Re: firmware-nonfree update
On Mon, 2019-03-25 at 17:20 +, Ben Hutchings wrote:
> On Tue, 2019-03-05 at 22:00 +, Ben Hutchings wrote:
> > On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
> [...]
> > > (It may be unlikely for old suites to have users with new hardware, however it's possible and users that don't have it will be unaffected by the new firmware, so it wouldn't hurt to ship it.)
> > >
> > > My branch is for jessie but I can prepare it for stretch too if you think that's worth it.
> >
> > The current jessie-security version of firmware-nonfree is really a backport from stretch. So I would prefer it if you update the stretch branch first and then merge that to jessie-security.
>
> I've merged your changes to stretch, uploaded to stretch, and then merged stretch to jessie-security. Let me know if you want to do the upload to jessie-security or if I should do it.

I've now uploaded and sent the DLA.

Ben.

--
Ben Hutchings
Klipstein's 4th Law of Prototyping and Production: A fail-safe circuit will destroy others.
[SECURITY] [DLA 1747-1] firmware-nonfree security update
Package: firmware-nonfree
Version: 20161130-5~deb8u1
CVE ID : CVE-2018-5383

Eli Biham and Lior Neumann discovered a cryptographic weakness in the Bluetooth LE SC pairing protocol, called the Fixed Coordinate Invalid Curve Attack (CVE-2018-5383). Depending on the devices used, this could be exploited by a nearby attacker to obtain sensitive information, for denial of service, or for other security impact.

This flaw has been fixed in firmware for Intel Wireless 7260 (B3), 7260 (B5), 7265 (D1), and 8264 adapters, and for Qualcomm Atheros QCA61x4 "ROME" version 3.2 adapters. Other Bluetooth adapters are also affected and remain vulnerable.

For Debian 8 "Jessie", this problem has been fixed in version 20161130-5~deb8u1.

We recommend that you upgrade your firmware-nonfree packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

--
Ben Hutchings - Debian developer, member of kernel, installer and LTS teams
Accepted firmware-nonfree 20161130-5~deb8u1 (all source) into oldstable
Format: 1.8
Date: Tue, 02 Apr 2019 02:38:01 +0100
Binary: firmware-adi firmware-amd-graphics firmware-atheros firmware-bnx2 firmware-bnx2x firmware-brcm80211 firmware-cavium firmware-intel-sound firmware-intelwimax firmware-ipw2x00 firmware-ivtv firmware-iwlwifi firmware-libertas firmware-linux firmware-linux-nonfree firmware-misc-nonfree firmware-myricom firmware-netxen firmware-qlogic firmware-ralink firmware-realtek firmware-samsung firmware-siano firmware-ti-connectivity
Source: firmware-nonfree
Architecture: all source
Version: 20161130-5~deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Kernel Team
Changed-By: Ben Hutchings
Description:
 firmware-adi - Binary firmware for Analog Devices Inc. DSL modem chips (dummmy p
 firmware-amd-graphics - Binary firmware for AMD/ATI graphics chips
 firmware-atheros - Binary firmware for Atheros wireless cards
 firmware-bnx2 - Binary firmware for Broadcom NetXtremeII
 firmware-bnx2x - Binary firmware for Broadcom NetXtreme II 10Gb
 firmware-brcm80211 - Binary firmware for Broadcom 802.11 wireless cards
 firmware-cavium - Binary firmware for Cavium Ethernet adapters
 firmware-intel-sound - Binary firmware for Intel sound DSPs
 firmware-intelwimax - Binary firmware for Intel WiMAX Connection
 firmware-ipw2x00 - Binary firmware for Intel Pro Wireless 2100, 2200 and 2915
 firmware-ivtv - Binary firmware for iTVC15-family MPEG codecs (ivtv and pvrusb2 d
 firmware-iwlwifi - Binary firmware for Intel Wireless cards
 firmware-libertas - Binary firmware for Marvell wireless cards
 firmware-linux - Binary firmware for various drivers in the Linux kernel (meta-pac
 firmware-linux-nonfree - Binary firmware for various drivers in the Linux kernel (meta-pac
 firmware-misc-nonfree - Binary firmware for various drivers in the Linux kernel
 firmware-myricom - Binary firmware for Myri-10G Ethernet adapters
 firmware-netxen - Binary firmware for QLogic Intelligent Ethernet (3000 and 3100 Se
 firmware-qlogic - Binary firmware for QLogic HBAs
 firmware-ralink - Binary firmware for Ralink wireless cards (dummmy package)
 firmware-realtek - Binary firmware for Realtek wired/wifi/BT adapters
 firmware-samsung - Binary firmware for Samsung MFC video codecs
 firmware-siano - Binary firmware for Siano MDTV receivers
 firmware-ti-connectivity - Binary firmware for TI Connectivity wifi and BT/FM/GPS adapters
Changes:
 firmware-nonfree (20161130-5~deb8u1) jessie-security; urgency=high
 .
   * Rebuild for jessie
 .
 firmware-nonfree (20161130-5) stretch; urgency=medium
 .
   [ Emilio Pozuelo Monfort ]
   * CVE-2018-5383:
     - atheros: Update BT firmware files for QCA ROME chip.
     - iwlwifi: Update Intel BT firmware to 20.60.0.2.
Re: jessie-updates gone
On 4/1/19 3:50 PM, Matus UHLAR - fantomas wrote:
> We have asked if it's going to be re-added, even if empty, to avoid people using jessie from seeing errors when updating package lists.
>
> do I have to fill a bugreport to get it back?

Yes, do it please.
Re: Having a test repository for (kernel?) updates
On Mon, 2019-04-01 at 21:30 +0200, Bernhard Schmidt wrote:
> Hi,
>
> as we now all know the last LTS kernel upgrade badly broke systems on VMware. I don't think this is completely avoidable, but maybe there are things that could be improved.
>
> As long as we have Jessie systems (and also for Stretch once it is in LTS) we would be willing to run some staging systems and even parts of the production systems on some sort of -proposed repository. If there are more users doing that we could catch regressions earlier on.
>
> I don't exactly know how this could be done technically, as the security repository is the only one open for updates during LTS. In the worst case it could be a separate host with a separate signing key, but of course something similar to s-p-u would be preferred.
>
> This would probably only be relevant to kernel and possibly things like systemd, I would not want to have all updates sit in proposed for some time. Also at the sole discretion of the maintainer, if a security fix needs to get out it needs to get out.
>
> What do you think?

I'm happy to upload packages for testing to people.debian.org, in the absence of something more official.

Ben.

--
Ben Hutchings
Life is what happens to you while you're busy making other plans. - John Lennon
Re: Having a test repository for (kernel?) updates
On Mon, Apr 01, 2019 at 09:30:20PM +0200, Bernhard Schmidt wrote:
> As long as we have Jessie systems (and also for Stretch once it is in LTS) we would be willing to run some staging systems and even parts of the production systems on some sort of -proposed repository. If there are more users doing that we could catch regressions earlier on.
>
> I don't exactly know how this could be done technically,

There's https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817286 which has all the requirements and there's even funding available to get that implemented, but we haven't heard anything back from the person who we were told would implement that.

Cheers,
Moritz
Having a test repository for (kernel?) updates
Hi,

as we now all know the last LTS kernel upgrade badly broke systems on VMware. I don't think this is completely avoidable, but maybe there are things that could be improved.

As long as we have Jessie systems (and also for Stretch once it is in LTS) we would be willing to run some staging systems and even parts of the production systems on some sort of -proposed repository. If there are more users doing that we could catch regressions earlier on.

I don't exactly know how this could be done technically, as the security repository is the only one open for updates during LTS. In the worst case it could be a separate host with a separate signing key, but of course something similar to s-p-u would be preferred.

This would probably only be relevant to kernel and possibly things like systemd, I would not want to have all updates sit in proposed for some time. Also at the sole discretion of the maintainer, if a security fix needs to get out it needs to get out.

What do you think?

Bernhard

--
Bernhard Schmidt
Netzbetrieb / IPv6 / DNSSEC
Leibniz-Rechenzentrum
Leibniz Supercomputing Centre
Boltzmannstr. 1
D-85748 Garching b. Muenchen
Tel: +49 89 35831-7885
E-Mail/Jabber: bernhard.schm...@lrz.de
Re: more missing DLAs on the website
Hi,

Is there a rationale on why we are updating the website, by the way? And with a full copy of the advisory? (instead of e.g. pointing to the list archives).

I wondered whether we needed translations at:
https://lists.debian.org/debian-lts/2019/03/msg00101.html
https://lists.debian.org/debian-lts/2019/03/msg00152.html
but I didn't get any feedback.

This doesn't seem to be a tool issue (I made a few fixes btw) but rather a matter of priority and man power. Understanding the goals in the first place would help IMHO :)

Cheers!
Sylvain

On 01/04/2019 19:45, Holger Levsen wrote:
> hi,
>
> the number of missing DLAs on https://www.debian.org/lts/security/ has recently gone up again. Missing are:
>
> Emilio Pozuelo Monfort [DLA 1746-1] drupal7 security update
> Emilio Pozuelo Monfort [DLA 1745-1] libdatetime-timezone-perl new upstream version
> Emilio Pozuelo Monfort [DLA 1744-1] tzdata new upstream version
> Emilio Pozuelo Monfort [DLA 1743-1] thunderbird security update
> Abhijith PA [DLA 1742-1] wordpress security update
> Thorsten Alteholz [DLA 1741-1] php5 security update
> Mike Gabriel [DLA 1740-1] libav security update
> Thorsten Alteholz [DLA 1734-1] libraw security update
> Emilio Pozuelo Monfort [DLA 1732-1] openjdk-7 security update
> Mike Gabriel [DLA 1730-1] libssh2 security update
> Thorsten Alteholz [DLA 1729-1] wireshark security update
> Mike Gabriel [DLA 1728-1] openssh security update
> Emilio Pozuelo Monfort [DLA 1727-1] firefox-esr security update
> Emilio Pozuelo Monfort [DLA 1726-1] bash security update
> Thorsten Alteholz [DLA 1725-1] rsync security update
> Emilio Pozuelo Monfort [DLA 1724-1] ntfs-3g security update
> Mike Gabriel [DLA 1723-1] cron security update
> Emilio Pozuelo Monfort [DLA 1722-1] firefox-esr security update
> Chris Lamb [DLA 1719-1] libjpeg-turbo security update
> Abhijith PA [DLA 1714-1] libsdl2 security update
> Abhijith PA [DLA 1713-1] libsdl1.2 security update
> Emilio Pozuelo Monfort [DLA 1712-1] libsndfile security update
> Markus Koschany [DLA 1711-1] systemd security update
> Bastian Blank [DLA 1709-1] waagent security update
> Bastian Blank [DLA 1688-1] waagent update
> Emilio Pozuelo Monfort [DLA 1684-1] systemd security update
> Emilio Pozuelo Monfort [DLA 1683-1] rdesktop security update
>
> What surprises me is that some people sometimes apparently manage to update the website and sometimes not, I wonder why?
>
> I'd also like to remind everyone - who is a paid contributor via freexian - that it's your duty to update the website or provide an MR via https://salsa.debian.org/webmaster-team/webwml/merge_requests
>
> If your name is listed above, *please* update the website or provide an MR via https://salsa.debian.org/webmaster-team/webwml/merge_requests for those DLAs.
>
> If somebody picks up the rest, I'd also be really thankful. And probably not just me! ;)
>
> Last but not least: I've thought about (not) naming people but decided to do so because I don't consider this public shaming but quite the contrary, everybody listed above has done great work! Which just has a tiny flaw which I'm sure you also want to fix, thus I made it easier for you to see if you're affected.
> I'm also sure this is mostly a tooling issue. #859123 is the best place to discuss fixes.
[SECURITY] [DLA 1731-2] linux regression update
Package: linux
Version: 3.16.64-2
CVE ID : CVE-2016-10741 CVE-2017-5753 CVE-2017-13305 CVE-2018-3639 CVE-2018-5848 CVE-2018-5953 CVE-2018-12896 CVE-2018-13053 CVE-2018-16862 CVE-2018-16884 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-19985 CVE-2018-20169 CVE-2018-20511 CVE-2019-3701 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213
Debian Bug : 925919

The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows.

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2016-10741

    A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service.

CVE-2017-5753

    Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated.

CVE-2017-13305

    A memory over-read was discovered in the keys subsystem's encrypted key type. A local user could use this for denial of service or possibly to read sensitive information.

CVE-2018-3639 (SSB)

    Multiple researchers have discovered that Speculative Store Bypass (SSB), a feature implemented in many processors, could be used to read sensitive information from another context. In particular, code in a software sandbox may be able to read sensitive information from outside the sandbox. This issue is also known as Spectre variant 4.

    This update fixes bugs in the mitigations for SSB for AMD processors.

CVE-2018-5848

    The wil6210 wifi driver did not properly validate lengths in scan and connection requests, leading to a possible buffer overflow. On systems using this driver, a local user with the CAP_NET_ADMIN capability could use this for denial of service (memory corruption or crash) or potentially for privilege escalation.

CVE-2018-5953

    The swiotlb subsystem printed kernel memory addresses to the system log, which could help a local attacker to exploit other vulnerabilities.

CVE-2018-12896, CVE-2018-13053

    Team OWL337 reported possible integer overflows in the POSIX timer implementation. These might have some security impact.

CVE-2018-16862

    Vasily Averin and Pavel Tikhomirov from Virtuozzo Kernel Team discovered that the cleancache memory management feature did not invalidate cached data for deleted files. On Xen guests using the tmem driver, local users could potentially read data from other users' deleted files if they were able to create new files on the same volume.

CVE-2018-16884

    A flaw was found in the NFS 4.1 client implementation. Mounting NFS shares in multiple network namespaces at the same time could lead to a use-after-free. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation.

    This can be mitigated by disabling unprivileged users from creating user namespaces, which is the default in Debian.

CVE-2018-17972

    Jann Horn reported that the /proc/*/stack files in procfs leaked sensitive data from the kernel. These files are now only readable by users with the CAP_SYS_ADMIN capability (usually only root).

CVE-2018-18281

    Jann Horn reported a race condition in the virtual memory manager that can result in a process briefly having access to memory after it is freed and reallocated. A local user permitted to create containers could possibly exploit this for denial of service (memory corruption) or for privilege escalation.

CVE-2018-18690

    Kanda Motohiro reported that XFS did not correctly handle some xattr (extended attribute) writes that require changing the disk format of the xattr. A user with access to an XFS volume could use this for denial of service.

CVE-2018-18710

    It was discovered that the cdrom driver does not correctly validate the parameter to the CDROM_SELECT_DISC ioctl. A user with access to a cdrom device could use this to read sensitive information from the kernel or to cause a denial of service (crash).

CVE-2018-19824

    Hui Peng and Mathias Payer discovered a use-after-free bug in the USB audio driver. A physically present attacker able to attach a specially designed USB device could use this for privilege escalation.

CVE-2018-19985

    Hui Peng and Mathias Payer discovered a missing bounds check in the hso USB serial driver. A physically present user able to attach a specially designed
Re: jessie-updates gone
Hello,

On Mon, Apr 01, 2019 at 03:50:05PM +0200, Matus UHLAR - fantomas wrote:
> On 01.04.19 13:40, Holger Levsen wrote:
> >this is gone:
> >
> >deb http://deb.debian.org/debian/ jessie-updates main
>
> formerly volatile.
>
> We have asked if it's going to be re-added, even if empty, to avoid people using jessie from seeing errors when updating package lists.
>
> do I have to fill a bugreport to get it back?

I do understand that re-adding an empty jessie-updates directory will silence a lot of warnings from apt update, and thus would avoid the questions from end users that I have seen in a lot of places, but…

I can't help thinking that although it is bad that these users were confused, at least they now understand that the level of support has changed. Is there not a risk in future that these people will merrily go on using an empty buster-updates without ever realising that they are using a distribution with updates only from the LTS project?

I don't know what the answer is other than having apt itself show a warning about the levels of support changing, but until we work out a better solution, isn't having the -updates suite go away at least a final chance to get the user's attention?

How about a package update at the cut-over point with a NEWS changelog saying something like, "this distribution is now only supported by LTS; you should upgrade to continue to enjoy the usual level of support. For more information about the LTS project please see: https://…; ?

Cheers,
Andy
more missing DLAs on the website
hi,

the number of missing DLAs on https://www.debian.org/lts/security/ has recently gone up again. Missing are:

Emilio Pozuelo Monfort [DLA 1746-1] drupal7 security update
Emilio Pozuelo Monfort [DLA 1745-1] libdatetime-timezone-perl new upstream version
Emilio Pozuelo Monfort [DLA 1744-1] tzdata new upstream version
Emilio Pozuelo Monfort [DLA 1743-1] thunderbird security update
Abhijith PA [DLA 1742-1] wordpress security update
Thorsten Alteholz [DLA 1741-1] php5 security update
Mike Gabriel [DLA 1740-1] libav security update
Thorsten Alteholz [DLA 1734-1] libraw security update
Emilio Pozuelo Monfort [DLA 1732-1] openjdk-7 security update
Mike Gabriel [DLA 1730-1] libssh2 security update
Thorsten Alteholz [DLA 1729-1] wireshark security update
Mike Gabriel [DLA 1728-1] openssh security update
Emilio Pozuelo Monfort [DLA 1727-1] firefox-esr security update
Emilio Pozuelo Monfort [DLA 1726-1] bash security update
Thorsten Alteholz [DLA 1725-1] rsync security update
Emilio Pozuelo Monfort [DLA 1724-1] ntfs-3g security update
Mike Gabriel [DLA 1723-1] cron security update
Emilio Pozuelo Monfort [DLA 1722-1] firefox-esr security update
Chris Lamb [DLA 1719-1] libjpeg-turbo security update
Abhijith PA [DLA 1714-1] libsdl2 security update
Abhijith PA [DLA 1713-1] libsdl1.2 security update
Emilio Pozuelo Monfort [DLA 1712-1] libsndfile security update
Markus Koschany [DLA 1711-1] systemd security update
Bastian Blank [DLA 1709-1] waagent security update
Bastian Blank [DLA 1688-1] waagent update
Emilio Pozuelo Monfort [DLA 1684-1] systemd security update
Emilio Pozuelo Monfort [DLA 1683-1] rdesktop security update

What surprises me is that some people sometimes apparently manage to update the website and sometimes not, I wonder why?

I'd also like to remind everyone - who is a paid contributor via freexian - that it's your duty to update the website or provide an MR via https://salsa.debian.org/webmaster-team/webwml/merge_requests

If your name is listed above, *please* update the website or provide an MR via https://salsa.debian.org/webmaster-team/webwml/merge_requests for those DLAs.

If somebody picks up the rest, I'd also be really thankful. And probably not just me! ;)

Last but not least: I've thought about (not) naming people but decided to do so because I don't consider this public shaming but quite the contrary, everybody listed above has done great work! Which just has a tiny flaw which I'm sure you also want to fix, thus I made it easier for you to see if you're affected.
I'm also sure this is mostly a tooling issue. #859123 is the best place to discuss fixes.

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
semi-automatic unclaims after two weeks of inactivity
hi,

I've just unclaimed these packages after two weeks of inactivity:

LTS:
-firmware-nonfree (Emilio)

eLTS:
-firmware-nonfree (Emilio)
-mysql-5.5 (Emilio)
-python2.6 (Roberto C. Sánchez)
-sqlalchemy (Markus Koschany)

As usual, feel free to reclaim and/or update the notes.

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

we'll all die. make a difference while you can. disobey. smile.
Re: jessie-updates gone
On Mon, 1 Apr 2019 at 16:04, Emilio Pozuelo Monfort wrote:
>
> On 01/04/2019 15:51, Pierre Fourès wrote:
> > Thanks Holger,
> >
> > If I understood correctly, this means that tzdata will get updated through "deb http://security.debian.org/ jessie/updates main" even if it's not a "security" update per se?
>
> Yes. tzdata and other such updates go into jessie-security because there's no other place for them with the closing of jessie{,-updates}. It's been that way for a long time. The last tzdata and libdatetime-timezone-perl were uploaded to jessie-security earlier today.
>
> https://lists.debian.org/debian-lts-announce/2019/04/msg1.html
> https://lists.debian.org/debian-lts-announce/2019/04/msg2.html
>
> Hope that helps.
>
> Emilio

Yup, it clarifies a lot. Thank you all for taking the time to outline it all.
[SECURITY] [DLA 1746-1] drupal7 security update
Package: drupal7
Version: 7.32-1+deb8u16
CVE ID : CVE-2019-6341

It was discovered that missing input sanitising in the file module of Drupal, a fully-featured content management framework, could result in cross-site scripting.

For Debian 8 "Jessie", this problem has been fixed in version 7.32-1+deb8u16.

We recommend that you upgrade your drupal7 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted drupal7 7.32-1+deb8u16 (source all) into oldstable
Format: 1.8
Date: Thu, 28 Mar 2019 11:17:31 +0100
Source: drupal7
Binary: drupal7
Architecture: source all
Version: 7.32-1+deb8u16
Distribution: jessie-security
Urgency: medium
Maintainer: Luigi Gangitano
Changed-By: Emilio Pozuelo Monfort
Description:
 drupal7 - fully-featured content management framework
Changes:
 drupal7 (7.32-1+deb8u16) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * SA-CORE-2019-004, CVE-2019-6341: XSS vulnerability in the File module.
Re: jessie-updates gone
On 01/04/2019 15:50, Matus UHLAR - fantomas wrote:
>> this is gone:
>>
>> deb http://deb.debian.org/debian/ jessie-updates main
>
> formerly volatile.
>
> We have asked if it's going to be re-added, even if empty, to avoid people using jessie from seeing errors when updating package lists.
>
> do I have to fill a bugreport to get it back?

It will get back, we're waiting for an ftp-master to have the necessary cycles to do the archive work.

The plan is to document what needs to get archived and what not after a release becomes LTS to avoid this sort of problem in the future (e.g. when stretch becomes LTS, and non-LTS architectures get archived).

Cheers,
Emilio
Re: jessie-updates gone
On 01/04/2019 15:51, Pierre Fourès wrote:
> Thanks Holger,
>
> If I understood correctly, this means that tzdata will get updated through "deb http://security.debian.org/ jessie/updates main" even if it's not a "security" update per se?

Yes. tzdata and other such updates go into jessie-security because there's no other place for them with the closing of jessie{,-updates}. It's been that way for a long time. The last tzdata and libdatetime-timezone-perl were uploaded to jessie-security earlier today.

https://lists.debian.org/debian-lts-announce/2019/04/msg1.html
https://lists.debian.org/debian-lts-announce/2019/04/msg2.html

Hope that helps.

Emilio
Re: jessie-updates gone
Thanks Holger,

If I understood correctly, this means that tzdata will get updated through "deb http://security.debian.org/ jessie/updates main" even if it's not a "security" update per se?

So, to Jessie users, everything works as expected (we still get not security updates) even if it doesn't go through the way it used to?

On Mon, 1 Apr 2019 at 15:40, Holger Levsen wrote:
>
> On Mon, Apr 01, 2019 at 02:29:23PM +0200, Pierre Fourès wrote:
> > Now that Jessie is in LTS and that jessie-updates/ is gone, does this also mean there won't be any other updates to tzdata, clamav, or similar (timely dependent's) packages?
>
> no.
>
> > Or if still updated, where do we get them from? I guess it's not from security updates?
>
> from LTS.
>
> to clarify:
>
> this is LTS:
>
> deb http://security.debian.org/ jessie/updates main
>
> this is gone:
>
> deb http://deb.debian.org/debian/ jessie-updates main
>
> --
> tschau,
> Holger
>
> ---
> holger@(debian|reproducible-builds|layer-acht).org
> PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>
> In Europe there are people prosecuted by courts because they saved other people from drowning in the Mediterranean Sea. That is almost as absurd as if there were people being prosecuted because they save humans from drowning in the sea.
Re: jessie-updates gone
>On Mon, Apr 01, 2019 at 02:29:23PM +0200, Pierre Fourès wrote:
>> Now that Jessie is in LTS and that jessie-updates/ is gone, does this also mean there won't be any other updates to tzdata, clamav, or similar (timely dependent's) packages?
>
>no.

good.

>> Or if still updated, where do we get them from? I guess it's not from security updates?

On 01.04.19 13:40, Holger Levsen wrote:
>from LTS.
>
>to clarify:
>
>this is LTS:
>
>deb http://security.debian.org/ jessie/updates main

formerly security (only) updates.

>this is gone:
>
>deb http://deb.debian.org/debian/ jessie-updates main

formerly volatile.

We have asked if it's going to be re-added, even if empty, to avoid people using jessie from seeing errors when updating package lists.

do I have to fill a bugreport to get it back?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
M$ Win's are shit, do not use it !
Re: jessie-updates gone
On Mon, Apr 01, 2019 at 02:29:23PM +0200, Pierre Fourès wrote:
> Now that Jessie is in LTS and that jessie-updates/ is gone, does this
> also mean there won't be any other updates to tzdata, clamav, or
> similar (timely dependent's) packages?

no.

> Or if still updated, where do we get them from? I guess it's not
> from security updates?

from LTS.

to clarify:

this is LTS:

deb http://security.debian.org/ jessie/updates main

this is gone:

deb http://deb.debian.org/debian/ jessie-updates main

--
tschau,
Holger

---
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

In Europe there are people prosecuted by courts because they saved other people
from drowning in the Mediterranean Sea. That is almost as absurd as if there
were people being prosecuted because they save humans from drowning in the sea.
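
The two sources.list lines contrasted in the message above can be told apart mechanically when auditing a fleet of jessie hosts. The script below is an added example, not part of the thread and not a Debian tool; the function names and the sample file are constructed, and flagging the `jessie-updates` suite on any mirror (not only deb.debian.org) is an assumption.

```shell
#!/bin/sh
# Added example: classify one-line-style sources.list entries for jessie.
# Function names and sample data are hypothetical, constructed for this page.

# classify_source_line LINE
# Prints one of:
#   lts     - security.debian.org jessie/updates (where LTS updates arrive)
#   removed - the jessie-updates suite (gone from the mirrors)
#   other   - any other active deb/deb-src entry
#   skip    - blank line, comment, or not a deb/deb-src entry
classify_source_line() {
    # Drop trailing comments and surrounding whitespace.
    line=$(printf '%s\n' "$1" |
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -z "$line" ]; then
        echo skip
        return 0
    fi
    # Drop an optional "[ option=value ... ]" group that follows the type.
    line=$(printf '%s\n' "$line" |
        sed -e 's/^\([a-z-]*\)[[:space:]]*\[[^]]*\]/\1/')
    # Fields are: type, URI, suite, then components (not needed here).
    read -r kind uri suite rest <<EOF
$line
EOF
    case "$kind" in
        deb|deb-src) ;;
        *) echo skip; return 0 ;;
    esac
    case "$suite" in
        jessie-updates|jessie-updates/*)
            echo removed ;;
        jessie/updates)
            case "$uri" in
                *://security.debian.org|*://security.debian.org/*) echo lts ;;
                *) echo other ;;
            esac ;;
        *)
            echo other ;;
    esac
}

# removed_entries FILE
# Prints the space-separated line numbers of entries that still point at
# the removed suite (empty output means nothing to clean up).
removed_entries() {
    n=0
    found=
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        if [ "$(classify_source_line "$entry")" = removed ]; then
            found="${found:+$found }$n"
        fi
    done < "$1"
    printf '%s\n' "$found"
}

# Constructed sample sources.list, not taken from a real host.
sample_sources() {
    cat <<'EOF'
# constructed sample for the added example
deb http://deb.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
deb http://deb.debian.org/debian/ jessie-updates main
# deb http://deb.debian.org/debian/ jessie-updates main
deb-src [ arch=amd64 ] http://deb.debian.org/debian/ jessie-updates main contrib
EOF
}

tmp=$(mktemp)
sample_sources > "$tmp"
echo "entries still using the removed suite, by line: $(removed_entries "$tmp")"
rm -f "$tmp"
```

Entries reported as `removed` are the ones that produce errors when package lists are updated; the `lts` entry is the one to keep.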
Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
I believe you've misunderstood. The version in stable is 0.100.3 and does not have a soname bump (nor does it need one). You should be able to update the LTS with that package with little more (maybe no more) than an updated changelog.

Scott K

On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> Hi Scott and LTS team
>
> Thank you. I'll see if I can backport the required fixes. That may solve
> the library issue.
>
> Alternatively we state that clamav is not supported. Maybe someone in the
> LTS team can advise on that.
>
> Best regards
>
> // Ola
>
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman wrote:
> > Comments inline.
> >
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > Hi
> > >
> > > I missed to include the clamav maintainers. Sorry about that.
> > >
> > > // Ola
> > >
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> > > > Dear maintainers, LTS team and Debian Security team
> > > >
> > > > I have started to look at the clamav package update due to
> > > > CVE-2019-1787
> > > > CVE-2019-1788
> > > > CVE-2019-1789
> > > > (the other three vulnerabilities are not affecting jessie or stretch
> > > > as I understand it)
> >
> > That's correct.
> >
> > > > I have understood that the clamav package is typically updated to the
> > > > latest version also in stable and oldstable. However when doing so I
> > > > encountered quite a few things that I would like to ask your advice on.
> > > >
> > > > First of all to the maintainers. Do you want to handle also LTS
> > > > (oldstable) and regular security (stable) upload of clamav?
> >
> > Stable is already done through stable proposed updates (which is the normal
> > path for clamav). We leave the LTS releases to the LTS team. Base your work
> > on what's in stable.
> >
> > > > Question to maintainers and Security team. Should we synchronize the
> > > > efforts here and have you already started on the stable update?
> > > >
> > > > If not I have a few questions:
> > > > 1) Do you know the binary compatibility between libclamav7 and
> > > > libclamav9?
> > > > I have noticed that the package in sid produces libclamav9 while the one
> > > > in jessie provides libclamav7. Do you think this can be an issue?
> >
> > Yes. It's guaranteed to be an issue. We have a stable transition prepared
> > and will do it (once the srm blesses) after the next point release in April.
> > Note that the security team doesn't support clamav.
> >
> > > > 2) Do you think backporting the package in sid is better than simply
> > > > updating to the latest upstream while keeping most scripts in oldstable? I
> > > > had to copy over the split-archive.sh to be able to generate a proper orig
> > > > tarball.
> >
> > No. Use what's in stable proposed updates.
> >
> > > > - I personally think the package in sid has a little too many updates to
> > > > make that safe, especially since it produces new library packages.
> >
> > Agreed. That would definitely be a bad idea.
> >
> > > > - On the other hand, I had to do some modifications already to allow
> > > > the package to be generated and I have not even started building yet.
> > > > There may be many fixes needed to make this package work in oldstable...
> >
> > I suspect that what's in stable will work in oldstable, but I haven't tried
> > it. It'll certainly take less work than what's in sid.
> >
> > > > I guess we cannot generate new library package version, or?
> >
> > Generally one does not, but for clamav you kind of have to at some point.
> > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > libclamav-dev reverse build-depends need patching in addition to rebuilding.
> > Once we've done that in stable, it should be easy enough to adapt for
> > oldstable when the time comes. Don't worry about it now.
> >
> > Scott K
Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
Hi Scott and LTS team

Thank you. I'll see if I can backport the required fixes. That may solve the library issue.

Alternatively we state that clamav is not supported. Maybe someone in the LTS team can advise on that.

Best regards

// Ola

On Sun, 31 Mar 2019 at 22:35, Scott Kitterman wrote:
> Comments inline.
>
> On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > Hi
> >
> > I missed to include the clamav maintainers. Sorry about that.
> >
> > // Ola
> >
> > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist wrote:
> > > Dear maintainers, LTS team and Debian Security team
> > >
> > > I have started to look at the clamav package update due to
> > > CVE-2019-1787
> > > CVE-2019-1788
> > > CVE-2019-1789
> > > (the other three vulnerabilities are not affecting jessie or stretch as I
> > > understand it)
>
> That's correct.
>
> > > I have understood that the clamav package is typically updated to the
> > > latest version also in stable and oldstable. However when doing so I
> > > encountered quite a few things that I would like to ask your advice on.
> > >
> > > First of all to the maintainers. Do you want to handle also LTS
> > > (oldstable) and regular security (stable) upload of clamav?
>
> Stable is already done through stable proposed updates (which is the normal
> path for clamav). We leave the LTS releases to the LTS team. Base your work
> on what's in stable.
>
> > > Question to maintainers and Security team. Should we synchronize the
> > > efforts here and have you already started on the stable update?
> > >
> > > If not I have a few questions:
> > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > > I have noticed that the package in sid produces libclamav9 while the one
> > > in jessie provides libclamav7. Do you think this can be an issue?
>
> Yes. It's guaranteed to be an issue. We have a stable transition prepared
> and will do it (once the srm blesses) after the next point release in April.
> Note that the security team doesn't support clamav.
>
> > > 2) Do you think backporting the package in sid is better than simply
> > > updating to the latest upstream while keeping most scripts in oldstable? I
> > > had to copy over the split-archive.sh to be able to generate a proper orig
> > > tarball.
>
> No. Use what's in stable proposed updates.
>
> > > - I personally think the package in sid has a little too many updates to
> > > make that safe, especially since it produces new library packages.
>
> Agreed. That would definitely be a bad idea.
>
> > > - On the other hand, I had to do some modifications already to allow
> > > the package to be generated and I have not even started building yet.
> > > There may be many fixes needed to make this package work in oldstable...
>
> I suspect that what's in stable will work in oldstable, but I haven't tried
> it. It'll certainly take less work than what's in sid.
>
> > > I guess we cannot generate new library package version, or?
>
> Generally one does not, but for clamav you kind of have to at some point.
> Note that for libclamav7 -> libclamav9 there are also API changes, so
> libclamav-dev reverse build-depends need patching in addition to rebuilding.
> Once we've done that in stable, it should be easy enough to adapt for
> oldstable when the time comes. Don't worry about it now.
>
> Scott K

--
Inguza Technology AB --- MSc in Information Technology
o...@inguza.com o...@debian.org
http://inguza.com/ Mobile: +46 (0)70-332 1551
Re: jessie-updates gone
Thanks a lot Adam for the clarification.

Now that Jessie is in LTS and that jessie-updates/ is gone, does this also mean there won't be any other updates to tzdata, clamav, or similar (timely dependent's) packages?

Or if still updated, where do we get them from? I guess it's not from security updates?

Regards,
Pierre.

On Fri, 29 Mar 2019 at 17:02, Adam D. Barratt wrote:
>
> On Fri, 2019-03-29 at 11:13 +0100, Pierre Fourès wrote:
> > The way I understand it, but I asked for clarification and
> > confirmation in my previous message [1], is that all « updates » go
> > into -proposed-updates/, but the ones that need to be quickly applied
> > into the distribution (but aren't security updates) are duplicated
> > from -proposed-updates/ into -updates/. These are the updates that
> > can't wait and must be applied between the point releases. Then, when
> > a point release occurs, all packages in -proposed-updates/ move into
> > the stable repository of the distribution. They are automatically
> > removed from -proposed-updates/. This isn't true for the -updates/
> > repository as it requires manual pruning. Nonetheless, all packages in
> > -updates/ went into the stable repository (from the -proposed-updates
> > they originated from) when the point release occurred. So nothing is
> > lost. But is that right?
>
> Yes - see https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html ,
> linked from every post to the debian-stable-announce list.
> (There will probably be a better URL somewhere on release.d.o once
> someone finds sufficient tuits to actually make it.)
>
> The removal of packages from p-u after adding them to stable is part of
> the actions performed by ftp-master during the point release (easily
> done as the package sets are the same). Technically, it is possible for
> an update from -updates / p-u to not be included in a point release,
> but that will usually be due to a regression being found before the
> point release, and in such cases there will likely be a follow-up
> update.
>
> Regards,
>
> Adam
Re: RFT: linux with fix for VMware regression
short update: the system is still up and running.

Cheers,
Werner

On 30.03.19 at 19:01, Werner Detter wrote:
> Hi Ben,
>
> thanks for the updated version. I've installed the new version on one
> affected machine which crashed after some hours with the old kernel.
> It has been running with the updated version for 9 hours without
> problems. I'll get back to you.
>
> Cheers,
> Werner
LTS/ELTS Report for March 2019
For March I spent 12 hours on the following LTS tasks:

- symfony: final review of patches, additional testing, advisory preparation, package upload
- qemu: review Hugo Lefeuvre’s assessment of CVE-2019-6501
- nss: CVE-2018-12404
- imagemagick: multiple issues, assess backport of newer version
- python3.4, python2.7: CVE-2019-9636, CVE-2019-5010, CVE-2018-14647

I also spent 16 hours on the following ELTS tasks:

- nss: CVE-2018-12404
- php5: triage, multiple issues
- python2.7, python2.6: CVE-2019-9636, CVE-2019-5010, CVE-2018-14647
- python-urllib3: CVE-2019-9740
- cron: build and test package update prepared by Mike Gabriel
- tiff3: CVE-2018-5360

Regards,

-Roberto

--
Roberto C. Sánchez
Accepted tzdata 2019a-0+deb8u1 (source all) into oldstable
Format: 1.8
Date: Mon, 01 Apr 2019 10:54:44 +0200
Source: tzdata
Binary: tzdata tzdata-java
Architecture: source all
Version: 2019a-0+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: GNU Libc Maintainers
Changed-By: Emilio Pozuelo Monfort
Description:
 tzdata - time zone and daylight-saving time data
 tzdata-java - time zone and daylight-saving time data for use by java runtimes
Changes:
 tzdata (2019a-0+deb8u1) jessie-security; urgency=medium
 .
 * New upstream version, affecting the following past timestamps:
 - Palestine will not start DST until 2019-03-30, instead of 2019-03-23 as previously predicted.
 - Metlakatla ended its observance of Pacific standard time, rejoining Alaska Time, on 2019-01-20 at 02:00.
Accepted libdatetime-timezone-perl 1:1.75-2+2019a (source all) into oldstable
Format: 1.8
Date: Mon, 01 Apr 2019 11:12:02 +0200
Source: libdatetime-timezone-perl
Binary: libdatetime-timezone-perl
Architecture: source all
Version: 1:1.75-2+2019a
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Perl Group
Changed-By: Emilio Pozuelo Monfort
Description:
 libdatetime-timezone-perl - framework exposing the Olson time zone database to Perl
Changes:
 libdatetime-timezone-perl (1:1.75-2+2019a) jessie-security; urgency=medium
 .
 * Update to Olson database version 2019a.
[SECURITY] [DLA 1745-1] libdatetime-timezone-perl new upstream version
Package: libdatetime-timezone-perl
Version: 1:1.75-2+2019a

This update includes the changes in tzdata 2019a for the Perl bindings. For the list of changes, see DLA-1744-1.

For Debian 8 "Jessie", this problem has been fixed in version 1:1.75-2+2019a.

We recommend that you upgrade your libdatetime-timezone-perl packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: RFT: linux with fix for VMware regression
Hi Ben

I can confirm that we do not encounter the troubles anymore with your patch. The patched servers are running smooth and stable again.

Thanks for the fast fix!

Kind regards
Emanuel

On 30/03/2019 05:15, Ben Hutchings wrote:
> I've uploaded a new version of linux to:
> https://people.debian.org/~benh/packages/jessie-security/
> which I believe will fix this regression (bug #925919). Please let me
> know whether it works for you.
>
> I only included the amd64 linux-image package and sources there, but
> can add i386 linux-image packages if needed.
>
> Ben.
[SECURITY] [DLA 1744-1] tzdata new upstream version
Package: tzdata
Version: 2019a-0+deb8u1

This update includes the changes in tzdata 2019a. Notable changes are:

- Palestine started DST on 2019-03-30, instead of 2019-03-23 as previously predicted.
- Metlakatla ended its observance of Pacific standard time, rejoining Alaska Time, on 2019-01-20 at 02:00.

For Debian 8 "Jessie", this problem has been fixed in version 2019a-0+deb8u1.

We recommend that you upgrade your tzdata packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Accepted thunderbird 1:60.6.1-1~deb8u1 (source amd64 all) into oldstable
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Thu, 28 Mar 2019 10:39:21 +0100 Source: thunderbird Binary: thunderbird thunderbird-dbg lightning calendar-google-provider thunderbird-l10n-all thunderbird-l10n-ar thunderbird-l10n-ast thunderbird-l10n-be thunderbird-l10n-bg thunderbird-l10n-br thunderbird-l10n-ca thunderbird-l10n-cs thunderbird-l10n-cy thunderbird-l10n-da thunderbird-l10n-de thunderbird-l10n-dsb thunderbird-l10n-el thunderbird-l10n-en-gb thunderbird-l10n-es-ar thunderbird-l10n-es-es thunderbird-l10n-et thunderbird-l10n-eu thunderbird-l10n-fi thunderbird-l10n-fr thunderbird-l10n-fy-nl thunderbird-l10n-ga-ie thunderbird-l10n-gd thunderbird-l10n-gl thunderbird-l10n-he thunderbird-l10n-hr thunderbird-l10n-hsb thunderbird-l10n-hu thunderbird-l10n-hy-am thunderbird-l10n-id thunderbird-l10n-is thunderbird-l10n-it thunderbird-l10n-ja thunderbird-l10n-kab thunderbird-l10n-kk thunderbird-l10n-ko thunderbird-l10n-lt thunderbird-l10n-ms thunderbird-l10n-nb-no thunderbird-l10n-nl thunderbird-l10n-nn-no thunderbird-l10n-pl thunderbird-l10n-pt-br thunderbird-l10n-pt-pt thunderbird-l10n-rm thunderbird-l10n-ro thunderbird-l10n-ru thunderbird-l10n-si thunderbird-l10n-sk thunderbird-l10n-sl thunderbird-l10n-sq thunderbird-l10n-sr thunderbird-l10n-sv-se thunderbird-l10n-tr thunderbird-l10n-uk thunderbird-l10n-vi thunderbird-l10n-zh-cn thunderbird-l10n-zh-tw lightning-l10n-ar lightning-l10n-ast lightning-l10n-be lightning-l10n-bg lightning-l10n-br lightning-l10n-ca lightning-l10n-cs lightning-l10n-cy lightning-l10n-da lightning-l10n-de lightning-l10n-dsb lightning-l10n-el lightning-l10n-es-ar lightning-l10n-es-es lightning-l10n-en-gb lightning-l10n-et lightning-l10n-eu lightning-l10n-fi lightning-l10n-fr lightning-l10n-fy-nl lightning-l10n-ga-ie lightning-l10n-gd lightning-l10n-gl lightning-l10n-he lightning-l10n-hr lightning-l10n-hsb lightning-l10n-hu lightning-l10n-hy-am lightning-l10n-id lightning-l10n-is lightning-l10n-it lightning-l10n-ja 
lightning-l10n-kab lightning-l10n-kk lightning-l10n-ko lightning-l10n-ms lightning-l10n-lt lightning-l10n-nb-no lightning-l10n-nl lightning-l10n-nn-no lightning-l10n-pl lightning-l10n-pt-br lightning-l10n-pt-pt lightning-l10n-rm lightning-l10n-ro lightning-l10n-ru lightning-l10n-si lightning-l10n-sk lightning-l10n-sl lightning-l10n-sr lightning-l10n-sq lightning-l10n-sv-se lightning-l10n-tr lightning-l10n-uk lightning-l10n-vi lightning-l10n-zh-cn lightning-l10n-zh-tw icedove icedove-dbg iceowl-extension icedove-l10n-all icedove-l10n-ar icedove-l10n-ast icedove-l10n-be icedove-l10n-bg icedove-l10n-br icedove-l10n-ca icedove-l10n-cs icedove-l10n-da icedove-l10n-de icedove-l10n-dsb icedove-l10n-el icedove-l10n-en-gb icedove-l10n-es-ar icedove-l10n-es-es icedove-l10n-et icedove-l10n-eu icedove-l10n-fi icedove-l10n-fr icedove-l10n-fy-nl icedove-l10n-ga-ie icedove-l10n-gd icedove-l10n-gl icedove-l10n-he icedove-l10n-hr icedove-l10n-hsb icedove-l10n-hu icedove-l10n-hy-am icedove-l10n-id icedove-l10n-is icedove-l10n-it icedove-l10n-ja icedove-l10n-kab icedove-l10n-ko icedove-l10n-lt icedove-l10n-nb-no icedove-l10n-nl icedove-l10n-nn-no icedove-l10n-pl icedove-l10n-pt-br icedove-l10n-pt-pt icedove-l10n-rm icedove-l10n-ro icedove-l10n-ru icedove-l10n-si icedove-l10n-sk icedove-l10n-sl icedove-l10n-sq icedove-l10n-sr icedove-l10n-sv-se icedove-l10n-tr icedove-l10n-uk icedove-l10n-vi icedove-l10n-zh-cn icedove-l10n-zh-tw iceowl-l10n-ar iceowl-l10n-ast iceowl-l10n-be iceowl-l10n-bg iceowl-l10n-br iceowl-l10n-ca iceowl-l10n-cs iceowl-l10n-cy iceowl-l10n-da iceowl-l10n-de iceowl-l10n-dsb iceowl-l10n-el iceowl-l10n-en-gb iceowl-l10n-es-ar iceowl-l10n-es-es iceowl-l10n-et iceowl-l10n-eu iceowl-l10n-fi iceowl-l10n-fr iceowl-l10n-fy-nl iceowl-l10n-ga-ie iceowl-l10n-gd iceowl-l10n-gl iceowl-l10n-he iceowl-l10n-hr iceowl-l10n-hsb iceowl-l10n-hu iceowl-l10n-hy-am iceowl-l10n-id iceowl-l10n-is iceowl-l10n-it iceowl-l10n-ja iceowl-l10n-kab iceowl-l10n-ko iceowl-l10n-lt iceowl-l10n-nb-no 
iceowl-l10n-nl iceowl-l10n-nn-no iceowl-l10n-pl iceowl-l10n-pt-br iceowl-l10n-pt-pt iceowl-l10n-rm iceowl-l10n-ro iceowl-l10n-ru iceowl-l10n-si iceowl-l10n-sk iceowl-l10n-sl iceowl-l10n-sq iceowl-l10n-sr iceowl-l10n-sv-se iceowl-l10n-tr iceowl-l10n-uk iceowl-l10n-vi iceowl-l10n-zh-cn iceowl-l10n-zh-tw Architecture: source amd64 all Version: 1:60.6.1-1~deb8u1 Distribution: jessie-security Urgency: medium Maintainer: Carsten Schoenert Changed-By: Emilio Pozuelo Monfort Description: calendar-google-provider - Google Calendar support for lightning icedove- mail/news client with RSS and integrated spam filter support icedove-dbg - Debug Symbols for Icedove icedove-l10n-all - All language packages for Icedove (meta) - Transitional package icedove-l10n-ar - Arabic language package for Icedove - Transitional package icedove-l10n-ast - Asturian language package for Icedove - Transitional package icedove-l10n-be - Belarusian
[SECURITY] [DLA 1743-1] thunderbird security update
Package: thunderbird
Version: 1:60.6.1-1~deb8u1
CVE ID : CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9795 CVE-2019-9796

Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code or denial of service.

For Debian 8 "Jessie", these problems have been fixed in version 1:60.6.1-1~deb8u1.

We recommend that you upgrade your thunderbird packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS