Debian Bug report logs - #911797
Multiple vulnerabilities

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 24 Oct 2018 21:36:01 UTC

Severity: grave

Tags: security

Fixed in version open-build-service/2.9.4-1

Done: Andrew Lee (李健秋) <ajqlee@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911797; Package src:open-build-service. (Wed, 24 Oct 2018 21:36:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 24 Oct 2018 21:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple vulnerabilities
Date: Wed, 24 Oct 2018 23:32:34 +0200
Source: open-build-service
Severity: grave
Tags: security

Please verify whether these affect OBS as packaged in Debian:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12466

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911797; Package src:open-build-service. (Fri, 26 Oct 2018 07:36:06 GMT)


Acknowledgement sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Oct 2018 07:36:06 GMT)


Message #10 received at 911797@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: Debian Bug Tracking System <911797@bugs.debian.org>
Subject: Re: Multiple vulnerabilities
Date: Fri, 26 Oct 2018 15:24:27 +0800
Source: open-build-service
Followup-For: Bug #911797


Hi, thanks for reporting these. I've checked and found:

* CVE-2018-12477 not affected:
  - This is a 3rd party that wasn't packaged in our open-build-service
    package:
    https://github.com/openSUSE/obs-service-refresh_patches

* CVE-2018-12478 not affected:
  - This is a 3rd party that wasn't packaged in our open-build-service
    package:
    https://github.com/openSUSE/obs-service-replace_using_package_version

* CVE-2018-12479 needs to be forwarded upstream:
  - This probably needs a backport patch. Patches from the pull request
    didn't apply on our OBS 2.7.4:
    https://github.com/openSUSE/open-build-service/pull/5880

* CVE-2018-12467 needs to be forwarded upstream:
  - This probably needs a backport patch. The patches are only found
    in the master branch on upstream GitHub, not in the 2.9 and 2.7
    branches upstream. The patch wasn't able to apply on our
    OBS 2.7.4:
    https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063

* CVE-2018-12466 probably not affected:
  - This pointed to the same commit on upstream GitHub, and the URL
    provided in the CVE lists vulnerable products that don't
    include OBS 2.7.x:
    https://www.securityfocus.com/bid/104958

Best regards,
-Andrew



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911797; Package src:open-build-service. (Fri, 26 Oct 2018 10:21:09 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 26 Oct 2018 10:21:09 GMT)


Message #15 received at 911797@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Andrew Lee (李健秋) <ajqlee@debian.org>
Cc: Debian Bug Tracking System <911797@bugs.debian.org>
Subject: Re: Multiple vulnerabilities
Date: Fri, 26 Oct 2018 12:17:24 +0200

On Fri, Oct 26, 2018 at 03:24:27PM +0800, Andrew Lee (李健秋) wrote:
> * CVE-2018-12466 probably not affected:
>   - This pointed to the same commit on upstream GitHub, and the URL
>     provided in the CVE lists vulnerable products that don't
>     include OBS 2.7.x:
>     https://www.securityfocus.com/bid/104958

The affected versions listed on securityfocus.com are mostly meaningless,
I don't think there's real research behind them.

Better contact upstream to have them clarify the status for 2.7.


Also, I think it would be good if OBS as packaged in Debian would
explicitly state the scope of support/intended purpose (e.g.
in README.Debian).

This most probably isn't meant to operate a public service like
the one operated by SuSE? What's the intended scope/audience/use
case? Building a trusted source for a number of platforms/distros
or are untrusted uploads/permission management in scope?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#911797; Package src:open-build-service. (Fri, 02 Nov 2018 08:51:03 GMT)


Acknowledgement sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 02 Nov 2018 08:51:03 GMT)


Message #20 received at 911797@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: Debian Bug Tracking System <911797@bugs.debian.org>
Subject: Re: Multiple vulnerabilities
Date: Fri, 02 Nov 2018 16:46:20 +0800
Source: open-build-service
Followup-For: Bug #911797

Thanks for the suggestion.

I've opened an issue on upstream:
    https://github.com/openSUSE/open-build-service/issues/6166

Explicitly stating the scope of support/intended purpose is also a good
idea, as I don't think this package is targeting operating a public
service like build.opensuse.org.

I think it's more likely for people who want such a tool to:
- build and maintain their customized distro
- build their own software for multiple distros
in a private or public network with access control.

Best regards,
-Andrew



Reply sent to Andrew Lee (李健秋) <ajqlee@debian.org>:
You have taken responsibility. (Thu, 07 Feb 2019 09:36:13 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 07 Feb 2019 09:36:13 GMT)


Message #25 received at 911797-close@bugs.debian.org:

From: Andrew Lee (李健秋) <ajqlee@debian.org>
To: 911797-close@bugs.debian.org
Subject: Bug#911797: fixed in open-build-service 2.9.4-1
Date: Thu, 07 Feb 2019 09:34:27 +0000
Source: open-build-service
Source-Version: 2.9.4-1

We believe that the bug you reported is fixed in the latest version of
open-build-service, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <ajqlee@debian.org> (supplier of updated open-build-service package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 07 Feb 2019 16:51:58 +0800
Source: open-build-service
Binary: obs-api obs-productconverter obs-server obs-utils obs-worker
Architecture: source all
Version: 2.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Andrew Lee (李健秋) <ajqlee@debian.org>
Description:
 obs-api    - Open Build Service (API)
 obs-productconverter - Open Build Service (product definition utility)
 obs-server - Open Build Service (server component)
 obs-utils  - Open Build Service (utilities)
 obs-worker - Open Build Service (build host component)
Closes: 853161 903796 903797 911797 917427 918402
Changes:
 open-build-service (2.9.4-1) unstable; urgency=medium
 .
   [ Dan Nicholson ]
   * debian/control: Add Vcs-* links.
 .
   [ Andrew Lee (李健秋) ]
   * New upstream release version 2.9.4. Closes: #918402, #903797, #903796.
     Fixes: CVE-2018-12467, CVE-2018-7689, CVE-2018-7688.
   * Refreshed use-ruby2.5.patch.
   * Refresh gemfile-tweaks.patch. Dropped embedded gem.
   * Drop drop-test-and-development-depends.patch.
   * Drop drop-ruby-hoptoad-notifier.patch.
   * Drop rails-4-gem-assets.patch.
   * Refreshed FHS-path.patch.
   * Refreshed and rename to do-not-install-fillups-and-initscripts.patch.
   * Drop Rakefile-fix.patch.
   * Drop fix-privacy-breach-piwik.patch.
   * Refreshed jquery-ui.patch.
   * Refreshed Do-not-ship-database.yml.patch.
   * Drop localgem.patch.
   * Drop CVE-2017-5188.patch.
   * Drop fix-kiwitree-symlink.patch.
   * Drop handle-links-properly.patch.
   * Drop dist-Use-2.7-packages-for-testing.patch.
   * debian/control: build-deps on rails (>= 5.1.1).
   * Drop airbrake, airbrake-ruby and its related code.
   * Drop peek-dalli and peek-mysql2.
   * Adjust new build-deps.
   * Refresh gemfile-tweaks.patch.
   * Added do-not-run-rake-at-build-time.patch.
   * Added obsdeltastore.service file.
   * Install missing files.
 .
   [ Lucas Kanashiro ]
   * debian/copyright: remove symlink from listed files
   * Drop debian/missing-sources
   * Remove the debian/localgem directory
   * Do not depend or recommend obsolete packages
   * Build depends on python instead of python-dev
   * Improve the obs-api package description
   * Use dh_missing to list missing files
   * Update config files copied to /etc
   * Call dh_install even overriding it
   * Add jquery.js missing source
   * Add patch to not allow one to load external JS in runtime
   * Runtime depends on libjs-html5shiv
   * Do not use recursive chown
   * Fix the script's perl interpreter path
   * Make obs-api runtime depends on adduser
   * Add some basic autopkgtests
   * debian/obs-api.postinst: enable obs apache2 site config
   * Use deb-systemd-invoke instead of invoke-rc.d
   * d/obs-server.postrm: check if group exists before remove it
   * Do not move database.yml.example to /etc
 .
   [ Andrew Lee (李健秋) ]
   * No signd support by default in Debian OBS.
   * Adjust permissions for obs 2.9 rails app.
 .
   [ Lucas Kanashiro ]
   * Add another basic autopkgtest
   * Add myself to Uploaders
   * Add patch fixing CVE-2018-12479. Closes: #911797
   * Do not enable obsworker service when it is installed
   * Do not install empty directory in obs-server package
   * Do not install empty directory in obs-api package
   * Declare compliance with Debian Policy 4.3.0
   * Add Vcs-{Git,Browser} fields
 .
   [ Lucas Kanashiro ]
   * Update debian/changelog
   * debian/changelog: add missing entries
 .
   [ Andrew Lee (李健秋) ]
   * Refine changelog to have Dan Nicholson's change on top
 .
   [ Lucas Kanashiro ]
   * Remove duplicated VCS links
   * d/rake-tasks.sh: do not chown non-existent file
   * d/patch/CVE-2018-12479.patch: use APIException
   * d/rake-tasks.sh: run ts:index task using production env
 .
   [ Andrew Lee (李健秋) ]
   * d/rake-tasks.sh: touch the file if it does not exist yet for the chown
     command.
   * Refreshed obsapidelayed init script changes from upstream.
   * Fix minor code style mistake in obsapidelayed init script.
   * Clean up mistake in refreshed obsapidelayed init script.
   * debian/control: obs-worker depends on tar. (Closes:#917427)
   * Added systemd obsapidelayed.service file.
   * Added systemd obsworker@.service file. (Closes:#853161)
   * debian/README.Debian: added how to run worker with systemd.
   * Added versioned depends on tar to avoid lintian error.
   * debian/obs-api.postinst: add a fallback hostname to make it install
     in autopkgtest.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:09:56 2019; Machine Name: beach