Bug#824239: [DLA] fixes for dla-20,38,53,54
Package: www.debian.org
Severity: normal
Tags: patch
X-Debbugs-CC: debian-lts@lists.debian.org
* wrong references in dla-20
* missing wireshark advisory (dla-38), no one sent to d-d-a
* wrong dla ID for "dla-54" sent and created as dla-53
* missing "real" dla-54
see the bottom of the mail
p.s.:
scripts are not all-round geniuses;
scripts cannot decide if the source is valid,
scripts cannot fix issues in the source,
scripts do just as instructed.
then, YOU NEED TO CHECK AND FIX THE GENERATED CONTENTS YOURSELF
--
victory
no need to CC me :-)
Index: english/security/2014/dla-20.wml
===================================================================
--- english/security/2014/dla-20.wml (revision 193)
+++ english/security/2014/dla-20.wml (working copy)
@@ -8,9 +8,9 @@
(Closes: #679897), closes <a href="https://security-tracker.debian.org/tracker/CVE-2012-3512">CVE-2012-3512</a>.</li>
<li>plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written
plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now please report plugins that are still using /var/lib/munin/plugin-state/ as those might pose a security risk!</li>
-<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048">CVE-2013-6048</a>.</li>
<li>Don't abort data collection for a node due to malicious node, fixing
- munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359">CVE-2013-6359</a>.</li>
+ munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048">CVE-2013-6048</a>.</li>
+<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359">CVE-2013-6359</a>.</li>
</ul>
<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in munin version 1.4.5-3+deb6u1</p>
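Review bot: this hunk swaps which CVE is attached to which munin fix (CVE-2013-6048 moves to the "Don't abort data collection" item, CVE-2013-6359 to "Validate multigraph plugin name") and also reorders the two list items; since the swap reverses the published advisory text, confirm the new mapping against the security tracker entries for both CVEs before committing, and keep the original list order unless the reorder is intended.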
Index: english/security/2014/dla-38.data
===================================================================
--- english/security/2014/dla-38.data (nonexistent)
+++ english/security/2014/dla-38.data (working copy)
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-38-1 wireshark</define-tag>
+<define-tag report_date>2014-8-20</define-tag>
+<define-tag secrefs>CVE-2014-5161 CVE-2014-5162 CVE-2014-5163</define-tag>
+<define-tag packages>wireshark</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
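Review bot: the report_date of 2014-8-20 and the three secrefs cannot be cross-checked against an announcement mail, because per the bug description no DLA-38 was sent to debian-lts-announce; verify the date and CVE list against the wireshark changelog entry for 1.2.11-6+squeeze15 before adding this file.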
Index: english/security/2014/dla-38.wml
===================================================================
--- english/security/2014/dla-38.wml (nonexistent)
+++ english/security/2014/dla-38.wml (working copy)
@@ -0,0 +1,25 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+
+<ul>
+ <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5161">CVE-2014-5161</a>,
+ <a href="https://security-tracker.debian.org/tracker/CVE-2014-5162">CVE-2014-5162</a>:
+
+ <p>The Catapult DCT2000 and IrDA dissectors could underrun a buffer.
+ It may be possible to make Wireshark crash by injecting a malformed packet onto
+ the wire or by convincing someone to read a malformed packet trace file.</p></li>
+
+ <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5163">CVE-2014-5163</a>:
+
+ <p>The GSM Management dissector could crash.
+ It may be possible to make Wireshark crash by injecting a malformed packet onto
+ the wire or by convincing someone to read a malformed packet trace file.</p></li>
+</ul>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in wireshark version 1.2.11-6+squeeze15</p>
+
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-38.data"
+# $Id: $
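Review bot: the fixed version 1.2.11-6+squeeze15 in the closing paragraph is the only place the version appears and, like the date in the .data file, has no announcement to cross-check it against; confirm it from the package changelog. The empty `# $Id: $` keyword and the `dla-38.data` include are correct for a newly added file (compare the dla-54.wml hunk further down, which copies both from dla-53).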
Index: english/security/2014/dla-53.data
===================================================================
--- english/security/2014/dla-53.data (revision 193)
+++ english/security/2014/dla-53.data (working copy)
@@ -1,10 +1,10 @@
-<define-tag pagetitle>DLA-53-1 gnupg</define-tag>
-<define-tag report_date>2014-9-14</define-tag>
-<define-tag secrefs>CVE-2014-5270</define-tag>
-<define-tag packages>gnupg</define-tag>
-<define-tag isvulnerable>yes</define-tag>
-<define-tag fixed>yes</define-tag>
-<define-tag fixed-section>no</define-tag>
-
-#use wml::debian::security
-
+<define-tag pagetitle>DLA-53-1 apt</define-tag>
+<define-tag report_date>2014-9-3</define-tag>
+<define-tag secrefs>CVE-2014-0487 CVE-2014-0488 CVE-2014-0489</define-tag>
+<define-tag packages>apt</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
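Review bot: the hunk rewrites the whole .data file although only four lines change (pagetitle, report_date, secrefs, packages); the isvulnerable, fixed, fixed-section and `#use` lines are identical on both sides, so a minimal diff touching just the four changed define-tags would be easier to review and to merge.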
Index: english/security/2014/dla-53.wml
===================================================================
--- english/security/2014/dla-53.wml (revision 193)
+++ english/security/2014/dla-53.wml (working copy)
@@ -1,15 +1,16 @@
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
-<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
-encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).</p>
+<p>It was discovered that APT, the high level package manager, does not
+properly invalidate unauthenticated data (<a
+href="https://security-tracker.debian.org/tracker/CVE-2014-0488">CVE-2014-0488</a>),
+performs incorrect verification of 304 replies (<a
+href="https://security-tracker.debian.org/tracker/CVE-2014-0487">CVE-2014-0487</a>)
+and does not perform the checksum check when the Acquire::GzipIndexes option is used
+(<a href="https://security-tracker.debian.org/tracker/CVE-2014-0489">CVE-2014-0489</a>).</p>
-<p>In addition, this update hardens GnuPG's behaviour when treating keyserver
-responses; GnuPG now filters keyserver responses to only accepts those
-keyids actually requested by the user.</p>
-
-<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p>
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze3</p>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/security/2014/dla-53.data"
-# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $
+# $Id: $
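Review bot: the blank line between the description paragraph and the "For Debian 6" paragraph is dropped here (the removed `-` blank line has no `+` counterpart), which departs from the layout every other DLA page in this patch keeps; restore it. Replacing the expanded `# $Id: dla-53.wml,v 1.2 ...$` with the empty `# $Id: $` form only makes sense if the repository re-expands the keyword on commit; otherwise leave that line untouched.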
Index: english/security/2014/dla-54.data
===================================================================
--- english/security/2014/dla-54.data (nonexistent)
+++ english/security/2014/dla-54.data (working copy)
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-53-1 gnupg</define-tag>
+<define-tag report_date>2014-9-14</define-tag>
+<define-tag secrefs>CVE-2014-5270</define-tag>
+<define-tag packages>gnupg</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
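Review bot: the pagetitle reads `DLA-53-1 gnupg` in a file named dla-54.data; it should be `DLA-54-1 gnupg`, otherwise the generated page carries the same title as the apt advisory it is meant to be separated from.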
Index: english/security/2014/dla-54.wml
===================================================================
--- english/security/2014/dla-54.wml (nonexistent)
+++ english/security/2014/dla-54.wml (working copy)
@@ -0,0 +1,15 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
+encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).</p>
+
+<p>In addition, this update hardens GnuPG's behaviour when treating keyserver
+responses; GnuPG now filters keyserver responses to only accepts those
+keyids actually requested by the user.</p>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-53.data"
+# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $
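Review bot: the last two lines were copied from dla-53.wml and not updated: the `#include` must point at `$(ENGLISHDIR)/security/2014/dla-54.data` (as written it would pull in the apt metadata), and the expanded `# $Id: dla-53.wml,v 1.2 ...$` should be the empty `# $Id: $` form used for the new dla-38.wml, so the keyword is not inherited from another file.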