Re: policykit-1 CVE-2018-19788 in jessie
El 20/12/18 a las 12:57, Moritz Muehlenhoff escribió: > On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote: > > Hi Santiago, > > > > On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote: > > > Dear Maintainers, > > > > > > (It seems my first attempt to send this mail failed. Sorry if you > > > received it twice) > > > > > > As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in > > > jessie. i.e. systemctl correctly doesn't allow me to stop services, and > > > pkexec blocks me from executing applications that need privileges. > > > > I couldn't reproduce in my jessie machine either. > > > > > Do you think is it safe to consider jessie as not-affected? Or is it > > > still worth to apply the patch? > > > > I think its okay to mark as not-affected. > > Don't mark issues as not-affected just because some specific reproducer > doesn't trigger. This should only be done if source code analysis > has shown it to be not affected. Thanks Abhijith and Moritz. For different reasons, and despite the differences with stretch are minimal, I have been unable to carry out a serious source code analysis. I won't be able to actually work on this (including following-up if a reversion/problem arises), so I have unclaimed it. Sorry if it has taken so long. Cheers, S signature.asc Description: PGP signature
testing wireshark for Jessie LTS and Wheezy ELTS
Hi everybody, I uploaded version 1.12.1+g01b65bf-4+deb8u16 of wireshark to: https://people.debian.org/~alteholz/packages/jessie-lts/wireshark/ I also uploaded version 1.12.1+g01b65bf-4+deb8u6~deb7u13 of wireshark to: https://people.debian.org/~alteholz/packages/wheezy-elts/wireshark/ Please give it a try and tell me about any problems you met. The patches concern basically problems with length checks or invalid memory access in different dissectors. This could result in infinite loops or crashes by malicious packets. Thanks and a Happy New Year! Thorsten CVEs fixed in the Jessie version: CVE-2018-19626 CVE-2018-19625 CVE-2018-19624 CVE-2018-19623 CVE-2018-19622 CVE-2018-16058 CVE-2018-16057 CVE-2018-11359 CVE-2018-11357 CVE-2018-11356 CVE-2018-9270 CVE-2018-9269 CVE-2018-9268 CVE-2018-9267 CVE-2018-9265 CVE-2018-9263 CVE-2018-9262 CVE-2018-9260 CVE-2018-9259 CVE-2018-9256 CVE-2018-7420 CVE-2018-7418 CVE-2018-7417 CVE-2018-7336 CVE-2018-7331 CVE-2018-7325 CVE-2018-7324 CVE-2018-7323 CVE-2018-7322 CVE-2018-7746 CVE-2017-17997 CVE-2017-17935 CVE-2017-15191 CVE-2017-13765 CVE-2017-11409 CVE-2017-11407 CVE-2017-11406 CVE-2017-9766 CVE-2017-7747 CVE-2017-7703 CVE-2017-7700 CVEs fixed in the Wheezy version: CVE-2018-19626 CVE-2018-19625 CVE-2018-19624 CVE-2018-19623 CVE-2018-19622 CVE-2018-16058 CVE-2018-16057 CVE-2018-11359 CVE-2018-11357 CVE-2018-11356 CVE-2018-9262 CVE-2018-9259 CVE-2018-9256 CVE-2018-7746 CVE-2018-7331 CVE-2018-7325 CVE-2017-17997 CVE-2017-17935 CVE-2017-15191 CVE-2017-13765 CVE-2017-11409 CVE-2017-11407 CVE-2017-11406 CVE-2017-9766 CVE-2017-7747 CVE-2017-7703
[SECURITY] [DLA 1622-1] debian-security-support security update
Package: debian-security-support Version: 2018.11.25~deb8u2 debian-security-support, the Debian security support coverage checker, has been updated in jessie. The jessie relevant changes are: * Mark jasperreports as end-of-life in Jessie. * Mark webkit2gtk as unsupported in all releases. (Closes: #914567) * Mark jruby in jessie as end-of-life as per DSA-4219-1 (Closes: #901032) * Mark vlc in jessie as end-of-life as per DSA 4203-1 * mark frontaccounting as unsupported * Mark redmine as end-of-life for Debian 8 (jessie) (Closes: #897609) For Debian 8 "Jessie", the package version is 2018.11.25~deb8u2. We recommend that you upgrade your debian-security-support packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature
Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Salvatore, On Sun, Dec 30, 2018 at 09:38:57AM +0100, Salvatore Bonaccorso wrote: > > There is an alternative approach wich was raised by Magnus in the > respective bug: https://bugs.debian.org/914632#12 (and see followup > from Moritz). > I suppose I should have looked more carefully at the bugs associatd with CVE-2018-19518 and subscribed to this one. Thank you for pointing it out to me. The suggestion from Magnus is certainly less likely than mine to allow for a future exploit of the same mechanism via different means. Magnus, Would you prefer to handle the jessie update? If not, I will wait until you have patch ready and I can build/upload for jessie and release the corresponding advisory. Regards, -Roberto -- Roberto C. Sánchez
Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Unsubscribe me please On December 30, 2018 1:38:57 AM MST, Salvatore Bonaccorso wrote: >Hi Roberto, > >On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: >> On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: >> > [note: I am not subscribed to debian-security; please keep me or >> > debian-lts addressed on replies] >> > >> > If this seems like a sensible approach, I propose to apply the >attached >> > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid >version) >> > to create version 8:2007f~dfsg-6 for upload to sid and eventual >> > inclusion in stretch (perhaps via a point release) and then also in >> > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to >jessie. >> > >> > Please reply with your comments. In particular, feedback from the >> > security team on the appropriateness of this for a stable point >release >> > and my suggested route for the update to take to get there would be >very >> > useful. >> > >> >> Hi all, >> >> Since Tomas and Ola have reviewed the patch and we have had some >> discussion which makes it seem like this is the most sensible >approach >> to the vulnerability given the constraints, I wonder if the Security >> team could weigh in. >> >> I have forwarded my initial message and the patch to Magnus Holngren >> (the uw-imap maintainer) and also added him as a recipient of this >> message, as he may wish to be the one to upload to unstable and >> coordinate the future point release inclusion. >> >> I ask for some indication now from the security team and/or the >> maintainer since I don't think it makes sense to fix this only in >jessie >> and not in stretch/buster/sid. > >There is an alternative approach wich was raised by Magnus in the >respective bug: https://bugs.debian.org/914632#12 (and see followup >from Moritz). > >Regards, >Salvatore -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
LTS report for December 2018 - Abhijith PA
December 2018 was my 11th month as a Debian LTS paid contributor. I was assigned 8 hours and I spend all of them for the following: * pdns/pdns-recursor: Spend some time working on CVE-2018-10851. But it will going to be a no-DSA as it was. * libvncserver: Fixed CVE-2018-15127, CVE-2018-20019, CVE-2018-20020, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024 and CVE-2018-6307. Uploaded and released DLA[1]. Also marked CVE-2018-15126 as not affected. * libraw: Started working on very old CVEs. Also uploaded libphp-phpmailer to fix a possible regression.[2] Regards Abhijith PA [1] - https://lists.debian.org/debian-lts-announce/2018/12/msg00017.html [2] - https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html
Re: RFC: proposed fix for CVE-2018-19518 in uw-imap
Hi Roberto, On Sat, Dec 29, 2018 at 10:24:40AM -0500, Roberto C. Sánchez wrote: > On Sat, Dec 22, 2018 at 10:27:18PM -0500, Roberto C. Sánchez wrote: > > [note: I am not subscribed to debian-security; please keep me or > > debian-lts addressed on replies] > > > > If this seems like a sensible approach, I propose to apply the attached > > patch to uw-imap 8:2007f~dfsg-5 (the current stretch/buster/sid version) > > to create version 8:2007f~dfsg-6 for upload to sid and eventual > > inclusion in stretch (perhaps via a point release) and then also in > > parallel create a 8:2007f~dfsg-4+deb8u1 package for upload to jessie. > > > > Please reply with your comments. In particular, feedback from the > > security team on the appropriateness of this for a stable point release > > and my suggested route for the update to take to get there would be very > > useful. > > > > Hi all, > > Since Tomas and Ola have reviewed the patch and we have had some > discussion which makes it seem like this is the most sensible approach > to the vulnerability given the constraints, I wonder if the Security > team could weigh in. > > I have forwarded my initial message and the patch to Magnus Holngren > (the uw-imap maintainer) and also added him as a recipient of this > message, as he may wish to be the one to upload to unstable and > coordinate the future point release inclusion. > > I ask for some indication now from the security team and/or the > maintainer since I don't think it makes sense to fix this only in jessie > and not in stretch/buster/sid. There is an alternative approach wich was raised by Magnus in the respective bug: https://bugs.debian.org/914632#12 (and see followup from Moritz). Regards, Salvatore
