Re: Support for ckeditor3 in Debian
Hi Moritz, Salvatore, Sylvain,

On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:

> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
>
> While this is discouraged in general, we could opt here for this, to avoid that ckeditor3 might get additional users outside of php-horde-editor. This would also mean that only those bits of ckeditor3 which are actually used by Horde need to be updated.
>
> Cheers,
> Moritz

I read that embedding is ok with the security team for the exceptional case php-horde-editor. I will put this on my todo list for the next Horde update round (which is already overdue).

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Support for ckeditor3 in Debian
Hi all,

On Sat 21 May 2022 10:25:35 CEST, Sylvain Beucler wrote:

> Hi all,
>
> On 12/05/2022 08:35, Mike Gabriel wrote:
> > On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
> > > On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
> > > > Now, php-horde-editor is the only rdepends of ckeditor3.
> > > >
> > > > IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well and in particular try to get a picture how those known to affect ckeditor3 impact php-horde-editor. Some might be for instance negligible in context of php-horde-editor specifically.
> > > >
> > > > Just an idea, and not necessarily right now already the security team view: Depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.
> >
> > This sounds good to me.
>
> To get a clearer view, I associated ckeditor CVEs to ckeditor3, excluding those that are clearly specific to v4 or v5, and marking them when possible:
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4
>
> I think all vulnerabilities apply to ckeditor3 in the context of php-horde-editor, as I didn't witness any particular limitation in the way it's loaded.
>
> A few of them can be fixed, most of them (as with ckeditor4) are too unclear, and (unlike ckeditor4) we don't have the option to bump to a new upstream release.
>
> I believe we can either mark ckeditor3 as end-of-life, or maybe add it to debian-security-support:security-support-limited (best effort), what do you think?
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team

as I have a company interest in Horde and thus in ckeditor3, I'd be happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in unstable needs the same love as in LTS. And we are currently working on upgrading the company mailserver.

The extra funding from DAS-NETZWERKTEAM could either be directly invoiced to me by the LTS contributor or funding could be piped through Freexian if they can go with that and see that as a requirement. So, ping@Raphael? I have something like 4-6 hours in mind. What is your preferred way of handling individual package funding such as described above?

Greets,
Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel
Re: Support for ckeditor3 in Debian
Hi all,

On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
> Hello Salvatore,
>
> On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
> > On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> > > Hello Security Team,
> > >
> > > I'm currently checking 'ckeditor' (v4), an HTML editor for web applications, currently v4), for vulnerabilities to fix.
> > > (I may send a separate e-mail about this later)
> > >
> > > I noted that 'ckeditor3' (re-introduced as a dependency to horde in 2016) did not reference any vulnerabilities. A quick check showed that it contains vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
> > > https://security-tracker.debian.org/tracker/source-package/ckeditor3
> > >
> > > Do you think we should tag 'ckeditor3' with confirmed CVEs from 'ckeditor'? Or mark it as end-of-life?
> >
> > Thanks for spotting this.
> >
> > Do we know something about php-horde-editor's compatibility with ckeditor version 4? I assume it's still incompatible and we either would need to use the embedded copy or ckeditor3 in the archive. There was only one upstream version following the introduction of ckeditor3.
>
> It seems the situation didn't change.

Technically, the situation hasn't changed. ckeditor3 works very well in Horde, whereas API changes in ckeditor4 block a direct replacement of ckeditor3. That is the main reason why I reintroduced the removed ckeditor3 in 2020. At the same time, I noted in d/changelog that the reintroduction of ckeditor3 was supposed to be an interim solution. We are still, well..., in the interim, at the moment. Sorry for no progress on this part.

Horde upstream is normally quite active regarding maintenance support and Horde normally receives CVE fixes very promptly. However, ckeditor3 is not on the Horde devs' radar, I assume. At the same time, there is currently no heavy development going on in the Horde project, so a port of php-horde-editor to ckeditor4 (or later) does not have any ETA.

> php-horde-editor used to depend on ckeditor4 in jessie but this caused issues and was reverted to ckeditor3:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769031

Indeed.

> AFAICS upstream is still using 3.6.6:
> https://github.com/horde/Editor/tree/master/js/ckeditor

Yep.

> > Now, php-horde-editor is the only rdepends of ckeditor3.
> >
> > IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well and in particular try to get a picture how those known to affect ckeditor3 impact php-horde-editor. Some might be for instance negligible in context of php-horde-editor specifically.
> >
> > Just an idea, and not necessarily right now already the security team view: Depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.

This sounds good to me.

> > And I wonder if it should be a goal to try to get rid of ckeditor3 again for the bookworm release, which we still would be in time. Removing does not seem to be feasible right now, as the php-horde framework depends with the php-horde-core, php-horde-imp and php-horde-gollem in some form from the editor.

Removing php-horde-editor/ckeditor3 would remove the WYSIWYG editor from Horde's webmailer (which people around me use and like). I will make Horde upstream aware of this thread and discuss with them how doable a ckeditor4 (or later) port would be.

> > Inputs, Ideas?
>
> This sounds sensible to me, but since I'm no Horde expert I'm adding Mike and Juri in Cc so they can provide their thoughts on a way forward.

Please also note that Horde still needs love regarding the PHP8 transition. I have this on my radar and will get this resolved over the summer. Currently, due to paid work, my system shows ENOTIME for this.

Thanks for bringing up this topic,
Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel, Herweg 7, 24357 Fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x9AF46B3025771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: ruby-rails update destroy redmine issue number linking
Hi Sylvain,

On Mon 31 Aug 2020 12:34:07 CEST, Sylvain Beucler wrote:

> Hi all,
>
> On 03/08/2020 16:43, Utkarsh Gupta wrote:
> > On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
> > > This version is now impacted by new security issues, such as CVE-2020-8163, so I would recommend upgrading anyway. There is no place to upload a new version (in particular, not in ELTS where neither rails nor redmine are supported),
> >
> > This is not part of Debian per-se, but rails was recently added back to the list of supported packages in ELTS.
>
> Mike (in Cc:) claimed the next upload, so this is an opportunity to address a possible regression in CVE-2020-8164/CVE-2020-8165.
>
> Cheers!
> Sylvain

thanks for Cc:ing me! Will take a look into issues tackled above.

Greets,
Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel
[SECURITY] [DLA 2356-1] freerdp security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2356-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 30, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : freerdp
Version        : 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u4
CVE ID         : CVE-2014-0791 CVE-2020-11042 CVE-2020-11045 CVE-2020-11046
                 CVE-2020-11048 CVE-2020-11058 CVE-2020-11521 CVE-2020-11522
                 CVE-2020-11523 CVE-2020-11525 CVE-2020-11526 CVE-2020-13396
                 CVE-2020-13397 CVE-2020-13398

Several vulnerabilities have been reported against FreeRDP, an Open Source server and client implementation of the Microsoft RDP protocol.

CVE-2014-0791

    An integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP allowed remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.

CVE-2020-11042

    In FreeRDP there was an out-of-bounds read in update_read_icon_info. It allowed reading an attacker-defined amount of client memory (32bit unsigned -> 4GB) to an intermediate buffer. This could have been used to crash the client or store information for later retrieval.

CVE-2020-11045

    In FreeRDP there was an out-of-bound read in update_read_bitmap_data that allowed client memory to be read to an image buffer. The result displayed on screen as colour.

CVE-2020-11046

    In FreeRDP there was a stream out-of-bounds seek in update_read_synchronize that could have led to a later out-of-bounds read.

CVE-2020-11048

    In FreeRDP there was an out-of-bounds read. It only allowed to abort a session. No data extraction was possible.

CVE-2020-11058

    In FreeRDP, a stream out-of-bounds seek in rdp_read_font_capability_set could have led to a later out-of-bounds read. As a result, a manipulated client or server might have forced a disconnect due to an invalid data read.

CVE-2020-11521

    libfreerdp/codec/planar.c in FreeRDP had an Out-of-bounds Write.

CVE-2020-11522

    libfreerdp/gdi/gdi.c in FreeRDP had an Out-of-bounds Read.

CVE-2020-11523

    libfreerdp/gdi/region.c in FreeRDP had an Integer Overflow.

CVE-2020-11525

    libfreerdp/cache/bitmap.c in FreeRDP had an Out of bounds read.

CVE-2020-11526

    libfreerdp/core/update.c in FreeRDP had an Out-of-bounds Read.

CVE-2020-13396

    An out-of-bounds (OOB) read vulnerability has been detected in ntlm_read_ChallengeMessage in winpr/libwinpr/sspi/NTLM/ntlm_message.c.

CVE-2020-13397

    An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value.

CVE-2020-13398

    An out-of-bounds (OOB) write vulnerability has been detected in crypto_rsa_common in libfreerdp/crypto/crypto.c.

For Debian 9 stretch, these problems have been fixed in version 1.1.0~git20140921.1.440916e+dfsg1-13+deb9u4.

We recommend that you upgrade your freerdp packages.

For the detailed security status of freerdp please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/freerdp

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 2352-1] php-horde-gollem security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2352-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 29, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-horde-gollem
Version        : 3.0.10-1+deb9u2
CVE ID         : CVE-2017-15235

The File Manager (gollem) module in Horde Groupware has allowed remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponded to the exact filename.

For Debian 9 stretch, this problem has been fixed in version 3.0.10-1+deb9u2.

We recommend that you upgrade your php-horde-gollem packages.

For the detailed security status of php-horde-gollem please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-gollem

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2350-1] php-horde-kronolith security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2350-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 29, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-horde-kronolith
Version        : 4.2.19-1+deb9u1
CVE ID         : CVE-2017-16908
Debian Bug     : 909738

In Horde Groupware, there has been an XSS via the Name field during creation of a new Resource. This could have been leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.

For Debian 9 stretch, this problem has been fixed in version 4.2.19-1+deb9u1.

We recommend that you upgrade your php-horde-kronolith packages.

For the detailed security status of php-horde-kronolith please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-kronolith

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2348-1] php-horde-core security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2348-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 29, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-horde-core
Version        : 2.27.6+debian1-2+deb9u1
CVE ID         : CVE-2017-16907
Debian Bug     : 909800

In Horde Groupware, there has been an XSS vulnerability in two components via the Color field in a Create Task List action.

For Debian 9 stretch, this problem has been fixed in version 2.27.6+debian1-2+deb9u1.

We recommend that you upgrade your php-horde-core packages.

For the detailed security status of php-horde-core please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde-core

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2349-1] php-horde security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2349-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 29, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : php-horde
Version        : 5.2.13+debian0-1+deb9u3
CVE ID         : CVE-2017-16907
Debian Bug     : 909739

In Horde Groupware, there has been an XSS vulnerability in two components via the Color field in a Create Task List action.

For Debian 9 stretch, this problem has been fixed in version 5.2.13+debian0-1+deb9u3.

We recommend that you upgrade your php-horde packages.

For the detailed security status of php-horde please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php-horde

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2347-1] libvncserver security update
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2347-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Mike Gabriel
August 28, 2020                               https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libvncserver
Version        : 0.9.11+dfsg-1.3~deb9u5
CVE ID         : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400
                 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404
                 CVE-2020-14405

Several minor vulnerabilities have been discovered in libvncserver, a server and client implementation of the VNC protocol.

CVE-2019-20839

    libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket filename.

CVE-2020-14397

    libvncserver/rfbregion.c has a NULL pointer dereference.

CVE-2020-14399

    Byte-aligned data was accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: This issue has been disputed by third parties; there is reportedly "no trust boundary crossed".

CVE-2020-14400

    Byte-aligned data was accessed through uint16_t pointers in libvncserver/translate.c. NOTE: This issue has been disputed by third parties. There is no known path of exploitation or cross of a trust boundary.

CVE-2020-14401

    libvncserver/scale.c had a pixel_value integer overflow.

CVE-2020-14402

    libvncserver/corre.c allowed out-of-bounds access via encodings.

CVE-2020-14403

    libvncserver/hextile.c allowed out-of-bounds access via encodings.

CVE-2020-14404

    libvncserver/rre.c allowed out-of-bounds access via encodings.

CVE-2020-14405

    libvncclient/rfbproto.c did not limit TextChat size.

For Debian 9 stretch, these problems have been fixed in version 0.9.11+dfsg-1.3~deb9u5.

We recommend that you upgrade your libvncserver packages.

For the detailed security status of libvncserver please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libvncserver

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2268-2] mutt regression update
Package        : mutt
Version        : 1.5.23-3+deb8u3
CVE ID         : CVE-2020-14093 CVE-2020-14954
Debian Bug     :

Two vulnerabilities have been discovered in mutt, a console email client.

CVE-2020-14093

    Mutt allowed an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.

CVE-2020-14954

    Mutt had a STARTTLS buffering issue that affected IMAP, SMTP, and POP3. When a server had sent a "begin TLS" response, the client read additional data (e.g., from a man-in-the-middle attacker) and evaluated it in a TLS context, aka "response injection."

In Debian jessie, the mutt source package builds two variants of mutt: mutt and mutt-patched. The previous package version (1.5.23-3+deb8u2, DLA-2268-1) provided fixes for the issues referenced above, but they were only applied for the mutt-patched package build, not for the (vanilla) mutt package build.

For Debian 8 "Jessie", this problem has been fixed in version 1.5.23-3+deb8u3.

We recommend that you upgrade your mutt packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2268-1] mutt security update
Package        : mutt
Version        : 1.5.23-3+deb8u2
CVE ID         : CVE-2020-14093 CVE-2020-14954
Debian Bug     : 962897

Two vulnerabilities have been discovered in mutt, a console email client.

CVE-2020-14093

    Mutt allowed an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.

CVE-2020-14954

    Mutt had a STARTTLS buffering issue that affected IMAP, SMTP, and POP3. When a server had sent a "begin TLS" response, the client read additional data (e.g., from a man-in-the-middle attacker) and evaluated it in a TLS context, aka "response injection."

For Debian 8 "Jessie", these problems have been fixed in version 1.5.23-3+deb8u2.

We recommend that you upgrade your mutt packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
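The STARTTLS buffering issue behind CVE-2020-14954 (described in DLA-2268-1 above and again in the DLA-2268-2 regression notice) is a client-side state problem rather than a TLS flaw: plaintext bytes that arrive in the same segment as the server's "begin TLS" response stay in the client's read buffer and are later parsed as if they had come through the encrypted session. The model below is an added example, not mutt's code or its upstream patch; it replays a constructed IMAP exchange through a buffered reader, with the transport and the TLS upgrade simulated in memory, and shows the flawed behaviour beside the general mitigation (refuse to continue when plaintext is still buffered at the moment of the upgrade).

```python
"""Model of the STARTTLS buffering flaw class behind CVE-2020-14954.

Added example, not mutt's code or patch.  The transport is an in-memory byte
stream and the TLS upgrade is a flag: the flaw is about what the client does
with bytes it had already buffered when the handshake started, not about TLS.
"""
from dataclasses import dataclass, field
from typing import List


class ResponseInjection(Exception):
    """Plaintext bytes were buffered past the server's STARTTLS response."""


@dataclass
class BufferedConn:
    plain: bytes          # constructed bytes seen before the TLS handshake
    secure: bytes         # constructed bytes the real server sends inside TLS
    pos: int = 0
    buf: bytearray = field(default_factory=bytearray)
    tls: bool = False

    def _recv(self, n: int = 4096) -> bytes:
        src = self.secure if self.tls else self.plain
        chunk = src[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def readline(self) -> bytes:
        # Buffered read: a single recv() may pull several lines into self.buf.
        # That read-ahead is what lets plaintext appended to the STARTTLS
        # response survive into the "encrypted" phase.
        while b"\r\n" not in self.buf:
            chunk = self._recv()
            if not chunk:
                break
            self.buf += chunk
        end = self.buf.find(b"\r\n")
        cut = len(self.buf) if end < 0 else end + 2
        line = bytes(self.buf[:cut])
        del self.buf[:cut]
        return line

    def start_tls(self, strict: bool) -> None:
        # strict=True is the mitigation: anything still buffered at this point
        # arrived in plaintext and must not be treated as TLS-protected.
        if strict and self.buf:
            raise ResponseInjection(bytes(self.buf))
        self.tls = True
        self.pos = 0      # later reads come from the TLS-protected stream


def imap_starttls(conn: BufferedConn, strict: bool) -> List[bytes]:
    """Drive the IMAP STARTTLS exchange; return the first lines the client
    then treats as TLS-protected.  The client->server side is omitted."""
    greeting = conn.readline()
    if not greeting.startswith(b"* OK"):
        raise ValueError("unexpected greeting")
    while True:                              # client has sent: a001 STARTTLS
        line = conn.readline()
        if not line:
            raise ValueError("connection closed before tagged response")
        if line.startswith(b"a001 "):
            break                            # untagged lines before it are legal
    if not line.startswith(b"a001 OK"):
        raise ValueError("STARTTLS refused")
    conn.start_tls(strict)
    protected = []
    for _ in range(2):
        line = conn.readline()
        if line:
            protected.append(line)
    return protected


# Constructed traffic.  INJECTED appends a plaintext line to the same segment
# as the tagged OK; GENUINE is what the real server says once TLS is up.
GREETING = b"* OK IMAP4rev1 ready\r\n"
BEGIN_TLS = b"a001 OK Begin TLS negotiation now\r\n"
INJECTED = GREETING + BEGIN_TLS + b"* OK [ALERT] injected plaintext\r\n"
CLEAN = GREETING + BEGIN_TLS
GENUINE = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"


def demo():
    """Returns (lines the flawed client trusts, verdict of the fixed client on
    the injected stream, lines the fixed client trusts on a clean stream)."""
    flawed = imap_starttls(BufferedConn(INJECTED, GENUINE), strict=False)
    try:
        imap_starttls(BufferedConn(INJECTED, GENUINE), strict=True)
        verdict = "accepted"
    except ResponseInjection:
        verdict = "rejected"
    clean = imap_starttls(BufferedConn(CLEAN, GENUINE), strict=True)
    return flawed, verdict, clean


if __name__ == "__main__":
    for label, value in zip(("flawed", "fixed/injected", "fixed/clean"), demo()):
        print(label, value)
```

The flawed client reports the injected plaintext as its first "protected" line; the strict client aborts on the injected stream and behaves identically to the flawed one on a clean stream, which is the property a regression test for this class of bug should pin down.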
[SECURITY] [DLA 2265-1] mailman security update
Package        : mailman
Version        : 1:2.1.18-2+deb8u7
CVE ID         : CVE-2020-15011
Debian Bug     :

GNU Mailman allowed arbitrary content injection via the Cgi/private.py private archive login page.

For Debian 8 "Jessie", this problem has been fixed in version 1:2.1.18-2+deb8u7.

We recommend that you upgrade your mailman packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2264-1] libvncserver security update
Package        : libvncserver
Version        : 0.9.9+dfsg2-6.1+deb8u8
CVE ID         : CVE-2019-20839 CVE-2020-14397 CVE-2020-14399 CVE-2020-14400
                 CVE-2020-14401 CVE-2020-14402 CVE-2020-14403 CVE-2020-14404
                 CVE-2020-14405
Debian Bug     :

Several vulnerabilities have been discovered in libVNC (libvncserver Debian package), an implementation of the VNC server and client protocol.

CVE-2019-20839

    libvncclient/sockets.c in LibVNCServer had a buffer overflow via a long socket filename.

CVE-2020-14397

    libvncserver/rfbregion.c had a NULL pointer dereference.

CVE-2020-14399

    Byte-aligned data was accessed through uint32_t pointers in libvncclient/rfbproto.c.

CVE-2020-14400

    Byte-aligned data was accessed through uint16_t pointers in libvncserver/translate.c.

CVE-2020-14401

    libvncserver/scale.c had a pixel_value integer overflow.

CVE-2020-14402

    libvncserver/corre.c allowed out-of-bounds access via encodings.

CVE-2020-14403

    libvncserver/hextile.c allowed out-of-bounds access via encodings.

CVE-2020-14404

    libvncserver/rre.c allowed out-of-bounds access via encodings.

CVE-2020-14405

    libvncclient/rfbproto.c does not limit TextChat size.

For Debian 8 "Jessie", these problems have been fixed in version 0.9.9+dfsg2-6.1+deb8u8.

We recommend that you upgrade your libvncserver packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon 29 Jun 2020 12:07:31 CEST, Holger Levsen wrote:

> - DLA 2230-1 (reserved by Mike Gabriel)

Ouch. Here it is:
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/504

Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel
Re: EOL'ing freerdp (v.1.1) for jessie and stretch
Hi again,

On Mon 01 Jun 2020 12:55:02 CEST, Mike Gabriel wrote:

> * CVE-fix freerdp2 in buster

for the record... the first round of CVE fixes has just been uploaded to buster:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961978

Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel
EOL'ing freerdp (v.1.1) for jessie and stretch
Hi all,

Currently, we have tons of CVE issues open for FreeRDP (v1.1) regarding jessie+stretch:
https://security-tracker.debian.org/tracker/source-package/freerdp

And the same set of CVEs for FreeRDP v2 for buster and testing/unstable:
https://security-tracker.debian.org/tracker/source-package/freerdp2

All issues have been esp. filed against FreeRDP v2 and proposed patches are also applicable against FreeRDP v2. Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable effort. IMHO, we should think about avoiding this.

With the end of jessie LTS and the upcoming of stretch LTS, I'd like to propose the following changes for FreeRDP in old versions of Debian:

  * EOL freerdp 1.1 for jessie (E)LTS
    -> impacts: jessie ELTS won't have any version of FreeRDP

  * consider EOL'ing freerdp 1.1 for stretch LTS
    -> impacts: ltsp-client (easy to resolve, it can use freerdp2)
    -> impacts: medusa (resolve by dropping freerdp support)
    -> impacts: vlc-plugin-access-extra (drop freerdp support)

  * CVE-fix freerdp2 in buster

  * consider shipping freerdp2 for stretch LTS (as found in buster / stretch-backports)
    -> impacts: remmina (ship buster's / stretch-backports version)

Please send your thoughts and feedback on this!

Thanks+Greets,
Mike

-- 
DAS-NETZWERKTEAM
Mike Gabriel
[SECURITY] [DLA 2230-1] php-horde security update
Package        : php-horde
Version        : 5.2.1+debian0-2+deb8u6
CVE ID         : CVE-2020-8035

The image view functionality in Horde Groupware Webmail Edition was affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker could have obtained access to a victim's webmail account by making them visit a malicious URL.

For Debian 8 "Jessie", this problem has been fixed in version 5.2.1+debian0-2+deb8u6.

We recommend that you upgrade your php-horde packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2229-1] php-horde-gollem security update
Package        : php-horde-gollem
Version        : 3.0.3-2+deb8u1
CVE ID         : CVE-2020-8034
Debian Bug     : 961649

Gollem, as used in Horde Groupware Webmail Edition and other products, had been affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker could have obtained access to a victim's webmail account by making them visit a malicious URL.

For Debian 8 "Jessie", this problem has been fixed in version 3.0.3-2+deb8u1.

We recommend that you upgrade your php-horde-gollem packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2228-1] json-c security update
Package        : json-c
Version        : 0.11-4+deb8u1
CVE ID         : CVE-2020-12762
Debian Bug     : 960326

The json-c shared library had an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

For Debian 8 "Jessie", this problem has been fixed in version 0.11-4+deb8u1.

We recommend that you upgrade your json-c packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
[SECURITY] [DLA 2222-1] libexif security update
Package        : libexif
Version        : 0.6.21-2+deb8u3
CVE ID         : CVE-2018-20030 CVE-2020-13112 CVE-2020-13113 CVE-2020-13114
Debian Bug     : 918730 961407 961409 961410

Various minor vulnerabilities have been addressed in libexif, a library to parse EXIF metadata files.

CVE-2018-20030

    This issue had already been addressed via DLA-2214-1. However, upstream provided an updated patch, so this has been followed up on.

CVE-2020-13112

    Several buffer over-reads in EXIF MakerNote handling could have led to information disclosure and crashes. This issue is different from already resolved CVE-2020-0093.

CVE-2020-13113

    Use of uninitialized memory in EXIF Makernote handling could have led to crashes and potential use-after-free conditions.

CVE-2020-13114

    An unrestricted size in handling Canon EXIF MakerNote data could have led to consumption of large amounts of compute time for decoding EXIF data.

For Debian 8 "Jessie", these problems have been fixed in version 0.6.21-2+deb8u3.

We recommend that you upgrade your libexif packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

-- 
mike gabriel aka sunweaver (Debian Developer)
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh,

On Mon 25 May 2020 14:15:43 CEST, Hugh McMaster wrote:

> Hi Mike,
>
> On Mon, 25 May 2020 at 14:21, Hugh McMaster wrote:
> > On Mon, 25 May 2020 at 00:55, Adam D. Barratt wrote:
> > > Personally, it probably makes more sense for the new stretch version to be +deb9u3, built on top of the already uploaded package (and similar for buster) with a second release.d.o bug describing the new fixes. You /can/ re-use the version if that would be preferable, as the package is still in (old)stable-new right now, but that will require a reject+reupload cycle, and presumably corresponding re-tag on the git side.
> >
> > Good to know, but by the sound of things, incrementing is going to be cleaner and quicker.
> >
> > I've prepared debdiffs for Jessie (0.6.21-2+deb9u3), Stretch (0.6.21-2+deb9u3) and Buster (0.6.21-5.1+deb10u3) with fixes for the three new CVEs. If you have time, I'd appreciate your help in once again uploading and completing the relevant documentation.
>
> Please note: I've replaced one of the CVE patches added to Jessie in the previous release because I included the wrong patch by mistake.
>
> I'm following Adam's suggestion and incrementing the Debian package version. I will also submit bugs for Stretch and Buster.
>
> Thanks,
> Hugh

I'll take a look tonight (or tomorrow). Thanks for working on the updates.

Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh, On Di 19 Mai 2020 13:24:45 CEST, Hugh McMaster wrote: Hi Mike, On Tue, 19 May 2020 at 00:37, Mike Gabriel wrote: On Mo 18 Mai 2020 16:14:39 CEST, Hugh McMaster wrote: > [...] > In many ways, the debdiff for Jessie is the same for Stretch. The > Developers Reference says SRUs need bug numbers and more detail in the > changelog, so I’ll get that ready. Excellent! I've prepared debdiffs targeting stretch and buster. Please let me know if anything needs to be changed. Hugh Sorry for the delay. I have uploaded +deb9u2 and +deb10u2 of libexif now. I will write the SRU acceptance request bugs this afternoon. Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpawAl5S0klm.pgp Description: Digitale PGP-Signatur
Re: [Pkg-phototools-devel] Jessie update of libexif?
Dear Hugh, (re-including debian-lts) On Mo 18 Mai 2020 16:14:39 CEST, Hugh McMaster wrote: [...] In many ways, the debdiff for Jessie is the same for Stretch. The Developers Reference says SRUs need bug numbers and more detail in the changelog, so I’ll get that ready. Excellent! Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpLw78UHtHn8.pgp Description: Digitale PGP-Signatur
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh, On Mo 18 Mai 2020 06:22:32 CEST, Mike Gabriel wrote: Hi Hugh, On So 17 Mai 2020 10:30:30 CEST, Hugh McMaster wrote: Hi Mike and LTS team, On Thu, 14 May 2020 at 15:42, Mike Gabriel wrote: The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif: https://security-tracker.debian.org/tracker/CVE-2020-12767 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. I currently maintain libexif but am not a DD, so I can't upload the binary packages as per your workflow. I've prepared a debdiff covering all outstanding CVEs and two instances of undefined behaviour. Internal tests pass at build time. The patches are the same as those used in Sid, as the upstream version has not changed. Hope this helps. Please let me know if you need anything else. Feel free to adjust the changelog. Hugh I just reviewed your .debdiff. Thanks for the backporting of all those CVEs. libexif 0.6.21-2+deb8u2 has arrived in jessie-security. Paperwork for jessie LTS (DLA announcement mail, Debian website update, security-tracker update) has been done. Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpL4g_xbsBPj.pgp Description: Digitale PGP-Signatur
[SECURITY] [DLA 2214-1] libexif security update
Package: libexif Version: 0.6.21-2+deb8u2 CVE ID : CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-0093 CVE-2020-12767 Debian Bug : #960199 #918730 #876466 #873022 Various vulnerabilities have been addressed in libexif, a library to parse EXIF metadata files. CVE-2016-6328 An integer overflow when parsing the MNOTE entry data of the input file had been found. This could have caused Denial-of-Service (DoS) and Information Disclosure (disclosing some critical heap chunk metadata, even other applications' private data). CVE-2017-7544 libexif had been vulnerable to an out-of-bounds heap read in the exif_data_save_data_entry function in libexif/exif-data.c, caused by improper length computation of the allocated data of an ExifMnote entry, which could have caused denial-of-service or possibly information disclosure. CVE-2018-20030 An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EXIF tags within libexif could have been exploited to exhaust available CPU resources. CVE-2020-0093 In exif_data_save_data_entry of exif-data.c, there was a possible out of bounds read due to a missing bounds check. This could have led to local information disclosure with no additional execution privileges needed. User interaction was needed for exploitation. CVE-2020-12767 libexif had a divide-by-zero error in exif_entry_get_value in exif-entry.c. For Debian 8 "Jessie", these problems have been fixed in version 0.6.21-2+deb8u2. We recommend that you upgrade your libexif packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
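The libexif issues in DLA 2214-1 above and the follow-up DLA 2215-1 at the top of this page are all of one family: a TIFF-style IFD (the layout EXIF IFDs and most MakerNote blobs share) whose entry count, element count or data offset is taken from the file and used for a read or a size computation without being checked against the buffer. The following is an added example, not libexif code and not part of either advisory: a small bounds-checked IFD parser in Python plus a builder for constructed inputs that mimic the advisories' failure modes (oversized entry count, oversized element count, data pointer past the end, truncated table). The `MAX_ENTRIES` cap, the choice to resolve data offsets relative to the start of the blob, and the sample tag values are assumptions made for the example; Python has no uninitialized memory, so the CVE-2020-13113 case has no direct analogue here and the integer-overflow case is noted in a comment rather than reproduced.

```python
"""Bounds-checked parser for a TIFF-style IFD, the layout EXIF IFDs and most
MakerNote blobs share. Added example for the libexif advisories; it is not
libexif code and the sample input below is constructed, not a real file."""
import struct
from typing import Dict, List, Tuple

# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL,
# UNDEFINED, SLONG, SRATIONAL). Unknown types are skipped, never sized by guess.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
# Assumption: a cap on entries so a crafted count cannot turn into unbounded
# work or allocation (the CVE-2020-13114 failure mode).
MAX_ENTRIES = 512

Entry = Tuple[int, int, bytes]          # (type, count, raw data)


def parse_ifd(buf: bytes, offset: int = 0, little_endian: bool = True,
              max_entries: int = MAX_ENTRIES) -> Dict[int, Entry]:
    """Parse one IFD at `offset`; every read is checked against len(buf).
    Out-of-line data offsets are taken relative to the start of `buf`
    (assumption; real MakerNotes differ per vendor)."""
    end = "<" if little_endian else ">"
    if offset + 2 > len(buf):
        raise ValueError("IFD entry count lies outside the buffer")
    (count,) = struct.unpack_from(end + "H", buf, offset)
    if count > max_entries:
        raise ValueError(f"IFD claims {count} entries, cap is {max_entries}")
    table_end = offset + 2 + 12 * count
    if table_end > len(buf):
        raise ValueError("IFD entry table lies outside the buffer")
    entries: Dict[int, Entry] = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(end + "HHI", buf, pos)
        if typ not in TYPE_SIZES:
            continue
        # Python ints cannot overflow; the C equivalent must check
        # n <= SIZE_MAX / TYPE_SIZES[typ] before multiplying (CVE-2016-6328).
        size = TYPE_SIZES[typ] * n
        if size <= 4:
            data = buf[pos + 8:pos + 8 + size]        # value stored inline
        else:
            (data_off,) = struct.unpack_from(end + "I", buf, pos + 8)
            if data_off + size > len(buf):
                raise ValueError(f"tag 0x{tag:04x}: data range "
                                 f"[{data_off}, {data_off + size}) exceeds buffer")
            data = buf[data_off:data_off + size]
        entries[tag] = (typ, n, data)
    return entries


def build_ifd(entries: List[Tuple[int, int, int, bytes]],
              little_endian: bool = True) -> bytes:
    """Serialize (tag, type, count, data) tuples into an IFD at offset 0,
    out-of-line data appended after the table. Only used to construct inputs."""
    end = "<" if little_endian else ">"
    table = bytearray(struct.pack(end + "H", len(entries)))
    extra = bytearray()
    data_start = 2 + 12 * len(entries) + 4          # table + next-IFD pointer
    for tag, typ, n, data in entries:
        table += struct.pack(end + "HHI", tag, typ, n)
        if len(data) <= 4:
            table += data.ljust(4, b"\0")
        else:
            table += struct.pack(end + "I", data_start + len(extra))
            extra += data
    table += struct.pack(end + "I", 0)               # no next IFD
    return bytes(table + extra)


# Constructed sample: one ASCII string stored out of line, one inline SHORT.
GOOD = build_ifd([(0x0110, 2, 6, b"Canon\0"), (0x0112, 3, 1, struct.pack("<H", 1))])


def crafted_inputs() -> Dict[str, bytes]:
    """Variants of GOOD mimicking the advisories' failure modes (constructed)."""
    huge_count = struct.pack("<H", 0xFFFF) + GOOD[2:]               # absurd entry count
    huge_n = GOOD[:6] + struct.pack("<I", 0xFFFFFFFF) + GOOD[10:]   # element count too large
    far_offset = GOOD[:10] + struct.pack("<I", 1000) + GOOD[14:]    # data pointer past end
    truncated = GOOD[:20]                                           # table cut short
    return {"huge_count": huge_count, "huge_n": huge_n,
            "far_offset": far_offset, "truncated": truncated}


def safe_parse(buf: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason); a rejected buffer is never partially trusted."""
    try:
        parse_ifd(buf)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("good:", safe_parse(GOOD))
    for name, blob in crafted_inputs().items():
        print(f"{name}: {safe_parse(blob)}")
```

The point of the design is that every value read from the file is validated before it selects a read range or a loop bound, and that the parser fails closed: a single bad entry rejects the whole IFD rather than returning the entries parsed so far.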
Re: Jessie update of openconnect?
Hi Luca, On Do 14 Mai 2020 20:18:53 CEST, Luca Boccassi wrote: On Thu, 2020-05-14 at 13:32 +, Mike Gabriel wrote: Hi Luca, On Do 14 Mai 2020 11:52:22 CEST, Luca Boccassi wrote: > On Thu, 2020-05-14 at 08:03 +0200, Mike Gabriel wrote: > > Dear maintainer(s), > > [...] > > If that workflow is a burden to you, feel free to just prepare an > > updated source package and send it to debian-lts@lists.debian.org > > (via a debdiff, or with an URL pointing to the source package, > > or even with a pointer to your packaging repository), and the members > > of the LTS team will take care of the rest. Indicate clearly whether you > > have tested the updated package or not. > > > > If you don't want to take care of this update, it's not a problem, we > > will do our best with your package. Just let us know whether you would > > like to review and/or test the updated package before it gets released. > > > > You can also opt-out from receiving future similar emails in your > > answer and then the LTS Team will take care of openconnect updates > > for the LTS releases. > > Hi Mike, > > The patch seems to apply cleanly on v6.00, so I can take care of that > when I do a new upload. I will only build-test it though. Waiting for > the MR to be approved upstream first. Yeah, please only upload once the patch has been approved by upstream. Thanks! The fix looks pretty straight forward. I can test the new version once uploaded. I can also take care of the paper work (Debian LTS Announcement, website update, etc.). I will claim openconnect in our dla-needed.txt tracking file and act as your point of contact for the jessie update of openconnect. Thanks+Greets, Mike Hi, The patch has been merged upstream, so I just backported and uploaded to jessie-security. Paperwork (security-tracker update, DLA mail announcement, website update) has been done now. 
Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpDF0KFCiTdO.pgp Description: Digitale PGP-Signatur
[SECURITY] [DLA 2212-1] openconnect security update
Package: openconnect Version: 6.00-2+deb8u2 CVE ID : CVE-2020-12823 Debian Bug : 960620 OpenConnect, a VPN software, had a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c. For Debian 8 "Jessie", this problem has been fixed in version 6.00-2+deb8u2. We recommend that you upgrade your openconnect packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Re: Jessie update of openconnect?
Hi Luca, On Do 14 Mai 2020 11:52:22 CEST, Luca Boccassi wrote: On Thu, 2020-05-14 at 08:03 +0200, Mike Gabriel wrote: Dear maintainer(s), [...] If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openconnect updates for the LTS releases. Hi Mike, The patch seems to apply cleanly on v6.00, so I can take care of that when I do a new upload. I will only build-test it though. Waiting for the MR to be approved upstream first. Yeah, please only upload once the patch has been approved by upstream. Thanks! The fix looks pretty straight forward. I can test the new version once uploaded. I can also take care of the paper work (Debian LTS Announcement, website update, etc.). I will claim openconnect in our dla-needed.txt tracking file and act as your point of contact for the jessie update of openconnect. Thanks+Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpQPI5OmTQ7K.pgp Description: Digitale PGP-Signatur
Jessie update of openconnect?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of openconnect: https://security-tracker.debian.org/tracker/CVE-2020-12823 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openconnect updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of cups (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie: https://security-tracker.debian.org/tracker/CVE-2019-8842 https://security-tracker.debian.org/tracker/CVE-2020-3898 We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package. If you'd rather want to work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side. When working on issues, please try to follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However please make sure to submit a tested package. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of libexif?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif: https://security-tracker.debian.org/tracker/CVE-2020-12767 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libexif updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of graphicsmagick?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of graphicsmagick: https://security-tracker.debian.org/tracker/CVE-2020-12672 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of graphicsmagick updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of log4net?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of log4net: https://security-tracker.debian.org/tracker/CVE-2018-1285 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of log4net updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of apt?
Dear maintainer(s), The Debian LTS team would like to see the following security issue fixed which is currently open in the Jessie version of apt: https://security-tracker.debian.org/tracker/CVE-2020-3810 The apt package has been registered as a package that its maintainers would like to care of in jessie LTS themselves or at least be involved in the patch review. Please follow the workflow we have defined for LTS uploads here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, please let us know. We will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Jessie update of exim4?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of exim4: https://security-tracker.debian.org/tracker/CVE-2020-12783 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of exim4 updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Re: Jessie update of libpam-krb5?
Hi Russ, On Wednesday, 1 April 2020, Russ Allbery wrote: > Mike Gabriel writes: > > On Di 31 Mär 2020 10:28:42 CEST, Mike Gabriel wrote: > > >> PS: A member of the LTS team might start working on this update at > >> any point in time. You can verify whether someone is registered > >> on this update in this file: > >> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt > > > I have prepared libpam-krb5 4.6-3+deb8u1 and uploaded it to > > people.debian.org: > > https://people.debian.org/~sunweaver/LTS/libpam-krb5.pkg/ > > > Please send me (or rather Utkarsh on behalf of me) doing the upload > > during the day if you want to handle the upload and the DLA yourself. > > Hi Mike, > > Please go ahead and upload! Thank you for preparing that fix! > done! Mike -- Sent from my Sailfish device
Re: Jessie update of libpam-krb5?
Hi Russ, hi Sam, On Di 31 Mär 2020 10:28:42 CEST, Mike Gabriel wrote: PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt I have prepared libpam-krb5 4.6-3+deb8u1 and uploaded it to people.debian.org: https://people.debian.org/~sunweaver/LTS/libpam-krb5.pkg/ Please send me (or rather Utkarsh on behalf of me) doing the upload during the day if you want to handle the upload and the DLA yourself. Thanks+Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net pgpzxeCKDFaz1.pgp Description: Digitale PGP-Signatur
Jessie update of libpam-krb5?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libpam-krb5: https://security-tracker.debian.org/tracker/source-package/libpam-krb5 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not. If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libpam-krb5 updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Re: spamassassin security update in Debian jessie LTS
Hi Salvatore, hi Noah, On Sa 01 Feb 2020 14:01:36 CET, Salvatore Bonaccorso wrote: Hi Mike, On Fri, Jan 31, 2020 at 10:01:05PM +, Mike Gabriel wrote: Hi Ola, Noah, On Fr 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote: > Hi > > Spamassassin (and a few other packages) are handled a little differently > compared to most packages in Debian. > > I'd advise that we go for the latest release. The only reason I see why we > would not, would be if we introduce some major backwards compatibility > issue. > > // Ola Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4-1~deb8u3) right now... Please don't (unless, see below). Noah did already outline what is going to be released for stable and oldstable, the patches are extracted and applied. He referenced the needed patches. Now if you are going still the route of backporting 3.4.4 (btw. the version should be either 3.4.4-0+deb8u1 or if it's most backporting the version minus packaging changes to be reverted 3.4.4-1~deb8u1), then please first work on getting 3.4.4 backports in oldstable and stable accordingly. SRM would need to agree on having those versions rebased. Otherwise after your release of the DSA we will have that jessie version of spamassassin is higher than the versions in stretch and buster. Hope this helps. Regards, Salvatore Salvatore, thanks for your feedback on this. You are right. First, I, by now, have a spamassassin 3.4.4-1 that builds and works on jessie (and should similarly build and work on stretch/buster, with some minor DH related changes required). I get the point about the need of having 3.4.4 in stretch/buster before shipping it in jessie. Acknowledged. So, I'd like to play the ball back to Noah. Do you think, that applying the security patches is sufficient for spamassassin in stretch/buster? Or have there been so many other fixes(TM) that justify an upstream backport to jessie/stretch/buster. Esp. 
I am thinking about future compatibility with (upstream'ish) ruleset updates when those are performed on a Debian (old(old))stable system using sa-update. For jessie, I will follow what Noah will be doing in stretch+buster, then. Valid point. Thanks for bringing it up again, Salvatore. Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp08Cf5cwOn9.pgp Description: Digitale PGP-Signatur
[SECURITY] [DLA 2092-1] qtbase-opensource-src security update
Package: qtbase-opensource-src Version: 5.3.2+dfsg-4+deb8u4 CVE ID : CVE-2020-0569 In Qt5's plugin loader code as found in qtbase-opensource-src, it was possible to (side-)load plugins from "the" local folder in addition to a system-widely defined library path. For Debian 8 "Jessie", this problem has been fixed in version 5.3.2+dfsg-4+deb8u4. We recommend that you upgrade your qtbase-opensource-src packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net signature.asc Description: PGP signature
Re: spamassassin security update in Debian jessie LTS
Hi Matus, On Fr 31 Jan 2020 17:16:53 CET, Matus UHLAR - fantomas wrote: On 31.01.20 14:31, Mike Gabriel wrote: Hi Noah, dear LTS contributors, Hello guys, I am about to look into CVE-2020-1930 and CVE-2020-1931 reported against spamassassin. The issues have been fixed in 3.4.4~rc1 FYI, 3.4.4 was released two days ago... and as spamassassin has been upstream version bumped in Debian jessie LTS before, I am asking for your opinion, if you'd rather recommend cherry-picking the fixes (which I haven't been able to identify yet in upstream SVN) or simply upstream version bump spamassassin in jessie LTS once more. @LTS team: sharing your feedback / opinions will be much appreciated, too. ... and I discussed this with some people on spamassassin mailing list. quoting one mail[1]: Key to the issue is I fail to see how the highly intrusive security work done for 3.4.3 can possibly be backported. My recommendation remains a strong: upgrade to 3.4.4. and its reply[2] The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are roughly 100kb in size. I can't guess how big would be the fix now. the decision is of course up to you. [1] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<32172386-a795-1bea-ad6f-05218d5db...@apache.org> [2] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/ Looking into 3.4.4-1~deb8u3 right now... Thanks for the above feedback. Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpQZpBhXLLtT.pgp Description: Digitale PGP-Signatur
Re: spamassassin security update in Debian jessie LTS
Hi Ola, Noah, On Fr 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote: Hi Spamassassin (and a few other packages) are handled a little differently compared to most packages in Debian. I'd advise that we go for the latest release. The only reason I see why we would not, would be if we introduce some major backwards compatibility issue. // Ola Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4-1~deb8u3) right now... Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp_79EgjqlUF.pgp Description: Digitale PGP-Signatur
spamassassin security update in Debian jessie LTS
Hi Noah, dear LTS contributors, I am about to look into CVE-2020-1930 and CVE-2020-1931 reported against spamassassin. The issues have been fixed in 3.4.4~rc1 and as spamassassin has been upstream version bumped in Debian jessie LTS before, I am asking for your opinion, if you'd rather recommend cherry-picking the fixes (which I haven't been able to identify yet in upstream SVN) or simply upstream version bump spamassassin in jessie LTS once more. @LTS team: sharing your feedback / opinions will be much appreciated, too. Thanks+Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpvk81i7YzO3.pgp Description: Digitale PGP-Signatur
[SECURITY] [DLA 2089-1] openjpeg2 security update
Package: openjpeg2
Version: 2.1.0-2+deb8u10
CVE ID : CVE-2020-8112
Debian Bug : 950184

opj_t1_clbl_decode_processor in openjp2/t1.c of OpenJPEG had a heap-based buffer overflow in the qmfbid==1 case, a similar but different issue than CVE-2020-6851.

For Debian 8 "Jessie", this problem has been fixed in version 2.1.0-2+deb8u10.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 2088-1] libsolv security update
Package: libsolv
Version: 0.6.5-1+deb8u1
CVE ID : CVE-2019-20387
Debian Bug : 949611

repodata_schema2id in repodata.c in libsolv, a dependency solver library, had a heap-based buffer over-read via a last schema whose length could be less than the length of the input schema.

For Debian 8 "Jessie", this problem has been fixed in version 0.6.5-1+deb8u1.

We recommend that you upgrade your libsolv packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[SECURITY] [DLA 2087-1] suricata security update
Package: suricata
Version: 2.0.7-2+deb8u5
CVE ID : CVE-2019-18625 CVE-2019-18792

Two vulnerabilities have recently been discovered in the stream-tcp code of the intrusion detection and prevention tool Suricata.

CVE-2019-18625

It was possible to bypass/evade any TCP-based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it was possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client would have ignored the RST ACK and the FIN ACK packets because of the bad TCP Timestamp option.

CVE-2019-18792

It was possible to bypass/evade any TCP-based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet had to be injected just before the PUSH ACK packet we wanted to bypass. The PUSH ACK packet (containing the data) would have been ignored by Suricata because it would have overlapped the FIN packet (the sequence and ack number are identical in the two packets). The client would have ignored the fake FIN packet because the ACK flag would not have been set.

For Debian 8 "Jessie", these problems have been fixed in version 2.0.7-2+deb8u5.

We recommend that you upgrade your suricata packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
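The two evasion conditions in this advisory, seen from the detection side, as an added example that is neither Suricata's code nor part of the advisory: a toy stream observer walks constructed segment traces once "naively" (trusting every closing segment and treating a segment at the seq/ack of an earlier FIN as an overlap) and once mimicking the client's own checks; sequence numbers and payload are made up.

```python
"""Why the two stream-tcp evasions in DLA 2087-1 work: a naive observer and an
endpoint-faithful one disagree on what the client actually received."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One observed TCP segment (constructed for this model, not a capture)."""
    src: str            # "client" or "server"
    flags: frozenset    # TCP flags set on the segment
    seq: int
    ack: int
    payload: bytes = b""
    ts_valid: bool = True   # would the TCP timestamp option pass the client's checks?


def seg(src, flags, seq, ack, payload=b"", ts_valid=True):
    """Build a Segment from a 'FLAG|FLAG' string."""
    return Segment(src, frozenset(flags.split("|")), seq, ack, payload, ts_valid)


def reassemble(segments, endpoint_faithful):
    """Return the server->client payload as accepted by the modelled observer.

    endpoint_faithful=False models the pre-fix behaviour the advisory describes;
    endpoint_faithful=True applies the two checks the real client applies.
    """
    established = False
    closed = False
    consumed = set()      # (src, seq, ack) positions the observer believes it handled
    data = b""
    for s in segments:
        if s.src == "client" and "SYN" in s.flags:
            established = True
            continue
        if not established or closed:
            continue
        key = (s.src, s.seq, s.ack)
        if "RST" in s.flags or "FIN" in s.flags:
            # CVE-2019-18625: the client discards a close carrying a bad timestamp option.
            if endpoint_faithful and not s.ts_valid:
                continue
            # CVE-2019-18792: the client discards a FIN that does not carry ACK.
            if endpoint_faithful and "FIN" in s.flags and "ACK" not in s.flags:
                continue
            if "RST" in s.flags:
                closed = True          # nothing after this is inspected any more
            else:
                consumed.add(key)      # the FIN now "owns" this sequence position
            continue
        if key in consumed and not endpoint_faithful:
            continue                   # naive: dropped as a duplicate of the FIN
        consumed.add(key)
        if s.src == "server":
            data += s.payload
    return data


def blind_spot(segments):
    """Server->client bytes the client accepts but the naive observer never inspects."""
    naive = reassemble(segments, endpoint_faithful=False)
    faithful = reassemble(segments, endpoint_faithful=True)
    return faithful[len(naive):] if faithful.startswith(naive) else faithful


# Constructed sample exchanges; sequence numbers are arbitrary.
RESPONSE = b"HTTP/1.1 200 OK\r\n"
HANDSHAKE = [
    seg("client", "SYN", 1000, 0),
    seg("server", "SYN|ACK", 5000, 1001),
    seg("client", "ACK", 1001, 5001),
]
# CVE-2019-18625: right after the SYN, RST/ACK and FIN/ACK arrive with a bad
# timestamp option; the client ignores them, the naive observer closes the flow.
BAD_TIMESTAMP_CLOSE = [
    HANDSHAKE[0],
    seg("server", "RST|ACK", 5000, 1001, ts_valid=False),
    seg("server", "FIN|ACK", 5000, 1001, ts_valid=False),
] + HANDSHAKE[1:] + [seg("server", "PSH|ACK", 5001, 1001, RESPONSE)]
# CVE-2019-18792: a FIN without ACK precedes the PSH/ACK carrying the data at the
# same seq/ack; the client ignores the FIN, the naive observer drops the data.
FAKE_FIN_OVERLAP = HANDSHAKE + [
    seg("server", "FIN", 5001, 1001),
    seg("server", "PSH|ACK", 5001, 1001, RESPONSE),
]

if __name__ == "__main__":
    for name, trace in (("bad-timestamp close", BAD_TIMESTAMP_CLOSE),
                        ("fake FIN overlap", FAKE_FIN_OVERLAP)):
        print(f"{name}: naive observer never inspected {blind_spot(trace)!r}")
```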
[SECURITY] [DLA 2081-1] openjpeg2 security update
Package: openjpeg2
Version: 2.1.0-2+deb8u9
CVE ID : CVE-2020-6851

OpenJPEG had a heap-based buffer overflow in opj_t1_clbl_decode_processor in libopenjp2.so.

For Debian 8 "Jessie", this problem has been fixed in version 2.1.0-2+deb8u9.

We recommend that you upgrade your openjpeg2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Unable to announce the updates
Hi Utkarsh,

On Di 14 Jan 2020 22:50:30 CET, Utkarsh Gupta wrote:

Hi Mike,

On 14/01/20 2:00 pm, Mike Gabriel wrote:
please send over the announcement text, I'll handle the signed mail to d-lts-announce later today.

Many thanks for doing so. Attached is the DLA-2060 for phpmyadmin and DLA-2063 for debian-lan-config.

Best,
Utkarsh

I have sent both DLAs to the d-lts-announce mailing list now. I sent them under my UID in order to not confuse my or any other mail server nor my local GPG. I will accordingly document the sending on-behalf in my upcoming monthly report.

Greets,
Mike
[SECURITY] [DLA 2063-1] debian-lan-config security update
Package: debian-lan-config
Version: 0.19+deb8u2
CVE ID : CVE-2019-3467
Debian Bug : 947459

In debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server allowed password changes for other Kerberos user principals.

For Debian 8 "Jessie", this problem has been fixed in version 0.19+deb8u2.

We recommend that you upgrade your debian-lan-config packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Unable to announce the updates
Hi,

On Di 14 Jan 2020 04:10:46 CET, Utkarsh Gupta wrote:

Hi Chris,

On Tue, 14 Jan, 2020, 5:27 AM Chris Lamb, wrote:
> Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and
> pasting its content and sending it via GMail.
>
> Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta
> " on Thunderbird.

Whilst not conclusive, this would suggest to me that the mailing list software is not treating this key as authorised; did you perhaps do some Debian keyring changes recently? It may take some time to propagate, perhaps after a keyring update (usually once a month IIRC).

Ah, though my keys were in the keyring (as a DM) since March, only 15 days before did I get a mail from the DSA Team telling that the process from DM -> DD has been completed. So I'm guessing it'll sync by next month at least.

That said, I shall send the DLAs here in sometime. Requesting for someone to announce the update on my behalf :)

Best,
Utkarsh

please send over the announcement text, I'll handle the signed mail to d-lts-announce later today.

Mike
Re: Unable to announce the updates
Hi Utkarsh,

On Mo 13 Jan 2020 20:39:12 CET, Utkarsh Gupta wrote:

Hi Chris, Emilio,

On 13/01/20 2:41 pm, Emilio Pozuelo Monfort wrote:
On 10/01/2020 19:12, Utkarsh Gupta wrote:
Hi Chris,

On 10/01/20 11:34 pm, Chris Lamb wrote:
I've been trying to send DLA-2063 (and now DLA-2060) announcement to -lts-announce but for some reasons I can't seem to post there.

This is invariably due to issues regarding the GPG signature.

Ah, I am guessing that Thunderbird doesn't really work when a GPG signature is sent as an attachment?

If it helps, I tend to BCC myself when making those announcements so that I can confirm that I used the correct key and (inline) signature scheme.

Aha! Nice idea, I shall BCC myself, too. Perhaps I shall look up the inline signature scheme, thanks! :)

Using enigmail with PGP/mime has problems with debian lists for some reason. So that's most likely the cause. Just use inline PGP signatures when sending mails to -announce lists and you should be good.

Perhaps this doesn't seem to be working for me :/ Here's what I'm doing: Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and pasting its content and sending it via GMail.

Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta " on Thunderbird.

Am I missing something?

Maybe use a mail client like Mutt or Thunderbird providing native GPG support on top of your gmail account?

Mike
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi,

On Sa 21 Dez 2019 21:43:43 CET, Salvatore Bonaccorso wrote:

Hi Mike,

On Sat, Dec 21, 2019 at 05:47:25PM +, Mike Gabriel wrote:
Hi again,

On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:
> Hi again,
>
> On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:
>
> > Hi all,
> >
> > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
> >
> > ```
> > Connection failed. Couldn't create remote file
> > ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > scp: ~/.x2go/ssh: No such file or directory"
> > ```
> >
> > The solution to this is a fix to be applied against X2Go Client (in
> > jessie/stretch/buster/unstable):
> > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> >
> > Thanks,
> > Mike
>
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
>
> Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> please follow-up and provide regression fixes (i.e. a patched X2Go
> Client, see LP:#1856795) to Ubuntu.
>
> Thanks+Greets,
> Mike

I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix for regression with CVE-2019-14889/libssh

Does that need a DLA? If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA number?

In this case I would use a DLA-2038-2 regression update advisory, with tracking the x2goclient source package and (important) not tracking the CVE id. It's a bit of an unusual case, but that is how it's then usually handled. You can see DSA-4539-2 as a respective example.

So your entry would look like (data/DLA/list):

[$date] DLA-2038-2 x2goclient - regression update
	[jessie] - x2goclient $version

Regards,
Salvatore

Done. Thanks!

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of nethack (minor security issues)?
Hi,

On Sa 21 Dez 2019 15:42:08 CET, Abhijith PA wrote:

Hi Markus and Mike

On 21/12/19 3:26 am, Mike Gabriel wrote:
On Fr 20 Dez 2019 15:35:01 CET, Markus Koschany wrote:
Nethack is a game and I believe it should be added to our end-of-life list.

+1 from me.

Mike

I claimed it in dla-needed. Should I take care of eol procedure or you will be doing it.

--abhijith

If no one objects within the next two days or so, please go ahead and take care of the eol procedure.

Thanks+Greets,
Mike
Accepted x2goclient 4.0.3.1-4+deb8u1 (source amd64 all) into oldoldstable
Format: 1.8
Date: Sat, 21 Dec 2019 18:22:22 +0100
Source: x2goclient
Binary: x2goclient x2goplugin x2goplugin-provider x2goclient-dbg x2goplugin-dbg
Architecture: source amd64 all
Version: 4.0.3.1-4+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: X2Go Packaging Team
Changed-By: Mike Gabriel
Description:
 x2goclient - X2Go Client application (Qt4)
 x2goclient-dbg - X2Go Client application (Qt4), debug symbols (client)
 x2goplugin - X2Go Client (Qt4) as browser plugin
 x2goplugin-dbg - X2Go Client application (Qt4), debug symbols (plugin)
 x2goplugin-provider - Provide X2Go Plugin via Apache webserver
Closes: 947129
Changes:
 x2goclient (4.0.3.1-4+deb8u1) jessie-security; urgency=medium
 .
   * debian/patches:
     + Add libssh-regression-fix-CVE-2019-14889.patch. In src/sshprocess.cpp: strip ~/, ~user{,/}, ${HOME}{,/} and $HOME{,/} from destination paths in scp mode. Fixes: #1428. This was already necessary for pscp (PuTTY-based Windows solution for Kerberos support), but newer libssh versions with the CVE-2019-14889 fix also interpret paths as literal strings. (Closes: #947129).
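The regression and the changelog's fix in one small model, as an added example that is not X2Go's src/sshprocess.cpp: before the CVE-2019-14889 fix libssh let the remote shell expand "~" and "$HOME" in an scp destination, afterwards the path is taken literally. The model assumes a login home of /home/user and treats every "~user" form as that same home.

```python
"""Where an X2Go scp destination lands on the server: old libssh, new libssh with
an unpatched client, and new libssh with the path stripping from the changelog."""
import posixpath
import re

# One leading ~/, ~user{,/}, ${HOME}{,/} or $HOME{,/}.  The prefix only counts
# when it ends the string or is followed by "/", so "$HOMEDIR/x" stays untouched.
_HOME_PREFIX = re.compile(r"^(?:\$\{HOME\}|\$HOME|~[^/]*)(?:/|$)")


def strip_home_prefix(path: str) -> str:
    """The client-side fix: make the destination relative to the login home."""
    return _HOME_PREFIX.sub("", path, count=1)


def resolve_remote(path: str, home: str = "/home/user", literal: bool = True) -> str:
    """Where the remote scp server would create `path` (constructed model).

    literal=False models pre-fix libssh (shell expansion of the home prefix);
    literal=True models fixed libssh, where a relative path lands below the
    login home and a leading "~/" becomes a literal directory named "~".
    """
    if not literal:
        path = _HOME_PREFIX.sub(home + "/", path, count=1)
    if not path.startswith("/"):
        path = posixpath.join(home, path)   # scp starts in the login user's home
    return posixpath.normpath(path)


def landing_paths(path: str, home: str = "/home/user"):
    """(old libssh, new libssh + unpatched client, new libssh + patched client)."""
    return (
        resolve_remote(path, home, literal=False),
        resolve_remote(path, home, literal=True),
        resolve_remote(strip_home_prefix(path), home, literal=True),
    )


if __name__ == "__main__":
    # The destination from the failing session quoted in the thread.
    old, broken, fixed = landing_paths("~/.x2go/ssh/key.X18947")
    print("old libssh:              ", old)
    print("new libssh, old client:  ", broken)   # the "No such file or directory" case
    print("new libssh, fixed client:", fixed)
```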
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sa 21 Dez 2019 18:36:09 CET, Mike Gabriel wrote:

Hi again,

On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:

Hi all,

the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:

```
Connection failed. Couldn't create remote file
~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
scp: ~/.x2go/ssh: No such file or directory"
```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

Thanks,
Mike

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129 and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795

Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this, please follow-up and provide regression fixes (i.e. a patched X2Go Client, see LP:#1856795) to Ubuntu.

Thanks+Greets,
Mike

I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix for regression with CVE-2019-14889/libssh

Does that need a DLA? If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA number?

Appreciating feedback,
Mike
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sa 21 Dez 2019 17:27:15 CET, Mike Gabriel wrote:

Hi all,

the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:

```
Connection failed. Couldn't create remote file
~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
scp: ~/.x2go/ssh: No such file or directory"
```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

Thanks,
Mike

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129 and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795

Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this, please follow-up and provide regression fixes (i.e. a patched X2Go Client, see LP:#1856795) to Ubuntu.

Thanks+Greets,
Mike
Re: Jessie update of cyrus-sasl2?
Hi Roberto,

On Fr 20 Dez 2019 16:36:05 CET, Roberto C. Sánchez wrote:

On Fri, Dec 20, 2019 at 01:06:39PM +0100, Mike Gabriel wrote:
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of cyrus-sasl2:
https://security-tracker.debian.org/tracker/CVE-2019-19906

Would you like to take care of this yourself?

Hi Mike,

I had intended to take care of this, but it seems you have already done it. Thanks for your help. Did you encounter any issues that might concern making the update or applying the patch in stretch or buster versions of cyrus-sasl?

Regards,
-Roberto

In fact, I have upgraded my jessie-mailserver with the fix and it seems to be all good. However, I am not 100% sure, if my setup (cyrus-imap + postfix via saslauthd behind LDAP, etc.) hits the exact code path.

Mike
Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi all,

the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:

```
Connection failed. Couldn't create remote file
~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
scp: ~/.x2go/ssh: No such file or directory"
```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

Thanks,
Mike
Accepted tightvnc 1.3.9-6.5+deb8u1 (source amd64) into oldoldstable
Format: 1.8
Date: Fri, 20 Dec 2019 16:04:53 +0100
Source: tightvnc
Binary: tightvncserver xtightvncviewer
Architecture: source amd64
Version: 1.3.9-6.5+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Ola Lundqvist
Changed-By: Mike Gabriel
Description:
 tightvncserver - virtual network computing server software
 xtightvncviewer - virtual network computing client software for X
Changes:
 tightvnc (1.3.9-6.5+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2014-6053: Check malloc() return value on client->server ClientCutText message.
   * CVE-2018-20020: Fix heap out-of-bound write vulnerability inside structure in VNC client code.
   * CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
   * CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
   * CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized.
   * CVE-2019-15678: LibVNCClient: ignore server-sent cut text longer than 1MB.
   * Extra patch similar to the fix for CVE-2019-15678: LibVNCClient: ignore server-sent reason strings longer than 1MB (see CVE-2018-20748/libvncserver).
   * CVE-2019-15679: rfbproto.c/InitialiseRFBConnection: Check desktop name length received before allocating memory for it.
   * CVE-2019-15680: Fix null-pointer-deref issue in vncviewer/zlib.c.
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote.
   * Cherry-pick 782620-crashfix.patch from newer tightvnc src:pkg. Fixes segfault on amd64 systems when e.g. KDEPIM is being used inside an Xvnc session.
Re: Jessie update of transfig (minor security issues)?
Hi Roland,

On Fr 20 Dez 2019 13:46:08 CET, Roland Rosenfeld wrote:

Hi Mike!

On Fr, 20 Dez 2019, Mike Gabriel wrote:
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/CVE-2019-19797

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather want to work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

I'm currently waiting for the upstream maintainer fixing this issue, hoping that he will work on this soon. If he provides a patch, I'd upload a fixed package to sid and buster and stretch. To say the truth, I didn't have jessie on my focus for this issue, at least since it is tagged "minor issue".

If you want to work on this issue, I'd prefer to get a patch against sid and then backport the patch to the older releases, since upstream fixed several issues and vulnerabilities in recent versions, while starting with jessie looks like the wrong direction to me. But feel free to do so, maybe I can port it to the newer versions :-)

Greetings
Roland

Currently, only low prio issues are open for transfig. This means, that a paid member of the LTS team will take a look at it, if no other pressing issue needs fixing. As maintainer, you should get notified by dak via mail, if an upload occurs.

Greets,
Mike
Re: Jessie update of nethack (minor security issues)?
On Fr 20 Dez 2019 15:35:01 CET, Markus Koschany wrote:

Hi Mike,

Am 20.12.19 um 13:33 schrieb Mike Gabriel:
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/CVE-2019-19905

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low.
[...]

Nethack is a game and I believe it should be added to our end-of-life list.

Regards,
Markus

+1 from me.

Mike
Accepted cyrus-sasl2 2.1.26.dfsg1-13+deb8u2 (source amd64 all) into oldoldstable
Format: 1.8
Date: Fri, 20 Dec 2019 15:26:43 +0100
Source: cyrus-sasl2
Binary: sasl2-bin cyrus-sasl2-doc libsasl2-2 libsasl2-modules libsasl2-modules-db libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql libsasl2-modules-gssapi-mit libsasl2-dev libsasl2-modules-gssapi-heimdal cyrus-sasl2-dbg cyrus-sasl2-mit-dbg cyrus-sasl2-heimdal-dbg
Architecture: source amd64 all
Version: 2.1.26.dfsg1-13+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Cyrus SASL Team
Changed-By: Mike Gabriel
Description:
 cyrus-sasl2-dbg - Cyrus SASL - debugging symbols
 cyrus-sasl2-doc - Cyrus SASL - documentation
 cyrus-sasl2-heimdal-dbg - Cyrus SASL - debugging symbols for Heimdal modules
 cyrus-sasl2-mit-dbg - Cyrus SASL - debugging symbols for MIT modules
 libsasl2-2 - Cyrus SASL - authentication abstraction library
 libsasl2-dev - Cyrus SASL - development files for authentication abstraction lib
 libsasl2-modules - Cyrus SASL - pluggable authentication modules
 libsasl2-modules-db - Cyrus SASL - pluggable authentication modules (DB)
 libsasl2-modules-gssapi-heimdal - Pluggable Authentication Modules for SASL (GSSAPI)
 libsasl2-modules-gssapi-mit - Cyrus SASL - pluggable authentication modules (GSSAPI)
 libsasl2-modules-ldap - Cyrus SASL - pluggable authentication modules (LDAP)
 libsasl2-modules-otp - Cyrus SASL - pluggable authentication modules (OTP)
 libsasl2-modules-sql - Cyrus SASL - pluggable authentication modules (SQL)
 sasl2-bin - Cyrus SASL - administration programs for SASL users database
Changes:
 cyrus-sasl2 (2.1.26.dfsg1-13+deb8u2) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-19906: Fix off-by-one issue in _sasl_add_string function.
[SECURITY] [DLA 2044-1] cyrus-sasl2 security update
Package: cyrus-sasl2
Version: 2.1.26.dfsg1-13+deb8u2
CVE ID : CVE-2019-19906
Debian Bug : 947043

There has been an out-of-bounds write in Cyrus SASL leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash was ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.

For Debian 8 "Jessie", this problem has been fixed in version 2.1.26.dfsg1-13+deb8u2.

We recommend that you upgrade your cyrus-sasl2 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of nethack (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/CVE-2019-19905

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low.

When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of ruby-rack?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ruby-rack:
https://security-tracker.debian.org/tracker/CVE-2019-16782

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ruby-rack updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

PPS: Please note that a member of the LTS team has already reviewed the upstream patches proposed to fix this CVE. The outcome of this review is: there might be regressions and possibly more when upstream's fix gets applied; see [1].

[1] https://salsa.debian.org/security-tracker-team/security-tracker/commit/e32ec7ffb4bfde893810967b08f90488f16d4be4

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of transfig (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/CVE-2019-19797

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low.

When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of cyrus-sasl2?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of cyrus-sasl2:
https://security-tracker.debian.org/tracker/CVE-2019-19906

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of cyrus-sasl2 updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Accepted nss 2:3.26-1+debu8u9 (source amd64) into oldoldstable
Format: 1.8
Date: Fri, 29 Nov 2019 20:49:00 +0100
Source: nss
Binary: libnss3 libnss3-1d libnss3-tools libnss3-dev libnss3-dbg
Architecture: source amd64
Version: 2:3.26-1+debu8u9
Distribution: jessie-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Mike Gabriel
Description:
 libnss3 - Network Security Service libraries
 libnss3-1d - Network Security Service libraries - transitional package
 libnss3-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Changes:
 nss (2:3.26-1+debu8u9) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * debian/changelog:
     + Add missing CVE-2019-17007 description text in previous changelog stanza.
[SECURITY] [DLA 2004-1] 389-ds-base security update
Package: 389-ds-base
Version: 1.3.3.5-4+deb8u7
CVE ID : CVE-2019-14824
Debian Bug : 944150

A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.

For Debian 8 "Jessie", this problem has been fixed in version 1.3.3.5-4+deb8u7.

We recommend that you upgrade your 389-ds-base packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 2005-1] tnef security update
Package: tnef
Version: 1.4.9-1+deb8u4
CVE ID : CVE-2019-18849
Debian Bug : 944851

In tnef, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup.

For Debian 8 "Jessie", this problem has been fixed in version 1.4.9-1+deb8u4.

We recommend that you upgrade your tnef packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Accepted nss 2:3.26-1+debu8u8 (source amd64) into oldoldstable
Format: 1.8
Date: Fri, 29 Nov 2019 16:04:11 +0100
Source: nss
Binary: libnss3 libnss3-1d libnss3-tools libnss3-dev libnss3-dbg
Architecture: source amd64
Version: 2:3.26-1+debu8u8
Distribution: jessie-security
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages
Changed-By: Mike Gabriel
Description:
 libnss3 - Network Security Service libraries
 libnss3-1d - Network Security Service libraries - transitional package
 libnss3-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Changes:
 nss (2:3.26-1+debu8u8) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * CVE-2019-17007:
Accepted ssvnc 1.0.29-2+deb8u1 (source amd64) into oldoldstable
Format: 1.8
Date: Fri, 29 Nov 2019 12:15:33 +0100
Source: ssvnc
Binary: ssvnc
Architecture: source amd64
Version: 1.0.29-2+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Magnus Holmgren
Changed-By: Mike Gabriel
Description:
 ssvnc - Enhanced TightVNC viewer with SSL/SSH tunnel helper
Closes: 945827
Changes:
 ssvnc (1.0.29-2+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS team.
   * Porting of libvncclient security patches: (Closes: #945827).
     - CVE-2018-20020: heap out-of-bound write vulnerability inside structure in VNC client code.
     - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code.
     - CVE-2018-20022: CWE-665: Improper Initialization vulnerability.
     - CVE-2018-20024: null pointer dereference that can result DoS.
[SECURITY] [DLA 2015-1] nss security update
Package: nss
Version: 2:3.26-1+debu8u8
CVE ID : CVE-2019-17007
Debian Bug :

Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref, leading to a Denial-of-Service.

For Debian 8 "Jessie", this problem has been fixed in version 2:3.26-1+debu8u8.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 2016-1] ssvnc security update
Package: ssvnc
Version: 1.0.29-2+deb8u1
CVE ID : CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20024
Debian Bug : 945827

Several vulnerabilities have been identified in the VNC code of ssvnc, an encryption-capable VNC client.

The vulnerabilities referenced below are issues that have originally been reported against the Debian source package libvncserver (which also ships the libvncclient shared library). The ssvnc source package in Debian ships a custom-patched, stripped down and outdated variant of libvncclient, thus some of libvncclient's security fixes required porting over.

CVE-2018-20020

    LibVNC contained a heap out-of-bound write vulnerability inside a structure in VNC client code that can result in remote code execution.

CVE-2018-20021

    LibVNC contained a CWE-835: Infinite loop vulnerability in VNC client code. The vulnerability allows an attacker to consume an excessive amount of resources like CPU and RAM.

CVE-2018-20022

    LibVNC contained multiple weaknesses (CWE-665: Improper Initialization) in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory layout and in bypassing ASLR.

CVE-2018-20024

    LibVNC contained a null pointer dereference in VNC client code that could result in DoS.

For Debian 8 "Jessie", these problems have been fixed in version 1.0.29-2+deb8u1.

We recommend that you upgrade your ssvnc packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of proftpd-dfsg?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of proftpd-dfsg:
https://security-tracker.debian.org/tracker/CVE-2019-19269
https://security-tracker.debian.org/tracker/CVE-2019-19270
https://security-tracker.debian.org/tracker/CVE-2019-19271
https://security-tracker.debian.org/tracker/CVE-2019-19272

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of proftpd-dfsg updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libjackson-json-java?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libjackson-json-java:
https://security-tracker.debian.org/tracker/CVE-2019-10172

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libjackson-json-java updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of asterisk?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of asterisk:
https://security-tracker.debian.org/tracker/CVE-2019-18790
https://security-tracker.debian.org/tracker/CVE-2019-18610

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of asterisk updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: RFS: 389-ds-base
Hi Holger,

On Fr 29 Nov 2019 13:46:23 CET, Holger Levsen wrote:

> Hi Mike, Utkarsh,
>
> On Fri, Nov 29, 2019 at 12:24:34PM +, Mike Gabriel wrote:
>> Sorry for the delay. Looking into it right now.
>>
>> Mike (with LTS frontdesk hat on)
>
> thanks a lot for this and the uploads, Mike! Utkarsh has pinged me privately last night and thus it was on my list for today, but I'm glad to scratch it from there now! ;)

I saw those mails yesterday and wondered why nobody picked those RFSs up... Then I realized this week's frontdesk hat of mine..., and it still took a day for the bells to start ringing gently, that this might be my task... You could hear the clockwork creak in my brain before the bell rang, tststs... :-)

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: tnef
Hi,

On Mo 25 Nov 2019 06:00:51 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-18849 for tnef and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf. Attaching the DLA file for the same.
>
> Also, sent a patch for Stretch, Buster, Bullseye, and Sid to the maintainer. CCed #944851 and the Security team as well.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/t/tnef/tnef_1.4.9-1+deb8u4.dsc

Uploaded to security-master now.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: 389-ds-base
Hi,

On Mo 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf. Attaching the DLA file for the same.
>
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Uploaded to security-master now.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: 389-ds-base
Hi Utkarsh,

On Mo 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf. Attaching the DLA file for the same.
>
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Sorry for the delay. Looking into it right now.

Mike (with LTS frontdesk hat on)

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Jessie update of ssvnc?
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ssvnc: https://security-tracker.debian.org/tracker/CVE-2018-20020 https://security-tracker.debian.org/tracker/CVE-2018-20021 https://security-tracker.debian.org/tracker/CVE-2018-20022 https://security-tracker.debian.org/tracker/CVE-2018-20024 These security issues have recently become known while looking into all Debian packages that bundle some or another version of code originally derived from the libvncserver source package. I will soon send a .debdiff to the Debian bugtracker that resolves above named issues for ssvnc in Debian jessie. The patches should be easily forward-portable to ssvnc in stretch, buster and testing/unstable. Would you like to take care of the jessie LTS upload yourself? If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just review the proposed fixes in the source package and give feedback, if there is any. I, with my LTS team member hat on, will take care of the upload then. If you don't want to take care of this update at all, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ssvnc updates for the LTS releases. Thank you very much. Mike Gabriel, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. 
You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
Accepted vino 3.14.0-2+deb8u1 (source amd64) into oldoldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 28 Nov 2019 16:50:38 +0100 Source: vino Binary: vino Architecture: source amd64 Version: 3.14.0-2+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Debian GNOME Maintainers Changed-By: Mike Gabriel Description: vino - VNC server for GNOME Closes: 945784 Changes: vino (3.14.0-2+deb8u1) jessie-security; urgency=medium . * Non-maintainer upload by the LTS team. * Porting of libvncserver security patches: (Closes: #945784) - CVE-2014-6053: Check malloc() return value on client->server ClientCutText message. - CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. - CVE-2019-15681: rfbserver: don't leak stack memory to the remote. Checksums-Sha1: f9cee0857909bef1d60ba71ef74669fde964a9bc 2465 vino_3.14.0-2+deb8u1.dsc c26168b0a6dfa6f646dcc131a09aaca2789623f1 749784 vino_3.14.0.orig.tar.xz 017586e98f4cbe84319c99d3be56db8468ff07b9 12992 vino_3.14.0-2+deb8u1.debian.tar.xz ee14ec7bf9e07bfd8f6d6fe098fabe6e1020a2c5 406796 vino_3.14.0-2+deb8u1_amd64.deb Checksums-Sha256: b1160d80107d43104084fdf65362c4e29bb80a1f60930f05946e1ce3ce376239 2465 vino_3.14.0-2+deb8u1.dsc 8faf864009e697e8652e4833150eaaba3da6c5a85f9f95886a5b76b00e5a9c1b 749784 vino_3.14.0.orig.tar.xz dc1324d253fd2954548a5cddc3a541ebd3b0b8b4e66c9fee1dfa1b18526fa63c 12992 vino_3.14.0-2+deb8u1.debian.tar.xz 2de19ef08ad9efee7baaf3098c062d0765eb31bf5cbf13d1f1b48f38b74db10e 406796 vino_3.14.0-2+deb8u1_amd64.deb Files: a65c0b39ca5560518abad9858e098f8e 2465 gnome optional vino_3.14.0-2+deb8u1.dsc 3564333509f9554fe8047cc34748cec1 749784 gnome optional vino_3.14.0.orig.tar.xz efab54f7d2e173bf21dba41fa5cbf776 12992 gnome optional vino_3.14.0-2+deb8u1.debian.tar.xz 23426d17da6a8fd3964fcd310aaee15c 406796 gnome optional vino_3.14.0-2+deb8u1_amd64.deb -BEGIN PGP SIGNATURE- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl3gzp8VHHN1bndlYXZl 
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxgJwQAKa2zyct+L257togGVgKMyCNBqLf i3JiF8vW0EDSCrFP6bLPOy1X1dy8YxEj4O9Zcza9PetShnpLwROlLPxbUVwonnMZ +/Rc8kWODpvKXUPArboVtQzhnExpsUfQPMcwd6RBVp3QNw8IAfGzucJpo33yk5BU GALJlLbfhYgK3P9TcB7CcQW7Af355SpNTj4AlbCfGVEEWf8newS4Nrxksbg2mQj+ p7fi2ts88Yk5gi8DHIGrWkOtLsKc84jAsTfp+O9siILUUMukn/i+OmLPl5h/WVYN VtTIV3XxfroH4cP+5SqsFUegYGixUhUktfTIj6wNwumO7r3qOzIDft04vGI2Qk/m sK/5/y4kWYQ0DO4N7XWkwnrdApHYmKxfn2MzdnmsvPGwnM6uhLa5awuYCMTf8Aod BdXF/Hq1D3INEfIE08BHId9RGro1iFF3xNT1SCMRXcpDNqQHifcfYPjxmS7RXJjR Be2I2shQ7+3DfnWtQcg3N+D86EsdiaVBT2ngBK5fEqAl2PXYnUYDBC0gvQSDvKr1 uCGK+i+lylkVAHVTxazmWmL0nvZl7YhdVG59yDlZuxjx1ySxGXfEABevYjIWxAZq bMAo+e3DpO9Ivy2WSg/2IQtaeqNuWk441rL8zdXLxWsyZzJ+7dLdmMt00GyvpUGL Ub9NrESbt9UjQfYc =ecdp -END PGP SIGNATURE-
[SECURITY] [DLA 2014-1] vino security update
Package: vino Version: 3.14.0-2+deb8u1 CVE ID : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681 Debian Bug : 945784 Several vulnerabilities have been identified in the VNC code of vino, a desktop sharing utility for the GNOME desktop environment. The vulnerabilities referenced below are issues that have originally been reported against Debian source package libvncserver. The vino source package in Debian ships a custom-patched and stripped down variant of libvncserver, thus some of libvncserver's security fixes required porting over. CVE-2014-6053 The rfbProcessClientNormalMessage function in libvncserver/rfbserver.c in LibVNCServer did not properly handle attempts to send a large amount of ClientCutText data, which allowed remote attackers to cause a denial of service (memory consumption or daemon crash) via a crafted message that was processed by using a single unchecked malloc. CVE-2018-7225 An issue was discovered in LibVNCServer. rfbProcessClientNormalMessage() in rfbserver.c did not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets. CVE-2019-15681 LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity. For Debian 8 "Jessie", these problems have been fixed in version 3.14.0-2+deb8u1. We recommend that you upgrade your vino packages. 
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
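The three libvncserver issues described in the advisory above come down to two patterns in the RFB cut-text messages: a client-supplied length that was trusted as-is (CVE-2018-7225) and passed to a single malloc() whose result was never checked (CVE-2014-6053), and a stack-allocated reply header whose padding bytes were sent to the client without ever being written (CVE-2019-15681). The following C program is an added example written for this page, not code from libvncserver, vino or italc. It models both message headers as they appear on the wire (RFC 6143: one type byte, three padding bytes, a big-endian 32-bit length) and shows the hardened handling of each pattern; the MAX_CUT_TEXT_LEN cap, the function names and the sample messages are this example's own assumptions.

```c
/* Added example (not libvncserver's code): the RFB cut-text message handling
 * patterns behind CVE-2014-6053, CVE-2018-7225 and CVE-2019-15681. Names, the
 * MAX_CUT_TEXT_LEN cap and the sample messages are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RFB_SERVER_CUT_TEXT 3           /* server -> client message type */
#define RFB_CLIENT_CUT_TEXT 6           /* client -> server message type */
#define MAX_CUT_TEXT_LEN (1u << 20)     /* assumed server-side cap on clipboard payloads */

/* Wire layout shared by both cut-text headers: type, 3 pad bytes, u32 length (big-endian). */
typedef struct {
    uint8_t  type;
    uint8_t  pad[3];
    uint32_t length;
} cut_text_hdr;

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Server side: parse one ClientCutText message from buf[0..len).
 * Returns the payload length and a NUL-terminated heap copy in *out (caller frees),
 * -1 for malformed or oversized input, -2 if allocation fails. */
int parse_client_cut_text(const uint8_t *buf, size_t len, char **out) {
    *out = NULL;
    if (len < sizeof(cut_text_hdr) || buf[0] != RFB_CLIENT_CUT_TEXT)
        return -1;
    uint32_t n = get_be32(buf + 4);
    /* CVE-2018-7225 class: msg.cct.length came straight off the wire and was used
     * unsanitized, so a huge value read past the message into uninitialized data.
     * Bound it by both the policy cap and the bytes actually received. */
    if (n > MAX_CUT_TEXT_LEN || n > len - sizeof(cut_text_hdr))
        return -1;
    /* CVE-2014-6053 class: one unchecked malloc() of the remote-chosen size;
     * on failure the NULL result was written through. Check it. */
    char *text = malloc((size_t)n + 1);
    if (text == NULL)
        return -2;
    memcpy(text, buf + sizeof(cut_text_hdr), n);
    text[n] = '\0';
    *out = text;
    return (int)n;
}

/* Server side: serialize a ServerCutText message into out (which must hold
 * sizeof(cut_text_hdr) + n bytes); returns the number of bytes to send.
 * CVE-2019-15681 class: the header lived on the stack and its pad[] bytes were
 * never assigned, so sending the struct leaked 3 bytes of stack per message.
 * Zeroing the whole header before filling it is the fix. */
size_t build_server_cut_text(const char *text, uint32_t n, uint8_t *out) {
    cut_text_hdr hdr;
    memset(&hdr, 0, sizeof(hdr));          /* the fix: no uninitialized padding reaches the wire */
    hdr.type = RFB_SERVER_CUT_TEXT;
    put_be32((uint8_t *)&hdr.length, n);   /* big-endian on the wire whatever the host order */
    memcpy(out, &hdr, sizeof(hdr));
    memcpy(out + sizeof(hdr), text, n);
    return sizeof(hdr) + n;
}

/* Constructed sample: a well-formed ClientCutText carrying "hello". */
static const uint8_t SAMPLE_OK[]   = {6, 0, 0, 0,  0, 0, 0, 5,  'h', 'e', 'l', 'l', 'o'};
/* Constructed sample: same payload, but the header claims 0x40000000 bytes. */
static const uint8_t SAMPLE_HUGE[] = {6, 0, 0, 0,  0x40, 0, 0, 0,  'h', 'e', 'l', 'l', 'o'};

/* Runs the samples through both paths; returns 1 if every check holds, else 0. */
int demo(void) {
    char *text = NULL;
    uint8_t wire[64];
    int ok = 1;
    ok &= parse_client_cut_text(SAMPLE_OK, sizeof(SAMPLE_OK), &text) == 5 && strcmp(text, "hello") == 0;
    free(text);
    ok &= parse_client_cut_text(SAMPLE_HUGE, sizeof(SAMPLE_HUGE), &text) == -1 && text == NULL;
    memset(wire, 0xAA, sizeof(wire));      /* prefill so unwritten pad bytes would show up */
    ok &= build_server_cut_text("hello", 5, wire) == 13;
    ok &= wire[0] == RFB_SERVER_CUT_TEXT && wire[1] == 0 && wire[2] == 0 && wire[3] == 0 && wire[7] == 5;
    return ok;
}

int main(void) {
    int ok = demo();
    printf("cut-text checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with `cc -std=c99 -Wall cuttext.c` and run it: demo() returns 1 when the oversized sample is rejected before any allocation, the valid sample round-trips, and the serialized ServerCutText header carries zeroed padding. The same two checks (bound the remote length by what was actually received, and zero any struct that is sent as raw bytes) are what the vino and italc ports of the libvncserver patches add to each bundled copy of rfbserver.c.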
Re: libapache2-mod-auth-openidc
On Wed 20 Nov 2019 17:52:11 CET, Markus Koschany wrote: Hi, On 20.11.19 at 17:13, Abhijith PA wrote: Hello Markus, There aren't any open vulnerabilities in libapache2-mod-auth-openidc. The last one was announced in DLA-1996-1. Any particular reason for keeping it in dla-needed.txt? It was automatically removed from dla-needed.txt when I reserved DLA-1996-1 but Mike re-added it. It can be safely removed. Regards, Markus Sorry for the race time condition... Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: various security issues in VNC related packages
Hi Ola, On Mon 04 Nov 2019 09:58:27 CET, Ola Lundqvist wrote: Hi Mike, Please go ahead. I will be off for some time due to a planned surgery, so it would be very good if you can fix this. // Ola ACK. Good luck with the surgery. Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Accepted italc 1:2.0.2+dfsg1-2+deb8u1 (source amd64) into oldoldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 30 Oct 2019 21:41:30 +0100 Source: italc Binary: italc-master italc-master-dbg italc-client italc-client-dbg italc-management-console italc-management-console-dbg libitalccore libitalccore-dbg Architecture: source amd64 Version: 1:2.0.2+dfsg1-2+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Debian Edu Packaging Team Changed-By: Mike Gabriel Description: italc-client - intelligent Teaching And Learning with Computers - client italc-client-dbg - intelligent Teaching And Learning with Computers - client debug s italc-management-console - intelligent Teaching And Learning with Computers - management con italc-management-console-dbg - intelligent Teaching And Learning with Computers - imc debug symb italc-master - intelligent Teaching And Learning with Computers - master italc-master-dbg - intelligent Teaching And Learning with Computers - master debug s libitalccore - intelligent Teaching And Learning with Computers - libraries libitalccore-dbg - intelligent Teaching And Learning with Computers - library debug Changes: italc (1:2.0.2+dfsg1-2+deb8u1) jessie-security; urgency=medium . * Porting of libvncserver+libvncclient security patches: - CVE-2014-6051: Fix integer overflow in MallocFrameBuffer(). - CVE-2014-6052: Check for MallocFrameBuffer() return value. - CVE-2014-6053: Check malloc() return value on client->server ClientCutText message. - CVE-2014-6054: Do not accept a scaling factor of zero on PalmVNCSetScaleFactor and SetScale client->server messages - CVE-2014-6055: Fix multiple stack-based buffer overflows in file transfer feature. - CVE-2016-9941: Fix heap overflows in the various rectangle fill functions. - CVE-2016-9942: Fix heap overflow in the ultra.c decoder. - CVE-2018-7225: Uninitialized and potentially sensitive data could be accessed by remote attackers because the msg.cct.length in rfbserver.c was not sanitized. - CVE-2018-15127: heap out-of-bound write vulnerability. 
- CVE-2018-20019: multiple heap out-of-bound write vulnerabilities. - CVE-2018-20020: heap out-of-bound write vulnerability inside structure in VNC client code. - CVE-2018-20021: CWE-835: Infinite loop vulnerability in VNC client code. - CVE-2018-20022: CWE-665: Improper Initialization vulnerability. - CVE-2018-20023: Improper Initialization vulnerability in VNC Repeater client code. - CVE-2018-20024: null pointer dereference that can result DoS. - CVE-2018-6307: heap use-after-free vulnerability in server code of file transfer extension. - CVE-2018-20748: incomplete fix for CVE-2018-20019 oob heap writes. - CVE-2018-20749: incomplete fix for CVE-2018-15127 oob heap writes. - CVE-2018-20750: incomplete fix for CVE-2018-15127 oob heap writes. - CVE-2018-15126: heap use-after-free resulting in possible RCE. - CVE-2019-15681: rfbserver: don't leak stack memory to the remote. Checksums-Sha1: e27dd098ee97cc96a65234ec30198c0a835f7395 2854 italc_2.0.2+dfsg1-2+deb8u1.dsc b0688a5b5ac082a42a2fe42226da2a11b7ecce6e 2315812 italc_2.0.2+dfsg1.orig.tar.xz bf25cc0f1456a4f5a6432b528114e684cda903a2 59720 italc_2.0.2+dfsg1-2+deb8u1.debian.tar.xz 1fcd047b65e6d88c62091e0b46f98d309421d716 651630 italc-master_2.0.2+dfsg1-2+deb8u1_amd64.deb 9f0bd024fe3ed30bc15bebcd5e820aea709597e8 1096786 italc-master-dbg_2.0.2+dfsg1-2+deb8u1_amd64.deb 745e33e119586a201bae037da34a67834344c24c 641434 italc-client_2.0.2+dfsg1-2+deb8u1_amd64.deb 98a880aef9fef2947f60e96a7a47eb44e5129570 1256918 italc-client-dbg_2.0.2+dfsg1-2+deb8u1_amd64.deb efc2b2cae87ca8a4f7f9a1e5b8169360e808424e 142528 italc-management-console_2.0.2+dfsg1-2+deb8u1_amd64.deb 583efc2f9bfdb9394ce15095e95b7f3f5ac9f609 449924 italc-management-console-dbg_2.0.2+dfsg1-2+deb8u1_amd64.deb 2b238c60275b47c5578ae387e6196916532bd753 620098 libitalccore_2.0.2+dfsg1-2+deb8u1_amd64.deb f3910eea6548006ac3ecc5a9586a9392fdb3d108 1263692 libitalccore-dbg_2.0.2+dfsg1-2+deb8u1_amd64.deb Checksums-Sha256: 
743e0a722a96061e42324a7104dc843cce983273124e8788731ed4e5eaa7972e 2854 italc_2.0.2+dfsg1-2+deb8u1.dsc 559212f84980120640db9742677c2dd7b3ee9f6663ccfe73ee8dbc2d417cc6d4 2315812 italc_2.0.2+dfsg1.orig.tar.xz e18ff645c9c4a66c4ec05fc49f2484e01b077b601047498f91581efa462d337b 59720 italc_2.0.2+dfsg1-2+deb8u1.debian.tar.xz 1747662b51bbc100a5c4d98be5f4faaa63f31cf3927b16fb0aff808bb90d36ee 651630 italc-master_2.0.2+dfsg1-2+deb8u1_amd64.deb 67030b3b6dfecb09139bb38dc69e2bac4dd53b72cde10155f22332b0a2087098 1096786 italc-master-dbg_2.0.2+dfsg1-2+deb8u1_amd64.deb 78a5f2068110ce06e54b1bf78cf4a02a2cd05542a6325ecd107def31059e1f1d 641434 italc-client_2.0.2+dfsg1-2+deb8u1_amd64.deb 956c619cb09d4edbfdf253fd5734cad48f1582196ccc6f37f547c45747c7128d 1256918 italc-client-dbg_2.0.2+dfsg1-2+deb8u1_amd
Re: various security issues in VNC related packages
Hi Ola, On Wed 30 Oct 2019 21:20:50 CET, Ola Lundqvist wrote: Hi, I agree that the VNC situation in Debian is sub-optimal. Frankly speaking, not just in Debian. This popular software has diverged quite a lot, with a lot of packages sharing a similar code base. I had a brief look at vnc4 as well. It does not seem to share the same code base as libvncserver, so it should not be affected. Best regards // Ola Ok. Thanks for that. I claimed tightvnc in dla-needed.txt. As you are the maintainer, let me know if you want to pick that one up instead (I am happy to include it in my fix upload series, if not). My plan is to go over VNC related packages over the next couple of days and also propose .debdiffs for stretch versions. Thanks, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
[SECURITY] [DLA 1979-1] italc security update
to consume an excessive amount of resources like CPU and RAM CVE-2018-20022 LibVNC contained multiple weaknesses CWE-665: Improper Initialization vulnerability in VNC client code that allowed attackers to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak the stack memory layout and bypass ASLR. CVE-2018-20023 LibVNC contained CWE-665: Improper Initialization vulnerability in VNC Repeater client code that allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak the stack memory layout and bypass ASLR. CVE-2018-20024 LibVNC contained a null pointer dereference in VNC client code that could result in DoS. CVE-2019-15681 LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. Combined with another vulnerability, it could be used to leak stack memory and bypass ASLR. This attack appeared to be exploitable via network connectivity. For Debian 8 "Jessie", these problems have been fixed in version 1:2.0.2+dfsg1-2+deb8u1. We recommend that you upgrade your italc packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
various security issues in VNC related packages
Hi all,

today I looked into libvncserver/CVE-2019-15681. The VNC situation is non-optimal in Debian... The gist (which also applies to Debian) can be found in [1]. Thanks to Pavel Cheremushkin from Kaspersky for publishing his findings.

I looked at all packages I could think of that are related to VNC and came up with this list:

- x11vnc -> uses the system's libvncserver and the system's libvncclient, but still bundles older versions of both in the orig tarball (see [2]). NOT AFFECTED
- italc -> bundles libvncserver (shame on myself+upstream) and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past (luckily italc has been removed from unstable recently and replaced by veyon). AFFECTED (LOVE NEEDED)
- krfb -> ships rfbserver.c from libvncserver, but uses its own implementation of an rfbserver rewritten in C++/Qt. NOT AFFECTED
- ssvnc -> VNC client only; ships libvncclient code files, probably affected by all libvncclient CVEs. NEEDS MORE TRIAGING
- veyon -> uses the system-wide libvncserver, but still bundles libvncclient (this will be resolved with veyon 4.3.0, I heard from upstream). NEEDS MORE TRIAGING
- vino -> bundles libvncserver and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past. AFFECTED (LOVE NEEDED)
- vncsnapshot -> contains a small subset of the libvncclient files. NEEDS MORE TRIAGING
- tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch), and also from libvncclient. PARTIALLY AFFECTED (LOVE NEEDED)
- tigervnc -> VNC code has been entirely rewritten in C++, not related to libvncserver / libvncclient (anymore?) as it seems

Please add more packages, if you see fit, that belong to the same category of packages. Please provide feedback if you think otherwise on statements I made above.

light+love Mike

[1] https://www.openwall.com/lists/oss-security/2018/12/10/5
[2] https://bugs.debian.org/943833

-- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Accepted libvncserver 0.9.9+dfsg2-6.1+deb8u6 (source amd64) into oldoldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 30 Oct 2019 13:46:34 +0100 Source: libvncserver Binary: libvncclient0 libvncserver0 libvncserver-dev libvncserver-config libvncclient0-dbg libvncserver0-dbg linuxvnc Architecture: source amd64 Version: 0.9.9+dfsg2-6.1+deb8u6 Distribution: jessie-security Urgency: medium Maintainer: Peter Spiess-Knafl Changed-By: Mike Gabriel Description: libvncclient0 - API to write one's own vnc server - client library libvncclient0-dbg - debugging symbols for libvncclient libvncserver-config - API to write one's own vnc server - library utility libvncserver-dev - API to write one's own vnc server - development files libvncserver0 - API to write one's own vnc server libvncserver0-dbg - debugging symbols for libvncserver linuxvnc - VNC server to allow remote access to a tty Closes: 943793 Changes: libvncserver (0.9.9+dfsg2-6.1+deb8u6) jessie-security; urgency=medium . * Non-maintainer upload by the Debian LTS team. * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes: #943793). 
Checksums-Sha1: 503fc1224b6da92ed05006cd2e64da20c38d2204 2486 libvncserver_0.9.9+dfsg2-6.1+deb8u6.dsc 8d50e2cb9988c8d77fd44321aa59bec433ff608c 36020 libvncserver_0.9.9+dfsg2-6.1+deb8u6.debian.tar.xz 6798c1b9090d9b93781d80563a9e4e502eadda1c 125754 libvncclient0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb abd0d6cd2aa944e69aa6cd7f6d88cd21c99d10ef 192620 libvncserver0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 1786a605b5134b1e5219519fd9ba840bbf454deb 276356 libvncserver-dev_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 7a97dd368b99d33d9b92cc817a9af998bf8dfba5 90982 libvncserver-config_0.9.9+dfsg2-6.1+deb8u6_amd64.deb a2c39f4795a165d33e2d9b32aa8cc53f83c1683d 183680 libvncclient0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 8d615a51e40c25524ba5a48840432549e0dc9e70 383842 libvncserver0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 0c9ee3f81ed9327a4ec32d372a9218f88ef8d9f6 86950 linuxvnc_0.9.9+dfsg2-6.1+deb8u6_amd64.deb Checksums-Sha256: 3dee5d735c28c59a066105b6102109f6c228eaf2b9af016af0cc88ca939d3bd2 2486 libvncserver_0.9.9+dfsg2-6.1+deb8u6.dsc 3530ad12cdd78546a1b182dda0178282ebb6e5724859d985547ff743d4f798e5 36020 libvncserver_0.9.9+dfsg2-6.1+deb8u6.debian.tar.xz ad9e619572912cac131a64d57d71f52c1d3d6c891bda4687474b4975c1ad8844 125754 libvncclient0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 8ec3f159e1827b0dc49870ce137bd74f9fa162ee25da27bfb3de3afcd22198c5 192620 libvncserver0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 029c9f151da975f88520f54bc9573143b18689909bf5812a0ec2d139a24ce380 276356 libvncserver-dev_0.9.9+dfsg2-6.1+deb8u6_amd64.deb f5a82313485963dcda296b615d92475e18af4daae495ccd604ba12db3c94092b 90982 libvncserver-config_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 35117b9ca143503b4610e14840f282690d06f283ba193a16b7698f2c9fdcdab8 183680 libvncclient0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 82fc5d8d958ba1bc0ed31392b24eda85b59aedc9ca63bf7666fb054a0157cf0b 383842 libvncserver0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb a877d4501156fb95fd2f9bfc486b778bbcf3a1a705f55af5628a7c2b3955c36f 86950 linuxvnc_0.9.9+dfsg2-6.1+deb8u6_amd64.deb Files: 
82b4784f25f5e3b68a62438c35b0ac95 2486 libs optional libvncserver_0.9.9+dfsg2-6.1+deb8u6.dsc 74f9111d71e51491e57dca24ae5e3e9d 36020 libs optional libvncserver_0.9.9+dfsg2-6.1+deb8u6.debian.tar.xz 66d1d159adbfb0debc3f677d42ca51f5 125754 libs optional libvncclient0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 3705f78c2f9e064876b3420a18ec8e8e 192620 libs optional libvncserver0_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 91f5869c0c9724d269b256065d96 276356 libdevel optional libvncserver-dev_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 4986032e50cc64466d4021a937a5fd7f 90982 libdevel optional libvncserver-config_0.9.9+dfsg2-6.1+deb8u6_amd64.deb bfba6b71dac480d6eace2212ad020851 183680 debug extra libvncclient0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 267fae4a01cf2ea7b7d1ba1310868216 383842 debug extra libvncserver0-dbg_0.9.9+dfsg2-6.1+deb8u6_amd64.deb 401f3a0a0164161b323109efe4cefa0a 86950 net optional linuxvnc_0.9.9+dfsg2-6.1+deb8u6_amd64.deb -BEGIN PGP SIGNATURE- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl25h5gVHHN1bndlYXZl ckBkZWJpYW4ub3JnAAoJEJr0azAldxsx6qIQAIyKyMRC2D3RNvoBUfkz+SX8moCc VvysEGR1RFzR19iYKx9849Ah5rkpuwCT6CmWBLSZtnKeWKEfr4cEPVmtAB7yiGdH cBc5UyhFcrPeaLfyCiYlpGyPJxtRjTkHsmCW/e9rcfAcLV9ue3F3Ws7f2sse5PH5 HaeYMh6up2BKI2Mom91G7rQ309qOY7g2J4efYuNdqHn81SOq84L1zSFMTflyDLNj +Kc/ENNYZQoUByxdLbSO28p67smp7UJC68fFOOkzdfN4tQfKbikDU6z8m9MwAo0h xP1cFuZaE+MJjFcc0g+QyOSOCkMadmAzDrk24Ey7ryniOPzsVij7kc8e6kp9V++G 1h2KCIUSmYSGif7qBc/EyE3EVbApdmKRHuNQXo2ccorrKx+keODrXb1arx2Bmxr7 amKKUHfexflqYZk4a/CU08rblb5EfynlekAW3Jc/PgF01OBXQ8AUjZWqwMocDt7P 0VFmgo92FeT43TsaZxuxwXk3Vc4bVA0zLe/n0barkVb668XDEHuBcsUBaMHfvmJ9 FwVNooWGvcaXkIUR3b3UU3eczfXnUgP2MXfZEnG1qrxURJwF4DV53G7sfCbe8EXq QejvrJuyiEvcYE42YpetRK/JtHxH5Zsu/vgBgrwStGV+XV+0Mkop/j8ey0jsNYhI jcxJShm1cuAAUqKs =NMVB -END PGP SIGNATURE-
[SECURITY] [DLA 1977-1] libvncserver security update
Package: libvncserver Version: 0.9.9+dfsg2-6.1+deb8u6 CVE ID : CVE-2019-15681 Debian Bug : 943793 LibVNC contained a memory leak (CWE-655) in VNC server code, which allowed an attacker to read stack memory and could be abused for information disclosure. For Debian 8 "Jessie", this problem has been fixed in version 0.9.9+dfsg2-6.1+deb8u6. We recommend that you upgrade your libvncserver packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
[SECURITY] [DLA 1976-1] imapfilter security update
Package: imapfilter Version: 1:2.5.2-2+deb8u1 CVE ID : CVE-2016-10937 Debian Bug : 939702 The imapfilter tool, a utility for scripting IMAP operations in Lua, lacked server name / certificate peer hostname validation support. For Debian 8 "Jessie", this problem has been fixed in version 1:2.5.2-2+deb8u1. We recommend that you upgrade your imapfilter packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) fon: +49 (1520) 1976 148 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger, On Monday, 7 October 2019, Holger Levsen wrote: > Hi Mike, > > On Sun, Oct 06, 2019 at 10:14:23PM +0000, Mike Gabriel wrote: > > I tried another time, like described by Ben (a new DLA-1942-2), but the mail > > still has not arrived on the list. > > I've now sent it for you. (mutt -H $file is what I've used for that.) Thanks! > > I will be afk for the next couple of days, so I will not be able to look > > into this again after my VAC (I am sorry)! > > enjoy your VAC and please remember to update DLA-1942-2 for webwml.git > when you're back. I had already done that and Carsten already merged my MR. Thanks, Mike -- Sent from my Fairphone2 (powered by Sailfish OS).
[SECURITY] [DLA 1942-2] phpbb3 regression update
This is a follow-up to DLA-1942-1. There was some confusion about the correct fix for CVE-2019-13776. The correct announcement for this DLA should have been: Package: phpbb3 Version: 3.0.12-5+deb8u4 CVE ID : CVE-2019-13776 CVE-2019-16993 CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them. CVE-2019-13776 phpBB allowed the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking led to stored XSS. For Debian 8 "Jessie", these problems have been fixed in version 3.0.12-5+deb8u4. We recommend that you upgrade your phpbb3 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger, On Sun 06 Oct 2019 19:12:22 CEST, Holger Levsen wrote: Hi Mike, On Sun, Oct 06, 2019 at 02:43:01PM +, Mike Gabriel wrote: This is a follow-up to DLA-1942-1. this mail didn't make it to lts-announce... I tried another time, like described by Ben (a new DLA-1942-2), but the mail still has not arrived on the list. I will be afk for the next couple of days, so I will not be able to look into this again after my VAC (I am sorry)! Greets, Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
On Tue 01 Oct 2019 01:44:30 CEST, Mike Gabriel wrote: Package: phpbb3 Version: 3.0.12-5+deb8u4 CVE ID : CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them. The description in this DLA does not match what has been documented in the changelog.Debian.gz of this package version. After the upload of phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet been fixed. The correct fix for CVE-2019-13776 has been identified and will be shipped in a soon-to-come follow-up security release of phpbb3. This is a follow-up to DLA-1942-1. There was some confusion about the correct fix for CVE-2019-13776. The correct announcement for this DLA should have been: Package: phpbb3 Version: 3.0.12-5+deb8u4 CVE ID : CVE-2019-13776 CVE-2019-16993 CVE-2019-16993 In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them. CVE-2019-13776 phpBB allowed the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking led to stored XSS. For Debian 8 "Jessie", these problems have been fixed in version 3.0.12-5+deb8u4. We recommend that you upgrade your phpbb3 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Sylvain, On Tue 01 Oct 2019 13:32:25 CEST, Sylvain Beucler wrote: Hi Gabriel, I see you reverted affectation for CVE-2019-13376. CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I registered just yesterday to clarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)). CVE-2019-13376 applies to 3.2.7 which already has the fix that you thought was related (phpbb's SECURITY-231), which is a different "vulnerability" (with quotes, as it just disables a feature by default, which is expected to be re-enabled for CVE-2019-13376 to apply, as mentioned in the write-up: "in the ACP, go to General > Avatar settings and enable remote avatars"). Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993. SECURITY-231 doesn't have a CVE assigned. Cheers! Sylvain Are you 100% sure on this? Let me collect my todos for this, then: * Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog entry(?) * security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376 needs to be re-added to DLA-1942-1(?) * the dla-announcement needs to be re-done / replied to, and it needs to be declared that CVE-2019-13376 is in fact already fixed by +deb8u4 * furthermore, I referenced CVE-2019-13776 in the announcement, rather than CVE-2019-13376 (typo, g...) Correct? Thanks for spotting this! Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Accepted phpbb3 3.0.12-5+deb8u4 (source all) into oldoldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Tue, 01 Oct 2019 00:58:32 +0200 Source: phpbb3 Binary: phpbb3 phpbb3-l10n Architecture: source all Version: 3.0.12-5+deb8u4 Distribution: jessie-security Urgency: medium Maintainer: phpBB packaging team Changed-By: Mike Gabriel Description: phpbb3 - full-featured, skinnable non-threaded web forum phpbb3-l10n - additional language files for phpBB Changes: phpbb3 (3.0.12-5+deb8u4) jessie-security; urgency=medium . * Non-maintainer upload by the LTS team. * CVE-2019-13376, CVE-2019-16993: includes/acp/acp_bbcodes.php: Check form key in acp_bbcodes, and check form key no matter if submit is set. CVE-2019-13376 has been a regression of the fix for CVE-2019-16993. Checksums-Sha1: 6d6d9affe388f4d8510eaeacee4cab9a8975cf5e 15438 phpbb3_3.0.12-5+deb8u4.dsc afbacef7b089b24a718f06a84a7f437747f80889 99052 phpbb3_3.0.12-5+deb8u4.debian.tar.xz 459eef08644bda4ed4ea0f3022f36710980cffeb 1484840 phpbb3_3.0.12-5+deb8u4_all.deb 8c9a24e851be7bcbd2cf5a9d1cd14b3bd1c2bc9d 5731834 phpbb3-l10n_3.0.12-5+deb8u4_all.deb Checksums-Sha256: 9c05add1960763674d5e56eb453525f9c7389cc7e1ca7cb030a495b81e009440 15438 phpbb3_3.0.12-5+deb8u4.dsc bb5752e45f148bf77b36151c2f951845b504c0510f7b909cb94a718186e7bd5a 99052 phpbb3_3.0.12-5+deb8u4.debian.tar.xz 61d04be8d0925a2d6f589fc843c85c3b1260ef645eede899edfbacd369603d49 1484840 phpbb3_3.0.12-5+deb8u4_all.deb c2843bb96ea06b487bb118ae3cfb8055308c04b5c1220b360f40be91040cec1c 5731834 phpbb3-l10n_3.0.12-5+deb8u4_all.deb Files: 967f06cb7ca3439989e9ba9d5e308d46 15438 web optional phpbb3_3.0.12-5+deb8u4.dsc fd97298982c26125b9009b225b0df4e9 99052 web optional phpbb3_3.0.12-5+deb8u4.debian.tar.xz 02a4f62f077642a74737e6c49451266f 1484840 web optional phpbb3_3.0.12-5+deb8u4_all.deb c3d35ae8ecf02f4ab3c8895bc7d0f3b7 5731834 localization optional phpbb3-l10n_3.0.12-5+deb8u4_all.deb -BEGIN PGP SIGNATURE- iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl2Si1cVHHN1bndlYXZl 
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxroUP/AhZFBvugq12tb3/S6l2g40YSe42 mrhjgf6VkNfrfJYw92uvGMgtIJOcxVtWnAqhpwd8KrD/WasTDwHV1xtJEBsZv0G/ 1jC4ItJy9NrIvBdUTQRFyHPZ6EbV451bynXnCoOjTCMLHFUSOTHrRxg/sm3lFoX4 jtPgxqOcQAV8rl5UdU7Wcvj1+3L6FdpBSeyZ0PZDsyipR5YaCahiC4szYAbIaGSv GYKW0G4q/DHiqLwmJiBLOY7bjVUdGRFXf+8HTnQ0+ERMYsfDZVQco8e/jPF12gfZ QAy7jpW3XFduJ9Ff2cb9zsfPDPje5imAKvzW2jYyW9seU3CJVPheAjNSoZZmZmSD RlNust9sWFjt7CjLIPe6ATflOzzFgvGrKigV0dtWv0FklTtCcvWwEvsD4N/oDl8c M6mc1k67O3jE5BsnXs+4KXpwqTnaGb1EOTPcH4yyYR/9fysfwXIfid7McdtfEwo6 MtyvhpkDM+viZ89rWUmxi8DVnyHjWzsDxUDprZFo3l+FnoOc6nqs52t3+Ji0AtgY yZP8J1/1s/y5cidt2MIosRUDcjuAlPYqiw5rAiRnb4aVdqBA44yU+8ws1bRasRHn l6hCR7+/KNqWYjZGK82VSCNmzmWuGsCKr1fQW6nliETVxKPiPXZq8suSOWrtV9vH 10XRyXFNfg/ApBbJ =/g1M -END PGP SIGNATURE-