Re: Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-23 Thread Raphael Hertzog
Hi, On Mon, 22 Apr 2024, Yadd wrote: > Let's upload 2.4.59-1~deb10u1 ? You might want to hold off until Thursday. Santiago requested help for a review and Bastien Roucaries said that he would do it tomorrow (Wednesday). Santiago also sent your updated package through our buster ELTS staging

Re: How to handle freeimage package

2024-04-12 Thread Raphael Hertzog
Hello Ola, On Fri, 12 Apr 2024, Ola Lundqvist wrote: > I see three: > 1) copy secteam decision and move on to the next package (I guess > remove from dla-needed) > 2) copy secteam decision for most of them, but fix the ones with fedora > patches > 3) dive in and start developing (that will take

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-11 Thread Raphael Hertzog
Hi, On Wed, 10 Apr 2024, Ola Lundqvist wrote: > > Some package maintainers will typically decide to fix it via a point > > release. But they rarely update the triaging to document "postponed" or > > "ignored". So that's why it's up to the LTS team to make that call > > when we are (alone) in

Re: Guidance for CVE triage and listing packages in dla-needed.txt

2024-04-10 Thread Raphael Hertzog
Hello, On Tue, 09 Apr 2024, Ola Lundqvist wrote: > Let me use some data from CVEs for last year 2023. > I used the following method to extract the data > grep -B 5 '\[buster\]' list | grep -A 5 "^CVE-2023-" | grep '\[buster\]' > and then grepped for the end-of-life, not-affected (and so on to

Re: Expanding the scope (slightly) of dla-needed.txt

2024-04-08 Thread Raphael Hertzog
Hi, On Sat, 23 Mar 2024, Roberto C. Sánchez wrote: > In any event, I am happy to work towards reinitializing the Salsa issues > experiment to start again in April and then see how it goes from there. > > What do you think? It's a pity that nobody else responded... I'm no longer involved in

Re: Expanding the scope (slightly) of dla-needed.txt

2024-03-15 Thread Raphael Hertzog
Hello Roberto, On Thu, 14 Mar 2024, Roberto C. Sánchez wrote: > Santiago and I are in agreement that at the moment the best available > option is to use dla-needed.txt even for tracking work that needs to > happen after the DLA is released, specifically working toward an upload > to (old)stable.

Re: (E)LTS improved salsa pipeline support

2023-03-17 Thread Raphael Hertzog
Hi, On Thu, 16 Mar 2023, Emilio Pozuelo Monfort wrote: > The result is an improved pipeline with better support for both LTS and > ELTS. [1] Great work Emilio! It would be nice to have all this properly documented in https://lts-team.pages.debian.net I'm also curious to know if you think that

Re: Updating the LTS/ELTS instructions on freexian.com

2022-10-11 Thread Raphael Hertzog
Hello Chris, thanks for the report. Everything should be fixed now. Cheers, On Mon, 10 Oct 2022, Chris Lamb wrote: > Hi friends, > > I noticed that some of the URLs on the ELTS instructions page are now > outdated: > > https://www.freexian.com/lts/extended/docs/how-to-use-extended-lts/ >

Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-14 Thread Raphael Hertzog
Hi, On Tue, 13 Sep 2022, Abhijith PA wrote: > > Yes, that'd make sense. I'll start a separate thread for > > CVE-2022-32224. Roll back for now so there's no regression at least. > > I've disabled patch for CVE-2022-32224. Also tested against redmine. > Looks good for me. Can you give a smoke

Re: Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-08 Thread Raphael Hertzog
Hello, On Thu, 08 Sep 2022, Abhijith PA wrote: > On 07/09/22 11:10 AM, Raphael Hertzog wrote: > > Hello Abhijith and the LTS team, > > > > in Kali we have applied the last ruby-active* security updates and this > > broke the web API part of autopkgtest.kali.org.

Regression in stretch update of ruby-activerecord 2:5.2.2.1+dfsg-1+deb10u4

2022-09-07 Thread Raphael Hertzog
Hello Abhijith and the LTS team, in Kali we have applied the last ruby-active* security updates and this broke the web API part of autopkgtest.kali.org. Specifically line 51 in /usr/share/rubygems-integration/all/gems/activerecord-5.2.2.1/lib/active_record/coders/yaml_column.rb makes a call to

Re: EOL candidates for security-support-ended.deb10

2022-08-05 Thread Raphael Hertzog
Hello, On Wed, 03 Aug 2022, Sylvain Beucler wrote: > OpenStack: we tend not to support openstack beyond upstream's support, but > I'm having a hard time associating the components version with OpenStack's > major version; possibly other openstack packages (horizon, manila, > neutron...) are

Re: Update of debian-archive-keyring in stretch?

2021-09-15 Thread Raphael Hertzog
Hi Utkarsh, On Tue, 14 Sep 2021, Utkarsh Gupta wrote: > On Thu, Aug 26, 2021 at 12:33 AM Utkarsh Gupta wrote: > > > The missing key creates problems for example with simple-cdd: > > > https://bugs.debian.org/992966 > > > > Okay, I'll be happy to do the update. Though I wonder if it'd rather > >

Update of debian-archive-keyring in stretch?

2021-08-25 Thread Raphael Hertzog
[ Ccing debian-release in case they have some advice / concerns to express ] Hello LTS team, it would be nice if we could get an update of debian-archive-keyring in stretch to add the bullseye key just like it has been done in buster a while ago:

Re: packages in *-lts newer than in subsequent releases

2021-08-24 Thread Raphael Hertzog
Hi, On Mon, 23 Aug 2021, Lucas Nussbaum wrote: > Is there a rsync mirror that could be used to sync dists/? Not currently, no. I could look into adding it but I might not want to make it publicly accessible. I don't really want to make it easy to have public mirrors while ELTS has a very limited

Re: Upgrade problems from LTS -> LTS+1

2021-05-19 Thread Raphael Hertzog
On Mon, 17 May 2021, Utkarsh Gupta wrote: > > Where do you think I should include this tool and what should I name it to? > > Hm, nice question :P > Probably here: https://salsa.debian.org/freexian-team? I would say https://salsa.debian.org/lts-team/ rather... Cheers, -- ⢀⣴⠾⠻⢶⣦⠀ Raphaël

Re: Match ecosystems with limited support in debian-security-support

2021-04-22 Thread Raphael Hertzog
Hello Moritz, On Fri, 16 Apr 2021, Moritz Mühlenhoff wrote: > > These source package sets comes to mind: > > - node-* > > That would be super-noisy and will potentially clash with a lot of local > package state. Do you consider it noisy due to the possible clash with local packages? Or are both

Re: Support for insecure applications

2021-02-18 Thread Raphael Hertzog
Hi, On Fri, 12 Feb 2021, Carles Pina i Estany wrote: > When I was discussing this with a friend I had thought if Debian could > make available and visible for the users some metrics, contextualised in > similar (per functionality) packages: That would certainly be useful to expose, yes! But

Re: Supporting unbound in stretch by upgrading to 1.9

2021-01-20 Thread Raphael Hertzog
Hi, On Tue, 19 Jan 2021, Robert Edmonds wrote: > There is an unfixed issue in Unbound 1.9.0 (#962459 / #973052) that > affects some users (I have not been able to reproduce it). Upstream has > invested some time in helping the Debian maintainers track down > potential combinations of commits from

Re: MongoDB license change and security support

2020-11-27 Thread Raphael Hertzog
Hello, On Wed, 25 Nov 2020, Sylvain Beucler wrote: > Consequently I believe we're not in a position to offer MongoDB security > support in LTS nor ELTS, and we need to drop it from our supported packages. > > What do you think? I think that you are right if you believe that we have no influence

Re: MongoDB license change and security support

2020-11-27 Thread Raphael Hertzog
Hi, On Wed, 25 Nov 2020, Utkarsh Gupta wrote: > Sensing there's an agreement by others here, let's drop and announce > this as EOL'ed then? For LTS, definitely, yes. For ELTS, it's a bit more complicated since each customer pays for their package list and as you noted, mongodb is among those.

Re: Question regarding security issues in LTS/Extended LTS packages

2020-10-22 Thread Raphael Hertzog
Hello, On Mon, 19 Oct 2020, Antoine Cervoise wrote: > I'm not familiar with how to report security issues regarding packages > under LTS/Extended LTS support. LTS and ELTS have very different organizations. LTS has a public contact point (here on this list) but ELTS doesn't have any since it's

Re: TODO List

2020-05-25 Thread Raphael Hertzog
Hi, On Wed, 20 May 2020, Holger Levsen wrote: > > Is the "Find upstream developers who are willing to work on LTS support" > > still relevant? It lists packages such as Xen, which I thought were > > already dealt with. > > yes and yes, xen is being taken care of atm. I've updated the TODO page.

Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-12 Thread Raphael Hertzog
Hi, (Sylvain, please cc me if you want me to read something in any timely fashion) On Thu, 07 Nov 2019, Sylvain Beucler wrote: > Raphael, given that this package is low popcon and the vulnerability is > fuzzy, do you know if the sponsor for this package would be willing to > test fixes? The

Re: deb.freexian.com offline?

2019-10-06 Thread Raphael Hertzog
Hi, On Sun, 06 Oct 2019, Markus Koschany wrote: > Yes, there is a (DNS) problem with the server right now. We are aware of > it and hope it will be fixed within the next 24 hours. Apologies for any > inconveniences caused. Server is back online. It had a problem with its network filesystem.

Re: Training process

2019-10-01 Thread Raphael Hertzog
Hi, On Mon, 30 Sep 2019, Sylvain Beucler wrote: > From what I understand there was a training during July and August, > resulting in active status this month. > I saw zero traces of this training besides a passing anonymous > mention in Raphael's reports. > Possibly we can clarify this a lil'

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Raphael Hertzog
Hi, On Fri, 30 Aug 2019, Alexander Wirt wrote: > > We're not speaking of crap software, we're just speaking of software that > > can't be maintained multiple years by backports of security patches, where > > we get fixes only with new upstream versions (mixed with new features). > I don't want to

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Raphael Hertzog
On Fri, 30 Aug 2019, Alexander Wirt wrote: > There were several discussions over the last years. And yes, our vision of > backports does not match the vision of those fastpace/not ready for > stable/whatever you call them repos. In our vision debian-backports consists > of new (tested, as in "is

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-30 Thread Raphael Hertzog
Hi, On Fri, 30 Aug 2019, Pirate Praveen wrote: > Fast Track repo works exactly like current backports except the packages > are added from unstable (or experimental during transitions and freeze) > as they cannot go to testing and hence to current backports. > > As Paul noted earlier, backports

Re: how to deal with widely used packages unsuitable for stable (was Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.)

2019-08-29 Thread Raphael Hertzog
(Note: pkg-security@tracker.d.o is not a valid email, dropped) Hi, On Thu, 29 Aug 2019, Holger Levsen wrote: > > In general, we (Debian) don't have a good answer to this problem and > > virtualbox is clearly a bad precedent. We really need to find a solution > > to this in concertation with the

Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.

2019-08-29 Thread Raphael Hertzog
Hi, On Thu, 29 Aug 2019, Moritz Mühlenhoff wrote: > The upstream link makes it sound as if they are one of those upstreams > which reject the idea of distributions shipping an older release to > a stable distro. For a tool like radare2 that seems fair enough, so > how about simply excluding it

Re: Question about nss patches

2019-07-15 Thread Raphael Hertzog
Hi, On Sun, 14 Jul 2019, Roberto C. Sánchez wrote: > My inclination is to add the 3.26.2 patch to the nss in jessie. > However, I wanted to ask before making that change in the event that > there is a reason the change should not be made. > > Do you have any insight you can add here? I don't

Re: On (semi-)automated testing and improved workflow of LTS uploads

2019-07-13 Thread Raphael Hertzog
Hi, On Tue, 09 Jul 2019, Jonas Meurer wrote: > 1. Upload packages targeted at LTS suites to some dedicated place for >automated testing > 2. Run automatic tests (piuparts, autopkgtests, lintian?, ...) > 3. If tests passed, publish the packages somewhere to do manual >testing (and reviews)

Re: packages from old security releases.

2019-05-25 Thread Raphael Hertzog
Hello, On Fri, 24 May 2019, PICCORO McKAY Lenz wrote: > well seems the ExLTS don ask for money .. the packages are free > available and sources. so merged in debian archive are not problem! The reason why Wheezy Extended LTS packages are not in the Debian repositories is because Debian was not

Re: Wheezy ELTS?

2019-04-16 Thread Raphael Hertzog
On Tue, 16 Apr 2019, Paul Wise wrote: > On Tue, Apr 16, 2019 at 10:20 AM PICCORO McKAY Lenz wrote: > > > was removed or not? are stil ELTS? > > The timeline says that eLTS support ended on 31st May 2019. > https://wiki.debian.org/LTS/Extended That date has not passed yet and the page said

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi, On Tue, 09 Apr 2019, Sylvain Beucler wrote: > On 09/04/2019 09:50, Ingo Wichmann wrote: > > labeling it "minor issues" when the real reason is "sponsors needed" > > sounds wrong to me. > > That's never been the real reason so far AFAICS, only a complementary > reason. Ok, still to not

Re: LTS, no-dsa reasoning and sponsored packages

2019-04-16 Thread Raphael Hertzog
Hi, On Mon, 08 Apr 2019, Markus Koschany wrote: > "Not used by any sponsor" is often used internally in commit messages as > an additional comment, reason and clarification why a certain issue is In commit message to which repository? I think you are mixing the ELTS security tracker here. >

Re: Time allocation per CVE

2019-03-13 Thread Raphael Hertzog
Hi, On Mon, 11 Mar 2019, Sylvain Beucler wrote: > I spent the day reproducing (unbreaking) the sqlalchemy exploit, > figuring out how to run the test suite, attempting a backport of the > upstream fix, plus some communication. > > I did about the same for the gnutls/nettle issue last week (only

Re: libdatetime-timezone-perl

2018-11-08 Thread Raphael Hertzog
Hi, On Wed, 07 Nov 2018, Santiago Ruano Rincón wrote: > I included it to dla-needed. It doesn't have any known security > vulnerability, but its database is now out-of-date. It should be updated > to 2018g, as it was done for stretch: >

Re: Removing no-dsa entries when releasing a DLA

2018-11-08 Thread Raphael Hertzog
On Tue, 06 Nov 2018, Moritz Muehlenhoff wrote: > On Tue, Nov 06, 2018 at 08:16:21PM +0100, Markus Koschany wrote: > > Am 06.11.18 um 20:09 schrieb Moritz Muehlenhoff: > > > Hi, > > > if you fix any issues which were formerly tagged in a DLA, make > > > sure > > > to remove the no-dsa in CVE/list

Re: Confusing our users - who is supporting LTS?

2018-11-06 Thread Raphael Hertzog
On Sun, 28 Oct 2018, Wouter Verhelst wrote: > On Sun, Oct 28, 2018 at 01:14:13AM +, Ben Hutchings wrote: > > Debian can't afford to pay developers in general, and previous > > proposals to pay specific developers were not well received. > > That was over a decade ago. The circumstances at the

Re: Confusing our users - who is supporting LTS?

2018-10-23 Thread Raphael Hertzog
Hi Steve, On Tue, 23 Oct 2018, Steve McIntyre wrote: > So I'm worried that those of us who have *not* volunteered to support > LTS are being pressured into spending our time on it anyway. What can > we do to fix that? How/where do we clarify for our users (and > developers!) what LTS means, and

Re: Wheezy update of sympa?

2018-09-20 Thread Raphael Hertzog
Hello Ola, On Wed, 19 Sep 2018, Ola Lundqvist wrote: > The Debian LTS team would like to fix the security issues which are > currently open in the Wheezy version of sympa: Wheezy is no longer the target of Debian LTS. How come that you are sending mails about Wheezy? "bin/contact-maintainers

Re: src:wpa overlap in Debian LTS?

2018-08-22 Thread Raphael Hertzog
Hi, On Mon, 20 Aug 2018, Holger Levsen wrote: > I'm not sure this code is helpful as it is, because it assumes > -needed.txt and the DLA/DSA are generated at the same time which often > is not the case. > > AIUI the code needs to check if the package for which a DLA/DSA is > generated is present

Re: Removal of 'arm64' from debian-security repo breaks community projects

2018-08-20 Thread Raphael Hertzog
Hello, On Fri, 17 Aug 2018, Markus Koschany wrote: > at the moment we only support four architectures, amd64, i386, armel and > armhf because these are the ones which were requested by users and > sponsors of Debian's Long Term support project. I believe we would all > love to support even more

Re: src:wpa overlap in Debian LTS?

2018-08-20 Thread Raphael Hertzog
On Sat, 11 Aug 2018, Brian May wrote: > Chris Lamb writes: > > > It would not be correct that generating a DLA would add an entry to > > dla-needed.txt; quite the opposite as releasing a DLA ipso-facto > > implies that the work has been completed and thus nothing is needed > > anymore. > >

Re: News: 2018-06-01-Debian-7-Long-Term-Support-reaching-end-of-life

2018-06-01 Thread Raphael Hertzog
Hello, On Fri, 01 Jun 2018, Markus Koschany wrote: > > What do you think? > > Fine with me. Let's do it! I will add all necessary information to > https://wiki.debian.org/LTS/ExtendedLTS shortly. Note that wiki janitors (Paul Wise :)) renamed the page into https://wiki.debian.org/LTS/Extended

Re: Draft for EOL announcement

2018-05-26 Thread Raphael Hertzog
Hi, On Sat, 26 May 2018, Moritz Muehlenhoff wrote: > It's not appropriate anyway for an official Debian announcement. LTS > itself is already a grayish area, but advertising a service which > solely prepares package updates on paid basis seems not ok with DMUP. Given that no Debian machines

Re: Draft for EOL announcement

2018-05-25 Thread Raphael Hertzog
Hi, On Fri, 25 May 2018, Markus Koschany wrote: > It is true that https://deb.freexian.com/extended-lts is not available > yet but I assumed this will change on May 31. If not I can also delete > the sentence about ELTS for now and add "More information will follow > soon" or something like that.

Re: wheezy-security (LTS) libclamav7's version is newer than jessie's

2018-05-04 Thread Raphael Hertzog
Hello Marc, On Thu, 03 May 2018, Marc SCHAEFER wrote: > Probably that a downgrade of the clamav suite would solve the problem; however > there is something wrong in the coherency between wheezy LTS and jessie, don't > you think? A newer version is already targeted to jessie

Re: linux backport in jessie LTS

2018-04-24 Thread Raphael Hertzog
On Sun, 22 Apr 2018, Ben Hutchings wrote: > Therefore, would it make sense to add a Linux 4.9 backport to the > regular jessie and jessie-security suites? Yes, I think so. It's also interesting to keep a security-supported kernel once we are past the usual 5 years of LTS (aka Extended LTS). Since

Re: calibre / CVE-2018-7889

2018-04-12 Thread Raphael Hertzog
Hi, On Wed, 11 Apr 2018, Antoine Beaupré wrote: > 1. removing the package from dla-needed.txt > 2. adding the package as unsupported in debian-security-support > 3. (do we send end-of-life announcements to debian-lts-announce when we > do that?) It's easy to mark packages as unsupported and

Re: Extended Long Term Support for Wheezy

2018-02-22 Thread Raphael Hertzog
Hello, On Tue, 20 Feb 2018, Vincent Bernat wrote: > My bad. I suggest replacing "it would not be possible to get extended > wheezy support" by "it would not be possible to sponsor extended wheezy > support". Done. Cheers, -- Raphaël Hertzog ◈ Debian Developer Support Debian LTS:

Re: Extended Long Term Support for Wheezy

2018-02-20 Thread Raphael Hertzog
(this reply on debian-lts, not on debian-devel) On Tue, 20 Feb 2018, Raphael Hertzog wrote: > some of the LTS sponsors are looking to extend the support period of > Debian 7 Wheezy (from a few months up to a full year). FWIW, I published a blog post with more details about how it will wor

Re: Fw: Extended Long Term Support for Wheezy

2018-02-20 Thread Raphael Hertzog
Hello Jens, On Tue, 20 Feb 2018, Jens Korte wrote: > How would you organize and call it in the wiki name space, ELTS, > extended LTS, LTS? Would you use the normal LTS name space and make no > difference? LTS is on the one side the name for the support after > oldstable and on the other side the

Extended Long Term Support for Wheezy

2018-02-20 Thread Raphael Hertzog
[ Bcc to ftpmasters, wanna-build team, DSA team, LTS team, security team to catch their attention ] Hello, some of the LTS sponsors are looking to extend the support period of Debian 7 Wheezy (from a few months up to a full year). Some of the LTS sponsors (notably Plat'Home, Toshiba) are also

Re: Better communication about spectre/meltdown

2018-02-15 Thread Raphael Hertzog
Hello, On Thu, 08 Feb 2018, Raphael Hertzog wrote: > I have had enquiries of LTS sponsors about the status of spectre/meltdown > mitigations in Debian. I tried to answer but even for me as an insider who > knows the ins and outs of Debian rather well, it's really difficult for me >

Better communication about spectre/meltdown

2018-02-08 Thread Raphael Hertzog
Hello everybody, I have had enquiries of LTS sponsors about the status of spectre/meltdown mitigations in Debian. I tried to answer but even for me as an insider who knows the ins and outs of Debian rather well, it's really difficult for me to be able to answer. IMO we should really try to

Re: Wheezy update of simplesamlphp?

2018-02-06 Thread Raphael Hertzog
Hi, On Sun, 04 Feb 2018, Ola Lundqvist wrote: > No worry. It was my mistake. I did not expect that someone else would > do triaging when I was at front desk. You did nothing wrong. I'll try > to be a little more observant next time. :-) Just to be clear. Abhijith did not have to do this since he

Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?

