Source: libdmx
Version: 1:1.1.4-2
Severity: serious
The Xorg folks mentioned at
https://www.openwall.com/lists/oss-security/2023/05/02/3:
| We have also announced that we plan to retire the following packages soon
| and while their gitlab repos are not yet archived, we expect they will be
|
On Wed, May 03, 2023 at 04:55:00PM +0200, Moritz Mühlenhoff wrote:
> I think we can fix this via a DSA, can you please change the distribution line
> to bullseye-wikimedia and upload to security-master? (Needs an upload with -sa
Sorry, this should be bullseye-security obviously :-)
Cheers,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-bind...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-binding
Please remove golang-github-go-macaron-binding. This was originally
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-c...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-csrf
Please remove golang-github-go-macaron-csrf. It was only packaged for
Gitea,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-g...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-gzip
Please remove golang-github-go-macaron-gzip. The version in the archive is a
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: golang-github-go-macaron-i...@packages.debian.org
Control: affects -1 + src:golang-github-go-macaron-i18n
Please remove golang-github-go-macaron-i18n. It was only packaged for gitea,
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: g...@packages.debian.org, siret...@tauware.de,
sramac...@debian.org
Control: affects -1 + src:gpac
In prior discussion between Reinhard, Sebastian and the Security team we've
Package: gpac
Version: 2.0.0+dfsg1-2+b1
Severity: serious
In some discussion between Reinhard, Sebastian and the Security team we've come
to the conclusion that gpac isn't suitable to be included in a stable release.
The massive influx of security issues makes that untenable (and there's no
Source: rust-spin
Version: 0.9.5-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
https://rustsec.org/advisories/RUSTSEC-2023-0031.html
https://github.com/mvdnes/spin-rs/issues/148
Cheers,
Moritz
Hi Peter,
On Thu, Mar 23, 2023 at 09:23:18PM +, Peter Green wrote:
> severity 103 normal
> retitle 103 rust-encoding is unmaintained upstream
> severity 104 normal
> retitle 104 rust-boxfnonce is unmaintained upstream
> severity 105 normal
> retitle 105 rust-const-cstr
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: l...@packages.debian.org
Control: affects -1 + src:lvtk
Please remove lvtk. The last maintainer upload was in 2016, still depends on
Python 2 and has been removed from testing since
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: faumach...@packages.debian.org
Control: affects -1 + src:faumachine
Please remove faumachine. It FTBFSes since GCC 9 and still uses Python 2. It
has been removed from testing since
Source: rust-boxfnonce
Version: 0.1.1-2
Severity: serious
Per https://rustsec.org/advisories/RUSTSEC-2019-0040.html rust-boxfnonce is
obsolete, let's keep it out of bookworm (and remove from the archive).
Cheers,
Moritz
Source: rust-const-cstr
Version: 0.3.0-1
Severity: serious
Hi,
there is https://rustsec.org/advisories/RUSTSEC-2023-0020.html which flags
that rust-const-cstr is unmaintained. Since there are no reverse deps in the
archive, let's exclude it from bookworm (or rather remove right away)?
Cheers,
Source: rust-encoding
Version: 0.2.33-1
Severity: serious
Hi,
there is https://rustsec.org/advisories/RUSTSEC-2021-0153.html which flags
that rust-encoding is unmaintained. Since there are no reverse deps in the
archive, let's exclude it from bookworm (or rather remove right away)?
Cheers,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: faumach...@packages.debian.org
Control: affects -1 + src:faumachine
Please remove drbdlinks. The last maintainer upload was in 2012, it's
removed from testing for over three years and
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: sql...@packages.debian.org
Control: affects -1 + src:sqlite
Please remove sqlite. It's an older copy of src:sqlite3
and EOL for a long time (#607969)
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: kannel-sql...@packages.debian.org
Control: affects -1 + src:kannel-sqlbox
Please remove kannel-sqlbox. The last maintainer upload was in 2018, it's
removed from testing since 2020 and
On Sat, Mar 18, 2023 at 09:17:25AM +0100, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
>
> Hi security team
>
> On 2023-03-15 06:46:32 +0400, Yadd wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> >
Source: ippsample
Version: 0.0~git20220607.72f89b3-1
Severity: normal
ippsample bundles a copy of PDFio, which is affected by CVE-2023-24808.
Not sure if the code is even reachable and even if it's just a crash
in a CLI tool.
Cheers,
Moritz
Source: linux
Severity: wishlist
https://www.openwall.com/lists/oss-security/2023/03/14/2
Filing a bug (for trixie (added in 6.2), can be applied early to notice
potentially affected applications early on)
Cheers,
Moritz
Package: release-notes
Severity: important
Hi,
the "5.2.1.2. OpenJDK 17" section needs to be updated for bookworm:
The same applies for Java 21, so instead it should state:
Debian bookworm comes with an early access version of OpenJDK 21 (the next
expected OpenJDK LTS version after OpenJDK 17),
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: sendp...@packages.debian.org
Control: affects -1 + src:sendpage
Please remove sendpage. It's dead upstream, obsolete and unmaintained
(last maintainer upload 14 years ago and dropped
On Mon, Mar 13, 2023 at 03:07:34PM +, Holger Levsen wrote:
> On Mon, Mar 13, 2023 at 03:58:45PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Mar 13, 2023 at 01:43:11PM +0100, Holger Levsen wrote:
> > > * security-support-limited:
> > > - for golang and openjdk-17, point to the bookworm
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: rust-crossbeam-utils-...@packages.debian.org
Control: affects -1 + src:rust-crossbeam-utils-0.7
Please remove rust-crossbeam-utils-0.7. It's an older version of
src:
On Wed, Mar 08, 2023 at 07:09:20AM +0400, Yadd wrote:
> On 3/7/23 23:46, Salvatore Bonaccorso wrote:
> > Source: apache2
> > Version: 2.4.55-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> >
> > Hi,
> >
> > The following
On Wed, Mar 08, 2023 at 02:20:25PM +0100, Marco d'Itri wrote:
> On Feb 14, Moritz Muehlenhoff wrote:
>
> > > > Varnish should only be included in Bookworm with a reliable commitment
> > > > by the maintainers to backport/test security fixes across the t
Source: fdroidserver
Version: 2.0.3-1
Severity: important
Hi,
with the latest security update of openjdk-11 in stable (which updated
from 11.0.6 to 11.0.8, as we're following the Java LTS releases), the
autopkgtest of fdroidserver fails.
This seems caused by the "Disabled SHA-1 Signed JARs
Source: rust-bumpalo
Version: 3.7.0-3
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team
https://rustsec.org/advisories/RUSTSEC-2022-0078.html
Source: golang-github-labstack-echo.v3
Version: 3.3.10-2
Severity: serious
This is an older version of src:golang-github-labstack-echo. None of the
reverse deps are currently in bookworm, so golang-github-labstack-echo.v3
should be dropped as well (and post freeze the reverse deps fixed and
the
Source: golang-github-labstack-echo.v2
Version: 2.2.0-3
Severity: serious
This is an older version of src:golang-github-labstack-echo. None of the
reverse deps are currently in bookworm, so golang-github-labstack-echo.v2
should be dropped as well (and post freeze the reverse deps fixed and
the
On Fri, Feb 24, 2023 at 10:29:07PM +0100, Markus Koschany wrote:
> Hi,
>
> On Friday, 24.02.2023 at 16:01 +0100, Moritz Mühlenhoff wrote:
> [...]
> > Could we also ship the README.Debian.security that was recently added
> > in unstable to bullseye/buster?
>
> I've just uploaded a new
On Tue, Feb 21, 2023 at 09:48:35PM -0800, tony mancill wrote:
> On Tue, Feb 21, 2023 at 04:10:16PM +0100, Moritz Mühlenhoff wrote:
> > Source: libcommons-fileupload-java
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following
On Tue, Feb 21, 2023 at 03:32:01PM +, Simon McVittie wrote:
> On Tue, 21 Feb 2023 at 16:09:30 +0100, Moritz Mühlenhoff wrote:
> > CVE-2019-25104[0]:
> > https://github.com/rtcwcoop/rtcwcoop/pull/45
>
> This looks like a denial of service via memory exhaustion when running
> a multiplayer
On Sat, Feb 18, 2023 at 12:04:27PM +0100, Gabriel Corona wrote:
> I believe obtaining a CVE ID would be beneficial so that this issue may be
> tracked by downstream projects/distributions.
All those distros were notified via your post to oss-security. You can
try cveform, if there's no assignment
On Tue, Feb 14, 2023 at 02:48:43AM +0100, Marco d'Itri wrote:
> On Feb 02, Moritz Muehlenhoff wrote:
>
> > Varnish should only be included in Bookworm with a reliable commitment
> > by the maintainers to backport/test security fixes across the typical
> > three ye
Source: asterisk
Version: 1:20.1.0~dfsg+~cs6.12.40431414-1
Severity: serious
Asterisk should only be included in Bookworm with a reliable commitment
by the maintainers to backport/test security fixes across the typical
three year life cycle (two years of stable-security and one year of
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: l...@packages.debian.org
Control: affects -1 + src:latd
Please remove latd. It's orphaned without an adopter since 2014, dead upstream
and practically unused per popcon.
Cheers,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: xava...@packages.debian.org
Control: affects -1 + src:xavante
Please remove xavante, the last maintainer upload was in 2013, there's plenty of
web servers in the archive and it depends
On Mon, Jan 30, 2023 at 10:15:47PM +0100, Markus Koschany wrote:
> Hi,
>
> On Monday, 30.01.2023 at 18:44 +0100, Moritz Muehlenhoff wrote:
> >
> > Could we please add a README.Debian.security with something like the
> > following
> > t
Source: varnish
Version: 7.1.1-1.1
Severity: serious
Varnish should only be included in Bookworm with a reliable commitment
by the maintainers to backport/test security fixes across the typical
three year life cycle (two years of stable-security and one year of
oldstable-security).
Especially
Source: snakeyaml
Version: 1.33-1
Severity: important
Google's oss-fuzz found various cases where snakeyaml triggers an exception
on malformed YAML input. These end up blindly being picked by various
security web sites (since CVE IDs were assigned).
This is causing lots of overhead/annoyance for
On Sat, Jan 28, 2023 at 01:37:41PM +0100, Guillem Jover wrote:
> Control: reopen -1
> Control: affects -1 - leafnode
>
> Hi!
>
> This seems to still be a valid concern for update-inetd. I think this
> was probably closed in error as showing up in leafnode bugs page due
> to the affects. Given
On Sat, Jan 21, 2023 at 10:53:24PM +0100, Markus Koschany wrote:
> Hi Javier,
>
> On Friday, 20.01.2023 at 22:23 +0100, Javier Fernandez-Sanguino wrote:
> > Dear Markus,
> >
> > Thank you for preparing. Could you please share the patch you are working
> > on?
> > Snort is available in
On Sun, Jan 15, 2023 at 12:28:06PM -0800, tony mancill wrote:
> On Wed, Dec 07, 2022 at 04:03:17PM +0100, Carsten Pfeiffer wrote:
> > Package: openjdk-11-jdk
> > Version: 11.0.16+8-1~deb11u1
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > openjdk 11.0.16 in Bullseye contains a severe
Source: salt
Severity: serious
salt is currently RC-buggy and not in testing, but regardless of
the remaining RC bugs getting fixed it should only get re-included
with a reliable commitment to backport/test security-updates across
the typical three year life cycle (two years of stable-security
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python3.9
Please remove python3.9, which has been replaced by python3.10/python3.11.
The removal will need to
On Fri, Jan 06, 2023 at 08:41:50AM +0100, Paul Gevers wrote:
> Dear Chromium team, Security team,
>
> On 27-01-2022 17:15, Moritz Muehlenhoff wrote:
> > On Wed, Jan 26, 2022 at 09:38:42PM +0100, Paul Gevers wrote:
> > > > So, I'm proposing the following: we unblock ch
Package: wnpp
Severity: normal
X-Debbugs-Cc: coco-...@packages.debian.org
Control: affects -1 + src:coco-cpp
The former maintainer is no longer active and per a discussion with the former
sponsor, I'm orphaning the coco-cpp package.
The package description is:
Coco/R is a compiler generator,
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: primesense-nite-nonf...@packages.debian.org
Control: affects -1 + src:primesense-nite-nonfree
Please remove primesense-nite-nonfree. It's broken since 2014 (#771187)
and hasn't seen an
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: selfh...@packages.debian.org
Control: affects -1 + src:selfhtml
Please remove selfhtml. The last upload was in 2008, it's RC-buggy (#1002966)
and these docs describe the state of
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: loganaly...@packages.debian.org
Control: affects -1 + src:loganalyzer
Please remove loganalyzer. It's broken since PHP 7 #974586, dropped
from testing since 15 months and hasn't seen a
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python2.7
Removing the last Python 2 remnants, this will need to be forced
since there are some inter
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python-defau...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python-defaults
Removing the last Python 2 remnants, this will need to be forced
since there are some
Package: ftp.debian.org
Severity: normal
User: ftp.debian@packages.debian.org
Usertags: remove
X-Debbugs-Cc: python-stdlib-extensi...@packages.debian.org, d...@debian.org
Control: affects -1 + src:python-stdlib-extensions
Removing the last Python 2 remnants. This will need to be forced
since
Package: ftp.debian.org
Severity: normal
Please remove telepathy-ring. It's one of the last packages still using
Python 2, there hasn't been a maintainer followup on #938644 since
2019 and https://git.merproject.org/mer-core/telepathy-ring is gone.
Source: puppetdb
Version: 7.11.2-3
Severity: grave
Thanks for all the great work on Puppetdb!
I was trying to setup a test environment with Puppetdb 7.11.2 from current
testing and I noticed that it's using openjdk-11-jre-headless.
While openjdk-11 is currently still in testing, Bookworm will
Package: ftp.debian.org
Severity: normal
Please remove sdic. It's RC-buggy and dropped from testing since 2017.
Cheers,
Moritz
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
This update fixes various minor crashes in mplayer, which
don't warrant a DSA by itself. I've run the PoCs against
the updated build where applicable and also tested various
Source: netatalk
Version: 3.1.13~ds-2
Severity: serious
netatalk should not enter bookworm unless it gets adopted and
actively maintained.
Cheers,
Moritz
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: d...@debian.org
openjdk bumped the requirements for the test suite within
their 11.x branch (which is what we ship in Bullseye), it
now needs jtreg6.
The debdiff is
Source: maradns
Version: 2.0.13-1.4
Severity: serious
The last maintainer upload was in 2015 and the version currently in the
archive is way behind current upstream releases (which is at 3.4.07),
we have plenty of maintained DNS servers, keep it out of testing (
and if no one picks it up, remove
Package: ftp.debian.org
Severity: normal
Please remove gkrellm-x86info. The last maintainer upload was in 2011, it's
RC-buggy, dead upstream and dropped from testing for almost a year. And 1002714
indicates a replacement exists.
Package: ftp.debian.org
Severity: normal
Please remove dvbsnoop. The last maintainer upload was in 2013, it's RC-buggy,
dead upstream and dropped from testing for almost a year.
Package: ftp.debian.org
Severity: normal
Please remove scim-canna. The last maintainer upload was in 2010, it's RC-buggy,
dead upstream and dropped from testing for almost a year.
Package: ftp.debian.org
Severity: normal
Please remove vsdump. The last maintainer upload was in 2010, it's RC-buggy,
dead upstream and dropped from testing for almost a year.
Package: ftp.debian.org
Severity: normal
Please remove ibam. The last maintainer upload was in 2011, it's RC-buggy,
dead upstream and dropped from testing for almost a year.
Package: ftp.debian.org
Severity: normal
Please remove cryptcat. The last maintainer upload was in 2008, it's RC-buggy,
dead upstream and dropped from testing for almost a year.
Package: ftp.debian.org
Severity: normal
Please remove lostirc. The last maintainer upload was in 2008, it's
orphaned without an adopter since 2016, depends on obsolete GTK2,
is dead upstream and there are plenty of alternatives in the archive.
Package: ftp.debian.org
Severity: normal
Please remove kanjipad. The last maintainer upload was in 2013, it's orphaned
without an adopter since 2020, depends on obsolete GTK2 and is dead upstream.
Popcon is practically non-existent.
Package: ftp.debian.org
Severity: normal
Please remove ion. It's unmaintained (last maintainer upload in 2014 and
orphaned without adopter since 1.5 years) and RC-buggy (FTBFS with GCC >= 7)
since 2017.
Package: ftp.debian.org
Severity: normal
Please remove setcolortemperature. Development has ceased and
https://github.com/Tookmund/setcolortemperature (and the original
O: bug) point to xsct, which is now packaged in Debian.
Package: ftp.debian.org
Severity: normal
Please remove twoftpd. The last maintainer upload was in 2014, it's orphaned
without an adopter since 2019 and dead upstream. And there's plenty of ftpd
alternatives in the archive.
reopen 1021142
thanks
On Wed, Nov 16, 2022 at 01:05:18PM +, Debian FTP Masters wrote:
> cargo (0.63.1-1) unstable; urgency=medium
> .
>* fix CVE-2022-36113/CVE-2022-36114 (Closes: #1021142)
Hi Fabian,
These are only fixed in 0.65, reopening.
Cheers,
Moritz
Package: ftp.debian.org
Severity: normal
Please remove golang-libgeoip. It's orphaned without a new adopter since 2016,
there are no reverse deps and it's dead upstream (last commit in 2017).
Package: ftp.debian.org
Severity: normal
Please remove golang-nzaat. It's up for adoption since 2016 without a new
maintainer, there are no reverse deps and it's dead upstream (last commit
nine years ago).
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: r...@tardis.ca
Please remove golang-openldap. It's unmaintained (last upload in 2018), there
are no reverse deps, it's broken with OpenLDAP 2.5 and it's dead upstream (no
commits since 2016). An alternative exists with golang-github-go-ldap
Package: ftp.debian.org
Severity: normal
Please remove mutrace. The last maintainer upload was in 2016, it's RC-buggy
(and apparently already broken since 2016 per 810638) and popcon is practically
non-existent.
Package: ftp.debian.org
Severity: normal
Please remove libdispatch. The last maintainer upload was in 2011,
it's up for adoption since 2020 (where the former maintainer suggested
to remove it) and there are no reverse deps.
Package: ftp.debian.org
Severity: normal
Please remove libblkmaker. It has been up for adoption since 2018,
is broken since 2017 (#858377) and there are no reverse deps.
Package: ftp.debian.org
Severity: normal
Please remove lostirc. The last maintainer upload was in 2008, it's
orphaned without an adopter since 2016, depends on obsolete GTK2,
is dead upstream and there are plenty of alternatives in the archive.
Package: ftp.debian.org
Severity: normal
Please remove gatling, the last maintainer upload was in 2016,
the version currently in the archive is way behind current
upstream releases, popcon is virtually non-existent and there's
plenty of other httpds in the archive.
Cheers,
Moritz
Source: wolfssl
Version: 5.2.0-2
Severity: serious
wolfssl has no active maintainer, plenty of open security issues and we already
have too many TLS libraries in our releases. Keep it out of testing. I'm going
to file bugs against the handful of reverse deps.
Cheers,
Moritz
Source: fbpanel
Version: 7.0-4.3
Severity: serious
Your package came up as a candidate for removal from Debian:
- Depends on Python 2, which will soon be removed
- Last maintainer upload five years ago
- Dead upstream
If you disagree and want to continue to maintain this package,
please just
Source: viewmol
Version: 2.4.1-26
Severity: serious
Your package came up as a candidate for removal from Debian:
- Still depends on Python 2 (which will soon be removed)
- Dead upstream
- Dropped from testing for over two years
If you disagree and want to continue to maintain this package,
Hi Clément,
> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
> suggestions, but I guess our choices are either uploading 2.5 to stable, if
> that's possible. python-stem at least will need to be
On Tue, Oct 18, 2022 at 06:09:42PM -0300, Antonio Terceiro wrote:
> Hi,
>
> On Thu, Oct 13, 2022 at 09:13:18PM +0200, Moritz Mühlenhoff wrote:
> > Source: lava
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was
> > For the latest set of Xen issues my estimate is that we can postpone
> > them until the next batch, they seem all of moderate/limited impact.
> > But let me know if you think otherwise.
>
> I agree. Let's do them together with the new stuff that's planned for
> Nov 1st,
On Tue, Oct 18, 2022 at 02:17:32PM +0200, Hans van Kranenburg wrote:
> Does explicitly opening a BTS bug mean that, like we use to call it,
> "these CVEs warrant a DSA",
No, in general we aim to file bugs for any open CVEs regardless of
the DSA state. This allows people to see that an issue is
On Sat, Oct 15, 2022 at 09:27:33AM +0300, Adrian Bunk wrote:
> Package: firefox-esr
> Version: 102.3.0esr-1
> Severity: serious
> Tags: bookworm sid
> X-Debbugs-Cc: Carsten Schoenert ,
> debian-rele...@lists.debian.org, t...@security.debian.org,
> debian-...@lists.debian.org
>
> [ various
reassign 995838 condor
thanks
On Fri, Sep 09, 2022 at 11:17:05AM -0500, Tim Theisen wrote:
> I am making progress here. I have built an HTCondor 9.0 LTS version locally
> back in May. I was about to upload it and then changes in sid caused it to
> not build from sources again.
>
> The 10.0 LTS
Package: ftp.debian.org
Severity: normal
Please remove patchage. It depends on Python 2, the upstream homepage vanished
from the internet and there hasn't been a maintainer upload since 2009.
Cheers,
Moritz
Source: snort
Version: 2.9.15.1-6
Severity: serious
Per https://blog.snort.org/2021/07/29150-has-reached-its-end-of-life.html
the version currently in sid is EOLed and no longer compatible with
current rule updates.
In general snort seems unsuitable for standard stable given that the
engine
Package: ftp.debian.org
Severity: normal
Please remove flowcanvas. Removal was already suggested back in 2018 (#888656),
there are no reverse dependencies left, the package is unmaintained (last
maintainer upload in 2009) and it depends on Python 2.
Cheers,
Moritz
On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote:
> Hello Moritz,
>
> I've prepared a qemu build months back fixing pending CVEs then. I
> have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your
> diff and backported a new CVE, fixing total of ~35 CVEs.
>
> I've tested
Source: freeciv
Version: 2.6.6-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team
Quoting from the announcement posted to oss-security (no CVE is
available):
--
Just released freeciv-2.6.7 & freeciv-3.0.3 fix
Package: ftp.debian.org
Severity: normal
This was uploaded only to experimental over a decade ago. Given
it was never actually uploaded to unstable let's simply remove it...
Cheers,
Moritz
Source: lepton-eda
Version: 1.9.18-1
Severity: wishlist
geda-gaf has been removed from the archive. In #1008700 it was mentioned
that lepton-eda is a sufficient replacement, so it could provide a
transition package to help existing geda-gaf users.
Cheers,
Moritz
Source: kross
Version: 5.96.0-1
Severity: serious
See #1017061, kross isn't useful without interpreters.
Cheers,
Moritz
Source: kross-interpreters
Version: 4:21.12.3-1
Severity: serious
Your package came up as a candidate for removal from Debian. On
IRC Sune mentioned that libkross is most probably unused these
days and on the KF6 removal list. And the Python bindings still
depend on Python 2 (without porting