Re: squid3 security update in oldstable

2018-11-26 Thread Abhijith PA
some clarification about this, as I'm reticent to >> install updates that haven't followed the full due process. > > Abhijith PA was supposed to send the announcements because he prepared > the updates. Abhijith could you follow up on this please? Sorry, I will send the announcement now. > Regards, > > Markus >

Accepted squid3 3.4.8-6+deb8u6 (source all amd64) into oldstable

2018-11-23 Thread Abhijith PA
Maintainer: Luigi Gangitano Changed-By: Abhijith PA Description: squid-cgi - Full featured Web Proxy cache (HTTP proxy) - control CGI squid-purge - Full featured Web Proxy cache (HTTP proxy) - control utility squid3 - Full featured Web Proxy cache (HTTP proxy) squid3-common - Full featured Web

Re: Security updates of keepalived and icecast2

2018-11-23 Thread Abhijith PA
Hi, On Friday 23 November 2018 03:13 PM, Chris Lamb wrote: > Chris Lamb wrote: > >> I will take libphp-phpmailer > > I have uploaded this and announced it as DLA 1591-1. > > Thank you Abhijith for your debdiff. I completely (and > embarrassingly...) failed to credit you in the DLA

Accepted libphp-phpmailer 5.2.9+dfsg-2+deb8u4 (source all) into oldstable

2018-11-23 Thread Abhijith PA
-By: Abhijith PA Description: libphp-phpmailer - full featured email transfer class for PHP Changes: libphp-phpmailer (5.2.9+dfsg-2+deb8u4) jessie-security; urgency=medium . * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2017-5223: absolute local file path during transformation

Re: Security updates of keepalived and icecast2

2018-11-22 Thread Abhijith PA
Hi, On Friday 23 November 2018 04:06 AM, Markus Koschany wrote: > Hello Abhijith, > > I have just reviewed and uploaded your security updates of keepalived > and icecast2. All looked good to me. I have not sent the announcements > yet because I assume you will take care of them as usual. Thanks

Accepted icecast2 2.4.0-1.1+deb8u2 (source amd64) into oldstable

2018-11-22 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 04 Nov 2018 19:18:01 +0530 Source: icecast2 Binary: icecast2 Architecture: source amd64 Version: 2.4.0-1.1+deb8u2 Distribution: jessie-security Urgency: medium Maintainer: Debian Multimedia Maintainers Changed-By: Abhijith

Re: CVE ID missed in DLA, squid3

2018-11-10 Thread Abhijith PA
On 10 November 2018 7:39:07 PM IST, Holger Levsen wrote: >On Sat, Nov 10, 2018 at 06:08:38PM +0530, Abhijith PA wrote: >> What should we do when we miss specifying a CVE ID in a DLA/DSA? > >I'd say definitely update DLA/list and CVE/list in security-tracker.git OK >> Ca

Re: CVE ID missed in DLA, squid3

2018-11-10 Thread Abhijith PA
On 10 November 2018 7:40:02 PM IST, Markus Koschany wrote: >Hi, > >On 10.11.18 at 13:38 Abhijith PA wrote: >> Hello. >> >> >> What should we do when we miss specifying a CVE ID in a DLA/DSA? Can >we >> just normally insert it in the next advisory

CVE ID missed in DLA, squid3

2018-11-10 Thread Abhijith PA
Hello. What should we do when we miss specifying a CVE ID in a DLA/DSA? Can we just insert it normally in the next advisory release? For example: DLA-478-1[1], released for squid3 on 16 May 2016, missed mentioning 'CVE-2016-3948'. --abhijith [1] -

LTS report for October 2018 - Abhijith PA

2018-11-06 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 October 2018 marked my 9th month as a Debian LTS paid contributor. I had 14 hours of backlog, but due to some personal emergency situations I couldn't spend much time. All I did was: mupdf: marked CVE-2018-18662 as not affected. libspring-java:

LTS report for September 2018 - Abhijith PA

2018-10-12 Thread Abhijith PA
DLA[4]. * jekyll: Prepared update for CVE-2018-17567. Thanks to Markus Koschany and Roberto C. Sánchez for uploading the fixes . Regards. Abhijith PA [1]- https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html [2]- https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html

[SECURITY] [DLA 1541-1] jekyll security update

2018-10-10 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: jekyll Version: 2.2.0+dfsg-2+deb8u1 CVE ID : CVE-2018-17567 Debian Bug : 909933 Parker Moore from Github Inc. discovered a vulnerability in the include: setting in the config file of jekyll which allows arbitrary

Accepted jekyll 2.2.0+dfsg-2+deb8u1 (source all) into oldstable

2018-10-10 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Tue, 02 Oct 2018 19:51:08 +0530 Source: jekyll Binary: jekyll Architecture: source all Version: 2.2.0+dfsg-2+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Debian Ruby Extras Maintainers Changed-By: Abhijith PA

LTS report for September 2018 - Abhijith PA

2018-10-07 Thread Abhijith PA
update for CVE-2018-17567. Thanks to Markus Koschany and Roberto C. Sánchez for uploading the fixes . Regards. Abhijith PA [1]- https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html [2]- https://lists.debian.org/debian-lts-announce/2018/09/msg00033.html [3]- https://lists.debian.org

Re: upload jekyll

2018-10-03 Thread Abhijith PA
Hi Roberto On Thursday 04 October 2018 08:50 AM, Roberto C. Sánchez wrote: > On Thu, Oct 04, 2018 at 08:34:01AM +0530, Abhijith PA wrote: >> Hello. >> >> I've prepared security for jekyll. Debdiff is attached, please review >> and upload. A test specific to t

upload jekyll

2018-10-03 Thread Abhijith PA
with the use of 'include:' +setting in the config file. (Closes: #909933) + * New files added to port symlink test: ++ test/fixtures/test-theme/ ++ test/source/symlink-test/symlinked-file + + -- Abhijith PA Tue, 02 Oct 2018 19:51:08 +0530 + jekyll (2.2.0+dfsg-2) unstable; urgency

[SECURITY] [DLA 1521-1] otrs2 security update

2018-09-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: otrs2 Version: 3.3.18-1+deb8u6 CVE ID : CVE-2018-16586 CVE-2018-16587 Fabien Arnoux discovered several security issues in the email validation of the otrs system. CVE-2018-16586 Load external image or CSS resources

[SECURITY] [DLA 1522-1] strongswan security update

2018-09-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: strongswan Version: 5.2.1-6+deb8u7 CVE ID : CVE-2018-16151 CVE-2018-16152 Sze Yiu Chau and his team from Purdue University and The University of Iowa found several security issues in the gmp plugin for strongSwan,

Accepted strongswan 5.2.1-6+deb8u7 (source all amd64) into oldstable

2018-09-26 Thread Abhijith PA
strongswan-charon strongswan-ike strongswan-nm strongswan-ikev1 strongswan-ikev2 charon-cmd Architecture: source all amd64 Version: 5.2.1-6+deb8u7 Distribution: jessie-security Urgency: medium Maintainer: strongSwan Maintainers Changed-By: Abhijith PA Description: charon-cmd - standalone IPsec client

Accepted otrs2 3.3.18-1+deb8u6 (source all) into oldstable

2018-09-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 26 Sep 2018 08:35:43 +0530 Source: otrs2 Binary: otrs2 otrs Architecture: source all Version: 3.3.18-1+deb8u6 Distribution: jessie-security Urgency: medium Maintainer: Patrick Matthäi Changed-By: Abhijith PA Description

Re: Strongswan and OTRS2 security update

2018-09-26 Thread Abhijith PA
2018-09-26 16:31:46.0 +0200 @@ -1,3 +1,10 @@ +strongswan (5.2.1-6+deb8u7) jessie-security; urgency=medium + + * Non-maintainer upload by the Debian LTS Security Team. + * Fix CVE-2018-16151, CVE-2018-16152: bypass vulnerability in gmp plugin + + -- Abhijith PA Wed, 26 Sep 2018 20:01:46 +

Accepted sympa 6.1.23~dfsg-2+deb8u3 (source) into oldstable

2018-09-20 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 19 Sep 2018 22:45:20 +0530 Source: sympa Binary: sympa Architecture: source Version: 6.1.23~dfsg-2+deb8u3 Distribution: jessie-security Urgency: medium Maintainer: Debian Sympa team Changed-By: Abhijith PA Description

[SECURITY] [DLA 1502-1] mgetty security update

2018-09-12 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: mgetty Version: 1.1.36-2.1+deb8u1 CVE ID : CVE-2018-16741 Two input sanitization failures have been found in the faxrunq and faxq binaries in mgetty. An attacker could leverage them to insert commands via shell

LTS report for August 2018 - Abhijith PA

2018-09-05 Thread Abhijith PA
-2018-15494. Thanks to Chris Lamb again for uploading and releasing DLA[2] * twig: ah, (twig delayed this report). Failed to reproduce the POC and after talking to upstream devs[3], decided to mark as not-affecting. Regards. Abhijith PA [1] - https://lists.debian.org/debian-lts-announce

Accepted dojo 1.10.2+dfsg-1+deb8u1 (source all) into oldstable

2018-09-03 Thread Abhijith PA
Javascript Maintainers Changed-By: Abhijith PA Description: libjs-dojo-core - modular JavaScript toolkit libjs-dojo-dijit - modular JavaScript toolkit - Dijit libjs-dojo-dojox - modular JavaScript toolkit - DojoX Closes: 906540 Changes: dojo (1.10.2+dfsg-1+deb8u1) jessie-security; urgency=medium

upload dojo

2018-09-03 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello. I've prepared a security update for dojo. Please review and upload. Debdiff is attached. It's a trivial patch to escape quotes. Thanks Abhijith PA -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAluM38kACgkQhj1N8u2c

Re: fix squirrelmail bug 775720 in jessie

2018-08-31 Thread Abhijith PA
(Sorry for the duplicate, forgot to add) Hello Matus On Friday 31 August 2018 05:25 PM, Matus UHLAR - fantomas wrote: > Hello, > > the debian bug 775720 for squirrelmail was closed by debian maintainer > because squirrelmail was removed from archive. > > However, there were security 3

Re: fix squirrelmail bug 775720 in jessie

2018-08-31 Thread Abhijith PA
Hello Matus On Friday 31 August 2018 05:25 PM, Matus UHLAR - fantomas wrote: > Hello, > > the debian bug 775720 for squirrelmail was closed by debian maintainer > because squirrelmail was removed from archive. > > However, there were security 3 updates to squirrelmail since, and I've had > to

Accepted squirrelmail 2:1.4.23~svn20120406-2+deb8u3 (source all) into oldstable

2018-08-30 Thread Abhijith PA
-By: Abhijith PA Description: squirrelmail - Webmail for nuts Closes: 905023 Changes: squirrelmail (2:1.4.23~svn20120406-2+deb8u3) jessie-security; urgency=high . * Non-maintainer upload by the Debian LTS Team. * Fix for several XSS vulnerabilities CVE-2018-14950 CVE-2018-14951 CVE-2018

upload squirrelmail

2018-08-30 Thread Abhijith PA
Abhijith PA [1 - https://sourceforge.net/p/squirrelmail/bugs/2831/ -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAluIAEAACgkQhj1N8u2c KO9/Mg/6A7P/CiHscu8RVyvTM5Xh6SwXXZY6dFVkXvWEhh7hD4/KYyfE+QrTpiDU jA6usWx+eyV68ydHP6HsHvxCjBpEQ9cMYv4zQppNBTD32IV93SNZXJvMHgrR2QnZ

LTS report for July 2018 - Abhijith PA

2018-08-08 Thread Abhijith PA
CVEs. Pending fixes will be uploaded in coming days. * twig: Working on CVE-2018-13818. Contacted the exploit author for the POC clarity. - --Abhijith PA [1] - https://lists.debian.org/debian-lts-announce/2018/07/msg00023.html [2] - https://lists.debian.org/debian-lts-announce/2018/08

[SECURITY] [DLA 1457-1] ant security update

2018-08-05 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ant Version: 1.9.4-3+deb8u2 CVE ID : TEMP-0904191-9063D5 Debian Bug : 904191 The fix for CVE-2018-10886 was incomplete in the previous upload. New changes were implemented upstream which check and resolve

Re: upload ant

2018-08-02 Thread Abhijith PA
Hello Roberto C. Sánchez On Wednesday 18 July 2018 11:17 PM, Roberto C. Sánchez wrote: > On Wed, Jul 18, 2018 at 09:06:43PM +0530, Abhijith PA wrote: >> >> Made all the corrections. Thanks for the review. >> >> >> --abhijith >> > > Thanks! It is now

Going to nm

2018-08-01 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello. I am applying to become a DD, uploading. https://nm.debian.org/process/526 . :) - --abhijith -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAltigrgACgkQhj1N8u2c

Accepted policykit-1 0.105-15~deb8u3 (source amd64 all) into oldstable

2018-07-27 Thread Abhijith PA
-polkit-1.0 Architecture: source amd64 all Version: 0.105-15~deb8u3 Distribution: jessie-security Urgency: high Maintainer: Utopia Maintenance Team Changed-By: Abhijith PA Description: gir1.2-polkit-1.0 - GObject introspection data for PolicyKit libpolkit-agent-1-0 - PolicyKit Authentication

upload policykit-1

2018-07-27 Thread Abhijith PA
: polkit_backend_interactive_authority_check_authorization +function in polkitd allows to test for authentication and trigger +authentication of unrelated processes owned by other users which result +in local DoS. + * d/libpolkit-gobject-1-0.symbols: Update for new ABI + + -- Abhijith PA Fri, 27

[SECURITY] [DLA 1431-1] ant security update

2018-07-18 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: ant Version: 1.9.4-3+deb8u1 CVE ID : CVE-2018-10886 The unzip and untar target tasks in ant allow the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create

Accepted ant 1.9.4-3+deb8u1 (source all amd64) into oldstable

2018-07-18 Thread Abhijith PA
Maintainers Changed-By: Abhijith PA Description: ant- Java based build tool like make ant-doc- Java based build tool like make - API documentation and manual ant-gcj- Java based build tool like make (GCJ) ant-optional - Java based build tool like make - optional libraries ant

upload ant

2018-07-18 Thread Abhijith PA
file +submitted to an Ant build could create or overwrite arbitrary files +with the privileges of the user running Ant + + -- Abhijith PA Wed, 18 Jul 2018 16:33:03 +0530 + ant (1.9.4-3) unstable; urgency=medium * Removed the patch adding Xerces to the Ant classpath diff -Nru ant

LTS report for June 2018 - Abhijith PA

2018-07-07 Thread Abhijith PA
on Jessie. Backported 11 of them, some of which were prepared before Jessie reached LTS but couldn't be uploaded. The rest are marked as not affecting. Thanks to Emilio Pozuelo for taking care of the broken CVE-2016-6616.patch and sponsoring the upload[1]. - -- Abhijith PA [1] - https://lists.debian.org/debian

Accepted phpmyadmin 4:4.2.12-2+deb8u3 (source all) into oldstable

2018-07-06 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Sun, 04 Mar 2018 10:57:49 +0530 Source: phpmyadmin Binary: phpmyadmin Architecture: source all Version: 4:4.2.12-2+deb8u3 Distribution: jessie-security Urgency: high Maintainer: Thijs Kinkhorst Changed-By: Abhijith PA Description

Re: phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)

2018-07-05 Thread Abhijith PA
E-2016-9865, CVE-2017-18264 + + -- Abhijith PA Sun, 04 Mar 2018 10:57:49 +0530 + phpmyadmin (4:4.2.12-2+deb8u2) jessie-security; urgency=high * Fix several security issues: diff -Nru phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.patch phpmyadmin-4.2.12/debian/patches/CVE-2016-6609.

Re: upload dokuwiki

2018-07-04 Thread Abhijith PA
On Wednesday 04 July 2018 08:59 PM, Antoine Beaupré wrote: > On 2018-07-04 10:52:15, Abhijith PA wrote: >> On Wednesday 04 July 2018 08:00 PM, Antoine Beaupré wrote: >>> I'm surprised you ended up with this result. I sent you an email over a >>> week ago

Re: upload dokuwiki

2018-07-04 Thread Abhijith PA
On Wednesday 04 July 2018 08:00 PM, Antoine Beaupré wrote: > I'm surprised you ended up with this result. I sent you an email over a > week ago (2018-06-27, id:87muvgi20l@curie.anarc.at) detailing the > work I already did to fix CVE-2017-18123. > > Is there any reason why you deviate from

ansible in jessie

2018-06-25 Thread Abhijith PA
Hello. CVE-2016-8614 is marked as "no-dsa (can be fixed via point release)" for Jessie. But I think it's *not affecting* Jessie, as the vulnerable code is present in a separate module which was only merged into ansible from version 2.3. I am going to mark it as *not-affected*. Let me know if my research is

Re: phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)

2018-06-22 Thread Abhijith PA
On Friday 22 June 2018 04:33 PM, Emilio Pozuelo Monfort wrote: > Ah, nice! Your work looks very useful. My old work was for wheezy, so it only > addressed one CVE (CVE-2017-18264). Since your work is on jessie (which is on > a > newer version) and fixes many more issues, I'll let you handle

phpmyadmin update (Was Re: last call for wheezy updates and remaining work for transition)

2018-06-22 Thread Abhijith PA
Hello Emilio. :) On Thursday 31 May 2018 03:30 AM, Emilio Pozuelo Monfort wrote: >> phpmyadmin (Emilio Pozuelo) > > I couldn't reproduce this in wheezy or jessie, though the PHP prerequisite is > there. I asked Michal if he had some more details, still waiting for a reply. Any news on

LTS report for May 2018 - Abhijith PA

2018-06-02 Thread Abhijith PA
-2018-1125 and CVE-2018-1126 from jessie. Thanks to Holger Levsen for uploading and releasing DLA[3] - --Abhijith PA [1] - https://lists.debian.org/debian-lts-announce/2018/05/msg6.html [2] - https://lists.debian.org/debian-lts-announce/2018/05/msg00014.html [3] - https://lists.debian.org

