Re: git CVE-2024-32004 & CVE-2024-32020

2024-05-31 Thread Santiago Ruano Rincón
Hi Ubuntu security team, I would just like to put you in the loop about this git issue, and a possible regression in Ubuntu related to its fix. Please, see below. El 31/05/24 a las 10:41, Roberto C. Sánchez escribió: > Hi Sean, > > On Fri, May 31, 2024 at 03:05:35PM +0100, Sean Whitton wrote: >

[SECURITY] [DLA 3816-1] bind9 security update

2024-05-17 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3816-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón May 17, 2024 https://wiki.debian.org/LTS

Bug#1070494: ITP: linux-livepatching -- linux livepatching module for Debian

2024-05-06 Thread Santiago Ruano Rincón
Package: wnpp Severity: wishlist Owner: Emmanuel Arias , Santiago Ruano Rincón X-Debbugs-Cc: debian-de...@lists.debian.org, t...@security.debian.org, debian-ker...@lists.debian.org, debian-lts@lists.debian.org, eam...@debian.org * Package name: linux-livepatching Version

[SECURITY] Debian 10 LTS will reach end-of-life on June 30th, 2024

2024-05-03 Thread Santiago Ruano Rincón
Dear Debian LTS users, This is a gentle reminder that Debian 10 ("buster") will reach end of support as the LTS release on June 30, 2024. Users are encouraged to upgrade to Debian 11 ("bullseye"). Starting in July, Debian will not provide further security updates for Debian 10. A subset of

Re: bind9 LTS

2024-04-29 Thread Santiago Ruano Rincón
e first time I looked at these CVEs, when they just came out. Thanks, and sorry for the noise, -- S > > Cheers > > // Ola > > On Tue, 23 Apr 2024 at 22:55, Santiago Ruano Rincón > wrote: > > > > Hi Ola, > > El 19/04/24 a las 07:54, Ola Lundqvist escr

Re: freeimage and CVE-2019-12214

2024-04-26 Thread Santiago Ruano Rincón
Hi Cyrille! El 25/04/24 a las 15:00, Cyrille Bollu escribió: > Hi Santiago, > > Here's some follow up :-) > > Best regards, > > Cyrille > > Le mardi 16 avril 2024 à 12:52 -0300, Santiago Ruano Rincón a écrit : > > Hi Cyrille, > > > > El 16/04/24

Re: bind9 LTS

2024-04-23 Thread Santiago Ruano Rincón
Hi Ola, El 19/04/24 a las 07:54, Ola Lundqvist escribió: > Hi > > I have now made the package build. Thank you for preparing the patch. I've built, tested basic functionality and tested reversed dependencies. However, I have a question: could you please point me where do you get from the

LTS Team's samba git repository and forced push debian/buster branch

2024-04-22 Thread Santiago Ruano Rincón
Dear team, TL;DR: if you have a local copy of the lts-team/packages/samba repo, please consider resetting the debian/buster branch. The lts-team's was originally created from scratch, then we moved over a fork of the debian maintainers. To reconcile the differences in history between the buster

[SECURITY] [DLA 3792-1] samba security update

2024-04-22 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3792-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón April 22, 2024 https://wiki.debian.org/LTS

Re: freeimage and CVE-2019-12214

2024-04-16 Thread Santiago Ruano Rincón
Hi Cyrille, El 16/04/24 a las 16:09, Cyrille Bollu escribió: > Hi Santiago, > > >It is not a question of trust. It is a problem of lack of strong > >evidence that the issue is no longer there in freeimage or openjpeg2. > >We cannot rely only on CVE description to track the issues. > > I think

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
Hi, El 15/04/24 a las 21:47, Ola Lundqvist escribió: > Hi Santiago > > On Mon, 15 Apr 2024 at 21:10, Santiago Ruano Rincón > wrote: > > > > Hi Ola, > > > > As being discussed with Salvatore, there is not enough evidence to > > conclude there is n

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
NOTE: in libopenjpeg, not freeimage. Without reproducer or > > stacktrace, this is > > NOTE: nearly unfixable. > > + NOTE: Turned out that the issue is not in freeimage at all, > > but rather in openjpeg. > > + NOTE: For more information see > > https://

Re: freeimage and CVE-2019-12214

2024-04-15 Thread Santiago Ruano Rincón
Hi, Cyrille, thank you for checking this. However, I don't think the contact address you sent the email to is correct. CVE is maintained by MITRE (not NIST). And there exist several CNAs that could issue CVE IDs for specific products/domains. According to

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-11 Thread Santiago Ruano Rincón
Hello Cyrille, El 11/04/24 a las 09:15, Cyrille Bollu escribió: > Why not using CVSS as a base calculation for assigning severity levels? > > IIRC, something like: > > CVSS>=8 => High > 4<=CVSS<8 => Medium > CVSS<4 => Low ... Thanks for the comment! I cannot talk for the security team, but I

Re: How to handle freeimage package

2024-04-11 Thread Santiago Ruano Rincón
Hi Ola, El 11/04/24 a las 08:25, Ola Lundqvist escribió: > On Thu, 11 Apr 2024 at 02:34, Santiago Ruano Rincón > > El 10/04/24 a las 22:08, Ola Lundqvist escribió: > > > Hi all > > > > > > Sorry for late reply. It took me too long today to answer th

Re: How to handle freeimage package

2024-04-10 Thread Santiago Ruano Rincón
Hi Ola, El 10/04/24 a las 22:08, Ola Lundqvist escribió: > Hi all > > Sorry for late reply. It took me too long today to answer the CVE > triaging discussion. Now to this issue. > > Regarding the fedora patches. The patches seem to help for those > specific issues they solve. > > My intention

Re: How to handle freeimage package

2024-04-09 Thread Santiago Ruano Rincón
Hi (especially Ola), El 08/04/24 a las 13:59, Sylvain Beucler escribió: > Hi, > > I think this requires a bit of coordination: > - the package is basically dead upstream, there hasn't been a fix in the > official repos, neither Debian or other distros attempted to fix them The only "exception"

Re: Expanding the scope (slightly) of dla-needed.txt

2024-03-15 Thread Santiago Ruano Rincón
El 15/03/24 a las 08:31, Roberto C. Sánchez escribió: > On Fri, Mar 15, 2024 at 11:06:10AM +0100, Raphael Hertzog wrote: > > Hello Roberto, > > > > On Thu, 14 Mar 2024, Roberto C. Sánchez wrote: > > > Santiago and I are in agreement that at the moment the best available > > > option is to use

Re: kfreebsd-10 supported in buster?

2024-03-08 Thread Santiago Ruano Rincón
El 08/03/24 a las 18:51, Ola Lundqvist escribió: > Hi > > Ah, right. I was thinking i386, amd64 were only hardware architectures. If > it includes freebsd as a separate then it is clearly not supported. > Thank you That is a good point. We tend to use the term architecture, but if you want to be

Re: kfreebsd-10 supported in buster?

2024-03-07 Thread Santiago Ruano Rincón
Hello Ola, El 08/03/24 a las 00:20, Ola Lundqvist escribió: > Hi > > I'm triaging issues and I found one undetermined one for kfreebsd-10. > There is very little information on the issue so I agree with the > undetermined status. > > My question is whether we should even try to determine it...

Re: debvm invocations for ELTS

2024-02-29 Thread Santiago Ruano Rincón
El 29/02/24 a las 14:14, Sean Whitton escribió: > Hello, > > Does anyone have working debvm runes for stretch & jessie? > > If you just use 'debvm-create -r stretch -- > http://deb.freexian.com/extended-lts' > then there isn't working networking. AFAIU, networking is set up while running

Re: man-db hardening fixes

2024-02-05 Thread Santiago Ruano Rincón
El 05/02/24 a las 15:30, Colin Watson escribió: > On Mon, Feb 05, 2024 at 11:33:41AM -0300, Santiago Ruano Rincón wrote: > > As part of the LTS workflow, we keep information about VCS of the > > packages uploaded, including git tags for every upload. > > > > Woul

Re: man-db hardening fixes

2024-02-05 Thread Santiago Ruano Rincón
El 01/02/24 a las 13:34, Colin Watson escribió: > On Thu, Feb 01, 2024 at 05:41:19PM +0530, Utkarsh Gupta wrote: > > On Thu, Feb 1, 2024 at 1:44 AM Colin Watson wrote: > > > I'm both the Debian and upstream maintainer of man-db. I'm considering > > > uploading some variation of the attached diff

[SECURITY] [DLA 3694-1] openssh security update

2023-12-25 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3694-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón December 25, 2023 https://wiki.debian.org/LTS

Re: Security releases for ecosystems that use static linking

2023-12-22 Thread Santiago Ruano Rincón
El 22/12/23 a las 14:21, Moritz Muehlenhoff escribió: > On Fri, Dec 22, 2023 at 10:19:15AM -0300, Santiago Ruano Rincón wrote: > > El 22/12/23 a las 09:54, Moritz Muehlenhoff escribió: > > > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > > &

Re: Security releases for ecosystems that use static linking

2023-12-22 Thread Santiago Ruano Rincón
El 22/12/23 a las 09:54, Moritz Muehlenhoff escribió: > On Thu, Dec 21, 2023 at 07:30:51PM -0300, Santiago Ruano Rincón wrote: > > So let me ask you: are you interested in addressing the infrastructure > > limitations to handle those kind of packages? and h

Security releases for ecosystems that use static linking

2023-12-21 Thread Santiago Ruano Rincón
Dear Security, Release and Wanna-build teams, As some of you may be aware, we (the LTS Team) are reviewing the packages with limitations in their support, and I would like to bring some discussion regarding Go, Rust and the like. As the bookworm (and older) release notes document: The Debian

Support of Tor in buster LTS

2023-11-28 Thread Santiago Ruano Rincón
unce/2023/msg00258.html and: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056606 I think we should follow that for buster. Any objections? Cheers, -- Santiago Ruano Rincón ◈ Freexian SARL https://www.freexian.com

Re: Accepted node-babel 6.26.0+dfsg-3+deb10u1 (source all) into oldoldstable

2023-10-19 Thread Santiago Ruano Rincón
El 19/10/23 a las 11:29, Yadd escribió: > Hi, > > I think I did what is needed (mail + webml). Let me know if everything is > OK. It is perfect. Thank you! Cheers, -- Santiago

Re: Accepted node-babel 6.26.0+dfsg-3+deb10u1 (source all) into oldoldstable

2023-10-18 Thread Santiago Ruano Rincón
Hey, node-babel was accepted into buster-security. Yadd, will you do the paperwork by yourself or do you want some help? Cheers, -- S El 18/10/23 a las 21:20, Debian FTP Masters escribió: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Fri, 13 Oct 2023 20:56:38

Re: Bug#1053880: node-babel7: CVE-2023-45133

2023-10-13 Thread Santiago Ruano Rincón
Hi Yadd, El 13/10/23 a las 20:59, Yadd escribió: > and Buster ;-) Thanks for preparing the fix! Just to be on the safe side, have you been able to test it, and how? Are you willing to upload it by yourself, or do you want some help? Cheers, -- Santiago

[SECURITY] [DLA 3583-1] glib2.0 security update

2023-09-25 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3583-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón September 25, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3574-1] mutt security update

2023-09-20 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3574-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón September 20, 2023 https://wiki.debian.org/LTS

Re: Backporting mutt patches to Debian Buster

2023-09-20 Thread Santiago Ruano Rincón
Hi Chris, El 17/09/23 a las 21:56, Chris Frey escribió: > On Sun, Sep 17, 2023 at 08:34:57PM +0300, Santiago Ruano Rincón wrote: > > Chris, thanks for preparing the patches. Much appreciated. I have a > > question though: Why are you placing those two patches in >

Re: Backporting mutt patches to Debian Buster

2023-09-17 Thread Santiago Ruano Rincón
hi! El 16/09/23 a las 15:44, Utkarsh Gupta escribió: > Hi Chris, > > On Fri, Sep 15, 2023 at 8:09 PM Chris Frey wrote: > > Attached is a patch that applies to the unpackaged sources of Debian > > Buster's > > version of mutt 1.10. > > > > It includes 3 patches: > > > >

[SECURITY] [DLA 3547-1] tryton-server security update

2023-08-29 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3547-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón August 29, 2023 https://wiki.debian.org/LTS

[SECURITY] [DLA 3533-1] lxc security update

2023-08-21 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3533-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón August 17, 2023 https://wiki.debian.org/LTS

Call for tests/review: glib2.0/buster

2023-08-20 Thread Santiago Ruano Rincón
Dear all I've prepared a glib2.0 update for buster (and I am working for older releases). I think it should be ready, all the tests pass. But since there were some regressions with a first set of patches, it would be great if someone could give it a try. The packages are available following these

Re: RFC - mark CVE-2017-18641/lxc as or ?

2023-08-16 Thread Santiago Ruano Rincón
El 04/03/20 a las 21:09, Roberto C. Sánchez escribió: > On Wed, Feb 26, 2020 at 10:33:22AM -0500, Roberto C. Sánchez wrote: > > Hello all, > > > > I've been doing some work on CVE-2017-18641/lxc to understand the > > precise nature of the vulnerability and potential approaches to fixing > > it.

[Debian Code Search] Indexing releases other than sid

2023-07-22 Thread Santiago Ruano Rincón
Hi, First of all, thanks a lot for Debian Code Search. It is really useful! I would like to give feedback about this from the FAQ: > Q: Which Debian distributions are indexed (e.g. testing, sid, > experimental)? > > Currently, DCS indexes sid only. If you have good arguments for > extending or

[SECURITY] [DLA 3464-1] xmltooling security update

2023-06-21 Thread Santiago Ruano Rincón
Debian LTS Advisory DLA-3464-1 debian-...@lists.debian.org https://www.debian.org/lts/security/ Santiago Ruano Rincón June 21, 2023 https://wiki.debian.org/LTS

Re: xmltooling update for buster

2023-06-15 Thread Santiago Ruano Rincón
El 14/06/23 a las 23:36, Ferenc Wágner escribió: > Santiago Ruano Rincón writes: > > > El 14/06/23 a las 18:30, Ferenc Wágner escribió: > > > >> Santiago Ruano Rincón writes: > >> > >>> According to the security team's dsa-needed, you are pre

Re: xmltooling update for buster

2023-06-14 Thread Santiago Ruano Rincón
El 14/06/23 a las 18:30, Ferenc Wágner escribió: > Santiago Ruano Rincón writes: > > > Dear xmltooling maintainers, > > > > According to the security team's dsa-needed, you are preparing an update > > for the recent shibboleth/xmltooling security issue. Would

xmltooling update for buster

2023-06-14 Thread Santiago Ruano Rincón
Dear xmltooling maintainers, According to the security team's dsa-needed, you are preparing an update for the recent shibboleth/xmltooling security issue. Would you be willing to prepare an update for buster too, or would you like the Debian LTS team to handle it? Cheers, -- Santiago

Re: Shibboleth SP Security Advisory

2023-06-13 Thread Santiago Ruano Rincón
Hi, El 13/06/23 a las 08:59, Enrique Pérez Arnaud escribió: > Hi, > > The people from Shibboleth released yesterday 12th of June a security > advisory and update [1]. > > Does anyone here know whether there will be a security update for Debian > LTS (buster) regarding this? > > Thanks! > > >

Bug#1035972: isc-dhcp EOL'ed

2023-05-11 Thread Santiago Ruano Rincón
Source: debian-security-support Version: 1:12+2023.05.04 Severity: normal X-Debbugs-Cc: secur...@debian.org, debian-lts@lists.debian.org Dear security and LTS teams, ISC is no longer maintaining any of the components of isc-dhcp (client, relay or server):

Re: Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2023-03-20 Thread Santiago Ruano Rincón
El 20/03/23 a las 09:08, Emilio Pozuelo Monfort escribió: > Hi Otto, > > I do run lintian from the target release before upload (actually on every > build). I don't think running lintian from sid for (old*)stable makes sense > as I'm not interested in newly introduced warnings or errors that

Re: [Debian-salsa-ci] Using Salsa-CI as pre-upload QA for Bullseye and Buster uploads: Lintian and Piuparts

2022-11-14 Thread Santiago Ruano Rincón
Hi! El 14/11/22 a las 09:52, Chris Lamb escribió: > Hi Otto, > > > I was wondering how common is it for DDs to use Salsa-CI while doing > > quality assurance prior to Bullseye and Buster uploads? > > Since Debian LTS and ELTS changed its policy to use Salsa a few months > back, I have been

Re: Accepted knot-resolver 3.2.1-3+deb10u1 (source amd64 all) into oldstable

2022-10-07 Thread Santiago Ruano Rincón
Hi Chris, Thanks for handling this. El 07/10/22 a las 18:10, Debian FTP Masters escribió: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Format: 1.8 > Date: Fri, 07 Oct 2022 10:17:02 -0700 > Source: knot-resolver > Binary: knot-resolver knot-resolver-dbgsym knot-resolver-doc >

Re: [SECURITY] [DLA 3107-1] sqlite3 security update

2022-09-14 Thread Santiago Ruano Rincón
El 14/09/22 a las 08:04, Chris Lamb escribió: > Chris Lamb wrote: > > >> Did you forget to upload this? I don't see any sqlite3 update in > >> buster-security (or maybe it was rejected or something). > > > > I didn't forget. Rather, it was REJECTED late last night and I re- > > uploaded first

Re: Lintian errors on ffmpeg

2022-05-04 Thread Santiago Ruano Rincón
Hi! El 04/05/22 a las 10:14, Enrico Zini escribió: > On Wed, May 04, 2022 at 08:58:36AM +0100, Neil Williams wrote: > > > > I'm working at a LTS release of ffmpeg, and the CI is failing with > > > Lintian errors that weren't present in the previous version: > > > > Is the version of lintian in

Re: KSK2017 in BIND 9 in Wheezy and Jessie LTS releases?

2019-03-21 Thread Santiago Ruano Rincón
El 21/03/19 a las 00:03, Ondřej Surý escribió: > Hi, > > I have a question - did you update the KSK2017 in bind9 package in Wheezy > before it became EOL, and did you update the KSK2017 in Jessie? > > Would it be still possible to update the keys in bind9 package in Wheezy if > that hasn’t

Re: policykit-1 CVE-2018-19788 in jessie

2018-12-30 Thread Santiago Ruano Rincón
El 20/12/18 a las 12:57, Moritz Muehlenhoff escribió: > On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote: > > Hi Santiago, > > > > On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote: > > > Dear Maintainers, > > > > > &

policykit-1 CVE-2018-19788 in jessie

2018-12-19 Thread Santiago Ruano Rincón
Dear Maintainers, (It seems my first attempt to send this mail failed. Sorry if you received it twice) As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in jessie. i.e. systemctl correctly doesn't allow me to stop services, and pkexec blocks me from executing applications

[SECURITY] [DLA 1599-1] qemu security update

2018-11-30 Thread Santiago Ruano Rincón
Package: qemu Version: 1:2.1+dfsg-12+deb8u8 CVE ID : CVE-2016-2391 CVE-2016-2392 CVE-2016-2538 CVE-2016-2841 CVE-2016-2857 CVE-2016-2858 CVE-2016-4001 CVE-2016-4002 CVE-2016-4020 CVE-2016-4037 CVE-2016-4439 CVE-2016-4441

Accepted qemu 1:2.1+dfsg-12+deb8u8 (source amd64) into oldstable

2018-11-29 Thread Santiago Ruano Rincón
-binfmt qemu-utils qemu-guest-agent qemu-kvm Architecture: source amd64 Version: 1:2.1+dfsg-12+deb8u8 Distribution: jessie-security Urgency: medium Maintainer: Debian QEMU Team Changed-By: Santiago Ruano Rincón Description: qemu - fast processor emulator qemu-guest-agent - Guest-side qemu

Re: libdatetime-timezone-perl

2018-11-07 Thread Santiago Ruano Rincón
El 07/11/18 a las 16:59, Brian May escribió: > I see libdatetime-timezone-perl is in dla-needed.txt, but I can't see > *any* security vulnerabilities in > https://security-tracker.debian.org/tracker/source-package/libdatetime-timezone-perl I included it to dla-needed. It doesn't have any known

[SECURITY] [DLA 1563-1] tzdata new upstream version

2018-11-01 Thread Santiago Ruano Rincón
Package: tzdata Version: 2018g-0+deb8u1 tzdata upstream released version 2018g. Notable changes since 2018e (previous version available in jessie) include: - Morocco switched to permanent +01 on 2018-10-27. - Volgograd moved from +03 to +04 on 2018-10-28. - Fiji ends DST

Accepted tzdata 2018g-0+deb8u1 (source all) into oldstable

2018-11-01 Thread Santiago Ruano Rincón
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 31 Oct 2018 09:05:21 +0100 Source: tzdata Binary: tzdata tzdata-java Architecture: source all Version: 2018g-0+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: GNU Libc Maintainers Changed-By: Santiago Ruano

[SECURITY] [DLA 1553-1] clamav security update

2018-10-24 Thread Santiago Ruano Rincón
Package: clamav Version: 0.100.2+dfsg-0+deb8u1 CVE ID : CVE-2018-15378 Debian Bug : 910430 ClamAV is an anti-virus utility for Unix, whose upstream developers have released the version 0.100.2. Installing this new version is required to make use of all current virus

Accepted clamav 0.100.2+dfsg-0+deb8u1 (source all amd64) into oldstable

2018-10-24 Thread Santiago Ruano Rincón
Version: 0.100.2+dfsg-0+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: ClamAV Team Changed-By: Santiago Ruano Rincón Description: clamav - anti-virus utility for Unix - command-line interface clamav-base - anti-virus utility for Unix - base package clamav-daemon - anti-virus

Re: Bug#906724: clamav-daemon: uninstalable on jessie i386 due to dependencies on clamav-base

2018-10-10 Thread Santiago Ruano Rincón
El 09/10/18 a las 21:24, Sebastian Andrzej Siewior escribió: > On 2018-08-20 10:07:43 [+0200], Kiko Piris wrote: > > Package: clamav-daemon > > Version: 0.100.1+dfsg-0+deb8u1 > > Severity: important > > > > The following packages have unmet dependencies: > > clamav-daemon : Depends: clamav-base

Accepted dnsmasq 2.72-3+deb8u4 (source amd64 all) into oldstable

2018-10-04 Thread Santiago Ruano Rincón
-By: Santiago Ruano Rincón Description: dnsmasq- Small caching DNS proxy and DHCP/TFTP server dnsmasq-base - Small caching DNS proxy and DHCP/TFTP server dnsmasq-utils - Utilities for manipulating DHCP leases Closes: 907887 Changes: dnsmasq (2.72-3+deb8u4) jessie-security; urgency=medium

Accepted openssh 1:6.7p1-5+deb8u7 (source amd64 all) into oldstable

2018-09-12 Thread Santiago Ruano Rincón
+deb8u7 Distribution: jessie-security Urgency: medium Maintainer: Debian OpenSSH Maintainers Changed-By: Santiago Ruano Rincón Description: openssh-client - secure shell (SSH) client, for secure access to remote machines openssh-client-udeb - secure shell client for the Debian installer (udeb

Accepted openssh 1:6.7p1-5+deb8u6 (source amd64 all) into oldstable

2018-09-09 Thread Santiago Ruano Rincón
+deb8u6 Distribution: jessie-security Urgency: medium Maintainer: Debian OpenSSH Maintainers Changed-By: Santiago Ruano Rincón Description: openssh-client - secure shell (SSH) client, for secure access to remote machines openssh-client-udeb - secure shell client for the Debian installer (udeb

Accepted qemu 1:2.1+dfsg-12+deb8u7 (source amd64) into oldstable

2018-09-06 Thread Santiago Ruano Rincón
-binfmt qemu-utils qemu-guest-agent qemu-kvm Architecture: source amd64 Version: 1:2.1+dfsg-12+deb8u7 Distribution: jessie-security Urgency: medium Maintainer: Debian QEMU Team Changed-By: Santiago Ruano Rincón Description: qemu - fast processor emulator qemu-guest-agent - Guest-side qemu

Accepted clamav 0.100.1+dfsg-0+deb8u1 (source all amd64) into oldstable, oldstable

2018-08-19 Thread Santiago Ruano Rincón
Version: 0.100.1+dfsg-0+deb8u1 Distribution: jessie-security Urgency: medium Maintainer: ClamAV Team Changed-By: Santiago Ruano Rincón Description: clamav - anti-virus utility for Unix - command-line interface clamav-base - anti-virus utility for Unix - base package clamav-daemon - anti-virus

Accepted ruby2.1 2.1.5-2+deb8u4 (source amd64 all) into oldstable

2018-07-13 Thread Santiago Ruano Rincón
: Antonio Terceiro Changed-By: Santiago Ruano Rincón Description: libruby2.1 - Libraries necessary to run Ruby 2.1 ruby2.1- Interpreter of object-oriented scripting language Ruby ruby2.1-dev - Header files for compiling extension modules for the Ruby 2.1 ruby2.1-doc - Documentation for Ruby 2.1

debian-security-support migrated to Salsa

2018-03-15 Thread Santiago Ruano Rincón
Hi, FYI, I've moved the debian-security-support repo to Salsa: https://salsa.debian.org/debian/debian-security-support Cheers, Santiago

Re: Wheezy LTS - apt error with recent apache2 update - monit issue?

2016-07-21 Thread Santiago Ruano Rincón
Hi, El 21/07/16 a las 22:37, Jan Ingvoldstad escribió: > On 2016-07-21 21:13, Alastair Sherringham wrote: > > Hello, > > Hi! > > > I saw that Apache2 had a Wheezy LTS update today and did the usual : > > > > apt-get update && apt-get dist-upgrade > > > > However, this gave me an error, and it

My Debian LTS activities in June 2016

2016-07-07 Thread Santiago Ruano Rincón
Hi, For June 2016, I am afraid I have been unable to use all the hours that Freexian had available for me, and catch up those remaining from May. This is the most important work in 15.5 hours: * samba: Sent the [DLA-509-1](https://lists.debian.org/debian-lts-announce/2016/06/msg00010.html),

Re: Update of tcpreplay 3.4.3-2+wheezy2

2016-07-07 Thread Santiago Ruano Rincón
El 07/07/16 a las 15:15, Christoph Biedl escribió: > Hello, > > just a heads-up, since I had prepared a wheezy update for the recent > tcpreplay issue (CVE-2016-6160, #829350) beforehand, I will also do an > upload for wheezy-lts. The maintainer has agreed to this approach. If > you have

Re: CVE-2016-6131 binutils, gdb, valgrind etc.

2016-07-07 Thread Santiago Ruano Rincón
El 06/07/16 a las 18:43, Bálint Réczey escribió: > Hi, > > 2016-07-06 18:22 GMT+02:00 Holger Levsen : > > On Wed, Jul 06, 2016 at 05:57:43PM +0200, Markus Koschany wrote: > >> In this specific case I wouldn't do it because of the reasons I have > >> mentioned before but

Re: Squid3 in wheezy-backports and dependencies

2016-07-04 Thread Santiago Ruano Rincón
El 04/07/16 a las 15:25, Antoine MILLET escribió: > Hello, > > First of all I would thank all the LTS team for the great work you've done > last years. > > One of my sysadmin had the issue with squid and dependencies explained in : > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819523. >

RFH: fixing some squid2 remaining open bugs. (was: Should we give security support for squid when wheezy also has squid3?)

2016-07-03 Thread Santiago Ruano Rincón
(Sorry if you finally receive this twice. I have had issues sending mail) Hi, I have pushed in collab-maint a repo for a next squid2 release, that includes the fix for CVE-2016-4554: https://anonscm.debian.org/cgit/collab-maint/debian-lts/squid.git/ I would need help to address some bugs, that

Wheezy update of spice?

2016-06-11 Thread Santiago Ruano Rincón
; urgency=medium + + * Non-maintainer upload by the Debian LTS Team. + * Fix CVE-2016-2150: Host memory access from guest using crafted primary +surface parameters (Closes: #826584) + + -- Santiago Ruano Rincón <santiag...@riseup.net> Wed, 08 Jun 2016 12:54:13 +0200 + spice (0.11.0-1+

[SECURITY] [DLA 509-1] samba security update

2016-06-09 Thread Santiago Ruano Rincón
Package: samba Version: 2:3.6.6-6+deb7u10 Debian Bug : 820982 821811 The Samba 2:3.6.6-6+deb7u9 release, issued by the DSA-3548-1, introduced different regressions causing trust relationship with Win 7 domains to fail. The fix for the CVE-2016-2115 has been reverted, so

Re: Call for testing: upcoming libxml2 security update

2016-06-03 Thread Santiago Ruano Rincón
Hi, El 01/06/16 a las 16:43, Salvatore Bonaccorso escribió: > Hi LTS team, > > On Sat, May 28, 2016 at 11:35:18AM +0200, Salvatore Bonaccorso wrote: > [...] > > While preparing the jessie-security update, The commits were > > backported as well for libxml2 in wheezy. If you are using them please

Re: wheezy update of ntp? (was: squeeze update of ntp?)

2016-05-31 Thread Santiago Ruano Rincón
uest: Assertion failure by duplicate IPs on unconfig directives. * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted addpeer. . [Santiago Ruano Rincón] * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation. debian/rules: configure with

[SECURITY] [DLA 494-1] eglibc security update

2016-05-29 Thread Santiago Ruano Rincón
Package: eglibc Version: 2.13-38+deb7u11 CVE ID : CVE-2016-1234 CVE-2016-3075 CVE-2016-3706 Several vulnerabilities have been fixed in the Debian GNU C Library, eglibc: CVE-2016-1234 Alexander Cherepanov discovered that the glibc's glob implementation suffered

Re: [Pkg-samba-maint] Bug#821811: samba: badlock patch breaks trust relationship

2016-05-26 Thread Santiago Ruano Rincón
El 23/05/16 a las 22:28, Andrew Bartlett escribió: > On Wed, 2016-05-18 at 15:47 -0400, Antoine Beaupré wrote: > > On 2016-04-29 08:55:43, Santiago Ruano Rincón wrote: > > > Dear Samba maintainers, > > > > > > Any updates about this bug? > > >

Re: [Secure-testing-commits] r41743 - data/CVE

2016-05-17 Thread Santiago Ruano Rincón
Hi Chris, El 15/05/16 a las 12:32, Chris Lamb escribió: > Author: lamby > Date: 2016-05-15 12:32:30 + (Sun, 15 May 2016) > New Revision: 41743 > > Modified: >data/CVE/list > Log: > Triage mediawiki for Wheezy LTS > > Modified: data/CVE/list >

Re: Unsupported packages for Wheezy LTS

2016-05-13 Thread Santiago Ruano Rincón
Hi, El 13/05/16 a las 09:51, Raphael Hertzog escribió: > Hello, > > On Thu, 12 May 2016, Markus Koschany wrote: > > I saw those commits too yesterday. I would suggest that we discuss EOLed > > packages on debian-lts before we mark CVEs as unsupported in Wheezy LTS. > > Definitely, we should not

squid3 test packages

2016-05-12 Thread Santiago Ruano Rincón
Hi, squid3 test packages available at: deb https://people.debian.org/~santiago/debian santiago-wheezy/ deb-src https://people.debian.org/~santiago/debian santiago-wheezy/ Tests are welcome and appreciated! Cheers, Santiago

Re: Unsupported packages for Wheezy LTS

2016-05-12 Thread Santiago Ruano Rincón
Hi, Given the recent bug triaging, security-support-ended.deb7 needs more updating. I'm taking Moritz's mail as reference, and I hope I am not missing other info: El 11/11/15 a las 21:59, Sebastian Ramacher escribió: > Hi > > On 2015-11-04 17:44:36, Raphael Hertzog wrote: > > [ Many people are

Re: Accepted debian-security-support 2016.05.09+nmu1 (source all) into oldstable, oldstable

2016-05-10 Thread Santiago Ruano Rincón
El 10/05/16 a las 08:43, Holger Levsen escribió: > Hi, > > first: thanks for taking care of the debian-security-package! Much > appreciated! > > On Tue, May 10, 2016 at 10:01:28AM +0200, Santiago Ruano Rincón wrote: > > I'll take that into account for future uploa

Re: Accepted debian-security-support 2016.05.09+nmu1 (source all) into oldstable, oldstable

2016-05-10 Thread Santiago Ruano Rincón
El 10/05/16 a las 09:17, Raphael Hertzog escribió: > (Copying debian-lts as the information here is of general interest to > LTS contributors IMO) > > On Mon, 09 May 2016, d...@security.debian.org wrote: > > Version: 2016.05.09+nmu1 > > Distribution: wheezy-security > > How come you reused the

Re: how reliable is "debian-security-support" ? AW: [SECURITY] Security support for Wheezy handed over to the LTS team

2016-05-09 Thread Santiago Ruano Rincón
El 09/05/16 a las 11:43, Moritz Muehlenhoff escribió: > On Mon, May 09, 2016 at 09:35:22AM +, Holger Levsen wrote: > > On Mon, May 09, 2016 at 08:43:37AM +, Schulz, Reiner wrote: > > > How often i have to update the "debian-security-support" package? > > > > "never" is valid answer I'd

My Debian LTS activities in April 2016

2016-05-04 Thread Santiago Ruano Rincón
Hi everybody, The last month of April, I had available 15 hours in total paid by Freexian to work on LTS, but I have only spent 7.5. This is mainly what I did: * mysql-5.5: handle the new upstream version of the package prepared by Lars Tangvald, test it, and upload the [DLA

Wheezy update of quagga?

2016-04-30 Thread Santiago Ruano Rincón
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of quagga: https://security-tracker.debian.org/tracker/source-package/quagga Would you like to take care of this yourself? If yes, please follow the workflow we

[SECURITY] [DLA 447-1] mysql-5.5 security update

2016-04-30 Thread Santiago Ruano Rincón
Package: mysql-5.5 Version: 5.5.49-0+deb7u1 CVE ID : CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-2047 Debian Bug :

About the security issues affecting cyrus-imapd-2.4 in Wheezy

2016-04-29 Thread Santiago Ruano Rincón
Hello dear maintainer(s), the Debian LTS team recently reviewed the security issue(s) affecting your package in Squeeze: https://security-tracker.debian.org/tracker/CVE-2015-8076 We decided that we would not prepare a wheezy security update (usually because the security impact is low and that we

Wheezy update of squid3?

2016-04-29 Thread Santiago Ruano Rincón
Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of squid3: https://security-tracker.debian.org/tracker/source-package/squid3 Would you like to take care of this yourself? If yes, please follow the workflow we

Re: Wheezy handed over LTS

2016-04-27 Thread Santiago Ruano Rincón
On 27/04/16 at 15:48, VigneshDhanraj G wrote: > https://www.debian.org/News/2016/20160425 > > LTS will support only amd64 and i386, If I need deb for ARM architecture, Is > there any steps to generate deb for arm architecture from the source? > > Regards, > Vigneshdhanraj G Maybe you

Re: Who is attending DebConf?

2016-04-11 Thread Santiago Ruano Rincón
On 08/04/16 at 20:08, Santiago Ruano Rincón wrote: > On 08/04/16 at 18:57, Guido Günther wrote: > > Hi, > > On Fri, Apr 08, 2016 at 10:01:10AM +0200, Raphael Hertzog wrote: > > > Hello, > > > > > > I'm going to attend DebConf and

My Debian LTS activities in March 2016

2016-04-05 Thread Santiago Ruano Rincón
Hello everybody, The last month of March, I spent 10 paid hours by Freexian on LTS, mainly on this: * squid3: After the problems found backporting the patch for CVE-2016-2569 to squeeze, I have investigated further on this bug, and I found a new DoS that has been fixed by upstream in 3.5.16.

Re: Bug#818843: debian-security-support: new earlyend type, consider future end of support

2016-03-29 Thread Santiago Ruano Rincón
On 21/03/16 at 18:00, Markus Koschany wrote: > On 21.03.2016 at 00:38, Santiago Ruano Rincón wrote: ... > > Also, would it be better to have a separate list file for earlyend? > > Hi, > > I think one file (security-support-ended.deb7) where we store all the

CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)

2016-03-24 Thread Santiago Ruano Rincón
21:16:12.0 +0100 +++ librsvg-2.36.1/debian/changelog 2016-03-24 10:53:07.0 +0100 @@ -1,3 +1,10 @@ +librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium + + * Non-maintainer upload. + * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file. + + -- Santiago Ruano Rincón
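
Review bot: the new changelog stanza targets `wheezy` in its first added line (`librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium`); if this upload is meant to go through the security archive rather than a point release, the distribution field should be `wheezy-security`. The `Fix CVE-2015-7557` entry also does not say which file under debian/patches carries the fix; naming it there would make the change traceable from the changelog alone.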

Accepted squid3 3.1.6-1.2+squeeze7 (source all amd64) into squeeze-lts

2016-03-03 Thread Santiago Ruano Rincón
Gangitano <lu...@debian.org> Changed-By: Santiago Ruano Rincón <santiag...@riseup.net> Description: squid-cgi - A full featured Web Proxy cache (HTTP proxy) - control CGI squid3 - A full featured Web Proxy cache (HTTP proxy) squid3-common - A full featured Web Proxy cache (HTTP pro

Accepted squid3 3.1.6-1.2+squeeze6 (source all amd64) into squeeze-lts

2016-02-29 Thread Santiago Ruano Rincón
Gangitano <lu...@debian.org> Changed-By: Santiago Ruano Rincón <santiag...@riseup.net> Description: squid-cgi - A full featured Web Proxy cache (HTTP proxy) - control CGI squid3 - A full featured Web Proxy cache (HTTP proxy) squid3-common - A full featured Web Proxy cache (HTTP pro
