Vulnerability Roundup 2

[grahamc]

Here are all the vulnerabilities from https://lwn.net/Vulnerabilities since our last hunt.

Notes on the list

1. Some of these were probably resolved the last hunt, as I believe 10 of the issues got dropped at some point. I don't know how, but I'm thinking this list will go quickly. 19 of these issues are new.
2. The reports have been roughly grouped by the package name. This isn't perfect, but is intended to help identify if a whole group of reports is resolved already.
3. Some issues will be duplicated, because it affects multiple packages. For example, there are sometimes problems that impact thunderbird, and firefox. LWN might report in one vulnerability "thunderbird firefox". These names have been split to make sure both packages get addressed.
4. By each issue is a link to code search for the package name, and a Github search by filename. These are to help, but may not return results when we do in fact package the software. If a search doesn't turn up, please try altering the search criteria or looking in nixpkgs manually before asserting we don't have it.

   Instructions:

5. Triage a report: If we don't have the software or our version isn't vulnerable, tick the box or add a comment with the report number, stating it isn't vulnerable.
6. Fix the issue: If we do have the software and it is vulnerable, either leave a comment on this issue saying so, even open a pull request with the fix. If you open a PR, make sure to tag this issue so we can coordinate.
7. When an entire section is completed, move the section to the "Triaged and Resolved Issues" details block below.

Without further ado...

Assorted (26 issues)

• [x] #701931 (search, files) mozilla: denial of service
• [x] #647618 (search, files) python-tornado: side-channel attack
• [x] #679619 (search, files) OpenVPN: multiple vulnerabilities
• [x] #701926 (search, files) qemu: multiple vulnerabilities
• [x] #701920 (search, files) mactelnet: code execution
• [x] #701727 (search, files) wordpress: multiple vulnerabilities
• [x] #701931 (search, files) mozilla: denial of service
• [x] #684319 (search, files) systemd: two vulnerabilities
• [x] #701999 (search, files) python-django: cross-site request forgery
• [x] #702118 (search, files) bind: denial of service
• [x] #701923 (search, files) bash: code execution
• [x] #701921 (search, files) policycoreutils: sandbox escape
• [x] #616041 (search, files) rubygem-bundler: installs malicious gem files
• [x] #633546 (search, files) cups: buffer overflow
• [x] #701739 (search, files) shiro: access control bypass
• [x] #701734 (search, files) openvas-libraries: multiple vulnerabilities
• [x] #675696 (search, files) nghttp2: denial of service
• [x] #680462 (search, files) putty: code execution
• [x] #701735 (search, files) openvas-scanner: denial of service
• [x] #676795 (search, files) poco: SSL server spoofing
• [x] #701917 (search, files) imagemagick: code execution
• [x] #683853 (search, files) postgresql: two vulnerabilities
• [x] #701918 (search, files) dwarfutils: two vulnerabilities
• [x] #698651 (search, files) borgbackup: directory traversal
• [x] #680795 (search, files) proftpd: weak key usage
• [x] #701997 (search, files) wireshark: denial of service

  freerdp (2 issues) Note: triage indicates Gentoo is running 1.1.0 beta? 1.0.2 doesn't seem to have a fix.

• [x] #702121 (search, files) freerdp: denial of service
• [x] #604034 (search, files) freerdp: two vulnerabilities

  openssl (2 issues)

• [x] #702000 (search, files) openssl: denial of service
• [x] #701729 (search, files) openssl: multiple vulnerabilities

[grahamc]

This one took under an hour :)

[Mic92]

openvpn:

• unstable has 2.3.12
• stable has 2.3.10
• the cve report talks update an update to openvpn-2.3.4
• openvpn 2.3.11: says "Fixed port-share bug with DoS potential" -> so this upgrade might be worse

UPDATE, oh I was to slow :)

[grahamc]

Thanks, @Mic92! 16.03 has 2.3.10? we should probably backport that. Would you like to do the honors?

[Mic92]

Upgrade straight to 2.3.12? There were mostly bug fixes in this version.

[aneeshusa]

@grahamc, do you know if there is an RSS/Atom feed for the LWN vulnerabilities? I couldn't find one.

[grahamc]

@aneeshusa I don't think there is one. if you want to chat more, I'd rather talk about it over IRC? gchristensen

[grahamc]

@Mic92 yep, straight to 2.3.12.

[Mic92]

done: https://github.com/NixOS/nixpkgs/commit/1abec08343e6ec11c31ffe9a1844d80b098ef98d