Re: Missing DLA mail for DLA-378-1 (linux-2.6)?
On Tue, 2016-01-05 at 17:58 +, Michael Howe wrote:
> Hello,
>
> linux-2.6 2.6.32-48squeeze18 appeared in the archives a couple of days
> back, and I see from DLA/list that DLA-378-1 was reserved by Ben
> Hutchings, but there doesn't seem to have been an email to
> debian-lts-announce about it.
>
> Could a mail be sent if it hasn't been, or unstuck from wherever it's
> got caught if it's held up somewhere?
>
> Alternatively, if I've just missed it, a pointer to the relevant message
> would be greatly appreciated.

I also uploaded updates for wheezy-security and jessie-security, and was waiting to coordinate the DLA with the DSA for those.

Ben.

--
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.
Missing DLA mail for DLA-378-1 (linux-2.6)?
Hello,

linux-2.6 2.6.32-48squeeze18 appeared in the archives a couple of days back, and I see from DLA/list that DLA-378-1 was reserved by Ben Hutchings, but there doesn't seem to have been an email to debian-lts-announce about it.

Could a mail be sent if it hasn't been, or unstuck from wherever it's got caught if it's held up somewhere?

Alternatively, if I've just missed it, a pointer to the relevant message would be greatly appreciated.

Many thanks,

Michael

--
Michael Howe, Infrastructure and Hosting Team
Systems Development and Support
IT Services, University of Oxford
[SECURITY] [DLA 378-1] linux-2.6 security update
Package: linux-2.6
Version: 2.6.32-48squeeze18
CVE ID : CVE-2015-7550 CVE-2015-8543 CVE-2015-8575
Debian Bug : #808293

This update fixes the CVEs described below.

CVE-2015-7550
    Dmitry Vyukov discovered a race condition in the keyring subsystem that allows a local user to cause a denial of service (crash).

CVE-2015-8543
    It was discovered that a local user permitted to create raw sockets could cause a denial-of-service by specifying an invalid protocol number for the socket. The attacker must have the CAP_NET_RAW capability.

CVE-2015-8575
    David Miller discovered a flaw in the Bluetooth SCO sockets implementation that leads to an information leak to local users.

In addition, this update fixes a regression in the previous update:

#808293
    A regression in the UDP implementation prevented freeradius and some other applications from receiving data.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 2.6.32-48squeeze18.

For the oldstable distribution (wheezy), these problems have been fixed in version 3.2.73-2+deb7u2.

For the stable distribution (jessie), these problems have been fixed in version 3.16.7-ckt20-1+deb8u2 or earlier.

--
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts
Hi Chris,

On 05-01-16 00:23, Chris Lamb wrote:
>> To be honest, I would have expected you would have shared your fix
>> somewhere, e.g. also in a regular bug against cacti such that the
>> (old)stable releases could more easily see/use the patch.
>
> I will happily add it to your bug tracker as requested. I did not
> proactively send it upstream as it was simple and based on work that
> was already being distributed;

I was not able to find this work you based it on, but sure it is simple. I filed bug 2655¹ upstream with your patch attached, so that they are aware of your work. I will update the Debian security archive with this info shortly.

> I made the assumption that you would either not care or you had seen
> exactly what I had done.

It is true that I saw it, but others may not.

Paul

¹ http://bugs.cacti.net/view.php?id=2655
Re: Accepted linux-2.6 2.6.32-48squeeze18 (all source) into squeeze-lts
Hi,

On Tue, 05 Jan 2016, Jan Ingvoldstad wrote:
> W: GPG error: http://http.debian.net squeeze-lts Release: The following
> signatures were invalid: BADSIG 8B48AD6246925553 Debian Archive Automatic
> Signing Key (7.0/wheezy)

So that message is not specific to any particular package, but to the repository as a whole.

> Since yesterday evening, we got another error from apt-get update instead:
>
> W: Failed to fetch
> http://http.debian.net/dists/squeeze-lts/main/binary-amd64/Packages.bz2
> Hash Sum mismatch

This URL returns a 404 for me. How is your sources.list configured?

Can you tell us to which mirror you are redirected? Run this for example:

$ curl -sI http://http.debian.net/debian/dists/squeeze-lts/main/binary-amd64/Packages.bz2 |grep Location
Location: http://mirror.switch.ch/ftp/mirror/debian/dists/squeeze-lts/main/binary-amd64/Packages.bz2

That way we can verify whether the given mirror is problematic instead...

Cheers,

--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
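An added example, not part of the original message: apt reports "Hash Sum mismatch" when a downloaded index file does not match the size and checksum its Release file lists, so the same comparison can be run by hand on the files a given mirror serves. The function names and the sample Release and Packages content below are constructed for illustration, and an uncompressed Packages file stands in for Packages.bz2.

```shell
#!/usr/bin/env bash
# Added example: compare an APT index file with its entry in a Release file.

# expected_entry RELEASE PATH -> prints "<sha256> <size>" from the SHA256 section
expected_entry() {
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }   # start of the SHA256 block
        /^[^ ]/    { in_sec = 0 }         # any non-indented line ends it
        in_sec && $3 == want { print $1, $2; exit }
    ' "$1"
}

# check_index RELEASE INDEX_FILE PATH
# returns 0 on match, 1 on mismatch, 2 if PATH is not listed in Release
check_index() {
    local entry exp_sum exp_size got_sum got_size
    entry=$(expected_entry "$1" "$3")
    [ -n "$entry" ] || { echo "not listed in Release: $3"; return 2; }
    exp_sum=${entry%% *}
    exp_size=${entry##* }
    got_sum=$(sha256sum < "$2" | cut -d' ' -f1)
    got_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$got_sum" = "$exp_sum" ] && [ "$got_size" = "$exp_size" ]; then
        echo "OK: $3"; return 0
    fi
    echo "Hash Sum mismatch: $3 (size $got_size, Release says $exp_size)"
    return 1
}

# Constructed sample: a tiny index file and a Release that lists it.
make_sample() {
    local f="$1/main/binary-amd64/Packages"
    mkdir -p "$1/main/binary-amd64"
    printf 'Package: example\nVersion: 1.0\n' > "$f"
    {
        echo "Suite: squeeze-lts"
        echo "SHA256:"
        echo " $(sha256sum < "$f" | cut -d' ' -f1) $(wc -c < "$f" | tr -d ' ') main/binary-amd64/Packages"
    } > "$1/Release"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_index "$tmp/Release" "$tmp/main/binary-amd64/Packages" main/binary-amd64/Packages
# Simulate a mirror whose index is out of sync with its Release file.
echo 'Package: stale' >> "$tmp/main/binary-amd64/Packages"
check_index "$tmp/Release" "$tmp/main/binary-amd64/Packages" main/binary-amd64/Packages || true
rm -rf "$tmp"
```

This only checks the index against the Release file; whether the Release file itself can be trusted depends on its signature, which is what the BADSIG warning quoted above is about.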
another squeeze cacti update?
Hi!

Cacti still shows up in the list of opened issues in squeeze... Are you going to take care of CVE-2015-8604 next?

Thanks!

a.

--
The reasonable man adapts himself to the world.
The unreasonable man persists in trying to adapt the world to himself.
Therefore, all progress depends on the unreasonable man.
                        - George Bernard Shaw