Wheezy update of potrace?

2016-11-10 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of potrace:
https://security-tracker.debian.org/tracker/source-package/potrace

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of potrace updates
for the LTS releases. (In case we don't get any answer for months,
we may take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



testing curl for Wheezy LTS

2016-11-10 Thread Thorsten Alteholz

Hi everybody,

I uploaded version 7.26.0-1+wheezy17 of curl to:

https://people.debian.org/~alteholz/packages/wheezy-lts/curl/amd64/

Please give it a try and tell me about any problems you run into. It would be 
nice to also test cases where "range-to" is really needed.


Thanks!
 Thorsten


   * CVE-2016-8615
 If cookie state is written into a cookie jar file that is later read
 back and used for subsequent requests, a malicious HTTP server can
 inject new cookies for arbitrary domains into said cookie jar.
 The issue pertains to the function that loads cookies into memory, which
 reads the specified file into a fixed-size buffer in a line-by-line
 manner using the `fgets()` function. If an invocation of fgets() cannot
 read the whole line into the destination buffer due to it being too
 small, it truncates the output.
 This way, a very long cookie (name + value) sent by a malicious server
 would be stored in the file and, if subsequently read back partially
 and crafted accordingly, could be treated as a different cookie for
 another server.
   * CVE-2016-8616
 When re-using a connection, curl was doing case insensitive comparisons
 of user name and password with the existing connections.
 This means that if an unused connection with proper credentials exists
 for a protocol that has connection-scoped credentials, an attacker can
 cause that connection to be reused if s/he knows the case-insensitive
 version of the correct password.
   * CVE-2016-8617
 In libcurl's base64 encode function, the output buffer is allocated
 as follows without any checks on insize:
malloc( insize * 4 / 3 + 4 )
 On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32),
 the multiplication in the expression wraps around if insize is at
 least 1GB of data. If this happens, an undersized output buffer will
 be allocated, but the full result will be written, thus causing the
 memory behind the output buffer to be overwritten.
 Systems with 64 bit versions of the `size_t` type are not affected
 by this issue.
   * CVE-2016-8618
 The libcurl API function called `curl_maprintf()` can be tricked into
 doing a double-free due to an unsafe `size_t` multiplication, on
 systems using 32 bit `size_t` variables. The function is also used
 internally in numerous situations.
 Systems with 64 bit versions of the `size_t` type are not affected
 by this issue.
   * CVE-2016-8619
 In curl's implementation of the Kerberos authentication mechanism,
 the function `read_data()` in security.c is used to fill the
 necessary krb5 structures. When reading one of the length fields from
 the socket, it fails to ensure that the length parameter passed to
 realloc() is not set to 0.
   * CVE-2016-8621
 The `curl_getdate` function converts a given date string into a numerical
 timestamp and it supports a range of different formats and
 possibilities to express a date and time. The underlying date
 parsing function is also used internally when parsing for example
 HTTP cookies (possibly received from remote servers) and it can be
 used when doing conditional HTTP requests.
   * CVE-2016-8622
 The URL percent-encoding decode function in libcurl is called
 `curl_easy_unescape`. Internally, even if this function would be
 made to allocate an unescape destination buffer larger than 2GB, it
 would return that new length in a signed 32 bit integer variable,
 thus the length would get either just truncated or both truncated
 and turned negative. That could then lead to libcurl writing outside
 of its heap based buffer.
   * CVE-2016-8623 curl Use-after-free via shared cookies
 libcurl explicitly allows users to share cookies between multiple
 easy handles that are concurrently employed by different threads.
 When cookies to be sent to a server are collected, the matching
 function collects all cookies to send and the cookie lock is released
 immediately afterwards. That function, however, only returns a list with
 *references* back to the original strings for name, value, path and so
 on. Therefore, if another thread quickly takes the lock and frees one
 of the original cookie structs together with its strings,
 a use-after-free can occur and lead to information disclosure. Another
 thread can also replace the contents of the cookies from separate HTTP
 responses or API calls.
   * CVE-2016-8624 curl invalid URL parsing with '#'
 curl doesn't parse the authority component of the URL correctly when
 the host name part ends with a '#' character, and could instead be
 tricked into connecting to a different host. This may have security
 implications if you, for example, use a URL parser that follows the RFC
 to check for allowed domains before using curl to request them.
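Added example, not code from the curl project or from this thread: the CVE-2016-8617 size expression quoted above, first evaluated in 32-bit arithmetic to show the wrap, then replaced by an overflow-checked version that sizes the buffer for a small base64 encoder. The encoder and all function names here are mine; only the `insize * 4 / 3 + 4` formula comes from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The advisory's unchecked expression in 32-bit arithmetic (a 32-bit size_t):
 * for 1 GiB of input, insize * 4 wraps to 0 and a 4-byte buffer results. */
uint32_t base64_outsize_wrap32(uint32_t insize) { return insize * 4 / 3 + 4; }

/* Checked variant: refuse any insize whose size computation would wrap. */
bool base64_outsize(size_t insize, size_t *outsize)
{
    if (insize > SIZE_MAX / 4) return false;   /* insize * 4 would overflow */
    *outsize = insize * 4 / 3 + 4;             /* covers padding and the NUL */
    return true;
}

static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode into a freshly malloc'd NUL-terminated string sized by the checked
 * computation. Returns the encoded length, or 0 with *out == NULL on failure. */
size_t base64_encode(const unsigned char *in, size_t insize, char **out)
{
    size_t need, o = 0;
    *out = NULL;
    if (!base64_outsize(insize, &need) || (*out = malloc(need)) == NULL)
        return 0;
    for (size_t i = 0; i < insize; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < insize) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < insize) v |= in[i + 2];
        (*out)[o++] = tbl[(v >> 18) & 63];
        (*out)[o++] = tbl[(v >> 12) & 63];
        (*out)[o++] = i + 1 < insize ? tbl[(v >> 6) & 63] : '=';
        (*out)[o++] = i + 2 < insize ? tbl[v & 63] : '=';
    }
    (*out)[o] = '\0';
    return o;
}

/* True if the C string `in` encodes to exactly `expect`. */
bool base64_check(const char *in, const char *expect)
{
    char *enc;
    size_t n = base64_encode((const unsigned char *)in, strlen(in), &enc);
    bool ok = enc != NULL && n == strlen(expect) && strcmp(enc, expect) == 0;
    free(enc);
    return ok;
}
```

On a 64-bit size_t the unchecked formula cannot wrap for any allocatable input, which is why the advisory limits the issue to 32-bit userspace.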



Wheezy update of ming?

2016-11-10 Thread Chris Lamb
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of ming:
https://security-tracker.debian.org/tracker/source-package/ming

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving future similar emails in your
answer and then the LTS Team will take care of ming updates
for the LTS releases. (In case we don't get any answer for months,
we may take it as an opt-out, too.)

Thank you very much.

Chris Lamb,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: python-django and CVE-2016-9014

2016-11-10 Thread Brian May
Brian May  writes:

> I think I understand this security issue now. I should be able to work
> on a fix for wheezy-security tomorrow.

Ok, I have packages available for testing at:

https://people.debian.org/~bam/debian/pool/main/p/python-django/

The debdiff is below.

diff -Nru python-django-1.4.22/debian/changelog 
python-django-1.4.22/debian/changelog
--- python-django-1.4.22/debian/changelog   2016-10-07 07:17:00.0 
+1100
+++ python-django-1.4.22/debian/changelog   2016-11-03 18:09:17.0 
+1100
@@ -1,3 +1,11 @@
+python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2016-9013: Generated a random database user password when running
+tests on Oracle.
+
+ -- Brian May   Thu, 03 Nov 2016 18:08:17 +1100
+
 python-django (1.4.22-1+deb7u1) wheezy-security; urgency=high
 
   * CVE-2016-7401: CSRF protection bypass on a site with Google Analytics.
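Review bot: the new changelog bullet names CVE-2016-9013 and describes the Oracle test-database password fix, but the patch this upload adds is 0010-CVE-2016-9014.patch (the get_host()/ALLOWED_HOSTS change), so the entry describes the wrong issue. Replace the bullet with a description of CVE-2016-9014, along the lines of `* Fix CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True.`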
diff -Nru python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 
python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
--- python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
1970-01-01 10:00:00.0 +1000
+++ python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
2016-11-10 09:07:19.0 +1100
@@ -0,0 +1,43 @@
+--- a/django/http/__init__.py
 b/django/http/__init__.py
+@@ -215,7 +215,7 @@
+ if server_port != (self.is_secure() and '443' or '80'):
+ host = '%s:%s' % (host, server_port)
+ 
+-allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
++allowed_hosts = settings.ALLOWED_HOSTS
+ if validate_host(host, allowed_hosts):
+ return host
+ else:
+--- a/tests/regressiontests/requests/tests.py
 b/tests/regressiontests/requests/tests.py
+@@ -261,13 +261,22 @@
+ request.get_host()
+ 
+ @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+-def test_host_validation_disabled_in_debug_mode(self):
+-"""If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+-request = HttpRequest()
+-request.META = {
+-'HTTP_HOST': 'example.com',
+-}
+-self.assertEqual(request.get_host(), 'example.com')
++def test_host_validation_in_debug_mode(self):
++"""
++If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
++allowed.
++"""
++valid_hosts = ['localhost', '127.0.0.1', '[::1]']
++for host in valid_hosts:
++request = HttpRequest()
++request.META = {'HTTP_HOST': host}
++# self.assertEqual(request.get_host(), host)
++
++# Other hostnames raise a SuspiciousOperation.
++with self.assertRaises(SuspiciousOperation):
++request = HttpRequest()
++request.META = {'HTTP_HOST': 'example.com'}
++request.get_host()
+ 
+ def test_near_expiration(self):
+ "Cookie will expire when an near expiration time is provided"
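Review bot: the test docstring says variants of localhost are allowed when ALLOWED_HOSTS is empty and DEBUG is True, but the only production change in this hunk is `+allowed_hosts = settings.ALLOWED_HOSTS`; no line adds a localhost fallback, so nothing here makes 'localhost', '127.0.0.1' or '[::1]' pass validate_host() against an empty list. The assertion that would expose this, `# self.assertEqual(request.get_host(), host)`, is commented out, so the valid-hosts loop currently checks nothing. Add the fallback (when DEBUG is on and ALLOWED_HOSTS is empty, use ['localhost', '127.0.0.1', '[::1]'] as allowed_hosts) and re-enable the assertion so the test actually exercises it.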
diff -Nru python-django-1.4.22/debian/patches/series 
python-django-1.4.22/debian/patches/series
--- python-django-1.4.22/debian/patches/series  2016-10-07 07:16:07.0 
+1100
+++ python-django-1.4.22/debian/patches/series  2016-11-08 09:01:14.0 
+1100
@@ -7,3 +7,4 @@
 0007-is_safe_url-crashes-with-a-byestring-URL-on-Python-2.patch
 0008-CVE-2016-2513-Fixed-user-enumeration-timing-attack-d.patch
 0009-CVE-2016-7401.patch
+0010-CVE-2016-9014.patch

-- 
Brian May 



Re: python-django and CVE-2016-9014

2016-11-10 Thread Ben Hutchings
On Fri, 2016-11-11 at 08:46 +1100, Brian May wrote:
> > Brian May  writes:
> 
> > I think I understand this security issue now. I should be able to work
> > on a fix for wheezy-security tomorrow.
> 
> Ok, I have packages available for testing at:
> 
> https://people.debian.org/~bam/debian/pool/main/p/python-django/
> 
> The debdiff is below.
> 
> diff -Nru python-django-1.4.22/debian/changelog 
> python-django-1.4.22/debian/changelog
> > --- python-django-1.4.22/debian/changelog   2016-10-07 07:17:00.0 
> > +1100
> > +++ python-django-1.4.22/debian/changelog   2016-11-03 18:09:17.0 
> > +1100
> @@ -1,3 +1,11 @@
> +python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
> +
> +  * Non-maintainer upload by the LTS Team.
> +  * Fix CVE-2016-9013: Generated a random database user password when running
> +tests on Oracle.
[...]

That's not the issue being patched.

Ben.

-- 
Ben Hutchings
Q.  Which is the greater problem in the world today, ignorance or
apathy?
A.  I don't know and I couldn't care less.





Re: python-django and CVE-2016-9014

2016-11-10 Thread Brian May
Ben Hutchings  writes:

> That's not the issue being patched.

Ooops. Will fix the changelog before I upload.
-- 
Brian May 



Re: python-django and CVE-2016-9014

2016-11-10 Thread Brian May
Brian May  writes:

>> That's not the issue being patched.
>
> Ooops. Will fix the changelog before I upload.

Here is a fixed diff:

diff -Nru python-django-1.4.22/debian/changelog 
python-django-1.4.22/debian/changelog
--- python-django-1.4.22/debian/changelog   2016-10-07 07:17:00.0 
+1100
+++ python-django-1.4.22/debian/changelog   2016-11-11 17:44:37.0 
+1100
@@ -1,3 +1,11 @@
+python-django (1.4.22-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2016-9014: DNS rebinding vulnerability when DEBUG=True.
+Attacker could attack services listening on localhost.
+ 
+ -- Brian May   Thu, 03 Nov 2016 18:08:17 +1100
+
 python-django (1.4.22-1+deb7u1) wheezy-security; urgency=high
 
   * CVE-2016-7401: CSRF protection bypass on a site with Google Analytics.
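Review bot: the trailer line still carries the date of the earlier attempt (Thu, 03 Nov 2016 18:08:17 +1100) while the file header shows the changelog was rewritten on 2016-11-11; regenerate the trailer with `dch -r` (or correct it by hand) before upload, and drop the trailing space on the `+ ` line just above it so the separator is a genuinely empty line.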
diff -Nru python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch 
python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
--- python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
1970-01-01 10:00:00.0 +1000
+++ python-django-1.4.22/debian/patches/0010-CVE-2016-9014.patch
2016-11-10 09:07:19.0 +1100
@@ -0,0 +1,43 @@
+--- a/django/http/__init__.py
 b/django/http/__init__.py
+@@ -215,7 +215,7 @@
+ if server_port != (self.is_secure() and '443' or '80'):
+ host = '%s:%s' % (host, server_port)
+ 
+-allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS
++allowed_hosts = settings.ALLOWED_HOSTS
+ if validate_host(host, allowed_hosts):
+ return host
+ else:
+--- a/tests/regressiontests/requests/tests.py
 b/tests/regressiontests/requests/tests.py
+@@ -261,13 +261,22 @@
+ request.get_host()
+ 
+ @override_settings(DEBUG=True, ALLOWED_HOSTS=[])
+-def test_host_validation_disabled_in_debug_mode(self):
+-"""If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass."""
+-request = HttpRequest()
+-request.META = {
+-'HTTP_HOST': 'example.com',
+-}
+-self.assertEqual(request.get_host(), 'example.com')
++def test_host_validation_in_debug_mode(self):
++"""
++If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are
++allowed.
++"""
++valid_hosts = ['localhost', '127.0.0.1', '[::1]']
++for host in valid_hosts:
++request = HttpRequest()
++request.META = {'HTTP_HOST': host}
++# self.assertEqual(request.get_host(), host)
++
++# Other hostnames raise a SuspiciousOperation.
++with self.assertRaises(SuspiciousOperation):
++request = HttpRequest()
++request.META = {'HTTP_HOST': 'example.com'}
++request.get_host()
+ 
+ def test_near_expiration(self):
+ "Cookie will expire when an near expiration time is provided"
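Review bot: the patch body is unchanged from the earlier debdiff, so the same gap remains: the docstring promises that 'localhost', '127.0.0.1' and '[::1]' are accepted when DEBUG=True and ALLOWED_HOSTS=[], but the only production change is `+allowed_hosts = settings.ALLOWED_HOSTS`, and the assertion on those hosts is commented out, leaving the loop without any check. Add the localhost fallback for the DEBUG-with-empty-ALLOWED_HOSTS case and uncomment `self.assertEqual(request.get_host(), host)` so the test fails if the fallback is missing.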
diff -Nru python-django-1.4.22/debian/patches/series 
python-django-1.4.22/debian/patches/series
--- python-django-1.4.22/debian/patches/series  2016-10-07 07:16:07.0 
+1100
+++ python-django-1.4.22/debian/patches/series  2016-11-08 09:01:14.0 
+1100
@@ -7,3 +7,4 @@
 0007-is_safe_url-crashes-with-a-byestring-URL-on-Python-2.patch
 0008-CVE-2016-2513-Fixed-user-enumeration-timing-attack-d.patch
 0009-CVE-2016-7401.patch
+0010-CVE-2016-9014.patch

-- 
Brian May