2018-01-12 Thread Raphael Hertzog
Hi, On Tue, 09 Jan 2018, Brian May wrote: > Raphael Hertzog <hert...@debian.org> writes: > > > I think this mail went through the cracks as we haven't received a reply > > from you so far. Can you let us know the status and whether we can help to > > get the wheezy

Re: Linux kernel security release for Wheezy/Debian7 for Meltdown/Spectre mitigation

2018-01-08 Thread Raphael Hertzog
Hello Rohit, On Sat, 06 Jan 2018, Rohit Yadav wrote: > I would like to request a Linux kernel security patch/package for Debian > "Wheezy" 7 (amd x86_64) for the Spectre/Meltdown security issues [1][2][3]. Please see https://lists.debian.org/debian-lts-announce/2018/01/msg4.html This only

About latest nasm issues found by fuzzer

2017-12-22 Thread Raphael Hertzog
Hello Cyrill, I saw that you closed a bunch of nasm bugs found by fuzzing the 2.14rc0 codebase saying « No longer triggers with upcoming 2.13.02 (will be released soon) » https://bugzilla.nasm.us/show_bug.cgi?id=3392433 https://bugzilla.nasm.us/show_bug.cgi?id=3392428

Re: Wheezy update of ruby1.8 and ruby1.9.1?

2017-12-21 Thread Raphael Hertzog
Hello Antonio, On Thu, 21 Dec 2017, Antonio Terceiro wrote: > No, please go ahead. I don't have the bandwidth to handle wheezy, > unfortunately. > > It must be the third or fourth time I give this same response for > ruby1.*. It would be nice if the LTS team could keep track of this type > of

Re: Bug#858539: should ca-certificates certdata.txt synchronize across all suites?

2017-12-21 Thread Raphael Hertzog
Hello Michael, I think this mail went through the cracks as we haven't received a reply from you so far. Can you let us know the status and whether we can help to get the wheezy update out ? Cheers, On Mon, 23 Oct 2017, Antoine Beaupré wrote: > On 2017-07-19 11:35:56, Michael Shuler wrote: > >

Marking jasperreports as unsupported ?

2017-12-21 Thread Raphael Hertzog
Hello, FYI I filed #884907 on debian-security-support to suggest that we mark jasperreports as unsupported by Debian (thus not only in Wheezy). There's a long thread in https://bugs.debian.org/880467 where its situation has been discussed. If you have anything to contribute to the discussion or

Declaring mp3gain as unsupported

2017-12-21 Thread Raphael Hertzog
Hello, I reviewed the case of mp3gain. Upstream development is dead (last release in 2009). The package is only in wheezy, it's gone from jessie and newer releases. The package is not used by any LTS sponsor. Thus I believe that the best course of action is to not spend any time on it and to

Re: To be removed from wheezy as well

2017-12-19 Thread Raphael Hertzog
Hi, On Tue, 19 Dec 2017, Salvatore Bonaccorso wrote: > > Actually it got removed from wheezy in the mean time. Since it was > > marked that way in dla-needed.txt, I pinged the ftp.d.o bug report and > > pinged Chris Lamb (as ftp assistant) and the package is gone from wheezy: > > > > $ rmadison

Re: To be removed from wheezy as well

2017-12-19 Thread Raphael Hertzog
Hello, On Sun, 17 Dec 2017, Ola Lundqvist wrote: > After some more reading I think removing it should be ok anyway. I'll > change the wording from "will be removed" to "may be removed" to allow > us the freedom to keep it if nobody takes the action to actually > remove it. Actually it got

[SECURITY] [DLA 1207-1] erlang security update

2017-12-15 Thread Raphael Hertzog
Package: erlang Version: 15.b.1-dfsg-4+deb7u2 CVE ID : CVE-2017-1000385 An erlang TLS server configured with cipher suites using RSA key exchange, may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) against RSA, which when exploited, may

Re: Wheezy update of erlang?

2017-12-15 Thread Raphael Hertzog
Hi Sergei, On Wed, 13 Dec 2017, Sergei Golovan wrote: > > I tried to backport the patch from version 18 for the version that we have > > in wheezy. The resulting patch is attached. I'm not quite sure that the > > patch is correct. > > > > Can you review it and test it? > > I've tested unpatched

Re: Wheezy update of erlang?

2017-12-12 Thread Raphael Hertzog
Hello Sergei, On Sun, 10 Dec 2017, Sergei Golovan wrote: > On Sun, Dec 10, 2017 at 9:52 PM, Thorsten Alteholz wrote: > > Hi Sergei, > > > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of erlang: > >

[SECURITY] [DLA 1205-1] simplesamlphp security update

2017-12-12 Thread Raphael Hertzog
Package: simplesamlphp Version: 1.9.2-1+deb7u1 CVE ID : CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872 CVE-2017-12873 CVE-2017-12874 The simplesamlphp package in wheezy is vulnerable to multiple attacks on authentication-related code, leading

Re: libnet-ping-external-perl / CVE-2008-7319

2017-12-08 Thread Raphael Hertzog
Hi, On Thu, 07 Dec 2017, Brian May wrote: > Does anyone have any objections to me removing this? Or should I persue > to patch option? Given that the package has no reverse dependencies, and that it is a perl module, i.e. not an end-user application, I believe it is fine to remove it. Cheers,

Re: Wheezy update of simplesamlphp?

