On Fri, May 24, 2024 at 11:42:38AM -0400, Louis-Philippe Véronneau wrote:
> On Fri, 24 May 2024 16:53:28 +0200 Moritz Mühlenhoff
> wrote:
> > Source: clojure
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following
On Wed, May 22, 2024 at 02:42:58PM -0300, Leandro Cunha wrote:
> Hi everyone,
>
> On Wed, May 22, 2024 at 12:39 PM Moritz Mühlenhoff wrote:
> >
> > On Wed, Mar 06, 2024 at 06:39:01AM -0300, Leandro Cunha wrote:
> > > Hi Christoph Berg,
> > >
> > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: gennaro.ol...@gmail.com
Security support for slurm-wlm in Bullseye is EOLed, the recent
changes were too intrusive to meaningfully backport.
On Wed, May 01, 2024 at 06:29:29PM +0100, Adam D. Barratt wrote:
> On Wed, 2024-05-01 at 13:02 +0200, Moritz Muehlenhoff wrote:
> > Please remove salt in the next Bullseye point release.
> > It was already removed from unstable for being unsupportable
> > and unmaintained (htt
Source: debian-security-support
Version: 1:13+2024.01.30
Severity: wishlist
X-Debbugs-Cc: z...@debian.org
Please mark pdns-recursor as EOL/no longer covered by security support
in Bullseye. These packages can still be used for select use cases
(internal resolver within a company network), but 4.4
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: s...@packages.debian.org
Control: affects -1 + src:salt
User: release.debian@packages.debian.org
Usertags: rm
Please remove salt in the next Bullseye point release.
It was already removed from unstable for being unsupportable
and
On Thu, Apr 25, 2024 at 08:37:14AM +0200, Chris Hofstaedtler wrote:
> Hi Moritz,
>
> could we once again use the upstream release for stable?
> debdiff 4.8.7-1 -> 4.8.8-1 is attached.
Ack. Following the 4.8 releases has served us well. debdiff looks fine,
please build with -sa and upload to
On Sun, Apr 21, 2024 at 07:35:43PM +, Victor Seva wrote:
> Hi,
>
>
> I've just uploaded sngrep 1.8.1-1 to sid and prepared 1.6.0-1+deb12u1 for
> bookworms-security [0].
>
> Attached debdiff file.
>
> Waiting for you reply,
> Victor
>
> [0]
>
On Thu, Apr 18, 2024 at 02:40:41PM +0200, Moritz Schlarb wrote:
> Dear Salvatore,
>
> I've prepared, built, tested and uploaded fixed versions for bullseye
> (2.4.9.4-0+deb11u4), bookworm (2.4.12.3-2+deb12u1) and trixie (2.4.15.7-1).
>
> Would you like to issue a DSA for them or is it enough
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libtomm...@packages.debian.org
Control: affects -1 + src:libtommath
Addresses CVE-2023-36328, debdiff below. Acked by Dominique before.
Cheers,
Moritz
diff
On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
> On 4/4/24 22:51, Moritz Mühlenhoff wrote:
> > Source: apache2
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerabilities were published for apache2.
> >
> >
On Thu, Apr 04, 2024 at 05:54:51AM +0200, Salvatore Bonaccorso wrote:
> Hi Marco,
>
> [CC'ing security team]
>
> On Mon, Apr 01, 2024 at 04:25:05PM +0200, Marco d'Itri wrote:
> > Control: found -1 5.0.0-1
> > Control: fixed -1 7.4.2
> >
> > On Nov 17, Salvatore Bonaccorso wrote:
> >
> > >
Hi Adrian,
> >...
> > > debdiffs contain only changes to debian/
> >
> > The bookworm/bullseye debdiffs looks good, please upload to
> > security-master, thanks!
>
> both are now uploaded.
DSA has been released, thanks!
> > Note that both need -sa, but dak needs some special attention when
>
On Thu, Mar 21, 2024 at 09:33:51PM +0100, Andreas Rönnquist wrote:
> On Fri, 10 Mar 2023 18:04:23 +0100 Moritz Mühlenhoff
> wrote:
> > Source: allegro4.4
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following
On Fri, Feb 23, 2024 at 10:13:53PM +0100, Hilmar Preuße wrote:
> On 23.02.24 16:31, Moritz Mühlenhoff wrote:
>
> Hello Moritz,
>
> > The following vulnerability was published for texlive-bin.
