Bug#1061472: bullseye-pu: package tinyxml/2.6.2-4+deb11u2

On Thu, 25 Jan 2024 at 04:44:12 +0100, Guilhem Moulin wrote: > [ Changes ] > > Fix CVE-2023-34194: Reachable assertion (and application exit) via a > crafted XML document with a '\0' located after whitespace. Per https://bugs.debian.org/1061473#12 I guess you'd like CVE-2023-40462 t

Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1

Control: tags -1 - moreinfo On Mon, 29 Jan 2024 at 21:55:37 +, Adam D. Barratt wrote: > > On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote: >> Fix CVE-2023-34194: Reachable assertion (and application exit) via a >> crafted XML document with a '\0' locate

Bug#1061556: bullseye-pu: package dropbear/2020.81-3+deb11u1

to 4G as the previous size was +too small for bullseye-security updates (kernel etc.). + * Salsa CI: Target bullseye and disable lintian job. + + -- Guilhem Moulin Fri, 26 Jan 2024 12:00:26 +0100 + dropbear (2020.81-3) unstable; urgency=medium * Initramfs: Use 10 placeholders in ~root

Bug#1061549: bookworm-pu: package dropbear/2022.83-1+deb12u1

end up with a +connection for which some security features have been downgraded or +disabled, aka a Terrapin attack. (Closes: #1059001) + + -- Guilhem Moulin Fri, 26 Jan 2024 10:01:00 +0100 + dropbear (2022.83-1) unstable; urgency=medium * New upstream release 2022.83. Support

Bug#1061473: bookworm-pu: package tinyxml/2.6.2-6+deb12u1

after whitespace. +(Closes: #1059315) + + -- Guilhem Moulin Thu, 25 Jan 2024 04:27:36 +0100 + tinyxml (2.6.2-6) unstable; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch

Bug#1061472: bullseye-pu: package tinyxml/2.6.2-4+deb11u2

' located after whitespace. +(Closes: #1059315) + + -- Guilhem Moulin Thu, 25 Jan 2024 04:12:05 +0100 + tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium * Import fix for CVE-2021-42260. diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch tinyxml-2.6.2/debian/patches/CVE-2023-34194

Bug#1061471: bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1

On Thu, 25 Jan 2024 at 03:54:46 +0100, Guilhem Moulin wrote: > [x] attach debdiff against the package in oldstable Oops, doing that now :-) -- Guilhem. diffstat for xerces-c-3.2.3+debian xerces-c-3.2.3+debian changelog |

Bug#1061471: bullseye-pu: package xerces-c/3.2.3+debian-3+deb11u1

Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: xerce...@packages.debian.org Control: affects -1 + src:xerces-c [ Reason ] xerces-c 3.2.3+debian-3 is vulnerable to CVE-2023-37536 (Integer overflows in

Bug#1058928: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2

Control: tag -1 - moreinfo Hi, On Thu, 21 Dec 2023 at 21:59:40 +, Jonathan Wiltshire wrote: > On Mon, Dec 18, 2023 at 02:10:20PM +0100, Guilhem Moulin wrote: >> [ Reason ] >> >> 1. cryptsetup-suspend 2:2.6.1-4~deb12u1 was found incompatible with >> systemd 254.1

Bug#1058928: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u2

) + + [ Guilhem Moulin ] + * add_modules(): Change suffix drop logic to match initramfs-tools. + * Fix DEP-8 tests with kernels shipping compressed modules. + * d/salsa-ci.yml: Set RELEASE=bookworm. + + -- Guilhem Moulin Mon, 18 Dec 2023 03:41:04 +0100 + cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency

Bug#1052629: bookworm-pu: package roundcube/1.6.3+dfsg-1~deb12u1

On Thu, 28 Sep 2023 at 18:53:46 +0100, Adam D. Barratt wrote: > --- a/CHANGELOG.md > +++ b/CHANGELOG.md > @@ -1,5 +1,54 @@ > # Changelog Roundcube Webmail > > +## Unreleased > + > > That seems wrong, given that you're uploading a released version. Well spotted but that one is upstream's, see

Bug#1052611: bullseye-pu: package roundcube/1.4.14+dfsg.1-1~deb11u1

ency=high + + * New security/bugfix upstream release: ++ Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling + of linkrefs in plain text messages. (Closes: #1052059) ++ Enigma: Fix initial synchronization of private keys. + * d/u/signing-key.asc: Add Alec's key BE

Bug#1042058: bookworm-pu: package pandoc/2.17.1.1-2~deb12u1

Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin Control: affects -1 + src:pandoc [ Reason ] pandoc 2.17.1.1-1.1 is vulnerable to CVE-2023-35936: Arbitrary file write

Bug#1042057: bullseye-pu: package pandoc/2.9.2.1-1+deb11u1

Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin Control: affects -1 + src:pandoc [ Reason ] pandoc 2.9.2.1-1 is vulnerable to CVE-2023-35936: Arbitrary file write

Bug#1039708: bullseye-pu: package lua5.3/5.3.3-1.1+deb11u1

in lapi.c. (Closes: +#920321) + * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions +in ldebug.c. (Closes: #988734) + + -- Guilhem Moulin Thu, 22 Jun 2023 22:03:38 +0200 + lua5.3 (5.3.3-1.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru lua5.3-5.3.3

Bug#1035046: bullseye-pu: package lacme/0.8.0-2+deb11u1

ay be what we +observe when the server is fast enough, but according to RFC 8555 sec. +7.1.6 the state actually transitions via "processing" and we need to +account for that (closes: #1034834). + * d/gbp.conf: Set 'debian-branch = debian/bullseye'. + + -- Guilhem Moulin Fri,

Bug#1034879: unblock: lacme/0.8.2-1

"valid". The latter may be what +we observe when the server is fast enough, but according to RFC 8555 +sec. 7.1.6 the state actually transitions via "processing" state and +we need to account for that. + - Test suite: Point stretch's archive URL to archive.d.o. + +

Bug#1034810: bookworm-pu: package cryptsetup/2:2.6.1-4~deb12u1

200 +++ cryptsetup-2.6.1/debian/changelog 2023-04-21 00:54:29.0 +0200 @@ -1,3 +1,17 @@ +cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium + + * Rebuild for Bookworm. + + -- Guilhem Moulin Fri, 21 Apr 2023 00:54:29 +0200 + +cryptsetup (2:2.6.1-4) unstable; urgency=med

Bug#1034809: bullseye-pu: package argon2/0~20171227-0.3+deb12u1

ann ] + * Add Breaks on cryptsetup-initramfs (see #1032235) + + [ Guilhem Moulin ] + * d/gbp.conf: Set 'debian-branch = debian/bookworm'. + * d/rules: Restore threading support to libargon2-1-udeb (closes: #1034696). +This is beneficial for cryptsetup-udeb, see #1028250. Removing thread

Bug#1009065: buster-pu: package dropbear/2018.76-5+deb10u1

password length to +100 bytes. (Closes: #1009062.) +Cherry-picked from https://hg.ucc.asn.au/dropbear/rev/228b086794b7 . + * d/gbp.conf: Set debian-branch = debian/buster. + + -- Guilhem Moulin Wed, 06 Apr 2022 20:54:24 +0200 + dropbear (2018.76-5) unstable; urgency=medium * Put custo

Bug#1006010: bullseye-pu: package php-crypt-gpg/1.6.4-2+deb11u1

ci.yml: Target Bullseye release. + + -- Guilhem Moulin Fri, 18 Feb 2022 22:17:29 +0100 + php-crypt-gpg (1.6.4-2) unstable; urgency=medium * Require phpunit ≥8 in Build-Depends. diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf php-crypt-gpg-1.6.4/debian/gbp.conf --- php-crypt-gpg-1.6.4/debian/gb

Bug#988701: unblock: roundcube/1.4.11+dfsg.1-4

). + * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is +already an enabled fastcgi .php handler (closes: #988236). + * d/uupdate: Fix comment. + + -- Guilhem Moulin Mon, 17 May 2021 20:45:48 +0200 + roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium * Remove

Bug#988216: unblock: lacme/0.8.0-2

delete system users on purge. There might be files +on disk owned by _lacme-client when 'challenge-directory' is set in the +configuration (closes: #988032). + + -- Guilhem Moulin Tue, 04 May 2021 01:37:13 +0200 + lacme (0.8.0-1) unstable; urgency=low * New upstream release (closes

Bug#985629: Bug#981405: unblock (pre-approval): cryptsetup/2:2.3.5-1

Control: tag -1 - moreinfo Hi Paul, On Fri, 02 Apr 2021 at 22:33:05 +0200, Paul Gevers wrote: > I'm not overly enthusiastic about the size of the diff, but indeed this > seems like something we'd want. > > Please go ahead and remove the moreinfo tag once the upload has happened. Done, many

Bug#975870: buster-pu: package lacme/0.5-1+deb10u1

+ - letsencryptauthorityx[34].pem +See https://letsencrypt.org/certificates/ + * Moreover 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt +which is a concatenation of all known active CA certificates (which +includes the previous default). +Closes: #975862. + + -- Guilhem Moulin Thu, 26

Bug#964456: stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6

On Tue, 07 Jul 2020 at 17:31:01 +0100, Adam D. Barratt wrote: >> The security team gave the green light for an upload of >> 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested to target >> old-p-u for stretch. stretch currently has 1.2.3+dfsg.1-4+deb9u3 >> wwhile stretch-security and

Bug#964456: stretch-pu: package roundcube/1.2.3+dfsg.1-4+deb9u6

:59.0 +0200 @@ -1,3 +1,11 @@ +roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high + + * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS) +vulnerability via HTML messages with malicious svg/namespace +(Closes: #964355) + + -- Guilhem Moulin Mon, 06 Jul 2020 16:14:59

Bug#935827: buster-pu: package cryptsetup/2:2.1.0-5+deb10u2

Thanks, uploaded! Hope this makes it to 10.1 :-) And again, many thanks for your work on Buster! -- Guilhem. signature.asc Description: PGP signature

Bug#935827: buster-pu: package cryptsetup/2:2.1.0-5+deb10u2

<->8-- cryptsetup (2:2.1.0-5+deb10u2) buster; urgency=medium * Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on 32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702) -- Guilhem Moulin Mon, 26 Aug 2019 14:54:10 +0200 cryptsetup (2:2

Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

thorizations, order and certificate URLs. Let's Encrypt will remove +support of unauthenticated GETs from the V2 API on 01 Nov 2019. +Closes: #935799. + + -- Guilhem Moulin Thu, 22 Aug 2019 00:14:42 +0200 + lacme (0.5-1) unstable; urgency=medium * New upstream release, adding support

Bug#935370: buster-pu: package lacme/0.5-1+deb10u1

tps://tools.ietf.org/html/rfc8555> instead of the +ACME I-D URL. + * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the +authorizations, order and certificate URLs. Let's Encrypt will remove +support of unauthenticated GETs from the V2 API on 01 Nov 2019. + + -- Guilhem

Bug#934956: buster-pu: package cryptsetup/2:2.1.0-5+deb10u1

Thanks, uploaded. And sorry the wall of text in the original report ^^ -- Guilhem. signature.asc Description: PGP signature

Bug#934956: buster-pu: package cryptsetup/2:2.1.0-5+deb10u1

lot on the header. (Closes: #934715) -- Guilhem Moulin Fri, 16 Aug 2019 19:18:10 +0200 The 3 cherry-picked patches are all backported from 2.2.0 [1,2], and the version in sid is not affected. (The one in Stretch is not affected either as it doesn't have LUKS2 support.) The diff also inclu

Bug#930330: unblock: cryptsetup/2.1.0-5

Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Tags: d-i Hi there, During a chat last at MiniDebConf Hamburg last week-end we (cryptsetup package maintainers + KiBi + ivodd) discussed a path forward for #927165 (debian-installer:

