Re: Wheezy update of bash?

2016-10-06 Thread Ola Lundqvist
Hi Balint Ah, it could be the default shell. I'll try that. Thanks for the suggestion. Merely that the command id is executed is not a reproduction. It has to be executed as another user than the one executing the binary to be a security problem. If not it could be a bug but not a security bu

Re: systemd CVE-2016-7796

2016-10-06 Thread Ben Hutchings
On Fri, 2016-10-07 at 08:10 +1100, Brian May wrote: > Ben Hutchings writes: > > > 2. Fix for CVE-2016-7796 > > > Has undefined reference to IN_SET. > > I am guessing I don't need this part of the patch, right? > > -if (errno == EAGAIN || errno == EINTR) > +

Re: Wheezy update of bash?

2016-10-06 Thread Bálint Réczey
Hi Ola, 2016-10-06 23:08 GMT+02:00 Ola Lundqvist: > Hi Matthias and Balint > > I have tried to reproduce the problem described in the openwall email. > However I can not reproduce it. Have you been able to? > > On wheezy: > > ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test

Re: systemd CVE-2016-7796

2016-10-06 Thread Brian May
Ben Hutchings writes: > 2. Fix for CVE-2016-7796 Has undefined reference to IN_SET. I am guessing I don't need this part of the patch, right? -if (errno == EAGAIN || errno == EINTR) +if (!IN_SET(errno, EAGAIN, EINTR)) > 4. pid1-process-zero-leng
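Review bot: the removed and added lines are not equivalent, so this part of the patch cannot simply be dropped on the grounds that IN_SET is undefined: `-if (errno == EAGAIN || errno == EINTR)` is true for the two retryable errno values, while `+if (!IN_SET(errno, EAGAIN, EINTR))` is the negation of that same test, which only makes sense if the branch bodies around it changed as well (they fall outside the quoted fragment). Rather than omitting the hunk, keep the wheezy-compatible spelling `errno == EAGAIN || errno == EINTR` (or its `!(...)` negation, as the new code requires) and carry over whatever control-flow change the full upstream commit makes around it, checking the surrounding lines before deciding.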

Re: Wheezy update of bash?

2016-10-06 Thread Ola Lundqvist
Hi Matthias and Balint I have tried to reproduce the problem described in the openwall email. However I can not reproduce it. Have you been able to? On wheezy: ola@tigereye:/$ env -i SHELLOPTS=xtrace PS4='$(id)' ./test Thu Oct 6 20:54:07 UTC 2016 ola@tigereye:/$ ls -la test -rwsr-xr

Re: version number when packaging a new upstream release

2016-10-06 Thread Markus Koschany
On 06.10.2016 20:10, Adrian Bunk wrote: > On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote: >> On Thu, 06 Oct 2016, Adrian Bunk wrote: >> ... >>> Do you have any rationale why you think -1~deb7u1 would be better >>> than -0+deb7u1? >> >> My preference goes for the former because it m

Re: version number when packaging a new upstream release

2016-10-06 Thread Adrian Bunk
On Thu, Oct 06, 2016 at 06:16:37PM +0200, Raphael Hertzog wrote: > On Thu, 06 Oct 2016, Adrian Bunk wrote: >... > > Do you have any rationale why you think -1~deb7u1 would be better > > than -0+deb7u1? > > My preference goes for the former because it matches the logic of > backported packages and

Re: version number when packaging a new upstream release

2016-10-06 Thread Raphael Hertzog
On Thu, 06 Oct 2016, Adrian Bunk wrote: > I gave a rationale in the following paragraph: > > In the general case it is even possible that the package was removed > from unstable, but later someone ITPs 6:0.8.18-1 into unstable. At that > point the version in oldstable would be higher tha

Re: version number when packaging a new upstream release

2016-10-06 Thread Adrian Bunk
On Thu, Oct 06, 2016 at 11:53:58AM +0200, Raphael Hertzog wrote: > Hi, > > On Mon, 03 Oct 2016, Adrian Bunk wrote: > > > I'd suggest to use 6:0.8.18-1+deb7u3 because it's the third update of > > > that package within Debian 7. > > > > The version number should not depend on whether 0.8.18 was eve

Re: systemd CVE-2016-7796

2016-10-06 Thread Ben Hutchings
On Thu, 2016-10-06 at 18:12 +1100, Brian May wrote: > > Ben Hutchings writes: > > > [ Unknown signature status ] > > On Thu, 2016-10-06 at 08:07 +1100, Brian May wrote: > > > Here is a new revised patch: > > > > > > You're trying to make multiple changes in one patch, and still not > > getting

Re: wheezy-specific bind9 issue

2016-10-06 Thread Shaun Bugler - Hetzner (Pty) Ltd
On 04/10/2016 19:52, Thorsten Alteholz wrote: Hi Florian, On Wed, 28 Sep 2016, Florian Weimer wrote: While trying to write a reproducer for CVE-2016-2776, I discovered that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash, while unpatched jessie and upstream would not:

Re: version number when packaging a new upstream release

2016-10-06 Thread Jonas Meurer
Hi Raphael and LTS list, Am 06.10.2016 um 11:53 schrieb Raphael Hertzog: > On Mon, 03 Oct 2016, Adrian Bunk wrote: >>> I'd suggest to use 6:0.8.18-1+deb7u3 because it's the third update of >>> that package within Debian 7. >> >> The version number should not depend on whether 0.8.18 was ever >> in

Re: Wheezy update of bash?

2016-10-06 Thread Ola Lundqvist
Hi Matthias I will look into this. // Ola On 6 October 2016 at 01:06, Matthias Klose wrote: > On 05.10.2016 16:02, Balint Reczey wrote: > > Hello dear maintainer(s), > > > > the Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of bash: >

Re: version number when packaging a new upstream release

2016-10-06 Thread Raphael Hertzog
Hi, On Mon, 03 Oct 2016, Adrian Bunk wrote: > > I'd suggest to use 6:0.8.18-1+deb7u3 because it's the third update of > > that package within Debian 7. > > The version number should not depend on whether 0.8.18 was ever > in unstable. Where do you get that rule from? There's lots of bikesheddin

Re: systemd CVE-2016-7796

2016-10-06 Thread Brian May
Ben Hutchings writes: > [ Unknown signature status ] > On Thu, 2016-10-06 at 08:07 +1100, Brian May wrote: >> Here is a new revised patch: > > You're trying to make multiple changes in one patch, and still not > getting all of them.  I think you will need to apply (at least) this > series of patc