CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi, I'm working on a potential jinja2 Debian LTS security update. Here is a proof of concept which allows the issue to be reproduced easily. This should help confirm the vulnerability in other suites. >>> from jinja2.sandbox import SandboxedEnvironment >>> env = SandboxedEnvironment() >>> config =

Re: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
> This should help confirm the vulnerability in other suites. 2.7.3-1 and all later releases are affected. In addition, both 2.7.3-1 and 2.8-1 are affected by the previous str.format issue[0]. [0] https://palletsprojects.com/blog/jinja-281-released/ -- Hugo Lefeuvre (hle)|
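The PoC in the first message is cut off on this page, so here is an added example (written for this page; it is neither the PoC from the thread nor jinja2's own code) covering both messages above: why a plain `str.format()` (the 2.8.1 issue) and `str.format_map()` (CVE-2019-10906) are sandbox-escape primitives, and what a sandboxed formatter has to intercept. The `config` dict, the `Harmless` class, the `ESCAPE` field and the "reject attributes starting with `_`" policy are all constructed for illustration and are assumptions of this example.

```python
"""Added example (not the thread's PoC, not jinja2's code): str.format() and
str.format_map() resolve '{a.b[c]}' fields with unrestricted attribute and
item traversal, so a template sandbox must police every step itself."""
import re
import string

# Constructed stand-in for an application secret kept in module globals
# (think of a web framework's config object). Assumption of this example.
config = {"SECRET_KEY": "constructed-secret-value"}


class Harmless:
    """An object a template author is allowed to reach.  It defines __init__
    so that __init__.__globals__ is this module's namespace, exactly as any
    ordinary Python class's function attributes do."""

    def __init__(self, name="widget"):
        self.name = name


# Replacement field that walks from the harmless object into module globals.
# Nothing in the str methods stops '.__class__' or '[config]' steps.
ESCAPE = "{x.__class__.__init__.__globals__[config][SECRET_KEY]}"


def unsandboxed_format(template, obj, via_format_map=True):
    """What a sandbox hands out if it exposes the real str methods: both
    spellings resolve the replacement field identically."""
    if via_format_map:
        return template.format_map({"x": obj})
    return template.format(x=obj)


class SecurityError(Exception):
    """Raised when a field tries to traverse an attribute the policy forbids."""


class SandboxedFormatter(string.Formatter):
    """string.Formatter that routes every '.attr' / '[key]' step of a field
    through a policy check instead of trusting getattr().  The policy used
    here (refuse attributes whose name starts with '_') is a simplified
    version of what a template sandbox applies; it is an assumption of this
    example, not a description of jinja2's exact rules."""

    _STEP = re.compile(r"\.(\w+)|\[([^\]]*)\]")

    def get_field(self, field_name, args, kwargs):
        head = re.match(r"\w*", field_name)
        first = head.group(0)
        obj = self.get_value(int(first) if first.isdigit() else first, args, kwargs)
        pos = head.end()
        while pos < len(field_name):
            step = self._STEP.match(field_name, pos)
            if step is None:
                raise ValueError("malformed field name %r" % field_name)
            attr, key = step.group(1), step.group(2)
            if attr is not None:
                if attr.startswith("_"):
                    # Dunder / private attributes are the first hop of every
                    # '__class__ ... __globals__' style escape: refuse them.
                    raise SecurityError("unsafe attribute %r in %r" % (attr, field_name))
                obj = getattr(obj, attr)
            else:
                obj = obj[int(key) if key.isdigit() else key]
            pos = step.end()
        return obj, first


def sandboxed_format(template, obj):
    """Sandbox-side replacement for str.format_map(): same template syntax,
    but each traversal step goes through SandboxedFormatter.get_field()."""
    return SandboxedFormatter().vformat(template, (), {"x": obj})


def demo():
    """Returns ((leak via format_map, leak via format), sandbox_blocked)."""
    leaked = (unsandboxed_format(ESCAPE, Harmless()),
              unsandboxed_format(ESCAPE, Harmless(), via_format_map=False))
    try:
        sandboxed_format(ESCAPE, Harmless())
        blocked = False
    except SecurityError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The point for anyone confirming the issue in another suite: it is not enough to sandbox `getattr` in the template engine's own expression evaluator, because the traversal happens inside the C implementation of `str.format` / `str.format_map`; the sandbox has to substitute a formatter it controls, as the `SandboxedFormatter` above does.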

libvirt / CVE-2019-3886

2019-04-08 Thread Brian May
Patch for Jessie version attached. Patch is applied by hand from https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html I am a bit concerned this patch only patches the virDomainGetHostname function and not the virDomainGetTime function, while the tests (which I suspect are not run

Re: Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Sylvain Beucler
Thanks Mathieu. I referenced it in our dla-needed.txt task list. A member of the LTS team will look into it. Cheers! Sylvain On 08/04/2019 11:10, Mathieu Parent wrote: > Dear LTS maintainers, > > See attached patch for CVE-2019-3880 in samba. > Don't know if it applies cleanly. > > Regards > >

Re: libvirt / CVE-2019-3886

2019-04-08 Thread Guido Günther
Hi, On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote: > Patch for Jessie version attached. Patch is applied by hand from > https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html I don't think this is needed for jessie since the corresponding function in qemu was implemented

Fwd: [SECURITY] [DSA 4427-1] samba security update

2019-04-08 Thread Mathieu Parent
Dear LTS maintainers, See attached patch for CVE-2019-3880 in samba. Don't know if it applies cleanly. Regards Mathieu Parent -- Forwarded message - From: Sebastien Delafond Date: Mon. 8 Apr 2019 at 10:27 Subject: [SECURITY] [DSA 4427-1] samba security update To: -BEGIN

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
7 (Roberto C. Sánchez) NOTE: 20190321: Patches integrated for CVE-2018-14647, CVE-2019-5010, and CVE-2019-9636 - NOTE: 20190321: Waiting on upstream action for CVE-2019-9740 (roberto) + NOTE: 20190408: Waiting on upstream action for CVE-2019-9740 (roberto) -- python3.4 (Roberto C. Sánch

(semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
Hi, I've done this again and am considering (in general) to not write these mails anymore. Please speak up if you think these mails are useful (or could be made more useful.) Today I do feel it's useful to point out, that one should not merely reclaim the packages but also update the notes and

Accepted suricata 2.0.7-2+deb8u4 (source amd64) into oldstable

2019-04-08 Thread Hugo Lefeuvre
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 08 Apr 2019 13:17:04 +0200 Source: suricata Binary: suricata Architecture: source amd64 Version: 2.0.7-2+deb8u4 Distribution: jessie-security Urgency: high Maintainer: Pierre Chifflier Changed-By: Hugo Lefeuvre Description:

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 14:32, Holger Levsen wrote: > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out, that one should not merely >

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 10:31:23AM -0400, Roberto C. Sánchez wrote: > Is there perhaps a way of thinking about this that I am missing? honest question: do you think it's too much work to update the notes every other week? -- tschau, Holger

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Hugo Lefeuvre
> > I've done this again and am considering (in general) to not write these > > mails > > anymore. Please speak up if you think these mails are useful (or could > > be made more useful.) > > I think they are useful, though according to the wiki page they are part > of the front-desk duties. I

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 02:35:21PM +0200, Sylvain Beucler wrote: > I think they are useful ok. as two people expressed this, I will keep them. > though according to the wiki page they are part > of the front-desk duties. > > Should we update it? so far, I think, frontdesk has never done this,

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
On Mon, Apr 08, 2019 at 12:32:35PM +, Holger Levsen wrote: > Hi, > > I've done this again and am considering (in general) to not write these mails > anymore. Please speak up if you think these mails are useful (or could > be made more useful.) > > Today I do feel it's useful to point out,

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 11:26:31AM -0400, Roberto C. Sánchez wrote: > I knew something was missing from my message :-) :) > I have no problem updating the notes weekly or so. That solution would > also fit well with the current system. great! and yes, simply updating the note is enough. It's

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Roberto C. Sánchez
On Mon, Apr 08, 2019 at 04:25:39PM +, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 11:26:31AM -0400, Roberto C. Sánchez wrote: > > I knew something was missing from my message :-) > > :) > > > I have no problem updating the notes weekly or so. That solution would > > also fit well with

Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity

2019-04-08 Thread Holger Levsen
On Mon, Apr 08, 2019 at 12:36:25PM -0400, Roberto C. Sánchez wrote: > That is excellent to know. Thanks for the feedback. thank you too! :) -- tschau, Holger ---

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Sylvain Beucler
Hi, On 08/04/2019 21:56, Holger Levsen wrote: > On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: >> Recently I noticed that for a no-dsa (either no-dsa or the >> stronger ignored), explanations such as "not used >> by any sponsor" have started to be used. That sounds

LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Salvatore Bonaccorso
Hi LTS contributors, Recently I noticed that for a no-dsa (either no-dsa or the stronger ignored), explanations such as "not used by any sponsor" have started to be used. If LTS is meant as a Debian project, then I would suggest not starting to use those formulations, which I think are fine for

[SECURITY] [DLA 1751-1] suricata security update

2019-04-08 Thread Hugo Lefeuvre
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: suricata Version: 2.0.7-2+deb8u4 CVE ID : CVE-2018-10242 CVE-2018-10243 Multiple vulnerabilities have been found in suricata, the network threat detection engine: CVE-2018-10242 Missing length check causing

Re: more missing DLAs on the website

2019-04-08 Thread Holger Levsen
retitle 859122 25 DLAs missing from the website thanks On Wed, Apr 03, 2019 at 05:47:42PM +1100, Brian May wrote: > > Thanks for this offer! I don't think anybody would complain if you do this > > work... quite the contrary :) > I fixed some more: >

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Holger Levsen
Hi Salvatore, On Mon, Apr 08, 2019 at 09:51:19PM +0200, Salvatore Bonaccorso wrote: > Recently I noticed that for a no-dsa (either no-dsa or the > stronger ignored), explanations such as "not used > by any sponsor" have started to be used. > > If LTS is meant as a Debian project, then I would

[SECURITY] [DLA 1752-1] poppler security update

2019-04-08 Thread Mike Gabriel
Package: poppler Version: 0.26.5-2+deb8u9 CVE ID : CVE-2019-9631 Debian Bug : A security issue was discovered in the poppler PDF rendering shared library. The Poppler shared library had a heap-based buffer over-read in the CairoRescaleBox.cc

Re: more missing DLAs on the website

2019-04-08 Thread Brian May
Holger Levsen writes: > ERROR: .data or .wml file missing for DLA 1750-1 > ERROR: .data or .wml file missing for DLA 1730-2 > ERROR: .data or .wml file missing for DLA 719-1 > ERROR: .data or .wml file missing for DLA 706-1 > ERROR: .data or .wml file missing for DLA 659-1 > ERROR: .data or .wml

Accepted poppler 0.26.5-2+deb8u9 (source amd64 all) into oldstable

2019-04-08 Thread Mike Gabriel
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Mon, 08 Apr 2019 18:17:24 +0200 Source: poppler Binary: libpoppler46 libpoppler-dev libpoppler-private-dev libpoppler-glib8 libpoppler-glib-dev libpoppler-glib-doc gir1.2-poppler-0.18 libpoppler-qt4-4 libpoppler-qt4-dev

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-08 Thread Markus Koschany
On 08.04.19 at 21:51, Salvatore Bonaccorso wrote: > Hi LTS contributors, > > Recently I noticed that for a no-dsa (either no-dsa or the > stronger ignored), explanations such as "not used > by any sponsor" have started to be used. > > If LTS is meant as a Debian project, then I would suggest not

Accepted proftpd-dfsg 1.3.5e-0+deb8u1 (source amd64 all) into oldstable

2019-04-08 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 08 Apr 2019 21:30:59 +0200 Source: proftpd-dfsg Binary: proftpd-basic proftpd-dev proftpd-doc proftpd-mod-mysql proftpd-mod-pgsql proftpd-mod-ldap proftpd-mod-odbc proftpd-mod-sqlite proftpd-mod-geoip Architecture: source

[SECURITY] [DLA 1753-1] proftpd-dfsg security update

2019-04-08 Thread Markus Koschany
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package: proftpd-dfsg Version: 1.3.5e-0+deb8u1 CVE ID : not-available Debian Bug : 923926 Several memory leaks were discovered in proftpd-dfsg, a versatile, virtual-hosting FTP daemon, when mod_facl or mod_sftp is used