[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add tiff to dla-needed.txt

2023-01-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7e10d8 by Anton Gladky at 2023-01-26T06:25:25+01:00
LTS: add tiff to dla-needed.txt

- - - - -
9247fe01 by Anton Gladky at 2023-01-26T06:28:22+01:00
LTS: add bind9 to dla-needed.txt

- - - - -
a3f38955 by Anton Gladky at 2023-01-26T06:30:36+01:00
LTS: add libgit2 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,6 +26,11 @@ asterisk
   NOTE: 20221211: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --
+bind9
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git
+  NOTE: 20230126: Special attention: Package is used in many cases. Please be 
very carefull with fix and upload!.
+--
 ceph (Stefano Rivera)
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability 
can be exploited in a Debian system.
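
Review bot: The added bind9 "Special attention" note misspells "careful" as "carefull", and "Package is used in many cases" is too vague to act on. Suggest fixing the spelling and stating the concrete concern, for example what has to be tested before an upload.
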
@@ -127,6 +132,11 @@ libapache2-mod-auth-mellon (Adrian Bunk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
+libgit2
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
+  NOTE: 20230126: Please fix also CVE-2020* (gladk).
+--
 libhtml-stripscripts-perl (Utkarsh)
   NOTE: 20230125: Programming language: Perl.
   NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git
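
Review bot: The added libgit2 note "Please fix also CVE-2020* (gladk)" uses a wildcard instead of CVE ids, so whoever claims the package cannot tell which issues are in scope or when the entry is complete. List the specific CVE-2020 identifiers in the note.
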
@@ -347,6 +357,11 @@ sox
 thunderbird (Emilio)
   NOTE: 20230123: Programming language: C++
 --
+tiff
+  NOTE: 20230126: Programming language: C.
+  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
+  NOTE: 20230126: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html
+--
 tinymce
   NOTE: 20221227: Programming language: PHP.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] 4 commits: Add fix link to the libhtml-stripscripts-perl

2023-01-24 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a16069d by Anton Gladky at 2023-01-25T06:24:14+01:00
Add fix link to the libhtml-stripscripts-perl

- - - - -
ffc35fcd by Anton Gladky at 2023-01-25T06:28:55+01:00
LTS: add libhtml-stripscripts-perl to dla-needed.txt

- - - - -
6c96ab38 by Anton Gladky at 2023-01-25T06:39:18+01:00
LTS: add golang-yaml.v2 to dla-needed.txt

- - - - -
f5bd72e6 by Anton Gladky at 2023-01-25T06:45:04+01:00
LTS: add sofia-sip to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -1071,6 +1071,7 @@ CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A 
stack-based buffer overflow in
 CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows 
_hss_attval_ ...)
- libhtml-stripscripts-perl 1.06-4 (bug #1029400)
NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3
+   NOTE: https://github.com/clintongormley/perl-html-stripscripts/pull/4
 CVE-2023-24037
RESERVED
 CVE-2023-24036
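
Review bot: The NOTE added under CVE-2023-24038 is a bare pull/4 URL next to the existing bare issues/3 URL, so the file does not say which link is the report and which is the proposed fix. A pull request can also change after it is linked; once it is merged, point the note at the resulting commit and label it as the fix.
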


=
data/dla-needed.txt
=
@@ -101,6 +101,11 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
+golang-yaml.v2
+  NOTE: 20230125: Programming language: Go.
+  NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
+  NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
+--
 graphite-web
   NOTE: 20221229: Programming language: Python.
 --
@@ -122,6 +127,10 @@ libapache2-mod-auth-mellon
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
+libhtml-stripscripts-perl
+  NOTE: 20230125: Programming language: Perl.
+  NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
   NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/libreoffice.git
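
Review bot: The new libhtml-stripscripts-perl entry does not say which issue it is for; it carries only the language and VCS notes. The same push records the upstream pull request for CVE-2023-24038 in data/CVE/list, so a NOTE here naming that CVE would save the claimant a lookup.
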
@@ -325,6 +334,10 @@ snort (Markus Koschany)
   NOTE: 20230121: Prepared new upstream version for unstable which we could
   NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276
 --
+sofia-sip
+  NOTE: 20230125: Programming language: C.
+  NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git
+--
 sox
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/24a110dd2b485ff3413d8325916c5c7161215086...f5bd72e6efcb5a14077c4f09dd44e29ec62f4602



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-01-22 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6099979 by Anton Gladky at 2023-01-23T06:25:34+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -39,7 +39,7 @@ consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
 --
-curl (Roberto C. Sánchez)
+curl
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
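
Review bot: Dropping "(Roberto C. Sánchez)" from the curl line leaves no trace in the entry that it was claimed or when it was released, and the commit message says only "semi-automatic unclaim after 2 weeks of inactivity". Since the entry is flagged "high popcon", consider adding a dated NOTE that records the unclaim.
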
@@ -104,7 +104,7 @@ golang-websocket
 graphite-web
   NOTE: 20221229: Programming language: Python.
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6099979893cc261fd3a52e90fd87f3b8b95cc57



[Git][security-tracker-team/security-tracker][master] LTS: add some meta-info

2023-01-22 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d395b4c by Anton Gladky at 2023-01-23T06:21:27+01:00
LTS: add some meta-info

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -159,6 +159,8 @@ modsecurity-apache (Tobias Frost)
   NOTE: 20230120: Requested two CVEs for modecurity-apache (tobi)
   NOTE: 20230120: 1) for https://github.com/SpiderLabs/ModSecurity/pull/2857 
(WAF bypass vulnerabilty)
   NOTE: 20230120: 2) for https://github.com/SpiderLabs/ModSecurity/pull/2797 
(the counterpart of CVE 2022-39956)
+  NOTE: 20230123: Programming language: C
+  NOTE: 20230123: VCS: 
https://salsa.debian.org/lts-team/packages/modsecurity-apache.git
 --
 modsecurity-crs (Tobias Frost)
   NOTE: 20221006: Programming language: Other.
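
Review bot: The added "Programming language: C" line for modsecurity-apache has no trailing period, unlike "Programming language: Other." in the modsecurity-crs entry directly below it. Pick one form so the field reads the same across entries.
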
@@ -341,6 +343,7 @@ swift
   NOTE: 20230123: Thomas already uploaded the package; discussion on 
#debian-lts. (utkarsh)
 --
 thunderbird (Emilio)
+  NOTE: 20230123: Programming language: C++
 --
 tinymce
   NOTE: 20221227: Programming language: PHP.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d395b4c2f6f16763d2443061471dfa2be01081f



Re: libappimage lts update

2023-01-21 Thread Anton Gladky
Hello Scarlett,

thanks for your email!

Please prepare a fix for the package, upload it to your salsa repo, and
let us know.
We will take care of adding the package to the dla-needed list and
preparing all necessary steps for that.

If you prefer to upload the package on your own, we can also support and
consult you.

Best regards.

Anton


On Sat, 21 Jan 2023 at 16:21, Scarlett Moore <scarlett.gately.mo...@gmail.com> wrote:

> Hello,
> The security team pointed me here as Buster is now LTS.
> I am reaching out to see if/how I should update libappimage in buster.
> The bug is https://security-tracker.debian.org/tracker/CVE-2020-25265
> The upstream fix is:
> https://github.com/AppImageCommunity/libappimage/pull/146
> I followed instructions here:
>
> https://lts-team.pages.debian.net/wiki/Development.html#claim-the-issue-in-the-security-tracker-in-dla-needed-txt
>
> and the CVE is not listed. I need to know how I proceed as it stated
> Do not add it, frontdesk needs to. I am a maintainer of the package
> and I do have the upstream fix.
>
> Thank you for any assistance in the matter.
> Scarlett Moore
> 


Bug#1028951: Close

2023-01-21 Thread Anton Gladky
Thank you for your bug report!

It looks like the issue is no longer here. CI and
new upload did not show any regression. Thus
I am closing the ticket.

Thanks

Anton


[Git][security-tracker-team/security-tracker][master] LTS: fix old DLA entries

2023-01-19 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64c50f14 by Anton Gladky at 2023-01-19T18:45:54+01:00
LTS: fix old DLA entries

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -5858,7 +5858,7 @@
 [23 Apr 2018] DLA-1358-1 ruby1.9.1 - security update
{CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 
CVE-2018-8780 CVE-2018-175 CVE-2018-176 CVE-2018-177 
CVE-2018-178}
[wheezy] - ruby1.9.1 1.9.3.194-8.1+deb7u8
-[22 Apr 2018] DLA-1357-1 gunicorn -- security-update
+[22 Apr 2018] DLA-1357-1 gunicorn - security-update
{CVE-2018-1000164}
[wheezy] - gunicorn 0.14.5-3+deb7u2
 [19 Apr 2018] DLA-1356-1 libreoffice - security update
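
Review bot: The gunicorn line still reads "security-update" with a hyphen after this fix, while the neighbouring DLA-1358-1 and DLA-1356-1 entries use "security update". If the goal is to normalise old entries, change the description as well as the separator.
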
@@ -8887,7 +8887,7 @@
 [06 Dec 2015] DLA-360-1 linux-2.6 - security update
{CVE-2013-7446 CVE-2015-7799 CVE-2015-7833 CVE-2015-7990 CVE-2015-8324}
[squeeze] - linux-2.6 2.6.32-48squeeze17
-[04 Dec 2015] DLA-359-1 mysql-5.5 packages as an option announcement
+[04 Dec 2015] DLA-359-1 mysql-5.5 - packages as an option announcement
{CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 
CVE-2015-2573 CVE-2015-4752 CVE-2015-4737 CVE-2015-2648 CVE-2015-2643 
CVE-2015-2620 CVE-2015-2582 CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 
CVE-2015-4816 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836 
CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879 CVE-2015-4913}
[squeeze] - mysql-5.5 5.5.46-0+deb6u1
 [03 Dec 2015] DLA-358-1 openssl - security update
@@ -9756,7 +9756,7 @@
 [21 Oct 2014] DLA-74-1 ppp - security update
{CVE-2014-3158}
[squeeze] - ppp 2.4.5-4+deb6u1
-[21 Oct 2014] DLA-73-1 tzdata update
+[21 Oct 2014] DLA-73-1 tzdata - update
[squeeze] - tzdata 2014h-0squeeze1
 [20 Oct 2014] DLA-72-2 rsyslog - regression update
[squeeze] - rsyslog 4.6.4-2+deb6u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c50f140e3df846ee219182bfca7e919833c96a



Re: [Yade-users] [Yade-dev] Upcoming Yade Release 2023.01

2023-01-18 Thread Anton Gladky
Thanks for your work, Janek! I really appreciate it!

I will start preparing for a release this week, but will wait
until next week for some upcoming features.

Regards

Anton


On Wed, 18 Jan 2023 at 23:20, Janek Kozicki (yade) <jkozicki-y...@pg.edu.pl> wrote:

> Hi,
>
> I created update Changelog MR for this:
>
> https://gitlab.com/yade-dev/trunk/-/merge_requests/917/diffs
>
> best regards
> Janek
>
> Anton Gladky said: (by the date of Mon, 16 Jan 2023 21:16:59 +0100)
>
> > Dear all,
> >
> > as always at the beginning of the year we are preparing
> > the stable Yade Release.
> >
> > Please, push your changes through merge requests till this Friday,
> > 20.01.2023 and think about adding some more notes into the
> > Changelog [1].
> >
> > [1] https://pad.systemli.org/p/yade-2023-changelog
> >
> > Thank you
> >
> > Anton
> >
> > ___
> > Mailing list: https://launchpad.net/~yade-dev
> > Post to : yade-...@lists.launchpad.net
> > Unsubscribe : https://launchpad.net/~yade-dev
> > More help   : https://help.launchpad.net/ListHelp
>
>
> --
> --
> Janek Kozicki, PhD. DSc. Arch. Assoc. Prof.
> Gdansk University of Technology (Gdansk Tech)
> Faculty of Applied Physics and Mathematics
> Institute of Physics and Applied Computer Science
> Division of Theoretical Physics and Quantum Information
> --
> http://yade-dem.org/
> http://pg.edu.pl/p/jan-kozicki-19725
> http://mostwiedzy.pl/en/jan-kozicki,19725-1
>
___
Mailing list: https://launchpad.net/~yade-users
Post to : yade-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yade-users
More help   : https://help.launchpad.net/ListHelp


[Yade-users] Upcoming Yade Release 2023.01

2023-01-16 Thread Anton Gladky
Dear all,

as always at the beginning of the year we are preparing
the stable Yade Release.

Please, push your changes through merge requests till this Friday,
20.01.2023 and think about adding some more notes into the
Changelog [1].

[1] https://pad.systemli.org/p/yade-2023-changelog

Thank you

Anton



[Git][security-tracker-team/security-tracker][master] LTS: take xfig

2023-01-15 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2148892 by Anton Gladky at 2023-01-16T07:15:29+01:00
LTS: take xfig

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -360,7 +360,7 @@ xdg-utils
   NOTE: 20230111: VCS: https://salsa.debian.org/freedesktop-team/xdg-utils
   NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used
 --
-xfig
+xfig (gladk)
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a21488920fa30ea7473144a2e716ca5b9cabb06a



[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity

2023-01-15 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45925203 by Anton Gladky at 2023-01-16T06:34:20+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -
aae91bcb by Anton Gladky at 2023-01-16T07:10:22+01:00
LTS: Add VCS information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -146,6 +146,7 @@ libstb
 --
 libzen (Thorsten Alteholz)
   NOTE: 20230115: Programming language: C.
+  NOTE: 20230116: VCS: https://salsa.debian.org/lts-team/packages/libzen.git
 --
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
@@ -328,7 +329,7 @@ sox
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
 --
-tiff (Sylvain Beucler)
+tiff
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html
@@ -339,6 +340,7 @@ tinymce
 --
 tor (Thorsten Alteholz)
   NOTE: 20220115: Programming language: C.
+  NOTE: 20230116: VCS: https://salsa.debian.org/lts-team/packages/tor.git
 --
 trafficserver
   NOTE: 20220905: Programming language: C.
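
Review bot: The tor entry's existing language note is dated 20220115, while the libzen entry with the same claimant in this diff is dated 20230115. Worth checking whether 20220115 is a typo while this entry is being touched.
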
@@ -362,7 +364,7 @@ xfig
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
-xrdp (Abhijith PA)
+xrdp
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3e93e31dd7487a93cab970dcf92791952b8c77e6...aae91bcb61216038fe6c46b87c080273341a36e7



Bug#1028489: transition: boost1.81

2023-01-11 Thread Anton Gladky
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: boost1...@packages.debian.org
Control: affects -1 + src:boost1.81


Dear release team,

this is the placeholder for the possible upcoming boost1.81 transition.
We are working hard to prepare the transition as smoothly as possible.

A large test rebuild of all dependent packages is planned.

Thanks

Ben file:

title = "boost1.81";
is_affected = .depends ~ /libboost[a-z-.]*1\.(74|81)/
is_good = .depends ~ /libboost[a-z-.]*1\.81/
is_bad = .depends ~ /libboost[a-z-.]*1\.74/



[Git][security-tracker-team/security-tracker][master] LTS: Add missing meta information in packages

2023-01-10 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14dce102 by Anton Gladky at 2023-01-11T07:13:02+01:00
LTS: Add missing meta information in packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -55,6 +55,7 @@ erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
   NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
+  NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used.
 --
 fig2dev
   NOTE: 20230105: Programming language: C.
@@ -78,6 +79,7 @@ golang-1.11
   NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)
   NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921
+  NOTE: 20230111: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
 --
 golang-github-nats-io-jwt
   NOTE: 20221109: Programming language: Go.
@@ -151,6 +153,7 @@ libxstream-java
   NOTE: 20221231: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/libxstream-java.html
 --
 linux (Ben Hutchings)
+  NOTE: 20230111: Programming language: C
 --
 man2html
   NOTE: 20221004: Programming language: C.
@@ -334,6 +337,7 @@ snakeyaml
 snort
   NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to 
be fixed or ignored.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git
+  NOTE: 20230111: Programming language: C
 --
 sox
   NOTE: 20220818: Programming language: C.
@@ -370,6 +374,7 @@ xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
   NOTE: 20230111: VCS: https://salsa.debian.org/freedesktop-team/xdg-utils
+  NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their 
VCS can be used
 --
 xfig
   NOTE: 20230105: Programming language: C.
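
Review bot: The "Maintainer notes" line added for xdg-utils ends without a period, while the identical sentence added for erlang in the first hunk of this commit ends with one. Make the two lines match.
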



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14dce10205c0e7eb2b3ccbd6b5883ac0af57b4e5



[Git][security-tracker-team/security-tracker][master] LTS: Add missing VCS information in packages

2023-01-10 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc6470c0 by Anton Gladky at 2023-01-11T06:50:53+01:00
LTS: Add missing VCS information in packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -24,6 +24,7 @@ apache2
 --
 asterisk
   NOTE: 20221211: Programming language: C.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --
 ceph (Stefano Rivera)
   NOTE: 20221031: Programming language: C++.
@@ -32,6 +33,7 @@ ceph (Stefano Rivera)
   NOTE: 20221130: CVE-2022-3650: The patch is kind of trivial Python stuff 
backporting work.
   NOTE: 20221130: Can someone take care of it in Buster? I'm currently 
building the Bullseye backport of the fix...
   NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html  
(zigo/maintainer)
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
 --
 consul
   NOTE: 20221031: Programming language: Go.
@@ -52,6 +54,7 @@ dojo
 erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
+  NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang
 --
 fig2dev
   NOTE: 20230105: Programming language: C.
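
Review bot: The erlang VCS URL points to the erlang-team namespace and has no .git suffix, while most other URLs added in this commit have the form lts-team/packages/<name>.git. If the maintainer's repository is intended, say so in a note next to it; the same applies to the xdg-utils URL in the last hunk.
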
@@ -107,6 +110,7 @@ kopanocore
 --
 lava
   NOTE: 20221127: Programming language: Python.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/lava.git
 --
 lemonldap-ng
   NOTE: 20230105: Programming language: Perl.
@@ -124,12 +128,15 @@ libde265
   NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are 
fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
   NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
   NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 
CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. 
(I've proposed a patch upstream, waiting for feeback) (tobi)
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libde265.git
 --
 libitext5-java (Markus Koschany)
   NOTE: 20221225: Programming language: Java.
+  NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/libitext5-java.git
 --
 libreoffice
   NOTE: 20221012: Programming language: C++.
+  NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/libreoffice.git
 --
 libsdl2
   NOTE: 2022: Programming language: C.
@@ -153,9 +160,11 @@ man2html
 modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
+  NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/modsecurity-crs.git
 --
 net-snmp (guilhem)
   NOTE: 20221120: Programming language: C.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/net-snmp.git
 --
 netatalk
   NOTE: 20220816: Programming language: C.
@@ -225,6 +234,7 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20221225: Programming language: binary blob.
   NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk)
   NOTE: 20230103: https://lists.debian.org/debian-lts/2023/01/msg5.html
+  NOTE: 20230111: VCS: 
https://salsa.debian.org/lts-team/packages/nvidia-graphics-drivers-legacy-390xx.git
 --
 openimageio
   NOTE: 20221225: Programming language: C.
@@ -288,6 +298,7 @@ rainloop
 --
 ring
   NOTE: 20221120: Programming language: C.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git
 --
 ruby-loofah
   NOTE: 20221231: Programming language: Ruby.
@@ -322,11 +333,13 @@ snakeyaml
 --
 snort
   NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to 
be fixed or ignored.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git
 --
 sox
   NOTE: 20220818: Programming language: C.
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
 --
 tiff (Sylvain Beucler)
   NOTE: 20221031: Programming language: C.
@@ -345,6 +358,7 @@ trafficserver
 --
 viewvc (Chris Lamb)
   NOTE: 20230104: Programming language: Python.
+  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/viewvc.git
 --
 webkit2gtk
   NOTE: 20221229: Programming language: C++.
@@ -355,6 +369,7 @@ webkit2gtk
 xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
+  NOTE: 20230111: VCS: https://salsa.debian.org/freedesktop-team/xdg-utils
 --
 xfig
   NOTE: 20230105: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc6470c03cb018260a123a874d9df531919cd674


Bug#1028110: marked as pending in php-horde-lz4

2023-01-07 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1028110 in php-horde-lz4 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde-lz4/-/commit/4e5ab4940daf5cfd1dd92529ad02f634b4e3234a


d/t/control: add php-dom. (Closes: #1028110)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1028110



Bug#1003784: marked as pending in php-horde-wicked

2023-01-05 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1003784 in php-horde-wicked reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde-wicked/-/commit/a4c38ee869b6e86c8b6ffe459732f1542cb3dfc0


d/patches: fix php8.0 failure. (Closes: #1003784)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1003784



Bug#1003473: marked as pending in php-horde-lz4

2023-01-04 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1003473 in php-horde-lz4 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde-lz4/-/commit/17094c5f099ecf0d5ccbb89da690a759b185e559


d/patches: fix compilation against php8.1. (Closes: #1003473)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1003473



Bug#1027855: RM: boost1.80/experimental -- ROM; Package is replaced by a newer 1.80 version

2023-01-03 Thread Anton Gladky
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove

Please remove 1.80 in experimental.

Thanks

Anton



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-01-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3be6a11 by Anton Gladky at 2023-01-03T10:01:11+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -37,7 +37,7 @@ consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
 --
-curl (Roberto C. Sánchez)
+curl
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
@@ -47,10 +47,10 @@ erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
 --
-exiv2 (Helmut Grohne)
+exiv2
   NOTE: 20221119: Programming language: C.
 --
-firmware-nonfree (Markus Koschany)
+firmware-nonfree
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)
   NOTE: 20221211: Programming language: Binary blob
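Review bot: in the firmware-nonfree entry the claim by Markus Koschany is removed, but the last status line left in place is "NOTE: 20221204: Coming soon in the first week of December. (apo)", which now reads as an upload in progress with nobody assigned. The same hunk leaves exiv2 with only its language note. Appending a dated NOTE that records the unclaim and what is known about the state of the work would let the next claimant tell whether there is partial work to pick up.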
@@ -88,7 +88,7 @@ golang-websocket
 graphite-web
   NOTE: 20221229: Programming language: Python.
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
@@ -110,7 +110,7 @@ libde265
   NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
   NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 
CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. 
(I've proposed a patch upstream, waiting for feeback) (tobi)
 --
-libetpan (Utkarsh)
+libetpan
   NOTE: 20221203: Programming language: C++.
   NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git
 --
@@ -147,7 +147,7 @@ net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.
 --
-netatalk (gladk)
+netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
   NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
@@ -174,7 +174,7 @@ node-got
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-moment (Utkarsh)
+node-moment
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3be6a1188a7427b8a03c8697580ba203c17780f

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-31 Thread Anton Gladky
Hi Sebastian,

Thanks for noting it! #1027402 is fixed now in unstable (that was a wrong version
in Breaks+Replaces).

Regards

Anton

On Sat, 31 Dec 2022 at 14:20, Sebastian Ramacher wrote:
>
> Hi Anton
>
> On 2022-12-28 09:30:00 +0100, Anton Gladky wrote:
> > Hi Sebastian,
> >
> > sundials is already in NEW, fixing two RC bugs.
> > Dyssol will be uploaded shortly.
>
> It's now in unstable. Please also fix #1027402.
>
> Cheers
>
> >
> > Regards
> >
> > Anton
> >
> > On Tue, 27 Dec 2022 at 12:23, Sebastian Ramacher wrote:
> > >
> > > Hi Drew, hi Anton
> > >
> > > On 2022-12-19 21:52:10 +0100, Sebastian Ramacher wrote:
> > > > Hi Drew
> > > >
> > > > On 2022-12-19 18:14:53 +0100, Drew Parsons wrote:
> > > > > The hypre/petsc part of this transition is complete.
> > > > >
> > > > > The sundials part is waiting for dyssol to be patched.  Anton is preparing
> > > > > this.
> > > >
> > > > sundials will also need fixes for #1026330 and #1026352.
> > >
> > > Any news regarding sundials?
> > >
> > > Cheers
> > >
> > > >
> > > > Cheers
> > > >
> > > > >
> > > > > Drew
> > > > >
> > > > >
> > > > > On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > > > > > Control: tags -1 confirmed
> > > > > >
> > > > > > Hi Drew
> > > > > >
> > > > > > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> > > > > > > Package: release.debian.org
> > > > > > > Severity: normal
> > > > > > > User: release.debian@packages.debian.org
> > > > > > > Usertags: transition
> > > > > > > X-Debbugs-Cc: Anton Gladky 
> > > > > > >
> > > > > > > > We'd like to update the numerical library stack in time for the new
> > > > > > > > stable release.
> > > > > > > >
> > > > > > > > Affected libraries are
> > > > > > > >
> > > > > > > > hypre        2.25.0 -> 2.26.0
> > > > > > > > petsc/slepc  3.17   -> 3.18
> > > > > > > > sundials     5.8.0  -> 6.4.1
> > > > > > >
> > > > > > > Autotransitions are already generated:
> > > > > > > https://release.debian.org/transitions/html/auto-hypre.html
> > > > > > > https://release.debian.org/transitions/html/auto-petsc.html
> > > > > > > https://release.debian.org/transitions/html/auto-slepc.html
> > > > > > > https://release.debian.org/transitions/html/auto-sundials.html
> > > > > > >
> > > > > > > Most of the dependent packages are under our control
> > > > > > > (Debian Science Team), octave is the main one outside our team.
> > > > > > >
> > > > > > > Updates have built fine in experimental and dependent
> > > > > > > packages are building successfully against them.
> > > > > > >
> > > > > > > Anton Gladky will upload the sundials update.
> > > > > >
> > > > > > Please go ahead
> > > > > >
> > > > > > Cheers
> > > > >
> > > >
> > > > --
> > > > Sebastian Ramacher
> > > >
> > >
> > > --
> > > Sebastian Ramacher
> >
>
> --
> Sebastian Ramacher



Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-28 Thread Anton Gladky
Hi Sebastian,

sundials is already in NEW, fixing two RC bugs.
Dyssol will be uploaded shortly.

Regards

Anton

On Tue, 27 Dec 2022 at 12:23, Sebastian Ramacher wrote:
>
> Hi Drew, hi Anton
>
> On 2022-12-19 21:52:10 +0100, Sebastian Ramacher wrote:
> > Hi Drew
> >
> > On 2022-12-19 18:14:53 +0100, Drew Parsons wrote:
> > > The hypre/petsc part of this transition is complete.
> > >
> > > The sundials part is waiting for dyssol to be patched.  Anton is preparing
> > > this.
> >
> > sundials will also need fixes for #1026330 and #1026352.
>
> Any news regarding sundials?
>
> Cheers
>
> >
> > Cheers
> >
> > >
> > > Drew
> > >
> > >
> > > On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > > > Control: tags -1 confirmed
> > > >
> > > > Hi Drew
> > > >
> > > > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> > > > > Package: release.debian.org
> > > > > Severity: normal
> > > > > User: release.debian@packages.debian.org
> > > > > Usertags: transition
> > > > > X-Debbugs-Cc: Anton Gladky 
> > > > >
> > > > > We'd like to update the numerical library stack in time for the new
> > > > > stable release.
> > > > >
> > > > > Affected libraries are
> > > > >
> > > > > > hypre        2.25.0 -> 2.26.0
> > > > > > petsc/slepc  3.17   -> 3.18
> > > > > > sundials     5.8.0  -> 6.4.1
> > > > >
> > > > > Autotransitions are already generated:
> > > > > https://release.debian.org/transitions/html/auto-hypre.html
> > > > > https://release.debian.org/transitions/html/auto-petsc.html
> > > > > https://release.debian.org/transitions/html/auto-slepc.html
> > > > > https://release.debian.org/transitions/html/auto-sundials.html
> > > > >
> > > > > Most of the dependent packages are under our control
> > > > > (Debian Science Team), octave is the main one outside our team.
> > > > >
> > > > > Updates have built fine in experimental and dependent
> > > > > packages are building successfully against them.
> > > > >
> > > > > Anton Gladky will upload the sundials update.
> > > >
> > > > Please go ahead
> > > >
> > > > Cheers
> > >
> >
> > --
> > Sebastian Ramacher
> >
>
> --
> Sebastian Ramacher



Bug#973875: Closing the bug

2022-12-21 Thread Anton Gladky
As far as I understand the issue, it is already
resolved in the current versions of the package.

Thus, I am closing it.

Please feel free to reopen, if you think the issue is still here.

Thanks

Anton



Bug#1025056: transition: numerical library transition: hypre / petsc / slepc / sundials

2022-12-19 Thread Anton Gladky
Dyssol has just been (today!) released. I will upload it ASAP.

Regards

Anton

On Mon, 19 Dec 2022 at 18:14, Drew Parsons wrote:
>
> The hypre/petsc part of this transition is complete.
>
> The sundials part is waiting for dyssol to be patched.  Anton is
> preparing this.
>
> Drew
>
>
> On 2022-11-29 23:34, Sebastian Ramacher wrote:
> > Control: tags -1 confirmed
> >
> > Hi Drew
> >
> > On 2022-11-29 12:16:55 +0100, Drew Parsons wrote:
> >> Package: release.debian.org
> >> Severity: normal
> >> User: release.debian@packages.debian.org
> >> Usertags: transition
> >> X-Debbugs-Cc: Anton Gladky 
> >>
> >> We'd like to update the numerical library stack in time for the new
> >> stable release.
> >>
> >> Affected libraries are
> >>
> >> hypre        2.25.0 -> 2.26.0
> >> petsc/slepc  3.17   -> 3.18
> >> sundials     5.8.0  -> 6.4.1
> >>
> >> Autotransitions are already generated:
> >> https://release.debian.org/transitions/html/auto-hypre.html
> >> https://release.debian.org/transitions/html/auto-petsc.html
> >> https://release.debian.org/transitions/html/auto-slepc.html
> >> https://release.debian.org/transitions/html/auto-sundials.html
> >>
> >> Most of the dependent packages are under our control
> >> (Debian Science Team), octave is the main one outside our team.
> >>
> >> Updates have built fine in experimental and dependent
> >> packages are building successfully against them.
> >>
> >> Anton Gladky will upload the sundials update.
> >
> > Please go ahead
> >
> > Cheers



Bug#1003648: Reassign

2022-12-15 Thread Anton Gladky
reassign 1003648 php-horde-prefs/2.9.0-8
thanks

The warning is in Prefs.php, which is in package php-horde-prefs.
Some other packages can be affected.

Anton



Bug#1003649: marked as pending in php-horde-argv

2022-12-14 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1003649 in php-horde-argv reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/horde-team/php-horde-argv/-/commit/1a6dde08c44d5a075389a66e46a90c86ee6c40e1


Fix autopkgtests. (Closes: #1003649)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1003649



Bug#1025658: libboost-python1.74-dev: Python 3.11 changes break loading of boost-python using extensions

2022-12-11 Thread Anton Gladky
Hi Niels,

thanks for the note. Yes, I will take care of it.

Regards

Anton



[Git][security-tracker-team/security-tracker][master] LTS: Reclaim netatalk

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b64dc7c by Anton Gladky at 2022-12-12T06:17:19+01:00
LTS: Reclaim netatalk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -147,9 +147,12 @@ net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.
 --
-netatalk
+netatalk (gladk)
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
+  NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
+  NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. 
(gladk)
+
 --
 nextcloud-desktop
   NOTE: 20221128: Programming language: C++.
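Review bot: the lines added for netatalk end with an empty "+" line before the "--" separator, which no other entry in the visible context has; drop it so the entry ends directly at "--". The new VCS URL also lacks the .git suffix used by the other lts-team/packages VCS notes in this file, and the remark that CVE-2022-0194 is "probably too intrusive" would help later readers more if it said whether that CVE is to be postponed or ignored.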



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b64dc7cb23483dd6b916d552b70ec61312e9cbe



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d488679b by Anton Gladky at 2022-12-12T06:02:49+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,7 +87,7 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
@@ -147,7 +147,7 @@ net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.
 --
-netatalk (gladk)
+netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d488679beaf8c3eb9ff21345be4908e165190806



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add asterisk to dla-needed.txt

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eacaf48e by Anton Gladky at 2022-12-11T20:00:25+01:00
LTS: add asterisk to dla-needed.txt

- - - - -
3006dd86 by Anton Gladky at 2022-12-11T20:04:15+01:00
LTS: add some more info into firmware-nonfree

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -14,6 +14,7 @@ rather than remove/replace existing ones.
 
 --
 asterisk
+  NOTE: 20221211: Programming language: C.
 --
 cacti
   NOTE: 20221208: Programming language: PHP.
@@ -47,6 +48,8 @@ exiv2
 firmware-nonfree (Markus Koschany)
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)
+  NOTE: 20221211: Programming language: Binary blob
+  NOTE: 20221211: VCS: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree.git
 --
 fusiondirectory
   NOTE: 20221203: Programming language: PHP.
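Review bot: the added "Programming language: Binary blob" for firmware-nonfree has no trailing period, while the other language notes in this file end with one ("Programming language: C.", "Programming language: PHP."), and it puts a value that is not a language into a field that otherwise names one. Add the period for consistency and consider a wording that anyone filtering entries by language will not mistake for a real language name.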



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/487a94c1660fff1d08597aadc8bb7c175c9747ae...3006dd86f53a5438ff47e69b7e172d4facc74a09



[Git][security-tracker-team/security-tracker][master] LTS: Add testsuites to the packages

2022-12-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17d733ec by Anton Gladky at 2022-12-09T20:59:05+01:00
LTS: Add testsuites to the packages

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,6 +17,7 @@ asterisk
 --
 cacti
   NOTE: 20221208: Programming language: PHP.
+  NOTE: 20221208: VCS: https://salsa.debian.org/cacti-team/cacti/
 --
 ceph
   NOTE: 20221031: Programming language: C++.
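Review bot: the line added to cacti is dated 20221208 while every other line added by this commit is dated 20221209, and it adds a VCS URL rather than a Testsuite link, which the commit subject "LTS: Add testsuites to the packages" does not cover (the grub2 hunk does the same). Use the commit date, and either mention the VCS additions in the commit message or split them into their own commit. The URL also ends in a slash instead of the .git form used for curl and nodejs.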
@@ -34,6 +35,7 @@ curl (Roberto C. Sánchez)
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/curl.html
 --
 erlang
   NOTE: 20221119: Programming language: Erlang.
@@ -85,6 +87,7 @@ golang-websocket
 grub2 (Salvatore Bonaccorso, Steve McIntyre)
   NOTE: 20221208: Programming language: C.
   NOTE: 20221208: Incorrectly/not-applied applied in DLA-3190-1
+  NOTE: 20221209: VCS: https://salsa.debian.org/lts-team/packages/grub.git
 --
 hsqldb (Markus Koschany)
   NOTE: 20221031: Programming language: Java.
@@ -219,10 +222,12 @@ nodejs
   NOTE: 20221105: Programming language: Javascript, C/C++, Python
   NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
   NOTE: 20221105: Source code not checked. It may be so that the vulnerability 
is not present in buster.
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html
 --
 openexr (Markus Koschany)
   NOTE: 20220904: Programming language: C++.
   NOTE: 20220904: Should be synced with Stretch. (apo)
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/openexr.html
 --
 php-cas
   NOTE: 20221105: Programming language: PHP.
@@ -234,6 +239,7 @@ php-cas
 php7.3 (Emilio)
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: CVE-2022-37454 is what is of most concern.
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/php.html
 --
 pluxml
   NOTE: 20220913: Programming language: PHP.
@@ -253,6 +259,7 @@ qemu
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: I updated the status of all opened (minor) CVEs to more 
clearly state whether we can fix or are waiting for a patch,
   NOTE: 20221108: there's about half of them that can be fixed now (or 
definitely ignored if backporting is too risky/complex) (Beuc/front-desk)
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/qemu.html
 --
 r-cran-commonmark
   NOTE: 20221009: Programming language: R.
@@ -268,6 +275,8 @@ rails
   NOTE: 20221003: 
https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith)
   NOTE: 20221024: Delay upload, see above comment, users have done workaround. 
Not a good idea
   NOTE: 20221024: to break thrice in less than 2 month.
+  NOTE: 20221209: Programming language: Ruby.
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/rails.html
 --
 rainloop
   NOTE: 20220913: Programming language: PHP, JavaScript.
@@ -289,6 +298,7 @@ salt
   NOTE: 20220814: Packages is not in the supported packages by us.
   NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
   NOTE: 20220814: without backporting a newer verion. (Anton)
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
 --
 samba
   NOTE: 20220904: Programming language: C.
@@ -307,6 +317,7 @@ sox
 tiff
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html
 --
 trafficserver
   NOTE: 20220905: Programming language: C.
@@ -320,4 +331,6 @@ xdg-utils
 --
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be 
fixed in buster too.
+  NOTE: 20221209: Programming language: C.
+  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17d733ecc3a4999acf4298a6c6491f2ecf7db106



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-12-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7ecb41c by Anton Gladky at 2022-12-05T06:44:04+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,7 +52,7 @@ fusiondirectory
   NOTE: 20221203: Also the package was removed from sid recently (gladk).
   NOTE: 20221203: Feel free to marke both CVEs as , if they are not 
too serious (gladk).
 --
-fwupd (Stefano Rivera)
+fwupd
   NOTE: 20221003: Programming language: C++.
 --
 git
@@ -244,7 +244,7 @@ php-cas
   NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS 
for reference (Beuc/front-desk)
   NOTE: 20221110: upcoming DSA (Beuc/front-desk)
 --
-php7.3 (Emilio)
+php7.3
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: CVE-2022-37454 is what is of most concern.
 --
@@ -290,7 +290,7 @@ rainloop
   NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
   NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
-ring (Thorsten Alteholz)
+ring
   NOTE: 20221120: Programming language: C.
 --
 ruby-rails-html-sanitizer
@@ -331,7 +331,7 @@ trafficserver
   NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
   NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
 --
-virglrenderer (Thorsten Alteholz)
+virglrenderer
   NOTE: 20221009: Programming language: C.
 --
 xdg-utils



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7ecb41c44bc87f78f854716627498c70e0d7653



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add awstats to dla-needed.txt

2022-12-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
131fb7b0 by Anton Gladky at 2022-12-04T23:30:21+01:00
LTS: add awstats to dla-needed.txt

- - - - -
e693d0b5 by Anton Gladky at 2022-12-04T23:39:42+01:00
LTS: add node-hawk to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -12,6 +12,10 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
+--
+awstats
+  NOTE: 20221204: Programming language: Perl.
+  NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/awstats.git
 --
 ceph
   NOTE: 20221031: Programming language: C++.
@@ -184,6 +188,10 @@ node-got
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
 --
+node-hawk
+  NOTE: 20221204: Programming language: Javascript.
+  NOTE: 20221204: VCS: https://salsa.debian.org/lts-team/packages/node-hawk.git
+--
 node-json-schema
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.2 (Beuc/front-desk)
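Review bot: The added `node-hawk` line spells the language `Javascript`, while the neighbouring `node-got` and `node-json-schema` entries in this same hunk use `JavaScript`. Anything that groups or filters entries by the `Programming language:` string will treat these as two different languages; please use `JavaScript`. The new entry also does not say which CVE prompted it.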



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cafb47737e7036ec9be77a2b0db8f69f413f725e...e693d0b5cf3c53f4f975ba642ebf14de42ad3beb



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add fusiondirectory to dla-needed.txt

2022-12-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba6f0df3 by Anton Gladky at 2022-12-03T22:31:20+01:00
LTS: add fusiondirectory to dla-needed.txt

- - - - -
dd890a05 by Anton Gladky at 2022-12-03T23:44:09+01:00
LTS: add libetpan to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -40,6 +40,13 @@ exiv2
 firmware-nonfree (Markus Koschany)
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
 --
+fusiondirectory
+  NOTE: 20221203: Programming language: PHP.
+  NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
+  NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
+  NOTE: 20221203: Also the package was removed from sid recently (gladk).
+  NOTE: 20221203: Feel free to marke both CVEs as , if they are not 
too serious (gladk).
+--
 fwupd (Stefano Rivera)
   NOTE: 20221003: Programming language: C++.
 --
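Review bot: In the added `fusiondirectory` block, the last NOTE ("Feel free to marke both CVEs as , if they are not too serious") has a typo ("marke") and, as the line reads here, names no target state after "as". The block also speaks of "Two CVEs" and "both CVEs" without listing their IDs. Please spell out the intended tracker state and the CVE IDs so the instruction can be acted on without further lookup.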
@@ -107,6 +114,10 @@ libde265
   NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are 
fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
   NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
 --
+libetpan
+  NOTE: 20221203: Programming language: C++.
+  NOTE: 20221203: VCS: https://salsa.debian.org/lts-team/packages/libetpan.git
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/51cca91dbdfed80ffe83a94e875befce8d3e704b...dd890a054bb9581b552a2c546f5786631bf7784c



Re: Status of buster/armel

2022-12-02 Thread Anton Gladky
Hi Sergio,

armel, as well as some other platforms, is not being
supported by the LTS. One of the reasons is that
we have limited resources, so we can support
only a subset of archs.

Best regards

Anton

On Fri, 2 Dec 2022 at 14:21, Sergio Callegari wrote:
>
>  From the LTS web site, I see that armel is not listed among the
> architectures that are given LTS support for buster.
>
> I would like to check that this is indeed the case or whether armel is
> going to come.
>
> On one hand, it is quite understandable that supporting armel today may
> not be very desirable from your perspective as it brings a lot of work on
> slow hardware. On the other hand upgrading such old hardware is a pain,
> so having the possibility to keep it at buster until it is eventually
> replaced could be useful.
>
> Thanks for your help and effort,
>
> Best regards,
>
> Sergio
>
>



[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2022-4520{2,4} (gpac) as end-of-life

2022-12-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
addabc15 by Anton Gladky at 2022-12-01T22:44:19+01:00
Mark CVE-2022-4520{2,4} (gpac) as end-of-life

- - - - -
bf924387 by Anton Gladky at 2022-12-01T23:00:50+01:00
LTS: add vlc to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -3400,6 +3400,7 @@ CVE-2022-45205 (Jeecg-boot v3.4.3 was discovered to 
contain a SQL injection vuln
NOT-FOR-US: Jeecg-boot
 CVE-2022-45204 (GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to 
contain a mem ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2307
NOTE: Introduced by: 
https://github.com/gpac/gpac/commit/74e53280dad7b29f85386c6a1286fb92643465da
NOTE: Fixed by: 
https://github.com/gpac/gpac/commit/f045be5809808d64ebf8ce5ab628fa55786bea4f
@@ -3408,6 +3409,7 @@ CVE-2022-45203
RESERVED
 CVE-2022-45202 (GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to 
contain a sta ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2296
NOTE: https://github.com/gpac/gpac/issues/2296#issuecomment-1303112783
NOTE: Fixed by: 
https://github.com/gpac/gpac/commit/74e53280dad7b29f85386c6a1286fb92643465da
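Review bot: Commit 74e53280 is listed as "Fixed by" for CVE-2022-45202 in this hunk and as "Introduced by" for CVE-2022-45204 in the hunk above. Marking buster as EOL sidesteps the problem for LTS, but a NOTE under CVE-2022-45202 pointing at CVE-2022-45204 would warn anyone backporting the first fix elsewhere that it needs the follow-up commit f045be58 as well.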


=
data/dla-needed.txt
=
@@ -349,6 +349,12 @@ vim
 virglrenderer (Thorsten Alteholz)
   NOTE: 20221009: Programming language: C.
 --
+vlc
+  NOTE: 20221201: Programming language: C.
+  NOTE: 20221201: VCS: https://salsa.debian.org/lts-team/packages/vlc.git
+  NOTE: 20221201: Please try to find a real patch for CVE-2022-41325 (gladk).
+  NOTE: 20221201: Backporting of a new version would be not the best idea. 
(gladk).
+--
 xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
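Review bot: The last added NOTE for `vlc` ("Backporting of a new version would be not the best idea.") gives no reason. Since the line before it asks for "a real patch" for CVE-2022-41325, state what rules out the newer version so that whoever claims the package does not have to re-evaluate the backport from scratch.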



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/58a84f5ccca8fdf907d2ec4a6de0882a14033c9f...bf92438714cc73a1ee0a63b7ac891069f0b7181d



[Git][security-tracker-team/security-tracker][master] Change programming language for erlang.

2022-11-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c8b4c79 by Anton Gladky at 2022-12-01T07:01:08+01:00
Change programming language for erlang.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -35,7 +35,7 @@ curl (Roberto C. Sánchez)
   NOTE: 20220904: Special attention: high popcon!.
 --
 erlang
-  NOTE: 20221119: Programming language: C.
+  NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
 --
 exiv2
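Review bot: The language correction rewrites the existing 20221119 NOTE in place, so the line now records "Erlang" under a date on which "C" was written. The header of this file asks contributors to append notes rather than replace existing ones; either append a new dated NOTE with the correction, or confirm that in-place fixes of metadata lines are exempt from that rule.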



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c8b4c79f404271b4159bad4abbfe4495541c7da



[Git][security-tracker-team/security-tracker][master] 3 commits: Add link to the CVE-2022-46338

2022-11-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8b1d1a68 by Anton Gladky at 2022-12-01T05:33:19+01:00
Add link to the CVE-2022-46338

- - - - -
c3fc4813 by Anton Gladky at 2022-12-01T05:33:19+01:00
LTS: add g810-led to dla-needed.txt

- - - - -
272dbee4 by Anton Gladky at 2022-12-01T05:33:20+01:00
LTS: add node-xmldom to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -178,6 +178,7 @@ CVE-2021-46856
 CVE-2022-46338 (g810-led 0.4.2, a LED configuration tool for Logitech Gx10 
keyboards,  ...)
- g810-led 0.4.2-3 (bug #1024998)
[bullseye] - g810-led  (Minor issue)
+  NOTE: https://github.com/MatMoul/g810-led/pull/297
 CVE-2022-46309
RESERVED
 CVE-2022-46308


=
data/dla-needed.txt
=
@@ -47,6 +47,12 @@ firmware-nonfree (Markus Koschany)
 fwupd (Stefano Rivera)
   NOTE: 20221003: Programming language: C++.
 --
+g810-led
+  NOTE: 20221130: Programming language: C++.
+  NOTE: 20221130: VCS: https://salsa.debian.org/lts-team/packages/g810-led.git
+  NOTE: 20221130: The issue in the udev-rules, not in the package itself 
(gladk).
+  NOTE: 20221130: https://gitlab.com/qemu-project/qemu/-/issues/1268 (gladk).
+--
 git
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/git.git
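Review bot: The last added NOTE in the `g810-led` block links to a qemu-project issue (`https://gitlab.com/qemu-project/qemu/-/issues/1268`) with no explanation, while the data/CVE/list hunk in this same push points to `MatMoul/g810-led/pull/297` for CVE-2022-46338. If the QEMU link is intentional, add a few words on how it relates to the udev-rules problem described in the line above it; otherwise replace it with the g810-led reference.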
@@ -227,6 +233,11 @@ node-url-parse
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues 
(Beuc/front-desk)
 --
+node-xmldom
+  NOTE: 20221130: Programming language: JavaScript.
+  NOTE: 20221130: VCS: 
https://salsa.debian.org/lts-team/packages/node-xmldom.git
+  NOTE: 20221130: 
https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 
(gladk).
+--
 nodejs
   NOTE: 20221105: Programming language: Javascript, C/C++, Python
   NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5a853b8d59f3084ad130bf649944e9607b249ebf...272dbee46ae9e1d46d3384c73d0e3dad7c21abdf



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-45343 (gpac) as end-of-life

2022-11-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c1502dc by Anton Gladky at 2022-11-29T23:11:44+01:00
Mark CVE-2022-45343 (gpac) as end-of-life

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2820,6 +2820,7 @@ CVE-2022-45344
RESERVED
 CVE-2022-45343 (GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to 
contain a hea ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2315
NOTE: 
https://github.com/gpac/gpac/commit/1016912db5408b6f38e8eb715279493ae380d1c4
 CVE-2022-45342



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1502dcd8f0495c450d67548d6ba072922aed16



[Git][security-tracker-team/security-tracker][master] LTS: add libraw to dla-needed.txt

2022-11-29 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11ba0773 by Anton Gladky at 2022-11-29T22:48:00+01:00
LTS: add libraw to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -121,6 +121,10 @@ libpgjava
   NOTE: 20221128: Please check, whether CVE-2022-41946 affects modern systems 
(gladk).
   NOTE: 20221128: If not - please mark it as  (gladk).
 --
+libraw
+  NOTE: 20221129: Programming language: C++.
+  NOTE: 20221129: VCS: https://salsa.debian.org/lts-team/packages/libraw.git
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ba0773d8bdc07e810052f1bfd0327d4770afb0



[Git][security-tracker-team/security-tracker][master] 4 commits: LTS: add libarchive to dla-needed.txt

2022-11-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b9472f0 by Anton Gladky at 2022-11-28T23:14:05+01:00
LTS: add libarchive to dla-needed.txt

- - - - -
9ec5d38c by Anton Gladky at 2022-11-28T23:14:05+01:00
LTS: add libpgjava to dla-needed.txt

- - - - -
d6fdd7de by Anton Gladky at 2022-11-28T23:14:05+01:00
LTS: add nextcloud-desktop to dla-needed.txt

- - - - -
a24776ed by Anton Gladky at 2022-11-28T23:14:05+01:00
LTS: add vim to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -105,6 +105,10 @@ lava
 libapreq2
   NOTE: 20221031: Programming language: C.
 --
+libarchive
+  NOTE: 20221128: Programming language: C.
+  NOTE: 20221128: VCS: 
https://salsa.debian.org/lts-team/packages/libarchive.git
+--
 libcommons-jxpath-java
   NOTE: 20221027: Programming language: Java.
   NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream 
discussion. See CVE-2022-41852 for pull requests.
@@ -114,6 +118,12 @@ libde265
   NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are 
fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
   NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
 --
+libpgjava
+  NOTE: 20221128: Programming language: Java.
+  NOTE: 20221128: VCS: https://salsa.debian.org/lts-team/packages/libpgjava.git
+  NOTE: 20221128: Please check, whether CVE-2022-41946 affects modern systems 
(gladk).
+  NOTE: 20221128: If not - please mark it as  (gladk).
+--
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --
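Review bot: Both instructions in the added `libpgjava` block are underspecified: "affects modern systems" does not say which condition to test for CVE-2022-41946, and "please mark it as  (gladk)" names no state as the line reads here. State the criterion and the intended tracker state explicitly.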
@@ -153,6 +163,11 @@ netatalk (gladk)
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
+nextcloud-desktop
+  NOTE: 20221128: Programming language: C++.
+  NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
+  NOTE: 20221128: Please coordinate with maintainer the usage of their 
git-repo (gladk).
+--
 node-cached-path-relative
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)
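Review bot: The `VCS:` line for `nextcloud-desktop` already points at the maintainers' repository (`owncloud-team/nextcloud-desktop`), while the NOTE after it says its use still has to be coordinated with the maintainer. Until that is agreed, the VCS line reads as a settled location; mark it as proposed, or add it only once the maintainer has confirmed.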
@@ -318,6 +333,11 @@ trafficserver
   NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith)
   NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith)
 --
+vim
+  NOTE: 20221128: Programming language: C.
+  NOTE: 20221128: VCS: https://salsa.debian.org/lts-team/packages/vim.git
+  NOTE: 20221128: Please wait till at least several CVEs appear before upload 
(gladk).
+--
 virglrenderer (Thorsten Alteholz)
   NOTE: 20221009: Programming language: C.
 --
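Review bot: "Please wait till at least several CVEs appear before upload" on the new `vim` entry gives no threshold and does not list the CVEs already open, so a contributor cannot tell when the entry becomes actionable. A count or a severity condition would make this checkable.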



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/540aab09498e193c6b6058b811192049e3004270...a24776ed8ea4dd477fb2103df1af4f48d1519b4a



Re: MRs on salsa and letting janitor automate things

2022-11-27 Thread Anton Gladky
Hello Stuart,

thanks for the information! I am personally OK with the idea of committing
directly to the Science packages, not sure about the opinions of other
team members.

But if it improves the overall package quality - I am totally for this.

Otherwise, I did not find an opportunity to blacklist some packages
for the janitor, not being touched by this tool. There are some difficult
ones, so I would prefer to have this option. Do you know, whether
it is possible?

Thanks!

Anton

On Sun, 27 Nov 2022 at 06:02, Stuart Prescott wrote:
>
> Hi folks
>
> tl;dr: there are lots of untriaged MRs on salsa; let's permit Janitor to
> automatically commit its updates
>
>
> There are lots of MRs on salsa for science-team packages that are open.
> Many of these have been open for months and many have no comments,
> triage or feedback visible on salsa. Many of these have been made by
> first time contributors who, by virtue of their MRs sitting
> unacknowledged and unmerged for months, think we don't care. That's not
> our intended message!
>
> Attached are:
>
> * a list of MRs that are currently open on salsa (sorted by package)
>
> * associated dd-list of maintainers/uploaders for these packages
>
> If you don't currently get notified about MRs being opened for packages
> you are interested in, I encourage you to tweak your salsa notification
> preferences. My approach to this is to "star" packages for which I am
> maintainer, uploader, or otherwise interested enough in that I'd like to
> see notifications for MRs.
>
>
> In amongst the human-generated MRs, there was also a huge number of
> automated MRs from the Janitor bot. Over the last couple of days I've
> been through Janitor's MRs (about 200 of them). These are all really
> simple changes, each of which I checked and almost all of them I have
> merged.
>
> For those not familiar with Janitor, it looks for easy to fix issues in
> the packaging that are flagged by lintian (or other similar tools) and
> fixes them. Unlike lintian, it has internet access and knowledge of the
> Debian archive, so it can do extra things like update upstream homepages
> or remove obsolete version constraints on packages. Janitor's fixes
> range from pedantic to very useful; even the more pedantic ones steadily
> improve the signal:noise of lintian and so lintian becomes more useful
> on those packages.
>
> https://janitor.debian.net/
>
> I propose that we let Janitor make these commits directly rather than
> opening MRs; quite a few other teams in Debian have done this and it is
> working well. Janitor has proven itself to be reliable and useful. Since
> we've now been able to see that Janitor's changes are OK for a few
> years, we can safely cut out the manual work and just let the bot get on
> with its work. Comments?
>
> regards
> Stuart
>
> --
> Stuart Prescott   http://www.nanonanonano.net/   stu...@nanonanonano.net
> Debian Developer  http://www.debian.org/ stu...@debian.org
> GPG fingerprint   90E2 D2C1 AD14 6A1B 7EBB 891D BBC1 7EBB 1396 F2F7



[Git][security-tracker-team/security-tracker][master] LTS: claim netatalk in dla-needed.txt

2022-11-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e41abfa by Anton Gladky at 2022-11-27T09:43:32+01:00
LTS: claim netatalk in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -162,7 +162,7 @@ multipath-tools
 net-snmp
   NOTE: 20221120: Programming language: C.
 --
-netatalk
+netatalk (gladk)
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e41abfade4a23199d26118243f0f81251a49df4



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-11-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e29f11d5 by Anton Gladky at 2022-11-14T06:32:31+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -39,7 +39,7 @@ consul
   NOTE: 20221031: Programming language: Go.
   NOTE: 20221031: Concluded that the package should be fixed by the CVE 
description. Source code not analyzed in detail.
 --
-curl (Emilio)
+curl
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
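Review bot: `curl` is released here even though the entry's own last NOTE flags it as "Special attention: high popcon!". For a package marked that way, an unclaim with no status NOTE leaves no indication of whether a fix was in progress; append one line on the state of the work before dropping the claimant.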
@@ -82,7 +82,7 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-graphicsmagick (Thorsten Alteholz)
+graphicsmagick
   NOTE: 20221027: Programming language: C.
 --
 hsqldb
@@ -313,7 +313,7 @@ r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.
 --
-rails (Abhijith PA)
+rails
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
   NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
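Review bot: The `rails` entry records a regression on 2:5.2.2.1+dfsg-1+deb10u4 in notes that are all attributed to abhijith, and this change removes that same person as claimant. Add a NOTE saying whether the regression is still open, because after this change nobody is named as responsible for it.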
@@ -364,7 +364,7 @@ tiff
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/tiff.git
 --
-trafficserver (Abhijith PA)
+trafficserver
   NOTE: 20220905: Programming language: C.
   NOTE: 20221024: WIP, big changeset in security fix (abhijith)
 --
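Review bot: The last NOTE on `trafficserver` says "WIP, big changeset in security fix (abhijith)" but not where that work lives. Releasing the claim without a pointer to the branch or patch set risks the next claimant redoing it; add the location in a NOTE as part of the unclaim.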
@@ -379,7 +379,7 @@ vim (Helmut)
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
-virglrenderer (Thorsten Alteholz)
+virglrenderer
   NOTE: 20221009: Programming language: C.
 --
 zabbix



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e29f11d5a05f7df459010f78268197364b6f6471



Bug#1023273: Old version is not working

2022-11-13 Thread Anton Gladky
The newer 14 version of ocrmypdf is needed to support the
ghostscript 10.

I have checked and can confirm, that 14.0.1 is working well.

Regards

Anton



Re: Pre-creating Git repos in salsa.d.o/lts-team/packages/ - or not?

2022-11-07 Thread Anton Gladky
Hi Sylvain,

thanks for your feedback!

as you know one of our goals is to keep the git-history of all {E,L}TS
uploads. Some semi-automatic repo creation scripts are in a test phase
to ease this process. I have created some repos and
imported the last available security versions of packages into that.

Sure, if the maintainer of the particular package allows to push security
updates of {E,L}TS process, feel free to do it! Just drop the repo and
change the link in the VCS.

You are right, now the bot "anonymously" creates repos, it will
be changed in the next couple of days.

Best regards

Anton

On Mon, 7 Nov 2022 at 09:53, Sylvain Beucler wrote:
>
> Hi,
>
> I see that a few repositories in salsa.d.o/lts-team/packages/ were
> created for packages that haven't been claimed yet.
> https://salsa.debian.org/lts-team/packages?sort=created_desc
>
> (I'm not sure who/what did it exactly, there's activity from
> "Bot-LTS-package", which may be the 'package-operations' script, then
> manual activity from Anton.)
>
> That means the repo was created and imported before there was a chance
> to discuss with the package maintainers whether they want to host the
> (E)LTS branch there or at another location (such as, their own salsa repo).
>
> I think this adds confusion. When I check the "VCS" field in
> dla-needed.txt, I assume this is the preferred repository for
> development, following an explicit decision from a previous contributor
> who worked on the package - not the result of semi-automation.
> Thoughts?
>
> Cheers!
> Sylvain
>



[Git][security-tracker-team/security-tracker][master] Update package meta information in dla-needed.txt

2022-11-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e75eaccc by Anton Gladky at 2022-11-07T07:09:02+01:00
Update package meta information in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -15,6 +15,7 @@ rather than remove/replace existing ones.
 --
 android-platform-system-core
   NOTE: 20221102: Programming language: C++.
+  NOTE: 20221102: VCS: 
https://salsa.debian.org/lts-team/packages/android-platform-system-core.git
   NOTE: 20221102: The package in buster is likely affected but since no known 
fix is available it is hard to tell without running the proof of concept code.
   NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs 
as minor. (ola)
   NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in 
buster (Beuc)
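Review bot: The added `VCS:` line for `android-platform-system-core` is stamped `20221102`, but this commit is dated 2022-11-07. Because the NOTE dates serve as the entry's history, a backdated line makes it look as if the repository existed when the package was first triaged; use the date on which the line was actually added.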
@@ -297,6 +298,8 @@ webkit2gtk
   NOTE: 20221105: Programming language: C++.
 --
 xorg-server
+  NOTE: 20221106: Programming language: C.
+  NOTE: 20221106: VCS: 
https://salsa.debian.org/lts-team/packages/xorg-server.git
 --
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be 
fixed in buster too.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e75eaccc3b8c8ae793c152f8344ad1a3e8e55b6a



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-11-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c71a3e8 by Anton Gladky at 2022-11-07T06:17:33+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -19,7 +19,7 @@ android-platform-system-core
   NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs 
as minor. (ola)
   NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in 
buster (Beuc)
 --
-asterisk (Markus Koschany)
+asterisk
   NOTE: 20220810: Programming language: C.
   NOTE: 20220829: Ongoing triaging work. Maybe we should think about syncing
   NOTE: 20220829: bullseye and buster. (apo)
@@ -296,7 +296,7 @@ virglrenderer (Thorsten Alteholz)
 webkit2gtk
   NOTE: 20221105: Programming language: C++.
 --
-xorg-server (Emilio)
+xorg-server
 --
 zabbix
   NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be 
fixed in buster too.
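Review bot: After `-xorg-server (Emilio)` becomes `+xorg-server`, the entry consists of the package name and the `--` separator only: no language, no VCS and no CVE reference. With the claimant gone there is nothing left to tell a contributor why the package is listed; add at least one NOTE with the reason before removing the claim.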



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c71a3e852dbb72e9c24f74132336e45a314baaa



Bug#1023419: transition: freeglut

2022-11-05 Thread Anton Gladky
Uploaded, thanks!

Anton



Re: Veusz update to 3.5.3

2022-11-05 Thread Anton Gladky
Hi Jeremy!

Looks good. Some notes:

- overriding lintian "veusz source: source-is-missing
[Documents/manual/html/searchindex.js]"
  please drop it from the source and use dh --sphinxtools to symlink it.
- d/rules:
override_dh_auto_build: export http_proxy=127.0.0.1:9
override_dh_auto_build: export https_proxy=127.0.0.1:9
override_dh_auto_build: delete_generated
dh_auto_build...

Looks weird. Is it really necessary to override auto_build several times?

Otherwise, please read "man dh" the section about "execute_after" and
"execute_before".
It can make your d/rules shorter.

When you are ready and the package needs to be sponsored - please let us know.

Best regards

Anton

On Sat, 5 Nov 2022 at 13:09, Jeremy Sanders wrote:
>
> Dear Science Team
>
> It would be great if someone could have a look at the current version of
> the Veusz packaging (for version 3.5.3) and review if it is ready to upload:
>
> https://salsa.debian.org/science-team/veusz
>
> The existing package currently fails to build under unstable and does
> not run (see closed bug #1023185).
>
> Thanks again
>
> Jeremy
>
>
>



Bug#1023419: transition: freeglut

2022-11-04 Thread Anton Gladky
Hi Sebastian, you are right.

I have uploaded a new package into experimental, which introduces
freeglut3-dev as a transitional package. I will rebuild and report
about results.

Regards

Anton

On Thu, 3 Nov 2022 at 22:51, Sebastian Ramacher wrote:
>
> Control: tags -1 moreinfo
> Control: forwarded -1 
> https://release.debian.org/transitions/html/auto-freeglut.html
>
> On 2022-11-03 20:12:03 +0100, Anton Gladky wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> >
> > New version of freeglut library and binary renaming.
> > Reverse depends were rebuilt against new lib.
> >
> >
> > Ben file:
> >
> > title = "freeglut";
> > is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ 
> > "libglut-dev|libglut3.12";
> > is_good = .depends ~ "libglut-dev|libglut3.12";
> > is_bad = .depends ~ "freeglut3|freeglut3-dev";
>
> What's the deal with the renamed -dev package? Do we need sourceful
> uploads for all the reverse dependencies? What's the upgrade path for
> users?  Or in other words: why is there no transitional freeglut3-dev
> package?
>
> Cheers
> --
> Sebastian Ramacher



Bug#1023419: transition: freeglut

2022-11-03 Thread Anton Gladky
Hi Sebastian,

rename was done to match the real shared object name to the
package name:
/usr/lib/x86_64-linux-gnu/libglut.so.3.11.0 will go to libglut3.11.

At the moment source uploads are not necessary as libglut-dev provides
freeglut3-dev. But after the transition yes, the batch of NMUs is planned.

> why is there no transitional freeglut3-dev

I thought it was enough that libglut-dev "provides" the freeglut3-dev.
If not - I will add it.

Thanks

Regards

Anton

On Thu, 3 Nov 2022 at 22:51, Sebastian Ramacher wrote:
>
> Control: tags -1 moreinfo
> Control: forwarded -1 
> https://release.debian.org/transitions/html/auto-freeglut.html
>
> On 2022-11-03 20:12:03 +0100, Anton Gladky wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: transition
> >
> >
> > New version of freeglut library and binary renaming.
> > Reverse depends were rebuilt against new lib.
> >
> >
> > Ben file:
> >
> > title = "freeglut";
> > is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ 
> > "libglut-dev|libglut3.12";
> > is_good = .depends ~ "libglut-dev|libglut3.12";
> > is_bad = .depends ~ "freeglut3|freeglut3-dev";
>
> What's the deal with the renamed -dev package? Do we need sourceful
> uploads for all the reverse dependencies? What's the upgrade path for
> users?  Or in other words: why is there no transitional freeglut3-dev
> package?
>
> Cheers
> --
> Sebastian Ramacher



Bug#1023419: transition: freeglut

2022-11-03 Thread Anton Gladky
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition


New version of freeglut library and binary renaming.
Reverse depends were rebuilt against new lib.


Ben file:

title = "freeglut";
is_affected = .depends ~ "freeglut3|freeglut3-dev" | .depends ~ 
"libglut-dev|libglut3.12";
is_good = .depends ~ "libglut-dev|libglut3.12";
is_bad = .depends ~ "freeglut3|freeglut3-dev";


Thanks

Anton



Bug#1023273: Bugs severity

2022-11-03 Thread Anton Gladky
severity 1023273 grave
thanks

Hi,

this error makes at least ocrmypdf unusable.
Increasing the severity.

Anton



Bug#1013158: facet-analyser: vtk[6,7] removal

2022-11-01 Thread Anton Gladky
Hi Picca,

I have just successfully cloned the git-repo. I have only got a warning
"[attr]our-c-style   whitespace=tab-in-indent  format.clang-format=9 n"
but I think it is not critical.

Please try to check it out again. Maybe it was a salsa issue?

Regards

Anton


On Tue, 1 Nov 2022 at 10:18, PICCA Frederic-Emmanuel <frederic-emmanuel.pi...@synchrotron-soleil.fr> wrote:

> Hello Anton, I try to checkout paraview in order to add the -dev
> dependencies
>
> but I have this message
>
> $ git clone https://salsa.debian.org/science-team/paraview
> Clonage dans 'paraview'...
> remote: Enumerating objects: 175624, done.
> remote: Counting objects: 100% (78929/78929), done.
> remote: Compressing objects: 100% (38687/38687), done.
> remote: Total 175624 (delta 47039), reused 65625 (delta 39190),
> pack-reused 96695
> Réception d'objets: 100% (175624/175624), 246.21 Mio | 12.11 Mio/s, fait.
> Résolution des deltas: 100% (109096/109096), fait.
> [attr]our-c-style  whitespace=tab-in-indent,-blank-at-eol
> format.clang-format non permis :
> ThirdParty/QtTesting/vtkqttesting/.gitattributes : 8
> [attr]our-c-style  whitespace=tab-in-indent,-blank-at-eol
> format.clang-format=9 non permis :
> ThirdParty/catalyst/vtkcatalyst/catalyst/.gitattributes : 4
> [attr]our-c-style  whitespace=tab-in-indent,-blank-at-eol
> format.clang-format=8 non permis : VTK/.gitattributes : 10
> [attr]our-c-style   whitespace=tab-in-indent  format.clang-format=9 non
> permis : VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/.gitattributes : 2
> Mise à jour des fichiers: 100% (30828/30828), fait.
> [attr]our-c-style  whitespace=tab-in-indent,-blank-at-eol
> format.clang-format=8 non permis : VTK/.gitattributes : 10
> [attr]our-c-style   whitespace=tab-in-indent  format.clang-format=9 non
> permis : VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/.gitattributes : 2
> Downloading VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/data/README.md (643 B)
> Error downloading object: VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/data/README.md
> (b30a14a): Smudge error: Error downloading
> VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/data/README.md
> (b30a14a308f64c6fc2969e2b959d79dacdc5affda1d1c0e24f8e176304147146):
> [b30a14a308f64c6fc2969e2b959d79dacdc5affda1d1c0e24f8e176304147146] Object
> does not exist on the server or you don't have permissions to access it:
> [404] Object does not exist on the server or you don't have permissions to
> access it
>
> Errors logged to
> /home/experiences/instrumentation/picca/debian/science-team/paraview/.git/lfs/logs/20221101T101535.441130442.log
> Use `git lfs logs last` to view the log.
> error: le filtre externe 'git-lfs filter-process' a échoué
> fatal: VTK/ThirdParty/vtkm/vtkvtkm/vtk-m/data/README.md : le filtre smudge
> 'lfs' a échoué
> warning: Le clone a réussi, mais l'extraction a échoué.
> Vous pouvez inspecter ce qui a été extrait avec 'git status'
> et réessayer avec 'git restore --source=HEAD :/'
>


-- 
debian-science-maintainers mailing list
debian-science-maintainers@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers


Re: clickhouse - Please review

2022-11-01 Thread Anton Gladky
Hi Tobias,

well, having a CI for most of the packages is the goal if it
is technically possible, but is not a dogma. If it is very
difficult or not possible feel free to deactivate some of
the tests or in the worst-case scenario just disable them
completely.

Regards


Anton


On Tue, 1 Nov 2022 at 11:36, Tobias Frost wrote:

> Hi,
>
> I'm currently working on clickhouse for LTS and imported the repository
> to the lts-team group [0].
>
> As per git workflow instructions I ask for an exception to enable CI:
>
> I can't get CI working as during linking it seems to go OOM
> on the salsa workers. I've tried disabling lto (the package does
> unconditionally on amd64 enable it, already on buster) then the compiling
> will succeed.
>
> However, there will be then a test suite error, due to the salsa CI runners
> are running a more recent than buster kernel, triggering cpuinfo being noisy
> on stderr, [1] which fails the testsuite with message alike: [2]
>
>  11: 00802_daylight_saving_time_shift_backwards_at_midnight:
> [ FAIL ] - having stderror:
>  11: Warning in cpuinfo: kernel_max value of 8191 parsed from
> /sys/devices/system/cpu/kernel_max exceeds platform-default limit 1023
>
> As said I believe this is due to the kernel on the CI is newer than buster's.
> Buster's value of /sys/devices/system/cpu/kernel_max is (at least in my
> buster VM) 511
> while in my sid machine it is 8192.
>
> On said buster VM, the package builds correctly and also the test suite
> executes without error.
>
> I expect that the build will fail on the buildds as seem to have recent
> kernels, so I anticipate that I need to disable the offending test for the
> upload
>
> TIA for any feedback you might have…
>
> Cheers,
> --
> tobi
>
> [0] https://salsa.debian.org/lts-team/packages/ClickHouse
> [1] https://bugs.launchpad.net/ubuntu/+source/cpuinfo/+bug/1840847
> [2]
> https://salsa.debian.org/lts-team/packages/ClickHouse/-/jobs/3455769#L1741
>


[Git][security-tracker-team/security-tracker][master] Fix dla-needed after git conflicts

2022-10-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e974ebb3 by Anton Gladky at 2022-11-01T06:19:34+01:00
Fix dla-needed after git conflicts

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -100,11 +100,13 @@ ini4j
 jackson-databind
   NOTE: 20221030: Programming language: Java.
 --
+jhead
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: Note that multiple options are vulnerable. The attacker have 
to trick someone to execute the command but arbitrary code exectuion is not 
good..
   NOTE: 20221031: It should be stated in the DLA that multiple options are 
affected..
 --
 joblib
+  NOTE: 20221006: Programming language: Python.
 --
 kopanocore
   NOTE: 20220801: Programming language: C++.
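
Review bot: the two 20221031 NOTE lines under the restored jhead header still read "arbitrary code exectuion is not good.." and "multiple options are affected..", with a misspelling and doubled full stops. Since this commit already repairs the entry, correct them in the same change: "exectuion" should be "execution", and each sentence should end with a single full stop.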



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e974ebb3d78665d97f63a5e22df1c09797f26c7d



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-31 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be1ec401 by Anton Gladky at 2022-10-31T19:24:32+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,7 +83,7 @@ hsqldb
   NOTE: 20221031: To be investigated further. A possible outcome is to ignore 
it.
   NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html.
 --
-imagemagick (gladk)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
@@ -95,13 +95,11 @@ ini4j
 jackson-databind
   NOTE: 20221030: Programming language: Java.
 --
-jhead
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: Note that multiple options are vulnerable. The attacker have 
to trick someone to execute the command but arbitrary code exectuion is not 
good..
   NOTE: 20221031: It should be stated in the DLA that multiple options are 
affected..
 --
-joblib (Utkarsh)
-  NOTE: 20221006: Programming language: Python.
+joblib
 --
 kopanocore
   NOTE: 20220801: Programming language: C++.
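
Review bot: the second hunk deletes the "jhead" header line itself rather than a claim, so the three 20221031 NOTE lines that follow now sit directly under the "--" separator after jackson-databind with no package name above them. The same hunk also drops joblib's "Programming language: Python." NOTE together with the "(Utkarsh)" claim. An unclaim should only strip the parenthesised name: leave "jhead" untouched, and change "joblib (Utkarsh)" to "joblib" while keeping its NOTE line.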



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be1ec401e29f107f5a4d23d79b02d1f9299b44aa



Re: Roll existing backports into ELTS update for distro-info-data?

2022-10-30 Thread Anton Gladky
Hi Stefano,

I would say we should rely only on release and security suites, Backports
are optional.

Just be sure to provide a smooth upgrade from both release and backport
suites.

Regards

Anton




On Sun, 30 Oct 2022 at 15:08, Stefano Rivera <stefa...@debian.org> wrote:

> I'm an uploader for distro-info-data (a data only package like tzdata,
> mostly useful to distro developers, but also potentially sysadmin
> tools). We try to get updates out to all supported releases, but I
> haven't been updating it in (E)LTS, before I joined Freexian & LTS.
>
> I just did a round of updates now, including LTS, because I can,
> trivially.
>
> I see it in ELTS customer's package lists, but we have never issued an
> update in ELTS. I can do updates for jessie and stretch ELTS, easily
> enough (and fairly quickly), but quickly hit a policy question:
>
> Back in those days, we used to publish distro-info-data updates via
> backports, not stable updates. So there were backports published to both
> stretch-backports and jessie-backports. Backports don't support LTS,
> never mind ELTS.
>
> So should I start (and version) ELTS updates based on the release suite
> or the backport suite? I have to use the latter to ensure that users who
> installed the backport get the update.
>
> Where do we usually stand on existing backports, when issuing updates?
>
> Another option is to just ignore the whole thing, because chances are
> that if nobody has complained yet about old data, maybe they never will :)
>
> SR
>
> --
> Stefano Rivera
>   http://tumbleweed.org.za/
>   +1 415 683 3272
>
>


Re: Upgrades from Stretch to Bullseye and from Buster to Bookworm broken

2022-10-24 Thread Anton Gladky
Hi,

thanks for the information. AFAIK skipping releases is not supported.
You have to go through all releases step-by-step.

Regards

Anton



On Mon, 24 Oct 2022 at 05:42, Otto Kekäläinen wrote:

> Hello LTS team!
>
> Users of Debian LTS are currently affected by a bug that prevents
> skipping Debian releases. If skipping a release is not possible in an
> upgrade, it makes using LTS kind of moot.
>
> For discoverability, I posted a summary and workaround steps at
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993755#62
>
> I hope you find this useful.
>
>
> - Otto
>
>


[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-23 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa9dbf4d by Anton Gladky at 2022-10-23T23:32:18+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -153,7 +153,7 @@ r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.
 --
-rails (Abhijith PA)
+rails
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
   NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg4.html 
(abhijith)
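
Review bot: rails loses its claim here while the 20220909 NOTE lines kept as context still describe a regression on 2:5.2.2.1+dfsg-1+deb10u4 and two open issues, all signed "(abhijith)". With the claimant removed, nothing in the entry says whether that regression is still open. Add a dated NOTE with its current status next to the unclaim so the entry stays actionable for whoever takes it next.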
@@ -197,10 +197,10 @@ sox
   NOTE: 20220818: Requires some investigation; see #1012138 etc.
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream 
committer (abhijith)
 --
-trafficserver (Abhijith PA)
+trafficserver
   NOTE: 20220905: Programming language: C.
 --
-vim (Markus Koschany)
+vim
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa9dbf4d14f88227758d1338aaf140b957a7c679



[Git][security-tracker-team/security-tracker][master] LTS: claim imagemagick in dla-needed.txt

2022-10-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6647e5bf by Anton Gladky at 2022-10-16T21:43:45+02:00
LTS: claim imagemagick in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -77,7 +77,7 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-imagemagick
+imagemagick (gladk)
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6647e5bfafd9bab2c0a036d56922f31367cf61cc



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cd4968b by Anton Gladky at 2022-10-16T21:28:10+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -28,7 +28,7 @@ clickhouse
   NOTE: 20221003: One pull request closes several CVEs.
   NOTE: 20221003: Please evaluate, whether it can be applied.
 --
-curl (gladk)
+curl
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cd4968b11d2f046469427f267f83567e9f9eebe



Re: [Yade-dev] Please enable runners for some projects in the group

2022-10-15 Thread Anton Gladky
Thanks, Janek! It really works!

Anton


On Sat, 15 Oct 2022 at 14:19, Janek Kozicki (yade) <jkozicki-y...@pg.edu.pl> wrote:

> Hi,
>
> I have created a single group runner, called loop1-group-runner, in:
>
> https://gitlab.com/groups/yade-dev/-/runners?runner_type[]=GROUP_TYPE
>
> now it appears in every of our projects. Also there is a
> yade-runner-01, last time I checked it ran out of disc space and
> couldn't do any jobs. Maybe it is time to recheck yade-runner-01 and
> maybe erase it, Bruno?
>
> I suppose, that once group runners are enabled in all projects that
> you linked below, it should work? I only checked in docker-prod and
> it seems to work:
>
> https://gitlab.com/yade-dev/docker-prod/-/jobs/3178115457
>
> best regards
> Janek
>
> Anton Gladky said: (by the date of Sat, 15 Oct 2022 11:46:18 +0200)
>
> > Hi.
> >
> > as you probably know, gitlab is changing its business model.
> > Right now we are affected by this change through the usage
> > of shared runners for some projects.
> >
> > @Janek, @Bruno or maybe somebody else, could you please
> > your runner-instances for the following projects:
> >
> > - Docker-Prod: https://gitlab.com/yade-dev/docker-prod/-/settings/ci_cd
> > - Singularity-Prod:
> > https://gitlab.com/yade-dev/singularity-prod/-/settings/ci_cd
> > - Answers (no CI, but would be good to have):
> > https://gitlab.com/yade-dev/answers/-/settings/ci_cd
> > - Yade-Website (reserved for the future):
> > https://gitlab.com/yade-dev/yade-website/-/settings/ci_cd
> > - Yade-data (no CI, but would be good to have)
> > https://gitlab.com/yade-dev/yade-data/-/settings/ci_cd
> >
> > Thanks
> >
> > Anton
>
>
> --
> --
> Janek Kozicki, PhD. DSc. Arch. Assoc. Prof.
> Gdansk University of Technology (Gdansk Tech)
> Faculty of Applied Physics and Mathematics
> Institute of Physics and Applied Computer Science
> Division of Theoretical Physics and Quantum Information
> --
> http://yade-dem.org/
> http://pg.edu.pl/jkozicki (click English flag on top right)
>
___
Mailing list: https://launchpad.net/~yade-dev
Post to : yade-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yade-dev
More help   : https://help.launchpad.net/ListHelp


[Yade-dev] Please enable runners for some projects in the group

2022-10-15 Thread Anton Gladky
Hi.

as you probably know, gitlab is changing its business model.
Right now we are affected by this change through the usage
of shared runners for some projects.

@Janek, @Bruno or maybe somebody else, could you please
your runner-instances for the following projects:

- Docker-Prod: https://gitlab.com/yade-dev/docker-prod/-/settings/ci_cd
- Singularity-Prod:
https://gitlab.com/yade-dev/singularity-prod/-/settings/ci_cd
- Answers (no CI, but would be good to have):
https://gitlab.com/yade-dev/answers/-/settings/ci_cd
- Yade-Website (reserved for the future):
https://gitlab.com/yade-dev/yade-website/-/settings/ci_cd
- Yade-data (no CI, but would be good to have)
https://gitlab.com/yade-dev/yade-data/-/settings/ci_cd

Thanks

Anton


Re: Updating the LTS/ELTS instructions on freexian.com

2022-10-10 Thread Anton Gladky
Hi Chris,

I am not sure whether you are able to access this repo [1].
If not - the md-file is in attachment, please update it
and feel free to send me.

b) I am not able to answer right now. Maybe some other
team members will help.

[1] https://gitlab.com/freexian/organization/website/


Anton


On Mon, 10 Oct 2022 at 19:43, Chris Lamb wrote:

> Hi friends,
>
> I noticed that some of the URLs on the ELTS instructions page are now
> outdated:
>
>   https://www.freexian.com/lts/extended/docs/how-to-use-extended-lts/
>
> In particular, the references to:
>
>   a) freexian-archive-keyring_2020.09.19_all.deb
>   b) archive-key.gpg
>
> … return a 404.
>
> "a)" simply needs updating to the latest version
> (freexian-archive-keyring_2022.06.08_all.deb), but I'm not sure what
> to do with "b)", as well as how to update these instructions in the
> first place.
>
>
> Regards,
>
> --
>   ,''`.
>  : :'  : Chris Lamb
>  `. `'`  la...@debian.org  chris-lamb.co.uk
>`-
>
>
+++
type = "docs"
title = "How to use Extended LTS"
date = 2018-05-30T12:13:12+02:00
weight = 100
draft = false
bref = "To benefit from the security updates, you just have to configure APT to use our extended LTS repository"
toc = false
+++

### Adding extended LTS repositories to APT

#### Installing the freexian archive GPG key

The extended LTS repositories are signed with the following GPG key:
```
sec   rsa4096 2018-05-28 [SC] [expires: 2025-07-18]
  AB597C4F6F3380BD4B2BEBC2A07310D369055D5A
uid   [ultimate] Extended LTS Repository 
```

To enable this key in your APT configuration, you have the following
choices:

* manually install the freexian-archive-keyring package with `wget http://deb.freexian.com/extended-lts/pool/main/f/freexian-archive-keyring/freexian-archive-keyring_2020.09.19_all.deb && sudo dpkg -i freexian-archive-keyring_2020.09.19_all.deb`
* manually fetch the key with `sudo wget http://deb.freexian.com/extended-lts/archive-key.gpg -O /etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg`

You might want to double check that the key fingerprint outputted by
`apt-key finger` matches the one shown above.

#### sources.list entries for APT

##### For Debian 8 jessie

Here's what you should put in `/etc/apt/sources.list.d/extended-lts.list`:

```
deb http://deb.freexian.com/extended-lts jessie-lts main contrib non-free
```

Note that this repository only contains the security updates, not all
packages from Debian 8. If you want all packages from Debian 8, you
should keep another repository pointing to a Debian 8 mirror.

We do provide a repository combining all Debian 8 packages and our security
updates, but please use it only for small setups:

```
deb http://deb.freexian.com/extended-lts jessie main contrib non-free
```

### Be nice, use local mirrors/caches

There are currently no mirrors of this service and it runs on a single
dedicated server. If you have many machines to keep secure, please
make a local mirror (or use some cache) and point your machines to your
local mirror (or cache) instead of pointing them to the 
repositories provided by Freexian.
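
The fingerprint check recommended in the attached instructions, as an added shell example that is not part of the original message or of Freexian's documentation: because the key is fetched over plain HTTP, the file is installed only if it holds exactly one primary key whose fingerprint equals the one printed above. The function names, the sample listing and the `gpg` invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Freexian instructions): pin the archive key
# fingerprint before the key file is trusted by APT.

# Fingerprint exactly as printed in the instructions above.
EXPECTED_FPR="AB597C4F6F3380BD4B2BEBC2A07310D369055D5A"

# Read a GnuPG --with-colons key listing on stdin and print the fingerprint of
# each primary key: the first "fpr" record after a "pub" record (field 10).
# Fingerprints that belong to subkeys ("sub" records) are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"         { want = 1; next }
        $1 == "sub"         { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only when the listing on stdin holds exactly one primary key and its
# fingerprint equals $1 (spaces and letter case in $1 are ignored).
listing_is_pinned_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fingerprints)
    [ -n "$expected" ] && [ "$found" = "$expected" ]
}

# Constructed sample listing (not real gpg output): one primary key carrying
# the page's fingerprint plus a subkey with a made-up fingerprint.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:A07310D369055D5A:1527465600:1752796800::-:::scESC:
fpr:::::::::AB597C4F6F3380BD4B2BEBC2A07310D369055D5A:
uid:-::::1527465600::::Extended LTS Repository:
sub:-:4096:1:1111111111111111:1527465600::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Check a downloaded key file and copy it into APT's keyring directory only on
# a match. Hypothetical helper; the gpg call lists the keys in the file
# without importing them (assumed to behave the same on the gpg in use).
verify_and_install() {
    keyfile=$1
    dest=$2
    if gpg --batch --with-colons --with-fingerprint "$keyfile" 2>/dev/null \
            | listing_is_pinned_key "$EXPECTED_FPR"; then
        install -m 0644 "$keyfile" "$dest"
    else
        echo "fingerprint mismatch, not installing $keyfile" >&2
        return 1
    fi
}

# Usage: sh verify-key.sh archive-key.gpg /etc/apt/trusted.gpg.d/freexian-archive-extended-lts.gpg
if [ "$#" -eq 2 ]; then
    verify_and_install "$1" "$2"
fi
```

Comparing only the primary-key fingerprint means a file that merely contains a subkey or a second key with a look-alike ID is rejected rather than installed.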


Bug#1016248: marked as pending in content-hub

2022-10-09 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1016248 in content-hub reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ubports-team/content-hub/-/commit/b4fad56d8242ba8e350d9752eed192331f6844ac


Update symbols due to gcc-12. (CloseS: #1016248)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1016248



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94674c1e by Anton Gladky at 2022-10-10T06:23:32+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,7 +42,7 @@ exiv2
 firmware-nonfree
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
 --
-frr (Thorsten Alteholz)
+frr
   NOTE: 20220923: Programming language: C.
 --
 fwupd



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94674c1e3a9bbd28a2d451600e39a6c040ecd9f9



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] 6 commits: LTS: triage ghostwriter

2022-10-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3649a150 by Anton Gladky at 2022-10-09T22:25:35+02:00
LTS: triage ghostwriter

- - - - -
e34bdba1 by Anton Gladky at 2022-10-09T22:25:35+02:00
LTS: triage tinyproxy

- - - - -
1167fd65 by Anton Gladky at 2022-10-09T22:25:35+02:00
LTS: triage r-cran-commonmark

- - - - -
df82c36f by Anton Gladky at 2022-10-09T22:25:36+02:00
LTS: triage virglrenderer

- - - - -
d6eb36ba by Anton Gladky at 2022-10-09T22:25:36+02:00
LTS: triage mplayer

- - - - -
5bef28bb by Anton Gladky at 2022-10-09T22:25:36+02:00
LTS: triage python-scciclient

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,9 @@ gajim
 gerbv
   NOTE: 20220923: Programming language: C.
 --
+ghostwriter
+  NOTE: 20221009: Programming language: C.
+--
 glibc (Helmut Grohne)
   NOTE: 20220913: Programming language: C, Assembly.
   NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and 
Debian 11.5 (Beuc/front-desk)
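Review bot: the new ghostwriter entry has only the language NOTE, yet the r-cran-commonmark entry added further down in this same diff says "Please synchronize with ghostwriter". Add the matching NOTE here (for example "Please synchronize with r-cran-commonmark") so the link is visible from whichever entry gets claimed first.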
@@ -102,6 +105,10 @@ modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
 --
+mplayer
+  NOTE: 20221009: Programming language: C.
+  NOTE: 20221009: Many open CVEs.
+--
 netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
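Review bot: "Many open CVEs" on the new mplayer entry gives the claimant nothing to act on. Say how many, or name the ones that motivated adding the package, so the scope of the DLA is clear before anyone picks it up.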
@@ -133,6 +140,13 @@ python-django
   NOTE: 20220911: There are many minors issues that should be done in a point 
release. No further point releases for buster.
   NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed 
for buster.
 --
+python-scciclient
+  NOTE: 20221009: Programming language: Python.
+--
+r-cran-commonmark
+  NOTE: 20221009: Programming language: R.
+  NOTE: 20221009: Please synchronize with ghostwriter.
+--
 rails (Abhijith PA)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues 
https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
@@ -192,6 +206,9 @@ strongswan (Chris Lamb)
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: VCS: 
https://salsa.debian.org/lts-team/packages/strongswan.git
 --
+tinyproxy
+  NOTE: 20221009: Programming language: C.
+--
 trafficserver (Abhijith PA)
   NOTE: 20220905: Programming language: C.
 --
@@ -199,6 +216,9 @@ vim (Markus Koschany)
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git
 --
+virglrenderer
+  NOTE: 20221009: Programming language: C.
+--
 wireshark
   NOTE: 20220916: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3f5c08b73273f6e0c4794634b55eff7adbc82522...5bef28bbd7377a0b5cb47b7c96bd29b821acedf3



[Git][security-tracker-team/security-tracker][master] LTS: Add rexical and assign to Sylvain

2022-10-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7c8dfe31 by Anton Gladky at 2022-10-09T19:55:06+02:00
LTS: Add rexical and assign to Sylvain

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -150,6 +150,9 @@ rainloop
   NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
   NOTE: 20220913: Evaluate the situation and decide whether we should support 
or EOL this package (Beuc/front-desk)
 --
+rexical (Sylvain Beucler)
+  NOTE: 20221009: Programming language: Ruby.
+--
 ruby-nokogiri (Sylvain Beucler)
   NOTE: 20220911: Programming language: ruby
   NOTE: 20220911: CVE-2022-24836 was fixed in stretch so it should be fixed in 
buster too.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c8dfe31cdc9e0999ba678e9faa1f13add69a68d



[Git][security-tracker-team/security-tracker][master] Ignore all pluxml issues in buster. Second try

2022-10-07 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2441fe1 by Anton Gladky at 2022-10-07T23:24:47+02:00
Ignore all pluxml issues in buster. Second try

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -480261,8 +480261,10 @@ CVE-2012-4676 (The errorExitIfAttackViaString 
function in Tunnelblick 3.3beta20
NOT-FOR-US: Tunnelblick
 CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows 
remote ...)
- pluxml 
+   [buster] - pluxml  (Issue is 10 years old. Package exists only 
in this suite. Popcon: 4 on 2022.10.06)
 CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the 
installation ...)
- pluxml 
+   [buster] - pluxml  (Issue is 10 years old. Package exists only 
in this suite. Popcon: 4 on 2022.10.06)
 CVE-2012-4673 (SQL injection vulnerability in 
application/controllers/invoice.php in  ...)
NOT-FOR-US: Neoinvoice
 CVE-2012-4672 (Apple iChat Server does not verify that a request was made for 
an XMPP ...)
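Review bot: the reason on the two added [buster] lines argues from age, suite and popcon only; it says nothing about whether the XSS in CVE-2012-4675 or the information disclosure in CVE-2012-4674 is reachable in the buster package. A few words on impact in the parenthesised reason would make the ignore decision easier to audit later.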
@@ -558822,6 +558824,7 @@ CVE-2007-3543 (Unrestricted file upload vulnerability 
in WordPress before 2.2.1
[etch] - wordpress  (Vulnerable code not present)
 CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in 
Pluxml 0 ...)
- pluxml 
+   [buster] - pluxml  (Issue is 15 years old. Package exists only 
in this suite. Popcon: 4 on 2022.10.06)
 CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 
20070408 a ...)
NOT-FOR-US: Kurinton sHTTPd
 CVE-2007-3540 (Multiple cross-site scripting (XSS) vulnerabilities in 
search.asp in r ...)
@@ -559159,6 +559162,7 @@ CVE-2007-3433 (SQL injection vulnerability in 
index.php in Pharmacy System 2 and
NOT-FOR-US: Pharmacy System
 CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in 
Pluxml 0 ...)
- pluxml 
+   [buster] - pluxml  (Issue is 15 years old. Package exists only 
in this suite. Popcon: 4 on 2022.10.06)
 CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in 
Valerio Cap ...)
NOT-FOR-US: Dagger
 CVE-2007-3430 (SQL injection vulnerability in index.php in Simple Invoices 
2007 05 25 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2441fe1836a30c09bd805353e3775727d9d0327



[Git][security-tracker-team/security-tracker][master] 4 commits: LTS: triage gajim

2022-10-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c8184c6 by Anton Gladky at 2022-10-06T22:28:36+02:00
LTS: triage gajim

- - - - -
c5768503 by Anton Gladky at 2022-10-06T22:28:38+02:00
Ignore all pluxml issues in buster

- - - - -
3ba8c53e by Anton Gladky at 2022-10-06T22:30:34+02:00
LTS: triage joblib

- - - - -
fe280448 by Anton Gladky at 2022-10-06T22:38:49+02:00
LTS: triage modsecurity-crs

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -480117,8 +480117,10 @@ CVE-2012-4677 (Tunnelblick 3.3beta20 and earlier 
allows local users to gain priv
 CVE-2012-4676 (The errorExitIfAttackViaString function in Tunnelblick 
3.3beta20 and e ...)
NOT-FOR-US: Tunnelblick
 CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows 
remote ...)
+   [buster] - pluxml  Issue is 10 years old. Package exists only 
in this suite. Popcon: 4 (2022.10.06).
- pluxml 
 CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the 
installation ...)
+   [buster] - pluxml  Issue is 10 years old. Package exists only 
in this suite. Popcon: 4 (2022.10.06).
- pluxml 
 CVE-2012-4673 (SQL injection vulnerability in 
application/controllers/invoice.php in  ...)
NOT-FOR-US: Neoinvoice
@@ -558678,6 +558680,7 @@ CVE-2007-3543 (Unrestricted file upload vulnerability 
in WordPress before 2.2.1
- wordpress 2.2.1-1
[etch] - wordpress  (Vulnerable code not present)
 CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in 
Pluxml 0 ...)
+   [buster] - pluxml  Issue is 15 years old. Package exists only 
in this suite. Popcon: 4 (2022.10.06).
- pluxml 
 CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 
20070408 a ...)
NOT-FOR-US: Kurinton sHTTPd
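Review bot: in this hunk the added [buster] line sits above the "- pluxml" line and its reason is bare text ending in a period, while the wordpress entry in the context directly above puts the release-specific line after "- wordpress 2.2.1-1" and wraps the reason in parentheses. The other three [buster] lines added to this file have the same shape; move each below its "- pluxml" line and parenthesise the reason.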
@@ -559015,6 +559018,7 @@ CVE-2007-3434 (index.php in Pharmacy System 2 and 
earlier allows remote attacker
 CVE-2007-3433 (SQL injection vulnerability in index.php in Pharmacy System 2 
and earl ...)
NOT-FOR-US: Pharmacy System
 CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in 
Pluxml 0 ...)
+   [buster] - pluxml  Issue is 15 years old. Package exists only 
in this suite. Popcon: 4 (2022.10.06).
- pluxml 
 CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in 
Valerio Cap ...)
NOT-FOR-US: Dagger


=
data/dla-needed.txt
=
@@ -46,6 +46,9 @@ frr (Thorsten Alteholz)
 fwupd
   NOTE: 20221003: Programming language: C++.
 --
+gajim
+  NOTE: 20221006: Programming language: Python.
+--
 gerbv
   NOTE: 20220923: Programming language: C.
 --
@@ -76,6 +79,9 @@ imagemagick
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
+joblib
+  NOTE: 20221006: Programming language: Python.
+--
 knot-resolver (Chris Lamb)
   NOTE: 20221003: Programming language: C.
 --
@@ -96,6 +102,10 @@ man2html
 mbedtls
   NOTE: 20220821: Programming language: C.
 --
+modsecurity-crs
+  NOTE: 20221006: Programming language: Other.
+  NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
+--
 netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
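Review bot: "Programming language: Other." on the new modsecurity-crs entry does not help anyone decide whether they can take the package; name what the package actually consists of. The maintainer NOTE would also be more useful with the reason a newer version is suggested.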



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0275d7b22983483569b602b2e41e62c16cd16b21...fe280448e1117137cdf8440a17b03b8014989874



Bug#1015103: marked as pending in lomiri-ui-extras

2022-10-05 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1015103 in lomiri-ui-extras reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ubports-team/lomiri-ui-extras/-/commit/282f186494d31d546336365dbb9805731e268eb8


Disable tst_printers test. (Closes: #1015103)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1015103



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage strongswan

2022-10-04 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
daa292f8 by Anton Gladky at 2022-10-04T22:28:27+02:00
LTS: triage strongswan

- - - - -
86eb5298 by Anton Gladky at 2022-10-04T22:28:28+02:00
LTS: triage man2html

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -91,6 +91,11 @@ libpgjava
 --
 linux (Ben Hutchings)
 --
+man2html
+  NOTE: 20221004: Programming language: C.
+  NOTE: 20221004: It looks like not patch is available.
+  NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
+--
 mbedtls
   NOTE: 20220821: Programming language: C.
 --
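Review bot: two typos in the added man2html NOTEs: "not patch is available" should read "no patch is available", and "evalulate" should be "evaluate".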
@@ -183,6 +188,10 @@ squid (Abhijith PA)
   NOTE: 20220923: Programming language: C.
   NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 
should be an issue, pleae recheck
 --
+strongswan
+  NOTE: 20221004: Programming language: C.
+  NOTE: 20221004: VCS: 
https://salsa.debian.org/lts-team/packages/strongswan.git
+--
 trafficserver (Abhijith PA)
   NOTE: 20220905: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8054119441f4e8b40ab7c407b28327b6c83a8509...86eb529861da0e06e8f6e1b3ab2311fdfd35e699



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage knot-resolver

2022-10-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e60a01cc by Anton Gladky at 2022-10-03T22:46:49+02:00
LTS: triage knot-resolver

- - - - -
84709f8f by Anton Gladky at 2022-10-03T23:08:57+02:00
LTS: triage libpgjava

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,10 +79,16 @@ imagemagick
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
 --
+knot-resolver
+  NOTE: 20221003: Programming language: C.
+--
 kopanocore
   NOTE: 20220801: Programming language: C++.
   NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973)
 --
+libpgjava
+  NOTE: 20221003: Programming language: Java.
+--
 linux (Ben Hutchings)
 --
 mbedtls



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5ac0d0b0e140bf61f6919e3a69d942db1948efb8...84709f8f6c01c866b3874361a3c6c9ab441e636e



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage clickhouse

2022-10-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55d774d9 by Anton Gladky at 2022-10-03T22:27:52+02:00
LTS: triage clickhouse

- - - - -
5ac0d0b0 by Anton Gladky at 2022-10-03T22:39:42+02:00
LTS: triage fwupd

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -26,6 +26,11 @@ bluez
   NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --
+clickhouse
+  NOTE: 20221003: Programming language: C++.
+  NOTE: 20221003: One pull request closes several CVEs.
+  NOTE: 20221003: Please evaluate, whether it can be applied.
+--
 curl (gladk)
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
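Review bot: the clickhouse NOTE "One pull request closes several CVEs" names neither the pull request nor the CVEs. Add the URL and the CVE ids so the next person does not have to rediscover them before judging whether it can be applied.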
@@ -41,6 +46,9 @@ firmware-nonfree
 frr (Thorsten Alteholz)
   NOTE: 20220923: Programming language: C.
 --
+fwupd
+  NOTE: 20221003: Programming language: C++.
+--
 gerbv
   NOTE: 20220923: Programming language: C.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6c778ad6eebfb2fbc27cb33126ff197e98ca1b4...5ac0d0b0e140bf61f6919e3a69d942db1948efb8



[Git][security-tracker-team/security-tracker][master] 2 commits: Remove lts-frontdesk.py (integrated into the dispatch-front-desk script)

2022-10-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52b9feeb by Anton Gladky at 2022-10-03T12:02:15+02:00
Remove lts-frontdesk.py (integrated into the dispatch-front-desk script)

- - - - -
fec88202 by Anton Gladky at 2022-10-03T12:03:08+02:00
LTS: dispatch frontdesk slots for 2023/H1

- - - - -


2 changed files:

- + org/lts-frontdesk.2023.txt
- − org/lts-frontdesk.py


Changes:

=
org/lts-frontdesk.2023.txt
=
@@ -0,0 +1,52 @@
+From 02-01 to 08-01:Sylvain Beucler 
+From 09-01 to 15-01:Thorsten Alteholz 
+From 16-01 to 22-01:Utkarsh Gupta 
+From 23-01 to 29-01:Anton Gladky 
+From 30-01 to 05-02:Chris Lamb 
+From 06-02 to 12-02:Emilio Pozuelo Monfort 
+From 13-02 to 19-02:Markus Koschany 
+From 20-02 to 26-02:Ola Lundqvist 
+From 27-02 to 05-03:Sylvain Beucler 
+From 06-03 to 12-03:Thorsten Alteholz 
+From 13-03 to 19-03:Utkarsh Gupta 
+From 20-03 to 26-03:Anton Gladky 
+From 27-03 to 02-04:Chris Lamb 
+From 03-04 to 09-04:Emilio Pozuelo Monfort 
+From 10-04 to 16-04:Markus Koschany 
+From 17-04 to 23-04:Ola Lundqvist 
+From 24-04 to 30-04:Sylvain Beucler 
+From 01-05 to 07-05:Thorsten Alteholz 
+From 08-05 to 14-05:Utkarsh Gupta 
+From 15-05 to 21-05:Anton Gladky 
+From 22-05 to 28-05:Chris Lamb 
+From 29-05 to 04-06:Emilio Pozuelo Monfort 
+From 05-06 to 11-06:Markus Koschany 
+From 12-06 to 18-06:Ola Lundqvist 
+From 19-06 to 25-06:Sylvain Beucler 
+From 26-06 to 02-07:Thorsten Alteholz 
+From 03-07 to 09-07:
+From 10-07 to 16-07:
+From 17-07 to 23-07:
+From 24-07 to 30-07:
+From 31-07 to 06-08:
+From 07-08 to 13-08:
+From 14-08 to 20-08:
+From 21-08 to 27-08:
+From 28-08 to 03-09:
+From 04-09 to 10-09:
+From 11-09 to 17-09:
+From 18-09 to 24-09:
+From 25-09 to 01-10:
+From 02-10 to 08-10:
+From 09-10 to 15-10:
+From 16-10 to 22-10:
+From 23-10 to 29-10:
+From 30-10 to 05-11:
+From 06-11 to 12-11:
+From 13-11 to 19-11:
+From 20-11 to 26-11:
+From 27-11 to 03-12:
+From 04-12 to 10-12:
+From 11-12 to 17-12:
+From 18-12 to 24-12:
+From 25-12 to 31-12:
\ No newline at end of file
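Review bot: the new file ends without a trailing newline (see the "\ No newline at end of file" marker after the 25-12 to 31-12 line); add one so later appends and line-based tools behave. The slots from 03-07 onward are empty, which fits the H1 scope in the commit message.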


=
org/lts-frontdesk.py deleted
=
@@ -1,42 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-import datetime
-
-HEADER = """
-Presentation
-
-
-The LTS frontdesk handles:
-
- * CVE triaging:
-   https://wiki.debian.org/LTS/Development#Triage_new_security_issues
-
- * Making sure that queries on debian-...@lists.debian.org get an answer..
-
-Who is in charge ?
---
-"""
-
-LINE = """From {0.day:02d}-{0.month:02d} to {1.day:02d}-{1.month:02d}:"""
-
-
-def main(year):
-print(HEADER.strip())
-print()
-
-for x, y in generate_weeks(int(year)):
-print(LINE.format(x, y))
-
-
-def generate_weeks(year):
-dt = datetime.date(year, 1, 1)
-
-while dt.year == year:
-if dt.weekday() == 0:
-yield (dt, dt + datetime.timedelta(days=6))
-dt += datetime.timedelta(days=1)
-
-
-if __name__ == '__main__':
-sys.exit(main(*sys.argv[1:]))
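Review bot: nothing in this push shows where the week generation now lives: the two changed files are the new 2023 slot list and this deletion, and the dispatch-front-desk script named in the commit message is not among them. Reference the commit that added the replacement in the message, so the removal can be checked against it.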



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99ff65e75540ca7b1ad602eb52c027abe97ac5ef...fec882025036401c20b9119851c6c867fe7ad508



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-10-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7e3a4a4 by Anton Gladky at 2022-10-03T10:01:51+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,10 +79,10 @@ libdatetime-timezone-perl (Emilio)
 --
 linux (Ben Hutchings)
 --
-mbedtls (Utkarsh)
+mbedtls
   NOTE: 20220821: Programming language: C.
 --
-netatalk (Stefano Rivera)
+netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
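Review bot: netatalk loses its claimant while the 20220912 NOTE from stefanor still says the log errors need more investigation. Add a dated NOTE that the package is unclaimed again and whether that investigation produced anything, otherwise the next claimant starts from scratch.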



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7e3a4a486614207cb5d7d990a5bfd39c1555b9d



Bug#1012993: marked as pending in lomiri-thumbnailer

2022-10-02 Thread Anton Gladky
Control: tag -1 pending

Hello,

Bug #1012993 in lomiri-thumbnailer reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/ubports-team/lomiri-thumbnailer/-/commit/451c874dfb0cfa2f2f51f7e188b10d255ab3b259


Add missing header. (Closes: #1012993)


(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1012993



[Git][security-tracker-team/security-tracker][master] LTS: claim curl in dla-needed.txt

2022-09-30 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93c327e4 by Anton Gladky at 2022-09-30T16:31:16+02:00
LTS: claim curl in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -25,7 +25,7 @@ bluez
   NOTE: 20220902: Programming language: C.
   NOTE: 20220902: Consider synchronizing with Stretch. (apo)
 --
-curl
+curl (gladk)
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
@@ -59,7 +59,7 @@ golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)
   NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 
11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
-  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921 
+  NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 
CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 
CVE-2022-23806 CVE-2022-24921
 --
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
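Review bot: the second hunk only strips trailing whitespace from the golang-1.11 CVE list NOTE, which is unrelated to claiming curl. Put the whitespace cleanup in its own commit so the claim commit touches just the curl line.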



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93c327e4e2abe4c032943e0fc655b781d29cdf8b



[SECURITY] [DLA 3122-1] dovecot security update

2022-09-26 Thread Anton Gladky

- -
Debian LTS Advisory DLA-3122-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
September 27, 2022    https://wiki.debian.org/LTS
- -

Package: dovecot
Version: 1:2.3.4.1-5+deb10u7
CVE ID : CVE-2021-33515 CVE-2022-30550

Two security issues were discovered in dovecot: IMAP and POP3 email server.

CVE-2021-33515

The submission service in Dovecot before 2.3.15 allows STARTTLS command
injection in lib-smtp. Sensitive information can be redirected to an
attacker-controlled address.

CVE-2022-30550

When two passdb configuration entries exist with the same driver and args
settings, incorrectly applied settings can lead to an unintended security
configuration and can permit privilege escalation in certain configurations.

For Debian 10 buster, these problems have been fixed in version
1:2.3.4.1-5+deb10u7.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/dovecot

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3122-1 for dovecot

2022-09-26 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7c7cb8f by Anton Gladky at 2022-09-27T06:08:00+02:00
Reserve DLA-3122-1 for dovecot

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -29107,7 +29107,6 @@ CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 
allows a remote attacker to
 CVE-2022-30550 (An issue was discovered in the auth component in Dovecot 2.2 
and 2.3 b ...)
- dovecot 1:2.3.19.1+dfsg1-2 (bug #1016351)
[bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u1
-   [buster] - dovecot  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/9
NOTE: 
https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
NOTE: 
https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b
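Review bot: with the "[buster] - dovecot  (Minor issue)" line removed, this entry no longer states any buster status for CVE-2022-30550, while bullseye keeps an explicit fixed version. The buster fix is therefore recorded only through the DLA-3122-1 entry added to data/DLA/list in the same commit. Please double-check that the CVE id in that entry's brace list is spelled exactly as it is here, since a mismatch would leave this CVE without any buster annotation.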
@@ -92518,7 +92517,6 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 
1.0.7 and 1.1.x and 1.2.
NOTE: 
https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac
 (master)
 CVE-2021-33515 (The submission service in Dovecot before 2.3.15 allows 
STARTTLS comman ...)
- dovecot 1:2.3.13+dfsg1-2 (bug #990566)
-   [buster] - dovecot  (Minor issue, fix along with next update)
[stretch] - dovecot  (Vulnerable code 
(smtp_server_command queue) introduced later)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/2
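Review bot: the commit subject says only "Reserve DLA-3122-1 for dovecot", but this hunk also drops the buster annotation "(Minor issue, fix along with next update)" for CVE-2021-33515. Consider mentioning the removed triage lines in the commit message so that the change to data/CVE/list can be found from the log. The stretch line is left untouched, which is consistent with its "introduced later" reasoning.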


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Sep 2022] DLA-3122-1 dovecot - security update
+   {CVE-2021-33515 CVE-2022-30550}
+   [buster] - dovecot 1:2.3.4.1-5+deb10u7
 [26 Sep 2022] DLA-3121-1 firefox-esr - security update
{CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 
CVE-2022-40960 CVE-2022-40962}
[buster] - firefox-esr 102.3.0esr-1~deb10u2


=
data/dla-needed.txt
=
@@ -30,11 +30,6 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-dovecot (Anton)
-  NOTE: 20220913: Programming language: C.
-  NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
-  NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)
---
 exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)
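Review bot: the removed dovecot entry's note reads "1 CVE fixed in Debian 11.5 + 2 other postponed CVEs", which is three CVEs, while the DLA-3122-1 entry added to data/DLA/list names two (CVE-2021-33515 and CVE-2022-30550). The commit message should say what happened to the third so that dropping the entry from dla-needed.txt does not look like an omission. If it is CVE-2020-28200, marked as ignored for buster in 3c7a7e4d, a reference to that commit would be enough.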



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7c7cb8f7e52ce9961dd40e9c18573e80a2a519d



[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-28200 as ignored for buster

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c7a7e4d by Anton Gladky at 2022-09-26T07:20:01+02:00
Mark CVE-2020-28200 as ignored for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -137214,7 +137214,7 @@ CVE-2020-28201
 CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled 
Resource ...)
- dovecot 1:2.3.16+dfsg1-1 (bug #990566; bug #991323)
[bullseye] - dovecot  (Minor issue, fix along with next 
update)
-   [buster] - dovecot  (Minor issue, fix along with next update)
+   [buster] - dovecot  (Minor issue, backport is too disruptive)
[stretch] - dovecot  (Minor issue)
NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/3
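Review bot: the new buster reason, "backport is too disruptive", is not backed by anything in the entry: the only NOTE lines are the dovecot-news and oss-security announcement links. A NOTE naming the upstream change or changes that cannot be backported would let a later reader re-check the decision. Also note that bullseye still carries "fix along with next update" for the same CVE, so the two releases now diverge.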



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c7a7e4debcab7ece80328ba3b4c8f5aee44d729



[Git][security-tracker-team/security-tracker][master] LTS: take dovecot

2022-09-25 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7f8f3d0 by Anton Gladky at 2022-09-25T12:30:34+02:00
LTS: take dovecot

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -27,7 +27,7 @@ curl
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
   NOTE: 20220904: Special attention: high popcon!.
 --
-dovecot
+dovecot (Anton)
   NOTE: 20220913: Programming language: C.
   NOTE: 20220913: VCS: https://salsa.debian.org/lts-team/packages/dovecot.git
   NOTE: 20220913: Harmonize with bullseye: 1 CVE fixed in Debian 11.5 + 2 
other postponed CVEs (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7f8f3d0648ba55c543088f90ceb18610d11773d


