Re: [SECURITY] [DSA 2874-1] mutt security update
Hi,

On Wed, Mar 12, 2014 at 04:44:02PM +0100, Moritz Muehlenhoff wrote:
> Debian Security Advisory DSA-2874-1                   secur...@debian.org
> [..]
> Package: mutt
> CVE ID : CVE-2014-0467
> Debian Bug : 708731

Gentle reminder: DSA emails are supposed to contain a "Vulnerability :" key, which allows generating the wml-ed DSA.

-- 
Simon Paillard

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140312204629.gg15...@mraw.org
Re: Bug#649625: webkit unmaintained security-wise (again)
Hi,

On Tue, Nov 22, 2011 at 09:39:41PM +0100, Moritz Muehlenhoff wrote:
> Source: webkit
> Severity: grave
> [..]
> I have no idea whether this LTS branch exists, but webkit is - as in Squeeze - unmaintained wrt security updates.
> [..]
> I guess the consequence is to pick one of the two as the default browser for Wheezy and to demote webkit as another unsupported HTML render engine usable to render HTML help, but not for a full browser (just like khtml and qtwebkit)

If the situation persists, it may be worth warning *squeeze* users, through a dedicated DSA/d-security-announce, as well as a dedicated paragraph in the next point release announcement?

-- 
Simon Paillard

Archive: http://lists.debian.org/20111205200047.ga14...@glenfiddich.mraw.org
security mirror lagging, issues on security-master archive
Hi,

22:55 <symoon> reminder: security mirrors are lagging behind security master, because of /dists/lenny/updates/main/binary-ia64/Packages.bz2.new kind files which are not readable by the archvsync mirror user.
22:56 <symoon> see http://security.debian.org/debian-security/project/trace/ security.debian.org trace file is one hour late.

-- 
Simon Paillard

Archive: http://lists.debian.org/20110708205818.gp21...@glenfiddich.mraw.org
On publishing/announcing end of security support (was: [DSA-1975-1] Security .. Debian 4.0 to be discontinued..)
Hi,

On Wed, Jan 20, 2010 at 08:51:17PM, Stefan Fritsch wrote:
> Debian Security Advisory DSA-1975-1                   secur...@debian.org
> [...]
> Security Support for Debian GNU/Linux 4.0 to be discontinued on February 15th

The website doesn't support publishing package-less DSAs (or it will look *very* ugly).

Though such an announcement could be sent to both debian-announce and -security-announce, I guess it doesn't need a DSA number since it's not related to any vuln.

That's why previous such announcements were sent on debian-announce and published as news:

for Etch
  http://lists.debian.org/debian-announce/2008/msg1.html
  http://www.debian.org/News/2008/20080229

for Sarge
  http://lists.debian.org/debian-announce/2006/msg2.html
  http://www.debian.org/News/2006/20060601

Bye.

-- 
Simon Paillard
Syntax for DSA (was: [SECURITY] [DSA 1865-1] New Linux 2.6.18)
Dear security team,

From one DSA to another, the syntax changes a bit, and it makes the current import script not happy, and same with me :-)

BTW, did you have a look at http://lists.debian.org/debian-security/2009/07/msg00096.html ?

On Sun, Aug 16, 2009 at 02:52:35PM -0600, dann frazier wrote:
> --
> Debian Security Advisory DSA-1865-1                    secur...@debian.org
                                  ^^
Sometimes, -1 is omitted (yes, we may consider omitted as -1 by default if you want to).

> Aug 16, 2009                          http://www.debian.org/security/faq
  ^^
August is expected here (full month name).

> Package: linux-2.6
> [..]
> Upgrade instructions
> [..]
> The following matrix lists additional source packages that were rebuilt for compatibility with or to take advantage of this update:
>
> Debian 4.0 (etch)
>   fai-kernels        1.17+etch.24etch3
>   user-mode-linux    2.6.18-1um-2etch.24etch3
>
> You may use an automated update by adding the resources from the footer to the proper configuration.

Please put this notice before the paragraph about upgrade instructions if you want it to be available on the web page. Or tell us the exact syntax to use so that we can extract it from the upgrade paragraph.

> Debian GNU/Linux 4.0 alias etch
> ---
> Oldstable updates are available for alpha, amd64, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.
> Updates for arm and mips will be released as they become available.

Please put this notice before the paragraph about upgrade instructions if you want it to be available on the web page.

> Source archives:
> [..]
> These changes will probably be included in the oldstable distribution on its next update.

Same remark here.

-- 
Simon Paillard
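The two complaints above (a missing "Vulnerability :" key in DSA-2874-1, and the optional "-1" revision suffix and abbreviated month in DSA-1865-1) are the kind of drift an import script has to tolerate or report. The following checker is an added example, not the website's parse-advisory.pl: it parses the header of a DSA mail, assumes a missing revision means -1, expands an abbreviated month to the full name, and reports required keys that are absent. The sample header is constructed from values quoted on this page.

```python
import calendar
import re

# Constructed sample modelled on the DSA mail layout quoted in the messages
# above (DSA-2874, mutt, CVE-2014-0467, bug 708731); it deliberately omits
# the "-1" revision, abbreviates the month and lacks the Vulnerability key.
SAMPLE_DSA = """\
Debian Security Advisory DSA-2874                   security@debian.org
http://www.debian.org/security/                     Moritz Muehlenhoff
Mar 12, 2014                           http://www.debian.org/security/faq

Package        : mutt
CVE ID         : CVE-2014-0467
Debian Bug     : 708731
"""

MONTHS = list(calendar.month_name)[1:]            # "January" .. "December"
REQUIRED_KEYS = ("Package", "Vulnerability", "CVE ID")  # keys the import needs


def parse_dsa(text):
    """Return (fields, warnings) for the header block of one DSA mail."""
    fields, warnings = {}, []
    m = re.search(r"Debian Security Advisory DSA-(\d+)(?:-(\d+))?", text)
    if not m:
        raise ValueError("no 'Debian Security Advisory DSA-NNNN' line found")
    fields["dsa"] = int(m.group(1))
    if m.group(2) is None:                # "-1" omitted: default to revision 1
        warnings.append("revision omitted, assuming -1")
        fields["revision"] = 1
    else:
        fields["revision"] = int(m.group(2))
    d = re.search(r"^([A-Za-z]+) (\d{1,2}), (\d{4})", text, re.M)
    if d:
        mon = d.group(1)
        if mon not in MONTHS:             # "Aug" / "Mar": expand to full name
            full = next((f for f in MONTHS if f.startswith(mon)), None)
            warnings.append(f"abbreviated month {mon!r}, expected {full!r}")
            mon = full or mon
        fields["date"] = f"{mon} {int(d.group(2))}, {d.group(3)}"
    # "Key   : value" lines; the whitespace before ':' keeps URLs from matching
    for key, value in re.findall(r"^([A-Z][A-Za-z ]*?)\s+:\s*(.*)$", text, re.M):
        fields[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if key not in fields:
            warnings.append(f"missing '{key}' key, cannot generate the wml DSA")
    return fields, warnings


if __name__ == "__main__":
    parsed, problems = parse_dsa(SAMPLE_DSA)
    print(parsed)
    print("\n".join(problems))
```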
Re: http://www.debian.org/security/ does not show dsa-1753-2
Hello Thiemo (and security team),

On Wed, Jul 15, 2009 at 02:55:19PM +0200, Thiemo Nagel wrote:
> I just noticed that dsa-1753-2 (icedove end-of-life) is not displayed on http://www.debian.org/security/, although it is merely 3 days old (from July 12)...

You're right, thanks for your notice.

@security: DSA-N with N > 1 usually contains the previous DSA. In the case of DSA-1753-2, the content is not merged at all.
Since I guess it's too late to give DSA-1753-2 its own DSA--1, here is a proposal for the website:

<p>As indicated in the Etch release notes, security support for the Iceweasel **and Icedove** versions in the oldstable distribution (Etch) needed to be stopped before the end of the regular security maintenance life cycle.</p>

<p>You are strongly encouraged to upgrade to stable or switch from Iceweasel to a still supported browser **and from Icedove to a still supported email client.**</p>

<p>On a side note, please note that the Debian stable/Lenny version of Iceweasel - the unbranded version of the Firefox browser - links dynamically against the Xulrunner library. As such, most of the vulnerabilities found in Firefox need only be fixed in the Xulrunner package and don't require updates to the Iceweasel package any longer.</p>
^^ Does this remark apply to Icedove?

> It looks like none of the dsa-updates are shown (also not eg. DSA-1829-2). I'd consider this a bad policy, since dsa-updates may contain important additional information, like in the case of icedove end-of-life...

Again, you noticed it right. There is today no automated way to update already released DSAs; the backlog increases unless someone takes care of it manually.

@security: it raises again the subject of releasing DSAs on the web. Could we agree on a source format for DSAs? Either plain text or XML, but something that guarantees the website is always up to date automatically.

Issues today: which format for DSA updates, CVE references in headers, CVE/vulnerabilities items.

Example: Gentoo people use http://www.gentoo.org/dtd/glsa.dtd / http://dev.gentoo.org/~rbu/glsa-2/glsa-2.dtd

-- 
Simon Paillard
mipsel and s390 missing for dsa-1362-2
Hello,

I noticed some updated DSAs have not seen their .data updated on the website (1362 for lighttpd for example).

By launching parse-advisory.pl again on the DSA-1362-2 sent, it also seems that architecture package updates available in 1362-1 are missing in 1362-2.

Updated mipsel and s390 packages are missing:

  lftp security.debian.org:/pool/updates/main/l/lighttpd> ls | grep etch3

I've not checked any other updated DSA for the moment.

Regards,
-- 
Simon Paillard