Re: [SECURITY] [DLA 3690-1] intel-microcode security update

2023-12-16 Thread StealthMode Hu
We shan't discuss the Fatal Flaw of Electronics.
Nor warnings given decades ago...

However, Debian can never be secured.
No OS can. Nothing Electronic can be secured.
Nothing codependent on Electronics can be secured.

The Golden Rule of Electronics Engineering gets broken all of the time.

You may quote me.

-StealthMode
Spooky Applied Physicist

On Sat, Dec 16, 2023 at 12:33 PM Tobias Frost wrote:

> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3690-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                          Tobias Frost
> December 16, 2023                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
>
> Package: intel-microcode
> Version: 3.20231114.1~deb10u1
> CVE ID : CVE-2023-23583
> Debian Bug : 1055962
>
> Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa
> Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi,
> Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela,
> Doug Kwan, and Kostik Shtoyk discovered that some Intel processors
> mishandle repeated sequences of instructions leading to unexpected
> behavior, which may result in privilege escalation, information
> disclosure or denial of service.
>
> For Debian 10 buster, this problem has been fixed in version
> 3.20231114.1~deb10u1.
>
> We recommend that you upgrade your intel-microcode packages.
>
> For the detailed security status of intel-microcode please refer to
> its security tracker page at:
> https://security-tracker.debian.org/tracker/intel-microcode
>
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
>


Pkg sponsorship needed with LTS upload: curl/7.64.0-4+deb10u8

2023-12-16 Thread Samuel Henrique
Hello Boyuan,

> The fix to this bug is present in Debian Unstable/Testing/Stable/Oldstable
> already.
>
> Looking at https://lts-team.pages.debian.net/wiki/Development.html , it seems
> that only CVE-related bugs or major bugs are actively handled. Now I am
> wondering (1) if the current non-CVE bugfix would qualify for a separate
> package upload in Debian Buster via LTS Team, and (2) if anyone would review
> the changes attached and have it uploaded into the archive.

I'm not affiliated with Freexian, but I've been maintaining curl (with the help
of a few friends).

We've recently created a team for the maintenance of the package and put the
packaging git repo under the debian namespace on salsa.

Feel free to directly push your changes to the debian/buster branch, just leave
the changelog as "UNRELEASED" please, as more changes will be bundled (there's
already a couple of commits there).

I have asked the lts team to push their changes to that repo as well, and last
time I checked it was in sync.

I'm currently going over fixing a CVE for buster, and I think Markus is looking
at a couple too (I'm still yet to reply to his last email to me), so there
shall soon be a new upload on buster.

Thank you for helping,

-- 
Samuel Henrique 



Re: Pkg sponsorship needed with LTS upload: curl/7.64.0-4+deb10u8

2023-12-16 Thread Boyuan Yang
Hi,

On Sat, 2023-12-16 at 17:29 -0300, Samuel Henrique wrote:
> Hello Boyuan,
> 
> > The fix to this bug is present in Debian Unstable/Testing/Stable/Oldstable
> > already.
> > 
> > Looking at https://lts-team.pages.debian.net/wiki/Development.html , it seems
> > that only CVE-related bugs or major bugs are actively handled. Now I am
> > wondering (1) if the current non-CVE bugfix would qualify for a separate
> > package upload in Debian Buster via LTS Team, and (2) if anyone would review
> > the changes attached and have it uploaded into the archive.
> 
> I'm not affiliated with Freexian, but I've been maintaining curl (with the help
> of a few friends).
> 
> We've recently created a team for the maintenance of the package and put the
> packaging git repo under the debian namespace on salsa.
> 
> Feel free to directly push your changes to the debian/buster branch, just leave
> the changelog as "UNRELEASED" please, as more changes will be bundled (there's
> already a couple of commits there).
> 
> I have asked the lts team to push their changes to that repo as well, and last
> time I checked it was in sync.
> 
> I'm currently going over fixing a CVE for buster, and I think Markus is looking
> at a couple too (I'm still yet to reply to his last email to me), so there
> shall soon be a new upload on buster.

I found the current git repo missing curl/7.64.0-4+deb10u7. What do you think?

Anyway my changeset is pushed to the git repo without any d/changelog entries,
and you can find it at:
https://salsa.debian.org/debian/curl/-/commit/3a88731d4a68a2c3a21d1c6745f4795c2f734140

Feel free to make modifications or revise the commit if you find it necessary.

Thanks,
Boyuan Yang




Pkg sponsorship needed with LTS upload: curl/7.64.0-4+deb10u8

2023-12-16 Thread Samuel Henrique
Hello Boyuan,

> I found the current git repo missing curl/7.64.0-4+deb10u7. What do you think?

Someone probably forgot to push the changes there, I did it just now with a
merge commit so we're good.

> Anyway my changeset is pushed to the git repo without any d/changelog entries, and
> you can find it at:
> https://salsa.debian.org/debian/curl/-/commit/3a88731d4a68a2c3a21d1c6745f4795c2f734140
>
> Feel free to make modifications or revise the commit if you find it necessary.

Awesome, thank you.

-- 
Samuel Henrique 



curl: CVE-2023-28322 and CVE-2023-27534

2023-12-16 Thread Samuel Henrique
Hello Markus,

On Thu, 30 Nov 2023 at 06:36, Markus Koschany wrote:
> I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored
> for Buster because I believe those are minor issues. Since you expressed
> interest as the maintainer of curl to fix potential security vulnerabilities, I
> am asking you for your assessment. Are you (or someone else reading the list)
> interested in fixing those CVE?

I have not had time to properly look at this yet, but I agree with not
backporting the dynbuf functions for CVE-2023-27534 (at least from what I've
seen so far).

> My reasoning to ignore CVE-2023-28322 is, it does not affect the command line
> tool and even a use after free is not present in libcurl.

I'm not sure I understand this, I read it as "we are not affected at all" but
you're not explaining why there's no use after free. I haven't reviewed the
code so I wonder if you're talking about something trivial that I'll spot once
I dedicate more time to it.

To give you a rough timeline for changes, my current priorities for curl right
now are to get the fixes for CVE-2023-46218 and CVE-2023-46219 on all affected
releases, fix the ldap issue (#1057855) on unstable, and then come back to
CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).

I appreciate the reach out.

Thank you,

--
Samuel Henrique