Re: Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Olivier Dousse
Hi Mike,

I have the exact same problem on my server. I simply upgraded from 
4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
Given the patch you attached, this is very strange. But after downgrading back 
to 4.1.1-P1-15+squeeze8, everything was fine again. So there seems to be indeed 
a (critical) issue with 4.1.1-P1-15+squeeze9, as it basically breaks the DHCP 
server.

Cheers,
Olivier






Re: Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Ben Hutchings
On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> Hi Mike,
> 
> I have the exact same problem on my server. I simply upgraded from
> 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> Given the patch you attached, this is very strange. But after
> downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> So there seems to be indeed a (critical) issue with 4.1.1-P1-
> 15+squeeze9, as it basically breaks the DHCP server.

I can't see anything wrong with the patch, so I wonder whether there
was something wrong with the build environment.

Additionally, the patch is *not* being applied to isc-dhcp-server.  It is
only applied when building isc-dhcp-server-ldap (see the commands for
the build-stamp target).  It needs to be moved further up the patch
series.

Ben.

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
- John Levine, moderator of comp.compilers




Re: isc-dhcp-server in squeeze-lst broken after update

2016-01-17 Thread Mike Gabriel

Hi Ben, hi all,

On So 17 Jan 2016 23:42:19 CET, Ben Hutchings wrote:

> On Sun, 2016-01-17 at 13:10 +0100, Olivier Dousse wrote:
> > Hi Mike,
> > 
> > I have the exact same problem on my server. I simply upgraded from
> > 4.1.1-P1-15+squeeze8 to 4.1.1-P1-15+squeeze9.
> > Given the patch you attached, this is very strange. But after
> > downgrading back to 4.1.1-P1-15+squeeze8, everything was fine again.
> > So there seems to be indeed a (critical) issue with 4.1.1-P1-
> > 15+squeeze9, as it basically breaks the DHCP server.
> 
> I can't see anything wrong with the patch, so I wonder whether there
> was something wrong with the build environment.


The package has been source-built on Debian jessie (debuild -uc -us -S)
and then binary-built with sbuild in a squeeze-lts (not squeeze) chroot.

I have checked my build log again. It seems that the CFLAGS specified
in debian/rules do not get exported properly to the build environment
and thus are not used at build time:


""" (from +squeeze9 build log)
[...]
Making all in server
make[2]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes  -I.. -DLOCALSTATEDIR='"/var"'
-g -O2  -Wall -Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF  
.deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c

[...]
"""

When adding "export CFLAGS" at the end of the CFLAGS declarations in
debian/rules, I get this:


""" (from upcoming +squeeze10 build log)
[...]
make[1]: Entering directory `/«PKGBUILDDIR»/server'
gcc -DHAVE_CONFIG_H -I. -I../includes  -I.. -DLOCALSTATEDIR='"/var"'  
-DLDAP_DEPRECATED   -Wall -g -O2  
-D_PATH_DHCLIENT_SCRIPT='"/sbin/dhclient-script"'  
-D_PATH_DHCPD_CONF='"/etc/dhcp/dhcpd.conf"'  
-D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"' -DNOMINUM  -MT  
dhcpd-dhcpd.o -MD -MP -MF .deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o  
`test -f 'dhcpd.c' || echo './'`dhcpd.c

[...]
"""

I wonder why this has been working in the first place.


> Additionally, the patch is *not* being applied to isc-dhcp-server.  It is
> only applied when building isc-dhcp-server-ldap (see the commands for
> the build-stamp target).  It needs to be moved further up the patch
> series.


Oh wow... Thanks for spotting this. I am currently preparing a
+squeeze10 revision upload, but I'd really like to get the dhcpd.conf
issue sorted out and addressed with the next upload first.



I will upload +squeeze10 with attached .debdiff later today.

Any feedback on the provided .debdiff is welcome.

Thanks+Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
diff -u isc-dhcp-4.1.1-P1/debian/rules isc-dhcp-4.1.1-P1/debian/rules
--- isc-dhcp-4.1.1-P1/debian/rules
+++ isc-dhcp-4.1.1-P1/debian/rules
@@ -37,6 +37,8 @@
 CFLAGS += -D_PATH_DHCLIENT_CONF='"/etc/dhcp/dhclient.conf"'
 CFLAGS += -DNOMINUM
 
+export CFLAGS
+
 patched-ldap/build-stamp:
dh_testdir
 
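Review bot: `export CFLAGS` makes the variable visible to configure and the sub-makes, but the two logs quoted above show it also replaces the flag set gcc ends up with: the +squeeze9 line carries `-Werror -fno-strict-aliasing` and the +squeeze10 line does not, so check whether upstream's build was supplying those defaults only while CFLAGS was unset and whether losing -fno-strict-aliasing is acceptable for this code base (if not, append it in debian/rules explicitly). The +squeeze10 excerpt also compiles dhcpd-dhcpd.o with -DLDAP_DEPRECATED, i.e. the LDAP variant, so verify that the plain dhcpd.o build of isc-dhcp-server, the package users reported broken, gets the -D_PATH_* defines as well.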
diff -u isc-dhcp-4.1.1-P1/debian/changelog isc-dhcp-4.1.1-P1/debian/changelog
--- isc-dhcp-4.1.1-P1/debian/changelog
+++ isc-dhcp-4.1.1-P1/debian/changelog
@@ -1,3 +1,16 @@
+isc-dhcp (4.1.1-P1-15+squeeze10) squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team (regression fix).
+  * debian/patches:
++ Move CVE-2015-8605.dpatch further up in the patch series. Assure that
+  the patch is applied to the non-LDAP build variant. Thanks to Ben
+  Hutchings for spotting this.
+  * debian/rules:
++ Export CFLAGS before build. Make sure that our Debianic path definitions
+  end-up in the binary builds of isc-dhcp-server*.
+
+ -- Mike Gabriel   Mon, 18 Jan 2016 05:19:44 +0100
+
 isc-dhcp (4.1.1-P1-15+squeeze9) squeeze-lts; urgency=medium
 
   * Non-maintainer upload by the Debian LTS Team.
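Review bot: the debian/rules bullet describes the fix but not the symptom; since this is the regression fix for +squeeze9, say that the +squeeze9 binaries were built without the -D_PATH_DHCPD_CONF/-D_PATH_DHCLIENT_CONF definitions from debian/rules, and reference the bug number if one was filed, so people hitting the regression can match it to the changelog. Minor wording: "end-up" should be "end up", and "Debianic" is better written as "Debian-specific".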
diff -u isc-dhcp-4.1.1-P1/debian/patches/00list 
isc-dhcp-4.1.1-P1/debian/patches/00list
--- isc-dhcp-4.1.1-P1/debian/patches/00list
+++ isc-dhcp-4.1.1-P1/debian/patches/00list
@@ -17,6 +17,7 @@
 security-20110810
 CVE-2012-3571_CVE-2012-3954
 CVE-2011-4539_CVE-2012-3955
+CVE-2015-8605
 
 # must be applied before the LDAP stuff
 no-libcrypto
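Review bot: moving CVE-2015-8605 above the `# must be applied before the LDAP stuff` marker changes its position relative to no-libcrypto and the dhcp-4.1.0-ldap-code patches; run a full `dpatch apply-all` for both build variants to confirm it still applies without offsets in the new spot and that the LDAP patches still apply on top of it. A one-line comment next to the entry saying why it has to sit above the marker (it must reach the non-LDAP build too) would keep the next backport from moving it back to the end of the list.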
@@ -26,6 +27,4 @@
 dhcp-4.1.0-ldap-code
 
-CVE-2015-8605
-
 # fix build when gcc option -Werror is used
 drop_unused_vars_from_ldap-c.dpatch



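The diagnosis in Mike's mail came from reading the gcc lines in the two build logs by hand. As an added example that is not part of the mail or of the isc-dhcp packaging, here is a small Python checker that pulls compiler invocations out of a build log and reports which of the expected -D path defines are missing or carry a different value; the log lines it runs on are constructed to mirror the two excerpts quoted above, and the `/build/server` directory is a placeholder.

```python
import os
import shlex
# Defines that the debian/rules CFLAGS in the thread must add (value as the preprocessor sees it).
REQUIRED_DEFINES = {
    "_PATH_DHCPD_CONF": '"/etc/dhcp/dhcpd.conf"',
    "_PATH_DHCLIENT_CONF": '"/etc/dhcp/dhclient.conf"',
    "_PATH_DHCLIENT_SCRIPT": '"/sbin/dhclient-script"',
}

def compile_commands(log):
    """Yield (source file, argv) for each 'gcc ... -c' line of a build log."""
    for line in log.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:  # make's "Entering directory `...'" lines carry a lone quote
            continue
        sources = [a for a in argv if a.endswith(".c") and not a.startswith("-")]
        if argv and os.path.basename(argv[0]).endswith(("gcc", "cc")) and "-c" in argv and sources:
            yield os.path.basename(sources[0].strip("`")), argv

def defines(argv):
    """Map -DNAME[=VALUE] arguments to {NAME: VALUE}; a bare -DNAME yields '1'."""
    out = {}
    for arg in argv:
        if arg.startswith("-D") and len(arg) > 2:
            name, sep, value = arg[2:].partition("=")
            out[name] = value if sep else "1"
    return out

def missing_defines(log, required=REQUIRED_DEFINES):
    """Return {source: [problem, ...]} for compiles lacking or mis-valuing a define."""
    problems = {}
    for source, argv in compile_commands(log):
        seen = defines(argv)
        issues = [f"missing {n}" if n not in seen else f"{n}={seen[n]} (expected {v})"
                  for n, v in sorted(required.items()) if seen.get(n) != v]
        if issues:
            problems[source] = issues
    return problems

# Constructed excerpts modelled on the two logs quoted in the mail (line wrapping undone).
LOG_SQUEEZE9 = (
    "gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='\"/var\"' -g -O2 -Wall "
    "-Werror -fno-strict-aliasing -MT dhcpd.o -MD -MP -MF .deps/dhcpd.Tpo -c -o dhcpd.o dhcpd.c\n")
LOG_SQUEEZE10 = (
    "make[1]: Entering directory `/build/server'\n"
    "gcc -DHAVE_CONFIG_H -I. -I../includes -I.. -DLOCALSTATEDIR='\"/var\"' -DLDAP_DEPRECATED -Wall -g -O2 "
    "-D_PATH_DHCLIENT_SCRIPT='\"/sbin/dhclient-script\"' -D_PATH_DHCPD_CONF='\"/etc/dhcp/dhcpd.conf\"' "
    "-D_PATH_DHCLIENT_CONF='\"/etc/dhcp/dhclient.conf\"' -DNOMINUM -MT dhcpd-dhcpd.o -MD -MP -MF "
    ".deps/dhcpd-dhcpd.Tpo -c -o dhcpd-dhcpd.o `test -f 'dhcpd.c' || echo './'`dhcpd.c\n")
```

Run `missing_defines()` over a real sbuild log to get a per-object list of compiles that did not receive the packaging's defines, which is the condition the +squeeze9 upload slipped through with.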

Re: squeeze update of librsvg?

2016-01-17 Thread Salvatore Bonaccorso
Hi Santiago,

Sorry for the late reply.

On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
> 
> El 30/12/15 a las 01:49, Ben Hutchings escribió:
> > Hello dear maintainer(s),
> > 
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
> 
> Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
> the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e. 
> https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> 
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that is no-dsa. What do you think? What's the security team position
> about it?

I have marked one issue as no-dsa for wheezy and jessie
(CVE-2015-7557). Regarding CVE-2015-7558, not sure here. But if the
fix is too intrusive to backport we can mark it as  (Too
intrusive to backport).

Regards,
Salvatore