Re: Wheezy update of leptonlib?

2018-02-22 Thread Jeff Breidenbach
There are multiple email threads about leptonlib. I'll be as responsive as I
can to them, but the LTS team should take the lead.


Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
These binaries were removed in #830660.

>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>/tmp/split
>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>/tmp/junk_split_image.ps


prune_unsafe_binaries.diff.gz
Description: GNU Zip compressed data


Re: upload leptonlib

2018-02-22 Thread Jeff Breidenbach
The remaining hardcoded /tmp filenames are believed to be in test and debug
code paths.


Re: Wheezy update of irssi?

2018-02-22 Thread Chris Lamb
Hey Rhonda,

I've gone ahead and uploaded 0.8.15-5+deb7u5 and announced DLA 1289-1.

> It still would be nice to get some git patchsets for your uploads so I
> can apply them to the repository

Of course! Attached, including the "missing" changes for 0.8.15-5+deb7u2,
0.8.15-5+deb7u3 & 0.8.15-5+deb7u4. They should apply cleanly to the 'wheezy'
branch of git://git.deb.at/pkg/irssi.git.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
From cd3e047c59d3fe8c679efc4f648f0b85d09d7744 Mon Sep 17 00:00:00 2001
From: Chris Lamb 
Date: Thu, 22 Feb 2018 20:45:43 +
Subject: [PATCH 6/6] CVE-2018-7052: When the number of windows exceeds the
 available space, a crash could occur due to a NULL pointer dereference.
 (Closes: #890676)

---
 debian/changelog   |  2 ++
 debian/patches/CVE-2018-7052.patch | 13 +
 debian/patches/series  |  1 +
 3 files changed, 16 insertions(+)
 create mode 100644 debian/patches/CVE-2018-7052.patch

diff --git a/debian/changelog b/debian/changelog
index 77baea4..12cc7a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
 (Closes: #890678)
   * CVE-2018-7051: Prevent an issue where certain nick names could result in
 out-of-bounds access when printing theme strings. (Closes: #890677)
+  * CVE-2018-7052: When the number of windows exceeds the available space, a
+crash could occur due to a NULL pointer dereference. (Closes: #890676)
 
  -- Chris Lamb   Thu, 22 Feb 2018 20:34:59 +
 
diff --git a/debian/patches/CVE-2018-7052.patch b/debian/patches/CVE-2018-7052.patch
new file mode 100644
index 000..d7b8a79
--- /dev/null
+++ b/debian/patches/CVE-2018-7052.patch
@@ -0,0 +1,13 @@
+--- irssi.orig/src/fe-text/mainwindows.c
 irssi/src/fe-text/mainwindows.c
+@@ -807,6 +807,10 @@ static void cmd_window_show(const char *
+ 	}
+ 
+ 	parent = mainwindow_create();
++	if (parent == NULL) {
++		printformat_window(active_win, MSGLEVEL_CLIENTERROR, TXT_WINDOW_TOO_SMALL);
++		return;
++	}
+ 	parent->active = window;
+ gui_window_reparent(window, parent);
+ 
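Review bot: The NULL check guards only the mainwindow_create() call in cmd_window_show. Since this fix establishes that mainwindow_create() can return NULL, any other caller in the 0.8.15 tree that dereferences the result needs the same guard, so it is worth checking for them before upload. The hunk also uses TXT_WINDOW_TOO_SMALL without adding it, so confirm that format already exists in this older version. The new patch file has no header (Description, Origin, Bug-Debian); adding one would make the backport traceable to the upstream commit.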
diff --git a/debian/patches/series b/debian/patches/series
index dfb6479..57279e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@
 28IRSSI-SA-2017-10.patch
 CVE-2018-7050.patch
 CVE-2018-7051.patch
+CVE-2018-7052.patch
-- 
2.16.1

From 62b7a4d1783ab99a6e32ae3f955fd60d22dcb4e7 Mon Sep 17 00:00:00 2001
From: Chris Lamb 
Date: Thu, 22 Feb 2018 20:42:17 +
Subject: [PATCH 5/6] CVE-2018-7051: Prevent an issue where certain nick names
 could result in out-of-bounds access when printing theme strings. (Closes:
 #890677)

---
 debian/changelog   | 2 ++
 debian/patches/CVE-2018-7051.patch | 0
 debian/patches/series  | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 debian/patches/CVE-2018-7051.patch

diff --git a/debian/changelog b/debian/changelog
index a258df4..77baea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
 
   * CVE-2018-7050: Prevent a null pointer dereference for an "empty" nick.
 (Closes: #890678)
+  * CVE-2018-7051: Prevent an issue where certain nick names could result in
+out-of-bounds access when printing theme strings. (Closes: #890677)
 
  -- Chris Lamb   Thu, 22 Feb 2018 20:34:59 +
 
diff --git a/debian/patches/CVE-2018-7051.patch b/debian/patches/CVE-2018-7051.patch
new file mode 100644
index 000..e69de29
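Review bot: debian/patches/CVE-2018-7051.patch is created empty here: the diffstat lists it with 0 lines and e69de29 is git's empty-blob id, yet the same commit appends it to debian/patches/series and the changelog claims the out-of-bounds fix. As posted, this commit applies no code change for CVE-2018-7051; the patch content should be added in this commit, or the series and changelog entries held back until it is.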
diff --git a/debian/patches/series b/debian/patches/series
index a2c5330..dfb6479 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 24security-fixes
 28IRSSI-SA-2017-10.patch
 CVE-2018-7050.patch
+CVE-2018-7051.patch
-- 
2.16.1

From 669ff89c84f7725c2f3f35cd429a3d56f09f13e7 Mon Sep 17 00:00:00 2001
From: Chris Lamb 
Date: Thu, 22 Feb 2018 20:37:50 +
Subject: [PATCH 4/6] CVE-2018-7050: Prevent a null pointer dereference for an
 "empty" nick. (Closes: #890678)

---
 debian/changelog   |  7 +++
 debian/patches/CVE-2018-7050.patch | 18 ++
 debian/patches/series  |  1 +
 3 files changed, 26 insertions(+)
 create mode 100644 debian/patches/CVE-2018-7050.patch

diff --git a/debian/changelog b/debian/changelog
index b9b49a2..a258df4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+irssi (0.8.15-5+deb7u5) wheezy-security; urgency=high
+
+  * CVE-2018-7050: Prevent a null pointer dereference for an "empty" nick.
+(Closes: #890678)
+
+ -- Chris Lamb   Thu, 22 Feb 2018 20:34:59 +
+
 irssi (0.8.15-5+deb7u4) wheezy-security; urgency=medium
 
   * Non-maintainer upload by the Debian LTS team.
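Review bot: The new 0.8.15-5+deb7u5 stanza has no "Non-maintainer upload by the Debian LTS team." line, although the 0.8.15-5+deb7u4 entry directly below it opens with one. Add it as the first bullet so the entry is consistent with the earlier LTS uploads.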
diff --git a/debian/patches/CVE-2018-7050.patch 

[SECURITY] [DLA 1289-1] irssi security update

2018-02-22 Thread Chris Lamb
Package: irssi
Version: 0.8.15-5+deb7u5
CVE IDs: CVE-2018-7050 CVE-2018-7051 CVE-2018-7052
Debian Bugs: #890676, #890677, #890678

It was discovered that there were a number of vulnerabilities in irssi,
the terminal based IRC client:

  - CVE-2018-7050: Null pointer dereference for an "empty" nick.

  - CVE-2018-7051: Certain nick names could result in out-of-bounds
    access when printing theme strings.

  - CVE-2018-7052: When the number of windows exceeds the available space, a
    crash could occur due to another NULL pointer dereference.

For Debian 7 "Wheezy", these issues have been fixed in irssi version
0.8.15-5+deb7u5.

We recommend that you upgrade your irssi packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Re: upload leptonlib

2018-02-22 Thread Salvatore Bonaccorso
Hi Ben,

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> > Hi Ben,
> > 
> > On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > > Hello.
> > > > > > > 
> > > > > > > I prepared LTS security update for leptonlib. Please review and 
> > > > > > > upload.
> > > > > > > You can find debdiff along with the mail.
> > > > > > > link:
> > > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > > 
> > > > > > 
> > > > > > Abhijith,
> > > > > > 
> > > > > > I have reviewed and uploaded the package. While you backported the
> > > > > > upstream fix, I feel like their approach falls under item #2 of 
> > > > > > "The Six
> > > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I 
> > > > > > cannot
> > > > > > help but wonder if another vulnerability will be uncovered later 
> > > > > > that
> > > > > > uses different characters that are not being checked.
> > > > > 
> > > > > I found one already: it filters out `command` but not $(command).
> > > > > 
> > > > > I'm afraid this library appears to have been written without any 
> > > > > regard
> > > > > for security, or even the existence of multiuser systems.
> > > > > 
> > > > > Bug #890548 (stack buffer overflows) is probably exploitable in 
> > > > > wheezy,
> > > > > and I think there are more instances.
> > > > > 
> > > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but 
> > > > > I
> > > > > can still see:
> > > > 
> > > > [...]
> > > > 
> > > > I've re-added the package to dla-needed.txt for #889759 /
> > > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > > 
> > > I think additional CVEs are needed for:
> > > 
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836
> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite
> > > 4. #885704
> > > 5. The remaining hardcoded paths in /tmp
> > 
> > Have you already requested CVEs for the other issues?
> 
> No I haven't.

Alright, I will try to request the pending ones tonight.

Regards,
Salvatore



Re: upload leptonlib

2018-02-22 Thread Ben Hutchings
On Thu, 2018-02-22 at 07:26 +0100, Salvatore Bonaccorso wrote:
> Hi Ben,
> 
> On Sat, Feb 17, 2018 at 09:28:19PM +, Ben Hutchings wrote:
> > On Fri, 2018-02-16 at 14:36 -0500, Antoine Beaupré wrote:
> > > On 2018-02-15 21:34:48, Ben Hutchings wrote:
> > > > On Wed, 2018-02-14 at 22:23 -0500, Roberto C. Sánchez wrote:
> > > > > On Wed, Feb 14, 2018 at 02:56:24PM +0530, Abhijith PA wrote:
> > > > > > Hello.
> > > > > > 
> > > > > > I prepared LTS security update for leptonlib. Please review and 
> > > > > > upload.
> > > > > > You can find debdiff along with the mail.
> > > > > > link:
> > > > > > https://mentors.debian.net/debian/pool/main/l/leptonlib/leptonlib_1.69-3.1+deb7u1.dsc
> > > > > > 
> > > > > 
> > > > > Abhijith,
> > > > > 
> > > > > I have reviewed and uploaded the package. While you backported the
> > > > > upstream fix, I feel like their approach falls under item #2 of "The 
> > > > > Six
> > > > > Dumbest Ideas in Computer Security [0]": Enumerating Badness. I cannot
> > > > > help but wonder if another vulnerability will be uncovered later that
> > > > > uses different characters that are not being checked.
> > > > 
> > > > I found one already: it filters out `command` but not $(command).
> > > > 
> > > > I'm afraid this library appears to have been written without any regard
> > > > for security, or even the existence of multiuser systems.
> > > > 
> > > > Bug #890548 (stack buffer overflows) is probably exploitable in wheezy,
> > > > and I think there are more instances.
> > > > 
> > > > Bug #885704 (hardcoded paths in /tmp) has been closed in unstable but I
> > > > can still see:
> > > 
> > > [...]
> > > 
> > > I've re-added the package to dla-needed.txt for #889759 /
> > > CVE-2018-3836. Should a new CVE be issued for #885704?
> > 
> > I think additional CVEs are needed for:
> > 
> > 1. #890548
> 
> This one has CVE-2018-7186.
> 
> > 2. Incomplete fix for #889759 / CVE-2018-3836
> > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > there is a possibility of path traversal and arbitrary file overwrite
> > 4. #885704
> > 5. The remaining hardcoded paths in /tmp
> 
> Have you already requested CVEs for the other issues?

No I haven't.

Ben.

-- 
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had
thought. ... I realized that a large part of my life from then on was
going to be spent in finding mistakes in my own programs. - Maurice
Wilkes, 1949


signature.asc
Description: This is a digitally signed message part
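
The "enumerating badness" concern quoted in this thread, as an added example (not code from leptonlib, its upstream fix, or any poster): a denylist check beside an allowlist check for a file name that will be passed to a shell or used to build a path. The function names, the sample inputs and the denylist's character set are assumptions, except that the set contains the backtick and omits '$', '(', ')' and '/', as the thread reports.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical denylist modelled on the approach criticised in the thread.
 * The exact set is an assumption; what matters is that it contains the
 * backtick but not '$', '(', ')' or '/'. */
static const char DENY_CHARS[] = ";&|><\"'?*`";

/* Returns 1 if the denylist lets the name through. */
int denylist_accepts(const char *name)
{
    return name != NULL && strpbrk(name, DENY_CHARS) == NULL;
}

/* Allowlist: a single path component made only of [A-Za-z0-9._-],
 * non-empty, bounded in length, not starting with '.' or '-'.
 * Returns 1 if the name is accepted. */
int allowlist_accepts(const char *name)
{
    static const char OK_CHARS[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    if (name[0] == '.' || name[0] == '-')   /* no dotfiles, no option look-alikes */
        return 0;
    return strspn(name, OK_CHARS) == len;   /* every byte must be on the list */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "page1",
        "scan_01.ps",
        "a`cmd`",            /* caught by both checks */
        "a$(cmd)",           /* passes the denylist: '$', '(' and ')' are not listed */
        "../../etc/target",  /* passes the denylist: '/' is not listed */
        "-rf",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s denylist=%d allowlist=%d\n", samples[i],
               denylist_accepts(samples[i]), allowlist_accepts(samples[i]));
    return 0;
}
```

The allowlist needs no update when a new metacharacter or traversal form turns up, because anything not explicitly permitted is already rejected.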


[SECURITY] [DLA 1288-1] cups security update

2018-02-22 Thread Chris Lamb
Package: cups
Version: 1.5.3-5+deb7u7
CVE ID : CVE-2017-18190

It was discovered that there was an issue in the CUPS printer
framework where remote attackers could execute arbitrary commands by
sending POST requests to the CUPS daemon in conjunction with DNS
rebinding.

This was caused by a whitelisted "localhost.localdomain" entry.

For Debian 7 "Wheezy", this issue has been fixed in cups version
1.5.3-5+deb7u7.

We recommend that you upgrade your cups packages.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-




Accepted cups 1.5.3-5+deb7u7 (source all amd64) into oldoldstable

2018-02-22 Thread Chris Lamb
Format: 1.8
Date: Thu, 22 Feb 2018 14:17:48 +
Source: cups
Binary: libcups2 libcupsimage2 libcupscgi1 libcupsdriver1 libcupsmime1 
libcupsppdc1 cups cups-client libcups2-dev libcupsimage2-dev libcupscgi1-dev 
libcupsdriver1-dev libcupsmime1-dev libcupsppdc1-dev cups-bsd cups-common 
cups-ppdc cups-dbg cupsddk
Architecture: source all amd64
Version: 1.5.3-5+deb7u7
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Printing Team 
Changed-By: Chris Lamb 
Description: 
 cups   - Common UNIX Printing System(tm) - server
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-dbg   - Common UNIX Printing System(tm) - debugging symbols
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cupsddk - Common UNIX Printing System (transitional package)
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupscgi1 - Common UNIX Printing System(tm) - CGI library
 libcupscgi1-dev - Common UNIX Printing System(tm) - Development files for CGI libra
 libcupsdriver1 - Common UNIX Printing System(tm) - Driver library
 libcupsdriver1-dev - Common UNIX Printing System(tm) - Development files driver librar
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
 libcupsmime1 - Common UNIX Printing System(tm) - MIME library
 libcupsmime1-dev - Common UNIX Printing System(tm) - Development files MIME library
 libcupsppdc1 - Common UNIX Printing System(tm) - PPD manipulation library
 libcupsppdc1-dev - Common UNIX Printing System(tm) - Development files PPD library
Changes: 
 cups (1.5.3-5+deb7u7) wheezy-security; urgency=high
 .
   * CVE-2017-18190: Prevent an issue where remote attackers could execute
 arbitrary IPP commands by sending POST requests to the CUPS daemon in
 conjunction with DNS rebinding. This was caused by a whitelisted
 "localhost.localdomain" entry.

Re: Wheezy update of irssi?

2018-02-22 Thread Rhonda D'Vine
* Antoine Beaupré  [2018-02-16 21:01:48 CET]:
> On 2017-12-22 13:53:46, Rhonda D'Vine wrote:
> > * Emilio Pozuelo Monfort  [2017-12-19 20:04:57 CET]:
> >  Given that you would be paid to do the update and me not there is
> > little sense for me to do it, right?  Don't want to step in the way of
> > payrolls.
> 
> Hi Rhonda,
> 
> I am not sure how you want us to proceed from here on... There has been
> yet another set of security issues discovered in irssi, as documented
> here:
> 
> https://irssi.org/security/html/irssi_sa_2018_02/

 I am aware.

> It's your call, really. If you see another option, I'd be happy to hear
> it as well.

 I thought my above statement should have been clear enough?  Again,
I don't want to step in the way of your payrolls, and I am still a
bit disturbed by the fact that oldoldstable gets more attention than
oldstable or stable for the matter, still believe that the priorities
with respect to that are the wrong way around, but you are free to do
what you can and should do, this is still a voluntary project.

 I plan to work on 1.0.7 for unstable, haven't yet made up my mind if I
want to switch to the 1.1 branch (1.0 is said to be supported by
upstream specifically for a long time, 1.2 will be the next maintenance
branch), and after that would go so-to-say "top down" from newest
release to oldest release, not the other way around.  So I won't get in
your way there unless I have enough time to get there earlier than you.

 It still would be nice to get some git patchsets for your uploads so I
can apply them to the repository, but my priorities are definitely
rather on fixing-more-current-releases-first than oldoldstable as
highest priority.

> I hope you are well! I'll probably be available to discuss this in
> person at DebConf Taiwan if you'd rather avoid another email
> discussion, although that is rather far in the future...

 Also looking forward to be there. :)
Rhonda
-- 
If you feel discouraged, take courage at last, go  |
If you feel helpless, go out and help, go          | Wir sind Helden
If you feel powerless, go out and act, go          | 23.55: Alles auf Anfang
If you feel adrift, find a hold and let go         |



Re: Wheezy update of irssi?

2018-02-22 Thread Chris Lamb
Hey Rhonda,

I trust this finds you well? :)

> I think people in the LTS team would be happy either way

Unless you have Strong Opinions, I'm going to go ahead and upload
to LTS tomorrow to fix CVE-2018-7050, CVE-2018-7051 & CVE-2018-7052.

Naturally do let me know if I should hold off for whatever reason. :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Re: Extended Long Term Support for Wheezy

2018-02-22 Thread Raphael Hertzog
Hello,

On Tue, 20 Feb 2018, Vincent Bernat wrote:
> My bad. I suggest replacing "it would not be possible to get extended
> wheezy support" by "it would not be possible to sponsor extended wheezy
> support".

Done.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/