On Thu, 25 Jan 2024 at 04:44:12 +0100, Guilhem Moulin wrote:
> [ Changes ]
>
> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
> crafted XML document with a '\0' located after whitespace.
Per https://bugs.debian.org/1061473#12 I guess you'd like CVE-2023-40462
t
Control: tags -1 - moreinfo
On Mon, 29 Jan 2024 at 21:55:37 +, Adam D. Barratt wrote:
>
> On Thu, 2024-01-25 at 04:45 +0100, Guilhem Moulin wrote:
>> Fix CVE-2023-34194: Reachable assertion (and application exit) via a
>> crafted XML document with a '\0' locate
to 4G as the previous size was
+too small for bullseye-security updates (kernel etc.).
+ * Salsa CI: Target bullseye and disable lintian job.
+
+ -- Guilhem Moulin Fri, 26 Jan 2024 12:00:26 +0100
+
dropbear (2020.81-3) unstable; urgency=medium
* Initramfs: Use 10 placeholders in ~root
end up with a
+connection for which some security features have been downgraded or
+disabled, aka a Terrapin attack. (Closes: #1059001)
+
+ -- Guilhem Moulin Fri, 26 Jan 2024 10:01:00 +0100
+
dropbear (2022.83-1) unstable; urgency=medium
* New upstream release 2022.83. Support
after whitespace.
+(Closes: #1059315)
+
+ -- Guilhem Moulin Thu, 25 Jan 2024 04:27:36 +0100
+
tinyxml (2.6.2-6) unstable; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
' located after whitespace.
+(Closes: #1059315)
+
+ -- Guilhem Moulin Thu, 25 Jan 2024 04:12:05 +0100
+
tinyxml (2.6.2-4+deb11u1) bullseye; urgency=medium
* Import fix for CVE-2021-42260.
diff -Nru tinyxml-2.6.2/debian/patches/CVE-2023-34194.patch
tinyxml-2.6.2/debian/patches/CVE-2023-34194
On Thu, 25 Jan 2024 at 03:54:46 +0100, Guilhem Moulin wrote:
> [x] attach debdiff against the package in oldstable
Oops, doing that now :-)
--
Guilhem.
diffstat for xerces-c-3.2.3+debian xerces-c-3.2.3+debian
changelog |
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: xerce...@packages.debian.org
Control: affects -1 + src:xerces-c
[ Reason ]
xerces-c 3.2.3+debian-3 is vulnerable to CVE-2023-37536 (Integer
overflows in
Control: tag -1 - moreinfo
Hi,
On Thu, 21 Dec 2023 at 21:59:40 +, Jonathan Wiltshire wrote:
> On Mon, Dec 18, 2023 at 02:10:20PM +0100, Guilhem Moulin wrote:
>> [ Reason ]
>>
>> 1. cryptsetup-suspend 2:2.6.1-4~deb12u1 was found incompatible with
>> systemd 254.1
)
+
+ [ Guilhem Moulin ]
+ * add_modules(): Change suffix drop logic to match initramfs-tools.
+ * Fix DEP-8 tests with kernels shipping compressed modules.
+ * d/salsa-ci.yml: Set RELEASE=bookworm.
+
+ -- Guilhem Moulin Mon, 18 Dec 2023 03:41:04 +0100
+
cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency
On Thu, 28 Sep 2023 at 18:53:46 +0100, Adam D. Barratt wrote:
> --- a/CHANGELOG.md
> +++ b/CHANGELOG.md
> @@ -1,5 +1,54 @@
> # Changelog Roundcube Webmail
>
> +## Unreleased
> +
>
> That seems wrong, given that you're uploading a released version.
Well spotted but that one is upstream's, see
ency=high
+
+ * New security/bugfix upstream release:
++ Fix CVE-2023-43770: cross-site scripting (XSS) vulnerability in handling
+ of linkrefs in plain text messages. (Closes: #1052059)
++ Enigma: Fix initial synchronization of private keys.
+ * d/u/signing-key.asc: Add Alec's key BE
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin
Control: affects -1 + src:pandoc
[ Reason ]
pandoc 2.17.1.1-1.1 is vulnerable to CVE-2023-35936: Arbitrary file write
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pan...@packages.debian.org, Guilhem Moulin
Control: affects -1 + src:pandoc
[ Reason ]
pandoc 2.9.2.1-1 is vulnerable to CVE-2023-35936: Arbitrary file write
in lapi.c. (Closes:
+#920321)
+ * Fix CVE-2020-24370: Segmentation fault in getlocal and setlocal functions
+in ldebug.c. (Closes: #988734)
+
+ -- Guilhem Moulin Thu, 22 Jun 2023 22:03:38 +0200
+
lua5.3 (5.3.3-1.1) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru lua5.3-5.3.3
ay be what we
+observe when the server is fast enough, but according to RFC 8555 sec.
+7.1.6 the state actually transitions via "processing" and we need to
+account for that (closes: #1034834).
+ * d/gbp.conf: Set 'debian-branch = debian/bullseye'.
+
+ -- Guilhem Moulin Fri,
"valid". The latter may be what
+we observe when the server is fast enough, but according to RFC 8555
+sec. 7.1.6 the state actually transitions via "processing" state and
+we need to account for that.
+ - Test suite: Point stretch's archive URL to archive.d.o.
+
+
200
+++ cryptsetup-2.6.1/debian/changelog 2023-04-21 00:54:29.0 +0200
@@ -1,3 +1,17 @@
+cryptsetup (2:2.6.1-4~deb12u1) bookworm; urgency=medium
+
+ * Rebuild for Bookworm.
+
+ -- Guilhem Moulin Fri, 21 Apr 2023 00:54:29 +0200
+
+cryptsetup (2:2.6.1-4) unstable; urgency=med
ann ]
+ * Add Breaks on cryptsetup-initramfs (see #1032235)
+
+ [ Guilhem Moulin ]
+ * d/gbp.conf: Set 'debian-branch = debian/bookworm'.
+ * d/rules: Restore threading support to libargon2-1-udeb (closes: #1034696).
+This is beneficial for cryptsetup-udeb, see #1028250. Removing thread
password length to
+100 bytes. (Closes: #1009062.)
+Cherry-picked from https://hg.ucc.asn.au/dropbear/rev/228b086794b7 .
+ * d/gbp.conf: Set debian-branch = debian/buster.
+
+ -- Guilhem Moulin Wed, 06 Apr 2022 20:54:24 +0200
+
dropbear (2018.76-5) unstable; urgency=medium
* Put custo
ci.yml: Target Bullseye release.
+
+ -- Guilhem Moulin Fri, 18 Feb 2022 22:17:29 +0100
+
php-crypt-gpg (1.6.4-2) unstable; urgency=medium
* Require phpunit ≥8 in Build-Depends.
diff -Nru php-crypt-gpg-1.6.4/debian/gbp.conf
php-crypt-gpg-1.6.4/debian/gbp.conf
--- php-crypt-gpg-1.6.4/debian/gb
).
+ * d/roundcube-core.postinst: lighttpd: Don't enable fastcgi-php if there is
+already an enabled fastcgi .php handler (closes: #988236).
+ * d/uupdate: Fix comment.
+
+ -- Guilhem Moulin Mon, 17 May 2021 20:45:48 +0200
+
roundcube (1.4.11+dfsg.1-3) unstable; urgency=medium
* Remove
delete system users on purge. There might be files
+on disk owned by _lacme-client when 'challenge-directory' is set in the
+configuration (closes: #988032).
+
+ -- Guilhem Moulin Tue, 04 May 2021 01:37:13 +0200
+
lacme (0.8.0-1) unstable; urgency=low
* New upstream release (closes
Control: tag -1 - moreinfo
Hi Paul,
On Fri, 02 Apr 2021 at 22:33:05 +0200, Paul Gevers wrote:
> I'm not overly enthusiastic about the size of the diff, but indeed this
> seems like something we'd want.
>
> Please go ahead and remove the moreinfo tag once the upload has happened.
Done, many
+ - letsencryptauthorityx[34].pem
+See https://letsencrypt.org/certificates/
+ * Moreover 'CAfile' now defaults to /usr/share/lacme/ca-certificates.crt
+which is a concatenation of all known active CA certificates (which
+includes the previous default).
+Closes: #975862.
+
+ -- Guilhem Moulin Thu, 26
On Tue, 07 Jul 2020 at 17:31:01 +0100, Adam D. Barratt wrote:
>> The security team gave the green light for an upload of
>> 1.3.14+dfsg.1-1~deb10u1 to buster-security, but suggested to target
>> old-p-u for stretch. stretch currently has 1.2.3+dfsg.1-4+deb9u3
>> while stretch-security and
:59.0
+0200
@@ -1,3 +1,11 @@
+roundcube (1.2.3+dfsg.1-4+deb9u6) stretch; urgency=high
+
+ * Backport security fix for CVE-2020-15562: Cross-Site Scripting (XSS)
+vulnerability via HTML messages with malicious svg/namespace
+(Closes: #964355)
+
+ -- Guilhem Moulin Mon, 06 Jul 2020 16:14:59
Thanks, uploaded! Hope this makes it to 10.1 :-)
And again, many thanks for your work on Buster!
--
Guilhem.
signature.asc
Description: PGP signature
<->8--
cryptsetup (2:2.1.0-5+deb10u2) buster; urgency=medium
* Cherry pick upstream commit 8f8f0b32: Fix mapped segments overflow on
32bit architectures. Regression since 2:2.1.0-1. (Closes: #935702)
-- Guilhem Moulin Mon, 26 Aug 2019 14:54:10 +0200
cryptsetup (2:2
thorizations, order and certificate URLs. Let's Encrypt will remove
+support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+Closes: #935799.
+
+ -- Guilhem Moulin Thu, 22 Aug 2019 00:14:42 +0200
+
lacme (0.5-1) unstable; urgency=medium
* New upstream release, adding support
tps://tools.ietf.org/html/rfc8555> instead of the
+ACME I-D URL.
+ * Issue GET and POST-as-GET requests (RFC 8555 sec. 6.3) for the
+authorizations, order and certificate URLs. Let's Encrypt will remove
+support of unauthenticated GETs from the V2 API on 01 Nov 2019.
+
+ -- Guilhem
Thanks, uploaded. And sorry for the wall of text in the original report ^^
--
Guilhem.
lot on the header.
(Closes: #934715)
-- Guilhem Moulin Fri, 16 Aug 2019 19:18:10 +0200
The 3 cherry-picked patches are all backported from 2.2.0 [1,2], and the
version in sid is not affected. (The one in Stretch is not affected
either as it doesn't have LUKS2 support.) The diff also inclu
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Tags: d-i
Hi there,
During a chat at MiniDebConf Hamburg last week-end we (cryptsetup
package maintainers + KiBi + ivodd) discussed a path forward for #927165
(debian-installer:
/changelog 2019-04-30 21:20:47.0 +0200
+++ cryptsetup-2.1.0/debian/changelog 2019-05-28 17:04:16.0 +0200
@@ -1,3 +1,22 @@
+cryptsetup (2:2.1.0-4) unstable; urgency=medium
+
+ [Guilhem Moulin]
+ * d/initramfs/hooks/cryptroot: Always add userspace crypto module
+('algif_skciph
Control: tag -1 - moreinfo
Control: retitle -1 unblock: signing-party/2.10-2
Hi Ivo,
On Sun, 05 May 2019 at 14:44:31 +0200, Ivo De Decker wrote:
> On Wed, May 01, 2019 at 01:44:08PM +0200, Guilhem Moulin wrote:
>> On Wed, 01 May 2019 at 12:46:12 +0200, Guilhem Moulin wrote:
>>
Hi Salvatore,
On Wed, 01 May 2019 at 13:37:12 +0200, Salvatore Bonaccorso wrote:
> On Wed, May 01, 2019 at 01:27:26PM +0200, Guilhem Moulin wrote:
>> +signing-party (2.5-1+deb9u1) stretch; urgency=medium
>> +
>> + * Backport security fix for CVE-2018-15599: unsafe shell ca
On Wed, 01 May 2019 at 12:46:12 +0200, Guilhem Moulin wrote:
> gpg-key2ps(1) from signing-party 2.9-1 is vulnerable to CVE-2018-15599:
> unsafe shell call enabling shell injection via a User ID.
Erm that should be CVE-2019-11627, and the changelog is wrong as well.
Would you like me to
.)
+
+ -- Guilhem Moulin Wed, 01 May 2019 12:55:42 +0200
+
signing-party (2.5-1) unstable; urgency=low
* caff:
diff -Nru signing-party-2.5/debian/control signing-party-2.5/debian/control
--- signing-party-2.5/debian/control2016-10-06 14:59:44.0 +0200
+++ signing-party-2.5/debian/control
+
+ * gpg-key2ps: Security fix for CVE-2018-15599: unsafe shell call enabling
+shell injection via a User ID. Use Perl's (core) module Encode.pm instead
+of shelling out to `iconv`. (Closes: #928256.)
+
+ -- Guilhem Moulin Wed, 01 May 2019 12:21:59 +0200
+
signing-party (2.9-1) unstable; urgency
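Review bot: the CVE identifier in the "gpg-key2ps: Security fix for CVE-2018-15599" entry conflicts with the correction given earlier in this thread ("that should be CVE-2019-11627, and the changelog is wrong as well"); the changelog should carry the corrected identifier before upload, since the CVE named there is what the security tracker and downstream users will match the fix against.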
to the
+initramfs on non-usrmerge systems. (Closes: #928263.)
+
+ -- Guilhem Moulin Tue, 30 Apr 2019 21:20:47 +0200
+
cryptsetup (2:2.1.0-2) unstable; urgency=medium
* debian/copyright:
diff -Nru cryptsetup-2.1.0/debian/initramfs/hooks/cryptopensc
cryptsetup-2.1.0/debian/initramfs
On Sun, 26 Aug 2018 at 14:52:06 +0100, Adam D. Barratt wrote:
> +dropbear (2016.74-5+deb9u1) stable; urgency=medium
>
> Please make the distribution "stretch", and feel free to upload.
Oops yes sorry, uploaded with the correct distribution now.
--
Guilhem.
in svr-auth.c in Dropbear through 2018.76 is prone to a user
+enumeration vulnerability because username validity affects how fields in
+SSH_MSG_USERAUTH messages are handled. (Closes: #906890.)
+Adapted from https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00 .
+
+ -- Guilhem Moulin
Hi,
On Sat, 20 Jan 2018 at 12:00:06 +0100, Cyril Brulebois wrote:
> Jonas Meurer (2018-01-20):
>> Am 18.12.2017 um 19:38 schrieb Emilio Pozuelo Monfort:
>>> Actually I just read the thread about the -udeb uninstallability.
>>> Let's wait until that is fixed or until Cyril
Hi Cyril,
On Mon, 18 Dec 2017 at 01:39:35 +0100, Cyril Brulebois wrote:
> Guilhem Moulin <guil...@debian.org> (2017-12-18):
>> On Sun, 17 Dec 2017 at 18:12:21 +0100, Cyril Brulebois wrote:
>>> I've added this as a todo item, along with looking into src:argon2
>>>
On Sun, 17 Dec 2017 at 18:12:21 +0100, Cyril Brulebois wrote:
> Guilhem Moulin <guil...@debian.org> (2017-12-17):
>> On Sun, 17 Dec 2017 at 13:32:55 +0100, Cyril Brulebois wrote:
>>> Jonas Meurer <jo...@freesources.org> (2017-12-17):
>>>> Debian-boot
Hi all,
On Sun, 17 Dec 2017 at 13:32:55 +0100, Cyril Brulebois wrote:
> Jonas Meurer (2017-12-17):
>> Debian-boot is Cc'ed as cryptsetup provides udebs, so debian-installer
>> is affected as well.
>
> Thanks for letting us (debian-boot@) know. AFAICT, on the udeb side we
7.3/debian/changelog 2017-05-09 13:50:59.0 +0200
@@ -1,3 +1,16 @@
+cryptsetup (2:1.7.3-4) unstable; urgency=high
+
+ [ Guilhem Moulin ]
+ * Drop obsolete update-rc.d parameters. Thanks to Michael Biebl for the
+patch. (Closes: #847620)
+ * debian/copyright: Fix license mismatch (d
upstream's LICENSE file.
+(Closes: #860406.)
+
+ -- Guilhem Moulin <guil...@guilhem.org> Sun, 16 Apr 2017 12:22:56 +0200
+
dropbear (2016.74-2) unstable; urgency=low
* Tolerate lack of boot script config file /etc/dropbear-initramfs/config.
diff -Nru dropbear-2016.74/debian/cop
"-N"; in particular, "-q0" is now a mere alias for
+"-N". (Closes: #854292)
+
+ -- Guilhem Moulin <guil...@guilhem.org> Fri, 03 Mar 2017 20:32:55 +0100
+
netcat-openbsd (1.130-2) unstable; urgency=medium
* Fix handling of delayed exit option (Closes: #8
ode as the local dbclient user if
+ particular -m or -c arguments are provided (CVE-2016-7408).
+
+ -- Guilhem Moulin <guil...@guilhem.org> Sat, 28 Jan 2017 18:23:47 +0100
+
dropbear (2014.65-1) unstable; urgency=low
[ Matt Johnston ]
only in patch2:
unchanged:
--- dropbear-2014.65
@@
+signing-party (1.1.10-3) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * caff:
++ Fix RCF 2822 violation: Never localize the Date header, regarless of
+ the LC_ALL, LC_TIME and LANG in use. Regression introduced in r698.
+ (Closes: #767371)
+
+ -- Guilhem Moulin guil
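Review bot: two typos in the caff entry, "Fix RCF 2822 violation" should read "RFC 2822" and "regarless" should read "regardless"; worth fixing before upload since changelog text is what users read to judge whether the Date-header regression affects them.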
-party (1.1.10-1+deb8u1) unstable; urgency=medium
+
+ [ Guilhem Moulin ]
+ * caff:
++ Fix RCF 2822 violation: Never localize the Date header, regarless of
+ the LC_ALL, LC_TIME and LANG in use. Regression introduced in r698.
+ (Closes: #767371)
+
+ -- Guilhem Moulin guil
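Review bot: the distribution field reads "unstable" while the version is "1.1.10-1+deb8u1", a suffix that by convention denotes a stable (jessie) update, so the target suite should be double-checked before upload; the same "RCF 2822" / "regarless" typos as in the 1.1.10-3 entry are repeated in this entry.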
Control: retitle -1 unblock: signing-party/1.1.10-2
unblock signing-party/1.1.10-2
On Fri, 07 Nov 2014 at 23:26:24 +0100, Niels Thykier wrote:
On 2014-11-07 22:36, Guilhem Moulin wrote:
I would like to upload the attached changes: a regression bug has been
introduced in signing-party 1.1.10-1