Hi,
On Mon, 22 Apr 2024, Yadd wrote:
> Let's upload 2.4.59-1~deb10u1 ?
You might want to hold off until Thursday. Santiago requested help for a
review and Bastien Roucaries said that he would do it tomorrow
(Wednesday).
Santiago also sent your updated package through our buster ELTS staging
Hello Ola,
On Fri, 12 Apr 2024, Ola Lundqvist wrote:
> I see three:
> 1) copy secteam decision and move on to the next package (I guess
> remove from dla-needed)
> 2) copy secteam decision for most of them, but fix the ones with fedora
> patches
> 3) dive in and start developing (that will take
Hi,
On Wed, 10 Apr 2024, Ola Lundqvist wrote:
> > Some package maintainers will typically decide to fix it via a point
> > release. But they rarely update the triaging to document "postponed" or
> > "ignored". So that's why it's up to the LTS team to make that call
> > when we are (alone) in
Hello,
On Tue, 09 Apr 2024, Ola Lundqvist wrote:
> Let me use some data from CVEs for last year 2023.
> I used the following method to extract the data
> grep -B 5 '\[buster\]' list | grep -A 5 "^CVE-2023-" | grep '\[buster\]'
> and then grepped for the end-of-life, not-affected (and so on to
Hi,
On Sat, 23 Mar 2024, Roberto C. Sánchez wrote:
> In any event, I am happy to work towards reinitializing the Salsa issues
> experiment to start again in April and then see how it goes from there.
>
> What do you think?
It's a pity that nobody else responded... I'm no longer involved in
Hello Roberto,
On Thu, 14 Mar 2024, Roberto C. Sánchez wrote:
> Santiago and I are in agreement that at the moment the best available
> option is to use dla-needed.txt even for tracking work that needs to
> happen after the DLA is released, specifically working toward an upload
> to (old)stable.
Hi,
On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote:
> The result is an improved pipeline with better support for both LTS and
> ELTS. [1]
Great work Emilio!
It would be nice to have all this properly documented in
https://lts-team.pages.debian.net
I'm also curious to know if you think that
Hello Chris,
thanks for the report. Everything should be fixed now.
Cheers,
On Mon, 10 Oct 2022, Chris Lamb wrote:
> Hi friends,
>
> I noticed that some of the URLs on the ELTS instructions page are now
> outdated:
>
> https://www.freexian.com/lts/extended/docs/how-to-use-extended-lts/
>
Hi,
On Tue, 13 Sep 2022, Abhijith PA wrote:
> > Yes, that'd make sense. I'll start a separate thread for
> > CVE-2022-32224. Roll back for now so there's no regression at least.
>
> I've disabled patch for CVE-2022-32224. Also tested against redmine.
> Looks good for me. Can you give a smoke
Hello,
On Thu, 08 Sep 2022, Abhijith PA wrote:
> On 07/09/22 11:10 AM, Raphael Hertzog wrote:
> > Hello Abhijith and the LTS team,
> >
> > in Kali we have applied the last ruby-active* security updates and this
> > broke the web API part of autopkgtest.kali.org.
>
Hello Abhijith and the LTS team,
in Kali we have applied the last ruby-active* security updates and this
broke the web API part of autopkgtest.kali.org.
Specifically line 51 in
/usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb
makes a call to
Hello,
On Wed, 03 Aug 2022, Sylvain Beucler wrote:
> OpenStack: we tend not to support openstack beyond upstream's support, but
> I'm having a hard time associating the components version with OpenStack's
> major version; possibly other openstack packages (horizon, manila,
> neutron...) are
Hi Utkarsh,
On Tue, 14 Sep 2021, Utkarsh Gupta wrote:
> On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta wrote:
> > > The missing key creates problems for example with simple-cdd:
> > > https://bugs.debian.org/992966
> >
> > Okay, I'll be happy to do the update. Though I wonder if it'd rather
> >
[ Ccing debian-release in case they have some advice / concerns to express ]
Hello LTS team,
it would be nice if we could get an update of debian-archive-keyring
in stretch to add the bullseye key just like it has been done in buster a
while ago:
Hi,
On Mon, 23 Aug 2021, Lucas Nussbaum wrote:
> Is there a rsync mirror that could be used to sync dists/?
Not currently, no. I could look into adding it but I might not want
to make it publicly accessible. I don't really want to make it easy
to have public mirrors while ELTS has a very limited
On Mon, 17 May 2021, Utkarsh Gupta wrote:
> > Where do you think I should include this tool and what should I name it to?
>
> Hm, nice question :P
> Probably here: https://salsa.debian.org/freexian-team?
I would say https://salsa.debian.org/lts-team/ rather...
Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël
Hello Moritz,
On Fri, 16 Apr 2021, Moritz Mühlenhoff wrote:
> > These source package sets comes to mind:
> > - node-*
>
> That would be super-noisy and will potentially clash with a lot of local
> package state.
Do you consider it noisy due to the possible clash with local packages?
Or are both
Hi,
On Fri, 12 Feb 2021, Carles Pina i Estany wrote:
> When I was discussing this with a friend I had thought if Debian could
> make available and visible for the users some metrics, contextualised in
> similar (per functionality) packages:
That would certainly be useful to expose, yes!
But
Hi,
On Tue, 19 Jan 2021, Robert Edmonds wrote:
> There is an unfixed issue in Unbound 1.9.0 (#962459 / #973052) that
> affects some users (I have not been able to reproduce it). Upstream has
> invested some time in helping the Debian maintainers track down
> potential combinations of commits from
Hello,
On Wed, 25 Nov 2020, Sylvain Beucler wrote:
> Consequently I believe we're not in a position to offer MongoDB security
> support in LTS nor ELTS, and we need to drop it from our supported packages.
>
> What do you think?
I think that you are right if you believe that we have no influence
Hi,
On Wed, 25 Nov 2020, Utkarsh Gupta wrote:
> Sensing there's an agreement by others here, let's drop and announce
> this as EOL'ed then?
For LTS, definitely, yes. For ELTS, it's a bit more complicated since each
customer pays for their package list and as you noted, mongodb is among
those.
Hello,
On Mon, 19 Oct 2020, Antoine Cervoise wrote:
> I'm not familiar with how to report security issues regarding packages
> under LTS/Extended LTS support.
LTS and ELTS have very different organizations. LTS has a public contact
point (here on this list) but ELTS doesn't have any since it's
Hi,
On Wed, 20 May 2020, Holger Levsen wrote:
> > Is the "Find upstream developers who are willing to work on LTS support"
> > still relevant? It lists packages such as Xen, which I thought were
> > already dealt with.
>
> yes and yes, xen is being taken care of atm. I've updated the TODO page.
Hi,
(Sylvain, please cc me if you want me to read something in any timely fashion)
On Thu, 07 Nov 2019, Sylvain Beucler wrote:
> Raphael, given that this package is low popcon and the vulnerability is
> fuzzy, do you know if the sponsor for this package would be willing to
> test fixes?
The
Hi,
On Sun, 06 Oct 2019, Markus Koschany wrote:
> Yes, there is a (DNS) problem with the server right now. We are aware of
> it and hope it will be fixed within the next 24 hours. Apologies for any
> inconveniences caused.
Server is back online. It had a problem with its network filesystem.
Hi,
On Mon, 30 Sep 2019, Sylvain Beucler wrote:
> From what I understand there was a training during July and August,
> resulting in active status this month.
> I saw zero traces of this training besides a passing anonymous
> mention in Raphael's reports.
> Possibly we can clarify this a lil'
Hi,
On Fri, 30 Aug 2019, Alexander Wirt wrote:
> > We're not speaking of crap software, we're just speaking of software that
> > can't be maintained multiple years by backports of security patches, where
> > we get fixes only with new upstream versions (mixed with new features).
> I don't want to
On Fri, 30 Aug 2019, Alexander Wirt wrote:
> There were several discussions over the last years. And yes, our vision of
> backports does not match the vision of those fastpace/not ready for
> stable/whatever you call them repos. In our vision debian-backports consists
> of new (tested, as in "is
Hi,
On Fri, 30 Aug 2019, Pirate Praveen wrote:
> Fast Track repo works exactly like current backports except the packages
> are added from unstable (or experimental during transitions and freeze)
> as they cannot go to testing and hence to current backports.
>
> As Paul noted earlier, backports
(Note: pkg-security@tracker.d.o is not a valid email, dropped)
Hi,
On Thu, 29 Aug 2019, Holger Levsen wrote:
> > In general, we (Debian) don't have a good answer to this problem and
> > virtualbox is clearly a bad precedent. We really need to find a solution
> > to this in concertation with the
Hi,
On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote:
> The upstream link makes it sound as if they are one of those upstreams
> which reject the idea of distributions shipping an older release to
> a stable distro. For a tool like radare2 that seems fair enough, so
> how about simply excluding it
Hi,
On Sun, 14 Jul 2019, Roberto C. Sánchez wrote:
> My inclination is to add the 3.26.2 patch to the nss in jessie.
> However, I wanted to ask before making that change in the event that
> there is a reason the change should not be made.
>
> Do you have any insight you can add here?
I don't
Hi,
On Tue, 09 Jul 2019, Jonas Meurer wrote:
> 1. Upload packages targeted at LTS suites to some dedicated place for
>    automated testing
> 2. Run automatic tests (piuparts, autopkgtests, lintian?, ...)
> 3. If tests passed, publish the packages somewhere to do manual
>    testing (and reviews)
Hello,
On Fri, 24 May 2019, PICCORO McKAY Lenz wrote:
> well seems the ExLTS don't ask for money .. the packages are free
> available and sources. so merged in debian archive are not problem!
The reason why Wheezy Extended LTS packages are not in the Debian
repositories is because Debian was not
On Tue, 16 Apr 2019, Paul Wise wrote:
> On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz wrote:
>
> > was removed or not? are still ELTS?
>
> The timeline says that eLTS support ended on 31st May 2019.
> https://wiki.debian.org/LTS/Extended
That date has not passed yet and the page said
Hi,
On Tue, 09 Apr 2019, Sylvain Beucler wrote:
> On 09/04/2019 09:50, Ingo Wichmann wrote:
> > labeling it "minor issues" when the real reason is "sponsors needed"
> > sounds wrong to me.
>
> That's never been the real reason so far AFAICS, only a complementary
> reason.
Ok, still to not
Hi,
On Mon, 08 Apr 2019, Markus Koschany wrote:
> "Not used by any sponsor" is often used internally in commit messages as
> an additional comment, reason and clarification why a certain issue is
In commit message to which repository?
I think you are mixing the ELTS security tracker here.
>
Hi,
On Mon, 11 Mar 2019, Sylvain Beucler wrote:
> I spent the day reproducing (unbreaking) the sqlalchemy exploit,
> figuring out how to run the test suite, attempting a backport of the
> upstream fix, plus some communication.
>
> I did about the same for the gnutls/nettle issue last week (only
Hi,
On Wed, 07 Nov 2018, Santiago Ruano Rincón wrote:
> I included it to dla-needed. It doesn't have any known security
> vulnerability, but its database is now out-of-date. I should be updated
> to 2018g, as it was done for stretch:
>
On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote:
> On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote:
> > On 06.11.18 at 20:09, Moritz Muehlenhoff wrote:
> > > Hi,
> > > if you fix any issues which were formerly tagged in a DLA, make
> > > sure
> > > to remove the no-dsa in CVE/list
On Sun, 28 Oct 2018, Wouter Verhelst wrote:
> On Sun, Oct 28, 2018 at 01:14:13AM +, Ben Hutchings wrote:
> > Debian can't afford to pay developers in general, and previous
> > proposals to pay specific developers were not well received.
>
> That was over a decade ago. The circumstances at the
Hi Steve,
On Tue, 23 Oct 2018, Steve McIntyre wrote:
> So I'm worried that those of us who have *not* volunteered to support
> LTS are being pressured into spending our time on it anyway. What can
> we do to fix that? How/where do we clarify for our users (and
> developers!) what LTS means, and
Hello Ola,
On Wed, 19 Sep 2018, Ola Lundqvist wrote:
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of sympa:
Wheezy is no longer the target of Debian LTS. How come that you are
sending mails about Wheezy?
"bin/contact-maintainers
Hi,
On Mon, 20 Aug 2018, Holger Levsen wrote:
> I'm not sure this code is helpful as it is, because it assumes
> -needed.txt and the DLA/DSA are generated at the same time which often
> is not the case.
>
> AIUI the code needs to check if the package for which a DLA/DSA is
> generated is present
Hello,
On Fri, 17 Aug 2018, Markus Koschany wrote:
> at the moment we only support four architectures, amd64, i386, armel and
> armhf because these are the ones which were requested by users and
> sponsors of Debian's Long Term support project. I believe we would all
> love to support even more
On Sat, 11 Aug 2018, Brian May wrote:
> Chris Lamb writes:
>
> > It would not be correct that generating a DLA would add an entry to
> > dla-needed.txt; quite the opposite as releasing a DLA ipso-facto
> > implies that the work has been completed and thus nothing is needed
> > anymore.
>
>
Hello,
On Fri, 01 Jun 2018, Markus Koschany wrote:
> > What do you think?
>
> Fine with me. Let's do it! I will add all necessary information to
> https://wiki.debian.org/LTS/ExtendedLTS shortly.
Note that wiki janitors (Paul Wise :)) renamed the page into
https://wiki.debian.org/LTS/Extended
Hi,
On Sat, 26 May 2018, Moritz Muehlenhoff wrote:
> It's not appropriate anyway for an official Debian announcement. LTS
> itself is already a grayish area, but advertising a service which
> solely prepares package updates on paid basis seems not ok with DMUP.
Given that no Debian machines
Hi,
On Fri, 25 May 2018, Markus Koschany wrote:
> It is true that https://deb.freexian.com/extended-lts is not available
> yet but I assumed this will change on May 31. If not I can also delete
> the sentence about ELTS for now and add "More information will follow
> soon" or something like that.
Hello Marc,
On Thu, 03 May 2018, Marc SCHAEFER wrote:
> Probably that a downgrade of the clamav suite would solve the problem; however
> there is something wrong in the coherency between wheezy LTS and jessie, don't
> you think?
A newer version is already targeted to jessie
On Sun, 22 Apr 2018, Ben Hutchings wrote:
> Therefore, would it make sense to add a Linux 4.9 backport to the
> regular jessie and jessie-security suites?
Yes, I think so. It's also interesting to keep a security-supported
kernel once we are past the usual 5 years of LTS (aka Extended LTS).
Since
Hi,
On Wed, 11 Apr 2018, Antoine Beaupré wrote:
> 1. removing the package from dla-needed.txt
> 2. adding the package as unsupported in debian-security-support
> 3. (do we send end-of-life announcements to debian-lts-announce when we
> do that?)
It's easy to mark packages as unsupported and
Hello,
On Tue, 20 Feb 2018, Vincent Bernat wrote:
> My bad. I suggest replacing "it would not be possible to get extended
> wheezy support" by "it would not be possible to sponsor extended wheezy
> support".
Done.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS:
(this reply on debian-lts, not on debian-devel)
On Tue, 20 Feb 2018, Raphael Hertzog wrote:
> some of the LTS sponsors are looking to extend the support period of
> Debian 7 Wheezy (from a few months up to a full year).
FWIW, I published a blog post with more details about how it will
wor
Hello Jens,
On Tue, 20 Feb 2018, Jens Korte wrote:
> How would you organize and call it in the wiki name space, ELTS,
> extended LTS, LTS? Would you use the normal LTS name space and make no
> difference? LTS is on the one side the name for the support after
> oldstable and on the other side the
[ Bcc to ftpmasters, wanna-build team, DSA team, LTS team, security team
to catch their attention ]
Hello,
some of the LTS sponsors are looking to extend the support period of
Debian 7 Wheezy (from a few months up to a full year). Some of the LTS
sponsors (notably Plat'Home, Toshiba) are also
Hello,
On Thu, 08 Feb 2018, Raphael Hertzog wrote:
> I have had enquiries of LTS sponsors about the status of spectre/meltdown
> mitigations in Debian. I tried to answer but even for me as an insider who
> knows the ins and outs of Debian rather well, it's really difficult for me
>
Hello everybody,
I have had enquiries of LTS sponsors about the status of spectre/meltdown
mitigations in Debian. I tried to answer but even for me as an insider who
knows the ins and outs of Debian rather well, it's really difficult for me
to be able to answer.
IMO we should really try to
Hi,
On Sun, 04 Feb 2018, Ola Lundqvist wrote:
> No worry. It was my mistake. I did not expect that someone else would
> do triaging when I was at front desk. You did nothing wrong. I'll try
> to be a little more observant next time. :-)
Just to be clear. Abhijith did not have to do this since he
Hi,
On Tue, 09 Jan 2018, Brian May wrote:
> Raphael Hertzog <hert...@debian.org> writes:
>
> > I think this mail went through the cracks as we haven't received a reply
> > from you so far. Can you let us know the status and whether we can help to
> > get the wheezy
Hello Rohit,
On Sat, 06 Jan 2018, Rohit Yadav wrote:
> I would like to request a Linux kernel security patch/package for Debian
> "Wheezy" 7 (amd x86_64) for the Spectre/Meltdown security issues [1][2][3].
