HEADSUP: Security updates outstanding

HEADSUP: Security updates outstanding

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Before packagers start focusing on 1.7, it appears that we still have a
number of security updates required for the 1.5 tree:

By maintainer
=============

ORPAHNED: apache2
Jari Aalto: mercurial, pngcrush, python-paramiko
Lapo Luchini: lighttpd
David Rothenberger: libvorbis
Reini Urban: icu
Charles Wilson: unzip
Dr. Volker Zell: gnutls, openldap

By package
==========

apache2
problem: multiple vulnerabilities (CVE-2007-6420, CVE-2008-1672/2364)
solution: bump to 2.2.9
info: http://www.gentoo.org/security/en/glsa/glsa-200807-06.xml

gnutls
problem: execution of arbitrary code (CVE-2008-1948/1949/1950)
solution: bump to 2.2.5+ (current stable 2.4.1)
info: http://www.gentoo.org/security/en/glsa/glsa-200805-20.xml

icu
problem: multiple vulnerabilities (CVE-2007-4770/4771)
solution: apply this patch:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff
info: http://www.gentoo.org/security/en/glsa/glsa-200803-20.xml

libvorbis
problem: heap-based buffer overflows (CVE-2008-1419/1420/1423)
solution: bump to 1.2.1-rc1, OR apply these patches to 1.2.0:
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1419.patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1420.patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/libvorbis/files/libvorbis-1.2.0-CVE-2008-1423.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200806-09.xml

lighttpd
problem: multiple vulnerabilities (CVE-2008-1270/1531)
solution: bump to 1.4.19 AND apply these patches:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-servers/lighttpd/files/1.4.19-r2/
info: http://www.gentoo.org/security/en/glsa/glsa-200804-08.xml

mercurial
problem: directory traversal (CVE-2008-2942)
solution: bump to 1.0.2
info: http://www.gentoo.org/security/en/glsa/glsa-200807-09.xml

openldap
problem: DoS (CVE-2008-2952)
solution: bump to 2.3.43 or 2.4.11
info: http://www.gentoo.org/security/en/glsa/glsa-200808-09.xml

pngcrush
problem: user-assisted execution of arbitrary code (CVE-2008-1382)
solution: bump to 1.6.7 and patch to use system libpng:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-gfx/pngcrush/files/pngcrush-1.6.7-modified_debian_patchset_1.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200805-10.xml

python-paramiko
problem: information disclosure (CVE-2008-0299)
solution: bump to 1.7.2
info: http://www.gentoo.org/security/en/glsa/glsa-200803-07.xml

unzip
problem: execution of arbitrary code (CVE-2008-0888)
solution: apply this patch
http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/app-arch/unzip/files/unzip-5.52-CVE-2008-0888.patch
info: http://www.gentoo.org/security/en/glsa/glsa-200804-06.xml



Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkioybQACgkQpiWmPGlmQSPcWgCg+iuHvJPW9zwZeRJVVkEzzYMW
1GcAoPQDveXwTGKE8u7Hp+/K4M3GM+XA
=+nV6
-----END PGP SIGNATURE-----

Re: HEADSUP: Security updates outstanding

[Christopher Faylor]

On Sun, Aug 17, 2008 at 08:00:36PM -0500, Yaakov (Cygwin Ports) wrote:
>Before packagers start focusing on 1.7, it appears that we still have a
>number of security updates required for the 1.5 tree:

I hate to suggest another mailing list but I wonder if we should have
another unarchived, closed list for discussing security issues.  The
recent setup.exe problem got me thinking that we might need something
like this.

I'm not suggesting that this email was inappropriate since these are all
known issues but maybe another mailing list might help focus on
important security issues.

Or should we just use this list and not worry about it?

cgf

Re: HEADSUP: Security updates outstanding

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christopher Faylor wrote:
> I hate to suggest another mailing list but I wonder if we should have
> another unarchived, closed list for discussing security issues.  The
> recent setup.exe problem got me thinking that we might need something
> like this.
> 
> I'm not suggesting that this email was inappropriate since these are all
> known issues but maybe another mailing list might help focus on
> important security issues.
> 
> Or should we just use this list and not worry about it?

The major problem that we have with security is that we don't have a
person/team which has advance notice of security issues like the Linux
distros have, and I have no idea how to go about changing that.  Right
now I have to wait for the issues to be public in order to know about them.

If we can set up a "security team" from the core group of maintainers
and start getting advance notices, then we definitely will need a way of
communicating in private.  I would agree to such a list for the
"security team" only, but I would suggest it be used in tandem with
"closed" Bugzilla entries.  This would allow including a maintainer on a
per-issue basis, and once the issue is public, the bug could then be opened.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkio4XoACgkQpiWmPGlmQSMw2gCfTphwMrLIN46o5aw/LLzosmvs
oZ8An32yfI0TzcfNolwkw69qf749Iu5k
=3J3u
-----END PGP SIGNATURE-----

Re: HEADSUP: Security updates outstanding

[David Rothenberger]

On 8/17/2008 6:00 PM, Yaakov (Cygwin Ports) wrote:
> libvorbis
> problem: heap-based buffer overflows (CVE-2008-1419/1420/1423)

1.2.0-2, released May 14, 2008, includes patches for these issues.[1]

[1] http://cygwin.com/ml/cygwin-announce/2008-05/msg00009.html

-- 
David Rothenberger  ----  daveroth@acm.org

QOTD:
        "Our parents were never our age."

Re: HEADSUP: Security updates outstanding

[Reini Urban]

2008/8/18 Yaakov (Cygwin Ports):
> Before packagers start focusing on 1.7, it appears that we still have a
> number of security updates required for the 1.5 tree:
>
> By maintainer
> =============
>
> ORPAHNED: apache2
> Jari Aalto: mercurial, pngcrush, python-paramiko
> Lapo Luchini: lighttpd
> David Rothenberger: libvorbis
> Reini Urban: icu
> Charles Wilson: unzip
> Dr. Volker Zell: gnutls, openldap

Thanks a heap for checking.
I haven't got these.

icu will be fixed together with the new parrot-0.7.0.
Probably Tuesday or Wednesday.
-- 
Reini Urban
http://phpwiki.org/ http://murbreak.at/

Re: HEADSUP: Security updates outstanding

[Reini Urban]

2008/8/18 Reini Urban:
> icu will be fixed together with the new parrot-0.7.0.
> Probably Tuesday or Wednesday.

Oops. I just checked my source. This fix is already in the current
icu-3.8-3 as I based it on yours.
PATCH_URI="
        mirror://portage/dev-libs/${PN}/files/${PN}-3.8-setBreakType-public.diff
	mirror://portage/dev-libs/${PN}/files/${PN}-3.8-regexp-CVE-2007-4770+4771.diff"

These are all old ones.
-- 
Reini Urban
http://phpwiki.org/ http://murbreak.at/

Re: HEADSUP: Security updates outstanding

[Christopher Faylor]

On Sun, Aug 17, 2008 at 09:42:02PM -0500, Yaakov (Cygwin Ports) wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Christopher Faylor wrote:
>> I hate to suggest another mailing list but I wonder if we should have
>> another unarchived, closed list for discussing security issues.  The
>> recent setup.exe problem got me thinking that we might need something
>> like this.
>> 
>> I'm not suggesting that this email was inappropriate since these are all
>> known issues but maybe another mailing list might help focus on
>> important security issues.
>> 
>> Or should we just use this list and not worry about it?
>
>The major problem that we have with security is that we don't have a
>person/team which has advance notice of security issues like the Linux
>distros have, and I have no idea how to go about changing that.  Right
>now I have to wait for the issues to be public in order to know about them.

Either Corinna or I can ask the Red Hat person responsible for these
matters how we can "sign up" for this wonderful duty.

>If we can set up a "security team" from the core group of maintainers
>and start getting advance notices, then we definitely will need a way of
>communicating in private.  I would agree to such a list for the
>"security team" only, but I would suggest it be used in tandem with
>"closed" Bugzilla entries.  This would allow including a maintainer on a
>per-issue basis, and once the issue is public, the bug could then be opened.

Yes, I thought we'd use closed Bugzilla for this.  I actually am kicking
myself for not suggesting this during the setup.exe security problem.
We were using Red Hat's bugzilla for that and the person who reported
the problem was continually confused by the fact that this wasn't a Red
Hat issue.  They were just kindly letting us use their bugzilla in a no
good dead goes unpunished kind of way.

cgf

Re: HEADSUP: Security updates outstanding

[Corinna Vinschen]

On Aug 18 09:09, Christopher Faylor wrote:
> On Sun, Aug 17, 2008 at 09:42:02PM -0500, Yaakov (Cygwin Ports) wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA256
> >
> >Christopher Faylor wrote:
> >> I hate to suggest another mailing list but I wonder if we should have
> >> another unarchived, closed list for discussing security issues.  The
> >> recent setup.exe problem got me thinking that we might need something
> >> like this.
> >> 
> >> I'm not suggesting that this email was inappropriate since these are all
> >> known issues but maybe another mailing list might help focus on
> >> important security issues.
> >> 
> >> Or should we just use this list and not worry about it?
> >
> >The major problem that we have with security is that we don't have a
> >person/team which has advance notice of security issues like the Linux
> >distros have, and I have no idea how to go about changing that.  Right
> >now I have to wait for the issues to be public in order to know about them.
> 
> Either Corinna or I can ask the Red Hat person responsible for these
> matters how we can "sign up" for this wonderful duty.

Personally I'm kind of not interested to go this road.  If I learn about
a problem in an upstream package, I update.  If anybody else want's to
take over responsibility for security problems, I certainly don't stand
in the way, of course.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: HEADSUP: Security updates outstanding

[Yaakov (Cygwin Ports)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Corinna Vinschen wrote:
> Personally I'm kind of not interested to go this road.  If I learn about
> a problem in an upstream package, I update.  If anybody else want's to
> take over responsibility for security problems, I certainly don't stand
> in the way, of course.

While that seems to work for you, when applied to the entire distro
there are some pitfalls:

1) According to the cygwin-pkg-maint file, there are currently 56
"active" package maintainers.  We can't assume that everyone is as
diligent -- or in the know -- as you are.

2) Even if they would be, most of the time we would still be playing
"catch-up", first updating when the issue is public instead of
coordinating beforehand like the linux distros.

3) We have absolutely no way of handling the case where a maintainer is
away (or MIA) when we need an urgent bump/patch.

Having a security team and a private list would allow us to deal with
all these things responsibly.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkipyJQACgkQpiWmPGlmQSPwGgCgs78m1gu7SqcTp60/uvh64a6C
k+gAoN5D0+Ro1o4A9RdeBJ/1XXuR5I8v
=RKHP
-----END PGP SIGNATURE-----

Re: HEADSUP: Security updates outstanding

[Corinna Vinschen]

On Aug 18 14:08, Yaakov (Cygwin Ports) wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Corinna Vinschen wrote:
> > Personally I'm kind of not interested to go this road.  If I learn about
> > a problem in an upstream package, I update.  If anybody else want's to
> > take over responsibility for security problems, I certainly don't stand
> > in the way, of course.
> 
> While that seems to work for you, when applied to the entire distro
> there are some pitfalls:
> [...]
> Having a security team and a private list would allow us to deal with
> all these things responsibly.

I thought that's integrated in the "I certainly don't stand in the way"
part.  I'm just not interested having to take over that responsibility
or having to drive this process through.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

RFU: mercurial, pngcrush, python-paramiko (was: Re: HEADSUP: Security updates outstanding)

[Jari Aalto]

"Yaakov (Cygwin Ports)"
<yselkowitz-Rn4VEauK+AKRv+LV9MX5uipxlwaOVQ5f@public.gmane.org> writes:

> Before packagers start focusing on 1.7, it appears that we still have
> a number of security updates required for the 1.5 tree:
>
> By maintainer
> =============
>
> Jari Aalto: mercurial, pngcrush, python-paramiko

FYI, my capacity to participate is severily restrained for the rest of
the year because thunderstorm wiped out all my home network (several
servers, hard disks etc.)

I managed to pull old copies from cygwin.com and upgrade these. Please
upload.

Jari

wget \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1-cygwin.patch \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1.sh \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1-src.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2.tar.gz \
    http://cante.net/~jaalto/tmp/cygwin/mercurial/setup.hint

wget \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1-cygwin.patch \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1.sh \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1-src.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush_1.6.7.orig.tar.gz \
    http://cante.net/~jaalto/tmp/cygwin/pngcrush/setup.hint

wget \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1-cygwin.patch \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1.sh \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1-src.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1.tar.bz2 \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4.tar.gz \
    http://cante.net/~jaalto/tmp/cygwin/python-paramiko/setup.hint

Re: RFU: mercurial, pngcrush, python-paramiko (was: Re: HEADSUP: Security updates outstanding)

[Corinna Vinschen]

On Aug 20 14:51, Jari Aalto wrote:
> FYI, my capacity to participate is severily restrained for the rest of
> the year because thunderstorm wiped out all my home network (several
> servers, hard disks etc.)

Not good.  I'm sorry to read that.

> I managed to pull old copies from cygwin.com and upgrade these. Please
> upload.
> 
> Jari
> 
> wget \
>     http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1-src.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/mercurial/mercurial-1.0.2-1.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/mercurial/setup.hint

Uploaded.

> wget \
>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1-src.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/setup.hint

Is it really correct that libpng12 and zlib are dropped from the requirements?

> wget \
>     http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1-src.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/python-paramiko/python-paramiko-1.7.4-1.tar.bz2 \
>     http://cante.net/~jaalto/tmp/cygwin/python-paramiko/setup.hint

Uploaded.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Re: RFU: mercurial, pngcrush, python-paramiko

[Jari Aalto]

Corinna Vinschen <corinna-cygwin@cygwin.com> writes:

> On Aug 20 14:51, Jari Aalto wrote:
>> wget \
>>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1-src.tar.bz2 \
>>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1.tar.bz2 \
>>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/setup.hint
>
> Is it really correct that libpng12 and zlib are dropped from the requirements?

It should be in there. Just in case, please download again. My copy
might have been incorrect.

Jari

wget -O - http://cante.net/~jaalto/tmp/cygwin/pngcrush/setup.hint

desc: "Optimize PNG image files"
ldesc: "An optimizer for PNG (Portable Network Graphics) files. Its main
purpose is to reduce the size of the PNG IDAT data stream by trying
various compression levels and PNG filter methods. It also can be used
to remove unwanted ancillary chunks, or to add certain chunks
including gAMA, tRNS, and textual chunks."
category: Graphics
requires: cygwin libpng12 zlib

Re: RFU: mercurial, pngcrush, python-paramiko

[Corinna Vinschen]

On Aug 20 15:34, Jari Aalto wrote:
> Corinna Vinschen <corinna-cygwin@cygwin.com> writes:
> 
> > On Aug 20 14:51, Jari Aalto wrote:
> >> wget \
> >>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1-src.tar.bz2 \
> >>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/pngcrush-1.6.7-1.tar.bz2 \
> >>     http://cante.net/~jaalto/tmp/cygwin/pngcrush/setup.hint
> >
> > Is it really correct that libpng12 and zlib are dropped from the requirements?
> 
> It should be in there. Just in case, please download again. My copy
> might have been incorrect.

Nope, my fault.  I read the diff between the old and the new setup.hint
file in the wrong direction.  Sorry.

Uploaded.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat