*** This bug is a security vulnerability ***
Public security bug reported:
Oneiric tomcat7 (version 7.0.21-1) has the following vulnerability:
Apache Tomcat is prone to a denial-of-service vulnerability. Attacker
may leverage this issue to consume an excessive amount of CPU resources,
causing a
** Patch added: lp1115053-oneiric.debdiff
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3514213/+files/lp1115053-oneiric.debdiff
** Changed in: tomcat7 (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of
Yeah, I will look that I can prepare one debdiff with all the fixes.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1115053
Title:
Parameter Handling Denial of Service in Oneiric
Here is an updated debdiff with all the fixes.
Please note: CVE-2011-4858 is resolved through patch for CVE-2012-0022.
CVE-2012-5568 is seen as a non-issue for tomcat (see
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat)
Is the formating of the changelog okay like this?
From CVE-2012-2733 on Precise is affected too. Should I create a new bug for
it or add a future debdiff here?
As well some CVEs affect as well tomcat6. Same question: new bug or add here?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed
Jamie,
Thanks for the info. There is a fix for CVE-2012-2733 for tomcat7 from
upstream (see
http://svn.apache.org/viewvc?view=revisionrevision=1350301).
Did you see the new debdiff for oneiric in comment #5? All the fixes for
the CVEs I am aware of should be in it (as well CVE-2012-2733). Please
I see. Thanks for the further comments. I will see that I can fix this
and prepare a new debdiff.
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1115053
Title:
Multiple open
I updated the DEP-3 comments according to your input. I hope it's easier
now to understand the patches I made. For some patches I didn't find the
according upstream bugs so I left them out. As far as I see is the Bug-
field optional.
The testsuite additions are now included. I got one error
Finally the tests run without any errors. I hope everything is okay now
with the patch. Thanks for your patience anyway.
** Patch added: lp1115053-oneiric-4.debdiff
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3557794/+files/lp1115053-oneiric-4.debdiff
--
You
I rewrote the description on CVE-2012-3439.patch and fixed the
whitespace changes in CVE-2012-0022.patch as far as I saw them.
CVE-2012-3439 gave me quite some headache since the testcases upstream changed
already before a lot and it was hard to adopt to the oneiric version. Either I
would have
This is the precise patch. Hopefully it goes smoother this time ;)
Note that I got certificate errors when I run the testsuite (in
TestClientCert.BIO.txt, TestClientCert.NIO.txt, TestCustomSSL.BIO.txt,
TestCustomSSL.NIO.txt, TestSSL.BIO.txt and TestSSL.NIO.txt). However I
got the exact same
Jamie,
There seems to be a problem with the updated package.
See https://plus.google.com/112659624466139657672/posts/cMaEhQbcdGL
I guess the precise package cause the problem. Was there anything added
regarding startup?
--
You received this bug notification because you are a member of Ubuntu
*** This bug is a security vulnerability ***
Public security bug reported:
Tomcat6 on quantal and raring include multiple vulnerabilities.
See http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat6.html
** Affects: tomcat6 (Ubuntu)
Importance: Undecided
Status: New
**
I prepared a patch but want to test it first. Is there a testsuite
available in tomcat6 and is it enabled?
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat6 in Ubuntu.
https://bugs.launchpad.net/bugs/1166649
Title:
Multiple
Sitting too long on this patch for quantal and could not really enable the
testsuite I thought I just drop it here. Even with some hints from jamespage I
could not run the built in tests and didn't really had enough time to look
further in it.
The changes are all done as in upstream and it
*** This bug is a security vulnerability ***
Public security bug reported:
ruby-openid is affected by a XML denial of service (Entity Expansion
Attack / out of memory) attack.
See: https://github.com/openid/ruby-openid/pull/43
Patch:
Debdiff for quantal.
Tests done:
- Builds with pbuilder.
- Can install and upgrade cleanly.
** Patch added: lp1190179-quantal.debdiff
https://bugs.launchpad.net/ubuntu/+source/ruby-openid/+bug/1190179/+attachment/3701416/+files/lp1190179-quantal.debdiff
--
You received this bug
New debdiff to correctly set Maintainer in debian/control.
** Patch added: lp1190179-quantal-1.debdiff
https://bugs.launchpad.net/ubuntu/+source/ruby-openid/+bug/1190179/+attachment/3702015/+files/lp1190179-quantal-1.debdiff
--
You received this bug notification because you are a member of
*** This bug is a security vulnerability ***
Public security bug reported:
libopenid-ruby is affected by a XML denial of service (Entity Expansion
Attack / out of memory) attack.
See: https://github.com/openid/ruby-openid/pull/43
Patch:
It's the same vulnerability. As far as I see the package got
renamed/moved from libopenid-ruby to ruby-openid on quantal. Since they
are different packages I opened two bugs.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
*** This bug is a security vulnerability ***
Public security bug reported:
OCaml Xml-Light Library before r234 computes hash values without
restricting the ability to trigger hash collisions predictably, which
allows context-dependent attackers to cause a denial of service (CPU
consumption) via
Precise patch
** Patch added: lp1186860-precise.debdiff
https://bugs.launchpad.net/ubuntu/+source/xml-light/+bug/1186860/+attachment/3693254/+files/lp1186860-precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Lucid patch. I'm not sure if the versioning is right, since now precise
and lucid have the same version?
** Patch added: lp1186860-lucid.debdiff
https://bugs.launchpad.net/ubuntu/+source/xml-light/+bug/1186860/+attachment/3693335/+files/lp1186860-lucid.debdiff
--
You received this bug
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2012-3514
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1186860
Title:
Hash collision vulnerability in xml-light
To manage
Precise debdiff with right version.
** Patch added: lp1186860-precise-1.debdiff
https://bugs.launchpad.net/ubuntu/+source/xml-light/+bug/1186860/+attachment/3695033/+files/lp1186860-precise-1.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Lucid debdiff with right version.
Tests done on both debdiffs:
Builds with pbuilder.
Can install and upgrade cleanly.
Parses simple xml files (tests done with included test.ml)
** Patch added: lp1186860-lucid-1.debdiff
*** This bug is a security vulnerability ***
Public security bug reported:
Tomcat6 on quantal and raring include multiple vulnerabilities.
See http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat6.html
** Affects: tomcat6 (Ubuntu)
Importance: Undecided
Status: New
**
I prepared a patch but want to test it first. Is there a testsuite
available in tomcat6 and is it enabled?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1166649
Title:
Multiple open vulnerabilities
Sitting too long on this patch for quantal and could not really enable the
testsuite I thought I just drop it here. Even with some hints from jamespage I
could not run the built in tests and didn't really had enough time to look
further in it.
The changes are all done as in upstream and it
Jamie,
There seems to be a problem with the updated package.
See https://plus.google.com/112659624466139657672/posts/cMaEhQbcdGL
I guess the precise package cause the problem. Was there anything added
regarding startup?
--
You received this bug notification because you are a member of Ubuntu
*** This bug is a security vulnerability ***
Public security bug reported:
There is a parsing buffer overflow vulnerability in the MASI loader of
xmb. The vulnerability is caused due to a boundary error when parsing
MASI files, which can be exploited to cause a buffer overflow.
The
Debdiff for Raring.
** Patch added: lp1182769-raring.debdiff
https://bugs.launchpad.net/ubuntu/+source/xmp/+bug/1182769/+attachment/3689473/+files/lp1182769-raring.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Debdiff for Precise
** Patch added: lp1182769-precise.debdiff
https://bugs.launchpad.net/ubuntu/+source/xmp/+bug/1182769/+attachment/3689475/+files/lp1182769-precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
The version in Saucy (3.4.0-3) is already patched.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1182769
Title:
Buffer Overflow in MASI loader
To manage notifications about this bug go to:
Debdiff for Quantal
** Patch added: lp1182769-quantal.debdiff
https://bugs.launchpad.net/ubuntu/+source/xmp/+bug/1182769/+attachment/3689474/+files/lp1182769-quantal.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This is the precise patch. Hopefully it goes smoother this time ;)
Note that I got certificate errors when I run the testsuite (in
TestClientCert.BIO.txt, TestClientCert.NIO.txt, TestCustomSSL.BIO.txt,
TestCustomSSL.NIO.txt, TestSSL.BIO.txt and TestSSL.NIO.txt). However I
got the exact same
Oneiric patch
** Patch added: lp1092412-oneiric.debdiff
https://bugs.launchpad.net/ubuntu/precise/+source/xymon/+bug/1092412/+attachment/3483728/+files/lp1092412-oneiric.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Lucid patch
** Patch added: lp1092412-lucid.debdiff
https://bugs.launchpad.net/ubuntu/precise/+source/xymon/+bug/1092412/+attachment/3483729/+files/lp1092412-lucid.debdiff
** Changed in: xymon (Ubuntu Oneiric)
Status: New = Confirmed
** Changed in: xymon (Ubuntu Lucid)
Status:
*** This bug is a security vulnerability ***
Public security bug reported:
There is a vulnerability when Active Record is used in conjunction with
JSON parameter parsing.
Versions Affected: 3.x series
Not affected: 2.x series
See also:
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2013-0155
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1100162
Title:
Unsafe Query Generation Risk in Ruby on Rails
To manage
*** This bug is a security vulnerability ***
Public security bug reported:
There is a vulnerability when Active Record is used in conjunction with
JSON parameter parsing.
Versions Affected: 3.x series
Not affected: 2.x series
See also: http://www.openwall.com/lists/oss-security/2013/01/08/13
According to https://groups.google.com/forum/?fromgroups=#!topic
/rubyonrails-security/c7jT-EeN9eI all version (as well 2.x) is affected.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1100188
Title:
According to https://groups.google.com/forum/?fromgroups=#!topic
/rubyonrails-security/c7jT-EeN9eI all version (as well 2.x) is affected.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1100162
Title:
Patch for quantal 3.2.x serie
** Patch added: lp1100188-quantal-3.2.debdiff
https://bugs.launchpad.net/ubuntu/+source/ruby-activerecord-3.2/+bug/1100188/+attachment/3485936/+files/lp1100188-quantal-3.2.debdiff
** Changed in: ruby-activerecord-3.2 (Ubuntu)
Status: New = Confirmed
--
Patch for quantal
** Patch added: lp1100162-quantal.debdiff
https://bugs.launchpad.net/ubuntu/+source/ruby-actionpack-3.2/+bug/1100162/+attachment/3485947/+files/lp1100162-quantal.debdiff
** Changed in: ruby-actionpack-3.2 (Ubuntu)
Status: New = Confirmed
--
You received this bug
** Patch added: lp1083414-quantal.debdiff
https://bugs.launchpad.net/ubuntu/+source/pgbouncer/+bug/1083414/+attachment/3450319/+files/lp1083414-quantal.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: lp1083414-precise.debdiff
https://bugs.launchpad.net/ubuntu/+source/pgbouncer/+bug/1083414/+attachment/3452777/+files/lp1083414-precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Patch added: lp1083414-oneiric.debdiff
https://bugs.launchpad.net/ubuntu/+source/pgbouncer/+bug/1083414/+attachment/3453631/+files/lp1083414-oneiric.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
*** This bug is a security vulnerability ***
Public security bug reported:
Oneiric tomcat7 (version 7.0.21-1) has the following vulnerability:
Apache Tomcat is prone to a denial-of-service vulnerability. Attacker
may leverage this issue to consume an excessive amount of CPU resources,
causing a
** Patch added: lp1115053-oneiric.debdiff
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3514213/+files/lp1115053-oneiric.debdiff
** Changed in: tomcat7 (Ubuntu)
Status: New = Confirmed
--
You received this bug notification because you are a member of
*** This bug is a security vulnerability ***
Public security bug reported:
TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allows
remote authenticated users to cause a denial of service (NULL pointer
dereference and crash) by preparing an empty dynamic SQL query.
Upstream
Quantal fix
** Patch added: lp1115902-quantal.debdiff
https://bugs.launchpad.net/ubuntu/+source/firebird2.5/+bug/1115902/+attachment/3515331/+files/lp1115902-quantal.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Raring fix
** Patch added: lplp1115902-raring.debdiff
https://bugs.launchpad.net/ubuntu/+source/firebird2.5/+bug/1115902/+attachment/3515420/+files/lplp1115902-raring.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Daniel,
As in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693210 they have
already a patch. Don't really see why it is not applied.
** Bug watch added: Debian Bug tracker #693210
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693210
--
You received this bug notification because you
Thanks for the infos. I will prepare another patch which should reflect
your input.
One question about your last comment. Did you mean add the link to the
upstream fix to the debian/changelog file or create a new debian/changes
file since there is no such file yet?
--
You received this bug
Second try for the precise debdiff. Let me know if everything is correct
now. Specially with the link to the upstream fix from my comment before.
Thanks.
** Patch added: lp1088355-2-precise.debdiff
*** This bug is a security vulnerability ***
Public security bug reported:
Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Xymon
before 4.3.1 allow remote attackers to inject arbitrary web script or HTML
via unspecified vectors.
** Affects: xymon (Ubuntu)
Importance:
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2011-1716
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1092412
Title:
Xymon Multiple XSS
To manage notifications about this bug go
I updated the DEP-3 comments according to your input. I hope it's easier
now to understand the patches I made. For some patches I didn't find the
according upstream bugs so I left them out. As far as I see is the Bug-
field optional.
The testsuite additions are now included. I got one error
Finally the tests run without any errors. I hope everything is okay now
with the patch. Thanks for your patience anyway.
** Patch added: lp1115053-oneiric-4.debdiff
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1115053/+attachment/3557794/+files/lp1115053-oneiric-4.debdiff
--
You
Yeah, I will look that I can prepare one debdiff with all the fixes.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1115053
Title:
Parameter Handling Denial of Service in Oneiric
To manage
Precise fix
** Patch added: lp1115902-precise.debdiff
https://bugs.launchpad.net/ubuntu/+source/firebird2.5/+bug/1115902/+attachment/3516567/+files/lp1115902-precise.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Oneiric fix
** Patch added: lp1115902-oneiric.debdiff
https://bugs.launchpad.net/ubuntu/+source/firebird2.5/+bug/1115902/+attachment/3516579/+files/lp1115902-oneiric.debdiff
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Here is an updated debdiff with all the fixes.
Please note: CVE-2011-4858 is resolved through patch for CVE-2012-0022.
CVE-2012-5568 is seen as a non-issue for tomcat (see
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat)
Is the formating of the changelog okay like this?
From CVE-2012-2733 on Precise is affected too. Should I create a new bug for
it or add a future debdiff here?
As well some CVEs affect as well tomcat6. Same question: new bug or add here?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
I rewrote the description on CVE-2012-3439.patch and fixed the
whitespace changes in CVE-2012-0022.patch as far as I saw them.
CVE-2012-3439 gave me quite some headache since the testcases upstream changed
already before a lot and it was hard to adopt to the oneiric version. Either I
would have
*** This bug is a security vulnerability ***
Public security bug reported:
There are multiple open vulnerabilities (security bypass, DoS) in
tinyproxy affecting lucid up to raring.
** Affects: tinyproxy (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from
Note that CVE-2011-1499 and CVE-2011-1843 don't affect precise (higher
version than the vulnerable one). Hence just added patch for
CVE-2012-3505.
** Patch added: lp1154502-precise.debdiff
quantal and raring are not affected by any of these vulnerabilities.
Both already include all the needed fixes.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1154502
Title:
Multiple open
Jamie,
Thanks for the info. There is a fix for CVE-2012-2733 for tomcat7 from
upstream (see
http://svn.apache.org/viewvc?view=revisionrevision=1350301).
Did you see the new debdiff for oneiric in comment #5? All the fixes for
the CVEs I am aware of should be in it (as well CVE-2012-2733). Please
I see. Thanks for the further comments. I will see that I can fix this
and prepare a new debdiff.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1115053
Title:
Multiple open vulnerabilities in
*** This bug is a security vulnerability ***
Public security bug reported:
A security flaw was found in the way osc displayed build logs and build
status for particular build. A rogue repository server could use this
flaw to modify window's title, or possibly execute arbitrary commands or
Quantal ruby-openid is already fixed through
https://bugs.launchpad.net/ubuntu/+source/ruby-openid/+bug/1190179.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1190491
Title:
XML denial of service
Precise debdiff.
Tested install/upgrade on clean system.
Tested with the testsuite from osc (tests/suite.py). Got some errors in
TestCommit. Not sure if it might be a configuration thing. I got the same kind
of errors for the patched and unpatched version.
** Patch added:
Finally I managed to run the rails_openid example. I created a new empty rails2
application with 'rails openid' and copied the relevant files from the example
to the new application.
Like this I could start the example application and create a new identity.
However I could not start the second
Lucid debdiff.
Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity and verifying via
second instance worked without a problem.
** Patch added: lp1190491-lucid.debdiff
Precise debdiff.
Tests done:
- Builds with pbuilder
- can install and upgrade cleanly
- Tested with examples/rails_openid: creation of new identity worked without a
problem. I could not start the second server with 'script/server --port=3001'.
The application didn't understand the port part.
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1083414
Title:
DoS-Vulnerability in pgbouncer
To manage notifications about this
And the last patch for lucid. Since this is my first security bug fix
let me know if I missed something or can improve anything.
** Patch added: lp1083414-lucid.debdiff
https://bugs.launchpad.net/ubuntu/+source/pgbouncer/+bug/1083414/+attachment/3455964/+files/lp1083414-lucid.debdiff
--
You
*** This bug is a security vulnerability ***
Public security bug reported:
There is a information disclosure vulnerability in dtach.
There is a upstream fix available
(http://sourceforge.net/tracker/download.php?group_id=36489atid=417357file_id=441195aid=3517812).
The versions in raring and
Please check the attached precise patch. Since the package doesn't have a patch
system. So let me know if I have to change anything.
Tested: Upgrading, retested that bug is corrected (unclean disconnect)
** Patch added: lp1088355-precise.debdiff
** Changed in: xymon (Ubuntu Precise)
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1092412
Title:
Xymon Multiple XSS
To manage notifications about this bug go to:
Thanks for the review.
Yes some of the other patches apply with fuzz already before my patch
added and there was no change in the behavior befor and after my patch.
There is no particular reason for adding my patch at the head of the
series other than using 'quilt new x' which put it on top.
This is the new patch with the changes according to the feedback.
** Patch added: lp1092412-2-precise.debdiff
https://bugs.launchpad.net/ubuntu/precise/+source/xymon/+bug/1092412/+attachment/3479187/+files/lp1092412-2-precise.debdiff
** Changed in: xymon (Ubuntu Precise)
Status:
This is a backported patch for precise. It's based on the changes made
upstream (from 4.3.0 to 4.3.1). I hope I didn't miss anything. As well
please check if the new versioning is right.
** Patch added: lp1092412-precise.debdiff
sudo dpkg --configure -a
Setting up linux-headers-4.13.0-17-generic (4.13.0-17.20) ...
Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 4.13.0-17-generic
/boot/vmlinuz-4.13.0-17-generic
Seems to stuck for me on a wait4:
sudo strace -p9784
strace:
86 matches
Mail list logo
