Package: www.debian.org
Severity: normal
Tags: patch
X-Debbugs-CC: debian-...@lists.debian.org
* wrong references in dla-20
* missing wireshark advisory (dla-38), no one sent to d-d-a
* wrong dla ID for "dla-54" sent and created as dla-53
* missing "real" dla-54

see the bottom of the mail

p.s.: scripts are not all-round genius; scripts cannot decide if the source is valid, scripts cannot fix issues in the source, scripts do just as instructed. then, YOU NEED TO CHECK AND FIX THE GENERATED CONTENTS YOURSELF

-- victory

no need to CC me :-)

Index: english/security/2014/dla-20.wml =================================================================== --- english/security/2014/dla-20.wml (revision 193) +++ english/security/2014/dla-20.wml (working copy) @@ -8,9 +8,9 @@ (Closes: #679897), closes <a href="https://security-tracker.debian.org/tracker/CVE-2012-3512">CVE-2012-3512</a>.</li> <li>plugins: use runtime $ENV{MUNIN_PLUGSTATE}. So all properly written plugins will use /var/lib/munin-node/plugin-state/$uid/$some_file now please report plugins that are still using /var/lib/munin/plugin-state/ as those might pose a security risk!</li> -<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048">CVE-2013-6048</a>.</li> <li>Don't abort data collection for a node due to malicious node, fixing - munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359">CVE-2013-6359</a>.</li> + munin#1397, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6048">CVE-2013-6048</a>.</li> +<li>Validate multigraph plugin name, <a href="https://security-tracker.debian.org/tracker/CVE-2013-6359">CVE-2013-6359</a>.</li> </ul> <p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in munin version 1.4.5-3+deb6u1</p> Index: english/security/2014/dla-38.data =================================================================== --- english/security/2014/dla-38.data (nonexistent) +++ english/security/2014/dla-38.data (working copy) 
@@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-38-1 wireshark</define-tag> +<define-tag report_date>2014-8-20</define-tag> +<define-tag secrefs>CVE-2014-5161 CVE-2014-5162 CVE-2014-5163</define-tag> +<define-tag packages>wireshark</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + Index: english/security/2014/dla-38.wml =================================================================== --- english/security/2014/dla-38.wml (nonexistent) +++ english/security/2014/dla-38.wml (working copy) @@ -0,0 +1,25 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> + +<ul> + <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5161">CVE-2014-5161</a>, + <a href="https://security-tracker.debian.org/tracker/CVE-2014-5162">CVE-2014-5162</a>: + + <p>The Catapult DCT2000 and IrDA dissectors could underrun a buffer. + It may be possible to make Wireshark crash by injecting a malformed packet onto + the wire or by convincing someone to read a malformed packet trace file.</p></li> + + <li><a href="https://security-tracker.debian.org/tracker/CVE-2014-5163">CVE-2014-5163</a>: + + <p>The GSM Management dissector could crash. + It may be possible to make Wireshark crash by injecting a malformed packet onto + the wire or by convincing someone to read a malformed packet trace file.</p></li> +</ul> + +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in wireshark version 1.2.11-6+squeeze15</p> + +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/security/2014/dla-38.data" +# $Id: $ Index: english/security/2014/dla-53.data =================================================================== --- english/security/2014/dla-53.data (revision 193) +++ english/security/2014/dla-53.data (working copy) 
@@ -1,10 +1,10 @@ -<define-tag pagetitle>DLA-53-1 gnupg</define-tag> -<define-tag report_date>2014-9-14</define-tag> -<define-tag secrefs>CVE-2014-5270</define-tag> -<define-tag packages>gnupg</define-tag> -<define-tag isvulnerable>yes</define-tag> -<define-tag fixed>yes</define-tag> -<define-tag fixed-section>no</define-tag> - -#use wml::debian::security - +<define-tag pagetitle>DLA-53-1 apt</define-tag> +<define-tag report_date>2014-9-3</define-tag> +<define-tag secrefs>CVE-2014-0487 CVE-2014-0488 CVE-2014-0489</define-tag> +<define-tag packages>apt</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + Index: english/security/2014/dla-53.wml =================================================================== --- english/security/2014/dla-53.wml (revision 193) +++ english/security/2014/dla-53.wml (working copy) 
@@ -1,15 +1,16 @@ <define-tag description>LTS security update</define-tag> <define-tag moreinfo> -<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal -encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).</p> +<p>It was discovered that APT, the high level package manager, does not +properly invalidate unauthenticated data (<a +href="https://security-tracker.debian.org/tracker/CVE-2014-0488">CVE-2014-0488</a>), +performs incorrect verification of 304 replies (<a +href="https://security-tracker.debian.org/tracker/CVE-2014-0487">CVE-2014-0487</a>) +and does not perform the checksum check when the Acquire::GzipIndexes option is used +(<a href="https://security-tracker.debian.org/tracker/CVE-2014-0489">CVE-2014-0489</a>).</p> -<p>In addition, this update hardens GnuPG's behaviour when treating keyserver -responses; GnuPG now filters keyserver responses to only accepts those -keyids actually requested by the user.</p> - -<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p> +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in apt version 0.8.10.3+squeeze3</p> </define-tag> # do not modify the following line #include "$(ENGLISHDIR)/security/2014/dla-53.data" -# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $ +# $Id: $ Index: english/security/2014/dla-54.data =================================================================== --- english/security/2014/dla-54.data (nonexistent) +++ english/security/2014/dla-54.data (working copy) 
@@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-53-1 gnupg</define-tag> +<define-tag report_date>2014-9-14</define-tag> +<define-tag secrefs>CVE-2014-5270</define-tag> +<define-tag packages>gnupg</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + Index: english/security/2014/dla-54.wml =================================================================== --- english/security/2014/dla-54.wml (nonexistent) +++ english/security/2014/dla-54.wml (working copy) @@ -0,0 +1,15 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>Genkin, Pipman and Tromer discovered a side-channel attack on Elgamal +encryption subkeys (<a href="https://security-tracker.debian.org/tracker/CVE-2014-5270">CVE-2014-5270</a>).</p> + +<p>In addition, this update hardens GnuPG's behaviour when treating keyserver +responses; GnuPG now filters keyserver responses to only accepts those +keyids actually requested by the user.</p> + +<p>For Debian 6 <q>Squeeze</q>, these issues have been fixed in gnupg version 1.4.10-4+squeeze6</p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/security/2014/dla-53.data" +# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $
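Review bot: the dla-20.wml hunk swaps the two munin CVE references (CVE-2013-6048 now sits on the munin#1397 "don't abort data collection" item and CVE-2013-6359 on the "Validate multigraph plugin name" item) with no supporting reference anywhere in the patch or the bug text; add a pointer to the munin changelog or the linked security-tracker entries so the committer can confirm the new mapping, since the swap itself is the only evidence offered and an advisory that attaches the wrong CVE to a fix is worse than one that is merely incomplete.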
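Review bot: in the dla-53.wml hunk the expanded header `# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $` is replaced by the bare `# $Id: $`; that matches the new files in this patch, but the stamp only comes back if keyword expansion is enabled for the file in the repository, so either leave the expanded line untouched or confirm it is re-expanded on commit. The replaced body text itself is consistent with the rewritten dla-53.data in the same patch (apt, report_date 2014-9-3, CVE-2014-0487, CVE-2014-0488 and CVE-2014-0489).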
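Review bot: the new dla-54.data still carries `<define-tag pagetitle>DLA-53-1 gnupg</define-tag>`, the title copied over from the old dla-53.data; it should read `DLA-54-1 gnupg`, otherwise the dla-54 page is published under the DLA-53 title that this same patch reassigns to apt.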
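Review bot: the new dla-54.wml includes the wrong data file and keeps a stale header: `#include "$(ENGLISHDIR)/security/2014/dla-53.data"` must become `dla-54.data`, because as written the gnupg text would be rendered with the apt metadata from the rewritten dla-53.data, and `# $Id: dla-53.wml,v 1.2 2016/04/08 20:32:21 djpig Exp $` should be the bare `# $Id: $` used by the other new files in this patch. Minor wording in the same hunk: `to only accepts those keyids` should read `to only accept those keyids`.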