Re: Introduction new LTS trainee

2019-11-07 Thread Dylan Aïssi
Hi Sylvain,

On Thu, 7 Nov 2019 at 11:17, Sylvain Beucler wrote:
> Welcome!

Thanks!

> Having on board somebody who understands R sounds good ;)

I don't know if this will really help :-).

> Any past encounters with computer security?

I have already backported some security fixes into Debian. See a list
of examples below. This is why I think I can help.

CVE-2017-2816 libofx/1:0.9.10-2+deb9u1 and libofx/1:0.9.10-1+deb8u1
CVE-2017-14731 libofx/1:0.9.10-2+deb9u1 and libofx/1:0.9.10-1+deb8u1
 - https://salsa.debian.org/debian/libofx/commit/e372eac2d28e26eb0e37e194b80e72bf44ce2c8e
 - https://salsa.debian.org/debian/libofx/commit/108bab5e62d28a90945d22ab72e8ae116fbfcc2b
CVE-2018-11099 vcftools/0.1.14+dfsg-4+deb9u1
CVE-2018-11129 vcftools/0.1.14+dfsg-4+deb9u1
CVE-2018-11130 vcftools/0.1.14+dfsg-4+deb9u1
 - https://salsa.debian.org/med-team/vcftools/commit/6f3285ced62dcf05dc5c43c97968173a4cada81c
CVE-2018-20349 igraph/0.7.1-2.1+deb9u1
 - https://salsa.debian.org/med-team/igraph/commit/4cbe21e1b59a363c2d806b85bd997be57ee1eff4
CVE-2019-9656 libofx/1:0.9.14-1+deb10u1
 - https://salsa.debian.org/debian/libofx/commit/340f6fcbb75d41807a83b58356cf2c5ca6c8f726
CVE-2019-10269 bwa/0.7.15-2+deb9u1
 - https://salsa.debian.org/med-team/bwa/commit/eecf9b4e0758a505d6044cbae87d95c18df6c2ad
CVE-2019-10269 bwa/0.7.17-3
 - https://salsa.debian.org/med-team/bwa/commit/2f03e0f1fa6b0ca04f6d5ec9f95a488f14508914
CVE-2019-10877 teeworlds/0.7.2-5
 - https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10877.patch
CVE-2019-10878 teeworlds/0.7.2-5
 - https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10878.patch
CVE-2019-10879 teeworlds/0.7.2-5
 - https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10879.patch
CVE-2019-11471 libheif/1.3.2-2
 - https://salsa.debian.org/multimedia-team/libheif/commit/9191a77912e1a21a5de3ef578d3f27887b9bdfe4

Best,
Dylan



RFS: gdal

2019-11-07 Thread Utkarsh Gupta
Hey,

Since I am still a DM, I'd heartily request sponsorship for the upload of gdal.
The package is tested and uploaded to mentors.d.net, and the relevant
.dsc can be found here [1].

I am also attaching the DLA file for the same :)


Best,
Utkarsh
---
[1]: https://mentors.debian.net/debian/pool/main/g/gdal/gdal_1.10.1+dfsg-8+deb8u1.dsc

From: Utkarsh Gupta 
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 1984-1] gdal security update

Package: gdal
Version: 1.10.1+dfsg-8+deb8u1
CVE ID : CVE-2019-17545


GDAL through 3.0.1 had a poolDestroy double free in OGRExpatRealloc
in ogr/ogr_expat.cpp when the 10MB threshold was exceeded.

For Debian 8 "Jessie", this problem has been fixed in version
1.10.1+dfsg-8+deb8u1.

We recommend that you upgrade your gdal packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


signature.asc
Description: OpenPGP digital signature
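The advisory above describes a double free reached through a realloc callback once a size threshold is exceeded. As an added illustration (constructed for this thread, not GDAL's code and not taken from the advisory or the fix), the block below shows the general C pattern behind that class of bug: a size-capped realloc callback that, on rejecting a request, must behave like a failed realloc and leave the caller's block untouched, because the owner (an expat-style pool teardown, simulated here) will free it exactly once. The 10 MiB cap, the function names and the pool simulation are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Constructed example, not GDAL's code. A size cap for an allocator callback;
 * the advisory mentions a 10MB threshold, 10 MiB is assumed here. */
#define POOL_CAP_BYTES (10u * 1024u * 1024u)

/* Buggy shape (shown for contrast, never called below): on rejecting the
 * request it frees the caller's block and returns NULL. realloc()'s contract
 * is that a NULL return leaves the old block valid, so the owner will free
 * ptr a second time during teardown: a double free. */
void *capped_realloc_buggy(void *ptr, size_t size)
{
    if (size > POOL_CAP_BYTES) {
        free(ptr);          /* violates the realloc contract */
        return NULL;
    }
    return realloc(ptr, size);
}

/* Hardened shape: a rejected request is reported exactly like a failed
 * realloc. The caller keeps ownership of ptr and frees it once. */
void *capped_realloc(void *ptr, size_t size)
{
    if (size > POOL_CAP_BYTES)
        return NULL;
    return realloc(ptr, size);
}

/* Simulated parser pool: grows its buffer through the hardened callback and
 * always frees whatever block it still owns on teardown (poolDestroy-style).
 * Returns 1 if the request was rejected and the original block was still
 * live, 2 if the buffer grew, 0 on allocation failure. */
int pool_grow_and_destroy(size_t initial, size_t requested)
{
    char *buf = malloc(initial);
    if (buf == NULL)
        return 0;
    memset(buf, 'a', initial);

    char *grown = capped_realloc(buf, requested);
    int result;
    if (grown == NULL) {
        /* Rejected: buf must still be readable, exactly as after a failed
         * realloc(). With the buggy callback this read would be use-after-free
         * and the free() below a double free. */
        result = (buf[0] == 'a') ? 1 : 0;
    } else {
        buf = grown;
        result = 2;
    }
    free(buf);   /* single free by the single owner */
    return result;
}

int main(void)
{
    /* Oversized request is rejected and the pool still tears down cleanly. */
    return pool_grow_and_destroy(16, POOL_CAP_BYTES + 1) == 1 ? 0 : 1;
}
```

The point for review of such fixes: any wrapper that can refuse a reallocation must either keep realloc's failure semantics (return NULL, keep the old block alive) or take ownership of the block and make that visible to every caller; mixing the two is what produces a second free on teardown.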


Re: Introduction new LTS trainee

2019-11-07 Thread Sylvain Beucler
Hi,

On 06/11/2019 12:22, Dylan Aïssi wrote:
> After several emails exchanged with Holger and Raphaël, I am now an LTS
> trainee :-).
> I am still learning how to deal with the LTS workflow, so you can
> expect some questions from my side.
>
> Otherwise, I have been a DD since September 2018 and mainly involved in the
> Debian Med team and in the Debian R Packages team. Why these teams?
> Because IRL, I am an academic data scientist / bioinformatician
> working in biomedical research. And before that, I started to
> contribute to Debian in 2014 through the "New Contributor Game" from
> Raphaël.
Welcome!

Having on board somebody who understands R sounds good ;)

Any past encounters with computer security?

Cheers!
Sylvain



Re: Security issues in standards (ruby-openid / CVE-2019-11027)

2019-11-07 Thread Sylvain Beucler
Hi,

On 06/11/2019 21:14, Utkarsh Gupta wrote:
> On 06/11/19 11:47 am, Brian May wrote:
>> Utkarsh Gupta  writes:
>>
>>> I am not quite sure about what we should do here because the update (DLA
>>> 1956-1) doesn't quite fix the CVE completely and also brings some login
>>> problems as reported in #125.
>>> Because for now, #121 + #126 = actual CVE fix. But the login problem
>>> remains.
>> I guess we have three options:
>>
>> 1. Do nothing.
>> 2. Revert the #121 patch, because it could break. I haven't seen any
>> complaints however...
> Whilst that is true, I'd rather not have someone face an "unexpected
> response" error.
> Though I hope no one is using that feature yet :)
>
>> 3. Apply the #126 patch too. Not 100% convinced this is a justified
>> change for LTS, but it "looks right".
>> 4. Wait longer for possible upstream solution to #125.
>>
>> Any opinions?
> I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.
Do the package maintainers have an opinion on this?
This can help.

Raphael, given that this package is low popcon and the vulnerability is
fuzzy, do you know if the sponsor for this package would be willing to
test fixes?

Cheers!
Sylvain