Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts
Hi Chris,

On 04-01-16 13:20, Chris Lamb wrote:
> cacti (0.8.7g-1+squeeze9+deb6u13) squeeze-lts; urgency=high
> .
>   * Correct yet another regression in patch for CVE-2015-8369, introduced in
>     0.8.7g-1+squeeze9+deb6u12. Thanks to Marcel Meckel (Closes: #809260, #807599)

Apart from your weird continuation of the squeeze version numbers ;), thanks a lot for the cacti updates in lts.

Would you mind sharing your fix for CVE-2015-8377 also with the rest of the world, i.e. add a patch to the cacti bug tracker (be it in bug 2652¹ if it really is the same, or in a new bug if bug 2652 is not the same and not fixed by your patch)? To be honest, I would have expected you would have shared your fix somewhere, e.g. also in a regular bug against cacti such that the (old)stable releases could more easily see/use the patch.

The patch looks extremely simple. Could you help me by telling how you tested the patch?

Paul

¹ http://bugs.cacti.net/view.php?id=2652
[SECURITY] [DLA 374-3] cacti regression update
Package: cacti
Version: 0.8.7g-1+squeeze9+deb6u13
CVE ID : CVE-2015-8369
Debian Bug : 807599

It was discovered that there was a regression in the patch intended to fix CVE-2015-8369 in the recent upload of cacti 0.8.7g-1+squeeze9+deb6u12.

For Debian 6 Squeeze, this issue has been fixed in cacti version 0.8.7g-1+squeeze9+deb6u13.

Regards,

-- 
Chris Lamb
la...@debian.org / chris-lamb.co.uk
Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts
> Apart from your weird continuation of the squeeze version numbers ;),
> thanks a lot for the cacti updates in lts.

Well, once I started for this particular cacti version, I can hardly obstinately backtrack :)

> To be honest, I would have expected you would have shared your fix somewhere,
> e.g. also in a regular bug against cacti such that the (old)stable releases
> could more easily see/use the patch.

I will happily add it to your bug tracker as requested. I did not proactively send it upstream as it was simple and based on work that was already being distributed; I made the assumption that you would either not care or you had seen exactly what I had done. Will do so in future though, noted.

Best,

-- 
Chris Lamb
chris-lamb.co.uk / @lolamby
[SECURITY] [DLA 380-1] libvncserver security update
Package: libvncserver
Version: 0.9.7-2+deb6u2

An issue has been discovered and resolved by the libvncserver upstream developer Karl Runge addressing thread-safety in libvncserver when libvncserver is used for handling multiple VNC connections [1].

Unfortunately, it is not trivially feasible (because of ABI breakage) to backport the related patch to libvncserver 0.9.7 as shipped in Debian squeeze(-lts).

However, the thread-safety patch discussed resolved a related issue of memory corruption caused by freeing global variables without nullifying them when reusing them in another "thread", especially occurring when libvncserver is used for handling multiple VNC connections.

The described issue has been resolved with this version of libvncserver and users of VNC are recommended to upgrade to this version of the package.

[1] https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6

-- 
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net
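The failure mode this advisory names, a global freed during one connection's teardown and then reused by the next connection with the pointer still dangling, can be modelled in a few lines of C. The following is an added example, not libvncserver's code and not the upstream patch: conn_buf is a made-up stand-in for a global per-connection buffer, and conn_teardown() shows the hardened form (free, then null the pointer) that makes a repeated teardown or a later reuse harmless.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a global reused across VNC connections
 * (made-up names, not libvncserver's real data structures). */
static char *conn_buf = NULL;   /* per-connection scratch buffer */
static size_t conn_buf_len = 0;
static int alloc_count = 0;     /* how often the buffer was (re)allocated */

/* Vulnerable pattern described by the advisory, for contrast only:
 *     free(conn_buf);          // pointer left dangling
 * The next connection sees a non-NULL pointer, skips allocation and
 * writes through freed memory; a second teardown frees it again. */

/* Hardened teardown: idempotent and leaves no dangling pointer.
 * Returns 1 if a buffer was freed, 0 if there was nothing to free. */
int conn_teardown(void)
{
    if (conn_buf == NULL)
        return 0;
    free(conn_buf);
    conn_buf = NULL;        /* the fix: never keep a pointer to freed memory */
    conn_buf_len = 0;
    return 1;
}

/* Called for each new connection. Returns 1 on success, 0 on OOM. */
int conn_setup(size_t len)
{
    conn_teardown();        /* safe to call unconditionally: it is idempotent */
    conn_buf = calloc(len, 1);
    if (conn_buf == NULL)
        return 0;
    conn_buf_len = len;
    alloc_count++;
    return 1;
}

/* Stores a message in the connection buffer, truncated to fit.
 * Returns bytes stored, or -1 when no connection is active. */
int conn_store(const char *msg)
{
    if (conn_buf == NULL)   /* a nulled pointer is detectable; a dangling one is not */
        return -1;
    size_t n = strlen(msg);
    if (n >= conn_buf_len)
        n = conn_buf_len - 1;
    memcpy(conn_buf, msg, n);
    conn_buf[n] = '\0';
    return (int)n;
}

int conn_alloc_count(void) { return alloc_count; }
int conn_is_active(void) { return conn_buf != NULL; }
```

Building the same model with the contrast pattern instead (free without nulling) and running it under AddressSanitizer is the quickest way to see the double free and use-after-free the advisory describes reported at the exact lines.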
Re: Accepted linux-2.6 2.6.32-48squeeze18 (all source) into squeeze-lts
On Mon, 2016-01-04 at 08:32 +0100, Jan Ingvoldstad wrote:
> On 01/02/2016 06:06 PM, Ben Hutchings wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > Format: 1.8
> > Date: Sat, 02 Jan 2016 03:31:10 +
> > Source: linux-2.6
>
> We're getting a warning about invalid signature for this update:
>
> BADSIG 8B48AD6246925553
>
> This occasionally seems to happen shortly after a package has been
> uploaded, but it's now been two days, and that's a bit unusual.
>
> We're using http.debian.net as our package source, so I don't know which
> specific mirror, if it's specific, but it is reproducible.

What tool is showing that error, and which file is it validating - Release.gpg or the .dsc file?

Which version of debian-archive-keyring is installed on that system?

Ben.

-- 
Ben Hutchings
Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway.
Re: squeeze update of tiff?
Hi László, hi Ondřej,

On Thu 31 Dec 2015 19:01:33 CET, László Böszörményi (GCS) wrote:

On Thu, Dec 31, 2015 at 10:04 AM, Ondřej Surý wrote:

I have a git mirror[1] (git cvsimport) of upstream CVS and right now it's a tad bit confusing which patches are relevant to those CVEs. I've packaged 4.0.6, fixed two CVEs and two other vulnerabilities that don't have an id. However CVE-2015-8668 is not yet fixed by upstream as I see. I will have more time cherry-picking the patches next week, so if somebody starts the work (even for unstable), I really won't mind. In fact it would be much appreciated.

I'm going to finish my investigations tomorrow even if my employer counts on me from 6am. Will do the upload and other fixes can come in later as upstream commit those.

Also feel free to prepare Debian LTS update, I will share relevant patches, but we'll have to prepare security update for jessie and wheezy (+ tiff3 for wheezy), so feel free to take care about this in Debian LTS yourself.

I can do the Wheezy + Jessie updates as well. But I've accepted Raphaël's advice not to do LTS security work so I follow Ondřej here: you can do the Squeeze LTS update yourself.

I (with my LTS team hat on) just signed up for looking at fixing tiff in squeeze-lts.

@László: once you finished your research tomorrow, could you send a short summary with your findings (or even upload a new package version to unstable)?

Thanks+Greets,
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de