Re: zoneminder CVEs

2017-02-06 Thread Markus Koschany
On 05.02.2017 19:55, Guido Günther wrote:
> Hi,
> zoneminder has multiple CVEs open and it does not look pretty:
> 
> http://seclists.org/bugtraq/2017/Feb/5
> 
> I think we have no choice but to end security support (or mark the
> issues as no-dsa and move the package to limited security support like
> only run in trusted environments).

Hello,

I think we should wait until it becomes clear how upstream intends to
deal with those security vulnerabilities, but I agree that it looks
severe. If the proposed fixes are too intrusive to backport, marking them
as unsupported and end-of-life seems to be reasonable. We could issue a
warning via debian-lts-announce though and recommend using zoneminder
only in trusted environments for now. Agreed?

Regards,

Markus





Re: [debian-security-support PATCH] Drop support for kfreebsd-*

2017-02-06 Thread Holger Levsen
On Sat, Feb 04, 2017 at 01:29:21PM +0100, Guido Günther wrote:
> kfreebsd-* builds packages for amd64 but we don't actually support the
> architecture so add it as unsupported in Wheezy LTS.
[...]
> +kfreebsd-8  8.3-6+deb7u12016-02-06  Not supported in 
> Debian LTS
> +kfreebsd-9  9.0-10+deb70.10 2016-02-06  Not supported in 
> Debian LTS
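Review bot: the end-of-support date in both added rows reads 2016-02-06 although the patch was sent in February 2017; confirm whether that date is intended or should be 2017-02-06 before committing. In the first row the version and date also appear run together (`8.3-6+deb7u12016-02-06`), so check that the fields are separated the same way as the surrounding entries in the file so the version `8.3-6+deb7u1` and the date parse as distinct columns.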
 
did you commit this to git or file a bug? (else this will be forgotten…)

or was this an RFC?


-- 
cheers,
Holger




Re: [debian-security-support PATCH] Drop support for kfreebsd-*

2017-02-06 Thread Guido Günther
On Mon, Feb 06, 2017 at 10:10:22AM +, Holger Levsen wrote:
> On Sat, Feb 04, 2017 at 01:29:21PM +0100, Guido Günther wrote:
> > kfreebsd-* builds packages for amd64 but we don't actually support the
> > architecture so add it as unsupported in Wheezy LTS.
> [...]
> > +kfreebsd-8  8.3-6+deb7u12016-02-06  Not supported 
> > in Debian LTS
> > +kfreebsd-9  9.0-10+deb70.10 2016-02-06  Not supported 
> > in Debian LTS
>  
> did you commit this to git or file a bug? (else this will be forgotten…)
> 
> or was this an RFC?

RFC, will commit in a couple of days if nobody objects.
 -- Guido



Wheezy update of mp3splt?

2017-02-06 Thread Markus Koschany
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of mp3splt:
https://security-tracker.debian.org/tracker/CVE-2017-5666

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt out of receiving similar emails in the future in your
answer, and then the LTS Team will take care of mp3splt updates
for the LTS releases.

Thank you very much.

Markus Koschany,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup



Re: RFC - please test php5 (5.4.45-0+deb7u7), ready for upload

2017-02-06 Thread Roberto C. Sánchez
As I've not received any feedback on the below RFC, I intend to make the
upload in ~12 hours.

Regards,

-Roberto

On Fri, Feb 03, 2017 at 06:57:13PM -0500, Roberto C. Sánchez wrote:
> Greetings all,
> 
> I have finished preparing an LTS upload of php5 (5.4.45-0+deb7u7) and
> your assistance with testing these packages before upload would be most
> welcome.  Please try these out and let me know if you encounter any
> issues.
> 
> Here are the relevant links:
> 
> .changes file:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.changes
> 
> build log:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.build
> 
> source:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7.dsc
> 
> debdiff against previous version:
> https://people.debian.org/~roberto/php5_5.4.45-0+deb7u6_5.4.45-0+deb7u7.diff
> 
> Here is the advisory text I plan to publish after the upload:
> 
> **
> *DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
> **
> 
> Package: php5
> Version: 5.4.45-0+deb7u7
> CVE ID : CVE-2016-2554 CVE-2016-3141 CVE-2016-3142 CVE-2016-4342
>  CVE-2016-9934 CVE-2016-9935 CVE-2016-10158
>  CVE-2016-10159 CVE-2016-10160 CVE-2016-10161
> PHP-Bugs   : 71323 70979 71039 71459 71391 71335
> 
> 
> Several issues have been discovered in PHP (recursive acronym for PHP:
> Hypertext Preprocessor), a widely-used open source general-purpose
> scripting language that is especially suited for web development and can
> be embedded into HTML.
> 
>   * CVE-2016-2554
> Stack-based buffer overflow in ext/phar/tar.c allows remote
> attackers to cause a denial of service (application crash) or
> possibly have unspecified other impact via a crafted TAR archive.
>   * CVE-2016-3141
> Use-after-free vulnerability in wddx.c in the WDDX extension allows
> remote attackers to cause a denial of service (memory corruption and
> application crash) or possibly have unspecified other impact by
> triggering a wddx_deserialize call on XML data containing a crafted
> var element.
>   * CVE-2016-3142
> The phar_parse_zipfile function in zip.c in the PHAR extension in
> PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to
> obtain sensitive information from process memory or cause a denial
> of service (out-of-bounds read and application crash) by placing a
> PK\x05\x06 signature at an invalid location.
>   * CVE-2016-4342
> ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18,
> and 7.x before 7.0.3 mishandles zero-length uncompressed data, which
> allows remote attackers to cause a denial of service (heap memory
> corruption) or possibly have unspecified other impact via a crafted
> (1) TAR, (2) ZIP, or (3) PHAR archive.
>   * CVE-2016-9934
> ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows
> remote attackers to cause a denial of service (NULL pointer
> dereference) via crafted serialized data in a wddxPacket XML
> document, as demonstrated by a PDORow string.
>   * CVE-2016-9935
> The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
> 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a
> denial of service (out-of-bounds read and memory corruption) or
> possibly have unspecified other impact via an empty boolean element
> in a wddxPacket XML document.
>   * CVE-2016-10158
> The exif_convert_any_to_int function in ext/exif/exif.c in PHP
> before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
> remote attackers to cause a denial of service (application crash)
> via crafted EXIF data that triggers an attempt to divide the minimum
> representable negative integer by -1.
>   * CVE-2016-10159
> Integer overflow in the phar_parse_pharfile function in
> ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
> remote attackers to cause a denial of service (memory consumption or
> application crash) via a truncated manifest entry in a PHAR archive.
>   * CVE-2016-10160
> Off-by-one error in the phar_parse_pharfile function in
> ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
> remote attackers to cause a denial of service (memory corruption) or
> possibly execute arbitrary code via a crafted PHAR archive with an
> alias mismatch.
>   * CVE-2016-10161
> The object_common1 function in ext/standard/var_unserializer.c in
> PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1
> allows remote attackers to cause a denial of service (buffer
> over-read and application crash) via crafted serialized data that is
> mishandled in a finish_nested_data call.
>   * BUG-71323.patch
> Output of stream_get_meta_data can be fa