Please see https://lists.debian.org/debian-lts-announce/2018/01/msg4.html
This only
Hello Cyrill,
I saw that you closed a bunch of nasm bugs found by fuzzing the 2.14rc0
codebase saying « No longer triggers with upcoming 2.13.02 (will be
released soon) »
https://bugzilla.nasm.us/show_bug.cgi?id=3392433
https://bugzilla.nasm.us/show_bug.cgi?id=3392428
Hello Antonio,
On Thu, 21 Dec 2017, Antonio Terceiro wrote:
> No, please go ahead. I don't have the bandwidth to handle wheezy,
> unfortunately.
>
> It must be the third or fourth time I give this same response for
> ruby1.*. It would be nice if the LTS team could keep track of this type
> of
Hello Michael,
I think this mail went through the cracks as we haven't received a reply
from you so far. Can you let us know the status and whether we can help to
get the wheezy update out ?
Cheers,
On Mon, 23 Oct 2017, Antoine Beaupré wrote:
> On 2017-07-19 11:35:56, Michael Shuler wrote:
> >
Hello,
FYI I filed #884907 on debian-security-support to suggest that we mark
jasperreports as unsupported by Debian (thus not only in Wheezy). There's
a long thread in https://bugs.debian.org/880467 where its situation has
been discussed.
If you have anything to contribute to the discussion or
Hello,
I reviewed the case of mp3gain. Upstream development is dead (last release
in 2009). The package is only in wheezy, it's gone from jessie and newer
releases. The package is not used by any LTS sponsor.
Thus I believe that the best course of action is to not spend any time on
it and to
Hi,
On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote:
> > Actually it got removed from wheezy in the mean time. Since it was
> > marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and
> > pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy:
> >
> > $ rmadison
Hello,
On Sun, 17 Dec 2017, Ola Lundqvist wrote:
> After some more reading I think removing it should be ok anyway. I'll
> change the wording from "will be removed" to "may be removed" to allow
> us the freedom to keep it if nobody takes the action to actually
> remove it.
Actually it got
Package: erlang
Version: 15.b.1-dfsg-4+deb7u2
CVE ID : CVE-2017-1000385
An erlang TLS server configured with cipher suites using RSA key exchange,
may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA
Bleichenbacher attack) against RSA, which when exploited, may
Hi Sergei,
On Wed, 13 Dec 2017, Sergei Golovan wrote:
> > I tried to backport the patch from version 18 for the version that we have
> > in wheezy. The resulting patch is attached. I'm not quite sure that the
> > patch is correct.
> >
> > Can you review it and test it?
>
> I've tested unpatched
Hello Sergei,
On Sun, 10 Dec 2017, Sergei Golovan wrote:
> On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz wrote:
> > Hi Sergei,
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of erlang:
> >
Package: simplesamlphp
Version: 1.9.2-1+deb7u1
CVE ID : CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872
CVE-2017-12873 CVE-2017-12874
The simplesamlphp package in wheezy is vulnerable to multiple attacks
on authentication-related code, leading
Hi,
On Thu, 07 Dec 2017, Brian May wrote:
> Does anyone have any objections to me removing this? Or should I pursue
> to patch option?
Given that the package has no reverse dependencies, and that it is a perl
module, i.e. not an end-user application, I believe it is fine to remove
it.
Cheers,
Hello Thijs,
On Mon, 04 Sep 2017, Thijs Kinkhorst wrote:
> On Wed, August 30, 2017 16:26, Raphael Hertzog wrote:
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Wheezy version of simplesamlphp:
> > https://security-track
On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> Now, I notice that the original advisory is about embedded data from the
> network, so maybe I'm doing things wrong and I need a weirder use
> case. In that case, I'd be happy to improve my test case to be able to
> reproduce, but otherwise we're just
Hi,
On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> > sal_uInt16 nLevelAnz;
> > rIn >> nLevelAnz;
> > if ( nLevelAnz > 5 )
> > {
> > OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5
> > Ebenen! (SJ)" );
> >
On Thu, 23 Nov 2017, Antoine Beaupré wrote:
> Fun times. So I'm stuck now - I reported the CVE issues upstream so
> they're at least aware of the issue:
>
> https://github.com/Exiv2/exiv2/issues/174
>
> ... but I am not sure what to do with the package in Wheezy. I'm tempted
> to mark this as
Hello Dominik,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of xrdp:
https://security-tracker.debian.org/tracker/CVE-2017-16927
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
Hello Thomas & Patrick,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of otrs2:
https://security-tracker.debian.org/tracker/CVE-2017-15864
https://security-tracker.debian.org/tracker/CVE-2017-16664
Would you like to take care of this
Hello Sylvestre,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of ohcount:
https://security-tracker.debian.org/tracker/CVE-2017-16926
Would you like to take care of this yourself?
