Debian LTS and ELTS -- May 2024

2024-05-31 Thread Daniel Leidert
Hi, I was examining and working on runc and dnsmasq in May. I prepared an upload of runc to bullseye-pu to fix all remaining CVEs: I continued working on the upload of dnsmasq for Buster. However, due to some other tasks, I wasn't able to put much time into it

Debian LTS and ELTS -- April 2024

2024-05-09 Thread Daniel Leidert
Hi, I was examining and working on multiple packages in April. I continued working on the upload of dnsmasq for Buster and continued testing the complex updates. I also started working on h2o for Buster and runc for Bullseye. While I checked some of the packages in the TODO list, I researched

Debian LTS and ELTS -- March 2024

2024-04-01 Thread Daniel Leidert
Hi, I was working on three packages this month. For pdns-recursor in Buster, I added patches for CVE-2020-14196 and CVE-2020-25829. Unfortunately, the upload is currently still blocked by #1067124. Thus, no DLA has been issued yet. I also prepared patches for dnsmasq in Buster to fix

Re: Confusion about runc status in dla-needed

2024-03-10 Thread Daniel Leidert
Hi Ola, On Sunday, 10.03.2024 at 23:03 +0100, Ola Lundqvist wrote: > > I was about to remove runc from dla-needed but since Adrian sent out > a question email about the removal I thought one more time. (I'm > trying to learn from my mistakes) :-) > > I'm getting a little confused about

Debian LTS and ELTS -- February 2024

2024-03-03 Thread Daniel Leidert
Hi, I was working mostly on runc this month, backporting the patches to fix and harden runc in Buster against CVE-2021-43784 and CVE-2024-21626, issuing DLA 3735-1. I also prepared the same patchset for runc for ELTS because it seemed that the version from Buster had been uploaded to Stretch.

Re: [SECURITY] [DLA 3735-1] runc security update

2024-02-19 Thread Daniel Leidert
On Monday, 19.02.2024 at 07:11 +0100, Salvatore Bonaccorso wrote: [..] > > Debian LTS Advisory DLA-3735-1 [..] > The DLA reservation for this update in data/DLA/list seems missing, > can you push the changes there? Otherwise there is potential that > there will be a

[SECURITY] [DLA 3735-1] runc security update

2024-02-18 Thread Daniel Leidert
- Debian LTS Advisory DLA-3735-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Daniel Leidert February 19, 2024 https://wiki.debian.org/LTS

RFH: Backport usage of internal/poll.IsPollDescriptor (Go 1.12) for runc patch in Buster/Stretch

2024-02-11 Thread Daniel Leidert
Hi, I'm currently in the process of backporting the runc patches to fix CVE-2024-21626. I have issues with this patch: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df second, but unrelated part of this patch is:

Debian LTS and ELTS -- January 2024

2024-02-02 Thread Daniel Leidert
Hi, I was working solely on asyncssh this month, backporting the patches for CVE-2023-46445, CVE-2023-46446, and CVE-2023-48795; finally uploading 1.12.2-1+deb10u1 with the fix for CVE-2023-48795, issuing DLA 3730-1. The patches for CVE-2023-46445 and CVE-2023-46446 have been backported and

[SECURITY] [DLA 3730-1] python-asyncssh security update

2024-01-31 Thread Daniel Leidert
- Debian LTS Advisory DLA-3730-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Daniel Leidert February 01, 2024 https://wiki.debian.org/LTS

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-21 Thread Daniel Leidert
Hey Utkarsh, On Friday, 17.03.2023 at 01:23 +0100, Daniel Leidert wrote: > On Friday, 17.03.2023 at 04:58 +0530, Utkarsh Gupta wrote: [..] > > > I could do a thorough review of your patches if you'd like? > > Sure, please do so. Any news about this? Regards, Daniel

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-16 Thread Daniel Leidert
On Friday, 17.03.2023 at 04:58 +0530, Utkarsh Gupta wrote: > On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta > wrote: > > Please hold off on the update for a while. I have something to add wrt > > ruby-rails-html-sanitizer. I just haven't had the time to write it > > down, I'll get back in

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-15 Thread Daniel Leidert
On Wednesday, 15.03.2023 at 12:34 +0100, Emilio Pozuelo Monfort wrote: [..] > > > > What do you think? I wonder if that is an acceptable change? > > Without looking in detail, my question would be: > > Is the output change likely to cause issues to loofah users? If not, then > keep > the

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-14 Thread Daniel Leidert
On Tuesday, 14.03.2023 at 11:34 +0100, Daniel Leidert wrote: > On Tuesday, 14.03.2023 at 06:11 +0100, Anton Gladky wrote: > > [..] > > 3) Please check, why piuparts is failing on CI. > > I have already yesterday, and I wasn't able to reproduce that (the log >

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-14 Thread Daniel Leidert
Hi Anton, thanks for your feedback. On Tuesday, 14.03.2023 at 06:11 +0100, Anton Gladky wrote: > Hi Daniel, > > congratulations on your first update! > > Some notes: > > 1) to be consistent with all other updates please do not add the suffix > in the version number I'm not quite sure

RFC: ruby-loofah 2.2.3-1+deb10u2

2023-03-13 Thread Daniel Leidert
Hi there, I prepared my first LTS update. You can find it here: https://salsa.debian.org/lts-team/packages/ruby-loofah When I ran some test cases to see if all the vulnerabilities are fixed, I discovered that there is a slight behavioral change: As part of the fix for CVE-2022-23516, loofah

Re: LTS upload of ruby-loofah

2023-03-13 Thread Daniel Leidert
Hi Chris, On Monday, 13.03.2023 at 16:29 +, Chris Lamb wrote: > Hi Daniel, > > After being unclaimed through inactivity, I took over the claim for > ruby-loofah in data/dla-needed.txt. However, I've just noticed that > you have already authored and prepared some patches in the Git repo,