Re: [SECURITY] [DLA 448-1] subversion security update
Hi there;

As at: 20160501-0735 + (UTC): Updated packages DO NOT APPEAR at the Australian Mirror (IP: 150.203.164.61) of:
http://security.debian.org/debian-security/pool/updates/main/s/subversion/

Can someone please ensure that the updated packages are pushed out to the Australian Mirror at the earliest opportunity.

Yours sincerely,
Bjoern.

On 01/05/16 10:26, James McCoy wrote:
> Package: subversion
> Version: 1.6.17dfsg-4+deb7u11
> CVE ID : CVE-2016-2167 CVE-2016-2168
>
> CVE-2016-2167
>
> svnserve, the svn:// protocol server, can optionally use the Cyrus SASL library for authentication, integrity protection, and encryption. Due to a programming oversight, authentication against Cyrus SASL would permit the remote user to specify a realm string which is a prefix of the expected realm string.
>
> CVE-2016-2168
>
> Subversion's httpd servers are vulnerable to a remotely triggerable crash in the mod_authz_svn module. The crash can occur during an authorization check for a COPY or MOVE request with a specially crafted header value. This allows remote attackers to cause a denial of service.
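The realm-comparison flaw that the DLA describes for CVE-2016-2167 is a general bug class: a check that only tests whether the supplied value is a prefix of the expected one. The following is an added illustration written for this page in Python; it is not Subversion's or Cyrus SASL's code, and the realm value `svn.example.org` and the function names are constructed for the example. It places the prefix-style check beside the exact-match check a defender would want, and shows that the empty string passes the weak form.

```python
import hmac
from typing import List, Tuple

# Constructed sample realm (not from the advisory or from any real server).
EXPECTED_REALM = "svn.example.org"


def realm_accepted_prefix_match(expected: str, supplied: str) -> bool:
    """The weak form described in the advisory: the check passes whenever the
    supplied realm is a prefix of the expected realm.  "svn", "svn.example"
    and even "" are all accepted against "svn.example.org"."""
    return expected.startswith(supplied)


def realm_accepted_exact_match(expected: str, supplied: str) -> bool:
    """Hardened form: the supplied realm must equal the expected realm.
    hmac.compare_digest is used so the comparison does not short-circuit on
    the first differing byte, which removes a timing side channel as well."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def compare_checks(expected: str, candidates: List[str]) -> List[Tuple[str, bool, bool]]:
    """Run both checks over a list of candidate realms and return
    (candidate, accepted_by_prefix_check, accepted_by_exact_check)."""
    return [
        (c, realm_accepted_prefix_match(expected, c), realm_accepted_exact_match(expected, c))
        for c in candidates
    ]


if __name__ == "__main__":
    # Constructed candidates: the real realm, two prefixes, the empty string
    # and an unrelated realm.
    for realm, weak, strict in compare_checks(
        EXPECTED_REALM, ["svn.example.org", "svn.example", "svn", "", "other.example.org"]
    ):
        print(f"{realm!r:22} prefix-check={weak!s:5} exact-check={strict}")
```

The prefix check accepts every candidate except the unrelated realm, while the exact check accepts only the full string. When reviewing authentication code, any comparison that takes its length from the attacker-supplied side (a `strncmp` bounded by the supplied length, or a `startswith`) deserves the same scrutiny.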
Re: [SECURITY] [DLA 447-1] mysql-5.5 security update
Hi there;

As at: 20160501-0739 + (UTC): Updated packages DO NOT APPEAR at the Australian Mirror (IP: 150.203.164.61) of:
http://security.debian.org/debian-security/pool/updates/main/m/mysql-5.5/

Can someone please ensure that the updated packages are pushed out to the Australian Mirror at the earliest opportunity.

Yours sincerely,
Bjoern.

On 30/04/16 17:29, Santiago Ruano Rincón wrote:
> Package: mysql-5.5
> Version: 5.5.49-0+deb7u1
> CVE ID : CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-2047
> Debian Bug : 821100
>
> Several vulnerabilities have been discovered in the MySQL database server, which are fixed in the new upstream version 5.5.49. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:
>
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html
> https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-49.html
> http://www.oracle.com/technetwork/topics/security/cpuapr2016-2881694.html
>
> For Debian 7 "Wheezy", these issues have been fixed in mysql-5.5 version 5.5.49-0+deb7u1.
>
> We recommend that you upgrade your mysql-5.5 packages.
>
> Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/
Re: [SECURITY] [DLA 450-1] gdk-pixbuf security update
Hi there;

As at: 20160501-0745 + (UTC): Updated packages DO NOT APPEAR at the Australian Mirror (IP: 150.203.164.61) of:
http://security.debian.org/debian-security/pool/updates/main/g/gdk-pixbuf/

Can someone please ensure that the updated packages are pushed out to the Australian Mirror at the earliest opportunity.

Yours sincerely,
Bjoern.

On 01/05/16 02:07, Markus Koschany wrote:
> Package: gdk-pixbuf
> Version: 2.26.1-1+deb7u4
> CVE ID : CVE-2015-7552 CVE-2015-7674
>
> A heap-based buffer overflow has been discovered in gdk-pixbuf, a library for image loading and saving facilities, fast scaling and compositing of pixbufs, that allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. This update also fixes an incomplete patch for CVE-2015-7674.
>
> CVE-2015-7552
>
> Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file.
>
> CVE-2015-7674
>
> Integer overflow in the pixops_scale_nearest function in pixops/pixops.c in gdk-pixbuf before 2.32.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted GIF image file, which triggers a heap-based buffer overflow.
>
> For Debian 7 "Wheezy", these problems have been fixed in version 2.26.1-1+deb7u4.
>
> We recommend that you upgrade your gdk-pixbuf packages.
Re: [SECURITY] [DLA 448-1] subversion security update
On Sun, 01 May 2016, Bjoern Nyjorden wrote:
> As at: 20160501-0735 + (UTC): Updated packages DO NOT APPEAR at the
> Australian Mirror (IP: 150.203.164.61) of:

And you don't think a single email for all your reports would have sufficed?

The security mirror is current.

-- 
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
LTS updates not pushed to security mirrors
On 01.05.2016 at 10:38, Peter Palfrader wrote:
[...]
> The security mirror is current.

Hi,

I was informed that LTS updates are currently only pushed to the mirrors when the Security Team has issued a new DSA for it. Of course this is less than optimal, but the ftp team is already aware of it. We have announced the DLAs because the new packages show up as "Installed", e.g.:
https://buildd.debian.org/status/package.php?p=gdk-pixbuf&suite=wheezy-security

I suggest waiting with further announcements as long as this issue hasn't been resolved.

Regards,
Markus
Re: LTS updates not pushed to security mirrors
On Sun, 01 May 2016, Bjoern Nyjorden wrote:
> Peter suggests that he can see the packages available at:

No, I said that the mirror matches what the original archive has.
(corollary: the update is not available in the archive yet.)

-- 
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
Re: LTS updates not pushed to security mirrors
Hi again all,

My concern is simply this: The packages are not showing up at the URI I've quoted below, when it resolves to the IP ADDRESS: 150.203.164.61 (Australian Region).

Peter suggests that he can see the packages available at:
http://security.debian.org/debian-security/pool/updates/main/

What I am saying is; while Peter may be correct, the situation is not true for the same address above, when it resolves to IP ADDRESS: 150.203.164.61 (Australian Region). This was still the case when I tested again at: 11:12 + (UTC) today, after reading Peter's reply.

It appears that there is an issue with the IP ADDRESS: 150.203.164.61, not automatically picking up security updates when they are pushed out to the mirrors for the above URI. I don't want those of us in this region remaining vulnerable until someone remembers to manually push the updates to our mirror.

Yours sincerely,
Bjoern.

On 01/05/16 19:19, Markus Koschany wrote:
> On 01.05.2016 at 10:38, Peter Palfrader wrote:
> [...]
>> The security mirror is current.
>
> Hi,
>
> I was informed that LTS updates are currently only pushed to the mirrors when the Security Team has issued a new DSA for it. Of course this is less than optimal, but the ftp team is already aware of it. We have announced the DLAs because the new packages show up as "Installed", e.g.:
> https://buildd.debian.org/status/package.php?p=gdk-pixbuf&suite=wheezy-security
>
> I suggest waiting with further announcements as long as this issue hasn't been resolved.
>
> Regards,
> Markus
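The thread turns on a distinction Peter draws: a mirror that "does not have the update" may be lagging behind the archive, or the archive itself may not have it yet, and only comparing both against the advertised version tells you which. The following is an added example written for this page, not a Debian tool: it parses the stanza format of a Debian `Packages` index and classifies the state of a mirror for a given advisory. The index excerpts, the package `subversion` and the versions used are constructed from the DLA 448-1 text above; in practice the two inputs would be the `Packages` index of the `wheezy/updates` suite downloaded once from security.debian.org and once from the mirror address being checked (the exact index path is an assumption of the usage, not part of the code).

```python
from typing import Dict, List, Set

# Constructed sample data (not real index contents).  The advisory in the thread
# names the fixed version; the two index excerpts stand in for the Packages index
# served by the origin archive and by the mirror being checked.
ADVISORY = {"package": "subversion", "version": "1.6.17dfsg-4+deb7u11"}

INDEX_BEFORE_UPDATE = """\
Package: subversion
Version: 1.6.17dfsg-4+deb7u10
Architecture: amd64
Description: Advanced version control system
 Continuation line belonging to the Description field.

Package: libsvn1
Version: 1.6.17dfsg-4+deb7u10
Architecture: amd64
"""

INDEX_AFTER_UPDATE = INDEX_BEFORE_UPDATE + """
Package: subversion
Version: 1.6.17dfsg-4+deb7u11
Architecture: amd64
"""


def parse_packages(text: str) -> List[Dict[str, str]]:
    """Parse the RFC 822-style stanzas of a Debian Packages index.
    Stanzas are separated by blank lines; a line starting with whitespace
    continues the previous field.  Malformed lines are skipped, not fatal."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key is not None:
            current[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def versions_of(stanzas: List[Dict[str, str]], package: str) -> Set[str]:
    """All versions the index lists for a binary package name."""
    return {s["Version"] for s in stanzas if s.get("Package") == package and "Version" in s}


def classify(advisory: Dict[str, str], origin_index: str, mirror_index: str) -> str:
    """Decide what 'the package is not on the mirror' actually means:
    not-in-archive  : origin lacks the fixed version too (nothing to mirror yet)
    mirror-lagging  : origin has it, mirror does not (a sync problem)
    current         : both have it
    mirror-ahead    : mirror has it but origin does not (should not happen)"""
    fixed, pkg = advisory["version"], advisory["package"]
    in_origin = fixed in versions_of(parse_packages(origin_index), pkg)
    in_mirror = fixed in versions_of(parse_packages(mirror_index), pkg)
    if in_origin and in_mirror:
        return "current"
    if in_origin:
        return "mirror-lagging"
    if in_mirror:
        return "mirror-ahead"
    return "not-in-archive"


if __name__ == "__main__":
    # The situation in the thread: neither origin nor mirror carries deb7u11 yet.
    print("thread  :", classify(ADVISORY, INDEX_BEFORE_UPDATE, INDEX_BEFORE_UPDATE))
    # The situation Bjoern suspected: origin updated, regional mirror stale.
    print("lagging :", classify(ADVISORY, INDEX_AFTER_UPDATE, INDEX_BEFORE_UPDATE))
    print("current :", classify(ADVISORY, INDEX_AFTER_UPDATE, INDEX_AFTER_UPDATE))
```

Checking the index rather than browsing the pool directory is the more reliable test: a `.deb` can be present in the pool before the index that apt reads has been regenerated, and it is the index that determines whether `apt-get upgrade` on a host in the region will actually pick the fix up.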