Re: Wheezy update of simplesamlphp?
Hi,

On Sun, 04 Feb 2018, Ola Lundqvist wrote:
> No worry. It was my mistake. I did not expect that someone else would
> do triaging when I was at front desk. You did nothing wrong. I'll try
> to be a little more observant next time. :-)

Just to be clear. Abhijith did not have to do this since he was not assigned to frontdesk. That's the best way to avoid duplicate work.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: upload simplesamlphp
Hi,

On Mon, 05 Feb 2018, Abhijith PA wrote:
> I prepared LTS security update for simplesamlphp. Basic functions also
> tested in a wheezy machine. Please review and upload. Debdiff is
> attached.

FWIW it would help to build some confidence if you explained in a bit more detail the tests that you have done.

> https://mentors.debian.net/debian/pool/main/s/simplesamlphp/simplesamlphp_1.9.2-1+deb7u2.dsc

In any case, I leave it to someone else to review and upload.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Re: Wheezy update of dokuwiki?
On 2018-02-03 21:59, Ola Lundqvist wrote:
> Dear maintainers,

Dear Ola,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of dokuwiki:
> https://security-tracker.debian.org/tracker/CVE-2017-18123
> Would you like to take care of this yourself?

I no longer maintain Dokuwiki so I will let Tanguy take care of telling you the right course of action.

Thank you for your email and for what you're doing for Debian LTS.

--
Mohammed Adnène TROJETTE
Re: dojo / CVE-2018-6561
Hi Brian

I tend to agree with your analysis. Source edit mode seems to be a separate module.
https://dojotoolkit.org/reference-guide/1.10/dijit/_editor/plugins/ViewSource.html
I do not know whether that one is included or not. According to that module page it has filtering support to filter out such things to avoid XSS attacks.

I agree with you that the server side that the data is posted to also needs to validate the contents, as you cannot trust a client-side security check.

I think we can mark this as ignored as this is more of a minor security problem.

Best regards

// Ola

On 6 February 2018 at 08:31, Brian May wrote:
> Hello All,
>
> Looking at
> https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md:
>
> The complaint appears to be: If I directly enter HTML into the
> JavaScript editor using its source mode, I can enter HTML code that
> contains JavaScript code, which could lead to an XSS attack.
>
> I tried to reproduce this with the same online editor:
> http://demos.dojotoolkit.org/demos/editor/demo.html
>
> However I seem to be unable to find the source mode button.
>
> Let's just assume this complaint is reproducible.
>
> This is a JavaScript application, designed to run entirely - I believe -
> in the browser. Hence even if the JavaScript application filtered
> dangerous HTML text, the fact remains it is still possible for the user
> to override the data submitted and still create XSS attacks.
>
> Hence I believe the only solution for this security bug is that the
> server the data is being submitted to must sanitise the HTML to ensure
> it is safe (and should already be doing so).
>
> While this might be a bug, I don't believe the failure of a JavaScript
> library to validate input is a *security* *bug*, as the server should be
> doing this.
>
> Any comments?
>
> Regards
> --
> Brian May
> https://linuxpenguins.xyz/brian/

--
 --- Inguza Technology AB --- MSc in Information Technology
/  o...@inguza.com                    Folkebogatan 26               \
|  o...@debian.org                    654 68 KARLSTAD               |
|  http://inguza.com/                 Mobile: +46 (0)70-332 1551    |
 \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9    /
 ---
Re: exiv2 [was: January Report]
Hi

As you have the patch ready it may be worth it as I guess it will take very limited time to build a package and upload. I do not see this as important though. If the CVE for this package is ignored for jessie I think we can safely ignore it for wheezy as well. As you can see from the rest of the list, all kinds of DoS class vulnerabilities have been ignored in the past.

Best regards

// Ola

On 5 February 2018 at 07:55, Brian May wrote:
> Brian May writes:
>
>> Brian May writes:
>>
>>> Next month I plan to continue to exiv2 (unless somebody else wants to take
>>> over
>>> at this point). It might also be worth spending time and assisting the
>>> security
>>> team fix exiv2 (and maybe tiff too) in the other distributions.
>>
>> Since I looked at this last month, I have noticed that exiv2 has been
>> marked as no-DSA in Jessie and Stretch.
>>
>> I have a fixed version - based on a patch that was approved and merged
>> upstream, which I am in the process of testing, however wondered if it
>> is still worth uploading?
>>
>> The patch from upstream master applies to Wheezy without minimal changes
>> - in particular I had to remove the tests (there doesn't appear to be
>> any tests in wheezy) and make a small change in the name of the file
>> patched.
>>
>> It seems a bit strange fixing a problem in wheezy, but not Jessie or
>> Stretch.
>
> Here is the patch for the wheezy version.
>
> There is also an AMD64 version available for testing:
> https://people.debian.org/~bam/debian/pool/main/e/exiv2/
>
> (I can also build an i386 version if required)
>
>
> diff -Nru exiv2-0.23/debian/changelog exiv2-0.23/debian/changelog
> --- exiv2-0.23/debian/changelog 2017-10-26 01:05:29.0 +1100
> +++ exiv2-0.23/debian/changelog 2018-02-05 17:33:01.0 +1100
> @@ -1,3 +1,10 @@ > +exiv2 (0.23-1+deb7u3) wheezy-security; urgency=high > + > + * Non-maintainer upload by the LTS team. > + * CVE-2017-17669: Fix out of bounds read in src/pngchunk_int.cpp. > + > + -- Brian May Mon, 05 Feb 2018 17:33:01 +1100 > + > exiv2 (0.23-1+deb7u2) wheezy-security; urgency=medium > >* Non-maintainer upload by the LTS team. > diff -Nru exiv2-0.23/debian/patches/CVE-2017-17669.patch > exiv2-0.23/debian/patches/CVE-2017-17669.patch > --- exiv2-0.23/debian/patches/CVE-2017-17669.patch 1970-01-01 > 10:00:00.0 +1000 > +++ exiv2-0.23/debian/patches/CVE-2017-17669.patch 2018-02-05 > 17:32:50.0 +1100 
> @@ -0,0 +1,39 @@ > +From 4429b962e10e9f2e905e20b183ba008c616cd366 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= > +Date: Mon, 22 Jan 2018 23:56:08 +0100 > +Subject: [PATCH 1/3] Fix out of bounds read in src/pngchunk_int.cpp by > + @brianmay > + > +- consider that key is advanced by 8 bytes if stripHeader is true > + => length is reduced by same amount > + Fixed by adding offset to the check in the loop > +- Rewrote loop so that keysize is checked before the next > + iteration (preventing an out of bounds read) > +--- > + src/pngchunk_int.cpp | 10 ++ > + 1 file changed, 6 insertions(+), 4 deletions(-) > + > +--- a/src/pngchunk.cpp > b/src/pngchunk.cpp > +@@ -111,15 +111,17 @@ > + { > + // From a tEXt, zTXt, or iTXt chunk, > + // we get the key, it's a null terminated string at the chunk start > +-if (data.size_ <= (stripHeader ? 8 : 0)) throw Error(14); > +-const byte *key = data.pData_ + (stripHeader ? 8 : 0); > ++const int offset = stripHeader ? 8 : 0; > ++if (data.size_ <= offset) throw Error(14); > ++const byte *key = data.pData_ + offset; > + > + // Find null string at end of key. > + int keysize=0; > +-for ( ; key[keysize] != 0 ; keysize++) > ++while (key[keysize] != 0) > + { > ++keysize++; > + // look if keysize is valid. > +-if (keysize >= data.size_) > ++if (keysize+offset >= data.size_) > + throw Error(14); > + } > + > diff -Nru exiv2-0.23/debian/patches/series exiv2-0.23/debian/patches/series > --- exiv2-0.23/debian/patches/series2017-10-26 01:05:29.0 +1100 > +++ exiv2-0.23/debian/patches/series2018-02-05 17:32:07.0 +1100 > @@ -4,3 +4,4 @@ > CVE-2017-11683.patch > some-hardening.patch > CVE-2017-14859_14862_14864.patch > +CVE-2017-17669.patch > > -- > Brian May > -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---
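Review bot: in the debian/changelog hunk, the entry says the fix is in src/pngchunk_int.cpp, but the patch in this upload edits src/pngchunk.cpp (the cover mail notes the file name had to be changed for wheezy); name the wheezy path instead, e.g. `* CVE-2017-17669: Fix out of bounds read in src/pngchunk.cpp.`, so the DLA text matches the file that actually changes in 0.23.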
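Review bot: the CVE-2017-17669.patch hunk keeps the upstream git headers but carries no DEP-3 Origin/Bug-Debian lines and nothing recording that the path was rewritten from src/pngchunk_int.cpp to src/pngchunk.cpp and the upstream test changes dropped; a short header block (Origin: upstream commit 4429b962e10e9f2e905e20b183ba008c616cd366, plus one line on the path change) would keep the backport's provenance reviewable. The loop change itself reads correctly: `if (data.size_ <= offset) throw Error(14);` guarantees key[0] is within the chunk, and because keysize is incremented before the `if (keysize+offset >= data.size_)` test, the next key[keysize] read can no longer run past the end of the data.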
Fwd: simplesamlphp_1.9.2-1+deb7u2_amd64.changes REJECTED
Hi,

I think someone uploaded to master ftp queue. :)

 Forwarded Message 
Subject: simplesamlphp_1.9.2-1+deb7u2_amd64.changes REJECTED
Date: Mon, 05 Feb 2018 12:08:25 +
From: Debian FTP Masters
To: abhij...@openmailbox.org, Abhijith PA, Thijs Kinkhorst

Uploads to oldoldstable-proposed-updates are not accepted.

Mapping wheezy to oldoldstable.
Mapping oldoldstable to oldoldstable-proposed-updates.

===

Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
Upload mailman
Hello.

I prepared an LTS security update for mailman. Debdiff is attached.
link: https://mentors.debian.net/debian/pool/main/m/mailman/mailman_2.1.15-1+deb7u3.dsc

I manually did the following tests for finding regressions.

- Installed my build in a wheezy machine.
- Created and deleted lists
- Subscribed and unsubscribed to/from lists
- Sent a couple of test mails
- Checked archives.

Please upload.

diff -Nru mailman-2.1.15/debian/changelog mailman-2.1.15/debian/changelog
--- mailman-2.1.15/debian/changelog 2016-09-02 00:22:17.0 +0530
+++ mailman-2.1.15/debian/changelog 2018-02-07 08:28:22.0 +0530
@@ -1,3 +1,11 @@ +mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the +web UI in Mailman. (Closes: #888201) + + -- Abhijith PA Wed, 07 Feb 2018 08:28:22 +0530 + mailman (1:2.1.15-1+deb7u2) wheezy-security; urgency=high * CVE-2016-6893: Fix CSRF vulnerability associated in the user options page diff -Nru mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch --- mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch1970-01-01 05:30:00.0 +0530 +++ mailman-2.1.15/debian/patches/94_CVE-2018-5950.patch2018-02-07 08:28:22.0 +0530 
@@ -0,0 +1,58 @@ +Description: Fix CVE-2018-5950 + Fix cross-site scripting (XSS) vulnerability in the web UI which allows + remote attackers to inject arbitrary web script or HTML via a user-options + URL. +Author: Abhijith PA +Origin: https://launchpadlibrarian.net/355686141/options.patch +Bug: https://bugs.launchpad.net/mailman/+bug/1747209 +Bug-Debian: https://bugs.debian.org/888201 +Last-Update: 2018-02-07 + +Index: mailman-2.1.15/Mailman/Cgi/options.py +=== +--- mailman-2.1.15.orig/Mailman/Cgi/options.py mailman-2.1.15/Mailman/Cgi/options.py +@@ -152,20 +152,6 @@ def main(): + doc.set_language(userlang) + i18n.set_language(userlang) + +-# See if this is VARHELP on topics. +-varhelp = None +-if cgidata.has_key('VARHELP'): +-varhelp = cgidata['VARHELP'].value +-elif os.environ.get('QUERY_STRING'): +-# POST methods, even if their actions have a query string, don't get +-# put into FieldStorage's keys :-( +-qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP') +-if qs and type(qs) == types.ListType: +-varhelp = qs[0] +-if varhelp: +-topic_details(mlist, doc, user, cpuser, userlang, varhelp) +-return +- + # Are we processing an unsubscription request from the login screen? + if cgidata.has_key('login-unsub'): + # Because they can't supply a password for unsubscribing, we'll need +@@ -268,6 +254,22 @@ def main(): + # options. The first set of checks does not require the list to be + # locked. + ++# See if this is VARHELP on topics. ++varhelp = None ++if cgidata.has_key('VARHELP'): ++varhelp = cgidata['VARHELP'].value ++elif os.environ.get('QUERY_STRING'): ++# POST methods, even if their actions have a query string, don't get ++# put into FieldStorage's keys :-( ++qs = cgi.parse_qs(os.environ['QUERY_STRING']).get('VARHELP') ++if qs and type(qs) == types.ListType: ++varhelp = qs[0] ++if varhelp: ++# Sanitize the topic name. 
++varhelp = re.sub('<.*', '', varhelp) ++topic_details(mlist, doc, user, cpuser, userlang, varhelp) ++return ++ + if cgidata.has_key('logout'): + print mlist.ZapCookie(mm_cfg.AuthUser, user) + loginpage(mlist, doc, user, language) diff -Nru mailman-2.1.15/debian/patches/series mailman-2.1.15/debian/patches/series --- mailman-2.1.15/debian/patches/series2016-09-02 00:22:45.0 +0530 +++ mailman-2.1.15/debian/patches/series2018-02-07 08:28:22.0 +0530 @@ -12,3 +12,4 @@ 79_archiver_slash.patch 92_CVE-2015-
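Review bot: the 94_CVE-2018-5950.patch hunk adds `re.sub('<.*', '', varhelp)` but nothing in the hunk adds `import re` to Mailman/Cgi/options.py; confirm that module already imports re in 2.1.15, otherwise any request carrying VARHELP fails with a NameError at runtime, and the create/subscribe/archive tests in the cover mail would not have exercised that path. It would also help to say in the Description that the VARHELP block is deliberately moved from line 152 to after line 254 as well as sanitised, since the move is the bulk of the hunk and a later rebase could otherwise treat it as an accidental reorder.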
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Readd krb5 to dla-needed.txt
Markus Koschany writes:
> +krb5
> + NOTE: lts-do-not-call
> +--

What does lts-do-not-call mean?
--
Brian May
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Readd krb5 to dla-needed.txt
On Wednesday 07 February 2018 12:38 PM, Brian May wrote:
> Markus Koschany writes:
>
>> +krb5
>> + NOTE: lts-do-not-call
>> +--
>
> What does lts-do-not-call mean?
>

See security-tracker/data/packages/lts-do-not-call .
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add python2.6, 2.7 and claim 2.7
Abhijith PA writes:
> +python2.6
> +--
> +python2.7 (Abhijith PA)
> +--

Hello,

I see you have claimed Python2.7 but not Python2.6, which both have the same vulnerability. CVE-2018-130

Upstream have decided that this is not a security issue, and it has been marked no-DSA in Jessie and Stretch. https://bugs.python.org/issue31530

Do you have any objections to marking python2.6 and python2.7 as no-DSA in wheezy too?

Regards
--
Brian May
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Readd krb5 to dla-needed.txt
Abhijith PA writes:
> On Wednesday 07 February 2018 12:38 PM, Brian May wrote:
>> Markus Koschany writes:
>>
>>> +krb5
>>> + NOTE: lts-do-not-call
>>> +--
>>
>> What does lts-do-not-call mean?
>>
>
> See security-tracker/data/packages/lts-do-not-call .

krb5 doesn't appear to be in this list?
--
Brian May
Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add python2.6, 2.7 and claim 2.7
Hi,

On Wednesday 07 February 2018 12:54 PM, Brian May wrote:
>
> Hello,
>
> I see you have claimed Python2.7 but not Python2.6, which both have the
> same vulnerability. CVE-2018-130
>
> Upstream have decided that this is not a security issue, and it has been
> marked no-DSA in Jessie and Stretch. https://bugs.python.org/issue31530
>
> Do you have any objections to marking python2.6 and python2.7 as no-DSA
> in wheezy too?
>
> Regards
>

No, I don't have any objection. :)

I tried to reproduce this CVE with the given POC from upstream bug report. But 8 out of 10 I didn't see any. As security team already marked it as no-dsa we can do the same.