Description:
 calendar-google-provider - Google Calendar support for lightning
 icedove - mail/news client with RSS and integrated spam filter support
 icedove-dbg - Debug Symbols for Icedove
 icedove-l10n-all - All language packages for Icedove (meta) - Transitional 
package
 icedove-l10n-ar - Arabic language package for Icedove - Transitional package
 icedove-l10n-ast - Asturian language package for Icedove - Transitional package
 icedove-l10n-be - Belarusian 

Accepted firmware-nonfree 20161130-4~deb8u1 (all source) into oldstable, oldstable

2018-11-12 Thread Ben Hutchings
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 25 Oct 2018 00:57:47 +0100
Source: firmware-nonfree
Binary: firmware-linux firmware-linux-nonfree firmware-adi firmware-ralink 
firmware-amd-graphics firmware-atheros firmware-bnx2 firmware-bnx2x 
firmware-brcm80211 firmware-cavium firmware-intelwimax firmware-intel-sound 
firmware-ipw2x00 firmware-ivtv firmware-iwlwifi firmware-libertas 
firmware-misc-nonfree firmware-myricom firmware-netxen firmware-qlogic 
firmware-realtek firmware-samsung firmware-siano firmware-ti-connectivity
Architecture: all source
Version: 20161130-4~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team 
Changed-By: Ben Hutchings 
Closes: 620066 724970 769633 774914 790061 793544 793874 795303 800090 800440 
800820 801514 802970 803920 808792 816350 823402 823637 826996 832925 833355 
833876 838038 838476 838858 841092 842762 854695 854907 856853 862458 869639 
907320
Description: 
 firmware-adi - Binary firmware for Analog Devices Inc. DSL modem chips (dummmy 
p
 firmware-amd-graphics - Binary firmware for AMD/ATI graphics chips
 firmware-atheros - Binary firmware for Atheros wireless cards
 firmware-bnx2 - Binary firmware for Broadcom NetXtremeII
 firmware-bnx2x - Binary firmware for Broadcom NetXtreme II 10Gb
 firmware-brcm80211 - Binary firmware for Broadcom 802.11 wireless cards
 firmware-cavium - Binary firmware for Cavium Ethernet adapters
 firmware-intel-sound - Binary firmware for Intel sound DSPs
 firmware-intelwimax - Binary firmware for Intel WiMAX Connection
 firmware-ipw2x00 - Binary firmware for Intel Pro Wireless 2100, 2200 and 2915
 firmware-ivtv - Binary firmware for iTVC15-family MPEG codecs (ivtv and 
pvrusb2 d
 firmware-iwlwifi - Binary firmware for Intel Wireless cards
 firmware-libertas - Binary firmware for Marvell wireless cards
 firmware-linux - Binary firmware for various drivers in the Linux kernel 
(meta-pac
 firmware-linux-nonfree - Binary firmware for various drivers in the Linux 
kernel (meta-pac
 firmware-misc-nonfree - Binary firmware for various drivers in the Linux kernel
 firmware-myricom - Binary firmware for Myri-10G Ethernet adapters
 firmware-netxen - Binary firmware for QLogic Intelligent Ethernet (3000 and 
3100 Se
 firmware-qlogic - Binary firmware for QLogic HBAs
 firmware-ralink - Binary firmware for Ralink wireless cards (dummmy package)
 firmware-realtek - Binary firmware for Realtek wired/wifi/BT adapters
 firmware-samsung - Binary firmware for Samsung MFC video codecs
 firmware-siano - Binary firmware for Siano MDTV receivers
 firmware-ti-connectivity - Binary firmware for TI Connectivity wifi and 
BT/FM/GPS adapters
Changes:
 firmware-nonfree (20161130-4~deb8u1) jessie-security; urgency=high
 .
   * Rebuild for jessie:
 - Use linux-support-4.9.0-0.bpo.8
   * Re-add firmware that may be needed under older kernel versions:
 - bnx2x: firmware version 7.8.17.0
 - iwlwifi: firmware ABI 7 and 8
 - ti-connectivity: TI WL18xx default configuration
 .
 firmware-nonfree (20161130-4) stretch; urgency=medium
 .
   * debian/bin/gencontrol.py: Set encoding to UTF-8 globally
   * Add back firmware-{adi,ralink} as transitional packages (Closes: #907320)
   * debian/control: Point Vcs URLs to Salsa
   * Update to linux-support 4.9.0-8
   * firmware-brcm80211: Update Broadcom wifi firmware to fix security issues
 (Closes: #869639):
 - BCM4339 (CVE-2016-0801)
 - BCM4354 (CVE-2016-0801, CVE-2017-0561, CVE-2017-9417, CVE-2017-13077,
   CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081)
 - BCM4356-PCIe (CVE-2016-0801, CVE-2017-0561, CVE-2017-9417,
   CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
   CVE-2017-13081)
 - BCM43340 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
   CVE-2017-13081) (also fixes issues when operating in 5GHz band)
 - BCM43362 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
   CVE-2017-13081)
 - BCM43430 (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080,
   CVE-2017-13081)
 .
 firmware-nonfree (20161130-3~bpo8+1) jessie-backports; urgency=medium
 .
   * Rebuild for jessie-backports:
 - Use linux-support 4.9.0-0.bpo.3
 - debian/bin/gencontrol.py: Copy copyright files as binary, not default-
   encoded text
 .
 firmware-nonfree (20161130-3) unstable; urgency=medium
 .
   * misc-nonfree: Include Intel OPA Gen1 firmware (Closes: #862458)
   * misc-nonfree: Add Intel "Broxton" GuC firmware version 8.7 and
 Intel "Kabylake" GuC firmware version 9.14 (Closes: #854695)
   * iwlwifi: Fix DDC file format for Intel Bluetooth 8260/8265
 (Closes: #854907)
   * amd-graphics: Add radeon/si58_mc.bin (Closes: #856853)
   * Revert "ipw2x00: Downgrade Intel Pro 2200/2915 firwmare to version 3.0"
 (Closes: #833551)
   * Update to linux-support 4.9.0-1
 .
 firmware-nonfree (20161130-2~bpo8+1) jessie-backports; urgency=medium
 .
   *