Re: Missing DLA mail for DLA-378-1 (linux-2.6)?

2016-01-05 Thread Ben Hutchings
On Tue, 2016-01-05 at 17:58, Michael Howe wrote:
> Hello,
> 
> linux-2.6 2.6.32-48squeeze18 appeared in the archives a couple of days
> back, and I see from DLA/list that DLA-378-1 was reserved by Ben
> Hutchings, but there doesn't seem to have been an email to
> debian-lts-announce about it.
> 
> Could a mail be sent if it hasn't been, or unstuck from wherever it's
> got caught if it's held up somewhere?
> 
> Alternatively, if I've just missed it, a pointer to the relevant message
> would be greatly appreciated.

I also uploaded updates for wheezy-security and jessie-security, and
was waiting to coordinate the DLA with the DSA for those.

Ben.

-- 
Ben Hutchings
Tomorrow will be cancelled due to lack of interest.

Missing DLA mail for DLA-378-1 (linux-2.6)?

2016-01-05 Thread Michael Howe
Hello,

linux-2.6 2.6.32-48squeeze18 appeared in the archives a couple of days
back, and I see from DLA/list that DLA-378-1 was reserved by Ben
Hutchings, but there doesn't seem to have been an email to
debian-lts-announce about it.

Could a mail be sent if it hasn't been, or unstuck from wherever it's
got caught if it's held up somewhere?

Alternatively, if I've just missed it, a pointer to the relevant message
would be greatly appreciated.

Many thanks,

Michael

-- 
Michael Howe, Infrastructure and Hosting Team
Systems Development and Support
IT Services, University of Oxford

[SECURITY] [DLA 378-1] linux-2.6 security update

2016-01-05 Thread Ben Hutchings
Package: linux-2.6
Version: 2.6.32-48squeeze18
CVE ID : CVE-2015-7550 CVE-2015-8543 CVE-2015-8575
Debian Bug : #808293

This update fixes the CVEs described below.

CVE-2015-7550

Dmitry Vyukov discovered a race condition in the keyring subsystem
that allows a local user to cause a denial of service (crash).

CVE-2015-8543

It was discovered that a local user permitted to create raw sockets
could cause a denial-of-service by specifying an invalid protocol
number for the socket. The attacker must have the CAP_NET_RAW
capability.

CVE-2015-8575

David Miller discovered a flaw in the Bluetooth SCO sockets
implementation that leads to an information leak to local users.

In addition, this update fixes a regression in the previous update:

#808293

A regression in the UDP implementation prevented freeradius and
some other applications from receiving data.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 2.6.32-48squeeze18.

For the oldstable distribution (wheezy), these problems have been
fixed in version 3.2.73-2+deb7u2.

For the stable distribution (jessie), these problems have been fixed
in version 3.16.7-ckt20-1+deb8u2 or earlier.

-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams

Re: Accepted cacti 0.8.7g-1+squeeze9+deb6u13 (source all) into squeeze-lts

2016-01-05 Thread Paul Gevers
Hi Chris,

On 05-01-16 00:23, Chris Lamb wrote:

>> To be honest, I would have expected you would have shared your fix
>> somewhere, e.g. also in a regular bug against cacti such that the
>> (old)stable releases could more easily see/use the patch.
> 
> I will happily add it to your bug tracker as requested. I did not
> proactively send it upstream as it was simple and based on work that
> was already being distributed;

I was not able to find this work you based it on, but sure it is simple.
I filed bug 2655¹ upstream with your patch attached, so that they are
aware of your work. I will update the Debian security archive with this
info shortly.

> I made the assumption that you would either not care or you had seen
> exactly what I had done.

It is true that I saw it, but others may not.

Paul

¹ http://bugs.cacti.net/view.php?id=2655

Re: Accepted linux-2.6 2.6.32-48squeeze18 (all source) into squeeze-lts

2016-01-05 Thread Raphael Hertzog
Hi,

On Tue, 05 Jan 2016, Jan Ingvoldstad wrote:
> W: GPG error: http://http.debian.net squeeze-lts Release: The following
> signatures were invalid: BADSIG 8B48AD6246925553 Debian Archive Automatic
> Signing Key (7.0/wheezy) 

So that message is not specific to any particular package, but to the
repository as a whole.

> Since yesterday evening, we got another error from apt-get update instead:
> 
> W: Failed to fetch
> http://http.debian.net/dists/squeeze-lts/main/binary-amd64/Packages.bz2
> Hash Sum mismatch

This URL returns a 404 for me. How is your sources.list configured?

Can you tell us to which mirror you are redirected?

Run this for example:
$ curl -sI http://http.debian.net/debian/dists/squeeze-lts/main/binary-amd64/Packages.bz2 | grep Location
Location: http://mirror.switch.ch/ftp/mirror/debian/dists/squeeze-lts/main/binary-amd64/Packages.bz2

That way we can verify whether the given mirror is problematic instead...

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
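Once the mirror behind the redirect is known, the next question is whether its Packages index really matches its Release file, which is the comparison apt makes before reporting "Hash Sum mismatch". The following shell script is an added example and not part of the thread; the Release and Packages contents it builds are constructed for the demo, and against a real mirror you would point it at the downloaded dists/squeeze-lts/Release and the Packages.bz2 file from the URL above.

```shell
#!/bin/sh
# Added example (not from the thread): redo apt's "Hash Sum mismatch" check by
# hand so a stale or inconsistent mirror can be told apart from a bad local cache.
# Release lists each index as "<hash> <size> <path>" under a "SHA256:" header;
# apt rejects an index whose digest differs from that entry.

# SHA-256 of a file; prefers coreutils sha256sum, falls back to shasum (BSD/macOS)
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Digest that Release ($1) lists for an index path ($2), e.g. main/binary-amd64/Packages.bz2.
# Only the SHA256 section counts: any other "Name:" header (MD5Sum, SHA512, ...) ends it.
release_sha256() {
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }
        /^[A-Za-z0-9]+:/ { in_sec = 0 }
        in_sec && $3 == want { print $1; exit }
    ' "$1"
}

# Compare the index file ($2) with what Release ($1) lists for path ($3).
# Prints "ok" and returns 0 on a match; otherwise reports both digests and returns 1.
verify_index() {
    expected=$(release_sha256 "$1" "$3")
    actual=$(file_sha256 "$2")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        echo "ok"; return 0
    fi
    echo "mismatch: Release lists ${expected:-<no entry>}, file has $actual"
    return 1
}

# Constructed sample: a two-line Packages index and a Release that lists it under
# SHA256, plus an unrelated MD5Sum entry to exercise the section handling.
make_sample() {
    dir=$(mktemp -d)
    printf 'Package: linux-2.6\nVersion: 2.6.32-48squeeze18\n' > "$dir/Packages"
    {
        echo "MD5Sum:"
        echo " 00000000000000000000000000000000 0 main/binary-amd64/Release"
        echo "SHA256:"
        echo " $(file_sha256 "$dir/Packages") $(wc -c < "$dir/Packages") main/binary-amd64/Packages"
    } > "$dir/Release"
    echo "$dir"
}
```

Run `verify_index /path/to/Release /path/to/Packages.bz2 main/binary-amd64/Packages.bz2` with files fetched from the mirror in the Location header; a mismatch there points at the mirror, a match points at the local apt cache or an intermediate proxy.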

another squeeze cacti update?

2016-01-05 Thread Antoine Beaupré
Hi!

Cacti still shows up in the list of opened issues in squeeze... Are you
going to take care of CVE-2015-8604 next?

Thanks!

a.
-- 
The reasonable man adapts himself to the world.
The unreasonable man persists in trying to adapt the world to himself.
Therefore, all progress depends on the unreasonable man.
- George Bernard Shaw