Debian Bug report logs - #988289
htmldoc: CVE-2019-19630


Package: src:htmldoc; Maintainer for src:htmldoc is Håvard F. Aasen <havard.f.aasen@pfft.no>;

Affects: htmldoc-common

Reported by: Andreas Beckmann <anbe@debian.org>

Date: Sun, 9 May 2021 17:36:01 UTC

Severity: serious

Tags: security

Found in version htmldoc/1.8.27-8

Fixed in versions htmldoc/1.9.7-1, htmldoc/1.9.3-1+deb10u1, htmldoc/1.8.27-8+deb8u1, htmldoc/1.8.27-8+deb9u1

Done: Håvard Flaget Aasen <haavard_aasen@yahoo.no>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Sun, 09 May 2021 17:36:04 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Sun, 09 May 2021 17:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: htmldoc: CVE-2019-19630
Date: Sun, 09 May 2021 19:33:19 +0200
Source: htmldoc
Version: 1.8.27-8
Severity: serious
Tags: security
User: debian-qa@lists.debian.org
Usertags: piuparts
Control: fixed -1 1.8.27-8+deb8u1
Control: fixed -1 1.9.7-1

Hi,

CVE-2019-19630 is fixed in jessie-lts but not stretch-lts, making
upgrades difficult since jessie-security has a newer version than
stretch(-security).
Please upload the fix to stretch-lts, too.
And as it looks, this is also unfixed in buster.

 htmldoc | 1.8.27-8        | jessie          | source
 htmldoc | 1.8.27-8        | stretch         | source
 htmldoc | 1.8.27-8+deb8u1 | jessie-security | source
 htmldoc | 1.9.3-1         | buster          | source
 htmldoc | 1.9.11-2        | bullseye        | source
 htmldoc | 1.9.11-2        | sid             | source


Andreas
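The upgrade problem in this report is a consequence of dpkg's version ordering: 1.8.27-8+deb8u1 sorts above 1.8.27-8, so a jessie-security system moving to stretch keeps the old package and never receives stretch's updates. The following Python port of that ordering is an added example, not code from the bug report or from htmldoc; the function names and the BEFORE/AFTER suite tables are my own, built from the versions quoted above, and the same check generalizes to any package's suite-to-suite path.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg's order(): '~' sorts before anything (even end of string),
    # letters before other symbols; digits and end of string weigh 0.
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): walk alternating (non-digit run, digit run) pairs;
    # non-digit runs compare char by char, digit runs by numeric value.
    runs = r"(\D*)(\d*)"
    pairs = zip_longest(re.findall(runs, a), re.findall(runs, b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return d
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b like `dpkg --compare-versions`."""
    def split(v):  # -> (epoch, upstream_version, debian_revision)
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def upgrade_path_problems(path):
    """path = [(suite, version), ...] in upgrade order; returns each hop where the
    next suite ships a lower version, so apt keeps the old package and never updates it."""
    return [(s1, v1, s2, v2) for (s1, v1), (s2, v2) in zip(path, path[1:])
            if compare_versions(v1, v2) > 0]

# Versions taken from the rmadison table in the report (jessie-security > stretch).
BEFORE = [("jessie-security", "1.8.27-8+deb8u1"), ("stretch", "1.8.27-8"),
          ("buster", "1.9.3-1"), ("bullseye", "1.9.11-2")]
# Same path once stretch and buster carry the "Fixed in versions" uploads.
AFTER = [("jessie-security", "1.8.27-8+deb8u1"), ("stretch", "1.8.27-8+deb9u1"),
         ("buster", "1.9.3-1+deb10u1"), ("bullseye", "1.9.11-2")]
```

`upgrade_path_problems(BEFORE)` reports the jessie-security to stretch hop, while `upgrade_path_problems(AFTER)` is empty because +deb9u1 sorts above +deb8u1.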



Marked as fixed in versions htmldoc/1.8.27-8+deb8u1. Request was from Andreas Beckmann <anbe@debian.org> to submit@bugs.debian.org. (Sun, 09 May 2021 17:36:04 GMT)


Marked as fixed in versions htmldoc/1.9.7-1. Request was from Andreas Beckmann <anbe@debian.org> to submit@bugs.debian.org. (Sun, 09 May 2021 17:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Sun, 09 May 2021 19:03:03 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Sun, 09 May 2021 19:03:03 GMT)


Message #14 received at 988289@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: 988289@bugs.debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Mon, 10 May 2021 00:28:43 +0530
Hello,

That's pretty unfortunate what happened. Since I fixed this in jessie
(back when it was LTS), I'll take care of stretch (now that it's LTS)
and subsequently buster as well. Thanks!



Added indication that 988289 affects htmldoc-common. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 09 May 2021 19:30:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#988289; Package src:htmldoc. (Mon, 10 May 2021 21:42:03 GMT)


Acknowledgement sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Extra info received and forwarded to list. (Mon, 10 May 2021 21:42:03 GMT)


Message #21 received at 988289@bugs.debian.org:

From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
To: 988289@bugs.debian.org
Cc: utkarsh@debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Mon, 10 May 2021 21:39:29 +0000
On Mon, 10 May 2021 00:28:43 +0530 Utkarsh Gupta <utkarsh@debian.org> wrote:
> Hello,
> 
> That's pretty unfortunate what happened. Since I fixed this in jessie
> (back when it was LTS), I'll take care of stretch (now that it's LTS)
> and subsequently buster as well. Thanks!
> 
> 


Hi Utkarsh,

I wasn't aware this versioning could be a problem.

I can make a release to buster if you want. I would need a sponsor
though, so if you're determined, I won't rip it out of your hands.

Regardless of who does it, can we fix CVE-2021-20308 [0] as well? It's
marked as unimportant, but since we are already preparing packages...

I've prepared a release to unstable and bullseye with the fix for
CVE-2021-20308; it's on the mentors site now.

Håvard

[0] https://security-tracker.debian.org/tracker/CVE-2021-20308



Information forwarded to debian-bugs-dist@lists.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Tue, 11 May 2021 13:12:02 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Tue, 11 May 2021 13:12:02 GMT)


Message #26 received at 988289@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Cc: 988289@bugs.debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Tue, 11 May 2021 18:37:39 +0530
Hi Håvard,

On Tue, May 11, 2021 at 3:09 AM Håvard Flaget Aasen
<haavard_aasen@yahoo.no> wrote:
> I wasn't aware this versioning could be a problem.

Yep, a big one sometimes :)

> I can make a release to buster if you want. I would need a sponsor
> though, so if you're determined, I won't rip it out of your hands.

That'd be helpful, thank you! Please let me know when you have a dsc ready?

> Regardless of who does it, can we fix CVE-2021-20308 [0] as well? It's
> marked as unimportant, but since we are already preparing packages...

Absolutely, by all means!

> I've prepared a release to unstable and bullseye with the fix for
> CVE-2021-20308; it's on the mentors site now.

Since this CVE is "unimportant", uploading to bullseye won't make
sense. Rather we can upload to unstable and file an unblock request,
that'd be a good way out here.

That said, I couldn't find the dsc there; could you send the link to
the dsc for unstable, and I'll be very happy to sponsor the upload. Thanks!
:)


- u



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#988289; Package src:htmldoc. (Tue, 11 May 2021 20:45:02 GMT)


Acknowledgement sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Extra info received and forwarded to list. (Tue, 11 May 2021 20:45:02 GMT)


Message #31 received at 988289@bugs.debian.org:

From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: 988289@bugs.debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Tue, 11 May 2021 22:41:29 +0200
Hi Utkarsh,

> 
>> I can make a release to buster if you want. I would need a sponsor
>> though, so if you're determined, I won't rip it out of your hands.
> 
> That'd be helpful, thank you! Please let me know when you have a dsc ready?
I've got the release ready for buster and uploaded it to mentors [0]. I
also sent a request to the RM for buster-pu, but haven't got any
response yet [1].
> 
>> Regardless of who does it, can we fix CVE-2021-20308 [0] as well? It's
>> marked as unimportant, but since we are already preparing packages...
> 
> Absolutely, by all means!
> 
>> I've prepared a release to unstable and bullseye with the fix for
>> CVE-2021-20308; it's on the mentors site now.
> 
> Since this CVE is "unimportant", uploading to bullseye won't make
> sense. Rather we can upload to unstable and file an unblock request,
> that'd be a good way out here.
> 
> That said, I couldn't find the dsc there; could you send the link to
> the dsc for unstable, and I'll be very happy to sponsor the upload. Thanks!
> :)
> 

I was lucky with the sponsoring to unstable, the package got uploaded
earlier today. I also got it unblocked, so it will migrate to bullseye.


Håvard

[0] https://mentors.debian.net/package/htmldoc/
[1] https://bugs.debian.org/#988365




Information forwarded to debian-bugs-dist@lists.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Tue, 11 May 2021 22:15:04 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Tue, 11 May 2021 22:15:04 GMT)


Message #36 received at 988289@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Cc: 988289@bugs.debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Wed, 12 May 2021 03:43:16 +0530
Hi Håvard,

On Wed, May 12, 2021 at 2:11 AM Håvard Flaget Aasen
<haavard_aasen@yahoo.no> wrote:
> I've got the release ready for buster and uploaded it to mentors [0]. I
> also sent a request to the RM for buster-pu, but haven't got any
> response yet [1].

Thanks for the buster update; uploaded! \o/
You'll not receive any reply to the -pu bug unless the release team has
some problem with it. However, you'll receive a reply when someone
from the release team batch-accepts the uploads from the proposed
queue.

So basically, we're all good and set!

> I was lucky with the sponsoring to unstable, the package got uploaded
> earlier today. I also got it unblocked, so it will migrate to bullseye.

Awesome, thank you!


- u



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#988289; Package src:htmldoc. (Wed, 12 May 2021 15:39:02 GMT)


Acknowledgement sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Extra info received and forwarded to list. (Wed, 12 May 2021 15:39:02 GMT)


Message #41 received at 988289@bugs.debian.org:

From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
To: Utkarsh Gupta <utkarsh@debian.org>
Cc: 988289@bugs.debian.org
Subject: Re: Bug#988289: htmldoc: CVE-2019-19630
Date: Wed, 12 May 2021 17:35:04 +0200

On 12.05.2021 00:13, Utkarsh Gupta wrote:
> Hi Håvard,
> 
> On Wed, May 12, 2021 at 2:11 AM Håvard Flaget Aasen
> <haavard_aasen@yahoo.no> wrote:
>> I've got the release ready for buster and uploaded it to mentors [0]. I
>> also sent a request to the RM for buster-pu, but haven't got any
>> response yet [1].
> 
> Thanks for the buster update; uploaded! \o/
> You'll not receive any reply to the -pu bug unless the release team has
> some problem with it. However, you'll receive a reply when someone
> from the release team batch-accepts the uploads from the proposed
> queue.
> 
> So basically, we're all good and set!
> 
>> I was lucky with the sponsoring to unstable, the package got uploaded
>> earlier today. I also got it unblocked, so it will migrate to bullseye.
> 
> Awesome, thank you!
> 
> 
> - u
> 

Thanks for the sponsoring, Utkarsh!

I made a package for stretch as well, and uploaded it to mentors. [0]
Though I'm not sure about this LTS stuff. So far the package I made
just targets "stretch"; otherwise it's quite identical to the package you
sponsored to buster.

If you have your own package it might be better suited.


Håvard



Information forwarded to debian-bugs-dist@lists.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Thu, 13 May 2021 11:27:02 GMT)


Acknowledgement sent to Utkarsh Gupta <utkarsh@debian.org>:
Extra info received and forwarded to list. Copy sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Thu, 13 May 2021 11:27:03 GMT)


Message #46 received at 988289@bugs.debian.org:

From: Utkarsh Gupta <utkarsh@debian.org>
To: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Cc: 988289@bugs.debian.org
Subject: Re: Bug#988289: htmldoc: CVE-2019-19630
Date: Thu, 13 May 2021 16:51:35 +0530
Hi Håvard,

On Wed, May 12, 2021 at 9:05 PM Håvard Flaget Aasen
<haavard_aasen@yahoo.no> wrote:
> Thanks for the sponsoring, Utkarsh!

You're very welcome! :)

> I made a package for stretch as well, and uploaded it to mentors. [0]
> Though I'm not sure about this LTS stuff. So far the package I made
> just targets "stretch"; otherwise it's quite identical to the package you
> sponsored to buster.
>
> If you have your own package it might be better suited.

Thanks, again. I have had a patch prepared, too. This will help me
compare and verify that everything's indeed in order.

Further, we have a slightly different workflow: we upload to -security
(since there is no pu) and have to announce and publish an update for the
website. I'll do them all, just letting you know. Thanks, again!


- u



Reply sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
You have taken responsibility. (Sun, 04 Jul 2021 20:45:03 GMT)


Notification sent to Andreas Beckmann <anbe@debian.org>:
Bug acknowledged by developer. (Sun, 04 Jul 2021 20:45:03 GMT)


Message #51 received at 988289-done@bugs.debian.org:

From: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
To: 988289-done@bugs.debian.org
Subject: Re: htmldoc: CVE-2019-19630
Date: Sun, 4 Jul 2021 22:39:56 +0200
Control: fixed -1 1.8.27-8+deb9u1
Control: fixed -1 1.9.3-1+deb10u1

Hi,

Patches from upstream have been applied to fix CVE-2019-19630, in both
stretch and buster.
The version in stretch is now 1.8.27-8+deb9u1, which also eases the
upgrade from jessie.


Regards,
Håvard



Information forwarded to debian-bugs-dist@lists.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>:
Bug#988289; Package src:htmldoc. (Sun, 04 Jul 2021 22:00:02 GMT)


Acknowledgement sent to Andreas Beckmann <anbe@debian.org>:
Extra info received and forwarded to list. Copy sent to Håvard Flaget Aasen <haavard_aasen@yahoo.no>. (Sun, 04 Jul 2021 22:00:02 GMT)


Message #56 received at 988289@bugs.debian.org:

From: Andreas Beckmann <anbe@debian.org>
To: 988289@bugs.debian.org, Håvard Flaget Aasen <haavard_aasen@yahoo.no>
Subject: Re: Bug#988289 closed by Håvard Flaget Aasen <haavard_aasen@yahoo.no> (Re: htmldoc: CVE-2019-19630)
Date: Sun, 4 Jul 2021 23:58:23 +0200
Control: fixed -1 1.8.27-8+deb9u1
Control: fixed -1 1.9.3-1+deb10u1

'Control: bts command' does not work on -done@, thus I am resending the commands.


Andreas



Marked as fixed in versions htmldoc/1.8.27-8+deb9u1. Request was from Andreas Beckmann <anbe@debian.org> to 988289-submit@bugs.debian.org. (Sun, 04 Jul 2021 22:00:03 GMT)


Marked as fixed in versions htmldoc/1.9.3-1+deb10u1. Request was from Andreas Beckmann <anbe@debian.org> to 988289-submit@bugs.debian.org. (Sun, 04 Jul 2021 22:00:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Aug 2021 07:27:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Oct 8 03:06:35 2023; Machine Name: buxtehude
