[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Unblocks for security fixes



Hi,

When looking at the security-tracker page for testing, I noticed some of the security bugs are fixed in unstable.

aircrack-ng: CVE-2010-1159, fixed in 1:1.1-1
bind9: CVE-2010-3762, fixed in 1:9.7.2.dfsg.P2-1
cups: CVE-2010-2941, fixed in 1.4.4-7
freeradius: CVE-2010-3696 and CVE-2010-3697, fixed in 2.1.10+dfsg-1
php5: CVE-2010-3710, fixed in 5.3.3-3
scilab: CVE-2010-3378, fixed in 5.2.2-8
ust: CVE-2010-3386, fixed in 0.7-2.1

I have no idea if any of those were already asked to be unblocked and/or they should be unblocked. I've pasted the changelogs between the version in testing and the fixed version below. Since some of them contain 'new upstream version' I guess not all of them will meet the freeze exception requirement.

Regards,

Rik



=== aircrack-ng ===
aircrack-ng (1:1.1-1.1) unstable; urgency=low

   * Non-maintainer upload.
   * Fixed FTBFS on sparc due to incorrect detection of Solaris OS
    (closes: #590765).
 -- Giovanni Mascellani <gio@debian.org>  Sat, 02 Oct 2010 19:23:51 +0200

aircrack-ng (1:1.1-1) unstable; urgency=low

   * New upstream release (Closes: #582658):
     - Fix a buffer overflow (Closes: #577758),
     - Fix compilation errors (Closes: #546312).
   * Switch to dpkg-source 3.0 (quilt) format.
   * Bump Standards-Version to 3.8.4.
   * Add missing ${misc:Depends}.
   * Fix airodump-ng manpage (Closes: #570982).
 -- Adam Cécile (Le_Vert) <gandalf@le-vert.net>  Mon, 31 May 2010 18:34:37 +0200

2009

aircrack-ng (1:1.0-1) unstable; urgency=low

   * New upstream release (Closes: #546312).
 -- Adam Cécile (Le_Vert) <gandalf@le-vert.net>  Sun, 27 Sep 2009 17:10:42 +0200

aircrack-ng (1:1.0~rc4-1) unstable; urgency=low

   * New upstream release.
   * Bump Standards-Version to 3.8.3.
   * Add README.source.
 -- Adam Cécile (Le_Vert) <gandalf@le-vert.net>  Fri, 28 Aug 2009 22:18:13 +0200

=== bind9 ===
bind9 (1:9.7.2.dfsg.P2-2) unstable; urgency=low

   [Roy Jamison]
 
   * lib/isc/unix/resource.c was missing inttypes.h include.  LP: #674199
 -- LaMont Jones <lamont@debian.org>  Fri, 12 Nov 2010 10:52:32 -0700

bind9 (1:9.7.2.dfsg.P2-1) unstable; urgency=low

   [Joe Dalton]
 
   * Add Danish translation of debconf templates.  Closes: #599431
 
   [Internet Software Consortium, Inc]
 
   * v9.7.2-P2
 
   [José Figueiredo]
 
   * Add Brazilian Portuguese debconf templates translation.  Closes: #597616
 
   [LaMont Jones]
 
   * drop this v3 (quilt) source format idea.  Closes: #589916
 -- LaMont Jones <lamont@debian.org>  Sun, 10 Oct 2010 19:01:57 -0600

=== cups ===
cups (1.4.4-7) unstable; urgency=low

   [ Till Kamppeter ]
   * debian/local/filters/pdf-filters/pdftopdf/parseargs.c,
     debian/local/filters/pdf-filters/pdftopdf/parseargs.cxx,
     debian/local/filters/pdf-filters/pdftopdf/parseargs.h,
     debian/local/filters/pdf-filters/pdftopdf/Makefile: Made pdftopdf
     building with Poppler 0.15.x. Thanks to Koji Otani for this patch.
   * debian/control: Added dependency on "cups-ppdc" package to the "cups"
     package, so that the PPDs of the drivers which come with CUPS get built
     (LP: #485383).
 
   [ Martin Pitt ]
   * ubuntu-upstart.dpatch: Wait until daemon is ready, to avoid race
     conditions with init scripts which expect cups tools to work right after
     restarting it. (LP: #647369)
   * ubuntu-upstart.dpatch: If D-BUS is not available, start on runlevels 2 to
     5, so that this also works in server environments. (LP: #650893)
   * debian/local/apparmor-profile: Allow access to /usr/local/lib/cups/**.
     (LP: #160092)
   * debian/local/apparmor-profile: Allow reading /usr/local/**, in case
     third-party printer drivers need auxiliary files.
   * debian/local/apparmor-profile: Allow reading /var/run/**. (LP: #659961)
   * ubuntu-upstart.dpatch: Time out after 5 seconds when the local socket
     doesn't get created. Apparently a lot of users disable it in cupsd.conf.
     (LP: #672438)
   * debian/local/filters/pdf-filters/addtocups: Link pdftoijs with $(CXX),
     since it's a C++ program. Fixes FTBFS with gcc 4.5.
   * debian/local/filters/pdf-filters/pdftopdf/Makefile: Explicitly pdftopdf
     with -lz. gcc 4.5 does not automatically link to transitive library
     dependencies any more.
   * drop_unnecessary_dependencies.dpatch: Drop hunk for reduced krb5/gssapi
     linkage. With gcc 4.5, we now need -lkrb5.
 
   [ Marc Deslauriers ]
   * Add CVE-2010-2941.dpatch: Fix denial of service and possible code execution
     via invalid free. Skip over and reserve unused tags in cups/ipp.{c,h}.
     [CVE-2010-2941]
 -- Martin Pitt <mpitt@debian.org>  Fri, 12 Nov 2010 11:07:33 +0100

cups (1.4.4-6) unstable; urgency=low

   * debian/cups.preinst: Go back to using lsb-release, since dpkg-vendor is
     not installed by default (it's in dpkg-dev). Bump the version guard to
     this version, to reattempt the migration. (LP: #645328)
 -- Martin Pitt <mpitt@debian.org>  Thu, 23 Sep 2010 08:47:11 +0200

cups (1.4.4-5) unstable; urgency=low

   [ Martin Pitt ]
   * ubuntu-upstart.dpatch: Drop the dependency "on starting smbd", it causes
     samba to hang on package upgrades or manual restarts. There doesn't seem
     to be a good way to express this dependency right now. (LP: #639768)
     Instead, send a SIGHUP to smbd if it is running, which causes it to reload
     printers.
 
   [ Till Kamppeter ]
   * pstops-based-workflow-only-for-printing-ps-on-a-ps-printer.dpatch:
     Let CUPS use the former PostScript-based filter chain only if the input
     file is PostScript and the printer is a PostScript printer with
     manufacturer-supplied PPD file. This avoids ugly PS->PDF->PS conversions
     which are bad for the performance and sometimes cause issues
     (Closes: #593338, requested by Ricoh).
 -- Martin Pitt <mpitt@debian.org>  Thu, 16 Sep 2010 18:57:06 +0200

cups (1.4.4-4) unstable; urgency=low

   [ Till Kamppeter ]
   * default-ripcache-size-auto.dpatch: Replaced patch for letting CUPS default
     RIP_MAX_CACHE to 1/4 of the system's RAM by a patch defaulting
     RIP_MAX_CACHE to "auto". See LP: #628030.
   * debian/patches/cups-snmp-oids-device-id-hp-ricoh.dpatch: Let the "snmp"
     backend also use the manufacturer-specific MIBs of HP and Ricoh to
     obtain the device IDs of network-connected printers. This way we get more
     reliable information about make and model and in addition the supported
     page description languages, which allow to identify whether an optional
     PostScript add-on is installed or for an unsupported printer which
     generic PPD is the best choice (requested by Ricoh, thanks to Tim Waugh
     from Red Hat to create the patch).
 