> >
> > CVE-2024-25262[0]:
> > | texlive-bin commit c515e was discovered to contain heap buffer
> > |
On Wed, Feb 21, 2024 at 04:15:17PM +0100, Matthias Klumpp wrote:
> I'd read the "unaffected at 1.2.7" as version 1.2.7 and higher not
> having the bug... But then again, on another page it said that the
> respective patch only lowered the impact...
> I remember merging that patch, and it was a
On Tue, Feb 20, 2024 at 10:11:35PM +0100, Matthias Klumpp wrote:
> The CVE page lists that commit as "patch" now, and given that emitting
> a finished transaction as finished multiple times could indeed cause
> issues (and use-after-free issues potentially as well), I am inclined
> to think that
On Mon, Feb 12, 2024 at 06:16:48PM +, Jonathan Wiltshire wrote:
> On Mon, Feb 12, 2024 at 09:24:47AM +, Holger Levsen wrote:
> > hi,
> >
> > On Sun, Feb 11, 2024 at 09:44:18PM +, Jonathan Wiltshire wrote:
> > > Requested by security team. Not in stable or testing.
> >
> > once this
On Fri, Feb 09, 2024 at 04:40:31PM +0100, Thorsten Alteholz wrote:
> Hi Moritz,
>
> thanks for the bug. Upstream knows about the issue and already fixed it [1]
> + [2].
Thanks. I think the real world impact is pretty negligible, it's enough to land
a fix for the next release, but not for released
On Fri, Jan 26, 2024 at 08:48:47PM +0100, Santiago Vila wrote:
> severity 1061543 important
> found 1061543 2.2.12-1
> found 1061543 2.2.12-4+deb12u2
> thanks
>
> On 26/1/24 at 8:52, Moritz Mühlenhoff wrote:
> > Source: indent
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: normal
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: un...@packages.debian.org
Control: affects -1 + src:unadf
Addresses two no-dsa security issues, same fix already rolled out
for Bookworm. Debdiff below.
Cheers,
On Mon, Jan 15, 2024 at 09:10:57PM +0100, Salvatore Bonaccorso wrote:
> Hi Moritz,
>
> On Mon, Jan 15, 2024 at 08:49:04PM +0100, Moritz Muehlenhoff wrote:
> > Source: rust-tracing
> > Version: 0.1.37-1
> > Severity: important
> > Tags: security
>
Source: rust-tracing
Version: 0.1.37-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
https://rustsec.org/advisories/RUSTSEC-2023-0078.html
https://github.com/tokio-rs/tracing/pull/2765
Fixed by:
Source: gtkwave
Version: 3.3.116-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team
A very thorough security audit of gtkwave unveiled a total of 82 security
issues in gtkwave, all fixed in 3.3.118:
CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
CVE-2023-35057
On Mon, Dec 25, 2023 at 10:32:41AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: hapr...@packages.debian.org
> X-Debbugs-Cc: t...@security.debian.org
> Control: affects -1 +
al:
> >> > On Thu, 21 Dec 2023 at 10:54, Moritz Muehlenhoff wrote:
> >> >
> >> > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> >> > > > Hi,
> >> > > >
> >> > > > [CC'
On Fri, Dec 22, 2023 at 10:28:42AM +0100, Samuel Thibault wrote:
> Control: severity -1 wishlist
>
> Hello,
>
> Moritz Mühlenhoff, on Fri 22 Dec 2023 10:03:28 +0100, wrote:
> > CVE-2023-49287[0]:
> > | TinyDir is a lightweight C directory and file reader. Buffer
> > | overflows in the
On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> [CC'ing node-undici uploader]
> > >> Ack, let's do that. Could you prepare bookworm-security updates
> > >> based on 18.17.0 (after it has landed in unstable)?
> > >
> > nodejs 18.19.0 has landed in testing.
