[Secure-testing-commits] r57981 - data
Author: santiago Date: 2017-11-23 21:47:29 + (Thu, 23 Nov 2017) New Revision: 57981 Modified: data/dsa-needed.txt Log: dsa-needed.txt: santiago takes a look at poppler Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-23 21:20:03 UTC (rev 57980) +++ data/dsa-needed.txt 2017-11-23 21:47:29 UTC (rev 57981) @@ -42,6 +42,7 @@ phpmyadmin/oldstable -- poppler + 2017-11-23: santiago will prepare a debdiff -- qemu/oldstable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
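Review bot: the added line under "poppler" does not say which suites the debdiff is for, while the neighbouring entries in this hunk are suite-qualified ("phpmyadmin/oldstable", "qemu/oldstable"). Naming the suites, as the atril note in r53665 does ("for jessie and stretch"), would make clear what is still unclaimed.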
[Secure-testing-commits] r57618 - data/CVE
Author: santiago Date: 2017-11-14 10:08:47 + (Tue, 14 Nov 2017) New Revision: 57618 Modified: data/CVE/list Log: CVE-2017-15565/poppler: add fix url Signed-off-by: Santiago R.RModified: data/CVE/list === --- data/CVE/list 2017-11-14 09:48:40 UTC (rev 57617) +++ data/CVE/list 2017-11-14 10:08:47 UTC (rev 57618) @@ -3227,6 +3227,7 @@ CVE-2017-15565 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - poppler (bug #879066) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103016 + NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19ebd40547186a8ea6da08c8d8e2a6d6b7e84f5d CVE-2017-15564 RESERVED CVE-2017-15563 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57456 - data/CVE
Author: santiago Date: 2017-11-08 15:16:34 + (Wed, 08 Nov 2017) New Revision: 57456 Modified: data/CVE/list Log: sqlite3/CVE-2017-2513 wheezy and jessie not vulnerable Modified: data/CVE/list === --- data/CVE/list 2017-11-08 14:40:16 UTC (rev 57455) +++ data/CVE/list 2017-11-08 15:16:34 UTC (rev 57456) @@ -42209,6 +42209,8 @@ NOTE: Not covered by security support CVE-2017-2513 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 3.15.2-1 + [jessie] - sqlite3 (Vulnerable code not present) + [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57449 - data/CVE
Author: santiago Date: 2017-11-08 10:34:40 + (Wed, 08 Nov 2017) New Revision: 57449 Modified: data/CVE/list Log: sqlite3/CVE-2017-2513,CVE-2017-2518,CVE-2017-2519,CVE-2017-2520: include fix urls Modified: data/CVE/list === --- data/CVE/list 2017-11-08 09:56:57 UTC (rev 57448) +++ data/CVE/list 2017-11-08 10:34:40 UTC (rev 57449) @@ -42186,14 +42186,17 @@ - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 + NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 + NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 + NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 CVE-2017-2517 (An issue was discovered in certain Apple products. iOS before 10.3.3 ...) NOT-FOR-US: Apple Safari CVE-2017-2516 (An issue was discovered in certain Apple products. macOS before ...) @@ -42208,6 +42211,7 @@ - sqlite3 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 + NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a CVE-2017-2512 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-2511 (An issue was discovered in certain Apple products. Safari before ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53665 - data
Author: santiago Date: 2017-07-19 12:05:57 + (Wed, 19 Jul 2017) New Revision: 53665 Modified: data/dsa-needed.txt Log: preparing debdiff for atril Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-07-19 11:34:59 UTC (rev 53664) +++ data/dsa-needed.txt 2017-07-19 12:05:57 UTC (rev 53665) @@ -15,6 +15,7 @@ 389-ds-base (fw) -- atril + santiago sent a patch, and is preparing a debdiff for jessie and stretch -- chromium-browser -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44170 - in data: . DLA
Author: santiago Date: 2016-08-27 08:25:32 + (Sat, 27 Aug 2016) New Revision: 44170 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-602-1 for gnupg Modified: data/DLA/list === --- data/DLA/list 2016-08-27 05:34:03 UTC (rev 44169) +++ data/DLA/list 2016-08-27 08:25:32 UTC (rev 44170) @@ -1,3 +1,6 @@ +[27 Aug 2016] DLA-602-1 gnupg - security update + {CVE-2016-6313} + [wheezy] - gnupg 1.4.12-7+deb7u8 [26 Aug 2016] DLA-601-1 quagga - security update {CVE-2016-4036 CVE-2016-4049} [wheezy] - quagga 0.99.22.4-1+wheezy3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-08-27 05:34:03 UTC (rev 44169) +++ data/dla-needed.txt 2016-08-27 08:25:32 UTC (rev 44170) @@ -15,8 +15,6 @@ -- eog -- -gnupg (Santiago R.R.) --- icu (Roberto C. Sánchez) NOTE: lamby: I suggest to wait a bit with icu, see the CVE assignment note from MITRE on CVE-2016-6293 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43789 - in data: . DLA
Author: santiago Date: 2016-08-05 08:00:03 + (Fri, 05 Aug 2016) New Revision: 43789 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-567-2 for mysql-5.5 Modified: data/DLA/list === --- data/DLA/list 2016-08-05 04:29:27 UTC (rev 43788) +++ data/DLA/list 2016-08-05 08:00:03 UTC (rev 43789) @@ -1,3 +1,5 @@ +[05 Aug 2016] DLA-567-2 mysql-5.5 - regression update + [wheezy] - mysql-5.5 5.5.50-0+deb7u2 [04 Aug 2016] DLA-586-1 curl - security update {CVE-2016-5419 CVE-2016-5420} [wheezy] - curl 7.26.0-1+wheezy14 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-08-05 04:29:27 UTC (rev 43788) +++ data/dla-needed.txt 2016-08-05 08:00:03 UTC (rev 43789) @@ -42,9 +42,6 @@ -- mongodb (Ola Lundqvist) -- -mysql-5.5 (Santiago R.R) - NOTE: Security update is currently stuck in NEW --- nettle (Ola Lundqvist) NOTE: Original patch had some unintended side effects: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43715 - in data: . DLA
Author: santiago Date: 2016-08-02 17:30:38 + (Tue, 02 Aug 2016) New Revision: 43715 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-583-1 for lighttpd Modified: data/DLA/list === --- data/DLA/list 2016-08-02 16:26:02 UTC (rev 43714) +++ data/DLA/list 2016-08-02 17:30:38 UTC (rev 43715) @@ -1,3 +1,6 @@ +[02 Aug 2016] DLA-583-1 lighttpd - security update + {CVE-2016-1000212} + [wheezy] - lighttpd 1.4.31-4+deb7u5 [02 Aug 2016] DLA-582-1 libidn - security update {CVE-2015-8948 CVE-2016-6261 CVE-2016-6263} [wheezy] - libidn 1.25-2+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-08-02 16:26:02 UTC (rev 43714) +++ data/dla-needed.txt 2016-08-02 17:30:38 UTC (rev 43715) @@ -36,8 +36,6 @@ -- libupnp (Balint Reczey) -- -lighttpd (Santiago R.R.) --- linux (Ben Hutchings) -- mat ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43599 - data
Author: santiago Date: 2016-07-29 09:10:52 + (Fri, 29 Jul 2016) New Revision: 43599 Modified: data/dla-needed.txt Log: Claim lighttpd in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-29 09:10:11 UTC (rev 43598) +++ data/dla-needed.txt 2016-07-29 09:10:52 UTC (rev 43599) @@ -54,7 +54,7 @@ -- libupnp (Balint Reczey) -- -lighttpd +lighttpd (Santiago R.R.) -- linux (Ben Hutchings) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43595 - in data: . DLA
Author: santiago Date: 2016-07-29 08:33:52 + (Fri, 29 Jul 2016) New Revision: 43595 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-567-1 for mysql-5.5 Modified: data/DLA/list === --- data/DLA/list 2016-07-29 08:31:11 UTC (rev 43594) +++ data/DLA/list 2016-07-29 08:33:52 UTC (rev 43595) @@ -1,3 +1,6 @@ +[29 Jul 2016] DLA-567-1 mysql-5.5 - security update + {CVE-2016-3477 CVE-2016-3521 CVE-2016-3615 CVE-2016-5440} + [wheezy] - mysql-5.5 5.5.50-0+deb7u1 [28 Jul 2016] DLA-566-1 cakephp - security update [wheezy] - cakephp 1.3.15-1+deb7u1 [28 Jul 2016] DLA-565-1 perl - security update Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-29 08:31:11 UTC (rev 43594) +++ data/dla-needed.txt 2016-07-29 08:33:52 UTC (rev 43595) @@ -66,8 +66,6 @@ mupdf (Thorsten Alteholz) NOTE: Can reproduce in wheezy chroot. -- -mysql-5.5 (Santiago R.R.) --- ntp NOTE: up to now maintainer did the LTS uploads -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43557 - data
Author: santiago Date: 2016-07-28 13:37:28 + (Thu, 28 Jul 2016) New Revision: 43557 Modified: data/dla-needed.txt Log: gnupg needs a DLA Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-28 13:22:42 UTC (rev 43556) +++ data/dla-needed.txt 2016-07-28 13:37:28 UTC (rev 43557) @@ -22,6 +22,8 @@ NOTE: 20160529, no fix yet NOTE: 20160618, still no fix -- +gnupg (Santiago R.R.) +-- icedove (Guido Günther) -- icu (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43490 - in data: CVE DLA
Author: santiago Date: 2016-07-26 11:39:46 + (Tue, 26 Jul 2016) New Revision: 43490 Modified: data/CVE/list data/DLA/list Log: CVE-2016-5408/squid3 fixed by DLA-556-1. Fix references Modified: data/CVE/list === --- data/CVE/list 2016-07-26 11:37:31 UTC (rev 43489) +++ data/CVE/list 2016-07-26 11:39:46 UTC (rev 43490) @@ -2736,11 +2736,11 @@ CVE-2016-5409 RESERVED CVE-2016-5408 + {DLA-556-1} RESERVED - squid3 (Incomplete fix for CVE-2016-4051 not applied) NOTE: CVE is specific for the incomplete fix of CVE-2016-4051 as applied - NOTE: by some vendors. Possibly wheezy was as well, but covered with - NOTE: DLA-556-1. + NOTE: by some vendors. CVE-2016-5407 RESERVED CVE-2016-5406 @@ -7251,7 +7251,7 @@ NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13235.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14034.patch (Squid 3.5) CVE-2016-4051 (Buffer overflow in cachemgr.cgi in Squid 2.x, 3.x before 3.5.17, and ...) - {DSA-3625-1 DLA-556-1 DLA-478-1} + {DSA-3625-1 DLA-478-1} - squid3 3.5.17-1 - squid [wheezy] - squid (cachemgr.cgi not installed. squid-cgi binary package built from squid3) @@ -7260,6 +7260,7 @@ NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch (Squid 3.3) NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/SQUID-2016_5.patch (Squid 3.4) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID-2016_5.patch (Squid 3.5) + NOTE: Fixed in wheezy by DLA-556-1, c.f. CVE-2016-5408 CVE-2016-4044 RESERVED CVE-2016-4043 Modified: data/DLA/list === --- data/DLA/list 2016-07-26 11:37:31 UTC (rev 43489) +++ data/DLA/list 2016-07-26 11:39:46 UTC (rev 43490) 
@@ -13,7 +13,7 @@ [23 Jul 2016] DLA-557-1 dietlibc - security update [wheezy] - dietlibc 0.33~cvs20120325-4+deb7u1 [22 Jul 2016] DLA-556-1 squid3 - security update - {CVE-2016-4051} + {CVE-2016-5408} [wheezy] - squid3 3.1.20-2.2+deb7u6 [21 Jul 2016] DLA-555-1 python-django - security update {CVE-2016-6186} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
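Review bot: the CVE-2016-5408 entry in data/CVE/list gains "{DLA-556-1}", but the hunk adds no "[wheezy] - squid3" line with the fixed version, and the only package line is still "- squid3 (Incomplete fix for CVE-2016-4051 not applied)". The data/DLA/list hunk now attributes CVE-2016-5408 to "[wheezy] - squid3 3.1.20-2.2+deb7u6", so the CVE entry should carry a matching wheezy line; the removed NOTE was the only place that mentioned wheezy. The new "{DLA-556-1}" also sits before "RESERVED", whereas the CVE-2016-0749 entry visible in r42401 has "RESERVED" first and the "{DSA-3596-1}" reference after it.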
[Secure-testing-commits] r43471 - data
Author: santiago Date: 2016-07-25 21:49:19 + (Mon, 25 Jul 2016) New Revision: 43471 Modified: data/dla-needed.txt Log: Claim mysql-5.5 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-25 21:34:28 UTC (rev 43470) +++ data/dla-needed.txt 2016-07-25 21:49:19 UTC (rev 43471) @@ -71,7 +71,7 @@ mupdf NOTE: Can reproduce in wheezy chroot. -- -mysql-5.5 +mysql-5.5 (Santiago R.R.) -- openssh (Ola Lundqvist) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43465 - data
Author: santiago Date: 2016-07-25 19:05:15 + (Mon, 25 Jul 2016) New Revision: 43465 Modified: data/dla-needed.txt Log: perl needs a dla Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-25 18:59:58 UTC (rev 43464) +++ data/dla-needed.txt 2016-07-25 19:05:15 UTC (rev 43465) @@ -94,6 +94,9 @@ NOTE: but as I discussed with the maintainer (https://lists.debian.org/debian-lts/2016/07/msg00117.html) NOTE: we will wait upstream release it as an official solution. -- +perl + NOTE: Ben and Thorsten have the patches. +-- php5 (Thorsten Alteholz) NOTE: At least CVE-2016-4538 of the outstanding CVEs are vulnerable -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43464 - data
Author: santiago Date: 2016-07-25 18:59:58 + (Mon, 25 Jul 2016) New Revision: 43464 Modified: data/dla-needed.txt Log: data/dla-needed.txt maintainer wants to handle ntp upload announce Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-25 18:57:24 UTC (rev 43463) +++ data/dla-needed.txt 2016-07-25 18:59:58 UTC (rev 43464) @@ -76,9 +76,8 @@ -- mysql-5.5 -- -ntp (Santiago R.R.) - NOTE: maintainer would like help working on the updates but will handle the updates himself - NOTE: 20160518175636.ga29...@roeckx.be +ntp + NOTE: maintainer uploaded and wants to handle the announce too. -- openssh (Ola Lundqvist) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
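Review bot: the replacement note under "ntp" ("maintainer uploaded and wants to handle the announce too.") is undated and drops the message-id reference that the removed lines carried, so the entry no longer shows when or where this was agreed. Other notes in this file lead with a date (for example "NOTE: 20160529, no fix yet" in r43557); a date and the reference here would let a later reader judge whether the entry is stale.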
[Secure-testing-commits] r43163 - data/CVE
Author: santiago Date: 2016-07-13 08:24:26 + (Wed, 13 Jul 2016) New Revision: 43163 Modified: data/CVE/list Log: CVE-2016-4051/squid in wheezy, not-affected Modified: data/CVE/list === --- data/CVE/list 2016-07-13 06:31:35 UTC (rev 43162) +++ data/CVE/list 2016-07-13 08:24:26 UTC (rev 43163) @@ -6433,6 +6433,7 @@ {DLA-478-1} - squid3 3.5.17-1 - squid + [wheezy] - squid (cachemgr.cgi not installed. squid-cgi binary package built from squid3) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_5.txt NOTE: http://www.squid-cache.org/Versions/v3/3.2/changesets/SQUID-2016_5.patch (Squid 3.2) NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/SQUID-2016_5.patch (Squid 3.3) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43053 - data/CVE
Author: santiago Date: 2016-07-07 15:29:47 + (Thu, 07 Jul 2016) New Revision: 43053 Modified: data/CVE/list Log: CVE-2016-2119/samba: wheezy not-affected Modified: data/CVE/list === --- data/CVE/list 2016-07-07 14:31:41 UTC (rev 43052) +++ data/CVE/list 2016-07-07 15:29:47 UTC (rev 43053) @@ -12088,6 +12088,7 @@ CVE-2016-2119 [Client side SMB2/3 required signing can be downgraded] RESERVED - samba (bug #830195) + [wheezy] - samba (Affects Samba 4.0.0 to 4.4.0) NOTE: https://www.samba.org/samba/security/CVE-2016-2119.html NOTE: Affects Samba 4.0.0 to 4.4.4 CVE-2016-2118 (The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
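Review bot: the added "[wheezy] - samba" line gives the affected range as "Samba 4.0.0 to 4.4.0", while the existing NOTE two lines below it says "Affects Samba 4.0.0 to 4.4.4"; the two upper bounds should agree. The reason would also be easier to verify if it named the wheezy version that falls outside the range (r42424 on this page lists wheezy samba as 2:3.6.6-6+deb7u10) instead of only repeating the range.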
[Secure-testing-commits] r42989 - data
Author: santiago Date: 2016-07-03 09:30:21 + (Sun, 03 Jul 2016) New Revision: 42989 Modified: data/dla-needed.txt Log: dla-needed: note on squid3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-03 09:16:45 UTC (rev 42988) +++ data/dla-needed.txt 2016-07-03 09:30:21 UTC (rev 42989) @@ -105,7 +105,8 @@ squid (Santiago R.R.) -- squid3 (Santiago R.R.) - NOTE: Fix for CVE-2016-4051 backported from RedHat is incomplete. Upstream noticed. + NOTE: Fix for CVE-2016-4051 backported from RedHat is incomplete. + NOTE: Waiting for feedback from upstream. -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42947 - data
Author: santiago Date: 2016-07-01 08:38:06 + (Fri, 01 Jul 2016) New Revision: 42947 Modified: data/dla-needed.txt Log: Add squid3 to dla-needed. Current fix for CVE-2016-4051 is incomplete Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-07-01 08:02:57 UTC (rev 42946) +++ data/dla-needed.txt 2016-07-01 08:38:06 UTC (rev 42947) @@ -101,6 +101,9 @@ -- squid (Santiago R.R.) -- +squid3 (Santiago R.R.) + NOTE: Fix for CVE-2016-4051 backported from RedHat is incomplete. Upstream noticed. +-- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42690 - data/CVE
Author: santiago Date: 2016-06-22 14:25:39 + (Wed, 22 Jun 2016) New Revision: 42690 Modified: data/CVE/list Log: CVE-2016-3948/squid no-dsa Modified: data/CVE/list === --- data/CVE/list 2016-06-22 10:59:36 UTC (rev 42689) +++ data/CVE/list 2016-06-22 14:25:39 UTC (rev 42690) @@ -5386,6 +5386,7 @@ [jessie] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) [wheezy] - squid3 (Minor issue; needs substantial backporting; too intrusive to backport) - squid + [wheezy] - squid (Minor issue; needs substantial backporting; too intrusive to backport) NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14016.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_4.txt CVE-2016-3947 (Heap-based buffer overflow in the Icmp6::Recv function in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42684 - data
Author: santiago Date: 2016-06-22 07:41:46 + (Wed, 22 Jun 2016) New Revision: 42684 Modified: data/dla-needed.txt Log: Take squid in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-22 07:39:41 UTC (rev 42683) +++ data/dla-needed.txt 2016-06-22 07:41:46 UTC (rev 42684) @@ -81,7 +81,7 @@ -- spice (Santiago R.R.) -- -squid +squid (Santiago R.R.) -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42424 - in data: . DLA
Author: santiago Date: 2016-06-09 18:29:46 + (Thu, 09 Jun 2016) New Revision: 42424 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-509-1 for samba Modified: data/DLA/list === --- data/DLA/list 2016-06-09 16:41:26 UTC (rev 42423) +++ data/DLA/list 2016-06-09 18:29:46 UTC (rev 42424) @@ -1,3 +1,5 @@ +[09 Jun 2016] DLA-509-1 samba - security update + [wheezy] - samba 2:3.6.6-6+deb7u10 [08 Jun 2016] DLA-508-1 expat - security update {CVE-2012-6702 CVE-2016-5300} [wheezy] - expat 2.1.0-1+deb7u4 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-09 16:41:26 UTC (rev 42423) +++ data/dla-needed.txt 2016-06-09 18:29:46 UTC (rev 42424) @@ -87,9 +87,6 @@ -- ruby-eventmachine -- -samba (Santiago R.R.) - NOTE: regression update required for #821811, patches available --- spice (Santiago R.R.) -- squid ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
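Review bot: the new DLA-509-1 entry in data/DLA/list is labelled "security update" and carries no CVE list, while the dla-needed.txt entry removed in the same commit describes the work as "regression update required for #821811". If the upload only fixes that regression, the description should read "regression update", as the DLA-567-2 mysql-5.5 entry in r43789 does; if it also fixes CVEs, they should be listed.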
[Secure-testing-commits] r42401 - data/CVE
Author: santiago Date: 2016-06-08 13:39:04 + (Wed, 08 Jun 2016) New Revision: 42401 Modified: data/CVE/list Log: CVE-2016-0749/spice: wheezy not-affected Modified: data/CVE/list === --- data/CVE/list 2016-06-08 12:07:08 UTC (rev 42400) +++ data/CVE/list 2016-06-08 13:39:04 UTC (rev 42401) @@ -14426,6 +14426,7 @@ RESERVED {DSA-3596-1} - spice (bug #826585) + [wheezy] - spice (Vulnerable code not present. Configured with --disable-smartcard) CVE-2016-0748 RESERVED CVE-2016-0747 (The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
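Review bot: the reason on the added "[wheezy] - spice" line combines "Vulnerable code not present" with "Configured with --disable-smartcard", which reads as if the code is in the source but not compiled in. Stating which of the two holds, for example that smartcard support is disabled at build time in wheezy, would tell a later reader that a change of configure flags needs the entry re-checked.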
[Secure-testing-commits] r42381 - data
Author: santiago Date: 2016-06-07 14:36:51 + (Tue, 07 Jun 2016) New Revision: 42381 Modified: data/dla-needed.txt Log: Take spice in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-06-07 14:35:55 UTC (rev 42380) +++ data/dla-needed.txt 2016-06-07 14:36:51 UTC (rev 42381) @@ -93,7 +93,7 @@ samba (Santiago R.R.) NOTE: regression update required for #821811, patches available -- -spice +spice (Santiago R.R.) -- squid -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42183 - data
Author: santiago Date: 2016-05-31 08:52:35 + (Tue, 31 May 2016) New Revision: 42183 Modified: data/dla-needed.txt Log: remove mediawiki from dla-needed.txt, not supported in wheezy Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-31 07:13:30 UTC (rev 42182) +++ data/dla-needed.txt 2016-05-31 08:52:35 UTC (rev 42183) @@ -49,9 +49,6 @@ -- linux -- -mediawiki - NOTE: question raised about backporting jessie version: 87y478d6no@angela.anarcat.ath.cx --- mxml -- nss ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42129 - in data: . DLA
Author: santiago Date: 2016-05-29 19:45:47 + (Sun, 29 May 2016) New Revision: 42129 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-494-1 for eglibc Modified: data/DLA/list === --- data/DLA/list 2016-05-29 19:41:35 UTC (rev 42128) +++ data/DLA/list 2016-05-29 19:45:47 UTC (rev 42129) @@ -1,3 +1,6 @@ +[29 May 2016] DLA-494-1 eglibc - security update + {CVE-2016-1234 CVE-2016-3075 CVE-2016-3706} + [wheezy] - eglibc 2.13-38+deb7u11 [29 May 2016] DLA-493-1 openafs - security update {CVE-2015-8312 CVE-2016-2860 CVE-2016-4536} [wheezy] - openafs 1.6.1-3+deb7u6 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-29 19:41:35 UTC (rev 42128) +++ data/dla-needed.txt 2016-05-29 19:45:47 UTC (rev 42129) @@ -18,8 +18,6 @@ cakephp NOTE: CVE-2015-8379 No official solution is currently available, 20160425 -- -eglibc (Santiago R.R.) --- extplorer NOTE: 20160529, no fix yet -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42102 - data
Author: santiago Date: 2016-05-28 22:58:56 + (Sat, 28 May 2016) New Revision: 42102 Modified: data/dla-needed.txt Log: Claim ntp in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-28 17:44:40 UTC (rev 42101) +++ data/dla-needed.txt 2016-05-28 22:58:56 UTC (rev 42102) @@ -51,7 +51,7 @@ -- mxml -- -ntp +ntp (Santiago R.R.) NOTE: maintainer would like help working on the updates but will handle the updates himself NOTE: 20160518175636.ga29...@roeckx.be -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42007 - data/DLA
Author: santiago Date: 2016-05-25 08:04:30 + (Wed, 25 May 2016) New Revision: 42007 Modified: data/DLA/list Log: reserve DLA-487-1 for debian-security-support Modified: data/DLA/list === --- data/DLA/list 2016-05-25 07:14:26 UTC (rev 42006) +++ data/DLA/list 2016-05-25 08:04:30 UTC (rev 42007) @@ -1,3 +1,5 @@ +[25 May 2016] DLA-487-1 debian-security-support - Long term security support update + [wheezy] - debian-security-support 2016.05.24~deb7u1 [23 May 2016] DLA-486-1 imagemagick - security update {CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718} [wheezy] - imagemagick 8:6.7.7.10-5+deb7u5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41990 - data
Author: santiago Date: 2016-05-24 13:47:57 + (Tue, 24 May 2016) New Revision: 41990 Modified: data/dla-needed.txt Log: claim samba on dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-24 10:27:45 UTC (rev 41989) +++ data/dla-needed.txt 2016-05-24 13:47:57 UTC (rev 41990) @@ -97,7 +97,7 @@ -- ruby-rest-client (Ola Lundqvist) -- -samba +samba (Santiago R.R.) NOTE: regression update required for #821811, patches available -- squid ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41801 - data
Author: santiago Date: 2016-05-17 13:22:59 + (Tue, 17 May 2016) New Revision: 41801 Modified: data/dla-needed.txt Log: claim eglibc in data/dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-17 13:06:13 UTC (rev 41800) +++ data/dla-needed.txt 2016-05-17 13:22:59 UTC (rev 41801) @@ -22,7 +22,7 @@ -- dhcpcd5 -- -eglibc +eglibc (Santiago R.R.) -- extplorer (Thorsten Alteholz) NOTE: package for testing uploaded ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41766 - in data: . DLA
Author: santiago Date: 2016-05-16 10:26:07 + (Mon, 16 May 2016) New Revision: 41766 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-478-1 for squid3 Modified: data/DLA/list === --- data/DLA/list 2016-05-16 10:03:00 UTC (rev 41765) +++ data/DLA/list 2016-05-16 10:26:07 UTC (rev 41766) @@ -1,3 +1,6 @@ +[16 May 2016] DLA-478-1 squid3 - security update + {CVE-2016-4051 CVE-2016-4052 CVE-2016-4053 CVE-2016-4054 CVE-2016-4554 CVE-2016-4555 CVE-2016-4556} + [wheezy] - squid3 3.1.20-2.2+deb7u5 [16 May 2016] DLA-477-1 librsvg - security update {CVE-2015-7558 CVE-2016-4347 CVE-2016-4348} [wheezy] - librsvg 2.36.1-2+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-16 10:03:00 UTC (rev 41765) +++ data/dla-needed.txt 2016-05-16 10:26:07 UTC (rev 41766) @@ -110,8 +110,6 @@ -- squid -- -squid3 (Santiago R.R.) --- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41651 - data/CVE
Author: santiago Date: 2016-05-11 20:32:34 + (Wed, 11 May 2016) New Revision: 41651 Modified: data/CVE/list Log: CVE-2016-4553/squid3 wheezy not affected Modified: data/CVE/list === --- data/CVE/list 2016-05-11 20:14:50 UTC (rev 41650) +++ data/CVE/list 2016-05-11 20:32:34 UTC (rev 41651) @@ -144,6 +144,7 @@ CVE-2016-4553 [Cache Poisoning issue in HTTP Request handling] RESERVED - squid3 3.5.19-1 (bug #823968) + [wheezy] - squid3 (issue introduced by CVE-2009-0801 fix, not applied in wheezy) - squid (Does not affect 2.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41623 - data
Author: santiago Date: 2016-05-10 21:41:22 + (Tue, 10 May 2016) New Revision: 41623 Modified: data/dsa-needed.txt Log: squid3: santiago started to prepare a debdiff Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-05-10 21:10:11 UTC (rev 41622) +++ data/dsa-needed.txt 2016-05-10 21:41:22 UTC (rev 41623) @@ -66,6 +66,7 @@ Samba maintainers are preparing updates for regressions -- squid3 + Santiago is preparing a debdiff. -- tomcat8 (Markus Koschany) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41610 - data/CVE
Author: santiago Date: 2016-05-10 15:14:22 + (Tue, 10 May 2016) New Revision: 41610 Modified: data/CVE/list Log: CVE-2016-4553/squid3: add note Modified: data/CVE/list === --- data/CVE/list 2016-05-10 15:02:17 UTC (rev 41609) +++ data/CVE/list 2016-05-10 15:14:22 UTC (rev 41610) @@ -122,6 +122,7 @@ - squid (Does not affect 2.x) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_7.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14039.patch + NOTE: Fix relies on SBuf, not present in jessie nor wheezy. Maybe too intrusive CVE-2016-4535 (Integer signedness error in the AV engine before DAT 8145, as used in ...) NOT-FOR-US: McAfee / AV engine CVE-2016-4534 (The McAfee VirusScan Console (mcconsol.exe) in McAfee VirusScan ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41601 - data/CVE
Author: santiago Date: 2016-05-10 11:12:55 + (Tue, 10 May 2016) New Revision: 41601 Modified: data/CVE/list Log: CVE-2016-4554/squid3 add note about regression and fix Modified: data/CVE/list === --- data/CVE/list 2016-05-10 11:03:20 UTC (rev 41600) +++ data/CVE/list 2016-05-10 11:12:55 UTC (rev 41601) @@ -115,6 +115,7 @@ NOTE: http://www.squid-cache.org/Versions/v3/3.3/changesets/squid-3.3-12698.patch NOTE: http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13236.patch NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch + NOTE: Regression and fix: http://bugs.squid-cache.org/show_bug.cgi?id=4515 CVE-2016-4553 [Cache Poisoning issue in HTTP Request handling] RESERVED - squid3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41556 - data
Author: santiago Date: 2016-05-09 09:22:41 + (Mon, 09 May 2016) New Revision: 41556 Modified: data/dla-needed.txt Log: Claim squid3 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-09 09:15:42 UTC (rev 41555) +++ data/dla-needed.txt 2016-05-09 09:22:41 UTC (rev 41556) @@ -93,7 +93,7 @@ -- squid -- -squid3 +squid3 (Santiago R.R.) -- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41340 - data
Author: santiago Date: 2016-05-01 17:52:41 + (Sun, 01 May 2016) New Revision: 41340 Modified: data/dla-needed.txt Log: dla-needed.txt add note on quagga Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-05-01 15:37:28 UTC (rev 41339) +++ data/dla-needed.txt 2016-05-01 17:52:41 UTC (rev 41340) @@ -76,6 +76,7 @@ -- quagga NOTE: see dsa-needed's notes. + NOTE: Maintainer's answer: https://lists.debian.org/msgid-search/878tzv6pru@mid.deneb.enyo.de -- samba Samba maintainers are preparing updates for regressions ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41313 - data
Author: santiago Date: 2016-04-30 15:41:19 + (Sat, 30 Apr 2016) New Revision: 41313 Modified: data/dla-needed.txt Log: add quagga to dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-30 15:29:28 UTC (rev 41312) +++ data/dla-needed.txt 2016-04-30 15:41:19 UTC (rev 41313) @@ -75,6 +75,9 @@ policykit-1 NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 -- +quagga + NOTE: see dsa-needed's notes. +-- samba Samba maintainers are preparing updates for regressions -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41312 - data
Author: santiago Date: 2016-04-30 15:29:28 + (Sat, 30 Apr 2016) New Revision: 41312 Modified: data/dla-needed.txt Log: openafs needs a DLA Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-30 14:34:34 UTC (rev 41311) +++ data/dla-needed.txt 2016-04-30 15:29:28 UTC (rev 41312) @@ -59,6 +59,8 @@ NOTE: maintainer wants to upload package (as done before) NOTE: <20160213161710.ga9...@roeckx.be> -- +openafs +-- openjdk-7 (Markus Koschany) -- openssl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41294 - data
Author: santiago Date: 2016-04-29 14:39:01 + (Fri, 29 Apr 2016) New Revision: 41294 Modified: data/dla-needed.txt Log: phpmyadmin needs a dla Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 14:34:37 UTC (rev 41293) +++ data/dla-needed.txt 2016-04-29 14:39:01 UTC (rev 41294) @@ -69,6 +69,9 @@ -- php5 -- +phpmyadmin + NOTE: anarcat already prepared a package: https://lists.debian.org/debian-lts/2016/04/msg00086.html +-- policykit-1 NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41291 - templates
Author: santiago Date: 2016-04-29 14:21:28 + (Fri, 29 Apr 2016) New Revision: 41291 Modified: templates/lts-no-dsa.txt Log: update templates/lts-no-dsa.txt for Wheezy Modified: templates/lts-no-dsa.txt === --- templates/lts-no-dsa.txt2016-04-29 14:18:57 UTC (rev 41290) +++ templates/lts-no-dsa.txt2016-04-29 14:21:28 UTC (rev 41291) @@ -1,11 +1,11 @@ To: {{ to }} Cc: {{ cc }} -Subject: About the security issues affecting {{ package }} in Squeeze +Subject: About the security issues affecting {{ package }} in Wheezy Hello dear maintainer(s), the Debian LTS team recently reviewed the security issue(s) affecting your -package in Squeeze: +package in Wheezy: {%- if cve -%} {% for entry in cve %} https://security-tracker.debian.org/tracker/{{ entry }} @@ -14,10 +14,10 @@ https://security-tracker.debian.org/tracker/source-package/{{ package }} {%- endif %} -We decided that we would not prepare a squeeze security update (usually +We decided that we would not prepare a wheezy security update (usually because the security impact is low and that we concentrate our limited resources on higher severity issues and on the most widely used packages). -That said the squeeze users would most certainly benefit from a fixed +That said the wheezy users would most certainly benefit from a fixed package. If you want to work on such an update, you're welcome to do so. Please 
@@ -25,11 +25,11 @@ https://wiki.debian.org/LTS/Development If that workflow is a burden to you, feel free to just prepare an -updated source package and send it to debian-...@lists.debian.org -(via a debdiff, or with an URL pointing to the the source package, -or even with a pointer to your packaging repository), and the members -of the LTS team will take care of the rest. However please make sure to -submit a tested package. +updated source package and send it to debian-...@lists.debian.org (via a +debdiff, or with an URL pointing to the source package, or even with a +pointer to your packaging repository), and the members of the LTS team +will take care of the rest. However please make sure to submit a tested +package. Thank you very much. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
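Review bot: the release name is still hard-coded in the first two hunks, and with mixed case: the Subject line and "package in Wheezy:" are capitalised, while "a wheezy security update" and "the wheezy users" are not. The template already takes {{ to }}, {{ cc }} and {{ package }}, so a release variable would avoid repeating this edit at the next LTS handover; whether the script that renders the template can supply one is not visible in this patch.

Review bot: the last hunk (@@ -25,11 +25,11 @@) re-wraps the whole paragraph in order to drop the duplicated "the the", so five lines change for a one-word fix. Keeping the original line breaks would make the typo fix obvious in the diff, and "with an URL" could become "with a URL" while the line is being touched.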
[Secure-testing-commits] r41290 - data/CVE
Author: santiago Date: 2016-04-29 14:18:57 + (Fri, 29 Apr 2016) New Revision: 41290 Modified: data/CVE/list Log: CVE-2015-8076/cyrus-imapd-2.4 no-dsa in wheezy Modified: data/CVE/list === --- data/CVE/list 2016-04-29 13:25:59 UTC (rev 41289) +++ data/CVE/list 2016-04-29 14:18:57 UTC (rev 41290) @@ -16709,6 +16709,7 @@ CVE-2015-8076 (The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before ...) - cyrus-imapd-2.4 2.4.17+nocaldav-2 [jessie] - cyrus-imapd-2.4 (Will be fixed via a jessie-pu) + [wheezy] - cyrus-imapd-2.4 (Minor issue; can be fixed alone in a future DLA) NOTE: http://www.openwall.com/lists/oss-security/2015/09/29/2 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 NOTE: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
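Review bot: "can be fixed alone in a future DLA" in the added [wheezy] line is ambiguous: it can be read as "fixed on its own" or as a slip for "fixed along with other issues". Since the reason given is "Minor issue", say which of the two is meant so that whoever picks up cyrus-imapd-2.4 later knows whether this CVE justifies an upload by itself.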
[Secure-testing-commits] r41274 - data
Author: santiago Date: 2016-04-29 09:26:19 + (Fri, 29 Apr 2016) New Revision: 41274 Modified: data/dla-needed.txt Log: add squid3 to dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 09:10:12 UTC (rev 41273) +++ data/dla-needed.txt 2016-04-29 09:26:19 UTC (rev 41274) @@ -79,6 +79,8 @@ -- squid -- +squid3 +-- subversion -- tardiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41272 - data
Author: santiago Date: 2016-04-29 08:29:34 + (Fri, 29 Apr 2016) New Revision: 41272 Modified: data/dla-needed.txt Log: add subversion to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-29 07:03:53 UTC (rev 41271) +++ data/dla-needed.txt 2016-04-29 08:29:34 UTC (rev 41272) @@ -79,6 +79,8 @@ -- squid -- +subversion +-- tardiff fw asked maintainer for preparing debdiffs for wheezy- and jessie-security https://anonscm.debian.org/cgit/collab-maint/tardiff.git/log/?h=wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41266 - in data: . DLA
Author: santiago Date: 2016-04-28 21:06:59 + (Thu, 28 Apr 2016) New Revision: 41266 Modified: data/DLA/list data/dla-needed.txt Log: reserve DLA-447-1 for mysql-5.5 Modified: data/DLA/list === --- data/DLA/list 2016-04-28 20:24:26 UTC (rev 41265) +++ data/DLA/list 2016-04-28 21:06:59 UTC (rev 41266) @@ -1,3 +1,6 @@ +[28 Apr 2016] DLA-447-1 mysql-5.5 - security update + {CVE-2016-0640 CVE-2016-0641 CVE-2016-0642 CVE-2016-0643 CVE-2016-0644 CVE-2016-0646 CVE-2016-0647 CVE-2016-0648 CVE-2016-0649 CVE-2016-0650 CVE-2016-0666 CVE-2016-2047} + [wheezy] - mysql-5.5 5.5.49-0+deb7u1 [28 Apr 2016] DLA-446-1 poppler - security update {CVE-2015-8868} [wheezy] - poppler 0.18.4-6+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-28 20:24:26 UTC (rev 41265) +++ data/dla-needed.txt 2016-04-28 21:06:59 UTC (rev 41266) @@ -55,10 +55,6 @@ minissdpd NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-28 -- -mysql-5.5 (Santiago R.R.) - NOTE: carnil already claimed in dsa-needed.txt - NOTE: Robie Basak prepared also a wheezy package http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-April/008959.html --- nss -- ntp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41256 - data
Author: santiago Date: 2016-04-28 10:02:31 + (Thu, 28 Apr 2016) New Revision: 41256 Modified: data/dla-needed.txt Log: take mysql-5.5 in dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-28 09:32:55 UTC (rev 41255) +++ data/dla-needed.txt 2016-04-28 10:02:31 UTC (rev 41256) @@ -53,8 +53,9 @@ minissdpd NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-28 -- -mysql-5.5 +mysql-5.5 (Santiago R.R.) NOTE: carnil already claimed in dsa-needed.txt + NOTE: Robie Basak prepared also a wheezy package http://lists.alioth.debian.org/pipermail/pkg-mysql-maint/2016-April/008959.html -- nss -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41200 - templates
Author: santiago Date: 2016-04-26 09:58:11 + (Tue, 26 Apr 2016) New Revision: 41200 Modified: templates/lts-update-planned.txt Log: templates/lts-update-planned.txt: squeeze->wheezy Modified: templates/lts-update-planned.txt === --- templates/lts-update-planned.txt2016-04-26 09:30:40 UTC (rev 41199) +++ templates/lts-update-planned.txt2016-04-26 09:58:11 UTC (rev 41200) @@ -1,11 +1,11 @@ To: {{ to }} Cc: {{ cc }} -Subject: squeeze update of {{ package }}? +Subject: Wheezy update of {{ package }}? Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are -currently open in the Squeeze version of {{ package }}: +currently open in the Wheezy version of {{ package }}: {%- if cve -%} {% for entry in cve %} https://security-tracker.debian.org/tracker/{{ entry }} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41197 - data
Author: santiago Date: 2016-04-26 09:00:08 + (Tue, 26 Apr 2016) New Revision: 41197 Modified: data/dla-needed.txt Log: add poppler to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-26 07:49:19 UTC (rev 41196) +++ data/dla-needed.txt 2016-04-26 09:00:08 UTC (rev 41197) @@ -75,6 +75,8 @@ policykit-1 NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 -- +poppler +-- samba Samba maintainers are preparing updates for regressions -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41166 - bin
Author: santiago Date: 2016-04-25 14:13:39 + (Mon, 25 Apr 2016) New Revision: 41166 Modified: bin/tracker_data.py Log: update bin/tracker_data.py lts->wheezy, next_lts->jessie Modified: bin/tracker_data.py === --- bin/tracker_data.py 2016-04-25 14:13:38 UTC (rev 41165) +++ bin/tracker_data.py 2016-04-25 14:13:39 UTC (rev 41166) @@ -29,8 +29,8 @@ 'unstable': 'sid', 'experimental': 'experimental', # LTS specific aliases -'lts': 'squeeze', -'next_lts': 'wheezy', +'lts': 'wheezy', +'next_lts': 'jessie', } ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
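Review bot: the 'lts' and 'next_lts' aliases are plain string literals with only "# LTS specific aliases" above them, so nothing in this hunk tells the next person that both values have to move at each LTS handover. A short comment saying so, and pointing at the other places that hard-code the release name (the templates changed in r41200 and r41291), would make the next switch less error-prone.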
[Secure-testing-commits] r41164 - data
Author: santiago Date: 2016-04-25 14:13:37 + (Mon, 25 Apr 2016) New Revision: 41164 Modified: data/dla-needed.txt Log: add tardiff to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:13:35 UTC (rev 41163) +++ data/dla-needed.txt 2016-04-25 14:13:37 UTC (rev 41164) @@ -80,6 +80,9 @@ -- squid -- +tardiff + fw asked maintainer for preparing debdiffs for wheezy- and jessie-security +-- tiff NOTE: 20160226, no fix available yet -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41165 - data
Author: santiago Date: 2016-04-25 14:13:38 + (Mon, 25 Apr 2016) New Revision: 41165 Modified: data/dla-needed.txt Log: add tiff3 to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:13:37 UTC (rev 41164) +++ data/dla-needed.txt 2016-04-25 14:13:38 UTC (rev 41165) @@ -86,5 +86,7 @@ tiff NOTE: 20160226, no fix available yet -- +tiff3 +-- xymon (Chris Lamb) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41163 - data
Author: santiago Date: 2016-04-25 14:13:35 + (Mon, 25 Apr 2016) New Revision: 41163 Modified: data/dla-needed.txt Log: add samba to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:13:34 UTC (rev 41162) +++ data/dla-needed.txt 2016-04-25 14:13:35 UTC (rev 41163) @@ -75,6 +75,9 @@ policykit-1 NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 -- +samba + Samba maintainers are preparing updates for regressions +-- squid -- tiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41162 - data
Author: santiago Date: 2016-04-25 14:13:34 + (Mon, 25 Apr 2016) New Revision: 41162 Modified: data/dla-needed.txt Log: dla-needed.txt: policykit-1 add note about CVE-2016-2568 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:13:33 UTC (rev 41161) +++ data/dla-needed.txt 2016-04-25 14:13:34 UTC (rev 41162) @@ -73,6 +73,7 @@ php5 -- policykit-1 + NOTE: CVE-2016-2568 doesn't have a fix yet, 20160425 -- squid -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41161 - data
Author: santiago Date: 2016-04-25 14:13:33 + (Mon, 25 Apr 2016) New Revision: 41161 Modified: data/dla-needed.txt Log: remove mediawiki from dla-needed.txt, not supported in LTS Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:13:28 UTC (rev 41160) +++ data/dla-needed.txt 2016-04-25 14:13:33 UTC (rev 41161) @@ -52,8 +52,6 @@ -- linux -- -mediawiki --- minissdpd NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-28 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41160 - data
Author: santiago Date: 2016-04-25 14:13:28 + (Mon, 25 Apr 2016) New Revision: 41160 Modified: data/dla-needed.txt Log: add openjdk-7, pdns and php5 to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 14:01:34 UTC (rev 41159) +++ data/dla-needed.txt 2016-04-25 14:13:28 UTC (rev 41160) @@ -66,8 +66,14 @@ NOTE: maintainer wants to upload package (as done before) NOTE: <20160213161710.ga9...@roeckx.be> -- +openjdk-7 +-- openssl -- +pdns (Mike Gabriel) +-- +php5 +-- policykit-1 -- squid ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41154 - data
Author: santiago Date: 2016-04-25 13:28:13 + (Mon, 25 Apr 2016) New Revision: 41154 Modified: data/dla-needed.txt Log: data/dla-needed.txt: add libidn and libxstream-java, fixs for both already proposed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:06:57 UTC (rev 41153) +++ data/dla-needed.txt 2016-04-25 13:28:13 UTC (rev 41154) @@ -36,9 +36,20 @@ imagemagick NOTE: only minor issues -- +libidn + Working debdiff for wheezy-security at + https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff + Work-in-progress debdiff for jessie-security at + https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff + Help is needed to fix it so that it doesn't FTBFS +-- libxml2 NOTE: 20160226, no fix available yet -- +libxstream-java (jmm) + Emmanuel Bourg proposed debdiff for both wheezy- and jessie-security + waiting an additional to solicit regression feedback from change in sid +-- linux -- ntp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
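Review bot: the second line of the libxstream-java entry, "waiting an additional to solicit regression feedback from change in sid", is missing the noun after "additional", so the length of the waiting period is lost. The free-text lines under libidn and libxstream-java also lack the "NOTE:" prefix and the date that neighbouring entries use (for example "NOTE: 20160226, no fix available yet"); adding both would keep the file consistent and show how old the status is.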
[Secure-testing-commits] r41155 - data
Author: santiago Date: 2016-04-25 13:28:14 + (Mon, 25 Apr 2016) New Revision: 41155 Modified: data/dla-needed.txt Log: add mediawiki to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:28:13 UTC (rev 41154) +++ data/dla-needed.txt 2016-04-25 13:28:14 UTC (rev 41155) @@ -52,6 +52,8 @@ -- linux -- +mediawiki +-- ntp NOTE: maintainer wants to upload package (as done before) NOTE: <20160213161710.ga9...@roeckx.be> ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41156 - data
Author: santiago Date: 2016-04-25 13:28:16 + (Mon, 25 Apr 2016) New Revision: 41156 Modified: data/dla-needed.txt Log: add minissdpd, mysql-5.5 and nss to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:28:14 UTC (rev 41155) +++ data/dla-needed.txt 2016-04-25 13:28:16 UTC (rev 41156) @@ -54,6 +54,14 @@ -- mediawiki -- +minissdpd + NOTE: debdiff sent by Thorsten Alteholz to the Security Team on 2016-03-28 +-- +mysql-5.5 + NOTE: carnil already claimed in dsa-needed.txt +-- +nss +-- ntp NOTE: maintainer wants to upload package (as done before) NOTE: <20160213161710.ga9...@roeckx.be> ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41149 - data
Author: santiago Date: 2016-04-25 13:06:50 + (Mon, 25 Apr 2016) New Revision: 41149 Modified: data/dla-needed.txt Log: remove dwarfutils, currently only no-dsa issues Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 12:46:01 UTC (rev 41148) +++ data/dla-needed.txt 2016-04-25 13:06:50 UTC (rev 41149) @@ -17,9 +17,6 @@ cakephp NOTE: CVE-2015-8379 No official solution is currently available, 20160425 -- -dwarfutils - NOTE: 20160123, no CVE assigned yet, no fix availabe yet --- extplorer (Thorsten Alteholz) -- graphicsmagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41150 - data
Author: santiago Date: 2016-04-25 13:06:53 + (Mon, 25 Apr 2016) New Revision: 41150 Modified: data/dla-needed.txt Log: add 389-ds-base to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:06:50 UTC (rev 41149) +++ data/dla-needed.txt 2016-04-25 13:06:53 UTC (rev 41150) @@ -9,6 +9,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +389-ds-base +-- asterisk (Thorsten Alteholz) -- cacti ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41152 - data
Author: santiago Date: 2016-04-25 13:06:56 + (Mon, 25 Apr 2016) New Revision: 41152 Modified: data/dla-needed.txt Log: add gosa to dla-needed.txt, already claimed by Mike Gabriel Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:06:54 UTC (rev 41151) +++ data/dla-needed.txt 2016-04-25 13:06:56 UTC (rev 41152) @@ -23,6 +23,10 @@ -- extplorer (Thorsten Alteholz) -- +gosa (Mike Gabriel) + NOTE: .debdiff sent to the Security Team, waiting for feedback + NOTE: asked about jessie status (seb) +-- graphicsmagick NOTE: CVE-2016-231{8,9} don't have upstream fixes but we crash on the exploits -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41153 - data
Author: santiago Date: 2016-04-25 13:06:57 + (Mon, 25 Apr 2016) New Revision: 41153 Modified: data/dla-needed.txt Log: remove note about test icu packages for squeeze-lts Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:06:56 UTC (rev 41152) +++ data/dla-needed.txt 2016-04-25 13:06:57 UTC (rev 41153) @@ -32,7 +32,6 @@ -- icu NOTE: check comments on CVE-2016-0494 as well - NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html -- imagemagick NOTE: only minor issues ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41151 - data
Author: santiago Date: 2016-04-25 13:06:54 + (Mon, 25 Apr 2016) New Revision: 41151 Modified: data/dla-needed.txt Log: add botan1.10 to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 13:06:53 UTC (rev 41150) +++ data/dla-needed.txt 2016-04-25 13:06:54 UTC (rev 41151) @@ -13,6 +13,8 @@ -- asterisk (Thorsten Alteholz) -- +botan1.10 (Markus Koschany) +-- cacti NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41147 - data
Author: santiago Date: 2016-04-25 12:13:36 + (Mon, 25 Apr 2016) New Revision: 41147 Modified: data/dla-needed.txt Log: remove curl, currently only no-dsa issues Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 12:13:34 UTC (rev 41146) +++ data/dla-needed.txt 2016-04-25 12:13:36 UTC (rev 41147) @@ -17,9 +17,6 @@ cakephp NOTE: CVE-2015-8379 No official solution is currently available, 20160425 -- -curl - NOTE: marked as no-dsa as fixes may be too intrusive to backport --- dwarfutils NOTE: 20160123, no CVE assigned yet, no fix availabe yet -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41146 - data
Author: santiago Date: 2016-04-25 12:13:34 + (Mon, 25 Apr 2016) New Revision: 41146 Modified: data/dla-needed.txt Log: Note about CVE-2015-8379/cakephp Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 12:13:33 UTC (rev 41145) +++ data/dla-needed.txt 2016-04-25 12:13:34 UTC (rev 41146) @@ -12,10 +12,10 @@ asterisk (Thorsten Alteholz) -- cacti - NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 (santiago) + NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 -- cakephp - NOTE: 20160123, No official solution is currently available. + NOTE: CVE-2015-8379 No official solution is currently available, 20160425 -- curl NOTE: marked as no-dsa as fixes may be too intrusive to backport ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
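Review bot: the cacti line is changed in this hunk (the trailing "(santiago)" is dropped) although the log message only mentions CVE-2015-8379/cakephp. Mention the cacti cleanup in the log or commit it separately. In the cakephp line the date also moves from the front ("20160123, ...") to the end ("..., 20160425"), while other entries in the file keep it in front ("NOTE: 20160226, no fix available yet"); pick one position.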
[Secure-testing-commits] r41145 - data
Author: santiago Date: 2016-04-25 12:13:33 + (Mon, 25 Apr 2016) New Revision: 41145 Modified: data/dla-needed.txt Log: dla-needed: note about CVE-2016-3659/cacti Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-04-25 11:37:38 UTC (rev 41144) +++ data/dla-needed.txt 2016-04-25 12:13:33 UTC (rev 41145) @@ -12,7 +12,7 @@ asterisk (Thorsten Alteholz) -- cacti - NOTE: Issue being disputed, check https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814353#10 + NOTE: CVE-2016-3659 doesn't have a fix yet, 20160425 (santiago) -- cakephp NOTE: 20160123, No official solution is currently available. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
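Review bot: the replaced cacti NOTE drops the pointer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814353#10, which was the only reference on that entry. If the dispute discussed there still bears on CVE-2016-3659, keep the link as a second NOTE line; if it has been settled, say so in the log message so the removal is explained.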
[Secure-testing-commits] r41033 - org
Author: santiago Date: 2016-04-21 07:15:06 + (Thu, 21 Apr 2016) New Revision: 41033 Modified: org/lts-frontdesk.2016.txt Log: LTS frontdesk: add myself for next week Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-04-21 06:42:04 UTC (rev 41032) +++ org/lts-frontdesk.2016.txt 2016-04-21 07:15:06 UTC (rev 41033) @@ -27,7 +27,7 @@ From 04-04 to 10-04: From 11-04 to 17-04:Markus Koschany <a...@debian.org> From 18-04 to 24-04: -From 25-04 to 01-05: +From 25-04 to 01-05:Santiago Ruano Rincón <santiag...@riseup.net> From 02-05 to 08-05:Markus Koschany <a...@debian.org> From 09-05 to 15-05: From 16-05 to 22-05: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40181 - data/CVE
Author: santiago Date: 2016-03-05 16:43:27 + (Sat, 05 Mar 2016) New Revision: 40181 Modified: data/CVE/list Log: CVE-2016-2569/squid3 add notes on needed additional patches Modified: data/CVE/list === --- data/CVE/list 2016-03-05 14:24:22 UTC (rev 40180) +++ data/CVE/list 2016-03-05 16:43:27 UTC (rev 40181) @@ -738,6 +738,8 @@ - squid (Vulnerable code not present) NOTE: http://www.squid-cache.org/Advisories/SQUID-2016_2.txt NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13991.patch + NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13998.patch + NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13999.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2568 [Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
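Review bot: the two added NOTE lines for squid-3.5-13998.patch and squid-3.5-13999.patch are bare URLs, so in data/CVE/list they read as alternative fixes next to squid-3.5-13991.patch. The log message says they are additional patches that are needed; put that into the entry itself, for instance a line "NOTE: Additional patches needed:" before the two URLs, because the log message is not visible to someone reading the list.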
[Secure-testing-commits] r40154 - data/DLA
Author: santiago Date: 2016-03-03 21:55:53 + (Thu, 03 Mar 2016) New Revision: 40154 Modified: data/DLA/list Log: DLA-445-2/squid3 regression update Modified: data/DLA/list === --- data/DLA/list 2016-03-03 21:15:54 UTC (rev 40153) +++ data/DLA/list 2016-03-03 21:55:53 UTC (rev 40154) @@ -1,3 +1,6 @@ +[03 Mar 2016] DLA-445-2 squid3 - regression update + {CVE-2016-2569} + [squeeze] - squid3 3.1.6-1.2+squeeze7 [29 Feb 2016] DLA-445-1 squid3 - security update {CVE-2016-2569 CVE-2016-2571} [squeeze] - squid3 3.1.6-1.2+squeeze6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40068 - in data: . DLA
Author: santiago Date: 2016-02-29 19:00:55 + (Mon, 29 Feb 2016) New Revision: 40068 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA 445-1 for squid3 Modified: data/DLA/list === --- data/DLA/list 2016-02-29 18:57:56 UTC (rev 40067) +++ data/DLA/list 2016-02-29 19:00:55 UTC (rev 40068) @@ -1,3 +1,6 @@ +[29 Feb 2016] DLA-445-1 squid3 - security update + {CVE-2016-2569 CVE-2016-2571} + [squeeze] - squid3 3.1.6-1.2+squeeze6 [29 Feb 2016] DLA-444-1 php5 - security update {CVE-2015-2305 CVE-2015-2348} [squeeze] - php5 5.3.3.1-7+squeeze29 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-29 18:57:56 UTC (rev 40067) +++ data/dla-needed.txt 2016-02-29 19:00:55 UTC (rev 40068) @@ -53,8 +53,6 @@ -- squid -- -squid3 (Santiago R.R.) --- tiff NOTE: 20160226, no fix available yet -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40066 - data/CVE
Author: santiago Date: 2016-02-29 18:51:51 + (Mon, 29 Feb 2016) New Revision: 40066 Modified: data/CVE/list Log: add note about CVE-2016-2570/squid3 Modified: data/CVE/list === --- data/CVE/list 2016-02-29 18:45:48 UTC (rev 40065) +++ data/CVE/list 2016-02-29 18:51:51 UTC (rev 40066) @@ -91,6 +91,7 @@ NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13993.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14549.patch NOTE: Upstream confirmed it does not affect squid 2.7.x + NOTE: It's maybe too instrusive to fix in 3.1 (squeeze and wheezy). CVE-2016-2569 RESERVED - squid3 (bug #816011) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
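Review bot: "instrusive" in the added NOTE is a typo for "intrusive". The note also says the fix is "maybe" too intrusive for 3.1 without giving a date or the reason, so it would help to name what makes the backport intrusive and to date the note.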
[Secure-testing-commits] r40053 - data
Author: santiago Date: 2016-02-29 08:43:34 + (Mon, 29 Feb 2016) New Revision: 40053 Modified: data/dla-needed.txt Log: Take squid3 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-29 08:32:27 UTC (rev 40052) +++ data/dla-needed.txt 2016-02-29 08:43:34 UTC (rev 40053) @@ -65,7 +65,7 @@ -- squid -- -squid3 +squid3 (Santiago R.R.) -- tiff NOTE: 20160226, no fix available yet ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40052 - data
Author: santiago Date: 2016-02-29 08:32:27 + (Mon, 29 Feb 2016) New Revision: 40052 Modified: data/dla-needed.txt Log: sort data/dla-needed.txt alphabetically Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-29 07:44:39 UTC (rev 40051) +++ data/dla-needed.txt 2016-02-29 08:32:27 UTC (rev 40052) @@ -17,6 +17,8 @@ cakephp NOTE: 20160123, No official solution is currently available. -- +coreutils +-- curl NOTE: marked as no-dsa in wheezy as too intrusive to backport NOTE: should we have the resources to handle it we should fix wheezy too. @@ -36,9 +38,13 @@ -- jasper (Ben Hutchings) -- +libebml +-- libxml2 NOTE: 20160226, no fix available yet -- +linux-2.6 +-- lxc (Mike Gabriel) NOTE: waiting for upstream feedback: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1476662/comments/77 -- @@ -48,27 +54,21 @@ NOTE: maintainer wants to upload package (as done before) NOTE: <20160213161710.ga9...@roeckx.be> -- +openssl +-- +pcre3 (Markus Koschany) +-- php5 (Thorsten Alteholz) NOTE: next upload end of December -- -tiff - NOTE: 20160226, no fix available yet --- -xymon (Chris Lamb) --- -pcre3 (Markus Koschany) --- policykit-1 -- squid -- squid3 -- -openssl +tiff + NOTE: 20160226, no fix available yet -- -libebml +xymon (Chris Lamb) -- -coreutils --- -linux-2.6 --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39978 - in data: . DLA
Author: santiago Date: 2016-02-27 09:51:13 + (Sat, 27 Feb 2016) New Revision: 39978 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-434-1 for gtk+2.0 Modified: data/DLA/list === --- data/DLA/list 2016-02-27 08:25:23 UTC (rev 39977) +++ data/DLA/list 2016-02-27 09:51:13 UTC (rev 39978) @@ -1,3 +1,6 @@ +[27 Feb 2016] DLA-434-1 gtk+2.0 - security update + {CVE-2015-4491 CVE-2015-7673 CVE-2015-7674} + [squeeze] - gtk+2.0 2.20.1-2+deb6u2 [25 Feb 2016] DLA-433-1 xerces-c - security update {CVE-2016-0729} [squeeze] - xerces-c 3.1.1-1+deb6u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-27 08:25:23 UTC (rev 39977) +++ data/dla-needed.txt 2016-02-27 09:51:13 UTC (rev 39978) @@ -27,8 +27,6 @@ graphicsmagick NOTE: CVE-2016-231{8,9} don't have upstream fixes but we crash on the exploits -- -gtk+2.0 (Santiago R.R.) --- icu NOTE: check comments on CVE-2016-0494 as well NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39809 - data
Author: santiago Date: 2016-02-22 14:06:38 + (Mon, 22 Feb 2016) New Revision: 39809 Modified: data/dla-needed.txt Log: Add gtk+2.0 to dla-needed and claim it Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-22 14:03:33 UTC (rev 39808) +++ data/dla-needed.txt 2016-02-22 14:06:38 UTC (rev 39809) @@ -29,6 +29,8 @@ graphicsmagick NOTE: CVE-2016-231{8,9} don't have upstream fixes but we crash on the exploits -- +gtk+2.0 (Santiago R.R.) +-- icu NOTE: check comments on CVE-2016-0494 as well NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39808 - data/CVE
Author: santiago Date: 2016-02-22 14:03:33 + (Mon, 22 Feb 2016) New Revision: 39808 Modified: data/CVE/list Log: CVE-2015-4491, CVE-2015-7673, CVE-2015-7674: gdk-pixbuf code was part of gtk+2.0 in squeeze Modified: data/CVE/list === --- data/CVE/list 2016-02-22 13:50:15 UTC (rev 39807) +++ data/CVE/list 2016-02-22 14:03:33 UTC (rev 39808) @@ -10148,6 +10148,7 @@ CVE-2015-7673 (io-tga.c in gdk-pixbuf before 2.32.0 uses heap memory after its ...) {DSA-3378-1} - gdk-pixbuf 2.32.0-1 + [squeeze] - gtk+2.0 NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/3 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c @@ -10155,6 +10156,7 @@ CVE-2015-7674 (Integer overflow in the pixops_scale_nearest function in ...) {DSA-3378-1} - gdk-pixbuf 2.32.1-1 + [squeeze] - gtk+2.0 NOTE: http://www.openwall.com/lists/oss-security/2015/10/01/4 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa CVE-2015- [trivial hash complexity DoS attack] @@ -18793,6 +18795,7 @@ CVE-2015-4491 (Integer overflow in the make_filter_table function in pixops/pixops.c ...) {DSA-3337-2 DSA-3337-1} - gdk-pixbuf 2.31.7-1 + [squeeze] - gtk+2.0 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=752297 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ffec86ed5010c5a2be14f47b33bcf4ed3169a199 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=8dba67cb4f38d62a47757741ad41e3f245b4a32a ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
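Review bot: The three added "[squeeze] - gtk+2.0" lines sit under gdk-pixbuf CVEs with nothing in data/CVE/list saying why a different source package is tracked there; the reason appears only in the log message. Add a NOTE line under each of CVE-2015-7673, CVE-2015-7674 and CVE-2015-4491 stating that the gdk-pixbuf code was part of gtk+2.0 in squeeze, so the entry still makes sense to someone reading the list without the commit history.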
[Secure-testing-commits] r39738 - in data: . DLA
Author: santiago Date: 2016-02-17 09:52:58 + (Wed, 17 Feb 2016) New Revision: 39738 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-419-1 for gtk+2.0 Modified: data/DLA/list === --- data/DLA/list 2016-02-17 06:12:58 UTC (rev 39737) +++ data/DLA/list 2016-02-17 09:52:58 UTC (rev 39738) @@ -1,3 +1,6 @@ +[17 Feb 2016] DLA-419-1 gtk+2.0 - security update + {CVE-2013-7447} + [squeeze] - gtk+2.0 2.20.1-2+deb6u1 [16 Feb 2016] DLA-418-1 wordpress - security update {CVE-2016-2221 CVE-2016-} [squeeze] - wordpress 3.6.1+dfsg-1~deb6u9 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-17 06:12:58 UTC (rev 39737) +++ data/dla-needed.txt 2016-02-17 09:52:58 UTC (rev 39738) @@ -25,8 +25,6 @@ graphicsmagick NOTE: CVE-2016-231{8,9} don't have upstream fixes but we crash on the exploits -- -gtk+2.0 (Santiago R.R.) --- icu NOTE: check comments on CVE-2016-0494 as well NOTE: tentative package for icu https://lists.debian.org/debian-lts/2016/01/msg00133.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39711 - data
Author: santiago Date: 2016-02-16 09:12:54 + (Tue, 16 Feb 2016) New Revision: 39711 Modified: data/dla-needed.txt Log: take gtk+2.0 in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-16 09:10:15 UTC (rev 39710) +++ data/dla-needed.txt 2016-02-16 09:12:54 UTC (rev 39711) @@ -24,7 +24,7 @@ -- eglibc (Aurelien Jarno) -- -gtk+2.0 +gtk+2.0 (Santiago R.R.) -- icu NOTE: check comments on CVE-2016-0494 as well ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39686 - in data: . DLA
Author: santiago Date: 2016-02-15 09:01:02 + (Mon, 15 Feb 2016) New Revision: 39686 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-415-1 for cpio Modified: data/DLA/list === --- data/DLA/list 2016-02-14 21:10:12 UTC (rev 39685) +++ data/DLA/list 2016-02-15 09:01:02 UTC (rev 39686) @@ -1,3 +1,6 @@ +[15 Feb 2016] DLA-415-1 cpio - security update + {CVE-2016-2037} + [squeeze] - cpio 2.11-4+deb6u2 [12 Feb 2016] DLA-414-1 chrony - security update {CVE-2016-1567} [squeeze] - chrony 1.24-3+squeeze3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-14 21:10:12 UTC (rev 39685) +++ data/dla-needed.txt 2016-02-15 09:01:02 UTC (rev 39686) @@ -12,8 +12,6 @@ cakephp NOTE: 20160123, No official solution is currently available. -- -cpio (Santiago R.R.) --- curl NOTE: marked as no-dsa in wheezy as too intrusive to backport NOTE: should we have the resources to handle it we should fix wheezy too. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39651 - data/CVE
Author: santiago Date: 2016-02-13 18:12:33 + (Sat, 13 Feb 2016) New Revision: 39651 Modified: data/CVE/list Log: CVE-2015-7511/libgcrypt11 squeeze not-affected Modified: data/CVE/list === --- data/CVE/list 2016-02-13 14:36:36 UTC (rev 39650) +++ data/CVE/list 2016-02-13 18:12:33 UTC (rev 39651) @@ -9932,6 +9932,7 @@ {DSA-3474-1} - libgcrypt20 1.6.5-2 - libgcrypt11 + [squeeze] - libgcrypt11 (Vulnerable code not present) NOTE: http://www.cs.tau.ac.IL/~tromer/ecdh/ NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fcbb9fcc2e6983ea61bf565b6ee2e29816b8cd57 (LIBGCRYPT-1-5-BRANCH) NOTE: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=de7db12fa04016e12dffb2b678632f45eba15ec4 (libgcrypt-1.6.5) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39634 - data
Author: santiago Date: 2016-02-12 15:59:20 + (Fri, 12 Feb 2016) New Revision: 39634 Modified: data/dla-needed.txt Log: claim cpio in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-12 15:53:31 UTC (rev 39633) +++ data/dla-needed.txt 2016-02-12 15:59:20 UTC (rev 39634) @@ -16,8 +16,7 @@ NOTE: maintainer applied patch in git, but package couldn't be built NOTE: follow thread: https://lists.debian.org/debian-lts/2016/01/msg00115.html -- -cpio - NOTE: 20160123, no fix available yet +cpio (Santiago R.R.) -- curl NOTE: marked as no-dsa in wheezy as too intrusive to backport ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
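Review bot: Claiming cpio also deletes "NOTE: 20160123, no fix available yet" without replacing it, so the file no longer says whether a fix has become available. If one exists, replace the note with a pointer to it; if not, keep the note next to the claim so the next reader knows the entry is still blocked.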
[Secure-testing-commits] r39597 - data
Author: santiago Date: 2016-02-11 10:07:27 + (Thu, 11 Feb 2016) New Revision: 39597 Modified: data/dla-needed.txt Log: wordpress needs a DLA Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-11 08:14:32 UTC (rev 39596) +++ data/dla-needed.txt 2016-02-11 10:07:27 UTC (rev 39597) @@ -59,3 +59,5 @@ -- xymon (Chris Lamb) -- +wordpress +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
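Review bot: The new "wordpress" entry is appended after "xymon (Chris Lamb)" at the end of the file, out of alphabetical order, and carries no NOTE saying which issue needs the DLA. Place it before xymon and add a NOTE line naming the CVE or advisory that triggered the entry, so whoever claims it does not have to rediscover it.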
[Secure-testing-commits] r39617 - data/DLA
Author: santiago Date: 2016-02-11 22:13:40 + (Thu, 11 Feb 2016) New Revision: 39617 Modified: data/DLA/list Log: reserve DLA-411-2 for eglibc Modified: data/DLA/list === --- data/DLA/list 2016-02-11 21:10:14 UTC (rev 39616) +++ data/DLA/list 2016-02-11 22:13:40 UTC (rev 39617) @@ -1,3 +1,5 @@ +[11 Feb 2016] DLA-411-2 eglibc - regression update + [squeeze] - eglibc 2.11.3-4+deb6u10 [09 Feb 2016] DLA-413-1 gajim - security update {CVE-2015-8688} [squeeze] - gajim 0.13.4-3+squeeze4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39562 - data
Author: santiago Date: 2016-02-09 14:56:12 + (Tue, 09 Feb 2016) New Revision: 39562 Modified: data/dla-needed.txt Log: add xymon to dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-09 13:38:26 UTC (rev 39561) +++ data/dla-needed.txt 2016-02-09 14:56:12 UTC (rev 39562) @@ -57,3 +57,5 @@ -- tiff -- +xymon +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39474 - in data: . DLA
Author: santiago Date: 2016-02-05 11:45:03 + (Fri, 05 Feb 2016) New Revision: 39474 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-411-1 for eglibc Modified: data/DLA/list === --- data/DLA/list 2016-02-05 11:08:57 UTC (rev 39473) +++ data/DLA/list 2016-02-05 11:45:03 UTC (rev 39474) @@ -1,3 +1,6 @@ +[05 Feb 2016] DLA-411-1 eglibc - security update + {CVE-2014-9761 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779} + [squeeze] - eglibc eglibc_2.11.3-4+deb6u9 [04 Feb 2016] DLA-410-1 openjdk-6 - security update {CVE-2015-7575 CVE-2015-8126 CVE-2015-8472 CVE-2016-0402 CVE-2016-0448 CVE-2016-0466 CVE-2016-0483 CVE-2016-0494} [squeeze] - openjdk-6 6b38-1.13.10-1~deb6u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-02-05 11:08:57 UTC (rev 39473) +++ data/dla-needed.txt 2016-02-05 11:45:03 UTC (rev 39474) @@ -26,8 +26,6 @@ dwarfutils NOTE: 20160123, no CVE assigned yet, no fix availabe yet -- -eglibc (Santiago R.R.) --- gajim (Brian May) NOTE: _rosterSetCB in src/common/connection_handlers.py ? NOTE: I believe the referenced patch should fix this: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
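Review bot: In the data/DLA/list hunk, the version field of the new DLA-411-1 entry reads "eglibc_2.11.3-4+deb6u9", repeating the source package name with an underscore, while the entry just below it uses a bare version ("openjdk-6 6b38-1.13.10-1~deb6u1"). It should read "[squeeze] - eglibc 2.11.3-4+deb6u9" so that the field is a plain Debian version like every other entry.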
[Secure-testing-commits] r39388 - in data: . DLA
Author: santiago Date: 2016-01-31 21:30:33 + (Sun, 31 Jan 2016) New Revision: 39388 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-409-1 for mysql-5.5 Modified: data/DLA/list === --- data/DLA/list 2016-01-31 21:10:11 UTC (rev 39387) +++ data/DLA/list 2016-01-31 21:30:33 UTC (rev 39388) @@ -1,3 +1,6 @@ +[31 Jan 2016] DLA-409-1 mysql-5.5 - security update + {CVE-2016-0505 CVE-2016-0546 CVE-2016-0596 CVE-2016-0597 CVE-2016-0598 CVE-2016-0600 CVE-2016-0606 CVE-2016-0608 CVE-2016-0609 CVE-2016-0616} + [squeeze] - mysql-5.5 5.5.47-0+deb6u1 [31 Jan 2016] DLA-408-1 gosa - security update {CVE-2015-8771} [squeeze] - gosa 2.6.11-3+squeeze5 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-31 21:10:11 UTC (rev 39387) +++ data/dla-needed.txt 2016-01-31 21:30:33 UTC (rev 39388) @@ -56,9 +56,6 @@ -- macopix (Paul Liu) -- -mysql-5.5 (Santiago R.R.) - NOTE: test packages available: https://lists.debian.org/debian-lts/2016/01/msg00092.html --- nss (Guido Günther) NOTE: Trying to sync the solution for CVE-2015-4000 with security team first NOTE: see https://lists.debian.org/debian-lts/2015/12/msg00025.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39359 - data
Author: santiago Date: 2016-01-30 22:48:49 + (Sat, 30 Jan 2016) New Revision: 39359 Modified: data/dla-needed.txt Log: Claim eglibc in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-30 21:10:12 UTC (rev 39358) +++ data/dla-needed.txt 2016-01-30 22:48:49 UTC (rev 39359) @@ -28,7 +28,7 @@ dwarfutils NOTE: 20160123, no CVE assigned yet, no fix availabe yet -- -eglibc +eglibc (Santiago R.R.) -- gajim NOTE: _rosterSetCB in src/common/connection_handlers.py ? ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39286 - data
Author: santiago Date: 2016-01-29 09:17:08 + (Fri, 29 Jan 2016) New Revision: 39286 Modified: data/dla-needed.txt Log: add note on mysql-5.5.47 for squeeze Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-29 09:15:31 UTC (rev 39285) +++ data/dla-needed.txt 2016-01-29 09:17:08 UTC (rev 39286) @@ -51,6 +51,7 @@ macopix (Paul Liu) -- mysql-5.5 (Santiago R.R.) + NOTE: test packages available: https://lists.debian.org/debian-lts/2016/01/msg00092.html -- nss (Guido Günther) NOTE: Trying to sync the solution for CVE-2015-4000 with security team first ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39187 - data
Author: santiago Date: 2016-01-26 09:08:09 + (Tue, 26 Jan 2016) New Revision: 39187 Modified: data/dla-needed.txt Log: add back tiff to dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-26 08:08:34 UTC (rev 39186) +++ data/dla-needed.txt 2016-01-26 09:08:09 UTC (rev 39187) @@ -58,3 +58,5 @@ -- radicale (Markus Koschany) -- +tiff +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39176 - in data: . DLA
Author: santiago Date: 2016-01-25 23:25:31 + (Mon, 25 Jan 2016) New Revision: 39176 Modified: data/DLA/list data/dla-needed.txt Log: reserve DLA-402-1 for tiff Modified: data/DLA/list === --- data/DLA/list 2016-01-25 21:32:26 UTC (rev 39175) +++ data/DLA/list 2016-01-25 23:25:31 UTC (rev 39176) @@ -1,3 +1,6 @@ +[26 Jan 2016] DLA-402-1 tiff - security update + {CVE-2015-8665 CVE-2015-8683} + [squeeze] - tiff 3.9.4-5+squeeze13 [24 Jan 2016] DLA-401-1 imlib2 - security update {CVE-2014-9762 CVE-2014-9763 CVE-2014-9764} [squeeze] - imlib2 1.4.2-8+deb6u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-25 21:32:26 UTC (rev 39175) +++ data/dla-needed.txt 2016-01-25 23:25:31 UTC (rev 39176) @@ -58,5 +58,3 @@ -- radicale (Markus Koschany) -- -tiff (Santiago R.R.) --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
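Review bot: The new DLA-402-1 entry in data/DLA/list is dated "[26 Jan 2016]", but the commit is stamped 2016-01-25 23:25:31 UTC. Check that the date in the list matches the day the advisory is actually announced, and correct one or the other so the two records agree.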
[Secure-testing-commits] r39061 - data
Author: santiago Date: 2016-01-21 18:51:03 + (Thu, 21 Jan 2016) New Revision: 39061 Modified: data/dla-needed.txt Log: Add mysql-5.5 in dla-needed.txt, and claim it Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-21 17:36:41 UTC (rev 39060) +++ data/dla-needed.txt 2016-01-21 18:51:03 UTC (rev 39061) @@ -28,6 +28,8 @@ -- macopix (Paul Liu) -- +mysql-5.5 (Santiago R.R.) +-- nss (Guido Günther) NOTE: Trying to sync the solution for CVE-2015-4000 with security team first NOTE: see https://lists.debian.org/debian-lts/2015/12/msg00025.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39044 - data/CVE
Author: santiago Date: 2016-01-20 14:02:26 + (Wed, 20 Jan 2016) New Revision: 39044 Modified: data/CVE/list Log: CVE-2015-7744 also fixed in squeeze Modified: data/CVE/list === --- data/CVE/list 2016-01-20 13:40:46 UTC (rev 39043) +++ data/CVE/list 2016-01-20 14:02:26 UTC (rev 39044) @@ -7464,6 +7464,7 @@ - mysql-5.5 5.5.46-0+deb8u1 [jessie] - mysql-5.5 5.5.46-0+deb8u1 [wheezy] - mysql-5.5 5.5.46-0+deb7u1 + [squeeze] - mysql-5.5 5.5.46-0+deb6u1 - mariadb-10.0 NOTE: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixMSQL CVE-2015-7743 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39015 - data/CVE
Author: santiago Date: 2016-01-19 15:13:14 + (Tue, 19 Jan 2016) New Revision: 39015 Modified: data/CVE/list Log: CVE-2015-7558/librsvg in squeeze: (Too intrusive to backport) Modified: data/CVE/list === --- data/CVE/list 2016-01-19 15:11:13 UTC (rev 39014) +++ data/CVE/list 2016-01-19 15:13:14 UTC (rev 39015) @@ -7912,6 +7912,7 @@ - librsvg 2.40.12-1 [jessie] - librsvg (Too intrusive to backport) [wheezy] - librsvg (Too intrusive to backport) + [squeeze] - librsvg (Too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1268243 NOTE: https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61 (2.40.12) CVE-2015-7557 [Out-of-bounds heap read in librsvg2 was found when parsing SVG file] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39014 - in data: . DLA
Author: santiago Date: 2016-01-19 15:11:13 + (Tue, 19 Jan 2016) New Revision: 39014 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-395-1 for librsvg Modified: data/DLA/list === --- data/DLA/list 2016-01-19 14:55:10 UTC (rev 39013) +++ data/DLA/list 2016-01-19 15:11:13 UTC (rev 39014) @@ -1,3 +1,6 @@ +[19 Jan 2016] DLA-395-1 librsvg - security update + {CVE-2015-7557} + [squeeze] - librsvg 2.26.3-1+deb6u3 [19 Jan 2016] DLA-385-2 isc-dhcp - regression update {CVE-2015-8605} [squeeze] - isc-dhcp 4.1.1-P1-15+squeeze10 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-19 14:55:10 UTC (rev 39013) +++ data/dla-needed.txt 2016-01-19 15:11:13 UTC (rev 39014) @@ -20,8 +20,6 @@ -- libraw -- -librsvg (Santiago R.R.) --- linux-2.6 (Ben Hutchings) -- lxc (Mike Gabriel) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39017 - data
Author: santiago Date: 2016-01-19 16:54:39 + (Tue, 19 Jan 2016) New Revision: 39017 Modified: data/dla-needed.txt Log: Claim tiff in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-19 15:57:54 UTC (rev 39016) +++ data/dla-needed.txt 2016-01-19 16:54:39 UTC (rev 39017) @@ -41,5 +41,5 @@ -- radicale (Markus Koschany) -- -tiff +tiff (Santiago R.R.) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38818 - data
Author: santiago Date: 2016-01-10 12:23:02 + (Sun, 10 Jan 2016) New Revision: 38818 Modified: data/dla-needed.txt Log: Claim icu in dla-needed.txt Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-10 10:28:58 UTC (rev 38817) +++ data/dla-needed.txt 2016-01-10 12:23:02 UTC (rev 38818) @@ -18,7 +18,7 @@ -- giflib (Guido Günther) -- -icu +icu (Santiago R.R.) -- inspircd (Ben Hutchings) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38832 - in data: . DLA
Author: santiago Date: 2016-01-10 21:18:18 + (Sun, 10 Jan 2016) New Revision: 38832 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-381-1 for icu Modified: data/DLA/list === --- data/DLA/list 2016-01-10 21:10:10 UTC (rev 38831) +++ data/DLA/list 2016-01-10 21:18:18 UTC (rev 38832) @@ -1,3 +1,6 @@ +[10 Jan 2016] DLA-381-1 icu - security update + {CVE-2015-2632} + [squeeze] - icu 4.4.1-8+squeeze5 [04 Jan 2016] DLA-374-3 cacti - regression update [squeeze] - cacti 0.8.7g-1+squeeze9+deb6u13 [04 Jan 2016] DLA-380-1 libvncserver - security update Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-10 21:10:10 UTC (rev 38831) +++ data/dla-needed.txt 2016-01-10 21:18:18 UTC (rev 38832) @@ -18,8 +18,6 @@ -- giflib (Guido Günther) -- -icu (Santiago R.R.) --- inspircd (Ben Hutchings) -- libraw ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38645 - data
Author: santiago Date: 2016-01-02 15:50:07 + (Sat, 02 Jan 2016) New Revision: 38645 Modified: data/dla-needed.txt Log: Take librsvg in dla-needed Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-02 09:27:14 UTC (rev 38644) +++ data/dla-needed.txt 2016-01-02 15:50:07 UTC (rev 38645) @@ -22,7 +22,7 @@ -- libraw -- -librsvg +librsvg (Santiago R.R.) -- libvncserver (Mike Gabriel) NOTE: a fix is probably not trivial, as thread safety has to be backported to 0.9.7 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38649 - in data: . DLA
Author: santiago Date: 2016-01-02 19:01:30 + (Sat, 02 Jan 2016) New Revision: 38649 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-379-1 for samba Modified: data/DLA/list === --- data/DLA/list 2016-01-02 17:39:14 UTC (rev 38648) +++ data/DLA/list 2016-01-02 19:01:30 UTC (rev 38649) @@ -1,3 +1,6 @@ +[02 Jan 2016] DLA-379-1 samba - security update + {CVE-2015-5252 CVE-2015-5296 CVE-2015-5299} + [squeeze] - samba 2:3.5.6~dfsg-3squeeze13 [02 Jan 2016] DLA-378-1 linux-2.6 - security update {CVE-2015-7550 CVE-2015-8543 CVE-2015-8575} [squeeze] - linux-2.6 2.6.32-48squeeze18 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-01-02 17:39:14 UTC (rev 38648) +++ data/dla-needed.txt 2016-01-02 19:01:30 UTC (rev 38649) @@ -47,8 +47,6 @@ -- quassel (Scott K) -- -samba (Santiago R.R.) --- srtp (Thorsten Alteholz) -- sudo (Ben Hutchings) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38554 - data/CVE
Author: santiago Date: 2015-12-27 11:57:07 + (Sun, 27 Dec 2015) New Revision: 38554 Modified: data/CVE/list Log: CVE-2015-8669/phpmyadmin squeeze not affected Modified: data/CVE/list === --- data/CVE/list 2015-12-27 11:34:50 UTC (rev 38553) +++ data/CVE/list 2015-12-27 11:57:07 UTC (rev 38554) @@ -1,5 +1,6 @@ CVE-2015-8669 [Full path disclosure vulnerability] - phpmyadmin 4:4.5.3.1-1 (unimportant) + [squeeze] - phpmyadmin (Vulnerable code not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2015-6/ NOTE: non-issue for Debian-packaged version CVE-2015-8683 [out-of-bounds read in CIE Lab image format] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits