[SECURITY] [DSA 5723-1] plasma-workspace security update
Debian Security Advisory DSA-5723-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 27, 2024
https://www.debian.org/security/faq

Package: plasma-workspace
CVE ID: CVE-2024-36041

Fabian Vogt discovered that the KDE session management server insufficiently restricted ICE connections from localhost, which could allow a local attacker to execute arbitrary code as another user on next boot.

For the oldstable distribution (bullseye), this problem has been fixed in version 4:5.20.5-6+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 4:5.27.5-2+deb12u2.

We recommend that you upgrade your plasma-workspace packages.

For the detailed security status of plasma-workspace please refer to its security tracker page at: https://security-tracker.debian.org/tracker/plasma-workspace

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5722-1] libvpx security update
Debian Security Advisory DSA-5722-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 26, 2024
https://www.debian.org/security/faq

Package: libvpx
CVE ID: CVE-2024-5197

It was discovered that multiple integer overflows in libvpx, a multimedia library for the VP8 and VP9 video codecs, may result in denial of service and potentially the execution of arbitrary code.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.9.0-1+deb11u3.

For the stable distribution (bookworm), this problem has been fixed in version 1.12.0-1+deb12u3.

We recommend that you upgrade your libvpx packages.

For the detailed security status of libvpx please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libvpx

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5721-1] ffmpeg security update
Debian Security Advisory DSA-5721-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 26, 2024
https://www.debian.org/security/faq

Package: ffmpeg
CVE ID: CVE-2022-48434 CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51798

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (bullseye), these problems have been fixed in version 7:4.3.7-0+deb11u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-6257: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5720-1] chromium security update
Debian Security Advisory DSA-5720-1
secur...@debian.org
https://www.debian.org/security/
Andres Salomon
June 25, 2024
https://www.debian.org/security/faq

Package: chromium
CVE ID: CVE-2024-6290 CVE-2024-6291 CVE-2024-6292 CVE-2024-6293

Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 126.0.6478.126-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5719-1] emacs security update
Debian Security Advisory DSA-5719-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
June 25, 2024
https://www.debian.org/security/faq

Package: emacs
CVE ID: CVE-2024-39331
Debian Bug: 1074137

It was discovered that Emacs is prone to arbitrary shell code evaluation when opening a specially crafted Org file.

This update includes updates pending for the upcoming point releases including other security fixes.

For the oldstable distribution (bullseye), this problem has been fixed in version 1:27.1+1-3.1+deb11u5.

For the stable distribution (bookworm), this problem has been fixed in version 1:28.2+1-15+deb12u3.

We recommend that you upgrade your emacs packages.

For the detailed security status of emacs please refer to its security tracker page at: https://security-tracker.debian.org/tracker/emacs

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5718-1] org-mode security update
Debian Security Advisory DSA-5718-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
June 25, 2024
https://www.debian.org/security/faq

Package: org-mode
CVE ID: CVE-2024-39331
Debian Bug: 1074136

It was discovered that Org Mode for Emacs is prone to arbitrary shell code evaluation when opening a specially crafted Org file.

This update includes updates pending for the upcoming point releases including other security fixes.

For the oldstable distribution (bullseye), this problem has been fixed in version 9.4.0+dfsg-1+deb11u3.

We recommend that you upgrade your org-mode packages.

For the detailed security status of org-mode please refer to its security tracker page at: https://security-tracker.debian.org/tracker/org-mode

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-6104: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5715-2] composer regression update
Debian Security Advisory DSA-5715-2
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 24, 2024
https://www.debian.org/security/faq

Package: composer

The update for composer released as DSA 5715 introduced a regression in the handling of git feature branches. Updated composer packages are now available to address this issue.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.9-2+deb11u4.

The stable distribution (bookworm) is not affected.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to its security tracker page at: https://security-tracker.debian.org/tracker/composer

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Re: Request to join team
Hi,

On Mon, 24 Jun 2024, Colin Watson wrote:
> I'd like to join pkg-security-team on Salsa in order to add some
> YubiHSM-related packages there (initially yubihsm-connector); Yubico do
> publish Debian packages of these, but they could do with some
> integration polish and it would be useful to have access to them without
> having to add a separate repository. My plan had been to do this in
> auth-team, but in https://bugs.debian.org/1074007 Simon suggested that I
> use pkg-security-team instead and that seems to make some sense.

You have been added to the team. Welcome!

Cheers,
-- 
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄ Debian Long Term Support: https://deb.li/LTS
Request to join team
Hi,

I'd like to join pkg-security-team on Salsa in order to add some YubiHSM-related packages there (initially yubihsm-connector); Yubico do publish Debian packages of these, but they could do with some integration polish and it would be useful to have access to them without having to add a separate repository. My plan had been to do this in auth-team, but in https://bugs.debian.org/1074007 Simon suggested that I use pkg-security-team instead and that seems to make some sense.

I've been a DD since 2001. At the moment I'm spending most of my time working with Freexian, who are funding my YubiHSM-related work.

Thanks,
-- 
Colin Watson (he/him) [cjwat...@debian.org]
RE: Mini-DebConf in Cambridge, UK - October 10-13 2024
I will not be attending DebCamp/DebConf at all this year (last week of July/first week of August), as I am tired of the drama in the Debian community right now, and sledge was being an asshole and banned me from OFTC for a month like the transphobic pig he is. However, I will be attending as an online visitor at GUADEC 2024 in mid-July and resume my engagement in GNOME after this. I will also participate online at Fedora's conference in the second week of August (but have no energy to fly to them on site this year in the USA). I will, however, help at the openSUSE conference in Germany in 1 week and go to the guy in England in August, but from 3-30th July I will be at home in Sweden and chill.
External check
CVE-2024-32608: missing from list

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2006-3082: missing from list
CVE-2006-3083: missing from list
CVE-2006-3093: missing from list
CVE-2006-3113: missing from list
CVE-2006-3117: missing from list
CVE-2006-3145: missing from list
CVE-2006-3174: missing from list
CVE-2006-3242: missing from list
CVE-2006-3311: missing from list
CVE-2006-3334: missing from list
CVE-2006-3376: missing from list
CVE-2006-3378: missing from list
CVE-2006-3403: missing from list
CVE-2006-3404: missing from list
CVE-2006-3459: missing from list
CVE-2006-3460: missing from list
CVE-2006-3461: missing from list
CVE-2006-3462: missing from list
CVE-2006-3463: missing from list
CVE-2006-3464: missing from list
CVE-2006-3465: missing from list
CVE-2006-3467: missing from list
CVE-2006-3468: missing from list
CVE-2006-3469: missing from list
CVE-2022-2989: missing from list
CVE-2022-2990: missing from list
CVE-2024-32608: missing from list
CVE-2024-6239: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-32608: missing from list
CVE-2024-6162: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5717-1] php8.2 security update
Debian Security Advisory DSA-5717-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 20, 2024
https://www.debian.org/security/faq

Package: php8.2
CVE ID: CVE-2024-5458

It was discovered that user validation was incorrectly implemented for filter_var(FILTER_VALIDATE_URL).

For the stable distribution (bookworm), this problem has been fixed in version 8.2.20-1~deb12u1.

We recommend that you upgrade your php8.2 packages.

For the detailed security status of php8.2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/php8.2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2022-23829: TODO: check
CVE-2024-35326: TODO: check
CVE-2024-35328: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: CVE applicability
Arul Anand MM wrote:
> Advisory page on September 14
> https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390
> states the issue is fixed in 5.10.191-1

No, it doesn't. It states the issue was fixed - for bullseye, i.e. oldstable - in 5.10.179-3 (lower table). It also states that 5.10.191-1 was the current version in "bullseye (security)", so that suite was not vulnerable.

> but the current version of advisory
> states "5.10.209-2" as the fixed version.

No, it doesn't. :-) It still states the issue was fixed in 5.10.179-3 (lower table). The current version in "bullseye (security)" is now 5.10.218-1, and in "bullseye" it's 5.10.209-2, so neither suite is vulnerable.

The fixed version doesn't change. The current version in suites that still get updates does, of course.

-thh
[SECURITY] [DSA 5716-1] chromium security update
Debian Security Advisory DSA-5716-1
secur...@debian.org
https://www.debian.org/security/
Andres Salomon
June 19, 2024
https://www.debian.org/security/faq

Package: chromium
CVE ID: CVE-2024-6100 CVE-2024-6101 CVE-2024-6102 CVE-2024-6103

Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 126.0.6478.114-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-23443: missing from list
CVE-2024-35325: TODO: check
CVE-2024-35326: TODO: check
CVE-2024-35328: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: CVE applicability
Hi,

On Wed, Jun 19, 2024 at 12:04:45AM +0530, Arul Anand MM wrote:
> Hello Debian Security Team,
>
> This is regarding Debian advisory
> https://security-tracker.debian.org/tracker/CVE-2023-3390.
>
> I would like to confirm whether version 5.10.191-1 is impacted by the UAF
> and LPE.
>
> Advisory page on September 14
> https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390
> states the issue is fixed in 5.10.191-1 but the current version of advisory
> states "5.10.209-2" as the fixed version. Is there any information on the
> impacted version changes for CVE-2023-3390?

All the version information required is actually on https://security-tracker.debian.org/tracker/CVE-2023-3390. In the lower table you see where the fix landed; in the table above you see the currently available versions in the suites, with their status.

But maybe I'm misunderstanding the question?

Regards,
Salvatore
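Both replies in this thread (thh's and Salvatore's) make the same point: the tracker's lower table gives the version in which the fix landed, and a host is unaffected when its installed version sorts at or above that version under Debian's package version ordering, regardless of how the "current version" column moves later. The following added example, which is not from the thread or from the Debian tracker tooling, implements that ordering in Python following the rules of Debian Policy section 5.6.12 (epoch, upstream version, Debian revision; `~` sorts before everything, letters before other characters, digit runs numerically) and applies it to the versions quoted in the thread; the names `compare_versions`, `assess` and `FIXED_CVE_2023_3390` are mine, and the dictionary holds only the bullseye fixed version quoted in thh's reply.

```python
"""Debian package version ordering, used to decide whether an installed
version is at or above the "fixed" version listed in the security tracker.

Added example following Debian Policy 5.6.12; not dpkg's own code.
"""
from typing import Dict, Tuple


def _order(c: str) -> int:
    """Sort weight of one character: '~' sorts before everything (even the
    end of a string), letters before all other non-digit characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two upstream or revision strings as alternating runs of
    non-digits (compared via _order) and digits (compared numerically)."""
    ia = ib = 0
    la, lb = len(a), len(b)
    while ia < la or ib < lb:
        # Non-digit run: end of string counts as weight 0, so '~' (-1)
        # sorts before it and any other character sorts after it.
        while (ia < la and not a[ia].isdigit()) or (ib < lb and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < la else 0
            bc = _order(b[ib]) if ib < lb else 0
            if ac != bc:
                return -1 if ac < bc else 1
            ia += 1
            ib += 1
        # Digit run: strip leading zeros, then the longer run is larger and
        # equal-length runs are decided by the first differing digit.
        while ia < la and a[ia] == "0":
            ia += 1
        while ib < lb and b[ib] == "0":
            ib += 1
        first_diff = 0
        while ia < la and ib < lb and a[ia].isdigit() and b[ib].isdigit():
            if first_diff == 0:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < la and a[ia].isdigit():
            return 1
        if ib < lb and b[ib].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; a missing epoch is 0 and a
    missing revision compares as "0", as Policy requires."""
    epoch = 0
    rest = version.strip()
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        if not epoch_str.isdigit():
            raise ValueError(f"bad epoch in {version!r}")
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts lower than, equal to, or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Fixed version per suite for CVE-2023-3390 as quoted in the thread; only the
# bullseye value appears there, so no other suite is listed (constructed).
FIXED_CVE_2023_3390: Dict[str, str] = {"bullseye": "5.10.179-3"}


def assess(installed: str, suite: str, fixed_by_suite: Dict[str, str]) -> str:
    """'fixed' if the installed version is at or above the fix for its
    suite, 'vulnerable' if below, 'unknown' if the suite has no entry."""
    fixed = fixed_by_suite.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # The three bullseye versions named in the thread plus one older one.
    for v in ("5.10.191-1", "5.10.209-2", "5.10.218-1", "5.10.178-1"):
        print(v, assess(v, "bullseye", FIXED_CVE_2023_3390))
```

The `~` rule matters for the `-1~deb12u1` style revisions used throughout these advisories: such a version sorts below the plain `-1` revision of the same upstream, so a fixed-version check must use this ordering rather than plain string comparison.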
[SECURITY] [DSA 5715-1] composer security update
Debian Security Advisory DSA-5715-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 18, 2024
https://www.debian.org/security/faq

Package: composer
CVE ID: CVE-2024-35241 CVE-2024-35242

Two vulnerabilities have been discovered in Composer, a dependency manager for PHP, which could result in arbitrary command execution by operating on malicious git/hg repositories.

For the oldstable distribution (bullseye), these problems have been fixed in version 2.0.9-2+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 2.5.5-1+deb12u2.

We recommend that you upgrade your composer packages.

For the detailed security status of composer please refer to its security tracker page at: https://security-tracker.debian.org/tracker/composer

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
CVE applicability
Hello Debian Security Team,

This is regarding Debian advisory https://security-tracker.debian.org/tracker/CVE-2023-3390.

I would like to confirm whether version 5.10.191-1 is impacted by the UAF and LPE.

Advisory page on September 14 https://web.archive.org/web/20230924174231/https://security-tracker.debian.org/tracker/CVE-2023-3390 states the issue is fixed in 5.10.191-1 but the current version of advisory states "5.10.209-2" as the fixed version. Is there any information on the impacted version changes for CVE-2023-3390?

Thanks.
[SECURITY] [DSA 5714-1] roundcube security update
Debian Security Advisory DSA-5714-1
secur...@debian.org
https://www.debian.org/security/
Sebastien Delafond
June 18, 2024
https://www.debian.org/security/faq

Package: roundcube
CVE ID: CVE-2024-37383 CVE-2024-37384
Debian Bug: 1071474

Huy Nguyễn Phạm Nhật, and Valentin T. and Lutz Wolf of CrowdStrike, discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.

For the oldstable distribution (bullseye), these problems have been fixed in version 1.4.15+dfsg.1-1+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in version 1.6.5+dfsg-1+deb12u2.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at: https://security-tracker.debian.org/tracker/roundcube

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5713-1] libndp security update
Debian Security Advisory DSA-5713-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 16, 2024
https://www.debian.org/security/faq

Package: libndp
CVE ID: CVE-2024-5564

A buffer overflow was discovered in libndp, a library implementing the IPv6 Neighbor Discovery Protocol (NDP), which could result in denial of service or potentially the execution of arbitrary code if malformed IPv6 router advertisements are processed.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.6-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in version 1.8-1+deb12u1.

We recommend that you upgrade your libndp packages.

For the detailed security status of libndp please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libndp

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5712-1] ffmpeg security update
Debian Security Advisory DSA-5712-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
June 15, 2024
https://www.debian.org/security/faq

Package: ffmpeg
CVE ID: CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585

Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (bookworm), these problems have been fixed in version 7:5.1.5-0+deb12u1.

We recommend that you upgrade your ffmpeg packages.

For the detailed security status of ffmpeg please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ffmpeg

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5711-1] thunderbird security update
Debian Security Advisory DSA-5711-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 15, 2024              https://www.debian.org/security/faq

Package        : thunderbird
CVE ID         : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693
                 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702

Multiple security issues were discovered in Thunderbird, which could result
in the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed in
version 1:115.12.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 1:115.12.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5710-1] chromium security update
Debian Security Advisory DSA-5710-1        secur...@debian.org
https://www.debian.org/security/                Andres Salomon
June 14, 2024              https://www.debian.org/security/faq

Package        : chromium
CVE ID         : CVE-2024-5830 CVE-2024-5831 CVE-2024-5832 CVE-2024-5833
                 CVE-2024-5834 CVE-2024-5835 CVE-2024-5836 CVE-2024-5837
                 CVE-2024-5838 CVE-2024-5839 CVE-2024-5840 CVE-2024-5841
                 CVE-2024-5842 CVE-2024-5843 CVE-2024-5844 CVE-2024-5845
                 CVE-2024-5846 CVE-2024-5847

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 126.0.6478.56-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
Re: Upcoming oldstable point release (11.10)
On Wed, Jun 12, 2024 at 09:11:32PM +0100, Jonathan Wiltshire wrote:
> The next point release for "bullseye" (11.10) is scheduled for Saturday,
> February 10th. Processing of new uploads into bullseye-proposed-updates
> will be frozen during the preceding weekend.

The correct date for 11.10 is Saturday, 29th June 2024. Apologies for any
confusion.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Upcoming oldstable point release (11.10)
Hi,

The next point release for "bullseye" (11.10) is scheduled for Saturday,
February 10th. Processing of new uploads into bullseye-proposed-updates
will be frozen during the preceding weekend.

This will be the penultimate release for this suite. The final point release
is anticipated in approximately two months' time, after which "bullseye" will
be adopted by the LTS team.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Upcoming stable point release (12.6)
Hi,

The next point release for "bookworm" (the delayed 12.6 release) is scheduled
for Saturday, 29th June 2024. Processing of new uploads into
bookworm-proposed-updates will be frozen during the preceding weekend.

--
Jonathan Wiltshire                                      j...@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
[SECURITY] [DSA 5709-1] firefox-esr security update
Debian Security Advisory DSA-5709-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 12, 2024              https://www.debian.org/security/faq

Package        : firefox-esr
CVE ID         : CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693
                 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702

Multiple security issues have been found in the Mozilla Firefox web browser,
which could potentially result in the execution of arbitrary code, the bypass
of sandbox restrictions or an information leak.

For the oldstable distribution (bullseye), these problems have been fixed in
version 115.12.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 115.12.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2023-4727: TODO: check
CVE-2024-2408: TODO: check
CVE-2024-25131: missing from list
CVE-2024-35329: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that
id in the tracker at the moment the script was run.
Re: Bug#1067431: brutespray: Update the package to version > 2
Hi (cc pkg-security-tools),

a new release of brutespray just went live, 2.2.3. Version 2 is a rewrite in
Go so we have to manage Go dependencies. I made a list of the dependencies
that need to be packaged so brutespray v2 can be uploaded - see below.

This is kind of a call for help for those interested in brutespray :-) In
Debian!

--
github.com/emersion/go-imap v1.2.1
  `--> golang-github-emersion-go-imap-dev 1.2.1-1
github.com/hirochachacha/go-smb2 v1.1.0
  `--> golang-github-hirochachacha-go-smb2-dev 1.1.0-2
github.com/jlaffaye/ftp v0.2.0
  `--> golang-github-jlaffaye-ftp-dev 0.2.0-1
github.com/lib/pq v1.10.9
  `--> golang-github-lib-pq-dev 1.10.9-2
github.com/mitchellh/go-vnc v0.0.0-20150629162542-723ed9867aed
  `--> golang-github-mitchellh-go-vnc-dev 0.0~git20150629.723ed98-2

Might require newer version
---
github.com/go-sql-driver/mysql v1.8.1
  `--> golang-github-go-sql-driver-mysql-dev 1.7.1-2
github.com/gosnmp/gosnmp v1.37.0
  `--> golang-github-soniah-gosnmp-dev 1.35.0-1
go.mongodb.org/mongo-driver v1.15.0
  `--> golang-mongodb-mongo-driver-dev 1.12.1+ds1-2
golang.org/x/crypto v0.24.0
  `--> golang-golang-x-crypto-dev 1:0.23.0-1

New packages
github.com/knadh/go-pop3 v1.0.0
github.com/multiplay/go-ts3 v1.2.0
github.com/pterm/pterm v0.12.79
github.com/sijms/go-ora/v2 v2.8.19
github.com/tomatome/grdp v0.1.0
github.com/wenerme/astgo v0.0.0-20230926205800-1b5bc38663fa
gosrc.io/xmpp v0.5.1

Cheers,
Charles
Bug#1073012: Automatically rewrite incoming entries from some CNAs as NFUs
Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific
vendor. We should leverage this for pre-processing incoming data and to
reduce toil.

We can do this by extending the "automatic update" job to automatically
annotate CVEs assigned by a given CNA as NFU entries. As an example, all CVEs
coming from the "Wordfence" CNA should be automatically added as
"NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and
review would still happen on the committed entries).

Same for many commercial software vendors, e.g. for a company like SAP which
has no ties to FLOSS, everything coming from their CNA should automatically
be added as "NOT-FOR-US: SAP" without human interaction.

We should only extend this on a case-by-case basis. E.g. Oracle has a lot of
proprietary software, but they also maintain mysql, Java and virtualbox, so
they still need manual review.

Cheers,
Moritz
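One way the CNA-based pre-triage described in this bug could look, as an added example that is not code from the Debian security tracker: it assumes incoming records shaped like CVE JSON 5.x (cveMetadata.assignerShortName and containers.cna.descriptions), keeps an explicit per-CNA allowlist that leaves Oracle out for manual review, and writes entries in the layout of the tracker's data/CVE/list file; the sample feed and its ids are constructed placeholders.

```python
"""Rule-based pre-triage of incoming CVE records by assigning CNA.

Added example; this is not code from the Debian security tracker. It assumes
records shaped like CVE JSON 5.x (cveMetadata.assignerShortName plus a
containers.cna.descriptions list) and writes entries in the layout of the
tracker's data/CVE/list file. The sample feed at the bottom is constructed
and its ids are placeholders, not real CVEs.
"""
from __future__ import annotations

# Allowlist of CNAs whose entire scope lies outside Debian, extended only
# case by case. Oracle is deliberately absent: the same CNA also covers
# mysql, Java and virtualbox, so its entries still need manual review.
AUTO_NFU: dict[str, str] = {
    "Wordfence": "WordPress plugin",
    "SAP": "SAP",
}


def auto_tag(assigner: str) -> str | None:
    """Return the NOT-FOR-US text for an allowlisted CNA, else None."""
    for cna, tag in AUTO_NFU.items():
        if cna.lower() == assigner.strip().lower():
            return tag
    return None


def _first_description(record: dict) -> str:
    """First English description, with newlines and runs of spaces collapsed."""
    cna = record.get("containers", {}).get("cna", {})
    for item in cna.get("descriptions", []):
        if item.get("lang", "en").startswith("en") and item.get("value"):
            return " ".join(item["value"].split())
    return ""


def triage_record(record: dict) -> str:
    """Build one tracker entry: an NFU line when the assigning CNA is
    allowlisted, otherwise a TODO: check line for a human reviewer."""
    meta = record.get("cveMetadata", {})
    cve_id = meta.get("cveId", "")
    if not cve_id.startswith("CVE-"):
        raise ValueError(f"record without a CVE id: {meta!r}")
    desc = _first_description(record)
    header = f"{cve_id} ({desc})" if desc else cve_id
    tag = auto_tag(meta.get("assignerShortName", ""))
    if tag is None:
        return f"{header}\n\tTODO: check"
    return f"{header}\n\tNOT-FOR-US: {tag}"


def triage_feed(records: list[dict]) -> tuple[list[str], list[str]]:
    """Split a feed into auto-annotated entries and entries left for manual
    triage; both lists are still committed and reviewed afterwards."""
    auto: list[str] = []
    manual: list[str] = []
    for record in records:
        assigner = record.get("cveMetadata", {}).get("assignerShortName", "")
        (auto if auto_tag(assigner) else manual).append(triage_record(record))
    return auto, manual


def _sample(cve_id: str, assigner: str, text: str) -> dict:
    return {
        "cveMetadata": {"cveId": cve_id, "assignerShortName": assigner},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": text}]}},
    }


# Constructed sample feed with placeholder ids (not real CVEs).
SAMPLE_FEED = [
    _sample("CVE-0000-0001", "Wordfence", "Stored XSS in\n an example WordPress plugin"),
    _sample("CVE-0000-0002", "sap", "Missing authorization in an example SAP product"),
    _sample("CVE-0000-0003", "oracle", "Example issue in MySQL Server"),
]

if __name__ == "__main__":
    auto, manual = triage_feed(SAMPLE_FEED)
    print("\n".join(auto + manual))
```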
[SECURITY] [DSA 5708-1] cyrus-imapd security update
Debian Security Advisory DSA-5708-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 11, 2024              https://www.debian.org/security/faq

Package        : cyrus-imapd
CVE ID         : CVE-2024-34055

Damian Poddebniak discovered that the Cyrus IMAP server didn't restrict
memory allocation for some command arguments, which may result in denial of
service.

This update backports new config directives which allow limits to be
configured; additional details can be found at:
https://www.cyrusimap.org/3.6/imap/download/release-notes/3.6/x/3.6.5.html

These changes are too intrusive to be backported to the version of Cyrus in
the oldstable distribution (bullseye). If the IMAP server is used by
untrusted users, an update to Debian stable/bookworm is recommended. In
addition, the version of cyrus-imapd in bullseye-backports will be updated
with a patch soon.

For the stable distribution (bookworm), this problem has been fixed in
version 3.6.1-4+deb12u2.

We recommend that you upgrade your cyrus-imapd packages.

For the detailed security status of cyrus-imapd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/cyrus-imapd

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5707-1] vlc security update
Debian Security Advisory DSA-5707-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 11, 2024              https://www.debian.org/security/faq

Package        : vlc
CVE ID         : not yet available

A buffer overflow was discovered in the MMS module of the VLC media player.

For the oldstable distribution (bullseye), this problem has been fixed in
version 3.0.21-0+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 3.0.21-0+deb12u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to its security tracker
page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-2408: TODO: check
CVE-2024-2698: missing from list
CVE-2024-3183: missing from list
CVE-2024-5203: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that
id in the tracker at the moment the script was run.
Re: [hel...@subdivi.de: MBF: Move remaining files into /usr]
Hi, Samuel,

On Mon, Jun 10, 2024 at 10:09:06PM GMT, Samuel Henrique wrote:
> Thank you for the list Carlos, I think you accidentally sent all of Helmut's
> email as well (top posting).

I was a bit lazy and just forwarded Helmut's email here*. If I shouldn't have
done that, just let me know and next time I will get the link from the list's
archive.

* Forwarded the email to give more context to people reading it.

Cheers,
Charles
Re: [hel...@subdivi.de: MBF: Move remaining files into /usr]
Hello all,

On Mon, 10 Jun 2024 at 20:40, Håvard F. Aasen wrote:
>
> On 10.06.2024 20:02, Carlos Henrique Lima Melara wrote:
> > Our affected packages are:
> >
> > Debian Security Tools
> >   bettercap         dh-sequence-movetousr
> >   gsad              dh-sequence-movetousr
> >   gvmd              dh-sequence-movetousr
> >   notus-scanner     dh-sequence-movetousr
> >   openscap-daemon   dep17#1071918
> >   ospd-openvas      dh-sequence-movetousr
> >   snoopy            dep17#1059371
>
> openscap-daemon has been removed from testing for over four years now,
> the repository has also been archived by upstream [1]. Should we ask
> ftp-master to remove the package?

We should, yes.

Thank you for the list Carlos, I think you accidentally sent all of Helmut's
email as well (top posting).

Regards,

--
Samuel Henrique
Re: [hel...@subdivi.de: MBF: Move remaining files into /usr]
On 10.06.2024 20:02, Carlos Henrique Lima Melara wrote:
> Hi,
>
> Saw this email in debian-devel today and we have a few packages listed
> in there. I think we can fix these issues before the bugs come in or
> become important. I'll try to work on it next weekend but we can
> coordinate through the list if anyone intends to also work on it.
>
> Our affected packages are:
>
> Debian Security Tools
>   bettercap         dh-sequence-movetousr
>   gsad              dh-sequence-movetousr
>   gvmd              dh-sequence-movetousr
>   notus-scanner     dh-sequence-movetousr
>   openscap-daemon   dep17#1071918
>   ospd-openvas      dh-sequence-movetousr
>   snoopy            dep17#1059371

openscap-daemon has been removed from testing for over four years now, the
repository has also been archived by upstream [1]. Should we ask ftp-master
to remove the package?

Håvard

[1] https://github.com/OpenSCAP/openscap-daemon
[hel...@subdivi.de: MBF: Move remaining files into /usr]
Hi,

Saw this email in debian-devel today and we have a few packages listed in
there. I think we can fix these issues before the bugs come in or become
important. I'll try to work on it next weekend but we can coordinate through
the list if anyone intends to also work on it.

Our affected packages are:

Debian Security Tools
  bettercap         dh-sequence-movetousr
  gsad              dh-sequence-movetousr
  gvmd              dh-sequence-movetousr
  notus-scanner     dh-sequence-movetousr
  openscap-daemon   dep17#1071918
  ospd-openvas      dh-sequence-movetousr
  snoopy            dep17#1059371

Cheers,
Charles

- Forwarded message from Helmut Grohne -

Date: Mon, 10 Jun 2024 12:29:31 +0200
From: Helmut Grohne
To: debian-de...@lists.debian.org
Cc: Chris Hofstaedtler
Subject: MBF: Move remaining files into /usr

As many were so happy with the upload of the debootstrap set, we want to
direct your attention to the long tail of the /usr-move transition that we
want to see fixed in trixie: moving aliased files in all remaining packages
to /usr. More precisely, the transition should be fully completed in trixie
before we enter the transition freeze, likely in January 2025. Dragging it,
including the restrictions on package splits and moving files, into forky
would cause a lot of extra effort.

At this time, packages needing work mostly fall into three minimally
overlapping classes. Two of them already have bugs filed. This MBF is about
filing bugs for the biggest one.

 * "dh-sequence-movetousr": adding dh-sequence-movetousr to Build-Depends
   moves all files. We want to file bugs for these now. 191 packages.
 * "ftbfs#NNN": package currently FTBFS. Automatic analysis was not
   possible. Most of the packages have been failing to build for quite a
   while. We'll also look into removing these packages from unstable.
   28 packages.
 * "dep17#NNN": package already has a bug report on how to move. Often with
   a patch. 78 packages.

We intend to use the following bug template:

==
Source: $SOURCEPKG
Version: $SOURCEVERSION
Severity: important
Tags: patch trixie sid
User: helm...@debian.org
Usertags: dep17m2 dep17dhmovetousr

This package is part of the /usr-move (DEP17) transition, because it
contains files in aliased locations and should have those files moved to
the corresponding /usr location. The goal of this move is eliminating bugs
arising from aliasing, such as file loss during package upgrades.

The following files in the following binary packages are affected.

...

You may add dh-sequence-movetousr to Build-Depends to perform the move.
This is an easy and readily applicable measure that has been verified for
this package using a test build. The main advantage of this method is the
low effort and it just works when backporting to bookworm. However, it is
more of a stop-gap measure as eventually the installation procedure should
refer to the files that are actually used for installation. This often
means updating debian/*.install files but also changing flags passed to a
configure script or similar measures. In case you do not anticipate your
package being uploaded to bookworm-backports, please prefer a manual move,
but generally prefer moving over delaying any further.

After having done this move, please keep in mind that the relevant changes
need to be reverted for bookworm-backports, with these exceptions:

 * dh-sequence-movetousr and dh_movetousr cancel themselves.
 * dh_installsystemd and dh_installudev revert to the aliased location.
 * The pkg-config variables systemdsystemunitdir in systemd.pc and udevdir
   in udev.pc revert to aliased.

Please keep in mind that restructuring changes may introduce problems after
moving. A change is considered restructuring if formerly aliased files
formerly owned by one package are later to be owned by a package with a
different name. Such uploads should be done to experimental and quarantined
for three days before moving to unstable. This way, automatic analysis
(https://salsa.debian.org/helmutg/dumat) can detect problems and file bugs.
Such bugs shall include support for resolving the problems.

The severity of this bug shall be raised to RC on August 6th.

For additional information refer to https://wiki.debian.org/UsrMerge and
https://subdivi.de/~helmut/dep17.html.
==

Additionally, we intend to upgrade all existing dep17* usertagged bugs to
important severity at the time of the MBF. We intend to upgrade these bugs
to RC severity on August 6th, too.

Please find the dd-list attached. An irregularly updated version can be
found at: https://subdivi.de/~helmut/usrmove.ddlist

You may opt for not receiving a bug report by performing the requested
change before the bugs are filed.

Does anyone object to this MBF or wants an aspect about it changed?

Kind regards

Chris and Helmut

Please fix your packages for the /usr-move aka DEP17.

Legend:
 * "upload" means that a source-ful upload fixes all relevant /usr-move
   issues (in Arch:all packages)
 *
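The "files in aliased locations" check that the bug template refers to, as an added example that is not part of the MBF, of dumat or of dh-sequence-movetousr: it takes a package's file list in the form `dpkg-deb -c` prints it, reports every entry under an aliased top-level directory together with its /usr target, and takes care not to match look-alike components such as /libexec; the listing at the bottom is constructed.

```python
"""Report files shipped in aliased locations and their /usr targets (DEP17).

Added example; not part of the MBF, of dumat or of dh-sequence-movetousr.
Input is a list of paths in the form `dpkg-deb -c` prints them ("./lib/...");
the listing at the bottom is constructed, not taken from any real package.
"""
import posixpath

# Top-level directories that are symlinks into /usr on a merged-/usr system.
ALIASED_DIRS = ("/bin", "/sbin", "/lib", "/lib32", "/lib64", "/libx32")


def normalise(path: str) -> str:
    """Turn a dpkg-deb style entry ("./lib/x", "lib/x", "/lib/x/") into an
    absolute, normalised path."""
    if path.startswith("./"):
        path = path[2:]
    # Exactly one leading slash: posixpath keeps "//" as a distinct root.
    return posixpath.normpath("/" + path.lstrip("/"))


def canonical_path(path: str) -> str:
    """Map an aliased path to its /usr location; everything else is returned
    unchanged. Only whole components match, so /binary and /libexec are not
    treated as aliased."""
    norm = normalise(path)
    for alias in ALIASED_DIRS:
        if norm == alias or norm.startswith(alias + "/"):
            return "/usr" + norm
    return norm


def aliased_files(listing) -> list[tuple[str, str]]:
    """(current, target) pairs for every file entry that must move. Directory
    entries (trailing slash) are skipped; they are implied by their files."""
    moves = []
    for entry in listing:
        if entry.endswith("/"):
            continue
        norm = normalise(entry)
        target = canonical_path(entry)
        if target != norm:
            moves.append((norm, target))
    return moves


def needs_movetousr(listing) -> bool:
    """True when the package ships at least one file in an aliased location,
    i.e. when it would end up on the MBF's list."""
    return bool(aliased_files(listing))


# Constructed listing in dpkg-deb -c form; not the contents of a real package.
SAMPLE_LISTING = [
    "./",
    "./lib/",
    "./lib/systemd/system/example.service",  # aliased: moves to /usr/lib/...
    "./sbin/exampled",                       # aliased: moves to /usr/sbin/...
    "./usr/bin/example",                     # already under /usr
    "./etc/example.conf",                    # /etc is not aliased
    "./libexec/example/helper",              # /libexec is not /lib
]

if __name__ == "__main__":
    for current, target in aliased_files(SAMPLE_LISTING):
        print(f"{current} -> {target}")
```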
Re: New DD applications from the team: wiene and sge
Hi Samuel,

On 2024-06-08 14:30:40, Samuel Henrique wrote:
> > I am excited to let you know that Peter and me completed our exams
> > successfully and have been granted DD access this morning.
>
> Awesome! Congratulations to you both!

thank you very much!

> > My appreciation goes to everybody I worked with during the last few
> > years, especially Samuel, for their support and their highly valuable
> > feedback to my work.
>
> Appreciate it, you and Peter made it easy for me as a reviewer :)

I can only underline what Sven wrote. I am deeply grateful for all the
support and advice I received.

> > I am looking forward to extending contributing to the team and the
> > Debian Project in its entirety.
>
> Also consider attending a DebConf or MiniDebConf near you. DebConf25 will
> be in France and the project can cover some or all of your costs through
> the bursary program (applications for DC24 are closed already). If we
> ever get enough people and a plan, we can even organize an in-person BSP
> for the team (again, the project can cover some/all of the costs). As few
> as 4/5 people should be enough to organize something as long as we have a
> plan of things to work on.

I attended the MiniDebConf in Berlin three weeks ago and I really enjoyed
it. I am looking forward to more in-person Debian events. :-)

Best regards
Peter
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

> Thank you for your time, actually the reviewers on mentors started only a
> few days ago, it's the first time that I submit a package to Debian, so
> pardon me if I didn't follow all the best practices.

Nothing to be sorry for, don't worry.

> I think I have caught your point, as long as the package is going on on
> mentors it is redundant to work on it on your side,

Yes, to be more clear, you can submit the package to be maintained within the
team, then we can perform the review and upload for you. For this to happen,
though, the package will have to be maintained on salsa under the team,
otherwise it will become impossible/cumbersome for the team to contribute.

If you prefer to keep the packaging bundled with the upstream sources, in the
same repo, and/or outside of salsa, then you would have to request review
from someone else on mentors (as you're doing now). This requires a special
workflow for submitting new packaging revisions vs. new upstream releases,
but some people might prefer it this way.

Cheers

--
Samuel Henrique
Re: New DD applications from the team: wiene and sge
Hello everyone,

> I am excited to let you know that Peter and me completed our exams
> successfully and have been granted DD access this morning.

Awesome! Congratulations to you both!

> My appreciation goes to everybody I worked with during the last few
> years, especially Samuel, for their support and their highly valuable
> feedback to my work.

Appreciate it, you and Peter made it easy for me as a reviewer :)

> I am looking forward to extending contributing to the team and the
> Debian Project in its entirety.

Also consider attending a DebConf or MiniDebConf near you. DebConf25 will be
in France and the project can cover some or all of your costs through the
bursary program (applications for DC24 are closed already). If we ever get
enough people and a plan, we can even organize an in-person BSP for the team
(again, the project can cover some/all of the costs). As few as 4/5 people
should be enough to organize something as long as we have a plan of things
to work on.

Cheers,

--
Samuel Henrique
External check
CVE-2024-37280: missing from list
CVE-2024-5742: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that
id in the tracker at the moment the script was run.
External check
CVE-2024-23445: missing from list
CVE-2024-3049: TODO: check
CVE-2024-3716: TODO: check
CVE-2024-37279: missing from list
CVE-2024-4812: TODO: check
CVE-2024-5154: missing from list
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that
id in the tracker at the moment the script was run.
External check
CVE-2024-3716: TODO: check
CVE-2024-4812: TODO: check
CVE-2024-5037: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere, check
the references in the tracker. The second part indicates the status of that
id in the tracker at the moment the script was run.
[SECURITY] [DSA 5706-1] libarchive security update
Debian Security Advisory DSA-5706-1        secur...@debian.org
https://www.debian.org/security/          Salvatore Bonaccorso
June 05, 2024              https://www.debian.org/security/faq

Package        : libarchive
CVE ID         : CVE-2024-26256
Debian Bug     : 1072107

An integer overflow vulnerability in the rar e8 filter was discovered in
libarchive, a multi-format archive and compression library, which may result
in the execution of arbitrary code if a specially crafted RAR archive is
processed.

For the stable distribution (bookworm), this problem has been fixed in
version 3.6.2-1+deb12u1.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5705-1] tinyproxy security update
Debian Security Advisory DSA-5705-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 05, 2024              https://www.debian.org/security/faq

Package        : tinyproxy
CVE ID         : CVE-2023-49606

A use-after-free was discovered in tinyproxy, a lightweight, non-caching,
optionally anonymizing HTTP proxy, which could result in denial of service.

For the stable distribution (bookworm), this problem has been fixed in
version 1.11.1-2.1+deb12u1.

We recommend that you upgrade your tinyproxy packages.

For the detailed security status of tinyproxy please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tinyproxy

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5704-1] pillow security update
Debian Security Advisory DSA-5704-1        secur...@debian.org
https://www.debian.org/security/            Moritz Muehlenhoff
June 05, 2024              https://www.debian.org/security/faq

Package        : pillow
CVE ID         : CVE-2023-44271 CVE-2023-50447 CVE-2024-28219

Multiple security issues were discovered in Pillow, a Python imaging library,
which could result in denial of service or the execution of arbitrary code if
malformed images are processed.

For the oldstable distribution (bullseye), these problems have been fixed in
version 8.1.2+dfsg-0.3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 9.4.0-1.1+deb12u1.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/pillow

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2019-14493: missing from list
CVE-2019-14494: missing from list
CVE-2019-14513: missing from list
CVE-2019-14540: missing from list
CVE-2019-14553: missing from list
CVE-2019-14558: missing from list
CVE-2019-14559: missing from list
CVE-2019-14560: missing from list
CVE-2023-1419: RESERVED

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5703-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5703-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 02, 2024                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2022-48655 CVE-2023-52585 CVE-2023-52882 CVE-2024-26900
                 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-35848
                 CVE-2024-35947 CVE-2024-36017 CVE-2024-36031 CVE-2024-36883
                 CVE-2024-36886 CVE-2024-36889 CVE-2024-36902 CVE-2024-36904
                 CVE-2024-36905 CVE-2024-36916 CVE-2024-36919 CVE-2024-36929
                 CVE-2024-36933 CVE-2024-36934 CVE-2024-36939 CVE-2024-36940
                 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36953
                 CVE-2024-36954 CVE-2024-36957 CVE-2024-36959

Several vulnerabilities have been discovered in the Linux kernel that may
lead to a privilege escalation, denial of service or information leaks.

For the oldstable distribution (bullseye), these problems have been fixed
in version 5.10.218-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmZcl2BfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0T0Sw//XK7kn+jtJzbA6ZB2hI9ORfNOwOIuFpjc19ZRV1SVQDknnqqbbRn1R+oA
Dlt8KqymYgIn+Mcqp96+xLfzS2F6dnLQlR/QBW47ve6dpjiVKWm7NxJHQaK7hmS6
q8glRv5yyJN5AOeNW2YB3+I18/ru/fuTUzspwQLhFd/8E9EIci8yWwT/xL4pOVHP
Jg65Q/KJ1fUs+OkOkLHs6nMA5UokQ5P55irSdvI6vtOZpvPsmezM8ogQYJD4TU7h
IxZNt13EfJooNMR8g6p/ddyZNRYQWSKpxUj/QP9D1jMrrvOH6YOvyvElbggpJJBE
r5eEz4dziCXq8WeZeu2aEJusRZAug7H5wEq2RmR8UyHmkEjYsmufj3kbmzFdQvp1
GIuT3/BKVqrkMpZNf+1nh1ysVoHe3rA7jBEutUovV/GYMVkvy+mq9tlg2OrIIIwG
6Hl4gcMZ/bTHMr3BxAO6TZwnxMxcxu2pex1yRbs9KujBsa1aS2u5BbAddu1h141e
BCSZbwYK/sE12Rl7S7WGEZkSevnmeovvHjPnx9hP0KhOb/lKCFFPP50YIesWfS2H
NdpT1vCXdueIhCD+Jj1hnYZbHC/WVgjfAl9ghrDDrcDs3qvdEas/nLDI6VH98wew
8yFyp+3JikYNQP4cIqzRK2eD7q9VtH3WZQqORApB8zqlEfVuxZ4=
=DCXU
-----END PGP SIGNATURE-----
External check
CVE-2024-21506: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5702-1] gst-plugins-base1.0 security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5702-1                   secur...@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
June 01, 2024                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : CVE-2024-4453

An integer overflow in the EXIF metadata parsing was discovered in the
GStreamer media framework, which may result in denial of service or
potentially the execution of arbitrary code if a malformed file is
processed.

For the oldstable distribution (bullseye), this problem has been fixed
in version 1.18.4-2+deb11u2.

For the stable distribution (bookworm), this problem has been fixed in
version 1.22.0-3+deb12u2.

We recommend that you upgrade your gst-plugins-base1.0 packages.

For the detailed security status of gst-plugins-base1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gst-plugins-base1.0

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmZay4pfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RlARAAmIfIncL6OtrDoqmsIdVoAhc3ouI+X6X+GdkTellF4MUxo5e5t7L4AwNC
SxLAHqbqEgYRicB4pn6gv8AMBzN1Sn/8i3l8V74Eh93IVaId11hbXPEY4YUM3/Md
bHQNf8HYkBxfB0PbkuuIWiZpxRTbI9eyo0TwzzF4r74J2032k3hH5hHA+dbO8RiU
l//tv3WYpimyL6xrtxM7duws9r3iloEgUNHC2igJVZ0VRnYfmhIF23euzbcCbOal
pufHn7DR5CSbp0y2DMDIjwOu14ZJSvvgKzr1knH2t/zW2TuHnVwbDoSP1KBvpcqe
8kaSKcIJZoetxsIv/5wNoVj2IikDUomFO02QPGXIEuMrzYc7ZkX8JC4/+6dgRzKX
gFzPXuAU7gHtcmLLfIRnMkg5FVsbJfSUXDaL5tTW5YZ8aSoBUMHn/dNzfJXGn2oE
0nVce4cf0JpeTwMFYs9xT7xn0XCU8CggUjODGY11jGowPpgOXnLO3y08tx6iJ34M
QPcFSbhFkrRCgWXEhLTF9N0xpnmiYM0VanA3m2zJlBacotOfEG3ipeRrHylMTUun
9ATrxXWvVNY5hSSB7eK9X6RBSvRdtDPzJ5gzbk3zlH7MKIIyx6CiI+Zx51I292K3
6kmi9zmyFBZgnBzPX2Eigp0bNNZlRwOlOFYKwClcdsgO5yvaxX4=
=f9Uv
-----END PGP SIGNATURE-----
External check
CVE-2024-21506: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Re: New DD applications from the team: wiene and sge
Hi Samuel and Team,

On Sun, 2024-03-03 at 18:10 +, Samuel Henrique wrote:
> Peter Wienemann and Sven Geuer just started their DD application:
> https://nm.debian.org/process/1264
> https://nm.debian.org/process/1268
>
> They are long time contributors and I'm happy we are having them as DDs.
>
> If you've interacted with them on the team, you can consider advocating.
>
> If you're a member of the team and are interested in applying for DM or DD,
> please let me know and I can do an assessment for you. This will give you some
> perspective on what's missing for someone to advocate, or maybe if all the
> requirements are fulfilled, you could start your process too.
> I want to make sure people's work doesn't get unnoticed in the team.
>
> For Peter and Sven, good luck on your DD exam now :)

I am excited to let you know that Peter and I completed our exams
successfully and have been granted DD access this morning.

My appreciation goes to everybody I worked with during the last few years,
especially Samuel, for their support and their highly valuable feedback on
my work. I am looking forward to continuing to contribute to the team and
the Debian Project in its entirety.

Regards,
Sven

-- 
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
[SECURITY] [DSA 5701-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5701-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 31, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-5493 CVE-2024-5494 CVE-2024-5495 CVE-2024-5496
                 CVE-2024-5497 CVE-2024-5498 CVE-2024-5499

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 125.0.6422.141-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZaBlEACgkQZF0CR8Nu
djcgGA//SPgci/IE8IgkqDwqhd/m2goBVMeCCg3D7pkDZmUPfXaC9wZsAdMi5ner
8S+UFUcSc1s9thCNIx7DNsyRa37f18Ou/qaEfu9iY1JAiKg8R23yBEuLqwfFtohV
4WjMVhqXu5UBizaz+BrUhHlvgBGkBAVvc1G2ornFNf19LNx1qcxmHdWRqPI7aKqo
NKZ0V7V9RfnBC1KzIIA2V8dkhLZ2Kxb/i60KbDbqeIJVTIkHnhmVQ7QxRg/pUEjk
zR752P2RHgYk8vlyYTHdv/8M0bPkNrXy07gxvUN5MLJmG9P69u3JDcoabnOoJ2r4
6HqhZZeUZZFcxiDn9Z9jP8S57HoxC9S4Xk2aZaey5B+/23DfWQLxbeHql24tRXRF
MKzStFja7M6KjRVO9Y6xIHjiyQeDMULmV+7rEwC0PonoV2Ts0i0DtaOrtZTN3KGg
R5p9eEUcIAP2QkIKKBtKTtvyzoFZL+ZQ8gBTpPdovkrJ86ZGBpy9J1c4oE6yN7Hh
9Aw8HWpYC4bM5QPSHBZLZVuM4mgNUB14PVVR8mQAwmy1VXGXkzSWGgsSKl+XlDyq
Zl4AAgm3PORqw8vJ0xHbPJ5ez/fP2uXprToo4yMBgSEFt64e5n/YWROopfQK3TKT
fclIK+96y/oK2GYtn6E0V+L+aloTIF4yA0oWATtTAO5dn7rhD60=
=UO0f
-----END PGP SIGNATURE-----
External check
CVE-2024-31079: TODO: check
CVE-2024-32760: TODO: check
CVE-2024-34161: TODO: check
CVE-2024-35200: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5700-1] python-pymysql security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5700-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 29, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-pymysql
CVE ID         : CVE-2024-36039

An SQL injection was discovered in pymysql, a pure Python MySQL driver.

For the oldstable distribution (bullseye), this problem has been fixed
in version 0.9.3-2+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 1.0.2-2+deb12u1.

We recommend that you upgrade your python-pymysql packages.

For the detailed security status of python-pymysql please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/python-pymysql

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZXZeAACgkQEMKTtsN8
TjY9cRAAkMErPcbiz3MnN7NmUuqkG/NmbuUM9smN4WZp8sF6kCsCm9G8M/dSioS+
IpZMFUv1DDELh2HtxWjvA+fqMTddY3CxINKmJEiMKPd8I02CjJsq1gArH8VVAaxN
FQRyU69RA1hecMcQvR1lEssciddFfkzpe6E1SXK/Mp2JMNWmtpRJNUZ9khhIf4Pr
thpForQN8EzQs8gJRQ/2rN48TgcAA/bGyS+W5PGJbb+1RjW5H4eaNo1HHgZNwJNc
TjkylG9MV7nzC5ThCPb7ycrIadYPV/IAYqnh5qUHQnDDROFvWE1MDdn9cPxGYoDm
Fk+/Sgxe9HXRE+Dr8/h0vb0tBBSqN6nBG/OBHKT3eKsDJVPt8TWkBuagsCvNFY3a
7Unu9NQC6NavUanspOacnY1W65BYHUq/5e/U0cLyZgJcPzaJSKeZHVsHLHLStqbK
UCWVBpDxX+5eVd8v3hxGq32H3e71MKqoLV5FzWUzf77qe8SxhWJ+7YSUdYVpVjZX
tronaUvPKTub8p2d32dAZOSQYTbeehQpb1pIoVBWNxAOi12xTz8y7qta/DspjF4T
j3ks+9EiKtS7Bzf+jEQmYEI04RxRn/wdHRFhYjwaGsvhlaH221Y/w53fczJ5bj2z
QODBJShGhuNmwpz9Jr7fvI+gZE3smVkMLWaJPl2BhtF2kAFB62s=
=sLat
-----END PGP SIGNATURE-----
External check
CVE-2024-2199: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
External check
CVE-2023-50977: TODO: check
CVE-2024-26256: TODO: check
CVE-2024-35219: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
External check
CVE-2018-11307: missing from list
CVE-2018-1131: missing from list
CVE-2018-1132: missing from list
CVE-2018-11354: missing from list
CVE-2018-11355: missing from list
CVE-2018-11356: missing from list
CVE-2018-11357: missing from list
CVE-2018-11358: missing from list

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

Thank you for your time, actually the reviewers on mentors started only a few
days ago, it's the first time that I submit a package to Debian, so pardon me
if I didn't follow all the best practices.

I think I have caught your point: as long as the package is going on on
mentors it is redundant to work on it on your side.

Thank you again,
Best Regards,
Carmix

On Sat 25 May 2024, 13:41 Samuel Henrique wrote:
> Hello Carmine,
>
> > Anyway could you simply use the package that I have generated on mentors?
>
> Now I understand it better, yes the one on mentors does build, and in your
> sources you put the packaging under deb-packaging.
>
> From a technical standpoint, the package has a few lintian findings that have
> to be fixed before the upload.
>
> I recommend you set up a lintian hook in pdebuild, or use another solution
> which integrates with lintian, or even call lintian manually over the
> artifacts.
>
> That's going to be useful even as upstream because lintian calls out upstream
> issues too, for example in this case there's lack of hardening and a typo on
> "Highlighting".
>
> Now, on the maintenance side, I see that the package is not under the
> pkg-security team (d/control), which is fine.
>
> If the package were to be in the team, we would have to keep the packaging
> separated from upstream (in a different git repo), because with the current way
> it's not really possible to team-maintain the package. The packaging repo would
> have all three branches we use (pristine-tar, upstream and debian/unstable),
> the packaging would live in the debian/ folder, and the repo would live on
> salsa.
>
> Again, it's totally fine to not have the package under the team, if you want to
> keep it all in a single git repo, and I see you already got some reviews on
> mentors.
>
> It's just that unfortunately I can't keep reviewing the package, I already have
> too many things to do for the team-owned ones and I have to prioritize those.
>
> That is pretty much a never-ending task, so I rarely have time to do
> reviews outside of the team, my own packages, or the people I mentor
> directly.
> Sorry.
>
> Cheers,
>
>
> --
> Samuel Henrique
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

> Anyway could you simply use the package that I have generated on mentors?

Now I understand it better, yes the one on mentors does build, and in your
sources you put the packaging under deb-packaging.

From a technical standpoint, the package has a few lintian findings that have
to be fixed before the upload.

I recommend you set up a lintian hook in pdebuild, or use another solution
which integrates with lintian, or even call lintian manually over the
artifacts.

That's going to be useful even as upstream because lintian calls out upstream
issues too, for example in this case there's lack of hardening and a typo on
"Highlighting".

Now, on the maintenance side, I see that the package is not under the
pkg-security team (d/control), which is fine.

If the package were to be in the team, we would have to keep the packaging
separated from upstream (in a different git repo), because with the current way
it's not really possible to team-maintain the package. The packaging repo would
have all three branches we use (pristine-tar, upstream and debian/unstable),
the packaging would live in the debian/ folder, and the repo would live on
salsa.

Again, it's totally fine to not have the package under the team, if you want to
keep it all in a single git repo, and I see you already got some reviews on
mentors.

It's just that unfortunately I can't keep reviewing the package, I already have
too many things to do for the team-owned ones and I have to prioritize those.

That is pretty much a never-ending task, so I rarely have time to do reviews
outside of the team, my own packages, or the people I mentor directly.
Sorry.

Cheers,

-- 
Samuel Henrique
[SECURITY] [DSA 5699-1] redmine security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5699-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 24, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redmine
CVE ID         : CVE-2023-47258 CVE-2023-47259 CVE-2023-47260

Multiple cross-site scripting vulnerabilities were found in Redmine, a
project management web application.

For the stable distribution (bookworm), these problems have been fixed in
version 5.0.4-5+deb12u1.

We recommend that you upgrade your redmine packages.

For the detailed security status of redmine please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/redmine

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0gACgkQEMKTtsN8
TjbXDhAAlwLX55/MEXwBGXK2/diyo0jALkcur3+674tfQQGzTDeOzN9LVxJLLSS6
FkgJEv/9bW/EjRpltBR64eqPjJC8JSmiqcEC7YU0paZi4gKyurBBy1F5hI2kHHFN
M9KzjIh44Wak6W/3PtJHw8nClZMG2uJZFiXhqzrR1Gv+NWlFILhNyB1RGzB5hQYr
2/arb7tEj4heXGWtahrbzi7YZS5a0aREK0nQ7y09DCYpvlJTlpt3almGxPJhpbyz
RTwhRMrOTOZJHfwAwxjND2xmblfvkeQxLrNbBBEO9NO18cN69lOMA/sG3haMMkVK
RpZFIaEl+F8t0WIqlAog4JjiivrhkFL3Px4uthuD0HzAzxveHvC9rgqPWUOre2eL
BONo74Wsx5kY+gY7RZyNJRQ7VRk71lRlqAlGSofJ9ckfOincXV8lT7DEEcki42Qh
rx8Fw682z5m+ozyaI0FBK4yiKiZ44bgjIb166paoxhA+H9WiubhR70Z2SMUG2x7I
qktbTa+oboSXOc2zYDFpIa5XWXWJz6OspHBxGE7JF+Zs/eRhxXsAJb/diJB6msgD
GTFAmynvAifcfDHczRqG56AG8jVku4nIGT0Q7INAeukhdWUU5jyqYrcF0UoPa+c+
NW4g5CZNACKjpFAIwo+WJceUMsgVy8ZvIV/IRH12XtslD50K1yM=
=Fejb
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5698-1] ruby-rack security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5698-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 24, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-rack
CVE ID         : CVE-2024-25126 CVE-2024-26141 CVE-2024-26146

Multiple security issues were found in Rack, an interface for developing
web applications in Ruby, which could result in denial of service.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.1.4-3+deb11u2.

For the stable distribution (bookworm), these problems have been fixed in
version 2.2.6.4-1+deb12u1.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ruby-rack

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmZQw0YACgkQEMKTtsN8
TjaEDQ/+In6arFD5sCgR6IZW2RiwAgBlLY9SAPlcuSI4qYkoN3JDMsm3dWV38UEO
IwhvEiNpOXRiHCi4V15Eo92I1ayKJIZYM9n5B1pjGQrci5tl1cnFIfhfkIEjRET7
OFRgL6TYgzsc5PKmlBNmff/yQOPXdw2q8dfgJkBb9Nc7GUxrhnsAdy/5mrW9NgSP
erd65rYZ3NcGpSCiKcUcweatBalf2GycXFXSNzUlYw4nGuEOM5P4uyB8TI0lhaxy
+hQA24fVGfKIldSHvQu4gs2jN2CaCNp4KyV5SkAtK7lBTxWMihmXwhzvpGeKF/AB
okicqj4AC/T1BhjqS7S5/CjScmJwwkOcpaNhcqoI9wmFkx/bVYbQGmFuYPibziBH
fBeucZhCFW2zhxSGYX/oWx/V4J3kBwMMUll4pI3AM0SEs/loeU3k+eLR7mq1ElcL
t+IOmQpwNIIuvy/r8wvSySBLXu07b1lS29LMtqk3qXdb3HO6e2QznIdW6CatcewE
c6uWOAzUBSFwvA1kgXWFqT9gj17RQ6VdMAdOw+5dkWIbJrWeJfiDdlT6R0KWpAfE
xQFzLbywtKJAtOnS7v+jyBkPlTg5Rz6z7o6PCf5fYA42FnI6p5AAryPvEupbiE6N
72K1+8x+mDeiPFLlmrlP3tUsdhVwSfD5AEO+Qiyi04rYY7w55RM=
=9BYJ
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5697-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5697-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 24, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-5274

A security issue was discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in
version 125.0.6422.112-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZQvDgACgkQZF0CR8Nu
djemlQ//Q1bTXczbYNw/gT4PCqkr956Xe0sR9tQ660X/281kR132ri1mfMfU7WT8
HCmvM3aL7r9gy5ia9RCtvThRjde7CNrI4fDux6YIsv5xnfyalcxDDjXN9uz2Iy1J
Mq3fRjH2MhR0zK6vNiovc8DI0BcC2sWiBy3OiXIewkzO0sq54Z8g3Q/VZq9waNAA
hbW7GhznVCqC1KQOzYT6/bLi9WshF9x8tOmfbNVzqBVQ2vQIJsr02gQ+kygohuNB
qJjHvkt7IgkawsdQCcxLrlM/Wwa+YYTSKtjEmFG4uoL3jvFS3uRiXoSmFBrawaS/
KVQ267IiXu9qt5gn/SfXLgH2/ERau9csmLW0hlX3QeHodLD/msFNRHpMKgIplkve
hP0qYqcDLGhgvP2ZmaBJMq0eU/SVB+2BKYN9SrWGSG+AHalkCGqmFzlEgbhui2zs
oH9hf41uaFiRSs9sr8eMVCP2q8JXXlZAEoCi1HfP0/nbwyfsKGQ2+vn4/kzQd/Ha
ML9JeY57rfOS7E2F2hO2xpadYJtzA6+FY8nlv9Jh6UmgpvOMTYDdITuIS5nUy2AA
hIBMgHVBnIrkcxFhbkfBCyDkDKIvQeIVxy6zFpRwvBaGpJCWsMgaTs2ibWX67G6t
VZmu0iDpaS86cHK4OnQmgXY6HX02iSM6te88FGl61g7qbk7hbK4=
=JmnS
-----END PGP SIGNATURE-----
External check
CVE-2006-4811: missing from list
CVE-2006-4812: missing from list
CVE-2006-4813: missing from list
CVE-2006-4814: missing from list
CVE-2006-4842: missing from list
CVE-2006-4924: missing from list
CVE-2006-4925: missing from list
CVE-2006-4980: missing from list
CVE-2006-4997: missing from list
CVE-2006-5051: missing from list
CVE-2006-5052: missing from list
CVE-2006-5158: missing from list
CVE-2006-5159: missing from list
CVE-2006-5160: missing from list

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

I just updated the repo both on git and on mentors with your hints:
https://mentors.debian.net/package/hexwalk

For packaging I'm using a different method than yours, I use
"pdebuild --debbuildopts -sa --debsign-k xx"

Effectively I noticed that the "debian" folder is not enough for you to
reproduce my building environment, I just added a folder (/deb-packaging) in
the git that I hope helps.

In my build environment inside deb-packaging/hexwalk-1.7.1 I add the src/
folder and inside it I put these two folders contained in the root of the git
repo:

hexwalk/
src/

I see that it is not so straightforward but it seems to work.

Anyway could you simply use the package that I have generated on mentors?

Thank you again for your time,
Carmix

On 21/05/2024 22:55, Samuel Henrique wrote:
> Hello Carmine,
>
> On Tue, 21 May 2024 at 05:41, Carmine wrote:
> > Thank you for your time, I'll try to fix the issues by myself and will return
> > to you asap.
> > The strange thing is that I already generated the package here:
> > https://mentors.debian.net/package/hexwalk/
> >
> > and I didn't face all these issues
> >
> > Am I missing something?
>
> Hmm, how are you building the package?
>
> Here are the steps to reproduce the failure:
>
> git clone https://github.com/gcarmix/HexWalk.git
> cd HexWalk/
> sed -i "s/stable/unstable/" debian/changelog
> origtargz # to generate the orig tarball
> sbuild
>
> Cheers,
>
> --
> Samuel Henrique
[SECURITY] [DSA 5696-1] chromium security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5696-1                   secur...@debian.org
https://www.debian.org/security/                           Andres Salomon
May 22, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160

Security issues were discovered in Chromium, which could result in the
execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in
version 125.0.6422.76-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmZOH24ACgkQZF0CR8Nu
djeemg//Y1GqBjx++55D6XDRa23a2g0T4Y7TxemSEojcb8jR7JaVfFroql0d8fFy
mFyHjS9tk2dV2naoKjaOWmm87IHjGv1bQxr8b9/2qjPp5+cf7lu02jTEwSo6Sroq
serY1NuuJUyQfCs6K48wOjAoRDsrYHMXt2Db7Pu+nev0KB3mFWBfWrTErRQf5yoh
0PxSik3hutUn8pGuLiiZZxrWsHopi+qyPSWPQU0O9o+u5jvtsmuVH1lmbu8B/QC6
6UWcEAWPlzstnJWf5i+4OoJA+go8jo/Z2UvRn7gEmMeUb0ykrVLJB3DY22iNrb+/
801KxD2qrwZHOGR0Xm7ImnZrYG4VlWPJZjZ1AcMSZYb/cvMLaQ8Y+5k0wBipep1I
CCD4/WvTN00a0D3OHIwpS2T5+gxRfQ3TWhQ6pfH90lzZZdxELOXeuiFZebW22aBj
d+h5a97WPvYKoDpgM+em7a1k3cixfFucakEQA7FL5ovPmwFc9N59l/rjeFtu5QOp
tgq//rgj0N1EC7REAL7FWtiu8u8KOSB/sF5P9+GfWEEroHpm8ScfzBzV95Z6bYrE
T8qQnvGnSGz9ESaEb6W83v5oMPU54h03Xwm3gQRJqf89ke6UJYEIVkyeN5x6F2T+
DUqTHhqQ5eZP8nl320BG516JXmw6jjsBF4SJeYXn/R/KFAg5Lq0=
=lRoo
-----END PGP SIGNATURE-----
[SECURITY] [DSA 5695-1] webkit2gtk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5695-1                   secur...@debian.org
https://www.debian.org/security/                           Alberto Garcia
May 22, 2024                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2024-27834

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-27834

    Manfred Paul discovered that an attacker with arbitrary read and
    write capability may be able to bypass Pointer Authentication.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.44.2-1~deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 2.44.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmZNsSQACgkQAAyEYu0C
2AL2wxAAnx+ORCkML2MQZukV0lBt7yHzBHWaZHDWF8C3hbo8DPxqpNPGSRwpLb6M
xzRbW+7LvdlQUuSEMs0ms00jh1wkmQh1cAa09n778+pYhu5oLm09HOU51ybWaWRM
gojJiHC6svqhov5vxtqbSTUrpXzGQhp9ZYUAyCI49eJSzROIdk188CHHY1PxHZH1
nwlQddTeaL63f+0nyXzHomFtgOhyA6ESmVgunS8/yoIxQUOn3T6MQOvdKlizMJAr
watZ4fQq69AEqFMC2x8cCIZ6zZAhu4dLwagnundEdwZxeKRa6vAv6N5BLFx9lC8q
HARmaMttDl1+3AMHwMiZDqdNt++L4Ldgy26PJQa8hsDlAmXQsR5qtR/xmS7+l6AN
euXWeyF2DBM3GZgRzsACFJsnqYkQ9snQZdSYzHi2//xyskTpyHxYwMp/wFp4Kirt
F05d66TocWkWviuYddytl0cRGb3X1I7pB+8vkw90ugIMJKFxh6cXDDPch6kTdMLg
YPsSxV8/h1jcxr5MgST1LntvvhgGT70YV9HWJleQ33bmWqEQ6xF7vrIsKy3MiFx1
jKGoI7GvgOrWRDUIZuw4680f9Hv4Cpz4R0uKMOS4wTbrEQkhv96E/sAcER8P9VYm
9U6AuFAoA5KRU8BysUD3A/PzHo+wKwTSBUuKUGex8HnPIfmUEyw=
=yLoR
-----END PGP SIGNATURE-----
External check
CVE-2024-29651: TODO: check
CVE-2024-31989: TODO: check
CVE-2024-3744: TODO: check
CVE-2024-5148: missing from list

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hello Carmine,

On Tue, 21 May 2024 at 05:41, Carmine wrote:
> Thank you for your time, I'll try to fix the issues by myself and will return
> to you asap.
> The strange thing is that I already generated the package here:
> https://mentors.debian.net/package/hexwalk/
>
> and I didn't face all these issues
>
> Am I missing something?

Hmm, how are you building the package?

Here are the steps to reproduce the failure:

git clone https://github.com/gcarmix/HexWalk.git
cd HexWalk/
sed -i "s/stable/unstable/" debian/changelog
origtargz # to generate the orig tarball
sbuild

Cheers,

-- 
Samuel Henrique
External check
CVE-2024-3744: TODO: check

-- 
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.
Re: RFS: HexWalk Request for sponsor
Hi Samuel,

Thank you for your time, I'll try to fix the issues by myself and will return
to you asap.
The strange thing is that I already generated the package here:
https://mentors.debian.net/package/hexwalk/

and I didn't face all these issues

Am I missing something?

Thank you again,
Carmix

On Tue 21 May 2024, 00:00 Samuel Henrique wrote:
> Hello carmix,
>
> I've had some time to review the package today, I didn't review everything in
> depth so there might be more comments after these changes.
>
> 1) d/changelog: unstable distribution
> I see that you're targeting "stable" in the changelog, but in Debian we do
> uploads to unstable or experimental, new packages can only get to stable
> through stable-backports (and that's after the package migrates from unstable
> to testing).
> You can read more about it here:
> https://backports.debian.org/
> This diagram shows the workflow of packages:
> https://wiki.debian.org/DebianReleases#Workflow
>
> For more information, I suggest reading about the Debian release process.
>
> 2) debian/compat: deprecated file
> We don't use this file anymore, check the following manpage section for
> details:
>
> https://manpages.debian.org/unstable/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS
>
> 3) Build fails
> I'm not able to build the package, it fails with missing file errors, like:
>
> dh_install: warning: Cannot find (any matches for) "hexwalk.ico" (tried in ., debian/tmp)
> I think the solution to this might fall under #4 below.
>
> In order for a review to be done, the package needs to be buildable, if not,
> then I suggest reaching out for help with the specific issues.
>
> 4) No build system
> It doesn't seem like debhelper is building anything, changes need to be done to
> actually trigger the build, they will depend on the buildsystem you use.
>
> You can search for how other packages make use of qmake here:
> https://codesearch.debian.net/search?q=qmake=1=1
>
> I believe finding someone to help you more directly would be useful, packaging
> is hard and I know how tough it is to be in this position.
>
> But also, you don't necessarily need to do the packaging yourself, if you
> prefer, you can open an RFP bug (or turn your RFS into an RFP), this would be a
> request for someone to package it.
>
> The only reason I'm saying this is because usually upstreams don't want to get
> too much involved in packaging, but if you do, that's great.
>
> Cheers,
>
>
> --
> Samuel Henrique
Re: Request to join your team as new member
Hello Alicherif,

On Mon, 20 May 2024 at 14:54, Alicherif Samir wrote:
> I'm working on the Wapiti web scanner with a team of motivated people, and we
> want to see our work published on the Salsa repositories.

That's great, feel free to send an MR against the debian branch, you can skip
doing an MR for the pristine-tar and upstream branches (but they need to be
updated in your fork).

> As nobody packages Wapiti anymore, I'd like to take care of it.

That's not true, the package is still under the team and someone ought to
package the latest version eventually. It's still being taken care of, but
contributions are very much welcomed!

> Now that you know what I want to do, let me introduce myself. I'm Samir. I am
> a developer passionate about many subjects, including Cyber Security and Risk
> Management. I work for a company that publishes a vulnerability management
> software.

Awesome, we don't have a strict definition of being part of the team, so for
any MRs you make against wapiti, feel free to use "Team upload" in the
changelog.

Salsa does have the concept of the team, for the pkg-security namespace, but
any members added will have permissions across all repos maintained by the
team, so we tend to only add people if needed/after some contributions.

This doesn't stop others from contributing, as anyone is allowed to send an MR
doing a "Team upload" (d/changelog).

Welcome!

-- 
Samuel Henrique
Re: Request to join as new member
Hello Simon,

On Sat, 11 May 2024 at 10:59, Simon Josefsson wrote:
> I'm not up to speed on all the pkg-security tooling, so please review and fix anything that needs fixing. I feel uncomfortable having a salsa write permission token in plain text on my laptop, which seemed required to use some of the suggested tools -- hopefully none of that stuff is critical, and if important could be fixed by others too? It felt like going down someone's personal work flow understanding, which is great for inspiration (I quickly agreed with most concepts) but may require some more polishing before everyone can adapt. I had the same feeling when adapting to the Debian Go Packaging workflow, most of the workflow concepts are great improvements but deep below some assumptions that may not be universal are made. I hope to learn and adapt though.

I think only a few people use the tools at https://salsa.debian.org/pkg-security-team/pkg-security-team. You should be definitely fine without using it. The feature we get is standardization of the packaging, the main one being setting up the IRC and BTS hooks, but then the logic around branch names is outdated :(. I should take some time to update that wiki and the scripts... But for now, feel free to skip that.

> Regarding having the repository in debian/ but still use pkg-security group maintenance, I'll think about that some more, but you can tell from my decision to move libntlm to pkg-security that I wanted to give this approach a try first.

Ack, I'm interested in your findings after trying it out for a bit.

Cheers,

--
Samuel Henrique
Re: pkg-security-team vs debian namespace
Hello Simon,

On Sat, 11 May 2024 at 11:51, Simon Josefsson wrote:
> Following up on the namespace question separately. To clarify: I'm not proposing any change. I'm mostly trying to learn and understand why some decisions were made and if the rationale still applies.

No worries, I think there's definitely room for improvement. I've been having discussions like this with the other curl maintainers but we haven't managed to find a good alternative for the issue yet. If you're going to attend DebConf, I'd love to chat about this with you (I have seen your emails on other threads and it looks like we are aligned on how we view the issue).

> Samuel Henrique writes:
>
> > Downsides of keeping the packaging under debian/:
> > * Lack of the salsa's view of current opened MRs, as seen on https://salsa.debian.org/groups/pkg-security-team/-/merge_requests. This is the biggest downside in my opinion.
>
> Couldn't this easily be solved by tagging merge requests for pkg-security-related packages with a tag, and search for that? Assuming all pkg-security-team packages were to be moved to /debian/ (for sake of discussing this aspect). I'm not familiar enough with GitLab workflows to tell if using Assignee, Reviewer, Label, Environment or some other tag though then you could go to this page, using label CI as an example but CI would be replaced with PKG-SECURITY or similar:
>
> https://salsa.debian.org/groups/debian/-/merge_requests?scope=all=opened_name[]=CI

That would work, yes, but I don't think there's a straightforward way to automate this. It's an interesting idea nonetheless...

> > * Team contributors who have received permissions to push to all team-owned repos (before becoming DDs) will still not be able to push to the packages under debian/. This is not a huge issue because they can still open MRs, but the process to contribute becomes a bit more cumbersome.
>
> Is there any documented policy for /debian/ packages including group membership policy? Maybe lack of documented policy for /debian/ is the biggest problem here though, it isn't even possible to evaluate if the policies are compatible.

Not that I'm aware, what's done in practice is that all DDs get permission to push to the debian namespace.

The way we handle the concept of teams on debian is not very well defined, for good or for bad. We miss a few things to get an ideal process, but one that often gets to my mind is the ability for multiple teams to own the same package. For example, a security-related package written in python should be set up so that both the security-tools and the python team are able to push to git (and to upload) as a team upload.

If we go further, we can also say that any DD is allowed to push and upload, while still keeping a team under its maintenance umbrella (the people from the team would be the ones receiving bug reports, watching MRs, etc...).

Cheers,

--
Samuel Henrique
Re: RFS: HexWalk Request for sponsor
Hello carmix,

I've had some time to review the package today, I didn't review everything in depth so there might be more comments after these changes.

1) d/changelog: unstable distribution

I see that you're targeting "stable" in the changelog, but in Debian we do uploads to unstable or experimental, new packages can only get to stable through stable-backports (and that's after the package migrates from unstable to testing).

You can read more about it here:
https://backports.debian.org/

This diagram shows the workflow of packages:
https://wiki.debian.org/DebianReleases#Workflow

For more information, I suggest reading about the Debian release process.

2) debian/compat: deprecated file

We don't use this file anymore, check the following manpage section for details:
https://manpages.debian.org/unstable/debhelper/debhelper.7.en.html#COMPATIBILITY_LEVELS

3) Build fails

I'm not able to build the package, it fails with missing file errors, like:
> dh_install: warning: Cannot find (any matches for) "hexwalk.ico" (tried in ., debian/tmp)

I think the solution to this might fall under #4 below.

In order for a review to be done, the package needs to be buildable, if not, then I suggest reaching out for help with the specific issues.

4) No build system

It doesn't seem like debhelper is building anything, changes need to be done to actually trigger the build, they will depend on the buildsystem you use.

You can search for how other packages make use of qmake here:
https://codesearch.debian.net/search?q=qmake=1=1

I believe finding someone to help you more directly would be useful, packaging is hard and I know how tough it is to be in this position.

But also, you don't necessarily need to do the packaging yourself, if you prefer, you can open an RFP bug (or turn your RFS into an RFP), this would be a request for someone to package it.

The only reason I'm saying this is because usually upstreams don't want to get too much involved in packaging, but if you do, that's great.

Cheers,

--
Samuel Henrique
Request to join your team as new member
Hello there,

I'm working on the Wapiti web scanner with a team of motivated people, and we want to see our work published on the Salsa repositories.

As nobody packages Wapiti anymore, I'd like to take care of it.

Now that you know what I want to do, let me introduce myself. I'm Samir. I am a developer passionate about many subjects, including Cyber Security and Risk Management. I work for a company that publishes a vulnerability management software.

Cheers,
Samir
External check
CVE-2024-3744: TODO: check
CVE-2024-5042: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Hello everyone,

Just wondering if the Security team could spend some time evaluating my proposal. Feedback from others is always welcomed too, but in order to go ahead I would like to understand where the team stands.

Cheers,

--
Samuel Henrique
[SECURITY] [DSA 5694-1] chromium security update
Debian Security Advisory DSA-5694-1
secur...@debian.org
https://www.debian.org/security/
Andres Salomon
May 17, 2024
https://www.debian.org/security/faq

Package: chromium
CVE ID: CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950

Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bookworm), these problems have been fixed in version 125.0.6422.60-1~deb12u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5693-1] thunderbird security update
Debian Security Advisory DSA-5693-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
May 17, 2024
https://www.debian.org/security/faq

Package: thunderbird
CVE ID: CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

For the oldstable distribution (bullseye), these problems have been fixed in version 1:115.11.0-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 1:115.11.0-1~deb12u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2006-5465: missing from list
CVE-2006-5466: missing from list
CVE-2006-5467: missing from list
CVE-2006-5468: missing from list
CVE-2006-5469: missing from list
CVE-2006-5540: missing from list
CVE-2006-5541: missing from list
CVE-2006-5542: missing from list
CVE-2006-5619: missing from list
CVE-2006-5633: missing from list
CVE-2006-5649: missing from list
CVE-2006-5701: missing from list
CVE-2006-5706: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-3744: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-21823: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-3744: TODO: check

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5692-1] ghostscript security update
Debian Security Advisory DSA-5692-1
secur...@debian.org
https://www.debian.org/security/
Salvatore Bonaccorso
May 15, 2024
https://www.debian.org/security/faq

Package: ghostscript
CVE ID: CVE-2023-52722 CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 CVE-2024-33871

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

For the oldstable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u7.

For the stable distribution (bookworm), these problems have been fixed in version 10.0.0~dfsg-11+deb12u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5691-1] firefox-esr security update
Debian Security Advisory DSA-5691-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
May 15, 2024
https://www.debian.org/security/faq

Package: firefox-esr
CVE ID: CVE-2024-4367 CVE-2024-4767 CVE-2024-4768 CVE-2024-4769 CVE-2024-4770 CVE-2024-4777

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or clickjacking.

For the oldstable distribution (bullseye), these problems have been fixed in version 115.11.0esr-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in version 115.11.0esr-1~deb12u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5689-1] chromium security update
Debian Security Advisory DSA-5689-1
secur...@debian.org
https://www.debian.org/security/
Andres Salomon
May 15, 2024
https://www.debian.org/security/faq

Package: chromium
CVE ID: CVE-2024-4761

A security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Google is aware that an exploit for CVE-2024-4761 exists in the wild.

For the stable distribution (bookworm), this problem has been fixed in version 124.0.6367.207-1~deb12u1.

We highly recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
[SECURITY] [DSA 5690-1] libreoffice security update
Debian Security Advisory DSA-5690-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
May 15, 2024
https://www.debian.org/security/faq

Package: libreoffice
CVE ID: CVE-2024-3044

Amel Bouziane-Leblond discovered that LibreOffice's support for binding scripts to click events on graphics could result in unchecked script execution.

For the oldstable distribution (bullseye), this problem has been fixed in version 1:7.0.4-4+deb11u9.

For the stable distribution (bookworm), this problem has been fixed in version 4:7.4.7-1+deb12u2.

We recommend that you upgrade your libreoffice packages.

For the detailed security status of libreoffice please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/libreoffice

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2024-21823: missing from list
CVE-2024-30045: TODO: check
CVE-2024-30046: TODO: check
CVE-2024-32002: TODO: check
CVE-2024-32004: TODO: check
CVE-2024-32020: TODO: check
CVE-2024-32021: TODO: check
CVE-2024-32465: TODO: check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list
CVE-2024-4840: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
External check
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
[SECURITY] [DSA 5688-1] atril security update
Debian Security Advisory DSA-5688-1
secur...@debian.org
https://www.debian.org/security/
Moritz Muehlenhoff
May 12, 2024
https://www.debian.org/security/faq

Package: atril
CVE ID: CVE-2023-52076

It was discovered that missing input sanitising in the Atril document viewer could result in writing arbitrary files in the user's home directory if a malformed epub document is opened.

For the oldstable distribution (bullseye), this problem has been fixed in version 1.24.0-1+deb11u1. This update also disables support for comic book archives, mitigating CVE-2023-51698.

For the stable distribution (bookworm), this problem has been fixed in version 1.26.0-2+deb12u3.

We recommend that you upgrade your atril packages.

For the detailed security status of atril please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/atril

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
External check
CVE-2006-3813: missing from list
CVE-2006-3835: missing from list
CVE-2006-3879: missing from list
CVE-2006-3918: missing from list
CVE-2006-4019: missing from list
CVE-2006-4020: missing from list
CVE-2006-4023: missing from list
CVE-2006-4031: missing from list
CVE-2006-4093: missing from list
CVE-2006-4095: missing from list
CVE-2006-4096: missing from list
CVE-2006-4124: missing from list
CVE-2006-4144: missing from list
CVE-2006-4145: missing from list
CVE-2006-4146: missing from list
CVE-2006-4168: missing from list
CVE-2006-4181: missing from list
CVE-2006-4192: missing from list
CVE-2006-4226: missing from list
CVE-2006-4227: missing from list
CVE-2024-326121: missing from list
CVE-2024-326127: missing from list
CVE-2024-326131: missing from list
CVE-2024-326136: missing from list
CVE-2024-326141: missing from list
CVE-2024-326145: missing from list
CVE-2024-326151: missing from list
CVE-2024-326154: missing from list
CVE-2024-326161: missing from list
CVE-2024-326163: missing from list
CVE-2024-326171: missing from list
CVE-2024-326172: missing from list
CVE-2024-326181: missing from list
CVE-2024-326190: missing from list
CVE-2024-326191: missing from list

--
The output might be a bit terse, but the above ids are known elsewhere, check the references in the tracker. The second part indicates the status of that id in the tracker at the moment the script was run.
Re: Request to join as new member
Arnaud Rebillout writes:

> On 11/05/2024 16:59, Simon Josefsson wrote:
>> I feel uncomfortable having a salsa write permission token in plain text on my laptop, which seemed required to use some of the suggested tools
>
> Just passing by.
>
> What are you referring to, why is a salsa token required? Often enough, you can store secrets with libsecret (check package libsecret-tools) rather than plain text.

On https://wiki.debian.org/Teams/pkg-security#Packaging_rules it mentions the 'bin/update-repos' which complains:

    It looks like no token has been configured for /usr/bin/salsa.
    see 'man salsa' and setup a SALSA_TOKEN in the devscripts configuration file.

The man page for salsa https://manpages.debian.org/bookworm/devscripts/salsa.1.en.html says I should put a Salsa token in plaintext in ~/.devscripts. If I understand correctly, leaking that token will leak write-permission to my account on Salsa. I don't feel comfortable about having this magic cookie around, it seems safer to rely on SSH or PGP keys (which I have on a smartcard) instead.

/Simon
Re: Request to join as new member
On 11/05/2024 16:59, Simon Josefsson wrote:
> I feel uncomfortable having a salsa write permission token in plain text on my laptop, which seemed required to use some of the suggested tools

Just passing by.

What are you referring to, why is a salsa token required? Often enough, you can store secrets with libsecret (check package libsecret-tools) rather than plain text.

Cheers,
Arnaud
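One way to act on the libsecret suggestion from this thread, as an added example that is neither code from the thread nor from devscripts: the token is stored once with secret-tool (from libsecret-tools), handed to salsa only for the lifetime of a single invocation, and a small audit function reports whether a plaintext SALSA_TOKEN is still sitting in ~/.devscripts. It assumes that salsa(1) accepts a --token-file option (my reading of the tool, not confirmed by this page) and uses constructed keyring attribute names.

```shell
#!/bin/sh
# Added example, not code from the thread or from devscripts: keep the
# Salsa API token in the libsecret keyring and never in ~/.devscripts.
set -eu

# Keyring attribute/value under which the token is stored (constructed names).
SALSA_ATTR="service"
SALSA_ATTR_VALUE="salsa.debian.org"

# Return 0 when FILE holds an uncommented, non-empty SALSA_TOKEN assignment,
# i.e. a write-capable token sitting in clear text on disk.
devscripts_has_plaintext_token() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*SALSA_TOKEN=.*[[:alnum:]]' "$conf"
}

# One-time setup: secret-tool reads the token from stdin (no echo on a tty)
# and stores it encrypted in the login keyring, unlocked with the session.
store_salsa_token() {
    secret-tool store --label="Salsa API token" "$SALSA_ATTR" "$SALSA_ATTR_VALUE"
}

# Run salsa with the token fetched from the keyring. Assumption: salsa(1)
# takes --token-file. The file is 0600 (mktemp default) and is removed as
# soon as the command returns, whatever its exit status, so the token only
# exists on disk for the duration of one call.
run_salsa() {
    token=$(secret-tool lookup "$SALSA_ATTR" "$SALSA_ATTR_VALUE") || {
        echo "no Salsa token in the keyring; run store_salsa_token first" >&2
        return 1
    }
    tokfile=$(mktemp)
    printf '%s\n' "$token" > "$tokfile"
    rc=0
    salsa --token-file "$tokfile" "$@" || rc=$?
    rm -f "$tokfile"
    return "$rc"
}

# Audit on load: warn if a plaintext token is still in the devscripts config.
if devscripts_has_plaintext_token "${HOME:-/nonexistent}/.devscripts"; then
    echo "warning: ~/.devscripts carries a plaintext SALSA_TOKEN; move it to the keyring" >&2
fi
```

Once the token is in the keyring, `run_salsa whoami` (or any other salsa subcommand) works without a SALSA_TOKEN line in ~/.devscripts.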