Re: Fwd: phpldapadmin_1.2.2-5+deb7u1_amd64.changes REJECTED
Hi Markus et al.,

> > This is probably obvious to someone else, but I am rather confused by
> > this rejection from security-master.
>
> we are currently having a difficult time when we try to upload arch:all
> packages to wheezy-security. For instance we receive the following message:

[…]

FYI for phpldapadmin I worked around this by building with --build=source,all
and re-uploading.

Best wishes,

--
Chris Lamb, Debian Project Leader
la...@debian.org / chris-lamb.co.uk
About the security issues affecting catdoc in Wheezy
Hello Martin,

The Debian LTS team recently reviewed the security issue(s) affecting your
package in Wheezy:
https://security-tracker.debian.org/tracker/CVE-2017-0

We decided that we would not prepare a wheezy security update since the impact
is low and unlikely to represent a serious issue in most situations where
catdoc is generally used.

That said, the wheezy users would most certainly benefit from a fixed package.
If you want to work on such an update, you're welcome to do so. Please try to
follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated
source package and send it to debian-lts@lists.debian.org (via a debdiff, or
with an URL pointing to the source package, or even with a pointer to your
packaging repository), and the members of the LTS team will take care of the
rest. However, please make sure to submit a tested package.

Thank you very much.

Raphaël Hertzog, on behalf of the Debian LTS team.

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Wheezy update of ipsec-tools?
Hello Christian and other ipsec-tools maintainers,

The Debian LTS team would like to fix the security issue which is currently
open in the Wheezy version of ipsec-tools:
https://security-tracker.debian.org/tracker/CVE-2016-10396

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated
source package and send it to debian-lts@lists.debian.org (via a debdiff, or
with an URL pointing to the source package, or even with a pointer to your
packaging repository), and the members of the LTS team will take care of the
rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do
our best with your package. Just let us know whether you would like to review
and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and
then the LTS Team will take care of ipsec-tools updates for the LTS releases.

Thank you very much.

Raphaël Hertzog, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point
in time. You can verify whether someone is registered on this update in this
file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Fwd: phpldapadmin_1.2.2-5+deb7u1_amd64.changes REJECTED
On 11.07.2017 at 09:36, Chris Lamb wrote:
> Hi Markus et al.,
>
>>> This is probably obvious to someone else, but I am rather confused by
>>> this rejection from security-master.
>>
>> we are currently having a difficult time when we try to upload arch:all
>> packages to wheezy-security. For instance we receive the following message:
>
> […]
>
> FYI for phpldapadmin I worked around this by building with --build=source,all
> and re-uploading.

Thank you for the hint. I was unable to pass the --build command to
dpkg-buildpackage/debuild in Wheezy because it didn't exist and I couldn't use
a different tool for other reasons. However, renaming the _amd64.changes file
to _all.changes worked for me.

Cheers,

Markus
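Both workarounds in this exchange (building with --build=source,all, or renaming the _amd64.changes file to _all.changes) are only honest if the .changes file really describes a source plus arch:all upload; a renamed file that still lists an amd64 .deb would misdescribe the upload. The following is an added example, not code from either message or from Debian's own tooling: it parses the deb822-style fields of a .changes file and lists the reasons the rename must be refused. The phpldapadmin version is the one from the subject line; the dates, checksums, sizes and the second "unsafe" sample are constructed.

```python
"""Check that a .changes file describes a source + arch:all upload before renaming it to *_all.changes."""
import sys


def parse_changes(text):
    """Parse the deb822-style fields of an unsigned .changes file; continuation lines stay attached to their field."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # continuation line of the previous field
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def listed_files(fields):
    """File names from the Files field (each line: md5sum size section priority name)."""
    return [ln.split()[-1] for ln in fields.get("Files", "").splitlines() if ln.strip()]


def arch_all_upload_problems(text):
    """Reasons why this .changes must not be treated as a source,all upload; an empty list means it is safe."""
    fields = parse_changes(text)
    problems = []
    archs = set(fields.get("Architecture", "").split())
    if "source" not in archs:
        problems.append("Architecture lacks 'source': no source package in this upload")
    for arch in sorted(archs - {"source", "all"}):
        problems.append("Architecture lists an architecture-specific build: " + arch)
    for name in listed_files(fields):
        if name.endswith(".deb") and not name.endswith("_all.deb"):
            problems.append("architecture-specific binary listed in Files: " + name)
    return problems


def arch_all_changes_name(text):
    """The file name an arch:all upload should carry: <source>_<version without epoch>_all.changes."""
    fields = parse_changes(text)
    version = fields["Version"].split(":", 1)[-1]   # file names never carry the epoch
    return "%s_%s_all.changes" % (fields["Source"], version)


# Constructed samples: the version comes from the thread subject, everything else is made up.
SAFE_CHANGES = """\
Format: 1.8
Date: Tue, 11 Jul 2017 10:00:00 +0200
Source: phpldapadmin
Binary: phpldapadmin
Architecture: source all
Version: 1.2.2-5+deb7u1
Distribution: wheezy-security
Files:
 d41d8cd98f00b204e9800998ecf8427e 1234 web optional phpldapadmin_1.2.2-5+deb7u1.dsc
 d41d8cd98f00b204e9800998ecf8427e 56789 web optional phpldapadmin_1.2.2-5+deb7u1.debian.tar.gz
 d41d8cd98f00b204e9800998ecf8427e 4321 web optional phpldapadmin_1.2.2-5+deb7u1_all.deb
"""
UNSAFE_CHANGES = SAFE_CHANGES.replace("Architecture: source all", "Architecture: source amd64").replace(
    "phpldapadmin_1.2.2-5+deb7u1_all.deb", "phpldapadmin_1.2.2-5+deb7u1_amd64.deb")

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNSAFE_CHANGES
    problems = arch_all_upload_problems(text)
    for problem in problems:
        print("REFUSE:", problem)
    if not problems:
        print("OK, rename to", arch_all_changes_name(text))
```

Run it on the real *_amd64.changes before renaming; a clean result means the file name is the only thing that was architecture-specific, which is the situation the rename relies on.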
Re: unattended upgrades don't work in wheezy
On 09.07.17 15:41, Chris Lamb wrote:
>>> Is this https://bugs.debian.org/762965 ?
>>
>> I don't think so. That bug is caused by someone making changes to the
>> config file ("For extra security i have added the parameter n=wheezy.")
>
> Ah okay, thanks. Can you file a new bug against unattended-upgrades with a
> "Version:" field of "0.79.5+wheezy2"?

On 09.07.17 17:06, Matus UHLAR - fantomas wrote:
> either I did already or I miss something:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867169

and someone has reported it as bug 867728:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867728

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Emacs is a complicated operating system without good text editor.
Wheezy update of lame?
Dear Fabian and other maintainer(s),

The Debian LTS team would like to fix the security issues which are currently
open in the Wheezy version of lame:
https://security-tracker.debian.org/tracker/CVE-2017-9872
https://security-tracker.debian.org/tracker/CVE-2017-9871
https://security-tracker.debian.org/tracker/CVE-2017-9870
https://security-tracker.debian.org/tracker/CVE-2017-9869

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated
source package and send it to debian-lts@lists.debian.org (via a debdiff, or
with an URL pointing to the source package, or even with a pointer to your
packaging repository), and the members of the LTS team will take care of the
rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do
our best with your package. Just let us know whether you would like to review
and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and
then the LTS Team will take care of lame updates for the LTS releases.

Thank you very much.

Raphaël Hertzog, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point
in time. You can verify whether someone is registered on this update in this
file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Wheezy update of lucene-solr?
Dear maintainers,

The Debian LTS team would like to fix the security issues which are currently
open in the Wheezy version of lucene-solr:
https://security-tracker.debian.org/tracker/CVE-2017-3163

Would you like to take care of this yourself?

I noticed that lucene-solr is seriously out of date compared to upstream, even
in unstable which has the same upstream version as jessie which is almost the
same as wheezy... it would be nice to get back in sync with upstream to make
it easier to handle security updates.

In any case, if you want to handle the wheezy update, please follow the
workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated
source package and send it to debian-lts@lists.debian.org (via a debdiff, or
with an URL pointing to the source package, or even with a pointer to your
packaging repository), and the members of the LTS team will take care of the
rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do
our best with your package. Just let us know whether you would like to review
and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and
then the LTS Team will take care of lucene-solr updates for the LTS releases.

Thank you very much.

Raphaël Hertzog, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point
in time. You can verify whether someone is registered on this update in this
file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Wheezy update of swftools?
Hello Christian,

The Debian LTS team would like to fix the security issues which are currently
open in the Wheezy version of swftools:
https://security-tracker.debian.org/tracker/source-package/swftools

Note that the security team marked a bunch of issues as unimportant but you
are free to fix them too, even though those CVEs are no longer on the radar of
the security team.

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated
source package and send it to debian-lts@lists.debian.org (via a debdiff, or
with an URL pointing to the source package, or even with a pointer to your
packaging repository), and the members of the LTS team will take care of the
rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do
our best with your package. Just let us know whether you would like to review
and/or test the updated package before it gets released.

You can also opt out from receiving future similar emails in your answer and
then the LTS Team will take care of swftools updates for the LTS releases.

Thank you very much.

Raphaël Hertzog, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point
in time. You can verify whether someone is registered on this update in this
file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Wheezy update of ncurses?
On Sun, Jul 09, 2017 at 03:14:33PM +0100, Chris Lamb wrote:
> Dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of ncurses:
> https://security-tracker.debian.org/tracker/source-package/ncurses
>

All the open ncurses issues are marked no-dsa for jessie and stretch. Should
we do the same for wheezy?

Regards,

-Roberto

--
Roberto C. Sánchez
Re: [SECURITY] [DLA 997-1] libffi security update
On Wed, Jun 21, 2017 at 11:52:37AM -0300, Lucas Kanashiro wrote:
> Package: libffi
> Version: 3.0.10-3+deb7u1
> CVE ID : CVE-2017-1000376
>
> libffi requests an executable stack allowing attackers to more easily trigger
> arbitrary code execution by overwriting the stack. Please note that libffi is
> used by a number of other libraries.
>
> For Debian 7 "Wheezy", these problems have been fixed in version
> 3.0.10-3+deb7u1.
>
> We recommend that you upgrade your libffi packages.
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS

Hello,

the page https://packages.debian.org/wheezy/libffi-dev links to several broken
locations:

https://sources.debian.net/patches/summary/libffi/3.0.10-3+deb7u2/
http://ftp-master.metadata.debian.org/changelogs//main/libf/libffi/libffi_3.0.10-3+deb7u2_copyright
http://ftp-master.metadata.debian.org/changelogs//main/libf/libffi/libffi_3.0.10-3+deb7u2_changelog

Best Regards
Joachim Ernst

--
Gruss / Best regards
Joachim Ernst, LF.net GmbH, Ruppmannstrasse 27, D-70565 Stuttgart
supp...@lf.net, fon +49 711 90074-0, fax +49 711 90074-33, https://www.lf.net
Commercial register Stuttgart: HRB 18 189
Managing directors: Norman Fuerst, Rodney Volz
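The advisory quoted above says that libffi "requests an executable stack". That request is recorded in the object's PT_GNU_STACK program header (readelf -lW shows it as GNU_STACK with RWE flags), so a practitioner who wants to know which libraries on a wheezy host still ask for one can check the header directly. The following is an added example, not code from libffi, from the DLA or from Debian: it reads the program headers of an ELF32 or ELF64 file with the standard library and reports the stack request; the synthetic_elf64 helper builds constructed in-memory images for demonstration, not a real library.

```python
"""Report whether an ELF object requests an executable stack through its PT_GNU_STACK program header."""
import struct
import sys

PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def gnu_stack_flags(data):
    """p_flags of the PT_GNU_STACK header, or None when the header is absent (ELF32/ELF64, either byte order)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        phoff = struct.unpack_from(e + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 54)
        flags_offset = 4                      # Elf64_Phdr: p_type, p_flags, p_offset, ...
    else:
        phoff = struct.unpack_from(e + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(e + "HH", data, 42)
        flags_offset = 24                     # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, off)[0] == PT_GNU_STACK:
            return struct.unpack_from(e + "I", data, off + flags_offset)[0]
    return None


def stack_is_executable(data):
    """True if the loader will give this object an executable stack: PF_X set, or no PT_GNU_STACK at all
    (on x86 Linux a missing header means the stack is executable)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def describe(data):
    flags = gnu_stack_flags(data)
    if flags is None:
        return "no PT_GNU_STACK header (stack executable by default)"
    rwe = "".join(c for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)) if flags & bit)
    return "GNU_STACK %s (%s)" % (rwe, "EXECUTABLE STACK" if flags & PF_X else "ok")


def synthetic_elf64(stack_flags=None):
    """Constructed little-endian ELF64 image (not a real library): one PT_LOAD plus an optional PT_GNU_STACK."""
    phnum = 1 if stack_flags is None else 2
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type=ET_DYN, e_machine=x86-64, e_version, e_entry, e_phoff=64, e_shoff, e_flags,
    # e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)      # PT_LOAD
    if stack_flags is not None:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path + ": " + describe(fh.read()))
    if len(sys.argv) == 1:
        print("synthetic RW:  " + describe(synthetic_elf64(PF_R | PF_W)))
        print("synthetic RWE: " + describe(synthetic_elf64(PF_R | PF_W | PF_X)))
```

Pass real paths (for instance the libffi shared object under /usr/lib) to scan them; with no arguments the script describes the two constructed images. Note that a fixed library only removes the request; whether the process ends up with an executable stack still depends on every other object it loads.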
Re: Wheezy update of ncurses?
On 2017-07-11 10:17 -0400, Roberto C. Sánchez wrote:

> On Sun, Jul 09, 2017 at 03:14:33PM +0100, Chris Lamb wrote:
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of ncurses:
>> https://security-tracker.debian.org/tracker/source-package/ncurses
>>
>
> All the open ncurses issues are marked no-dsa for jessie and stretch.
> Should we do the same for wheezy?

That would be logical. The bugs only affect the tic program and the tic
library which is used by about three programs in the world (tic, infocmp and
tack), and most of our users never run any of these programs.

Anyway, I have attempted to backport the patches I sent to the release team
(bugs #867814 and #867817). The changes to the library applied cleanly, but I
had to edit progs/dump_entry.c by hand since two hunks failed to apply there.
If anybody wants to upload a fixed package to wheezy (I won't), please review
carefully.

Also attached are the testcases for the six bugs in the Red Hat bugtracker.
You had better verify that the script to run them exits successfully with the
fixed libtinfo5 and ncurses-bin packages.

Cheers,
Sven

>From 0ac89a314f89dfe33314df934d9e32954bcb21dc Mon Sep 17 00:00:00 2001 From: Sven Joachim Date: Tue, 11 Jul 2017 20:37:27 +0200 Subject: [PATCH] Cherry-pick/backport upstream fixes for various crash bugs Several crash bugs in the tic binary and library have been reported to the Red Hat bugtracker, with four CVEs assigned to them. The new patch cve-fixes.diff contains these changes. It is derived from the same patch jessie, with two hunks for progs/dump_entry.c edited so that they apply. --- debian/changelog | 9 +++ debian/patches/cve-fixes.diff | 173 ++ debian/patches/series | 1 + 3 files changed, 183 insertions(+) create mode 100644 debian/patches/cve-fixes.diff diff --git a/debian/changelog b/debian/changelog index 9149be12..52aa94fa 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,12 @@ +ncurses (5.9-10+deb7u1) wheezy; urgency=medium + + * Cherry-pick/backport upstream fixes from the 20170701 and 20170708 +patchlevels for various crash bugs in the tic library and the tic +binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-2, +CVE-2017-3). + + -- Sven Joachim Tue, 11 Jul 2017 20:35:12 +0200 + ncurses (5.9-10) unstable; urgency=low * Drop the dependency of the biarch packages on libtinfo5 diff --git a/debian/patches/cve-fixes.diff b/debian/patches/cve-fixes.diff new file mode 100644 index ..0d9cb89e --- /dev/null +++ b/debian/patches/cve-fixes.diff 
@@ -0,0 +1,173 @@ +Author: Sven Joachim +Description: Fixes for four CVEs + Fixes for CVE 2017-10684, CVE-2017-10685, CVE-2017-2, + CVE-2017-3 cherry-picked from upstream patchlevels 20170701 and + 20170708. +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464684 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464685 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464686 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464687 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464691 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1464692 +Forwarded: not-needed +Last-Update: 2017-07-09 + +--- + ncurses/tinfo/alloc_entry.c |6 +- + ncurses/tinfo/parse_entry.c | 22 -- + progs/dump_entry.c | 29 +++-- + 3 files changed, 36 insertions(+), 21 deletions(-) + +--- a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c +@@ -120,7 +120,11 @@ _nc_save_str(const char *const string) + { + char *result = 0; + size_t old_next_free = next_free; +-size_t len = strlen(string) + 1; ++size_t len; ++ ++if (string == 0) ++ return _nc_save_str(""); ++len = strlen(string) + 1; + + if (len == 1 && next_free != 0) { + /* +--- a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c +@@ -234,13 +234,14 @@ _nc_parse_entry(struct entry *entryp, in + * implemented it. Note that the resulting terminal type was never the + * 2-character name, but was instead the first alias after that. 
+ */ ++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|') + ptr = _nc_curr_token.tk_name; + if (_nc_syntax == SYN_TERMCAP + #if NCURSES_XNAMES + && !_nc_user_definable + #endif + ) { +- if (ptr[2] == '|') { ++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) { + ptr += 3; + _nc_curr_token.tk_name[2] = '\0'; + } +@@ -282,9 +283,11 @@ _nc_parse_entry(struct entry *entryp, in + if (is_use || is_tc) { + entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring); + entryp->uses[entryp->nuses].line = _nc_curr_line; +- entryp->nuses++; +- if (entryp->nuses > 1 && is_tc) { +- BAD_TC_USAGE ++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) { ++ entryp->nuses++; ++ if (entryp->
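Review bot: the changelog entry names "CVE-2017-2" and "CVE-2017-3" in `+binary (CVE-2017-10684, CVE-2017-10685, CVE-2017-2,` / `+CVE-2017-3).`, and those are not well-formed CVE identifiers (the sequence part has at least four digits); since the entry says four CVEs are fixed, write out the full identifiers for the last two so the security tracker and the DLA text can match the upload. The same two truncated names recur in the Description of the new cve-fixes.diff.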
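Review bot: the DEP-3 header of cve-fixes.diff reads `+ Fixes for CVE 2017-10684, CVE-2017-10685, ...` (hyphen missing after the first CVE) and lists six Bug-RedHat URLs against four CVEs without saying which Red Hat bug belongs to which CVE or which hunk; add that mapping, since the attached testcases are per Red Hat bug. In the alloc_entry.c hunk, `++if (string == 0)` / `++ return _nc_save_str("");` folds a NULL string into the empty-string case by a recursive call; a one-line comment that a NULL string (which the old `strlen(string)` would have dereferenced) is expected from the parser and that the existing `if (len == 1 && next_free != 0) {` branch below is deliberately reused would make the backport easier to re-review.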
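Review bot: `++#define ok_TC2(s) (isgraph(UChar(s)) && (s) != '|')` is introduced in the middle of _nc_parse_entry and never #undef'd; move it next to the other macros at the top of parse_entry.c or #undef it after the block, and add a comment on `++ if (ok_TC2(ptr[0]) && ok_TC2(ptr[1]) && (ptr[2] == '|')) {` stating that the two ok_TC2 tests must come first because they stop ptr[2] from being read past the terminator of a name shorter than two characters; that short-circuit order is the whole fix and is easy to lose when the condition is later reordered or re-wrapped.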
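Review bot: in the second parse_entry.c hunk the `.name` and `.line` of uses[entryp->nuses] are stored before the new `++ if (VALID_STRING(entryp->uses[entryp->nuses].name)) {` guard, so when the check fails the slot stays populated while nuses is not advanced and the next use silently overwrites it; that is acceptable but should be stated in a comment next to the guard. The hunk is cut off on this page right after `++ if (entryp->`, so the path taken when VALID_STRING fails (whether the bad use is reported, as BAD_TC_USAGE was for the old `nuses > 1 && is_tc` case, or silently dropped) needs to be shown in full before anyone uploads this to wheezy.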
testing bind9 for Wheezy LTS
Hi everybody,

I uploaded version 9.8.4.dfsg.P1-6+nmu2+deb7u17 of bind9 to:
https://people.debian.org/~alteholz/packages/wheezy-lts/bind9/amd64/

Please give it a try and tell me about any problems you met. It would be nice
if you could especially test TSIG.

Thanks!
Thorsten

* CVE-2017-3142
  An error in TSIG authentication can permit unauthorized zone transfers.
* CVE-2017-3143
  An error in TSIG authentication can permit unauthorized dynamic updates.
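Thorsten asks for TSIG to be tested in particular, because both CVEs are errors in TSIG authentication: a server that accepts a transfer or update request whose TSIG does not verify hands out the zone or changes it for anyone who knows a key name. The following is an added example, not part of Thorsten's message and not code from bind9: it signs an AXFR request with a TSIG record (RFC 2845 with hmac-sha256 from RFC 4635) and verifies it in the order a server is supposed to, key name, MAC length, HMAC in constant time, then the time window. The key name xfer-key.example., the secret and the timestamp are constructed; the example assumes uncompressed names in the TSIG record and, as a deliberately strict policy, rejects any MAC shorter than the full digest. Testing the actual package is done against a running named with dig -y and nsupdate -k; this code only shows what those checks must enforce and which failures a correct server has to reject.

```python
"""TSIG (RFC 2845 / RFC 4635 hmac-sha256) signing and verification for a DNS request, stdlib only."""
import hashlib
import hmac
import struct

ALG = "hmac-sha256."                       # algorithm name in domain-name form
TYPE_TSIG, CLASS_ANY, TYPE_AXFR = 250, 255, 252


class TsigError(Exception):
    pass


def encode_name(name):
    """Uncompressed wire-format name, lower-cased: the canonical form the TSIG digest uses."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Read an uncompressed name (the TSIG RR's name and algorithm must not be compressed)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:
            raise TsigError("compressed name in TSIG record")
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n


def skip_name(msg, off):
    """Advance past a possibly compressed name while walking the other sections."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def build_query(qname, qtype, msg_id):
    """Plain query: one question in class IN, flags 0, no other records."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def tsig_variables(key_name, time_signed, fudge, error, other):
    """The 'TSIG variables' (RFC 2845 3.4.2) hashed after the message: name, class ANY, TTL 0, alg, time, fudge, error, other."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
            + struct.pack("!HH", error, len(other)) + other)


def compute_mac(key, message, key_name, time_signed, fudge, error=0, other=b""):
    return hmac.new(key, message + tsig_variables(key_name, time_signed, fudge, error, other), hashlib.sha256).digest()


def append_tsig(message, key_name, time_signed, fudge, mac, error=0, other=b""):
    """Append the TSIG RR as the last additional record and bump ARCOUNT."""
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (encode_name(ALG) + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac + struct.pack("!HHH", msg_id, error, len(other)) + other)
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def tsig_sign(message, key_name, key, time_signed, fudge=300):
    return append_tsig(message, key_name, time_signed, fudge, compute_mac(key, message, key_name, time_signed, fudge))


def tsig_verify(signed, keys, now):
    """Return the key name when the TSIG verifies; raise TsigError otherwise. Checks: key, MAC length, MAC, time."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        raise TsigError("no TSIG")
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4                      # qtype + qclass
    for _ in range(an + ns + ar - 1):                         # every RR except the final TSIG
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass, ttl, _ = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if (rtype, rclass, ttl) != (TYPE_TSIG, CLASS_ANY, 0):
        raise TsigError("last RR is not a TSIG")
    alg, off = read_name(signed, off)
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10])
    off += 10
    mac = signed[off:off + mac_len]
    off += mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    time_signed = (hi << 32) | lo
    if alg != ALG:
        raise TsigError("BADKEY: unsupported algorithm")
    key = keys.get(key_name)
    if key is None:
        raise TsigError("BADKEY: unknown key")
    if mac_len != hashlib.sha256().digest_size:               # strict policy: no truncated MACs
        raise TsigError("BADSIG: MAC length")
    # Rebuild the message exactly as it was signed: original ID, ARCOUNT minus one, TSIG RR removed.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = compute_mac(key, unsigned, key_name, time_signed, fudge, error, other)
    if not hmac.compare_digest(mac, expected):
        raise TsigError("BADSIG")
    if abs(now - time_signed) > fudge:
        raise TsigError("BADTIME")
    return key_name


def outcome(signed, keys, now):
    try:
        return "OK " + tsig_verify(signed, keys, now)
    except TsigError as exc:
        return str(exc)


# Constructed sample: a zone-transfer request signed with a made-up key; the name, secret and time are not real.
KEY_NAME, KEY, TS = "xfer-key.example.", b"constructed-secret-key-not-real", 1500000000
QUERY = build_query("example.", TYPE_AXFR, 0x1234)
SIGNED = tsig_sign(QUERY, KEY_NAME, KEY, TS)

if __name__ == "__main__":
    print(outcome(SIGNED, {KEY_NAME: KEY}, TS + 100))         # OK xfer-key.example.
    print(outcome(SIGNED, {KEY_NAME: b"wrong"}, TS + 100))    # BADSIG
    print(outcome(QUERY, {KEY_NAME: KEY}, TS))                # no TSIG
```

The cases worth running against a patched server map onto these checks: a request signed with the right key must succeed, while an unknown key name, a wrong secret, a tampered question, a truncated MAC, a stale timestamp and a missing TSIG must each be refused (and, for AXFR, refused before any zone data is sent).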