[SECURITY] [DLA-329-2] postgresql-8.4 update corrected

2015-11-04 Thread Christoph Berg
Package: postgresql-8.4
Version: 8.4.22lts5-0+deb6u2

The 8.4.22lts5-0+deb6u1 update failed to build on the i386
architecture because the regression tests were not correctly adapted
for changes in lts5. This has now been corrected; updated binaries for
i386 and amd64 (which was unaffected) have been published.

> Several bugs were discovered in PostgreSQL, a relational database server
> system.  The 8.4 branch is EOLed upstream, but still present in Debian
> squeeze. This new LTS minor version contains the fixes that were applied
> upstream to the 9.0.22 version, backported to 8.4.22 which was the last
> version officially released by the PostgreSQL developers.  This LTS effort
> for squeeze-lts is a community project sponsored by credativ GmbH.
> 
> ## Migration to Version 8.4.22lts5
> 
> A dump/restore is not required for those running 8.4.X.  However, if you are
> upgrading from a version earlier than 8.4.22, see the relevant release notes.
> 
> ## Security Fixes
> 
> Fix contrib/pgcrypto to detect and report too-short crypt salts (Josh
> Kupershmidt)
> 
> Certain invalid salt arguments crashed the server or disclosed a few
> bytes of server memory. We have not ruled out the viability of attacks
> that arrange for presence of confidential information in the disclosed
> bytes, but they seem unlikely. (CVE-2015-5288)

Christoph
-- 
c...@df7cb.de | http://www.df7cb.de/


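The salt check described in the quoted DLA text can also be enforced on the client side, before a salt ever reaches pgcrypto. The following is an added example, not code from the DLA, Debian or PostgreSQL: a small validator for the crypt()-style salt formats that pgcrypto's gen_salt() produces (des, xdes, md5, bf). The minimum lengths and character classes it enforces are assumptions derived from those textual formats, not from the patched pgcrypto source, and the function names are invented for this illustration.

```python
"""
Added example, not part of DLA-329-2 or of PostgreSQL/pgcrypto: reject
malformed or too-short crypt() salts in the application before they are
passed to pgcrypto's crypt(password, salt).

Assumed well-formed shapes (derived from what gen_salt() emits; these
thresholds are this example's assumptions, not pgcrypto's own code):
  des : 2 characters from [./A-Za-z0-9]
  xdes: "_" + 4 round characters + 4 salt characters
  md5 : "$1$" + 8 salt characters
  bf  : "$2a$" + two-digit cost + "$" + 22 salt characters
"""
import re
from typing import Tuple

_ALNUM = r"[./A-Za-z0-9]"

_SALT_PATTERNS = {
    "bf":   re.compile(r"^\$2[abxy]?\$\d{2}\$" + _ALNUM + r"{22}"),
    "md5":  re.compile(r"^\$1\$" + _ALNUM + r"{8}"),
    "xdes": re.compile(r"^_" + _ALNUM + r"{8}"),
    "des":  re.compile(r"^" + _ALNUM + r"{2}"),
}


def classify_salt(salt: str) -> str:
    """Pick the scheme from the salt prefix the way crypt()-style
    implementations do; anything without a known prefix is treated as
    traditional DES."""
    if salt.startswith("$2"):
        return "bf"
    if salt.startswith("$1$"):
        return "md5"
    if salt.startswith("_"):
        return "xdes"
    return "des"


def validate_salt(salt: str) -> Tuple[str, bool]:
    """Return (scheme, well_formed). A salt is well formed only if it is
    at least as long as the assumed minimum for its scheme and uses the
    crypt alphabet; shorter or oddly-charactered salts are rejected."""
    if not isinstance(salt, str):
        raise TypeError("salt must be a str")
    scheme = classify_salt(salt)
    return scheme, bool(_SALT_PATTERNS[scheme].match(salt))


def crypt_args(password: str, salt: str) -> Tuple[str, str]:
    """Gate for a parameterised `SELECT crypt(%s, %s)` query: refuse to
    send a salt the validator does not accept, so the database server
    never sees a truncated one even if it has not been patched yet."""
    scheme, ok = validate_salt(salt)
    if not ok:
        raise ValueError(f"malformed or too-short {scheme} salt: {salt!r}")
    return password, salt


if __name__ == "__main__":
    # Constructed sample salts: the first of each pair is the shape
    # gen_salt() would return, the second is truncated.
    samples = [
        "$2a$06$" + "N9qo8uLOickgx2ZMRZoMye",   # bf, well formed
        "$2a$06$abc",                           # bf, too short
        "$1$xyzabcde",                          # md5, well formed
        "$1$",                                  # md5, no salt at all
        "_J9..abcd",                            # xdes, well formed
        "ab",                                   # des, well formed
        "a",                                    # des, too short
    ]
    for s in samples:
        print(f"{s!r:40} -> {validate_salt(s)}")
```

This is defence in depth only: the real fix is the server-side one shipped in this DLA, and the simplest way to avoid the issue altogether is to let the server generate salts with gen_salt() rather than building them in application code.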


Re: Accepted postgresql-8.4 8.4.22lts5-0+deb6u1 (source all amd64) into squeeze-lts

2015-11-04 Thread Christoph Berg
Re: Pascal Hambourg 2015-10-27 <562f2f18.3060...@plouf.fr.eu.org>
> Hello,
> 
> According to
> 
> the build for i386 failed.

Hi Pascal,

I had noticed as well, but only now found the time to fix the problem.
The builds are now ok and should be available on the mirrors later
today.

Kind regards,
Christoph Berg
-- 
Senior Consultant, Tel.: +49 (0)21 61 / 46 43-187
credativ GmbH, HRB Mönchengladbach 12080, VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Management: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
pgp fingerprint: 5C48 FE61 57F4 9179 5970  87C6 4C5A 6BAB 12D2 A7AE



squeeze update of libsndfile?

2015-11-04 Thread Raphael Hertzog
Hello Erik,

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of libsndfile:
https://security-tracker.debian.org/tracker/CVE-2014-9756
https://security-tracker.debian.org/tracker/CVE-2015-7805
https://security-tracker.debian.org/tracker/CVE-2015-8075
(and possibly CVE-2014-9496 too which was ignored last time
due to being a minor issue)

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: squeeze update of nss?

2015-11-04 Thread Raphael Hertzog
Hi,

On Wed, 04 Nov 2015, Mike Hommey wrote:
> (While on the subject, there's another round of Iceweasel security
> updates coming, along with NSPR and NSS fixes, this time)

Yes, I was about to contact you again about those but you are already
aware of them:

For nss:
https://security-tracker.debian.org/tracker/CVE-2015-7181
https://security-tracker.debian.org/tracker/CVE-2015-7182

For nspr:
https://security-tracker.debian.org/tracker/CVE-2015-7183

They are all on our radar.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Raphael Hertzog
Hello,

On Wed, 16 Sep 2015, Raphael Hertzog wrote:
> On Tue, 25 Aug 2015, Holger Levsen wrote:
> > > In addition it would make sense to exclude the OpenStack packages
> > > in wheezy, they are fully unsupported upstream and very unlikely
> > > to be used since OpenStack is evolving so fast. You should discuss
> > > that with Thomas Goirand.
> > 
> > Thomas, what's your stance on this?

While Thomas did not reply directly, I discussed with him on IRC and he
confirmed to me that he already has troubles supporting OpenStack in the
current stable releases, so expecting to support OpenStack for 5 years
is not realistic.

I thus suggest to exclude OpenStack packages from LTS support.

Thomas, can you provide us the list of the corresponding source packages?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Raphael Hertzog
[ Many people are on copy, please trim the list as appropriate when you reply ]

On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> as a followup to yesterday's BoF I compared the list of unsupported
> packages in Squeeze LTS against the current status quo:

> Support for these ended in Wheezy already, so unsupported in LTS as well:
> chromium-browser
> typo3-src
> mediawiki (support will cease in April 2016)

For mediawiki, might it not make sense to update to a new upstream version
when upstream support ends? I know there's an ecosystem of plugins and
stuff like that but having to deal with an upgrade is probably better than
having a Mediawiki with security holes...

> Not covered by security support in normal security support, did
> someone actually check whether this still works in LTS? IMHO
> LTS should be limited to main. We shouldn't endorse the Flash plugin
> in LTS:
> flashplugin-nonfree

I agree that non-free should not be covered.

> Should probably be dropped:
> 
> mantis
> -> No active maintainer for years, has been kept on life support
>via security updates, frequent issues

Ack.

> asterisk
> -> Complicated to update/test, lack of effort by maintainers

Pinging the Asterisk maintainers. Do you think it is realistic to
support asterisk 1.8.13.1 in wheezy until May 2018?

Shall it be excluded from LTS support? Do you think you can support
it through backports?

(I see you have troubles supporting it in unstable/testing already...)

> openswan
> -> Dead upstream, strongswan exists as a supported alternative

Ack.

> movabletype-opensource
> -> Upstream went closed source, Dominic kept it on life support,
> should be checked with him

Dominic, do you think movabletype-opensource can be supported in wheezy
until May 2018?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Raphael Hertzog
[ Many people are on copy, please trim the list as appropriate when you reply ]

On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> These need to be discussed, since they will be a significant
> time drain (e.g. are they in the sponsors's interests?). They
> are supportable, but it will take a lot of work and sometimes
> special domain knowledge:
> 
> icedove
> iceweasel
> qemu
> qemu-kvm
> xen
> libvirt
> ffmpeg -> libav
> vlc
> rails -> several split packages (only the 3.2 packages are supported in wheezy)

Nobody commented here but I believe that we should aim to support them.
Except vlc, they are all used by some of the current sponsors (even though
they are not currently supported in squeeze).

It would be good to identify Debian maintainers with the required "special
domain knowledge" for all those packages so that they can be paid to
take care of those packages when the need arises (cf
https://www.freexian.com/services/debian-lts-details.html#join for
details about requirement for paid contributors).

Thus putting the respective maintainers/maintenance teams in copy (Mike
Hommey for iceweasel, Guido Günther for multiple packages, Christop Göhre for
Icedove, Aurelien Jarno, Riku Voipio, Vagrant Cascadian for qemu, Michael
Tokarev for qemu-kvm, Guido Trotter and Bastian Blank for Xen, Laurent
Léonard for libvirt, Sebastian Ramacher and pkg-multimedia for libav/vlc).

Do you know someone from the Debian maintenance team or from the upstream
project who could be hired for a few hours from time to time to provide the
required security updates on the above source packages when it gets too
complicated for the LTS contributors? Feel free to pass around this email
if you think of someone and want to inform him/her...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Dominic Hargreaves
On Wed, Nov 04, 2015 at 05:42:43PM +0100, Raphael Hertzog wrote:
> > movabletype-opensource
> > -> Upstream went closed source, Dominic kept it on life support,
> > should be checked with him
> 
> Dominic, do you think movabletype-opensource can be supported in wheezy
> until May 2018?

No, I would rather not do this: the last open source version went out 
of support at the end of September as far as I can tell from this:

https://movabletype.org/product-life-cycle-policy.html

so there is nothing to backport upstream fixes from any more.
We should send out an EOL notice for wheezy-security too.

Thanks for checking!

Cheers,
Dominic.



Re: Accepted postgresql-8.4 8.4.22lts5-0+deb6u1 (source all amd64) into squeeze-lts

2015-11-04 Thread Pascal Hambourg
Christoph Berg wrote:
> Re: Pascal Hambourg 2015-10-27 <562f2f18.3060...@plouf.fr.eu.org>
>>
>> the build for i386 failed.
> 
> I had noticed as well, but only now found the time to fix the problem.
> The builds are now ok and should be available on the mirrors later
> today.

Indeed. Thanks.



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Mike Hommey
On Wed, Nov 04, 2015 at 05:44:36PM +0100, Raphael Hertzog wrote:
> [ Many people are on copy, please trim the list as appropriate when you reply ]
> 
> On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> > These need to be discussed, since they will be a significant
> > time drain (e.g. are they in the sponsors's interests?). They
> > are supportable, but it will take a lot of work and sometimes
> > special domain knowledge:
> > 
> > icedove
> > iceweasel
> > qemu
> > qemu-kvm
> > xen
> > libvirt
> > ffmpeg -> libav
> > vlc
> > rails -> several split packages (only the 3.2 packages are supported in wheezy)
> 
> Nobody commented here but I believe that we should aim to support them.
> Except vlc, they are all used by some of the current sponsors (even though
> they are not currently supported in squeeze).
> 
> It would be good to identify Debian maintainers with the required "special
> domain knowledge" for all those packages so that they can be paid to
> take care of those packages when the need arises (cf
> https://www.freexian.com/services/debian-lts-details.html#join for
> details about requirement for paid contributors).

Speaking for iceweasel, backports to wheezy are not a significant
overhead compared to packaging for unstable and stable-security.

With that being said, the fact that we're backporting new upstream
ESR releases is going to have its own problems sooner or later, related
to the toolchains. First and foremost, while GCC 4.7 is the current
minimum version supported, it's likely to become GCC 4.8 in the near
future, because of some wanted C++11/C++14 features. Second, Firefox is
soon going to require the rust compiler, which we have no package for
except in unstable.

So there should be a discussion about what we do about those toolchains
first (and that's a broader discussion to have than LTS).

Mike



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Thomas Goirand
On 11/04/2015 04:40 PM, Raphael Hertzog wrote:
> Hello,
> 
> On Wed, 16 Sep 2015, Raphael Hertzog wrote:
>> On Tue, 25 Aug 2015, Holger Levsen wrote:
>>>> In addition it would make sense to exclude the OpenStack packages
>>>> in wheezy, they are fully unsupported upstream and very unlikely
>>>> to be used since OpenStack is evolving so fast. You should discuss
>>>> that with Thomas Goirand.
>>>
>>> Thomas, what's your stance on this?
> 
> While Thomas did not reply directly, I discussed with him on IRC and he
> confirmed to me that he already has troubles supporting OpenStack in the
> current stable releases, so expecting to support OpenStack for 5 years
> is not realistic.
> 
> I thus suggest to exclude OpenStack packages from LTS support.
> 
> Thomas, can you provide us the list of the corresponding source packages?
> 
> Cheers,

Hi,

Sorry that I forgot to answer.

Just to confirm, Raphael is right with the above. Upstream doesn't
provide security patches after a year, and what's in Jessie lost support
from upstream just a few weeks after the release.

Even more: if we had PPAMAIN (or Bikesheds?), I'd stop uploading to Sid
and I would work there only, so that I wouldn't get the burden of
supporting Stable, plus Debian users would get the benefits of having
all the releases of OpenStack in a specific repository, making it
easier to do upgrades (and security support would match what
upstream provides).

To answer your question, all the packages for OpenStack are listed on
the team's QA page:
https://qa.debian.org/developer.php?login=openstack-de...@lists.alioth.debian.org

Cheers,

Thomas Goirand (zigo)



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Tzafrir Cohen
On Wed, Nov 04, 2015 at 05:42:43PM +0100, Raphael Hertzog wrote:
> [ Many people are on copy, please trim the list as appropriate when you reply ]
> 
> On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> > as a followup to yesterday's BoF I compared the list of unsupported
> > packages in Squeeze LTS against the current status quo:
> 
> > Support for these ended in Wheezy already, so unsupported in LTS as well:

> > asterisk
> > -> Complicated to update/test, lack of effort by maintainers
> 
> Pinging the Asterisk maintainers. Do you think it is realistic to
> support asterisk 1.8.13.1 in wheezy until May 2018?

Upstream no longer supports it officially. So it requires backporting.

I previously hoped that a working testsuite will give me better
confidence in backporting. Many components for it are still missing, but
one was recently added (python interface of pjproject).

> 
> Shall it be excluded from LTS support? Do you think you can support
> it through backports?

Backports will simplify the problem, indeed, as they are supported by
upstream.

The thing to consider, then, is how to reduce the chance of breaking
users' configurations.

> 
> (I see you have troubles supporting it in unstable/testing already...)

Sorry about that. Trying to pick it back up. I'll try to give a better
reply in a month. Ditto for the viability of using a test-suite.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il || a Mutt's
tzaf...@cohens.org.il ||  best
tzaf...@debian.org|| friend



Using the same nss in all suites

2015-11-04 Thread Guido Günther
Hi,

Backporting fixes for nss can become a challenge over time due to:

* Bugs related to MFAs (often containing test cases) being restricted so
  one can only look at hg and try to find all the relevant commits.

* The library has rather frequent security updates

* The code diverges over the years


I haven't found an explicit statement about ABI stability on the nss
site but RedHat and others seem to be doing fine with always using the
latest version in all suites and I wonder if we should do the same. This
would probably include updating the nspr dependency from time to time
too.

I wonder what the maintainers' and security team's stance is on this?
Should we do this? Should we start with this during Jessie? If so I
would be happy to prepare packages for the different distributions and
do some testing.

Cheers,
 -- Guido



Re: Using the same nss in all suites

2015-11-04 Thread Mike Hommey
On Thu, Nov 05, 2015 at 08:25:47AM +0100, Guido Günther wrote:
> Hi,
> 
> Backporting fixes for nss can become a challenge over time due to:
> 
> * Bugs related to MFAs (often containing test cases) being restricted so
>   one can only look at hg and try to find all the relevant commits.
> 
> * The library has rather frequent security updates
> 
> * The code diverges over the years
> 
> 
> I haven't found an explicit statement about ABI stability on the nss
> site but RedHat and others seem to be doing fine with always using the
> latest version in all suites and I wonder if we should do the same. This
> would probably include updating the nspr dependency from time to time
> too.
> 
> I wonder what the maintainers' and security team's stance is on this?
> Should we do this? Should we start with this during Jessie? If so I
> would be happy to prepare packages for the different distributions and
> do some testing.

On ABI stability, both NSPR and NSS have a very strict policy. NSPR
receives very few ABI changes, and it's only adding new functions. NSS
has many more ABI changes, but also only adding new functions.
The biggest issue with NSS version bumps is that defaults change, such
as ciphers, protocols, etc. That can have unexpected consequences on
existing setups.

Mike



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Guido Günther
Hi,

On Wed, Nov 04, 2015 at 05:44:36PM +0100, Raphael Hertzog wrote:
> [ Many people are on copy, please trim the list as appropriate when you reply ]
> 
> On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> > These need to be discussed, since they will be a significant
> > time drain (e.g. are they in the sponsors's interests?). They
> > are supportable, but it will take a lot of work and sometimes
> > special domain knowledge:
> > 
> > icedove
> > iceweasel
> > qemu
> > qemu-kvm
> > xen
> > libvirt
> > ffmpeg -> libav
> > vlc
> > rails -> several split packages (only the 3.2 packages are supported in wheezy)
> 

For wheezy I think it would be possible to maintain libvirt. Especially
if we don't support all hypervisors in Wheezy. I could probably set
aside the extra time given enough advanced notice when the LTS team
takes over Wheezy.

Should we decide to support e.g. KVM via backports this would change the
picture since there are usually always changes needed for e.g. newer
qemu-kvm versions, some of them being very intrusive.

For qemu/qemu-kvm I'm not so sure given the large amount of dependencies
and code changes between versions. It would be great to hear what
Michael thinks about this.

Cheers,
 -- Guido



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Guido Günther
Hi,
On Wed, Nov 04, 2015 at 05:44:36PM +0100, Raphael Hertzog wrote:
> [ Many people are on copy, please trim the list as appropriate when you reply ]
> 
> On Wed, 19 Aug 2015, Moritz Muehlenhoff wrote:
> > These need to be discussed, since they will be a significant
> > time drain (e.g. are they in the sponsors's interests?). They
> > are supportable, but it will take a lot of work and sometimes
> > special domain knowledge:
> > 
> > icedove
> > iceweasel
> > qemu
> > qemu-kvm
> > xen
> > libvirt
> > ffmpeg -> libav
> > vlc
> > rails -> several split packages (only the 3.2 packages are supported in wheezy)
> 
> Nobody commented here but I believe that we should aim to support them.
> Except vlc, they are all used by some of the current sponsors (even though
> they are not currently supported in squeeze).
> 
> It would be good to identify Debian maintainers with the required "special
> domain knowledge" for all those packages so that they can be paid to
> take care of those packages when the need arises (cf
> https://www.freexian.com/services/debian-lts-details.html#join for
> details about requirement for paid contributors).
> 
> Thus putting the respective maintainers/maintenance teams in copy (Mike
> Hommey for iceweasel, Guido Günther for multiple packages, Christop Göhre for
> Icedove, Aurelien Jarno, Riku Voipio, Vagrant Cascadian for qemu, Michael
> Tokarev for qemu-kvm, Guido Trotter and Bastian Blank for Xen, Laurent
> Léonard for libvirt, Sebastian Ramacher and pkg-multimedia for libav/vlc).
> 
> Do you know someone from the Debian maintenance team or from the upstream
> project who could be hired for a few hours from time to time to provide the
> required security updates on the above source packages when it gets too
> complicated for the LTS contributors? Feel free to pass around this email
> if you think of someone and want to inform him/her...

If we do iceweasel then icedove wouldn't be hard on top but I'll let
Christoph and Carsten (added to cc:) comment on this since I've not
done any real Icedove work since ages.

Cheers,
 -- Guido



Re: Unsupported packages for Wheezy LTS

2015-11-04 Thread Moritz Muehlenhoff
On Thu, Nov 05, 2015 at 06:47:03AM +0900, Mike Hommey wrote:
> First and foremost, while GCC 4.7 is the current
> minimum version supported, it's likely to become GCC 4.8 in the near
> future, because of some wanted C++11/C++14 features. 

That problem also bit us with chromium in wheezy. Introducing an updated
g++ isn't simple since libstdc++ is also built from the source package.

> Second, Firefox is
> soon going to require the rust compiler, which we have no package for
> except in unstable.

I'd say let's ask the maintainers (and stable release managers) to
introduce it in the next jessie point release.

Cheers,
Moritz