Re: Introduction new LTS trainee
Hi Sylvain,

On Thu, 7 Nov 2019 at 11:17, Sylvain Beucler wrote:
> Welcome!

Thanks!

> Having on board somebody who understands R sounds good ;)

I don't know if this will really help :-).

> Any past encounters with computer security?

I have already backported some security fixes into Debian. See a list of examples below. This is why I think I can help.

CVE-2017-2816 libofx/1:0.9.10-2+deb9u1 and libofx/1:0.9.10-1+deb8u1
CVE-2017-14731 libofx/1:0.9.10-2+deb9u1 and libofx/1:0.9.10-1+deb8u1
- https://salsa.debian.org/debian/libofx/commit/e372eac2d28e26eb0e37e194b80e72bf44ce2c8e
- https://salsa.debian.org/debian/libofx/commit/108bab5e62d28a90945d22ab72e8ae116fbfcc2b

CVE-2018-11099 vcftools/0.1.14+dfsg-4+deb9u1
CVE-2018-11129 vcftools/0.1.14+dfsg-4+deb9u1
CVE-2018-11130 vcftools/0.1.14+dfsg-4+deb9u1
- https://salsa.debian.org/med-team/vcftools/commit/6f3285ced62dcf05dc5c43c97968173a4cada81c

CVE-2018-20349 igraph/0.7.1-2.1+deb9u1
- https://salsa.debian.org/med-team/igraph/commit/4cbe21e1b59a363c2d806b85bd997be57ee1eff4

CVE-2019-9656 libofx/1:0.9.14-1+deb10u1
- https://salsa.debian.org/debian/libofx/commit/340f6fcbb75d41807a83b58356cf2c5ca6c8f726

CVE-2019-10269 bwa/0.7.15-2+deb9u1
- https://salsa.debian.org/med-team/bwa/commit/eecf9b4e0758a505d6044cbae87d95c18df6c2ad
CVE-2019-10269 bwa/0.7.17-3
- https://salsa.debian.org/med-team/bwa/commit/2f03e0f1fa6b0ca04f6d5ec9f95a488f14508914

CVE-2019-10877 teeworlds/0.7.2-5
- https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10877.patch
CVE-2019-10878 teeworlds/0.7.2-5
- https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10878.patch
CVE-2019-10879 teeworlds/0.7.2-5
- https://salsa.debian.org/games-team/teeworlds/blob/master/debian/patches/CVE-2019-10879.patch

CVE-2019-11471 libheif/1.3.2-2
- https://salsa.debian.org/multimedia-team/libheif/commit/9191a77912e1a21a5de3ef578d3f27887b9bdfe4

Best,
Dylan
RFS: gdal
Hey,

Since I am still a DM, I'd heartily request to sponsor the upload of gdal. The package is tested and uploaded to mentors.d.net and the relevant .dsc could be found here[1]. I am also attaching the DLA file for the same :)

Best,
Utkarsh

---
[1]: https://mentors.debian.net/debian/pool/main/g/gdal/gdal_1.10.1+dfsg-8+deb8u1.dsc

From: Utkarsh Gupta
To: debian-lts-annou...@lists.debian.org
Subject: [SECURITY] [DLA 1984-1] gdal security update

Package: gdal
Version: 1.10.1+dfsg-8+deb8u1
CVE ID : CVE-2019-17545

GDAL through 3.0.1 had a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold was exceeded.

For Debian 8 "Jessie", this problem has been fixed in version 1.10.1+dfsg-8+deb8u1.

We recommend that you upgrade your gdal packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Re: Introduction new LTS trainee
Hi,

On 06/11/2019 12:22, Dylan Aïssi wrote:
> After several emails exchanged with Holger and Raphaël, I am now a LTS
> trainee :-).
> I am still learning how to deal with the LTS workflow, so you can
> expect some questions from my side.
>
> Otherwise, I am DD since September 2018 and mainly involved in the
> Debian Med team and in the Debian R Packages team. Why these teams?
> Because IRL, I am an academic data scientist / bioinformatician
> working in biomedical research. And before that, I started to
> contribute to Debian in 2014 through the "New Contributor Game" from
> Raphaël.

Welcome!

Having on board somebody who understands R sounds good ;)

Any past encounters with computer security?

Cheers!
Sylvain
Re: Security issues in standards (ruby-openid / CVE-2019-11027)
Hi,

On 06/11/2019 21:14, Utkarsh Gupta wrote:
> On 06/11/19 11:47 am, Brian May wrote:
>> Utkarsh Gupta writes:
>>
>>> I am not quite sure about what should we do here because the update (DLA
>>> 1956-1) doesn't quite fix the CVE completely and also brings some login
>>> problems as reported in #125.
>>> Because for now, #121 + #126 = actual CVE fix. But the login problem
>>> remains.
>> I guess we have three options:
>>
>> 1. Do nothing.
>> 2. Revert the #121 patch, because it could break. I haven't seen any
>> complaints however...
> Whilst that is true, I'd rather not want someone to face an "unexpected
> response" error.
> Though I hope no one is using that feature yet :)
>
>> 3. Apply the #126 patch too. Not 100% convinced this is a justified
>> change for LTS, but it "looks right".
>> 4. Wait longer for possible upstream solution to #125.
>>
>> Any opinions?
> I'd be a +1 on the 2nd and/or the 4th option. And a +0.5 on the 3rd.

Do the package maintainers have an opinion on this? This can help.

Raphael, given that this package is low popcon and the vulnerability is fuzzy, do you know if the sponsor for this package would be willing to test fixes?

Cheers!
Sylvain