
Bug#824239: marked as done ([DLA] fixes for 2014/dla-*)



Your message dated Fri, 20 May 2016 23:05:28 +0200
with message-id <CAOSaayVTJJy4QefY+K5c+HzG9VFxJduxpTDQ-O2dH4Pf8xDpVg@mail.gmail.com>
and subject line Re: Bug#824239: [DLA] fixes for dla-20,38,53,54
has caused the Debian Bug report #824239,
regarding [DLA] fixes for 2014/dla-*
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
824239: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824239
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
Severity: normal
Tags: patch
X-Debbugs-CC: debian-lts@lists.debian.org

* wrong references in dla-20
* missing wireshark advisory (dla-38), no one sent to d-d-a
* wrong dla ID for "dla-54" sent and created as dla-53
* missing "real" dla-54

see the bottom of the mail

p.s.: 
scripts are not all-round geniuses;
scripts cannot decide if the source is valid,
scripts cannot fix issues in the source,
scripts do just as instructed.
then, YOU NEED TO CHECK AND FIX THE GENERATED CONTENTS YOURSELF

-- 
victory
no need to CC me :-)

Index: english/security/2014/dla-20.wml
===================================================================
--- english/security/2014/dla-20.wml	(revision 193)
+++ english/security/2014/dla-20.wml	(working copy)
@@ -8,9 +8,9 @@
   (Closes: #679897), closes <a href="https://security-tracker.debian.org/tracker/CVE-2012-3512";>CVE-2012-3512</a>.</li>
 <li>plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written
   plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now   please report plugins that are still using /var/lib/munin/plugin-state/   as those  might pose a security risk!</li>
-<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048";>CVE-2013-6048</a>.</li>
 <li>Don't abort data collection for a node due to malicious node, fixing
-  munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359";>CVE-2013-6359</a>.</li>
+  munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048";>CVE-2013-6048</a>.</li>
+<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359";>CVE-2013-6359</a>.</li>
 </ul>
 
 <p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in munin version 1.4.5-3+deb6u1</p>
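Review bot: the two changed <li> entries swap the CVE ids and also change
position, so after the patch munin#1397 points at CVE-2013-6048 and
"Validate multigraph plugin name" at CVE-2013-6359, but neither the hunk
nor the report ("wrong references in dla-20") says what the new mapping
was checked against. Name the source (the DLA announcement or the package
changelog) in the commit message. Changing only the CVE id on each line,
without relocating the <li>, would give the same mapping and make the
change easier to verify.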
Index: english/security/2014/dla-38.data
===================================================================
--- english/security/2014/dla-38.data	(nonexistent)
+++ english/security/2014/dla-38.data	(working copy)
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-38-1 wireshark</define-tag>
+<define-tag report_date>2014-8-20</define-tag>
+<define-tag secrefs>CVE-2014-5161 CVE-2014-5162 CVE-2014-5163</define-tag>
+<define-tag packages>wireshark</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
Index: english/security/2014/dla-38.wml
===================================================================
--- english/security/2014/dla-38.wml	(nonexistent)
+++ english/security/2014/dla-38.wml	(working copy)
@@ -0,0 +1,25 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+
+<ul>
+    <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5161";>CVE-2014-5161</a>,
+    <a href="https://security-tracker.debian.org/tracker/CVE-2014-5162";>CVE-2014-5162</a>:
+
+    <p>The Catapult DCT2000 and IrDA dissectors could underrun a buffer.
+    It may be possible to make Wireshark crash by injecting a malformed packet onto 
+    the wire or by convincing someone to read a malformed packet trace file.</p></li>
+
+    <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5163";>CVE-2014-5163</a>:
+
+    <p>The GSM Management dissector could crash.
+    It may be possible to make Wireshark crash by injecting a malformed packet onto
+    the wire or by convincing someone to read a malformed packet trace file.</p></li>
+</ul>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in wireshark version 1.2.11-6+squeeze15</p>
+
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-38.data"
+# $Id: $
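Review bot: the added line ending "by injecting a malformed packet onto "
in the first <li> has trailing whitespace; strip it. Every href in this
new file also reads CVE-2014-516x"; with a semicolon after the closing
quote. If that is in the file and not introduced by the mail archive,
remove it so each tag is a plain <a href="...">.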
Index: english/security/2014/dla-53.data
===================================================================
--- english/security/2014/dla-53.data	(revision 193)
+++ english/security/2014/dla-53.data	(working copy)
@@ -1,10 +1,10 @@
-<define-tag pagetitle>DLA-53-1 gnupg</define-tag>
-<define-tag report_date>2014-9-14</define-tag>
-<define-tag secrefs>CVE-2014-5270</define-tag>
-<define-tag packages>gnupg</define-tag>
-<define-tag isvulnerable>yes</define-tag>
-<define-tag fixed>yes</define-tag>
-<define-tag fixed-section>no</define-tag>
-
-#use wml::debian::security
-
+<define-tag pagetitle>DLA-53-1 apt</define-tag>
+<define-tag report_date>2014-9-3</define-tag>
+<define-tag secrefs>CVE-2014-0487 CVE-2014-0488 CVE-2014-0489</define-tag>
+<define-tag packages>apt</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
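Review bot: the isvulnerable, fixed, fixed-section and "#use" lines are
removed and re-added with identical text, which points to a whitespace or
line-ending change across the whole file. Only pagetitle, report_date,
secrefs and packages actually change; regenerate the diff so it touches
just those four lines, or state in the commit message that line endings
were normalised.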
Index: english/security/2014/dla-53.wml
===================================================================
--- english/security/2014/dla-53.wml	(revision 193)
+++ english/security/2014/dla-53.wml	(working copy)
@@ -1,15 +1,16 @@
 <define-tag description>LTS security update</define-tag>
 <define-tag moreinfo>
-<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
-encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270";>CVE-2014-5270</a>).</p>
+<p>It was discovered that APT, the high level package manager, does not
+properly invalidate unauthenticated data (<a
+href="https://security-tracker.debian.org/tracker/CVE-2014-0488";>CVE-2014-0488</a>),
+performs incorrect verification of 304 replies (<a
+href="https://security-tracker.debian.org/tracker/CVE-2014-0487";>CVE-2014-0487</a>)
+and does not perform the checksum check when the Acquire::GzipIndexes option is used
+(<a href="https://security-tracker.debian.org/tracker/CVE-2014-0489";>CVE-2014-0489</a>).</p>
 
-<p>In addition, this update hardens GnuPG's behaviour when treating keyserver
-responses; GnuPG now filters keyserver responses to only accepts those
-keyids actually requested by the user.</p>
-
-<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p>
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze3</p>
 </define-tag>
 
 # do not modify the following line
 #include "$(ENGLISHDIR)/security/2014/dla-53.data"
-# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $
+# $Id: $
Index: english/security/2014/dla-54.data
===================================================================
--- english/security/2014/dla-54.data	(nonexistent)
+++ english/security/2014/dla-54.data	(working copy)
@@ -0,0 +1,10 @@
+<define-tag pagetitle>DLA-53-1 gnupg</define-tag>
+<define-tag report_date>2014-9-14</define-tag>
+<define-tag secrefs>CVE-2014-5270</define-tag>
+<define-tag packages>gnupg</define-tag>
+<define-tag isvulnerable>yes</define-tag>
+<define-tag fixed>yes</define-tag>
+<define-tag fixed-section>no</define-tag>
+
+#use wml::debian::security
+
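Review bot: pagetitle in this new dla-54.data still reads
"DLA-53-1 gnupg", copied from the old dla-53.data. It should be
"DLA-54-1 gnupg"; as submitted, dla-53 and dla-54 would both be titled
DLA-53-1.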
Index: english/security/2014/dla-54.wml
===================================================================
--- english/security/2014/dla-54.wml	(nonexistent)
+++ english/security/2014/dla-54.wml	(working copy)
@@ -0,0 +1,15 @@
+<define-tag description>LTS security update</define-tag>
+<define-tag moreinfo>
+<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal
+encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270";>CVE-2014-5270</a>).</p>
+
+<p>In addition, this update hardens GnuPG's behaviour when treating keyserver
+responses; GnuPG now filters keyserver responses to only accepts those
+keyids actually requested by the user.</p>
+
+<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p>
+</define-tag>
+
+# do not modify the following line
+#include "$(ENGLISHDIR)/security/2014/dla-53.data"
+# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $
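Review bot: the #include at the end of the new dla-54.wml points at
"$(ENGLISHDIR)/security/2014/dla-53.data", so this page would pull in the
apt metadata (title, date, CVE list) instead of its own; it should include
dla-54.data. The $Id line is also copied from dla-53.wml with its old
revision and date; use "# $Id: $" as in the new dla-38.wml. While here,
"to only accepts" in the second paragraph should read "to only accept".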

--- End Message ---
--- Begin Message ---
All patches applied (with some slight changes).

Thanks,
  Frank

--- End Message ---
