[Secure-testing-team] Bug#857083: [bugreport-ng] Vault 7 Security Vulnerabilities Debian

Francewhoa francewhoa+bugs.debian.org at ubertus.com
Tue Mar 7 21:39:46 UTC 2017


Package: bugreport-ng
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi there Debian enthusiasts :)

If this security vulnerabilities report is not sent to the correct
package(s) team, could you please redirect it to the correct package(s)
team?

- - -

Could the following security vulnerabilities exposed by WikiLeaks on
March 7, 2017 affect Debian? Official press release at
https://wikileaks.org/ciav7p1/#PRESS

Edward Snowden is currently reviewing WikiLeaks' published documents
about Vault 7 security vulnerabilities. Snowden wrote: "genuinely a big
deal. Looks authentic." and "catastrophic weaknesses", which were kept
open by both the CIA & FBI "to spy" on you and the Linux community.

"Vault 7" reveals:

• Classified manuals for CIA malware to infest Linux. Sources and secret
documents at:
https://twitter.com/wikileaks/status/839151511838015488
https://wikileaks.org/ciav7p1/cms/files/UsersGuide.pdf
https://wikileaks.org/ciav7p1/cms/files/DevelopersGuide.pdf

• Gaping holes in all popular operating systems. Source:
https://twitter.com/wikileaks/status/839132303280451587
https://wikileaks.org/ciav7p1/

• The CIA created a huge amount of weaponized malware. Source at:
https://twitter.com/wikileaks/status/839122455738339328

• CIA illicitly hoarded 'zero day' attacks, putting at risk industry,
government. Source at:
https://twitter.com/wikileaks/status/839119536012001280

- - -

Edward Snowden wrote:

• "Still working through the publication, but what wikileaks has here is
genuinely a big deal. Looks authentic." Source at
https://twitter.com/Snowden/status/839157182872576000

• "What makes this look real? Program & office names, such as the JQJ
(IOC) crypt series, are real. Only a cleared insider could know them."
Source at https://twitter.com/Snowden/status/839159736977227777

• "The CIA reports show the USG developing vulnerabilities in US
products, then intentionally keeping the holes open. Reckless beyond
words." Source at https://twitter.com/Snowden/status/839171129331830784

• "If you're writing about the CIA/@Wikileaks story, here's the big
deal: first public evidence USG secretly paying to keep US software
unsafe." Source at https://twitter.com/Snowden/status/839168025517522944

• "Evidence mounts showing CIA & FBI knew about catastrophic weaknesses
in the most-used smartphones in America, but kept them open -- to spy."
Source at https://twitter.com/Snowden/status/839193727751098368

- - -

One secret leaked file describes how the CIA writes its malware code to
obscure its USG origin at
https://wikileaks.org/ciav7p1/cms/page_14588467.html

Currently 607 Vault 7 documents are related to the CIA's hacking tools at
https://search.wikileaks.org/?query=debian&exact_phrase=&any_of=&exclude_words=&document_date_start=&document_date_end=&released_date_start=&released_date_end=&publication_type%5B%5D=51&new_search=False&order_by=most_relevant#results

Search all Vault 7: CIA hacking tools at https://wikileaks.org/ciav7p1/

By the way, "bugreport-ng" required me to enter a package name to fill in
this security vulnerability report. Otherwise it's ignored completely.
So I randomly picked the "bugreport-ng" package. I'm not a security expert,
so I need help to identify which package(s) are affected. Any volunteers
to help with that? The links above go to documents with more details.
The "openssh" package might be one affected package?

Cheers,

Francewhoa


--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-4-amd64

Debian Release: 7.11
500 oldstable-updates ftp.ca.debian.org
500 oldstable security.debian.org
500 oldstable ftp.ca.debian.org
100 wheezy-backports ftp.debian.org

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.