Bug#929828: unblock: cryptsetup/2:2.1.0-4

/changelog 2019-04-30 21:20:47.0 +0200 +++ cryptsetup-2.1.0/debian/changelog 2019-05-28 17:04:16.0 +0200 @@ -1,3 +1,22 @@ +cryptsetup (2:2.1.0-4) unstable; urgency=medium + + [Guilhem Moulin] + * d/initramfs/hooks/cryptroot: Always add userspace crypto module +('algif_skciph

Bug#928291: unblock: signing-party/2.10-1

Control: tag -1 - moreinfo Control: retitle -1 unblock: signing-party/2.10-2 Hi Ivo, On Sun, 05 May 2019 at 14:44:31 +0200, Ivo De Decker wrote: > On Wed, May 01, 2019 at 01:44:08PM +0200, Guilhem Moulin wrote: >> On Wed, 01 May 2019 at 12:46:12 +0200, Guilhem Moulin wrote: >>

Bug#928292: stretch-pu: package signing-party/2.5-1

Hi Salvatore, On Wed, 01 May 2019 at 13:37:12 +0200, Salvatore Bonaccorso wrote: > On Wed, May 01, 2019 at 01:27:26PM +0200, Guilhem Moulin wrote: >> +signing-party (2.5-1+deb9u1) stretch; urgency=medium >> + >> + * Backport security fix for CVE-2018-15599: unsafe shell ca

Bug#928291: unblock: signing-party/2.10-1

On Wed, 01 May 2019 at 12:46:12 +0200, Guilhem Moulin wrote: > gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599: > unsafe shell call enabling shell injection via a User ID. Erm that should be CVE-2019-11627, and the changelog is wrong as well. Would you like me to

Bug#928292: stretch-pu: package signing-party/2.5-1

.) + + -- Guilhem Moulin Wed, 01 May 2019 12:55:42 +0200 + signing-party (2.5-1) unstable; urgency=low * caff: diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control --- signing-party-2.5/debian/control2016-10-06 14:59:44.0 +0200 +++ signing-party-2.5/debian/control

Bug#928291: unblock: signing-party/2.10-1

+ + * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling +shell injection via a User ID. Use Perl's (core) module Encode.pm instead +of shelling out to `iconv`. (Closes: #928256.) + + -- Guilhem Moulin Wed, 01 May 2019 12:21:59 +0200 + signing-party (2.9-1) unstable; urgency

Bug#928269: unblock: cryptsetup/2.1.0-3

to the +initramfs on non-usrmerge systems. (Closes: #928263.) + + -- Guilhem Moulin Tue, 30 Apr 2019 21:20:47 +0200 + cryptsetup (2:2.1.0-2) unstable; urgency=medium * debian/copyright: diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptopensc cryptsetup-2.1.0/debian/initramfs

Bug#907124: stretch-pu: package dropbear/2016.74-5

On Sun, 26 Aug 2018 at 14:52:06 +0100, Adam D. Barratt wrote: > +dropbear (2016.74-5+deb9u1) stable; urgency=medium > > Please make the distribution "stretch", and feel free to upload. Oops yes sorry, uploaded with the correct distribution now. -- Guilhem. signature.asc Description: PGP

Bug#907124: stretch-pu: package dropbear/2016.74-5

in svr-auth.c in Dropbear through 2018.76 is prone to a user +enumeration vulnerability because username validity affects how fields in +SSH_MSG_USERAUTH messages are handled. (Closes: #906890.) +Adapted from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 . + + -- Guilhem Moulin

Bug#884618: transition: cryptsetup

Hi, On Sat, 20 Jan 2018 at 12:00:06 +0100, Cyril Brulebois wrote: > Jonas Meurer (2018-01-20): >> Am 18.12.2017 um 19:38 schrieb Emilio Pozuelo Monfort: >>> Actually I just read the thread about the -udeb uninstallability. >>> Let's wait until that is fixed or until Cyril

Re: [pkg-cryptsetup-devel] Upcoming transition: libcryptsetup4 -> libcryptsetup12

