Re: [SECURITY] [DLA 532-1] movabletype-opensource security update

2016-06-28 Thread Chris Lamb
> so that you stop doing the same mistake over and over.

I think it might be unfair to characterise this as "over and over" when it has 
occurred twice AFAIK, especially when the file is not even in the same 
repository.

> take some time to improve ~/bin/lts-cve-triage.py to show
> unsupported packages in a special status

I have pushed preliminary support for this.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: [SECURITY] [DLA 532-1] movabletype-opensource security update

2016-06-28 Thread Guido Günther
On Tue, Jun 28, 2016 at 08:41:08AM +0200, Raphael Hertzog wrote:
> On Mon, 27 Jun 2016, Chris Lamb wrote:
> > Package: movabletype-opensource
> 
> $ grep movabletype-opensource security-support-ended.deb7
> movabletype-opensource  5.1.4+dfsg-4+deb7u3 2016-02-06  Not supported in 
> Debian LTS (http://lists.debian.org/20151104190529.gy7...@urchin.earth.li)
> 
> Please, pay some attention to this or take some time to improve
> ~/bin/lts-cve-triage.py to show unsupported packages in a special status
> so that you stop doing the same mistake over and over.

There's also

  bin/support-ended.py movabletype-opensource
  movabletype-opensource unsupported in wheezy
  movabletype-opensource unsupported in squeeze

if one doesn't want to resort to grep.
Cheers,
 -- Guido



Re: [SECURITY] [DLA 532-1] movabletype-opensource security update

2016-06-28 Thread Guido Günther
Hi,
On Tue, Jun 28, 2016 at 08:55:32AM +0100, Chris Lamb wrote:
> > so that you stop doing the same mistake over and over.
> 
> I think it might be unfair to characterise this as "over and over" when it 
> has occurred twice AFAIK, especially when the file is not even in the same 
> repository.
> 
> > take some time to improve ~/bin/lts-cve-triage.py to show
> > unsupported packages in a special status

Thanks for looking into this!

This seems to silently hardcode wheezy without a way to override (so we
might end up forgetting to bump this when switching to jessie):

class UnsupportedPackages(set)
+def __init__(self, debian_version=7, update_cache=True):
+self.debian_version = debian_version
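Review bot: the default `debian_version=7` in `__init__(self, debian_version=7, update_cache=True)` silently selects wheezy for every caller that does not pass the argument, so nothing will fail loudly when the triage moves to jessie. Make `debian_version` a required argument with no default (or derive it from whatever release setting lts-cve-triage.py already carries) so the switch cannot be forgotten. Also, `update_cache` is accepted here but not used in the lines shown; if it is consumed later in the same method, a short comment saying what it refreshes would help the reader.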

It'd also be nicer to not silently drop unsupported packages but add them
to a special section since we still need to triage the CVEs (mark them as
unsupported in data/CVE/list). 

Cheers,
 -- Guido
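As an added illustration of the two points raised in this thread (not code from lts-cve-triage.py, support-ended.py or any other LTS team script), the following Python reads the `security-support-ended.debN` line format shown above, takes the release number as a required argument rather than a default of 7, and keeps unsupported packages in their own bucket instead of dropping them. The file layout (whitespace-separated package, version, end date, then a free-text reason running to end of line; `#` comment lines skipped) is an assumption inferred from the single quoted line, and the sample file contents are constructed.

```python
"""Look up packages in a security-support-ended.debN file.

Added example, not the LTS team's own tooling.  The line layout is
assumed from the entry quoted in the thread:
    package  version  end-date  free-text reason
Comment lines starting with '#' and blank lines are skipped (assumption).
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample modelled on the quoted wheezy line; the
# 'example-pkg' entry is made up purely for illustration.
SAMPLE_DEB7 = """\
# package  version  eol-date  reason
movabletype-opensource  5.1.4+dfsg-4+deb7u3 2016-02-06  Not supported in Debian LTS (http://lists.debian.org/20151104190529.gy7...@urchin.earth.li)
example-pkg  1.0-1  2016-01-01  Constructed sample entry
"""


@dataclass(frozen=True)
class EndedEntry:
    package: str
    version: str
    end_date: date
    reason: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")


def parse_support_ended(text: str) -> Dict[str, EndedEntry]:
    """Parse file contents into a package -> entry map; reject malformed lines."""
    entries: Dict[str, EndedEntry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        pkg, ver, day, reason = m.groups()
        entries[pkg] = EndedEntry(pkg, ver, date.fromisoformat(day), reason.strip())
    return entries


class UnsupportedPackages:
    """Per-release view of ended packages.

    The release number is mandatory: a caller must say which release is
    being triaged, so a switch from wheezy to jessie cannot be forgotten
    the way a default of 7 would allow.
    """

    def __init__(self, debian_version: int, sources: Dict[int, str]):
        if debian_version not in sources:
            raise KeyError(f"no security-support-ended.deb{debian_version} data")
        self.debian_version = debian_version
        self.entries = parse_support_ended(sources[debian_version])

    def status(self, package: str) -> Optional[EndedEntry]:
        return self.entries.get(package)

    def partition(self, packages: Iterable[str]) -> Dict[str, List]:
        """Split candidates into 'triage' and 'unsupported'.

        Unsupported packages are reported, not dropped: their CVEs still
        have to be marked as unsupported in data/CVE/list.
        """
        out: Dict[str, List] = {"triage": [], "unsupported": []}
        for pkg in packages:
            entry = self.status(pkg)
            if entry is None:
                out["triage"].append(pkg)
            else:
                out["unsupported"].append((pkg, entry))
        return out


if __name__ == "__main__":
    view = UnsupportedPackages(7, {7: SAMPLE_DEB7})
    groups = view.partition(["movabletype-opensource", "pidgin"])
    for pkg in groups["triage"]:
        print(f"{pkg}: needs triage")
    for pkg, e in groups["unsupported"]:
        print(f"{pkg}: unsupported in deb{view.debian_version} since {e.end_date}: {e.reason}")
```

Passing `{7: wheezy_text, 8: jessie_text}` as `sources` and the release under triage as the first argument is what keeps the release choice visible at the call site.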



Re: pidgin

2016-06-28 Thread Brian May
Brian May  writes:

> Attached is a patch to fix all known security issues in pidgin in
> Wheezy-LTS.
>
> I found that a number of the CVEs under security-tracker.debian.org
> referenced the patch for the fix for the wrong CVE, so I had to retrieve
> the correct patches from upstream git.
>
> I also found that the security fix I identified for CVE-2016-2372 was
> the same as one of the patches for CVE-2016-2369 so I didn't apply it
> twice.
>
> Still need to test this and make a copy for testing.

Here is a version I built for testing:
https://people.debian.org/~bam/debian/pool/main/p/pidgin/

Disclaimer: might be several days before I get a chance to test this
myself.
-- 
Brian May 



Re: Wheezy update of ruby-eventmachine?

2016-06-28 Thread Bálint Réczey
Hi Christian,

2016-06-28 7:27 GMT+02:00 Christian Hofstaedtler :
> Hi,
>
> * Bálint Réczey  [160628 00:28]:
>> Dear Ruby and LTS Maintainers,
>>
>> I plan updating the ruby-eventmachine package in Wheezy LTS to
>> fix the following security issue:
>> https://security-tracker.debian.org/tracker/TEMP-0678512-2E167C
>>
>> Please see the diff to previous version attached.

Thanks! I also tried the new test without fixing the issue in the code
and it crashes nicely.

>
> Only gave this a quick glance, but LGTM.
>
>> I plan updating Jessie's version through jessie-proposed-updates, since
>> the issue is marked as no-DSA.
>
> This can probably still go through debian-security?

I'll ask them, showing the proposed diff.

> Also, given there's no ruby1.8 in jessie, the diff will be a lot
> smaller I guess.

IMO the difference is very small and I'd rather add the few macros for 1.8
than break the source package's compatibility with the update.

I have pushed my changes to the packaging repository in two new branches here:
https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-eventmachine.git

Cheers,
Balint

>
>> Cheers,
>> Balint
>
> Thanks,
> Christian
>



Re: [SECURITY] [DLA 532-1] movabletype-opensource security update

2016-06-28 Thread Raphael Hertzog
On Tue, 28 Jun 2016, Chris Lamb wrote:
> > so that you stop doing the same mistake over and over.
> 
> I think it might be unfair to characterise this as "over and over" when
> it has occurred twice AFAIK, especially when the file is not even in the
> same repository.

Sorry, I did not want to point fingers at you in particular. It was more
of a general "you" since the same happened with other contributors and 
other packages.

> > take some time to improve ~/bin/lts-cve-triage.py to show
> > unsupported packages in a special status
> 
> I have pushed preliminary support for this.

Thanks!

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Re: pidgin

2016-06-28 Thread Salvatore Bonaccorso
Hi Brian,

On Tue, Jun 28, 2016 at 07:08:37AM +1000, Brian May wrote:
> I found that a number of the CVEs under security-tracker.debian.org
> referenced the patch for the fix for the wrong CVE, so I had to retrieve
> the correct patches from upstream git.

Can you point me to the errors you found? Since I added I think most
of those entries I would like to correct them if I wrongly committed.

Regards,
Salvatore



Re: Analysis of issue for phpmyadmin and request for comment on XSS issues

2016-06-28 Thread Markus Koschany
On 26.06.2016 23:47, Ola Lundqvist wrote:
> Hi LTS team

Hi!

> 
> I have done some analysis of the issues for phpmyadmin.
> 
> It would be good to know what your opinion about XSS issues for admin
> software like phpmyadmin is. I do not see how that can be very
> important. I mean you know the URL and do not really use external links
> for accessing it.
> Or do anyone have another opinion?

XSS is not just about getting tricked into clicking the wrong site URL
of the application. XSS is very common for web applications and in case
of webapps like phpmyadmin, where usually multiple users have access to
databases with various permissions, there are often multiple
possibilities to inject Javascript or other code into HTML tags,

Re: Security update of Gosa

2016-06-28 Thread Markus Koschany
On 21.06.2016 12:42, Mike Gabriel wrote:
[...]
> I'll get back to you tomorrow on this. Basically, I can do the upload my
> self.
> 
> Greets,
> Mike

Hi Mike,

Is there any news? If you need assistance, don't hesitate to ask on
debian-lts.

Cheers,

Markus





Re: pidgin

2016-06-28 Thread Brian May
Salvatore Bonaccorso  writes:

> Can you point me to the errors you found? Since I added I think most
> of those entries I would like to correct them if I wrongly committed.

Sure. Hope I haven't made too many mistakes myself :-)


* CVE-2016-2365 / TALOS-CAN-0133

https://bitbucket.org/pidgin/main/commits/5fa3f2bc69d7
- commit message says TALOS-CAN-0128.
- believe correct patch is 1c4acc6977a8686ad980e5b820327c9c47dbeaca


* CVE-2016-2366 / TALOS-CAN-0134

https://bitbucket.org/pidgin/main/commits/abdc3025f6b8
- is correct


* CVE-2016-2367 / TALOS-2016-0135

https://bitbucket.org/pidgin/main/commits/5e3601f8bde4
https://bitbucket.org/pidgin/main/commits/1c5197a66760
https://bitbucket.org/pidgin/main/commits/648f667a679c
- same patches given as for CVE-2016-2370 / TALOS-CAN-0138
- same patches given as for CVE-2016-2372 / TALOS-2016-0140
- assuming these are correct, however neither the CVE nor the TALOS id is in the 
commit message.


* CVE-2016-2368 / TALOS-CAN-0136

https://bitbucket.org/pidgin/main/commits/f6efc254e947
https://bitbucket.org/pidgin/main/commits/60f95045db42
- wrong order, but still correct


* CVE-2016-2369 / TALOS-CAN-0137

No patch given.
- Correct patch appears to be 7b52ca213832882c9f69b836560ba44c6e929a34
(see below)


* CVE-2016-2370 / TALOS-CAN-0138
  
https://bitbucket.org/pidgin/main/commits/5e3601f8bde4
https://bitbucket.org/pidgin/main/commits/1c5197a66760
https://bitbucket.org/pidgin/main/commits/648f667a679c
- same patches given as for CVE-2016-2367 / TALOS-2016-0135
- same patches given as for CVE-2016-2372 / TALOS-2016-0140
- Correct patch appears to be fe0e01b2840740d9a07acf9a9788ec22e9dd120f


* CVE-2016-2371 / TALOS-CAN-0139

https://bitbucket.org/pidgin/main/commits/7b52ca213832
- This commit mentions TALOS-CAN-0137
- Correct patch appears to be f0287378203fbf496a9890bf273d96adefb93b74


* CVE-2016-2372 / TALOS-2016-0140

https://bitbucket.org/pidgin/main/commits/5e3601f8bde4
https://bitbucket.org/pidgin/main/commits/1c5197a66760
https://bitbucket.org/pidgin/main/commits/648f667a679c
- same patches given as for CVE-2016-2367 / TALOS-2016-0135
- same patches given as for CVE-2016-2370 / TALOS-CAN-0138
- my search suggested the correct patch is the 2nd one, or
1c5197a66760396a28de87d566e0eb0d986175ea
- I put this patch as part of CVE-2016-2367 / TALOS-2016-0135 which
might be wrong.


* CVE-2016-2373 / TALOS-CAN-0141

https://bitbucket.org/pidgin/main/commits/e6159ad42c4c
- correct


* CVE-2016-2374 / TALOS-CAN-0142

https://bitbucket.org/pidgin/main/commits/f6c08d962618
- correct


* CVE-2016-2375 / TALOS-CAN-0143

https://bitbucket.org/pidgin/main/commits/b786e9814536
- correct


* CVE-2016-2376 / TALOS-CAN-0118

https://bitbucket.org/pidgin/main/commits/19f89eda8587
- correct


* CVE-2016-2377 / TALOS-CAN-0119

https://bitbucket.org/pidgin/main/commits/0f94ef13ab37
- correct


* CVE-2016-2378 / TALOS-CAN-0120

https://bitbucket.org/pidgin/main/commits/06278419c703
- correct


* CVE-2016-2380 / TALOS-CAN-0123

https://bitbucket.org/pidgin/main/commits/8172584fd640
- correct


* CVE-2016-4323 / TALOS-CAN-0128

Patch not given
- Believe correct patch is 5fa3f2bc69d7918d1e537e780839df63d5df59aa
- was patch listed for CVE-2016-2365 / TALOS-CAN-0133
-- 
Brian May 
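The cross-check Brian did by hand above (does the commit the tracker lists for a CVE actually name that CVE's TALOS id, are the same commits listed under several CVEs, which CVEs have no patch at all) can be mechanised. The following is an added example, not a security-tracker tool; the CVE, TALOS id and commit prefixes are taken from the list above, but the commit-message texts are constructed: only the identifiers Brian reports seeing (TALOS-CAN-0128 in 5fa3f2bc69d7, TALOS-CAN-0137 in 7b52ca213832, no id in the three shared commits) come from the thread, and the remaining messages are assumed to carry their own TALOS id.

```python
"""Cross-check tracker patch references against upstream commit messages.

Added example, not part of the Debian security tracker.  Identifiers and
commit prefixes come from the thread; the message texts are constructed
and only stand in for what 'hg log' / 'git log' would return.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Subset of the tracker references as listed in the thread.
TRACKER: Dict[str, Dict] = {
    "CVE-2016-2365": {"talos": "TALOS-CAN-0133", "commits": ["5fa3f2bc69d7"]},
    "CVE-2016-2366": {"talos": "TALOS-CAN-0134", "commits": ["abdc3025f6b8"]},
    "CVE-2016-2367": {"talos": "TALOS-2016-0135",
                      "commits": ["5e3601f8bde4", "1c5197a66760", "648f667a679c"]},
    "CVE-2016-2369": {"talos": "TALOS-CAN-0137", "commits": []},
    "CVE-2016-2370": {"talos": "TALOS-CAN-0138",
                      "commits": ["5e3601f8bde4", "1c5197a66760", "648f667a679c"]},
    "CVE-2016-2371": {"talos": "TALOS-CAN-0139", "commits": ["7b52ca213832"]},
    "CVE-2016-2372": {"talos": "TALOS-2016-0140",
                      "commits": ["5e3601f8bde4", "1c5197a66760", "648f667a679c"]},
    "CVE-2016-4323": {"talos": "TALOS-CAN-0128", "commits": []},
}

# Constructed commit messages (assumption: only the ids are from the thread).
COMMIT_MESSAGES: Dict[str, str] = {
    "5fa3f2bc69d7": "Constructed message naming TALOS-CAN-0128",
    "abdc3025f6b8": "Constructed message naming TALOS-CAN-0134",
    "5e3601f8bde4": "Constructed message with no identifier",
    "1c5197a66760": "Constructed message with no identifier",
    "648f667a679c": "Constructed message with no identifier",
    "7b52ca213832": "Constructed message naming TALOS-CAN-0137",
}

ID_RE = re.compile(r"\b(CVE-\d{4}-\d{4,}|TALOS-(?:CAN|\d{4})-\d{4})\b")


def ids_in(message: str) -> Set[str]:
    """All CVE / TALOS identifiers mentioned in a commit message."""
    return set(ID_RE.findall(message))


def shared_commits(tracker: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Commits the tracker lists under more than one CVE."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for cve, info in tracker.items():
        for commit in info["commits"]:
            owners[commit].add(cve)
    return {c: sorted(cves) for c, cves in owners.items() if len(cves) > 1}


def cves_without_patch(tracker: Dict[str, Dict]) -> List[str]:
    return sorted(cve for cve, info in tracker.items() if not info["commits"])


def id_mismatches(tracker: Dict[str, Dict],
                  messages: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """(cve, commit) pairs whose message names a different entry's id.

    The value is the list of CVEs the commit probably belongs to instead,
    resolved through the TALOS id -> CVE mapping in the tracker.
    """
    talos_owner = {info["talos"]: cve for cve, info in tracker.items()}
    out: Dict[Tuple[str, str], List[str]] = {}
    for cve, info in tracker.items():
        for commit in info["commits"]:
            foreign = {x for x in ids_in(messages.get(commit, ""))
                       if x not in (cve, info["talos"])}
            if foreign:
                out[(cve, commit)] = sorted({talos_owner.get(x, x) for x in foreign})
    return out


def unlabelled_commits(tracker: Dict[str, Dict], messages: Dict[str, str]) -> List[str]:
    """Referenced commits whose message names no CVE or TALOS id at all."""
    found = set()
    for info in tracker.values():
        for commit in info["commits"]:
            if not ids_in(messages.get(commit, "")):
                found.add(commit)
    return sorted(found)


if __name__ == "__main__":
    for (cve, commit), likely in id_mismatches(TRACKER, COMMIT_MESSAGES).items():
        print(f"{cve}: {commit} looks like it belongs to {', '.join(likely)}")
    for commit, cves in shared_commits(TRACKER).items():
        print(f"{commit}: listed under {', '.join(cves)}")
    print("no patch:", ", ".join(cves_without_patch(TRACKER)))
    print("no id in message:", ", ".join(unlabelled_commits(TRACKER, COMMIT_MESSAGES)))
```

Run against real `hg log` output, the id-mismatch check reproduces Brian's two reassignments (5fa3f2bc69d7 to CVE-2016-4323, 7b52ca213832 to CVE-2016-2369), while the unlabelled-commit check flags the three commits that can only be attributed by reading the code.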



Re: pidgin

2016-06-28 Thread Salvatore Bonaccorso
Hi Brian,

On Wed, Jun 29, 2016 at 08:35:26AM +1000, Brian May wrote:
> Salvatore Bonaccorso  writes:
> 
> > Can you point me to the errors you found? Since I added I think most
> > of those entries I would like to correct them if I wrongly committed.
> 
> Sure. Hope I haven't made too many mistakes myself :-)

Thanks, I will go double-check those today again.

Regards,
Salvatore