Looks like another "guess what strange thing the buildd is doing this time"
problem.
The failing test is (effectively)
pmap -XX $pid $pid | grep KB
And make sure the first numbers of each row are the same. Because it is the
same process, it should be the same.
There is the same test for pmap -X
On Sat, 31 Dec 2022 at 22:21, Michael Prokop wrote:
> I just uploaded guymager v0.8.13-2 which takes care of this.
Great, that's another one down. Thanks for the quick response.
- Craig
Hi
I checked the source code, build logs and current binaries, open-vm-tools
doesn't use libprocps or link to it.
A simple removal of libprocps-dev from debian/control will fix this.
- Craig
Hi,
I checked the build logs, the source code and even the current binary
packages. guymager does not need libprocps.
A simple removal of libprocps-dev from debian/control is all that is needed.
- Craig
On Thu, 22 Dec 2022 at 19:50, Paul Gevers wrote:
> That's (in general) sub-optimal for the release team. We try hard to
> avoid entangling transitions and therefore we try to finish transitions
> sooner rather than later. My preference would be that you NMU (minimal
> changes) now; the maintainer
(added the bug report for igt)
On Thu, 22 Dec 2022 at 08:29, Craig Small wrote:
> On Thu, 22 Dec 2022 at 07:46, Paul Gevers wrote:
>
>> An actual upload. If the maintainer isn't doing it, I think an NMU is
>> appropriate if you're sure of the fix.
>>
> Ah, I thought
On Mon, 19 Dec 2022 at 03:54, Paul Gevers wrote:
> With a recent upload of procps the autopkgtest of pslist fails in
> testing when that autopkgtest is run with the binary packages of procps
> from unstable. It passes when run with only packages from testing. In
> tabular form:
>
The good news
Control: tag -1 pending
Hello,
Bug #1025495 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On Tue, 6 Dec 2022 at 06:51, Sebastian Ramacher
wrote:
> FAIL: check_fatal_proc_unmounted
> FAIL library/tests/test_pids (exit status: 1)
>
Not sure why the s390 (correctly) failed this test.
The issue is that the second value, which is the process VSS returns 0 so
it fails.
The failed check is
Control: tag -1 pending
Hello,
Bug #1024249 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On Wed, 16 Nov 2022 at 21:45, Uwe Bueschel wrote:
> The following packages have unmet dependencies:
> wordpress : Depends: libjs-underscore (>= 1.13.4~dfsg+~1.11.4) but
> 1.9.1~dfsg-3 is to be installed
> Depends: php-getid3 (>= 1.9.22+dfsg) but 1.9.20+dfsg-1 is to
> be installed
>
Control: tag -1 pending
Hello,
Bug #1018863 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On Thu, 1 Sept 2022 at 16:39, Salvatore Bonaccorso
wrote:
> Do the issues affect as well older series?
>
I suspect so because 2 days ago there was an update for the 5.7 branch
upstream.
https://github.com/WordPress/WordPress/commit/8b87e45e69889ec4a6a837c9d6971697da49e2c8
The commit message
Hi Colin,
Thanks for the report. I first copied dh-exec-install-rename from dh-exec
0.23.4 and compiled OpenSSL fine. The odd thing is that 0.23.4 was out but
0.24 was on Salsa but never released. 0.25 was just an update of the Salsa
version and 0.26 was the re-introduction of the patches for
set_status: CVE-2022-24806, CVE-2022-24807, CVE-2022-24808,
+CVE-2022-24810
+
+ -- Craig Small Wed, 10 Aug 2022 16:16:59 +1000
+
net-snmp (5.9+dfsg-3) unstable; urgency=medium
* Source only upload - no changes Closes: #970798
diff -Nru net-snmp-5.9+dfsg/debian/patches/series net-snmp-
I said:
> I had uploaded net-snmp 5.9.3 anyway but I'll add those CVEs to the
> changelog.
> I'm trying to find where they've made the changes to see if it is possible
> to get at least bullseye fixed.
>
I've had a look and believe these two commits are the fixes:
snmpd: fix bounds checking in
On Sun, 17 Jul 2022 at 21:12, Craig Small wrote:
> Why, after 10 years, has the mass-rebuild triggered it?
>
Because after even more years of printing a useless warning Dejagnu now
makes it an error[1].
- Craig
1:
https://git.savannah.gnu.org/gitweb/?p=dejagnu.git;a=co
Control: tag -1 pending
Hello,
Bug #1015089 in psmisc reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On Sun, 17 Jul 2022 at 00:03, Lucas Nussbaum wrote:
> > ERROR: global config file ../testsuite/global-conf.exp not found.
> > ERROR: global config file ../testsuite/global-conf.exp not found.
> > ERROR: global config file ../testsuite/global-conf.exp not found.
>
This bug is curious for a few
Control: tag -1 pending
Hello,
Bug #1012693 in net-snmp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Control: tag -1 pending
Hello,
Bug #1006511 in net-snmp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Upstream should have a new version of net-snmp that compiles with
OpenSSL v3.0 in May. I've tested the RC1 release and it compiles
fine.
https://sourceforge.net/p/net-snmp/mailman/message/37642006/
- Craig
Control: tag -1 pending
Hello,
Bug #1008976 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Package: wordpress
Version: 5.8.3+dfsg1-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team
WordPress has released version 5.9.2 that has one bug fix and three
security fixes[1]. They state the security fixes are required back
to 3.7 so all
Control: tag -1 pending
Hello,
Bug #1005376 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Control: tag -1 pending
Hello,
Bug #1003243 in wordpress reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Package: wordpress
Version: 5.8.2+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team
WordPress have released version 5.8.3 which fixes 4 security bugs.
https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/
* An
Control: tag -1 pending
Hello,
Bug #991151 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On 2021-07-16 at 02:49, p...@debian.org wrote:
> Can you elaborate on what you mean by "Using reload is very wrong"?
The scripts should be deliberate and specific. When you use reload you are
saying "don't stop the daemon but do what you do for
I can add an alias easily enough. Using reload is very wrong so corekeeper
do the right thing but it's a one line change for procps.
- Craig
On Fri, 16 Jul 2021, 12:31 Paul Wise, wrote:
> On Fri, 2021-07-16 at 02:25 +, Thorsten Glaser wrote:
>
> > … this isn’t right. This is an RC bug in
Hi All,
I'm still not sure if procps and psmisc need to be updated to cater for the
later version of manpages-de.
I think the issue is that some of the conflicting manpages made it back
into that package, so I need to update psmisc/procps?
- Craig
On Sun, 27 Jun 2021 at 05:39, Helge
reassign -1 manpages-de
On Mon, 14 Jun 2021 at 18:04, Axel Beckert wrote:
> JFTR: What came to me after sending that mail and what I didn't check
> so far, is if 4.9.3-4 is fine, but 4.9.3-4~bpo10+1 has those files.
>
> Actually in that case, I have no idea how the Breaks/Replaces headers
>
On Mon, 14 Jun 2021 at 00:03, Axel Beckert wrote:
> So the Breaks and Replaces headers (c.f. #982059) should likely be
> against "<< 4.9.3-4", not just against "<< 4.9.1-1".
>
It looks like both the psmisc and procps manpages came back from the dead.
They were removed in manpages-de 4.9.1-1 and
Control: tag -1 pending
Hello,
Bug #986085 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
in #987084 which I think is the best
outcome for future maintenance.
- Craig
On Sat, 17 Apr 2021 at 16:37, Salvatore Bonaccorso
wrote:
> Hi Craig,
>
> On Sat, Apr 17, 2021 at 08:32:35AM +1000, Craig Small wrote:
> > Should CVE-2021-29447 [1] be also listed against this bug? I'
Control: tag -1 pending
Hello,
Bug #987065 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Should CVE-2021-29447 [1] be also listed against this bug? I'll be putting
it in the changelog.
How good is it when WordPress raise their own CVEs! One glorious day they
will put them in their announcements too.
1:
OK, found a minor problem. The procps version needs an epoch to correctly
match. Not 3.3.17-1 but 2:3.3.17-1
- Craig
On Thu, 11 Feb 2021 at 08:03, Sedat Dilek wrote:
> On Wed, Feb 10, 2021 at 9:50 PM Craig Small wrote:
> >
> >
> >
> > On Thu, 11 Feb 2021 a
Control: tag -1 pending
Hello,
Bug #982566 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Hi,
Looks like I missed the epoch for manpages-pl. It Breaks/Replaces <<
4.9.1-2 but should be << 1:4.9.1-2
- Craig
On Fri, 12 Feb 2021 at 09:48, Robert Luberda wrote:
> Package: procps
> Version: 2:3.3.17-2
> Severity: serious
> Justification: file conflict
>
> Hi,
>
> procps fails to
On Thu, 11 Feb 2021 at 07:39, Sedat Dilek wrote:
> Small nit:
> On a quick view on latest manpages-l10n I still see the duplicates in
> debian/rules e.g. kill.1 (manpages-de).
>
The criteria for removing a page out of manpages-* is actually more
complicated than that. It's not just "does the
For testing this I installed Procps and *all* of the generated man pages and
that seemed to be fine.
That's slightly different to the patch I put in the bug report but I
emailed Helge the difference.
- Craig
Control: tag -1 pending
Hello,
Bug #982391 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Thanks for noticing that, procps should be installing those manpages but is
not. I'll fix that.
On Wed, 10 Feb 2021 at 20:28, Laurent Bigonville wrote:
> On Tue, 09 Feb 2021 21:49:29 +1100 Craig Small wrote:
> > Source: manpages-l10n
> > Severity: important
>
> I rai
The issue is you won't be able to install manpages-de afterwards (the fix
is one-way). See #982355 for the other half to this.
- Craig
On Wed, 10 Feb 2021 at 03:39, Sedat Dilek wrote:
> [ CC Helge & Craig ]
>
> With the attached debdiff on top of Helge's 4.9.1-1 tarball I was able
> to
Hi,
The first problem I can see is you haven't pushed the git tags. Salsa
doesn't know about the 4.9.1 update[1]
git push --tags should do it
So it fails to build for me here
$ gbp buildpackage --git-pbuilder
gbp:info: Building with (cowbuilder)
On Tue, 9 Feb 2021 at 05:16, Helge Kreutzmann wrote:
> On Sun, Feb 07, 2021 at 04:51:14PM -0500, Craig Small wrote:
> > I think you have the control lines wrong. You have both the lines from
> > psmisc and manpages-de there.
> >
> > Breaks: manpages-de (&l
Hi,
I think you have the control lines wrong. You have both the lines from
psmisc and manpages-de there.
Breaks: manpages-de (<= 2.16-1), psmisc (<< 23.4-2)
Replaces: manpages-de (<= 2.16-1)
Think of Breaks as "someone won't have the manpage or
Hi Helge,
It's not the entire package, just the specific man pages that are carried
by the program package. So the de fuser.1 will still exist, just in psmisc
not manpages-de. The benefit is that the psmisc po4a will update the man
page every time the main man page is updated so they stay in
Yep, psmisc now ships with translated packages. So fuser.1 and friends are
in two places.
So manpages-de has fuser, killall, peekfd, pslog and pstree but not prstat.
There is also manpages-nl and manpages-pl but neither of those languages
are in psmisc. psmisc has ft, pt_BR, ru and uk and the
Ah I see now, you were just pointing it out, ok.
I'm about (like it's happening in another window) to upload 5.6 but if
you're sure the two versions won't come unstuck then go ahead with a 5.5.3
upload.
- Craig
On Thu, 17 Dec 2020 at 22:21, peter green wrote:
> On 17/12/2020 10:29, Cr
Hi Peter,
I would, but the problem is the system is terrible.
Take WordPress 5.6 which has just come out. Source upstream right? No, it
has a new theme, therefore a new package therefore NEW will reject a
source-only.
So it will be impossible, like literally impossible, for 5.6-1 to make it
to
Hi,
Can you check the version of the packages for me again? I'm not seeing
this at all. I do recall seeing this as a problem somewhere, but I don't
think it was 3.3.15-2
I think 3.3.16-4 had this though, fixed in 3.3.16-5
csmall@debian10:~$ dpkg -l procps
Hi Michael,
I'm not sure what you have done here.
libsnmp30 5.7.3+dfsg-5+deb10u1 is the current version in stable and depends
on libperl5.28 [1]
libperl5.28 is in stable [2]
libperl5.30 is not in stable, but it is in testing/unstable [3]
If you are using stable, then libsnmp30 will pull in
On Thu, 24 Sep 2020 at 01:27, Chris Hofstaedtler wrote:
> * Not built on buildd: arch amd64 binaries uploaded by csmall
> * Not built on buildd: arch all binaries uploaded by csmall, a new
> source-only upload is needed to allow migration
>
> While the first one could be fixed by a binNMU,
On Thu, 3 Sep 2020 at 06:45, Andreas Beckmann wrote:
> dpkg: error processing archive
> /var/cache/apt/archives/libsnmp-dev_5.9+dfsg-1_amd64.deb (--unpack):
> trying to overwrite '/usr/share/man/man3/SNMP.3pm.gz', which is also in
> package libsnmp-perl 5.8+dfsg-5
It should be in the
Package: snmpd
Version: 5.8+dfsg-4
Severity: grave
Tags: security upstream
Justification: user security hole
CVE-2020-15861
snmpd runs as a low privileged user account. However, in combination with
the *snmp-mibs-downloader package* this
Control: tag -1 pending
Hello,
Bug #965166 in net-snmp reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
On Sat, 18 Jul 2020 at 12:04, Bart Van Assche wrote:
> Net-SNMP version 5.7.3, the version included in Debian, is no longer
> maintained upstream.
>
I just tested it on snmpd v5.8 released around July 2018 and it has this
issue too.
A patch has been applied to the Net-SNMP v5.8 and master
Hi Bart,
Thanks for forwarding the report on. Isn't it a generic net-snmp bug?
Debian does use this feature of setting the user to not root but wouldn't
anyone using the set the user feature have the same issue?
Not sure of the best way to fix this. Maybe not being able to set the user in
/car files
On Wed, 8 Jul 2020 at 01:48, Sylvain Beucler wrote:
> On 07/07/2020 17:07, Sylvain Beucler wrote:
> > In any case, all of this happens between 5.7.3 and 5.8.pre1.
>
> Restricting further (good..bad):
>
> $ git shortlog
>
>
Hi All
There's a few goes of the required patches but I think I've got them all.
There was the v3doublefree2.patch, a format patch and then the first git
reference in the tracker where they have re-arranged the free function so
it tracks the reference count.
The result does compile and build
On Fri, 26 Jun 2020 at 07:33, Andreas Hasenack
wrote:
> we are not happy yet with those commits because they change a struct
> without bumping the soname. We are investigating how impactful that is.
>
Hi,
Did you see how bad these patches are with the API change? Generally if
the API is
Source: wordpress
Version: 5.4.1+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
WordPress 5.4.2 is out and fixes the following vulnerabilities:
Props to Sam Thomas (jazzy2fives) for finding an XSS issue where
Control: tag -1 pending
Hello,
Bug #959391 in SOURCENAME reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
This is the analysis of the latest WordPress security bugs.
Is it awesome upstream already has CVE IDs and (almost) clear patches of
the fixes? Yes, it is!
Sid: 5.4
All vulnerabilities, use upstream 5.4.1
Bullseye: 5.3.2
Hi Salvatore,
Thanks for the bug report. I'll look into it today and yes it's good we
finally have CVE IDs to work with.
On Sat, 2 May 2020 at 06:21, Salvatore Bonaccorso wrote:
> example CVE-2020-11030 lists via the GHSA as affected versions 5.2 to
> 5.4, and patched in 5.4.1, 5.3.3 and
On Thu, 27 Feb. 2020, 4:51 pm Paul Wise, wrote:
>
> Another option would be a compat symlink.
>
I did think of that but then you have to conditionally put a symlink in
when there isn't the /bin directory link or maybe usrmerge there doing its
thing or perhaps there is some third thing that
I think they all should be using a path rather than hard coding where ps
is. But in any case that's what these other packages do. I'll revert the
change.
- Craig
On Wed, 26 Feb. 2020, 7:45 pm Thorsten Glaser, wrote:
> Package: procps
> Version: 2:3.3.16-2
> Severity: important
>
> I just
> can you please upload the above fix? There are several packages that
> FTBFS because of bug #951494. Or are there reasons for holding back the
> upload?
>
Hi Mike,
Should be available very soon. I've just uploaded the -2 package now. It
was sitting there ready but was trying to work out why
Control: tag -1 pending
Hello,
Bug #951494 in procps reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
Hi Markus,
Yes Nils was doing a nmu for me. Unless they are very keen I'll handle
the backports. As you said the confusion is on the sponsorship. We were
using a
Mentors as a way of getting the package from him to me in the standard way.
- Craig
On Tue, 24 Dec. 2019, 4:27 am Markus Koschany,
I can get the CVEs.
I can also backport the patches into stable along with the previous set.
Curiously, there were 6 patchsets and 6 security bugs. But not all of them
match up.
For example, two patchsets fix one bug and another patchset fixes a
directory traversal which isn't mentioned at all.
Hi All,
Thanks again for the additional information. The build system really
doesn't work with parallel builds. I find random things changing
depending, I guess, on many race conditions. While I'd rather not disable
parallel builds, it seems the only way to get a sensible repeatable outcome.
I
100, Craig Small wrote:
>
> > > libsnmp-perl is broken.
> > Ouch, I don't use the module (or Perl much for that matter) but that's
> very
> > broken. No idea what's going on but it worries me that
> > netsnmp_ds_get_boolean is the first function in that module which mean
On Mon, 14 Oct 2019 at 09:30, gregor herrmann wrote:
> libsnmp-perl is broken.
>
Ouch, I don't use the module (or Perl much for that matter) but that's very
broken. No idea what's going on but it worries me that
netsnmp_ds_get_boolean is the first function in that module which means a
On Sat, 8 Dec 2018 at 11:28, Craig Small wrote:
> WordPress probably uses its own version which, I assume, they will
> maintain afterwards.
>
> I'll see if I can find more about what they're doing with it for the
> longer term.
>
> The easiest way for me is to just drop the
WordPress probably uses its own version which, I assume, they will maintain
afterwards.
I'll see if I can find more about what they're doing with it for the longer
term.
The easiest way for me is to just drop the depends.
- Craig
On Sat, 8 Dec. 2018, 02:06 Salvatore Bonaccorso Control:
Hi Michael,
Thanks for looking into this for me. It does seem that if you have a
setup that includes libsnmp30 but not snmp then this problem will occur.
Looking through the changelog, I can see that snmp.conf has bounced between
snmp and the library, but with no real explanation why. I'll put
The bug is actually worse than this. Any time pgrep is run without a
process name and it matches nothing it segfaults.
The fix is a one liner already applied upstream.
- Craig
--
Craig Small https://dropbear.xyz/ csmall at : dropbear.xyz
Debian GNU/Linux https
A mail queue stuck problem. It's all fixed thanks to Gregor!
On Sat, 7 Apr. 2018, 22:38 Niko Tyni, <nt...@debian.org> wrote:
> On Sat, Apr 07, 2018 at 03:35:22PM +0300, Niko Tyni wrote:
> > On Tue, Apr 03, 2018 at 08:39:34PM +1000, Craig Small wrote:
> > > tags 894626
On Sat, 7 Apr 2018 at 05:19 Salvatore Bonaccorso <car...@debian.org> wrote:
> Have you requested CVEs for those three new issues?
>
Yes I have, through SWF with their JSON templates.
I'll see how that goes.
- Craig
--
Craig Small https://dropbear.xyz/ csmall at :
Source: wordpress
Version: 4.9.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
WordPress 4.9.5 fixes 3 security issues:
1) Don't treat localhost as same host by default.
2) Use safe redirects when redirecting the login page if SSL is forced.