> > It
On Wed, Dec 20, 2023 at 11:43:11AM +0900, Mike Hommey wrote:
> Version: 2:3.95-1
>
> On Tue, Dec 19, 2023 at 10:21:27PM +0100, Moritz Mühlenhoff wrote:
> > Source: nss
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following
On Fri, Dec 15, 2023 at 10:39:04AM +0200, Adrian Bunk wrote:
> > That is a good point. However, I consider full coverage of security support
> > for stable to be an improvement over the current situation. Explicitly
> > stating that security support is not shipped for oldstable does not do any
> >
Hi Simon,
> Unless the security team have reasons to want this to be treated as
> urgent, I would suggest that instead of rushing to apply Ubuntu's
> solution, we should see what happens upstream, and then follow that in
> Debian when the dust has settled.
Agreed, this isn't an issue we need to
Source: debian-security-support
Version: 1:13+2023.09.27
Severity: wishlist
Hashicorp changed the license of Consul and MPLed patches are only
provided until Dec 31. As such, it has been removed from unstable
and needs to be EOLed for bullseye (removal from bullseye isn't
simple, it would require
On Mon, Dec 04, 2023 at 09:13:41AM +, Holger Levsen wrote:
> Hi Salvatore,
>
> thanks for your continuous work on Debian security!
>
> On Sun, Dec 03, 2023 at 08:03:05PM +, Debian Bug Tracking System wrote:
> > > clone -1 -2 -3
> > Bug #1057315 [src:tiles] tiles: CVE-2023-49735
> > Bug
Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> The project is dead-upstream TTBOMK, so not sure if/what we can do at
> all for this issue. Removal seems not possible as per:
On Thu, Nov 30, 2023 at 11:26:00PM +1100, Dmitry Smirnov wrote:
> On Monday, 30 October 2023 10:16:07 PM AEDT Moritz Muehlenhoff wrote:
> > Please remove consul. Hashicorp changed the license for Consul
> > to the BSL and they will only provide security fixes for the
> > MP
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: un...@packages.debian.org
Control: affects -1 + src:unadf
Fixes two minor security issues. These have actually been in
past releases (wheezy/jessie), but the patch
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-bind...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-bindata
Please remove golang-github-go-macaron-bindata. The version in the
On Tue, Oct 31, 2023 at 10:29:55AM +0100, Bernd Zeimetz wrote:
>
> Both uploaded!
DSA has been released, thanks!
Cheers,
Moritz
On Mon, Oct 30, 2023 at 07:09:53PM +0100, Bernd Zeimetz wrote:
> Hi Moritz,
>
> as usual, stable/oldstable updates prepared, diffs are attached to this
> mail as salsa seems to have some issues right now.
>
> https://salsa.debian.org/vmware-packaging-team/pkg-open-vm-tools/ -
> bookworm/bullseye
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: con...@packages.debian.org
Control: affects -1 + src:consul
Please remove consul. Hashicorp changed the license for Consul
to the BSL and they will only provide security fixes for the
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rest...@packages.debian.org
Control: affects -1 + src:restbed
Please remove restbed. The last maintainer upload was in 2017,
it FTBFS since 3.5 years and there are no reverse
On Wed, Sep 20, 2023 at 09:16:28AM +, Holger Levsen wrote:
> control: tags + pending
> thanks
>
> On Tue, Sep 19, 2023 at 11:17:55PM +0200, Moritz Muehlenhoff wrote:
> > Hashicorp changed the license for Consul to the BSL and they will only
> > provide security fix
Source: debian-security-support
Severity: normal
Hashicorp changed the license for Consul to the BSL and they will only
provide security fixes for the MPLed version until end of the year, as
such Consul should be marked as EOLed for Bullseye in Debian.
Ideally we'd just remove it in the Bullseye
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: q...@packages.debian.org, m...@tls.msk.ru
Control: affects -1 + src:qemu
Various low severity security issues in qemu, debdiff below.
I've tested this on a Bullseye
On Mon, Sep 18, 2023 at 07:27:24AM +0200, Salvatore Bonaccorso wrote:
> Moritz is taking care of releasing the DSA.
Indeed, all builds are in, I'll release tonight.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: consu...@packages.debian.org
Control: affects -1 + src:consulfs
Please remove consulfs. It hasn't seen update for 2.5 years, missed Bookworm
and depends on Consul, which is about to be
Source: kino
Version: 1.3.4+dfsg0-1.1
Severity: serious
Your package came up as a candidate for removal from Debian:
- Dead upstream for a decade
- FTBFS with ffmpeg 5 since 1.5 years (Debian is at ffmpeg 6 by now)
- Depends on various legacy libs (GTK2, Glade)
If you disagree and want to
On Sun, Sep 10, 2023 at 07:13:37AM +, Bastien Roucariès wrote:
> On Sunday, 10 September 2023, 05:44:02 UTC Rene Engelhard wrote:
> > severity 1051474 important
> >
> > thanks
> >
> > Hi,
> >
> > On 08.09.23 at 19:19, Bastien Roucariès wrote:
> > > Source: libreoffice
> > > Severity:
On Thu, Sep 07, 2023 at 11:43:27AM +0200, Bernd Zeimetz wrote:
> Hi Moritz,
>
> > Ack, that's perfectly fine!
> >
>
> Thanks!
>
> Here are the current diffs:
>
> bullseye:
>
On Wed, Sep 06, 2023 at 08:11:17PM +0200, Bernd Zeimetz wrote:
> Hi security team,
>
> I'm preparing security uploads for bookworm-security and buster-security
> for
>
> > CVE-2023-20900[0]:
> > | VMware Tools contains a SAML token signature bypass vulnerability. A
> > | malicious actor with
On Tue, Sep 05, 2023 at 04:04:27AM +0900, YOKOTA Hiroshi wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: 7...@packages.debian.org, yokota.h...@gmail.com,
> b...@debian.org,
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Needs to be removed alongside with nomad.
Cheers,
Moritz
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Hashicorp switched to the non-free BSL and security fixes will
only be made available until December 31 2023, so we should
remove it with the Bullseye 11.8 point release:
Source: pyparsing
Version: 3.1.0-1
Severity: important
pyparsing 3.1.0 introduced a regression which breaks src:cumin (#1042262),
this has been reported at https://github.com/pyparsing/pyparsing/issues/502
and was fixed in 3.1.1.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
Please remove fnfx, this is an addon package for 20 year old laptops,
long dead upstream like the laptops it originally supported.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: el...@packages.debian.org
Control: affects -1 + src:elida
Please remove elida, it's obsolete, unused and without an adopter for years.
Upstream is also gone, the former maintainer was
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
Please remove digitools. It's obsolete (it's for a barebone system
released 20 years ago), dead upstream and unmaintained (last upload
in 2008).
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: netkit-...@packages.debian.org
Control: affects -1 + src:netkit-rsh
Please remove netkit-rsh. It's obsolete, dead upstream and has open security
issues.
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: no...@packages.debian.org
Control: affects -1 + src:nomad
Please remove nomad. The version in sid is really outdated, FTBFSes since two
years, has plenty of open security issues and
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: test...@packages.debian.org, d...@debian.org,
vladimir.pe...@canonical.com
Control: affects -1 + src:testng7
We need to introduce a backport of testng7 in the
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: asmto...@packages.debian.org, ebo...@apache.org
Control: affects -1 + src:asmtools
We need to introduce a backport of asmtools in the version found in bookworm
to
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: crtmpser...@packages.debian.org
Control: affects -1 + src:crtmpserver
Please remove crtmpserver. It's RC-buggy and dropped from testing for over
three years now (and missed two stable
On Tue, Jul 04, 2023 at 03:17:43PM -0400, Roberto C. Sánchez wrote:
> On Fri, Jun 16, 2023 at 10:12:22PM +0200, Moritz Muehlenhoff wrote:
> > On Fri, Jun 16, 2023 at 01:29:28PM -0400, Roberto C. Sánchez wrote:
> > > On Wed, May 17, 2023 at 10:50:34AM +0200, Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rtppr...@packages.debian.org
Control: affects -1 + src:rtpproxy
Please remove rtpproxy. The last maintainer upload was in 2014, it's RC-buggy
(FTBFS with GCC 10) and dropped from
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: apf-firew...@packages.debian.org
Control: affects -1 + src:apf-firewall
Please remove apf-firewall. Removal was already hinted at in the original
orphan bug from 2016 and at this point
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: kis...@packages.debian.org
Control: affects -1 + src:kismet
Please remove kismet. It's unmaintained (last maintainer upload in 2016), is
removed from testing for over three years and
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: gsm0710m...@packages.debian.org
Control: affects -1 + src:gsm0710muxd
Please remove gsm0710muxd. It's been orphaned since nine years and removal was
already suggested in the original
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: masqm...@packages.debian.org
Control: affects -1 + src:masqmail
Please remove masqmail. It's dead upstream, orphaned without an adopter
since 2015 and RC-buggy (dropped from testing
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: ma...@packages.debian.org
Control: affects -1 + src:mason
Please remove mason, it's orphaned without an adopter since 2018, upstream
is dead upstream (vanished off the internet) and it
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: p...@packages.debian.org
Control: affects -1 + src:pads
Please remove pads. It's dead upstream, orphaned without a new maintainer since
2015 and depends on the legacy PCRE.
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: free...@packages.debian.org
Control: affects -1 + src:freelan
Please remove freelan. It's orphaned without an adopter since five years
and FTBFS since almost two years due to a lack of
Package: security-tracker
Severity: wishlist
"unimportant" issues don't have security impact, but currently they get shown
as "vulnerable" in red, both in a package overview page, e.g.
https://security-tracker.debian.org/tracker/source-package/c-ares and
CVE-specific pages, e.g.
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: mailaven...@packages.debian.org
Control: affects -1 + src:mailavenger
Please remove mailavenger. It hasn't seen an upload since four years,
is RC-buggy since years (e.g. FTBFSes since
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: dm...@packages.debian.org
Control: affects -1 + src:dmtcp
Please remove dmtcp. It's RC-buggy for a long time, there was only
a single upload by the new maintainer in 2019 and never made
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: git-notif...@packages.debian.org
Control: affects -1 + src:git-notifier
Please remove git-notifier. It hasn't seen an upload since 2015, missed
two stable releases and is one of the
On Fri, Jun 16, 2023 at 01:29:28PM -0400, Roberto C. Sánchez wrote:
> On Wed, May 17, 2023 at 10:50:34AM +0200, Moritz Muehlenhoff wrote:
> >
> > My take would be to mark it as unsupported after the trixie development
> > cycle
> > has started (this flags awareness,
On Wed, Jun 07, 2023 at 01:43:26PM +0530, Utkarsh Gupta wrote:
> Hi Chris,
>
> On Wed, Jun 7, 2023 at 12:56 PM Salvatore Bonaccorso
> wrote:
> > Can you please have a look, as this seems to be caused by the DLA
> > issued as DLA-3447-1.
>
> This has been caused by the ruby2.5 update.
It's
On Sun, Jun 04, 2023 at 12:06:01PM -0400, Andres Salomon wrote:
> Hi Security Team,
>
> Looking at https://security.debian.org/debian-security/pool/main/c/chromium/
> , I see that chromium-l10n built for bookworm (deb12u1) but not for bullseye
> (deb11u1). I'm guessing that the arch:all build was
On Wed, May 31, 2023 at 09:28:02AM +0300, Timo Aaltonen wrote:
> Moritz Muehlenhoff wrote on 3.5.2023 at 20.44:
> > Source: libdmx
> > Version: 1:1.1.4-2
> > Severity: serious
> >
> > The Xorg folks mentioned at
> > https://www.openwall.com/lists/oss-se
On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> First of all trapperkeeper-webserver-jetty9-clojure should add a build-
> dependency on logback to detect such regressions in advance.
>
> #1036250 is mainly a logback problem, not a tomcat problem. I still would like
> to hear
Package: elinks
Version: 0.13.2-1+b4
Severity: minor
It seems recent uploads in experimental switched to
https://github.com/rkd77/elinks/
as upstream, so please update the Homepage: header so that can be linked in the
PTS.
Cheers,
Moritz
Source: dokuwiki
Version: 0.0.20220731.a-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team
No CVE yet:
https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/
https://github.com/dokuwiki/dokuwiki/pull/3967
On Fri, May 12, 2023 at 08:58:01AM +, Holger Levsen wrote:
> On Fri, May 12, 2023 at 10:08:52AM +0200, Raphael Hertzog wrote:
> > > ISC is no longer maintaining any of the components of isc-dhcp (client,
> > > I propose to mark it as unsupported. Or at least, limited, if we still
> > > have
On Wed, May 10, 2023 at 11:35:14AM +0200, Cyril Brulebois wrote:
> Hello Moritz,
>
> And thanks for the report…
>
> Moritz Mühlenhoff (2023-05-10):
> > Moritz Muehlenhoff wrote:
> > > call. $MENU is set to '/usr/bin/main-menu' and in fact running
> > >
Package: installation-reports
Severity: normal
Boot method: network
Image version: netboot daily from 2023-05-09
Date: 2023-05-10
I've successfully tested the Bookworm installer on a few Dell PowerEdge servers
(with rc1, rc2 and dailies) and it's working fine on baremetal using the netboot
Source: libdmx
Version: 1:1.1.4-2
Severity: serious
The Xorg folks mentioned at
https://www.openwall.com/lists/oss-security/2023/05/02/3:
| We have also announced that we plan to retire the following packages soon
| and while their gitlab repos are not yet archived, we expect they will be
|
On Wed, May 03, 2023 at 04:55:00PM +0200, Moritz Mühlenhoff wrote:
> I think we can fix this via a DSA, can you please change the distribution line
> to bullseye-wikimedia and upload to security-master? (Needs an upload with -sa
Sorry, this should be bullseye-security obviously :-)
Cheers,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-bind...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-binding
Please remove golang-github-go-macaron-binding. This was originally
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-c...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-csrf
Please remove golang-github-go-macaron-csrf. It was only packaged for
Gitea,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-g...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-gzip
Please remove golang-github-go-macaron-gzip. The version in the archive is a
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-i...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-i18n
Please remove golang-github-go-macaron-i18n. It was only packaged for gitea,
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: g...@packages.debian.org, siret...@tauware.de,
sramac...@debian.org
Control: affects -1 + src:gpac
In prior discussion between Reinhard, Sebastian and the Security team we've
Package: gpac
Version: 2.0.0+dfsg1-2+b1
Severity: serious
In some discussion between Reinhard, Sebastian and the Security team we've come
to the conclusion that gpac isn't suitable to be included in a stable release.
The massive influx of security issues makes that untenable (and there's no
Source: rust-spin
Version: 0.9.5-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
https://rustsec.org/advisories/RUSTSEC-2023-0031.html
https://github.com/mvdnes/spin-rs/issues/148
Cheers,
Moritz
Hi Peter,
On Thu, Mar 23, 2023 at 09:23:18PM +, Peter Green wrote:
> severity 103 normal
> retitle 103 rust-encoding is unmaintained upstream
> severity 104 normal
> retitle 104 rust-boxfnonce is unmaintained upstream
> severity 105 normal
> retitle 105 rust-const-cstr
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: l...@packages.debian.org
Control: affects -1 + src:lvtk
Please remove lvtk. The last maintainer upload was in 2016, still depends on
Python 2 and has been removed from testing since
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: faumach...@packages.debian.org
Control: affects -1 + src:faumachine
Please remove faumachine. It FTBFSes since GCC 9 and still uses Python 2. It
has been removed from testing since
Source: rust-boxfnonce
Version: 0.1.1-2
Severity: serious
Per https://rustsec.org/advisories/RUSTSEC-2019-0040.html rust-boxfnonce is
obsolete, let's keep it out of bookworm (and remove from the archive).
Cheers,
Moritz
Source: rust-const-cstr
Version: 0.3.0-1
Severity: serious
Hi,
there is https://rustsec.org/advisories/RUSTSEC-2023-0020.html which flags
that rust-const-cstr is unmaintained. Since there are no reverse deps in the
archive, let's exclude it from bookworm (or rather remove right away)?
Cheers,
Source: rust-encoding
Version: 0.2.33-1
Severity: serious
Hi,
there is https://rustsec.org/advisories/RUSTSEC-2021-0153.html which flags
that rust-encoding is unmaintained. Since there are no reverse deps in the
archive, let's exclude it from bookworm (or rather remove right away)?
Cheers,