Call for testing: upcoming libxml2 security update

2016-05-28 Thread Salvatore Bonaccorso
Hi

The upcoming libxml2 security update is a little bigger than usual,
thus we want to expose the package a bit for additional testing. If
you find a problem introduced by updating to these packages, please
report the problem directly to t...@security.debian.org .

The packages can be found at:

https://people.debian.org/~carnil/tmp/libxml2/jessie/

(amd64 builds only)

While preparing the jessie-security update, the commits were
backported as well for libxml2 in wheezy. If you are using them, please
test the packages at

https://people.debian.org/~carnil/tmp/libxml2/wheezy/

(amd64 builds only)

Regards,
Salvatore




Re: bits.debian.org: Wheezy LTS post about armel and armhf support

2016-05-28 Thread Markus Koschany
Hi all,

I haven't seen our Wheezy LTS post on bits.debian.org yet. Is there
anything we can do?

Regards,

Markus





Re: Debian LTS: uploaded packages to wheezy-security not available

2016-05-28 Thread Markus Koschany
On 04.05.2016 at 13:43, Markus Koschany wrote:
> Hi Ansgar,
> 
> In preparation for the default Java switch I have uploaded more packages
> to wheezy-security yesterday and most of them are available in the
> archive now. However some of them never showed up there, although I made
> sure to build with -sa. I guess there is an issue with dak again.
> 
> The following packages are missing:
> 
> carmetal
> imagej
> jabref
> 
> Could you take a look at it?

Hello,

we have a problem with the wheezy-security suite. Whenever we try to fix
a package that was once in another section like non-free and is now in
main, dak won't accept a security upload. In my specific case carmetal,
imagej and jabref are rejected.

Shall I reupload the packages and you try your ftp magic on them or is
there another, maybe better way, to solve this issue once and for all?

Regards,

Markus





testing php5 for Wheezy LTS

2016-05-28 Thread Thorsten Alteholz

Hi,

this seems to be the month of testing requests. I uploaded version 
5.4.45-0+deb7u3 of php5 to:

 https://people.debian.org/~alteholz/packages/wheezy-lts/php5/amd64/
 https://people.debian.org/~alteholz/packages/wheezy-lts/php5/i386/

Please give it a try and tell me about any problems you meet. There are 
still some CVEs open; they will be fixed in a later upload.


Thanks!
 Thorsten



Changes:
 * CVE-2015-8865.patch
   The file_check_mem function in funcs.c in file before 5.23, as used
   in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20,
   and 7.x before 7.0.5, mishandles continuation-level jumps, which
   allows context-dependent attackers to cause a denial of service
   (buffer overflow and application crash) or possibly execute arbitrary
   code via a crafted magic file.
 * CVE-2015-8866.patch
   libxml_disable_entity_loader setting is shared between threads
   ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when
   PHP-FPM is used, does not isolate each thread from
   libxml_disable_entity_loader changes in other threads, which allows
   remote attackers to conduct XML External Entity (XXE) and XML Entity
   Expansion (XEE) attacks via a crafted XML document, a related issue
   to CVE-2015-5161.
 * CVE-2015-8878.patch
   main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before
   5.6.12 does not ensure thread safety, which allows remote attackers to
   cause a denial of service (race condition and heap memory corruption)
   by leveraging an application that performs many temporary-file accesses.
 * CVE-2015-8879.patch
   The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12
   mishandles driver behavior for SQL_WVARCHAR columns, which allows
   remote attackers to cause a denial of service (application crash) in
   opportunistic circumstances by leveraging use of the odbc_fetch_array
   function to access a certain type of Microsoft SQL Server table.
 * CVE-2016-4070.patch
   Integer overflow in the php_raw_url_encode function in ext/standard/url.c
   in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows
   remote attackers to cause a denial of service (application crash) via a
   long string to the rawurlencode function.
 * CVE-2016-4071.patch
   Format string vulnerability in the php_snmp_error function in
   ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
   before 7.0.5 allows remote attackers to execute arbitrary code via
   format string specifiers in an SNMP::get call.
 * CVE-2016-4072.patch
   The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
   before 7.0.5 allows remote attackers to execute arbitrary code via a
   crafted filename, as demonstrated by mishandling of \0 characters by
   the phar_analyze_path function in ext/phar/phar.c.
 * CVE-2016-4073.patch
   Multiple integer overflows in the mbfl_strcut function in
   ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before
   5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial
   of service (application crash) or possibly execute arbitrary code via
   a crafted mb_strcut call.
 * CVE-2016-4343.patch
   The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
   5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files,
   which allows remote attackers to cause a denial of service
   (uninitialized pointer dereference) or possibly have unspecified other
   impact via a crafted TAR archive.
 * CVE-2016-4537.patch
   The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35,
   5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer
   for the scale argument, which allows remote attackers to cause a
   denial of service or possibly have unspecified other impact via a
   crafted call.
 * CVE-2016-4539.patch
   The xml_parse_into_struct function in ext/xml/xml.c in PHP before
   5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
   attackers to cause a denial of service (buffer under-read and
   segmentation fault) or possibly have unspecified other impact via
   crafted XML data in the second argument, leading to a parser level
   of zero.
 * CVE-2016-4540+4541.patch
   The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c
   in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows
   remote attackers to cause a denial of service (out-of-bounds read)
   or possibly have unspecified other impact via a negative offset.
 * CVE-2016-4542+4543+4544.patch
   The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35,
   5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes,
   which allows remote attackers to cause a denial of service
   (out-of-bounds read) or possibly have unspecified other impact via
   crafted header data.




Re: wheezy eglibc packages to test

2016-05-28 Thread Santiago Ruano Rincón
On 27/05/16 at 18:08, Guido Günther wrote:
> Hi,
> On Sat, May 21, 2016 at 12:16:07AM +0200, Santiago Ruano Rincón wrote:
> > Hi,
> > 
> > I've prepared an eglibc package for wheezy, available at 
> > 
> > deb https://people.debian.org/~santiago/debian santiago-wheezy/
> > deb-src https://people.debian.org/~santiago/debian santiago-wheezy/
> > 
> > Debdiff attached, and this is the dsc:
> > https://people.debian.org/~santiago/debian/santiago-wheezy/eglibc_2.13-38+deb7u11~3.dsc
> > 
> > As usual, feedback is warmly welcome.
> 
> LGTM. I had a look at the debdiff and tested the package including
> checking that the crasher in
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=19779
> 
> is fixed with your package.

Thanks. I'll prepare the upload.

Cheers,

Santiago