2017-11-30 Thread Raphael Hertzog
Hello Thijs, On Mon, 04 Sep 2017, Thijs Kinkhorst wrote: > On Wed, August 30, 2017 16:26, Raphael Hertzog wrote: > > The Debian LTS team would like to fix the security issues which are > > currently open in the Wheezy version of simplesamlphp: > > https://security-track

Re: About the libreoffice CVE-2017-3157 regression

2017-11-24 Thread Raphael Hertzog
On Thu, 23 Nov 2017, Antoine Beaupré wrote: > Now, I notice that the original advisory is about embeded data from the > network, so maybe I'm doing things wrong and I need a weirder use > case. In that case, I'd be happy to improve my test case to be able to > reproduce, but otherwise we're just

Re: About libreoffice CVE

2017-11-24 Thread Raphael Hertzog
Hi, On Thu, 23 Nov 2017, Antoine Beaupré wrote: > > sal_uInt16 nLevelAnz; > > rIn >> nLevelAnz; > > if ( nLevelAnz > 5 ) > > { > > OSL_FAIL( "PPTStyleSheet::Ppt-TextStylesheet hat mehr als 5 > > Ebenen! (SJ)" ); > >

Re: ASAN builds and exiv2

2017-11-24 Thread Raphael Hertzog
On Thu, 23 Nov 2017, Antoine Beaupré wrote: > Fun times. So I'm stuck now - I reported the CVE issues upstream so > they're at least aware of the issue: > > https://github.com/Exiv2/exiv2/issues/174 > > ... but I am not sure what to do with the package in Wheezy. I'm tempted > to mark this as

Wheezy update of xrdp?

2017-11-23 Thread Raphael Hertzog
Hello Dominik, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of xrdp: https://security-tracker.debian.org/tracker/CVE-2017-16927 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here:

Wheezy update of otrs2?

2017-11-23 Thread Raphael Hertzog
Hello Thomas & Patrick, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of otrs2: https://security-tracker.debian.org/tracker/CVE-2017-15864 https://security-tracker.debian.org/tracker/CVE-2017-16664 Would you like to take care of this

Wheezy update of ohcount?

2017-11-23 Thread Raphael Hertzog
Hello Sylvestre, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of ohcount: https://security-tracker.debian.org/tracker/CVE-2017-16926 Would you like to take care of this yourself? I tried to file an upstream bug as a first step (since

Re: Issue affecting php5?

2017-11-18 Thread Raphael Hertzog
Hi, On Wed, 15 Nov 2017, Roberto C. Sánchez wrote: > The commit was made for PHP version 5.6 and mentions CVE-2017-14107 [0]. > However, CVE-2017-14107 is only listed for libzip in the security > tracker. I looked at the build log and php5 in wheezy definitely builds > the file that was modified

Re: About libreoffice CVE

2017-11-16 Thread Raphael Hertzog
Hi, On Thu, 16 Nov 2017, Emilio Pozuelo Monfort wrote: > Well, it's there... > > libreoffice (Emilio Pozuelo) > NOTE: regression update, see: > NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html Argh, sorry, I did not even check the entry... I only checked the output of

Re: About libreoffice CVE

2017-11-16 Thread Raphael Hertzog
On Tue, 14 Nov 2017, Emilio Pozuelo Monfort wrote: > Yes, that was added back then due to a regression with the fix for > https://security-tracker.debian.org/tracker/CVE-2017-3157 When you add an entry back for some reason, please document that reason... this entry in dla-needed.txt is useless if

About libreoffice CVE

2017-11-14 Thread Raphael Hertzog
Hello Emilio, as the libreoffice entry is the oldest one without update[1] I decided to take a look at the issues (even though it's assigned to you). For CVE-2017-12607 I believe that wheezy is not affected as the patch shown below merely ensures that nLevelAnz does not overflow nMaxPPTLevels (=

Re: rtpproxy / CVE-2017-14114

2017-11-13 Thread Raphael Hertzog
On Mon, 06 Nov 2017, Brian May wrote: > Why keep rtpproxy in data/dla-needed.txt if a fix is not possible? Well, I wanted someone else to have a look at it. And also leave some time to see if we could make an announce about possible ways to mitigate the issue for LTS users. Cheers, -- Raphaël

Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote: > I'll take care of it then. Should I just reuse the old DLA id? or > simply mention the old DLA id in the announcement? Or mention all the > CVEs fixed in the old DLA in the new DLA? > > Not actually sure how to merge this. :) You prepare your DLA

Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
On Tue, 31 Oct 2017, Antoine Beaupré wrote: > > Please send it again and add a small sentence explaining that you sent an > > old advisory that never made it to the list... IOW if you expect > > confusion, add an explanation to clear it up. > > I will be looking at a GM update later today -

Re: Accepted graphicsmagick 1.3.16-1.1+deb7u10 (source amd64 all) into oldoldstable

2017-10-31 Thread Raphael Hertzog
Hi, On Sat, 28 Oct 2017, Brian May wrote: > I didn't realize until after I uploaded the newer version associated > with DLA-1140-1. So I tried sending DLA-1130-1 again, followed by > DLA-1140-1. > > Unfortunately DLA-1140-1 made it to the list, but DLA-1130-1 still > didn't. I am concerned if I

[SECURITY] [DLA 1147-1] exiv2 security update

2017-10-26 Thread Raphael Hertzog
ian: https://debian-handbook.info/get/

[SECURITY] [DLA 1145-1] zoneminder security update

2017-10-26 Thread Raphael Hertzog
Debian: https://debian-handbook.info/get/

[SECURITY] [DLA 1146-1] mosquitto security update

2017-10-26 Thread Raphael Hertzog
html Learn to master Debian: https://debian-handbook.info/get/

Re: Wheezy update of mosquitto?

2017-10-26 Thread Raphael Hertzog
Thanks Roger. Since this upload seems to have been forgotten, I just made the upload and will soon release the DLA. Cheers, On Sun, 02 Jul 2017, Roger Light wrote: > Hi Gianfranco, > > Here you go. Build and runtime tested. > > Cheers, > > Roger > > > On 2 July 2017 at 20:00, Gianfranco

Wheezy update of wpa?

2017-10-18 Thread Raphael Hertzog
Dear maintainer(s), The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of wpa: https://security-tracker.debian.org/tracker/source-package/wpa Would you like to take care of this yourself? If yes, please follow the workflow we have defined

Re: Wheezy update of irssi?

2017-09-07 Thread Raphael Hertzog
Hello Lucas, On Tue, 05 Sep 2017, Lucas Kanashiro wrote: > The 2 CVEs that I marked as no DSA, security team did the same for > stretch: CVE-2017-10965 and CVE-2017-1066. Probably you are talking about Even when they are marked no-dsa, it doesn't mean that you should not fix them. It usually means

Re: About the security issues affecting python-django in Wheezy

2017-09-07 Thread Raphael Hertzog
Hello, On Wed, 06 Sep 2017, Ola Lundqvist wrote: > The Debian LTS team recently reviewed the security issue(s) affecting your > package in Wheezy: > https://security-tracker.debian.org/tracker/CVE-2017-12794 The advisory (https://www.djangoproject.com/weblog/2017/sep/05/security-releases/) says

Re: August Report

2017-09-05 Thread Raphael Hertzog
On Sun, 03 Sep 2017, Hugo Lefeuvre wrote: > These CVEs are especially difficult to reproduce because wheezy's gcc > doesn't have asan and reproduction conditions might require a specific > setup. FWIW, I have been able to reproduce quite a few issues detected by ASAN with valgrind which

Wheezy update of simplesamlphp?

2017-08-30 Thread Raphael Hertzog
Hello Thijs, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of simplesamlphp: https://security-tracker.debian.org/tracker/source-package/simplesamlphp Would you like to take care of this yourself? If yes, please follow the workflow we

About the security issues affecting mpg123 in Wheezy

2017-08-30 Thread Raphael Hertzog
Hello Sebastian, The Debian LTS team recently reviewed the security issue(s) affecting your package in Wheezy: https://security-tracker.debian.org/tracker/CVE-2017-12797 (and there are a few other older issues that have also been ignored up to now) We decided that we would not prepare a wheezy

Wheezy update of connman?

2017-08-30 Thread Raphael Hertzog
Hello Alf, The Debian LTS team would like to fix the security issues which are currently open in the Wheezy version of connman: https://security-tracker.debian.org/tracker/CVE-2017-12865 Would you like to take care of this yourself? If yes, please follow the workflow we have defined here:

Wheezy update of git-annex?

2017-08-29 Thread Raphael Hertzog
Hello Richard, First I want to point out that git-annex 6.20170818-1 failed to build on arm64, you might want to ask for a give-back to retry with a newer compiler (gcc 7.2 landed in unstable since the failed build on arm64). Apart from that, the Debian LTS team would like to fix the security
