[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7e3a4a4 by Anton Gladky at 2022-10-03T10:01:51+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,10 +79,10 @@ libdatetime-timezone-perl (Emilio)
 --
 linux (Ben Hutchings)
 --
-mbedtls (Utkarsh)
+mbedtls
   NOTE: 20220821: Programming language: C.
 --
-netatalk (Stefano Rivera)
+netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
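
Review bot: The `mbedtls` and `netatalk` lines lose their claimant with no dated NOTE recording the release, so after this change the file no longer shows that `mbedtls` was held by Utkarsh, and the only trace left for `netatalk` is the `(stefanor)` signature on the 20220912 note. Appending a line such as `NOTE: 20221003: Unclaimed after 2 weeks of inactivity.` to each entry would keep that history in the file itself rather than only in the git log.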



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7e3a4a486614207cb5d7d990a5bfd39c1555b9d



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


Bug#1012993: marked as pending in lomiri-thumbnailer

2022-10-02 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1012993 in lomiri-thumbnailer reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ubports-team/lomiri-thumbnailer/-/commit/451c874dfb0cfa2f2f51f7e188b10d255ab3b259


Add missing header. (Closes: #1012993)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1012993



[Git][security-tracker-team/security-tracker][master] LTS: claim curl in dla-needed.txt

2022-09-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93c327e4 by Anton Gladky at 2022-09-30T16:31:16+02:00
LTS: claim curl in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ bluez
   NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --
-curl
+curl (gladk)
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
@@ -59,7 +59,7 @@ golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)
   NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
-  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921 
+  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921
 --
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
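
Review bot: The `golang-1.11` change on the `NOTE: 20220916: CVE-2020-28367 ...` line only strips trailing whitespace and is unrelated to the subject "LTS: claim curl in dla-needed.txt". Splitting it into its own commit would keep the claim commit to the single `curl (gladk)` line and make it possible to revert either change independently.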



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93c327e4e2abe4c032943e0fc655b781d29cdf8b



[SECURITY] [DLA 3122-1] dovecot security update

2022-09-26 Thread Anton Gladky

- -
Debian LTS Advisory DLA-3122-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
September 27, 2022                            https://wiki.debian.org/LTS
- -

Package: dovecot
Version: 1:2.3.4.1-5+deb10u7
CVE ID : CVE-2021-33515 CVE-2022-30550

Two security issues were discovered in dovecot: IMAP and POP3 email server.

CVE-2021-33515

The submission service in Dovecot before 2.3.15 allows STARTTLS command
injection in lib-smtp. Sensitive information can be redirected to an
attacker-controlled address.

CVE-2022-30550

When two passdb configuration entries exist with the same driver and args
settings, incorrectly applied settings can lead to an unintended security
configuration and can permit privilege escalation in certain configurations.

For Debian 10 buster, these problems have been fixed in version
1:2.3.4.1-5+deb10u7.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3122-1 for dovecot

2022-09-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7c7cb8f by Anton Gladky at 2022-09-27T06:08:00+02:00
Reserve DLA-3122-1 for dovecot

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -29107,7 +29107,6 @@ CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 
allows a remote attacker to
 CVE-2022-30550 (An issue was discovered in the auth component in Dovecot 2.2 
and 2.3 b ...)
- dovecot 1:2.3.19.1+dfsg1-2 (bug #1016351)
[bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u1
-   [buster] - dovecot  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/9
NOTE: 
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
NOTE: 
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
@@ -92518,7 +92517,6 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 
1.0.7 and 1.1.x and 1.2.
NOTE: 
https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac
 (master)
 CVE-2021-33515 (The submission service in Dovecot before 2.3.15 allows 
STARTTLS comman ...)
- dovecot 1:2.3.13+dfsg1-2 (bug #990566)
-   [buster] - dovecot  (Minor issue, fix along with next update)
[stretch] - dovecot  (Vulnerable code 
(smtp_server_command queue) introduced later)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/2


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Sep 2022] DLA-3122-1 dovecot - security update
+   {CVE-2021-33515 CVE-2022-30550}
+   [buster] - dovecot 1:2.3.4.1-5+deb10u7
 [26 Sep 2022] DLA-3121-1 firefox-esr - security update
{CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 
CVE-2022-40960 CVE-2022-40962}
[buster] - firefox-esr 102.3.0esr-1~deb10u2


=
data/dla-needed.txt
=
@@ -30,11 +30,6 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-dovecot (Anton)
-  NOTE: 20220913: Programming language: C.
-  NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
-  NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)
---
 exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
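
Review bot: The removed `dovecot` entry's 20220913 note counts "1 CVE fixed in Debian 11.5 + 2 other postponed CVEs", that is three issues, while the `data/DLA/list` hunk in this same commit records only `{CVE-2021-33515 CVE-2022-30550}` for DLA-3122-1. Before dropping the entry from dla-needed.txt, confirm that the third issue has an explicit buster status in `data/CVE/list`, since nothing in this commit accounts for it.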



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7c7cb8f7e52ce9961dd40e9c18573e80a2a519d



[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28200 as ignored for buster

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c7a7e4d by Anton Gladky at 2022-09-26T07:20:01+02:00
Mark CVE-2020-28200 as ignored for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -137214,7 +137214,7 @@ CVE-2020-28201
 CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled 
Resource ...)
- dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323)
[bullseye] - dovecot  (Minor issue, fix along with next 
update)
-   [buster] - dovecot  (Minor issue, fix along with next update)
+   [buster] - dovecot  (Minor issue, backport is too disruptive)
[stretch] - dovecot  (Minor issue)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/3
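
Review bot: The new buster reason "(Minor issue, backport is too disruptive)" states a conclusion but gives a later reader nothing to check it against, and the bullseye line above still reads "fix along with next update", so the two suites now diverge without explanation. A NOTE under this CVE naming what makes the backport disruptive on buster would let someone re-evaluate the decision later.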



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c7a7e4debcab7ece80328ba3b4c8f5aee44d729



[Git][security-tracker-team/security-tracker][master] LTS: take dovecot

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7f8f3d0 by Anton Gladky at 2022-09-25T12:30:34+02:00
LTS: take dovecot

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,7 +27,7 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-dovecot
+dovecot (Anton)
   NOTE: 20220913: Programming language: C.
   NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
   NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7f8f3d0648ba55c543088f90ceb18610d11773d



Bug#1013616: Thanks

2022-09-23 Thread Anton Gladky
Thanks, Jonathan, for the patch!


Anton


-- 
debian-science-maintainers mailing list
debian-science-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers


Bug#978748: libboost-dev: Boost 1.75

2022-09-22 Thread Anton Gladky
Hi Andrea,

it is "in work". We will definitely need people
for testing, filing and fixing bugs during transition.

Thanks for the proposal!

Best regards

Anton


On Thu, 22 Sept 2022 at 19:47, Andrea Pappacoda <and...@pappacoda.it> wrote:

> On Fri, 22 Apr 2022 17:39:35 +0200 Anton Gladky
>  wrote:
>  > I did some work a couple of months ago, packaging 1.78.
>  > It worked, but I did not have time to finish it. I would probably
>  > continue this work soon to prepare 1.79 or even 1.80 for the
>  > next stable Debian version.
>
> Hi Anton, what's the status of your boost 1.80 packaging? I'm currently
> having issues with a couple of packages depending on Boost because 1.74
> contains a few bugs, and I'd be happy to help you with preparing the
> next version if needed.
>
>
>


Bug#1019061: Done

2022-09-20 Thread Anton Gladky
gnuplot-data is built. Thus closing.

Cheers

Anton




Re: RFS: solvespace/3.1+ds1-2 [RC] [Team] -- Parametric 2d/3d CAD

2022-09-20 Thread Anton Gladky
Ok, uploaded! Thanks!


Anton


On Tue, 20 Sept 2022 at 18:35, Ryan Pavlik <ryan.pav...@gmail.com> wrote:

> Ah, thanks for the reminder. I have submitted that request.
>
> On Tue, Sep 20, 2022 at 12:11 AM Anton Gladky 
> wrote:
> >
> > Hi Ryan,
> >
> > thanks for the update. I will sponsor the package.
> >
> > But please note, just dropping the arch from the list of supported
> > ones is not enough to get the package into the archive.
> > You have to request the binary removal from the archive on a specific
> > arch, filing a bug against ftp.debian.org.
> >
> > Best regards
> >
> > Anton
> >
> >
> > On Mon, 19 Sept 2022 at 21:00, Ryan Pavlik <ryan.pav...@gmail.com> wrote:
> >>
> >> Hello science packagers,
> >>
> >> I've updated the SolveSpace package to fix the RC bug - unfortunately
> >> by excluding the architecture with the problem, since I couldn't
> >> reproduce it or debug it further here. Please review and submit. The
> >> source package has been uploaded to Mentors, and the salsa repo is
> >> updated.
> >>
> >> To access further information about this package, please visit the
> >> following URL:
> >>
> >>   https://mentors.debian.net/package/solvespace/
> >>
> >> Alternatively, you can download the package with 'dget' using this command:
> >>
> >>   dget -x https://mentors.debian.net/debian/pool/main/s/solvespace/solvespace_3.1+ds1-2.dsc
> >>
> >> Changes since the last upload:
> >>
> >>  solvespace (3.1+ds1-2) unstable; urgency=medium
> >>  .
> >>    * Team upload.
> >>    * Drop s390x architecture due to test failures. Closes: #1013163
> >>    * Bump Standards-Version to 4.6.1. No changes required.
> >>    * d/copyright: Update
> >>    * Update lintian overrides.
> >>
> >>
> >> Ryan Pavlik
> >>
>


Re: RFS: solvespace/3.1+ds1-2 [RC] [Team] -- Parametric 2d/3d CAD

2022-09-19 Thread Anton Gladky
Hi Ryan,

thanks for the update. I will sponsor the package.

But please note, just dropping the arch from the list of supported
ones is not enough to get the package into the archive.
You have to request the binary removal from the archive on a specific
arch, filing a bug against ftp.debian.org.

Best regards

Anton


On Mon, 19 Sept 2022 at 21:00, Ryan Pavlik <ryan.pav...@gmail.com> wrote:

> Hello science packagers,
>
> I've updated the SolveSpace package to fix the RC bug - unfortunately
> by excluding the architecture with the problem, since I couldn't
> reproduce it or debug it further here. Please review and submit. The
> source package has been uploaded to Mentors, and the salsa repo is
> updated.
>
> To access further information about this package, please visit the
> following URL:
>
>   https://mentors.debian.net/package/solvespace/
>
> Alternatively, you can download the package with 'dget' using this command:
>
>   dget -x https://mentors.debian.net/debian/pool/main/s/solvespace/solvespace_3.1+ds1-2.dsc
>
> Changes since the last upload:
>
>  solvespace (3.1+ds1-2) unstable; urgency=medium
>  .
>    * Team upload.
>    * Drop s390x architecture due to test failures. Closes: #1013163
>    * Bump Standards-Version to 4.6.1. No changes required.
>    * d/copyright: Update
>    * Update lintian overrides.
>
>
> Ryan Pavlik
>
>


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-09-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df0164da by Anton Gladky at 2022-09-20T06:11:01+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,7 +121,7 @@ pluxml
   NOTE: 20220913: Programming language: PHP.
   NOTE: 20220913: Special attention: orphaned package.
 --
-poppler (Markus Koschany)
+poppler
   NOTE: 20220904: Programming language: C.
 --
 python-django



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df0164daceb9175987ccb1ec6083d683b4d05089



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-09-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
30bc6ef3 by Anton Gladky at 2022-09-12T22:27:01+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -13,7 +13,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-asterisk (Markus Koschany)
+asterisk
   NOTE: 20220810: Programming language: C.
   NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
   NOTE: 20220829: bullseye and buster. (apo)
@@ -66,7 +66,7 @@ mariadb-10.3
 mbedtls
   NOTE: 20220821: Programming language: C.
 --
-mediawiki (Markus Koschany)
+mediawiki
   NOTE: 20220810: Programming language: PHP.
   NOTE: 20220829: Will be released soon. (apo)
 --
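
Review bot: On the `mediawiki` entry, the claim is removed even though its latest note, `NOTE: 20220829: Will be released soon. (apo)`, is dated exactly two weeks before this commit (2022-09-12) and reports that an upload is close. Check with the claimant before releasing it, or append a dated NOTE saying the pending work was dropped, so a new claimant does not duplicate a nearly finished update.
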
@@ -159,7 +159,7 @@ samba
 snort
   NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to 
be fixed or ignored.
 --
-sox (Abhijith PA)
+sox
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30bc6ef3b327268f10b2b1cdbb9c2e5f0bac3356



Re: Updating OpenStack compute (aka src:nova) in Buster

2022-09-11 Thread Anton Gladky
Hi Thomas,

thanks for the note. I have added the package into the data/dla_needed.txt with
the corresponding message. So, somebody will take care of it.

Best regards


Anton


On Sun, 11 Sept 2022 at 12:51, Thomas Goirand wrote:

> Hi,
>
> In the OpenStack team git, there are updates for nova 2:18.1.0-6+deb10u1
> (CVE-2019-14433/ OSSA-2019-003). Can someone pick it up and upload it to
> Buster? It was never accepted in Buster due to the difficulties
> communicating with the Stable release team (too slow response, etc. that
> leads to /me giving up...). Though IMO, it'd be a very good candidate
> for buster LTS.
>
> The latest Buster version is in the debian/rocky branch at:
> https://salsa.debian.org/openstack-team/services/nova/
>
> How to proceed? Can I simply upload the normal way? IS there a 3rd party
> peer reviewing accepting / rejecting uploads for LTS?
>
> Cheers,
>
> Thomas Goirand (zigo)
>
>


[Git][security-tracker-team/security-tracker][master] Add nova into the dla-needed.txt

2022-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83635025 by Anton Gladky at 2022-09-12T07:09:02+02:00
Add nova into the dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -84,6 +84,13 @@ nodejs (Sylvain Beucler)
   NOTE: 20220801: Programming language: JavaScript, C/C++, Python.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue 
(jmm)
 --
+nova
+  NOTE: 20220912: Programming language: Python.
+  NOTE: 20220912: VCS: https://salsa.debian.org/openstack-team/services/nova
+  NOTE: 20220912: Maintainer notes: Contact original maintainer: zigo.
+  NOTE: 20220912: Please see: 
https://lists.debian.org/debian-lts/2022/09/msg00030.html.
+  NOTE: 20220912: Current branch to package: 
https://salsa.debian.org/openstack-team/services/nova/-/tree/debian/rocky/nova
+--
 openexr
   NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)
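
Review bot: The new `nova` entry never names the issue to be fixed; a reader has to follow the `Please see:` link to the debian-lts request to learn that it concerns CVE-2019-14433. Adding the CVE id to one of the NOTE lines would make the entry self-contained and searchable.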



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8363502520a11e51b30c6cfe2a2bf1f066f15b67



[Git][security-tracker-team/security-tracker][master] Mark lxd-issues as not-affected.

2022-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dc352c6c by Anton Gladky at 2022-09-11T22:08:02+02:00
Mark lxd-issues as not-affected.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -394864,9 +394864,9 @@ CVE-2016-1583 (The ecryptfs_privileged_open function 
in fs/ecryptfs/kthread.c in
{DSA-3607-1 DLA-516-1}
- linux 4.6.2-1
 CVE-2016-1582 (LXD before 2.0.2 does not properly set permissions when 
switching an u ...)
-   - lxd  (bug #768073)
+   - lxd  (Fixed before initial upload to Debian)
 CVE-2016-1581 (LXD before 2.0.2 uses world-readable permissions for 
/var/lib/lxd/zfs. ...)
-   - lxd  (bug #768073)
+   - lxd  (Fixed before initial upload to Debian)
 CVE-2016-1580 (The setup_snappy_os_mounts function in the ubuntu-core-launcher 
packag ...)
NOT-FOR-US: ubuntu-core-launcher
 CVE-2016-1579 (UDM provides support for running commands after a download is 
complete ...)
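
Review bot: Both `lxd` lines in this hunk (CVE-2016-1582 and CVE-2016-1581) replace `(bug #768073)` with a free-text reason, which drops the only bug reference these entries had. If that bug is what shows the fix predates the first Debian upload, keep it reachable, for example in a NOTE under each CVE.
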
@@ -400798,7 +400798,7 @@ CVE-2015-8224 (Huawei P8 before GRA-CL00C92B210, 
before GRA-L09C432B200, before
 CVE-2015-8223 (Huawei P7 before P7-L00C17B851, P7-L05C00B851, and 
P7-L09C92B85, and P ...)
NOT-FOR-US: Huawei
 CVE-2015-8222 (The lxd-unix.socket systemd unit file in the Ubuntu lxd package 
before ...)
-   - lxd  (bug #768073)
+   - lxd  (Fixed before initial upload to Debian)
 CVE-2015-8221 (Integer overflow in Google Picasa before 3.9.140 Build 259 
allows remo ...)
NOT-FOR-US: Google Picasa
 CVE-2015-8220 (Stack-based buffer overflow in the URI handler in DWRCC.exe in 
SolarWi ...)
@@ -420872,7 +420872,7 @@ CVE-2015-1342 (LXCFS before 0.12 does not properly 
enforce directory escapes, wh
 CVE-2015-1341 (Any Python module in sys.path can be imported if the command 
line of t ...)
NOT-FOR-US: Apport
 CVE-2015-1340 (LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has 
an unsa ...)
-   - lxd  (bug #768073)
+   - lxd  (Fixed before initial upload to Debian)
 CVE-2015-1339 (Memory leak in the cuse_channel_release function in 
fs/fuse/cuse.c in  ...)
- linux 4.4.2-1
[jessie] - linux  (Vulnerable code introduced in v4.2-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc352c6c236346f8c79c384da94455c6340afec9



[Git][security-tracker-team/security-tracker][master] 2 commits: Fix formatting in dla-needed.txt

2022-09-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c70e639d by Anton Gladky at 2022-09-11T21:38:07+02:00
Fix formatting in dla-needed.txt

- - - - -
4b503835 by Anton Gladky at 2022-09-11T21:39:15+02:00
Fix merge conflicts

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -141,11 +141,12 @@ sox (Abhijith PA)
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --
 sqlite3 (Chris Lamb)
-  NOTE: 20220905: Programming language: C
+  NOTE: 20220905: Programming language: C.
+  NOTE: 20220905: VCS: https://salsa.debian.org/lts-team/packages/sqlite3.git
   NOTE: 20220905: The three remaining issues seems to be simple enough to 
warrant a fix.
 --
 trafficserver
-  NOTE: 20220905: Programming language: C
+  NOTE: 20220905: Programming language: C.
 --
 unzip
   NOTE: 20220904: Programming language: C.
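
Review bot: The `sqlite3` part of this hunk adds a new line, `NOTE: 20220905: VCS: https://salsa.debian.org/lts-team/packages/sqlite3.git`, which is new content rather than the formatting fix the commit subject announces (the trailing `.` after `Programming language: C`). Move the VCS note to its own commit, or mention it in the subject.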



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4053740f09dc75c762cb9dfdf9e83a77c4e566b7...4b5038351aeeacc8b716c865a78abda120c0515a



Bug#1019061: Root cause is #1019061

2022-09-05 Thread Anton Gladky
Hi,

thanks for the bug report.

The main problem is #1017698. Gnuplot cannot be built
due to missing build-dep on emacs-nox.

Regards

Anton




[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-09-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f047c4c by Anton Gladky at 2022-09-05T22:54:31+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -41,7 +41,7 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-exiv2 (Roberto C. Sánchez)
+exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
 --
@@ -59,14 +59,14 @@ kopanocore
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
 libgoogle-gson-java
-  NOTE: 20220905: Programming language Java.
+  NOTE: 20220905: Programming language: Java.
 --
 libraw
   NOTE: 20220904: Programming language: C++.
 --
 linux (Ben Hutchings)
 --
-mbedtls (Utkarsh)
+mbedtls
   NOTE: 20220821: Programming language: C.
 --
 mediawiki (Markus Koschany)
@@ -85,7 +85,7 @@ openexr
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
 pcs
-  NOTE: 20220905: Programming language: Python
+  NOTE: 20220905: Programming language: Python.
   NOTE: 20220905: Local access needed to get exploit the vulnerability.
   NOTE: 20220905: One could argue that the vulnerability is in 
Thin::Backends::UnixServer:connect
   NOTE: 20220905: since the solution is to override that function with a new 
umask.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f047c4c2868cea63cd9b90b98858643ac6a4f59



[Git][security-tracker-team/security-tracker][master] Resurrect thunderbird (some more opened CVEs)

2022-09-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4e3e79b by Anton Gladky at 2022-09-04T22:54:18+02:00
Resurrect thunderbird (some more opened CVEs)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -110,6 +110,9 @@ sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --
+thunderbird
+  NOTE: 20220904: Programming language: C++.
+--
 upx-ucl (Thorsten Alteholz)
   NOTE: 20220820: Programming language: C.
   NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb)
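
Review bot: The re-added `thunderbird` entry carries only the `Programming language: C++.` note, while the subject says it is resurrected for "some more opened CVEs". Add a NOTE listing those CVE ids so the next claimant can tell them apart from CVE-2022-38472, CVE-2022-38473 and CVE-2022-38478, which DLA-3097-1 already covers.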



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4e3e79bb6886ac8b3e54fde532f89a9cab3ee80



[SECURITY] [DLA 3097-1] thunderbird security update

2022-09-04 Thread Anton Gladky

- -
Debian LTS Advisory DLA-3097-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
September 04, 2022                            https://wiki.debian.org/LTS
- -

Package: thunderbird
Version: 1:91.13.0-1~deb10u1
CVE ID : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478

Multiple security issues were discovered in Thunderbird, which could
result in denial of service or the execution of arbitrary code.

For Debian 10 buster, these problems have been fixed in version
1:91.13.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: update bluez meta-data

2022-09-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d13e03a by Anton Gladky at 2022-09-04T22:20:07+02:00
LTS: update bluez meta-data

- - - - -
880b3fcc by Anton Gladky at 2022-09-04T22:47:23+02:00
Reserve DLA-3097-1 for thunderbird

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 Sep 2022] DLA-3097-1 thunderbird - security update
+   {CVE-2022-38472 CVE-2022-38473 CVE-2022-38478}
+   [buster] - thunderbird 1:91.13.0-1~deb10u1
 [03 Sep 2022] DLA-3096-1 ghostscript - security update
{CVE-2020-27792}
[buster] - ghostscript 9.27~dfsg-2+deb10u6


=
data/dla-needed.txt
=
@@ -30,7 +30,7 @@ asterisk (Markus Koschany)
   NOTE: 20220829: bullseye and buster. (apo)
 --
 bluez
-  NOTE: 20220902: Programming language C.
+  NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --
 connman
@@ -110,8 +110,6 @@ sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
 --
-thunderbird
---
 upx-ucl (Thorsten Alteholz)
   NOTE: 20220820: Programming language: C.
   NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e918bff88bb38b92cd8ab3127ad24a60c0b711b9...880b3fccdbd9a728393d5d7854e374a4112bb819



[Git][security-tracker-team/security-tracker][master] 9 commits: LTS: update curl meta-data

2022-09-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
531ebb2a by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update curl meta-data

- - - - -
cc429809 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update glib2.0 meta-data

- - - - -
9e1330cb by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update imagemagick meta-data

- - - - -
2c956dc5 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update libraw meta-data

- - - - -
3ed71294 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update openexr meta-data

- - - - -
a7841dc5 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update poppler meta-data

- - - - -
591bf63f by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update python-oslo.utils meta-data

- - - - -
9d4fb228 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update samba meta-data

- - - - -
f620de97 by Anton Gladky at 2022-09-04T21:59:42+02:00
LTS: update vim meta-data

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -34,20 +34,24 @@ bluez
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --
 connman
-  NOTE: 20220902: Programming language C.
+  NOTE: 20220902: Programming language: C.
 --
 curl
-  NOTE: 20220901: Programming language C.
+  NOTE: 20220901: Programming language: C.
+  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
+  NOTE: 20220904: Special attention: high popcon!.
 --
 exiv2 (Roberto C. Sánchez)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
 --
 glib2.0
-  NOTE: 20220901: Programming language C.
+  NOTE: 20220901: Programming language: C.
+  NOTE: 20220901: Special attention: High Popcon!.
 --
 imagemagick
-  NOTE: 20220904: Programming language C.
+  NOTE: 20220904: Programming language: C.
+  NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
 kopanocore
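Review bot: The new "Special attention" notes in this hunk are spelled two ways, "high popcon!." under curl and "High Popcon!." under glib2.0, and both end in "!.". Pick one capitalisation and drop the doubled punctuation so the notes read the same across stanzas and can be searched with a single pattern.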
@@ -55,7 +59,7 @@ kopanocore
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
 libraw
-  NOTE: 20220904: Programming language C++.
+  NOTE: 20220904: Programming language: C++.
 --
 linux (Ben Hutchings)
 --
@@ -74,13 +78,14 @@ nodejs (Sylvain Beucler)
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue 
(jmm)
 --
 openexr
-  NOTE: 20220904: Programming language C++.
+  NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
 poppler (Markus Koschany)
-  NOTE: 20220902: Programming language C.
+  NOTE: 20220904: Programming language: C.
 --
 python-oslo.utils
+  NOTE: 20220904: Programming language: Python.
 --
 qemu (Abhijith PA)
   NOTE: 20220802: Programming language: C.
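Review bot: On the poppler line the colon fix also changes the NOTE date from 20220902 to 20220904, which none of the other "Programming language" corrections in this push do. If the date change is unintended, keep 20220902 so the original triage date is preserved.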
@@ -89,16 +94,18 @@ qemu (Abhijith PA)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
   NOTE: 20220822: Merged new build at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 
(abhijith)
 --
-samba
-  NOTE: 20220904: Programming language C.
-  NOTE: 20220904: Many postponed or open CVE in general. (apo)
---
 salt
   NOTE: 20220814: Programming language: Python.
   NOTE: 20220814: Packages is not in the supported packages by us.
   NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
   NOTE: 20220814: without backporting a newer verion. (Anton)
 --
+samba
+  NOTE: 20220904: Programming language: C.
+  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/samba.git
+  NOTE: 20220904: Special attention: High popcon! Used in many servers.
+  NOTE: 20220904: Many postponed or open CVE in general. (apo)
+--
 sox (Abhijith PA)
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
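Review bot: Besides the colon fix and the two added notes, this hunk moves the samba stanza from before salt to after it, which the commit message "LTS: update samba meta-data" does not mention. Say so in the message or split the reorder into its own commit, so the diff can be checked as a pure move plus the note changes.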
@@ -110,7 +117,8 @@ upx-ucl (Thorsten Alteholz)
   NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb)
 --
 vim
-  NOTE: 20220904: Programming language C.
+  NOTE: 20220904: Programming language: C.
+  NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
 zlib (Emilio)
   NOTE: 20220813: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1d077ae3d8d0deb0f1109b4eb62707ce9df545d9...f620de9701dd8a03e82e7e9acdac81fba9363164


Bug#963901: ITA: glm -- C++ library for OpenGL GLSL type-based mathematics

2022-09-03 Thread Anton Gladky
Hi Andrea,

thanks for taking care of this package! Really appreciate it.

Please follow the advice given by Pierre and we will upload
the package, giving you permissions to upload it in the future.

It could also be good if you add salsa-CI to be sure that the package
is building and passing all tests. It is also an additional test for you.

Best regards

Anton


Am Fr., 2. Sept. 2022 um 22:13 Uhr schrieb Andrea Pappacoda <
and...@pappacoda.it>:

> Hi everyone!
>
> I've been wanting to adopt the glm package, maintained by the Science
> Team, since last September.
>
> I'm a DM, so I can't directly take ownership of the package nor push to
> Salsa. Could somebody please look at my changes, give me write access
> to the repo and possibly sponsor the first upload? You can find my
> changes here:
> 
>
> I've already asked this on IRC, and joostvb, while approving my changes
> in general, said that it would've been better to ask this on the
> mailing list.
>
> Thanks in advance :)
>
> --
> OpenPGP key: 66DE F152 8299 0C21 99EF  A801 A8A1 28A8 AB1C EE49
>
>
>


[SECURITY] [DLA 3087-1] webkit2gtk security update

2022-08-30 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3087-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Anton Gladky
August 30, 2022                           https://wiki.debian.org/LTS
- -

Package: webkit2gtk
Version: 2.36.7-1~deb10u1
CVE ID : CVE-2022-32893

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2022-32893

An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution. Apple is
aware of a report that this issue may have been actively
exploited.

For Debian 10 buster, this problem has been fixed in version
2.36.7-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "Reserve DLA-3087-1 for webkit2gtk"

2022-08-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a69be114 by Anton Gladky at 2022-08-30T06:38:21+02:00
Revert Reserve DLA-3087-1 for webkit2gtk

This reverts commit b64da0a4dcfaa99c4b4a8acc3daa56c049f4097d.

- - - - -
ac000627 by Anton Gladky at 2022-08-30T06:39:19+02:00
Reserve DLA-3087-1 for webkit2gtk

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,4 +1,5 @@
 [30 Aug 2022] DLA-3087-1 webkit2gtk - security update
+   {CVE-2022-32893}
[buster] - webkit2gtk 2.36.7-1~deb10u1
 [29 Aug 2022] DLA-3086-1 maven-shared-utils - security update
{CVE-2022-29599}
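Review bot: The `{CVE-2022-32893}` line is the only net change here, yet the push gets there by reverting b64da0a4 and re-committing the reservation under the same subject. A small follow-up commit that just adds the CVE line would leave a history that shows what was corrected.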



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3718d718b2aaec6217b69ab0d8902671a21be489...ac00062729725c3488edd7430a5157e3b06e040b



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3087-1 for webkit2gtk

2022-08-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b64da0a4 by Anton Gladky at 2022-08-30T06:16:39+02:00
Reserve DLA-3087-1 for webkit2gtk

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[30 Aug 2022] DLA-3087-1 webkit2gtk - security update
+   [buster] - webkit2gtk 2.36.7-1~deb10u1
 [29 Aug 2022] DLA-3086-1 maven-shared-utils - security update
{CVE-2022-29599}
[buster] - maven-shared-utils 3.3.0-1+deb10u1
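Review bot: The new DLA-3087-1 entry has no `{CVE-...}` line, while the DLA-3086-1 entry directly below it lists `{CVE-2022-29599}`. Add the CVE ID(s) fixed by webkit2gtk 2.36.7-1~deb10u1 to the entry so the DLA is linked to the issues it addresses.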



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b64da0a4dcfaa99c4b4a8acc3daa56c049f4097d



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-08-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c1ed16d by Anton Gladky at 2022-08-29T22:38:40+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -36,7 +36,7 @@ exiv2 (Roberto C. Sánchez)
 flac (Utkarsh)
   NOTE: 20220821: Programming language: C.
 --
-kopanocore (Andreas Rönnquist)
+kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
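Review bot: Dropping the claimant from the kopanocore line leaves "Proposed a patch to CVE-2022-26562 (#1016973)" with no name attached, unlike the rsync note further down, which ends with its author in parentheses. Consider adding a NOTE with the unclaim date and the previous claimant, so the next person knows whom to ask about the proposed patch.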
@@ -77,7 +77,7 @@ rails (Abhijith PA)
   NOTE: 20220817: Programming language: Ruby.
   NOTE: 20220817: Vulnerable to at least CVE-2022-21831.
 --
-rsync (Stefano Rivera)
+rsync
   NOTE: 20220811: Programming language: C.
   NOTE: 20220811: All patches should be applied. If it is too disruptive - 
evaluate the CVE`s severity (Anton)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c1ed16dde9086ad758d600d928ef73b41e708df



Re: Accepted thunderbird 1:91.13.0-1~deb10u1 (source) into oldstable

2022-08-29 Thread Anton Gladky
Hi Carsten,

thanks for the update! As buster is now in LTS hands, would you want
us to release a DLA?

Best regards.

Anton


Am Mo., 29. Aug. 2022 um 17:58 Uhr schrieb Debian FTP Masters <
ftpmas...@ftp-master.debian.org>:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Format: 1.8
> Date: Mon, 29 Aug 2022 08:15:33 +0200
> Source: thunderbird
> Architecture: source
> Version: 1:91.13.0-1~deb10u1
> Distribution: buster-security
> Urgency: medium
> Maintainer: Carsten Schoenert 
> Changed-By: Carsten Schoenert 
> Changes:
>  thunderbird (1:91.13.0-1~deb10u1) buster-security; urgency=medium
>  .
>* Rebuild for buster-security
> Checksums-Sha1:
>  288fd9815beda05f078da798dc2933b1a4a106bb 8420
> thunderbird_91.13.0-1~deb10u1.dsc
>  a0d0de06ad8f2a0d7916c2fff5feeaa734f0779b 548696
> thunderbird_91.13.0-1~deb10u1.debian.tar.xz
> Checksums-Sha256:
>  0d7c1b58493ad97b4519f0fb69d6bb48d22d79951f4ec82a2cae15cb8d4e89aa 8420
> thunderbird_91.13.0-1~deb10u1.dsc
>  34fbb1c635a9d527ecb53335e0dd89996368d1436de5fae8e9e26e3af8fa9dcc 548696
> thunderbird_91.13.0-1~deb10u1.debian.tar.xz
> Files:
>  6061e6cd85806d7de4aa95feeef926c9 8420 mail optional
> thunderbird_91.13.0-1~deb10u1.dsc
>  2758c96803b17cfc09a5370d4bc3c2f3 548696 mail optional
> thunderbird_91.13.0-1~deb10u1.debian.tar.xz
>
>
>


[SECURITY] [DLA 3084-1] ndpi security update

2022-08-28 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3084-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Anton Gladky
August 27, 2022                           https://wiki.debian.org/LTS
- -

Package: ndpi
Version: 2.6-3+deb10u1
CVE ID : CVE-2020-15472 CVE-2020-15476

Two security issues have been discovered in ndpi: deep packet inspection
library.


CVE-2020-15472

H.323 dissector is vulnerable to a heap-based buffer over-read in 
ndpi_search_h323 in lib/protocols/h323.c.

CVE-2020-15476

Oracle protocol dissector has a heap-based buffer over-read in 
ndpi_search_oracle.

For Debian 10 buster, these problems have been fixed in version
2.6-3+deb10u1.

We recommend that you upgrade your ndpi packages.

For the detailed security status of ndpi please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ndpi

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3084-1 for ndpi

2022-08-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac1caed1 by Anton Gladky at 2022-08-27T22:16:08+02:00
Reserve DLA-3084-1 for ndpi

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Aug 2022] DLA-3084-1 ndpi - security update
+   {CVE-2020-15472 CVE-2020-15476}
+   [buster] - ndpi 2.6-3+deb10u1
 [28 Aug 2022] DLA-3083-1 puma - security update
{CVE-2021-29509 CVE-2021-41136 CVE-2022-23634 CVE-2022-24790}
[buster] - puma 3.12.0-2+deb10u3


=
data/dla-needed.txt
=
@@ -57,10 +57,6 @@ mbedtls (Utkarsh)
 mediawiki (Markus Koschany)
   NOTE: 20220810: Programming language: PHP.
 --
-ndpi (Anton)
-  NOTE: 20220801: Programming language: C.
-  NOTE: 20220822: VCS: https://salsa.debian.org/lts-team/packages/ndpi.git
---
 net-snmp (Thorsten Alteholz)
   NOTE: 20220816: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1caed1e3f3c8b400ae7334bf898a8524f63634



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: ignore CVE-2020-15473

2022-08-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db83ae38 by Anton Gladky at 2022-08-27T21:20:32+02:00
LTS: ignore CVE-2020-15473

- - - - -
b18d1f41 by Anton Gladky at 2022-08-27T21:20:38+02:00
LTS: mark CVE-2020-15475 as not-affected for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -160133,6 +160133,7 @@ CVE-2020-15476 (In nDPI through 3.2, the Oracle 
protocol dissector has a heap-ba
 CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in 
lib/ndpi_main.c om ...)
- ndpi 3.4-1 (bug #972050)
[stretch] - ndpi  (Vulnerable code not present, 
content_disposition_line introduced later)
+   [buster] - ndpi  (Vulnerable code not present, 
content_disposition_line introduced later)
NOTE: 
https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952 
(3.4)
 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in 
extractRDNSequence i ...)
- ndpi 3.4-1 (bug #972050)
@@ -160142,6 +160143,7 @@ CVE-2020-15474 (In nDPI through 3.2, there is a stack 
overflow in extractRDNSequ
 CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a 
heap-bas ...)
- ndpi 3.4-1 (bug #972050)
[stretch] - ndpi  (Vulnerable code introduced later)
+   [buster] - ndpi  (Patch cannot be cleanly applied. Codebase 
changed a lot.)
NOTE: 
https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e 
(3.4)
 CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a 
heap-based ...)
- ndpi 3.4-1 (bug #972050)
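Review bot: The buster line added for CVE-2020-15473 justifies ignoring the issue only with "Patch cannot be cleanly applied. Codebase changed a lot.", which does not say whether the vulnerable OpenVPN dissector code is present in buster's version. The stretch line above it gives "Vulnerable code introduced later"; state for buster whether the code is there and why leaving it unfixed is acceptable, so the decision can be re-checked later.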



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/47976b80a09c5e377f688b5b211c1c8a95b86d3a...b18d1f41e7b215ed96de704374bda7abb11f6270



[SECURITY] [DLA 3080-1] firefox-esr security update

2022-08-24 Thread Anton Gladky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian LTS Advisory DLA-3080-1            debian-...@lists.debian.org
https://www.debian.org/lts/security/      Anton Gladky
August 24, 2022                           https://wiki.debian.org/LTS
- -

Package: firefox-esr
Version: 91.13.0esr-1~deb10u1
CVE ID : CVE-2022-38472 CVE-2022-38473 CVE-2022-38478
Debian Bug : 

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code or spoofing.

For Debian 10 buster, these problems have been fixed in version
91.13.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] 2 commits: DLA: add firefox-esr (urgent upload)

2022-08-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f7e1346 by Anton Gladky at 2022-08-24T22:05:48+02:00
DLA: add firefox-esr (urgent upload)

- - - - -
5203f09e by Anton Gladky at 2022-08-24T22:05:49+02:00
Reserve DLA-3080-1 for firefox-esr

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Aug 2022] DLA-3080-1 firefox-esr - security update
+   {CVE-2022-38472 CVE-2022-38473 CVE-2022-38478}
+   [buster] - firefox-esr 91.13.0esr-1~deb10u1
 [22 Aug 2022] DLA-3079-1 jetty9 - security update
{CVE-2022-2047 CVE-2022-2048}
[buster] - jetty9 9.4.16-0+deb10u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6358e4da1fd866791f374a8d42c63ded36dbe5e9...5203f09e41d2901b77b25a9ec5228c76677df6b2



[Git][security-tracker-team/security-tracker][master] LTS: minor dla-needed update

2022-08-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a338a60 by Anton Gladky at 2022-08-23T22:48:23+02:00
LTS: minor dla-needed update

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -19,6 +19,7 @@ NOTE: IMPORTANT: 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.deb
 --
 apache2
   NOTE: 20220811: Programming language: C.
+  NOTE: 20220811: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
   NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 
requesting SRM approval for upload to final buster point release (roberto)
   NOTE: 20220723: Received upload approval from SRM and uploaded to buster 
(roberto)
   NOTE: 20220809: Package is in oldstable-proposed-updates and will be in 
final buster point release (roberto)
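Review bot: The added apache2 VCS note is stamped 20220811 although the commit is dated 2022-08-23. Use the date the note was actually written, so the stamps in the stanza can be trusted as a timeline of the work.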
@@ -47,7 +48,7 @@ kopanocore (Andreas Rönnquist)
 linux (Ben Hutchings)
 --
 maven-shared-utils
-  NOTE: 20220813: Programming language: Java
+  NOTE: 20220813: Programming language: Java.
   NOTE: 20220813: VCS: https://salsa.debian.org/java-team/maven-shared-utils
   NOTE: 20220813: Maintainer notes: Markus is active in the Java team
   NOTE: 20220813: Special attention: Relatively high popcon
@@ -101,7 +102,7 @@ ruby-rack (Utkarsh)
   NOTE: 20220818: Programming language: Ruby.
 --
 salt
-  NOTE: 20220814: Programming language: Python
+  NOTE: 20220814: Programming language: Python.
   NOTE: 20220814: Packages is not in the supported packages by us.
   NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
   NOTE: 20220814: without backporting a newer verion. (Anton)
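Review bot: This hunk touches the salt stanza only for the missing full stop, while the adjacent context lines still read "Packages is not in the supported packages by us." and "verion". Fixing those in the same cleanup commit would save another pass over the stanza.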
@@ -121,7 +122,7 @@ wkhtmltopdf
   NOTE: 20220819: Programming language: C++.
 --
 zlib (Emilio)
-  NOTE: 20220813: Programming language: C
+  NOTE: 20220813: Programming language: C.
   NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/
   NOTE: 20220813: Special attention: Very high popcon. Please test carefully!
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a338a603c15ed1bbbe03fac2a44009381e331f5



[Git][security-tracker-team/security-tracker][master] LTS: Add VCS for ndpi

2022-08-21 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c215889 by Anton Gladky at 2022-08-22T07:00:22+02:00
LTS: Add VCS for ndpi

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,6 +61,7 @@ mediawiki (Markus Koschany)
 --
 ndpi (Anton)
   NOTE: 20220801: Programming language: C.
+  NOTE: 20220822: VCS: https://salsa.debian.org/lts-team/packages/ndpi.git
 --
 net-snmp (Thorsten Alteholz)
   NOTE: 20220816: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c21588920bc57089bb68dd6bc757999d08797f3



[Git][security-tracker-team/security-tracker][master] LTS: Add VCS to curl

2022-08-21 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03bc418a by Anton Gladky at 2022-08-21T20:35:14+02:00
LTS: Add VCS to curl

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -28,6 +28,7 @@ asterisk (Markus Koschany)
 --
 curl (Markus Koschany)
   NOTE: 20220802: Programming language: C.
+  NOTE: 20220821: VCS: https://salsa.debian.org/lts-team/packages/curl
 --
 exim4
   NOTE: 20220820: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03bc418aba04052267ab5850c3831eb0c92e556c



Re: Changing how we handle non-free firmware

2022-08-20 Thread Anton Gladky

Hi Steve,


=

We will include non-free firmware packages from the
"non-free-firmware" section of the Debian archive on our official
media (installer images and live images). The included firmware
binaries will *normally* be enabled by default where the system
determines that they are required, but where possible we will include
ways for users to disable this at boot (boot menu option, kernel
command line etc.).

When the installer/live system is running we will provide information
to the user about what firmware has been loaded (both free and
non-free), and we will also store that information on the target
system such that users will be able to find it later. The target
system will *also* be configured to use the non-free-firmware
component by default in the apt sources.list file. Our users should
receive security updates and important fixes to firmware binaries just
like any other installed software.

We will publish these images as official Debian media, replacing the
current media sets that do not include non-free firmware packages.

=



thanks for proposing this and for working on this important topic!
Seconded.

Regards

Anton




Re: updating debian-security-support(.limited) in buster and bullseye (Re: EOL candidates for security-support-ended.deb10 (recap))

2022-08-16 Thread Anton Gladky
Hi Holger,

just to clarify the things. If the "-limited" file will be versioned,
I think it is better not to include python2.7 or cython
into the buster-file, as we still support them for buster. But,
some internal scripts should be modified in this case to
use the suffix.

If it remains versioned, well, I do not know then. Maybe it is
better to include them into the "debian-security-support-limited".

Regards


Anton


On Mon, 15 Aug 2022 at 21:11, Holger Levsen <hol...@layer-acht.org> wrote:

> On Mon, Aug 15, 2022 at 07:51:56PM +0200, Anton Gladky wrote:
> > Regarding your question, if there are not other objections, I would say
> > please go ahead with an upload (despite python2.7).
>
> Anton, what do you mean with that python2.7 comment?
>
> pochu also said on irc:
>
>  h01ger: I think it makes sense to merge them, except for the
> [pc]ython ones, as python2.7 is fully supported in buster
>
>
> --
> cheers,
> Holger
>
>  ⢀⣴⠾⠻⢶⣦⠀
>  ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
>  ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
>  ⠈⠳⣄
>
> In Germany we don‘t say „Happy Valentine‘s Day, I love you“, we say „ich
> werde
> diesen vom Markt kreierten, konsumorientierten Trend des Kapitalismus nicht
> unterstützen,“ and I think that’s beautiful. (Hazel Brugger)
>


Re: updating debian-security-support(.limited) in buster and bullseye (Re: EOL candidates for security-support-ended.deb10 (recap))

2022-08-15 Thread Anton Gladky
Hi Holger,

thanks for taking care of it!

Regarding your question, if there are no other objections, I would say
please go ahead with an upload (despite python2.7).

Regards


Anton


On Sat, 13 Aug 2022 at 11:30, Holger Levsen <hol...@layer-acht.org> wrote:

> On Fri, Aug 12, 2022 at 12:06:21PM +, Holger Levsen wrote:
> > yes, I have uploading debian-security-support to buster for the last
> > point release on my agenda and will do that upload as needed.
>
> As there has now been a date announced for the final buster point release,
> the timeline for this has become:
>
> - today prepare buster branch for release (33% done, see below)
> - today until aug 23: possible further updates to the master branch
>   which then get copied to the buster branch
> - aug 23: upload & SRM bug
> - aug 27: freeze
> - sep 10: buster 10.13 point release
>
> I've prepared the buster branch accordingly, that is, I have copied
> security-support-ended.deb10 from 1:12+2022.08.12 from unstable.
>
> Two questions remain, the first I have just raised in #debian-release:
>
>  given that debian-security-support now has the release number
>  in its version, do you still want additional ~deb11u1 version
>  suffixes? eg debian-security-support is 1:11+2021.03.19, are
>  you fine with 1:11+2022.08.13 now or would you prefer
>  1:11+2022.08.13~deb11u1 ? (sid/bullseye is at 1:12+2022.08.12
>  and will not get ...08.13.)
>  happy to ask this in an SRM bug too :)
>
> (no reply on #d-release yet, though I only asked 15min ago...)
>
> The second question is about security-support-limited, which is not
> versioned atm, though maybe it should. Anyway, the current diff
> between buster and master/unstable/bookworm is:
>
> --- a/security-support-limited
> +++ b/security-support-limited
> @@ -8,24 +8,26 @@
>
>  adnsStub resolver that should only be used with trusted
> recursors
>  binutilsOnly suitable for trusted content; see
> https://lists.debian.org/msgid-search/87lfqsomtg@mid.deneb.enyo.de
> +cython  Only included for building packages, not running them,
> #975058
>  ganglia See README.Debian.security, only supported behind an
> authenticated HTTP zone, #702775
>  ganglia-web See README.Debian.security, only supported behind an
> authenticated HTTP zone, #702776
> -glpiOnly supported behind an authenticated HTTP zone for
> trusted users
> -golang*See
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
> +golang.*See
> https://www.debian.org/releases/buster/amd64/release-notes/ch-information.en.html#golang-static-linking
>  kde4libskhtml has no security support upstream, only for use on
> trusted content
> +khtml   khtml has no security support upstream, only for use on
> trusted content, see #1004293
>  libv8-3.14  Not covered by security support, only suitable for
> trusted content
> -ltp Pure Testsuite, only supported on non-production
> non-multiuser systems
>  mozjs   Not covered by security support, only suitable for
> trusted content
>  mozjs24 Not covered by security support, only suitable for
> trusted content
>  mozjs52 Not covered by security support, only suitable for
> trusted content
>  mozjs60 Not covered by security support, only suitable for
> trusted content
> +mozjs68 Not covered by security support, only suitable for
> trusted content, see #959804
> +mozjs78 Not covered by security support, only suitable for
> trusted content, see #959804
>  ocsinventory-server Only supported behind an authenticated HTTP zone
> +python2.7   Only included for building packages, not running them,
> #975058
> +python-stdlib-extensions Only included for building packages, not running
> them, #975058
>  qtwebengine-opensource-src No security support upstream and backports not
> feasible, only for use on trusted content
>  qtwebkitNo security support upstream and backports not feasible,
> only for use on trusted content
>  qtwebkit-opensource-src No security support upstream and backports not
> feasible, only for use on trusted content
>  sql-ledger  Only supported behind an authenticated HTTP zone
>  swftoolsNot covered by security support, only suitable for
> trusted content
>  webkitgtk   No security support upstream and backports not feasible,
> only for use on trusted content
> -wine-gecko-2.21 Not covered by security support, see
> https://bugs.debian.org/804058
> -wine-gecko-2.24  Not
> covered by security support, see https://bugs.debian.org/804058
>  zoneminder  See README.Debian.security, only supported behind an
> authenticated HTTP zone, #922724
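Review bot: the added lines for cython, python2.7 and python-stdlib-extensions say "Only included for building packages, not running them", which describes the state in master/unstable but not buster, where, as the replies in this thread point out, python2.7 is still supported. Syncing the file as it stands would flag those packages as limited on buster systems; either leave those three lines out of the buster copy or version the file per release, as security-support-ended.deb10 already is. The removals (glpi, ltp, wine-gecko-2.21, wine-gecko-2.24) need the opposite check: if any of those packages is still in buster, its line has to stay.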
>
> I'm leaning towards not updating security-support-limited for buster. What
> do you think?
>
>
> --
> cheers,
> Holger
>
>  ⢀⣴⠾⠻⢶⣦⠀
>  ⣾⠁⢠⠒⠀⣿⡁  

[Git][security-tracker-team/security-tracker][master] LTS: add salt package

2022-08-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9bee9630 by Anton Gladky at 2022-08-14T22:50:11+02:00
LTS: add salt package

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,6 +64,12 @@ nodejs
 puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.
 --
+salt
+  NOTE: 20220814: Programming language: Python
+  NOTE: 20220814: Packages is not in the supported packages by us.
+  NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
+  NOTE: 20220814: without backporting a newer verion. (Anton)
+--
 schroot (carnil)
   NOTE: 20220813: Programming language: C++
   NOTE: 20220813: VCS: https://salsa.debian.org/debian/schroot/
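Review bot: the last added NOTE misspells "version" as "verion", and the line before it reads "Packages is not in the supported packages by us"; suggest "Package is not in our list of supported packages". The two final NOTE lines also split one sentence across two dated notes, with the author tag only on the second, so anyone reading or parsing the notes one line at a time gets a fragment; use a single note or repeat "(Anton)" on both. "Programming language: Python" lacks the trailing period that the puma entry above it uses.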



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bee963004dc89ba33f39db8a602ec8806a4d96e



[Git][security-tracker-team/security-tracker][master] LTS: add maven-shared-utils

2022-08-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32e2ff0e by Anton Gladky at 2022-08-14T22:36:06+02:00
LTS: add maven-shared-utils

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,6 +42,13 @@ kopanocore (Andreas Rönnquist)
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
+maven-shared-utils
+  NOTE: 20220813: Programming language: Java
+  NOTE: 20220813: VCS: https://salsa.debian.org/java-team/maven-shared-utils
+  NOTE: 20220813: Maintainer notes: Markus is active in the Java team
+  NOTE: 20220813: Special attention: Relatively high popcon
+  NOTE: 20220813: Patch is relatively high. Please check, whether it can 
safely be applied (Anton)
+--
 linux (Ben Hutchings)
 --
 mediawiki (Markus Koschany)
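Review bot: the new maven-shared-utils entry is inserted after kopanocore and before linux, which puts it out of alphabetical order with the surrounding entries (kopanocore, linux, mediawiki); it belongs between linux and mediawiki. "Patch is relatively high" is also unclear: if the size of the patch is meant, say "relatively large", since the request to check whether it can be applied safely depends on that reading. The notes are dated 20220813 although the commit is from 2022-08-14.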



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e2ff0e0d1761649d35af7a91158318a022b8b4



[Git][security-tracker-team/security-tracker][master] LTS: assign schroot

2022-08-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41d943ba by Anton Gladky at 2022-08-14T10:02:09+02:00
LTS: assign schroot

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -57,7 +57,7 @@ nodejs
 puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.
 --
-schroot
+schroot (carnil)
   NOTE: 20220813: Programming language: C++
   NOTE: 20220813: VCS: https://salsa.debian.org/debian/schroot/
   NOTE: 20220813: Maintainer notes: Maintainer prepares o-o-stable updates



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41d943ba2963e86ebd2e9602a73cba86577b373f



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add zlib to dla-needed

2022-08-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c24bb079 by Anton Gladky at 2022-08-13T09:46:55+02:00
LTS: add zlib to dla-needed

- - - - -
13a33704 by Anton Gladky at 2022-08-13T09:48:51+02:00
LTS: add schroot to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -57,6 +57,12 @@ nodejs
 puma
   NOTE: 20220801: Programming language: Ruby.
 --
+schroot
+  NOTE: 20220813: Programming language: C++
+  NOTE: 20220813: VCS: https://salsa.debian.org/debian/schroot/
+  NOTE: 20220813: Maintainer notes: Maintainer prepares o-o-stable updates
+  NOTE: 20220813: Debian security team will release DSA and DLA
+--
 rsync (Stefano Rivera)
   NOTE: 20220811: Programming language: C.
   NOTE: 20220811: All patches should be applied. If it is too disruptive - 
evaluate the CVE`s severity (Anton)
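Review bot: schroot is inserted between puma and rsync, ahead of both rsync and qemu, so the entry is not where someone scanning the list by name would look for it; place it after rsync. The note "Debian security team will release DSA and DLA" says who publishes the advisory, but the entry has no claimant, so it is not clear whether LTS contributors should leave the package alone; state that explicitly. "Programming language: C++" lacks the trailing period used by the puma and rsync entries.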
@@ -67,3 +73,8 @@ qemu (Abhijith PA)
   NOTE: 20220802: wcan now be released as DLA instead. The updated packages 
are/were running fine in a buster ganeti cluster. (jmm)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
 --
+zlib
+  NOTE: 20220813: Programming language: C
+  NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/
+  NOTE: 20220813: Special attention: Very high popcon. Please test carefully!
+--
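Review bot: "Programming language: C" in the new zlib entry has no trailing period, unlike the "Programming language: C." lines of the other entries; add it so the field can be matched uniformly. The "Very high popcon. Please test carefully!" note would help the person who claims the package more if it said what to test, for example the package's own test suite or a set of reverse dependencies.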



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc8bbd01945320cb4cb3431a5429b9734bfdf5a8...13a3370479890e8b843843dfc4d4c69f38a6d5c4



[Git][security-tracker-team/security-tracker][master] Remove `Added` field

2022-08-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc8bbd01 by Anton Gladky at 2022-08-13T09:43:25+02:00
Remove `Added` field

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,56 +25,44 @@ apache2
 --
 asterisk (Markus Koschany)
   NOTE: 20220810: Programming language: C.
-  NOTE: 20220810: Added
 --
 curl (Markus Koschany)
   NOTE: 20220802: Programming language: C.
-  NOTE: 20220802: Added
 --
 epiphany-browser (Emilio)
   NOTE: 20220811: Programming language: C.
-  NOTE: 20220811: Added
 --
 jetty9 (Markus Koschany)
   NOTE: 20220802: Programming language: Java.
-  NOTE: 20220802: Added
 --
 kicad
   NOTE: 20220811: Programming language: C++.
-  NOTE: 20220811: Added
 --
 kopanocore (Andreas Rönnquist)
   NOTE: 20220801: Programming language: C++.
-  NOTE: 20220801: Added
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
 linux (Ben Hutchings)
 --
 mediawiki (Markus Koschany)
   NOTE: 20220810: Programming language: PHP.
-  NOTE: 20220810: Added
 --
 ndpi (Anton)
   NOTE: 20220801: Programming language: C.
-  NOTE: 20220801: Added
 --
 nodejs
   NOTE: 20220801: Programming language: JavaScript.
-  NOTE: 20220801: Added
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue
 --
 puma
   NOTE: 20220801: Programming language: Ruby.
-  NOTE: 20220801: Added
 --
 rsync (Stefano Rivera)
   NOTE: 20220811: Programming language: C.
-  NOTE: 20220811: Added
   NOTE: 20220811: All patches should be applied. If it is too disruptive - 
evaluate the CVE`s severity (Anton)
 --
 qemu (Abhijith PA)
   NOTE: 20220802: Programming language: C.
-  NOTE: 20220802: Added
   NOTE: 20220802: debdiff of backported fixes was submitted to 
buster-proposed-updates: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
   NOTE: 20220802: wcan now be released as DLA instead. The updated packages 
are/were running fine in a buster ganeti cluster. (jmm)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
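Review bot: the commit message gives no reason for dropping the "Added" notes, and after this change the date an entry was added survives only as the date on its "Programming language" note, a convention that nothing in the visible part of the file states. Say so in the file's header comments or in the commit message, so that a later edit to the language note does not silently change the apparent add date. The hunk header (56 lines before, 44 after) matches the twelve removed lines, so nothing else was touched.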



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8bbd01945320cb4cb3431a5429b9734bfdf5a8



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add epiphany-browser

2022-08-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb5282fc by Anton Gladky at 2022-08-11T21:49:59+02:00
LTS: add epiphany-browser

- - - - -
c4e446e7 by Anton Gladky at 2022-08-11T21:49:59+02:00
LTS: add kicad

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -31,10 +31,18 @@ curl (Markus Koschany)
   NOTE: 20220802: Programming language: C.
   NOTE: 20220802: Added
 --
+epiphany-browser
+  NOTE: 20220811: Programming language: C.
+  NOTE: 20220811: Added
+--
 jetty9 (Markus Koschany)
   NOTE: 20220802: Programming language: Java.
   NOTE: 20220802: Added
 --
+kicad
+  NOTE: 20220811: Programming language: C++.
+  NOTE: 20220811: Added
+--
 kopanocore (Andreas Rönnquist)
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220801: Added



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/755aa767b5ca8339ababcd1d95fefea27f0fc7a2...c4e446e7822100a3d7a3e59bf45fe3512ef1a22a



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add rsync

2022-08-10 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b294f6e by Anton Gladky at 2022-08-11T06:46:17+02:00
LTS: add rsync

- - - - -
63d817aa by Anton Gladky at 2022-08-11T07:00:24+02:00
LTS: add some meta-info into dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -18,36 +18,64 @@ NOTE: IMPORTANT: 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.deb
 
 --
 apache2
+  NOTE: 20220811: Programming language: C.
   NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 
requesting SRM approval for upload to final buster point release (roberto)
   NOTE: 20220723: Received upload approval from SRM and uploaded to buster 
(roberto)
   NOTE: 20220809: Package is in oldstable-proposed-updates and will be in 
final buster point release (roberto)
 --
 asterisk (Markus Koschany)
+  NOTE: 20220810: Programming language: C.
+  NOTE: 20220810: Added
 --
 curl (Markus Koschany)
+  NOTE: 20220802: Programming language: C.
+  NOTE: 20220802: Added
 --
 gnutls28 (Emilio)
+  NOTE: 20220810: Programming language: C.
+  NOTE: 20220810: Added
   NOTE: 20220810: there's an update in opu, checked with SRM, will upload with 
higher
   NOTE: 20220810: version and including the changes in opu to -security (pochu)
 --
 jetty9 (Markus Koschany)
+  NOTE: 20220802: Programming language: Java.
+  NOTE: 20220802: Added
 --
 kopanocore
+  NOTE: 20220801: Programming language: C++.
+  NOTE: 20220801: Added
 --
 libtirpc (Emilio)
+  NOTE: 20220810: Programming language: C.
+  NOTE: 20220810: Added
 --
 linux (Ben Hutchings)
 --
 mediawiki (Markus Koschany)
+  NOTE: 20220810: Programming language: PHP.
+  NOTE: 20220810: Added
 --
-ndpi
+ndpi (Anton)
+  NOTE: 20220801: Programming language: C.
+  NOTE: 20220801: Added
 --
 nodejs
-  one of the upstream fixes doesn't address the security issue
+  NOTE: 20220801: Programming language: JavaScript.
+  NOTE: 20220801: Added
+  NOTE: 20220801: one of the upstream fixes doesn't address the security issue
 --
 puma
+  NOTE: 20220801: Programming language: Ruby.
+  NOTE: 20220801: Added
+--
+rsync
+  NOTE: 20220811: Programming language: C.
+  NOTE: 20220811: Added
+  NOTE: 20220811: All patches should be applied. If it is too disruptive - 
evaluate the CVE`s severity (Anton)
 --
 qemu (Abhijith PA)
+  NOTE: 20220802: Programming language: C.
+  NOTE: 20220802: Added
   NOTE: 20220802: debdiff of backported fixes was submitted to 
buster-proposed-updates: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and
   NOTE: 20220802: wcan now be released as DLA instead. The updated packages 
are/were running fine in a buster ganeti cluster. (jmm)
   NOTE: 20220808: conflicting pu at 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc , 
needs to be merged (Beuc/abhijith)
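Review bot: in the apache2 entry the new "NOTE: 20220811: Programming language: C." is placed above the existing notes dated 20220723 and 20220809, so the entry's notes are no longer in date order, while in other entries the added notes carry dates earlier than the commit (20220801, 20220802), which makes the note date mean "when the package was added" rather than "when the note was written". Decide on one meaning and document it in the file header. The hunk also changes "ndpi" to "ndpi (Anton)", a claim that neither commit message ("LTS: add rsync", "LTS: add some meta-info into dla-needed") mentions; it would be easier to trace as its own commit.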



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0726f7d07e009d72b130a75bcf0c62be4fc7a6df...63d817aa2a0dd5770d2ec6514a2c767d2dc53897



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-08-10 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0726f7d0 by Anton Gladky at 2022-08-11T06:36:44+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,7 +17,7 @@ NOTE: IMPORTANT: prepared upload for buster's last point 
release, see:
 NOTE: IMPORTANT: 
https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian@packages.debian.org;tag=pu
 
 --
-apache2 (Roberto C. Sánchez)
+apache2
   NOTE: 20220723: Prepared update 2.4.38-3+deb10u8 and filed #1014346 
requesting SRM approval for upload to final buster point release (roberto)
   NOTE: 20220723: Received upload approval from SRM and uploaded to buster 
(roberto)
   NOTE: 20220809: Package is in oldstable-proposed-updates and will be in 
final buster point release (roberto)
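Review bot: the claim on apache2 is removed for two weeks of inactivity, yet the entry's own notes show a note from roberto dated 20220809, two days before this commit (2022-08-11), and state that the package is already in oldstable-proposed-updates. The inactivity check appears to look at something other than the NOTE dates; either take the latest NOTE date into account before unclaiming, or remove the whole entry if the work is finished, since an unclaimed entry invites someone else to redo it.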



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0726f7d07e009d72b130a75bcf0c62be4fc7a6df



[Git][security-tracker-team/security-tracker][fix_987283] Wrap comment line at ca. 80 symbols

2022-08-08 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
c28bf164 by Anton Gladky at 2022-08-08T21:21:28+00:00
Wrap comment line at ca. 80 symbols
- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -1,4 +1,5 @@
-# This file lists packages which by default should be ignored from reporting 
bugs for Debian unstable.
+# This file lists packages which by default should be ignored from reporting
+# bugs for Debian unstable.
 
 linux
 gitlab
\ No newline at end of file
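Review bot: the file still ends without a newline after "gitlab" (the "\ No newline at end of file" marker); add the final newline in this cleanup so that appending a package later does not produce a two-line diff or a merged line. The wrapped comment keeps the wording "ignored from reporting bugs", which reads awkwardly; "for which no bugs should be reported by default" is clearer.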



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c28bf164fff7792988c502883f4ef69dc1e62da7



[Git][security-tracker-team/security-tracker][fix_987283] Fix wording in data/packages/ignored-debian-bug-packages

2022-07-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
104a5b9d by Anton Gladky at 2022-07-31T21:28:45+02:00
Fix wording in data/packages/ignored-debian-bug-packages

- - - - -


1 changed file:

- data/packages/ignored-debian-bug-packages


Changes:

=
data/packages/ignored-debian-bug-packages
=
@@ -1,5 +1,4 @@
-# This file lists packages which are no longer present in the Debian
-# archive, one per line.
+# This file lists packages which by default should be ignored from reporting 
bugs for Debian unstable.
 
 linux
-gitlab
+gitlab
\ No newline at end of file
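Review bot: the "-gitlab" / "+gitlab" pair exists only because the trailing newline was dropped from the last line, which is unrelated to the wording fix and looks unintended; restore the newline so the hunk changes the comment only. The new comment is also a single line well over 80 columns where the old one was wrapped.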



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/104a5b9dc627247b71a502f5974cf55af364a97e



[Git][security-tracker-team/security-tracker][fix_987283] Implement frontend and checkbox

2022-07-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch fix_987283 at Debian Security Tracker / 
security-tracker


Commits:
7f8bdd41 by Anton Gladky at 2022-07-30T22:38:28+02:00
Implement frontend and checkbox

- - - - -


2 changed files:

- bin/tracker_service.py
- lib/python/security_db.py


Changes:

=
bin/tracker_service.py
=
@@ -1075,14 +1075,21 @@ checker to find out why they have not entered testing 
yet."""),
 replacement="No ITP bugs are currently known.")])
 
 def page_status_unreported(self, path, params, url):
+show_ignored = params.get('show_ignored', False)
+if show_ignored:
+flags = A(url.updateParamsDict({'show_ignored' : None}),
+  'Hide ignored issues')
+else:
+flags = A(url.updateParamsDict({'show_ignored' : '1'}),
+  'Show ignored issues')
 def gen():
-for (bug, packages) in self.db.getUnreportedVulnerabilities():
+for (bug, packages) in 
self.db.getUnreportedVulnerabilities(show_ignored=show_ignored):
 pkgs = make_list([self.make_source_package_ref(url, pkg)
   for pkg in packages], ", ")
 yield self.make_xref(url, bug), pkgs
 return self.create_page(
 url, "Unfixed vulnerabilities in unstable without a filed bug",
-[P("""The list below contains vulnerabilities for which no matching
+[P(flags), P("""The list below contains vulnerabilities for which 
no matching
 Debian bug has been filed, and there is still an unfixed package in sid."""),
  make_table(gen(), caption=("Bug", "Packages"))])
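Review bot: show_ignored is read with params.get('show_ignored', False) and then only tested for truth, so any truthy value, including show_ignored=0, switches the ignored issues on. Normalise it once, for example show_ignored = params.get('show_ignored') == '1', and pass that boolean to getUnreportedVulnerabilities. The page text still describes the list as all vulnerabilities without a filed bug; it should mention that ignored packages are hidden by default.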
 


=
lib/python/security_db.py
=
@@ -2066,16 +2066,21 @@ class DB:
 st.bug_name > 'TEMP-' AND st.bug_name LIKE 'TEMP-%'
 ORDER BY st.bug_name""",(vulnerability,)))
 
-def getUnreportedVulnerabilities(self, cursor=None):
+def getUnreportedVulnerabilities(self, cursor=None, show_ignored=False):
 """Returns a list of pairs (BUG_NAME, DESCRIPTION)
 of vulnerabilities which are unfixed in unstable and lack a filed bug.
 """
 if cursor is None:
 cursor = self.cursor()
 last_bug = None
+
+show_ignored_sql = ""
+if (not show_ignored):
+show_ignored_sql = "AND source_package_status.debian_bug_file = 1"
+
 result = []
 for bug, pkg in cursor.execute(
-"""SELECT DISTINCT source_package_status.bug_name, source_packages.name
+f"""SELECT DISTINCT source_package_status.bug_name, source_packages.name
   FROM source_packages
   JOIN source_package_status
 ON source_packages.rowid = source_package_status.package
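Review bot: the docstring of getUnreportedVulnerabilities is not updated for the new show_ignored parameter; add a line saying that with show_ignored=False only rows with source_package_status.debian_bug_file = 1 are returned. No schema change creating debian_bug_file is visible in the hunks shown, so the query depends on a table change and data load that must land with it. "if (not show_ignored):" needs no parentheses.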
@@ -2088,6 +2093,7 @@ class DB:
   AND package_notes.urgency <> 'unimportant'
   AND package_notes.rowid NOT IN (SELECT note FROM debian_bugs)
   AND source_package_status.vulnerable
+  {show_ignored_sql}
   ORDER BY source_package_status.bug_name, source_packages.name"""):
 if last_bug is None or last_bug != bug:
 last_bug = bug
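Review bot: turning the query into an f-string to splice in {show_ignored_sql} is safe only as long as the fragment stays one of two constants; once the statement is an f-string, a later edit can interpolate a request value by mistake. Keep the SQL static and bind the flag instead, for example "AND (? OR source_package_status.debian_bug_file = 1)" with show_ignored passed as the parameter, as the query just above this function already does with (vulnerability,).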



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f8bdd4125caebbab5a9438acc26d954a1238def



[Git][security-tracker-team/security-tracker] Pushed new branch fix_987283

2022-07-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed new branch fix_987283 at Debian Security Tracker / 
security-tracker

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/fix_987283


Re: libxslt: some CVEs not fixed in debian buster

2022-07-29 Thread Anton Gladky
Hi,

thanks for this information. We do not have buster under the LTS
control yet. But your information about a possibly vulnerable libxslt
is important. We will try to check it.

Regards

Anton


On Fri, 29 Jul 2022 at 06:31, Akira Shibakawa <arabishi...@gmail.com> wrote:

> Hi,
> CVE-2019-5815 and CVE-2021-30560 are vulnerabilities of libxslt
> included in chromium source code as third-party code.
> And not only chromium but also libxslt upstream has already fixed them.
> https://gitlab.gnome.org/GNOME/libxslt/-/commit/08b62c258
> https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9cd3
>
> Because libxslt in debian buster is older than the fixed version in
> upstream, these bugs are still present in debian buster.
> Are there any plans to fix them in debian buster?
> (I wonder why these CVEs are linked only to chromium, not libxslt.)
>
>


Re: coinor packages

2022-07-22 Thread Anton Gladky
Hi Håvard,

thanks for your contribution efforts! I have just added you
into the salsa group of the debian science team. Feel free
to move your repos into it. I will review your packages ASAP.

Best regards


Anton


On Fri, 22 July 2022 at 09:10, Håvard F. Aasen <havard.f.aa...@pfft.no> wrote:

> Hi,
>
> I was looking at coinutils [1], and noticed it was lagging a few "bug-fix"
> releases behind.
>
> Would it be ok if I reintroduced the packages coinutils and coinor-osi
> into the team, and add myself as uploader?
>
> If we are to keep the coinor packages up to date, we also need to ship a
> new package, which I have already prepared, coinor-data-sample [2]; these
> are test files that have been split out from the coinutils package. I was
> hoping to maintain this under the Science Team umbrella. There is also a
> second package I would like to package, coinor-data-netlib [3]; these are
> optional test files, and as far as I know they aren't shipped in any
> package in Debian. I haven't filed any ITPs yet.
>
> If we go through with this, packages that depend on files split out from
> coinutils would need to add coinor-data-sample as a build-dependency, if
> they use the test files of course; coinor packages normally do.
>
>
> I'm not sure if I am an official team member; I know I already have
> developer access. If not, I would also request to join the Debian Science
> Team.
>
>
> Regards,
> Håvard
>
> [1] https://tracker.debian.org/pkg/coinutils
> [2] https://salsa.debian.org/haava/coinor-data-sample
> [3] https://salsa.debian.org/haava/coinor-data-netlib
>
>


Re: What do do with bullseye minor issues?

2022-07-14 Thread Anton Gladky
Hi Ola,

thanks for raising this very important question.

Please use this ticket [1] for the discussion. So we will
be able to formulate the common position and put everything
into the documentation.

[1] https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/38

Regards

Anton



On Thu, 14 July 2022 at 23:50, Ola Lundqvist wrote:

> Hi fellow LTS contributors
>
> During my front desk work I have now got down to the CVEs for buster
> that are "postponed".
> The triage script suggests me to "ignore" or "fix".
> I know I should not change triaging status for buster yet, but I'm now
> working on setting some best practices to use later on.
>
> The question is what to do with them in general.
>
> Here are some examples.
>
> composer CVE-2022-24828
> e2guardian CVE-2021-44273
> bullseye is fixed but I cannot find any trace of a DSA. This must mean
> that it was fixed in a point release without a DSA. I have not
> checked.
> For buster it was marked as no-dsa (Minor issue). Note not proposed
> for point release.
> One of them was unaffected in stretch the other was also marked as
> minor issue for stretch.
>
> The security team have clearly indicated that this is a minor issue so
> I guess it should not be added to dla-needed.
>
> But what should I do? Should I (or rather some future front desk when
> buster is LTS responsibility) change the status from no-dsa to
> ignored?
>
> Or should we change the lts-triage script to not tell that it should be
> ignored?
>
> I'm asking since from earlier discussions we have said that we should
> generally not mark issues as "ignored" unless we really should not fix
> it, because of too intrusive change, backwards compatibility issues
> and the like. Now our triaging script tells us that we should and that
> is contradicting the earlier conclusions we had.
>
> Anyone with good advice?
>
> The other type is CVE-2021-28210 for edk2. It is marked as minor issue
> for buster, but it was fixed in the scope of a DLA for stretch.
>
> In this case I'm more inclined to add it to dla-needed with the
> motivation that it was fixed in stretch and if someone upgrades, the
> system should not get worse from a security perspective.
> Maybe we should automate the detection of this case in some way.
>
> There are probably more, but now it is getting late for today so I
> will continue checking tomorrow.
>
> Cheers
>
> // Ola
>
> --
>  --- Inguza Technology AB --- MSc in Information Technology 
> |  o...@inguza.com    o...@debian.org |
> |  http://inguza.com/    Mobile: +46 (0)70-332 1551 |
>  ---
>
>
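
The edk2 case Ola describes (fixed by a DLA in stretch, still tagged as a minor issue in buster) can be detected mechanically. The sketch below is an added example, not part of the thread and not the project's triage script; the record layout, the status names and the per-suite values are constructed for illustration.

```python
from dataclasses import dataclass

# Status vocabulary of this example only; not the security tracker's schema.
FIXED = "fixed"
NO_DSA = "no-dsa"
POSTPONED = "postponed"
NOT_AFFECTED = "not-affected"

# Tags meaning "still vulnerable, deliberately not scheduled for a fix".
DEFERRED = {NO_DSA, POSTPONED}


@dataclass(frozen=True)
class SuiteStatus:
    status: str
    reason: str = ""    # free text such as "Minor issue"
    advisory: str = ""  # DSA/DLA id when status == FIXED


# Constructed sample: (source package, CVE id) -> suite -> status.
# The CVE ids are the ones named in the thread; the per-suite values are
# illustrative assumptions, not copied from the tracker.
SAMPLE = {
    ("edk2", "CVE-2021-28210"): {
        "stretch": SuiteStatus(FIXED, advisory="DLA-NNNN-1 (placeholder)"),
        "buster": SuiteStatus(NO_DSA, "Minor issue"),
    },
    ("composer", "CVE-2022-24828"): {
        "stretch": SuiteStatus(NOT_AFFECTED),
        "buster": SuiteStatus(NO_DSA, "Minor issue"),
        "bullseye": SuiteStatus(FIXED),
    },
    ("e2guardian", "CVE-2021-44273"): {
        "stretch": SuiteStatus(NO_DSA, "Minor issue"),
        "buster": SuiteStatus(NO_DSA, "Minor issue"),
        "bullseye": SuiteStatus(FIXED),
    },
}


def triage_deferred(records, older="stretch", newer="buster"):
    """Classify every CVE that is deferred (no-dsa/postponed) in `newer`.

    'regression-on-upgrade': already fixed in `older`, so upgrading to
        `newer` reintroduces the issue; a candidate for dla-needed.
    'deferred-everywhere': no fix exists in `older` either, so the
        minor-issue tag is at least consistent across suites.
    """
    result = {}
    for (package, cve), suites in sorted(records.items()):
        new = suites.get(newer)
        if new is None or new.status not in DEFERRED:
            continue  # fixed, ignored, unaffected or untracked in `newer`
        old = suites.get(older)
        if old is not None and old.status == FIXED:
            result[(package, cve)] = "regression-on-upgrade"
        else:
            result[(package, cve)] = "deferred-everywhere"
    return result


def dla_needed_candidates(records, older="stretch", newer="buster"):
    """Sorted source packages with at least one upgrade regression."""
    verdicts = triage_deferred(records, older, newer)
    return sorted({pkg for (pkg, _), v in verdicts.items()
                   if v == "regression-on-upgrade"})


if __name__ == "__main__":
    for key, verdict in triage_deferred(SAMPLE).items():
        print(key, verdict)
    print("propose for dla-needed:", dla_needed_candidates(SAMPLE))
```

Only the first class yields an automatic proposal; whether the second should stay no-dsa or become ignored is the policy question the thread leaves open.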


[Git][security-tracker-team/security-tracker][master] LTS: Dispatch FD-weeks for Q4/2022

2022-07-12 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bd8229e4 by Anton Gladky at 2022-07-13T06:37:21+02:00
LTS: Dispatch FD-weeks for Q4/2022

- - - - -


1 changed file:

- org/lts-frontdesk.2022.txt


Changes:

=
org/lts-frontdesk.2022.txt
=
@@ -50,16 +50,16 @@ From 05-09 to 11-09:Ola Lundqvist 
 From 12-09 to 18-09:Sylvain Beucler 
 From 19-09 to 25-09:Thorsten Alteholz 
 From 26-09 to 02-10:Utkarsh Gupta 
-From 03-10 to 09-10:
-From 10-10 to 16-10:
-From 17-10 to 23-10:
-From 24-10 to 30-10:
-From 31-10 to 06-11:
-From 07-11 to 13-11:
-From 14-11 to 20-11:
-From 21-11 to 27-11:
-From 28-11 to 04-12:
-From 05-12 to 11-12:
-From 12-12 to 18-12:
-From 19-12 to 25-12:
-From 26-12 to 01-01:
\ No newline at end of file
+From 03-10 to 09-10:Anton Gladky 
+From 10-10 to 16-10:Chris Lamb 
+From 17-10 to 23-10:Emilio Pozuelo Monfort 
+From 24-10 to 30-10:Markus Koschany 
+From 31-10 to 06-11:Ola Lundqvist 
+From 07-11 to 13-11:Sylvain Beucler 
+From 14-11 to 20-11:Thorsten Alteholz 
+From 21-11 to 27-11:Utkarsh Gupta 
+From 28-11 to 04-12:Anton Gladky 
+From 05-12 to 11-12:Chris Lamb 
+From 12-12 to 18-12:Emilio Pozuelo Monfort 
+From 19-12 to 25-12:Markus Koschany 
+From 26-12 to 01-01:Ola Lundqvist 
\ No newline at end of file
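Review bot: Both the old and the new last line (`From 26-12 to 01-01:`) carry `\ No newline at end of file`, so the file still ends without a terminating newline after this change. Adding one here avoids the last entry showing up as modified the next time a line is appended.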



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd8229e42a5d8b77569a36c6fe8a2b12eae593b7



Re: Request for sponsorship - SolveSpace 3.1

2022-07-11 Thread Anton Gladky
Uploaded, thanks for contributing!


Anton


On Mon, 11 July 2022 at 16:08, Ryan Pavlik wrote:

> Hello all,
>
> I've updated the team-maintained SolveSpace package following the
> recent upstream release, and have pushed it to mentors as well as
> updated on salsa.
>
> The previous RC1 upload's migration to testing is stuck behind an
> autopkgtest s390x regression I can't reproduce, and that isn't seen in
> Ubuntu either, but that debci can reliably trigger. I have not done
> anything particularly different in this package, but perhaps some
> small detail of the build will make it pass; otherwise help there
> would be appreciated as well.
>
> The RFS template follows below.
>
> I am looking for a sponsor for my package "solvespace":
>
>  * Package name: solvespace
>Version : 3.1+ds1-1
>Upstream Author : [fill in name and email of upstream]
>  * URL : https://solvespace.com
>  * License : OFL-1.1-RFN, GPL-3.0+, Expat, GPL-2.0+, other
>  * Vcs : https://salsa.debian.org/science-team/solvespace
>Section : graphics
>
> The source builds the following binary packages:
>
>   solvespace - Parametric 2d/3d CAD
>   libslvs1 - SolveSpace geometric kernel
>   libslvs1-dev - SolveSpace geometric kernel (development files)
>
> To access further information about this package, please visit the
> following URL:
>
>   https://mentors.debian.net/package/solvespace/
>
> Alternatively, you can download the package with 'dget' using this command:
>
>   dget -x
> https://mentors.debian.net/debian/pool/main/s/solvespace/solvespace_3.1+ds1-1.dsc
>
> Changes since the last upload:
>
>  solvespace (3.1+ds1-1) unstable; urgency=medium
>  .
>* Team upload.
>* New upstream version 3.1+ds1
>* Rediff patches.
>  Drop 05_eigen_dependency_fix.patch: Applied upstream.
>  Drop 06_desktop_file_exec.patch: Applied upstream.
>
> Regards,
>   Ryan A. Pavlik
>
>


DebConf22, Debian Science BoF

2022-07-11 Thread Anton Gladky
Dear all,

this year we are organizing Debian Science BoF during
Debconf22. It is scheduled [0]:

Type: BoF (45 minutes)

Room: Ereniku

Time: Jul 22 (Fri): 15:00


Please use this link to add some topics to discuss [1].
It is planned to have an informal talk about Debian Science
Team activities and plans for the future.

[0] https://debconf22.debconf.org/talks/16-debian-science-bof/
[1] https://pad.dc22.debconf.org/p/16-debian-science-bof

See you there!

Anton


-- 
debian-science-maintainers mailing list
debian-science-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-07-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0411d591 by Anton Gladky at 2022-07-11T22:26:43+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -15,6 +15,6 @@ rather than remove/replace existing ones.
 --
 linux (Ben Hutchings)
 --
-rustc (Emilio)
+rustc
   NOTE: 20220614: backporting toolchain (rust, llvm...) for Firefox 102 ESR 
(pochu)
 --
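Review bot: Dropping `(Emilio)` from the `rustc` line leaves the 20220614 note about the toolchain backport for Firefox 102 ESR as the only status, with nothing saying the entry was released for inactivity. A dated NOTE recording the unclaim, and whether any backport work already exists, would tell the next claimant where to start.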



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0411d59117de14ebd4f1603317e8a63b303ef598



Re: [Debian Wiki] Update of "LTS" by BenWestover

2022-07-02 Thread Anton Gladky
Thanks, Utkarsh for fixing this!

That is one of the reasons, why we should migrate to the website.

Regards

Anton


On Sat, 2 July 2022 at 08:58, Utkarsh Gupta <guptautkarsh2...@gmail.com> wrote:

> Hello,
>
> Someone (Ben Westover) made 2 (incorrect) revisions to the LTS wiki page:
> https://wiki.debian.org/LTS?action=diff=88=89
> https://wiki.debian.org/LTS?action=diff=89=90
>
> I've reverted them for now. Will TAL closely and add changes worth keeping.
>
>
> - u
>
> On Sat, Jul 2, 2022 at 3:01 AM Debian Wiki  wrote:
> >
> > Dear Wiki user,
> >
> > You have subscribed to a wiki page or wiki category on "Debian Wiki" for
> change notification.
> >
> > The "LTS" page has been changed by BenWestover:
> > https://wiki.debian.org/LTS?action=diff=88=89
> >
> > Comment:
> > Debian 10 is now LTS, 9 is now extended LTS
> >
> >
> >   /!\ For more information see [[LTS/Stretch]], [[LTS/Using]] and
> [[LTS/FAQ]].
> >
> > - LTS time table from June 30,2020
> > + LTS time table from July 1, 2022
> >
> >   ||<:> '''Version''' ||<:> '''support architecture''' ||<:>
> '''schedule''' ||
> >   ||<#F06C47-3> __Previous LTS Releases__ ||
> >   ||<#F06C47> Debian 6 “Squeeze” ||<#F06C47> i386 and
> amd64 ||<#F06C47> until 29th of February 2016 ||
> >   ||<#F06C47> Debian 7 “[[LTS/Wheezy|Wheezy]]”   ||<#F06C47> i386,
> amd64, armel and armhf ||<#F06C47> from 26th April 2016 to 31st May 2018 ||
> >   ||<#F06C47> Debian 8 “[[LTS/Jessie|Jessie]]”   ||<#F06C47> i386,
> amd64, armel and armhf ||<#F06C47> from 17th June 2018 to June 30, 2020  ||
> > + ||<#F06C47> Debian 9 “[[LTS/Stretch|Stretch]]” ||<#F06C47> i386,
> amd64, armel, armhf and arm64  ||<#F06C47> July 6, 2020 to June 30, 2022 ||
> >   ||<#FCED77-3> __'''Current LTS Release(s)'''__ ||
> > - ||<#FCED77> '''Debian 9 “[[LTS/Stretch|Stretch]]”''' ||<#FCED77>
> '''i386, amd64, armel, armhf and arm64'''  ||<#FCED77> '''July 6, 2020 to
> June 30, 2022''' ||
> > + ||<#FCED77> Debian 10 “[[LTS/Buster|Buster]]”  ||<#FCED77> i386,
> amd64, armel, armhf and arm64  ||<#FCED77> July, 2022 to June, 2024  ||
> >   ||<#98fb98-3> __Future LTS Release(s)__ ||
> > - ||<#98fb98> Debian 10 “Buster” ||<#98fb98> i386,
> amd64, armel, armhf and arm64  ||<#98fb98> July, 2022 to June, 2024  ||
> >   ||<#98fb98> Debian 11 “Bullseye”   ||<#98fb98> i386,
> amd64, armel, armhf and arm64  ||<#98fb98> July, 2024 to June, 2026  ||
> >
> >   ||<:> {i} '''Legend:''' ||<#F06C47> End of life ||<#FCED77>
> '''Supported by LTS team'''||<#98fb98> [[DebianOldStable|Supported by
> security and release teams]] ||
>
>
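Review bot: The unchanged "For more information see [[LTS/Stretch]]" line at the top of this diff still points at Stretch, while the added rows move Stretch under "Previous LTS Releases" and make Buster the current release; if the table change is kept, that pointer should become [[LTS/Buster]] in the same revision. The added Buster row also drops the ''' bold markup that the removed current-release row carried.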


Re: [RFS] resampy

2022-06-28 Thread Anton Gladky
Hi Antonio,

I do not have enough permissions to move the package away
from python team. I would just propose to let the package be
there. The only thing which should be fixed is the binaries
in the code.

Regards

Anton

On Tue, 28 June 2022 at 07:49, Antonio Valentino wrote:
>
> Dear David and Anton,
>
> On 28/06/22 00:56, David Bremner wrote:
> > Antonio Valentino  writes:
> >>
> >> David (in cc), who performed the initial packaging, recommends to
> >> maintain the package in debian-python.
> >> I have not a strong preference but my sponsoring request posted on
> >> debian-python has been ignored for a long time, so I fear that there is
> >> not too much interest there for this package.
> >>
> >> If no one has objections I would be more comfortable to maintain the
> >> package in debian-science.
> >> If it is OK for you I can quickly update the package control file
> >> accordingly.
> >>
> >
> > It only seemed natural to package it in the python team, because people
> > there are experts in python modules. But I really don't have strong
> > opinions, I'm happy if someone will take care of it somewhere in Debian.
>
> thanks for the feedback David.
> In this case I would move the package into debian science.
>
> Anton, IMHO the first step is to move the repository.
> Is it something that I can do myself as a DM?
>
>
> regards
> --
> Antonio Valentino
>



Re: [RFS] resampy

2022-06-27 Thread Anton Gladky
Hi Antonio,

the package looks good. I would only propose to drop "resampy/data/"
because they are binaries. Is there any opportunity to replace it with the
text version maybe?

And you are going to put it into the python-team (which I think is totally OK),
but you are asking in the debian-science list :)

But I will sponsor it for python team too.

Regards

Anton

On Wed, 22 June 2022 at 08:37, Antonio Valentino wrote:
>
> Dear Debian Science Maintainers,
> I have prepared a debian package for resampy [1], an "Efficient signal
> resampling. Implements band-limited sinc interpolation method for
> sampling rate conversion."
>
> The initial packaging has been started by David (in cc) and the ITP is
> at [2].
> The David's original idea was to maintain the package in debian-python
> [3] but it seems that there is not too much interest there, and I was
> not able to find a sponsor for the initial upload.
>
> I think that the package fits very well in debian-science and I'm
> wondering if there is interest in maintaining resampy under debian-science.
>
> Of course I will take care of the package maintenance and updates but I
> would need help to move the repository from debian-python [3], and also
> I need someone to review the package and sponsor the initial upload.
>
> Is there anyone interested in sponsoring resampy?
>
>
> [1] https://github.com/bmcfee/resampy
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968469
> [3] https://salsa.debian.org/python-team/packages/resampy
>
> kind regards
> --
> Antonio Valentino
>



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-06-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d60bd8c9 by Anton Gladky at 2022-06-27T21:58:27+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -106,7 +106,7 @@ horizon
   NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) 
(Beuc/front-desk)
   NOTE: 20220523: part of OpenStack (Beuc/front-desk)
 --
-icingaweb2 (Abhijith PA)
+icingaweb2
   NOTE: 20220529: Programming language: PHP.
   NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.6.2-3~bpo9+1+deb9u1.dsc
 (abhijith)
 --
@@ -167,7 +167,7 @@ mariadb-10.1
   NOTE: 20220529: Programming language: C.
   NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See 
discussion https://lists.debian.org/debian-lts/2022/02/msg5.html and 
coordinate with maintainer (Anton)
 --
-mbedtls (Utkarsh)
+mbedtls
   NOTE: 20220529: Programming language: C.
   NOTE: 20220404: update prepared, needs testing. (utkarsh)
   NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
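Review bot: For `mbedtls` the remaining notes say an update was prepared on 20220404 and was waiting for feedback on 20220419, but after removing `(Utkarsh)` nothing says where that prepared update lives. Adding a NOTE with its location, or stating that it has to be redone, would keep the work from being lost with the claim.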
@@ -225,7 +225,7 @@ pdns
 php-horde-turba
   NOTE: 20220603: Programming language: PHP.
 --
-postgresql-9.6 (Roberto C. Sánchez)
+postgresql-9.6
   NOTE: 20220529: Programming language: C.
   NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk)
   NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk)
@@ -292,7 +292,7 @@ sox
 spip
   NOTE: 20220529: Programming language: PHP.
 --
-systemd (Stefano Rivera)
+systemd
   NOTE: 20220529: Programming language: C.
   NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13
   NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but 
at the



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d60bd8c9b2a5a6f02456147579da8ba1f4578bc8



Re: RFR: openscad update

2022-06-27 Thread Anton Gladky
Hi Helmut,

I would propose that you are contacting the original openscad maintainer
and ask him, whether you can make a p-u upload for buster (if it is still
possible).

Thus you can get an experience with dealing of such uploads. Anyway, for
LTS we do not have any point releases. So basically it is possible to fix
even those CVEs which are not DSA-considered. But for not-important issue
it is better to pick up several issues (maybe together with some important
ones) and make an upload.

Leaving the package in dla-needed.txt without any action is not a good idea.
Or the upload should be done with the fixes. Or CVEs should be tagged as
 in tracker. In both cases the package should be removed from
dla-needed.txt as well.

The package can stay in dla-needed.txt longer (due to some testing
issues, or waiting for upstream reaction etc.) and it is OK. But simply
leaving the package in dla-needed without any action can not bring a benefit.

Best regards


Anton

On Thu, 23 June 2022 at 17:03, Helmut Grohne wrote:
>
> Hi,
>
> I've been looking into updating openscad in buster to fix CVE-2022-0496
> and CVE-2022-0497. They're already fixed in bullseye and later. They are
> input sanitization issues and CVE-2022-0496 needed a little porting of
> the patch. I verified that the provided PoCs for CVE-2022-0496 do
> trigger in an asan/ubsan build and no longer trigger after applying the
> patch. The provided PoC for CVE-2022-0497 did not trigger in an
> asan/ubsan build, but the fix is quite obvious and the PoC looks quite
> sensitive to the memory layout, so that's unsurprising. Beyond the
> build-time test suite, autopkgtests also pass.
>
> Given the buster -> LTS transition, I'm unsure where to upload this to.
> Adam's mail seems to indicate that it's late for the point release.
>
> Full build available at https://subdivi.de/~helmut/openscad_lts/, and
> .debdiff attached. Did I miss anything obvious on the process side?
>
> Helmut



Re: Migration from vtk7 to vtk9

2022-06-21 Thread Anton Gladky
Hi François,

thanks for working on this!

Yes, those bugs are filed against packages, depending on vtk6 and vtk7.
I would firstly recommend finding out, whether the package has a newer
version and maybe vtk9 support is provided. If not - it makes sense to contact
upstream about migration to vtk9, and only if upstream is dead or not
quite active, does it make sense to dive into the code and fix it.

Progress on fixing those bugs can be monitored here [1].

[1]  
https://udd.debian.org/cgi-bin/bts-usertags.cgi?user=gladk%40debian.org=vtk6_vtk7_removal


Anton

On Tue, 21 June 2022 at 22:15, François Mazen wrote:
>
> Hello science team!
>
> After discussion with Jochen and Andreas, I'm working on removing the
> old vtk7 package from the archive, or at least do not build-depends on
> it.
> The rationale is that vtk7 is old and not maintained upstream anymore.
> The current version is vtk9.
> Unfortunately, many packages are not ready for the migration because
> the way VTK works changed between version 8 and 9, especially on the
> CMake side.
>
> So I've started to update reverse build-depends of libvtk7-dev:
> cgal-demo [1], mia [2], nifti2dicom [3], openems [4]...
>
> I've discovered that similar initiatives are ongoing [5]. I think that
> synchronization is needed to avoid duplicate work.
>
> There is still a lot to do, like camitk, gdcm, vtk-dicom,
> facet-analyser, so any contribution is welcome!
>
> Best Regards,
> François
>
>
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012280
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012689
> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012691
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013190
> [5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013158
>
>



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-06-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
386165e9 by Anton Gladky at 2022-06-20T20:56:07+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -144,7 +144,7 @@ liblouis
   NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
   NOTE: 20220503: Patch not applied upstream yet.
 --
-libmatio (Abhijith PA)
+libmatio
   NOTE: 20220529: Programming language: C.
   NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch 
security upload, supported package (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/386165e9c855168ae2a2e1a82a214de24dc29bf1



[Git][security-tracker-team/security-tracker][master] LTS: add note about halibut

2022-06-20 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11e64acd by Anton Gladky at 2022-06-20T20:50:31+02:00
LTS: add note about halibut

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -101,6 +101,7 @@ halibut (Anton)
   NOTE: 20220605: Maintainer is contacted regarding this issue (Anton)
   NOTE: 20220607: Maintainer is OK with the backport. But reverse dependencies 
should be checked whether the new version
   NOTE: 20220607: is producing the same output. (Anton)
+  NOTE: 20220620: test package is built locally. Testing (Anton)
 --
 horizon
   NOTE: 20220529: Programming language: Python.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11e64acd89f39521bfccd90968b0fefec956c226



[Git][security-tracker-team/security-tracker][master] LTS: add apache2

2022-06-18 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7bc1c7ba by Anton Gladky at 2022-06-18T15:53:17+02:00
LTS: add apache2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,6 +21,9 @@ rather than remove/replace existing ones.
 amd64-microcode
   NOTE: 20220529: Programming language: binary blob.
 --
+apache2
+  NOTE: 20220618: Programming language: C.
+--
 blender (Thorsten Alteholz)
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was 
approached to fix in stable/oldstable,
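Review bot: The new `apache2` entry carries only the `Programming language: C.` note, with no indication of which issues triggered the triage. A second NOTE naming the CVEs or the advisory to follow, in the way the neighbouring `blender` entry summarises its open CVEs, would save the next claimant a lookup.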



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc1c7ba1acee63beac6b460a8ec2eec9a2c1572



Bug#1013158: facet-analyser: vtk[6,7] removal

2022-06-18 Thread Anton Gladky
Hi Picca,

thanks for your work! Yes, it is known issue that the paraview uses an
embedded version of VTK. As far as I remember there were several tries
to fix it, though without visible success.

Please file the bug against paraview or just add those dependencies into
the git of paraview, so it will be fixed with the next upload.

Thanks again for the quick reaction!

Anton

On Sat, 18 June 2022 at 11:23, PICCA Frederic-Emmanuel wrote:

>
> Hello, I removed the vtk7 dependency but I needed a bunch of -dev packages.
>
> + libavcodec-dev,
> + libavformat-dev,
>   libdouble-conversion-dev,
>   libfftw3-dev,
> + libfreetype-dev,
> + libgdal-dev,
>   libgdcm-tools,
> + libgl2ps-dev,
> + libglew-dev,
>   libinsighttoolkit4-dev,
>   liblz4-dev,
> + libogg-dev,
>   libopengl-dev,
> + libopenmpi-dev,
>   libqt5opengl5-dev,
>   libqt5svg5-dev,
> + libswscale-dev,
> + libtheora-dev,
>   libutfcpp-dev,
> - libvtk7-dev,
>   libvtkgdcm-cil,
>   libvtkgdcm-dev,
>   libvtkgdcm-java,
> @@ -26,10 +37,9 @@ Build-Depends:
>   qtbase5-dev,
>   qttools5-dev,
>   qtxmlpatterns5-dev-tools,
> - vtk7,
>
>
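Review bot: The added Build-Depends from `libavcodec-dev` to `libtheora-dev` are, per the message, packages the author expected `paraview-dev` to pull in, so they become redundant once `paraview-dev` gains those Depends. A comment in the Build-Depends block marking them as a workaround, with the paraview bug number once it is filed, would make them easy to drop again.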
> paraview seems to use an internal version of vtk. So when I build an 
> extension with paraview-dev, I expect to have all the -dev pulled via this 
> package.
>
> Package: paraview-dev
> Version: 5.10.1-1
> Priority: optional
> Section: libdevel
> Source: paraview
> Maintainer: Debian Science Team 
> 
> Installed-Size: 117 MB
> Depends: qttools5-dev-tools, libc6 (>= 2.14), paraview (= 5.10.1-1), 
> python3:any | python3-minimal:any, libeigen3-dev
>
>
> I am wondering if the right solution is not to  add all these vtk dependency 
> in the paraview -dev package ?
>
> cheers
>
> Fred





[Git][security-tracker-team/security-tracker][master] LTS: triage netatalk

2022-06-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bbe3abbe by Anton Gladky at 2022-06-16T21:36:55+02:00
LTS: triage netatalk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -188,6 +188,9 @@ ncurses (Thorsten Alteholz)
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + 
some non-CVE'd issues) (Beuc/front-desk)
   NOTE: 20220613: testing package
 --
+netatalk
+  NOTE: 20220616: Programming language: C.
+--
 ntfs-3g
   NOTE: 20220529: Programming language: C.
   NOTE: 20220515: Please recheck. There are currently not enough information



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbe3abbe17edfa1274aa12a064b862569066c09f



[Git][security-tracker-team/security-tracker][master] LTS: triage grub2

2022-06-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6a4f585 by Anton Gladky at 2022-06-16T21:35:10+02:00
LTS: triage grub2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,6 +87,10 @@ golang-go.crypto (Dominik George)
   NOTE: 20220529: Programming language: Go.
   NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> 
DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
 --
+grub2
+  NOTE: 20220616: Programming language: C.
+  NOTE: 20220616: Several CVEs need to be analyzed: fixed or tagged (Anton).
+--
 grunt
   NOTE: 20220529: Programming language: JavaScript.
   NOTE: 20220528: upcoming stable update (cf. #1010211) + 1 new CVE 
(Beuc/front-desk)
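
Review bot: The second added NOTE says "Several CVEs need to be analyzed" without naming any of them, and it is signed (Anton) while the grub2 line itself has no claimant. List the CVE ids or point to the tracker page for grub2, and either claim the package or state in the note that it is free to take.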



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6a4f585763ee408b19bece5300354967c0afe26



[Git][security-tracker-team/security-tracker][master] LTS: triage firejail

2022-06-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be9f305b by Anton Gladky at 2022-06-16T21:31:05+02:00
LTS: triage firejail

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -58,6 +58,9 @@ exempi
   NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further 
analysis
   NOTE: 20220517: is needed.
 --
+firejail
+  NOTE: 20220616: Programming language: C
+--
 firmware-nonfree
   NOTE: 20220529: Programming language: binary blob.
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
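
Review bot: The added language note on firejail ends in "C" with no trailing period, while the firmware-nonfree note right below it reads "Programming language: binary blob." with one. Keep the form identical across entries so the field can be matched with a single pattern, and add the reason for the triage (the open CVE ids) next to it.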



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be9f305b88c388824c97dd994c035f4fa0781efa



[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2021-40592 as EOL for stretch

2022-06-15 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d3bae0d by Anton Gladky at 2022-06-15T23:12:21+02:00
LTS: mark CVE-2021-40592 as EOL for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53458,6 +53458,7 @@ CVE-2021-40593
RESERVED
 CVE-2021-40592 (GPAC version before commit 
71460d72ec07df766dab0a4d52687529f3efcf0a (v ...)
- gpac 2.0.0+dfsg1-2
+   [stretch] - gpac 
NOTE: 
https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a 
(v2.0.0)
NOTE: https://github.com/gpac/gpac/issues/1876
 CVE-2021-40591
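
Review bot: As shown here, the added "[stretch] - gpac" line ends after the package name with no status tag, although the commit message says the CVE is being marked EOL for stretch. Check that the committed line actually carries the end-of-life state the commit message announces, and consider a short NOTE giving the reason.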



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d3bae0d515d7612ed2351ea29c6beefc2a57fcb



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-06-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f80932d5 by Anton Gladky at 2022-06-13T22:02:06+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -39,7 +39,7 @@ ckeditor
   NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc)
   NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html
 --
-curl (Emilio)
+curl
   NOTE: 20220529: Programming language: C.
   NOTE: 20220530: update prepared, but there are test regressions, 
investigating (pochu)
 --
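
Review bot: Dropping the claim on curl leaves the 20220530 note ("update prepared, but there are test regressions, investigating (pochu)") as the newest status, with nothing recording that the package was unclaimed or where the prepared update can be found. Add a dated NOTE stating the unclaim and pointing to the work in progress, so the next person does not start from scratch.
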
@@ -56,7 +56,7 @@ exempi
   NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further 
analysis
   NOTE: 20220517: is needed.
 --
-firmware-nonfree (Markus Koschany)
+firmware-nonfree
   NOTE: 20220529: Programming language: binary blob.
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding 
possible "ignore" tag
@@ -128,7 +128,7 @@ lemonldap-ng
   NOTE: 20220529: Programming language: Perl.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) and 
10.5 (regression fix) (Beuc/front-desk)
 --
-liblouis (Andreas Rönnquist)
+liblouis
   NOTE: 20220529: Programming language: C.
   NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
   NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
@@ -240,7 +240,7 @@ pyjwt
   NOTE: 20220610: intention to mark as no-dsa for stretch, and will do so in a 
few days
   NOTE: 20220610: see 
https://lists.debian.org/msgid-search/20220610102343.6o3ak3ehc3jdo...@enricozini.org
 (enrico)
 --
-qemu (Abhijith PA)
+qemu
   NOTE: 20220529: Programming language: C.
   NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates 
since 2 years,
   NOTE: 20220527: so maybe coordinate to start anticipating the next LTS 
(Beuc/front-desk)
@@ -305,7 +305,7 @@ systemd (Stefano Rivera)
   NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but 
at the
   NOTE: 20220524: same time is severe and was fixed in other old distros 
(Beuc/front-desk)
 --
-tiff (Utkarsh)
+tiff
   NOTE: 20220529: Programming language: C.
   NOTE: 20220404: jessie upload at 
https://salsa.debian.org/lts-team/packages/tiff.
   NOTE: 20220404: if that works out well, I'll roll the same for stretch. 
(utkarsh)
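
Review bot: After "(Utkarsh)" is removed from the tiff line, the 20220404 note "if that works out well, I'll roll the same for stretch. (utkarsh)" still reads as an active plan. Add a dated NOTE saying the claim lapsed and whether the jessie upload at the linked repository is a usable starting point for stretch.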



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80932d5012591d55da525bfa43fcdd2c194cdfb



Re: gmp: machine-readable d/copyright and new repack

2022-06-12 Thread Anton Gladky
Hi Bastian,

thanks for the contribution!

I have just uploaded a new version with your changes
and repacked upstream tarball.

Best regards

Anton

On Sun, 12 June 2022 at 02:09, Bastian Germann wrote:
>
> Hi,
>
> I have just pushed some git commits that convert gmp's d/copyright file to 
> the machine-readable
> format and replace the repack logic to make use of Files-Excluded. Would some 
> team member who is
> more involved in gmp review the changes to make sure I have not missed 
> something?
>
> Thanks,
> Bastian
>



Re: pyjwt CVE-2022-29217 and stretch

2022-06-10 Thread Anton Gladky
Hi Enrico,

please pay attention that marking the CVE as no-dsa for LTS release
means that it still needs to be fixed!

We do not have point releases for o-o-stable so this state can just postpone
the upload, but it still needs to be fixed somehow.

If you feel that the patch is too destructive or something similar that
preserves a fix for this particular CVE, so the  tag is more appropriate
with corresponding comment.

Best regards

Anton

On Fri, 10 June 2022 at 12:24, Enrico Zini wrote:
>
> Hello,
>
> I've been looking at pyjwt and CVE-2022-29217 for stretch.
>
> In theory, the CVE does not apply, because pyjwt < 2.0.0 (stretch has
> 1.4.2) does not support ed25519, which is the algorithm that uses
> the specific PEM header that pyjwt was failing to blocklist.
>
> However, the patch at 
> https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc#diff-e952a2551c16d8c3865536b2bffb440e37f64fce6c4e23266f8722e1a48e8f19L564
> still introduces a stricter blocklisting of key material for the HMAC
> algorithm (line 188).
>
> I could either mark CVE-2022-29217 as no-dsa for stretch or, if we
> consider the stricter blocklisting worthwhile, prepare a DLA with only
> that part of the patch.
>
> https://security-tracker.debian.org/tracker/CVE-2022-29217 does consider
> the issue as minor, and I would agree, so my call would be to mark this
> as no-dsa.
>
> Let me know if you'd like me to still backport the applicable parts of
> the patch, otherwise I'll mark this as no-dsa in a few days.
>
>
> Enrico
>
> --
> GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 
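
The difference between a fixed blocklist and the stricter, format-based check of HMAC key material that Enrico's message refers to, as an added example (not code from pyjwt or from this thread). The marker list, regexes, function names and sample keys are constructed for illustration, and the example goes beyond the message by also covering OpenSSH-style public key lines.

```python
import hashlib
import hmac
import re

# Fixed list of markers, assumed for illustration (not copied from pyjwt).
# Any asymmetric key format missing from the list is accepted as a secret.
FIXED_MARKERS = (
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"ssh-rsa",
)

# Format-based detection: any PEM armour with matching BEGIN/END labels,
# and any OpenSSH public key line, whatever the key type.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----", re.DOTALL
)
SSH_RE = re.compile(
    rb"\s*(?:ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9]+)\s+[A-Za-z0-9+/]+=*"
)

# Constructed sample key material: realistic framing, but the body is not a key.
BODY = b"Q09OU1RSVUNURUQ="
K_LISTED = b"-----BEGIN PUBLIC KEY-----\n" + BODY + b"\n-----END PUBLIC KEY-----\n"
K_UNLISTED_PEM = (
    b"-----BEGIN EXAMPLE PUBLIC KEY-----\n" + BODY
    + b"\n-----END EXAMPLE PUBLIC KEY-----\n"
)
K_SSH = b"ssh-ed25519 " + BODY + b" user@example"
K_SECRET = b"constructed-random-shared-secret"


def fixed_list_flags(key: bytes) -> bool:
    """Flag the key only if it contains one of the listed markers."""
    return any(marker in key for marker in FIXED_MARKERS)


def format_flags(key: bytes) -> bool:
    """Flag anything shaped like a PEM block or an OpenSSH public key."""
    return bool(PEM_RE.search(key) or SSH_RE.match(key))


def prepare_hmac_key(key: bytes, detector=format_flags) -> bytes:
    """Refuse asymmetric key material before it is used as an HMAC secret."""
    if detector(key):
        raise ValueError("asymmetric key or certificate given as HMAC secret")
    return key


def verify_hs256(signing_input: bytes, signature: bytes, key: bytes,
                 detector=format_flags) -> bool:
    """Verify an HMAC-SHA256 signature, rejecting unsuitable keys first."""
    secret = prepare_hmac_key(key, detector)
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def audit(keys: dict) -> dict:
    """Return {name: (fixed_list_verdict, format_verdict)} for each key."""
    return {n: (fixed_list_flags(k), format_flags(k)) for n, k in keys.items()}


if __name__ == "__main__":
    samples = {"listed PEM": K_LISTED, "unlisted PEM": K_UNLISTED_PEM,
               "OpenSSH line": K_SSH, "shared secret": K_SECRET}
    for name, verdicts in audit(samples).items():
        print(f"{name:14} fixed-list={verdicts[0]!s:5} format-based={verdicts[1]}")
```
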



[Git][security-tracker-team/security-tracker][master] LTS: update notes for halibut package

2022-06-07 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db5552e7 by Anton Gladky at 2022-06-07T21:04:30+02:00
LTS: update notes for halibut package

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -89,6 +89,8 @@ halibut (Anton)
   NOTE: 20220605: https://salsa.debian.org/lts-team/packages/halibut/ (Anton)
   NOTE: 20220605: patch is over 2600 lines long. Consider updating to the 1.3 
version (Anton)
   NOTE: 20220605: Maintainer is contacted regarding this issue (Anton)
+  NOTE: 20220607: Maintainer is OK with the backport. But reverse dependencies 
should be checked whether the new version
+  NOTE: 20220607: is producing the same output. (Anton)
 --
 horizon
   NOTE: 20220529: Programming language: Python.
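
Review bot: "Maintainer is OK with the backport" in the first added NOTE is ambiguous next to the 20220605 note that suggests updating to the 1.3 version: it is not clear whether the backport means the 2600-line patch or the new upstream version. Say which one was agreed, and name the reverse dependencies whose output needs comparing, or how to list them.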



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db5552e7bac0724f97f0b7224e09baf4f807dc8d



[Git][security-tracker-team/security-tracker][master] LTS: Semi-automatic package unclaim after two weeks of inactivity

2022-06-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c58d680f by Anton Gladky at 2022-06-06T21:04:57+02:00
LTS: Semi-automatic package unclaim after two weeks of inactivity

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -34,7 +34,7 @@ cgal
   NOTE: 20220529: Programming language: C++.
   NOTE: 20220421: many no-dsa issues, please check, whether it is possible to 
fix them without uploading a new upstream release (Anton)
 --
-ckeditor (Sylvain Beucler)
+ckeditor
   NOTE: 20220529: Programming language: JavaScript.
   NOTE: 20220402: multiple pendings vulnerabilities (Beuc/front-desk)
   NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream 
stable 4.x,
@@ -99,7 +99,7 @@ horizon
   NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) 
(Beuc/front-desk)
   NOTE: 20220523: part of OpenStack (Beuc/front-desk)
 --
-icingaweb2 (Abhijith PA)
+icingaweb2
   NOTE: 20220529: Programming language: PHP.
   NOTE: 
https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc 
(abhijith)
   NOTE: 20220522: Pinged upstream for missing patches. Will write an detail
@@ -170,7 +170,7 @@ mariadb-10.1
 maven-shared-utils
   NOTE: 20220606: Programming language: Java.
 --
-mbedtls (Utkarsh)
+mbedtls
   NOTE: 20220529: Programming language: C.
   NOTE: 20220404: update prepared, needs testing. (utkarsh)
   NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
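
Review bot: The unclaim of mbedtls keeps "update prepared, needs testing" (20220404) and "waiting for a quick feedback from carnil" (20220419) as the last status, with no pointer to the prepared update. Record in a dated NOTE where that update lives and whether the feedback arrived, so the testing can be picked up rather than repeated.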



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c58d680fc081b79976a7df89546af8eb5c4ff436



[Git][security-tracker-team/security-tracker][master] LTS: Update info about halibut

2022-06-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5266811 by Anton Gladky at 2022-06-06T15:55:00+02:00
LTS: Update info about halibut

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,7 +94,9 @@ grunt
 --
 halibut (Anton)
   NOTE: 20220528: Programming language: C.
-  NOTE: 20220605: https://salsa.debian.org/lts-team/packages/halibut/
+  NOTE: 20220605: https://salsa.debian.org/lts-team/packages/halibut/ (Anton)
+  NOTE: 20220605: patch is over 2600 lines long. Consider updating to the 1.3 
version (Anton)
+  NOTE: 20220605: Maintainer is contacted regarding this issue (Anton)
 --
 horizon
   NOTE: 20220529: Programming language: Python.
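
Review bot: The added NOTE "patch is over 2600 lines long" does not say which patch or which CVE it fixes, so the size claim cannot be checked from this entry. Reference the CVE id or the upstream commit, and state which halibut version is currently shipped so the jump to 1.3 can be judged.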



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b526681161ce2744e2e0149f628421b8651ff3f2



[Git][security-tracker-team/security-tracker][master] LTS: Add info about halibut

2022-06-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5f3fc2d by Anton Gladky at 2022-06-06T15:40:40+02:00
LTS: Add info about halibut

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,6 +94,7 @@ grunt
 --
 halibut (Anton)
   NOTE: 20220528: Programming language: C.
+  NOTE: 20220605: https://salsa.debian.org/lts-team/packages/halibut/
 --
 horizon
   NOTE: 20220529: Programming language: Python.
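
Review bot: The added NOTE is a bare URL with no signature and no hint of what the repository contains, and it is dated 20220605 although the commit is from 2022-06-06. Add a few words on what is at the URL and sign the note, as the signed notes elsewhere in this file do.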



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5f3fc2dc980bed94f24fcdb02de0a2dad3d17d1



[Git][security-tracker-team/security-tracker][master] LTS: update programming language for request-tracker4

2022-06-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ede479b8 by Anton Gladky at 2022-06-06T15:02:30+02:00
LTS: update programming language for request-tracker4

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -255,7 +255,7 @@ qemu (Abhijith PA)
   NOTE: 20220527: so maybe coordinate to start anticipating the next LTS 
(Beuc/front-desk)
 --
 request-tracker4
-  NOTE: 20220529: Programming language: pm?.
+  NOTE: 20220529: Programming language: Perl.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.11 (1 CVE) 
(Beuc/front-desk)
 --
 ring



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ede479b84de7d405f4da0051fce91ea16ae71c3c



Bug#1009739: fixed in yade 2022.01a-8

2022-05-31 Thread Anton Gladky
Hi Bernhard,

I think one can ask the corresponding arm-mailing list. Anyway,
if you have a solution for that I could test it first on the real hardware.

Thanks

Anton

On Wed, 1 June 2022 at 00:12, Bernhard Übelacker wrote:

>
> Hello Anton,
> I am happy if my work helps.
> And I am sorry, but I fear my test shows now a failure
> for armhf and armel too.
>
> From 'echo | gcc -dM -E - | grep -i arm' I see gcc has
> on both platforms predefined the macro __ARMEL__.
> But I am not sure what is the best way to just detect those
> platforms, or maybe just check for sizeof(void*)==4 or similar.
>
> Kind regards,
> Bernhard
>





Re: SolveSpace update ready for review and sponsor

2022-05-30 Thread Anton Gladky
I have reviewed and uploaded the package! Thanks!

Anton

On Mon, 16 May 2022 at 19:32, Ryan Pavlik wrote:
>
> Hello Debian Science!
>
> I have prepared an updated package for SolveSpace, which I help
> develop/maintain, which recently put out its 3.1~rc1 release with
> substantial improvements. I have updated the package's git repo on
> salsa: https://salsa.debian.org/science-team/solvespace  and also
> pushed to Mentors: https://mentors.debian.net/package/solvespace/
>
> Since we now have upstream tarballs with the submodules included, we
> can now easily use debian/watch aka uscan to do the whole "getting new
> versions" thing, and we now use files-excluded in d/copyright to
> exclude mainly submodule files we don't want in our source package
> (Windows binaries, software already packaged in debian, generated
> doxygen files, etc.). Most of the patches I made for the last package
> release have now been integrated upstream, and only a few small new
> ones were needed, which are already submitted upstream. I also added
> lintian overrides for the false-positive checks, which does leave a
> few info/warning messages active, so I have a few things to improve in
> the future. However, it would be good to get this in. I did mostly
> test on Bullseye so it actually should be backportable easily too.
>
> Thank you!
>
> Ryan Pavlik
>



Bug#1009739: fixed in yade 2022.01a-8

2022-05-30 Thread Anton Gladky
Hi Bernhard,

Thank you very much for this information and for fixing it!

I have just uploaded boost1.74_1.74.0-15 with this fix and
will revert the workaround in yade!

Best regards

Anton





[Git][security-tracker-team/security-tracker][master] LTS: take halibut

2022-05-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4852dde8 by Anton Gladky at 2022-05-28T12:06:39+02:00
LTS: take halibut

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,7 +82,8 @@ golang-github-hashicorp-go-getter
 golang-go.crypto
   NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> 
DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
 --
-halibut
+halibut (Anton)
+  NOTE: 20220528: Programming language C.
 --
 haproxy
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.0 and 10.6 (3 
CVEs) (Beuc/front-desk)
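
Review bot: The added note reads "Programming language C." without the colon, while other entries in this file write "Programming language: C.". Use the same form so the field can be matched with one pattern.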



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4852dde80a09a6e967bea594cb5bf61c7e0cd9c1