   [ Martin Pitt ]
   * debian/control: Drop perl-modules dependency. The only script that uses
     perl is oopstops, which uses IO::Handle, and this is in perl-base.
   * debian/control, debian/rules, ubuntu-*.dpatch: Replace lsb_release call
     with dpkg-vendor, and drop lsb-release build dependency.
   * Upstartify for Ubuntu:
     - Add ubuntu-upstart.dpatch: Add debian/cups.upstart script, which now
       causes Samba to wait for cups to start. Don't have it in debian/ by
       default, since dh_installinit unconditionally prefers it over .init.
     - debian/rules: Call dh_installinit with --upstart-only when building on
       Ubuntu.
     - debian/cups.preinst: Remove old init script on upgrades when running on
       Ubuntu.
   * debian/cups.preinst: Remove some obsolete transitional code.
   * debian/cups.init.d, debian/cups.postinst: Move custom PPD directory setup
     from init script into postinst. No need to do that on every boot.
 -- Martin Pitt <mpitt@debian.org>  Tue, 14 Sep 2010 18:49:39 +0200

=== freeradius ===

freeradius (2.1.10+dfsg-2) unstable; urgency=medium

   * The zombie period start time variable mistakenly got set to a random
     value because of an upstream typo. Cherry-picked upstream commit
     7b7dff7724721f8af5fd163f2292d427a869992d into a Debian patch,
     requested for squeeze in #600465.
   * Since 2.1.9, the daemon stopped reopening the default radius.log file
     constantly, which means the default logrotate setup breaks the default
     logging. D'oh. We now have to send SIGHUP to the daemon as a postrotate
     action, which makes it reopen log files and continue normally.
     * Added delaycompress to the logrotate options, just to be on the safe
       side.
     * Added a reload action into the init script accordingly, so that the
       right pidfile is picked up (one that can be overridden by the admin
       in /etc/default/freeradius, available since the last release).
     * Called reload from the postrotate section, closes: #602815.
     * However, the latter signal also makes the server re-read configuration
       files, but unlike the initial server start, this all happens under
       the unprivileged user. That in turn means that if by any chance there
       is any part of FR configuration that happens not to be readable by
       group freerad (or whatever non-default is configured), the reload
       will fail, effectively silently, as the log has been moved away. Gah.
       So we have to make an effort to ensure that the configuration files
       are still readable by that user, otherwise the reload fails and the
       aforementioned bug is not fixed. The files seem to revert to
       root:root upon conffile actions, at least that's what happened to me
       and I think that was the cause. So, on upgrade, try to re-apply the
       dpkg-statoverrides on our /etc/freeradius/* stuff, whatever they are,
       under the assumption they will let the freerad group read config files
       as is the initial setup. (I wish dpkg-statoverride --update $file
       just did the right thing, but it doesn't, so there's a new local
       function that does that.)
     * While doing the latter, noticed that we were checking for directories
       in dpkg-statoverride --list output with trailing slashes, but they
       get output without it, so it was a no-op. Fixed the check by removing
       the trailing slashes. Also then noticed that we were grepping --list
       output, but it takes an optional glob pattern, so saved us that
       pointless grep fork by using that facility, just as described in the
       policy manual.
     * force-reload switches from restart to reload, per policy 9.3.2.
   * lenny backport needed also libltdl-dev (2.2.x) to build properly, rather
     than libltdl3-dev, which is obsolete and doesn't make sense anyway.
 -- Josip Rodin <joy-packages@debian.org>  Sat, 13 Nov 2010 15:21:30 +0100

freeradius (2.1.10+dfsg-1) unstable; urgency=medium

   * New upstream version, closes a bunch of reproducible SNAFUs,
     including two tagged as security issues, CVE-2010-3696, CVE-2010-3697,
     closes: #600176.
   * Build-depend on newer Libtool because of lt_dladvise_init(), also
     upstream now has a configure check so we no longer need a patch,
     yet we still don't want the old behaviour. Noticed by John Morrissey,
     closes: #584151.
   * Added the /etc/default/freeradius file as suggested by
     Rudy Gevaert and Matthew Newton, closes: #564716.
   * Stop symlinking /dev/urandom into /etc/freeradius/certs/random,
     it breaks grep -r in /etc. Instead, replace it inside eap.conf,
     both in the new shipped conffile and in postinst.
 -- Josip Rodin <joy-packages@debian.org>  Thu, 14 Oct 2010 21:51:51 +0200

=== php5 ===
php5 (5.3.3-3) unstable; urgency=high

   * Fix segfault in filter_var with FILTER_VALIDATE_EMAIL with large
     amount of data (CVE-2010-3710, Closes: #601619)
 -- Ondřej Surý <ondrej@debian.org>  Wed, 27 Oct 2010 23:39:37 +0200

=== scilab ===
scilab (5.2.2-8) unstable; urgency=high

   * SECURITY UPDATE:
     - (CVE-2010-3378) : Insecure library loading (Closes: #598422, #598423)
 -- Sylvestre Ledru <sylvestre@debian.org>  Thu, 30 Sep 2010 15:17:57 +0200

scilab (5.2.2-7) unstable; urgency=low

   * Fix a bad upload: Not binNMU-able (Closes: #597755)
   * Fix an issue with mips64. Thanks to Liushiwei (Closes: #593902)
   * Wrong recommends on sivp (Closes: #576475)
 -- Sylvestre Ledru <sylvestre@debian.org>  Thu, 23 Sep 2010 14:07:07 +0200

scilab (5.2.2-6) unstable; urgency=low

   * Fix a problem with the build system
 -- Sylvestre Ledru <sylvestre@debian.org>  Sat, 18 Sep 2010 08:50:49 +0200

scilab (5.2.2-5) unstable; urgency=low

   [ Matthias Klose ]
   * Fix JVM detection for armv<anything> machines (Closes: #596509)
 -- Sylvestre Ledru <sylvestre@debian.org>  Sun, 12 Sep 2010 11:14:58 +0200

scilab (5.2.2-4) unstable; urgency=low

   * Fix a FTBFS under powerpc (conflicting declaration of basename)
     basename.diff
 -- Sylvestre Ledru <sylvestre@debian.org>  Mon, 16 Aug 2010 22:20:42 +0200

scilab (5.2.2-3) unstable; urgency=low

   * Remove option -fwritable-string. writable-string.diff (Closes: #593114)
   * Fix a problem in the detection of sparc for sivp sparcstartup.diff
     (Closes: #591541)
   * Update copyright file to fix lintian warning:
     copyright-refers-to-deprecated-bsd-license-file
   * Standards-Version updated to version 3.9.1
 -- Sylvestre Ledru <sylvestre@debian.org>  Mon, 16 Aug 2010 16:03:13 +0200

scilab (5.2.2-2) unstable; urgency=low

   * Missing files in libjavasci (Closes: #585679)
   * libjavasci arch: all => any
   * Rpath back in business for sciscipy (Closes: #586746)
   * Set the exact dependencies on jgraphx (1.2.0.8). Too many compatibilities
     issues.
 -- Sylvestre Ledru <sylvestre@debian.org>  Sun, 27 Jun 2010 17:22:12 +0200

=== ust ===
ust (0.7-3) unstable; urgency=low

   * [2c4036] Restore info-dir-section patch from previous NMU
 -- Jon Bernard <jbernard@debian.org>  Sat, 30 Oct 2010 20:31:26 -0400

ust (0.7-2.1) unstable; urgency=high

   * Non-maintainer upload.
   * debian/patches
     - (CVE-2010-3386--bug598309): New. Fix LD_LIBRARY_PATH. Initial patch
       idea thanks to Etienne Millon <etienne.millon@gmail.com> (grave,
       security; Closes: #598309).
 -- Jari Aalto <jari.aalto@cante.net>  Mon, 18 Oct 2010 18:55:42 +0300

ust (0.7-2) unstable; urgency=low

   * [7d6a5c] Remove sparc and alpha from supported architectures
   * [5603a1] Add build dependency on version 0.4.6 of liburcu-dev
   * [5f3cf6] Recommend liburcu-dev for libust-dev - thanks to Alexandre
     Montplaisir <alexandre.montplaisir@gmail.com>
   * [06df73] Depends on version 0.4.6 of liburcu0 for libust0
 -- Jon Bernard <jbernard@debian.org>  Mon, 27 Sep 2010 04:27:29 -0400

ust (0.7-1) unstable; urgency=low

   * [ed442a] Imported Upstream version 0.7
   * [0de6a7] Update installed libraries
   * [dfd55b] Bump standards version to 3.9.1, no changes necessary
 -- Jon Bernard <jbernard@debian.org>  Mon, 30 Aug 2010 22:27:57 -0400



Reply to: