Re: [SECURITY] [DSA 2856-1] libcommons-fileupload-java security update
Unsubscribe

Daniel

On Feb 8, 2014 1:00 AM, Florian Weimer f...@deneb.enyo.de wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2856-1                   secur...@debian.org
> http://www.debian.org/security/                            Florian Weimer
> February 07, 2014                      http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : libcommons-fileupload-java
> Vulnerability  : denial of service
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2014-0050
>
> It was discovered that the Apache Commons FileUpload package for Java
> could enter an infinite loop while processing a multipart request with
> a crafted Content-Type, resulting in a denial-of-service condition.
>
> For the oldstable distribution (squeeze), this problem has been fixed in
> version 1.2.2-1+deb6u2.
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 1.2.2-1+deb7u2.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1.3.1-1.
>
> We recommend that you upgrade your libcommons-fileupload-java packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQEcBAEBAgAGBQJS9WToAAoJEL97/wQC1SS+IcIH/18AS3UkkZtLgZcEGpBeBEM+
> OX00IRYPc3emFQcB3ZUUeiYGtq3aAEKYTW5wd8tAA04K4wUMdcV70oUxnFEeUcLl
> ir0b4rIM/ozB86iBN95jmgQzY7pdx703tvhA7CQlNdC0WTEPFHW7yrGksrAk5rTv
> zw5NlN3Hi9McYH+kigp6ULoNavWfByNM7i7xNb7tPCulF0MnIyhfg0ewxgg+QfYj
> RB0V5U/jSW77n0E/Ft9MX5cthViwaCxYREJoXgSIDid/OYyNIE3aZuB+KKFDwPGw
> /dkC+QIE6Zbeesx73YBo+oCEKulGE1UOutjrHy/vnV+mvZklmvChyZEyaGjIG5w=
> =noFV
> -----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87y51mil6r@mid.deneb.enyo.de
Re: Upcoming stable point release (7.4)
On Thu, 2014-01-23 at 20:08 +, Adam D. Barratt wrote:
> The next point release for wheezy (7.4) is scheduled for Saturday
> February 8th. Stable NEW will be frozen during the preceding weekend.

The archive side of the point release has now finished, and an extra
mirror update has been triggered, so packages should start appearing on
mirrors over the next couple of hours.

Regards,

Adam

Archive: http://lists.debian.org/1391857541.5649.19.ca...@jacala.jungle.funky-badger.org
Bug#727534: security-tracker: Add tabular view listing all CVEs and version table for a source package
Hi Antonio,

On Thu, Oct 24, 2013 at 09:49:19AM -0300, Antonio Terceiro wrote:
> It would be nice if someone familiar with the codebase could write up
> instructions on how to do that.

Actually, at the Security Team meeting we are working on this now.
Mainly, if you want to set up a test instance of the security tracker,
it is a matter of doing these three steps:

  make update-packages
  make all
  make serve

But Luciano is working on adding a section for this to the
documentation.

Regards,
Salvatore

Archive: http://lists.debian.org/20140208103127.GA23612@eldamar.local
Bug#683986: marked as done (security-tracker: automated testing announcement emails)
Your message dated Sat, 8 Feb 2014 11:53:50 +0100
with message-id 20140208105349.GA8082@pisco.westfalen.local
and subject line Re: security-tracker: automated testing announcement emails
has caused the Debian Bug report #683986,
regarding security-tracker: automated testing announcement emails
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
683986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683986
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: security-tracker

Hi Florian,

On soler there's still the script that used to send the automatic
testing announcement emails. I think it's been over a year since it
broke due to changes in the security tracker's db schema.
Since it is pretty obscure to me, would you please implement the
feature in the tracker itself?

Thanks.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
---End Message---

---BeginMessage---
On Sun, Aug 05, 2012 at 07:54:26PM -0500, Raphael Geissert wrote:
> Package: security-tracker
> 
> Hi Florian,
> 
> On soler there's still the script that used to send the automatic
> testing announcement emails. I think it's been over a year since it
> broke due to changes in the security tracker's db schema.
> Since it is pretty obscure to me, would you please implement the
> feature in the tracker itself?

These announcements are no longer sent and there's no longer a testing
security team, so we can just close the bug.

Cheers,
Moritz
---End Message---
About testing security team [was: Re: Bug#683986: marked as done (security-tracker: automated testing announcement emails)]
On Sat, 08 Feb 2014 11:53:50 +0100 Moritz Mühlenhoff wrote:

[...]
> there's no longer a testing security team
[...]

Hello Moritz,
could you please clarify?
Do you mean that the testing security team was merged with the
(stable) security team? Or something else?

I still see
http://testing-security.debian.net/
https://alioth.debian.org/projects/secure-testing/
They do not seem to have been shut down...

Thanks for your time.

-- 
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
. Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE

Attachment: pgpmnQ9fy1mt5.pgp (PGP signature)
Re: About testing security team [was: Re: Bug#683986: marked as done (security-tracker: automated testing announcement emails)]
On Sat, 8 Feb 2014 12:46:27 +0100 Moritz Mühlenhoff wrote:

> On Sat, Feb 08, 2014 at 12:09:49PM +0100, Francesco Poli wrote:
> > On Sat, 08 Feb 2014 11:53:50 +0100 Moritz Mühlenhoff wrote:
> > 
> > [...]
> > > there's no longer a testing security team
> > [...]
> > 
> > Hello Moritz,
> > could you please clarify?
> > Do you mean that the testing security team was merged with the
> > (stable) security team? Or something else?
> 
> There's no longer anyone actively building fixed packages for
> testing-security. Fixed packages still transition to testing, but
> that's about it.

Thanks for the clarification.

> > I still see
> > http://testing-security.debian.net/
> 
> I'll update the website to remove the outdated information.

Good, thanks for being willing to do so!

Bye.

-- 
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
. Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE

Attachment: pgpZOPOPA_5wW.pgp (PGP signature)
Bug#738202: security-tracker: DSA-2856-1 vs. tracker
Package: security-tracker
Severity: normal

Hello,
DSA-2856-1 [1] states that CVE-2014-0050 is fixed in oldstable and
stable security updates for libcommons-fileupload-java.

[1] https://lists.debian.org/debian-security-announce/2014/msg00026.html

The tracker seems to agree on its DSA page [2], but seems to miss the
link with the CVE. As a consequence the CVE page [3] still shows
libcommons-fileupload-java as vulnerable in oldstable (security) and
stable (security)...

[2] https://security-tracker.debian.org/tracker/DSA-2856-1
[3] https://security-tracker.debian.org/tracker/CVE-2014-0050

Please update the tracker data accordingly.

Thanks for your time!
Bye.

Archive: http://lists.debian.org/20140208161009.6693.75010.reportbug@homebrew
Bug#738202: marked as done (security-tracker: DSA-2856-1 vs. tracker)
Your message dated Sat, 8 Feb 2014 18:23:20 +0100
with message-id 20140208172320.GA18060@eldamar.local
and subject line Re: Bug#738202: security-tracker: DSA-2856-1 vs. tracker
has caused the Debian Bug report #738202,
regarding security-tracker: DSA-2856-1 vs. tracker
to be marked as done.

-- 
738202: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738202
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: security-tracker
Severity: normal

Hello,
DSA-2856-1 [1] states that CVE-2014-0050 is fixed in oldstable and
stable security updates for libcommons-fileupload-java.

[1] https://lists.debian.org/debian-security-announce/2014/msg00026.html

The tracker seems to agree on its DSA page [2], but seems to miss the
link with the CVE. As a consequence the CVE page [3] still shows
libcommons-fileupload-java as vulnerable in oldstable (security) and
stable (security)...

[2] https://security-tracker.debian.org/tracker/DSA-2856-1
[3] https://security-tracker.debian.org/tracker/CVE-2014-0050

Please update the tracker data accordingly.

Thanks for your time!
Bye.
---End Message---

---BeginMessage---
Hi Francesco,

On Sat, Feb 08, 2014 at 05:10:09PM +0100, Francesco Poli (wintermute) wrote:
> Package: security-tracker
> Severity: normal
> 
> Hello,
> DSA-2856-1 [1] states that CVE-2014-0050 is fixed in oldstable and
> stable security updates for libcommons-fileupload-java.
> 
> [1] https://lists.debian.org/debian-security-announce/2014/msg00026.html
> 
> The tracker seems to agree on its DSA page [2], but seems to miss the
> link with the CVE. As a consequence the CVE page [3] still shows
> libcommons-fileupload-java as vulnerable in oldstable (security) and
> stable (security)...
> 
> [2] https://security-tracker.debian.org/tracker/DSA-2856-1
> [3] https://security-tracker.debian.org/tracker/CVE-2014-0050
> 
> Please update the tracker data accordingly.

Thanks, it is fixed now.

Regards,
Salvatore
---End Message---
Processed: Re: Bug#738172: Track renames of source packages
Processing control commands:

> reassign -1 security-tracker
Bug #738172 [security-tracker.debian.org] Track renames of source packages
Warning: Unknown package 'security-tracker.debian.org'
Bug reassigned from package 'security-tracker.debian.org' to 'security-tracker'.
Ignoring request to alter found versions of bug #738172 to the same values previously set
Ignoring request to alter fixed versions of bug #738172 to the same values previously set

-- 
738172: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Archive: http://lists.debian.org/handler.s.b738172.139188758911997.transcr...@bugs.debian.org