Hi Cyril, On Mon, 18 Dec 2017 at 01:39:35 +0100, Cyril Brulebois wrote: > Guilhem Moulin <guil...@debian.org> (2017-12-18): >> On Sun, 17 Dec 2017 at 18:12:21 +0100, Cyril Brulebois wrote: >>> I've added this as a todo item, along with looking into src:argon2 >>>

Re: [pkg-cryptsetup-devel] Upcoming transition: libcryptsetup4 -> libcryptsetup12

On Sun, 17 Dec 2017 at 18:12:21 +0100, Cyril Brulebois wrote: > Guilhem Moulin <guil...@debian.org> (2017-12-17): >> On Sun, 17 Dec 2017 at 13:32:55 +0100, Cyril Brulebois wrote: >>> Jonas Meurer <jo...@freesources.org> (2017-12-17): >>>> Debian-boot

Re: [pkg-cryptsetup-devel] Upcoming transition: libcryptsetup4 -> libcryptsetup12

Hi all, On Sun, 17 Dec 2017 at 13:32:55 +0100, Cyril Brulebois wrote: > Jonas Meurer (2017-12-17): >> Debian-boot is Cc'ed as cryptsetup provides udebs, so debian-installer >> is affected as well. > > Thanks for letting us (debian-boot@) know. AFAICT, on the udeb side we

Bug#862186: unblock: cryptsetup/2:1.7.3-4

7.3/debian/changelog 2017-05-09 13:50:59.0 +0200 @@ -1,3 +1,16 @@ +cryptsetup (2:1.7.3-4) unstable; urgency=high + + [ Guilhem Moulin ] + * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the +patch. (Closes: #847620) + * debian/copyright: Fix license mismatch (d

Bug#860409: unblock: dropbear/2016.74-3

upstream's LICENSE file. +(Closes: #860406.) + + -- Guilhem Moulin <guil...@guilhem.org> Sun, 16 Apr 2017 12:22:56 +0200 + dropbear (2016.74-2) unstable; urgency=low * Tolerate lack of boot script config file /etc/dropbear-initramfs/config. diff -Nru dropbear-2016.74/debian/cop

Bug#857697: unblock: netcat-openbsd/1.130-3

"-N"; in particular, "-q0" is now a mere alias for +"-N". (Closes: #854292) + + -- Guilhem Moulin <guil...@guilhem.org> Fri, 03 Mar 2017 20:32:55 +0100 + netcat-openbsd (1.130-2) unstable; urgency=medium * Fix handling of delayed exit option (Closes: #8

Bug#852998: jessie-pu: package dropbear/2014.65-1

ode as the local dbclient user if + particular -m or -c arguments are provided (CVE-2016-7408). + + -- Guilhem Moulin <guil...@guilhem.org> Sat, 28 Jan 2017 18:23:47 +0100 + dropbear (2014.65-1) unstable; urgency=low [ Matt Johnston ] only in patch2: unchanged: --- dropbear-2014.65

Bug#768579: unblock: signing-party/1.1.10-3

@@ +signing-party (1.1.10-3) unstable; urgency=medium + + [ Guilhem Moulin ] + * caff: ++ Fix RCF 2822 violation: Never localize the Date header, regarless of + the LC_ALL, LC_TIME and LANG in use. Regression introduced in r698. + (Closes: #767371) + + -- Guilhem Moulin guil

Bug#768503: unblock: signing-party/1.1.10-1+deb8u1

-party (1.1.10-1+deb8u1) unstable; urgency=medium + + [ Guilhem Moulin ] + * caff: ++ Fix RCF 2822 violation: Never localize the Date header, regarless of + the LC_ALL, LC_TIME and LANG in use. Regression introduced in r698. + (Closes: #767371) + + -- Guilhem Moulin guil

Bug#768503: unblock: signing-party/1.1.10-1+deb8u1

Control: retitle -1 unblock: signing-party/1.1.10-2 unblock signing-party/1.1.10-2 On Fri, 07 Nov 2014 at 23:26:24 +0100, Niels Thykier wrote: On 2014-11-07 22:36, Guilhem Moulin wrote: I would like to upload the attached changes: a regression bug has been introduced in signing-party 1.1.10-1