3) Make sure the version
Makefile so it only builds perl modules after the
library is built.
I know #1 works.
#2 is my second option.
I'd like to do #3 but it comes down to working out the multitude of
Makefiles net-snmp has; most likely one word on the perlmodules line will
do it.
--
Craig Small https
,systemd
- Craig
--
Craig Small https://dropbear.xyz/ csmall at : dropbear.xyz
Debian GNU/Linux https://www.debian.org/ csmall at : debian.org
Mastodon: @smalls...@social.dropbear.xyz Twitter: @smallsees
GPG fingerprint: 5D2F B320 B825 D939 04D2 0519
there is a symbol
error.
- Craig
On Tue, 3 Apr 2018 at 20:24 Craig Small <csm...@debian.org> wrote:
> The odd thing about this is nothing changed in that part of the packaging
> at all.
>
> - Craig
>
>
>
> On Tue, 3 Apr 2018 at 18:21 Niko Tyni <nt...@debian.org&
t; Niko Tyni nt...@debian.org
>
> ___
> Pkg-net-snmp-devel mailing list
> pkg-net-snmp-de...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-net-snmp-devel
>
--
Craig Small https://dropb
Source: wordpress
Version: 4.9.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole
An XSS vulnerability was discovered in the Flash fallback files in
MediaElement, a library that is included with WordPress. Because the Flash
files are no longer needed for most use cases,
88c9ef8afe03dafa9499cf1065d35a0106fe8d71
Author: Craig Small <csm...@debian.org>
Date: Thu Jan 4 18:26:37 2018 +1100
Restore numbered placeholders
Apply changeset 42058 to restored numbered placeholders in
wpdb::prepare()
Fixes CVE-2017-16510
diff --git a/debian/changelog b/debian/cha
5d5ab9f7749187a352c3db3bc765972c5cbf176e
Author: Craig Small <csm...@debian.org>
Date: Sat Dec 9 18:30:08 2017 +1100
Security backport from 4.9.1
Backport of 4 patches from 4.9.1 to address security issues.
Addresses CVE-2017-17091 CVE-2017-17092 CVE-2017-17093
and CVE-2017-17094
diff
I did it 4 times. 4th time lucky!
The reply came in a few minutes ago.
On Thu, 2 Nov. 2017, 22:41 Salvatore Bonaccorso, <car...@debian.org> wrote:
> Hi Craig,
>
> On Thu, Nov 02, 2017 at 06:40:04AM +1100, Craig Small wrote:
> > I have attempted to get a CVE id for it
Source: wordpress
Version: 4.8.2+dfsg-2
Severity: grave
Tags: upstream security
Justification: user security hole
WordPress versions 4.8.2 and earlier are affected by an issue where
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core
security release I am waiting for security team to approve the
upload.
Rodrigo has made a backport for Jessie. I'll try to upload it in the next
24 hours.
That's all the other versions I know of.
- Craig
--
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/
2b4ced00f007dafe1813fbdb59dfbb6f64416d9e
Author: Craig Small <csm...@debian.org>
Date: Fri Sep 22 06:28:50 2017 +1000
Update changelog to 4.8.2-1
diff --git a/debian/changelog b/debian/changelog
index 2ebddd7..b7ea231 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,29 @@
+wordpress (4.8.2+
g there
will be a new improved setup for the next round of bugs.
Not started the mappings yet but it's on my list. The WPvuln guy has mapped
only the first SQLi.
- Craig
--
Craig Small https://dropbear.xyz/ csmall at : enc.com.au
Debian GNU/Linux https://www.debian.org/ c
Source: wordpress
Version: 4.8.1+dfsg-1
Severity: grave
Tags: security
Justification: user security hole
WordPress 4.8.2 is out which fixes 9 security issues[1]
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core is not directly
15f30ad74428038ecaed723da126e387e01148da
Author: Craig Small <csm...@debian.org>
Date: Mon Jun 5 21:37:17 2017 +1000
Don't use SERVER_NAME for emails
WordPress uses the SERVER_NAME variable to generate the from address for
password resets. This variable can be set by the hostname sent by the