Re: Support for ckeditor3 in Debian
Hi Moritz, hi Santiago,

On Sun 11 Aug 2024 12:57:23 CEST, Moritz Muehlenhoff wrote:

> On Sat, Aug 10, 2024 at 11:19:24AM -0300, Santiago Ruano Rincón wrote:
> > (I had tried to answer from the web debian-lts archive, and I don't know why firefox ended up sending four empty emails to the list. Really sorry for the noise)
> >
> > On 31/05/22 at 05:42, Mike Gabriel wrote:
> > > Hi Moritz, Salvatore, Sylvain,
> > >
> > > On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:
> > >
> > > > On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> > > > > While this is discouraged in general, we could opt here for this, to avoid that ckeditor3 might get additional users outside of php-horde-editor.
> > > >
> > > > This would also mean that only those bits of ckeditor3 which are actually used by Horde need to be updated.
> > > >
> > > > Cheers,
> > > > Moritz
> > >
> > > I read that embedding is ok with the security team for the exceptional case php-horde-editor. I will put this on my todo list for the next Horde update round (which is already overdue).
> > >
> > > Mike
> >
> > Hello Mike,
> >
> > AFAICS on tracker.d.o, php-horde-editor hasn't been updated since then, so I guess the situation is the same as when buster was becoming LTS. I wonder if there is any action that could be made for bullseye and bookworm. Is there a way to limit the ckeditor3 security support to only cover the usage with php-horde-editor?
>
> Horde is pretty much unmaintained. php-horde-mime-viewer and php-horde-turba are in dsa-needed.txt for a long time, but pings were never replied to either. It seems best to drop Horde (and ckeditor3 alongside) from testing.
>
> Cheers,
> Moritz

I will take a look at this the coming week or the week after (when I will have plenty of time for Debian stuff).

For ckeditor3, I will drop the symlinking of ckeditor3 and use the bundled version instead (which currently gets removed). I will also check the diff between Horde's bundled version of ckeditor3 and the version we have in Debian and amend things if needed.

Regarding the nearly-non-maintenance state of Horde: Horde hasn't been ported to PHP 8, yet. One of the upstream devs is working on that, but there are no official releases, yet. I will ping them about the current status.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Support for ckeditor3 in Debian
Hi Moritz, Salvatore, Sylvain,

On Mon 30 May 2022 20:04:14 CEST, Moritz Mühlenhoff wrote:

> On Sun, May 29, 2022 at 09:36:43AM +0200, Salvatore Bonaccorso wrote:
> > While this is discouraged in general, we could opt here for this, to avoid that ckeditor3 might get additional users outside of php-horde-editor.
>
> This would also mean that only those bits of ckeditor3 which are actually used by Horde need to be updated.
>
> Cheers,
> Moritz

I read that embedding is ok with the security team for the exceptional case php-horde-editor. I will put this on my todo list for the next Horde update round (which is already overdue).

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Support for ckeditor3 in Debian
Hi all,

On Sat 21 May 2022 10:25:35 CEST, Sylvain Beucler wrote:

> Hi all,
>
> On 12/05/2022 08:35, Mike Gabriel wrote:
> > On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
> > > On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
> > > > Now, php-horde-editor is the only rdepends of ckeditor3.
> > > >
> > > > IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well and in particular try to get a picture how those known to affect ckeditor3 impact php-horde-editor. Some might be for instance negligible in context of php-horde-editor specifically.
> > > >
> > > > Just an idea, and not necessarily right now already the security team view: Depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.
> >
> > This sounds good to me.
>
> To get a clearer view, I associated ckeditor CVEs to ckeditor3, excluding those that are clearly specific to v4 or v5, and marking them when possible:
> https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a55e943bca823e36337c8b47cd65adcf0405fd4
>
> I think all vulnerabilities apply to ckeditor3 in the context of php-horde-editor, as I didn't witness any particular limitation in the way it's loaded.
>
> A few of them can be fixed, most of them (as with ckeditor4) are too unclear, and (unlike ckeditor4) we don't have the option to bump to a new upstream release.
>
> I believe we can either mark ckeditor3 as end-of-life, or maybe add it to debian-security-support:security-support-limited (best effort), what do you think?
>
> Cheers!
> Sylvain Beucler
> Debian LTS Team

As I have a company interest in Horde and thus in ckeditor3, I'd be happy to co-fund work hours on ckeditor3. Esp. because ckeditor3 in unstable needs the same love as in LTS. And we are currently working on upgrading the company mailserver.

The extra funding from DAS-NETZWERKTEAM could either be directly invoiced to me by the LTS contributor or funding could be piped through Freexian if they can go with that and see that as a requirement. So, ping@Raphael? I have something like 4-6 hours in mind. What is your preferred way of handling individual package funding such as described above?

Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Support for ckeditor3 in Debian
Hi all,

On Tue, May 10, 2022 at 12:31:46PM +0200, Sylvain Beucler wrote:
> Hello Salvatore,
>
> On 08/05/2022 21:17, Salvatore Bonaccorso wrote:
> > On Fri, May 06, 2022 at 09:23:27PM +0200, Sylvain Beucler wrote:
> > > Hello Security Team,
> > >
> > > I'm currently checking 'ckeditor' (v4), an HTML editor for web applications, currently v4), for vulnerabilities to fix.
> > > (I may send a separate e-mail about this later)
> > >
> > > I noted that 'ckeditor3' (re-introduced as a dependency to horde in 2016) did not reference any vulnerabilities. A quick check showed that it contains vulnerable code for at least CVE-2021-33829 and CVE-2021-37695.
> > > https://security-tracker.debian.org/tracker/source-package/ckeditor3
> > >
> > > Do you think we should tag 'ckeditor3' with confirmed CVEs from 'ckeditor'? Or mark it as end-of-life?
> >
> > Thanks for spotting this.
> >
> > Do we know something about php-horde-editor's compatibility with ckeditor version 4? I assume it's still incompatible and we either would need to use the embedded copy or ckeditor3 in the archive. There was only one upstream version following the introduction of ckeditor3.
>
> It seems the situation didn't change.

Technically, the situation hasn't changed. ckeditor3 works very well in Horde, whereas API changes in ckeditor4 block a direct replace of ckeditor3. That is the main reason why I reintroduced the removed ckeditor3 in 2020. At the same time, I noted in d/changelog that the reintroduction of ckeditor3 was supposed to be an interim solution. We are still, well..., in the interim, at the moment. Sorry for no progress on this part.

Horde upstream is normally quite active regarding maintenance support and Horde normally receives CVE fixes very promptly. However, the ckeditor3 is not on the Horde devs' radar, I assume.

At the same time, there is currently no heavy development going on in the Horde project, so a port of php-horde-editor to ckeditor4 (or later) does not have any ETA.

> php-horde-editor used to depend on ckeditor4 in jessie but this caused issues and was reverted to ckeditor3:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769031

Indeed.

> AFAICS upstream is still using 3.6.6:
> https://github.com/horde/Editor/tree/master/js/ckeditor

Yep.

> > Now, php-horde-editor is the only rdepends of ckeditor3.
> >
> > IMHO we need to do a re-evaluation of the current CVEs for ckeditor to see which affect ckeditor3 as well and in particular try to get a picture how those known to affect ckeditor3 impact php-horde-editor. Some might be for instance negligible in context of php-horde-editor specifically.
> >
> > Just an idea, and not necessarily right now already the security team view: Depending on this outcome we might declare it as unsupported in general, and only to be considered if an issue impacts php-horde-editor.

This sounds good to me.

> > And I wonder if it should be a goal to try to get rid of ckeditor3 again for the bookworm release, which we still would be in time. Removing does not seem to be feasible right now, as the php-horde framework depends with the php-horde-core, php-horde-imp and php-horde-gollem in some form from the editor.

Removing php-horde-editor/ckeditor3 would remove the WYSIWYG editor from Horde's webmailer (which people around me use and like). I will make Horde upstream aware of this thread and discuss with them how doable a ckeditor4 (or later) would be.

> > Inputs, Ideas?
>
> This sounds sensible to me, but since I'm no Horde expert I'm adding Mike and Juri in Cc so they can provide their thoughts on a way forward.

Please also note that Horde still needs love regarding the PHP8 transition. I have this on my radar and will get this resolved over the summer.

Currently, due to paid work, my system shows ENOTIME for this.

Thanks for bringing up this topic,
Mike

--
DAS-NETZWERKTEAM
Mike Gabriel, Herweg 7, 24357 Fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x9AF46B3025771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: ruby-rails update destroy redmine issue number linking
Hi Sylvain,

On Mon 31 Aug 2020 12:34:07 CEST, Sylvain Beucler wrote:

> Hi all,
>
> On 03/08/2020 16:43, Utkarsh Gupta wrote:
> > On Mon, Aug 3, 2020 at 6:02 PM Sylvain Beucler wrote:
> > > This version is now impacted by new security issues, such as CVE-2020-8163, so I would recommend upgrading anyway. There is no place to upload a new version (in particular, not in ELTS where neither rails nor redmine are supported),
> >
> > This is not part of Debian per-se, but rails was recently added back to the list of supported packages in ELTS.
>
> Mike (in Cc:) claimed the next upload, so this is an opportunity to address a possible regression in CVE-2020-8164/CVE-2020-8165.
>
> Cheers!
> Sylvain

Thanks for Cc:ing me! Will take a look into the issues tackled above.

Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)
On Mon 29 Jun 2020 12:07:31 CEST, Holger Levsen wrote:

> - DLA 2230-1 (reserved by Mike Gabriel)

Ouch. Here it is:
https://salsa.debian.org/webmaster-team/webwml/-/merge_requests/504

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: EOL'ing freerdp (v.1.1) for jessie and stretch
Hi again,

On Mon 01 Jun 2020 12:55:02 CEST, Mike Gabriel wrote:

> * CVE-fix freerdp2 in buster

For the record... the first round of CVE fixes has just been uploaded to buster:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961978

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
EOL'ing freerdp (v.1.1) for jessie and stretch
Hi all,

Currently, we have tons of CVE issues open for FreeRDP (v1.1) regarding jessie+stretch:
https://security-tracker.debian.org/tracker/source-package/freerdp

And the same set of CVEs for FreeRDP v2 for buster and testing/unstable:
https://security-tracker.debian.org/tracker/source-package/freerdp2

All issues have been esp. filed against FreeRDP v2 and proposed patches are also applicable against FreeRDP v2. Triaging and patch-backporting for FreeRDP (v1.1) will mean a considerable effort. IMHO, we should think about avoiding this.

With the end of jessie LTS and the upcoming stretch LTS, I'd like to propose the following changes for FreeRDP in old versions of Debian:

* EOL freerdp 1.1 for jessie (E)LTS
  -> impacts: jessie ELTS won't have any version of FreeRDP

* consider EOL'ing freerdp 1.1 for stretch LTS
  -> impacts: ltsp-client (easy to resolve, it can use freerdp2)
  -> impacts: medusa (resolve by dropping freerdp support)
  -> impacts: vlc-plugin-access-extra (drop freerdp support)

* CVE-fix freerdp2 in buster

* consider shipping freerdp2 for stretch LTS (as found in buster / stretch-backports)
  -> impacts: remmina (ship buster's / stretch-backports version)

Please send your thoughts and feedback on this!

Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh,

On Mon 25 May 2020 14:15:43 CEST, Hugh McMaster wrote:

> Hi Mike,
>
> On Mon, 25 May 2020 at 14:21, Hugh McMaster wrote:
> > On Mon, 25 May 2020 at 00:55, Adam D. Barratt wrote:
> > > Personally, it probably makes more sense for the new stretch version to be +deb9u3, built on top of the already uploaded package (and similar for buster) with a second release.d.o bug describing the new fixes. You /can/ re-use the version if that would be preferable, as the package is still in (old)stable-new right now, but that will require a reject+reupload cycle, and presumably corresponding re-tag on the git side.
> >
> > Good to know, but by the sound of things, incrementing is going to be cleaner and quicker.
>
> I've prepared debdiffs for Jessie (0.6.21-2+deb9u3), Stretch (0.6.21-2+deb9u3) and Buster (0.6.21-5.1+deb10u3) with fixes for the three new CVEs. If you have time, I'd appreciate your help in once again uploading and completing the relevant documentation.
>
> Please note: I've replaced one of the CVE patches added to Jessie in the previous release because I included the wrong patch by mistake.
>
> I'm following Adam's suggestion and incrementing the Debian package version. I will also submit bugs for Stretch and Buster.
>
> Thanks,
> Hugh

I'll take a look tonight (or tomorrow). Thanks for working on the updates.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
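The version question in the exchange above (bump to +deb9u3 versus re-use the version in (old)stable-new) only works out if the per-suite version strings keep sorting jessie < stretch < buster, otherwise a dist-upgrade would leave the older security update in place. As an added example that is not part of the thread, not Debian's dpkg code and not the libexif packaging, the block below reimplements the deb-version(7) comparison rules in Python and uses them to check an upgrade path. The libexif version strings are the ones named in this thread (jessie's taken from the +deb8u2 DLA upload); the helper names and the `upgrade_path_ok` check are this example's own.

```python
"""Debian version comparison (deb-version(7) rules) in pure Python, used
to check that security-update versions sort the way an upgrade path needs
them to: jessie < stretch < buster for the same source package.
Added example; not code from the thread, from dpkg, or from libexif."""
import re
from itertools import zip_longest


def _char_order(c):
    """Ordering for characters inside a non-digit run: '~' sorts before
    everything (even the end of the string), letters before non-letters."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for ca, cb in zip_longest(a, b, fillvalue=""):
        oa, ob = _char_order(ca), _char_order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream_version or debian_revision by alternating
    non-digit runs (lexical, per _char_order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """Return (epoch, upstream_version, debian_revision) for a version string."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1 if a < b, 0 if equal, 1 if a > b (same result as
    `dpkg --compare-versions a lt/eq/gt b`)."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upgrade_path_ok(versions_by_suite):
    """versions_by_suite: list of (suite, version), oldest suite first.
    True when every version sorts strictly below the next suite's, so a
    dist-upgrade replaces each suite's security update with the next one."""
    for (_, v1), (_, v2) in zip(versions_by_suite, versions_by_suite[1:]):
        if compare_versions(v1, v2) >= 0:
            return False
    return True


# libexif update versions as named in this thread (example input).
LIBEXIF_UPDATES = [
    ("jessie", "0.6.21-2+deb8u2"),
    ("stretch", "0.6.21-2+deb9u3"),
    ("buster", "0.6.21-5.1+deb10u3"),
]

if __name__ == "__main__":
    print("libexif upgrade path ok:", upgrade_path_ok(LIBEXIF_UPDATES))
```

Two consequences of the rules are worth keeping in mind when choosing an SRU/LTS version: the `+debNuM` suffix sorts above the bare revision it extends (so `0.6.21-2+deb8u2` is an upgrade of `0.6.21-2`) but below the next suite's `+deb9u1`, and a jessie upload carrying the same version string as its stretch successor would fail the check, because equal versions do not upgrade.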
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh,

On Tue 19 May 2020 13:24:45 CEST, Hugh McMaster wrote:

> Hi Mike,
>
> On Tue, 19 May 2020 at 00:37, Mike Gabriel wrote:
> > On Mon 18 May 2020 16:14:39 CEST, Hugh McMaster wrote:
> > > [...]
> > > In many ways, the debdiff for Jessie is the same for Stretch. The Developers Reference says SRUs need bug numbers and more detail in the changelog, so I'll get that ready.
> >
> > Excellent!
>
> I've prepared debdiffs targeting stretch and buster. Please let me know if anything needs to be changed.
>
> Hugh

Sorry for the delay. I have uploaded +deb9u2 and +deb10u2 of libexif now. I will write the SRU acceptance request bugs this afternoon.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [Pkg-phototools-devel] Jessie update of libexif?
Dear Hugh,

(re-including debian-lts)

On Mon 18 May 2020 16:14:39 CEST, Hugh McMaster wrote:

> [...]
> In many ways, the debdiff for Jessie is the same for Stretch. The Developers Reference says SRUs need bug numbers and more detail in the changelog, so I'll get that ready.

Excellent!

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh,

On Mon 18 May 2020 06:22:32 CEST, Mike Gabriel wrote:

> Hi Hugh,
>
> On Sun 17 May 2020 10:30:30 CEST, Hugh McMaster wrote:
>
> > Hi Mike and LTS team,
> >
> > On Thu, 14 May 2020 at 15:42, Mike Gabriel wrote:
> > > The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif:
> > > https://security-tracker.debian.org/tracker/CVE-2020-12767
> > >
> > > Would you like to take care of this yourself?
> > >
> > > If yes, please follow the workflow we have defined here:
> > > https://wiki.debian.org/LTS/Development
> > >
> > > If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
> >
> > I currently maintain libexif but am not a DD, so I can't upload the binary packages as per your workflow.
> >
> > I've prepared a debdiff covering all outstanding CVEs and two instances of undefined behaviour. Internal tests pass at build time. The patches are the same as those used in Sid, as the upstream version has not changed.
> >
> > Hope this helps. Please let me know if you need anything else. Feel free to adjust the changelog.
> >
> > Hugh
>
> I just reviewed your .debdiff. Thanks for the backporting of all those CVEs.

libexif 0.6.21-2+deb8u2 has arrived in jessie-security. Paperwork for jessie LTS (DLA announcement mail, Debian website update, security-tracker update) has been done.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [Pkg-phototools-devel] Jessie update of libexif?
Hi Hugh,

On Sun 17 May 2020 10:30:30 CEST, Hugh McMaster wrote:

> Hi Mike and LTS team,
>
> On Thu, 14 May 2020 at 15:42, Mike Gabriel wrote:
> > The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif:
> > https://security-tracker.debian.org/tracker/CVE-2020-12767
> >
> > Would you like to take care of this yourself?
> >
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
>
> I currently maintain libexif but am not a DD, so I can't upload the binary packages as per your workflow.
>
> I've prepared a debdiff covering all outstanding CVEs and two instances of undefined behaviour. Internal tests pass at build time. The patches are the same as those used in Sid, as the upstream version has not changed.
>
> Hope this helps. Please let me know if you need anything else. Feel free to adjust the changelog.
>
> Hugh

I just reviewed your .debdiff. Thanks for the backporting of all those CVEs.

I see that libexif in stretch and buster require uploads too. As the issues have been marked for stretch and buster, the security updates have to be uploaded as (old)stable release updates (SRUs). I can easily forward-port your .debdiff or you send me .debdiffs that match against libexif in stretch + buster. Which approach do you prefer? I am happy to sponsor your uploads to stretch and buster.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [Pkg-phototools-devel] Jessie update of libexif?
Dear Hugh,

On Sun 17 May 2020 10:30:30 CEST, Hugh McMaster wrote:

> Hi Mike and LTS team,
>
> On Thu, 14 May 2020 at 15:42, Mike Gabriel wrote:
> > The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif:
> > https://security-tracker.debian.org/tracker/CVE-2020-12767
> >
> > Would you like to take care of this yourself?
> >
> > If yes, please follow the workflow we have defined here:
> > https://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
>
> I currently maintain libexif but am not a DD, so I can't upload the binary packages as per your workflow.
>
> I've prepared a debdiff covering all outstanding CVEs and two instances of undefined behaviour. Internal tests pass at build time. The patches are the same as those used in Sid, as the upstream version has not changed.
>
> Hope this helps. Please let me know if you need anything else. Feel free to adjust the changelog.
>
> Hugh

Awesome. Thanks for sending the .debdiff. Will look into it now.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of openconnect?
Hi Luca,

On Thu 14 May 2020 20:18:53 CEST, Luca Boccassi wrote:

> On Thu, 2020-05-14 at 13:32 +, Mike Gabriel wrote:
> > Hi Luca,
> >
> > On Thu 14 May 2020 11:52:22 CEST, Luca Boccassi wrote:
> > > On Thu, 2020-05-14 at 08:03 +0200, Mike Gabriel wrote:
> > > > Dear maintainer(s),
> > > > [...]
> > > > If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
> > > >
> > > > If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.
> > > >
> > > > You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openconnect updates for the LTS releases.
> > >
> > > Hi Mike,
> > >
> > > The patch seems to apply cleanly on v6.00, so I can take care of that when I do a new upload. I will only build-test it though. Waiting for the MR to be approved upstream first.
> >
> > Yeah, please only upload once the patch has been approved by upstream. Thanks!
> >
> > The fix looks pretty straightforward. I can test the new version once uploaded. I can also take care of the paperwork (Debian LTS Announcement, website update, etc.). I will claim openconnect in our dla-needed.txt tracking file and act as your point of contact for the jessie update of openconnect.
> >
> > Thanks+Greets,
> > Mike
>
> Hi,
>
> The patch has been merged upstream, so I just backported and uploaded to jessie-security.

Paperwork (security-tracker update, DLA mail announcement, website update) has been done now.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of openconnect?
Hi Luca,

On Thu 14 May 2020 11:52:22 CEST, Luca Boccassi wrote:

> On Thu, 2020-05-14 at 08:03 +0200, Mike Gabriel wrote:
> > Dear maintainer(s),
> > [...]
> > If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.
> >
> > If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.
> >
> > You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openconnect updates for the LTS releases.
>
> Hi Mike,
>
> The patch seems to apply cleanly on v6.00, so I can take care of that when I do a new upload. I will only build-test it though. Waiting for the MR to be approved upstream first.

Yeah, please only upload once the patch has been approved by upstream. Thanks!

The fix looks pretty straightforward. I can test the new version once uploaded. I can also take care of the paperwork (Debian LTS Announcement, website update, etc.). I will claim openconnect in our dla-needed.txt tracking file and act as your point of contact for the jessie update of openconnect.

Thanks+Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of openconnect?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of openconnect:
https://security-tracker.debian.org/tracker/CVE-2020-12823

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of openconnect updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of cups (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/CVE-2019-8842
https://security-tracker.debian.org/tracker/CVE-2020-3898

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather want to work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libexif?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libexif:
https://security-tracker.debian.org/tracker/CVE-2020-12767

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libexif updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of graphicsmagick?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of graphicsmagick:
https://security-tracker.debian.org/tracker/CVE-2020-12672

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem; we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer, and then the LTS Team will take care of graphicsmagick updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of log4net?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of log4net:
https://security-tracker.debian.org/tracker/CVE-2018-1285

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem; we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer, and then the LTS Team will take care of log4net updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of apt?
Dear maintainer(s),

The Debian LTS team would like to see the following security issue fixed which is currently open in the Jessie version of apt:
https://security-tracker.debian.org/tracker/CVE-2020-3810

The apt package has been registered as a package that its maintainers would like to take care of in jessie LTS themselves, or at least be involved in the patch review.

Please follow the workflow we have defined for LTS uploads here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, please let us know. We will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of exim4?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of exim4:
https://security-tracker.debian.org/tracker/CVE-2020-12783

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem; we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer, and then the LTS Team will take care of exim4 updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of libpam-krb5?
Hi Russ,

On Wednesday, 1 April 2020, Russ Allbery wrote:
> Mike Gabriel writes:
> > On Tue 31 Mar 2020 10:28:42 CEST, Mike Gabriel wrote:
> > >> PS: A member of the LTS team might start working on this update at
> > >> any point in time. You can verify whether someone is registered
> > >> on this update in this file:
> > >> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
> >
> > I have prepared libpam-krb5 4.6-3+deb8u1 and uploaded it to
> > people.debian.org:
> > https://people.debian.org/~sunweaver/LTS/libpam-krb5.pkg/
> >
> > Please send me (or rather Utkarsh on behalf of me) doing the upload
> > during the day if you want to handle the upload and the DLA yourself.
>
> Hi Mike,
>
> Please go ahead and upload! Thank you for preparing that fix!

done!

Mike

-- 
Sent from my Sailfish device
Re: Jessie update of libpam-krb5?
Hi Russ, hi Sam,

On Tue 31 Mar 2020 10:28:42 CEST, Mike Gabriel wrote:
> PS: A member of the LTS team might start working on this update at any
> point in time. You can verify whether someone is registered on this
> update in this file:
> https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

I have prepared libpam-krb5 4.6-3+deb8u1 and uploaded it to people.debian.org:
https://people.debian.org/~sunweaver/LTS/libpam-krb5.pkg/

Please send me (or rather Utkarsh on behalf of me) doing the upload during the day if you want to handle the upload and the DLA yourself.

Thanks+Greets,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libpam-krb5?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libpam-krb5:
https://security-tracker.debian.org/tracker/source-package/libpam-krb5

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem; we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer, and then the LTS Team will take care of libpam-krb5 updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: spamassassin security update in Debian jessie LTS
Hi Salvatore, hi Noah,

On Sat 01 Feb 2020 14:01:36 CET, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> On Fri, Jan 31, 2020 at 10:01:05PM +, Mike Gabriel wrote:
> > Hi Ola, Noah,
> >
> > On Fri 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote:
> > > Hi
> > >
> > > Spamassassin (and a few other packages) are handled a little differently
> > > compared to most packages in Debian.
> > >
> > > I'd advise that we go for the latest release. The only reason I see why we
> > > would not, would be if we introduce some major backwards compatibility
> > > issue.
> > >
> > > // Ola
> >
> > Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4.-1~deb8u3) right now...
>
> Please don't (unless, see below).
>
> Noah did already outline what is going to be released for stable and
> oldstable, the patches are extracted and applied. He referenced the
> needed patches.
>
> Now if you are going still the route of backporting 3.4.4 (btw. the
> version should be either 3.4.4-0+deb8u1 or if it's most backporting the
> version minus packaging changes to be reverted 3.4.4-1~deb8u1), then
> please first work on getting 3.4.4 backports in oldstable and stable
> accordingly. SRM would need to agree on having those versions rebased.
> Otherwise after your release of the DSA we will have that jessie version
> of spamassassin is higher than the versions in stretch and buster.
>
> Hope this helps.
>
> Regards,
> Salvatore

Salvatore, thanks for your feedback on this. You are right.

First, I, by now, have a spamassassin 3.4.4-1 that builds and works on jessie (and should similarly build and work on stretch/buster, with some minor DH related changes required).

I get the point about the need of having 3.4.4 in stretch/buster before shipping it in jessie. Acknowledged.

So, I'd like to play the ball back to Noah. Do you think that applying the security patches is sufficient for spamassassin in stretch/buster? Or have there been so many other fixes(TM) that justify an upstream backport to jessie/stretch/buster? Esp. I am thinking about future compatibility with (upstream'ish) ruleset updates when those are performed on a Debian (old(old))stable system using sa-update.

For jessie, I will follow what Noah will be doing in stretch+buster, then. Valid point. Thanks for bringing it up again, Salvatore.

Greets,
Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
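The version-numbering point raised above (3.4.4-0+deb8u1 versus 3.4.4-1~deb8u1, and why a jessie 3.4.4 would sort above the spamassassin in stretch and buster) comes down to how dpkg orders version strings. The following is an added example and not code from the thread, from dpkg or from Debian: a Python reimplementation of the comparison algorithm in Debian Policy section 5.6.12, plus a helper that checks that an upgrade path across suites stays monotonic. The stretch and buster versions used in the demo are constructed placeholders, not the versions actually shipped.

```python
"""Debian version comparison, the way dpkg --compare-versions does it.

Added example for the version-numbering discussion above; this is not code
from dpkg, from the thread or from Debian. It follows the algorithm in
Debian Policy 5.6.12: split into epoch, upstream_version and
debian_revision, then compare alternating non-digit and digit runs, where
'~' sorts before everything, even before the end of the string.
"""
import re


def _order(c: str) -> int:
    """Rank of one character inside a non-digit run:
    '~' < end-of-string (or digit) < letters < other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one fragment (upstream_version or debian_revision).
    Returns <0, 0 or >0 like a C comparison function."""
    ia = ib = 0

    def char(s, i):
        return s[i] if i < len(s) else ""

    while ia < len(a) or ib < len(b):
        # non-digit run, compared character by character
        while (char(a, ia) and not char(a, ia).isdigit()) or (char(b, ib) and not char(b, ib).isdigit()):
            oa, ob = _order(char(a, ia)), _order(char(b, ib))
            if oa != ob:
                return oa - ob
            ia += 1
            ib += 1
        # digit run, compared numerically (so 1.10 > 1.9 and 1.00 == 1.0)
        da = re.match(r"\d*", a[ia:]).group()
        db = re.match(r"\d*", b[ib:]).group()
        ia += len(da)
        ib += len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return na - nb
    return 0


def split_version(version: str) -> tuple:
    """(epoch, upstream_version, debian_revision). Epoch defaults to 0 and
    the revision to '' for native packages; only the first ':' and the
    last '-' are separators, as in policy."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """<0 if a < b, 0 if equal, >0 if a > b, with dpkg semantics."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def upgrade_path_problem(chain: list):
    """chain: [(suite, version), ...] from the oldest suite to the newest.
    Returns the first (older_suite, newer_suite) pair in which the older
    suite carries the higher version, i.e. where a dist-upgrade would keep
    the old suite's build, or None if the path is monotonic."""
    for (s1, v1), (s2, v2) in zip(chain, chain[1:]):
        if compare_versions(v1, v2) > 0:
            return s1, s2
    return None


if __name__ == "__main__":
    # The stretch/buster versions below are constructed, not the real ones.
    print(compare_versions("3.4.4-1~deb8u1", "3.4.4-1"))         # < 0: '~' sorts first
    print(compare_versions("3.4.4-0+deb8u1", "3.4.4-1~deb8u1"))  # < 0
    print(upgrade_path_problem([("jessie", "3.4.4-1~deb8u1"),
                                ("stretch", "3.4.2-1+deb9u2"),
                                ("buster", "3.4.2-1+deb10u1")]))  # ('jessie', 'stretch')
```

Both version forms Salvatore mentions sort below a plain 3.4.4-1, which is what makes them safe for a later 3.4.4-1 in a newer suite; the problem he points at is the upstream part, since 3.4.4 in jessie would outrank a 3.4.2-based stretch or buster package regardless of the revision suffix.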
Re: spamassassin security update in Debian jessie LTS
Hi Matus,

On Fri 31 Jan 2020 17:16:53 CET, Matus UHLAR - fantomas wrote:
> On 31.01.20 14:31, Mike Gabriel wrote:
> > Hi Noah, dear LTS contributors,
>
> Hello guys,
>
> > I am about to look into CVE-2020-1930 and CVE-2020-1931 reported against
> > spamassassin. The issues have been fixed in 3.4.4~rc1
>
> FYI, 3.4.4 was released two days ago...
>
> > and as spamassassin has been upstream version bumped in Debian jessie LTS
> > before, I am asking for your opinion, if you'd rather recommend
> > cherry-picking the fixes (which I haven't been able to identify yet in
> > upstream SVN) or simply upstream version bump spamassassin in jessie LTS
> > once more.
> >
> > @LTS team: sharing your feedback / opinions will be much appreciated, too.
>
> ... and I discussed this with some people on spamassassin mailing list.
> quoting one mail[1]:
>
> Key to the issue is I fail to see how the highly intrusive security work
> done for 3.4.3 can possibly be backported. My recommendation remains a
> strong: upgrade to 3.4.4.
>
> and its reply[2]
>
> The Debian patches for CVE-2018-11805 and CVE-2019-12420 onto 3.4.2 are
> roughly 100kb in size. I can't guess how big would be the fix now.
>
> the decision is of course up to you.
>
> [1] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/<32172386-a795-1bea-ad6f-05218d5db...@apache.org>
> [2] https://mail-archives.apache.org/mod_mbox/spamassassin-users/202001.mbox/

Looking into 3.4.4-1~deb8u3 right now...

Thanks for the above feedback.

Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: spamassassin security update in Debian jessie LTS
Hi Ola, Noah,

On Fri 31 Jan 2020 20:32:01 CET, Ola Lundqvist wrote:
> Hi
>
> Spamassassin (and a few other packages) are handled a little differently
> compared to most packages in Debian.
>
> I'd advise that we go for the latest release. The only reason I see why we
> would not, would be if we introduce some major backwards compatibility
> issue.
>
> // Ola

Looking into a 3.4.4-1 backported to jessie (i.e. 3.4.4.-1~deb8u3) right now...

Greets,
Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
spamassassin security update in Debian jessie LTS
Hi Noah, dear LTS contributors,

I am about to look into CVE-2020-1930 and CVE-2020-1931 reported against spamassassin. The issues have been fixed in 3.4.4~rc1, and as spamassassin has been upstream version bumped in Debian jessie LTS before, I am asking for your opinion, if you'd rather recommend cherry-picking the fixes (which I haven't been able to identify yet in upstream SVN) or simply upstream version bump spamassassin in jessie LTS once more.

@LTS team: sharing your feedback / opinions will be much appreciated, too.

Thanks+Greets,
Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Unable to announce the updates
Hi Utkarsh,

On Tue 14 Jan 2020 22:50:30 CET, Utkarsh Gupta wrote:
> Hi Mike,
>
> On 14/01/20 2:00 pm, Mike Gabriel wrote:
> > please send over the announcement text, I'll handle the signed mail to
> > d-lts-announce later today.
>
> Many thanks for doing so.
> Attached is the DLA-2060 for phpmyadmin and DLA-2063 for debian-lan-config.
>
> Best,
> Utkarsh

I have sent both DLAs to the d-lts-announce mailing list now. I sent them under my UID in order to not confuse my or any other mail server, nor my local GPG. I will accordingly document the sending on behalf in my upcoming monthly report.

Greets,
Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Unable to announce the updates
Hi,

On Tue 14 Jan 2020 04:10:46 CET, Utkarsh Gupta wrote:
> Hi Chris,
>
> On Tue, 14 Jan, 2020, 5:27 AM Chris Lamb, wrote:
> > > Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and
> > > pasting its content and sending it via GMail.
> > >
> > > Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta
> > > " on Thunderbird.
> >
> > Whilst not conclusive, this would suggest to me that the mailing list
> > software is not treating this key as authorised; did you perhaps do some
> > Debian keyring changes recently? It may take some time to propagate,
> > perhaps after a keyring update (usually once a month IIRC).
>
> Ah, though my keys were in the keyring (as a DM) since March, only 15 days
> before did I get a mail from the DSA Team telling that the process from
> DM -> DD has been completed.
> So I'm guessing it'll sync by next month at least.
>
> That said, I shall send the DLAs here in sometime.
> Requesting for someone to announce the update on my behalf :)
>
> Best,
> Utkarsh

please send over the announcement text, I'll handle the signed mail to d-lts-announce later today.

Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Unable to announce the updates
Hi Utkarsh,

On Mon 13 Jan 2020 20:39:12 CET, Utkarsh Gupta wrote:
> Hi Chris, Emilio,
>
> On 13/01/20 2:41 pm, Emilio Pozuelo Monfort wrote:
> > On 10/01/2020 19:12, Utkarsh Gupta wrote:
> > > Hi Chris,
> > >
> > > On 10/01/20 11:34 pm, Chris Lamb wrote:
> > > > > I've been trying to send DLA-2063 (and now DLA-2060) announcement to
> > > > > -lts-announce but for some reasons I can't seem to post there.
> > > >
> > > > This is invariably due to issues regarding the GPG signature.
> > >
> > > Ah, I am guessing that Thunderbird doesn't really work when a GPG
> > > signature is sent as an attachment?
> > >
> > > > If it helps, I tend to BCC myself when making those announcements so
> > > > that I can confirm that I used the correct key and (inline) signature
> > > > scheme.
> > >
> > > Aha! Nice idea, I shall BCC myself, too.
> > > Perhaps I shall look up the inline signature scheme, thanks! :)
> >
> > Using enigmail with PGP/mime has problems with debian lists for some
> > reason. So that's most likely the cause. Just use inline PGP signatures
> > when sending mails to -announce lists and you should be good.
>
> Perhaps this doesn't seem to be working for me :/
>
> Here's what I'm doing:
> Running `gpg --clearsign DLA-2063-1` which generates DLA-2063-1.asc and
> pasting its content and sending it via GMail.
>
> Whilst I BCCed myself, I do get a "Good signature from Utkarsh Gupta
> " on Thunderbird.
>
> Am I missing something?

Maybe use a mail client like Mutt or Thunderbird providing native GPG support on top of your gmail account?

Mike

-- 
DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
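The thread above turns on the difference between an inline (clearsigned) body and a PGP/MIME message (multipart/signed with a detached application/pgp-signature part), and on the advice to BCC yourself to see which one your client actually produced. The following is an added example, not code from the list software, Thunderbird, Enigmail or gpg: it builds both message shapes with the Python standard library and classifies a raw message before it goes out, so that a PGP/MIME announcement is caught locally instead of bouncing. Addresses, subject lines and the signature blocks are constructed placeholders; the real clearsigned text is produced with `gpg --clearsign` as described in the thread.

```python
"""Inline (clearsigned) vs PGP/MIME signed announcement mail.

Added illustration for the -announce posting problem discussed above; not
code from the list software, Thunderbird, Enigmail or gpg. It builds the two
message shapes with the standard library and classifies a message before it
is sent. Addresses, subjects and signature blocks are constructed
placeholders; a real body comes from `gpg --clearsign`.
"""
from email import message_from_string
from email.encoders import encode_7or8bit
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

SENDER = "sender@example.invalid"                 # constructed
LIST = "debian-lts-announce@lists.debian.org"     # the list named in the thread

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Not a real signature: only the armor layout matters for this example.
PLACEHOLDER_SIG = f"{BEGIN_SIG}\n\nc2lnbmF0dXJlIHBsYWNlaG9sZGVy\n{END_SIG}\n"


def clearsign_layout(text: str) -> str:
    """Shape of `gpg --clearsign` output, with a placeholder signature block."""
    return f"{BEGIN_SIGNED}\nHash: SHA512\n\n{text}\n{PLACEHOLDER_SIG}"


def build_inline_signed(subject: str, clearsigned_body: str) -> str:
    """What the thread recommends: the clearsigned text *is* the text/plain body."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = SENDER, LIST, subject
    msg.set_content(clearsigned_body)
    return msg.as_string()


def build_pgp_mime_signed(subject: str, body: str) -> str:
    """What Enigmail's PGP/MIME mode produces: multipart/signed with a
    detached application/pgp-signature part (RFC 3156)."""
    outer = MIMEMultipart("signed", protocol="application/pgp-signature", micalg="pgp-sha256")
    outer["From"], outer["To"], outer["Subject"] = SENDER, LIST, subject
    outer.attach(MIMEText(body, "plain"))
    outer.attach(MIMEApplication(PLACEHOLDER_SIG.encode(), "pgp-signature", _encoder=encode_7or8bit))
    return outer.as_string()


def signature_style(raw: str) -> str:
    """'inline', 'pgp-mime' or 'unsigned' for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") == "application/pgp-signature":
        return "pgp-mime"
    if ctype == "text/plain":
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
        if body.startswith(BEGIN_SIGNED) and BEGIN_SIG in body and body.rstrip().endswith(END_SIG):
            return "inline"
    return "unsigned"


def ready_for_announce(raw: str) -> tuple:
    """(ok, reason): preflight check before sending to an -announce list."""
    style = signature_style(raw)
    if style == "inline":
        return True, "inline clearsigned body"
    if style == "pgp-mime":
        return False, "PGP/MIME (multipart/signed) detected; clearsign the text and paste it as the body"
    return False, "no PGP signature found in the body"


if __name__ == "__main__":
    inline = build_inline_signed("[SECURITY] [DLA 2063-1] debian-lan-config security update",
                                 clearsign_layout("Package: debian-lan-config"))
    mime = build_pgp_mime_signed("[SECURITY] [DLA 2060-1] phpmyadmin security update",
                                 "Package: phpmyadmin")
    print(ready_for_announce(inline))   # (True, 'inline clearsigned body')
    print(ready_for_announce(mime))     # (False, 'PGP/MIME ...')
```

Run `ready_for_announce()` over the message your client hands to the submission server (the copy you BCC to yourself is the easiest place to get it) before posting; the classification does not verify the signature, it only tells you which of the two layouts you are about to send.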
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi,

On Sat 21 Dec 2019 21:43:43 CET, Salvatore Bonaccorso wrote:
> Hi Mike,
>
> On Sat, Dec 21, 2019 at 05:47:25PM +, Mike Gabriel wrote:
> > Hi again,
> >
> > On Sat 21 Dec 2019 18:36:09 CET, Mike Gabriel wrote:
> > > Hi again,
> > >
> > > On Sat 21 Dec 2019 17:27:15 CET, Mike Gabriel wrote:
> > > > Hi all,
> > > >
> > > > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
> > > >
> > > > ```
> > > > Connection failed. Couldn't create remote file
> > > > ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > > > scp: ~/.x2go/ssh: No such file or directory"
> > > > ```
> > > >
> > > > The solution to this is a fix to be applied against X2Go Client (in
> > > > jessie/stretch/buster/unstable):
> > > > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> > > >
> > > > Thanks,
> > > > Mike
> > >
> > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> > > and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
> > >
> > > Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> > > please follow up and provide regression fixes (i.e. a patched X2Go
> > > Client, see LP:#1856795) to Ubuntu.
> > >
> > > Thanks+Greets,
> > > Mike
> >
> > I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix
> > for the regression with CVE-2019-14889/libssh.
> >
> > Does that need a DLA? If yes, shall it be a regression DLA for
> > DLA-2038-1/libssh? Or a new DLA number?
>
> In this case I would use a DLA-2038-2 regression update advisory, with
> tracking the x2goclient source package and (important) not tracking the
> CVE id. It's a bit of an unusual case, but that is how it's then usually
> handled. You can see DSA-4539-2 as the respective example.
>
> So your entry would look like (data/DLA/list):
>
> [$date] DLA-2038-2 x2goclient - regression update
> 	[jessie] - x2goclient $version
>
> Regards,
> Salvatore

Done. Thanks!

Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
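Salvatore's entry shape for a regression advisory (a -2 suffix on the original DLA number, the affected source package on the fixed-version line, and no CVE id of its own) is easy to get wrong by copy-pasting the -1 entry. The following is an added example and not code from the security-tracker: a small parser for data/DLA/list entries of the shape shown above, with a check that applies his rules to a regression entry. The file layout it assumes (a header line followed by indented `{CVE-...}` and `[suite] - package version` lines) is inferred from the entry in the message; the sample text is constructed, apart from the x2goclient version and the advisory ids from the thread, and the libssh version in it is a placeholder.

```python
"""Parse data/DLA/list entries and sanity-check a regression advisory.

Added illustration for the DLA-2038-2 entry shown above; not code from the
security-tracker. Assumed layout: a header "[date] DLA-NNNN-R srcpkg -
description", followed by indented "{CVE-...}" and "[suite] - srcpkg
version" lines. Sample text is constructed (libssh version is a placeholder).
"""
import re
from dataclasses import dataclass, field

HEADER = re.compile(r"^\[(?P<date>[^\]]+)\] DLA-(?P<num>\d+)-(?P<rev>\d+) (?P<pkg>\S+) - (?P<desc>.+)$")
CVE_LINE = re.compile(r"^\s+\{(?P<ids>[^}]*)\}\s*$")
FIX_LINE = re.compile(r"^\s+\[(?P<suite>[^\]]+)\] - (?P<pkg>\S+) (?P<version>\S+)\s*$")


@dataclass
class Advisory:
    date: str
    number: int
    revision: int
    package: str
    description: str
    cves: list = field(default_factory=list)
    fixed: dict = field(default_factory=dict)   # suite -> (source package, version)

    @property
    def ident(self) -> str:
        return f"DLA-{self.number}-{self.revision}"


def parse_dla_list(text: str) -> list:
    """Turn list text into Advisory records, in file order."""
    advisories = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            advisories.append(Advisory(m["date"], int(m["num"]), int(m["rev"]), m["pkg"], m["desc"]))
            continue
        if not advisories:
            raise ValueError(f"continuation line before any header: {line!r}")
        current = advisories[-1]
        m = CVE_LINE.match(line)
        if m:
            current.cves.extend(m["ids"].split())
            continue
        m = FIX_LINE.match(line)
        if m:
            current.fixed[m["suite"]] = (m["pkg"], m["version"])
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return advisories


def check_regression_entry(advisories: list, number: int, revision: int) -> list:
    """Problems with DLA-<number>-<revision> read as a regression advisory:
    -2 (or later) suffix, an original -1 to hang off, a 'regression update'
    description, a fixed-version line, and no CVE ids of its own."""
    by_id = {(a.number, a.revision): a for a in advisories}
    adv = by_id.get((number, revision))
    if adv is None:
        return [f"DLA-{number}-{revision} not found"]
    problems = []
    if revision < 2:
        problems.append("a regression update needs a -2 (or later) suffix")
    if (number, 1) not in by_id:
        problems.append(f"no original DLA-{number}-1 to attach the regression to")
    if "regression" not in adv.description.lower():
        problems.append("description should read 'regression update'")
    if not adv.fixed:
        problems.append("no '[suite] - package version' line")
    if adv.cves:
        problems.append("regression entry must not track CVE ids: " + ", ".join(adv.cves))
    return problems


# Constructed sample; the libssh version is a placeholder.
SAMPLE_OK = (
    "[21 Dec 2019] DLA-2038-1 libssh - security update\n"
    "\t{CVE-2019-14889}\n"
    "\t[jessie] - libssh 0.0.0-placeholder\n"
    "[21 Dec 2019] DLA-2038-2 x2goclient - regression update\n"
    "\t[jessie] - x2goclient 4.0.3.1-4+deb8u1\n"
)

# Same file, but with the CVE id wrongly copied onto the regression entry.
SAMPLE_BAD = SAMPLE_OK.replace("regression update\n", "regression update\n\t{CVE-2019-14889}\n")

if __name__ == "__main__":
    print(check_regression_entry(parse_dla_list(SAMPLE_OK), 2038, 2))    # []
    print(check_regression_entry(parse_dla_list(SAMPLE_BAD), 2038, 2))   # CVE complaint
```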
Re: Jessie update of nethack (minor security issues)?
Hi,

On Sat 21 Dec 2019 15:42:08 CET, Abhijith PA wrote:
> Hi Markus and Mike
>
> On 21/12/19 3:26 am, Mike Gabriel wrote:
> > On Fri 20 Dec 2019 15:35:01 CET, Markus Koschany wrote:
> > > Nethack is a game and I believe it should be added to our end-of-life
> > > list.
> >
> > +1 from me.
> >
> > Mike
>
> I claimed it in dla-needed. Should I take care of the eol procedure or
> will you be doing it?
>
> --abhijith

If no one objects within the next two days or so, please go ahead and take care of the eol procedure.

Thanks+Greets,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sat 21 Dec 2019 18:36:09 CET, Mike Gabriel wrote:
> Hi again,
>
> On Sat 21 Dec 2019 17:27:15 CET, Mike Gabriel wrote:
> > Hi all,
> >
> > the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
> >
> > ```
> > Connection failed. Couldn't create remote file
> > ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> > scp: ~/.x2go/ssh: No such file or directory"
> > ```
> >
> > The solution to this is a fix to be applied against X2Go Client (in
> > jessie/stretch/buster/unstable):
> > https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
> >
> > Thanks,
> > Mike
>
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
> and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795
>
> Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this,
> please follow up and provide regression fixes (i.e. a patched X2Go
> Client, see LP:#1856795) to Ubuntu.
>
> Thanks+Greets,
> Mike

I just dput x2goclient 4.0.3.1-4+deb8u1 to jessie-security shipping a fix for the regression with CVE-2019-14889/libssh.

Does that need a DLA? If yes, shall it be a regression DLA for DLA-2038-1/libssh? Or a new DLA number?

Appreciating feedback,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi again,

On Sat 21 Dec 2019 17:27:15 CET, Mike Gabriel wrote:
> Hi all,
>
> the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:
>
> ```
> Connection failed. Couldn't create remote file
> ~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
> scp: ~/.x2go/ssh: No such file or directory"
> ```
>
> The solution to this is a fix to be applied against X2Go Client (in
> jessie/stretch/buster/unstable):
> https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1
>
> Thanks,
> Mike

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947129
and https://bugs.launchpad.net/ubuntu/+source/libssh/+bug/1856795

Btw... if anyone with MOTU (Ubuntu maintainer) status is reading this, please follow up and provide regression fixes (i.e. a patched X2Go Client, see LP:#1856795) to Ubuntu.

Thanks+Greets,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of cyrus-sasl2?
Hi Roberto,

On Fri 20 Dec 2019 16:36:05 CET, Roberto C. Sánchez wrote:
> On Fri, Dec 20, 2019 at 01:06:39PM +0100, Mike Gabriel wrote:
> > Dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Jessie version of cyrus-sasl2:
> > https://security-tracker.debian.org/tracker/CVE-2019-19906
> >
> > Would you like to take care of this yourself?
>
> Hi Mike,
>
> I had intended to take care of this, but it seems you have already done
> it. Thanks for your help.
>
> Did you encounter any issues that might concern making the update or
> applying the patch in stretch or buster versions of cyrus-sasl?
>
> Regards,
>
> -Roberto

In fact, I have upgraded my jessie mail server with the fix and it seems to be all good. However, I am not 100% sure if my setup (cyrus-imap + postfix via saslauthd behind LDAP, etc.) hits the exact code path.

Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Regression in X2Go Client caused by CVE-2019-14889/libssh fix
Hi all,

the recent libssh fix for CVE-2019-14889 causes a regression in X2Go Client:

```
Connection failed. Couldn't create remote file
~/.x2go/ssh/key.X18947 - SCP: Warning: status code 1 received:
scp: ~/.x2go/ssh: No such file or directory"
```

The solution to this is a fix to be applied against X2Go Client (in jessie/stretch/buster/unstable):
https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d1

Thanks,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
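The error text in the report above, `scp: ~/.x2go/ssh: No such file or directory`, is the signature of a remote path that reached the remote shell inside quotes: CVE-2019-14889 is the libssh scp issue where an unsanitized remote location was interpolated into the command the server-side shell runs, and the fix shell-quotes that location, which also stops the remote shell from expanding a leading `~`. The following is an added example and not code from libssh or from x2goclient; it models the mechanism with a local /bin/sh standing in for the remote user's login shell and printf standing in for `scp -t`, so only argument expansion and command separation are observed. The remote home directory, the hostile location and the function names are constructed for the example; the client-side remedy shown (resolve `~` before the path is quoted) is one way to restore the old behaviour, not a description of what the referenced X2Go commit does.

```python
"""Why a shell-quoted scp path no longer expands '~'.

Added illustration for the X2Go Client regression reported above. Not code
from libssh or x2goclient: a local /bin/sh stands in for the remote login
shell and printf stands in for 'scp -t', so that only argument expansion is
observed and no real transfer happens. The remote home directory and the
sample locations are constructed.
"""
import shlex
import subprocess

REMOTE_HOME = "/home/alice"   # constructed: the remote user's home directory


def remote_command_unquoted(location: str) -> str:
    """Pre-fix behaviour (CVE-2019-14889 class): the caller-supplied location
    is interpolated verbatim into the command string the SSH server hands to
    the remote shell, so shell metacharacters in it are live."""
    return f"scp -t {location}"


def remote_command_quoted(location: str) -> str:
    """Post-fix behaviour: the location is single-quoted. ';', '$(...)' and
    backticks become inert, but so does '~', which is a shell feature."""
    return f"scp -t {shlex.quote(location)}"


def expand_tilde(location: str, home: str) -> str:
    """Client-side remedy: resolve a leading '~' ourselves, from the home
    directory the client already knows for the session, before the path
    reaches the quoting layer."""
    if location == "~" or location.startswith("~/"):
        return home + location[1:]
    return location


def words_seen_by_remote_shell(remote_command: str, home: str) -> list:
    """Run the argument part of `remote_command` under a local /bin/sh with
    HOME set to the (constructed) remote home and print one argv word per
    line. Extra lines mean an injected command ran."""
    prefix = "scp -t "
    if not remote_command.startswith(prefix):
        raise ValueError("expected an 'scp -t ...' command")
    probe = "printf '%s\\n' " + remote_command[len(prefix):]
    result = subprocess.run(
        ["/bin/sh", "-c", probe],
        capture_output=True, text=True, check=False,
        env={"HOME": home, "PATH": "/usr/bin:/bin"},
    )
    return result.stdout.splitlines()


def demo() -> dict:
    """The path from the X2Go error message and a hostile location, each run
    through the pre-fix, post-fix and post-fix-plus-client-remedy variants."""
    path = "~/.x2go/ssh"            # the path from the error message above
    injection = "x; echo pwned"     # constructed hostile location
    return {
        "unquoted_tilde": words_seen_by_remote_shell(remote_command_unquoted(path), REMOTE_HOME),
        "quoted_tilde": words_seen_by_remote_shell(remote_command_quoted(path), REMOTE_HOME),
        "expanded_then_quoted": words_seen_by_remote_shell(
            remote_command_quoted(expand_tilde(path, REMOTE_HOME)), REMOTE_HOME),
        "unquoted_injection": words_seen_by_remote_shell(remote_command_unquoted(injection), REMOTE_HOME),
        "quoted_injection": words_seen_by_remote_shell(remote_command_quoted(injection), REMOTE_HOME),
    }


if __name__ == "__main__":
    for name, words in demo().items():
        print(f"{name:22s} -> {words}")
```

The two tilde rows are the regression in miniature: unquoted, the remote shell turns `~/.x2go/ssh` into `/home/alice/.x2go/ssh`; quoted, it looks for a directory literally named `~`, which is the "No such file or directory" above. The injection rows are why the quoting was added in the first place. Resolving `~` on the client before quoting keeps both properties.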
Re: Jessie update of transfig (minor security issues)?
Hi Roland,

On Fri 20 Dec 2019 13:46:08 CET, Roland Rosenfeld wrote:
> Hi Mike!
>
> On Fri, 20 Dec 2019, Mike Gabriel wrote:
> > The Debian LTS team recently reviewed the security issue(s) affecting
> > your package in Jessie:
> > https://security-tracker.debian.org/tracker/CVE-2019-19797
> >
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low. When
> > resources are available on our side, one of the LTS team members will
> > start working on fixes for those minor security issues, as we think
> > that the jessie users would most certainly benefit from a fixed package.
> >
> > If you'd rather work on such an update yourself, you're welcome to do
> > so. Please send us a short notification to the debian-lts mailing list
> > (debian-lts@lists.debian.org), expressing your intention to work on
> > issues yourself. Otherwise, no action is required from your side.
>
> I'm currently waiting for the upstream maintainer fixing this issue,
> hoping that he will work on this soon. If he provides a patch, I'd upload
> a fixed package to sid and buster and stretch.
>
> To say the truth, I didn't have jessie on my focus for this issue, at
> least since it is tagged "minor issue".
>
> If you want to work on this issue, I'd prefer to get a patch against sid
> and then backport the patch to the older releases, since upstream fixed
> several issues and vulnerabilities in recent versions, while starting
> with jessie looks like the wrong direction to me. But feel free to do
> so, maybe I can port it to the newer versions :-)
>
> Greetings
> Roland

Currently, only low prio issues are open for transfig. This means that a paid member of the LTS team will take a look at it, if no other pressing issue needs fixing. As maintainer, you should get notified by dak via mail if an upload occurs.

Greets,
Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of nethack (minor security issues)?
On Fri 20 Dec 2019 15:35:01 CET, Markus Koschany wrote:
> Hi Mike,
>
> On 20.12.19 at 13:33, Mike Gabriel wrote:
> > The Debian LTS team recently reviewed the security issue(s) affecting
> > your package in Jessie:
> > https://security-tracker.debian.org/tracker/CVE-2019-19905
> >
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low.
> [...]
>
> Nethack is a game and I believe it should be added to our end-of-life
> list.
>
> Regards,
>
> Markus

+1 from me.

Mike

-- 
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of nethack (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:

https://security-tracker.debian.org/tracker/CVE-2019-19905

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

-- 
mike gabriel aka sunweaver (Debian Developer)
phone: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of ruby-rack?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ruby-rack:

https://security-tracker.debian.org/tracker/CVE-2019-16782

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ruby-rack updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

PPS: Please note that a member of the LTS team has already reviewed the upstream patches proposed to fix this CVE. The outcome of this review is: there might be regressions and possibly more when upstream's fix gets applied; see [1].

[1] https://salsa.debian.org/security-tracker-team/security-tracker/commit/e32ec7ffb4bfde893810967b08f90488f16d4be4
Jessie update of transfig (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:

https://security-tracker.debian.org/tracker/CVE-2019-19797

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low.

When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.
Jessie update of cyrus-sasl2?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of cyrus-sasl2:

https://security-tracker.debian.org/tracker/CVE-2019-19906

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of cyrus-sasl2 updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
Jessie update of proftpd-dfsg?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of proftpd-dfsg:

https://security-tracker.debian.org/tracker/CVE-2019-19269
https://security-tracker.debian.org/tracker/CVE-2019-19270
https://security-tracker.debian.org/tracker/CVE-2019-19271
https://security-tracker.debian.org/tracker/CVE-2019-19272

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of proftpd-dfsg updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
Jessie update of libjackson-json-java?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libjackson-json-java:

https://security-tracker.debian.org/tracker/CVE-2019-10172

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libjackson-json-java updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
Jessie update of asterisk?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of asterisk:

https://security-tracker.debian.org/tracker/CVE-2019-18790
https://security-tracker.debian.org/tracker/CVE-2019-18610

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of asterisk updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
Re: RFS: 389-ds-base
Hi Holger,

On Fri 29 Nov 2019 13:46:23 CET, Holger Levsen wrote:

> Hi Mike, Utkarsh,
>
> On Fri, Nov 29, 2019 at 12:24:34PM +, Mike Gabriel wrote:
>> Sorry for the delay. Looking into it right now.
>>
>> Mike (with LTS frontdesk hat on)
>
> thanks a lot for this and the uploads, Mike!
>
> Utkarsh has pinged me privately last night and thus it was on my list for today, but I'm glad to scratch it from there now! ;)

I saw those mails yesterday and wondered why nobody picked those RFSs up... Then I realized this week's frontdesk hat of mine..., and it still took a day for the bells to start ringing gently, that this might be my task... You could hear the clockwork creak in my brain before the bell rang, tststs... :-)

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: RFS: tnef
Hi,

On Mon 25 Nov 2019 06:00:51 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-18849 for tnef and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
>
> Attaching the DLA file for the same.
>
> Also, sent a patch for Stretch, Buster, Bullseye, and Sid to the maintainer. CCed #944851 and the Security team as well.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/t/tnef/tnef_1.4.9-1+deb8u4.dsc

Uploaded to security-master now.

Mike
Re: RFS: 389-ds-base
Hi,

On Mon 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
>
> Attaching the DLA file for the same.
>
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Upload to security-master now.

Mike
Re: RFS: 389-ds-base
Hi Utkarsh,

On Mon 25 Nov 2019 02:11:35 CET, Utkarsh Gupta wrote:

> Hey,
>
> I have fixed CVE-2019-14824 for 389-ds-base and uploaded the same to mentors.d.net. The relevant .dsc could be found at [1]. Requesting to upload the same on my behalf.
>
> Attaching the DLA file for the same.
>
> Also, sent a patch for (Stretch,) Buster, Bullseye, and Sid to the maintainer. CCed #944150.
>
> Best,
> Utkarsh
>
> ---
> [1]: https://mentors.debian.net/debian/pool/main/3/389-ds-base/389-ds-base_1.3.3.5-4+deb8u7.dsc

Sorry for the delay. Looking into it right now.

Mike (with LTS frontdesk hat on)
Jessie update of ssvnc?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ssvnc:

https://security-tracker.debian.org/tracker/CVE-2018-20020
https://security-tracker.debian.org/tracker/CVE-2018-20021
https://security-tracker.debian.org/tracker/CVE-2018-20022
https://security-tracker.debian.org/tracker/CVE-2018-20024

These security issues have recently become known while looking into all Debian packages that bundle some version or another of code originally derived from the libvncserver source package.

I will soon send a .debdiff to the Debian bugtracker that resolves the above named issues for ssvnc in Debian jessie. The patches should be easily forward-portable to ssvnc in stretch, buster and testing/unstable.

Would you like to take care of the jessie LTS upload yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just review the proposed fixes in the source package and give feedback, if there is any. I, with my LTS team member hat on, will take care of the upload then.

If you don't want to take care of this update at all, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ssvnc updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt
Re: libapache2-mod-auth-openidc
On Wed 20 Nov 2019 17:52:11 CET, Markus Koschany wrote:

> Hi,
>
> On 20.11.19 at 17:13, Abhijith PA wrote:
>> Hello Markus,
>>
>> There aren't any open vulnerabilities in libapache2-mod-auth-openidc. Last one was announced in DLA-1996-1. Any particular reason for keeping it in dla-needed.txt.
>
> It was automatically removed from dla-needed.txt when I reserved DLA-1996-1 but Mike readded it. It can be safely removed.
>
> Regards,
> Markus

Sorry for the race time condition...

Mike
Re: various security issues in VNC related packages
Hi Ola,

On Mon 04 Nov 2019 09:58:27 CET, Ola Lundqvist wrote:

> Hi Mike
>
> Please go ahead. I will be off for some time due to a planned surgery so it would be very good if you can fix this.
>
> // Ola

ACK. Good luck with the surgery.

Mike
Re: various security issues in VNC related packages
Hi Ola,

On Wed 30 Oct 2019 21:20:50 CET, Ola Lundqvist wrote:

> Hi
>
> I agree that the VNC situation in Debian is sub-optimal. Frankly speaking not just in Debian. This popular software has diverged quite a lot with lots of packages sharing similar code-base.
>
> I had a brief look at vnc4 as well. It does not seem to share the same code base as libvncserver so it should not be affected.
>
> Best regards
>
> // Ola

Ok. Thanks for that.

I claimed tightvnc in dla-needed.txt. As you are the maintainer, let me know if you want to pick that one up instead (I am happy to include it in my fix upload series, if not).

My plan is to go over VNC related packages over the next couple of days and also propose .debdiffs for stretch versions.

Thanks,
Mike
various security issues in VNC related packages
Hi all,

today I looked into libvncserver/CVE-2019-15681. The VNC situation is non-optimal in Debian...

The gist (which also applies to Debian) can be found in [1]. Thanks to Pavel Cheremushkin from Kaspersky for publishing his findings.

I looked at all packages I could think of that are related to VNC and came up with this list:

x11vnc -> uses system's libvncserver and system's libvncclient, but still bundles older versions of both in the orig tarball. (See [2]).
    NOT AFFECTED

italc -> bundles libvncserver (shame on myself+upstream) and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past (luckily italc has been removed from unstable recently and replaced by veyon)
    AFFECTED (LOVE NEEDED)

krfb -> ships rfbserver.c from libvncserver, but uses its own implementation of an rfbserver rewritten in C++/Qt
    NOT AFFECTED

ssvnc -> VNC client only; ships libvncclient code files, probably affected by all libvncclient CVEs
    NEEDS MORE TRIAGING

veyon -> uses system-wide libvncserver, but still bundles libvncclient (this will be resolved with veyon 4.3.0, I heard from upstream)
    NEEDS MORE TRIAGING

vino -> bundles libvncserver and uses it. It probably needs to be listed for all libvncserver CVEs we have seen in the past
    AFFECTED (LOVE NEEDED)

vncsnapshot -> contains a small subset of the libvncclient files
    NEEDS MORE TRIAGING

tightvnc -> has copy+pasted code from libvncserver, e.g. rfbserver.(ch) and also from libvncclient
    PARTIALLY AFFECTED (LOVE NEEDED)

tigervnc -> VNC code has been entirely rewritten in C++, not related to libvncserver / libvncclient (anymore?) as it seems

Please add more packages, if you see fit, that belong to the same category of packages. Please provide feedback if you think otherwise on statements I made above.

light+love
Mike

[1] https://www.openwall.com/lists/oss-security/2018/12/10/5
[2] https://bugs.debian.org/943833
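The survey above was done by hand, package by package. As an added example (it is not code from this thread or from any of the packages named in it), the scanner below does the same first pass over a directory of unpacked source trees: it greps C/C++ files for a handful of function names that are specific to libvncserver's server API and to libvncclient, so that a copy-pasted file is still caught when its name differs from upstream's (the tightvnc case). The marker lists are an assumption drawn from the public libvncserver/libvncclient API, and the sample trees that demo() builds are constructed data whose package names are only labels; a hit is a lead for manual triage, not a verdict that the package is affected.

```python
import os
import re
import tempfile

# Assumed marker identifiers from the public libvncserver (server side) and
# libvncclient (client side) API. Copy-pasted code usually keeps these names
# even when the file is renamed, so we grep contents, not file names.
SERVER_MARKERS = ("rfbNewClient", "rfbProcessClientMessage",
                  "rfbInitServer", "rfbRunEventLoop")
CLIENT_MARKERS = ("rfbGetClient", "rfbInitClient",
                  "HandleRFBServerMessage", "SendFramebufferUpdateRequest")
SOURCE_SUFFIXES = (".c", ".h", ".cc", ".cpp", ".cxx", ".hpp")


def _pattern(markers):
    # Word boundaries, so that e.g. "rfbNewClientConnection" is not a hit for "rfbNewClient".
    return re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, markers)))


SERVER_RE = _pattern(SERVER_MARKERS)
CLIENT_RE = _pattern(CLIENT_MARKERS)


def scan_tree(root):
    """Return {"server": [files], "client": [files]}, paths relative to root."""
    hits = {"server": [], "client": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 decodes any byte sequence, so odd encodings in old code
            # cannot abort the scan.
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")
            rel = os.path.relpath(path, root)
            if SERVER_RE.search(text):
                hits["server"].append(rel)
            if CLIENT_RE.search(text):
                hits["client"].append(rel)
    return hits


def classify(hits):
    """Summarise which side(s) of the library a source tree embeds."""
    server, client = bool(hits["server"]), bool(hits["client"])
    if server and client:
        return "server+client"
    if server:
        return "server"
    if client:
        return "client"
    return "none"


def scan_packages(base):
    """base holds one unpacked source tree per package; returns {package: classification}."""
    return {pkg: classify(scan_tree(os.path.join(base, pkg)))
            for pkg in sorted(os.listdir(base))
            if os.path.isdir(os.path.join(base, pkg))}


def _write(base, relpath, content):
    path = os.path.join(base, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed sample trees (not real package contents) mimicking the
    cases from the survey: a server-side copy, a client-side copy, a renamed
    copy-paste carrying both sides, and a rewrite that only shares the
    protocol vocabulary in a comment."""
    with tempfile.TemporaryDirectory() as base:
        _write(base, "vino/server/libvncserver/rfbserver.c",
               "rfbClientPtr rfbNewClient(rfbScreenInfoPtr s, int sock) { }\n")
        _write(base, "ssvnc/vncviewer/rfbproto.c",
               "rfbBool HandleRFBServerMessage(rfbClient* c) { return TRUE; }\n")
        _write(base, "tightvnc/vnc/sockets.c",          # renamed copy-paste
               "void rfbProcessClientMessage(rfbClientPtr cl) { }\n"
               "/* also carries SendFramebufferUpdateRequest from the client lib */\n")
        _write(base, "tigervnc/common/rfb/VNCServerST.cxx",
               "// rewritten in C++; mentions rfbNewClientConnection only here\n")
        _write(base, "tigervnc/README", "rfbNewClient in a README is not code\n")
        return scan_packages(base)
```

Run it as `scan_packages("/path/to/unpacked/sources")` with one subdirectory per source package (e.g. after `apt-get source` or `dpkg-source -x` for each). The marker lists are deliberately short; for a real sweep extend them with identifiers from the specific CVE's patch, since a bundled copy is only relevant if it contains the vulnerable function.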
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger,

On Monday, 7 October 2019, Holger Levsen wrote:
> Hi Mike,
>
> On Sun, Oct 06, 2019 at 10:14:23PM +0000, Mike Gabriel wrote:
> > I tried another time, like described by Ben (a new DLA-1942-2), but the mail
> > still has not arrived on the list.
>
> I've now sent it for you. (mutt -H $file is what I've used for that.)

Thanks!

> > I will be afk for the next couple of days, so I will not be able to look
> > into this again after my VAC (I am sorry)!
>
> enjoy your VAC and please remember to update DLA-1942-2 for webwml.git
> when you're back.

I had already done that and Carsten already merged my MR.

Thanks,
Mike

--
Sent from my Fairphone2 (powered by Sailfish OS).
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Holger,

On Sun 06 Oct 2019 19:12:22 CEST, Holger Levsen wrote:

> Hi Mike,
>
> On Sun, Oct 06, 2019 at 02:43:01PM +, Mike Gabriel wrote:
>> This is a follow-up to DLA-1942-1.
>
> this mail didn't make it to lts-announce...

I tried another time, like described by Ben (a new DLA-1942-2), but the mail still has not arrived on the list.

I will be afk for the next couple of days, so I will not be able to look into this again after my VAC (I am sorry)!

Greets,
Mike
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
On Tue 01 Oct 2019 01:44:30 CEST, Mike Gabriel wrote:

> Package: phpbb3
> Version: 3.0.12-5+deb8u4
> CVE ID : CVE-2019-16993
>
> In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them.

The description in this DLA does not match what has been documented in the changelog.Debian.gz of this package version. After the upload of phpbb3 3.0.12-5+deb8u4, it became evident that CVE-2019-13776 has not yet been fixed. The correct fix for CVE-2019-13776 has been identified and will be shipped in a soon-to-come follow-up security release of phpbb3.

This is a follow-up to DLA-1942-1. There was some confusion about the correct fix for CVE-2019-13776. The correct announcement for this DLA should have been:

Package: phpbb3
Version: 3.0.12-5+deb8u4
CVE ID : CVE-2019-13776 CVE-2019-16993

CVE-2019-16993

    In phpBB, includes/acp/acp_bbcodes.php had improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack was possible if an attacker also managed to retrieve the session id of a reauthenticated administrator prior to targeting them.

CVE-2019-13776

    phpBB allowed the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking lead to stored XSS.

For Debian 8 "Jessie", these problems have been fixed in version 3.0.12-5+deb8u4.

We recommend that you upgrade your phpbb3 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: [SECURITY] [DLA 1942-1] phpbb3 security update
Hi Sylvain,

On Tue 01 Oct 2019 13:32:25 CEST, Sylvain Beucler wrote:

> Hi Gabriel,
>
> I see you reverted affectation for CVE-2019-13376.
>
> CVE-2019-13376 is a follow-up fix to CVE-2019-16993 (2016) which I registered just yesterday to clarify that we've been missing this earlier fix (AFAICS unsuccessfully ;)).
>
> CVE-2019-13376 applies to 3.2.7 which already has the fix that you thought was related (phpbb's SECURITY-231), which is a different "vulnerability" (with quotes, as it just disables a feature by default, which is expected to be re-enabled for CVE-2019-13376 to apply, as mentioned in the write-up: "in the ACP, go to General > Avatar settings and enable remote avatars").
>
> Consequently DLA 1942-1 fixes CVE-2019-13376 and CVE-2019-16993. SECURITY-231 doesn't have a CVE assigned.
>
> Cheers!
> Sylvain

Are you 100% sure on this?

Let me collect my todos for this, then:

* Uploaded package is ok (3.0.12-5+deb8u4), even the debian/changelog entry(?)
* security-tracker (data/DLA/list) needs to be adapted and CVE-2019-13376 needs to be re-added to DLA-1942-1(?)
* the dla-announcement needs to be re-done / replied to, and it needs to be declared that CVE-2019-13376 is in fact already fixed by +deb8u4
* furthermore, I referenced CVE-2019-13776 in the announcement, rather than CVE-2019-13376 (typo, g...)

Correct?

Thanks for spotting this!

Mike
Re: since update 1.3.3.5-4+deb8u5 php ldap authentification failure
Hi,

On Tue 17 Sep 2019 17:38:03 CEST, Mike Gabriel wrote:

> What I did:
>
> 1. Setup a fresh 389-ds instance using jessie's original version (see http://snapshot.debian.org/package/389-ds-base/1.3.3.5-4/)
> 2. Upgrade to +deb8u4, test login, LDAP queries, etc. -> worked
> 3. Upgrade to +deb8u5, test login, LDAP queries, etc. -> worked
> 4. Upgrade to +deb8u6, test login, LDAP queries, etc. -> worked
>
> Can you by any chance provide more info about this issue? What exactly are the LDAP queries that Nextcloud does on your 389-ds server?
>
> Can anyone else give feedback about 389-ds in jessie LTS? Any observed problems that look similar to #912224 [1]?
>
> Thanks+Greets,
> Mike
>
> [1] https://bugs.debian.org/912224

completing the story...

During package upgrades, I see upgrade failures:

```
root@jessie:~# apt-get install 389-ds-base --reinstall
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen Fertig
0 aktualisiert, 0 neu installiert, 1 erneut installiert, 0 zu entfernen und 0 nicht aktualisiert.
Es müssen noch 0 B von 1.459 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 0 B Plattenplatz zusätzlich benutzt.
(Lese Datenbank ... 137483 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../389-ds-base_1.3.3.5-4+deb8u6_amd64.deb ...
Entpacken von 389-ds-base (1.3.3.5-4+deb8u6) über (1.3.3.5-4+deb8u6) ...
Trigger für man-db (2.7.0.2-5) werden verarbeitet ...
Trigger für systemd (215-17+deb8u13) werden verarbeitet ...
389-ds-base (1.3.3.5-4+deb8u6) wird eingerichtet ...
dpkg: Fehler beim Bearbeiten des Paketes 389-ds-base (--configure): Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück Fehler traten auf beim Bearbeiten von: 389-ds-base E: Sub-process /usr/bin/dpkg returned an error code (1) ``` The underlying reason of this is this: ``` root@jessie:~# setup-ds -u -s General.UpdateMode=offline Use of literal control characters in variable names is deprecated at /usr/lib/x86_64-linux-gnu/dirsrv/perl/DSCreate.pm line 867. Could not rename config file '/etc/dirsrv/slapd-jessie/slapd-collations.conf' to '/var/lib/dirsrv/slapd-jessie/bak.bak/slapd-collations.conf'. Error: Ungültiger Link über Gerätegrenzen hinweg Error: could not update the directory server. Exiting . . . Log file is '/tmp/setupKkbY5z.log' ``` The fix for it (that one has to apply to /usr/share/dirsrv/updates/60upgradeconfigfiles.pl and then run "apt-get install -f") is this: ``` --- updates.orig/60upgradeconfigfiles.pl2018-09-03 09:58:45.911804203 +0200 +++ updates/60upgradeconfigfiles.pl 2018-09-03 09:59:36.420699451 +0200 @@ -31,7 +31,7 @@ next if (! -f $oldname); # does not exist - skip - already (re)moved my $newname = "$bakdir/$file"; $! = 0; # clear -rename $oldname, $newname; +move $oldname, $newname; if ($!) { push @errs, ["error_renaming_config", $oldname, $newname, $!]; } 
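Review bot: the `if ($!)` check kept after the new `move` call in the first hunk is the wrong test for File::Copy::move. `$!` in Perl is only meaningful immediately after a failed system call, and move's cross-device path (the very case this patch exists for, /etc and /var on different filesystems) first tries rename(2), which fails with EXDEV, and then falls back to copy+unlink; move does not reset `$!` when that fallback succeeds, so a successful backup can still be pushed onto @errs as "error_renaming_config" and abort the upgrade. Test the return value instead: `unless (move($oldname, $newname)) { push @errs, ["error_renaming_config", $oldname, $newname, $!]; }`. Also confirm the script imports the function (`use File::Copy qw(move);`); the hunk does not add it, and without the import the update script dies at compile time, which dpkg would surface as the same postinst failure.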
@@ -57,7 +57,7 @@ next if (! -f $oldname); # does not exist - not backed up my $newname = $inf->{slapd}->{config_dir} . "/" . $file; next if (-f $newname); # not removed -rename $oldname, $newname; +move $oldname, $newname; } return @errs; } ``` So, an improvement, we could offer is fixing the upgrade of 389-ds-base (which had been broken since jessie got released, in fact). Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp3oOnx3FwNp.pgp Description: Digitale PGP-Signatur
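Review bot: the second hunk discards the return value of `move`, so a config file that fails to come back from the backup directory is skipped silently; unlike the first hunk nothing is pushed onto @errs, and the caller never learns that the restored config directory is incomplete. Suggest `push @errs, ["error_renaming_config", $oldname, $newname, $!] unless move($oldname, $newname);` here as well, checking the return value rather than `$!` for the same cross-device reason.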
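The failure in the setup-ds output above is rename(2) returning EXDEV ("Ungültiger Link über Gerätegrenzen hinweg": invalid cross-device link). /etc/dirsrv and /var/lib/dirsrv sit on different filesystems, and rename cannot move a file between them, which is what the quoted patch works around by switching from Perl's bare `rename` to File::Copy::move. As an added example (not code from 389-ds-base, from the thread, or from the patch), the function below shows the same fix in Python with two details a config backup in a root-run maintainer script needs: the fallback copies to a temporary name and renames it into place, so an interrupted run never leaves a half-written file under the final name, and permission bits are preserved, so a 0600 file holding credentials stays 0600. The `rename_fn` parameter and the demo() scenario are assumptions made for testing; demo() fakes the cross-device case by injecting a rename that raises EXDEV, since no second filesystem is available in a unit test.

```python
import errno
import os
import shutil
import stat
import tempfile


def move_config(src, dst, rename_fn=os.rename):
    """Move src to dst; return "rename" or "copy" to say which path was taken.

    rename_fn is an injection point (assumed, for testing only). Its default,
    os.rename, behaves like the bare `rename` in the original Perl code.
    """
    # Refuse symlinks: a backup step running as root must not be talked into
    # copying whatever a planted link in /etc points at.
    if stat.S_ISLNK(os.lstat(src).st_mode):
        raise OSError(errno.EINVAL, "refusing to move a symlink", src)
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    try:
        rename_fn(src, dst)
        return "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise                      # EACCES, ENOENT, ...: real errors, not our case
    # Cross-device: copy data and mode to a temporary name on the destination
    # filesystem, rename into place (atomic there), then drop the source.
    tmp = dst + ".tmp"
    shutil.copy2(src, tmp, follow_symlinks=False)   # copy2 keeps the mode bits
    os.rename(tmp, dst)
    os.unlink(src)
    return "copy"


def _rename_exdev(src, dst):
    """Stand-in for os.rename across a mount boundary (constructed for the demo)."""
    raise OSError(errno.EXDEV, os.strerror(errno.EXDEV), src)


def demo():
    """Constructed scenario: back up a 0600 config file once on one
    filesystem and once "across" filesystems.
    Returns {label: (how_moved, mode_of_backup, source_still_exists)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for label, fn in (("same-fs", os.rename), ("cross-fs", _rename_exdev)):
            src = os.path.join(base, label, "etc", "slapd-collations.conf")
            dst = os.path.join(base, label, "var", "bak.bak", "slapd-collations.conf")
            os.makedirs(os.path.dirname(src))
            with open(src, "w") as fh:
                fh.write("# constructed sample config\n")
            os.chmod(src, 0o600)
            how = move_config(src, dst, rename_fn=fn)
            mode = stat.S_IMODE(os.stat(dst).st_mode)
            results[label] = (how, mode, os.path.exists(src))
    return results
```

The temporary name and the final rename are what distinguish this from a plain copy+unlink: if the copy is interrupted, the restore step in the second hunk of the patch (which skips files that already exist in the config directory) would otherwise happily keep a truncated file.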
Re: since update 1.3.3.5-4+deb8u5 php ldap authentification failure
Hi Jan,

On Thu, 12 Sep 2019 09:38:13 +0200 Jan Kowalsky wrote:
> Hi Mike,
> hi Hugo,
>
> On 11.09.19 at 14:04, Mike Gabriel wrote:
> > Hi Hugo,
> >
> > sorry for the late reply on this urgent matter.
> >
> > On Sun 08 Sep 2019 10:46:26 CEST, Hugo Lefeuvre wrote:
> >
> >> Sorry for the very late answer. For some reason, it looks like the LTS team
> >> was not aware of this bug...
> >>
> >> I am the one who provided these updates. This issue must have slipped
> >> through my LDAP tests. I will investigate this as soon as possible and
> >> provide a fix consequently.
> >>
> >> Mike, you did the latest 389-ds-base update. Did you notice anything wrong
> >> during your tests?
> >
> > For uploading 1.3.3.5-4+deb8u6, I unfortunately did not do much smoke
> > testing regarding the LDAP query stuff (the patch was about indefinite
> > SSL connection hangs).
> >
> > Let me know, if you need help looking into this (due to e.g. time
> > constraints or what not on your side).
>
> as with version 1.3.5.17-2 everything worked fine, we didn't investigate
> further...
>
> So I can only report that we didn't encounter any errors with all the
> versions shipped in debian 9.
>
> Regards
> Jan

I looked into this issue much deeper today and I cannot confirm the observation this bug was originally about.

What I did:

1. Setup a fresh 389-ds instance using jessie's original version (see http://snapshot.debian.org/package/389-ds-base/1.3.3.5-4/)
2. Upgrade to +deb8u4, test login, LDAP queries, etc. -> worked
3. Upgrade to +deb8u5, test login, LDAP queries, etc. -> worked
4. Upgrade to +deb8u6, test login, LDAP queries, etc. -> worked

Can you by any chance provide more info about this issue? What exactly are the LDAP queries that Nextcloud does on your 389-ds server?

Can anyone else give feedback about 389-ds in jessie LTS? Any observed problems that look similar to #912224 [1]?

Thanks+Greets,
Mike

[1] https://bugs.debian.org/912224
Re: since update 1.3.3.5-4+deb8u5 php ldap authentification failure
Hi Hugo,

sorry for the late reply on this urgent matter.

On So 08 Sep 2019 10:46:26 CEST, Hugo Lefeuvre wrote:

> Sorry for the very late answer. For some reason, it looks like the LTS team
> was not aware of this bug...
>
> I am the one who provided these updates. This issue must have slipped
> through my LDAP tests. I will investigate this as soon as possible and
> provide a fix consequently.
>
> Mike, you did the latest 389-ds-base update. Did you notice anything wrong
> during your tests?

For uploading 1.3.3.5-4+deb8u6, I unfortunately did not do much smoke testing regarding the LDAP query stuff (the patch was about indefinite SSL connection hangs).

Let me know if you need help looking into this (due to e.g. time constraints or what not on your side).

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: qemu status
Hi Sylvain,

On Mo 09 Sep 2019 21:37:31 CEST, Sylvain Beucler wrote:

> I can make myself available on Friday 10AM, that sounds good.

Good. Stencilled into my calendar now.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: qemu status
Hi Sylvain,

On Mo 09 Sep 2019 11:23:59 CEST, Sylvain Beucler wrote:

> On 04/09/2019 15:41, Sylvain Beucler wrote:
> > Hi Mike, hi all :)
> >
> > We have a prepared QEMU update from 3 months ago that needs attention:
> > https://packages.sunweavers.net/debian/pool/main/q/qemu/
> >
> > It fixes:
> > CVE-2017-9375
> > CVE-2019-12155
> > CVE-2017-15124
> > CVE-2016-5403
> > CVE-2016-5126
> >
> > Since then we got:
> > CVE-2019-14378
> > CVE-2019-13164
> > CVE-2019-12068
> > CVE-2019-12067
> > and possibly CVE-2018-19665 to reconsider.
> >
> > I can take the time to set up a physical box and provide more testing /
> > more patching. Before doing so, I thought I'd first check: what are your
> > plans for this month regarding this update? :)
> >
> > Cheers!
> > Sylvain
>
> Ping?

Thanks for pinging. And: sorry, I did not get any work on this done on Saturday.

Did you get any testing work done on this already? If not, I'd suggest to meet on IRC on Friday this week, after 10am (CEST) and get to work on this together. Is that a plan?

Let me know if you are available then.

Thanks,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: About the security issues affecting imagemagick in Jessie
Hi Hugo, hi all,

On So 01 Sep 2019 00:26:24 CEST, Hugo Lefeuvre wrote:

> Hi Mike,
>
> > > I have recently worked on these issues (in the last two weeks, in fact). :-)
> > >
> > > Most of these issues are no-dsa, either very minor from a security point of
> > > view or the patches are too unclear/unstable to be applied currently.
> > >
> > > The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did not
> > > upload this patch because it is big, not really understandable, and
> > > undocumented. Upstream did not answer my questions yet.
> > >
> > > I'd just remove imagemagick from dla-needed and wait some time, until upstream
> > > clarifies this patch. If he doesn't, I'd just mark this no-dsa.
> >
> > Can you rather document imagemagick (by adding a short version of the above
> > as a note) in dla-needed.txt so that the person at front desk knows.
>
> Yes I can do that, but it sounds like a misusage of dla-needed to me. Does it
> make sense to have a dla-needed entry for imagemagick if we don't intend to
> release any DLA for these issues (yet)?

It may make sense or it may not. Either a CVE should be worked upon or it should not (for whatever reason). (see below)

> > If you think that imagemagick has many issues we should ignore for jessie
> > LTS, would it be appropriate to tag them as ignored in data/CVE/list?
> > Otherwise they pop up again and again in lts-cve-triage.py.
>
> I have done some more triage. However please note that these issues pop up
> in lts-cve-triage because they are still open in stretch. The security team
> is currently working on imagemagick, so this should be fixed in the next
> weeks.

Ok, great. Thanks for checking once more.

Sylvain recently added some changes to lts-cve-triage.py that show the no-dsa tags for each CVE. If an issue is still open for stretch, but tagged differently for jessie, then these tags help me to ignore those CVEs for LTS when triaging:

```
* imagemagick https://security-tracker.debian.org/tracker/source-package/imagemagick
  - CVE-2019-12977 https://security-tracker.debian.org/tracker/CVE-2019-12977 ignored
  - CVE-2019-12978 https://security-tracker.debian.org/tracker/CVE-2019-12978 ignored
  - CVE-2019-12979 https://security-tracker.debian.org/tracker/CVE-2019-12979 ignored
  - CVE-2019-13300 https://security-tracker.debian.org/tracker/CVE-2019-13300 ignored
  - CVE-2019-13307 https://security-tracker.debian.org/tracker/CVE-2019-13307 ignored
  - CVE-2019-13308 https://security-tracker.debian.org/tracker/CVE-2019-13308 postponed
  - CVE-2019-13391 https://security-tracker.debian.org/tracker/CVE-2019-13391 postponed
  - CVE-2019-13454 https://security-tracker.debian.org/tracker/CVE-2019-13454 ignored
  - CVE-2019-14981 https://security-tracker.debian.org/tracker/CVE-2019-14981 postponed
```

I find that the below package / CVE states make front-desk life easy and clear:

- package has been claimed
- a CVE is tagged with
- a CVE is tagged with
- a CVE is vulnerable
- a CVE is fixed

The tag is a bit of a dodgy statement here (it should be worked upon, but later when some other more severe issue pops up for the same package, or when some feedback is received, or when ). So, a tag can in fact mean anything. When being at front-desk you have to dig into the details (security-tracker comments, older mailing list threads, etc.) to understand the nature of individual tags. This is awkward IMHO.

Regarding imagemagick, CVE-2019-13308 and CVE-2019-13391 are postponed, because upstream feedback is required. CVE-2019-14981 is postponed until something more severe needs fixing.

IMHO, CVE-2019-13308 and CVE-2019-13391 are a good reason for keeping imagemagick in dla-needed.txt and also keeping it claimed by the person who sent out the requests for feedback to upstream.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Dovecot Update Fails on Jessie [resolved]
Hi Rainer,

On Sa 31 Aug 2019 19:39:46 CEST, Rainer Dorsch wrote:

> it says dovecot can be activated again by dovecot.socket, when stopping
> dovecot the way the pre-rm script does it. I then stopped dovecot.socket
> first and dovecot.service second:
>
> root@netcup:~# systemctl stop dovecot.socket
> root@netcup:~# systemctl stop dovecot.service
>
> This really stops dovecot
>
> [...]
>
> Now the upgrade went through flawless:
>
> [...]
>
> Many thanks again Roberto and Mike for looking into that and helping to
> get the issue resolved.

Thanks for the analysis and I am glad that you found the solution/reason to/for your issue.

I will check bug presence in unstable's dovecot and file a bug report against dovecot later today / tomorrow.

Thanks+Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Jessie update of ansible (minor security issues)?
Hi Lee,

thanks for the reply.

On Sa 31 Aug 2019 16:22:38 CEST, Lee Garrett wrote:

> Hi Mike!
>
> (please don't CC Michael, he is not active on the ansible package anymore
> and asked to be removed from uploaders.)
>
> On 30/08/2019 12:09, Mike Gabriel wrote:
> > The Debian LTS team recently reviewed the security issue(s) affecting your
> > package in Jessie:
> >
> > https://security-tracker.debian.org/tracker/source-package/ansible
> >
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low. When
> > resources are available on our side, one of the LTS team members will
> > start working on fixes for those minor security issues, as we think that
> > the jessie users would most certainly benefit from a fixed package.
>
> That sounds good. Though I really don't know how many people still use the
> oldoldstable packages. The bug reports and backport requests (on the BTS
> and in private) I get tend to be from stable and newer. Most common
> requests are for backports updates.
>
> If you think it's a good thing I'm more than happy to help. I agree with
> your assessment that all CVEs are of very low impact. There's a jessie git
> branch you can make releases from which I can give you access to. If you
> need any help feel free to help. I currently don't have capacity to commit
> to maintaining LTS, too, as IRL tends to come in between. :)
>
> > If you'd rather work on such an update yourself, you're welcome to do
> > so. Please send us a short notification to the debian-lts mailing list
> > (debian-lts@lists.debian.org), expressing your intention to work on
> > issues yourself. Otherwise, no action is required from your side.
> >
> > When working on issues, please try to follow the workflow we have defined
> > here: https://wiki.debian.org/LTS/Development
> >
> > If that workflow is a burden to you, feel free to just prepare an updated
> > source package and send it to debian-lts@lists.debian.org (via a debdiff,
> > or with a URL pointing to the source package, or even with a pointer to
> > your packaging repository), and the members of the LTS team will take
> > care of the rest. However please make sure to submit a tested package.
> >
> > Thank you very much.
> >
> > Mike Gabriel, on behalf of the Debian LTS team.
>
> Regards,
> Lee

Roberto Sánchez from the LTS team picked up ansible and he will look into things the coming week, as I heard from him yesterday. I'll leave it to him to reply and get back to you.

Greets,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Dovecot Update Fails on Jessie
Hi Rainer,

On Sa 31 Aug 2019 09:52:47 CEST, Rainer Dorsch wrote:

> It almost looks to me that dovecot restarts itself (?)
>
> Aug 31 09:49:13 netcup systemd[1]: Stopping Dovecot IMAP/POP3 email server...
> Aug 31 09:49:13 netcup dovecot[12165]: anvil: Warning: Killed with signal 15 (by pid=1 uid=0 code=kill)
> Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: read(anvil-auth-penalty) failed: EOF
> Aug 31 09:49:13 netcup dovecot[12165]: auth: Error: net_connect_unix(anvil-auth-penalty) failed: Permission denied
> Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
> Aug 31 09:49:13 netcup dovecot[12165]: imap-login: Error: read(anvil) failed: EOF
> Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=160 out=105576
> Aug 31 09:49:13 netcup dovecot[12165]: imap: Server shutting down. in=141 out=1696
> Aug 31 09:49:13 netcup systemd[1]: Stopped Dovecot IMAP/POP3 email server.
> Aug 31 09:49:13 netcup systemd[1]: Starting Dovecot IMAP/POP3 email server...
> Aug 31 09:49:13 netcup systemd[1]: Started Dovecot IMAP/POP3 email server.
> Aug 31 09:49:13 netcup dovecot[12180]: master: Dovecot v2.2.13 starting up for imap, sieve (core dumps disabled)

Can you check on /var/run/dovecot and see if those socket files [1] appear / do not appear (they might possibly come and go rapidly, so you need to be a trickster using the watch tool, maybe?). Please also let me know what permissions these files have.

Could it be possible, for any reason, that /var/run/dovecot is either read-only or out of space?

From what I can tell (I looked at the diff between ~deb8u6 and ~deb8u7 and your console output), your issue may be coincidental with the upgrade of the dovecot package in jessie LTS. I am not saying that it is, but it could be. So let's better check out if something outside of dovecot might be causing this issue.

I have also attached the changes between ~deb8u6 and ~deb8u7 for review by yourself or others.

I could not spot anything in the security patches applied that might cause such a severe issue as in your report.

It would be interesting if downgrading dovecot back to ~deb8u6 [3] might get this system back into a usable state. If dovecot is the cause of your issue, it very probably will. If not, then something else is going on.

Greets,
Mike

[1] anvil, anvil-auth-penalty
[2] dovecot_2.2.13-12~deb8u6_2.2.13-12~deb8u7.debdiff
[3] http://snapshot.debian.org/package/dovecot/1%3A2.2.13-12%7Edeb8u6/#binpkgs

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru dovecot-2.2.13/debian/changelog dovecot-2.2.13/debian/changelog --- dovecot-2.2.13/debian/changelog 2019-03-29 12:38:40.0 +0100 +++ dovecot-2.2.13/debian/changelog 2019-08-29 20:23:16.0 +0200 @@ -1,3 +1,16 @@ +dovecot (1:2.2.13-12~deb8u7) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * Fix CVE-2019-11500 +- lib-imap: Don't accept strings with NULs +- lib-imap: Make sure str_unescape() won't be writing past allocated + memory +- lib-managesieve: Don't accept strings with NULs +- lib-managesieve: Make sure str_unescape() won't be writing past + allocated memory + + -- Roberto C. Sanchez Thu, 29 Aug 2019 14:23:16 -0400 + dovecot (1:2.2.13-12~deb8u6) jessie-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch --- dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch 1970-01-01 01:00:00.0 +0100 +++ dovecot-2.2.13/debian/patches/lib-imap-Don-t-accept-strings-with-NULs.patch 2019-08-29 20:23:16.0 +0200 
@@ -0,0 +1,36 @@ +From 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb Mon Sep 17 00:00:00 2001 +From: Timo Sirainen +Date: Fri, 10 May 2019 19:24:51 +0300 +Subject: [PATCH 1/2] lib-imap: Don't accept strings with NULs + +IMAP doesn't allow NULs except in binary literals. We'll still allow them +in regular literals as well, but just not in strings. + +This fixes a bug with unescaping a string with NULs: str_unescape() could +have been called for memory that points outside the allocated string, +causing heap corruption. This could cause crashes or theoretically even +result in remote code execution exploit. + +Found by Nick Roessler and Rafi Rubin +[Salvatore Bonaccorso: Backported to 2.2.27: Rename back error field to +parser->error, which was an upstream change around 2.3.0.rc1 with +468440fab1a1 ("lib-imap: imap-parser: Renamed error field to +error_msg.")] +--- + src/lib-imap/imap-parser.c | 6
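Review bot: the backport note in the new patch header ("Backported to 2.2.27: Rename back error field to parser->error") documents an adaptation to 2.2.27, but this upload is 1:2.2.13-12~deb8u7, so the header should also record whether the 2.2.27 version applied unchanged to 2.2.13 or needed further adjustment, otherwise a later reviewer cannot tell which tree upstream commit 58ffd3e8a02e54fc98b6be78e02b0511ee9263eb was adjusted against. The attached debdiff also ends at the diffstat line "src/lib-imap/imap-parser.c | 6", so none of the actual code changes of this patch (nor the three other patches listed in the changelog entry) are visible here and cannot be reviewed from this attachment; the complete debdiff should be re-sent.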
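The checks Mike asks Rainer for in the message above (do the anvil sockets exist in /var/run/dovecot, what are their permissions, is the directory read-only or out of space), collected into one script as an added example that is not part of the thread. The directory path and the socket names anvil and anvil-auth-penalty come from the message; the report layout is my own.

```python
"""Added example (not from the thread): report the state of dovecot's run
directory so that the finding can be posted back precisely."""
import os
import stat

# Socket files referenced by the log excerpt in the message ([1]).
EXPECTED_SOCKETS = ("anvil", "anvil-auth-penalty")


def check_rundir(rundir="/var/run/dovecot", expected=EXPECTED_SOCKETS):
    """Return a dict describing rundir. 'ok' is True only if the directory
    exists, is writable, has free space/inodes, and every expected name
    exists as a Unix socket (a regular file left behind counts as a problem)."""
    report = {"dir": rundir, "exists": os.path.isdir(rundir), "sockets": {},
              "writable": False, "free_bytes": None, "free_inodes": None,
              "problems": []}
    if not report["exists"]:
        report["problems"].append("directory missing")
        report["ok"] = False
        return report

    # Writability covers both a read-only mount and wrong directory permissions.
    report["writable"] = os.access(rundir, os.W_OK)
    if not report["writable"]:
        report["problems"].append("directory not writable (read-only mount or perms?)")

    # Free space and inodes on the filesystem holding the directory.
    vfs = os.statvfs(rundir)
    report["free_bytes"] = vfs.f_bavail * vfs.f_frsize
    report["free_inodes"] = vfs.f_favail
    if report["free_bytes"] == 0:
        report["problems"].append("filesystem out of space")
    # Some filesystems report f_files == 0 (no fixed inode table); skip those.
    if vfs.f_files and vfs.f_favail == 0:
        report["problems"].append("filesystem out of inodes")

    for name in expected:
        path = os.path.join(rundir, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            report["sockets"][name] = None
            report["problems"].append(f"{name}: missing")
            continue
        entry = {"is_socket": stat.S_ISSOCK(st.st_mode),
                 "mode": stat.filemode(st.st_mode),   # e.g. "srw-rw-rw-"
                 "uid": st.st_uid, "gid": st.st_gid}
        report["sockets"][name] = entry
        if not entry["is_socket"]:
            report["problems"].append(
                f"{name}: exists but is not a socket ({entry['mode']})")

    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    import json
    import sys
    # Run repeatedly (e.g. under watch) while dovecot is stopped/started to
    # see whether the sockets come and go.
    result = check_rundir(sys.argv[1] if len(sys.argv) > 1 else "/var/run/dovecot")
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```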
Re: CVE-2019-5477: ruby-nokogiri issue caused by rexical
Hi,

On Friday, 30 August 2019, Salvatore Bonaccorso wrote:
> hi Mike,
>
> On Fri, Aug 30, 2019 at 03:22:23PM +0200, Salvatore Bonaccorso wrote:
> > Hi Mike,
> >
> > On Fri, Aug 30, 2019 at 11:25:16AM +, Mike Gabriel wrote:
> > > However, to address CVE-2019-5477 it should also be associated to the
> > > rexical src:pkg in stretch and later. @security-team: can you please
> > > update data/CVE/list appropriately (instead of me updating it and you
> > > correcting my change)? Thanks!
> >
> > The CVE is very specifically assigned for Nokogiri itself (Nokogiri does
> > not regenerate the code with rexical AFAICS, but will double check
> > again). Thus not updating it for now, but I have a pending request to
> > MITRE to clarify the scope of the CVE.
>
> MITRE confirmed the scope can be covered by the change in rexical as
> well, considering it a vulnerability in that source as well.
>
> Thus following that, I added it now.
>
> Regards,
> Salvatore

Thanks for handling this and updating the tracker.

Mike

--
Sent from my Fairphone2 (powered by Sailfish OS).
Re: About the security issues affecting imagemagick in Jessie
Hi Hugo,

(taking pkg maintainers out of the loop as this is an LTS workflow issue)

On Fr 30 Aug 2019 15:03:03 CEST, Hugo Lefeuvre wrote:

> Hi Mike,
>
> > The Debian LTS team recently reviewed the security issue(s) affecting your
> > package in Jessie:
> >
> > https://security-tracker.debian.org/tracker/source-package/imagemagick
> >
> > We decided that a member of the LTS team should take a look at this
> > package, although the security impact of still open issues is low. When
> > resources are available on our side, one of the LTS team members will
> > start working on fixes for those minor security issues, as we think that
> > the jessie users would most certainly benefit from a fixed package.
>
> I have recently worked on these issues (in the last two weeks, in fact). :-)
>
> Most of these issues are no-dsa, either very minor from a security point of
> view or the patches are too unclear/unstable to be applied currently.
>
> The only recently postponed issue is CVE-2019-13391/CVE-2019-13308. I did
> not upload this patch because it is big, not really understandable, and
> undocumented. Upstream did not answer my questions yet.
>
> I'd just remove imagemagick from dla-needed and wait some time, until
> upstream clarifies this patch. If he doesn't, I'd just mark this no-dsa.
>
> regards,
> Hugo

Can you rather document imagemagick (by adding a short version of the above as a note) in dla-needed.txt so that the person at front desk knows.

If you think that imagemagick has many issues we should ignore for jessie LTS, would it be appropriate to tag them as ignored in data/CVE/list? Otherwise they pop up again and again in lts-cve-triage.py.

Thanks,
Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: CVE-2019-5477: ruby-nokogiri issue caused by rexical
On Fr 30 Aug 2019 15:22:23 CEST, Salvatore Bonaccorso wrote:

> Hi Mike,
>
> On Fri, Aug 30, 2019 at 11:25:16AM +, Mike Gabriel wrote:
> > However, to address CVE-2019-5477 it should also be associated to the
> > rexical src:pkg in stretch and later. @security-team: can you please
> > update data/CVE/list appropriately (instead of me updating it and you
> > correcting my change)? Thanks!
>
> The CVE is very specifically assigned for Nokogiri itself (Nokogiri does
> not regenerate the code with rexical AFAICS, but will double check
> again). Thus not updating it for now, but I have a pending request to
> MITRE to clarify the scope of the CVE.
>
> Regards,
> Salvatore

Thanks for that!

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: (minor) vs. ($not-fixable-because) (was: Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869))
Hi Sylvain,

On Fr 30 Aug 2019 11:13:14 UTC, Sylvain Beucler wrote:

> Hi,
>
> On 30/08/2019 10:28, Mike Gabriel wrote:
> > Hi Sylvain, hi all,
> >
> > On Fr 08 Mär 2019 11:03:49 CET, Sylvain Beucler wrote:
> > > Hi,
> > >
> > > On 04/03/2019 17:37, Sylvain Beucler wrote:
> > > > On 04/03/2019 16:55, Markus Koschany wrote:
> > > > > On 04.03.19 at 16:33, Sylvain Beucler wrote:
> > > > > > [...]
> > > > > > I see this as a strong signal that we should not attempt to backport
> > > > > > the fix, and go with a (minor).
> > > > > > Alternatively we could upgrade nettle (libnettle4->libnettle6) which
> > > > > > doesn't break gnutls28's test suite, though it's likely to introduce
> > > > > > other issues (e.g. #789119).
> > > > > > Thoughts?
> > > > >
> > > > > I also worked on nettle/gnutls26 for Wheezy. There are too many changes
> > > > > and just backporting rsa_sec_decrypt in nettle would be an incomplete
> > > > > fix for CVE-2018-16869 because they introduced more hardening against
> > > > > those side-channel attacks in other functions. An upgrade of nettle
> > > > > would require a rebuild of all reverse-dependencies and that is
> > > > > probably too intrusive.
> > > >
> > > > Thanks for your input Markus.
> > > > Instead of upgrading I was thinking of providing libnettle6 /in addition
> > > > to/ libnettle4, but that still sounds like more troubles than it solves.
> > > > (and indeed, when testing gnutls28+libnettle6, "git clone" now fails.)
> > > >
> > > > # git clone https://github.com/symfony/symfony-installer
> > > > Clonage dans 'symfony-installer'...
> > > > fatal: unable to access 'https://github.com/symfony/symfony-installer/': gnutls_handshake() failed: Public key signature verification has failed.
> > >
> > > Also, the stable security team didn't answer my mail but reached the same
> > > conclusion ( minor).
> > > I'll mark these CVE-s as and fix the CVE/list incomplete assessment.
> >
> > I am currently going through all CVEs listed by bin/lts-cve-triage.py (in
> > the security-tracker Git repo, for those not acquainted with the sectracker
> > toolchain).
> >
> > Marking such CVEs (such as CVE-2018-16868/gnutls28/jessie) as " (minor
> > issue)" is technically correct, I guess, but such CVEs don't get explicitly
> > marked by the output of lts-cve-triage.py. When doing frontdesk work, you
> > get drawn to those issues to at least take another look. What was that CVE
> > about, has there been some communication regarding it, etc.
> >
> > However, if we tagged such CVEs as " (too invasive to fix)", the tag would
> > be shown in lts-cve-triage.py output and "ignore" explains better what we
> > should do with such CVEs when triaging.
>
> Glad to see my contribution to lts-cve-triage.py is being useful :)
>
> > I am inclined to adapt CVE-2018-16868 accordingly, unless people contradict.
>
> Sure, I now avoid the vague as much as I can, sounds adequate for this
> CVE resolution.
>
> Cheers!
> Sylvain

CVE-2018-16868 has just been updated.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Jessie update of milkytracker (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:

https://security-tracker.debian.org/tracker/CVE-2019-14464
https://security-tracker.debian.org/tracker/CVE-2019-14496
https://security-tracker.debian.org/tracker/CVE-2019-14497

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However please make sure to submit a tested package.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of ruby-nokogiri?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of ruby-nokogiri:

https://security-tracker.debian.org/tracker/CVE-2019-5477

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of ruby-nokogiri updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libcommons-compress-java?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libcommons-compress-java:

https://security-tracker.debian.org/tracker/CVE-2019-12402

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libcommons-compress-java updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libgcrypt20?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libgcrypt20:

https://security-tracker.debian.org/tracker/CVE-2019-13627

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libgcrypt20 updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
CVE-2019-5477: ruby-nokogiri issue caused by rexical
Hi,

while triaging ruby-nokogiri/CVE-2019-5477, I noticed this in [1]:

```
[...]
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
```

The file lib/nokogiri/css/tokenizer.rb in nokogiri gets generated via rexical and is shipped in the nokogiri upstream repo.

Debian jessie did not have rexical, so I suppose the generated code was simply shipped in Debian jessie's version of ruby-nokogiri. Interesting, how to patch that...

In Debian stretch and beyond, however, we have rexical; I did not spend time on finding out if ruby-nokogiri in stretch re-generates lib/nokogiri/css/tokenizer.rb or if the upstream-shipped copy is used. However, to address CVE-2019-5477 it should also be associated to the rexical src:pkg in stretch and later.

@security-team: can you please update data/CVE/list appropriately (instead of me updating it and you correcting my change)? Thanks!

Greets,
Mike

[1] https://github.com/sparklemotion/nokogiri/commit/5d30128343573a9428c86efc758ba2c66e9f12dc

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Jessie update of irssi?
Dear Rhonda,

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of irssi:

https://security-tracker.debian.org/tracker/source-package/irssi

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here: https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of irssi updates for the LTS releases.

Thank you very much.

Mike Gabriel, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of ansible (minor security issues)?
The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/source-package/ansible

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather want to work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
About the security issues affecting imagemagick in Jessie
Dear maintainer(s),

The Debian LTS team recently reviewed the security issue(s) affecting your package in Jessie:
https://security-tracker.debian.org/tracker/source-package/imagemagick

We decided that a member of the LTS team should take a look at this package, although the security impact of still open issues is low. When resources are available on our side, one of the LTS team members will start working on fixes for those minor security issues, as we think that the jessie users would most certainly benefit from a fixed package.

If you'd rather want to work on such an update yourself, you're welcome to do so. Please send us a short notification to the debian-lts mailing list (debian-lts@lists.debian.org), expressing your intention to work on issues yourself. Otherwise, no action is required from your side.

When working on issues, please try to follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. However, please make sure to submit a tested package.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
<no-dsa> (minor) vs. <ignored> ($not-fixable-because) (was: Re: gnutls/nettle (CVE-2018-16868/CVE-2018-16869))
Hi Sylvain, hi all,

On Fr 08 Mär 2019 11:03:49 CET, Sylvain Beucler wrote:

> Hi,
>
> On 04/03/2019 17:37, Sylvain Beucler wrote:
>> On 04/03/2019 16:55, Markus Koschany wrote:
>>> Am 04.03.19 um 16:33 schrieb Sylvain Beucler:
>>> [...]
>>>> I see this as a strong signal that we should not attempt to backport the fix, and go with a <no-dsa> (minor).
>>>>
>>>> Alternatively we could upgrade nettle (libnettle4->libnettle6) which doesn't break gnutls28's test suite, though it's likely to introduce other issues (e.g. #789119).
>>>>
>>>> Thoughts?
>>>
>>> I also worked on nettle/gnutls26 for Wheezy. There are too many changes and just backporting rsa_sec_decrypt in nettle would be an incomplete fix for CVE-2018-16869 because they introduced more hardening against those side-channel attacks in other functions. An upgrade of nettle would require a rebuild of all reverse-dependencies and that is probably too intrusive.
>>
>> Thanks for your input Markus.
>>
>> Instead of upgrading I was thinking of providing libnettle6 /in addition to/ libnettle4, but that still sounds like more troubles than it solves.
>>
>> (and indeed, when testing gnutls28+libnettle6, "git clone" now fails.)
>>
>> # git clone https://github.com/symfony/symfony-installer
>> Clonage dans 'symfony-installer'...
>> fatal: unable to access 'https://github.com/symfony/symfony-installer/': gnutls_handshake() failed: Public key signature verification has failed.
>
> Also, the stable security team didn't answer my mail but reached the same conclusion (<no-dsa> minor).
>
> I'll mark these CVE-s as <no-dsa> and fix the CVE/list incomplete assessment.

I am currently going through all CVEs listed by bin/lts-cve-triage.py (in the security-tracker Git repo, for those not acquainted with the sectracker toolchain).

Marking such CVEs (such as CVE-2018-16868/gnutls28/jessie) as "<no-dsa> (minor issue)" is technically correct, I guess, but such CVEs don't get explicitly marked in the output of lts-cve-triage.py. When doing frontdesk work, you get drawn to those issues to at least take another look: what was that CVE about, has there been some communication regarding it, etc.

However, if we tagged such CVEs as "<ignored> (too invasive to fix)", the tag would be shown in the lts-cve-triage.py output and "ignore" explains better what we should do with such CVEs when triaging.

I am inclined to adapt CVE-2018-16868 accordingly, unless people contradict.

Greets,
Mike

-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: On (semi-)automated testing and improved workflow of LTS uploads
Hi Jonas, hi all,

thanks for summarizing the discussion we had on the non-public paid LTS contributors' "mailing list".

On Di 09 Jul 2019 16:21:47 CEST, Jonas Meurer wrote:

> Hello,
>
> Some LTS members recently started discussing options for better (semi-)automated testing of LTS uploads and an improved upload workflow. I'll try to summarize the discussion in order to bring it to this public mailinglist. [1]
>
> The motivation for an improved package upload workflow basically is to lower the risk of (simple) regressions and improve the overall quality of LTS security uploads. The way to get there is to run (semi-)automated tests against packages before uploading them to ${LTS}-security and (optionally) enforce a second review+acknowledgement by another LTS developer.
>
> In the internal discussions, the following vision for an improved upload workflow arose:
>
> 1. Upload packages targeted at LTS suites to some dedicated place for automated testing

Yep.

> 2. Run automatic tests (piuparts, autopkgtests, lintian?, ...)

Maybe, probably not lintian. The package maintainer, at the time (old)oldstable (meaning the current Debian LTS) turned from testing to stable, might not have had their packages in shape lintian-wise. Also, only using an old lintian would be appropriate. A recent lintian on old packages just creates too much noise (which we won't fix anyway).

> 3. If tests passed, publish the packages somewhere to do manual testing (and reviews)
>
> If either step (2. or 3.) fails, we go back to 1.
>
> 4. (Optionally?) demand acknowledgement by a second (different) LTS developer

Although demanding a second ACK adds an extra delay to our workflow, I sense that such a second pair of eyes peering at security patches might greatly improve the quality of the LTS work. Even if we don't come up with some auto-test engine, we should consider "peer-"reviewed uploads.

> 5. Automatically upload packages that got uploaded, passed tests and got second acknowledgement to the targeted LTS upload queue

yep

> While that would be very nice to have, it's probably a long way to go until we have such infrastructure. There seems to be some agreement that the first step would be to run (semi-)automated tests (e.g. piuparts and autopkgtests) against the packages before uploading them to ${LTS}-security, i.e. point 2 of the list above.
>
> So far, two implementation approaches have been discussed:
>
> */ Build an own service that provides a dedicated upload queue (e.g. 'lts-proposed-updates') which accepts uploads targeted at LTS suites, and processes the uploaded packages according to the workflow described above.
>
> */ Use Salsa-CI and their pipeline[2] for as much of the above proposal as possible.
>
> What's your thoughts on this? Do you think that we could implement most/all of the desired workflow using Salsa-CI/Gitlab-CI? Or would it be better to build it entirely independently of Salsa - e.g. implement it in dak?

Personally, I think that using Salsa for this adds an extra layer of complexity to the uploading workflow, because we have to pump all packages that we want to fix in LTS through GitLab. Many packages are packaged in Git already (probably on Salsa) and have a repo location of their own. With applying GitLab based CI to the workflow, the LTS team would add an extra Git repo, just for the LTS uploads done by the paid contributors. Some package uploads may even be embargoed, so generically, the LTS-team namespace on Salsa needs to be private (which excludes other contributors, also the usual package maintainers/uploaders, by default).

As our intention is to operate on packages (not on upstream code in Git), I'd suggest deploying/extending some sort of setup/infrastructure that utilizes Debian means for auto-testing LTS package upload candidates.

And I really love the idea of a review workflow for package uploads.

And, open question: Would such a workflow be an option for the security team's workflow, too?

Greets,
Mike

-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi,

On Mi 26 Jun 2019 14:55:46 CEST, Sylvain Beucler wrote:

> Hi Mike,
>
> On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote:
>> On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:
>>> Package: glib2.0
>>> Version: 2.42.1-1+deb8u1
>>> CVE ID : CVE-2019-12450
>>> Debian Bug : 929753
>>>
>>> It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default permissions are used.
>>>
>>> For Debian 8 "Jessie", this problem has been fixed in version 2.42.1-1+deb8u1.
>>>
>>> We recommend that you upgrade your glib2.0 packages.
>>>
>>> Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
>>
>> I wonder if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete:
>>
>> ```
From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Tue, 22 Jan 2019 13:26:31 -0500
Subject: [PATCH] keyfile settings: Use tighter permissions

When creating directories, create them with 700 permissions, instead of 777.

Closes: #1658
---
 gio/gkeyfilesettingsbackend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length);
@@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
>> ```
>>
>> The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie; for wheezy I skipped the safe directory creation part).
>
> This looks like another vulnerability, not related to copying files from a non-unix VFS, but to the creation of key/value files and their directory (mitigated by umask and the strict permissions of e.g. ~/.config).
>
> Do you know if this has a CVE?
>
> Maybe we can ask pkg-gnome-maintainers's point? (I didn't see this applied in other distros but I may have missed it.)
>
> Feel free to take over btw, I won't be much available until next week :)

I just requested a CVE for this from Mitre. The request is now waiting for review on their side...

Mike

-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi,

On Mi 26 Jun 2019 14:55:46 CEST, Sylvain Beucler wrote:

> Hi Mike,
>
> On Mon, Jun 24, 2019 at 08:28:11AM +, Mike Gabriel wrote:
>> On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:
>>> Package: glib2.0
>>> Version: 2.42.1-1+deb8u1
>>> CVE ID : CVE-2019-12450
>>> Debian Bug : 929753
>>>
>>> It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default permissions are used.
>>>
>>> For Debian 8 "Jessie", this problem has been fixed in version 2.42.1-1+deb8u1.
>>>
>>> We recommend that you upgrade your glib2.0 packages.
>>>
>>> Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
>>
>> I wonder if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete:
>>
>> ```
From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Tue, 22 Jan 2019 13:26:31 -0500
Subject: [PATCH] keyfile settings: Use tighter permissions

When creating directories, create them with 700 permissions, instead of 777.

Closes: #1658
---
 gio/gkeyfilesettingsbackend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length);
@@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
>> ```
>>
>> The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie; for wheezy I skipped the safe directory creation part).
>
> This looks like another vulnerability, not related to copying files from a non-unix VFS, but to the creation of key/value files and their directory (mitigated by umask and the strict permissions of e.g. ~/.config).

Yes, exactly.

> Do you know if this has a CVE?

AFAIK, it does not have one.

> Maybe we can ask pkg-gnome-maintainers's point?

I'll ping people.

> (I didn't see this applied in other distros but I may have missed it.)

OK.

> Feel free to take over btw, I won't be much available until next week :)

Ok. Will do.

Thanks+Greets.
Mike

-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: [SECURITY] [DLA 1826-1] glib2.0 security update
Hi Sylvain,

On Di 18 Jun 2019 22:47:44 CEST, Sylvain Beucler wrote:

> Package: glib2.0
> Version: 2.42.1-1+deb8u1
> CVE ID : CVE-2019-12450
> Debian Bug : 929753
>
> It was discovered that GLib does not properly restrict some file permissions while a copy operation is in progress; instead, default permissions are used.
>
> For Debian 8 "Jessie", this problem has been fixed in version 2.42.1-1+deb8u1.
>
> We recommend that you upgrade your glib2.0 packages.
>
> Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

I wonder if it would be good to have this upstream patch backported to jessie's glib2.0, too, to have the file permission stuff complete:

```
From 5e4da714f00f6bfb2ccd6d73d61329c6f3a08429 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Tue, 22 Jan 2019 13:26:31 -0500
Subject: [PATCH] keyfile settings: Use tighter permissions

When creating directories, create them with 700 permissions, instead of 777.

Closes: #1658
---
 gio/gkeyfilesettingsbackend.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -89,7 +89,8 @@ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL); g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, - G_FILE_CREATE_REPLACE_DESTINATION, + G_FILE_CREATE_REPLACE_DESTINATION | + G_FILE_CREATE_PRIVATE, NULL, NULL, NULL); compute_checksum (kfsb->digest, contents, length);
@@ -640,7 +641,7 @@ kfsb->file = g_file_new_for_path (filename); kfsb->dir = g_file_get_parent (kfsb->file); - g_file_make_directory_with_parents (kfsb->dir, NULL, NULL); + g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700); kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL); kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
```

The patch was not explicitly mentioned in the CVE, but I stumbled over it when fixing glib2.0 for wheezy ELTS last month. (Unfortunately, the g_mkdir_with_parents() symbol is not in jessie; for wheezy I skipped the safe directory creation part).

Greets,
Mike

-- 

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde

mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
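Review bot: the commit message only documents the directory change ("When creating directories, create them with 700 permissions, instead of 777"), while the first hunk (@@ -89,7 +89,8 @@) also changes how the settings file itself is written, adding G_FILE_CREATE_PRIVATE to the g_file_replace_contents() flags. The message should say so; a backporter reading it, as in this thread where the patch is being weighed for jessie, would otherwise assume only the directory creation moved. A line such as "Also write the keyfile itself with G_FILE_CREATE_PRIVATE." would close that gap.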
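Review bot: in the second hunk (@@ -640,7 +641,7 @@), g_mkdir_with_parents(..., 0700) only affects directories it creates, so a settings directory that already exists from an earlier run keeps whatever mode it got back then, and the return value is dropped just as the previous g_file_make_directory_with_parents() result was, so a failed creation stays silent. If existing installations are meant to be tightened as well, an explicit g_chmod() on the existing directory is needed, and a g_warning() on failure would make the silent case visible. For the jessie backport discussed in this thread, note also that this hunk introduces g_file_peek_path(); if that symbol is not available in the target GLib, g_file_get_path() plus g_free() of the result is the drop-in replacement.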
Triaging request for golang-go.crypto
Hi Adrian, hi all other LTS contributors with Go knowledge,

can any of you possibly take a closer look at golang-go.crypto [1] and triage CVE-2019-11840?

Thanks,
Mike (with LTS frontdesk hat on these days)

[1] https://security-tracker.debian.org/tracker/source-package/golang-go.crypto

-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of simplesamlphp?
Hi again,

On Mi 29 Mai 2019 12:16:56 CEST, Mike Gabriel wrote:

> [...]
>
> I will remove the package from dla-needed.txt again for now.

I just saw that Chris Lamb already did that earlier.

Mike

-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: Jessie update of simplesamlphp?
Hi Thijs,

On Di 28 Mai 2019 18:17:39 CEST, Thijs Kinkhorst wrote:

> On Tue, May 28, 2019 16:01, Chris Lamb wrote:
>> Mike Gabriel wrote:
>>> The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of simplesamlphp:
>>
>> Which CVE is/was this for? I am just looking at:
>>
>> https://security-tracker.debian.org/tracker/source-package/simplesamlphp
>>
>> ... and not seeing anything relevant. Is it still vulnerable? If so, we should remove it from dla-needed.txt, naturally.
>
> As the maintainer I have triaged all open issues and see no reason for releasing a jessie update at this point.

There are some no-dsa issues that should be easy to fix (CVE-2018-7711, CVE-2016-9955, CVE-2016-9814). In the LTS team, we sometimes, when time allows it, work on those, too.

From your message above, I get that you take care of simplesamlphp in jessie yourself and would rather not have us work on the above CVEs, right?

I will remove the package from dla-needed.txt again for now.

Greets,
Mike

-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of mupdf?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of mupdf:
https://security-tracker.debian.org/tracker/source-package/mupdf

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of mupdf updates for the LTS releases.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of libspring-java?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of libspring-java:
https://security-tracker.debian.org/tracker/source-package/libspring-java

We also plan to work on issues that got previously tagged as "<no-dsa>", that is, the less severe issues.

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of libspring-java updates for the LTS releases.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of miniupnpd?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of miniupnpd:
https://security-tracker.debian.org/tracker/source-package/miniupnpd

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of miniupnpd updates for the LTS releases.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Jessie update of simplesamlphp?
Dear maintainer(s),

The Debian LTS team would like to fix the security issues which are currently open in the Jessie version of simplesamlphp:
https://security-tracker.debian.org/tracker/source-package/simplesamlphp

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-lts@lists.debian.org (via a debdiff, or with an URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of simplesamlphp updates for the LTS releases.

Thank you very much.

Mike Gabriel,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/dla-needed.txt

-- 

mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: [SECURITY] [DLA 1762-1] systemd security update
Hi,

On Friday, 26 April 2019, Klimov, Evgeny wrote:
> Hello Mike, and a good day to you.
>
> Our project uses Debian (Jessie so far) as the platform, and since
> yesterday’s rebuilds with the updated systemd packages (systemd
> 215-17+deb8u12), our working directories created via tmpfiles are all owned
> by root:root rather than the intended user and/or group accounts spelled in
> corresponding configuration files. I have not seen the patch code yet, but
> looking at the bug descriptions, I’d guess the hardlink protection goes a bit
> too far.
>
> So with a typical config like this:
>
> # systemd-tmpfiles config for some-daemon-name
> d /var/run/some-daemon-name 0755 www-data www-data
> x /var/run/some-daemon-name/*
>
> …which sort of abused the tmpfiles purpose to make a persistent properly
> owned location for some service’s data files (ensured to appear before the
> service starts), we create the /var/run/some-daemon-name directory from
> scratch, and until yesterday it was owned by www-data. Today it is owned by
> root and is useless for the service. This happens both on tmpfs and ext4
> backed filesystems.
>
> I see that just recently a systemd 215-17+deb8u13 was released with some fix
> to tmpfiles so we are waiting for our universe to rebuild and see if it
> solves our issue, but just in case this is a separate problem – could you
> please stay on the lookout? 😊
>
> Thanks in advance,
> Jim Klimov

Hi Jim,

sorry for that flaw from my side. +deb8u13 will fix your observed issue introduced by +deb8u12.

Greets and sorry once more for the disruption,
Mike

-- 
Sent from my Sailfish device
Re: systemd/jessie: Problems with postgresql-9.4 after upgrade (215-17+deb8u11 => 215-17+deb8u12)
Hi,

On Do 25 Apr 2019 09:55:43 CEST, Sedat Dilek wrote:

On Thu, Apr 25, 2019 at 9:51 AM Mike Gabriel wrote:

Hi Sedat,

(Cc:-ing debian-lts mailing list)

On Do 25 Apr 2019 09:07:40 CEST, Sedat Dilek wrote:

> Hi,
>
> we have upgraded systemd on some of our Debian/jessie systems:
> (215-17+deb8u11 => 215-17+deb8u12)
>
> root# apt-get update && apt-get dist-upgrade -V && apt-get autoremove --purge
> ...
> The following packages will be upgraded:
>    libsystemd0 (215-17+deb8u11 => 215-17+deb8u12)
>    libudev1 (215-17+deb8u11 => 215-17+deb8u12)
>    systemd (215-17+deb8u11 => 215-17+deb8u12)
>    systemd-sysv (215-17+deb8u11 => 215-17+deb8u12)
>    udev (215-17+deb8u11 => 215-17+deb8u12)
> 5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> ...
> root@watt:~# reboot
>
> root@watt:~# journalctl -u postgresql@9.4-main.service
>
> The logs show that user postgres has no permission to write
> /var/run/postgresql (Sorry German)
>
> postgresql@9.4-main[509]: 2019-04-25 05:47:47 UTC FATAL: konnte
> Sperrdatei »/var/run/postgresql/.s.PGSQL.5432.lock« nicht erstellen:
> Keine Berechtigung
>
> which means "Could not write lock-file ... : no permission"
>
> Locally, this helped...
>
> root# chown postgres:root /var/run/postgresql/
> root# systemctl restart postgresql@9.4-main.service
>
> ...but on the next reboot we have the same issue.
>
> Here the output of lsblk:
>
> root~# lsblk -f
> NAME             FSTYPE      LABEL UUID                                   MOUNTPOINT
> fd0
> sr0
> vda
> ├─vda1           ext4              75520488-1b4e-42f9-98da-4932a1610d3b   /boot
> └─vda2           LVM2_member       j4b51P-s5ww-LccR-o4BW-KEKX-g4og-qptI9E
>   ├─vg_watt-root ext4              99a7d505-8319-40b8-8923-b423e253a1b7   /
>   ├─vg_watt-var  ext4              a2a15c5e-c5d8-4d90-987e-0d1b058b1cab   /var
>   ├─vg_watt-tmp  ext4              2d3335be-c3ef-45a6-bc48-830ac4ca6409   /tmp
>   └─vg_watt-swap swap              215bf415-b483-4a0e-8703-95b93d2e3b8e   [SWAP]
>
> I had a quick look into the diff:
>
> diff -uprN systemd-215.old/debian/changelog systemd-215/debian/changelog
> --- systemd-215.old/debian/changelog 2019-03-13 11:52:10.0 +0100
> +++ systemd-215/debian/changelog 2019-04-23 10:55:22.0 +0200
> @@ -1,3 +1,12 @@
> +systemd (215-17+deb8u12) jessie-security; urgency=medium
> +
> + * Non-maintainer upload by the LTS team.
> + * CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
> +hardlinked, unless protected_hardlinks sysctl is on.
> + * CVE-2019-3842: pam-systemd: use secure_getenv() rather than getenv().
> +
> + -- Mike Gabriel Tue, 23 Apr 2019 10:55:22 +0200
> +
> systemd (215-17+deb8u11) jessie-security; urgency=high
>
>* Non-maintainer upload by the LTS team.
>
> And we have on our systems set:
>
> root@watt:~# sysctl -n fs.protected_hardlinks
> 1
>
> Do you need further information?
>
> Is this a known issue?
> If not, shall I open a bug-report?
>
> Parallelly, I have informed our PostgreSQL team and will contact
> Christoph Berg here inhouse at credativ.
>
> Thanks.
>
> Regards,
> - Sedat -

I will look into this around lunch time. Thanks for reporting this issue so immediately.

Shame on me. I really forgot a pair of curly braces in the patch for CVE-2017-18078. Aside from that, the returned EPERM error must be negated.

Regression fix is currently building (once more), upload is coming in some minutes.

Mike

-- 

mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: systemd/jessie: Problems with postgresql-9.4 after upgrade (215-17+deb8u11 => 215-17+deb8u12)
Hi Sedat,

On Do 25 Apr 2019 09:55:43 CEST, Sedat Dilek wrote:

> On Thu, Apr 25, 2019 at 9:51 AM Mike Gabriel wrote:
>
> > Hi Sedat,
> >
> > (Cc:-ing debian-lts mailing list)
> >
> > On Do 25 Apr 2019 09:07:40 CEST, Sedat Dilek wrote:
> >
> > > Hi,
> > >
> > > we have upgraded systemd on some of our Debian/jessie systems:
> > > (215-17+deb8u11 => 215-17+deb8u12)
> > >
> > > root# apt-get update && apt-get dist-upgrade -V && apt-get autoremove --purge
> > > ...
> > > The following packages will be upgraded:
> > >    libsystemd0 (215-17+deb8u11 => 215-17+deb8u12)
> > >    libudev1 (215-17+deb8u11 => 215-17+deb8u12)
> > >    systemd (215-17+deb8u11 => 215-17+deb8u12)
> > >    systemd-sysv (215-17+deb8u11 => 215-17+deb8u12)
> > >    udev (215-17+deb8u11 => 215-17+deb8u12)
> > > 5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> > > ...
> > > root@watt:~# reboot
> > >
> > > root@watt:~# journalctl -u postgresql@9.4-main.service
> > >
> > > The logs show that user postgres has no permission to write
> > > /var/run/postgresql (Sorry German)
> > >
> > > postgresql@9.4-main[509]: 2019-04-25 05:47:47 UTC FATAL: konnte
> > > Sperrdatei »/var/run/postgresql/.s.PGSQL.5432.lock« nicht erstellen:
> > > Keine Berechtigung
> > >
> > > which means "Could not write lock-file ... : no permission"
> > >
> > > Locally, this helped...
> > >
> > > root# chown postgres:root /var/run/postgresql/
> > > root# systemctl restart postgresql@9.4-main.service
> > >
> > > ...but on the next reboot we have the same issue.
> > >
> > > Here is the output of lsblk:
> > >
> > > root~# lsblk -f
> > > NAME             FSTYPE      LABEL UUID                                   MOUNTPOINT
> > > fd0
> > > sr0
> > > vda
> > > ├─vda1           ext4              75520488-1b4e-42f9-98da-4932a1610d3b   /boot
> > > └─vda2           LVM2_member       j4b51P-s5ww-LccR-o4BW-KEKX-g4og-qptI9E
> > >   ├─vg_watt-root ext4              99a7d505-8319-40b8-8923-b423e253a1b7   /
> > >   ├─vg_watt-var  ext4              a2a15c5e-c5d8-4d90-987e-0d1b058b1cab   /var
> > >   ├─vg_watt-tmp  ext4              2d3335be-c3ef-45a6-bc48-830ac4ca6409   /tmp
> > >   └─vg_watt-swap swap              215bf415-b483-4a0e-8703-95b93d2e3b8e   [SWAP]
> > >
> > > I had a quick look into the diff:
> > >
> > > diff -uprN systemd-215.old/debian/changelog systemd-215/debian/changelog
> > > --- systemd-215.old/debian/changelog	2019-03-13 11:52:10.0 +0100
> > > +++ systemd-215/debian/changelog	2019-04-23 10:55:22.0 +0200
> > > @@ -1,3 +1,12 @@
> > > +systemd (215-17+deb8u12) jessie-security; urgency=medium
> > > +
> > > +  * Non-maintainer upload by the LTS team.
> > > +  * CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
> > > +    hardlinked, unless protected_hardlinks sysctl is on.
> > > +  * CVE-2019-3842: pam-systemd: use secure_getenv() rather than getenv().
> > > +
> > > + -- Mike Gabriel  Tue, 23 Apr 2019 10:55:22 +0200
> > > +
> > >  systemd (215-17+deb8u11) jessie-security; urgency=high
> > >
> > >   * Non-maintainer upload by the LTS team.
> > >
> > > And we have on our systems set:
> > >
> > > root@watt:~# sysctl -n fs.protected_hardlinks
> > > 1
> > >
> > > Do you need further information?
> > >
> > > Is this a known issue?
> > > If not, shall I open a bug-report?
> > >
> > > In parallel, I have informed our PostgreSQL team and will contact
> > > Christoph Berg here inhouse at credativ.
> > >
> > > Thanks.
> > >
> > > Regards,
> > > - Sedat -
> >
> > I will look into this around lunch time. Thanks for reporting this
> > issue so immediately.

First good news: I can reproduce your issue.

...

Investigating things more closely now.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
Re: systemd/jessie: Problems with postgresql-9.4 after upgrade (215-17+deb8u11 => 215-17+deb8u12)
Hi Sedat,

(Cc:-ing debian-lts mailing list)

On Do 25 Apr 2019 09:07:40 CEST, Sedat Dilek wrote:

> Hi,
>
> we have upgraded systemd on some of our Debian/jessie systems:
> (215-17+deb8u11 => 215-17+deb8u12)
>
> root# apt-get update && apt-get dist-upgrade -V && apt-get autoremove --purge
> ...
> The following packages will be upgraded:
>    libsystemd0 (215-17+deb8u11 => 215-17+deb8u12)
>    libudev1 (215-17+deb8u11 => 215-17+deb8u12)
>    systemd (215-17+deb8u11 => 215-17+deb8u12)
>    systemd-sysv (215-17+deb8u11 => 215-17+deb8u12)
>    udev (215-17+deb8u11 => 215-17+deb8u12)
> 5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> ...
> root@watt:~# reboot
>
> root@watt:~# journalctl -u postgresql@9.4-main.service
>
> The logs show that user postgres has no permission to write
> /var/run/postgresql (Sorry German)
>
> postgresql@9.4-main[509]: 2019-04-25 05:47:47 UTC FATAL: konnte
> Sperrdatei »/var/run/postgresql/.s.PGSQL.5432.lock« nicht erstellen:
> Keine Berechtigung
>
> which means "Could not write lock-file ... : no permission"
>
> Locally, this helped...
>
> root# chown postgres:root /var/run/postgresql/
> root# systemctl restart postgresql@9.4-main.service
>
> ...but on the next reboot we have the same issue.
>
> Here is the output of lsblk:
>
> root~# lsblk -f
> NAME             FSTYPE      LABEL UUID                                   MOUNTPOINT
> fd0
> sr0
> vda
> ├─vda1           ext4              75520488-1b4e-42f9-98da-4932a1610d3b   /boot
> └─vda2           LVM2_member       j4b51P-s5ww-LccR-o4BW-KEKX-g4og-qptI9E
>   ├─vg_watt-root ext4              99a7d505-8319-40b8-8923-b423e253a1b7   /
>   ├─vg_watt-var  ext4              a2a15c5e-c5d8-4d90-987e-0d1b058b1cab   /var
>   ├─vg_watt-tmp  ext4              2d3335be-c3ef-45a6-bc48-830ac4ca6409   /tmp
>   └─vg_watt-swap swap              215bf415-b483-4a0e-8703-95b93d2e3b8e   [SWAP]
>
> I had a quick look into the diff:
>
> diff -uprN systemd-215.old/debian/changelog systemd-215/debian/changelog
> --- systemd-215.old/debian/changelog	2019-03-13 11:52:10.0 +0100
> +++ systemd-215/debian/changelog	2019-04-23 10:55:22.0 +0200
> @@ -1,3 +1,12 @@
> +systemd (215-17+deb8u12) jessie-security; urgency=medium
> +
> +  * Non-maintainer upload by the LTS team.
> +  * CVE-2017-18078: tmpfiles: refuse to chown()/chmod() files which are
> +    hardlinked, unless protected_hardlinks sysctl is on.
> +  * CVE-2019-3842: pam-systemd: use secure_getenv() rather than getenv().
> +
> + -- Mike Gabriel  Tue, 23 Apr 2019 10:55:22 +0200
> +
>  systemd (215-17+deb8u11) jessie-security; urgency=high
>
>   * Non-maintainer upload by the LTS team.
>
> And we have on our systems set:
>
> root@watt:~# sysctl -n fs.protected_hardlinks
> 1
>
> Do you need further information?
>
> Is this a known issue?
> If not, shall I open a bug-report?
>
> In parallel, I have informed our PostgreSQL team and will contact
> Christoph Berg here inhouse at credativ.
>
> Thanks.
>
> Regards,
> - Sedat -

I will look into this around lunch time. Thanks for reporting this issue
so immediately.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
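Review bot: the CVE-2017-18078 line of this changelog hunk promises that chown()/chmod() is refused only for hardlinked files and only while the protected_hardlinks sysctl is off, but the report it is quoted in shows fs.protected_hardlinks=1 and /var/run/postgresql still losing its postgres ownership on every boot after the upgrade, so the refusal in the actual tmpfiles patch is evidently not gated the way this entry states; before treating the entry as accurate, check that the sysctl test and the early return in that patch are scoped to the hardlink case only, and reference the Debian bug in this entry once one is filed.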
Re: RFT and RFC: Updates for evolution{,-data-server}
Hi Jonas,

On Mi 24 Apr 2019 12:56:18 CEST, Jonas Meurer wrote:

> Jonas Meurer:
> > With evolution-data-server, the situation is slightly more complicated.
> > I'm still debugging issues with the patches[5] that are supposed to fix
> > the "[GPG] Mails that are not encrypted look encrypted" issue.
> >
> > [5] https://gitlab.gnome.org/GNOME/evolution-data-server/commit/93306a29
> >     and https://gitlab.gnome.org/GNOME/evolution-data-server/commit/accb0e24
> >
> > My question: do you agree that these fixes are within the scope of
> > CVE-2018-15587? If so, then I will continue working on the issue and
> > upload both evolution and evolution-data-server in a batch once I've
> > got the issues sorted out.
> >
> > Another option would be to upload evolution to jessie-security right
> > now and decide that evolution-data-server is not affected by
> > CVE-2018-15587, since it's only prone to "encrypted message spoofing",
> > not to "signature spoofing". But in my eyes, that would be a sham.
>
> Looking more into the core issue[1] of "[GPG] Mails that are not
> encrypted look encrypted", it became clear that a lot of applications
> (GnuPG[2], Enigmail[3], Mutt[4]) are affected and it's not tracked as a
> security issue for any of them. Is it required to coordinate a
> corresponding update of those CVEs in data/CVE/list with the security
> team?

Sounds like it.

> In fact it's tracked for evolution{,-data-server} in the debian security
> tracker only because the issue is mentioned in the CVE-2018-15587
> bugreport[5]. Besides, I agree with the bug author that "this bug is
> certainly not in the same category as a serious security vulnerability,
> such as a plaintext leak or a signature spoof"[1].
>
> So I changed my mind and decided to ignore the "encryption spoofing" bug
> and only care about "signature spoofing". This means that
> evolution-data-server is unaffected and only evolution needs to be fixed.

Your choice of priority sounds good to me.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
Re: Wheezy/ELTS samba update broken for i386 arch
Hi Emilio,

On Fr 12 Apr 2019 11:50:21 CEST, Emilio Pozuelo Monfort wrote:

> Hi,
>
> On 10/04/2019 13:29, Emilio Pozuelo Monfort wrote:
> > Hi john,
> >
> > On 10/04/2019 13:00, john wrote:
> > > Hi,
> > >
> > > Samba update for ELTS is broken on i386 arch as some packages remain
> > > at the old version and therefore there are broken dependencies:
> >
> > Thanks for the report. This list is for Debian LTS, the Extended LTS
> > initiative is external though.
> >
> > In any case, it looks like the i386 build is missing. I'm notifying the
> > person who handled the update and we'll follow up with an i386 samba
> > build.
>
> I have just uploaded the i386 binaries.

Thanks for doing this.

Mike

--
mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net