Here’s my (fourth) monthly update about the activities I’ve done in Debian this January.
This was my fourth month as a Debian LTS paid contributor.
I was assigned 23.75 hours and worked on the following things:
CVE Fixes and Announcements:
- Issued DLA 2060-1, fixing CVE-2020-5504, for phpmyadmin.
In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of their own username when creating queries to this page. An attacker must have a valid MySQL account to access the server.
For Debian 8 “Jessie”, this problem has been fixed in version 4:4.2.12-2+deb8u8.
Furthermore, worked on preparing the security update for Stretch and Buster with the original maintainer.
- Issued DLA 2063-1, fixing CVE-2019-3467 for debian-lan-config.
In debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server allowed password changes for other Kerberos user principals.
For Debian 8 “Jessie”, this problem has been fixed in version 0.19+deb8u2.
- Issued DLA 2070-1, fixing CVE-2019-16779, for ruby-excon.
In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response.
For Debian 8 “Jessie”, this problem has been fixed in version 0.33.0-2+deb8u1.
Furthermore, sent a patch to the Security team for Stretch and Buster.
P.S. this backporting took the most time and effort this month.
- Issued DLA 2090-1, fixing CVE-2020-7039, for qemu.
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.
For Debian 8 “Jessie”, this problem has been fixed in version 1:2.1+dfsg-12+deb8u13.
Checked with upstream of ruby-rack for their CVE fix which induces regression.
Worked a bit on ruby-rack-cors but couldn’t complete because of Amsterdam -> Brussels travel. Thanks to Brian for completing it \o/
This was a great month! MiniDebCamp -> FOSDEM -> Ruby Sprints. Blog post soon :D
In any case, in the month of January, I did the following work:
- ruby-haml-rails ~ 2.0.1-1 (to unstable).
Source-Only and Other Uploads:
- golang-github-zyedidia-pty ~ 1.1.1+git20180126.3036466-3 (to unstable).
- ruby-benchmark-suite ~ 1.0.0+git.20130122.5bded6-3 (to unstable).
- golang-github-robertkrimen-otto ~ 0.0+git20180617.15f95af-2~bpo10+1 (to buster-backports).
- golang-github-zyedidia-pty ~ 1.1.1+git20180126.3036466-3~bpo10+1 (to buster-backports).
- golang-github-mitchellh-go-homedir ~ 1.1.0-1~bpo10+1 (to buster-backports).
- golang-golang-x-sys ~ 0.0+git20190726.fc99dfb-1~bpo10+1 (to buster-backports).
- golang-github-mattn-go-isatty ~ 0.0.8-2~bpo10+1 (to buster-backports).
- golang-github-mattn-go-runewidth ~ 0.0.7-1~bpo10+1 (to buster-backports).
- golang-github-dustin-go-humanize ~ 1.0.0-1~bpo10+1 (to buster-backports).
- golang-github-blang-semver ~ 3.6.1-1~bpo10+1 (buster-backports).
- golang-github-flynn-json5 ~ 0.0+git20160717.7620272-2~bpo10+1 (to buster-backports).
- golang-github-zyedidia-terminal ~ 0.0+git20180726.533c623-2~bpo10+1 (to buster-backports).
- golang-github-go-errors-errors ~ 1.0.1-3~bpo10+1 (to buster-backports).
- python-debianbts ~ 3.0.2~bpo10+1 (to buster-backports).
- #945232 for ruby-benchmark-suite.
- #946904 for ruby-excon (CVE-2019-19779).
Reviews and Sponsored Uploads:
- phpmyadmin for William Desportes.
- Outreachy mentoring for GitLab project for Sakshi Sangwan.
- Raised various MRs upstream to sync Debian’s package version with GitLab’s upstream.
One exciting blog post coming very soon.
Until next time.
:wq for today.