Re: Wheezy update of twisted?
This security vulnerability is described here: https://bugzilla.redhat.com/show_bug.cgi?id=1357345 as: "sets environmental variable based on user supplied Proxy request header"

In particular it is talking about HTTP_PROXY, and it is only a problem if the server makes an outgoing HTTP request using this value.

Looking at this, I am inclined to say this isn't a security issue in twisted itself, rather some unspecified applications that use twisted.

Just trying to double check this. I can't find any references (case-insensitive) of "HTTP_PROXY" in the twisted source however.

This appears to be confirmed by the first sentence in the redhat bug report: "Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value."

There are a number of projects in Debian that use twisted, should we check each one?

Sure would be good if I had an example application that was confirmed vulnerable.
--
Brian May
Re: Wheezy update of twisted?
Hi,

I had a quick look at the code too (both in wheezy and jessie), but I couldn't find the offending bits. Perhaps it'd be good to put together a small web server and see what happens when you pass the 'Proxy' header.

Free

On 5 August 2016 at 10:26, Brian May wrote:
> This security vulnerability is described here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1357345
>
> as:
>
> "sets environmental variable based on user supplied Proxy request
> header"
>
> In particular it is talking about HTTP_PROXY, and it only a problem if
> the server makes an outgoing HTTP request using this value.
>
> Looking at this, I am inclined to say this isn't a security issue in
> twisted itself, rather some unspecified applications that use twisted.
>
> Just trying to double check this. I can't find any references
> (case-insensitive) of "HTTP_PROXY" in the twisted source however.
>
> This appears to be confirmed by the first sentence in the redhat bug
> report:
>
> "Many software projects and vendors have implemented support for the
> “Proxy” request header in their respective CGI implementations and
> languages by creating the “HTTP_PROXY” environmental variable based on
> the header value."
>
> There are a number of projects in Debian that use twisted, should we
> check each one?
>
> Sure would be good if I had an example application that was confirmed
> vulnerable.
> --
> Brian May
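The check Free suggests, in a form that runs offline, as an added example for this thread (this is illustrative code, not twisted's, and it makes no claim about how twisted behaves): a generic CGI-style header-to-environment mapping of the kind the Red Hat report describes, beside a hardened version that drops the header, and urllib's own environment proxy lookup to show what an outbound HTTP client inheriting that environment would do. The request headers, the host name and the proxy URL are constructed for the example; the function names are made up here.

```python
# Added example for this thread: the "httpoxy" mapping that the Red Hat bug
# describes, as a generic CGI-style header -> environment function, beside a
# hardened version, and a check of what an outbound HTTP client would do.
# Illustrative code, not twisted's, and no claim about twisted's behaviour.
import os
import urllib.request

# Constructed request headers. No "Proxy" request header is defined by any
# HTTP specification; a client sends one only to exploit the mapping below.
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("User-Agent", "probe/0.1"),
    ("Proxy", "http://attacker.example:8080"),
]


def cgi_meta_variables(headers, block_proxy=False):
    """Map request headers to CGI HTTP_* meta-variables (RFC 3875 style).

    block_proxy=False is the naive mapping: the attacker-supplied "Proxy"
    header becomes HTTP_PROXY, which environment-driven HTTP clients read as
    the proxy for outgoing http:// requests. block_proxy=True drops that one
    header, which is the mitigation most affected projects chose.
    """
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        if block_proxy and key == "HTTP_PROXY":
            continue
        env[key] = value
    return env


def outbound_proxy_from_env(env):
    """Proxy that urllib would use for http:// URLs under `env`, or None.

    The real process environment is swapped out and restored so the check is
    side-effect free. CPython's fix for CVE-2016-1000110 makes
    getproxies_environment() ignore HTTP_PROXY once REQUEST_METHOD is set
    (i.e. under CGI); the constructed env here deliberately omits
    REQUEST_METHOD so the lookup shows what an unfixed client does.
    """
    saved = dict(os.environ)
    try:
        os.environ.clear()
        os.environ.update(env)
        return urllib.request.getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


def check_server_mapping(headers):
    """Verdict for one header set: does the naive mapping let the request
    choose the server's outbound proxy, and does dropping the header fix it?"""
    naive = outbound_proxy_from_env(cgi_meta_variables(headers))
    hardened = outbound_proxy_from_env(
        cgi_meta_variables(headers, block_proxy=True))
    return {"naive_proxy": naive, "hardened_proxy": hardened}


if __name__ == "__main__":
    print(check_server_mapping(SAMPLE_HEADERS))
```

To turn this into the live test Free describes, point a CGI script that dumps its environment at the server under test and send it a request carrying a Proxy header; the server is affected only if HTTP_PROXY shows up in that dump and the application then makes outbound HTTP requests through an environment-driven client.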
Re: Wheezy update of libreoffice #2 (CVE-2016-1513)
Hi Rene,

2016-08-04 19:34 GMT+02:00 Rene Engelhard :
> Hi,
>
> On Thu, Aug 04, 2016 at 09:12:04AM +0200, Rene Engelhard wrote:
>> I noticed Balint did some additional changes to deb7u7 (build-depends
>> on fixed graphite2 - thanks for that), so this needs
>> either be merged into my deb7u8 or I can redo it this evening...
>
> now done.

Thanks! Would you like to build and upload it yourself or would you prefer us to do the rest (build, test, upload, DLA) like before?

Cheers,
Balint
Security update of nettle
Hi Magnus and LTS team

Magnus, Niels and I have been discussing the nettle update due to https://security-tracker.debian.org/tracker/CVE-2016-6489

Magnus has started to prepare a wheezy update but had a few questions. Here is some information that you should know about. https://wiki.debian.org/LTS/Development

One question from Magnus was what should be mentioned in the changelog. I suggest something like this:
"Protect against potential timing attacks against exponentiation operations as described in CVE-2016-6489 RSA code is vulnerable to cache sharing related attacks."

Magnus, please let me know if you want to upload the correction too and whether you want to issue the DLA or whether you want me to do that. We want to time the DLA and the upload so they are close to each other in time.

Magnus, if you decide to build the package for upload, please make sure to use the -sa option as wheezy-security needs to know about the orig tar file. If not the package upload will be rejected.

Best regards

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Folkebogatan 26             \
|  o...@debian.org                    654 68 KARLSTAD             |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 -----------------------------------------------------------------
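A pre-upload check for the -sa point above, added here as an illustration and not a Debian tool: build the source package with -sa, then confirm that the Files section of the resulting .changes actually lists the .orig.tar.* before running dput, since the security archive is separate from the main archive and rejects an upload that references an orig tarball it does not have. The two .changes fragments are constructed for a hypothetical package "foo"; the function names are made up here.

```sh
#!/bin/sh
# Added, illustrative helper for this thread (not a Debian tool): check that
# a source-only upload's .changes lists the .orig.tar.* before dput.
#
# The build step that produces the .changes (run in the unpacked source):
#   dpkg-buildpackage -S -sa      # -sa: always include the orig tarball
# debuild -S -sa is equivalent; both pass -sa through to dpkg-genchanges.

# changes_has_orig FILE
# Returns 0 if the "Files:" section of FILE lists an orig tarball, else 1.
# Entries in that section look like: <md5> <size> <section> <prio> <name>
changes_has_orig() {
    awk '
        /^Files:/ { in_files = 1; next }
        /^[^ ]/   { in_files = 0 }
        in_files && $5 ~ /\.orig\.tar\.(gz|bz2|xz)$/ { found = 1 }
        END       { exit found ? 0 : 1 }
    ' "$1"
}

# write_sample_changes DIR
# Writes two constructed .changes files for a hypothetical package "foo",
# one built with -sa and one without, so the check can be exercised offline.
write_sample_changes() {
    cat > "$1/with-orig.changes" <<'EOF'
Format: 1.8
Source: foo
Version: 1.0-1+deb7u1
Distribution: wheezy-security
Checksums-Sha256:
 0000000000000000000000000000000000000000000000000000000000000000 1000 foo_1.0-1+deb7u1.dsc
Files:
 00000000000000000000000000000000 1000 misc optional foo_1.0-1+deb7u1.dsc
 00000000000000000000000000000000 9000 misc optional foo_1.0.orig.tar.gz
 00000000000000000000000000000000 2000 misc optional foo_1.0-1+deb7u1.debian.tar.gz
EOF
    cat > "$1/without-orig.changes" <<'EOF'
Format: 1.8
Source: foo
Version: 1.0-1+deb7u1
Distribution: wheezy-security
Files:
 00000000000000000000000000000000 1000 misc optional foo_1.0-1+deb7u1.dsc
 00000000000000000000000000000000 2000 misc optional foo_1.0-1+deb7u1.debian.tar.gz
EOF
}

# Stand-alone run: write the samples to a temporary directory and report.
sample_dir=$(mktemp -d)
write_sample_changes "$sample_dir"
for f in "$sample_dir"/*.changes; do
    if changes_has_orig "$f"; then
        echo "OK: $f lists the orig tarball"
    else
        echo "REJECT RISK: $f lacks the orig tarball (rebuild with -sa)"
    fi
done
```

Run `changes_has_orig` against the real foo_*_source.changes produced by the build; if it fails, rebuild with -sa rather than uploading and waiting for the reject mail.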
Re: Security update of nettle
Hi Magnus

You are of course welcome to improve the language in the changelog. :-)

I should probably have put quotation marks to clarify the language, that the text after the CVE number is a part of the CVE name. Like this:

Protect against potential timing attacks against exponentiation operations as described in "CVE-2016-6489 RSA code is vulnerable to cache sharing related attacks."

Regarding the upload. I'm not involved with the stable security team. Let me know when you have a build that I can check and upload. A debdiff and a statement what kind of tests you have performed are very good to have too, so we all have a possibility to check the change.

Thanks in advance

// Ola

On Fri, Aug 5, 2016 at 11:28 PM, Magnus Holmgren wrote:
> On Friday, 5 August 2016 22:16:29, Ola Lundqvist wrote:
> > Hi Magnus and LTS team
> >
> > Magnus, Niels and I have been discussing the nettle update due to
> > https://security-tracker.debian.org/tracker/CVE-2016-6489
> >
> > Magnus has started to prepare a wheezy update but had a few
> > questions. Here are some information that you should know about.
> > https://wiki.debian.org/LTS/Development
> >
> > One question from Magnus was what should be mentioned in the changelog.
> > I suggest something like this:
> > "Protect against potential timing attacks against exponentiation operations
> > as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> > related attacks."
>
> Hmm, that sounds like two sentences in one...
>
> > Magnus, please let me know if you want to upload the correction too and
> > whether you want to issue the DLA or whether you want me to do that. We
> > want to time the DLA and the upload so they are close to each other in time.
>
> I think you can do that. But I should coordinate with the stable security team
> too. I suppose you're not involved with that?
>
> > Magnus, if you decide to build the package for upload, please make sure to
> > use the -sa option as wheezy-security need to know about the orig tar file.
> > If not the package upload will be rejected.
>
> OK, thanks.
>
> --
> Magnus Holmgren    holmg...@debian.org
> Debian Developer

--
 --- Inguza Technology AB --- MSc in Information Technology ---
/  o...@inguza.com                    Folkebogatan 26             \
|  o...@debian.org                    654 68 KARLSTAD             |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551  |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9   /
 -----------------------------------------------------------------
Re: Icedtea plugin
On 02/08/16 19:48, Emilio Pozuelo Monfort wrote:
> On 01/08/16 23:26, Markus Koschany wrote:
>> On 01.08.2016 23:01, Emilio Pozuelo Monfort wrote:
>>> On 31/07/16 19:41, Roberto C. Sánchez wrote:
>>>> On Sun, Jul 31, 2016 at 07:34:28PM +0200, Emilio Pozuelo Monfort wrote:
>>>>> Hi,
>>>>>
>>>>> Currently, icedtea-plugin depends on icedtea-6-plugin, i.e. Java6. Given
>>>>> openjdk-6 is unsupported, we should change it to depend on icedtea-7-plugin
>>>>> instead. See the attached source debdiff (the control file is
>>>>> autogenerated).
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> If no-one objects, I will upload that soon.
>>>>>
>>>> It looks good to me.
>>>
>>> Markus said on IRC that another option was to mark icedtea-plugin and
>>> icedtea-6-plugin as unsupported. However, I think we should only do that for
>>> icedtea-6-plugin, and update the metapackage to depend on Java7.
>>
>> Yes, it wouldn't hurt to update the dependency package icedtea-plugin.
>> As far as I know it has no important reverse-dependencies though, for
>> instance OpenJDK 6 only suggests it. So we could also just mark it as
>> unsupported but I leave the decision up to you.
>
> I think icedtea-plugin should be kept updated and point to the supported
> version, so that people can keep it installed and automatically get the next
> supported version when/if it is changed again, whether in Wheezy or in future
> releases.
>
> Since the change is simple, I'll look at uploading it soon.

Uploaded.

I'm not sure whether this deserves a DLA. Probably not, as openjdk-6 is already marked as unsupported, and there already was [1]. Though I could send something similar to that, without a DLA number, if that was deemed convenient.

Thoughts, anyone?

Cheers,
Emilio

[1] https://lists.debian.org/debian-lts-announce/2016/05/msg7.html
Re: Security update of firefox-esr for Wheezy
On 04/08/16 23:02, Mike Hommey wrote:
> On Thu, Aug 04, 2016 at 07:50:28PM +0200, Guido Günther wrote:
>> Hi,
>> On Thu, Aug 04, 2016 at 06:32:14PM +0900, Mike Hommey wrote:
>>> On Thu, Aug 04, 2016 at 11:04:47AM +0200, Markus Koschany wrote:
>>>> Hello Mike,
>>>>
>>>> Thank you for preparing the security update of firefox-esr. I have just
>>>> sent a security announcement for your update in Wheezy to the
>>>> debian-lts-announce mailing list. If you want to take care of this next
>>>> time, please follow our guidelines which we have outlined at [1]. If this
>>>> is a burden for you, no problem, we will do our best and take care of the
>>>> rest. In this case we would like to ask you to send a short reminder to
>>>> debian-lts, so that we can prepare the announcement in a timely manner.
>>>
>>> Heh, I hadn't realized that wasn't handled by standard DSAs, sorry about
>>> that. That these updates go through the same security-master doesn't
>>> help making it obvious they are different.
>>>
>>> Anyways, I'd rather not have more work to do, so if you can send
>>> announcements, that works for me. Or you can deal with the backport
>>> from back to back.
>>>
>>> Please note that the next ESR bump (52) will require GCC 4.8, which is
>>> not in wheezy, so I won't be building ESR45 for wheezy past 45.8,
>>> presumably some time in April next year.
>>
>> The same is true for icedove. Since this is way before the end of Wheezy
>> LTS (31st May 2018) I wonder if we should EOL Firefox/Icedove then or
>> try to support this for longer?
>>
>> I have no idea what features of gcc-4.8 would be required, Mike do you
>> know?
>
> Some C++11 features it supports that GCC 4.7 doesn't.

We may want / need to backport GCC 4.8 to Wheezy then. Chromium is already unsupported, so it's either that, or leave Wheezy with no supported browsers. We probably want the former.

Cheers,
Emilio
Re: Security update of nettle
On Friday, 5 August 2016 22:16:29, Ola Lundqvist wrote:
> Hi Magnus and LTS team
>
> Magnus, Niels and I have been discussing the nettle update due to
> https://security-tracker.debian.org/tracker/CVE-2016-6489
>
> Magnus has started to prepare a wheezy update but had a few
> questions. Here are some information that you should know about.
> https://wiki.debian.org/LTS/Development
>
> One question from Magnus was what should be mentioned in the changelog.
> I suggest something like this:
> "Protect against potential timing attacks against exponentiation operations
> as described in CVE-2016-6489 RSA code is vulnerable to cache sharing
> related attacks."

Hmm, that sounds like two sentences in one...

> Magnus, please let me know if you want to upload the correction too and
> whether you want to issue the DLA or whether you want me to do that. We
> want to time the DLA and the upload so they are close to each other in time.

I think you can do that. But I should coordinate with the stable security team too. I suppose you're not involved with that?

> Magnus, if you decide to build the package for upload, please make sure to
> use the -sa option as wheezy-security need to know about the orig tar file.
> If not the package upload will be rejected.

OK, thanks.

--
Magnus Holmgren    holmg...@debian.org
Debian Developer
Re: [SECURITY] [DLA 579-1] openjdk-7 security update
On Friday, 5 August 2016 17:15, Emilio Pozuelo Monfort wrote:

Package        : openjdk-7
Version        : 7u111-2.6.7-1~deb7u1
CVE ID         : CVE-2016-3458 CVE-2016-3500 CVE-2016-3508 CVE-2016-3550 CVE-2016-3606

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, denial of service or information disclosure.

For Debian 7 "Wheezy", these problems have been fixed in version 7u111-2.6.7-1~deb7u1.

We recommend that you upgrade your openjdk-7 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS