Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)
Hi

On 29-08-2019 14:28, Raphael Hertzog wrote:
> (Note: pkg-security@tracker.d.o is not a valid email, dropped)
>
> Hi,
>
> On Thu, 29 Aug 2019, Holger Levsen wrote:
>>> In general, we (Debian) don't have a good answer to this problem and
>>> virtualbox is clearly a bad precedent. We really need to find a solution
>>> to this in concertation with the release managers.
>>
>> so I've added them to this thread.
>>
>> youtube-dl is in the same boat...

Wasn't Pirate already working on a solution? How is that faring? I know it doesn't have all the properties you are seeking, but ...

> To kickstart the discussion, I can try to make a proposal.
>
> 1/ We tag such packages in some way (let's say a new field
> "Backport-Only: yes")
>
> 2/ Those packages are considered like others for testing migration
> but when britney accepts them, instead of adding them to
> "" it adds them to "-backports". Obviously this requires
> britney to consider the combination of both repositories when
> considering migrations. And it will require changes to generate two
> separate output files for dak.
>
> The hardest part is ensuring that testing doesn't contain packages that
> would depend on packages present only in the backports part. Not sure
> we want to handle this directly within britney. It might be better to
> have QA tools for this and report bugs as appropriate.
>
> The good thing is that those applications are then available from day 1 in
> stable-backports after the release.
>
> The backports rules would have to be tweaked a bit to accept backports
> coming out of "-backports". But all those aspects are a
> relatively minor detail IMO.

In the discussion that Pirate had with the backports masters, it was my interpretation that they didn't like it.

Paul
Re: Wheezy update of cacti?
Hi Ola

On 08-11-17 21:21, Ola Lundqvist wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of cacti:
> https://security-tracker.debian.org/tracker/CVE-2017-16641
> https://security-tracker.debian.org/tracker/CVE-2017-16660
> https://security-tracker.debian.org/tracker/CVE-2017-16661
>
> Would you like to take care of this yourself?

I expect (but haven't verified yet) that this is all only concerning buster and sid. Cacti got a major revamp this year. If it concerns Wheezy, I'll let you know, otherwise, I'll update the security tracker. That is, if you don't beat me to it.

When Wheezy is affected and I find time before you do, I may do the Wheezy upload myself. If you beat me to it, can you push your changes to the git archive?

Paul
Re: Bug#881110: cacti: CVE-2017-16641: arbitrary execution of os commands via path_rrdtool parameter in an action=save request
Control: found 881110 0.8.8a+dfsg-5+deb7u10

On 07-11-17 22:17, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed, only did
> check unstable's version for now source-wise.

All versions in Debian are affected. Unfortunately the upstream commit contains many unneeded changes to fix the issue. Additionally, for pre-buster fixes, the code in settings.php is seriously different.

Paul
Re: Wheezy update of cacti?
Hi Ola,

On 11/13/17 20:15, Ola Lundqvist wrote:
> You are right two of the issues are not an issue in wheezy. I have
> marked them accordingly. However one remains. I did not find time to
> look through the last one.

I have already looked at that, it is present. But please see my comments in bug 881110¹ about how to treat it. I have, in the process of this, also filed bug 1072² upstream (about CVE-2009-4112). I think that until there is a patch for CVE-2009-4112, one can ignore fixing CVE-2017-16641. However, please read the upstream bug 1072 about the potential progress.

Paul

¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881110
² https://github.com/Cacti/cacti/issues/1072
Fwd: cacti security update
Hi all,

On 5 July, I sent the attached security update to the announce list. It seems to have never reached that list. Could somebody enlighten me and tell me what I did wrong?

Paul

--- Begin Message ---
Package: cacti
Version: 0.8.7g-1+squeeze4
CVE ID : CVE-2014-2326 CVE-2014-2327 CVE-2014-2328 CVE-2014-2708 CVE-2014-2709 CVE-2014-4002
Debian Bug : 742768 743565 752573

Multiple security issues (cross-site scripting, cross-site request forgery, SQL injections, missing input sanitising) have been found in Cacti, a web frontend for RRDTool.
--- End Message ---
Re: [debian-lts] file package
Hi LTS list,

On 19-02-15 08:38, Christoph Biedl wrote:
> Thanks for that, given the past experiences with regressions
> introduced in file updates I'd really like to keep an eye on it.

Just an idea, couldn't we track somewhere which maintainers have expressed their ideas about LTS? I.e. it should be easy to look up if a maintainer (-team):
- doesn't want to be bothered about LTS at all
- in principle wants to take care himself
- wants to be involved in the process of updates

I am lurking on this list as the maintainer of several packages (mainly Cacti for LTS). So far I have no intent to do more for LTS, but I do want to be involved with all the packages that I actively (co-)maintain.

Paul
cacti 0.8.7g-1+squeeze6
Hi all, I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully). However, due to differences in the mysql version I am not able to test the changes easily myself. I will try to upload the package to some location for testing before, but at this moment I can't find how I can put stuff on e.g. people.debian.org (it must be somewhere in the documentation). Debdiff attached, package builds correctly. Paul diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog --- cacti-0.8.7g/debian/changelog +++ cacti-0.8.7g/debian/changelog @@ -1,3 +1,19 @@ +cacti (0.8.7g-1+squeeze6) squeeze-lts; urgency=high + + * Security update +- CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti + before 0.8.8d allows remote attackers to inject arbitrary web script + or HTML via unspecified vectors. +- CVE-2015-4342 SQL Injection and Location header injection from cdef + id +- CVE-2015-4454 SQL injection vulnerability in the + get_hash_graph_template function in lib/functions.php in Cacti before + 0.8.8d allows remote attackers to execute arbitrary SQL commands via + the graph_template_id parameter to graph_templates.php. +- Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540 + + -- Paul Gevers Tue, 23 Jun 2015 21:22:55 +0200 + cacti (0.8.7g-1+squeeze5) squeeze-lts; urgency=high * Fix regression caused by fixing CVE-2014-4002 at least plugin autom8 diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series --- cacti-0.8.7g/debian/patches/series +++ cacti-0.8.7g/debian/patches/series @@ -22,0 +23,4 @@ +CVE-2015-2665_XSS_in_graphs.php.patch +CVE-2015-4342_SQL_injection_in_cdef.php.patch +CVE-2015-4454_SQL_injection_in_get_hash_graph_template.patch +CVE-2015-_SQL_injection_in_tab.patch only in patch2: unchanged: --- cacti-0.8.7g.orig/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-2665_XSS_in_graphs.php.patch 
@@ -0,0 +1,18 @@ +Description: CVE-2015-2665 Cross-site scripting (XSS) vulnerability in Cacti + before 0.8.8d allows remote attackers to inject arbitrary web script + or HTML via unspecified vectors. +Source: http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch + +Index: cacti/graphs.php +=== +--- cacti.orig/graphs.php cacti/graphs.php +@@ -1325,7 +1325,7 @@ function graph() { + /* we're escaping strings here, so no need to escape them on form_selectable_cell */ + $template_name = ((empty($graph["name"])) ? "None" : htmlspecialchars($graph["name"])); + form_alternate_row_color($colors["alternate"], $colors["light"], $i, 'line' . $graph["local_graph_id"]); $i++; +- form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "", $graph["local_graph_id"]); ++ form_selectable_cell("" . ((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1", title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) : title_trim(htmlspecialchars($graph["title_cache"]), read_config_option("max_title_graph"))) . "", $graph["local_graph_id"]); + form_selectable_cell($graph["local_graph_id"], $graph["local_graph_id"]); + form_selectable_cell(((get_request_var_request("filter") != "") ? eregi_replace("(" . preg_quote(get_request_var_request("filter")) . ")", "\\1", $template_name) : $template_name), $graph["local_graph_id"]); + form_selectable_cell($graph["height"] . "x" . 
$graph["width"], $graph["local_graph_id"]); only in patch2: unchanged: --- cacti-0.8.7g.orig/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-4342_SQL_injection_in_cdef.php.patch @@ -0,0 +1,39 @@ +Description: CVE-2015-4342 SQL Injection and Location header injection + from cdef id +Bug: http://bugs.cacti.net/view.php?id=2571 +Source: http://svn.cacti.net/viewvc?view=rev&revision=7719 + +Index: cacti/lib/functions.php +===
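Review bot: in the CVE-2015-2665 hunk the removed and added form_selectable_cell(...) lines read identically as shown here, so the actual change (whatever the upstream revision substitutes for the "\\1" back-reference passed to eregi_replace) has been lost somewhere between the patch file and this mail; before applying, regenerate the patch from the URL in the Source: field (http://svn.cacti.net/viewvc/cacti/tags/0.8.8d/graphs.php?r1=7716&r2=7717&view=patch) and confirm the "-" and "+" lines really differ in that argument. Note that the title is already run through htmlspecialchars() before eregi_replace() in both versions, so the fix hinges entirely on the replacement string, not on the escaping.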
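Review bot: the series hunk adds CVE-2015-_SQL_injection_in_tab.patch with an empty CVE number embedded in the file name, mirroring the "Unassigned CVE SQL injection VN:JVN#78187936 / TN:JPCERT#98968540" changelog entry; name the patch after the advisory id it does have (for example JVN-78187936_SQL_injection_in_tab.patch) or a purely descriptive name, and rename it once a CVE is assigned, otherwise the placeholder is carried into every later debdiff and the DLA text.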
Re: cacti 0.8.7g-1+squeeze6
Hi all,

On 25-06-15 22:50, Paul Gevers wrote:
> Hi all,
>
> I intend to upload cacti 0.8.7g-1+squeeze6 soon (tomorrow, hopefully).
> However, due to differences in the mysql version I am not able to test
> the changes easily myself. I will try to upload the package to some
> location for testing before, but at this moment I can't find how I can
> put stuff on e.g. people.debian.org (it must be somewhere in the
> documentation).

Test package should now be available from my test repository:

deb https://people.debian.org/~elbrus/debian squeeze-lts/

I would appreciate it when somebody could at least verify that after installing the cacti package and going through the install windows (3) at http://localhost/cacti/ (initial username/password combo is admin/admin) nothing weird happens when you hit "Save" on
http://localhost/cacti/graphs.php?action=graph_edit&id=1
http://localhost/cacti/cdef.php?action=edit&id=4
http://localhost/cacti/cdef.php?action=item_edit&id=13&cdef_id=4
http://localhost/cacti/graph_templates.php?action=template_edit&id=18

And nothing weird happens if you switch tabs on:
http://localhost/cacti/settings.php?tab=poller

Paul
Re: squeeze update of cacti?
Hi,

On 16-07-15 20:40, Ben Hutchings wrote:
> Would you like to take care of this yourself?

Yes. There are probably more CVEs involved, although they are not assigned yet. I am already communicating with the security team about this.

Paul
Re: Accepted cacti 0.8.7g-1+squeeze8 (source all) into squeeze-lts
On 20-07-15 15:58, Raphael Hertzog wrote:
> Don't forget to send a DLA mail to debian-lts-annou...@lists.debian.org.

I didn't.

> If you did so already, then it did not get through.

Indeed. I thought I checked after the first e-mail, but apparently that was only a thought-experiment.

Paul
Re: Testing mysql-5.5 on squeeze
Hi all,

I am not really going to do any of this work for mysql-5.5, but...

On 30-10-15 17:11, Raphael Hertzog wrote:
> And this gives more ideas of things to verify: test install all packages
> depending on dbconfig-common and offering mysql support.

If there are any questions related to what dbconfig-common does or should do (and possible issues with how packages use dbconfig-common), please ask. I took over maintenance last year and know (or should) now quite a lot of its internals. I already experienced bug reports where the blame was on (changes in) dbconfig-common, but the package calling it was actually doing it wrong. Also, I fixed quite some issues, maybe it helps to backport some for this endeavor (although there isn't one that comes straight to mind).

Paul
Re: squeeze update of dbconfig-common?
Hi

On 25-11-15 22:19, Ben Hutchings wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of dbconfig-common:
> https://security-tracker.debian.org/tracker/TEMP-0805638-5AC56F

Oh, I didn't know they made an issue out of it.

> Would you like to take care of this yourself?

Yes. I am already talking to SRM on how to proceed for wheezy and jessie as the security team didn't consider this severe enough for a DSA. I am discussing if I am allowed to fix the already existing permissions in the same go. I like to have one solution for all releases.

> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development

If you can already quickly add my name to the right file now, I will do the rest when I have my answers ready.

Paul
Re: cacti, mysql-5.5 and squeeze-lts
Hi Santiago,

On 27-11-15 08:53, Santiago Ruano Rincón wrote:
> Paul, you have suggested the changes to be made on cacti to make it
> compatible with mysql-5.5. Paul or Mahyuddin, would you like to provide
> a package with those changes for squeeze-lts? If that is not the case, I
> could take care of it.

I would appreciate it when you can do the investigation to come to a proper solution as you probably have a working setup with both versions installed and I really think this is too much work for me right now. Once you have defined the solution, I can do the uploading of my own packages.

The problem here: I don't know the details of the change in MySQL regarding TYPE= vs ENGINE=, but I would expect that packages probably still need or want to declare the db engine type. If this is true then the solution is going to be rather involved as the packages probably need some intelligence to detect which version of MySQL is running (on the server side) before it knows which command to call. For cacti, this is fully delegated to dbconfig-common (of which I am now the maintainer and upstream as well). As said, I don't see how to do this trivially, as you have to detect what version is on the MySQL server, i.e. not necessarily on the host where you are installing the package.

Now that I think about it, this is probably something that needs fixing in dbconfig-common anyways and as it was never reported as an issue it probably means that hardly anybody is actually using the functionality from dbconfig-common to use packages this way (or they fix it manually and don't bother to report the issue).

If declaring the engine is really not needed, the fix is trivial and I will update cacti. If declaring the engine is needed, I ask you to figure out how dbconfig-common should be patched to allow this detection as it is not my priority to fix this now. After that I will update both dbconfig-common and cacti.

Paul

P.s. I will drop Mahyuddin from my next response if he doesn't answer, because I haven't heard from him since I took over maintenance of cacti.
Re: cacti, mysql-5.5 and squeeze-lts
Hi Santiago

[Dropping Mahyuddin from CC as promised]

On 30-11-15 10:11, Santiago Ruano Rincón wrote:
> Well, I have installed cacti from the attached debdiff and available at
> my personal repo [1].

I think there are some spurious changes that you included this way. I.e. adding new fields to the database, that isn't needed (and shouldn't be added because it may impact future upgrades to newer cacti versions) for this lts fix.

> I have used both mysql-5.1 and mysql-5.5 and it
> seems to work well.

So you confirm that the new ENGINE syntax is already supported in mysql-5.1?

> I have also tested upgrading from 5.1 to 5.5, but
> AFAIU, the error is related to table creation.

Is that with the old cacti, or with your patched cacti? Could you share the error here?

> Is there any reason why cacti needs the MyISAM engine? I suppose that if
> you don't declare it, mysql will use the default engine.

The honest answer is, I don't know. I can't oversee the implications of not setting it and using the default, whatever that is. One thing I could come up with is that some engines support transactions and others don't. Not sure which one is which and if cacti needs them. The other packages that you need to update may use transactions, so they can't rely on the default being correct I guess, and for sure some used another engine than MyISAM.

Paul
Re: cacti, mysql-5.5 and squeeze-lts
Hi Santiago,

On 30-11-15 21:36, Santiago Ruano Rincón wrote:
> On 30/11/15 at 19:56, Paul Gevers wrote:
>> So you confirm that the new ENGINE syntax is already supported in mysql-5.1?
>
> Yes. Confirmed by MySQL documentation

Yeah, great. Then there is no issue at all with updating only cacti, instead of requiring all kind of tweaks to dbconfig-common.

> So, without further research, I wouldn't omit the engine declaration.
> The current issue is trivial and I think we can upload.

Agree. And just to be sure, if one installed cacti on mysql-5.1 and mysql is updated to 5.5, everything goes well automatically, right?

Please just upload the debdiff that you had attached after fixing the distribution ;)

Paul
Re: squeeze update of cacti?
Hi

On 11-12-15 10:50, Guido Günther wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of cacti:
> https://security-tracker.debian.org/tracker/CVE-2015-8369

Me too, but upstream hasn't even released a fix yet.

> Would you like to take care of this yourself?

Once there is a fix, yes, although I don't know about my availability, so I don't mind if the lts project takes care of it.

So how to go from here? Of course it would be great if the lts project could even help upstream and the regular unstable/jessie/wheezy users by doing the actual work, i.e. come up with a patch. I am not sure if you think this is within scope of lts. Once the fix is made available, it should of course go to all affected, including lts.

Paul
Re: squeeze update of cacti?
Hi Chris,

On 11-12-15 15:23, Chris Lamb wrote:
>>>> Would you like to take care of this yourself?
>>>
>>> Once there is a fix, yes, although I don't know about my availability,
>>> so I don't mind if the lts project takes care of it.
>
> I was actually going to have a look at this this evening and -- if it's
> sensible -- push a patch upstream.

Please don't, upstream already has a patch in SVN¹, but didn't mark the bug (I just did).

Paul

¹ http://svn.cacti.net/viewvc?view=rev&revision=7767
Re: squeeze update of cacti?
Hi all, On 12-12-15 13:41, Paul Gevers wrote: > Please don't, upstream already has a patch in SVN¹, but didn't mark the > bug (I just did). Please find attached the debdiff that I could come up with from my work on sid, jessie and wheezy. It isn't tested yet (I don't have a suitable setup for that) so I appreciate it if somebody could check the patch doesn't break graph.php. Paul diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog --- cacti-0.8.7g/debian/changelog +++ cacti-0.8.7g/debian/changelog @@ -1,3 +1,10 @@ +cacti (0.8.7g-1+squeeze10) squeeze-lts; urgency=high + + * Add upstream patch to fix (Closes: #807599) +- CVE-2015-8369 SQL Injection vulnerability in graph.php + + -- Paul Gevers Sun, 13 Dec 2015 20:48:52 +0100 + cacti (0.8.7g-1+squeeze9) squeeze-lts; urgency=high * Non-maintainer upload by the Squeeze LTS Team. diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series --- cacti-0.8.7g/debian/patches/series +++ cacti-0.8.7g/debian/patches/series @@ -28,0 +29 @@ +CVE-2015-8369_sql_injection_in_graph.php.patch only in patch2: unchanged: --- cacti-0.8.7g.orig/debian/patches/CVE-2015-8369_sql_injection_in_graph.php.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-8369_sql_injection_in_graph.php.patch 
@@ -0,0 +1,206 @@ +From 1d85f9ab30af9558eb1da3a3c73a2551e08ec1ee Mon Sep 17 00:00:00 2001 +From: cigamit +Date: Sat, 28 Nov 2015 20:08:16 + +Subject: [PATCH] -bug:0002646: SQL injection in graph.php + +git-svn-id: svn://svn.cacti.net/cacti/cacti@7767 860744bd-22fc-0310-8c96-e9fe5004b5ca +--- + tags/0.8.8g/graph.php| 78 + tags/0.8.8g/include/top_graph_header.php | 4 +- + 3 files changed, 42 insertions(+), 41 deletions(-) + +Index: cacti/graph.php +=== +--- cacti.orig/graph.php cacti/graph.php +@@ -27,45 +27,45 @@ if (!isset($_REQUEST["action"])) { $_REQ + if (!isset($_REQUEST["view_type"])) { $_REQUEST["view_type"] = ""; } + + $guest_account = true; ++/* = input validation = */ ++input_validate_input_regex(get_request_var_request("rra_id"), "^([0-9]+|all)$"); ++input_validate_input_number(get_request_var_request("local_graph_id")); ++input_validate_input_number(get_request_var_request("graph_end")); ++input_validate_input_number(get_request_var_request("graph_start")); ++input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); ++/* */ ++ + include("./include/auth.php"); + include_once("./lib/rrd.php"); + include_once("./lib/html_tree.php"); + include_once("./include/top_graph_header.php"); + +-/* = input validation = */ +-input_validate_input_regex(get_request_var("rra_id"), "^([0-9]+|all)$"); +-input_validate_input_number(get_request_var("local_graph_id")); +-input_validate_input_number(get_request_var("graph_end")); +-input_validate_input_number(get_request_var("graph_start")); +-input_validate_input_regex(get_request_var_request("view_type"), "^([a-zA-Z0-9]+)$"); +-/* */ +- +-if (!isset($_GET['rra_id'])) { +- $_GET['rra_id'] = 'all'; ++if (!isset($_REQUEST['rra_id'])) { ++ $_REQUEST['rra_id'] = 'all'; + } + +-if ($_GET["rra_id"] == "all") { ++if ($_REQUEST["rra_id"] == "all") { + $sql_where = " where id is not null"; + }else{ +- $sql_where = " where id=" . $_GET["rra_id"]; ++ $sql_where = " where id=" . 
$_REQUEST["rra_id"]; + } + + /* make sure the graph requested exists (sanity) */ +-if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_GET["local_graph_id"]))) { ++if (!(db_fetch_cell("select local_graph_id from graph_templates_graph where local_graph_id=" . $_REQUEST["local_graph_id"]))) { + print "GRAPH DOES NOT EXIST"; exit; + } + + /* take graph permissions into account here, if the user does not have permission + give an "access denied" message */ + if (read_config_option("auth_method") != 0) { +- $access_denied = !(is_graph_allowed($_GET["local_graph_id"])); ++ $access_denied = !(is_graph_allowed($_REQUEST["local_graph_id"])); + + if ($access_denied == true) { + print "ACCESS DEN
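Review bot: the input-validation block is moved above include("./include/auth.php") and switched from get_request_var() to get_request_var_request(), while the SQL further down still concatenates the raw superglobal ("where id=" . $_REQUEST["rra_id"] and "where local_graph_id=" . $_REQUEST["local_graph_id"]); the hunk is therefore only safe if (a) input_validate_input_regex() and input_validate_input_number() are already defined by line 27 of graph.php in 0.8.7g, i.e. lib/functions.php is included before auth.php, and (b) those helpers abort the request on a mismatch rather than just logging it. Neither fact is visible in the hunk context, so both should be confirmed on a squeeze checkout before upload, which is exactly the "does it break graph.php" test Paul asks for. Minor: the commit stat says "3 files changed" but lists only graph.php and include/top_graph_header.php, so this is a trimmed copy of upstream r7767 rather than the verbatim commit; worth saying so in the patch header.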
Re: squeeze update of cacti?
Hi Chris,

On 14-12-15 11:32, Chris Lamb wrote:
>>> Please don't, upstream already has a patch in SVN¹, but didn't mark the
>>> bug (I just did).
>>
>> Please find attached the debdiff that I could come up with from my work
>> on sid, jessie and wheezy. It isn't tested yet (I don't have a suitable
>> setup for that) so I appreciate it if somebody could check the patch
>> doesn't break graph.php.
>
> Just to clarify what's needed here - are you part of Debian LTS?

What a difficult question to answer straight. Yes and no. Yes, I lurk on this e-mail list, yes, I have the intention to take care of "my" own packages as said multiple times on this list. But no, I don't get paid, no, I don't promise any "timely" response, and no, I don't intend to take up other packages.

> Or rather; am just checking as I "took" this package in
> data/dla-needed.txt to prepare an upload and don't want to duplicate
> work/announcements, etc.

Yes, I know of the WoW, but due to the time commitment, I decided not to claim the issue myself. I also have difficulties with testing the package in a wheezy setup. But I did just upload to wheezy and jessie, so providing a debdiff against wheezy was the obvious thing to do.

> Either way is fine, just let me know :)

So, if you can check and test my debdiff you can upload and announce if you are satisfied with it. If you have concerns, I propose we discuss it here, because it may be relevant for the security uploads to sid/jessie/wheezy as well. Of course you can upload any package any time, if you feel it should be done regardless of my input.

Paul
Re: squeeze update of cacti?
Hi Chris,

On 15-12-15 15:11, Chris Lamb wrote:
>>> Just to clarify what's needed here - are you part of Debian LTS?
>>
>> What a difficult question to answer straight. Yes and no. Yes, I lurk on
>> this e-mail list, yes, I have the intention to take care of "my" own
>> packages as said multiple times on this list.
>
> Oh, I didn't mean to put you in a difficult position - am fairly
> "new" so haven't seen you on the list before. I also didn't mean to
> imply anything negative, I just didn't want either of us to do
> unnecessary duplicated work. :)

No worries.

>> So, if you can check and test my debdiff you can upload and announce if
>> you are satisfied with it
>
> Looks good, at least by eye. However, Buxy pointed me towards a
> supplementary CVE-2015-8377
> (http://seclists.org/fulldisclosure/2015/Dec/att-57/cacti_sqli%281%29.txt)
> - we should probably test and upload these at the same time.

Yes, but no fix exists yet that I am aware of. I don't have the time to investigate myself on the short term.

Paul
Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts
Hi Chris,

On 04-01-16 13:20, Chris Lamb wrote:
> cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high
> .
>   * Correct yet another regression in patch for CVE-2015-8369, introduced in
>     0.8.7g-1+squeeze9+deb6u12. Thanks to Marcel Meckel
>     (Closes: #809260, #807599)

Apart from your weird continuation of the squeeze version numbers ;), thanks a lot for the cacti updates in lts.

Would you mind sharing your fix for CVE-2015-8377 also with the rest of the world, i.e. add a patch to the cacti bug tracker (be it in bug 2652¹ if it really is the same, or in a new bug if bug 2652 is not the same and not fixed by your patch)? To be honest, I would have expected you would have shared your fix somewhere, e.g. also in a regular bug against cacti such that the (old)stable releases could more easily see/use the patch.

The patch looks extremely simple. Could you help me by telling how you tested the patch?

Paul

¹ http://bugs.cacti.net/view.php?id=2652
Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts
Hi Chris,

On 05-01-16 00:23, Chris Lamb wrote:
>> To be honest, I would have expected you would have shared your fix
>> somewhere, e.g. also in a regular bug against cacti such that the
>> (old)stable releases could more easily see/use the patch.
>
> I will happily add it to your bug tracker as requested. I did not
> proactively send it upstream as it was simple and based on work that
> was already being distributed;

I was not able to find this work you based it on, but sure it is simple. I filed bug 2655¹ upstream with your patch attached, so that they are aware of your work. I will update the Debian security archive with this info shortly.

> I made the assumption that you would either not care or you had seen
> exactly what I had done.

It is true that I saw it, but others may not.

Paul

¹ http://bugs.cacti.net/view.php?id=2655
Re: another squeeze cacti update?
Hi LTS maintainers, On 05-01-16 20:55, Antoine Beaupré wrote: > Cacti still shows up in the list of opened issues in squeeze... Are you > going to take care of CVE-2015-8604 next? Apart from CVE-2015-8604, which I have a (attached) patch ready for upload to sid, I also consider the patch for CVE-2015-8377 incomplete (where should this actually be reported, bts?). The vulnerable variable is a 3D array and both runs of "each" should be checked. Unfortunately the upstream bug tracker is down now, but I will update the patch there. please find it attached as well (line numbers may not be for squeeze). After I take care of wheezy and jessie debdiff's I can take care of this in squeeze myself, but I don't mind if somebody beats me to it. But please use the attached patches or discuss why they are not good enough. Paul Description: SQL injection vulnerability in the host_new_graphs_save function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. Author: Chris Lamb and Paul Gevers Bug: http://bugs.cacti.net/view.php?id=2655 Index: cacti/graphs_new.php === --- cacti.orig/graphs_new.php +++ cacti/graphs_new.php 
@@ -183,11 +183,17 @@ function host_new_graphs_save() { while (list($form_id1, $form_array2) = each($form_array)) { /* enumerate information from the arrays stored in post variables */ + /* = input validation = */ + input_validate_input_number($form_id1); + /* */ if ($form_type == "cg") { $graph_template_id = $form_id1; }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { $snmp_index_array = $form_array3; + /* = input validation = */ + input_validate_input_number($form_id2); + /* */ $snmp_query_array["snmp_query_id"] = $form_id1; $snmp_query_array["snmp_index_on"] = get_best_data_query_index_type($_POST["host_id"], $form_id1); Description: SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted serialized data in the selected_graphs_array parameter in a save action. Author: Paul Gevers Bug: http://bugs.cacti.net/view.php?id=2652 Index: cacti/graphs_new.php === --- cacti.orig/graphs_new.php +++ cacti/graphs_new.php @@ -252,6 +252,9 @@ function host_new_graphs($host_id, $host while (list($form_type, $form_array) = each($selected_graphs_array)) { while (list($form_id1, $form_array2) = each($form_array)) { +/* = input validation = */ +input_validate_input_number($form_id1); +/* */ if ($form_type == "cg") { $graph_template_id = $form_id1; @@ -260,6 +263,7 @@ function host_new_graphs($host_id, $host while (list($form_id2, $form_array3) = each($form_array2)) { /* = input validation = */ input_validate_input_number($snmp_query_id); + input_validate_input_number($form_id2); /* */ $snmp_query_id = $form_id1; signature.asc Description: OpenPGP digital signature
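Review bot: in the host_new_graphs_save() hunk the two added input_validate_input_number() calls cover $form_id1 and $form_id2, which is the point of the improved fix, but the trailing context line still passes $_POST["host_id"] straight into get_best_data_query_index_type() and nothing in this hunk validates that value; confirm it is checked in the function's own validation block at the top (not in the visible context) before treating graphs_new.php as fully covered, and mention in the patch header that the two checks go on the keys produced by each(), since that is what a later reader will otherwise miss.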
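Review bot: in the second host_new_graphs() hunk the pre-existing line input_validate_input_number($snmp_query_id); sits before the assignment $snmp_query_id = $form_id1; that follows it, so on the first pass through the inner loop it validates a stale or unset variable rather than the key about to be used in SQL; the new $form_id1 check added in the first hunk is what actually closes that gap. Either move the $snmp_query_id check below the assignment or drop it as now redundant, so nobody reads it as coverage of the inner loop; the added $form_id2 check itself is correctly placed.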
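Paul's point above that the variable is a nested array and that "both runs of each should be checked", shown as an added example. This is not Cacti's code and not part of the thread: it walks a selected_graphs_array shaped like the one host_new_graphs_save() iterates, with validate_input_number() as a simplified stand-in for Cacti's input_validate_input_number() that throws instead of aborting the request. The table and column names in the generated SQL, and the two inputs at the bottom, are constructed for the example.

```php
<?php
// Added example, not Cacti's code: validate both key levels of the nested
// selected_graphs_array before either key is concatenated into SQL.
// validate_input_number() is a simplified stand-in for Cacti's
// input_validate_input_number(); the real helper aborts the request, this
// one throws so the rejection can be observed by the caller.
function validate_input_number($value)
{
    if (!is_scalar($value) || !preg_match('/^[0-9]+$/', (string) $value)) {
        throw new InvalidArgumentException(
            'non-numeric value rejected: ' . var_export($value, true));
    }
    return (int) $value;
}

// Walks the array the same way host_new_graphs_save() does: the outer key is
// the form type ("cg" or "sg"), the next key is a template or query id, and
// for "sg" a third level is keyed by a graph id. Returns the SQL that would
// be issued. Table and column names are constructed for the example.
function build_graph_queries(array $selected_graphs_array)
{
    $queries = array();
    foreach ($selected_graphs_array as $form_type => $form_array) {
        // $form_type is only compared with string literals, never put in SQL.
        foreach ($form_array as $form_id1 => $form_array2) {
            // First run of the loop: validate before either branch uses the key.
            $id1 = validate_input_number($form_id1);
            if ($form_type == 'cg') {
                $queries[] = 'SELECT id FROM graph_templates WHERE id=' . $id1;
            } elseif ($form_type == 'sg') {
                foreach ($form_array2 as $form_id2 => $snmp_index_array) {
                    // Second run: the inner key reaches SQL too, so it needs
                    // the same check (the part the first fix left out).
                    $id2 = validate_input_number($form_id2);
                    $queries[] = 'SELECT id FROM snmp_query_graph WHERE snmp_query_id='
                        . $id1 . ' AND id=' . $id2;
                }
            }
        }
    }
    return $queries;
}

// Constructed inputs. In Cacti the array arrives via unserialize() of a POST
// field, so every key is user-controlled and PHP keeps non-numeric keys as
// strings; that is why the keys, not just the values, need validating.
$well_formed = array(
    'cg' => array(12 => 'on'),
    'sg' => array(3 => array(7 => array('eth0'), 8 => array('eth1'))),
);
print_r(build_graph_queries($well_formed));

$malformed = array('sg' => array(3 => array('7 OR 1=1' => array('eth0'))));
try {
    build_graph_queries($malformed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With the well-formed input the function returns three SELECT statements built only from integers; with the malformed input the inner key never reaches string concatenation because the second validate_input_number() call rejects it, which is the behaviour the second check in the patch is there to guarantee.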
Re: another squeeze cacti update?
Hi all, On 09-01-16 13:45, Paul Gevers wrote: > After I take care of wheezy and jessie debdiff's I can take care of this > in squeeze myself, but I don't mind if somebody beats me to it. But > please use the attached patches or discuss why they are not good enough. Please find attached my proposal for squeeze. I would appreciate it when someone looks over the debdiff and comments. Ideally someone with a setup to actually quickly run the package. Paul diff -u cacti-0.8.7g/debian/changelog cacti-0.8.7g/debian/changelog --- cacti-0.8.7g/debian/changelog +++ cacti-0.8.7g/debian/changelog @@ -1,3 +1,12 @@ +cacti (0.8.7g-1+squeeze9+deb6u14) squeeze-lts; urgency=medium + + * CVE-2015-8377: Improve fix for SQL injection vulnerability in +graphs_new.php where a second instance of the variable wasn't checked +in the original fix + * CVE-2015-8604: Fix SQL injection vulnerability in graphs_new.php + + -- Paul Gevers Sun, 10 Jan 2016 20:51:51 +0100 + cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high * Correct yet another regression in patch for CVE-2015-8369, introduced in diff -u cacti-0.8.7g/debian/patches/series cacti-0.8.7g/debian/patches/series --- cacti-0.8.7g/debian/patches/series +++ cacti-0.8.7g/debian/patches/series @@ -30,0 +31 @@ +CVE-2015-8604-sql-injection-in-graphs_new.patch diff -u cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch --- cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-8377-sql-injection-in-graph-php-host_new_graphs_save.patch 
@@ -1,6 +1,22 @@ cacti-0.8.7g.orig/graphs_new.php -+++ cacti-0.8.7g/graphs_new.php -@@ -183,6 +183,9 @@ function host_new_graphs_save() { +Description: SQL injection vulnerability in the host_new_graphs_save function + in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users + to execute arbitrary SQL commands via crafted serialized data in the + selected_graphs_array parameter in a save action. +Author: Chris Lamb and Paul Gevers +Bug: http://bugs.cacti.net/view.php?id=2655 +Index: cacti/graphs_new.php +=== +--- cacti.orig/graphs_new.php cacti/graphs_new.php +@@ -178,11 +178,17 @@ function host_new_graphs_save() { + + while (list($form_id1, $form_array2) = each($form_array)) { + /* enumerate information from the arrays stored in post variables */ ++ /* = input validation = */ ++ input_validate_input_number($form_id1); ++ /* */ + if ($form_type == "cg") { + $graph_template_id = $form_id1; }elseif ($form_type == "sg") { while (list($form_id2, $form_array3) = each($form_array2)) { $snmp_index_array = $form_array3; only in patch2: unchanged: --- cacti-0.8.7g.orig/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch +++ cacti-0.8.7g/debian/patches/CVE-2015-8604-sql-injection-in-graphs_new.patch 
@@ -0,0 +1,28 @@ +Description: SQL injection vulnerability in the host_new_graphs function in + graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users + to execute arbitrary SQL commands via crafted serialized data in the + selected_graphs_array parameter in a save action. +Author: Paul Gevers +Bug: http://bugs.cacti.net/view.php?id=2652 +Index: cacti/graphs_new.php +=== +--- cacti.orig/graphs_new.php cacti/graphs_new.php +@@ -249,6 +249,9 @@ function host_new_graphs($host_id, $host + + while (list($form_type, $form_array) = each($selected_graphs_array)) { + while (list($form_id1, $form_array2) = each($form_array)) { ++/* = input validation = */ ++input_validate_input_number($form_id1); ++/* */ + if ($form_type == "cg") { + $graph_template_id = $form_id1; + +@@ -257,6 +260,7 @@ function host_new_graphs($host_id, $host + while (list($form_id2, $form_array3) = each($form_array2)) { + /* = input validation = */ + input_validate_input_number($snmp_query_id); ++
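Review bot: the refreshed CVE-2015-8377 patch changes its hunk header from `@@ -183,6 +183,9 @@` to `@@ -178,11 +178,17 @@`, i.e. six added lines instead of three, which matches the changelog claim that the `$form_id2` instance was not checked in the original fix; the quoted debdiff only shows the `$form_id1` block, so whoever has the full patch file should confirm that the second `input_validate_input_number($form_id2);` block sits inside `while (list($form_id2, $form_array3) = each($form_array2))` before `$form_id2` is used, as it does in the wheezy version of the patch.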
Fwd: [SECURITY] [DLA 381-1] dbconfig-common security update
Hi,

Just in case my message doesn't get through to the announce list, below is the message I sent 15 minutes ago. I would appreciate it if somebody resends it when it takes too long.

Paul

Forwarded Message
Subject: [SECURITY] [DLA 381-1] dbconfig-common security update
Date: Fri, 15 Jan 2016 14:07:39 +0100
From: Paul Gevers
To: debian-lts-annou...@lists.debian.org

Package: dbconfig-common
Version: 1.8.46+squeeze.1
CVE ID : NA
Debian Bug : 805638

It was discovered that dbconfig-common could, depending on the local umask, make PostgreSQL database backups that were readable by other users than the database owner. The issue is fixed in version 1.8.46+squeeze.1. Access rights to existing database backups (not only for PostgreSQL) will be limited to the owner of the backup during the upgrade of dbconfig-common to this version. Future upgrades will not change access rights in case the local administrator has specific requirements.

dbconfig-common is a Debian helper package that is used by a number of packages to manage the corresponding database.
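The umask dependence described in this advisory, as an added example that is not dbconfig-common's own code: a stand-in for pg_dump writes a constructed dump, first with whatever umask the caller happens to have and then under a forced `umask 077`, and a cleanup routine tightens already-written backups to owner-only in the way the advisory says the upgrade does for existing backups. The dump stand-in, the file names and the working directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not dbconfig-common's own code. It shows why a backup's mode
# depends on the caller's umask, how forcing the umask around the dump avoids
# the leak, and how to tighten backups that were already written too openly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for pg_dump (an assumption for this example): writes a constructed
# dump into the file named by $1 and inherits the caller's umask, just as a
# real "pg_dump > file" redirection would.
fake_pg_dump() {
    printf 'CREATE TABLE t (id int);\nINSERT INTO t VALUES (1);\n' > "$1"
}

# The group and other permission bits of a file as a six-character string,
# e.g. "r--r--" for mode 0644 and "------" for mode 0600.
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Weak variant: the dump is created with whatever umask the caller has, so a
# common umask of 022 leaves the database contents readable by everyone.
backup_weak() {
    fake_pg_dump "$1"
}

# Fixed variant: the umask is forced to 077 in a subshell for the duration of
# the dump, so the file is owner-only from the moment it exists and the
# caller's own umask is left unchanged.
backup_fixed() {
    ( umask 077 && fake_pg_dump "$1" )
}

# One-off cleanup for backups that already exist: every regular file directly
# under $1 with any group or other bit set is reset to mode 0600. The files
# that were changed are printed, one per line.
tighten_existing() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(group_other_bits "$f") in
            ------) ;;
            *) chmod 600 -- "$f"; printf '%s\n' "$f" ;;
        esac
    done
}

# Demonstration under a typical default umask of 022.
DEMO=$WORK/demo
mkdir -p "$DEMO"
umask 022
backup_weak  "$DEMO/weak.sql"
backup_fixed "$DEMO/fixed.sql"
printf 'weak  : %s\nfixed : %s\n' \
    "$(group_other_bits "$DEMO/weak.sql")" "$(group_other_bits "$DEMO/fixed.sql")"
printf 'tightened:\n'
tighten_existing "$DEMO"
printf 'weak  : %s (after cleanup)\n' "$(group_other_bits "$DEMO/weak.sql")"
```

Under a typical `umask 022` the weak variant comes out group- and world-readable while the fixed one is owner-only; under `umask 077` both are already owner-only, which is why this class of bug is only visible on some systems and is easy to miss in testing.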
Re: Fwd: [SECURITY] [DLA 381-1] dbconfig-common security update
arg, I just noticed my screw up... I didn't reserve 381-1, but 390-1. Is that a reason to reject the mail? (I must stop using "git svn" on the security archive.)

Paul

On 15-01-16 14:23, Paul Gevers wrote:
> Hi,
>
> Just in case my message doesn't get through to the announce list, below
> is the message I sent 15 minutes ago. I would appreciate it if
> somebody resends it when it takes too long.
>
> Paul
>
>
> Forwarded Message
> Subject: [SECURITY] [DLA 381-1] dbconfig-common security update
> Date: Fri, 15 Jan 2016 14:07:39 +0100
> From: Paul Gevers
> To: debian-lts-annou...@lists.debian.org
>
> Package: dbconfig-common
> Version: 1.8.46+squeeze.1
> CVE ID : NA
> Debian Bug : 805638
>
> It was discovered that dbconfig-common could, depending on the local
> umask, make PostgreSQL database backups that were readable by other
> users than the database owner. The issue is fixed in version
> 1.8.46+squeeze.1. Access rights to existing database backups (not only
> for PostgreSQL) will be limited to the owner of the backup during the
> upgrade of dbconfig-common to this version. Future upgrades will not
> change access rights in case the local administrator has specific
> requirements.
>
> dbconfig-common is a Debian helper package that is used by a number of
> packages to manage the corresponding database.
Re: squeeze update of chrony?
Hi Vincent,

On 05-02-16 01:56, Vincent Blut wrote:
> +chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
> +
> +  * Fix CVE-2016-1567: retrict authentication of server/peer
> +    to specified key

I suggest you close bug 812923 in the changelog. The BTS is smart enough to track different trees.

> +This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2,
> +chrony does not verify peer associations of symmetric keys when authenticating
> +packets, which might allow remote attackers to conduct impersonation attacks
> +via an arbitrary trusted key, aka a "skeleton key." This issue also affects
> +chrony 2.2 and has been fixed in version 2.2.1.

I assume I read this text wrong if it appears that the issue is not in testing/sid (because then the security tracker needs to be updated). How I read it (the first times) is that prior to version 1.31.2 and in the 2.2 branch the issue exists, and anything between 1.31.2 and 2.2 would then be fine, but I am pretty sure that is not what you meant. So, I assume you intend to fix testing and sid soon as well, right? And although this vulnerability is tagged as no-dsa, you can still prepare a point release update and communicate with the RT to get it in.

Paul

PS: did you on purpose not create a squeeze-lts branch in your git repo?
Re: squeeze update of chrony?
Hi Vincent,

On 08-02-16 18:23, Vincent Blut wrote:
> That’s the plan, yes. By the way, I’ll contact you in the next few days
> to review 2.2.1-1 which is mostly ready.

Ok. Please be aware that I might not be able to act on the review this week.

>> And although this vulnerability is tagged as no-dsa, you can still
>> prepare a point release update and communicate with the RT to get it in.
>
> Yes, I’ll fix this in jessie and wheezy.

Great.

>> PS: did you on purpose not create a squeeze-lts branch in your git repo?
>
> Well, do you have any tips to properly handle this? I guess using
> "gbp import-dsc" would do the trick but…

Yes, with proper arguments to do this on the right branch. I would first branch at the right place and only import the missing releases. I believe there are even options to pull straight from snapshot.debian.org (but I have never used those before).

> P.S. I’d like to apologize for my “long” silence, but I’m facing a
> shitstorm IRL. :-/

NP. Take care of whatever you need to take care of. The note is appreciated though, such that "we" can act on it if needed.

Paul
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 12:35, Markus Koschany wrote:
> We recommend that you upgrade your systems to Debian 7 "Wheezy".

/me wonders, do we really recommend that? I would say we recommend our users to upgrade to the current stable (via Wheezy), no? And wheezy-lts is there for those that can't or won't upgrade now from wheezy to jessie (maybe coming from squeeze, true). But if you are upgrading, why not do it "right" if you can?

Paul
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 20:25, Matus UHLAR - fantomas wrote:
> you only can upgrade to wheezy directly. upgrade across versions is not
> supported.

I know, but that is not what I meant. I meant (and wrote), upgrade via wheezy.

Paul
Re: Wiki update LTS/Using and EOL announcement
Hi Markus,

On 29-02-16 21:56, Markus Koschany wrote:
> If it helps I could remove the "Debian 7 Wheezy" part and write
> "we recommend that you upgrade your systems".

That fully resolves the issue I was having with the text.

Paul
cacti & LTS
Hi all,

Just in case somebody starts working on it, I'd like to review proposed uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing in Debian and a check if the fix by a contributor in the upstream bug report is causing other damage. The third CVE has a trivial patch.

Paul

ps: see d-private.
Re: cacti LTS
Hi Emilio

On 25-06-16 22:03, Emilio Pozuelo Monfort wrote:
>> Just in case somebody starts working on it, I'd like to review proposed
>> uploads of cacti to LTS. CVE-2016-2313 was initially wrongly fixed (a
>> sledgehammer for a simple nail). CVE-2016-3659 still needs reproducing
>> in Debian and a check if the fix by a contributor in the upstream bug
>> report is causing other damage. The third CVE has a trivial patch.
>
> I've had a look at this. I set up cacti on a wheezy VM, and I could reproduce
> CVE-2016-3172. However, like you, I couldn't reproduce CVE-2016-3659. I don't
> know if we are vulnerable or not, maybe we are and the attack needs some
> changes. In any case, I think the fix is very safe, sanitizing parentheses, so I
> think we can just ship it. What do you think? Please see the attached debdiff.

The patch for CVE-2016-3659 is accepted by upstream, so it should be OK to apply.

The issue with CVE-2016-2313 has been resolved upstream; the sledgehammer has been replaced by an appropriate hammer for the size of the nail: https://github.com/Cacti/cacti/commit/6e5f3be49b3f52e30c88ec75a576f89bb72c4e52 I believe CVE-2016-2313 should be included in this fix.

Please be advised that since my previous e-mail, I actually created a brute force regression test for cacti, see http://anonscm.debian.org/cgit/pkg-cacti/cacti.git/tree/debian/tests/check-all-pages

Paul
Re: cacti LTS
Hi Emilio

[By the way, I read debian-lts, so no need to mail me directly; dropped your To: as well].

On 26-06-16 10:40, Emilio Pozuelo Monfort wrote:
>> I believe CVE-2016-2313 should be included in this fix.
>
> Certainly! I have backported the fix and included it in this new debdiff.

Looks good to me (but I haven't tested).

> Unfortunately I'm not sure how to trigger the bug.

For one thing, you have to change the authentication scheme (maybe remove the template, not sure if one is included by default), and log into cacti with a valid http user (but non-existing cacti user).

> Ah, nice. I don't think we have ci.debian.net running for wheezy, but this can
> be useful to do some basic testing after an update.

It was for the last point that I mentioned it. As cacti before the current stretch package didn't run out-of-the-box, it would require additional logic to even work on a CI framework (such as making sure that the admin password is the same as the cacti/www-data password and actually configuring the cacti pages). But if cacti works on your VM, it should be simple to run the test (usually takes several minutes though). My intention is to add tests for all the CVEs that I fix as well, but as you can see in the test, I wasn't successful with CVE-2016-3659; however, a check for CVE-2016-3172 is in.

Paul
Re: Bug#1079454: bookworm-pu: package python-django/3:3.2.19-1+deb12u2
Hi all,

On 08-05-2025 22:05, Chris Lamb wrote:
>> As a follow up of https://lists.debian.org/debian-lts/2025/05/msg00023.html,
>> I forgot to check if a pu for python-django was in the queue. And I would
>> just like to point out to you the above questions from Salvatore.
>>
>> Chris, the next point release window is closing this week-end. Do you think
>> you could help with that?
>
> Unfortunately, I'm really really slammed right now so I don't feel confident
> I can prepare a fully-tested pu for Django by this weekend. Salvatore's
> questions are indeed still outstanding and haven't been dropped — lot of
> stuff IRL recently so things have piled up. Slowly digging my way out of the
> hole, however.

And for avoidance of doubt, are the people in this thread aware of the regression that the current version of python-django in pu is causing in python-django-storages? I assume yes because of the cc list, but I wanted to spell it out. See https://release.debian.org/proposed-updates/stable.html

Paul