Hi Steffen,
On Tue, April 30, 2013 22:07, Steffen Moeller wrote:
The PHP code shipping with the BOINC Server Maker package was not updated
for a long time because of the freeze coinciding with the general overhaul of
the BOINC package structure. An important security update was missed.
The
On Wed, May 1, 2013 12:17, Alyssa Milburn wrote:
These missed server issues were presumably what's now CVE-2013-2018:
http://article.gmane.org/gmane.comp.security.oss.general/10083
Thanks, noted.
Thijs
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of
fwiw, at a five day delay plus two days in unstable, the upload would
theoretically be eligible to migrate the night before the release. The
chances of that upload getting unblocked are practically nil unless the
release is delayed for some reason.
Given that the maintainer is on
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Hi,
Please unblock package phpmyadmin.
This is a security update. The issues fixed are not present in squeeze.
unblock phpmyadmin/4:3.4.11.1-2
Thanks,
Thijs
Package: uruk
Version: 20121005-1
Severity: wishlist
Hi Joost,
Please provide an uruk diff. When uruk config has been changed, this will
output the difference between the currently installed firewall rules and
the result of the config that would be installed when force-reload is used.
This can
Hi,
Michael Shuler wrote:
Using the steps to reproduce, I successfully get audio playback with
chromium_26.0.1410.43-1 without any issues at all.
Same here on Wheezy.
Timo Juhani Lindfors wrote:
2) In case it matters I'm using a standard debian squeeze amd64 gnome
desktop (with
On Wed, April 17, 2013 13:22, Timo Juhani Lindfors wrote:
On Sat, 2013-04-13 at 14:34 -0400, Michael Gilbert wrote:
Please unblock chromium-browser. It fixes a lot of security issues,
and new upstream versions will be continually uploaded during wheezy's
release cycle.
Done.
I'm bit
Package: release.debian.org
Severity: normal
Release team,
This is a request to consider tagging #704645 in GnuPG wheezy-ignore.
My reasoning follows.
The behaviour of gpg --verify has been this way since forever (not
intended as a justification of this behaviour per se). I checked it
against
retitle 704645 gpg --verify suggests entire file was verified, even if file
contains auxiliary data
thanks
Hi,
After some discussion I've come to the following description of this request
(submitters, please correct or augment where necessary):
gpg --verify filename returns a binary answer:
Hi,
I looked into it and after populating the database by hand and also fixing
manually the initial issue [1]. It doesn't work anyway, the following
errors appear:
[Mon Apr 01 02:15:47 2013] [error] [client x.x.x.x] PHP Warning:
include(bookmarks.tpl.php): failed to open stream: No such
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
Hi,
Please remove semanticscuttle from wheezy.
The problems are detailed in RC bug #659390. My last message details that
I had to conquer three different problems to get to an error-free home
severity 704300 important
thanks
Hi,
Scuttle doesn't work in Wheezy, all you get are some lovely PHP messages:
Strict Standards: Non-static method ServiceFactory::getServiceInstance()
should not be called statically in /usr/share/scuttle/www/index.php on
line 23
On a production system,
On Mon, April 1, 2013 09:42, Ana Guerrero wrote:
On Mon, Apr 01, 2013 at 09:37:01AM +0200, Thijs Kinkhorst wrote:
severity 704300 important
thanks
Hi,
Scuttle doesn't work in Wheezy, all you get are some lovely PHP
messages:
Strict Standards: Non-static method
ServiceFactory
On Mon, April 1, 2013 09:55, Ana Guerrero wrote:
On Mon, Apr 01, 2013 at 09:41:54AM +0200, Thijs Kinkhorst wrote:
Yes, but I'm making the point that strict standards messages would
normally and by default be logged, not output to the browser...
Cool, then the problem has an easy fix
On Mon, April 1, 2013 09:59, Thijs Kinkhorst wrote:
On Mon, April 1, 2013 09:55, Ana Guerrero wrote:
On Mon, Apr 01, 2013 at 09:41:54AM +0200, Thijs Kinkhorst wrote:
Yes, but I'm making the point that strict standards messages would
normally and by default be logged, not output to the browser
tags 704300 patch pending
thanks
On Mon, April 1, 2013 10:12, Ana Guerrero wrote:
On Mon, Apr 01, 2013 at 10:06:48AM +0200, Thijs Kinkhorst wrote:
On Mon, April 1, 2013 09:59, Thijs Kinkhorst wrote:
On Mon, April 1, 2013 09:55, Ana Guerrero wrote:
On Mon, Apr 01, 2013 at 09:41:54AM +0200
On Sun, March 31, 2013 11:46, Jonathan Nieder wrote:
Presumably this note is only relevant on amd64, so this is a good
opportunity to make the release notes shorter on other arches. How
about this patch?
Looks good, I recommend applying it.
Thijs
On Friday 29 March 2013 22:02:48, Gerfried Fuchs wrote:
Today I got notified by a backports contributor that he wasn't able to
upload to backports anymore. While analysing the issue I found out that
the following line in /etc/dput.cf is the cause, which was introduced
for fixing #561678:
On Sunday 31 March 2013 12:45:50, Thijs Kinkhorst wrote:
#v+
allowed_distributions = (?!UNRELEASED|.*-security|.*-backports)
#v-
I'll take care of updates to dput for the current situation.
So here's my patch. As the previous NMU from half a year ago hasn't been
acknowledged yet, I'm
Hi,
backport and jp server are not used anymore, please remove it from
dput.cf file.
The backports stanza has been removed in 0.9.6.3+nmu2. The jp stanza currently
still remains.
Cheers,
Thijs
: #704228).
+
+ -- Thijs Kinkhorst th...@debian.org Sun, 31 Mar 2013 13:09:54 +0200
+
dput (0.9.6.3+nmu1) unstable; urgency=low
* Non-maintainer upload.
diff -Nru dput-0.9.6.3+nmu1/dput.cf dput-0.9.6.3+nmu2/dput.cf
--- dput-0.9.6.3+nmu1/dput.cf 2012-10-14 14:54:17.0 +0200
+++ dput
Packages of libapache2-mod-mellon for squeeze and wheezy are available from
our aptable archive:
http://non-gnu.uvt.nl/debian/squeeze/libapache2-mod-auth-mellon/
http://non-gnu.uvt.nl/debian/wheezy/libapache2-mod-auth-mellon/
I'm not uploading to Debian proper until Apache 2.4 is unstable (as
On Tue, March 19, 2013 01:37, Christoph Anton Mitterer wrote:
severity 703290 important
stop
On Tue, 2013-03-19 at 10:20 +1300, Andrew McMillan wrote:
Is there any way to do an XSS exploit in 12 characters? If not, then I
don't think this is 'grave'.
Unless someone from the security or
severity 703294 important
thanks
On Tue, March 19, 2013 11:20, Jonathan Wiltshire wrote:
Agreed that it's not grave until we have a concrete vulnerability at
hand.
The code could/should definitely be more robust, but there's not yet
an acute issue.
Is it fair to apply this line of reasoning
On Sat, March 16, 2013 22:35, Mike Hommey wrote:
On Sat, Mar 16, 2013 at 04:53:00PM -0400, Michael Gilbert wrote:
We can consider to put it into a DSA in which the text details how to
disable
the options if they cause trouble. An alternative is to put it into
spu
instead, where it may be
On Monday 11 March 2013 21:22:28, Helmut Grohne wrote:
I wrote a manual page for the mutextrace utility. Please consider
including it under the very same license as the rest of the source.
You'll find it attached to this mail.
Well done!
Thijs
severity 703128 important
thanks
On Saturday 16 March 2013 00:45:18, Christoph Anton Mitterer wrote:
Marking this as important and security, as such ungraceful errors tend to
be prone to attacks.
Rightly so. These issues indeed should be fixed to prevent any security issues
proactively, and
On Saturday 16 March 2013 09:37:25, Yves-Alexis Perez wrote:
On sam., 2013-03-16 at 08:34 +0100, Mike Hommey wrote:
So, here are a few more info:
- 3.13 disabled SSL 2.0 by default
- 3.13 added a defense against the Rizzo and Duong attack, which is
known to break applications. It can
Hi,
| -Change Pre-Depends to Depends (OK now that base-files Pre-Depends: awk)
This is not correct and needs to be reverted, since it means that gawk
might be unpacked before its dependencies during upgrades. If the awk
alternative is set to gawk, other packages which are unpacked in the
@@ -1,3 +1,10 @@
+gawk (1:4.0.1+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Change Depends back to Pre-Depends (closes: #702524).
+
+ -- Thijs Kinkhorst th...@debian.org Sat, 16 Mar 2013 12:31:51 +0100
+
gawk (1:4.0.1+dfsg-2) unstable; urgency=low
* debian/control:
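Review bot: the entry "* Change Depends back to Pre-Depends (closes: #702524)." records the revert but not why Pre-Depends is required. A short reason in the entry, for example that gawk could otherwise be unpacked before its dependencies during upgrades, would keep a later cleanup from switching it back to Depends. The urgency also rises from low in the previous entry to medium here without the entry saying why.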
diff
On Sat, March 16, 2013 00:02, Balint Reczey wrote:
I would like to upload wireshark/1.8.2-5wheezy1 to
testing-proposed-updates to fix open security issues in wheezy.
This request can be postponed, as we're going to try to handle this
through wheezy-security as a first guinea pig. If this works
Package: installation-reports
Severity: normal
-- Package-specific info:
Boot method: USB
Image version: Wheezy rc1 netinst
Date: 2013-03-06 22:00 CET
Machine: Samsung Series 5 Ultra NP530U3C-A07NL
Partitions: see below
Base System Installation Checklist:
[O] = OK, [E] = Error (please
Verified that squeeze is not affected. Although it contains the same
php5-radius code, the version of PHP itself in squeeze does not trigger
the segfault.
Package: apache2
Version: 2.4.4-2
Severity: normal
Hi,
mod_authn_core is not enabled by default. This module makes common directives
like AuthType work. Also, other authn_* types are enabled by default.
Cheers,
Thijs
-- Package-specific info:
Enabled MPM: event
List of enabled modules:
Hi,
I have built mod_auth_cas with Apache 2.4 successfully and have also
verified that it still works, without source changes. This transition will
not pose a problem for this module.
Cheers,
Thijs
Package: php5-radius
Version: 1.2.5-2.2
Severity: grave
On a 64 bit wheezy system, the radius module immediately segfaults
when attempting Radius authentication. The following minimal testcase
reproduces the problem:
thijs@solrock:~$ cat radtest.php
<?php
$radius = radius_auth_open();
On Mon, March 11, 2013 21:47, Niko Tyni wrote:
Cc'ing the security team. Once we have a fix, I suppose we'll need to
fix libapache2-mod-perl2 via stable-security?
Yes please.
Cheers,
Thijs
, there are two unacked NMU's
against the package already and we're close to release.
Cheers,
Thijs
--
Thijs Kinkhorst th...@uvt.nl – LIS Unix
Universiteit van Tilburg – Library and IT Services • Postbus 90153, 5000 LE
Bezoekadres Warandelaan 2 • Tel. 013 466 3035 • G 236 • http://www.uvt.nl
On Thu, March 7, 2013 21:44, Thijs Kinkhorst wrote:
On Thu, March 7, 2013 19:31, Mathieu Parent wrote:
severity 688577 grave
tag 688577 + patch upstream fixed-upstream
thanks
Hi,
Raising severity as this renders the package unusable.
Confirmed, fixed, will upload.
Thijs
of reworking of how simpleSAMLphp
tracks IdP's internally.
Cheers,
Thijs
it's expired, if so, error out with specific
message, if not, continue. Possible, but not a matter of augmenting the error
message.
On Thu, March 7, 2013 19:31, Mathieu Parent wrote:
severity 688577 grave
tag 688577 + patch upstream fixed-upstream
thanks
Hi,
Raising severity as this renders the package unusable.
The fix is at:
https://github.com/Jasig/mod_auth_cas/commit/24369afdb9363273f0436582dda44589d5014c65
Hi,
Confirmed as above. Upgrade indeed doesn't add that statement:
Setting up postfix (2.10.0-1) ...
Installing new version of config file /etc/init.d/postfix ...
Installing new version of config file /etc/postfix/postfix-script ...
Installing new version of config file /etc/postfix/post-install
package release.debian.org
user release.debian@packages.debian.org
usertag 687583 + rm - unblock
retitle 687583 RM: altos/1.0.3
thanks
Hi Release Managers,
Please remove altos from testing as per maintainer comment in #676739.
Cheers,
Thijs
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Hi Release Team,
I've been looking into Postfix RC bug #700719. In short, my proposal is to
fix the maintainer field and then unblock the package. Please see my message
in the bug log for
On Wednesday 6 March 2013 10:16:18, Adam D. Barratt wrote:
It looks like the maintainer field is already fixed in sid, in
2.10.0-1; that is a number of upstream releases more recent than the
current wheezy package, however.
Your last message in #700719 indicates that your inclination
notfound 702374 2.9.6-1
found 702374 2.10.0-1
tags 702374 moreinfo
thanks
Hi Danny,
I upgraded from version 2.9.6-1 to 2.10.0-1 and sasl started working (for
me)
I downgraded _only_ postfix and everything started working again.
You're saying twice here that it started working. I'm assuming
Removal of this package has been requested by the maintainer in #701858.
severity 700923 important
thanks
Hi,
I find it unlikely that in serious deployments remote cib management would be
enabled for untrusted connections. This kind of management usually happens
over separate networks or is appropriately guarded by other controls. And
where not, the worst result
Hi LaMont, Release Team,
I've taken a look at this RC bug in Postfix. Looking at the diff between
2.9.3-2.1 (testing) and 2.9.6-1 (sid), t
I've attached the debdiff between testing and unstable removing changes to po
files, documentation and tests. The changes for this bug are the majority,
So, for the moment (Wheezy) I think the best approach to solve this bug
is to apply the small patch for OpenLDAP that I'm attaching.
It is the least intrusive approach to fix this bug. It doesn't need to
touch anything on GnuTLS or libgcrypt. It is really fixing the problem
where it is: OpenLDAP
Hi Bdale,
On Fri, Jun 15, 2012 at 09:27:12AM -0600, Bdale Garbee wrote:
Thanks for the report. The problem is that sdcc 3.X introduces new
compiler features that are big problems for 8051, and sdcc is a build
dep for altos.
Are you aware that this still needs fixing for wheezy?
Cheers,
not that I'd know anything about this module in particular, but please
ensure before uploading this module that the package works and compiles
with Apache 2.4.
We're going to prepare a transition to 2.4 (currently available in
experimental) as soon as the Jessie release cycle starts. Ideally
Package: wnpp
Severity: wishlist
Owner: Thijs Kinkhorst th...@debian.org
* Package name: libapache2-mod-auth-mellon
Version : 0.6.0
Upstream Author : Feide RND, Uninett
* URL : http://code.google.com/p/modmellon/
* License : GPLv3
Programming Lang: C
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Hi RT,
Package pigz/2.2.4-2 was uploaded to sid fixing CVE-2013-0296 (#700608).
The maintainer also added hardening flags. This may be on the border of
acceptable/unacceptable for an
On Sun, February 24, 2013 19:03, Raphael Hertzog wrote:
I have uploaded 1.4.5-1 to unstable and I have prepared 1.2.3-3+squeeze5
for stable, you can get it here:
http://people.debian.org/~hertzog/packages/python-django_1.2.3-3+squeeze5_amd64.changes
Thijs, can you do some testing before
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Hi,
Please unblock and bump the urgency of package pktstat.
It fixes security issue CVE-2013-0350; #701211: left over debug code caused
both a temp file race and information leak.
On Mon, February 25, 2013 09:32, Thijs Kinkhorst wrote:
On Sun, February 24, 2013 19:03, Raphael Hertzog wrote:
I have uploaded 1.4.5-1 to unstable and I have prepared 1.2.3-3+squeeze5
for stable, you can get it here:
http://people.debian.org/~hertzog/packages/python-django_1.2.3-3
Hi,
For the record, this is fixed in upstream release 3.14.3.
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes
Cheers,
Thijs
On Sat, February 23, 2013 17:55, Niels Thykier wrote:
Control: reopen -1
On 2013-02-23 17:45, Alexander Wirt wrote:
Thijs Kinkhorst wrote on Saturday, 23 February 2013:
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
As mentioned in #700805, this line introduces a memory leak if realloc
fails for any reason.
Upstream has committed a fix for the issue but also concluded that this
causing real world trouble is not very probable.
So either the patch needs to be applied to openconnect or the package needs to
On Sat, February 23, 2013 16:54, Philipp Kern wrote:
On Sat, Feb 16, 2013 at 12:07:13PM +0100, Kurt Roeckx wrote:
armhf and s390x don't have any set up yet.
I've set up wheezy-security on zemlinsky and zandonai today.
Thanks. So the only thing we are missing according to my information is
On Sat, February 23, 2013 15:41, Salvatore Bonaccorso wrote:
Hi Alex
On Sat, Feb 23, 2013 at 01:17:03PM +0100, Alexander Wirt wrote:
On Sat, 23 Feb 2013, Salvatore Bonaccorso wrote:
Hi Alex, Hi Thijs
I was looking through the bugs for nagios-nrpe, and noticed #547092
where there was an
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Dear release team,
Please unblock package nagios-nrpe.
The update is documentation only. It's done to address #547092: SSL support
is fundamentally broken in NRPE, which cannot be fixed
Package: lintian
Version: 2.5.10.3
Severity: wishlist
Hi,
I encountered an (example) package that had cdbs not only in its Build-Depends
line, but also in its Depends line. This was a mistake. I would have expected
that Lintian complained about this.
Obviously hardly any package would need to
Hi Lucas,
On Sun, February 17, 2013 22:07, Lucas Nussbaum wrote:
While testing the installation of all packages in wheezy, I ran
into the following problem:
The following packages have unmet dependencies:
ia32-libs : Depends: ia32-libs-i386 but it is not installable
E: Unable to correct
Hi Javier,
Currently, the Securing Debian Manual [1] ships the security FAQ [2],
duplicating (outdated) information already available in 9 languages.
Hi. I think I implemented this already in SVN. I will check later tomorrow.
It's currently still present in svn, so please remove it as
On Mon, February 13, 2012 14:12, Colin Watson wrote:
Package: ttf-mscorefonts-installer
Version: 3.4
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu ubuntu-patch precise
Using 'dpkg-maintscript-helper supports rm_conffile' guards introduces
On Sat, February 16, 2013 04:20, Daniel Hartwig wrote:
There are some third party packages which are i386-only and make use of
the mscorefonts. Also attached is a patch from Ubuntu marking
ttf-mscorefonts-installer Multi-Arch: foreign to facilitate these cases
and others.
Thanks. I've
On Wed, May 9, 2012 15:13, Andrey Rahmatullin wrote:
When the package is upgraded, postinst prints
These fonts were provided by Microsoft in the interest of cross-
platform compatibility. This is no longer the case, but they are
still available from third parties.
You are free to
On Sat, February 16, 2013 12:36, Andrey Rahmatullin wrote:
On Sat, Feb 16, 2013 at 12:18:00PM +0100, Thijs Kinkhorst wrote:
When the package is upgraded, postinst prints
These fonts were provided by Microsoft in the interest of cross-
platform compatibility. This is no longer the case
On Sat, February 16, 2013 12:50, Andrey Rahmatullin wrote:
What else do you want to know? I think it is obvious that this message is
useful only after the fonts are actually installed, not on each upgrade.
Right, agreed. I'll change that for the next upload.
Thijs
Hi wb-team,
I read in this bug log that most aspects of wheezy-security have been
taken care of, but Philipp reported on Jan 4 that the buildds still need
to be taken care of. Can something be said about the progress of that? How
far along are we?
It would be great if we could have a guinea pig
Hi Simon,
On Thu, February 14, 2013 00:28, Simon Waters wrote:
The toggle has two values.
On - default
Inserts X-Powered-By header with PHP version.
Causes phpcredits page, PHP and ZEND LOGOs to be displayed in
unexpected fashion where people's webpages would be expected.
Can you clarify
On Thursday 14 February 2013 14:31:32, Arno Töll wrote:
On 12.02.2013 16:08, Thijs Kinkhorst wrote:
Do you agree on the approach? Barring any objections I'm planning to
release this as a DSA after the weekend.
I am by no means an expert with the SSL API, but I believe your patch
Hi Cyril,
On Wed, February 13, 2013 14:55, Cyril LAVIER wrote:
Thanks for this report.
I think we have to include this patch in the nginx packages (stable and
unstable).
I don't actually know if you already prepared an upload, so I did it by
myself (and it was a great time to relearn how
On Wed, February 13, 2013 15:42, Cyril LAVIER wrote:
On 2013-02-13 15:36, Thijs Kinkhorst wrote:
Hi Cyril,
On Wed, February 13, 2013 14:55, Cyril LAVIER wrote:
Thanks for this report.
I think we have to include this patch in the nginx packages (stable
and
unstable).
I don't
Package: lighttpd
Version: 1.4.28-2+squeeze1
Severity: grave
Tags: security
Hi,
lighttpd in squeeze is vulnerable to the SSL attack CVE-2012-4929 dubbed
'CRIME'. The attack is related to SSL compression.
The popular solution to the attack is to disable SSL compression. This is
what Apache has
/~thijs/lighttpd/
Do you agree on the approach? Barring any objections I'm planning to release
this as a DSA after the weekend.
Cheers,
Thijs
Package: nginx
Version: 0.7.67-3
Severity: grave
Tags: security patch
Hi,
nginx in squeeze and wheezy is vulnerable to the SSL attack CVE-2012-4929
dubbed 'CRIME'. The attack is related to SSL compression.
The popular solution to the attack is to disable SSL compression. This is
what Apache has
Hi Robert,
According to [1] and as confirmed by the current root-servers.net zone,
D.ROOT-SERVERS.NET has changed its IPv4 address.
Can you update this in wheezy and squeeze?
The window for the next point update for squeeze probably closes soon.
Cheers,
Thijs
/changelog
+++ nagios-nrpe-2.13/debian/changelog
@@ -1,3 +1,10 @@
+nagios-nrpe (2.13-1.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add warning about the inadequateness of the 'ssl' option.
+
+ -- Thijs Kinkhorst th...@debian.org Sun, 10 Feb 2013 14:52:37 +0100
+
nagios-nrpe (2.13-1
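Review bot: the entry "* Add warning about the inadequateness of the 'ssl' option." carries no bug reference even though the upload is marked urgency=high. Add the number of the bug this addresses so the changelog and the tracker stay linked, and name the file that receives the warning so readers know where to look. "inadequacy" would read better than "inadequateness".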
On Sun, February 10, 2013 15:52, Ben Hutchings wrote:
On Sun, 2013-02-10 at 12:38 +0100, Florian Weimer wrote:
* Ben Hutchings:
According to
https://www.globalsign.com/certificate-authority-root-signing/, any
organisation may buy a secondary CA certificate signed by one of
GlobalSign's
Package: bouncycastle
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at:
Package: mysql-5.5
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at:
Package: polarssl
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at:
Package: nss
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at:
Package: openssl
Severity: serious
Tags: security
Hi,
Several issues were announced in the OpenSSL security advisory of 05 Feb 2013
(http://www.openssl.org/news/secadv_20130205.txt):
SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
TLS 1.1 and 1.2 AES-NI crash (CVE-2012-2686)
Package: release-notes
Severity: normal
Tags: wheezy
Hi Joost,
Filing a bug as discussed.
When I upgraded a desktop system from Squeeze to Wheezy, it failed to install
grub in my MBR. The reason given was probably along the lines of this:
warning: your core.img is unusually large. It won't
On Sat, January 26, 2013 16:05, Olivier Berger wrote:
As you can see in [0], I've integrated the full upstream commit [1] and
not just the change on Client.php.
Hope this helps.
The updated package indeed fixes the problem and works fine. Thanks!
Cheers,
Thijs
Hi Andreas,
I can now also offer to NMU ca-certificates-java with my patch (and
intend to do so in a few days without other progress).
I think the maintainer's earlier response in this log indicates that he
doesn't have time and appreciates if someone else could fix it, so I would
say, go
Package: php-cas
Version: 1.3.1-2
Severity: grave
Tags: patch
Hi Olivier,
The security update in 1.3.1-2 broke php-cas. The problem is in this hunk:
@@ -2418,6 +2428,7 @@ class CAS_Client
}
if ($this-_cas_server_ca_cert != '') {
Package: wnpp
Severity: wishlist
Owner: Thijs Kinkhorst th...@debian.org
* Package name: phpqrcode
Version : 1.1.4
Upstream Author : Dominik Dzienia
* URL : http://phpqrcode.sourceforge.net/
* License : LGPL
Programming Lang: PHP
Description : PHP
Package: lintian
Version: 2.5.10.3
Severity: normal
Tags: patch
Hi,
lua5.2 is in the archive since 2011-07. Attached patch adds it to the list
of known lua interpreters.
Cheers,
Thijs
From b1879b43d57d1707a4ee3b6bace7998d0c72d841 Mon Sep 17 00:00:00 2001
From: Thijs Kinkhorst th...@debian.org
Package: syslog-ng
Version: 3.1.3-3
Severity: normal
Hi,
Syslog-ng can be configured to accept logging over TCP and TLS via the tls
option and the key_file and cert_file parameters. There is however no
option to specify the certificate chain. Clients cannot verify the host's
certificate from
On Sun, January 6, 2013 06:38, Eric Dorland wrote:
Gah. I went out of town for Saturday and Sunday. I meant to upload before
I left today but forgot. I just tried to now but I can't seem to reach my
main Debian machine. So I won't be able to upload before Sunday night
Eastern USA time. So if
On Fri, September 7, 2012 16:37, Carlos Alberto Lopez Perez wrote:
Who is behind this Debconf CA? For what this is used?
Questions about why individual CAs are included are not on-topic to this bug.
To quickly answer your question though: Debconf is the annual Debian
conference and this
Hi,
On 11/16/2012 01:03 AM, Guillem Jover wrote:
The debconf.org certificate is named just ca.crt [0], which ends up
being symlinked from /etc/ssl/certs/ as ca.pem. Please, rename the
filename to denote it's coming from Debconf CA, and to avoid using
such a generic and confusing name, in
Hi,
As found out by Google, Turktrust has issued blindly even two SubCA
certificates to normal users which then used these to create forged
certificates.
I think this shows that TurkTrust is not really trustworthy or competent
enough to have their root certs included and thus they should
Hi Eric,
On Sat, January 5, 2013 08:30, Eric Dorland wrote:
* Thijs Kinkhorst (th...@debian.org) wrote:
On Fri, January 4, 2013 11:39, Thijs Kinkhorst wrote:
On Thu, January 3, 2013 04:19, Christoph Anton Mitterer wrote:
This is a follow up for #697108 and CVE-2012-6085.
Eric