Re: procps

2018-05-31 Thread Abhijith PA
@ +procps (1:3.3.3-3+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * Fix various vulnerabilities CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, +CVE-2018-1125, CVE-2018-1126 (Closes: #899170) + + -- Abhijith PA Wed, 23 May 2018 13:15:16 +0530 + procps

procps

2018-05-30 Thread Abhijith PA
various vulnerabilities CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, +CVE-2018-1125, CVE-2018-1126 (Closes: #899170) + + -- Abhijith PA Wed, 23 May 2018 13:15:16 +0530 + procps (1:3.3.3-3) testing-proposed-updates; urgency=medium * 3.3.3-3 Fix ps crash with large process groups Closes

Re: last call for wheezy updates and remaining work for transition

2018-05-30 Thread Abhijith PA
st size. Here's the > whole thing, for the record: > > -- > enigmail (Abhijith PA) > -- > -- > procps (Abhijith PA) > -- Working on it. [..]

Re: Wheezy update of xdg-utils?

2018-05-24 Thread Abhijith PA
On 24 May 2018 3:10:37 PM IST, Markus Koschany <a...@debian.org> wrote: >Hi Abhijith, > >On 24.05.2018 at 10:23 Abhijith PA wrote: >[...] >> Looks good to me. >> I tested the patch with >> https://bugs.freedesktop.org/show_bug.cgi?id=103807#c0 . You can

Re: Wheezy update of xdg-utils?

2018-05-24 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello. On Thursday 24 May 2018 08:06 AM, Abhijith PA wrote: > Hi > > On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote: >> Hi, >> >> I've prepared an update of the xdg-utils package for Debian >> Wheezy

Re: Wheezy update of xdg-utils?

2018-05-23 Thread Abhijith PA
Hi On Wednesday 23 May 2018 11:51 PM, Коля Гурьев wrote: > Hi, > > I've prepared an update of the xdg-utils package for Debian Wheezy. > It's available in Git packaging repository[1]. Please review it and, if > everything is okay, upload to archive. > > [1]: >

[SECURITY] [DLA 1375-1] wget security update

2018-05-11 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: wget Version: 1.13.4-3+deb7u6 CVE ID : CVE-2018-0494 Debian Bug : 898076 Harry Sintonen has discovered a cookie injection vulnerability in wget caused by insufficient input validation, enabling an external

Accepted wget 1.13.4-3+deb7u6 (source amd64) into oldoldstable

2018-05-11 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Fri, 11 May 2018 00:48:07 +0530 Source: wget Binary: wget Architecture: source amd64 Version: 1.13.4-3+deb7u6 Distribution: wheezy-security Urgency: high Maintainer: Noël Köthe <n...@debian.org> Changed-By: Abhijith PA

Re: upload wget

2018-05-11 Thread Abhijith PA
Hi On Friday 11 May 2018 12:22 PM, Emilio Pozuelo Monfort wrote: > On 10/05/18 21:57, Abhijith PA wrote: >> Hello. >> >> Please upload wget. Debdiff is attached. I have tested new build with >> this (https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt) >&

upload wget

2018-05-10 Thread Abhijith PA
-0494: Fix cookie injection vulnerability in the resp_new +function in http.c. (Closes: #898076) + + -- Abhijith PA <abhij...@disroot.org> Fri, 11 May 2018 00:48:07 +0530 + wget (1.13.4-3+deb7u5) wheezy-security; urgency=high * Non-maintainer upload by the Debian LTS Team diff -Nr

LTS Report for April 2018 - Abhijith PA

2018-05-04 Thread Abhijith PA
Debian-security team. Regards, Abhijith PA [1] https://lists.debian.org/debian-lts-announce/2018/04/msg00030.html -BEGIN PGP SIGNATURE- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAlrsOtAACgkQhj1N8u2c KO9CeQ/9Fyr6avFpd7lGsT7mhjm1hKNKI68jvpuQ8MeS+D0DA5QEHC7WilUYfHRa

upload ocaml

2018-05-03 Thread Abhijith PA
+execute arbitrary code via a crafted object (Closes: #895472) + + -- Abhijith PA <abhij...@disroot.org> Wed, 02 May 2018 15:40:09 +0530 + ocaml (3.12.1-4+deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the Wheezy LTS Team. diff -Nru ocaml-3.12.1/debian/patches/0017-CV

Re: upload drupal7

2018-04-26 Thread Abhijith PA
On Thursday 26 April 2018 12:29 PM, Emilio Pozuelo Monfort wrote: > On 26/04/18 04:54, Abhijith PA wrote: >> Hello. >> >> I have prepared LTS security update for drupal7[1] . Debdiff is >> attached. Please review and upload. I tested it on a clean wheezy vm >

[SECURITY] [DLA 1365-1] drupal7 security update

2018-04-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: drupal7 Version: 7.14-2+deb7u19 CVE ID : CVE-2018-7602 Debian Bug : 895778 A remote code execution vulnerability has been found within multiple subsystems of Drupal. This potentially allows attackers to exploit

Accepted drupal7 7.14-2+deb7u19 (source all) into oldoldstable

2018-04-26 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 26 Apr 2018 03:14:26 +0530 Source: drupal7 Binary: drupal7 Architecture: source all Version: 7.14-2+deb7u19 Distribution: wheezy-security Urgency: high Maintainer: Luigi Gangitano <lu...@debian.org> Changed-By: Abhij

upload drupal7

2018-04-25 Thread Abhijith PA
: A remote code execution vulnerability exists within +multiple subsystems of Drupal 7.x and 8.x. This potentially allows +attackers to exploit multiple attack vectors on a Drupal site, +which could result in the site being compromised. + + -- Abhijith PA <abhij...@disroot.org> T

LTS report for March 2018 - Abhijith PA

2018-03-31 Thread Abhijith PA
This is my second month as a Debian LTS paid contributor. I was assigned 8 hours and I spent all of it on the following. * golang: Continued my work on backporting CVE-2018-7187. Thanks to Chris Lamb for uploading and releasing DLA[1] * zsh: Backport CVE-2014-10070, CVE-2014-10071,

Fwd: [Ticket#2018033089000104] Ticket Created: [SECURITY] [DLA 1332-1] libvncserver security update

2018-03-31 Thread Abhijith PA
Hello. I received this mail after sending the DLA. Is it something set up by our sponsors? Or spam? --abhijith Original Message From: Helpdesk EDV <helpd...@bsvbio.de> Sent: 31 March 2018 1:00:04 AM IST To: Abhijith PA <abhij...@disroot.org> Subj

[SECURITY] [DLA 1332-1] libvncserver security update

2018-03-30 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: libvncserver Version: 0.9.9+dfsg-1+deb7u3 CVE ID : CVE-2018-7225 Debian Bug : 894045 libvncserver versions through 0.9.11 do not sanitize msg.cct.length, which may result in access to uninitialized and

Re: upload libvncserver

2018-03-30 Thread Abhijith PA
On Friday 30 March 2018 11:28 PM, Ola Lundqvist wrote: > Hi > > I have re-built the package and uploaded now. Will you send the DLA or > do you want me to do that too? > > // Ola > Thanks. I will send the DLA. --abhijith

Accepted libvncserver 0.9.9+dfsg-1+deb7u3 (source amd64) into oldoldstable

2018-03-30 Thread Abhijith PA
Urgency: high Maintainer: Luca Falavigna <dktrkr...@debian.org> Changed-By: Abhijith PA <abhij...@disroot.org> Description: libvncserver-config - API to write one's own vnc server - library utility libvncserver-dev - API to write one's own vnc server - development files libvncserver0 -

Re: Bug#892590: Review graphite2

2018-03-29 Thread Abhijith PA
Drop rene@, jmm@, 892...@bugs.debian.org. On Tuesday 20 March 2018 01:47 AM, Moritz Mühlenhoff wrote: > On Mon, Mar 19, 2018 at 05:04:17PM +0100, Rene Engelhard wrote: >> I am not going over the .-release procedure for this, I'd have uploaded >> to security, though, but... >> >> I don't think we

upload libvncserver

2018-03-29 Thread Abhijith PA
(Closes: #894045) + + -- Abhijith PA <abhij...@disroot.org> Thu, 29 Mar 2018 22:55:20 +0530 + libvncserver (0.9.9+dfsg-1+deb7u2) wheezy-security; urgency=high * CVE-2016-9941: Fix a heap-based buffer overflow that allows remote servers diff -Nru libvncserver-0.9.9+dfsg/debian/patches/CVE-201

Re: Patch for CVE-2018-7490 in uwsgi

2018-03-18 Thread Abhijith PA
On Sunday 18 March 2018 06:40 PM, Gero Treuner wrote: [..] >> +// fix docroot >> +if (uphp.docroot) { >> +char *orig_docroot = uphp.docroot; >> +uphp.docroot = uwsgi_expand_path(uphp.docroot, >> strlen(uphp.docroot), NULL); >> +if (!uphp.docroot) {

Re: Patch for CVE-2018-7490 in uwsgi

2018-03-18 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi. Gero Treuner On Sunday 18 March 2018 02:32 PM, Gero Treuner wrote: > Hi all, > > Attached is a wheezy patch for a security issue: > https://security-tracker.debian.org/tracker/CVE-2018-7490 > Thanks for the patch :) > The upstream patch

Review graphite2

2018-03-18 Thread Abhijith PA
pointer dereference vulnerability +(closes: #892590) + + -- Abhijith PA <abhij...@disroot.org> Sat, 17 Mar 2018 08:44:25 +0530 + graphite2 (1.3.10-1~deb7u1) wheezy-security; urgency=high * Non-maintainer upload by the LTS team. diff -Nru graphite2-1.3.10/debian/patches/CVE-2018-7999

Accepted zsh 4.3.17-1+deb7u1 (source all amd64) into oldoldstable

2018-03-09 Thread Abhijith PA
pkg-zsh-de...@lists.alioth.debian.org> Changed-By: Abhijith PA <abhij...@disroot.org> Description: zsh- shell with lots of features zsh-dbg- shell with lots of features (debugging symbols) zsh-dev- shell with lots of features (development files) zsh-doc- zsh document

Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-09 Thread Abhijith PA
On Thursday 08 March 2018 10:35 AM, Chris Lamb wrote: > Hi Abhijith, > >> I prepared an update[1] for zsh. Debdiff attached along with the mail. >> It would be great if you do some testing. > > Works for me... :) > > > Regards, > It will be helpful if someone could upload zsh. Once it

Re: [Pkg-zsh-devel] Wheezy update of zsh?

2018-03-05 Thread Abhijith PA
ax in exec.c + * Fix CVE-2014-10072: buffer overflow when scanning very long +directory paths for symbolic links + * Fix CVE-2016-10714: off-by-one error resulted in undersized buffers +that were intended to support PATH_MAX + * Fix CVE-2017-18206: symlink expansion has buffer overflow +

Re: FreeXL 1.0.5 - multiple heap-buffer-overflows

2018-02-28 Thread Abhijith PA
Hi. On Wednesday 28 February 2018 11:50 AM, Sebastiaan Couwenberg wrote: > LTS team, > > On 02/23/2018 11:30 AM, Sebastiaan Couwenberg wrote: >> Dear Security & LTS Teams, [..] >> Are these OK to upload? > > The jessie & stretch updates have been uploaded to security-master after > the OK

Accepted golang 2:1.0.2-1.1+deb7u3 (source amd64 all) into oldoldstable

2018-02-25 Thread Abhijith PA
-security Urgency: high Maintainer: Ondřej Surý <ond...@debian.org> Changed-By: Abhijith PA <abhij...@disroot.org> Description: golang - Go programming language compiler - metapackage golang-dbg - Go programming language compiler - debug files golang-doc - Go programming langu

upload golang

2018-02-25 Thread Abhijith PA
t validate the -import path (get/vcs.go only checks for "://" anywhere in -the string), which allows remote attackers to execute arbitrary -OS commands via a crafted web site. Backported from -upstream development branch. - - -- Abhijith PA <abhij...@disroot.org>

LTS Report for February 2018 - Abhijith

2018-02-20 Thread Abhijith PA
and release DLA 1272-1[2] * leptonlib: Patch for CVE-2018-3836, test and release DLA 1284-1[3] * golang: Research on CVE-2018-7187. Thanks to Markus Koschany and Roberto C. Sánchez for sponsoring packages . - -Abhijith PA [1] https://lists.debian.org/debian-lts-announce/2018/02/msg8.html [2

[SECURITY] [DLA 1284-1] leptonlib security update

2018-02-15 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: leptonlib Version: 1.69-3.1+deb7u1 CVE ID : CVE-2018-3836 Debian Bug : 889759 Talosintelligence discovered a command injection vulnerability in the gplotMakeOutput function of leptonlib. A specially crafted

Accepted leptonlib 1.69-3.1+deb7u1 (source amd64) into oldoldstable

2018-02-14 Thread Abhijith PA
t;j...@debian.org> Changed-By: Abhijith PA <abhij...@disroot.org> Description: leptonica-progs - sample programs for Leptonica image processing library liblept3 - image processing library libleptonica-dev - image processing library Closes: 889759 Changes: leptonlib (1.69-3.1+deb7u1) whe

upload leptonlib

2018-02-14 Thread Abhijith PA
Command Injection Vulnerability +(closes: #889759) + + -- Abhijith PA <abhij...@disroot.org> Tue, 13 Feb 2018 23:36:39 +0530 + leptonlib (1.69-3.1) unstable; urgency=medium * Non-maintainer upload diff -Nru leptonlib-1.69/debian/patches/CVE-2018-3836.patch leptonlib-1.69/debian/p

[SECURITY] [DLA 1273-1] simplesamlphp security update

2018-02-08 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: simplesamlphp Version: 1.9.2-1+deb7u2 CVE ID : CVE-2017-18121 CVE-2017-18122 CVE-2018-6521 Debian Bug : 889286 simplesamlphp, an authentication and federation application, has been found vulnerable to Cross Site

[SECURITY] [DLA 1272-1] mailman security update

2018-02-08 Thread Abhijith PA
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Package: mailman Version: 1:2.1.15-1+deb7u3 CVE ID : CVE-2018-5950 Debian Bug : 888201 The mailman package has a Cross-site scripting (XSS) vulnerability in the web UI before 2.1.26 which allows remote attackers to

Accepted simplesamlphp 1.9.2-1+deb7u2 (source all) into oldoldstable

2018-02-08 Thread Abhijith PA
hanged-By: Abhijith PA <abhij...@disroot.org> Description: simplesamlphp - Authentication and federation application supporting several prot Changes: simplesamlphp (1.9.2-1+deb7u2) wheezy-security; urgency=high . * Non-maintainer upload by the Debian LTS Team. * Fix CVE-2017-1812

Accepted mailman 1:2.1.15-1+deb7u3 (source amd64) into oldoldstable

2018-02-08 Thread Abhijith PA
ack...@lists.alioth.debian.org> Changed-By: Abhijith PA <abhij...@disroot.org> Description: mailman- Powerful, web-based mailing list manager Closes: 888201 Changes: mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high . * Non-maintainer upload by the Debian LTS team. * CVE-2018-5950: Fi

Re: [Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add python2.6, 2.7 and claim 2.7

2018-02-06 Thread Abhijith PA
Hi, On Wednesday 07 February 2018 12:54 PM, Brian May wrote: > > Hello, > > I see you have claimed Python2.7 but not Python2.6, which both have the > same vulnerability. CVE-2018-130 > > Upstream have decided that this is not a security issue, and it has been > marked no-DSA in Jessie and

Upload mailman

2018-02-06 Thread Abhijith PA
:28:22.0 +0530 @@ -1,3 +1,11 @@ +mailman (1:2.1.15-1+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload by the Debian LTS team. + * CVE-2018-5950: Fix cross-site scripting (XSS) vulnerability in the +web UI in Mailman. (Closes: #888201) + + -- Abhijith PA <ab

upload simplesamlphp

2018-02-05 Thread Abhijith PA
-maintainer upload by the Debian LTS Team. + * Fix CVE-2017-18122: Signature validation bypass + * Fix CVE-2017-18121: Cross Site Scripting (XSS) in the consentAdmin module + * Fix CVE-2018-6521: Use of insecure connection charset (sqlauth module) + + -- Abhijith PA <abhij...@disroot.org> Mon,

Re: Wheezy update of simplesamlphp?

2018-02-04 Thread Abhijith PA
Removed On Sunday 04 February 2018 02:37 AM, Ola Lundqvist wrote: > Hi > > Sorry for the duplicate. I did not realize that someone else had sent > this message already. > > // Ola > Sorry for the confusion. What is the best solution to avoid this in future?

Wheezy update of simplesamlphp ?

2018-02-03 Thread Abhijith PA
releases. Thank you very much. Abhijith PA, on behalf of the Debian LTS team. PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://salsa.debian.org/security-tracker-team/security

Wheezy update of python2.6, python2.7?

2018-02-03 Thread Abhijith PA
let us know whether you would like to review and/or test the updated package before it gets released. You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of python2.6, python2.7 updates for the LTS releases. Thank you very much. Abhijith PA

Accepted transmission 2.52-3+nmu3 (source all amd64) into oldoldstable

2018-01-18 Thread Abhijith PA
+nmu3 Distribution: wheezy-security Urgency: medium Maintainer: Leo Costela <cost...@debian.org> Changed-By: Abhijith PA <abhij...@openmailbox.org> Description: transmission - lightweight BitTorrent client transmission-cli - lightweight BitTorrent client (command line programs) transmi

LTS security update transmission

2018-01-17 Thread Abhijith PA
Hello. I prepared LTS security updates for transmission. Please review and upload. debdiff - http://188.226.198.239/transmission_2.52_wheezy.debdiff package: https://mentors.debian.net/debian/pool/main/t/transmission/transmission_2.52-3+nmu3.dsc -- Abhijith PA (bhe)
