Here’s my (fifth) monthly update about the activities I’ve done in Debian this February.
This was my fifth month as a Debian LTS paid contributor.
I was assigned 20.00 hours and worked on the following things:
CVE Fixes and Announcements:
- Issued DLA 2095-1, fixing CVE-2020-7040, for storebackup.
storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBackup.lock pathname, which allows symlink attacks that possibly lead to privilege escalation.
For Debian 8 “Jessie”, this problem has been fixed in version 3.2.1-1+deb8u1.
Furthermore, I sent the patch for the security update for Stretch and Buster to the maintainer.
- Issued DLA 2113-1, fixing CVE-2020-8631 and CVE-2020-8632 for cloud-init.
For CVE-2020-8631: cloud-init relies on the Mersenne Twister for generating a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.
For CVE-2020-8632: rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
For Debian 8 “Jessie”, these problems have been fixed in version 0.7.6~bzr976-2+deb8u1.
- Issued DLA 2116-1, fixing CVE-2015-9542, for libpam-radius-auth.
A vulnerability was found in pam_radius: the password length check was done incorrectly in the add_password() function in pam_radius_auth.c, resulting in a stack-based buffer overflow.
This could be used to crash (DoS) an application using the PAM stack for authentication.
For Debian 8 “Jessie”, this problem has been fixed in version 1.3.16-4.4+deb8u1.
- Issued DLA 2127-1, fixing CVE-2019-10785, for dojo.
dojox was vulnerable to Cross-site Scripting. This was due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them.
For Debian 8 “Jessie”, this problem has been fixed in version 1.10.2+dfsg-1+deb8u2.
- Whilst Dylan issued DLA 2120-1, fixing CVE-2020-8130, for rake, I, with the Ruby team hat on, fixed the same issue for Stretch and Buster via proposed-updates.
This CVE was fixed via 10.5.0-2+deb9u1 and 12.3.1-3+deb10u1 respectively.
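As an added illustration of the two cloud-init weaknesses above (this is example code, not cloud-init's own): the Mersenne Twister-based rand_str pattern beside a version that draws from the OS CSPRNG, plus a length check so that a too-small pwlen is refused. The alphabet, the 20-character length and the 100-bit floor are this example's assumptions, not cloud-init's values.

```python
import math
import random
import secrets
import string

# Constructed alphabet for this example (letters and digits); not cloud-init's.
ALPHABET = string.ascii_letters + string.digits


def rand_str_weak(strlen=32, select_from=ALPHABET, rng=random):
    """The pattern behind CVE-2020-8631: characters come from random.choice,
    i.e. the Mersenne Twister, whose output is fully determined by its
    internal state and is not designed for secrets."""
    return "".join(rng.choice(select_from) for _ in range(strlen))


def rand_str_hardened(strlen=32, select_from=ALPHABET):
    """Hardened variant: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(select_from) for _ in range(strlen))


def password_entropy_bits(pwlen, select_from=ALPHABET):
    """Guessing-work bound: log2(|alphabet|) bits per character."""
    return pwlen * math.log2(len(select_from))


def rand_user_password(pwlen=20, min_bits=100):
    """Generate a password and refuse lengths that are too short (the
    CVE-2020-8632 failure mode was a small default pwlen).  The default of
    20 characters and the 100-bit floor are assumptions of this example."""
    bits = password_entropy_bits(pwlen)
    if bits < min_bits:
        raise ValueError(f"pwlen={pwlen} yields only {bits:.0f} bits of entropy")
    return rand_str_hardened(pwlen)


def mt_is_reproducible(seed=1234, strlen=9):
    """Why the Mersenne Twister is unsuitable here: two generators in the
    same state emit the same 'random' password, so whoever knows (or
    recovers) the state knows the password.  secrets has no such seed."""
    first = rand_str_weak(strlen, rng=random.Random(seed))
    second = rand_str_weak(strlen, rng=random.Random(seed))
    return first == second


if __name__ == "__main__":
    print("MT output reproducible from state:", mt_is_reproducible())
    print("9 chars:", round(password_entropy_bits(9)), "bits")
    print("hardened password:", rand_user_password())
```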
Other LTS Work:
Triaged CVE-2020-1711 and CVE-2020-8608 with more precision and discussed the details with Ola.
Started working on rrdtool for CVE-2014-6262.
This was a great month! MiniDebCamp -> FOSDEM -> Ruby Sprints. Blog post soon :D
In the month of February, I did a lot of Debian work.
// given limited time in March, this section is yet to be updated.
One exciting blog post coming very soon.
Until next time.
:wq for today.