some clarification about this, as I'm reticent to
>> install updates that haven't followed the full due process.
>
> Abhijith PA was supposed to send the announcements because he prepared
> the updates. Abhijith could you follow up on this please?
Sorry, I will send the announcement now.
> Regards,
>
> Markus
>
Maintainer: Luigi Gangitano
Changed-By: Abhijith PA
Description:
squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI
squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility
squid3 - Full featured Web Proxy cache (HTTP proxy)
squid3-common - Full featured Web
Hi,
On Friday 23 November 2018 03:13 PM, Chris Lamb wrote:
> Chris Lamb wrote:
>
>> I will take libphp-phpmailer
>
> I have uploaded this and announced it as DLA 1591-1.
>
> Thank you Abhijith for your debdiff. I completely (and
> embarrassingly...) failed to credit you in the DLA
-By: Abhijith PA
Description:
libphp-phpmailer - full featured email transfer class for PHP
Changes:
libphp-phpmailer (5.2.9+dfsg-2+deb8u4) jessie-security; urgency=medium
.
* Non-maintainer upload by the Debian LTS Team.
* Fix CVE-2017-5223: absolute local file path during transformation
Hi,
On Friday 23 November 2018 04:06 AM, Markus Koschany wrote:
> Hello Abhijith,
>
> I have just reviewed and uploaded your security updates of keepalived
> and icecast2. All looked good to me. I have not sent the announcements
> yet because I assume you will take care of them as usual. Thanks
Format: 1.8
Date: Sun, 04 Nov 2018 19:18:01 +0530
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1+deb8u2
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers
Changed-By: Abhijith
On 10 November 2018 7:39:07 PM IST, Holger Levsen wrote:
>On Sat, Nov 10, 2018 at 06:08:38PM +0530, Abhijith PA wrote:
>> What we should do when we miss to specify a CVE ID in a DLA/DSA ?
>
>I'd say definitely update DLA/list and CVE/list in security-tracker.git
OK
>> Ca
On 10 November 2018 7:40:02 PM IST, Markus Koschany wrote:
>Hi,
>
>Am 10.11.18 um 13:38 schrieb Abhijith PA:
>> Hello.
>>
>>
>> What we should do when we miss to specify a CVE ID in a DLA/DSA ? Can
>we
>> just normally insert in next advisory
Hello.
What should we do when we miss specifying a CVE ID in a DLA/DSA? Can we
just insert it in the next advisory release? For example, DLA-478-1[1],
released for squid3 on 16 May 2016, missed mentioning 'CVE-2016-3948'.
--abhijith
[1] -
October 2018 marked my 9th month as a Debian LTS paid contributor. I
had 14 hours of backlog, but due to some personal emergency situations
I couldn't spend much time. All I did was:
mupdf: marked CVE-2018-18662 as not affected.
libspring-java:
DLA[4].
* jekyll: Prepared update for CVE-2018-17567.
Thanks to Markus Koschany and Roberto C. Sánchez for uploading the fixes.
Regards.
Abhijith PA
[1]- https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html
[2]- https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html
Package: jekyll
Version: 2.2.0+dfsg-2+deb8u1
CVE ID : CVE-2018-17567
Debian Bug : 909933
Parker Moore from Github Inc. discovered a vulnerability in the include:
setting in the config file of jekyll which allows arbitrary
Format: 1.8
Date: Tue, 02 Oct 2018 19:51:08 +0530
Source: jekyll
Binary: jekyll
Architecture: source all
Version: 2.2.0+dfsg-2+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers
Changed-By: Abhijith PA
update for CVE-2018-17567.
Thanks to Markus Koschany and Roberto C. Sánchez for uploading the fixes.
Regards.
Abhijith PA
[1]- https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html
[2]- https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html
[3]- https://lists.debian.org
Hi Roberto
On Thursday 04 October 2018 08:50 AM, Roberto C. Sánchez wrote:
> On Thu, Oct 04, 2018 at 08:34:01AM +0530, Abhijith PA wrote:
>> Hello.
>>
>> I've prepared security for jekyll. Debdiff is attached, please review
>> and upload. A test specific to t
with the use of 'include:'
+setting in the config file. (Closes: #909933)
+ * New files added to port symlink test:
++ test/fixtures/test-theme/
++ test/source/symlink-test/symlinked-file
+
+ -- Abhijith PA Tue, 02 Oct 2018 19:51:08 +0530
+
jekyll (2.2.0+dfsg-2) unstable; urgency
Package: otrs2
Version: 3.3.18-1+deb8u6
CVE ID : CVE-2018-16586 CVE-2018-16587
Fabien Arnoux discovered several security issues in the email validation
of the otrs system.
CVE-2018-16586
Load external image or CSS resources
Package: strongswan
Version: 5.2.1-6+deb8u7
CVE ID : CVE-2018-16151 CVE-2018-16152
Sze Yiu Chau and his team from Purdue University and The University of
Iowa found several security issues in the gmp plugin for strongSwan,
strongswan-charon strongswan-ike
strongswan-nm strongswan-ikev1 strongswan-ikev2 charon-cmd
Architecture: source all amd64
Version: 5.2.1-6+deb8u7
Distribution: jessie-security
Urgency: medium
Maintainer: strongSwan Maintainers
Changed-By: Abhijith PA
Description:
charon-cmd - standalone IPsec client
Format: 1.8
Date: Wed, 26 Sep 2018 08:35:43 +0530
Source: otrs2
Binary: otrs2 otrs
Architecture: source all
Version: 3.3.18-1+deb8u6
Distribution: jessie-security
Urgency: medium
Maintainer: Patrick Matthäi
Changed-By: Abhijith PA
Description
2018-09-26 16:31:46.0 +0200
@@ -1,3 +1,10 @@
+strongswan (5.2.1-6+deb8u7) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Security Team.
+ * Fix CVE-2018-16151, CVE-2018-16152: bypass vulnerability in gmp plugin
+
+ -- Abhijith PA Wed, 26 Sep 2018 20:01:46 +
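Review bot: the second bullet, "Fix CVE-2018-16151, CVE-2018-16152: bypass vulnerability in gmp plugin", does not say what check is bypassed; changelog readers use this line to judge their exposure, so name the affected functionality (the DLA text above only says "several security issues in the gmp plugin"), e.g. "Fix CVE-2018-16151, CVE-2018-16152: <affected check> bypass in the gmp plugin".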
Format: 1.8
Date: Wed, 19 Sep 2018 22:45:20 +0530
Source: sympa
Binary: sympa
Architecture: source
Version: 6.1.23~dfsg-2+deb8u3
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Sympa team
Changed-By: Abhijith PA
Description
Package: mgetty
Version: 1.1.36-2.1+deb8u1
CVE ID : CVE-2018-16741
Two input sanitization failures have been found in the faxrunq and faxq
binaries in mgetty. An attacker could leverage them to insert commands
via shell
-2018-15494. Thanks to Chris Lamb again for
uploading and releasing DLA[2]
* twig: ah, (twig delayed this report). Failed to reproduce the POC and
after talking to upstream devs[3], decided to mark as not-affecting.
Regards.
Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce
Javascript Maintainers
Changed-By: Abhijith PA
Description:
libjs-dojo-core - modular JavaScript toolkit
libjs-dojo-dijit - modular JavaScript toolkit - Dijit
libjs-dojo-dojox - modular JavaScript toolkit - DojoX
Closes: 906540
Changes:
dojo (1.10.2+dfsg-1+deb8u1) jessie-security; urgency=medium
Hello.
I've prepared a security update for dojo. Please review and
upload. Debdiff is attached. It's a trivial patch to escape quotes.
Thanks
Abhijith PA
( Sorry for the duplicate, forgot to add )
Hello Matus
On Friday 31 August 2018 05:25 PM, Matus UHLAR - fantomas wrote:
> Hello,
>
> the debian bug 775720 for squirrelmail was closed by debian maintainer
> because squirrelmail was removed from archive.
>
> However, there were security 3 updates to squirrelmail since, and I've had
> to
-By: Abhijith PA
Description:
squirrelmail - Webmail for nuts
Closes: 905023
Changes:
squirrelmail (2:1.4.23~svn20120406-2+deb8u3) jessie-security; urgency=high
.
* Non-maintainer upload by the Debian LTS Team.
* Fix for several XSS vulnerabilities CVE-2018-14950 CVE-2018-14951
CVE-2018
Abhijith PA
[1] - https://sourceforge.net/p/squirrelmail/bugs/2831/
CVEs. Pending fixes will be
uploaded in coming days.
* twig: Working on CVE-2018-13818. Contacted the exploit author for the
POC clarity.
--Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2018/07/msg00023.html
[2] - https://lists.debian.org/debian-lts-announce/2018/08
Package: ant
Version: 1.9.4-3+deb8u2
CVE ID : TEMP-0904191-9063D5
Debian Bug : 904191
The fix for CVE-2018-10886 was incomplete in the previous upload. New
changes were implemented upstream which check and resolve
Hello Roberto C. Sánchez
On Wednesday 18 July 2018 11:17 PM, Roberto C. Sánchez wrote:
> On Wed, Jul 18, 2018 at 09:06:43PM +0530, Abhijith PA wrote:
>>
>> Made all the corrections. Thanks for the review.
>>
>>
>> --abhijith
>>
>
> Thanks! It is now
Hello.
I am applying to become a DD, uploading.
https://nm.debian.org/process/526 . :)
--abhijith
-polkit-1.0
Architecture: source amd64 all
Version: 0.105-15~deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Utopia Maintenance Team
Changed-By: Abhijith PA
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication
: polkit_backend_interactive_authority_check_authorization
+function in polkitd allows to test for authentication and trigger
+authentication of unrelated processes owned by other users which result
+in local DoS.
+ * d/libpolkit-gobject-1-0.symbols: Update for new ABI
+
+ -- Abhijith PA Fri, 27
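Review bot: the changelog wording "allows to test for authentication and trigger authentication of unrelated processes" (second and third lines of the entry) is ungrammatical; suggest "allows testing for authentication and triggering authentication of unrelated processes owned by other users, which results in a local DoS".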
Package: ant
Version: 1.9.4-3+deb8u1
CVE ID : CVE-2018-10886
The unzip and untar target tasks in ant allow the extraction of files
outside the target directory. A crafted zip or tar file submitted to
an Ant build could create
Maintainers
Changed-By: Abhijith PA
Description:
ant - Java based build tool like make
ant-doc - Java based build tool like make - API documentation and manual
ant-gcj - Java based build tool like make (GCJ)
ant-optional - Java based build tool like make - optional libraries
ant
file
+submitted to an Ant build could create or overwrite arbitrary files
+with the privileges of the user running Ant
+
+ -- Abhijith PA Wed, 18 Jul 2018 16:33:03 +0530
+
ant (1.9.4-3) unstable; urgency=medium
* Removed the patch adding Xerces to the Ant classpath
diff -Nru ant
on
Jessie. Backported 11 of them, some of which were prepared
before Jessie reached LTS but couldn't be uploaded. The rest are marked as
not affecting. Thanks to Emilio Pozuelo for taking care of the broken
CVE-2016-6616.patch and sponsoring the upload[1].
--
Abhijith PA
[1] - https://lists.debian.org/debian
Format: 1.8
Date: Sun, 04 Mar 2018 10:57:49 +0530
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:4.2.12-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Thijs Kinkhorst
Changed-By: Abhijith PA
Description
E-2016-9865, CVE-2017-18264
+
+ -- Abhijith PA Sun, 04 Mar 2018 10:57:49 +0530
+
phpmyadmin (4:4.2.12-2+deb8u2) jessie-security; urgency=high
* Fix several security issues:
diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch
phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.
On Wednesday 04 July 2018 08:59 PM, Antoine Beaupré wrote:
> On 2018-07-04 10:52:15, Abhijith PA wrote:
>> On Wednesday 04 July 2018 08:00 PM, Antoine Beaupré wrote:
>>> I'm surprised you ended up with this result. I sent you an email over a
>>> week ago
On Wednesday 04 July 2018 08:00 PM, Antoine Beaupré wrote:
> I'm surprised you ended up with this result. I sent you an email over a
> week ago (2018-06-27, id:87muvgi20l@curie.anarc.at) detailing the
> work I already did to fix CVE-2017-18123.
>
> Is there any reason why you deviate from
Hello.
CVE-2016-8614 is marked as "no-dsa (can be fixed via point release)" for
Jessie. But I think it's *not affecting* Jessie, as the vulnerable code
is present in a separate module which was only merged into ansible from version
2.3. I am going to mark it as *not-affected*. Let me know if my research
is
On Friday 22 June 2018 04:33 PM, Emilio Pozuelo Monfort wrote:
> Ah, nice! Your work looks very useful. My old work was for wheezy, so it only
> addressed one CVE (CVE-2017-18264). Since your work is on jessie (which is on
> a
> newer version) and fixes many more issues, I'll let you handle
Hello Emilio. :)
On Thursday 31 May 2018 03:30 AM, Emilio Pozuelo Monfort wrote:
>> phpmyadmin (Emilio Pozuelo)
>
> I couldn't reproduce this in wheezy or jessie, though the PHP prerequisite is
> there. I asked Michal if he had some more details, still waiting for a reply.
Any news on
-2018-1125 and CVE-2018-1126 from jessie. Thanks to
Holger Levsen for uploading and releasing DLA[3]
--Abhijith PA
[1] - https://lists.debian.org/debian-lts-announce/2018/05/msg6.html
[2] - https://lists.debian.org/debian-lts-announce/2018/05/msg00014.html
[3] - https://lists.debian.org
@
+procps (1:3.3.3-3+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * Fix various vulnerabilities CVE-2018-1122, CVE-2018-1123, CVE-2018-1124,
+CVE-2018-1125, CVE-2018-1126 (Closes: #899170)
+
+ -- Abhijith PA Wed, 23 May 2018 13:15:16 +0530
+
procps
various vulnerabilities CVE-2018-1122, CVE-2018-1123, CVE-2018-1124,
+CVE-2018-1125, CVE-2018-1126 (Closes: #899170)
+
+ -- Abhijith PA Wed, 23 May 2018 13:15:16 +0530
+
procps (1:3.3.3-3) testing-proposed-updates; urgency=medium
* 3.3.3-3 Fix ps crash with large process groups Closes
st size. Here's the
> whole thing, for the record:
>
> --
> enigmail (Abhijith PA)
> --
> --
> procps (Abhijith PA)
> --
Working on it.
[..]
On 24 May 2018 3:10:37 PM IST, Markus Koschany <a...@debian.org> wrote:
>Hi Abhijith,
>
>Am 24.05.2018 um 10:23 schrieb Abhijith PA:
>[...]
>> Looks good to me.
>> I tested the patch with
>> https://bugs.freedesktop.org/show_bug.cgi?id=103807#c0 . You can
Hello.
On Thursday 24 May 2018 08:06 AM, Abhijith PA wrote:
> Hi
>
> On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote:
>> Hi,
>>
>> I've prepared an update of the xdg-utils package for Debian
>> Wheezy
Hi
On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote:
> Hi,
>
> I've prepared an update of the xdg-utils package for Debian Wheezy.
> It's available in Git packaging repository[1]. Please review it and, if
> everything is okay, upload to archive.
>
> [1]:
>
Package: wget
Version: 1.13.4-3+deb7u6
CVE ID : CVE-2018-0494
Debian Bug : 898076
Harry Sintonen has discovered a cookie injection vulnerability in
wget caused by insufficient input validation, enabling an external
Format: 1.8
Date: Fri, 11 May 2018 00:48:07 +0530
Source: wget
Binary: wget
Architecture: source amd64
Version: 1.13.4-3+deb7u6
Distribution: wheezy-security
Urgency: high
Maintainer: Noël Köthe <n...@debian.org>
Changed-By: Abhijith PA
Hi
On Friday 11 May 2018 12:22 PM, Emilio Pozuelo Monfort wrote:
> On 10/05/18 21:57, Abhijith PA wrote:
>> Hello.
>>
>> Please upload wget. Debdiff is attached. I have tested new build with
>> this (https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt)
>&
-0494: Fix cookie injection vulnerability in the resp_new
+function in http.c. (Closes: #898076)
+
+ -- Abhijith PA <abhij...@disroot.org> Fri, 11 May 2018 00:48:07 +0530
+
wget (1.13.4-3+deb7u5) wheezy-security; urgency=high
* Non-maintainer upload by the Debian LTS Team
diff -Nr
Debian-security team.
Regards,
Abhijith PA
[1] https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html
+execute arbitrary code via a crafted object (Closes: #895472)
+
+ -- Abhijith PA <abhij...@disroot.org> Wed, 02 May 2018 15:40:09 +0530
+
ocaml (3.12.1-4+deb7u1) wheezy-security; urgency=high
* Non-maintainer upload by the Wheezy LTS Team.
diff -Nru ocaml-3.12.1/debian/patches/0017-CV
On Thursday 26 April 2018 12:29 PM, Emilio Pozuelo Monfort wrote:
> On 26/04/18 04:54, Abhijith PA wrote:
>> Hello.
>>
>> I have prepared LTS security update for drupal7[1] . Debdiff is
>> attached. Please review and upload. I tested it on a clean wheezy vm
>
Package: drupal7
Version: 7.14-2+deb7u19
CVE ID : CVE-2018-7602
Debian Bug : 895778
A remote code execution vulnerability has been found within multiple
subsystems of Drupal. This potentially allows attackers to exploit
Format: 1.8
Date: Thu, 26 Apr 2018 03:14:26 +0530
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.14-2+deb7u19
Distribution: wheezy-security
Urgency: high
Maintainer: Luigi Gangitano <lu...@debian.org>
Changed-By: Abhij
: A remote code execution vulnerability exists within
+multiple subsystems of Drupal 7.x and 8.x. This potentially allows
+attackers to exploit multiple attack vectors on a Drupal site,
+which could result in the site being compromised.
+
+ -- Abhijith PA <abhij...@disroot.org> T
This is my second month as a Debian LTS paid contributor. I was assigned
8 hours and I spent all of it on the following.
* golang: Continued my work on Backporting CVE-2018-7187.
Thanks to Chris Lamb for uploading and releasing DLA[1]
* zsh: Backport CVE-2014-10070, CVE-2014-10071,
Hello.
I received this mail after sending a DLA. Is it something set up by our sponsors?
Or spam?
--abhijith
Original Message
From: Helpdesk EDV <helpd...@bsvbio.de>
Sent: 31 March 2018 1:00:04 AM IST
To: Abhijith PA <abhij...@disroot.org>
Subj
Package: libvncserver
Version: 0.9.9+dfsg-1+deb7u3
CVE ID : CVE-2018-7225
Debian Bug : 894045
libvncserver versions through 0.9.11 do not sanitize msg.cct.length,
which may result in access to uninitialized and
On Friday 30 March 2018 11:28 PM, Ola Lundqvist wrote:
> Hi
>
> I have re-built the package and uploaded now. Will you send the DLA or
> do you want me to do that too?
>
> // Ola
>
Thanks.
I will send the DLA.
--abhijith
Urgency: high
Maintainer: Luca Falavigna <dktrkr...@debian.org>
Changed-By: Abhijith PA <abhij...@disroot.org>
Description:
libvncserver-config - API to write one's own vnc server - library utility
libvncserver-dev - API to write one's own vnc server - development files
libvncserver0 -
Drop rene@, jmm@, 892...@bugs.debian.org.
On Tuesday 20 March 2018 01:47 AM, Moritz Mühlenhoff wrote:
> On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote:
>> I am not going over the .-release procedure for this, I'd have uploaded
>> to security, though, but...
>>
>> I don't think we
(Closes: #894045)
+
+ -- Abhijith PA <abhij...@disroot.org> Thu, 29 Mar 2018 22:55:20 +0530
+
libvncserver (0.9.9+dfsg-1+deb7u2) wheezy-security; urgency=high
* CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers
diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-201
On Sunday 18 March 2018 06:40 PM, Gero Treuner wrote:
[..]
>> +// fix docroot
>> +if (uphp.docroot) {
>> +char *orig_docroot = uphp.docroot;
>> +uphp.docroot = uwsgi_expand_path(uphp.docroot,
>> strlen(uphp.docroot), NULL);
>> +if (!uphp.docroot) {
Hi. Gero Treuner
On Sunday 18 March 2018 02:32 PM, Gero Treuner wrote:
> Hi all,
>
> Attached is a wheezy patch for a security issue:
> https://security-tracker.debian.org/tracker/CVE-2018-7490
>
Thanks for the patch :)
> The upstream patch
pointer dereference vulnerability
+(closes: #892590)
+
+ -- Abhijith PA <abhij...@disroot.org> Sat, 17 Mar 2018 08:44:25 +0530
+
graphite2 (1.3.10-1~deb7u1) wheezy-security; urgency=high
* Non-maintainer upload by the LTS team.
diff -Nru graphite2-1.3.10/debian/patches/CVE-2018-7999
pkg-zsh-de...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@disroot.org>
Description:
zsh - shell with lots of features
zsh-dbg - shell with lots of features (debugging symbols)
zsh-dev - shell with lots of features (development files)
zsh-doc - zsh document
On Thursday 08 March 2018 10:35 AM, Chris Lamb wrote:
> Hi Abhijith,
>
>> I prepared an update[1] for zsh. Debdiff attached along with the mail.
>> It would be great if you do some testing.
>
> Works for me... :)
>
>
> Regards,
>
It will be helpful if someone could upload zsh. Once it
ax in exec.c
+ * Fix CVE-2014-10072: buffer overflow when scanning very long
+directory paths for symbolic links
+ * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers
+that were intended to support PATH_MAX
+ * Fix CVE-2017-18206: symlink expansion has buffer overflow
+
Hi.
On Wednesday 28 February 2018 11:50 AM, Sebastiaan Couwenberg wrote:
> LTS team,
>
> On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote:
>> Dear Security & LTS Teams,
[..]
>> Are these OK to upload?
>
> The jessie & stretch updates have been uploaded to security-master after
> the OK
-security
Urgency: high
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Abhijith PA <abhij...@disroot.org>
Description:
golang - Go programming language compiler - metapackage
golang-dbg - Go programming language compiler - debug files
golang-doc - Go programming langu
t validate the
-import path (get/vcs.go only checks for "://" anywhere in
-the string), which allows remote attackers to execute arbitrary
-OS commands via a crafted web site. Backported from
-upstream development branch.
-
- -- Abhijith PA <abhij...@disroot.org>
and release DLA 1272-1[2]
* leptonlib: Patch for CVE-2018-3836, test and release DLA 1284-1[3]
* golang: Research on CVE-2018-7187.
Thanks to Markus Koschany and Roberto C. Sánchez for sponsoring packages.
-Abhijith PA
[1] https://lists.debian.org/debian-lts-announce/2018/02/msg8.html
[2
Package: leptonlib
Version: 1.69-3.1+deb7u1
CVE ID : CVE-2018-3836
Debian Bug : 889759
Talosintelligence discovered a command injection vulnerability in the
gplotMakeOutput function of leptonlib. A specially crafted
t;j...@debian.org>
Changed-By: Abhijith PA <abhij...@disroot.org>
Description:
leptonica-progs - sample programs for Leptonica image processing library
liblept3 - image processing library
libleptonica-dev - image processing library
Closes: 889759
Changes:
leptonlib (1.69-3.1+deb7u1) whe
Command Injection Vulnerability
+(closes: #889759)
+
+ -- Abhijith PA <abhij...@disroot.org> Tue, 13 Feb 2018 23:36:39 +0530
+
leptonlib (1.69-3.1) unstable; urgency=medium
* Non-maintainer upload
diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch
leptonlib-1.69/debian/p
Package: simplesamlphp
Version: 1.9.2-1+deb7u2
CVE ID : CVE-2017-18121 CVE-2017-18122 CVE-2018-6521
Debian Bug : 889286
simplesamlphp, an authentication and federation application, has been
found vulnerable to Cross Site
Package: mailman
Version: 1:2.1.15-1+deb7u3
CVE ID : CVE-2018-5950
Debian Bug : 888201
The mailman package has a Cross-site scripting (XSS) vulnerability in
the web UI before 2.1.26 which allows remote attackers to
hanged-By: Abhijith PA <abhij...@disroot.org>
Description:
simplesamlphp - Authentication and federation application supporting several
prot
Changes:
simplesamlphp (1.9.2-1+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Debian LTS Team.
* Fix CVE-2017-1812
ack...@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhij...@disroot.org>
Description:
mailman - Powerful, web-based mailing list manager
Closes: 888201
Changes:
mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high
.
* Non-maintainer upload by the Debian LTS team.
* CVE-2018-5950: Fi
Hi,
On Wednesday 07 February 2018 12:54 PM, Brian May wrote:
>
> Hello,
>
> I see you have claimed Python2.7 but not Python2.6, which both have the
> same vulnerability. CVE-2018-130
>
> Upstream have decided that this is not a security issue, and it has been
> marked no-DSA in Jessie and
:28:22.0 +0530
@@ -1,3 +1,11 @@
+mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Debian LTS team.
+ * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the
+web UI in Mailman. (Closes: #888201)
+
+ -- Abhijith PA <ab
-maintainer upload by the Debian LTS Team.
+ * Fix CVE-2017-18122: Signature validation bypass
+ * Fix CVE-2017-18121: Cross Site Scripting (XSS) in the consentAdmin module
+ * Fix CVE-2018-6521: Use of insecure connection charset (sqlauth module)
+
+ -- Abhijith PA <abhij...@disroot.org> Mon,
Removed
On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote:
> Hi
>
> Sorry for the duplicate. I did not realize that someone else had sent
> this message already.
>
> // Ola
>
Sorry for the confusion. What is the best solution to avoid this in
future?
releases.
Thank you very much.
Abhijith PA,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://salsa.debian.org/security-tracker-team/security
let us know whether you would
like to review and/or test the updated package before it gets released.
You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of python2.6, python2.7
updates
for the LTS releases.
Thank you very much.
Abhijith PA
+nmu3
Distribution: wheezy-security
Urgency: medium
Maintainer: Leo Costela <cost...@debian.org>
Changed-By: Abhijith PA <abhij...@openmailbox.org>
Description:
transmission - lightweight BitTorrent client
transmission-cli - lightweight BitTorrent client (command line programs)
transmi
Hello.
I prepared LTS security updates for transmission. Please review and upload.
debdiff - http://188.226.198.239/transmission_2.52_wheezy.debdiff
package:
https://mentors.debian.net/debian/pool/main/t/transmission/transmission_2.52-3+nmu3.dsc
--
Abhijith PA (bhe)