I tried to file an upstream bug as a first step (since
Hi,
On Wed, 15 Nov 2017, Roberto C. Sánchez wrote:
> The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0].
> However, CVE-2017-14107 is only listed for libzip in the security
> tracker. I looked at the build log and php5 in wheezy definitely builds
> the file that was modified
Hi,
On Thu, 16 Nov 2017, Emilio Pozuelo Monfort wrote:
> Well, it's there...
>
> libreoffice (Emilio Pozuelo)
> NOTE: regression update, see:
> NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
Argh, sorry, I did not even check the entry... I only checked the output
of
On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote:
> Yes, that was added back then due to a regression with the fix for
> https://security-tracker.debian.org/tracker/CVE-2017-3157
When you add an entry back for some reason, please document that
reason... this entry in dla-needed.txt is useless if
Hello Emilio,
as the libreoffice entry is the oldest one without update[1] I decided
to take a look at the issues (even though it's assigned to you).
For CVE-2017-12607 I believe that wheezy is not affected as the patch
shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (=
On Mon, 06 Nov 2017, Brian May wrote:
> Why keep rtpproxy in data/dla-needed.txt if a fix is not possible?
Well, I wanted someone else to have a look at it. And also leave some
time to see if we could make an announce about possible ways to mitigate
the issue for LTS users.
Cheers,
--
Raphaël
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> I'll take care of it then. Should I just reuse the old DLA id? or
> simply mention the old DLA id in the announcement? Or mention all the
> CVEs fixed in the old DLA in the new DLA?
>
> Not actually sure how to merge this. :)
You prepare your DLA
On Tue, 31 Oct 2017, Antoine Beaupré wrote:
> > Please send it again and add a small sentence explaining that you send an
> > old advisory that never made it to the list... IOW if you expect
> > confusion, add an explanation to clear it up.
>
> I will be looking at a GM update later today -
Hi,
On Sat, 28 Oct 2017, Brian May wrote:
> I didn't realize until after I uploaded the newer version associated
> with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by
> DLA-1140-1.
>
> Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still
> didn't. I am concerned if I
Thanks Roger. Since this upload seems to have been forgotten, I just
made the upload and will soon release the DLA.
Cheers,
On Sun, 02 Jul 2017, Roger Light wrote:
> Hi Gianfranco,
>
> Here you go. Build and runtime tested.
>
> Cheers,
>
> Roger
>
>
> On 2 July 2017 at 20:00, Gianfranco
Dear maintainer(s),
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of wpa:
https://security-tracker.debian.org/tracker/source-package/wpa
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined
Hello Lucas,
On Tue, 05 Sep 2017, Lucas Kanashiro wrote:
> The 2 CVEs that I marked as no DSA, security team did the same for
> stretch: CVE-2017-10965 e CVE-2017-1066. Probably you are talking about
Even when they are marked no-dsa, it doesn't mean that you should not fix
them. It usually means
Hello,
On Wed, 06 Sep 2017, Ola Lundqvist wrote:
> The Debian LTS team recently reviewed the security issue(s) affecting your
> package in Wheezy:
> https://security-tracker.debian.org/tracker/CVE-2017-12794
The advisory
(https://www.djangoproject.com/weblog/2017/sep/05/security-releases/) says
On Sun, 03 Sep 2017, Hugo Lefeuvre wrote:
> These CVEs are especially difficult to reproduce because wheezy's gcc
> doesn't have asan and reproduction conditions might require a specific
> setup.
FWIW, I have been able to reproduce quite a few issues detected by ASAN
with valgrind which
Hello Thijs,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of simplesamlphp:
https://security-tracker.debian.org/tracker/source-package/simplesamlphp
Would you like to take care of this yourself?
If yes, please follow the workflow we
Hello Sebastian,
The Debian LTS team recently reviewed the security issue(s) affecting your
package in Wheezy:
https://security-tracker.debian.org/tracker/CVE-2017-12797
(and there are few other older issues that have been also ignored up to
now)
We decided that we would not prepare a wheezy
Hello Alf,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of connman:
https://security-tracker.debian.org/tracker/CVE-2017-12865
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
Hello Richard,
First I want to point out that git-annex 6.20170818-1 failed to build on
arm64, you might want to ask for a give-back to retry with a newer
compiler (gcc 7.2 landed in unstable since the failed build on arm64).
Apart from that, the Debian LTS team would like to fix the security
1 - 100 of 426 matches