Bug#868284: stretch-pu: package suricata/3.2.1-1

2017-08-13 Thread Arturo Borrero Gonzalez
On 8 August 2017 at 17:39, Adam D. Barratt wrote:
>
> Thanks. Please go ahead, with the tweaks from the earlier discussion -
> i.e. 3.2.1-1+deb9u1, with a changelog distribution of "stretch".
>

Uploaded, thanks.



Bug#872023: transition: nodejs

2017-08-13 Thread Jérémy Lal
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition

Transition from nodejs 4 to nodejs 6, with module abi change from
version 46 to version 48.
All nodejs C++ addons (build-depending on nodejs-dev) must be rebuilt.

Also Julien Puydt rebuilt all node modules packages against nodejs 6
to check for failures and report them:
- node-chai #868319 fixed upstream
- node-argparse #868294 might be fixed upstream
- node-evp-bytestokey fails and is deprecated. #868298

Also, I've been using nodejs 6 from experimental for some time now, and I
don't see breakage.

Ben file:

title = "nodejs";
is_affected = .build-depends ~ /nodejs-dev/;
is_good = .depends ~ /nodejs-abi-48/;
is_bad = .depends ~ /nodejs-abi-46/;


Regards,

Jérémy

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.11.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)


NEW changes in stable-new

2017-08-13 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mips64el.changes
  ACCEPT



NEW changes in stable-new

2017-08-13 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mipsel.changes
  ACCEPT



NEW changes in stable-new

2017-08-13 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_armhf.changes
  ACCEPT



Bug#869836: stretch-pu: package nvidia-graphics-drivers/375.82-1~deb9u1

2017-08-13 Thread Julien Aubin
On Sat, 12 Aug 2017 12:41:20 -0400 "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + pending
>
> On Wed, 2017-08-09 at 17:17 +0200, Andreas Beckmann wrote:
> > On Tue, 08 Aug 2017 16:12:47 -0400 "Adam D. Barratt"
> >  wrote:
> > > Please go ahead, and we'll hope it looks sane after that. :-p
> >
> > Uploaded, with the attached diff (from svn, excluding the blobs).
>
> Flagged for acceptance.
>
> Regards,
>
> Adam
>
>
>

Hi Adam,

Just to confirm the fix does work fine for me, no regression seen.

Hardware used :
Intel Core i7 4790
32 GB RAM
NVidia GeForce GTX 1070
Debian Stretch AMD64 w/ 4.9 kernel (i.e. not bpo)

Environment : KDE

Games tested :
Civilization VI (benchmark only)
Shadow of Mordor (benchmark only)
Sudden Strike 4
Wargame Red Dragon


Also tested on a GeForce GTX 970 (just boot test) w/o issue.


NEW changes in stable-new

2017-08-13 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_mips.changes
  ACCEPT



Bug#869836: Info received (Bug#869836: stretch-pu: package nvidia-graphics-drivers/375.82-1~deb9u1)

2017-08-13 Thread Julien Aubin
Hi,

Also tested on a third machine w/ a GeForce GTX 760 and KDE and kernel 4.9
AMD64 and it works well too.

Thanks

2017-08-13 16:51 GMT+02:00 Debian Bug Tracking System :

> Thank you for the additional information you have supplied regarding
> this Bug report.
>
> This is an automatically generated reply to let you know your message
> has been received.
>
> Your message is being forwarded to the package maintainers and other
> interested parties for their attention; they will reply in due course.
>
> Your message has been sent to the package maintainer(s):
>  Debian Release Team 
>
> If you wish to submit further information on this problem, please
> send it to 869...@bugs.debian.org.
>
> Please do not send mail to ow...@bugs.debian.org unless you wish
> to report a problem with the Bug-tracking system.
>
> --
> 869836: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869836
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>


NEW changes in stable-new

2017-08-13 Thread Debian FTP Masters
Processing changes file: webkit2gtk_2.16.6-0+deb9u1_armel.changes
  ACCEPT



Bug#866335: Python3.6 blocker: automake

2017-08-13 Thread Bastien ROUCARIES
control: block -1 by 872052
control: affects 872052 src:imagemagick


Hi,

I have found why pythonmagick fails: automake is at fault

automake does not support python3.6...

I have made a patch and I plan to NMU if you are ok ASAP



Processed: Python3.6 blocker: automake

2017-08-13 Thread Debian Bug Tracking System
Processing control commands:

> block -1 by 872052
Bug #866335 [release.debian.org] transition: python3-defaults
866335 was blocked by: 866575
866335 was not blocking any bugs.
Added blocking bug(s) of 866335: 872052
> affects 872052 src:imagemagick
Bug #872052 [automake] [automake] Lack of python3.6 support
Added indication that 872052 affects src:imagemagick

-- 
866335: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866335
872052: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872052
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: reassign 872058 to src:linux, forcibly merging 869511 872058

2017-08-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 872058 src:linux
Bug #872058 {Done: Ben Hutchings } 
[linux-headers-4.11.0-2-all] linux-headers-4.11.0-2-all: impossible to install 
due to version incompatibility with common header package
Bug reassigned from package 'linux-headers-4.11.0-2-all' to 'src:linux'.
No longer marked as found in versions linux/4.11.11-1.
No longer marked as fixed in versions 4.12.6-1.
> forcemerge 869511 872058
Bug #869511 {Done: Ben Hutchings } [src:linux] linux: 
binNMU-unsafe dependency on linux-headers-*-common
Bug #869670 {Done: Ben Hutchings } [src:linux] Depends: 
linux-headers-4.11.0-2-common ... but it is not going to be installed
Bug #869824 {Done: Ben Hutchings } [src:linux] missing 
package
Bug #870132 {Done: Ben Hutchings } [src:linux] 
linux-headers-amd64 broken, can't install
Bug #870298 {Done: Ben Hutchings } [src:linux] 
4.11.0-2-amd64 headers cannot be installed
Bug #872058 {Done: Ben Hutchings } [src:linux] 
linux-headers-4.11.0-2-all: impossible to install due to version 
incompatibility with common header package
865614 was blocked by: 869511 870298 869824 870132 869670 867257
865614 was not blocking any bugs.
Added blocking bug(s) of 865614: 872058
866389 was blocked by: 869602 826471 866317 869383 869139 865033 869576 866934 
826502 865034 826505 865477 866315 869583 827640 866944 869670 865020 869579 
869824 870132 866978 826497 869418 865045 867213 870298 809352 867514 826473 
867046 865898 865380 869504 869578 869436 867984 865893 869580 865482 865224 
869357 869511 826489 867210 869433 865888
866389 was not blocking any bugs.
Added blocking bug(s) of 866389: 872058
Marked as fixed in versions linux/4.12.6-1.
The source linux and version 4.11.11-1+b1 do not appear to match any binary 
packages
Marked as found in versions linux/4.11.11-1+b1 and linux/4.11.11-1.
Added tag(s) newcomer.
Bug #869670 {Done: Ben Hutchings } [src:linux] Depends: 
linux-headers-4.11.0-2-common ... but it is not going to be installed
Bug #869824 {Done: Ben Hutchings } [src:linux] missing 
package
Bug #870132 {Done: Ben Hutchings } [src:linux] 
linux-headers-amd64 broken, can't install
Bug #870298 {Done: Ben Hutchings } [src:linux] 
4.11.0-2-amd64 headers cannot be installed
Merged 869511 869670 869824 870132 870298 872058
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
865614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865614
866389: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866389
869511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869511
869670: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869670
869824: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869824
870132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870132
870298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870298
872058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872058
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#872056: jessie-pu: package krb5/1.12.1+dfsg-19+deb8u2

2017-08-13 Thread Sam Hartman
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi. I'd like to get some security updates that were not serious enough
for a DSA into jessie.  The security team encouraged me to make this
request, so they are in the loop, but have not reviewed the diff or the 
specific set of CVEs fixed.

Diff produced with git diff dgit/dgit/jessie debian after looking at
git diff --numstat dgit/dgit/jessie to make sure that all the changes
outside of debian were because of new applied patches.  Also confirmed
that dgit quilt-fixup shows no changes between the produced source
package and my tree.

I've confirmed this builds, but have not reviewed the diffs
line-by-line (although all these changes are shipping in stretch or
sid now) and have not finished my testing.
I'll do both of those things before uploading.

diff --git a/debian/changelog b/debian/changelog
index d90f21581b..6aa052a1c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high
+
+  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
+Closes: #869260
+  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), , Closes:
+#832572
+  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
+attackers, Closes: #819468
+  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
+  
+ -- Sam Hartman   Sun, 13 Aug 2017 18:02:34 -0400
+
 krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
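
Review bot: The CVE-2016-3120 entry in the new stanza has a doubled space after the bullet and a stray ", ," before "Closes:", and the four entries use three different shapes ("CVE-...: description", "fix for CVE-...", "description (CVE-...)"). Suggest one shape throughout, for example "* CVE-2016-3120: KDC crash with restrict_anonymous_to_tgt, Closes: #832572"; that also spells the option the way the patch description does, where the entry currently abbreviates it to restrict_anon_to_tgt. The otherwise empty "+" line before the signature carries trailing whitespace. It would also help stable reviewers if each entry named the debian/patches file that implements it, since the diff adds one patch file per fix.
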
diff --git a/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch 
b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
new file mode 100644
index 00..f1f5ff13a8
--- /dev/null
+++ b/debian/patches/fix-ldap-null-deref-on-empty-arg-cve-201.patch
@@ -0,0 +1,37 @@
+From: Greg Hudson 
+Date: Mon, 14 Mar 2016 17:26:34 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 
f7e4ca67d86a5a5b280b859072bbc5015a2ddd27
+Subject: Fix LDAP null deref on empty arg [CVE-2016-3119]
+
+In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
+if there is an empty string in the db_args array.  Check for this case
+and avoid dereferencing a null pointer.
+
+CVE-2016-3119:
+
+In MIT krb5 1.6 and later, an authenticated attacker with permission
+to modify a principal entry can cause kadmind to dereference a null
+pointer by supplying an empty DB argument to the modify_principal
+command, if kadmind is configured to use the LDAP KDB module.
+
+CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND
+
+(cherry picked from commit 08c642c09c38a9c6454ab43a9b53b2a89b9eef99)
+
+ticket: 8383
+version_fixed: 1.14.2
+
+(cherry picked from commit b5abd8c4872d7a024d49439342a6643f774afb1c)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
 krb5-1.12.1+dfsg/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -268,6 +268,7 @@ process_db_args(krb5_context context, ch
+ if (db_args) {
+ for (i=0; db_args[i]; ++i) {
+ arg = strtok_r(db_args[i], "=", _val);
++arg = (arg != NULL) ? arg : "";
+ if (strcmp(arg, TKTPOLICY_ARG) == 0) {
+ dptr = >tktpolicydn;
+ } else {
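
Review bot: The added line `arg = (arg != NULL) ? arg : "";` in process_db_args() turns a NULL token from strtok_r() into an empty string, which makes the following strcmp(arg, TKTPOLICY_ARG) safe, but the empty argument then falls through to an else branch that this hunk does not show. Worth confirming against the full file that that branch rejects the argument as an error rather than going on to use the value pointer. A regression test that passes an empty DB argument to modify_principal would pin the behaviour down. The patch header also carries two "cherry picked from" lines, so a short note saying which upstream branch this backport was taken from would make it easier to compare against the version already shipping in stretch.
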
diff --git a/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch 
b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
new file mode 100644
index 00..4b63bd8ee0
--- /dev/null
+++ b/debian/patches/fix-s4u2self-kdc-crash-when-anon-is-rest.patch
@@ -0,0 +1,51 @@
+From: Greg Hudson 
+Date: Tue, 19 Jul 2016 11:00:28 -0400
+X-Dgit-Generated: 1.12.1+dfsg-19+deb8u3 
862d5e532d03db566ee2955f69e008a253d39dec
+Subject: Fix S4U2Self KDC crash when anon is restricted
+
+In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
+use client.princ instead of request->client; the latter is NULL when
+validating S4U2Self requests.
+
+CVE-2016-3120:
+
+In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
+to dereference a null pointer if the restrict_anonymous_to_tgt option
+is set to true, by making an S4U2Self request.
+
+  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
+
+ticket: 8458
+version_fixed: 1.14.3
+
+(cherry picked from commit 85c3046d42eeb821967ad5625fcb08e8c6177b1a)
+
+---
+
+--- krb5-1.12.1+dfsg.orig/src/kdc/kdc_util.c
 krb5-1.12.1+dfsg/src/kdc/kdc_util.c
+@@ -688,7 +688,7 @@ validate_as_request(kdc_realm_t *kdc_act
+ return(KDC_ERR_MUST_USE_USER2USER);
+ }
+ 
+-if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
++if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
+ *status = "ANONYMOUS NOT ALLOWED";
+ return(KDC_ERR_POLICY);
+ }
+--- krb5-1.12.1+dfsg.orig/src/tests/t_pkinit.py