[SECURITY] [DSA 5088-1] varnish security update

2022-03-03 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Security Advisory DSA-5088-1 secur...@debian.org https://www.debian.org/security/ Florian Weimer March 03, 2022

[SECURITY] [DSA 5032-1] djvulibre security update

2021-12-28 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Security Advisory DSA-5032-1 secur...@debian.org https://www.debian.org/security/ Florian Weimer December 28, 2021

Re: Stretch-pu

2020-05-31 Thread Florian Weimer
* R. hertoric: > Number of Bugs reported up to date? Sorry, would you please explain? Thanks.

[SECURITY] [DSA 4687-1] exim4 security update

2020-05-16 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Security Advisory DSA-4687-1 secur...@debian.org https://www.debian.org/security/ Florian Weimer May 16, 2020

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Salvatore Bonaccorso: > Hi Florian, > > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote: >> * Salvatore Bonaccorso: >> >> > Hi Florian, >> > >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote: >>

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Salvatore Bonaccorso: > Hi Florian, > > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote: >> * Florian Weimer: >> >> > * Francesco Poli: >> > >> >> Please note that the CVE is mentioned in [DSA-4667-1]. >> >> >&

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Florian Weimer: > * Francesco Poli: > >> Please note that the CVE is mentioned in [DSA-4667-1]. >> >> [DSA-4667-1]: >> <https://lists.debian.org/debian-security-announce/2020/msg00071.html> >> >> What's wrong with that tracker page? > &g

Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

2020-05-01 Thread Florian Weimer
* Francesco Poli: > Please note that the CVE is mentioned in [DSA-4667-1]. > > [DSA-4667-1]: > > > What's wrong with that tracker page? It's something in the NVD data that breaks the HTML escaping.

Re: Reintroducing openjdk-8 for Bullseye?

2020-04-09 Thread Florian Weimer
* Graham Inggs: > As of nvidia-cuda-toolkit 10.1.243, upstream stopped shipping the > bundle JRE, and expect users to download it directly from Oracle. We > are considering our options, and one which is very attractive for us > is for openjdk-8 to be reintroduced for Bullseye, but the question

Re: package for security advice

2020-03-07 Thread Florian Weimer
* Russell Coker: > I think it would be good to have a package for improving system > security. It could depend on packages like spectre-meltdown-checker > and also contain scripts that look for ways of improving system > security. For example recommend SE Linux or Apparmor (if you don't > have

Re: new hash algorithim for git and maybe a goal for Bullseye ?

2020-02-07 Thread Florian Weimer
* shirish शिरीष: > I was shared this [1] and while it's important, it is equally > important to point out that the work isn't complete atm. From what > little I know, almost all Debian's work is now using git (there may be > some subversion, some mercurial repos) but most of the work has now >

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Paul Wise: > On Wed, Jan 1, 2020 at 1:00 PM Florian Weimer wrote: > >> Doesn't lintian on ftp-master use disposable VMs? > > No mention of qemu/kvm in dak.git nor any qemu processes running on > ftp-master.d.o, so I don't think so. Uh-oh. >> Some of its checks loo

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Daniel Reichelt: >> Some of its checks look inherently dangerous, e.g. the bash -n >> check for shell syntax. > > Why would bash -n be dangerous? In the past, the bash parser was not very successful at inhibiting command execution. I doubt that this has changed, although some corner cases

Re: Why no security support for binutils? What to do about it?

2020-01-01 Thread Florian Weimer
* Paul Wise: > On Tue, Dec 31, 2019 at 9:47 AM Florian Weimer wrote: > >> BFD and binutils have not been designed to process untrusted data. >> Usually, this does not matter at all. For example, no security >> boundary is crossed when linking object files that have be

Re: Why no security support for binutils? What to do about it?

2019-12-31 Thread Florian Weimer
* Andreas: > there is no security support for binutils in debian stable > (buster). Given the importance of binutils this seems to me to be a real > problem. BFD and binutils have not been designed to process untrusted data. Usually, this does not matter at all. For example, no security

Re: Glances: Unprotected XMLRPC server enabled by default

2019-10-11 Thread Florian Weimer
* Jim Mi: > Done. Thanks. For future reference: > On Thu, Oct 10, 2019, 23:09 Salvatore Bonaccorso wrote: > >> Hi Jim, >> >> On Thu, Oct 10, 2019 at 04:31:01PM +0800, Jim Mee wrote: >> > Hi all, >> > >> > I recently found glances

Re: "-fstack-clash-protection" option

2019-01-15 Thread Florian Weimer
* Hideki Yamane: > I've read systemd's vulnerability article [1] and then I have > a question, do we have any plan to enable "-fstack-clash-protection" > by default? I cannot find any discussion about it. There's a bug report requesting a build flags change:

[SECURITY] [DSA 3984-1] git security update

2017-09-26 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Debian Security Advisory DSA-3984-1 secur...@debian.org https://www.debian.org/security/ Florian Weimer September 26, 2017

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-05-01 Thread Florian Weimer
* Julien Cristau: > On Mon, Apr 3, 2017 at 20:43:08 +0200, Florian Weimer wrote: > >> * Niels Thykier: >> >> > There is a security team related item in the release checklist where we >> > need input from the you[1]: >> > >> > Items are:

Re: [release-notes/stretch] Release notes sign-off from the security team

2017-04-03 Thread Florian Weimer
* Niels Thykier: > There is a security team related item in the release checklist where we > need input from the you[1]: > > Items are: > * release-notes: Security Team signoff for lower supported packages > > Please review the release notes and file bugs for the missing items (if > any) and let

Re: Vulnerabilities rated medium or low risk may not be fixed by Debian security team, is that correct?

2016-10-18 Thread Florian Weimer
* Michael Stone: > On Thu, Oct 13, 2016 at 02:45:29PM -, te3...@sigaint.org wrote: >>As you asked me for a specific case, may I bring up CVE-2016-5696. >> >>A fix to the medium-risk vulnerability was uploaded on July 10, 2016 by >>Eric Dumazet (cf.

Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Florian Weimer
* Salvatore Bonaccorso: > There were two CVE assignments for systemd recently, CVE-2016-7795 and > CVE-2016-7796, and assigned here: > https://marc.info/?l=oss-security&m=147521835218986&w=2 > > CVE-2016-7795 is for > > https://github.com/systemd/systemd/issues/4234 >

Re: Bug#839607: Robustify manager_dispatch_notify_fd()

2016-10-03 Thread Florian Weimer
* Michael Biebl: > Dear security team, I'd appreciate your input on bug #839607 It's a bug, and it should be fixed in stable, probably in a point update. Does this affect other distributions? In this case, it's best to request a CVE ID on the oss-security list.

Re: [SECURITY] [DSA 3372-1] linux security update

2015-10-27 Thread Florian Weimer
* Denny Bortfeldt: > Hello everyone, > > does anyone know why there aren't any changelogs for deb7u4 and deb7u5 ?! Hi Denny, I checked, and there are changelog entries in the package. > It would be really nice to know what have been changed. > > ~# apt-get changelog linux-headers-3.2.0-4-amd64

Re: curl security issue? - [SECURITY NOTICE] libidn with bad UTF8 input

2015-07-18 Thread Florian Weimer
* Patrick Schleizer: Are you aware of this already? [SECURITY NOTICE] libidn with bad UTF8 input http://curl.haxx.se/mail/lib-2015-06/0143.html Haven’t found anything related on debian.org mailing lists and/or curl's changelog. We are aware of it. This will be fixed in libidn because

Re: Crippling query plan change between 3.7.13 and 3.8.10.2

2015-05-28 Thread Florian Weimer
* Florian Weimer: I will figure out a way to rewrite the query so that it runs reasonably fast again (which will address our immediate needs), but maybe there is something that can be fixed in the planner as well. I committed something and restarted the daemon. The page still loads extremely

Re: upgrading soler.d.o

2015-05-28 Thread Florian Weimer
* Salvatore Bonaccorso: If one tries to access the JSON format url this triggers the issue. Thanks for isolating the issue and providing a test case. I can reproduce locally. It may not be a memory leak, but a change in the SQLite query planner. The problematic query appears to be: SELECT

Crippling query plan change between 3.7.13 and 3.8.10.2

2015-05-28 Thread Florian Weimer
The Debian security tracker https://security-tracker.debian.org/ uses an SQLite database to keep track of vulnerabilities and generate reports. We recently upgraded SQLite from 3.7.13 to 3.8.7.1 as part of an operating system upgrade and experienced a crippling query planner change. I verified

Re: upgrading soler.d.o

2015-05-27 Thread Florian Weimer
* Peter Palfrader: we'd like to upgrade soler.d.o jessie shortly. Any objections? Should we just do it and let you pick up the pieces, if any, or would you rather stop by in #debian-admin on IRC to coordinate? If you do it closer to the weekend, I'll probably be around to pick up the

Re: openjdk-7 security updates after JDK 7 End of Public Updates

2015-03-28 Thread Florian Weimer
* Francis Devereux: Thanks Moritz, that's good news. I can't find any details of icedtea's security support lifecycle on their website so I might email their mailing list. What I'm trying to do is get an understanding of how long the Debian openjdk-7 packages are likely to be supported for

Bug#761859: security-tracker json deployed

2015-02-26 Thread Florian Weimer
* Holger Levsen: On Thursday, 26 February 2015, Paul Wise wrote: I noticed the description fields are truncated, is that intentional? that's all that is stored in the db... There used to be a job that downloaded the full description from the NVD web service and put it into the nvd_data

Re: debsecan now on Gitorious

2015-02-25 Thread Florian Weimer
* Raphael Hertzog: On Sun, 22 Feb 2015, Florian Weimer wrote: I've moved the debsecan Git repository to Gitorious. Please speak up if you want to be added to the push ACL. Out of curiosity, why not on git.debian.org ? As far as I understand it, there's no effective separation between user

Re: [SECURITY] [DSA 3171-1] samba security update

2015-02-23 Thread Florian Weimer
* Jernej Korinšek: For Debian I don't know, for RH: Lastly the version of Samba 4.0 shipped with Red Hat Enterprise Linux 6.2 EUS is based on an alpha release of Samba 4, which lacked the password change functionality and thus the vulnerability. The same is true for the version of Samba 3.0 shipped

debsecan now on Gitorious

2015-02-22 Thread Florian Weimer
I've moved the debsecan Git repository to Gitorious. Please speak up if you want to be added to the push ACL. -- To UNSUBSCRIBE, email to debian-security-tracker-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive:

Bug#761859: yaml...

2015-02-22 Thread Florian Weimer
* Holger Levsen: the patch currently creates yaml, not json. Which do you prefer? JSON has less risk of unwanted data execution when deserializing. It is also supported by Python out of the box, so it's more natural for the successor of the custom debsecan format (which I created when Python

Re: Should we be alarmed at our state of security support?

2015-02-18 Thread Florian Weimer
* John Goerzen: Regarding the python2.6 one you were saying wasn't a big deal -- there's a proof of concept exploit for it https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ . Why would the tracker say that such a thing wasn't important enough to

Re: [SECURITY] [DSA 3148-1] chromium-browser end of life

2015-02-04 Thread Florian Weimer
* Russell Coker: On Sun, 1 Feb 2015 11:18:43 PM Paul Wise wrote: chromium was already being backported to wheezy for security updates, the latest versions need newer compilers so we can't backport any more. Why can't we backport the compilers too? You'd have to replace the system libstdc++

Re: [SECURITY] [DSA 3121-1] file security update

2015-01-19 Thread Florian Weimer
* Henrique de Moraes Holschuh: However, it would be best if we could somehow get you permission to upload backports of file. Looks like it's being worked on: https://nm.debian.org/public/process/cbiedl (I don't know what's blocking this, Christoph really shouldn't have any trouble passing

Re: Switching the tracker to git

2014-09-15 Thread Florian Weimer
My guess is that the only reason that subversion is still used is inertia and that people would be happier with git. However, I'm curious to know if anyone thinks otherwise? For releasing security advisories, we need the centralized repository to guarantee uniqueness of DSA numbers. I'm also

Bug#759727: patches for including LTS into security-tracker.d.o

2014-08-31 Thread Florian Weimer
* Holger Levsen: -# security_db.py -- simple, CVE-driven Debian security bugs database +# lts_db.py -- simple, CVE-driven Debian security bugs database This change appears unnecessary. - AND sp.subrelease 'security' + AND sp.subrelease 'security' AND p.subrelease 'lts'
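Review bot: the added condition in the second hunk uses the alias p (p.subrelease 'lts') while the existing condition on the same line uses sp (sp.subrelease 'security'); unless both aliases are bound in this query, the new filter either fails or applies to the wrong table, so it should most likely read sp.subrelease <> 'lts' (the <> operators do not survive in the quoted text, so verify them in the actual patch). The first hunk only changes the file name in the header comment from security_db.py to lts_db.py; unless the file itself is renamed, that comment becomes wrong, which matches the reply's remark that the change appears unnecessary.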

Re: Apache-based caching for https://security-tracker.debian.org/tracker/debsecan/release/1/

2014-03-18 Thread Florian Weimer
* Stephen Gran: This one time, at band camp, Florian Weimer said: Hi, I plan to switch the debsecan data source to URLs below: https://security-tracker.debian.org/tracker/debsecan/release/1/ I don't know how much traffic this will generate eventually. Would it be possible to tweak

security-tracker.debian.org redirects fixed

2014-03-17 Thread Florian Weimer
The tracker assumed it was running an http:// service and generated https:// URLs, including in redirects. For some reason, my Firefox didn't like these, and I think it's because Strict Transport Security was activated at one point. I switched all URLs to https://, so the redirects should work

Schema reorganization for package_notes table

2014-02-02 Thread Florian Weimer
The package_notes table currently looks like this: CREATE TABLE package_notes (id INTEGER NOT NULL PRIMARY KEY, bug_name TEXT NOT NULL, package TEXT NOT NULL, fixed_version TEXT CHECK (fixed_version IS NULL OR fixed_version <> ''),

Re: NSA software in Debian

2014-01-22 Thread Florian Weimer
* Marco Saller: i am not sure if this question has been asked or answered yet, please do not mind if i would ask it again. Is it possible that the NSA or other services included investigative software in some Debian packages? We don't reject contributions just because they come from a

Re: Check for revocation certificates before running apt-get?

2013-12-30 Thread Florian Weimer
* Kurt Roeckx: On Sun, Dec 15, 2013 at 03:15:03AM +, adrelanos wrote: When you implement this, please ensure it isn't vulnerable to any duplicate-keyid problems: http://debian-administration.org/users/dkg/weblog/105 Damn, I wasn't aware of the latest news that long key ids are

Re: MIT discovered issue with gcc

2013-11-26 Thread Florian Weimer
* Bob Proulx: In those systems the zero page is initially bit-zero and reading from the zero point will return zero values from the contents there. If the program writes to the zero page then subsequent reads will return whatever was written there. This is bad behavior that was the default

Re: process to include upstream jar sig in Debian-generated jar

2013-09-01 Thread Florian Weimer
* Michael Stone: On Thu, Aug 29, 2013 at 11:35:47AM +0200, Sébastien Le Ray wrote: Yes but the whole thing looks weird, on one hand OP wants to include a signed jar in the package, on the other hand he says signature could be omitted if quick update is needed… What's the point having signed JAR

Re: process to include upstream jar sig in Debian-generated jar

2013-08-29 Thread Florian Weimer
* Hans-Christoph Steiner: That should then result in a debian-generated jar that has the martus signature on it. If Debian Security needed to update the package to fix an urgent issue, then they could still do so. The package build process would only include the upstream signature from

Re: security-tracker now on https?

2013-05-24 Thread Florian Weimer
* Stephen Gran: This one time, at band camp, Florian Weimer said: * Peter Palfrader: The solution I'm favouring right now is to get a single *.debian.org wildcard from the cartell and spread it far and wide. The contract terms usually do not allow this. We could ask StartSSL or some

Re: security-tracker now on https?

2013-05-24 Thread Florian Weimer
* Martin Zobel-Helas: No, wildcards certificates are generally only licensed for installation on a single server. http://www.digicert.com/wildcard-ssl-certificates.htm And every DigiCert wildcard certificate comes with an unlimited server license, so you only pay once—whether you have one

Re: security-tracker now on https?

2013-05-19 Thread Florian Weimer
* Peter Palfrader: The solution I'm favouring right now is to get a single *.debian.org wildcard from the cartell and spread it far and wide. The contract terms usually do not allow this. We could ask StartSSL or some other CA if they would issue certificates to us in a convenient way.

Re: Post-release changes on soler

2013-05-14 Thread Florian Weimer
* Florian Weimer: FYI, I'm trying to implement the post-release changes on soler, the host for security-tracker.debian.org. The NVD feed is gone (all the XML files are empty), so I'm disabling that temporarily. The web site should follow the Subversion repository again.

Re: About adding security.debian.org ipv6 to iptables, which range should we add?

2013-05-06 Thread Florian Weimer
* Stefan Eriksson: Hi now and again we get a timeout when looking up security.debian.org while running apt-get update. We have traced it to the ipv6's we get. It seems like they change (and as ipv6 have prio over ipv4 we are affected) Which ipv6 range should we open for in iptables to have

Re: CVE-2013-0240 misreported as fixed in experimental

2013-02-16 Thread Florian Weimer
* Thijs Kinkhorst: Hi Florian, On Fri, February 8, 2013 21:28, Florian Weimer wrote: Good point. We shouldn't have experimental in the tracker because it doesn't work - in general, the fixed versions from unstable cannot be applied there. As there was another confusion about this today

Re: CVE-2013-0240 misreported as fixed in experimental

2013-02-08 Thread Florian Weimer
* Simon McVittie: https://security-tracker.debian.org/tracker/CVE-2013-0240 says: gnome-online-accounts wheezy 3.4.2-1 vulnerable sid 3.4.2-2 fixed experimental 3.6.1-1 fixed but the bug is not fixed in experimental, and the BTS'

Re: [SECURITY] [DSA 2563-1] viewvc security update

2012-10-23 Thread Florian Weimer
* Jon Dowland: This DSA was signed with key 0x401DAC04, which is not in any debian-keyring package I can find, nor on pgp.mit.edu. Is this a mistake? Thanks! It's a signing subkey of E1C21845, some software might have problems with that. The entire key is available from the developer LDAP.

Re: pre-screening new package: SQLCipher, based on SQLite3

2012-10-01 Thread Florian Weimer
* Stephen Lombardo: I agree that implementing SQLCipher using a VFS plugin would work, and we've considered it in the past. However, we've decided to stick with the codec approach for now, given that some functionality could prove more complex to implement and a major shift / rewrite could

Re: pre-screening new package: SQLCipher, based on SQLite3

2012-09-28 Thread Florian Weimer
* Hans-Christoph Steiner: The tricky part is that it is a modified version of SQLite3, and lintian properly gives an error about that. But because of the features that SQLCipher provides, it must modify the core of SQLite to work, therefore it cannot be made into a plugin. Why isn't it

Re: sun-java6-plugin outdated and vulnerable to an actively exploited security issue

2012-08-17 Thread Florian Weimer
* Jason Fergus: Is it plausible to get openjdk7 backported to squeeze as a security measure in this regard? It sure seems to be more closely based to what oracle is now putting out. Well there are some programs that apparently refuse to work with Java7 altogether, but I'd say that's the

Re: The tracker is no longer updated

2012-08-06 Thread Florian Weimer
* Moritz Mühlenhoff: It looks as if the tracker instance doesn't update the Packages file properly. Florian, can you look into it? A download from cdn.debian.net was stuck. I'll try to add a timeout, so that in the future, recovery will be fully automated.

Re: [SECURITY] [DSA 2491-1] postgresql-8.4 security update

2012-06-09 Thread Florian Weimer
* Florian Weimer: CVE-2012-2143 The crypt(text, text) function in the pgcrypto contrib module did not handle certain passwords correctly, ignoring characters after the first character which does not fall into the ASCII range. It's been pointed out to me

[DSA 2442-1] openarena security update

2012-03-26 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Debian Security Advisory DSA-2442-1 secur...@debian.org http://www.debian.org/security/ Florian Weimer March 26, 2012

Re: AW: Vulnerable PHP version according to nessus

2011-12-28 Thread Florian Weimer
* Jordon Bedwell: New upstream version is used pretty loosely here. I would hardly consider a bug fix release a new version. You guys treat versions as if they're a matter of national security, because 5.3.7 vs 5.3.8 is obviously gonna have some major major API changes and some way new

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Philipp Kern: sun-java6 is sadly still a very high profile package. I won't go and break all those installations which force sun-java6 over openjdk-6 locally, either in unattended installations or through other means. It's really unfortunate that most of those installations seem to need

Re: Bug#645881: critical update 29 available

2011-12-11 Thread Florian Weimer
* Matthias Klose: On 12/11/2011 01:07 PM, Holger Levsen wrote: Hi, On Sunday, 11 December 2011, Philipp Kern wrote: sorry, but I'd rather like to have an announcement that it has a bug, me too, for all the reasons Philipp noted. It's also trivial to download the fixed jdk from

Re: Bug#645881: critical update 29 available

2011-12-01 Thread Florian Weimer
* Moritz Mühlenhoff: Florian, what's the status of openjdk6 for stable/oldstable? I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on

Re: RSA/DSA

2011-11-25 Thread Florian Weimer
* Wim Bertels: So why isn't it possible to choose one the longer keylengths for DSA? The original DSA standard explicitly required that key lengths did not exceed 1024 bits. Older OpenSSH versions implemented that standard. -- Florian Weimer fwei...@bfk.de BFK edv-consulting

Re: Bug#645881: critical update 29 available

2011-10-21 Thread Florian Weimer
* Moritz Muehlenhoff: As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/ If anyone remembers the rationale behind the DLJ, perhaps they can check if the current BCL matches our needs, too?

Re: issues with version tracking

2011-10-20 Thread Florian Weimer
* Yves-Alexis Perez: CVEs for the radvd issues look weird on the tracker. For example, not so long ago sid had 1:1.8-1 (unfixed) while wheezy had 1:1.8-1.2 (fixed). Now both have 1:1.8-1 (while indeed the NMU reached testing today, so both sid and wheezy are fixed). Anyone knows what

Re: [SECURITY] [DSA 2311-1] openjdk-6 security update

2011-09-28 Thread Florian Weimer
* Simon McVittie: Would it be possible to provide some sort of empty transitional package for those Hotspot variants in order to get rid of them? I don't think we use transitional packages for this purpose. I think adding a Replaces: icedtea-6-jre-cacao to openjdk-6-jre-headless (on i386 and

Re: [SECURITY] [DSA 2260-1] rails security update

2011-06-14 Thread Florian Weimer
* Florian Weimer: Subject: Re: [SECURITY] [DSA 2260-1] rails security update Sorry, this is the correct subject line.

Re: DSA-2233-1 vs. tracker

2011-05-13 Thread Florian Weimer
* Francesco Poli: On Thu, 12 May 2011 22:13:00 +0200 Florian Weimer wrote: * Francesco Poli: It seems to me that the DSA-2233-1 tracker page [1] lacks the reference to CVE-2009-2939, which is instead present in the actual DSA [2]. Is there a reason for this, or is it just

Re: [SECURITY] [DSA 2233-1] postfix security update

2011-05-10 Thread Florian Weimer
* Florian Weimer: Package: postfix Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2009-2939 CVE-2011-0411 CVE-2011-1720 For the unstable distribution (sid), this problem has been fixed in version 2.8.0-1. This is incorrect. The fixed

Re: [SECURITY] [DSA 2208-1] bind9 security update

2011-03-30 Thread Florian Weimer
* Florian Weimer: For the oldstable distribution (lenny), the DS record issue will be fixed soon. (CVE-2011-0414 does not affect the lenny version.) We ran into trouble with the archive software, so only amd64 and i386 packages are available at this time. Hopefully, this will be rectified

Re: [SECURITY] [DSA 2162-1] openssl security update

2011-02-14 Thread Florian Weimer
* Nick Boyce: On 14/02/2011 16:28, Nico Golde wrote: We recommend that you upgrade your invalid memory access packages. This has been a mistake during the auto-generation of the DSA template. Of course this should say your openssl packages. Erm ... missing .. [cough] .. exit-status

Re: Squeeze release vs. tracker

2011-02-13 Thread Florian Weimer
* Thijs Kinkhorst: I've changed the code right after squeeze's release. I've also restarted the tracker service. Apparently this is not enough - Florian, can you help? Changing the views required a schema update. I've switched to temporary views, and it should work now. I also fixed the

Re: how to apply DSA-2157-1

2011-02-08 Thread Florian Weimer
* Edoardo Panfili: Reading DSA-2157-1 I can see that I must upgrade to 8.4.7-0squeeze1 but I can't find that package using http://www.debian.org/distrib/packages or apt. 8.4.7-0squeeze2 packages are now available on security.debian.org for most architectures. The remaining architectures

Re: [SECURITY] [DSA-2157-1] PostgreSQL security update

2011-02-04 Thread Florian Weimer
* Denis Feklushkin: After upgrading postgresql 9.0 it is started to appear error 'ERROR: XX000: cannot extract system attribute from virtual tuple' in executing request in a trigger: Please file a bug in the BTS (especially as it affects sid only). I'm not sure if this is related to the

Bug#610220: Show URLs in TODO/NOTE as hyperlinks in the web view

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: wishlist NOTE: see http://www.example.com/info.html; should render as NOTE: see <a href='http://www.example.com/info.html'><code>http://www.example.com/info.html</code></a> or something similar.
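The rendering requested in this bug, and the escaping failure mentioned in the CVE-2020-11565 tracker-page thread above (NVD description data that breaks the HTML escaping), are two sides of the same function: every fragment of note text, including the URL that ends up in the href, has to be escaped before any markup is wrapped around it. The following is an added example in Python, not the tracker's own code; the URL regex, the handling of trailing punctuation and the sample inputs are my own assumptions.

```python
import html
import re

# Matches http(s) URLs up to the first whitespace or markup/quote character.
# (Assumed pattern; the tracker's actual matcher is not shown on the page.)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Characters that belong to the sentence rather than the URL when they
# appear at the very end of a match, e.g. the ';' in "see http://x/; fixed".
TRAILING = ".,;:)"


def render_note(text: str) -> str:
    """Escape `text` for HTML and wrap each URL in <a href='...'><code>...</code></a>.

    Escaping is applied to every fragment, including the URL used as the
    href, so a description containing ", ', <, > or & cannot inject markup.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(text):
        # Plain text before the URL: escape it.
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        trail = ""
        while url and url[-1] in TRAILING:
            trail = url[-1] + trail
            url = url[:-1]
        # quote=True (the default) also escapes ' and ", which matters
        # because the href is single-quoted.
        safe = html.escape(url, quote=True)
        out.append(f"<a href='{safe}'><code>{safe}</code></a>{html.escape(trail)}")
        pos = m.end()
    # Plain text after the last URL (or the whole text if there was none).
    out.append(html.escape(text[pos:]))
    return "".join(out)


# Constructed sample inputs, not data from the tracker or NVD.
SAMPLE_NOTE = "NOTE: see http://www.example.com/info.html; fixed upstream"
SAMPLE_HOSTILE = "see http://h.example/?a=1&b='><script>alert(1)</script>"

if __name__ == "__main__":
    print(render_note(SAMPLE_NOTE))
    print(render_note(SAMPLE_HOSTILE))
```

The important property is that escaping happens on the way out for all text, rather than being skipped for fragments that "look like" URLs: a URL containing `&` is still a valid link after escaping to `&amp;`, while a quote character is either excluded from the match or escaped inside the attribute.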

Bug#610222: http://security-tracker.debian.org/tracker/data/releases broken

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: normal The per-suite architecture list is currently broken (,, 0, 3, 4, 6, 8, 9, a, c, d, e, h, i, l, m, o, p, r, s, w).

Bug#479727: security-tracker: Show unimportant issues in some way on package overview

2011-01-16 Thread Florian Weimer
* Thijs Kinkhorst: Currently, issues marked as unimportant disappear entirely off the radar, which is not a big problem. I think for clarity however it would be better if they were displayed somewhere so users can see we know that such a CVE applies to the package, but we just disregard it.

Bug#610227: Move scripts driven by cron etc. to separate directory

2011-01-16 Thread Florian Weimer
Package: security-tracker Severity: wishlist In the secure-testing repository, the scripts which aren't supposed to be run by regular committers should be moved from the bin directory, so that there is less clutter there.

Re: [SECURITY] [DSA 2122-2] New glibc packages fix privilege escalation

2011-01-14 Thread Florian Weimer
* Cyril Brulebois: Colin Watson discovered that the update for stable relased in DSA-2122-1 did not complete address the underlying security issue in ↑ +ly I obeyed the Reply-To, but maybe one should mail another address to get typos fixed in the web version?

More stable temporary names and URLs

2011-01-14 Thread Florian Weimer
We have changed the tracker to use temporary names containing truncated hashes of the description. This means that URLs such as http://security-tracker.debian.org/tracker/TEMP-000-9A49E3 are more stable now. Basically, they are invalidated only if the description changes or a CVE name is

Re: Bind security announce

2010-12-13 Thread Florian Weimer
* Account for Debian group mail: On Fri, 10 Dec 2010, Florian Weimer wrote: * Debian security: Is there any plan to upgrade the bind version in debian to 9.6-ESV-R3 which correct the bugs? There was a technical issue with the update process, which has been resolved now. Updates

Re: Bind security announce

2010-12-10 Thread Florian Weimer
* Debian security: Is there any plan to upgrade the bind version in debian to 9.6-ESV-R3 which correct the bugs? There was a technical issue with the update process, which has been resolved now. Updates will be released in due course.

Re: [SECURITY] [DSA 2122-1] New glibc packages fix local privilege escalation

2010-10-22 Thread Florian Weimer
* Florian Weimer: For the stable distribution (lenny), this problem has been fixed in version 2.7-18lenny6. For the upcoming stable distribution (squeeze), this problem has been fixed in version 2.11.2-6+squeeze1 of the eglibc package. For the unstable distribution (sid), this problem

Re: CVE-2009-3555 not addressed in OpenSSL

2010-10-21 Thread Florian Weimer
* Simon Josefsson: FWIW, the latest stable GnuTLS version with RFC 5746 support is not even in testing, so it won't be part of even the next stable. What would be required to get a backport of RFC 5746 support into the current stable (considering that we do not want to incorporate too many

Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

2010-10-12 Thread Florian Weimer
* Michael Gilbert: The problem here appears to be the jump to the new upstream version (1.8.2 to 1.8.13), which has a different dependency set. The actual problem was that the dependency set was initially different (it included additional, incorrect dependencies). This was corrected, and

Re: [SECURITY] [DSA 2076-1] New gnupg2 packages fix potential code execution

2010-07-27 Thread Florian Weimer
* Florian Weimer: For the stable distribution (lenny), this problem has been fixed in version 2.0.9-3.1+lenny1. Hi, we're investigating an issue with the dissemination of the gnupg2 security update (and the recent DSA-2075-1 update for xulrunner) through the security.debian.org infrastructure

Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

2010-06-09 Thread Florian Weimer
Two more issues with the update have been identified: Unexpected permissions on /etc/ssl/openssl.cnf causes OpenSSL and named to exit: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584911 (We can only try to detect this situation in BIND and print something to the log, it is not correctable in

Re: [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

2010-06-05 Thread Florian Weimer
* Florian Weimer: This update is based on a new upstream version of BIND 9, 9.6-ESV-R1. Because of the scope of changes, extra care is recommended when installing the update. Due to ABI changes, new Debian packages are included, and the update has to be installed using apt-get dist-upgrade

Re: pilot-qof dpkg-cross reports in PTS

2010-05-15 Thread Florian Weimer
* Neil Williams: I don't see the same problem with my other packages' PTS pages, just these two: http://packages.qa.debian.org/d/dpkg-cross.html This is caused by an unimportant issue, it seems: http://security-tracker.debian.org/tracker/CVE-2008-4950

Re: A new ambiguity

2010-05-10 Thread Florian Weimer
* Michael Gilbert: this has actually come up every now and then, and we have just had to accept the wrongness. i was actually planning to implement the above solution at some point, but hadn't found the time. i don't think the additional repetition is too burdensome since the CVE info is

A new ambiguity

2010-05-09 Thread Florian Weimer
I have found what appears to be a previously unknown ambiguity in the tracker input data. Consider these two DSAs: [01 May 2009] DSA-1785-1 wireshark - several vulnerabilities {CVE-2009-1210 CVE-2009-1268 CVE-2009-1269} [lenny] - wireshark 1.0.2-3+lenny5 [29 Nov 2009] DSA-1942-1
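The entries quoted in this message use the tracker's three-line DSA list layout: a dated header naming the advisory and package, a brace-enclosed CVE set, and one "[release] - package version" line per fixed release. The parser below is an added example, not the tracker's own code. The first sample entry is the DSA-1785-1 entry quoted above; the second reuses the DSA-1942-1 header from the truncated quote but its CVE set and version are constructed values, and the lookup helper simply reports every advisory that claims a fix for a CVE in a release, so cases where one release is covered by more than one DSA become visible.

```python
import re
from dataclasses import dataclass, field

# Line shapes of the DSA list format (whitespace-trimmed):
#   [01 May 2009] DSA-1785-1 wireshark - several vulnerabilities
#   {CVE-2009-1210 CVE-2009-1268 CVE-2009-1269}
#   [lenny] - wireshark 1.0.2-3+lenny5
HEADER_RE = re.compile(r"^\[(\d{2} \w{3} \d{4})\] (DSA-\d+-\d+) (\S+) - (.*)$")
CVE_RE = re.compile(r"^\{([^}]*)\}$")
FIX_RE = re.compile(r"^\[(\w+)\] - (\S+) (\S+)$")


@dataclass
class Advisory:
    date: str
    name: str
    package: str
    description: str
    cves: list = field(default_factory=list)
    fixes: dict = field(default_factory=dict)  # release -> (package, version)


def parse_dsa_list(text: str) -> list:
    """Parse the DSA list format into Advisory records; reject unknown lines."""
    advisories = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Advisory(*m.groups())
            advisories.append(current)
            continue
        if current is None:
            raise ValueError(f"data before first advisory header: {line!r}")
        m = CVE_RE.match(line)
        if m:
            current.cves.extend(m.group(1).split())
            continue
        m = FIX_RE.match(line)
        if m:
            release, package, version = m.groups()
            current.fixes[release] = (package, version)
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return advisories


def fixes_for_cve(advisories: list, cve: str) -> dict:
    """Map release -> [(DSA name, fixed version), ...] for every DSA listing `cve`.

    More than one entry per release means several advisories claim a fix for
    the same CVE in that release, which is exactly the situation a consumer
    of this data has to resolve rather than silently take the first match.
    """
    result = {}
    for adv in advisories:
        if cve in adv.cves:
            for release, (_package, version) in adv.fixes.items():
                result.setdefault(release, []).append((adv.name, version))
    return result


# Constructed sample: the first entry is quoted on the page, the second only
# reuses the DSA-1942-1 header; its CVE set and version are made up here.
SAMPLE = """\
[01 May 2009] DSA-1785-1 wireshark - several vulnerabilities
    {CVE-2009-1210 CVE-2009-1268 CVE-2009-1269}
    [lenny] - wireshark 1.0.2-3+lenny5
[29 Nov 2009] DSA-1942-1 wireshark - several vulnerabilities
    {CVE-2009-1210 CVE-2009-3550}
    [lenny] - wireshark 1.0.2-3+lenny7
"""

if __name__ == "__main__":
    for adv in parse_dsa_list(SAMPLE):
        print(adv.name, adv.package, adv.cves, adv.fixes)
    print(fixes_for_cve(parse_dsa_list(SAMPLE), "CVE-2009-1210"))
```

Rejecting unrecognised lines instead of skipping them is deliberate: the list is hand-edited, and a silently ignored line is how a release ends up reported as fixed or unfixed by accident.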

Re: Refactoring the tracker

2010-05-09 Thread Florian Weimer
* Raphael Geissert: Florian Weimer wrote: Another issue which has gained some significance lately is that the package and CVE lists have grown quite a bit, leading to longer and longer processing times on soler. I've removed a few unused features to speed things up a bit, but it seems

Re: Refactoring the tracker

2010-05-09 Thread Florian Weimer
* Michael Gilbert: Along with Raphael's suggestion, perhaps during updates we could load the new dictionaries into memory concurrently with the old ones. Then we could compare the two and only act on items that actually have differences before pushing the new updates. As long as things fit

Re: Refactoring the tracker

2010-05-04 Thread Florian Weimer
* Michael Gilbert: How about making use of a more standardized set of python features such as dictionaries for the database, and possibly storing those to disk using pickles The actual data is just 44 MB as an SQLite database, so this might work indeed. I had planned to use smaller pickles

Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED

2010-04-03 Thread Florian Weimer
* Gabriele Giacone: For example openjdk-6-source: source code is in both orig tarball and openjdk-6-source binary package. This is a duplication, isn't it? First, the duplication refers to source packages. Second, openjdk-6-source is like the emacs*-el packages, it provides IDE navigation

Re: CVE-2010-0286 and affected versions

2010-02-25 Thread Florian Weimer
* Holger Levsen: why does http://security-tracker.debian.org/tracker/CVE-2010-0286 lists 4.2.8-1 in squeeze as affected? squeeze has a newer version and 4.2.8-1 is not in Debian anywhere anymore... We somehow missed the removal of the alpha architecture from squeeze. Thanks for spotting
