Re: New list: lts-do-call-me

2019-07-17 Thread Sylvain Beucler
Hi Markus,

On 17/07/2019 17:16, Markus Koschany wrote:
> On 17.07.19 at 16:46, Roberto C. Sánchez wrote:
>> On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote:
>>> lts-do-call-me contains all maintainers and/or source
>>> packages that should be handled by the maintainer. Please contact all
>>> maintainers in this list before starting to work on the package. There
>>> are some other maintainers who regularly provide updates themselves,
>>> please update the list as needed and share any information you have.
>>>
>> Is it correct to assume that packages will be noted with this
>> information when triaged into dla-needed.txt?  I've seen some that have
>> a note like, "maintainer will handle update," so I assume that it is
>> part of the front desk procedure. 
> Yes, ideally this should be managed by frontdesk. So if you are not
> already aware of it take a look at both files and then add the package
> with a note.
>
>> Likewise, I would expect a note
>> indicating that the maintainer has been contacted and stating either
>> that no response has been received yet, or a response has been received
>> saying that we should go ahead or let the maintainer handle it (as
>> appropriate).
>>
>> Do I understand correctly?
> I think that works as before. We already do it this way. For the
> majority of packages nothing will change but for those packages in
> lts-do-call-me we should take extra care and note any responses of the
> maintainer and follow-up as necessary.
Would you be so kind as to update the wiki
https://wiki.debian.org/LTS/Development
to clarify what front-desk needs to do / not to do?

I'm not sure what the workflow is (notify maintainer and add to
dla-needed.txt stating so? not add to dla-needed until maintainer acked?
also how to detect when a package maintainer changed and hence
lts-do-call-me needs to be updated / new maintainer asked for their
preference?).

Last, do we drop 'lts-do-no-call'?

Cheers!
Sylvain



[SECURITY] [DLA 1854-1] libonig security update

2019-07-17 Thread Markus Koschany

Package: libonig
Version: 5.9.5-3.2+deb8u2
CVE ID : CVE-2019-13224
Debian Bug : 931878

A use-after-free in onig_new_deluxe() in regext.c allows attackers to
potentially cause information disclosure, denial of service, or
possibly code execution by providing a crafted regular expression. The
attacker provides a pair of a regex pattern and a string, with a
multi-byte encoding that gets handled by onig_new_deluxe().

For Debian 8 "Jessie", this problem has been fixed in version
5.9.5-3.2+deb8u2.

We recommend that you upgrade your libonig packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
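Added here as an example, not part of the advisory or of any Debian tooling: a Python reimplementation of dpkg's version-ordering rules, so a host inventory can flag libonig2 installs that still predate the fixed version 5.9.5-3.2+deb8u2 rather than relying on a plain string comparison (which gets tildes, epochs and multi-digit suffixes wrong). The function names and the sample version strings are constructed.

```python
# Added example, not from the advisory: dpkg's version ordering reimplemented so an
# inventory check can tell whether an installed libonig2 predates the DLA 1854-1 fix.
import re
from itertools import zip_longest

FIXED_VERSION = "5.9.5-3.2+deb8u2"  # fixed version stated in DLA 1854-1

def _order(c: str) -> int:
    # dpkg character weight: end of string 0, '~' below that, letters, then symbols
    if not c:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _cmp_component(a: str, b: str) -> int:
    # split into (non-digit run, digit run) pairs; runs of letters/symbols compare
    # by character weight, digit runs compare numerically (leading zeros ignored)
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(a: str, b: str) -> int:
    # -1, 0 or 1 as Debian version a is older than, equal to or newer than b;
    # versions are [epoch:]upstream[-revision], epoch defaulting to 0
    def split(v: str):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea - eb) or _cmp_component(ua, ub) or _cmp_component(ra, rb)
    return (r > 0) - (r < 0)

def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    # True when the installed libonig2 version is still older than the fixed one
    return compare_versions(installed, fixed) < 0
```

The installed version to feed in is what `dpkg-query -W -f '${Version}' libonig2` reports on the host.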



Re: New list: lts-do-call-me

2019-07-17 Thread Markus Koschany
On 17.07.19 at 16:46, Roberto C. Sánchez wrote:
> On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote:
>>
>> lts-do-call-me contains all maintainers and/or source
>> packages that should be handled by the maintainer. Please contact all
>> maintainers in this list before starting to work on the package. There
>> are some other maintainers who regularly provide updates themselves,
>> please update the list as needed and share any information you have.
>>
> Is it correct to assume that packages will be noted with this
> information when triaged into dla-needed.txt?  I've seen some that have
> a note like, "maintainer will handle update," so I assume that it is
> part of the front desk procedure. 

Yes, ideally this should be managed by frontdesk. So if you are not
already aware of it take a look at both files and then add the package
with a note.

> Likewise, I would expect a note
> indicating that the maintainer has been contacted and stating either
> that no response has been received yet, or a response has been received
> saying that we should go ahead or let the maintainer handle it (as
> appropriate).
> 
> Do I understand correctly?

I think that works as before. We already do it this way. For the
majority of packages nothing will change but for those packages in
lts-do-call-me we should take extra care and note any responses of the
maintainer and follow-up as necessary.

Regards,

Markus





Re: New list: lts-do-call-me

2019-07-17 Thread Roberto C. Sánchez
On Wed, Jul 17, 2019 at 11:26:56AM -0300, Markus Koschany wrote:
> 
> lts-do-call-me contains all maintainers and/or source
> packages that should be handled by the maintainer. Please contact all
> maintainers in this list before starting to work on the package. There
> are some other maintainers who regularly provide updates themselves,
> please update the list as needed and share any information you have.
> 
Is it correct to assume that packages will be noted with this
information when triaged into dla-needed.txt?  I've seen some that have
a note like, "maintainer will handle update," so I assume that it is
part of the front desk procedure.  Likewise, I would expect a note
indicating that the maintainer has been contacted and stating either
that no response has been received yet, or a response has been received
saying that we should go ahead or let the maintainer handle it (as
appropriate).

Do I understand correctly?

Regards,

-Roberto

-- 
Roberto C. Sánchez



New list: lts-do-call-me

2019-07-17 Thread Markus Koschany
Hello,

after a conversation at DebConf19, I have created a new file
org/lts-do-call-me. We have previously sent out many emails asking
whether a maintainer would like to take care of the security update. We
still do it but less frequently. It turned out that many either did not
react, or were glad we did it and asked us not to call them anymore. We
have changed this approach, more or less silently, and only call them if
we know they want to take charge of the update.

I believe it makes sense to create a list with those maintainers who
want to be in charge to avoid any friction.

lts-do-call-me contains all maintainers and/or source
packages that should be handled by the maintainer. Please contact all
maintainers in this list before starting to work on the package. There
are some other maintainers who regularly provide updates themselves,
please update the list as needed and share any information you have.

Regards,

Markus





Accepted libonig 5.9.5-3.2+deb8u2 (source amd64) into oldoldstable

2019-07-17 Thread Markus Koschany

Format: 1.8
Date: Wed, 17 Jul 2019 14:56:48 +0200
Source: libonig
Binary: libonig2 libonig2-dbg libonig-dev
Architecture: source amd64
Version: 5.9.5-3.2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Jörg Frings-Fürst 
Changed-By: Markus Koschany 
Description:
 libonig-dev - Development files for libonig2
 libonig2   - Oniguruma regular expressions library
 libonig2-dbg - Debugging symbols for libonig2
Changes:
 libonig (5.9.5-3.2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-13224:
 A use-after-free in onig_new_deluxe() in regext.c allows
 attackers to potentially cause information disclosure, denial of service,
 or possibly code execution by providing a crafted regular expression. The
 attacker provides a pair of a regex pattern and a string, with a multi-byte
 encoding that gets handled by onig_new_deluxe().
Checksums-Sha1:
Checksums-Sha256:
Files:
