Re: Suggesting change in DPT Policy
Same for me. Thanks for the proposal. +1 Anton On Sat, 9 March 2024 at 17:51, Nilesh Patra wrote: > I am late to the party but I agree with the policy change. > > Best, > Nilesh >
Bug#1064982: gnuplot-qt: gnuplot displays a window with nothing in it
Hi Vincent, thanks a lot for this deep dive into the problem! Really appreciate it! Best regards Anton -- debian-science-maintainers mailing list debian-science-maintainers@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
Re: PyTables no longer buildable on s390x
Hi Antonio, sure, please go ahead! Best regards Anton On Mon, 12 Feb 2024 at 20:12, Antonio Valentino < antonio.valent...@tiscali.it> wrote: > Dear Anton, > PyTables > 3.9 depends on c-blosc2 that is not available on s390x. > As a consequence PyTables itself is no longer buildable on that platform. > > Please note that this will have a consequence on the sfepy package, > maintained by you, that currently depends on pytables. > > In #1061661 I have already requested the removal of python3-tables-lib > from unstable [s390x]. > Are you fine with removing sfepy from unstable [s390x] as well? > > > [#1061661] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061661 > > kind regards > -- > Antonio Valentino > >
Francesco Ballarin: Advocate
For nm.debian.org, at 2024-02-06: I support Francesco Ballarin's request to become a Debian Maintainer. I have reviewed and uploaded several versions of gmsh package, prepared by Francesco in the last several weeks and I consider him as having sufficient technical competence. I have communicated with Francesco Ballarin (key 1B5D04B1E507BBF03669E2B801F35FC33E73AF8C) and I know Francesco Ballarin can be trusted to have upload rights for his own packages, right now. Anton Gladky (via nm.debian.org) For details and to comment, visit https://nm.debian.org/process/1253/
Bug#1061200: transition: vtk9
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: v...@packages.debian.org Control: affects -1 + src:vtk9 Dear release team, please schedule vtk9.3 transition. Ben file: title = "vtk9"; is_affected = .depends ~ "libvtk9\.1|libvtk9\.1\-qt" | .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; is_good = .depends ~ "libvtk9\.3|libvtk9\.3\-qt"; is_bad = .depends ~ "libvtk9\.1|libvtk9\.1\-qt"; I have done a full rebuild and some failures are detected. Bugs (most of them with patches) will be filed in the next time. Thank you Anton
Bug#1060806: RM: yade [ppc64el i386 s390x] -- ROM; Reducing available archs
Package: ftp.debian.org Severity: normal User: ftp.debian@packages.debian.org Usertags: remove Dear FTP team, please remove yade on [ppc64el i386 s390x]. Thanks Anton
Bug#1060454: RM: boost1.81 -- ROM; Superseded by boost1.83
Package: ftp.debian.org Severity: normal User: ftp.debian@packages.debian.org Usertags: remove X-Debbugs-Cc: boost1...@packages.debian.org Control: affects -1 + src:boost1.81 Dear FTP team, please remove boost1.81 because it is superseded by boost1.83 Thanks Anton
Bug#1060453: RM: boost1.74 -- ROM; superseded by boost1.83
Package: ftp.debian.org Severity: normal User: ftp.debian@packages.debian.org Usertags: remove X-Debbugs-Cc: boost1...@packages.debian.org Control: affects -1 + src:boost1.74 Dear FTP team, please remove boost1.74 because it is superseded by boost1.83 Thanks Anton
Bug#1060299: libboost1.83-dev: After installing libboost-all-dev I can't perform an upgrade anymore
Hi, thanks for the bug report. You have a nice mix of many third-party repos in the /etc/apt/sources.list, which can break the installation. Regards Anton On Tue, 9 Jan 2024 at 03:00, Harald wrote: > ~# apt-get update && apt-get upgrade > Get:1 > http://download.opensuse.org/repositories/home:/hawkeye116477:/waterfox/Debian_Unstable > InRelease [1,594 B] > Hit:2 http://security.debian.org testing-security InRelease > Get:3 > http://download.opensuse.org/repositories/home:/stevenpusser/Debian_10 > InRelease [1,547 B] > Hit:4 https://noone.org/conkeror-nightly-debs sid InRelease > Hit:5 https://deb.opera.com/opera-stable stable InRelease > Hit:6 http://packages.microsoft.com/repos/code stable InRelease > Hit:8 https://dl.winehq.org/wine-builds/debian trixie InRelease > Hit:9 https://updates.signal.org/desktop/apt xenial InRelease > Hit:10 http://ftp.de.debian.org/debian sid InRelease > Hit:7 https://debian.qgis.org/debian-nightly sid InRelease > :
[Yade-users] New version of Yade release, release plan
Dear Yade users and developers, As is customary at the beginning of January, we aim to release a new version of Yade. The release process takes some time, so we kindly request that you commit all your planned features by the *end of the day on January 19, 2023* , so that we can prepare the tarball, test it on all supported architectures, and upload it into the package archives. The version 2024.01 is intended to be included in the next Long-term-support Ubuntu Release 24.04, scheduled for release in April 2024 and will be supported until 2029. Please plan your work accordingly. Thanks and best regards, Anton ___ Mailing list: https://launchpad.net/~yade-users Post to : yade-users@lists.launchpad.net Unsubscribe : https://launchpad.net/~yade-users More help : https://help.launchpad.net/ListHelp
[Yade-dev] New version of Yade release, release plan
Dear Yade users and developers, As is customary at the beginning of January, we aim to release a new version of Yade. The release process takes some time, so we kindly request that you commit all your planned features by the *end of the day on January 19, 2023* , so that we can prepare the tarball, test it on all supported architectures, and upload it into the package archives. The version 2024.01 is intended to be included in the next Long-term-support Ubuntu Release 24.04, scheduled for release in April 2024 and will be supported until 2029. Please plan your work accordingly. Thanks and best regards, Anton ___ Mailing list: https://launchpad.net/~yade-dev Post to : yade-dev@lists.launchpad.net Unsubscribe : https://launchpad.net/~yade-dev More help : https://help.launchpad.net/ListHelp
Bug#1059961: transition: benchmark
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition X-Debbugs-Cc: benchm...@packages.debian.org Control: affects -1 + src:benchmark Dear release team, please schedule a tiny benchmark transition. Thanks! Ben file: title = "benchmark"; is_affected = .depends ~ "libbenchmark1debian" | .depends ~ "libbenchmark1.8.3"; is_good = .depends ~ "libbenchmark1.8.3"; is_bad = .depends ~ "libbenchmark1debian";
Re: Updating ortools
Hi, sure, welcome to the team! It would also be good to fix RC bugs there. Thanks! Regards, Anton On Tue, 2 Jan 2024 at 20:15, Kari Pahula wrote: > > Hi. > > As the maintainer of minizinc, I have an interest in ortools. I added > ortools-flatzinc as rdep for it with a recent update but noticed that > it's kind of unmaintained at the moment. > > I can prepare an update with the newest upstream version and add > myself as an uploader. >
Bug#1056088: marked as pending in bagel
Control: tag -1 pending Hello, Bug #1056088 in bagel reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/debichem-team/bagel/-/commit/2dc6e7c37ac418531088df93d512dfe6fc9aa501 Fix FTBFS against boost 1.83. (Closes: #1056088) (this message was generated automatically) -- Greetings https://bugs.debian.org/1056088
Bug#1028489: boost1.83 as default
Hi Sebastian, uploaded. Anton On Sun, 17 Dec 2023 at 18:13, Sebastian Ramacher wrote: ... > Please go ahead. > > Cheers > -- > Sebastian Ramacher
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3676-1 for libde265
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 808dc32e by Anton Gladky at 2023-11-30T17:39:19+01:00 Reserve DLA-3676-1 for libde265 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41871,14 +41871,12 @@ CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflo - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/394 NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 (v1.0.12) CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/393 NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 (v1.0.12) CVE-2023-27101 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3676-1 libde265 - security update + {CVE-2023-27102 CVE-2023-27103 CVE-2023-43887 CVE-2023-47471} + [buster] - libde265 1.0.11-0+deb10u5 [30 Nov 2023] DLA-3675-1 zbar - security update {CVE-2023-40889 CVE-2023-40890} [buster] - zbar 0.22-1+deb10u1 = data/dla-needed.txt = 
@@ -89,10 +89,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libde265 (gladk) - NOTE: 20231119: Added by Front-Desk (apo) - NOTE: 20231119: Fix along with postponed issues. --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
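Review bot: In the data/DLA/list hunk, DLA-3676-1 lists four CVEs (CVE-2023-27102, CVE-2023-27103, CVE-2023-43887, CVE-2023-47471), but the data/CVE/list hunk only drops the `[buster] - libde265 (Minor issue)` line for CVE-2023-27103 and CVE-2023-27102. Please confirm that the CVE-2023-43887 and CVE-2023-47471 entries carry no buster annotation that would contradict the fixed version 1.0.11-0+deb10u5 recorded here.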
[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21428 as not-affected for stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 6619bfa5 by Anton Gladky at 2023-11-28T06:52:43+01:00 Mark CVE-2020-21428 as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -236803,6 +236803,7 @@ CVE-2020-21429 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in ...) {DLA-3662-1} - freeimage 3.18.0+ds2-10 (bug #1051738) + [stretch] - freeimage (vulnerable code is not present) NOTE: https://sourceforge.net/p/freeimage/bugs/299/ NOTE: Fixed with r1877 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginB ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
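Review bot: The added `[stretch] - freeimage (vulnerable code is not present)` line gives no pointer to how that was established. The entry's notes record only the fixing revision (r1877), so a NOTE naming the revision or version that introduced the affected LoadRGB code in PluginDDS.cpp would let the next person verify the stretch status without redoing the analysis.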
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3662-1 for freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 22ea11b5 by Anton Gladky at 2023-11-24T06:51:27+01:00 Reserve DLA-3662-1 for freeimage - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3662-1 freeimage - security update + {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} + [buster] - freeimage 3.18.0+ds2-1+deb10u2 [23 Nov 2023] DLA-3661-1 firefox-esr - security update {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} [buster] - firefox-esr 115.5.0esr-1~deb10u1 = data/dla-needed.txt = @@ -65,13 +65,6 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the - NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll - NOTE: 20230826: out the DLA/ELA now. (utkarsh) - NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
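Review bot: The data/dla-needed.txt hunk removes the whole freeimage entry, including the 20231120 note that a check with ASAN is needed for the many piled-up CVEs, while DLA-3662-1 in data/DLA/list covers three of them. The commit message could say where the remaining freeimage issues are tracked for buster, so the removal does not read as if everything had been fixed.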
[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00 Update notes for outstanding freeimage issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp - freeimage (bug #1055305) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/334/ CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...) - freeimage (bug #1055304) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/337/ CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...) - freeimage (bug #1055303) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/335/ CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...) - freeimage (bug #1055302) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/336/ CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...) - freeimage (bug #1055301) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/338/ CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...) NOT-FOR-US: SourceCodester 
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ + NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected CVE-2020-21425 RESERVED CVE-2020-21424 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
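Review bot: The NOTE added under CVE-2020-21426 says the issue appears to be in openexr, yet the entry still lists only `- freeimage (bug #1051736)`. If that conclusion holds, the entry should gain an openexr package line or a reference backing the claim; as written, the note and the package status disagree.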
Re: [Yade-dev] Deprecate Debian Stretch, Ubuntu 16.04, 18.04
Hi Bruno, we can freeze the daily versions and drop deprecated distros from all CI pipelines. Regards Anton On Mon, 20 Nov 2023 at 21:01, Bruno Chareyre wrote: > > Hi Anton, > > I agree to stop building them. To be sure: are you thinking about removing > them from "daily" package repository as well, or just to freeze the versions > there? > > Cheers > > Bruno > > > On 20/11/2023 20:52, Anton Gladky wrote: > > Dear all, > > We are adding more and more releases to be supported. > Debian Trixie is being added in the near future, and later > next year, Ubuntu 24.04 LTS will also be included. > > My proposal is to deprecate at least Debian Stretch, Ubuntu 16.04, > and Ubuntu 18.04. We need to free up some resources, and > having always older distributions in pipelines is unlikely to bring > any benefit. > > What are your thoughts? How many users are really using those > distributions? > > Best regards > > Anton > > -- > > Bruno Chareyre > Associate Professor > > Grenoble INP - UGA > Institut d'ingénierie et de management / Graduate Schools of engineering and > management > 46 av. Félix-Viallet - 38301 Grenoble > www.grenoble-inp.fr > > 3SR Lab > Soils, Solids, Structures, Risks > 1270, rue de la piscine - 38400 Saint Martin d’Hères > www.3sr.univ-grenoble-alpes.fr
[Yade-dev] Deprecate Debian Stretch, Ubuntu 16.04, 18.04
Dear all, We are adding more and more releases to be supported. Debian Trixie is being added in the near future, and later next year, Ubuntu 24.04 LTS will also be included. My proposal is to deprecate at least Debian Stretch, Ubuntu 16.04, and Ubuntu 18.04. We need to free up some resources, and having always older distributions in pipelines is unlikely to bring any benefit. What are your thoughts? How many users are really using those distributions? Best regards Anton
[Git][security-tracker-team/security-tracker][master] LTS: note in dla_neded
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 16e6f3b6 by Anton Gladky at 2023-11-20T07:02:25+01:00 LTS: note in dla_neded - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,6 +73,7 @@ freeimage (gladk) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) + NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16e6f3b6512b453ff0939ec5f3289d8b7bca143b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16e6f3b6512b453ff0939ec5f3289d8b7bca143b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take netatalk and libde265
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 0473ca78 by Anton Gladky at 2023-11-20T06:31:00+01:00 Take netatalk and libde265 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -106,7 +106,7 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libde265 +libde265 (gladk) NOTE: 20231119: Added by Front-Desk (apo) NOTE: 20231119: Fix along with postponed issues. -- @@ -138,7 +138,7 @@ mediawiki (guilhem) minizip (Thorsten Alteholz) NOTE: 20231117: Added by Front-Desk (apo) -- -netatalk +netatalk (gladk) NOTE: 20231119: Added by Front-Desk (apo) -- node-json5 (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0473ca7857001389e12bf070d7a9189be3c5b6f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0473ca7857001389e12bf070d7a9189be3c5b6f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Bug#1028489: boost1.83 as default
Hi Sebastian, bugs are filed: https://udd.debian.org/bugs/?release=na=ign=7=7=only=ftbfs-boost183-transition=gl...@debian.org=1=1=1=1#results Regards Anton
Bug#1056089: Link update
Please use this link for logs qa-logs.debian.net/2023/10/26/autodock-vina_1.2.5-1_unstable_boost181.log thanks Anton
Bug#1056090: Link update
Please use this link for logs http://qa-logs.debian.net/2023/10/26/aegisub_3.2.2+dfsg-7_unstable_boost181.log Thanks Anton
Bug#1056074: libreoffice: FTBFS: boost1.83 transition
Hi Rene, thanks for the deep analysis. We did a full rebuild of related packages and it looks like libreoffice was a false negative. Let's keep the bug open for now, till we switch to a newer version and if all is OK, the bug will be closed. Best regards Anton
Bug#1055972: UDD link update
https://udd.debian.org/bugs/?release=na=ign=7=7=only=ftbfs-boost183-transition=gl...@debian.org=1=1=1=1#results
Bug#1055973: UDD link update
https://udd.debian.org/bugs/?release=na=ign=7=7=only=ftbfs-boost183-transition=gl...@debian.org=1=1=1=1#results
[Git][security-tracker-team/security-tracker][master] LTS: add Thorsten as FD 18-12 to 24-12
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: da44dab4 by Anton Gladky at 2023-11-12T20:50:04+01:00 LTS: add Thorsten as FD 18-12 to 24-12 - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta -From 18-12 to 24-12:Anton Gladky +From 18-12 to 24-12:Thorsten Alteholz From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da44dab4615cce4ded1eb0909ed4e75eebc15d03
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ce2e749f by Anton Gladky at 2023-11-02T06:13:42+01:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2e749f378fb03929164cf665a4e30f232c2d9c
[SECURITY] [DLA 3638-1] h2o security update
Debian LTS Advisory DLA-3638-1    debian-...@lists.debian.org
https://www.debian.org/lts/security/    Anton Gladky
October 29, 2023    https://wiki.debian.org/LTS

Package : h2o
Version : 2.2.5+dfsg2-2+deb10u2
CVE ID : CVE-2023-44487
Debian Bug : 1054232

A vulnerability has been identified in h2o, a high-performance web server with support for HTTP/2.

A security vulnerability CVE-2023-44487 was discovered that could potentially be exploited to disrupt server operation.

The vulnerability in the h2o HTTP/2 server was related to the handling of certain types of HTTP/2 requests. In certain scenarios, an attacker could send a series of malicious requests, causing the server to process them rapidly and exhaust system resources.

The applied upstream patch changes the ABI. Therefore, if your application is built against any shared libraries of h2o, you need to rebuild it. No Debian package is affected.

For Debian 10 buster, this problem has been fixed in version 2.2.5+dfsg2-2+deb10u2.

We recommend that you upgrade your h2o packages.

For the detailed security status of h2o please refer to its security tracker page at: https://security-tracker.debian.org/tracker/h2o

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3638-1 for h2o
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: afc552e0 by Anton Gladky at 2023-10-29T21:57:19+01:00 Reserve DLA-3638-1 for h2o - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2023] DLA-3638-1 h2o - security update + {CVE-2023-44487} + [buster] - h2o 2.2.5+dfsg2-2+deb10u2 [29 Oct 2023] DLA-3637-1 thunderbird - security update {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} [buster] - thunderbird 1:115.4.1-1~deb10u1 = data/dla-needed.txt = @@ -78,9 +78,6 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Added by Front-Desk (gladk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) -- -h2o (gladk) - NOTE: 20231013: Added by Front-Desk (ta) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afc552e00ddc08e5828739a01f7712cfcd48663e
[Git][security-tracker-team/security-tracker][master] LTS add memcached
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ba968ee5 by Anton Gladky at 2023-10-29T20:55:01+01:00 LTS add memcached - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,9 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +memcached + NOTE: 20231029: Added by Front-Desk (gladk) +-- mosquitto NOTE: 20230924: Added by Front-Desk (apo) NOTE: 20231009: Waiting for upstream clarification how to proceed with open CVE. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba968ee5aed1ee863489a7a7a58afb3116878b11
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-42445 as no-dsa for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a6540828 by Anton Gladky at 2023-10-29T20:49:01+01:00 Mark CVE-2023-42445 as no-dsa for buster - - - - - 2ae22b88 by Anton Gladky at 2023-10-29T20:49:45+01:00 LTS add knot-resolver - - - - - 8be5dbb5 by Anton Gladky at 2023-10-29T20:53:46+01:00 LTS add libstb - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4080,6 +4080,7 @@ CVE-2023-42445 (Gradle is a build tool with a focus on build automation and supp - gradle [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) + [buster] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8 CVE-2023-41950 (Cross-Site Request Forgery (CSRF) vulnerability in Laposta - Roel Bous ...) NOT-FOR-US: WordPress plugin = data/dla-needed.txt = @@ -93,6 +93,9 @@ imagemagick jetty9 (Markus Koschany) NOTE: 20231011: Added by Front-Desk (ta) -- +knot-resolver + NOTE: 20231029: Added by Front-Desk (gladk) +-- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to 
@@ -104,6 +107,11 @@ libreswan libspf2 (Thorsten Alteholz) NOTE: 20231016: Added by Front-Desk (ta) -- +libstb + NOTE: 20231029: Added by Front-Desk (gladk) + NOTE: 20231029: A lot of open CVEs. Maybe duplicates. + NOTE: 20231029: If you take a package, please evaluate it as well as its importance. +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f92b09c1de83c27ee21cdebc8c88710e2c0fdff8...8be5dbb500f0a3c0220487b9ed7b96b7cba78fc5
[Git][security-tracker-team/security-tracker][master] LTS: add galera-3
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e801f1a0 by Anton Gladky at 2023-10-28T21:06:08+02:00 LTS: add galera-3 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,10 @@ freerdp2 (tobi) NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up. NOTE: 20231023: Will continue working on package next weekend. (tobi) -- +galera-3 + NOTE: 20231028: Added by Front-Desk (gladk) + NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) +-- h2o (gladk) NOTE: 20231013: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e801f1a04ddb617cd411eaf499ba786e5261373f
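Review bot: the second NOTE added for galera-3 refers to "the open issue" and to a fix in 26.4.12 without naming the CVE id, so the reader has to look the entry up in the tracker before searching for the commit to backport. Putting the CVE id into that NOTE line would make the instruction usable on its own.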
[Git][security-tracker-team/security-tracker][master] LTS: add python-urllib3 and assign to spwhitton
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cb7d3aa by Anton Gladky at 2023-10-28T20:57:51+02:00 LTS: add python-urllib3 and assign to spwhitton - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,6 +169,9 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +python-urllib3 (spwhitton) + NOTE: 20231028: Added by Front-Desk (gladk) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7d3aa1a20579cf4b92eb1590ecad18d328cae
[Git][security-tracker-team/security-tracker][master] 5 commits: Mark CVE-2023-{5586,5595} as EOL for LTS (gpac)
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e794e0ed by Anton Gladky at 2023-10-24T21:20:34+02:00 Mark CVE-2023-{5586,5595} as EOL for LTS (gpac) - - - - - b60ef744 by Anton Gladky at 2023-10-24T21:38:01+02:00 Mark CVE-2023-41914 as EOL for buster (slurm-llnl) - - - - - c594f8a6 by Anton Gladky at 2023-10-24T21:40:21+02:00 Add firefox-esr - - - - - 944e210f by Anton Gladky at 2023-10-24T21:43:09+02:00 LTS: Add pmix - - - - - b6e80ee3 by Anton Gladky at 2023-10-24T21:49:32+02:00 LTS: add request-tracker4 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1207,6 +1207,7 @@ CVE-2011-10004 (A vulnerability was found in reciply Plugin up to 1.1.7 on WordP NOT-FOR-US: WordPress plugin CVE-2023-5595 (Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/0064cf76-ece1-495d-82b4-e4a1bebeb28e NOTE: https://github.com/gpac/gpac/commit/7a6f636db3360bb16d18078d51e8c596f31302a1 CVE-2023-5575 (Improper access control in the permission inheritance in Devolutions S ...) @@ -1508,6 +1509,7 @@ CVE-2018-25091 (urllib3 before 1.24.2 does not remove the authorization HTTP hea NOTE: Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.25) CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d2a6ea71-3555-47a6-9b18-35455d103740 NOTE: https://github.com/gpac/gpac/commit/ca1b48f0abe71bf81a58995d7d75dc27f5a17ddc CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle Rental S ...) 
@@ -1548,6 +1550,7 @@ CVE-2023-41914 - slurm-wlm 23.02.6-1 [bullseye] - slurm-wlm (Very intrusive patch and upstream does not release patches for unsupported versions) - slurm-llnl + [buster] - slurm-llnl (EOL in buster LTS) NOTE: https://groups.google.com/g/slurm-users/c/N9WHFVefSHA NOTE: slurm-wlm-contrib also changed, but actual security issue is in slurm-wlm CVE-2023-4263 (Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nR ...) = data/dla-needed.txt = @@ -58,6 +58,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +firefox-esr + NOTE: 20231024: Added by Front-Desk (gladk) +-- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) @@ -159,6 +162,9 @@ osslsigncode phppgadmin (Chris Lamb) NOTE: 20230925: Added by Front-Desk (apo) -- +pmix + NOTE: 20231024: Added by Front-Desk (gladk) +-- python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) 
@@ -189,6 +195,11 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- +request-tracker4 + NOTE: 20231024: Added by Front-Desk (gladk) + NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d + NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb +-- ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cf08268df07488cd908bcfeeda4b0dff8ad6c346...b6e80ee32afc2cdb18397cc1b3984781cecb9387
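Review bot: in the request-tracker4 hunk the two added "Please check the commit:" NOTE lines give upstream commit URLs but do not say which CVE each commit is expected to fix or what the check should establish (affected or not, backportable or not). Adding the CVE id to each line, for example "NOTE: 20231024: CVE-...: please check the commit: ...", would tie each commit to the issue it belongs to.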
[Git][security-tracker-team/security-tracker][master] LTS: add roundcube and assign to maintainer
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 48b0cbf9 by Anton Gladky at 2023-10-24T18:35:36+02:00 LTS: add roundcube and assign to maintainer - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -193,6 +193,9 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +roundcube (guilhem) + NOTE: 20231024: Added by Front-Desk (gladk) +-- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48b0cbf9c2541e3f71ca3a5bbc4ba31157fa50ad
Re: heavy dependencies of libvtk-dev
Hi Johannes,

packaging of the vtk9 is placed here [1]. If you have some technical solution, how to solve the issue, feel free to contribute. Yes, vtk9 is a large package.

[1] https://salsa.debian.org/science-team/vtk9

Best regards

Anton

On Mon, 23 Oct 2023 at 20:22, Johannes Thrän wrote:
> Hi,
>
> libpcl-dev has unnecessarily heavy dependencies. This is, because it depends on the visualization part of pcl, which in turn pulls in libvtk and libvtk-qt and with it a desktop environment.
>
> In containerized build environments, where one just need respective headers to link against, this is problematic. To my knowledge, there's no way around it.
>
> How could we help to improve on this situation?
>
> BR, Johannes
Bug#1028489: boost1.83 as default
retitle 1028489 transition: boost1.83
thanks

Dear release team,

please consider an updated ben-file.

Thanks!

Ben file:

title = "boost1.83";
is_affected = .depends ~ /libboost[a-z-.]*1\.[74]/
is_good = .depends ~ /libboost[a-z-.]*1\.83/
is_bad = .depends ~ /libboost[a-z-.]*1\.74/
[Git][security-tracker-team/security-tracker][master] LTS: take h2o
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a3bd8eea by Anton Gladky at 2023-10-21T09:47:45+02:00 LTS: take h2o - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20230928: Added by Frond-Desk (ola) NOTE: 20231013: testing package -- -h2o (Abhijith PA) +h2o (gladk) NOTE: 20231013: Added by Front-Desk (ta) -- i2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3bd8eea71ddba0835e3da46384c0475eb6bc230
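Review bot: the h2o claim changes from "Abhijith PA" to "gladk" with no NOTE line recording the handover, so the entry keeps only the original "Added by Front-Desk (ta)" note. A dated NOTE stating that the package was taken over, and whether any work in progress was passed on, would keep that history visible in dla-needed.txt.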
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-30847 as not-affected in Debian
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e7dd3e1 by Anton Gladky at 2023-10-20T06:51:42+02:00 Mark CVE-2023-30847 as not-affected in Debian - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -23110,15 +23110,13 @@ CVE-2023-30849 (Pimcore is an open source data and experience management platfor CVE-2023-30848 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the rev ...) - - h2o - [bookworm] - h2o (Minor issue) - [bullseye] - h2o (Minor issue) - [buster] - h2o (Minor issue) + - h2o (versions up to 2.2.6 not affected) NOTE: Fixed by: https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7 NOTE: Fixed by: https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2 NOTE: https://github.com/h2o/h2o/pull/3229 NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx NOTE: https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before + NOTE: versions up to 2.2.6 not affected (May 15 2023). Never been in Debian. https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients with typ ...) NOT-FOR-US: typed-rest-client CVE-2023-30845 (ESPv2 is a service proxy that provides API management capabilities usi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e7dd3e160822a7a4e9a7c4c4915c62579c33154
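Review bot: the NOTE added at the end of the CVE-2023-30847 entry repeats the advisory URL https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx that the entry already lists in a NOTE two lines above, and "versions up to 2.2.6 not affected" is already stated on the new "- h2o" line. The added NOTE could be cut down to what is new, and "Never been in Debian" should say what has never been in Debian (the affected code or the affected versions), since h2o itself is packaged. The existing NOTE "issue possibly present before" now contradicts the not-affected marking and should be updated or removed in the same change.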
Bug#1053912: transition: alglib
Hi Sebastian,

uploaded, thanks!

Anton

On Tue, 17 Oct 2023 at 17:37, Sebastian Ramacher <sramac...@debian.org> wrote:
> Control: tags -1 confirmed
> Control: forwarded -1 https://release.debian.org/transitions/html/auto-alglib.html
>
> Hi Anton
>
> On 2023-10-14 09:59:15 +0200, Anton Gladky wrote:
> > Please schedule the transition of alglib. All reverse dependencies are built and fine.
>
> Please go ahead.
>
> Cheers
> --
> Sebastian Ramacher
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eaec764 by Anton Gladky at 2023-10-14T21:13:52+02:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaec764449d7cded838abbe46955ae73dff8dc1
Bug#1053912: transition: alglib
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: transition
X-Debbugs-Cc: alg...@packages.debian.org
Control: affects -1 + src:alglib

Please schedule the transition of alglib. All reverse dependencies are built and fine.

Thanks

Ben file:

title = "alglib";
is_affected = .depends ~ "libalglib3.19" | .depends ~ "libalglib4.0";
is_good = .depends ~ "libalglib4.0";
is_bad = .depends ~ "libalglib3.19";
Bug#1028489: transition: boost1.81
Hi James,

thanks for the offer. At the moment I am preparing 1.83 and will ask for transition soon.

Best regards

David James wrote on Wed, 4 Oct 2023, 20:23:
> Hi Anton,
>
> Is there anything I can do to help this transition along? I wish to package software that does not build on 1.74, but does on 1.81 and 1.82. If there's any way I can assist with bumping boost-defaults to 1.81 or 1.82 I would be happy to help.
>
> Regards,
>
> David James
Bug#1050019: Reporting an issue
forwarded 1050019 https://github.com/google/cctz/issues/274 thanks Hi, I have reported the issue here [1] [1] https://github.com/google/cctz/issues/274 Best regards Anton
[SECURITY] [DLA 3567-1] c-ares security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3567-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
September 15, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: c-ares
Version: 1.14.0-1+deb10u4
CVE ID : CVE-2020-22217

A vulnerability has been identified in c-ares, an asynchronous name resolver library:

CVE-2020-22217: A buffer overflow vulnerability has been found in c-ares before via the function ares_parse_soa_reply in ares_parse_soa_reply.c. This vulnerability was discovered through fuzzing. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial of service condition.

For Debian 10 buster, this problem has been fixed in version 1.14.0-1+deb10u4.

We recommend that you upgrade your c-ares packages.

For the detailed security status of c-ares please refer to its security tracker page at: https://security-tracker.debian.org/tracker/c-ares

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3567-1 for c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f7d87040 by Anton Gladky at 2023-09-15T07:36:26+02:00 Reserve DLA-3567-1 for c-ares - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Sep 2023] DLA-3567-1 c-ares - security update + {CVE-2020-22217} + [buster] - c-ares 1.14.0-1+deb10u4 [13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update {CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520} [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2 = data/dla-needed.txt = @@ -25,10 +25,6 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230910: still testing package (ta) -- -c-ares (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh) --- cacti NOTE: 20230906: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 59a480aa by Anton Gladky at 2023-09-14T04:55:59+02:00 LTS: take freeimage - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -73,7 +73,7 @@ flac NOTE: 20230827: Added by Front-Desk (utkarsh) NOTE: 20230827: incoming DSA -- -freeimage +freeimage (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a480aa246d00c144e9f84f1d70d79f569d0a85
Re: [SECURITY] [DLA 3562-1] orthanc security update
Hi,

The fix is basically the backport from the bullseye, where the call is being dropped, if the configuration does not explicitly allow it. If you call export, it returns 403.

If this is not the case, please share details.

Regards

Anton

On Tue, 12 Sept 2023 at 13:30, Abhishek Dutt <duttabhish...@gmail.com> wrote:

> Hi,
> Please look into the vulnerability test that is not supposed to work today. Moreover, look into the case where the API is not calling the option and is not included in most options. I am not worried about the case where option 2 is not working and this has to be done in the case. Therefore I would request you to check the details:
>
> 1. DICOM HTTP status 200 OK .
>
> On Tue, Sep 12, 2023 at 1:50 PM Anton Gladky wrote:
>
>> -------------------------------------------------------------------------
>> Debian LTS Advisory DLA-3562-1                debian-lts@lists.debian.org
>> https://www.debian.org/lts/security/                         Anton Gladky
>> September 12, 2023                            https://wiki.debian.org/LTS
>> -------------------------------------------------------------------------
>>
>> Package: orthanc
>> Version: 1.5.6+dfsg-1+deb10u1
>> CVE ID : CVE-2023-33466
>> Debian Bug : 1040597
>>
>> A security vulnerability was identified in Orthanc, a DICOM server used for medical imaging, whereby authenticated API users had the capability to overwrite arbitrary files and, in certain configurations, execute unauthorized code.
>>
>> This update addresses the issue by backporting a safeguard mechanism: the RestApiWriteToFileSystemEnabled option is now included, and it is set to "true" by default in the /etc/orthanc/orthanc.json configuration file. Should users wish to revert to the previous behavior, they can manually set this option to "true" themselves.
>>
>> For Debian 10 buster, this problem has been fixed in version 1.5.6+dfsg-1+deb10u1.
>>
>> We recommend that you upgrade your orthanc packages.
>>
>> For the detailed security status of orthanc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/orthanc
>>
>> Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
>
> --
> Regards,
> Abhishek Dutt
[SECURITY] [DLA 3562-1] orthanc security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3562-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
September 12, 2023                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: orthanc
Version: 1.5.6+dfsg-1+deb10u1
CVE ID : CVE-2023-33466
Debian Bug : 1040597

A security vulnerability was identified in Orthanc, a DICOM server used for medical imaging, whereby authenticated API users had the capability to overwrite arbitrary files and, in certain configurations, execute unauthorized code.

This update addresses the issue by backporting a safeguard mechanism: the RestApiWriteToFileSystemEnabled option is now included, and it is set to "true" by default in the /etc/orthanc/orthanc.json configuration file. Should users wish to revert to the previous behavior, they can manually set this option to "true" themselves.

For Debian 10 buster, this problem has been fixed in version 1.5.6+dfsg-1+deb10u1.

We recommend that you upgrade your orthanc packages.

For the detailed security status of orthanc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/orthanc

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
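A configuration audit for the option this advisory introduces, as an added example (not code from Orthanc or from the Debian package): it reports the state of RestApiWriteToFileSystemEnabled in each JSON file of a configuration directory. The function names, the constructed sample configurations and the handling of `//` and `/* */` comments in the configuration files are assumptions made here.

```python
"""Report how RestApiWriteToFileSystemEnabled is set in Orthanc configuration files."""
import json
import sys
from pathlib import Path

OPTION = "RestApiWriteToFileSystemEnabled"  # option name taken from the advisory


def strip_json_comments(text):
    """Drop // and /* */ comments that sit outside string literals."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):        # line comment: skip to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif text.startswith("/*", i):        # block comment: skip to closing */
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def option_state(config_text):
    """Return 'enabled', 'disabled', 'absent', 'invalid' or 'unparseable'."""
    try:
        cfg = json.loads(strip_json_comments(config_text))
    except json.JSONDecodeError:
        return "unparseable"
    if not isinstance(cfg, dict) or OPTION not in cfg:
        # Per the maintainer's reply in this thread, the export call is
        # dropped unless the configuration explicitly allows it.
        return "absent"
    value = cfg[OPTION]
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    return "invalid"                          # e.g. the string "true"


def audit_dir(config_dir):
    """Map every *.json file in config_dir to the state of the option."""
    return {p.name: option_state(p.read_text(encoding="utf-8"))
            for p in sorted(Path(config_dir).glob("*.json"))}


def write_enabled_files(states):
    """Names of the files that explicitly allow REST writes to the filesystem."""
    return sorted(name for name, state in states.items() if state == "enabled")


# Constructed samples. The first one would fool a plain grep for the option:
# the 'true' is inside a comment and a string value contains '//'.
SAMPLE_HARDENED = """{
  // "RestApiWriteToFileSystemEnabled" : true,
  "Name" : "Constructed sample",
  "OrthancPeers" : { "peer" : [ "http://127.0.0.1:8043/" ] },
  /* export to the server's disk stays off */
  "RestApiWriteToFileSystemEnabled" : false
}"""
SAMPLE_PERMISSIVE = """{
  "Name" : "Constructed sample",
  "RestApiWriteToFileSystemEnabled" : true
}"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/orthanc"
    results = audit_dir(target)
    for name, state in results.items():
        print(f"{name}: {OPTION} is {state}")
    sys.exit(1 if write_enabled_files(results) else 0)
```

The configuration alone does not show whether the fixed package is installed; check the installed orthanc version against 1.5.6+dfsg-1+deb10u1 separately.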
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3562-1 for orthanc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b315e37b by Anton Gladky at 2023-09-12T06:41:50+02:00 Reserve DLA-3562-1 for orthanc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9853,7 +9853,6 @@ CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP v1.0. CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access to the Or ...) {DSA-5473-1} - orthanc 1.12.1+dfsg-1 (bug #1040597) - [buster] - orthanc (Requires new configuration variable) NOTE: https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568 NOTE: Requires the addition of a new RestApiWriteToFileSystemEnabled configuration and NOTE: a check in ExportInstanceFile (OrthancRestResources.cpp); the default value = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Sep 2023] DLA-3562-1 orthanc - security update + {CVE-2023-33466} + [buster] - orthanc 1.5.6+dfsg-1+deb10u1 [11 Sep 2023] DLA-3561-1 node-cookiejar - security update {CVE-2022-25901} [buster] - node-cookiejar 2.0.1-1+deb10u1 = data/dla-needed.txt = 
@@ -156,11 +156,6 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -orthanc (gladk) - NOTE: 20230812: Added by Front-Desk (Beuc) - NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 - NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) --- poppler NOTE: 20230908: Added by Front-Desk (lamby) NOTE: 20230908: Added due to CVE-2020-23804. However, please check CVE-2020-18839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b315e37b22361d185fcb3974d805fc81871bd5c8
[med-svn] [Git][med-team/orthanc] Pushed new tag debian/1.5.6+dfsg-1+deb10u1
Anton Gladky pushed new tag debian/1.5.6+dfsg-1+deb10u1 at Debian Med / orthanc -- View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/tree/debian/1.5.6+dfsg-1+deb10u1 You're receiving this email because of your account on salsa.debian.org. ___ debian-med-commit mailing list debian-med-com...@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-med-commit
[med-svn] [Git][med-team/orthanc] Pushed new branch debian/buster
Anton Gladky pushed new branch debian/buster at Debian Med / orthanc -- View it on GitLab: https://salsa.debian.org/med-team/orthanc/-/tree/debian/buster
[Git][security-tracker-team/security-tracker][master] LTS: take c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 29d1a721 by Anton Gladky at 2023-09-11T14:21:32+02:00 LTS: take c-ares - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,7 +25,7 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230910: still testing package (ta) -- -c-ares +c-ares (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29d1a7215d0d7fd2f1ae7376144e2f491f36dccf
[Git][security-tracker-team/security-tracker][master] LTS: add elfutils to dla-needed
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b29cbb45 by Anton Gladky at 2023-09-03T21:25:34+02:00 LTS: add elfutils to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +elfutils + NOTE: 20230903: Added by Front-Desk (gladk) +-- file NOTE: 20230901: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2
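Review bot: the new elfutils entry in data/dla-needed.txt carries only the "Added by Front-Desk (gladk)" line and names no CVE or other pointer to what needs fixing in buster. Add a second NOTE with the CVE id(s) that triggered the triage, so whoever claims the package does not have to redo that lookup.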
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add some packages into the dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ceae6e23 by Anton Gladky at 2023-09-03T21:14:46+02:00 LTS: add some packages into the dla-needed.txt - - - - - dec5bf52 by Anton Gladky at 2023-09-03T21:19:47+02:00 LTS: mark CVE-2020-22217 as not-affected for jessie and stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -220872,6 +220872,8 @@ CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in libss NOTE: https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 (libssh2-1.10.0) CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via ...) - c-ares 1.17.1-1 + [jessie] - c-ares (vulnerable code is not present) + [stretch] - c-ares (vulnerable code is not present) NOTE: https://github.com/c-ares/c-ares/issues/333 NOTE: https://github.com/c-ares/c-ares/pull/332 NOTE: Fixed by: https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043 (c-ares-1_17_0) = data/dla-needed.txt = @@ -73,6 +73,9 @@ freeimage frr NOTE: 20230901: Added by Front-Desk (gladk) -- +gerbv + NOTE: 20230903: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) @@ -80,6 +83,9 @@ glib2.0 (santiago) NOTE: 20230807: idem. NOTE: 20230820: asked for review/test. -- +gsl + NOTE: 20230903: Added by Front-Desk (gladk) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 @@ -91,6 +97,9 @@ imagemagick libreswan (Markus Koschany) NOTE: 20230817: Added by Front-Desk (ta) -- +libssh2 + NOTE: 20230903: Added by Front-Desk (gladk) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- 
@@ -167,6 +176,9 @@ rails (utkarsh) NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- +ring + NOTE: 20230903: Added by Front-Desk (gladk) +-- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31
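Review bot: in the data/CVE/list hunk, the new [jessie] and [stretch] lines for CVE-2020-22217 give "vulnerable code is not present" as the reason but cite nothing it can be checked against. Add a NOTE next to the existing "Fixed by:" line naming the upstream commit or release that introduced the affected code, so the claim can be verified against the jessie and stretch source versions. As rendered here the two lines also show no status marker between the package name and the reason, although the commit message says not-affected; confirm it is present in the committed file.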
[Git][security-tracker-team/security-tracker][master] LTS: add file and frr
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: fdc54d79 by Anton Gladky at 2023-09-01T18:55:27+02:00 LTS: add file and frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +file + NOTE: 20230901: Added by Front-Desk (gladk) +-- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- @@ -67,6 +70,9 @@ freeimage NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- +frr + NOTE: 20230901: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4
[Git][security-tracker-team/security-tracker][master] LTS: mark gpac CVEs as end-of-life for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b02951f by Anton Gladky at 2023-09-01T18:52:11+02:00 LTS: mark gpac CVEs as end-of-life for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -61,20 +61,24 @@ CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 7202 allows admin users CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07 NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877 CVE-2023-41748 (Remote command execution due to improper input validation. The followi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: take orthanc and tiff
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ac555012 by Anton Gladky at 2023-08-29T18:49:24+02:00 LTS: take orthanc and tiff - - - - - de4dd34a by Anton Gladky at 2023-08-29T18:50:54+02:00 Update email - - - - - 2 changed files: - data/dla-needed.txt - org/lts-frontdesk.2023.txt Changes: = data/dla-needed.txt = @@ -126,7 +126,7 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -orthanc +orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) @@ -233,7 +233,7 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20230829: Added by pochu -- -tiff +tiff (gladk) NOTE: 20230826: Added by Front-Desk (utkarsh) -- trafficserver = org/lts-frontdesk.2023.txt = @@ -24,15 +24,15 @@ From 05-06 to 11-06:Markus Koschany From 12-06 to 18-06:Ola Lundqvist From 19-06 to 25-06:Sylvain Beucler From 26-06 to 02-07:Thorsten Alteholz -From 03-07 to 09-07:Anton Gladky +From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Anton Gladky +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta -From 28-08 to 03-09:Anton Gladky +From 28-08 to 03-09:Anton Gladky From 04-09 to 10-09:Chris Lamb From 11-09 to 17-09:Emilio Pozuelo Monfort From 18-09 to 24-09:Markus Koschany 
@@ -40,7 +40,7 @@ From 25-09 to 01-10:Ola Lundqvist From 02-10 to 08-10:Sylvain Beucler From 09-10 to 15-10:Thorsten Alteholz From 16-10 to 22-10:Utkarsh Gupta -From 23-10 to 29-10:Anton Gladky +From 23-10 to 29-10:Anton Gladky From 30-10 to 05-11:Chris Lamb From 06-11 to 12-11:Emilio Pozuelo Monfort From 13-11 to 19-11:Markus Koschany @@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta -From 18-12 to 24-12:Anton Gladky +From 18-12 to 24-12:Anton Gladky From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fdb067e1a312feac5be29e31047dac80828d1552...de4dd34a68381a1344af5927547073b1b104c0b9
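Review bot: in the org/lts-frontdesk.2023.txt hunks every removed and added "Anton Gladky" line reads the same as rendered here, and the commit message "Update email" does not say which address replaces which. State the old and new address, or at least the reason for the change, in the commit message so the roster edit can be checked from the log alone.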
[SECURITY] [DLA 3530-1] openssl security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3530-1                debian-...@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
August 15, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package: openssl
Version: 1.1.1n-0+deb10u6
CVE ID : CVE-2023-3446 CVE-2023-3817

Two vulnerabilities were discovered in openssl, a Secure Sockets Layer toolkit:

CVE-2023-3446, CVE-2023-3817

    Excessively long DH key or parameter checks can cause significant delays in applications using DH_check(), DH_check_ex(), or EVP_PKEY_param_check() functions, potentially leading to Denial of Service attacks when keys or parameters are obtained from untrusted sources.

For Debian 10 buster, these problems have been fixed in version 1.1.1n-0+deb10u6.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
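A size screen for untrusted DH parameters, to run before they are handed to DH_check() or EVP_PKEY_param_check(), as an added example (not part of the advisory or of OpenSSL). The 8192-bit limit, the function names and the constructed sample parameters are assumptions made here; it handles PKCS#3 "DH PARAMETERS" PEM blocks only.

```python
"""Reject oversized or malformed DH parameters before any expensive validation."""
import base64
import re
import sys

MAX_MODULUS_BITS = 8192   # assumed local policy limit, not a value from the advisory
_PEM = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


class DHParamError(ValueError):
    """Raised when the input is not a well-formed DH PARAMETERS block."""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise DHParamError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):   # refuse indefinite/huge lengths
            raise DHParamError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DHParamError("DER length exceeds input")
    return tag, buf[pos:pos + length], pos + length


def _integer_bits(value):
    """Bit length of a DER INTEGER, computed from its bytes without building a bignum."""
    if not value or value[0] & 0x80:
        raise DHParamError("INTEGER is empty or negative")
    stripped = value.lstrip(b"\x00")
    return 0 if not stripped else (len(stripped) - 1) * 8 + stripped[0].bit_length()


def dh_modulus_bits(pem_text):
    """Parse SEQUENCE { p INTEGER, g INTEGER, ... } and return the size of p in bits."""
    match = _PEM.search(pem_text)
    if not match:
        raise DHParamError("no DH PARAMETERS block")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError as exc:
        raise DHParamError("bad base64") from exc
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise DHParamError("expected exactly one SEQUENCE")
    tag_p, p, pos = _read_tlv(seq, 0)
    tag_g, _g, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise DHParamError("p and g must be INTEGERs")
    return _integer_bits(p)


def screen_dh_params(pem_text, max_bits=MAX_MODULUS_BITS):
    """Return (accepted, reason); only accepted input should reach the real check."""
    try:
        bits = dh_modulus_bits(pem_text)
    except DHParamError as exc:
        return False, f"malformed: {exc}"
    if bits > max_bits:
        return False, f"modulus {bits} bits exceeds limit of {max_bits}"
    return True, f"modulus {bits} bits"


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def make_sample_pem(bits):
    """Constructed test input: a dummy odd modulus of the given size, not a real prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    b64 = base64.b64encode(_der(0x30, _der(0x02, p) + _der(0x02, b"\x02"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    accepted, why = screen_dh_params(open(sys.argv[1], encoding="ascii").read())
    print(("accept: " if accepted else "reject: ") + why)
    sys.exit(0 if accepted else 1)
```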
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3530-1 for openssl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 07413911 by Anton Gladky at 2023-08-15T21:55:34+02:00 Reserve DLA-3530-1 for openssl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2023] DLA-3530-1 openssl - security update + {CVE-2023-3446 CVE-2023-3817} + [buster] - openssl 1.1.1n-0+deb10u6 [15 Aug 2023] DLA-3529-1 datatables.js - security update {CVE-2021-23445} [buster] - datatables.js 1.10.19+dfsg-1+deb10u1 = data/dla-needed.txt = @@ -139,10 +139,6 @@ openjdk-11 (Emilio) openssh NOTE: 20230814: Added by Front-Desk (ta) -- -openssl (gladk) - NOTE: 20230731: Added by Front-Desk (apo) - NOTE: 20230814: ready to be uploaded --- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/074139111dfba9e192df3014f1f26261ae9990c2
[Git][security-tracker-team/security-tracker][master] LTS: take openssl again, it will be uploaded today
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c0675d07 by Anton Gladky at 2023-08-14T20:09:51+02:00 LTS: take openssl again, it will be uploaded today - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -141,8 +141,9 @@ openjdk-11 (Emilio) NOTE: 20230802: update prepared for new CPU, waiting for DSA and checking NOTE: 20230802: whether to change jtreg version (pochu) -- -openssl +openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) + NOTE: 20230814: ready to be uploaded -- orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0675d07f033f09cfc930e286b19407ba71a8f7f
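Review bot: the added line "NOTE: 20230814: ready to be uploaded" has no author tag, while the neighbouring notes end with one, for example "(apo)" and "(pochu)". Append "(gladk)" so the status stays attributable if the claim on openssl changes hands.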
[Git][security-tracker-team/security-tracker][master] LTS: take orthanc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 55e76921 by Anton Gladky at 2023-08-13T17:53:16+02:00 LTS: take orthanc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,7 +153,7 @@ openjdk-11 (Emilio) openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- -orthanc +orthanc (gladk) NOTE: 20230812: Added by Front-Desk (Beuc) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55e76921bad76df0b69bd533d9bebd92b41b2d5d
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add gawk
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c15ff2 by Anton Gladky at 2023-08-06T22:34:53+02:00 LTS: add gawk - - - - - 1da15071 by Anton Gladky at 2023-08-06T22:37:52+02:00 LTS: add libhtmlcleaner-java - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,11 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- +gawk + NOTE: 20230806: Added by Front-Desk (gladk) + NOTE: 20230806: Please, check, whether CVE is applicable for buster + NOTE: 20230806: poc are available in the mailing list (gladk) +-- ghostscript (Adrian Bunk) NOTE: 20230803: Added by Front-Desk (gladk) -- @@ -73,6 +78,11 @@ imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- +libhtmlcleaner-java + NOTE: 20230806: Added by Front-Desk (gladk) + NOTE: 20230806: https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510 + NOTE: 20230806: Please, check the upper link, whether the patch can be got (gladk) +-- libreoffice NOTE: 20230530: Added by Front-Desk (pochu) NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
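Review bot: The gawk entry in the first data/dla-needed.txt hunk (@@ -49,6 +49,11 @@) asks the next person to check "whether CVE is applicable for buster" without naming the CVE, and says PoCs "are available in the mailing list" without a link. Put the CVE id and the list-archive URL into the NOTE lines so whoever claims the package does not have to search for them; the libhtmlcleaner-java entry in the second hunk already does this with its issue link.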
[Git][security-tracker-team/security-tracker][master] Mark new CVEs for webkit2gtk as end-of-line for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d4af5b20 by Anton Gladky at 2023-08-05T21:20:50+02:00 Mark new CVEs for webkit2gtk as end-of-line for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -950,6 +950,7 @@ CVE-2023-38601 (This issue was addressed by removing the vulnerable code. This i NOT-FOR-US: Apple CVE-2023-38599 (A logic issue was addressed with improved state management. This issue ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -957,6 +958,7 @@ CVE-2023-38598 (A use-after-free issue was addressed with improved memory manage NOT-FOR-US: Apple CVE-2023-38592 (A logic issue was addressed with improved restrictions. This issue is ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -1071,6 +1073,7 @@ CVE-2023-3451 REJECTED CVE-2023-38611 (The issue was addressed with improved memory handling. This issue is f ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html 
@@ -1084,21 +1087,25 @@ CVE-2023-38602 (A permissions issue was addressed with additional restrictions. NOT-FOR-US: Apple CVE-2023-38600 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38597 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38595 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38594 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html @@ -1108,6 +1115,7 @@ CVE-2023-38580 (The issue was addressed with improved memory handling. This issu NOT-FOR-US: Apple CVE-2023-38572 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html 
@@ -1136,6 +1144,7 @@ CVE-2023-38136 (The issue was addressed with improved memory handling. This issu NOT-FOR-US: Apple CVE-2023-38133 (The issue was addressed with improved checks. This issue is fixed in i ...) - webkit2gtk 2.40.5-1 + [buster] - webkit2gtk (webkit2gtk EOL in buster) - wpewebkit 2.40.5-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) NOTE: https://webkitgtk.org/security/WSA-2023-0007.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add burp, poppler, thunderbird
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 9db40c66 by Anton Gladky at 2023-08-04T21:55:46+02:00 LTS: add burp, poppler, thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +burp + NOTE: 20230804: Added by Front-Desk (gladk) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) @@ -124,6 +127,9 @@ openssl (gladk) pdfcrack (Adrian Bunk) NOTE: 20230731: Added by Front-Desk (apo) -- +poppler + NOTE: 20230804: Added by Front-Desk (gladk) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. @@ -194,6 +200,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird + NOTE: 20230804: Added by Front-Desk (gladk) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Bug#1040731: wslay: autopkgtest failure due to new CMake deprecation warning
Hi Timo,

thanks a lot for this upload! I have just prepared a "normal" update, including your changes and some others. If you want, you can cancel NMU or it will be automatically rejected by the system.

Best regards

Anton

On Tue, 1 Aug 2023 at 11:21, Timo Röhling wrote:
> Hi Anton,
>
> On Fri, 21 Jul 2023 21:13:56 +0200 Anton Gladky wrote:
> > Thanks a lot for the MR and update.
> > I will prepare an update and upload it in one week. If it's ok for you.
> > Otherwise, please NMU.
> I have just uploaded an NMU to DELAYED/5 and pushed the corresponding
> commits to the branch nmu-bug-1040731. Chris' solution is probably
> cleaner (I just hot-patched the CMakeLists.txt in autopkgtest), so
> if you have time this week, feel free to upload your own release,
> and I will cancel my upload.
>
> Cheers
> Timo
>
> --
> ⢀⣴⠾⠻⢶⣦⠀ ╭╮
> ⣾⠁⢠⠒⠀⣿⡁ │ Timo Röhling │
> ⢿⡄⠘⠷⠚⠋⠀ │ 9B03 EBB9 8300 DF97 C2B1 23BF CC8C 6BDD 1403 F4CA │
> ⠈⠳⣄ ╰╯
[Git][security-tracker-team/security-tracker][master] LTS: add ghostscript
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ad503e by Anton Gladky at 2023-08-03T22:44:45+02:00 LTS: add ghostscript - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,6 +52,9 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- +ghostscript + NOTE: 20230803: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2023-34478 mark as no-dsa
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 16b66fa0 by Anton Gladky at 2023-08-03T22:38:57+02:00 LTS: CVE-2023-34478 mark as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1552,6 +1552,7 @@ CVE-2023-34478 (Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible - shiro [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) + [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4 CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause a denia ...) NOT-FOR-US: Weincloud View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-22402: mark as not-affected for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b285cbab by Anton Gladky at 2023-07-31T19:04:58+02:00 CVE-2020-22402: mark as not-affected for buster - - - - - 20387165 by Anton Gladky at 2023-07-31T19:04:59+02:00 LTS: add bouncycastle - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -214874,7 +214874,9 @@ CVE-2020-22403 (Cross Site Request Forgery (CSRF) vulnerability in Express cart NOT-FOR-US: Node express-cart CVE-2020-22402 (Cross Site Scripting (XSS) vulnerability in SOGo Web Mail before 4.3.1 ...) - sogo 4.3.2-1 + [buster] - sogo (Vulnerable code added later) NOTE: https://bugs.sogo.nu//view.php?id=4979 + NOTE: https://github.com/Alinto/sogo/commit/d1dbceb407b37aff6563d06194189965af39cf3e CVE-2020-22401 RESERVED CVE-2020-22400 = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +bouncycastle + NOTE: 20230731: Added by Front-Desk (gladk) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abfb15aa3b763450b48fc626260a925efd9a79e8...203871654dfc7032aa83961ac891d40daea608a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/abfb15aa3b763450b48fc626260a925efd9a79e8...203871654dfc7032aa83961ac891d40daea608a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
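Review bot: In the data/CVE/list hunk, the NOTE added for CVE-2020-22402 carries a bare sogo commit URL with no indication of whether it is the fix or the commit that introduced the vulnerable code. The new [buster] line justifies itself with "Vulnerable code added later", so say on the NOTE line which of the two the commit is; that lets the not-affected reasoning be checked from the entry alone.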
[Git][security-tracker-team/security-tracker][master] LTS: take openssl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 15ad4339 by Anton Gladky at 2023-07-31T18:37:51+02:00 LTS: take openssl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -116,7 +116,7 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) -- -openssl +openssl (gladk) NOTE: 20230731: Added by Front-Desk (apo) -- orthanc (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ad4339f85321b3f8bc0154a0671aecf3d5f4b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15ad4339f85321b3f8bc0154a0671aecf3d5f4b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: set myself as a FD for next week
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ed8ad67 by Anton Gladky at 2023-07-30T14:46:33+02:00 LTS: set myself as a FD for next week - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -28,7 +28,7 @@ From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Ola Lundqvist +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta @@ -49,4 +49,4 @@ From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta From 18-12 to 24-12:Anton Gladky -From 25-12 to 31-12:Chris Lamb \ No newline at end of file +From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take cairosvg
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 62ba6ed8 by Anton Gladky at 2023-07-25T22:10:09+02:00 LTS: take cairosvg - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -cairosvg +cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ba6ed8bcc720692a5e6c87a235144dd7f42416 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ba6ed8bcc720692a5e6c87a235144dd7f42416 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Bug#1040731: wslay: autopkgtest failure due to new CMake deprecation warning
Hi Chris,

Thanks a lot for the MR and update. I will prepare an update and upload it in one week. If it's ok for you. Otherwise, please NMU.

Best regards

Chris Hofstaedtler wrote on Fri, 21 July 2023, 20:58:
> Hi Anton,
>
> * roehl...@debian.org :
> > Source: wslay
> [..]
> >
> > your package wslay will soon experience autopkgtest failures because
> > the new CMake release 3.27 will issue a deprecation warning on stderr
> > if cmake_minimum_required() asks for compatibility with CMake 3.4 or
> > older.
>
> I've opened an MR with a trivial fix for this on salsa.d.o:
> https://salsa.debian.org/debian/wslay/-/merge_requests/5
>
> Depending on your preferences I could also prepare an NMU with this
> and upload to delayed?
>
> Thanks,
> Chris
>
>
> PS: I assume wslay probably wants to go away. I hope dnsdist can
> switch from h2o to nghttp2 during trixie.
Re: How to build compatible packages that use Eigen?
Hi Dima,

I have been maintaining the Eigen library in Debian for over 12 years, and I cannot recall the specific bug ticket related to this topic. However, it seems that the question you have raised is indeed valid.

If patching Eigen in those two places would help resolve the issue, please prepare a patch, and I believe we can proceed with pushing it.

Does it make sense to discuss this with the Eigen developers? Or is the question very specific to Debian (or packaging) and might not be of interest to them?

Best regards,

Anton

On Wed, 12 July 2023 at 01:24, Dima Kogan wrote:
> Hi.
>
> Apologies for taking so long to look at this again; I've been busy.
>
> I just looked into it, and my conclusion is that there's no way to
> ensure that Eigen won't crash without us patching our package. So we
> should patch our package.
>
> I'm attaching a tiny demo program. Extract it and
>
>   make && ./main
>
> You'll see that it crashes. We have lib.cc:
>
>   #include <Eigen/Dense>
>
>   __attribute__((visibility("default")))
>   Eigen::MatrixXd* make_array()
>   {
>       return new Eigen::MatrixXd(10,20);
>   }
>
> This is an analogue of some library we would be packaging for Debian.
> This would be built with no cpu-specific options, which is what the
> Makefile in this demo does.
>
> We also have a main.cc:
>
>   #include <Eigen/Dense>
>
>   Eigen::MatrixXd* make_array();
>   int main(void)
>   {
>       Eigen::MatrixXd* matrix = make_array();
>       delete matrix;
>       return 0;
>   }
>
> This is an analogue of some user program that uses this library. This
> isn't going into Debian, and the user wants to use their CPU fully, so
> they build with -mavx. This causes Eigen to crash. Because the
> allocation and deallocation paths don't work the same.
>
> In this demo no Eigen symbols are exported from lib.so, so it's not a
> case of the linker picking the wrong weak symbol, and this cannot be
> fixed by symbol versioning or visibility settings or anything.
>
> This isn't a contrived example. I hit this in the real-world with a
> package I'm going to upload soon (g2o).
>
> Can anybody see ways to make Eigen work reliably here without patching
> away the different paths in aligned_malloc() and aligned_free() ?
>
>   https://sources.debian.org/src/eigen3/3.4.0-4/Eigen/src/Core/util/Memory.h/#L179
>   https://sources.debian.org/src/eigen3/3.4.0-4/Eigen/src/Core/util/Memory.h/#L200
>
> I don't see any way to do it currently, and probably we should patch
> these out.
>
> There was also a second similar problem I saw earlier, that resulted in
> crashes due to inconsistent alignment. I'm going to revisit that
> shortly.
>
> Thanks.
>
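The mismatch described in the quoted demo, as an added model that is not part of the original thread and is not Eigen's code: one translation unit allocates on one path and another frees on a different one. The arena allocator, all names in `model`, and the rule that a vector alignment above 16 bytes selects the hand-aligned path are assumptions made for illustration; `patched` models the idea from the thread of using a single path on both sides.

```cpp
// Constructed model of mismatched aligned-allocation paths. Not Eigen's code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

namespace model {

// Stand-in for the system allocator: a bump arena that hands out 16-byte-aligned
// blocks and remembers them, so freeing a pointer it never returned is reported
// instead of corrupting a real heap.
constexpr std::size_t kArenaSize = 4096, kMaxLive = 16;
alignas(64) unsigned char arena[kArenaSize];
std::size_t arena_used = 0, live_count = 0;
void *live[kMaxLive];

void arena_reset() {
    std::memset(arena, 0, sizeof arena);
    arena_used = 64;  // zeroed guard area: reads just below the first block stay in bounds
    live_count = 0;
}

void *raw_alloc(std::size_t size) {
    std::size_t start = (arena_used + 15u) & ~static_cast<std::size_t>(15u);
    if (live_count == kMaxLive || start + size > kArenaSize) return nullptr;
    arena_used = start + size;
    return live[live_count++] = arena + start;
}

// true: p is a live block and is released; false: invalid free.
bool raw_free(void *p) {
    for (std::size_t i = 0; i < live_count; ++i)
        if (live[i] == p) { live[i] = live[--live_count]; return true; }
    return false;
}

// Hand-aligned path: over-allocate, align upward, and store the allocator's
// own pointer in the slot just below the aligned block.
void *handmade_alloc(std::size_t size, std::size_t align) {
    auto *raw = static_cast<unsigned char *>(raw_alloc(size + align));
    if (!raw) return nullptr;
    std::size_t off = align - (reinterpret_cast<std::uintptr_t>(raw) & (align - 1));
    unsigned char *aligned = raw + off;  // off is 16..align, so the slot fits
    std::memcpy(aligned - sizeof raw, &raw, sizeof raw);
    return aligned;
}

// Hand-aligned free: trusts the slot below p to hold the allocator's pointer.
bool handmade_free(void *p) {
    unsigned char *raw;
    std::memcpy(&raw, static_cast<unsigned char *>(p) - sizeof raw, sizeof raw);
    return raw_free(raw);
}

// Assumption of this model: a translation unit whose vector alignment is at
// most 16 bytes treats the system allocator as already aligned; a wider one
// (the -mavx build in the thread) does not.
bool wants_handmade(std::size_t vec_align) { return vec_align > 16; }

void *tu_alloc(std::size_t size, std::size_t vec_align, bool patched) {
    return (patched || wants_handmade(vec_align)) ? handmade_alloc(size, vec_align)
                                                  : raw_alloc(size);
}

bool tu_free(void *p, std::size_t vec_align, bool patched) {
    return (patched || wants_handmade(vec_align)) ? handmade_free(p) : raw_free(p);
}

// Allocate as the library build would, free as the program build would.
bool free_is_valid(std::size_t lib_align, std::size_t app_align, bool patched) {
    arena_reset();
    void *m = tu_alloc(80, lib_align, patched);
    return m != nullptr && tu_free(m, app_align, patched);
}

}  // namespace model

int main() {
    const std::size_t aligns[] = {16, 32};
    const bool modes[] = {false, true};
    for (bool patched : modes)
        for (std::size_t lib : aligns)
            for (std::size_t app : aligns)
                std::printf("patched=%d lib=%zu app=%zu -> %s\n", patched, lib, app,
                            model::free_is_valid(lib, app, patched) ? "valid free"
                                                                    : "INVALID free");
    return 0;
}
```

With a real heap, each "INVALID free" row corresponds to `free()` receiving a pointer the allocator never returned, which is the crash in the demo.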
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-36201 as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 53d95b27 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-36201 as ignored for buster - - - - - ebd698e1 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-3523 as EOL for buster (gpac) - - - - - 2533cd69 by Anton Gladky at 2023-07-09T20:45:19+02:00 LTS: Add node-tough-cookie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -109,6 +109,7 @@ CVE-2023-36256 (The Online Examination System Project 1.0 version is vulnerable CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP ...) NOT-FOR-US: Zoho @@ -160,6 +161,7 @@ CVE-2023-3523 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. - gpac NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/ NOTE: https://github.com/gpac/gpac/commit/64201a26476c12a7dbd7ffb5757743af6954db96 + [buster] - gpac (EOL in buster LTS) CVE-2023-3456 (Vulnerability of kernel raw address leakage in the hang detector modu ...) NOT-FOR-US: Huawei CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A crafted U ...) = data/dla-needed.txt = @@ -103,6 +103,9 @@ linux (Ben Hutchings) mediawiki (Markus Koschany) NOTE: 20230701: Added by Front-Desk (ta) -- +node-tough-cookie + NOTE: 20230709: Added by Front-Desk (gladk) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression 
@@ -132,6 +135,9 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230627: waiting for DSA (pochu) -- +pandoc + NOTE: 20230709: Added by Front-Desk (gladk) +-- php-dompdf (rouca) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
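Review bot: In the CVE-2023-3523 hunk of data/CVE/list, the new "[buster] - gpac (EOL in buster LTS)" line is appended after the two NOTE lines, while the CVE-2023-36201 hunk in the same diff places its [buster] line directly under the other release annotation and before the NOTE. Move the gpac line up under "- gpac" so the release annotations stay grouped with the package line they qualify.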
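Review bot: The last data/dla-needed.txt hunk (@@ -132,6 +135,9 @@) adds a pandoc entry, but none of the three commit subjects listed for this push mentions pandoc; only node-tough-cookie is named. Give pandoc its own commit or name it in the subject, so the history of dla-needed.txt shows when and why it was added.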
[Git][security-tracker-team/security-tracker][master] LTS: add xqilla
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cd9e307 by Anton Gladky at 2023-07-06T06:54:41+02:00 LTS: add xqilla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -268,6 +268,9 @@ webkit2gtk (Emilio) NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html (pochu) NOTE: 20230627: will likely hold the update and mark as not-supported due to feedback (pochu) -- +xqilla + NOTE: 20230706: Added by Front-Desk (gladk) +-- yajl (tobi) NOTE: 20230702: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
Re: CVE-2023-33460, ruby-yajl affected?
Thanks all for the discussion.

@Tobias, thanks for marking the CVE in the list.

Best regards

Anton

On Wed, 5 July 2023 at 17:56, Tobias Frost wrote:
> On Wed, Jul 05, 2023 at 09:06:15AM +, Bastien Roucariès wrote:
> > On Wednesday, 5 July 2023, 04:52:48 UTC, Anton Gladky wrote:
> > > Hello,
> > >
> > > I am looking into CVE-2023-33460 and I am not sure that ruby-yajl
> > > is affected. There is no direct dependency on yajl, where the vulnerability
> > > was detected.
> > ruby-yajl includes an old version of yajl 1.01.12
> >
> > The vuln code was introduced by https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb in version 2.1.0 in 2010
>
> This matches my investigation, however, a small correction: This commit is
> already part of version 2.0.0.
>
> I've added note in data/CVE/list accordingly.
>
> --
> Cheers,
> tobi
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add pypdf2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bf22648 by Anton Gladky at 2023-07-05T06:59:05+02:00 LTS: add pypdf2 - - - - - 544d1f55 by Anton Gladky at 2023-07-05T06:59:39+02:00 Mark ruby-yajl as no-dsa for buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3010,6 +3010,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - ruby-yajl [bookworm] - ruby-yajl (Minor issue) [bullseye] - ruby-yajl (Minor issue) + [buster] - ruby-yajl (Minor issue) CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow CVE-2023-33381 (A command injection vulnerability was found in the ping functionality ...) = data/dla-needed.txt = @@ -173,6 +173,9 @@ php-dompdf NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. -- +pypdf2 + NOTE: 20230705: Added by Front-Desk (gladk) +-- python-glance-store (jspricke) NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6870f195eca3236b18912c607f24f0f89da9dba9...544d1f55ffdf81d721dc6b756d6a122d5b70def0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6870f195eca3236b18912c607f24f0f89da9dba9...544d1f55ffdf81d721dc6b756d6a122d5b70def0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
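Review bot: The data/CVE/list hunk adds "[buster] - ruby-yajl (Minor issue)" under a CVE whose description names yajl 2.1.0, with no NOTE saying which yajl version ruby-yajl embeds. Add a NOTE recording the embedded version, so the buster triage can be verified from the entry itself.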